Commit Graph

4219 Commits

Author SHA1 Message Date
NianJiu
26dc42aa37 fix(android): cancel expired node invokes (#104225)
Co-authored-by: NianJiuZst <180004567+NianJiuZst@users.noreply.github.com>
2026-07-11 04:43:00 -07:00
Peter Steinberger
1d84acf2c3 test(macos): remove Swift warning and timing flake (#104434) 2026-07-11 04:30:35 -07:00
Peter Steinberger
b4a9a4c3d4 fix(mac): silence lock result warning (#104408) 2026-07-11 03:53:28 -07:00
Peter Steinberger
7ec0d4abb8 chore: update Peekaboo to 3.9.0 (#104398)
* build(macos): update Peekaboo to 3.9.0

* chore: keep release notes in PR body

* fix(macos): trust current Peekaboo release signers
2026-07-11 03:44:13 -07:00
Peter Steinberger
df16372af3 fix(macos): host the dashboard sidebar toggle beside back/forward in the titlebar (#104380)
* fix(macos): host the dashboard sidebar toggle beside back/forward in the titlebar

The Control UI's floating sidebar-expand button rendered as a bordered web
control crowding the traffic lights in the dashboard window. The toggle now
lives as a native borderless button in the leading titlebar accessory ahead
of back/forward (Safari ordering) and bridges to the web UI via the
openclaw:native-toggle-sidebar event; the injected chrome script advertises
the capability with an openclaw-native-nav class so the web control retires
itself visually while staying keyboard/screen-reader reachable.

* docs: note the macOS app's native titlebar sidebar toggle in the Control UI guide
2026-07-11 03:19:33 -07:00
Peter Steinberger
518c5823d8 feat(macos): navigate dashboard history with Command brackets (#104328)
* feat(macos): add dashboard history shortcuts

* chore: leave release changelog to release flow

* chore(macos): sync native i18n inventory

* fix(macos): keep titlebar navigation on dashboard
2026-07-11 02:22:28 -07:00
Peter Steinberger
0ef9a62eaf fix(codex): allow slower Mac session catalogs (#104332) 2026-07-11 02:05:55 -07:00
Peter Steinberger
7c9cb54f09 fix: Codex CLI login fails during fresh Mac setup (#104150)
* fix(onboarding): preload Codex runtime for setup probe

* fix(onboarding): refresh Codex runtime discovery

* fix(onboarding): use native Codex CLI auth

* fix(onboarding): probe bundled Codex login

* chore(macos): refresh onboarding i18n inventory

* fix(onboarding): live-test custom Codex providers
2026-07-11 01:53:49 -07:00
Peter Steinberger
88c563b241 fix: address update-card review findings (channel normalization, hidden-nav affordance, prerelease pinning, policy-aware bridge) (#104316)
* fix(mac): prerelease-exact launch resolution and policy-aware update ownership

* fix(ui): keep update affordance when nav is hidden and fall back on native decline

* chore(i18n): sync native inventory
2026-07-11 01:44:26 -07:00
Peter Steinberger
e0e67abfa9 fix: cancel expired macOS node approvals (#104302)
* fix: cancel expired macOS node approvals

* chore: keep node approval fix out of release notes
2026-07-11 01:25:36 -07:00
Peter Steinberger
20fe3f46db fix: paired Mac Codex sessions finish loading (#104299)
* fix(codex): allow cold Mac session catalogs

* chore: keep release notes in PR body
2026-07-11 01:14:36 -07:00
Peter Steinberger
f9ebefba29 feat(macos): onboarding mascot reacts with moods, randomized idle behavior, and Easter eggs (#104255)
* feat(macos): mascot moods, randomized idle behavior, and onboarding Easter eggs

* feat(apps): opt About window and iOS hero marks into mascot Easter eggs

* chore(i18n): sync native app i18n inventory
2026-07-11 01:01:26 -07:00
Peter Steinberger
ebc848deec feat: sidebar update card (web + macOS) with app-first mac update flow and Sparkle beta track (#104171)
* feat: sidebar update card (web + macOS) with app-first mac update flow and Sparkle beta track

Squashed from claude/update-notification-display-c6cfb9 after semantic merge
with #104178 (channel-aware CLI installs). See PR #104171 body for details.

* chore(i18n): resync generated inventories after rebase

* chore(i18n): resync locale metadata after rebase
2026-07-11 00:34:10 -07:00
Peter Steinberger
f94a7dc183 feat(codex): supervise native Codex sessions (#104045)
* feat(codex): add native session supervision

* fix(codex): harden supervision integration

* fix(codex): preserve locked harness ownership

* fix(codex): fence native session archive

* fix(codex): revalidate archive binding ownership

* feat(codex): integrate supervision runtime

* feat(sessions): preserve harness-owned execution

* feat(sessions): persist harness ownership invariants

* feat(gateway): enforce harness-owned sessions

* feat(setup): enable detected Codex supervision

* feat(mac): expose supervised Codex sessions

* feat(ui): make Codex sessions actionable

* docs(codex): document session supervision

* test(codex): cover integration ownership

* chore(i18n): refresh supervision inventories

* fix(setup): finalize Codex activation atomically

* test(codex): narrow binding store update

* fix(sessions): preserve legacy model locks

* test(macos): serialize Codex catalog fixtures

* fix(sessions): preserve legacy lock admission

* chore(i18n): reconcile supervision metadata

* test(sessions): mark legacy lock fixture

* fix(macos): drain final Codex catalog frame

* docs: leave supervision note to release

* style(macos): satisfy Codex catalog type length

* chore: record session accessor seam owners

* fix(macos): honor configured Codex supervision

* fix(codex): preserve harness-owned model locks

* fix(codex): satisfy supervision lint gates

* chore(i18n): refresh native supervision inventory

* fix(codex): align supervision validation contracts

* fix(codex): close supervision boundary gaps

* fix(codex): preserve supervision activation contracts

* fix(codex): dispose standalone supervision runtime

* fix(codex): pin supervised source connection

* fix(plugins): bind delegated runs to exact session target

* fix(codex): scope supervised sessions to configured agents

* fix(codex): fingerprint effective supervision home

* fix(codex): normalize supervision plugin policy

* fix(codex): keep supervised bindings stable across upgrades

* fix(codex): guard all supervised binding connections

* fix(codex): preserve catalog filters and pending CAS identity

* fix(codex): preserve supervision identity for diagnostics

* fix(codex): bind uncertain commits to supervision connection

* fix(codex): satisfy supervision type boundaries

* fix(macos): reconcile current main validation

* fix(codex): handle absent runtime config in supervision

* fix(doctor): own local audio acceleration check

* fix(codex): satisfy integration lint gates

* fix(codex): satisfy lifecycle safety guards
2026-07-11 00:12:08 -07:00
Peter Steinberger
ae2c6117d3 feat(ui): full-page New session screen with gateway folder browser (#104238)
* feat(gateway): add admin-only fs.listDir host directory listing

* feat(ui): replace new-session dialog with full-page /new screen and folder browser

* fix(ui): drop unnecessary template literal in new-session page

* refactor(ui): rename request token locals for review-bundle hygiene

* fix(ui): preserve typed draft on agent hydration and clear stale folder listings

* fix(ui): gate new-session submit on agent hydration and keep live folder edits

* test(ui): use exact textbox selector in new-session e2e

* test(ui): deep-link new-session e2e so agents.list override supplies workspace

* chore(i18n): translate new-session strings and refresh native inventory

* chore(i18n): reconcile locale metadata after rebase
2026-07-11 00:10:48 -07:00
Peter Steinberger
5228183ce2 fix(ci): register local-audio-acceleration doctor contribution and wrap overlong MLX log line (#104233)
* fix(ci): register local-audio-acceleration doctor contribution and wrap overlong MLX log line

* fix(ci): keep MLX log line under 120 cols and resync native i18n inventory

* chore: nudge PR head sync

* fix(mac): use throwing safe read in MLX transport readability handler
2026-07-11 00:04:50 -07:00
Peter Steinberger
1d72c0f423 feat(ui): session diff panel showing a session checkout's changes in chat (#104184)
Adds a git-backed session diff panel to the Control UI, complementing the existing PR status chips.

New sessions.diff gateway method (operator.read): resolves the session checkout and returns structured per-file diffs (status, renames, +/- counts, capped unified patch) of branch + uncommitted + untracked work against the default-branch merge base. Hardened against git textconv execution and hardlinked out-of-tree content leaks; handles repos before their first commit via the empty-tree base.

Control UI renders a "Changes" panel in the chat detail sidebar with collapsible per-file diffs, hunk-gap markers, stat chips, and untracked/binary badges, gated on gateway method advertisement. Schemas additive (Swift models regenerated), 20 locales translated.

Closes #104182
2026-07-10 23:57:55 -07:00
Vincent Koc
96b1be10f5 feat(macos): keep MLX TTS model resident (#104200)
* test(macos): cover MLX helper packaging

* feat(macos): define framed MLX TTS protocol

* feat(macos): keep MLX TTS model resident

* feat(macos): reuse MLX TTS helper transport

* fix(macos): preserve MLX TTS fallback lifecycle

* chore(swift): lint MLX TTS protocol sources

* fix(macos): keep MLX helper input nonblocking

* test(macos): cover forced MLX helper shutdown

* fix(macos): fall back after MLX memory eviction

* fix(macos): discard canceled MLX audio
2026-07-11 13:45:27 +08:00
Peter Steinberger
4b3d4020d3 fix(macos): offer CLI channels for unreleased builds (#104178)
* fix(macos): choose CLI channel for dev builds

* chore: leave release notes to automation

* chore(macos): sync native string inventory

* style(macos): wrap CLI channel guidance

* fix(macos): return CLI version policy
2026-07-10 22:27:57 -07:00
Peter Steinberger
dc42c893c3 improve(ios): redesign share extension compose sheet (#104187) 2026-07-10 22:22:15 -07:00
Peter Steinberger
9f53f8a256 feat(macos): import local browser login (#104177)
* feat(macos): import local browser login

* chore: leave release notes to release workflow

* chore(macos): refresh native i18n inventory

* chore(macos): refresh native i18n inventory

* chore(macos): refresh native i18n inventory

* chore: sync release summary executable bit

* chore(macos): refresh native i18n inventory

* style(macos): wrap browser import result

* chore(macos): refresh native i18n inventory

* chore(macos): refresh native i18n inventory
2026-07-10 22:14:36 -07:00
Peter Steinberger
1c08d96d8b feat(android): durable offline chat with attachments and history-proof retirement (#104089)
* feat(android): durable offline chat with attachments and history-proof retirement

Every chat send is journaled to the per-gateway Room outbox before any
network attempt, so process death always has one durable recovery owner.
Rows survive gateway ACKs as 'accepted' and retire only once the turn is
proven in canonical chat.history by idempotency key; ambiguous outcomes
(lost ACK, kill mid-send, gateway restart before the transcript write)
park as delivery-unconfirmed for explicit retry, per the fail-closed
model #103273 landed. An unproven accepted head briefly holds only its
own session's queue, and retrying a parked head re-orders still-queued
successors behind it. Offline sends now accept picked images and voice
notes; attachment bytes persist as chunked BLOBs (512 KB chunks, 8 MB
per message, 48 MB per gateway) admitted and retired atomically with
their row. Pre-hello 'main' rows pin to the canonical session at first
dispatch so later default-agent changes cannot retarget captured input;
slash commands are connection-gated by a persisted epoch (legacy queued
command rows migrate to a never-matching sentinel) and never auto-replay
across reconnects. The Room store moves to schema v4 on top of v3's
data-parking migration, adding the epoch column and attachment tables
while preserving queued rows. The queued->sending claim is an atomic
compare-and-set shared by the direct dispatch and the flush loop, the
direct path waits for the startup recovery sweep before claiming, and
failed reconnect attempts republish outbox rows so queued sends stay
visible on offline cold starts.

Proof: 1151 Android unit tests and :app:ktlintCheck green (new
migration, storage, and controller coverage for admission, restarts,
claims, pinning, gating, ordering, and byte round-trips); a live
emulator scenario on the pre-integration build queued text+image
offline, survived force-stop plus a device reboot, resent exactly once
on reconnect (single <rowId>:user turn in the gateway transcript), and
drained the outbox after canonical-history confirmation.

Closes #104087.

* fix(android): rearm outbox recovery when direct-send state persistence fails

* fix(android): keep direct dispatch alive across caller cancellation

The direct send's network phase now runs in the controller scope, so a
cancelled UI scope (leaving the chat screen mid-send) can no longer
strand a claimed row in 'sending' with no user action available; the
dispatch completes and settles the row exactly once. Direct-path state
persistence failures also re-arm the startup recovery sweep, mirroring
the flush path's fail-closed handling.

* fix(android): hand claim-persistence failures to the flush lane

A direct-send claim that fails to persist no longer reads as a lost race:
the admitted row is handed to the flush lane so a healthy connection still
delivers it, and the flush path's fail-closed handling owns any repeated
storage failure instead of the UI reporting success with no active owner.

* fix(android): enforce connection gating and fail-closed parking on every send path

The direct dispatch now rechecks a slash command's connection epoch after
its durable claim, so a reconnect between admission and dispatch parks the
command instead of replaying it on the new connection. Parking a stale
gated row only counts once the write persists; a storage failure drops
health, re-arms recovery, and halts the flush pass instead of spinning or
dispatching the stale row.

* fix(android): recognize gateway-acknowledged run ids in outbox ownership checks

A chat.send ACK can return a run id that differs from the row's
idempotency key (the direct path transfers local run ownership to it).
Ownership, in-flight, backlog, and timeout-park checks now consider both
ids, so reconciliation can no longer park — and Retry can no longer
duplicate — a turn that is still running on the gateway.

* fix(android): close remaining ack-ownership and persistence-failure gaps in the outbox

Flushed sends acked under a divergent run id now transfer local run
ownership like the direct path, so live runs cannot time out and surface
spurious errors for delivered turns. A session pin that cannot persist
stops the dispatch while the row is still safely queued. Reconcile and
timeout parking only report changes their writes actually persisted,
failing closed on storage errors.

* docs(android): record why acknowledged run ids stay in-memory
2026-07-10 22:12:25 -07:00
Josh Avant
fbd330b7aa fix(channels): honor configured read target policies (#99905)
* fix(channels): enforce configured read targets

* test(channels): align policy checks with boundaries

* fix: bind channel reads to trusted turn context

* test: satisfy gateway lint

* fix: narrow message action channel imports

* fix(feishu): authorize message reads before provider access

* fix(slack): await reaction clear authorization

* fix(channels): align provider action contracts

* fix(matrix): read direct-room account data before sync

* fix(channels): reject unsupported attachment actions early

* fix: restore trusted operator conversation reads

* fix(matrix): authorize pin actions before provider reads

* fix: preserve trusted channel read workflows

* fix(discord): resolve current channel ids consistently

* fix(agents): preserve message action turn capability

* fix(plugins): enforce host-owned read provenance

* fix(channels): harden Teams and Discord read policy

* fix(channels): preserve exact-current action compatibility

* fix(imessage): authorize trusted current chat aliases

* fix(channels): preserve normalized current aliases

* fix(channels): preserve external current target aliases

* fix: reconcile channel policy with current main

* fix(discord): isolate DM read policy

* fix(channels): enforce provider read gates

* fix(gateway): await serialized message action identity tokens

* fix(ci): refresh channel protocol contracts
2026-07-10 22:29:37 -05:00
lin-hongkuan
f4732576bd fix(ios): preserve prefixed share text (#103453)
* fix(ios): preserve prefixed share text

