fix: Reject non-HTTPS Alibaba Token Plan overrides

[YanxinXue]

Summary

• Reject explicitly non-HTTPS ALIBABA_TOKEN_PLAN_HOST and ALIBABA_TOKEN_PLAN_QUOTA_URL values.
• Keep existing bare-host behavior by still inferring https:// for quota URL overrides without a scheme.

Implementation Notes

• hostOverride now returns nil when the override includes a scheme other than https.
• quotaURL now returns nil for explicit non-HTTPS schemes instead of accepting them as-is.
• Added focused tests for HTTPS inference, non-HTTPS quota URL rejection, and non-HTTPS host override rejection.
• Root cause: override parsing previously treated any URL with a scheme as valid, allowing http:// or other schemes for Token Plan endpoints.
• Behavior change: insecure or unsupported explicit override schemes are ignored rather than used.

Validation

• swift test --filter AlibabaTokenPlan - passed.
• git diff --check - passed.
• make check - SwiftFormat/SwiftLint reported 0 violations; the command exited non-zero because the sandbox could not write the SwiftLint cache plist.
• CODEXBAR_SIGNING=adhoc CODEXBAR_WIDGET_METADATA_MODE=skip ./.build/codexbar-package-app-nosandbox.sh release - passed; produced CodexBar.app.
• codesign --verify --deep --strict --verbose=2 CodexBar.app - passed.

Risk

• Low. This only affects Alibaba Token Plan environment override handling.
• Users relying on explicit non-HTTPS override URLs will need to switch to HTTPS or omit the scheme for the existing HTTPS inference path.

[clawsweeper]

Codex review: needs real behavior proof before merge.

Latest ClawSweeper review: 2026-05-22 11:31 UTC / May 22, 2026, 7:31 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR rejects explicit non-HTTPS Alibaba Token Plan host and quota URL overrides, preserves bare quota URL HTTPS inference, adds focused tests, imports FoundationNetworking for the cookie-header file, and updates the changelog.

Reproducibility: yes. Source inspection on current main shows quotaURL accepts any parsed scheme, hostOverride returns the cleaned override unchanged, and the fetcher consumes those values as request targets.

PR rating
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🐚 platinum hermit
Summary: The patch is narrow and test-backed, but missing real behavior proof and compatibility-policy acceptance keep the PR below normal merge readiness.

Rank-up moves:

• Add redacted terminal output, logs, or a terminal screenshot showing http/ftp Token Plan overrides ignored and a bare host resolving through HTTPS after the fix.
• Get maintainer acceptance that explicit non-HTTPS Token Plan override environment variables are unsupported before merge.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Needs real behavior proof before merge: The PR body has tests and packaging validation but no after-fix terminal/log/screenshot proof showing non-HTTPS overrides ignored and bare-host HTTPS inference preserved; the contributor should add redacted proof and update the PR body to trigger re-review.

Risk before merge

• Intentional compatibility change: explicit non-HTTPS ALIBABA_TOKEN_PLAN_HOST or ALIBABA_TOKEN_PLAN_QUOTA_URL values that currently affect request targets will be ignored and fall back to the default HTTPS endpoints.
• No after-fix real behavior proof is present, so the contributor still needs to show the override path running outside tests with private values redacted.
• The HTTPS-only rule is Token Plan-specific; nearby override readers still accept explicit non-HTTPS schemes, so maintainers should accept the targeted policy difference before merge.

Maintainer options:

1. Accept HTTPS-only Token Plan overrides after proof (recommended)
   Merge after contributor proof is added if maintainers agree that explicit non-HTTPS Token Plan overrides may be ignored and fall back to supported HTTPS endpoints.
2. Surface rejected overrides before merge
   If silent fallback is too surprising, revise the patch to log or surface a clear rejection when an explicit non-HTTPS override is ignored.
3. Defer to a broader override policy
   Pause this PR if maintainers want one consistent HTTPS validation policy across Token Plan, Coding Plan, z.ai, and MiniMax override readers.

Next step before merge
Human handling is needed for contributor-supplied real behavior proof and an explicit decision on ignoring non-HTTPS override environment variables; there is no narrow ClawSweeper repair task.

Security
Cleared: The diff narrows accepted Token Plan endpoint schemes and does not change dependencies, workflows, secrets handling, or other supply-chain surfaces.

Review details

Best possible solution:

Land the narrow HTTPS-only Token Plan override hardening after redacted terminal or log proof is added and maintainers accept that explicit non-HTTPS Token Plan endpoint overrides are unsupported.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection on current main shows quotaURL accepts any parsed scheme, hostOverride returns the cleaned override unchanged, and the fetcher consumes those values as request targets.

Is this the best way to solve the issue?

Mostly yes. Validating schemes at the settings-reader boundary is a narrow maintainable hardening path that preserves bare-host HTTPS inference, but the silent fallback and Token Plan-only policy need maintainer acceptance.

Label justifications:

• P2: This is a focused provider hardening PR with limited blast radius but real compatibility implications for override users.
• merge-risk: 🚨 compatibility: Merging changes how existing Token Plan environment override values are interpreted, and explicit non-HTTPS values will no longer target the configured endpoint.
• rating: 🦪 silver shellfish: Current PR rating is 🦪 silver shellfish because proof is 🦪 silver shellfish, patch quality is 🐚 platinum hermit, and The patch is narrow and test-backed, but missing real behavior proof and compatibility-policy acceptance keep the PR below normal merge readiness.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body has tests and packaging validation but no after-fix terminal/log/screenshot proof showing non-HTTPS overrides ignored and bare-host HTTPS inference preserved; the contributor should add redacted proof and update the PR body to trigger re-review.

What I checked:

• Current main accepts explicit quota URL schemes: On current main, AlibabaTokenPlanSettingsReader.quotaURL returns any URL with a parsed scheme instead of restricting it to HTTPS. (Sources/CodexBarCore/Providers/Alibaba/AlibabaTokenPlanSettingsReader.swift:23, 68a6b23ba641)
• Current main uses the override as the request target: resolveQuotaURL consumes the quota URL override first, then hostOverride, and falls back to the default Token Plan API only when those readers return nil. (Sources/CodexBarCore/Providers/Alibaba/AlibabaTokenPlanUsageFetcher.swift:189, 68a6b23ba641)
• Current main builds dashboard and quota URLs from hostOverride: The host override is used to construct both the quota API URL and dashboard URL, so accepting a non-HTTPS host can affect both request paths. (Sources/CodexBarCore/Providers/Alibaba/AlibabaTokenPlanUsageFetcher.swift:351, 68a6b23ba641)
• PR validates override schemes at the reader boundary: At the PR head, hostOverride and quotaURL return nil for parsed schemes whose lowercase value is not https, while bare values still proceed to the existing HTTPS inference path. (Sources/CodexBarCore/Providers/Alibaba/AlibabaTokenPlanSettingsReader.swift:17, 10d80156d579)
• PR adds focused scheme tests: The PR adds tests for bare quota URL HTTPS inference, rejection of http and ftp quota URLs, and rejection/preservation behavior for host overrides. (Tests/CodexBarTests/AlibabaTokenPlanProviderTests.swift:15, 10d80156d579)
• PR keeps the cookie-header file Linux-compatible: The PR imports FoundationNetworking conditionally in AlibabaTokenPlanCookieHeader.swift, matching the repository pattern for URL-loading and cookie types on Linux. (Sources/CodexBarCore/Providers/Alibaba/AlibabaTokenPlanCookieHeader.swift:2, 10d80156d579)

Likely related people:

• YanxinXue: The current-main changelog credits YanxinXue for adding Alibaba Token Plan support, and the central Token Plan files were introduced in that merged provider commit. (role: feature contributor; confidence: medium; commits: b2bc921ab8b8; files: Sources/CodexBarCore/Providers/Alibaba/AlibabaTokenPlanSettingsReader.swift, Sources/CodexBarCore/Providers/Alibaba/AlibabaTokenPlanUsageFetcher.swift, Tests/CodexBarTests/AlibabaTokenPlanProviderTests.swift)
• Peter Steinberger: The merged Token Plan provider commit lists Peter Steinberger as a co-author, and current-main changelog/release history around this provider was updated by him. (role: co-author and recent area contributor; confidence: medium; commits: b2bc921ab8b8, b020dffc4; files: CHANGELOG.md, Sources/CodexBarCore/Providers/Alibaba/AlibabaTokenPlanUsageFetcher.swift)
• Misty: git blame attributes the Alibaba Token Plan settings reader, fetcher, and tests on current main to the merged provider commit authored under the display name Misty. (role: current-main implementation author; confidence: high; commits: b2bc921ab8b8; files: Sources/CodexBarCore/Providers/Alibaba/AlibabaTokenPlanSettingsReader.swift, Sources/CodexBarCore/Providers/Alibaba/AlibabaTokenPlanUsageFetcher.swift, Tests/CodexBarTests/AlibabaTokenPlanProviderTests.swift)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 68a6b23ba641.

[clawsweeper]

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature or rarity is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.