assertNotRoot only checked process.getuid(), so the guard was bypassed
when the CLI was launched with a non-root real UID but an effective UID
of 0 (e.g. via a setuid-root wrapper). In that context the process still
has root write privileges and can cause the same state/config corruption
the guard was added to prevent.
Now checks both getuid() and geteuid() — either being 0 triggers the
guard. Added three tests covering setuid-root scenarios.
OPENCLAW_CLI_CONTAINER_BYPASS alone is an internal recursion sentinel,
not a user-facing opt-in. Require OPENCLAW_CONTAINER_HINT to also be
present — this combination only occurs in the container-forwarding flow
(container-target.ts), so inherited or accidental env vars can no
longer silently skip the root guard.
The container forwarder sets OPENCLAW_CLI_CONTAINER_BYPASS=1 but not
OPENCLAW_ALLOW_ROOT. When the child CLI inside a root-based container
hits assertNotRoot(), it would exit before command handling. Exempt
container-forwarded invocations from the root guard.
Replace dynamic import helper with a static import since root-guard.ts
has no module-level mutable state and vi.resetModules() is not used,
making the dynamic import unnecessary.
Block openclaw CLI from running as root (uid 0) to prevent:
- Separate state directory at /root/.openclaw/
- Conflicting systemd user services racing on port 18789
- Root-owned files in the service user state dir (EACCES)
The guard runs early in src/entry.ts before any state/config operations.
Root-level --help and --version bypass the guard so users can discover
the OPENCLAW_ALLOW_ROOT=1 override. Subcommand help paths still enforce
the guard since they enter runCli() and resolve state directories.
Closes#67478
Add an owned Kysely dialect for native node:sqlite, raise the Node 22 floor to 22.16+ for StatementSync.columns(), and cover select/returning/stale insert id behavior.
* feat(channels list): drop auth providers, add --all, surface installed/configured/enabled
`openclaw channels list` used to conflate two very different surfaces: chat
channels and OAuth/API-key auth providers for model routing. The auth
section was the first and most visible block in the output even for
operators who only cared about chat channels, and its JSON `auth` key
leaked model-provider identities into a command whose top-level help
describes it as channel management. Worse, the command silently hid
every channel that had no configured account, so users could not tell
from `channels list` which bundled or catalog channels were even
available to configure.
Split the surface cleanly around channels only:
1. Remove the `Auth providers (OAuth + API keys)` text section and the
`auth` field from the JSON payload. Model-provider auth profiles
remain reachable via `openclaw models auth list`, which is where
they conceptually belong.
2. Add a `--all` flag to surface every channel an operator could
configure: bundled channel plugins that have no account yet and
catalog-listed external channels whose plugin package is not even
installed on disk. Without `--all` the output still shows only
channels with at least one configured account, matching the
previous default behavior so existing scripts keep working. The
"empty" default path now prints a hint pointing at `--all`.
3. Render three explicit status tags per row — `installed` /
`not installed`, `configured` / `not configured`, `enabled` /
`disabled` — so bundled-but-unconfigured plugins and installable
catalog channels both render with accurate state instead of being
invisible. Installed state comes from the same
`isCatalogChannelInstalled` probe the setup flow uses, so it stays
consistent with `openclaw onboard` and `channels add`.
4. JSON payload now carries an `origin` per channel (`configured`,
`available`, `installable`) alongside `installed: boolean`, which
lets tooling distinguish "user has set this up" from "user could
set this up" without second-guessing.
Register `--all` on both the Commander CLI and the fast-path route-arg
parser so the flag works in both code paths, update the one routes
test that asserted the parsed args shape, and rewrite the old auth
profiles surface test as a broader `channels list` behavior spec
covering default output, `--all` output, JSON shape (no `auth`), and
the bundled-unconfigured + catalog-not-installed cases.
Docs: call out that `channels list` is chat-channel only now, mention
`--all`, and point at `openclaw models auth list` for what used to be
the auth providers block.
* fix(channels list): surface catalog channels that are installed on disk but not yet configured
The previous `--all` path filtered catalog entries with
`!installedByChannelId.get(entry.id)` before rendering them as
catalog-only rows. That assumed "catalog entry not already rendered
as a plugin row" implied "not installed", which is wrong: an external
channel plugin package can be installed on disk (`isCatalogChannelInstalled`
returns true) while the read-only channel loader still declines to
surface a plugin object for it — the loader only activates channels
that appear in user config, so a plugin that is installed but never
configured ended up in neither bucket and silently dropped out of
`channels list --all`.
