Commit Graph

65907 Commits

Author SHA1 Message Date
openclaw-mantis[bot]
40dc7e5bd2 chore(i18n): refresh native locales (#103689)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-07-10 13:52:12 +01:00
Peter Steinberger
ea6aa1dc75 fix(pr): prevent same-PR operations from overlapping (#103669)
* fix(pr): serialize operations per pull request

* fix(pr): tighten supervisor error handling
2026-07-10 13:34:03 +01:00
Peter Steinberger
505f8ae6a3 fix(control-ui): harden workspace avatar projection (#103657)
* fix(control-ui): harden workspace avatar projection

Co-authored-by: LZY3538 <liu.zhenye@xydigit.com>

* refactor(gateway): remove dead avatar URL mapper

* test(control-ui): track avatar temp directories

---------

Co-authored-by: LZY3538 <liu.zhenye@xydigit.com>
2026-07-10 13:31:22 +01:00
Vincent Koc
0426f238c3 fix(providers): align Meta Model API contract (#103680)
* fix(providers): align Meta Model API contract

* fix(security): classify Meta endpoint as native
2026-07-10 05:24:14 -07:00
openclaw-mantis[bot]
831f4630fa chore(ui): refresh control ui locales (#103682)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-07-10 13:13:05 +01:00
ragesaq
b8d195f45e fix: subscribe ClickClack from startup tail cursor (#102486)
Prevent ClickClack startup history from replaying as new agent input while preserving messages created during startup. Uses the server-captured realtime tail cursor from openclaw/clickclack#46, paginates reconnect recovery, and retains legacy client and server compatibility.

Prepared head SHA: 0e7008fbf6
Co-authored-by: ragesaq <11304287+ragesaq@users.noreply.github.com>
Co-authored-by: Shakker <165377636+shakkernerd@users.noreply.github.com>
Reviewed-by: @shakkernerd
2026-07-10 13:07:07 +01:00
Peter Steinberger
a13d2c4c93 fix(terminal): strip C1 OSC payloads from output (#103672) 2026-07-10 13:02:21 +01:00
Peter Steinberger
a238dead67 fix(docker): package selected external plugins in source-built images (#103629)
* build(docker): package selected external plugins

* test(docker): auto-clean plugin fixture

* fix(docker): preserve selected image provenance

* fix(docker): accept manifest-only plugin selections

* fix(docker): resolve selected plugin manifest ids

* fix(docker): isolate resolved plugin selection
2026-07-10 13:00:50 +01:00
Peter Steinberger
13819996ad fix(ci): preflight generated PR app permissions (#103671) 2026-07-10 12:57:30 +01:00
Peter Steinberger
bbc845a100 fix(ui): guard cron page registration (#103670) 2026-07-10 12:55:25 +01:00
Peter Steinberger
28ce79a94a perf(test): resolve mocked live-run cancellation 2026-07-10 07:52:44 -04:00
Peter Steinberger
a14bbd1f1f fix(agents): serialize session lock cleanup 2026-07-10 07:52:44 -04:00
Peter Steinberger
965396921a fix(ui): avoid Zod eval under strict CSP (#103665) 2026-07-10 12:48:33 +01:00
Ayaan Zaidi
d11d1d0ee6 fix(telegram): scope reply-fence abort authority to pre-adoption dispatch 2026-07-10 17:08:31 +05:30
Gorkem Erdogan
9330ad86ff fix: 429 errors without rate-limit wording skip the same-model retry (#99097)
* fix: 429 errors without rate-limit wording skip the same-model retry

Aggregated providers such as OpenRouter provider pools surface transient
upstream throttles as a bare "429 <generic text>" with no RPM/TPM wording
and no Retry-After header. resolveShortWindowRateLimitRetry required one
of those hints, so these errors bypassed the same-model retry ladder and
failed the turn on the first attempt.

Treat a status-prefixed 429 as short-window once the long-window guard
(quota, usage, billing wording) has filtered its phrasings, and let the
existing backoff ladder pace the retry.

* test(agents): streamline bare 429 coverage

---------

Co-authored-by: Altay <altay@hey.com>
2026-07-10 14:33:36 +03:00
Peter Steinberger
80a1778363 fix(ui): preserve lobster vigil outcomes (#103483) 2026-07-10 12:32:59 +01:00
Peter Steinberger
4cc5304178 test(qa): derive smoke scenario coverage (#103656) 2026-07-10 12:28:02 +01:00
Peter Steinberger
a3ef0153fb fix(ci): restore manually dispatched live suites (#103654) 2026-07-10 12:26:44 +01:00
Peter Steinberger
c8655be915 test(terminal): cover C1 buffer text controls (#103439) 2026-07-10 12:24:17 +01:00
Peter Steinberger
d72e618818 fix(ci): split locale publisher app permissions (#103644)
* fix(ci): split locale publisher app permissions

* fix(ci): prevent stale locale publication
2026-07-10 12:16:03 +01:00
Peter Steinberger
a0a709555f fix: keep gateway model probes stateless (#103651)
* fix: keep gateway model runs stateless

* chore: keep release notes in PR body
2026-07-10 12:15:47 +01:00
Peter Steinberger
7b03a2ae20 test(qa): model non-assistant parity usage (#103650) 2026-07-10 12:12:28 +01:00
Peter Steinberger
dff4c634f1 fix(macos): keep dashboard tab reuse and ordering accurate (#103464)
* fix(macos): preserve dashboard tab identity

* test(macos): strengthen dashboard tab regressions

* fix(macos): retire failed dashboard navigation aliases
2026-07-10 11:57:04 +01:00
Peter Steinberger
401f278f11 feat: add Control UI plugin management (#103176)
* feat(ui): add plugin catalog management

* feat(gateway): add plugins.uninstall and richer plugin catalog metadata

Adds a plugins.uninstall gateway method (operator.admin, control-plane write)
backed by a lock-guarded uninstallManagedPlugin that mirrors the CLI flow:
config cleanup, install-record removal, managed file deletion, and registry
refresh. Bundled plugins stay disable-only. Catalog entries now carry a
manifest-derived category and a removable flag; ClawHub search results expose
download counts and verification tiers.

* feat(ui): redesign plugins page with inventory, store shelves, and cover art

Rebuilds /settings/plugins around three tabs: Installed (category-grouped
inventory with overview stats, state filters, uninstall for external plugins,
and inline MCP server management through the shared config seam), Discover
(featured/official shelves plus one-click MCP connectors and curated ClawHub
searches), and ClawHub (search with download counts and verification badges).
Every catalog entry renders bundled cover art or a deterministic gradient
monogram tile - no more empty boxes. Artwork generated with Codex CLI, shipped
as 512px WebP under ui/public/plugin-art.

* chore(ui): regenerate locale bundles for plugins manager strings

* docs: describe plugins manager tabs, uninstall, and MCP connectors

* fix(plugins): human catalog labels and un-pinned hosted fallback ids

listManagedPlugins now prefers manifest names over registry package-name
backfill, falls back to channel catalog labels and blurbs, and stops pinning
expectedPluginId when a hosted feed entry only exposes its package name
(which rejected every legitimate install of that package). Found via live
gateway testing against ClawHub.

* fix(ui): send minimal RFC 7396 merge patches for MCP server edits

config.patch merges rather than replaces, so key removal needs an explicit
null; sending the full config back made MCP server removal a no-op. Found
via live gateway testing.

* fix(ui): write explicit MCP transports for URL servers

The MCP runtime defaults URL-only servers to SSE, so streamable HTTP
endpoints saved by the add form or connector templates would fail at
connect time. Connector templates now declare their transport and the
add form infers streamable-http unless the URL follows the /sse
convention. Flagged by autoreview against the transport resolver.

* test(ui): wait for deferred plugin requests before resolving in e2e

* feat(ui): plugins detail view, action menus, and unified ClawHub search

Reworks the plugins page from PR #103176 feedback: merges the ClawHub tab into
Discover (typing searches ClawHub inline and appends a quiet From ClawHub
section, with Browse ClawHub demoted to a header text link), makes every row and
store card open a plugin detail overlay (hero art, primary enable/install
action, metadata table), and replaces enable/disable switches with a state chip
plus an overflow menu (Enable/Disable, Remove for external plugins, View
details) matching the ChatGPT-store install+menu pattern. MCP rows use the same
menu; refresh is now icon-only.

* chore(ui): regenerate locale bundles for plugins UI iteration

* feat(ui): vetted, grouped connector catalog for the plugins store

Expands Connect your world to 28 connectors organized into use-case shelves
(Work & productivity, Coding & infrastructure, Home & media, Everyday life).
Every entry passed a three-stage subagent review: official-docs verification
plus live endpoint probes for MCP servers, ClawHub result-quality and
malware/typosquat screening for curated searches, and an adversarial pass
that dynamically registered OAuth clients to prove one-click viability.

That review removed Figma (registration allowlisted, 403) and Atlassian
(OAuth issuer-mismatch bug upstream), downgraded GitHub to PAT-based setup
(no dynamic client registration upstream), fixed Linear (/sse retired) and
Home Assistant (/api/mcp, streamable HTTP) endpoints, retargeted poisoned or
dead searches (youtube, finance, hue dropped; calendar -> google calendar;
stocks replaces finance), and added Todoist, Airtable, Canva, Stripe,
Context7, DeepWiki, Hugging Face one-click MCP servers plus Jira, PDF,
transcription, Kubernetes, Reddit, maps, translation, and notes searches.
Keyless servers get a ready-to-use success message; new cover art included.

* chore(ui): regenerate locale bundles for connector groups

* fix(plugins): suppress hosted catalog rows once their package is installed

Hosted feed entries without a declared runtime id fall back to their package
name as catalog id, which never matches the installed runtime id, so the
Discover shelf kept offering an already-installed package. Installed package
names now also suppress official rows. Flagged by autoreview.

* fix(plugins): pin declared runtime ids and surface connector errors in place

The runtime-id pin now keys off explicitly declared catalog ids (plugin,
channel, or provider) instead of string-comparing against the package name,
so declared ids that equal their package name stay enforced while entry-id
fallbacks stay unpinned. Connector add failures on Discover now render on the
triggering card instead of the Installed tab's MCP section. Both flagged by
autoreview; regression tests included.

* feat(ui): full inventory artwork, pulse header, and two-column plugin list

Every bundled plugin now ships distinctive cover art (113 new Codex CLI
illustrations; 172 total, ~2.1MB WebP), so inventory rows and detail views
never fall back to monogram tiles. The four stat cards give way to a compact
inventory pulse: a segmented enabled/disabled/issues meter whose legend and
counts live inside the filter chips. Inventory, MCP, and search rows flow
into two columns when the panel is wide enough.

* chore(ui): regenerate locale bundles for pulse header

* fix(ui): omit stdio args from the MCP server row target

Stdio MCP args routinely carry tokens, and the inventory is visible to
read-only operators; mirror the config page and show only the command.
Flagged by autoreview; regression test included.

* fix(merge): point crestodian setup at relocated plugin commit/refresh modules

* fix(merge): add bootstrapToken to plugins page test gateway harness

* fix(plugins): name catalog install-action branches so Swift emits the union

* fix(ui): satisfy strict lint on plugins page form parsing and mocks

* chore(build): regen docs map, raise plugin-sdk declaration budget for new protocol surface

* fix(ui): type the plugins page patch mock with its real call signature
2026-07-10 11:56:44 +01:00
Peter Steinberger
62bd760c0e chore(swift): enforce current formatting and lint rules (#103313)
* style: apply SwiftFormat 0.62.1 rules

Refs #103202

* ci: enforce deterministic Swift lint

Refs #103202

* refactor: keep gateway connect lint-clean

Refs #103202

* style: keep iOS typography checks warning-free

* ci: route MLX Swift changes through pre-push

* fix: preserve native i18n extraction after Swift cleanup

* refactor: keep rebased Swift surfaces lint-clean

* style: format latest Swift additions

* chore: refresh native i18n inventory

* style: keep generated Swift formatter-clean

* fix: preserve node route invalidation callbacks

* fix: keep native translation IDs stable

* fix: retain native translation identifiers

* fix: preserve translations across Swift source moves
2026-07-10 11:54:08 +01:00
Peter Steinberger
6eb9a5ada2 test(macos): isolate config change notifications (#103481) 2026-07-10 11:47:26 +01:00
Peter Steinberger
7d87cedcda fix(ui): use default cursor for mount fallback (#103448)
* fix(ui): use default cursor for mount fallback

* test(ui): focus mount fallback cursor coverage
2026-07-10 11:43:32 +01:00
Peter Steinberger
74717f6a5a fix(qa): keep retry passes terminally successful (#103635)
Refs #103631
2026-07-10 11:42:13 +01:00
Peter Steinberger
29d018f0af fix(ui): detect encoded media URL extensions (#103466) 2026-07-10 11:32:01 +01:00
Peter Steinberger
bcf2798920 fix(ci): publish locale refreshes through exact merge (#103625) 2026-07-10 11:25:25 +01:00
Peter Steinberger
bacc75a358 fix(ui): stop session shortcuts after panel collapse (#103514)
* fix(ui): stop hidden session menu shortcuts

* fix(ui): adapt hidden menu dismissal to restored sidebar
2026-07-10 11:14:41 +01:00
Peter Steinberger
f1b75bf5fa fix(release): leave canonical public release pages untouched on resume
Codex review: the early draft-page creation could rewrite an
already-public release with the proofless prepublish body, stripping its
verification section until the proof append re-ran — a failed resume
would leave the public page proofless. create_or_update now no-ops when
the existing page is public and already canonical (the state
guard_existing_public_release vetted); drafts still get refreshed
notes.
2026-07-10 03:09:10 -07:00
Peter Steinberger
8d66e47773 fix(release): prove registry tarball identity before resuming a publish
Codex review: version existence alone does not prove the npm registry
serves the tarball this tag's preflight built — the same version could
have been published from a different artifact and npm versions are
immutable. The resume resolver now downloads the preflight manifest,
requires its releaseSha to match the target, and compares the published
registry tarball's sha256 against the manifest before skipping the core
dispatch; mismatches abort with correction-tag guidance.
2026-07-10 03:09:10 -07:00
Peter Steinberger
cb350ad333 fix(release): guard asset-contract verifiers for if-predicate use
The retry short-circuits call the Android/Windows verifiers as if
predicates, where bash suppresses errexit inside the function; a failed
gh attestation verify would have fallen through to the summary echo and
classified an unverified APK as promoted. Every failure-capable command
in both verifiers now returns explicitly.
2026-07-10 03:09:09 -07:00
Peter Steinberger
a8d16113f6 fix(release): keep retry evidence stable and scope ClawHub verification skips
Codex review on the resumable publish chain: postpublish evidence embeds
the current run id, so retries regenerated different bytes and wedged on
the byte-identity asset check — the evidence json and its checksum now
replace the release asset (latest verification wins; prior copies stay
as workflow artifacts) while content-stable manifest and dependency
evidence remain byte-verified. ClawHub verification is now skipped only
when ClawHub itself failed, not when an unrelated Windows/Android
promotion flake set the aggregate failure flag.
2026-07-10 03:09:09 -07:00
Peter Steinberger
ef22e77f0b perf(release): make publish reruns resumable and promote assets concurrently
The 2026.7.1 retro measured ~13h tag-to-published for beta.2 and stable
2026.6.11; any post-npm failure previously hard-aborted retries because
the already-published guard refused the whole run.

- resolve_openclaw_npm_publish_state replaces the abort guard: an
  already-published core version skips the core npm dispatch and resumes
  the remaining stages; verify_published_release still proves the
  registry state matches the tag before the page leaves draft.
- Windows and Android promotion runs concurrently with the core npm
  publish (their only shared prerequisite is the draft release page,
  which is now created before the dispatch) and each promotion
  short-circuits when the release already carries its verified asset
  contract, so retries only redo failed stages.
- The release proof cites the core npm run only when this run dispatched
  one; resumed publishes rely on the registry package check.
2026-07-10 03:09:09 -07:00
Peter Steinberger
fde42b5eea perf(ci): reuse npm preflight build outputs on same-SHA re-runs
The preflight ran 61 times at ~14 minutes during 2026.7.1, redoing the
full build and Control UI build after every late-step failure. Restore
dist outputs from an actions/cache keyed on the resolved target SHA and
lockfile hash (mirroring ci.yml's dist-build cache) so re-runs skip only
the build producers; every validation step still runs against the
restored artifacts.
2026-07-10 03:09:08 -07:00
Peter Steinberger
0bf2c7aedb test(ui): cover session drops on pane headers (#103525)
* fix(ui): accept session drops on split headers

* test(ui): cover session drops on pane headers
2026-07-10 11:04:06 +01:00
Peter Steinberger
d6c7dbc3aa fix(ui): restore sidebar pin editor keyboard controls (#103612)
* fix(ui): restore sidebar menu keyboard controls

* test(ui): cover About in settings search E2E

* chore: leave release notes to release closeout
2026-07-10 11:03:19 +01:00
LZY3538
4af1d53766 fix(agent): return data URIs for workspace-relative identity card avatars (#97602) (#102892)
* fix(agent): return data URIs for workspace-relative identity card avatars (#97602)

agent.identity.get resolved workspace-relative agent avatars via
resolveAssistantAvatarUrl to /avatar/<agentId> route URLs. <img> tags
in the Control UI Personal card cannot load these URLs because they
lack Bearer auth headers, showing broken images (401).

Read the validated local avatar file into a data URI inline before
constructing the identity response. The file-reading helper lives in
agent.ts as a private (non-exported) function so it does not leak onto
the public Plugin SDK surface. The workspace root is canonicalised with
realpathSync to match the already-resolved filePath from
resolveAgentAvatar, fixing containment checks for symlinked workspaces.

Fixes #97602

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(gateway): inline workspace avatars in bootstrap config Personal card (#97602)

agent.identity.get already returns inline data URIs for workspace-local
avatars, but the Control UI Personal card is initialized from the bootstrap
config (control-ui-config.json), which still mapped workspace avatars to the
auth-gated /avatar/<agentId> route. An <img> cannot carry Bearer auth, so the
linked Personal card 401/broken-image symptom persisted despite the RPC fix.

Consolidate the workspace-safe avatar reader into a single gateway-internal
helper (readLocalAvatarDataUrl in session-utils) and use it in both
agent.identity.get and the bootstrap config handler, so the identity and
bootstrap projections produce identical data URIs. Not re-exported on the
Plugin SDK surface. Adds a bootstrap-config regression test.

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(control-ui): inline workspace assistant avatars

Project workspace-local assistant avatars into browser-safe data URLs across bootstrap and agent identity RPCs while preserving same-origin avatar routes and shared size limits.

Co-authored-by: LZY3538 <LZY3538@users.noreply.github.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: LZY3538 <LZY3538@users.noreply.github.com>
2026-07-10 11:03:08 +01:00
Peter Steinberger
b07a2eecc0 fix(codex): defer sandbox cleanup until process close (#103617) 2026-07-10 11:02:56 +01:00
Peter Steinberger
f601d0ef9e fix(ui): hover-only chrome for header icon buttons and a usable bottom-docked rail (#103601)
Light mode re-added a 1px border to ghost icon buttons: the light-theme
.btn--icon override outranks .btn--ghost and only background was reset.
Ghost buttons are now chromeless at rest in light mode too (matching
dark), showing background only on hover; the workspace rail's terminal
and collapse buttons drop their always-on borders the same way.

