chore(deps): bump the swift-deps group across 1 directory with 3 updates

[dependabot]

Bumps the swift-deps group with 3 updates in the /apps/macos directory: github.com/apple/swift-log, github.com/sparkle-project/sparkle and github.com/steipete/peekaboo.

Updates github.com/apple/swift-log from 1.12.0 to 1.13.1

Release notes

Sourced from github.com/apple/swift-log's releases.

1.13.1

What's Changed

SemVer Patch

• Match DefaultStringInterpolation appendInterpolation overloads by @​kukushechkin in apple/swift-log#469

Full Changelog: apple/swift-log@1.13.0...1.13.1

1.13.0

What's Changed

SemVer Minor

• [SLG-0004]: metadata value attributes implementation by @​kukushechkin in apple/swift-log#453

This release contains a source-breaking change of MetadataValue compatibility with custom string interpolations. Please see apple/swift-log#467 for details.

Full Changelog: apple/swift-log@1.12.1...1.13.0

1.12.1

What's Changed

SemVer Patch

• Improve readability by extracting separate types to their own files by @​samuelmurray in apple/swift-log#444
• Skip handler dispatch for setters under MaxLogLevelNone by @​rnro in apple/swift-log#465

Other Changes

• Update documentation to reflect recent changes by @​samuelmurray in apple/swift-log#445
• Update dependabot to daily schedule by @​kukushechkin in apple/swift-log#446
• Bump swiftlang/github-workflows/.github/workflows/soundness.yml from 0.0.9 to 0.0.11 by @​dependabot[bot] in apple/swift-log#447
• Make dependabot set label by @​kukushechkin in apple/swift-log#448
• Add tests for SwiftLogNoOpLogHandler by @​crleonard in apple/swift-log#449
• Cleanup repository structure by @​kukushechkin in apple/swift-log#451
• Disable nightly 6.3 WASM builds by @​kukushechkin in apple/swift-log#454
• [SLG-0004]: metadata value attributes proposal (revision 2) by @​kukushechkin in apple/swift-log#440
• Migrate macOS CI to Swift version inputs by @​rnro in apple/swift-log#457
• Shared workflows changed from Xcode XX.X to Xcode swift X.X by @​kukushechkin in apple/swift-log#461
• Adopt multi-package macOS benchmarks workflow by @​rnro in apple/swift-log#466

New Contributors

• @​crleonard made their first contribution in apple/swift-log#449

Full Changelog: apple/swift-log@1.12.0...1.12.1

Commits

• 2aed77a Match DefaultStringInterpolation appendInterpolation overloads (#469)
• 7dc6101 [SLG-0004]: metadata value attributes implementation (#453)
• a012e0a Adopt multi-package macOS benchmarks workflow (#466)
• 1069d31 Skip handler dispatch for setters under MaxLogLevelNone (#465)
• 3061a62 Shared workflows changed from Xcode XX.X to Xcode swift X.X (#461)
• 184c737 Migrate macOS CI to Swift version inputs (#457)
• eca8199 [SLG-0004]: metadata value attributes proposal (revision 2) (#440)
• ac3646e Disable nightly 6.3 WASM builds (#454)
• 5c348a6 Cleanup repository structure (#451)
• deae26e Add tests for SwiftLogNoOpLogHandler (#449)
• Additional commits viewable in compare view

Updates github.com/sparkle-project/sparkle from 2.9.1 to 2.9.2

Release notes

Sourced from github.com/sparkle-project/sparkle's releases.

2.9.2 Appcast Improvements

Changes:

• Show hidden window title in update window for accessibility (#2871) (Zorg)
• Polish and update Spanish translations to be gender neutral (#2874, #2875) (Emilio P Egido)
• Guard against NULL CFRelease() on failure condition in fallback path (#2867) (Zorg)
• Guard against symlinks when applying delta update files (fe7b718) (Zorg, fg0x0)
• Enforce connection to installer to be validated before receiving appcast item data (#2876, #2877) (Zorg, fg0x0)

This release contains two high-complex security fixes reported by @​fg0x0. The details will be posted in the 2.9 discussion.

