Clarify AGENTS.md review policy for config/default additions as review metrics and merge risk

[Takhoffman]

Goal

Update AGENTS.md so OpenClaw-specific ClawSweeper review policy treats new or changed config/default surfaces as review metrics and merge-risk material when they can affect existing users, upgrade behavior, operator action, provider routing, plugin behavior, persisted preferences, setup, startup, or fallback behavior.

This is an OpenClaw repository policy clarification. It should steer review behavior through ClawSweeper's generic reviewMetrics shape and existing review fields such as mergeRiskLabels, risks, bestSolution, mergeRiskOptions, and labelJustifications.

Background

The current AGENTS.md already says plugin APIs, provider routing, auth/session state, persisted preferences, config loading, migrations, setup, startup checks, and fallback behavior are compatibility/upgrade-sensitive. It also says config breaks, removed fallbacks, fail-closed changes, or new operator action should be treated as merge risk even with green CI.

That policy should also cover new config/default additions. Adding a new option, default, required setting, strict mode, validation path, provider route, startup check, workflow behavior, or operator action can change the effective contract even when nothing is removed.

When practical, the review should make the count and direction visible through reviewMetrics, such as “adds 2 config/default surfaces,” “changes 1 default,” or “removes 1 fallback/config surface.” When that metric indicates concrete merge risk, the concern should also appear in risks and the appropriate merge-risk fields.

Proposed AGENTS.md update

In ## ClawSweeper Review Policy, update the existing compatibility/upgrade-sensitive bullet to explicitly include additions.

Suggested wording:

- Plugin APIs, provider routing, auth/session state, persisted preferences, config loading, config/default additions, migrations, setup, startup checks, and fallback behavior are compatibility/upgrade-sensitive. Treat config breaks, new config/default surfaces, removed fallbacks, fail-closed changes, stricter validation, or new operator action as merge risk even with green CI when they can affect existing users, upgrades, provider/plugin behavior, or maintainer operations.

Add a follow-up sentence:

- For PRs that add, remove, or change config/default surfaces with possible compatibility, upgrade, provider/plugin, operator, setup, startup, or fallback impact, ClawSweeper review should emit a `reviewMetrics` entry when practical. The metric should name the count and direction of the changes, such as added, changed, or removed config/default surfaces, and explain why the metric matters before merge. When the metric indicates concrete merge risk, also surface the concern in `risks`, use `mergeRiskLabels` when the risk matches the label rubric, make `bestSolution` name the desired pre-merge state, and ensure `labelJustifications` explain the specific reason rather than restating the label.

Acceptance criteria

• AGENTS.md explicitly says config/default additions can be compatibility/upgrade-sensitive merge risk.
• The wording covers additions without implying every config-looking change is automatically risky.
• For affected PRs, OpenClaw policy steers ClawSweeper to emit reviewMetrics entries that name the count and direction of config/default surface changes when known, such as “adds 2 config/default surfaces,” “changes 1 default,” or “removes 1 fallback/config surface.”
• The metric reason explains why the count matters for merge review, such as compatibility, upgrade behavior, provider/plugin behavior, operator action, setup/startup behavior, or fallback behavior.
• When the metric indicates concrete merge risk, the concern is also surfaced in risks and existing merge-risk fields where appropriate.
• The policy keeps ClawSweeper using generic review metrics and existing review fields rather than introducing an OpenClaw-specific schema concept.
• The policy distinguishes ordinary implementation changes from changes that affect existing users, upgrade behavior, provider/plugin behavior, operator action, or maintainer operations.
• The change remains under ## ClawSweeper Review Policy.

Non-goals

• Do not add an OpenClaw-specific ClawSweeper schema field.
• Do not change ClawSweeper labels in this issue.
• Do not require every config-looking PR to get a merge-risk label.
• Do not require perfect deterministic counting when the public/config boundary is ambiguous.
• Do not duplicate generic ClawSweeper prompt rules in OpenClaw beyond the OpenClaw-specific policy.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed May 24, 2026, 10:28 PM ET / 02:28 UTC.

Summary
Keep open: current AGENTS.md still lacks the requested wording for config/default additions and reviewMetrics, and the protected maintainer label makes this a maintainer-handled policy item rather than an automated cleanup close.

Reproducibility: not applicable. this is a repository policy clarification, not a runtime bug with a reproduction path. The current text can be verified directly in root AGENTS.md.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.
• Include redacted logs or terminal output.

Next step
The protected maintainer label plus clawsweeper:needs-product-decision make this a maintainer wording decision rather than a safe autonomous fix lane.

