chore: merge dev into staging#69

Merged: ducnmm merged 19 commits into staging from dev, Apr 1, 2026

@Aaron1924
Collaborator

Summary

Merge dev into staging to propagate all recent changes including:

Test plan

  • Verify Redis rate limiting middleware initializes correctly on server startup
  • Verify storage quota tracking via blob_size_bytes column works for remember, remember/manual, analyze, restore endpoints
  • Verify AppError::QuotaExceeded returns HTTP 402 on quota breach
  • Verify AppError::RateLimited returns HTTP 429 with Retry-After header
  • Verify graceful degradation when Redis is unavailable (requests allowed through)
  • Verify 003_rate_limiter.sql migration runs without table lock on production DB
  • Verify --frozen-lockfile enforced in all CI workflows
  • Smoke test all API endpoints on staging

🤖 Generated with Claude Code
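
The test-plan item on `--frozen-lockfile` can be checked mechanically rather than by eye. The following is an added example, not code from this repository: a small Rust scanner that flags `pnpm install` / `bun install` lines that disable or omit the frozen-lockfile flag. The workflow and Dockerfile contents are constructed samples.

```rust
// Added example, not the repository's CI code. All sample contents are constructed.
#[derive(Debug, PartialEq, Clone, Copy)]
enum Finding {
    /// `--no-frozen-lockfile`: the installer may re-resolve and pull new versions.
    LockfileDisabled,
    /// Bare `pnpm install` / `bun install` without `--frozen-lockfile`.
    LockfileNotEnforced,
}

/// Classify one line of a workflow file or Dockerfile.
fn check_line(line: &str) -> Option<Finding> {
    let cmd = line.trim();
    if cmd.starts_with('#') {
        return None; // comment line in YAML or a Dockerfile
    }
    if !(cmd.contains("pnpm install") || cmd.contains("bun install")) {
        return None;
    }
    if cmd.contains("--no-frozen-lockfile") {
        Some(Finding::LockfileDisabled)
    } else if cmd.contains("--frozen-lockfile") {
        None
    } else {
        Some(Finding::LockfileNotEnforced)
    }
}

/// Return (1-based line number, finding) for every offending line.
fn scan(content: &str) -> Vec<(usize, Finding)> {
    content
        .lines()
        .enumerate()
        .filter_map(|(i, line)| check_line(line).map(|f| (i + 1, f)))
        .collect()
}

// Constructed samples modelled on the before/after states listed in the commits.
const WORKFLOW_BEFORE: &str = "steps:\n  - run: pnpm install --no-frozen-lockfile\n  - run: pnpm build\n";
const DOCKERFILE_BEFORE: &str = "FROM oven/bun\n# bun install used to run unpinned\nRUN bun install\n";
const DOCKERFILE_AFTER: &str = "FROM oven/bun\nRUN bun install --frozen-lockfile\n";

fn main() {
    let samples = [("workflow (before)", WORKFLOW_BEFORE),
                   ("Dockerfile (before)", DOCKERFILE_BEFORE),
                   ("Dockerfile (after)", DOCKERFILE_AFTER)];
    for (name, content) in samples {
        println!("{}: {:?}", name, scan(content));
    }
}
```

Run over the real workflow files and Dockerfiles, a non-empty result is a reason to fail the CI job.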

hungtranphamminh and others added 13 commits March 30, 2026 13:24
* build(openclaw-plugin): prepare package for npm publish

Rename to @mysten-incubation/oc-memwal, add tsconfig, build scripts,
exports, types, and engine requirements. Compiled JS output in dist/.

* docs(openclaw-plugin): update install flow for npm, remove TEE references

Replace manual symlink install with openclaw plugins install command.
Update config examples to use oc-memwal. Remove TEE from relayer labels.

* ci(openclaw-plugin): add release workflow for npm publish

Auto-publish on push to main/staging/dev when plugin code changes.
Uses OIDC provenance, auto-increments dev/rc versions per branch.
Add typecheck script. Reset base version to 0.0.1.

* fix(openclaw-plugin): update outdated links in manifest and README

Replace app.memwal.com with memwal.ai in plugin uiHints.
Fix relative Mintlify links to use full docs.memwal.ai URLs.
)

Remove openclaw peer dependency that causes install failures via
openclaw plugins install. Downgrade zod from v4 to v3 for monorepo
compatibility. No API changes.

Byte-level slicing via `&text[..text.len().min(50)]` panics when byte
50 lands inside a multi-byte UTF-8 character (e.g. emoji). Replace all
four instances with a `truncate_str` helper that backs up to the
nearest char boundary.
fix(server): use UTF-8 safe truncation in log preview strings

- deploy-app-walrus.yml: --no-frozen-lockfile → --frozen-lockfile
- release-oc-memwal.yml: --no-frozen-lockfile → --frozen-lockfile
- release-sdk.yml: --no-frozen-lockfile → --frozen-lockfile
- apps/app/Dockerfile: pnpm install → pnpm install --frozen-lockfile
- apps/researcher/Dockerfile: bun install → bun install --frozen-lockfile
- apps/researcher/package.json: pin @mysten-incubation/memwal to exact 0.0.1

Prevents supply chain attacks like axios@1.14.1 compromise (axios/axios#10604)
from being silently pulled into CI builds.
fix: enforce --frozen-lockfile in all CI workflows and Dockerfiles

docs: improve docs for AI agents, add SKILL.md, llms.txt, changelogs,…
feat(relayer): multi-layer rate limiting with Redis, storage quota, a…
fix(server): sponsor walrus register flow and use pooled signer keys
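
The UTF-8 truncation fix described in the commit list above, shown as an added Rust example (not the repository's code). `truncate_str` is reimplemented here from the commit message's description, the helper names other than `truncate_str` are hypothetical, and the sample strings are constructed.

```rust
// Added example: why `&text[..text.len().min(50)]` can panic, and a
// char-boundary-safe replacement. Not the project's actual helper.

/// Return the longest prefix of `s` that is at most `max_bytes` long and
/// ends on a UTF-8 character boundary.
fn truncate_str(s: &str, max_bytes: usize) -> &str {
    if s.len() <= max_bytes {
        return s;
    }
    let mut end = max_bytes;
    // Back up until `end` is a boundary; index 0 always is, so this terminates.
    while !s.is_char_boundary(end) {
        end -= 1;
    }
    &s[..end]
}

/// True when the pre-fix slice expression would panic on `text`.
/// `str::get` returns None exactly where indexing would panic.
fn naive_slice_panics(text: &str, max_bytes: usize) -> bool {
    text.get(..text.len().min(max_bytes)).is_none()
}

/// Constructed sample: `offset` ASCII bytes, then a 4-byte emoji, then more text.
fn sample_with_emoji_at(offset: usize) -> String {
    format!("{}\u{1F525} rest of the stored text", "a".repeat(offset))
}

fn main() {
    // Emoji occupying bytes 46..50, 48..52 and 60..64 respectively.
    for offset in [46, 48, 60] {
        let text = sample_with_emoji_at(offset);
        let preview = truncate_str(&text, 50);
        println!(
            "emoji at byte {}: naive slice panics = {}, safe preview = {} bytes",
            offset,
            naive_slice_panics(&text, 50),
            preview.len()
        );
    }
}
```

Only the middle case trips the old expression, which is why such a bug can pass tests built from ASCII-only input.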
@Aaron1924
Collaborator Author

Code review

Found 3 issues (confidence >= 80):


  1. [CRITICAL] Rate limiting middleware is completely non-functional — is registered as the outer layer before , but it reads from request extensions which is only set by auth. In Axum, outer layers run after inner layers. Auth runs first and sets , then rate limiting runs and sees , falling through immediately. The entire 3-layer Redis rate limiter is dead code.

    Fix: swap the layer registration order so is outer and is inner.

    services/server/src/main.rs#L2329-L2335

  2. [CRITICAL] Storage quota bypass via delete/restore cycle — re-inserts with . If deleted rows are not purged from , a user can store to quota -> delete -> restore -> store again. The migration comment says cleanup happens via ; please confirm this permanently removes rows so does not include deleted entries.

    services/server/src/routes.rs#L2842-L2844

  3. [MEDIUM] Enoki fallback removed — reliability regression on upload path — was replaced with . Previously, Enoki sponsorship failure fell back to direct signing. Now any transient Enoki failure fails the entire upload. Consider restoring the fallback or adding a config flag to control it.

    services/server/scripts/sidecar-server.ts#L2157-L2165


All 3 issues scored >= 80 confidence after independent verification. Issues #1 and #2 are CRITICAL and should be addressed before merge. Issue #3 is a regression that warrants at minimum a warning log + optional config flag.

hungtranphamminh and others added 4 commits April 1, 2026 13:33
Consolidate scattered numeric literals into src/constants.ts with
documentation for each value's purpose and which modules consume it.
No behavior change — pure refactor.
…ki-fallback

fix(server): restore quota accounting and enoki fallback behavior
…stants

Refactor: Extract magic numbers to shared constants
@ducnmm ducnmm merged commit 9147566 into staging Apr 1, 2026
8 of 9 checks passed
ducnmm added a commit that referenced this pull request Apr 1, 2026
Merge pull request #69 from MystenLabs/staging