fix(update): require integer timeout values

[giodl73-repo]

Summary

• require --timeout values to be complete positive integer second values
• reject partial numeric strings such as 1.5 and 10abc
• add parser coverage for invalid and valid timeout inputs

Fixes #83281.

Real behavior proof

• Behavior or issue addressed: update --timeout now rejects values that are not complete positive integer seconds instead of accepting numeric prefixes.

• Real environment tested: WSL Ubuntu-24.04 source worktrees for origin/main and fix-update-timeout-integer-83281; proof generated with the established deterministic before/after image artifact pattern and published to proof-artifacts/pr-83310-fresh.

• Exact steps or command run after this patch: Ran the same source-level CLI parser command on origin/main and PR head: node --import tsx /tmp/pr83310-timeout-proof.mjs, importing the real parseTimeoutMsOrExit() implementation and exercising 1.5, 10abc, 0, -1, 10, 001, and omitted timeout.

• Evidence after fix:

  Fresh deterministic proof artifacts:

  • Summary: https://raw.githubusercontent.com/giodl73-repo/openclaw/proof-artifacts/pr-83310-fresh/pr-83310/summary.txt
  • Before log: https://raw.githubusercontent.com/giodl73-repo/openclaw/proof-artifacts/pr-83310-fresh/pr-83310/before-origin-main-with-regression-proof.log
  • After log: https://raw.githubusercontent.com/giodl73-repo/openclaw/proof-artifacts/pr-83310-fresh/pr-83310/after-pr-83310.log

  before_origin_main_status=1
  after_pr_83310_status=0

• Observed result after fix: origin/main accepts partial numeric prefixes such as 1.5 => 1000 ms and 10abc => 10000 ms, so the regression proof fails before the patch. PR head rejects 1.5, 10abc, 0, and -1 with the invalid-timeout path while still accepting complete positive integer strings like 10 and 001.

• What was not tested: A full live package update was not run; this proof isolates the real CLI timeout parser before any network/package-manager update work begins.

• Before evidence: The linked before log shows origin/main returning 1000 for 1.5 and 10000 for 10abc, followed by ASSERTION FAILED: --timeout must reject partial numeric strings and non-positive values..

Root Cause

• Root cause: the parser used Number.parseInt, which accepts numeric prefixes instead of requiring the full string to match the option contract.
• Missing detection / guardrail: no focused parser coverage for fractional or suffixed timeout values.
• Contributing context: the existing check only rejected NaN and non-positive parsed values.

Regression Test Plan

• Coverage level that should have caught this: unit test.
• Target test or file: src/cli/update-cli/shared.command-runner.test.ts.
• Scenario the test should lock in: timeout parsing rejects partial numeric strings and accepts complete positive integer strings.
• Why this is the smallest reliable guardrail: the behavior is isolated to parseTimeoutMsOrExit before any update command runs.

Validation

• CI=1 node scripts/run-vitest.mjs src/cli/update-cli/shared.command-runner.test.ts
• pnpm check:changed

[clawsweeper]

Codex review: needs maintainer review before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by maintainer comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors can comment @clawsweeper re-review or @clawsweeper re-run on their own open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
This PR tightens the update CLI --timeout parser to require complete positive integer seconds and adds focused parser coverage for malformed and valid values.

Reproducibility: yes. Current main’s shared parser uses Number.parseInt, and the linked before log shows 1.5 becoming 1000 ms and 10abc becoming 10000 ms.

PR rating
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster ✨ media proof bonus
Patch quality: 🐚 platinum hermit
Summary: The PR is review-clean with useful parser proof and focused tests, with merge readiness now mainly gated by normal protected-label and CI handling.

Rank-up moves:

• Wait for the remaining required CI to complete before merge.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (linked_artifact): The PR body links before/after logs from WSL source worktrees that import the real parser and show the numeric-prefix regression fixed on the PR branch.

Next step before merge
No repair lane is needed; the prior whitespace-only defect is fixed and the remaining action is normal maintainer/CI handling for an open protected PR.