Operator-facing symptom: `pnpm openclaw channels list --all` omitted
WeCom (and any other catalog channel in the same state) even though
its npm package was present on disk and its catalog entry existed,
while rendering every other uninstalled catalog channel as expected.
Fix: drop the `installed` filter from `catalogOnlyLines` so every
catalog entry that is not already represented by a plugin row is
rendered, and let the row itself carry the real installed/not-installed
tag. Two renderings now land in the catalog-only bucket:
- Not installed — rendered as `not installed, not configured, disabled`
(installable row).
- Installed but unconfigured — rendered as `installed, not configured,
disabled` (ready-to-configure row). The JSON `origin` for this case
becomes `available`, matching the existing origin for bundled
plugins that are installed but unconfigured, so downstream tooling
sees a consistent "you could configure this now" signal regardless
of whether the plugin came from bundled sources or from the catalog.
Regression test added under the WeCom scenario.
* refactor(channels list): drop model-provider usage surface, make the command channel-only
`openclaw channels list` used to append a model-provider usage/quota
snapshot (Anthropic, OpenRouter, OpenAI Codex, Gemini, Zai, Minimax,
etc.) under every invocation. That was a leftover from the days when
`channels list` was the only "operator overview" command; the same
data is now owned by `openclaw status` (overview) and
`openclaw models list` (per-provider), which handle timeouts, probe
errors, and output shape consistently for that class of data. Keeping
the snapshot wired into `channels list` meant:
- Every default invocation made one blocking `loadProviderUsageSummary`
call that fanned out to every configured provider billing/auth
endpoint, adding seconds of latency to a command that otherwise
just reads local config.
- `channels list --no-usage` was the escape hatch, but the flag was
itself a self-sustaining bug: it only existed because the command
did work that did not belong to it.
- JSON consumers had an optional `usage` key whose shape was owned by
the provider-usage module, not by the channels module, so any
change upstream silently reshaped `channels list --json` output.
- Failed provider fetches printed provider-side errors on a command
that never advertised itself as a provider-health surface.
Scope this PR tightens, in one move:
1. Remove `loadProviderUsageSummary` / `formatUsageReportLines` usage
from `src/commands/channels/list.ts`. The command now only reads
config, the read-only channel plugin registry, and the trusted
catalog — matching its name.
2. Drop `--no-usage` from the Commander CLI registration, from the
fast-path route-arg parser (`parseChannelsListRouteArgs`), and
from `ChannelsListOptions`. The flag is gone, not silently
ignored, so anyone depending on it will get a clear
"unknown option" from Commander and from the fast-path router.
3. Drop the `usage` key from `channels list --json` payloads. Shape
of the `chat` record and the new `origin` / `installed` tags
introduced earlier in this branch are unchanged.
4. Print a single-line migration pointer at the bottom of the text
output so operators who expected usage know where it went
(`openclaw status` / `openclaw models list`). This replaces what
used to be a block of fetched provider data with one static line,
so it cannot fail or add latency.
5. Update `docs/cli/channels.md` troubleshooting to remove the
`--no-usage` mention and point at the two new entry points.
6. Update tests: drop the `loadProviderUsageSummary` mock and the
`"keeps JSON output valid when usage loading fails"` case,
replace it with a positive assertion that `payload.usage` is
undefined (locking in the narrower contract), and remove `usage`
from every `channelsListCommand(...)` call to match the narrowed
`ChannelsListOptions` type. The route-args test is updated to
expect `{ json, all }` without `usage`.
No other command changes. `openclaw status` and `openclaw models list`
already render usage; they are the documented replacements.
Breaking-ish surface:
- CLI: `channels list --no-usage` now fails with "unknown option".
Tooling should drop the flag — there is nothing left to opt out of.
- JSON: `channels list --json` no longer carries a top-level `usage`
key. Tooling that read it must migrate to
`openclaw status --json` or `openclaw models list --json`.
* fix(channels.list.test): widen isCatalogChannelInstalled mock signature to accept entry param
CI typecheck failed because the mock was declared with a zero-arg signature while one test called mockImplementation(({ entry }) => …). Tighten the generic so vitest's mock accepts the same params the real helper does.
