Update goclaw version

[trwng-thdat]

No description provided.

[mrgoonie]

Summary: This PR should not merge into nextlevelbuilder/goclaw as-is. It mixes fork-specific deployment/docs, an unchecked binary artifact, and a security-sensitive MCP outbound auth change without tests or a clear upstream product contract.

Risk level: High

Mandatory gates:

• Duplicate/prior implementation: partial overlap/no direct duplicate found. Related MCP/OAuth/client work exists in open PR #1196, and header/user-context patterns already exist in HTTP/gateway paths, but I did not find this exact MCP_RUNTIME_ACCESS_TOKEN + MCP client RoundTripper implementation upstream.
• Project standards: failed. The PR commits a generated goclaw.exe, rewrites upstream README install guidance to a personal fork/local Windows path, and adds runtime auth behavior without tests or docs.
• Strategic necessity: unclear for upstream. Per-agent/per-user context propagation to remote MCP servers can be valuable, but this PR is currently packaged as a fork customization rather than a maintainable upstream feature.
• CI/checks: missing/no check rollup reported by GitHub.

Findings:

• Critical: goclaw.exe is committed as a new binary artifact. This repository builds release artifacts through CI/release workflows; committing a platform binary makes review impossible, bloats the repo, and creates supply-chain risk. Remove it from the PR.
• Important: The README changes are fork/platform-specific, not upstream-safe. The PR changes clone instructions to github.com/trwng-thdat/goclaw, labels the repo as a custom fork for “AI Claw”, and includes a local file:///C:/... link. That cannot ship in nextlevelbuilder/goclaw documentation.
• Important: docker-compose.yml adds a plaintext GOCLAW_POSTGRES_DSN and a new postgres service/port mapping in the default compose file. This changes the upstream runtime topology and default exposed ports without a migration/design note, and it duplicates existing env/bootstrap behavior instead of fitting the documented Docker setup.
• Important: internal/mcp/auth.go reads MCP_RUNTIME_ACCESS_TOKEN from process env and injects it into every outbound SSE/streamable-HTTP MCP request made through this client. That is a security-sensitive trust-boundary change: it needs explicit docs, scoping rules, and tests proving the token is only sent to intended MCP server endpoints and does not override configured per-server headers unexpectedly.
• Important: No tests cover the new MCP auth/context propagation. At minimum, add unit tests with a local HTTP server/round tripper proving Authorization, X-GoClaw-Agent-Id, and X-GoClaw-User-Id behavior, including empty-token/context cases and precedence with configured headers.

Verdict: REQUEST_CHANGES

Next step: split this into a clean upstream MCP-context PR only. Remove the binary, fork README edits, and default compose topology changes; document the runtime-token trust boundary; add focused tests for the MCP HTTP client header injection before re-review.

Posted by /github-maintain at 2026-06-21T05:28:25Z