
[Repo Assist] eng(tests): add NuGetAuditMode=all to tests/Directory.Build.props #539

Merged
shanselman merged 1 commit into master from repo-assist/eng-nuget-audit-tests-2026-05-25-5051a867fc86b230 on May 26, 2026

Conversation

@github-actions
Contributor

🤖 This is an automated PR from Repo Assist.

What

Adds <NuGetAuditMode>all</NuGetAuditMode> to tests/Directory.Build.props.

Why

src/Directory.Build.props already sets NuGetAuditMode=all so that transitive NuGet dependencies in source projects are checked for known CVEs at restore time. The tests/Directory.Build.props lacked this setting, meaning test projects' transitive dependencies were only audited at the "direct" level (the SDK default).

This one-line change mirrors the existing security posture across the whole repo. No test output or build steps are affected — the audit runs during dotnet restore and surfaces advisories as warnings/errors.

Test Status

dotnet restore tests/OpenClaw.Shared.Tests succeeds with no new warnings or advisories on the current dependency graph.


Generated by 🌈 Repo Assist, see workflow run. Learn more.

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/repo-assist.md@97143ac59cb3a13ef2a77581f929f06719c7402a


Mirror the NuGetAudit setting from src/Directory.Build.props so that
transitive dependencies in test projects are also audited for known CVEs
during dotnet restore.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@clawsweeper

clawsweeper Bot commented May 25, 2026

Codex review: needs maintainer review before merge. Reviewed May 25, 2026, 9:45 AM ET / 13:45 UTC.

Summary
The PR adds a comment and <NuGetAuditMode>all</NuGetAuditMode> to tests/Directory.Build.props.

Reproducibility: not applicable as a bug reproduction; this is a configuration-hardening PR. Source inspection does confirm the reported configuration gap between source and test props on current main.

Review metrics: 2 noteworthy metrics.

  • Diff size: 1 file modified, +3/-0. The patch is small enough that review can focus on MSBuild restore behavior rather than broad code churn.
  • Validation reported: 1 restore command in PR body. Repository policy asks for full build plus shared and tray test validation before completion.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Run or confirm ./build.ps1, the shared test command, and the tray test command before merge.

Risk before merge

  • AGENTS.md requires ./build.ps1, shared tests, and tray tests after changes; the PR body reports only dotnet restore tests/OpenClaw.Shared.Tests, and this read-only review did not run validation.
  • NuGetAuditMode=all can cause test restores or CI validation to surface transitive NuGet advisories that the current test props would not catch; that stricter posture appears intentional but needs maintainer acceptance before merge.

Maintainer options:

  1. Validate full test restore path (recommended)
    Run or confirm ./build.ps1 plus the shared and tray test commands against the PR head before landing the stricter test restore audit.
  2. Accept stricter audit policy
    Maintainers can intentionally accept that future transitive advisories may block test restores because that is the security-hardening goal.

Next step before merge
No automated repair is needed; maintainers need to run or confirm repo validation and decide whether the stricter test restore audit should land.

Security
Cleared: The diff tightens NuGet audit coverage and adds no dependencies, scripts, permissions, lockfile changes, or external code execution.

Review details

Best possible solution:

Land the narrow test props change after maintainer review confirms the stricter audit posture and the AGENTS.md build/shared/tray validation passes.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a bug reproduction: this is a configuration-hardening PR. Source inspection does confirm the reported configuration gap between source and test props on current main.

Is this the best way to solve the issue?

Yes: adding the same MSBuild property to the shared test props is the narrowest maintainable way to align test restore auditing with the existing source-project policy.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against ef6ac8acbab2.

Label changes:

  • add P3: This is low-risk repository security hardening for test restore configuration, not an urgent runtime regression.
  • add merge-risk: 🚨 automation: The diff changes shared test restore audit behavior, so future transitive advisories can affect validation or CI independently of normal code tests.

Label justifications:

  • P3: This is low-risk repository security hardening for test restore configuration, not an urgent runtime regression.
  • merge-risk: 🚨 automation: The diff changes shared test restore audit behavior, so future transitive advisories can affect validation or CI independently of normal code tests.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a bot-authored automation PR, so the external contributor real-behavior-proof gate does not apply; the body reports a restore check but full validation remains maintainer work.

Evidence reviewed

What I checked:

  • Repository policy read: AGENTS.md was present and read fully; its validation guidance affects this PR because the change is build/test configuration, but this review is read-only and did not run validation commands. (AGENTS.md:1, ef6ac8acbab2)
  • Current test props gap: Current main's shared test props set target framework, nullability, packability, and TreatWarningsAsErrors, but do not set NuGetAuditMode. (tests/Directory.Build.props:8, ef6ac8acbab2)
  • Existing source audit policy: Current main's source props already set NuGetAuditMode=all with a direct/transitive CVE audit comment. (src/Directory.Build.props:11, ef6ac8acbab2)
  • PR diff scope: The GitHub PR files API shows one modified file with three added lines: a comment and NuGetAuditMode=all under the existing shared test PropertyGroup. (tests/Directory.Build.props:13, b8d6f29f941c)
  • Audit policy provenance: GitHub commit history shows shanselman introduced src/Directory.Build.props with transitive NuGet vulnerability auditing in commit 645856d. (src/Directory.Build.props:13, 645856d1d665)
  • Known audit-warning interaction: The UI test project already has a targeted NU1904 WarningsNotAsErrors entry for a transitive System.Drawing.Common advisory flowing through the tray project reference. (tests/OpenClaw.Tray.UITests/OpenClaw.Tray.UITests.csproj:30, ef6ac8acbab2)

Likely related people:

  • shanselman: Authored the commit that added src/Directory.Build.props and established NuGetAuditMode=all for source projects, then worked on the related System.Drawing.Common vulnerability path. (role: introduced adjacent audit policy; confidence: high; commits: 645856d1d665, 435b47fddc68; files: src/Directory.Build.props, src/OpenClaw.Tray.WinUI/OpenClaw.Tray.WinUI.csproj)
  • github-actions[bot]: GitHub API history shows bot-authored commits created tests/Directory.Build.props and later added TreatWarningsAsErrors to that shared test configuration. (role: introduced current shared test props behavior; confidence: medium; commits: 8944d59744e6, 1c251dd9c745; files: tests/Directory.Build.props)
  • codemonkeychris: Recent test infrastructure work touched tests/Directory.Build.props while adding the WinUI A2UI renderer and test coverage. (role: recent adjacent test area contributor; confidence: medium; commits: 9fa43f347703; files: tests/Directory.Build.props, tests/OpenClaw.Tray.UITests/OpenClaw.Tray.UITests.csproj)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
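As an added illustration, and not the repository's own props file nor code from Repo Assist or ClawSweeper, the following shows what a shared tests/Directory.Build.props looks like with the setting this PR adds beside the default it replaces, the neighbouring NuGet audit knobs, and the two ways of handling a known advisory that the review above contrasts: a project-wide WarningsNotAsErrors entry for NU1904 (what the review says the UI test project uses) versus a per-advisory NuGetAuditSuppress item (available in NuGet 6.11 and later). The file layout is an assumption about the project, and the advisory URL GHSA-xxxx-xxxx-xxxx is a placeholder, not a real advisory.

```xml
<!-- tests/Directory.Build.props: illustrative example, not the repository's file -->
<Project>
  <PropertyGroup>
    <!-- Restore-time vulnerability audit. NuGetAudit is on by default in
         current SDKs; stating it explicitly makes the policy visible. -->
    <NuGetAudit>true</NuGetAudit>

    <!-- Weak setting (the SDK default the PR body refers to): only packages
         this project references directly are checked:
           <NuGetAuditMode>direct</NuGetAuditMode>
         Hardened setting (what this PR adds): the whole resolved graph is
         checked, including packages pulled in transitively and through
         ProjectReference. -->
    <NuGetAuditMode>all</NuGetAuditMode>

    <!-- Report advisories from low severity upward (NU1901 low, NU1902
         moderate, NU1903 high, NU1904 critical). Raising this to high or
         critical reduces noise but silently drops lower-severity findings. -->
    <NuGetAuditLevel>low</NuGetAuditLevel>

    <!-- With warnings promoted to errors, an advisory fails restore instead
         of only printing a warning. The review notes the test props already
         set this, which is why a new transitive advisory can block CI. -->
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>

    <!-- Broad exception: every critical advisory in the affected project stays
         a warning, including ones that appear later. Keep this in the single
         project that needs it, not in shared props:
           <WarningsNotAsErrors>$(WarningsNotAsErrors);NU1904</WarningsNotAsErrors>
    -->
  </PropertyGroup>

  <ItemGroup>
    <!-- Narrow exception: suppress exactly one reviewed advisory by its URL.
         Placeholder identifier; replace with the advisory actually triaged. -->
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-xxxx-xxxx-xxxx" />
  </ItemGroup>
</Project>
```

MSBuild imports only the nearest Directory.Build.props found walking up from each project directory, so a setting in src/Directory.Build.props does not reach projects under tests/ unless the tests file imports it; that is why the PR mirrors the property rather than relying on inheritance. Once the file is in place, dotnet restore on any project under tests/ audits the full graph with no per-project change, and a check that the property took effect is a restore of the test project with a deliberately outdated transitive package, which should now produce an NU190x diagnostic that the direct mode would not report.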

@clawsweeper clawsweeper Bot added labels on May 25, 2026: rating: 🐚 platinum hermit (Good normal PR readiness with ordinary maintainer review expected), status: 👀 ready for maintainer look (ClawSweeper has no concrete contributor-facing blocker left for this PR).
@clawsweeper

clawsweeper Bot commented May 25, 2026

ClawSweeper PR egg

✨ Hatched: 🥚 common Clockwork Review Wisp

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: polishes edge cases.
Image traits: location diff observatory; accessory release bell; palette moss green and polished brass; mood bright-eyed; pose leaning over a miniature review desk; shell frosted glass shell; lighting subtle sparkle highlights; background soft code-shaped tiles.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Clockwork Review Wisp in ClawSweeper.

What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

@clawsweeper clawsweeper Bot added labels on May 25, 2026: P3 (Low-risk cleanup, docs, polish, ergonomics, or speculative feature), merge-risk: 🚨 automation (🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation).
@shanselman shanselman marked this pull request as ready for review May 26, 2026 03:55
@shanselman shanselman merged commit 0f669b2 into master May 26, 2026
6 checks passed
@shanselman shanselman deleted the repo-assist/eng-nuget-audit-tests-2026-05-25-5051a867fc86b230 branch May 26, 2026 03:55

Labels

  • automation
  • enhancement: New feature or request.
  • merge-risk: 🚨 automation: 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation.
  • P3: Low-risk cleanup, docs, polish, ergonomics, or speculative feature.
  • rating: 🐚 platinum hermit: Good normal PR readiness with ordinary maintainer review expected.
  • repo-assist
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR.
