vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-17 12:11:20 +00:00
Code Issues Packages Projects Releases Wiki Activity
29,672 Commits 1,339 Branches 111 Tags
90e784cab8e34e28b10e32787224c2fb1fa17598
Commit Graph

123 Commits

Author SHA1 Message Date
Shakker
705d2dd03e fix: harden qa missing-key provider messages 2026-04-08 21:55:39 +01:00
Shakker
4ad9f166e2 fix: sanitize qa missing-key replies 2026-04-08 21:55:39 +01:00
Shakker
491e216c45 fix: fail fast on qa live auth errors 2026-04-08 21:55:39 +01:00
Frank Yang
5d46e4dc4f fix(gateway): clear auto-fallback model override on session reset (#63155) 
* fix(gateway): clear auto-fallback model override on session reset

When `persistFallbackCandidateSelection()` writes a fallback provider
override with `authProfileOverrideSource: "auto"`, the override was
incorrectly preserved across `/reset` and `/new` commands. This caused
sessions to keep using the fallback provider even after the user changed
the agent config primary provider, because the session store override
takes precedence over the config default.

Now the override fields (`providerOverride`, `modelOverride`,
`authProfileOverride`, `authProfileOverrideSource`,
`authProfileOverrideCompactionCount`) are only carried forward when
`authProfileOverrideSource === "user"` (i.e. explicit `/model` command).
System-driven overrides are dropped on reset so the session picks up the
current config default.

Introduced in cb0a752156 ("fix: preserve reset session behavior config")

* fix(gateway): preserve explicit reset model selection

* fix(gateway): track reset model override source

* fix(gateway): preserve legacy reset model overrides

* docs(changelog): add session reset merge note

---------

Co-authored-by: termtek <termtek@ubuntu.tail2b72cd.ts.net>
 2026-04-09 00:31:05 +08:00
Frank Yang
153e3add68 fix(auto-reply): strip leading NO_REPLY tokens to prevent silent-reply leak (#63068) 
* fix(auto-reply): strip leading NO_REPLY tokens to prevent silent-reply leak

* fix(auto-reply): preserve substantive NO_REPLY leading text

* fix(agents): preserve ACP silent-prefix cumulative deltas

* fix(auto-reply): harden silent-token streaming paths

* fix(auto-reply): normalize glued silent tokens consistently

---------

Co-authored-by: termtek <termtek@ubuntu.tail2b72cd.ts.net>
 2026-04-09 00:30:13 +08:00
Mariano
b77db8c0b6 Reply: surface OAuth reauth failures (#63217) 
Merged via squash.

Prepared head SHA: 68b7ffd59e
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Reviewed-by: @mbelinky
 2026-04-08 18:03:03 +02:00
Mariano
93e509ccfe fix(reply): use runtime snapshot for queued reply runs (#62693) 
Merged via squash.

Prepared head SHA: 2a3e4e5c60
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Reviewed-by: @mbelinky
 2026-04-08 10:31:01 +02:00
Peter Steinberger
cebfa70277 refactor: dedupe auto-reply lowercase helpers 2026-04-07 17:50:37 +01:00
Peter Steinberger
fbf7859f6d test(auto-reply): isolate fallback selection coverage 2026-04-07 12:17:03 +01:00
Peter Steinberger
8822f779d9 fix: restore ci after trim reader dedupe 2026-04-07 06:42:34 +01:00
Peter Steinberger
b514d61000 refactor: dedupe reply execution readers 2026-04-07 06:42:33 +01:00
Peter Steinberger
05e89ff117 refactor: dedupe agent string readers 2026-04-07 05:06:54 +01:00
Peter Steinberger
9b7c0bf8e9 refactor: dedupe auto-reply error formatting 2026-04-07 02:03:34 +01:00
Peter Steinberger
c39f061003 Revert "refactor(cli): remove bundled cli text providers" 
This reverts commit 05d351c430.
 2026-04-06 13:40:41 +01:00
Peter Steinberger
1a47675e6c fix: restore check after CLI seam cleanup 2026-04-05 19:06:34 +01:00
Peter Steinberger
05d351c430 refactor(cli): remove bundled cli text providers 2026-04-05 18:46:36 +01:00
Bob
3f6840230b fix: unify reply lifecycle across stop, rotation, and restart (#61267) (thanks @dutifulbob) 2026-04-05 19:32:27 +02:00
Peter Steinberger
deb212d3b0 fix(openai): tighten gpt chat action turns 2026-04-05 12:53:35 +01:00
Peter Steinberger
996dccb19c feat(agents): add structured execution item events 2026-04-05 12:36:33 +01:00
Peter Steinberger
af81ee9fee fix(agents): add embedded item lifecycle events 2026-04-05 11:16:28 +01:00
Peter Steinberger
3de09fbe74 fix: restore claude cli loopback mcp bridge (#35676) (thanks @mylukin) 2026-04-04 15:16:20 +09:00
Peter Steinberger
fe72474153 fix: persist fallback overrides safely 2026-04-04 09:00:16 +09:00
Shakker
fc8ab82aab refactor: trim cron session startup imports 2026-04-03 16:03:10 +01:00
Oguri Cap
1f99c87a44 feat: add agents.defaults.compaction.notifyUser config option (default: false) [Fix #54249] (#54251) 
Merged via squash.

