openclaw
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/opengrep-precise.yml‎
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/opengrep-precise.yml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎scripts/changed-lanes.mjs‎
Lines changed: 27 additions & 5 deletions b/‎scripts/changed-lanes.mjs‎
Lines changed: 27 additions & 5 deletions
diff --git a/‎scripts/ci-changed-scope.d.mts‎
Lines changed: 6 additions & 1 deletion b/‎scripts/ci-changed-scope.d.mts‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎scripts/ci-changed-scope.mjs‎
Lines changed: 27 additions & 4 deletions b/‎scripts/ci-changed-scope.mjs‎
Lines changed: 27 additions & 4 deletions
diff --git a/‎scripts/lib/merge-head-diff-base.mjs‎
Lines changed: 95 additions & 0 deletions b/‎scripts/lib/merge-head-diff-base.mjs‎
Lines changed: 95 additions & 0 deletions
diff --git a/‎scripts/run-opengrep.sh‎
Lines changed: 36 additions & 2 deletions b/‎scripts/run-opengrep.sh‎
Lines changed: 36 additions & 2 deletions
diff --git a/‎src/commands/migrate/skill-selection-prompt.ts‎
Lines changed: 1 addition & 1 deletion b/‎src/commands/migrate/skill-selection-prompt.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/plugins/contracts/plugin-sdk-package-contract-guardrails.test.ts‎
Lines changed: 4 additions & 2 deletions b/‎src/plugins/contracts/plugin-sdk-package-contract-guardrails.test.ts‎
Lines changed: 4 additions & 2 deletions
@@ -92,7 +92,7 @@ jobs:
             for attempt in 1 2 3; do
               timeout --signal=TERM --kill-after=10s 30s git -C "$GITHUB_WORKSPACE" \
                 -c protocol.version=2 \
-                fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
+                fetch --no-tags --prune --no-recurse-submodules --depth=2 origin \
                 "+${ref}:refs/remotes/origin/checkout" && return 0
               fetch_status="$?"
               if [ "$fetch_status" != "124" ] && [ "$fetch_status" != "137" ]; then
@@ -146,12 +146,12 @@ jobs:
 
           if [ "${{ github.event_name }}" = "push" ]; then
             BASE="${{ github.event.before }}"
+            node scripts/ci-changed-scope.mjs --base "$BASE" --head HEAD
           else
             BASE="${{ github.event.pull_request.base.sha }}"
+            node scripts/ci-changed-scope.mjs --base "$BASE" --head HEAD --merge-head-first-parent
           fi
 
-          node scripts/ci-changed-scope.mjs --base "$BASE" --head HEAD
-
       - name: Build CI manifest
         id: manifest
         env:
 
@@ -44,7 +44,7 @@ jobs:
         uses: actions/checkout@v6
         with:
           ref: ${{ github.sha }}
-          fetch-depth: 1
+          fetch-depth: 2
           fetch-tags: false
           persist-credentials: false
           submodules: false
@@ -74,6 +74,7 @@ jobs:
       - name: Run opengrep on PR diff
         env:
           OPENCLAW_OPENGREP_BASE_REF: ${{ github.event.pull_request.base.sha }}...HEAD
+          OPENCLAW_OPENGREP_MERGE_HEAD_FIRST_PARENT: "1"
         # Findings from precise rules block this workflow. Pull requests scan
         # changed first-party source paths only so findings stay attributable to
         # the PR diff. Test/fixture/QA path exclusions live in `.semgrepignore`
 
@@ -2,6 +2,7 @@ import { execFileSync } from "node:child_process";
 import { appendFileSync, existsSync, readFileSync } from "node:fs";
 import { booleanFlag, parseFlagArgs, stringFlag } from "./lib/arg-utils.mjs";
 import { isDirectRunUrl } from "./lib/direct-run.mjs";
+import { resolveMergeHeadDiffBase } from "./lib/merge-head-diff-base.mjs";
 
 const GIT_OUTPUT_MAX_BUFFER = 64 * 1024 * 1024;
 const IMPLAUSIBLE_NO_MERGE_BASE_DIFF_PATHS = 200;
@@ -213,13 +214,21 @@ export function detectChangedLanes(changedPaths, options = {}) {
 }
 
 /**
- * @param {{ paths: string[]; base: string; head?: string; staged?: boolean }} params
+ * @param {{ paths: string[]; base: string; head?: string; staged?: boolean; mergeHeadFirstParent?: boolean }} params
  * @returns {ChangedLaneResult}
  */
 export function detectChangedLanesForPaths(params) {
+  const base = params.staged
+    ? params.base
+    : resolveMergeHeadDiffBase({
+        base: params.base,
+        head: params.head ?? "HEAD",
+        maxBuffer: GIT_OUTPUT_MAX_BUFFER,
+        preferFirstParent: params.mergeHeadFirstParent === true,
+      });
   const packageJsonChangeKind = params.paths.includes("package.json")
     ? classifyPackageJsonChangeFromGit({
-        base: params.base,
+        base,
         head: params.head,
         staged: params.staged,
       })
@@ -228,13 +237,19 @@ export function detectChangedLanesForPaths(params) {
 }
 
 /**
- * @param {{ base: string; head?: string; includeWorktree?: boolean; cwd?: string }} params
+ * @param {{ base: string; head?: string; includeWorktree?: boolean; cwd?: string; mergeHeadFirstParent?: boolean }} params
  * @returns {string[]}
  */
 export function listChangedPathsFromGit(params) {
-  const base = params.base;
   const head = params.head ?? "HEAD";
   const cwd = params.cwd ?? process.cwd();
+  const base = resolveMergeHeadDiffBase({
+    base: params.base,
+    head,
+    cwd,
+    maxBuffer: GIT_OUTPUT_MAX_BUFFER,
+    preferFirstParent: params.mergeHeadFirstParent === true,
+  });
   if (!base) {
     return [];
   }
@@ -453,6 +468,7 @@ function parseArgs(argv) {
     base: "origin/main",
     head: "HEAD",
     staged: false,
+    mergeHeadFirstParent: false,
     json: false,
     githubOutput: false,
     help: false,
@@ -465,6 +481,7 @@ function parseArgs(argv) {
       stringFlag("--base", "base"),
       stringFlag("--head", "head"),
       booleanFlag("--staged", "staged"),
+      booleanFlag("--merge-head-first-parent", "mergeHeadFirstParent"),
       booleanFlag("--json", "json"),
       booleanFlag("--github-output", "githubOutput"),
       booleanFlag("--help", "help"),
@@ -538,12 +555,17 @@ if (isDirectRun()) {
       ? args.paths
       : args.staged
         ? listStagedChangedPaths()
-        : listChangedPathsFromGit({ base: args.base, head: args.head });
+        : listChangedPathsFromGit({
+            base: args.base,
+            head: args.head,
+            mergeHeadFirstParent: args.mergeHeadFirstParent,
+          });
   const result = detectChangedLanesForPaths({
     paths,
     base: args.base,
     head: args.head,
     staged: args.staged,
+    mergeHeadFirstParent: args.mergeHeadFirstParent,
   });
   if (args.githubOutput) {
     writeChangedLaneGitHubOutput(result);
 
@@ -15,7 +15,12 @@ export type InstallSmokeScope = {
 
 export function detectChangedScope(changedPaths: string[]): ChangedScope;
 export function detectInstallSmokeScope(changedPaths: string[]): InstallSmokeScope;
-export function listChangedPaths(base: string, head?: string): string[];
+export function listChangedPaths(
+  base: string,
+  head?: string,
+  cwd?: string,
+  preferMergeHeadFirstParent?: boolean,
+): string[];
 export function writeGitHubOutput(
   scope: ChangedScope,
   outputPath?: string,
 
@@ -1,6 +1,7 @@
 import { execFileSync } from "node:child_process";
 import { appendFileSync } from "node:fs";
 import { isDirectRunUrl } from "./lib/direct-run.mjs";
+import { resolveMergeHeadDiffBase } from "./lib/merge-head-diff-base.mjs";
 
 /** @typedef {{ runNode: boolean; runMacos: boolean; runAndroid: boolean; runWindows: boolean; runSkillsPython: boolean; runChangedSmoke: boolean; runControlUiI18n: boolean }} ChangedScope */
 /** @typedef {{ runFastOnly: boolean; runPluginContracts: boolean; runCiRouting: boolean }} NodeFastScope */
@@ -228,13 +229,26 @@ export function detectInstallSmokeScope(changedPaths) {
 /**
  * @param {string} base
  * @param {string} [head]
+ * @param {string} [cwd]
  * @returns {string[]}
  */
-export function listChangedPaths(base, head = "HEAD") {
+export function listChangedPaths(
+  base,
+  head = "HEAD",
+  cwd = process.cwd(),
+  preferMergeHeadFirstParent = false,
+) {
   if (!base) {
     return [];
   }
-  const output = execFileSync("git", ["diff", "--name-only", base, head], {
+  const diffBase = resolveMergeHeadDiffBase({
+    base,
+    head,
+    cwd,
+    preferFirstParent: preferMergeHeadFirstParent,
+  });
+  const output = execFileSync("git", ["diff", "--name-only", diffBase, head], {
+    cwd,
     stdio: ["ignore", "pipe", "pipe"],
     encoding: "utf8",
   });
@@ -293,7 +307,7 @@ function isDirectRun() {
 
