fix(doctor): report managed plugin version drift #90927

Merged: vincentkoc merged 18 commits into openclaw:main from brokemac79:fix/issue-90891-doctor-plugin-drift, Jun 9, 2026

@brokemac79 brokemac79 commented Jun 6, 2026

Contributor

Summary

What problem does this PR solve?

  • openclaw doctor now surfaces active official managed plugin version drift that was previously only visible in openclaw gateway status --deep.
  • Doctor uses daemon-context status data so the warning is based on the running local gateway version, not the caller CLI version.
  • The drift probe is local-gateway only, skips misleading remote-mode local install-record checks, and avoids executing daemon-side exec SecretRefs unless --allow-exec is set.

Why does this matter now?

What is the intended outcome?

  • Doctor emits a Plugin version drift note with the stale plugin version, expected gateway version, and an actionable openclaw plugins update <plugin> && openclaw gateway restart repair.

What is intentionally out of scope?

  • Hook drift, non-official plugin version policy, and changing the existing gateway-status drift detector.

What does success look like?

  • A local managed official plugin drift appears in doctor output, while remote gateway mode and auth-skipped probes do not produce misleading local drift advice.

What should reviewers focus on?

  • runWorkspaceStatusHealth now obtains drift from gatherDaemonStatus.
  • status.gather.ts keeps daemon preauth probes on the stricter probe credential policy.
  • doctor:gateway-health keeps the existing normal Gateway RPC credential policy and skips any exec SecretRef that could be selected unless --allow-exec is set.

Linked context

Which issue does this close?

Closes #90891

Which issues, PRs, or discussions are related?

Related #90917 was an overlapping contributor PR; it has now been closed. This PR carries the proofed fix.

Was this requested by a maintainer or owner?

Yes. The issue reporter/maintainer account brokemac79 owns the affected VPS proof environment and asked for this focused fix.

Real behavior proof

  • Behavior or issue addressed: openclaw doctor --non-interactive reports official managed plugin version drift for a stale active managed install.
  • Real environment tested: myvps (polymarket-mc), Ubuntu Linux, temp clone /tmp/oc-90891-latest, PR head d841d8c6232321e26b2fc4d875b4ffe1c7ca07ee.
  • Exact steps or command run after this patch: In /tmp/oc-90891-latest, verified git rev-parse HEAD was d841d8c6232321e26b2fc4d875b4ffe1c7ca07ee, created a temp OPENCLAW_STATE_DIR / OPENCLAW_CONFIG_PATH, wrote an installed-plugin-index SQLite row for stale official managed npm plugin @openclaw/acpx@2026.5.30-beta.1, started a short-lived local gateway from this PR head with node openclaw.mjs gateway --port <temp-port> --bind loopback --force, then ran node openclaw.mjs doctor --non-interactive and asserted the drift note and repair command with grep -F.
  • Evidence after fix: Copied live output from the current-head VPS run:
HEAD=d841d8c6232321e26b2fc4d875b4ffe1c7ca07ee
ROOT=/tmp/oc-90891-proof.Kr1I0z
PORT=29848
UNIT=openclaw-gateway-proof-90891-19800
--- doctor drift excerpt ---
Plugin version drift
1 active official plugin not on OpenClaw 2026.6.2
- acpx: 2026.5.30-beta.1 (npm) -> expected 2026.6.2
Fix: openclaw plugins update acpx && openclaw gateway restart.
--- assertions ---
Plugin version drift
1 active official plugin not on OpenClaw 2026.6.2
- acpx: 2026.5.30-beta.1 (npm) -> expected 2026.6.2
Fix: openclaw plugins update acpx && openclaw gateway restart.
doctor proof ok
  • Observed result after fix: Doctor emitted the Plugin version drift note for the stale official managed plugin, showed installed version 2026.5.30-beta.1, expected running gateway version 2026.6.2, and the actionable repair command openclaw plugins update acpx && openclaw gateway restart.
  • What was not tested: Mantis was not available. Crabbox was attempted earlier but not usable: Blacksmith Testbox was unauthenticated/repo resolution failed, and Azure Crabbox allocation cbx_2113c24a2c6f / run_e119becc434e could not sync because local Windows rsync.exe was missing behind the shim. The live proof used acpx instead of the issue host's older codex fixture because codex is not present in the current official external plugin catalog at this head.
  • Proof limitations or environment constraints: Real behavior proof was run on the maintainer/reporter VPS rather than Crabbox/Mantis for the availability reasons above.
  • Before evidence: Issue [Bug]: Doctor does not report official managed plugin version drift after core upgrade #90891 includes the affected host output where gateway status --deep reported stale official managed plugin drift while doctor only showed plugin counts/errors.

Tests and validation

Which commands did you run?

# Local Windows focused validation
node scripts/run-vitest.mjs src/flows/doctor-health-contributions.test.ts
node scripts/run-vitest.mjs src/flows/doctor-health-contributions.test.ts src/commands/doctor-workspace-status.test.ts src/cli/daemon-cli/status.gather.test.ts src/gateway/probe-auth.test.ts
node scripts/run-vitest.mjs src/commands/doctor-workspace-status.test.ts
node --import tsx scripts/check-no-extension-test-core-imports.ts
node scripts/run-vitest.mjs src/agents/openclaw-tools.camera.test.ts
node scripts/run-vitest.mjs run --config test/vitest/vitest.live.config.ts extensions/google/google.live.test.ts extensions/minimax/minimax.live.test.ts
pnpm lint --threads=8
pnpm exec oxlint src/flows/doctor-health-contributions.ts src/flows/doctor-health-contributions.test.ts src/cli/daemon-cli/status.gather.ts src/cli/daemon-cli/status.gather.test.ts src/commands/agent-via-gateway.test.ts
git diff --check
codex review --base origin/main
codex review --commit HEAD

# VPS Linux latest-head validation
COREPACK_ENABLE_DOWNLOAD_PROMPT=0 node scripts/run-vitest.mjs src/commands/agent-via-gateway.test.ts
COREPACK_ENABLE_DOWNLOAD_PROMPT=0 node scripts/run-vitest.mjs src/flows/doctor-health-contributions.test.ts src/commands/doctor-workspace-status.test.ts src/cli/daemon-cli/status.gather.test.ts src/gateway/probe-auth.test.ts

Observed latest-head VPS result on d841d8c6232321e26b2fc4d875b4ffe1c7ca07ee:

  • src/commands/agent-via-gateway.test.ts: 55 passed.
  • Focused doctor/status/probe-auth/workspace tests: 34 passed, 8 passed, 30 passed / 1 skipped, 44 passed.

What regression coverage was added or updated?

  • Doctor workspace status formatter renders supplied drift reports and exact single-plugin repair advice.
  • Doctor flow passes daemon-context drift only when a confirmed daemon/gateway drift report is available and probe auth was not skipped.
  • Doctor skips the drift status probe for remote gateway mode.
  • Status gather disables exec SecretRef materialization by default while preserving the stricter daemon preauth probe credential policy.
  • Doctor gateway health skips exec SecretRefs that could be selected by normal Gateway RPC credential resolution unless --allow-exec is set.
  • Agent CLI SIGTERM tests now wait for the signal bridge rather than racing embedded-agent import/migration startup.

What failed before this fix, if known?

  • Doctor did not show any plugin version drift note for the reported stale official managed plugin state.

If no test was added, why not?

  • Tests were added.

Risk checklist

Did user-visible behavior change? (Yes/No)

Yes. Doctor can now emit a new Plugin version drift warning.

Did config, environment, or migration behavior change? (Yes/No)

No.

Did security, auth, secrets, network, or tool execution behavior change? (Yes/No)

Yes, narrowly. The new doctor drift probe can read daemon-context gateway auth, but exec SecretRefs are disabled by default and require --allow-exec, matching doctor's existing exec gate.

What is the highest-risk area?

Avoiding misleading local install-record drift warnings and avoiding unexpected exec SecretRef execution.

How is that risk mitigated?

The probe is skipped for remote gateway mode, drift is suppressed when auth materialization was skipped, a probed gateway version is required before doctor emits drift advice, and tests cover exec SecretRef plus local/remote credential boundaries.

Current review state

What is the next action?

Maintainer review.

What is still waiting on author, maintainer, CI, or external proof?

No author-side code/proof work is pending. CI is green on head d841d8c6232321e26b2fc4d875b4ffe1c7ca07ee with only success/skipped/neutral checks except for a transient auto-response GitHub API 500 on label lookup, which is being retried by this body refresh. ClawSweeper re-review has completed successfully for this exact head; the remaining rank-up item is human owner/security acceptance for the exec SecretRef probe policy and repair advice.

Which bot or reviewer comments were addressed?

Codex review findings were addressed locally before PR creation and during CI cleanup:

  • Use running gateway context instead of CLI-only workspace status.
  • Do not execute daemon-side exec SecretRefs before doctor's --allow-exec gate.
  • Match daemon preauth probe credential policy so remote SecretRefs do not block local preauth probes.
  • Preserve normal Gateway health credential selection and skip fallback exec SecretRefs there.
  • Skip drift probes for remote doctor runs.
  • Require a probed gateway version before doctor emits drift advice, so exec-skipped or otherwise unprobed fallback-version drift is suppressed.
  • Stabilize the local-agent SIGTERM test by synchronizing on signal listener registration.

Codex review final result on merge head d841d8c623: codex review --commit HEAD reported no actionable correctness issues in the HEAD diff. It noted focused gateway approval tests passed; broader Windows agent tests hit temp cleanup/SQLite lock failures that did not indicate a changed runtime bug. A branch-wide codex review --base origin/main retry previously timed out after 15 minutes with no findings before commit-scoped review completed cleanly.
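
The gates listed under "How is that risk mitigated?" (skip remote mode, no exec SecretRef without --allow-exec, require a probed gateway version), sketched as an added TypeScript example. It is not code from this PR or from OpenClaw: every type and function name, the SecretRef shape and the sample records are assumptions, and only the output strings are copied from the doctor excerpt above.

```typescript
// Added illustration, not OpenClaw source. All names and shapes are hypothetical.

type SecretRef = { source: "env" | "exec"; value: string };

interface DoctorContext {
  gatewayMode: "local" | "remote";
  allowExec: boolean;        // stands in for doctor's --allow-exec flag
  gatewayAuth?: SecretRef;   // credential the probe would select, if any
}

interface InstalledPlugin {
  id: string;
  version: string;
  source: string;
  official: boolean;
  active: boolean;
}

interface DriftDecision {
  emit: boolean;
  reason: "drift" | "no-drift" | "remote-gateway" | "auth-skipped" | "unprobed-version";
  lines: string[];
}

// Counts simulated exec SecretRef runs so the gate can be checked.
let execRuns = 0;

function materialize(ref: SecretRef): string {
  if (ref.source === "exec") {
    execRuns += 1; // a real resolver would run an external command here
  }
  return ref.value;
}

function suppressed(reason: DriftDecision["reason"]): DriftDecision {
  return { emit: false, reason: reason, lines: [] };
}

// runningVersion is what the local gateway reports when probed;
// undefined models a gateway whose version could not be confirmed.
function decideDrift(
  ctx: DoctorContext,
  plugins: InstalledPlugin[],
  runningVersion: string | undefined
): DriftDecision {
  // Gate 1: local install records say nothing about a remote gateway.
  if (ctx.gatewayMode === "remote") return suppressed("remote-gateway");

  // Gate 2: never run an exec-backed credential unless explicitly allowed.
  const ref = ctx.gatewayAuth;
  if (ref !== undefined && ref.source === "exec" && !ctx.allowExec) {
    return suppressed("auth-skipped");
  }
  if (ref !== undefined) materialize(ref);

  // Gate 3: require a version the gateway actually reported, not a fallback.
  if (runningVersion === undefined) return suppressed("unprobed-version");

  const stale = plugins.filter((p) => p.official && p.active && p.version !== runningVersion);
  if (stale.length === 0) return suppressed("no-drift");

  const lines = [
    "Plugin version drift",
    stale.length + " active official plugin" + (stale.length === 1 ? "" : "s") +
      " not on OpenClaw " + runningVersion,
  ];
  for (const p of stale) {
    lines.push("- " + p.id + ": " + p.version + " (" + p.source + ") -> expected " + runningVersion);
  }
  // The page only shows the single-plugin repair line, so only that case gets one.
  if (stale.length === 1) {
    lines.push("Fix: openclaw plugins update " + stale[0].id + " && openclaw gateway restart.");
  }
  return { emit: true, reason: "drift", lines: lines };
}

// Constructed install records: one stale official plugin, one current, one non-official.
const SAMPLE_PLUGINS: InstalledPlugin[] = [
  { id: "acpx", version: "2026.5.30-beta.1", source: "npm", official: true, active: true },
  { id: "example-current", version: "2026.6.2", source: "npm", official: true, active: true },
  { id: "example-third-party", version: "1.0.0", source: "npm", official: false, active: true },
];

console.log(
  decideDrift({ gatewayMode: "local", allowExec: false }, SAMPLE_PLUGINS, "2026.6.2").lines.join("\n")
);
```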

@brokemac79 brokemac79 requested a review from a team as a code owner June 6, 2026 12:48
@openclaw-barnacle openclaw-barnacle Bot added gateway Gateway runtime cli CLI command changes commands Command implementations size: M proof: supplied External PR includes structured after-fix real behavior proof. labels Jun 6, 2026
@clawsweeper

clawsweeper Bot commented Jun 6, 2026

Contributor

Codex review: needs maintainer review before merge. Reviewed June 8, 2026, 11:05 AM ET / 15:05 UTC.

Summary
The PR routes daemon-context official managed plugin drift into openclaw doctor, adds drift output and repair text, gates exec SecretRef use in diagnostic probes, and updates focused doctor/status/agent tests.

PR surface: Source +113, Tests +523. Total +636 across 9 files.

Reproducibility: yes, by source inspection and linked live evidence: current main gathers plugin drift in daemon status but doctor never receives or prints that report, and the linked issue shows the before state on a real upgraded host.

Review metrics: 1 noteworthy metric.

  • Credential probe policy surfaces: 2 changed. Doctor workspace drift probing and gateway health probing now conditionally avoid exec SecretRefs, which is a security-boundary behavior maintainers should notice before merge.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P2] Get explicit gateway/doctor/security owner acceptance for the exec SecretRef probe policy and update/restart repair guidance.

Risk before merge

  • [P1] Doctor can now prescribe openclaw plugins update <plugin> && openclaw gateway restart after upgrades; owners should accept that as the canonical repair guidance for managed official plugin drift.
  • [P1] The PR changes diagnostic credential handling so doctor/status can skip exec-backed gateway SecretRefs by default and rely on --allow-exec for materialization; gateway/security owners should explicitly accept that boundary.

Maintainer options:

  1. Accept with owner/security sign-off (recommended)
    If gateway, doctor, and security owners accept the repair text and no-exec default, the current patch is the cleanest observed fix shape and can proceed through normal merge gates.
  2. Tighten policy before merge
    If owners want a narrower boundary, revise the doctor/status probe gate or emitted advice while preserving focused tests for default and --allow-exec behavior.
  3. Pause for remediation decision
    If maintainers do not want doctor to prescribe plugin update plus gateway restart, pause this PR and decide the canonical post-upgrade remediation path first.

Next step before merge

  • [P2] The remaining action is owner/security review of diagnostic credential policy and repair guidance, not a narrow automated code repair.

Security
Needs attention: No exploit or supply-chain issue was found, but the exec SecretRef diagnostic probe policy is security-sensitive and needs owner/security acceptance before merge.

Review details

Best possible solution:

Merge the daemon-status-based doctor fix after gateway/doctor/security owners accept the SecretRef gate and plugin update/restart guidance.

Do we have a high-confidence way to reproduce the issue?

Yes, by source inspection and linked live evidence: current main gathers plugin drift in daemon status but doctor never receives or prints that report, and the linked issue shows the before state on a real upgraded host.

Is this the best way to solve the issue?

Yes, with owner/security caveats. Reusing daemon status is the best observed fix shape because it uses the running gateway context instead of duplicating local install-record policy inside doctor.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against d46dc39b18ec.

Label changes

Label changes:

  • add proof: sufficient: Contributor real behavior proof is sufficient. The PR body contains exact-head VPS live output showing openclaw doctor --non-interactive emitting the new drift note and repair command after the patch.

Label justifications:

  • P2: The PR fixes a production diagnostic gap after upgrades, but the affected surface is limited to doctor/status reporting and repair guidance.
  • merge-risk: 🚨 compatibility: The patch changes post-upgrade doctor output and can change existing operator guidance for managed plugin drift.
  • merge-risk: 🚨 security-boundary: The patch changes when doctor/status diagnostics may skip or materialize exec-backed gateway credentials.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (live_output): The PR body contains exact-head VPS live output showing openclaw doctor --non-interactive emitting the new drift note and repair command after the patch.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR body contains exact-head VPS live output showing openclaw doctor --non-interactive emitting the new drift note and repair command after the patch.

Evidence reviewed

PR surface:

Source +113, Tests +523. Total +636 across 9 files.

PR surface stats:

Area       Files  Added  Removed  Net
Source     4      154    41       +113
Tests      5      532    9        +523
Docs       0      0      0        0
Config     0      0      0        0
Generated  0      0      0        0
Other      0      0      0        0
Total      9      686    50       +636

Security concerns:

  • [medium] Confirm exec SecretRef probe policy — src/cli/daemon-cli/status.gather.ts:636
    The PR intentionally changes doctor/status behavior so exec-backed gateway credentials are not materialized by default in this diagnostic path; this reduces accidental execution but still changes a credential/tool-execution boundary that owners should accept.
    Confidence: 0.82

What I checked:

  • Repository policy read: Root AGENTS.md was read fully, and scoped gateway/plugin/agent AGENTS files were checked; the compatibility and security-boundary guidance applies to this doctor/gateway/SecretRef PR. (AGENTS.md:1, d46dc39b18ec)
  • Current main doctor gap: Current main noteWorkspaceStatus prints skills, plugin counts, compatibility warnings, diagnostics, and TaskFlow hints, but has no plugin-version-drift input or output path. (src/commands/doctor-workspace-status.ts:57, d46dc39b18ec)
  • Existing drift source: Current main already computes pluginVersionDrift in daemon status from daemon install records and the probed gateway version, so reusing daemon status is the right source of truth. (src/cli/daemon-cli/status.gather.ts:654, d46dc39b18ec)
  • PR routes daemon drift into doctor: At PR head, runWorkspaceStatusHealth calls gatherDaemonStatus, requires a real probed gateway version, suppresses auth-warning cases, and passes pluginVersionDrift to workspace status. (src/flows/doctor-health-contributions.ts:757, d841d8c62323)
  • PR formats actionable doctor output: At PR head, notePluginVersionDrift emits stale official plugin versions and the single-plugin openclaw plugins update <plugin> && openclaw gateway restart advice. (src/commands/doctor-workspace-status.ts:61, d841d8c62323)
  • Credential boundary changed: At PR head, daemon status accepts allowExecSecretRefs and skips materializing active exec SecretRefs when the option is false, which is the intended mitigation but still a security-boundary decision. (src/cli/daemon-cli/status.gather.ts:636, d841d8c62323)

Likely related people:

  • hussein1362: Commit 4a285d5 added the external plugin version drift detector and wired it into gateway status, which is the behavior this PR reuses for doctor. (role: introduced drift detector; confidence: high; commits: 4a285d529a00; files: src/plugins/plugin-version-drift.ts, src/cli/daemon-cli/status.gather.ts, src/cli/daemon-cli/status.print.ts)
  • vincentkoc: Recent history around gateway credential SecretRef handling and local probe auth points to this area for the exec SecretRef policy review. (role: credential/probe auth history; confidence: high; commits: 935bd6de7fcb, ce01b8f250e8; files: src/gateway/credentials-secret-inputs.ts, src/gateway/probe-auth.ts)
  • RomneyDa: Commit d48b927 added gateway health auth diagnostics, adjacent to the doctor gateway-health behavior this PR refactors through the shared exec credential check. (role: gateway health auth contributor; confidence: medium; commits: d48b9274d819; files: src/flows/doctor-health-contributions.ts, src/commands/doctor-gateway-health.ts)
  • steipete: Recent commits touched doctor health contribution and gateway auth/probe documentation surfaces, making this a useful routing candidate for review context. (role: recent adjacent contributor; confidence: medium; commits: 538d36eaaaa6, 861bf541c229, 0b8aabe8648e; files: src/flows/doctor-health-contributions.ts, src/gateway/probe-auth.ts)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P2 Normal backlog priority with limited blast radius. labels Jun 6, 2026

Contributor Author

CI note after initial monitor:

  • ClawSweeper reviewed commit 9bed66616005 and marked the PR ready for maintainer review with proof: sufficient / status: ready for maintainer look.
  • The only failing visible CI check I found is checks-node-agentic-agents-core-tools, failing in src/agents/openclaw-tools.camera.test.ts because the camera/image test expected a mocked JPEG image and received [].
  • That shard is unrelated to this PR's doctor/plugin/status/probe-auth changes. Local focused tests and VPS check:changed passed on the pushed commit.
  • I tried to rerun the failed job, but the GitHub app token returned 403 and gh run rerun --failed requires repository admin rights, so I cannot clear the optional failure from here.

Contributor Author

CI context update after the final poll:

The remaining visible failures still look unrelated to this PR's changed files:

  • checks-node-agentic-agents-core-tools fails in src/agents/openclaw-tools.camera.test.ts because the test expected a mocked JPEG image but received an empty image list.
  • build-artifacts / core-support-boundary and check-additional-boundaries-bcd fail the extension boundary guard for existing files extensions/google/google.live.test.ts and extensions/minimax/minimax.live.test.ts.

This PR changes only the doctor/status/probe-auth path for managed plugin drift. The focused local tests, VPS focused tests, VPS check:changed, and VPS live doctor behavior proof all passed on the pushed head. I also tried to rerun the failed CI, but this account does not have the required repo/admin permission to rerun those jobs.

@openclaw-barnacle openclaw-barnacle Bot removed the proof: sufficient ClawSweeper judged the real behavior proof convincing. label Jun 6, 2026
@clawsweeper clawsweeper Bot added the proof: sufficient ClawSweeper judged the real behavior proof convincing. label Jun 6, 2026
@brokemac79 brokemac79 force-pushed the fix/issue-90891-doctor-plugin-drift branch from f906a1e to 13280dd Compare June 6, 2026 13:30
@clawsweeper clawsweeper Bot added rating: 🦞 diamond lobster Very strong PR readiness with only minor maintainer review expected. and removed rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. labels Jun 6, 2026

Contributor Author

Superseding the earlier CI notes: the PR is now clean on head 13280dd326.

What changed after the failures:

  • Rebasing onto current origin/main picked up related upstream fixes.
  • Added a small follow-up commit, test: align CI baseline checks, to keep the extension live tests on the public openclaw/plugin-sdk/test-env surface and update the camera test mock for the stricter image sanitizer.

Validation after the cleanup:

  • node --import tsx scripts/check-no-extension-test-core-imports.ts passed.
  • node scripts/run-vitest.mjs src/agents/openclaw-tools.camera.test.ts passed.
  • node scripts/run-vitest.mjs test/extension-test-boundary.test.ts extensions/google/google.live.test.ts extensions/minimax/minimax.live.test.ts passed.
  • Original focused doctor/status/probe-auth Vitest suite passed again.
  • git diff --check passed.
  • codex review --base origin/main found no actionable correctness issues.

GitHub CI: all visible checks are passing or intentionally skipped; gh pr checks --required reports no required checks configured for this branch. ClawSweeper is still at proof sufficient / ready for maintainer look.

@openclaw-barnacle openclaw-barnacle Bot removed the proof: sufficient ClawSweeper judged the real behavior proof convincing. label Jun 6, 2026
@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. and removed rating: 🦞 diamond lobster Very strong PR readiness with only minor maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. labels Jun 6, 2026
@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. and removed rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. labels Jun 8, 2026
@openclaw-barnacle openclaw-barnacle Bot removed the proof: sufficient ClawSweeper judged the real behavior proof convincing. label Jun 8, 2026
@brokemac79

Contributor Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jun 8, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@brokemac79

Contributor Author

@clawsweeper re-review

Current-head VPS real behavior proof is now in the PR body for 326d4e7e1873fd898fc0b79ab035730e26fda15b.

It uses a temp state/config and a short-lived local gateway from this PR head, then runs node openclaw.mjs doctor --non-interactive and asserts the Plugin version drift note plus openclaw plugins update acpx && openclaw gateway restart repair command.

@clawsweeper

clawsweeper Bot commented Jun 8, 2026

Contributor

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

@brokemac79

Contributor Author

@clawsweeper re-review

Current-head proof gate is now passing for 326d4e7e1873fd898fc0b79ab035730e26fda15b: Real behavior proof completed successfully after the PR body was reshaped with the required proof fields. Code CI is green/neutral/skipped only, and the rank-up items have been addressed except for normal human owner/security review of the SecretRef probe policy.

Contributor Author

@clawsweeper re-review

Current-head proof gate is now passing for 326d4e7e1873fd898fc0b79ab035730e26fda15b: Real behavior proof completed successfully after the PR body was reshaped with the required proof fields. Code CI is green/neutral/skipped only. The rank-up items are addressed except for normal human owner/security review of the SecretRef probe policy.

@clawsweeper

clawsweeper Bot commented Jun 8, 2026

Contributor

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

# Conflicts:
#	src/commands/agent-via-gateway.test.ts
@clawsweeper

clawsweeper Bot commented Jun 8, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Contributor Author

@clawsweeper re-review

Merge conflicts are resolved on current head aad643fb07e635ca5b781a7feed14b77e5bdd3f6. GitHub now reports the PR mergeable and CI is green/neutral/skipped only. The PR body has been refreshed with exact-head VPS doctor drift proof plus VPS focused tests, and codex review --commit HEAD reported no actionable correctness issues on the merge-resolution commit.

@clawsweeper

clawsweeper Bot commented Jun 8, 2026

Contributor

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

Contributor Author

@clawsweeper re-review

Current-main merge conflicts are resolved on head d841d8c6232321e26b2fc4d875b4ffe1c7ca07ee; the branch now includes live origin/main (da401341b6857b2cf9df920e7a7c86135dc79d8c) and GitHub reports the PR mergeable. CI is green/neutral/skipped only: 132 pass, 30 skip/neutral. The PR body has been refreshed with exact-head VPS proof on d841d8c6232321e26b2fc4d875b4ffe1c7ca07ee:

  • src/commands/agent-via-gateway.test.ts: 55 passed on myvps.
  • Focused doctor/status/probe-auth suite on myvps: doctor health 34 passed, doctor workspace 8 passed, daemon status 30 passed/1 skipped, probe auth 44 passed.
  • Live doctor drift proof on myvps produced Plugin version drift, 1 active official plugin not on OpenClaw 2026.6.2, - acpx: 2026.5.30-beta.1 (npm) -> expected 2026.6.2, and Fix: openclaw plugins update acpx && openclaw gateway restart.
  • codex review --commit HEAD on d841d8c623 reported no actionable correctness issues in the HEAD diff.

The only remaining rank-up item should be the human owner/security acceptance for the exec SecretRef probe policy and repair advice.

@clawsweeper

clawsweeper Bot commented Jun 8, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Contributor Author

@clawsweeper re-review

The previous d841d8c623 re-review ran before I repaired the PR-body Markdown formatting, so it evaluated stale/flattened proof text. The body is now restored as multiline Markdown with the required ## Real behavior proof fields, and the Real behavior proof workflow passed on exact head d841d8c6232321e26b2fc4d875b4ffe1c7ca07ee in run https://github.com/openclaw/openclaw/actions/runs/27144991413.

Current state for this exact head:

  • GitHub mergeability: mergeable against base da401341b6857b2cf9df920e7a7c86135dc79d8c.
  • Checks: 132 pass, 30 skipped/neutral, no failures or pending.
  • VPS proof: live doctor run emitted Plugin version drift, 1 active official plugin not on OpenClaw 2026.6.2, - acpx: 2026.5.30-beta.1 (npm) -> expected 2026.6.2, and Fix: openclaw plugins update acpx && openclaw gateway restart.
  • VPS tests: agent-channel shard 55 passed; focused doctor/status/probe-auth suite 34 passed, 8 passed, 30 passed/1 skipped, 44 passed.
  • Codex review: codex review --commit HEAD reported no actionable correctness issues in the HEAD diff.

Expected remaining rank-up item: human owner/security acceptance for the exec SecretRef probe policy and repair advice.

@clawsweeper

clawsweeper Bot commented Jun 8, 2026

Contributor

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

Contributor Author

Auto-response retry note: the latest auto-response check failed on a transient GitHub API 500 while reading label dirty (GET /repos/openclaw/openclaw/labels/dirty), not on PR code or proof. No branch changes; this comment is only to trigger a fresh auto-response pass.

Contributor Author

@clawsweeper re-review

Final pass request after the PR-body state line was refreshed to clear the transient auto-response failure. Current head is unchanged: d841d8c6232321e26b2fc4d875b4ffe1c7ca07ee. The body remains multiline Markdown with the required ## Real behavior proof fields, and both latest body-triggered checks passed:

Current PR checks are clean: 132 pass, 30 skipped/neutral. GitHub reports the PR mergeable against base da401341b6857b2cf9df920e7a7c86135dc79d8c. Please refresh the durable verdict/labels for this stable body/head. Expected remaining rank-up item is still only human owner/security acceptance for the exec SecretRef probe policy and repair advice.

@clawsweeper

clawsweeper Bot commented Jun 8, 2026

Contributor

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

…r-plugin-drift

* origin/main: (96 commits)
  test: satisfy cron cancellation lint
  fix: unblock timed cron cancellation
  fix: unwind timeout-disabled cron cancellation
  fix: preserve cron timeout terminal state
  test: remove stale cron cancel harness hook
  fix: avoid cron cancel runtime cycle
  fix(cron): keep main-session cron cancel honest
  test(cron): type unresolved runner mock
  fix(cron): preserve timeout cleanup after cancel
  fix(cron): cancel active cron task runs
  fix(release): prepare ClawHub publish deps after target checkout
  test(release): dedupe gateway migration mock
  chore(release): keep main changelog release-owned
  test(release): align qa tool coverage gate
  test(release): ignore terminal docker stats samples
  test(release): stabilize qa runtime parity gate
  test(release): align kitchen sink rpc descriptors
  ci(release): retry Docker E2E image builds
  test(release): stabilize qa gateway restart readiness
  ci(release): retry Docker BuildKit bootstrap
  ...

# Conflicts:
#	src/commands/agent-via-gateway.test.ts
@vincentkoc

Member

Maintainer update: rebased this PR onto current main, resolved the src/commands/agent-via-gateway.test.ts conflict, and added the missing exec-credential guard for the require-RPC status path.

Proof on head b39d7d39908805795a8da6d68a138c24ac49b417:

  • node scripts/run-vitest.mjs src/commands/agent-via-gateway.test.ts src/cli/daemon-cli/probe.test.ts src/cli/daemon-cli/status.gather.test.ts src/flows/doctor-health-contributions.test.ts src/commands/doctor-workspace-status.test.ts src/gateway/probe-auth.test.ts passed: 4 shards, 185 tests.
  • .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main clean: no accepted/actionable findings.
  • Crabbox delegated Blacksmith Testbox tbx_01ktmwa5q0c2eb688dkbkw8v2b: OPENCLAW_CHECK_CHANGED_REMOTE_CHILD=1 OPENCLAW_CHANGED_LANES_RAW_SYNC=1 corepack pnpm check:changed passed, exit 0.
  • GitHub PR state is MERGEABLE / CLEAN; commit-level CI/CodeQL/security/workflow checks settled green. The cancelled Real behavior proof run was superseded by fresh successful run 27176100376 on this same head.


Labels

  • agents (Agent runtime and tooling)
  • cli (CLI command changes)
  • commands (Command implementations)
  • gateway (Gateway runtime)
  • merge-risk: 🚨 compatibility 🚨 (May break existing users, config, migrations, defaults, or upgrade paths.)
  • merge-risk: 🚨 security-boundary 🚨 (May affect sandboxing, authorization, credentials, or sensitive data.)
  • P2 (Normal backlog priority with limited blast radius.)
  • proof: supplied (External PR includes structured after-fix real behavior proof.)
  • rating: 🐚 platinum hermit (Good normal PR readiness with ordinary maintainer review expected.)
  • size: L
  • status: ⏳ waiting on author (ClawSweeper has contributor-facing work open and is waiting for author action.)


Development

Successfully merging this pull request may close these issues.

[Bug]: Doctor does not report official managed plugin version drift after core upgrade

2 participants