Commit Graph

8965 Commits

Author SHA1 Message Date
xingzhou
8d5f7e27b2 fix(sms): replayed Twilio webhooks process again after high inbound traffic (#101107)
* fix(sms): replayed Twilio webhooks process again after high inbound traffic

* fix(sms): harden Twilio replay saturation

* test(sms): expose response header spy

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 17:58:53 +01:00
Peter Steinberger
baea671ef3 fix(anthropic): delegate adaptive Claude CLI effort (#103815)
* fix(anthropic): delegate adaptive CLI effort

Strip static --effort args for adaptive runs so Claude Code resolves effort from its environment, settings, and model default. Preserve configured effort for off or absent thinking and replace it only for concrete OpenClaw levels.

Fixes #103245

Co-authored-by: Dan Korotin <korotin.daniil@gmail.com>

* fix(anthropic): make effort dispatch exhaustive

---------

Co-authored-by: Dan Korotin <korotin.daniil@gmail.com>
2026-07-10 17:57:50 +01:00
Dallin Romney
0b9c2e6f95 fix(qa): simplify smoke lanes and isolate fanout (#102262)
* fix(qa): simplify smoke lanes and isolate fanout

* ci: re-enable repaired QA smoke lanes

* ci: split Crabline smoke into three shards

* ci: eliminate repeated QA smoke builds

* fix(qa): focus control ui smoke scenario

* ci(qa): remove smoke worker launch delay

* ci(qa): bound automatic smoke coverage
2026-07-10 09:48:40 -07:00
Peter Steinberger
5c260940bd fix: prevent CLI MCP children from widening sandbox tools (#103822)
* fix(gateway): bind CLI MCP grants to context

* chore: leave release changelog ownership intact
2026-07-10 17:44:29 +01:00
Peter Steinberger
845311cf97 fix(browser): prevent stale handles from switching duplicate-URL tabs (#103816)
* fix(browser): reject ambiguous tab replacements

* fix(browser): guide stale tab recovery
2026-07-10 17:40:14 +01:00
Peter Steinberger
97bbbc2271 feat(agents): derive a provider-declared default utility model when unset (#103769)
* feat(agents): derive a provider-declared default utility model when unset

When agents.defaults.utilityModel is not set, utility tasks (titles, progress
narration) now use the primary provider's declared small model
(modelCatalog.providers.<id>.defaultUtilityModel: OpenAI -> gpt-5.6-luna,
Anthropic -> claude-haiku-4-5). Auth is inherent because derivation follows
the agent's primary provider. Setting utilityModel to an empty string
disables utility routing entirely; narration turns on automatically when a
default resolves and stays off otherwise.

Formatting/lint/tests verified on Testbox (oxfmt, oxlint, plugins:inventory,
docs:map, import-cycles, check:test-types, 4 test files).

* fix(ai): drop the temperature parameter for models that reject it

The GPT-5.6 family 400s on temperature via the Responses API (live-verified:
gpt-5.6-luna/-terra reject it; gpt-5.5 and gpt-5.4-mini/nano accept it).
supportsOpenAITemperature gates all three OpenAI payload builders, with a
catalog compat override (compat.supportsTemperature) declared for the 5.6
family in the openai manifest. Without this, utility tasks (titles,
narration) would fail once gpt-5.6-luna becomes the derived default.

Gates on Testbox: oxfmt, oxlint, plugins:inventory, import-cycles,
check:test-types, 6 test files. Live proof on Testbox: gpt-5.6-luna and
claude-haiku-4-5 one-shot completions succeed with temperature requested.

* fix(agents): carry the primary model's auth profile onto the derived utility default

A primary like openai/gpt-5.5@work previously reached utility tasks via the
profiled fallback; the derived default shares the provider, so its trailing
auth profile carries over instead of silently switching to default
credentials (Codex review). Gates on Testbox: oxfmt, check:test-types, tests.

* docs: realign the manifest provider-fields table after adding defaultUtilityModel
2026-07-10 17:40:11 +01:00
Peter Steinberger
2d7472b3e4 fix(cron): emit scheduled events after durable wake changes (#103647)
* fix(cron): emit scheduled events after durable wake changes

* chore(changelog): defer cron note to release

* chore(docs): refresh plugin SDK baseline
2026-07-10 17:39:23 +01:00
Peter Steinberger
fc2afc83da feat(webui): redesign tool-call rendering with inline diffs, group summaries, and cheap-model purpose titles (#103748)
Kind-aware tool rows (terminal-style commands with wrapper stripping and
display highlighting, file edits with inline numbered diffs and diffstat,
write previews, key-value args), aggregate group summaries with live run
status, and a new batched chat.toolTitles gateway RPC that titles complex
calls via the configured utilityModel or the OpenAI Luna default (gated to
OpenAI-primary agents, cached in the per-agent SQLite cache_entries).

