fix(ci): scope PR merge diff checks to first parent

[hxy91819]

Summary

• Fix PR diff-scope checks that mixed stale pull_request.base.sha values with GitHub synthetic merge commits.
• Add explicit PR merge-head first-parent mode for CI changed-scope, changed-lanes, and OpenGrep PR diff scans.
• Add synthetic merge regression coverage for stale-base false positives.

Verification

• node scripts/run-vitest.mjs src/scripts/ci-changed-scope.test.ts test/scripts/changed-lanes.test.ts test/scripts/run-opengrep.test.ts
• node scripts/run-vitest.mjs src/scripts/ci-changed-scope.test.ts test/scripts/changed-lanes.test.ts test/scripts/run-opengrep.test.ts test/scripts/ci-workflow-guards.test.ts
• node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.core.json src/scripts/ci-changed-scope.test.ts test/scripts/ci-workflow-guards.test.ts test/scripts/changed-lanes.test.ts test/scripts/run-opengrep.test.ts scripts/ci-changed-scope.mjs scripts/changed-lanes.mjs
• pnpm lint --threads=8
• git diff --check
• bash -n scripts/run-opengrep.sh
• .agents/skills/autoreview/scripts/autoreview --mode local -> clean, no accepted/actionable findings before initial push and after CI-fix follow-up

Real behavior proof

Behavior addressed: PR diff-scoped CI checks could include files from base-branch movement when a stale PR payload base SHA was compared against GitHub's synthetic PR merge commit.

Real environment tested: Local repo plus live GitHub refs for #89456 (refs/pull/89456/merge and refs/pull/89456/head).

Exact steps or command run after this patch: Fetched #89456 PR refs, compared git diff --name-only <payload-base> refs/pull/89456/merge with listChangedPaths(<payload-base>, <merge-ref>, cwd, true), and compared the fixed result to <payload-base>...refs/pull/89456/head.

Evidence after fix: Old diff returned 399 paths including src/infra/host-env-security.test.ts; fixed first-parent mode returned 10 paths and exactly matched the real PR head diff.

Observed result after fix: OpenGrep PR diff scope is limited to the actual PR files instead of scanning unrelated main-branch files.

What was not tested: A full end-to-end rerun of #89456 with this patch applied to that PR branch; this PR's own CI is expected to cover the workflow wiring.

[clawsweeper]

Codex review: passed. Reviewed June 4, 2026, 1:23 PM ET / 17:23 UTC.

Summary
This PR adds opt-in first-parent merge-head diff-base handling for CI changed-scope, changed-lanes, and OpenGrep PR scans, plus synthetic merge coverage and small lint/type cleanups.

PR surface: Source +6, Tests +204, Config +1, Other +179. Total +390 across 15 files.

Reproducibility: yes. The synthetic merge tests and PR body live-ref proof show the stale payload-base path can include main-only files, and first-parent mode narrows it to PR-owned paths.

Review metrics: 1 noteworthy metric.

• Diff-scope controls: 1 CLI flag, 1 env flag, 2 fetch-depth increases. These are the maintainer-visible automation controls that change how PR files are selected for CI routing and OpenGrep scans.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P2] Let required exact-head checks finish and confirm CI/security owner acceptance of the first-parent scan-scope contract.

Risk before merge

• [P1] The PR deliberately narrows PR CI/OpenGrep path selection to GitHub synthetic merge-head first-parent semantics; if that parent shape or fetch depth is wrong, automation could under-scope scans.

Maintainer options:

1. Accept the first-parent contract after checks (recommended)
   Proceed once required exact-head checks finish and CI/security owners are comfortable that GitHub PR merge commits expose the base as first parent.
2. Add a fail-closed parent guard
   Before merge, add a guard that detects an unexpected parent shape and falls back to the broader diff or emits an explicit diagnostic.
3. Pause if scans should remain broad
   If security owners prefer stale-base broad scans over attribution-scoped scans, pause this PR and choose a different PR-diff attribution mechanism.

Next step before merge

• [P2] Automerge/manual review should handle the security-sensitive scan-scope decision; there is no narrow code repair from this pass.

Security
Cleared: The security-sensitive automation diff was reviewed; it changes OpenGrep path selection but does not add third-party action refs, broaden permissions, change dependency sources, or expose secrets.

Review details

Best possible solution:

Land the opt-in first-parent diff-base path after exact-head required checks pass and CI/security owners accept GitHub merge-head parent ordering; otherwise add a fail-closed guard or keep the broader scan.

Do we have a high-confidence way to reproduce the issue?

Yes. The synthetic merge tests and PR body live-ref proof show the stale payload-base path can include main-only files, and first-parent mode narrows it to PR-owned paths.

Is this the best way to solve the issue?

Yes, with maintainer acceptance. The PR keeps first-parent behavior opt-in at CI/OpenGrep call sites instead of changing all diff helpers globally, which is the narrowest maintainable fix I found for this automation bug.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 8d65e78a071e.

