* refactor(matrix): adopt core claimable dedupe for inbound events
* fix(matrix): migrate legacy inbound dedupe markers via doctor
* fix(matrix): single-pool dedupe namespace and capacity-aware legacy import
* fix(matrix): keep unreadable legacy dedupe JSON in place during doctor import
* feat(dashboard): modular dashboard — workspace store, Workspaces tab, sandboxed custom widgets
Squashes openclaw/openclaw#101094 + #101097 + #101098 onto current main and
applies the maintainer review fixes to the backend control plane.
Co-authored-by: 100yenadmin <239388517+100yenadmin@users.noreply.github.com>
* fix(dashboard): UI review fixes — grid, error boundary, embed sandbox, locale
* fix(dashboard): make the CLI and agent broadcasts actually reachable
Three defects only a live run surfaces, all invisible to the unit suites:
- The plugin claimed the CLI command name `dashboard`, which core already owns
(it opens the Control UI). A plugin CLI group that overlaps a core command is
dropped at registration behind a `logger.debug`, so the entire CLI face was
unreachable while `cli.test.ts` kept passing against its own Commander
program. Renamed to `openclaw workspaces`, matching the tab it drives.
- The manifest never declared `activation.onCommands`, so the CLI root resolved
to no owning plugin even once the name was free.
- `dashboard.widget.approve` needs `operator.approvals`; the CLI asked for
`operator.write` on every call. It now requests the approvals scope only for
the approve call, matching `operator-approvals-client.ts`.
Also: agent tools resolved their broadcast from the plugin runtime's
gateway-request scope, an AsyncLocalStorage set only around gateway RPCs and
plugin HTTP routes. An agent turn started from a channel, cron, or heartbeat
therefore wrote the document without emitting `plugin.dashboard.changed`, so an
open Control UI never saw the edit — the feature's headline promise. The gateway
broadcast is server-lifetime, so the plugin now remembers it in a single slot and
agent tools fall back to it.
* docs(web): document dashboard workspaces, provenance, and the custom-widget sandbox
* fix(dashboard): agent-tool ergonomics + close two approval-boundary gaps
From a source-blind agent driving the dashboard_* tools with nothing but their
schemas, and from a Codex review of the hardening delta.
- dashboard_widget_update could never succeed. It passed its whole parameter
record to the patch reader, whose allowlist rejects the very `tab`/`id` keys
the tool's own schema marks required, so every call died on
"unexpected param: tab". Its test only ran Value.Check against the schema and
never executed the tool.
- dashboard_data_read surfaced an `rpc` binding as a thrown error, though its
description promised `binding_client_resolved`. It now returns that as a
result the model can act on.
- Valid widget kinds and the rpc allowlist were undiscoverable: a model saw only
"builtin:<name> or custom:<name>" and "Allowlisted gateway read method", then
brute-forced ~40 calls against errors that named no alternatives. Both schemas
and both validator errors now enumerate them, and the kind description says
what each builtin renders and which binding id it reads. widget_move documents
that grid and toTab are exclusive; widget_scaffold says an operator must
approve, because no agent tool can.
- workspace.replace could mint a pending registry entry for a name that was
never scaffolded. An operator could then approve a widget whose code did not
exist yet, and the agent could write it afterwards. Registry entries now come
from dashboard_widget_scaffold and nowhere else, and approve refuses a name
with no manifest on disk.
- dashboard.widget.approve answered with the whole workspace document, so a
connection holding only operator.approvals could read it through the approvals
door. It now returns the registry entry it changed.
* fix(dashboard): approval pins the code it approves
Codex review found the scaffold-before-approval gate still nameable rather than
binding: approve only proved that widget.json parsed, and the Control UI loaded a
hardcoded index.html rather than the manifest's entrypoint. An agent could
scaffold a widget, win approval on an innocuous or absent entrypoint, then write
the real payload afterwards — code appearing after the human said yes.
Approval now hashes every servable file in the widget directory and stores the
digests on the registry entry, refusing a manifest whose declared entrypoint is
missing. The asset route re-hashes each file it reads and 404s anything that does
not match, so a file edited or added after approval never reaches a browser. The
Control UI loads the manifest's entrypoint, which is the file that was hashed.
The content-type allowlist moves to manifest.ts so the set of files approval
hashes and the set the route can serve cannot drift apart.
Proof, against a running gateway: scaffold -> 404, approve -> 200, rewrite
index.html -> 404, add late.js -> 404.
