Commit Graph

15028 Commits

Author SHA1 Message Date
huangjianxiong
a89fe705b8 fix(openai): bound Codex OAuth token response body reads with readResponseWithLimit (#99479)
* fix(openai): bound Codex OAuth token response body reads with readResponseWithLimit

Replace unbounded response.arrayBuffer() in postTokenForm with
readResponseWithLimit using a 1 MiB cap to prevent OOM from oversized
token endpoint responses. Add real node:http loopback server tests.

* fix(openai): wrap readResponseWithLimit result in Uint8Array for TS BodyInit compat

- Fixes TS2345: Buffer<ArrayBufferLike> not assignable to BodyInit
- Resolves check-prod-types, check-test-types, and
  check-additional-extension-package-boundary CI failures

Ref. https://github.com/openclaw/openclaw/pull/99479

* test(openai): verify OAuth response release

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 00:18:20 +01:00
Vincent Koc
d09e2e738c fix(provider): satisfy Featherless release checks 2026-07-06 16:17:44 -07:00
Vincent Koc
2c11f11303 feat(provider): add Featherless AI integration 2026-07-06 16:17:44 -07:00
Vortex Openclaw
1f6ddb5df0 feat(models): add Claude Sonnet 5 support (#98254)
* feat(models): add Claude Sonnet 5 support

Co-authored-by: Ariel Bravy <ariel@vortexradar.com>

* fix(models): align Sonnet 5 validation baselines

* fix(models): satisfy Sonnet 5 CI contracts

* fix(models): enforce Sonnet 5 provider contracts

* docs(changelog): defer Sonnet 5 release note

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: Ariel Bravy <ariel@vortexradar.com>
2026-07-07 00:05:35 +01:00
tiffanychum
da0103f025 fix(discord): messages sent during gateway reconnect are silently dropped (#100896)
* fix(discord): drain queued outbound deliveries after gateway reconnect (#56610)

Discord sends that failed while the gateway websocket was reconnecting
(close codes 1005/1006) stayed stuck in the outbound delivery queue and
were silently dropped. Classify sends that fail while the registered
gateway is disconnected as retryable, and drain pending discord queue
entries when the gateway reconnects, matching the WhatsApp/Telegram
reconnect drains.

* fix(discord): harden reconnect recovery

Co-authored-by: tiffanychum <71036662+tiffanychum@users.noreply.github.com>

* refactor(discord): remove unsafe reconnect replay

* fix(discord): bound reconnect retry per request

Co-authored-by: tiffanychum <71036662+tiffanychum@users.noreply.github.com>

* chore(changelog): leave reconnect fix to release flow

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 23:56:17 +01:00
Zachary Yuan
01f0b2340f fix(discord): download attachments at receipt time, not after the run queue (#96183)
* fix(discord): download attachments at receipt time, not after the run queue

Discord's CDN attachment URLs carry an expiring `ex` TTL. Media was
downloaded in processDiscordMessageInner, after the inbound run queue,
so messages delayed behind a busy run lost their attachments silently.
Resolve attachments/forwarded media during preflightDiscordMessage
instead, before the message is enqueued, and carry the result forward
on the context for process to reuse.

Fixes #96165

* refactor(discord): carry one prepared media snapshot

Co-authored-by: ZacharyYW <zachary.w.yuan123@gmail.com>

* fix(discord): guard bot media before download

* chore(discord): leave release notes to release flow

* docs(changelog): credit Discord attachment fix

* chore(changelog): leave attachment fix to release flow

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 23:45:32 +01:00
wings1029
fc77c2b04b fix(discord): bound gateway metadata response body reads to prevent OOM (#98682)
* fix(discord): bound gateway metadata response body reads to prevent OOM

The materializeGuardedResponse helper in the Discord gateway metadata path
buffered the full upstream Response body via response.arrayBuffer() without
any size cap. A malicious or malfunctioning /gateway/bot endpoint that returns
an oversized payload could exhaust gateway memory.

Replace arrayBuffer() with readResponseWithLimit(4 MiB), consistent with
DISCORD_API_RESPONSE_BODY_LIMIT_BYTES in api.ts. Overflow throws an Error
with the byte counts.

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(discord): wrap readResponseWithLimit result in Uint8Array for type compat

readResponseWithLimit returns Buffer which is not assignable to BodyInit in
the undici Response constructor type. Wrap in new Uint8Array() to satisfy the
boundary dts check. Also remove testExports export and mock fetchWithSsrFGuard
in tests via vi.hoisted + vi.mock to avoid leaking internal test-only exports.

Co-Authored-By: Claude <noreply@anthropic.com>

* test(discord): tighten gateway metadata proof

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 23:34:03 +01:00
Martin Moellenbeck
cac05ff695 Fix realtime voice-call barge-in cancellation (#90749)
* fix voice call realtime barge-in cancellation

* chore: retrigger PR checks

* chore: retrigger PR checks

* fix voice call realtime barge-in fallback

* fix voice call provider barge-in precedence

* fix voice call speech-started fallback contract

* fix late provider barge-in queued audio clear

* fix realtime handler test raw message parsing

* chore rerun ci

* Document realtime speech-start capability

* fix voice call barge-in interruption policy

* fix(voice-call): centralize realtime barge-in

Co-authored-by: Martin Möllenbeck <martin.moellenbeck@5minds.de>

* chore(changelog): leave voice fix to release flow

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 23:30:16 +01:00
cxbAsDev
a464620141 fix(extensions/huggingface): bound model discovery JSON response read to prevent OOM (#101079)
* fix(extensions/huggingface): bound model discovery JSON response read to prevent OOM

* test(huggingface): prove bounded discovery cleanup

* test(huggingface): avoid unbound reader assertions

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 23:26:27 +01:00
cxbAsDev
2b868cac57 fix(tlon): bound Memex upload JSON response read (#101115)
* fix(tlon): bound Memex upload JSON response read

* test(tlon): prove upload response cancellation

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 23:26:15 +01:00
crh-code
d4b38a2160 fix(device-pair): remove INADDR_ANY and IPv6 unspecified from isLoopbackHost (#98617)
* fix(device-pair): remove INADDR_ANY and IPv6 unspecified from isLoopbackHost

0.0.0.0 (INADDR_ANY — bind to all interfaces) and :: (IPv6 unspecified)
are NOT loopback addresses. The canonical implementation in
src/gateway/net.ts explicitly excludes both. Classifying them as
loopback in isLoopbackHost causes incorrect behavior in mobile
pairing cleartext host validation.

Co-Authored-By: Claude <noreply@anthropic.com>

* test(device-pair): reject unspecified setup URLs

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 23:25:35 +01:00
Peter Steinberger
5a7c67682f fix(browser): isolate CDP control host policy (#101171) 2026-07-06 23:14:48 +01:00
lsr911
e924f30bf5 fix(browser): guard readFields JSON.parse against malformed CLI input (#98861)
* fix(browser): guard readFields JSON.parse against malformed user input

Wraps JSON.parse(payload) in readFields() with try/catch, throwing a
descriptive Error when CLI --fields or --fields-file input contains
malformed JSON instead of raw SyntaxError.

8/8 proof assertions pass using standalone script that imports and
calls the real exported readFields() with malformed field strings.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: lsr911 <liao.shirong@xydigit.com>

* fix(browser): add vitest malformed JSON tests, remove standalone proof

ClawSweeper feedback: added 2 vitest tests (malformed JSON, empty fields)
to the existing shared.test.ts, removed standalone proof script.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: lsr911 <liao.shirong@xydigit.com>

* fix(browser): cover malformed fields at CLI boundary

---------

Signed-off-by: lsr911 <liao.shirong@xydigit.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 23:14:00 +01:00
Peter Steinberger
e29efa6852 fix(discord): terminate ffmpeg on stream errors (#101124)
* fix(discord): terminate ffmpeg on stream errors

* docs(changelog): note Discord ffmpeg cleanup

* fix(discord): force-stop ffmpeg after output failures

* chore: defer Discord release note to changelog batch
2026-07-06 23:11:45 +01:00
xingzhou
e80e8a2b67 fix(device-pair): mobile pairing rejects local IPv6 cleartext URLs (#101008)
* fix(device-pair): allow local IPv6 pairing URLs

