Luci · Hunt API calls. Check MC logs + DB for creation event
Luci
Hunt API calls. Check MC logs + DB for creation events around 03:35/03:50 SAST 2026-05-31.
Luci
Both via `/api/v1/tickets`, source=api, source_type=human default, assigned_to=luci. Now find WHO called — auth identity, IP, token. Check access logging + comments author.
Luci
Key finding: "impossible timing" is a **timezone artifact** — comments stored naive-UTC (`01:38:35`, `02:03:50`), ticket `created_at` stored with `+02:00`. 4476 created 03:50 SAST = 01:50 UTC; "Phase 2" comment 02:03:50 UTC = 13min later. Not impossible.
Also: `source=api, source_type=human` are the **defaults** — means `get_identity(request)` returned None → caller sent NO auth token. Unauthenticated POST. Now find the client. Check ticket_events for origin + hunt the generator.
Luci
Need real schemas + creation rows. The Control Room watcher (Hermes cron, runs `agent-control-room`+`kanban-orchestrator` every 5min) is the prime suspect — its commands.md references the ticket API. Pulling creation events + the command pattern.
Luci
Correct schemas now. Pulling creation events + Control Room watcher activity at create time (the prime suspect — claude session, curl to 127.0.0.1:3001, no token → source=api).
Luci
No routing_log/creation events (creation bypassed routing). MC has no access log. The client is a **script** posting via API without a token. Big lead: `dream-cycle.log` (1.7MB, modified exactly May 31 00:00) — overnight autonomous loop. Recent commits = "autonomous MC guide", "overnight mode". Hunting it.
Luci
Major lead: these EXACT topics were run before — `docs/sa-mozambique-gas-pipeline-deal-2026-05-10`, `ai-safety-institute-landscape-2026-05-24`, and re-run **today** plus a 3rd (`llm-eval-frameworks-2026`). Classic **eval fixtures**. And crontab has `deep-research-eval` weekly **Sunday** (today). Reading the eval runner + dream_cycle.
Luci
🎯 **ROOT CAUSE FOUND — smoking gun.**
`evals/scenarios.yaml` in the **deep-research skill-eval**:
- L60: `"create audio overview and slides on the SA-Mozambique gas pipeline deal"` → MC-4475
- L68: `"brief me with slides on the AI safety institute landscape"` → MC-4476
- L75: `"what frameworks do people use for LLM evals in 2026"` → 3rd (docs/llm-eval-frameworks, 04:12)
Confirming trigger timing via the eval log.
Luci
✅ **Root cause confirmed and timing fully reconciled.**
Eval log: `=== 2026-05-31T01:00:01Z eval start on openclaw ===` (01:00 UTC = **03:00 SAST**, system TZ Africa/Johannesburg). The cron `0 3 * * 0` fires 03:00 **SAST** — the `# 03:00 UTC` comment is mislabeled. Eval runs `scenarios.yaml --all` sequentially → x01 (Mozambique) created MC-4475 at 03:35 → x02 (AI safety) created MC-4476 at 03:50 → edge01 (LLM-eval) doc at 04:12. Weekly Sunday pattern explains the May 10 + May 24 docs too.
Making config change (disable rogue cron) → invoking mandated dev-loop first.
Luci
Tier 1 containment. Reproduce → remove rogue line → verify.
Luci
Confirmed present. Removing rogue line, keeping the 4 legit entries.
Luci
Rogue cron removed — recurrence stopped. Now a regression guard so re-running (cron re-add or manual) can't re-pollute live MC. Adding an isolation gate to `eval_runner.sh` per eval-isolation rule.
Luci
Verify guard fires (expect exit 2, no MC contact):
Luci
Guard works. Committing in the `~/.claude` skills repo (where the script lives, per skills-management rule).
Luci
Done. Reporting findings.
Luci
REVIEW: Found the API calls. Caller = **deep-research weekly skill-eval** (`~/.claude/skills/deep-research/scripts/eval_runner.sh` → `scenarios.yaml --all`). Three scenarios are research-brief prompts matching exactly:
- x01 "...SA-Mozambique gas pipeline deal" → **MC-4475**
- x02 "...AI safety institute landscape" → **MC-4476**
- edge01 "...LLM evals in 2026" → 3rd (docs only)
When fired, the real research-brief skill runs its full pipeline and **POSTs to `/api/v1/tickets` unauthenticated** → defaults `source=api, source_type=human, assigned_to=luci`, generates audio/slides/report, posts comments via API (the `source=api/human` "Phase 2" comment).
Trigger = unauthorized crontab line `0 3 * * 0 .../eval_runner.sh`. Eval log `2026-05-31T01:00:01Z` = 03:00 SAST (system TZ +0200) → scenarios ran sequentially → MC-4475 @03:35, MC-4476 @03:50. Every Sunday (explains May 10 + May 24 docs).
"Impossible timing" = **false alarm**: timezone artifact. Comments stored naive-UTC (02:03Z), `created_at` stored +02:00 (03:50 SAST=01:50Z). Phase 2 @02:03Z is 13min *after* creation.
Contained (committed+pushed to `~/.claude` master):
1. Removed rogue crontab line.
2. Added `DR_EVAL_ISOLATED` gate to eval_runner.sh — refuses unless isolated env (verified exit 2).
Violated eval-isolation rule + Luci rule #7. Follow-up: re-provision the eval isolated (separate box, no MC access) — infra decision. Want a ticket for that rebuild?
{"mc_signal":"REVIEW","ticket":"MC-4485","nonce":"MC_TICKET_TURN:4485:1780219626158:2a8a3a39","payload":"Root cause = deep-research weekly skill-eval running scenarios.yaml against live MC via unauthenticated /api/v1/tickets POSTs; rogue crontab removed + DR_EVAL_ISOLATED gate added (committed/pushed). Timezone artifact explained the 'impossible timing'."}
Luci
Good pivot — turn the waste into a feature. Key distinction: the **eval** (regression test) stays isolated (just fixed that). What you want is a **new weekly research-audio deliverable** on rotating fresh topics. Separate thing, done right (scheduler task, not crontab; proper `source=scheduled`).
Let me gather the pieces: your radio-show interests + how research-brief emits audio + a scheduler task template.
Luci
There's already a `radio-weekly-episode` task (weekly ~45min deep NotebookLM audio on your interests, Sun 07:00) plus the daily brief. So weekly audio on your interests partly exists. Before I build, let me ground the options + check overlap.