From 5e8c396bb84f6bf1da7c3fcc880ad54ae497f798 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Thu, 30 Apr 2026 02:11:36 +0100 Subject: [PATCH] docs: explain security autofix boundary --- .agents/skills/clawsweeper/SKILL.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/.agents/skills/clawsweeper/SKILL.md b/.agents/skills/clawsweeper/SKILL.md index 5cfdea588e3..c083eb7feeb 100644 --- a/.agents/skills/clawsweeper/SKILL.md +++ b/.agents/skills/clawsweeper/SKILL.md @@ -285,13 +285,17 @@ CLAWSWEEPER_MAX_REPAIRS_PER_HEAD=1 ## Security Boundary -Do not stage security-sensitive work for ClawSweeper Repair. Route vulnerability -reports, CVE/GHSA/advisory work, leaked secrets/tokens/keys, plaintext secret -storage, SSRF, XSS, CSRF, RCE, auth bypass, privilege escalation, and sensitive -data exposure to central OpenClaw security handling. +Do not stage unapproved security-sensitive work for ClawSweeper Repair. Route +vulnerability reports, CVE/GHSA/advisory work, leaked secrets/tokens/keys, +plaintext secret storage, SSRF, XSS, CSRF, RCE, auth bypass, privilege +escalation, and sensitive data exposure to central OpenClaw security handling. -For adopted automerge jobs, trust deterministic ClawSweeper security markers, -labels, and job frontmatter; do not infer security handling from vague prose. +For PRs explicitly opted into `clawsweeper:autofix` or +`clawsweeper:automerge`, security-sensitive review findings may dispatch +bounded repair, but merge remains blocked until a later exact-head review is +clean and the normal merge gates pass. Trust deterministic ClawSweeper security +markers, labels, and job frontmatter; do not infer security handling from vague +prose. ## Monitoring
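Review bot: In the "Security Boundary" hunk, the new first paragraph says not to stage "unapproved" security-sensitive work, but nothing in the section defines approval or ties it to the opt-in described in the second paragraph. State explicitly that approval means the PR carries `clawsweeper:autofix` or `clawsweeper:automerge`, and say who is allowed to apply those labels, since the label is now the only thing separating routed-to-security work from automated repair. The second paragraph should also say whether an opted-in PR with a security-sensitive finding is still routed to central OpenClaw security handling in parallel, and whether any of the listed categories (for example leaked secrets/tokens/keys) stay excluded from repair even when opted in; as written the two paragraphs can be read either way. "Bounded repair" is not defined here either; if it refers to the `CLAWSWEEPER_MAX_REPAIRS_PER_HEAD` limit visible in the hunk context, name it. Finally, "a later exact-head review is clean" would be clearer if it said that the review must be of the same head commit the merge would land, so a push after the clean review invalidates it.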