Openclaw/repo boundaries 20260506#30
Conversation
…oid protocol mismatch
…PI for reliable execution
- VITE_OFFICE_TITLE: customizes the header title (default: OpenClaw Office) - VITE_BRANCH_LABEL: customizes the neon branch badge (default: SitioUno) - fix: pass agent prop to LocalSkillsTab in AgentDetailTabs
…d of hacky HTTP fetch
…aunch with explicit vault path fallback
leeyoonhyun
left a comment
There was a problem hiding this comment.
Findings (ordered by severity)
- (P0) Test environment regression:
localStorageis missing core Storage methods (clear,removeItem) causing widespread test failures.- Why it breaks:
pnpm testfails with many errors (TypeError: localStorage.clear is not a function,localStorage.removeItem is not a function). This is a hard blocker. - Minimal repro (or how to prove):
gh pr checkout 30 -R WW-AI-Lab/openclaw-officepnpm test- Example failures:
src/gateway/__tests__/ws-client.test.ts:78(localStorage.clear)src/store/__tests__/chat-workspace-store.test.ts:8(localStorage.removeItem)
- Smallest safe fix:
- Ensure tests run with a full Storage-compatible
localStorageimplementation. - If you’re intentionally overriding
globalThis.localStoragein tests, make sure the mock includes at least:getItem,setItem,removeItem,clear,key, andlength. - A pragmatic fix is to add a guarded shim in
tests/setup.tsthat installs a complete mock whenlocalStorage.clear/removeItemaren’t functions.
- Ensure tests run with a full Storage-compatible
- Why it breaks:
Evidence
- CI config notes:
- No GitHub status checks are configured for this PR.
- Local verification:
pnpm typecheck(exit=0)pnpm test(exit=1)
Next actions (blocking first)
- Fix the test environment/localStorage setup so the test suite is runnable again.
Automation provenance
- automation_id=github-pr-verification-monitor
- run_utc=2026-05-27T04:00:57Z
- repo=WW-AI-Lab/openclaw-office
- pr=30
- head_sha=68f56015a1b71e3afd3461ed06123e3d56469512
- local_verification=pnpm typecheck (exit=0); pnpm test (exit=1)
leeyoonhyun
left a comment
There was a problem hiding this comment.
Findings (ordered by severity)
-
(P1) Local verification blocked:
pnpm -s testfails with many deterministic failures starting atsrc/gateway/__tests__/ws-client.test.ts:78(localStorage.clear is not a function) andsrc/store/__tests__/chat-workspace-store.test.ts:8(localStorage.removeItem is not a function).- Why it breaks: the test environment’s
localStoragedoes not implement the full Storage API, so core gateway/store tests can’t execute. - Minimal repro:
pnpm -s test. - Smallest safe fix: in
tests/setup.ts, explicitly stub a fulllocalStorageimplementation (withgetItem/setItem/removeItem/clear/key/length) or ensure the jsdom environment provideswindow.localStorageand nothing overrides it.
- Why it breaks: the test environment’s
-
(P2) This PR is very large (~40+ files, ~4k LOC). Without a passing test suite, regressions in gateway/store behavior are hard to rule out.
- Evidence needed: CI must run unit tests for this branch (or document why tests are intentionally skipped).
Risk surface / changed files
- UI + console store changes, i18n changes, docs/ops guidance; potential impact on gateway + local persistence.
Local verification
pnpm -s typecheck(exit=0)pnpm -s test(exit=1; localStorage API missing methods; many failures)
Automation provenance
- automation_id=github-pr-verification-monitor
- run_utc=2026-05-27T04:14:16Z
- repo=WW-AI-Lab/openclaw-office
- pr=30
- head_sha=68f56015a1b71e3afd3461ed06123e3d56469512
- local_verification=pnpm -s typecheck (exit=0); pnpm -s test (exit=1)
leeyoonhyun
left a comment
There was a problem hiding this comment.
Findings (ordered by severity)
- (P1) Verification blocked: repo test suite fails locally, so the changes in this PR cannot be validated end-to-end.
Evidence / why this breaks
Local verification:
pnpm -s test(exit=1)- Same
localStorage.* is not a functionfailures as seen in PR #18 runs.
- Same
This PR touches console/setup + registry client + store logic; with tests failing, regressions can slip through.
Smallest safe fix:
- Fix the
localStoragetest environment so the full test suite can run green, then re-run CI and re-review.
Automation provenance
- automation_id=github-pr-verification-monitor
- run_utc=2026-05-27T04:17:30Z
- repo=WW-AI-Lab/openclaw-office
- pr=30
- head_sha=68f56015a1b71e3afd3461ed06123e3d56469512
- local_verification=pnpm -s test (exit=1)
leeyoonhyun
left a comment
There was a problem hiding this comment.
Findings (ordered by severity)
-
(P1) Stray patch artifact committed:
src/gateway/adapter.ts.diff.- Why it breaks: shipping
.diffartifacts insrc/is easy to miss, confuses tooling/search, and is usually unintentional. - Repro: file exists in the PR as-is.
- Smallest safe fix: remove
src/gateway/adapter.ts.difffrom the repo; if it’s meant as documentation, move it underdocs/with a clearer name.
