70655 Commits

Author SHA1 Message Date
Peter Steinberger
5a6a19c133 fix(qa): align runner inbound dispatch contract (#111507) 2026-07-19 11:51:24 -07:00
Peter Steinberger
163a6c6e16 fix(agents): declare visible-session constraints upfront in sessions_spawn (#111502) 2026-07-19 11:42:05 -07:00
Peter Steinberger
3e154b6761 fix(agents): let swarm collector fan-outs honor group caps (#111505)
* refactor(agents): single admission owner per child mode (#111401)

* refactor(agents): branch admission gather per mode — no cross-mode fallback pairing
2026-07-19 11:40:55 -07:00
Peter Steinberger
c69d6e148e feat(ui): who's-online roster menu on the footer facepile (#111501)
* feat(ui): who's-online roster menu on the footer facepile

Clicking the sidebar footer facepile now opens a scrollable roster of
everyone online — avatar, name, and email subtitle per person, with your
own entry pinned first and marked (you). Uses the stock menu-surface +
wa-dropdown idiom; long rosters scroll inside the popup via the dropdown's
menu part. Session-row facepiles stay non-interactive so row clicks keep
navigating.

* fix(ui): roster menu interaction hardening from review

- close explicitly on wa-select (preventDefault also cancels the
  dropdown's own select-and-hide)
- clear the open state when a presence update unmounts the footer
  facepile, so the menu cannot remount stale when presence returns
- restore focus to the visible facepile button on keyboard dismissal
  (the dropdown's own trigger is a hidden throwaway anchor)

* fix(ui): return focus to the facepile trigger on roster row selection
2026-07-19 11:34:17 -07:00
Peter Steinberger
40d31f3481 feat(control-ui): show relative commit age and hover-only copy button on About (#111495)
The About page commit row now embeds the commit's committer timestamp
(commitAt, advisory like branch/dirty) and renders it as an always-relative
age with the exact localized date-time on hover. The copy button becomes a
compact borderless icon revealed on hover/focus only where hover exists;
touch keeps it visible.
2026-07-19 11:13:25 -07:00
Peter Steinberger
6d4082ef97 fix(ui): prevent unsafe custodian nudge answers (#111430)
* fix(ui): harden custodian nudge actions

* refactor(ui): split custodian page helpers

* fix(ui): classify custodian nudge delivery

* fix(ui): ignore stale custodian question replies

* fix(ui): restore rejected custodian questions

* fix(ui): preserve custodian wizard uncertainty

* refactor(ui): keep nudge text helper private

* test(ui): model uncertain custodian delivery

* fix(ui): scope delayed custodian dismissals

* fix(ui): retain in-flight custodian nudges

* fix(ui): block nudges during hosted wizard input

* chore(protocol): regenerate gateway models
2026-07-19 11:10:41 -07:00
Peter Steinberger
b9cf1add0f fix(qa): retry transient history rebuilds (#111475)
* fix(qa): retry transient history rebuilds

* fix(qa): preserve history retry timeout cause

* test(qa): avoid retry timeout shadowing
2026-07-19 11:10:15 -07:00
Peter Steinberger
c7e7ac2728 refactor: remove expired plugin compatibility surfaces (#111451)
* docs(secrets): remove retired web credential paths

* refactor(web): remove retired provider compatibility paths

* refactor(providers): delete retired compatibility routes

* refactor(secrets): remove retired credential aliases

* refactor(plugin-sdk): delete retired compatibility surfaces

* docs(plugin-sdk): remove retired migration guidance

* chore(plugin-sdk): refresh rebased surface budgets

* chore(plugin-sdk): refresh API removal baseline

* refactor(compat): migrate retired internal callers

* chore(plugin-sdk): refresh current-main baselines

* test(config): migrate plugin-owned secret assertions

* test(gateway): narrow plugin secret refs

* fix(plugin-sdk): preserve private boundary type identity

* chore(compat): remove stale sweep references

* chore(lint): lower max-lines budget

* refactor(secrets): remove unused web helper

* build(plugin-sdk): drop removed compat entries

* chore(plugin-sdk): refresh rebased API baseline

* chore(plugin-sdk): use Linux API baseline hash

* fix(plugin-sdk): preserve private bundled build entries

* fix(plugin-sdk): package private runtime facades

* fix(plugins): preserve external credential contracts
2026-07-19 11:04:48 -07:00
Peter Steinberger
e6d7aee41d fix(ui): stop chat normalizers throwing on null/undefined message entries (#111494)
normalizeMessage / isToolResultMessage / isStandaloneToolMessageForDisplay
cast their unknown input to a record and then read `typeof m.role`. That
still evaluates `m.role`, so an undefined entry (e.g. groupMessages calling
normalizeMessage(item.message) with an absent message on a pending or
malformed transcript row) threw "Cannot read properties of undefined
(reading 'role')" inside the gateway event handler — a caught but recurring
error storm on the live team instance. Coerce non-object input to {} at the
source so every downstream `typeof m.<field>` check works and role degrades
to "unknown". The existing safeNormalizeMessage try/catch wrapper existed
precisely for this hazard; the guard now lives in normalizeMessage itself.
2026-07-19 10:54:55 -07:00
WhatsSkiLL
50ce5dedea fix(android): improve Wear thread follow behavior (#111459)
* improve(android): move Wear agent, session, and model pickers to Home

* fix(android): improve Wear thread follow behavior

* fix(android): stabilize Wear thread follow lifecycle

* fix(android): keep streamed Wear tail visible

Co-authored-by: JARVIS-Glasses <whatsskilll@gmail.com>

---------

Co-authored-by: Colin <colin@solvely.net>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-19 10:54:10 -07:00
Shakker
8e0c50380c fix: preserve message-only terminal output (#111493) 2026-07-19 18:51:06 +01:00
Peter Steinberger
83303f1ba8 feat(channels): batch 1 producers drop media placeholder bodies (#111447)
* feat(channels): batch 1 producers drop media placeholder bodies

Media-placeholder program batch 1: Google Chat, Zalo, LINE, and
Mattermost stop minting <media:kind> placeholder bodies. Media-only
messages carry an empty caption plus one structured fact per native
attachment (type-only when a download fails or is rejected, so payload
positions and kind signals stay aligned). The shared
formatMediaPlaceholderText SDK formatter renders text-only carriers
(Mattermost pending-room lines) from structured facts; per-channel
placeholder builders and the expected-count side channel are deleted.

* fix(mattermost): satisfy type, deadcode, and SDK manifest gates
2026-07-19 10:32:09 -07:00
Peter Steinberger
4c55a4fc28 feat(plugins): expose requester context to tool hooks (#111190)
* feat(plugins): expose requester context to tool hooks

* chore(plugin-sdk): restore generated API baseline

* chore: drop release-owned changelog entry

* docs: refresh documentation map
2026-07-19 10:31:58 -07:00
Masato Hoshino
6fb3aae404 fix(gateway): stop the unmanaged gateway named by its lock (#111378)
`openclaw gateway stop` resolved the unmanaged fallback port from config and
discovered pids through lsof only. On hosts without lsof, and whenever the
gateway runs on a port other than the configured one, discovery came back empty
and the command reported `Gateway service disabled.` with `ok:true` and exit 0
while the gateway kept serving.

The gateway lock already holds the verified owner pid and port. Restart learned
to read the lock port in #105241 to keep an unmanaged restart honest when the
configured port drifts; stop's fallback never did. Read the lock identity once in
the not-loaded fallback, use its port for discovery, and signal its owner when no
listener is found. Verified listeners still win when lsof is available.

Signalling still goes through `signalVerifiedGatewayPidSync`, which re-reads argv
immediately before SIGTERM, and lock identities are only returned after a
liveness and start-time or argv check, so dead, recycled, port-less and
non-gateway lock owners are refused and the command stays `not-loaded`.

Closes #72948
2026-07-19 10:20:31 -07:00
Peter Steinberger
d4c7549d1c test(nextcloud-talk): stabilize room timeout proof (#111490) 2026-07-19 10:08:45 -07:00
Shakker
0db0142ec8 fix: preserve streamed text before terminal errors (#108509) 2026-07-19 18:07:12 +01:00
Shakker
1e80a0ee88 chore: format chat run error changes 2026-07-19 18:07:12 +01:00
Shakker
9dd021a5cc fix: align run error on mobile 2026-07-19 18:07:12 +01:00
Shakker
0d511d1a67 chore: remove unrelated run failure changes 2026-07-19 18:07:12 +01:00
Shakker
d2a4025d1f test: cover chat run error recovery 2026-07-19 18:07:12 +01:00
Shakker
25b1c6c400 fix: show run failures above the composer 2026-07-19 18:07:12 +01:00
Shakker
9a699c7037 fix: keep chat errors out of assistant messages 2026-07-19 18:07:12 +01:00
vyctorbrzezowski
86b1961bcc fix: show run failures above composer 2026-07-19 18:07:12 +01:00
mushuiyu886
34978b5a07 fix(browser): report final URL when opening managed Chrome tabs (#111374) 2026-07-19 10:01:42 -07:00
zengLingbiao
0e0432e76e fix(gateway): keep xdg-open stderr truncation surrogate-safe (#111323)
* fix(gateway): keep xdg-open stderr truncation surrogate-safe

* test(gateway): pin xdg-open diagnostic cap

Assert the exact diagnostic content and UTF-16 code-unit length at the surrogate-safe boundary.\n\nCo-authored-by: zenglingbiao <zeng.lingbiao@xydigit.com>

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-19 09:58:44 -07:00
YangManBOBO
996312da9f fix(media): input_image base64 without media_type is forced to image/png even when bytes sniff as another valid image type (#111276)
* fix(media): prefer sniffed image MIME over hardcoded default when input_image media_type is absent

* test(media): cover sniffed MIME precedence

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-19 09:55:56 -07:00
Peter Steinberger
a876451d8b fix(qa): avoid touching operator state during private QA runs (#111446)
* fix(qa): isolate commands from operator state

* fix(qa): isolate runner discovery from operator state

* fix(qa): keep discovery scope internal
2026-07-19 09:52:21 -07:00
Peter Steinberger
197c4f5a04 feat: generic session discussion seam with Control UI panel (#111337)
* feat: add session discussion panel seam

* fix: keep discussion iframe cookie-capable and changelog release-owned

* test: cover cookie-capable discussion iframe sandbox

* fix: stretch discussion panel host so the embed fills the rail

* fix: keep provider failures retryable and probe discussion availability before showing the action

* fix: block same-origin discussion embeds, show action on catalog sessions, close stale panel on reconnect

* fix: scope discussion probes and panel callbacks to the issuing connection

* fix: dedupe in-flight discussion probes per session

* fix: retry superseded discussion probes and key-scope panel results

* fix: regenerate Swift protocol models and extend advertised-method expectations

* style: format chat-pane-header

* fix: regenerate Kotlin protocol models and date discussion methods in the 2026.7 train

* chore: restore release-owned changelog to main state

* chore: keep changelog untouched relative to merge-base
2026-07-19 09:47:47 -07:00
Peter Steinberger
7aedca21b2 test(release): align built-in timing proofs (#111483) 2026-07-19 09:42:16 -07:00
zengLingbiao
a70f7702a9 fix(agents): keep web search error serialization surrogate-safe (#111327)
* fix(agents): keep web search error serialization surrogate-safe

* test(agents): pin web search truncation prefix

Preserve the pre-existing provider_error fallback while proving the exact UTF-16-safe retained prefix.\n\nCo-authored-by: zenglingbiao <zeng.lingbiao@xydigit.com>

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-19 09:39:04 -07:00
xingzhou
269099585a fix(discord): activity widgets recover from stalled gateway responses (#111380)
* fix(discord): bound Activity gateway requests

* test(discord): tighten Activity shell harness

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-19 09:32:29 -07:00
litang9
b15718f8d3 fix: warn before retrying timed-out exec commands (#111390)
* fix: warn before retrying timed-out exec commands

* fix(exec): cover detached approval timeout followups

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-19 09:31:40 -07:00
mushuiyu886
a626330a3b fix(deepinfra): model list fails when HTTP proxy is required (#111428) 2026-07-19 09:30:12 -07:00
Yiğit ERDOĞAN
6c9b31e4d5 fix(ai): honor Retry-After when retry-after-ms is unparseable (#111353)
* fix(ai): honor Retry-After when retry-after-ms is unparseable

The ChatGPT Responses retry path returned as soon as `retry-after-ms` was
present, so a malformed or empty value discarded a valid `Retry-After`
header sent alongside it and the client fell back to blind exponential
backoff. The sibling parser in `provider-transport-fetch.ts` treats the
two headers as ordered preferences and falls through on a parse failure;
this aligns the Responses path with that contract.

