Codex/kova scenarios and fixes

[JuanHuaXu]

Fresh Evidence

Latest Kova head: ff5cd8e (codex/kova-scenarios-and-fixes, post-conflict merge from upstream main).

Post-Conflict Current-Head Proof

Reviewer proof refreshed on the conflict-resolved head ff5cd8e. Commands were run from this PR branch with disposable Kova homes under checkouts/kova-pr2-proof-ff5cd8e-*; report paths below are repo-relative and do not include private local paths.

Validation:

• node bin/kova.mjs self-check -> 175/175 passed, generated 2026-05-23 14:40 UTC.
• node tests/render-snapshots.mjs -> 18 pass, 0 fail, 0 written.
• Conflict marker scan: rg -n "<<<<<<<|=======|>>>>>>>" . -g '!checkouts/**' -g '!node_modules/**' -g '!reports/**' -> no matches.
• Cleanup before and after targeted runs: ocm env list -> No environments.

Targeted real-run proof:

Scenario	Run id	Status	Evidence
cron-runtime / cron-user	kova-260523-143907-1b7264	PASS	cronRuntimeEvidence.available: true; status/register/run/runs timings captured; cronRunCompleted: true; cronTriggerAttributed: true; no violations.
mcp-tool-call / mcp-tool-user	kova-260523-143932-564cac	PASS	mcpToolCallEvidence.available: true; safeToolName: conversations_list; safeToolSucceeded: true; invalidToolErrorAttributed: true; processExited: true; no violations.
exec-tool-safety / exec-tool-user	kova-260523-143954-2830a8	FAIL	Kova evidence was present and scoped: safeCommandSucceeded: true, dangerousCommandBlocked: true, dangerousPayloadExecuted: false, outputTruncated: true, timeoutMs: 3182, processLeaks: 0. Remaining failure is an OpenClaw resource signal: tool-runtime peak RSS 739.8 MB exceeded threshold 500 MB.

Artifacts on runner:

• checkouts/kova-pr2-proof-ff5cd8e-cron/reports/kova-260523-143907-1b7264.json
• checkouts/kova-pr2-proof-ff5cd8e-mcp/reports/kova-260523-143932-564cac.json
• checkouts/kova-pr2-proof-ff5cd8e-exec2/reports/kova-260523-143954-2830a8.json

The targeted proof shows the post-conflict harness still emits required cron/MCP/exec evidence, fails closed when the product exceeds the configured RSS threshold, and cleans up disposable environments.

Current-Head Exec Tool Evidence Proof

Reviewer P2 fix proof was run at Kova head 1546804 (Drive exec containment checks through OpenClaw). This fixes the false-evidence lane by using the OpenClaw exec tool schema's required command argument and by driving safe, blocked, oversized-output, and timeout cases through openclaw agent plus mock-provider tool-result evidence.

Commands:

KOVA_HOME=checkouts/p2-exec-real-proof2-kova-home \
  node bin/kova.mjs run \
    --target runtime:stable \
    --scenario exec-tool-safety \
    --state exec-tool-user \
    --execute \
    --report-dir checkouts/p2-exec-real-proof2/reports \
    --json

KOVA_HOME=checkouts/p2-exec-real-proof2-kova-home \
  node bin/kova.mjs run \
    --target runtime:stable \
    --scenario tool-failure-containment \
    --state exec-tool-user \
    --execute \
    --report-dir checkouts/p2-exec-real-proof2/reports \
    --json

Results:

• exec-tool-safety: kova-260522-170514-192a6a, proof complete 10/10; exec evidence available; safeCommandSucceeded: true; dangerousCommandBlocked: true; dangerousPayloadExecuted: false; outputTruncated: true; timeoutMs: 3499; processLeaks: 0.
• tool-failure-containment: kova-260522-170551-6419fb, proof complete 10/10; exec evidence available; dangerousCommandBlocked: true; dangerousPayloadExecuted: false; outputTruncated: true; timeoutMs: 3291; processLeaks: 0.

Both runs still report FAIL, but only for the existing OpenClaw resource threshold: tool-runtime RSS around 750 MB over the 500 MB threshold. The previous Kova evidence failures are gone.