* fix(dashboard): parse the approved manifest from the bytes that were hashed
Codex found a TOCTOU in the approval path: it loaded and validated widget.json,
then walked the directory again to compute the digests. An agent could swap
widget.json between the two reads, so the operator validated one entrypoint while
the digest froze — and the Control UI later mounted — a different one.
snapshotApprovedWidget now reads the widget directory once: it hashes every
servable file, parses the manifest out of the same widget.json bytes it hashed,
and requires the declared entrypoint to be among them.
Proof, against a running gateway: approve -> index.html 200; rewrite widget.json
to point at evil.html and drop evil.html in -> both 404.
* fix(dashboard): cap approval asset reads; bound the grid fallback search
Two findings from the fourth Codex pass.
Approval hashes agent-authored files that are untrusted until it runs, and read
each one into memory with no size check — dropping one huge .png into a scaffold
directory would stall or OOM the gateway during approve. Sizes are now checked
before the read, with a 2 MB per-file and 8 MB total cap.
nearestFreeSlot searched one band below the lowest occupied row, so a crowded
layout near the bottom could return y=500 as the closest free slot: a placement
the store rejects, which the UI applies optimistically and then snaps back. The
search now stops at the last row a widget of that height can legally occupy.
* fix(dashboard): refuse oversized widget assets before reading them
Approved widget files stay writable and the asset route is unauthenticated, so
swapping an approved small file for a very large one made every GET buffer the
whole file before the digest check rejected it. The route now refuses anything
past the same per-file cap approval enforces, on the stat it already performs.
* fix(dashboard): enforce widget approval boundaries
* docs(changelog): note modular dashboard workspaces
* fix(dashboard): enforce static custom-widget data boundary
* fix(dashboard): satisfy UI lint
* test(dashboard): avoid legacy proto access
* feat(dashboard): make plugin opt-in
* docs(dashboard): refresh workspaces map
* refactor(workspaces): standardize plugin naming
* fix(workspaces): make widget prompt sends idempotent
* docs(workspaces): fix internal path references
* test(workspaces): make prompt assertion lint-safe
* test(workspaces): type prompt request mock
* fix(workspaces): harden approval and binding boundaries
* test(workspaces): complete stale binding client mock
* fix(workspaces): harden widget file boundaries
* fix(workspaces): scope custom widget capabilities
* fix(workspaces): align approval provenance
* fix(workspaces): close branch contract gaps
* test(workspaces): complete builtin context fixtures
* fix(workspaces): aggregate overview usage
* chore(workspaces): defer release note
* chore(workspaces): refresh i18n metadata
---------
Co-authored-by: 100yenadmin <239388517+100yenadmin@users.noreply.github.com>
* fix(macos): host the dashboard sidebar toggle beside back/forward in the titlebar
The Control UI's floating sidebar-expand button rendered as a bordered web
control crowding the traffic lights in the dashboard window. The toggle now
lives as a native borderless button in the leading titlebar accessory ahead
of back/forward (Safari ordering) and bridges to the web UI via the
openclaw:native-toggle-sidebar event; the injected chrome script advertises
the capability with an openclaw-native-nav class so the web control retires
itself visually while staying keyboard/screen-reader reachable.
* docs: note the macOS app's native titlebar sidebar toggle in the Control UI guide
* origin/main:
fix(cron): abort superseded reconciliation hooks (#104368)
ci(release): expose Telegram runtime preflight stage (#104387)
fix(status): avoid false shell-wrapper audit warnings (#81778)
fix: retry live Gateway readiness proof (#104374)
fix(exec-approval): stop misattributing Allow Always unavailability to policy (#97740)
fix: preserve Mac bundle during live builds (#104376)
chore(docs): translate with GPT-5.6 xhigh
test: wire Control UI suite into CI, fix its broken tests, drop dead harness surface (#104361)
fix(ui): hide group submenu separator when New group is the only entry (#104370)
fix(discord): reset progress drafts across queued turns (#102341)
docs(cli): clarify that exec-policy show and approvals get exclude per-session /exec overrides (#94999)
fix(discord): single-source thread-binding default placement and guard artifact parity (#104342)
fix(agents): add tool-activity heartbeat to keep subagent alive during tool calls (#95536)
fix(maint): reuse recent same-PR hosted gates (#104355)
* fix(exec-approval): stop misattributing Allow Always unavailability to policy
Allow Always is dropped both when policy ask=always AND when a command is
non-persistable (e.g. shell redirect `2>&1` -> one-shot), but the prompt always
claimed 'effective approval policy requires approval every time'. That's
misleading for the non-persistable case (#97069). Reword to reason-neutral
'Allow Always is unavailable for this command.' across all approval surfaces,
update en + 20 locale bundles, refresh i18n meta, and the matching tests.
Closes#97069
* fix(exec-approval): stop misattributing Allow Always unavailability to policy
* test(ui): await exec approval render updates
* chore(ui): sync approval i18n metadata
---------
Co-authored-by: saju01 <saju01@users.noreply.github.com>
Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com>
Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>
* test: wire Control UI suite into CI, fix its broken tests, drop dead harness surface
- fix 7 Control UI tests broken on main: module-mock factories are unreliable
under isolate:false shared workers; use RealtimeTalkSession prototype spies
and real jsdom storage instead (chat-realtime, chat-pull-requests)
- add gated checks-ui CI job (runUiTests changed-scope output): chromium
provisioning, lint:ui:no-raw-window-open, pnpm --dir ui test; ~30s on a
4vcpu runner, runs only when ui-affecting paths change
- add weekly node22-compat workflow exercising the supported lower Node bound
with the same command set as the dispatch-only ci.yml job
- delete the unreachable channels entry in EXTENSION_TEST_CONFIG_ROUTES and
the never-populated extensionRoutedChannelTestFiles override machinery
(born empty in 2ccb5cff22); resolved globs are provably identical
- guard run-vitest.mjs hardcoded path maps with existence tests so renames
cannot silently drop extended stall watchdogs
- remove unenforced coverage thresholds; test:coverage is informational, docs
updated (reference/test, help/testing, plugins/sdk-testing)
Closes#104321
* test: pin OPENCLAW_CI_RUN_UI_TESTS in the manifest env expectation
* test(ui): capture the realtime start spy instead of referencing the unbound prototype method
* test(ui): raise ui vitest timeouts for real-browser layout tests on small CI runners
* fix(discord): guard progress draft collapse to prevent re-collapse on cleaned stream
Commit 86ea382 added a progressDraftStartedBeforeFinal latch that snapshots
hasStarted at markFinalReplyStarted time. This correctly preserves collapse
eligibility when an abort cancels the compositor gate before
shouldCollapseProgressDraft runs.
However the latch was never cleared. After markPreviewFinalized turned the
draft into a summary, hasProgressDraftStarted remained true permanently. In
multi-tool turns with multiple final-payload deliveries, this caused
shouldCollapseProgressDraft to re-trigger collapse on an already-cleaned or
sealed draft stream, corrupting downstream delivery state and causing tool
results to render as image content blocks instead of text.
Fix: add a progressDraftCollapsed guard set by markPreviewFinalized that
prevents hasProgressDraftStarted from returning true after the draft has been
collapsed into a summary. Reset the guard on handleAssistantMessageBoundary
so followup/queued turns start fresh.
Per Discord channel session, all tool results rendered as image content
blocks. Model received (see attached image) placeholders instead of text.
Fixes#100782
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* fix(discord): use valid table/chunk mode literals in collapse-guard tests
* test(discord): add abort-race gate-cancellation latch survival test
* fix(discord): consume progress draft collapse once
Co-authored-by: xialonglee <li.xialong@xydigit.com>
* fix(discord): retain progress receipt on retry
Co-authored-by: xialonglee <li.xialong@xydigit.com>
* fix(discord): rearm queued progress drafts
Co-authored-by: xialonglee <li.xialong@xydigit.com>
* test(discord): assert progress lifecycle outcomes
Co-authored-by: xialonglee <li.xialong@xydigit.com>
* fix(discord): reset queued progress turn state
Co-authored-by: xialonglee <li.xialong@xydigit.com>
* test(discord): model recreated progress drafts
Co-authored-by: xialonglee <li.xialong@xydigit.com>
* fix(discord): serialize progress draft rotation
Co-authored-by: xialonglee <li.xialong@xydigit.com>
* fix(discord): isolate queued draft generations
Co-authored-by: Peter Lee <xialonglee@users.noreply.github.com>
* test(discord): align synchronous draft rotation
Co-authored-by: Peter Lee <xialonglee@users.noreply.github.com>
* fix(discord): distinguish draft rotation ownership
Co-authored-by: Peter Lee <xialonglee@users.noreply.github.com>
* chore: keep release notes in pull request
---------
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
* [AI] fix(agents): add run-scoped tool-activity heartbeat to prevent premature subagent idle timeout
Subagent LLM idle watchdog tripped during long-running tool calls because
tool completions did not reset the idle timer.
Implement a per-run tool-activity heartbeat:
1. notifyToolActivity(runId) — published from embedded-runner tool
execution wrappers (attempt.ts) whenever a tool completes
2. onToolActivity(runId, listener) — consumed by streamWithIdleTimeout
to reset the idle watchdog on tool completion
3. getLastToolActivityMs(runId) — shared timestamp Map so pre-stream
activity is visible to armTimer before the first stream iteration
4. clearToolActivityRun(runId) — wired into the run lifecycle finally
block to clean up listener sets and timestamps when the run exits
Scoped per-run via runId-keyed Maps to prevent concurrent runs from
resetting each other's idle watchdogs.