Please also check 2.9.1 and 2.9.0 for previous changes.

Commits

• 6276ba2 Update Package management files for version 2.9.2
• 113279a Improve synchronization of _receivedAppcastItemData (#2877)
• 7c4741d Update Package management files for version 2.9.2
• 5df807d Update README for 2.9.2
• c6ab245 Update Package management files for version 2.9.2
• 6e370a5 Enforce connection to installer to be validated before receiving appcast item...
• cbdc150 Polish Spanish localization in Sparkle.strings (#2875)
• fe7b718 Merge commit from fork
• d2b796b Update you're up to date Spanish translation to be gender neutral (#2874)
• 2f33f56 Fix QoS warning when running Test app server on main thread (#2873)
• Additional commits viewable in compare view

Updates github.com/steipete/peekaboo from 3.2.1 to 3.3.0

Release notes

Sourced from github.com/steipete/peekaboo's releases.

v3.3.0

[3.3.0] - 2026-06-01

Added

• peekaboo agent now supports MiniMax China via minimax-cn/... models and MINIMAX_CN_API_KEY, while preserving the existing international MiniMax endpoint. Thanks @​LLuke for #161.

Changed

• peekaboo click, type, hotkey, press, and paste now use background process-targeted delivery by default when a target PID/app/window/snapshot process can be resolved, with --foreground for focused foreground input.

Fixed

• Background text input now prefers AX text editing for typing, paste, clear, and focused-field key presses so targeted apps stay in the background more reliably.
• Background text paste no longer snapshots or restores the user clipboard, positional peekaboo paste "text" works again, and background cmd+a selects focused text fields via AX.
• peekaboo open --app Finder ... now resolves Finder from CoreServices, matching the documented examples.
• Visualizer settings and capture-engine docs now reference peekaboo capture live instead of stale top-level peekaboo watch/peekaboo capture command forms. Thanks @​coygeek for #166 and #167.

Verification

• npm: https://www.npmjs.com/package/@​steipete/peekaboo/v/3.3.0
• Registry tarball: https://registry.npmjs.org/@​steipete/peekaboo/-/peekaboo-3.3.0.tgz
• Integrity: sha512-5VfZ/Xr4KG1Hh4AC1kcQof7SdiNJK0jgSqElW4HErkj9e2hPNft59mJYpZDZnBRQ7JRX3ZJz3vwpx7A8R5+sAA==
• Published: 2026-05-31T23:41:15.713Z
• Proof: SwiftFormat, SwiftLint, warning gate, pnpm run test:safe (463 tests), notarization, appcast validation, npm registry verification.

v3.2.3

[3.2.3] - 2026-05-24

Added

• peekaboo image --json now reports capture coordinate diagnostics and warns when window captures look blank or solid.

Fixed

• Interaction commands now accept --snapshot latest explicitly and window/app capture failures list rejected capture candidates.

Release proof

• npm: https://www.npmjs.com/package/@​steipete/peekaboo/v/3.2.3
• registry tarball: https://registry.npmjs.org/@​steipete/peekaboo/-/peekaboo-3.2.3.tgz
• integrity: sha512-0+NJGpJVNnwTYiw/ApL7VNYCMJkOIHHxQqR8qJubzm7EKRt3tVu7CdqHs1lXkpcdJaJ5PYeGGDngj+PeUlPxFA==
• published: 2026-05-24T04:33:55.374Z
• proof: autoreview clean; pnpm run test:safe; node scripts/prepare-release.js; notarized app zip accepted; GitHub assets verified; npm latest points to 3.2.3

v3.2.2

[3.2.2] - 2026-05-22

Added

• GameBridge manifests now let peekaboo see expose Firestaff/SDL game UI zones from GPU-rendered windows. Thanks @​yeager for #152.