 /** @param {string[]} argv */
 function parseArgs(argv) {
-  const args = { base: "", head: "HEAD" };
+  const args = { base: "", head: "HEAD", mergeHeadFirstParent: false };
   for (let i = 0; i < argv.length; i += 1) {
     if (argv[i] === "--base") {
       args.base = argv[i + 1] ?? "";
@@ -303,6 +317,10 @@ function parseArgs(argv) {
     if (argv[i] === "--head") {
       args.head = argv[i + 1] ?? "HEAD";
       i += 1;
+      continue;
+    }
+    if (argv[i] === "--merge-head-first-parent") {
+      args.mergeHeadFirstParent = true;
     }
   }
   return args;
@@ -311,7 +329,12 @@ function parseArgs(argv) {
 if (isDirectRun()) {
   const args = parseArgs(process.argv.slice(2));
   try {
-    const changedPaths = listChangedPaths(args.base, args.head);
+    const changedPaths = listChangedPaths(
+      args.base,
+      args.head,
+      process.cwd(),
+      args.mergeHeadFirstParent,
+    );
     if (changedPaths.length === 0) {
       writeGitHubOutput(EMPTY_SCOPE);
       process.exit(0);
 
@@ -0,0 +1,95 @@
+import { execFileSync } from "node:child_process";
+import { pathToFileURL } from "node:url";
+
+const DEFAULT_GIT_OUTPUT_MAX_BUFFER = 16 * 1024 * 1024;
+
+export function resolveMergeHeadDiffBase({
+  base,
+  head = "HEAD",
+  cwd = process.cwd(),
+  maxBuffer = DEFAULT_GIT_OUTPUT_MAX_BUFFER,
+  preferFirstParent = false,
+}) {
+  if (!base) {
+    return "";
+  }
+  if (!preferFirstParent) {
+    return base;
+  }
+
+  const parents = listCommitParents({ ref: head, cwd, maxBuffer });
+  if (parents.length < 2) {
+    return base;
+  }
+
+  const firstParent = resolveCommit({ ref: parents[0], cwd, maxBuffer });
+  const explicitBase = resolveCommit({ ref: base, cwd, maxBuffer });
+  if (!firstParent || firstParent === explicitBase) {
+    return base;
+  }
+
+  return firstParent;
+}
+
+function listCommitParents({ ref, cwd, maxBuffer }) {
+  try {
+    const output = execFileSync("git", ["rev-list", "--parents", "-n", "1", ref], {
+      cwd,
+      stdio: ["ignore", "pipe", "ignore"],
+      encoding: "utf8",
+      maxBuffer,
+    }).trim();
+    return output.split(/\s+/u).slice(1);
+  } catch {
+    return [];
+  }
+}
+
+function resolveCommit({ ref, cwd, maxBuffer }) {
+  try {
+    return execFileSync("git", ["rev-parse", "--verify", `${ref}^{commit}`], {
+      cwd,
+      stdio: ["ignore", "pipe", "ignore"],
+      encoding: "utf8",
+      maxBuffer,
+    }).trim();
+  } catch {
+    return "";
+  }
+}
+
+function parseArgs(argv) {
+  const args = {
+    base: "",
+    head: "HEAD",
+    preferFirstParent: false,
+  };
+  for (let index = 0; index < argv.length; index += 1) {
+    const arg = argv[index];
+    if (arg === "--base") {
+      args.base = argv[index + 1] ?? "";
+      index += 1;
+      continue;
+    }
+    if (arg === "--head") {
+      args.head = argv[index + 1] ?? "HEAD";
+      index += 1;
+      continue;
+    }
+    if (arg === "--prefer-first-parent") {
+      args.preferFirstParent = true;
+    }
+  }
+  return args;
+}
+
+if (process.argv[1] && import.meta.url === pathToFileURL(process.argv[1]).href) {
+  const args = parseArgs(process.argv.slice(2));
+  process.stdout.write(
+    `${resolveMergeHeadDiffBase({
+      base: args.base,
+      head: args.head,
+      preferFirstParent: args.preferFirstParent,
+    })}\n`,
+  );
+}
@@ -109,9 +109,43 @@ if (( CHANGED_ONLY && PATHS_PASSED )); then
   exit 64
 fi
 
