chore: update sweep records

[skip ci]

records/openclaw-clawhub/items/2047.md

@@ -10,7 +10,7 @@ item_updated_at: 2026-05-08T18:42:19Z
 author: janeXlab
 author_association: NONE
 labels: []
-reviewed_at: 2026-05-08T19:45:12.081Z
+reviewed_at: 2026-05-08T23:30:42.294Z
 main_sha: 5b63d5df6071a91cfd3e5e184bc44e212e977cc9
 pull_head_sha: unknown
 latest_release: v0.1.0
@@ -35,8 +35,8 @@ review_static_prompt_chars: 33412
 review_context_chars: 7721
 review_schema_chars: 14081
 review_additional_prompt_chars: 0
-review_context_elapsed_ms: 1265
-review_codex_elapsed_ms: 252845
+review_context_elapsed_ms: 1627
+review_codex_elapsed_ms: 187862
 review_mode: propose
 review_status: complete
 local_checkout_access: verified
@@ -51,13 +51,13 @@ confidence: high
 action_taken: kept_open
 work_candidate: manual_review
 work_confidence: high
-work_priority: medium
+work_priority: high
 work_status: manual_review
-work_reason_sha256: 29355bdcbe63d254db382ffc74853769e87f1685a3cfca555898cfe9b13cdd02
+work_reason_sha256: 180a406174b5b4eb1ceb106025a0be491e430b446de8892e72cfd3891b873ea2
 work_prompt_sha256: none
-work_cluster_refs: ["https://github.com/openclaw/clawhub/issues/1717"]
-work_validation: ["curl -i https://clawhub.ai/api/auth/signin/github should redirect instead of returning HTTP 500 after operator repair.","curl -i https://clawhub.ai/api/v1/skills/jjr-iot-skill should show the skill only after an intentional publish/import.","Verify `clawhub login`, `clawhub whoami`, and `clawhub skill publish <verified-skill-dir> --version 1.3.1` in a real authenticated setup after OAuth is restored."]
-work_likely_files: ["convex/auth.ts","convex/http.ts","src/routes/cli/auth.tsx","packages/clawhub/src/browserAuth.ts","packages/clawhub/src/cli/commands/auth.ts","src/routes/skills/publish.tsx","src/routes/import.tsx","packages/clawhub/src/cli/commands/publish.ts","convex/lib/skillPublish.ts","docs/auth.md","docs/troubleshooting.md","docs/cli.md"]
+work_cluster_refs: ["https://github.com/openclaw/clawhub/issues/1717","https://github.com/openclaw/clawhub/issues/1999","https://github.com/openclaw/clawhub/issues/1244"]
+work_validation: ["curl -i https://clawhub.ai/api/auth/signin/github","curl -i https://wry-manatee-359.convex.site/api/auth/signin/github","curl -i https://clawhub.ai/api/v1/skills/jjr-iot-skill","If source changes follow diagnosis: bun run test -- src/routes/cli/-auth.test.tsx src/components/SignInButton.test.tsx src/__tests__/skills-publish-route.test.tsx"]
+work_likely_files: ["convex/auth.ts","convex/http.ts","src/routes/cli/auth.tsx","packages/clawhub/src/cli/commands/auth.ts","packages/clawhub/src/cli/commands/publish.ts","src/routes/skills/publish.tsx","convex/lib/skillPublish.ts","convex/httpApiV1/skillsV1.ts","docs/auth.md","docs/troubleshooting.md","docs/publishing.md"]
 item_category: support
 reproduction_status: unclear
 reproduction_confidence: medium
@@ -103,29 +103,29 @@ Action taken: kept_open
 
 ## Summary
 
-Keep open: this is still an actionable ClawHub publishing/support request, and this repository’s cleanup policy keeps issues open. Current source and docs show self-serve publish/import/login fallback paths, but the requested skill is still not published and production GitHub OAuth currently fails, so maintainer/operator follow-up is needed.
+Keep open: this is an actionable ClawHub publishing/support issue, and this repository’s cleanup policy keeps issues open unless a maintainer resolves them. The submitted skill still is not published under the requested slug, and live production auth checks show the GitHub OAuth entrypoints returning 500, so the next step is maintainer/operator follow-up rather than conservative source cleanup.
 
