Shipped alpha tags carry a dedicated ## X-alpha.N heading with no base
section (see v2026.6.20-alpha.1's tagged CHANGELOG.md); the renderer and
candidate provenance now prefer that dedicated heading for alpha and
correction tags while beta/stable remain pinned to the stable base
section per #103222.
Codex review + test findings on the pipeline convergence:
- candidate changelog provenance now validates the same section the
renderer publishes (correction tags may carry their own heading) via a
shared correctionVersionForTag helper
- guard_existing_public_release accepts a canonical proofless body with
intact dependency evidence, matching the renderer's documented
proof-omitted-at-limit state; retries re-append the proof
- ledgerFor regains main's noteReferences threading so prose-cited PRs
keep their contribution-record rows, and the ledger/verify tests pin
the merged entry shape (externalReferences) and highlight gate
Two competing release-notes pipelines existed: the release branch's
hardened render/verify/provenance pipeline (a486f3ab08 + dcee1da876,
battle-tested by 2026.7.1) and main's lighter prepare-github-release-notes
size gate (#103222). Repo policy is one canonical path; the release-branch
pipeline wins and main's unique value is grafted in:
- scripts/render-github-release-notes.mjs becomes the canonical release
body renderer (full/compact 125k char+byte modes, tag-pinned record
link, verification tail, canonical shipped-baseline format), now also
preferring a correction tag's dedicated changelog section (from
prepare's heading matrix).
- verify-release-notes.mjs is a three-way merge: release's --shipped-ref
cumulative baselines, provenance checks, highlights gate, and the
excluded-record rewrite fix, plus main's compact contribution rows,
externalReferences threading, and both-heading parser compat.
- release-candidate-checklist.mjs gains validateCandidateCheckout and
changelog-provenance gates that run before any dispatch.
- openclaw-release-publish.yml keeps main's fail-before-mutation early
notes gate (retargeted to the renderer) and adopts release's
render/verify_release_tag_target/canonical_release_body_matches flow.
- scripts/prepare-github-release-notes.mjs and its test are deleted;
release-notes-ledger.test.ts stays and pins the merged verify exports.
- .gitignore tracks every repo skill for Git-aware syncs; SKILL.md
runbooks and RELEASING.md document the converged contract.
On the month/day anniversary of a palette's first Lobsterdex visit the
arriving lobster wears the party hat. Lifetime visit milestones add
honorifics to the hover name: Sir at 50, Captain at 100, Elder at 250.
* fix(ios): stop camera work when invoke is cancelled
* fix(ios): mark AVFoundation cancellation boundary
* chore(ios): refresh native i18n inventory
* fix(camera): clean up cancelled warm-up sessions
* fix(ios): make camera cancellation lifecycle-safe
---------
Co-authored-by: NianJiuZst <180004567+NianJiuZst@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
The Codex app-server projector now caps native tool output at 10k chars before it reaches OpenClaw's replayable surfaces (transcript tool results, trajectory output, progress text, streamed delta accumulation, MCP/dynamic tool text), with an explicit truncation notice carrying the original length. Assistant-item echo suppression is scoped to raw-lane promotions with bounded multi-shape signatures: typed agentMessage finals are never content-filtered (verbatim tool-output answers are preserved), fine-grained streams cannot evict the start-summary signature, and the post-truncation prefix freeze from main is restored so surrogate-boundary cuts cannot corrupt echo matching. This closes the projector-side replay amplification from #99465; native/provider-side replay budgets remain tracked in #99551.
Fixes#99465
Thanks to Eva (@100yenadmin) for the contribution.
* feat(ui): restore sidebar chrome and remove the pane workspace strip
Reverse course from #103426 on the app chrome: the left sidebar owns
brand, pinned navigation + More, New session, sessions, and the footer
(status dot, Settings, Docs, pairing, theme) again, and the desktop
topbar is gone. What stays from that PR: the dockable workspace rail
(right/bottom, drag or button), the in-flow split-pane headers, and
Cmd+B now hides the sidebar entirely (no 78px icon rail) with a
floating expand control.
The real target of the original request: the vertical icon strip at
each pane's right edge is deleted. A collapsed workspace rail renders
nothing; the toggle (with a changed-file badge) lives in the split-pane
header next to split/close, or floats at the top-right in single-pane
chat. Shift+Cmd+B still toggles.
Narrow native macOS windows (e.g. the in-app link browser splitting
the window) previously stacked 50px of injected titlebar padding on
top of the 58px drawer row; the web CSS now folds that into one
compact 58px row beside the traffic lights, with selectors that
outrank the rules shipped Mac apps inject.
