fix: block git protocol env controls [AI]

[pgondhi987]

Summary

• Blocks request-scoped Git protocol-control environment variables in the shared host environment security policy.
• Filters inherited GIT_ALLOW_PROTOCOL to Git safe default protocols and preserves inherited GIT_PROTOCOL_FROM_USER only when keeping it does not make Git more permissive, including false-like and malformed fail-closed values.
• Keeps the macOS sanitizer and generated policy in parity with the shared TypeScript policy.
• Adds focused sanitizer coverage plus live Git regressions for ext:: helper execution and restrictive allowlist non-widening.
• AI-assisted.

Out of scope: broader host environment policy reshaping, config changes, and unrelated Git transport policy changes.

Linked context

Security maintainer-requested host environment hardening. Private tracking context intentionally omitted from the PR body.

Real behavior proof (required for external PRs)

• Behavior addressed: Git protocol-control environment variables are blocked or filtered before host execution so inherited or request-scoped env cannot loosen Git transport policy.
• Real environment tested: Local source checkout on Linux with system Git, Node/Vitest wrapper, core test-type lane, and local OpenGrep changed-path scan.
• Exact steps or command run after this patch: node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.core.test.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core-test.tsbuildinfo; node scripts/run-vitest.mjs src/infra/host-env-security.test.ts src/infra/host-env-security.reported-baseline.test.ts src/infra/host-env-security.policy-parity.test.ts; node scripts/generate-host-env-security-policy-swift.mjs --check; scripts/run-opengrep.sh --changed --json; git diff --check.
• Evidence after fix: 3 Vitest files passed, 40 tests passed; generated Swift policy check passed; local changed-path OpenGrep reported 0 findings; GitHub PR checks passed on the final head.
• Observed result after fix: Regression tests prove unsafe env can execute a Git ext:: helper before sanitization, while sanitized env blocks that path; inherited allowlists are filtered without widening local file transport access; inherited fail-closed GIT_PROTOCOL_FROM_USER values are preserved.
• What was not tested: Full cross-platform package/release packaging.
• Proof limitations or environment constraints: No live channel/provider credentials were used; this is a host-exec sanitizer boundary.
• Before evidence: The prior policy did not include the two Git protocol-control variables in the blocked key set.

Tests and validation

• node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.core.test.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core-test.tsbuildinfo
• node scripts/run-vitest.mjs src/infra/host-env-security.test.ts src/infra/host-env-security.reported-baseline.test.ts src/infra/host-env-security.policy-parity.test.ts
• node scripts/generate-host-env-security-policy-swift.mjs --check
• scripts/run-opengrep.sh --changed --json
• git diff --check
• Review-pr: passed on final head with zero findings.
• Autoreview: passed on final head with no accepted/actionable findings.
• GitHub PR checks: passed on final head.

Risk checklist

Did user-visible behavior change? (Yes/No): No.

Did config, environment, or migration behavior change? (Yes/No): Yes, host execution now blocks or filters two additional Git-related environment variables.

Did security, auth, secrets, network, or tool execution behavior change? (Yes/No): Yes, host tool execution environment sanitization is stricter for Git transport policy controls.

What is the highest-risk area?

Operators who intentionally relied on passing permissive Git protocol-control variables into OpenClaw-spawned host Git commands will no longer get that behavior.

How is that risk mitigated?

The blocked variables directly alter Git transport policy. The change lands in the existing host-env security policy boundary, keeps generated macOS parity, preserves inherited fail-closed restrictions, and adds focused regression coverage.

Current review state

Next action: maintainer review/merge.

Waiting on: None known.

Bot or reviewer comments addressed: Review-pr and autoreview findings were addressed; final review-pr and autoreview are clean.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 9, 2026, 11:09 AM ET / 15:09 UTC.

Summary
Adds Git protocol-control environment blocking/filtering to shared host environment sanitization and macOS policy parity, with regression coverage for Git ext:: and file-transport behavior.