 ## What This Changes
 
-The issue asks maintainers to manually index or assist publishing the external jjr-iot-skill v1.3.1 because the reporter says GitHub OAuth login loops in the CLI and website.
+The requester asks maintainers to manually index or help publish `jjr-iot-skill` v1.3.1 because CLI and web GitHub OAuth login loops block self-service publication.
 
 ## Best Possible Solution
 
-Restore the production GitHub OAuth path tracked by https://github.com/openclaw/clawhub/issues/1717, then have the author publish through the existing self-serve CLI/web/import flow or have a maintainer manually publish only after repo, license, ownership, and moderation checks pass.
+A maintainer should restore or diagnose production GitHub OAuth, verify the external repo, owner identity, MIT-0 acceptance, scan/moderation posture, then publish through the normal self-serve or audited admin path.
 
 ## Reproduction Assessment
 
-Partial, but not high-confidence for the exact reported loop. Current production auth endpoints return HTTP/2 500 and the requested slug returns 404, but the reporter’s precise CLI/browser loop lacks version, account-state, redirect, and log details and was not reproduced against a local current-main setup.
+Do we have a high-confidence way to reproduce the issue? No for the full reported CLI/web OAuth loop tied to this account because the issue lacks browser/account/CLI trace details; live checks do reproduce adjacent auth 500s and the unpublished skill state.
 
 ## Solution Assessment
 
-Unclear. Manual indexing may unblock this publisher after verification, but the maintainable route is to restore production OAuth and use the existing publish/import/token paths; any source fix should be scoped to a canonical auth issue with a concrete reproduction.
+Is this the best way to solve the issue? Unclear. Manual indexing may unblock this publisher, but the maintainable path is to restore the existing publish/import/token flow and use audited admin publication only after ownership, license, scan, and moderation checks.
 
 ## Review Findings
 
 Overall correctness: not a patch
 
-Overall confidence: 0.35
+Overall confidence: 0.3
 
 Full review comments:
 
@@ -133,13 +133,18 @@ Full review comments:
 
 ## Security Review
 
-Status: not_applicable
+Status: needs_attention
 
-Summary: Non-PR support/submission issue; no patch security review applies, though manual publication should still go through normal ClawHub moderation.
+Summary: Manual publication of an external skill is supply-chain sensitive and should preserve normal ownership, license, scan, and moderation gates.
 
 Concerns:
 
-- none
+- **[medium] Do not bypass publish gates:** `convex/lib/skillPublish.ts:113`
+  - body: The normal publish path enforces account, file, size, manifest, and backend validation before a skill becomes installable; any manual registry action should preserve those checks and the moderation/scanner path.
+  - confidence: 0.84
+- **[low] Confirm platform license acceptance:** `convex/httpApiV1/skillsV1.ts:1013`
+  - body: The web/API publish paths require MIT-0 terms acceptance for skills, while the submitted package metadata says MIT, so maintainers should get explicit acceptance before manual publication.
+  - confidence: 0.8
 
 ## Real Behavior Proof
 
@@ -149,7 +154,7 @@ Evidence kind: not_applicable
 
 Needs contributor action: false
 
-Summary: Non-PR issue; contributor proof gate does not apply.
+Summary: This is a non-PR support issue, so contributor real-behavior proof is not a merge gate.
 
 ## Work Candidate
 
@@ -157,105 +162,106 @@ Candidate: manual_review
 
 Confidence: high
 
-Priority: medium
+Priority: high
 
 Status: manual_review
 
-Reason: Maintainer/operator follow-up is required because production OAuth and any manual registry indexing/moderation cannot be completed by a source-only repair PR.
+Reason: Manual review is needed because the live auth failure and any manual skill publication require production/admin access, identity verification, and supply-chain checks rather than an automated source-only fix.
 
