From bc84bda4236e72dccde51ec166e20fca8d528fbe Mon Sep 17 00:00:00 2001 From: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com> Date: Fri, 8 May 2026 23:45:33 +0000 Subject: [PATCH] chore: update sweep records [skip ci] --- records/openclaw-clawhub/items/2047.md | 211 ++++++++------------- results/sweep-status/openclaw-clawhub.json | 12 +- 2 files changed, 81 insertions(+), 142 deletions(-) diff --git a/records/openclaw-clawhub/items/2047.md b/records/openclaw-clawhub/items/2047.md index e452298ab0..efed714130 100644 --- a/records/openclaw-clawhub/items/2047.md +++ b/records/openclaw-clawhub/items/2047.md @@ -1,5 +1,4 @@ --- -review_comment_synced_at: 2026-05-08T23:33:15.488Z number: 2047 repository: openclaw/clawhub type: issue @@ -7,11 +6,11 @@ title: "[Submission] jjr-iot-skill v1.3.1 - Agriculture IoT Integration" url: https://github.com/openclaw/clawhub/issues/2047 state_at_review: open item_created_at: 2026-05-06T09:20:16Z -item_updated_at: 2026-05-08T18:42:19Z +item_updated_at: 2026-05-08T23:33:14Z author: janeXlab author_association: NONE labels: [] -reviewed_at: 2026-05-08T23:30:42.294Z +reviewed_at: 2026-05-08T23:44:31.082Z main_sha: 5b63d5df6071a91cfd3e5e184bc44e212e977cc9 pull_head_sha: unknown latest_release: v0.1.0 @@ -31,40 +30,40 @@ review_model: gpt-5.5 review_reasoning_effort: high review_sandbox: danger-full-access review_service_tier: default -review_prompt_chars: 42395 +review_prompt_chars: 42408 review_static_prompt_chars: 33412 -review_context_chars: 7721 +review_context_chars: 7734 review_schema_chars: 14081 review_additional_prompt_chars: 0 -review_context_elapsed_ms: 1627 -review_codex_elapsed_ms: 187862 +review_context_elapsed_ms: 1417 +review_codex_elapsed_ms: 600249 review_mode: propose -review_status: complete +review_status: failed local_checkout_access: verified -item_snapshot_hash: 8a193db93ec2acb398d60eb28291102932620783e05339ef7ed290088cc2d504 +item_snapshot_hash: 08a7e45a4ad06ebc0ef434d2bba6e70a49c3596b22ebc6f9cbc5e3acc4f6d61e close_comment_sha256: none -review_comment_sha256: 07d66e6f2f1aa7d6e9ffbf72a1bb9f1300540d4fa15233ef4f923d35f14e8ecb -review_comment_id: 4386674996 -review_comment_url: https://github.com/openclaw/clawhub/issues/2047#issuecomment-4386674996 +review_comment_sha256: none +review_comment_id: unknown +review_comment_url: unknown decision: keep_open close_reason: none -confidence: high +confidence: low action_taken: kept_open -work_candidate: manual_review -work_confidence: high -work_priority: high -work_status: manual_review -work_reason_sha256: 180a406174b5b4eb1ceb106025a0be491e430b446de8892e72cfd3891b873ea2 +work_candidate: none +work_confidence: low +work_priority: low +work_status: none +work_reason_sha256: bce3e06bef67715fe81a350fc8022200749a9c147586dadd4640cf8824912c18 work_prompt_sha256: none -work_cluster_refs: ["https://github.com/openclaw/clawhub/issues/1717","https://github.com/openclaw/clawhub/issues/1999","https://github.com/openclaw/clawhub/issues/1244"] -work_validation: ["curl -i https://clawhub.ai/api/auth/signin/github","curl -i https://wry-manatee-359.convex.site/api/auth/signin/github","curl -i https://clawhub.ai/api/v1/skills/jjr-iot-skill","If source changes follow diagnosis: bun run test -- src/routes/cli/-auth.test.tsx src/components/SignInButton.test.tsx src/__tests__/skills-publish-route.test.tsx"] -work_likely_files: ["convex/auth.ts","convex/http.ts","src/routes/cli/auth.tsx","packages/clawhub/src/cli/commands/auth.ts","packages/clawhub/src/cli/commands/publish.ts","src/routes/skills/publish.tsx","convex/lib/skillPublish.ts","convex/httpApiV1/skillsV1.ts","docs/auth.md","docs/troubleshooting.md","docs/publishing.md"] -item_category: support +work_cluster_refs: [] +work_validation: [] +work_likely_files: [] +item_category: unclear reproduction_status: unclear -reproduction_confidence: medium +reproduction_confidence: low requires_new_feature: false requires_new_config_option: false -requires_product_decision: true +requires_product_decision: false real_behavior_proof_status: not_applicable real_behavior_proof_evidence_kind: not_applicable real_behavior_proof_needs_contributor_action: false @@ -84,7 +83,7 @@ Labels: none Created at: May 6, 2026, 09:20 UTC -Updated at: May 8, 2026, 18:42 UTC +Updated at: May 8, 2026, 23:33 UTC Reviewed against: [5b63d5df6071](https://github.com/openclaw/clawhub/commit/5b63d5df6071a91cfd3e5e184bc44e212e977cc9) @@ -98,35 +97,35 @@ Fixed in: not determined Keep open: kept open -Confidence: high +Confidence: low Action taken: kept_open ## Summary -Keep open: this is an actionable ClawHub publishing/support issue, and this repository’s cleanup policy keeps issues open unless a maintainer resolves them. The submitted skill still is not published under the requested slug, and live production auth checks show the GitHub OAuth entrypoints returning 500, so the next step is maintainer/operator follow-up rather than conservative source cleanup. +Codex review failed: timeout. ## What This Changes -The requester asks maintainers to manually index or help publish `jjr-iot-skill` v1.3.1 because CLI and web GitHub OAuth login loops block self-service publication. +Review failed before ClawSweeper could summarize the requested change. ## Best Possible Solution -A maintainer should restore or diagnose production GitHub OAuth, verify the external repo, owner identity, MIT-0 acceptance, scan/moderation posture, then publish through the normal self-serve or audited admin path. +Retry the Codex review after fixing the execution failure. ## Reproduction Assessment -Do we have a high-confidence way to reproduce the issue? No for the full reported CLI/web OAuth loop tied to this account because the issue lacks browser/account/CLI trace details; live checks do reproduce adjacent auth 500s and the unpublished skill state. +Unclear. The review failed before ClawSweeper could establish a reproduction path. ## Solution Assessment -Is this the best way to solve the issue? Unclear. Manual indexing may unblock this publisher, but the maintainable path is to restore the existing publish/import/token flow and use audited admin publication only after ownership, license, scan, and moderation checks. +Unclear. Retry the review first so ClawSweeper can evaluate the actual issue and fix direction. ## Review Findings Overall correctness: not a patch -Overall confidence: 0.3 +Overall confidence: 0 Full review comments: @@ -134,18 +133,13 @@ Full review comments: ## Security Review -Status: needs_attention +Status: not_applicable -Summary: Manual publication of an external skill is supply-chain sensitive and should preserve normal ownership, license, scan, and moderation gates. +Summary: Security review did not run because the Codex review failed before completion. Concerns: -- **[medium] Do not bypass publish gates:** `convex/lib/skillPublish.ts:113` - - body: The normal publish path enforces account, file, size, manifest, and backend validation before a skill becomes installable; any manual registry action should preserve those checks and the moderation/scanner path. - - confidence: 0.84 -- **[low] Confirm platform license acceptance:** `convex/httpApiV1/skillsV1.ts:1013` - - body: The web/API publish paths require MIT-0 terms acceptance for skills, while the submitted package metadata says MIT, so maintainers should get explicit acceptance before manual publication. - - confidence: 0.8 +- none ## Real Behavior Proof @@ -155,114 +149,59 @@ Evidence kind: not_applicable