Policy: add runtime audit metadata and attestation enforcement

[giodl73-repo]

Policy: add runtime audit metadata and attestation enforcement

Branch: policy-runtime-audit
GitHub base: main
Logical base: policy-conformance-examples
Current draft: #81104
Draft status: final policy runtime/audit step

Title

Policy: add runtime audit metadata and attestation enforcement

Summary

This PR closes the first policy arc by connecting clean policy checks to
runtime decisions and runtime audit evidence.

xarlier policy drafts establish the model:

• policy.jsonc defines authored requirements.
• OpenClaw config and workspace declarations are observed as evidence.
• Policy registers health checks.
• doctor --lint and policy check report conformance findings.
• policy check --json emits a stable attestation hash for the accepted clean
  state.

This PR makes that attestation useful at runtime. When the policy runtime tool
gate is enabled, approval decisions carry structured policy metadata. If
expectedAttestationHash is configured and watched evidence changes, the gate
fails closed before approval. That lets a supervisor or gateway compare a tool
decision against the exact policy/evidence state that was previously accepted.
policy diff can then compare two saved policy check --json outputs to
explain whether the policy, evidence, findings, or clean result changed.

The PR also adds the first runtime evidence slice for policy health checks.
Health checks can receive a channel runtime snapshot and report a denied
channel account that is still running. The important contract is the runtime
evidence payload; any finding target is only a compact evidence label, not a
new path language.

The intended ownership model is that a workspace can produce a candidate clean
attestation, but a supervisor or gateway authority accepts the attestation. The
agent/container should not be able to silently update the accepted hash that
governs its own runtime decisions.

Motivation

Policy conformance is only useful for runtime governance if the runtime can
prove which policy check it is relying on. Otherwise an operator can run
policy check, accept a clean result, and then miss a later change to the
watched evidence before a tool call is approved.

This PR adds the missing handshake:

• a clean policy check produces the accepted attestation hash;
• a supervisor or gateway accepts that hash out of band;
• OpenClaw config can record that accepted hash as expectedAttestationHash;
• the runtime gate recomputes the current attestation from policy.jsonc and
  watched evidence;
• matching hashes allow normal policy runtime decisions;
• mismatched hashes block before approval and report both hashes.

The runtime gate still uses OpenClaw's existing trusted tool policy hook. This
does not add a new gateway protocol or a second policy engine.

checkedAt remains audit timing metadata. It is not part of
attestationHash, so repeated clean checks of unchanged policy state do not
force a new accepted hash.

Maintainer Input Requested

1. Is the accepted-attestation handshake the right runtime boundary?

   The draft treats expectedAttestationHash as the compact value a supervisor
   or gateway can compare against. It binds policy hash, evidence hash,
   findings hash, and clean result. Is that the right unit to carry into
   runtime decisions, and should the accepted value be owned by the supervisor
   rather than by the workspace being governed?

2. Is runtimeEvidence the right health-check input for runtime audits?

   The draft adds optional runtimeEvidence to the health check context. The
   policy extension uses it for channel runtime snapshots and keeps runtime
   findings focused on the evidence package rather than oc-path syntax. Is this
   the right shape for health checks that need to compare config/policy against
   live runtime state?

3. Should runtime evidence refs stay runtime://..., or become read-only oc://runtime/... paths?

   The draft intentionally separates live runtime evidence from document/config
   oc-paths: policy findings can point to resolvable files with oc://..., but
   running channel accounts and other live observations are evidence refs rather
   than writable workspace documents. We chose a separate runtime://...-style
   namespace for that boundary. Would maintainers prefer exposing runtime
   evidence as read-only oc://runtime/... paths instead, so path tooling can
   discover/search them consistently with config and workspace paths? In
   particular, should openclaw path find (or the future shared find surface)
   be able to search runtime refs alongside document-backed oc:// paths while
   still making runtime refs non-mutating and clearly evidence-only?

4. Should block decisions have structured metadata too?

   Approval decisions already carry structured metadata through gateway approval
   records. Attestation mismatch blocks currently include both hashes in the
   block reason because the existing block result shape has no metadata slot.
   Should blocked trusted-tool-policy decisions also gain structured metadata,
   or is the human-readable block reason enough for this first step?

5. Is this the right place to thread approval metadata?

   This PR keeps metadata on the existing approval descriptor and preserves it
   through gateway approval list/resolve events. Is that the correct audit path,
   or should policy decisions be recorded in a separate runtime audit event?

What Changed

• Added attestation metadata to policy trusted-tool approval requests.
• Preserved plugin approval metadata through gateway approval request, list,
  and resolve paths.
• Added small view-model support so approval surfaces can display policy hash,
  evidence hash, current/expected attestation hash, and target tool reference.
• Added runtime enforcement of expectedAttestationHash.
• Added policy diff for comparing two saved policy check outputs.
• Added optional health-check runtimeEvidence and a policy channel runtime
  audit check for denied channel accounts that are still running.
• Added a test where TOOLS.md changes after an accepted clean policy check
  and the runtime gate refuses the tool request because the current
  attestation differs.
• Updated policy docs to describe accepted attestation runtime enforcement.

Runtime Shape

Config records the accepted clean policy check:

{
  "plugins": {
    "entries": {
      "policy": {
        "enabled": true,
        "config": {
          "enabled": true,
          "runtimeToolPolicy": true,
          "expectedAttestationHash": "sha256:..."
        }
      }
    }
  }
}

In an enterprise deployment, that value should come from a supervisor/gateway
acceptance flow, not from the agent updating its own workspace. A typical review
loop is:

1. Run policy check --json > accepted.json for the currently accepted state.
2. Change the workspace, for example by adding a new tool with risk and
   sensitivity metadata.
3. Run policy check --json > candidate.json.
4. Run policy diff accepted.json candidate.json.
5. If the diff shows an acceptable clean change, the supervisor accepts the new
   attestationHash.
6. The gateway/runtime uses that accepted hash as expectedAttestationHash.

At runtime:

1. Policy reads policy.jsonc.
2. The runtime gate observes current TOOLS.md evidence.
3. It builds the same attestation shape as policy check.
4. If the current attestation differs from expectedAttestationHash, the tool
   call is blocked before approval.
5. If the attestation matches, existing tool metadata rules decide whether the
   call proceeds or requires approval.

Policy health checks can also receive runtime evidence. The first supported
runtime shape is a channel runtime snapshot with channelAccounts. If policy
denies a channel provider but that provider still has a running account, policy
reports policy/channels-denied-provider-running against that runtime evidence:

{
  "checkId": "policy/channels-denied-provider-running",
  "path": "gateway runtime",
  "target": "runtime:channels/telegram/accounts/default",
  "requirement": "oc://policy.jsonc/channels/denyRules/#0"
}

The target string is intentionally minimal. It is a label inside the runtime
evidence package, not a new oc-path surface. Config and workspace findings keep
using real oc:// paths when they point to resolvable documents.

Real Behavior Proof

Behavior addressed: Policy check should emit auditable policy/evidence/findings/attestation hashes, policy diff/policy watch should distinguish timestamp-only checks from real drift, runtime tool policy should fail closed when expectedAttestationHash is stale, and policy-governed approval requests should carry structured policy/evidence/attestation metadata.

Real environment tested: Clean WSL detached worktrees for upstream/main and PR #81104 head, with a temporary workspace containing policy.jsonc and TOOLS.md. The source-level probe imported the PR-head policy runtime modules through the repo tsx loader.

Exact steps or command run after this patch:

1. Created a clean upstream/main worktree and a clean PR-head worktree at Policy: add runtime audit metadata and attestation enforcement #81104 head.
2. In each worktree, ran node --import ./node_modules/tsx/dist/loader.mjs probe-policy-runtime-audit.mjs.
3. Built a clean policy/evidence attestation from policy.jsonc and a critical governed deploy tool in TOOLS.md.
4. Recomputed the attestation with only checkedAt changed and compared it to the original.
5. Recomputed the attestation after evidence drift and compared the diff summary.
6. Evaluated the runtime trusted-tool policy with a matching expectedAttestationHash to capture approval metadata.
7. Evaluated the runtime trusted-tool policy with stale expectedAttestationHash=sha256:not-current to prove fail-closed behavior.

Evidence before fix: Upstream/main has no policy check/watch/diff CLI layer, no runtime expectedAttestationHash enforcement, no policy approval metadata view, no audit hash tuple, no watch/diff stale-attestation result, and no fail-closed runtime block for stale accepted attestations.

Evidence after fix:

Observed result after fix: PR #81104 emits policy, evidence, findings, and attestation hashes; keeps the attestation stable when only checkedAt changes; reports no diff for timestamp-only changes; reports evidence and attestation drift when evidence changes; marks a mismatched accepted attestation as stale; includes Policy Hash, Workspace Hash, Attestation Hash, Expected Attestation, and Policy Target approval metadata; and blocks runtime tool calls when the current attestation no longer matches the accepted one.

What was not tested: This proof focuses on the runtime audit/attestation contract and does not exercise every policy category already covered by earlier stack PRs.

Testing

pnpm test src/infra/approval-view-model.test.ts extensions/policy/src/doctor/register.test.ts extensions/policy/src/cli.test.ts extensions/policy/src/runtime-tool-policy.test.ts -- --reporter=dot
pnpm tsgo:prod
pnpm exec oxfmt --check --threads=1 src/infra/policy-approval-metadata.ts src/infra/approval-view-model.test.ts src/flows/health-checks.ts extensions/policy/src/policy-state.ts extensions/policy/src/doctor/register.ts extensions/policy/src/doctor/register.test.ts extensions/policy/src/cli.test.ts docs/cli/policy.md docs/plugins/reference/policy.md
pnpm check:changed
git diff --check

Latest local result:

• Policy runtime/CLI/doctor plus approval metadata tests: 4 files, 58 tests passed.
• Formatting check: passed.
• Production TypeScript check: passed.
• Changed-file check: passed.
• Whitespace check: passed.

Related

• Doctor health contract and lint validation:
  Doctor: add health-check contract and --lint validation #80055
• Channels-first policy conformance:
  Policy: add conformance system with channel checks #80407
• Tool metadata conformance and basic runtime trusted tool policy:
  Policy: add tool metadata conformance #80056
• Model, network, and MCP conformance examples:
  Policy: add model, network, and MCP conformance checks #80783

Policy stack links

This PR is part of the Policy 1.0 proof stack. Final category branches added after the runtime-audit layer:

• Policy: add secret and auth conformance checks #81974 — Policy: add secrets auth provenance checks
• Policy: add gateway exposure checks #81981 — Policy: add gateway exposure checks

Full stack reference:

1. Policy: add conformance system with channel checks #80407 — Policy: add conformance system with channel checks
2. Policy: add tool metadata conformance #80056 — Policy: add tool metadata conformance and runtime checks
3. Policy: add model, network, and MCP conformance checks #80783 — Policy: add model, network, and MCP conformance checks
4. Policy: add runtime audit metadata and attestation enforcement #81104 — Policy: add runtime audit metadata and attestation enforcement
5. Policy: add secret and auth conformance checks #81974 — Policy: add secrets auth provenance checks
6. Policy: add gateway exposure checks #81981 — Policy: add gateway exposure checks

[clawsweeper]

Codex review: found issues before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR adds Policy runtime trusted-tool attestation enforcement, policy approval metadata propagation, policy diff/watch/audit documentation, runtime evidence health checks, oc-path packaging aliases, and focused tests.

Reproducibility: yes. for the review findings: the PR diff and current main source show the stale secret-file expectation and the runtime isRecord array gap. I did not run tests because this review is read-only.

PR rating
Overall: 🧂 unranked krab
Proof: 🦞 diamond lobster ✨ media proof bonus
Patch quality: 🧂 unranked krab
Summary: Strong screenshot proof is outweighed by concrete fail-closed security contract blockers in the patch.

Rank-up moves:

• Restore current main's tryReadSecretFileSync rejected-symlink expectation.
• Make runtime policy shape validation reject arrays and cover top-level and section arrays in tests.
• Rebase against the settled policy stack and rerun the focused policy, approval, protocol, and secret-file checks.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (screenshot): The inspected screenshot proof shows after-fix runtime hash tuples, diff/watch drift behavior, approval metadata, and stale-attestation blocking for the main claimed behavior.

Risk before merge

• The branch still conflicts with current main's fail-closed credential symlink contract by changing the regression test to expect rejected secret-file symlinks to be swallowed.
• The runtime policy validator can treat array containers as valid records, which weakens the new security boundary for malformed policy.jsonc input.
• The accepted-attestation gate intentionally blocks tool calls when evidence drifts, so maintainers need to accept the trusted supervisor-owned config boundary before enabling it for real operators.

Maintainer options:

1. Fix fail-closed regressions first (recommended)
   Restore the current secret-file symlink expectation and make runtime policy validation reject array containers before any merge.
2. Accept the trusted-config boundary
   Maintainers can approve the opt-in expectedAttestationHash model only if the operator flow makes clear that it enforces when config is supervisor-owned.
3. Pause behind the policy stack
   Because this PR is stacked on open policy work, maintainers can keep it paused until the base conformance branch settles.

Next step before merge
This needs author fixes for the two fail-closed blockers plus maintainer signoff on the trusted-attestation boundary; it is not a safe autonomous cleanup lane while draft and maintainer-labeled.

Security
Needs attention: The policy runtime change is security-sensitive, and the diff currently weakens fail-closed behavior for malformed policy input and conflicts with the credential symlink rejection contract.

Review findings

• [P1] Keep secret-file symlink rejection fail-closed — src/infra/secret-file.test.ts:123-125
• [P1] Reject array policy containers at runtime — extensions/policy/src/runtime-tool-policy.ts:442

Review details

Best possible solution:

Refresh on latest main, preserve fail-closed credential and malformed-policy behavior, then land the runtime audit layer only after maintainers accept the trusted-config attestation semantics.

Do we have a high-confidence way to reproduce the issue?

Yes for the review findings: the PR diff and current main source show the stale secret-file expectation and the runtime isRecord array gap. I did not run tests because this review is read-only.

Is this the best way to solve the issue?

No, not yet: the runtime audit direction is plausible and well-proved, but the branch must preserve fail-closed security contracts and align runtime policy shape validation with current doctor validation.

Label justifications:

• P2: This is a normal-priority but security-sensitive policy runtime feature with limited immediate blast radius because it is opt-in and still draft.
• merge-risk: 🚨 security-boundary: The PR adds runtime policy enforcement and currently has malformed-policy and credential symlink fail-closed issues.
• merge-risk: 🚨 availability: The new accepted-attestation enforcement intentionally fails closed and can block tool calls when operator evidence drifts.
• rating: 🧂 unranked krab: Current PR rating is 🧂 unranked krab because proof is 🦞 diamond lobster, patch quality is 🧂 unranked krab, and Strong screenshot proof is outweighed by concrete fail-closed security contract blockers in the patch.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (screenshot): The inspected screenshot proof shows after-fix runtime hash tuples, diff/watch drift behavior, approval metadata, and stale-attestation blocking for the main claimed behavior.
• proof: sufficient: Contributor real behavior proof is sufficient. The inspected screenshot proof shows after-fix runtime hash tuples, diff/watch drift behavior, approval metadata, and stale-attestation blocking for the main claimed behavior.
• proof: 📸 screenshot: Contributor real behavior proof includes screenshot evidence. The inspected screenshot proof shows after-fix runtime hash tuples, diff/watch drift behavior, approval metadata, and stale-attestation blocking for the main claimed behavior.

Full review comments:

• [P1] Keep secret-file symlink rejection fail-closed — src/infra/secret-file.test.ts:123-125
  This changes the current-main regression test for tryReadSecretFileSync(..., { rejectSymlink: true }) so a rejected symlink is swallowed as undefined. Commit 90fd26b602 restored the contract that blank/missing paths return undefined while symlink, hardlink, non-regular, and oversize secret-file failures throw, and credential readers rely on that fail-closed behavior.
  Confidence: 0.94
• [P1] Reject array policy containers at runtime — extensions/policy/src/runtime-tool-policy.ts:442
  The new runtime isRecord helper returns true for arrays, so policy.jsonc values like [] or { "tools": [] } pass validateRuntimePolicyShape, produce a clean attestation, and can let tool calls proceed instead of failing closed. Match the existing doctor validator by excluding arrays and add runtime tests for top-level and section arrays.
  Confidence: 0.87

Overall correctness: patch is incorrect
Overall confidence: 0.88

Security concerns:

• [high] Credential symlink rejection expectation is stale — src/infra/secret-file.test.ts:123
  The PR changes the test expectation away from current main's fail-closed secret-file symlink contract, which protects Telegram, LINE, Zalo, IRC, and Nextcloud credential file readers.
  Confidence: 0.94
• [high] Malformed policy arrays can bypass runtime rejection — extensions/policy/src/runtime-tool-policy.ts:442
  Runtime policy enforcement treats arrays as records, allowing malformed policy containers to be accepted where the existing doctor policy validation rejects them.
  Confidence: 0.87

What I checked:

• PR diff changes current secret-file expectation: The PR head changes the symlink rejection test to expect tryReadSecretFileSync(..., { rejectSymlink: true }) to return undefined instead of throwing. (src/infra/secret-file.test.ts:123, b11c171c80b1)
• Current main keeps symlink rejection fail-closed: Current main still expects rejected credential-file symlinks to throw, matching the restored @openclaw/fs-safe contract. (src/infra/secret-file.test.ts:123, 79be9401306f)
• Secret-file provenance: Commit 90fd26b restored the direct tryReadSecretFileSync re-export so blank/missing paths return undefined but symlink, oversize, non-regular, and hardlink validation failures throw. (src/infra/secret-file.ts:5, 90fd26b602b0)
• Runtime policy shape guard treats arrays as records: The new runtime policy helper returns true for any non-null object, including arrays, so malformed array policy containers can bypass the intended fail-closed shape validation. (extensions/policy/src/runtime-tool-policy.ts:442, b11c171c80b1)
• Current policy validation excludes arrays: Current main's policy doctor validation uses an isRecord helper that explicitly rejects arrays, so runtime validation should match that contract. (extensions/policy/src/doctor/register.ts:982, 79be9401306f)
• Real behavior proof inspected: The linked proof image shows before/after runtime hash tuples, policy diff/watch drift behavior, approval metadata, and stale-attestation blocking for the claimed happy-path runtime audit behavior. (b11c171c80b1)

Likely related people:

• giodl73-repo: Authored the merged Policy tool metadata conformance work that current main's policy validation and docs are built on, and this PR continues that policy stack. (role: policy feature owner / recent area contributor; confidence: high; commits: a30ac3f8d7cb; files: extensions/policy/src/doctor/register.ts, extensions/policy/src/policy-state.ts, extensions/policy/src/cli.ts)
• Dallin Romney: Restored the fail-closed secret-file symlink rejection behavior that this PR's stale test expectation conflicts with. (role: recent security contract contributor; confidence: high; commits: 90fd26b602b0; files: src/infra/secret-file.ts, src/infra/secret-file.test.ts)
• Moeed Ahmed: Current main's plugin approval request handling, hook context, and related approval payload paths in this review are carried by the grafted main history commit. (role: adjacent approval and hook surface contributor; confidence: medium; commits: 9c00268914b9; files: src/gateway/server-methods/plugin-approval.ts, src/plugins/hook-types.ts, src/infra/plugin-approvals.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 79be9401306f.

[giodl73-repo]

Restacked on the refreshed policy conformance stack and current origin/main (e643890). Verified runtime approval metadata/stale-attestation behavior with focused tests and extension typecheck.\n\nChecks:\n- node scripts/test-projects.mjs extensions/policy/src/runtime-tool-policy.test.ts extensions/policy/src/doctor/register.test.ts extensions/policy/src/cli.test.ts src/flows/bundled-health-checks.test.ts --reporter=verbose\n- node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.extensions.test.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/extensions-test.tsbuildinfo\n- node scripts/check-changed.mjs\n- git diff --check\n\n@clawsweeper re-review

[giodl73-repo]

Updated the runtime audit pass after the rebase. The policy health context now accepts optional runtime evidence, channel runtime findings use a non-oc evidence target (
untime:channels/...) instead of pretending runtime state is a resolvable oc-path document, and approval views now render current/expected attestation hashes.\n\nChecks:\n- pnpm test src/infra/approval-view-model.test.ts extensions/policy/src/doctor/register.test.ts extensions/policy/src/cli.test.ts extensions/policy/src/runtime-tool-policy.test.ts -- --reporter=dot\n- pnpm tsgo:prod\n- pnpm exec oxfmt --check --threads=1 src/infra/policy-approval-metadata.ts src/infra/approval-view-model.test.ts src/flows/health-checks.ts extensions/policy/src/policy-state.ts extensions/policy/src/doctor/register.ts extensions/policy/src/doctor/register.test.ts extensions/policy/src/cli.test.ts docs/cli/policy.md docs/plugins/reference/policy.md\n- pnpm check:changed\n- git diff --check\n\n@clawsweeper re-review

[giodl73-repo]

Reviewed the runtime-audit branch after the runtime evidence change and updated the PR body. One small follow-up fix: runtime evidence refs now URI-encode channel/account segments so
untime:channels/.../accounts/... remains stable and unambiguous.\n\nRevalidated:\n- pnpm test extensions/policy/src/doctor/register.test.ts extensions/policy/src/cli.test.ts src/infra/approval-view-model.test.ts extensions/policy/src/runtime-tool-policy.test.ts -- --reporter=dot\n- pnpm tsgo:prod\n- pnpm exec oxfmt --check --threads=1 extensions/policy/src/policy-state.ts\n- pnpm check:changed\n- git diff --check\n\n@clawsweeper re-review

[giodl73-repo]

Small wording follow-up after review: clarified that runtime audit findings are centered on the
untimeEvidence payload. Any runtime arget is just a compact evidence label, not a new path language or oc-path surface.\n\nValidation for the doc-only change:\n- pnpm exec oxfmt --check --threads=1 docs/cli/policy.md docs/plugins/reference/policy.md\n- pnpm check:changed\n- git diff --check\n\n@clawsweeper re-review

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​jsdom@​29.1.1
	npm/​chokidar@​5.0.0
	npm/​https-proxy-agent@​9.0.0
	npm/​jsonwebtoken@​9.0.3
	npm/​fake-indexeddb@​6.2.5
	npm/​highlight.js@​11.11.1
	npm/​jimp@​1.6.1
	npm/​gaxios@​7.1.4
	npm/​ipaddr.js@​2.4.0
	npm/​google-auth-library@​10.6.2
	npm/​croner@​10.0.1
	npm/​jiti@​2.7.0
	npm/​file-type@​22.0.1
	npm/​dompurify@​3.4.5
	npm/​express@​5.2.1
	npm/​dotenv@​17.4.2
	npm/​grammy@​1.43.0
	npm/​jscpd@​4.2.3
	npm/​jwks-rsa@​4.0.1
	npm/​discord-api-types@​0.38.47
	npm/​kysely@​0.29.2

View full report

[giodl73-repo]

Restacked this runtime-audit PR on the refreshed policy stack through #80783 and pushed 5903758c43e1331b647ce650c1b2840fc8b3c3de.

Cleanup included:

• Preserved the Policy: add tool metadata conformance #80056/Policy: add model, network, and MCP conformance checks #80783 evidence model while replaying runtime audit: tool evidence remains optional unless TOOLS.md is actually scanned, and runtime evidence is added as a separate evidence slice.
• Resolved replay duplicates around plugin approval metadata after the stack already included structured metadata support.
• Re-ran protocol generation directly (scripts/protocol-gen.ts and scripts/protocol-gen-swift.ts); the tracked shared Swift protocol model already contains metadata, and no stale generated-artifact diff remains in this checkout.
• Clarified the accepted-attestation trust boundary in CLI docs, plugin reference docs, and the Policy manifest: expectedHash / expectedAttestationHash are enforcement inputs only when OpenClaw config is controlled by a trusted operator/gateway/supervisor; if the governed workspace can edit its config, they are advisory audit locks rather than a boundary against that workspace.

Verification:

node --import tsx scripts/protocol-gen.ts && node --import tsx scripts/protocol-gen-swift.ts && node scripts/run-vitest.mjs extensions/policy/src/runtime-tool-policy.test.ts extensions/policy/src/doctor/register.test.ts extensions/policy/src/cli.test.ts src/infra/approval-view-model.test.ts src/gateway/server-methods/plugin-approval.test.ts src/flows/bundled-health-checks.test.ts --reporter=dot
node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.extensions.test.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/extensions-test-policy-81104-restack.tsbuildinfo && node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.core.test.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core-test-policy-81104-restack.tsbuildinfo && git diff --check

Observed locally:

• runtime/doctor/CLI/approval/bundled-health tests: 7 files, 141 tests passed
• extension test tsgo: passed
• core test tsgo: passed
• git diff --check: passed

CI has restarted on the new SHA; the PR is still draft and currently mergeable with pending checks.