* chore(ui): regenerate locale bundles and docs map for sidebar restore
* fix(ui): bind showPaneHeader explicitly on the classic single pane
* chore(ui): reconcile locale metadata after rebase onto lobster wild cards
In messages.visibleReplies "message_tool" sessions, a successful agent turn that produced a substantive private final without calling message(action=send) previously left the user with silence and only an operator log. The gateway now enqueues one protected front-of-queue retry prompting the model to deliver the reply, and falls back to a sanitized visible diagnostic when the retry cannot be enqueued or also strands. Queue overflow protection is unified with the in-flight-aware drop policy (skip in-flight or protected items, reject when nothing is droppable), rejected overflow no longer refreshes the drain debounce, heartbeat turns are excluded from recovery, and recovery retries no longer share the client turn's queued-turn lifecycle.
Fixes#85714
Thanks to Eva (@100yenadmin) for the contribution.
* feat(channels): narrated progress drafts + activity receipt on the final answer
Progress mode replaces raw tool lines with short utility-model narration of
what the agent is doing (streaming.progress.narration, default on, requires
an explicit utilityModel). On Discord the final answer now carries the
-# activity receipt and the working draft is deleted once the answer lands,
so busy channels keep no orphaned tool log above the reply.
Formatting verified remotely via Testbox oxfmt --check (hook bypassed:
no node_modules in this worktree).
* fix(channels): keep narration toggle independent of channel-default stream mode
Discord resolves its own progress default, so the resolver must not re-derive
mode with the generic partial fallback (narration was off for unset config).
* fix(auto-reply): honor status-only command text in narration model input
streaming.progress.commandText: "status" hides raw exec/bash text from the
channel draft; narration input now mirrors that policy so the utility model
never receives more command detail than the draft shows (Codex review P2).
Formatting verified remotely via Testbox oxfmt --check.
* fix(auto-reply): share the draft's command-tool set for narration and regen channel metadata
Reuse isCommandToolName (exec|shell|bash) so narration's commandText policy
matches the draft formatter exactly, and regenerate bundled channel config
metadata for the new streaming.progress.narration key (Codex review round 2).
Gates verified on Testbox: config:channels:check, oxfmt --check, 4 test shards.
* fix(channels): clear stale narration when the narrator stops mid-turn
An empty narration update now falls the draft back to raw tool lines, and the
narrator emits that clear when it disables after consecutive failures or the
per-turn cap, so drafts never pin stale status text (Codex review round 3).
Gates verified on Testbox: oxfmt --check + 4 test shards.
* chore(config): regen bundled channel metadata after rebase onto main
* chore: CI fixups — lint nits, test harness types, docs map, SDK surface budget
Two deliberate public SDK additions (resolveChannelStreamingProgressNarration,
isCommandToolName via the streaming wildcard re-export) bump the pinned
public-surface budgets to current counts (exports 10488, callable 5235).
Gates verified on Testbox: oxfmt, targeted oxlint, docs:map:check,
config:channels:check, check:test-types, 5 test shards.
* feat(cli,webchat): lobster wild cards - a CLI cousin, moving day, and opt-in sounds
The openclaw banner gains a rare day-seeded ASCII lobster (rich TTYs,
random tagline mode, never CI). The web pet notices gateway upgrades and
arrives carrying a bindle for one load. A new default-off Lobster sounds
quick setting adds tiny WebAudio chirps on pokes and pets. The lobster
docs page learns about petting, sounds, and this batch's field notes.
* chore(webchat): regenerate keyless raw-copy i18n baseline after rebase
* fix(agents): keep model fallback turn-local instead of persisting over user pins
* fix(telegram): use live config snapshots per operation
Co-authored-by: Ayaan Zaidi <hi@obviy.us>
* test(telegram): fix config snapshot type coverage
---------
Co-authored-by: Ayaan Zaidi <hi@obviy.us>
Codex review round four: workflows execute helper scripts from the
workflow ref, so comparing only the .github/workflows tree missed
script-only harness changes. Harness equivalence now means the git tree
diff between the candidate run's head SHA and the current workflow SHA
is itself release-metadata-only, using the same canonical classifier as
the target delta. The classifier's worktree overlay no longer applies
when --head is an explicit SHA, keeping SHA-exact comparisons exact.
Codex review round three: a prior green run may have executed with
different lane definitions; the resolver now compares the candidate
run head SHA's .github/workflows tree against the current workflow
ref before accepting its manifest.
Codex review round two: the reusable advisory input is global, so beta
would also have softened hermetic repo/OpenShell E2E — add a scoped
live_advisory input that only covers the live-provider suite jobs and
narrow the umbrella fail-fast exclusion to those job names. Evidence
reuse now also runs the macOS source-version consistency check against
the target (release-preflight --macos-versions-only) so version-stamp
deltas cannot reuse evidence while version surfaces disagree.
Codex review findings: evidence reuse must not let a default-input run
stand in for a focused provider/mode/filter/package-spec run, and
recorded child runs can be re-run to failure while the parent stays
green. Manifests now record validationInputs; the resolver requires an
exact input match and healthy child runs, and the summary re-verifies
the chain root plus its recorded children. Reuse-mode evidence dispatch
notes now disclose the chain-root relationship.
