惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Schneier on Security
The Register - Security
The Register - Security
月光博客
月光博客
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The GitHub Blog
The GitHub Blog
博客园 - 司徒正美
罗磊的独立博客
U
Unit 42
S
SegmentFault 最新的问题
Y
Y Combinator Blog
博客园_首页
Hugging Face - Blog
Hugging Face - Blog
J
Java Code Geeks
Schneier on Security
Schneier on Security
Know Your Adversary
Know Your Adversary
C
Check Point Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Simon Willison's Weblog
Simon Willison's Weblog
V
Vulnerabilities – Threatpost
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
阮一峰的网络日志
阮一峰的网络日志
The Hacker News
The Hacker News
博客园 - 叶小钗
C
Cybersecurity and Infrastructure Security Agency CISA
Spread Privacy
Spread Privacy
L
LINUX DO - 热门话题
T
The Exploit Database - CXSecurity.com
P
Palo Alto Networks Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Latest news
Latest news
L
Lohrmann on Cybersecurity
A
About on SuperTechFans
L
LangChain Blog
Stack Overflow Blog
Stack Overflow Blog
S
Securelist
A
Arctic Wolf
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Threatpost
Scott Helme
Scott Helme
博客园 - 聂微东
博客园 - 【当耐特】
T
Tenable Blog
I
Intezer
D
DataBreaches.Net
B
Blog RSS Feed
Security Latest
Security Latest
C
Cisco Blogs
T
Tor Project blog
N
Netflix TechBlog - Medium

