fix(workboard): isolate stale lifecycle bulk patches

[BunsDev]

Summary

• Follow-up to Fix Workboard status persistence #89600 after final autoreview found that stale lifecycle suppression mutated the caller-provided Workboard patch object.
• Isolate stale lifecycle normalization through an effectivePatch so bulk updates do not let one stale card strip the status/provenance update for later cards.
• Add a Workboard store regression proving a shared bulk patch remains unchanged and a fresh later card still receives the lifecycle status.
• Carry a small migrate-hermes test-only type narrowing because latest main exposed that unrelated check-test-types failure while refreshing this PR.

Refs #89600
Refs #88592

Verification

• node scripts/run-vitest.mjs ui/src/ui/controllers/workboard.test.ts ui/src/ui/views/workboard.test.ts extensions/workboard/src/store.test.ts extensions/workboard/src/gateway.test.ts --reporter=verbose
• node scripts/run-vitest.mjs --config test/vitest/vitest.ui-e2e.config.ts --configLoader runner ui/src/ui/e2e/workboard-status-persistence.e2e.test.ts ui/src/ui/e2e/workboard.e2e.test.ts --reporter=verbose
• node scripts/run-vitest.mjs extensions/migrate-hermes/secrets.test.ts src/infra/npm-managed-root.test.ts --reporter=verbose
• node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.core.test.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core-test.tsbuildinfo
• node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.extensions.test.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/extensions-test.tsbuildinfo
• git diff --name-only origin/main...HEAD | xargs node scripts/run-oxlint.mjs
• git diff --check origin/main...HEAD
• .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main --no-web-search

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 3, 2026, 8:35 PM ET / 00:35 UTC.

Summary
The branch isolates WorkboardStore stale lifecycle normalization through an effective patch, adds a bulk-update regression, and updates migrate-hermes auth-profile test expectations.

PR surface: Source +14, Tests +43. Total +57 across 4 files.

Reproducibility: yes. source-reproducible: current main reuses one bulk patch object across card ids while updateCard mutates that object for stale lifecycle writes. I did not execute the failing test path in this read-only review.

Review metrics: none identified.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P2] Confirm the listed Workboard, migrate-hermes, tsgo, oxlint, and autoreview checks on head 5ee8b3d before merge.

Risk before merge

• [P1] The protected maintainer label means merge or closure should remain an explicit maintainer decision.
• [P1] This read-only review did not execute the listed Vitest, UI E2E, tsgo, oxlint, or autoreview commands; final merge readiness should rely on CI or maintainer-run validation for head 5ee8b3d.

Maintainer options:

1. Decide the mitigation before merge
   Merge the focused patch after maintainer review confirms current-head validation, keeping lifecycle status precedence in WorkboardStore and migrate-hermes assertions aligned with the current auth-profile shape.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

• [P2] Manual review is the right lane because the PR has a protected maintainer label and no narrow ClawSweeper repair finding remains.

Security
Cleared: The diff only changes Workboard store logic and tests, with no new dependency, workflow, secret, install, or code-execution surface.

Review details

Best possible solution:

Merge the focused patch after maintainer review confirms current-head validation, keeping lifecycle status precedence in WorkboardStore and migrate-hermes assertions aligned with the current auth-profile shape.

Do we have a high-confidence way to reproduce the issue?

Yes, source-reproducible: current main reuses one bulk patch object across card ids while updateCard mutates that object for stale lifecycle writes. I did not execute the failing test path in this read-only review.

Is this the best way to solve the issue?

Yes, this is the narrow owner-boundary fix: local effectivePatch normalization prevents updateCard from mutating caller-owned input for both bulk reuse and direct callers, without adding a second API path.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 58f7d7e5f8ff.

Label changes

Label justifications:

• P2: This is a normal-priority Workboard state persistence bugfix with focused plugin/test blast radius.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🦞 diamond lobster.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: The PR is maintainer-associated with a protected maintainer label, so the external contributor real-behavior-proof gate does not apply; the body records maintainer validation commands instead.

