crabbox run rsyncs the invoking repo by default, which blew the setup
budget when the gateway provisioned from a source checkout. Workspace
transfer is owned by the worker tunnel, so setup passes --no-sync.
Live AWS E2E hit the designed fail-stop: worker bootstrap requires Node on
the leased host, and bare AWS leases ship without it. Implement the plan's
provider setup phase as an opt-in `setup` profile key: after the lease is
SSH-ready the provider runs the command via `crabbox run --keep=true`,
gets its own timeout budget on top of provision, and stops the lease
before surfacing a failure so no unbootstrapped box leaks. Setup runs on
every provision attempt (including replay adoption), so commands must be
idempotent.
Replaces the Settings -> Worktrees column grid (which collapsed to unlabeled
stacked cells at common window widths) with list-item rows: name + status
chip, repo/branch/owner meta line, right-aligned last-active + actions.
Rows sort by most recent activity. Deletes the now-unused generic .table
CSS family and stale column-header i18n keys.
Live cloud-worker E2E surfaced that sessions.dispatch was advertised but
dispatched as 'unknown method': the handler existed in sessions.ts but was
never added to the lazy method-to-loader table — the same class of break
terminal.attach/list/text shipped with. Add the route and broaden the
existing terminal.*-only completeness test to every core descriptor
(aux-injected and control-ui methods excluded explicitly).
Both settings grant local UI automation, so run PeekabooBridge only while
Allow Computer Control is on. The toggle now reflects the effective state and
is disabled when Computer Control is off; users drive Peekaboo via its own Mac
app in that case. Removes the confusing standalone bridge switch.
The settings shell capped page headers at 1120px while narrow settings
pages use a 760px column, leaving the title floating left of the
content. The header now adopts the column width of the page below it
(760px default, 1120px for wide pages); fill-height surfaces without a
settings-page column are unchanged.
* feat(ui): add settings design-language foundation (tokens, settings.css, helpers)
* refactor(ui): move settings workspace shell styles into settings.css
* refactor(ui): migrate all settings surfaces to the unified settings design language
Every settings surface (General quick+advanced schema form, Appearance,
Communications, Automation, MCP, Infrastructure, AI Agents, Channels,
Connection, About, Profile, Model Providers, Plugins, Skills, Skill
Workshop chrome, Devices, Worktrees, Debug, Logs, Activity, Automations,
Sessions, Usage chrome) now renders through the settings-ui helpers and
settings.css: sections as plain uppercase headings outside one flat
group surface, hairline-divided rows, a single toggle/segmented/status
vocabulary, status dots instead of pills, and no cards-in-cards or enter
animations. Deletes the qs-*/cfg-*/config-section-card/account-card/
plugins-row/cron-editor-card/session-badge/agent-pill families and
orphaned shared rules.
* style(ui-docs): format design-system docs
* fix(ui): make activity statusKind lookup exhaustive for consistent-return lint
* fix(ui): address settings design-language review findings
Label-wrapped toggle rows with required accessible names, named selects
and cron form controls, busy-disabled segmented controls with restored
theme-transition anchors, collapsible skill groups, semantic plugin
headings, gateway connected status, paired-devices empty state, logs
subtitle, cron prompt help, and keyboard-accessible session goal
objectives.
* fix(ui): harden settings primitives per review round two
Wrap row action clusters, fully-inset nav focus ring, restore number
steppers in the schema form, cap node capability lines, keep the named
Activity region landmark, and associate cron help text via the row
label.
* fix(ui): skip empty section headings and fix the toggle doc example
* docs(ui): import renderSettingsToggleRow in the settings example
* fix(ui): rename number stepper delta to avoid shadowing
#106332 landed using revokeAttachGrantsForSession after #106038 removed it
as dead, breaking prod-types compile on every PR merge ref. Restores the
helper verbatim from 2deb696ef4 with a doc comment.
* feat(gateway-protocol): add session placement schema
Closed state discriminator for session execution placement (local/requested/provisioning/syncing/starting/active/draining/reconciling/reclaimed/failed), sessions.dispatch params, and worker-admission transcript/live cursor extensions. Swift protocol models mirror the schema.
* feat(state): add worker session placement table
worker_session_placements rows carry placement state, transition generation, worker ownership metadata, ACK cursors, and the turn claim columns used for atomic admission.
* feat(cloud-workers): add durable placement state machine store
SQLite-backed placement store split by concern: state table (placement-state), discriminated record types + shape invariants (placement-record), row codec + CAS transition values (placement-row-codec), atomic turn-claim admission/release/waiters (placement-turn-claims), and lifecycle CAS transitions (placement-store).
* feat(cloud-workers): sync workspaces and attach sessions to worker environments
Environment service session attachment + turn credentials, tunnel workspace commands over a dedicated SSH runner, and git/plain workspace sync into $HOME/.openclaw-worker/workspaces with an immutable manifest. Symlink escapes are rejected locally before transfer (macOS openrsync stat-fails them opaquely) and again by the remote manifest guard.
* feat(worker): run one-shot embedded turns from launch descriptors
Worker runtime executes a single embedded turn from a stdin launch descriptor and reports completed/failed/fenced on stdout for the gateway launcher. Terminal lifecycle live events are deferred past the final transcript flush; transcript projection helpers are shared via transcript-message instead of duplicated in the runtime.
* feat(cloud-workers): dispatch placements and route worker turns
Dispatch service drives local->requested->provisioning->syncing->starting->active with failure teardown (placement-dispatch-failure) and restart/runtime recovery incl. lost-worker reclaim (placement-dispatch-recovery). Worker turn launcher claims the placement turn atomically, builds a windowed launch descriptor (worker-turn-payload), runs the remote one-shot worker, and reconciles the committed transcript; agent runners route turns through the session placement admission provider.
* feat(gateway): expose session placement RPCs and startup reconciliation
sessions.dispatch RPC with lifecycle admission barriers, operator-facing placement projection on session listings, placement-aware session reset guard, and startup/interval reconciliation wiring for worker placements.