openclaw crestodian
Crestodian is OpenClaw’s local setup, repair, and configuration helper. It stays reachable when the normal agent path is broken: it can run when openclaw.json is missing or invalid, the Gateway is down, plugin command registration is unavailable, or no agent is configured yet.
When it starts
Runningopenclaw with no subcommand routes based on config state:
- Config missing, or exists with no authored settings (empty, or only
$schema/metakeys): starts classic onboarding. - Config exists but fails validation: starts Crestodian.
- Config exists and is valid: opens the normal agent TUI (against a reachable configured Gateway, or locally if none is reachable). Use
/crestodianinside the TUI, or runopenclaw crestodiandirectly, to reach Crestodian.
openclaw crestodian always starts Crestodian explicitly, regardless of config state. openclaw --help and openclaw --version keep their normal fast paths.
Noninteractive bare openclaw (no TTY) exits with a short message instead of printing root help: it points to non-interactive onboarding on a fresh install, to openclaw crestodian --message "status" when config is invalid, or to openclaw agent --local ... when config is valid.
openclaw onboard --modern starts Crestodian as the modern onboarding preview. Plain openclaw onboard keeps classic onboarding.
What Crestodian shows
Interactive Crestodian opens the same TUI shell asopenclaw tui, with a Crestodian chat backend. The startup greeting covers:
- config validity and the default agent
- the model or deterministic planner path Crestodian is using
- Gateway reachability from the first startup probe
- the next recommended debug action
status for the detailed inventory: config path, docs/source paths, local CLI probes, key/token presence, agents, model, and Gateway details.
Crestodian uses the same reference discovery as regular agents: in a Git checkout it points at local docs/ and the source tree; in an npm install it uses bundled docs and links to https://github.com/openclaw/openclaw, with guidance to check source when docs are not enough.
Examples
Operations and approval
Crestodian uses typed operations instead of editing config ad hoc. Read-only, run immediately: show overview, list agents, list installed plugins, search ClawHub plugins, show model/backend status, run status/health checks, check Gateway reachability, run doctor without interactive fixes, validate config, show the audit-log path. Starting the guided channel setup (connect telegram) also runs immediately — the wizard itself collects explicit answers and commits only at the end.
Persistent, require conversational approval (or --yes for a direct command): write config, config set, config set-ref, setup/onboarding bootstrap, change the default model, start/stop/restart the Gateway, create agents, install or uninstall plugins, run doctor repairs that rewrite config or state.
Approval is given in your own words: unambiguous replies (“yes”, “sure”, “go ahead”, “not now”) resolve from a closed deterministic list, and anything else is judged by a separate host-run model call that sees only your message and the pending proposal — never by the conversation model itself, which cannot self-approve. Ambiguous replies keep the proposal pending and the conversation asks again. When no model is usable, only the closed deterministic list applies.
Applied writes are recorded in ~/.openclaw/audit/crestodian.jsonl. Discovery is not audited; only applied operations and writes are.
Channel setup can run as a hosted conversation when the host supports masked
input. The local Crestodian TUI does not accept sensitive wizard answers;
instead it directs you to openclaw channels add --channel <channel>, whose
interactive prompts mask credentials.
Setup bootstrap
setup is the chat-first onboarding bootstrap. It writes only through typed config operations and asks for approval first.
- Existing explicit model, if already configured.
OPENAI_API_KEY->openai/gpt-5.5ANTHROPIC_API_KEY->anthropic/claude-opus-4-8- Claude Code CLI ->
claude-cli/claude-opus-4-8 - Codex ->
openai/gpt-5.5through the Codex app-server harness - Gemini CLI ->
google-gemini-cli/gemini-3.1-pro-preview
OPENAI_API_KEY/ANTHROPIC_API_KEY, then run setup again.
The macOS app drives the same ladder through the crestodian.setup.detect and crestodian.setup.activate gateway methods: detect lists every reusable backend it finds, activate live-tests one candidate (a real “reply with OK” completion) and only persists the model, workspace, and gateway defaults after the test passes. A failing candidate never changes config; the app automatically walks down the ladder and finally offers a manual key/token step populated from the Gateway’s active text-inference provider plugins. The selected provider owns its starter model and config, and the credential is verified the same way before it is saved.
