test: derive deprecated SDK usage guard #86403

Merged: steipete merged 1 commit into main from codex/sdk-deprecated-guardrail-source, May 25, 2026

@steipete

Contributor

Summary

  • derive deprecated plugin SDK import guardrails from the curated deprecated public subpath inventory
  • keep root/private compatibility aliases explicit
  • skip test-support helper files so the guard continues to enforce production SDK usage

Verification

  • node scripts/check-deprecated-api-usage.mjs
  • node scripts/run-vitest.mjs test/scripts/check-deprecated-api-usage.test.ts
  • git diff --check
  • .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
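
The derivation summarized above, sketched as an added example that is not code from this PR or from the project's scripts: the banned import set is built from an inventory list plus explicit aliases, and test-support files are skipped. The package name, alias names, inventory entries, path conventions and sample sources are all constructed assumptions.

```javascript
// Constructed stand-in for the curated deprecated-subpath inventory (real JSON shape not shown on the page).
const DEPRECATED_PUBLIC_SUBPATHS = ["compat", "legacy-hooks", "testing-v1"];
// Hypothetical package name and explicit root/private aliases that live outside the inventory.
const SDK_PACKAGE = "example/plugin-sdk";
const EXPLICIT_ALIASES = ["example-plugin-sdk-compat", "#private/plugin-sdk-compat"];

// One source of truth: inventory entries become full specifiers, aliases are appended verbatim.
function deriveBannedSpecifiers(subpaths, extras) {
  return new Set([...subpaths.map((s) => `${SDK_PACKAGE}/${s}`), ...extras]);
}

// Test-support helpers are exempt so the guard only enforces production usage (path rules assumed).
function isTestSupportFile(path) {
  return /(^|\/)test-support\//.test(path) || /\.test-helpers?\.[cm]?[jt]s$/.test(path);
}

// Line-based match for `from "x"`, `import "x"`, `import("x")` and `require("x")`.
// A regex is not a parser: a specifier quoted in a comment would also be reported.
const IMPORT_RE = /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)(["'])([^"']+)\1/g;

function findViolations(files, banned) {
  const violations = [];
  for (const [path, source] of Object.entries(files)) {
    if (isTestSupportFile(path)) continue;
    source.split("\n").forEach((line, i) => {
      for (const m of line.matchAll(IMPORT_RE)) {
        // Exact match only, so "compat-next" is not caught by the "compat" entry.
        if (banned.has(m[2])) violations.push({ path, line: i + 1, specifier: m[2] });
      }
    });
  }
  return violations;
}

// Constructed sample sources keyed by path.
const SAMPLE_FILES = {
  "src/plugins/a.ts":
    'import { x } from "example/plugin-sdk/compat";\nimport { y } from "example/plugin-sdk/core";',
  "src/plugins/b.ts":
    'const m = await import("#private/plugin-sdk-compat");\nimport z from "example/plugin-sdk/compat-next";',
  "src/test-support/fixtures.ts": 'import { x } from "example/plugin-sdk/compat";',
};

const banned = deriveBannedSpecifiers(DEPRECATED_PUBLIC_SUBPATHS, EXPLICIT_ALIASES);
console.log(findViolations(SAMPLE_FILES, banned));
```

Adding an entry to the inventory list extends enforcement without touching the guard itself, which is the drift the derivation removes.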

@openclaw-barnacle openclaw-barnacle Bot added scripts Repository scripts size: S maintainer Maintainer-authored PR labels May 25, 2026
@clawsweeper

clawsweeper Bot commented May 25, 2026

Contributor

Codex review: needs real behavior proof before merge. Reviewed May 25, 2026, 4:57 AM ET / 08:57 UTC.

Summary
The PR replaces the deprecated plugin SDK guard’s hard-coded compat subpath list with a helper derived from the curated deprecated public subpath JSON, broadens test-support skips, and adds focused Vitest coverage.

PR surface: Tests +23, Other +12. Total +35 across 3 files.

Reproducibility: not applicable. This is a scripts/test cleanup PR rather than a reported runtime bug. Source inspection confirmed the current hard-coded guard and the existing curated inventory that the PR derives from.

Review metrics: 1 noteworthy metric.

  • Guard source of truth: 13 hard-coded specifiers -> 53 derived/explicit specifiers. The PR broadens deprecated SDK import enforcement from the curated inventory, which is useful for maintainers to notice before merge even though current source inspection found no violations.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • none

Next step before merge
No repair lane is needed; this needs normal maintainer and CI handling because the PR is protected by the maintainer label and has no actionable patch defect.

Security
Cleared: No concrete security or supply-chain concern found; the PR adds a local script helper/test and does not change dependencies, workflows, secrets, install hooks, or release machinery.

Review details

Best possible solution:

Land the guard derivation after normal required checks confirm the script and focused Vitest test pass, keeping the curated deprecated SDK inventory as the single source of truth with explicit root/private aliases.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a scripts/test cleanup PR rather than a reported runtime bug. Source inspection confirmed the current hard-coded guard and the existing curated inventory that the PR derives from.

Is this the best way to solve the issue?

Yes; deriving the guard from the existing curated inventory is narrower and less drift-prone than maintaining a second manual list, and the explicit extras preserve root/private alias handling.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 912fdfbedd5a.

Label changes

Label changes:

  • add P3: This is a low-risk scripts/test guardrail cleanup with no runtime behavior, user data, provider, auth, or message-delivery change.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Not applicable; this is a maintainer-labeled scripts/test guardrail PR with no user-visible runtime behavior to prove in a real setup.

Label justifications:

  • P3: This is a low-risk scripts/test guardrail cleanup with no runtime behavior, user data, provider, auth, or message-delivery change.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Not applicable; this is a maintainer-labeled scripts/test guardrail PR with no user-visible runtime behavior to prove in a real setup.

Evidence reviewed

PR surface:

Tests +23, Other +12. Total +35 across 3 files.

PR surface stats:

Area       Files  Added  Removed  Net
Source     0      0      0        0
Tests      1      23     0        +23
Docs       0      0      0        0
Config     0      0      0        0
Generated  0      0      0        0
Other      2      27     15       +12
Total      3      50     15       +35

What I checked:

  • Current main checked: The checkout is on current main at the review target SHA. (912fdfbedd5a)
  • Repository policy applied: Root AGENTS.md was read fully; its ClawSweeper policy treats maintainer as a protected label and requires scoped guides for touched paths. (AGENTS.md:16, 912fdfbedd5a)
  • Scoped scripts guide applied: scripts/AGENTS.md was read and its wrapper/test guidance matches the PR's script and run-vitest validation path. (scripts/AGENTS.md:3, 912fdfbedd5a)
  • Current guard is hard-coded: Current main still hard-codes 13 deprecated plugin SDK module specifiers in the plugin-sdk-compat-subpaths rule, so the PR is not already implemented on main. (scripts/check-deprecated-api-usage.mjs:131, 912fdfbedd5a)
  • Curated deprecated SDK inventory exists: The deprecated public plugin SDK subpath inventory is already maintained as JSON and contains the broader curated list the PR uses as source of truth. (scripts/lib/plugin-sdk-deprecated-public-subpaths.json:1, 912fdfbedd5a)
  • Existing SDK entry helpers use that inventory: Current helper code already derives deprecated public plugin SDK entrypoints from the same JSON inventory, supporting the PR's source-of-truth direction. (scripts/lib/plugin-sdk-entries.mjs:28, 912fdfbedd5a)

Likely related people:

  • Val Alexander: Commit 119a01c introduced the current deprecated API guard, curated deprecated SDK inventory, and related SDK entry helpers touched by this PR. (role: recent area contributor; confidence: high; commits: 119a01c82998; files: scripts/check-deprecated-api-usage.mjs, scripts/lib/plugin-sdk-deprecated-public-subpaths.json, scripts/lib/plugin-sdk-entries.mjs)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P3 Low-priority cleanup, docs, polish, ergonomics, or speculative work. labels May 25, 2026
@clawsweeper

clawsweeper Bot commented May 25, 2026

Contributor

ClawSweeper PR egg

✨ Hatched: 💎 rare Frosted Crabkin

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 💎 rare.
Trait: sniffs out flaky tests.
Image traits: location review cove; accessory release bell; palette moss green and polished brass; mood mischievous; pose standing beside its cracked shell; shell frosted glass shell; lighting gentle morning glow; background tiny artifact crates.

What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

@steipete steipete self-assigned this May 25, 2026
@steipete

Contributor Author

Landing verification for #86403:

Behavior addressed: deprecated plugin SDK usage guard now derives banned deprecated public subpaths from scripts/lib/plugin-sdk-deprecated-public-subpaths.json, while keeping root/private compatibility aliases explicit.
Real environment tested: GitHub CI plus PR-provided local source checkout proof.
Exact steps or command run after this patch: node scripts/check-deprecated-api-usage.mjs; node scripts/run-vitest.mjs test/scripts/check-deprecated-api-usage.test.ts; git diff --check; .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main.
Evidence after fix: PR CI has no active failing/pending required checks; ClawSweeper review found no actionable defect and marked ready for maintainer look.
Observed result after fix: guard source of truth is no longer duplicated in scripts/check-deprecated-api-usage.mjs.
What was not tested: no runtime behavior, because this is scripts/test guardrail-only.

@steipete steipete merged commit fcf0bff into main May 25, 2026
121 of 128 checks passed
@steipete steipete deleted the codex/sdk-deprecated-guardrail-source branch May 25, 2026 12:45
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request May 26, 2026
SebTardif pushed a commit to SebTardif/openclaw that referenced this pull request May 26, 2026
jameslcowan pushed a commit to jameslcowan/openclaw that referenced this pull request Jun 2, 2026
SYU8384 pushed a commit to SYU8384/openclaw that referenced this pull request Jun 3, 2026
sablehead pushed a commit to sablehead/openclaw that referenced this pull request Jun 10, 2026

Labels

maintainer Maintainer-authored PR P3 Low-priority cleanup, docs, polish, ergonomics, or speculative work. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. scripts Repository scripts size: S status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.
