
Policy: add agent workspace conformance checks#85096

Merged
giodl73-repo merged 4 commits into
openclaw:mainfrom
giodl73-repo:policy-agent-workspace-conformance
May 23, 2026

Conversation

@giodl73-repo

@giodl73-repo giodl73-repo commented May 21, 2026

Contributor

Summary

Adds a policy-only conformance surface for locking agent workspace posture down to read-only/no-write configurations.

  • records agent/default sandbox workspaceAccess, sandbox mode, and tool deny coverage as policy evidence
  • adds agents.workspace.allowedAccess and agents.workspace.denyTools checks
  • treats omitted or off sandbox mode as nonconforming for read-only/no-write workspace policy
  • documents the supported read-only policy shape, evidence payload, and attestation-hash impact

This is stacked after #81981 and intentionally stays at config/policy conformance level; it does not add runtime enforcement.

Policy syntax

{
  "agents": {
    "workspace": {
      "allowedAccess": ["none", "ro"],
      "denyTools": ["exec", "process", "write", "edit", "apply_patch"]
    }
  }
}

For this policy to pass, the matching OpenClaw config must explicitly enable sandbox mode for the applicable defaults or agent and set workspaceAccess to an allowed value. A config that omits sandbox mode, or sets it to off, does not satisfy a read-only/no-write posture even if workspaceAccess is ro.

Enabling or upgrading these rules adds agentWorkspace evidence to the workspace and attestation hashes. Operators should review the new evidence and refresh accepted attestation hashes after enabling these rules.
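The following is an added example, not code from the OpenClaw policy plugin: it evaluates the agents.workspace policy shape above against a minimal config and reproduces the two outcomes shown in the CLI evidence (unsandboxed "ro" rejected at the sandbox mode path, explicit sandbox plus group denies accepted). The access-check checkId and ocPath strings come from the PR body; the config shape (agents.defaults plus agents.list), the deny-tools checkId and the group:runtime/group:fs membership are assumptions.

```typescript
// Added example, not OpenClaw's policy plugin: evaluates the agents.workspace
// policy from the PR body against a minimal config. checkId/ocPath strings for
// the access check come from the PR's CLI output; the config shape, the
// deny-tools checkId and the tool-group expansion are assumptions.

type WorkspaceAccess = "none" | "ro" | "rw";

interface AgentConfig {
  sandbox?: { mode?: string; workspaceAccess?: WorkspaceAccess };
  tools?: { deny?: string[] };
}

// Assumed config shape: agents.defaults plus per-agent entries under agents.list.
interface OpenClawConfig {
  agents?: { defaults?: AgentConfig; list?: Record<string, AgentConfig> };
}

interface WorkspacePolicy {
  allowedAccess: WorkspaceAccess[]; // read-only/no-write posture: subset of "none"/"ro"
  denyTools: string[];
}

interface Finding { checkId: string; message: string; ocPath: string }

// Assumed group membership: the PR shows group:runtime/group:fs denies passing,
// so this example expands them to the shell/process and file-mutation tools.
const TOOL_GROUPS: Record<string, string[]> = {
  "group:runtime": ["exec", "process"],
  "group:fs": ["write", "edit", "apply_patch"],
};

function expandDenies(deny: string[] = []): Set<string> {
  const out = new Set<string>();
  for (const entry of deny) for (const tool of TOOL_GROUPS[entry] ?? [entry]) out.add(tool);
  return out;
}

function checkAgent(scope: string, agent: AgentConfig, policy: WorkspacePolicy): Finding[] {
  const findings: Finding[] = [];
  const base = `oc://openclaw.config/agents/${scope}`;
  const label = `agents.${scope.replace("/", ".")}`;
  const mode = agent.sandbox?.mode ?? "off"; // omitted sandbox is treated as off
  const access = agent.sandbox?.workspaceAccess;
  if (mode === "off") {
    // An unsandboxed config never satisfies a read-only/no-write posture, even
    // when workspaceAccess is "ro": nothing would enforce that access value.
    findings.push({
      checkId: "policy/agents-workspace-access-denied",
      message: `${label} sandbox mode '${mode}' is not allowed by policy.`,
      ocPath: `${base}/sandbox/mode`,
    });
  } else if (access === undefined || !policy.allowedAccess.includes(access)) {
    findings.push({
      checkId: "policy/agents-workspace-access-denied",
      message: `${label} workspaceAccess '${access ?? "unset"}' is not in [${policy.allowedAccess.join(", ")}].`,
      ocPath: `${base}/sandbox/workspaceAccess`,
    });
  }
  const denied = expandDenies(agent.tools?.deny);
  const missing = policy.denyTools.filter((tool) => !denied.has(tool));
  if (missing.length > 0) {
    findings.push({
      checkId: "policy/agents-workspace-deny-tools-missing", // assumed checkId
      message: `${label} does not deny required tools: ${missing.join(", ")}.`,
      ocPath: `${base}/tools/deny`,
    });
  }
  return findings;
}

// Mirrors the shape of the redacted CLI output: ok, exitCode and findings.
function checkWorkspacePolicy(config: OpenClawConfig, policy: WorkspacePolicy) {
  const findings = checkAgent("defaults", config.agents?.defaults ?? {}, policy);
  for (const [id, agent] of Object.entries(config.agents?.list ?? {})) {
    findings.push(...checkAgent(`list/${id}`, agent, policy));
  }
  return { ok: findings.length === 0, exitCode: findings.length === 0 ? 0 : 1, findings };
}
```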

Verification

  • git diff --check
  • pnpm docs:list
  • pnpm exec oxfmt --write --threads=1 extensions/policy/src/policy-state.ts extensions/policy/src/doctor/register.ts extensions/policy/src/doctor/register.test.ts docs/cli/policy.md docs/plugins/reference/policy.md
  • node scripts/run-vitest.mjs extensions/policy/src/doctor/register.test.ts --run --reporter=dot (114 passed)
  • node scripts/run-vitest.mjs extensions/policy/src/cli.test.ts --run --reporter=dot (12 passed)
  • pnpm docs:check-mdx docs/cli/policy.md docs/plugins/reference/policy.md
  • /mnt/c/src/claws-hapi/.agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main --reviewer codex --fallback-reviewer none (clean: no accepted/actionable findings)

Real behavior proof

Behavior addressed: Policy conformance can require agent sandbox workspace access to stay within an allowlist and require explicit deny coverage for shell/process/file-mutation tools. It now rejects read-only/no-write workspace policy when sandbox mode is omitted or off.
Real environment tested: WSL checkout at /root/src/openclaw-policy-agent-workspace on Ubuntu-24.04.
Exact steps or command run after this patch: direct policyCheckCommand({ cwd, json: true, severityMin: "error" }) against temp OpenClaw configs under /tmp/policy-proof-85096-refresh, with OPENCLAW_CONFIG_PATH set to each config.
Evidence after fix: Sandbox omitted/off plus workspaceAccess: "ro" produced policy/agents-workspace-access-denied at oc://openclaw.config/agents/defaults/sandbox/mode; explicit sandbox mode: "all", workspaceAccess: "ro", and group:runtime/group:fs denies produced ok: true.
Observed result after fix: The policy check emitted agentWorkspace evidence with sandbox mode fields and no longer accepts a default unsandboxed config as read-only/no-write compliant.
What was not tested: No runtime sandbox/tool enforcement was tested because this PR only adds config-level policy conformance.

Redacted CLI evidence

Sandbox omitted/off:

{
  "exitCode": 1,
  "ok": false,
  "checksRun": 30,
  "findings": [
    {
      "checkId": "policy/agents-workspace-access-denied",
      "message": "agents.defaults sandbox mode 'off' is not allowed by policy.",
      "ocPath": "oc://openclaw.config/agents/defaults/sandbox/mode"
    }
  ]
}

Accepted read-only posture:

{
  "exitCode": 0,
  "ok": true,
  "checksRun": 30,
  "findings": []
}

@openclaw-barnacle openclaw-barnacle Bot added docs Improvements or additions to documentation extensions: policy size: XL maintainer Maintainer-authored PR labels May 21, 2026
@clawsweeper

clawsweeper Bot commented May 21, 2026

Contributor

Codex review: needs maintainer review before merge.

Latest ClawSweeper review: 2026-05-23 03:21 UTC / May 22, 2026, 11:21 PM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR adds Policy plugin checks, evidence, tests, and docs for agents.workspace.allowedAccess and required agent workspace tool denies.

Reproducibility: not applicable; this is a new Policy plugin conformance/config surface rather than a bug report. The PR body includes redacted live CLI output and focused tests that give a clear behavior path for the new checks.

PR rating
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Summary: Good normal PR quality with sufficient live-output proof and no blocking findings, gated by maintainer approval of the Policy semantics.

Rank-up moves:

  • Get explicit maintainer approval for the config-only security posture and attestation/hash impact.

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (live_output): The PR body includes redacted live CLI output showing omitted/off sandbox posture rejected and explicit read-only posture accepted after the patch.

Risk before merge

  • Operators enabling or upgrading agents.workspace rules will get new agentWorkspace evidence, so accepted workspace and attestation hashes may need review and refresh.
  • The checks describe security posture but intentionally do not enforce runtime sandbox or tool behavior; maintainers need to accept that config-conformance boundary before merge.
  • The stacked follow-ups for tool and sandbox posture may need to be sequenced with this PR as one Policy semantics decision.

Maintainer options:

  1. Approve the config-conformance boundary (recommended)
    Merge if maintainers accept that agents.workspace reports configuration posture only and operators must refresh accepted hashes after enabling the rules.
  2. Clarify runtime expectations first
    Ask for a small docs or test clarification before merge if users might read these checks as runtime sandbox enforcement.
  3. Sequence with the posture stack
    Pause this PR if maintainers want to review the agent workspace, tool posture, and sandbox posture Policy surfaces together.

Next step before merge
Protected maintainer labeling and security/compat-sensitive Policy semantics require human approval; no narrow automated repair is indicated.

Security
Cleared: No concrete supply-chain, secret-handling, or runtime-enforcement regression was found in the five-file diff; the remaining security-sensitive point is maintainer approval of the new policy semantics.

Review details

Best possible solution:

Merge only after a human maintainer approves the config-only agent workspace semantics, attestation-hash impact, and sequencing with the adjacent Policy posture stack.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a new Policy plugin conformance/config surface rather than a bug report. The PR body includes redacted live CLI output and focused tests that give a clear behavior path for the new checks.

Is this the best way to solve the issue?

Yes, with maintainer approval: the Policy plugin is the right owner for config-level conformance, and runtime enforcement should remain a separate decision unless maintainers choose a broader security model.

Label justifications:

  • P2: This is a normal-priority Policy plugin feature with limited runtime blast radius but real operator attestation and security-posture impact.
  • merge-risk: 🚨 compatibility: The PR adds new Policy evidence and checks that can change accepted attestation hashes for operators who enable these rules.
  • merge-risk: 🚨 security-boundary: The PR defines a security-posture conformance signal while explicitly leaving runtime sandbox and tool enforcement unchanged.
  • rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🦞 diamond lobster, patch quality is 🐚 platinum hermit, and the summary is: Good normal PR quality with sufficient live-output proof and no blocking findings, gated by maintainer approval of the Policy semantics.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes redacted live CLI output showing omitted/off sandbox posture rejected and explicit read-only posture accepted after the patch.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes redacted live CLI output showing omitted/off sandbox posture rejected and explicit read-only posture accepted after the patch.

What I checked:

Likely related people:

  • giodl73-repo: Authored the merged Gateway exposure Policy PR that changed the same Policy implementation, tests, and docs files, and is carrying this stacked Policy conformance work. (role: recent Policy plugin contributor; confidence: high; commits: dcc5e45b5006, d81f5ed30d07; files: extensions/policy/src/doctor/register.ts, extensions/policy/src/policy-state.ts, extensions/policy/src/doctor/register.test.ts)
  • galiniliev: The PR author explicitly asked this reviewer to look at the policy stack after rebases and proof refreshes. (role: requested reviewer; confidence: medium; files: extensions/policy/src/doctor/register.ts, extensions/policy/src/policy-state.ts, docs/cli/policy.md)
  • luna system: Local blame for the current Policy files points at the grafted current-main snapshot commit, so this is only a weak routing signal from the checked-out history. (role: current-main file provenance signal; confidence: low; commits: bf1a22ced4cc; files: extensions/policy/src/doctor/register.ts, extensions/policy/src/policy-state.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 2edd6e24621d.

@giodl73-repo giodl73-repo force-pushed the policy-agent-workspace-conformance branch from 34c3331 to 6acb671 on May 21, 2026 21:05
@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal backlog priority with limited blast radius. merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. merge-risk: 🚨 security-boundary 🚨 May affect sandboxing, authorization, credentials, or sensitive data. labels May 21, 2026
@clawsweeper

clawsweeper Bot commented May 21, 2026

Contributor

ClawSweeper PR egg

✨ Hatched: 🥚 common Velvet Signal Puff

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: purrs at green checks.
Image traits: location flaky test forest; accessory green check lantern; palette moss green and polished brass; mood calm; pose holding its accessory up for inspection; shell paper lantern shell; lighting warm desk-lamp glow; background subtle branch markers.

What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

@giodl73-repo giodl73-repo force-pushed the policy-agent-workspace-conformance branch from 6acb671 to 9353459 on May 22, 2026 00:08
@giodl73-repo

giodl73-repo commented May 22, 2026

Contributor Author

Updated this PR after the predecessor fixes:

  • rebased on Policy: add gateway exposure checks #81981 head f559951
  • refreshed the PR body with redacted real openclaw policy check --json proof for malformed policy, nonconforming workspace/tool posture, and accepted read-only posture
  • documented the expected attestation-hash upgrade behavior

Proof run on this head:

  • git diff --check fork/policy-gateway-exposure-conformance..HEAD
  • node scripts/run-vitest.mjs extensions/policy/src/doctor/register.test.ts extensions/policy/src/cli.test.ts --run --reporter=dot
  • node node_modules/@typescript/native-preview/bin/tsgo.js -p test/tsconfig/tsconfig.extensions.test.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/extensions-test-policy-agent-workspace-restack-2.tsbuildinfo
  • /mnt/c/src/claws-hapi/.agents/skills/autoreview/scripts/autoreview --mode branch

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented May 22, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@giodl73-repo giodl73-repo force-pushed the policy-agent-workspace-conformance branch from 9353459 to fef9d4d on May 22, 2026 14:26
@giodl73-repo

Contributor Author

@clawsweeper re-review

@giodl73-repo

Contributor Author

@galiniliev this is ready for review when you have a chance. I restacked it on the merged gateway policy base, kept it config/policy-conformance only, updated the docs/body with the agents.workspace syntax, and added redacted CLI proof for malformed policy, nonconforming workspace/tool posture, and accepted read-only posture.

@clawsweeper

clawsweeper Bot commented May 22, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. and removed rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels May 22, 2026
@giodl73-repo giodl73-repo force-pushed the policy-agent-workspace-conformance branch from fef9d4d to 387e11a on May 22, 2026 14:43
@giodl73-repo

Contributor Author

@clawsweeper re-review

@giodl73-repo

Contributor Author

@galiniliev quick update: I rebased the full policy stack onto current main to clear the shrinkwrap guard, pushed signed head 387e11a, and refreshed the PR body/proof. Still config/policy-conformance only, no runtime enforcement.

@clawsweeper

clawsweeper Bot commented May 22, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@giodl73-repo

Contributor Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented May 22, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@giodl73-repo giodl73-repo merged commit a94f344 into openclaw:main May 23, 2026
92 checks passed
SebTardif pushed a commit to SebTardif/openclaw that referenced this pull request May 24, 2026
* feat(policy): add agent workspace conformance

* chore(policy): refresh agent workspace checks

* fix(policy): require enabled sandbox for workspace policy

* fix(policy): align agent workspace evidence with runtime