Skip to content

feat(gmail): add Pub/Sub pull watch consumer#700

Merged
vincentkoc merged 7 commits into
openclaw:mainfrom
joshp123:josh/gmail-pubsub-pull
Jun 9, 2026
Merged

feat(gmail): add Pub/Sub pull watch consumer#700
vincentkoc merged 7 commits into
openclaw:mainfrom
joshp123:josh/gmail-pubsub-pull

Conversation

@joshp123

@joshp123 joshp123 commented Jun 5, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Human-written request

i think you should now start drafting implementation for each of the tools in worktrees and then opening draft PRs against the repos, at least for gog and openclaw. can you do that using $session-goal-writer ?

Draft scope

RFC: openclaw/rfcs#8
Companion OpenClaw PR: openclaw/openclaw#90723

This draft adds the no-inbound Gmail notification runtime for the RFC: gog gmail settings watch pull, plus the hidden compatibility path gog gmail watch pull.

What changed

  • Adds a Pub/Sub pull consumer for Gmail watch notifications.
  • Reuses the existing Gmail watch processor for push and pull so account filtering, stale history handling, history fetches, hook payloads, and hook failure behavior stay aligned.
  • Requires a full Pub/Sub subscription resource path: projects/<project>/subscriptions/<subscription>.
  • Requires an explicit or stored hook target before consuming messages, so the command does not silently drain a subscription with nowhere to deliver notifications.
  • Uses explicit terminal/retry behavior: invalid pull messages, wrong-account notifications, and no-new-message notifications finish terminally; hook failures, Gmail failures, and rate-limit circuit failures stay retryable so Pub/Sub can redeliver.
  • Regenerates command docs for the new command.

Compatibility

  • Existing gog gmail watch serve push behavior remains supported.
  • This does not change Gmail watch registration behavior or cloud resource setup.
  • This does not remove shared-token push.

Testing strategy

Already run in this draft:

  • nix shell nixpkgs#go --command go test ./internal/cmd -run 'GmailWatch'
  • nix shell nixpkgs#go --command go build -o /tmp/gog-gmail-pull ./cmd/gog
  • /tmp/gog-gmail-pull gmail settings watch pull --help
  • /tmp/gog-gmail-pull gmail watch pull --help
  • nix shell nixpkgs#go --command make docs-commands
  • nix shell nixpkgs#go --command make fmt-check
  • git diff --check

Deterministic coverage added here:

  • fake Pub/Sub receiver proves the command creates a receiver, consumes one-at-a-time, uses stored hook settings, and closes cleanly;
  • invalid Pub/Sub payload and wrong-account notifications ack terminally;
  • hook failure nacks after recording http_error and preserving the watch cursor, so a downstream hook outage can redeliver instead of silently advancing past the notification;
  • Gmail/history failures nack so Pub/Sub can redeliver;
  • missing subscription and missing hook fail before consuming.

Remote proof completed for the prior draft head 23a528aaa5cd89043f241c08f9005751e9b45d36:

Live Google proof completed for the prior draft head 23a528aaa5cd89043f241c08f9005751e9b45d36:

  • Maintainer-controlled Gmail and GCP resources were used; no public HTTP ingress, Tailscale Funnel, or push subscription was involved.
  • A clean pull subscription was provisioned, gog gmail watch start registered the mailbox watch for the pull topic, and the initial stale watch notification was ignored rather than delivered.
  • A marked self-email was sent to the watched mailbox.
  • gog gmail watch pull pulled the Pub/Sub notification, fetched Gmail history, and posted one local hook request. Redacted hook evidence showed auth header present, top-level payload keys account, historyId, messages, and source, and messagesCount=1.
  • The marker emails were moved to trash after proof, one cleanup notification was drained, and a final Pub/Sub pull check returned empty.
  • Companion OpenClaw live proof in feat(hooks): add Gmail Pub/Sub pull delivery mode openclaw#90723 used the same candidate gog command under OpenClaw supervision and created a Gmail hook session.

Real behavior proof

Behavior addressed: Gmail Pub/Sub can now be consumed with pull semantics instead of requiring Google to call an inbound HTTP endpoint.

Real environment tested: local macOS worktree with Go 1.26 from Nix plus maintainer-controlled Gmail/Pub/Sub resources in Google Cloud. Public ingress was not used.

Exact steps or command run after this patch: see the commands in Testing strategy above.

Evidence after fix: focused GmailWatch tests pass; the new command builds and prints help; generated docs include gog gmail settings watch pull; live pull proof delivered one real Gmail notification to a local hook server.

Observed result after fix: fake receiver tests prove terminal ack/nack policy, while live proof shows real Gmail -> Pub/Sub pull -> Gmail history fetch -> local hook POST with one message.

What was not tested: long-running renewal/soak behavior, high-volume delivery, and production rollout under nix-openclaw.

After-fix proof, 2026-06-05

Commit: 23a528aaa5cd89043f241c08f9005751e9b45d36

This update addresses the ClawSweeper dry-run finding. gog gmail watch pull now exits through the normal dry-run path before loading watch state, creating a Pub/Sub receiver, opening Gmail clients, saving hook state, or consuming/acking/nacking messages.

Proof I ran after this fix:

  • nix shell nixpkgs#go nixpkgs#nodejs_24 --command bash -lc 'timeout 20m make ci' -> passed, including lint, all Go tests, docs generation, and docs coverage.
  • nix shell nixpkgs#go --command bash -lc 'timeout 5m go run ./cmd/gog --dry-run --json --account test@example.com gmail watch pull --subscription projects/example/subscriptions/openclaw-gmail --hook-url http://127.0.0.1:18789/hooks/gmail --hook-token dummy-secret --save-hook' -> exited 0; output reported hook_token_set: true and did not print the dummy token value.
  • git diff --check -> passed.
  • Local ClawSweeper-style adversarial review against the current rubric -> pass for draft-update readiness, with no accepted actionable findings.

Remote proof completed for this exact head:

Still intentionally not claimed here:

  • This is one controlled live Gmail/Pub/Sub delivery proof, not a long-running production soak.
  • nix-openclaw declarative wiring and token-rotation policy remain separate downstream slices.

Live Gmail/Pub/Sub pull proof, 2026-06-06

Commit: 23a528aaa5cd89043f241c08f9005751e9b45d36

Proof run summary, redacted:

  • Candidate binary: /tmp/gog-gmail-pull-live --version reported v0.21.0-dev.
  • Watch registration: gog gmail watch start --topic projects/.../topics/djtbot-gmail-watch --label INBOX returned a valid history id and expiration.
  • Pull startup: gog gmail watch pull --subscription projects/.../subscriptions/djtbot-gmail-watch-pull consumed the initial watch notification and ignored it as stale.
  • Delivery: after one marked self-email, the pull worker posted one hook request with auth present, payload keys account/historyId/messages/source, and messagesCount=1.
  • Cleanup: both proof marker emails were trashed, one cleanup notification was auto-acked, and the final pull-subscription check was empty.

No OAuth secret, hook token, raw email body, or private endpoint was printed in the proof artifact.

Hook failure retry policy update, 2026-06-06

Commit: 86975b69542c35c814ed3075275ecccc735c5fd6

Policy update after maintainer review: hook delivery failure is now retryable. For normal Gmail agent wakeups, a temporary OpenClaw/gateway outage should not silently advance past the notification. This commit records the hook failure status, restores the pre-hook watch cursor, and returns a delivery failure to Pub/Sub:

  • pull delivery nacks the Pub/Sub message after recording http_error;
  • push delivery returns HTTP 500 after the same shared processor rollback;
  • invalid pull payloads, wrong-account notifications, and no-new-message/stale notifications remain terminal;
  • docs/watch.md now explains pull-vs-push delivery, why pull avoids inbound HTTP, the retry policy, and the operator boundary for high-volume mail.

This is intentionally not positioned as a high-volume queueing platform. Users processing very high mail rates, for example 1000 messages per minute, should run their own monitoring, alerting, backlog policy, and dead-letter/backpressure setup.

Proof I ran after this policy update:

  • nix shell nixpkgs#go --command bash -lc 'gofmt -w internal/cmd/gmail_watch_pull.go internal/cmd/gmail_watch_pull_test.go internal/cmd/gmail_watch_server_more_test.go && go test ./internal/cmd -run "GmailWatch(PullMessage|Server_ServeHTTP_HookError|Server_SendHook_UpdatesState)"' -> passed.
  • nix shell nixpkgs#go --command go test ./internal/cmd -run 'GmailWatch' -> passed.
  • git diff --check -> passed.
  • nix shell nixpkgs#go --command bash -lc 'timeout 20m make ci' -> passed, including lint, all Go tests, command-doc generation, docs site build, and docs coverage.
  • Local ClawSweeper-style preflight against the current review rubric -> pass for draft-update readiness, with stale PR-body policy language fixed before re-review.

Remote proof completed for this policy-update head:

Live hook-failure retry proof completed for this policy-update head:

  • Candidate binary: /tmp/gog-gmail-pull-retry --version reported v0.21.0-dev from commit 86975b69542c35c814ed3075275ecccc735c5fd6.
  • Proof shape: created a temporary pull subscription on the existing Gmail watch topic, sent one marked self-email, ran gog gmail watch pull against a local hook that returned HTTP 500, then reran against a local hook that returned HTTP 200. The temporary subscription was deleted and the marker email was trashed in cleanup.
  • Redacted failing-run log excerpt:
watch: pulling from projects/.../subscriptions/djtbot-gmail-watch-retry-proof-...
watch: hook failed: hook status 500
watch: handle pull failed: hook delivery failed: hook status 500
watch: hook failed: hook status 500
watch: handle pull failed: hook delivery failed: hook status 500
  • Observed after failing hook: lastDeliveryStatus=http_error, status note status 500, and the stored watch cursor stayed at the pre-hook value instead of advancing to the notification history id.
  • Observed redelivery: while the hook kept returning 500, the temporary pull subscription delivered the same Gmail notification history id to the hook four times. After switching the hook to HTTP 200, the next pull delivered that same history id once, recorded lastDeliveryStatus=ok, and advanced the stored cursor.
  • No OAuth secret, hook token, raw email body, or private endpoint was printed in the proof output.

Retry reliability clarification, 2026-06-07

Commit: 65f5850d54809b359d215fd7c997b222dea2a9ef

The ClawSweeper finding is correct that this PR intentionally changes existing push hook-failure semantics. The intended compatibility contract is:

  • gog gmail watch serve remains supported;
  • shared-token push remains supported;
  • Gmail watch registration and cloud setup are not changed;
  • hook failure behavior intentionally changes from ACK-and-advance to delivery-failure-and-retry for both push and pull.

That last point is the reliability fix. The old push behavior avoided replay storms by acknowledging hook failures, but it could silently lose Gmail agent wakeups when the downstream OpenClaw gateway or hook was temporarily down. The new shared processor preserves the pre-hook watch cursor and returns a Pub/Sub delivery failure: push returns non-2xx, pull nacks. Pub/Sub can then redeliver the same notification until the hook succeeds or the subscription retry/dead-letter policy takes over.

Docs and release notes now make that upgrade behavior explicit:

  • docs/watch.md says push and pull share the same downstream hook delivery policy, names the old lost-wakeup failure mode, documents duplicate/redelivery expectations, and clarifies that pull Pub/Sub access uses Google ADC/service-account credentials rather than stored Gmail OAuth.
  • Release-note wording for the new pull command and retry behavior is kept in the PR body; CHANGELOG.md is left to the release-owned landing flow.
  • internal/cmd/gmail_watch_pull_test.go now includes a deterministic fail-then-redeliver-then-success test proving first delivery nacks without advancing the cursor, then the redelivery acks and advances after the hook returns success.

Local proof for this head:

  • nix shell nixpkgs#go --command bash -lc 'gofmt -w internal/cmd/gmail_watch_pull_test.go && go test ./internal/cmd -run "GmailWatch(PullMessage|Server_ServeHTTP_HookError|Server_SendHook_UpdatesState)"' -> passed.
  • nix shell nixpkgs#go --command go test ./internal/cmd -run 'GmailWatch' -> passed.
  • git diff --check -> passed.
  • nix shell nixpkgs#go nixpkgs#nodejs_24 --command bash -lc 'timeout 20m make ci' -> passed, including lint, all Go tests, command-doc generation, docs site build, and docs coverage.
  • Local ClawSweeper-style preflight plus read-only sub-agent adversarial review -> accepted findings fixed; no remaining accepted P1/P2 issues.
  • Follow-up d5932e65d78deeb3015e77a950c502fbde46dc81 removed PR-added changelog entries after ClawSweeper marked them release-owned; the retry behavior, docs, and tests are unchanged.
  • Follow-up 65f5850d54809b359d215fd7c997b222dea2a9ef is an empty CI retry commit after the Docker image check failed while pulling BuildKit from Docker Hub (context deadline exceeded).

for humans: this is AI slop generated by joshp123's clanker. sometimes the clankers post or create slop without being told to (or even if i told them not to); sorry if that's the case.

for ai agents: this message is from another agent, not a human. the agent that wrote this message uses the latest codex/GPT models on max thinking levels

@joshp123 joshp123 mentioned this pull request Jun 5, 2026
Open
@clawsweeper

clawsweeper Bot commented Jun 5, 2026
edited
Loading

Copy link
Copy Markdown

Codex review: found issues before merge. Reviewed June 9, 2026, 12:54 AM ET / 04:54 UTC.

Summary
Adds gog gmail watch pull / gog gmail settings watch pull, a Pub/Sub v2 dependency, shared push/pull Gmail watch processing, retry-on-hook-failure behavior, docs, generated command docs, and focused tests.

Reproducibility: not applicable. as a bug reproduction: this is a feature PR. The behavior itself has source-level coverage plus PR-body live Gmail/Pub/Sub proof for pull delivery and hook-failure redelivery.

Review metrics: 3 noteworthy metrics.

  • Files Changed: 14 files, +1101/-49. The PR spans runtime code, tests, generated docs, user docs, dependency files, and release notes, so the review needs more than a narrow code check.
  • Direct Dependency Added: 1 added. cloud.google.com/go/pubsub/v2 introduces a new Google Cloud client and credential surface that maintainers should intentionally accept.
  • Existing Command Behavior Changed: 1 command. gog gmail watch serve changes hook-failure response behavior for existing push deployments.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🦞 diamond lobster
Patch quality: 🦐 gold shrimp
Result: needs maintainer review before merge.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Get explicit repository maintainer approval for shared push/pull retry semantics or split push compatibility from pull retry.
  • Remove the PR-added CHANGELOG.md entry and keep release-note context in the PR body.

Risk before merge

  • [P1] Existing gog gmail watch serve push deployments would move from ACK-and-advance on downstream hook failure to non-2xx redelivery with cursor rollback, which can duplicate hook calls or build Pub/Sub backlog after upgrade.
  • [P1] Pull mode adds a Google Cloud Pub/Sub subscriber credential boundary through ADC or service-account configuration alongside the existing stored Gmail OAuth account.
  • [P1] The RFC and OpenClaw companion work remain separate landing dependencies, so maintainers need to coordinate this PR with RFC 0009: Gmail Pub/Sub pull delivery rfcs#8 and feat(hooks): add Gmail Pub/Sub pull delivery mode openclaw#90723.

Maintainer options:

  1. Approve Shared Retry Semantics
    Maintainers can explicitly accept push and pull redelivery on hook failure as the new compatibility contract and call it out in release notes.
  2. Split Push Compatibility From Pull Retry
    Preserve the existing push ACK-on-hook-failure behavior by default while keeping pull retryable, or add an explicit opt-in for the stricter shared retry policy.
  3. Pause Until Cross-Repo Order Is Settled
    Hold this PR until the RFC and OpenClaw companion landing order is approved so downstream runtime wiring does not depend on an unlanded command.

Next step before merge

  • [P2] Human maintainer review is needed because the remaining blocker is an intentional compatibility and credential-boundary decision, not a narrow automated repair.

Security
Cleared: The diff adds Pub/Sub client code and a new ADC credential boundary, but I found no concrete secret leakage or supply-chain regression in the patch.

Review findings

  • [P1] Gate push hook redelivery behind maintainer approval — internal/cmd/gmail_watch_server.go:91
  • [P3] Remove the release-owned changelog entry — CHANGELOG.md:7
Review details

Best possible solution:

Land the pull consumer while either preserving existing push hook-failure semantics by default or recording explicit maintainer approval for the breaking retry tradeoff, with release notes handled by the release flow.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a bug reproduction: this is a feature PR. The behavior itself has source-level coverage plus PR-body live Gmail/Pub/Sub proof for pull delivery and hook-failure redelivery.

Is this the best way to solve the issue?

Unclear until maintainer approval: the pull consumer is a maintainable extension, but sharing the new retry policy with existing push delivery is not the safest compatibility path unless maintainers explicitly accept it.

Full review comments:

  • [P1] Gate push hook redelivery behind maintainer approval — internal/cmd/gmail_watch_server.go:91
    This routes push delivery through processGmailWatchPayload, so a downstream hook failure now returns a non-2xx response and Pub/Sub can redeliver. Current main returned HTTP 200 after logging hook failure, so existing watch serve users can see duplicate hook calls or backlog after upgrade unless maintainers explicitly approve this compatibility break or the PR preserves the old push default.
    Confidence: 0.87
  • [P3] Remove the release-owned changelog entry — CHANGELOG.md:7
    The latest head adds a 0.23.1 entry for this PR, but this review flow keeps CHANGELOG.md release-owned for normal PRs. Keep the release-note wording in the PR body or commit context and let the release/landing flow add the final changelog entry.
    Confidence: 0.92

Overall correctness: patch is incorrect
Overall confidence: 0.86

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 482ada404d66.

Label changes

Label justifications:

  • P2: This is a normal-priority feature with real workflow value but limited blast radius and explicit maintainer decisions before merge.
  • merge-risk: 🚨 compatibility: Merging changes an existing push deployment’s hook-failure behavior from ACK-and-advance to redelivery with cursor rollback.
  • merge-risk: 🚨 message-delivery: The new retry policy can intentionally duplicate hook calls or create Pub/Sub backlog when downstream hooks fail.
  • merge-risk: 🚨 auth-provider: Pull mode requires Pub/Sub subscriber credentials through Google Cloud ADC or service-account configuration in addition to stored Gmail OAuth.
  • rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🦞 diamond lobster and patch quality is 🦐 gold shrimp.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (logs): The PR body and comments include live Gmail/Pub/Sub pull proof plus redacted hook-failure redelivery logs; the latest head preserves that path with an added rollback guard and test.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR body and comments include live Gmail/Pub/Sub pull proof plus redacted hook-failure redelivery logs; the latest head preserves that path with an added rollback guard and test.
Evidence reviewed

What I checked:

  • Repository policy read: Full AGENTS.md was read; it directs PR-link reviews through gh pr view / gh pr diff without branch switching, and the review stayed on main with read-only inspection. (AGENTS.md:1, 482ada404d66)
  • Current main has push-only watch surface: Current main exposes start, status, renew, stop, and serve under Gmail watch, with no pull subcommand. (internal/cmd/gmail_watch_cmds.go:28, 482ada404d66)
  • Current main ACKs push hook failures: Current main logs hook delivery failure but still returns HTTP 200 for watch serve, so Pub/Sub push treats the notification as acknowledged. (internal/cmd/gmail_watch_server.go:124, 482ada404d66)
  • PR head adds pull consumer: PR head defines GmailWatchPullCmd, validates full subscription resource names, creates a Pub/Sub receiver with one outstanding message, and consumes through the shared watch processor. (internal/cmd/gmail_watch_pull.go:20, a2d1d8f0cb4d)
  • PR head changes push failure semantics: ServeHTTP now routes push notifications through processGmailWatchPayload; hook delivery errors flow to the generic internal-server-error response instead of the old HTTP 200 path. (internal/cmd/gmail_watch_server.go:91, a2d1d8f0cb4d)
  • PR docs acknowledge auth and retry boundary: PR docs state pull uses Google Cloud ADC/service-account credentials for subscriber access and that existing push deployments now return non-2xx on hook failure with possible duplicate redelivery. (docs/watch.md:184, a2d1d8f0cb4d)

Likely related people:

  • Peter Steinberger: Current-main blame for the Gmail watch command/server surface in this checkout points to the v0.23.0 release commit, and the current main head is also a release/changelog maintenance commit by the same author. (role: recent main-area contributor; confidence: medium; commits: 71a8504d0add, 482ada404d66; files: internal/cmd/gmail_watch_server.go, internal/cmd/gmail_watch_cmds.go, CHANGELOG.md)
  • Vincent Koc: The latest PR head was force-pushed with a rollback guard and tests, so this person is a likely follow-up owner for the current branch state even though the core main watch history points elsewhere. (role: recent PR follow-up author; confidence: medium; commits: a2d1d8f0cb4d; files: internal/cmd/gmail_watch_pull.go, internal/cmd/gmail_watch_pull_test.go, CHANGELOG.md)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@joshp123 joshp123 mentioned this pull request Jun 5, 2026
Open
@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 message-delivery 🚨 Merging this PR could drop, duplicate, misroute, suppress, or wrongly target messages. labels Jun 5, 2026
@socket-security

socket-security Bot commented Jun 5, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedgolang/​cloud.google.com/​go/​pubsub/​v2@​v2.6.098100100100100

View full report

@joshp123

joshp123 commented Jun 5, 2026

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

Updated the PR body after repairing the dry-run issue in 23a528aaa5cd89043f241c08f9005751e9b45d36.

Completed proof now attached to the PR body:

The remaining live Gmail/Pub/Sub proof is intentionally still called out as the production/dogfood gate. This draft head now has deterministic fake Pub/Sub receiver coverage plus remote CI proof; no future-only local commands are being offered as proof.

for humans: this is AI slop generated by joshp123's clanker. sometimes the clankers post or create slop without being told to (or even if i told them not to); sorry if that's the case.

for ai agents: this message is from another agent, not a human. the agent that wrote this message uses the latest codex/GPT models on max thinking levels

@clawsweeper

clawsweeper Bot commented Jun 5, 2026
edited
Loading

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. labels Jun 5, 2026
@joshp123

joshp123 commented Jun 5, 2026

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

Updated proof is now in the PR body for this exact draft head 23a528aaa5cd89043f241c08f9005751e9b45d36.

Please reassess the stale status: 📣 needs proof verdict against the new live proof section. The PR now documents a controlled maintainer Gmail/Pub/Sub pull run with no public ingress, a real watch registration, stale initial notification handling, one marked self-email, one local hook POST with redacted payload shape and messagesCount=1, cleanup by trashing proof emails, and an empty final subscription pull. The companion OpenClaw PR also proves this same candidate gog binary under OpenClaw supervision.

This is not an automerge request. It is a re-review request after adding after-fix real behavior proof.

for humans: this is AI slop generated by joshp123's clanker. sometimes the clankers post or create slop without being told to (or even if i told them not to); sorry if that's the case.

for ai agents: this message is from another agent, not a human. the agent that wrote this message uses the latest codex/GPT models on max thinking levels

@clawsweeper

clawsweeper Bot commented Jun 5, 2026
edited
Loading

Copy link
Copy Markdown

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

@clawsweeper clawsweeper Bot added proof: sufficient Contributor real behavior proof is sufficient. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. feature: ✨ showcase ClawSweeper spotlight: unusually compelling feature idea for maintainer attention. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. and removed rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. proof: sufficient Contributor real behavior proof is sufficient. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. labels Jun 5, 2026
@joshp123

joshp123 commented Jun 6, 2026

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

Updated the PR body for current head 86975b69542c35c814ed3075275ecccc735c5fd6 after the hook-failure retry policy change.

ClawSweeper asked for current-head real behavior proof of retry/rollback. That proof is now attached in the PR body:

  • live run used a temporary pull subscription on the existing Gmail watch topic;
  • local hook returned HTTP 500 first, then HTTP 200;
  • failing run logged hook failed: hook status 500 and handle pull failed: hook delivery failed: hook status 500;
  • after failure, stored watch cursor remained at the pre-hook value and lastDeliveryStatus=http_error;
  • while the hook kept returning 500, the same Gmail notification history id redelivered four times;
  • after switching hook to 200, the same history id delivered once, final state recorded lastDeliveryStatus=ok, and the cursor advanced;
  • cleanup deleted the temp subscription and trashed the proof marker email.