Validation for the patch:

• node bin/kova.mjs self-check --json -> ok: true (173 checks)
• node tests/render-snapshots.mjs -> 18 pass
• git diff --check -> pass
• Cleanup: ocm env list -> no environments

Artifacts on runner:

• checkouts/p2-exec-real-proof2/reports/kova-260522-170514-192a6a.json
• checkouts/p2-exec-real-proof2/reports/kova-260522-170551-6419fb.json

Current-Head Tool-Failure Proof

Reviewer P2 fix proof was run at Kova head 2439672 (Fix failure-only exec mock provider flow).

Command:

KOVA_HOME=checkouts/p2-tool-failure-proof-kova-home \
  node bin/kova.mjs run \
    --target runtime:stable \
    --scenario tool-failure-containment \
    --state exec-tool-user \
    --execute \
    --report-dir checkouts/p2-tool-failure-proof/reports \
    --json

Result: kova-260522-164448-f2fbb2 completed with proof completeness 10/10 required obligations, cleanup destroyed the disposable env, and the fixed failure-only provider path was exercised:

• Mock script: kova-exec-tool-failure-only
• First provider step: kova-exec-tool-failure-only-dangerous-tool-call
• Matched provider step: kova-exec-tool-failure-only-dangerous-tool-call
• Provider emitted one exec tool call
• dangerousCommandBlocked: true
• dangerousPayloadExecuted: false
• dangerousSentinelStillPresent: true
• outputTruncated: true, timeoutObserved: true, processLeaks: 0

The scenario verdict is still FAIL, but for an OpenClaw resource threshold, not the Kova wiring bug: tool-runtime peak RSS 741.9 MB exceeded threshold 500 MB. This is expected to remain a product/resource signal for maintainers.

Artifacts on runner:

• Markdown: checkouts/p2-tool-failure-proof/reports/kova-260522-164448-f2fbb2.md
• JSON: checkouts/p2-tool-failure-proof/reports/kova-260522-164448-f2fbb2.json
• Tool artifact: checkouts/p2-tool-failure-proof-kova-home/artifacts/kova-260522-164448-f2fbb2/kova-tool-failure-containmen-81131346-kova-260522-164448-f2fbb2/tool-failure-containment.json

Requested OpenClaw target: v2026.5.21-beta.1. The Git tag exists and resolves to 89a17def chore(release): prepare 2026.5.21-beta.1, but openclaw@2026.5.21-beta.1 is not currently published in npm/OCM release discovery. A direct npm:2026.5.21-beta.1 exhaustive run therefore blocked at provisioning with OpenClaw release version "2026.5.21-beta.1" was not found.

Fresh release-shaped tag evidence was run from a disposable openclaw/openclaw.git checkout at that tag using local-build:checkouts/openclaw-v2026.5.21-beta.1. After pnpm install --frozen-lockfile, direct pnpm pack succeeded and produced openclaw-2026.5.21-beta.1.tgz.

Matrix command:

KOVA_HOME=checkouts/kova-pr2-evidence-v2026-5-21-beta-1-local-build-rerun \
  node bin/kova.mjs matrix run \
    --profile exhaustive \
    --target local-build:checkouts/openclaw-v2026.5.21-beta.1 \
    --source-env kova-pr2-source-v2026-5-21-beta-1 \
    --execute \
    --allow-exhaustive \
    --json \
    --report-dir checkouts/kova-pr2-evidence-v2026-5-21-beta-1-local-build-rerun/reports

Result: kova-260522-145534-037d84 -> 77 total · 32 PASS · 45 FAIL · 0 BLOCKED.