Evidence reviewed

PR surface:

Source +14, Tests +43. Total +57 across 4 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	48	34	+14
Tests	3	46	3	+43
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	4	94	37	+57

What I checked:

• Repository policy read: Root AGENTS.md was read fully, and scoped guides for extensions, UI, and tests were checked before reviewing the PR surface. (AGENTS.md:1, 58f7d7e5f8ff)
• Protected maintainer state: The provided live GitHub context marks the PR author association as MEMBER and includes the protected maintainer label, so this cleanup review should not close it automatically.
• Current main bug path: On current main, bulkUpdate normalizes one patch object and passes that same object to update for every id, making mutation inside updateCard observable across later cards. (extensions/workboard/src/store.ts:4198, 58f7d7e5f8ff)
• Current main mutation: The stale lifecycle branch on current main mutates patch.status and patch.metadata in place before returning or applying the update. (extensions/workboard/src/store.ts:2649, 58f7d7e5f8ff)
• PR repair shape: The PR head introduces effectivePatch and routes subsequent normalization, metadata, automation, status-hold, and timestamp handling through that local value instead of mutating the caller patch. (extensions/workboard/src/store.ts:2643, 5ee8b3dd5f4a)
• Regression coverage: The new test covers a stale first target and fresh later target sharing one bulk patch, and also asserts the original patch object remains unchanged. (extensions/workboard/src/store.test.ts:424, 5ee8b3dd5f4a)

Likely related people:

• BunsDev: Authored the merged Workboard lifecycle status persistence work that introduced the stale lifecycle precedence path this PR repairs, and also authored this follow-up branch. (role: recent area contributor; confidence: high; commits: e07dbb27d91f, 175ce70cf7be; files: extensions/workboard/src/store.ts, extensions/workboard/src/store.test.ts, ui/src/ui/controllers/workboard.ts)
• steipete: The current bulkUpdate implementation that reuses a normalized patch object traces to the grafted baseline commit in the reviewed history. (role: adjacent owner; confidence: medium; commits: 381c5e0762d1; files: extensions/workboard/src/store.ts)
• vincentkoc: Recent current-main commits changed migrate-hermes auth-profile storage expectations in the same tests touched by this PR's test-only narrowing. (role: recent adjacent test contributor; confidence: high; commits: 96136e6d7147, 6d84fb35c7a5; files: extensions/migrate-hermes/secrets.test.ts, extensions/migrate-hermes/files-and-skills.test.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[Copilot]

Pull request overview

This PR fixes a regression in the Workboard extension store where stale lifecycle-status suppression mutated the caller-provided patch object during updateCard, causing subsequent cards in a bulkUpdate to lose their intended status/provenance updates. The change introduces an effectivePatch derived from the original patch when stale lifecycle writes must be ignored, ensuring bulk updates remain isolated per-card without side effects.

Changes:

• Prevents updateCard from mutating the input patch by applying stale-lifecycle normalization to a derived effectivePatch.
• Ensures stale lifecycle status writes can be dropped while still allowing other (non-status) fields to apply.
• Adds a regression test proving a shared bulk patch remains unchanged and later cards still receive the lifecycle status/provenance update.

Best-fix verdict: best (fixes the root cause—unexpected mutation of an input object—at the point of mutation).
Alternatives considered:

• Clone the patch inside bulkUpdate for each id (would avoid the symptom but leaves updateCard impure and vulnerable to other call sites).
• Freeze patches defensively (would turn the bug into runtime errors rather than preventing it).
  Code read: extensions/workboard/src/store.ts (updateCard, bulkUpdate, stale-lifecycle helpers), extensions/workboard/src/store.test.ts (new regression coverage).
  Remaining uncertainty: None material from the reviewed diff/context; the change is localized and covered by a targeted regression test.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
extensions/workboard/src/store.ts	Introduces effectivePatch to avoid mutating caller patches while suppressing stale lifecycle status writes (fixes bulk update isolation).
extensions/workboard/src/store.test.ts	Adds regression test ensuring stale handling in bulkUpdate doesn’t strip later card updates and doesn’t mutate the shared patch object.