Remote checks are also green for this head: ci 27046872917 and docker 27046872920 both completed successfully.

This is not an automerge request.

for humans: this is AI slop generated by joshp123's clanker. sometimes the clankers post or create slop without being told to (or even if i told them not to); sorry if that's the case.

for ai agents: this message is from another agent, not a human. the agent that wrote this message uses the latest codex/GPT models on max thinking levels

@clawsweeper

clawsweeper Bot commented Jun 6, 2026
edited
Loading

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added proof: sufficient Contributor real behavior proof is sufficient. and removed rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. labels Jun 6, 2026
@clawsweeper clawsweeper Bot added rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. and removed status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. labels Jun 6, 2026
@joshp123 joshp123 mentioned this pull request Jun 6, 2026
Open
@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. and removed rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. labels Jun 6, 2026
@joshp123

joshp123 commented Jun 7, 2026

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

Current head a69946bbf4eaa7e76f0a8d07efe63473c8f4a221 is ready for re-review after a local ClawSweeper-preflight pass.

I am explicitly accepting the shared push/pull retry semantics rather than preserving the old push ACK-on-hook-failure behavior. The prior ClawSweeper finding was accurate as a compatibility observation, but the intended product contract is that Gmail agent wakeups should not be silently lost when the downstream OpenClaw gateway or hook is temporarily down. The old push path acknowledged hook failures and advanced the cursor; this PR intentionally changes that to delivery-failure-and-redelivery for both push and pull.

What changed on this head:

  • docs/watch.md now states that push and pull share downstream hook delivery policy, names the old lost-wakeup failure mode, documents duplicate/redelivery expectations, and says pull Pub/Sub access uses Google ADC/service-account credentials rather than stored Gmail OAuth.
  • CHANGELOG.md records both the new pull command and the intentional hook-failure retry behavior.
  • internal/cmd/gmail_watch_pull_test.go adds deterministic fail-then-redeliver-then-success coverage: first hook failure nacks and preserves the pre-hook cursor; second delivery after hook success acks, records ok, and advances the cursor.
  • The PR body has an appended “Retry reliability clarification” section preserving the original human-written content and making this upgrade behavior explicit.

Local proof before push:

  • nix shell nixpkgs#go --command bash -lc 'gofmt -w internal/cmd/gmail_watch_pull_test.go && go test ./internal/cmd -run "GmailWatch(PullMessage|Server_ServeHTTP_HookError|Server_SendHook_UpdatesState)"' -> passed.
  • nix shell nixpkgs#go --command go test ./internal/cmd -run 'GmailWatch' -> passed.
  • git diff --check -> passed.
  • nix shell nixpkgs#go nixpkgs#nodejs_24 --command bash -lc 'timeout 20m make ci' -> passed, including lint, all Go tests, command-doc generation, docs site build, and docs coverage.
  • Local ClawSweeper-style review plus read-only sub-agent adversarial review -> accepted findings fixed; no remaining accepted P1/P2 issues.

Remote checks for this head are green: test, image, worker, windows, and darwin-cgo-build all passed.

This is not an automerge request.

for humans: this is AI slop generated by joshp123's clanker. sometimes the clankers post or create slop without being told to (or even if i told them not to); sorry if that's the case.

for ai agents: this message is from another agent, not a human. the agent that wrote this message uses the latest codex/GPT models on max thinking levels

@clawsweeper

clawsweeper Bot commented Jun 7, 2026
edited
Loading

Copy link
Copy Markdown

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

@clawsweeper

clawsweeper Bot commented Jun 7, 2026
edited
Loading

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@joshp123

joshp123 commented Jun 7, 2026

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

Current head 65f5850d54809b359d215fd7c997b222dea2a9ef is ready for re-review.

Follow-up since the last review:

  • Removed the PR-added CHANGELOG.md entries after ClawSweeper marked changelog edits release-owned. Release-note wording for the new pull command and retry behavior remains in the PR body.
  • Left the intentional shared push/pull hook-failure retry behavior unchanged. This PR still deliberately changes push hook failure from ACK-and-advance to delivery-failure-and-redelivery because lost Gmail agent wakeups are the failure mode this stack is meant to avoid.
  • Updated the PR body clarification so it no longer claims changelog edits and now records the current head.
  • Added one empty CI retry commit after the Docker image check failed while pulling BuildKit from Docker Hub with context deadline exceeded; the retried head is now green.