* fix(ios): harden shared text normalization

---------

Co-authored-by: lin-hongkuan <lin-hongkuan@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 20:01:06 -07:00
Peter Steinberger
dba64d574f chore(release): set version to 2026.7.2 2026-07-11 04:00:49 +01:00
NianJiu
df36c821a4 fix(android): require explicit retry after interrupted sends (#103273)
* fix(android): require retry after interrupted outbox sends

* fix(android): fail ambiguous outbox sends closed

Co-authored-by: NianJiuZst <180004567+NianJiuZst@users.noreply.github.com>

* fix(android): preserve run-id-only acknowledgements

* style(android): format outbox assertion

* fix(android): fail outbox recovery closed

Co-authored-by: NianJiuZst <180004567+NianJiuZst@users.noreply.github.com>

* test(android): prove dropped ack is not replayed

Co-authored-by: NianJiuZst <180004567+NianJiuZst@users.noreply.github.com>

* fix(android): accept terminal outbox acknowledgements

Co-authored-by: NianJiuZst <180004567+NianJiuZst@users.noreply.github.com>

* fix(android): persist rejected outbox retries

Co-authored-by: NianJiuZst <180004567+NianJiuZst@users.noreply.github.com>

* fix(android): require manual retry after transmitted failures

* fix(android): migrate ambiguous outbox rows safely

* test(android): import outbox cancellation type

* fix(android): limit destructive chat cache migration

* fix(android): guard outbox retry transitions

* fix(android): reject malformed chat acknowledgements

* test(android): type migration bind arguments

* test(android): separate migration and replay proof

* fix(android): accept admitted outbox acknowledgements

* fix(android): preserve gateway health after acknowledged outbox failures

* fix(android): stop outbox flush on persistence failure

* fix(android): stop outbox flush when claims fail

* fix(android): enforce durable outbox barriers

* fix(android): coalesce outbox flush requests

* style(android): format outbox assertions

---------

Co-authored-by: NianJiuZst <180004567+NianJiuZst@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 19:41:40 -07:00
WhatsSkiLL
5c38f62b27 [AI-assisted] Make Android chat thinking selection explicit (#103893) 2026-07-10 22:27:56 -04:00
Peter Steinberger
7b5854bee8 feat(webui): reintroduce opt-in AI purpose titles for tool calls (#103989)
* feat(webui): reintroduce opt-in AI purpose titles for tool calls

Restores the chat.toolTitles path removed in #103821, gated behind the new
gateway.controlUi.toolTitles opt-in (default false) so tool rendering stays
fully deterministic with no background model calls unless an operator enables
it. Disabled gateways answer { titles: {}, disabled: true } without loading
the completion runtime, and clients stop asking for the session.

When enabled, titles use canonical utility-model routing: an explicit
utilityModel (operator-chosen provider, like every utility task), else the
session provider's declared small-model default, honoring per-session model
overrides and auth profiles; utilityModel "" disables titles and malformed
refs fail closed — never the primary model. Tool inputs are redacted with the
tools-mode redactor before cache keys or prompts, caller ids are bounded and
never reach the model, and results cache in the per-agent SQLite
cache_entries so repeat views never re-bill.

Also completes two crestodian model-input mock factories that leaked into
sibling tests under shared-registry CI shards.

