Josh Avant
36d2ae2a22
SecretRef: harden custom/provider secret persistence and reuse ( #42554 )
...
* Models: gate custom provider keys by usable secret semantics
* Config: project runtime writes onto source snapshot
* Models: prevent stale apiKey preservation for marker-managed providers
* Runner: strip SecretRef marker headers from resolved models
* Secrets: scan active agent models.json path in audit
* Config: guard runtime-source projection for unrelated configs
* Extensions: fix onboarding type errors in CI
* Tests: align setup helper account-enabled expectation
* Secrets audit: harden models.json file reads
* fix: harden SecretRef custom/provider secret persistence (#42554 ) (thanks @joshavant)
2026-03-10 23:55:10 +00:00
Peter Steinberger
20237358d9
refactor: clarify archive staging intent
2026-03-10 23:54:12 +00:00
Peter Steinberger
0bac47de51
refactor: split tar.bz2 extraction helpers
2026-03-10 23:53:32 +00:00
Peter Steinberger
9c64508822
refactor: rename tar archive preflight checker
2026-03-10 23:52:51 +00:00
Peter Steinberger
6565ae1857
refactor: extract archive staging helpers
2026-03-10 23:52:31 +00:00
Peter Steinberger
658cf4bd94
fix: harden archive extraction destinations
2026-03-10 23:49:35 +00:00
Josh Avant
fbc66324ee
SecretRef: harden custom/provider secret persistence and reuse ( #42554 )
...
* Models: gate custom provider keys by usable secret semantics
* Config: project runtime writes onto source snapshot
* Models: prevent stale apiKey preservation for marker-managed providers
* Runner: strip SecretRef marker headers from resolved models
* Secrets: scan active agent models.json path in audit
* Config: guard runtime-source projection for unrelated configs
* Extensions: fix onboarding type errors in CI
* Tests: align setup helper account-enabled expectation
* Secrets audit: harden models.json file reads
* fix: harden SecretRef custom/provider secret persistence (#42554 ) (thanks @joshavant)
2026-03-10 18:46:47 -05:00
Peter Steinberger
201420a7ee
fix: harden secret-file readers
2026-03-10 23:40:10 +00:00
Peter Steinberger
208fb1aa35
test: share runtime group policy fallback cases
2026-03-10 22:20:19 +00:00
Peter Steinberger
344b2286aa
refactor: share windows command shim resolution
2026-03-10 22:18:04 +00:00
Peter Steinberger
1df78202b9
refactor: share approval gateway client setup
2026-03-10 22:18:04 +00:00
Peter Steinberger
bc1cc2e50f
refactor: share telegram payload send flow
2026-03-10 22:18:04 +00:00
Peter Steinberger
a455c0cc3d
refactor: share passive account lifecycle helpers
2026-03-10 22:18:04 +00:00
Peter Steinberger
50ded5052f
refactor: share channel config schema fragments
2026-03-10 22:18:04 +00:00
Peter Steinberger
4a8e039a5f
refactor: share channel config security scaffolding
2026-03-10 22:18:04 +00:00
Peter Steinberger
725958c66f
refactor: share onboarding secret prompt flows
2026-03-10 22:18:03 +00:00
Peter Steinberger
00170f8e1a
refactor: share scoped account config patching
2026-03-10 22:18:03 +00:00
David Guttman
b517dc089a
feat(discord): add autoArchiveDuration config option ( #35065 )
...
* feat(discord): add autoArchiveDuration config option
Add config option to control auto-archive duration for auto-created threads:
- autoArchiveDuration: 60 (default), 1440, 4320, or 10080
- Sets archive duration in minutes (1hr/1day/3days/1week)
- Accepts both string and numeric values
- Discord's default was 60 minutes (hardcoded)
Example config:
```yaml
channels:
discord:
guilds:
GUILD_ID:
channels:
CHANNEL_ID:
autoThread: true
autoArchiveDuration: 10080 # 1 week
```
* feat(discord): add autoArchiveDuration changelog entry (#35065 ) (thanks @davidguttman)
---------
Co-authored-by: Onur <onur@textcortex.com >
2026-03-10 23:13:24 +01:00
Josh Avant
a76e810193
fix(gateway): harden token fallback/reconnect behavior and docs ( #42507 )
...
