DEV Community

Cover image for I Merged 348 PRs. Here Are The 11 Bugs That Tested My Sanity.
ANIRUDDHA  ADAK
ANIRUDDHA ADAK Subscriber

Posted on

I Merged 348 PRs. Here Are The 11 Bugs That Tested My Sanity.

Summer Bug Smash: Smash Stories Submission 🐛🛹

Hey. I am Aniruddha Adak.

A final year computer science student coding from a hostel room in West Bengal.

Two years ago, I was staring at a blank terminal. I was trying to understand how Git actually worked. I was terrified of merge conflicts.

Today, I am looking back at 348 merged pull requests across dozens of repositories.

Open source completely changed how I write code.

But for the DEV Summer Bug Smash, I do not want to talk about the easy wins. I want to share a real Smash Story.

I want to talk about the chaos.

Here are the 11 critical bugs across modern AI and web frameworks that forced me to become a better software engineer.

The Windows Curse

Bugs in open source rarely look like simple syntax errors. They look like complete system failures.

While contributing to advanced Graph RAG tools like cognee and AI frameworks like openclaw, I noticed a silent killer.

Most maintainers build on Unix systems. They use Mac. They use Linux.

Windows users are often left in the dark.

🐞 In cognee, users were facing a chaotic OS Error 3. Windows was struggling with long file paths during dataset context resolution. It completely broke the local database integration.

I dove into the LanceDB integration and wrote a fix to automatically prefix Windows paths. This bypassed the legacy path limits.

fix(lancedb): automatically prefix windows paths to resolve OS Error 3 for long paths (fixes #2941) #3123

Closes #2941

This PR automatically normalizes and prefixes absolute Windows paths for the vector_db_url when using local filesystem storage. This resolves OS Error 3 triggered by LanceDB subprocesses when generating long file paths for persisting vector data on Windows.

🦟 The exact same thing was happening in openclaw. The install tests were failing exclusively on Windows machines. I restructured the symlink tests to respect Windows environment paths.

test: make install-safe-path symlink tests compatible with Windows #90275

Summary

  • Run the existing install-path symlink boundary tests on Windows when directory junctions are supported.
  • Use Windows junctions for directory links while preserving dir symlinks elsewhere.
  • Keep production install-path behavior unchanged.
  • Treat temporary-directory or cleanup failures in the capability probe as unsupported test environments instead of failing module import.

Linked context

No linked issue. This is a test portability improvement for existing install-path boundary coverage.

Real behavior proof

  • Behavior addressed: Three install-safe-path symlink boundary tests were unconditionally skipped on Windows.
  • Real environment tested: Native Windows Azure VM (Standard_D4ads_v6) through Crabbox.
  • Exact steps or command run after this patch: node scripts/run-vitest.mjs src/infra/install-safe-path.test.ts
  • Evidence after fix: Native Windows console output from Crabbox lease cbx_be4230e2069c, run run_0fb83e164185:
RUN  v4.1.8 C:/repo/openclaw

✓ infra src/infra/install-safe-path.test.ts (24 tests) 525ms

Test Files  1 passed (1)
Tests       24 passed (24)
  • Observed result after fix: The directory-junction cases executed successfully on native Windows instead of being skipped by platform.
  • What was not tested: No end-user install flow was exercised because the patch changes tests only.
  • Proof limitations or environment constraints: The tests still skip when the host cannot create directory links.
  • Before evidence: Current main uses it.runIf(process.platform !== "win32") for all three cases.

Tests and validation

  • node scripts/run-vitest.mjs src/infra/install-safe-path.test.ts
  • node scripts/run-oxlint.mjs src/infra/install-safe-path.test.ts
  • Native Windows Crabbox: 24/24 tests passed
  • Blacksmith Testbox tbx_01kv72nvfyz4fgpny8cyn48xfr: pnpm check:changed
  • .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main

Risk checklist

  • Did user-visible behavior change? No
  • Did config, environment, or migration behavior change? No
  • Did security, auth, secrets, network, or tool execution behavior change? No
  • Highest-risk area: Windows directory-link capability detection in the test harness.
  • Mitigation: Capability-gated execution plus direct native-Windows proof.

Current review state

  • Next action: Refresh CI on the rebased head and merge when required checks pass.
  • Addressed review comments: Temporary directory creation and cleanup are contained by the probe; module-level probing remains intentional because Vitest evaluates skipIf during test declaration.

The Silent AI Crashes

AI agents are powerful. But they are incredibly fragile when they receive unexpected data.

🦗 In the hermes-agent repository, I found a bug where the system would panic if an API returned an empty response. I implemented a fix to handle None responses gracefully from the ACP permission requests.

fix(permissions): handle None response from ACP request_permission #13457

What does this PR do?

This PR hardens the ACP ? Hermes permission-approval bridge by safely handling an unexpected None result from equest_permission, preventing attribute errors and defaulting to a safe deny.

