Skip to content

feat: add guarded FakeCo AWS owner#48

Merged
steipete merged 15 commits into
mainfrom
feat/fakeco-aws-owner
Jul 11, 2026
Merged

feat: add guarded FakeCo AWS owner#48
steipete merged 15 commits into
mainfrom
feat/fakeco-aws-owner

Conversation

@steipete

@steipete steipete commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Summary

  • add a guarded FakeCo-only CloudFormation owner for one private ARM64 ClickClack VM in the dedicated member account
  • reuse an explicitly supplied, account-owned VPC, private subnet, and active egress path; allow TCP 8080 only from approved source security groups
  • add protected manual plan/apply/verify/teardown operations with exact account, live template/resource inventory, network, AMI, storage, security-group, and workload-IAM replay
  • add deterministic SSM bootstrap, seed equality, health/readiness, metadata-only metrics, runtime identity, SQLite backup/integrity, rollback-safe restore, and retained-data teardown proof
  • document account prerequisites, Environment inputs, costs, durations, canary handoff, failure recovery, and disposal boundaries

Production Cloudflare Worker, Container, Postgres, R2, domains, release, and version paths are unchanged.

Safety boundary

  • plan is the default and never executes its change set
  • apply rejects resource removals and actual or conditional replacement
  • no public IP, SSH key, port 22 rule, VPC, subnet, route table, NAT gateway, load balancer, or DNS resource is created
  • VPC, subnet, ingress sources, transit gateway, and every distinct NAT-managed ENI must belong to the dedicated account
  • the instance role is inline-policy-only, permissions-boundary constrained, and limited to SSM plus exact artifact/log/backup/KMS destinations
  • verify and teardown match the current CloudFormation template and logical-resource inventory, accept stable rollback-complete recovery, and fail closed on extra block devices or live instance, volume, security-group, IAM, release, and runtime-image drift
  • teardown refreshes stack and instance evidence immediately before retention, takes a fresh hot backup and encrypted snapshot, retains the root volume and versioned manifest, and contains no implicit data-delete path
  • every existing verified runtime gets a health-checked, integrity-checked, create-only S3 backup before update source, configuration, or image work; ambiguous state and objects larger than the documented 5,000,000,000-byte small-instance limit fail closed
  • restore uses one evidence file, a bounded health/readiness wait, and an error trap that restores and re-probes the prior database or leaves the app stopped
  • workflow inputs contain identifiers only; no GitHub or application secret values are added

Validation

Exact candidate: 64bb8c90fb020e1b1d39451cc0ac6890caf9fd6d / tree be57df2c625e9f43859a93e323513504f99a5559.

Diff: 12 files, 5,349 insertions, 24 deletions; SHA-256 287f4e2f54cce70af002ca52b0209b612e8e99e67e5ca407c71a560a0b3fa23b. Source archive SHA-256: 8537e6315ceddfb69fde9f6e61c45b1c9f32f8b8e5e2d5bfe959bb4d605c7f7d.

  • pnpm check
  • pnpm docs:site
  • pnpm coverage — 86.5%
  • pnpm test:e2e — 46 passed
  • pnpm test:fakeco-aws — 30 passed, including stack/template/resource, rollback, extra-volume, pre-update backup, runtime, cleanup, and restore mutations
  • actionlint .github/workflows/fakeco-aws.yml
  • shellcheck deploy/fakeco/aws/bootstrap.sh plus Bash syntax and ShellCheck proof for the extracted restore block
  • uvx --from cfn-lint cfn-lint deploy/fakeco/aws/template.json
  • exact-head Docker buildx linux/arm64 and linux/amd64 builds, cache-only with no registry output
  • source-blind operator behavior validation — contract satisfied at confidence 0.98; deterministic private plan, credential non-persistence, wrong-region, duplicate-ingress, and overlapping-destination mutations covered
  • canonical autoreview — cumulative branch findings repaired; exact final patch clean with no accepted/actionable findings at confidence 0.91

Review repairs

  • install the versioned official AWS CLI ARM64 archive after checksum verification instead of relying on an unavailable Noble package
  • accept reserved CloudFormation aws: tags while rejecting every unexpected customer-owned tag
  • scope remote script listing to the artifact owner prefix and bound SSM execution
  • make teardown rollback-safe when a failed update leaves the prior verified release serving
  • bind restore to observed runtime evidence and roll back or stop on readiness failure
  • match the live template and logical-resource set before destructive workflow stages
  • reject every unexpected attached volume and refresh instance evidence immediately before snapshot/deletion
  • permit guarded recovery from UPDATE_ROLLBACK_COMPLETE
  • require dedicated-account ownership for the supplied network, including deduplicated NAT ENI ownership checks
  • back up and verify the currently serving SQLite database before every update or same-commit retry, refuse overwrite collisions, and retain the local backup whenever the durable handoff fails

Public Model Identifier Gate: PASS. The exact diff, source archive, tests, workflow, generated docs, cache-only build logs, and public PR proof contain zero blocking unknown identifiers. The canary uses the public ClawRouter model-ref syntax and documented example from official OpenClaw ClawRouter documentation.

Live-proof waiver and residual risk

No AWS resource, GitHub Environment, secret, account, workflow dispatch, release, version, tag, or registry artifact was created while preparing or validating this PR. Authenticated member-account apply/verify/backup/restore/teardown proof remains unavailable because the service identity and protected Environment are not active.

After that exact gate was reported, the repository owner explicitly directed “land it” on 2026-07-11. This waives only the pre-merge live AWS lifecycle proof for this PR; it does not authorize a deployment or any account, Environment, secret, or resource creation. The manual workflow remains protected and must not be dispatched until the documented account foundation and permissions are independently available.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5618111f8e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread deploy/fakeco/aws/bootstrap.sh Outdated
@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. merge-risk: 🚨 automation 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation. labels Jul 10, 2026
@clawsweeper

clawsweeper Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Codex review: needs maintainer review before merge. Reviewed July 11, 2026, 5:10 PM ET / 21:10 UTC.

Summary
Adds a protected manual FakeCo AWS owner for one private ARM64 VM, with CloudFormation and SSM lifecycle operations, backup and restore safeguards, focused tests, CI coverage, and operator documentation.

Reproducibility: not applicable. This PR introduces a new guarded deployment-owner capability rather than reporting broken current-main behavior.

Review metrics: 3 noteworthy metrics.

  • Infrastructure surface: 12 files; 5,349 added, 24 removed. The PR adds a substantial cloud-owner, IAM, workflow, and persistent-state lifecycle surface.
  • Resolved review threads: 6 resolved. The branch repaired concrete AWS installation, IAM, timeout, teardown, restore, and backup-ordering defects across repeated review cycles.
  • Focused AWS coverage: 30 tests reported passing. The dedicated suite covers stack ownership, rollback, extra volumes, update backup ordering, runtime verification, cleanup, and restore mutations.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🦐 gold shrimp
Patch quality: 🦞 diamond lobster
Result: needs maintainer review before merge.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Merge only the reviewed exact head and preserve the waiver's no-dispatch boundary until account readiness is independently confirmed.

Risk before merge

  • [P1] The first authenticated member-account lifecycle remains unobserved, so real IAM, permissions-boundary, KMS, S3, CloudFormation, SSM, network, backup, restore, and teardown behavior could still expose account-specific incompatibilities.
  • [P1] Merging establishes a new owner for an existing FakeCo VM and SQLite lifecycle; operators must not dispatch it until the documented account foundation and protected Environment are independently ready.

Maintainer options:

  1. Land under the scoped waiver (recommended)
    Merge the exact head while leaving the protected workflow undispatched until the documented account prerequisites and permissions are independently verified.
  2. Hold for authenticated lifecycle proof
    Pause merge until a redacted real-account plan, apply, verify, backup, restore, and retained-data teardown run confirms the account-specific assumptions.

Next step before merge

  • No automated repair remains: the exact head is clean, all checks pass, and the remaining account-specific uncertainty is covered by the recorded scoped waiver for normal maintainer merge.

Security
Cleared: No concrete security or supply-chain defect remains in the exact diff; the residual unobserved cloud-boundary risk is explicitly scoped and accepted rather than silently assumed.

Review details

Best possible solution:

Merge the exact guarded implementation under the recorded scoped waiver, keep the workflow manual and protected, and enable it only after independently verifying the dedicated account foundation, roles, network, buckets, KMS key, and Environment controls.

Do we have a high-confidence way to reproduce the issue?

Not applicable. This PR introduces a new guarded deployment-owner capability rather than reporting broken current-main behavior.

Is this the best way to solve the issue?

Yes. A protected manual workflow with exact ownership checks, create-only durable backups, rollback-safe restore, and retained-data teardown is a narrow maintainable owner for this single VM; the exact head also fixes the previously identified upgrade-ordering defect.

AGENTS.md: found, but no applicable review policy affected this item.

Codex review notes: model internal, reasoning high; reviewed against f441a9c6e05b.