- Full Release Validation now checks for a prior green validation whose
target differs only by release metadata (changelog/version stamps) and
reuses that evidence instead of re-running every lane; disable with
reuse_evidence=false. Evidence manifests chain through reuse runs via
evidenceReuse.runId and the summary re-verifies the chain root.
- The Docker runtime-assets preflight no longer serializes the CI,
plugin-prerelease, release-checks, and performance lanes; it runs in
parallel and stays enforced by the umbrella verifier.
- Umbrella runs for release/* refs now supersede in-progress runs with
the same ref and rerun group instead of requiring manual cancels.
- release_profile=beta treats the live-provider E2E suites as advisory
(third-party model deployments move underneath releases); stable and
full profiles keep them blocking, and beta live failures no longer
fail-fast-cancel the remaining release-check matrix.
The release-preflight macOS source-version check requires
CFBundleShortVersionString/CFBundleVersion to match the package.json
base version; main drifted to 2026.6.10 and the cherry-picked check
carried release-branch 2026.7.1 literals.
* fix(agents): recover xAI/Grok "could not decrypt encrypted_content" 400 instead of tripping the circuit breaker
openclaw already strips a stale reasoning replay and retries the Responses call, but the
recovery is gated on isInvalidEncryptedContentError(), which only recognizes the
`invalid_encrypted_content` / `thinking_signature_invalid` codes/messages. xAI/Grok returns
a prose 400 with no error code — "Could not decrypt the provided encrypted_content. Ensure
the value is the unmodified encrypted_content from a previous response." — so the matcher
returns false, the call fails, and the per-model circuit breaker trips, blocking ALL
grok-4.3 traffic through the gateway until manual intervention.
Match that message (contains `encrypted_content` and a decrypt-failure phrase) so the
existing strip-and-retry path handles it too. Narrow enough to avoid unrelated
"could not decrypt" messages (e.g. the OAuth sidecar warning), which do not mention
`encrypted_content`.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* fix(agents): narrow xAI decrypt retry detection
Co-authored-by: rvdlaar <rvdlaar@gmail.com>
---------
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
The Lobsterdex upgrades to a v2 object schema (v1 arrays migrate in
place, memories backfill on the next visit): each palette remembers its
first visitor's name and date, shown in the gallery tooltips ('Goldie -
first visited 7/5/2026'). Familiarity counters (visits, shoos) shape
behavior with no UI: fewer than three lifetime visits is shy (shorter
stays, later arrivals), fifteen or more is a friend (longer stays,
sooner returns, and a hello wave on the first arrival of each load),
and shooing it too often makes it wary, stretching the gaps between
visits. All best-effort localStorage; tuning lives in one exported
table.
* fix(gateway): re-check session runtime model against current agent defaults after hot-reload
Agent model hot-reload silently did not take effect because session entries
cached modelProvider/model from agent defaults during reset, and the resolver
returned these cached values before checking current config.
Fix (three-pronged):
1. Reset-side: only cache modelProvider/model when the resolved model came
from a user override — default-derived values are no longer persisted.
2. Resolver-side: when runtime metadata exists without overrides and an
agentId is available, the values are default-derived and may be stale —
skip them in the persisted-model fallback so current config defaults win.
3. Inheritance: only inherit runtime model metadata from parent when it
carries explicit user overrides (align with reset-side contract).
Reset response includes resolvedModel so API and TUI consumers always get
the effective model identity.
Fixes#102269
* fix(gateway): restore truncateUtf16Safe and emoji-boundary title test per ClawSweeper review
* fix(gateway): only skip stale session runtime model metadata when it actually differs from current defaults
The previous change unconditionally skipped cached modelProvider/model when no
user overrides were present and an agentId was available, assuming it was always
stale. This broke sessions that legitimately had non-default models set through
normal session creation (e.g. custom vision models).
Now the resolver resolves the current agent default first and compares: if the
cached runtime metadata matches the current default it is returned directly
(not stale); only when it differs is it treated as stale and re-resolved.
Also updates tests that set modelProvider/model without overrides to configure
their agent defaults so the expected model matches the resolution result.
* fix(session-model-ref): add stale-metadata detection for config hot-reload
* fix(test): remove strict timeoutMs assertion in provider catalog live-runtime test
The remainingTimeoutMs calculation can be off by 1ms depending on timing
(Date.now() - startedAt = 1ms on fast CI runners), causing a flaky failure.
This assertion is not the test's focus — dedicated timeout behavior is already
covered by 'uses one timeout budget across paginated live catalog discovery'.
* fix: restore AVATAR_MAX_BYTES to 2MB (revert accidental merge contamination)
* fix(gateway): resolve session models from current config
---------
Co-authored-by: Peter Steinberger <peter@steipete.me>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
* improve(ui): mark the default model inline
* chore: leave changelog to release workflow
---------
Co-authored-by: Peter Steinberger <peter@steipete.me>