perf: performance sweep

[buremba]

Behavior-preserving performance fixes from the parallel performance-analysis sweep. Caching is bounded (immutable-per-process or short TTL) and credential-affecting paths invalidate correctly.

What landed (per area, with expected win)

Area	Change	Win
core/encryption.ts	Memoize the derived ENCRYPTION_KEY buffer (was base64-decode + regex on every call).	Removes fixed CPU from every verifyWorkerToken / decrypt (per worker→gateway RPC, per config-value load).
core/logger.ts	Pass log info to Sentry by reference instead of {...info, message}.	No unbounded shallow-clone-then-serialize on every prod error/warn.
core/sanitize.ts	Single compiled regex for sensitive-key matching + maxDepth cap; drop dead env branch.	Bounds the per-key array scan + deep clone on large config objects logged.
agent-worker/worker.ts	Promise.all the output/ dir clearing (was serial awaited unlinks).	Fewer serial syscalls on the per-message critical path.
agent-worker/gateway-integration.ts	Drop JSON.stringify(payload).substring(0,500) log on the stream-delta POST; log identifying fields only.	One full serialize-then-discard removed per delta on a long answer.
embeddings/embeddings.ts	batchGenerateLocalEmbeddings passes the whole batch to transformers.js (single padded vectorized ONNX pass).	~2–5× CPU throughput on embedding backfill (the WASM backend is single-threaded; the old Promise.all over per-text calls ran serially).
connector-worker/executor.ts	embed_backfill now batches embeddings instead of one round-trip per event.	O(1) embedding call instead of O(events) on the "lots of events" path.
server/gateway/auth/api-auth-middleware.ts	Run the local worker-token check before the remote OIDC userinfo fetch.	Removes a remote round-trip from every worker-token request to /api/v1/agents/*.
server/gateway/.../message-handler-bridge.ts, unified-thread-consumer.ts	Stop calling flushTracing() per inbound message (SimpleSpanProcessor already exports on span end).	One outbound HTTP / connection-churn removed per message.
server/gateway/proxy/http-proxy.ts	Pre-lowercase the env domain allow/deny lists once when building global config.	Removes per-pattern .toLowerCase() from the per-request domain matcher.
server/utils/public-origin.ts	Memoize getConfiguredPublicOrigin() (mirrors hasLocalFrontend).	No new URL() per auth resolution.
server/workspace/multi-tenant.ts	Bearer (PAT/OAuth) MCP auth now uses the shared 60s membership-role cache (was hard-bypassing it every request — the cookie path already trusts it).	~1 DB round-trip removed per steady-state bearer MCP call.
server/lobu/stores/postgres-stores.ts	Hoist decrypt to a static import; fast-path decryptLegacyEncryptedConfig (no clone unless a value is enc:v1:).	Removes a dynamic require + needless object clone from a per-row connection mapper.
server/sandbox/sdk-manifest.ts, tools/registry.ts	Memoize enumerateSDKManifest, getAllTools, getTool over the static tool registry / method metadata.	Per-sandbox-call ~545-entry walk and per-tools/list schema-flatten become Map lookups.
server/index.ts	Memoize generateOpenAPISpec() by origin.	Polled /openapi.json becomes a Map lookup instead of an O(tools × schema) walk.
server/server.ts	Defer assertExternalDepsResolvable until after listen(); assign the env snapshot to c.env by reference instead of Object.assign per request.	Lower cold-boot/readiness latency; one object-spread removed per request.
server/identity/engine.ts	Batch revokeDerivationsForEvent into one = ANY(...) UPDATE.	N → 1 round-trips inside the identity ingest transaction.
server/watchers/automation.ts	reconcileWatcherRuns short-circuits when no active watcher run awaits a dispatched message; otherwise drives the containment join from the small side and bounds the chat_message scan to recent completions.	Removes a multi-hundred-ms-to-seconds unbounded runs seq-scan that ran every 60s, forever.
server/notifications/service.ts	Dedup the connections/targets fetch + service-token mint, send via Promise.allSettled, and fan bot delivery out once per createNotificationForUsers call (was once per user → N duplicate messages + N re-fetches).	O(users × connections) serial HTTP → O(connections) parallel.
server/worker-api.ts, connectors/repair-agent.ts	Detach the repair-agent triggers from the worker-completion ACK (fire-and-forget; the inner UPDATEs already use atomic claims); fetch loadRecentRuns lazily so the heaviest query isn't paid on every rejected failure.	Repair-thread bookkeeping off the synchronous completion path.
openclaw-plugin/index.ts	Memoize the last (query → recall block) so the second recall hook for a turn is a free cache hit.	Cuts search_memory calls per turn in half on the latency-sensitive hook path.