AI conversation
Interactive Crestodian is AI-only: every message — including ones that look like typed commands — runs through the same embedded agent loop as regular OpenClaw agents, restricted to one ring-zerocrestodian tool that wraps the typed operations. Read actions run freely, mutations require your conversational approval for that exact operation (see Operations and approval), and every applied write is audited and re-validated. The agent session persists, so the custodian has real multi-turn memory. It first uses the configured OpenClaw model; with no usable model it falls back to a local runtime already present on the machine, in setup-ladder order:
- Claude Code CLI:
claude-cli/claude-opus-4-8(agent loop; the ring-zero tool is served over MCP, see the trust model below) - Codex app-server harness:
openai/gpt-5.5(agent loop with an enforced single-tool allow-list) - Gemini CLI:
google-gemini-cli/gemini-3.1-pro-preview(agent loop; ring-zero tool over MCP)
config set on a sensitive path (tokens, keys, passwords) never reaches a model. It runs on the deterministic path with a redacted proposal, and the value is masked in the AI-visible history. Prefer config set-ref <path> env <ENV_VAR> for secrets.
Message-channel rescue mode never uses the model-assisted planner. Remote rescue stays deterministic so a broken or compromised normal agent path cannot be used as a config editor.
CLI harness trust model
Embedded runtimes and the Codex app-server harness enforce the ring-zero restriction directly: the run carries a tool allow-list with only thecrestodian tool. CLI harnesses (Claude Code, Gemini CLI) cannot enforce an
OpenClaw tool allow-list — the CLI owns its native tools and its own permission
policy, so OpenClaw fails closed if asked to restrict one. For CLI-harness
models Crestodian instead:
- injects a dedicated MCP server that serves only the
crestodiantool and replaces OpenClaw’s normal MCP tool surface for the run (for Claude Code the generated config is applied with--strict-mcp-config, so no other MCP servers are loaded), - keeps every config mutation inside the tool’s approval and audit contract — reads run freely, writes require your conversational yes, and every applied write is audited and re-validated,
- leaves native tools (file reads, shell) to the harness. They follow the same
permission posture as normal OpenClaw agent runs on this machine: with
OpenClaw’s default exec settings Claude Code runs with permissions bypassed,
and a restricted
tools.execconfig falls back to the CLI’s own permission policy.
Switching to an agent
Use a natural-language selector to leave Crestodian and open the normal TUI:openclaw tui, openclaw chat, and openclaw terminal open the normal agent TUI directly; they do not start Crestodian. After switching into the normal TUI, /crestodian returns to Crestodian, optionally with a follow-up request:
Message rescue mode
Message rescue mode is the message-channel entrypoint for Crestodian: use it when your normal agent is dead but a trusted channel (for example WhatsApp) still receives commands. Supported command:/crestodian <request>. Rescue accepts the exact typed command grammar only — natural language is rejected with a hint, never guessed into an operation, and no model is ever consulted.
- Disabled when sandboxing is active for the agent/session; Crestodian refuses remote rescue and points to local CLI repair.
- Default effective state is
auto: allow remote rescue only in trusted YOLO operation, where the runtime already has unsandboxed local authority (tools.exec.securityresolves tofullandtools.exec.askresolves tooff, with sandbox modeoff). - Requires an explicit owner identity; no wildcard sender rules, open group policy, unauthenticated webhooks, or anonymous channels.
- Owner DMs only by default; group/channel rescue needs explicit opt-in.
- Plugin search and list are read-only. Plugin install is always local-only (blocked in rescue, even when otherwise enabled) because it downloads executable code. Plugin uninstall can be approved as a persistent rescue operation.
- Remote rescue cannot open the local TUI or switch into an interactive agent session; use local
openclawfor agent handoff. - Persistent writes still require approval, even in rescue mode.
- Every applied rescue operation is audited. Message-channel rescue records channel, account, sender, and source-address metadata; config-mutating operations also record config hashes before and after.
- Secrets are never echoed. SecretRef inspection reports availability, not values.
- If the Gateway is alive, rescue prefers Gateway typed operations; if it is dead, rescue uses only the minimal local repair surface that does not depend on the normal agent loop.
enabled:"auto"(default) allows rescue only when the effective runtime is YOLO and sandboxing is off;falsenever allows message-channel rescue;trueexplicitly allows rescue when owner/channel checks pass (still subject to the sandboxing denial).ownerDmOnly: restrict rescue to owner direct messages. Defaulttrue.pendingTtlMinutes: how long a pending rescue write stays open for/crestodian yesapproval before expiring. Default15.
/crestodian status plus a persistent approval roundtrip through the rescue handler: