* fix(logs): clean up gateway and channel startup/shutdown log output
Scope Discord slash-command deploy REST diagnostics to command routes so
concurrent startup traffic (voice-state probes, channel lookups) keeps its
owner's error handling; make per-request deploy error lines verbose-only and
drop JSON bodies that only repeat message+code. Log allowlist summaries one
line per call so unresolved lines keep their timestamp/subsystem prefix, and
skip identity lookups that resolved to themselves. Remove embedded subsystem
prefixes, demote routine signal/shutdown/force/postbuild/diag chatter to
debug or verbose, merge the duplicate Control UI build notices, drop doctor's
duplicate backup line, and name the config surface or platform limit in the
transcripts autoStart and command-limit warnings.
Fixes#104163
* fix(slack): keep bare-name allowlist resolutions in startup log summary
Only omit identity lookups where the input already is the resolved id;
name-based lookups that translated to an id stay logged even when the
display name matches the input.
* fix(telegram): keep isolated-ingress readiness marker on the runtime log
test/e2e/qa-lab telegram-bot-token-runtime waits for this line via the
injected RuntimeEnv.log; verbose-only logging would deterministically time
out that live proof. Comment the contract at the call site.
* [AI] fix(session-memory): forward hook config model to LLM slug generator
When llmSlug is enabled with a model override in the session-memory hook
config, that model was ignored — slug generation always resolved the
agent default model via resolveDefaultModelForAgent.
Add an optional model parameter to generateSlugViaLLM and pass
hookConfig.model from the session-memory handler. When a hook model is
provided, only the model is forwarded (provider is omitted) so
runEmbeddedAgent's built-in resolveInitialEmbeddedRunModel chain handles
alias, provider-qualified ref, and bare-name resolution through a single
source of truth — avoiding the routing drift that blocked prior PRs.
Fixes#89551
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* fix(session-memory): centralize slug model resolution
Honor the session-memory slug model override while keeping default, alias, and provider-qualified model selection in the embedded runner.
Co-authored-by: SunnyShu <shu.zongyu@xydigit.com>
---------
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
* fix(doctor): follow symlinked launcher when locating sandbox setup scripts
* refactor(doctor): reuse shared package-root resolver for sandbox scripts
resolveSandboxScript hand-rolled its own cwd/argv1/realpath candidate
scan, duplicating openclaw-root discovery. Reuse resolveOpenClawPackageRootSync,
which already follows the symlinked launcher via realpath and handles
node_modules/.bin and version-manager links, then look for scripts/ under
the resolved package root. Resolves the duplicate-discovery review finding.
* fix(doctor): keep searching cwd for sandbox scripts when first package root lacks them
resolveSandboxScript stopped at the first openclaw package root the shared
resolver returned. argv1 candidates resolve before cwd, so an installed/published
root (package.json present, scripts/ dropped by the npm files allowlist) shadowed
a valid source-checkout cwd and made doctor --fix return null.
- add resolveOpenClawPackageRootsSync: all distinct roots in candidate order
- resolveSandboxScript returns the first root that actually contains the script
- resolveOpenClawPackageRootSync now delegates to the plural (behavior unchanged)
- test: source-checkout cwd shadowed by an installed argv1 root without scripts/
* feat(webui): reintroduce opt-in AI purpose titles for tool calls
Restores the chat.toolTitles path removed in #103821, gated behind the new
gateway.controlUi.toolTitles opt-in (default false) so tool rendering stays
fully deterministic with no background model calls unless an operator enables
it. Disabled gateways answer { titles: {}, disabled: true } without loading
the completion runtime, and clients stop asking for the session.
When enabled, titles use canonical utility-model routing: an explicit
utilityModel (operator-chosen provider, like every utility task), else the
session provider's declared small-model default, honoring per-session model
overrides and auth profiles; utilityModel "" disables titles and malformed
refs fail closed — never the primary model. Tool inputs are redacted with the
tools-mode redactor before cache keys or prompts, caller ids are bounded and
never reach the model, and results cache in the per-agent SQLite
cache_entries so repeat views never re-bill.
Also completes two crestodian model-input mock factories that leaked into
sibling tests under shared-registry CI shards.
Fixes#103987
* fix(webui): redact tool-title inputs before truncation
* feat(browser): import Chrome-family system-profile cookies into managed profiles
Import cookies from a real Chrome/Brave/Edge/Chromium system profile (macOS)
into a fresh OpenClaw-managed browser profile so the agent can browse as the
signed-in user. Reads the source Cookies DB via a coherent VACUUM INTO snapshot,
decrypts v10 AES-128-CBC values with the Safe Storage Keychain key (one Touch ID
consent), maps rows to Playwright cookies (FILETIME expiry, SameSite, M124+
domain-hash prefix strip, CHIPS skipped), and best-effort injects them via
addCookies into a mock-keychain profile so they persist without further prompts.
Decrypted values are never logged or returned.
Exposed as agent tool action=importprofile, CLI system-profiles/import-profile,
and POST /profiles/import; action=profiles surfaces importable systemProfiles.
Listing and import are pinned host-local at every surface (gateway, browser
tool, node proxy) since they read the local Keychain and Chrome profiles.
Malformed domain filters fail closed via a shared validator. Gated by
browser.allowSystemProfileImport (default on). Imports cookies only.
* fix(browser): satisfy CI lint (OpenClaw temp dir, Unicode control-char class)
Use resolvePreferredOpenClawTmpDir() instead of os.tmpdir() for the cookie DB
snapshot (messaging/channel runtime tmpdir guard), and match control characters
via the Unicode \p{Cc} class instead of a literal control-char range so the
CLI table sanitizer passes the no-control-regex lint.
* fix(skill-workshop): reject invalid proposal list limits
* refactor(skill-workshop): validate list params before storage
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
* fix(auth): preserve token health after OAuth migration
After a user migrates from OAuth to a token/setup-token credential, the
gateway model-auth rollup reported the provider as missing, producing a
false "model auth expired" warning.
Rename aggregateOAuthStatus → aggregateRefreshableAuthStatus and
extract aggregateProfileStatus helper. OAuth remains authoritative when
present; token credentials are the fallback when no effective OAuth
profile exists. Empty effectiveProfiles stays authoritative (missing).
Token fallback applies regardless of expectsOAuth flag.
Fixes#97996
Co-authored-by: SunnyShu0925 <SunnyShu0925@users.noreply.github.com>
* test(auth): use fake token fixture
* fix(doctor): repair stale auth profile orders
* fix(doctor): inspect retained auth profile stores
* fix(doctor): harden retained auth store proof
---------
Co-authored-by: SunnyShu0925 <SunnyShu0925@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
* fix(agents): apply stale-run liveness to aborted subagent orphan recovery
Skip stale unended subagent runs during orphan recovery and registry
restore, even when they carry abortedLastRun. Previously, restart-aborted
runs were exempt from the stale-unended age check, allowing hours-old
aborted child sessions to be resurrected after long downtime.
Fixes#90766
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(agents): finalize stale aborted runs instead of only skipping them
Previously the stale-run check in recoverOrphanedSubagentSessions only
incremented the skipped counter. Stale active runs were left unended
because scheduleOrphanRecovery only retries failedRuns, not skipped runs.
Now stale runs are finalized via finalizeInterruptedSubagentRun so they
don't remain orphaned in the registry.
Ref: #90766 review feedback
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(agents): await stale-run finalization in orphan recovery
Await finalizeInterruptedSubagentRun for stale aborted runs and report
failedRuns when finalization does not update the registry, so the
scheduler retry path can recover from finalization failures.
Co-authored-by: Cursor <cursoragent@cursor.com>
* test(agents): faithful restart-path proof for stale orphan recovery
Drive the real recoverOrphanedSubagentSessions against the real subagent
registry, the real isStaleUnendedSubagentRun policy, and a real on-disk
session store, mocking only the outbound gateway transport and transcript
reader. Proves finalizeInterruptedSubagentRun actually ends the stale
aborted run in the registry (endedAt set, outcome error) instead of
resuming it, while a fresh aborted run still resumes.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* chore: amend author email
* fix(agents): scope orphan finalization to run generation
* fix(agents): preserve stale restart recovery ownership
* test(agents): isolate restart recovery scheduling
* fix(agents): make stale restart finalization durable
* fix(agents): keep stale retries generation-scoped
* test(agents): await restart recovery scheduling
* fix(agents): verify interrupted finalization
* fix(agents): defer interrupted finalization during restart
* fix(agents): preserve lifecycle type narrowing
* style(agents): use nonmutating recovery ordering
* chore: keep release note in PR body
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Pick-cat <266665499+Pick-cat@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>