Validation: make build-packages, bun run typecheck, and the affected packages' unit suites (core, agent-worker, connector-worker, embeddings, server __tests__/unit) all pass. A few tests were updated to reflect the new behavior (encryption-key cache reset hook; loadRecentRuns is now lazy; the embeddings test mock now mirrors the array-batch contract). Integration suites (Postgres-backed) were not run.

Deferred (architectural / higher-risk — needs a dedicated PR)

• packages/server/src/db/migrations/ + embedded-schema-patches.ts — add a current_events view (no event_embeddings join) and migrate the ~65 call sites; med-risk view change across many readers, M–L effort. (analyst 10 Remove Github Actions Integration and replace with Slack Bolt Application #1)
• packages/server/src/db/migrations/ — idx_entities_metadata_gin (GIN over entities.metadata) + rewrite findEntitiesByMetadataField to @>; @> semantics differ for non-string JSON + write-amplification — needs its own test. (analyst 10 Add Claude Code GitHub Workflow #3)
• packages/server/src/db/migrations/ — dynamic-metadata GIN index on events; same write-amplification / @> concerns. (analyst 10 Add Claude Code GitHub Workflow #3)
• packages/server/src/gateway/proxy/secret-proxy.ts — stream request/response bodies (duplex: 'half') instead of buffering into strings; needs proxy integration tests across Node 22–24. (analyst 08 Add Claude Code GitHub Workflow #3)
• packages/server/src/gateway/proxy/egress-judge/cache.ts — coarsen the verdict cache key (drop/normalize the path) so plain-HTTP traffic actually hits the cache; widens the trust window — needs a per-policy opt-out. (analyst 08 feat: Replace GitHub Actions with Slack Bolt Application #4)
• packages/server/src/gateway/permissions/grant-store.ts + http-proxy.ts — in-process grant cache for isDenied/hasGrant; invalidation wiring on grant mutations. (analyst 08 Remove Github Actions Integration and replace with Slack Bolt Application #1)
• packages/server/src/mcp-proxy/credential-resolver.ts — short-TTL cache for resolved MCP credentials, invalidate on auth failure; correctness-sensitive (token rotation). (analyst 11 Remove Github Actions Integration and replace with Slack Bolt Application #1)
• packages/server/src/utils/compiler-core.ts + sandbox/run-script.ts — LRU compile cache + esbuild.transform over build for sandbox scripts; needs care around the npm: rewrite path. (analyst 11 Kubernetes Integration #2)
• packages/server/src/sandbox/run-script.ts — pre-snapshot GUEST_PREAMBLE (and the isolate-pool variant — explicitly out of scope). (analyst 11 Add Claude Code GitHub Workflow #3)
• packages/server/src/gateway/connections/conversation-state-store.ts — drop the history_index write + DB lock from appendHistory, bulk-insert backfill rows; touches the Chat-SDK list contract. (analyst 07 Remove Github Actions Integration and replace with Slack Bolt Application #1)
• packages/server/src/gateway/connections/slack-connection-coordinator.ts — in-memory teamId → connectionId index for Slack webhook routing; derived-index invalidation. (analyst 07 feat: Replace GitHub Actions with Slack Bolt Application #4)
• packages/server/src/lobu/stores/postgres-secret-store.ts — TTL cache for PostgresSecretStore.get; secret-rotation staleness window. (analyst 14 feat: Replace GitHub Actions with Slack Bolt Application #4)
• packages/server/src/worker-api/device-reconcile.ts — gate reconcileDeviceCapabilities behind a change-detector + memoize the connector catalog walk; must keep the self-heal path. (analyst 14 Remove Github Actions Integration and replace with Slack Bolt Application #1)
• packages/server/src/auth/schema-validation.ts + ajv-singleton.ts — cache compiled AJV validators (+ optional entity-type-schema DB lookup cache). (analyst 13 Kubernetes Integration #2)
• packages/server/src/workspace/multi-tenant.ts — full bearer-token AuthInfo cache + drop the redundant 3rd SELECT "user" by propagating email/name/emailVerified; touches the authz gate, needs careful invalidation. (analyst 13 Remove Github Actions Integration and replace with Slack Bolt Application #1)
• packages/server/src/connectors/repair-agent.ts + worker-api.ts — fold maybeCloseRepairThread's UPDATE into the success-path feeds UPDATE; touches the worker-completion transaction's race semantics. (analyst 09 Remove Github Actions Integration and replace with Slack Bolt Application #1)
