fix: retry atomic snapshot pushes

[steipete]

Summary

• retry concurrent encrypted backup branch-and-tag pushes through CrawlKit
• preserve the current/legacy backup branch and retarget unpublished tags after rebase
• preserve unrelated backup-repository edits during retry rebases

Proof

• go test ./...
• go test -race ./...
• go vet ./...
• autoreview clean

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 19, 2026, 7:57 AM ET / 11:57 UTC.

Summary
The branch bumps github.com/openclaw/crawlkit, switches tagged backup pushes to mirror.PushCurrentSnapshot, updates checksums, and adds a changelog entry.

Reproducibility: no. not from a real current-main run in this read-only review. The source path and upstream CrawlKit tests make the rejected atomic push retry path understandable, but the PR still needs real or locally reproduced backup push evidence.

Review metrics: 3 noteworthy metrics.

• Diff surface: 4 files affected. The PR is small locally, but it combines a runtime call-site change, dependency checksum update, and release-note hunk.
• Dependency-driven behavior: 1 CrawlKit pseudo-version bump. Most retry behavior lives in the bumped CrawlKit commit rather than Telecrawl-local code.
• Release-owned file: 1 changelog entry added. Maintainers should remove this hunk before normal merge because release notes are assembled separately.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🐚 platinum hermit
Result: blocked until real behavior proof from a real setup is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P1] Add redacted terminal output or logs showing the rejected tagged backup push, rebase/tag retarget, and successful retry; redact private paths, remotes, tokens, and other sensitive details.
• Remove the CHANGELOG.md hunk from the branch.
• After adding proof, update the PR body to trigger a fresh ClawSweeper review; if it does not trigger, ask a maintainer to comment @clawsweeper re-review.

Proof guidance:

• [P1] Needs real behavior proof before merge: The PR body lists tests/vet only; please add redacted terminal output, logs, or a recording from a real concurrent tagged backup push retry, then update the PR body so ClawSweeper re-reviews.

Risk before merge

• [P1] The behavior change is mostly delivered by a same-organization CrawlKit pseudo-version, so Telecrawl’s one-line call-site swap depends on the upstream helper and its retry/rebase semantics.
• [P1] The PR body lists tests and static checks only; it does not prove an actual concurrent tagged backup push retry against a real or locally reproduced backup remote.
• [P1] The diff edits release-owned CHANGELOG.md, which should be removed from a normal contributor PR before merge.

Maintainer options:

1. Require backup retry proof first (recommended)
   Ask for redacted terminal output or logs from a real or locally reproduced two-checkout tagged backup push where the first atomic push is rejected, rebased, tag-retargeted, and retried successfully.
2. Accept the CrawlKit helper risk
   Maintainers can intentionally merge the dependency-backed retry helper without real-run proof if they are comfortable owning any backup repository compatibility regression tests missed.

Next step before merge

• [P1] Contributor-provided real backup retry proof is the merge blocker, so this should stay on human review rather than an automated repair lane.

Security
Cleared: No concrete security or supply-chain regression was found; the CrawlKit bump is checksum-pinned and treated as compatibility-sensitive rather than security-sensitive.

Review findings

• [P3] Remove the release-owned changelog hunk — CHANGELOG.md:13

Review details

Best possible solution:

Land the narrow call-site and CrawlKit bump after removing the changelog hunk and adding redacted real-run proof for a rejected concurrent tagged backup push retry that preserves branch and tag state.

Do we have a high-confidence way to reproduce the issue?

No, not from a real current-main run in this read-only review. The source path and upstream CrawlKit tests make the rejected atomic push retry path understandable, but the PR still needs real or locally reproduced backup push evidence.

Is this the best way to solve the issue?

Mostly yes: delegating the retry to CrawlKit is the narrowest maintainable path because backup mirror synchronization already lives there. It is not merge-ready until the changelog hunk is removed and the contributor adds real behavior proof.

Full review comments:

• [P3] Remove the release-owned changelog hunk — CHANGELOG.md:13
  OpenClaw keeps CHANGELOG.md release-owned for normal PRs, and this PR already carries the release-note context in its body. Please drop this changelog entry so release notes can be assembled by the release process.
  Confidence: 0.9

Overall correctness: patch is correct
Overall confidence: 0.78

AGENTS.md: not found in the target repository.

Codex review notes: model internal, reasoning high; reviewed against 4e6fb27ae15f.

Label changes

Label changes:

• add P2: This is a normal-priority backup durability fix with limited blast radius but real compatibility impact for encrypted Git backup users.
• add merge-risk: 🚨 compatibility: Changing the tagged backup push path and CrawlKit mirror synchronization can affect existing backup repositories and upgrade behavior beyond what green unit tests settle.
• add rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• add status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body lists tests/vet only; please add redacted terminal output, logs, or a recording from a real concurrent tagged backup push retry, then update the PR body so ClawSweeper re-reviews.

