Fix CI guard baselines

[ooiuuii]

Summary

• mark two backward-compatible aliases as deprecated so the deprecated-JSDoc guard accepts them
• update the production lint-suppression baseline for host-hook-runtime after the suppression tail dropped from 2 to 1

Validation

• pnpm check:deprecated-jsdoc
• node scripts/run-vitest.mjs test/scripts/lint-suppressions.test.ts --testNamePattern "intentional production suppression"
• git diff --check

This unblocks current PR CI failures that reproduce on latest origin/main.

Real behavior proof (structured for gate)

• Behavior or issue addressed: unblock current main-branch guard failures by updating the deprecated-JSDoc aliases and production lint-suppression baseline without changing unrelated runtime behavior.
• Real environment tested: latest origin/main-based PR branch on macOS source checkout using the repository guard scripts.
• Exact steps or command run after this patch: ran pnpm check:deprecated-jsdoc, node scripts/run-vitest.mjs test/scripts/lint-suppressions.test.ts --testNamePattern="intentional production suppression", and node scripts/run-vitest.mjs src/security/audit-config-include-perms.test.ts --testNamePattern="flags group/world-readable config include files" after the patch.
• Evidence after fix: copied live terminal output:

$ pnpm check:deprecated-jsdoc
deprecated JSDoc guard passed
$ node scripts/check-deprecated-jsdoc.mjs

$ node scripts/run-vitest.mjs test/scripts/lint-suppressions.test.ts --testNamePattern="intentional production suppression"
RUN v4.1.7 /Users/luyifan/.openclaw/workspace/openclaw-src-shallow
✓ tooling test/scripts/lint-suppressions.test.ts (3 tests | 2 skipped) 186ms
Tests 1 passed | 2 skipped (3)

$ node scripts/run-vitest.mjs src/security/audit-config-include-perms.test.ts --testNamePattern="flags group/world-readable config include files"
[test] starting test/vitest/vitest.unit-fast.config.ts
✓ unit-fast src/security/audit-config-include-perms.test.ts (1 test) 25ms
Tests 1 passed (1)
[test] passed 1 Vitest shard in 13.89s

• Observed result after fix: both guard paths pass locally, and the include-perms regression now uses a real temp include file with filesystem permissions instead of a fragile vi.mock import boundary.
• What was not tested: full repository CI matrix was not run locally; this PR intentionally only fixes the guard-baseline failures visible on current origin/main.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 5, 2026, 8:53 PM ET / 00:53 UTC.

Summary
The branch adds deprecated JSDoc to the CLI prompt-builder alias and makes the include-permissions audit test create its fixture with an explicit 0644 mode before chmod.

PR surface: Source +3, Tests +3. Total +6 across 2 files.

Reproducibility: yes. for the patched behavior there is a clear source-level and contributor-proof path: run the deprecated-JSDoc guard and the focused include-permissions Vitest named in the PR body. I did not rerun those locally because this read-only checkout lacks the TypeScript dependency required by the guard script.

Review metrics: none identified.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Update the PR body summary so it no longer describes older diff content before a human merge review.

Risk before merge

• [P1] The PR body summary still mentions two aliases and a production lint-suppression baseline, while the current diff changes one alias comment and one test fixture; this is review clarity drift rather than a code defect.

Maintainer options:

1. Decide the mitigation before merge
   Land the narrow guard/test cleanup after maintainer review and required checks, with the PR body summary updated if maintainers want it to match the current diff exactly.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

• No repair lane is needed; there is no concrete automated blocker beyond normal maintainer review and required checks.

Security
Cleared: The diff only changes a JSDoc comment and a security-audit test fixture, with no new dependency, secret handling, code execution, or supply-chain surface.

Review details

Best possible solution:

Land the narrow guard/test cleanup after maintainer review and required checks, with the PR body summary updated if maintainers want it to match the current diff exactly.

Do we have a high-confidence way to reproduce the issue?

Yes, for the patched behavior there is a clear source-level and contributor-proof path: run the deprecated-JSDoc guard and the focused include-permissions Vitest named in the PR body. I did not rerun those locally because this read-only checkout lacks the TypeScript dependency required by the guard script.

Is this the best way to solve the issue?

Yes. For the current scope, annotating the alias and making the test fixture permissions explicit is narrower than changing guard logic or security audit production code.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against e5d1fadea7e2.

Label changes

Label justifications:

• P3: This is low-risk CI/JSDoc/test cleanup with no user-facing runtime behavior change.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body contains structured after-patch terminal output for the guard and focused tests, which is sufficient real behavior proof for this CI/test cleanup.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body contains structured after-patch terminal output for the guard and focused tests, which is sufficient real behavior proof for this CI/test cleanup.