- Why it breaks: shipping
-
(P1)
pnpm testfails withlocalStorage.removeItem is not a functioninsrc/store/__tests__/chat-workspace-store.test.ts.- Repro:
pnpm -s test→ 18/18 failures in that file; first call site atsrc/store/__tests__/chat-workspace-store.test.ts:8. - Smallest safe fix: provide a complete
localStoragepolyfill for the test environment (must includegetItem/setItem/removeItem/clear/key/length). Consider updatingtests/setup.tsto patch/replaceglobalThis.localStoragewhen any required method is missing (not onlygetItem).
- Repro:
Local verification
pnpm -s run typecheck(exit=0)pnpm -s run build(exit=0)pnpm -s test(exit=1)
Automation provenance
- automation_id=github-pr-verification-monitor\n- run_utc=2026-05-27T04:21:23Z\n- repo=WW-AI-Lab/openclaw-office\n- pr=30\n- head_sha=68f56015a1b71e3afd3461ed06123e3d56469512\n- local_verification=pnpm -s run typecheck (exit=0); pnpm -s run build (exit=0); pnpm -s test (exit=1)\n
leeyoonhyun
left a comment
There was a problem hiding this comment.
Findings (ordered by severity)
- (P0) Local verification blocked:
npm -s test -- src/gateway/__tests__/ws-client.test.tsfails withTypeError: localStorage.clear is not a function.- Why it breaks: the gateway client tests assume a real
Storageimplementation, but in this environmentglobalThis.localStorageis an empty object (noclear/getItem/setItem). - Minimal repro:
cd openclaw-office && npm -s test -- src/gateway/__tests__/ws-client.test.ts
- Smallest safe fix:
- In
tests/setup.ts, forceglobalThis.localStorage = window.localStorage(and same forsessionStorage) after JSDOM is initialized; or explicitlyvi.stubGlobal("localStorage", window.localStorage). - If the project intentionally runs tests in Node (no jsdom), replace direct
localStorage.*usage in unit tests with a stubbed storage layer.
- In
- Why it breaks: the gateway client tests assume a real
- (P1) CI signal missing: GitHub shows 0 status checks on this PR, so there’s no automated verification gate.
Evidence / notes
- I also observed
npm -s test -- src/store/__tests__/office-store.test.tsfailing onorigin/mainwithTypeError: localStorage.getItem is not a function, which suggests thelocalStoragetest environment issue is repo-wide, not just this PR.
Local verification
cd /Users/leeyoonhyun/Documents/GitHub/openclaw-office && npm -s test -- src/gateway/__tests__/ws-client.test.ts(exit=1)
Automation provenance
- automation_id=github-pr-verification-monitor
- run_utc=$NOW
- repo=$repo
- pr=30
- head_sha=68f56015a1b71e3afd3461ed06123e3d56469512
- local_verification=cd openclaw-office && npm -s test -- src/gateway/tests/ws-client.test.ts (exit=1)
leeyoonhyun
left a comment
There was a problem hiding this comment.
Findings (ordered by severity)
-
(P1) Local verification is blocked:
npm testfails on the PR head SHA (multiple failing tests / runtime errors).- Evidence (examples):
TypeError: localStorage.clear is not a function(src/gateway/__tests__/ws-client.test.ts:78) andTypeError: localStorage.removeItem is not a function(src/store/__tests__/chat-workspace-store.test.ts:8). - Smallest safe fix: ensure the test environment always provides a complete
localStorageimplementation (either via a robusttests/setup.tsmock, or by configuring the test environment to a DOM implementation that supplies full Storage semantics).
- Evidence (examples):
-
(P1) Suspicious/likely accidental file committed:
src/gateway/adapter.ts.diff.- Why this breaks: it’s not source code and will confuse builds/tools, and it risks being shipped.
- Smallest safe fix: remove
src/gateway/adapter.ts.difffrom the PR (and ensure it’s gitignored if it’s an authoring artifact).
Notes
- GitHub status checks are not configured/visible on this PR (
checks_total=0). Please add CI or at least document the expected verification commands.
Automation provenance
- automation_id=github-pr-verification-monitor
- run_utc=2026-05-27T08:53:17Z
- repo=WW-AI-Lab/openclaw-office
- pr=30
- head_sha=68f56015a1b71e3afd3461ed06123e3d56469512
- local_verification=cd /Users/leeyoonhyun/Documents/GitHub/openclaw-office; git checkout --detach 68f5601; npm test (exit=1)
leeyoonhyun
left a comment
There was a problem hiding this comment.
P1 / Blocking: stray diff artifact committed under src/
src/gateway/adapter.ts.diff appears to be a patch artifact, not source.
- Why this breaks: it can confuse tooling (search/import globs, packaging) and is very likely accidental.
- Minimal reproduction: the file contents are literally a unified diff.
- Smallest safe fix: delete
src/gateway/adapter.ts.diff(or move it to docs if intentionally retained).
P1 / Blocking: local test suite fails (verification blocked)
npm test fails with TypeError: localStorage.* is not a function across multiple tests.
- Why this breaks: I cannot verify this PR’s behavior locally.
- Minimal reproduction:
cd /Users/leeyoonhyun/Documents/GitHub/openclaw-office; npm test - Smallest safe fix: fix the test environment’s
localStoragepolyfill (ensuregetItem/setItem/removeItem/clearexist) or adjust tests to not rely on a partial polyfill.
P2 / Risk: admin surfaces added without obvious role gate in UI
src/components/pages/SetupGcpPage.tsx:14-68 renders Channels / Pairing / OpenHands admin views. I don’t see a frontend role/permission check here.
- Why this matters: if the backing sidecar APIs are reachable from an untrusted network or lack server-side authz, this becomes a privilege escalation path.
- Evidence needed to clear: where the registry sidecar enforces authn/authz (or confirmation this UI is only reachable on a trusted tailnet).
Local verification
cd /Users/leeyoonhyun/Documents/GitHub/openclaw-office; git checkout --detach 68f56015a1b71e3afd3461ed06123e3d56469512(ok)cd /Users/leeyoonhyun/Documents/GitHub/openclaw-office; npm test(exit=1)
Automation provenance
- automation_id=github-pr-verification-monitor
- run_utc=2026-05-27T09:26:58Z
- repo=WW-AI-Lab/openclaw-office
- pr=30
- head_sha=68f56015a1b71e3afd3461ed06123e3d56469512
- local_verification=cd /Users/leeyoonhyun/Documents/GitHub/openclaw-office; npm test (exit=1)
leeyoonhyun
left a comment
There was a problem hiding this comment.
P0 — Merge conflict + local tests failing (verification blocked)
PR state: mergeable=CONFLICTING — cannot merge until conflicts are resolved/rebased.
1) Unit tests fail on this PR head
Repro:
pnpm test(exit 1)
Primary failure mode (cascades):
- Multiple tests throw
TypeError: localStorage.clear is not a functionandTypeError: localStorage.removeItem is not a function.- Example:
src/gateway/__tests__/ws-client.test.ts:78callslocalStorage.clear(). - Example:
src/store/__tests__/chat-workspace-store.test.ts:8callslocalStorage.removeItem(...).
- Example:
Impact:
- This causes many downstream failures (dozens of tests fail), so functional verification is currently blocked.
Smallest safe fix:
- Ensure the test environment provides a complete
localStorageimplementation (withgetItem/setItem/removeItem/clear/key/length).- E.g. add a
localStoragepolyfill intests/setup.ts(similar to what PR #18 does), and adjust any tests that spy onStorage.prototype.*to instead spy onglobalThis.localStorage.*when a polyfill is used.
- E.g. add a
Local verification
pnpm test(exit 1)
Automation provenance
- automation_id=github-pr-verification-monitor
- run_utc=2026-05-27T12:35:45Z
- repo=WW-AI-Lab/openclaw-office
- pr=30
- head_sha=68f56015a1b71e3afd3461ed06123e3d56469512
- local_verification=pnpm test (1)
leeyoonhyun
left a comment
There was a problem hiding this comment.
Findings (ordered by severity)
- (P1)
pnpm testfails in multiple suites due tolocalStoragenot implementing expected methods (clear,removeItem).- Evidence:
src/gateway/__tests__/ws-client.test.ts:68-79callslocalStorage.clear(); failure observed:TypeError: localStorage.clear is not a function.src/store/__tests__/chat-workspace-store.test.ts:7-10callslocalStorage.removeItem(...); failure observed:TypeError: localStorage.removeItem is not a function.tests/setup.tscurrently does not polyfill/normalizelocalStorage.
- Why this breaks: CI/local runs in
jsdomshould provide a fullStorageinterface; these errors indicate the environment is missing/overwritinglocalStorage(or tests are being executed without a proper DOM storage implementation). - Smallest safe fix: add a
localStoragepolyfill/normalizer intests/setup.ts(similar to PR #18) that providesgetItem/setItem/removeItem/clear/key/length, or ensure the configured Vitest environment reliably supplieswindow.localStorage.
- Evidence:
Local verification
pnpm install --frozen-lockfile(exit=0)pnpm run typecheck(exit=0)pnpm test(exit=1)
Automation provenance
- automation_id=github-pr-verification-monitor
- run_utc=2026-05-27T12:48:49Z
- repo=WW-AI-Lab/openclaw-office
- pr=30
- head_sha=68f56015a1b71e3afd3461ed06123e3d56469512
- local_verification=pnpm install --frozen-lockfile (exit=0); pnpm run typecheck (exit=0); pnpm test (exit=1)
leeyoonhyun
left a comment
There was a problem hiding this comment.
Findings (ordered by severity)
-
(P0) Test suite is failing with
localStorage.* is not a functionat module init time (src/store/console-stores/settings-store.ts:9-12), cascading into many failures.- Why it breaks: store modules call
localStorage.getItem/setItem/...assuming a functionallocalStorageobject wheneverwindowexists, but in the test runtimelocalStorageis present yet missing methods. - Minimal repro:
cd /tmp/codex_openclaw_office/pr30 && pnpm -s test→ first failure atsrc/store/console-stores/settings-store.ts:11. - Smallest safe fix: add a robust
localStoragepolyfill intests/setup.ts(getItem/setItem/removeItem/clear/key/length) solocalStorageis always usable in tests, AND/OR harden production code by wrapping localStorage access intry/catchwith fallbacks.
