Best possible solution:

Render unavailable MXC as an effective off/unavailable UI state without mutating the stored sandbox preference; preserve strict fallback blocking and require redacted unavailable-host proof before merge.

Do we have a high-confidence way to reproduce the issue?

Yes, by source inspection: the PR head calls normalization from page refresh/load, sets SystemRunSandboxEnabled=false, then saves. I did not run the WinUI scenario because this review is read-only.

Is this the best way to solve the issue?

No, not as submitted. The safer fix is to separate the effective unavailable UI state from the persisted user preference unless maintainers explicitly approve and prove a persist-off upgrade behavior.

Full review comments:

• [P1] Preserve the stored sandbox preference — src/OpenClaw.Tray.WinUI/Pages/SandboxPage.xaml.cs:365-373
  When MXC is definitively unavailable, this path writes SystemRunSandboxEnabled=false and saves it during page refresh. Current main treats sandbox-on plus non-strict unavailable MXC as a compatibility fallback state, so opening this page can silently erase the user's desired sandbox-on preference and leave future commands uncontained after MXC becomes available again.
  Confidence: 0.9

Overall correctness: patch is incorrect
Overall confidence: 0.9

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 5602c96c2704.

Label justifications:

• P1: The PR touches sandbox settings behavior and can silently disable future contained execution for existing unsupported-MXC users.
• merge-risk: 🚨 compatibility: The diff writes an existing persisted sandbox preference to false during page refresh on unsupported hosts.
• merge-risk: 🚨 security-boundary: The setting controls whether future system.run commands use MXC containment once available, and rewriting it can leave commands uncontained.
• rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🧂 unranked krab and patch quality is 🧂 unranked krab.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body lists validation commands but no redacted screenshot, terminal output, logs, recording, or artifact showing the unavailable-MXC UI behavior after the fix. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Security concerns:

• [medium] Automatic opt-out can disable future containment — src/OpenClaw.Tray.WinUI/Pages/SandboxPage.xaml.cs:365
  Saving SystemRunSandboxEnabled=false on an unsupported host means the user's sandbox-on preference will not automatically resume containment after MXC is installed or repaired.
  Confidence: 0.88

What I checked:

• Repository policy read: AGENTS.md was read fully; its validation and tray settings guidance were applied as review context, while the review stayed read-only. (AGENTS.md:1, 5602c96c2704)
• Current fallback contract: Current main documents sandbox enabled plus unavailable MXC as host fallback unless strict blocking is enabled, while sandbox disabled bypasses MXC entirely. (src/OpenClaw.Shared/Mxc/MxcCommandRunner.cs:14, 5602c96c2704)
• Current fallback tests: Current shared tests cover sandboxEnabled=true with non-strict unavailable MXC routing to host, and strict fallback blocking denying execution. (tests/OpenClaw.Shared.Tests/Mxc/MxcCommandRunnerTests.cs:291, 5602c96c2704)
• PR persisted setting change: The PR head sets SystemRunSandboxEnabled=false, updates the toggle, then calls Save() when MXC is definitively unavailable and strict blocking is not enabled. (src/OpenClaw.Tray.WinUI/Pages/SandboxPage.xaml.cs:365, 9147d1dfb493)
• Settings persistence: SettingsManager.Save writes the current settings snapshot to settings.json and raises Saved, so the PR's normalization path is a real persisted preference change. (src/OpenClaw.Tray.WinUI/Services/SettingsManager.cs:402, 5602c96c2704)
• Proof gate evidence: The PR body lists build/test commands and GitHub comments, but no redacted screenshot, terminal output, logs, recording, or linked artifact proving the unavailable-MXC UI path in a real setup. (9147d1dfb493)

Likely related people:

• TheAngryPit: Commit ce3294d added the current strict fallback setting, unavailable-MXC behavior, and related tests that this PR must preserve. (role: introduced fallback contract; confidence: high; commits: ce3294d40624; files: src/OpenClaw.Shared/Mxc/MxcCommandRunner.cs, src/OpenClaw.Tray.WinUI/Pages/SandboxPage.xaml.cs, tests/OpenClaw.Shared.Tests/Mxc/MxcCommandRunnerTests.cs)
• bkudiess: Commit 9f4d238 carried recent MXC probe and Sandbox page work on the same settings surface. (role: recent MXC/Sandbox page contributor; confidence: high; commits: 9f4d23804122; files: src/OpenClaw.Tray.WinUI/Pages/SandboxPage.xaml.cs, src/OpenClaw.Shared/Mxc/MxcAvailability.cs, src/OpenClaw.Shared/Mxc/MxcCommandRunner.cs)
• RBrid: Commit 1a07759 recently touched sandbox unavailable messaging and notification behavior adjacent to this UI path. (role: recent adjacent contributor; confidence: medium; commits: 1a07759a7e6e; files: src/OpenClaw.Tray.WinUI/Pages/SandboxPage.xaml.cs, src/OpenClaw.Tray.WinUI/App.xaml.cs)

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.