EPIC-OC: OpenClaw Architecture Integration (Phases 1-7)

Seven phases of architectural improvements inspired by the OpenClaw
Applicability Assessment:

Phase 1 - Concurrency: Lane-aware executor with configurable concurrency
caps, queue modes (collect/followup/steer), concurrent step tracking.

Phase 2 - Skill Hardening: Semantic versioning, precedence-aware skill
discovery (workspace > managed > bundled), SHA-256 hash pinning,
SecurityScanner SKILL_MD_INJECTION rules, pack CLI commands.

Phase 3 - Memory/Compaction: 4-tier compaction engine (pin > recent >
summary > discard), context pin registry with SQLite persistence,
pre-compaction memory flush manager.

Phase 4 - Security: Ed25519 pack signing/verification, tool sandbox
profiles with deny-wins merge, gateway budget enforcement, circuit
breaker in model router.

Phase 5 - Hooks/Webhooks: 6 new hook points, outbound webhook dispatcher
with HMAC-SHA256 signing and retry, webhook bridge hook, CLI commands
for webhook management.

Phase 6 - Harness Abstraction: RuntimeHarness protocol with PydanticAI
implementation, per-run session sandbox with path boundary enforcement,
scoped approvals store.

Phase 7 - Gateway Protocol: Idempotency cache with TTL for WS message
deduplication, client identity tracking on connect.

540 tests pass, mypy clean, ruff clean. All 18 key classes verified
with production call sites.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Codex Agent

campaign-packs/_marketplace/manifest-schema.json

@@ -0,0 +1,52 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "PackManifest",
+  "description": "Schema for OpenEinstein campaign pack manifests.",
+  "type": "object",
+  "required": ["name", "version", "author", "license", "sha256"],
+  "properties": {
+    "name": {
+      "type": "string",
+      "description": "Unique pack identifier."
+    },
+    "version": {
+      "type": "string",
+      "pattern": "^\\d+\\.\\d+\\.\\d+",
+      "description": "Semantic version string."
+    },
+    "author": {
+      "type": "string",
+      "description": "Pack author or organization."
+    },
+    "license": {
+      "type": "string",
+      "description": "SPDX license identifier."
+    },
+    "sha256": {
+      "type": "string",
+      "description": "SHA-256 hash of the pack contents."
+    },
+    "description": {
+      "type": "string",
+      "description": "Human-readable pack description."
+    },
+    "dependencies": {
+      "type": "array",
+      "items": { "type": "string" },
+      "default": [],
+      "description": "List of required dependency pack names."
+    },
+    "min_platform_version": {
+      "type": "string",
+      "pattern": "^\\d+\\.\\d+\\.\\d+",
+      "description": "Minimum OpenEinstein platform version required."
+    },
+    "tags": {
+      "type": "array",
+      "items": { "type": "string" },
+      "default": [],
+      "description": "Categorization tags."
+    }
+  },
+  "additionalProperties": false
+}

campaign-packs/scalar-tensor-lab/campaign.yaml

@@ -0,0 +1,13 @@
+campaign:
+  name: "Scalar-Tensor Lab Starter"
+  version: "0.1.0"
+  description: "Starter campaign for scalar-tensor gravity model sweeps."
+  search_space:
+    generator_skill: "scalar-tensor-search"
+  gate_pipeline:
+    - name: "stability"
+      skill: "stability-analysis"
+      cas_requirements: ["tensor_algebra"]
+      timeout_seconds: 45
+  dependencies:
+    tools: ["sympy", "scanner"]

campaign-packs/scalar-tensor-lab/docs/README.md

@@ -0,0 +1,3 @@
+# Scalar-Tensor Lab Starter
+
+Marketplace pack used by dashboard integration tests for install and schema wiring.