Also fixes two transcript pairing bugs: result blocks now inherit call
id/name/details at merge time, and results pair with any open call in the
current tool run so parallel calls render as single rows.

Fixes #103554
2026-07-10 17:26:22 +01:00
Peter Steinberger
366d09bcc7 fix(ci): harden release performance evidence (#103790) 2026-07-10 16:59:10 +01:00
Peter Steinberger
2d54be31ba feat(ui): detect session pull requests and pin status chips above the chat composer (#103600) 2026-07-10 16:23:28 +01:00
Vincent Koc
cbe3731f77 fix(release): make validation proof no-write (#103737)
* fix(release): make validation proof no-write

* test(release): align no-write workflow contracts
2026-07-10 08:18:44 -07:00
Peter Steinberger
48b0f4edf5 feat(gateway): session worktree targeting, branch listing, and server-side session groups (#103432)
* feat(gateway): session worktree targeting, branch listing, and group catalog

- sessions.create accepts worktreeBaseRef/worktreeName (write scope) and
  execNode (admin); worktree binding persists on the session entry as
  worktree { id, branch, repoRoot } and projects onto session rows with
  execNode so UIs can show checkout/branch/node state
- new worktrees.branches RPC lists local/remote branches (no fetch) for
  base-ref pickers; worktrees.remove now reports snapshotError
- sessions.delete reports preserved dirty checkouts as worktreePreserved
- gateway-owned session group catalog in the shared state DB with
  sessions.groups.list/put/rename/delete; rename/delete update member
  categories server-side without bumping recency; sessions.patch absorbs
  ad-hoc categories into the catalog
- group session display names prefer the human chat title (subject or
  space #channel) over stored compact tokens

Part of #103431

* fix(gateway): route group category updates through the session accessor and regen protocol models

- bulk member-category rename/clear uses applySessionEntryReplacements
  instead of legacy updateSessionStore call sites (session accessor
  boundary guard)
- regenerate Swift GatewayModels for the worktrees.branches schemas,
  snapshotError, and new sessions.create params

Part of #103431

* fix(gateway): resolvable remote branch refs and workspace-scoped branch listing

- worktrees.branches returns remote-only branches remote-qualified
  (origin/feature-a) so every advertised name works as a worktree base ref
- write-scoped worktrees.branches callers are limited to configured agent
  workspaces; other host paths require operator.admin, matching the
  sessions.create cwd bar

Part of #103431

* fix(gateway): guard worktree name reuse by owner and env-scope group transactions

- managedWorktrees.create rejects a caller-chosen name whose live or
  restorable record belongs to a different owner, so write-scoped
  sessions.create cannot bind a session into another session's or a
  manual checkout
- session group catalog writes run their SQLite transaction on the same
  env-scoped handle as their statements, keeping OPENCLAW_STATE_DIR
  overrides atomic and away from the default state DB

Part of #103431
2026-07-10 15:51:35 +01:00
JC
59e95fe3fd feat: support GPT-5.6 Ultra across OpenClaw and Codex runtimes (#98021)
* feat: support GPT-5.6 Ultra across agent runtimes

Co-authored-by: J Cai <anyech@gmail.com>

* fix: keep harness projections discovery-free

* fix(codex): mirror V2 native subagent tasks

* chore: refresh plugin SDK surface budgets

* test: expose Ultra wire effort proof

* test(cron): avoid hoisted mock initialization race

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 15:23:24 +01:00
lsr911
0990bccb32 fix(gateway): use truncateUtf16Safe for voice-wake trigger truncation (#103210)
* fix(gateway): use truncateUtf16Safe for voice-wake trigger truncation

Replace naive .slice(0, 64) with truncateUtf16Safe() in
normalizeVoiceWakeTriggers to prevent surrogate pair splitting
in user-configured voice wake trigger phrases.

Voice wake triggers are user-configurable text strings that may
contain emoji or non-BMP characters. A naive .slice(0, 64) at
a surrogate pair boundary produces a lone surrogate, which
corrupts the trigger text.

Co-Authored-By: Claude <noreply@anthropic.com>

* test: add proof scripts for C1 sanitize and voice-wake UTF-16

* chore: remove unrelated proof script from voice-wake PR

ClawSweeper review: the console-sanitization proof script belongs
to #103226, not this gateway voice-wake fix. Remove it to keep the
branch clean.

Ref: #103210 review

* fix(gateway): harden voice wake unicode boundary

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 14:41:25 +01:00
Yuval Dinodia
b7ab62c2cf fix(mattermost): preserve text-block boundaries in draft preview (#87322) (#87449)
* fix(mattermost): preserve text-block boundaries in draft preview (#87322)

* fix(mattermost): preserve block preview boundaries

* fix(mattermost): reset progress at tool boundaries

* docs(plugin-sdk): refresh API baseline

* fix(mattermost): group parallel tool previews

* fix(mattermost): stage tool previews before awaits

* fix(mattermost): satisfy tool boundary return contract

* fix(mattermost): serialize preview block generations

Co-authored-by: Yuval Dinodia <yetvald@gmail.com>

* fix(mattermost): preserve complete block previews

* test(agents): align streaming assertions

* test(telegram): align reply pipeline mock

* fix(plugin-sdk): keep reply prefix options compatible

* test(mattermost): exercise threaded final participation

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 14:32:11 +01:00
Vincent Koc
0426f238c3 fix(providers): align Meta Model API contract (#103680)
* fix(providers): align Meta Model API contract

* fix(security): classify Meta endpoint as native
2026-07-10 05:24:14 -07:00
Peter Steinberger
a238dead67 fix(docker): package selected external plugins in source-built images (#103629)
* build(docker): package selected external plugins

* test(docker): auto-clean plugin fixture

* fix(docker): preserve selected image provenance

* fix(docker): accept manifest-only plugin selections

* fix(docker): resolve selected plugin manifest ids

* fix(docker): isolate resolved plugin selection
2026-07-10 13:00:50 +01:00
Peter Steinberger
401f278f11 feat: add Control UI plugin management (#103176)
* feat(ui): add plugin catalog management

* feat(gateway): add plugins.uninstall and richer plugin catalog metadata

Adds a plugins.uninstall gateway method (operator.admin, control-plane write)
backed by a lock-guarded uninstallManagedPlugin that mirrors the CLI flow:
config cleanup, install-record removal, managed file deletion, and registry
refresh. Bundled plugins stay disable-only. Catalog entries now carry a
manifest-derived category and a removable flag; ClawHub search results expose
download counts and verification tiers.

* feat(ui): redesign plugins page with inventory, store shelves, and cover art

Rebuilds /settings/plugins around three tabs: Installed (category-grouped
inventory with overview stats, state filters, uninstall for external plugins,
and inline MCP server management through the shared config seam), Discover
(featured/official shelves plus one-click MCP connectors and curated ClawHub
searches), and ClawHub (search with download counts and verification badges).
Every catalog entry renders bundled cover art or a deterministic gradient
monogram tile - no more empty boxes. Artwork generated with Codex CLI, shipped
as 512px WebP under ui/public/plugin-art.

* chore(ui): regenerate locale bundles for plugins manager strings

* docs: describe plugins manager tabs, uninstall, and MCP connectors

* fix(plugins): human catalog labels and un-pinned hosted fallback ids

listManagedPlugins now prefers manifest names over registry package-name
backfill, falls back to channel catalog labels and blurbs, and stops pinning
expectedPluginId when a hosted feed entry only exposes its package name
(which rejected every legitimate install of that package). Found via live
gateway testing against ClawHub.

* fix(ui): send minimal RFC 7396 merge patches for MCP server edits

config.patch merges rather than replaces, so key removal needs an explicit
null; sending the full config back made MCP server removal a no-op. Found
via live gateway testing.

* fix(ui): write explicit MCP transports for URL servers

The MCP runtime defaults URL-only servers to SSE, so streamable HTTP
endpoints saved by the add form or connector templates would fail at
connect time. Connector templates now declare their transport and the
add form infers streamable-http unless the URL follows the /sse
convention. Flagged by autoreview against the transport resolver.

* test(ui): wait for deferred plugin requests before resolving in e2e

* feat(ui): plugins detail view, action menus, and unified ClawHub search

Reworks the plugins page from PR #103176 feedback: merges the ClawHub tab into
Discover (typing searches ClawHub inline and appends a quiet From ClawHub
section, with Browse ClawHub demoted to a header text link), makes every row and
store card open a plugin detail overlay (hero art, primary enable/install
action, metadata table), and replaces enable/disable switches with a state chip
plus an overflow menu (Enable/Disable, Remove for external plugins, View
details) matching the ChatGPT-store install+menu pattern. MCP rows use the same
menu; refresh is now icon-only.

* chore(ui): regenerate locale bundles for plugins UI iteration

* feat(ui): vetted, grouped connector catalog for the plugins store

Expands Connect your world to 28 connectors organized into use-case shelves
(Work & productivity, Coding & infrastructure, Home & media, Everyday life).
Every entry passed a three-stage subagent review: official-docs verification
plus live endpoint probes for MCP servers, ClawHub result-quality and
malware/typosquat screening for curated searches, and an adversarial pass
that dynamically registered OAuth clients to prove one-click viability.

That review removed Figma (registration allowlisted, 403) and Atlassian
(OAuth issuer-mismatch bug upstream), downgraded GitHub to PAT-based setup
(no dynamic client registration upstream), fixed Linear (/sse retired) and
Home Assistant (/api/mcp, streamable HTTP) endpoints, retargeted poisoned or
dead searches (youtube, finance, hue dropped; calendar -> google calendar;
stocks replaces finance), and added Todoist, Airtable, Canva, Stripe,
Context7, DeepWiki, Hugging Face one-click MCP servers plus Jira, PDF,
transcription, Kubernetes, Reddit, maps, translation, and notes searches.
Keyless servers get a ready-to-use success message; new cover art included.

* chore(ui): regenerate locale bundles for connector groups

* fix(plugins): suppress hosted catalog rows once their package is installed

Hosted feed entries without a declared runtime id fall back to their package
name as catalog id, which never matches the installed runtime id, so the
Discover shelf kept offering an already-installed package. Installed package
names now also suppress official rows. Flagged by autoreview.

* fix(plugins): pin declared runtime ids and surface connector errors in place

The runtime-id pin now keys off explicitly declared catalog ids (plugin,
channel, or provider) instead of string-comparing against the package name,
so declared ids that equal their package name stay enforced while entry-id
fallbacks stay unpinned. Connector add failures on Discover now render on the
triggering card instead of the Installed tab's MCP section. Both flagged by
autoreview; regression tests included.

* feat(ui): full inventory artwork, pulse header, and two-column plugin list

Every bundled plugin now ships distinctive cover art (113 new Codex CLI
illustrations; 172 total, ~2.1MB WebP), so inventory rows and detail views
never fall back to monogram tiles. The four stat cards give way to a compact
inventory pulse: a segmented enabled/disabled/issues meter whose legend and
counts live inside the filter chips. Inventory, MCP, and search rows flow
into two columns when the panel is wide enough.

* chore(ui): regenerate locale bundles for pulse header

* fix(ui): omit stdio args from the MCP server row target

Stdio MCP args routinely carry tokens, and the inventory is visible to
read-only operators; mirror the config page and show only the command.
Flagged by autoreview; regression test included.

* fix(merge): point crestodian setup at relocated plugin commit/refresh modules

* fix(merge): add bootstrapToken to plugins page test gateway harness

* fix(plugins): name catalog install-action branches so Swift emits the union

* fix(ui): satisfy strict lint on plugins page form parsing and mocks

* chore(build): regen docs map, raise plugin-sdk declaration budget for new protocol surface

* fix(ui): type the plugins page patch mock with its real call signature
2026-07-10 11:56:44 +01:00
Peter Steinberger
8d66e47773 fix(release): prove registry tarball identity before resuming a publish
Codex review: version existence alone does not prove the npm registry
serves the tarball this tag's preflight built — the same version could
have been published from a different artifact and npm versions are
immutable. The resume resolver now downloads the preflight manifest,
requires its releaseSha to match the target, and compares the published
registry tarball's sha256 against the manifest before skipping the core
dispatch; mismatches abort with correction-tag guidance.
2026-07-10 03:09:10 -07:00
Peter Steinberger
ef22e77f0b perf(release): make publish reruns resumable and promote assets concurrently
The 2026.7.1 retro measured ~13h tag-to-published for beta.2 and stable
2026.6.11; any post-npm failure previously hard-aborted retries because
the already-published guard refused the whole run.

- resolve_openclaw_npm_publish_state replaces the abort guard: an
  already-published core version skips the core npm dispatch and resumes
  the remaining stages; verify_published_release still proves the
  registry state matches the tag before the page leaves draft.
- Windows and Android promotion runs concurrently with the core npm
  publish (their only shared prerequisite is the draft release page,
  which is now created before the dispatch) and each promotion
  short-circuits when the release already carries its verified asset
  contract, so retries only redo failed stages.
- The release proof cites the core npm run only when this run dispatched
  one; resumed publishes rely on the registry package check.
2026-07-10 03:09:09 -07:00
Yuval Dinodia
1bac1022e6 fix(exec): auto-approve recognized read-only boolean flags on default safe bins (#88953)
* fix(exec): auto-approve recognized read-only boolean flags on default safe bins

Default safe bins (cut, head, tail, tr, uniq, wc) auto-approve stdin-only
text-filter invocations, but the short-option validator only had an accept
path for value-consuming flags: a cluster of pure boolean short flags fell
through to a terminal reject, so common read-only forms like 'wc -l',
'tr -d', 'uniq -c' and 'sort -n' were force-routed to manual approval even
though the bins are stdin-only and the dangerous flags are already denied.

Add an allowedBooleanFlags allowlist to the safe-bin profile model and
populate it for the default bins with their read-only boolean flags. The
short-cluster validator now accepts recognized boolean flags and the long
validator reuses its existing boolean-flag accept branch (previously
unreachable). Unrecognized short flags (e.g. 'tr -S') stay fail-closed, and
denied flags are still rejected first.

* fix(exec): keep safe-bin allowedBooleanFlags off the config-facing fixture type

The boolean-flag allowlist for default safe bins leaked onto SafeBinProfileFixture, the type used for tools.exec.safeBinProfiles, while the strict zod schema and the config normalizer never accepted or preserved the key. Move allowedBooleanFlags to an internal BuiltinSafeBinProfileFixture used only for the curated built-in profiles; custom config profiles keep the allowedValueFlags/deniedFlags model.

Adds tests proving built-in profiles still honor the boolean allowlist and that a custom profile cannot widen it.

* fix(exec): keep tail follow approval-gated

* test(exec): stabilize safe-bin trust fixtures

* test(exec): isolate safe-bin argv fixtures

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 10:53:56 +01:00
Peter Steinberger
7fe004d852 feat: show build identity in About screens (#103595)
* feat: show build identity in About screens

* chore: leave root changelog to release automation

* fix: translate Control UI About build details
2026-07-10 10:42:36 +01:00
heichl_xydigit
7eacd78c01 feat(devices): rename command for durable human-friendly device names (#94517)
Paired devices can now carry a durable operator-assigned label: device.pair.rename { deviceId, label } (schema-bounded, admin/ownership-gated) stores an operatorLabel that persists in the shared SQLite state DB, survives device repair and re-approval, and takes display precedence over the client-reported name in CLI devices list and the Control UI inventory (operatorLabel, then displayName, then clientId, then deviceId). The label was previously dropped on write because the pairing store had no column for it. CLI: openclaw devices rename --device <id> --name <label>. Docs cover the command and precedence.

Fixes #13870

Thanks to @bladin for the contribution.

Co-authored-by: heichl_xydigit <1740879+bladin@users.noreply.github.com>
Co-authored-by: Ayaan Zaidi <hi@obviy.us>
2026-07-10 15:05:41 +05:30
Peter Steinberger
ecfea21eeb feat(webchat,cli): the lobster notices things (#103573)
The resident pauses its fidgeting and turns to watch passers cross the
ledge. After a droop it tidies up with a little broom. On lobster days
(shared day hash with the CLI banner cousin, now in src/shared) it wears
a sailor cap unless the seed already rolled headwear. The Dreams sleeper
half-opens one eye when pressed.
2026-07-10 10:25:08 +01:00
Peter Steinberger
ab5d143d59 feat(openai): default new setups to GPT-5.6 (#103581)
* feat(openai): default fresh setup to GPT-5.6

* test(crestodian): expect GPT-5.6 Codex defaults

* test(crestodian): expect GPT-5.6 bootstrap default
2026-07-10 10:22:58 +01:00
Peter Steinberger
dc476a7e7c fix(browser): stale Chrome MCP handles survive reconnect (#103576)
* fix(browser): expire Chrome MCP handles after reconnect

* chore(browser): satisfy Chrome MCP static checks
2026-07-10 10:10:20 +01:00
Peter Steinberger
336e43c314 fix(release): converge on the render-github-release-notes pipeline
Two competing release-notes pipelines existed: the release branch's
hardened render/verify/provenance pipeline (a486f3ab08 + dcee1da876,
battle-tested by 2026.7.1) and main's lighter prepare-github-release-notes
size gate (#103222). Repo policy is one canonical path; the release-branch
pipeline wins and main's unique value is grafted in:

- scripts/render-github-release-notes.mjs becomes the canonical release
  body renderer (full/compact 125k char+byte modes, tag-pinned record
  link, verification tail, canonical shipped-baseline format), now also
  preferring a correction tag's dedicated changelog section (from
  prepare's heading matrix).
- verify-release-notes.mjs is a three-way merge: release's --shipped-ref
  cumulative baselines, provenance checks, highlights gate, and the
  excluded-record rewrite fix, plus main's compact contribution rows,
  externalReferences threading, and both-heading parser compat.
- release-candidate-checklist.mjs gains validateCandidateCheckout and
  changelog-provenance gates that run before any dispatch.
- openclaw-release-publish.yml keeps main's fail-before-mutation early
  notes gate (retargeted to the renderer) and adopts release's
  render/verify_release_tag_target/canonical_release_body_matches flow.
- scripts/prepare-github-release-notes.mjs and its test are deleted;
  release-notes-ledger.test.ts stays and pins the merged verify exports.
- .gitignore tracks every repo skill for Git-aware syncs; SKILL.md
  runbooks and RELEASING.md document the converged contract.
2026-07-10 02:06:52 -07:00
Peter Steinberger
9ecb2f3a84 feat(ui): restore sidebar chrome, delete the pane workspace strip, compact native narrow header (#103561)
* feat(ui): restore sidebar chrome and remove the pane workspace strip

Reverse course from #103426 on the app chrome: the left sidebar owns
brand, pinned navigation + More, New session, sessions, and the footer
(status dot, Settings, Docs, pairing, theme) again, and the desktop
topbar is gone. What stays from that PR: the dockable workspace rail
(right/bottom, drag or button), the in-flow split-pane headers, and
Cmd+B now hides the sidebar entirely (no 78px icon rail) with a
floating expand control.

