Commit Graph

66940 Commits

Author SHA1 Message Date
QiuYuang
769b8260cb fix(ports): ignore malformed lsof listener pids (#98505)
* fix(ports): ignore malformed lsof listener pids

* fix(infra): strictly reject malformed lsof pid tokens

Number.parseInt truncated tokens like "111abc" to 111, silently accepting
a corrupted lsof pid record. Switch to parseStrictPositiveInteger so the
whole token must be a valid positive integer, and restore the deduped
listener test that a prior change had replaced instead of extended.

* fix(cli): strictly reject malformed lsof pid tokens

Harden the force-free lsof parser to reject digit-prefixed garbage like
p111abc instead of truncating it to pid 111, and cover the sibling parser
with a focused regression test.

* fix(infra): strictly parse stale lsof pid tokens

Harden the stale gateway cleanup parser to reject digit-prefixed garbage
like p111abc instead of truncating it to pid 111, and add a focused
regression test without dropping the existing argv verification coverage.

* fix(ports): fail closed on malformed lsof pids

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-07 07:40:26 +01:00
xingzhou
de152b1f65 fix(plugin-sdk): align speech runtime packaging (#89899)
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 07:38:41 +01:00
Truffle
5537bc9c4d fix(media): allow Bedrock SDK auth for image and PDF tools (#72092)
* fix(media): allow aws-sdk auth mode for image and audio/video paths

Media understanding tools failed for amazon-bedrock deployments using
auth.mode "aws-sdk" (BYOK via role/SSO/profile creds). Each path called
requireApiKey, which throws on the empty-key sentinel before the AWS SDK
credential chain can resolve creds at call time.

The image path (image.ts) resolves auth via getApiKeyForModel; the
audio/video paths route through resolveProviderExecutionAuth. Both now
mirror the chat path's allowMissingApiKeyModes allowance: when the
resolved key is empty and the mode is aws-sdk, execute keyless and let
the SDK resolve credentials. The image path skips setRuntimeApiKey so no
empty-string secret is persisted; audio/video return the kind:"none"
execution auth so the runner bypasses key rotation.

Closes #72031

* fix(media): cover Bedrock PDF SDK auth

* fix(pdf): register plugin completion streams

* fix(media): recognize Bedrock SDK tool auth

* chore: move release note to PR

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 07:37:32 +01:00
wings1029
e779abf70e fix(agent-core): handle stdout/stderr stream errors in harness exec (#101370)
* fix(agent-core): handle stdout/stderr stream errors in harness exec

Register error handlers on stdout and stderr streams in
NodeExecutionEnv.exec() to prevent uncaught exceptions when
a pipe breaks (e.g. EPIPE after child process exit).

Without these listeners, Node.js throws an uncaught exception
that crashes the entire agent-core process.

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(agent-core): address review — hoist-safe mock and curly lint

- Use vi.hoisted pattern for spawnMock to fix ReferenceError in CI
- Wrap one-line if guard in braces per repo curly rule

Co-Authored-By: Claude <noreply@anthropic.com>

* chore: keep release notes in PR context

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 07:34:11 +01:00
Alix-007
3929c52069 fix(agents): keep structured prompt summaries UTF-16 safe (#101311)
* fix(agents): keep structured prompt summaries UTF-16 safe

* chore: align prompt summary branch with current main

* fix(agents): keep structured summaries UTF-16 safe

* chore: keep release notes in PR context

* chore: keep release notes in PR context

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: Peter Steinberger <peter@steipete.me>
2026-07-07 07:32:05 +01:00
mushuiyu886
92e25df271 fix(agents): avoid repeated item progress snapshots (#101042)
* fix(agents): avoid repeated item progress snapshots

* chore: align ACP branch with current main

* fix(agents): deduplicate ACP parent progress

* chore: keep release notes in PR context

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: Peter Steinberger <peter@steipete.me>
2026-07-07 07:31:13 +01:00
Vincent Koc
33163d4273 refactor(plugins): localize private declarations (#101406) 2026-07-06 23:26:47 -07:00
Peter Steinberger
554d772c1a refactor(codex): keyed turn routing, client-scoped rate limits, and resume subscription safety (#101376)
* feat(codex): scope app-server rate limits to the physical client

Replace the process-global rate-limit cache with a WeakMap keyed by the
physical app-server client, tracking per-limitId revisions. Rolling
account/rateLimits/updated notifications merge sparsely per the protocol
contract (credits/individualLimit/planType survive nulls), and
usage-limit errors only trust a snapshot for auth-profile blocking when
the same client observed a primary update during the failing turn's
startup. Fixes cross-client rate-limit bleed in usage-limit error
messages. A new client-runtime module installs the
account/chatgptAuthTokens/refresh handler and the rate-limit observer
once per physical client, replacing per-start inline handlers in
shared-client, run-attempt, and side-question.

* refactor(codex): split thread/resume subscription safety into thread-resume

Move the thread/resume request out of thread-lifecycle into a dedicated
thread-resume module that retires the exact physical client when resume
acceptance is indeterminate: only a structured RPC rejection proves
Codex holds no subscription, so any other failure abandons the client
instead of returning it to the shared pool. Resume responses naming a
different thread now fail closed (assertCodexThreadResumeSubscription),
and the fresh-thread fallback requires a released subscription unless
the resume was a proven RPC rejection.

* refactor(codex): replace client-factory positional DI with shared-client factory

Delete the lazy positional-argument CodexAppServerClientFactory and use
the options-object factory type exported from shared-client. Callers in
run-attempt, compact, bounded-turn, provider-capabilities, and the
web-search provider now default to getLeasedSharedCodexAppServerClient
directly; the lazy indirection was ineffective because those modules
already import shared-client statically.

* feat(codex): route app-server turn traffic through a keyed turn router

Install one turn router per physical app-server client and replace the
broad per-attempt notification/request fanout with explicit per-thread
routes. Attempt startup reserves the thread route (before thread/resume
on the resume path, so early notifications buffer instead of racing),
run-attempt activates it with receive-time, queued, and request
handlers, arms the route before turn/start, binds the accepted turn id
to flush buffered traffic in wire order, and releases the route on
cleanup. Requests for a pending turn wait for binding instead of being
auto-declined, native turn completion waits use route state instead of
scanning buffered notifications, and correlation readers now match the
canonical v2 wire shapes only (top-level threadId, nested turn.id). The
unscoped response-delta lease-count attribution and its client API are
deleted along with the retired correlation predicates.

* test(codex): reset the shared binding store between thread-lifecycle tests

SQLite bindings are keyed by session identity rather than the per-test
temp dir, so earlier tests leaked resumable threads into fresh-start
expectations. The old silent resume-failure fallback masked the leak;
subscription safety surfaces it.

* test(codex): reset the binding store between delivery-hint iterations

The loop reuses one session identity across iterations, so the previous
iteration's thread would resume against a harness that cannot serve it.
2026-07-07 07:25:15 +01:00
SunnyShu
13f8dfae86 fix(outbound): retry proven pre-connect failures (#101024)
* fix(outbound): retry proven pre-connect failures

Co-authored-by: 0668000539 <shu.zongyu@xydigit.com>

* refactor(infra): keep retry attempt metadata internal

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 07:23:54 +01:00
Vincent Koc
27e8ea10eb docs(talk): format realtime model table 2026-07-06 23:22:33 -07:00
Vincent Koc
9a872a22d7 docs(openai): note realtime 2.1 mini override 2026-07-06 23:22:33 -07:00
Vincent Koc
6e6d1aac4c test(openai): add focused realtime live smoke 2026-07-06 23:22:33 -07:00
Vincent Koc
f0564943a7 docs(openai): refresh realtime 2.1 examples 2026-07-06 23:22:33 -07:00
Vincent Koc
c43e020f47 feat(openai): default realtime voice to gpt-realtime-2.1 2026-07-06 23:22:33 -07:00
Dallin Romney
3175d8e742 refactor(qa): drive Matrix lifecycle through channel drivers (#101055)
* test(matrix): add substrate lifecycle contract

* fix(matrix): satisfy lifecycle dependency gates

* refactor(matrix): keep Crabline lifecycle in adapter

* refactor(qa): select Matrix lifecycle by driver lane

* refactor(matrix): keep lifecycle helpers test-only

* refactor(qa): drive Matrix lifecycle through channel drivers
2026-07-06 23:13:21 -07:00
Vincent Koc
4a9fe264e6 test(github-copilot): use real token exchange response 2026-07-07 08:07:43 +02:00
Peter Steinberger
09977a9328 perf(test): overlap restart CLI probes 2026-07-07 02:03:36 -04:00
Vincent Koc
b662209488 refactor(github-copilot): localize internal helpers (#101393) 2026-07-06 22:58:46 -07:00
Peter Steinberger
7b366e16b0 fix: Windows CLI backends fail through npm shims (#101378)
* fix(process): resolve Windows npm CLI shims directly

Co-authored-by: wendy-chsy <wan.wenyan@xydigit.com>

* docs(changelog): note Windows CLI shim fix

* docs(process): explain Windows shim boundary

* chore: keep release changelog owner-only

* test(process): isolate Windows shim resolution

* fix(process): classify Windows forwarding shims safely

---------

Co-authored-by: wendy-chsy <wan.wenyan@xydigit.com>
2026-07-07 06:57:16 +01:00
Evgeni Obuchowski
72bd74e9dd fix(thinking): clamp below-range requests down to the cheapest level, not up (#93335)
resolveSupportedThinkingLevelFromProfile sorts the supported levels descending,
then, when every supported level exceeds the request (e.g. a stored `off` on a
profile that has no off level), fell through to `ranked.find(non-off)` — the
first entry of a descending list, i.e. the most expensive level. A session
carrying thinking `off` that switched onto such a model was silently remapped to
maximum reasoning and persisted (src/auto-reply/reply/directive-handling.persist.ts).

Use `ranked.findLast(non-off)` so a below-range request resolves to the cheapest
non-off level instead. Regression test included (red before, green after).

This surfaces with the first bundled no-off thinking profiles (Fireworks
GPT-OSS 120B, see #92217), but the clamp lives in shared core logic, so it ships
on its own.
2026-07-07 06:55:25 +01:00
袁焊忠
6ed2aafe3c fix(doctor): preview missing transcript cleanup (#83630)
* fix(doctor): preview missing transcript cleanup

* fix(doctor): preview missing transcript cleanup

---------

Co-authored-by: YuanHanzhong <YuanHanzhong@users.noreply.github.com>
Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com>
2026-07-07 06:49:44 +01:00
Santiago
80bb0cd24e fix: include pnpm 11 bins in gateway PATH (#85238)
* fix: include pnpm 11 bins in gateway PATH

* fix: include pnpm 11 bins in gateway PATH

* fix(security): reject workspace package-manager PATH roots

* fix(infra): preserve package paths from root cwd

---------

Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com>
Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-06 22:49:21 -07:00
Vincent Koc
094c0d421f fix(voice-call): bound Twilio API hosts 2026-07-07 07:40:14 +02:00
Peter Steinberger
d69c5ba116 perf(test): overlap process guard waits 2026-07-07 01:38:21 -04:00
Vincent Koc
cc085da581 refactor(copilot): localize internal runtime types (#101379) 2026-07-06 22:33:59 -07:00
dongdong
54be942e6b fix: avoid reminder-guard false positives for plain memory promises (#47586) (#93862)
* fix(auto-reply): narrow reminder guard remember matches

* test(auto-reply): prove reminder guard final payload

* fix(auto-reply): classify explicit reminder commitments

* fix(auto-reply): cover repeated reminder modals

* refactor(auto-reply): require explicit reminder actions

---------

Co-authored-by: Jasmine Zhang <jasminezhang@JasminedeMac-mini.local>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 06:29:29 +01:00
Peter Steinberger
3a482a71be fix(windows): remove findstr from restart probe (#101366)
* fix(windows): remove findstr from restart probe

Co-authored-by: Deepak Jain <deepujain@gmail.com>

* docs(changelog): note Windows restart probe fix

* docs(changelog): defer release note

---------

Co-authored-by: Deepak Jain <deepujain@gmail.com>
2026-07-07 06:29:13 +01:00
Ben.Li
f75782ee01 fix(ios): full-row Settings toggles on iOS 26 (#99888)
* fix(ios): use full-row Settings toggles on iOS 26

Co-authored-by: Cursor <cursoragent@cursor.com>

* chore(ios): refresh native string inventory

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 06:26:40 +01:00
Qiong
7db7487a5d fix(security): route temp workspaces through private OpenClaw temp root (#101224) (#101246)
* fix(security): route temp workspaces through private OpenClaw temp root (#101224)

* test(infra): skip POSIX mode proof on Windows

* chore: align release changelog before main sync

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: Peter Steinberger <peter@steipete.me>
2026-07-07 06:25:35 +01:00
Josh Avant
531c7a5f4c fix(android): preserve hardware Enter key sequences (#101360) 2026-07-07 00:25:33 -05:00
Peter Steinberger
5d7a451b15 fix(tests): reorder initializer arguments so the shared-kit test module compiles (#101372) 2026-07-07 06:25:06 +01:00
snowzlmbot
53580e13a4 fix(usage): preserve provider-billed zero totals (#101177)
* fix(usage): preserve provider-billed zero totals

* fix(usage): harden provider-billed cost provenance

* fix(openrouter): retry delayed generation metadata

* fix(openrouter): satisfy retry lint

* refactor(openrouter): consume streamed billed cost

* chore: keep release notes out of contributor PR

---------

Co-authored-by: snowzlmbot <293528334+snowzlmbot@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 06:22:28 +01:00
Ashd.LW.
70c2e837cd fix(gateway): show last error when status probe fails (#95902)
* fix(gateway): show last error when status probe fails

* fix(gateway): scope status log diagnostics

---------

Co-authored-by: wAngByg <wAngByg@users.noreply.github.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-06 22:22:19 -07:00
Peter Steinberger
01d6ea1f0e feat(browser): expose agent download actions (#101369)
* feat(browser): expose agent download actions

Co-authored-by: changcy <742592895@qq.com>

* chore: keep release notes in PR context

---------

Co-authored-by: changcy <742592895@qq.com>
2026-07-07 06:17:52 +01:00
Peter Steinberger
473b3cf789 fix(anthropic): keep error tool results non-empty (#101373)
Co-authored-by: Galin Iliev <5711535+galiniliev@users.noreply.github.com>
2026-07-07 06:17:27 +01:00
Josh Lehman
5d9a2b114f feat(context-engine): report compaction successors as typed session targets (#101182) 2026-07-06 22:14:46 -07:00
Peter Lee
6192b037bb fix(tui): deduplicate assistant messages across sessions.changed reload (#96980)
* fix(tui): suppress adjacent history-replay/live-final duplicate in ChatLog (#96967)

When sessions.changed triggers loadHistory(), assistant rows are replayed
via finalizeAssistant(text) without a runId. A late live final with the
same text and a runId can land immediately afterward, producing a visible
duplicate assistant reply.

Track the most recent history-replay assistant component in ChatLog and
suppress a following live final when the text matches and no other
component was appended in between. This is simpler and more targeted
than the prior event-handler approach because it operates at the
rendering layer where the duplicate is actually visible.

Fixes #96967

* fix(tui): bound replay-final dedupe window in ChatLog

* fix(tui): bound replay-final dedupe marker with TTL expiration

* fix(tui): satisfy no-promise-executor-return lint rule in chat-log test

* fix(tui): replace ChatLog text heuristic with runId-based surrender tracking

Drop the lastHistoryAssistant text-matching dedupe in ChatLog
(posed P1 false-suppression risk). Instead, track active runIds
surrendered to loadHistory() on sessions.changed 'new' — late
events for surrendered runs are suppressed by exact runId match.

Add ChatLog.hasStreamingRun() so the event handler can detect
when loadHistory restored a surrendered run as in-flight streaming.

Retain chatFinalizedRuns / chatFinalizedRunsWithDisplay from the
original fix for post-reload delta/error dedup of finalized runs.

Incorporates the precise surrender-tracking approach from closed
PRs #96979/#96986 while keeping the scoped ChatLog API minimal.

* fix(tui): render displayable late final for surrendered non-streaming run

When a sessions.changed 'new' surrenders an in-flight run and
loadHistory does not restore it as streaming, a late displayable
final must still be rendered — otherwise the user never sees the
assistant reply. Only suppress non-displayable finals (empty
message, no errorMessage).

Add focused test for non-displayable final suppression.

* test(tui): add coverage for empty in-flight restore + late displayable final

Covers the rank-up scenario from #96979: surrendered run restored
by loadHistory as empty streaming, late displayable final passes
through surrender check and renders to chatLog.

* fix(tui): suppress late finals for surrendered finalized runs to prevent history-replay duplicate

When sessions.changed 'new' fires, now surrender chatFinalizedRuns entries
too (as 'finalized'), not just sessionRuns ('in-flight'). This prevents
the finalized-before-reload history-replay duplicate: a late final for an
already-displayed run gets suppressed because the history-replay static
row covers the visible content.

In-flight surrendered runs still render displayable finals because the
user may not have seen the streaming text before the reload.

SurrenderedToHistoryRunIds is now Map<string,'in-flight'|'finalized'>
so the surrender check can branch on source. Move surrender check before
the finalizedRuns/chatFinalizedRuns guard so surrendered finalized runs
are routed correctly.

Add focused tests for history-replayed-visible (suppress) and
history-replay-missing (render) late finals.

* fix(tui): extend surrender coverage to sessions.changed reset reload path

Reset also calls clearTrackedRunState() + loadHistory() with the same
sessionKey, so late chat events for runs from the old session window
can race with the history replay the same way as 'new'. Surrender
sessionRuns and chatFinalizedRuns on both reasons (#96979 P1 rank-up).

* fix(tui): keep surrendered finalized marker after late delta to block later final

For finalized surrendered runs, a late delta must not clear the
surrender marker — otherwise a subsequent late final would slip
through and produce a duplicate. Only in-flight surrendered runs
clear the marker on delta (their final needs to render).

* fix(tui): gate session history reloads on persistence

Co-authored-by: xialonglee <li.xialong@xydigit.com>

* docs(changelog): note TUI external-run dedupe

* test(tui): type history load harness results

* test(tui): defer history results without async mocks

* chore(changelog): defer TUI note to release

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 06:06:53 +01:00
Jodok Batlogg
a2f95de750 feat(voice-call): support Twilio regions (#95832)
Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: Jodok Batlogg <158125+jodok@users.noreply.github.com>
2026-07-07 06:05:31 +01:00
Vincent Koc
f643c9b2f8 perf(ci): raise Node shard parallelism to 28 (#101174) 2026-07-06 21:59:22 -07:00
Wynne668
78e4672d65 fix: pace delivery recovery after startup outages (#101118)
* fix: pace delivery recovery replays

* fix: preserve paced delivery recovery budget

* fix(delivery): preserve recovery deadline while pacing

* fix(delivery): coordinate recovery replay pacing

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 05:58:12 +01:00
Peter Steinberger
1898afe076 perf(test): overlap PowerShell installer exit checks 2026-07-07 00:57:24 -04:00
Peter Steinberger
ac24461252 fix(feishu): keep operator logs UTF-16 safe (#101364)
Co-authored-by: Wynne668 <ceng.wen@xydigit.com>
2026-07-07 05:54:50 +01:00
Vincent Koc
85d6d94afd refactor(memory): remove unused host SDK exports (#101362) 2026-07-06 21:54:06 -07:00
Peter Steinberger
90b680435a fix(minimax): clarify TTS volume boundary (#101359)
Co-authored-by: Quratulain-bilal <umayaimanshah@gmail.com>
2026-07-07 05:53:08 +01:00
shushushu
a596ca1795 fix(openai): allow fake-IP Realtime requests (#86526)
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 05:48:57 +01:00
Peter Steinberger
e5798e5477 refactor(codex): raise app-server floor to 0.142, drop range compat, fix deferred spawn_agent steering (#101221)
* refactor(codex): raise app-server floor to 0.142 and drop range-compat protocol paths

* refactor(codex): model subagent mirror state as one map

* style(codex): format event-projector

* test(codex): drop unused shared-client test import

* refactor(codex): drop v1-era notification field aliases

* fix(codex): teach models to load deferred native spawn_agent via tool_search

* docs(codex): realign harness config tables

* docs(changelog): note Codex app-server protocol update
2026-07-07 05:48:53 +01:00
Wynne668
1ef4544871 fix(mattermost): strip internal tool-trace banners from outbound text (#98693)
* fix(mattermost): strip internal tool-trace banners from outbound text

Co-authored-by: Cursor <cursoragent@cursor.com>

* test(mattermost): prove outbound sanitizer send path

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 05:48:41 +01:00
Vincent Koc
d39d57edc3 ci(sdk): refresh plugin api baseline hash 2026-07-07 06:46:57 +02:00
Peter Steinberger
c5d42593be fix(anthropic): guard SDK client transport (#101357)
Co-authored-by: wangmiao0668000666 <wang.miao86@xydigit.com>
2026-07-07 05:45:49 +01:00
NickNMorty
59097783e2 fix(markdown-core): CJK-friendly emphasis flanking so **标签:**正文 renders bold (#101120) (#101230)
* test(telegram): reproduce CJK emphasis flanking bug

* fix(markdown-core): support CJK emphasis flanking

* fix(markdown-core): type CJK delimiter state (#101120)

* fix(markdown-core): mirror markdown-it Unicode whitespace in CJK delimiter override

Preserves markdown-it isWhiteSpace classification (U+3000, U+00A0, U+2000-200A, etc.) before forcing CJK-adjacent delimiter flags, and adds U+3000/U+2009 regressions. Addresses clawsweeper P1 finding on #101230.

* refactor(markdown): use maintained CJK flanking plugin

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 05:43:42 +01:00