Related Issue

Fixes #13449

Type of Change

  • [x] ?? Bug fix (non-breaking change that fixes an issue)
  • [ ] ? New feature (non-breaking change that adds functionality)
  • [ ] ?? Security fix
  • [ ] ?? Documentation update
  • [x] ? Tests (adding or improving test coverage)
  • [ ] ?? Refactor (no behavior change)
  • [ ] ?? New skill (bundled or hub)

Changes Made

  • Return "deny" when equest_permission resolves to None in the approval callback.
  • Add a unit test covering the None response case to ensure the callback denies safely.

How to Test

  1. Connect via an ACP client that sends an empty response to permission requests.
  2. Verify the permission is denied rather than throwing an exception.

Checklist

Code

  • [x] I've read the Contributing Guide
  • [x] My commit messages follow Conventional Commits
  • [x] I searched for existing PRs to make sure this isn't a duplicate
  • [x] My PR contains only changes related to this fix/feature (no unrelated commits)
  • [x] I've run pytest tests/ -q and all tests pass
  • [x] I've added tests for my changes (required for bug fixes, strongly encouraged for features)
  • [x] I've tested on my platform

Documentation & Housekeeping

  • [x] I've updated relevant documentation (README, docs/, docstrings) � or N/A
  • [x] I've updated cli-config.yaml.example if I added/changed config keys � or N/A
  • [x] I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows � or N/A
  • [x] I've considered cross-platform impact (Windows, macOS) per the compatibility guide � or N/A
  • [x] I've updated tool descriptions/schemas if I changed tool behavior � or N/A

Back in cognee, I tackled two more critical architecture flaws.

🪳 First, the graph engine was initializing before the dataset context was actually ready. This order dependency bug caused random failures. I rewired the visualization logic to wait for resolution.

fix(visualize): resolve dataset context before initializing graph engine #3114

Closes #3007

Currently, visualize_graph() initializes the graph engine without any dataset context, falling back to the default empty graph database instead of the actual per-dataset database where cognify writes. This fix matches the dataset resolution logic in search() by resolving datasets via get_authorized_existing_datasets and providing the dataset UUID to get_unified_engine().

🪰 Second, I found a vulnerability where global settings were exposed and public registration was left wide open. I locked it down.

fix(security): restrict global settings and disable public registration #3115

Closes #3084

This PR addresses the security vulnerabilities reported in #3084:

  • Requires superuser privileges for POST /api/v1/settings to prevent global configuration takeover.
  • Fully masks LLM and VectorDB API keys in GET /api/v1/settings to prevent leaking key prefixes.
  • Adds a COGNEE_PUBLIC_REGISTRATION_ENABLED environment variable to allow administrators to disable public self-registration.

The Database Labyrinth

The most intense debugging sessions happened inside Tracer-Cloud/opensre.

I spent weeks clearing out a lineup of database logic errors and QA edge cases. These were the kinds of bugs that only show up under heavy load or specific cloud configurations.

I shipped five separate pull requests to stabilize their systems.

🪲 Batch 2 Edge Cases: I expanded the database logic to catch unhandled state changes.

fix: Database logic expansion for QA Edge Cases (Batch 2) #626

_build_database_directive() has been expanded exponentially to train the AI to parse red herrings, distinguish between dual fault symptoms versus single root causes, infer missing Storage metrics organically, ignore healthy oscillating traffic metrics, and trace WAL replication lags adequately.

🐛 Batch 3 Edge Cases: I patched another layer of database failures.

fix: Database logic expansion for QA Edge Cases (Batch 3) #627

Resolves #606, resolves #607, resolves #608, resolves #609, resolves #610. Expands the _build_database_directive() function to correctly train the LLM to identify Compositional Faults (treating simultaneous CPU and Storage constraints as independent sources while filtering out connection bounds), infer replication lag from bare WAL metrics despite missing Replica metrics, accurately ignore historical maintenance distractions via timestamps, identify stale autoscaling recovery, and distinguish VACUUM-driven Checkpoint Storms.

🦗 RDS Testing: I corrected broken testing environment directives for their relational databases.

fix: Database directives for RDS QA testing #625

Resolves #598 and #599 by supplying the agent with specific database directives that inform the RCA logic of standard scenarios like Connection Exhaustion and Free Storage exhaustion.

🪳 Validation Status: I fixed a critical bug by including eks_* keys so the system could correctly identify a healthy state.

Fix: Include eks_* keys in _INVESTIGATED_EVIDENCE_KEYS for is_clearly_healthy (Fixes #582) #617

Fixes #582

Type of Change

  • [x] Bug fix (non-breaking change which fixes an issue)
  • [ ] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • [ ] This change requires a documentation update

What changed and why

The is_clearly_healthy() short-circuit relies on the presence of keys in _INVESTIGATED_EVIDENCE_KEYS to verify that an investigation collected evidence. This set was missing all Kubernetes / EKS keys. Because of this gap, investigations finding pure-Kubernetes workloads in a healthy state missed the short-circuit and incorrectly ran the root cause LLM.

This PR adds the missing EKS investigation keys (eks_pods, eks_events, eks_deployments, eks_node_health, eks_pod_logs) to _INVESTIGATED_EVIDENCE_KEYS.