PR surface: Source +59, Tests +340, Generated +4, Other +44. Total +447 across 9 files.

Reproducibility: yes. source-reproducible: current main lacks both Git protocol-control variables in the host env policy, and the PR adds focused Git regression tests for ext::, file transport non-widening, and forced-off GIT_PROTOCOL_FROM_USER. I did not run the Git regressions locally in this read-only review.

Review metrics: 1 noteworthy metric.

• Git protocol env policy: 2 variables added to blocked/filtering policy. GIT_ALLOW_PROTOCOL and GIT_PROTOCOL_FROM_USER change host Git execution behavior and need maintainer-visible compatibility/security acceptance before merge.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🦪 silver shellfish
Patch quality: 🦞 diamond lobster
Result: blocked until real behavior proof from a real setup is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P1] Add redacted real host-exec or macOS app terminal/log output showing GIT_ALLOW_PROTOCOL and GIT_PROTOCOL_FROM_USER are stripped, narrowed, or forced after the patch.
• Get maintainer/security owner acceptance of the compatibility tradeoff for operators relying on permissive Git protocol env controls.

Proof guidance:

• [P1] Needs real behavior proof before merge: The PR body lists tests, CI, generated-policy check, and OpenGrep, but not redacted terminal/live output from an actual OpenClaw host-exec or macOS app path; add proof, redact private data, update the PR body for re-review, or ask a maintainer to comment @clawsweeper re-review.

Risk before merge

• [P1] Merging intentionally tightens inherited and request-scoped Git protocol environment behavior; operator setups relying on permissive GIT_ALLOW_PROTOCOL or GIT_PROTOCOL_FROM_USER in OpenClaw-spawned host Git commands may fail closed after upgrade.
• [P1] The external real behavior proof is still tests, CI, and static-analysis text rather than redacted terminal/live output from an actual OpenClaw host-exec or macOS app path after the patch.
• [P1] The PR has the protected maintainer label and private security-maintainer context, so the compatibility and security-boundary tradeoff needs explicit maintainer handling before merge.

Maintainer options:

1. Require proof and owner acceptance (recommended)
   Before merge, get maintainer/security-owner acceptance of the stricter Git protocol policy and add redacted real host-exec or macOS output showing the sanitizer behavior after the patch.
2. Accept the stricter policy deliberately
   Maintainers can intentionally accept the operator compatibility break because the variables directly alter Git transport security policy.
3. Pause for a narrower policy
   If maintainers do not want to break permissive inherited Git protocol controls, pause this PR and design an explicit opt-in or narrower owner-approved policy instead.

Next step before merge

• [P1] Human maintainer handling is required for the protected label, security-boundary policy acceptance, compatibility tradeoff, and external real behavior proof gate.

Security
Cleared: No concrete supply-chain or new security regression was found; the diff tightens an existing host-exec sanitizer boundary while leaving a maintainer policy decision before merge.

Review details

Best possible solution:

Land the focused sanitizer hardening after maintainer/security owner acceptance and redacted real host-exec or macOS proof confirms the Git env variables are stripped, narrowed, or forced in an actual OpenClaw path.

Do we have a high-confidence way to reproduce the issue?

Yes, source-reproducible: current main lacks both Git protocol-control variables in the host env policy, and the PR adds focused Git regression tests for ext::, file transport non-widening, and forced-off GIT_PROTOCOL_FROM_USER. I did not run the Git regressions locally in this read-only review.

Is this the best way to solve the issue?

Yes, this appears to be the right boundary: the shared host env policy plus macOS parity is narrower and more maintainable than caller-specific Git handling. The remaining blockers are maintainer/security acceptance and real behavior proof, not a definite code defect.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 7cdec2870604.