Label justifications:

• P2: This is a normal-priority backup durability fix with limited blast radius but real compatibility impact for encrypted Git backup users.
• merge-risk: 🚨 compatibility: Changing the tagged backup push path and CrawlKit mirror synchronization can affect existing backup repositories and upgrade behavior beyond what green unit tests settle.
• rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body lists tests/vet only; please add redacted terminal output, logs, or a recording from a real concurrent tagged backup push retry, then update the PR body so ClawSweeper re-reviews.

Evidence reviewed

What I checked:

• Target AGENTS check: No AGENTS.md exists inside the telecrawl target repository, so no target-specific AGENTS policy applied.
• Current main still has the old call site: The checked-out default branch calls mirror.PushAtomic for tagged backup pushes, so the central retry helper is not already implemented on main. (internal/backup/backup.go:116, 4e6fb27ae15f)
• PR changes the Telecrawl call site: The PR changes the tagged push path from PushAtomic(..., "HEAD", "refs/tags/"+tag) to PushCurrentSnapshot(..., tag) and bumps CrawlKit to the helper commit. (internal/backup/backup.go:116, 7a638e085975)
• CrawlKit helper inspected: The target CrawlKit commit defines PushCurrentSnapshot, validates the tag, atomically pushes HEAD plus the tag, detects non-fast-forward output, runs SyncCurrentForWrite, and retries once. (github.com/openclaw/crawlkit/mirror/history.go:180, eb1aa35e0e78)
• CrawlKit retry coverage exists upstream: CrawlKit has a test covering PushCurrentSnapshot after a legacy-branch concurrent remote update, including branch and tag resolution after retry. (github.com/openclaw/crawlkit/mirror/mirror_test.go:634, eb1aa35e0e78)
• Feature provenance: The tagged backup push path on current main was introduced with the durable backup history merge, making that commit the relevant local provenance for this PR. (internal/backup/backup.go:116, e07a15d9b42f)

Likely related people:

• steipete: Git blame and PR history show steipete introduced the tagged backup push path and recently maintained the backup history and recovery-command changes that this PR builds on. (role: feature owner and recent area contributor; confidence: high; commits: e07a15d9b42f, 4e6fb27ae15f, 49930fd7e801; files: internal/backup/backup.go, internal/backup/git.go, go.mod)
• joshp123: Recent merged work by joshp123 touched adjacent CLI, store, dependency, and Telegram import surfaces in the same short history window, though not the exact tagged push line. (role: recent adjacent contributor; confidence: medium; commits: 01eeecc55fc0, 9df81dcf3183, 9ef3b111c008; files: internal/cli/cli.go, internal/store/store.go, go.mod)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7a638e0859

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve existing backup remotes during retry

When a tagged push hits the new retry path, PushCurrentSnapshot receives mirrorOptions(cfg), including cfg.Remote. Unlike the earlier ensureRepo path, this bypasses syncOptions, so for an already-cloned backup repo whose origin intentionally differs from the config/default remote, the helper's sync step can reconfigure origin to cfg.Remote before retrying the push. In the non-fast-forward case this can make backup push --tag fail against, or publish metadata to, the wrong remote; pass the same remote-preserving options used by ensureRepo for existing repos.

Useful? React with 👍 / 👎.

[steipete]

Landed in 32999a44d56ef2ae8382966fc447a752499b3b2a.

Proof: full tests, race tests, vet, and autoreview passed locally; GitHub tests, lint, dependencies, Docker, release snapshot, CodeQL, and secret scanning passed.

[steipete]

Post-merge audit: PASS — no defect found.

• Exercised the tagged backup runtime path against a fresh synthetic bare Git remote. A concurrent writer advanced the remote after the local snapshot/tag was created; ancestry was checked to prove the first atomic push was non-fast-forward. The retry rebased the snapshot, retargeted the unpublished new tag, and atomically published both refs.
• Verified the concurrent remote commit remained in history, the earlier published snapshot tag stayed immutable, and an attempted retarget was rejected.
• Restored the earlier snapshot by tag and verified historical restore did not move the backup checkout. The current branch, an additional local branch, and tracked plus untracked dirty state all survived the retry/restore flow.
• Verified backup config/identity and encrypted shard permissions; ciphertext inspection found no synthetic plaintext. Generated recovery instructions use the supported telecrawl backup pull and telecrawl status commands.
• Built the merged tree and ran metadata, status, and an archive read through that binary. Output was captured privately at mode 0600 and validated only for JSON shape; no archive content was surfaced. No live Telegram API call was made.
• Local gates passed: module verification/tidiness, full tests, race tests, 56.1% coverage (35% floor), build, vet, golangci-lint, staticcheck, deadcode, gofumpt, gosec, govulncheck, and both Git-history/working-tree secret scans.
• Autoreview of the exact merged commit reported no accepted/actionable findings. Public model-identifier gate passed across the diff, tests/fixtures, workflows/generated metadata, exact CI logs, built binary, and public PR surfaces.
• Exact merged-head CI is green: CI, Docker, and CodeQL for 32999a44d56ef2ae8382966fc447a752499b3b2a.