Label changes

Label justifications:

• P2: This is a normal-priority CI/security-scan accuracy fix with limited user blast radius but real maintainer automation impact.
• merge-risk: 🚨 automation: The diff changes changed-scope, changed-lanes, and OpenGrep PR path selection, so an incorrect merge-head assumption could misroute or under-scope automation.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Sufficient (live_output): The PR body provides concrete after-fix live-ref proof: first-parent mode returned the PR file set instead of the old stale-base 399-path diff.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body provides concrete after-fix live-ref proof: first-parent mode returned the PR file set instead of the old stale-base 399-path diff.

Evidence reviewed

PR surface:

Source +6, Tests +204, Config +1, Other +179. Total +390 across 15 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	2	11	5	+6
Tests	6	212	8	+204
Docs	0	0	0	0
Config	2	5	4	+1
Generated	0	0	0	0
Other	5	191	12	+179
Total	15	419	29	+390

What I checked:

• Repository policy: Root AGENTS.md plus scoped scripts, src/plugins, and test guides were read; the automation/security-sensitive review guidance affected the merge-risk assessment. (AGENTS.md:1, 8d65e78a071e)
• Current main behavior: Current main's changed-scope helper diffs the explicit payload base directly against HEAD, which is the behavior this PR changes for PR merge commits. (scripts/ci-changed-scope.mjs:237, 8d65e78a071e)
• PR implementation: The PR head adds resolveMergeHeadDiffBase(), which switches to the merge commit first parent only when the opt-in flag is set and the head has multiple parents. (scripts/lib/merge-head-diff-base.mjs:6, 40235e8c3dc0)
• OpenGrep wiring: The shell path delegates first-parent resolution to the shared Node helper, addressing the reviewer concern about JS/shell drift. (scripts/run-opengrep.sh:112, 40235e8c3dc0)
• Regression coverage: The PR head includes a synthetic merge test showing stale-base diff output includes main-only files, while first-parent mode returns only the PR file. (src/scripts/ci-changed-scope.test.ts:696, 40235e8c3dc0)
• GitHub merge-parent contract: The live synthetic merge commit for this PR lists the base commit first and PR head second, matching the contract the new opt-in mode relies on. (8346f9fa0244)

Likely related people:

• steipete: Recent path history shows repeated work on CI routing and script surfaces touched by this PR. (role: recent area contributor; confidence: high; commits: e24a9c5457d0, b1117d98622f; files: scripts/ci-changed-scope.mjs, scripts/changed-lanes.mjs, .github/workflows/ci.yml)
• vincentkoc: Recent history shows work on changed-lanes and OpenGrep workflow stabilization adjacent to this diff-scope behavior. (role: recent adjacent contributor; confidence: high; commits: 7b8ec95108e7, 005eeca06f3c; files: scripts/changed-lanes.mjs, scripts/run-opengrep.sh, .github/workflows/opengrep-precise.yml)
• jesse-merhi: The OpenGrep CI workflow history traces the security scan pipeline introduction to this contributor, making them relevant for scan-scope decisions. (role: introduced adjacent security automation; confidence: medium; commits: 6de9d71bfbbf; files: .github/workflows/opengrep-precise.yml, scripts/run-opengrep.sh, security/opengrep/precise.yml)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[byungskers]

I like the narrow opt-in shape here. One maintainability nit: resolveMergeHeadDiffBase() now exists in JS for the Node helpers, while run-opengrep.sh re-implements the same first-parent resolution in shell. The current logic matches, but this feels like one of those places that could drift later. If you keep iterating on this path, I'd consider having the shell script delegate to the shared helper (or at least add a comment that the two implementations need to stay in lockstep).

[hxy91819]

@clawsweeper automerge

[clawsweeper]

🦞✅
ClawSweeper merged this PR after the passing review.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=40235e8c3dc048d5f5676d5f65c02187b73533e8)
Merge status: merged by ClawSweeper automerge
Merged at: 2026-06-04T17:24:04Z
Merge commit: 8b29ff5f1691

What merged:

• This PR adds opt-in first-parent merge-head diff-base handling for CI changed-scope, changed-lanes, and OpenGrep PR scans, plus synthetic merge coverage and small lint/type cleanups.
• PR surface: Source +6, Tests +204, Config +1, Other +179. Total +390 across 15 files.
• Reproducibility: yes. The synthetic merge tests and PR body live-ref proof show the stale payload-base path can include main-only files, and first-parent mode narrows it to PR-owned paths.

Automerge notes:

• PR branch already contained follow-up commit before automerge: fix(ci): update workflow guard expectations
• PR branch already contained follow-up commit before automerge: fix(ci): resolve plugin guardrail lint failures
• PR branch already contained follow-up commit before automerge: fix(ci): preserve plugin run context typing
• PR branch already contained follow-up commit before automerge: fix(ci): scope PR merge diff checks to first parent

The automerge loop is complete.

Automerge progress:

• 2026-06-04 16:38:15 UTC automerge wait 626ad530d8c3 (blocked) in 21m 20s Run: https://github.com/openclaw/clawsweeper/actions/runs/26963660360 GitHub checks failed: check-additional-runtime-topology-architecture:FAILURE

• 2026-06-04 16:38:17 UTC repair finished 626ad530d8c3 (pushed) in 21m 22s Run: https://github.com/openclaw/clawsweeper/actions/runs/26963660360 repair_contributor_branch

• 2026-06-04 16:50:34 UTC review passed 626ad530d8c3 (structured ClawSweeper verdict: pass (sha=626ad530d8c369285cb0d95952364ef907c03...)