The real target of the original request: the vertical icon strip at
each pane's right edge is deleted. A collapsed workspace rail renders
nothing; the toggle (with a changed-file badge) lives in the split-pane
header next to split/close, or floats at the top-right in single-pane
chat. Shift+Cmd+B still toggles.

Narrow native macOS windows (e.g. the in-app link browser splitting
the window) previously stacked 50px of injected titlebar padding on
top of the 58px drawer row; the web CSS now folds that into one
compact 58px row beside the traffic lights, with selectors that
outrank the rules shipped Mac apps inject.

* chore(ui): regenerate locale bundles and docs map for sidebar restore

* fix(ui): bind showPaneHeader explicitly on the classic single pane

* chore(ui): reconcile locale metadata after rebase onto lobster wild cards
2026-07-10 09:35:14 +01:00
Eva
ae63a48e94 fix(auto-reply): recover stranded message-tool finals by default (#99536)
In messages.visibleReplies "message_tool" sessions, a successful agent turn that produced a substantive private final without calling message(action=send) previously left the user with silence and only an operator log. The gateway now enqueues one protected front-of-queue retry prompting the model to deliver the reply, and falls back to a sanitized visible diagnostic when the retry cannot be enqueued or also strands. Queue overflow protection is unified with the in-flight-aware drop policy (skip in-flight or protected items, reject when nothing is droppable), rejected overflow no longer refreshes the drain debounce, heartbeat turns are excluded from recovery, and recovery retries no longer share the client turn's queued-turn lifecycle.

Fixes #85714

Thanks to Eva (@100yenadmin) for the contribution.
2026-07-10 14:01:01 +05:30
Peter Steinberger
26d200c6a3 feat(channels): narrated progress drafts + activity receipt on the final answer (#103463)
* feat(channels): narrated progress drafts + activity receipt on the final answer

Progress mode replaces raw tool lines with short utility-model narration of
what the agent is doing (streaming.progress.narration, default on, requires
an explicit utilityModel). On Discord the final answer now carries the
-# activity receipt and the working draft is deleted once the answer lands,
so busy channels keep no orphaned tool log above the reply.

Formatting verified remotely via Testbox oxfmt --check (hook bypassed:
no node_modules in this worktree).

* fix(channels): keep narration toggle independent of channel-default stream mode

Discord resolves its own progress default, so the resolver must not re-derive
mode with the generic partial fallback (narration was off for unset config).

* fix(auto-reply): honor status-only command text in narration model input

streaming.progress.commandText: "status" hides raw exec/bash text from the
channel draft; narration input now mirrors that policy so the utility model
never receives more command detail than the draft shows (Codex review P2).

Formatting verified remotely via Testbox oxfmt --check.

* fix(auto-reply): share the draft's command-tool set for narration and regen channel metadata

Reuse isCommandToolName (exec|shell|bash) so narration's commandText policy
matches the draft formatter exactly, and regenerate bundled channel config
metadata for the new streaming.progress.narration key (Codex review round 2).

Gates verified on Testbox: config:channels:check, oxfmt --check, 4 test shards.

* fix(channels): clear stale narration when the narrator stops mid-turn

An empty narration update now falls the draft back to raw tool lines, and the
narrator emits that clear when it disables after consecutive failures or the
per-turn cap, so drafts never pin stale status text (Codex review round 3).

Gates verified on Testbox: oxfmt --check + 4 test shards.

* chore(config): regen bundled channel metadata after rebase onto main

* chore: CI fixups — lint nits, test harness types, docs map, SDK surface budget

Two deliberate public SDK additions (resolveChannelStreamingProgressNarration,
isCommandToolName via the streaming wildcard re-export) bump the pinned
public-surface budgets to current counts (exports 10488, callable 5235).

Gates verified on Testbox: oxfmt, targeted oxlint, docs:map:check,
config:channels:check, check:test-types, 5 test shards.
2026-07-10 09:28:47 +01:00
Peter Steinberger
4a4a32a5de feat(cli,webchat): lobster wild cards — a CLI cousin, moving day, and opt-in sounds (#103412)
* feat(cli,webchat): lobster wild cards - a CLI cousin, moving day, and opt-in sounds

The openclaw banner gains a rare day-seeded ASCII lobster (rich TTYs,
random tagline mode, never CI). The web pet notices gateway upgrades and
arrives carrying a bindle for one load. A new default-off Lobster sounds
quick setting adds tiny WebAudio chirps on pokes and pets. The lobster
docs page learns about petting, sounds, and this batch's field notes.