 Cluster refs:
 
 - https://github.com/openclaw/clawhub/issues/1717
+- https://github.com/openclaw/clawhub/issues/1999
+- https://github.com/openclaw/clawhub/issues/1244
 
 Likely files:
 
 - convex/auth.ts
 - convex/http.ts
 - src/routes/cli/auth.tsx
-- packages/clawhub/src/browserAuth.ts
 - packages/clawhub/src/cli/commands/auth.ts
-- src/routes/skills/publish.tsx
-- src/routes/import.tsx
 - packages/clawhub/src/cli/commands/publish.ts
+- src/routes/skills/publish.tsx
 - convex/lib/skillPublish.ts
+- convex/httpApiV1/skillsV1.ts
 - docs/auth.md
 - docs/troubleshooting.md
-- docs/cli.md
+- docs/publishing.md
 
 Validation:
 
-- curl -i https://clawhub.ai/api/auth/signin/github should redirect instead of returning HTTP 500 after operator repair.
-- curl -i https://clawhub.ai/api/v1/skills/jjr-iot-skill should show the skill only after an intentional publish/import.
-- Verify `clawhub login`, `clawhub whoami`, and `clawhub skill publish <verified-skill-dir> --version 1.3.1` in a real authenticated setup after OAuth is restored.
+- curl -i https://clawhub.ai/api/auth/signin/github
+- curl -i https://wry-manatee-359.convex.site/api/auth/signin/github
+- curl -i https://clawhub.ai/api/v1/skills/jjr-iot-skill
+- If source changes follow diagnosis: bun run test -- src/routes/cli/-auth.test.tsx src/components/SignInButton.test.tsx src/__tests__/skills-publish-route.test.tsx
 
