* fix(slack): use endsWith instead of includes for _all_ action_id matching
* fix(slack): codify bulk action IDs and add confirmation regressions
Extract isSlackBulkActionId() with the documented _all suffix grammar,
use it for bulk-row detection, and add whole-path chat.update tests for
bulk-row cleanup plus deploy_all_services false-positive control.
Co-authored-by: Cursor <cursoragent@cursor.com>
* fix(slack): use OpenClaw bulk block marker instead of _all suffix
Replace global endsWith("_all") bulk detection with an explicit
openclaw:bulk: block_id prefix and closed action IDs, export a shared
producer helper, and add live Slack chat.update proof for bulk-row
removal and deploy_all_services preservation.
Co-authored-by: Cursor <cursoragent@cursor.com>
* fix(slack): keep bulk contract private and add legacy upgrade path
Drop speculative bulk-action exports from the Slack plugin API, keep
accepted ID collections private and immutable, and recognize legacy bare
select_all/deselect_all rows while still rejecting deploy_all_services
false positives.
Co-authored-by: Cursor <cursoragent@cursor.com>
* fix(slack): drop unsupported bare bulk compatibility branch
Remove the legacy select_all/deselect_all classifier that overmatched
single-ID and duplicate-ID rows, and add negative whole-path regressions
preserving unrelated custom action rows.
Co-authored-by: Cursor <cursoragent@cursor.com>
* fix(slack): remove unsupported bulk-row cleanup heuristic
Delete the undocumented bulk-row inference and namespaced replacement
contract. Confirmation updates now replace only the selected actions row
and preserve every other authored Block Kit row.
* refactor(slack): tighten interaction confirmation fix
* chore(changelog): preserve historical TTS entries
* chore(slack): move release note to PR body
---------
Co-authored-by: zw-xysk <zw-xysk@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
* feat: add metadata-only message audit events
* chore(protocol): restore generated swift models and config baseline after rebase
* fix(state): gate agent-db ownership check before schema version
* fix(cli): sync audit command description into the root-help catalog
* fix(audit): require destination proof before classifying outbound messages as direct
* refactor(audit): drop dead migration guard and add contract comments
* docs(gateway): add dedicated audit history page and cross-links
* test(e2e): enable direct-mode message audit in the telegram proof SUT config
* test(channels): expect declared conversationKind in durable delivery session context
* fix(audit): record the routing channel id for inbound rows from plugin channels
* fix(audit): match channel-prefixed delivery targets in the destination route gate
* fix(audit): validate explicit target kind against the destination route kind
* fix(audit): use the canonical target-prefix grammar in the destination route gate and fail closed on foreign migration tables
* fix(audit): normalize nested provider and kind target prefixes in the destination gate
* fix(audit): strip registered provider aliases and the direct kind prefix in the destination gate
* chore(docs): refresh config baseline after rebase
* fix(agents): protect provider auth exchange output by sensitivity, not input marker
protectPreparedProviderRuntimeAuth decided whether to protect a credential from
the shape of the input sourceApiKey: if the input was not a sentinel and not
registered for redaction it returned the exchange output untouched. That
assumes output sensitivity mirrors input sensitivity, which is false for any
provider that turns a non-secret marker into a real credential.
The bundled amazon-bedrock-mantle plugin hits this live: its stored apiKey is
the marker __amazon_bedrock_mantle_iam__ (not declared in nonSecretAuthMarkers,
so resolved raw), and its prepareRuntimeAuth mints a real IAM-derived Bedrock
bearer token. That real token flowed through the guard unprotected, so it was
stored and logged unredacted.
Gate protection per output value instead: skip empty values and non-secret
markers, protect everything else. Sibling providers that echo their own markers
(ollama-local, lmstudio-local, codex-app-server, gcp-vertex-credentials) are
unaffected. Drops the now-dead sourceApiKey parameter and its call sites.
* test(agents): assert sentinel storage and egress restoration for protected provider auth
* test(agents): assert protected runtime auth state
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
* fix(crabbox): preserve UTF-16 boundaries in CLI failure detail truncation
commandDetail replaced raw .slice(0, MAX_ERROR_DETAIL_CHARS) with
truncateUtf16Safe on the whitespace-compressed error detail output.
A 511-code-unit prefix with an emoji at the boundary produces a lone
high surrogate (U+D83D) on current main; the shared surrogate-aware
helper backs the cut up to preserve well-formed UTF-16.
* fix(crabbox): add provider-path UTF-16 regression test for inspect boundary
The existing test exercised commandDetail directly; ClawSweeper's P1
requires proof through the real provider boundary. The new test calls
provider.inspect() with a CLI runner that returns 511 ASCII + emoji in
stderr, proving commandDetail → truncateUtf16Safe works through the
full inspect → commandError → commandDetail chain.
Co-Authored-By: Claude <noreply@anthropic.com>
* refactor(crabbox): keep error proof on provider path
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
* improve(pr): trust origin/main-matching wrappers when the canonical checkout is parked elsewhere
* improve(crabbox): hint at lease expiry when reused-lease runs fail fast
* fix(pr): pin the wrapper trust anchor to the remote-tracking ref
* feat(sessions): durable session state events with parent invalidation
Parents no longer act on stale child-session state: a durable, typed
signal log (session_state_events + per-agent heads) records direct human
messages to children, child spawn/terminal outcomes, goal changes, and
compaction at the seams where those facts are created. A frozen-watermark
cursor protocol (session_watch_cursors) delivers one coalesced system
notice to the parent through the existing system-event + heartbeat wake
idiom, acknowledged at the shared generic drain, with a deferred startup
sweep for restart recovery. session_status gains stateVersion and
changesSince (with exact pruned-history gap signaling); sessions_list
rows gain stateVersion.
Closes#104565
* chore: regenerate docs map and prompt snapshots for session_status changesSince
* fix(outbound): preserve backticks on <code> tags with attributes
The plain-text sanitizer only matched bare <code> openers, so attributed
variants such as <code class="language-ts"> lost their backtick wrapping
and were stripped to raw text before channel delivery.
Allow optional attributes on the opening <code> tag, consistent with the
existing handling for <h[1-6]> and <li> in the same function.
Fixes#104117
* fix(outbound): preserve attributed inline formatting
Co-authored-by: chengzhichao-xydt <chengzhichao-xydt@users.noreply.github.com>
* test(outbound): compact attributed tag coverage
* fix(outbound): normalize attributed formatting tags
* docs(outbound): clarify attribute normalization invariant
* fix(outbound): preserve native formatting semantics
* docs(plugin-sdk): document sanitizer markup styles
* docs(plugin-sdk): refresh docs map
---------
Co-authored-by: moguangyu5-design <moguangyu5-design@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: chengzhichao-xydt <chengzhichao-xydt@users.noreply.github.com>
* feat(tooling): extend strict-ratchet lane to all remaining leaf packages
* fix(packages): burn down indexed-access debt in ai and agent-core
All 196 noUncheckedIndexedAccess errors fixed behavior-identically
(iteration, .at()/slices, DataView byte math, guarded queue peeks) plus
cleanup finds: a sparse-tool diagnostic bug, deduplicated Responses
call/item ID parsing with an honest string|undefined splitter, and a
clearer local failure for redacted-thinking blocks missing signatures.
Removes all 17 remaining non-null assertions across ai, gateway-client,
and llm-core so the assertion ban aligns 1:1 with the ratchet lane.
speech-core joins memory-host-sdk as structurally deferred (imports
src/** via plugin-sdk path mappings).
* feat(fleet): add openclaw fleet cell supervisor for multi-tenant hosting
* test(fleet): cover cell profile, registry, containers, and service flows
* docs(fleet): document multi-tenant hosting and the fleet CLI
* fix(fleet): verify upgrade replacements and release foreign-collision reservations
* fix(fleet): gate upgrade commit on replacement health
* docs(fleet): mark fleet experimental and pin its single-host scope
* test(fleet): make incomplete-profile casts explicit for test-type lane
* fix(state): regenerate kysely schema artifacts after rebase conflict