fix: Hook ingress token unlocks password-mode gateway auth

[coygeek]

Summary

• Problem: When hooks.token equals gateway.auth.password, any caller that only knows the hook ingress bearer can authenticate directly to password-mode Gateway HTTP surfaces. That bypasses hook-specific routing controls and upgrades a hook token into full operator access, including owner-only tool behavior on /tools/invoke.
• Why it matters: Add the missing security-audit coverage for password-mode reuse.
• What changed: Add the missing security-audit coverage for password-mode reuse.
• What did NOT change (scope boundary): No unrelated defaults, migrations, or compatibility behavior were intentionally changed.

Motivation

• Add the missing security-audit coverage for password-mode reuse.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Bug]: Hook ingress token unlocks password-mode gateway auth #84337
• Related #
• This PR fixes a bug or regression

Real behavior proof (required for external PRs)

• Behavior or issue addressed: When hooks.token equals gateway.auth.password, any caller that only knows the hook ingress bearer can authenticate directly to password-mode Gateway HTTP surfaces. That bypasses hook-specific routing controls and upgrades a hook token into full operator access, including owner-only tool behavior on /tools/invoke.
• Real environment tested: See Repro + Verification.
• Exact steps or command run after this patch: node scripts/run-oxlint.mjs 'src/security/audit-extra.sync.ts' 'src/security/audit-hooks-routing.test.ts' && node scripts/run-vitest.mjs 'src/security/audit-extra.sync.test.ts' 'src/security/audit-hooks-routing.test.ts' && pnpm build && pnpm check
• Evidence after fix (screenshot, recording, terminal capture, console output, redacted runtime log, linked artifact, or copied live output): node scripts/run-oxlint.mjs 'src/security/audit-extra.sync.ts' 'src/security/audit-hooks-routing.test.ts' && node scripts/run-vitest.mjs 'src/security/audit-extra.sync.test.ts' 'src/security/audit-hooks-routing.test.ts' && pnpm build && pnpm check reported passed.
• Observed result after fix: passed
• What was not tested: Interactive/manual scenarios not captured in the staged issue bundle.
• Before evidence (optional but encouraged): See the linked issue analysis.

Root Cause (if applicable)

• Root cause: Add the missing security-audit coverage for password-mode reuse.
• Missing detection / guardrail: No narrower detection note was recorded in the issue bundle.
• Contributing context (if known): See the linked issue analysis and changed files below.

Regression Test Plan (if applicable)

• Coverage level that should have caught this: Validation command node scripts/run-oxlint.mjs 'src/security/audit-extra.sync.ts' 'src/security/audit-hooks-routing.test.ts' && node scripts/run-vitest.mjs 'src/security/audit-extra.sync.test.ts' 'src/security/audit-hooks-routing.test.ts' && pnpm build && pnpm check
• Target test or file: Not explicitly recorded in the issue bundle.
• Scenario the test should lock in: When hooks.token equals gateway.auth.password, any caller that only knows the hook ingress bearer can authenticate directly to password-mode Gateway HTTP surfaces. That bypasses hook-specific routing controls and upgrades a hook token into full operator access, including owner-only tool behavior on /tools/invoke.
• Why this is the smallest reliable guardrail: It validates the failing behavior on the touched path without expanding scope.
• Existing test that already covers this (if any): Unknown.
• If no new test is added, why not: The staged bundle did not record a narrower regression target.

User-visible / Behavior Changes

• None beyond resolving the linked issue's broken behavior.

Diagram (if applicable)

N/A

Security Impact (required)

• New permissions/capabilities? (Yes/No): No
• Secrets/tokens handling changed? (Yes/No): Yes
• New/changed network calls? (Yes/No): Yes
• Command/tool execution surface changed? (Yes/No): Yes
• Data access scope changed? (Yes/No): No
• If any Yes, explain risk + mitigation: Add the missing security-audit coverage for password-mode reuse.. Mitigation: node scripts/run-oxlint.mjs 'src/security/audit-extra.sync.ts' 'src/security/audit-hooks-routing.test.ts' && node scripts/run-vitest.mjs 'src/security/audit-extra.sync.test.ts' 'src/security/audit-hooks-routing.test.ts' && pnpm build && pnpm check reported passed.

Repro + Verification

Environment

• OS: N/A
• Runtime/container: N/A
• Model/provider: github-copilot/gpt-5.3-codex
• Integration/channel (if any): N/A
• Relevant config (redacted): AI-assisted=yes

Steps

1. Reproduce the linked issue using the recorded issue bundle.
2. Apply the fix from this branch.
3. Run node scripts/run-oxlint.mjs 'src/security/audit-extra.sync.ts' 'src/security/audit-hooks-routing.test.ts' && node scripts/run-vitest.mjs 'src/security/audit-extra.sync.test.ts' 'src/security/audit-hooks-routing.test.ts' && pnpm build && pnpm check.

