fix(ci): authenticate proof verdict markers

clawsweeper[bot] · clawsweeper[bot] · commit f4c375eaa7e7 · 2026-05-18T17:34:41.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -46,6 +46,7 @@ Docs: https://docs.openclaw.ai
 
 ### Fixes
 
+- CI: require real-behavior-proof verdict markers to come from the ClawSweeper GitHub App before accepting exact-head proof. (#83692)
 - Agents/image generation: allow distinct `image_generate` prompts to start separate session-backed background tasks while same-prompt retries still return the active task status. (#83614) Thanks @Elarwei001.
 - Control UI: stop the chat reading indicator from sticking after an assistant response finishes. (#83515) Thanks @njuboy11.
 - Skills: reject empty or whitespace-only skill names and descriptions during quick validation. (#27061)
diff --git a/scripts/github/real-behavior-proof-policy.mjs b/scripts/github/real-behavior-proof-policy.mjs
@@ -243,11 +243,10 @@ function extractMarkerField(marker, name) {
 }
 
 function isTrustedClawSweeperComment(comment) {
-  const user = comment?.user ?? comment?.author ?? {};
-  const login = String(user?.login ?? "").toLowerCase();
-  const type = String(user?.type ?? "").toLowerCase();
-  const appSlug = String(comment?.performed_via_github_app?.slug ?? "").toLowerCase();
-  return appSlug === "clawsweeper" || (login === "clawsweeper[bot]" && type === "bot");
+  const appSlug = String(
+    comment?.performed_via_github_app?.slug ?? comment?.performedViaGithubApp?.slug ?? "",
+  ).toLowerCase();
+  return appSlug === "clawsweeper";
 }
 
 export function hasClawSweeperExactHeadProof({ pullRequest, comments = [] } = {}) {
diff --git a/test/scripts/barnacle-auto-response.test.ts b/test/scripts/barnacle-auto-response.test.ts
@@ -135,7 +135,11 @@ function barnacleGithub(
     maintainerLogins?: string[];
     removeLabelNotFound?: string[];
     repositoryRoles?: Record<string, string>;
-    comments?: Array<{ body: string; user?: { login: string; type: string } }>;
+    comments?: Array<{
+      body: string;
+      performed_via_github_app?: { slug: string };
+      user?: { login: string; type: string };
+    }>;
   } = {},
 ) {
   const maintainerLogins = new Set(
@@ -797,6 +801,9 @@ describe("barnacle-auto-response", () => {
             login: "clawsweeper[bot]",
             type: "Bot",
           },
+          performed_via_github_app: {
+            slug: "clawsweeper",
+          },
           body: `<!-- clawsweeper-verdict:pass item=123 sha=${headSha} confidence=high -->`,
         },
       ],
diff --git a/test/scripts/real-behavior-proof-policy.test.ts b/test/scripts/real-behavior-proof-policy.test.ts
@@ -190,6 +190,9 @@ describe("real-behavior-proof-policy", () => {
           login: "clawsweeper[bot]",
           type: "Bot",
         },
+        performed_via_github_app: {
+          slug: "clawsweeper",
+        },
         body: [
           "Codex review: passed.",
           "<!-- clawsweeper-verdict:pass item=83581 sha=06ee95df6608d29a395c52ba8ab53fdd93a9dc4f confidence=high -->",
@@ -230,6 +233,27 @@ describe("real-behavior-proof-policy", () => {
     expect(hasClawSweeperExactHeadProof({ pullRequest, comments })).toBe(false);
     expect(evaluateClawSweeperExactHeadProof({ pullRequest, comments }).passed).toBe(false);
   });
+
+  it("rejects bot-shaped ClawSweeper pass verdict markers without the GitHub App source", () => {
+    const pullRequest = {
+      number: 83581,
+      head: {
+        sha: "06ee95df6608d29a395c52ba8ab53fdd93a9dc4f",
+      },
+    };
+    const comments = [
+      {
+        user: {
+          login: "clawsweeper[bot]",
+          type: "Bot",
+        },
+        body: "<!-- clawsweeper-verdict:pass item=83581 sha=06ee95df6608d29a395c52ba8ab53fdd93a9dc4f confidence=high -->",
+      },
+    ];
+
+    expect(hasClawSweeperExactHeadProof({ pullRequest, comments })).toBe(false);
+    expect(evaluateClawSweeperExactHeadProof({ pullRequest, comments }).passed).toBe(false);
+  });
 });
 
 describe("isMaintainerTeamMember", () => {

Original file line number	Diff line number	Diff line change
`@@ -243,11 +243,10 @@ function extractMarkerField(marker, name) {`
`243`	`243`	`}`
`244`	`244`
`245`	`245`	`function isTrustedClawSweeperComment(comment) {`
`246`		`- const user = comment?.user ?? comment?.author ?? {};`
`247`		`- const login = String(user?.login ?? "").toLowerCase();`
`248`		`- const type = String(user?.type ?? "").toLowerCase();`
`249`		`- const appSlug = String(comment?.performed_via_github_app?.slug ?? "").toLowerCase();`
`250`		`- return appSlug === "clawsweeper" \|\| (login === "clawsweeper[bot]" && type === "bot");`
	`246`	`+ const appSlug = String(`
	`247`	`+ comment?.performed_via_github_app?.slug ?? comment?.performedViaGithubApp?.slug ?? "",`
	`248`	`+ ).toLowerCase();`
	`249`	`+ return appSlug === "clawsweeper";`
`251`	`250`	`}`
`252`	`251`
`253`	`252`	`export function hasClawSweeperExactHeadProof({ pullRequest, comments = [] } = {}) {`