* changelog: record channels list channel-only rework (#78456)
* feat(cron): add computed status field to --json output
`openclaw cron list --json` and `openclaw cron show <id> --json` now
include a top-level `status` field on each job object, computed from
enabled + state.runningAtMs + state.lastRunStatus.
Values: "disabled" | "running" | "ok" | "error" | "skipped" | "idle"
This matches the human-readable status column already shown by
`cron list` and `cron show` (without --json), making it easier for
external tooling (dashboards, ops gateways) to determine job state
without re-implementing the derivation logic.
The raw state object is preserved unchanged for backward compatibility.
* fix: preserve lastStatus fallback + add changelog entry
Address ClawSweeper review findings:
- P2: Fall back to deprecated state.lastStatus when lastRunStatus is
absent, matching the existing formatStatus behavior for legacy jobs.
- P3: Add CHANGELOG.md entry under Unreleased for this user-facing
CLI feature.
* fix: address lint errors - add braces and avoid spread-in-map
---------
Co-authored-by: Rodin <rodin@forgedthought.ai>
Co-authored-by: claw <claw@weiker.me>
Summary:
- Add explicit sessions cleanup --fix-dm-scope handling for stale direct-DM rows after session.dmScope returns to main.
- Preserve removed-row transcripts as deleted archives and expose the option through CLI, Gateway RPC, protocol schema, generated Swift mirrors, docs, tests, and changelog.
- Fixes#47561 and #45554.
Verification:
- pnpm exec oxfmt --check --threads=1 CHANGELOG.md docs/cli/sessions.md docs/concepts/session.md src/config/sessions/cleanup-service.ts src/commands/sessions-cleanup.ts src/cli/program/register.status-health-sessions.ts src/gateway/protocol/schema/sessions.ts src/gateway/server-methods/sessions.ts src/config/sessions/store.pruning.integration.test.ts src/commands/sessions-cleanup.test.ts src/cli/program/register.status-health-sessions.test.ts
- git diff --check origin/main...HEAD
- pnpm protocol:check
- pnpm exec oxlint src/config/sessions/cleanup-service.ts src/commands/sessions-cleanup.ts src/cli/program/register.status-health-sessions.ts src/gateway/protocol/schema/sessions.ts src/gateway/server-methods/sessions.ts src/config/sessions/store.pruning.integration.test.ts src/commands/sessions-cleanup.test.ts src/cli/program/register.status-health-sessions.test.ts
- pnpm test src/config/sessions/store.pruning.integration.test.ts src/commands/sessions-cleanup.test.ts src/cli/program/register.status-health-sessions.test.ts src/gateway/server.sessions.store-rpc.test.ts
- pnpm changed:lanes --json
Security:
- No new network, credential, process execution, dependency, or permission surface. Cleanup is explicit operator-invoked local session-store repair.
CI note:
- Exact-head CI failures match current main at 2e78fc57af in unrelated extensions/codex and extensions/microsoft-foundry type checks, outside this PR diff. No required checks are reported for this branch.
* fix infer model run codex instructions
* docs changelog for codex model probe fix
* fix codex model probe instructions only
* docs: note codex model probe instruction shim
* chore: rerun proof gate
---------
Co-authored-by: Le LI <leli@LedeMacBook-Air.local>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
* fix(plugins): sync official npm installs during update
* fix(plugins): sync official clawhub installs during update
* test(update): mock official plugin sync helpers
---------
Co-authored-by: Patrick Erichsen <patrick.a.erichsen@gmail.com>
Summary:
- This PR adds optional `agentId` filtering to `cron.list`, auto-fills it for agent tool calls, exposes `openclaw cron list --agent`, updates generated protocol clients, docs, changelog, tests, and prompt fixtures.
- Reproducibility: yes. The motivating behavior is source-reproducible on current main because cron tool, CLI, ... e list paths do not accept or apply `agentId`; the PR diff adds that path with focused regression coverage.
Automerge notes:
- Ran the ClawSweeper repair loop before final review.
- Included post-review commit in the final squash: chore: regenerate protocol schema after adding agentId to CronListParams
- Included post-review commit in the final squash: feat(cron): add agentId filtering to cron list
Validation:
- ClawSweeper review passed for head 35b692bc97.
- Required merge gates passed before the squash merge.
Prepared head SHA: 35b692bc97
Review: https://github.com/openclaw/openclaw/pull/77602#issuecomment-4375631700
Co-authored-by: zhanggttry <zhanggttry@163.com>
Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
