fix: refresh published Discord member roles daily

[hannesrudolph]

Summary

• add sync --with-members to opt into member crawling during a latest-only sync
• run the Discord backup publisher with that flag once daily while retaining 15-minute message-only deltas
• make explicit member refreshes fail if Discord rejects, rate-limits, or times out the member crawl, avoiding a silently stale role snapshot
• document the behavior and cover the CLI mode plus failure path

Validation

• go test ./internal/syncer ./internal/cli
• workflow YAML parsed successfully
• git diff --check

[steipete]

--with-members still does not guarantee a member crawl. refreshGuildMembers exits early through shouldRefreshMembers when the snapshot is fresh, or when an imported snapshot has rows but no marker. With the 24-hour freshness interval and GitHub schedule jitter, the daily job can therefore skip a day and publish stale roles without exercising the required failure path.

Please make RequireMembers bypass the freshness/import-seeding gate (or add an explicit force parameter at this ownership boundary), and add a regression test where a fresh marker exists but RequireMembers: true still calls GuildMembers. Full go test ./... passes on the current head; this is the remaining correctness blocker.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 19, 2026, 4:28 AM ET / 08:28 UTC.

Summary
The PR adds sync --with-members, runs the Discord backup publisher with that mode once daily, fails required member-refresh errors, and updates docs plus focused CLI/syncer tests.

Reproducibility: yes. from source inspection: current main's scheduled Discord publisher always uses --skip-members, and the syncer can skip member crawling for fresh or imported snapshots. I did not execute the live scheduled workflow in this read-only review.

Review metrics: 3 noteworthy metrics.

• Changed surface: 7 files affected. The diff spans workflow automation, CLI parsing, syncer behavior, docs, and tests, so code and operational review both matter.
• Publisher cadence: 1 daily cron added; 15-minute cron retained. The production backup workflow gains a new daily live member-crawl path without changing the frequent message-only delta cadence.
• Regression coverage: 2 syncer tests plus CLI flag coverage added. The tests cover required member crawl failure, forced refresh despite a fresh marker, and conflicting member flags.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Clear or supersede the stale requested-changes review after the latest force-push.
• [P2] Confirm the production Discord backup bot can perform the required guild member crawl.

Risk before merge

• [P1] The new daily publisher intentionally fails if the production Discord bot lacks member-crawl access or hits Discord rate limits/timeouts, so existing backup operators may see a scheduled run stop instead of publishing stale roles.
• [P1] GitHub still reports a requested-changes review state from an older head commit; a maintainer needs to clear or supersede that review after the force-push.

Maintainer options:

1. Confirm member-crawl readiness (recommended)
   Before merge, a maintainer should confirm the production backup bot has the required Discord member-crawl access and clear or supersede the stale requested-changes review.
2. Accept visible daily failures
   Maintainers may intentionally accept that the daily publisher fails closed when Discord rejects, rate-limits, or times out member crawling.
3. Pause the workflow change
   If fail-closed daily publishing is not acceptable operationally, keep the current message-only schedule and revisit a softer opt-in path.

Next step before merge

• [P2] A maintainer needs to clear the requested-changes state and accept the live Discord member-crawl workflow risk; there is no narrow automated repair left from this review.

Security
Cleared: The diff reuses existing workflow secrets and pinned action refs, adds no new permissions, and does not introduce a dependency or secret-handling change beyond the scheduled member-crawl path.

Review details

Best possible solution:

Land after a maintainer clears the requested-changes state and confirms the production backup bot can perform the daily required member crawl while the 15-minute path stays message-only.

Do we have a high-confidence way to reproduce the issue?

Yes, from source inspection: current main's scheduled Discord publisher always uses --skip-members, and the syncer can skip member crawling for fresh or imported snapshots. I did not execute the live scheduled workflow in this read-only review.

Is this the best way to solve the issue?

Yes, the latest PR head is a narrow maintainable implementation of the requested direction: it adds an explicit CLI mode, forces required member refreshes past the freshness gate, and keeps the frequent publisher path message-only. The remaining question is maintainer acceptance of the fail-closed daily workflow behavior.

AGENTS.md: not found in the target repository.

Codex review notes: model internal, reasoning high; reviewed against e6f719b7fa9b.

Label changes

Label justifications:

• P2: This is a bounded backup freshness improvement for published Discord member roles, not an urgent core-runtime outage.
• merge-risk: 🚨 compatibility: Existing backup operators may see the new daily run fail if their Discord bot setup cannot crawl guild members.
• merge-risk: 🚨 automation: The diff changes scheduled GitHub Actions behavior and makes one publisher path depend on live Discord member crawling.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: The external-contributor real-behavior proof gate does not apply because GitHub context reports the PR author as a repository MEMBER.

Evidence reviewed

What I checked:

• Target AGENTS.md check: No AGENTS.md exists under the target repository root, so no target-specific AGENTS policy applied.
• Protected maintainer/member handling: GitHub context reports the PR author association as MEMBER, and gh pr view reports reviewDecision CHANGES_REQUESTED on the open PR, so this cleanup review should keep it open for maintainer handling. (76f258ad6435)
• Current main still skips member crawling in the publisher: The current main workflow runs discrawl sync with --skip-members --latest-only; the requested daily role refresh is not already implemented on main. (.github/workflows/publish-discord-backup.yml:86, e6f719b7fa9b)
• Current main lacks the new CLI mode: Current main defines --skip-members but not --with-members, and the current SyncOptions does not include RequireMembers. (internal/cli/admin_commands.go:121, e6f719b7fa9b)
• Current main can skip fresh or imported member snapshots: shouldRefreshMembers skips crawling when a fresh success marker exists or when an imported snapshot already has member rows, which is the stale-role path this PR targets. (internal/syncer/syncer.go:315, e6f719b7fa9b)
• PR head wires the required member mode: The PR head adds RequireMembers, rejects conflicting member flags, and maps --with-members to latest-only sync without SkipMembers. (internal/cli/admin_commands.go:122, 76f258ad6435)

Likely related people:

• steipete: Current main blame for the syncer, CLI sync command, and Discord backup workflow points to the v0.11.0 release commit by Peter Steinberger, and steipete also requested and authored the latest freshness-bypass change on this PR. (role: recent area contributor and reviewer; confidence: high; commits: 37a9338fdcdb, 76f258ad6435; files: internal/syncer/syncer.go, internal/cli/admin_commands.go, .github/workflows/publish-discord-backup.yml)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[steipete]

Rebased onto current main as 76f258ad64358981ca455fd5682dcd1f87917024. The exact-head CI, Docker, CodeQL, dependency, release, lint, test, and secret checks all passed; local full tests and autoreview also pass.

Only remaining gate: a real required-member sync needs Discord bot credentials, and discrawl --json doctor reports no token in the environment or keyring. Holding merge until that live proof is available or explicitly waived.

[steipete]

Live gate passed on the exact PR head: bot authentication and guild access succeeded; sync --with-members --latest-only --no-update forced a member refresh despite the existing freshness marker, returned a nonzero member set, advanced the member sync timestamp, and completed. Full tests, autoreview, and exact-head CI are green.

[steipete]

Landed as f77e560318fa23b1070071e7eaf6d7ffaf17ae2a; contributor credit added in 91b1ca7.

Live proof on the exact PR head: bot authentication and guild access passed; a required member sync bypassed the prior freshness marker, returned a nonzero member set, advanced the member-refresh state, and completed latest-message sync. Full tests, autoreview, and exact-head CI passed. Thanks @hannesrudolph.