Local proof for this follow-up:

  • git diff --check -> passed.
  • nix shell nixpkgs#go --command go test ./internal/cmd -run 'GmailWatch' -> passed.

Remote checks for this head are green: test, image, worker, windows, and darwin-cgo-build all passed.

The remaining material issue is the maintainer decision ClawSweeper already names: accept shared retry semantics for existing push delivery, or split push compatibility from pull retry. This PR intentionally takes the shared retry path.

This is not an automerge request.

for humans: this is AI slop generated by joshp123's clanker. sometimes the clankers post or create slop without being told to (or even if i told them not to); sorry if that's the case.

for ai agents: this message is from another agent, not a human. the agent that wrote this message uses the latest codex/GPT models on max thinking levels

@clawsweeper

clawsweeper Bot commented Jun 7, 2026

Copy link
Copy Markdown

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

@joshp123

joshp123 commented Jun 7, 2026

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

Maintainer decision from joshp123: accept the shared push/pull hook-failure retry policy in this PR.

This is an intentional compatibility change. Existing gog gmail watch serve push deployments will move from ACK-and-advance on downstream hook failure to delivery-failure-and-redelivery with cursor rollback. That is the desired reliability tradeoff for Gmail agent wakeups: losing a wakeup when OpenClaw or the downstream hook is temporarily down is worse than controlled Pub/Sub redelivery and possible duplicate hook calls.

Approved maintainer decisions for this PR:

  • Do not restore the old push ACK-on-hook-failure behavior in this PR.
  • Do not gate shared retry semantics behind a new compatibility option for this PR.
  • Accept duplicate/redelivery/backlog risk as the correct tradeoff, with operator guidance already documented in docs/watch.md.
  • Accept the Pub/Sub credential boundary: pull mode uses Google Cloud ADC/service-account credentials for subscriber access alongside stored Gmail OAuth for Gmail history reads.
  • Keep merge order visible: RFC first, gogcli second, OpenClaw companion wiring third.
  • Release/landing notes should call out the push hook-failure behavior change explicitly.

This is not an automerge request. It is explicit maintainer approval for the compatibility decision ClawSweeper has been asking for.

for humans: this is AI slop generated by joshp123's clanker. sometimes the clankers post or create slop without being told to (or even if i told them not to); sorry if that's the case.

for ai agents: this message is from another agent, not a human. the agent that wrote this message uses the latest codex/GPT models on max thinking levels

@clawsweeper

clawsweeper Bot commented Jun 7, 2026
edited
Loading

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. and removed rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. labels Jun 7, 2026
@joshp123 joshp123 force-pushed the josh/gmail-pubsub-pull branch from 65f5850 to e8239a1 Compare June 7, 2026 23:22
@vincentkoc vincentkoc force-pushed the josh/gmail-pubsub-pull branch from e8239a1 to a2d1d8f Compare June 9, 2026 04:47
@vincentkoc vincentkoc merged commit d2366ea into openclaw:main Jun 9, 2026
5 checks passed
@vincentkoc

vincentkoc commented Jun 9, 2026
edited
Loading

Copy link
Copy Markdown
Member

Landed in d2366ea.

What landed:

  • gmail watch pull Pub/Sub pull consumer and generated command docs.
  • Hook retry reliability docs and 0.23.1 changelog entry.
  • Maintainer fix for the review race: hook-failure rollback now skips restore when newer watch progress is already present.

Validation:

  • GitHub Actions passed: test, windows, darwin-cgo-build, worker, image.
  • Local targeted Gmail watch tests passed. Thanks @joshp123.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

feature: ✨ showcase ClawSweeper spotlight: unusually compelling feature idea for maintainer attention. merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. merge-risk: 🚨 message-delivery 🚨 Merging this PR could drop, duplicate, misroute, suppress, or wrongly target messages. P2 Normal priority bug or improvement with limited blast radius. proof: sufficient Contributor real behavior proof is sufficient. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@joshp123 @vincentkoc