Commit Graph

66940 Commits

Author SHA1 Message Date
wm0018
d26a842799 fix(auto-reply): keep suppressed reply text preview truncation UTF-16 safe (#101575)
* fix(auto-reply): keep suppressed reply text preview truncation UTF-16 safe

String.prototype.slice at offset 160 can split surrogate pairs in
reply text previews logged for suppressed auto-replies. Replace raw
slice(0, 160) with truncateUtf16Safe — already imported in this file.

* test(auto-reply): exercise suppressed preview logging

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 12:25:53 +01:00
Peter Steinberger
3901094ace fix(browser): cancel Chrome MCP requests on crash (#101454)
* fix(browser): cancel Chrome MCP requests on crash

* test(browser): cover request budget options
2026-07-07 12:22:31 +01:00
Vincent Koc
988f30e30e refactor(memory): trim unused Windows spawn exports (#101594) 2026-07-07 04:17:32 -07:00
Peter Steinberger
a853489b3d fix(agents): clean up ls cancellation listeners (#101588)
Co-authored-by: 0668001336 <wang.lizhang@xydigit.com>
2026-07-07 12:15:49 +01:00
lsr911
42fc9e8a92 fix(acp): use truncateUtf16Safe for event mapper error text truncation (#101535)
* fix(acp): use truncateUtf16Safe for event mapper error text truncation

.slice(0, 100) on ACP event argument values can split surrogate
pairs from emoji or CJK text, producing U+FFFD in error/warning
notices shown to operators.

Co-Authored-By: Claude <noreply@anthropic.com>

* test(acp): cover UTF-16-safe tool titles

* refactor(acp): keep event mapper import leaf-only

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 12:10:28 +01:00
Peter Steinberger
3db8174f0e fix(gateway): keep plugin approval text UTF-16 safe (#101579)
Co-authored-by: wm0018 <wu.min5@xydigit.com>
2026-07-07 12:08:53 +01:00
Peter Steinberger
46276312d6 fix(auth): clean OAuth contention diagnostics (#101573)
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-07 12:08:50 +01:00
Peter Steinberger
0979b51f49 fix(session-memory): preserve sibling paths in logs (#101577)
Co-authored-by: 陈宪彪0668000387 <chen.xianbiao@xydigit.com>
2026-07-07 12:08:08 +01:00
Peter Steinberger
4172de867c fix: preserve session labels across rollover (#101576)
Co-authored-by: ZengWen-DT <290981215+ZengWen-DT@users.noreply.github.com>
2026-07-07 12:07:25 +01:00
Peter Steinberger
2fe39692ad fix(gateway): preserve UTF-16 plugin approval fields (#101580)
* fix(gateway): keep plugin approval title and description truncation UTF-16 safe

Node.js String.prototype.slice cuts at UTF-16 code unit boundaries,
which can split surrogate pairs (emoji, CJK supplementary characters)
into lone surrogates that render as U+FFFD in approval UI payloads.

Use truncateUtf16Safe for both title and description fields in
createPluginApprovalsAttachment so approval requests never deliver
broken characters to the gateway approval UI.

Fixes #???

* test(gateway): exercise UTF-16 approval payloads

---------

Co-authored-by: wm0018 <wu.min5@xydigit.com>
2026-07-07 12:06:38 +01:00
maweibin
afdb9fd264 fix(session-cost-usage): keep emoji / surrogate pairs intact during content truncation (#101517)
* fix(session-cost-usage): keep emoji / surrogate pairs intact during content truncation

.slice(0, maxLen) counts UTF-16 code units, so an emoji straddling
the cut point produces a lone surrogate that renders as � in
usage cost CLI output. Use [...str] to count full code points instead.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* test(usage): cover UTF-16-safe log truncation

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 12:05:15 +01:00
wm0018
e7d617d4d9 fix(agents): keep exec auto-reviewer rationale truncation UTF-16 safe (#101513)
* fix(agents): keep exec auto-reviewer rationale truncation UTF-16 safe

String.prototype.slice at offset 500 can split surrogate pairs in
LLM-generated review rationale text, rendering broken U+FFFD in
exec approval UI payloads.

Replace raw slice(0, 500) with truncateUtf16Safe.

