Policy: add model, network, and MCP conformance checks

[giodl73-repo]

Policy: add model, network, and MCP conformance checks

Branch: policy-conformance-examples
GitHub base: main
Logical base: main after #80056 merged
Status: ready for maintainer review

Summary

This PR extends the bundled Policy plugin with three additional config-level conformance areas: model providers and model refs, private-network SSRF settings, and OpenClaw-managed MCP servers.

Policy stays a read-only conformance layer over existing OpenClaw config:

• policy.jsonc defines authored requirements.
• OpenClaw config remains the source of truth for observed workspace state.
• Policy extracts evidence from existing settings.
• The Policy plugin registers doctor health checks for concrete authored rules.
• doctor --lint and policy check report drift without mutating config or runtime state.
• policy check --json emits the recordable audit tuple: policyHash + evidenceHash + findingsHash + clean result -> attestationHash.

This follows the channels and tools policy slices, but keeps the added areas read-only. It proves the shape works across several OpenClaw settings categories without adding runtime enforcement or duplicate registries.

What Changed

• Added model-provider evidence to policy check --json: modelProviders and modelRefs.
• Added models.providers.allow and models.providers.deny policy support.
• Added policy/models-denied-provider and policy/models-unapproved-provider.
• Added network evidence to policy check --json.
• Added network.privateNetwork.allow.
• Added policy/network-private-access-enabled.
• Added MCP server evidence to policy check --json.
• Added mcp.servers.allow and mcp.servers.deny policy support.
• Added policy/mcp-denied-server and policy/mcp-unapproved-server.
• Updated policy CLI and plugin reference docs.
• Added tests for denied rules, allowlists, evidence extraction, and empty category namespaces.

Policy Shape

{
  "models": {
    "providers": {
      "allow": ["openai", "anthropic"],
      "deny": ["openrouter"],
    },
  },
  "network": {
    "privateNetwork": {
      "allow": false,
    },
  },
  "mcp": {
    "servers": {
      "allow": ["docs"],
      "deny": ["untrusted"],
    },
  },
}

Category blocks are namespaces. A block such as models: {}, network: {}, or mcp: {} does not run a check by itself. A check runs when a concrete authored requirement is present, such as models.providers.allow, network.privateNetwork.allow, or mcp.servers.deny.

Deny wins over allow. If a provider or server is denied, the finding reports the deny rule and does not also report the allowlist rule for the same target.

Evidence Shape

{
  "evidence": {
    "modelProviders": [
      {
        "id": "openai",
        "source": "oc://openclaw.config/models/providers/openai"
      }
    ],
    "modelRefs": [
      {
        "ref": "openai/gpt-5.5",
        "provider": "openai",
        "model": "gpt-5.5",
        "source": "oc://openclaw.config/agents/defaults/model"
      }
    ],
    "network": [
      {
        "id": "browser-private-network",
        "source": "oc://openclaw.config/browser/ssrfPolicy/dangerouslyAllowPrivateNetwork",
        "value": false
      }
    ],
    "mcpServers": [
      {
        "id": "docs",
        "transport": "stdio",
        "source": "oc://openclaw.config/mcp/servers/docs",
        "command": "npx"
      }
    ]
  }
}

Safety

doctor --lint and policy check are read-only for these areas. This PR does not:

• change model config or intercept model runtime calls;
• change browser or web-fetch network config;
• edit mcp.servers, start MCP runtimes, stop MCP runtimes, or contact remote MCP servers;
• add gateway protocol, approval, before-tool-call, or runtime policy enforcement surfaces.

Findings identify both sides of the decision:

• target points to the observed OpenClaw setting.
• requirement points to the authored policy rule.

Real Behavior Proof

Behavior addressed: Enabled bundled Policy registers model-provider, MCP-server, and private-network health checks, collects config-derived evidence, and emits structured findings with oc:// target/requirement paths when configured model providers, MCP servers, or private-network SSRF posture violates policy.

Real environment tested: Windows source worktree restacked on origin/main after #80056 merge, head 6f6e7c8283; previous before/after WSL proof artifact remains linked below.

Exact steps or command run after this patch:

• pnpm docs:list
• node --no-maglev node_modules\\vitest\\vitest.mjs extensions/policy/src/policy-state.test.ts extensions/policy/src/cli.test.ts extensions/policy/src/doctor/register.test.ts src/flows/bundled-health-checks.test.ts --run
• node node_modules\\@typescript\\native-preview\\bin\\tsgo.js --project tsconfig.json --noEmit
• pnpm docs:check-mdx -- docs/cli/policy.md docs/plugins/reference/policy.md
• git diff --check origin/main...HEAD

Evidence after fix:

Observed result after fix: Focused policy and bundled health-check tests passed 4 files and 70 tests. tsgo, docs MDX, and diff whitespace checks passed. The restacked diff is limited to Policy docs, Policy source/tests, and the bundled health-check registration test.

