openclaw - 💡(How to fix) Fix Non-public Commander rawArgs property accessed via unsafe cast [1 comments, 2 participants]

Severity: low / Confidence: medium / Category: maintainability Triage: risk Detected against: openclaw v2026.5.18 (latest stable at time of scan, 2026-05-18) Tooling: clawpatch 0.3.0 + acpx/claude-sonnet-4-5 via Brad Mills protocol

Evidence

• src/cli/program/action-reparse.ts:20-20 (reparseProgramFromActionArgs)

const rawArgs = (root as Command & { rawArgs?: string[] }).rawArgs;

Reasoning

rawArgs is not part of Commander's public TypeScript interface, requiring a manual cast to access it. Commander's public API exposes parsed options and arguments but not the raw argv slice per sub-command. If Commander removes, renames, or changes the shape of rawArgs in a minor version, this cast will silently return undefined at runtime, causing buildParseArgv to fall back to fallbackArgv—which may reconstruct a subtly different command line (e.g. omitting flags that were passed positionally). There is no runtime assertion to detect this degradation.

Recommendation

Assert that rawArgs is defined after the cast and log a warning if it falls back to fallbackArgv, or replace the internal property access with a Commander-version-pinned workaround that is explicitly tested. Document the Commander version dependency in a comment.

Why existing tests miss this

No tests for action-reparse.ts exist in the provided suite.

Suggested regression test

Unit test reparseProgramFromActionArgs with a mock Command where rawArgs is undefined to verify it correctly falls back to the reconstructed fallbackArgv without throwing.

Minimum fix scope

src/cli/program/action-reparse.ts line 20 — add runtime assertion or explicit fallback logging

Standardized clawpatch finding. Persistent in v2026.5.18 (not resolved by upgrading from v2026.5.12). Finding ID: fnd_sig-feat-cli-command-0f69ccd6ad-_3add68fbbc.