
feat: expose ClawHub catalog feed lanes #2460 (Draft)

giodl73-repo wants to merge 2 commits into main from user/giodl/clawhub-feeds-root

Conversation

giodl73-repo commented May 31, 2026

Summary

Adds ClawHub-hosted root feed lanes for clients that want a standard feed document instead of bespoke catalog queries.

The new HTTP surface exposes:

  • /api/v1/feeds
  • /api/v1/feeds/all
  • /api/v1/feeds/official
  • /api/v1/feeds/community
  • /api/v1/feeds/reviewed

Each feed emits the shared feed shape used by the OpenClaw and Scout feed work: schemaVersion, feedId, root scope, deterministic entries, sourceRevision, and a SHA-256 attestation hash. The reviewed lane describes its criteria through criteria, aligned with the feed schema language used in the other stacks.

Feed lanes

  • all: all public ClawHub skills and installable plugins.
  • official: entries marked official by ClawHub/OpenClaw metadata.
  • community: public non-official entries.
  • reviewed: public entries matching current ClawHub review criteria.

Not included

  • No tenant feed hosting.
  • No enterprise approval workflow.
  • No package safety guarantee beyond the exposed ClawHub metadata and feed attestation.
  • No change to existing ClawHub search defaults.

Related stack

Validation

  • git diff --check
  • codex review --commit HEAD found and drove fixes for public feed visibility, plugin-family filtering, and skill URLs.
  • codex review --uncommitted after those fixes: no actionable correctness issues.
  • Not run: ClawHub focused tests, because bun is not installed in the WSL environment used for this reconstruction.

Feed PR stack

  1. feat(feeds): add read-only feed discovery openclaw#87824 - read-only feed discovery
  2. feat(feeds): install approved feed entries openclaw#87825 - approved feed installs
  3. feat(policy): add feed catalog conformance openclaw#87826 - feed catalog policy conformance
  4. feat(feeds): add feed lifecycle tooling openclaw#87827 - feed lifecycle tooling
  5. feat(feeds): add native feed search defaults openclaw#88732 - native feed search defaults and policy checks
  6. feat: expose ClawHub catalog feed lanes #2460 - ClawHub root feed lanes

The stack keeps OpenClaw as a feed consumer. ClawHub root feeds are producer infrastructure; enterprise or tenant feeds can be produced elsewhere using the same schema.

RFC draft: https://github.com/giodl73-repo/rfcs/blob/feeds-rfc-draft/rfcs/0004-feeds.md
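As an added illustration of the feed shape the summary describes (this is example code, not code from this PR or from ClawHub/OpenClaw), the following TypeScript builds one root feed lane, orders its entries deterministically, computes the SHA-256 attestation over a canonical body, and verifies it the way a consumer should. The canonicalization rules (sorted keys, entries ordered by id), the entry fields, the `attestation` field name, the lane predicates and the sample catalog are all assumptions of the example.

```typescript
// Added example (not ClawHub/OpenClaw code): builds a root feed document with
// the fields named in the PR description and checks its SHA-256 attestation.
// Assumptions: canonical JSON (sorted keys, entries ordered by id) is the
// attested form; entry field names and the hex `attestation` field are ours.
import { createHash, timingSafeEqual } from "node:crypto";

export type Lane = "all" | "official" | "community" | "reviewed";

export interface FeedEntry {
  id: string;            // assumed stable catalog identifier
  kind: "skill" | "plugin";
  version: string;
  official: boolean;     // "marked official by ClawHub/OpenClaw metadata"
  reviewed: boolean;     // stand-in for "matches current review criteria"
}

export interface FeedDocument {
  schemaVersion: number;
  feedId: string;
  scope: "root";
  sourceRevision: string;
  criteria?: string;
  entries: FeedEntry[];
  attestation?: string;  // lowercase hex SHA-256 of the canonical body
}

// Constructed sample catalog; no real ClawHub data.
export const SAMPLE_ENTRIES: FeedEntry[] = [
  { id: "skill-b", kind: "skill", version: "1.2.0", official: true, reviewed: true },
  { id: "plugin-a", kind: "plugin", version: "0.9.1", official: false, reviewed: true },
  { id: "skill-c", kind: "skill", version: "2.0.0", official: false, reviewed: false },
];

// Lane semantics as the PR body describes them (predicates are assumptions).
const LANE_FILTER: Record<Lane, (e: FeedEntry) => boolean> = {
  all: () => true,
  official: (e) => e.official,
  community: (e) => !e.official,
  reviewed: (e) => e.reviewed,
};

export function filterLane(lane: Lane, entries: FeedEntry[]): FeedEntry[] {
  return entries.filter(LANE_FILTER[lane]);
}

// Deterministic serialization: object keys sorted, undefined values dropped.
function canonicalize(value: unknown): string {
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const keys = Object.keys(obj).filter((k) => obj[k] !== undefined).sort();
    return "{" + keys.map((k) => JSON.stringify(k) + ":" + canonicalize(obj[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

// The hash covers every field except the attestation itself.
export function attestationFor(feed: FeedDocument): string {
  const body: Record<string, unknown> = { ...feed };
  delete body.attestation;
  return createHash("sha256").update(canonicalize(body), "utf8").digest("hex");
}

export function buildFeed(lane: Lane, sourceRevision: string, entries: FeedEntry[]): FeedDocument {
  const ordered = filterLane(lane, entries)
    .slice()
    .sort((a, b) => (a.id < b.id ? -1 : a.id > b.id ? 1 : 0)); // byte order, not locale order
  const feed: FeedDocument = {
    schemaVersion: 1,
    feedId: `clawhub-${lane}`,
    scope: "root",
    sourceRevision,
    entries: ordered,
  };
  if (lane === "reviewed") feed.criteria = "public entries matching current ClawHub review criteria";
  feed.attestation = attestationFor(feed);
  return feed;
}

// Consumer-side check: recompute the hash and compare in constant time.
export function verifyFeed(feed: FeedDocument): boolean {
  if (typeof feed.attestation !== "string" || !/^[0-9a-f]{64}$/.test(feed.attestation)) return false;
  const expected = Buffer.from(attestationFor(feed), "hex");
  const actual = Buffer.from(feed.attestation, "hex");
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}
```

Sorting entries and keys before hashing is what makes the attestation reproducible between producer runs, which is the point of the "deterministic entries" requirement. The hash only lets a consumer detect a feed that was altered after it was produced; as the "Not included" list says, it is not a safety guarantee about the packages themselves.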

vercel Bot commented May 31, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: clawhub | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Jun 3, 2026 10:15pm

clawsweeper Bot commented May 31, 2026

Codex review: needs real behavior proof before merge. Reviewed June 19, 2026, 4:59 PM ET / 20:59 UTC.

Summary
Adds ClawHub-hosted /api/v1/feeds root feed HTTP lanes, a Convex feed query and handlers/tests, route constants, generated schema files, and HTTP API docs.

Reproducibility: yes for the blocking review findings: source inspection shows the PR's feed handler calls a public feed query without applyRateLimit, while current catalog reads consume the read bucket first. The live behavior proof path is not established because the preview returns Vercel 401.

Review metrics: 3 noteworthy metrics.

  • HTTP Surface: 5 GET routes added. The PR creates a new public API family that clients may depend on after merge.
  • Backend Read Cap: up to 15,000 digest rows per feed request. The proposed feed query can read 5,000 skills plus 5,000 rows for each plugin family before filtering.
  • Changed Surface: 10 files, +1053/-2. The change spans Convex routes, handlers, tests, schema route exports, generated package files, and docs.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🧂 unranked krab
Patch quality: 🧂 unranked krab
Result: blocked until real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P1] Make rootFeed internal, apply rate limiting in feedV1Handler, and add focused 429/header tests.
  • [P1] Add the feed endpoints and response schemas to public/api/v1/openapi.json, docs/api.md, and a durable spec note for reviewed-feed semantics.
  • Post redacted live endpoint proof, such as curl output or a terminal screenshot for /api/v1/feeds and one feed lane; redact private endpoints, tokens, IPs, and other sensitive details, then update the PR body so ClawSweeper can re-review or ask a maintainer to comment @clawsweeper re-review.

Proof guidance:

  • [P1] Needs real behavior proof before merge: Missing: the PR body lists checks and a Vercel deployment, but no accessible redacted curl output, terminal screenshot, copied live output, or logs show the feed routes returning real JSON; the preview endpoints returned Vercel 401. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

  • [P1] Unauthenticated callers could repeatedly trigger up to 15,000 digest-row reads per feed request without consuming the documented public read quota.
  • [P1] The reviewed lane, criteria text, and attestation hash create a public trust signal before the review criteria and approval path are durable.
  • [P1] Client discovery and validation would be split because the new public routes are not present in public/api/v1/openapi.json or the public docs/api.md endpoint overview.
  • [P1] The contributor has not posted accessible redacted live output showing /api/v1/feeds and at least one feed lane returning JSON; the posted preview currently returns Vercel 401.

Maintainer options:

  1. Gate And Specify Feed Reads (recommended)
    Make the feed data function internal, apply the existing read or export limiter with 429/header tests, and publish complete OpenAPI/docs/spec coverage before exposing the routes.
  2. Approve Reviewed-Feed Semantics
    Maintainers may intentionally accept the reviewed-lane criteria and attestation semantics, but that approval should be visible and durable before clients depend on it.
  3. Pause The Feed Stack
    If the OpenClaw feed consumer stack or RFC direction is not ready, keep this draft paused or close it until the producer contract is settled.

Next step before merge

  • [P1] Manual review is needed because the remaining blockers include contributor proof and maintainer product/security approval of the public feed trust contract, not only mechanical edits.

Security
Needs attention: The diff needs security attention because it bypasses the current public read quota for large feed reads and creates reviewed-feed trust semantics.

Review findings

  • [P1] Keep root feed reads behind rate limiting — convex/feeds.ts:59
  • [P2] Add the feed routes to the public API contract — docs/http-api.md:139

Review details

Best possible solution:

Land this only after the feed data path is internal and rate-limited, OpenAPI/docs/spec coverage is complete, reviewed-feed semantics are explicitly approved, and redacted live endpoint proof is posted.

Do we have a high-confidence way to reproduce the issue?

Yes for the blocking review findings: source inspection shows the PR's feed handler calls a public feed query without applyRateLimit, while current catalog reads consume the read bucket first. The live behavior proof path is not established because the preview returns Vercel 401.

Is this the best way to solve the issue?

No. The feature direction may be useful, but the patch should keep large feed reads internal and rate-limited, update public API contracts, and settle reviewed-lane trust semantics before merge.

Full review comments:

  • [P1] Keep root feed reads behind rate limiting — convex/feeds.ts:59
    This registers rootFeed as a public Convex query while the new HTTP feed handler calls it without applyRateLimit. Callers can drive large catalog digest reads outside the documented public read quota; make the data function internal and apply the existing limiter before running it.
    Confidence: 0.9
  • [P2] Add the feed routes to the public API contract — docs/http-api.md:139
    The PR documents and exposes new public v1 feed routes here, but the committed OpenAPI spec and docs/api.md endpoint index still omit them. Clients using /api/v1/openapi.json or the API overview will not discover or validate this API family, so add the feed paths and schemas before publishing the routes.
    Confidence: 0.82

Overall correctness: patch is incorrect
Overall confidence: 0.9

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 7accfb71c771.

Label changes

Label justifications:

  • P2: This is a normal-priority feature PR with bounded but meaningful public API, operational, and trust-contract risk.
  • merge-risk: 🚨 availability: The diff can expose large unauthenticated catalog feed reads without the existing public read quota.
  • merge-risk: 🚨 security-boundary: The reviewed feed lane and attestation affect how clients interpret ClawHub catalog trust metadata.
  • rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🧂 unranked krab and patch quality is 🧂 unranked krab.
  • status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: Missing: the PR body lists checks and a Vercel deployment, but no accessible redacted curl output, terminal screenshot, copied live output, or logs show the feed routes returning real JSON; the preview endpoints returned Vercel 401. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Evidence reviewed

Security concerns:

  • [medium] Unauthenticated feed reads bypass rate limits — convex/httpApiV1/feedsV1.ts:405
    The HTTP feed handler calls the feed query without the existing rate-limit helper, and the feed query is public, so high-volume callers can trigger large catalog digest reads outside the documented public API quota.
    Confidence: 0.9
  • [low] Reviewed lane creates a public trust signal — convex/httpApiV1/feedsV1.ts:31
    The reviewed feed definition and attestation can be interpreted by clients as ClawHub approval, but the durable criteria and approval path are not established in the patch.
    Confidence: 0.72

What I checked:

  • Live PR state and proof context: The PR is draft at head 02d1120 with 10 changed files and +1053/-2; its body lists static checks and a Vercel preview but no live endpoint output. (02d11208469f)
  • Current main lacks feed endpoints: Current main has no /api/v1/feeds, rootFeed, clawhub-reviewed, or feed route constants in the searched API/docs/schema surfaces. (7accfb71c771)
  • PR exposes large feed query publicly: The branch registers rootFeed with the public query wrapper and can read 5,000 skill digest rows plus 5,000 rows for each plugin family before filtering. (convex/feeds.ts:59, 02d11208469f)
  • PR feed handler bypasses read limiter: The new HTTP feed handler calls apiRefs.feeds.rootFeed and returns JSON without calling applyRateLimit, so the new public route does not consume the existing read bucket or return rate-limit headers. (convex/httpApiV1/feedsV1.ts:405, 02d11208469f)
  • Current public package reads are rate-limited: Current main applies applyRateLimit(ctx, request, "read") before package catalog list work, matching the documented public read quota pattern. (convex/httpApiV1/packagesV1.ts:1447, 7accfb71c771)
  • Rate-limit contract is current behavior: The current public API docs say public read APIs are rate-limited and clients should honor 429, Retry-After, and rate-limit headers. (docs/api.md:16, 7accfb71c771)

Likely related people:

  • Patrick-Erichsen: Blame and log history tie the current HTTP rate-limit helper, public package-list rate limiting, and API docs baseline to this recent work. (role: recent API and rate-limit owner; confidence: high; commits: 8d7ac580d15d, 69c79e8f0120, eccdbb38305b; files: convex/lib/httpRateLimit.ts, convex/httpApiV1/packagesV1.ts, docs/api.md)
  • fuller-stack-dev: Recent merged catalog taxonomy work touched package catalog and HTTP API docs surfaces adjacent to the proposed feed-lane catalog contract. (role: recent catalog contributor; confidence: medium; commits: 04ec212100f5; files: convex/httpApiV1/packagesV1.ts, docs/http-api.md)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
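The P1 finding above asks for the feed handler to charge the public read quota before it runs the feed query, and to answer with 429 plus rate-limit headers once the quota is spent. The following TypeScript is an added example of that gating, not code from this PR, from ClawHub, or from Convex: a hypothetical in-memory token bucket stands in for the real `applyRateLimit(ctx, request, "read")` helper the review names, and the policy numbers, header names, client key and request/response shapes are assumptions of the example.

```typescript
// Added example (not ClawHub code): a feed handler that consumes a read-quota
// bucket before running the catalog read, which is the gating the review says
// the PR's feedV1Handler skips. The token bucket, policy numbers, header names
// and the in-memory map are stand-ins for the real applyRateLimit helper.
export interface RateLimitPolicy {
  capacity: number;      // burst size
  refillPerSec: number;  // tokens added per second
}

// Constructed policy: a burst of 3 feed reads, then one more every 4 seconds.
export const READ_POLICY: RateLimitPolicy = { capacity: 3, refillPerSec: 0.25 };

interface Bucket { tokens: number; updatedMs: number; }

export interface Verdict { allowed: boolean; remaining: number; retryAfterSec: number; }

export class TokenBucketLimiter {
  private readonly buckets = new Map<string, Bucket>();
  constructor(readonly policy: RateLimitPolicy, private readonly now: () => number = () => Date.now()) {}

  // Refill by elapsed time, then try to spend one token for this request.
  take(key: string): Verdict {
    const t = this.now();
    const b = this.buckets.get(key) ?? { tokens: this.policy.capacity, updatedMs: t };
    const elapsedSec = Math.max(0, t - b.updatedMs) / 1000;
    b.tokens = Math.min(this.policy.capacity, b.tokens + elapsedSec * this.policy.refillPerSec);
    b.updatedMs = t;
    this.buckets.set(key, b);
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return { allowed: true, remaining: Math.floor(b.tokens), retryAfterSec: 0 };
    }
    return { allowed: false, remaining: 0, retryAfterSec: Math.ceil((1 - b.tokens) / this.policy.refillPerSec) };
  }
}

export type Lane = "all" | "official" | "community" | "reviewed";
export interface FeedRequest { clientKey: string; lane: Lane; } // clientKey: e.g. API key id or source address
export interface FeedResponse { status: number; headers: Record<string, string>; body: string; }

export function makeFeedHandler(limiter: TokenBucketLimiter, readFeed: (lane: Lane) => unknown) {
  return (req: FeedRequest): FeedResponse => {
    // 1. Charge the quota first, before any catalog rows are read.
    const verdict = limiter.take(req.clientKey);
    const headers: Record<string, string> = {
      "X-RateLimit-Limit": String(limiter.policy.capacity),
      "X-RateLimit-Remaining": String(verdict.remaining),
    };
    if (!verdict.allowed) {
      headers["Retry-After"] = String(verdict.retryAfterSec);
      return { status: 429, headers, body: JSON.stringify({ error: "rate_limited" }) };
    }
    // 2. Only an admitted request pays for the (potentially large) feed read.
    headers["Content-Type"] = "application/json";
    return { status: 200, headers, body: JSON.stringify(readFeed(req.lane)) };
  };
}

// Constructed scenario with a fake clock: four back-to-back requests from one
// client, then one more request a minute later once the bucket has refilled.
export function runScenario(): {
  statuses: number[];
  readsDuringBurst: number;
  totalReads: number;
  retryAfter: string | undefined;
  afterRefill: number;
} {
  let clockMs = 0;
  const limiter = new TokenBucketLimiter(READ_POLICY, () => clockMs);
  let reads = 0;
  const handler = makeFeedHandler(limiter, (lane) => {
    reads += 1; // stands in for the digest-row scan; counted to show it is skipped on 429
    return { schemaVersion: 1, feedId: `clawhub-${lane}`, scope: "root", entries: [] };
  });
  const statuses: number[] = [];
  let retryAfter: string | undefined;
  for (let i = 0; i < 4; i += 1) {
    const res = handler({ clientKey: "198.51.100.23", lane: "all" }); // constructed client key
    statuses.push(res.status);
    if (res.status === 429) retryAfter = res.headers["Retry-After"];
  }
  const readsDuringBurst = reads;
  clockMs += 60_000;
  const afterRefill = handler({ clientKey: "198.51.100.23", lane: "reviewed" }).status;
  return { statuses, readsDuringBurst, totalReads: reads, retryAfter, afterRefill };
}
```

The ordering is the point: the limiter decision happens before `readFeed` is invoked, so a rejected request never triggers the digest-row scan the review counts at up to 15,000 rows. A production limiter would keep its buckets in shared storage rather than process memory, and the handler would pass through whatever rate-limit headers the existing helper already emits so feed routes and package routes advertise the same contract.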

clawsweeper Bot added labels on May 31, 2026:
  • rating: 🧂 unranked krab (not merge-ready due to missing proof or serious correctness/safety concerns)
  • status: 📣 needs proof (the PR needs real behavior proof before ClawSweeper can clear the contributor ask)
  • P2 (normal backlog priority with limited blast radius)
  • merge-risk: 🚨 security-boundary (merging this PR could weaken sandboxing, authorization, credentials, or sensitive data)
  • merge-risk: 🚨 availability (merging this PR could cause crashes, hangs, restart loops, stalls, or process outages)

giodl73-repo force-pushed the user/giodl/clawhub-feeds-root branch from 636c84e to d02f8ef on May 31, 2026 18:36.
giodl73-repo force-pushed the user/giodl/clawhub-feeds-root branch from d02f8ef to 0be0517 on May 31, 2026 19:08.
giodl73-repo force-pushed the user/giodl/clawhub-feeds-root branch from a34da07 to 02d1120 on June 3, 2026 22:15.

clawsweeper Bot updated labels on Jun 3, 2026: added merge-risk: 🚨 compatibility (merging this PR could break existing users, config, migrations, defaults, or upgrades), rating: 🌊 off-meta tidepool (PR readiness rating does not apply to this item), status: ⏳ waiting on author (ClawSweeper has contributor-facing work open and is waiting for author action) and rating: 🧂 unranked krab; removed rating: 🧂 unranked krab, status: 📣 needs proof, status: ⏳ waiting on author and rating: 🌊 off-meta tidepool.
clawsweeper Bot updated labels on Jun 11, 2026: added rating: 🌊 off-meta tidepool, rating: 🧂 unranked krab and status: 📣 needs proof; removed rating: 🧂 unranked krab, status: 📣 needs proof and rating: 🌊 off-meta tidepool.