Commit Graph

15644 Commits

Author SHA1 Message Date
Peter Steinberger
4249cdb8fe fix(discord): keep slash commands deployed at the application limit (#105280)
* fix(discord): reconcile commands at the application cap

* docs(changelog): note Discord command cap fix

* chore: keep release changelog unchanged

* fix(discord): narrow command deployment errors
2026-07-12 11:37:29 +01:00
Vincent Koc
2148c3bf7e fix(active-memory): restore SQLite recall sessions (#105255)
* fix(qa): seed memory scenarios through SQLite

* fix(active-memory): initialize SQLite recall sessions

* test(active-memory): model missing harness reservation

* fix(active-memory): clean up transient recall sessions

* fix(active-memory): isolate concurrent recall sessions

* fix(active-memory): discard transient SQLite recalls

* fix(active-memory): preserve transient recall boundaries

* fix(active-memory): retry transient recall cleanup

* fix(active-memory): always clean transient recall workspaces

* chore: drop release-owned changelog entry
2026-07-12 18:29:23 +08:00
Vincent Koc
4d8b201371 refactor(plugins): remove dead channel helpers (#105276) 2026-07-12 18:21:11 +08:00
Peter Steinberger
0350b87f06 test(ci): repair plugin prerelease contracts (#105272)
* test(ci): repair plugin prerelease contracts

* docs(agents): clarify stale Testbox recovery

* docs(agents): require Bash for Testbox compounds
2026-07-12 11:13:08 +01:00
Peter Steinberger
a824078101 fix(channels): tombstone corrupt ingress rows (#105259)
* fix(infra): guard channel ingress queue parseJson against corrupted JSON

* fix(infra): fix type assertion in ingress queue test

* fix(infra): use tagged parse result and validate payload before claiming

* fix(infra): remove unnecessary non-null assertion in ingress queue test

* fix(infra): scan corrupt ingress rows in claimNext

* test(gateway): avoid typed empty mock call tuple access

* fix(infra): tombstone corrupt ingress rows on duplicate enqueue and stale recovery

Two P1 gaps: enqueue() threw on duplicate when the existing row had corrupt
payload_json, and recoverStaleClaims() silently skipped corrupt claimed rows,
leaving them invisible to recovery. Both paths now tombstone the unrecoverable
row as failed with reason "corrupt_payload" and return a proper result.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(infra): resolve lint shadow and await-thenable in recoverStaleClaims

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(channels): tombstone corrupt ingress rows

* test(channels): use explicit placeholder claim tokens

* refactor(channels): name claim token values

* refactor(channels): keep claim projection direct

* fix(channels): preserve active ingress claims

* fix(channels): make corrupt recovery policy-aware

* refactor(channels): name corrupt claim token

* fix(channels): bound corrupt ingress reconciliation

* fix(channels): paginate pending ingress by key

* refactor(telegram): return live owner check directly

* build(plugin-sdk): refresh public export budget

---------

Co-authored-by: Pick-cat <huang.ting3@xydigit.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-07-12 11:09:52 +01:00
Peter Steinberger
1999935108 fix(config): restore canonical flat streaming-key resolution and preserve discord preview mode in doctor migration (#105054)
* fix(config): keep flat streaming keys resolving for canonical-flat channels and pin discord preview default in doctor migration

* fix(discord): pin inherited streaming mode for account alias migration and align core streaming test
2026-07-12 11:00:24 +01:00
Peter Steinberger
566043eb54 feat(tooling): enforce noUncheckedIndexedAccess from the base tsconfig (NUIA endgame) (#105239)
* feat(tooling): enforce noUncheckedIndexedAccess from the base tsconfig

Completes #104600: the flag moves to tsconfig.json, the five per-lane
copies are removed, and test lanes carry one documented opt-out at their
shared parent (the ~4,400 fixture-indexing sites are a tracked
lane-by-lane follow-up). Any future lane inherits the flag by default.
Synthetic probes verify src rejects unchecked reads while test files
compile; all nine lane commands green.

