Policy: add ingress channel conformance checks #85744

Merged
giodl73-repo merged 7 commits into openclaw:main from giodl73-repo:policy-ingress-channel-conformance
May 29, 2026

@giodl73-repo giodl73-repo commented May 23, 2026

Contributor

Summary

Adds policy conformance checks for ingress and channel access posture. This is a config-level conformance layer: it reports findings when the configured OpenClaw workspace does not satisfy the authored policy, and it does not add runtime channel enforcement.

The new policy.jsonc syntax is:

{
  "ingress": {
    "session": {
      "requireDmScope": "per-channel-peer"
    },
    "channels": {
      "allowDmPolicies": ["pairing", "allowlist", "disabled"],
      "denyOpenGroups": true,
      "requireMentionInGroups": true
    }
  },
  "scopes": {
    "telegram-ingress": {
      "channelIds": ["telegram"],
      "ingress": {
        "channels": {
          "allowDmPolicies": ["allowlist", "disabled"],
          "denyOpenGroups": true,
          "requireMentionInGroups": true
        }
      }
    }
  }
}

Contract

ingress.session.requireDmScope observes session.dmScope and remains top-level only, because session scope is not channel-attributable evidence.

ingress.channels.* observes configured channel/account/group ingress settings and can be used either top-level or inside scopes.<name> with channelIds. A policy finding means the configured workspace violates the policy claim for that channel posture.

Supported fields:

| Policy field | Observed state | Use when |
| --- | --- | --- |
| ingress.session.requireDmScope | session.dmScope | Require a reviewed direct-message isolation scope. |
| ingress.channels.allowDmPolicies | channels.*.dmPolicy and legacy channel DM policy fields | Allow only reviewed direct-message channel policies. |
| ingress.channels.denyOpenGroups | Channel, account, and group ingress policy | Deny open group ingress for configured channels and accounts. |
| ingress.channels.requireMentionInGroups | Channel, account, group, guild, and nested mention gate config | Require mention gates when group ingress is open or mention-gated. |

New check IDs:

| Check ID | Meaning |
| --- | --- |
| policy/ingress-dm-policy-unapproved | A channel DM policy is outside the policy allowlist. |
| policy/ingress-dm-scope-unapproved | session.dmScope does not match the policy-required DM isolation scope. |
| policy/ingress-open-groups-denied | A channel group policy is open while policy denies open group ingress. |
| policy/ingress-group-mention-required | A channel or group entry disables mention gates while policy requires them. |

Usage

openclaw policy check
openclaw policy check --json
openclaw doctor --lint

Validation

  • Focused policy doctor coverage for ingress/channel findings, scoped channel selectors, malformed ingress policy shape, and evidence payloads.
  • Policy docs updated with ingress syntax, selector behavior, command usage, check IDs, and exit-code behavior.
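
The contract in the description above can be sketched as a small evaluator. This is an added example, not code from the PR or the Policy plugin: the policy field names and check IDs come from the description, while the workspace fields `enabled`, `groupPolicy` and `requireMention`, the sample channels, and the choice to evaluate top-level and scoped rules independently are assumptions.

```typescript
// Added illustration, not the Policy plugin's code. Policy fields and check IDs
// are from the PR description; the workspace fields `enabled`, `groupPolicy`
// and `requireMention` are assumed names for the evidence the PR describes.
type ChannelRules = { allowDmPolicies?: string[]; denyOpenGroups?: boolean; requireMentionInGroups?: boolean };
type IngressRules = { session?: { requireDmScope?: string }; channels?: ChannelRules };
type ScopeRules = { channelIds?: string[]; ingress?: IngressRules };
type PolicyDoc = { ingress?: IngressRules; scopes?: { [name: string]: ScopeRules } };
type ChannelConfig = { enabled?: boolean; dmPolicy?: string; groupPolicy?: string; requireMention?: boolean };
type WorkspaceConfig = { session?: { dmScope?: string }; channels?: { [id: string]: ChannelConfig } };
type PolicyFinding = { checkId: string; target: string; source: string; observed: string };
type RuleLayer = { source: string; rules: ChannelRules; ids: string[] | null };
// Normalize before comparing, so "Per-Channel-Peer" matches "per-channel-peer".
const norm = (v: string): string => v.trim().toLowerCase();

// One rule set against one channel. Unset evidence is skipped (defaults are not modeled).
function checkChannel(id: string, ch: ChannelConfig, rules: ChannelRules, source: string): PolicyFinding[] {
  const out: PolicyFinding[] = [];
  const add = (checkId: string, observed: string): void => { out.push({ checkId, target: `channels.${id}`, source, observed }); };
  const allowed = rules.allowDmPolicies ? rules.allowDmPolicies.map(norm) : null;
  if (allowed && ch.dmPolicy !== undefined && allowed.indexOf(norm(ch.dmPolicy)) === -1) {
    add("policy/ingress-dm-policy-unapproved", ch.dmPolicy);
  }
  if (rules.denyOpenGroups && ch.groupPolicy !== undefined && norm(ch.groupPolicy) === "open") {
    add("policy/ingress-open-groups-denied", ch.groupPolicy);
  }
  if (rules.requireMentionInGroups && ch.requireMention === false) {
    add("policy/ingress-group-mention-required", "requireMention=false");
  }
  return out;
}

function checkIngress(policy: PolicyDoc, config: WorkspaceConfig): PolicyFinding[] {
  const findings: PolicyFinding[] = [];
  // Session DM scope is global evidence, so it is checked once, top-level only.
  const required = policy.ingress?.session?.requireDmScope;
  const observed = config.session?.dmScope;
  if (required !== undefined && observed !== undefined && norm(observed) !== norm(required)) {
    findings.push({ checkId: "policy/ingress-dm-scope-unapproved", target: "session.dmScope", source: "ingress", observed });
  }
  // One layer per rule set; ids === null selects every channel. Evaluating the
  // top-level and scoped layers independently is an assumption of this sketch.
  const layers: RuleLayer[] = [];
  const topRules = policy.ingress?.channels;
  if (topRules) layers.push({ source: "ingress", rules: topRules, ids: null });
  const scopes = policy.scopes ?? {};
  for (const name of Object.keys(scopes)) {
    const scope = scopes[name];
    const rules = scope?.ingress?.channels;
    const ids = scope?.channelIds;
    // A scope lacking channelIds or carrying ingress.session is malformed: no findings.
    if (!rules || !ids || scope?.ingress?.session) continue;
    layers.push({ source: `scopes.${name}`, rules, ids: ids.map(norm) });
  }
  const channels = config.channels ?? {};
  for (const id of Object.keys(channels)) {
    const ch = channels[id];
    if (!ch || ch.enabled === false) continue; // disabled channels are not evidence
    for (const layer of layers) {
      const selected = layer.ids === null || layer.ids.indexOf(norm(id)) !== -1;
      if (selected) findings.push(...checkChannel(id, ch, layer.rules, layer.source));
    }
  }
  return findings;
}

// Policy values are from the PR description; the workspace config is constructed.
const SAMPLE_POLICY: PolicyDoc = {
  ingress: {
    session: { requireDmScope: "per-channel-peer" },
    channels: { allowDmPolicies: ["pairing", "allowlist", "disabled"], denyOpenGroups: true, requireMentionInGroups: true },
  },
  scopes: { "telegram-ingress": {
    channelIds: ["telegram"],
    ingress: { channels: { allowDmPolicies: ["allowlist", "disabled"], denyOpenGroups: true, requireMentionInGroups: true } },
  } },
};
const SAMPLE_CONFIG: WorkspaceConfig = {
  session: { dmScope: "Per-Channel-Peer" },
  channels: {
    telegram: { dmPolicy: "pairing", groupPolicy: "open", requireMention: false },
    discord: { dmPolicy: "open", groupPolicy: "allowlist", requireMention: true },
    slack: { enabled: false, dmPolicy: "open", groupPolicy: "open" },
  } };
console.log(JSON.stringify(checkIngress(SAMPLE_POLICY, SAMPLE_CONFIG), null, 2));
```

On the constructed config, `telegram` passes the top-level DM allowlist with `pairing` but fails the stricter `telegram-ingress` scope, which is the case the `channelIds` selector exists to express.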

@openclaw-barnacle openclaw-barnacle Bot added labels May 23, 2026: docs (Improvements or additions to documentation); scripts (Repository scripts); extensions: openai; extensions: policy; size: XL; maintainer (Maintainer-authored PR)
@giodl73-repo giodl73-repo requested a review from galiniliev May 23, 2026 14:51
@clawsweeper

clawsweeper Bot commented May 23, 2026

Contributor

Codex review: needs maintainer review before merge. Reviewed May 29, 2026, 1:07 AM ET / 05:07 UTC.

Summary
The PR adds Policy plugin ingress/channel conformance fields, four policy check IDs, channel-scoped selector support, docs, and focused policy doctor/CLI tests.

PR surface: Source +1053, Tests +1568, Docs +41. Total +2662 across 5 files.

Reproducibility: not applicable. This is a feature PR adding config-level Policy plugin conformance checks, not a bug report needing reproduction. The changed command path is still covered by provided failing and passing policy-check JSON proof plus focused tests.

Review metrics: 1 noteworthy metric.

  • Policy contract additions: 4 policy fields, 4 check IDs, 1 selector added. These names become operator-facing policy.jsonc and diagnostic surfaces that are costly to rename after release.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • none.

Risk before merge

  • [P1] Merging establishes new policy.jsonc ingress fields, scopes.*.channelIds selector behavior, and four operator-facing check IDs as durable Policy plugin contracts.
  • [P1] The new checks interpret existing channel/account/group ingress config as conformance evidence; maintainers should explicitly confirm that config-only diagnostic contract before users rely on it in automation.

Maintainer options:

  1. Approve the policy contract before merge (recommended)
    A maintainer can accept the new ingress fields, channel selector, and check IDs as durable Policy plugin contract and then merge with the provided proof.
  2. Rename or narrow the contract first
    If any field names, selector semantics, or check IDs are not intended to be durable, ask for the schema, docs, and tests to change before merge.
  3. Pause if ingress policy belongs elsewhere
    If maintainers decide ingress posture should not be a Policy plugin conformance surface, pause or close this PR and redesign around the chosen owner boundary.

Next step before merge

  • [P2] The PR is under a protected maintainer label and needs human approval of the new Policy plugin config and diagnostic contract rather than an automated repair.

Security
Cleared: The diff adds Policy plugin diagnostics, docs, and tests without dependency, workflow, package, secret-handling, or runtime-enforcement changes.

Review details

Best possible solution:

Land this only after explicit maintainer approval of the Policy plugin ingress config, selector, and check-ID contract; otherwise keep the branch open for that decision rather than closing it as stale or obsolete.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a feature PR adding config-level Policy plugin conformance checks, not a bug report needing reproduction. The changed command path is still covered by provided failing and passing policy-check JSON proof plus focused tests.

Is this the best way to solve the issue?

Yes, subject to maintainer approval: keeping this as config-only Policy plugin conformance matches the existing policy-check pattern and avoids runtime channel enforcement. The remaining question is whether maintainers accept the new durable field, check-ID, and selector contract.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 22e8cd2a1d25.

Label changes

Label justifications:

  • P2: This is a normal-priority Policy plugin feature with focused scope but durable operator-facing behavior.
  • merge-risk: 🚨 compatibility: The PR adds policy.jsonc fields, check IDs, and selector semantics that existing users may depend on after release.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR discussion includes after-fix live command-path output for failing and passing ingress configs through policyCheckCommand JSON.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR discussion includes after-fix live command-path output for failing and passing ingress configs through policyCheckCommand JSON.

Evidence reviewed

PR surface:

Source +1053, Tests +1568, Docs +41. Total +2662 across 5 files.

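| Area | Files | Added | Removed | Net |
| --- | --- | --- | --- | --- |
| Source | 2 | 1101 | 48 | +1053 |
| Tests | 1 | 1590 | 22 | +1568 |
| Docs | 2 | 66 | 25 | +41 |
| Config | 0 | 0 | 0 | 0 |
| Generated | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 |
| Total | 5 | 2757 | 95 | +2662 |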

Acceptance criteria:

  • [P1] OPENCLAW_VITEST_FS_MODULE_CACHE_PATH=/tmp/openclaw-85744-proof OPENCLAW_VITEST_MAX_WORKERS=1 node scripts/run-vitest.mjs extensions/policy/src/doctor/register.test.ts extensions/policy/src/cli.test.ts -- --reporter=dot --testTimeout=30000.
  • [P1] pnpm tsgo:extensions.
  • [P1] node scripts/run-bundled-extension-oxlint.mjs.
  • [P1] pnpm exec oxfmt --check --threads=1 docs/cli/policy.md docs/plugins/reference/policy.md extensions/policy/src/doctor/register.ts extensions/policy/src/doctor/register.test.ts extensions/policy/src/policy-state.ts.
  • [P1] pnpm docs:check-mdx docs/cli/policy.md docs/plugins/reference/policy.md.

What I checked:

  • Repository policy applied: Root AGENTS.md and the scoped docs/extensions guides were read; the root policy treats plugin config/default additions and durable policy contracts as compatibility-sensitive, and extensions guidance keeps this inside the plugin boundary. (AGENTS.md:21, 7979639cd887)
  • Live PR state: The live PR is open, cleanly mergeable, has head 7afe307, and carries the protected maintainer label plus proof: sufficient and merge-risk: compatibility labels. (7afe307c2c50)
  • New policy contract: The branch adds ingress policy check IDs and channelIds scope metadata for ingress.channels rules, making the PR an operator-facing Policy plugin contract change. (extensions/policy/src/doctor/register.ts:36, 7afe307c2c50)
  • Ingress evidence scanner: The PR records session DM scope and enabled channel/account ingress posture as Policy evidence, including DM policy, group policy, and requireMention evidence. (extensions/policy/src/policy-state.ts:457, 7afe307c2c50)
  • Focused tests and proof: The PR discussion includes direct policyCheckCommand JSON proof for failing and passing ingress configs, and the current branch tests cover ingress findings, mixed-case dmScope normalization, scoped channel selectors, invalid scopes, defaults, disabled channels, and nested mention gates. (extensions/policy/src/doctor/register.test.ts:2300, 7afe307c2c50)
  • Maintainer review context: A prior GitHub review identified rebase, changelog, and dmScope normalization work; later comments say the dmScope regression was fixed, the release-owned changelog entry was removed, and focused tests passed on the current head. (7afe307c2c50)

Likely related people:

  • giodl73-repo: Recent merged Policy plugin PRs for tool posture, agent-scoped overlays, and sandbox posture conformance touched the same Policy files and directly precede this ingress contract work. (role: recent Policy plugin contributor; confidence: high; commits: 1e2e6147480c, fbb63405427a, af64a824a1f8; files: extensions/policy/src/doctor/register.ts, extensions/policy/src/policy-state.ts, docs/cli/policy.md)
  • galiniliev: The adjacent merged Policy overlay and tool/sandbox posture PRs were assigned or requested to galiniliev, and this PR also requests galiniliev review. (role: assigned reviewer for adjacent Policy work; confidence: medium; commits: 1e2e6147480c, fbb63405427a, af64a824a1f8; files: extensions/policy/src/doctor/register.ts, extensions/policy/src/policy-state.ts)
  • steipete: The shared coercion helper refactor recently touched the same Policy code path and was called out in earlier review context as an adjacent conflict source. (role: recent adjacent refactor author; confidence: medium; commits: 77d9ac30bb8d; files: extensions/policy/src/doctor/register.ts, extensions/policy/src/policy-state.ts)
  • omarshahine: The GitHub review on this PR identified the dmScope normalization issue and rebase/changelog follow-up, which later branch updates addressed. (role: reviewer; confidence: medium; files: extensions/policy/src/doctor/register.ts, extensions/policy/src/policy-state.ts, docs/cli/policy.md)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added labels May 23, 2026: rating: 🧂 unranked krab (Not merge-ready due to missing proof or serious correctness/safety concerns.); status: 📣 needs proof (The PR needs real behavior proof before ClawSweeper can clear the contributor ask.); P2 (Normal backlog priority with limited blast radius.); merge-risk: 🚨 compatibility (🚨 May break existing users, config, migrations, defaults, or upgrade paths.)
@clawsweeper

clawsweeper Bot commented May 23, 2026

Contributor

ClawSweeper PR egg

✨ Hatched: 🌱 uncommon Frosted Lint Imp

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🌱 uncommon.
Trait: collects tiny proofs.
Image traits: location CI tidepool; accessory CI status badge; palette violet, aqua, and starlight; mood watchful; pose waving from a small platform; shell glossy opal shell; lighting soft underwater shimmer; background delicate sparkle particles.

What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

@giodl73-repo giodl73-repo force-pushed the policy-ingress-channel-conformance branch from bfee8da to 6acd6f0 May 23, 2026 15:18
@socket-security

socket-security Bot commented May 23, 2026

👍 No dependency changes detected in pull request

@giodl73-repo giodl73-repo force-pushed the policy-ingress-channel-conformance branch from 6acd6f0 to 6b82aff May 23, 2026 15:33
@giodl73-repo

Contributor Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented May 23, 2026

Contributor

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

@clawsweeper

clawsweeper Bot commented May 23, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot changed labels May 23, 2026.
Added: proof: sufficient (ClawSweeper judged the real behavior proof convincing.); rating: 🐚 platinum hermit (Good normal PR readiness with ordinary maintainer review expected.); status: 👀 ready for maintainer look (ClawSweeper has no concrete contributor-facing blocker left for this PR.); rating: 🧂 unranked krab (Not merge-ready due to missing proof or serious correctness/safety concerns.); status: 🔁 re-review loop (A fresh ClawSweeper review was explicitly requested after the latest review.)
Removed: rating: 🧂 unranked krab (Not merge-ready due to missing proof or serious correctness/safety concerns.); status: 📣 needs proof (The PR needs real behavior proof before ClawSweeper can clear the contributor ask.); proof: sufficient (ClawSweeper judged the real behavior proof convincing.); rating: 🐚 platinum hermit (Good normal PR readiness with ordinary maintainer review expected.); status: 👀 ready for maintainer look (ClawSweeper has no concrete contributor-facing blocker left for this PR.)
@clawsweeper

clawsweeper Bot commented May 27, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@giodl73-repo

Contributor Author

Removed the release-owned CHANGELOG.md entry that ClawSweeper flagged on the stacked policy branches.

Current signed head: fd6b34c2ace.

Fresh validation for this cleanup:

  • OPENCLAW_VITEST_FS_MODULE_CACHE_PATH=/tmp/openclaw-85744-no-changelog OPENCLAW_VITEST_MAX_WORKERS=1 node scripts/run-vitest.mjs extensions/policy/src/doctor/register.test.ts extensions/policy/src/cli.test.ts -- --reporter=dot --testTimeout=30000 -> 2 files, 257 tests passed
  • pnpm exec oxfmt --check --threads=1 CHANGELOG.md && git diff --check

The existing ingress real behavior proof remains valid; the only follow-up change was removing the release-owned changelog line.

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented May 27, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot changed labels May 27, 2026.
Added: rating: 🌊 off-meta tidepool (PR readiness rating does not apply to this item.)
Removed: proof: sufficient (ClawSweeper judged the real behavior proof convincing.); rating: 🐚 platinum hermit (Good normal PR readiness with ordinary maintainer review expected.); status: 👀 ready for maintainer look (ClawSweeper has no concrete contributor-facing blocker left for this PR.)
@giodl73-repo

Contributor Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented May 27, 2026

Contributor

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

@clawsweeper clawsweeper Bot changed labels May 27, 2026.
Added: proof: sufficient (ClawSweeper judged the real behavior proof convincing.); rating: 🐚 platinum hermit (Good normal PR readiness with ordinary maintainer review expected.); status: 👀 ready for maintainer look (ClawSweeper has no concrete contributor-facing blocker left for this PR.)
Removed: rating: 🌊 off-meta tidepool (PR readiness rating does not apply to this item.)
@giodl73-repo

Contributor Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented May 29, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

Contributor Author

Maintainer-side contract review for the current ingress branch (b9609585d9):

I reviewed the PR against current main, including the root, docs, and extensions AGENTS.md guidance, the five-file diff, the policy docs, the policy evidence scanner, the doctor checks, and the focused tests.

Contract surface accepted for this PR:

  • ingress.session.requireDmScope is a top-level policy rule for the configured session.dmScope evidence. It is intentionally not supported under scopes.*.ingress because session DM scope evidence is global, not channel-attributable.
  • ingress.channels.allowDmPolicies, ingress.channels.denyOpenGroups, and ingress.channels.requireMentionInGroups are config-only Policy plugin conformance rules for channel/account/group ingress posture. They do not claim live runtime channel enforcement.
  • scopes.<name>.channelIds is accepted as the selector for channel-scoped ingress overlays. Agent-scoped policy sections remain behind agentIds; channel-scoped ingress remains behind channelIds.
  • The four new operator-facing check IDs are accepted as Policy plugin diagnostics: policy/ingress-dm-policy-unapproved, policy/ingress-dm-scope-unapproved, policy/ingress-open-groups-denied, and policy/ingress-group-mention-required.
  • The PR does not add Plugin SDK exports or core plugin API surface. The new surface is Policy plugin config/docs/diagnostics only.

Implementation review notes:

  • Shape validation rejects unsupported scoped/session combinations and validates the new policy fields before findings are produced.
  • Ingress evidence is collected from configured channels, active accounts, defaults, nested group/guild/room/team containers, wildcard mention gates, and session DM scope.
  • Channel-scoped findings are filtered through normalized channel IDs, and invalid scoped overlays do not produce ingress findings.
  • The earlier mixed-case session.dmScope concern is fixed by normalizing evidence before comparison and has a focused regression test.
  • The release-owned changelog entry was removed, so this branch now touches only docs plus Policy plugin implementation/tests.

Validation already provided for the rebased branch:

  • OPENCLAW_VITEST_FS_MODULE_CACHE_PATH=/tmp/openclaw-85744-final-* OPENCLAW_VITEST_MAX_WORKERS=1 node scripts/run-vitest.mjs extensions/policy/src/doctor/register.test.ts extensions/policy/src/cli.test.ts -- --reporter=dot --testTimeout=30000 -> 2 files, 257 tests passed
  • pnpm exec oxfmt --check --threads=1 docs/cli/policy.md docs/plugins/reference/policy.md extensions/policy/src/doctor/register.ts extensions/policy/src/doctor/register.test.ts extensions/policy/src/policy-state.ts
  • pnpm tsgo:extensions
  • node scripts/run-bundled-extension-oxlint.mjs -> 0 warnings, 0 errors
  • pnpm docs:check-mdx docs/cli/policy.md docs/plugins/reference/policy.md
  • git diff --check
  • GitHub CI is green for the current PR head.

Real behavior proof remains valid: the actual policyCheckCommand({ json: true }) path was exercised with failing and passing ingress configs. The failing config returned exitCode: 1, ok: false, checksRun: 52, checksSkipped: 0, and expected findings for all four ingress checks. The passing config returned exitCode: 0, ok: true, checksRun: 52, checksSkipped: 0, and no findings.

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented May 29, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@giodl73-repo

Contributor Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented May 29, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

Contributor Author

Fresh proof on latest PR head bd63c8d1539eac4f20e16cbbe0b9872b935809d6 after the GitHub-side update:

  • OPENCLAW_VITEST_FS_MODULE_CACHE_PATH=/tmp/openclaw-85744-bd63c8d-proof OPENCLAW_VITEST_MAX_WORKERS=1 node scripts/run-vitest.mjs extensions/policy/src/doctor/register.test.ts extensions/policy/src/cli.test.ts -- --reporter=dot --testTimeout=30000 -> 2 files, 257 tests passed

This is the same focused policy/CLI coverage on the current PR head after rebasing/merging latest main into the branch. The previous off-meta result appears to be from ClawSweeper/Codex review execution failing, not from a concrete code finding.

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented May 29, 2026

Contributor

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

@clawsweeper

clawsweeper Bot commented May 29, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

Labels

  • docs (Improvements or additions to documentation)
  • extensions: policy
  • maintainer (Maintainer-authored PR)
  • merge-risk: 🚨 compatibility (🚨 May break existing users, config, migrations, defaults, or upgrade paths.)
  • P2 (Normal backlog priority with limited blast radius.)
  • proof: sufficient (ClawSweeper judged the real behavior proof convincing.)
  • rating: 🐚 platinum hermit (Good normal PR readiness with ordinary maintainer review expected.)
  • size: XL
  • status: 👀 ready for maintainer look (ClawSweeper has no concrete contributor-facing blocker left for this PR.)
