fix(infra): allow macOS browser open over SSH env

[steipete]

Summary

• Let macOS resolve browser launching through open even when SSH environment variables are present.
• Preserve the Linux SSH/no-display refusal path.
• Add focused tests for both platform branches.

Verification
Behavior addressed: openclaw dashboard/browser launch helpers no longer misclassify macOS shells with SSH_CONNECTION as headless when open is available.
Real environment tested: local macOS source checkout with platform/env branches mocked in unit tests.
Exact steps or command run after this patch: node scripts/run-vitest.mjs src/infra/browser-open.test.ts; git diff --check; .agents/skills/autoreview/scripts/autoreview --mode local
Evidence after fix: regression test verifies macOS + SSH_CONNECTION resolves { argv: ["open"], command: "open" }, while Linux + SSH without display still returns ssh-no-display.
Observed result after fix: focused test passed, diff check passed, autoreview reported no accepted/actionable findings.
What was not tested: live browser opening from an SSH-launched macOS terminal.

Fixes #67088

[clawsweeper]

Codex review: needs real behavior proof before merge.

Latest ClawSweeper review: 2026-05-22 12:58 UTC / May 22, 2026, 8:58 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR changes the browser-open helper so macOS with SSH environment variables can use open, adds focused regression tests, and adds a changelog fix entry.

Reproducibility: yes. from source inspection: current main returns ssh-no-display before checking the darwin open branch when SSH environment variables are present and no display is set. I did not establish a live failing macOS run in this read-only review.

PR rating
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🐚 platinum hermit
Summary: The patch is focused and appears correct, but mock-only proof keeps overall readiness thin for a real OS/browser-launch behavior change.

Rank-up moves:

• Add redacted live macOS SSH-env terminal output, logs, a screenshot, or a recording showing the dashboard/browser launch path after this patch.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Needs real behavior proof before merge: Needs real behavior proof before merge: the PR body provides mocked unit-test proof and says live SSH-launched macOS browser opening was not tested, so the contributor should add redacted terminal output, logs, a screenshot, or a recording and update the PR body to trigger re-review, or ask a maintainer to comment @clawsweeper re-review if needed.

Mantis proof suggestion
A visible macOS terminal/browser proof would materially help validate the OS launch path that mocked tests cannot show. A maintainer can ask Mantis to capture proof by posting a new PR comment that starts with the OpenClaw Mantis account mention, followed by:

visual task: verify on macOS that `openclaw dashboard` with SSH_CONNECTION set opens the browser and does not show the no-GUI tunnel hint.

Risk before merge

• No live macOS SSH-env browser launch proof is shown; this shared helper affects dashboard, onboarding, and OAuth URL opening, so mocked platform/env tests do not settle the actual LaunchServices-over-SSH behavior.
• The PR changes macOS SSH/no-display handling from returning the tunnel hint to attempting open, so maintainers should accept that compatibility shift or require live proof or an explicit proof override before merge.

Maintainer options:

1. Require live macOS SSH-env proof (recommended)
   Ask for redacted terminal output, logs, a screenshot, or a recording showing openclaw dashboard launches the browser with SSH environment variables present before landing.
2. Accept a maintainer proof override
   A maintainer can intentionally accept the source and mocked-test proof if they are comfortable owning the macOS SSH behavior without contributor live proof.
3. Pause until the OS path is verified
   Hold or close the PR if maintainers do not want to change actual macOS SSH/no-display behavior without a real run.

Next step before merge
Needs contributor live proof, Mantis-style maintainer proof, or a maintainer proof override; source review did not identify a narrow code repair for automation.

Security
Cleared: No concrete security or supply-chain regression was found; the diff changes a platform guard, tests, and changelog while the helper still restricts URLs to HTTP(S) and uses argv-based process execution.

Review details

Best possible solution:

Keep the narrow macOS exception if maintainers accept the behavior change, backed by focused tests plus redacted live macOS SSH-env proof or an explicit maintainer proof override.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection: current main returns ssh-no-display before checking the darwin open branch when SSH environment variables are present and no display is set. I did not establish a live failing macOS run in this read-only review.

Is this the best way to solve the issue?

Yes. Excluding darwin from the early SSH/no-display refusal is the narrowest maintainable code change because it preserves the Linux refusal path and keeps the existing fallback path when browser opening is not available.

Label changes:

• add merge-risk: 🚨 compatibility: The PR changes current macOS SSH/no-display behavior from a deterministic remote-access hint to an attempted open launch.

Label justifications:

• P2: This is a focused macOS dashboard/browser-launch bug fix with limited blast radius and a linked source-reproducible report.
• merge-risk: 🚨 compatibility: The PR changes current macOS SSH/no-display behavior from a deterministic remote-access hint to an attempted open launch.
• rating: 🦪 silver shellfish: Current PR rating is 🦪 silver shellfish because proof is 🦪 silver shellfish, patch quality is 🐚 platinum hermit, and The patch is focused and appears correct, but mock-only proof keeps overall readiness thin for a real OS/browser-launch behavior change.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: Needs real behavior proof before merge: the PR body provides mocked unit-test proof and says live SSH-launched macOS browser opening was not tested, so the contributor should add redacted terminal output, logs, a screenshot, or a recording and update the PR body to trigger re-review, or ask a maintainer to comment @clawsweeper re-review if needed.

What I checked:

• Current main behavior: Current main computes SSH/no-display before the macOS open branch, so SSH_CONNECTION with no display returns ssh-no-display on darwin before detectBinary("open") can run. (src/infra/browser-open.ts:51, a00c58363a4f)
• PR implementation: The provided PR diff narrows the early refusal to exclude darwin while preserving the Linux SSH/no-display path, and adds mocked regression coverage for macOS plus Linux branches. (src/infra/browser-open.ts:51, aef160490492)
• Proof gap: The PR body reports unit-test, diff-check, and autoreview proof, but explicitly says live browser opening from an SSH-launched macOS terminal was not tested. (aef160490492)
• Affected caller: openclaw dashboard checks detectBrowserOpenSupport(), calls openUrl(), and only prints the SSH tunnel hint when the open attempt is not considered successful. (src/commands/dashboard.ts:101, a00c58363a4f)
• Security-relevant execution path: The existing helper accepts only HTTP(S) URLs and runs the browser command through argv-based process spawning rather than shell execution. (src/infra/browser-open.ts:31, a00c58363a4f)
• History provenance: The browser-open helper, dashboard caller, and SSH hint path all appear in the visible history as introduced by commit edab653. (src/infra/browser-open.ts:43, edab6531788f)

Likely related people:

• Kaspre: The visible blame/log history shows commit edab653 introduced the shared browser-open helper, dashboard caller path, tests, and SSH hint behavior now being changed. (role: introduced behavior and recent area contributor; confidence: high; commits: edab6531788f; files: src/infra/browser-open.ts, src/infra/browser-open.test.ts, src/commands/dashboard.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against a00c58363a4f.

[clawsweeper]

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature or rarity is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.