Evidence artifacts on runner:

• Markdown: checkouts/kova-pr2-evidence-v2026-5-21-beta-1-local-build-rerun/reports/kova-260522-145534-037d84-exhaustive.md
• JSON: checkouts/kova-pr2-evidence-v2026-5-21-beta-1-local-build-rerun/reports/kova-260522-145534-037d84-exhaustive.json
• Bundle: checkouts/kova-pr2-evidence-v2026-5-21-beta-1-local-build-rerun/reports/kova-260522-145534-037d84-bundle.tar.gz
• Bundle SHA256: 743ee926c809921c0b6aea0170c1731e8576749ab88ee8126cafebfb210c73ae

Notable PASS coverage: release-runtime-startup, channel-discord-capability-conformance, upgrade-existing-user both source states, bundled-runtime-deps both states, plugin-lifecycle all states, official/bad/missing/unsafe plugin lanes, provider-models, agent-cold-warm-message, dashboard-readiness, tui-responsiveness, mcp-runtime-start-stop, agent-network-offline, failure-injection, and cross-platform-smoke.

Top remaining failures are product/resource signals in OpenClaw/tag behavior rather than Kova unsupported-mode blockers: gateway RSS around the 700 MB threshold across agent/provider/HTTP/TUI surfaces, rolling-upgrade package/runtime RSS/CPU, dirty-plugin doctor-cli RSS, tool-runtime RSS for exec/tool containment, soak/workspace latency, and a few functional/liveness failures (channel generated-image handoff, Telegram timeout signals, cron/browser/media gateway restarting, MCP tool-call missing runtime role evidence).

Cleanup after the run: disposable source env destroyed; old beta runtime records reintroduced by upgrade lanes removed; ocm runtime list shows only stable.

PR Change List

Branch: codex/kova-scenarios-and-fixes
Base compared: origin/main
RCA doc is removed from the feature set. .learnings/ is still untracked and not part of PR.

Matrix/Profile Wiring

• Added profiles/rolling-upgrade.json
• Updated profiles/exhaustive.json
  • includes rolling upgrade day/week/month scenarios
  • includes fixed old-release upgrade scenarios
  • includes unsafe-memory plugin scenario
  • total exhaustive entries now 77
• Updated profiles/release.json
  • includes unsafe-memory plugin scenario
  • release entries now 51
• Added profiles/adversarial.json

New Upgrade Coverage

• Added scenarios/upgrade-from-day-ago.json
• Added scenarios/upgrade-from-week-ago.json
• Added scenarios/upgrade-from-month-ago.json
• Added support/resolve-openclaw-release-age.mjs
• Added support/run-openclaw-release-age-upgrade.mjs
• Updated docs/AGENT_USAGE.md with rolling upgrade usage
• Added self-check coverage for rolling upgrade resolver/profile planning

Unsafe Legacy Plugin Memory Test

• Added scenarios/plugin-legacy-unsafe-memory.json
• Added surfaces/plugin-legacy-unsafe-memory.json
• Added fixture plugin:
  • support/plugins/kova-legacy-unsafe-memory/index.js
  • support/plugins/kova-legacy-unsafe-memory/openclaw.plugin.json
  • support/plugins/kova-legacy-unsafe-memory/package.json
• Added support/assert-command-output.mjs
• Updated src/evaluator.mjs to count failed during register as plugin load failure evidence

Dirty Plugin Testing

• Added docs/DIRTY_PLUGIN_TESTING_PLAN.md
• Added scenarios/dirty-plugin-state.json
• Added dirty plugin states:
  • states/dirty-plugin-local-edits.json
  • states/dirty-plugin-stale-deps.json
  • states/dirty-plugin-manifest-drift.json
  • states/dirty-plugin-disabled-broken.json
  • states/dirty-plugin-symlink-dev.json
  • states/dirty-plugin-partial-install.json
  • states/update-recovery-plugin-user.json
• Added support/dirty-plugin-state.mjs
• Added surfaces/dirty-plugin-state.json

Release Update Recovery

• Added docs/RELEASE_UPDATE_RECOVERY_PLAN.md
• Added scenarios/release-update-recovery.json
• Added surfaces/release-update-recovery.json
• Added support/restore-first-ocm-upgrade-snapshot.mjs

Tool Runtime Matrix

• Added docs/TOOL_RUNTIME_MATRIX_PLAN.md
• Added scenarios:
  • scenarios/cron-runtime.json
  • scenarios/exec-tool-safety.json
  • scenarios/mcp-tool-call.json
  • scenarios/tool-failure-containment.json
• Added states:
  • states/cron-user.json
  • states/exec-tool-user.json
  • states/mcp-tool-user.json
• Added surfaces:
  • surfaces/cron-runtime.json
  • surfaces/exec-tool-safety.json
  • surfaces/mcp-tool-call.json
  • surfaces/tool-failure-containment.json
• Added process roles:
  • process-roles/cron-runtime.json
  • process-roles/tool-runtime.json
• Added helpers:
  • support/run-cron-runtime-smoke.mjs
  • support/run-exec-tool-safety.mjs
  • support/mcp-tool-call-smoke.mjs

Provider/Network Failure Coverage

• Added docs/NETWORK_ISOLATION_PLAN.md
• Added src/network-frontage.mjs
• Added support/network-frontage-proxy.mjs
• Added provider scenarios:
  • scenarios/agent-provider-protocol-failure.json
  • scenarios/agent-provider-random-disconnect.json
• Updated support/mock-openai-server.mjs
• Updated support/configure-openclaw-mock-auth.mjs
• Updated src/commands/run.mjs, src/commands/matrix-run.mjs, src/run/context.mjs, src/run/phase-plan.mjs

Adversarial Input Coverage

• Added scenarios/adversarial-input-openai-compatible.json
• Added surfaces/adversarial-input.json
• Added support/run-adversarial-inputs.mjs
• Added profiles/adversarial.json

Plugin Fixture/Manifest Fixes

• Added support/plugins/kova-basic/openclaw.plugin.json
• Added support/plugins/kova-missing-runtime-dep/openclaw.plugin.json
• Updated scenarios/plugin-missing-runtime-deps.json

Resource Attribution / Evaluation / Reporting Fixes

• Updated src/collectors/resources.mjs
• Updated src/evaluation/violations.mjs
• Updated src/evidence/agent-turns.mjs
• Updated src/evidence/shared.mjs
• Updated src/measurement-contract.mjs
• Updated src/reporting/report.mjs
• Updated src/reporting/scenario-aggregate.mjs
• Updated src/run/command-executor.mjs
• Updated src/run/report-finalization.mjs
• Updated src/runner.mjs
• Updated src/safety.mjs
• Updated src/selfcheck.mjs

Large Session Fixture

• Added support/prepare-large-memory-session-state.mjs
• Updated related surface thresholds/metadata:
  • surfaces/fresh-install.json
  • surfaces/soak.json
  • surfaces/gateway-performance.json
  • surfaces/workspace-scan.json

OpenAI-Compatible / Runtime Role Tweaks

• Updated scenarios/openai-compatible-turn.json
• Updated support/run-openai-compatible-turn.mjs
• Updated process-roles/openai-compatible-client.json
• Updated role primary-resource metadata across several surfaces

Docs / User-Facing Metadata

• Updated README.md
• Updated docs/WHAT_IS_KOVA.md
• Updated docs/AGENT_USAGE.md
• Updated metrics/known.json

Git Hygiene

• Updated .gitignore
  • ignores .env, .env.*, local JSON/env files, and checkout contents
  • keeps .env.example and checkouts/.gitkeep
• Added checkouts/.gitkeep

Tests / Snapshots

• Added checked-in report fixtures:
  • tests/fixtures/reports/pass.json
  • tests/fixtures/reports/fail.json
• Updated tests/render-snapshots.mjs
• Refreshed all affected snapshots under tests/snapshots/

Validation Already Run

• node bin/kova.mjs self-check --json
• npm run test:snapshots
• git diff --check
• Real disposable run for plugin-legacy-unsafe-memory passed against runtime:stable

[clawsweeper]

Codex review: needs maintainer review before merge.

Latest ClawSweeper review: 2026-05-24 06:10 UTC / May 24, 2026, 2:10 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
This PR adds Kova profile and scenario families, support helpers, evaluator/reporting gates, network frontage controls, fixtures, docs, and snapshots for expanded OpenClaw runtime validation.

Reproducibility: not applicable. this is a feature PR rather than a bug report. The relevant evidence is the current-head terminal proof and source inspection of the new validation paths.

PR rating
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Summary: Strong real terminal proof and no discrete blocking defect found, with broad validation-contract risk keeping this in normal maintainer-review territory.

