fix(control-ui): support raw edits from editable config

[BlackFrameAI]

What changed

• Keeps Control UI Raw config mode available when a config snapshot has editable structured config but no raw text payload.
• Allows that generated raw text to be submitted through config.set / config.apply.
• Adds controller regression coverage for both staying in Raw mode and saving generated raw text from a raw: null snapshot.

Supersedes #86640 and #86641. Those split PRs were not independently safe because raw-mode visibility and raw-mode submit eligibility need to change together.

Why

The gateway can return redacted config snapshots where raw is missing or null while editable structured config is still available through sourceConfig, resolved, or config. applyConfigSnapshot already serializes that editable config into configRaw.

Before this change, the UI could only treat Raw mode as available when the snapshot originally included raw text. If only structured config was available, Raw mode was forced off even though serializable raw text existed. The submit guard had the same mismatch and rejected generated raw drafts.

This keeps availability, rendering, and submit behavior aligned around the same editable-snapshot behavior.

Real behavior proof

• Behavior or issue addressed: The live Control UI keeps Raw config mode available for an editable snapshot without raw text, and the generated raw text can be submitted with the live snapshot base hash.
• Real environment tested: WSL Ubuntu 24.04 local OpenClaw setup, OpenClaw 2026.5.25, token-authenticated Control UI at http://127.0.0.1:18789/config, backed by running OpenClaw gateway processes from /home/icon/CodexOps/OpenClaw/dist/index.js.
• Exact steps or command run after this patch: Loaded the token-authenticated Control UI in headless Chrome, opened Settings -> Advanced -> Raw, inspected the live openclaw-app state, staged a raw-mode draft, clicked Save, and intercepted the browser client request to inspect the outgoing payload without mutating the real config file.
• Evidence after fix:

title=OpenClaw Control
url=http://127.0.0.1:18789/config
containsConfig=true
live state: snapshotRawIsString=false, snapshotRawType=object, hasSourceConfig=true, hasConfig=true, generatedRawLength=25322
rendered buttons: Form disabled=false, Raw disabled=false, Save disabled=true, Apply disabled=true

livePageBefore={"mode":"raw","snapshotRawIsString":false,"snapshotRawType":"object","hasSourceConfig":true,"hasConfig":true,"generatedRawLength":25322,"hashPrefix":"78b0f6f64637"}
capturedRequests=[{"method":"config.set","rawLength":25323,"rawPrefix":"{\n  \"meta\": {\n    \"lastTouchedVersion\": ","baseHashMatches":true},{"method":"config.get","rawLength":null,"rawPrefix":null,"baseHashMatches":false}]

• Observed result after fix: Raw mode was selectable even though the snapshot did not contain raw text. Clicking Save produced a config.set request containing generated raw text and the live snapshot base hash. The request was intercepted only to avoid modifying the local operator config during proof capture.
• What was not tested: No live config file write was allowed during proof capture; the payload and base hash were verified before network mutation.

Validation

• ../node_modules/.bin/vitest run --config vitest.config.ts src/ui/controllers/config.test.ts from ui/

[BlackFrameAI]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26426728051
• Updated: 2026-05-26T01:28:05.784Z

[clawsweeper]

Codex review: passed. Reviewed May 25, 2026, 10:13 PM ET / 02:13 UTC.

Summary
The branch updates Control UI config rendering and controller logic so generated raw config from editable snapshots without original raw text remains selectable and can be submitted, with controller regression tests.

PR surface: Source 0, Tests +23. Total +23 across 3 files.

Reproducibility: yes. from source inspection: current main generates configRaw from sourceConfig/resolved/config for raw:null snapshots but then disables Raw mode and rejects raw submit when snapshot.raw is not a string. I did not run tests because this review was required to keep the checkout read-only.

Review metrics: 1 noteworthy metric.

• Raw config gates: 2 changed. The PR changes both Raw-mode availability and Raw-mode submit eligibility, which is the compatibility/security-sensitive part of the review.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Maintainers should explicitly accept the generated raw/redaction-restore contract, or ask for one redacted live write-and-reload proof before merge.

Risk before merge

• Merging intentionally expands raw-mode write eligibility for redacted/editable config snapshots; maintainers should accept that generated raw text plus gateway redaction restore is the intended operator path.
• The live proof intercepted the request before a real config file write, so final acceptance relies on existing gateway restore/base-hash behavior and the added controller coverage rather than an after-write live proof.