Related to #94124
* [AI] fix(agents): copy plugin/channel/before-tool-call metadata onto heartbeat tool wrappers
* [AI] test(agents): add metadata preservation regression tests for heartbeat tool wrapper
* [AI] fix(agents): preserve terminal presentation metadata on heartbeat tool wrapper
* [AI] chore: update test comment for four metadata copy calls
* fix: add periodic heartbeat during tool execution
Fire notifyToolActivity at tool start and every 60s via setInterval
so long-running tools survive the 120s LLM idle watchdog.
Co-Authored-By: Claude <noreply@anthropic.com>
* fix: remove useless catch clause (no-useless-catch)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix: preserve Code Mode control-tool identity through heartbeat wrapper
Adds copyCodeModeControlToolIdentity() to replicate the WeakSet
membership that markCodeModeControlTool() sets. Without this,
the heartbeat wrapper drops Code Mode identity for exec/wait
tools, weakening before_tool_call policy and approval handling.
Co-Authored-By: Claude <noreply@anthropic.com>
* fix: wrap deferred directory tools with heartbeat
resolveDeferredTool hydrates hidden catalog tools outside the
effectiveTools.map() wrapper, so they bypassed the periodic
notifyToolActivity heartbeat. Wrap the hydrated execute function
with the same start/interval/complete notification pattern.
Co-Authored-By: Claude <noreply@anthropic.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
* feat(tooling): add tsgo typecheck lane for scripts/**
* fix(scripts): burn down scripts type debt surfaced by the new lane
Typing-only except bugs the lane surfaced: gh-read timeout race,
Discord Headers spread dropping entries, undefined allowedHeadBranches
match, plugin-boundary matchAll crash. Deletes retired config keys from
fixtures/benches (prompt snapshots regenerated, config dump only) and
the orphaned non-runnable sync-moonshot-docs script. Adds full-surface
.d.mts declarations for existing .mjs boundaries.
* fix(watch): defer restart when dist/ is mid-rebuild (#99603)
Defer gateway:watch child restart when run-node's build/runtime-postbuild
readiness contract reports a hard dist/ failure. Only defers on conditions
where the child physically cannot start, preserving normal restart behavior
for soft staleness that run-node can rebuild on start.
Hard failures (defer restart):
- missing_dist_entry (mid-rebuild)
- missing_bundled_plugin_dist_entry
- missing_private_qa_dist
- missing_runtime_postbuild_output
Soft staleness (allow restart, run-node rebuilds):
- missing_build_stamp (w/ direct entry.js check for masked case)
- git_head_changed, dirty_watched_tree
- config_newer, build_stamp_missing_head, source_mtime_newer
isBuildReadyForRestart delegates to resolveBuildRequirement and
resolveRuntimePostBuildRequirement from run-node.mjs, using the
watcher process environment for consistency with the child runner.
200ms polling with 5-min timeout. Child-exit bounded recovery.
Clears stale restartRequested on timeout/poll errors.
Ref: #99603
Co-Authored-By: Claude <noreply@anthropic.com>
* fix(watch): deduplicate deferral loops, add single-flight guard, remove lint suppression
- Extract deferUntilBuildReady(onReady, onTimeout) shared helper,
replacing the near-identical pollBuildReady and pollAfterChildExit.
- Add single-flight guard (deferredRestartActive) so concurrent file
change events during deferral coalesce into one poll loop instead of
spawning a git-subprocess storm.
- Replace inline .catch arrow callback with method-style call, removing
the oxlint-disable-next-line suppression and its allowlist entry.
- Add tests: coalescing multiple changes, requestRestart recovery.
Ref: #99603
Co-Authored-By: Claude <noreply@anthropic.com>
* fix: keep gateway watch alive during concurrent builds
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
* fix(mac): prerelease-exact launch resolution and policy-aware update ownership
* fix(ui): keep update affordance when nav is hidden and fall back on native decline
* chore(i18n): sync native inventory
* feat(control-ui): add chat selection popup with More details and Ask in side chat
* fix(control-ui): keep BTW pending card visible and clear it on resultless terminal runs
* fix(control-ui): route failed BTW runs to an error side-result card and ignore stale side results
* fix(control-ui): correlate BTW pending cards by pre-generated run id and suppress superseded runs
* fix(control-ui): retire abandoned BTW runs so late side events never reach the transcript
* chore(docs): regenerate docs map for btw selection-popup section; fix selection-popup test lint