[Bug]: update --timeout accepts partially numeric strings despite positive-integer contract

[giodl73-repo]

Summary

A local code audit found that update CLI timeout parsing accepts partially numeric strings even though the option contract is a positive integer in seconds.

Affected area

• src/cli/update-cli/shared.ts
• parseTimeoutMsOrExit

Repro

Pass values such as --timeout 1.5 or --timeout 10abc to an update subcommand. The parser accepts the numeric prefix instead of rejecting the full value.

Expected

The parser should reject any value that is not entirely a positive integer string.

Suggested fix

Trim the input and require a full-string decimal integer match, then verify the parsed number is a safe positive integer before converting seconds to milliseconds.

Suggested regression test

Add update CLI timeout validation cases for 1.5 and 10abc that expect the existing positive-integer error and exit path.

Source: local code audit.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by maintainer comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors can comment @clawsweeper re-review or @clawsweeper re-run on their own open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: the timeout parser bug is source-reproducible on current main and still matches the latest shipped code, and the protected maintainer label means this cleanup workflow should not close or queue it automatically.

Reproducibility: yes. at source level: passing --timeout 1.5 or --timeout 10abc reaches Number.parseInt and produces a positive timeout instead of the existing error path. I did not run the update CLI because this was a read-only review of commands that can touch update/install state.

Next step
The protected maintainer label requires explicit maintainer handling, so this review should not queue an automatic repair lane.

Review details

Best possible solution:

Fix parseTimeoutMsOrExit to require a trimmed full-string decimal positive safe integer, guard seconds-to-milliseconds conversion, and add focused regression cases for update, status, and wizard timeout validation.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level: passing --timeout 1.5 or --timeout 10abc reaches Number.parseInt and produces a positive timeout instead of the existing error path. I did not run the update CLI because this was a read-only review of commands that can touch update/install state.

Is this the best way to solve the issue?

Yes, the suggested full-string integer validation is the narrowest maintainable fix for the documented seconds contract. The change should stay inside parseTimeoutMsOrExit with focused tests rather than altering update command behavior elsewhere.

What I checked:

• Protected label: The provided GitHub context shows this open issue has the protected maintainer label, so ClawSweeper cleanup should keep it open for explicit maintainer handling.
• Current parser accepts numeric prefixes: parseTimeoutMsOrExit converts the raw string with Number.parseInt(timeout, 10) * 1000 and only rejects NaN or non-positive results, so partial numeric strings do not reach the existing positive-integer error path. (src/cli/update-cli/shared.ts:56, c93d6d8daa37)
• CLI contract names seconds: The update CLI option is declared as --timeout <seconds>, matching the issue's expected positive-integer seconds contract rather than arbitrary parseable prefixes. (src/cli/update-cli.ts:53, c93d6d8daa37)
• Docs contract names seconds: The user-facing update docs document --timeout <seconds> for openclaw update, update status, and update wizard. Public docs: docs/cli/update.md. (docs/cli/update.md:45, c93d6d8daa37)
• Regression coverage gap: Existing timeout validation tests cover the fully invalid string invalid for update, status, and wizard, but the searched tests do not cover partial numeric inputs such as 1.5 or 10abc. (src/cli/update-cli.test.ts:4728, c93d6d8daa37)
• JavaScript contract proof: A read-only Node probe showed Number.parseInt('1.5', 10) * 1000 becomes 1000 and Number.parseInt('10abc', 10) * 1000 becomes 10000, confirming the source-level acceptance path.

Likely related people:

• steipete: Peter Steinberger introduced the core auto-updater surface and later shared timeout validation/test history around this parser. (role: feature-history owner; confidence: high; commits: f442a3539f19, 61c0c147ad2f, 31d739fda2d7; files: src/cli/update-cli/shared.ts, src/cli/update-cli/update-command.ts, src/cli/update-cli/status.ts)
• vincentkoc: Vincent Koc made recent update CLI changes in the same shared/update command/docs area, including package-manager main install support and default git-dir handling. (role: recent area contributor; confidence: medium; commits: 5a7aba94a2bf, 8fa91d283beb; files: src/cli/update-cli/shared.ts, src/cli/update-cli/update-command.ts, docs/cli/update.md)

Codex review notes: model gpt-5.5, reasoning high; reviewed against c93d6d8daa37.