chore: promote staging to main (2026-03-11 00:16 UTC)

[ironclaw-ci]

Auto-promotion from staging CI

Batch range: 873322f2fb53143d0af30f4456c8a368937c6587..b0214fef41e953b6c2996522a4095354133ce995
Promotion branch: staging-promote/b0214fef-22930316561
Base: staging-promote/3a841b30-22928320566
Triggered by: Staging CI batch at 2026-03-11 00:16 UTC

Waiting for gates:

• Tests: pending
• E2E: pending
• Claude Code review: pending (will post comments on this PR)

---

Auto-created by staging-ci workflow

[claude]

Code review

Found 11 issues:

1. [CRITICAL:100] Missing consecutive_failures reset on successful reconnection — Stream end increments counter but successful reconnect doesn't reset to 0, so circuit breaker counts total not consecutive failures.

ironclaw/src/channels/relay/channel.rs

Lines 268 to 345 in b0214fe

	return;
	}
	}
	// Stream ended, attempt reconnect with backoff
	consecutive_failures += 1;
	if consecutive_failures >= max_consecutive_failures {
	tracing::error!(
	channel = %relay_name,
	failures = consecutive_failures,
	"Relay channel giving up after {} consecutive failures",
	consecutive_failures
	);
	break;
	}
	tracing::warn!(
	backoff_ms = backoff_ms,
	failures = consecutive_failures,
	"Relay SSE stream ended, reconnecting..."
	);
	tokio::time::sleep(std::time::Duration::from_millis(backoff_ms)).await;
	backoff_ms = (backoff_ms * 2).min(backoff_max_ms);
	// Try to reconnect
	let token = stream_token.read().await.clone();
	match client.connect_stream(&token, stream_timeout_secs).await {
	Ok((new_stream, new_parser)) => {
	tracing::info!("Relay SSE stream reconnected");
	current_stream = new_stream;
	// Abort old parser before replacing
	if let Some(old) = parser_handle.write().await.take() {
	old.abort();
	}
	*parser_handle.write().await = Some(new_parser);
	}
	Err(RelayError::TokenExpired) => {
	// Attempt token renewal
	tracing::info!("Relay stream token expired, renewing...");
	match client.renew_token(&instance_id, &user_id).await {
	Ok(new_token) => {
	*stream_token.write().await = new_token.clone();
	match client.connect_stream(&new_token, stream_timeout_secs).await {
	Ok((new_stream, new_parser)) => {
	tracing::info!(
	"Relay SSE stream reconnected with new token"
	);
	current_stream = new_stream;
	if let Some(old) = parser_handle.write().await.take() {
	old.abort();
	}
	*parser_handle.write().await = Some(new_parser);
	}
	Err(e) => {
	tracing::error!(
	error = %e,
	"Failed to reconnect after token renewal"
	);
	}
	}
	}
	Err(e) => {
	tracing::error!(
	error = %e,
	"Failed to renew relay stream token"
	);
	}
	}
	}
	Err(e) => {
	tracing::error!(error = %e, "Failed to reconnect relay SSE stream");
	}
	}
	// Check if the team is still valid (skip when team_id is unknown,
	// e.g. when no DB store was available at activation time)
	if !team_id.is_empty() {
	match client.list_connections(&instance_id).await {

2. [HIGH:75] Missing Module Initialization Documentation — ExtensionManager requires calling set_relay_channel_manager() before restore_relay_channels(). Order dependency not documented; calling in wrong order silently fails.

ironclaw/src/extensions/manager.rs

Lines 115 to 135 in b0214fe

	/// Gateway auth token for authenticating with the platform token exchange proxy.
	/// Read once at construction from `GATEWAY_AUTH_TOKEN` env var.
	gateway_token: Option<String>,
	/// Relay config captured at startup. Used by `auth_channel_relay` and
	/// `activate_channel_relay` instead of re-reading env vars.
	relay_config: Option<crate::config::RelayConfig>,
	}
	/// Sanitize a URL for logging by removing query parameters and credentials.
	/// Prevents accidental logging of API keys, OAuth tokens, or other sensitive data in URLs.
	fn sanitize_url_for_logging(url: &str) -> String {
	// If URL is very short or doesn't look like a URL, just use as-is
	if url.len() < 10 || !url.contains("://") {
	return url.to_string();
	}
	// Try to parse and remove sensitive components
	if let Ok(mut parsed) = url::Url::parse(url) {
	// Remove query string and fragment
	parsed.set_query(None);
	parsed.set_fragment(None);

3. [MEDIUM:75] DRY Violation — Repeated Secret Key Format Strings — Pattern format!("relay:{}:oauth_state", name) repeated ~14 times. Extract to helper functions in relay module.

ironclaw/src/extensions/manager.rs

Lines 240 to 260 in b0214fe

	self.secrets
	.exists(&self.user_id, &format!("relay:{}:stream_token", name))
	.await
	.unwrap_or(false)
	}
	/// Restore persisted relay channels after startup.
	///
	/// Loads the persisted active channel list, filters to relay types (those with
	/// a stored stream token), and activates each via `activate_stored_relay()`.
	/// Skips channels that are already active. Call this after `set_relay_channel_manager()`.
	pub async fn restore_relay_channels(&self) {
	let persisted = self.load_persisted_active_channels().await;
	let already_active = self.active_channel_names.read().await.clone();
	for name in &persisted {
	if already_active.contains(name) {
	continue;
	}
	if !self.is_relay_channel(name).await {
	continue;

4. [MEDIUM:75] Hardcoded Provider ("slack") — RelayProvider::Slack hardcoded at activation instead of from registry/config. Violates CLAUDE.md extensibility principle; blocks support for Teams/Discord without code changes.

ironclaw/src/extensions/manager.rs

Lines 3330 to 3340 in b0214fe

	)
	.map_err(|e| ExtensionError::ActivationFailed(e.to_string()))?;
	let channel = crate::channels::relay::RelayChannel::new_with_provider(
	client,
	crate::channels::relay::channel::RelayProvider::Slack,
	stream_token,
	team_id,
	instance_id,
	self.user_id.clone(),
	)

5. [MEDIUM:75] Repeated RwLock Read + Clone on Hot Path — Stream token read and cloned on every reconnection attempt, creating unnecessary allocations and lock contention.

ironclaw/src/channels/relay/channel.rs

Lines 290 to 310 in b0214fe

	backoff_ms = (backoff_ms * 2).min(backoff_max_ms);
	// Try to reconnect
	let token = stream_token.read().await.clone();
	match client.connect_stream(&token, stream_timeout_secs).await {
	Ok((new_stream, new_parser)) => {
	tracing::info!("Relay SSE stream reconnected");
	current_stream = new_stream;
	// Abort old parser before replacing
	if let Some(old) = parser_handle.write().await.take() {
	old.abort();
	}
	*parser_handle.write().await = Some(new_parser);
	}
	Err(RelayError::TokenExpired) => {
	// Attempt token renewal
	tracing::info!("Relay stream token expired, renewing...");
	match client.renew_token(&instance_id, &user_id).await {
	Ok(new_token) => {
	*stream_token.write().await = new_token.clone();
	match client.connect_stream(&new_token, stream_timeout_secs).await {

6. [MEDIUM:75] Missing Timeout on list_connections API — Call relies on global 30+ second timeout. If relay service is slow, entire reconnect loop blocks, freezing the channel.

ironclaw/src/channels/relay/channel.rs

Lines 340 to 365 in b0214fe

	}
	// Check if the team is still valid (skip when team_id is unknown,
	// e.g. when no DB store was available at activation time)
	if !team_id.is_empty() {
	match client.list_connections(&instance_id).await {
	Ok(conns) => {
	let has_team =
	conns.iter().any(|c| c.team_id == team_id && c.connected);
	if !has_team {
	tracing::warn!(
	team_id = %team_id,
	"Team no longer connected, stopping relay channel"
	);
	return;
	}
	}
	Err(e) => {
	tracing::warn!(
	error = %e,
	"Could not verify team connection, will retry next iteration"
	);
	}
	}
	}
	}

7. [MEDIUM:75] Inefficient String Building in SSE Parser — Creates Vec with multiple allocations per line, then calls join(). Use single String with push_str() instead.

ironclaw/src/channels/relay/client.rs

Lines 345 to 400 in b0214fe

	) {
	use futures::StreamExt;
	let mut buffer = Vec::<u8>::new();
	let mut event_type = String::new();
	let mut data_lines = Vec::new();
	let mut byte_stream = std::pin::pin!(byte_stream);
	while let Some(chunk_result) = byte_stream.next().await {
	let chunk = match chunk_result {
	Ok(c) => c,
	Err(e) => {
	tracing::debug!(error = %e, "SSE stream chunk error");
	break;
	}
	};
	buffer.extend_from_slice(&chunk);
	// Process complete lines (decode UTF-8 only on full lines to avoid
	// corruption when multi-byte characters span chunk boundaries)
	while let Some(newline_pos) = buffer.iter().position(|&b| b == b'\n') {
	let line = String::from_utf8_lossy(&buffer[..newline_pos])
	.trim_end_matches('\r')
	.to_string();
	buffer.drain(..=newline_pos);
	if line.is_empty() {
	// Blank line = end of event
	if !data_lines.is_empty() {
	let data = data_lines.join("\n");
	if let Ok(mut event) = serde_json::from_str::<ChannelEvent>(&data) {
	if event.event_type.is_empty() && !event_type.is_empty() {
	event.event_type = event_type.clone();
	}
	if tx.send(event).await.is_err() {
	return; // receiver dropped
	}
	} else {
	tracing::debug!(
	event_type = %event_type,
	data_len = data.len(),
	"Failed to parse SSE event data as ChannelEvent"
	);
	}
	}
	event_type.clear();
	data_lines.clear();
	} else if let Some(value) = line.strip_prefix("event:") {
	event_type = value.trim().to_string();
	} else if let Some(value) = line.strip_prefix("data:") {
	data_lines.push(value.trim().to_string());
	}
	// Ignore other fields (id:, retry:, comments)
	}
	}

