prompt request: require maintainer review for config value additions

[dutifulbob]

Opened on behalf of Onur Solmaz (osolmaz). This is a prompt request; work is not yet started.

Motivation

OpenClaw PR openclaw/openclaw#84947 added the public plugin manifest config value contracts.embeddingProviders. ClawSweeper correctly routed that PR through the needs-human path because it introduced a new public SDK/config contract and credential/security boundary, then maintainer approval allowed automerge to continue.

That behavior should be systematic for config-surface additions. New config values, CLI flags, env vars, plugin manifest contracts, schema fields, or policy knobs are public API and compatibility decisions. They should not silently pass through normal repair/automerge just because the patch is mechanically correct.

Request

Make ClawSweeper require human/maintainer review whenever a PR adds an OpenClaw config value.

This should be both prompt-level and deterministic:

• Prompt-level: update the review instructions so new config values are treated as requiresNewConfigOption: true and as maintainer-review work, not as a narrow automated repair/pass.
• Deterministic guard: inspect PR files/patches for config-surface additions and force the review automation marker to clawsweeper-verdict:needs-human when detected.
• Persist the result in durable report frontmatter, for example config_surface_change: true and, if practical, config_surface_keys: [...].
• Block isRepairLoopPassReport(...) from producing a normal pass when this flag is true.

Suggested OpenClaw config-surface areas to cover:

• src/config/zod-schema*.ts
• src/config/types*.ts
• src/config/schema.help.ts
• src/config/schema.labels.ts
• src/plugins/manifest.ts
• src/plugins/manifest-registry.ts
• docs/gateway/configuration*.md
• docs/plugins/manifest.md

Acceptance Criteria

• A PR adding a root/user config schema field triggers clawsweeper-verdict:needs-human in the review comment.
• A PR adding a plugin manifest config contract such as contracts.embeddingProviders triggers the same path.
• In an automerge lane, the routed action adds/keeps clawsweeper:human-review and blocks merge until maintainer approval.
• Non-semantic documentation wording changes do not trigger this unless they add a config key/value surface.
• Existing review-finding behavior remains intact for non-config PRs.
• Tests cover config-schema additions, plugin-manifest contract additions, and a negative case.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Latest ClawSweeper review: 2026-05-22 15:24 UTC / May 22, 2026, 11:24 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open. Current main has model-level config-option metadata, but the requested deterministic guard is still missing: there is no stored config_surface_change flag and the automerge pass path does not check config-surface additions before emitting a pass verdict.

Reproducibility: not applicable. as a bug reproduction. Source inspection does show the requested deterministic config-surface guard is absent from the current automerge pass path.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.
• Include redacted logs or terminal output.

Next step
The acceptance criteria and target surfaces are specific enough for a focused PR, but the implementation should keep detection conservative to avoid unnecessary automerge pauses.

Review details

Best possible solution:

Add a conservative config-surface detector over hydrated PR files/patches, persist the detected flag and keys in reports, and force needs-human before automerge/pass markers while covering the requested positive and negative cases.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a bug reproduction. Source inspection does show the requested deterministic config-surface guard is absent from the current automerge pass path.

Is this the best way to solve the issue?

Yes. Combining prompt guidance with a deterministic report/marker guard is the narrowest maintainable way to avoid relying only on model classification for public config-surface additions.

Label changes:

• add P2: The request is a normal-priority review automation improvement with limited blast radius, not an active runtime outage.
• add impact:security: The issue asks ClawSweeper to require human review for public config and credential/security-boundary additions before automation can merge them.
• add issue-rating: 🌊 off-meta tidepool: Current issue advisory state selects this label.

Label justifications:

• P2: The request is a normal-priority review automation improvement with limited blast radius, not an active runtime outage.
• impact:security: The issue asks ClawSweeper to require human review for public config and credential/security-boundary additions before automation can merge them.

Acceptance criteria:

• pnpm exec node --test test/clawsweeper.test.ts test/repair/comment-router-core.test.ts test/repair/issue-implementation-intake.test.ts
• pnpm run check

What I checked:

• Prompt has only generic config-option classification: The review prompt already says new config options are not bugs and should set requiresNewConfigOption, but it does not specifically require human review for added OpenClaw config-surface keys or plugin manifest contracts. (prompts/review-item.md:70, 6eed37e5bfc8)
• Report frontmatter stores config-option booleans only: Durable reports persist requires_new_config_option and requires_product_decision, but current main has no config_surface_change or config_surface_keys frontmatter field. (src/clawsweeper.ts:10880, 6eed37e5bfc8)
• Automerge pass gate lacks config-surface check: reviewAutomationMarkersFromReport can emit clawsweeper-verdict:pass through repairLoopPassModeFromReport, and isRepairLoopPassReport checks labels, completion, confidence, proof, correctness, and findings but not config-surface metadata. (src/clawsweeper.ts:10080, 6eed37e5bfc8)
• No deterministic config-surface detector found: Repository search found requiresNewConfigOption plumbing but no config_surface or configSurface detector/report field. (6eed37e5bfc8)
• Existing human-review pause path can be reused: The comment router already treats trusted clawsweeper-verdict:needs-human markers as trustedHumanReview, so the requested guard can route through the existing pause mechanism once the review marker is forced. (src/repair/comment-router-core.ts:1040, 6eed37e5bfc8)
• History points to current review automation implementation: Git blame shows the prompt, report frontmatter, marker generation, and repair-loop pass predicate were introduced in commit 5733db1. (src/clawsweeper.ts:10048, 5733db19fa6b)

Likely related people:

• Tak Hoffman: Introduced the current review prompt, durable report schema/frontmatter, verdict marker path, and repair-loop pass predicate, then made recent human-review pause refinements. (role: feature-history owner; confidence: high; commits: 5733db19fa6b, cb3d70ceec0f, b08d09badf8b; files: src/clawsweeper.ts, prompts/review-item.md, test/clawsweeper.test.ts)
• Peter Steinberger: Recently touched adjacent ClawSweeper source/workflow behavior, including apply label sync and target repository fanout, which are near the review/apply automation surface. (role: recent adjacent contributor; confidence: medium; commits: 0e1005eb0736, 43cfca13e47e; files: src/clawsweeper.ts, .github/workflows/sweep.yml)

Remaining risk / open question:

• Detector scope needs care: it must catch semantic additions in config/schema/manifest/docs surfaces without pausing non-semantic documentation wording changes.
• The guard should force human review before a pass verdict while preserving existing needs-changes behavior for non-config correctness findings.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 6eed37e5bfc8.

[dutifulbob]

Additional implementation pointers:

• Existing #84947 flow to preserve/reuse:

  • Review comment emitted <!-- clawsweeper-verdict:needs-human ... -->.
  • parseTrustedAutomation(...) in src/repair/comment-router-core.ts mapped that to intent clawsweeper_needs_human.
  • classifyNeedsHuman(...) in src/repair/comment-router.ts planned clawsweeper:human-review.
  • validateAutomergeReadiness(...) then blocked merge while clawsweeper:human-review was present, until maintainer approval.

• Likely ClawSweeper code touch points:

  • markdownFor(...) in src/clawsweeper.ts: persist a deterministic config-surface flag and any detected keys into report frontmatter.
  • reviewAutomationMarkersFromReport(...) in src/clawsweeper.ts: if the config-surface flag is true, emit clawsweeper-verdict:needs-human before returning a normal pass marker.
  • isRepairLoopPassReport(...) in src/clawsweeper.ts: include !configSurfaceReviewRequired(markdown) so config additions cannot become an automatic pass.
  • test/clawsweeper.test.ts: add marker-generation tests for config additions.

• Suggested detector shape:

  • Start from context.pullFiles; compactPullFile(...) already includes filename, status, additions/deletions, and a truncated patch.
  • Treat added lines in schema/type/config docs as a trigger when they look like new keys, enum values, config labels, help text entries, zod object fields, or plugin manifest contract list entries.
  • Keep it conservative but deterministic: false positives should pause for maintainer review, not merge automatically.

• Concrete examples that should trigger:

  • Adding contracts.embeddingProviders in src/plugins/manifest.ts / docs/plugins/manifest.md.
  • Adding agents.list[].experimental.localModelLean in config schema/help/labels.
  • Adding allowed values like "auto" | "metal" | "cpu" for a new config field.

• Concrete examples that should not trigger by themselves:

  • Rewording existing config docs without introducing a new key/value.
  • Tests that only reference an already-existing config key.
  • Internal refactors in config code that do not expand the public config surface.