Commit Graph

1516 Commits

Author SHA1 Message Date
Peter Steinberger
c48ed95533 feat(ui): merge Instances into a unified Devices page (#104561)
* chore(i18n): regenerate locale bundles for Devices rename

* chore(i18n): regenerate locale bundles for Devices rename

* chore(i18n): sync locale metadata for Devices rename

* fix(gateway): stop tracking ephemeral control-plane clients in presence

* feat(ui): merge Instances into a unified Devices page

* docs: point Instances references at the unified Devices page

* chore(i18n): reconcile locale metadata after rebase

* fix(gateway): keep test-mode clients tracked in presence; refresh docs map
2026-07-11 13:36:07 -07:00
Peter Steinberger
8fe6ac7fb9 refactor: remove pre-2026.4 compatibility shims and legacy migrations (#104650)
* refactor(matrix): retire pre-2026.4 legacy crypto and flat-storage migrations

* refactor(cli): drop pre-tsdown daemon-cli dist compat shim from the build

* refactor(diffs): remove deprecated image*/format tool params and output aliases

* refactor(ui): drop pre-gateway-scoped localStorage readers and legacy theme map

* refactor: remove assorted pre-2026.4 compat shims and deprecated aliases

* fix(discord): map legacy thread-binding fields in the doctor JSON import

* fix(msteams): keep bot read fallback for legacy imported conversation rows

* test(msteams): cover legacy bot-only imported conversation references

* fix(ui): keep channel-prefixed session key display fallback

* chore: refresh native i18n inventory and build-docker step count

* chore(matrix): drop now-unused migration-config module

* chore: re-pin plugin SDK public export budget after compat removals

* chore: refresh native i18n inventory after rebase

* chore: re-pin plugin SDK callable budget and refresh i18n inventory after rebase
2026-07-11 13:22:27 -07:00
Peter Steinberger
2bb79d10fd feat: parents get durable state-change notices when humans interact with child sessions (#104636)
* feat(sessions): durable session state events with parent invalidation

Parents no longer act on stale child-session state: a durable, typed
signal log (session_state_events + per-agent heads) records direct human
messages to children, child spawn/terminal outcomes, goal changes, and
compaction at the seams where those facts are created. A frozen-watermark
cursor protocol (session_watch_cursors) delivers one coalesced system
notice to the parent through the existing system-event + heartbeat wake
idiom, acknowledged at the shared generic drain, with a deferred startup
sweep for restart recovery. session_status gains stateVersion and
changesSince (with exact pruned-history gap signaling); sessions_list
rows gain stateVersion.

Closes #104565

* chore: regenerate docs map and prompt snapshots for session_status changesSince
2026-07-11 12:19:02 -07:00
Peter Steinberger
49b5b862ac feat: node-hosted plugins — dynamic tools, MCP servers, and skills (#90431)
* feat: node-hosted plugins — dynamic tools, MCP servers, and skills

Nodes become declarative plugin hosts:
- node.pluginTools.update: node hosts publish plugin-registered agent tool
  descriptors; gateway materializes them as agent tools executing via
  node.invoke under the node command allowlist, with tools.effective
  invalidation and node online/offline removal.
- Trusted paired-node descriptors: no gateway-side plugin registration
  required; gateway.nodes.pluginTools.enabled off-switch (default on);
  description/count caps; deterministic node-prefixed collision names.
- Declarative node-hosted MCP: nodeHost.mcp.servers (McpServerConfig shape)
  starts MCP clients on the node host, publishes tools as pluginId node-mcp,
  executes via built-in mcp.tools.call.v1 with per-layer timeouts, failure
  isolation, and orphan-safe shutdown. No re-pairing when servers change.
- Node-hosted skills: node.skills.update publishes ~/.openclaw/skills
  content (64 skills/64KB/512KB caps both sides); gateway merges them into
  the skills snapshot while connected and exec host=node is available, with
  node:// locators, node-prefixed collisions, disabled command dispatch,
  and gateway.nodes.skills.enabled + nodeHost.skills.enabled switches.
- Security: node-supplied pluginIds cannot satisfy pluginId-scoped tool
  allowlists unless gateway-registered; reserved node-mcp id requires the
  core MCP descriptor shape; protocol registry kept out of public
  plugin-sdk dts.
- E2E: pond harness proves publication, MCP round-trip, skills locator, and
  disconnect/reconnect for all three surfaces.

