chore: promote staging to staging-promote/ee6f5cd6-23354122351 (2026-03-20 19:41 UTC)

[ironclaw-ci]

Auto-promotion from staging CI

Batch range: c4ab382522c86e7e19d55fee760b125fb1970518..d3b69e7be35217ebb6f6ce9fb3547402c862797e
Promotion branch: staging-promote/d3b69e7b-23359661011
Base: staging-promote/ee6f5cd6-23354122351
Triggered by: Staging CI batch at 2026-03-20 19:41 UTC

Commits in this batch (17):

• cac6f40 Add owner-scoped permissions for full-job routines (Add owner-scoped permissions for full-job routines #1440)
• 6b0f84b perf: use Arc in embedding cache to avoid clones on miss path (perf: use Arc in embedding cache to avoid clones on miss path #1438)
• 8920322 fix: staging CI triage — consolidate retry parsing, fix flaky tests, add docs (fix: staging CI triage — consolidate retry parsing, fix flaky tests, add docs #1427)
• 8526cde fix: restore libSQL vector search with dynamic dimensions (fix: restore libSQL vector search with dynamic dimensions #1393)
• 455f543 fix(routines): surface errors when sandbox unavailable for full_job routines (fix(routines): surface errors when sandbox unavailable for full_job routines #769)
• 3a52334 fix: f32→f64 precision artifact in temperature causes provider 400 errors (fix: f32→f64 precision artifact in temperature causes provider 400 errors #1450)
• 806d402 feat: chat onboarding and routine advisor (feat: chat onboarding and routine advisor #927)
• 31c3b5b feat(agent): activate stuck_threshold for time-based stuck job detection (feat(agent): activate stuck_threshold for time-based stuck job detection #1234)
• ef3d769 fix(security): validate embedding base URLs to prevent SSRF (fix(security): validate embedding base URLs to prevent SSRF #1221)
• b952d22 fix: prefer execution-local message routing metadata (fix: prefer execution-local message routing metadata #1449)
• e82f4bd fix: register sandbox jobs in ContextManager for query tool visibility (fix: register sandbox jobs in ContextManager for query tool visibility #1426)
• c176261 fix: skip credential validation for Bedrock backend (fix: skip credential validation for Bedrock backend #1011)
• 1b97ef4 fix: resolve wasm broadcast merge conflicts with staging (channels/wasm: implement telegram broadcast path for message tool #395) (fix: resolve wasm broadcast merge conflicts with staging (#395) #1460)
• cba1bc3 feat(web): add light theme with dark/light/system toggle (feat(web): add light theme with dark/light/system toggle #1457)
• 3da9810 feat(llm): Add OpenAI Codex (ChatGPT subscription) as LLM provider (feat(llm): Add OpenAI Codex (ChatGPT subscription) as LLM provider #1461)
• ee6f5cd Use live owner tool scope for autonomous routines and jobs (Use live owner tool scope for autonomous routines and jobs #1453)
• d3b69e7 Fix CI approval flows and stale fixtures (Fix CI approval flows and stale fixtures #1478)

Current commits in this promotion (1)

Current base: staging-promote/ee6f5cd6-23354122351
Current head: staging-promote/d3b69e7b-23359661011
Current range: origin/staging-promote/ee6f5cd6-23354122351..origin/staging-promote/d3b69e7b-23359661011

• d3b69e7 Fix CI approval flows and stale fixtures (Fix CI approval flows and stale fixtures #1478)

Auto-updated by staging promotion metadata workflow

Waiting for gates:

• Tests: pending
• E2E: pending
• Claude Code review: pending (will post comments on this PR)

---

Auto-created by staging-ci workflow

[claude]

Code review

Found 8 issues:

1. [CRITICAL:100] Cross-channel approval thread hijacking - authorization bypass
   An attacker can approve/deny tool requests on threads they didn't initiate by supplying the target thread UUID to the approval endpoint. The code at line 1039 only checks if a thread exists in the session without verifying channel authorization context or ownership of the approval request. This allows potential escalation of privileges across channels.