Fixes #103987

* fix(webui): redact tool-title inputs before truncation
2026-07-10 19:18:02 -07:00
Peter Steinberger
b7156ce688 fix(macos): drag the window from split-view pane headers (#104048)
* fix(macos): drag the window from split-view pane headers

In the macOS app, split-screen pane header rows (session title strip) now
start a native window drag instead of selecting the title text. The Control
UI posts an openclawWindowDrag script message on mousedown over passive
header chrome; the dashboard window validates the trusted main-frame source
and the in-flight left-mouse press before calling NSWindow.performDrag.
Pane headers are chrome, so they are also no longer text-selectable.

* refactor(macos): move the dashboard failure page out of the window controller

SwiftLint type_body_length: the drag-message handler pushed
DashboardWindowController past 800 lines; the failure-page HTML is
presentation-only and now lives in DashboardFailurePage.
2026-07-10 19:07:04 -07:00
Peter Steinberger
b29fe954f1 fix(macos): start existing CLI gateway during onboarding (#104051)
* fix(macos): start detected CLI gateway during onboarding

* chore(macos): refresh native i18n inventory
2026-07-10 19:02:51 -07:00
Peter Steinberger
425c5b9f26 fix(macos): reject revoked forwarded exec approvals (#103968)
* fix(macos): reject revoked forwarded exec approvals

* fix(macos): split approval plan validation

* chore(i18n): refresh native source lines
2026-07-10 19:01:17 -07:00
WhatsSkiLL
db817e72ce [AI-assisted] Simplify Android Canvas standby surface (#104001)
* [AI-assisted] Simplify Android Canvas standby surface

* chore(android): sync native i18n inventory

---------

Co-authored-by: IWhatsskill <284122573+IWhatsskill@users.noreply.github.com>
2026-07-10 21:07:56 -04:00
Peter Steinberger
df067770d7 fix(mac): deflake exec-approvals socket guard test and create state dir with 0700 directly (#104028) 2026-07-10 18:07:35 -07:00
Peter Steinberger
249e6efe63 feat(mac): add bulk Approve All / Reject All to the pairing approval panel (#104011)
* feat(mac): add bulk Approve All / Reject All to the pairing approval panel

* fix(mac): resolve bulk pairing decisions against the rendered snapshot
2026-07-11 01:44:34 +01:00
Peter Steinberger
0120cacf9e fix(macos): let onboarding use taller windows (#104004)
* fix(macos): make onboarding resize vertically

* chore(macos): refresh onboarding i18n inventory

* chore: leave changelog to release generation
2026-07-11 01:39:49 +01:00
Peter Steinberger
3ec2a50d6c fix(exec): prevent revoked policy from authorizing delayed node runs (#103950)
* fix(cli): fail closed on exec policy rollback races

* refactor(cli): reuse canonical exec policy ordering

* fix(exec): bind delayed approvals to prepared policy

* fix(macos): revalidate delayed exec approvals

* fix(exec): align approval snapshot validation gates
2026-07-11 01:37:37 +01:00
Peter Steinberger
98902c790f fix(macos): preserve launchd gateway during port sweep (#103972) 2026-07-10 23:46:30 +01:00
Peter Steinberger
a0354e5243 fix(onboarding): make fresh AI setup reliable and transparent (#103962)
* fix(onboarding): harden inference setup

* fix(mac): preserve setup request cancellation

* test(crestodian): align setup audit expectation

* test(crestodian): cover approval persistence warning

* fix(crestodian): preserve setup credentials and success

* chore(pr): leave changelog to release flow

* fix(onboarding): repair native CI gates
2026-07-10 23:44:53 +01:00
Peter Steinberger
d92d5774f5 fix(node): report Mac exec policy defaults (#103945) 2026-07-10 22:07:44 +01:00
Peter Steinberger
9b1c36d23c fix: prevent exec approval revocation races (#103515)
* fix(security): serialize exec approval mutations

