chore: promote staging to staging-promote/3da9810e-23351687636 (2026-03-20 17:14 UTC)

[ironclaw-ci]

Auto-promotion from staging CI

Batch range: c4ab382522c86e7e19d55fee760b125fb1970518..ee6f5cd62abdc6086a9087f40bd51a53c79b7447
Promotion branch: staging-promote/ee6f5cd6-23354122351
Base: staging-promote/3da9810e-23351687636
Triggered by: Staging CI batch at 2026-03-20 17:14 UTC

Commits in this batch (16):

• cac6f40 Add owner-scoped permissions for full-job routines (Add owner-scoped permissions for full-job routines #1440)
• 6b0f84b perf: use Arc in embedding cache to avoid clones on miss path (perf: use Arc in embedding cache to avoid clones on miss path #1438)
• 8920322 fix: staging CI triage — consolidate retry parsing, fix flaky tests, add docs (fix: staging CI triage — consolidate retry parsing, fix flaky tests, add docs #1427)
• 8526cde fix: restore libSQL vector search with dynamic dimensions (fix: restore libSQL vector search with dynamic dimensions #1393)
• 455f543 fix(routines): surface errors when sandbox unavailable for full_job routines (fix(routines): surface errors when sandbox unavailable for full_job routines #769)
• 3a52334 fix: f32→f64 precision artifact in temperature causes provider 400 errors (fix: f32→f64 precision artifact in temperature causes provider 400 errors #1450)
• 806d402 feat: chat onboarding and routine advisor (feat: chat onboarding and routine advisor #927)
• 31c3b5b feat(agent): activate stuck_threshold for time-based stuck job detection (feat(agent): activate stuck_threshold for time-based stuck job detection #1234)
• ef3d769 fix(security): validate embedding base URLs to prevent SSRF (fix(security): validate embedding base URLs to prevent SSRF #1221)
• b952d22 fix: prefer execution-local message routing metadata (fix: prefer execution-local message routing metadata #1449)
• e82f4bd fix: register sandbox jobs in ContextManager for query tool visibility (fix: register sandbox jobs in ContextManager for query tool visibility #1426)
• c176261 fix: skip credential validation for Bedrock backend (fix: skip credential validation for Bedrock backend #1011)
• 1b97ef4 fix: resolve wasm broadcast merge conflicts with staging (channels/wasm: implement telegram broadcast path for message tool #395) (fix: resolve wasm broadcast merge conflicts with staging (#395) #1460)
• cba1bc3 feat(web): add light theme with dark/light/system toggle (feat(web): add light theme with dark/light/system toggle #1457)
• 3da9810 feat(llm): Add OpenAI Codex (ChatGPT subscription) as LLM provider (feat(llm): Add OpenAI Codex (ChatGPT subscription) as LLM provider #1461)
• ee6f5cd Use live owner tool scope for autonomous routines and jobs (Use live owner tool scope for autonomous routines and jobs #1453)

Current commits in this promotion (1)

Current base: staging-promote/3da9810e-23351687636
Current head: staging-promote/ee6f5cd6-23354122351
Current range: origin/staging-promote/3da9810e-23351687636..origin/staging-promote/ee6f5cd6-23354122351

• ee6f5cd Use live owner tool scope for autonomous routines and jobs (Use live owner tool scope for autonomous routines and jobs #1453)

Auto-updated by staging promotion metadata workflow

Waiting for gates:

• Tests: pending
• E2E: pending
• Claude Code review: pending (will post comments on this PR)

---

Auto-created by staging-ci workflow

[claude]

Code review

Found 5 issues:

1. [HIGH:80] Removed approval requirement check in lightweight routine tool execution

In src/agent/routine_engine.rs, the function execute_routine_tool() previously enforced that lightweight routines could only call tools with ApprovalRequirement::Never, blocking UnlessAutoApproved and Always tools due to prompt injection vulnerability. The new code relies solely on the AUTONOMOUS_TOOL_DENYLIST which is more comprehensive but does not verify the approval requirement of individual tools. If a tool's metadata changes or new tools are added with approval requirements, lightweight routines could now call sensitive tools unintentionally.

https://github.com/anthropics/ironclaw/blob/ee6f5cd62abdc6086a9087f40bd51a53c79b7447/src/agent/routine_engine.rs#L537-L545

2. [MEDIUM:75] Silent removal of tool_permissions and permission_mode from routine serialization

The PR removes tool_permissions and permission_mode fields from RoutineAction::FullJob, including from the to_config_json() method. While backward compatibility exists for parsing legacy routines from the database, any routine that is read and re-written will lose these fields permanently. Users cannot audit whether a routine was set to Explicit vs InheritOwner permission mode.

https://github.com/anthropics/ironclaw/blob/ee6f5cd62abdc6086a9087f40bd51a53c79b7447/src/agent/routine.rs#L365-L375

3. [MEDIUM:72] Denylist expansion may silently break existing routines

AUTONOMOUS_TOOL_DENYLIST was expanded from 5 to 17 tools. Tools like event_emit, tool_install, skill_install, secret_delete are now denylisted. Any existing full_job routines referencing these tools in legacy tool_permissions will silently fail at runtime without migration warning.

https://github.com/anthropics/ironclaw/blob/ee6f5cd62abdc6086a9087f40bd51a53c79b7447/src/tools/autonomy.rs#L8-L26

4. [MEDIUM:70] SchedulerDeps struct exported without documentation

The new SchedulerDeps struct is exported but lacks documentation explaining why it bundles these fields or its role in autonomous tool resolution. This impacts maintainability.

https://github.com/anthropics/ironclaw/blob/ee6f5cd62abdc6086a9087f40bd51a53c79b7447/src/agent/agent_loop.rs#L227-L236

5. [LOW:50] AUTONOMOUS_TOOL_DENYLIST policy scattered across functions

Tool allowlisting logic is split across multiple functions. Consider a single helper like is_tool_allowed_for_autonomy(name: &str) -> bool to centralize policy.

https://github.com/anthropics/ironclaw/blob/ee6f5cd62abdc6086a9087f40bd51a53c79b7447/src/tools/autonomy.rs#L8-L68