* fix(agents): keep exec reviewer rationale and prompt template description truncation UTF-16 safe

String.prototype.slice can split surrogate pairs at truncation boundaries,
producing broken U+FFFD in both exec approval rationale (500 chars) and
session prompt-template descriptions (60 chars).

Replace raw slice with truncateUtf16Safe in both locations.

* test(exec): cover UTF-16-safe reviewer rationale

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 12:04:19 +01:00
lsr911
78f9449d73 fix(channels): use truncateUtf16Safe for thread binding name truncation (#101527)
* fix(channels): use truncateUtf16Safe for thread binding name truncation

Raw .slice(0, 100) on emoji-labelled agent names can split a
surrogate pair, producing U+FFFD replacement characters in native
channel thread names.  Use truncateUtf16Safe instead.

Co-Authored-By: Claude <noreply@anthropic.com>

* test(channels): cover UTF-16-safe thread names

* refactor(channels): keep thread binding import leaf-only

* refactor(channels): keep thread binding import leaf-only

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 12:03:24 +01:00
Peter Steinberger
84d0a71406 fix(memory): preserve UTF-16 chunk boundaries (#101574)
* fix(memory): preserve UTF-16 chunk boundaries

* test(memory): require coarse boundary split

Co-authored-by: jensenwang560-blip <267012233+jensenwang560-blip@users.noreply.github.com>

* fix(memory): retain chunk budget at surrogate boundaries

---------

Co-authored-by: jensenwang560-blip <267012233+jensenwang560-blip@users.noreply.github.com>
2026-07-07 12:01:32 +01:00
lsr911
37d613a596 fix(codex): use truncateUtf16Safe for attempt notification text truncation (#101534)
* fix(codex): use truncateUtf16Safe for attempt notification text truncation

.slice(0, 237) on notification text can split surrogate pairs from
CJK characters or emoji in agent output, producing U+FFFD in Codex
desktop notifications.

Co-Authored-By: Claude <noreply@anthropic.com>

* test(codex): cover UTF-16-safe attempt previews

* test(codex): assign notification coverage to a shard

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 12:00:35 +01:00
Vincent Koc
098b471143 refactor(memory): remove unused runtime facade exports (#101583) 2026-07-07 03:57:51 -07:00
Peter Steinberger
16348ddec3 feat(android): render LaTeX display math in chat via bundled KaTeX (#101435)
* feat(android): render LaTeX display math in chat via bundled KaTeX

* fix(android): preserve fallback for invalid math

* docs(changelog): note Android display math

* Revert "docs(changelog): note Android display math"

This reverts commit 40356286a3.
2026-07-07 11:57:24 +01:00
Peter Steinberger
454fccd784 fix(browser): keep screenshots private by default (#101434)
* fix(browser): keep screenshots private by default

* fix(browser): preserve screenshot share handles

* fix(browser): stage explicit screenshot shares

* test(browser): avoid screenshot share temp files
2026-07-07 11:56:49 +01:00
Momo
695fa4e112 fix(infra): handle detached respawn child errors (#101489)
* fix(infra): handle detached respawn child errors

* docs(infra): explain detached respawn error listener

* fix(infra): handle detached respawn child errors

* fix(infra): handle detached respawn child errors

---------

Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
2026-07-07 03:51:55 -07:00
Peter Steinberger
69b9932fae fix(feishu): support drive folder pagination (#101572)
Co-authored-by: 张贵萍0668001030 <zhang.guiping@xydigit.com>
2026-07-07 11:48:04 +01:00
Peter Lee
c2cc50c9a0 fix(codex): use UTF-16-safe truncation for approval display paths (#100177)
* fix(codex): use UTF-16-safe truncation for approval display paths

* fix(codex): resolve oxlint errors in approval-bridge and elicitation-bridge tests

* test(codex): cover approval Unicode boundaries

* test(codex): narrow approval command assertion

* chore: remove generated changelog entry

* chore: restore CHANGELOG.md to upstream/main baseline

* test(codex): tighten UTF-16 approval assertions

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 11:46:50 +01:00
NianJiu
040ac31546 fix: route direct outbound polls through channel adapters (#99950)
* fix: route direct outbound polls through channel adapters

* docs: note direct poll delivery

* test: isolate direct poll formatter label

---------

Co-authored-by: NianJiuZst <180004567+NianJiuZst@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 11:46:26 +01:00
wm0018
5511b6fcaf fix(status): keep issue message truncation UTF-16 safe (#101503)
* fix(status): keep issue message truncation UTF-16 safe

String.prototype.slice at offset 90 can split surrogate pairs in issue
titles displayed by `openclaw status --all`, rendering broken U+FFFD in
the channel issues column.

Replace raw slice(0, 90) with truncateUtf16Safe to match the existing
UTF-16-safe truncation hardening pattern.

Fixes #???

* test(status): cover UTF-16-safe issue rendering

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 11:45:36 +01:00
mushuiyu886
846195c6b0 fix(codex): handle app-server stdio stream errors (#101505)
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-07 03:41:27 -07:00
Peter Steinberger
942b449661 fix(exec): keep pending approval warnings truthful (#101561)
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-07 11:30:41 +01:00
Vincent Koc
036686ab95 refactor(memory): localize host SDK helpers (#101568) 2026-07-07 03:28:00 -07:00
VectorPeak
cd5c3fc3b7 fix(mcp): reject non-object tool call arguments (#99180)
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 11:26:01 +01:00
Peter Steinberger
cba20f9aec docs(changelog): credit Discord thread title fix (#101566) 2026-07-07 11:22:56 +01:00
Peter Steinberger
903a09ab85 fix(android): bound link preview image cache (#101560) 2026-07-07 11:22:52 +01:00
Peter Steinberger
42e2390b31 perf(test): run TUI PTY backends concurrently 2026-07-07 06:21:13 -04:00
Peter Steinberger
9fb2403221 fix(discord): keep thread title prompts UTF-16 safe (#101551)
Co-authored-by: Alix-007 <li.long15@xydigit.com>
2026-07-07 11:16:59 +01:00
Peter Steinberger
0d9329d3a2 revert(test): restore session plugin cleanup 2026-07-07 06:14:43 -04:00
xingzhou
f14eb97ae7 fix(codex): honor Pro reasoning effort contracts (#101484)
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-07 03:13:50 -07:00
Peter Steinberger
6e792f08f8 fix(ios): serialize screen recording finalization (#101550)
* fix(ios): serialize screen recording finalization

* chore: keep release changelog out of PR
2026-07-07 11:13:46 +01:00
pick-cat
61dce7cb6e fix: forward pending timeout snapshot in waitForAgentJob fallback timer (#89367)
* fix(agents): export isHardAgentRunTimeoutPhase for wait-layer reuse

* fix(gateway): forward pending hard-timeout snapshot in waitForAgentJob fallback timer (fixes #89095)

* test(gateway): add e2e proof for subagent hard-timeout parent notification (#89095)

* fix(gateway): match fallback hard-timeout gate to terminal-outcome contract

Also treat provider-started timeout snapshots as hard timeouts in the
waitForAgentJob fallback, mirroring buildAgentRunTerminalOutcome.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(gateway): use shared hard-timeout classifier in waitForAgentJob fallback

* chore: amend author email

* chore: rebase on main, resolve conflicts

* test(gateway): focus timeout fallback coverage

* docs(changelog): note agent wait timeout fix

* fix(gateway): isolate fresh wait terminal state

---------

Co-authored-by: Pick-cat <266665499+Pick-cat@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 11:11:13 +01:00
machine3at
a00e9fc228 fix(ssrf): block loopback addresses for trusted hostname origins (#100835)
* fix(ssrf): block loopback addresses for trusted hostname origins

* fix(ssrf): allow loopback resolution for explicitly trusted loopback/localhost hostnames

* refactor(cron): remove unrelated cron session option changes from ssrf branch

* test(ssrf): add explicit loopback-origin allow tests to close ClawSweeper proof gap

* test(ssrf): add real gateway runtime proof script for loopback rebinding

* fix(ssrf): harden trusted-host loopback checks

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 11:08:51 +01:00
Vincent Koc
b9a3db13f1 test(e2e): parse corrupt plugin timeouts as decimal 2026-07-07 12:03:11 +02:00
Vincent Koc
a9c0592831 test(e2e): align corrupt plugin update timeout 2026-07-07 12:03:10 +02:00
Alix-007
079a704dda fix(voice-call): keep realtime context truncation UTF-16 safe (#101304)
* Fix UTF-16-safe realtime context truncation

* test(voice-call): tighten UTF-16 context regression

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 11:01:48 +01:00
Peter Steinberger
395fbb8eb6 fix(ui): send approvals past busy chat queue (#101532)
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-07 10:59:16 +01:00
Peter Steinberger
6b76a306d4 fix(zalo): accept opaque string chat IDs (#101548)
Co-authored-by: Goutam Adwant <workwithgoutam@gmail.com>
2026-07-07 10:58:59 +01:00
Peter Steinberger
5a234d61fa feat(ui): redesign dashboard chrome with tiny top bar and sidebar search (#101497)
* feat(ui): redesign dashboard chrome with tiny top bar and sidebar search

Move the sidebar toggle to the top bar as a macOS-style panel button
(collapse on desktop, drawer on tablet/mobile), move search into a
sidebar field that opens the command palette, and move the color-mode
toggle into the sidebar footer. Shrink the top bar to 44px, make the
terminal toggle a quiet ghost button, and drop the shadow plate behind
the macOS titlebar brand mark so the transparent mascot renders bare.
Adds the missing common.colorModeOption i18n key (theme buttons were
announcing the raw key) and removes the dead theme-orb styles.

* fix(ui): translate common.colorModeOption across locale bundles

The i18n sync initially recorded English fallbacks for the new key,
which the ships-no-recorded-English-fallbacks gate rejects. Regenerated
with a real translation provider; all 20 locales now carry translated
values (fallbacks=0).

* refactor(ui): unify the topbar sidebar toggle into one button

One button drives both modes: rail collapse on desktop and the
slide-over drawer at the ≤1100px breakpoint, decided via matchMedia
(with the legacy addListener fallback used elsewhere in bootstrap).
Replaces the previous pair of CSS-swapped buttons.
2026-07-07 10:57:45 +01:00
Peter Steinberger
2394a0a559 perf(test): reuse session plugin registry 2026-07-07 05:56:30 -04:00
Alix-007
240487179b fix(web-fetch): keep spill content truncation UTF-16 safe (#101312)
* Fix UTF-16-safe web fetch spill truncation

* fix(web-fetch): report actual spill character count
2026-07-07 10:56:14 +01:00
brokemac79
037412ec7d ci(mantis): add web UI chat proof lane (#100472)
* ci(mantis): add web ui chat proof lane

* ci(mantis): tighten web ui proof candidate parsing

* ci: tighten Mantis Web UI proof lane

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 10:54:35 +01:00
Peter Steinberger
354a151544 feat(gateway): archive-gated session deletes give Android delete parity (#101522)
sessions.delete gains an explicit archivedOnly param (additive protocol
schema change, Swift models regenerated): with archivedOnly=true, the
dispatcher grants operator.write and the handler requires the target to
already be archived (archive-then-delete keeps destructive intent a
two-step action). Without the flag nothing changes: deletes require
operator.admin, so internal fallback/synthetic dispatch, subagent cleanup,
and CLI minting keep their admin contracts, and the session-kill HTTP
endpoint pins admin explicitly since it terminates live runs.

Android sends archivedOnly and offers Delete only on archived rows, where
its bounded (non-admin) operator session is now authorized; active rows
archive first. iOS/web connect with admin and keep unrestricted deletes.

Refs #100712
2026-07-07 10:52:53 +01:00
Pavan Kumar Gondhi
9133d552ac fix: block mixed-case cron shell jobs from agent tool [AI] (#101350)
* fix: normalize cron tool shell guard kinds

* fix(cron): narrow mixed-case shell guard

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 10:52:20 +01:00
Vincent Koc
7e995cbf2b refactor(ui): remove stale helper exports (#101549) 2026-07-07 02:49:42 -07:00
Alix-007
b84ae42063 fix(agents): keep prompt data truncation UTF-16 safe (#101303) 2026-07-07 10:46:23 +01:00
Alix-007
d01015b243 Fix UTF-16-safe audit context truncation (#101298) 2026-07-07 10:43:45 +01:00