Maintainer options:

1. Accept generated raw editing (recommended)
   Keep the PR as-is and let check/mergeability gates finish if maintainers agree that generated raw text from redacted editable snapshots is valid input to config.set/config.apply.
2. Require one live write proof
   Ask for a redacted live write-and-reload proof before merge if maintainers want end-to-end evidence beyond the intercepted request and controller tests.
3. Keep Raw gated to original text
   Pause or close this PR if maintainers do not want Raw mode to save generated text when the gateway withheld the original raw payload.

Next step before merge
No automated repair is needed; with no blocking findings, the remaining action is normal check/mergeability gating plus maintainer acceptance of the called-out config risk.

Security
Cleared: No concrete credential leak, permission expansion, dependency, or supply-chain issue was found in the diff; the security-sensitive redaction contract is tracked as merge risk.

Review details

Best possible solution:

Land the focused UI fix if maintainers accept the generated raw/redaction-restore contract; otherwise keep Raw mode gated to snapshots with original raw text and solve editable raw export as an explicit gateway contract.

Do we have a high-confidence way to reproduce the issue?

Yes, from source inspection: current main generates configRaw from sourceConfig/resolved/config for raw:null snapshots but then disables Raw mode and rejects raw submit when snapshot.raw is not a string. I did not run tests because this review was required to keep the checkout read-only.

Is this the best way to solve the issue?

Yes, with maintainer risk acceptance: changing availability and submit eligibility together is the narrow fix, and the PR keeps the server-side config.set/config.apply redaction-restore contract unchanged.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 93015982d391.

Label changes

Label changes:

• add status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Sufficient (live_output): The PR body includes after-fix live Control UI output showing Raw mode available for a raw:null snapshot and an intercepted config.set payload with generated raw text and matching base hash.
• remove status: 👀 ready for maintainer look: Current PR status label is status: 🚀 automerge armed.

Label justifications:

• P2: This is a normal-priority Control UI config editing bugfix with limited surface area but real operator impact.
• merge-risk: 🚨 compatibility: Generated raw text can now be submitted when the original raw payload was absent, which can affect config round-trip behavior and operator expectations.
• merge-risk: 🚨 security-boundary: The change relies on redacted structured snapshots and gateway restore logic to avoid leaking or corrupting credential material during raw config saves.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Sufficient (live_output): The PR body includes after-fix live Control UI output showing Raw mode available for a raw:null snapshot and an intercepted config.set payload with generated raw text and matching base hash.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix live Control UI output showing Raw mode available for a raw:null snapshot and an intercepted config.set payload with generated raw text and matching base hash.

Evidence reviewed

PR surface:

Source 0, Tests +23. Total +23 across 3 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	2	5	5	0
Tests	1	25	2	+23
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	3	30	7	+23

What I checked:

• Current source mismatch: Current main already serializes editable snapshot data from sourceConfig/resolved/config into configRaw when raw is null, but Raw availability is still gated only on snapshot.raw being a string and the raw submit path rejects snapshots without raw text. (ui/src/ui/controllers/config.ts:97, 93015982d391)
• Renderer disables Raw mode on raw:null snapshots: Current main passes rawAvailable based only on configSnapshot.raw, so the rendered Raw tab can be disabled even when the controller has generated raw text from editable config. (ui/src/ui/app-render.ts:1201, 93015982d391)
• PR patch covers both UI and submit gates: The PR changes the renderer/controller availability checks, removes the raw submit rejection, and adds tests for keeping Raw mode and submitting generated raw text from a raw:null editable snapshot. (ui/src/ui/controllers/config.test.ts:186, 4644c0781c16)
• Gateway dependency contract: config.get returns redactConfigSnapshot, and config.set/config.apply parse raw input then restore redacted sentinel values against the server-side snapshot before validation, which is the contract this UI path relies on. (src/gateway/server-methods/config.ts:251, 93015982d391)
• Redaction behavior: redactConfigSnapshot intentionally nulls unsafe raw text and exposes redacted structured config, while restoreRedactedValues is documented as the config.set/config.apply round-trip path for credentials. (src/config/redact-snapshot.ts:410, 93015982d391)
• Repository policy applied: Root policy treats config loading/defaults/fallback behavior as compatibility-sensitive, so the raw generated-config write path remains a merge-risk callout even without a line-level defect. (AGENTS.md:26, 93015982d391)

Likely related people:

• Fermin Quant: Current-main blame for the Control UI config controller, renderer, tests, and redaction-related paths points to the imported snapshot commit authored by Fermin Quant. (role: recent area contributor; confidence: medium; commits: 342bde2af6e5; files: ui/src/ui/controllers/config.ts, ui/src/ui/app-render.ts, ui/src/ui/controllers/config.test.ts)
• Peter Steinberger: The same imported snapshot commit that carries the relevant current-main files was committed by Peter Steinberger, making him a likely routing candidate for the current behavior history. (role: merger/committer; confidence: medium; commits: 342bde2af6e5; files: ui/src/ui/controllers/config.ts, ui/src/ui/app-render.ts, src/gateway/server-methods/config.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Moonlit Crabkin

