openclaw - 💡(How to fix) Fix Proposal: first-class AI Agentic Engineer identity binding for CLI-backend spawns


Context

Momentiq runs a Dark Factory SDLC where AI Agentic Engineers (persistent agent identities like our Lyra, built on openclaw) dispatch Claude Code as subagents to actually write code. We separate two git identities per commit:

  • Author — the AI Agentic Engineer (proves who directed the change).
  • Committer — the dispatched Code Creator (proves what produced the bytes).

The CI gate on the product side (momentiq-ai/sage3c) loads a registry of AI AE identities from a protected base ref and hard-fails any PR whose commit committer matches a registered AI AE identity directly. This catches "AI AE wrote code directly" violations of the orchestrator-not-coder principle.

For this to work, the openclaw runtime must inject GIT_COMMITTER_NAME and GIT_COMMITTER_EMAIL into the spawned Claude Code subprocess so the committer field carries the Code Creator identity rather than the inherited AI AE identity.

Status today (v2026.5.7)

Today this works fine, but only because agents.defaults.cliBackends["claude-cli"].env is a generic config path that any deployment can fill in. We landed it in our state/openclaw.json via alien8d/lyra#144 — config-only, no code change.

What's missing:

  • It's opaque. A fresh deployment setting up a new AI AE has to know to use this specific path with these specific keys.
  • It's per-CLI-backend rather than per-agent. If we add a codex-CLI agent that also dispatches subagents, we'd repeat the env block for that backend too.
  • It's not validated. openclaw doctor doesn't check the binding against any source of truth.
  • There's no first-class concept to discover from openclaw --help or the schema documentation.

Proposal

Add a top-level identity binding concept to the openclaw agent config:

{
  "agents": {
    "list": [
      {
        "id": "main",
        "identity": {
          "name": "Lyra",
          "ae": {
            // The AI Agentic Engineer identity (author field on every commit).
            "git_name": "lyra-orchestra",
            "git_email": "[email protected]"
          },
          "code_creator": {
            // The dispatched subagent identity (committer field on every commit).
            "git_name": "Claude Code (via Lyra)",
            "git_email": "[email protected]"
          },
          "registry": {
            // Optional — points at a remote registry (e.g. on a product repo) for doctor verification.
            "url": "https://raw.githubusercontent.com/momentiq-ai/sage3c/main/.github/agentic-engineers.json",
            "match_path": "agentic_engineers.ai_frameworks[?(@.framework=='openclaw')].instances[?(@.github_login=='lyra-orchestra')]"
          }
        }
      }
    ]
  }
}

Runtime behavior:

  1. On every CLI-backend spawn (claude-cli today, codex-cli tomorrow), set GIT_COMMITTER_NAME and GIT_COMMITTER_EMAIL from identity.code_creator. No need to repeat per backend.
  2. openclaw doctor fetches the optional registry URL and warns if the local identity.code_creator doesn't match what the registry says about this agent. Catches drift.
  3. agents.defaults.cliBackends.<id>.env remains supported for non-identity env injection.
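The three checks above (spawn-time committer injection, the doctor drift warning, and the product-side CI gate described in the Context section) as one added TypeScript example; this is not openclaw's or sage3c's own code. It assumes identities are matched on git_email (case-insensitive) and that the registry JSONPath lookup has already been resolved by the caller, who passes in the matched entry; all addresses are constructed placeholders.

```typescript
// Added example, not openclaw's or sage3c's own code: the identity checks the
// proposal describes, written against the proposed `identity` config shape.
// Assumption: identities are matched on git_email (case-insensitive), since the
// committer name is free text; the registry JSONPath lookup is done by the caller.
type GitIdentity = { git_name: string; git_email: string };
type AgentIdentity = { name: string; ae: GitIdentity; code_creator: GitIdentity };
type Commit = { sha: string; author: GitIdentity; committer: GitIdentity };
const sameIdentity = (a: GitIdentity, b: GitIdentity): boolean =>
  a.git_email.trim().toLowerCase() === b.git_email.trim().toLowerCase();

// 1. Runtime: env for a CLI-backend spawn. The backend's generic env block still
//    applies, but GIT_COMMITTER_* always come from identity.code_creator, so an
//    inherited AI AE committer identity cannot leak into the subprocess.
function spawnEnv(
  inherited: Record<string, string | undefined>,
  backendEnv: Record<string, string>,
  identity: AgentIdentity,
): Record<string, string> {
  const env: Record<string, string> = {};
  for (const [k, v] of Object.entries(inherited)) if (v !== undefined) env[k] = v;
  Object.assign(env, backendEnv);
  env.GIT_COMMITTER_NAME = identity.code_creator.git_name;
  env.GIT_COMMITTER_EMAIL = identity.code_creator.git_email;
  return env;
}

// 2. CI gate: a commit whose committer is a registered AI AE identity means the
//    orchestrator wrote code directly; return the offending SHAs (non-empty = fail).
function aeCommittedDirectly(commits: Commit[], registeredAe: GitIdentity[]): string[] {
  return commits
    .filter((c) => registeredAe.some((ae) => sameIdentity(ae, c.committer)))
    .map((c) => c.sha);
}

// 3. doctor: warn when the local code_creator binding drifted from the registry.
function doctorDrift(local: AgentIdentity, registryEntry: GitIdentity | undefined): string | null {
  if (!registryEntry) return `no registry entry found for agent ${local.name}`;
  if (!sameIdentity(local.code_creator, registryEntry))
    return `local code_creator ${local.code_creator.git_email} != registry ${registryEntry.git_email}`;
  return null;
}

// Constructed sample data with placeholder addresses (the page's real ones are elided).
const lyra: AgentIdentity = {
  name: "Lyra",
  ae: { git_name: "lyra-orchestra", git_email: "lyra@example.invalid" },
  code_creator: { git_name: "Claude Code (via Lyra)", git_email: "claude-code@example.invalid" },
};
const sampleCommits: Commit[] = [
  { sha: "aaaa111", author: lyra.ae, committer: lyra.code_creator }, // compliant
  { sha: "bbbb222", author: lyra.ae, committer: lyra.ae }, // AE committed directly
];
```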

Why upstream this

  • Makes the Dark Factory SDLC's persona-separation contract a first-class openclaw concept rather than a per-deployment workaround.
  • Future openclaw deployments inherit the pattern automatically — every new AI AE you bring up gets identity separation by default.
  • Doctor-time verification means binding drift is caught at deploy time, before any commits hit a remote.

Workaround until shipped

The config-only workaround above works fine — it's what we ship today on Lyra. We'll keep it in state/openclaw.json and switch to the first-class binding when it lands.