What was not tested: Runtime policy enforcement, approval metadata propagation, approval UI, supervisor protocol, gateway protocol, Swift protocol surfaces, and MCP runtime execution are intentionally not part of this PR. Local oxfmt could not be run in this Windows worktree because the formatter process failed with spawn EPERM / Access is denied; docs MDX and whitespace checks passed.

Related

• Doctor health contract and lint validation: Doctor: add health-check contract and --lint validation #80055
• Channels-first policy conformance: Policy: add conformance system with channel checks #80407
• Tool metadata conformance: Policy: add tool metadata conformance #80056
• Runtime audit metadata and attestation enforcement: Policy: add runtime audit metadata and attestation enforcement #81104

Policy stack links

This PR is part of the Policy 1.0 proof stack:

1. Policy: add conformance system with channel checks #80407 — Policy: add conformance system with channel checks
2. Policy: add tool metadata conformance #80056 — Policy: add tool metadata conformance
3. Policy: add model, network, and MCP conformance checks #80783 — Policy: add model, network, and MCP conformance checks
4. Policy: add runtime audit metadata and attestation enforcement #81104 — Policy: add runtime audit metadata and attestation enforcement
5. Policy: add secret and auth conformance checks #81974 — Policy: add secrets auth provenance checks
6. Policy: add gateway exposure checks #81981 — Policy: add gateway exposure checks

[clawsweeper]

Codex review: needs maintainer review before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Adds read-only Policy plugin evidence, doctor/policy checks, docs, and tests for model providers/refs, MCP servers, and selected private-network SSRF settings.

Reproducibility: not applicable. as a feature PR rather than a bug report. The source diff and inspected proof show the new model, MCP, and network policy checks are absent on current main and present on the PR head.

PR rating
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Summary: Strong focused proof and a coherent read-only Policy implementation; remaining uncertainty is maintainer acceptance of the governance boundary and attestation churn, not a discrete patch bug.

Rank-up moves:

• none

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (terminal): The PR body contains an inspected before/after proof image for the new policy categories, and later comments provide after-fix command output for the latest provider-normalization regression repairs.

Risk before merge

• Merging changes the Policy evidence payload and workspace hash shape, so accepted attestations produced from the current channel/tool-only Policy surface need an intentional refresh.
• This expands a governance-facing Policy category boundary; false-clean model, MCP, or network findings would weaken audit confidence even though the implementation is read-only.
• The provided proof is focused source-worktree proof plus command output; broad CI/Testbox results were not part of the evidence I could inspect here.

Maintainer options:

1. Accept category expansion with attestation refresh (recommended)
   Merge after maintainer approval that existing accepted Policy attestations from the earlier evidence shape must be regenerated when this stack ships.
2. Hold for narrower policy scope
   Pause this PR if maintainers are not ready for model, MCP, or private-network posture to become bundled Policy audit categories.
3. Add release-facing upgrade note
   Before shipping a release with this stack, note that the Policy evidence hash includes new model, MCP, and network evidence fields.

Next step before merge
No narrow automated repair remains; the protected maintainer label and governance-facing Policy category expansion need human approval before merge.

Security
Cleared: No dependency, workflow, script, or code-execution regression was found; the diff is read-only Policy evaluation and redacts MCP URLs while using the shared provider normalization contract.

Review details

Best possible solution:

Land the category expansion only after maintainers accept the read-only Policy boundary and expected attestation refresh, keeping runtime enforcement in the separate follow-up PR.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a feature PR rather than a bug report. The source diff and inspected proof show the new model, MCP, and network policy checks are absent on current main and present on the PR head.

Is this the best way to solve the issue?

Yes, subject to maintainer acceptance of the category boundary. The implementation keeps Policy read-only, uses existing OpenClaw config as evidence, and reuses the shared provider-id normalization contract instead of adding a separate provider registry.