- Why it breaks: store modules call
-
(P1) Production hardening: direct
localStorageaccess withouttry/catchcan crash in environments where storage is blocked (private browsing, hardened browsers) even thoughwindowexists (src/store/console-stores/settings-store.ts:9-19,:36-49).- Fix: wrap
getItemandsetItemcalls intry/catch, returning fallbacks and ignoring write failures.
- Fix: wrap
Automation provenance
- automation_id=github-pr-verification-monitor
- run_utc=2026-05-27T12:55:11Z
- repo=WW-AI-Lab/openclaw-office
- pr=30
- head_sha=68f56015a1b71e3afd3461ed06123e3d56469512
- local_verification=cd /tmp/codex_openclaw_office/pr30; pnpm -s run typecheck (exit=0); pnpm -s test (exit=1)
leeyoonhyun
left a comment
There was a problem hiding this comment.
Findings (ordered by severity)
- (P0) Test suite fails broadly:
npm testexits 1 with many failures starting fromTypeError: localStorage.removeItem is not a functioninsrc/store/__tests__/chat-workspace-store.test.ts:8.- Why it breaks: the test assumes a full Web Storage API; current test environment provides a
localStoragewithoutremoveItem. - Repro:
npm ci && npm test. - Smallest safe fix: add a storage polyfill in
tests/setup.tsthat implementsgetItem/setItem/removeItem/clear/key/length(same approach as PR #18’stests/setup.ts), or ensure the configuredjsdomenvironment reliably provideslocalStoragewithremoveItem.
- Why it breaks: the test assumes a full Web Storage API; current test environment provides a
PR context
- Title: Openclaw/repo boundaries 20260506
- Base:
main - Head:
68f56015a1b71e3afd3461ed06123e3d56469512 - URL: #30
Local verification
npm ci(exit=0)npm run typecheck(exit=0)npm test(exit=1)npm run build(exit=0)
Next actions
- Fix
localStorageavailability in tests first; it currently causes cascading failures.
leeyoonhyun
left a comment
There was a problem hiding this comment.
Findings (ordered by severity)
- (P0) Local verification fails on PR head:
npm testexits 1 (18 failing test files / 24 failing tests).- Evidence examples:
src/gateway/__tests__/ws-client.test.ts:78→TypeError: localStorage.clear is not a functionsrc/store/__tests__/chat-workspace-store.test.ts:8→TypeError: localStorage.removeItem is not a function- additional failures cascade from the above.
- Why this matters: this PR touches broad surfaces (gateway, stores, UI). With test infra broken, regressions are very likely to ship.
- Minimal reproduction:
cd /Users/leeyoonhyun/.codex/automations/github-pr-verification-monitor/tmp/worktrees/openclaw-office-pr30 && npm -s test
- Smallest safe fix:
- Fix the test runtime so
localStorageis a jsdomStorage(hasclear/removeItem/setItem/getItem) and is not overwritten by mocks. - After restoring
localStorage, re-run tests to confirm remaining failures are real regressions vs environment issues.
- Fix the test runtime so
- Evidence examples:
Risk surface classification
- Client state/persistence: ✅ (lots of localStorage usage)
- Gateway behavior: ✅
- Docs/config: medium
Local verification
cd /Users/leeyoonhyun/.codex/automations/github-pr-verification-monitor/tmp/worktrees/openclaw-office-pr30 && npm -s run typecheck(exit=0)cd /Users/leeyoonhyun/.codex/automations/github-pr-verification-monitor/tmp/worktrees/openclaw-office-pr30 && npm -s test(exit=1)
Automation provenance
- automation_id=github-pr-verification-monitor
- run_utc=2026-05-27T14:14:09Z
- repo=WW-AI-Lab/openclaw-office
- pr=30
- head_sha=68f56015a1b71e3afd3461ed06123e3d56469512
- local_verification=npm -s run typecheck (exit=0); npm -s test (exit=1)
leeyoonhyun
left a comment
There was a problem hiding this comment.
Findings (ordered by severity)
-
(P0) Verification blocked: test environment crashes due to
localStorageshape- Why this breaks: during module init, multiple stores call
localStorage.getItem(...), butlocalStorage.getItemis not a function in this test environment, so suites fail before assertions run. - Repro (minimal):
cd /tmp/openclaw-office_pr30 && npm -s cicd /tmp/openclaw-office_pr30 && npm -s test -- src/store/__tests__/office-store.test.ts
- Failure points:
src/store/office-store.ts:79(getInitialTheme)src/store/console-stores/settings-store.ts:11(readLocal)- plus cascading failures where tests call
localStorage.clear/removeItem.
- Smallest safe fix (pick one, ideally both for robustness):
- Add a
localStoragepolyfill intests/setup.tsthat implementsgetItem/setItem/removeItem/clear/key/length(PR #18 already demonstrates one approach), and - Harden runtime code paths that assume
localStorageexists by checkingtypeof localStorage?.getItem === "function"before calling.
- Add a
- Note: I reproduced the same
localStorage.getItem is not a functionfailure on upstream/main commits (so this appears to be a repo-wide test harness issue that this PR does not address).
