Exact-read bypass: never compact read-only config-inspection command output (incl. ssh-wrapped)#202
Open
chrislro wants to merge 1 commit into
Open
Exact-read bypass: never compact read-only config-inspection command output (incl. ssh-wrapped)#202chrislro wants to merge 1 commit into
chrislro wants to merge 1 commit into
Conversation
Compacting the output of read-only configuration-inspection commands can silently drop config keys, so agents act on truncated data without knowing anything was removed - strictly worse than spending the tokens. This extends the file-content inspection bypass so these outputs pass through verbatim: - plutil plist dumps (plutil -p, plutil -convert ... -o -) - read-only config CLIs (openclaw config get) - ssh-wrapped inspection commands (ssh host 'cat file'), including ssh option/value parsing to locate the remote command The verbatim bypass in reduceExecution now applies to every detected inspection command instead of only those that classified to generic/fallback, and plutil dumps are exempted from the large-document summary. Detection is fail-open: anything not positively identified as a read-only inspection command keeps today's compaction behavior. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
Compacting the output of a read-only configuration-inspection command is strictly worse than spending the tokens: the agent receives a config dump that looks complete but is silently missing keys, and then acts on the wrong data. We hit exactly this in production — agents read compacted
plutil -pplist dumps,openclaw config getoutput, and ssh-wrapped file reads (ssh host 'cat file'), and made decisions based on truncated config. For these commands, exactness is the entire point of running them.This change has been running as a local hotfix in production across several agent hosts since 2026-05-31 with no regressions.
What's detected
The existing file-content inspection bypass is extended to cover:
plutilplist dumps —plutil -p <file>andplutil -convert <fmt> -o - <file>(stdout output only; in-place conversions are not affected). plutil dumps are also exempted from the large-document summary so they always pass through verbatim.openclaw config get ...(write commands likeconfig setare not matched).ssh host '<cmd>', where the remote command is extracted (with proper handling of ssh option/value pairs like-p 2222,-i key,-o opt) and recursively checked against the same detectors (cat/sed/head/...,git show <rev>:<path>,gh api .../contents/... | base64 -d,plutil, read-only config CLIs).Additionally, the verbatim bypass in
reduceExecutionnow applies to every detected inspection command instead of only those that classified togeneric/fallback— previously an exact read whose output happened to match a content-based reducer could still be compacted.Fail-open design
Detection is conservative and fail-open: anything not positively identified as a read-only inspection command keeps today's compaction behavior unchanged. A missed detection means we compact (status quo); there is no path where this change compacts something that was previously passed through.
Verification
pnpm lint,pnpm lint:circular,pnpm typecheck— cleanpnpm test— 131 files / 2255 tests passing, including new unit tests for the detector (plutil, config-get, ssh-wrapped positive and negative cases) and reduce-level tests asserting verbatim passthrough (ratio === 1)pnpm build— clean🤖 Generated with Claude Code