fix: expand unsafe host env denylist

[pgondhi987]

Summary

• Expands the shared host environment safety policy to reject additional interpreter startup and search-path variables before they reach host command execution.
• Regenerates the macOS host environment policy from the shared JSON source so app and Node-host sanitizers stay aligned.
• Updates focused regression coverage and user-facing docs that enumerate the blocked environment override classes.
• Intentionally does not change the sanitizer control flow; this keeps the existing policy-driven behavior and only expands the denylist data.

AI-assisted: yes.

Linked context

No public issue linked in this PR body.

Real behavior proof (required for external PRs)

• Behavior addressed: Host environment overrides for additional interpreter startup/search-path variables are rejected by the existing node-host system.run handler before process execution.
• Real environment tested: Local OpenClaw checkout on Linux using the actual handleSystemRunInvoke runtime path and a real child process spawn for the safe case.
• Exact steps or command run after this patch: pnpm exec tsx /tmp/openclaw-system-run-proof-91618.ts
• Evidence after fix: The blocked request reported SYSTEM_RUN_DENIED: environment override rejected (blocked override keys: BASHOPTS, FPATH, KSH_ENV, TCLLIBPATH) with executed: false; the safe request reported executed: true, ok: true, stdout: "ok\nBASHOPTS_UNSET\n", and exitCode: 0.
• Observed result after fix: The four risky env overrides are rejected before system.run executes, while an ordinary OPENCLAW_PROOF_SAFE=ok env override still reaches the spawned process.
• What was not tested: Full gateway-to-paired-node WebSocket round trip and full repository CI were not run locally.
• Proof limitations or environment constraints: The proof uses the real node-host handler and real process execution in a local checkout, but not a separately paired node service.
• Before evidence: Existing tests did not cover these variables in the shared policy baseline.

Tests and validation

• node scripts/run-vitest.mjs src/infra/host-env-security.test.ts src/infra/host-env-security.policy-parity.test.ts src/infra/host-env-security.reported-baseline.test.ts
• node scripts/generate-host-env-security-policy-swift.mjs --check
• git diff --check
• scripts/pr review-tests 91618 src/infra/host-env-security.test.ts src/infra/host-env-security.policy-parity.test.ts src/infra/host-env-security.reported-baseline.test.ts
• timeout 1800 .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
• pnpm exec tsx /tmp/openclaw-system-run-proof-91618.ts

Regression coverage was added for dangerous-key classification, inherited sanitization, override sanitization, diagnostics, reported baseline coverage, and generated macOS policy parity.

Risk checklist

Did user-visible behavior change? Yes

Did config, environment, or migration behavior change? Yes

Did security, auth, secrets, network, or tool execution behavior change? Yes

Highest-risk area: Host command execution environment filtering.

Risk mitigation: The change reuses the existing denylist policy mechanism, keeps ordinary credential/proxy/server-specific variables unaffected, adds focused tests for the expanded policy surface, and includes runtime proof that safe env overrides still pass.

Current review state

Next action: Wait for automated CI, ClawSweeper re-review, and maintainer review.

Still waiting on: GitHub CI and any maintainer-requested broader validation.

Bot or reviewer comments addressed: ClawSweeper proof request addressed by adding runtime system.run handler proof to this PR body.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 9, 2026, 2:06 AM ET / 06:06 UTC.

Summary
The branch adds BASHOPTS, FPATH, KSH_ENV, and TCLLIBPATH to the shared host environment denylist, regenerates the macOS policy mirror, and updates focused tests and docs.

PR surface: Source +8, Tests +35, Docs 0, Generated +8. Total +51 across 8 files.

Reproducibility: yes. Current main lacks the four keys in the shared policy, and both node-host and macOS system.run paths reject keys classified by that policy before execution.

Review metrics: 1 noteworthy metric.

• Denied Env Keys: 4 added. The patch expands the shared host execution denylist, which is the compatibility-sensitive part maintainers need to accept before merge.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Refresh CI and merge state on the current head before landing.
• Have a maintainer or secops reviewer explicitly accept the env compatibility change.

Risk before merge

• [P1] Merging intentionally rejects or strips BASHOPTS, FPATH, KSH_ENV, and TCLLIBPATH across shared host env consumers; existing setups that depend on those request-scoped variables will need host or service-level configuration instead.
• [P1] The branch base is behind current main; touched files did not move on main, but maintainers should still refresh CI and merge state before landing.

Maintainer options:

1. Accept The Hardened Denylist (recommended)
   Land after maintainer or secops review explicitly accepts that these four request-scoped env overrides are no longer supported and fresh checks are green.
2. Request A Compatibility Path
   If maintainers know legitimate request-scoped uses for these variables, ask for a documented safe path or narrower policy before merge.

Next step before merge

• [P2] The remaining action is maintainer acceptance of a compatibility-sensitive security-boundary change, not an automated code repair.

Security
Cleared: The diff narrows the host process environment attack surface through the existing policy mechanism and adds no new dependencies, workflows, secret handling, or code execution paths.

Review details

Best possible solution:

Land the shared policy-data expansion only after maintainers accept the compatibility-sensitive hardening and current CI/merge checks pass.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main lacks the four keys in the shared policy, and both node-host and macOS system.run paths reject keys classified by that policy before execution.

Is this the best way to solve the issue?

Yes, as a patch shape. Updating the shared JSON policy plus the generated Swift mirror keeps the existing owner boundary and avoids new sanitizer control flow, but the compatibility decision still needs maintainer acceptance.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 4c98a547d09a.

Label changes

Label justifications:

• P2: This is a normal-priority security hardening PR with focused blast radius and no current evidence of a live broken workflow.
• merge-risk: 🚨 compatibility: Existing users who pass BASHOPTS, FPATH, KSH_ENV, or TCLLIBPATH through system.run or related host env surfaces will now see those values rejected or stripped.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body includes after-fix terminal proof using the real node-host system.run handler path and a real spawned process for the safe case.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix terminal proof using the real node-host system.run handler path and a real spawned process for the safe case.

Evidence reviewed

PR surface:

Source +8, Tests +35, Docs 0, Generated +8. Total +51 across 8 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	2	9	1	+8
Tests	2	232	197	+35
Docs	3	3	3	0
Config	0	0	0	0
Generated	1	8	0	+8
Other	0	0	0	0
Total	8	252	201	+51

Acceptance criteria:

• [P1] node scripts/run-vitest.mjs src/infra/host-env-security.test.ts src/infra/host-env-security.policy-parity.test.ts src/infra/host-env-security.reported-baseline.test.ts.
• [P1] node scripts/generate-host-env-security-policy-swift.mjs --check.
• [P1] git diff --check.

What I checked:

• Repository policy read: The root AGENTS.md and scoped docs/AGENTS.md were read; their security-boundary, docs, and compatibility-sensitive review guidance applies to this PR. (AGENTS.md:1, 4c98a547d09a)
• Current main policy path: Current main derives dangerous inherited and override key sets from the shared host-env policy and rejects matching override keys before accepting them. (src/infra/host-env-security.ts:190, 4c98a547d09a)
• Current main still lacks requested keys: Current main has no BASHOPTS, FPATH, KSH_ENV, or TCLLIBPATH entries under the host-env policy, macOS generated policy, or touched docs, so the PR is not already implemented on main. (src/infra/host-env-security-policy.json:2, 4c98a547d09a)
• PR policy change: The PR adds BASHOPTS, KSH_ENV, FPATH, and TCLLIBPATH to blockedEverywhereKeys, which flows into both inherited filtering and request override rejection through the shared loader. (src/infra/host-env-security-policy.json:15, aa22f7a307a5)
• Node-host entry point: The node-host system.run path calls inspectHostExecEnvOverrides and returns SYSTEM_RUN_DENIED before execution when rejected override keys are present. (src/node-host/invoke-system-run.ts:421, 4c98a547d09a)
• macOS sibling parity: The generated macOS policy mirror contains the same new keys in blocked inherited and blocked override sets used by HostEnvSanitizer. (apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift:31, aa22f7a307a5)

Likely related people:

• steipete: Peter Steinberger authored the original startup-file env injection block and later generated host env policy refactor that define this surface. (role: introduced behavior and feature-history owner; confidence: high; commits: 2cdbadee1f8f, 4894d907faa7; files: src/infra/host-env-security.ts, apps/macos/Sources/OpenClaw/HostEnvSanitizer.swift, apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift)
• joshavant: Josh Avant authored the later host env override hardening across gateway and node, including the node-host and macOS sanitizer paths this PR extends. (role: recent hardening contributor; confidence: high; commits: 7abfff756d6c; files: src/infra/host-env-security.ts, src/node-host/invoke-system-run.ts, apps/macos/Sources/OpenClaw/HostEnvSanitizer.swift)
• Agustin Rivera: Agustin Rivera authored the inherited host exec env filtering alignment that is directly affected by adding keys to blockedEverywhereKeys. (role: adjacent behavior contributor; confidence: medium; commits: fa82193c7273; files: src/infra/host-env-security-policy.json, src/infra/host-env-security.ts)
• vincentkoc: Vincent Koc most recently touched the host-env policy and sanitizer files through release/baseline work visible in current blame and log history. (role: recent area contributor; confidence: medium; commits: 2e08f0f4221f, ebb9c6a013b5; files: src/infra/host-env-security-policy.json, src/infra/host-env-security.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[pgondhi987]

Updated the PR body with real behavior proof for the node-host system.run handler path.

Proof added: pnpm exec tsx /tmp/openclaw-system-run-proof-91618.ts shows the blocked request is denied before execution for BASHOPTS, FPATH, KSH_ENV, and TCLLIBPATH, while a safe OPENCLAW_PROOF_SAFE=ok override reaches a spawned process.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Superseded
• Detail: A newer re-review for this item started before this run finished, so GitHub cancelled this older run. Check the latest ClawSweeper run for the current result.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27186015055
• Updated: 2026-06-09T05:36:21.853Z

[pgondhi987]

Verification complete for final head aa22f7a307a54f5b053d1d9f2b33e5c44e657ccd.

Behavior fixed: request-scoped host exec env filtering now blocks BASHOPTS, FPATH, KSH_ENV, and TCLLIBPATH through the shared host-env policy, with regenerated macOS policy parity, docs updates, reported-baseline coverage, and sanitizer regression coverage. NODE_REPL_EXTERNAL_MODULE was already blocked on main.

Local / review proof:

• node scripts/run-vitest.mjs src/infra/host-env-security.test.ts src/infra/host-env-security.policy-parity.test.ts src/infra/host-env-security.reported-baseline.test.ts -> passed, 34 tests.
• node scripts/generate-host-env-security-policy-swift.mjs --check -> passed.
• git diff --check -> passed.
• OPENCLAW_OPENGREP_BASE_REF=origin/main...HEAD OPENCLAW_OPENGREP_MERGE_HEAD_FIRST_PARENT=1 scripts/run-opengrep.sh --changed --error with OpenGrep 1.22.0 -> passed, 0 findings.
• Runtime proof via pnpm exec tsx /tmp/openclaw-system-run-proof-91618.ts -> blocked BASHOPTS, FPATH, KSH_ENV, and TCLLIBPATH overrides before execution; safe env command still executed.
• scripts/pr review-tests 91618 src/infra/host-env-security.test.ts src/infra/host-env-security.policy-parity.test.ts src/infra/host-env-security.reported-baseline.test.ts -> passed in review-pr mode.

Gates:

• GHSA dry-run after the final source change: PASS (ACCEPT / SOLVES / PASS).
• review-pr: passed on aa22f7a307a5, READY FOR /prepare-pr, findings 0, artifacts validated.
• autoreview: passed on aa22f7a307a5, clean with no accepted/actionable findings.
• GHSA real gate: PASS (ACCEPT / SOLVES / PASS), tracking issue evaluation posted: https://github.com/NVIDIA-dev/openclaw-tracking/issues/735#issuecomment-4656654438.
• GitHub CI: clean on aa22f7a307a5, no pending checks, no related failures, mergeable MERGEABLE / CLEAN. One failed-job rerun was needed after runner/harness-inconsistent CI failures; the rerun cleared them. Superseded cancelled routine auto-response / Real behavior proof runs were ignored.

Known proof gap: I did not run the full repository suite locally; GitHub CI and the focused local/review/security checks above are green for the touched surface.