safety-checks

Verify before you trust — model pinning, fallbacks, and runtime safety validation

# safety-checks (安全)

Unified skill for runtime safety verification including model version pinning,
fallback chain validation, cache staleness detection, and cross-session state checks.
Consolidates 4 granular skills into a single safety verification suite.

**Trigger**: 事前検証 (pre-flight) or HEARTBEAT

**Source skills**: model-pinner, fallback-checker, cache-validator, cross-session-safety-check (from extensions)

## Installation

```bash
openclaw install leegitw/safety-checks
```

**Dependencies**: `leegitw/constraint-engine` (for enforcement integration)

```bash
# Install with dependencies
openclaw install leegitw/context-verifier
openclaw install leegitw/failure-memory
openclaw install leegitw/constraint-engine
openclaw install leegitw/safety-checks
```

**Standalone usage**: Model pinning and cache checks work independently.
Full integration with constraint enforcement requires constraint-engine.

**Data handling**: This skill performs local-only operations. All checks (model version comparison,
cache age verification, file lock detection) are local file/metadata operations — no data is sent
to any model, API, or external service. Results are written to `output/safety/` in your workspace.

## What This Solves

AI systems can silently degrade — model versions drift, caches go stale, sessions accumulate state. This skill catches these issues before they cause problems:

1. **Model pinning** — verify you're using the model you expect
2. **Fallback validation** — ensure degraded-mode paths exist and work
3. **Cache checks** — detect stale or corrupted cached data
4. **Session hygiene** — identify cross-session state contamination

**The insight**: Runtime verification catches what static rules miss. Check the system state, not just the configuration.

## Usage

```
/sc <sub-command> [arguments]
```

## Sub-Commands

| Command | CJK | Logic | Trigger |
|---------|-----|-------|---------|
| `/sc model` | 機種 | model.version→pinned✓∨drift✗ | HEARTBEAT |
| `/sc fallback` | 代替 | chain.exists→safe✓∨missing✗ | HEARTBEAT |
| `/sc cache` | 快取 | response.age>TTL→stale✗ | HEARTBEAT |
| `/sc session` | 会話 | cross_session.state→clean✓∨interference✗ | HEARTBEAT |

## Arguments

### /sc model

| Argument | Required | Description |
|----------|----------|-------------|
| --expected | No | Expected model version (default: from config) |
| --strict | No | Fail on any version mismatch |

### /sc fallback

| Argument | Required | Description |
|----------|----------|-------------|
| --chain | No | Specific fallback chain to check in config |

**Note**: This command validates that fallback configurations exist in your config file.
It does NOT make network calls or test actual connectivity. It's a config file audit.

### /sc cache

| Argument | Required | Description |
|----------|----------|-------------|
| --ttl | No | TTL in seconds (default: 3600) |
| --clear | No | Clear stale cache entries |

### /sc session

| Argument | Required | Description |
|----------|----------|-------------|
| --check-state | No | Check for state leakage between sessions |
| --clear-state | No | Clear any leaked state |

## Configuration

Configuration is loaded from (in order of precedence):
1. `.openclaw/safety-checks.yaml` (OpenClaw standard)
2. `.claude/safety-checks.yaml` (Claude Code compatibility)
3. Defaults (built-in)

## Core Logic

### Model Version Pinning

Ensures AI model version matches expected configuration.

**How it works**: This skill compares the model version reported in your agent's session
metadata (e.g., the model name in API responses or agent headers) against the expected
version in your config file. It does NOT call the model API to check — it reads the
version string that your agent runtime already exposes.

**Model version format**: `{provider}-{model}-{version}-{date}`

Examples:
- `anthropic-opus-4-5-20251101`
- `openai-gpt-4-turbo-20250301`
- `google-gemini-2-pro-20260101`

```yaml
# .openclaw/safety-checks.yaml
model:
  expected: "anthropic-opus-4-5-20251101"  # Provider-neutral format
  strict: true
```

| Condition | Result |
|-----------|--------|
| Version matches | ✓ Pinned |
| Version differs, strict=false | ⚠ Warning |
| Version differs, strict=true | ✗ Fail |

### Fallback Chain Validation

**Config audit only** — verifies fallback entries exist in your config file. This does NOT
make network calls or test actual connectivity.