- Why this breaks: during module init, multiple stores call
-
(P1) Potential CSRF / ambient-authority risk in
src/lib/registry-api-client.ts- This client performs state-changing requests (approve/reject pairing; set secrets; broadcast notifications) with no auth header by design, relying on the VPN perimeter.
- Risk: if the sidecar accepts cross-origin requests (or does not validate
Origin/Referer), a malicious webpage could trigger actions via cross-site form POSTs from a browser on the tailnet. - Evidence needed to clear this risk: sidecar must enforce an origin check and/or require a custom header that forces CORS preflight (and only allow the console origin), or require an explicit bearer/CSRF token.
-
(P2) Accidental diff artifact committed
src/gateway/adapter.ts.difflooks like a unified diff, not source code.- Smallest safe fix: delete
src/gateway/adapter.ts.diff(or move it to docs if intentionally tracked).
-
(P1) No CI / no GitHub status checks
- Evidence: repo has no
.github/workflows/on this branch; PR showschecks_total: 0. - Smallest safe fix: add a basic PR workflow running
npm ci,npm run typecheck,npm test, andnpm run lint.
- Evidence: repo has no
-
(P1) Local lint is not runnable (
oxlintmissing)- Repro:
cd /tmp/openclaw-office_pr30 && npm -s run lint→sh: oxlint: command not found(exit=127).
- Repro:
Local verification
cd /tmp/openclaw-office_pr30 && npm -s ci(exit=0)cd /tmp/openclaw-office_pr30 && npm -s run typecheck(exit=0)cd /tmp/openclaw-office_pr30 && npm -s test -- src/store/__tests__/office-store.test.ts(exit=1)cd /tmp/openclaw-office_pr30 && npm -s test(exit=1)cd /tmp/openclaw-office_pr30 && npm -s run lint(exit=127)
Automation provenance
- automation_id=github-pr-verification-monitor
- run_utc=2026-05-28T05:15:48Z
- repo=WW-AI-Lab/openclaw-office
- pr=30
- head_sha=68f56015a1b71e3afd3461ed06123e3d56469512
- local_verification=cd /tmp/openclaw-office_pr30; npm -s ci (exit=0); npm -s run typecheck (exit=0); npm -s test -- src/store/tests/office-store.test.ts (exit=1); npm -s test (exit=1); npm -s run lint (exit=127)
leeyoonhyun
left a comment
There was a problem hiding this comment.
Findings (ordered by severity)
- P0 (merge blocked): PR is
CONFLICTINGwith base. GitHub reports merge conflicts; this can’t be safely merged as-is. - P1 (verification blocked): local tests fail in both PR and base.
npm -s testexits 1 with failures starting atsrc/gateway/__tests__/ws-client.test.ts(TypeError: localStorage.clear is not a function).
Why this breaks
- Merge conflicts mean the code being reviewed is not the code that will land after resolution.
- With the test suite failing on
mainas well, I can’t distinguish PR regressions from baseline failures; this blocks “codex-verified”.
Minimal reproduction
- On PR head worktree:
cd /Users/leeyoonhyun/.codex/automations/github-pr-verification-monitor/tmp/worktrees/openclaw-office-pr30 && npm -s test→ exit=1 (localStorage.clear is not a function). - On base
main:cd /Users/leeyoonhyun/Documents/GitHub/openclaw-office && git checkout main && npm -s test→ exit=1 (samelocalStorage.* is not a functionclass of failures, plus others).
Smallest safe fix
- Resolve merge conflicts against
mainand push an updated head SHA. - Fix test environment so DOM storage APIs exist during unit tests (e.g., provide a
localStoragemock/polyfill intests/setup.ts, or ensure ajsdom/happy-domenvironment is configured consistently).
Local verification
npm -s run typecheck(exit=0)npm -s test(exit=1)
Automation provenance
- automation_id=github-pr-verification-monitor
- run_utc=2026-05-28T05:20:53Z
- repo=WW-AI-Lab/openclaw-office
- pr=30
- head_sha=68f56015a1b71e3afd3461ed06123e3d56469512
- local_verification=npm -s run typecheck (exit=0); npm -s test (exit=1)
leeyoonhyun
left a comment
There was a problem hiding this comment.
Findings (ordered by severity)
- (P0) Tests failing heavily on PR head (
pnpm test).- Why it breaks: large portion of suite fails due to missing
localStoragemethods. - Repro:
cd /Users/leeyoonhyun/Documents/GitHub/openclaw-office && git switch --detach 68f56015a1b71e3afd3461ed06123e3d56469512 && pnpm -s test(exit=1) - Root cause:
tests/setup.tsdoes not provide alocalStoragemock (only imports), but many tests calllocalStorage.clear/removeItem/...(e.g.src/gateway/__tests__/ws-client.test.ts:78). - Smallest safe fix: add a minimal
localStoragemock totests/setup.ts(similar to what later commits appear to do) or run tests in an environment providingStorage(jsdom/happy-dom) and ensurelocalStorageexists.
- Why it breaks: large portion of suite fails due to missing
- (P1) PR is currently
CONFLICTING(needs rebase/merge frommain).
Local verification
cd /Users/leeyoonhyun/Documents/GitHub/openclaw-office && git switch --detach 68f56015a1b71e3afd3461ed06123e3d56469512 && pnpm -s install --frozen-lockfile(exit=0)cd /Users/leeyoonhyun/Documents/GitHub/openclaw-office && pnpm -s run typecheck(exit=0)cd /Users/leeyoonhyun/Documents/GitHub/openclaw-office && pnpm -s test(exit=1)
Automation provenance
- automation_id=github-pr-verification-monitor
- run_utc=2026-05-28T06:01:43Z
- repo=WW-AI-Lab/openclaw-office
- pr=30
- head_sha=68f56015a1b71e3afd3461ed06123e3d56469512
- local_verification=cd /Users/leeyoonhyun/Documents/GitHub/openclaw-office && git switch --detach 68f5601 && pnpm -s install --frozen-lockfile (exit=0); pnpm -s run typecheck (exit=0); pnpm -s test (exit=1)
leeyoonhyun
left a comment
There was a problem hiding this comment.
Findings (ordered by severity)
- (P0) Local verification is blocked:
pnpm -s testfails broadly due to missing/incorrectlocalStoragein the test environment.- Example failures:
src/gateway/__tests__/ws-client.test.ts:78callslocalStorage.clear()→TypeError: localStorage.clear is not a function.src/store/__tests__/chat-workspace-store.test.ts:8callslocalStorage.removeItem(...)→TypeError: localStorage.removeItem is not a function.
- Root cause appears to be that
tests/setup.tsno longer installs a localStorage mock (it only imports jest-dom + i18n). Seetests/setup.ts:1.
- Example failures:
- (P1)
pnpm -s lintfails withsh: oxlint: command not foundbecausepackage.jsondefineslint: oxlint src/, butoxlintis not in dependencies. - (P1) Accidental patch artifact committed:
src/gateway/adapter.ts.diffshould not ship in source control.
Reproduction / verification trace
- Head SHA:
68f56015a1b71e3afd3461ed06123e3d56469512 - Commands:
pnpm -s typecheck(exit=0)pnpm -s test(exit=1)- multiple failures due to
localStorage.*missing
- multiple failures due to
pnpm -s lint(exit=1)- error:
sh: oxlint: command not found
- error:
pnpm -s build(exit=0)
Smallest safe fixes
- Restore a consistent localStorage implementation for unit tests:
- Re-add a minimal mock in
tests/setup.ts(similar to what PR #18 introduced), OR - switch Vitest to a jsdom environment for the affected test suites (and ensure jsdom provides a full
Storageimplementation).
- Re-add a minimal mock in
- Fix lint by either adding
oxlinttodevDependenciesor changinglintto a tool already present. - Remove
src/gateway/adapter.ts.difffrom the PR (and add it to.gitignoreif it is a local workflow artifact).
Automation provenance
- automation_id=github-pr-verification-monitor
- run_utc=2026-05-28T06:17:31Z
- repo=WW-AI-Lab/openclaw-office
- pr=30
- head_sha=68f56015a1b71e3afd3461ed06123e3d56469512
- local_verification=cd /Users/leeyoonhyun/.codex/automations/github-pr-verification-monitor/tmp/worktrees/openclaw-office-pr30; pnpm -s typecheck (exit=0); pnpm -s test (exit=1); pnpm -s lint (exit=1); pnpm -s build (exit=0)
leeyoonhyun
left a comment
There was a problem hiding this comment.
Findings (ordered by severity)
-
(P0) Test suite is massively failing on this PR (blocks merge).
- Evidence / repro:
npm -s run typecheck(exit=0)npm -s test(exit=1) with 18 failed test files / 24 failed tests.
- Primary failure mode (deterministic):
localStorageis missing standard methods in the test runtime.src/gateway/__tests__/ws-client.test.ts:78callslocalStorage.clear()→TypeError: localStorage.clear is not a function.src/store/__tests__/chat-workspace-store.test.ts:8callslocalStorage.removeItem(...)→TypeError: localStorage.removeItem is not a function.tests/setup.tsin this PR only imports i18n setup and does not provide a localStorage polyfill.
- Smallest safe fix:
- Add a
localStoragemock/polyfill intests/setup.ts(or rebase and include the fix from PR #18’stests/setup.ts).
- Add a
- Evidence / repro:
-
(P0) PR is
mergeable=CONFLICTING.- Smallest safe fix: rebase onto
mainand resolve conflicts before any further review.
- Smallest safe fix: rebase onto
-
(P1) No GitHub status checks are configured/running for this PR.
- Today, the only guard is local developer discipline. Given how many tests fail locally, this is unsafe.
- Smallest safe fix: add a minimal GitHub Actions workflow to run
npm ci,npm run typecheck,npm test(and lint/format once toolchain is settled).
Risk surface summary
- Very wide surface area: docs, local skills, UI console flows, shared error boundary, and gateway types.
- Deploy safety: changes to
package.json+ many UI files without automated checks.
Local verification
npm -s run typecheck(exit=0)npm -s run lint(exit=127:oxlint: command not found)npm -s run format:check(exit=127:oxfmt: command not found)npm -s test(exit=1)
Next actions
- Rebase PR and resolve merge conflicts.
- Restore a working test environment by polyfilling
localStorageintests/setup.ts. - Add CI so this can’t regress silently.
Automation provenance
- automation_id=github-pr-verification-monitor
- run_utc=2026-05-28T06:18:00Z
- repo=WW-AI-Lab/openclaw-office
- pr=30
- head_sha=68f56015a1b71e3afd3461ed06123e3d56469512
- local_verification=npm run typecheck (exit=0); npm run lint (exit=127); npm run format:check (exit=127); npm test (exit=1)
leeyoonhyun
left a comment
There was a problem hiding this comment.
Findings (ordered by severity)
- (P0) Unit tests fail under
npm testbecause the test environment does not provide a functionallocalStorage.- Evidence:
npm ci(exit=0) +npm test(exit=1) at head SHA68f56015a1b71e3afd3461ed06123e3d56469512. - Example failures:
src/store/__tests__/chat-workspace-store.test.ts#L8:localStorage.removeItem is not a functionsrc/gateway/__tests__/ws-client.test.ts#L78:localStorage.clear is not a function
- Evidence:
Reproduction
cd /tmp/openclaw-office_pr30 && npm ci(exit=0)cd /tmp/openclaw-office_pr30 && npm test(exit=1)
Smallest safe fix
- Provide a
localStoragepolyfill for the Vitest environment intests/setup.ts(same approach as PR #18), or switch the Vitest environment to one that provideslocalStorage(e.g. jsdom/happy-dom) and ensure it’s configured consistently in CI.
Automation provenance
- automation_id=github-pr-verification-monitor
- run_utc=2026-05-28T06:26:52Z
- repo=WW-AI-Lab/openclaw-office
- pr=30
- head_sha=68f56015a1b71e3afd3461ed06123e3d56469512
- local_verification=cd /tmp/openclaw-office_pr30 && npm ci (exit=0); npm test (exit=1)
|
Codex review findings. P1: Local verification fails (mostly baseline issues)Head: Observed locally on this PR head:
Base branch context:
Smallest safe fix direction:
Automation provenance
|
|
Follow-up from Codex automation:
Automation provenance
|
|
Correction to previous automation follow-up (a Markdown formatting bug stripped a couple fields):
Automation provenance
|
Codex review (blocking)P0 — Merge conflict
P1 — Local verification failing
P1 — Package manager / lockfile inconsistency
P2 — Repo bloat risk (binary assets)
Local verification (this run)
Automation provenance
|
Codex review findings\n\n### P0 — Test suite breaks (localStorage missing methods)\n- First failure:
|
Codex review (actionable)P0 — Merge is blocked
P1 — Accidental diff artifact committed
Smallest safe fix:
Verification (local)Local verification is blocked (seems to be a repo baseline issue, not clearly caused by this PR):
LabelsI can post comments, but cannot create labels in Automation provenance
|
leeyoonhyun
left a comment
There was a problem hiding this comment.
Codex Review (blocking)\n\n### P0 — Merge blocked (conflicts)\n- PR reports in GitHub UI/API. Rebase or resolve conflicts against before any deeper verification can be trusted.\n\n### P1 — Command/URL injection risk in Obsidian launcher\n- In the code builds a shell command string with interpolated and POSTs it to , and also sets using .\n- If can be influenced by untrusted data (Gateway, remote agents, or attacker-controlled workspace state), this becomes a command-injection and/or URL-injection primitive.\n- Smallest safe fix: treat agent identifiers as untrusted. Avoid shell-string construction; send structured (or escape/quote robustly) and use for any URL interpolation.\n\n### P2 — Hard-coded host paths\n- hardcodes . Make this configurable (env/config) or derive from Gateway-reported workspace root; otherwise it will be wrong for most installs.\n\n---\n\n## Automation provenance\n- automation_id: github-pr-verification-monitor\n- run_utc: 2026-05-31T03:??:??Z\n- repo: WW-AI-Lab/openclaw-office\n- pr: #30\n- head_sha: 68f5601\n- fingerprint: openclaw-office#3068f5601 (updatedAt=2026-05-30T23:25:22Z mergeable=CONFLICTING)\n- action: requested_changes\n- local_verification: not_run (PR is conflicting; did not checkout)\n
leeyoonhyun
left a comment
There was a problem hiding this comment.
Codex Review (blocking)
P0 — Merge blocked (conflicts)
- PR reports
mergeable=CONFLICTINGvia GitHub API. Rebase or resolve conflicts againstmainbefore any deeper verification can be trusted.
P1 — Command/URL injection risk in Obsidian launcher
- In
src/components/console/agents/LocalSkillsTab.tsxthe UI builds a shell command string with interpolatedagent.idand POSTs it to/api/v1/agents/<agent-id>/tools/exec, and also setswindow.location.hrefusingagent.id. - If
agent.idcan be influenced by untrusted data (Gateway, remote agents, or attacker-controlled workspace state), this becomes a command-injection and/or URL-injection primitive. - Smallest safe fix: treat agent identifiers as untrusted. Avoid shell-string construction; send structured
{cmd, args[]}(or robustly escape/quote) and useencodeURIComponentfor any URL interpolation.