Expected

• When hooks.token equals gateway.auth.password, any caller that only knows the hook ingress bearer can authenticate directly to password-mode Gateway HTTP surfaces. That bypasses hook-specific routing controls and upgrades a hook token into full operator access, including owner-only tool behavior on /tools/invoke.
• Validation passes for the touched behavior.

Actual

• Validation status: passed

Evidence

• Validation evidence: node scripts/run-oxlint.mjs 'src/security/audit-extra.sync.ts' 'src/security/audit-hooks-routing.test.ts' && node scripts/run-vitest.mjs 'src/security/audit-extra.sync.test.ts' 'src/security/audit-hooks-routing.test.ts' && pnpm build && pnpm check reported passed.
• CVSS v3.1: 8.8 (High)
• CVSS v4.0: 8.7 (High)
• Changed files:
• src/gateway/startup-auth.test.ts (+42/-3)
• src/gateway/startup-auth.ts (+11/-5)
• src/security/audit-extra.sync.ts (+17/-17)
• src/security/audit-hooks-routing.test.ts (+29/-0)

Manual audit/startup proof

Using a disposable config at .artifacts/pr-84338-manual/openclaw.json where hooks.token equals gateway.auth.password:

{
  "gateway": {
    "mode": "local",
    "auth": {
      "mode": "password",
      "password": "shared-gateway-password-1234567890"
    }
  },
  "hooks": {
    "enabled": true,
    "token": "shared-gateway-password-1234567890",
    "defaultSessionKey": "hook:ingress"
  }
}

Security audit reports the reused password as a finding:

OPENCLAW_HOME="$PWD/.artifacts/pr-84338-manual/home" \
OPENCLAW_STATE_DIR="$PWD/.artifacts/pr-84338-manual/state" \
OPENCLAW_CONFIG_PATH="$PWD/.artifacts/pr-84338-manual/openclaw.json" \
node --import tsx src/entry.ts security audit

Observed output included:

CRITICAL
hooks.token_reuse_gateway_token Hooks token reuses the Gateway password
  hooks.token matches gateway.auth password; compromise of hooks expands blast radius to Gateway password auth.

Startup does not block on that same reused-password config:

OPENCLAW_HOME="$PWD/.artifacts/pr-84338-manual/home" \
OPENCLAW_STATE_DIR="$PWD/.artifacts/pr-84338-manual/state" \
OPENCLAW_CONFIG_PATH="$PWD/.artifacts/pr-84338-manual/openclaw.json" \
node --import tsx src/entry.ts gateway run --port 19043 --bind loopback

Observed startup output reached:

[gateway] resolving authentication...
[gateway] starting...
[gateway] http server listening
[gateway] ready

Human Verification (required)

• Verified scenarios: When hooks.token equals gateway.auth.password, any caller that only knows the hook ingress bearer can authenticate directly to password-mode Gateway HTTP surfaces. That bypasses hook-specific routing controls and upgrades a hook token into full operator access, including owner-only tool behavior on /tools/invoke.
• Edge cases checked: node scripts/run-oxlint.mjs 'src/security/audit-extra.sync.ts' 'src/security/audit-hooks-routing.test.ts' && node scripts/run-vitest.mjs 'src/security/audit-extra.sync.test.ts' 'src/security/audit-hooks-routing.test.ts' && pnpm build && pnpm check completed with status passed.
• What you did not verify: Interactive/manual scenarios not captured in the staged issue bundle.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes/No): Yes
• Config/env changes? (Yes/No): No
• Migration needed? (Yes/No): No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: Regression in the touched behavior while closing the linked issue.
  • Mitigation: node scripts/run-oxlint.mjs 'src/security/audit-extra.sync.ts' 'src/security/audit-hooks-routing.test.ts' && node scripts/run-vitest.mjs 'src/security/audit-extra.sync.test.ts' 'src/security/audit-hooks-routing.test.ts' && pnpm build && pnpm check reported passed and the changed-file scope stayed limited to the recorded diff.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed May 25, 2026, 5:32 AM ET / 09:32 UTC.

Summary
The PR extends openclaw security audit and related docs/tests to flag hooks.token reuse of active Gateway password auth, including an explicit --auth password --password audit path.

PR surface: Source +156, Tests +271, Docs +12. Total +439 across 14 files.

