fix(cli): reject out-of-range port numbers in parsePort (#83900)

[hclsys]

Fixes #83900.

parsePort (src/cli/shared/parse-port.ts) delegated to parseStrictPositiveInteger, which only enforces positivity. Any value above 65535 — the 16-bit TCP/UDP maximum — was returned as-is and reached the gateway-cli / node-cli / daemon-cli bind paths. The OS then surfaced the error at bind/connect time instead of the CLI rejecting it cleanly at parse time. The function's documented contract (number | null) implied a valid port, but the implementation didn't enforce the upper bound.

Changes

• src/cli/shared/parse-port.ts: introduce a MAX_TCP_PORT = 65_535 constant and reject any parseStrictPositiveInteger result above it by returning null (the same shape callers already handle for zero, negative, NaN, and non-integer inputs).
• src/cli/shared/parse-port.test.ts: new file. 5 regression cases covering nullish inputs, zero/negative (already-enforced), the valid range including the inclusive 65535 boundary, the issue's exact 99999 and 100000 repros, and non-integer / non-finite / NaN inputs.

Diff stat: 2 files, +48 / -1.

Real behavior proof

• Behavior or issue addressed: Sanitized issue evidence — parsePort('99999') returned 99999, which then reached gateway-cli/run.ts:531 (portOverride = parsePort(opts.port)) and node-cli/daemon.ts:82 as a "valid" override. The OS-level bind error surfaces downstream instead of a clean CLI-level rejection.

• Real environment tested: Local Node 22.x. Probe at /tmp/probe_83900.mjs (a) parses the patched parse-port.ts and verifies the MAX_TCP_PORT constant + the guard shape (parsed === undefined || parsed > MAX_TCP_PORT) + the preserved nullish early-return, and (b) replays both the patched and pre-fix shapes against 11 fixtures: valid 1 / 8080 / 65535, the issue's exact 99999, the boundary 65536, zero, negative, nullish undefined/null, string-form valid "3000", and string-form out-of-range "100000". Confirms patched returns null for out-of-range and the buggy shape returned the raw out-of-range integer that would have reached bind/connect.

• Exact steps or command run after this patch: node /tmp/probe_83900.mjs

• Evidence after fix:

PASS: MAX_TCP_PORT constant declared (16-bit boundary)
PASS: guard rejects undefined OR values above MAX_TCP_PORT
PASS: nullish-input early-return preserved
PASS: replay: all 11 fixtures (in-range / out-of-range / nullish / string-form) match patched and buggy shapes correctly
PASS: issue repro: buggy(99999)=99999 (would reach bind/connect), patched(99999)=null (clean rejection)

ALL CASES PASS

• Observed result after fix: openclaw gateway run --port 99999 (or any other CLI surface that pipes through parsePort) now treats out-of-range port input identically to other invalid inputs: parsePort returns null, and the caller's existing ?? defaultPort / null-check path applies. No OS-level bind error from invalid 16-bit input.

• What was not tested: Live openclaw gateway run --port 99999 smoke against an actual build — that requires pnpm build. The probe replays the predicate end-to-end against the issue's exact fixture, and the vitest regression test exercises the public parsePort contract directly.

Audit (per CLAUDE rules — all 5 steps)

• Existing-helper check: Reuses the existing parseStrictPositiveInteger import; the new constant MAX_TCP_PORT is a single magic-number replacement for a well-known IANA value. No new helper. PASS
• Shared-helper caller check: parsePort has 4 production callers — gateway-cli/run.ts:531, node-cli/daemon.ts:82, node-cli/register.ts:19, daemon-cli/install.ts. All four read the result as number | null and apply a default-or-error fallback for null. Adding the upper bound strengthens the existing null contract; no caller signature change. PASS
• Broader-fix rival scan: gh pr list --search '83900 in:title,body' and gh pr list --search 'parsePort in:title,body' return no open PRs. PASS
• Recent-merge audit: git log --oneline -5 -- src/cli/shared/parse-port.ts shows e1061a8b46 test(live): tolerate provider drift in release checks — unrelated. PASS
• Prototype-pollution scan: N/A — single numeric comparison, no external-input key copying.