Label changes:

• add rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🦞 diamond lobster, patch quality is 🐚 platinum hermit, and Strong focused proof and a coherent read-only Policy implementation; remaining uncertainty is maintainer acceptance of the governance boundary and attestation churn, not a discrete patch bug.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body contains an inspected before/after proof image for the new policy categories, and later comments provide after-fix command output for the latest provider-normalization regression repairs.
• remove rating: 🦐 gold shrimp: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
• remove status: ⏳ waiting on author: Current PR status label is status: 👀 ready for maintainer look.
• remove proof: 📸 screenshot: Current real behavior proof evidence kind is terminal.

Label justifications:

• P2: This is a normal-priority Policy feature expansion with limited blast radius but meaningful maintainer review needs.
• merge-risk: 🚨 compatibility: The PR changes Policy evidence and attestation hash inputs, so existing accepted Policy hashes may need regeneration.
• merge-risk: 🚨 security-boundary: The PR expands audit/governance checks for model, MCP, and network posture, where false-clean findings would affect security confidence.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🦞 diamond lobster, patch quality is 🐚 platinum hermit, and Strong focused proof and a coherent read-only Policy implementation; remaining uncertainty is maintainer acceptance of the governance boundary and attestation churn, not a discrete patch bug.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body contains an inspected before/after proof image for the new policy categories, and later comments provide after-fix command output for the latest provider-normalization regression repairs.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body contains an inspected before/after proof image for the new policy categories, and later comments provide after-fix command output for the latest provider-normalization regression repairs.

What I checked:

• Current main policy evidence scope: On current main, collectPolicyEvidence returns channel evidence and optional TOOLS.md evidence only; model, MCP, and network evidence are not implemented there. (extensions/policy/src/policy-state.ts:99, c49647ee238a)
• PR policy evidence scope: The PR head changes collectPolicyEvidence to always include mcpServers, modelProviders, modelRefs, and network evidence alongside channels/tools. (extensions/policy/src/policy-state.ts:142, 84998bfea9ae)
• PR conformance checks: The PR head adds MCP allow/deny, model provider allow/deny, and private-network findings that compare evidence to authored policy rules. (extensions/policy/src/doctor/register.ts:827, 84998bfea9ae)
• Provider-normalization regression coverage: The latest PR head includes regressions for mixed-case OpenRouter refs and the aws-bedrock alias normalizing to amazon-bedrock for deny/allow policy comparison. (extensions/policy/src/doctor/register.test.ts:917, 84998bfea9ae)
• Provider-id dependency contract: The shared provider-model SDK export points to normalizeProviderId, whose runtime aliases include aws-bedrock -> amazon-bedrock and case-normalized provider ids. (src/agents/provider-id.ts:3, c49647ee238a)
• Docs describe the new public policy surface: The PR docs list the new 15 Policy check ids and examples for MCP, model-provider, and network findings. Public docs: docs/cli/policy.md. (docs/cli/policy.md:276, 84998bfea9ae)

Likely related people:

• giodl73-repo: Authored the merged Policy channel conformance, tool metadata conformance, and doctor health-contract PRs that introduced and extended the same Policy plugin and doctor lint surfaces. (role: feature-history owner; confidence: high; commits: cbf72e5e26ee, a30ac3f8d7cb, 9a5f2f61e76f; files: extensions/policy/src/policy-state.ts, extensions/policy/src/doctor/register.ts, docs/cli/policy.md)
• Andy Ye: Local current-main blame/log for the policy files attributes the checked-out source snapshot to commit 46030f5, so this is a weak routing signal for current checkout provenance rather than feature authorship. (role: current-main snapshot contributor; confidence: low; commits: 46030f548986; files: extensions/policy/src/policy-state.ts, extensions/policy/src/doctor/register.ts, docs/cli/policy.md)

Codex review notes: model gpt-5.5, reasoning high; reviewed against c49647ee238a.

[giodl73-repo]

Fixed the review findings in the latest push (7cf60f4): invalid policy JSONC now emits a policy parse finding, MCP URL evidence is redacted to scheme/host, and agents.defaults.models allowlist keys are scanned as model refs. I also updated the proof section so the Real behavior proof gate is green.

[giodl73-repo]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/25712952250
• Updated: 2026-05-12T04:21:09.840Z

[giodl73-repo]

Fixed the docs/check-id drift in c382517: policy.md now lists all 13 policy checks including invalid policy JSONC and unknown tool risk. I also brought over the policy health host-registry wiring and made workspace repair opt-in config-only, with a regression test so policy.jsonc cannot enable repairs by itself. Focused tests passed for policy doctor registration, bundled health checks, policy CLI, and runtime tool policy. @clawsweeper re-review

[giodl73-repo]

Restacked on the updated policy tool runtime branch and current origin/main (e643890). Fixed the policy docs check count and the strict partial-config test casts, then reran focused stack verification.\n\n@clawsweeper re-review

[giodl73-repo]

Fixed the latest ClawSweeper findings in d76802b:

• Added fail-closed policy/policy-jsonc-invalid validation for malformed mcp.servers.allow/deny, models.providers.allow/deny, and network.privateNetwork.allow rule shapes.
• Added regression coverage for malformed MCP/model/network policy entries.
• Updated the docs JSON example to checksRun: 15.