* test(ai): deduplicate retry header coverage

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-19 09:26:47 -07:00
VectorPeak
fe9e018045 fix(tavily): reject blank extract URLs (#111333)
* fix(tavily): reject blank extract URLs

Co-authored-by: chatgpt-codex-connector[bot] <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>

* fix(tavily): normalize tool string arrays

Co-authored-by: VectorPeak <73048950+VectorPeak@users.noreply.github.com>

---------

Co-authored-by: chatgpt-codex-connector[bot] <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-19 09:18:33 -07:00
Peter Steinberger
359859d343 fix(gateway): keep first outbound TLS off the main event loop on macOS (system-CA/trustd) (#111473) 2026-07-19 09:01:09 -07:00
Peter Steinberger
87fbc19fe3 fix: complete lint toolchain reuse in worktrees (#111467)
* fix(scripts): complete worktree lint toolchain

* fix(scripts): prepare complete lint pipeline
2026-07-19 08:58:43 -07:00
Peter Steinberger
f8e35afecc feat: avatar upload UI, self-service profiles, server-side avatar route (#111421)
* feat: avatar upload UI, self-service profiles, server-side avatar proxy

* refactor(ui): make resolveAvatar synchronous so avatar updates render immediately

resolveAvatar no longer does async work (gravatar moved server-side), so
the until()-deferred render left the identity chip img stale after
updateSelfUser. Rendering synchronously reuses the img element and
reflects avatarUrl changes on the next render.

* fix(gateway): bound avatar Gravatar lookup to one timeout budget

Linked-email Gravatar lookups ran sequentially, each with its own 5s
timeout, so an upstream outage stalled the held connection for
5s x linked-email-count. Resolve them concurrently and pick the first
hit in email order, keeping primary-email precedence while capping the
request to a single timeout budget.

* fix(gateway): cap per-profile Gravatar fan-out to bound sockets and memory

A profile with many linked emails would fan out one concurrent fetch per
email with no bound, each able to buffer up to MAX_GRAVATAR_BYTES before
the cache budget applies. Cap the lookups to the first 8 primary-ordered
emails so a single avatar request holds a bounded number of sockets and
transient bytes.

* test: reconcile avatar tests with server-side gravatar model after merge

main landed a client-side Gravatar path (browser computes the gravatar.com
URL); this branch resolves avatars through the same-origin gateway route,
which is the only approach that works under the Control UI CSP (img-src
'self'). Update the identity-section, app-sidebar footer chip, and
profile-page e2e expectations to assert the canonical /api/users/<id>/avatar
route (gateway serves the Gravatar fallback behind it) instead of a
CSP-blocked direct gravatar.com image.

* test(gateway): fix fetchImpl mock param type for check-test-types

The Gravatar mock typed its param as (url: string), narrower than the
fetchImpl signature (URL | RequestInfo); function-param contravariance
made it unassignable under tsgo:test. Widen to the fetch input type and
extract the URL via a small helper that avoids no-base-to-string on a
Request.

* fix(gateway): short-circuit Gravatar lookups and version presence avatar URL

Two autoreview findings on the avatar path:

- Privacy: the concurrent Promise.all fan-out queried every linked email's
  hash against Gravatar even when the primary already had one, exposing
  secondary work/personal addresses. Resolve sequentially with short-circuit
  so a later hash is disclosed only after the earlier email is a definite
  miss, under one shared request deadline that still bounds total latency.

- Staleness: presence published an unversioned /api/users/<id>/avatar, so a
  reconnecting viewer's <img> kept the stale cached image after an upload.
  Carry the profile revision as ?v=<updatedAt> so a changed avatar refetches.
2026-07-19 08:52:01 -07:00
Peter Steinberger
1ef99e6dfb feat(agents): authoritative write diffs end to end (#111456)
* feat(agents): authoritative write diffs end to end

The write tool now reports what actually happened: no-op (changed:false),
created files (created:true with a bounded numbered diff), and overwrites
(created:false with a real old-to-new diff when the old content is
readable text within byte, line, and edit-distance budgets — unknown
removals are never fabricated). The gateway history projection forwards
the changed/created flags, the web and iOS write rows prefer the
authoritative diff and suppress the +N -0 stat when creation is not
proven, and the iOS transcript cache persists one bounded apply_patch
envelope so patch diffs survive cold opens.

* chore(i18n): sync native inventory
2026-07-19 08:48:26 -07:00
Peter Steinberger
218c8a5496 test(signal): make status reaction timing deterministic (#111477) 2026-07-19 08:43:10 -07:00
Peter Steinberger
ca3a1873a6 fix(test): make broad shard execution deterministic (#111416)
* fix(test): harden broad shard execution

* test: allow broad-profile contention

* style(telegram): remove redundant chat id cast

* style(test): preserve setup test spacing
2026-07-19 08:39:16 -07:00
Peter Steinberger
8c7f09a3c4 feat(system-agent): durable rolling transcript with openclaw.chat.history (#111440)
* feat(system-agent): durable rolling transcript with openclaw.chat.history

* chore(ui): scanner-safe auth root in custodian session ownership key

* fix(system-agent): durable reset boundary for transcript seeding

* fix(ui): ownership-aware custodian session rotation with capability gating

* fix(ui): bounded history load and reconnect-safe transcript refresh

* fix(ui): keep unknown-outcome warning and event nudges across transport transitions

* fix(ui): flag-backed unknown-outcome warning independent of retry state

* fix(ui): armed ownership boundaries and abandon-before-rotate ordering

* chore(ui): localize the server-side sensitive mask in durable history

* fix(ui): repair rebase-dropped import and mock arity

* chore: gate fixes — void history handler, module-local transcript internals

* refactor(gateway): leaf history-turn contract to keep the module graph acyclic

* chore(gateway): stamp openclaw.chat.history with its introduction train

* test(gateway): record openclaw.chat.history in the 2026.7 train pin
2026-07-19 08:37:00 -07:00
metaforismo
a53461b2b1 fix(ios): render Markdown lists and thematic breaks (#111223) 2026-07-19 11:24:30 -04:00
Peter Steinberger
223235044a fix(cli): exit cleanly on subcommand-group --help (lazy register handle leak) (#111433)
Lazy command-group registration must import the real command tree to render complete help. On macOS with NODE_USE_SYSTEM_CA=1, those imports start Node's system CA loader worker; natural shutdown can block in CleanupCachedRootCertificates while joining LoadSystemCACertificates.

Request the existing stream-flushed one-shot exit immediately after successful Commander help parsing, covering both CommanderError and normal-return plugin help without affecting leaf command execution.
2026-07-19 08:10:56 -07:00
Peter Steinberger
356bec6f5d fix(usage): price usage rows with the owning agent's model registry (#111389)
* fix: scope usage pricing by agent

* fix(usage): satisfy pricing check gates
2026-07-19 07:57:50 -07:00
Peter Steinberger
1f507162ee fix(ci): validate sticky importer restores (#111444) 2026-07-19 07:57:46 -07:00
Peter Steinberger
31423de908 fix(channels): preserve ingress shutdown and named-account setup (#111449)
* fix(channels): repair plugin prerelease regressions

* chore: leave release notes to release automation

* fix(channels): update plugin SDK API baseline
2026-07-19 07:57:37 -07:00
Dallin Romney
6dc6d5efee fix(qa): wait for active config revision after restart (#111073) 2026-07-19 07:46:32 -07:00
Peter Steinberger
adf02e8de4 refactor(plugin-sdk): retire global provider publication (#111426)
* refactor(plugin-sdk): retire global provider publication

* docs: refresh SDK migration map
2026-07-19 07:44:11 -07:00
Peter Steinberger
783a5d21cf refactor(config): purge numeric tuning knobs behind built-in defaults (#111382) 2026-07-19 07:35:45 -07:00