Reproducibility: yes. source inspection gives a high-confidence path: current main forwards a bearer token into password auth and only rejects hook reuse for token-mode Gateway auth, while the PR keeps password reuse startup-valid. I did not run a live HTTP repro because this review is read-only.

Review metrics: 2 noteworthy metrics.

• Runtime enforcement delta: 0 HTTP auth checks changed; 1 audit check extended. The linked report is about a runtime auth boundary, so maintainers should notice that the branch adds detection rather than preventing the HTTP credential reuse path.
• Changed surface: 14 files affected. The PR touches CLI, docs, Gateway startup tests, and security audit plumbing around a protected security/auth surface.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🦪 silver shellfish
Patch quality: 🧂 unranked krab
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Get maintainer security/compatibility direction on audit-only versus runtime fail-closed behavior.
• If runtime enforcement is chosen, add focused tests showing reused hook/Gateway password secrets no longer unlock Gateway HTTP surfaces.
• After repair, provide redacted terminal or live-output proof for audit plus direct HTTP auth behavior.

Proof guidance:
Needs stronger real behavior proof before merge: The PR body now includes copied terminal output for audit and startup behavior, but it does not demonstrate that the direct password-mode HTTP auth bypass is prevented after the patch. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

• Merging this as the linked security fix could leave hooks.token == gateway.auth.password accepted on full-operator HTTP surfaces while only adding an audit warning.
• A runtime fail-closed repair would be compatibility-sensitive for existing reused-secret configs, so maintainers need to choose the upgrade behavior before automerge.
• The supplied terminal proof shows audit/startup behavior, but not that direct password-mode HTTP auth is no longer reachable with the hook token.

Maintainer options:

1. Hold for security boundary decision (recommended)
   Pause automerge until maintainers decide whether audit-only detection is acceptable or runtime separation is required for the linked security report.
2. Fix before merge with runtime enforcement
   Update the startup/auth resolution path to reject or otherwise prevent reused hook/Gateway shared secrets for token, password, and trusted-proxy password auth, with explicit upgrade proof.
3. Accept as audit-only hardening
   Merge only if maintainers intentionally scope this PR to detection/docs and keep the runtime security issue tracked separately.

Next step before merge
Protected security/auth behavior and the audit-only versus fail-closed compatibility tradeoff need maintainer judgment before any repair or automerge path.

Security
Needs attention: The diff is security-sensitive and currently leaves the reported hook-token to Gateway-password operator escalation as an audit warning rather than a runtime fix.

Review findings

• [P1] Do not keep reused gateway passwords startup-valid — src/gateway/startup-auth.test.ts:417

Review details

Best possible solution:

Decide whether the security fix must enforce distinct hook and Gateway shared secrets at runtime; if maintainers choose audit-only compatibility, keep or retitle this PR as hardening and leave the linked security issue open for the runtime boundary decision.

Do we have a high-confidence way to reproduce the issue?

Yes, source inspection gives a high-confidence path: current main forwards a bearer token into password auth and only rejects hook reuse for token-mode Gateway auth, while the PR keeps password reuse startup-valid. I did not run a live HTTP repro because this review is read-only.

Is this the best way to solve the issue?

No. The audit finding is useful, but an audit-only change is not the narrowest complete fix if this PR is meant to close the security boundary report; maintainers should choose runtime enforcement or explicitly keep the remaining work open.

Full review comments:

• [P1] Do not keep reused gateway passwords startup-valid — src/gateway/startup-auth.test.ts:417
  This new test locks in hooks.token == gateway.auth.password as a valid startup state, but current HTTP auth still passes a bearer into password auth and /tools/invoke treats shared-secret auth as full operator access. That means this PR can warn in security audit but would still close the linked security boundary with the bypass intact; either enforce distinct hook/Gateway shared secrets with an explicit upgrade decision or scope the PR as audit-only without closing the security issue.
  Confidence: 0.9

Overall correctness: patch is incorrect
Overall confidence: 0.88

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 033693843c26.

Label changes

Label changes:

• add status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Needs stronger real behavior proof before merge: The PR body now includes copied terminal output for audit and startup behavior, but it does not demonstrate that the direct password-mode HTTP auth bypass is prevented after the patch. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.
• remove merge-risk: 🚨 compatibility: Current PR review merge-risk labels are merge-risk: 🚨 security-boundary.
• remove status: 📣 needs proof: Current PR status label is status: 🚀 automerge armed.

Label justifications:

• P0: The item concerns a reported security boundary bypass where a hook ingress secret can become full Gateway operator access.
• merge-risk: 🚨 security-boundary: Merging this PR as the fix could leave the password-mode Gateway auth boundary unresolved because the branch preserves startup acceptance of reused hook/password secrets.
• rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🦪 silver shellfish and patch quality is 🧂 unranked krab.
• status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Needs stronger real behavior proof before merge: The PR body now includes copied terminal output for audit and startup behavior, but it does not demonstrate that the direct password-mode HTTP auth bypass is prevented after the patch. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Evidence reviewed

PR surface:

Source +156, Tests +271, Docs +12. Total +439 across 14 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	5	185	29	+156
Tests	5	291	20	+271
Docs	4	16	4	+12
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	14	492	53	+439

Security concerns:

• [high] Audit-only change leaves password-mode auth boundary open — src/gateway/startup-auth.test.ts:417
  The PR adds detection for reused hook/Gateway password secrets, but it also preserves startup success for that configuration while current HTTP auth still accepts the bearer as a Gateway password.
  Confidence: 0.9

What I checked:

• Current main bearer handling: Gateway HTTP auth reads the bearer token and passes the same value as both token and password, so a bearer matching the Gateway password can authenticate in password mode. (src/gateway/http-auth-utils.ts:111, 033693843c26)
• Current main password auth acceptance: Password-mode Gateway auth accepts connectAuth.password, which is populated from the bearer token on HTTP requests. (src/gateway/auth.ts:550, 033693843c26)
• Current startup guard only checks token mode: The existing startup guard only compares hooks.token against token-mode Gateway auth and returns early for password/trusted-proxy password auth. (src/gateway/startup-auth.ts:235, 033693843c26)
• PR locks password reuse as startup-valid: The PR adds a test that expects startup to continue when hooks.token equals gateway.auth.password, preserving the vulnerable runtime configuration rather than rejecting it. (src/gateway/startup-auth.test.ts:417, 03d3c5b75941)
• PR adds audit-only detection: The PR adds a critical audit finding when hook token reuse matches Gateway password auth, which is useful detection but does not change HTTP authorization behavior. (src/security/audit-extra.sync.ts:583, 03d3c5b75941)
• Trust model confirms impact: OpenClaw's security policy treats shared-secret Gateway callers, including /tools/invoke, as trusted operators with owner semantics. (SECURITY.md:124, 033693843c26)

Likely related people:

• coygeek: Authorship of f7a7a28c5604e8afc871874d0b053b4c805ed24a added the existing hook-token separation startup guard and audit severity path for token-mode Gateway auth. (role: introduced related guard; confidence: high; commits: f7a7a28c5604; files: src/gateway/startup-auth.ts, src/security/audit-extra.sync.ts)
• jesse-merhi: Authored the latest PR commits that changed the branch from startup blocking to audit-only detection and then requested ClawSweeper automerge in the PR discussion. (role: recent PR branch maintainer; confidence: high; commits: f6ef8cae0588, 03d3c5b75941; files: src/gateway/startup-auth.ts, src/security/audit-extra.sync.ts, src/cli/security-cli.ts)
• jacobtomlinson: Recent merged work on trusted-proxy auth configuration guardrails is adjacent to the password/trusted-proxy branch considered by this PR. (role: adjacent gateway auth contributor; confidence: medium; commits: 6c679e5f049a; files: src/gateway/auth.ts)
• vincentkoc: Recent merged work hardened trusted-proxy local fallback behavior in the same Gateway auth surface. (role: adjacent gateway auth contributor; confidence: medium; commits: 1738d540f440; files: src/gateway/auth.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature or rarity is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.

[jesse-merhi]

/clawsweeper automerge

[clawsweeper]

🦞👀
Maintainer-approved ClawSweeper automerge is not merged yet.

Approver: jesse-merhi
Head: 03d3c5b75941
Merge status: checks are not green: security-fast:CANCELLED

I left the PR open for the remaining gate instead of bypassing it.

Automerge progress:

• 2026-05-25 09:26:07 UTC review queued 03d3c5b75941 (queued)

• 2026-05-25 09:27:04 UTC repair queued 03d3c5b75941 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/26393448434

• 2026-05-25 09:28:24 UTC repair started (running) in 1s Run: https://github.com/openclaw/clawsweeper/actions/runs/26393448434 automerge-openclaw-openclaw-84338

• 2026-05-25 09:28:40 UTC validation plan (passed) in 18s Run: https://github.com/openclaw/clawsweeper/actions/runs/26393448434 pnpm check:changed; pnpm lint; pnpm check:test-types

• 2026-05-25 09:28:54 UTC Codex write preflight (passed) in 31s Run: https://github.com/openclaw/clawsweeper/actions/runs/26393448434 danger-full-access