P2 — Hard-coded host paths
LocalSkillsTabhardcodes/home/magnus-vaos/openclaw-workspaces/.... Make this configurable (env/config) or derive from a Gateway-reported workspace root; otherwise it will be wrong for most installs.
Automation provenance
- automation_id: github-pr-verification-monitor
- run_utc: 2026-05-31T03:31:00Z
- repo: WW-AI-Lab/openclaw-office
- pr: #30
- head_sha: 68f5601
- fingerprint: openclaw-office#3068f5601 (updatedAt=2026-05-30T23:25:22Z mergeable=CONFLICTING)
- action: requested_changes
- local_verification: not_run (PR is conflicting; did not checkout)
Automation provenance correction
|
leeyoonhyun
left a comment
There was a problem hiding this comment.
Codex review (adversarial)
P1 — PR is currently merge-conflicting
- GitHub reports
mergeable: CONFLICTING. - Smallest safe fix: rebase/merge
maininto this branch and resolve conflicts, then re-run checks.
P0 — Removes browser bearer token and relies on VPN as the trust boundary
- Evidence: changes in
src/lib/registry-api-client.ts/ related docs explicitly state: “VPN is the trust boundary — no Authorization header by design”. - Why it matters: if the registry sidecar/API is ever reachable outside the intended VPN (misconfigured ingress, shared network, local port-forward, compromised node), this becomes unauthenticated admin control from the browser, including setting secrets.
- Smallest safe fix:
- Keep the “no long-lived token in browser bundle” constraint, but enforce auth server-side (mTLS, short-lived signed session from Gateway, or sidecar bound to localhost + gateway proxy).
- Add explicit hardening: same-origin + CORS deny by default, and ensure the sidecar is not exposed publicly.
- Document a concrete threat model + deployment guardrails (firewall/Tailscale ACLs) and add a smoke test that fails if the endpoint is reachable without the expected perimeter.
P1 — Secret-management UI needs explicit authorization boundary
- Evidence: Setup GCP flows handle secret values (
type="password", POSTs that set secret versions) without a browser auth token. - Why it matters: “VPN-only” auth is a big hammer; any user on the VPN becomes a secret admin unless additional gates exist.
- Smallest safe fix: role-gate these endpoints (operator.admin) and ensure the sidecar enforces it, not just the UI.
P2 — Accidental artifact committed: src/gateway/adapter.ts.diff
- Evidence: file added is literally a diff snippet, not source.
- Smallest safe fix: remove it from the repo and apply the underlying change directly (or keep it as a PR comment, not a tracked file).
P2 — Scope is too broad for safe review/merge
- Evidence: 37-patch series mixes docs, branding, UI, API client auth model changes, and tests.
- Smallest safe fix: split into focused PRs (e.g. branding/docs, Local Skills UI, registry client/auth changes) so each can be reviewed and reverted independently.
P1 — Local verification is blocked in this environment
pnpm -s lint=> exit1(oxlint: command not found).pnpm -s test=> exit1(many failures; e.g.localStorage.* is not a function).
Note — Labeling not possible via this automation
GitHub labels API returns HTTP 404 for this repo under this automation account, so I cannot apply handshake labels.
Automation provenance
- automation_id: github-pr-verification-monitor
- run_utc: 2026-05-31T21:52:42Z
- repo: WW-AI-Lab/openclaw-office
- pr: #30
- head_sha: 68f5601
- fingerprint: {"headRefOid":"68f56015a1b71e3afd3461ed06123e3d56469512","updatedAt":"2026-05-31T02:25:29Z","checks":[],"labels":[]}
- action_taken: requested-changes review posted (labels unavailable)
- local_verification:
- pnpm -s lint: exit 1
- pnpm -s typecheck: exit 0
- pnpm -s test: exit 1
Codex review findingsP1 — Merge blocked: base branch conflicts
P1 — Local verification failing
Notes (non-blocking)
Automation provenance
|
leeyoonhyun
left a comment
There was a problem hiding this comment.
Codex Review (action required)
P1 — PR is currently unmergeable due to conflicts
- Where: PR metadata shows
mergeable=CONFLICTING,mergeStateStatus=DIRTY. - Impact: No verification/merge gate can proceed until conflicts are resolved.
- Smallest safe fix: Rebase/merge
maininto the branch and resolve conflicts, then push an updated head SHA.
P2 — Label management blocked by permissions
- I attempted to ensure the shared handshake labels exist (
codex-needs-claude-fix,codex-verified,claude-verified,codex-merged,claude-next-task-ready,codex-merge-blocked) but label creation failed (likely insufficient repo permissions). If you want this automation to drive labels here, grant label admin permission or pre-create the labels.
Verification
- Local verification was skipped because the PR is conflicted/unmergeable and would not reflect the merge result.
Automation provenance
- automation_id: github-pr-verification-monitor
- run_utc: 2026-06-01T16:13:02Z
- repo: openclaw-office
- pr: #30
- head_sha: 68f5601
- fingerprint: openclaw-office#30|68f56015a1b71e3afd3461ed06123e3d56469512|2026-06-01T15:14:50Z|mergeable=CONFLICTING
- action_taken: posted_review_comment
- local_verification: (skipped)
No description provided.