Needs contributor action: false -Summary: This is a non-PR support issue, so contributor real-behavior proof is not a merge gate. +Summary: Real behavior proof was not assessed because the Codex review failed. ## Work Candidate -Candidate: manual_review +Candidate: none -Confidence: high +Confidence: low -Priority: high +Priority: low -Status: manual_review +Status: none -Reason: Manual review is needed because the live auth failure and any manual skill publication require production/admin access, identity verification, and supply-chain checks rather than an automated source-only fix. - -Cluster refs: - -- https://github.com/openclaw/clawhub/issues/1717 -- https://github.com/openclaw/clawhub/issues/1999 -- https://github.com/openclaw/clawhub/issues/1244 - -Likely files: - -- convex/auth.ts -- convex/http.ts -- src/routes/cli/auth.tsx -- packages/clawhub/src/cli/commands/auth.ts -- packages/clawhub/src/cli/commands/publish.ts -- src/routes/skills/publish.tsx -- convex/lib/skillPublish.ts -- convex/httpApiV1/skillsV1.ts -- docs/auth.md -- docs/troubleshooting.md -- docs/publishing.md - -Validation: - -- curl -i https://clawhub.ai/api/auth/signin/github -- curl -i https://wry-manatee-359.convex.site/api/auth/signin/github -- curl -i https://clawhub.ai/api/v1/skills/jjr-iot-skill -- If source changes follow diagnosis: bun run test -- src/routes/cli/-auth.test.tsx src/components/SignInButton.test.tsx src/__tests__/skills-publish-route.test.tsx +Reason: Review did not complete, so no work-lane recommendation was made. ## Evidence -- **Live issue state:** The issue is open, has no labels, and has only the prior ClawSweeper keep-open review; there is no linked maintainer resolution or implementation PR. - - command: `gh issue view 2047 --repo openclaw/clawhub --json number,title,state,author,labels,comments,body,createdAt,updatedAt,url` -- **External submission exists:** The linked public repository’s package manifest declares name `jjr-iot-skill` and version `1.3.1`, and the repository has a `SKILL.md` with matching skill metadata. - - command: `curl -sSfL https://raw.githubusercontent.com/janeXlab/jjr-iot-skill/main/package.json; curl -sSfL https://raw.githubusercontent.com/janeXlab/jjr-iot-skill/main/SKILL.md` -- **Skill not published:** The public ClawHub skill detail API returns 404 `Skill not found` for `jjr-iot-skill`, so the requested slug is still not available in the registry. - - command: `curl -sS -o /dev/null -w '%{http_code} %{url_effective}\n' https://clawhub.ai/api/v1/skills/jjr-iot-skill; curl -sS https://clawhub.ai/api/v1/skills/jjr-iot-skill` -- **Current production auth outage:** Both the canonical site and Convex site GitHub sign-in endpoints returned HTTP 500 while the unauthenticated skill list API returned 200, supporting the reported publishing/auth blockage as a production support issue. - - command: `curl -sS -o /dev/null -w '%{http_code}' https://clawhub.ai/api/auth/signin/github; curl -sS -o /dev/null -w '%{http_code}' https://wry-manatee-359.convex.site/api/auth/signin/github; curl -sS -o /dev/null -w '%{http_code}' https://clawhub.ai/api/v1/skills?limit=1` -- **Scope anchor:** The project vision says new skills should be published to ClawHub first and core skill additions should be rare, so this should remain a registry publishing/support path rather than a bundled source change. - - file: [VISION.md:58](https://github.com/openclaw/clawhub/blob/5b63d5df6071a91cfd3e5e184bc44e212e977cc9/VISION.md#L58) - - command: `nl -ba VISION.md | sed -n '50,70p'` - - sha: [5b63d5df6071](https://github.com/openclaw/clawhub/commit/5b63d5df6071a91cfd3e5e184bc44e212e977cc9) -- **Documented token fallback:** Auth docs document browser CLI login and the `clawhub login --token clh_...