[codex] Use clawpdf for PDF extraction

[steipete]

Summary

• Replace bundled PDF extraction runtime from PDF.js/canvas with clawpdf.
• Preserve the document-extract plugin contract while switching PDF text/page rendering to the new extractor API.
• Update docs, dependency ownership, Knip config, pnpm lockfile, npm shrinkwrap, and the fresh-release age exception for clawpdf@0.2.0.

Release

• npm: https://www.npmjs.com/package/clawpdf/v/0.2.0
• GitHub Release: https://github.com/openclaw/clawpdf/releases/tag/v0.2.0
• Tarball: https://registry.npmjs.org/clawpdf/-/clawpdf-0.2.0.tgz
• Integrity: sha512-Za4HD3CMRHNqOXOOyVJiQLnEuezRZR/oXiBzraTwL5XEQZuBwFxnyC1UzN4AjQWV2JrLN3ItbzfPRGE0gGOVwg==

Verification

• pnpm deps:shrinkwrap:root:check
• pnpm exec vitest run extensions/document-extract/document-extractor.test.ts src/media/pdf-extract.test.ts src/media/document-extractors.runtime.test.ts src/plugins/document-extractors.runtime.test.ts test/scripts/root-dependency-ownership-audit.test.ts
• pnpm exec vitest run extensions/document-extract/document-extractor.test.ts src/media/document-extractors.runtime.test.ts src/plugins/document-extractors.runtime.test.ts
• pnpm check:docs
• node scripts/run-tsgo.mjs -p tsconfig.plugin-sdk.dts.json --declaration true
• node --require tsx/cjs -e "const mod = require('./extensions/document-extract/document-extractor.ts'); console.log(typeof mod.createPdfDocumentExtractor);"
• $autoreview: clean, no accepted/actionable findings

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​silk-wasm@​3.7.1
	npm/​openai@​6.39.0
	npm/​playwright-core@​1.60.0
	npm/​mpg123-decoder@​1.0.3
	npm/​https-proxy-agent@​9.0.0
	npm/​fake-indexeddb@​6.2.5
	npm/​gaxios@​7.1.4
	npm/​zca-js@​2.1.2
	npm/​google-auth-library@​10.6.2
	npm/​markdown-it@​14.1.1

View full report

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed May 28, 2026, 11:48 AM ET / 15:48 UTC.

Summary
The PR replaces the bundled document-extract PDF runtime from PDF.js/canvas with clawpdf, updates PDF docs, dependency ownership metadata, lockfiles/shrinkwrap, package policy, and a nearby approval prompt typing line.

PR surface: Source -169, Tests +14, Docs 0, Config -7, Other -512. Total -674 across 14 files.

Reproducibility: not applicable. this is a PR changing an implementation dependency rather than a bug report with a failing reproduction. The required evidence is after-fix real behavior proof for built-plugin PDF extraction with the final package.

Review metrics: 1 noteworthy metric.

• Dependency policy surfaces: 1 parser dependency swapped; 1 minimumReleaseAge exclude added; 1 allowBuilds entry added. These package-policy changes affect how a new untrusted-file parser is admitted and installed, so green unit tests alone do not settle merge readiness.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🧂 unranked krab
Patch quality: 🦐 gold shrimp
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P1] Add redacted terminal output or a linked artifact showing the built document-extract plugin extracting a PDF with clawpdf@0.2.0.
• Update the PR body so the dependency provenance describes the published npm package, not the earlier codeload tarball.
• Rebase or otherwise reconcile the dirty branch against current main before final maintainer review.

Proof guidance:

• [P1] Needs stronger real behavior proof before merge: The PR body lists commands and a smoke claim, but it lacks redacted terminal output, logs, screenshots, recordings, or a linked artifact showing after-fix PDF extraction with the final clawpdf@0.2.0 dependency; redact private data and update the PR body so ClawSweeper re-reviews automatically, or ask a maintainer to comment @clawsweeper re-review.