 ## Evidence
 
-- **Live issue state:** The issue is open, has no labels, has no linked implementation PR from the same author, and the only visible comment is the prior ClawSweeper keep-open review.
-  - command: `gh issue view 2047 --repo openclaw/clawhub --json number,title,state,author,labels,body,comments,createdAt,updatedAt,url`
-- **External submission exists:** The linked public repository's package.json declares name jjr-iot-skill and version 1.3.1, and SKILL.md on the default branch declares version 1.3.1 with IoT/agriculture metadata.
-  - command: `curl -L -s https://raw.githubusercontent.com/janeXlab/jjr-iot-skill/main/package.json; curl -L -s https://raw.githubusercontent.com/janeXlab/jjr-iot-skill/main/SKILL.md`
-- **Skill not currently published:** The public ClawHub skill detail API returned HTTP/2 404 with body Skill not found for jjr-iot-skill.
-  - command: `curl -s -i https://clawhub.ai/api/v1/skills/jjr-iot-skill | sed -n '1,80p'`
-- **Search does not find the slug:** The public search API returned HTTP/2 200 with an empty results array for q=jjr-iot-skill.
-  - command: `curl -s -i 'https://clawhub.ai/api/v1/search?q=jjr-iot-skill&limit=5'`
-- **Production OAuth currently fails:** Both the canonical site and Convex auth endpoint returned HTTP/2 500 for /api/auth/signin/github, which matches the login-blocker side of the report but points to operator/auth configuration rather than a narrow source patch from this issue.
-  - command: `curl -s -i https://clawhub.ai/api/auth/signin/github; curl -s -i https://wry-manatee-359.convex.site/api/auth/signin/github`
-- **Core scope keeps new skills in ClawHub:** VISION.md says new skills should be published to ClawHub first and core skill additions should be rare, so this is registry publishing/support work rather than a bundled source addition.
+- **Live issue state:** The issue is open, has no labels, and has only the prior ClawSweeper keep-open review; there is no linked maintainer resolution or implementation PR.
+  - command: `gh issue view 2047 --repo openclaw/clawhub --json number,title,state,author,labels,comments,body,createdAt,updatedAt,url`
+- **External submission exists:** The linked public repository’s package manifest declares name `jjr-iot-skill` and version `1.3.1`, and the repository has a `SKILL.md` with matching skill metadata.
+  - command: `curl -sSfL https://raw.githubusercontent.com/janeXlab/jjr-iot-skill/main/package.json; curl -sSfL https://raw.githubusercontent.com/janeXlab/jjr-iot-skill/main/SKILL.md`
+- **Skill not published:** The public ClawHub skill detail API returns 404 `Skill not found` for `jjr-iot-skill`, so the requested slug is still not available in the registry.
+  - command: `curl -sS -o /dev/null -w '%{http_code} %{url_effective}\n' https://clawhub.ai/api/v1/skills/jjr-iot-skill; curl -sS https://clawhub.ai/api/v1/skills/jjr-iot-skill`
+- **Current production auth outage:** Both the canonical site and Convex site GitHub sign-in endpoints returned HTTP 500 while the unauthenticated skill list API returned 200, supporting the reported publishing/auth blockage as a production support issue.
+  - command: `curl -sS -o /dev/null -w '%{http_code}' https://clawhub.ai/api/auth/signin/github; curl -sS -o /dev/null -w '%{http_code}' https://wry-manatee-359.convex.site/api/auth/signin/github; curl -sS -o /dev/null -w '%{http_code}' https://clawhub.ai/api/v1/skills?limit=1`
+- **Scope anchor:** The project vision says new skills should be published to ClawHub first and core skill additions should be rare, so this should remain a registry publishing/support path rather than a bundled source change.
   - file: [VISION.md:58](https://github.com/openclaw/clawhub/blob/5b63d5df6071a91cfd3e5e184bc44e212e977cc9/VISION.md#L58)
-  - command: `sed -n '1,140p' VISION.md`
+  - command: `nl -ba VISION.md | sed -n '50,70p'`
   - sha: [5b63d5df6071](https://github.com/openclaw/clawhub/commit/5b63d5df6071a91cfd3e5e184bc44e212e977cc9)
-- **Documented login fallback:** Auth docs describe the browser CLI login flow and the headless token fallback with clawhub login --token for callback-blocked environments.
+- **Documented token fallback:** Auth docs document browser CLI login and the `clawhub login --token clh_...` fallback for environments where the local callback cannot complete.
   - file: [docs/auth.md:22](https://github.com/openclaw/clawhub/blob/5b63d5df6071a91cfd3e5e184bc44e212e977cc9/docs/auth.md#L22)
-  - command: `nl -ba docs/auth.md | sed -n '1,180p'`
+  - command: `nl -ba docs/auth.md | sed -n '1,90p'`
   - sha: [5b63d5df6071](https://github.com/openclaw/clawhub/commit/5b63d5df6071a91cfd3e5e184bc44e212e977cc9)
-- **Troubleshooting covers incomplete browser login:** Troubleshooting docs specifically cover clawhub login opening a browser but never completing, including loopback, firewall/VPN/proxy checks, and token login.
+- **Troubleshooting path:** Troubleshooting docs specifically cover `clawhub login` opening a browser but never completing and point users to loopback, firewall, VPN, proxy, and token-login checks.
   - file: [docs/troubleshooting.md:10](https://github.com/openclaw/clawhub/blob/5b63d5df6071a91cfd3e5e184bc44e212e977cc9/docs/troubleshooting.md#L10)
-  - command: `nl -ba docs/troubleshooting.md | sed -n '1,180p'`
+  - command: `nl -ba docs/troubleshooting.md | sed -n '1,80p'`
   - sha: [5b63d5df6071](https://github.com/openclaw/clawhub/commit/5b63d5df6071a91cfd3e5e184bc44e212e977cc9)
-- **Current publish paths exist:** The CLI publishes skills through POST /api/v1/skills with SKILL.md validation and acceptLicenseTerms, while the web publish route uploads files and calls publishVersion.
+- **CLI publish path exists:** The CLI skill publish command requires an auth token, requires `SKILL.md`, sends `acceptLicenseTerms: true`, and posts to the skills API.
   - file: [packages/clawhub/src/cli/commands/publish.ts:35](https://github.com/openclaw/clawhub/blob/5b63d5df6071a91cfd3e5e184bc44e212e977cc9/packages/clawhub/src/cli/commands/publish.ts#L35)
-  - command: `nl -ba packages/clawhub/src/cli/commands/publish.ts | sed -n '1,260p'; nl -ba src/routes/skills/publish.tsx | sed -n '408,509p'`
+  - command: `nl -ba packages/clawhub/src/cli/commands/publish.ts | sed -n '1,170p'`
   - sha: [5b63d5df6071](https://github.com/openclaw/clawhub/commit/5b63d5df6071a91cfd3e5e184bc44e212e977cc9)
-- **Publishing enforces MIT-0 acceptance:** CLI docs and the web publish route state that ClawHub skills are published under MIT-0 and require the publisher to accept those terms, while the external package currently declares MIT.
-  - file: [docs/cli.md:160](https://github.com/openclaw/clawhub/blob/5b63d5df6071a91cfd3e5e184bc44e212e977cc9/docs/cli.md#L160)
-  - command: `nl -ba docs/cli.md | sed -n '151,163p'; nl -ba src/routes/skills/publish.tsx | sed -n '700,750p'`
+- **Web publish path exists:** The web skill publish route requires sign-in, validates metadata/files, requires MIT-0 license acceptance, and calls the backend publish action.
+  - file: [src/routes/skills/publish.tsx:387](https://github.com/openclaw/clawhub/blob/5b63d5df6071a91cfd3e5e184bc44e212e977cc9/src/routes/skills/publish.tsx#L387)
+  - command: `nl -ba src/routes/skills/publish.tsx | sed -n '260,560p'`
   - sha: [5b63d5df6071](https://github.com/openclaw/clawhub/commit/5b63d5df6071a91cfd3e5e184bc44e212e977cc9)
-- **Related auth issue remains open:** A broader open issue reports /api/auth/signin/github returning HTTP 500 and blocking new CLI token generation, which matches the current live OAuth failure more directly than this submission issue.
-  - command: `gh issue view 1717 --repo openclaw/clawhub --json number,title,state,url,body,comments,updatedAt`
+- **Related auth reports remain open:** Search results show multiple open OAuth/login-loop reports, including a production 500 report, so this submission should not be treated as a uniquely resolved skill-only request.
+  - command: `gh issue list --repo openclaw/clawhub --search 'OAuth login loop OR login loop OR jjr-iot-skill OR browser never completes' --state all --json number,title,state,url,author,labels,updatedAt --limit 20`
 