` fallback for environments where the local callback cannot complete. - - file: [docs/auth.md:22](https://github.com/openclaw/clawhub/blob/5b63d5df6071a91cfd3e5e184bc44e212e977cc9/docs/auth.md#L22) - - command: `nl -ba docs/auth.md | sed -n '1,90p'` - - sha: [5b63d5df6071](https://github.com/openclaw/clawhub/commit/5b63d5df6071a91cfd3e5e184bc44e212e977cc9) -- **Troubleshooting path:** Troubleshooting docs specifically cover `clawhub login` opening a browser but never completing and point users to loopback, firewall, VPN, proxy, and token-login checks. - - file: [docs/troubleshooting.md:10](https://github.com/openclaw/clawhub/blob/5b63d5df6071a91cfd3e5e184bc44e212e977cc9/docs/troubleshooting.md#L10) - - command: `nl -ba docs/troubleshooting.md | sed -n '1,80p'` - - sha: [5b63d5df6071](https://github.com/openclaw/clawhub/commit/5b63d5df6071a91cfd3e5e184bc44e212e977cc9) -- **CLI publish path exists:** The CLI skill publish command requires an auth token, requires `SKILL.md`, sends `acceptLicenseTerms: true`, and posts to the skills API. - - file: [packages/clawhub/src/cli/commands/publish.ts:35](https://github.com/openclaw/clawhub/blob/5b63d5df6071a91cfd3e5e184bc44e212e977cc9/packages/clawhub/src/cli/commands/publish.ts#L35) - - command: `nl -ba packages/clawhub/src/cli/commands/publish.ts | sed -n '1,170p'` - - sha: [5b63d5df6071](https://github.com/openclaw/clawhub/commit/5b63d5df6071a91cfd3e5e184bc44e212e977cc9) -- **Web publish path exists:** The web skill publish route requires sign-in, validates metadata/files, requires MIT-0 license acceptance, and calls the backend publish action. - - file: [src/routes/skills/publish.tsx:387](https://github.com/openclaw/clawhub/blob/5b63d5df6071a91cfd3e5e184bc44e212e977cc9/src/routes/skills/publish.tsx#L387) - - command: `nl -ba src/routes/skills/publish.tsx | sed -n '260,560p'` - - sha: [5b63d5df6071](https://github.com/openclaw/clawhub/commit/5b63d5df6071a91cfd3e5e184bc44e212e977cc9) -- **Related auth reports remain open:** Search results show multiple open OAuth/login-loop reports, including a production 500 report, so this submission should not be treated as a uniquely resolved skill-only request. - - command: `gh issue list --repo openclaw/clawhub --search 'OAuth login loop OR login loop OR jjr-iot-skill OR browser never completes' --state all --json number,title,state,url,author,labels,updatedAt --limit 20` +- **failure reason:** timeout +- **codex failure detail:** Codex review failed for #2047: spawnSync codex ETIMEDOUT +he requested slug, and live production auth checks show the GitHub OAuth entrypoints returning 500, so the next step is maintainer/operator follow-up rather than conservative source cleanup.\n\nReproducibility: Do we have a high-confidence way to reproduce the issue? No for the full reported CLI/web OAuth loop tied to this account because the issue lacks browser/account/CLI trace details; live checks do reproduce adjacent auth 500s and the unpublished skill state.\n\n**Next step**\nManual review is needed because the live auth failure and any manual skill publication require production/admin access, identity verification, and supply-chain checks rather than an automated source-only fix.\n\n**Security**\nNeeds attention: Manual publication of an external skill is supply-chain sensitive and should preserve normal ownership, license, scan, and moderation gates.\n\n\n