* fix(memory-core): give the batch-call sort a defined element type

Type-aware lint analyzes test files under the base flag (its tsconfig
extends the root, not the test parent), so the widened call[0] made the
bare toSorted() fire require-array-sort-compare.
2026-07-12 10:57:26 +01:00
Peter Steinberger
5b56a1f664 feat(gateway): land remaining durable-approvals stack and repair main gates (#104837)
* feat(gateway): propagate approvals to ancestor sessions with replay

Squash-rebased #103921 segment onto the native-clients tip on current main.
Session-scoped approval events publish sanitized pending/terminal
transitions to opted-in session audiences, with authoritative pending
replay on stream subscribe and durable-expiry reconciliation through the
owning manager. SessionApprovalEvent/Replay wire types export from the
approvals owner module; Swift models regenerated.

(cherry picked from commit 2d1dcf9747044710111d0c730fc46ba6013a165c)
(cherry picked from commit ccf88efd56b513d07599ffcee997bf0cddaf9adc)
(cherry picked from commit 8eb33f59f00ec9ee4625259b76bd7ae60d2cd480)
(cherry picked from commit c297cbc93c8401e9c79c20f242245a194f5dd236)
(cherry picked from commit 93d68f28601ff37d863da4db009504993a22533a)
(cherry picked from commit d285ccd8b2f212bb57e814107e7709c896e96b7d)
(cherry picked from commit 5c536982231402b1b58d1683794ea9948b32d077)
(cherry picked from commit 1646e5b6dc4dd20de54e10f110a5909be18d7d50)
(cherry picked from commit 35cf1b705b247fb282f4d56ffe74bd2fb238221f)
(cherry picked from commit 4f8ef3699d)
(cherry picked from commit 74fbdcc99d5fff062d67760a51dba4ee9e84479b)
(cherry picked from commit 222b285502681d2be14b1819798e9ee5555f431e)
(cherry picked from commit b9e744951f676b600e7c5322bfd04b0e99797c07)
(cherry picked from commit 9e904efde5)
(cherry picked from commit 678f2384fa)
(cherry picked from commit 72842e5cf6)
(cherry picked from commit be74c25e80e84a1f065053766f23efb84822e811)
(cherry picked from commit 93ba8c4b09)
(cherry picked from commit 8f23761372)

* feat(gateway): fail-closed plugin and tool approval gates

Squash-rebased #103932 segment onto the ancestor-propagation tip on
current main. Plugin node.invoke approvals claim a one-shot allow-once
decision before handing execution authority to the policy, so observation
or retry cannot replay a consumed approval; sibling tool gates bind
approval ids to their originating reviewer identity.

(cherry picked from commit 122df0d75281f572c012b6484ed5daf085d1d577)
(cherry picked from commit f23d8ac240a8dcf2a42c4daaae962263975a0ae8)
(cherry picked from commit 8632fb6436a224dac7a9a9ef0216884530de2c24)
(cherry picked from commit d9fe2dd5c53665e5732f5f3da5ed1907a686ade8)
(cherry picked from commit bb139f2c8aa36ddad70413e1ef79ff491a6f2ecd)
(cherry picked from commit 9b3e056b68ea515c7d4baef269289b6670570480)
(cherry picked from commit b11e66b59a7af1f3b08712de06864aed64d349e4)
(cherry picked from commit a12916ee592d03dfa35e86a2aaede4476a5d4e5d)
(cherry picked from commit d699de840fc8346892b9ae244fe3c3e8c4413032)
(cherry picked from commit 9b7e5a9608)
(cherry picked from commit 4b507593f1b2f10b4496984c84a2803b853e5c5e)
(cherry picked from commit 56408a186733c4eeb5aa76bd5907cde7b0cd3d5b)
(cherry picked from commit a4051d6d8353d39d6fa0b5d69c36e06c3cd3e796)
(cherry picked from commit 76829805a7)
(cherry picked from commit a8b493f934)
(cherry picked from commit aceb990597)
(cherry picked from commit a29b0e75482470c53a9fb4fe3f204e14cf71868f)
(cherry picked from commit 2e3be08653)
(cherry picked from commit c9ae3d7202)

* fix: main-gate repairs for the durable-approvals stack

- android: capture createdAtMs on the pending exec-approval write at
  registration; canonical readback after a refresh that already replaced
  the visible rows was dropping the approval instead of surfacing the
  still-pending reconciliation message (#104913 merged without this)
- android: generous CI timeout ceilings in GatewayExecApprovalRuntimeTest
- agents: hermetic model-discovery test via the plugins/provider-runtime
  boundary (lazy plugin-runtime resolution hangs vitest workers since #104770)
- cli: usage-cost settle-budget test asserts the budget bound on every call
  instead of pinning the poll count (fast hosts fit a second poll in 50ms)
- protocol coverage: allowlist session.approval for ios/android (native
  review rides exec.approval push/nudge delivery)
- docs map, native i18n inventory, plugin-sdk api baseline regenerated
2026-07-12 10:51:38 +01:00
Peter Steinberger
ce562c3511 test(openai): align prerelease contracts (#105256) 2026-07-12 10:49:48 +01:00
Peter Steinberger
dad278a89d test(telegram): align prerelease contracts (#105253) 2026-07-12 10:45:14 +01:00
Peter Steinberger
7a4cfa3764 test(matrix): isolate approval reaction runtime (#105251) 2026-07-12 10:43:00 +01:00
Peter Steinberger
b02d276bbc test(slack): align prerelease contracts (#105214)
* test(slack): align prerelease contracts

* docs(agents): note review artifact enums

* style(slack): format prerelease test
2026-07-12 10:23:47 +01:00
Peter Steinberger
7c954849e6 fix(google-meet): use strong caption epochs (#105221) 2026-07-12 10:20:50 +01:00
Peter Steinberger
de4d4079ad fix(browser): make ref uploads request-owned (#105151)
* fix(browser): make ref uploads request-owned

* style(browser): satisfy upload owner const lint
2026-07-12 10:19:19 +01:00
Coy Geek
3ac83ddfca fix: Canvas WebSocket creation in browser context silently swallows... (#82505)
* fix(canvas): report live reload websocket errors

Surface WebSocket initialization failures from the injected canvas live reload client through console diagnostics, DOM attributes, and a browser event instead of silently swallowing them.

* refactor(canvas): keep reload diagnostics console-only

* fix(canvas): distinguish page teardown from socket failure

* style(canvas): brace pagehide listener

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-12 10:13:04 +01:00
Peter Steinberger
4983594867 test(browser): align snapshot contract fixtures (#105210) 2026-07-12 10:12:47 +01:00
Peter Steinberger
1793c67ae1 test(browser): repair pw-ai page fixture (#105172) 2026-07-12 09:47:10 +01:00
Peter Steinberger
204d2b176a refactor(agents): compress model prompts and tool instructions (#105095)
* refactor(agents): compress model prompt instructions

* test(agents): align compact prompt assertions

* test(gateway): align compact message prompt assertion

* chore(plugin-sdk): refresh prompt overlay API baseline

* docs(changelog): note prompt instruction compaction

* test(agents): align compact prompt contracts

* test(agents): align CLI prompt contracts

* style(agents): format CLI prompt tests

* fix(qa): prioritize shadow trial workflow

* test(agents): refresh rebased prompt snapshots
2026-07-12 09:45:30 +01:00
Peter Steinberger
18eb472f82 fix(gradium): restrict TTS credential egress (#105169)
* fix(gradium): restrict TTS base URL before sending API keys