8. [MEDIUM:50] Stringly-Typed Secret Keys — Keys passed as plain strings. CLAUDE.md says prefer strong types. Use newtype wrappers or enums for relay secret keys.

ironclaw/src/extensions/manager.rs

Lines 240 to 260 in b0214fe

	self.secrets
	.exists(&self.user_id, &format!("relay:{}:stream_token", name))
	.await
	.unwrap_or(false)
	}
	/// Restore persisted relay channels after startup.
	///
	/// Loads the persisted active channel list, filters to relay types (those with
	/// a stored stream token), and activates each via `activate_stored_relay()`.
	/// Skips channels that are already active. Call this after `set_relay_channel_manager()`.
	pub async fn restore_relay_channels(&self) {
	let persisted = self.load_persisted_active_channels().await;
	let already_active = self.active_channel_names.read().await.clone();
	for name in &persisted {
	if already_active.contains(name) {
	continue;
	}
	if !self.is_relay_channel(name).await {
	continue;

9. [LOW:50] Config Duplication — RelayConfig captured at construction but also re-read elsewhere. Document that runtime env changes won't be reflected.

ironclaw/src/extensions/manager.rs

Lines 115 to 125 in b0214fe

	/// Gateway auth token for authenticating with the platform token exchange proxy.
	/// Read once at construction from `GATEWAY_AUTH_TOKEN` env var.
	gateway_token: Option<String>,
	/// Relay config captured at startup. Used by `auth_channel_relay` and
	/// `activate_channel_relay` instead of re-reading env vars.
	relay_config: Option<crate::config::RelayConfig>,
	}
	/// Sanitize a URL for logging by removing query parameters and credentials.
	/// Prevents accidental logging of API keys, OAuth tokens, or other sensitive data in URLs.
	fn sanitize_url_for_logging(url: &str) -> String {

10. [LOW:50] RwLock Double-Acquire on Parser Handle — Acquire, take, release, then acquire again to store. Combine into single lock acquisition, but impact minimal.

ironclaw/src/channels/relay/channel.rs

Lines 295 to 320 in b0214fe

	Ok((new_stream, new_parser)) => {
	tracing::info!("Relay SSE stream reconnected");
	current_stream = new_stream;
	// Abort old parser before replacing
	if let Some(old) = parser_handle.write().await.take() {
	old.abort();
	}
	*parser_handle.write().await = Some(new_parser);
	}
	Err(RelayError::TokenExpired) => {
	// Attempt token renewal
	tracing::info!("Relay stream token expired, renewing...");
	match client.renew_token(&instance_id, &user_id).await {
	Ok(new_token) => {
	*stream_token.write().await = new_token.clone();
	match client.connect_stream(&new_token, stream_timeout_secs).await {
	Ok((new_stream, new_parser)) => {
	tracing::info!(
	"Relay SSE stream reconnected with new token"
	);
	current_stream = new_stream;
	if let Some(old) = parser_handle.write().await.take() {
	old.abort();
	}
	*parser_handle.write().await = Some(new_parser);
	}

11. [LOW:50] Metadata JSON per Message — 7-field JSON object allocated per message. Could use dedicated struct, but impact negligible.

ironclaw/src/channels/relay/channel.rs

Lines 245 to 260 in b0214fe

	"Relay: received message from {}", provider_str
	);
	let msg = IncomingMessage::new(&relay_name, &event.sender_id, event.text())
	.with_user_name(event.display_name())
	.with_metadata(serde_json::json!({
	"team_id": event.team_id(),
	"channel_id": event.channel_id,
	"sender_id": event.sender_id,
	"sender_name": event.display_name(),
	"event_type": event.event_type,
	"thread_id": event.thread_id,
	"provider": event.provider,
	}));
	let msg = if let Some(ref thread_id) = event.thread_id {

Summary: 1 critical logic bug (consecutive_failures), 1 high-priority documentation issue, 6 medium refactorings/perf optimizations, 3 low-priority style improvements. Security passed.