Recent Commits to openclaw:main

test: merge chat side-result checks · openclaw/openclaw@ddd2c2a test: merge cron history checks · openclaw/openclaw@f7eb746 test: merge responsive navigation shell checks · openclaw/openclaw@c2e4b47 docs(changelog): add codex oauth fixes · openclaw/openclaw@628e6cd test: merge navigation routing cases · openclaw/openclaw@5d8cecb Tests: mock channel registry bundled fallback · openclaw/openclaw@2b08233 Secrets: avoid broad web search discovery for single plugin config · openclaw/openclaw@a464f59 test: merge config view browser checks · openclaw/openclaw@20cf511 fix(status): align oauth health with runtime · openclaw/openclaw@eed7116 feat: add macOS screen snapshots for monitor preview (#67954) thanks … · openclaw/openclaw@f377db1 fix: report shared auth scopes in hello-ok (#67810) thanks @BunsDev · openclaw/openclaw@0b6c39b Auto-reply: avoid eager bundled route fallback · openclaw/openclaw@3ea1bf4 Tests: narrow session binding contract setup · openclaw/openclaw@54e4e16 fix(macOS): enable undo/redo in webchat composer text input (#34962) · openclaw/openclaw@00951dc Tests: speed up channel setup promotion · openclaw/openclaw@82b529a Docs: refresh agent instructions · openclaw/openclaw@5775fe2 fix(auth): serialize OAuth refresh across agents to fix #26322 (#67876) · openclaw/openclaw@8e79080 test: allow ollama public surface boundary test · openclaw/openclaw@7d4f1a6 Docs: add test performance guardrails · openclaw/openclaw@89706d3 Tests: restore context-engine usage proof · openclaw/openclaw@e4c4f95 Tests: slim context engine runtime coverage · openclaw/openclaw@74c198f ci: retry failed custom checkouts · openclaw/openclaw@0ee5baf test: trim duplicate provider auth onboarding cases · openclaw/openclaw@1ffc02e matrix: fix sessions_spawn --thread subagent session spawning (#67643) · openclaw/openclaw@1ce2596 test: reduce auth choice fixture churn · openclaw/openclaw@857b9cd test: mock health status config boundaries · openclaw/openclaw@9d5ab4a test: mock onboard config io boundary · openclaw/openclaw@299694d test: mock legacy state plugin boundaries · openclaw/openclaw@2713089 test: mock channel install boundaries · openclaw/openclaw@b945248 test: mock doctor preview channel boundaries · openclaw/openclaw@b1a3ad4 test: trim doctor command hotspots · openclaw/openclaw@c66f16a test: isolate agent auth and spawn hotspots · openclaw/openclaw@9285935 test: stabilize MCP startup disposal race · openclaw/openclaw@dd9d2eb test: merge browser contract server suites · openclaw/openclaw@5817a76 test: narrow ollama provider discovery setup · openclaw/openclaw@a0d9598 build: declare qa-lab aimock runtime dependency · openclaw/openclaw@24431e5 test: speed up safe-bins exec harness · openclaw/openclaw@ee856ab test: preserve tool helpers in embedded runner mocks · openclaw/openclaw@acd86a0 refactor: move memory embeddings into provider plugins · openclaw/openclaw@77e6e4c test: reuse system-run temp fixtures · openclaw/openclaw@7e9ff0f test: trim hotspot wait overhead · openclaw/openclaw@12a59b0 Check: avoid duplicate boundary prep · openclaw/openclaw@baf11b8 test: reduce hotspot fixture overhead · openclaw/openclaw@3a59edd feat(ui): overhaul settings and slash command UX (#67819) thanks @Bun… · openclaw/openclaw@2cfb660 QA Matrix: exit cleanly on failure · openclaw/openclaw@42805d2 QA Matrix: isolate scenario coverage · openclaw/openclaw@7e659e1 Matrix: refresh crypto bootstrap state · openclaw/openclaw@94081d8 QA Lab: add provider registry · openclaw/openclaw@bb7e982 Matrix: add plugin changelog · openclaw/openclaw@4acab55 test: trim more hotspot overhead · openclaw/openclaw@f485311 test: trim remaining hotspot tests · openclaw/openclaw@6ba8626 test: narrow hotspot mocks · openclaw/openclaw@dbc8179 test: isolate gemini embedding request helpers · openclaw/openclaw@cd330f5 test: trim memory and mcp hotspots · openclaw/openclaw@fd48dfa test: slim provider registry mocks · openclaw/openclaw@2e08c77 test: harden Parallels update smoke · openclaw/openclaw@1a98090 feat: default Anthropic to Opus 4.7 · openclaw/openclaw@628b454 fix: harden node-host shell payload mutability checks · openclaw/openclaw@75c551e fix: land node-host approval binding for native binaries (#66731) (th… · openclaw/openclaw@29919bb CI: add daily schedule to CodeQL workflow (#67645) · openclaw/openclaw@69d25f5 fix(gateway): capture config hash after plugin auto-enable to prevent… · openclaw/openclaw@8c11210 fix: repair sanitized replay tool results before send (#67620) (thank… · openclaw/openclaw@c3c7a99 fix: restrict HTML timeout short-circuit to transient statuses · openclaw/openclaw@de129a6 fix: keep TUI watchdog bound to active run (#67401) (thanks @xantorres) · openclaw/openclaw@3525273 Gateway/skills: dedupe skills prefix-match + drop dead fallback on log · openclaw/openclaw@d7f489f Extensions/lmstudio: back off inference preload after consecutive fai… · openclaw/openclaw@b555214 TUI/streaming: add watchdog that resets the activity indicator after … · openclaw/openclaw@f44ab20 Agents/tool-loop: enable unknown-tool stream guard by default · openclaw/openclaw@36ed367 Gateway/skills: invalidate session skills snapshot on config write · openclaw/openclaw@b23d59a fix: classify HTML provider error pages correctly (#67642) (thanks @s… · openclaw/openclaw@e588e90 fix(skills): remove unused model-usage import (#67641) · openclaw/openclaw@55f05df docs(changelog): credit codex fix superseded PRs · openclaw/openclaw@e485f24 fix(openai-codex): normalize stale transport metadata in resolution a… · openclaw/openclaw@90801ba CI: pin Docker-related GitHub Actions (#67632) · openclaw/openclaw@f697b01 Android: modernize WebView and discovery API usage (#67627) · openclaw/openclaw@44a6e50 fix(deps): bump hono to 4.12.14 and @hono/node-server to 1.19.14 (GHS… · openclaw/openclaw@fbccc18 fix(deps): bump dompurify to 3.4.0 (#67614) · openclaw/openclaw@2c2dc00 CI: add explicit permissions to all workflow jobs (fixes code-scannin… · openclaw/openclaw@01b7516 fix: register bundled TTS providers and route overrides correctly (#6… · openclaw/openclaw@6ea3cdd fix: align host tilde paths with OS home (#62804) (thanks @stainlu) · openclaw/openclaw@ecfaf64 fix: flush creds queue before reconnect socket open (#67464) (thanks … · openclaw/openclaw@405c63f fix: strip standalone <function> tool call tags from visible text (#6… · openclaw/openclaw@78df859 fix(agents): preserve cli session metadata before transcript persist … · openclaw/openclaw@898fd04 docs(changelog): move cli transcript entry · openclaw/openclaw@c1817c6 fix(agents): normalize cli transcript api field · openclaw/openclaw@3a3fae0 docs(changelog): note cli transcript persistence · openclaw/openclaw@6c343f1 fix(agents): persist cli transcript turns · openclaw/openclaw@b8ef507 fix(msteams): harden security-sensitive flows (#65841) · openclaw/openclaw@c56b56e [Dashboard] Fix exec approval modal overflow for long command content… · openclaw/openclaw@053c5b0 Docs: remove QA changelog entry · openclaw/openclaw@7fd5771 QA: fix private runtime source loading (#67428) · openclaw/openclaw@d5933af docs(gateway): correct protocol.md schema path, hello-ok example, aut… · openclaw/openclaw@489404d CI: pin Node 22 runners to 22.18.0 · openclaw/openclaw@4ffa621 models.authStatus: normalize provider ids + tighten env-backed escape… · openclaw/openclaw@f2fdb9d Update CHANGELOG.md · openclaw/openclaw@7694a92 test(parallels): clean up npm update guard jobs · openclaw/openclaw@045ea7b Plugins: prefer scanDir override paths · openclaw/openclaw@b2974da fix(dreaming): default storage.mode to "separate" so phase blocks sto… · openclaw/openclaw@8c392f0 fix(memory-core): skip dreaming transcript ingestion via session stor… · openclaw/openclaw@a1b01f0 fix: dedupe replayed exec.finished node events (#67281) · openclaw/openclaw@5dcf526
fix(ci): honor exact-head proof verdicts (#83688) · openclaw/openclaw@e4fba78
Takhoffman · 2026-05-19 · via Recent Commits to openclaw:main
Original file line numberDiff line numberDiff line change

@@ -18,6 +18,7 @@ jobs:

1818

name: Real behavior proof

1919

permissions:

2020

contents: read

21+

issues: read

2122

pull-requests: read

2223

runs-on: ubuntu-24.04

2324

steps:

Original file line numberDiff line numberDiff line change

@@ -7,6 +7,7 @@ import {

77

PROOF_SUFFICIENT_LABEL,

88

PROOF_SUPPLIED_LABEL,

99

evaluateRealBehaviorProof,

10+

hasClawSweeperExactHeadProof,

1011

labelsForRealBehaviorProof,

1112

} from "./real-behavior-proof-policy.mjs";

1213

@@ -767,6 +768,15 @@ async function listPullRequestFiles(github, context, pullRequest) {

767768

});

768769

}

769770
771+

async function listIssueComments(github, context, issueNumber) {

772+

return github.paginate(github.rest.issues.listComments, {

773+

owner: context.repo.owner,

774+

repo: context.repo.repo,

775+

issue_number: issueNumber,

776+

per_page: 100,

777+

});

778+

}

779+
770780

async function addMissingLabels(github, context, core, issueNumber, labels, labelSet) {

771781

const missingLabels = labels.filter((label) => !labelSet.has(label));

772782

if (missingLabels.length === 0) {

@@ -784,7 +794,10 @@ async function addMissingLabels(github, context, core, issueNumber, labels, labe

784794

core.info(`Added candidate labels to #${issueNumber}: ${missingLabels.join(", ")}`);

785795

}

786796
787-

function shouldRemoveProofSufficientLabel(context, proofEvaluation) {

797+

function shouldRemoveProofSufficientLabel(context, proofEvaluation, hasExactHeadClawSweeperProof) {

798+

if (hasExactHeadClawSweeperProof) {

799+

return false;

800+

}

788801

if (proofEvaluation.status !== "passed") {

789802

return true;

790803

}

@@ -793,6 +806,12 @@ function shouldRemoveProofSufficientLabel(context, proofEvaluation) {

793806
794807

async function applyPullRequestCandidateLabels(github, context, core, pullRequest, labelSet) {

795808

const files = await listPullRequestFiles(github, context, pullRequest);

809+

const hasExactHeadClawSweeperProof =

810+

labelSet.has(PROOF_SUFFICIENT_LABEL) &&

811+

hasClawSweeperExactHeadProof({

812+

pullRequest,

813+

comments: await listIssueComments(github, context, pullRequest.number),

814+

});

796815

const proofEvaluation = evaluateRealBehaviorProof({

797816

pullRequest: {

798817

...pullRequest,

@@ -811,7 +830,7 @@ async function applyPullRequestCandidateLabels(github, context, core, pullReques

811830

);

812831

if (

813832

labelSet.has(PROOF_SUFFICIENT_LABEL) &&

814-

shouldRemoveProofSufficientLabel(context, proofEvaluation)

833+

shouldRemoveProofSufficientLabel(context, proofEvaluation, hasExactHeadClawSweeperProof)

815834

) {

816835

staleProofLabels.push(PROOF_SUFFICIENT_LABEL);

817836

}

Original file line numberDiff line numberDiff line change

@@ -1,6 +1,7 @@

11

#!/usr/bin/env node

22

import { readFileSync } from "node:fs";

33

import {

4+

evaluateClawSweeperExactHeadProof,

45

evaluateRealBehaviorProof,

56

isMaintainerTeamMember,

67

} from "./real-behavior-proof-policy.mjs";

@@ -26,12 +27,12 @@ if (!pullRequest) {

2627

process.exit(0);

2728

}

2829
29-

const token = process.env.GH_APP_TOKEN;

30+

const appToken = process.env.GH_APP_TOKEN;

3031

const org = event.repository?.owner?.login;

3132

const authorLogin = pullRequest.user?.login;

32-

if (token && org && authorLogin) {

33+

if (appToken && org && authorLogin) {

3334

try {

34-

if (await isMaintainerTeamMember({ token, org, login: authorLogin })) {

35+

if (await isMaintainerTeamMember({ token: appToken, org, login: authorLogin })) {

3536

console.log(

3637

`PR author @${authorLogin} is an active member of the ${org}/maintainer team; skipping real behavior proof gate.`,

3738

);

@@ -50,6 +51,44 @@ if (evaluation.passed) {

5051

process.exit(0);

5152

}

5253
54+

const token = appToken || process.env.GITHUB_TOKEN;

55+

const repository = process.env.GITHUB_REPOSITORY;

56+

if (token && repository && pullRequest.number) {

57+

const [owner, repo] = repository.split("/");

58+

const comments = [];

59+

for (let page = 1; page <= 10; page += 1) {

60+

const url = new URL(

61+

`https://api.github.com/repos/${owner}/${repo}/issues/${pullRequest.number}/comments`,

62+

);

63+

url.searchParams.set("per_page", "100");

64+

url.searchParams.set("page", String(page));

65+

const response = await fetch(url, {

66+

headers: {

67+

Accept: "application/vnd.github+json",

68+

Authorization: `Bearer ${token}`,

69+

"X-GitHub-Api-Version": "2022-11-28",

70+

},

71+

});

72+

if (!response.ok) {

73+

throw new Error(`Failed to fetch PR comments for proof verdicts: ${response.status}`);

74+

}

75+

const pageComments = await response.json();

76+

comments.push(...pageComments);

77+

if (pageComments.length < 100) {

78+

break;

79+

}

80+

}

81+
82+

const clawSweeperEvaluation = evaluateClawSweeperExactHeadProof({

83+

pullRequest,

84+

comments,

85+

});

86+

if (clawSweeperEvaluation.passed) {

87+

console.log(clawSweeperEvaluation.reason);

88+

process.exit(0);

89+

}

90+

}

91+
5392

const message = `${evaluation.reason} Add after-fix evidence from a real OpenClaw setup in the PR body. Screenshots, recordings, terminal screenshots, console output, redacted runtime logs, linked artifacts, or copied live output count. Unit tests, mocks, snapshots, lint, typechecks, and CI are supplemental only. A maintainer can apply proof: override when appropriate.`;

5493

console.error(`::error title=Real behavior proof required::${escapeCommandValue(message)}`);

5594

process.exit(1);

Original file line numberDiff line numberDiff line change

@@ -5,6 +5,8 @@ export const NEEDS_REAL_BEHAVIOR_PROOF_LABEL = "triage: needs-real-behavior-proo

55

export const MOCK_ONLY_PROOF_LABEL = "triage: mock-only-proof";

66

export const MAINTAINER_TEAM_SLUG = "maintainer";

77
8+

export const CLAWSWEEPER_PROOF_VERDICT_STATUS = "clawsweeper_exact_head_pass";

9+
810

const privilegedAuthorAssociations = new Set(["OWNER", "MEMBER", "COLLABORATOR"]);

911
1012

const requiredProofFields = [

@@ -230,11 +232,47 @@ function result(status, reason, details = {}) {

230232

status,

231233

reason,

232234

applies: ["passed", "missing", "mock_only", "insufficient", "override"].includes(status),

233-

passed: ["passed", "skipped", "override"].includes(status),

235+

passed: ["passed", "skipped", "override", CLAWSWEEPER_PROOF_VERDICT_STATUS].includes(status),

234236

...details,

235237

};

236238

}

237239
240+

function extractMarkerField(marker, name) {

241+

const match = marker.match(new RegExp(`\\b${escapeRegex(name)}=([^\\s>]+)`, "i"));

242+

return match?.[1] ?? "";

243+

}

244+
245+

export function hasClawSweeperExactHeadProof({ pullRequest, comments = [] } = {}) {

246+

const pullNumber = String(pullRequest?.number ?? "");

247+

const headSha = String(pullRequest?.head?.sha ?? pullRequest?.head_sha ?? "").toLowerCase();

248+

if (!pullNumber || !/^[0-9a-f]{40}$/i.test(headSha)) {

249+

return false;

250+

}

251+
252+

for (const comment of comments) {

253+

const body = String(comment?.body ?? "");

254+

const markers = body.match(/<!--\s*clawsweeper-verdict:pass\b[\s\S]*?-->/gi) ?? [];

255+

for (const marker of markers) {

256+

const item = extractMarkerField(marker, "item");

257+

const sha = extractMarkerField(marker, "sha").toLowerCase();

258+

if (item === pullNumber && sha === headSha) {

259+

return true;

260+

}

261+

}

262+

}

263+

return false;

264+

}

265+
266+

export function evaluateClawSweeperExactHeadProof({ pullRequest, comments = [] } = {}) {

267+

if (hasClawSweeperExactHeadProof({ pullRequest, comments })) {

268+

return result(

269+

CLAWSWEEPER_PROOF_VERDICT_STATUS,

270+

"ClawSweeper accepted real behavior proof for the exact PR head.",

271+

);

272+

}

273+

return result("insufficient", "No exact-head ClawSweeper proof verdict was found.");

274+

}

275+
238276

export function evaluateRealBehaviorProof({ pullRequest, labels } = {}) {

239277

const currentLabels = labels ?? pullRequest?.labels ?? [];

240278

if (hasProofOverride(currentLabels)) {

Original file line numberDiff line numberDiff line change

@@ -135,6 +135,7 @@ function barnacleGithub(

135135

maintainerLogins?: string[];

136136

removeLabelNotFound?: string[];

137137

repositoryRoles?: Record<string, string>;

138+

comments?: Array<{ body: string }>;

138139

} = {},

139140

) {

140141

const maintainerLogins = new Set(

@@ -154,8 +155,10 @@ function barnacleGithub(

154155

removeLabel: [] as Array<{ issue_number: number; name: string }>,

155156

update: [] as Array<{ issue_number: number; state?: string }>,

156157

};

158+

const listFiles = async () => files;

159+

const listComments = async () => options.comments ?? [];

157160

const github = {

158-

paginate: async () => files,

161+

paginate: async (fn: unknown) => (fn === listComments ? (options.comments ?? []) : files),

159162

rest: {

160163

issues: {

161164

addLabels: async (params: { issue_number: number; labels: string[] }) => {

@@ -173,6 +176,7 @@ function barnacleGithub(

173176

managedLabelSpecs[params.name as keyof typeof managedLabelSpecs]?.description ?? "",

174177

},

175178

}),

179+

listComments,

176180

lock: async (params: { issue_number: number; lock_reason?: string }) => {

177181

calls.lock.push(params);

178182

},

@@ -190,7 +194,7 @@ function barnacleGithub(

190194

updateLabel: async () => undefined,

191195

},

192196

pulls: {

193-

listFiles: async () => files,

197+

listFiles,

194198

},

195199

repos: {

196200

getCollaboratorPermissionLevel: async ({ username }: { username: string }) => {

@@ -784,6 +788,36 @@ describe("barnacle-auto-response", () => {

784788

},

785789

);

786790
791+

it("preserves sufficient proof on synchronize when ClawSweeper passed the exact head", async () => {

792+

const headSha = "06ee95df6608d29a395c52ba8ab53fdd93a9dc4f";

793+

const { calls, github } = barnacleGithub([file("src/gateway/server.ts")], {

794+

comments: [

795+

{

796+

body: `<!-- clawsweeper-verdict:pass item=123 sha=${headSha} confidence=high -->`,

797+

},

798+

],

799+

});

800+
801+

await runBarnacleAutoResponse({

802+

github,

803+

context: barnacleContext(

804+

{

805+

body: blankTemplateBody,

806+

head: { sha: headSha },

807+

},

808+

[PROOF_SUFFICIENT_LABEL],

809+

{ action: "synchronize" },

810+

),

811+

core: {

812+

info: () => undefined,

813+

},

814+

});

815+
816+

expect(calls.removeLabel).not.toContainEqual(

817+

expect.objectContaining({ name: PROOF_SUFFICIENT_LABEL }),

818+

);

819+

});

820+
787821

it("preserves ClawSweeper's sufficient proof label on ordinary label events", async () => {

788822

const { calls, github } = barnacleGithub([file("src/gateway/server.ts")]);

789823
Original file line numberDiff line numberDiff line change

@@ -4,7 +4,9 @@ import {

44

NEEDS_REAL_BEHAVIOR_PROOF_LABEL,

55

PROOF_OVERRIDE_LABEL,

66

PROOF_SUPPLIED_LABEL,

7+

evaluateClawSweeperExactHeadProof,

78

evaluateRealBehaviorProof,

9+

hasClawSweeperExactHeadProof,

810

isMaintainerTeamMember,

911

labelsForRealBehaviorProof,

1012

} from "../../scripts/github/real-behavior-proof-policy.mjs";

@@ -174,6 +176,35 @@ describe("real-behavior-proof-policy", () => {

174176

}).status,

175177

).toBe("override");

176178

});

179+
180+

it("accepts ClawSweeper pass verdict comments only for the exact PR head", () => {

181+

const pullRequest = {

182+

number: 83581,

183+

head: {

184+

sha: "06ee95df6608d29a395c52ba8ab53fdd93a9dc4f",

185+

},

186+

};

187+

const comments = [

188+

{

189+

body: [

190+

"Codex review: passed.",

191+

"<!-- clawsweeper-verdict:pass item=83581 sha=06ee95df6608d29a395c52ba8ab53fdd93a9dc4f confidence=high -->",

192+

].join("\n"),

193+

},

194+

];

195+
196+

expect(hasClawSweeperExactHeadProof({ pullRequest, comments })).toBe(true);

197+

expect(evaluateClawSweeperExactHeadProof({ pullRequest, comments }).passed).toBe(true);

198+

expect(

199+

hasClawSweeperExactHeadProof({

200+

pullRequest: {

201+

...pullRequest,

202+

head: { sha: "d0215b2d67a45a783277fc7d2949ac4a30f63ec6" },

203+

},

204+

comments,

205+

}),

206+

).toBe(false);

207+

});

177208

});

178209
179210

describe("isMaintainerTeamMember", () => {