Commit Graph

66940 Commits

Author SHA1 Message Date
Ayaan Zaidi
77c84de510 fix(telegram): complete spooled updates at turn adoption, rescope ingress watchdog 2026-07-10 14:32:11 +05:30
Ayaan Zaidi
ef103205ad feat(channels): add turn-adoption ack to channel inbound dispatch 2026-07-10 14:32:11 +05:30
Peter Steinberger
be151c6f14 feat(webchat): the lobster celebrates anniversaries and earns titles (#103563)
On the month/day anniversary of a palette's first Lobsterdex visit the
arriving lobster wears the party hat. Lifetime visit milestones add
honorifics to the hover name: Sir at 50, Captain at 100, Elder at 250.
2026-07-10 09:56:15 +01:00
NianJiu
8b49bc61a8 fix(ios): stop camera work when invoke is cancelled (#103069)
* fix(ios): stop camera work when invoke is cancelled

* fix(ios): mark AVFoundation cancellation boundary

* chore(ios): refresh native i18n inventory

* fix(camera): clean up cancelled warm-up sessions

* fix(ios): make camera cancellation lifecycle-safe

---------

Co-authored-by: NianJiuZst <180004567+NianJiuZst@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 09:44:42 +01:00
Michael Appel
56e97dab3a fix(qqbot): limit channel API targets to configured groups [AI] (#101765)
* fix(qqbot): scope channel API targets to configured groups

* fix(qqbot): fail closed scoped channel API resources

---------

Co-authored-by: Pavan Kumar Gondhi <pavangondhi@gmail.com>
2026-07-10 14:11:50 +05:30
Peter Steinberger
57f72bcca0 perf(test): avoid image tool runtime warmup 2026-07-10 04:38:55 -04:00
Eva
2b223549ed fix(codex): cap native tool output before replay (#99578)
The Codex app-server projector now caps native tool output at 10k chars before it reaches OpenClaw's replayable surfaces (transcript tool results, trajectory output, progress text, streamed delta accumulation, MCP/dynamic tool text), with an explicit truncation notice carrying the original length. Assistant-item echo suppression is scoped to raw-lane promotions with bounded multi-shape signatures: typed agentMessage finals are never content-filtered (verbatim tool-output answers are preserved), fine-grained streams cannot evict the start-summary signature, and the post-truncation prefix freeze from main is restored so surrogate-boundary cuts cannot corrupt echo matching. This closes the projector-side replay amplification from #99465; native/provider-side replay budgets remain tracked in #99551.

Fixes #99465

Thanks to Eva (@100yenadmin) for the contribution.
2026-07-10 14:06:56 +05:30
Peter Steinberger
9ecb2f3a84 feat(ui): restore sidebar chrome, delete the pane workspace strip, compact native narrow header (#103561)
* feat(ui): restore sidebar chrome and remove the pane workspace strip

Reverse course from #103426 on the app chrome: the left sidebar owns
brand, pinned navigation + More, New session, sessions, and the footer
(status dot, Settings, Docs, pairing, theme) again, and the desktop
topbar is gone. What stays from that PR: the dockable workspace rail
(right/bottom, drag or button), the in-flow split-pane headers, and
Cmd+B now hides the sidebar entirely (no 78px icon rail) with a
floating expand control.

The real target of the original request: the vertical icon strip at
each pane's right edge is deleted. A collapsed workspace rail renders
nothing; the toggle (with a changed-file badge) lives in the split-pane
header next to split/close, or floats at the top-right in single-pane
chat. Shift+Cmd+B still toggles.

Narrow native macOS windows (e.g. the in-app link browser splitting
the window) previously stacked 50px of injected titlebar padding on
top of the 58px drawer row; the web CSS now folds that into one
compact 58px row beside the traffic lights, with selectors that
outrank the rules shipped Mac apps inject.

* chore(ui): regenerate locale bundles and docs map for sidebar restore

* fix(ui): bind showPaneHeader explicitly on the classic single pane

* chore(ui): reconcile locale metadata after rebase onto lobster wild cards
2026-07-10 09:35:14 +01:00
Eva
ae63a48e94 fix(auto-reply): recover stranded message-tool finals by default (#99536)
In messages.visibleReplies "message_tool" sessions, a successful agent turn that produced a substantive private final without calling message(action=send) previously left the user with silence and only an operator log. The gateway now enqueues one protected front-of-queue retry prompting the model to deliver the reply, and falls back to a sanitized visible diagnostic when the retry cannot be enqueued or also strands. Queue overflow protection is unified with the in-flight-aware drop policy (skip in-flight or protected items, reject when nothing is droppable), rejected overflow no longer refreshes the drain debounce, heartbeat turns are excluded from recovery, and recovery retries no longer share the client turn's queued-turn lifecycle.

Fixes #85714

Thanks to Eva (@100yenadmin) for the contribution.
2026-07-10 14:01:01 +05:30
Peter Steinberger
26d200c6a3 feat(channels): narrated progress drafts + activity receipt on the final answer (#103463)
* feat(channels): narrated progress drafts + activity receipt on the final answer

Progress mode replaces raw tool lines with short utility-model narration of
what the agent is doing (streaming.progress.narration, default on, requires
an explicit utilityModel). On Discord the final answer now carries the
-# activity receipt and the working draft is deleted once the answer lands,
so busy channels keep no orphaned tool log above the reply.

Formatting verified remotely via Testbox oxfmt --check (hook bypassed:
no node_modules in this worktree).

* fix(channels): keep narration toggle independent of channel-default stream mode

Discord resolves its own progress default, so the resolver must not re-derive
mode with the generic partial fallback (narration was off for unset config).

* fix(auto-reply): honor status-only command text in narration model input

streaming.progress.commandText: "status" hides raw exec/bash text from the
channel draft; narration input now mirrors that policy so the utility model
never receives more command detail than the draft shows (Codex review P2).

Formatting verified remotely via Testbox oxfmt --check.

* fix(auto-reply): share the draft's command-tool set for narration and regen channel metadata

Reuse isCommandToolName (exec|shell|bash) so narration's commandText policy
matches the draft formatter exactly, and regenerate bundled channel config
metadata for the new streaming.progress.narration key (Codex review round 2).

Gates verified on Testbox: config:channels:check, oxfmt --check, 4 test shards.

* fix(channels): clear stale narration when the narrator stops mid-turn

An empty narration update now falls the draft back to raw tool lines, and the
narrator emits that clear when it disables after consecutive failures or the
per-turn cap, so drafts never pin stale status text (Codex review round 3).

Gates verified on Testbox: oxfmt --check + 4 test shards.

* chore(config): regen bundled channel metadata after rebase onto main

* chore: CI fixups — lint nits, test harness types, docs map, SDK surface budget

Two deliberate public SDK additions (resolveChannelStreamingProgressNarration,
isCommandToolName via the streaming wildcard re-export) bump the pinned
public-surface budgets to current counts (exports 10488, callable 5235).

Gates verified on Testbox: oxfmt, targeted oxlint, docs:map:check,
config:channels:check, check:test-types, 5 test shards.
2026-07-10 09:28:47 +01:00
Peter Steinberger
4a4a32a5de feat(cli,webchat): lobster wild cards — a CLI cousin, moving day, and opt-in sounds (#103412)
* feat(cli,webchat): lobster wild cards - a CLI cousin, moving day, and opt-in sounds

The openclaw banner gains a rare day-seeded ASCII lobster (rich TTYs,
random tagline mode, never CI). The web pet notices gateway upgrades and
arrives carrying a bindle for one load. A new default-off Lobster sounds
quick setting adds tiny WebAudio chirps on pokes and pets. The lobster
docs page learns about petting, sounds, and this batch's field notes.