 ## Likely Related People
 
-- **steipete:** feature introducer and auth/publish owner
-  - reason: Git history shows Peter introduced the current CLI auth route and loopback login flow and recently maintained org-owned skill publishing paths adjacent to this issue.
+- **steipete:** feature introducer and publishing/auth owner
+  - reason: Current blame on the CLI auth route and CLI auth command points to the commit that introduced the current token handoff, and recent history includes org-owned skill publishing support.
   - confidence: high
   - commits: 768a50149eee11736faba33121a5ae76d9b7a9c6, 6925ec761c56ef1e1bb857c8cd9e5c1431b69f8e
   - files: src/routes/cli/auth.tsx, packages/clawhub/src/browserAuth.ts, packages/clawhub/src/cli/commands/auth.ts, packages/clawhub/src/cli/commands/publish.ts
-- **Th3Ya0vi:** adjacent auth bugfix contributor
-  - reason: Authored the merged CLI auth fallback-token fix for Windows/Chrome redirect failures, which is close to the callback/loop symptoms reported here.
+- **Th3Ya0vi:** adjacent CLI auth bugfix contributor
+  - reason: Authored the merged fallback-token fix for Windows/Chrome redirect failures, directly adjacent to the CLI callback symptoms in this report.
   - confidence: medium
   - commits: b2038fc9314f54974f3cf782744ecbc06dd0fbbf
   - files: src/routes/cli/auth.tsx, src/routes/cli/-auth.test.tsx
-- **ImLukeF:** adjacent auth flow maintainer
+- **ImLukeF:** adjacent web auth flow maintainer
   - reason: Authored a merged auth-flow and WebKit compatibility fix touching sign-in, CLI auth, and import surfaces relevant to login-loop reports.
   - confidence: medium
   - commits: f4db0ee32b7cdfa2909217badd0fee3e079450b4
   - files: src/components/SignInButton.tsx, src/routes/cli/auth.tsx, src/routes/import.tsx
-- **Patrick-Erichsen:** recent publishing-route maintainer
-  - reason: Recently updated publishing visibility, docs links, and publishing flow documentation, which are useful for the publication support side of this request.
+- **Patrick-Erichsen:** recent publishing-route and docs maintainer
+  - reason: Recent merged work added and adjusted publishing routes, publishing docs, and ownership visibility around the web publishing surface used by this submission.
   - confidence: medium
-  - commits: 8c86d6f570b98ce7028aa2b2a9347c906d9fbd57, a292a60a36839255886888afae877e03df8922ae, 88756d59974282b4183d8ca8f7ee48d5764e12ad
+  - commits: 8c86d6f570b98ce7028aa2b2a9347c906d9fbd57, a292a60a36839255886888afae877e03df8922ae, 88756d5
   - files: src/routes/skills/publish.tsx, src/routes/import.tsx, docs/publishing.md
-- **momothemage:** recent skill publishing maintainer
-  - reason: Current main includes their skill owner migration hardening across CLI, API, docs, and backend publish paths adjacent to this issue’s publish flow.
+- **momothemage:** recent skill publishing owner-migration maintainer
+  - reason: Current main is a skill owner migration hardening commit touching backend skill publish/API paths and the CLI publish command adjacent to this support request.
   - confidence: medium
-  - commits: 5b63d5df6071a91cfd3e5e184bc44e212e977cc9
-  - files: convex/lib/skillPublish.ts, convex/httpApiV1/skillsV1.ts, convex/skills.ts, packages/clawhub/src/cli/commands/publish.ts, src/routes/skills/publish.tsx
+  - commits: 5b63d5df6071a91cfd3e5e184bc44e212e977cc9, 38c21345906ab1f107a91b33bb86b63667d96643
+  - files: convex/lib/skillPublish.ts, convex/httpApiV1/skillsV1.ts, packages/clawhub/src/cli/commands/publish.ts
 
