fix(exec): hide unavailable durable approval actions

[jesse-merhi]

Summary

• teach the macOS native exec approval prompt to consume allowedDecisions directly, with ask only as a legacy fallback
• pass allowedDecisions through the Control UI approval parser and render only allowed dashboard actions
• keep durable approvals available for on-miss approvals and legacy payloads that do not include an allowed decision list
• fall back safely when native allowedDecisions is malformed instead of dropping the prompt
• keep modal cancel from sending deny when denial is not an allowed decision

Verification

• node scripts/run-vitest.mjs ui/src/ui/controllers/exec-approval.test.ts ui/src/ui/views/exec-approval.test.ts ui/src/ui/views/exec-approval.browser.test.ts
• swift test --package-path apps/macos --filter ExecApprovalPromptLayoutTests
• swift test --package-path apps/macos --filter ExecApprovalsSocketAuthTests --filter ExecApprovalsGatewayPrompterTests
• git diff --check 4beadbf9519ef45d2b9cf74dbb60c4b75af3a48e..HEAD
• .agents/skills/autoreview/scripts/autoreview --mode commit --commit HEAD clean: no accepted/actionable findings
• Rebuilt BAD and GOOD mac apps from current origin/main base 4beadbf951 with real signing identity jessesCert

Real behavior proof

Behavior addressed: Ask mode: always approvals no longer offer durable Always Allow in the native macOS prompt or the Control UI approval modal.
Real environment tested: local macOS A/B apps, signed with jessesCert; BAD from current main, GOOD from this PR.
Exact steps or command run after this patch: triggered system.run for /bin/sh -lc pwd through the local Gateway/native app approval path.
Evidence after fix: BAD showed Allow Once, Always Allow, and Don't Allow; GOOD showed only Don't Allow and Allow Once in the native prompt. Focused Control UI tests prove allowedDecisions: ["allow-once", "deny"] renders only Allow once and Deny. Focused Swift tests prove malformed native allowedDecisions falls back and native modal close does not synthesize deny when it was not rendered.
Observed result after fix: GOOD no longer exposes durable approval for ask: always.
What was not tested: broad full-suite CI; GitHub checks had not reported yet after the latest push.

Agent Transcript

Redacted local agent transcript

Scope:
- PR #86359: fix unavailable durable exec approval actions.
- Branch: jm/fix-macos-ask-always-approval.
- Primary surfaces:
  - macOS native exec approval prompt.
  - Control UI exec/plugin approval prompt.
  - Gateway approval-decision contract.
  - JSONL socket close handling for native prompt cancellation.
  - Control UI warning text and i18n fallback files.

Redaction note:
- This transcript is a curated local work log, not a raw chat export.
- Personal/casual wording, local machine details, auth/session details, raw tool output, prompts, secrets, browser state, and unrelated turns were omitted.
- User input is summarized as maintainer direction and verification feedback.
- Multiple related local sessions were reviewed. Duplicate subagent reviews and unrelated branch-review turns were not included directly; only the parts that explain how this PR was discovered, scoped, tested, and fixed are summarized.

Origin context before this PR:
- Before PR #86359 existed, a separate heavy review session investigated PR #84172, the broader command-authorization rewrite.
- The maintainer asked that review to look hard at old exec-approval behavior, especially approval fallbacks, durable "allow always" persistence, native macOS parity, and behavior that had grown from earlier security patching.
- That review found several real approval-contract issues in the broader branch. Two were especially relevant to this PR:
  - request-specific approval choices were being modeled as `allowedDecisions`;
  - native/macOS approval paths still had to prove they respected the same approval-decision contract as the gateway.
- One origin sub-review explicitly checked exec approvals, allow-always persistence, approval fallback behavior, node-host/gateway/system.run/native macOS parity, UI/native `allowedDecisions`, and `requiresInteractiveApproval`.
- That sub-review found a native macOS gap: caller-supplied `approved` or `approvalDecision` fields could bypass an interactive-only approval path even when the prompt hid `allow-always`.
- The same origin review showed the intended server contract:
  - `ask=always` resolves to `["allow-once", "deny"]`;
  - other approval modes can include `["allow-once", "allow-always", "deny"]`;
  - the gateway rejects unavailable decisions such as `allow-always` when the effective policy requires approval every time.
- This was the context that led to carving out PR #86359 as a narrow shipped-behavior fix: make the approval UIs show only the choices the request/server contract allows, instead of waiting for the much larger PR #84172.

Initial goal:
- Review PR #86359 and explain what it changed.
- Find related issues and PRs that had raised similar approval-policy problems.
- Fix review findings.
- Build and test bad/good local macOS app variants for A/B behavior checks.
- Use the dashboard/manual test flow so the maintainer could personally verify behavior.

How the issue was found:
- The earlier discovery work started in the PR #84172 review, where the maintainer was searching for approval behavior that should be removed or tightened.
- That review showed `allowedDecisions` was the approval UI contract, not just a helper for one client.
- PR #86359 was then created to fix the smaller shipped mismatch exposed by that work.
- The later PR #86359 review compared the PR description against current shipped behavior and the gateway approval contract.
- Current-main and PR source showed a mismatch:
  - the gateway already computed `allowedDecisions`;
  - the gateway already rejected decisions outside that list;
  - approval consumers could still render choices such as `Always allow` without using that list.
- The earlier PR #84172 work showed the intended shape more clearly:
  - approval requests carry `allowedDecisions`;
  - UI clients should render from the allowed list;
  - server-side resolution remains the final enforcement point.
- This is what turned the review from "macOS hides one button based on ask" into "all approval clients should respect the request's allowed-decision contract."
- The maintainer then pushed on whether this was only macOS or also the dashboard, which led to explicitly including the Control UI in the fix.

Related session candidates reviewed:
- Origin heavy review session for PR #84172:
  - predates PR #86359 and contains the broader approval-policy investigation that led to carving this fix out.
  - covered command authorization, exact-command durable fallback removal, `allow-always` persistence, fallback behavior, native macOS parity, UI/native `allowedDecisions`, and `requiresInteractiveApproval`.
- Origin sub-review for PR #84172:
  - focused on the native macOS approval boundary and confirmed the request-specific decision list was the contract approval clients should respect.
  - reported that native macOS could still bypass interactive-only approval through caller-supplied approval flags, showing that native parity was still an open approval-boundary concern.
- Earlier fallback review around the same branch:
  - found that "Allow Always unavailable" and "interactive approval required" should not be conflated.
  - helped separate the durable-button visibility question from timeout/fallback denial behavior.
- Main PR review and implementation session:
  - contained the initial PR review, related-issue search, local A/B testing, fixes, review loops, and final push.
- Broader command-authorization review sessions:
  - showed where the `allowedDecisions` contract was being introduced and how sibling approval clients were expected to use it.
- Related PR/issue discovery sessions:
  - identified the broader normalized command authorization PR as overlapping context, but not a reason to close this standalone shipped bugfix.
- Local testing sessions:
  - captured the bad/good app setup, dashboard testing, repeated rebuilds from latest main, and manual prompt behavior checks.
- Cold-review sessions:
  - independently checked the final approval/socket behavior, but were mostly excluded from the transcript body because they duplicated the same findings and validation targets.

Initial PR understanding:
- The PR aimed to hide the durable "Always allow" action when the effective exec approval policy requires approval every time.
- The expected `ask=always` choices were:
  - `Allow once`
  - `Deny`
- The expected durable-approval-capable choices remained:
  - `Allow once`
  - `Always allow`
  - `Deny`
- The gateway already computed and enforced allowed approval decisions. The bug was that one or more UI consumers could still show choices the gateway would reject.

Related-work review:
- The broader command authorization work was inspected as related context.
- That work had the same core concept: approval requests carry an `allowedDecisions` list, and UIs should render from that list.
- That context made it clear that `allowedDecisions` was not just a web UI helper. It was the protocol shape approval consumers should use when deciding which actions to show.
- The standalone PR remained justified because this was a shipped approval UI mismatch that could be fixed narrowly without waiting for the broader branch.
- The maintainer asked specifically whether anything already fixed the bug on latest main. Main still needed this fix for the shipped behavior.

Maintainer-driven manual testing:
- The maintainer requested a true A/B setup with separate bad and good macOS apps.
- Both apps were rebuilt from a current main base with a real signing identity so native permission prompts would behave realistically.
- The maintainer tested simple commands such as `pwd` from the local UI/dashboard flow.
- During A/B testing, the maintainer reported that prompts did not always appear as expected, the bad app behavior was confusing, and one flow appeared to flash an approval request and then disappear.
- The test setup was refreshed by pulling latest main and rebuilding both variants to confirm the bug was not just stale local state.
- The maintainer confirmed the dashboard path should be part of the real validation, not only the native app path.

Behavior clarified during review:
- This was not a command-specific rule. The same command can show different actions depending on the approval policy and request metadata.
- For `ask=always`, even a harmless command like `pwd` should not offer durable approval.
- For `ask=on-miss`, a command that misses the allowlist may legitimately offer durable approval.
- Plugin approval requests can also restrict decisions, but their reasons are not necessarily exec-policy reasons.
- The server remains the source of truth and rejects unavailable decisions even if a client tries to send them.

Main implementation work:
- macOS native prompt:
  - Decoded `allowedDecisions` from the approval request.
  - Filtered malformed decision values.
  - Rendered buttons from the explicit allowed-decision list when present.
  - Preserved fallback behavior for older/malformed payloads:
    - `ask=always` falls back to `Allow once` and `Deny`.
    - other/missing ask values preserve previous durable-approval behavior.
  - Mapped AppKit modal button indexes back through the same ordered decision list.
  - Avoided returning a hidden decision when a prompt closes and `deny` is not available.

- macOS native callers:
  - Passed ask-derived allowed decisions into local native prompt paths.
  - Treated prompt close without a decision as denial/unavailable, so commands do not run after an unresolved close.

- Control UI:
  - Parsed `allowedDecisions` from exec approval events.
  - Parsed `allowedDecisions` from plugin approval events.
  - Rendered only allowed buttons.
  - Preserved explicit decision order.
  - Fell back from missing/malformed data using the same ask-aware behavior.
  - Prevented Escape/cancel from sending `deny` when `deny` is not an available decision.

- JSONL socket handling:
  - Review found that native prompt close without a response could leave Node socket clients waiting for the full timeout.
  - The socket client was changed to settle on peer `end`/`close`.
  - Timeout cleanup was moved into the shared finish path so all outcomes clear the timer.
  - A focused regression test was added for close-without-accepted-response.

Maintainer-policy discussion:
- Review called out a policy choice around legacy/malformed payload fallback.
- Current behavior preserves compatibility:
  - missing/malformed `allowedDecisions` plus `ask=always` omits durable approval.
  - missing/malformed `allowedDecisions` plus missing/unknown/non-always ask preserves old durable-approval behavior.
- The maintainer asked for plain-English clarification of whether fallback exists and what it means.
- The conclusion was that this is an intentional compatibility fallback unless maintainers choose a stricter fail-closed policy.

GitHub review follow-up:
- A maintainer comment asked the Control UI to mirror channel-message behavior by explaining why "Allow Always" is unavailable.
- The existing channel copy was:
  "The effective approval policy requires approval every time, so Allow Always is unavailable."
- The Control UI was updated to show that warning for exec approvals when `allow-always` is absent.
- The warning was scoped away from plugin approvals because plugin restrictions can be request-scoped and unrelated to exec policy.
- Tests were added for:
  - restricted exec approval shows the warning.
  - unrestricted exec approval does not show the warning.
  - restricted plugin approval does not show the exec-policy warning.
- Adding the English i18n key triggered a review finding about generated locale drift.
- `ui:i18n:sync` was run and generated locale fallback/meta updates were committed.
- `ui:i18n:check` then passed.

Review findings fixed:
- Swift formatting issue on the original PR head.
- Native prompt initially deriving decisions from raw `ask` instead of the gateway decision contract.
- Native prompt close/cancel behavior producing or attempting hidden decisions.
- Control UI lint/return-shape issue in approval action rendering.
- JSONL socket timeout behavior after native close without a response.
- Control UI warning initially applying too broadly to plugin approvals.
- i18n generated file drift after adding the warning string.

Focused validation run after fixes:
- Vitest:
  - `src/infra/jsonl-socket.test.ts`
  - `src/infra/exec-host.test.ts`
  - `src/infra/exec-approvals-store.test.ts`
  - `ui/src/ui/controllers/exec-approval.test.ts`
  - `ui/src/ui/views/exec-approval.test.ts`
  - `ui/src/ui/views/exec-approval.browser.test.ts`
- Result:
  - 6 files passed.
  - 57 tests passed.

- Swift:
  - `ExecApprovalPromptLayoutTests`
  - Result: 7 tests passed.
  - Covered allowed decision lists, ask fallback, malformed allowed decisions, modal close behavior, and prompt layout.

- Swift:
  - `ExecApprovalsSocketAuthTests`
  - `ExecApprovalsGatewayPrompterTests`
  - Result: 12 tests passed.

- Control UI follow-up tests:
  - `ui/src/ui/controllers/exec-approval.test.ts`
  - `ui/src/ui/views/exec-approval.test.ts`
  - `ui/src/ui/views/exec-approval.browser.test.ts`
  - Result after warning work: 3 files passed, 27 tests passed.

- i18n:
  - `pnpm ui:i18n:check`
  - Result: clean for all configured locales with fallback entries updated.

- Lint/format:
  - `node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.core.json ...`
  - Result: passed for touched UI files.
  - `git diff --check`
  - Result: passed.

Review process:
- Repeated review passes were run after each accepted fix.
- Independent cold review passes were run on the final approval/socket fix.
- A follow-up autoreview found the i18n sync gap; it was fixed.
- A follow-up autoreview found the plugin-warning scope bug; it was fixed.
- Final autoreview on the warning follow-up reported no accepted/actionable findings.

Pushed commits:
- `fix(macos): align ask always approval actions`
- `fix(macos): harden approval prompt decisions`
- `fix(ui): satisfy approval action lint`
- `fix(infra): settle jsonl sockets on close`
- `fix(ui): explain unavailable durable approvals`

Outcome:
- The PR branch was pushed to the live PR.
- The final pushed head included the macOS native fix, Control UI fix, JSONL socket close fix, dashboard warning, i18n generated updates, and focused tests.
- CI restarted on the final pushed head; no failures were reported at the time of handoff.

[Copilot]

Pull request overview

This PR updates the macOS exec-approval prompt so that “Always Allow” (durable approval) is not offered when the ask policy is always, while keeping durable approvals available for on-miss. It also adds focused test coverage around the prompt decision set.

Changes:

• Drive NSAlert button creation from a computed decision list (instead of hardcoding 3 buttons).
• Add allowedPromptDecisions to omit .allowAlways when ask == always.
• Add unit tests validating decision sets for always vs on-miss, and make ExecApprovalDecision Equatable to support assertions.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
apps/macos/Tests/OpenClawIPCTests/ExecApprovalPromptLayoutTests.swift	Adds tests covering which decisions/buttons are allowed for ask=always vs ask=on-miss.
apps/macos/Sources/OpenClaw/ExecApprovalsSocket.swift	Refactors prompt button generation to be decision-driven and introduces the decision-filtering logic.
apps/macos/Sources/OpenClaw/ExecApprovals.swift	Adds Equatable conformance to ExecApprovalDecision for test comparisons.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 26, 2026, 11:57 PM ET / 03:57 UTC.

Summary
Threads allowedDecisions through macOS native and Control UI approval prompts, adjusts cancel/socket-close handling, adds focused Swift/Vitest coverage, and regenerates UI i18n fallback output.

PR surface: Source +122, Tests +152, Other +246. Total +520 across 49 files.

Reproducibility: yes. Current-main source shows the gateway emits allowedDecisions without allow-always for ask=always, while the current Control UI hardcodes an Always allow button; the PR body also reports signed macOS BAD/GOOD A/B proof.

Review metrics: 1 noteworthy metric.

• Approval prompt clients: 2 changed. Both the macOS native prompt and Control UI now render from the request's allowed-decision list, which is the security-sensitive behavior maintainers need to review.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• none

Risk before merge

• This PR intentionally changes a command-approval security boundary in both native macOS and Control UI prompts, so maintainers should explicitly confirm the UI contract before merge.
• The PR body reports focused tests and signed macOS A/B proof, but broad full-suite CI was not part of the stated after-fix proof and should gate the exact head.

Maintainer options:

1. Land after security-boundary review (recommended)
   A maintainer can land this after confirming allowedDecisions is the prompt-rendering contract and exact-head checks are acceptable.
2. Ask for broader visual proof
   If the PR-body A/B proof is not enough, ask for additional native macOS and Control UI visual proof before merge.
3. Defer to the larger exec branch
   Pause only if maintainers reverse the current discussion and decide this standalone approval bugfix should not land separately.

Next step before merge
Protected MEMBER-authored security-boundary PR: the remaining action is maintainer review and exact-head validation, not an automated repair.

Security
Cleared: No concrete supply-chain or secrets-handling issue was found; the approval-boundary behavior is captured as merge risk for maintainer review.

Review details

Best possible solution:

Keep the standalone bugfix, complete maintainer security-boundary review plus exact-head checks, then let the broader normalized auto-mode work rebase on this behavior.

Do we have a high-confidence way to reproduce the issue?