* chore(webchat): regenerate keyless raw-copy i18n baseline after rebase
2026-07-10 08:49:27 +01:00
Peter Steinberger
b07ebe3ff3 feat: correlate managed agent requests (#103476) 2026-07-10 08:42:55 +01:00
Peter Steinberger
3bec587d74 fix(computer): stop typing after cancellation (#103528) 2026-07-10 08:37:37 +01:00
Peter Steinberger
87f98090e1 feat(ci): reuse release validation evidence and speed up the release pipeline
- Full Release Validation now checks for a prior green validation whose
  target differs only by release metadata (changelog/version stamps) and
  reuses that evidence instead of re-running every lane; disable with
  reuse_evidence=false. Evidence manifests chain through reuse runs via
  evidenceReuse.runId and the summary re-verifies the chain root.
- The Docker runtime-assets preflight no longer serializes the CI,
  plugin-prerelease, release-checks, and performance lanes; it runs in
  parallel and stays enforced by the umbrella verifier.
- Umbrella runs for release/* refs now supersede in-progress runs with
  the same ref and rerun group instead of requiring manual cancels.
- release_profile=beta treats the live-provider E2E suites as advisory
  (third-party model deployments move underneath releases); stable and
  full profiles keep them blocking, and beta live failures no longer
  fail-fast-cancel the remaining release-check matrix.
2026-07-10 00:21:23 -07:00
Peter Steinberger
ce47e6ac53 fix(mcp): keep server config private in groups (#103502)
* fix(mcp): keep server config private in groups

* fix(config): redact underscore credential flags

* fix(config): redact plural credential flags
2026-07-10 08:09:48 +01:00
Peter Steinberger
a97633a9ad fix(codex): require human approval for app-server commands (#103457)
* fix(codex): require human approval for app-server commands

* docs(exec): clarify Codex approval fallback
2026-07-10 08:07:18 +01:00
Peter Steinberger
d7dc6ee845 fix(xai): validate x_search handle filters (#103393) 2026-07-10 08:02:18 +01:00
Peter Steinberger
0f3fb9ea58 fix(codex): prefer ChatGPT desktop resources (#103470)
Co-authored-by: Hiroshi Tanaka <solavrc@gmail.com>
2026-07-10 07:44:24 +01:00
Peter Steinberger
4a72a6cb2f feat(ui): move app chrome into a topbar and dock the session workspace rail (#103426)
* feat(ui): move app chrome into a topbar and dock the session workspace rail

The desktop shell now uses a slim topbar for brand, primary navigation
(Chat + pinned routes + More menu), command-palette search, pairing,
theme, and Settings; the left column slims down to a sessions-only
panel (Cmd+B hides it entirely — the 78px icon rail is gone). Split
view drops the fixed geometry-mirroring toolbar for in-flow per-pane
headers. The session workspace rail can dock right or bottom inside
its pane — drag its header between edges or use the dock button — and
the collapsed strip's file glyph is now a real button (it used to be a
dead, button-looking span) with a changed-file count badge. The Mac
app's injected chrome CSS slims down accordingly; its drag-region
geometry is unchanged and the topbar brand strip stays passive under
it.

* chore(ui): regenerate locale bundles for topbar and workspace dock strings

* fix(ui): keep the native macOS drawer clear of the titlebar overlay

The narrow-width slide-over drawer sits fixed at the window top, over
the AppKit traffic lights and drag regions. The old Mac-app-injected
CSS padded .sidebar-shell for this; that rule moved web-side for the
desktop topbar, so restore drawer clearance here for both the app
drawer and the in-drawer settings sidebar.

* chore(ui): translate topbar and workspace dock strings; regen docs map
2026-07-10 07:32:57 +01:00
Peter Steinberger
7f5dce8bbf fix(xai): discover TTS voices dynamically (#103446) 2026-07-10 07:05:45 +01:00
Peter Steinberger
477b2860d5 feat(macos): add tabs to the dashboard link browser sidebar (#103438)
Each inline link opens in its own tab (exact-URL dedupe); sidebar
target=_blank links open new tabs. Tab strip on top with click to
activate, close buttons, middle-click close, pointer-drag reorder, and
a per-tab context menu (Open in Default Browser, Copy Link, Reload,
Close Tab, Close Other Tabs). Navigation controls sit below the tabs
and follow the active tab. Closing the last tab collapses the sidebar
with no lingering webviews or history.
2026-07-10 06:51:49 +01:00
krissding
1a0dc9b83f fix(opencode-go): remove deprecated mimo-v2-omni and mimo-v2-pro model aliases (#103329)
* fix(opencode-go): remove deprecated mimo-v2-omni and mimo-v2-pro model aliases

These deprecated aliases reject agent requests from the OpenCode Go gateway.
Remove them from the provider catalog and clean up all references in probe
skip lists, CI workflows, and tests.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(opencode-go): complete deprecated MiMo cleanup

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 06:49:09 +01:00
Peter Steinberger
461772868d fix(computer): prevent stale, replayed, and post-cancel desktop actions (#103422)
* fix(ai): preserve streamed tool-call identity

* fix(computer): bind actions to current tool authority

* fix(macos): serialize computer control lifecycle

* docs(computer): document hardened control contract

* chore: follow release-owned changelog policy

* test(agents): cover node list cancellation
2026-07-10 06:47:56 +01:00
Peter Steinberger
9d4fb60e90 fix: harden exec auto-review approvals (#103430) 2026-07-10 06:44:03 +01:00
Peter Steinberger
fa3eb673cd feat(slack): accept spoken mentions in audio clips (#103416)
* feat(slack): support spoken audio mentions

* chore: keep release notes in PR body
2026-07-09 22:33:26 -07:00
Peter Steinberger
e7b652798f fix(xai): remove synthetic batch STT model (#103419) 2026-07-10 06:32:45 +01:00
iloveleon19
70a7e6e658 feat(mattermost): add opt-in DM threading by chat type (#98111)
* feat(mattermost): add opt-in DM threading via dmReplyToMode

Resolves #93203.

Mattermost direct messages are hardcoded non-threaded: resolveMattermostReplyToMode
returns "off" for direct chats before consulting config, and the reply-root /
effective-reply resolvers short-circuit for direct chats. So every DM accretes into
one ever-growing session with unbounded per-session token usage, with no way to
isolate each DM topic the way groups/channels (and Slack) can.

Add channels.mattermost.dmReplyToMode (same enum as replyToMode), default "off" so
existing flat-DM deployments are unchanged. When set to "first"/"all", a DM @mention
starts an independent, thread-scoped session:

- resolveMattermostReplyToMode: direct chats return config.dmReplyToMode ?? "off".
- resolveMattermostEffectiveReplyToId: direct early-return gated on replyToMode "off"
  (the value already reflects dmReplyToMode for direct chats).
- resolveMattermostReplyRootId: direct early-return gated on the absence of a thread
  root (a DM carries one only when DM threading is enabled).
- New DM threads start fresh (no parent-session inheritance) so each topic is isolated;
  a threaded DM keeps its own history key while a flat DM root keeps none.

Default-off preserves the documented flat-DM contract, so this changes no existing
behavior. Adds unit coverage and documents the opt-in. The only open question is the
knob shape (dmReplyToMode enum vs a boolean dmThreading) — happy to adjust.

Refs #65729.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(mattermost): register dmReplyToMode in config schema

dmReplyToMode was wired into the account config type and reply
resolution but never added to MattermostConfigSchema, so setting it in
openclaw.json failed config validation ("must not have additional
properties: dmReplyToMode") and the gateway refused to start — the knob
could not actually be enabled. Register it in the schema, regenerate the
bundled channel config metadata and doc baseline, and add a
config-schema test.

* fix(mattermost): thread direct reply transport when dmReplyToMode is on

resolveReplyTransport nulled the direct reply root/thread id
unconditionally, so routed replies and message-tool follow-ups in an
opted-in DM thread were still sent flat even when the effective
replyToMode was first/all. Keep direct transport flat only when the mode
is off (the historical contract) and preserve the thread root otherwise,
matching the monitor-level DM threading gates. Adds channel.test.ts
coverage for resolveReplyTransport.

* fix(mattermost): use per-chat reply mode overrides

* fix(mattermost): bound direct thread history

* chore(config): refresh docs baseline

---------

Co-authored-by: leon <leon@gmail.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 06:19:03 +01:00
Peter Steinberger
4a40f5d7f0 fix(xai): align image and video capability contracts (#103384)
* fix(xai): align media capability contracts

* chore: move xai media release note to pr
2026-07-10 06:06:50 +01:00
Peter Steinberger
cd9db5ed9a fix(doctor): keep automated repair from moving approval state (#103353)
* fix(doctor): isolate automated cross-state imports

* test(update): cover isolated doctor finalization
2026-07-10 05:42:36 +01:00
krissding
5ebe040eaa fix(xai): require consent for cross-provider billed tools (#97629)
* fix(xai): gate billed tools by active provider

Co-authored-by: 丁宇婷0668001435 <ding.yuting@xydigit.com>

* chore: remove contributor changelog entry

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 05:30:23 +01:00