 ## Risks / Open Questions
 
-- The exact reporter loop is still under-specified: no browser, OS, CLI version, account state, redirect trace, screenshot, or logs are provided.
-- Production OAuth currently returns HTTP 500, but the root cause likely requires Convex/GitHub OAuth environment or operator access outside a source-only cleanup PR.
-- Manual indexing affects production registry state and moderation; maintainers still need to verify the external repo, license acceptance, and publication safety before approving or importing it.
+- The exact browser/CLI loop for this reporter lacks OS, browser version, CLI version, account state, redirect trace, screenshots, and logs.
+- Production OAuth repair likely requires maintainer/operator access to Convex env, GitHub OAuth app settings, and deployment logs, not only source changes.
+- Manual indexing could bypass normal owner, license, file, scan, and moderation gates unless handled through the existing audited publish/admin paths.
+- The submitted package manifest declares MIT while ClawHub skills are published under MIT-0, so maintainers should confirm explicit platform license acceptance before publication.
 
 ## Close Comment
 
@@ -276,6 +282,6 @@ _No close comment posted._
 - context chars: 7721
 - schema chars: 14081
 - additional prompt chars: 0
-- context collection ms: 1265
-- Codex review ms: 252845
+- context collection ms: 1627
+- Codex review ms: 187862
   

results/sweep-status/openclaw-clawhub.json

@@ -3,15 +3,15 @@
   "slug": "openclaw-clawhub",
   "display_name": "ClawHub",
   "target_repo": "openclaw/clawhub",
-  "state": "Hot intake publish complete",
-  "detail": "Merged 1 hot intake artifacts for run 25584382285 without full folder reconciliation. Captured 1 shard metrics; 0 shards reported non-success review status.",
-  "run_url": "https://github.com/openclaw/clawsweeper/actions/runs/25584382285",
+  "state": "Review publish complete",
+  "detail": "Merged 1 review artifacts for run 25584450308. Captured 1 shard metrics; 0 shards reported non-success review status. Folder reconciliation moved tracked files to match current GitHub open/closed state.",
+  "run_url": "https://github.com/openclaw/clawsweeper/actions/runs/25584450308",
   "planned_count": 1,
   "planned_capacity": 1,
   "planned_shards": 1,
   "active_codex": 0,
-  "due_backlog": 39,
+  "due_backlog": 40,
   "oldest_unreviewed_at": "2026-05-06T23:03:34Z",
   "capacity_reason": "saturated: due backlog filled planned capacity",
-  "updated_at": "2026-05-08T23:27:09.542Z"
+  "updated_at": "2026-05-08T23:31:53.307Z"
 }