Skip to content

Development#2

Closed
Josephrp wants to merge 1006 commits into
mainfrom
development
Closed

Development#2
Josephrp wants to merge 1006 commits into
mainfrom
development

Conversation

@Josephrp

@Josephrp Josephrp commented Feb 22, 2026

Copy link
Copy Markdown
Owner

@cursor review

bugbot run


Note

Medium Risk
CI runner/installation and Docker build changes can break pipelines or builds if runner labels, permissions, or install flags differ from expectations; runtime product code is largely unaffected.

Overview
Maintainer agent workflow docs under .agents are removed/archived and replaced with a pointer to the external openclaw/maintainers repo, with .agents now ignored by git.

CI is migrated from generic/self-hosted runners to specific Blacksmith runner labels (including ARM), actions/setup-node is pinned by SHA, and composite actions are hardened by validating inputs (pnpm-version, frozen-lockfile) and avoiding direct ${{ inputs.* }} interpolation in run blocks (enforced via a new workflow-sanity actionlint job).

Infra/maintenance updates include adding Docker Dependabot updates, ignoring additional build artifacts in .gitignore, pinning Docker base images to digests and running Docker builds as the non-root node user (with correct Playwright cache ownership), small issue-template text tweaks, and updating CONTRIBUTING.md credits and the CHANGELOG.md version section.

Written by Cursor Bugbot for commit 1ec89f4. This will update automatically on new commits. Configure here.

steipete and others added 30 commits February 22, 2026 07:44
steipete and others added 22 commits February 22, 2026 11:29
@Josephrp

Copy link
Copy Markdown
Owner Author

@cursor check it out

@cursor

cursor Bot commented Feb 22, 2026

Copy link
Copy Markdown

PR review summary for the Development branch:


PR Review: Development Branch

Overview

The branch has 20+ commits ahead of main, with changes across security, UI, exec approvals, onboarding, and channel docs.

Build & Quality Checks

Check Status
Build Passes
Lint/Format Passes (oxfmt, oxlint)
Tests Pass when run individually; full suite hit OOM in this environment

Notable Changes

Security & Exec

  • fix(security): block shell env allowlist bypass in system.run
  • fix(exec): require explicit safe-bin profiles
  • New exec approval flow: ExecAllowlistMatcher, ExecApprovalEvaluation, ExecCommandResolution, ExecEnvInvocationUnwrapper, ExecShellWrapperParser, HostEnvSanitizer

UI & Gateway

  • fix(ui): stop auth failure reconnect loop, surface login gate
  • fix: HF inference prefix not sent to client; mixed-case prefix and tests
  • Gateway UX: remote WS onboarding and defaults

Onboarding

  • Default dmScope to per-channel-peer (breaking change)
  • Hardened remote WS guidance

iOS/macOS

  • iOS app icon updates, Watch app assets
  • NodeAppModel, TalkModeManager, GatewayConnectionController updates
  • Deep link parsing and security tests

Docs & Infrastructure

  • Agent skills archived (PR workflow, mintlify, merge/prepare/review-pr)
  • Dependabot config updates
  • CI workflow changes

Test Notes

  • src/web/inbound.media.test.ts passes when run alone.
  • Full suite hit JavaScript heap OOM in this environment; likely resource limits rather than code bugs.

Recommendation

The branch looks ready to merge from a code and quality perspective. The OOM during the full test run appears environment-related; CI should be checked for similar issues.

Open in Web Open in Cursor 

@Josephrp

Copy link
Copy Markdown
Owner Author

bugbot run

@cursor

cursor Bot commented Feb 22, 2026

Copy link
Copy Markdown

Skipping Bugbot: Bugbot is disabled for this repository. Visit the Bugbot dashboard to update your settings.

@Josephrp

Copy link
Copy Markdown
Owner Author

bugbot run

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Bugbot Autofix is ON. A Cloud Agent has been kicked off to fix the reported issues.

This is the final PR Bugbot will review for you during this billing cycle

Your free Bugbot reviews will reset on March 5

Details

You are on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle.

To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

Comment thread .gitignore
.claude/settings.local.json
.agents/
.agents
.agent/

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gitignore .agent/ overrides !.agent/workflows/ exception

Medium Severity

The new .agent/ entry at line 100 overrides the existing !.agent/workflows/ negation at line 94, making it dead code. In gitignore, later patterns take precedence, and once a parent directory is excluded, it's impossible to re-include children. New files in .agent/workflows/ will be silently ignored by git. The tracked file .agent/workflows/update_clawdbot.md remains tracked, but the negation pattern is now ineffective.

Additional Locations (1)

Fix in Cursor Fix in Web

Comment thread Dockerfile
@@ -1,4 +1,4 @@
FROM node:22-bookworm
FROM node:22-bookworm@sha256:cd7bcd2e7a1e6f72052feb023c7f6b722205d3fcab7bbcbd2d1bfdab10b1e935

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bun installed in root-only path, inaccessible to build user

Medium Severity

Bun is installed as root into /root/.bun/bin (line 4–5), but pnpm install and pnpm build now run as the node user (lines 25–26, 45–47). On Debian, /root has 0700 permissions, making Bun inaccessible to the node user. Previously all build steps ran as root. The comment says Bun is "required for build scripts," but the binary is effectively unreachable during both build and runtime.

Additional Locations (2)

Fix in Cursor Fix in Web

@cursor

cursor Bot commented Feb 22, 2026

Copy link
Copy Markdown

Bugbot Autofix prepared fixes for 2 of the 2 bugs found in the latest run.

  • ✅ Fixed: Gitignore .agent/ overrides !.agent/workflows/ exception
    • Replaced .agent/ (which excluded the parent directory and made negation impossible) with .agent/* so that !.agent/workflows/ can correctly un-ignore the workflows subdirectory.
  • ✅ Fixed: Bun installed in root-only path, inaccessible to build user
    • Installed Bun to /usr/local via BUN_INSTALL=/usr/local so the binary is in /usr/local/bin, which is accessible to the node user during pnpm install and pnpm build.

Create PR

@Josephrp Josephrp closed this Feb 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.