* test(device-pair): cover IPv6 cleartext lower bound
2026-07-06 22:35:09 +01:00
Dallin Romney
19491fe34c Revert "fix(qa): keep smoke profile on one channel (#101173)" (#101184)
This reverts commit b773f7981a.
2026-07-06 13:29:07 -07:00
Dallin Romney
b773f7981a fix(qa): keep smoke profile on one channel (#101173) 2026-07-06 13:26:58 -07:00
Dallin Romney
66b4dcf184 chore(docker): execute Compose and package artifact proofs (#101045)
* test(docker): prove Compose and package artifacts

* test(docker): use bounded container cleanup

* test(docker): bound package proof launch

* test(qa): keep Docker artifact proofs release-only

* test(docker): simplify artifact proof names

* test(docker): satisfy identity writer lint
2026-07-06 13:05:34 -07:00
Dallin Romney
2f7299eaa5 test(qa): add provider runtime evidence (#101051) 2026-07-06 13:01:32 -07:00
Peter Steinberger
80537c1ba4 feat(macos): load provider catalog during AI onboarding (#101132)
* feat(macos): load onboarding providers from gateway

* test(crestodian): widen setup config mock

* fix(crestodian): satisfy onboarding lint gate

* chore(macos): refresh onboarding localization inventory

* test(plugins): cover guided Copilot secret metadata
2026-07-06 20:57:56 +01:00
ANIRUDDHA ADAK
1d375c31da test(browser): replace broad win32 skip with dynamic directory symlink check (#90365)
* test(browser): replace broad win32 skip with dynamic directory symlink check

* fix(browser): refine directory symlink probe to ensure cleanup and remove random string usage

* test(browser): scope symlink capability checks to the case

---------

Co-authored-by: Aniruddha Adak <aniruddhaadak80@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 20:52:02 +01:00
mushuiyu886
8f7d0a36f9 fix(browser): bound client fetch success JSON reads (#100889)
* fix(browser): bound client fetch success JSON reads

* fix(browser): preserve supported response body sizes

* docs(changelog): note browser response bounds

* chore: keep release changelog owner-only

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 20:48:07 +01:00
Vincent Koc
e75223286d fix(qa): require live channel driver for access-gate scenarios 2026-07-06 21:34:27 +02:00
pash-openai
806a116f9d Let owner-operated Codex agents use connected account apps (#100973)
* Allow connected Codex account apps

* Preserve explicit plugin app policy

* Refresh Codex documentation map

* Unify connected apps with Codex plugin policy

* Format Codex configuration reference
2026-07-06 12:31:45 -07:00
weiqinl
e938461aa2 fix(discord): use configured statusReactions.timing instead of DEFAULT_TIMING (#94736)
* fix(discord): use configured statusReactions.timing instead of DEFAULT_TIMING

Makes the Discord message finalizer respect user-configured
doneHoldMs/errorHoldMs instead of always using hardcoded
DEFAULT_TIMING values. Brings Discord to parity with Telegram
and Slack which already use configured timing.

Fixes #78431

* test(discord): strengthen configured-timing regression with old-default assertion

Add a no-cleanup assertion at DEFAULT_TIMING.doneHoldMs (1500ms) before
advancing to the configured 2000ms hold, so the test fails against the
old hardcoded-default behavior. Add a matching errorHoldMs regression
test using failedCounts to drive the error terminal path.

Address ClawSweeper [P2] review finding on #94736: the previous test
advanced straight to 2000ms and would pass without the runtime fix
because main already removes the done reaction at 1500ms.

* refactor(discord): unify status reaction timing proof

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 12:18:40 -07:00
Dallin Romney
e3671e0980 refactor(qa): canonicalize channel command scenarios (#101080)
* test(qa): migrate channel command scenarios

* test(qa): distinguish portable command headings

* test(qa): preserve canonical scenario ownership
2026-07-06 12:18:06 -07:00
Mark
db38127c22 [codex] Allow reply_payload_sending to add portable buttons (#98922)
* fix(telegram): retry plugin callback submit text

* fix(telegram): harden plugin callback submit text

* fix(telegram): preserve plugin callback submit semantics

* fix(telegram): release callback dedupe after submit failure

* fix(telegram): settle skipped plugin callback submissions

* style(telegram): format public API exports

* chore: leave changelog to release generation

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 20:17:41 +01:00
NianJiu
06efc2ae41 fix(browser): navigate works with CDP hostname allowlist (#100986)
* fix(browser): allow CDP host through hostname allowlist

* test(browser): prove CDP grants stay control-only

* docs(changelog): note remote browser CDP policy fix

* fix(browser): honor restrictive CDP host policy

* chore: keep release changelog owner-only

* fix(browser): align profile CDP creation policy

* fix(browser): keep remote CDP policy explicit

* test(browser): prove Playwright control allowlist isolation

---------

Co-authored-by: NianJiuZst <180004567+NianJiuZst@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 20:11:52 +01:00
Vincent Koc
2f89de8165 fix(codex): preserve yielded native subagent delivery 2026-07-06 11:58:00 -07:00
Dallin Romney
627f6988a0 test(qa): migrate restart and policy scenarios to yaml (#101063) 2026-07-06 11:50:16 -07:00
Masato Hoshino
b6c7a77d3f fix(discord): handle ffmpeg stderr stream errors in voice playback (#101088)
* fix(discord): handle ffmpeg stderr stream errors in voice playback

createDiscordOpusPlaybackStream guards ffmpeg stdout and stdin against raw
stream 'error' events (an unhandled stream error throws and crashes the
gateway via uncaughtException), but the stderr stream on the same child was
left unguarded. Add the symmetric stderr error handler, routing it through
opusStream.destroy like stdout. Add a regression test covering stdout and
stderr stream errors.

* refactor(discord): unify ffmpeg stream errors

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 19:43:10 +01:00
Vincent Koc
c3e46e710d test(discord): align proxy websocket override helper type 2026-07-06 20:26:45 +02:00
Masato Hoshino
f859d78b61 fix(line): surface partial delivery when rich or media send fails alongside text (#100996)
* fix(line): surface partial delivery when rich or media send fails alongside text

* fix(line): harden partial delivery result

* test(line): preserve frozen error type

* chore: keep release changelog owner-only

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 19:21:29 +01:00
Alix-007
962d1096d4 fix(memory-core): keep daily ingestion outside session repair (#93389)
* fix(memory-core): clear daily-ingestion sqlite namespace on dreaming repair

repairDreamingArtifacts() cleared the dreaming-session-ingestion-files and
dreaming-session-ingestion-seen namespaces but not the migrated
dreaming-daily-ingestion namespace. After #92020 taught auditDreamingArtifacts()
to treat all three ingestion namespaces as ingestion state, the repair path
became asymmetric: the memory status --fix re-audit still reported
sessionIngestionExists=true from the surviving daily rows, and the daily
ingestion bookkeeping leaked past repair so daily memory files were not
re-ingested on the next sweep.

Clear DREAMING_DAILY_INGESTION_NAMESPACE alongside the session files/seen
namespaces so repair fully resets dreaming ingestion state, matching the audit.

* chore: retrigger CI for real behavior proof check

* fix(memory-core): keep daily ingestion outside session repair

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
Co-authored-by: Alix-007 <li.long15@xydigit.com>

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-06 19:16:26 +01:00
davelutztx
8aaf9fc6bc fix(discord): send fresh final messages after previews (#99711)
* fix(discord): send fresh final messages after previews

* fix(discord): suppress broadcast mentions on fresh finals

* docs(changelog): note Discord streamed final fix

* fix(discord): stabilize targeted mention policy

---------

Co-authored-by: Dave Lutz <dave@lutzfamily.net>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 19:14:09 +01:00
Ben.Li
6bc661ce14 fix(msteams): bound Bot Framework attachmentInfo JSON response reads (#99125)
* fix(msteams): bound Bot Framework attachmentInfo JSON response reads

* test(msteams): prove attachmentInfo stream cancellation
2026-07-06 19:07:24 +01:00
xingzhou
f805bb4e02 fix(feishu): avoid mention forwarding when bot open id is unavailable (#100891)
* fix(feishu): avoid forwarding mentions without bot open id

* fix(feishu): require bot identity for mention forwarding

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 18:54:02 +01:00
Peter Steinberger
b3e68a093c fix(lmstudio): honor embedding preload context (#100750)
Co-authored-by: Zakaria Rahali <zakariarahali288@gmail.com>
Co-authored-by: 徐闻涵0668001344 <xu.wenhan1@xydigit.com>
2026-07-06 18:28:48 +01:00
Vincent Koc
3ad77774f0 fix: carry 2026.7.1 stability repairs into main (#101043)
* fix(telegram): throttle reconnect delivery drains

(cherry picked from commit 7182c74d04)

* fix(agents): honor aborts during session lock acquisition

(cherry picked from commit 6443c2a552)

* fix(cli): prefer installed launcher package roots

(cherry picked from commit 37e1b324db)

* fix(e2e): allow Linux onboarding to finish

(cherry picked from commit 88192552a0)

* fix(e2e): scrub single-plugin allowlists on Windows

(cherry picked from commit bee5dee521)

* fix(e2e): preserve Windows config shape during updates

(cherry picked from commit a580a7fe3f)
2026-07-06 10:17:36 -07:00
Vincent Koc
bf8626c0e9 feat(providers): add LongCat API support (#100501)
* fix(ai): honor provider reasoning compatibility

* feat(longcat): add hosted provider plugin

* chore(longcat): register package metadata

* docs(longcat): add provider setup guide

* docs(longcat): document self-hosted model routing

* refactor(longcat): externalize provider plugin

* chore(longcat): add npm release artifacts
2026-07-06 10:07:08 -07:00
NIO
db334b3cf7 fix(qa-channel): bound bus JSON response reads (#99169)
Co-authored-by: NIO <nocodet@mail.com>
2026-07-06 13:02:42 -04:00
NIO
2e967ea61d fix(google): bound OAuth JSON response reads (#97587)
Co-authored-by: NIO <nocodet@mail.com>
2026-07-06 13:01:25 -04:00
Gio Della-Libera
5b06eba9fe policy: repair required deny tool findings (#99700) 2026-07-06 09:56:03 -07:00
Peter Steinberger
bfb89d3ea6 fix(discord): limit implicit reply fanout (#100784)
* fix(discord): limit implicit reply fanout

Co-authored-by: qingminlong <qing.minlong@xydigit.com>

* fix(discord): preserve oversized fallback fanout

* refactor(discord): make reply metadata per-message

* fix(discord): keep reply receipts serializable

* docs(changelog): defer Discord entry to release

* refactor(discord): model native reply fanout

---------

Co-authored-by: qingminlong <qing.minlong@xydigit.com>
2026-07-06 17:55:23 +01:00
cxbAsDev
68487e4c1e fix(codex): honor timeoutSeconds for dynamic tool calls when timeoutMs is absent (#100722)
* fix(codex): honor timeoutSeconds for dynamic tool calls when timeoutMs is absent

* fix(codex): enforce integer timeoutSeconds and cover side-question path

* chore(proof): extend codex timeoutSeconds proof to side-question path and fractional rejection

* fix(codex): leave headroom when arming watchdog from timeoutSeconds

* fix(codex): preserve dynamic tool timeout budgets

* test(codex): satisfy dynamic tool response types

* test(codex): type structured timeout promise

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 17:52:51 +01:00
Mukunda Rao Katta
675045f49f fix(browser): read Windows Chrome version from build dir in doctor (#87937)
* fix(browser): read Windows Chrome version metadata

Read PE ProductVersion before a conservative unambiguous install-layout fallback, without interpolating configured paths into PowerShell code.\n\nCo-authored-by: Mukunda Rao Katta <mukunda.vjcs6@gmail.com>

* style(browser): clarify Windows version probe

* fix(browser): use trusted Windows PowerShell path

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 17:50:34 +01:00
ZZIPP
979d198fd1 fix(media): recognize m2a as MPEG audio (#92167)
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 17:48:37 +01:00
Peter Steinberger
cc147c6a40 test(discord): align websocket mock constructor type 2026-07-06 12:30:35 -04:00
Dallin Romney
5af7ba92ce refactor: consolidate byte-size formatting (#99768)
* refactor: consolidate byte-size formatting

* fix: stabilize byte formatter import boundary

* fix: keep byte formatter within SDK budget

* fix: emit byte formatter package entry

* refactor: trim byte formatter surface

* fix: use narrow byte formatter import

* refactor: remove byte formatter dependency changes

* fix: refresh rebased byte formatter baseline
2026-07-06 09:26:04 -07:00
Dallin Romney
b29d472e41 refactor(qa): add canonical live channel adapters (#99707) 2026-07-06 09:24:34 -07:00