* refactor(sessions): migrate runtime storage to sqlite
* test(sessions): fix sqlite CI regressions
* test(sessions): align remaining sqlite fixtures
* fix(codex): require sqlite trajectory recorder
* test(sessions): align orphan recovery sqlite fixture
* test(sessions): align sqlite rebase fixtures
* fix(sessions): finish current-main integration of the sqlite flip
Resolve the whole-store SDK removal across its owner boundary: drop the
loadSessionStore re-export and the registry whole-store wrappers, wire
hasTrackedActiveSessionRun into gateway chat, complete the
preserveLockedHarnessIds cleanup contract, flip the codex thread-history
import to storePath targets, and port remaining main-side tests from
file-store helpers to session accessor reads.
* chore: drop committed pebbles log, revert plugin-inspector bump, refresh generated docs
Remove the 1.8k-line .pebbles/events.jsonl work log from the branch, restore
the plugin-inspector advisory lane to main's pinned 0.3.10 so the supply-chain
bump gets its own review, and regenerate docs_map, the plugin SDK API baseline,
and the export-surface ratchet for the merged tree.
* feat(sessions): keep archived transcripts by default with zstd cold storage
Codex-style retention: deleting or resetting a session archives its
transcript as a zstd-compressed JSONL artifact (plain when the runtime
lacks node:zlib zstd) and keeps it until the disk budget evicts oldest
first. resetArchiveRetention now governs both deleted and reset archives
and defaults to keep; maxDiskBytes defaults to 2gb so retention stays
bounded, with archives evicted before live sessions. The cron reaper
follows the same knob instead of deleting archives on its own timer.
* fix(state): converge agent DB migration lineages and bound database growth
Merge coherence: run both structure-gated legacy memory-schema repairs
(flip-lineage drop, main-lineage identity rebuild) before the flip
migration so pre-flip v1/v2 and pre-merge flip v1/v4 databases all
converge, and hoist foreign_keys=OFF outside the schema transaction
where the pragma was silently ignored and the v1 sessions rebuild
cascade-deleted session_entries.
Growth guards: fresh agent DBs enable auto_vacuum=INCREMENTAL, WAL
maintenance releases freed pages in bounded passes (never a blocking
full VACUUM), and doctor reports state/agent DB bloat from freelist
stats.
* fix(codex): resolve the store path for thread-history import via the SDK
The supervision catalog passed the legacy sessionFile locator to the
storePath-targeted transcript mirror; resolve the agent store path with
the session-store SDK helper instead of a runtime-object seam so test
fakes and headless callers need no extra surface. Drop the obsolete
missing-session-id preprocessing case: sessions rows are NOT NULL on
session_id and upsert repairs id-less patches at write time.
* fix(sessions): fail safe on malformed disk-budget config and doctor stat errors
A malformed explicit maxDiskBytes disables the budget instead of
falling back to the destructive 2gb default the user never chose, and
the doctor bloat check skips databases whose paths stat-fail instead of
aborting doctor.
* fix(sessions): complete sqlite conflict translations
* test(sqlite): align hardening checks with maintenance
* test(sessions): inspect compressed transcript archives
* fix(tests): await session seeds and drop unused helpers flagged by CI lint
The five unawaited writeSessionStoreSeed calls raced their SQLite seeds
against the assertions, failing compact shards; the bloat probe drops a
useless initializer and the merged tests drop now-unused helpers.
* test(sessions): type legacy proof events directly
* test(sessions): align hardening contracts
* perf(sessions): read usage transcript sizes from SQL aggregates
Usage/cost scans walked every session and materialized every transcript
event just to re-stringify it for a byte estimate — the #86718 stall
class reborn on the DB. readTranscriptStatsSync sums stored JSON bytes
in SQLite without loading a single row.
* fix(sessions): re-root foreign-root transcript paths onto the current sessions dir
Restored backups, moved OPENCLAW_STATE_DIR, and rehearsal copies carry
absolute sessionFile paths from the old root; the containment fallback
kept those foreign paths, so migration read (and would archive) files in
the original root and reported local copies missing. Re-root the
canonical agents/<id>/sessions suffix onto the current dir when the file
exists there; genuine cross-root layouts still fall through unchanged.
* test(agents): seed harness admission through sqlite
* fix(sqlite): close agent db on pragma setup failure
* fix(doctor): compact and retrofit incremental auto-vacuum after session import
The migration is the sanctioned offline window: post-import compact
reclaims import churn and applies auto_vacuum=INCREMENTAL to databases
created before the fresh-DB pragma existed, so runtime maintenance can
release pages in bounded passes on every install.
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
* refactor(ui): move dreams page modules to agents/memory (verbatim)
* refactor(ui): sidebar IA cleanup: Activity to Settings, Dreams into Agents Memory tab, single MCP mutation owner, Usage icon
Folds the per-agent Dreams page into the Agents page as a Memory panel and
deletes the dreams route; moves the session-scoped Activity page out of the
sidebar into Settings > System next to Logs; removes the MCP enable/disable
toggle from Settings > MCP so the Plugins page is the single mutation surface
for config.mcp.servers; gives Usage a coins icon so it no longer collides
with Overview.
Closes#104590
* docs: update Control UI docs for Activity/Memory/MCP sidebar changes
* fix(scripts): fail control-ui i18n sync closed on new untranslated keys without provider auth
An unauthenticated ui:i18n:sync silently recorded English fallbacks, which the
shipped-fallback CI gate then rejects; post-merge translation is owned by the
control-ui-locale-refresh workflow. Sync now errors on new untranslated keys
without a provider (OPENCLAW_CONTROL_UI_I18N_AUTH_OPTIONAL=1 opts back in),
and the ui AGENTS guide documents the commit-en.ts-only contributor flow.
* chore(ui): translate new sidebar keys, refresh i18n baseline, localize Memory tab expectation
* feat(openai): recognize GPT-Live realtime models and fail closed with guidance
OpenAI's gpt-live-1/gpt-live-1-mini full-duplex voice models are API
early-access only and use a WebRTC-only quicksilver session protocol with
handoff-based agent delegation that OpenClaw's realtime transports do not
implement yet. Configuring a gpt-live-* model now produces actionable
configuration errors on the realtime WebSocket bridge and Talk browser
sessions instead of opaque provider errors or audio-only sessions without
agent access. GA gpt-realtime behavior unchanged; default model stays
gpt-realtime-2.1.
Related: #104683
* test(openai): narrow browser session union before asserting offerUrl
The tasks rail (from #104010) only rendered as a right-docked 230-280px
column and vanished with its toggles below a 1120px viewport, so narrow
split-view panes got a crushed thread and compact windows lost access
to background tasks entirely — the same bug class #104033 fixed for the
workspace rail and detail panel.
The rail now follows the pane's measured width: it presents as a
full-width bottom strip (sections side by side like the workspace
rail's bottom dock) when the pane is too narrow for a side column, and
the workspace rail keeps first claim on the side slot when only one
column fits. Side-docked rails, not bottom strips, now count against
the width available to the chat + detail split.
Proof: check:changed + 212 focused tests green on Testbox at this exact
content; codex autoreview clean; chromium+webkit visual verification at
seven window widths plus split view with zero geometry overlaps.
Landed with maintainer CI override.
Closes#104091
* feat: add metadata-only message audit events
* chore(protocol): restore generated swift models and config baseline after rebase
* fix(state): gate agent-db ownership check before schema version
* fix(cli): sync audit command description into the root-help catalog
* fix(audit): require destination proof before classifying outbound messages as direct
* refactor(audit): drop dead migration guard and add contract comments
* docs(gateway): add dedicated audit history page and cross-links
* test(e2e): enable direct-mode message audit in the telegram proof SUT config
* test(channels): expect declared conversationKind in durable delivery session context
* fix(audit): record the routing channel id for inbound rows from plugin channels
* fix(audit): match channel-prefixed delivery targets in the destination route gate
* fix(audit): validate explicit target kind against the destination route kind
* fix(audit): use the canonical target-prefix grammar in the destination route gate and fail closed on foreign migration tables
* fix(audit): normalize nested provider and kind target prefixes in the destination gate
* fix(audit): strip registered provider aliases and the direct kind prefix in the destination gate
* chore(docs): refresh config baseline after rebase
* feat(sessions): durable session state events with parent invalidation
Parents no longer act on stale child-session state: a durable, typed
signal log (session_state_events + per-agent heads) records direct human
messages to children, child spawn/terminal outcomes, goal changes, and
compaction at the seams where those facts are created. A frozen-watermark
cursor protocol (session_watch_cursors) delivers one coalesced system
notice to the parent through the existing system-event + heartbeat wake
idiom, acknowledged at the shared generic drain, with a deferred startup
sweep for restart recovery. session_status gains stateVersion and
changesSince (with exact pruned-history gap signaling); sessions_list
rows gain stateVersion.
Closes#104565
* chore: regenerate docs map and prompt snapshots for session_status changesSince
* fix(outbound): preserve backticks on <code> tags with attributes
The plain-text sanitizer only matched bare <code> openers, so attributed
variants such as <code class="language-ts"> lost their backtick wrapping
and were stripped to raw text before channel delivery.
Allow optional attributes on the opening <code> tag, consistent with the
existing handling for <h[1-6]> and <li> in the same function.
Fixes#104117
* fix(outbound): preserve attributed inline formatting
Co-authored-by: chengzhichao-xydt <chengzhichao-xydt@users.noreply.github.com>
* test(outbound): compact attributed tag coverage
* fix(outbound): normalize attributed formatting tags
* docs(outbound): clarify attribute normalization invariant
* fix(outbound): preserve native formatting semantics
* docs(plugin-sdk): document sanitizer markup styles
* docs(plugin-sdk): refresh docs map
---------
Co-authored-by: moguangyu5-design <moguangyu5-design@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: chengzhichao-xydt <chengzhichao-xydt@users.noreply.github.com>
* feat(fleet): add openclaw fleet cell supervisor for multi-tenant hosting
* test(fleet): cover cell profile, registry, containers, and service flows
* docs(fleet): document multi-tenant hosting and the fleet CLI
* fix(fleet): verify upgrade replacements and release foreign-collision reservations
* fix(fleet): gate upgrade commit on replacement health
* docs(fleet): mark fleet experimental and pin its single-host scope
* test(fleet): make incomplete-profile casts explicit for test-type lane
* fix(state): regenerate kysely schema artifacts after rebase conflict
The Codex/Claude sidebar sections leaked long titles across the row
timestamps and past the sidebar edge because the row body was never a
flex container, so the title span stayed inline and ellipsis rules did
not apply. The sections also rendered every loaded session (Codex swept
up to 100 catalog pages per host every 30s) with no height cap, growing
past the sidebar shell and painting over the footer.
Rows now reuse the regular session-row __text anatomy so titles
ellipsize, the sidebar renders only the newest 10 sessions per host
with a derived truncation note (the full catalog stays on the sessions
page), each section shrinks and scrolls inside the sidebar body, and
the shell body clips as a final guard. The sidebar full-catalog
hydration loop and the one-off __body class are deleted.
Formatting proof: oxfmt --check clean on changed files via Testbox
tbx_01kx92cwpr1x9ccp2fgn441y8h (local hook skipped: no node_modules).
Fixes#104584
* feat: node-hosted plugins — dynamic tools, MCP servers, and skills
Nodes become declarative plugin hosts:
- node.pluginTools.update: node hosts publish plugin-registered agent tool
descriptors; gateway materializes them as agent tools executing via
node.invoke under the node command allowlist, with tools.effective
invalidation and node online/offline removal.
- Trusted paired-node descriptors: no gateway-side plugin registration
required; gateway.nodes.pluginTools.enabled off-switch (default on);
description/count caps; deterministic node-prefixed collision names.
- Declarative node-hosted MCP: nodeHost.mcp.servers (McpServerConfig shape)
starts MCP clients on the node host, publishes tools as pluginId node-mcp,
executes via built-in mcp.tools.call.v1 with per-layer timeouts, failure
isolation, and orphan-safe shutdown. No re-pairing when servers change.
- Node-hosted skills: node.skills.update publishes ~/.openclaw/skills
content (64 skills/64KB/512KB caps both sides); gateway merges them into
the skills snapshot while connected and exec host=node is available, with
node:// locators, node-prefixed collisions, disabled command dispatch,
and gateway.nodes.skills.enabled + nodeHost.skills.enabled switches.
- Security: node-supplied pluginIds cannot satisfy pluginId-scoped tool
allowlists unless gateway-registered; reserved node-mcp id requires the
core MCP descriptor shape; protocol registry kept out of public
plugin-sdk dts.
- E2E: pond harness proves publication, MCP round-trip, skills locator, and
disconnect/reconnect for all three surfaces.
* style: format node-plugin-tools test
* fix(skills): keep status loader unfiltered when eligibility is passed
skills.status started passing eligibility for the node-skill merge, which
flipped loadWorkspaceSkillEntries into filtered mode and dropped disabled
skills from status reports (QA plugin-lifecycle-hot-reload timeout). Status
now merges node skills explicitly around an unfiltered load. Also: regen
docs_map for new node docs sections; add the intentional node-host MCP
onclose suppression to the lint-suppression allowlist.
* fix (Computer Use) Stabilize Codex Computer Use readiness
Co-authored-by: Ben Badejo <188106718+bdjben@users.noreply.github.com>
* fix (Computer Use) Stabilize Codex Computer Use readiness
* fix (Computer Use) Stabilize Codex Computer Use readiness
* fix (Computer Use) Stabilize Codex Computer Use readiness
* fix(clawsweeper): address review for automerge-openclaw-openclaw-103331 (1)
* fix (Computer Use) Stabilize Codex Computer Use readiness
---------
Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
Co-authored-by: Ben Badejo <188106718+bdjben@users.noreply.github.com>
* feat(ui): multi-select sessions in the sidebar with batch menu actions
* chore(i18n): sync locale bundles for sidebar multi-select strings
* docs(control-ui): document sidebar session multi-select and batch menu
* refactor(matrix): adopt core claimable dedupe for inbound events
* fix(matrix): migrate legacy inbound dedupe markers via doctor
* fix(matrix): single-pool dedupe namespace and capacity-aware legacy import
* fix(matrix): keep unreadable legacy dedupe JSON in place during doctor import
* feat(dashboard): modular dashboard — workspace store, Workspaces tab, sandboxed custom widgets
Squashes openclaw/openclaw#101094 + #101097 + #101098 onto current main and
applies the maintainer review fixes to the backend control plane.
Co-authored-by: 100yenadmin <239388517+100yenadmin@users.noreply.github.com>
* fix(dashboard): UI review fixes — grid, error boundary, embed sandbox, locale
* fix(dashboard): make the CLI and agent broadcasts actually reachable
Three defects only a live run surfaces, all invisible to the unit suites:
- The plugin claimed the CLI command name `dashboard`, which core already owns
(it opens the Control UI). A plugin CLI group that overlaps a core command is
dropped at registration behind a `logger.debug`, so the entire CLI face was
unreachable while `cli.test.ts` kept passing against its own Commander
program. Renamed to `openclaw workspaces`, matching the tab it drives.
- The manifest never declared `activation.onCommands`, so the CLI root resolved
to no owning plugin even once the name was free.
- `dashboard.widget.approve` needs `operator.approvals`; the CLI asked for
`operator.write` on every call. It now requests the approvals scope only for
the approve call, matching `operator-approvals-client.ts`.
Also: agent tools resolved their broadcast from the plugin runtime's
gateway-request scope, an AsyncLocalStorage set only around gateway RPCs and
plugin HTTP routes. An agent turn started from a channel, cron, or heartbeat
therefore wrote the document without emitting `plugin.dashboard.changed`, so an
open Control UI never saw the edit — the feature's headline promise. The gateway
broadcast is server-lifetime, so the plugin now remembers it in a single slot and
agent tools fall back to it.
* docs(web): document dashboard workspaces, provenance, and the custom-widget sandbox
* fix(dashboard): agent-tool ergonomics + close two approval-boundary gaps
From a source-blind agent driving the dashboard_* tools with nothing but their
schemas, and from a Codex review of the hardening delta.
- dashboard_widget_update could never succeed. It passed its whole parameter
record to the patch reader, whose allowlist rejects the very `tab`/`id` keys
the tool's own schema marks required, so every call died on
"unexpected param: tab". Its test only ran Value.Check against the schema and
never executed the tool.
- dashboard_data_read surfaced an `rpc` binding as a thrown error, though its
description promised `binding_client_resolved`. It now returns that as a
result the model can act on.
- Valid widget kinds and the rpc allowlist were undiscoverable: a model saw only
"builtin:<name> or custom:<name>" and "Allowlisted gateway read method", then
brute-forced ~40 calls against errors that named no alternatives. Both schemas
and both validator errors now enumerate them, and the kind description says
what each builtin renders and which binding id it reads. widget_move documents
that grid and toTab are exclusive; widget_scaffold says an operator must
approve, because no agent tool can.
- workspace.replace could mint a pending registry entry for a name that was
never scaffolded. An operator could then approve a widget whose code did not
exist yet, and the agent could write it afterwards. Registry entries now come
from dashboard_widget_scaffold and nowhere else, and approve refuses a name
with no manifest on disk.
- dashboard.widget.approve answered with the whole workspace document, so a
connection holding only operator.approvals could read it through the approvals
door. It now returns the registry entry it changed.
* fix(dashboard): approval pins the code it approves
Codex review found the scaffold-before-approval gate still nameable rather than
binding: approve only proved that widget.json parsed, and the Control UI loaded a
hardcoded index.html rather than the manifest's entrypoint. An agent could
scaffold a widget, win approval on an innocuous or absent entrypoint, then write
the real payload afterwards — code appearing after the human said yes.
Approval now hashes every servable file in the widget directory and stores the
digests on the registry entry, refusing a manifest whose declared entrypoint is
missing. The asset route re-hashes each file it reads and 404s anything that does
not match, so a file edited or added after approval never reaches a browser. The
Control UI loads the manifest's entrypoint, which is the file that was hashed.
The content-type allowlist moves to manifest.ts so the set of files approval
hashes and the set the route can serve cannot drift apart.
Proof, against a running gateway: scaffold -> 404, approve -> 200, rewrite
index.html -> 404, add late.js -> 404.
* fix(dashboard): parse the approved manifest from the bytes that were hashed
Codex found a TOCTOU in the approval path: it loaded and validated widget.json,
then walked the directory again to compute the digests. An agent could swap
widget.json between the two reads, so the operator validated one entrypoint while
the digest froze — and the Control UI later mounted — a different one.
snapshotApprovedWidget now reads the widget directory once: it hashes every
servable file, parses the manifest out of the same widget.json bytes it hashed,
and requires the declared entrypoint to be among them.
Proof, against a running gateway: approve -> index.html 200; rewrite widget.json
to point at evil.html and drop evil.html in -> both 404.
* fix(dashboard): cap approval asset reads; bound the grid fallback search
Two findings from the fourth Codex pass.
Approval hashes agent-authored files that are untrusted until it runs, and read
each one into memory with no size check — dropping one huge .png into a scaffold
directory would stall or OOM the gateway during approve. Sizes are now checked
before the read, with a 2 MB per-file and 8 MB total cap.
nearestFreeSlot searched one band below the lowest occupied row, so a crowded
layout near the bottom could return y=500 as the closest free slot: a placement
the store rejects, which the UI applies optimistically and then snaps back. The
search now stops at the last row a widget of that height can legally occupy.
* fix(dashboard): refuse oversized widget assets before reading them
Approved widget files stay writable and the asset route is unauthenticated, so
swapping an approved small file for a very large one made every GET buffer the
whole file before the digest check rejected it. The route now refuses anything
past the same per-file cap approval enforces, on the stat it already performs.
* fix(dashboard): enforce widget approval boundaries
* docs(changelog): note modular dashboard workspaces
* fix(dashboard): enforce static custom-widget data boundary
* fix(dashboard): satisfy UI lint
* test(dashboard): avoid legacy proto access
* feat(dashboard): make plugin opt-in
* docs(dashboard): refresh workspaces map
* refactor(workspaces): standardize plugin naming
* fix(workspaces): make widget prompt sends idempotent
* docs(workspaces): fix internal path references
* test(workspaces): make prompt assertion lint-safe
* test(workspaces): type prompt request mock
* fix(workspaces): harden approval and binding boundaries
* test(workspaces): complete stale binding client mock
* fix(workspaces): harden widget file boundaries
* fix(workspaces): scope custom widget capabilities
* fix(workspaces): align approval provenance
* fix(workspaces): close branch contract gaps
* test(workspaces): complete builtin context fixtures
* fix(workspaces): aggregate overview usage
* chore(workspaces): defer release note
* chore(workspaces): refresh i18n metadata
---------
Co-authored-by: 100yenadmin <239388517+100yenadmin@users.noreply.github.com>
* fix(macos): host the dashboard sidebar toggle beside back/forward in the titlebar
The Control UI's floating sidebar-expand button rendered as a bordered web
control crowding the traffic lights in the dashboard window. The toggle now
lives as a native borderless button in the leading titlebar accessory ahead
of back/forward (Safari ordering) and bridges to the web UI via the
openclaw:native-toggle-sidebar event; the injected chrome script advertises
the capability with an openclaw-native-nav class so the web control retires
itself visually while staying keyboard/screen-reader reachable.
* docs: note the macOS app's native titlebar sidebar toggle in the Control UI guide
* test: wire Control UI suite into CI, fix its broken tests, drop dead harness surface
- fix 7 Control UI tests broken on main: module-mock factories are unreliable
under isolate:false shared workers; use RealtimeTalkSession prototype spies
and real jsdom storage instead (chat-realtime, chat-pull-requests)
- add gated checks-ui CI job (runUiTests changed-scope output): chromium
provisioning, lint:ui:no-raw-window-open, pnpm --dir ui test; ~30s on a
4vcpu runner, runs only when ui-affecting paths change
- add weekly node22-compat workflow exercising the supported lower Node bound
with the same command set as the dispatch-only ci.yml job
- delete the unreachable channels entry in EXTENSION_TEST_CONFIG_ROUTES and
the never-populated extensionRoutedChannelTestFiles override machinery
(born empty in 2ccb5cff22); resolved globs are provably identical
- guard run-vitest.mjs hardcoded path maps with existence tests so renames
cannot silently drop extended stall watchdogs
- remove unenforced coverage thresholds; test:coverage is informational, docs
updated (reference/test, help/testing, plugins/sdk-testing)
Closes#104321
* test: pin OPENCLAW_CI_RUN_UI_TESTS in the manifest env expectation
* test(ui): capture the realtime start spy instead of referencing the unbound prototype method
* test(ui): raise ui vitest timeouts for real-browser layout tests on small CI runners
* feat(control-ui): add chat selection popup with More details and Ask in side chat
* fix(control-ui): keep BTW pending card visible and clear it on resultless terminal runs
* fix(control-ui): route failed BTW runs to an error side-result card and ignore stale side results
* fix(control-ui): correlate BTW pending cards by pre-generated run id and suppress superseded runs
* fix(control-ui): retire abandoned BTW runs so late side events never reach the transcript
* chore(docs): regenerate docs map for btw selection-popup section; fix selection-popup test lint