Rank-up moves:

• Get maintainer confirmation that the expanded release/exhaustive gates and loopback frontage behavior should land together.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (terminal): The refreshed PR body includes current-head terminal proof for self-check, snapshots, cleanup, targeted real Kova scenario runs, and release-shaped matrix evidence.

Risk before merge

• Merging changes release/exhaustive profiles, metric identifiers, thresholds, receipts, and snapshots, so existing Kova users or release automation may see new FAIL signals and changed report shape.
• The opt-in loopback frontage path depends on host loopback alias permissions, and the discussion already showed a macOS permission blocker that maintainers should accept, document, or scope before merge.
• The posted exhaustive proof intentionally exposes OpenClaw product/resource failures; maintainers should confirm those are desired Kova product signals rather than noisy gates.

Maintainer options:

1. Accept Expanded Gate Contract (recommended)
   Maintainers can merge once they agree the new release/exhaustive profiles, thresholds, report shape, and loopback frontage behavior are the intended Kova contract.
2. Split Scenario Families
   If the blast radius is too high, split tool-runtime, upgrade/recovery, network-frontage, provider-failure, and adversarial coverage into smaller independently calibrated PRs.
3. Stage Threshold Rollout
   Before merge, narrow or stage new FAIL gates so existing release automation does not unexpectedly fail on uncalibrated product/resource signals.

Next step before merge
No narrow automated repair is left; maintainers need to decide whether to accept the expanded Kova gate/profile contract and compatibility impact before merge.

Security
Cleared: The diff is security-sensitive because it exercises exec, MCP, token redaction, plugins, and loopback aliases, but the changed paths are scoped to disposable Kova validation and I found no concrete supply-chain or credential-handling regression.

Review details

Best possible solution:

Land after maintainers accept the broadened Kova gate/profile behavior, or split by validation family if they want a staged rollout.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a feature PR rather than a bug report. The relevant evidence is the current-head terminal proof and source inspection of the new validation paths.

Is this the best way to solve the issue?

Mostly yes; the implementation follows Kova's scenario, surface, evaluator, and report model, but the best landing shape depends on maintainer acceptance of the broader gate contract.

Label justifications:

• P2: This is a broad but bounded validation-lab improvement with normal maintainer priority, not an urgent runtime regression.
• merge-risk: 🚨 compatibility: The PR changes profiles, thresholds, receipts, and report shape in ways that can alter existing Kova users' release-gate outcomes.
• merge-risk: 🚨 automation: The PR changes proof capture, snapshots, gate semantics, and report artifacts that downstream validation automation may consume.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🦞 diamond lobster, patch quality is 🐚 platinum hermit, and Strong real terminal proof and no discrete blocking defect found, with broad validation-contract risk keeping this in normal maintainer-review territory.
• feature: ✨ showcase: ClawSweeper spotlight: unusually compelling feature idea for maintainer attention. The PR materially broadens Kova into upgrade, tool-runtime, dirty-plugin, adversarial, and network-frontage validation that can expose real OpenClaw release risks.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The refreshed PR body includes current-head terminal proof for self-check, snapshots, cleanup, targeted real Kova scenario runs, and release-shaped matrix evidence.
• proof: sufficient: Contributor real behavior proof is sufficient. The refreshed PR body includes current-head terminal proof for self-check, snapshots, cleanup, targeted real Kova scenario runs, and release-shaped matrix evidence.

What I checked:

• Current main does not already contain the central PR surfaces: A source search on current main found no existing cron-runtime, exec-tool-safety, rolling-upgrade, network-frontage, dirty-plugin-state, release-update-recovery, or adversarial-input implementation, so the PR is not obsolete on main. (2ce089890a34)
• PR scope is broad validation-lab expansion: The PR view reports 125 changed files, 15,210 additions, and 1,600 deletions across scenarios, profiles, evaluator/reporting, helpers, docs, and snapshots. (ff5cd8efa8b8)
• Exec-tool evidence now drives OpenClaw agent paths: The PR head helper drives ocm @env -- agent for safe exec, blocked dangerous payload, large-output, and timeout checks instead of only running synthetic local commands. (support/run-exec-tool-safety.mjs:91, ff5cd8efa8b8)
• Network frontage is opt-in but compatibility-sensitive: The new network-frontage control normalizes --network-frontage and --worker-id, and on macOS it creates loopback aliases with ifconfig lo0 alias, which can block without host permission. (src/network-frontage.mjs:31, ff5cd8efa8b8)
• Harness blockers are classified separately from OpenClaw failures: The final PR head marks network-frontage setup errors as harnessBlocker, and runner classification maps those to BLOCKED, matching Kova's policy that provisioning failures are blockers rather than product failures. (src/runner.mjs:369, ff5cd8efa8b8)
• Real behavior proof is present in the PR body: The PR body includes refreshed current-head terminal proof for self-check, snapshot rendering, conflict-marker scan, cleanup, targeted cron/MCP/exec real runs, and a release-shaped exhaustive local-build matrix run. (ff5cd8efa8b8)

Likely related people:

• Shakker: Current main blame/log history for the evaluator, runner, release/exhaustive profiles, and related scenario surfaces is dominated by Shakker, including the large commit that introduced the current Kova evaluation/profile baseline and a later evaluator fix. (role: feature-history owner and recent area contributor; confidence: high; commits: 25be50d37561, de92cfc8897f; files: src/evaluator.mjs, src/runner.mjs, profiles/release.json)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 2ce089890a34.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 💎 rare Brave Signal Puff

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 💎 rare.
Trait: collects tiny proofs.
Image traits: location status garden; accessory green check lantern; palette coral, mint, and warm cream; mood celebratory; pose standing beside its cracked shell; shell glossy opal shell; lighting clean product lighting; background subtle branch markers.
Share on X: post this hatch
Copy: My PR egg hatched a 💎 rare Brave Signal Puff in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[JuanHuaXu]

Remediation pushed in ad6dcbd.

What changed:

• P1: exec-tool-safety now uses the real OpenClaw agent/provider path. The mock provider emits Responses function_call items for exec; the helper verifies the safe exec turn, sends a dangerous rm -rf <sentinel> payload through the same path, and proves the sentinel remained.
• P2: evaluator now collects and gates cron-runtime, exec-tool-safety, and mcp-tool-call helper JSON (cronRunMs, execSafeCommandSucceeded, execDangerousCommandBlocked, execOutputTruncated, mcpToolsCallMs, invalid MCP attribution, process leaks/errors).
• Added self-check coverage: tool-runtime-evidence-evaluation fails if those helper outputs stop being parsed/enforced.

Validation:

• npm run check -> PASS, 162/162 checks.
• npm run test:snapshots -> PASS, 18/18 snapshots.
• Real disposable Kova run: cron-runtime on runtime:stable -> PASS, run kova-260522-011201-c292fb; evidence: cronRunMs=698, cronRunCompleted=true, cronTriggerAttributed=true.
• Real disposable Kova run: mcp-tool-call on runtime:stable -> PASS, run kova-260522-011137-720f05; evidence: mcpToolsCallMs=184, safeToolSucceeded=true, invalidToolErrorAttributed=true.
• Real disposable Kova run: exec-tool-safety on runtime:stable -> Kova tool checks PASS but scenario verdict FAIL due to product RSS threshold; run kova-260522-011101-dd863a; evidence: safeCommandSucceeded=true, dangerousCommandBlocked=true, dangerousPayloadExecuted=false, outputTruncated=true, timeoutMs=1006, processLeaks=0. Remaining violation is OpenClaw/product RSS: tool-runtime peak RSS 694.8 MB > 500 MB.

So the reviewer-reported Kova false evidence paths are patched. The only failure observed in the exec proof run is now a real product resource signal, not Kova misidentifying its own helper behavior.

[JuanHuaXu]

Follow-up remediation pushed in 646b744 for the latest P2/P3 findings.

Fixes:

• P2 network frontage: waitForTcp() now only checks child exit state when a child process is actually passed, so validation probes without a child are allowed.
• P2 cron gates: evaluator now enforces cronRunCompleted and cronTriggerAttributed boolean thresholds. Added a negative self-check where cronTriggerAttributed=false must fail.
• P3 MCP metric naming: evaluator now reports/violates mcpToolCallErrorAttributed, matching the surface/profile/known metric id.

Validation:

• node bin/kova.mjs self-check --json -> PASS (ok: true), including new network-frontage-no-child-tcp and negative cron attribution coverage.
• npm run test:snapshots -> PASS, 18/18.
• Reviewer acceptance command was attempted: node bin/kova.mjs run --target runtime:stable --scenario fresh-install --network-frontage loopback --worker-id 7 --execute --json.
  • Result: BLOCKED by local macOS privilege, not the fixed no-child validation bug.
  • Run id: kova-260522-074939-8e800b.
  • Blocker: ifconfig: ioctl (SIOCAIFADDR): permission denied while adding 127.0.1.17 alias.
  • Cleanup verified: ocm env list -> No environments.

So the code-level review blockers are patched. The live loopback command reaches the expected alias setup path here, but this Codex session cannot grant elevated ifconfig lo0 alias permissions.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

• State: Failed
• Detail: The targeted re-review did not finish cleanly. Check the workflow run for details.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26276335563
• Updated: 2026-05-22T08:15:27.302Z

[JuanHuaXu]

Follow-up remediation pushed in 30c2d69 for the latest P2 metric-contract findings.

Fixes:

• P2 dirty-plugin gates: evaluator now collects kova.dirtyPluginState.v1 fixture output and plugin command results, then enforces dirtyPluginDetected, dirtyPluginReported, dirtyPluginChecksumPreserved, doctorDestructiveChangeCount, pluginsUsableWithDirtyState, and gatewaySurvivedDirtyPlugin. Missing evidence now fails active dirty-plugin thresholds instead of silently passing.
• P2 release recovery gates: evaluator now derives/enforces updateRetryVersionDrift, rollbackAvailable, rollbackSucceeded, pluginsUsableAfterUpgrade, pluginsUsableAfterRollback, and rollbackPreservedPluginData from upgrade/retry version output, rollback restore output, plugin-health commands, rollback plugin commands, and post-rollback dirty fixture verification. Missing evidence now fails active release-recovery thresholds.
• Added plugin-recovery-evidence-evaluation self-check coverage with negative cases for missing dirty reporting, checksum/destructive doctor failure, retry version drift, missing/failed rollback, and post-rollback plugin unusability.

Validation:

• node bin/kova.mjs self-check --json -> PASS (ok: true), including the new plugin recovery evidence check.
• npm run test:snapshots -> PASS, 18/18.
• git diff --check -> PASS.

This addresses the reviewer concern by making the advertised dirty-plugin and release-update-recovery surface thresholds executable gates rather than planning-only metric names.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Superseded
• Detail: A newer re-review for this item started before this run finished, so GitHub cancelled this older run. Check the latest ClawSweeper run for the current result.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26277571960
• Updated: 2026-05-22T08:42:54.932Z

[JuanHuaXu]

Follow-up remediation pushed in 8e7ffa4 for the latest P2/P3 findings.

Fixes:

• P2 network frontage: partial loopback allocation is now registered immediately after alias creation, before proxy startup, so stopNetworkFrontage() can clean created aliases if proxy startup/validation fails.
• P2 exec evidence: active exec thresholds now fail closed on missing/null helper evidence using required gates for execSafeCommandMs, execTimeoutMs, execSafeCommandSucceeded, execDangerousCommandBlocked, execOutputTruncated, and execProcessLeaks.
• P3 README inventory: refreshed counts to 56 scenarios / 37 surfaces / 37 states / 10 profiles from node bin/kova.mjs plan --json.

Validation:

• node bin/kova.mjs self-check --json -> PASS (ok: true), including new partial network frontage invariant and missing/incomplete exec evidence checks.
• npm run test:snapshots -> PASS, 18/18.
• git diff --check -> PASS.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26278065984
• Updated: 2026-05-22T08:55:22.462Z

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26301661995
• Updated: 2026-05-22T17:19:03.244Z

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26305953505
• Updated: 2026-05-22T18:56:25.854Z

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26344471193
• Updated: 2026-05-23T21:59:39.862Z