Commit Graph

3366 Commits

Author SHA1 Message Date
Ayaan Zaidi
a18708c5c1 feat(gateway): add persisted crash-loop breaker and fatal-config exit contract
Gateways that crash-loop under systemd/launchd previously flapped forever
with no persisted state and no supervisor signal. The gateway now records
every boot outcome in the shared state DB (gateway_boot_lifecycle); three
unclean boots within five minutes trip a breaker that boots the gateway in
safe mode: full control plane available, channel/provider auto-start
suppressed at the channel-manager seam (startup, config hot-reload,
secrets.reload) with manual channels.start override, one stability bundle
per trip. The breaker re-evaluates each boot and logs recovery when the
window drains. Slow shutdowns record forced_stop and never count as
crashes; /readyz stays ready and reports suppressed channels; the health
monitor treats suppressed accounts as expected-stopped. Fatal invalid-config
errors now exit 78 (EX_CONFIG) on both the startup and unhandled-rejection
paths, engaging the systemd unit's pre-existing RestartPreventExitStatus=78
so supervisors stop relaunching until the config is fixed.
2026-07-06 06:45:55 +00:00
Peter Steinberger
62d957634c fix(agents): cap effective compaction reserve (#100621)
* fix(agents): cap effective compaction reserve

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* docs(changelog): link small-context compaction fix

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-06 06:49:44 +01:00
Peter Steinberger
dd972b8bf7 fix: replies fail when memory flush is exhausted (#100618)
* fix(reply): recover from memory flush exhaustion

Co-authored-by: 忻役 <xinyi@mininglamp.com>

Co-authored-by: Jerry-Xin <jerryxin0@gmail.com>

* test(reply): remove unused memory flush result

---------

Co-authored-by: Jerry-Xin <jerryxin0@gmail.com>
2026-07-06 06:41:16 +01:00
Peter Steinberger
87d8fa7e3a fix(config): compare size guard against canonical input (#100591)
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-06 05:47:49 +01:00
Peter Steinberger
eedd309c4a fix(config): dedupe repeated validation warnings (#100569)
* fix(config): dedupe repeated validation warnings

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* docs(changelog): defer config diagnostic note

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-06 05:30:04 +01:00
Sulaga
2b51c255f8 feat(tencent): add Tencent Hy3 provider (TokenHub and TokenPlan) (#99076)
Summary:
- Merged feat(tencent): add Tencent Hy3 provider (TokenHub and TokenPlan) after ClawSweeper review.

Automerge notes:
- Ran the ClawSweeper repair loop before final review.
- Included post-review commit in the final squash: fix(tencent): preserve TokenHub auth compatibility
- Included post-review commit in the final squash: refactor(tencent): unify TokenPlan env/flag naming with TokenHub
- Included post-review commit in the final squash: docs: refresh Tencent provider docs metadata
- Included post-review commit in the final squash: fix: allow TokenPlan provider config overlays
- Included post-review commit in the final squash: docs: dedupe Tencent provider glossary labels
- Included post-review commit in the final squash: fix(tencent): repair TokenHub model defaults

Validation:
- ClawSweeper review passed for head 30c9fc130f.
- Required merge gates passed before the squash merge.

Prepared head SHA: 30c9fc130f
Review: https://github.com/openclaw/openclaw/pull/99076#issuecomment-4888527271

Co-authored-by: leisang <leisang@tencent.com>
Co-authored-by: Mason Huang <masonxhuang@tencent.com>
Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
Approved-by: hxy91819
2026-07-06 04:29:48 +00:00
Hemant Sudarshan
bacd1c512a fix(browser): time out remote tab enumeration (#80147)
* fix(browser): time out remote tab enumeration

* chore: remove stale changelog entry

* fix(browser): isolate timed-out read cleanup

* fix(browser): isolate timed-out read cleanup

* test(browser): satisfy connection regression lint

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 00:56:05 +01:00
Peter Steinberger
aaf5ab910c fix: land ten small reliability fixes (#100483)
* fix(agents): harden LSP process failures

Source: #100450

Co-authored-by: morluto <williamlin1327@gmail.com>

* fix(sandbox): report effective workspace layout

Sources: #100435, #100439

Co-authored-by: Aniruddha Adak <aniruddhaadak80@users.noreply.github.com>

Co-authored-by: ZengWen-DT <ceng.wen@xydigit.com>

* fix(security): fail install checks on stream errors

Source: #100413

Co-authored-by: 陈宪彪0668000387 <chen.xianbiao@xydigit.com>

* fix(android): normalize all-day calendar events

Source: #100032

Co-authored-by: NianJiuZst <180004567+NianJiuZst@users.noreply.github.com>

* fix(ios): serialize push-to-talk lifecycle

Source: #99942

Co-authored-by: NianJiuZst <180004567+NianJiuZst@users.noreply.github.com>

* fix(talk): reject inherited provider names

Source: #99849

Co-authored-by: zenglingbiao <zeng.lingbiao@xydigit.com>

* fix(android): stop voice capture in background

Source: #99840

Co-authored-by: xialonglee <li.xialong@xydigit.com>

* fix(cron): preserve fallback result classification

Source: #99913

Co-authored-by: jincheng-xydt <xu.jincheng@xydigit.com>

* fix(google): bound Vertex response decompression

Source: #99812

Co-authored-by: 黄剑雄0668001315 <huang.jianxiong@xydigit.com>

* fix(plugins): report malformed discovery JSON

Source: #99892

Co-authored-by: 陈宪彪0668000387 <chen.xianbiao@xydigit.com>

* test(sandbox): configure non-default workspace fixture

* test: fix small-fix batch validation

---------

Co-authored-by: morluto <williamlin1327@gmail.com>
Co-authored-by: ZengWen-DT <ceng.wen@xydigit.com>
Co-authored-by: 陈宪彪0668000387 <chen.xianbiao@xydigit.com>
Co-authored-by: NianJiuZst <180004567+NianJiuZst@users.noreply.github.com>
Co-authored-by: zenglingbiao <zeng.lingbiao@xydigit.com>
Co-authored-by: xialonglee <li.xialong@xydigit.com>
Co-authored-by: jincheng-xydt <xu.jincheng@xydigit.com>
Co-authored-by: 黄剑雄0668001315 <huang.jianxiong@xydigit.com>
2026-07-06 00:08:51 +01:00
Peter Steinberger
4da855a1ff fix(slack): prefer native status by default (#100462)
Co-authored-by: Peter Steinberger <steipete@openai.com>
2026-07-05 23:10:08 +01:00
Peter Steinberger
8f9dd7af9e test: remove redundant reply concurrency warmup 2026-07-05 17:11:34 -04:00
Omar Garcia
92af54b64f fix: heartbeat survives transient filesystem read races (#100389)
* fix(heartbeat): retry transient workspace reads

* fix(heartbeat): bound transient filesystem retries

* fix(sessions): stop retrying permanent read failures

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-05 22:07:11 +01:00
Peter Steinberger
5e0504aa43 feat(ui): simplify Talk settings (#100453)
Co-authored-by: Peter Steinberger <steipete@openai.com>
2026-07-05 21:31:52 +01:00
Peter Steinberger
c757675f34 improve: keep isolated tests under one second (#100019)
* test: speed up isolated test suite

* test: finish isolated latency cleanup

* test: eliminate remaining isolated latency spikes

* test: remove final isolated timing outliers

* test: bound full-suite tooling processes

* test: bound native test process lifetime

* test: warm isolated runtime suites

* test: eliminate final isolated timing outliers

* test: fix isolated timing fixture types

* test: make timeout cleanup timing deterministic

* test: pin media manifests to source checkout

* test: isolate provider manifest contracts

* test: eliminate residual isolated timing spikes

* test: restore final isolated timing fixes

* test: eliminate remaining isolated timing spikes

* test: warm Zalo lifecycle imports

* test: keep isolated suites below one second

* test: use readable browser response fixtures
2026-07-05 10:57:19 -07:00
ragesaq
01b34139b1 feat(clickclack): publish durable agent activity rows (commentary + tool)
Opt-in per-account (agentActivity: true): the ClickClack channel extension
now mirrors streamed commentary and tool progress into durable
agent_commentary / agent_tool message rows via the existing
replyOptions.onItemEvent seam, coalesced so one logical step is one row.
Requires a bot token carrying the agent_activity:write scope; publishing
is best-effort and never interrupts final text delivery.
2026-07-05 09:32:37 -07:00
Peter Steinberger
f607ba0691 feat(control-ui): session grouping with drag & drop and channel categorization (#100262)
* feat(control-ui): session grouping with drag & drop and channel categorization

* fix(control-ui): restrict session drag&drop to private session-key payloads

* chore(i18n): translate session grouping strings across control ui locales

* chore(protocol): regenerate swift gateway models for session category

* chore(protocol): regenerate swift gateway models for session category
2026-07-05 09:13:17 -07:00
Peter Steinberger
1f484a8dbd test: speed up and stabilize full suite 2026-07-05 08:00:23 -04:00
Vincent Koc
214ee02359 test(docs): align rewrite guards with current wording (#100183) 2026-07-04 22:23:10 -07:00
truiem-bot
420b3cdd29 feat(slack): support per-channel replyToMode (#82253)
* feat(slack): support per-channel replyToMode

* fix(slack): align per-channel threading contexts

* fix(slack): preserve queued channel reply mode

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-04 23:41:24 -04:00
Hana Chang
4ec7842be0 feat(slack): add ignoreOtherMentions channel config (#53467)
* feat(slack): add ignoreOtherMentions channel config

Mirrors the existing Discord `ignoreOtherMentions` option for Slack
channels. When set on a channel entry, drop channel/group/MPIM messages
that mention another user or subteam but not this bot — the inverse of
`requireMention`. Useful in busy channels where the bot would otherwise
reply to side conversations.

Implementation lives in `prepareSlackMessage` right after the
`allowBots: "mentions"` bot-drop gate and before the `shouldRequireMention`
non-mention drop, so it integrates with the new `messageIngress` ingress
pipeline. The gate is conditional on `canDetectMention` (botUserId
resolvable via `auth.test` or explicit mention regexes configured) to
avoid false drops when we have no reliable way to tell bot vs non-bot
mentions apart.

Slack implicit mentions (thread participation) are intentionally NOT
respected here — they fire for every message in a bot-participated
thread, so honoring them would defeat the feature in any active thread.
The gate matches on `wasMentioned` (explicit) and `hasAnyMention`, with
the existing `shouldBypassMention` override (e.g. authorized commands)
also respected.

Includes config types, zod schema, channel-config resolution,
prepare-message implementation, full test coverage in
`prepare.test.ts`, regenerated channel + docs baselines, and Slack
docs entry.

* refactor(slack): harden other-mention filtering

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-04 20:08:14 -04:00
Dallin Romney
c2fc7aa28a refactor: consolidate exact keyed async queues (#99691)
* refactor: consolidate keyed async queues

* chore: refresh merge-ref CI

* refactor: encapsulate keyed queue ownership
2026-07-04 16:45:07 -07:00
Peter Steinberger
5938c7809a feat(gateway): terminal detach/reattach with output replay, terminal.list/text 2026-07-04 15:58:17 -07:00
xingzhou
27d6c88167 feat: add utility models and generated session titles (#87643)
* feat: add utility model session titles

* docs: clarify utility model calls

* fix: budget utility title reasoning

* docs: refresh config baseline

* docs: refresh plugin sdk baseline

* docs: refresh plugin sdk baseline

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-04 17:24:51 -04:00
Dizesales
ff58d23e8f fix(telegram): resolve local Bot API container file paths against trustedLocalFileRoots [AI-assisted] (#91984)
* fix(telegram): resolve local Bot API container file paths against trustedLocalFileRoots

When the self-hosted telegram-bot-api server runs with --local inside a
container, getFile returns absolute file_path values rooted at the
container data dir (/var/lib/telegram-bot-api/...). The host process
mounts that volume at a different path, so the absolute path never
matches a trustedLocalFileRoots entry and inbound media fails to
materialize (messages reach the agent as bare <media:document>
placeholders without bytes).

Map container-absolute paths back to relative candidates and resolve
them under each trusted root, trying both with and without the
per-token directory segment the local server uses. Relative file_path
values are now also resolved against trusted roots before falling back
to the HTTP file endpoint, which keeps large-file (>20MB) local-mode
downloads working.

Path traversal protections: candidates are normalized, NUL bytes and
dot-segments are rejected, and reads stay behind the trusted-roots
file-access sandbox.

AI-assisted (Claude Code), validated with targeted vitest run.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Co-Authored-By: Dizesales <269209351+Dizesales@users.noreply.github.com>

* fix(telegram): map local Bot API container media paths

Co-authored-by: Lucas Magalhaes <ellucasrj@gmail.com>

* chore(config): refresh channel metadata

---------

Co-authored-by: Lucas Magalhaes <ellucasrj@gmail.com>
Co-authored-by: Dizesales <269209351+Dizesales@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-04 17:07:51 -04:00
Peter Steinberger
7e8ea61b08 fix(gateway): harden embedded terminal policy (#100081)
* fix(gateway): harden operator terminal policy

* test(gateway): complete terminal context coverage

* test(gateway): narrow terminal policy mock

* test(gateway): satisfy CSP header lint

* docs: refresh terminal docs map

* test: route terminal temp helper importer
2026-07-04 16:34:07 -04:00
Kevin Lin
d214622320 feat(update): support extended-stable package updates (#99811)
* feat(update): add extended-stable channel contract

* feat(update): implement extended-stable package flow

* docs(update): document extended-stable behavior

* fix(update): preserve extended-stable preflight guarantees

* fix(update): reject extended-stable Git repair

* fix(update): support loopback extended-stable canaries

* fix(update): preserve scoped package roots
2026-07-04 12:34:29 -07:00
Dallin Romney
bd3ad2feb0 refactor(infra): consolidate identifier digests (#99788) 2026-07-04 12:04:46 -07:00
Peter Steinberger
6df0fb818d feat: add session thread management (#98510)
* feat: add session thread management

Squash of codex/thread-management (025aefc3ad1) onto origin/main:
pin/archive/rename sessions via sessions.patch, archived-aware
sessions.list, lifecycle fencing, read-only archived chat, SDK +
Swift protocol support, Control UI session management.

* refactor(ui): minimal session rows with hover-revealed management

Chat picker and sidebar recents share session-row primitives: single-line
rows, relative timestamps, rename/archive/pin revealed on hover or focus,
accent pin badge for pinned rows, and an active-run spinner in the trail
slot. Sidebar floats pinned sessions above recency via the shared
comparator and gains archive/pin actions through the unified sessions-view
patch fallback. Archive eligibility is one shared policy
(canArchiveSessionRow); the sidebar/picker active-run tooltip now uses the
real sessionsView.activeRun locale key.

* fix: align session admission with mailbox-era main

Integration fixes after rebasing onto current main: sessions_list mailbox
test expectations learn the archived/pinned row fields and archived:false
list param; gateway agent admission treats a session as deleted only when
both the requested and canonical alias sets miss it (legacy bare-main
stores and exec-approval followups read under different spellings); cron
persist tests keep a consistent store across claim-guarded persist calls;
the ACP abort hook test asserts abort propagation instead of signal
identity; drop dead lifecycle writes flagged by no-useless-assignment and
fix the promise-executor return in the codex compact test.

* fix(qa): align UI e2e and shard fixtures with redesigned session rows

Sidebar session rows are wrapper divs with an inner link now: update the
navigation browser tests and chat-flow Playwright selectors. Seed a real
per-test session store for the auto-fallback admission guard instead of
depending on leftover host files at /tmp/sessions.json. Teach the
test-projects routing fixture about the suites that newly import the
shared temp-dir helper. Document the Codex thread-format contract for
archivedAt/pinnedAt (flag derived from server-stamped timestamp, epoch ms
here vs Codex epoch seconds) at the type and in the session docs.

* test: route auto-fallback suite through temp-dir helper plans

The auto-fallback suite now imports the shared temp-dir helper for its
seeded session store, so the top-level helper routing fixture must list
it in the auto-reply plan.
2026-07-04 14:30:47 -04:00
Peter Steinberger
f083f35ddb feat(gateway): embedded operator terminal (PTY) with fail-closed isolation and kill switch 2026-07-04 11:18:41 -07:00
Vincent Koc
db7286187f fix(transcripts): mark delivery mirrors as artifacts (#99855)
* fix(transcripts): mark delivery mirrors as artifacts

* fix(transcripts): mark delivery mirrors as artifacts

* fix(transcripts): mark delivery mirrors as artifacts
2026-07-04 04:02:55 -07:00
Peter Steinberger
82610d3b15 feat(whatsapp): add requester-bound MeowCaller calls (#99635)
* feat(whatsapp): add requester-bound MeowCaller calls

* fix(whatsapp): align MeowCaller CLI contract

* test(whatsapp): narrow MeowCaller audio path

* fix(whatsapp): budget MeowCaller setup phases

* feat(whatsapp): gate experimental calls

* fix(whatsapp): use managed call temp storage

* fix(whatsapp): preserve channel entry boundary
2026-07-04 02:19:28 -07:00
Vincent Koc
29814252e8 fix(config): restrict config paths to own properties (#99846)
Co-authored-by: zenglingbiao <zeng.lingbiao@xydigit.com>
2026-07-03 23:52:52 -07:00
ZOOWH
9aa4250c58 fix(cli): hide synthetic Claude reseed prompts (#99653)
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-03 22:56:06 -07:00
Dallin Romney
553b41687d refactor(net): consolidate URL protocol predicates (#99719) 2026-07-03 20:03:55 -07:00
Dallin Romney
1a04c9c2ad refactor: consolidate string reader mechanics (#99676)
* refactor: consolidate string reader mechanics

* fix: declare model catalog normalization dependency

* fix: keep model catalog dependency-free

* refactor(core): keep string readers internal
2026-07-03 18:00:07 -07:00
Dallin Romney
c7aca4f029 refactor: consolidate async timing helpers (#99721) 2026-07-03 17:58:15 -07:00
Dallin Romney
a633887c34 refactor(models): consolidate catalog ref parsing (#99682) 2026-07-03 16:28:25 -07:00
Peter Steinberger
af420dbee5 fix(macos): remote mode fails with managed SSH aliases (#99661)
* fix(macos): support managed SSH aliases safely

* test(macos): serialize gateway state isolation
2026-07-03 15:19:01 -07:00
Jesse Merhi
8c915f0685 feat(signal): add target aliases (#95738)
* feat(signal): add target aliases

* fix(signal): canonicalize alias delivery targets

* fix(signal): harden alias target resolution

* test(signal): cover formatted media aliases

* test(signal): align approval alias proof with request shape

* Reuse Signal alias map for directory listing
2026-07-03 23:40:10 +10:00
Jesse Merhi
8abc633cf8 Add Signal status reaction lifecycle (#98791) 2026-07-03 21:42:39 +10:00
zengLingbiao
459b93e3dd fix(config): use Object.hasOwn instead of in operator in restoreOriginalValueOrThrow (#99152)
* fix(config): use Object.hasOwn instead of in operator in restoreOriginalValueOrThrow

* test(config): add regression test for prototype-named keys in restoreRedactedValues

* test(config): focus prototype restore regression

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-03 04:32:25 -07:00
Ayaan Zaidi
0bf66ab7bd fix(sessions): scope ambient transcript watermark to session id
Ambient transcript watermarks now carry the transcript session id, resolve only for the current session entry, and skip stale room-event hooks that no longer match the prepared transcript session.

This protects Telegram group prompt windows after reset by backfilling rows that are no longer present in the new session transcript, while preserving steady-state watermark filtering within one session.

Fixes #99373

Release-note: fixes Telegram group context loss after session reset when ambient transcript watermarks outlived the transcript they referenced.
2026-07-02 22:57:01 -07:00
Ayaan Zaidi
3ad465d32b fix(telegram): persist ambient transcript rows
Persist room-event observations as durable bare user transcript rows and carry an ambient transcript watermark through session state so Telegram chat windows only include the unpersisted gap.

Fixes #99257
2026-07-02 19:01:22 -07:00
Dallin Romney
5fa2082655 refactor(shared): consolidate core leaf lazy loaders (#99278) 2026-07-02 18:06:00 -07:00
Peter Steinberger
a004e18b4b test(sessions): publish concurrency markers atomically (#99212) 2026-07-02 12:30:45 -07:00
moguangyu5-design
826c84ea19 fix(config/sessions): narrow reply-session initialization revision to identity fields (#98835)
* fix(config/sessions): narrow reply-session initialization revision to identity fields

The initialization guard compared the full persisted session entry, so
background touches to updatedAt, heartbeat timestamps, context-budget
metadata, etc. produced false-positive stale-snapshot conflicts and the
"reply session initialization conflicted" error.

Only sessionId and sessionFile matter for detecting a session rotation.
Narrow the revision to those identity fields and add a regression test.

Fixes #98672

* fix(config/sessions): merge current metadata when reply-init identity guard passes

* fix(config/sessions): preserve only snapshot-drifted metadata in reply-init commit

* fix: preserve cleared reply-session metadata

* fix: allow same-session reply initialization drift

---------

Co-authored-by: moguangyu5-design <moguangyu5-design@users.noreply.github.com>
Co-authored-by: Josh Lehman <josh@martian.engineering>
2026-07-02 10:59:45 -07:00
Ayaan Zaidi
b07fd6f1b4 fix(telegram): keep group history always on 2026-07-02 09:22:59 -07:00
Shakker
c032f9809d fix: preserve built-in channel auto-enable fallback 2026-07-02 17:13:38 +01:00
Shakker
d2d20b5fed test: cover repaired channel plugin allowlist 2026-07-02 17:13:38 +01:00
Jacob Tomlinson
48f4a09e1f fix: enable repaired Mattermost plugin on startup 2026-07-02 17:13:38 +01:00
Josh Avant
0cdce79221 docs: update mobile app release messaging (#98843) 2026-07-01 21:11:56 -05:00