Exact-read bypass: never compact read-only config-inspection command output (incl. ssh-wrapped) #202

Merged: vincentkoc merged 2 commits into vincentkoc:main from chrislro:exact-read-bypass on Jun 18, 2026

@chrislro

Contributor

Motivation

Compacting the output of a read-only configuration-inspection command is strictly worse than spending the tokens: the agent receives a config dump that looks complete but is silently missing keys, and then acts on the wrong data. We hit exactly this in production — agents read compacted plutil -p plist dumps, openclaw config get output, and ssh-wrapped file reads (ssh host 'cat file'), and made decisions based on truncated config. For these commands, exactness is the entire point of running them.

This change has been running as a local hotfix in production across several agent hosts since 2026-05-31 with no regressions.

What's detected

The existing file-content inspection bypass is extended to cover:

  • plutil plist dumps: plutil -p <file> and plutil -convert <fmt> -o - <file> (stdout output only; in-place conversions are not affected). plutil dumps are also exempted from the large-document summary so they always pass through verbatim.
  • Read-only config CLIs: openclaw config get ... (write commands like config set are not matched).
  • ssh-wrapped inspection commands: ssh host '<cmd>', where the remote command is extracted (with proper handling of ssh option/value pairs like -p 2222, -i key, -o opt) and recursively checked against the same detectors (cat/sed/head/..., git show <rev>:<path>, gh api .../contents/... | base64 -d, plutil, read-only config CLIs).

Additionally, the verbatim bypass in reduceExecution now applies to every detected inspection command instead of only those that classified to generic/fallback — previously an exact read whose output happened to match a content-based reducer could still be compacted.

Fail-open design

Detection is conservative and fail-open: anything not positively identified as a read-only inspection command keeps today's compaction behavior unchanged. A missed detection means we compact (status quo); there is no path where this change compacts something that was previously passed through.

Verification

  • pnpm lint, pnpm lint:circular, pnpm typecheck — clean
  • pnpm test — 131 files / 2255 tests passing, including new unit tests for the detector (plutil, config-get, ssh-wrapped positive and negative cases) and reduce-level tests asserting verbatim passthrough (ratio === 1)
  • pnpm build — clean

🤖 Generated with Claude Code
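
A minimal sketch of the fail-open detection described in the PR body above, added here as an illustration; it is not the code from this pull request. The names tokenize and isExactRead are hypothetical, and the sketch is narrower than the PR: it covers cat/head/tail, plutil, openclaw config get and ssh wrapping, and treats every pipe or compound command as "not an exact read".

```typescript
// Added illustration, not the project's detector. All names here are hypothetical.
const SSH_VALUE_FLAGS = "BbcDEeFIiJLlmOoPpQRSWw"; // ssh(1) options that consume the next token
const PLAIN_READERS = new Set(["cat", "head", "tail"]);

// Split on whitespace, honouring single and double quotes. Returns null on an
// unterminated quote so the caller fails open (normal compaction applies).
function tokenize(cmd: string): string[] | null {
  const out: string[] = [];
  let cur = "", quote = "", started = false;
  for (const ch of cmd) {
    if (quote) {
      if (ch === quote) quote = ""; else cur += ch;
    } else if (ch === "'" || ch === '"') {
      quote = ch; started = true;
    } else if (/\s/.test(ch)) {
      if (started) { out.push(cur); cur = ""; started = false; }
    } else { cur += ch; started = true; }
  }
  if (quote) return null;
  if (started) out.push(cur);
  return out;
}

// True only when cmd is positively identified as one read-only inspection command.
function isExactRead(cmd: string, depth: number = 0): boolean {
  // Compound, piped, redirected or substituting commands are never exact reads.
  if (depth > 2 || /[;&|<>`\n]|\$\(/.test(cmd)) return false;
  const argv = tokenize(cmd);
  if (argv === null || argv.length < 2) return false;
  const prog = argv[0] ?? "", args = argv.slice(1);
  if (prog === "ssh") {
    let i = 0;
    while (i < args.length && (args[i] ?? "").startsWith("-")) {
      const flag = args[i] ?? "";
      // "-p 2222" spans two tokens; "-p2222" and boolean flags like "-T" span one.
      i += flag.length === 2 && SSH_VALUE_FLAGS.includes(flag.charAt(1)) ? 2 : 1;
    }
    const remote = args.slice(i + 1).join(" "); // args[i] is the destination host
    return remote.length > 0 && isExactRead(remote, depth + 1);
  }
  if (PLAIN_READERS.has(prog)) return args.some((a) => !a.startsWith("-"));
  if (prog === "plutil") {
    if (args[0] === "-p") return args.length === 2;
    // "-convert <fmt> -o - <file>" writes to stdout; in-place conversion is not a read.
    return args.length === 5 && args[0] === "-convert" && args[2] === "-o" && args[3] === "-";
  }
  if (prog === "openclaw") return args[0] === "config" && args[1] === "get";
  return false;
}
```

Every path that is not a positive match returns false, so a misparsed ssh option or an unfamiliar command falls back to ordinary compaction rather than to verbatim passthrough.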

chrislro and others added 2 commits June 18, 2026 16:33
Compacting the output of read-only configuration-inspection commands can
silently drop config keys, so agents act on truncated data without knowing
anything was removed - strictly worse than spending the tokens.

This extends the file-content inspection bypass so these outputs pass
through verbatim:

- plutil plist dumps (plutil -p, plutil -convert ... -o -)
- read-only config CLIs (openclaw config get)
- ssh-wrapped inspection commands (ssh host 'cat file'), including
  ssh option/value parsing to locate the remote command

The verbatim bypass in reduceExecution now applies to every detected
inspection command instead of only those that classified to
generic/fallback, and plutil dumps are exempted from the large-document
summary. Detection is fail-open: anything not positively identified as a
read-only inspection command keeps today's compaction behavior.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@vincentkoc

Owner

Pushed maintainer follow-ups on the contributor branch:

  • bypass inspection summaries before they can truncate exact config/file reads
  • retain ordinary direct file-inspection summaries
  • cover SSH option parsing, remote shell wrappers, exact gh contents decode, and compound-command rejection

Validation: pnpm verify; final autoreview clean.

vincentkoc merged commit d63375f into vincentkoc:main on Jun 18, 2026
2 of 3 checks passed