⚡ Agent import flow: docs + auto-refresh on import #55
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| }; | ||
|
|
||
| if (isHttps && isLocalhost) { | ||
| options.rejectUnauthorized = false; |
Check failure
Code scanning / CodeQL
Disabling certificate validation High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 5 days ago
In general, the fix is to avoid ever setting rejectUnauthorized = false. For localhost development, either (1) use http:// instead of https:// so TLS isn’t involved, or (2) configure a certificate that the Node process trusts (e.g., via ca/cert options or system trust), while keeping rejectUnauthorized at its secure default (true).
For this specific code in src/app/api/widgets/import/route.ts, the minimal change that keeps the current intent is:
- Remove the special case that sets
options.rejectUnauthorized = false. - Optionally, adjust the HTTP-module selection so that if someone sets
OPENCLAW_WEBHOOK_URLto anhttps://localhostaddress, the code still works securely (i.e., use HTTPS without relaxing cert checks) or document that localhost must behttp://if using self-signed certs. Since we can’t change behavior outside this snippet, the safest small change is simply to drop therejectUnauthorizedoverride and leave everything else as-is. HTTPS requests (including to localhost) will now require a valid, trusted certificate.
Concretely:
-
In
triggerInitialRefresh, delete the block:if (isHttps && isLocalhost) { options.rejectUnauthorized = false; }
No extra imports or helper methods are needed.
| @@ -98,10 +98,6 @@ | ||
| timeout: 5000 | ||
| }; | ||
|
|
||
| if (isHttps && isLocalhost) { | ||
| options.rejectUnauthorized = false; | ||
| } | ||
|
|
||
| const httpModule = isHttps ? https : (await import('http')).default; | ||
|
|
||
| await new Promise<void>((resolve) => { |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| } | ||
|
|
||
| return { queued: true, webhookSent }; | ||
| } |
There was a problem hiding this comment.
Duplicated webhook and refresh logic across routes
Medium Severity
The triggerInitialRefresh function duplicates ~90 lines of code that already exist in src/app/api/widgets/[slug]/refresh/route.ts. Both contain identical: table creation SQL, refresh request insertion, HTTP/HTTPS detection, webhook payload construction, and promise-based request handling. This should be extracted into a shared utility function in /lib.
SKILL.md: - Add comprehensive 'Agent Import Flow' section - Document dry_run → verify credentials → confirm pattern - Include credential type reference table - Add complete flow diagram - Show example verification code Import route: - Auto-trigger refresh for agent_refresh widgets after import - Queue refresh request + send webhook notification - Widget shows data immediately instead of waiting for heartbeat
acfranzen
force-pushed
the
zeus/agent-import-flow-docs
branch
from
fc96d7c to
3443c31
Compare
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
| `).run(slug, now); | ||
| } catch { | ||
| // Ignore duplicate key errors | ||
| } |
There was a problem hiding this comment.
Return value incorrectly indicates queued even on failure
Low Severity
The triggerInitialRefresh function always returns queued: true at line 130, regardless of whether the database INSERT actually succeeded. The try-catch at lines 56-58 swallows all exceptions (not just duplicate key errors as the comment suggests), meaning if the INSERT fails for any reason, queued is still reported as true. When the webhook also isn't sent, the caller displays "Initial refresh queued (will process on next heartbeat)" even though nothing was actually queued.
Additional Locations (1)
| await new Promise<void>((resolve) => { | ||
| const req = httpModule.request(webhookUrl, options, (res) => { | ||
| let data = ''; | ||
| res.on('data', chunk => data += chunk); |
There was a problem hiding this comment.
Unused variable accumulates response but is never read
Low Severity
The data variable accumulates the HTTP response body (let data = ''; res.on('data', chunk => data += chunk);) but is never used afterward. The similar code in [slug]/refresh/route.ts uses data for error logging. Either remove this dead store or add error logging for consistency.
1 participant
Summary
Improves the agent experience when importing widgets by:
SKILL.md Changes
Import Route Changes
agent_refreshwidgets, automatically:The Problem This Solves
Previously, after importing a widget:
Now:
Note
Medium Risk
Modifies the widget import API to create DB state and perform outbound webhook calls, which could impact import latency/behavior or fail in unexpected network/env configurations.
Overview
Improves the widget import experience by documenting a best-practice agent import flow in
SKILL.md(dry-run → verify credentials → confirm import), including credential verification guidance and an end-to-end flow diagram.Updates
POST /api/widgets/importso that after importing anagent_refreshwidget it queues an initial refresh request in SQLite and, whenOPENCLAW_WEBHOOK_URL/OPENCLAW_WEBHOOK_TOKENare set, fires a webhook wake to prompt OpenClaw to populate data immediately (otherwise leaving it queued for the next heartbeat).Written by Cursor Bugbot for commit 3443c31. This will update automatically on new commits. Configure here.