Commit Graph

66940 Commits

Author SHA1 Message Date
qingminlong
56096eb859 fix(browser): report malformed relay CDP frames (#102070)
* fix(browser): report malformed relay CDP frames

* refactor(browser): streamline relay frame validation

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 12:00:38 +01:00
Miorbnli
61a7fc5da6 fix(plugins): fall back to os.homedir() when HOME/OPENCLAW_HOME is empty (#102413)
* fix(plugins): fall back to os.homedir() when HOME/OPENCLAW_HOME is empty

manifest-metadata-scan resolved the home directory with
`env.OPENCLAW_HOME ?? env.HOME ?? env.USERPROFILE ?? os.homedir()`. The nullish
coalescing operator only catches null/undefined, so an empty or whitespace home
variable (e.g. HOME="" in a stripped-down container/sandbox env) was kept as ""
and path.join("", ".openclaw") resolved to a RELATIVE ".openclaw" under the cwd.
Plugin discovery then read global extensions from the wrong directory.

Normalize each candidate with the already-imported normalizeOptionalString (which
returns undefined for empty/whitespace) so an empty value falls through to
os.homedir(), matching the canonical home resolver in src/infra/home-dir.ts.

Co-Authored-By: Claude <noreply@anthropic.com>

* refactor(plugins): reuse canonical manifest paths

Co-authored-by: liyuanbin <li.yuanbin1@xydigit.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 12:00:12 +01:00
Eulices
182376ea83 fix: iOS chat streaming stays visually stable as replies arrive (#50483)
* fix(ios): stabilize visible chat streaming

Co-authored-by: Eulices Lopez <leulices@gmail.com>

* fix(ios): keep chat segment IDs out of localization

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 11:59:42 +01:00
qingminlong
2f8f8ae1ae fix(read): reject non-positive offsets (#102481)
* fix(read): reject non-positive offsets

* fix(read): validate offsets before filesystem access

Co-authored-by: qingminlong <qing.minlong@xydigit.com>

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 11:59:29 +01:00
SunnyShu
65c3061ad7 fix(agents): emit model.failover diagnostic on normal model fallback transitions (#102051)
* [AI] fix(agents): emit model.failover diagnostic on normal model fallback transitions

Restructure observeFailedCandidate to emit the existing model.failover
diagnostic event for candidate run failures when an actual next fallback
candidate exists.

Previously emitFailoverEvent was only called in the cooldown lane-suspension
branch.  Normal fallback transitions only reached the trajectory recorder
(onFallbackStep) and were invisible in OTel traces.

Key design decisions:
- Emit inside observeFailedCandidate so both LiveSessionModelSwitchError
  and generic error paths are covered automatically
- Guard emission on nextCandidate to avoid false telemetry for single-model
  runs or terminal candidate exhaustion (the cooldown suspension branch
  already handles that case with suspended=true)
- Extract error reason via existing describeFailoverError helper

Related to #102015

Co-Authored-By: claude-4.6 <noreply@anthropic.com>

* [AI] test(agents): add regression tests for model.failover diagnostic emission

Covers three scenarios:
- Primary fails, fallback succeeds: verifies model.failover event payload
  (from/to provider/model, reason, cascadeDepth, suspended)
- Single-model run: verifies no false event emission
- Exhausted chain: verifies only real transition emits, terminal does not

Related to #102015

Co-Authored-By: claude-4.6 <noreply@anthropic.com>

* test(agents): consolidate failover diagnostics coverage

* test(agents): satisfy fallback diagnostic gates

---------

Co-authored-by: claude-4.6 <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 11:59:17 +01:00
qingminlong
6cd94f6049 fix(web): mark partial response reads when streams fail (#102550)
* fix(web): mark partial response reads when streams fail

* fix(web): report partial stream bytes accurately

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 11:58:56 +01:00
Peter Steinberger
5afd4707c7 fix(ui): split-view toolbar segments misalign with the panes they label (#102675)
* fix(ui): align split-view toolbar segments with the pane edges they label

* fix(ui): track pane gutter and horizontal overflow in the split toolbar

* fix(ui): reset split toolbar scroll offset on mode flips and reserve docked terminal space

* fix(ui): scroll clipped split panes into view when their toolbar segment gains focus
2026-07-09 11:58:31 +01:00
huangjianxiong
c067802cda fix(microsoft-foundry): keep connection test error truncation UTF-16 safe (#102605)
* fix(microsoft-foundry): keep connection test error truncation UTF-16 safe

Replace `.slice(0, 200)` with `truncateUtf16Safe(body, 200)` in
testFoundryConnection error messages to prevent surrogate pair corruption.

Ref. lsr911 pattern — mechanical substitution, no behavior change.

* test(microsoft-foundry): cover UTF-16-safe connection errors

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 11:51:38 +01:00
Alix-007
bebf0b98c1 fix(nextcloud-talk): add timeouts to Talk send requests (#102025)
* fix(nextcloud-talk): add timeouts to Talk send requests

* test(nextcloud-talk): simplify send timeout proof

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 11:49:48 +01:00
huangjianxiong
c335ecdb73 fix(microsoft-foundry): keep Azure CLI error truncation UTF-16 safe (#102604)
* fix(microsoft-foundry): keep Azure CLI error truncation UTF-16 safe

Replace `.slice(0, 300)` with `truncateUtf16Safe(normalized, 300)` in
summarizeAzErrorMessage to prevent surrogate pair corruption.

Ref. lsr911 pattern — mechanical substitution, no behavior change.

* test(microsoft-foundry): cover UTF-16-safe CLI errors

* test(microsoft-foundry): assert complete CLI error

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 11:49:35 +01:00
huangjianxiong
0a8677ec99 fix(whatsapp): keep echo tracker log truncation UTF-16 safe (#102603)
* fix(whatsapp): keep echo tracker log truncation UTF-16 safe

Replace `.slice(0, 50)` with `truncateUtf16Safe(text, 50)` in
echo tracker verbose log message to prevent surrogate pair corruption.

Ref. lsr911 pattern — mechanical substitution, no behavior change.

* test(whatsapp): cover UTF-16-safe echo previews

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 11:46:52 +01:00
Peter Steinberger
5154fe08fa feat: show Codex sessions across Gateway and paired nodes (#102586)
* feat(codex): add federated session catalog

* fix(codex): align session catalog checks

* fix(ui): translate Codex session catalog

---------

Co-authored-by: Peter Steinberger <peter@steipete.me>
2026-07-09 03:42:03 -07:00
Peter Steinberger
201acd4e7a fix(macos): keep Settings below native titlebar controls (#102663)
* fix(macos): clear settings titlebar controls

* chore: leave release notes to release automation
2026-07-09 11:41:29 +01:00
sunlit-deng
e635cdbbe9 fix(realtime-transcription): bound inbound websocket payloads (#102443)
* fix(realtime-transcription): bound inbound websocket payloads

* test(realtime-transcription): tighten payload cap proof

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 11:39:22 +01:00
huangjianxiong
29d2a1ed42 fix(ollama): use truncateUtf16Safe for malformed NDJSON log truncation (#102593)
* fix(ollama): use truncateUtf16Safe for malformed NDJSON log warning

The parseNdjsonStream function uses naive .slice(0, 120) on malformed
NDJSON data in log warnings which can split surrogate pairs. Replace
with truncateUtf16Safe().

* test(ollama): cover UTF-16-safe NDJSON warnings

* test(ollama): satisfy lint in NDJSON coverage

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 11:38:54 +01:00
Josh
ff031149f3 chore: align Android icons with favicon mark (#101423)
* chore: align Android icons with favicon mark

* fix(android): keep launcher mark inside adaptive safe zone

* docs(changelog): note Android launcher icon refresh

* chore: keep release changelog unchanged

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 11:37:24 +01:00
Peter Steinberger
bcc4517d99 test(ui): align sidebar ordering coverage (#102660) 2026-07-09 11:37:09 +01:00
Peter Steinberger
5b0e970dc7 fix(gateway): avoid reapproval on node permission loss (#102661) 2026-07-09 11:36:52 +01:00
clawSean
b8c1b220e4 fix(node-host): clarify unusable node exec cwd failures (#97105)
* fix(node-host): clarify unusable exec cwd failures

* fix(node-host): tighten cwd failure diagnostics

* refactor(node-host): keep cwd handling localized

* chore: leave release changelog ownership centralized

---------

Co-authored-by: clawSean <260045960+clawSean@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 11:34:25 +01:00
Sally O'Malley
e595a8c0ac Add Vault SecretRef plugin (#89255)
* Add Vault SecretRef plugin

Signed-off-by: sallyom <somalley@redhat.com>

* expand Vault setup to registered SecretRef targets

Signed-off-by: sallyom <somalley@redhat.com>

* fix(vault): use sdk secret target seam

* fix(vault): preserve auth profile target paths

* docs(vault): document plugin enable step

* fix(vault): make status provider-alias aware

* fix(vault): reject noncanonical secret ids

* fix(vault): separate resolver timeout deadlines

* fix(vault): forward private CA trust settings

* fix(secrets): preserve plugin policy boundaries

---------

Signed-off-by: sallyom <somalley@redhat.com>
Co-authored-by: joshavant <830519+joshavant@users.noreply.github.com>
2026-07-09 05:30:12 -05:00
maweibin
6a6aba0d5a fix(ui): validate realtime VAD threshold (#102161)
Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: maweibin <maweibin@users.noreply.github.com>
2026-07-09 11:29:30 +01:00
Vincent Koc
45d15aabf9 fix(tts-local-cli): preserve file output on stream errors
Co-authored-by: 赵旺0668001248 <zhao.wang1@xydigit.com>
2026-07-09 03:28:51 -07:00
huangjianxiong
c87b9a7cee fix(parallel): use truncateUtf16Safe for MCP error JSON truncation (#102592)
* fix(parallel): use truncateUtf16Safe for MCP error JSON truncation

The extractMcpToolPayload function and error messages use naive
.slice(0, 500) on JSON-serialized errors and results which can split
surrogate pairs. Replace with truncateUtf16Safe().

* test(parallel): cover UTF-16-safe MCP errors

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 11:25:28 +01:00
lsr911
1beea4b873 fix(qqbot): use truncateUtf16Safe for debug log URL/key truncation (#102572)
* fix(qqbot): use truncateUtf16Safe for debug log URL/key truncation

Replace naive .slice(0, N) with truncateUtf16Safe() in:
- image-size.ts: URL preview in debug logs (2 sites)
- upload-cache.ts: cache key preview in debug logs (2 sites)

Co-Authored-By: Claude <noreply@anthropic.com>

* test(qqbot): cover UTF-16-safe debug previews

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 11:20:38 +01:00
Peter Steinberger
06b33f5462 improve(ui): remove the Roundness appearance setting (#102641)
Corner radius is owned by themes; drop the browser-local multiplier that
scaled all --radius-* variables (added in #49436). Stale borderRadius
localStorage keys are ignored and dropped on next settings write.
2026-07-09 11:20:15 +01:00
Alix-007
b37476ab0b fix(twilio): redact webhook turnToken diagnostics (#102089)
* fix(twilio): redact webhook turnToken diagnostics

* chore(twilio): rerun ci

* fix(twilio): contain webhook URL diagnostics

Co-authored-by: Alix-007 <li.long15@xydigit.com>

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 11:19:40 +01:00
Peter Steinberger
2f66c3c0c8 perf(test): skip gateway dispatch sleeps 2026-07-09 06:15:26 -04:00
Alix-007
c765b5de3b fix(secrets): reject inherited exec response ids (#101739)
* fix(secrets): check own exec response ids

* test(secrets): cover inherited exec response errors

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 11:13:13 +01:00
NIO
32dee52329 fix(googlechat): cap approval binding registries (#101744)
Co-authored-by: NIO <nocodet@mail.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-07-09 11:12:32 +01:00
lsr911
6ad8a77b51 fix(telegram): use truncateUtf16Safe for raw update log truncation (#102567)
* fix(telegram): use truncateUtf16Safe for raw update log truncation

* refactor(telegram): own raw log bounds in formatter

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 11:11:35 +01:00
lsr911
e39e628a84 fix(active-memory): use truncateUtf16Safe for log value truncation (#102551)
* fix(active-memory): use truncateUtf16Safe for log value truncation

* fix(active-memory): use truncateUtf16Safe for log value truncation

* test(active-memory): cover UTF-16-safe log limits

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 11:10:42 +01:00
Peter Steinberger
fc5a4defaf feat(cohere): add current Command models (#102563)
* feat(cohere): add current Command models

* docs: keep release notes out of PR
2026-07-09 11:07:50 +01:00
Peter Steinberger
5cb5f38144 fix(ui): square chat rail toggles and center split-view opener in collapsed rail (#102639) 2026-07-09 11:06:24 +01:00
zw-xysk
9fa913740d fix(tts-local-cli): handle stdout/stderr stream errors in speech provider (#102347)
* fix(tts-local-cli): handle stdout/stderr stream errors in speech provider

CLI TTS speech provider spawns a child process to generate audio and
registers stdout/stderr data listeners but omits stream error handlers.

stdout carries synthesized audio data. A pipe error mid-generation must
reject the promise so the caller does not silently receive truncated
audio when the child later exits zero. stderr carries diagnostic logs
only — errors there are benign and should not crash the provider.

Apply separate strategies matching vincentkoc's requirement:
- stdout (audio): error → reject(Promise) — surface the failure
- stderr (diagnostic): error → ignore — does not affect audio output

* fix lint: remove unused signal param from mock kill()

* fix(tts-local-cli): contain child stream failures

Co-authored-by: 赵旺0668001248 <zhao.wang1@xydigit.com>

* chore(tts-local-cli): keep release notes in PR body

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 11:06:10 +01:00
huangjianxiong
fae5421f81 fix(diagnostics-prometheus): use truncateUtf16Safe for error message truncation (#102591)
* fix(diagnostics-prometheus): use truncateUtf16Safe for error message truncation

The safeErrorMessage function uses naive .slice(0, 500) on error messages
which can split surrogate pairs. Replace with truncateUtf16Safe().

* test(diagnostics-prometheus): cover UTF-16-safe errors

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 11:04:47 +01:00
huangjianxiong
4be6fa7413 fix(codex-supervisor): use truncateUtf16Safe for stderr tail truncation (#102590)
* fix(codex-supervisor): use truncateUtf16Safe for stderr tail truncation

StdioCodexJsonRpcConnection includes stderr output in the transport-closed
error message with a naive .slice(0, 1200) which can split surrogate pairs.
Replace with truncateUtf16Safe().

* test(codex-supervisor): cover UTF-16-safe stderr tails

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 10:59:17 +01:00
Peter Steinberger
d27d7ba6d3 perf(test): narrow gateway context reload coverage 2026-07-09 05:55:34 -04:00
lsr911
f650d641e4 fix(codex): use truncateUtf16Safe in trajectory and client parse log truncation (#102576)
* fix(codex): use truncateUtf16Safe in trajectory and client parse log truncation

Replace naive .slice(0, N) with truncateUtf16Safe() in:
- trajectory.ts: payload redaction display (20k char limit)
- client.ts: parse error log truncation

Co-Authored-By: Claude <noreply@anthropic.com>

* test(codex): cover UTF-16 truncation boundaries

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 10:53:25 +01:00
qingminlong
c86fe21cad fix(browser): keep UTF-8 stderr tails valid (#102543) 2026-07-09 10:51:52 +01:00
lsr911
d0264de058 fix(gateway): use truncateUtf16Safe in WebSocket log formatting (#102561)
* fix(gateway): use truncateUtf16Safe in WebSocket log formatting

Replace naive .slice(0, N) with truncateUtf16Safe() at four sites:
- formatForLog() error chain display
- formatForLog() object message display
- formatForLog() string value display
- compactPreview() log compaction

Prevents surrogate pair splitting in gateway WS console logs.

Co-Authored-By: Claude <noreply@anthropic.com>

* test(gateway): cover UTF-16-safe WebSocket log bounds

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 10:47:01 +01:00
Peter Steinberger
60bef7bd41 fix(release): accept tool-only completion signal (#102600)
* test(release): accept tool-only completion signal

* test(release): retry transient tool-read failures
2026-07-09 10:46:33 +01:00
lsr911
b8cca6ac72 fix(logging): use truncateUtf16Safe in diagnostic stability and session context (#102570)
* fix(logging): use truncateUtf16Safe in diagnostic stability and session context

Replace naive .slice(0, N) with truncateUtf16Safe() in:
- diagnostic-stability-bundle.ts: error message sanitization
- diagnostic-session-context.ts: quoted field value truncation

Co-Authored-By: Claude <noreply@anthropic.com>

* test(logging): cover diagnostic UTF-16 bounds

* style(logging): normalize diagnostic imports

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 10:45:28 +01:00
lsr911
4792fa583f fix(auto-reply): keep ACP steer output UTF-16 safe (#102583)
* fix(auto-reply): use truncateUtf16Safe in bash command and ACP steer output truncation

Replace naive .slice(0, N) with truncateUtf16Safe() in:
- bash-command.ts: shell command name preview
- lifecycle.ts: ACP steer output text

Co-Authored-By: Claude <noreply@anthropic.com>

* test(auto-reply): prove safe ACP steer output bounds

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 10:44:00 +01:00
maweibin
9bf212765f fix(ui): keep workboard capture text truncation UTF-16 safe (#102544)
* fix(ui): keep workboard capture text truncation UTF-16 safe

Replace raw .slice(0, N - 3) with truncateUtf16Safe in
clampSessionCaptureText and clampSessionCaptureTitle to prevent
lone surrogates when emoji cross the truncation boundary.

Completes the UTF-16 hardening started in #101685, which added the
import but only covered buildCardSessionLabel.

* test(ui): cover workboard UTF-16 boundaries

* docs(changelog): note Workboard UTF-16 fix

* docs(changelog): leave release notes to release flow

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 10:42:34 +01:00
lsr911
bb1fa4012e fix(memory-host): use truncateUtf16Safe for QMD stderr context truncation (#102547)
* fix(memory-host): use truncateUtf16Safe for QMD stderr context truncation

* test(memory): cover UTF-16-safe qmd stderr summary

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 10:38:43 +01:00
Peter Steinberger
4cc92009ed feat(mac): unified Liquid Glass pairing approval panel (#102601)
* feat(mac): unified Liquid Glass pairing approval panel

Replace the serial node/device pairing NSAlerts with one floating
approval panel. Both prompters feed request cards into a shared
PairingApprovalCenter; each card shows a hardware icon, platform and
model, app/core version, source IP, a copyable short id, request age,
a trust line (first connection / already-paired-id caution / repair
token rotation), and a friendly access summary with an elevated
warning for system.run-class commands. Requests resolved elsewhere
disappear live; Not Now snoozes without resolving (gateway TTL
applies) and the menu-bar pending line reopens the panel. Liquid
Glass surface on macOS 26+, material fallback on macOS 15. Deletes
the NSAlert + invisible-host-window machinery, dead node isRepair
handling, and text-only describe() body.

Closes #102535

* fix(mac): satisfy swiftformat conditionalAssignment and resync native i18n inventory
2026-07-09 10:31:42 +01:00
wangmiao0668000666
6433b82723 fix(qa-lab): surface gateway child stream failures (#102104)
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 10:28:32 +01:00
Peter Steinberger
fd34019b4d fix(agents): keep prompt history append-only mid-session (#99495) (#102610)
Session-scoped tool-result projection freeze (shrink-only, stable
fallback identities for ambiguous tool ids) and a sent-watermark so
late-resolving inbound media appends a new user turn instead of
rewriting an already-sent slot. Stops Anthropic prompt-cache tail
invalidation on busy/media-heavy embedded sessions.
2026-07-09 10:28:10 +01:00
xingzhou
4ad94febcb fix(agents): keep cleanup timeout details UTF-16 safe (#102565) 2026-07-09 10:17:59 +01:00
Samuel Alake
3f2466c4c3 fix(swift): keep device auth compatible with v2 gateways (#80656)
* fix(swift): keep device auth compatible with v2 gateways

* refactor(swift): contain v2 auth compatibility

* docs(changelog): note Swift v2 auth compatibility

* chore(apple): sync native string inventory

* chore: keep release changelog owned

---------

Co-authored-by: Val Alexander <68980965+BunsDev@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 10:15:47 +01:00