Prepared head SHA: 6fd4cdb7c3
Co-authored-by: oguricap0327 <266246182+oguricap0327@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman
 2026-04-01 12:29:17 -07:00
ImLukeF
4e63dc0b1c fix: hide raw provider errors from chat replies 2026-04-01 20:53:16 +11:00
Owen Wang
50cc28c559 fix: differentiate overloaded vs rate-limit user-facing error messages (#58562) 2026-03-31 21:10:38 -04:00
openperf
56b5ba0dcb fix: address security and review feedback 
- Fix CWE-209: use static safe message instead of raw provider error text
- Fix CWE-117: sanitize provider/model in logs via sanitizeForLog
- Hide CLI hints from external channels via shouldSurfaceToControlUi
- Move overload cap check before advanceAuthProfile to save setup latency
- Export MAX_LIVE_SWITCH_RETRIES as module-level constant
- Use exact toBe() assertions in tests
- Correct failover decision label to fallback_model
 2026-03-31 20:25:09 +05:30
openperf
1fcd179d8c fix(gateway): prevent session death loop on overloaded fallback 
- Add MAX_LIVE_SWITCH_RETRIES=2 guard in agent-runner-execution.ts
- Add MAX_OVERLOAD_PROFILE_ROTATIONS=1 cap in run.ts for overloaded errors
- Return kind:final with user-visible error on retry exhaustion
- Escalate to cross-provider fallback instead of exhausting same-provider profiles

Fixes #58348
 2026-03-31 20:25:09 +05:30
Sean
c6f2db1506 fix: prevent gateway attachment offload regressions (#55513) (thanks @Syysean) 
* feat(gateway): implement claim check pattern to prevent OOM on large attachments

* fix: sanitize mediaId, refine trimEnd, remove warn log, add threshold and absolute path

* fix: enforce maxBytes before decoding and use dynamic path from saveMediaBuffer

* fix: enforce absolute maxBytes limit before Buffer allocation and preserve file extensions

* fix: align saveMediaBuffer arguments and satisfy oxfmt linter

* chore: strictly enforce linting rules (curly braces, unused vars, and error typing)

* fix: restrict offload to mainstream mimes to avoid extension-loss bug in store.ts for BMP/TIFF

* fix: restrict offload to mainstream mimes to bypass store.ts extension-loss bug

* chore: document bmp/tiff exclusion from offload whitelist in MIME_TO_EXT

* feat: implement agent-side resolver for opaque media URIs and finalize contract

* fix: support unicode media URIs and allow consecutive dots in safe IDs based on Codex review

* fix(gateway): enforce strict fail-fast for oversized media to prevent OOM bypass

* refactor(gateway): harden media offload with performance and security optimizations

This update refines the Claim Check pattern with industrial-grade guards:

- Performance: Implemented sampled Base64 validation for large payloads (>4KB) to prevent event loop blocking.
- Security: Added null-byte (\u0000) detection and reinforced path traversal guards.
- I18n: Updated media-uri regex to a blacklist-based character class for Unicode/Chinese filename support, with oxlint bypass for intentional control regex.
- Robustness: Enhanced error diagnostics with JSON-serialized IDs.

* fix: add HEIC/HEIF to offload allowlist and pass maxBytes to saveMediaBuffer

* fix(gateway): clean up offloaded media files on attachment parse failure

Address Codex review feedback: track saved media IDs and implement best-effort cleanup via deleteMediaBuffer if subsequent attachments fail validation, preventing orphaned files on disk.

* fix(gateway): enforce full base64 validation to prevent whitespace padding bypass

Address Codex review feedback: remove early return in isValidBase64 so padded payloads cannot bypass offload thresholds and reintroduce memory pressure. Updated related comments.

* fix(gateway): preserve offloaded media metadata and fix validation error mapping

Address Codex review feedback:
- Add \offloadedRefs\ to \ParsedMessageWithImages\ to expose structured metadata for offloaded attachments, preventing transcript media loss.
- Move \erifyDecodedSize\ outside the storage try-catch block to correctly surface client base64 validation failures as 4xx errors instead of 5xx \MediaOffloadError\.
- Add JSDoc TODOs indicating that upstream callers (chat.ts, agent.ts, server-node-events.ts) must explicitly pass the \supportsImages\ flag.

* fix(agents): explicitly allow media store dir when loading offloaded images

Address Codex review feedback: Pass getMediaDir() to loadWebMedia's localRoots for media-uri refs to prevent legacy path resolution mismatches from silently dropping large attachments.

* fix(gateway): resolve attachment offload regressions and error mapping

Address Codex review feedback:
- Pass \supportsImages\ dynamically in \chat.ts\ and \gent.ts\ based on model catalog, and explicitly in \server-node-events.ts\.
- Persist \offloadedRefs\ into the transcript pipeline in \chat.ts\ to preserve media metadata for >2MB attachments.
- Correctly map \MediaOffloadError\ to 5xx (UNAVAILABLE) to differentiate server storage faults from 4xx client validation errors.

* fix(gateway): dynamically compute supportsImages for overrides and node events

Address follow-up Codex review feedback:

- Use effective model (including overrides) to compute \supportsImages\ in \gent.ts\.

- Move session load earlier in \server-node-events.ts\ to dynamically compute \supportsImages\ rather than hardcoding true.

* fix(gateway): resolve capability edge cases reported by codex

Address final Codex edge cases:
- Refactor \gent.ts\ to compute \supportsImages\ even when no session key is present, ensuring text-only override requests without sessions safely drop attachments.
- Update catalog lookups in \chat.ts\, \gent.ts\, and \server-node-events.ts\ to strictly match both \id\ and \provider\ to prevent cross-provider model collisions.

* fix(agents): restore before_install hook for skill installs

Restore the plugin scanner security hook that was accidentally dropped during merge conflict resolution.

* fix: resolve attachment pathing, defer parsing after auth gates, and clean up node-event mocks

* fix: resolve syntax errors in test-env, fix missing helper imports, and optimize parsing sequence in node events

* fix(gateway): re-enforce message length limit after attachment parsing

Adds a secondary check to ensure the 20,000-char cap remains effective even after media markers are appended during the offload flow.

* fix(gateway): prevent dropping valid small images and clean up orphaned media on size rejection

* fix(gateway): share attachment image capability checks

* fix(gateway): preserve mixed attachment order

* fix: fail closed on unknown image capability (#55513) (thanks @Syysean)

* fix: classify offloaded attachment refs explicitly (#55513) (thanks @Syysean)

---------

Co-authored-by: Ayaan Zaidi <hi@obviy.us>
 2026-03-30 20:54:40 +05:30
Vincent Koc
af694def5b fix(agents): fail closed on silent turns (#52593) 
* fix(agents): fail closed on silent turns

* fix(agents): suppress all silent turn emissions

* fix(agents): pass silent turns into embedded subscribe
 2026-03-29 17:40:20 +09:00
Peter Steinberger
7dd196ed74 fix: apply live model switches during active retries 2026-03-27 12:01:55 +00:00
Peter Steinberger
12100719b8 fix: preserve cli sessions across model changes 2026-03-26 20:25:20 +00:00
kiranvk2011
84401223c7 fix: per-model cooldown scope, stepped backoff, and user-facing rate-limit message (#49834) 
Merged via squash.

Prepared head SHA: 7c488c070c
Co-authored-by: kiranvk-2011 <91108465+kiranvk-2011@users.noreply.github.com>
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com>
Reviewed-by: @altaywtf
 2026-03-25 22:03:49 +03:00
chenxingzhen
4ae4d1fabe fix: mid-turn 429 rate limit silent no-reply and context engine registration failure (#50930) 
Merged via squash.

Prepared head SHA: eea7800df3
Co-authored-by: infichen <13826604+infichen@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman
 2026-03-25 10:43:08 -07:00
Tak Hoffman
8c89d0e7cd tests: add boundary coverage for media delivery (#53361) 
* tests: add boundary coverage for media delivery

* tests: isolate telegram outbound adapter transport

* tests: harden telegram webhook certificate assertion

* tests: fix guardrail false positives on rebased branch
 2026-03-23 23:37:34 -05:00
Peter Steinberger
7ba28d6dba fix: repair runtime seams after rebase 2026-03-23 09:14:17 +00:00
Vincent Koc
ac0fd26e16 fix(ci): resync generated baselines and line runtime seam 2026-03-22 19:53:26 -07:00
Vincent Koc
7bfa261c42 perf(reply): lazy-load media path normalization 2026-03-22 19:12:44 -07:00
zidongdesign
2b68d20ab3 feat: notify user when context compaction starts and completes (#38805) 
Merged via squash.

Prepared head SHA: 0f48c1bbf6
Co-authored-by: zidongdesign <81469543+zidongdesign@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman
 2026-03-21 08:14:29 -07:00
Vincent Koc
ef1346e503 Plugin SDK: route reply payload through public subpath 2026-03-18 12:01:15 -07:00
Peter Steinberger
62edfdffbd refactor: deduplicate reply payload handling 2026-03-18 18:14:57 +00:00
Josh Lehman
eeb140b4f0 fix(plugins): late-binding subagent runtime for non-gateway load paths (#46648) 
Merged via squash.

Prepared head SHA: 44742652c9
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman
 2026-03-16 14:27:54 -07:00
ufhy
3928b4872a fix: persist context-engine auto-compaction counts (#42629) 
Merged via squash.

Prepared head SHA: df8f292039
Co-authored-by: uf-hy <41638541+uf-hy@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman
 2026-03-14 16:22:10 -07:00
Peter Steinberger
46d4fe2fa1 refactor: share embedded run and discord test helpers 2026-03-13 23:35:28 +00:00
Cypherm
61d219cb39 feat: show status reaction during context compaction (#35474) 
Merged via squash.

Prepared head SHA: 145a7b7c4e
Co-authored-by: Cypherm <28184436+Cypherm@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman
 2026-03-12 21:06:15 -07:00
ademczuk
58634c9c65 fix(agents): check billing errors before context overflow heuristics (#40409) 
Merged via squash.

Prepared head SHA: c88f89c462
Co-authored-by: ademczuk <5212682+ademczuk@users.noreply.github.com>
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com>
Reviewed-by: @altaywtf
 2026-03-11 21:08:55 +03:00
Harold Hunt
de49a8b72c Telegram: exec approvals for OpenCode/Codex (#37233) 
Merged via squash.

Prepared head SHA: f243379094
Co-authored-by: huntharo <5617868+huntharo@users.noreply.github.com>
Co-authored-by: huntharo <5617868+huntharo@users.noreply.github.com>
Reviewed-by: @huntharo
 2026-03-09 23:04:35 -04:00
Altay
531e8362b1 Agents: add fallback error observations (#41337) 
Merged via squash.

Prepared head SHA: 852469c82f
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com>
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com>
Reviewed-by: @altaywtf
 2026-03-10 01:12:10 +03:00
Ayaan Zaidi
77ef672468 fix: normalize reply media paths 2026-03-07 10:52:16 +05:30
Altay
6e962d8b9e fix(agents): handle overloaded failover separately (#38301) 
* fix(agents): skip auth-profile failure on overload

* fix(agents): note overload auth-profile fallback fix

* fix(agents): classify overloaded failures separately

* fix(agents): back off before overload failover

* fix(agents): tighten overload probe and backoff state

* fix(agents): persist overloaded cooldown across runs

* fix(agents): tighten overloaded status handling

* test(agents): add overload regression coverage

* fix(agents): restore runner imports after rebase

* test(agents): add overload fallback integration coverage

* fix(agents): harden overloaded failover abort handling

* test(agents): tighten overload classifier coverage

* test(agents): cover all-overloaded fallback exhaustion

* fix(cron): retry overloaded fallback summaries

* fix(cron): treat HTTP 529 as overloaded retry
 2026-03-07 01:42:11 +03:00