https://github.com/anthropics/ironclaw/blob/067ff01a2780fd91354b7902b4743316293beba0/src/agent/agent_loop.rs#L1033-L1051

2. [CRITICAL:95] TOCTOU race condition in approval thread resolution
   The code checks thread existence and mutates session state (lines 1040-1041), then drops the lock before completing the async register_thread() call (lines 1042-1050). This violates the session locking invariant documented in src/agent/CLAUDE.md:127 and creates a window where concurrent operations could modify session state after the mutations but before the thread is registered. The entire check-mutate-register sequence must complete while holding the write lock.

https://github.com/anthropics/ironclaw/blob/067ff01a2780fd91354b7902b4743316293beba0/src/agent/agent_loop.rs#L1038-L1051

3. [HIGH:70] Incomplete fallback logic for non-existent approval threads
   When an approval targets a UUID that doesn't exist in the local session, the code falls back to resolve_thread() with the same UUID string (line 1053). But resolve_thread() expects either None or a conversation_scope value, not a UUID. This fallback may not correctly handle or create the intended thread.

https://github.com/anthropics/ironclaw/blob/067ff01a2780fd91354b7902b4743316293beba0/src/agent/agent_loop.rs#L1052-L1062

4. [MEDIUM:85] Unnecessary repeated UUID parsing in hot path
   The approval thread UUID is parsed from string on every approval submission via Uuid::parse_str(thread_id).ok() (lines 1022-1031). For high-frequency approval workloads, this repeated parsing could accumulate. Consider caching the parsed UUID or parsing once during message deserialization.

https://github.com/anthropics/ironclaw/blob/067ff01a2780fd91354b7902b4743316293beba0/src/agent/agent_loop.rs#L1022-L1031

5. [MEDIUM:80] Lock contention in approval thread resolution
   Multiple sequential lock acquisitions: get_or_create_session() write lock, session.lock(), then register_thread() with additional locks (lines 1036-1050). The explicit drop(sess) hints at intentional lock management but suggests the lock pattern needs review. Under high approval load, this sequential locking could cause contention.

https://github.com/anthropics/ironclaw/blob/067ff01a2780fd91354b7902b4743316293beba0/src/agent/agent_loop.rs#L1036-L1050

6. [MEDIUM:70] Missing architectural trait for approval submission routing
   The code hardcodes a type check for Submission::ExecApproval { .. } | Submission::ApprovalResponse { .. } to detect approval submissions that can bypass normal thread resolution (lines 1022-1031). Per CLAUDE.md architecture guidelines, trait-based design is preferred over hardcoding conditionals. A method like submission.can_target_existing_thread() would make the intent explicit.

https://github.com/anthropics/ironclaw/blob/067ff01a2780fd91354b7902b4743316293beba0/src/agent/agent_loop.rs#L1022-L1031

7. [MEDIUM:75] Test URLs changed to use public IPs
   Test URLs in config tests changed from https://custom.example.com to https://8.8.8.8 and similar. While these are test fixtures, using public IP addresses (Google DNS) in test mocking could accidentally expose real network calls if test isolation fails. Use RFC 5737 TEST-NET addresses (192.0.2.x) or localhost instead.

https://github.com/anthropics/ironclaw/blob/067ff01a2780fd91354b7902b4743316293beba0/src/config/embeddings.rs#L302
https://github.com/anthropics/ironclaw/blob/067ff01a2780fd91354b7902b4743316293beba0/src/config/llm.rs#L858

8. [LOW:70] Unnecessary UTC time fetch on every approval thread reuse
   Line 1041 calls chrono::Utc::now() every time an existing approval thread is reused. This syscall is unnecessary for functionality and could accumulate under high approval frequency. Consider deferring to periodic heartbeat updates.

https://github.com/anthropics/ironclaw/blob/067ff01a2780fd91354b7902b4743316293beba0/src/agent/agent_loop.rs#L1040-L1041