lint: classify raw socket callsites

[jesse-merhi]

Summary

• add lint:tmp:raw-socket-classification boundary guard requiring raw net.connect, tls.connect, and http2.connect callsites to be classified before landing, with rationale comments for current allowlisted callsites (local IPC/probes, APNs HTTP/2 wrapper, managed CONNECT tunnel helper, debug proxy internals, QA lab diagnostics, IRC)
• add lint:tmp:managed-proxy-runtime-mutation boundary guard requiring direct mutation of process.env proxy keys and global/globalThis.GLOBAL_AGENT to live in the canonical proxy-lifecycle owner, with a narrow allowlist for the proxy lifecycle and the browser CDP loopback bypass helper
• wire lint:tmp:no-raw-http2-imports and lint:tmp:managed-proxy-runtime-mutation into the additional boundary checks pipeline
• document proxy.loopbackMode (gateway-only default, proxy, block), the --apns-reachable validation probe, and a managed-proxy coverage/status table in docs/security/network-proxy.md

Test Plan

• OPENCLAW_LOCAL_CHECK=0 pnpm test test/scripts/check-raw-socket-callsite-classification.test.ts test/scripts/check-managed-proxy-runtime-mutation.test.ts test/scripts/run-additional-boundary-checks.test.ts
• pnpm lint:tmp:raw-socket-classification
• pnpm lint:tmp:managed-proxy-runtime-mutation
• pnpm lint:tmp:no-raw-http2-imports
• pnpm format:check scripts/check-raw-socket-callsite-classification.mjs scripts/check-managed-proxy-runtime-mutation.mjs test/scripts/check-raw-socket-callsite-classification.test.ts test/scripts/check-managed-proxy-runtime-mutation.test.ts test/scripts/run-additional-boundary-checks.test.ts scripts/run-additional-boundary-checks.mjs package.json docs/security/network-proxy.md
• OPENCLAW_LOCAL_CHECK=0 pnpm check:changed

[clawsweeper]

Codex review: passed.

Summary
The branch adds a CodeQL network-runtime-boundary shard with raw socket and managed proxy mutation queries, plus managed-proxy docs and changelog updates.

Reproducibility: not applicable. This PR adds CI guardrails and documentation, not a runtime bug. The exact-head Critical Quality (network-runtime-boundary) check passed, verifying the new CodeQL shard compiles and runs.

Real behavior proof
Not applicable: Not applicable because this is a MEMBER-authored maintainer PR, so the external-contributor real behavior proof gate does not apply.

Next step before merge
Automerge is requested, but secops-owned files and the non-narrow macos-swift failure need maintainer disposition; there is no clear ClawSweeper repair target.

Security
Cleared: The diff is security-sensitive, but it uses pinned official checkout/CodeQL actions, narrow existing workflow permissions, local queries, and pinned CodeQL pack dependencies without a concrete supply-chain regression.

Review details

Best possible solution:

Land the additive CodeQL guardrail after secops/CODEOWNERS review and exact-head CI disposition, keeping the proxy docs and changelog aligned.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this PR adds CI guardrails and documentation, not a runtime bug. The exact-head Critical Quality (network-runtime-boundary) check passed, verifying the new CodeQL shard compiles and runs.

Is this the best way to solve the issue?

Yes: an additive CodeQL Critical Quality shard is a maintainable place for this policy, and the docs describe the managed-proxy coverage boundary. The remaining decision is maintainer/secops approval plus CI disposition, not a code repair from this review.

What I checked:

• Maintainer/protected PR: The live PR API reports authorAssociation MEMBER with labels docs, maintainer, size: L, and clawsweeper:automerge; this cleanup workflow should not close it. (b64d78065508)
• Secops ownership applies: CODEOWNERS routes .github/codeql/, .github/workflows/codeql-critical-quality.yml, and docs/security/ to @openclaw/openclaw-secops. (.github/CODEOWNERS:10, 8e88c7b29768)
• Additive workflow shard: The PR adds network-runtime-boundary to the CodeQL Critical Quality selector and a dedicated job that fails on SARIF findings. (.github/workflows/codeql-critical-quality.yml:410, b64d78065508)
• Boundary queries: The raw-socket query detects net/tls/http2 connect APIs, and the managed-proxy query detects proxy-related process.env and GLOBAL_AGENT mutations outside allowed owner scopes. (.github/codeql/openclaw-boundary/queries/raw-socket-callsite-classification.ql:33, b64d78065508)
• Docs aligned: The PR-head docs add the managed proxy coverage/status table for HTTP/WebSocket, APNs, loopback, debug proxy, IRC, and other raw socket surfaces. Public docs: docs/security/network-proxy.md. (docs/security/network-proxy.md:224, b64d78065508)
• Exact-head checks: The exact-head Critical Quality (network-runtime-boundary) check completed successfully, while macos-swift completed with failure and only generic exit-code annotations. (b64d78065508)

Likely related people:

• @vincentkoc: Recent history shows repeated additions and expansion of CodeQL Critical Quality shards that this PR extends. (role: CodeQL critical-quality workflow maintainer; confidence: high; commits: 02597caa8bff, 6308d2a1dcd4, 423f6df5b1de; files: .github/workflows/codeql-critical-quality.yml, .github/codeql)
• @jesse-merhi: Prior merged work added operator-managed proxy routing, APNs HTTP/2 proxy handling, and recent managed-proxy docs that this guardrail classifies. (role: managed proxy and APNs runtime owner; confidence: high; commits: 2633b1491413, d5b0083300a6, 5b00cd1ae12a; files: src/infra/net/proxy/proxy-lifecycle.ts, src/infra/push-apns-http2.ts, src/infra/net/http-connect-tunnel.ts)
• @steipete: CODEOWNERS protects the touched CodeQL workflow, query directory, and security docs under secops review, and recent commits touched CodeQL/proxy-adjacent policy. (role: secops and proxy-adjacent maintainer; confidence: medium; commits: 9dd5014cf38c, bdcd543ed78a, b113d92c6fda; files: .github/CODEOWNERS, .github/workflows/codeql-critical-quality.yml, docs/security/network-proxy.md)

Remaining risk / open question:

• Exact-head CI still shows macos-swift failing with only generic exit-code annotations, so a maintainer needs to decide whether it is unrelated before merge.
• The diff is intentionally security-sensitive and touches secops-owned CodeQL workflow/query and security-doc surfaces, so CODEOWNERS/secops review remains the merge gate.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 8e88c7b29768.