Fixed

• peekaboo agent now accepts OpenRouter model IDs and can use OPENROUTER_API_KEY from env or credentials. Thanks @​delort for #155.

Release Verification

... (truncated)

Commits

• faf8430 chore(release): update appcast for 3.3.0
• 6feffe5 chore(release): prepare 3.3.0
• 697acdd chore: update Tachikoma submodule
• 6609a43 fix(cli): improve background text input
• 619a033 fix(cli): harden background text input
• 122c96d feat(cli): use background keyboard delivery by default
• abb4e87 fix(cli): default clicks to background delivery (#168)
• c15ff18 docs: update AXorcist submodule
• 28a47f9 docs: position README banner
• 9d32a65 ci: pin macOS runner labels
• Additional commits viewable in compare view

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 5, 2026, 4:44 AM ET / 08:44 UTC.

Summary
This PR updates the macOS SwiftPM manifest and lockfile to resolve Peekaboo 3.3.0, Sparkle 2.9.2, and swift-log 1.13.1.

PR surface: Other 0. Total 0 across 2 files.

Reproducibility: not applicable. this is a dependency update rather than a bug report. The reviewable proof is current main still pinning the old versions, the PR head pinning the new versions, upstream release notes, and exact-head checks.

Review metrics: 2 noteworthy metrics.

• Runtime SwiftPM dependencies: 3 updated. All updated packages are direct production macOS dependencies used by logging, updater, or PeekabooBridge runtime paths.
• Exact-head relevant checks: 6 passed, 1 queued. macos-swift, macos-node, dependency-guard, security-fast, Opengrep OSS, and Real behavior proof passed on the inspected head, while ci-timings-summary had not completed yet.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Run a signed packaged macOS app launch smoke for this exact head.
• [P2] Exercise Sparkle updater initialization/check and PeekabooBridge enable/startup before merge if maintainers want runtime proof.

Mantis proof suggestion
A real macOS desktop proof would materially help verify the signed app, Sparkle updater controls, and PeekabooBridge startup after the dependency bump. A maintainer can ask Mantis to capture proof by posting a new PR comment that starts with the OpenClaw Mantis account mention, followed by:

visual task: launch the packaged macOS app for this PR, open About update controls, enable Peekaboo Bridge, and capture startup or updater errors.

Risk before merge

• [P1] Sparkle 2.9.2 changes updater/appcast validation and includes upstream security fixes in the signed app update path, so maintainers should be comfortable with the trust-boundary update before merge.
• [P1] Peekaboo 3.3.0 changes background process-targeted input delivery while OpenClaw hosts PeekabooBridge with Team ID allowlisting, so a signed macOS app and bridge startup smoke would reduce runtime uncertainty.
• [P1] swift-log 1.13.0 notes a source-breaking MetadataValue custom interpolation change; current OpenClaw logging code uses Logger.Metadata.Value directly and exact-head macos-swift passed, so this looks low risk but still belongs in the compatibility review.

Maintainer options:

1. Smoke the signed macOS runtime (recommended)
   Run a signed packaged app launch that initializes Sparkle and enables PeekabooBridge on this exact head before merging.
2. Accept the upstream dependency risk
   Maintainers may merge based on the green exact-head macOS/package checks and upstream release notes if they are comfortable owning runtime validation after merge.
3. Split the security-sensitive bumps
   If the grouped update is too much to judge at once, close or pause this PR and take Sparkle, Peekaboo, and swift-log as separate dependency PRs with focused proof.

Next step before merge

• [P2] The next action is maintainer risk acceptance or runtime proof for signed macOS updater and bridge paths; there is no narrow code repair for ClawSweeper to queue.

Security
Cleared: No concrete malicious or supply-chain regression was found in the narrow SwiftPM manifest and lockfile bump, but the changed Sparkle and Peekaboo trust boundaries remain explicit merge risks.