Review details

Best possible solution:

A maintainer should approve a narrow root AGENTS.md update under ## ClawSweeper Review Policy that covers config/default additions only when they can affect compatibility, upgrades, provider/plugin behavior, setup/startup, fallback behavior, operator action, or maintainer operations, while using generic review metrics and existing merge-risk fields.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a repository policy clarification, not a runtime bug with a reproduction path. The current text can be verified directly in root AGENTS.md.

Is this the best way to solve the issue?

Unclear until maintainer review: the requested direction fits existing compatibility-risk policy, but exact reviewMetrics wording and scope are maintainer policy choices.

Remaining risk / open question:

• The wording is policy-sensitive: too broad a rule could make ordinary config-looking changes appear risky, while too narrow a rule would miss real upgrade/default changes.
• The protected maintainer label and needs-product-decision signal mean a bot-authored policy edit should not be queued without maintainer approval.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 4798264a2993.

Label changes

Label changes:

• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.
• add clawsweeper:needs-maintainer-review: Current issue advisory state selects this label.

Label justifications:

• P3: This is a low-risk repository policy/docs clarification, not a runtime defect or urgent user-facing regression.

Evidence reviewed

Acceptance criteria:

• git diff --check
• Review the exact root AGENTS.md wording under ## ClawSweeper Review Policy for scope creep and generic-schema compatibility.

What I checked:

• Current policy gap: The current ClawSweeper Review Policy covers config loading, migrations, setup, startup checks, fallback behavior, config breaks, removed fallbacks, fail-closed changes, and new operator action, but it does not explicitly cover config/default additions, stricter validation, or reviewMetrics counting. (AGENTS.md:26, 4798264a2993)
• No existing reviewMetrics wording: Repository search found no reviewMetrics mention in AGENTS.md, while the only matching compatibility policy line is the existing line noted above. (AGENTS.md:26, 4798264a2993)
• Policy section provenance: The current ClawSweeper Review Policy section, including the compatibility-risk line, was introduced by the merged AGENTS policy PR commit. (AGENTS.md:26, 242e8767e7a7)
• Related merged policy PR: Commit 242e8767e7a74a2ab486a1db2f3c5dcf6075a33d is docs: add ClawSweeper review policy to AGENTS (#86197) and changed only AGENTS.md, so this issue is a follow-up to that policy surface rather than already implemented text. (AGENTS.md:20, 242e8767e7a7)
• Protected-label routing: The provided live issue context includes maintainer, clawsweeper:no-new-fix-pr, and clawsweeper:needs-product-decision, which makes this explicit maintainer policy work rather than an autonomous repair candidate.
• Vision fit: VISION.md prioritizes security and safe defaults plus setup reliability, and its security section says risky paths should be explicit and operator-controlled, which supports careful review policy for config/default surfaces. (VISION.md:21, 4798264a2993)

Likely related people:

• clawsweeper[bot]: git blame shows the current ClawSweeper Review Policy section and the compatibility-risk line were introduced by commit 242e8767e7a74a2ab486a1db2f3c5dcf6075a33d. (role: recent policy-section author; confidence: high; commits: 242e8767e7a7; files: AGENTS.md)
• Takhoffman: The current issue requests this follow-up clarification, and the related merged policy PR body says the prior AGENTS policy move was requested by this same handle. (role: policy requester; confidence: medium; files: AGENTS.md)
• Vincent Koc: git blame shows the current VISION.md policy direction used for fit assessment was authored in commit ad71a998ff9426e09c17870ab99ed780a45d8fd3. (role: adjacent policy/vision contributor; confidence: low; commits: ad71a998ff94; files: VISION.md)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[Keesan12]

This looks like one of those config changes that behaves like a product change. If defaults are part of the merge surface, I’d want a review checklist that calls out behavior changes, not just syntax, plus a changelog note that says which user path changes. That makes the review risk visible before it slips into main.

[Takhoffman]

@clawsweeper fix

[clawsweeper]

🦞🔧
ClawSweeper issue implementation requested.

I queued the repair worker to verify this issue on latest main and open or update one narrow implementation PR if it is safe.
Action: repair worker queued. Run: https://github.com/openclaw/clawsweeper/actions/runs/26380342678
Model: gpt-5.5

This lane creates PRs only; it does not merge or close the issue.

Result: implementation PR opened.

• PR: docs: clarify config default review risk policy #86295
• Branch: clawsweeper/issue-openclaw-openclaw-86288
• Worker: https://github.com/openclaw/clawsweeper/actions/runs/26380342678
• Updated: 2026-05-25T02:44:13.341Z

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.