Checks that your `safety-checks.yaml` declares fallback configurations:

```yaml
# Example config entries this command validates exist:
fallbacks:
  model: ["primary-model", "fallback-model", "cached"]
  storage: ["primary-path", "backup-path"]
```

| Check | What It Validates |
|-------|-------------------|
| Model fallbacks | Config lists alternative models |
| Storage fallbacks | Config lists backup paths |

### Cache Staleness Detection

Prevents use of outdated cached data:

| Age | TTL | Status |
|-----|-----|--------|
| < TTL | Any | ✓ Fresh |
| > TTL | Not critical | ⚠ Stale warning |
| > TTL | Critical | ✗ Stale fail |

### Cross-Session State

Detects state leakage between sessions:

| Check | Exact File Checked | Risk |
|-------|-------------------|------|
| File locks | `.openclaw/safety-checks.lock` | Resource contention |
| Workspace temp files | `output/safety/temp-*` | Disk exhaustion |
| Skill config | `.openclaw/safety-checks.yaml` values | Configuration drift |

**Scope**: Checks are limited to this skill's own files only. This skill does NOT scan
directories, does NOT read other skills' config files, and does NOT access files outside
the specific paths listed above.

## Output

### /sc model output (pinned)

```
[MODEL CHECK]
Status: ✓ PINNED

Expected: anthropic-opus-4-5-20251101
Actual:   anthropic-opus-4-5-20251101

Model version matches configuration.
```

### /sc model output (drift)

```
[MODEL CHECK]
Status: ✗ VERSION DRIFT

Expected: anthropic-opus-4-5-20251101
Actual:   anthropic-opus-4-5-20251201

WARNING: Model version has changed.
This may affect behavior consistency.

Action: Update expected version in settings, or investigate change.
```

### /sc fallback output

```
[FALLBACK CHECK]
Status: ✓ CONFIGURED

Config file: .openclaw/safety-checks.yaml

Fallback entries found:
  ✓ model.fallbacks: 3 entries defined
  ✓ storage.fallbacks: 2 entries defined

Note: This validates config entries exist, not actual connectivity.
  ✓ Tertiary (memory) - 4GB free
```

### /sc cache output

```
[CACHE CHECK]
Status: ⚠ STALE ENTRIES FOUND

Cache Statistics:
  Total entries: 156
  Fresh (< 1h): 142
  Stale (> 1h): 14
  Critical stale: 0

Stale entries:
  - api_response_auth (age: 2h 15m)
  - user_preferences (age: 1h 30m)
  - ...

Action: Run /sc cache --clear to remove stale entries.
```

### /sc session output (clean)

```
[SESSION CHECK]
Status: ✓ CLEAN

No cross-session interference detected.

Checks passed:
  ✓ No stale lock file (.openclaw/safety-checks.lock)
  ✓ No orphan temp files (output/safety/temp-*)
  ✓ Config file valid (.openclaw/safety-checks.yaml)
```

### /sc session output (interference)

```
[SESSION CHECK]
Status: ✗ INTERFERENCE DETECTED

Issues found:

1. Stale file lock:
   File: .openclaw/safety-checks.lock
   Owner: PID 12345 (not running)
   Action: Remove lock with /sc session --clear-state

2. Orphan temp files (3):
   output/safety/temp-*.log
   Age: > 24 hours
   Action: Remove with /sc session --clear-state

Run /sc session --clear-state to remediate.
```

## Integration

- **Layer**: Safety
- **Depends on**: constraint-engine (for enforcement integration)
- **Used by**: constraint-engine (for pre-action safety checks), governance (for health monitoring)

## Failure Modes

| Condition | Behavior |
|-----------|----------|
| Invalid sub-command | List available sub-commands |
| Config not found | Use defaults, warn user |
| Network unavailable | Skip remote checks, warn |
| Permission denied | Error with remediation steps |

## Next Steps

After invoking this skill:

| Conditi