From 204971f2a94e6639b0e550767a3a02ffced80802 Mon Sep 17 00:00:00 2001 From: Vincent Koc Date: Wed, 6 May 2026 09:05:49 -0700 Subject: [PATCH] docs: remove duplicate body H1s + sentence-case headings across 10 pages --- docs/install/fly.md | 2 -- docs/install/hetzner.md | 2 -- docs/nodes/audio.md | 2 -- docs/nodes/images.md | 2 -- docs/plugins/dependency-resolution.md | 2 -- docs/plugins/webhooks.md | 2 -- docs/plugins/zalouser.md | 2 -- docs/security/CONTRIBUTING-THREAT-MODEL.md | 16 +++++++--------- docs/security/THREAT-MODEL-ATLAS.md | 4 +--- docs/security/network-proxy.md | 8 +++----- 10 files changed, 11 insertions(+), 31 deletions(-) diff --git a/docs/install/fly.md b/docs/install/fly.md index dff5e5c6d8d..4dfa083d74d 100644 --- a/docs/install/fly.md +++ b/docs/install/fly.md @@ -6,8 +6,6 @@ read_when: - Setting up Fly volumes, secrets, and first-run config --- -# Fly.io Deployment - **Goal:** OpenClaw Gateway running on a [Fly.io](https://fly.io) machine with persistent storage, automatic HTTPS, and Discord/channel access. ## What you need diff --git a/docs/install/hetzner.md b/docs/install/hetzner.md index df2c2282b88..72b163ed37e 100644 --- a/docs/install/hetzner.md +++ b/docs/install/hetzner.md @@ -8,8 +8,6 @@ read_when: title: "Hetzner" --- -# OpenClaw on Hetzner (Docker, Production VPS Guide) - ## Goal Run a persistent OpenClaw Gateway on a Hetzner VPS using Docker, with durable state, baked-in binaries, and safe restart behavior. diff --git a/docs/nodes/audio.md b/docs/nodes/audio.md index 06a32ae96d9..018a4461d0d 100644 --- a/docs/nodes/audio.md +++ b/docs/nodes/audio.md @@ -5,8 +5,6 @@ read_when: title: "Audio and voice notes" --- -# Audio / Voice Notes (2026-01-17) - ## What works - **Media understanding (audio)**: If audio understanding is enabled (or auto-detected), OpenClaw: diff --git a/docs/nodes/images.md b/docs/nodes/images.md index de52e791e90..94a887cbd1f 100644 --- a/docs/nodes/images.md +++ b/docs/nodes/images.md @@ -5,8 +5,6 @@ read_when: title: "Image and media support" --- -# Image & Media Support (2025-12-05) - The WhatsApp channel runs via **Baileys Web**. This document captures the current media handling rules for send, gateway, and agent replies. ## Goals diff --git a/docs/plugins/dependency-resolution.md b/docs/plugins/dependency-resolution.md index a2ac739b634..bf0e4b1dc1d 100644 --- a/docs/plugins/dependency-resolution.md +++ b/docs/plugins/dependency-resolution.md @@ -8,8 +8,6 @@ title: "Plugin dependency resolution" sidebarTitle: "Dependencies" --- -# Plugin dependency resolution - OpenClaw keeps plugin dependency work at install/update time. Runtime loading does not run package managers, repair dependency trees, or mutate the OpenClaw package directory. diff --git a/docs/plugins/webhooks.md b/docs/plugins/webhooks.md index 52b1dfc836c..19cb0ef79cf 100644 --- a/docs/plugins/webhooks.md +++ b/docs/plugins/webhooks.md @@ -6,8 +6,6 @@ read_when: title: "Webhooks plugin" --- -# Webhooks (plugin) - The Webhooks plugin adds authenticated HTTP routes that bind external automation to OpenClaw TaskFlows. diff --git a/docs/plugins/zalouser.md b/docs/plugins/zalouser.md index 32d0fdf4419..91e75d8029e 100644 --- a/docs/plugins/zalouser.md +++ b/docs/plugins/zalouser.md @@ -6,8 +6,6 @@ read_when: title: "Zalo personal plugin" --- -# Zalo Personal (plugin) - Zalo Personal support for OpenClaw via a plugin, using native `zca-js` to automate a normal Zalo user account. diff --git a/docs/security/CONTRIBUTING-THREAT-MODEL.md b/docs/security/CONTRIBUTING-THREAT-MODEL.md index 3e587f86325..1e8f0e531f1 100644 --- a/docs/security/CONTRIBUTING-THREAT-MODEL.md +++ b/docs/security/CONTRIBUTING-THREAT-MODEL.md @@ -6,13 +6,11 @@ read_when: - Reviewing or updating the threat model --- -# Contributing to the OpenClaw Threat Model - Thanks for helping make OpenClaw more secure. This threat model is a living document and we welcome contributions from anyone - you don't need to be a security expert. -## Ways to Contribute +## Ways to contribute -### Add a Threat +### Add a threat Spotted an attack vector or risk we haven't covered? Open an issue on [openclaw/trust](https://github.com/openclaw/trust/issues) and describe it in your own words. You don't need to know any frameworks or fill in every field - just describe the scenario. @@ -27,25 +25,25 @@ We'll handle the ATLAS mapping, threat IDs, and risk assessment during review. I > **This is for adding to the threat model, not reporting live vulnerabilities.