+resolve_changed_diff_ref() {
+  local diff_ref="${OPENCLAW_OPENGREP_BASE_REF:-origin/main...HEAD}"
+  local base_ref
+  local head_ref
+  local resolved_base
+
+  if [[ "$diff_ref" != *"..."* ]]; then
+    printf '%s\n' "$diff_ref"
+    return 0
+  fi
+  if [[ "${OPENCLAW_OPENGREP_MERGE_HEAD_FIRST_PARENT:-0}" != "1" ]]; then
+    printf '%s\n' "$diff_ref"
+    return 0
+  fi
+
+  base_ref="${diff_ref%%...*}"
+  head_ref="${diff_ref#*...}"
+  # First-parent resolution is shared with the Node CI routers so PR diff
+  # scope cannot drift between changed-lanes, changed-scope, and OpenGrep.
+  resolved_base="$(
+    node "$REPO_ROOT/scripts/lib/merge-head-diff-base.mjs" \
+      --base "$base_ref" \
+      --head "$head_ref" \
+      --prefer-first-parent 2>/dev/null || true
+  )"
+  if [[ -z "$resolved_base" || "$resolved_base" == "$base_ref" ]]; then
+    printf '%s\n' "$diff_ref"
+    return 0
+  fi
+
+  printf '%s...%s\n' "$resolved_base" "$head_ref"
+}
+
 # Default scan paths match CI. Override by passing `-- <paths...>`.
 if (( PATHS_PASSED == 0 )); then
   if (( CHANGED_ONLY )); then
+    CHANGED_DIFF_REF="$(resolve_changed_diff_ref)"
     SCAN_PATHS=()
     while IFS= read -r path; do
       # OpenGrep errors when an explicit changed path is a symlink; scan the
@@ -125,7 +159,7 @@ if (( PATHS_PASSED == 0 )); then
       SCAN_PATHS+=( "$path" )
     done < <(
       {
-        git diff --name-only --diff-filter=ACMRTUXB "${OPENCLAW_OPENGREP_BASE_REF:-origin/main...HEAD}" 2>/dev/null || true
+        git diff --name-only --diff-filter=ACMRTUXB "$CHANGED_DIFF_REF" 2>/dev/null || true
         git diff --name-only --diff-filter=ACMRTUXB -- 2>/dev/null || true
         git ls-files --others --exclude-standard
       } | awk '/^(src|extensions|apps|packages|scripts)\// { print }' | sort -u
@@ -135,7 +169,7 @@ if (( PATHS_PASSED == 0 )); then
       RULEPACK_CHANGED_PATHS+=( "$path" )
     done < <(
       {
-        git diff --name-only --diff-filter=ACMRTUXB "${OPENCLAW_OPENGREP_BASE_REF:-origin/main...HEAD}" 2>/dev/null || true
+        git diff --name-only --diff-filter=ACMRTUXB "$CHANGED_DIFF_REF" 2>/dev/null || true
         git diff --name-only --diff-filter=ACMRTUXB -- 2>/dev/null || true
         git ls-files --others --exclude-standard
       } | awk '/^(security\/opengrep\/|scripts\/run-opengrep\.sh$|\.semgrepignore$|\.github\/workflows\/opengrep-)/ { print }' | sort -u
 
@@ -256,5 +256,5 @@ export function promptMigrationSkillSelectionValues(
   return prompt.prompt();
 }
 
-/** Back-compat alias for plugin selection prompts that share the same picker. */
+/** Compatibility alias for plugin selection prompts that share the same picker. */
 export const promptMigrationSelectionValues = promptMigrationSkillSelectionValues;
@@ -515,8 +515,10 @@ function collectDeprecatedTestBarrelImports(): string[] {
 function collectDeprecatedPackageTestingBridgeDrift(): string[] {
   const source = fs
     .readFileSync(resolve(REPO_ROOT, "packages/plugin-sdk/src/testing.ts"), "utf8")
-    .trim();
-  return source === 'export * from "../../../src/plugin-sdk/testing.js";'
+    .split("\n")
+    .map((line) => line.trim())
+    .filter((line) => line && !line.startsWith("//"));
+  return source.length === 1 && source[0] === 'export * from "../../../src/plugin-sdk/testing.js";'
     ? []
     : ["packages/plugin-sdk/src/testing.ts"];
 }
Original file line number	Diff line number	Diff line change
`@@ -256,5 +256,5 @@ export function promptMigrationSkillSelectionValues(`
`256`	`256`	`return prompt.prompt();`
`257`	`257`	`}`
`258`	`258`
`259`		`-/** Back-compat alias for plugin selection prompts that share the same picker. */`
	`259`	`+/** Compatibility alias for plugin selection prompts that share the same picker. */`
`260`	`260`	`export const promptMigrationSelectionValues = promptMigrationSkillSelectionValues;`