Risk before merge

• [P1] The contributor proof gate is still open: the PR body describes a smoke result but provides no redacted after-fix output, log, screenshot, recording, or linked artifact for the final clawpdf@0.2.0 package.
• [P1] This intentionally moves untrusted PDF parsing/rendering to a new PDFium WebAssembly dependency and package-policy allowance, which needs explicit maintainer security/provenance approval before merge.
• [P1] The PR is draft, carries the protected maintainer label, and is reported dirty against current main, so the approval-runtime follow-up and final branch state need human reconciliation.
• [P1] The PR body still contains stale codeload-tarball notes even though the diff now locks published npm clawpdf@0.2.0; the merge record should match the actual dependency provenance.

Maintainer options:

1. Gate on provenance, proof, and clean head (recommended)
   Keep the PR open until the dependency provenance is maintainer-approved, the contributor adds redacted built-plugin extraction proof for clawpdf@0.2.0, and the dirty branch is reconciled with current main.
2. Accept the parser swap deliberately
   Maintainers may choose to land the new PDFium/WASM parser after explicitly accepting the dependency and behavior-compatibility risk as the new bundled PDF path.
3. Pause the runtime swap
   If the new parser boundary is not worth taking now, pause or close this branch and keep the existing PDF.js/canvas path until a narrower dependency proposal is approved.

Next step before merge

• [P1] Needs human maintainer handling for the protected label, draft/dirty state, new untrusted-PDF dependency approval, stale provenance notes, and contributor real-proof gate.

Security
Needs attention: No malicious change was evident, but the PR deliberately introduces a new untrusted-PDF PDFium WASM parser and package-policy allowance that needs maintainer approval before merge.

Review details

Best possible solution:

Land only after maintainers explicitly accept the clawpdf@0.2.0 PDFium/WASM provenance, the PR body and proof reflect the published npm package, and the branch is rebased cleanly with focused document-extract and Gateway PDF validation.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a PR changing an implementation dependency rather than a bug report with a failing reproduction. The required evidence is after-fix real behavior proof for built-plugin PDF extraction with the final package.

Is this the best way to solve the issue?

Unclear until maintainer approval; the implementation path matches the published clawpdf API and preserves the intended text-first/image-fallback shape, but the dependency/security boundary and stale proof need resolution before it can be called the best merge path.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 79e733cc34a3.

Label changes

Label justifications:

• P2: This is a normal-priority user-visible PDF extraction runtime change with limited blast radius but non-trivial dependency and proof requirements.
• merge-risk: 🚨 compatibility: Replacing PDF.js/canvas with clawpdf can change extracted text, rendered image output, PDF support, and upgrade behavior for existing PDF workflows.
• merge-risk: 🚨 security-boundary: The PR introduces a new PDFium WebAssembly parser for untrusted PDFs and updates package install policy for that dependency.
• rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🧂 unranked krab and patch quality is 🦐 gold shrimp.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The PR body lists commands and a smoke claim, but it lacks redacted terminal output, logs, screenshots, recordings, or a linked artifact showing after-fix PDF extraction with the final clawpdf@0.2.0 dependency; redact private data and update the PR body so ClawSweeper re-reviews automatically, or ask a maintainer to comment @clawsweeper re-review.

Evidence reviewed

PR surface:

Source -169, Tests +14, Docs 0, Config -7, Other -512. Total -674 across 14 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	3	49	218	-169
Tests	2	106	92	+14
Docs	2	5	5	0
Config	3	4	11	-7
Generated	0	0	0	0
Other	4	26	538	-512
Total	14	190	864	-674

Security concerns:

• [medium] Approve the new PDFium WASM parser boundary — scripts/lib/dependency-ownership.json:131
  The diff classifies clawpdf as wasm, parser, and untrusted-files, and package policy allows the dependency; maintainers should approve this provenance and parser boundary before routing user PDFs through it.
  Confidence: 0.86

What I checked:

• Root policy read: Read the full root AGENTS.md plus scoped guides for extensions/, docs/, scripts/, and src/plugin-sdk/; dependency-backed behavior, lockfiles, plugin boundaries, and real behavior proof requirements affected this review. (AGENTS.md:1, 79e733cc34a3)
• Current main PDF runtime: Current main loads pdfjs-dist/legacy/build/pdf.mjs and @napi-rs/canvas through the bundled document-extract plugin, so this PR is a real runtime parser/rendering swap rather than already-implemented cleanup. (extensions/document-extract/document-extractor.ts:45, 79e733cc34a3)
• PR runtime implementation: The PR imports createEngine from clawpdf, opens PDFs through the shared engine, extracts text first, and falls back to mode: "images" with PNG image conversion before destroying each document. (extensions/document-extract/document-extractor.ts:1, 45c4f82b40e6)
• Published dependency lock: The current PR head locks clawpdf@0.2.0 from npm with an integrity hash in both pnpm and npm shrinkwrap metadata, resolving the prior codeload-package-shape blocker but still changing the parser dependency surface. (pnpm-lock.yaml:4522, 45c4f82b40e6)
• Package policy surface: The PR adds clawpdf to minimumReleaseAgeExclude and allowBuilds while removing the old canvas build allowance, which is merge-relevant package policy rather than ordinary code-only churn. (pnpm-workspace.yaml:57, 45c4f82b40e6)
• Dependency ownership risk: The dependency ownership table classifies clawpdf as a plugin runtime activated by PDF input and explicitly marks the risk as wasm, parser, and untrusted-files. (scripts/lib/dependency-ownership.json:131, 45c4f82b40e6)

Likely related people:

• steipete: Prior current-main history includes PDF extraction type-surface and input validation work plus PDF/Gateway docs updates, beyond authoring this PR branch. (role: PDF and gateway surface contributor; confidence: high; commits: 1f71137d1e15, 7240830ca42f, 998cc02af40c; files: src/media/pdf-extract.ts, src/media/input-files.ts, docs/tools/pdf.md)
• vincentkoc: Current-main blame for the checked-out document-extract and PDF docs surface is dominated by a recent grafted fix, and nearby history includes Gateway/media input work. (role: recent adjacent area contributor; confidence: medium; commits: 56302f79a858, d10669629d73, eaad4ad1be38; files: extensions/document-extract/document-extractor.ts, docs/gateway/openresponses-http-api.md, docs/tools/pdf.md)
• Tyler Yust: Feature history shows the original PDF analysis tool addition in the central PDF tool path, making this person a useful historical routing candidate if behavior compatibility questions come up. (role: original PDF tool contributor; confidence: medium; commits: d0ac1b019517; files: src/agents/tools/pdf-tool.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[github-actions]

Dependency Changes Detected

This PR changes dependency-related files. Maintainers should confirm these changes are intentional.

Changed files:

• extensions/document-extract/package.json
• npm-shrinkwrap.json
• package.json
• pnpm-lock.yaml
• pnpm-workspace.yaml

Maintainer follow-up:

• Review whether the dependency changes are intentional.
• Inspect resolved package deltas when lockfile, shrinkwrap, or workspace dependency policy changes are present.
• Treat package-lock.json and npm-shrinkwrap.json diffs as security-review surfaces.
• Run pnpm deps:changes:report -- --base-ref origin/main --markdown /tmp/dependency-changes.md --json /tmp/dependency-changes.json locally for detailed release-style evidence.

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm entities is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: extensions/matrix/npm-shrinkwrap.json → npm/markdown-it@14.1.1 → npm/entities@4.5.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm markdown-it is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: extensions/matrix/npm-shrinkwrap.json → npm/markdown-it@14.1.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/markdown-it@14.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Low adoption: npm silk-wasm Location: Package overview From: extensions/qqbot/npm-shrinkwrap.json → npm/silk-wasm@3.7.1 ℹ Read more on: This package | This alert | What are unpopular packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Unpopular packages may have less maintenance and contain other problems. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/silk-wasm@3.7.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Low adoption: npm whatsapp-rust-bridge Location: Package overview From: extensions/whatsapp/npm-shrinkwrap.json → npm/baileys@7.0.0-rc13 → npm/whatsapp-rust-bridge@0.5.4 ℹ Read more on: This package | This alert | What are unpopular packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Unpopular packages may have less maintenance and contain other problems. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/whatsapp-rust-bridge@0.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report