• 2026-05-25 09:34:21 UTC Codex edit 1 9317148ad5cb (complete) in 5m 58s Run: https://github.com/openclaw/clawsweeper/actions/runs/26393448434 exit 0

• 2026-05-25 09:38:18 UTC validation and review 1 de5d923978b7 (base moved) in 9m 55s Run: https://github.com/openclaw/clawsweeper/actions/runs/26393448434 rebased

• 2026-05-25 09:38:24 UTC repair completed (no branch change) in 10m 1s Run: https://github.com/openclaw/clawsweeper/actions/runs/26393448434 source PR fix: Hook ingress token unlocks password-mode gateway auth #84338 is paused by clawsweeper:human-review; refusing to mutate the PR branch

• 2026-05-25 09:38:25 UTC repair finished de5d923978b7 (blocked) in 10m 2s Run: https://github.com/openclaw/clawsweeper/actions/runs/26393448434 source PR fix: Hook ingress token unlocks password-mode gateway auth #84338 is paused by clawsweeper:human-review; refusing to mutate the PR branch

• 2026-05-25 10:42:42 UTC repair queued 03d3c5b75941 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/26396404529

• 2026-05-25 10:43:57 UTC repair started (running) in 0s Run: https://github.com/openclaw/clawsweeper/actions/runs/26396404529 automerge-openclaw-openclaw-84338

• 2026-05-25 10:44:13 UTC validation plan (passed) in 17s Run: https://github.com/openclaw/clawsweeper/actions/runs/26396404529 pnpm check:changed; pnpm lint; pnpm check:test-types

• 2026-05-25 10:44:27 UTC Codex write preflight (passed) in 31s Run: https://github.com/openclaw/clawsweeper/actions/runs/26396404529 danger-full-access

• 2026-05-25 11:06:48 UTC Codex edit 1 b55ccc058599 (complete) in 22m 52s Run: https://github.com/openclaw/clawsweeper/actions/runs/26396404529 exit 0

• 2026-05-25 11:16:12 UTC validation and review 1 4ddb1c4f9af3 (complete) in 32m 16s Run: https://github.com/openclaw/clawsweeper/actions/runs/26396404529 already-current

• 2026-05-25 11:17:04 UTC repair finished 4ddb1c4f9af3 (opened) in 33m 8s Run: https://github.com/openclaw/clawsweeper/actions/runs/26396404529 open_fix_pr

[jesse-merhi]

Maintainer note: after discussion with the team, we want this to be audit-only for password-mode reuse.

This PR has been updated so reused hooks.token / Gateway password values are reported by openclaw security audit, while Gateway startup stays non-blocking for that case. Token-mode Gateway auth reuse remains a startup block.

[clawsweeper]

🦞✅
ClawSweeper is pausing this repair loop for human review.

Source: clawsweeper[bot]
Reason: Protected security/auth behavior and the audit-only versus fail-closed compatibility tradeoff need maintainer judgment before any repair or automerge path.; Needs attention: The diff is security-sensitive and currently leaves the reported hook-token to Gateway-password operator escalation as an audit warning rather than a runtime fix.; Review finding: [P1] Do not keep reused gateway passwords startup-valid — src/gat... (sha=03d3c5b759416cac60e04758beca5dfcc7c9ecd7)

Why human review is needed:
This item has security-sensitive risk. ClawSweeper is pausing instead of making an autonomous change that could affect trust, credentials, permissions, or exposure.

What the maintainer can do as a next step:
If the maintainer accepts the current risk and wants ClawSweeper to continue merge gates, comment @clawsweeper approve. If the security-sensitive detail still needs changes, describe the safe path or push the fix, then comment @clawsweeper automerge. If the risk should not be automated, keep the PR paused for manual review or comment @clawsweeper stop.

I added clawsweeper:human-review and left the final call with a maintainer.

[jesse-merhi]

@clawsweeper approve

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

[clawsweeper]

ClawSweeper 🐠 reef update

Thanks for the work on this. ClawSweeper opened a replacement PR only because the source branch was not writable from the available bot permissions. branch tides, not contributor blame.

Why replacement: ClawSweeper could not update the source PR branch directly; GitHub did not grant sufficient push rights to the bot for that branch.
Replacement PR: #86453
Why close: this run explicitly closes the superseded source PR after the credited replacement PR is open, so review continues in one place.
Closing this source PR only because source-PR closing was explicitly enabled for this run.
The original contribution stays credited in the replacement PR context.
Co-author credit kept:

• @coygeek: Co-authored-by: Coy Geek 65363919+coygeek@users.noreply.github.com

fish notes: model gpt-5.5, reasoning high; reviewed against 4ddb1c4.