* chore(webchat): regenerate keyless raw-copy i18n baseline after rebase
2026-07-10 08:49:27 +01:00
Peter Steinberger
b07ebe3ff3 feat: correlate managed agent requests (#103476) 2026-07-10 08:42:55 +01:00
Peter Steinberger
3bec587d74 fix(computer): stop typing after cancellation (#103528) 2026-07-10 08:37:37 +01:00
Peter Steinberger
66bcfeac6b fix(ui): dismiss stale topbar menus and restore focus (#103508) 2026-07-10 08:33:14 +01:00
Peter Steinberger
d133f28cfb fix: preserve selected models through hot reloads and fallbacks (#103510)
* fix(agents): keep model fallback turn-local instead of persisting over user pins

* fix(telegram): use live config snapshots per operation

Co-authored-by: Ayaan Zaidi <hi@obviy.us>

* test(telegram): fix config snapshot type coverage

---------

Co-authored-by: Ayaan Zaidi <hi@obviy.us>
2026-07-10 08:26:33 +01:00
Peter Steinberger
195bec6910 feat(ios): show per-message usage metadata (#103471)
* feat(ios): show per-message usage metadata

* fix(ios): compile usage context calculation
2026-07-10 08:24:28 +01:00
Peter Steinberger
ace2407acd fix(ci): compare the full harness surface for evidence reuse
Codex review round four: workflows execute helper scripts from the
workflow ref, so comparing only the .github/workflows tree missed
script-only harness changes. Harness equivalence now means the git tree
diff between the candidate run's head SHA and the current workflow SHA
is itself release-metadata-only, using the same canonical classifier as
the target delta. The classifier's worktree overlay no longer applies
when --head is an explicit SHA, keeping SHA-exact comparisons exact.
2026-07-10 00:21:26 -07:00
Peter Steinberger
494987fa6e fix(ci): require an identical workflow harness for evidence reuse
Codex review round three: a prior green run may have executed with
different lane definitions; the resolver now compares the candidate
run head SHA's .github/workflows tree against the current workflow
ref before accepting its manifest.
2026-07-10 00:21:25 -07:00
Peter Steinberger
e8a634f714 test(release): pin extended preflight usage line 2026-07-10 00:21:25 -07:00
Peter Steinberger
e98bb5942a fix(ci): scope beta advisory to live-provider suites and validate reuse targets
Codex review round two: the reusable advisory input is global, so beta
would also have softened hermetic repo/OpenShell E2E — add a scoped
live_advisory input that only covers the live-provider suite jobs and
narrow the umbrella fail-fast exclusion to those job names. Evidence
reuse now also runs the macOS source-version consistency check against
the target (release-preflight --macos-versions-only) so version-stamp
deltas cannot reuse evidence while version surfaces disagree.
2026-07-10 00:21:24 -07:00
Peter Steinberger
6bb240b6da fix(ci): match validation inputs and recheck child runs before evidence reuse
Codex review findings: evidence reuse must not let a default-input run
stand in for a focused provider/mode/filter/package-spec run, and
recorded child runs can be re-run to failure while the parent stays
green. Manifests now record validationInputs; the resolver requires an
exact input match and healthy child runs, and the summary re-verifies
the chain root plus its recorded children. Reuse-mode evidence dispatch
notes now disclose the chain-root relationship.
2026-07-10 00:21:24 -07:00
Peter Steinberger
d3959d97a6 test(ci): pin new release validation concurrency and preflight guards 2026-07-10 00:21:23 -07:00
Peter Steinberger
87f98090e1 feat(ci): reuse release validation evidence and speed up the release pipeline
- Full Release Validation now checks for a prior green validation whose
  target differs only by release metadata (changelog/version stamps) and
  reuses that evidence instead of re-running every lane; disable with
  reuse_evidence=false. Evidence manifests chain through reuse runs via
  evidenceReuse.runId and the summary re-verifies the chain root.
- The Docker runtime-assets preflight no longer serializes the CI,
  plugin-prerelease, release-checks, and performance lanes; it runs in
  parallel and stays enforced by the umbrella verifier.
- Umbrella runs for release/* refs now supersede in-progress runs with
  the same ref and rerun group instead of requiring manual cancels.
- release_profile=beta treats the live-provider E2E suites as advisory
  (third-party model deployments move underneath releases); stable and
  full profiles keep them blocking, and beta live failures no longer
  fail-fast-cancel the remaining release-check matrix.
2026-07-10 00:21:23 -07:00
Peter Steinberger
68cc97693d fix(macos): sync Info.plist source versions with package.json
The release-preflight macOS source-version check requires
CFBundleShortVersionString/CFBundleVersion to match the package.json
base version; main drifted to 2026.6.10 and the cherry-picked check
carried release-branch 2026.7.1 literals.
2026-07-10 00:21:22 -07:00
Vincent Koc
d6b38e2eae fix(release): validate macOS source versions
(cherry picked from commit f7aea57edb)
2026-07-10 00:21:22 -07:00
Vincent Koc
8017deb871 test(gateway): allow loaded CI media mirror completion
(cherry picked from commit 0f52c07e29)
2026-07-10 00:21:22 -07:00
Peter Steinberger
51c1c08227 fix(ui): preserve desktop lobster run outcomes (#103501) 2026-07-10 08:18:54 +01:00
rvdlaar
fc507c70c5 fix(agents): xAI/Grok requests fail after a stale reasoning replay ("could not decrypt encrypted_content") (#97926)
* fix(agents): recover xAI/Grok "could not decrypt encrypted_content" 400 instead of tripping the circuit breaker

openclaw already strips a stale reasoning replay and retries the Responses call, but the
recovery is gated on isInvalidEncryptedContentError(), which only recognizes the
`invalid_encrypted_content` / `thinking_signature_invalid` codes/messages. xAI/Grok returns
a prose 400 with no error code — "Could not decrypt the provided encrypted_content. Ensure
the value is the unmodified encrypted_content from a previous response." — so the matcher
returns false, the call fails, and the per-model circuit breaker trips, blocking ALL
grok-4.3 traffic through the gateway until manual intervention.

Match that message (contains `encrypted_content` and a decrypt-failure phrase) so the
existing strip-and-retry path handles it too. Narrow enough to avoid unrelated
"could not decrypt" messages (e.g. the OAuth sidecar warning), which do not mention
`encrypted_content`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(agents): narrow xAI decrypt retry detection

Co-authored-by: rvdlaar <rvdlaar@gmail.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 08:17:29 +01:00
Vincent Koc
27ceb13e21 fix(ci): select trusted release harness for Docker lanes (#103504) 2026-07-10 00:13:06 -07:00
Peter Steinberger
c6ddb4bda9 fix: stabilize gateway deletion admission CI fixture (#103486)
* test(gateway): stabilize deletion admission fixture

* test(gateway): delete session through lifecycle owner
2026-07-10 08:12:51 +01:00
Peter Steinberger
0d63f46498 feat(webchat): the lobster remembers - dex memories and a familiarity arc (#103359)
The Lobsterdex upgrades to a v2 object schema (v1 arrays migrate in
place, memories backfill on the next visit): each palette remembers its
first visitor's name and date, shown in the gallery tooltips ('Goldie -
first visited 7/5/2026'). Familiarity counters (visits, shoos) shape
behavior with no UI: fewer than three lifetime visits is shy (shorter
stays, later arrivals), fifteen or more is a friend (longer stays,
sooner returns, and a hello wave on the first arrival of each load),
and shooing it too often makes it wary, stretching the gaps between
visits. All best-effort localStorage; tuning lives in one exported
table.
2026-07-10 08:10:14 +01:00
Peter Steinberger
ce47e6ac53 fix(mcp): keep server config private in groups (#103502)
* fix(mcp): keep server config private in groups

* fix(config): redact underscore credential flags

* fix(config): redact plural credential flags
2026-07-10 08:09:48 +01:00
Peter Steinberger
a97633a9ad fix(codex): require human approval for app-server commands (#103457)
* fix(codex): require human approval for app-server commands

* docs(exec): clarify Codex approval fallback
2026-07-10 08:07:18 +01:00
SunnyShu
a1d03f1cfd fix(gateway): re-check session runtime model against current agent defaults after hot-reload (#102305)
* fix(gateway): re-check session runtime model against current agent defaults after hot-reload

Agent model hot-reload silently did not take effect because session entries
cached modelProvider/model from agent defaults during reset, and the resolver
returned these cached values before checking current config.

Fix (three-pronged):
1. Reset-side: only cache modelProvider/model when the resolved model came
   from a user override — default-derived values are no longer persisted.
2. Resolver-side: when runtime metadata exists without overrides and an
   agentId is available, the values are default-derived and may be stale —
   skip them in the persisted-model fallback so current config defaults win.
3. Inheritance: only inherit runtime model metadata from parent when it
   carries explicit user overrides (align with reset-side contract).

Reset response includes resolvedModel so API and TUI consumers always get
the effective model identity.

Fixes #102269

* fix(gateway): restore truncateUtf16Safe and emoji-boundary title test per ClawSweeper review

* fix(gateway): only skip stale session runtime model metadata when it actually differs from current defaults

The previous change unconditionally skipped cached modelProvider/model when no
user overrides were present and an agentId was available, assuming it was always
stale. This broke sessions that legitimately had non-default models set through
normal session creation (e.g. custom vision models).

Now the resolver resolves the current agent default first and compares: if the
cached runtime metadata matches the current default it is returned directly
(not stale); only when it differs is it treated as stale and re-resolved.

Also updates tests that set modelProvider/model without overrides to configure
their agent defaults so the expected model matches the resolution result.

* fix(session-model-ref): add stale-metadata detection for config hot-reload

* fix(test): remove strict timeoutMs assertion in provider catalog live-runtime test

The remainingTimeoutMs calculation can be off by 1ms depending on timing
(Date.now() - startedAt = 1ms on fast CI runners), causing a flaky failure.
This assertion is not the test's focus — dedicated timeout behavior is already
covered by 'uses one timeout budget across paginated live catalog discovery'.

* fix: restore AVATAR_MAX_BYTES to 2MB (revert accidental merge contamination)

* fix(gateway): resolve session models from current config

---------

Co-authored-by: Peter Steinberger <peter@steipete.me>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 08:04:55 +01:00
llagy007
56fb460b83 fix(memory): keep batch failure attempts finite (#103117)
* fix(memory): keep batch failure attempts finite

* fix(memory): own batch retry attempt accounting

Co-authored-by: llagy007 <0668001470@xydigit.com>

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 08:03:23 +01:00
Peter Steinberger
e169bfed7c fix: default optional Swift protocol fields (#103493) 2026-07-10 08:02:49 +01:00
Peter Steinberger
ed74d8dc7d test(macos): deflake Codex pipe drain (#103478) 2026-07-10 08:02:39 +01:00
Peter Steinberger
d7dc6ee845 fix(xai): validate x_search handle filters (#103393) 2026-07-10 08:02:18 +01:00
Peter Steinberger
19111cf29d fix(xai): route provider alias to native endpoint (#103488) 2026-07-10 08:02:08 +01:00
Pavan Kumar Gondhi
0ac5394192 fix: enforce sandbox tool policy for loopback tools [AI] (#103074)
* fix: apply sandbox policy to gateway loopback tools

* test: type gateway sandbox policy helper

* style: format gateway sandbox policy import

* test: exercise sandbox deny on allowed loopback tool
2026-07-10 12:30:51 +05:30
Peter Steinberger
5476930568 improve(ui): mark the default model inline (#103484)
* improve(ui): mark the default model inline