* style: format node-plugin-tools test

* fix(skills): keep status loader unfiltered when eligibility is passed

skills.status started passing eligibility for the node-skill merge, which
flipped loadWorkspaceSkillEntries into filtered mode and dropped disabled
skills from status reports (QA plugin-lifecycle-hot-reload timeout). Status
now merges node skills explicitly around an unfiltered load. Also: regen
docs_map for new node docs sections; add the intentional node-host MCP
onclose suppression to the lint-suppression allowlist.
2026-07-11 10:16:34 -07:00
Peter Steinberger
fa77fe10d5 chore: migrate active GPT-5.5 references to GPT-5.6 (#104452)
* chore(models): migrate active GPT-5.5 references

* test(workboard): expect GPT-5.6 Sol default

* chore: keep release notes in PR body

* test(models): align picker fixtures with Sol default

* test: update PDF default model expectation

* test(qa): migrate thinking smoke to Luna

* test(gateway): align mock catalog with Sol default

* ci: retrigger exact-head PR checks

* test(gateway): document default catalog invariant
2026-07-11 06:30:57 -07:00
Peter Steinberger
2d319961d5 fix(browser): block interaction-triggered navigation SSRF (#104254)
* fix(browser): guard interaction navigation requests

* fix(browser): preserve pages on blocked navigation

* fix(browser): enforce interaction navigation policy

* test(browser): type navigation guard fixtures

* fix(browser): execute guarded wait predicates

* style(browser): satisfy interaction lint

* fix(browser): guard hover drag and scroll navigation

* fix(browser): type policy check outcomes

* test(browser): type navigation guard mocks

* fix(browser): preserve proxy policy for guarded interactions

* fix(browser): carry navigation policy through actions

* fix(browser): retain policy for existing-session guards

* fix(browser): guard existing-session waits

* test(browser): avoid shadowed guard pages

* fix(browser): expose scroll action to agents

* fix(browser): disable speculative managed preconnects

* docs(browser): bound managed preconnect hardening

* fix(browser): keep wait behavior outside interaction guards

* chore(browser): leave release notes to release automation

* fix(browser): guard all interaction navigations
2026-07-11 04:30:33 -07:00
NIO
98fb858769 docs(cli): clarify that exec-policy show and approvals get exclude per-session /exec overrides (#94999)
* docs(cli): clarify exec-policy show and approvals get exclude per-session /exec overrides

* refactor(cli): centralize session exec override note

* test(cli): cover node exec override note

* test(cli): use complete node policy fixture

---------

Co-authored-by: NIO <nocodet@mail.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-11 02:58:37 -07:00
Peter Steinberger
236d1b2484 feat(control-ui): selection popup with More details and Ask in side chat via /btw (#104205)
* feat(control-ui): add chat selection popup with More details and Ask in side chat

* fix(control-ui): keep BTW pending card visible and clear it on resultless terminal runs

* fix(control-ui): route failed BTW runs to an error side-result card and ignore stale side results

* fix(control-ui): correlate BTW pending cards by pre-generated run id and suppress superseded runs

* fix(control-ui): retire abandoned BTW runs so late side events never reach the transcript

* chore(docs): regenerate docs map for btw selection-popup section; fix selection-popup test lint
2026-07-11 01:42:17 -07:00
Vincent Koc
597888680c feat(browser): expose managed graphics diagnostics (#104291)
* feat(browser): expose managed Chrome graphics diagnostics

* feat(browser): surface graphics facts in doctor

* docs(browser): explain managed graphics diagnostics

* fix(browser): remove unused graphics type import

* fix(browser): keep graphics facts sorting immutable

* fix(browser): bind graphics facts to owned process

* fix(browser): classify disabled graphics as software

* fix(browser): detect Windows software renderers

* fix(browser): classify disabled renderer sentinel
2026-07-11 15:41:16 +08:00
Peter Steinberger
9f53f8a256 feat(macos): import local browser login (#104177)
* feat(macos): import local browser login

* chore: leave release notes to release workflow

* chore(macos): refresh native i18n inventory

* chore(macos): refresh native i18n inventory

* chore(macos): refresh native i18n inventory

* chore: sync release summary executable bit

* chore(macos): refresh native i18n inventory

* style(macos): wrap browser import result

* chore(macos): refresh native i18n inventory

* chore(macos): refresh native i18n inventory
2026-07-10 22:14:36 -07:00
Josh Avant
fbd330b7aa fix(channels): honor configured read target policies (#99905)
* fix(channels): enforce configured read targets

* test(channels): align policy checks with boundaries

* fix: bind channel reads to trusted turn context

* test: satisfy gateway lint

* fix: narrow message action channel imports

* fix(feishu): authorize message reads before provider access

* fix(slack): await reaction clear authorization

* fix(channels): align provider action contracts

* fix(matrix): read direct-room account data before sync

* fix(channels): reject unsupported attachment actions early

* fix: restore trusted operator conversation reads

* fix(matrix): authorize pin actions before provider reads

* fix: preserve trusted channel read workflows

* fix(discord): resolve current channel ids consistently

* fix(agents): preserve message action turn capability

* fix(plugins): enforce host-owned read provenance

* fix(channels): harden Teams and Discord read policy

* fix(channels): preserve exact-current action compatibility

* fix(imessage): authorize trusted current chat aliases

* fix(channels): preserve normalized current aliases

* fix(channels): preserve external current target aliases

* fix: reconcile channel policy with current main

* fix(discord): isolate DM read policy

* fix(channels): enforce provider read gates

* fix(gateway): await serialized message action identity tokens

* fix(ci): refresh channel protocol contracts
2026-07-10 22:29:37 -05:00
pick-cat
997a564c28 fix(agents): apply stale-run liveness check to aborted subagent orphan recovery (#90817)
* fix(agents): apply stale-run liveness to aborted subagent orphan recovery

Skip stale unended subagent runs during orphan recovery and registry
restore, even when they carry abortedLastRun. Previously, restart-aborted
runs were exempt from the stale-unended age check, allowing hours-old
aborted child sessions to be resurrected after long downtime.

Fixes #90766

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(agents): finalize stale aborted runs instead of only skipping them

Previously the stale-run check in recoverOrphanedSubagentSessions only
incremented the skipped counter. Stale active runs were left unended
because scheduleOrphanRecovery only retries failedRuns, not skipped runs.

Now stale runs are finalized via finalizeInterruptedSubagentRun so they
don't remain orphaned in the registry.

Ref: #90766 review feedback

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(agents): await stale-run finalization in orphan recovery

Await finalizeInterruptedSubagentRun for stale aborted runs and report
failedRuns when finalization does not update the registry, so the
scheduler retry path can recover from finalization failures.

Co-authored-by: Cursor <cursoragent@cursor.com>

* test(agents): faithful restart-path proof for stale orphan recovery

Drive the real recoverOrphanedSubagentSessions against the real subagent
registry, the real isStaleUnendedSubagentRun policy, and a real on-disk
session store, mocking only the outbound gateway transport and transcript
reader. Proves finalizeInterruptedSubagentRun actually ends the stale
aborted run in the registry (endedAt set, outcome error) instead of
resuming it, while a fresh aborted run still resumes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* chore: amend author email

* fix(agents): scope orphan finalization to run generation

* fix(agents): preserve stale restart recovery ownership

* test(agents): isolate restart recovery scheduling

* fix(agents): make stale restart finalization durable

* fix(agents): keep stale retries generation-scoped

* test(agents): await restart recovery scheduling

* fix(agents): verify interrupted finalization

* fix(agents): defer interrupted finalization during restart

* fix(agents): preserve lifecycle type narrowing

* style(agents): use nonmutating recovery ordering

* chore: keep release note in PR body

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Pick-cat <266665499+Pick-cat@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 21:56:57 +01:00
Peter Steinberger
9b1c36d23c fix: prevent exec approval revocation races (#103515)
* fix(security): serialize exec approval mutations

* fix(security): preserve additive approval writes

* test(cli): expect normalized approval shape

* fix(security): preserve exec approval compatibility

* test(security): exercise locked approval initialization

* test(security): mock serialized approval helpers

* test(exec): derive enforced command path from plan

* fix(gateway): always return approval CAS conflicts

* fix(macos): serialize exec approvals writes

* fix(security): repair approval build errors

* fix(security): serialize exec approval mutations

* fix(security): fail closed on approval persistence errors

* test(security): cover detached approval persistence failures

* fix(security): harden exec approval state

* style(macos): format exec approval sources

* fix(security): complete exec approval hardening

Co-authored-by: Coy Geek <65363919+coygeek@users.noreply.github.com>

* fix(macos): preserve approved login-shell semantics

* fix(macos): keep login shell approvals one-shot

* fix(security): linearize exec authorization

Co-authored-by: Coy Geek <65363919+coygeek@users.noreply.github.com>

* fix(security): preserve durable approval basis

Co-authored-by: Coy Geek <65363919+coygeek@users.noreply.github.com>

* fix(security): bind exec grants to current policy

Co-authored-by: Coy Geek <65363919+coygeek@users.noreply.github.com>

* test(security): fix exec revocation fixtures

* test(security): align gateway approval fixtures

* fix(macos): return approval decisions

* chore(i18n): sync native approval strings

* test(security): align approval hardening fixtures

* test(node): authorize completed event fixture

* test(security): fix approval decision fixtures

* test(security): await durable approval visibility

* fix(exec): preserve concurrent approval grants

* fix(exec): address exact-head CI failures

* fix(exec): preserve concurrent approval promotions

* fix(exec): make Swift shutdown state explicit

* test(macos): handle approval read failures

* fix(macos): harden approval socket paths

* fix(macos): preserve exact shell payload bytes

* test(macos): make approval fixtures explicit

* test(macos): fix approval suite compilation

* fix(macos): bound approval socket JSONL reads

* chore: move exec approval note to release process

* chore: move exec approval note to release process

---------

Co-authored-by: Coy Geek <65363919+coygeek@users.noreply.github.com>
2026-07-10 21:35:05 +01:00
Peter Steinberger
baea671ef3 fix(anthropic): delegate adaptive Claude CLI effort (#103815)
* fix(anthropic): delegate adaptive CLI effort

Strip static --effort args for adaptive runs so Claude Code resolves effort from its environment, settings, and model default. Preserve configured effort for off or absent thinking and replace it only for concrete OpenClaw levels.

Fixes #103245

Co-authored-by: Dan Korotin <korotin.daniil@gmail.com>

* fix(anthropic): make effort dispatch exhaustive

---------

Co-authored-by: Dan Korotin <korotin.daniil@gmail.com>
2026-07-10 17:57:50 +01:00
Peter Steinberger
845311cf97 fix(browser): prevent stale handles from switching duplicate-URL tabs (#103816)
* fix(browser): reject ambiguous tab replacements

* fix(browser): guide stale tab recovery
2026-07-10 17:40:14 +01:00
JC
59e95fe3fd feat: support GPT-5.6 Ultra across OpenClaw and Codex runtimes (#98021)
* feat: support GPT-5.6 Ultra across agent runtimes

Co-authored-by: J Cai <anyech@gmail.com>

* fix: keep harness projections discovery-free

* fix(codex): mirror V2 native subagent tasks

* chore: refresh plugin SDK surface budgets

* test: expose Ultra wire effort proof

* test(cron): avoid hoisted mock initialization race

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 15:23:24 +01:00
Yuval Dinodia
1bac1022e6 fix(exec): auto-approve recognized read-only boolean flags on default safe bins (#88953)
* fix(exec): auto-approve recognized read-only boolean flags on default safe bins

Default safe bins (cut, head, tail, tr, uniq, wc) auto-approve stdin-only
text-filter invocations, but the short-option validator only had an accept
path for value-consuming flags: a cluster of pure boolean short flags fell
through to a terminal reject, so common read-only forms like 'wc -l',
'tr -d', 'uniq -c' and 'sort -n' were force-routed to manual approval even
though the bins are stdin-only and the dangerous flags are already denied.

Add an allowedBooleanFlags allowlist to the safe-bin profile model and
populate it for the default bins with their read-only boolean flags. The
short-cluster validator now accepts recognized boolean flags and the long
validator reuses its existing boolean-flag accept branch (previously
unreachable). Unrecognized short flags (e.g. 'tr -S') stay fail-closed, and
denied flags are still rejected first.

* fix(exec): keep safe-bin allowedBooleanFlags off the config-facing fixture type

The boolean-flag allowlist for default safe bins leaked onto SafeBinProfileFixture, the type used for tools.exec.safeBinProfiles, while the strict zod schema and the config normalizer never accepted or preserved the key. Move allowedBooleanFlags to an internal BuiltinSafeBinProfileFixture used only for the curated built-in profiles; custom config profiles keep the allowedValueFlags/deniedFlags model.

Adds tests proving built-in profiles still honor the boolean allowlist and that a custom profile cannot widen it.

* fix(exec): keep tail follow approval-gated

* test(exec): stabilize safe-bin trust fixtures

* test(exec): isolate safe-bin argv fixtures

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 10:53:56 +01:00
Peter Steinberger
dc476a7e7c fix(browser): stale Chrome MCP handles survive reconnect (#103576)
* fix(browser): expire Chrome MCP handles after reconnect

* chore(browser): satisfy Chrome MCP static checks
2026-07-10 10:10:20 +01:00
Peter Steinberger
ce47e6ac53 fix(mcp): keep server config private in groups (#103502)
* fix(mcp): keep server config private in groups

* fix(config): redact underscore credential flags

* fix(config): redact plural credential flags
2026-07-10 08:09:48 +01:00
Peter Steinberger
a97633a9ad fix(codex): require human approval for app-server commands (#103457)
* fix(codex): require human approval for app-server commands

* docs(exec): clarify Codex approval fallback
2026-07-10 08:07:18 +01:00
Peter Steinberger
d7dc6ee845 fix(xai): validate x_search handle filters (#103393) 2026-07-10 08:02:18 +01:00
Peter Steinberger
7f5dce8bbf fix(xai): discover TTS voices dynamically (#103446) 2026-07-10 07:05:45 +01:00
Peter Steinberger
461772868d fix(computer): prevent stale, replayed, and post-cancel desktop actions (#103422)
* fix(ai): preserve streamed tool-call identity

* fix(computer): bind actions to current tool authority

* fix(macos): serialize computer control lifecycle

* docs(computer): document hardened control contract

* chore: follow release-owned changelog policy

* test(agents): cover node list cancellation
2026-07-10 06:47:56 +01:00
Peter Steinberger
9d4fb60e90 fix: harden exec auto-review approvals (#103430) 2026-07-10 06:44:03 +01:00
Peter Steinberger
4a40f5d7f0 fix(xai): align image and video capability contracts (#103384)
* fix(xai): align media capability contracts

* chore: move xai media release note to pr
2026-07-10 06:06:50 +01:00
Peter Steinberger
cd9db5ed9a fix(doctor): keep automated repair from moving approval state (#103353)
* fix(doctor): isolate automated cross-state imports

* test(update): cover isolated doctor finalization
2026-07-10 05:42:36 +01:00
krissding
5ebe040eaa fix(xai): require consent for cross-provider billed tools (#97629)
* fix(xai): gate billed tools by active provider

Co-authored-by: 丁宇婷0668001435 <ding.yuting@xydigit.com>

* chore: remove contributor changelog entry

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 05:30:23 +01:00
Peter Steinberger
75dfd3dc09 feat(xai): support Grok Imagine Video 1.5 (#103316)
* feat(media): add per-model generation catalog metadata

* feat(xai): support Grok Imagine Video 1.5

* test(plugin-sdk): update public surface budget
2026-07-10 04:49:42 +01:00
Peter Steinberger
2b3dc3042f fix(doctor): gate cross-state-dir legacy imports behind explicit doctor opt-in (#103247)
* fix(doctor): gate cross-state-dir legacy imports behind explicit doctor opt-in

A gateway or CLI command started with OPENCLAW_STATE_DIR pointing at a
non-default directory used to import legacy files FROM the default
~/.openclaw state dir (exec-approvals.json, plugin-binding-approvals.json)
and archive the originals with a .migrated suffix. Any isolated, test, or
staging run on a host with production state silently captured and archived
the production files.

Cross-state-dir imports now run only with the new crossStateDirImports
opt-in: openclaw doctor --fix (or an interactive doctor confirm) performs
the import; the implicit CLI/gateway preflight leaves the default dir
untouched and emits a notice pointing at doctor instead.

* test(doctor): include notices in legacy-state detector mocks
2026-07-10 03:56:02 +01:00
Peter Steinberger
db12cb7023 fix(xai): align current model catalog and tools (#103260)
* fix(xai): align current model catalog and tools

* chore(xai): defer release note to release closeout

* docs: refresh xai documentation map
2026-07-10 03:36:14 +01:00
Peter Steinberger
67ff8dfc15 fix(ui): apply selected reasoning and speed before sending (#103253)
* fix(ui): gate sends on pending session settings

* chore(ui): keep changelog release-owned
2026-07-10 03:14:23 +01:00
abel-zer0
b47405954e fix(skills): preserve compact prompt descriptions (#88426)
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 20:23:05 +01:00
Peter Steinberger
3c048ef052 fix(browser): preserve no-display launch diagnostics (#102946)
* fix(browser): preserve no-display launch diagnostics

* chore: keep changelog release-owned
2026-07-09 16:26:18 +01:00
Peter Steinberger
f8dbd34ab8 feat(nodes): add computer use (computer.act) on macOS nodes via Peekaboo (#102776)
* feat(nodes): add computer use (computer.act) on macOS nodes via Peekaboo

* fix(nodes): release held computer.act input on node disconnect/stop/disable

* fix(nodes): release held computer.act input armed after a lifecycle release

* fix(nodes): scope computer.act lifecycle catch-up release to the arming action

* chore(nodes): register computer tool display metadata, sync native i18n, doc-comment constants

* fix(nodes): preserve caught-error cause in computer tool resolver; regen docs map
2026-07-09 15:28:09 +01:00
Peter Steinberger
b5ba0771f9 feat: carry gateway client capabilities through the CLI loopback backend (#102835)
* test: shorten loopback token fixtures below secret-scanner thresholds

* feat: carry gateway client capabilities through the CLI loopback backend

CLI-backed model runs now transport the originating client's declared
capabilities along the existing per-field loopback contract: RunCliAgentParams
gains clientCaps, prepare emits OPENCLAW_MCP_CLIENT_CAPS, the loopback header
template forwards x-openclaw-client-caps, the request context parses and
normalizes it (grant-authenticated callers keep ignoring spoofable headers),
and the loopback tool cache keys on a stable caps serialization so capless and
capped requests never share tool lists. Capability-gated tools such as
show_widget now work on CLI backends; the CLI session binding hash includes
caps, consistent with messageProvider. Cron and command-attempt runs stay
capless (fail closed).

Fixes #102577
2026-07-09 15:09:09 +01:00
mikasa
18fd6ee9e6 fix(tts-local-cli): cap local CLI speech outputs (#101510)
* fix(tts-local-cli): bound local speech output

Co-authored-by: mikasa0818 <0668001030@xydigit.com>

* chore(tts-local-cli): keep changelog release-owned

* docs(tts-local-cli): format output-limit note

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 12:42:41 +01:00
Peter Steinberger
3ccf2a0739 feat: render inline web chat widgets via capability-gated show_widget tool (#101840)
Adds client-capability-gated tool availability: gateway clients declare
capabilities at connect (new inline-widgets cap), chat.send stamps them into
the run context, and every tool assembly path (embedded runner, queued
followups, Codex app-server harness, plugin-only construction plans) drops
tools whose requiredClientCaps the originating client did not declare. The
Canvas plugin ships the first such tool, show_widget: agents pass SVG or an
HTML fragment plus a title; the plugin hosts it as a bounded, retention-scoped
Canvas document and returns the existing canvas preview handle, which web chat
renders as a sandboxed iframe fitted to the widget's reported content height.
Widget frames never get allow-same-origin (per-preview sandbox ceiling,
including the sidebar path) and the Canvas host serves widget documents with a
CSP sandbox header so direct navigation runs in an opaque origin. Verified
live end-to-end on a Testbox with gpt-5.5 (screenshots on the PR). CLI-backed
model backends do not carry client caps yet and stay fail-closed (#102577).

Closes #101790
2026-07-09 12:29:50 +01:00
Pavan Kumar Gondhi
5f04dc97e6 Harden jq safe-bin semantics (#102032) 2026-07-08 15:43:37 +05:30
Peter Steinberger
a7faec8ca1 fix(gateway): support native Windows exec approvals (#101669)
* fix(gateway): support native Windows exec approvals

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* chore: defer changelog entry to release

* test: use tracked approvals temp directories

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-07 14:50:59 +01:00
Peter Steinberger
bd7da9decd fix(browser): keep upload errors specific (#101465) 2026-07-07 12:35:27 +01:00
Peter Steinberger
454fccd784 fix(browser): keep screenshots private by default (#101434)
* fix(browser): keep screenshots private by default

* fix(browser): preserve screenshot share handles

* fix(browser): stage explicit screenshot shares

* test(browser): avoid screenshot share temp files
2026-07-07 11:56:49 +01:00
Peter Steinberger
942b449661 fix(exec): keep pending approval warnings truthful (#101561)
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-07 11:30:41 +01:00
Peter Steinberger
a2a68d154b fix(agent): preserve explicit recipient sessions (#101507)
* fix(agent): honor recipient session routing

Co-authored-by: vincentkoc <25068+vincentkoc@users.noreply.github.com>
Co-authored-by: pingfanfan <pingfan.work@gmail.com>