Review details

Best possible solution:

Land the dependency bump after maintainer acceptance of the signed-updater and PeekabooBridge runtime risk, ideally with a signed macOS app launch, Sparkle updater initialization, and PeekabooBridge enable/startup smoke on the exact head.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a dependency update rather than a bug report. The reviewable proof is current main still pinning the old versions, the PR head pinning the new versions, upstream release notes, and exact-head checks.

Is this the best way to solve the issue?

Yes for the maintenance task: updating the SwiftPM manifest and lockfile is the right owner boundary for this dependency group. The safer pre-merge state is maintainer-owned signed-app/updater/bridge smoke or an explicit decision to accept that runtime risk.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 1a3ce7c2a8da.

Label changes

Label justifications:

• P3: This is routine dependency maintenance with a bounded macOS surface and no reported user-facing regression.
• merge-risk: 🚨 compatibility: The bump includes swift-log's noted source-breaking MetadataValue interpolation change and Peekaboo behavior changes that could affect macOS runtime compatibility.
• merge-risk: 🚨 security-boundary: Sparkle owns signed app update handling and PeekabooBridge exposes allowlisted UI automation, so these dependency changes cross security-sensitive runtime boundaries.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a Dependabot dependency PR, so contributor real-behavior proof is not required; maintainers may still request signed macOS runtime smoke for the security-sensitive paths.

Evidence reviewed

PR surface:

Other 0. Total 0 across 2 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	0	0	0	0
Tests	0	0	0	0
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	2	8	8	0
Total	2	8	8	0

What I checked:

• Live PR state: The live GitHub API shows this PR is open, cleanly mergeable, and at head 661aa2b against current main 1a3ce7c. (661aa2b5b2ca)
• Current main dependency pins: Current main still declares swift-log from 1.10.1, Sparkle from 2.9.0, and exact Peekaboo 3.2.1; Package.resolved still locks swift-log 1.12.0, Sparkle 2.9.1, and Peekaboo 3.2.1. (apps/macos/Package.swift:20, 1a3ce7c2a8da)
• PR head dependency pins: The PR head changes the exact Peekaboo manifest pin to 3.3.0 and the lockfile to Peekaboo 3.3.0, Sparkle 2.9.2, and swift-log 1.13.1. (apps/macos/Package.resolved:45, 661aa2b5b2ca)
• Runtime dependency surface: OpenClaw's macOS app directly imports Sparkle for SPUStandardUpdaterController and imports PeekabooBridge/PeekabooAutomationKit for the Team-ID-allowlisted bridge host, so this is not a test-only dependency bump. (apps/macos/Sources/OpenClaw/MenuBar.swift:461, 1a3ce7c2a8da)
• Upstream release contracts: Official upstream release data says Sparkle 2.9.2 includes two high-complexity security fixes, Peekaboo 3.3.0 changes background process-targeted input delivery, and swift-log 1.13.0 contains a source-breaking MetadataValue custom interpolation change fixed forward by 1.13.1.
• Exact-head checks: GitHub check-runs for the exact PR head show macos-swift, macos-node, dependency-guard, security-fast, Opengrep OSS, and Real behavior proof completed successfully; ci-timings-summary was still queued at inspection time. (661aa2b5b2ca)

Likely related people:

• steipete: Git history and blame show Peter Steinberger introduced Sparkle update support, hosted PeekabooBridge, switched Peekaboo to SPM, and has the recent dominant history on the macOS Package files and runtime dependency paths. (role: feature owner and recent area contributor; confidence: high; commits: ddbe680a585e, c17440f5b487, cf3becfb2e20; files: apps/macos/Package.swift, apps/macos/Package.resolved, apps/macos/Sources/OpenClaw/MenuBar.swift)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg: ✨ hatched 🥚 common Clockwork Proofling. Rarity: 🥚 common. Trait: sniffs out flaky tests.

Details

Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Clockwork Proofling in ClawSweeper.
Hatchability:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

About:

• Eggs appear after real-behavior proof passes. They are collectible flavor only.
• Review momentum changes the shell state: follow-up work warms it, re-review makes it wobble, and a clean final review lets it hatch.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.