configs/compaction.yaml

@@ -0,0 +1,4 @@
+# Compaction engine defaults
+recent_turns_keep: 5
+summary_model_role: fast
+budget_trigger_pct: 70

configs/lanes.yaml

@@ -0,0 +1,16 @@
+# Default lane configuration for concurrent campaign step dispatch.
+# Each lane controls how many steps of a given type may run simultaneously.
+
+lanes:
+  main:
+    max_concurrent: 4
+    queue_mode: collect
+  subagent:
+    max_concurrent: 8
+    queue_mode: collect
+  literature:
+    max_concurrent: 2
+    queue_mode: followup
+  gating:
+    max_concurrent: 2
+    queue_mode: collect

configs/openeinstein.example.yaml

@@ -18,8 +18,10 @@ model_routing:
         provider: anthropic
         model: claude-sonnet-4-5
       fallback:
-        provider: openai
-        model: gpt-4.1
+        - provider: openai
+          model: gpt-4.1
+        - provider: google
+          model: gemini-2.5-pro
 
     fast:
       description: Classification and simple extraction

configs/tool-profiles.yaml

@@ -0,0 +1,41 @@
+# Tool Sandbox Profiles
+# Controls per-tool permissions enforced by the ToolSandboxHook.
+#
+# Presets define reusable permission sets with optional inheritance.
+# Profiles match tools by name (exact or glob) and inherit from presets.
+# Merge logic: deny-wins for booleans, stricter-wins for numeric limits.
+
+presets:
+  minimal:
+    allow_network: false
+    allow_fs_write: false
+    allow_shell: false
+
+  research:
+    inherits: minimal
+    allow_network: true
+
+  full:
+    allow_network: true
+    allow_fs_write: true
+    allow_shell: true
+
+profiles:
+  - tool_name_pattern: "arxiv_*"
+    inherits: research
+    max_tokens_per_call: 8000
+    max_calls_per_run: 20
+
+  - tool_name_pattern: "semantic_scholar_*"
+    inherits: research
+    max_tokens_per_call: 8000
+    max_calls_per_run: 20
+
+  - tool_name_pattern: "shell_exec"
+    inherits: full
+    max_calls_per_run: 10
+
+  - tool_name_pattern: "file_write"
+    inherits: minimal
+    allow_fs_write: true
+    max_calls_per_run: 50

configs/trusted-keys/README.md

@@ -0,0 +1,4 @@
+# Trusted Keys
+
+Place Ed25519 public keys here for pack signature verification.
+Keys should be stored as raw bytes in `.pub` files.

configs/webhooks.yaml

@@ -0,0 +1,14 @@
+# Outbound Webhook Configuration
+# Each webhook receives HTTP POST notifications for subscribed event types.
+# Events are signed with HMAC-SHA256 using the per-webhook secret.
+#
+# Available event types:
+#   before_tool_call, after_tool_call, campaign_state_transition,
+#   before_run_start, after_run_end,
+#   before_compaction, after_compaction,
+#   candidate_generated, gate_passed, gate_failed, budget_warning
+
+webhooks: []
+  # - url: https://example.com/openeinstein/webhook
+  #   events: [candidate_generated, gate_passed, gate_failed]
+  #   secret: change-me-to-a-strong-secret

docs/audits/production-audit-a.md

@@ -0,0 +1,23 @@
+# Production Audit A
+
+## Scope
+Acceptance matrix and red-test validity review after WP-1 (tests-first cutover baseline).
+
+## Findings
+- Medium: `tests/production/*` initially failed collection due missing runtime modules (`CampaignExecutor`, provider qualification, subjective evals). This confirmed a true red baseline.
+- Low: Production profile marker registration (`@pytest.mark.production`) was missing and added in `pyproject.toml`.
+
+## Evidence
+- Baseline command: `.venv/bin/pytest tests/production -q`
+- Baseline failure classes: `ModuleNotFoundError` for:
+  - `openeinstein.campaigns.executor`
+  - `openeinstein.routing.provider_qualification`
+
+## Unmet Contracts (at audit time)
+- IC-PR-01 through IC-PR-12 were not yet implemented at runtime.
+
+## Remediation
+- Implemented runtime executor, v2 surface, provider qualification module, subjective eval module, and production profile policy script.
+
+## Decision
+- No-Go at audit capture time (expected red baseline). Go-forward approved after remediation.