NVIDIA · cv · May 27, 2026 · May 27, 2026 · May 27, 2026 · May 27, 2026
diff --git a/docs/security/best-practices.mdx b/docs/security/best-practices.mdx
@@ -202,13 +202,13 @@ Writable agent state such as plugins, skills, hooks, and workspace metadata live
 By default, this directory starts writable so the agent can manage its own config, install skills, and write to standard home-directory paths natively.
 For sensitive workloads, use a reviewed host-side immutability workflow after initial setup so config and writable state entry points cannot be changed by the sandbox user.
 
-- **DAC permissions (default).** The sandbox user owns `/sandbox/.openclaw` with mode `700` and `openclaw.json` with mode `600`, so the agent can read and write config directly.
+- **DAC permissions (default).** The sandbox user owns `/sandbox/.openclaw` with mode `2770` (setgid `sandbox:sandbox`) and `openclaw.json` with mode `660`, so the agent and its group can read and write config directly. `shields status` cross-checks the locked posture against the sandbox filesystem and reports drift when a host-root tamper reverts these perms.
 - **Config integrity hash.** The image includes a SHA256 hash of `openclaw.json`. In the default mutable state, `.config-hash` is sandbox-owned and is not a tamper-proof trust anchor, so startup does not fail closed on that hash. When the hash is root-owned and read-only, startup enforces it and refuses to start if the hash does not match.
 - **Gateway token environment.** The gateway exports `OPENCLAW_GATEWAY_TOKEN` and writes it to `/tmp/nemoclaw-proxy-env.sh` for interactive sandbox sessions. Keep this in mind when deciding whether a workload should run with mutable config or an immutable config posture.
 
 | Aspect | Detail |
 |---|---|
-| Default | The sandbox keeps `/sandbox/.openclaw` writable (`700 sandbox:sandbox`), sets `openclaw.json` to `600 sandbox:sandbox`, lets the agent manage state directly, and has the gateway place `OPENCLAW_GATEWAY_TOKEN` in `/tmp/nemoclaw-proxy-env.sh` for interactive shells. |
+| Default | The sandbox keeps `/sandbox/.openclaw` writable (`2770 sandbox:sandbox`), sets `openclaw.json` to `660 sandbox:sandbox`, lets the agent manage state directly, and has the gateway place `OPENCLAW_GATEWAY_TOKEN` in `/tmp/nemoclaw-proxy-env.sh` for interactive shells. |
 | What you can change | Apply a reviewed host-side immutability workflow to lock config and state directories with DAC permissions and the immutable flag where available. |
 | Risk of default | A writable `.openclaw` directory lets the agent modify its own gateway config: disabling CORS or redirecting inference to an attacker-controlled endpoint. |
 | Recommendation | For always-on assistants handling sensitive workloads, lock config after initial setup. For development workflows, the writable default is appropriate. |

