fix(config): guard legacy agentRuntime regression

[galiniliev]

Summary

Describe the problem and fix in 2–5 bullets:

• Problem: users upgrading to 2026.4.24 reported Config invalid on agents.defaults.agentRuntime, which could block CLI workflows including the suggested doctor --fix recovery path.
• Main fix already landed: runtime/schema behavior was restored on main by direct commit 5b9be2c (fix: migrate agent runtime config). GitHub's commit-to-PR lookup returns no associated PR for that commit.
• What this PR changes: adds targeted regression tests to lock two guarantees — agents.defaults.agentRuntime is accepted by schema validation, and config guard allowlisted commands (including doctor fix) do not hard-exit on invalid snapshots while still surfacing diagnostics.
• What this PR does not change: no runtime config parser behavior is changed here; this is test-only guardrail coverage for the already-landed fix.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Bug]: 2026.4.24 schema validator rejects agents.defaults.agentRuntime from prior 4.x configs; gates ALL CLI commands including doctor --fix #72872
• Main behavior fix: 5b9be2c (direct main commit; no associated PR returned by GitHub commit-to-PR lookup)
• Related Breaking config change in v2026.4.21: dreaming.storage schema migration breaks CLI on upgrade #70407
• This PR adds regression tests for a bug/regression

Root Cause (if applicable)

• Root cause of the shipped regression: a prior release path reportedly rejected a legacy/expected config key during startup validation. That runtime/schema behavior was already corrected on main by 5b9be2c.
• Missing detection / guardrail addressed by this PR: no focused regression tests were locking agents.defaults.agentRuntime acceptance + doctor fix allowlist behavior in the config guard test path.
• Contributing context (if known): repeated regressions in neighboring config keys show this startup validation surface is high-impact and needs explicit test locks.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file:
  • src/config/zod-schema.agent-defaults.test.ts
  • src/cli/program/config-guard.test.ts
• Scenario the test should lock in:
  • schema accepts agents.defaults.agentRuntime values
  • invalid snapshot mentioning Unrecognized key: "agentRuntime" does not hard-exit allowlisted commands, including doctor fix, while still printing diagnostics.
• Why this is the smallest reliable guardrail: both checks run in fast unit suites and directly cover the two failure surfaces (schema acceptance and startup guard behavior) without introducing broader integration harness cost.
• Existing test that already covers this (if any): existing config-guard allowlist tests partially covered non-exit behavior; this PR adds the agentRuntime-specific assertion.
• If no new test is added, why not: N/A

User-visible / Behavior Changes

None. This PR adds tests only; the user-visible regression fix is already present on main in 5b9be2c.

Diagram (if applicable)

N/A

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) No
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: Linux (dev harness) + Azure Crabbox
• Runtime/container: local Node + pnpm worktree; Azure Crabbox amber-crab (lease cbx_e503b0866411) with Node v22.22.2 and pnpm 11.2.2
• Model/provider: N/A
• Integration/channel (if any): N/A
• Relevant config (redacted): synthetic invalid snapshot in test (agents.defaults → Unrecognized key: "agentRuntime")

Steps

1. Run pnpm test -- src/config/zod-schema.agent-defaults.test.ts src/cli/program/config-guard.test.ts
2. Run Azure Crabbox evidence: collect-openclaw-evidence.sh --id amber-crab --name pr-73257-agent-runtime-proof --test src/config/zod-schema.agent-defaults.test.ts --test src/cli/program/config-guard.test.ts --command '<schema proof command>'
3. Confirm the schema proof accepts id-only agentRuntime and rejects retired fallback.

Expected

• Schema test accepts agents.defaults.agentRuntime.
• Config-guard allowlist test verifies doctor fix does not hard-exit and still emits key diagnostics.

Actual

• Both expectations pass.
• Azure Crabbox focused test proof passed on the same two-file diff before rebase (merge commit 59b92227a710db43bd421c652322eb13ef6a35b7): 2 Vitest shards passed, 41 tests passed. After rebasing onto current origin/main, focused local proof also passed on head a09d162ab0414f2ba05c60ef22bcc78f8c0471bb: 2 files passed, 41 tests passed.
• Schema proof: AGENT_RUNTIME_SCHEMA_PROOF=idOnly:true;fallback:false;fallbackIssue:agentRuntime:Unrecognized key: "fallback".