* fix(security): preserve additive approval writes

* test(cli): expect normalized approval shape

* fix(security): preserve exec approval compatibility

* test(security): exercise locked approval initialization

* test(security): mock serialized approval helpers

* test(exec): derive enforced command path from plan

* fix(gateway): always return approval CAS conflicts

* fix(macos): serialize exec approvals writes

* fix(security): repair approval build errors

* fix(security): serialize exec approval mutations

* fix(security): fail closed on approval persistence errors

* test(security): cover detached approval persistence failures

* fix(security): harden exec approval state

* style(macos): format exec approval sources

* fix(security): complete exec approval hardening

Co-authored-by: Coy Geek <65363919+coygeek@users.noreply.github.com>

* fix(macos): preserve approved login-shell semantics

* fix(macos): keep login shell approvals one-shot

* fix(security): linearize exec authorization

Co-authored-by: Coy Geek <65363919+coygeek@users.noreply.github.com>

* fix(security): preserve durable approval basis

Co-authored-by: Coy Geek <65363919+coygeek@users.noreply.github.com>

* fix(security): bind exec grants to current policy

Co-authored-by: Coy Geek <65363919+coygeek@users.noreply.github.com>

* test(security): fix exec revocation fixtures

* test(security): align gateway approval fixtures

* fix(macos): return approval decisions

* chore(i18n): sync native approval strings

* test(security): align approval hardening fixtures

* test(node): authorize completed event fixture

* test(security): fix approval decision fixtures

* test(security): await durable approval visibility

* fix(exec): preserve concurrent approval grants

* fix(exec): address exact-head CI failures

* fix(exec): preserve concurrent approval promotions

* fix(exec): make Swift shutdown state explicit

* test(macos): handle approval read failures

* fix(macos): harden approval socket paths

* fix(macos): preserve exact shell payload bytes

* test(macos): make approval fixtures explicit

* test(macos): fix approval suite compilation

* fix(macos): bound approval socket JSONL reads

* chore: move exec approval note to release process

* chore: move exec approval note to release process

---------

Co-authored-by: Coy Geek <65363919+coygeek@users.noreply.github.com>
2026-07-10 21:35:05 +01:00
Peter Steinberger
1bcc4c5e70 feat(gateway): add cooperative host suspension (#103618)
* feat(gateway): add cooperative suspension preparation

* style: satisfy suspension lint checks

* test(gateway): reset work admission between shared suites

* fix(gateway): reject upgrades during suspension

* fix(gateway): preserve admitted work during suspension

* test(gateway): isolate suspension and restart state

* fix(gateway): close suspension false-ready gaps

* refactor(protocol): slim suspension declaration graph

* refactor(plugin-sdk): sever protocol registry edges

* fix(gateway): preserve admitted restart follow-ups

* fix(gateway): make suspension recovery fail closed

* fix(protocol): keep validation formatter re-export only

* test(gateway): simplify deferred fixture type

* style(gateway): clarify suspension entry name

* fix(gateway): retain detached work admission
2026-07-10 20:24:53 +01:00
Peter Steinberger
5a48e73973 fix(macos): duplicate launches open SSH tunnels before handoff (#103892)
* fix(macos): gate tunnels behind singleton launch

* chore(macos): leave changelog to release workflow

* chore(macos): sync native i18n inventory
2026-07-10 19:54:04 +01:00
WhatsSkiLL
eb7613cecd fix(android): ellipsize onboarding permission labels (#103649)
Co-authored-by: IWhatsskill <284122573+IWhatsskill@users.noreply.github.com>
2026-07-10 14:17:28 -04:00
Peter Steinberger
5aea34ad8c fix(webui): keep tool activity paired without model calls (#103821)
* fix(webui): make tool activity rendering deterministic

* fix(protocol): remove stale tool-title models

* fix(i18n): translate tool activity labels

* fix(i18n): translate tool activity labels
2026-07-10 18:21:08 +01:00
Peter Steinberger
091584b197 chore(swift): restore compact conditional bodies (#103832)
* style(swift): restore compact conditional bodies

