Skip to content

feat(cloud): publish content-addressed review snapshots#102

Merged
vincentkoc merged 52 commits into
mainfrom
feat/cloud-v2-publish
Jul 12, 2026
Merged

feat(cloud): publish content-addressed review snapshots#102
vincentkoc merged 52 commits into
mainfrom
feat/cloud-v2-publish

Conversation

@vincentkoc

@vincentkoc vincentkoc commented Jul 12, 2026

Copy link
Copy Markdown
Member

Summary

  • publish complete Gitcrawl cloud-v2 snapshots from one exact source SQLite digest
  • keep preflight metadata-only and publication memory bounded to one dataset batch at a time
  • require authenticated publisher/reader authorization and exact final coverage plus SQLite-bundle acknowledgements
  • validate export queries against the frozen local SQLite image before remote mutation
  • bind resume and post-cutover publisher status to the exact snapshot ID
  • resume initial 409 snapshot_mismatch candidates idempotently
  • recover 409 snapshot_active races only after an exact scoped status re-probe proves the same completed digest, profile, generation, and coverage
  • keep post-cutover verification strict and verify hydrated SQLite bytes against exact size and digest
  • use durable observation reservation/order as PR-file freshness proof, with fetched-at only as a legacy fallback

Validation

  • exact head: 7003e67
  • go test ./...
  • go vet ./...
  • go mod tidy
  • gofmt clean on touched Go files
  • git diff --check
  • focused resume/concurrency proof: go test ./internal/cli -run TestCloudPublishStageOnlyThenResumesDefaultCutover -count=1
  • CrawlKit v0.14.2 resolves to signed tag commit 22294e99c70e313fd5f0f34902649c7f68152130

Rollout gate

@clawsweeper clawsweeper Bot added rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. merge-risk: 🚨 availability 🚨 Merging this PR could cause crashes, hangs, restart loops, stalls, or process outages. labels Jul 12, 2026
@clawsweeper

clawsweeper Bot commented Jul 12, 2026

Copy link
Copy Markdown

Codex review: stale review; fresh review needed.

Summary
The latest durable ClawSweeper review was for head 57c5842fd489417baa1eb47b845d65d224eb9b5f, but the PR head is now 0ac0a1749328d35ec93f02f2afd977c1f8860ffb. Its old verdict and PR readiness labels are no longer current.

Next step
Run or wait for a fresh ClawSweeper review on the current PR head.

Review history (12 earlier review cycles; latest 8 shown)
  • reviewed 2026-07-12T11:56:38.730Z sha a94c58c :: found issues before merge. :: [P1] Recognize completed staged snapshots before re-ingesting
  • reviewed 2026-07-12T12:26:34.318Z sha efe1364 :: needs changes before merge. :: [P1] Recognize completed inactive staged snapshots before re-ingesting
  • reviewed 2026-07-12T12:38:08.002Z sha 1febffe :: needs maintainer review before merge. :: none
  • reviewed 2026-07-12T13:04:15.496Z sha 701fb8f :: needs maintainer review before merge. :: none
  • reviewed 2026-07-12T13:28:22.946Z sha af5ae32 :: needs maintainer review before merge. :: none
  • reviewed 2026-07-12T13:52:27.426Z sha 4cd93f7 :: needs maintainer review before merge. :: none
  • reviewed 2026-07-12T14:06:01.324Z sha 00e8738 :: needs maintainer review before merge. :: none
  • reviewed 2026-07-12T14:22:56.003Z sha 90bb683 :: needs changes before merge. :: [P1] Recognize inactive staged candidates before re-ingesting

@vincentkoc vincentkoc force-pushed the feat/cloud-v2-publish branch from 3dff57c to 5bb004d Compare July 12, 2026 10:50
@vincentkoc vincentkoc force-pushed the feat/cloud-v2-publish branch from 5bb004d to 8301159 Compare July 12, 2026 10:53
@clawsweeper clawsweeper Bot removed status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. merge-risk: 🚨 availability 🚨 Merging this PR could cause crashes, hangs, restart loops, stalls, or process outages. labels Jul 12, 2026
@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. feature: ✨ showcase ClawSweeper spotlight: unusually compelling feature idea for maintainer attention. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jul 12, 2026
@clawsweeper clawsweeper Bot added merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. labels Jul 12, 2026
@clawsweeper clawsweeper Bot added the merge-risk: 🚨 availability 🚨 Merging this PR could cause crashes, hangs, restart loops, stalls, or process outages. label Jul 12, 2026
@clawsweeper clawsweeper Bot added the merge-risk: 🚨 availability 🚨 Merging this PR could cause crashes, hangs, restart loops, stalls, or process outages. label Jul 12, 2026
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedgithub.com/​openclaw/​crawlkit@​v0.13.4 ⏵ v0.14.281 -9100100100100

View full report

@socket-security

Copy link
Copy Markdown

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Block High
Potentially malicious package (AI signal): golang github.com/openclaw/crawlkit is 86.0% likely malicious

Notes: High-risk/suspicious behavior: the code mutates the reviewed repository by installing “hostile” engine/tool configurations (CLI hooks, MCP server commands, cursor shell permissions, Pi extension that writes files) and then runs git add/commit. This is consistent with sabotage or supply-chain-style injection rather than a purely read-only reviewer-bundling tool. Additionally, the optional parallel-tests feature can execute arbitrary commands with shell=True and PowerShell ExecutionPolicy Bypass. Overall, treat this code as potentially malicious/unsafe until verified and isolated to explicit self-test modes.

Confidence: 0.86

Severity: 0.85

From: go.modgolang/github.com/openclaw/crawlkit@v0.14.2

ℹ Read more on: This package | This alert | What is AI-detected potential malware?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Given the AI system's identification of this package as malware, extreme caution is advised. It is recommended to avoid downloading or installing this package until the threat is confirmed or flagged as a false positive.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/openclaw/crawlkit@v0.14.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@clawsweeper clawsweeper Bot removed rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. merge-risk: 🚨 availability 🚨 Merging this PR could cause crashes, hangs, restart loops, stalls, or process outages. labels Jul 12, 2026
@vincentkoc vincentkoc marked this pull request as ready for review July 12, 2026 17:29
@vincentkoc vincentkoc requested a review from a team as a code owner July 12, 2026 17:29
@vincentkoc vincentkoc merged commit fc31bc7 into main Jul 12, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

P1 Urgent regression or broken agent/channel workflow affecting real users now.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant