Commit Graph

66940 Commits

Author SHA1 Message Date
Peter Steinberger
acc57e4145 ci: isolate frozen Control UI tests (#105208) 2026-07-12 10:06:23 +01:00
Peter Steinberger
55254c3a0b feat(nodes): route alerts to the active computer (#105083)
* feat(nodes): route alerts by active computer

* fix(ci): allowlist node presence mobile coverage

* test(prompts): refresh node presence snapshots

* fix(macos): await presence reporter actor hop

* fix(macos): type presence test delivery state

* docs(nodes): add active presence guide

* docs(nodes): format presence troubleshooting
2026-07-12 10:05:50 +01:00
wangyan2026
232de2315b fix(gateway): reject disallowed browser Origin before accepting auth.mode=none on HTTP (#102834) (#102881)
* fix(gateway): reject disallowed browser Origin before accepting auth.mode=none on HTTP (#102834)

* refactor(gateway): scope HTTP Origin checks to no-auth

* fix(gateway): preserve trusted-proxy scan boundary

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-12 10:02:21 +01:00
Peter Steinberger
92accfde94 improve(ui): compact the New session controls and hero on phones (#105177)
* improve(ui): compact the new-session screen on phones

The /new target controls condense on phones: Where and Worktree share one
line and the folder picker takes its own full-width line below, so long
paths stay readable instead of stacking three loose rows. The shared
welcome hero (start screen and /new) scales down on phones so the
composer and recent chats fit the first screenful, and the /new scroll
inset matches the chat thread's mobile padding.

* fix(ui): keep mobile target rows in DOM order

Review caught that order: 2 on the folder chip made visual and tab order
diverge on phones. The folder chip now flexes next to Where with a 140px
floor that pushes Worktree to the second line, so the compact layout
keeps visual, reading, and focus order aligned.

* fix(ui): wrap the worktree fields with their toggle

Groups the worktree toggle and its branch/name fields in one flex unit so
line breaks never separate the dependent fields from the toggle at any
width; review caught that the previous flex sizing let the branch control
wrap alone on wider phones.
2026-07-12 10:02:04 +01:00
Vincent Koc
004b7b69c7 fix(ui): align E2E with current interaction contracts (#105206) 2026-07-12 17:01:45 +08:00
Vincent Koc
e7f9a430e3 refactor(plugins): remove obsolete plain-file installer (#105205) 2026-07-12 17:00:50 +08:00
Peter Steinberger
00cab8d42b fix(secrets): preserve partial gateway assignments (#105160)
Co-authored-by: SunnyShu <shu.zongyu@xydigit.com>
2026-07-12 09:58:33 +01:00
Vincent Koc
cf2af03d02 fix(sqlite): validate agent state before schema setup (#105179) 2026-07-12 16:57:18 +08:00
Peter Steinberger
f84b6f6091 test(release): harden shared UI and performance proof (#105061)
* ci(perf): pin PID-aware Kova evaluator

* test(ui): follow localized automation labels

* ci(perf): pin compatible Kova runner

* test(ui): bound chat hover browser wait

* docs(agents): require release validation helper

* ci(perf): retain redacted Kova reports

* style(ui): format chat hover test

* docs(agents): avoid dependency scripts in PR worktrees

* docs(agents): guard shared checkout branches

* docs(agents): quote gh api query endpoints
2026-07-12 09:55:21 +01:00
Peter Steinberger
17a533ce26 improve(ui): redesign the Automations tab with stats, a table list, and a full-page detail view (#105174)
* feat(ui): redesign Automations tab with stats, table list, and detail tabs

* docs(web): describe redesigned Automations page layout

* fix(ui): global failing-count stat via filtered cron.list and unclipped row menus

* fix(ui): refresh failing-count stat after cron job mutations

* chore(ui): sync locale bundles for automations redesign keys
2026-07-12 09:51:12 +01:00
Peter Steinberger
ae14fc1e81 fix: harden Crestodian maintenance flows (#105153)
* fix: harden Crestodian maintenance flows

* fix: skip trajectories for ephemeral Crestodian plans

* test: satisfy Crestodian CI gates
2026-07-12 09:51:03 +01:00
Peter Steinberger
1793c67ae1 test(browser): repair pw-ai page fixture (#105172) 2026-07-12 09:47:10 +01:00
Peter Steinberger
204d2b176a refactor(agents): compress model prompts and tool instructions (#105095)
* refactor(agents): compress model prompt instructions

* test(agents): align compact prompt assertions

* test(gateway): align compact message prompt assertion

* chore(plugin-sdk): refresh prompt overlay API baseline

* docs(changelog): note prompt instruction compaction

* test(agents): align compact prompt contracts

* test(agents): align CLI prompt contracts

* style(agents): format CLI prompt tests

* fix(qa): prioritize shadow trial workflow

* test(agents): refresh rebased prompt snapshots
2026-07-12 09:45:30 +01:00
Peter Steinberger
18eb472f82 fix(gradium): restrict TTS credential egress (#105169)
* fix(gradium): restrict TTS base URL before sending API keys

* fix(gradium): pin credential egress hostname

* docs(changelog): note Gradium credential guard

* docs(changelog): note Gradium credential guard

---------

Co-authored-by: 张贵萍0668001030 <zhang.guiping@xydigit.com>
2026-07-12 09:43:22 +01:00
pick-cat
1710ccad29 fix(tlon): cap SSE payload JSON.parse at 16 MiB to prevent OOM (#101274)
* fix(tlon): cap SSE payload JSON.parse at 16 MiB to prevent OOM

* fix(tlon): cap SSE stream buffer and JSON.parse at 16 MiB to prevent OOM

* chore(tlon): add production-style SSE bounded proof script (#101274)

Adds extensions/tlon/proof-sse-bounded.mts which drives the real
UrbitSSEClient.processStream and processEvent against Node Readable streams
(not unit-test mocks) to demonstrate:

- normal SSE events are still delivered through the stream path;
- an unterminated stream that would grow beyond 16 MiB is rejected before
  unbounded accumulation;
- a single SSE payload above 16 MiB is rejected before JSON.parse.

The script passes on this branch and fails 2/3 assertions when run against
origin/main's sse-client.ts, providing the before/after proof ClawSweeper
requested.

* chore(tlon): fix oxlint catch type in proof script (#101274)

* fix(tlon): reject oversized SSE chunk before buffer concatenation

Move the stream byte-limit check before buffer += chunkStr so a
single oversized chunk never lands in the pending buffer. The old
guard ran after concatenation, which still allowed the memory spike
this hardening is meant to prevent.

Add a single-oversized-chunk test to prove the guard fires before
the chunk is concatenated into the pending buffer.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* chore(tlon): remove PR-specific SSE bounded proof script

The proof script was review-only validation for #101274. Durable behavior
coverage lives in sse-client.test.ts (stream buffer bounding, oversized
chunk rejection before concatenation, 16 MiB boundary, normal delivery,
1000 small events). Per ClawSweeper P3 finding, drop the one-off script
from the plugin tree.

* fix(tlon): bound SSE event buffering safely

* test(tlon): avoid unsafe optional chaining

* fix(tlon): count split Unicode at SSE limit

* fix(tlon): parse split SSE delimiters at limit

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-12 09:41:53 +01:00
Vincent Koc
55e599c7b6 fix(node): foreground pairing no longer exits early (#105038)
* fix(node): keep foreground pairing wait alive

* test(node): cover foreground pairing lifetime

* fix(node): retain keepalive through shutdown

* test(node): match deferred cleanup mock type
2026-07-12 16:41:17 +08:00
Peter Steinberger
91863a2ec5 fix: keep MCP Apps aligned with runtime tool policy (#105075)
* fix: harden MCP Apps runtime policy

* fix: preserve MCP App reserved tool names

* fix: restart gateway for whole MCP Apps changes
2026-07-12 09:41:07 +01:00
Peter Steinberger
9cf4f03afe feat(telegram): add rich outbound location and video notes (#105142)
* feat(telegram): add rich outbound sends

Co-authored-by: Paul Kondratov <paulislava@mail.ru>

* fix(telegram): reject unsupported outbound locations

* fix(telegram): preserve location send semantics

* fix(telegram): preserve cross-context location markers

* fix(outbound): validate standalone locations before decoration

* fix(telegram): project native locations into prompt context

* chore: defer Telegram changelog to release

* fix(telegram): align SDK surface and docs map

---------

Co-authored-by: Paul Kondratov <paulislava@mail.ru>
2026-07-12 09:36:22 +01:00
Peter Steinberger
68553bed84 fix: live updater survives launchd teardown and retargets wrapped gateways (#105022)
* fix(updater): tolerate launchd teardown and replace plist args safely

* test(updater): declare plist argument helper
2026-07-12 09:35:53 +01:00
Peter Steinberger
7197eef3eb fix(gateway): queue agent runtime identity verification (#105143)
* fix(gateway): queue agent runtime identity verification

* chore: keep release changelog unchanged

* fix(gateway): recheck runtime context expiry after lock wait
2026-07-12 09:33:14 +01:00
Vincent Koc
e2f79a7614 refactor(channels): remove unused token prompt helper (#105159) 2026-07-12 16:32:43 +08:00
Vincent Koc
73bf1f29f8 refactor(models): trim private catalog exports (#105150) 2026-07-12 16:31:59 +08:00
Peter Steinberger
d31eeea408 fix(android): upsert device sessions safely (#105144) 2026-07-12 09:28:14 +01:00
Peter Steinberger
514d7189af fix(docs): preserve ambiguous product names 2026-07-12 04:24:53 -04:00
Peter Steinberger
fecd1ca195 improve(ui): unify the New session draft with the start-screen layout (#105069)
The /new draft page now renders the same welcome block as the empty-chat
start screen, with the draft controls folded in launcher-style: hero on
top, a quiet borderless target row (agent, node, folder, worktree)
directly above the mid-screen composer, and the recent chats below. The
page reuses renderWelcomeState via hint/composer slots so the surfaces
cannot drift apart; the shell treats /new as a chat-like route that owns
its scrolling, with the top inset doubling as the native titlebar drag
band. The welcome is content-sized on this route so a tall draft (open
folder browser, short window) stays scrollable from the top. Also
repairs the stale new-session e2e heading wait (the h1 was removed in

Closes #105068
2026-07-12 09:22:51 +01:00
Vincent Koc
2af4871f63 fix(ci): refresh plugin SDK declaration budget 2026-07-12 16:22:29 +08:00
zw-xysk
1cbb67668f fix(slack): log typing reaction errors instead of silently swallowing them (#103303)
* fix(slack): log typing reaction errors instead of silently swallowing them

The typing reaction (emoji) add and remove calls both use empty catch
handlers, silently discarding all errors. If the bot token lacks
reactions:write scope, the operator has no way to diagnose why the
configured typing reaction never appears.

Replace the empty catch with logVerbose calls that record the Slack
error, matching the existing logging pattern in the same file.

* test(slack): cover typing reaction failures

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-12 09:20:56 +01:00
Peter Steinberger
218dcd815a feat(tooling): enforce noUncheckedIndexedAccess in the extensions lane (NUIA phase 4) (#105132)
* fix(extensions): make indexed access explicit across channel plugins

Transport-payload-safe burn-down: malformed Telegram/Discord/QQ/LINE
and sibling channel input keeps existing skip paths; no synthesized
fields, no new throws in delivery loops. Zalo escape sentinels preserve
literal matches instead of undefined replacements.

* fix(extensions): make indexed access explicit across provider and memory plugins

Stream and model iteration, tool-block guards, capture guards, and
sparse accumulators; singleton model reads carry named invariants.

* fix(extensions): make indexed access explicit across tooling plugins, flip the extensions lane

Remaining plugins (oc-path, qa-lab, browser, logbook, and siblings) plus
the tsconfig.extensions.json flag flip. Cleanup: logbook sampleFrames
NaN index at max=1, QA retry clamp at non-positive attempts, dead Canvas
probe and OpenShell no-op slice removed, twitch test setup leak excluded
from the prod lane.

* refactor(plugin-sdk): expose expectDefined via a focused SDK subpath

Extensions imported @openclaw/normalization-core directly, crossing the
external-plugin packaging boundary (it only worked because the runtime
builder bundles undeclared workspace helpers). expect-runtime joins the
canonical entrypoints JSON, generated exports, API baseline, docs, and
subpath contract test; all 78 extension imports now use the SDK seam.
Two scanner-shaped locals renamed for review-bundle hygiene.

* chore(plugin-sdk): raise surface budgets for the expect-runtime subpath

One new entrypoint with one callable export, added intentionally as the
packaging-honest seam for extension invariant helpers.
2026-07-12 09:17:31 +01:00
Shubhankar Tripathy
43e138cc66 feat(google-meet): retain the full caption transcript per session (#103387) (#103811)
* feat(google-meet): retain bounded transcripts

Co-authored-by: lonexreb <reach2shubhankar@gmail.com>

* chore: leave changelog to release tooling

* fix(google-meet): satisfy transcript CI checks

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-12 09:16:46 +01:00
Vincent Koc
648d742ee7 fix(ci): validate sqlite Codex transcripts 2026-07-12 16:15:44 +08:00
Vincent Koc
a381b50643 test(agents): skip region-blocked xAI models 2026-07-12 16:15:44 +08:00
Peter Steinberger
6fc564278d feat(agents): sessions_search full-text recall over past session transcripts (#105057)
Adds a core sessions_search agent tool backed by a SQLite FTS5 index that
lives next to the transcript rows in the per-agent database. Indexing is
transactional: user/assistant text is indexed inside the same write
transaction that persists the event, deletes drop index rows in the same
transaction, and branch rewinds mark the session dirty so the next search
rebuilds it from the same visible-path resolution sessions_history uses
(which also lazily backfills doctor-migrated databases). Search executes
gateway-side behind an additive sessions.search method with a bounded
session-key allowlist; visibility, sandbox restrictions, and snippet
redaction mirror sessions_history.

Closes #100978
2026-07-12 09:15:41 +01:00
Vincent Koc
2f7aa65167 fix(qa): avoid login shell in cron watcher (#105118) 2026-07-12 16:15:26 +08:00
Vincent Koc
97c874d563 test(i18n): cover retry validation feedback 2026-07-12 16:15:23 +08:00
Vincent Koc
f67e50cd1a fix(i18n): feed validation failures into retries 2026-07-12 16:15:23 +08:00
llagy007
7ed7840c94 fix(google-meet): validate calendar Meet URLs (#104863)
* fix(google-meet): validate calendar meet urls

* fix(google-meet): share meet url normalization

* fix(google-meet): normalize Calendar Meet URLs

* fix(google-meet): keep calendar text fallback stable

* fix(google-meet): validate calendar text candidates

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: Peter Steinberger <peter@steipete.me>
2026-07-12 09:12:40 +01:00
Vincent Koc
86af5f08b3 fix(release): support explicit provenance overrides 2026-07-12 16:12:23 +08:00
Peter Steinberger
91ca35ba58 ci: make locale parity advisory before release (#105140) 2026-07-12 09:11:57 +01:00
Peter Steinberger
c0496ea96d fix(android): bound structured chat image decoding (#105065)
* fix(android): bound structured chat images

* chore(android): sync native i18n inventory
2026-07-12 09:11:21 +01:00
Peter Steinberger
9cda1af020 fix(ui): open the start screen from the sidebar brand (#105046)
* fix(ui): restore sidebar start-screen navigation

* test(ui): align sidebar proof with automations
2026-07-12 09:09:27 +01:00
Vincent Koc
d6d7c19c9d fix(tasks): fail closed when task-flow state cannot restore (#105088)
* fix(tasks): fail closed on task-flow restore errors

* fix(tasks): keep maintenance checks behind owner seam

* fix(tasks): gate runtime startup on flow restore

* test(tasks): prove runtime restore gate failures

* fix(tasks): gate cancellation on flow readiness
2026-07-12 16:08:29 +08:00
Vincent Koc
c293fef3a8 refactor(sessions): remove obsolete file projection path (#105136) 2026-07-12 16:08:04 +08:00
Peter Steinberger
10371ff475 fix(gateway): suspension waits for accepted node work (#105134)
* fix(gateway): retain node event work during suspension

* chore: leave gateway release note to release closeout
2026-07-12 09:07:23 +01:00
Peter Steinberger
6038480915 feat(ui): browse Gateway and node folders from one root (#105114)
* feat(ui): browse Gateway and node folders

* chore: keep changelog release-owned

* chore: refresh native i18n inventory

* refactor(macos): isolate node filesystem commands
2026-07-12 09:07:07 +01:00
Peter Steinberger
448b90a594 feat(android): adopt per-device app sessions (#105115)
* feat(android): adopt per-device app sessions

Co-authored-by: snowzlmbot <293528334+snowzlmbot@users.noreply.github.com>

* test(android): assert latest session adoption wins

---------

Co-authored-by: snowzlmbot <293528334+snowzlmbot@users.noreply.github.com>
2026-07-12 09:06:45 +01:00
Vincent Koc
4da606ccf1 refactor(line): remove unused rich-menu user helpers (#105107) 2026-07-12 16:05:07 +08:00
Peter Steinberger
1a946dba78 test(qa): cover repeated live restart recovery (#105126) 2026-07-12 09:03:54 +01:00
Peter Steinberger
1c9a2f6a9d perf(gateway): skip completed startup migrations (#105099) 2026-07-12 09:03:45 +01:00
Vincent Koc
ac69e5008c fix(ci): avoid stale workflow rate limits (#105117)
* fix(ci): throttle stale issue locking

* fix(ci): throttle stale issue locking
2026-07-12 16:03:24 +08:00
Peter Steinberger
d325b6c76b fix: preserve parent abort reasons through timeouts (#105071) 2026-07-12 09:02:12 +01:00