* fix(control-ui): use canonical thinkingDefault key in Quick Config
The Control UI Quick Config panel was reading and writing the
non-canonical key agents.defaults.thinkingLevel, which is rejected
by the gateway's strict Zod schema with INVALID_REQUEST errors.
Fix: read from and write to agents.defaults.thinkingDefault instead.
The schema already defines this key and the runtime already reads it
at cfg.agents?.defaults?.thinkingDefault, so this is purely a UI path
correction with zero runtime changes.
The fast-mode control is left unchanged pending a maintainer decision
on its intended scope (per-agent, per-model, or new global default).
Refs #104501
* test(control-ui): prove quick thinking persistence
* docs(changelog): note Quick Config thinking fix
* chore: keep changelog release-owned
---------
Co-authored-by: Erick Kinnee <erick@ekinnee.dev>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
* feat(gateway): add sessions.files.set workspace file write with hash CAS (#104698)
* feat(ui): CodeMirror file editor panel with CAS save + clickable tool-card paths (#104698)
* fix(gateway): issue the file CAS hash only for strict-UTF-8 text (#104698)
* docs(web): document the editable file detail panel (#104698)
* fix(gateway,ui): round-trip BOM and CRLF bytes through the file editor (#104698)
* fix(ui): keep mixed-line-ending files read-only in the file editor (#104698)
* fix(ui): re-gate editability when a conflict reload returns non-editable content (#104698)
* fix(gateway): reject NUL bytes in sessions.files.set replacement content (#104698)
* fix(gateway,ui): regenerate protocol bindings, fix prod types and lint for file editor (#104698)
* fix(sessions): read zstd transcript archives through a materialized cache
Compressed archives were discovered but unreadable: the reset-archive
header probe read raw zstd bytes and every JSONL reader parsed them as
malformed lines, so compressed archives silently contributed zero
history and zero usage. Archives are write-once, so they materialize
once into a plain JSONL cache under the OpenClaw tmp dir and every
downstream reader (index, tail chunks, probes, usage scans) works
unchanged; the usage scanner also decompresses directly for whole-file
iteration.
* fix(sessions): keep usage byte-range semantics for compressed archives
Route zstd archive usage reads through the materialized plain-JSONL
cache so persisted incremental-scan offsets always measure decompressed
bytes; the whole-file decompress branch ignored requested ranges and
could overcount archived usage.
* fix(sessions): normalize compressed archives to decompressed space at usage discovery
Sizes, incremental offsets, and cache signatures for zstd archives now
all measure the materialized plain-JSONL cache, closing the truncation
window when persisted offsets from the compressed path met decompressed
reads.
* fix(sessions): gate the archive read cache on source identity
Every materialized-cache hit now stats the source archive: a deleted or
budget-evicted archive scrubs its cache entries instead of serving
stale plaintext, and the cache name carries the source size so a
same-path rewrite can never alias.
* fix(sessions): include source mtime in the archive cache identity
Same-path same-size rewrites can no longer alias a stale plaintext
cache entry; any source change mints a new cache name and the previous
entries are scrubbed on the next materialization.
* fix(sessions): bound and isolate the materialized archive cache
Cache entries expire on a 24h TTL sweep so budget-evicted archives
cannot leave plaintext copies behind, stale-identity scrubbing skips
the live identity and in-flight temp files, and unique temp names plus
last-rename-wins make concurrent materialization race-free.
* fix(sessions): drop useless probe-path initializer flagged by lint
* fix(agents): surface utility-model narration failures and show the utility model in models status
Narration failures were verbose-only, so a dead utility-model credential
silently degraded channel progress drafts back to raw tool lines. The
narrator now warns once per turn when it disables after consecutive
failures, naming the utility model + auth profile, and openclaw models
status renders the resolved utility model (config / provider default /
disabled) in human and JSON output.
Formatting verified remotely via Testbox format:check (hook bypassed:
no node_modules in this worktree).
Fixes#104764
* fix(models): include the utility model in models status auth analysis
The utility ref was rendered but not registered as a provider use, so
missing utility-provider auth kept --check green (Codex review P2).
Utility completions ride the plain API path like image models.
Formatting verified remotely via Testbox format:check.
* fix(models): register the utility model only for otherwise-unused providers
main's route analysis reports per-model issues; a same-provider utility
ref duplicated route reports (CI: incompatible-routes test). Shared
providers are already analyzed via their configured uses; utility-only
providers still enter the analysis so they stay visible to status.
Formatting verified remotely via Testbox format:check.
* fix(models): always analyze the utility model route in models status
Same-provider dedupe hid the documented incident class: an OAuth-healthy
primary says nothing about the utility model's plain API route (Codex
review round 3). The openai route-test fixture now pins utilityModel off
so route tests stay focused on their configured models, and a dedicated
test covers the OAuth-primary/api-key-utility scenario.
Formatting verified remotely via Testbox format:check.
* fix(models): give the utility model full text-route analysis in models status
Uses without codex fallback previously skipped per-model route
resolution (image-auth scoping), so the utility ref never produced
missing-auth route issues. Route scope is now explicit: text uses get
evaluateModelAuth, image uses keep provider-wide availability.
Formatting verified remotely via Testbox format:check.
* fix(models): probe the configured utility model and document source labels
--probe candidates now include the utility ref so utility-only providers
probe the actual configured model instead of an arbitrary catalog entry
(Codex review round 4). Inline comment records that the status resolver
never falls back to the primary, so 'provider default' labels are exact.
Formatting verified remotely via Testbox format:check.
* fix(models): canonicalize the reported utility ref and dedupe route diagnostics
utilityModel accepts aliases, so status now reports the resolved
provider/model instead of the raw alias, and identical route issues from
overlapping primary/utility refs collapse to one entry (Codex round 5).
Formatting verified remotely via Testbox format:check.
zod@4 declares sideEffects:false, so bundlers tree-shake the classic entry's
implicit config(en()) locale registration and every issue in a built dist
falls back to the bare "Invalid input" message. Users hit unactionable
errors like "agents.defaults: Invalid input" (#89445, #103956) and
message-text-keyed issue filtering in validation.ts diverges from source
behavior. Register the English locale explicitly next to the config schemas;
zod keeps its config on globalThis, so one call covers the whole process.
Fixes#104014
* fix(browser): reject non-page json new targets
* fix(browser): adopt only validated raw CDP targets
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
* feat(gateway): persist operator approvals
* fix(gateway): preserve approval ids exactly
* fix(gateway): enforce approval reviewer bindings
* fix(gateway): reconcile durable approvals with exec revocation hardening
Map #103515 semantics onto the durable lifecycle: resolutionSource and
one-shot consumeAskFallback stay process-local record facts, trusted
auto-review resolves through the durable CAS as a runtime resolver, and
lost races settle with the winner's operator source. Also: derive the
audience walker cap from the store cap, report APPROVAL_ALREADY_RESOLVED
for a resolve that loses the CAS race, document approval.get/resolve in
the protocol docs, and regenerate Swift models on the new base.
* fix(approvals): validate resolver kind
* docs(approvals): explain malformed verdict denial
* fix(protocol): regenerate approval models after rebase
* chore: leave changelog entry to release generation
* fix(gateway): preserve approval registration boundaries
* test(gateway): prove multi-device approval races
* test(gateway): keep approval order assertion stable
* docs: index operator approval architecture
* fix(protocol): bound approval declaration exports
* feat(ui): detect background tasks eagerly and show live tool activity in the chat rail
Track tool-start counts and the last tool name per task run in the task
registry, persist them on task_runs, and expose them as additive optional
TaskSummary fields. The chat background-tasks rail now loads its snapshot
eagerly so the collapsed toggle badge detects running work immediately,
and rows show a live elapsed timer, tool-use count, and the tool
currently in use (run duration for finished rows).
Issue: #104775
* fix(ui): translate background-task activity strings and refresh generated protocol models
The singular tool-use label is literal ("1 tool use") because several
locales legitimately drop the count placeholder in singular forms, which
fail-closes the placeholder guard in the i18n sync. Locale bundles are
the authenticated ui:i18n:sync output (fallbacks=0); GatewayModels.swift
is protocol:gen:swift output for the new TaskSummary fields.
* chore(ui): refresh i18n raw-copy baseline after rebase
* fix(scripts): make clawlog default behavior match documented usage
Running scripts/clawlog.sh with no arguments was printing the usage help
instead of the documented default behavior (last 50 lines from the past 5
minutes). Remove the early no-args help branch so the defaults are used.
Also validate that options requiring a value (-n, -l, -c, -s, -o) actually
receive one, preventing an unbound-variable abort under set -u.
Fixes#104058
* fix(scripts): preserve dash-prefixed operands in clawlog and add regression tests
ClawSweeper review feedback on #104059 noted that the missing-value
guards introduced in the previous commit also rejected valid operands
beginning with a dash (e.g., search text '-failed' or an output file
named '-debug.log'). Narrow the guards so they only reject genuinely
missing operands, not dash-prefixed values.
Add focused regression coverage in test/scripts/clawlog.test.ts for:
- no-argument default behavior
- missing values for -n/-l/-c/-s/-o
- acceptance of dash-prefixed operands
- --help still printing usage
Related: #104058
* test(scripts): isolate clawlog command execution
* test(clawlog): use managed temp directories
---------
Co-authored-by: moguangyu5-design <moguangyu5-design@users.noreply.github.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>