* fix(gateway): harden token fallback and auth reconnect handling
* docs(gateway): clarify auth retry and token-drift recovery
* fix(gateway): tighten auth reconnect gating across clients
* fix: harden gateway token retry (#42507 ) (thanks @joshavant)
2026-03-10 17:05:57 -05:00
Rodrigo Uroz
ff2e7a2945
fix(acp): strip provider auth env for child ACP processes (openclaw#42250)
...
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini
Co-authored-by: rodrigouroz <384037+rodrigouroz@users.noreply.github.com >
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com >
2026-03-10 16:50:10 -05:00
Matt Van Horn
5ed96da990
fix(browser): surface 429 rate limit errors with actionable hints ( #40491 )
...
Merged via squash.
Prepared head SHA: 13839c2dbd455140+mvanhorn@users.noreply.github.com >
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com >
Reviewed-by: @altaywtf
2026-03-11 00:49:31 +03:00
Pejman Pour-Moezzi
7c76acafd6
fix(acp): scope cancellation and event routing by runId ( #41331 )
2026-03-10 22:37:21 +01:00
Onur
c00117aff2
docs: require codex review in contributing guide ( #42503 )
2026-03-10 22:15:00 +01:00
PonyX-lab
53374394fb
Fix stale runtime model reuse on session reset ( #41173 )
...
Merged via squash.
Prepared head SHA: d8a04a466a266766228+PonyX-lab@users.noreply.github.com >
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com >
Reviewed-by: @jalehman
2026-03-10 14:02:43 -07:00
Shadow
0c17e7c225
docs: document r: spam auto-close label
2026-03-10 16:00:34 -05:00
Shadow
b16ee34c34
fix(ci): auto-close and lock r: spam items
2026-03-10 15:58:24 -05:00
David Guttman
9f5dee32f6
fix(acp): implicit streamToParent for mode=run without thread ( #42404 )
...
* fix(acp): implicit streamToParent for mode=run without thread
When spawning ACP sessions with mode=run and no thread binding,
automatically route output to parent session instead of Discord.
This enables agent-to-agent supervision patterns where the spawning
agent wants results returned programmatically, not posted as chat.
The change makes sessions_spawn with runtime=acp and thread=false
behave like direct acpx invocation - output goes to the spawning
session, not to Discord.
Fixes the issue where mode=run without thread still posted to Discord
because hasDeliveryTarget was true when called from a Discord context.
* fix: use resolved spawnMode instead of params.mode
Move implicit streamToParent check to after resolveSpawnMode so that
both explicit mode="run" and omitted mode (which defaults to "run"
when thread is false) correctly trigger parent routing.
This fixes the issue where callers that rely on default mode selection
would not get the intended parent streaming behavior.
* fix: tighten implicit ACP parent relay gating (#42404 ) (thanks @davidguttman)
---------
Co-authored-by: Onur Solmaz <2453968+osolmaz@users.noreply.github.com >
2026-03-10 21:42:15 +01:00
Peter Steinberger
f209a9be80
test: extract sendpayload outbound contract suite
2026-03-10 20:35:03 +00:00
Peter Steinberger
158a3b49a7
test: deduplicate cli option collision fixtures
2026-03-10 20:34:54 +00:00
Peter Steinberger
283570de4d
fix: normalize stale openai completions transport
2026-03-10 20:23:03 +00:00
Peter Steinberger
0976317f96
test: deduplicate diffs extension fixtures
2026-03-10 20:22:56 +00:00
Peter Steinberger
23cd997526
fix: make install smoke docker-driver safe
2026-03-10 20:02:26 +00:00
Peter Steinberger
6d4241cbd9
fix: wire modelstudio env discovery ( #40634 ) (thanks @pomelo-nwu)
2026-03-10 19:58:43 +00:00
pomelo-nwu
95eaa08781
refactor: rename bailian to modelstudio and fix review issues
...
- Rename provider ID, constants, functions, CLI flags, and types from
"bailian" to "modelstudio" to match the official English name
"Alibaba Cloud Model Studio".
- Fix P2 bug: global endpoint variant now always overwrites baseUrl
instead of silently preserving a stale CN URL.
- Fix P1 bug: add modelstudio entry to PROVIDER_ENV_VARS so
secret-input-mode=ref no longer throws.
- Move Model Studio imports to top of onboard-auth.config-core.ts.
