
Policy: add conformance system with channel checks#80407

Merged
steipete merged 8 commits into openclaw:main from giodl73-repo:policy-channels-consumer on May 20, 2026

Conversation

giodl73-repo (Contributor) commented May 10, 2026

Policy: add conformance system with channel checks

Branch: policy-channels-consumer
GitHub base: main
Current draft: #80407
Draft status: channels-first policy PR

Title

Policy: add conformance system with channel checks

Summary

This PR adds policy as a bundled extension for enterprise conformance. It gives operators a workspace
artifact for expressing required posture, uses existing OpenClaw settings as
the enforcement target, and produces auditable proof that the workspace still
matches the requirements.

This draft uses channels as the first concrete policy area:

  • policy.jsonc defines the authored channel requirement, such as denying a
    provider.
  • When the policy is enabled, it registers channel health checks with
    the shared health registry. Doctor then runs the registered checks; doctor
    does not load plugins itself.
  • OpenClaw observes current channels.* config as evidence.
  • doctor --lint reports non-conforming settings, and doctor --fix can
    repair the owned setting when repairs are enabled.
  • policy check --json emits the recordable audit tuple:
    policyHash + evidenceHash + findingsHash + clean result -> attestationHash.

Policy is only a conformance layer here. channels.* remains the runtime
configuration. Findings identify both sides of the decision: target points
to the observed setting, such as oc://openclaw.config/channels/telegram, and
requirement points to the authored policy rule, such as
oc://policy.jsonc/channels/denyRules/#0.

Motivation

Operators already use config to decide which communication surfaces exist, but
there is not a small, auditable way to say "this workspace must not enable this
surface" and then prove that setting is still true. That shows up in adjacent
requests for protected config changes, proposal-only disabling of
plugin/tool/channel surfaces, and doctor dry-run/diff behavior:

This PR keeps the answer narrow. It does not add runtime channel enforcement or
a second channel config system. It adds a way to prove which policy file was
checked against which observed channel evidence, what findings were returned,
and when that check happened.

Maintainer Input Requested

  1. Is policy-as-health the right architecture?

    This draft treats policy as a set of health checks over existing OpenClaw
    surfaces. policy.jsonc defines requirements, the enabled policy package
    registers the relevant checks, and doctor --lint remains the shared
    conformance gate over already-registered checks. Doctor does not load
    plugins itself. Is that the right shape, or should policy own a separate
    check/evaluation loop?

  2. Where should policy settings live?

    The draft uses policy.jsonc for authored requirements and
    plugins.entries.policy.config for operator toggles such as enabled,
    workspaceRepairs, expectedHash, and the policy path. Is that split right,
    or should more of this be expressed through normal OpenClaw config?

  3. Is the attestation shape useful and sufficient?

    policy check --json emits policy.hash, workspace.hash over the
    observed evidence payload, findingsHash, checkedAt, and
    attestationHash. checkedAt is audit metadata; the stable
    attestationHash binds policy hash, evidence hash, findings hash, and clean
    result. Is that the right durable audit tuple for policy checks, or should
    the evidence/result model be different before runtime consumers start
    recording it?

  4. Is the extension activation boundary right?

    Doctor does not load plugins directly. This draft keeps the policy logic in
    the bundled policy extension and lets the core bundled-health loader
    register policy checks only when the policy extension is enabled and not
    blocked by plugin control-plane settings. Is that the right boundary for
    bundled policy health checks?

What Changed

  • Added the bundled policy package and its config schema.
  • Added policy check.
  • Added policy.jsonc as the workspace-owned policy artifact.
  • Added observed channel evidence, hashes, and an attestation hash to
    policy check --json.
  • Added policy finding target and requirement fields so reviewers can see
    the observed setting and authored policy rule behind each finding.
  • Added bounded policy health registration for doctor lint/fix.
  • Added health findings for missing policy, hash mismatch, and denied enabled
    channel providers.
  • Added opt-in repair for denied enabled channels.
  • Added policy evidence collection that treats real channel providers as
    evidence while ignoring reserved channel config namespaces such as
    channels.defaults and channels.modelByChannel.

Policy Shape

{
  "channels": {
    "denyRules": [
      {
        "id": "no-telegram",
        "when": { "provider": "telegram" },
        "reason": "Telegram is not approved for this workspace.",
      },
    ],
  },
}

Category blocks are namespaces. channels: {} does not run a check by itself;
the channel check runs when an authored requirement such as denyRules is
present.

Safety

doctor --lint and policy check are read-only. The audit value comes from
policy check --json, which records:

policy hash + evidence hash + findings hash + clean result -> attestation hash

checkedAt is emitted alongside that hash so operators can see when the check
ran, but it is not part of the stable attestation hash.

doctor --fix only changes channel config when
plugins.entries.policy.config.workspaceRepairs is explicitly enabled. The
repair is intentionally narrow: it disables denied channels and leaves all
other channel material intact.

This draft does not add a channel runtime enforcement hook. If a later channel
gateway hook uses policy to block, approve, or annotate a channel interaction,
the audit message should include the attestation hash from the last clean
policy check. That attestation binds the policy hash, observed evidence hash, findings hash, and clean result so operators can correlate the runtime decision with the exact policy file, workspace evidence, and clean result that produced it. checkedAt remains audit metadata beside the stable hash.

Real behavior proof

PR 80407 current policy channel proof

Fresh deterministic proof artifacts:

Behavior addressed: Policy channel checks produce lint findings, repair the
owned setting when allowed, and end with a clean policy check --json
attestation over the updated evidence.

Real environment tested: Local Windows source checkout with a temporary
OpenClaw config and workspace. The policy was enabled in config,
policy.jsonc denied provider telegram, and the OpenClaw config had
channels.telegram.enabled=true.

Exact steps or command run after this patch:

  1. Authored policy.jsonc with
    channels.denyRules[{ when: { provider: "telegram" } }].
  2. Ran openclaw policy check --json to emit channel evidence plus policy,
    evidence, findings, and attestation hashes.
  3. Ran openclaw doctor --lint --only policy/channels-denied-provider --json.
  4. Ran openclaw doctor --fix --yes --non-interactive to apply enabled policy repairs.
  5. Reran openclaw doctor --lint --only policy/channels-denied-provider --json
    after the fix.
  6. Reran openclaw policy check --json to emit the final clean attestation.

Evidence after fix:

Observed result after fix: The first lint command reports the enabled
Telegram channel with target=oc://openclaw.config/channels/telegram and
requirement=oc://policy.jsonc/channels/denyRules/#0. doctor --fix --yes --non-interactive disables
channels.telegram.enabled. The after-fix lint command validates clean with
zero findings, and the final policy check --json emits a clean attestation
over the updated channel evidence.

What was not tested: No live channel gateway was started. This PR only
changes policy conformance checks and config repair; it does not add runtime
channel enforcement.

Testing

Focused tests cover bounded policy health registration, policy check
attestation output, missing policy reporting, hash mismatch reporting,
deny-rule findings, disabled-channel allowance, and denied-channel repair.

node scripts/run-vitest.mjs extensions/policy/src/policy-state.test.ts extensions/policy/src/cli.test.ts extensions/policy/src/doctor/register.test.ts src/flows/bundled-health-checks.test.ts src/cli/program/register.maintenance.test.ts
node_modules/.bin/tsgo --noEmit --pretty false
node_modules/.bin/tsgo -p tsconfig.core.json --noEmit --incremental false --pretty false
pnpm plugin-sdk:api:check
git diff --check
codex review --base upstream/main

Follow-Up

Tool metadata conformance is scoped as a follow-up PR. It uses the same
authored-policy plus observed-evidence model without reintroducing generated
policy:
#80056

Model, network, and MCP conformance are scoped as a combined follow-up that
shows the same policy shape across more OpenClaw settings categories:
#80783

Runtime audit metadata and accepted-attestation enforcement are scoped as the
final follow-up in this first policy arc:
#81104
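
The description above specifies the whole check-and-attest loop in prose: observe channels.* as evidence while skipping reserved namespaces, match authored denyRules against enabled providers, point each finding at both the observed setting and the authored rule, bind policy hash, evidence hash, findings hash and clean result into an attestation hash with checkedAt kept outside it, and repair only the owned `enabled` flag when repairs are opted in. The TypeScript below is an added example of that model written for this page; it is not code from this PR or from the OpenClaw repository. It reuses only the check ids, the oc:// URI forms and the reserved namespace names quoted in the description. Everything else is assumed: the interface shapes, the `{provider, enabled}` evidence record, canonical-JSON SHA-256 hashing as the hash construction, the hand-rolled JSONC stripper (the real plugin uses a json5 dependency), treating a missing `enabled` flag as disabled, and the constructed sample policy and config. It also covers the fail-closed case raised later in the review thread: an unparseable policy.jsonc, or a deny rule with no `when.provider`, becomes an error finding rather than a clean result.

```typescript
import { createHash } from "node:crypto";

// Shapes assumed for this example; the real extension's types may differ.
interface DenyRule { id?: string; when?: { provider?: string }; reason?: string }
interface Policy { channels?: { denyRules?: unknown } }
interface Finding { checkId: string; severity: "error"; message: string; target?: string; requirement?: string }
interface ChannelEvidence { provider: string; enabled: boolean }
interface Evaluation { findings: Finding[]; evidence: ChannelEvidence[] }

const RESERVED_CHANNEL_KEYS = new Set(["defaults", "modelByChannel"]); // namespaces, not providers
const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");

// Canonical JSON (keys sorted at every level) so a hash does not depend on key order.
function canonical(value: unknown): string {
  if (value === undefined) return "null";
  if (Array.isArray(value)) return `[${value.map(canonical).join(",")}]`;
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    return `{${Object.keys(obj).sort().map((k) => `${JSON.stringify(k)}:${canonical(obj[k])}`).join(",")}}`;
  }
  return JSON.stringify(value);
}

// Minimal JSONC acceptance: drop // and /* */ comments outside strings, then trailing commas.
// The trailing-comma pass is not string-aware; the real plugin uses a json5 parser instead.
function jsoncToJson(text: string): string {
  let out = "", inStr = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inStr) { out += c; if (c === "\\") out += text[++i] ?? ""; else if (c === '"') inStr = false; }
    else if (c === '"') { inStr = true; out += c; }
    else if (c === "/" && text[i + 1] === "/") { while (i < text.length && text[i] !== "\n") i++; i--; }
    else if (c === "/" && text[i + 1] === "*") { const end = text.indexOf("*/", i + 2); i = end < 0 ? text.length : end + 1; }
    else out += c;
  }
  return out.replace(/,(\s*[}\]])/g, "$1");
}

// Observe channels.* as evidence. A missing `enabled` flag counts as disabled here (assumption).
function collectChannelEvidence(config: Record<string, unknown>): ChannelEvidence[] {
  const channels = (config.channels ?? {}) as Record<string, unknown>;
  return Object.keys(channels).filter((k) => !RESERVED_CHANNEL_KEYS.has(k)).sort().map((provider) => {
    const entry = channels[provider] as { enabled?: unknown } | undefined;
    return { provider, enabled: entry?.enabled === true };
  });
}

// Evaluate authored policy text against a config object. An unparseable policy or an
// uninterpretable deny rule is an error finding, never a clean result (fail closed).
function evaluatePolicy(policyText: string, config: Record<string, unknown>): Evaluation {
  const evidence = collectChannelEvidence(config);
  const invalid = (message: string, requirement: string): Finding =>
    ({ checkId: "policy/policy-jsonc-invalid", severity: "error", message, requirement });
  let policy: Policy;
  try {
    policy = JSON.parse(jsoncToJson(policyText)) as Policy;
    if (policy === null || typeof policy !== "object") throw new Error("policy root must be an object");
  } catch (err) {
    return { evidence, findings: [invalid(`policy.jsonc could not be parsed: ${(err as Error).message}`, "oc://policy.jsonc")] };
  }
  const findings: Finding[] = [];
  const raw = policy.channels?.denyRules;
  const rules: DenyRule[] = Array.isArray(raw) ? (raw as DenyRule[]) : [];
  rules.forEach((rule, i) => {
    const requirement = `oc://policy.jsonc/channels/denyRules/#${i}`;
    const denied = rule?.when?.provider;
    if (typeof denied !== "string") { findings.push(invalid("deny rule has no when.provider", requirement)); return; }
    for (const ch of evidence) {
      if (!ch.enabled || ch.provider !== denied) continue;
      findings.push({ checkId: "policy/channels-denied-provider", severity: "error",
        message: rule.reason ?? `channel provider ${denied} is denied by rule ${rule.id ?? `#${i}`}`,
        target: `oc://openclaw.config/channels/${ch.provider}`, requirement });
    }
  });
  return { findings, evidence };
}

// Recordable audit tuple: policyHash + evidenceHash + findingsHash + clean -> attestationHash.
// checkedAt is emitted beside the hash but is deliberately not an input to it.
function attest(policyText: string, result: Evaluation, checkedAt: string) {
  const policyHash = sha256(policyText);
  const evidenceHash = sha256(canonical(result.evidence));
  const findingsHash = sha256(canonical(result.findings));
  const clean = result.findings.length === 0;
  const attestationHash = sha256(canonical({ policyHash, evidenceHash, findingsHash, clean }));
  return { policy: { hash: policyHash }, workspace: { hash: evidenceHash }, findingsHash, clean, checkedAt, attestationHash };
}

// Opt-in repair (workspaceRepairs): flip only the denied provider's `enabled` flag; every other
// key, including that provider's own other settings, stays intact. Returns a new config.
function repairDeniedChannels(config: Record<string, unknown>, findings: Finding[]): Record<string, unknown> {
  const channels = { ...((config.channels ?? {}) as Record<string, unknown>) };
  for (const f of findings) {
    const m = f.checkId === "policy/channels-denied-provider" ? /^oc:\/\/openclaw\.config\/channels\/([^/]+)$/.exec(f.target ?? "") : null;
    if (m) channels[m[1]] = { ...(channels[m[1]] as Record<string, unknown>), enabled: false };
  }
  return { ...config, channels };
}

// Constructed sample input (not the PR's proof run): the policy shape from the description and a
// config that enables telegram next to reserved namespaces that must not count as providers.
const SAMPLE_POLICY = `{ // Telegram is not approved for this workspace.
  "channels": { "denyRules": [ { "id": "no-telegram", "when": { "provider": "telegram" }, "reason": "Telegram is not approved for this workspace.", }, ], },
}`;
const SAMPLE_CONFIG: Record<string, unknown> = { channels: {
  defaults: { model: "example" }, modelByChannel: {}, telegram: { enabled: true, botToken: "constructed-placeholder" }, slack: { enabled: false } } };

const before = evaluatePolicy(SAMPLE_POLICY, SAMPLE_CONFIG);
console.log(JSON.stringify({ ...attest(SAMPLE_POLICY, before, new Date().toISOString()), findings: before.findings }, null, 2));
const after = evaluatePolicy(SAMPLE_POLICY, repairDeniedChannels(SAMPLE_CONFIG, before.findings));
console.log("clean after repair:", attest(SAMPLE_POLICY, after, new Date().toISOString()).clean);
```

Run it with any TypeScript runner (for instance `npx tsx policy-example.ts`). Two properties are worth checking against the real plugin: the attestation hash must be identical for two runs that differ only in checkedAt, and the hash must change as soon as the evidence, the findings or the policy text changes, since a runtime consumer that records "last clean attestation" depends on exactly that binding.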

@openclaw-barnacle openclaw-barnacle Bot added docs Improvements or additions to documentation gateway Gateway runtime cli CLI command changes scripts Repository scripts commands Command implementations extensions: oc-path size: XL maintainer Maintainer-authored PR labels May 10, 2026
clawsweeper Bot commented May 10, 2026

Codex review: needs maintainer review before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR adds a bundled policy plugin with policy check, policy.jsonc channel deny-rule evidence and attestations, doctor lint/fix health registration, docs, labeler metadata, tests, and a plugin-local json5 dependency.

Reproducibility: not applicable as a bug reproduction; this is a new feature PR. The inspected proof log gives a high-confidence behavior path for policy check, doctor lint, opt-in repair, and clean recheck.

PR rating
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Summary: The PR has strong behavior proof and no blocking code finding, with remaining confidence gated by maintainer policy and release/package decisions.

Rank-up moves:

  • Get explicit maintainer approval for the bundled policy, repair, dependency, and attestation boundaries.
  • Run package/release-oriented checks for the new bundled plugin and dependency importer before merge.
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (logs): Linked logs show after-fix behavior in a temporary real Windows checkout, including policy findings, opt-in repair, disabled Telegram config, and clean recheck; later head changes are docs/package metadata only.

Risk before merge

  • Maintainers still need to accept policy-as-health, the policy.jsonc plus plugin-config split, stable attestation semantics, and the bundled extension boundary before this becomes the base for the linked policy stack.
  • When workspaceRepairs is enabled, doctor --fix can intentionally disable an existing configured channel, so operators need to understand that opt-in can stop a current channel workflow.
  • The PR adds a bundled plugin package, plugin-local dependency, lockfile importer, labeler metadata, and generated inventory/docs surfaces, so release/package automation should verify the new package is handled correctly.

Maintainer options:

  1. Accept the policy boundary
    Maintainers can explicitly approve the policy-as-health model, the authored policy/config split, the opt-in repair behavior, and the attestation trust semantics before merge.
  2. Run release and package proof
    Before merging, verify the new bundled plugin package, lockfile importer, inventory docs, and labeler metadata through package/release-oriented checks rather than relying only on focused unit tests.
  3. Pause the policy stack
    If policy should remain external or needs a broader governance design first, pause or close this stack before follow-up policy PRs build on this boundary.

Next step before merge
No narrow automation repair remains; the next action is maintainer approval of the policy/security/release boundary plus package-oriented validation.

Security
Cleared: No concrete security or supply-chain defect was found; the pinned plugin-local json5 dependency and policy trust model remain maintainer approval decisions.

Review details

Best possible solution:

Merge this only as an explicitly approved, opt-in conformance layer over existing OpenClaw config, with release/package checks confirming the new bundled plugin and dependency are packaged correctly.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a bug reproduction; this is a new feature PR. The inspected proof log gives a high-confidence behavior path for policy check, doctor lint, opt-in repair, and clean recheck.

Is this the best way to solve the issue?

Unclear until maintainers accept the product boundary. If policy-as-health is the desired architecture, the implementation is coherent and I did not find a blocking correctness defect; if not, this should pause before the dependent policy stack proceeds.

Label changes:

  • add rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🦞 diamond lobster, patch quality is 🐚 platinum hermit, and the PR has strong behavior proof and no blocking code finding, with remaining confidence gated by maintainer policy and release/package decisions.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (logs): Linked logs show after-fix behavior in a temporary real Windows checkout, including policy findings, opt-in repair, disabled Telegram config, and clean recheck; later head changes are docs/package metadata only.
  • remove rating: 🦐 gold shrimp: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
  • remove status: ⏳ waiting on author: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

  • P2: This is a substantial but opt-in policy/conformance feature with focused blast radius and no evidence of an urgent production regression.
  • merge-risk: 🚨 compatibility: Enabling policy workspace repairs can intentionally disable an existing channel config path during doctor --fix.
  • merge-risk: 🚨 security-boundary: The PR introduces policy hashes, accepted attestations, and conformance checks that affect operator trust and future enforcement boundaries.
  • merge-risk: 🚨 automation: The diff adds a bundled plugin package, dependency lockfile importer, labeler metadata, changelog, and generated plugin inventory surfaces that release automation must handle.
  • rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🦞 diamond lobster, patch quality is 🐚 platinum hermit, and the PR has strong behavior proof and no blocking code finding, with remaining confidence gated by maintainer policy and release/package decisions.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (logs): Linked logs show after-fix behavior in a temporary real Windows checkout, including policy findings, opt-in repair, disabled Telegram config, and clean recheck; later head changes are docs/package metadata only.
  • proof: sufficient: Contributor real behavior proof is sufficient. Linked logs show after-fix behavior in a temporary real Windows checkout, including policy findings, opt-in repair, disabled Telegram config, and clean recheck; later head changes are docs/package metadata only.

Acceptance criteria:

  • node scripts/run-vitest.mjs extensions/policy/src/policy-state.test.ts extensions/policy/src/cli.test.ts extensions/policy/src/doctor/register.test.ts src/flows/bundled-health-checks.test.ts src/cli/program/register.maintenance.test.ts
  • node_modules/.bin/tsgo --noEmit --pretty false
  • node_modules/.bin/tsgo -p tsconfig.core.json --noEmit --incremental false --pretty false
  • pnpm plugin-sdk:api:check
  • pnpm plugins:inventory:check

What I checked:

  • Policy checks and opt-in repair: The policy plugin registers five doctor checks, evaluates policy files, reports denied enabled channels, and only repairs channel config when workspaceRepairs is enabled. (extensions/policy/src/doctor/register.ts:51, 4e09b067f446)
  • Bundled activation boundary: Core doctor lint/fix loads the bundled policy public API only when policy is enabled and passes the plugin control-plane policy check. (src/flows/bundled-health-checks.ts:11, 4e09b067f446)
  • Policy CLI behavior: policy check builds a lint context, evaluates policy findings, emits evidence and attestation hashes, and uses config snapshot reads with observation disabled. (extensions/policy/src/cli.ts:73, 4e09b067f446)
  • Focused regression coverage: The tests cover malformed policy files, malformed deny rules, hash and attestation mismatch gating, denied-channel findings, and opt-in channel repair. (extensions/policy/src/doctor/register.test.ts:137, 4e09b067f446)
  • Package metadata synced: The latest PR head has @openclaw/policy version 2026.5.19 and peerDependencies.openclaw >=2026.5.19, matching the root package version at that head. (extensions/policy/package.json:1, 4e09b067f446)
  • Real behavior proof inspected: The linked proof log shows policy check --json, doctor --lint, doctor --fix --yes --non-interactive, disabled channels.telegram.enabled, and clean after-repair detection in a temporary Windows checkout. (0fb828e20e4b)

Likely related people:

  • giodl73-repo: The related merged doctor health-contract PR is the base surface this policy plugin consumes, and the current policy stack is built around that contract rather than being an isolated drive-by proposal. (role: feature owner and adjacent health-contract contributor; confidence: high; commits: 9a5f2f61e76f, de929d0101e2; files: src/flows/health-checks.ts, src/plugin-sdk/health.ts, extensions/policy/src/doctor/register.ts)
  • steipete: The latest PR head is a maintainer-authored docs and package-metadata polish commit, and the PR is currently assigned to this maintainer in the provided timeline. (role: recent PR branch maintainer and docs/package polisher; confidence: high; commits: 4e09b067f446, 50a2481652b6; files: docs/cli/policy.md, docs/plugins/reference/policy.md, extensions/policy/package.json)
  • Vincent Koc: The bundled policy health loader depends on the bundled public artifact loader, whose recent history has several focused loader performance and cache changes by this contributor. (role: adjacent public-surface loader contributor; confidence: medium; commits: 7834cc14f092, b2076f0a3f4a, 5a9ee9841959; files: src/plugins/public-surface-loader.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 45930457ca19.

@giodl73-repo giodl73-repo changed the title Policy: add channel conformance checks Policy: add conformance system with channel checks May 10, 2026
@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. and removed proof: sufficient ClawSweeper judged the real behavior proof convincing. labels May 10, 2026
@giodl73-repo giodl73-repo force-pushed the policy-channels-consumer branch 3 times, most recently from efc8b7e to 8fc98cc Compare May 10, 2026 23:32
@clawsweeper clawsweeper Bot added the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 10, 2026
@giodl73-repo giodl73-repo force-pushed the policy-channels-consumer branch 2 times, most recently from b3c097b to ab1a5fb Compare May 11, 2026 21:40
@giodl73-repo giodl73-repo force-pushed the policy-channels-consumer branch from ab1a5fb to 860487e Compare May 11, 2026 22:06
galiniliev (Contributor) commented:

Review result: NEEDS WORK

I found one blocker before this should go to /prepare-pr:

F1 IMPORTANT: Invalid policy.jsonc is treated as clean

In extensions/policy/src/doctor/register.ts, evaluatePolicyUncached returns with an empty findings array when the parsed policy has error diagnostics. That means doctor --lint and policy check can report success even though the enabled policy artifact cannot be parsed, and the channel deny rules/hash checks are skipped.

I verified this with a malformed policy.jsonc ({ channels: ): evaluatePolicy returned {"findings":[],"hasPolicy":false}.

Fix requested: Add a dedicated policy-parse-error health finding/check, or reuse an existing policy finding surface with error severity, and include tests for malformed policy files in both doctor lint and policy check --json.

Focused tests passed locally via PowerShell:

pnpm exec vitest run extensions/policy/src/doctor/register.test.ts extensions/policy/src/cli.test.ts src/flows/bundled-health-checks.test.ts extensions/oc-path/src/oc-path/tests/document.test.ts --reporter=dot

Result: 4 test files passed, 24 tests passed.

Note: the scripts/pr review-tests wrapper was attempted first, but failed before executing tests in this Windows/WSL environment because Bash pnpm launched Windows Node with an unconverted /mnt/c/.../pnpm.cjs path.

@giodl73-repo giodl73-repo force-pushed the policy-channels-consumer branch from 860487e to 9fa1a57 Compare May 12, 2026 03:52
@clawsweeper clawsweeper Bot removed the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 12, 2026
@giodl73-repo giodl73-repo force-pushed the policy-channels-consumer branch from 9fa1a57 to bb7fb6f Compare May 12, 2026 04:02
giodl73-repo (Contributor, Author) commented:

Fixed in the latest push (bb7fb6f): malformed policy JSONC now emits a policy/policy-jsonc-invalid error finding instead of returning clean, with focused coverage in extensions/policy/src/doctor/register.test.ts. I also made doctor --fix reject --only/--skip outside --lint so selectors are not silently ignored.

giodl73-repo (Contributor, Author) commented:

@clawsweeper re-review

clawsweeper Bot commented May 12, 2026

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. merge-risk: 🚨 security-boundary 🚨 May affect sandboxing, authorization, credentials, or sensitive data. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. impact:security Security boundary, credential, authz, sandbox, or sensitive-data risk. labels May 18, 2026
giodl73-repo (Contributor, Author) commented:

@clawsweeper re-review

clawsweeper Bot commented May 18, 2026

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added rating: 🌊 off-meta tidepool PR readiness rating does not apply to this item. and removed proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. labels May 18, 2026
giodl73-repo (Contributor, Author) commented:

The prior re-review workflow run failed before producing a fresh verdict. Re-requesting now that the docs nav fix is pushed and CI is green.

@clawsweeper re-review

giodl73-repo (Contributor, Author) commented:

/review

clawsweeper Bot commented May 19, 2026

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

clawsweeper Bot commented May 19, 2026

ClawSweeper PR egg

✨ Hatched: 🥚 common Moonlit Diff Drake

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: collects tiny proofs.
Image traits: location artifact grotto; accessory commit compass; palette moss green and polished brass; mood determined; pose balancing on a branch marker; shell matte ceramic shell; lighting subtle sparkle highlights; background little resolved-comment flags.

What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

steipete (Contributor) commented:

Merged in cbf72e5. Thanks @giodl73-repo.

What landed:

  • bundled Policy plugin with channel conformance checks and openclaw policy check
  • policy attestation drift checks and opt-in doctor --fix workspace repair
  • CLI docs, generated plugin inventory/reference docs, package metadata sync, and changelog credit

Proof:

  • local: node --import tsx scripts/sync-plugin-versions.ts --check
  • local: pnpm plugins:inventory:check
  • local: pnpm docs:list
  • local: git diff --check origin/main..HEAD
  • local: node scripts/run-vitest.mjs extensions/policy/src/policy-state.test.ts extensions/policy/src/cli.test.ts extensions/policy/src/doctor/register.test.ts src/flows/bundled-health-checks.test.ts src/cli/program/register.maintenance.test.ts passed, 5 files / 42 tests
  • autoreview: accepted docs JSON-shape finding fixed, reran clean; codex review --commit HEAD clean after rebase
  • GitHub CI on 4e09b06: CI, Workflow Sanity, CodeQL, CodeQL Critical Quality, OpenGrep PR Diff, Real behavior proof, Dependency Change Awareness all green; reran the failed Windows Node setup job successfully


Labels

cli CLI command changes commands Command implementations dependencies-changed PR changes dependency-related files docs Improvements or additions to documentation maintainer Maintainer-authored PR merge-risk: 🚨 automation 🚨 May affect CI, automerge, proof capture, label sync, or maintainer automation. merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. merge-risk: 🚨 security-boundary 🚨 May affect sandboxing, authorization, credentials, or sensitive data. P2 Normal backlog priority with limited blast radius. proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. scripts Repository scripts size: XL status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

3 participants