Yes. Current-main source shows the gateway emits allowedDecisions without allow-always for ask=always, while the current Control UI hardcodes an Always allow button; the PR body also reports signed macOS BAD/GOOD A/B proof.

Is this the best way to solve the issue?

Yes. Rendering from server-provided allowedDecisions is the narrow maintainable fix, with ask-mode fallback only for legacy payloads rather than adding a separate UI policy source.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against d58f864e23dc.

Label changes

Label justifications:

• P2: This is a normal-priority approval UI/security-boundary bugfix with focused blast radius across macOS and Control UI prompts.
• merge-risk: 🚨 security-boundary: Merging changes which command-approval actions users can choose and how prompt cancellation resolves, so the approval boundary needs maintainer confirmation.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes after-fix signed macOS BAD/GOOD A/B proof plus focused Control UI and Swift verification for the changed approval behavior.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix signed macOS BAD/GOOD A/B proof plus focused Control UI and Swift verification for the changed approval behavior.

Evidence reviewed

PR surface:

Source +122, Tests +152, Other +246. Total +520 across 49 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	41	199	77	+122
Tests	3	153	1	+152
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	5	268	22	+246
Total	49	620	100	+520

What I checked:

• Current main still hardcodes durable Control UI action: Current main renders Allow once, Always allow, and Deny buttons unconditionally in the exec approval modal, so it ignores the gateway-provided allowed decision list. (ui/src/ui/views/exec-approval.ts:151, d58f864e23dc)
• Current main gateway contract already carries allowed decisions: Exec approval requests on current main include allowedDecisions: resolveExecApprovalAllowedDecisions({ ask }), and resolve validation rejects decisions outside resolveExecApprovalRequestAllowedDecisions. (src/gateway/server-methods/exec-approval.ts:325, d58f864e23dc)
• Allowed-decision resolver omits allow-always for ask=always: Current main's resolveExecApprovalAllowedDecisions returns only allow-once and deny when ask normalizes to always. (src/infra/exec-approvals.ts:1286, d58f864e23dc)
• PR makes Control UI render from allowedDecisions: The PR parses allowedDecisions, resolves fallback decisions from ask, renders only those decisions, and suppresses cancel-as-deny when deny is unavailable. (ui/src/ui/views/exec-approval.ts:141, 1c73fa13ed71)
• PR makes macOS native prompt render from allowedDecisions: The PR decodes valid native allowedDecisions, falls back by ask mode for legacy payloads, maps modal button indexes through the decision list, and returns nil when no rendered denial exists. (apps/macos/Sources/OpenClaw/ExecApprovalsSocket.swift:53, 1c73fa13ed71)
• Focused regression coverage is present: The PR adds Swift coverage for ask=always, legacy fallback, malformed native decisions, and modal close behavior, plus Control UI tests for hidden unavailable decisions and cancel handling. (apps/macos/Tests/OpenClawIPCTests/ExecApprovalPromptLayoutTests.swift:5, 1c73fa13ed71)

Likely related people:

• vincentkoc: Local blame/log on the current-main approval UI, macOS prompt, and gateway request contract points to commit 8fa5ecb as the available current-main provenance in this checkout. (role: current-main introducer and recent area contributor; confidence: medium; commits: 8fa5ecb81d02; files: ui/src/ui/views/exec-approval.ts, apps/macos/Sources/OpenClaw/ExecApprovalsSocket.swift, src/gateway/server-methods/exec-approval.ts)
• jesse-merhi: The hydrated PR context and related command-authorization work show active ownership of this approval-decision boundary beyond a one-off branch proposal. (role: active approval-boundary contributor; confidence: medium; commits: 73ef69a1cbd0, b60e7a10f1a3, 1c73fa13ed71; files: apps/macos/Sources/OpenClaw/ExecApprovalsSocket.swift, apps/macos/Sources/OpenClaw/NodeMode/MacNodeRuntime.swift, ui/src/ui/views/exec-approval.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Cosmic Test Hopper

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: keeps receipts.
Image traits: location merge queue dock; accessory tiny test log scroll; palette cobalt, lime, and pearl; mood curious; pose nestled inside a glowing shell; shell soft velvet shell; lighting moonlit rim light; background quiet workflow signs.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Cosmic Test Hopper in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[jesse-merhi]

Closing: per follow-up we are keeping these fixes in the original normalized auto mode PR branch instead.

[jesse-merhi]

Reopening: this standalone main bugfix should remain separate from PR #70543.