* feat(ui): dismissible sidebar attention chips
* fix(ui): use toSorted for attention signatures
* refactor(ui): move attention dismissal store to its own module
* fix(ui): make attention dismissals safe across tabs
* style(ui): drop redundant String() in storage mock
* fix(ui): prune dismissals only after fresh data and key overdue snoozes by incident
A gateway-tool restart parks sentinel/continuation hooks in
pendingRestartEmitHooks, but emitPreparedGatewayRestartUnderAdmission only
drained them when emitting hookless. When the config-reload deferral won the
emission race with its own emitHooks, the restart sentinel was never written:
no post-restart notice, no continuation turn, stale pendingRestartSessionKey
surviving in-process restarts, and orphaned hooks never rejected.
Run the caller preflight first, then drain parked hooks with the original
replace/reject loop whose tail re-read also captures hooks accepted while the
caller's beforeEmit awaited; release session ownership only once the slot is
settled and no awaits remain before emission. Reject every prepared hook set
on non-emitted outcomes and error-isolate afterEmitFailed callbacks. The
empty-slot path stays await-free so mid-flight intent/deferral timing is
unchanged, and emission attempts remain single-flight behind the restart-signal
admission fence (now documented).
Fixes#106138
runDoctorStateSqliteCompact became async in #106210 but this caller
still read fields off the Promise, breaking check-test-types and the
bench-sqlite-reliability tooling test on main.
Post-merge review of #105921 flagged a synchronization race: the restart
fault fired before the pre-restart tail live event was guaranteed to
reach the gateway, making the replay trace assertion timing-dependent.
Pin the pre-restart prefix with vi.waitFor and assert the lost-window
invariants (resync replay renumbered from the fresh ack state) instead
of the exact retry trace, which legitimately varies with the ack/teardown
race. 5x stable locally.
* fix(workboard): resolve parent dependency status via targeted lookups, not a full-corpus scan
dependencyTargetStatus() called the fully unscoped store.list() (every card,
every board, fully materialized via entries()+readCard()) just to look up the
status of a card's own parent id(s) -- almost always exactly one. dispatch()
calls promoteDependencyReady() once per card in its board-scoped pass, so
every parented card in that pass re-paid for a full-corpus re-scan.
Confirmed via a live CDP CPU profile of a real "openclaw workboard dispatch"
call (--inspect attached to a running gateway, Profiler.start/stop scoped to
the repro, elapsed 161.8s matching a known 160s+ stall): 93.3% of the time
(142s + 8.7s of 162s) was inside native SQLite all()/prepare() bindings, all
funneling through dispatch -> promoteDependencyReady -> dependencyTargetStatus
-> list -> entries -> readCard (readCard issues 4 separate synchronous SQL
statements per card). On a corpus of ~5770 cards, this is O(parented_cards_in_pass
x corpus_size x 4_queries) -- a genuine algorithmic defect, not event-loop
starvation from a concurrent session as originally suspected for this symptom.
Replace the unscoped list()+Map lookup with targeted get(parentId) calls
(already a single indexed-row lookup used everywhere else in this file) --
O(parents.length), normally O(1), instead of O(corpus size). Behavior is
unchanged: parent?.status === "done" on the get() result is exactly what
cards.get(parentId)?.status === "done" computed from the unscoped list().
Adds a regression test asserting the underlying store's entries() is called
at most once while promoting 8 parented cards together in one dispatch pass
(would have been 9 calls before this fix -- 1 outer scoped list() + 1 inner
unscoped list() per parented card).
* fix(workboard): address review feedback on dependency-target-status fastpath
Two findings from the automated PR review, both confirmed real:
- Remove an incomplete, unrelated active-owner fast-path (listActiveOwnerIds()
in store.ts + its cross-board test in store.test.ts) that leaked into this
commit from separate, still-in-progress local work. It imported
WorkboardActiveOwnerQueryable, a type that isn't defined anywhere in this
PR's tree, breaking typecheck and the bundled-extension lint check. Not
part of the dependencyTargetStatus fix this PR is scoped to.
- Replace the comparator-free, mutating .sort() calls in the new dependency
regression test with .toSorted() plus an explicit localeCompare comparator,
per the repo's lint rules.
Re-ran locally against just these two files (the actual PR diff, review WIP
set aside): pnpm lint --threads=8, pnpm format:check, pnpm tsgo:prod, pnpm
check:test-types, pnpm run lint:extensions:bundled all pass; full workboard
extension suite 111/111 (two removed tests belonged to the unrelated
active-owner code, not this fix).
---------
Co-authored-by: ClawBox <clawbox@cayk.ca>
* feat(usage): surface plan windows and account email in the chat context popover
The context-window popover now shows which account a session runs on:
provider usage snapshots carry an accountEmail resolved from the auth
profile when stored, the ChatGPT access-token JWT claims (openai/codex),
or the Claude CLI config file (~/.claude.json oauthAccount) for
keychain-synced logins. models.authStatus embeds it, quota groups keep
distinct accounts separate, and the popover renders the email under the
plan header for local CLI sessions and OpenClaw-configured subscriptions
alike.
* test(openai): assemble the fake usage JWT from parts
* test(usage): keep fixture tokens and identity plumbing scanner-safe
* fix(usage): verify the Claude CLI login before labeling usage with its email
Review findings: the CLI-config email fallback now requires the usage token
to match the cached CLI credential (and honors CLAUDE_CONFIG_DIR), so an
ambient login for another account never labels a snapshot; token-type
credentials propagate their stored email alongside oauth ones.
* style(anthropic): scanner-safe local for the CLI login read
* fix(usage): capture the Claude CLI account email on the credential
Review findings: reading ambient CLI config at usage-fetch time could not
verify keychain-only logins and could go stale across account switches.
The credential reader now captures oauthAccount.emailAddress next to the
credential it belongs to, the synced claude-cli profile carries it, and
the anthropic fetcher uses only the credential-borne identity.
* style(usage): scanner-safe credential fixtures and helper naming
* fix(auth): backfill the CLI account email onto existing synced profiles
Profiles synced before identity capture stay usable and skip CLI reads,
so upgraded installs would never gain the email until token rotation.
While the stored token material matches the CLI login, merge the
non-secret email onto the stored profile.
* style(test): scanner-safe email assertion
* test(auth): pin the no-reread invariant to identity-complete profiles
* feat(ui): move Devices page into settings and redesign device inventory
- Devices now lives at /settings/devices (System group); /nodes stays as alias
- per-device form-factor icons (phone/browser/terminal/machine) with status dot
- equal-height header actions; stale cleanup and pairing only
- drop manual Refresh button; page already auto-refreshes via presence events + 30s poll
- dynamic connected/pending summary replaces static card subtitle
* style(ui): oxfmt pass + loading empty state for devices inventory
* chore(ui): sync locale bundles for devices settings copy; docs point at Settings → Devices
* refactor(ui): split device tile + pending rows out of view-inventory; drop unused icons
Keeps the TypeScript LOC ratchet green: view-inventory.ts returns below its
baseline and icons.ts sheds unused folderOpen/micOff/volumeOff glyphs.
* fix(ui): ratchet LOC baseline, drop unused DeviceIconSource export, settle devices settings copy
- baseline: icons.ts 693, view-inventory.ts back under the 500 ceiling
- subtitles.nodes now describes the settings page; nav tests updated
- locale bundles resynced (fallbacks=0)
* refactor(ui): rename token row param for reviewer-tool clarity
* fix(ui): collapse device rows in narrow containers and classify the TUI as a terminal client
Review findings: the nodes-entry grid override beat the shared 560px
list-item collapse, overflowing phone-width rows; openclaw-tui connects
with mode ui so only its client id marks it as a terminal.
* chore(ui): translate pending locale keys after rebase (fallbacks=0)