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: sleeps inside passing CI.
Image traits: location release reef; accessory green check lantern; palette moonlit blue and soft silver; mood determined; pose guarding a tiny green check; shell polished stone shell; lighting soft underwater shimmer; background small green status lights.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Moonlit Crabkin in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[Takhoffman]

@clawsweeper automerge

[clawsweeper]

🦞🔧
ClawSweeper saw the passing review, but the PR needs another repair pass before merge.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=4644c0781c167ef1eadf02c6b67567eea4ffdf7d); failed required checks before automerge: Real behavior proof:CANCELLED
Action: repair worker queued. Run: https://github.com/openclaw/clawsweeper/actions/runs/26428478129
Model: gpt-5.5

I will update this PR branch, or open a safe credited replacement, if the repair worker finds a narrow CI fix.

Automerge progress:

• 2026-05-26 02:06:15 UTC review queued 4644c0781c16 (queued)

• 2026-05-26 02:16:56 UTC review passed 4644c0781c16 (structured ClawSweeper verdict: pass (sha=4644c0781c167ef1eadf02c6b67567eea4ffd...)

• 2026-05-26 02:17:14 UTC repair queued 4644c0781c16 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/26428478129

• 2026-05-26 02:18:43 UTC repair started (running) in 1s Run: https://github.com/openclaw/clawsweeper/actions/runs/26428478129 automerge-openclaw-openclaw-86700

• 2026-05-26 02:19:01 UTC validation plan (passed) in 18s Run: https://github.com/openclaw/clawsweeper/actions/runs/26428478129 pnpm check:changed; pnpm lint; pnpm check:test-types

• 2026-05-26 02:19:11 UTC Codex write preflight (passed) in 28s Run: https://github.com/openclaw/clawsweeper/actions/runs/26428478129 danger-full-access

• 2026-05-26 02:24:31 UTC Codex edit 1 24d02d886483 (complete) in 5m 48s Run: https://github.com/openclaw/clawsweeper/actions/runs/26428478129 exit 0

• 2026-05-26 02:28:26 UTC validation and review 1 befbe163626b (base moved) in 9m 43s Run: https://github.com/openclaw/clawsweeper/actions/runs/26428478129 rebased

• 2026-05-26 02:29:09 UTC repair finished befbe163626b (opened) in 10m 26s Run: https://github.com/openclaw/clawsweeper/actions/runs/26428478129 open_fix_pr

[clawsweeper]

🦞✅
ClawSweeper is pausing this repair loop for human review.

Source: clawsweeper[bot]
Reason: Maintainer review should decide whether the generated raw/redaction restore contract is acceptable before merge; there is no narrow automated repair required.; Cleared: No new dependency, secret exposure, or supply-chain issue was found in the diff; the credential-sensitive config write behavior is tracked as merge risk. (sha=4644c0781c167ef1eadf02c6b67567eea4ffdf7d)

Why human review is needed:
This item has security-sensitive risk. ClawSweeper is pausing instead of making an autonomous change that could affect trust, credentials, permissions, or exposure.

What the maintainer can do as a next step:
If the maintainer accepts the current risk and wants ClawSweeper to continue merge gates, comment @clawsweeper approve. If the security-sensitive detail still needs changes, describe the safe path or push the fix, then comment @clawsweeper automerge. If the risk should not be automated, keep the PR paused for manual review or comment @clawsweeper stop.

I added clawsweeper:human-review and left the final call with a maintainer.

[clawsweeper]

ClawSweeper 🐠 reef update

Thanks for the contribution here. ClawSweeper tried the original lane first, but branch permissions blocked the push, so a replacement PR is carrying the fix forward.

Why replacement: ClawSweeper could not update the source PR branch directly; GitHub did not grant sufficient push rights to the bot for that branch.
Replacement PR: #86726
Why close: this run explicitly closes the superseded source PR after the credited replacement PR is open, so review continues in one place.
Closing this source PR only because source-PR closing was explicitly enabled for this run.
Contributor credit is copied into the replacement PR notes and release-note context.
Co-author credit kept:

• @BlackFrameAI: Co-authored-by: Blackframe AI 122847831+BlackFrameAI@users.noreply.github.com

fish notes: model gpt-5.5, reasoning high; reviewed against befbe16.