Label changes

Label justifications:

  • P2: The feature is isolated to non-production FakeCo infrastructure, but it controls cloud resources and persistent SQLite lifecycle behavior.
  • merge-risk: 🚨 compatibility: Apply and teardown can alter an existing FakeCo stack, image, configuration, IAM resources, and account-specific infrastructure assumptions.
  • merge-risk: 🚨 session-state: The workflow backs up, migrates, restores, snapshots, and retains the live SQLite database, making lifecycle ordering and recovery merge-critical.
  • rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🦐 gold shrimp and patch quality is 🦞 diamond lobster.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Override: Authenticated AWS lifecycle proof is unavailable, but the discussion records an explicit item-specific pre-merge waiver after disclosure; it permits landing only and does not authorize deployment or workflow dispatch.
Evidence reviewed

What I checked:

  • Prior P1 repaired at exact head: The final commit adds a verified pre-update backup path and invokes it before runtime installation, configuration changes, or starting the requested image; focused tests assert the ordering and failure behavior. (deploy/fakeco/aws/bootstrap.sh:653, 64bb8c90fb02)
  • Review threads resolved: All six inline review threads are resolved, covering AWS CLI installation, S3 listing permission, SSM execution timeout, rollback-safe teardown, restore image selection, and pre-update backup ordering. (deploy/fakeco/aws/bootstrap.sh:653, 64bb8c90fb02)
  • Exact-head checks pass: GitHub reports successful Go, TypeScript, Playwright E2E, Docker Image, Linux Desktop, macOS Desktop, and Windows Desktop checks with a clean merge state. (.github/workflows/ci.yml:110, 64bb8c90fb02)
  • Scoped proof waiver recorded: The discussion explicitly accepts the remaining unobserved AWS authorization and lifecycle risk for landing this guarded implementation, while withholding authorization for workflow dispatch, deployment, secrets, releases, or resource creation. (64bb8c90fb02)
  • Feature ownership provenance: The existing FakeCo staging surface dates to commit 54dba16 by Peter Steinberger, who is also the dominant contributor to the current FakeCo deployment area. (docs/fakeco.md:1, 54dba16c27c1)
  • Repository remained clean: Read-only inspection left the checkout byte-for-byte clean on current main. (f441a9c6e05b)

Likely related people:

  • steipete: Peter Steinberger introduced the merged FakeCo staging surface and owns most history under deploy/fakeco and docs/fakeco.md, making him the strongest routing candidate for this AWS extension and its scoped risk acceptance. (role: introduced behavior and feature owner; confidence: high; commits: 54dba16c27c1, 591e85bc499b; files: deploy/fakeco, docs/fakeco.md)
  • Shakker: Shakker recently changed docs/fakeco.md and is relevant for adjacent FakeCo behavior, though the history does not indicate primary ownership of the AWS owner. (role: recent adjacent contributor; confidence: medium; commits: 275601ba541a; files: docs/fakeco.md)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
Review history (8 earlier review cycles)
  • reviewed 2026-07-10T18:42:15.246Z sha 5618111 :: needs real behavior proof before merge. :: [P3] Remove the release-owned changelog entry
  • reviewed 2026-07-10T19:24:49.189Z sha e36ef7c :: needs real behavior proof before merge. :: [P1] Grant bucket listing for the SSM remote script
  • reviewed 2026-07-10T19:48:02.634Z sha 1c222e9 :: needs real behavior proof before merge. :: [P2] Bound the started SSM command to the workflow deadline
  • reviewed 2026-07-10T20:42:47.318Z sha 61f4535 :: needs real behavior proof before merge. :: none
  • reviewed 2026-07-10T21:32:36.569Z sha dccbeb8 :: needs real behavior proof before merge. :: none
  • reviewed 2026-07-11T20:29:18.960Z sha c303256 :: needs real behavior proof before merge. :: [P3] Remove the release-owned changelog entry
  • reviewed 2026-07-11T20:34:36.799Z sha c303256 :: needs changes before merge. :: [P3] Remove the release-owned changelog entry
  • reviewed 2026-07-11T20:44:53.474Z sha 184e6d7 :: needs changes before merge. :: [P1] Back up the live database before starting updated code

@steipete

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

@codex review

@clawsweeper

clawsweeper Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e36ef7cacb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread deploy/fakeco/aws/template.json
@steipete

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

@codex review

@clawsweeper

clawsweeper Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1c222e934c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/fakeco-aws.yml
@steipete

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

@codex review

@clawsweeper

clawsweeper Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 61f4535f84

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread deploy/fakeco/aws/bootstrap.sh Outdated
Comment thread deploy/fakeco/aws/README.md Outdated
@steipete

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

Please review exact head dccbeb8aa31926fd6e93e0360017dbb5f8ca1ab2.

The latest repairs make teardown backup the independently verified running release after a failed stack update, preserve failed-update artifacts until retained snapshot proof, and make manual restore fail closed on one evidence document before stopping the app. Local exact-head tests, dual-architecture cache-only builds, source-blind behavior validation, canonical autoreview, and the public identifier audit are clean. Hosted CI is in progress.