Label changes

Label justifications:

• P1: This is urgent host-execution security hardening with a compatibility-sensitive fail-closed behavior change.
• merge-risk: 🚨 compatibility: Existing operator workflows that intentionally pass permissive Git protocol controls into OpenClaw-spawned Git commands may stop working after merge.
• merge-risk: 🚨 security-boundary: The diff changes the host execution sanitizer boundary for Git transport policy controls, which requires explicit security-policy acceptance.
• rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🦪 silver shellfish and patch quality is 🦞 diamond lobster.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body lists tests, CI, generated-policy check, and OpenGrep, but not redacted terminal/live output from an actual OpenClaw host-exec or macOS app path; add proof, redact private data, update the PR body for re-review, or ask a maintainer to comment @clawsweeper re-review.

Evidence reviewed

PR surface:

Source +59, Tests +340, Generated +4, Other +44. Total +447 across 9 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	4	70	11	+59
Tests	3	549	209	+340
Docs	0	0	0	0
Config	0	0	0	0
Generated	1	4	0	+4
Other	1	44	0	+44
Total	9	667	220	+447

What I checked:

• Repository policy read: Root AGENTS.md was read fully; its PR review guidance treats env/default/security-boundary changes as compatibility-sensitive and requires scoped code, tests, current behavior, and dependency-contract review. (AGENTS.md:1, 7cdec2870604)
• Scoped agents policy read: The touched agent runtime path has a scoped AGENTS.md focused on keeping runtime imports and agent test coverage bounded; this review applied it when checking the bash exec runtime test addition. (src/agents/AGENTS.md:1, 7cdec2870604)
• Current main lacks the new Git env policy: Current main has no GIT_ALLOW_PROTOCOL or GIT_PROTOCOL_FROM_USER entries in the host env policy, sanitizer, macOS sanitizer, or adjacent tests, so the PR is not already implemented on main. (src/infra/host-env-security-policy.json:1, 7cdec2870604)
• Shared sanitizer change: The PR adds sanitizeHostInheritedEnvEntry, filters inherited GIT_ALLOW_PROTOCOL to Git safe default protocols, and forces permissive GIT_PROTOCOL_FROM_USER values to 0; sanitizeHostExecEnvWithDiagnostics now routes inherited entries through that helper. (src/infra/host-env-security.ts:177, c422f19b48c8)
• Host exec caller parity: The bash host-exec helper now uses the shared inherited-env sanitizer instead of duplicating dangerous inherited key checks, keeping agent host execution aligned with the infra sanitizer. (src/agents/bash-tools.exec-runtime.ts:96, c422f19b48c8)
• Policy and macOS parity: The PR adds both Git protocol-control variables to the shared policy JSON, generated Swift policy, and macOS sanitizer logic, preserving cross-surface parity for the host environment boundary. (apps/macos/Sources/OpenClaw/HostEnvSanitizer.swift:27, c422f19b48c8)

Likely related people:

• steipete: Peter Steinberger centralized the host env policy and authored several early security hardening commits in this path; shortlog shows the largest share of history across the central files. (role: feature owner / original area contributor; confidence: high; commits: f202e73077a2, 2cdbadee1f8f, e80c803fa887; files: src/infra/host-env-security.ts, src/infra/host-env-security-policy.json, apps/macos/Sources/OpenClaw/HostEnvSanitizer.swift)
• vincentkoc: Vincent Koc is the current-main blame owner for the host env sanitizer file in this checkout and previously landed Git helper/env hardening in the same security surface. (role: recent area contributor; confidence: high; commits: b3c946999d71, 1dcef7b64452, 276ee259ca2d; files: src/infra/host-env-security.ts, src/infra/host-env-security.test.ts)
• pgondhi987: pgondhi987/Pavan Kumar Gondhi has recent merged host-env and Git env hardening commits in current main and authored earlier inherited Git env denylist work in this path. (role: recent adjacent contributor; confidence: medium; commits: bc3b05dce4b2, 9f413acc183d, 7cdec2870604; files: src/infra/host-env-security-policy.json, src/infra/host-env-security.test.ts, src/infra/host-env-security.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[pgondhi987]

Final verification for head a1beddf76b79811c810d75b31af02110bcc3d4fa:

• Security dry-run gate: passed (ACCEPT / SOLVES / BC PASS, zero actionable bot comments).
• Security real gate: passed.
• Review-pr: passed, READY FOR /prepare-pr, zero findings, artifacts validated.
• Autoreview: passed, no accepted/actionable findings.
• Local validation: passed:
  • node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.core.test.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core-test.tsbuildinfo
  • node scripts/run-vitest.mjs src/infra/host-env-security.test.ts src/infra/host-env-security.reported-baseline.test.ts src/infra/host-env-security.policy-parity.test.ts
  • node scripts/generate-host-env-security-policy-swift.mjs --check
  • scripts/run-opengrep.sh --changed --json
  • git diff --check
• GitHub PR checks: passed on the final head; latest statusCheckRollup had no relevant non-success checks.
• Conflict check: GitHub reports mergeable with no file conflicts.

Behavior change: request-scoped Git protocol-control env vars are blocked before host execution, inherited GIT_ALLOW_PROTOCOL is filtered to Git safe defaults, and inherited GIT_PROTOCOL_FROM_USER preserves fail-closed restrictions instead of widening Git's default behavior. Regression risk is low and targeted to the existing host-env sanitizer boundary; no API, CLI, config, migration, or wire contract changed.

[pgondhi987]

Final verification for PR #91619

Behavior addressed: request-scoped Git protocol-control environment variables are now blocked before host exec env overrides are merged. Inherited GIT_ALLOW_PROTOCOL is filtered down to Git safe default protocols, inherited permissive GIT_PROTOCOL_FROM_USER values are forced to 0, and the shared inherited-env sanitizer is used by both sanitizeHostExecEnv and the bash exec runtime. The macOS sanitizer and generated policy are aligned with the TypeScript policy.

Head verified: c422f19b48c8a4dd65edaaa2e3bd0028ec475269.

Gate results:

• GHSA dry-run: passed (ACCEPT / SOLVES / BC PASS, zero actionable bot comments).
• GHSA real gate: passed (ACCEPT / SOLVES / BC PASS, zero actionable bot comments).
• review-pr: passed, READY FOR /prepare-pr, zero findings, artifacts validated.
• autoreview: passed clean with no accepted/actionable findings.
• PR CI: relevant checks passed on the verified head; one cancelled auto-response run was ignored as routine workflow noise.

Local validation run:

• node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.core.test.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core-test.tsbuildinfo
• node scripts/run-vitest.mjs src/infra/host-env-security.test.ts src/infra/host-env-security.reported-baseline.test.ts src/infra/host-env-security.policy-parity.test.ts src/agents/bash-tools.exec-runtime.test.ts
• node scripts/generate-host-env-security-policy-swift.mjs --check
• scripts/run-opengrep.sh --changed --json
• git diff --check

Real environment tested: local source checkout with Git 2.34.1 behavior probes plus GitHub Actions PR CI. The direct Git probe confirmed GIT_PROTOCOL_FROM_USER=1 git clone ... succeeds, GIT_PROTOCOL_FROM_USER=0 git clone ... fails, and unset behavior is permissive, which is why the sanitizer now forces inherited permissive values to 0 instead of dropping them.

Best-fix judgment: this is the right boundary for the issue. The patch updates the shared host env security policy and shared inherited-env sanitizer instead of adding one-off caller logic, and it covers the sibling bash exec base-env path plus the macOS host sanitizer.

Regression risk: targeted host env security hardening. This intentionally changes Git protocol env handling for host exec, but it does not change public CLI/API contracts, config schema/defaults, wire formats, auth policy, approval flow, sandbox policy, storage, provider routing, plugin contracts, or channel behavior. This aligns with SECURITY.md by treating the affected surface as a trusted-operator host exec boundary and closing the demonstrated protocol-control bypass.

What was not tested: no live external remote/provider scenario and no Crabbox/Testbox run. Focused local tests, direct Git behavior proof, GHSA gates, review-pr, autoreview, and GitHub Actions CI were used for this PR.