diff --git a/src/lib/shields/index.test.ts b/src/lib/shields/index.test.ts
@@ -655,6 +655,131 @@ describe("shields — unit logic", () => {
       expect(exitSpy).toHaveBeenCalledWith(1);
     });
   });
+
+  // -------------------------------------------------------------------
+  // shieldsStatus: locked-state drift surface
+  // -------------------------------------------------------------------
+  describe("shieldsStatus surfaces drift returned by the verifier", () => {
+    async function loadShieldsModule() {
+      const distModulePath = path.join(
+        process.cwd(),
+        "dist",
+        "lib",
+        "shields",
+        "index.js",
+      );
+      return import(distModulePath);
+    }
+
+    function stateDir(): string {
+      return path.join(tmpDir, ".nemoclaw", "state");
+    }
+
+    function writeLockedState(sandboxName: string): void {
+      fs.mkdirSync(stateDir(), { recursive: true });
+      fs.writeFileSync(
+        path.join(stateDir(), `shields-${sandboxName}.json`),
+        JSON.stringify(
+          {
+            shieldsDown: false,
+            updatedAt: new Date().toISOString(),
+          },
+          null,
+          2,
+        ),
+        { mode: 0o600 },
+      );
+    }
+
+    it("prints DRIFTED with the issue list and exits 2 when the verifier reports drift", async () => {
+      const sandboxName = "openclaw";
+      writeLockedState(sandboxName);
+      const driftIssues = [
+        "/sandbox/.openclaw/openclaw.json mode=660 (expected 444)",
+        "/sandbox/.openclaw/openclaw.json owner=sandbox:sandbox (expected root:root)",
+        "dir mode=2770 (expected 755)",
+        "dir owner=sandbox:sandbox (expected root:root)",
+      ];
+      const errorSpy = vi.spyOn(console, "error").mockImplementation(() => {});
+      const exitSpy = vi
+        .spyOn(process, "exit")
+        .mockImplementation((code?: string | number | null) => {
+          throw new Error(`exit ${String(code)}`);
+        });
+
+      const { shieldsStatus } = await loadShieldsModule();
+      expect(() =>
+        shieldsStatus(sandboxName, true, {
+          verifyLockState: () => ({ ok: false, issues: driftIssues }),
+          resolveConfig: () => ({
+            agentName: "openclaw",
+            configPath: "/sandbox/.openclaw/openclaw.json",
+            configDir: "/sandbox/.openclaw",
+          }),
+        }),
+      ).toThrow("exit 2");
+
+      expect(errorSpy).toHaveBeenCalledWith(
+        "  Shields: UP (DRIFTED — declared locked but sandbox filesystem differs)",
+      );
+      expect(errorSpy).toHaveBeenCalledWith("  Drift:");
+      for (const issue of driftIssues) {
+        expect(errorSpy).toHaveBeenCalledWith(`    - ${issue}`);
+      }
+      expect(errorSpy).toHaveBeenCalledWith(
+        `  Recovery: nemoclaw ${sandboxName} shields up   # re-lock and re-verify`,
+      );
+      expect(exitSpy).toHaveBeenCalledWith(2);
+    });
+
+    it("prints a clean locked status when the verifier reports no drift", async () => {
+      const sandboxName = "openclaw";
+      writeLockedState(sandboxName);
+      const logSpy = vi.spyOn(console, "log").mockImplementation(() => {});
+      const errorSpy = vi.spyOn(console, "error").mockImplementation(() => {});
+
+      const { shieldsStatus } = await loadShieldsModule();
+      shieldsStatus(sandboxName, true, {
+        verifyLockState: () => ({ ok: true, issues: [] }),
+        resolveConfig: () => ({
+          agentName: "openclaw",
+          configPath: "/sandbox/.openclaw/openclaw.json",
+          configDir: "/sandbox/.openclaw",
+        }),
+      });
+
+      expect(logSpy).toHaveBeenCalledWith("  Shields: UP (lockdown active)");
+      expect(logSpy).toHaveBeenCalledWith("  Policy:  restrictive");
+      expect(errorSpy).not.toHaveBeenCalled();
+    });
+
+    it("treats a resolveConfig throw as drift so the locked status cannot mask a setup gap", async () => {
+      const sandboxName = "openclaw";
+      writeLockedState(sandboxName);
+      const errorSpy = vi.spyOn(console, "error").mockImplementation(() => {});
+      const exitSpy = vi
+        .spyOn(process, "exit")
+        .mockImplementation((code?: string | number | null) => {
+          throw new Error(`exit ${String(code)}`);
+        });
+
+      const { shieldsStatus } = await loadShieldsModule();
+      expect(() =>
+        shieldsStatus(sandboxName, true, {
+          verifyLockState: () => ({ ok: true, issues: [] }),
+          resolveConfig: () => {
+            throw new Error("agent config not found");
+          },
+        }),
+      ).toThrow("exit 2");
+
+      const allErrors = errorSpy.mock.calls.map((args) => args[0]).join("\n");
+      expect(allErrors).toContain(
+        "unable to resolve agent config target: agent config not found",
+      );
+      expect(exitSpy).toHaveBeenCalledWith(2);
+    });
+  });
 });
 
 // -------------------------------------------------------------------