Authenticated FakeCo member-account lifecycle proof remains unavailable, so this PR must stay unmerged after public/non-cloud proof completes.

@clawsweeper

clawsweeper Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@steipete

Copy link
Copy Markdown
Contributor Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Keep them coming!

Reviewed commit: dccbeb8aa3

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@steipete steipete force-pushed the feat/fakeco-aws-owner branch from dccbeb8 to c303256 Compare July 11, 2026 20:24
@steipete

Copy link
Copy Markdown
Contributor Author

@codex review

@steipete

Copy link
Copy Markdown
Contributor Author

Feature-owner decision for exact head c30325663da7ff1c2ad1d89be0db5dc1316e594c: I grant the item-specific pre-merge live-proof waiver for PR #48 and accept the remaining unobserved FakeCo AWS authorization and lifecycle risk identified in the review.

This waiver applies only to landing this guarded, non-production owner implementation. It does not authorize a workflow dispatch, deployment, AWS or GitHub Environment resource creation, secret change, release, version, tag, or registry publication. The manual workflow remains protected and must not run until the documented account foundation is independently ready.

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jul 11, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c30325663d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread deploy/fakeco/aws/bootstrap.sh
@clawsweeper clawsweeper Bot added rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. merge-risk: 🚨 session-state 🚨 Merging this PR could lose, corrupt, stale, or mis-associate session or agent state. and removed status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. merge-risk: 🚨 automation 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. labels Jul 11, 2026
@steipete

Copy link
Copy Markdown
Contributor Author

Exact-head follow-up: 64bb8c90fb020e1b1d39451cc0ac6890caf9fd6d (tree be57df2c625e9f43859a93e323513504f99a5559).

This head addresses the update-recovery finding by durably backing up and verifying every existing serving runtime before source, configuration, or image startup work. It also removes overwrite races with create-only database/evidence objects and documents the small-instance single-object bound. The focused ordering/failure test and full exact-head suite pass.

Evidence: pnpm check; 30/30 FakeCo AWS owner tests; docs; 86.5% Go coverage; 46/46 E2E; actionlint; ShellCheck; cfn-lint; cache-only ARM64 and AMD64 builds; source-blind behavior contract satisfied at 0.98; canonical autoreview clean at 0.91. Public Model Identifier Gate: PASS against the official OpenClaw ClawRouter provider documentation.

The repository owner's item-specific instruction to land this PR continues to waive only unavailable authenticated FakeCo AWS lifecycle proof for this final candidate. It does not authorize deployment, workflow dispatch, GitHub Environment or secret changes, AWS resource creation, releases, versions, tags, or registry publication; none occurred during this repair.

@clawsweeper re-review

@codex review

@clawsweeper

clawsweeper Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Hooray!

Reviewed commit: 64bb8c90fb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@steipete

Copy link
Copy Markdown
Contributor Author

Landing proof for exact head 64bb8c90fb020e1b1d39451cc0ac6890caf9fd6d:

  • base: f441a9c6e05b871e3a8cf7de810d23cc1292ecae
  • tree: be57df2c625e9f43859a93e323513504f99a5559
  • diff: 12 files, 5,349 insertions, 24 deletions; SHA-256 287f4e2f54cce70af002ca52b0209b612e8e99e67e5ca407c71a560a0b3fa23b
  • source archive SHA-256: 8537e6315ceddfb69fde9f6e61c45b1c9f32f8b8e5e2d5bfe959bb4d605c7f7d
  • local proof: full check; docs; 86.5% coverage; 46 E2E cases; 30 FakeCo AWS owner cases; workflow, shell, restore-block, and CloudFormation lint; cache-only ARM64 and AMD64 builds; source-blind behavior validation at 0.98; canonical autoreview clean at 0.91
  • hosted CI: CI and desktop, all seven jobs successful
  • hosted review: Codex exact-head review found no major issues; all six review threads are resolved
  • ClawSweeper exact-head review and run completed successfully with no automated repair remaining and recommend landing under the scoped waiver
  • Public Model Identifier Gate: PASS against the official OpenClaw ClawRouter provider documentation

Residual risk remains the unobserved authenticated member-account lifecycle. The repository owner's recorded item-specific landing instruction accepts that risk for this guarded non-production owner only. It does not authorize workflow dispatch, deployment, AWS or GitHub Environment resource creation, secret changes, release, version, tag, or registry publication; none occurred.

@steipete steipete merged commit afcf67c into main Jul 11, 2026
7 checks passed
@steipete steipete deleted the feat/fakeco-aws-owner branch July 11, 2026 21:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. merge-risk: 🚨 session-state 🚨 Merging this PR could lose, corrupt, stale, or mis-associate session or agent state. P2 Normal priority bug or improvement with limited blast radius. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant