Commit Graph

115 Commits

Author SHA1 Message Date
Peter Steinberger
e681646834 feat(cloud-workers): add crabbox worker provider plugin and profile-aware lease lifecycle (#104465)
* feat(cloud-workers): add Crabbox worker provider

* docs(cloud-workers): document Crabbox profiles

* chore(cloud-workers): drop changelog entry (release-only file)

* refactor(plugin-sdk): pass profiles to worker lease lifecycle

* docs(plugin-sdk): document worker lifecycle profiles

* chore(docs): regenerate plugin inventory, docs map, and sdk baseline after rebase

* fix(cloud-workers): state crabbox key-ref gap without warning-comment suppressions
2026-07-11 05:51:56 -07:00
Peter Steinberger
05aecc1d6f feat: show Codex transcripts in the sidebar (#104437)
* feat: show Codex transcripts in sidebar

* fix: clear Codex sidebar on Gateway switch

* chore: leave release notes to release workflow

* chore: refresh native i18n inventory

* fix: satisfy macOS Codex node lint

* fix: refresh native localization inventory

* docs: refresh documentation map

* chore: refresh UI locale metadata
2026-07-11 05:39:29 -07:00
Peter Steinberger
90e465833b feat(gateway): durable cloud worker environments, provider SDK contract, and lifecycle RPCs (#104401)
* docs(plan): add cloud workers design plan

* feat(plugin-sdk): add cloud worker provider foundations

* feat(protocol): add worker environment lifecycle shapes

* feat(gateway): persist worker environment lifecycles

* test(gateway): pin environment inventory assertion for damaged worker store

* style(cloud-workers): satisfy lint and docs formatting

* fix(gateway): narrow worker environment type boundaries

* chore(plugin-sdk): account for WorkerProvider surface growth

* docs: regenerate docs map
2026-07-11 04:54:27 -07:00
Peter Steinberger
0af8467137 feat(workspaces): add agent-composable Workspaces (#104139)
* feat(dashboard): modular dashboard — workspace store, Workspaces tab, sandboxed custom widgets

Squashes openclaw/openclaw#101094 + #101097 + #101098 onto current main and
applies the maintainer review fixes to the backend control plane.

Co-authored-by: 100yenadmin <239388517+100yenadmin@users.noreply.github.com>

* fix(dashboard): UI review fixes — grid, error boundary, embed sandbox, locale

* fix(dashboard): make the CLI and agent broadcasts actually reachable

Three defects only a live run surfaces, all invisible to the unit suites:

- The plugin claimed the CLI command name `dashboard`, which core already owns
  (it opens the Control UI). A plugin CLI group that overlaps a core command is
  dropped at registration behind a `logger.debug`, so the entire CLI face was
  unreachable while `cli.test.ts` kept passing against its own Commander
  program. Renamed to `openclaw workspaces`, matching the tab it drives.

- The manifest never declared `activation.onCommands`, so the CLI root resolved
  to no owning plugin even once the name was free.

- `dashboard.widget.approve` needs `operator.approvals`; the CLI asked for
  `operator.write` on every call. It now requests the approvals scope only for
  the approve call, matching `operator-approvals-client.ts`.

Also: agent tools resolved their broadcast from the plugin runtime's
gateway-request scope, an AsyncLocalStorage set only around gateway RPCs and
plugin HTTP routes. An agent turn started from a channel, cron, or heartbeat
therefore wrote the document without emitting `plugin.dashboard.changed`, so an
open Control UI never saw the edit — the feature's headline promise. The gateway
broadcast is server-lifetime, so the plugin now remembers it in a single slot and
agent tools fall back to it.

* docs(web): document dashboard workspaces, provenance, and the custom-widget sandbox

* fix(dashboard): agent-tool ergonomics + close two approval-boundary gaps

From a source-blind agent driving the dashboard_* tools with nothing but their
schemas, and from a Codex review of the hardening delta.

- dashboard_widget_update could never succeed. It passed its whole parameter
  record to the patch reader, whose allowlist rejects the very `tab`/`id` keys
  the tool's own schema marks required, so every call died on
  "unexpected param: tab". Its test only ran Value.Check against the schema and
  never executed the tool.
- dashboard_data_read surfaced an `rpc` binding as a thrown error, though its
  description promised `binding_client_resolved`. It now returns that as a
  result the model can act on.
- Valid widget kinds and the rpc allowlist were undiscoverable: a model saw only
  "builtin:<name> or custom:<name>" and "Allowlisted gateway read method", then
  brute-forced ~40 calls against errors that named no alternatives. Both schemas
  and both validator errors now enumerate them, and the kind description says
  what each builtin renders and which binding id it reads. widget_move documents
  that grid and toTab are exclusive; widget_scaffold says an operator must
  approve, because no agent tool can.
- workspace.replace could mint a pending registry entry for a name that was
  never scaffolded. An operator could then approve a widget whose code did not
  exist yet, and the agent could write it afterwards. Registry entries now come
  from dashboard_widget_scaffold and nowhere else, and approve refuses a name
  with no manifest on disk.
- dashboard.widget.approve answered with the whole workspace document, so a
  connection holding only operator.approvals could read it through the approvals
  door. It now returns the registry entry it changed.

* fix(dashboard): approval pins the code it approves

Codex review found the scaffold-before-approval gate still nameable rather than
binding: approve only proved that widget.json parsed, and the Control UI loaded a
hardcoded index.html rather than the manifest's entrypoint. An agent could
scaffold a widget, win approval on an innocuous or absent entrypoint, then write
the real payload afterwards — code appearing after the human said yes.

Approval now hashes every servable file in the widget directory and stores the
digests on the registry entry, refusing a manifest whose declared entrypoint is
missing. The asset route re-hashes each file it reads and 404s anything that does
not match, so a file edited or added after approval never reaches a browser. The
Control UI loads the manifest's entrypoint, which is the file that was hashed.

The content-type allowlist moves to manifest.ts so the set of files approval
hashes and the set the route can serve cannot drift apart.

Proof, against a running gateway: scaffold -> 404, approve -> 200, rewrite
index.html -> 404, add late.js -> 404.

* fix(dashboard): parse the approved manifest from the bytes that were hashed

Codex found a TOCTOU in the approval path: it loaded and validated widget.json,
then walked the directory again to compute the digests. An agent could swap
widget.json between the two reads, so the operator validated one entrypoint while
the digest froze — and the Control UI later mounted — a different one.

snapshotApprovedWidget now reads the widget directory once: it hashes every
servable file, parses the manifest out of the same widget.json bytes it hashed,
and requires the declared entrypoint to be among them.

Proof, against a running gateway: approve -> index.html 200; rewrite widget.json
to point at evil.html and drop evil.html in -> both 404.

* fix(dashboard): cap approval asset reads; bound the grid fallback search

Two findings from the fourth Codex pass.

Approval hashes agent-authored files that are untrusted until it runs, and read
each one into memory with no size check — dropping one huge .png into a scaffold
directory would stall or OOM the gateway during approve. Sizes are now checked
before the read, with a 2 MB per-file and 8 MB total cap.

nearestFreeSlot searched one band below the lowest occupied row, so a crowded
layout near the bottom could return y=500 as the closest free slot: a placement
the store rejects, which the UI applies optimistically and then snaps back. The
search now stops at the last row a widget of that height can legally occupy.

* fix(dashboard): refuse oversized widget assets before reading them

Approved widget files stay writable and the asset route is unauthenticated, so
swapping an approved small file for a very large one made every GET buffer the
whole file before the digest check rejected it. The route now refuses anything
past the same per-file cap approval enforces, on the stat it already performs.

* fix(dashboard): enforce widget approval boundaries

* docs(changelog): note modular dashboard workspaces

* fix(dashboard): enforce static custom-widget data boundary

* fix(dashboard): satisfy UI lint

* test(dashboard): avoid legacy proto access

* feat(dashboard): make plugin opt-in

* docs(dashboard): refresh workspaces map

* refactor(workspaces): standardize plugin naming

* fix(workspaces): make widget prompt sends idempotent

* docs(workspaces): fix internal path references

* test(workspaces): make prompt assertion lint-safe

* test(workspaces): type prompt request mock

* fix(workspaces): harden approval and binding boundaries

* test(workspaces): complete stale binding client mock

* fix(workspaces): harden widget file boundaries

* fix(workspaces): scope custom widget capabilities

* fix(workspaces): align approval provenance

* fix(workspaces): close branch contract gaps

* test(workspaces): complete builtin context fixtures

* fix(workspaces): aggregate overview usage

* chore(workspaces): defer release note

* chore(workspaces): refresh i18n metadata

---------

Co-authored-by: 100yenadmin <239388517+100yenadmin@users.noreply.github.com>
2026-07-11 03:30:23 -07:00
Peter Steinberger
236d1b2484 feat(control-ui): selection popup with More details and Ask in side chat via /btw (#104205)
* feat(control-ui): add chat selection popup with More details and Ask in side chat

* fix(control-ui): keep BTW pending card visible and clear it on resultless terminal runs

* fix(control-ui): route failed BTW runs to an error side-result card and ignore stale side results

* fix(control-ui): correlate BTW pending cards by pre-generated run id and suppress superseded runs

* fix(control-ui): retire abandoned BTW runs so late side events never reach the transcript

* chore(docs): regenerate docs map for btw selection-popup section; fix selection-popup test lint
2026-07-11 01:42:17 -07:00
Vincent Koc
b01affeaee docs: refresh llama diagnostics map 2026-07-11 16:40:14 +08:00
Peter Steinberger
ebc848deec feat: sidebar update card (web + macOS) with app-first mac update flow and Sparkle beta track (#104171)
* feat: sidebar update card (web + macOS) with app-first mac update flow and Sparkle beta track

Squashed from claude/update-notification-display-c6cfb9 after semantic merge
with #104178 (channel-aware CLI installs). See PR #104171 body for details.

* chore(i18n): resync generated inventories after rebase

* chore(i18n): resync locale metadata after rebase
2026-07-11 00:34:10 -07:00
Peter Steinberger
f94a7dc183 feat(codex): supervise native Codex sessions (#104045)
* feat(codex): add native session supervision

* fix(codex): harden supervision integration

* fix(codex): preserve locked harness ownership

* fix(codex): fence native session archive

* fix(codex): revalidate archive binding ownership

* feat(codex): integrate supervision runtime

* feat(sessions): preserve harness-owned execution

* feat(sessions): persist harness ownership invariants

* feat(gateway): enforce harness-owned sessions

* feat(setup): enable detected Codex supervision

* feat(mac): expose supervised Codex sessions

* feat(ui): make Codex sessions actionable

* docs(codex): document session supervision

* test(codex): cover integration ownership

* chore(i18n): refresh supervision inventories

* fix(setup): finalize Codex activation atomically

* test(codex): narrow binding store update

* fix(sessions): preserve legacy model locks

* test(macos): serialize Codex catalog fixtures

* fix(sessions): preserve legacy lock admission

* chore(i18n): reconcile supervision metadata

* test(sessions): mark legacy lock fixture

* fix(macos): drain final Codex catalog frame

* docs: leave supervision note to release

* style(macos): satisfy Codex catalog type length

* chore: record session accessor seam owners

* fix(macos): honor configured Codex supervision

* fix(codex): preserve harness-owned model locks

* fix(codex): satisfy supervision lint gates

* chore(i18n): refresh native supervision inventory

* fix(codex): align supervision validation contracts

* fix(codex): close supervision boundary gaps

* fix(codex): preserve supervision activation contracts

* fix(codex): dispose standalone supervision runtime

* fix(codex): pin supervised source connection

* fix(plugins): bind delegated runs to exact session target

* fix(codex): scope supervised sessions to configured agents

* fix(codex): fingerprint effective supervision home

* fix(codex): normalize supervision plugin policy

* fix(codex): keep supervised bindings stable across upgrades

* fix(codex): guard all supervised binding connections

* fix(codex): preserve catalog filters and pending CAS identity

* fix(codex): preserve supervision identity for diagnostics

* fix(codex): bind uncertain commits to supervision connection

* fix(codex): satisfy supervision type boundaries

* fix(macos): reconcile current main validation

* fix(codex): handle absent runtime config in supervision

* fix(doctor): own local audio acceleration check

* fix(codex): satisfy integration lint gates

* fix(codex): satisfy lifecycle safety guards
2026-07-11 00:12:08 -07:00
Peter Steinberger
ae2c6117d3 feat(ui): full-page New session screen with gateway folder browser (#104238)
* feat(gateway): add admin-only fs.listDir host directory listing

* feat(ui): replace new-session dialog with full-page /new screen and folder browser

* fix(ui): drop unnecessary template literal in new-session page

* refactor(ui): rename request token locals for review-bundle hygiene

* fix(ui): preserve typed draft on agent hydration and clear stale folder listings

* fix(ui): gate new-session submit on agent hydration and keep live folder edits

* test(ui): use exact textbox selector in new-session e2e

* test(ui): deep-link new-session e2e so agents.list override supplies workspace

* chore(i18n): translate new-session strings and refresh native inventory

* chore(i18n): reconcile locale metadata after rebase
2026-07-11 00:10:48 -07:00
Peter Steinberger
dfa31af0d4 docs(plugins): document safe external cron projection (#104227)
* docs(plugins): document safe cron projection

* docs(plugins): serialize cron projection revisions

* docs: refresh generated map

* docs(plugins): cancel stale cron projections
2026-07-10 23:26:40 -07:00
Peter Steinberger
81a201df26 feat: add portable table presentation blocks (#103583)
* feat(presentation): add portable table blocks

* chore(presentation): refresh generated contracts

* fix(slack): preserve table fallback payloads

* docs(changelog): note portable message tables

* fix(presentation): preserve cross-channel fallback delivery

* chore(plugin-sdk): refresh rebased contracts

* test(slack): align accessibility expectations

* fix(presentation): harden cross-channel fallback delivery

* chore(plugin-sdk): refresh rebased contracts

* docs(changelog): defer portable table release note

* fix(presentation): satisfy extension lint

* chore(plugin-sdk): refresh surface budgets

* fix(telegram): preserve reactions after progress replies

* fix(slack): preserve rendered preview fallback text

* fix(feishu): preserve oversized presentation fallbacks

* docs(changelog): note portable message tables

* docs(changelog): defer portable table release note

* chore(plugin-sdk): refresh rebased contracts

---------

Co-authored-by: Peter Steinberger <steipete@openai.com>
2026-07-10 22:29:13 -07:00
Peter Steinberger
58b0ec9e50 feat(gateway): auto-approve node pairing via SSH device-key verification (#104180) 2026-07-10 22:23:10 -07:00
Ben Badejo
8a29e8c934 fix(docs): expose top-level docs hubs on mobile (#100908)
* fix(docs): expose docs hubs on mobile

* docs: refresh docs map

* docs: remove committed proof screenshots

---------

Co-authored-by: Benjamin Badejo <ben@benbadejo.com>
2026-07-10 20:30:35 -07:00
Peter Steinberger
04865fe44b feat(ui): gateway browser panel with annotate-to-prompt and element inspect in the web Control UI (#104012)
* feat(ui): add gateway browser panel with annotate and inspect modes

* chore(i18n): translate browser panel strings

* fix(ui): address browser panel review findings (stable tab handles, stale view guard, inspect click suppression)

* fix(ui): make the browser panel reload button reload the remote page

* fix(ui): tile the browser dock against the terminal dock and re-probe evaluate per connection

* fix(ui): label page-reported prompt text as untrusted and accept host:port URL entries

* fix(ui): sanitize inspected selector fragments in the annotation prompt

* fix(i18n): retranslate annotation prompt keys so the page-reported provenance label survives localization

* docs: regenerate docs map for the browser panel section

* chore(i18n): reconcile locale bundles with latest main after rebase

* style(ui): format chat-pane imports after rebase

* chore(i18n): refresh locale metadata after rebase
2026-07-10 19:54:47 -07:00
Peter Steinberger
fef5c61a3c docs(gateway): document restart and crash recovery behavior (#103985)
* docs(gateway): document restart and crash recovery behavior

* chore(docs): allowlist intentional command:nwe hook example in spellcheck
2026-07-11 00:44:16 +01:00
Peter Steinberger
42c80df6f5 docs(node): clarify headless identity and pairing state (#103964)
* docs(node): clarify headless identity storage

* docs: refresh node identity heading map
2026-07-10 22:55:45 +01:00
Peter Steinberger
1bcc4c5e70 feat(gateway): add cooperative host suspension (#103618)
* feat(gateway): add cooperative suspension preparation

* style: satisfy suspension lint checks

* test(gateway): reset work admission between shared suites

* fix(gateway): reject upgrades during suspension

* fix(gateway): preserve admitted work during suspension

* test(gateway): isolate suspension and restart state

* fix(gateway): close suspension false-ready gaps

* refactor(protocol): slim suspension declaration graph

* refactor(plugin-sdk): sever protocol registry edges

* fix(gateway): preserve admitted restart follow-ups

* fix(gateway): make suspension recovery fail closed

* fix(protocol): keep validation formatter re-export only

* test(gateway): simplify deferred fixture type

* style(gateway): clarify suspension entry name

* fix(gateway): retain detached work admission
2026-07-10 20:24:53 +01:00
Peter Steinberger
fd2a2411b9 feat(ui): sessions sidebar redesign with agent sections, smart groups, and draft sessions (#103498)
* feat(ui): sessions sidebar redesign with agent sections, smart groups, and draft sessions

- agents become collapsible top-level sidebar sections; expanding an agent
  browses its sessions without navigating, replacing the hidden scope select
- built-in smart groups: one section per channel (rows keep their chat
  titles), a Work section for worktree/exec-node sessions with a
  repo/branch/node subtitle, custom groups, and Chats
- session names never show raw keys or peer ids; DM fallbacks shorten ids,
  dashboard sessions read 'New session', unnamed work sessions read as
  their checkout
- one + opens the new-session draft dialog: agent, exec host (paired
  system.run nodes), folder, worktree toggle with base-branch picker
  (worktrees.branches) and optional name; the first message creates the
  session and starts the run in one sessions.create call
- custom group catalog/order moves to the gateway (sessions.groups.*) with
  a one-time localStorage migration; rename/delete update members
  server-side instead of client-side paging

Part of #103431

* fix(ui): resolve dragged sessions across browsed agent sections

Dropping a row dragged out of a non-active agent section now finds the
session in the per-agent row cache instead of only the active scope, so
the category patch is applied instead of silently doing nothing.

Part of #103431

* fix(ui): propagate group catalog changes to open clients

sessions.groups.put/rename/delete now always broadcast a groups-change
event, and the session capability reloads the gateway-owned catalog when
one arrives, so another browser's group create/reorder/rename/delete no
longer leaves this client on a stale snapshot for the rest of the
connection.

Part of #103431

* docs: restore new session dialog section after rebase

* fix(ui): translate new sidebar/session strings and refresh docs map

Real locale translations for the new-session dialog and sidebar keys
(the fallback gate requires zero recorded English fallbacks), plus the
regenerated docs map for the new Control UI section.

Part of #103431

* fix(ui): repair locale metadata after rebase conflict resolution

* fix(ui): merge mainline locale keys with the sidebar redesign strings

* fix(ui): refresh raw-copy baseline for mainline tool-card strings

* fix(ui): reconcile generated locale artifacts after rebase
2026-07-10 18:54:44 +01:00
Peter Steinberger
a238dead67 fix(docker): package selected external plugins in source-built images (#103629)
* build(docker): package selected external plugins

* test(docker): auto-clean plugin fixture

* fix(docker): preserve selected image provenance

* fix(docker): accept manifest-only plugin selections

* fix(docker): resolve selected plugin manifest ids

* fix(docker): isolate resolved plugin selection
2026-07-10 13:00:50 +01:00
Peter Steinberger
401f278f11 feat: add Control UI plugin management (#103176)
* feat(ui): add plugin catalog management

* feat(gateway): add plugins.uninstall and richer plugin catalog metadata

Adds a plugins.uninstall gateway method (operator.admin, control-plane write)
backed by a lock-guarded uninstallManagedPlugin that mirrors the CLI flow:
config cleanup, install-record removal, managed file deletion, and registry
refresh. Bundled plugins stay disable-only. Catalog entries now carry a
manifest-derived category and a removable flag; ClawHub search results expose
download counts and verification tiers.

* feat(ui): redesign plugins page with inventory, store shelves, and cover art

Rebuilds /settings/plugins around three tabs: Installed (category-grouped
inventory with overview stats, state filters, uninstall for external plugins,
and inline MCP server management through the shared config seam), Discover
(featured/official shelves plus one-click MCP connectors and curated ClawHub
searches), and ClawHub (search with download counts and verification badges).
Every catalog entry renders bundled cover art or a deterministic gradient
monogram tile - no more empty boxes. Artwork generated with Codex CLI, shipped
as 512px WebP under ui/public/plugin-art.

* chore(ui): regenerate locale bundles for plugins manager strings

* docs: describe plugins manager tabs, uninstall, and MCP connectors

* fix(plugins): human catalog labels and un-pinned hosted fallback ids

listManagedPlugins now prefers manifest names over registry package-name
backfill, falls back to channel catalog labels and blurbs, and stops pinning
expectedPluginId when a hosted feed entry only exposes its package name
(which rejected every legitimate install of that package). Found via live
gateway testing against ClawHub.

* fix(ui): send minimal RFC 7396 merge patches for MCP server edits

config.patch merges rather than replaces, so key removal needs an explicit
null; sending the full config back made MCP server removal a no-op. Found
via live gateway testing.

* fix(ui): write explicit MCP transports for URL servers

The MCP runtime defaults URL-only servers to SSE, so streamable HTTP
endpoints saved by the add form or connector templates would fail at
connect time. Connector templates now declare their transport and the
add form infers streamable-http unless the URL follows the /sse
convention. Flagged by autoreview against the transport resolver.

* test(ui): wait for deferred plugin requests before resolving in e2e

* feat(ui): plugins detail view, action menus, and unified ClawHub search

Reworks the plugins page from PR #103176 feedback: merges the ClawHub tab into
Discover (typing searches ClawHub inline and appends a quiet From ClawHub
section, with Browse ClawHub demoted to a header text link), makes every row and
store card open a plugin detail overlay (hero art, primary enable/install
action, metadata table), and replaces enable/disable switches with a state chip
plus an overflow menu (Enable/Disable, Remove for external plugins, View
details) matching the ChatGPT-store install+menu pattern. MCP rows use the same
menu; refresh is now icon-only.

* chore(ui): regenerate locale bundles for plugins UI iteration

* feat(ui): vetted, grouped connector catalog for the plugins store

Expands Connect your world to 28 connectors organized into use-case shelves
(Work & productivity, Coding & infrastructure, Home & media, Everyday life).
Every entry passed a three-stage subagent review: official-docs verification
plus live endpoint probes for MCP servers, ClawHub result-quality and
malware/typosquat screening for curated searches, and an adversarial pass
that dynamically registered OAuth clients to prove one-click viability.

That review removed Figma (registration allowlisted, 403) and Atlassian
(OAuth issuer-mismatch bug upstream), downgraded GitHub to PAT-based setup
(no dynamic client registration upstream), fixed Linear (/sse retired) and
Home Assistant (/api/mcp, streamable HTTP) endpoints, retargeted poisoned or
dead searches (youtube, finance, hue dropped; calendar -> google calendar;
stocks replaces finance), and added Todoist, Airtable, Canva, Stripe,
Context7, DeepWiki, Hugging Face one-click MCP servers plus Jira, PDF,
transcription, Kubernetes, Reddit, maps, translation, and notes searches.
Keyless servers get a ready-to-use success message; new cover art included.

* chore(ui): regenerate locale bundles for connector groups

* fix(plugins): suppress hosted catalog rows once their package is installed

Hosted feed entries without a declared runtime id fall back to their package
name as catalog id, which never matches the installed runtime id, so the
Discover shelf kept offering an already-installed package. Installed package
names now also suppress official rows. Flagged by autoreview.