* fix(agent): preserve canonical recipient routes

* fix(agent): require exact recipient routes

Co-authored-by: vincentkoc <25068+vincentkoc@users.noreply.github.com>

Co-authored-by: pingfanfan <pingfan.work@gmail.com>

* fix(agent): harden recipient route resolution

* fix(imessage): require canonical recipient handles

* fix(agent): refine provider recipient exactness

* fix(agent): bound direct alias session routing

* fix(signal): preserve direct alias route type

* fix(agent): honor binding-scoped recipient sessions

* fix(routing): honor configured main session aliases

* fix(clickclack): align account-owned session routes

* fix(twitch): preserve canonical recipient sessions

* fix(routing): isolate stable outbound identities

* chore: defer recipient session changelog

* fix(sms): use dedicated channel SDK facade

---------

Co-authored-by: vincentkoc <25068+vincentkoc@users.noreply.github.com>
Co-authored-by: pingfanfan <pingfan.work@gmail.com>
2026-07-07 10:07:13 +01:00
Peter Steinberger
01d6ea1f0e feat(browser): expose agent download actions (#101369)
* feat(browser): expose agent download actions

Co-authored-by: changcy <742592895@qq.com>

* chore: keep release notes in PR context

---------

Co-authored-by: changcy <742592895@qq.com>
2026-07-07 06:17:52 +01:00
Peter Steinberger
90b680435a fix(minimax): clarify TTS volume boundary (#101359)
Co-authored-by: Quratulain-bilal <umayaimanshah@gmail.com>
2026-07-07 05:53:08 +01:00
Peter Steinberger
654029892d feat(browser): pair the Chrome extension directly to a remote gateway (#101127)
* feat(browser): direct extension→gateway relay path for remote Chrome (#53599)

Let the OpenClaw Chrome extension pair directly to a remote gateway over
wss:// with no OpenClaw node host on the browser machine — the managed-hosting
path from #53599 (extension is the only thing installed on the laptop).

- Gateway route /browser/extension registered by the browser plugin with
  auth:"plugin" + no nodeCapability, so the gateway does not pre-enforce token
  auth (browser WebSockets cannot send an Authorization header). The upgrade
  handler self-validates the host-local relay secret from ?token=, origin-checks
  chrome-extension://, resolves the extension profile, then attaches the socket
  to the same ExtensionRelayBridge the loopback relay uses. All CDP synthesis,
  tab-group scoping, and the in-process Playwright /cdp client are unchanged.
- `openclaw browser extension pair --gateway-url wss://host` prints a
  wss://host/browser/extension#<secret> string; the path ends in /extension so
  the extension's existing pairing parser accepts it with zero extension code
  changes.
- relay-server: extract attachExtensionWebSocket + export requestToken /
  isAllowedExtensionOrigin / EXTENSION_RELAY_MAX_PAYLOAD_BYTES so loopback and
  gateway paths share one bind + one frame cap.
- runtime-lifecycle: dispose the shared gateway WebSocketServer on shutdown.
- docs: three remote topologies (same host / direct-to-gateway / via node host).

Coverage: 6 unit tests for the handler's path/503/403/404/401/attach branches.
The full extension→bridge→CDP→Chrome loop over /browser/extension was live-proven
with a real Chrome + the built extension. The real gateway upgrade→handleUpgrade
dispatch for an auth:"plugin" unprotected route is verified against core
(server-http.ts, plugins-http.ts, route-auth.ts).

* fix(browser): harden remote extension pairing
2026-07-07 04:31:52 +01:00
Peter Steinberger
1a307be2e0 feat(skills): add lifecycle curator for workshop-created skills (#101214)
Tracks per-skill usage from the skill.used diagnostic event (trusted-only
delivery, file-scoped identity), sweeps workshop-created skills daily from
gateway maintenance (active -> stale 30d -> archived 90d, pinned bypass,
restore-only unarchive, files never touched), filters archived skills from
snapshots fail-open, reports workspace-scoped overlap candidates, and adds
openclaw skills curator CLI, additive gateway methods, and a warn-only
doctor finding. Zero new config keys; SQLite/Kysely state only.
2026-07-07 03:25:44 +01:00
Peter Steinberger
553acdfc1a feat(gateway): add tts.speak method returning synthesized audio inline (#100770)
* feat(gateway): add tts.speak method returning synthesized audio inline

* test(gateway): type tts.speak synthesis mock for failure shapes

* fix(gateway): restore lowercase normalizer import used by talk catalog

* test(gateway): shift advertised-method window for tts.speak

* fix(gateway): ready tts speak for landing

* docs(changelog): record tts speak gateway API

* test(agents): stabilize fast auto startup synchronization

* test(crabbox): stabilize sparse checkout exit guard
2026-07-06 18:25:08 +01:00
Peter Steinberger
dc600d4a77 feat(diffs): changed-files summary nav for multi-file patch diffs (#100753)
* feat(diffs): add changed-files summary nav for multi-file patch diffs

* docs: regenerate docs map for diffs multi-file navigation section

* fix(diffs): respect reduced motion in summary navigation
2026-07-06 16:55:56 +01:00
Peter Steinberger
d6801f23d4 feat(browser): restore driver "extension" via a loopback Chrome extension relay (no remote-debugging prompt) (#100619)
* feat(browser): restore driver "extension" via loopback Chrome extension relay

Reintroduces browser profile driver "extension" (removed in 2026.3.22) as a
loopback relay that drives the user's signed-in Chrome through an MV3 extension
instead of the remote-debugging port. This avoids Chrome's blocking "Allow
remote debugging?" prompt, which cannot be clicked when the operator drives
OpenClaw from a phone. Automated tabs live in an "OpenClaw" tab group (the
consent boundary), mirroring the Codex/Claude-in-Chrome model.

- relay bridge synthesizes the CDP browser target surface for Playwright
  connectOverCDP and forwards session-scoped commands to chrome.debugger
- relay server binds loopback only; both sides authenticate with a token
  derived (HMAC-SHA256) from gateway auth, so the raw credential never reaches
  Chrome; extension origin + loopback Host checks guard the upgrade
- built-in "chrome" profile; distinct relay ports per extension profile;
  relay reconciles on auth rotation / cdpPort change and prunes removed profiles
- doctor + status surface the extension transport; doctor keeps repairing the
  retired relay endpoint URL on legacy "extension" profiles

Refs #53599

* feat(browser): bundle the OpenClaw MV3 Chrome extension

Thin MV3 extension (chrome-extension/): a WebSocket client to the loopback
relay plus chrome.debugger forwarding and OpenClaw tab-group management. All
CDP target synthesis lives server-side in the relay bridge, so the extension
stays a dumb transport (the removed 2026.3 extension put that logic in a
1000-line untestable service worker). Popup handles pairing and per-tab share
toggle; `openclaw browser extension path|pair` load and pair it. A build copy
hook stages it into dist so the load path is stable.

Refs #53599

* docs(browser): document the Chrome extension profile

Adds docs/tools/chrome-extension for the restored extension driver (install,
pair, tab-group consent model, security posture) and wires it into the browser
docs profile section and nav.

Refs #53599

* feat(browser): make the extension relay work on remote browser nodes

Derives the relay auth token from a host-local secret in the credentials dir
(created on first use) instead of gateway auth. Each machine that runs a
browser — the gateway host and every browser node host — owns its own token, so
the extension pairs with whichever machine hosts its Chrome and no gateway
credential travels to a node. The node host already runs the shared browser
control bootstrap, so this is all that was missing for cross-machine control.

Also removes the "relay needs gateway auth before it can start" failure mode:
startup and `openclaw browser extension pair` ensure the secret exists.

Refs #53599

* fix(browser): harden relay secret creation and satisfy CI lint/typecheck

- Make the host-local relay secret creation atomic (O_CREAT|O_EXCL + adopt the
  winner on EEXIST) so the gateway service and `extension pair` CLI cannot mint
  divergent tokens on a fresh host (would 401 until restart); credentials dir
  created mode 0700. (adversarial review finding)
- Resolve type-aware oxlint findings across the relay + extension: unknown catch
  vars, addEventListener over ws.on* in the MV3 worker, void async listeners,
  drop useless returns/spreads, Object.assign over map-spread, safe ws frame
  decode (Buffer[]/ArrayBuffer), toSorted.
- Add extensionRelayDefaultPort/extensionRelayPorts to remaining test config
  literals; type the extension relay-core module (.d.ts, excluded from dist);
  regenerate docs_map.

* fix(browser): satisfy OpenGrep security policy on the relay

- Hash both operands before timingSafeEqual so token comparison has no
  length short-circuit (GHSA-JJ6Q-RRRF-H66H).
- Bound the relay WebSocketServer with maxPayload (64 MiB, headroom for CDP
  screenshots/bodies) against oversized frames (GHSA-VW3H-Q6XQ-JJM5).
- Rewrite the config test env helper to avoid the skill-env-host-injection
  shape (GHSA-82G8-464F-2MV7); it is a test-only env swap.
2026-07-06 10:08:27 +01:00