Security
Cleared: The diff only changes local CLI timeout parsing and colocated tests; no dependency, workflow, secret, permission, or supply-chain surface changed.

Review details

Best possible solution:

Land the narrow shared parser fix with its regression coverage, then let the linked bug close through the PR’s closing reference.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main’s shared parser uses Number.parseInt, and the linked before log shows 1.5 becoming 1000 ms and 10abc becoming 10000 ms.

Is this the best way to solve the issue?

Yes. Fixing the shared update timeout parser is the narrow maintainable path because update, status, finalize, and wizard all flow through this helper.

What I checked:

• Current main accepts numeric prefixes: Current main still computes timeout milliseconds with Number.parseInt(timeout, 10) * 1000, so inputs like 1.5 and 10abc are accepted as positive numeric prefixes before validation. (src/cli/update-cli/shared.ts:57, 645ef817b66e)
• CLI/docs contract is seconds: The update CLI declares --timeout <seconds> and the user docs describe it as a per-step timeout in seconds, supporting full integer-second validation at the shared parser. (src/cli/update-cli.ts:53, 645ef817b66e)
• PR parser fix: The PR head returns undefined only for an actually omitted timeout, trims supplied values, requires a full decimal digit string, checks safe positive integer seconds, and returns milliseconds. (src/cli/update-cli/shared.ts:56, f5e6e06f8ee2)
• PR regression coverage: The PR adds parser tests rejecting 1.5, 10abc, 0, -1, and whitespace-only input while accepting trimmed and leading-zero positive integer strings plus omitted timeout. (src/cli/update-cli/shared.command-runner.test.ts:50, f5e6e06f8ee2)
• Linked real behavior proof: The PR body links WSL before/after artifacts that import the real parser: current main accepts 1.5 and 10abc, while the PR branch rejects those malformed values and accepts valid integer strings. (fc079319da71)
• CI state at PR head: The check-runs query for the latest head showed the main node/check/security lanes and the Real behavior proof job successful, with one Critical Quality lane still in progress at review time. (f5e6e06f8ee2)

Likely related people:

• Rubén Cuevas: The current parser helper lines are blamed to squash commit 893f580, which lists Rubén Cuevas as a co-author; that commit carried the Number.parseInt timeout parser now being fixed. (role: introduced behavior; confidence: medium; commits: 893f5800727e; files: src/cli/update-cli/shared.ts)
• shakkernerd: GitHub path history shows 92f8c1e adding update finalization command work in shared.ts, adjacent to the shared timeout helper used by update/finalize/status/wizard. (role: recent update CLI contributor; confidence: medium; commits: 92f8c1edac78; files: src/cli/update-cli/shared.ts)
• steipete: Recent path history shows multiple updates to the same update CLI shared/helper surface, including CLI helper export cleanup and update completion refresh work. (role: recent adjacent owner; confidence: medium; commits: 960fabdaef72, f427ddc220b5, 694ca50e9775; files: src/cli/update-cli/shared.ts, src/cli/update-cli.ts)
• giodl73-repo: Separate from this PR, current-main history shows giodl73-repo recently touched the update command area in commit 9a5f2f6. (role: recent area contributor; confidence: low; commits: 9a5f2f61e76f; files: src/cli/update-cli/update-command.ts)

Remaining risk / open question:

• The latest head still had one Critical Quality check in progress in the read-only check-runs query, so merge should wait for required checks to finish.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 645ef817b66e.

[giodl73-repo]

Thanks, fixed in f5e6e06.

Behavior addressed: --timeout is now treated as omitted only when the option value is actually undefined. A supplied whitespace-only value now follows the same invalid-timeout path as other malformed values.

Verification:

• git diff --check
• node node_modules/vitest/vitest.mjs run src/cli/update-cli/shared.command-runner.test.ts passed: 1 file, 3 tests

I also tried the requested node scripts/run-vitest.mjs src/cli/update-cli/shared.command-runner.test.ts, but this Windows checkout failed before Vitest startup with spawn EPERM, so I used the direct focused Vitest entrypoint as the local fallback.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26008836939
• Updated: 2026-05-18T01:38:55.373Z