- The repository uses layered verification rather than a single root
npm test command.
- Core confidence comes from lint/type/build gates plus skill-local Node test suites.
- Python and shell tooling are validated through dedicated lint/security checks.
- Workflow pipelines run the same command classes used in local pre-push automation.
| Layer | Commands | Scope |
|---|
| Frontend/static checks | ESLint + tsc --noEmit + npm run build | TS/TSX correctness and build viability. |
| Skill unit tests | node skills/<skill>/test/*.test.mjs | Signature, matching, suppression, installer contracts. |
| Python quality | ruff check utils/, bandit -r utils/ -ll | Utility correctness and security patterns. |
| Shell/script quality | ShellCheck + manual script smoke runs | Script hygiene and command robustness. |
| CI security scans | Trivy, npm audit, CodeQL, Scorecard | Dependency, config, and supply-chain security posture. |
| Local pre-push security scan | optional gitleaks detect via scripts/prepare-to-push.sh | Secret leak detection before push. |
| Skill | Test Files | Primary Focus |
|---|
clawsec-suite | feed_verification, guarded_install, path_resolution, fuzz tests | Signature checks, advisory gating, path safety, matching robustness. |
openclaw-audit-watchdog | suppression config and render tests | Config parsing, suppression behavior, report formatting. |
clawsec-clawhub-checker | reputation_check.test.mjs | Input validation and reputation gating behavior. |
| Workflow | Trigger | Key Assertions |
|---|
ci.yml | PR/push to main | Lint/type/build, Python checks, security scans, skill tests. |
codeql.yml | PR/push/schedule | JS/TS static security analysis. |
scorecard.yml | schedule/push | Supply-chain posture reporting and SARIF upload. |
skill-release.yml | tags + PRs | Version parity and release artifact verification. |
# baseline frontend + config checks
npx eslint . --ext .ts,.tsx,.js,.jsx,.mjs --max-warnings 0
npx tsc --noEmit
npm run build
# representative skill tests
node skills/clawsec-suite/test/feed_verification.test.mjs
node skills/clawsec-suite/test/guarded_install.test.mjs
node skills/openclaw-audit-watchdog/test/suppression_config.test.mjs
- Signature/test fixtures can fail from key/payload mismatch when expected files are regenerated inconsistently.
- Path-resolution tests intentionally fail on escaped home tokens; this behavior is expected and security-relevant.
- Local scripts relying on
openclaw or clawhub binaries may fail in environments where those CLIs are absent.
- Deploy/release logic can pass locally while failing in CI if signing secrets or workflow permissions differ.
- Run
./scripts/prepare-to-push.sh for a full local gate.
- Run directly impacted skill-local tests.
- For feed/signing changes, run suite verification tests first (
feed_verification, guarded_install).
- For workflow or release changes, also run
scripts/validate-release-links.sh and key consistency script.
- 2026-02-26: Updated source references to the migrated
wiki/platform-verification.md checklist.
- AGENTS.md
- scripts/prepare-to-push.sh
- scripts/validate-release-links.sh
- .github/workflows/ci.yml
- .github/workflows/codeql.yml
- .github/workflows/scorecard.yml
- .github/workflows/skill-release.yml
- skills/clawsec-suite/test/feed_verification.test.mjs
- skills/clawsec-suite/test/guarded_install.test.mjs
- skills/clawsec-suite/test/path_resolution.test.mjs
- skills/openclaw-audit-watchdog/test/suppression_config.test.mjs
- skills/clawsec-clawhub-checker/test/reputation_check.test.mjs
- wiki/platform-verification.md