\nReview details\n\nBest possible solution:\n\nA maintainer should restore or diagnose production GitHub OAuth, verify the external repo, owner identity, MIT-0 acceptance, scan/moderation posture, then publish through the normal self-serve or audited admin path.\n\nDo we have a high-confidence way to reproduce the issue?\n\nDo we have a high-confidence way to reproduce the issue? No for the full reported CLI/web OAuth loop tied to this account because the issue lacks browser/account/CLI trace details; live checks do reproduce adjacent auth 500s and the unpublished skill state.\n\nIs this the best way to solve the issue?\n\nIs this the best way to solve the issue? Unclear. Manual indexing may unblock this publisher, but the maintainable path is to restore the existing publish/import/token flow and use audited admin publication only after ownership, license, scan, and moderation checks.\n\nSecurity concerns:\n\n- [medium] Do not bypass publish gates — `convex/lib/ski + +... truncated 2177 chars ... + +b63d5df6071))\n- **Documented token fallback:** Auth docs document browser CLI login and the `clawhub login --token clh_...` fallback for environments where the local callback cannot complete. ([`docs/auth.md:22`](https://github.com/openclaw/clawhub/blob/5b63d5df6071/docs/auth.md#L22), [5b63d5df6071](https://github.com/openclaw/clawhub/commit/5b63d5df6071))\n\nLikely related people:\n\n- **steipete:** Current blame on the CLI auth route and CLI auth command points to the commit that introduced the current token handoff, and recent history includes org-owned skill publishing support. (role: feature introducer and publishing/auth owner; confidence: high; commits: [768a50149eee](https://github.com/openclaw/clawhub/commit/768a50149eee11736faba33121a5ae76d9b7a9c6), [6925ec761c56](https://github.com/openclaw/clawhub/commit/6925ec761c56ef1e1bb857c8cd9e5c1431b69f8e); files: `src/routes/cli/auth.tsx`, `packages/clawhub/src/browserAuth.ts`, `packages/clawhub/src/cli/commands/auth.ts`)\n- **Th3Ya0vi:** Authored the merged fallback-token fix for Windows/Chrome redirect failures, directly adjacent to the CLI callback symptoms in this report. (role: adjacent CLI auth bugfix contributor; confidence: medium; commits: [b2038fc9314f](https://github.com/openclaw/clawhub/commit/b2038fc9314f54974f3cf782744ecbc06dd0fbbf); files: `src/routes/cli/auth.tsx`, `src/routes/cli/-auth.test.tsx`)\n- **ImLukeF:** Authored a merged auth-flow and WebKit compatibility fix touching sign-in, CLI auth, and import surfaces relevant to login-loop reports. (role: adjacent web auth flow maintainer; confidence: medium; commits: [f4db0ee32b7c](https://github.com/openclaw/clawhub/commit/f4db0\n\n[truncated 2218 chars]" + } + ], + "timeline": [ + { + "id": 4386674996, + "event": "commented", + "createdAt": "2026-05-06T09:20:58Z", + "actor": "clawsweeper[bot]" + } + ], + "counts": { + "comments": 1, + "timeline": 1 + } +} +``` + + + +- **codex stdout:** Per-item Codex failure; continuing with the rest of the shard. ## Likely Related People -- **steipete:** feature introducer and publishing/auth owner - - reason: Current blame on the CLI auth route and CLI auth command points to the commit that introduced the current token handoff, and recent history includes org-owned skill publishing support. - - confidence: high - - commits: 768a50149eee11736faba33121a5ae76d9b7a9c6, 6925ec761c56ef1e1bb857c8cd9e5c1431b69f8e - - files: src/routes/cli/auth.tsx, packages/clawhub/src/browserAuth.ts, packages/clawhub/src/cli/commands/auth.ts, packages/clawhub/src/cli/commands/publish.ts -- **Th3Ya0vi:** adjacent CLI auth bugfix contributor - - reason: Authored the merged fallback-token fix for Windows/Chrome redirect failures, directly adjacent to the CLI callback symptoms in this report. - - confidence: medium - - commits: b2038fc9314f54974f3cf782744ecbc06dd0fbbf - - files: src/routes/cli/auth.tsx, src/routes/cli/-auth.test.tsx -- **ImLukeF:** adjacent web auth flow maintainer - - reason: Authored a merged auth-flow and WebKit compatibility fix touching sign-in, CLI