Real Behavior Proof

Behavior addressed: agents.defaults.agentRuntime remains accepted by schema validation with the supported id-only shape, and allowlisted invalid-config commands including doctor fix continue instead of hard-exiting while surfacing diagnostics.

Real environment tested: Azure Crabbox provider azure, slug amber-crab, lease cbx_e503b0866411, remote workdir /work/crabbox/cbx_e503b0866411/openclaw-pr73257-evidence; Node v22.22.2, pnpm 11.2.2.

Exact steps or command run after this patch: collect-openclaw-evidence.sh --id amber-crab --name pr-73257-agent-runtime-proof --test src/config/zod-schema.agent-defaults.test.ts --test src/cli/program/config-guard.test.ts --command '<schema proof command>'.

Evidence after fix: AGENT_RUNTIME_SCHEMA_PROOF=idOnly:true;fallback:false;fallbackIssue:agentRuntime:Unrecognized key: "fallback"; Azure Crabbox: src/config/zod-schema.agent-defaults.test.ts passed 28 tests and src/cli/program/config-guard.test.ts passed 13 tests; post-rebase local focused proof also passed 41 tests.

Observed result after fix: Crabbox evidence run exited 0; focused remote tests passed 2 shards / 41 tests; post-rebase focused local tests passed 2 files / 41 tests; id-only agentRuntime parsed successfully and retired fallback was rejected.

What was not tested: full cross-version upgrade flow on the originally affected macOS host; packaged npm global install reproduction end-to-end.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios:
  • targeted tests pass for schema + config guard paths locally
  • Azure Crabbox focused evidence passes on the PR merge ref
  • id-only agents.defaults.agentRuntime parses, while retired agentRuntime.fallback is rejected
• Edge cases checked:
  • allowlisted command path includes explicit doctor fix check for non-exit
  • schema proof confirms this PR does not re-lock the retired fallback contract
• What you did not verify:
  • full cross-version upgrade flow on affected macOS host
  • packaged npm global install reproduction end-to-end

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps:

Risks and Mitigations

• Risk: this PR is test-only; if runtime behavior regresses in a new path, these tests may not catch every variant.
  • Mitigation: tests target the two highest-signal contracts for this incident class (schema acceptance + config-guard allowlist behavior), and can be extended if new repro details emerge.

[greptile-apps]

Greptile Summary

This PR adds regression tests only — no production code is changed. It adds a AgentDefaultsSchema schema test confirming agentRuntime is a recognized key, and extends the config-guard suite to assert that doctor fix is in the invalid-config allowlist while still surfacing diagnostics via runtime.error.

Confidence Score: 5/5

Safe to merge — only test files are changed, no production code is affected.

All changes are in test files. The new assertions correctly model the existing implementation: AgentRuntimePolicySchema already accepts { id, fallback }, 'doctor' is already in ALLOWED_INVALID_COMMANDS, and runtime.error is always called before the allowInvalid exit guard.

No files require special attention.

_{Reviews (1): Last reviewed commit: "fix(config): guard legacy agentRuntime r..." | Re-trigger Greptile}

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 25, 2026, 10:57 AM ET / 14:57 UTC.

Summary
The PR adds regression assertions for agents.defaults.agentRuntime schema acceptance and invalid-config guard behavior on doctor fix.

PR surface: Tests +18. Total +18 across 2 files.

Reproducibility: no. high-confidence current-main failure path remains; current main and v2026.5.22 source already accept id-only agents.defaults.agentRuntime and allow doctor through invalid-config diagnostics. The PR is regression coverage for a previously reported release regression, not a runtime behavior change.

Review metrics: none identified.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Next step before merge
There are no actionable repair findings for automation; the remaining action is maintainer review or landing of the guardrail tests.

Security
Cleared: The diff is test-only and does not change permissions, secrets handling, dependency sources, workflows, package metadata, or runtime code execution paths.

Review details

Best possible solution:

Land the focused guardrail tests if maintainers want regression coverage; no runtime/config contract change is needed in this PR.

Do we have a high-confidence way to reproduce the issue?

No high-confidence current-main failure path remains; current main and v2026.5.22 source already accept id-only agents.defaults.agentRuntime and allow doctor through invalid-config diagnostics. The PR is regression coverage for a previously reported release regression, not a runtime behavior change.

Is this the best way to solve the issue?

Yes. For the remaining PR scope, targeted tests are the narrowest maintainable solution because production behavior already matches the desired contract.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against aa702cf3dbe7.