- Remove unused BAILIAN_BASE_URL export.
Made-with: Cursor
2026-03-10 19:58:43 +00:00
pomelo-nwu
77a35025e8
feat: integrate Alibaba Bailian Coding Plan into onboarding wizard
2026-03-10 19:58:43 +00:00
Nimrod Gutman
c2e41c57c9
fix(ios): make pairing instructions generic
2026-03-10 21:44:00 +02:00
Nimrod Gutman
6bcf89b09b
feat(ios): refresh home canvas toolbar
2026-03-10 21:44:00 +02:00
Mariano Belinky
67746a12de
iOS: add welcome home canvas
2026-03-10 21:44:00 +02:00
Onur
8ba1b6eff1
ci: add npm release workflow and CalVer checks ( #42414 ) (thanks @onutc)
2026-03-10 20:09:25 +01:00
Altay
0ff184397d
docs(telegram): clarify group and sender allowlists ( #42451 )
...
Merged via squash.
Prepared head SHA: f30cacafb39790196+altaywtf@users.noreply.github.com >
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com >
Reviewed-by: @altaywtf
2026-03-10 21:56:30 +03:00
Josh Avant
b205de6154
Docs: add changelog entry for SecretRef traversal ( #42455 )
2026-03-10 13:52:50 -05:00
Josh Avant
d30dc28b8c
Secrets: reject exec SecretRef traversal ids across schema/runtime/gateway ( #42370 )
...
* Secrets: harden exec SecretRef validation and reload LKG coverage
* Tests: harden exec fast-exit stdin regression case
* Tests: align lifecycle daemon test formatting with oxfmt 0.36
2026-03-10 13:45:37 -05:00
Josh Avant
0687e04760
fix: thread runtime config through Discord/Telegram sends ( #42352 ) (thanks @joshavant) ( #42352 )
2026-03-10 13:30:57 -05:00
Yufeng He
c2d9386796
fix: log auth profile resolution failures instead of swallowing silently ( #41271 )
...
Merged via squash.
Prepared head SHA: 049d1e119a40085740+he-yufeng@users.noreply.github.com >
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com >
Reviewed-by: @altaywtf
2026-03-10 20:38:49 +03:00
JiangNan
e9e8b81939
fix(failover): classify Gemini MALFORMED_RESPONSE as retryable timeout ( #42292 )
...
Merged via squash.
Prepared head SHA: 68f106ff4912096460+jnMetaCode@users.noreply.github.com >
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com >
Reviewed-by: @altaywtf
2026-03-10 20:34:32 +03:00
jiarung
bc9b35d6ce
fix(logging): include model and provider in overload/error log ( #41236 )
...
Merged via squash.
Prepared head SHA: bb16fecbf716461359+jiarung@users.noreply.github.com >
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com >
Reviewed-by: @altaywtf
2026-03-10 20:32:14 +03:00
Ayaan Zaidi
3b582f1d54
fix(telegram): chunk long html outbound messages ( #42240 )
...
Merged via squash.
Prepared head SHA: 4d79c41ddf22031114+obviyus@users.noreply.github.com >
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com >
Reviewed-by: @obviyus
2026-03-10 22:53:04 +05:30
CryUshio
8bf64f219a
fix: recognize Poe 402 'used up your points' as billing for fallback ( #42278 )
...
Merged via squash.
Prepared head SHA: f3cdfa76dd30655354+CryUshio@users.noreply.github.com >
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com >
Reviewed-by: @altaywtf
2026-03-10 20:17:36 +03:00
Pejman Pour-Moezzi
466cc816a8
docs(acp): document resumeSessionId for session resume ( #42280 )
...
* docs(acp): document resumeSessionId for session resume
* docs: clarify ACP resumeSessionId thread/mode behavior (#42280 ) (thanks @pejmanjohn)
---------
Co-authored-by: Onur <onur@textcortex.com >
2026-03-10 18:06:09 +01:00
sline
bfeea5d23f
fix(agents): prevent /v1beta duplication in Gemini PDF URL ( #34369 )
...
Strip trailing /v1beta from baseUrl before appending the version
segment, so callers that already include /v1beta in their base URL
(e.g. subagent-registry) no longer produce /v1beta/v1beta/models/…
which results in a 404 from the Gemini API.
Closes #34312
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-10 12:52:49 -04:00