auth, and import surfaces relevant to login-loop reports. - - confidence: medium - - commits: f4db0ee32b7cdfa2909217badd0fee3e079450b4 - - files: src/components/SignInButton.tsx, src/routes/cli/auth.tsx, src/routes/import.tsx -- **Patrick-Erichsen:** recent publishing-route and docs maintainer - - reason: Recent merged work added and adjusted publishing routes, publishing docs, and ownership visibility around the web publishing surface used by this submission. - - confidence: medium - - commits: 8c86d6f570b98ce7028aa2b2a9347c906d9fbd57, a292a60a36839255886888afae877e03df8922ae, 88756d5 - - files: src/routes/skills/publish.tsx, src/routes/import.tsx, docs/publishing.md -- **momothemage:** recent skill publishing owner-migration maintainer - - reason: Current main is a skill owner migration hardening commit touching backend skill publish/API paths and the CLI publish command adjacent to this support request. - - confidence: medium - - commits: 5b63d5df6071a91cfd3e5e184bc44e212e977cc9, 38c21345906ab1f107a91b33bb86b63667d96643 - - files: convex/lib/skillPublish.ts, convex/httpApiV1/skillsV1.ts, packages/clawhub/src/cli/commands/publish.ts +- **unknown:** review did not complete + - reason: Codex failed before it could trace repository history. + - confidence: low ## Risks / Open Questions -- The exact browser/CLI loop for this reporter lacks OS, browser version, CLI version, account state, redirect trace, screenshots, and logs. -- Production OAuth repair likely requires maintainer/operator access to Convex env, GitHub OAuth app settings, and deployment logs, not only source changes. -- Manual indexing could bypass normal owner, license, file, scan, and moderation gates unless handled through the existing audited publish/admin paths. -- The submitted package manifest declares MIT while ClawHub skills are published under MIT-0, so maintainers should confirm explicit platform license acceptance before publication. +- No close action taken because the review did not complete. ## Close Comment @@ -278,11 +217,11 @@ _No close comment posted._ ## Review Telemetry -- prompt chars: 42395 +- prompt chars: 42408 - static prompt chars: 33412 -- context chars: 7721 +- context chars: 7734 - schema chars: 14081 - additional prompt chars: 0 -- context collection ms: 1627 -- Codex review ms: 187862 +- context collection ms: 1417 +- Codex review ms: 600249 \ No newline at end of file diff --git a/results/sweep-status/openclaw-clawhub.json b/results/sweep-status/openclaw-clawhub.json index 8da88d7216..a3fb248afb 100644 --- a/results/sweep-status/openclaw-clawhub.json +++ b/results/sweep-status/openclaw-clawhub.json @@ -3,15 +3,15 @@ "slug": "openclaw-clawhub", "display_name": "ClawHub", "target_repo": "openclaw/clawhub", - "state": "Review in progress", - "detail": "Planned 1 items across 1 shards. Capacity is 1 items; due backlog scanned is 42. Capacity reason: saturated: due backlog filled planned capacity. Review shards are starting; publish will merge artifacts when they finish.", - "run_url": "https://github.com/openclaw/clawsweeper/actions/runs/25584993918", + "state": "Hot intake publish complete", + "detail": "Merged 1 hot intake artifacts for run 25584668401 without full folder reconciliation. Captured 1 shard metrics; 1 shards reported non-success review status.", + "run_url": "https://github.com/openclaw/clawsweeper/actions/runs/25584668401", "planned_count": 1, "planned_capacity": 1, "planned_shards": 1, - "active_codex": 1, - "due_backlog": 42, + "active_codex": 0, + "due_backlog": 41, "oldest_unreviewed_at": "2026-05-06T23:03:34Z", "capacity_reason": "saturated: due backlog filled planned capacity", - "updated_at": "2026-05-08T23:44:48.911Z" + "updated_at": "2026-05-08T23:45:32.254Z" }