vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-31 03:42:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
53,872 Commits 1,843 Branches 149 Tags
27b15a19e84c1442d8ecd304cd021bd12e8796d7
Commit Graph

1032 Commits

Author SHA1 Message Date
Peter Steinberger
2209faef40 feat: improve cron create delivery ergonomics 
Summary:
- Add Hermes-style schedule-first cron create parsing while preserving flagged create options.
- Support webhook create/edit delivery and clear stale webhook/chat delivery fields across mode changes.
- Update cron docs and schedule identity normalization tests.

Verification:
- pnpm test src/cron/schedule-identity.test.ts src/cli/cron-cli.test.ts src/cron/service.jobs.test.ts -- --reporter=verbose
- pnpm test src/cli/cron-cli.test.ts src/cron/service.jobs.test.ts -- --reporter=verbose
- pnpm check:test-types
- pnpm check:import-cycles
- pnpm check:docs
- pnpm check:changed via Crabbox run_8c44bcb158da, exit 0
- autoreview branch diff clean
 2026-05-29 04:34:50 +01:00
Merlin
00067563a6 fix(doctor): handle gateway SecretRefs in auth checks 
Handle exec-backed Gateway SecretRefs in doctor, lint, and health probing without executing providers by default.

- Add `openclaw doctor --allow-exec` for explicit SecretRef execution during lint/doctor checks.
- Skip only the active exec-backed gateway probe path and avoid local service diagnostics for remote-only skipped health.
- Keep env-winning and dormant fallback credentials probeable, stabilize related tests, and remove a stale live-shard fixture left by the moving base.

Verification:
- `node scripts/run-vitest.mjs src/commands/doctor-gateway-auth-token.test.ts src/commands/doctor.warns-state-directory-is-missing.e2e.test.ts src/gateway/credentials.test.ts src/gateway/probe-auth.test.ts src/commands/doctor-gateway-daemon-flow.test.ts test/scripts/test-live-shard.test.ts --reporter=verbose`
- `mise x node@24.13.0 -- pnpm prompt:snapshots:check`
- `pnpm tsgo:prod`
- `pnpm build`
- `.agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main`
- Crabbox AWS live config proof: `run_f44a4d9dae4e`
- GitHub CI: green on final head `88d24abdbf9529a59d75d1d5e04eac74bbbbc267` after rerunning a stale in-progress Security High workflow.

Co-authored-by: Merlin <258679497+funmerlin@users.noreply.github.com>
 2026-05-29 02:07:50 +01:00
AMARA
3029326a56 fix(memory): compact short-term promotion entries 
Compact promoted short-term memory snippets before writing them into MEMORY.md, while keeping the full rehydrated snippet in recall state for ranking/provenance. Adds the deep-dreaming config surface and docs, with the default promoted snippet cap set to 160 estimated tokens.

Verification:
- git diff --check
- fnm exec --using v24.13.0 node scripts/run-vitest.mjs run extensions/memory-core/src/short-term-promotion.test.ts extensions/memory-core/src/dreaming.test.ts src/memory-host-sdk/dreaming.test.ts
- GitHub CI run 26605272497
- CodeQL security run 26605272404

Co-authored-by: AMARA <amara@eyeinthesky.pl>
 2026-05-29 00:05:54 +01:00
Peter Steinberger
4491232874 fix: resolve compatible npm plugin versions 
* fix: resolve compatible npm plugin versions

* fix: satisfy plugin install lint

* fix: refresh plugin install tests on latest main
 2026-05-28 23:20:32 +01:00
Peter Steinberger
ea682182d0 fix: isolate npm plugin installs per package (#87647) 
* fix: isolate npm plugin installs per package

* test: assert isolated npm plugin projects in upgrade survivor

* test: assert plugin lifecycle npm project roots

* test: resolve npm project deps in live assertions

* fix: resolve codex bins from isolated npm projects

* docs: document isolated npm plugin projects

* ci: configure testbox workflow for crabbox

* fix: stabilize npm project fingerprint

* fix: keep fetch runtime import side-effect free

* test: keep dynamic live model unit hermetic

* ci: handle empty node toolcache roots

* test: make nounset toolcache probe deterministic
 2026-05-28 21:16:07 +01:00
Andy Ye
5f88932806 fix(sessions): recover empty preflight compaction 
Fixes #87016.

Empty preflight compaction recovery now resets stale token snapshots immediately, preserves valid legacy transcript rows during cleanup, and avoids re-persisting stale context-budget or compaction metadata after a successful retry.

Co-authored-by: Andy Ye <35905412+TurboTheTurtle@users.noreply.github.com>
 2026-05-28 17:06:38 +01:00
Patrick Erichsen
ee57f341f0 Add ClawHub skill verification and trust surfaces (#86699) 
* feat(skills): fetch ClawHub skill verification

* feat(skills): resolve ClawHub verification targets

* feat(skills): add ClawHub verify command

* docs(skills): document ClawHub verification

* test(skills): type verify CLI fixture

* fix(skills): fetch verified skill card URL

* fix(skills): bound verified card downloads

* fix(skills): fail closed on malformed verification

* fix(skills): corroborate ClawHub install origins

* feat(skills): surface ClawHub trust in control UI

* chore(protocol): refresh generated gateway models

* chore(ui): refresh i18n raw copy baseline

* docs: clarify skills verify wording

* fix: fail closed on skill trust mismatches

* fix: reject incomplete clawhub provenance

* fix: satisfy trust verdict lint

* fix: restore ci checks after main merge
 2026-05-27 14:23:24 -05:00
Peter Steinberger
bb46b79d3c refactor: internalize OpenClaw agent runtime (#85341) 
* refactor: extract agent core package

Introduce packages/agent-core as the OpenClaw-owned home for reusable agent loop, harness, session, prompt, and runtime dependency contracts.

* refactor: extract shared llm runtime

Move provider model registries, stream wrappers, OAuth helpers, and LLM utilities into src/llm with plugin-sdk barrels instead of depending on the old embedded runtime layout.

* refactor: remove pi runtime internals

Rename remaining Pi-shaped agent surfaces to OpenClaw agent runtime names, delete obsolete Pi docs and package graph checks, and add the third-party notice for incorporated code.

* refactor: tighten agent session runtime

Make agent-core/runtime dependencies explicit, consolidate compaction and session transcript helpers, and move model/session helpers behind OpenClaw-owned contracts.

* refactor: remove static model and pi auth paths

Drop static model catalogs and Pi auth bridges, move model/provider facts to manifest-owned runtime contracts, and harden internal embedded-agent utilities.

* refactor: remove legacy provider compat paths

* docs: remove agent parity notes

* fix: skip provider wildcard metadata parsing

* refactor: share session extension sdk loading

* refactor: inline acpx proxy error formatter

* refactor: fold edit recovery into edit tool

* fix: accept extension batch separator

* test: align startup provider plugin expectations

* fix: restore provider-scoped release discovery

* test: align static asset packaging expectations

* fix: run static provider catalogs during scoped discovery

* fix: add provider entry catalogs for scoped live discovery

* fix: load lightweight provider catalog entries

* fix: refresh provider-scoped plugin metadata

* fix: keep provider catalog entries on release live path

* fix: keep static manifest models in release live checks

* fix: harden release model discovery

* fix: reduce OpenAI live cache probe reasoning

* fix: disable OpenAI cache probe reasoning

* ci: extend OpenAI gateway live timeout

* fix: extend live gateway model budget

* fix: stabilize release validation regressions

* fix: honor provider aliases in model rows

* fix: stabilize release validation lanes

* fix: stabilize release memory qa

* ci: stabilize release validation lanes

* ci: prefer ipv4 for live docker node calls

* fix: restore shared tool-call stream wrapper

* ci: remove legacy pi test shard alias

* fix: clean up embedded agent test drift

* fix: stabilize runtime alias status

* fix: clean up embedded agent ci drift

* fix: restore release ci invariants

* fix: clean up post-rebase runtime drift

* fix: restore release ci checks

* fix: restore release ci after rebase

* fix: remove stale pi runtime path

* test: align compaction runtime expectations

* test: update plugin prerelease expectations

* fix: handle claude live tool approvals

* fix: stabilize release validation gates

* fix: finish agent runtime import

* test: finish post-rebase agent runtime mocks

* fix: keep codex compaction native

* fix: stabilize codex app-server hook tests

* test: isolate codex diagnostic active run

* test: remove codex diagnostic completion race

# Conflicts:
#	extensions/codex/src/app-server/run-attempt.test.ts

* ci: fix full release manifest performance run id

* refactor: narrow llm plugin sdk boundary

* chore: drop generated google boundary stamps

* fix: repair rebase fallout

* fix: clean up rebased runtime references

* fix: decode codex jwt payloads as base64url

* fix: preserve shipped pi runtime alias

* fix: add scoped sdk virtual modules

* fix: decode llm codex oauth jwt as base64url

* fix: avoid stale vertex adc negative cache

* fix: harden tool arg decoding and codeql path

* fix: keep vertex adc negative checks live

* refactor: consolidate codex jwt and edit helpers

* fix: await codex oauth node runtime imports

* fix: preserve sdk tool and notice contracts

* fix: preserve shipped compat config boundaries

* fix: align codex oauth callback host

* fix: terminate agent-core loop streams on failure

* fix: keep codex oauth callback alive during fallback

* ci: include session tools in critical codeql scans

* fix: keep Cloudflare Anthropic provider auth header

* docs: redirect legacy pi runtime pages

* fix: honor bundled web provider compat discovery

* fix: protect session output spill files

* fix: keep legacy agent dir env blocked

* fix: contain auto-discovered skill symlinks

* fix: harden agent core sdk proxy surfaces

* fix: restore approval reaction sdk compat

* fix: keep live docker runs bounded

* fix: keep codex oauth redirect host aligned

* fix: resolve post-rebase agent runtime drift

* fix: redact anthropic oauth parse failures

* fix: preserve responses strict tool shaping

* fix: repair agent runtime rebase cleanup

* docs: redirect retired parity pages

* fix: bound auto-discovered resources to roots

* fix: repair post-rebase agent test drift

* fix: preserve bundled provider allowlist migration

* fix: preserve manifest-owned provider aliases

* fix: declare photon image dependency

* fix: keep provider headers out of proxy body

* fix: preserve shipped env aliases

* fix: refresh control ui i18n generated state

* fix: quote read fallback paths

* fix: preview edits through configured backend

* test: satisfy core test typecheck

* fix: preserve ZAI usage auth fallback

* test: repair codex diagnostic test

* fix: repair agent runtime rebase drift

* test: finish embedded runner import rename

* fix: repair agent runtime rebase integrations

* test: align compaction oauth fallback expectations

* fix: allow sdk-auth session models

* fix: update doctor tool schema import

* fix: preserve bedrock plugin region

* fix: stream harmony-like prose immediately

* ci: include session runtime in codeql shards

* fix: repair latest rebase integrations

* fix: honor explicit codex websocket transport

* fix: keep openai-compatible credentials provider-scoped

* fix: refresh sdk api baseline after rebase

* fix: route cli runtime aliases through openclaw harness

* test: rename stale harness mock expectation

* test: rename embedded agent overflow calls

* test: clean embedded auth test wording

* test: use openclaw stream types in deepinfra cache test

* fix: refresh sdk api baseline on latest main

* fix: honor bundled discovery compat allowlists

* fix: refresh sdk api baseline after latest rebase

* fix: remove stale rebase imports

* test: rename stale model catalog mock

* test: mock renamed doctor runtime modules

* fix: map canonical kimi env auth

* fix: use internal model registry in bench script

* fix: migrate deepinfra provider catalog entry

* fix: enforce builtin tool suppression

* fix: route compaction auth and proxy payloads safely

* refactor: prune unused llm registry leftovers

* test: update codex hooks session import

* test: fix model picker ci coverage

* test: align model picker auth mock types
 2026-05-27 19:24:04 +01:00
Andi Liao
085228c961 fix(auth): document paste-token stdin setup (#63050) 
Document that automation should pipe `models auth paste-token` credentials over stdin instead of passing token material in argv, keeping the existing secret-handling path explicit in the CLI docs.

Also include accepted auth-profile credential types in invalid-profile warning logs so malformed local auth stores are easier to repair.

Fixes #63042.

Thanks @liaoandi.
 2026-05-27 18:44:44 +01:00
Agustin Rivera
0d0bddf032 fix(gateway): require admin for device role approvals (#87146) 
* fix(gateway): require admin for device role approvals

* fix(gateway): add trusted-proxy approval proof
 2026-05-27 08:08:51 -07:00
Pavan Kumar Gondhi
91590132f6 Block unsafe Node runtime env overrides [AI] (#87308) 
* fix: block unsafe node runtime env overrides

* fix: block node env path redirects

* docs: add changelog entry for PR merge
 2026-05-27 20:34:12 +05:30
Peter Steinberger
517ce3df75 fix: require admin for node device approvals 2026-05-27 13:18:50 +01:00
Peter Steinberger
69d84d775b fix(docs): use Cloudflare docs search API 2026-05-27 00:58:09 +01:00
fuller-stack-dev
40fa750b4f docs: explain bundled plugin npm override 2026-05-26 23:51:53 +01:00
Vincent Koc
3127808473 fix(cli): default logs to local timestamps (#85387) 2026-05-26 21:14:47 +01:00
Peter Steinberger
cac0b2db18 refactor: move transcripts into core 
Move meeting notes into core transcripts, remove the bundled meeting-notes plugin/API, and require explicit transcripts.enabled before exposing the recording-capable tool.
 2026-05-26 14:51:11 +01:00
Gio Della-Libera
fbb6340542 Policy: add agent-scoped policy overlays (#85817) 
* feat(policy): add agent-scoped policy overlays

* docs(policy): use generic agent-scoped examples

* fix(policy): generalize scoped policy overlays

* fix(policy): clean scoped overlay checks

* fix(policy): evaluate inherited scoped agent posture

* chore(policy): keep agent harness out of scoped policy pr
 2026-05-25 08:45:16 -07:00
clawsweeper[bot]
d51f26850d fix: Hook ingress token unlocks password-mode gateway auth (#86453) 
Summary:
- The PR expands security audit, CLI docs, and tests so `hooks.token` reuse of active Gateway token/password auth is reported while password-mode Gateway startup remains compatible.
- PR surface: Source +178, Tests +311, Docs +14. Total +503 across 14 files.
- Reproducibility: yes. from source inspection: current main forwards a bearer token as both token and passwor ... ecause this review was read-only, but the linked issue and code path make the reproduction high confidence.

Automerge notes:
- PR branch already contained follow-up commit before automerge: fix(cr-fmi-hook-ingress-token-unlocks-password-mode-gateway-auth): ap…
- PR branch already contained follow-up commit before automerge: fix: include trusted proxy password in hooks token reuse check
- PR branch already contained follow-up commit before automerge: fix(gateway): audit hooks password reuse without blocking startup
- PR branch already contained follow-up commit before automerge: fix: Hook ingress token unlocks password-mode gateway auth

Validation:
- ClawSweeper review passed for head 7c796b22ec.
- Required merge gates passed before the squash merge.

Prepared head SHA: 7c796b22ec
Review: https://github.com/openclaw/openclaw/pull/86453#issuecomment-4533831028

Co-authored-by: Coy Geek <65363919+coygeek@users.noreply.github.com>
Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>
Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
Co-authored-by: clawsweeper[bot] <274271284+clawsweeper[bot]@users.noreply.github.com>
Approved-by: jesse-merhi
 2026-05-25 13:39:56 +00:00
Nimrod Gutman
c791e4242b fix(gateway): gate talk secret bootstrap handoff (#85690) 
Merged via squash.

Prepared head SHA: 9247cdab05
Co-authored-by: ngutman <1540134+ngutman@users.noreply.github.com>
Co-authored-by: ngutman <1540134+ngutman@users.noreply.github.com>
Reviewed-by: @ngutman
 2026-05-25 11:34:12 +03:00
FullerStackDev
0a98c2d626 address migrate auth review comments 2026-05-25 09:16:37 +01:00
FullerStackDev
f036bac144 migrate auth credentials 2026-05-25 09:16:37 +01:00
Gio Della-Libera
3a72a30074 fix(oc-path): support deep config edits (#86060) 2026-05-24 18:10:02 -07:00
Gio Della-Libera
82af6119fa fix: honor OPENCLAW_HOME defaults (#85802) 
* fix: honor OPENCLAW_HOME defaults

* fix(install): preserve openclaw home upgrade defaults

* fix(install): satisfy shellcheck tilde patterns
 2026-05-23 20:39:59 -07:00
Gio Della-Libera
4ffbd07c06 docs(policy): add policy rule reference tables (#85795) 2026-05-23 16:59:33 -07:00
Gio Della-Libera
1e2e614748 Policy: add tool posture conformance checks (#85482) 
* feat(policy): add tool posture conformance

* fix(policy): attest tool alsoAllow posture
 2026-05-23 16:44:42 -07:00
Peter Steinberger
f4b5e58231 fix: aggressively prune retired model catalogs 2026-05-23 17:29:50 +01:00
Daniel Marta
4ec85762ab feat(auth): support named model login profiles 
* docs(auth): document named OAuth profile logins

* feat(auth): support --profile-id in models auth login

* docs: note named model login profiles

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-05-23 12:44:57 +01:00
Peter Steinberger
a7e0fa08e7 docs: expand meeting notes docs 2026-05-23 11:58:29 +01:00
Vincent Koc
6e3b3183dd fix(cli): keep logs follow on live gateway state 
Use the passive backend Gateway client for implicit local logs reads, and route Linux follow-mode local RPC failures to a bounded/redacted active systemd journal fallback instead of stale configured-file logs.

Fixes #83656
Fixes #66841
 2026-05-23 17:54:23 +08:00
Peter Steinberger
07694c639d feat: add meeting notes plugin 
Adds source-only external meeting notes plugin, SDK source-provider contract, CLI access, date-sharded storage, and Discord voice source.
 2026-05-23 10:38:09 +01:00
Peter Steinberger
2c536a8626 docs: absorb documentation PR sweep 2026-05-23 10:23:34 +01:00
Peter Steinberger
99a1107b61 docs: absorb hook and subagent guidance PRs 2026-05-23 09:47:37 +01:00
Gio Della-Libera
a94f3444a0 Policy: add agent workspace conformance checks (#85096) 
* feat(policy): add agent workspace conformance

* chore(policy): refresh agent workspace checks

* fix(policy): require enabled sandbox for workspace policy

* fix(policy): align agent workspace evidence with runtime
 2026-05-22 20:24:31 -07:00
Gio Della-Libera
959b935f3d fix(doctor): classify codex asset notice as info (#85119) 2026-05-22 18:28:45 -07:00
Josh Avant
f2365053d3 fix(codex): add API key paste auth (#85533) 
* fix codex api key auth paste

* changelog for codex api key auth

* support piped codex api key auth

* fix codex auth prompt validator type

* normalize pasted codex auth secrets

* honor codex auth profile type at runtime
 2026-05-22 17:53:05 -07:00
clawsweeper[bot]
464ffc1003 feat: start onboarding for fresh CLI installs (#85519) 
Summary:
- This PR routes bare `openclaw` to classic onboarding for missing, empty, or metadata-only configs; keeps aut ... cs/changelog/tests; and narrows a Docker E2E boundary-check exception for an existing source-checkout lane.
- Reproducibility: not applicable. this is a feature/default-routing PR rather than a bug report. The branch p ... ill includes a fresh-state terminal run reaching `OpenClaw setup` and tests for the relevant config states.

Automerge notes:
- PR branch already contained follow-up commit before automerge: feat: start onboarding for fresh CLI installs

Validation:
- ClawSweeper review passed for head f4b2572f2e.
- Required merge gates passed before the squash merge.

Prepared head SHA: f4b2572f2e
Review: https://github.com/openclaw/openclaw/pull/85519#issuecomment-4522938004

Co-authored-by: FullerStackDev <263060202+fuller-stack-dev@users.noreply.github.com>
Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
Co-authored-by: clawsweeper[bot] <274271284+clawsweeper[bot]@users.noreply.github.com>
Approved-by: takhoffman
Co-authored-by: takhoffman <781889+takhoffman@users.noreply.github.com>
 2026-05-22 22:00:21 +00:00
Jason (Json)
84f6b5c7f8 fix(update): prepack npm git update specs 
Prepack npm GitHub/git source update specs into temporary tarballs before the staged global npm install. Extends coverage to hosted GitHub HTTPS URLs without a `.git` suffix.

Co-authored-by: fuller-stack-dev <263060202+fuller-stack-dev@users.noreply.github.com>
 2026-05-22 22:58:16 +01:00
Gio Della-Libera
dcc5e45b50 Policy: add gateway exposure checks (#81981) 
* feat(policy): add gateway exposure conformance

* fix(policy): align custom bind exposure evidence
 2026-05-22 14:18:01 -07:00
Peter Steinberger
bb5010b89a docs: absorb docs sweep 
Co-authored-by: Kai <kai@itskai.dev>
Co-authored-by: Weihang <gwh7078@163.com>
Co-authored-by: Scott Long <longstoryscott@gmail.com>
Co-authored-by: moejaberr <mjaber@uoguelph.ca>
Co-authored-by: huihui0822 <109355071+huihui0822@users.noreply.github.com>
 2026-05-22 21:52:01 +01:00
Gio Della-Libera
c85feace54 Policy: add secret and auth conformance checks (#81974) 
* feat(policy): add secrets auth conformance

* fix(policy): include sandbox ssh secret data

* fix(policy): complete secret input provenance

* fix(policy): cover media request secrets

* fix(policy): satisfy policy lint

* fix(policy): narrow secret conformance evidence

* fix(policy): cover request bearer token secrets
 2026-05-22 12:48:14 -07:00
吴杨帆
88f50e8cd1 docs(config): quote bracket config paths (#83058) 2026-05-22 20:20:10 +01:00
Peter Steinberger
59aef2ff0d fix: apply docs sweep updates 2026-05-22 18:40:20 +01:00
Kaspre
01fce88082 fix(agent): abort accepted gateway runs on signal 2026-05-22 09:16:36 +01:00
fuller-stack-dev
65471a2da6 feat: add xai oauth web search and provider timeouts 2026-05-22 08:49:53 +01:00
Kaspre
eb7f3b7b50 fix(agent): support explicit CLI session keys (#85121) 
Summary:
- The PR adds `openclaw agent --session-key`, normalizes explicit session keys through Gateway and embedded agent execution, and updates docs, tests, and changelog.
- Reproducibility: yes. Current main's `openclaw agent` registration and gateway CLI option type lack `--sessi ... Gateway agent protocol already accepts `sessionKey`; this is source-reproducible without executing the CLI.

Automerge notes:
- PR branch already contained follow-up commit before automerge: fix(agent): support explicit CLI session keys

Validation:
- ClawSweeper review passed for head 2c76dd339f.
- Required merge gates passed before the squash merge.

Prepared head SHA: 2c76dd339f
Review: https://github.com/openclaw/openclaw/pull/85121#issuecomment-4513508932

Co-authored-by: Kaspre <kaspre@gmail.com>
Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
Co-authored-by: clawsweeper[bot] <274271284+clawsweeper[bot]@users.noreply.github.com>
Approved-by: takhoffman
Co-authored-by: takhoffman <781889+takhoffman@users.noreply.github.com>
 2026-05-22 03:08:25 +00:00
Vincent Koc
15a0156a8c fix(update): reject openclaw source package targets 2026-05-22 07:35:57 +08:00
Gio Della-Libera
6dbd5bd446 Policy: add model, network, and MCP conformance checks (#80783) 
* feat(policy): add model network and mcp conformance checks

* fix(policy): validate conformance rule shapes

* fix(policy): quote dynamic evidence paths

* fix(policy): scan per-agent model maps

* fix(policy): normalize model provider conformance
 2026-05-21 07:27:16 -07:00
Patrick Erichsen
c0312748c4 feat: support git and local skill installs (#84793) 2026-05-20 21:12:03 -07:00
Gio Della-Libera
a30ac3f8d7 Policy: add tool metadata conformance (#80056) 
* feat(policy): add tool metadata conformance checks

* Add policy trusted tool runtime gate

* Use requireMetadata for tool policy

Make tools.requireMetadata the canonical policy schema for risk, sensitivity, and owner requirements. Update runtime enforcement, doctor findings, evidence parsing, tests, and policy docs to use the new schema.

* fix(policy): persist approval metadata

* fix(policy): refresh approval metadata artifacts

* docs(policy): list all tool finding checks

* fix(policy): parse multiline tool metadata

* test(policy): cover unparseable policy check output

* fix(policy): resolve oc-path api in packaged dist

* fix(policy): clear post-rebase CI failures

* test(policy): clear post-rebase CI failures

* fix(policy): restore watch and align validation

* fix(policy): clear ci gate failures

* Simplify policy tool evidence parsing
 2026-05-20 20:47:32 -07:00
Peter Steinberger
a13468320c fix: clarify pinned session model status 2026-05-20 15:59:24 +01:00