Skip to content

Wire workspace admin controls#54

Merged
steipete merged 8 commits into
openclaw:mainfrom
Solvely-Colin:s/workspace-admin-controls
Jul 12, 2026
Merged

Wire workspace admin controls#54
steipete merged 8 commits into
openclaw:mainfrom
Solvely-Colin:s/workspace-admin-controls

Conversation

@Solvely-Colin

@Solvely-Colin Solvely-Colin commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Add workspace manager controls for name, slug, and icon updates.
  • Add owner-only ownership transfer and permanent workspace deletion.
  • Persist workspace icons and durable upload-cleanup queues in SQLite and Postgres.
  • Make every eligible ownership candidate reachable across all member-directory pages.
  • Serialize Postgres partial updates, ownership changes, and deletion against concurrent writes.
  • Keep published icons readable by workspace members without exposing unrelated private uploads.
  • Drain cleanup work beyond poisoned batches and recover failed object deletion after restart.
  • Add typed OpenAPI and TypeScript SDK workspace administration methods.
  • Preserve Windows-compatible SDK generation and deterministic embedded web assets.

Exact candidate

  • Head: 020b7f84e133e4f1c567c8ce7c66c3826cebc072
  • Base: eb6e05d0dd73872a3ba1d3822c1a7ad1d6a8fb4a
  • Contributor implementation remains the first authored commit; maintainer hardening follows in focused commits.

Proof

  • CLICKCLACK_POSTGRES_TEST_DSN=<disposable-postgres-17> pnpm check — pass, including SQLite and real Postgres migrations and lifecycle tests.
  • pnpm coverage — pass, 85.8% total Go statement coverage.
  • pnpm test:e2e — pass, 61 Playwright tests.
  • Focused real Postgres proof — update, ownership transfer, permanent deletion, failed cleanup persistence, store reopen, and recovery all pass.
  • Cleanup regression — more than one default batch with a full poisoned first page still attempts and removes every later object; retry drains the poison page.
  • Ownership regression — a target returned after the first 200 members is present in the accessible ownership selector.
  • Existing-profile Chrome proof — profile edits persist across reload; icon upload preserves pending local edits and does not overwrite a concurrent administrator update; transfer changes roles; former-owner deletion is rejected; current-owner deletion succeeds.
  • go run github.com/goreleaser/goreleaser/v2@v2.16.0 check — pass.
  • Private GoReleaser snapshot — pass for eight OS/architecture archives plus deb, rpm, and checksums; nothing published.
  • pnpm audit --prod — zero vulnerabilities.
  • govulncheck ./... — no vulnerabilities found.
  • Structured autoreview — clean after all accepted findings were fixed and re-reviewed.
  • Public model identifier audit — pass across source diff, generated assets, built binary/packages, and proof text.

User-visible behavior

  • Managers can update workspace identity and choose an authorized workspace image.
  • Owners can select any eligible human member, including members beyond page 200, and transfer ownership atomically.
  • Only the current owner can permanently delete the workspace.
  • Metadata deletion commits independently of object-store availability; failed object cleanup stays durable and retries without starving later rows.

Screenshot

Workspace icon proof

Copilot AI review requested due to automatic review settings July 12, 2026 03:54

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR wires full workspace admin controls end-to-end: backend store + HTTP API for updating workspace profile, transferring ownership, and deleting a workspace; plus web UI updates to manage and render workspace icons. It also updates the TypeScript SDK build to be Windows-friendly.

Changes:

  • Add workspace admin API endpoints (PATCH workspace, transfer ownership, delete) backed by new store interface methods and permission checks.
  • Persist and surface workspace.icon_url across DB schemas/migrations, store adapters, API responses, and web UI icon rendering.
  • Replace POSIX-only mkdir/cp in the TS SDK build script with a Node-based copy script.

Reviewed changes

Copilot reviewed 27 out of 73 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
packages/sdk-ts/scripts/copy-generated-types.mjs Node script to copy generated OpenAPI types (Windows-compatible).
packages/sdk-ts/package.json SDK build now invokes Node copy script instead of POSIX shell commands.
apps/web/src/styles/sidebar.css Styles for workspace header icon and guild rail image sizing/cropping.
apps/web/src/styles/settings.css Styles for workspace settings controls, status/errors, selects, and avatar image fit.
apps/web/src/routes/app/[workspaceID]/settings/overview/+page.svelte Workspace settings overview now supports editing name/slug, uploading icon, transferring ownership, and deleting workspace.
apps/web/src/lib/types.ts Adds Workspace.icon_url.
apps/web/src/components/navigation/Sidebar.svelte Sidebar header can render workspace icon.
apps/web/src/components/navigation/GuildRail.svelte Guild rail renders workspace icon images when present.
apps/web/src/ChatApp.svelte Passes selected workspace icon URL into Sidebar.
apps/api/internal/webassets/dist/index.html Rebuilt embedded webassets HTML entrypoint.
apps/api/internal/webassets/dist/200.html Rebuilt embedded webassets fallback HTML.
apps/api/internal/webassets/dist/_app/immutable/nodes/9.CDu5alQM.js Rebuilt embedded webassets bundle output.
apps/api/internal/webassets/dist/_app/immutable/nodes/9.BDSCeL1M.js Removed/rotated hashed bundle output from rebuild.
apps/api/internal/webassets/dist/_app/immutable/nodes/8.DsFZpWZS.js Removed/rotated hashed bundle output from rebuild.
apps/api/internal/webassets/dist/_app/immutable/nodes/8.BHcl3rtv.js Rebuilt embedded webassets bundle output.
apps/api/internal/webassets/dist/_app/immutable/nodes/7.9an27izZ.js Rebuilt embedded webassets bundle output.
apps/api/internal/webassets/dist/_app/immutable/nodes/6.CagJg1eD.js Rebuilt embedded webassets bundle output.
apps/api/internal/webassets/dist/_app/immutable/nodes/5.zX4VRxlb.js Removed/rotated hashed bundle output from rebuild.
apps/api/internal/webassets/dist/_app/immutable/nodes/5.O5p3Pyje.js Rebuilt embedded webassets bundle output.
apps/api/internal/webassets/dist/_app/immutable/nodes/4.D73AL4lC.js Rebuilt embedded webassets bundle output.
apps/api/internal/webassets/dist/_app/immutable/nodes/4._3UejRZu.js Removed/rotated hashed bundle output from rebuild.
apps/api/internal/webassets/dist/_app/immutable/nodes/3.F-rapJUn.js Rebuilt embedded webassets bundle output.
apps/api/internal/webassets/dist/_app/immutable/nodes/3.BOBxDKYZ.js Removed/rotated hashed bundle output from rebuild.
apps/api/internal/webassets/dist/_app/immutable/nodes/2.Bkcfcy6u.js Rebuilt embedded webassets bundle output.
apps/api/internal/webassets/dist/_app/immutable/nodes/10.D5B2o53Y.js Rebuilt embedded webassets bundle output.
apps/api/internal/webassets/dist/_app/immutable/nodes/10.BPYd-zrK.js Removed/rotated hashed bundle output from rebuild.
apps/api/internal/webassets/dist/_app/immutable/nodes/1.DanbpO9Q.js Removed/rotated hashed bundle output from rebuild.
apps/api/internal/webassets/dist/_app/immutable/nodes/1.CHMiefCn.js Rebuilt embedded webassets bundle output.
apps/api/internal/webassets/dist/_app/immutable/nodes/0.DiWWjBeQ.js Removed/rotated hashed bundle output from rebuild.
apps/api/internal/webassets/dist/_app/immutable/nodes/0.BriggHg7.js Rebuilt embedded webassets bundle output.
apps/api/internal/webassets/dist/_app/immutable/entry/start.Dyv7sipE.js Removed/rotated hashed bundle output from rebuild.
apps/api/internal/webassets/dist/_app/immutable/entry/start.2f8svVwH.js Rebuilt embedded webassets start entry.
apps/api/internal/webassets/dist/_app/immutable/entry/app.RH0QXgiE.js Rebuilt embedded webassets app entry.
apps/api/internal/webassets/dist/_app/immutable/entry/app.DAXQSUER.js Removed/rotated hashed bundle output from rebuild.
apps/api/internal/webassets/dist/_app/immutable/chunks/YqczlggC.js Rebuilt embedded webassets chunk output.
apps/api/internal/webassets/dist/_app/immutable/chunks/ngo_HMNL.js Rebuilt embedded webassets chunk output.
apps/api/internal/webassets/dist/_app/immutable/chunks/DXYf4c9c.js Rebuilt embedded webassets chunk output.
apps/api/internal/webassets/dist/_app/immutable/chunks/CXzWvqht.js Removed/rotated hashed bundle output from rebuild.
apps/api/internal/webassets/dist/_app/immutable/chunks/C3nQAG0S.js Rebuilt embedded webassets chunk output.
apps/api/internal/webassets/dist/_app/immutable/chunks/BMwWeE0w.js Rebuilt embedded webassets chunk output.
apps/api/internal/webassets/dist/_app/immutable/chunks/BiKJNDVR.js Rebuilt embedded webassets chunk output.
apps/api/internal/webassets/dist/_app/immutable/chunks/BhIAEoqt.js Rebuilt embedded webassets chunk output.
apps/api/internal/webassets/dist/_app/immutable/chunks/BeJijayk.js Removed/rotated hashed bundle output from rebuild.
apps/api/internal/webassets/dist/_app/immutable/chunks/B-UA2BLZ.js Removed/rotated hashed bundle output from rebuild.
apps/api/internal/webassets/dist/app/immutable/chunks/aWd3JpF.js Removed/rotated hashed bundle output from rebuild.
apps/api/internal/store/types.go Adds ErrWorkspaceOwnerRequired, Workspace.IconURL, and new store interface methods for workspace admin mutations.
apps/api/internal/store/sqlite/storedb/queries.sql.go Updates generated sqlite storedb rows to include icon_url in workspace queries.
apps/api/internal/store/sqlite/storedb/models.go Adds icon_url field to sqlite storedb Workspace model.
apps/api/internal/store/sqlite/sqlite.go Adds owner permission helper and workspace settings normalization/slug conflict mapping.
apps/api/internal/store/sqlite/sqlc/schema.sql Adds workspaces.icon_url column to sqlite schema.
apps/api/internal/store/sqlite/sqlc/queries.sql Extends workspace queries + adds new workspace mutation/permission queries (sqlc source).
apps/api/internal/store/sqlite/sqlc_adapters.go Maps icon_url from sqlc rows into store Workspace.
apps/api/internal/store/sqlite/routes.go Includes icon_url in resolved route target workspace payload.
apps/api/internal/store/sqlite/mutations.go Implements UpdateWorkspace / TransferOwnership / DeleteWorkspace in sqlite store.
apps/api/internal/store/sqlite/migrations/0021_workspace_icon_url.sql SQLite migration to add icon_url.
apps/api/internal/store/sqlite/members.go Workspace-by-slug query now includes icon_url.
apps/api/internal/store/postgres/storedb/queries.sql.go Updates generated postgres storedb rows to include icon_url in workspace queries.
apps/api/internal/store/postgres/storedb/models.go Adds icon_url field to postgres storedb Workspace model.
apps/api/internal/store/postgres/sqlc/schema.sql Adds workspaces.icon_url column to postgres schema.
apps/api/internal/store/postgres/sqlc/queries.sql Extends workspace queries + adds new workspace mutation/permission queries (sqlc source).
apps/api/internal/store/postgres/sqlc_adapters.go Maps icon_url from sqlc rows into store Workspace.
apps/api/internal/store/postgres/routes.go Includes icon_url in resolved route target workspace payload.
apps/api/internal/store/postgres/postgres.go Adds owner permission helper and workspace settings normalization/slug conflict mapping.
apps/api/internal/store/postgres/mutations.go Implements UpdateWorkspace / TransferOwnership / DeleteWorkspace in postgres store.
apps/api/internal/store/postgres/migrations/0014_workspace_icon_url.sql Postgres migration to add icon_url.
apps/api/internal/store/postgres/members.go Workspace-by-slug query now includes icon_url.
apps/api/internal/httpapi/server.go Registers new workspace admin routes and handlers; maps owner-required errors to 403.
Files not reviewed (4)
  • apps/api/internal/store/postgres/storedb/models.go: Generated file
  • apps/api/internal/store/postgres/storedb/queries.sql.go: Generated file
  • apps/api/internal/store/sqlite/storedb/models.go: Generated file
  • apps/api/internal/store/sqlite/storedb/queries.sql.go: Generated file

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread apps/api/internal/store/sqlite/sqlc/queries.sql
Comment thread apps/api/internal/store/postgres/sqlc/queries.sql
Comment thread apps/api/internal/store/sqlite/mutations.go Outdated
Comment thread apps/api/internal/store/postgres/mutations.go Outdated
Comment thread apps/web/src/components/navigation/GuildRail.svelte
Comment thread apps/api/internal/httpapi/server.go Outdated
Comment thread apps/api/internal/httpapi/server.go

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 65a76f89e7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread apps/api/internal/store/postgres/mutations.go Outdated
Comment thread apps/api/internal/store/sqlite/mutations.go Outdated
@clawsweeper

clawsweeper Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Codex review: needs real behavior proof before merge. Reviewed July 12, 2026, 8:11 AM ET / 12:11 UTC.

Summary
The PR adds manager workspace profile and icon controls, owner-only transfer and permanent deletion, durable cross-database upload cleanup, typed API/SDK methods, settings UI wiring, and lifecycle regression coverage.

Reproducibility: not applicable. to the feature request itself. The earlier pagination, authorization, cleanup, and concurrency defects have concrete source paths and focused regression coverage on the exact head; the current hosted failure reproduces only an unchanged notification test outside this feature.

Review metrics: 4 noteworthy metrics.

  • Changed surface: 97 files, +3188/-269. The branch coordinates destructive API behavior, two database adapters, generated clients/assets, browser UI, and SDK tooling.
  • Persistent migrations: 4 added across 2 stores. Workspace icons and durable cleanup rows change existing-install state in SQLite and Postgres.
  • Hosted browser suite: 60 passed, 1 failed. All new workspace-admin tests passed, while one unchanged notification test needs rerun or classification.
  • Review continuity: 11 completed prior cycles, 0 remaining prior findings. The current head addresses every previously reported blocker rather than silently dropping them.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🦐 gold shrimp
Patch quality: 🐚 platinum hermit
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Attach redacted exact-head terminal output, logs, or a recording for real Postgres upgrade, transfer, permanent deletion, cleanup failure persistence, restart, and recovery.
  • Re-run or explain the unchanged notification-test failure in the hosted Playwright job.

Proof guidance:

  • [P1] Needs stronger real behavior proof before merge: The inspected screenshot directly proves icon rendering, but transfer, permanent deletion, cleanup recovery, concurrent-edit preservation, and real Postgres upgrade are reported only in prose rather than linked inspectable output; add redacted artifacts, update the PR body to trigger review, or ask a maintainer to comment @clawsweeper re-review.

Risk before merge

  • [P1] Existing installations receive four new SQLite/Postgres migrations and permanent workspace deletion semantics; the PR body and maintainer comment report successful exact-head runs, but no linked terminal transcript, logs, recording, or database artifact directly demonstrates those upgrade and recovery paths.
  • [P1] The sole hosted Playwright failure is outside the new workspace-admin tests and the test source is unchanged from base, but the job should be re-run or otherwise classified before merge because generated web assets changed on this branch.

Maintainer options:

  1. Complete upgrade proof before merge (recommended)
    Re-run or classify the notification failure and attach inspectable exact-head SQLite/Postgres migration, transfer, deletion, and cleanup-recovery evidence.
  2. Accept summarized lifecycle proof
    Merge after a clean browser rerun while explicitly accepting that the destructive and existing-install paths are documented by detailed assertions rather than linked runtime artifacts.
  3. Pause the broad landing
    Defer the PR if maintainers do not want to accept permanent deletion and new persisted cleanup state without inspectable upgrade evidence.

Next step before merge

  • [P1] No narrow code defect is currently established for automated repair; maintainers should require inspectable exact-head lifecycle proof and a clean or explained Playwright rerun before merging.

Security
Cleared: The diff preserves human manager/owner authorization, rejects bot-token administration, restricts icon access to the selected same-workspace upload, and adds no new dependency or workflow execution source.

Review details

Best possible solution:

Keep the current atomic authorization and durable-cleanup design, re-run or classify the notification test failure, and attach redacted exact-head browser plus terminal/database evidence for existing-profile migration, ownership transfer, permanent deletion, cleanup failure persistence, restart, and recovery.

Do we have a high-confidence way to reproduce the issue?

Not applicable to the feature request itself. The earlier pagination, authorization, cleanup, and concurrency defects have concrete source paths and focused regression coverage on the exact head; the current hosted failure reproduces only an unchanged notification test outside this feature.

Is this the best way to solve the issue?

Yes for the implementation direction: typed SQL mutations, explicit owner/manager boundaries, serialized Postgres writes, and a durable cleanup queue are the narrowest coherent design. Merge readiness still requires better inspectable lifecycle proof and a clean or explained browser run.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against eb6e05d0dd73.

Label changes

Label justifications:

  • P2: This is a substantial but bounded administration feature with normal-priority product impact and no demonstrated urgent regression.
  • merge-risk: 🚨 compatibility: Merging adds stored-schema migrations and permanent deletion behavior whose upgrade and recovery safety is not fully settled by green unit checks or the icon screenshot.
  • rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🦐 gold shrimp and patch quality is 🐚 platinum hermit.
  • status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The inspected screenshot directly proves icon rendering, but transfer, permanent deletion, cleanup recovery, concurrent-edit preservation, and real Postgres upgrade are reported only in prose rather than linked inspectable output; add redacted artifacts, update the PR body to trigger review, or ask a maintainer to comment @clawsweeper re-review.
  • proof: 📸 screenshot: Contributor real behavior proof includes screenshot evidence. The inspected screenshot directly proves icon rendering, but transfer, permanent deletion, cleanup recovery, concurrent-edit preservation, and real Postgres upgrade are reported only in prose rather than linked inspectable output; add redacted artifacts, update the PR body to trigger review, or ask a maintainer to comment @clawsweeper re-review.
Evidence reviewed

What I checked:

  • Prior findings resolved: The exact head adds cursor-complete ownership candidate loading, same-workspace icon visibility, generated sqlc mutations, serialized Postgres ownership and deletion paths, durable cleanup retries, and focused regression coverage corresponding to the earlier review findings. (apps/web/src/routes/app/[workspaceID, 9d859b332ef1)
  • Ownership serialization: Postgres locks the actor and target membership rows before role validation and performs the demotion and promotion in one transaction, addressing the concurrent-transfer defect. (apps/api/internal/store/postgres/mutations.go:55, 9d859b332ef1)
  • Durable deletion lifecycle: The database transaction records every upload storage path in the cleanup queue before deleting workspace metadata and commits independently of subsequent object-store cleanup. (apps/api/internal/store/postgres/mutations.go:110, 9d859b332ef1)
  • Cleanup starvation protection: The retry sweep tracks rows already attempted and expands its query window when poison rows fill the first page, allowing later cleanup work to proceed. (apps/api/internal/httpapi/server.go:567, 9d859b332ef1)
  • SQL generation policy satisfied: The branch changes sqlc schema/query sources and includes matching generated storedb helpers for SQLite and Postgres, consistent with AGENTS.md. (apps/api/internal/store/postgres/sqlc/queries.sql:242, 9d859b332ef1)
  • Visible proof inspected: The linked PNG visibly demonstrates the uploaded workspace icon rendering in the workspace rail and active workspace header, but it does not show transfer, deletion, cleanup recovery, or database migration behavior. (9d859b332ef1)

Likely related people:

  • steipete: Authored the core API/store foundation and six focused commits completing concurrency, cleanup, pagination, proof, and generated-asset work on this branch. (role: original subsystem author and branch hardening author; confidence: high; commits: 03feef83cd6e, 039bd20478de, d9939d171311; files: apps/api/internal/httpapi/server.go, apps/api/internal/store/types.go, apps/api/internal/store/postgres/mutations.go)
  • Shakker: Introduced the paginated workspace-members endpoint and recent workspace authorization changes used by the ownership selector and permission boundary. (role: workspace membership and authorization feature owner; confidence: high; commits: db8bb6dfcdc4, 3edf830a5477, 4cea8ecb29bb; files: apps/api/internal/httpapi/server.go)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
Review history (11 earlier review cycles; latest 8 shown)
  • reviewed 2026-07-12T04:30:51.412Z sha 2fd181b :: needs real behavior proof before merge. :: [P1] Keep workspace metadata until upload cleanup can succeed
  • reviewed 2026-07-12T04:49:06.745Z sha 72db3ae :: needs changes before merge. :: [P1] Keep workspace metadata until upload cleanup can succeed | [P2] Regenerate a repeatable embedded web build
  • reviewed 2026-07-12T04:56:31.919Z sha 96a7361 :: needs changes before merge. :: [P1] Preserve cleanup metadata until storage deletion succeeds | [P2] Format the moved settings redirect file
  • reviewed 2026-07-12T05:01:50.497Z sha 8438d62 :: needs changes before merge. :: [P1] Preserve cleanup metadata until storage deletion succeeds
  • reviewed 2026-07-12T05:19:52.272Z sha f2e3152 :: needs changes before merge. :: [P1] Report committed workspace deletion as successful | [P2] Drain pending cleanup rows beyond the first 100
  • reviewed 2026-07-12T05:25:10.561Z sha f2e3152 :: needs changes before merge. :: [P1] Report committed workspace deletion as successful | [P2] Drain pending cleanup rows beyond the first 100
  • reviewed 2026-07-12T05:52:57.857Z sha 842a100 :: needs real behavior proof before merge. :: none
  • reviewed 2026-07-12T05:58:50.126Z sha 842a100 :: needs real behavior proof before merge. :: [P2] Load ownership targets beyond the first member page

@Solvely-Colin Solvely-Colin force-pushed the s/workspace-admin-controls branch from 65a76f8 to 970edae Compare July 12, 2026 04:03
@clawsweeper clawsweeper Bot added proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P1 Urgent regression or broken agent/channel workflow affecting real users now. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. merge-risk: 🚨 other 🚨 Merging this PR has meaningful risk outside the owned taxonomy. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. labels Jul 12, 2026
@Solvely-Colin Solvely-Colin force-pushed the s/workspace-admin-controls branch from 970edae to 2fd181b Compare July 12, 2026 04:23
@Solvely-Colin

Copy link
Copy Markdown
Contributor Author

Resolved the review blockers in 2fd181b:

  • Rebased onto current main and regenerated sqlc + webassets.
  • Switched workspace mutations to generated sqlc helpers.
  • Made workspace icon uploads visible to same-workspace members only.
  • Added workspace upload storage cleanup on delete.
  • Locked Postgres transfer role reads with FOR UPDATE.
  • Added HTTP regression coverage for second-member icon access, member/bot rejection, transfer, audit metadata, and delete cleanup.
  • Added SQLite/Postgres workspace icon migration upgrade tests.
  • Updated PR body with external proof artifact and embedded proof image.

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. and removed rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. labels Jul 12, 2026
@Solvely-Colin Solvely-Colin force-pushed the s/workspace-admin-controls branch from 2fd181b to ad0467f Compare July 12, 2026 04:35
@clawsweeper clawsweeper Bot removed rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. merge-risk: 🚨 other 🚨 Merging this PR has meaningful risk outside the owned taxonomy. labels Jul 12, 2026
@Solvely-Colin Solvely-Colin force-pushed the s/workspace-admin-controls branch from ad0467f to 72db3ae Compare July 12, 2026 04:42
@clawsweeper clawsweeper Bot added proof: sufficient Contributor real behavior proof is sufficient. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. merge-risk: 🚨 automation 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation. labels Jul 12, 2026
@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. and removed rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. labels Jul 12, 2026
@Solvely-Colin Solvely-Colin force-pushed the s/workspace-admin-controls branch from f2e3152 to 842a100 Compare July 12, 2026 05:48
@clawsweeper clawsweeper Bot added proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal priority bug or improvement with limited blast radius. and removed proof: sufficient Contributor real behavior proof is sufficient. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. P1 Urgent regression or broken agent/channel workflow affecting real users now. merge-risk: 🚨 other 🚨 Merging this PR has meaningful risk outside the owned taxonomy. labels Jul 12, 2026
@steipete steipete force-pushed the s/workspace-admin-controls branch from 842a100 to 9d859b3 Compare July 12, 2026 12:06
@steipete

steipete commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Exact-head landing proof for 020b7f84e133e4f1c567c8ce7c66c3826cebc072 on current main eb6e05d0dd73872a3ba1d3822c1a7ad1d6a8fb4a:

  • Reconciled the contributor branch onto current main; Colin's authored implementation commit remains first in the eight-commit stack and changelog credit is preserved.
  • Fixed ownership-candidate pagination beyond 200, with Playwright regression coverage.
  • Proved SQLite and disposable Postgres 17 migration, profile update, ownership transfer, permanent deletion, failed cleanup persistence, reopen, and recovery.
  • Proved that a full poisoned cleanup page cannot starve later objects.
  • Proved icon authorization/visibility and Postgres concurrent update/deletion locking.
  • Existing-profile Chrome confirmed accessible controls, second-page selection, persistence, role changes, authorization rejection, deletion, cleanup recovery, and concurrent-edit preservation.
  • pnpm check, pnpm coverage (85.8%), and all 61 Playwright tests passed.
  • GoReleaser configuration and private multi-platform snapshot passed; no artifact was published.
  • Production dependency audit and Go vulnerability scan found no vulnerabilities.
  • Structured autoreview is clean; public model identifier audit passed for the exact candidate and proof surfaces.
  • Stabilized two hosted notification races by waiting for the actual realtime connection, using collision-resistant fixtures, and binding notification assertions to the exact channel. Focused parallel stress passed 40/40; the full suite passed 61/61 locally.

Hosted checks are now running against this exact head. @clawsweeper re-review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9d859b332e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

IconURL: body.IconURL,
})
if err == nil && event.ID != "" {
s.publishEvent(r.Context(), event)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Handle workspace update events in the web client

When one member changes the workspace name or icon, this publishes workspace.updated, but the web realtime handler in ChatApp.svelte only reloads for channel and member-moderation events and never handles this event type. Other connected members therefore keep seeing stale GuildRail/Sidebar names and icons until a full reload, so the new admin controls do not propagate to live clients; please reload workspace data on workspace.updated.

Useful? React with 👍 / 👎.

Comment on lines +994 to +996
if !strings.HasPrefix(contentType, "image/") {
return errors.New("workspace icon must be an image")
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Reject icon types uploads cannot serve inline

When an API or SDK client sets an upload with a type like image/svg+xml or image/heic as the icon, this validation accepts it, but getUpload later runs the stored type through safeUploadContentType, which only preserves PNG/JPEG/GIF/WebP image MIME types and otherwise serves application/octet-stream. That lets a workspace save an icon URL that the sidebar/rail <img> can render as broken; validate against the same renderable image allowlist here and in the SQLite mirror, or serve the accepted types as images.

Useful? React with 👍 / 👎.

@steipete

Copy link
Copy Markdown
Contributor

Hosted notification-race stabilization is now on exact head 020b7f84e133e4f1c567c8ce7c66c3826cebc072; local focused stress is 40/40 and full Playwright is 61/61. Please bind the final review to this head. @clawsweeper re-review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 020b7f84e1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +90 to +92
if targetRole == store.WorkspaceRoleBot || targetRole == store.WorkspaceRoleGuest {
return store.Workspace{}, store.Event{}, errors.New("new owner must be a human member or moderator")
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Reject moderated ownership targets

When the selected target is currently blocked or timed out, this validation still allows the transfer because it only checks the role; the moderation row remains in place after the target is promoted. The new owner is then immediately rejected by owner/manager flows that call requireNoModerationBlockTx (for example workspace updates and member moderation), while the UI can still offer such members because the transfer list is built from the regular member page without moderation state. Please reject or clear active moderation for the target before promoting them; the SQLite implementation mirrors this same check.

Useful? React with 👍 / 👎.

@steipete steipete merged commit e493526 into openclaw:main Jul 12, 2026
7 checks passed
@steipete

Copy link
Copy Markdown
Contributor

Merged by rebase at e493526788725130168e240ec0e1dd2d8e16b488.

  • Main's tree exactly matches the proven candidate tree (6b7dbb3b387d81ddde4950d97fe2d8ff29fbb1e9).
  • Colin's authored implementation is preserved as main commit e5c18102630447f7b8926d88ac60c1b463db029c; changelog credit remains intact.
  • Exact-head hosted CI is green: TypeScript, Go, Playwright, and Docker, plus macOS, Linux, and Windows desktop.
  • Local gates: pnpm check; 85.8% Go coverage; Playwright 61/61; notification stress 40/40; SQLite and disposable Postgres 17 upgrade/transfer/delete/failure-recovery proof; existing-profile Chrome behavior proof; private GoReleaser snapshot; npm and Go vulnerability audits; clean autoreview; Public Model Identifier Gate PASS.

No release, deployment, version bump, tag, registry publication, or unrelated dependency update was performed.

@steipete

Copy link
Copy Markdown
Contributor

Post-merge verification on synchronized main at e493526788725130168e240ec0e1dd2d8e16b488 is green: pnpm check passed and the built Go-backed Playwright suite passed 61/61. Checkout tree remains identical to the reviewed candidate tree.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. P2 Normal priority bug or improvement with limited blast radius. proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants