Commit Graph

66965 Commits

Author SHA1 Message Date
Peter Steinberger
c4b41c1e4a fix: clear transcript search data when sessions are deleted (#105249)
* fix: delete session transcript search state

* chore: keep release note in PR body
2026-07-12 10:43:53 +01:00
Peter Steinberger
7a4cfa3764 test(matrix): isolate approval reaction runtime (#105251) 2026-07-12 10:43:00 +01:00
Peter Steinberger
1bea458124 test(plugins): align prerelease contracts (#105252) 2026-07-12 10:42:34 +01:00
Peter Steinberger
e0f45bfbf0 feat(tooling): enforce indexed access checks in root tests (#105223)
* feat(tooling): enforce indexed access checks in root tests

* style(tooling): clarify scoped package guard
2026-07-12 10:42:07 +01:00
Peter Steinberger
251f54baec fix(apps): remove dead native code 2026-07-12 02:41:17 -07:00
Vincent Koc
a67b124f10 refactor(sessions): remove unused transcript helpers (#105245) 2026-07-12 17:40:54 +08:00
Vincent Koc
9b7f828d01 chore(skills): sync canonical autoreview (#105250) 2026-07-12 17:37:15 +08:00
Peter Steinberger
48e7f76e3a fix(nodes): expose typed executable lookup to agents (#105182)
* fix(nodes): add typed executable lookup action

* test(nodes): refresh executable lookup snapshots
2026-07-12 10:36:33 +01:00
Peter Steinberger
cc3dfc9ded fix: preserve unmanaged gateway restart truth (#105241) 2026-07-12 10:32:17 +01:00
Vincent Koc
1592d422ee fix(sqlite): reject orphaned database state before mutation (#105222)
* fix(sqlite): detect foreign key corruption

* docs(sqlite): document foreign key compaction checks

* fix(sqlite): prevent pragma shadow bypass
2026-07-12 17:31:24 +08:00
Vincent Koc
e90929ba41 chore(plugin-sdk): refresh node presence API baseline (#105236) 2026-07-12 17:25:03 +08:00
Peter Steinberger
477f3af688 fix(docs): preserve named runtimes and plugins 2026-07-12 05:24:06 -04:00
Peter Steinberger
b02d276bbc test(slack): align prerelease contracts (#105214)
* test(slack): align prerelease contracts

* docs(agents): note review artifact enums

* style(slack): format prerelease test
2026-07-12 10:23:47 +01:00
Peter Steinberger
b4a0fc5c57 perf(agents): reduce repeated turn setup latency (#105220)
* perf(agents): reuse prepared auth route models

* chore: leave release notes to release automation
2026-07-12 10:21:31 +01:00
Peter Steinberger
9bdb2a5ac0 fix(cron): preserve successful run status after delivery failure (#105215)
* fix(cron): keep isolated run status ok when delivery fails

A successful isolated cron agentTurn whose post-run delivery phase returns
an error collapsed the execution status into the delivery error, so the
outer scheduled run persisted status=error even though the isolated session
ended successfully.

Decouple execution status from delivery outcome in finalizeCronRun: when the
agent payload is non-fatal and the run was not aborted, a delivery dispatch
error now keeps status=ok and records the failure separately via
delivered/deliveryAttempted plus delivery diagnostics, which drive the
already-decoupled run-log deliveryStatus (not-delivered). Aborted runs and
fatal agent payloads keep their error status.

Fixes #94058

* fix(cron): keep deliberate delivery-target refusals as error status

The #94058 fix kept isolated turn status=ok when post-run delivery
fails, but the broad `status === "error"` check also caught the
#91613 keyless implicit last-target refusal, which is a deliberate
delivery-target guard (errorKind "delivery-target") and must stay
status=error. Exclude that errorKind so genuine delivery dispatch
failures still become ok while target-guard refusals remain errors.

* fix(cron): surface successful run delivery errors to run logs

A successful isolated agent turn keeps status=ok when post-run delivery
fails (#94058), but the ok/not-delivered resolveRunOutcome branch only
forwarded delivery diagnostics and dropped the delivery dispatch error.
That left lastDeliveryError empty and the finished-event deliveryError
field blank, so CLI/UI/API run logs could not show why delivery did not
land for an otherwise successful run.

Thread the delivery error on a dedicated CronRunOutcome.deliveryError
field from resolveRunOutcome through executeDetachedCronJob and
applyJobResult into resolveDeliveryState, so it persists as
lastDeliveryError and reaches the finished event (and thus the run log)
without conflating it with a run-level error (lastError stays empty on a
successful run).

Add a service/run-log readback test proving the delivery error survives
the cron boundary into a persisted run-log entry, and extend the
isolated-turn regression to assert the dedicated deliveryError field.

* fix(cron): preserve successful delivery outcomes

* fix(cron): preserve startup delivery errors

* fix(cron): retain best-effort delivery errors

* fix(cron): preserve delivery errors on fallback paths

* fix(cron): preserve delivery errors on fallback paths

---------

Co-authored-by: Alix-007 <li.long15@xydigit.com>
2026-07-12 10:20:53 +01:00
Peter Steinberger
7c954849e6 fix(google-meet): use strong caption epochs (#105221) 2026-07-12 10:20:50 +01:00
Peter Steinberger
de4d4079ad fix(browser): make ref uploads request-owned (#105151)
* fix(browser): make ref uploads request-owned

* style(browser): satisfy upload owner const lint
2026-07-12 10:19:19 +01:00
Peter Steinberger
4efe056d32 fix(ci): stop Telegram release checks from fetching history (#105219)
* fix(ci): bound Telegram provenance lookups

* docs(agents): note linked worktree invocations
2026-07-12 10:18:39 +01:00
Vincent Koc
25f00f9881 refactor(plugins): remove dead contribution owner wrappers (#105224) 2026-07-12 17:17:54 +08:00
Peter Steinberger
e580275464 feat(tooling): enforce noUncheckedIndexedAccess in the scripts lane (NUIA phase 5) (#105180)
* feat(tooling): enforce noUncheckedIndexedAccess in the scripts lane

Burns down all 153 scripts-lane errors (bench aggregation, release
checks, i18n inventories, argv indexing) and flips the flag in
tsconfig.scripts.json. Direct-Node-executed release harness scripts use
local narrowing instead of workspace imports, which do not resolve
under plain node execution. Benchmark measured loops untouched.

* fix(scripts): import expect helpers via relative package sources

tsconfig path aliases resolve from cwd under tsx, so release wrapper
scripts running against old release target cwds could not resolve
@openclaw/normalization-core (not a linked root dependency). Relative
package-source imports match the established pattern on the adjacent
lines and are cwd-independent; old-target planning verified directly.
2026-07-12 10:17:00 +01:00
Peter Steinberger
d79373fa14 ci: bound legacy QA smoke compatibility (#105213) 2026-07-12 10:15:33 +01:00
Peter Steinberger
def7b51899 test(agents): keep model discovery assertions hermetic against bundled plugin runtime (#105050) 2026-07-12 10:15:05 +01:00
Peter Steinberger
a8b104c4e3 feat(mac): swap dashboard titlebar buttons with sidebar state (#105175)
* feat(mac): swap dashboard titlebar buttons with sidebar state

The Control UI reports sidebar collapsed/width over a new openclawNav
WKScriptMessage; the titlebar accessory shows toggle+back/forward
right-aligned to the sidebar edge while expanded, and
toggle+search+new-session while collapsed. Search opens the command
palette and + opens the new-session surface via openclaw:native-*
events. Older gateway bundles that never report keep the shipped
toggle/back/forward layout.

Refs #105129

* docs: describe state-dependent mac titlebar buttons
2026-07-12 10:13:36 +01:00
Coy Geek
3ac83ddfca fix: Canvas WebSocket creation in browser context silently swallows... (#82505)
* fix(canvas): report live reload websocket errors

Surface WebSocket initialization failures from the injected canvas live reload client through console diagnostics, DOM attributes, and a browser event instead of silently swallowing them.

* refactor(canvas): keep reload diagnostics console-only

* fix(canvas): distinguish page teardown from socket failure

* style(canvas): brace pagehide listener

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-12 10:13:04 +01:00
Peter Steinberger
4983594867 test(browser): align snapshot contract fixtures (#105210) 2026-07-12 10:12:47 +01:00
Peter Steinberger
acc57e4145 ci: isolate frozen Control UI tests (#105208) 2026-07-12 10:06:23 +01:00
Peter Steinberger
55254c3a0b feat(nodes): route alerts to the active computer (#105083)
* feat(nodes): route alerts by active computer

* fix(ci): allowlist node presence mobile coverage

* test(prompts): refresh node presence snapshots

* fix(macos): await presence reporter actor hop

* fix(macos): type presence test delivery state

* docs(nodes): add active presence guide

* docs(nodes): format presence troubleshooting
2026-07-12 10:05:50 +01:00
wangyan2026
232de2315b fix(gateway): reject disallowed browser Origin before accepting auth.mode=none on HTTP (#102834) (#102881)
* fix(gateway): reject disallowed browser Origin before accepting auth.mode=none on HTTP (#102834)

* refactor(gateway): scope HTTP Origin checks to no-auth

* fix(gateway): preserve trusted-proxy scan boundary

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-12 10:02:21 +01:00
Peter Steinberger
92accfde94 improve(ui): compact the New session controls and hero on phones (#105177)
* improve(ui): compact the new-session screen on phones

The /new target controls condense on phones: Where and Worktree share one
line and the folder picker takes its own full-width line below, so long
paths stay readable instead of stacking three loose rows. The shared
welcome hero (start screen and /new) scales down on phones so the
composer and recent chats fit the first screenful, and the /new scroll
inset matches the chat thread's mobile padding.

* fix(ui): keep mobile target rows in DOM order

Review caught that order: 2 on the folder chip made visual and tab order
diverge on phones. The folder chip now flexes next to Where with a 140px
floor that pushes Worktree to the second line, so the compact layout
keeps visual, reading, and focus order aligned.

* fix(ui): wrap the worktree fields with their toggle

Groups the worktree toggle and its branch/name fields in one flex unit so
line breaks never separate the dependent fields from the toggle at any
width; review caught that the previous flex sizing let the branch control
wrap alone on wider phones.
2026-07-12 10:02:04 +01:00
Vincent Koc
004b7b69c7 fix(ui): align E2E with current interaction contracts (#105206) 2026-07-12 17:01:45 +08:00
Vincent Koc
e7f9a430e3 refactor(plugins): remove obsolete plain-file installer (#105205) 2026-07-12 17:00:50 +08:00
Peter Steinberger
00cab8d42b fix(secrets): preserve partial gateway assignments (#105160)
Co-authored-by: SunnyShu <shu.zongyu@xydigit.com>
2026-07-12 09:58:33 +01:00
Vincent Koc
cf2af03d02 fix(sqlite): validate agent state before schema setup (#105179) 2026-07-12 16:57:18 +08:00
Peter Steinberger
f84b6f6091 test(release): harden shared UI and performance proof (#105061)
* ci(perf): pin PID-aware Kova evaluator

* test(ui): follow localized automation labels

* ci(perf): pin compatible Kova runner

* test(ui): bound chat hover browser wait

* docs(agents): require release validation helper

* ci(perf): retain redacted Kova reports

* style(ui): format chat hover test

* docs(agents): avoid dependency scripts in PR worktrees

* docs(agents): guard shared checkout branches

* docs(agents): quote gh api query endpoints
2026-07-12 09:55:21 +01:00
Peter Steinberger
17a533ce26 improve(ui): redesign the Automations tab with stats, a table list, and a full-page detail view (#105174)
* feat(ui): redesign Automations tab with stats, table list, and detail tabs

* docs(web): describe redesigned Automations page layout

* fix(ui): global failing-count stat via filtered cron.list and unclipped row menus

* fix(ui): refresh failing-count stat after cron job mutations

* chore(ui): sync locale bundles for automations redesign keys
2026-07-12 09:51:12 +01:00
Peter Steinberger
ae14fc1e81 fix: harden Crestodian maintenance flows (#105153)
* fix: harden Crestodian maintenance flows

* fix: skip trajectories for ephemeral Crestodian plans

* test: satisfy Crestodian CI gates
2026-07-12 09:51:03 +01:00
Peter Steinberger
1793c67ae1 test(browser): repair pw-ai page fixture (#105172) 2026-07-12 09:47:10 +01:00
Peter Steinberger
204d2b176a refactor(agents): compress model prompts and tool instructions (#105095)
* refactor(agents): compress model prompt instructions

* test(agents): align compact prompt assertions

* test(gateway): align compact message prompt assertion

* chore(plugin-sdk): refresh prompt overlay API baseline

* docs(changelog): note prompt instruction compaction

* test(agents): align compact prompt contracts

* test(agents): align CLI prompt contracts

* style(agents): format CLI prompt tests

* fix(qa): prioritize shadow trial workflow

* test(agents): refresh rebased prompt snapshots
2026-07-12 09:45:30 +01:00
Peter Steinberger
18eb472f82 fix(gradium): restrict TTS credential egress (#105169)
* fix(gradium): restrict TTS base URL before sending API keys

* fix(gradium): pin credential egress hostname

* docs(changelog): note Gradium credential guard

* docs(changelog): note Gradium credential guard

---------

Co-authored-by: 张贵萍0668001030 <zhang.guiping@xydigit.com>
2026-07-12 09:43:22 +01:00
pick-cat
1710ccad29 fix(tlon): cap SSE payload JSON.parse at 16 MiB to prevent OOM (#101274)
* fix(tlon): cap SSE payload JSON.parse at 16 MiB to prevent OOM

* fix(tlon): cap SSE stream buffer and JSON.parse at 16 MiB to prevent OOM

* chore(tlon): add production-style SSE bounded proof script (#101274)

Adds extensions/tlon/proof-sse-bounded.mts which drives the real
UrbitSSEClient.processStream and processEvent against Node Readable streams
(not unit-test mocks) to demonstrate:

- normal SSE events are still delivered through the stream path;
- an unterminated stream that would grow beyond 16 MiB is rejected before
  unbounded accumulation;
- a single SSE payload above 16 MiB is rejected before JSON.parse.

The script passes on this branch and fails 2/3 assertions when run against
origin/main's sse-client.ts, providing the before/after proof ClawSweeper
requested.

* chore(tlon): fix oxlint catch type in proof script (#101274)

* fix(tlon): reject oversized SSE chunk before buffer concatenation

Move the stream byte-limit check before buffer += chunkStr so a
single oversized chunk never lands in the pending buffer. The old
guard ran after concatenation, which still allowed the memory spike
this hardening is meant to prevent.

Add a single-oversized-chunk test to prove the guard fires before
the chunk is concatenated into the pending buffer.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* chore(tlon): remove PR-specific SSE bounded proof script

The proof script was review-only validation for #101274. Durable behavior
coverage lives in sse-client.test.ts (stream buffer bounding, oversized
chunk rejection before concatenation, 16 MiB boundary, normal delivery,
1000 small events). Per ClawSweeper P3 finding, drop the one-off script
from the plugin tree.

* fix(tlon): bound SSE event buffering safely

* test(tlon): avoid unsafe optional chaining

* fix(tlon): count split Unicode at SSE limit

* fix(tlon): parse split SSE delimiters at limit

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-12 09:41:53 +01:00
Vincent Koc
55e599c7b6 fix(node): foreground pairing no longer exits early (#105038)
* fix(node): keep foreground pairing wait alive

* test(node): cover foreground pairing lifetime

* fix(node): retain keepalive through shutdown

* test(node): match deferred cleanup mock type
2026-07-12 16:41:17 +08:00
Peter Steinberger
91863a2ec5 fix: keep MCP Apps aligned with runtime tool policy (#105075)
* fix: harden MCP Apps runtime policy

* fix: preserve MCP App reserved tool names

* fix: restart gateway for whole MCP Apps changes
2026-07-12 09:41:07 +01:00
Peter Steinberger
9cf4f03afe feat(telegram): add rich outbound location and video notes (#105142)
* feat(telegram): add rich outbound sends

Co-authored-by: Paul Kondratov <paulislava@mail.ru>

* fix(telegram): reject unsupported outbound locations

* fix(telegram): preserve location send semantics

* fix(telegram): preserve cross-context location markers

* fix(outbound): validate standalone locations before decoration

* fix(telegram): project native locations into prompt context

* chore: defer Telegram changelog to release

* fix(telegram): align SDK surface and docs map

---------

Co-authored-by: Paul Kondratov <paulislava@mail.ru>
2026-07-12 09:36:22 +01:00
Peter Steinberger
68553bed84 fix: live updater survives launchd teardown and retargets wrapped gateways (#105022)
* fix(updater): tolerate launchd teardown and replace plist args safely

* test(updater): declare plist argument helper
2026-07-12 09:35:53 +01:00
Peter Steinberger
7197eef3eb fix(gateway): queue agent runtime identity verification (#105143)
* fix(gateway): queue agent runtime identity verification

* chore: keep release changelog unchanged

* fix(gateway): recheck runtime context expiry after lock wait
2026-07-12 09:33:14 +01:00
Vincent Koc
e2f79a7614 refactor(channels): remove unused token prompt helper (#105159) 2026-07-12 16:32:43 +08:00
Vincent Koc
73bf1f29f8 refactor(models): trim private catalog exports (#105150) 2026-07-12 16:31:59 +08:00
Peter Steinberger
d31eeea408 fix(android): upsert device sessions safely (#105144) 2026-07-12 09:28:14 +01:00
Peter Steinberger
514d7189af fix(docs): preserve ambiguous product names 2026-07-12 04:24:53 -04:00
Peter Steinberger
fecd1ca195 improve(ui): unify the New session draft with the start-screen layout (#105069)
The /new draft page now renders the same welcome block as the empty-chat
start screen, with the draft controls folded in launcher-style: hero on
top, a quiet borderless target row (agent, node, folder, worktree)
directly above the mid-screen composer, and the recent chats below. The
page reuses renderWelcomeState via hint/composer slots so the surfaces
cannot drift apart; the shell treats /new as a chat-like route that owns
its scrolling, with the top inset doubling as the native titlebar drag
band. The welcome is content-sized on this route so a tall draft (open
folder browser, short window) stays scrollable from the top. Also
repairs the stale new-session e2e heading wait (the h1 was removed in

Closes #105068
2026-07-12 09:22:51 +01:00