fix: block side-effecting command wrappers [AI]

[pgondhi987]

Summary

• Treat side-effecting dispatch wrapper forms as policy-blocked instead of transparent when evaluating exec approval allowlists.
• Keep plain GNU time usage transparent when it only reports to stderr, while blocking output-file forms before allowlist matching.
• Carry the requested analysis platform into command resolution so BSD/macOS wrapper behavior is tested deterministically from Linux.
• AI-assisted.

Linked context

No public issue linked in this PR body.

Real behavior proof (required for external PRs)

• Behavior addressed: Exec approval allowlists no longer approve an inner command while preserving a side-effecting wrapper for execution.
• Real environment tested: Local Linux checkout with Node 24.15.0, repo Vitest wrapper, and direct OpenClaw exec-approval allowlist probes against the patched code.
• Exact steps or command run after this patch: node scripts/run-vitest.mjs src/infra/exec-wrapper-resolution.test.ts src/infra/exec-command-resolution.test.ts src/infra/exec-approvals-analysis.test.ts
• Exact steps or command run after this patch: node --import tsx --input-type=module with evaluateShellAllowlist probes for script ~/.zshenv git log -1 --format='payload' on darwin, /usr/bin/time -o ~/.bashrc -a -f 'payload' git status on linux, and /usr/bin/time -p git status on linux.
• Evidence after fix: Test Files 3 passed (3); Tests 269 passed (269)
• Evidence after fix: bsd-script-darwin {"analysisOk":true,"allowlistSatisfied":false,"segmentSatisfiedBy":[null],"policyBlocked":true,"blockedWrapper":"script"}
• Evidence after fix: gnu-time-output-linux {"analysisOk":true,"allowlistSatisfied":false,"segmentSatisfiedBy":[null],"policyBlocked":true,"blockedWrapper":"time"}
• Evidence after fix: gnu-time-stderr-linux {"analysisOk":true,"allowlistSatisfied":true,"segmentSatisfiedBy":["allowlist"],"policyBlocked":false}
• Observed result after fix: BSD/macOS script transcript wrappers and GNU time -o wrappers are policy-blocked before allowlist matching; plain time -p remains allowlist-transparent.
• What was not tested: Full suite and cross-OS runtime execution on macOS/FreeBSD were not run locally.
• Proof limitations or environment constraints: The BSD/macOS behavior is covered by platform-parameterized OpenClaw allowlist analysis in this Linux worktree rather than by running BSD script on a macOS/FreeBSD host.
• Before evidence: The previous behavior reduced wrapper commands to the inner command for allowlist matching while preserving the raw source command for execution.

Tests and validation

Which commands did you run?

git diff --check

pnpm exec oxfmt --write src/infra/dispatch-wrapper-resolution.ts src/infra/exec-approvals-allowlist.ts src/infra/exec-approvals-analysis.ts src/infra/exec-wrapper-trust-plan.ts src/infra/exec-wrapper-resolution.test.ts src/infra/exec-command-resolution.test.ts src/infra/exec-approvals-analysis.test.ts

node scripts/run-vitest.mjs src/infra/exec-wrapper-resolution.test.ts src/infra/exec-command-resolution.test.ts src/infra/exec-approvals-analysis.test.ts

node --import tsx --input-type=module direct evaluateShellAllowlist probes for the blocked script and time -o forms plus allowed time -p.

What regression coverage was added or updated?

• Dispatch wrapper trust-plan tests for BSD/macOS script transcript wrappers and GNU time -o / --output wrappers.
• Command-resolution tests proving file-writing wrappers stay on the policy boundary.
• Allowlist tests proving the reported wrapper classes no longer satisfy an inner git allowlist while plain time -p still does.

What failed before this fix, if known?

The wrapper allowlist behavior could approve the reduced inner command while execution preserved the raw wrapper command.

If no test was added, why not?

Not applicable.

Risk checklist

Did user-visible behavior change? (Yes/No)

Yes.

Did config, environment, or migration behavior change? (Yes/No)

No.

Did security, auth, secrets, network, or tool execution behavior change? (Yes/No)

Yes.

What is the highest-risk area?

Exec approval compatibility for users who intentionally wrapped allowlisted commands with transcript or output-file wrappers.

How is that risk mitigated?

The change is limited to wrapper policy transparency, preserves non-file-output time behavior, and adds focused regression coverage for blocked and still-transparent cases.

Current review state

What is the next action?

Review gates and GitHub CI are pending.

What is still waiting on author, maintainer, CI, or external proof?

Maintainer review and GitHub CI are pending; direct real-behavior proof has been added above.

Which bot or reviewer comments were addressed?

ClawSweeper's real-behavior proof request was addressed by adding direct patched-code allowlist probe output to this PR body.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 27, 2026, 9:15 AM ET / 13:15 UTC.

Summary
The PR changes exec wrapper resolution and allowlist analysis so BSD/macOS script transcript wrappers and GNU time -o/--output wrappers are policy-blocked while plain stderr-only GNU time remains transparent.

PR surface: Source +82, Tests +96. Total +178 across 8 files.

Reproducibility: yes. from source inspection: current main marks script and time transparent and allowlist evaluation only fails once a segment is policyBlocked. I did not execute a current-main repro because this review was read-only, but the PR body also documents before/after direct allowlist probes.

Review metrics: 1 noteworthy metric.

• Exec-approval wrapper policy: 2 wrapper families newly blocked. script transcript wrappers and GNU time output-file wrappers can turn formerly allowlisted inner commands into approval misses.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Wait for the relevant GitHub CI checks to complete.
• Have a maintainer explicitly accept the fail-closed compatibility change for wrapped allowlisted commands.

Risk before merge

• This intentionally makes some previously allowlisted wrapped commands require approval, so users who rely on script or time -o/--output around allowlisted commands can see a fail-closed behavior change after upgrade.
• The PR's proof covers BSD/macOS script through OpenClaw's platform-parameterized analysis from Linux, not a live macOS or FreeBSD runtime run.

Maintainer options:

1. Land After Compatibility Acceptance (recommended)
   Maintainers can accept the stricter fail-closed exec-approval behavior as the security fix once required CI is green.
2. Request Cross-OS Proof First
   Maintainers can ask for macOS or FreeBSD runtime proof if platform-specific script behavior must be verified outside the Linux analysis harness before merge.
3. Pause If Existing Wrapper Workflows Must Stay Transparent
   If preserving allowlisted transcript/output wrappers is a product requirement, pause this PR and design an explicit strict-mode or migration path instead.

Next step before merge
Protected maintainer label plus security-sensitive exec behavior and compatibility impact make this a human maintainer review path, not an automated repair lane.

Security
Cleared: The diff tightens an exec approval security boundary and does not introduce a concrete supply-chain or secret-handling regression; compatibility risk is tracked separately.

Review details

Best possible solution:

Land the narrow fail-closed wrapper policy after maintainer acceptance of the compatibility change and relevant CI completion, keeping the focused regression tests and proof in place.

Do we have a high-confidence way to reproduce the issue?

Yes, from source inspection: current main marks script and time transparent and allowlist evaluation only fails once a segment is policyBlocked. I did not execute a current-main repro because this review was read-only, but the PR body also documents before/after direct allowlist probes.

Is this the best way to solve the issue?

Yes, the patch is a narrow owner-boundary fix: classify side-effecting wrappers as policy-blocked before allowlist matching and pass the requested platform into command resolution. The remaining question is maintainer acceptance of the compatibility impact, not a different implementation path.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against dc5954b0f8cb.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The updated PR body includes copied live output from direct OpenClaw allowlist probes showing both blocked wrapper cases and the still-allowed plain time -p case after the patch.
• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The updated PR body includes copied live output from direct OpenClaw allowlist probes showing both blocked wrapper cases and the still-allowed plain time -p case after the patch.
• remove rating: 🦪 silver shellfish: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
• remove status: 📣 needs proof: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

• P0: The PR addresses a security-sensitive exec approval allowlist bypass where side-effecting wrappers could run under an inner-command allowlist.
• merge-risk: 🚨 compatibility: The stricter wrapper policy can break existing setups that intentionally wrap allowlisted commands with script or time -o/--output.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The updated PR body includes copied live output from direct OpenClaw allowlist probes showing both blocked wrapper cases and the still-allowed plain time -p case after the patch.
• proof: sufficient: Contributor real behavior proof is sufficient. The updated PR body includes copied live output from direct OpenClaw allowlist probes showing both blocked wrapper cases and the still-allowed plain time -p case after the patch.

Evidence reviewed

PR surface:

Source +82, Tests +96. Total +178 across 8 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	5	97	15	+82
Tests	3	96	0	+96
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	8	193	15	+178

What I checked:

• Current main transparent wrappers: Current main treats script and time as transparent dispatch wrappers, so a resolved inner command can satisfy allowlist matching unless another policy block applies. (src/infra/dispatch-wrapper-resolution.ts:371, dc5954b0f8cb)
• Policy-blocked segments deny allowlist: Exec allowlist evaluation already fails a segment when segment.resolution.policyBlocked is true, so the PR's wrapper policy flag directly prevents allowlist satisfaction. (src/infra/exec-approvals-allowlist.ts:606, dc5954b0f8cb)
• PR wrapper policy change: The PR adds timeInvocationWritesOutputFile, marks script non-transparent, and makes time transparent only when it does not write an output file. (src/infra/dispatch-wrapper-resolution.ts:238, 117f28f4fd54)
• PR platform propagation: The PR carries the requested analysis platform through shell command analysis into command resolution, which is needed for deterministic BSD/macOS wrapper behavior from Linux tests. (src/infra/exec-approvals-analysis.ts:1201, 117f28f4fd54)
• Regression coverage: The PR adds focused allowlist tests proving script and GNU time -o no longer satisfy a git allowlist while /usr/bin/time -p git status still does. (src/infra/exec-approvals-analysis.test.ts:627, 117f28f4fd54)
• Dependency contract check: GNU time --help documents -o, --output=FILE as writing to FILE instead of stderr, matching the PR's side-effect boundary.

Likely related people:

• Georgi Atsev: git blame attributes the current dispatch wrapper resolution and exec wrapper trust-plan code to commit 9e7c2b3, which also appears as the only local history touch for these central files. (role: introduced behavior; confidence: high; commits: 9e7c2b356bac; files: src/infra/dispatch-wrapper-resolution.ts, src/infra/exec-wrapper-trust-plan.ts, src/infra/exec-approvals-allowlist.ts)
• Peter Steinberger: Commit 9e7c2b3 lists Peter Steinberger as a co-author on the broad change that introduced the current exec-approval wrapper files in this checkout history. (role: adjacent contributor; confidence: medium; commits: 9e7c2b356bac; files: src/infra/dispatch-wrapper-resolution.ts, src/infra/exec-wrapper-trust-plan.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🌱 uncommon Frosted Clawlet

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🌱 uncommon.
Trait: hums during re-review.
Image traits: location proof lagoon; accessory CI status badge; palette moss green and polished brass; mood determined; pose stepping out of a freshly hatched shell; shell brushed metal shell; lighting cool dashboard glow; background smooth stones and checkmarks.
Share on X: post this hatch
Copy: My PR egg hatched a 🌱 uncommon Frosted Clawlet in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[pgondhi987]

Updated the PR body with direct exec-approval allowlist probe output for the blocked wrapper cases and the still-allowed plain time case. @clawsweeper re-review

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.