* chore: leave changelog to release workflow

---------

Co-authored-by: Peter Steinberger <peter@steipete.me>
2026-07-09 23:54:43 -07:00
Peter Steinberger
0f3fb9ea58 fix(codex): prefer ChatGPT desktop resources (#103470)
Co-authored-by: Hiroshi Tanaka <solavrc@gmail.com>
2026-07-10 07:44:24 +01:00
wuqxuan
9e74dabad2 fix: parse zero-argument XML tool calls (#103220)
* fix: parse zero-argument XML tool calls

* fix(tool-call-repair): handle empty XML calls safely

---------

Co-authored-by: Peter Steinberger <peter@steipete.me>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 07:39:23 +01:00
Peter Steinberger
6025aa5f60 fix(macos): tighten the link-browser tab header (#103469)
Drop the 32pt drag-overlay clearance above the sidebar tab strip to a
12pt inset - just enough to clear the window's 12pt drag overlay so
every tab pixel stays clickable - and shrink the header from 98pt to
78pt. Follow-up to #103438 per maintainer feedback.
2026-07-10 07:37:11 +01:00
Peter Steinberger
4a72a6cb2f feat(ui): move app chrome into a topbar and dock the session workspace rail (#103426)
* feat(ui): move app chrome into a topbar and dock the session workspace rail

The desktop shell now uses a slim topbar for brand, primary navigation
(Chat + pinned routes + More menu), command-palette search, pairing,
theme, and Settings; the left column slims down to a sessions-only
panel (Cmd+B hides it entirely — the 78px icon rail is gone). Split
view drops the fixed geometry-mirroring toolbar for in-flow per-pane
headers. The session workspace rail can dock right or bottom inside
its pane — drag its header between edges or use the dock button — and
the collapsed strip's file glyph is now a real button (it used to be a
dead, button-looking span) with a changed-file count badge. The Mac
app's injected chrome CSS slims down accordingly; its drag-region
geometry is unchanged and the topbar brand strip stays passive under
it.

* chore(ui): regenerate locale bundles for topbar and workspace dock strings

* fix(ui): keep the native macOS drawer clear of the titlebar overlay

The narrow-width slide-over drawer sits fixed at the window top, over
the AppKit traffic lights and drag regions. The old Mac-app-injected
CSS padded .sidebar-shell for this; that rule moved web-side for the
desktop topbar, so restore drawer clearance here for both the app
drawer and the in-drawer settings sidebar.

* chore(ui): translate topbar and workspace dock strings; regen docs map
2026-07-10 07:32:57 +01:00
Vincent Koc
f11b2493b9 fix(ci): read Codex bindings from SQLite in live harness (#103467)
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 23:32:39 -07:00
cxbAsDev
158d646184 fix(signal): retry inbound flushes on reply session init conflict (#103218)
* fix(signal): retry inbound flushes on reply session init conflict

* fix(signal): bind conflict retries to monitor lifecycle

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 07:29:58 +01:00
Peter Steinberger
20bc552590 feat(webchat): pass-through visitors - strangers and the crab (#103352)
Roughly one load in ten, someone else walks across the footer ledge
once and leaves: usually a stranger lobster wearing a palette the
resident pet does not (hover: 'a stranger'), and on rare loads a crab
(hover: 'definitely a lobster') - wide shell, eye stalks, walks
strictly sideways, smug about it. Passers never perch, never react,
and never count for the Lobsterdex. Planned by a pure per-seed
function, gated by the visits setting, skipped under reduced motion,
and their timers reset with the seed and clean up on disconnect.
2026-07-10 07:22:09 +01:00
NIO
514829f0e1 fix(mattermost): cap outbound and monitor caches (#101740)
Co-authored-by: NIO <nocodet@mail.com>
2026-07-10 07:17:34 +01:00
Peter Steinberger
1d20542449 fix(tlon): strip internal tool-trace banners from outbound text (#103450)
Route assistant-visible Tlon output through the shared sanitizer and prove the rendered Urbit poke payload for DMs, groups, and media captions.

Co-authored-by: masatohoshino <g515hoshino@gmail.com>
2026-07-10 07:17:17 +01:00