Add ClawHub publisher abuse digest endpoint#17
Conversation
|
Codex review: needs maintainer review before merge. Reviewed July 2, 2026, 9:54 AM ET / 13:54 UTC. Summary Reproducibility: not applicable. This PR adds a new integration endpoint rather than reporting broken current behavior. Source inspection shows current main has no publisher-abuse digest route to reproduce against. Review metrics: 3 noteworthy metrics.
Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Mantis proof suggestion Risk before merge
Maintainer options:
Next step before merge
Security Review detailsBest possible solution: Finish maintainer review, explicitly accept or adjust the token boundary, and coordinate rollout with the companion ClawHub sender before landing. Do we have a high-confidence way to reproduce the issue? Not applicable; this PR adds a new integration endpoint rather than reporting broken current behavior. Source inspection shows current main has no publisher-abuse digest route to reproduce against. Is this the best way to solve the issue? Mostly yes: the implementation is narrow, follows the repository’s Carbon and routing patterns, and has focused tests. The remaining question is maintainer acceptance of the token boundary and paired rollout, not a mechanical code repair. AGENTS.md: found and applied where relevant. Codex review notes: model internal, reasoning high; reviewed against 268a0d1c15c8. Label changesLabel changes:
Label justifications:
Evidence reviewedWhat I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
|
6afe825 to
21cde48
Compare
21cde48 to
89908db
Compare
|
/clawsweeper re-review |
|
🦞🧹 I asked ClawSweeper to review this item again. |
|
/clawsweeper re-review |
1 similar comment
|
/clawsweeper re-review |
There was a problem hiding this comment.
Pull request overview
Adds a new authenticated Hermit API receiver for ClawHub “publisher abuse signals changed” digests, validates payload/link safety before touching Discord, and posts a Carbon component summary into the configured ClawHub review channel.
Changes:
- Introduces
POST /api/clawhub-publisher-abuse/signals/digesthandler that authenticates via bearer token, validates payload shape/metrics/URLs, and sends a CarbonContainermessage to Discord. - Wires the new request wrapper into the main
fetchrouter and extends runtime env typing forCLAWHUB_HERMIT_TOKENandCLAWHUB_SITE_URL. - Adds a focused API test suite covering auth/method/JSON/payload guardrails, trusted origins, escaping, truncation behavior, and runtime wrapper wiring.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tests/publisherAbuseDigestApi.test.ts | Adds end-to-end-ish handler tests for auth, payload validation, trusted origins, escaping, and Discord delivery payload. |
| src/runtime/env.ts | Extends Env typing with optional CLAWHUB_HERMIT_TOKEN and CLAWHUB_SITE_URL. |
| src/index.ts | Registers the new publisher-abuse digest handler in the main request routing flow. |
| src/clawhubPublisherAbuse/api.ts | Implements digest parsing/validation, trusted-origin URL checks, Carbon message rendering, and Discord delivery. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| const bearerToken = (request: Request) => | ||
| request.headers.get("authorization")?.match(/^Bearer\s+(.+)$/i)?.[1] ?? "" |
| const optionalValidUrl = (value: unknown, trustedOrigins: ReadonlySet<string>) => | ||
| value === undefined || value === null || value === "" ? null : validUrl(value, trustedOrigins) | ||
|
|
||
| const invalidOptionalUrl = (rawValue: unknown, parsedValue: string | null) => | ||
| rawValue !== undefined && rawValue !== null && rawValue !== "" && parsedValue === null |
Summary
Hermit now accepts ClawHub publisher-abuse signal digest notifications at
POST /api/clawhub-publisher-abuse/signals/digest. The endpoint validates a shared bearer token, checks the incoming digest shape before touching Discord, and posts a Carbon component summary into the configured ClawHub review channel.This pairs with ClawHub PR #2927 so changed publisher-abuse signals can reach the Discord review queue from ClawHub's notification job.
What Changed
POST /api/clawhub-publisher-abuse/signals/digestis handled, and requests must sendAuthorization: Bearer <token>.CLAWHUB_HERMIT_TOKENand falls back to the existingCLAWHUB_BAN_APPEALS_TOKEN, matching ClawHub's sender behavior.CLAWHUB_SITE_URLwhen configured, orhttps://clawhub.aiby default.ContainertoformSettings.clawhubAppealReviewChannelIdand allow onlyformSettings.clawhubAppealReviewRoleIdto be mentioned.POSTmethods, invalid JSON, empty signal lists, cross-origin or non-web URLs, and malformed numeric metrics are rejected before fetching the Discord channel.Proof
Representative success request:
Expected response after Discord delivery:
{"ok":true,"delivered":true,"changedCount":1}The focused Hermit API test verifies that this request sends one Carbon component message to the ClawHub review channel, mentions only the configured review role, includes the dashboard/skill/publisher links, and shows a local truncation hint when more than five signals are supplied.
The ClawHub PR #2927 compatibility test verifies that ClawHub posts to
https://forms.example.test/api/clawhub-publisher-abuse/signals/digestwithAuthorization: Bearer hermit-tokenand apublisher_abuse_signals_changedpayload containingchangedCount,hasMore,dashboardUrl, signal metrics,skillUrl, andpublisherUrl.No screenshots are included because this PR adds a backend integration endpoint and Discord message delivery path, not browser UI.
Verification
Reviewer-checkable behavior:
bun test tests/publisherAbuseDigestApi.test.tspassed: 17 tests, 98 assertions.bunx vitest run convex/publisherAbuse.test.ts --testNamePattern 'sends one Hermit digest for claimed changed signals'passed: 1 test, 105 skipped.Automated checks:
bun run typecheckpassed.bun testpassed: 48 tests, 172 assertions.git diff --check main...HEADpassed.Review:
Formatting note:
bunx prettier --check src/clawhubPublisherAbuse/api.ts src/index.ts src/runtime/env.ts tests/publisherAbuseDigestApi.test.tscould not run because the configured package registry returnedGET https://packages.atlassian.com/artifactory/api/npm/prettier - 404. There is no localprettierdependency orformat:checkscript in this repo, so whitespace was checked withgit diff --check.