APPROVE (security) — P4 openclaw mgmt-MCP: stdio descriptor verified against live openclaw@2026.5.7 CLI (mcp set→show round-trip), real renderer + fail-closed present-reader, loaded-INVENTORY producer (not per-turn → avoids #142/#3082 class), npm-auth ported. Tests green.
APPROVE (security) on fixed head — RC 13985 resolved: ON CONFLICT now derives template from the PRESERVED runtime (CASE mirroring conciergeTemplateForRuntime), so (runtime,template) stays matched after default reinstall; prove-fail test extended to assert the template field (fails vs 9e4e5d08, passes now); verified against real pgvector Postgres + 95 migrations. Runtime-preservation untouched.
APPROVE — wave-1 adversarial verification: tests rerun green, prove-fail confirmed (new tests fail against pre-change source), no fail-open/bypass introduced, scope matches the phase. security/fail-closed lens
APPROVE (security). Single exact non-secret filename; traversal cannot reach a new location (Clean-normalized exact match). Upstream traversal guard at cp_provisioner.go addAsset + gitea_template_assets.go fetcher unchanged; fail-closed posture intact. Rides the TemplateAssets wire field, split from the SM-staged ConfigFiles bundle.
APPROVE (security). {{CONCIERGE_NAME}} substitution is value-only within the already-allowlisted config set (cannot add files). Name origin payload.Name is validated — rejects \n/\r and YAML-special {}[]
APPROVE — adversarial security review of the RCA#2970 fail-closed gate.
APPROVE (security) — no new trust boundary or auth surface. The change is a transactional wrapper around two existing writes on an already-authorized PATCH path (ValidateAnyToken, unchanged). Transaction is correctly scoped: BeginTx -> conditional model-reset -> runtime UPDATE -> Commit, deferred Rollback covers every early-return/error so no partial write or open-tx leak. Fail-closed on any tx error (500, nothing persisted). No model value is attacker-chosen — resetTo comes from the registry SSOT default, not request input; the orphaned-no-default case still 422s fail-closed. setModelSecretExec reuses the existing activityExecutor interface and the same parameterized INSERT/DELETE (no SQL-injection surface change). No secrets logged. LGTM.
Security review: no auth/secret/network surface concern in this change. Approve.
Security review: this is a merge-gate HARDENING — it only ever makes the conductor MORE restrictive (adds an unconditional fail-closed pre-check that force_merge cannot bypass). No new privilege, no token/secret handling, no network surface. The CRITICAL_REQUIRED_CONTEXT_PREFIXES env override defaults to the two correct contexts and can only ADD critical contexts, never remove the built-in gate (an empty/blank override just yields no extra prefixes; it cannot disable the existing required-set check). Unverifiable == BLOCK is the right posture for a merge authority. No concerns. Approving.
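The posture described in the review above (the override can only add, unverifiable means block, the force flag is never consulted), as an added sketch that is not the project's conductor code. The context names, the comma-separated override format and the function names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical built-in critical contexts; the page does not name the real ones.
var builtinPrefixes = []string{"ci/example-build", "ci/example-security"}

// criticalPrefixes appends override entries (assumed comma-separated) to the built-ins; blanks are dropped.
func criticalPrefixes(override string) []string {
	out := append([]string{}, builtinPrefixes...)
	for _, p := range strings.Split(override, ",") {
		if p = strings.TrimSpace(p); p != "" {
			out = append(out, p)
		}
	}
	return out
}

// mayMerge is the pre-check. fetched is false when statuses could not be read.
// forceMerge is accepted but never consulted, so it cannot bypass the check.
func mayMerge(statuses map[string]string, fetched bool, override string, forceMerge bool) (bool, string) {
	if !fetched {
		return false, "statuses unverifiable"
	}
	for _, prefix := range criticalPrefixes(override) {
		matched := false
		for ctx, state := range statuses {
			if !strings.HasPrefix(ctx, prefix) {
				continue
			}
			matched = true
			if state != "success" {
				return false, "critical context not green: " + prefix
			}
		}
		if !matched {
			return false, "critical context missing: " + prefix
		}
	}
	return true, "all critical contexts green"
}

func main() {
	s := map[string]string{"ci/example-build (push)": "success"} // constructed sample
	fmt.Println(mayMerge(s, true, "", true))                     // force flag set, security context absent
}
```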
Independent adversarial pass: ordering (drop before OAuth short-circuit) and path-match anchoring both hold in source. BYOK-OAuth-direct (api.anthropic.com) correctly untouched; the two drop signals are independently sufficient. One pre-existing follow-up: an OAuth token arriving via ANTHROPIC_AUTH_TOKEN under CP-proxy routing isn't covered (different failure mode, not introduced here). APPROVE.
Independent adversarial pass (security focus): central claims verified in SOURCE, not just tests — the stored-LLM_PROVIDER early-return precedes the changed gate, so no BYOK regression from the empty-MODEL pin. Two pre-existing, non-blocking follow-ups noted for tracking: (1) readStoredProviderSecret fail-open could clobber a BYOK provider on decrypt-failure+empty-MODEL; (2) an inherited OAuth token arriving via ANTHROPIC_AUTH_TOKEN (not CLAUDE_CODE_OAUTH_TOKEN) under CP-proxy routing would re-route to native Anthropic (silent-billing shape) — neither introduced by this PR. APPROVE.
APPROVE — Security review.
Security review (core-security). No secret values are logged — the ::error:: names secret NAMES only, never values. set -euo pipefail preserved; the guard uses ${VAR:-} so it is safe under set -u.