2026 OpenClaw Plugins: Fail-Closed Defaults and Mandatory Manifests on a Remote Physical Mac 24/7 Gateway—openclaw doctor Audit Checklist, ACP Dispatch Switches, and a Controlled Rollback Runbook (grep Snippets + FAQ)
Platform and security engineers renting a remote physical Mac as an unattended gateway learn quickly that every plugin is supply chain: one silent allow-list bypass can execute undeclared network or filesystem access at 3 a.m. This article combines mandatory manifests (no valid manifest, no load) with fail-closed (validation failures deny execution instead of degrading to allow). You get who should use which posture, two decision matrices, a seven-step rollback runbook, copy-paste grep acceptance snippets, and an FAQ. For multi-region resolver alignment on the same class of nodes, see staging and split-horizon DNS for multi-region physical remote Macs; for Mac mini pool automation context, see 2026 global deployment: cross-border UI automation on Mac mini nodes.
Introduction and scope
On a headless Mac in a remote rack, plugins are part of your attack surface. The 2026 mainstream pattern is mandatory manifests (no compliant manifest, no load) plus fail-closed (failed validation denies execution rather than silently allowing).
This guide turns that posture into doctor-backed checklist items and grep you can attach to a change record, and treats ACP (Agent Client Protocol) dispatch as the master switch for who may reach the plugin scheduler. Pair it with snapshots so rollback RTO stays inside your maintenance window. Scope excludes vendor model contracts; it assumes launchd pins the service user and WorkingDirectory. For fleet-wide multi-region pool posture, see global Mac resource pools: latency optimization and a compliance matrix; if you co-locate automation next to the gateway, see self-hosted GitHub Actions runners on nearby physical Macs to keep Actions cache and mirrors warm.
Pain points
- Constraint: implicit powers and “it runs, ship it.” Capabilities such as `fs`, `network`, or `subprocess` left out of the manifest are often silently allowed in fail-open mode, so audits cannot prove what was permitted.
- Hidden cost: doctor green ≠ policy live. `openclaw doctor` may cover runtime and ports while hot reload never picked up new manifest enforcement flags; externally you still see legacy behavior.
- Stability and audit: rollback without paired snapshots is fiction. Aggressive fail-closed breaks legitimate automation overnight; without config + plugin bundle snapshots you end up hand-editing JSON under pager duty, violating 7×24 SLOs.
Fail-closed × manifest decision matrices
The first table answers “how hard should we be?” The second maps change signals to verification.
| Environment | Manifest | Fail-closed | ACP dispatch |
|---|---|---|---|
| Production 7×24 gateway | Mandatory | On | Allow-listed clientId / workspace only |
| Staging integration | Mandatory | On (per-plugin shadow allowed) | Relaxed for the team tenant, with full JSONL |
| Developer laptop | Mandatory recommended, to mirror prod | Optional off for fast iteration | Local all-open or loopback-bound |

| Change signal | Recommended action | Extra acceptance |
|---|---|---|
| New plugin or major upgrade | Canary node + dual-manifest diff | doctor + grep for declared schema version |
| More external ACP / agent clients | Tighten dispatch allow list and rate limits | Trace plugin spans by requestId |
| Error spike with denied in logs | Shadow-count first, then decide rollback | Diff five-minute windows pre/post rollback |
openclaw doctor audit checklist
Treat doctor as proof that policy actually loaded—tick each item on your change ticket (map keys to openclaw.json or env vars per your distribution docs).
- Runtime and PATH: Matches the launchd user; `which openclaw` equals the plist binary path.
- Manifest resolution: Prints effective plugin roots; rejects directories without a manifest when enforcement is on.
- Fail-closed flags: Doctor prints the boolean and originating file; WARN is a release blocker.
- ACP dispatch: Switch state plus allow-list cardinality; empty allow list with dispatch on should warn “no clients can enter.”
- External health: Pair localhost `curl` with `/ready` (if present) so you do not get “self-check green, reverse proxy red.”
ACP dispatch switches
ACP dispatch here means whether requests from agent clients (IDEs, CLIs, external orchestrators) may enter the plugin scheduler. With fail-closed, order the operations as follows: validate the plugin set via manifest first, then use dispatch to guard the front door, so that a compromised client cannot jump straight into a high-risk hook.
Illustrative JSON (replace keys with your release schema before production):
```json
{
  "plugins": {
    "requireManifest": true,
    "failClosed": true,
    "manifestSchemaVersion": "2026-05"
  },
  "acp": {
    "dispatchEnabled": true,
    "allowedClientIds": ["ci-runner-prod", "vscode-workspace-ops"],
    "denyByDefault": true
  }
}
```
Align `allowedClientIds` with internal OAuth or mTLS subjects, and log each `clientId` × `pluginId` pair in JSONL for forensics.
Acceptance grep snippets
Run from your archive or live workspace (adjust paths):
```bash
# Explicit fail-closed / requireManifest flags
grep -RniE 'failClosed|fail_closed|requireManifest|require_manifest' \
  ~/.config/openclaw ./openclaw.json 2>/dev/null

# Every plugin directory should carry a manifest (missing = should not load)
find "$OPENCLAW_PLUGIN_ROOT" -maxdepth 2 -type f \( -name 'manifest.json' -o -name 'plugin.yaml' \) | wc -l

# ACP dispatch allow list must be non-empty in production
# (-E is required: without it grep treats '|' as a literal character)
grep -RniE 'dispatchEnabled|allowedClientIds|denyByDefault' ~/.config/openclaw ./openclaw.json 2>/dev/null
```
If the first grep returns nothing, you are likely still on implicit fail-open—do not sign off on production from muscle memory alone.
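The grep snippets show that a key is present, not that its value is `true`, and the `find` count does not say which directory lacks a manifest. The following added example (not OpenClaw's own code) checks both; it assumes the illustrative JSON keys from this article and one plugin per directory directly under the plugin root.

```python
import json
import tempfile
from pathlib import Path

# File names come from the find snippet; the JSON keys are the article's
# illustrative ones and must be mapped to your release schema.
MANIFEST_NAMES = ("manifest.json", "plugin.yaml")
MUST_BE_TRUE = (("plugins", "requireManifest"), ("plugins", "failClosed"),
                ("acp", "denyByDefault"))


def audit_policy(config, plugin_root):
    """Return release-blocking findings; an empty list means the posture holds."""
    findings = []
    for section, key in MUST_BE_TRUE:
        block = config.get(section)
        # Only a literal JSON true passes: a missing key, null, or the string
        # "true" is reported, because absence means implicit fail-open.
        if not isinstance(block, dict) or block.get(key) is not True:
            findings.append(f"{section}.{key} is not explicitly true")
    acp = config.get("acp") if isinstance(config.get("acp"), dict) else {}
    allowed = acp.get("allowedClientIds")
    if acp.get("dispatchEnabled") is True and not (isinstance(allowed, list) and allowed):
        findings.append("acp.dispatchEnabled is on but allowedClientIds is empty")
    # Name the offending directories instead of only counting manifests.
    # Presence is all that is checked here; validating content is doctor's job.
    for entry in sorted(Path(plugin_root).iterdir()):
        if entry.is_dir() and not any((entry / n).is_file() for n in MANIFEST_NAMES):
            findings.append(f"plugin directory without manifest: {entry.name}")
    return findings


def demo():
    """Run the audit on a constructed config and plugin tree (not real data)."""
    config = json.loads("""{
      "plugins": {"requireManifest": true, "failClosed": "true"},
      "acp": {"dispatchEnabled": true, "allowedClientIds": [], "denyByDefault": true}
    }""")
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "fs-sync").mkdir()  # constructed plugin names
        (root / "fs-sync" / "manifest.json").write_text("{}")
        (root / "net-probe").mkdir()  # no manifest on purpose
        return audit_policy(config, root)


if __name__ == "__main__":
    for finding in demo():
        print("BLOCKER:", finding)
```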
Seven-step controlled rollback runbook
- Freeze: Post a maintenance notice; pause cron jobs that widen the call surface.
- Snapshot: Tar `openclaw.json`, plugin trees, launchd plists, and doctor stdout.
- Mandatory manifests on: Reload, grep-verify, watch “refused load” counters.
- Fail-closed on: Uniform error codes for undeclared capabilities; keep a five-minute JSONL baseline.
- Tighten ACP dispatch: Shadow (log-only) first, then deny-by-default.
- Rollback trigger: If SLO breaks, restore paired snapshots, `launchctl kickstart`, rerun doctor.
- RCA: Update the grep checklist and ticket; schedule the next canary.
Cite-ready facts
- Observation window: Watch at least a five-minute sliding window after policy edits before deciding stay/rollback—startup spikes are not incidents.
- Snapshot retention: Keep three restorable config revisions in production, each with a plugin tarball checksum.
- Audit retention: Store full doctor output plus grep captures with the ticket for ≥30 days to satisfy typical internal compliance spot checks.
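The snapshot and rollback-trigger steps of the runbook, together with the three-revision retention rule above, as an added example (not part of OpenClaw or of the original runbook). It assumes snapshot labels that sort chronologically, such as UTC timestamps, and source paths with distinct base names.

```python
import hashlib
import tarfile
from pathlib import Path

KEEP = 3  # retention figure from the article: three restorable revisions


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_snapshot(sources, snap_dir, label):
    """Tar config, plugin tree, plists and doctor output as one paired unit."""
    snap_dir = Path(snap_dir)
    snap_dir.mkdir(parents=True, exist_ok=True)
    tar_path = snap_dir / f"snapshot-{label}.tar.gz"
    with tarfile.open(tar_path, "w:gz") as tar:
        for src in sources:
            tar.add(src, arcname=Path(src).name)  # directories are added recursively
    Path(f"{tar_path}.sha256").write_text(sha256_file(tar_path) + "\n")
    # Prune everything older than the newest KEEP snapshots (assumes sortable labels).
    for old in sorted(snap_dir.glob("snapshot-*.tar.gz"))[:-KEEP]:
        old.unlink()
        Path(f"{old}.sha256").unlink(missing_ok=True)
    return tar_path


def restore_snapshot(tar_path, target_dir):
    """Restore only if the tarball still matches the digest recorded at snapshot time."""
    expected = Path(f"{tar_path}.sha256").read_text().split()[0]
    if sha256_file(tar_path) != expected:
        raise ValueError(f"checksum mismatch, refusing to restore {tar_path}")
    # Use the safe extraction filter where the running Python provides it.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(tar_path, "r:gz") as tar:
        tar.extractall(target_dir, **extra)
    return expected
```

A sidecar stored beside the tarball only catches corruption or a mismatched pair; record the returned digest on the change ticket as well if you need tamper evidence.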
FAQ
Manifest lists capabilities—why “undeclared”?
Compare the resolved path doctor prints with the file you edited; watch schema version and field casing. Re-run the same bundle on staging with full load logs if needed.
After turning dispatch off, do old sessions still call plugins?
Depends on queues and implementation: reload, drop unacknowledged work if your SLO allows, then run read-only smoke tests on critical paths.
Can fail-closed coexist with shadow mode?
Yes—shadow increments “would have denied” counters without changing HTTP status; promote to hard deny once metrics flatten.
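The five-minute pre/post comparison from the decision matrix, applied to hard and shadow denials, as an added example that is not OpenClaw output or code. The `ts` and `decision` fields, the `shadow_denied` value and the plugin names are assumptions; `clientId` and `pluginId` follow the JSONL logging advice in the ACP section.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # the article's minimum observation window
DENY_DECISIONS = ("denied", "shadow_denied")  # assumed values for hard and shadow denials

# Constructed sample log, not real gateway output.
CHANGE_AT = datetime.fromisoformat("2026-05-01T03:00:00+00:00")
SAMPLE_LINES = [
    '{"ts":"2026-05-01T02:56:10+00:00","clientId":"ci-runner-prod","pluginId":"fs-sync","decision":"shadow_denied"}',
    '{"ts":"2026-05-01T02:58:00+00:00","clientId":"ci-runner-prod","pluginId":"fs-sync","decision":"allowed"}',
    '{"ts":"2026-05-01T03:01:00+00:00","clientId":"ci-runner-prod","pluginId":"fs-sync","decision":"denied"}',
    '{"ts":"2026-05-01T03:02:30+00:00","clientId":"ci-runner-prod","pluginId":"fs-sync","decision":"denied"}',
    '{"ts":"2026-05-01T03:03:00+00:00","clientId":"vscode-workspace-ops","pluginId":"net-probe","decision":"denied"}',
    'truncated line, not JSON',
    '{"ts":"2026-05-01T03:06:00+00:00","clientId":"ci-runner-prod","pluginId":"fs-sync","decision":"denied"}',
]


def denied_by_pair(lines, start, end):
    """Count denials per (clientId, pluginId) for events with start <= ts < end."""
    counts = Counter()
    for line in lines:
        try:
            event = json.loads(line)
            ts = datetime.fromisoformat(event["ts"])
            in_window = start <= ts < end
        except (ValueError, KeyError, TypeError):
            continue  # malformed line, missing timestamp, or timestamp without offset
        if in_window and event.get("decision") in DENY_DECISIONS:
            counts[(event.get("clientId"), event.get("pluginId"))] += 1
    return counts


def window_diff(lines, change_at):
    """Map each pair to (denials in the window before, denials in the window after)."""
    lines = list(lines)
    before = denied_by_pair(lines, change_at - WINDOW, change_at)
    after = denied_by_pair(lines, change_at, change_at + WINDOW)
    return {pair: (before[pair], after[pair]) for pair in set(before) | set(after)}


if __name__ == "__main__":
    for pair, (pre, post) in sorted(window_diff(SAMPLE_LINES, CHANGE_AT).items()):
        print(pair, "before:", pre, "after:", post)
```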
Summary and why Mac mini fits this workload
Plugin governance moves trust from tribal knowledge to machine-verifiable policy: manifests bound capabilities, fail-closed defines failure posture, ACP dispatch shrinks the ingress surface, and doctor plus grep supply the evidence chain auditors expect.
On macOS that stacks cleanly with launchd, Unified Logging, Gatekeeper, and SIP. Apple Silicon Mac mini M4 idles on the order of 4W, which is ideal for always-on gateways and sidecar probes; compared with generic mini-PCs at the same price, you usually see smoother long-session behavior when OpenClaw, health exporters, and a light CI runner share one remote physical machine.
If you want this runbook on a dedicated hosted node instead of self-racking hardware, Mac mini M4 remains one of the best-value starting points in 2026—get a remote physical Mac and turn manifest enforcement plus rollback into a repeatable procedure.