Skip to content

fix: align command status comment trust config#83

Merged
hxy91819 merged 1 commit into
mainfrom
fix/command-status-config
May 17, 2026
Merged

fix: align command status comment trust config#83
hxy91819 merged 1 commit into
mainfrom
fix/command-status-config

Conversation

@hxy91819
Copy link
Copy Markdown
Member

@hxy91819 hxy91819 commented May 17, 2026
edited
Loading

Problem

PR #75 fixed a real command-status targeting bug: ordinary event-item reviews and /clawsweeper re-review command runs share the same clawsweeper_item workflow, but only command-triggered re-reviews have a command status comment to update. When an ordinary PR/issue event had no command_status_marker or status_comment_id, the old parser could treat --marker "" as the string "true", causing update-command-status to scan comments for body.includes("true") and potentially patch a human comment such as one containing isError: true.

That fix left two follow-up issues in the merged code:

  • update-command-status hardcoded clawsweeper and openclaw-clawsweeper as trusted status comment authors, while the rest of the repair lane supports trusted bot overrides through CLAWSWEEPER_TRUSTED_BOTS.
  • The direct env fallback for the status comment id read CLAWSWEEPER_STATUS_COMMENT_ID, but the workflow exports STATUS_COMMENT_ID and passes that value to --status-comment-id.

Solution

This follow-up keeps PR #75's conservative behavior: update-command-status only updates a status comment that can be proven by exact comment id or full command marker, and the target must be authored by a trusted bot.

The changes are:

  • Export the repair lane default trusted bot list from src/repair/config.ts so command status updates do not maintain a second copy of that policy.
  • Parse --trusted-bots / CLAWSWEEPER_TRUSTED_BOTS in src/repair/update-command-status.ts and use isAllowedMutationActor() for the same foo / foo[bot] normalization used elsewhere in the repair lane.
  • Align the env fallback with the workflow by reading STATUS_COMMENT_ID when --status-comment-id is not provided.
  • Add regression tests for env-based status comment id parsing, custom trusted bot exact-id matching, custom trusted bot marker fallback, and the existing human-comment guard.

Test plan

  • pnpm run build:repair && node --test test/repair/update-command-status.test.ts
  • nvm use 24 && pnpm run check

@hxy91819
fix: align command status comment trust config
5f2e6db 
Reuse the repair lane trusted bot configuration when updating command status comments and align the direct env fallback with the workflow's STATUS_COMMENT_ID name.
@hxy91819
Copy link
Copy Markdown
Member Author

hxy91819 commented May 17, 2026

@codex review

@chatgpt-codex-connector
Copy link
Copy Markdown

chatgpt-codex-connector Bot commented May 17, 2026

Codex Review: Didn't find any major issues. You're on a roll.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@hxy91819 hxy91819 merged commit cf1961e into main May 17, 2026
8 checks passed
@hxy91819 hxy91819 deleted the fix/command-status-config branch May 17, 2026 03:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@hxy91819