• 2026-06-04 16:50:54 UTC repair queued 626ad530d8c3 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/26966316132

• 2026-06-04 16:52:35 UTC repair started (running) in 1s Run: https://github.com/openclaw/clawsweeper/actions/runs/26966316132 automerge-openclaw-openclaw-90287

• 2026-06-04 16:52:54 UTC validation plan (passed) in 19s Run: https://github.com/openclaw/clawsweeper/actions/runs/26966316132 pnpm check:changed; pnpm lint; pnpm check:test-types

• 2026-06-04 16:53:07 UTC Codex write preflight (passed) in 32s Run: https://github.com/openclaw/clawsweeper/actions/runs/26966316132 danger-full-access

• 2026-06-04 17:03:54 UTC Codex edit 1 ba54515b0588 (complete) in 11m 19s Run: https://github.com/openclaw/clawsweeper/actions/runs/26966316132 exit 0

• 2026-06-04 17:12:14 UTC validation and review 1 40235e8c3dc0 (base moved) in 19m 39s Run: https://github.com/openclaw/clawsweeper/actions/runs/26966316132 rebased

• 2026-06-04 17:12:20 UTC repair completed 40235e8c3dc0 (branch updated) in 19m 45s Run: https://github.com/openclaw/clawsweeper/actions/runs/26966316132 initial automerge rebase is delegated to Codex repair

• 2026-06-04 17:12:19 UTC review queued 40235e8c3dc0 (after repair)

• 2026-06-04 17:22:24 UTC automerge wait 40235e8c3dc0 (waiting) in 29m 49s Run: https://github.com/openclaw/clawsweeper/actions/runs/26966316132 waiting for exact-head ClawSweeper review pass

• 2026-06-04 17:15:58 UTC review queued 40235e8c3dc0 (queued)

• 2026-06-04 17:22:25 UTC repair finished 40235e8c3dc0 (pushed) in 29m 50s Run: https://github.com/openclaw/clawsweeper/actions/runs/26966316132 repair_contributor_branch

• 2026-06-04 17:23:46 UTC review passed 40235e8c3dc0 (structured ClawSweeper verdict: pass (sha=40235e8c3dc048d5f5676d5f65c02187b7353...)

• 2026-06-04 17:24:07 UTC merged 40235e8c3dc0 (merged by ClawSweeper automerge)

[hxy91819]

Post-merge verification: CI diff-scope fix working correctly

Checked 15 open PRs after the #90287 merge. Confirmed the three affected CI paths are all using first-parent mode — scope is neither inflated nor under-scoped.

Affected CI paths verified

1. ci-changed-scope.mjs (ci.yml → "Detect changed scopes" step)

Verified --merge-head-first-parent is present in the preflight step for every checked PR. Example from #90503:

BASE="96e5812426050d29236c772351426cdb0dd37c4b"
node scripts/ci-changed-scope.mjs --base "$BASE" --head HEAD --merge-head-first-parent

Confirmed in runs: #90507, #90505, #90503, #90500, #90487.

2. opengrep-precise.yml (Scan changed paths (precise))

Verified OPENCLAW_OPENGREP_MERGE_HEAD_FIRST_PARENT=1 is set in the job env. Example from #90503:

OPENCLAW_OPENGREP_BASE_REF: 96e5812...4b...HEAD
OPENCLAW_OPENGREP_MERGE_HEAD_FIRST_PARENT: 1

Confirmed in runs: #90503, #90505, #90500.

3. changed-lanes.mjs (test shard selection)

Consumes the same --merge-head-first-parent flag via resolveMergeHeadDiffBase. Shard counts below confirm scope is proportional.

Scope sanity — not over- or under-scoped

For 2–6 file PRs, 91 out of 92 node test shards pass (1 skip = checks-node-compat-node22, which is conditional and expected). This means the fix does not under-scope — all relevant lanes still run.

PR	Files	Node shards pass	Node shards skip	Scan changed paths	Opengrep OSS
#90503	2 (sessions/store-load)	91	1	✅ pass	✅ pass
#90501	2 (daemon/inspect)	91	1	✅ pass	✅ pass
#90493	2 (skills/workshop)	91	1	✅ pass	✅ pass
#90489	2 (sessions-access)	91	1	✅ pass	✅ pass
#90487	4 (agents/transport)	91	1	✅ pass	✅ pass
#90507	2 (doctor/codex)	91	1	✅ pass	✅ pass
#90505	4 (agents/maintenance)	91	1	✅ pass	✅ pass
#90502	2 (daemon/inspect)	91	1	✅ pass	✅ pass

Critical Quality shards are correctly skipped (boundary code not touched). No PR shows the pre-fix symptom of hundreds of files entering the diff scope. All CI failures in open PRs are unrelated to diff-scope (proof checks, lint/type errors, or test flakiness).