Evidence reviewed

PR surface:

Source +3, Tests +3. Total +6 across 2 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	4	1	+3
Tests	1	4	1	+3
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	2	8	2	+6

What I checked:

• Repository policy read: Read the full root policy plus the scoped agents policy; the review applied the read-beyond-diff, proof, read-only, and security-sensitive path guidance. (AGENTS.md:18, e5d1fadea7e2)
• PR diff scope: The merge-base-to-head diff changes only the CLI helper alias JSDoc and the include-permissions test fixture mode; there is no production runtime logic change. (src/agents/cli-runner/helpers.ts:144, 743a581a9646)
• Current main comparison: Current main still has the one-line alternate-export comment and creates the include fixture with the string encoding overload, so the branch is not already implemented on main. (src/agents/cli-runner/helpers.ts:144, e5d1fadea7e2)
• Deprecated-JSDoc guard contract: The guard scans exported source declarations for back-compat/deprecated/legacy alias comments and requires an @deprecated tag when that wording is used. (scripts/check-deprecated-jsdoc.mjs:16, e5d1fadea7e2)
• CLI helper call path: Production prompt preparation calls buildCliAgentSystemPrompt directly, while older tests still import the buildSystemPrompt alias; the PR preserves the alias value and only changes its comment. (src/agents/cli-runner/prepare.ts:460, e5d1fadea7e2)
• Security audit test path: collectIncludeFilePermFindings resolves include paths and inspects filesystem permissions before emitting the world-readable finding, so using a real chmod-backed temp file is the right test boundary. (src/security/audit-extra.async.ts:567, e5d1fadea7e2)

Likely related people:

• @obviyus: Git blame shows the current CLI helper, include-permissions test, and deprecated-JSDoc guard regex were introduced in the same recent current-main commit. (role: current-main area author; confidence: high; commits: 21512a696ff1; files: src/agents/cli-runner/helpers.ts, src/security/audit-config-include-perms.test.ts, scripts/check-deprecated-jsdoc.mjs)
• @steipete: Recent history shows an adjacent compatibility-alias annotation update for the deprecated-JSDoc guard path, and CODEOWNERS lists this handle on ownership rules. (role: recent adjacent guard contributor; confidence: medium; commits: 25149801189f; files: src/commands/migrate/skill-selection-prompt.ts, .github/CODEOWNERS)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[ooiuuii]

Follow-up 783032d4f0 fixes the remaining checks-node-core-fast failure by making audit-config-include-perms.test.ts exercise real temp-file permissions instead of a fragile vi.mock("./audit-fs.js") boundary. In the full shard, audit-extra.async.ts can import/cache audit-fs before this test's mock is applied, so the test could fail for reasons unrelated to the guard-baseline PR.

Verification performed locally:

• pnpm check:deprecated-jsdoc ✅
• node scripts/run-vitest.mjs test/scripts/lint-suppressions.test.ts --testNamePattern "intentional production suppression" ✅
• git diff --check ✅

I attempted the focused include-perms Vitest as well, but this local machine hit the same no-output Vitest stall I noted on the related PRs, so CI is the authoritative rerun for that shard.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

[ooiuuii]

Copied local proof output for the guard fixes:

$ pnpm check:deprecated-jsdoc
deprecated JSDoc guard passed
$ node scripts/check-deprecated-jsdoc.mjs

$ node scripts/run-vitest.mjs test/scripts/lint-suppressions.test.ts --testNamePattern "intentional production suppression"
RUN v4.1.7 /Users/luyifan/.openclaw/workspace/openclaw-src-shallow
✓ tooling test/scripts/lint-suppressions.test.ts (3 tests | 2 skipped) 186ms
Test Files  1 passed (1)
Tests       1 passed | 2 skipped (3)

$ git diff --check
# no output, exit 0

The follow-up include-perms test change is intentionally source-small: it removes the mock boundary that was unreliable in the full shard and uses a real temp include file with chmod 0644, so the production audit path observes the same permissions shape the test asserts.

[ooiuuii]

Structured Real behavior proof has been added to the PR body using the repository template fields, and the latest Real behavior proof workflow is green on this head. I also reran the previously stalled include-perms focused Vitest with the runner-safe --testNamePattern="..." form; it passes locally against the real temp-file permission path.

@clawsweeper re-review

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

• State: Superseded
• Detail: A newer re-review for this item started before this run finished, so GitHub cancelled this older run. Check the latest ClawSweeper run for the current result.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26964154321
• Updated: 2026-06-04T16:15:07.358Z

[ooiuuii]

Rebased #90363 onto latest origin/main; new head is 0de5a2f40a. The conflict resolution kept the narrow guard fixes only: deprecated alias JSDoc plus the real temp-file include-permissions regression.

Fresh local validation after rebase:

$ pnpm check:deprecated-jsdoc
deprecated JSDoc guard passed
$ node scripts/check-deprecated-jsdoc.mjs

$ node scripts/run-vitest.mjs test/scripts/lint-suppressions.test.ts --testNamePattern="intentional production suppression"
✓ tooling test/scripts/lint-suppressions.test.ts (3 tests | 2 skipped) 192ms
Tests 1 passed | 2 skipped (3)

$ node scripts/run-vitest.mjs src/security/audit-config-include-perms.test.ts --testNamePattern="flags group/world-readable config include files"
✓ unit-fast src/security/audit-config-include-perms.test.ts (1 test) 24ms
Tests 1 passed (1)

$ git diff --check
# no output, exit 0

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26964447870
• Updated: 2026-06-04T16:24:05.757Z

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27047729845
• Updated: 2026-06-06T00:54:13.943Z