Verification after rebasing onto current origin/main:

• node --no-maglev node_modules\vitest\vitest.mjs extensions/policy/src/doctor/register.test.ts extensions/policy/src/cli.test.ts --run --reporter=dot
• node node_modules\@typescript\native-preview\bin\tsgo.js -p test/tsconfig/tsconfig.extensions.test.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/extensions-test-policy-80783-validation.tsbuildinfo
• pnpm docs:check-mdx -- docs/cli/policy.md docs/plugins/reference/policy.md
• git diff --check origin/main...HEAD

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26206484971
• Updated: 2026-05-21T05:08:42.993Z

[giodl73-repo]

Fixed the latest ClawSweeper P2 findings in signed commit 66495f031f:

• Quoted dynamic MCP server id evidence paths, including ids with whitespace.
• Quoted agents.defaults.models model-ref keys, including refs containing /.
• Added regressions for Outlook Graph MCP evidence and openrouter/* model-ref evidence.

Verification:

• node --no-maglev node_modules\vitest\vitest.mjs extensions/policy/src/doctor/register.test.ts extensions/policy/src/cli.test.ts --run --reporter=dot
• node node_modules\@typescript\native-preview\bin\tsgo.js -p test/tsconfig/tsconfig.extensions.test.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/extensions-test-policy-80783-ocpath.tsbuildinfo
• git diff --check

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26207423326
• Updated: 2026-05-21T05:39:00.154Z

[giodl73-repo]

Fixed the ClawSweeper per-agent model map finding in 5ed7c62.

Behavior addressed: policy evidence now scans documented per-agent agents.list[].models map keys in addition to agents.defaults.models, so refs such as agents.list[0].models["openrouter/*"] are checked by model provider allow/deny policy.
Real environment tested: local Codex worktree on Windows for PR #80783.
Exact steps or command run after this patch:

• node --no-maglev node_modules\vitest\vitest.mjs extensions/policy/src/doctor/register.test.ts extensions/policy/src/cli.test.ts --run --reporter=dot
• node node_modules\@typescript\native-preview\bin\tsgo.js -p test/tsconfig/tsconfig.extensions.test.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/extensions-test-policy-80783-per-agent-models.tsbuildinfo
• git diff --check
  Evidence after fix: focused policy doctor regression added for agents.list[0].models["openrouter/*"] producing policy/models-unapproved-provider at oc://openclaw.config/agents/list/#0/models/"openrouter/*".
  Observed result after fix: Vitest passed 2 files / 74 tests; tsgo passed; diff check passed; commit is GitHub verified.
  What was not tested: broad CI/Testbox.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26209398656
• Updated: 2026-05-21T06:35:26.410Z

[giodl73-repo]

Fixed the ClawSweeper provider-normalization finding in 84998bf.

Behavior addressed: Policy model-provider evidence and model provider allow/deny policy comparison now use the runtime provider-id normalization contract from openclaw/plugin-sdk/provider-model-shared. Raw model refs and oc:// source paths remain preserved for evidence.
Real environment tested: local Codex worktree on Windows for PR #80783.
Exact steps or command run after this patch:

• node --no-maglev node_modules\vitest\vitest.mjs extensions/policy/src/doctor/register.test.ts extensions/policy/src/cli.test.ts --run --reporter=dot
• node node_modules\@typescript\native-preview\bin\tsgo.js -p test/tsconfig/tsconfig.extensions.test.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/extensions-test-policy-80783-normalized-providers.tsbuildinfo
• git diff --check
  Evidence after fix: added regressions for mixed-case OpenRouter/openai/gpt-5.5 and runtime-supported alias aws-bedrock normalizing to amazon-bedrock across deny and allow policy comparisons.
  Observed result after fix: Vitest passed 2 files / 76 tests; tsgo passed; diff check passed; commit is GitHub verified.
  What was not tested: broad CI/Testbox. codex review --uncommitted could not inspect the tree under the Windows sandbox, and the WSL retry timed out; manual review plus focused proof completed.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26230916421
• Updated: 2026-05-21T14:13:03.574Z