Note: This relies on the changes from #581 where the EKS mappers populate these keys in state["evidence"].

Testing steps with evidence

  • Added parameterized unit tests in tests/nodes/root_cause_diagnosis/test_evidence_checker.py.
  • Tested the is_clearly_healthy function directly, ensuring pure-EKS healthy configurations return True, mixed outputs return True, and an unhealthy state correctly blocks it returning False.

Impact analysis

  • Backward Compatibility: Yes, fully compatible.
  • Breaking Changes: None. This saves redundant reasoning LLM tokens and time.

AI-Assisted Contribution

  • [x] I have reviewed every line of code.
  • [x] I understand the logic.
  • [x] I have tested edge cases.
  • [x] I have verified the code matches the project conventions.

🐜 Synthetic QA: I resolved an alerting classification bug so healthy alerts were no longer flagged as broken.

fix(synthetic-qa): Identify healthy alerts correctly (#596) #618

This PR fixes the 000-healthy synthetic-qa failure (Fixes: #596).

Cause:

  1. The LLM extraction step was classifying 'healthy' and scheduled checks (which have severity 'info' and state 'normal') as is_noise=True.
  2. Even if it bypassed noise extraction, the LLM was assuming it didn't need to gather investigation metrics because the alert explicitly said the database was normal, leading to an empty sequence of actions. This empty sequence caused the is_clearly_healthy function to loop infinitely because condition 4 requires at least one investigative operation.

Fix:

  • Noise Extraction: Updated app/nodes/extract_alert/extract.py prompt to explicitly state that informational states and health checks are NOT noise.
  • Planner Prompt Guidance: Updated app/nodes/plan_actions/build_prompt.py to ensure the agent MUST still query relevant monitoring platforms for verification when it identifies informational or healthy states.
  • Planner Code Guard: Added a code-level guard in app/nodes/plan_actions/node.py to fall back and force at least one verification action if the LLM returns an empty plan to prevent infinite insufficient_evidence loops.
  • Evidence Consistency: Fixed EKS evidence truthiness check in app/nodes/root_cause_diagnosis/evidence_checker.py to correctly evaluate via is not None.
  • Cleanup: Removed accidentally committed pr_body.md template.

The Ghost in the UI

Sometimes the most annoying bugs are the ones the user stares at directly.

🪰 In openclaw, the configuration wizard would just look broken if a user had no skills set up. It was a blank void. I jumped into the frontend and built an empty state notice to guide the user forward.

fix(skills): show empty state notice in config wizard #85032

Summary

  • Rebase the skills wizard empty-state fix onto current main.
  • Show an explicit all-ready note when skill setup has no missing dependencies to install.
  • Add localized title copy and focused regression coverage.

Real behavior proof

Behavior addressed: setupSkills() could show the status summary, ask to configure skills, and then exit without any next-step note when every non-blocked skill was already eligible and no requirements were missing. Real environment tested: local OpenClaw source checkout on macOS, Node/pnpm repo runtime, with a temporary OPENCLAW_HOME and the production skills status/setup path exercised directly through node --import tsx. Exact steps or command run after this patch: OPENCLAW_HOME=$(mktemp -d) TMP_WS=$(mktemp -d) node --import tsx --input-type=module probe that builds real workspace skill status, disables the few missing non-blocked local skills to create the all-ready state, then calls setupSkills() with a recording prompter. Evidence after fix:

{
  "disabledMissingSkills": [
    "qqbot-channel",
    "qqbot-media",
    "qqbot-remind"
  ],
  "finalNote": {
    "title": "All skills ready",
    "message": "No missing skill dependencies to install.\nTo inspect available skills, run: openclaw skills list --verbose\nTo check skill status, run: openclaw skills check"
  }
}
Enter fullscreen mode Exit fullscreen mode

Observed result after fix: the wizard emits an All skills ready note with openclaw skills list --verbose and openclaw skills check, does not show dependency multiselect, and does not call the installer. What was not tested: no manual interactive terminal wizard session; the direct probe exercises the production setup path with a recording prompter, and the focused test covers the exact prompter calls.

Verification

  • pnpm test src/commands/onboard-skills.test.ts
  • pnpm check:test-types
  • git diff --check
  • Auto Review: clean, no accepted/actionable findings.

What I Learned from the Chaos

Smashing these 11 bugs taught me a few golden rules.

1️⃣ Test your paths. Never assume everyone is running Linux.
2️⃣ Expect the null. AI agents will eventually receive empty data. Build fallbacks.
3️⃣ Small steps matter.

I started my journey writing simple Python scripts in repositories like 100LinesOfPythonCode. Those tiny commits gave me the confidence to dive into massive AI architectures and cloud database logic.

✅ Every single merge represents a puzzle solved.

✅ Every PR is a conversation with a maintainer.

✅ Every bug smashed is a step forward in my engineering journey.

If you want to talk about open source, Python, or AI systems, feel free to connect with me.

This is a submission for DEV's Summer Bug Smash: Smash Stories powered by Sentry.

Let us keep creating in the open.

Top comments (0)