fix(ci): repair protocol drift and audit failures

[altaywtf]

Summary

• Problem: CI was red on three separate lanes: protocol artifact drift, a stale workspace-root guard unit test, and a production dependency audit failure on axios via Feishu's @larksuiteoapi/node-sdk
• Why it matters: the branch could not land while checks-fast-contracts-protocol, checks-node-test, and security-fast were failing
• What changed: regenerated the gateway Swift protocol artifacts, fixed the stale assertSandboxPath mock in the guard test, and pinned axios@1.15.0 via root + Feishu overrides with a narrow minimumReleaseAgeExclude entry so pnpm can install the patched version
• What did NOT change (scope boundary): no runtime behavior changes outside the generated protocol alias field that was already present in schema/types, and no broader dependency refresh beyond the targeted axios patch path

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related #
• This PR fixes a bug or regression

Root Cause (if applicable)

• Root cause: ModelChoice.alias had been added to the typed protocol schema without checking in the regenerated Swift client artifacts; the workspace-root guard test used a fixed assertSandboxPath mock that no longer reflected normalized-path behavior; and the Feishu production dependency path started failing audit once the axios SSRF advisory applied to the installed version
• Missing detection / guardrail: the protocol gate and audit gate detected the regressions, but the generated files and patched transitive dependency were not committed yet; the unit test had coverage already, but its mock was stale
• Contributing context (if known): the repo's minimumReleaseAge policy blocked adopting axios@1.15.0 until axios was explicitly allowlisted for this targeted security update

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/agents/pi-tools.read.workspace-root-guard.test.ts and the existing protocol:check / pnpm audit --prod --audit-level=high gates
• Scenario the test should lock in: custom outPath params normalize through the same resolved sandbox path the wrapper uses in production, while protocol/client artifacts and the Feishu dependency tree stay in sync with committed sources
• Why this is the smallest reliable guardrail: the failing unit case already covered the path-normalization seam, and the other two failures are best enforced by the existing protocol drift and audit gates
• Existing test that already covers this (if any): src/agents/pi-tools.read.workspace-root-guard.test.ts
• If no new test is added, why not: existing coverage was sufficient; the fix was to correct the stale mock and commit generated artifacts / lockfile state

User-visible / Behavior Changes

None

Diagram (if applicable)

N/A

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) No
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: macOS
• Runtime/container: Node 24 / pnpm 10.32.1
• Model/provider: N/A
• Integration/channel (if any): Feishu dependency path and gateway protocol artifacts
• Relevant config (redacted): default repo config with minimumReleaseAge enabled

Steps

1. Open the failing CI run from April 9, 2026 and inspect the linked checks-fast-contracts-protocol lane plus the other red lanes on the same run
2. Reproduce the protocol drift with OPENCLAW_LOCAL_CHECK=0 pnpm protocol:check, the stale unit assertion with OPENCLAW_LOCAL_CHECK=0 pnpm test src/agents/pi-tools.read.workspace-root-guard.test.ts, and the audit failure with pnpm audit --prod --audit-level=high
3. Apply the generated artifact, test-mock, and dependency-override fixes and rerun the same gates

Expected

• Protocol artifacts are already committed
• The workspace-root guard tests pass
• Production audit reports no known vulnerabilities

Actual

• Before this patch, CI failed on protocol drift, one guard unit test, and the production audit lane

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

• Verified scenarios: reran OPENCLAW_LOCAL_CHECK=0 pnpm protocol:check, pnpm audit --prod --audit-level=high, OPENCLAW_LOCAL_CHECK=0 pnpm test src/agents/pi-tools.read.workspace-root-guard.test.ts, and OPENCLAW_LOCAL_CHECK=0 pnpm test src/plugins/contracts/package-manifest.contract.test.ts
• Edge cases checked: relative vs absolute sandbox-path normalization in the guard test, and the pnpm release-age policy path for the targeted axios security bump
• What you did not verify: full repo-wide pnpm check was intentionally skipped on the final commit path after equivalent targeted verification for the touched surfaces

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps:

Risks and Mitigations

• Risk: adding axios to minimumReleaseAgeExclude could be overused later if we treat it as a general bypass
  • Mitigation: this PR also pins the exact patched version in overrides, so the exclusion is narrowly tied to the security update path
• Risk: protocol client code can drift again when schema fields change
  • Mitigation: this PR restores the generated Swift artifacts and keeps the existing protocol:check gate as the guardrail

[greptile-apps]

Greptile Summary

This PR repairs three independent CI failures: (1) regenerates the Swift GatewayModels artifacts in both apps/macos and apps/shared to include the ModelChoice.alias optional field that had already been added to the typed protocol schema; (2) fixes a stale assertSandboxPath mock in the workspace-root guard test that was returning a fixed path regardless of input, causing the normalizeGuardedPathParams assertion to use the wrong resolved value; and (3) pins axios@1.15.0 via root pnpm.overrides and the feishu plugin's top-level overrides (for standalone npm installs), and adds axios to minimumReleaseAgeExclude in pnpm-workspace.yaml to allow adopting the patched version.

Confidence Score: 5/5

This PR is safe to merge — all changes are mechanical CI repairs with no runtime behavior impact.

All three fixes are tightly scoped: the Swift artifacts add an optional field (backward compatible), the test mock is corrected to match real production semantics, and the axios pin is applied via both root pnpm overrides and the feishu plugin's npm overrides to cover all install paths. No P0/P1 findings; no behavior changes.

No files require special attention.

Vulnerabilities

• axios@1.15.0 is pinned via pnpm.overrides (root) and the feishu plugin's overrides field to address a known SSRF advisory affecting earlier versions. Both the monorepo path and standalone npm install path are covered.
• No new network calls, secrets handling, or permission surfaces were introduced.

_{Reviews (1): Last reviewed commit: "CI: narrow axios release-age exception" | Re-trigger Greptile}

[Copilot]

Pull request overview

Repairs failing CI lanes by bringing generated protocol artifacts and unit tests back in sync with current behavior, and addressing a production dependency audit finding by pinning a patched axios version via pnpm overrides.

Changes:

• Updated the workspace-root guard unit test mock to reflect normalized path resolution behavior.
• Added axios to minimumReleaseAgeExclude and pinned axios@1.15.0 via pnpm overrides + lockfile updates.
• Regenerated Swift gateway protocol artifacts to include ModelChoice.alias.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
src/agents/pi-tools.read.workspace-root-guard.test.ts	Resets and re-implements assertSandboxPath mock to align with current path-normalization behavior.
pnpm-workspace.yaml	Allows expedited adoption of the patched axios by excluding it from minimum release-age gating.
package.json	Pins axios@1.15.0 under root pnpm.overrides.
pnpm-lock.yaml	Updates resolved dependency graph to axios@1.15.0 and related transitive changes.
extensions/feishu/package.json	Adds an overrides entry intended to pin axios for Feishu.
apps/shared/OpenClawKit/Sources/OpenClawProtocol/GatewayModels.swift	Regenerated Swift protocol model to include optional alias on ModelChoice.
apps/macos/Sources/OpenClawProtocol/GatewayModels.swift	Same Swift protocol regeneration for the macOS target.

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

[aisle-research-bot]

🔒 Aisle Security Analysis

✅ We scanned this PR and did not find any security vulnerabilities.

_{Aisle supplements but does not replace security review.}

---

Analyzed PR: #63917 at commit 4e096d0

_{Last updated on: 2026-04-09T21:05:09Z}