[clawsweeper]

Codex review: passed.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR adds a 65,535 upper-bound check to the shared CLI parsePort helper, a colocated regression test, and a changelog entry for the linked port-range bug.

Reproducibility: yes. Source inspection on current main shows parsePort('99999') delegates to parseStrictPositiveInteger, which accepts any positive safe integer, so the return would be 99999; I did not execute it because this review is read-only.

PR rating
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Summary: Good normal PR: the patch is small, matches the existing contract, has focused regression coverage, and includes adequate terminal proof for a parser-only fix.

Rank-up moves:

• none

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

PR egg
✨ Hatched: 🥚 common Velvet Clawlet

       _..------.._          
    .-'  .-.  .-.  '-.       
   /    ( * )( * )    \      
  |        .--.        |     
  |   <\   ====   />   |     
   \    '.______.'    /      
    '-._   ____   _.-'       
        `-.____.-'           
       __/|_||_|\__          
      /__.'    '.__\         
       .-----------.         
      '-------------'        

Rarity: 🥚 common.
Trait: stacks clean commits.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Velvet Clawlet in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• How to hatch it: reach status: 👀 ready for maintainer look or status: 🚀 automerge armed; that usually means sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

Real behavior proof
Sufficient (terminal): Sufficient: the PR body includes copied Node 22 terminal output replaying patched and pre-fix parser behavior for boundary and out-of-range fixtures, which is adequate for this pure parser change.

Next step before merge
No repair job is needed; the branch already contains the focused fix and the opt-in automerge path can rely on exact-head review plus CI.

Security
Cleared: Cleared: the diff only changes numeric CLI parsing, a regression test, and a changelog entry, with no dependency, workflow, secret, or code-execution surface added.

Review details

Best possible solution:

Merge the shared parsePort upper-bound guard after exact-head CI/automerge checks; any broader change to how individual callers handle explicit invalid ports can be tracked separately if maintainers want that UX tightened.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection on current main shows parsePort('99999') delegates to parseStrictPositiveInteger, which accepts any positive safe integer, so the return would be 99999; I did not execute it because this review is read-only.

Is this the best way to solve the issue?

Yes. The shared parser is the narrow maintainable boundary because gateway, daemon install, and node callers already consume number | null, and existing CLI/config messages already define the valid range as 1-65535.

Label justifications:

• P2: This is a normal, focused CLI bug fix for invalid user input with limited blast radius.

What I checked:

• Current parser accepts any positive safe integer: On current main, parsePort returns parseStrictPositiveInteger(raw) ?? null with no TCP/UDP upper-bound check, so a value like 99999 is not rejected at this layer. (src/cli/shared/parse-port.ts:7, d7083bab4c6e)
• Shared numeric helper only enforces positivity: parseStrictPositiveInteger delegates to strict integer parsing and only checks parsed > 0; it intentionally has no port-specific maximum. (src/infra/parse-finite-number.ts:34, d7083bab4c6e)
• CLI callers already have a 1-65535 contract: Gateway startup parses --port, treats null as invalid explicit input, and separately rejects resolved config ports above 65_535, matching the requested parser contract. (src/cli/gateway-cli/run.ts:531, d7083bab4c6e)
• User-facing error text already documents the upper bound: The shared CLI error formatter tells users to use a port number from 1 to 65535, so the PR aligns parsing with existing user-facing guidance. (src/cli/error-format.ts:9, d7083bab4c6e)
• PR patch applies the narrow guard and regression coverage: The provided PR diff at head 9ad0705c4433 adds MAX_TCP_PORT = 65_535, returns null when parsed input is above that maximum, and adds tests for nullish, invalid, valid boundary, and out-of-range inputs. (src/cli/shared/parse-port.ts:3, 9ad0705c4433)
• PR proof and repair validation are sufficient for this parser change: The PR body includes copied Node 22 terminal output replaying patched and pre-fix parser behavior, and the ClawSweeper repair status reports pnpm check:changed; pnpm lint; pnpm check:test-types after updating the branch to 9ad0705c4433. (9ad0705c4433)

