feat: add crestodian local planner fallback

docs/cli/crestodian.md

@@ -105,7 +105,7 @@ Read-only operations can run immediately:
 - show the audit-log path
 
 Persistent operations require conversational approval in interactive mode unless
-you pass `--yes` for a one-shot command:
+you pass `--yes` for a direct command:
 
 - write config
 - run `config set`
@@ -153,14 +153,22 @@ model unset. Install or log into Codex/Claude Code, or expose
 
 ## Model-Assisted Planner
 
-Crestodian always starts in deterministic mode. Once a valid OpenClaw model is
-configured, local Crestodian can make one bounded model call for fuzzy commands
-that the deterministic parser does not understand.
+Crestodian always starts in deterministic mode. For fuzzy commands that the
+deterministic parser does not understand, local Crestodian can make one bounded
+planner turn through OpenClaw's normal runtime paths. It first uses the
+configured OpenClaw model. If no configured model is usable yet, it can fall
+back to local runtimes already present on the machine:
+
+- Claude Code CLI: `claude-cli/claude-opus-4-7`
+- Codex app-server harness: `openai/gpt-5.5` with `embeddedHarness.runtime: "codex"`
+- Codex CLI: `codex-cli/gpt-5.5`
 
 The model-assisted planner cannot mutate config directly. It must translate the
 request into one of Crestodian's typed commands, then the normal approval and
 audit rules apply. Crestodian prints the model it used and the interpreted
-command before it runs anything.
+command before it runs anything. Configless fallback planner turns are
+temporary, tool-disabled where the runtime supports it, and use a temporary
+workspace/session.
 
 Message-channel rescue mode does not use the model-assisted planner. Remote
 rescue stays deterministic so a broken or compromised normal agent path cannot
@@ -275,6 +283,19 @@ Remote rescue is covered by the Docker lane:
 pnpm test:docker:crestodian-rescue
 ```
 
+Configless local planner fallback is covered by:
+
+```bash
+pnpm test:docker:crestodian-planner
+```
+
+An opt-in live channel command-surface smoke checks `/crestodian status` plus a
+persistent approval roundtrip through the rescue handler:
+
+```bash
+pnpm test:live:crestodian-rescue-channel
+```
+
 Fresh configless setup through Crestodian is covered by:
 
 ```bash

docs/help/testing.md

@@ -55,6 +55,14 @@ When debugging real providers/models (requires real creds):
     Slack DM with `/codex bind`, exercises `/codex fast` and
     `/codex permissions`, then verifies a plain reply and an image attachment
     route through the native plugin binding instead of ACP.
+- Crestodian rescue command smoke: `pnpm test:live:crestodian-rescue-channel`
+  - Opt-in belt-and-suspenders check for the message-channel rescue command
+    surface. It exercises `/crestodian status`, queues a persistent model
+    change, replies `/crestodian yes`, and verifies the audit/config write path.
+- Crestodian planner Docker smoke: `pnpm test:docker:crestodian-planner`
+  - Runs Crestodian in a configless container with a fake Claude CLI on `PATH`
+    and verifies the fuzzy planner fallback translates into an audited typed
+    config write.
 - Moonshot/Kimi cost smoke: with `MOONSHOT_API_KEY` set, run
   `openclaw models list --provider moonshot --json`, then run an isolated
   `openclaw agent --local --session-id live-kimi-cost --message 'Reply exactly: KIMI_LIVE_OK' --thinking off --json`