Fix auth profile block expiry type narrowing

[VACInc]

Summary

• Fix auth-profile blocked-until updates so existing expiry timestamps are narrowed to a definite number before Math.max.
• Restores the plugin SDK declaration build on current main.

Root Cause

Commit 30e3ca08a5 replaced the explicit numeric guard for previousStats?.blockedUntil with isFutureDateTimestampMs(...). That helper returns boolean, not a TypeScript type predicate, so existingBlockedUntil remains number | undefined when passed to Math.max during tsconfig.plugin-sdk.dts.json declaration generation.

Before behavior proof: pnpm build failed in build:plugin-sdk:dts with TS2345 at src/agents/auth-profiles/usage.ts:844 and :891, both reporting number | undefined was not assignable to number.

Real behavior proof

Behavior addressed: pnpm build failure in build:plugin-sdk:dts on current main.

Real environment tested: local OpenClaw checkout in a detached worktree based on origin/main at bdb0fde0ea.

Exact steps or command run after this patch: pnpm build

Evidence after fix: build:plugin-sdk:dts done in 3.96s; final build summary reported phase timings: total 101.3s with exit code 0.

Observed result after fix: the exact failed build phase completed successfully and the full core/UI build finished.

What was not tested: daemon install, health check, and security audit; those are covered by the follow-up oc-update run.

Verification

• pnpm build

What was not tested

• openclaw daemon install --force, openclaw health, and openclaw security audit --deep before opening this PR.

[clawsweeper]

Thanks for the context here. I did a careful shell check against current main, and this is already implemented.

Current main already fixes the type-narrowing failure by making the shared future-timestamp guard a number type predicate, so this PR's caller-local narrowing is now redundant. The fix is present on main only and is not in the latest release tag I checked.

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review details

Best possible solution:

Keep the shared predicate fix on main and close this redundant branch rather than merge a second caller-local narrowing path.

Do we have a high-confidence way to reproduce the issue?

No; the original declaration-build failure is no longer reproducible from current source inspection because isFutureDateTimestampMs now narrows to number at both reported callers. The PR body supplied before/after build proof for the older base state.

Is this the best way to solve the issue?

Yes; current main is the better solution because it fixes the shared helper's type contract once instead of duplicating equivalent narrowing in two callers.

Security review:

Security review cleared: The one-file TypeScript narrowing change does not alter secrets, auth tokens, dependencies, CI, or package resolution.

AGENTS.md: found and applied where relevant.

What I checked:

• Current source fix: isFutureDateTimestampMs now returns value is number, which gives TypeScript the narrowing this PR was trying to restore. (src/shared/number-coercion.ts:108, 99ce71ddbbdb)
• Current caller behavior: markAuthProfileBlockedUntil still uses isFutureDateTimestampMs(existingBlockedUntil, { nowMs: now }) before both Math.max calls, so the updated predicate fixes both reported declaration-build sites. (src/agents/auth-profiles/usage.ts:839, 99ce71ddbbdb)
• Git history provenance: Blame ties the type-predicate change on the helper signature directly to commit 99ce71ddbbdb93627605c01b7b9ac5e7c280afde. (src/shared/number-coercion.ts:108, 99ce71ddbbdb)
• Regression provenance: Commit 30e3ca08a5694ae72f442011635770aeca3d78af replaced the explicit numeric guard in markAuthProfileBlockedUntil with isFutureDateTimestampMs, matching the PR's root-cause description. (src/agents/auth-profiles/usage.ts:839, 30e3ca08a569)
• Current-main-only release check: git tag --contains returned no tags for the fix SHA, while git branch --contains shows main, so the fix is on current main but not in a tagged release. (99ce71ddbbdb)
• Latest release baseline: The latest release tag inspected, v2026.5.27, points at 27ae826f65256c7fbd1d78475fca87b674a53e7b, before the current-main fix. (27ae826f6525)

Likely related people:

• steipete: Peter Steinberger authored the commit that changed the auth-profile blocked-expiry guard and the later current-main commit that made the shared timestamp helper a type predicate. (role: introduced behavior and current-main fix author; confidence: high; commits: 30e3ca08a569, 99ce71ddbbdb; files: src/agents/auth-profiles/usage.ts, src/shared/number-coercion.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 471164afbd88; fix evidence: commit 99ce71ddbbdb, main fix timestamp 2026-05-30T19:48:52+01:00.

[clawsweeper]

ClawSweeper applied the proposed close for this PR.

• Action: closed this PR.
• Close reason: already implemented on main.
• Evidence: durable ClawSweeper review.