The bottom-docked workspace rail compressed its sections into clipped
half-rows (flex children shrank instead of scrolling). Sections now lay
out as side-by-side scroll columns in the bottom dock, using the width
the dock actually has.
2026-07-10 10:57:08 +01:00
Peter Steinberger
dd4f94f19d perf(test): overlap TUI gateway startup 2026-07-10 05:54:54 -04:00
Yuval Dinodia
1bac1022e6 fix(exec): auto-approve recognized read-only boolean flags on default safe bins (#88953)
* fix(exec): auto-approve recognized read-only boolean flags on default safe bins

Default safe bins (cut, head, tail, tr, uniq, wc) auto-approve stdin-only
text-filter invocations, but the short-option validator only had an accept
path for value-consuming flags: a cluster of pure boolean short flags fell
through to a terminal reject, so common read-only forms like 'wc -l',
'tr -d', 'uniq -c' and 'sort -n' were force-routed to manual approval even
though the bins are stdin-only and the dangerous flags are already denied.

Add an allowedBooleanFlags allowlist to the safe-bin profile model and
populate it for the default bins with their read-only boolean flags. The
short-cluster validator now accepts recognized boolean flags and the long
validator reuses its existing boolean-flag accept branch (previously
unreachable). Unrecognized short flags (e.g. 'tr -S') stay fail-closed, and
denied flags are still rejected first.

* fix(exec): keep safe-bin allowedBooleanFlags off the config-facing fixture type

The boolean-flag allowlist for default safe bins leaked onto SafeBinProfileFixture, the type used for tools.exec.safeBinProfiles, while the strict zod schema and the config normalizer never accepted or preserved the key. Move allowedBooleanFlags to an internal BuiltinSafeBinProfileFixture used only for the curated built-in profiles; custom config profiles keep the allowedValueFlags/deniedFlags model.

Adds tests proving built-in profiles still honor the boolean allowlist and that a custom profile cannot widen it.

* fix(exec): keep tail follow approval-gated

* test(exec): stabilize safe-bin trust fixtures

* test(exec): isolate safe-bin argv fixtures

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 10:53:56 +01:00
Peter Steinberger
4bc300843d fix(qa): keep runtime parity tiers flow-compatible (#103609)
* fix(qa): keep runtime parity tiers flow-compatible

Refs #103588

* test(qa): follow canonical frontier defaults
2026-07-10 10:51:13 +01:00
Peter Steinberger
7fe004d852 feat: show build identity in About screens (#103595)
* feat: show build identity in About screens

* chore: leave root changelog to release automation

* fix: translate Control UI About build details
2026-07-10 10:42:36 +01:00
Ben Badejo
1f3ea6faaa fix(codex): prevent startup hangs after binding migration (#103281)
* fix(codex): archive imported orphan binding sidecars

* fix(codex): harden binding sidecar migration

Co-authored-by: Benjamin Badejo <ben@benbadejo.com>

* chore: keep release notes out of contributor PRs

---------

Co-authored-by: Benjamin Badejo <ben@benbadejo.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 10:38:35 +01:00
heichl_xydigit
7eacd78c01 feat(devices): rename command for durable human-friendly device names (#94517)
Paired devices can now carry a durable operator-assigned label: device.pair.rename { deviceId, label } (schema-bounded, admin/ownership-gated) stores an operatorLabel that persists in the shared SQLite state DB, survives device repair and re-approval, and takes display precedence over the client-reported name in CLI devices list and the Control UI inventory (operatorLabel, then displayName, then clientId, then deviceId). The label was previously dropped on write because the pairing store had no column for it. CLI: openclaw devices rename --device <id> --name <label>. Docs cover the command and precedence.

Fixes #13870

Thanks to @bladin for the contribution.

Co-authored-by: heichl_xydigit <1740879+bladin@users.noreply.github.com>
Co-authored-by: Ayaan Zaidi <hi@obviy.us>
2026-07-10 15:05:41 +05:30
Peter Steinberger
abbd5ae3ea fix(discord): recover from failed gateway resumes (#103596)
* fix(discord): recover from failed gateway resumes

* chore: leave release notes to release workflow
2026-07-10 10:34:29 +01:00
Alix-007
f35b6e52a7 fix(chutes): add timeouts to OAuth HTTP requests (#102026)
* fix(chutes): add timeouts to OAuth HTTP requests

* fixup: reuse OAuth request signal helper for Chutes

* fix(chutes): bound OAuth requests

* test(chutes): normalize abort rejections

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 10:28:58 +01:00