* fix(gradium): pin credential egress hostname

* docs(changelog): note Gradium credential guard

* docs(changelog): note Gradium credential guard

---------

Co-authored-by: 张贵萍0668001030 <zhang.guiping@xydigit.com>
2026-07-12 09:43:22 +01:00
pick-cat
1710ccad29 fix(tlon): cap SSE payload JSON.parse at 16 MiB to prevent OOM (#101274)
* fix(tlon): cap SSE payload JSON.parse at 16 MiB to prevent OOM

* fix(tlon): cap SSE stream buffer and JSON.parse at 16 MiB to prevent OOM

* chore(tlon): add production-style SSE bounded proof script (#101274)

Adds extensions/tlon/proof-sse-bounded.mts which drives the real
UrbitSSEClient.processStream and processEvent against Node Readable streams
(not unit-test mocks) to demonstrate:

- normal SSE events are still delivered through the stream path;
- an unterminated stream that would grow beyond 16 MiB is rejected before
  unbounded accumulation;
- a single SSE payload above 16 MiB is rejected before JSON.parse.

The script passes on this branch and fails 2/3 assertions when run against
origin/main's sse-client.ts, providing the before/after proof ClawSweeper
requested.

* chore(tlon): fix oxlint catch type in proof script (#101274)

* fix(tlon): reject oversized SSE chunk before buffer concatenation

Move the stream byte-limit check before buffer += chunkStr so a
single oversized chunk never lands in the pending buffer. The old
guard ran after concatenation, which still allowed the memory spike
this hardening is meant to prevent.

Add a single-oversized-chunk test to prove the guard fires before
the chunk is concatenated into the pending buffer.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* chore(tlon): remove PR-specific SSE bounded proof script

The proof script was review-only validation for #101274. Durable behavior
coverage lives in sse-client.test.ts (stream buffer bounding, oversized
chunk rejection before concatenation, 16 MiB boundary, normal delivery,
1000 small events). Per ClawSweeper P3 finding, drop the one-off script
from the plugin tree.

* fix(tlon): bound SSE event buffering safely

* test(tlon): avoid unsafe optional chaining

* fix(tlon): count split Unicode at SSE limit

* fix(tlon): parse split SSE delimiters at limit

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-12 09:41:53 +01:00
Peter Steinberger
9cf4f03afe feat(telegram): add rich outbound location and video notes (#105142)
* feat(telegram): add rich outbound sends

Co-authored-by: Paul Kondratov <paulislava@mail.ru>

* fix(telegram): reject unsupported outbound locations

* fix(telegram): preserve location send semantics

* fix(telegram): preserve cross-context location markers

* fix(outbound): validate standalone locations before decoration

* fix(telegram): project native locations into prompt context

* chore: defer Telegram changelog to release

* fix(telegram): align SDK surface and docs map

---------

Co-authored-by: Paul Kondratov <paulislava@mail.ru>
2026-07-12 09:36:22 +01:00
zw-xysk
1cbb67668f fix(slack): log typing reaction errors instead of silently swallowing them (#103303)
* fix(slack): log typing reaction errors instead of silently swallowing them

The typing reaction (emoji) add and remove calls both use empty catch
handlers, silently discarding all errors. If the bot token lacks
reactions:write scope, the operator has no way to diagnose why the
configured typing reaction never appears.

Replace the empty catch with logVerbose calls that record the Slack
error, matching the existing logging pattern in the same file.

* test(slack): cover typing reaction failures

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-12 09:20:56 +01:00
Peter Steinberger
218dcd815a feat(tooling): enforce noUncheckedIndexedAccess in the extensions lane (NUIA phase 4) (#105132)
* fix(extensions): make indexed access explicit across channel plugins

Transport-payload-safe burn-down: malformed Telegram/Discord/QQ/LINE
and sibling channel input keeps existing skip paths; no synthesized
fields, no new throws in delivery loops. Zalo escape sentinels preserve
literal matches instead of undefined replacements.

* fix(extensions): make indexed access explicit across provider and memory plugins

Stream and model iteration, tool-block guards, capture guards, and
sparse accumulators; singleton model reads carry named invariants.

* fix(extensions): make indexed access explicit across tooling plugins, flip the extensions lane

Remaining plugins (oc-path, qa-lab, browser, logbook, and siblings) plus
the tsconfig.extensions.json flag flip. Cleanup: logbook sampleFrames
NaN index at max=1, QA retry clamp at non-positive attempts, dead Canvas
probe and OpenShell no-op slice removed, twitch test setup leak excluded
from the prod lane.

* refactor(plugin-sdk): expose expectDefined via a focused SDK subpath

Extensions imported @openclaw/normalization-core directly, crossing the
external-plugin packaging boundary (it only worked because the runtime
builder bundles undeclared workspace helpers). expect-runtime joins the
canonical entrypoints JSON, generated exports, API baseline, docs, and
subpath contract test; all 78 extension imports now use the SDK seam.
Two scanner-shaped locals renamed for review-bundle hygiene.

* chore(plugin-sdk): raise surface budgets for the expect-runtime subpath

One new entrypoint with one callable export, added intentionally as the
packaging-honest seam for extension invariant helpers.
2026-07-12 09:17:31 +01:00
Shubhankar Tripathy
43e138cc66 feat(google-meet): retain the full caption transcript per session (#103387) (#103811)
* feat(google-meet): retain bounded transcripts

Co-authored-by: lonexreb <reach2shubhankar@gmail.com>

* chore: leave changelog to release tooling

* fix(google-meet): satisfy transcript CI checks

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-12 09:16:46 +01:00
llagy007
7ed7840c94 fix(google-meet): validate calendar Meet URLs (#104863)
* fix(google-meet): validate calendar meet urls

* fix(google-meet): share meet url normalization

* fix(google-meet): normalize Calendar Meet URLs

* fix(google-meet): keep calendar text fallback stable

* fix(google-meet): validate calendar text candidates

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: Peter Steinberger <peter@steipete.me>
2026-07-12 09:12:40 +01:00
Vincent Koc
4da606ccf1 refactor(line): remove unused rich-menu user helpers (#105107) 2026-07-12 16:05:07 +08:00
Peter Steinberger
1a946dba78 test(qa): cover repeated live restart recovery (#105126) 2026-07-12 09:03:54 +01:00
Peter Steinberger
89f740651d fix(browser): normalize geolocation permission origins (#105092)
Co-authored-by: llagy007 <0668001470@xydigit.com>
2026-07-12 08:54:04 +01:00
Vincent Koc
cf33f5aa02 fix(qa): force Codex runtime for Slack approvals 2026-07-12 15:43:58 +08:00
Peter Steinberger
401ae11b71 fix(codex): preserve native subagent results after parent cleanup (#102060)
Codex native subagent results now survive parent cleanup, app-server persistence races, resumptions, and transient delivery failures. The monitor treats app-server thread/read and thread/turns/list history as canonical recovery state (works on non-stdio transports), retains the shared physical client only while detached children need monitoring, fences stale reads across lifecycle changes, keeps interrupted children resumable, preserves multi-agent V2 subAgentActivity lineage, and bounds terminal delivery retries with a durable failed state. Removes rollout-file discovery, transcript parsing, periodic whole-client rescans, and the deferred one-shot cleanup path.

Adds an opt-in live E2E lane (OPENCLAW_LIVE_CODEX_NATIVE_SUBAGENT=1) proving detached delivery and history-only recovery against a real app-server with an OpenAI key, restores the registered-child user-spoof regression test, and registers both codex opt-in live files in the release shard optional-env map.

Closes #97593
Related: #93313
2026-07-12 08:27:40 +01:00
llagy007
f5a50db569 fix(microsoft-foundry): reject malformed endpoints (#104796) 2026-07-12 08:23:44 +01:00
Vincent Koc
4d15c47e9f fix(qa): keep runtime parity lanes reproducible 2026-07-12 15:10:38 +08:00
Vincent Koc
d36d543ed4 fix(qa): recognize typed Slack approval actions 2026-07-12 15:10:38 +08:00
Galin Iliev
68dcfe633d fix(msteams): emit native cjs runtime entrypoints (#102366)
Co-authored-by: Galin Iliev <Galin.Iliev@microsoft.com>
2026-07-11 23:48:05 -07:00
destire-mio
f547e2bd85 fix(feishu): drive info finds files past the first page (#104190)
Co-authored-by: destire-mio <248462155+destire-mio@users.noreply.github.com>
2026-07-12 07:24:06 +01:00
Vincent Koc
48bda3197b test(qa): validate debug request cursor 2026-07-12 08:18:34 +02:00
Vincent Koc
bdc9c6070d fix(qa): add stable mock request cursors 2026-07-12 08:18:34 +02:00
moguangyu5-design
0b140c3546 fix(telegram): rewrite allow-always alias for any whitespace separator (#104942)
* fix(telegram): rewrite allow-always alias for any whitespace separator

* fix(telegram): require absolute approval alias suffix

---------

Co-authored-by: moguangyu5-design <moguangyu5-design@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-12 07:13:05 +01:00
llagy007
f6d11d0e29 fix(google-meet): guard node-host meet URLs (#104687) 2026-07-12 06:55:38 +01:00
Shubhankar Tripathy
86cd9786c8 fix(google-meet): actually leave the Meet call in the browser on leave (#103386) (#103522)
* fix(google-meet): leave browser calls on session end

Co-authored-by: lonexreb <reach2shubhankar@gmail.com>

* fix(google-meet): keep agent browser control in gateway

* chore(google-meet): move release note to pr

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-12 06:50:13 +01:00
Vincent Koc
c8427919b9 refactor(acpx): remove redundant probe plumbing (#105023) 2026-07-12 13:49:32 +08:00
pick-cat
3c7edce61e fix(codex): preserve UTF-16 pairs in tool output delta truncation (#104116)
* fix(codex): preserve UTF-16 pairs in tool output delta truncation

* chore: trigger CI re-run

* test(codex): add UTF-16 safety regression test for progress message cap

* chore: trigger CI re-run

Co-Authored-By: Claude <noreply@anthropic.com>

* test(codex): tighten UTF-16 progress regression

* test(codex): match progress label

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-12 06:40:48 +01:00
Peter Steinberger
d14bb8ec44 fix: resume replay-safe work after gateway restarts (#104997)
* fix: resume replay-safe work after gateway restart

* chore: leave restart note to release process

* fix: sync restart recovery protocol artifacts
2026-07-12 06:37:22 +01:00
thomas.szbay
a9e2b06812 fix(nextcloud-talk): align supported message actions (#104906)
Nextcloud Talk's supportsAction advertised support for all non-send
actions (including delete, pin, edit, read), but the handler only
implements 'react'. Unsupported actions passed the dispatcher boundary
check only to fail inside the handler.

This aligns supportsAction with actual implementation, matching the
pattern from PR #104788 (Signal adapter fix).
2026-07-12 06:28:07 +01:00
Vincent Koc
b67417909b refactor: remove dead core and extension exports (#104963)
* refactor(agents): remove obsolete exec eligibility helper

* refactor(diffs): internalize viewer-only state

* refactor(qa-lab): internalize implementation helpers
2026-07-12 13:06:23 +08:00
Vincent Koc
4040267af9 fix(qa): run mixed channel suites 2026-07-12 06:51:59 +02:00
Vincent Koc
5d03825597 refactor(qa): isolate scenario command lifecycle (#104958) 2026-07-12 12:27:29 +08:00
Vincent Koc
982efe51e4 refactor: remove dead UI and parser helpers (#104944)
* refactor(tool-call-repair): remove unused parser wrapper

* refactor(ui): remove dead private helper surfaces
2026-07-12 12:08:56 +08:00
Peter Steinberger
6b95f98fe7 fix(core): make indexed access explicit across remaining src (NUIA phase 3b) (#104773)
* fix(core): make indexed access explicit in auto-reply, infra, and config

Part 1/3 of the src NUIA phase-3b burn-down (#104600): iteration and
destructuring over index reads, boundary guards on parsed input, and
named invariants. Config path walkers bind the path head once; SQLite
migration key handling is hoisted without query-shape changes.

* fix(core): make indexed access explicit in cli, gateway, commands, security, shared

Part 2/3: argv/token selection restructured, gateway event/attachment
invariants named, security parsers stay fail-closed (invariant
violations throw), edit-distance matrices access checked entries.

* fix(core): make indexed access explicit across remaining src surfaces

Part 3/3: channels, plugins, process, cron, plugin-sdk, media, logging,
tui, hooks, daemon, and small directories. Latent bug fixed: a tailnet
resolver could leak undefined through a string|null contract and now
fails with a descriptive local error.

* fix(core): keep optional boundaries optional after per-commit review

Review findings: expectDefined misused where absence is a legitimate
state. CLI --profile/route-args missing next tokens take their existing
miss paths; help normalization compares --help against the last
positional again; first-time plugin install spreads absent cfg.plugins;
denylist scan iterates manifest dependency entries instead of throwing
on omitted sections; tailnet resolver returns a guaranteed string at
the source instead of a caller-side undefined throw.

* refactor(core): closed-key provider labels and honest optional passthroughs

PROVIDER_LABELS becomes a satisfies-typed closed record (static reads
provably defined; dynamic lookups go through providerUsageLabel with
honest string|undefined). Status-scan overview passes its optional
params through unchanged instead of asserting them.

* fix(channels): make getChatChannelMeta honestly optional

The original signature claimed ChatChannelMeta while leaking undefined
on bundled channel id metadata drift; three of four callers already
handled absence. The return type now says so, and the one assuming
caller falls back to the raw channel label.

* fix(core): index-safety for post-rebase main drift

Covers the sqlite-sessions flip and auth-source-plan code that landed
mid-phase, plus the channel-validation test consuming the now honestly
optional getChatChannelMeta.

* refactor(channels): split chat-meta accessors along the SDK contract

getChatChannelMeta keeps its shipped plugin-SDK signature (defined for
bundled ids, fail-loud on impossible misses); new findChatChannelMeta
carries the drift-tolerant optional contract for core auto-enable and
formatting paths.

* fix(qa-channel): own channel metadata instead of a guaranteed-undefined catalog lookup

qa-channel spread getChatChannelMeta over an id that is never in the
bundled catalog, shipping an empty setup meta by accident; the fail-loud
SDK accessor exposed it. The channel now declares its metadata once.

* fix(gateway): heartbeat projection lookahead is optional at the transcript tail

expectDefined wrapped messages[i + 1] whose absence on the final message
is the normal case; the adjacent ternary already handled it. Restores
the plain optional read with an explicit guard in the pair condition.

* fix(plugin-sdk): channel plugin factory tolerates non-bundled channel ids again

createChannelPluginBase spreads bundled catalog meta for ANY channel id,
where absence is the normal case for external plugins; the resolver is
honestly optional again while the exported bundled-id accessor keeps the
fail-loud contract.

* fix(core): spreads of optional config sections stay optional

Fresh-setup and first-install paths (crestodian setup inference, hook
installs, agent config base, target agent models) legitimately lack the
section being rebuilt; spreading undefined is the shipped {} semantics.
Removes the remaining gratuitous assertion wraps found by tree audit.
2026-07-11 20:47:34 -07:00
Alix-007
d0764f3566 fix(browser): preserve own profile entries (#101694)
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-11 20:10:59 -07:00