• packages/cli/src/commands/_lib/apply/apply-cmd.ts — parallelize fetchRemoteSnapshot into dependency waves with a concurrency cap; well-tested but reorders network calls. (analyst 03 Remove Github Actions Integration and replace with Slack Bolt Application #1)
• packages/cli/src/commands/eval.ts + eval/runner.ts — bounded-concurrency eval/trial runner; could surface gateway resource pressure. (analyst 03 Kubernetes Integration #2)
• packages/cli/package.json — split server-only deps out of @lobu/cli's dependencies (sharp/jimp/playwright as optional); easy to break a lazy runtime path. (analyst 03 Issue #2: Changes from Claude #5)
• packages/agent-worker/src/embedded/just-bash-bootstrap.ts — memoize discoverBinaries() + bound the per-binary shebang read; (the lazy-import hoist is also pending). (analyst 02 Remove Github Actions Integration and replace with Slack Bolt Application #1)
• packages/agent-worker/src/openclaw/worker.ts — cache the SessionManager/session per sessionFile; correctness-sensitive (provider-change / session-reset invalidation). (analyst 02 Kubernetes Integration #2)
• packages/agent-worker/src/openclaw/worker.ts — skip the .skills/ rewrite when skillsConfig is unchanged (hash gate). (analyst 02 Issue #2: Changes from Claude #5)
• packages/agent-worker/** + gateway/sse-client.ts + embedded/mcp-cli-commands.ts — hoist await import(...) of hot worker modules to static imports (also fixes a documented repo-rule violation). (analyst 02 Add Claude Code GitHub Workflow #3)
• packages/connector-worker/src/daemon/worker.ts — honor next_poll_seconds + claim back-to-back when work is queued (instead of a fixed 10s sleep). (analyst 04 Add Claude Code GitHub Workflow #3)
• packages/connector-sdk/src/browser/cdp.ts — cache the resolved CDP ws:// URL + Promise.all the port probes; stale-endpoint risk. (analyst 04 feat: Replace GitHub Actions with Slack Bolt Application #4)
• packages/connector-worker/src/executor/subprocess.ts — warm-pool of pre-forked child processes; defeats part of the per-run isolation guarantee. (analyst 04 Support local as an alternative to Kubernetes deployment #6)
• packages/connectors/** — shared createRateLimiter / bounded-concurrency util + convert the per-item-sleep connectors (Reddit, Gmail, website); parallelize RSS fetches. (analyst 05 Kubernetes Integration #2/feat: Replace GitHub Actions with Slack Bolt Application #4/Issue #2: Changes from Claude #5)
• packages/openclaw-plugin/src/index.ts — replace fetchMcpBootstrapSync / refreshStoredTokenSync node -e subprocesses with async fire-and-forget; touches the "tools must exist before prompt build" invariant. (analyst 06 Add Claude Code GitHub Workflow #3)
• packages/landing/** — re-architect client:load islands (client:visible/client:idle, pass selected use-case data as props); re-encode demo.mp4 + optimize public/ images. (analyst 06 Issue #2: Changes from Claude #5/Support local as an alternative to Kubernetes deployment #6)
• packages/server/src/__tests__/setup/test-db.ts + vitest.config.ts — per-fork test database (drop singleFork); test-isolation rewrite needing a full integration run. (analyst 15 Remove Github Actions Integration and replace with Slack Bolt Application #1)

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 90.90909% with 4 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
packages/core/src/logger.ts	0.00%	4 Missing ⚠️

📢 Thoughts on this report? Let us know!

[buremba]

Rebased onto current main (now includes #672) and fixed integration regressions:

• Reverted the bearer-MCP membership-cache change in workspace/multi-tenant.ts — broke mcp/member-write-access.test.ts > applies self-leave immediately (token-based MCP path needs the hard cache miss to honor immediate revocation). Moved to deferred.
• Reverted the batched revokeDerivationsForEvent → revokeDerivationsForEvents change in identity/engine.ts — broke 4 identity/engine.test.ts cases (UC2, UC4, claim-collision dedup, multi-value namespace). Moved to deferred.
• Also dropped the unused GatewayConfig import + 4 InvalidationEvent.resource: call sites left dangling on main by refactor: simplification sweep #672 so standalone server typecheck passes.

All other perf fixes from the PR body are unchanged.