* fix(ios): remove redundant startup timeout await

* chore(swift): sync native i18n inventory
2026-07-10 18:12:00 +01:00
WhatsSkiLL
1754292217 [AI-assisted] Tidy Android Sessions row affordances (#103108)
* fix(android): clean up Sessions row visuals

* chore(android): refresh native i18n inventory

* fix(android): consolidate session sorting controls

---------

Co-authored-by: IWhatsskill <284122573+IWhatsskill@users.noreply.github.com>
2026-07-10 12:43:18 -04:00
Peter Steinberger
fc2afc83da feat(webui): redesign tool-call rendering with inline diffs, group summaries, and cheap-model purpose titles (#103748)
Kind-aware tool rows (terminal-style commands with wrapper stripping and
display highlighting, file edits with inline numbered diffs and diffstat,
write previews, key-value args), aggregate group summaries with live run
status, and a new batched chat.toolTitles gateway RPC that titles complex
calls via the configured utilityModel or the OpenAI Luna default (gated to
OpenAI-primary agents, cached in the per-agent SQLite cache_entries).

Also fixes two transcript pairing bugs: result blocks now inherit call
id/name/details at merge time, and results pair with any open call in the
current tool run so parallel calls render as single rows.

Fixes #103554
2026-07-10 17:26:22 +01:00
Peter Steinberger
d628e35574 fix(apple): prevent stale thinking after model switches and reconnects (#103767)
* fix(apple): prevent stale model thinking state

* test(apple): complete attachment transport fixture

* fix(apple): scope model patch ordering by route identity

* chore(apple): sync native CI metadata
2026-07-10 16:48:11 +01:00
openclaw-mantis[bot]
983c0df2c3 chore(i18n): refresh native locales (#103743)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-07-10 16:13:49 +01:00
Peter Steinberger
48b0f4edf5 feat(gateway): session worktree targeting, branch listing, and server-side session groups (#103432)
* feat(gateway): session worktree targeting, branch listing, and group catalog

- sessions.create accepts worktreeBaseRef/worktreeName (write scope) and
  execNode (admin); worktree binding persists on the session entry as
  worktree { id, branch, repoRoot } and projects onto session rows with
  execNode so UIs can show checkout/branch/node state
- new worktrees.branches RPC lists local/remote branches (no fetch) for
  base-ref pickers; worktrees.remove now reports snapshotError
- sessions.delete reports preserved dirty checkouts as worktreePreserved
- gateway-owned session group catalog in the shared state DB with
  sessions.groups.list/put/rename/delete; rename/delete update member
  categories server-side without bumping recency; sessions.patch absorbs
  ad-hoc categories into the catalog
- group session display names prefer the human chat title (subject or
  space #channel) over stored compact tokens

Part of #103431

* fix(gateway): route group category updates through the session accessor and regen protocol models

- bulk member-category rename/clear uses applySessionEntryReplacements
  instead of legacy updateSessionStore call sites (session accessor
  boundary guard)
- regenerate Swift GatewayModels for the worktrees.branches schemas,
  snapshotError, and new sessions.create params

Part of #103431

* fix(gateway): resolvable remote branch refs and workspace-scoped branch listing

- worktrees.branches returns remote-only branches remote-qualified
  (origin/feature-a) so every advertised name works as a worktree base ref
- write-scoped worktrees.branches callers are limited to configured agent
  workspaces; other host paths require operator.admin, matching the
  sessions.create cwd bar

Part of #103431

* fix(gateway): guard worktree name reuse by owner and env-scope group transactions

- managedWorktrees.create rejects a caller-chosen name whose live or
  restorable record belongs to a different owner, so write-scoped
  sessions.create cannot bind a session into another session's or a
  manual checkout
- session group catalog writes run their SQLite transaction on the same
  env-scoped handle as their statements, keeping OPENCLAW_STATE_DIR
  overrides atomic and away from the default state DB

Part of #103431
2026-07-10 15:51:35 +01:00