Commit Graph

37105 Commits

Author SHA1 Message Date
Vincent Koc
7e0324263b fix(text): keep reachable truncation boundaries UTF-16 safe
Consolidates #102007, #101818, and #101782.

Co-authored-by: 杨浩宇0668001029 <yang.haoyu@xydigit.com>
Co-authored-by: NIO <nocodet@mail.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-07-07 23:37:52 -07:00
Tran Quang
19f7b72a74 fix(voice-call): preserve per-call agent routing (#77763)
* fix(voice-call): preserve per-call agent routing

Co-authored-by: Tran Quang <randytran8800@gmail.com>

* chore: keep release notes in PR metadata

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: Peter Steinberger <peter@steipete.me>
2026-07-08 07:06:35 +01:00
kasangyong
22376d80e1 fix(doctor): honor per-agent bootstrap profile in size check (#84424)
* fix(doctor): honor per-agent bootstrap profile in size check

* fix(doctor): thread defaultAgentId through structured bootstrap-size health check

The noteBootstrapFileSize note path was fixed in the previous commit.
This commit applies the same defaultAgentId threading to the registered
core/doctor/bootstrap-size health check in doctor-core-checks.ts, which
is used by doctor --lint and repair flows.  Adds an integration regression
test that places a 15 000-char AGENTS.md between the per-agent budget
(10 000) and the defaults budget (20 000) and asserts that a truncation
warning is emitted -- the test fails on main (defaults budget wins, no
warning) and passes after this patch (per-agent budget wins, warning).
Also updates three fixHint strings in the health check to name the
per-agent knob before the defaults fallback, matching the note-path tip
text from the previous commit.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(doctor): preserve total-budget remediation guidance

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-07 21:19:27 -07:00
Yzx
bf31035538 fix(gateway): log websocket handshake phase (#93402)
* fix(gateway): log websocket handshake phase

* fix(gateway): clarify websocket handshake phases
2026-07-07 20:31:51 -07:00
Jason (Json)
4e84981402 feat(crestodian): guide providerless model setup (#101887)
* feat(crestodian): guide providerless model setup

* fix(crestodian): avoid TUI message shadowing

* fix(crestodian): tighten provider setup handoff

* fix(crestodian): simplify model setup result

* fix(crestodian): audit committed config hash

* fix(crestodian): contain embedded wizard exits

* test(crestodian): auto-clean operation temp dirs
2026-07-07 19:24:54 -06:00
Vincent Koc
180ddf1ec5 refactor(gateway): localize terminal helper types (#101941) 2026-07-07 18:13:19 -07:00
Wynne668
6db0506474 fix: lower successful agent stop completion logs (#101703) 2026-07-07 16:29:10 -07:00
Peter Steinberger
f2c6a0eda6 fix(tests): align plugin temp-dir and registry tests with current contracts (#101896) 2026-07-07 23:49:12 +01:00
Vishal Dharmadhikari
d708df47a3 improve(google): identify OpenClaw Gemini API traffic (#101834) 2026-07-07 16:09:02 -06:00
Bryan Tegomoh, MD, MPH
3d442153f6 fix(agents): avoid false unscheduled note after shell cron add (#101807)
* fix(agents): count shell cron reminder adds

* fix(agents): narrow shell cron reminder tracking

* fix(agents): handle shell runner variants

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-07 14:45:10 -07:00
Vincent Koc
1b6f3e43d1 refactor(deadcode): trim private helper exports (#101886) 2026-07-07 14:43:45 -07:00
Omar Shahine
91a0ebbce6 Improve iMessage imsg setup and skill ownership (#101407)
Co-authored-by: Omar Shahine <10343873+omarshahine@users.noreply.github.com>
2026-07-07 14:13:37 -07:00
Vincent Koc
f565138ddc refactor(deadcode): localize core helpers (#101869) 2026-07-07 13:16:57 -07:00
NianJiu
dbbab1044e fix: require full frontmatter delimiter lines (#101795)
Co-authored-by: NianJiuZst <180004567+NianJiuZst@users.noreply.github.com>
2026-07-07 11:53:03 -07:00
Peter Steinberger
a6768d9de5 feat(cron): event triggers — polled condition-watcher scripts via code mode (#101195)
* feat(cron): add headless code-mode driver and trigger-script evaluator

Part A of cron event triggers: runCodeModeScriptHeadless runs a script
to completion (exec/settle/resume, no snapshots, no session), plus the
cron-facing evaluator with per-job tool catalog cache, semaphore, 16KB
state cap, and closed failure taxonomy.

* fix(cron): correct trigger-script bootstrap flags and cache narrowing

* feat(cron): add event triggers (polled condition-watcher scripts)

Part B: trigger field on cron jobs gated by cron.triggers.enabled;
timer evaluates the script each due tick, quiet ticks leave no run
history, fired runs append the script message to the payload; once
semantics, min-interval floor, SQLite columns, RPC/CLI/agent-tool
surfaces, and docs.

* fix(cron): propagate triggerEval through startup catch-up outcomes

* fix(cron): honor cron staggering on quiet trigger ticks; fix trigger test types

* fix(cron): reject with Error reason in trigger-script abort test

* fix(cron): regenerate protocol/docs/snapshot artifacts and break madge cycle for trigger types

CI fixes for #101195: trigger evaluator result types move to the cron
types leaf (madge cycle), cron tool schema inventory gains trigger,
Swift protocol bindings + docs map + Linux prompt snapshots regenerated.

* fix(cron): drop underscore-dangle names in trigger code sync assert

* fix(cron): adopt registerHeadlessToolSearchCatalog after tool-search symbol localization

Upstream #101831 made registerToolSearchCatalog module-private; fold the
headless ref-only catalog registration into one public seam.
2026-07-07 19:12:38 +01:00
zw-xysk
e5c224754c fix(gateway): bound all-agent usage cache concurrency (#101589)
* fix(gateway): bound all-agent usage.cost concurrency to prevent SQLite starvation

Replace raw Promise.all in loadAllAgentCostUsageSummary with
runTasksWithConcurrency (limit=12), matching the sibling sessions.usage
pattern. Unbounded concurrent usage-cost cache reads saturated the SQLite
connection pool for deployments with 100+ agents, causing SQLITE_BUSY
timeouts or gateway memory crashes.

Fixes #101552

* fix(gateway): share usage cache concurrency cap

---------

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>
2026-07-07 10:48:02 -07:00
Josh Lehman
a68caa185b refactor(sessions): move parent-session forking behind the accessor boundary (#101699)
* refactor(sessions): move parent-session forking behind the accessor boundary

* fix(sessions): lazy-load fork transcript runtime to keep accessor imports lean

* test(sessions): align parent fork mock shape
2026-07-07 10:47:02 -07:00
Vincent Koc
b88f80940a refactor: localize internal implementation symbols (#101831) 2026-07-07 10:23:36 -07:00
Alix-007
fa84741f93 fix(claude-cli): surface re-auth hint when subprocess OAuth token expires (#97669)
* fix(claude-cli): surface re-auth hint when subprocess OAuth token expires

When the claude-cli subprocess emits a 401 "Failed to authenticate. API
Error: 401 Invalid authentication credentials" because its stored OAuth
token has expired, the error was surfaced as the generic provider-auth
copy instead of the targeted re-auth hint.

Two fixes:

1. Extend isOAuthRefreshFailureMessage to recognise the claude-cli
   subprocess 401 error shape (requires "claude-cli" prefix + 401 +
   auth failure text). extractOAuthRefreshFailureProvider returns
   "claude-cli" for this pattern; classifyOAuthRefreshFailureReason
   maps it to "revoked" so the "expired" copy is shown.

2. Reorder both classification sites in buildExternalRunFailureReply and
   the runAgentTurnWithFallback catch block so the OAuth-refresh check
   runs before classifyProviderRequestError.  The typed 401 branch in
   classifyProviderRequestError would otherwise intercept the FailoverError
   before the OAuth hint path is ever reached.

Fixes #97553

* fix(claude-cli): use correct auth login command format in re-auth hint

--provider claude-cli is not a registered provider id; the correct
command to re-authenticate the claude subprocess is:

  openclaw models auth login --provider anthropic --method cli

Add a special-case branch in buildOAuthRefreshFailureLoginCommand so
that a 'claude-cli' sanitized provider emits the two-flag form instead
of the generic --provider <id> template.  Update the regression test
expectation to match.

* test(claude-cli): expect CLI auth re-login command

* fix(claude-cli): classify structured OAuth auth failures

* test(claude-cli): add real http oauth expiry proof

* test(claude-cli): add proof output to real HTTP server OAuth test

* test(claude-cli): add proof console.log to real HTTP server test

* test(claude-cli): keep real HTTP OAuth proof output explicit

* fix(agents): include Claude CLI reauth step

* test(claude-cli): expect full cli reauth command

* test(claude-cli): align reauth hint with terminal wording

* chore: retrigger claude-cli CI after opengrep fetch failure
2026-07-07 12:51:13 -04:00
cxbAsDev
f92ed16e60 fix(sessions): bound trajectory snapshot and pointer reads (#101450)
* fix(sessions): bound trajectory snapshot and pointer reads

* test(sessions): align oversized snapshot assertion with bounded reader error message

* fix(sessions): cap follow-mode trajectory deltas

ClawSweeper review noted that the trajectory snapshot read was bounded
but the follow-mode delta read (Buffer.alloc(fileState.size - offset))
was not. A runaway trajectory append could still OOM the tail loop.
Reject deltas above TRAJECTORY_RUNTIME_FILE_MAX_BYTES and add regression
coverage for the oversized-delta path.

* test(sessions): exercise trajectory limits through command path

---------

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>
2026-07-07 09:49:27 -07:00
Josh Lehman
453f5968bb refactor(gateway): route chat transcript injection through the session accessor (#101688)
* refactor(gateway): route chat transcript injection through the session accessor

* fix(gateway): avoid map-spread in source reply mirror rewrite results

* perf(sessions): find injected transcript duplicates with a reverse early-exit scan
2026-07-07 09:10:30 -07:00
Shakker
9d15544038 fix: use configured Control UI base path at startup 2026-07-07 16:53:48 +01:00
Vincent Koc
3d206140f3 refactor: localize internal implementation constants (#101758) 2026-07-07 08:34:13 -07:00
wings1029
d633a2df42 fix(http-error-body): keep emoji / surrogate pairs intact during error body truncation (#101728)
* fix(http-error-body): keep emoji / surrogate pairs intact during error body truncation

Replace .slice(0, limits.maxChars) with truncateUtf16Safe() so that
emoji straddling the maxChars boundary don't produce lone surrogates
that render as � in error diagnostics. Matches the sibling http-body.ts
which already uses truncateUtf16Safe.

Co-Authored-By: Claude <noreply@anthropic.com>

* test: cover UTF-16 HTTP body branches

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 16:06:13 +01:00
Peter Steinberger
87fe266c5e fix: preserve emoji at remaining bounded-text edges (#101711)
* fix: keep remaining text bounds UTF-16 safe

Co-authored-by: ben.li <li.yang6@xydigit.com>
Co-authored-by: 0668001336 <wang.lizhang@xydigit.com>
Co-authored-by: Alix-007 <li.long15@xydigit.com>

* docs: credit bounded Unicode fixes

* test: update UTF-16 browser import boundary

* chore: leave Unicode note to release changelog

---------

Co-authored-by: ben.li <li.yang6@xydigit.com>
Co-authored-by: 0668001336 <wang.lizhang@xydigit.com>
Co-authored-by: Alix-007 <li.long15@xydigit.com>
2026-07-07 15:48:21 +01:00
Vincent Koc
fdc7892a6e refactor: localize internal implementation types (#101731) 2026-07-07 07:41:04 -07:00
Vincent Koc
c8d95da14c refactor: localize file-private exports (#101701) 2026-07-07 06:57:19 -07:00
Peter Steinberger
a7faec8ca1 fix(gateway): support native Windows exec approvals (#101669)
* fix(gateway): support native Windows exec approvals

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* chore: defer changelog entry to release

* test: use tracked approvals temp directories

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-07 14:50:59 +01:00
Peter Steinberger
176fee5d07 fix: prevent garbled emoji at remaining text limits (#101685)
* fix: keep remaining bounded text UTF-16 safe

Co-authored-by: 0668000787 <ma.weibin@xydigit.com>
Co-authored-by: ben.li <li.yang6@xydigit.com>
Co-authored-by: 廖石荣 0668000909 <liao.shirong@xydigit.com>
Co-authored-by: 陈志强0668000989 <chen.zhiqiang1@xydigit.com>

* test: use tracked prompt template fixture

---------

Co-authored-by: 0668000787 <ma.weibin@xydigit.com>
Co-authored-by: ben.li <li.yang6@xydigit.com>
Co-authored-by: 廖石荣 0668000909 <liao.shirong@xydigit.com>
Co-authored-by: 陈志强0668000989 <chen.zhiqiang1@xydigit.com>
2026-07-07 14:49:15 +01:00
Vincent Koc
407443264c refactor: localize internal reply and plugin types (#101666) 2026-07-07 05:51:47 -07:00
Peter Steinberger
a9582a1bb6 fix: keep bounded text truncation UTF-16 safe (#101654)
* fix: keep bounded text UTF-16 safe

Co-authored-by: wm0018 <wu.min5@xydigit.com>
Co-authored-by: 廖石荣 0668000909 <liao.shirong@xydigit.com>
Co-authored-by: 0668000787 <ma.weibin@xydigit.com>

* chore: keep UTF-16 release note in PR body

---------

Co-authored-by: wm0018 <wu.min5@xydigit.com>
Co-authored-by: 廖石荣 0668000909 <liao.shirong@xydigit.com>
Co-authored-by: 0668000787 <ma.weibin@xydigit.com>
2026-07-07 13:44:32 +01:00
maweibin
4d5cd05a64 fix(tasks): keep emoji / surrogate pairs intact during terminal output truncation (#101600)
* fix(tasks): keep emoji / surrogate pairs intact during terminal output truncation

.slice() counts UTF-16 code units; use Array.from() to count full
code points instead, preventing lone surrogates in task list output.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(tasks): preserve terminal column width

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 12:54:53 +01:00
Wynne668
cd0d570164 fix(gateway): keep session history stream errors handled (#101571) 2026-07-07 04:54:38 -07:00
Peter Steinberger
7c0a7c8be2 fix(agents): keep exec visible for lean local models (#101607)
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-07 12:46:26 +01:00
maweibin
f6ffe89df6 fix(control-ui-assets): keep emoji / surrogate pairs intact during last-line truncation (#101591)
* fix(control-ui-assets): keep emoji / surrogate pairs intact during last-line truncation

.slice(0, 239) counts UTF-16 code units; an emoji straddling the
cut point produces a lone surrogate rendering as  in WebUI assets.

Use [...last] spread to count full code points instead.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(control-ui-assets): preserve diagnostic length cap

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 12:32:21 +01:00
wm0018
d26a842799 fix(auto-reply): keep suppressed reply text preview truncation UTF-16 safe (#101575)
* fix(auto-reply): keep suppressed reply text preview truncation UTF-16 safe

String.prototype.slice at offset 160 can split surrogate pairs in
reply text previews logged for suppressed auto-replies. Replace raw
slice(0, 160) with truncateUtf16Safe — already imported in this file.

* test(auto-reply): exercise suppressed preview logging

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 12:25:53 +01:00
Peter Steinberger
a853489b3d fix(agents): clean up ls cancellation listeners (#101588)
Co-authored-by: 0668001336 <wang.lizhang@xydigit.com>
2026-07-07 12:15:49 +01:00
lsr911
42fc9e8a92 fix(acp): use truncateUtf16Safe for event mapper error text truncation (#101535)
* fix(acp): use truncateUtf16Safe for event mapper error text truncation

.slice(0, 100) on ACP event argument values can split surrogate
pairs from emoji or CJK text, producing U+FFFD in error/warning
notices shown to operators.

Co-Authored-By: Claude <noreply@anthropic.com>

* test(acp): cover UTF-16-safe tool titles

* refactor(acp): keep event mapper import leaf-only

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 12:10:28 +01:00
Peter Steinberger
46276312d6 fix(auth): clean OAuth contention diagnostics (#101573)
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-07 12:08:50 +01:00
Peter Steinberger
0979b51f49 fix(session-memory): preserve sibling paths in logs (#101577)
Co-authored-by: 陈宪彪0668000387 <chen.xianbiao@xydigit.com>
2026-07-07 12:08:08 +01:00
Peter Steinberger
4172de867c fix: preserve session labels across rollover (#101576)
Co-authored-by: ZengWen-DT <290981215+ZengWen-DT@users.noreply.github.com>
2026-07-07 12:07:25 +01:00
Peter Steinberger
2fe39692ad fix(gateway): preserve UTF-16 plugin approval fields (#101580)
* fix(gateway): keep plugin approval title and description truncation UTF-16 safe

Node.js String.prototype.slice cuts at UTF-16 code unit boundaries,
which can split surrogate pairs (emoji, CJK supplementary characters)
into lone surrogates that render as U+FFFD in approval UI payloads.

Use truncateUtf16Safe for both title and description fields in
createPluginApprovalsAttachment so approval requests never deliver
broken characters to the gateway approval UI.

Fixes #???

* test(gateway): exercise UTF-16 approval payloads

---------

Co-authored-by: wm0018 <wu.min5@xydigit.com>
2026-07-07 12:06:38 +01:00
maweibin
afdb9fd264 fix(session-cost-usage): keep emoji / surrogate pairs intact during content truncation (#101517)
* fix(session-cost-usage): keep emoji / surrogate pairs intact during content truncation

.slice(0, maxLen) counts UTF-16 code units, so an emoji straddling
the cut point produces a lone surrogate that renders as � in
usage cost CLI output. Use [...str] to count full code points instead.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* test(usage): cover UTF-16-safe log truncation

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 12:05:15 +01:00
wm0018
e7d617d4d9 fix(agents): keep exec auto-reviewer rationale truncation UTF-16 safe (#101513)
* fix(agents): keep exec auto-reviewer rationale truncation UTF-16 safe

String.prototype.slice at offset 500 can split surrogate pairs in
LLM-generated review rationale text, rendering broken U+FFFD in
exec approval UI payloads.

Replace raw slice(0, 500) with truncateUtf16Safe.

* fix(agents): keep exec reviewer rationale and prompt template description truncation UTF-16 safe

String.prototype.slice can split surrogate pairs at truncation boundaries,
producing broken U+FFFD in both exec approval rationale (500 chars) and
session prompt-template descriptions (60 chars).

Replace raw slice with truncateUtf16Safe in both locations.

* test(exec): cover UTF-16-safe reviewer rationale

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 12:04:19 +01:00
lsr911
78f9449d73 fix(channels): use truncateUtf16Safe for thread binding name truncation (#101527)
* fix(channels): use truncateUtf16Safe for thread binding name truncation

Raw .slice(0, 100) on emoji-labelled agent names can split a
surrogate pair, producing U+FFFD replacement characters in native
channel thread names.  Use truncateUtf16Safe instead.

Co-Authored-By: Claude <noreply@anthropic.com>

* test(channels): cover UTF-16-safe thread names

* refactor(channels): keep thread binding import leaf-only

* refactor(channels): keep thread binding import leaf-only

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 12:03:24 +01:00
Peter Steinberger
454fccd784 fix(browser): keep screenshots private by default (#101434)
* fix(browser): keep screenshots private by default

* fix(browser): preserve screenshot share handles

* fix(browser): stage explicit screenshot shares

* test(browser): avoid screenshot share temp files
2026-07-07 11:56:49 +01:00
Momo
695fa4e112 fix(infra): handle detached respawn child errors (#101489)
* fix(infra): handle detached respawn child errors

* docs(infra): explain detached respawn error listener

* fix(infra): handle detached respawn child errors

* fix(infra): handle detached respawn child errors

---------

Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
2026-07-07 03:51:55 -07:00
NianJiu
040ac31546 fix: route direct outbound polls through channel adapters (#99950)
* fix: route direct outbound polls through channel adapters

* docs: note direct poll delivery

* test: isolate direct poll formatter label

---------

Co-authored-by: NianJiuZst <180004567+NianJiuZst@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 11:46:26 +01:00
wm0018
5511b6fcaf fix(status): keep issue message truncation UTF-16 safe (#101503)
* fix(status): keep issue message truncation UTF-16 safe

String.prototype.slice at offset 90 can split surrogate pairs in issue
titles displayed by `openclaw status --all`, rendering broken U+FFFD in
the channel issues column.

Replace raw slice(0, 90) with truncateUtf16Safe to match the existing
UTF-16-safe truncation hardening pattern.

Fixes #???

* test(status): cover UTF-16-safe issue rendering

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 11:45:36 +01:00
Peter Steinberger
942b449661 fix(exec): keep pending approval warnings truthful (#101561)
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-07 11:30:41 +01:00