[jesse-merhi]

/clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/25422123506
• Updated: 2026-05-06T07:32:47.873Z

[jesse-merhi]

/clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/25423559014
• Updated: 2026-05-06T08:08:59.357Z

[jesse-merhi]

/clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/25427675891
• Updated: 2026-05-06T09:43:47.524Z

[jesse-merhi]

/clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/25428500398
• Updated: 2026-05-06T10:02:48.809Z

[jesse-merhi]

/clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/25431125116
• Updated: 2026-05-06T11:01:50.277Z

[Copilot]

Pull request overview

This PR tightens the project’s network security posture by introducing CodeQL-based “boundary guard” checks that prevent new unclassified raw-socket egress and unmanaged proxy-runtime state mutations from landing without explicit review, and documents managed-proxy coverage/behavior for operators.

Changes:

• Add new CodeQL boundary queries to (1) require classification of raw net/tls/http2 client connect callsites and (2) restrict proxy-related process.env and GLOBAL_AGENT mutations to approved owner scopes.
• Wire a new network-runtime-boundary shard into the “CodeQL Critical Quality” workflow and add a dedicated CodeQL config for these network boundary checks.
• Update proxy security docs with a managed-proxy coverage/status table and add a changelog entry describing the new boundary checks.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
docs/security/network-proxy.md	Adds a managed proxy coverage/status table documenting which traffic surfaces are proxied vs raw/direct.
CHANGELOG.md	Records the managed proxy/security boundary-check additions.
.github/workflows/codeql-critical-quality.yml	Introduces a new network-runtime-boundary shard/job and expands PR path triggers for network boundary checks.
.github/codeql/openclaw-boundary/queries/raw-socket-callsite-classification.ql	New CodeQL query enforcing classification/allowlisting of raw socket connect callsites.
.github/codeql/openclaw-boundary/queries/managed-proxy-runtime-mutation.ql	New CodeQL query enforcing owner-scope restrictions for proxy-related runtime mutations.
.github/codeql/openclaw-boundary/qlpack.yml	Adds a local CodeQL pack definition for the boundary queries.
.github/codeql/openclaw-boundary/codeql-pack.lock.yml	Adds the dependency lockfile for the local CodeQL pack.
.github/codeql/codeql-network-runtime-boundary-critical-quality.yml	Adds a dedicated CodeQL config that runs the new network boundary queries over src and extensions.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Failed
• Detail: The targeted re-review did not finish cleanly. Check the workflow run for details.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/25481738447
• Updated: 2026-05-07T07:22:35.683Z

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/25494652601
• Updated: 2026-05-07T12:10:36.972Z

[jesse-merhi]

/clawsweeper re-review

[jesse-merhi]

/clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/25496237562
• Updated: 2026-05-07T12:44:26.776Z

[jesse-merhi]

/clawsweeper re-review

[jesse-merhi]

/clawsweeper re-review

[jesse-merhi]

/clawsweeper automerge

[clawsweeper]

ClawSweeper 🐠 automerge status

ClawSweeper finished this automerge repair pass without changing the branch.

Executor outcome: no planned fix actions.
Worker summary: Prepared non-mutating classification only. The sole hydrated item, this PR, is already closed as merged, so no repair, close, merge, comment, or label action is valid from this worker run.

Worker actions:

• keep_closed on this PR: skipped - this PR is the canonical PR for this one-item automerge cluster, but it is already closed as merged. The only idempotent result is to keep it closed and emit no mutating repair path.

Nothing moved downstream from this pass: no branch update, replacement PR, merge, or re-review.

fish notes: model gpt-5.5, reasoning high.

Automerge progress:

• 2026-05-07 12:44:51 UTC review queued b64d78065508 (queued)

• 2026-05-07 12:46:33 UTC repair queued b64d78065508 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/25496627680

• 2026-05-07 14:52:45 UTC review queued b64d78065508 (queued)

• 2026-05-07 15:00:18 UTC review passed b64d78065508 (structured ClawSweeper verdict: pass (sha=b64d78065508117287e4bdf338089db3c4a26...)

• 2026-05-07 23:02:30 UTC repair started (running) in 0s Run: https://github.com/openclaw/clawsweeper/actions/runs/25496627680 automerge-openclaw-openclaw-77126

• 2026-05-07 23:02:31 UTC repair completed (no branch change) in 2s Run: https://github.com/openclaw/clawsweeper/actions/runs/25496627680 no planned fix actions

[clawsweeper]

🦞✅
ClawSweeper is pausing this repair loop for human review.

Source: clawsweeper[bot]
Reason: Maintainers should complete secops/CODEOWNERS review and decide whether the failing macos-swift check is unrelated; there is no narrow ClawSweeper repair target.; Cleared: The diff is security-sensitive, but it uses pinned official CodeQL/checkout actions, narrow existing permissions, and local query files without adding a concrete supply-chain regression. (sha=b64d78065508117287e4bdf338089db3c4a26ff4)

I added clawsweeper:human-review and left the final call with a maintainer.

[jesse-merhi]

/clawsweeper automerge