Likely related people:

• WhatsSkiLL: git blame and git log --follow attribute the current parsePort, parseStrictPositiveInteger, and nearby CLI port validation surface to commit 9b517b50cb2c20ed2ca8d741d93cb63cd81a3cd3. (role: introduced current parser surface; confidence: high; commits: 9b517b50cb2c; files: src/cli/shared/parse-port.ts, src/infra/parse-finite-number.ts, src/cli/gateway-cli/run.ts)
• Takhoffman: The PR discussion includes a direct @clawsweeper automerge request from Takhoffman, so they are a relevant review/merge-routing contact for this active PR even though the code-history owner is separate. (role: automerge requester; confidence: medium; files: src/cli/shared/parse-port.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against d7083bab4c6e.

[Takhoffman]

@clawsweeper automerge

[clawsweeper]

🦞✅
ClawSweeper merged this PR after the passing review.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=9ad0705c44334dd167ac1f7ec407e61d870d86f2)
Merge status: merged by ClawSweeper automerge
Merged at: 2026-05-19T11:36:13Z
Merge commit: e2c8e7c8ae65

What merged:

• The PR adds a 65,535 upper-bound check to the shared CLI parsePort helper, a colocated regression test, and a changelog entry for the linked port-range bug.
• Reproducibility: yes. Source inspection on current main shows parsePort('99999') delegates to parseStrict ... sitive safe integer, so the return would be 99999`; I did not execute it because this review is read-only.

Automerge notes:

• PR branch already contained follow-up commit before automerge: fix(cli): reject out-of-range port numbers in parsePort (parsePort accepts out-of-range port numbers (> 65535) #83900)

The automerge loop is complete.

Automerge progress:

• 2026-05-19 11:16:39 UTC review queued c9d281314960 (queued)

• 2026-05-19 11:18:53 UTC repair queued c9d281314960 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/26093786626

• 2026-05-19 11:21:38 UTC repair started (running) in 1s Run: https://github.com/openclaw/clawsweeper/actions/runs/26093786626 automerge-openclaw-openclaw-84008

• 2026-05-19 11:21:54 UTC validation plan (passed) in 17s Run: https://github.com/openclaw/clawsweeper/actions/runs/26093786626 pnpm check:changed; pnpm lint; pnpm check:test-types

• 2026-05-19 11:22:14 UTC Codex write preflight (passed) in 36s Run: https://github.com/openclaw/clawsweeper/actions/runs/26093786626 danger-full-access

• 2026-05-19 11:27:02 UTC Codex edit 1 547adcfe60be (complete) in 5m 25s Run: https://github.com/openclaw/clawsweeper/actions/runs/26093786626 exit 0

• 2026-05-19 11:30:01 UTC validation and review 1 9ad0705c4433 (complete) in 8m 24s Run: https://github.com/openclaw/clawsweeper/actions/runs/26093786626 already-current

• 2026-05-19 11:30:08 UTC repair completed 9ad0705c4433 (branch updated) in 8m 30s Run: https://github.com/openclaw/clawsweeper/actions/runs/26093786626 initial automerge rebase is delegated to Codex repair

• 2026-05-19 11:30:07 UTC review queued 9ad0705c4433 (after repair)

• 2026-05-19 11:36:30 UTC automerge wait 9ad0705c4433 (merged) in 14m 53s Run: https://github.com/openclaw/clawsweeper/actions/runs/26093786626 pull request already merged

• 2026-05-19 11:35:56 UTC review passed 9ad0705c4433 (structured ClawSweeper verdict: pass (sha=9ad0705c44334dd167ac1f7ec407e61d870d8...)

• 2026-05-19 11:36:16 UTC merged 9ad0705c4433 (merged by ClawSweeper automerge)

• 2026-05-19 11:36:31 UTC repair finished 9ad0705c4433 (pushed) in 14m 54s Run: https://github.com/openclaw/clawsweeper/actions/runs/26093786626 repair_contributor_branch