** If you've found an exploitable vulnerability, see our [Trust page](https://trust.openclaw.ai) for responsible disclosure instructions. -### Suggest a Mitigation +### Suggest a mitigation Have an idea for how to address an existing threat? Open an issue or PR referencing the threat. Useful mitigations are specific and actionable - for example, "per-sender rate limiting of 10 messages/minute at the gateway" is better than "implement rate limiting." -### Propose an Attack Chain +### Propose an attack chain Attack chains show how multiple threats combine into a realistic attack scenario. If you see a dangerous combination, describe the steps and how an attacker would chain them together. A short narrative of how the attack unfolds in practice is more valuable than a formal template. -### Fix or Improve Existing Content +### Fix or improve existing content Typos, clarifications, outdated info, better examples - PRs welcome, no issue needed. ## What we use -### MITRE ATLAS +### MITRE ATLAS framework This threat model is built on [MITRE ATLAS](https://atlas.mitre.org/) (Adversarial Threat Landscape for AI Systems), a framework designed specifically for AI/ML threats like prompt injection, tool misuse, and agent exploitation. You don't need to know ATLAS to contribute - we map submissions to the framework during review. -### Threat IDs +### Threat ids Each threat gets an ID like `T-EXEC-003`. The categories are: diff --git a/docs/security/THREAT-MODEL-ATLAS.md b/docs/security/THREAT-MODEL-ATLAS.md index c34f481caa8..734a4b92d34 100644 --- a/docs/security/THREAT-MODEL-ATLAS.md +++ b/docs/security/THREAT-MODEL-ATLAS.md @@ -6,9 +6,7 @@ read_when: - Working on security features or audit responses --- -# OpenClaw Threat Model v1.0 - -## MITRE ATLAS Framework +## MITRE ATLAS framework **Version:** 1.0-draft **Last Updated:** 2026-02-04 diff --git a/docs/security/network-proxy.md b/docs/security/network-proxy.md index 04fc076a80b..690180dbf14 100644 --- a/docs/security/network-proxy.md +++ b/docs/security/network-proxy.md @@ -6,13 +6,11 @@ read_when: - Configuring an external forward proxy for OpenClaw runtime traffic --- -# Network Proxy - OpenClaw can route runtime HTTP and WebSocket traffic through an operator-managed forward proxy. This is optional defense in depth for deployments that want central egress control, stronger SSRF protection, and better network auditability. OpenClaw does not ship, download, start, configure, or certify a proxy. You run the proxy technology that fits your environment, and OpenClaw routes normal process-local HTTP and WebSocket clients through it. -## Why Use a Proxy? +## Why use a proxy A proxy gives operators one network control point for outbound HTTP and WebSocket traffic. That can be useful even outside SSRF hardening: @@ -25,7 +23,7 @@ A proxy gives operators one network control point for outbound HTTP and WebSocke Proxy routing is a process-level guardrail for normal HTTP and WebSocket egress. It gives operators a fail-closed path for routing supported JavaScript HTTP clients through their own filtering proxy, but it is not an OS-level network sandbox and does not make OpenClaw certify the proxy's destination policy. -## How OpenClaw Routes Traffic +## How OpenClaw routes traffic When `proxy.enabled=true` and a proxy URL is configured, protected runtime processes such as `openclaw gateway run`, `openclaw node run`, and `openclaw agent --local` route normal HTTP and WebSocket egress through the configured proxy: @@ -51,7 +49,7 @@ While the proxy is active, OpenClaw clears `no_proxy`, `NO_PROXY`, and `GLOBAL_A On shutdown, OpenClaw restores the previous proxy environment and resets cached process routing state. -## Related Proxy Terms +## Related proxy terms - `proxy.enabled` / `proxy.proxyUrl`: outbound forward-proxy routing for OpenClaw runtime egress. This page documents that feature. - `gateway.auth.mode: "trusted-proxy"`: inbound identity-aware reverse-proxy authentication for Gateway access. See [Trusted proxy auth](/gateway/trusted-proxy-auth).