Label changes

Label justifications:

• P2: This is normal-priority regression coverage for a config-validation startup path that previously caused CLI outage symptoms, but the PR is test-only and low blast radius.
• rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (logs): The PR body includes after-patch Crabbox/log proof for the focused schema and config-guard paths plus the explicit schema parse result.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-patch Crabbox/log proof for the focused schema and config-guard paths plus the explicit schema parse result.

Evidence reviewed

PR surface:

Tests +18. Total +18 across 2 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	0	0	0	0
Tests	2	21	3	+18
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	2	21	3	+18

What I checked:

• PR diff scope: The branch only changes src/cli/program/config-guard.test.ts and src/config/zod-schema.agent-defaults.test.ts, adding the id-only agentRuntime schema assertion and extending the invalid-config allowlist test to cover doctor fix. (src/cli/program/config-guard.test.ts:203, a09d162ab041)
• Current schema behavior: Current main already includes agentRuntime: AgentRuntimePolicySchema in AgentDefaultsSchema, and AgentRuntimePolicySchema is strict optional object with optional id, matching the PR's accepted id-only fixture. (src/config/zod-schema.agent-defaults.ts:47, aa702cf3dbe7)
• Current config guard behavior: Current main allowlists doctor for invalid config and emits diagnostics before deciding whether to exit, so the proposed guardrail matches the production path. (src/cli/program/config-guard.ts:6, aa702cf3dbe7)
• Published behavior check: The latest release tag v2026.5.22 contains the same schema acceptance and invalid-config doctor allowlist behavior as current main. (src/cli/program/config-guard.ts:6, a374c3a5bfd5)
• Documented contract: Docs describe whole-agent agents.defaults.agentRuntime as legacy and ignored by runtime selection, with openclaw doctor --fix as the cleanup path; the PR asserts schema/guard reachability without changing that contract. Public docs: docs/gateway/config-agents.md. (docs/gateway/config-agents.md:499, aa702cf3dbe7)
• History provenance: The strict config validation change that touched the central schema and config-guard paths is commit d1e9490f95e0474e41d3718a2a44268a2d33128d, useful for maintainer routing on this surface. (src/cli/program/config-guard.ts:1, d1e9490f95e0)

Likely related people:

• Peter Steinberger: Authored and committed the strict config validation change that touched config-guard.ts, zod-schema.agent-defaults.ts, and zod-schema.agent-runtime.ts; also appears in current release provenance for this area. (role: introduced strict validation / recent area contributor; confidence: high; commits: d1e9490f95e0, a374c3a5bfd5; files: src/cli/program/config-guard.ts, src/config/zod-schema.agent-defaults.ts, src/config/zod-schema.agent-runtime.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Pearl Merge Sprite

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: watches the merge queue.
Image traits: location merge queue dock; accessory commit compass; palette charcoal, cyan, and signal green; mood focused; pose peeking out from the egg shell; shell translucent glimmer shell; lighting soft studio lighting; background miniature CI buoys.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Pearl Merge Sprite in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[galiniliev]

Landing verification for #73257.

Behavior addressed: regression coverage for agents.defaults.agentRuntime schema acceptance and invalid-config doctor fix reachability. The production fix already landed on main in 5b9be2c; this PR adds guardrail tests.

Exact local command run before merge:

git switch --detach upstream/main
git merge --no-ff --no-commit upstream/pr-73257-head
pnpm test -- src/config/zod-schema.agent-defaults.test.ts src/cli/program/config-guard.test.ts
git merge --abort
git switch main

Local proof: merged a09d162ab0414f2ba05c60ef22bcc78f8c0471bb onto latest fetched upstream/main 2afb8198c126875a5c8e912b9b7f67590f58f83d; focused proof passed 2 Vitest shards / 41 tests (src/config/zod-schema.agent-defaults.test.ts: 28 passed, src/cli/program/config-guard.test.ts: 13 passed).

CI proof: GitHub checks green on the relevant lanes, including Real behavior proof run 26418225372 / job 77767196743, CI run 26406445994 covering check-lint, check-prod-types, check-test-types, checks-node-agentic-cli, checks-node-agentic-commands-doctor, and checks-node-agentic-commands-doctor-shared, plus CodeQL/config-boundary run 26406445972.

Known proof gaps: no packaged npm global install or original macOS upgrade reproduction was rerun for this test-only guardrail PR.