* fix(plugins): pin declared runtime ids and surface connector errors in place

The runtime-id pin now keys off explicitly declared catalog ids (plugin,
channel, or provider) instead of string-comparing against the package name,
so declared ids that equal their package name stay enforced while entry-id
fallbacks stay unpinned. Connector add failures on Discover now render on the
triggering card instead of the Installed tab's MCP section. Both flagged by
autoreview; regression tests included.

* feat(ui): full inventory artwork, pulse header, and two-column plugin list

Every bundled plugin now ships distinctive cover art (113 new Codex CLI
illustrations; 172 total, ~2.1MB WebP), so inventory rows and detail views
never fall back to monogram tiles. The four stat cards give way to a compact
inventory pulse: a segmented enabled/disabled/issues meter whose legend and
counts live inside the filter chips. Inventory, MCP, and search rows flow
into two columns when the panel is wide enough.

* chore(ui): regenerate locale bundles for pulse header

* fix(ui): omit stdio args from the MCP server row target

Stdio MCP args routinely carry tokens, and the inventory is visible to
read-only operators; mirror the config page and show only the command.
Flagged by autoreview; regression test included.

* fix(merge): point crestodian setup at relocated plugin commit/refresh modules

* fix(merge): add bootstrapToken to plugins page test gateway harness

* fix(plugins): name catalog install-action branches so Swift emits the union

* fix(ui): satisfy strict lint on plugins page form parsing and mocks

* chore(build): regen docs map, raise plugin-sdk declaration budget for new protocol surface

* fix(ui): type the plugins page patch mock with its real call signature
2026-07-10 11:56:44 +01:00
heichl_xydigit
7eacd78c01 feat(devices): rename command for durable human-friendly device names (#94517)
Paired devices can now carry a durable operator-assigned label: device.pair.rename { deviceId, label } (schema-bounded, admin/ownership-gated) stores an operatorLabel that persists in the shared SQLite state DB, survives device repair and re-approval, and takes display precedence over the client-reported name in CLI devices list and the Control UI inventory (operatorLabel, then displayName, then clientId, then deviceId). The label was previously dropped on write because the pairing store had no column for it. CLI: openclaw devices rename --device <id> --name <label>. Docs cover the command and precedence.

Fixes #13870

Thanks to @bladin for the contribution.

Co-authored-by: heichl_xydigit <1740879+bladin@users.noreply.github.com>
Co-authored-by: Ayaan Zaidi <hi@obviy.us>
2026-07-10 15:05:41 +05:30
Peter Steinberger
9ecb2f3a84 feat(ui): restore sidebar chrome, delete the pane workspace strip, compact native narrow header (#103561)
* feat(ui): restore sidebar chrome and remove the pane workspace strip

Reverse course from #103426 on the app chrome: the left sidebar owns
brand, pinned navigation + More, New session, sessions, and the footer
(status dot, Settings, Docs, pairing, theme) again, and the desktop
topbar is gone. What stays from that PR: the dockable workspace rail
(right/bottom, drag or button), the in-flow split-pane headers, and
Cmd+B now hides the sidebar entirely (no 78px icon rail) with a
floating expand control.

The real target of the original request: the vertical icon strip at
each pane's right edge is deleted. A collapsed workspace rail renders
nothing; the toggle (with a changed-file badge) lives in the split-pane
header next to split/close, or floats at the top-right in single-pane
chat. Shift+Cmd+B still toggles.

Narrow native macOS windows (e.g. the in-app link browser splitting
the window) previously stacked 50px of injected titlebar padding on
top of the 58px drawer row; the web CSS now folds that into one
compact 58px row beside the traffic lights, with selectors that
outrank the rules shipped Mac apps inject.

* chore(ui): regenerate locale bundles and docs map for sidebar restore

* fix(ui): bind showPaneHeader explicitly on the classic single pane

* chore(ui): reconcile locale metadata after rebase onto lobster wild cards
2026-07-10 09:35:14 +01:00
Peter Steinberger
26d200c6a3 feat(channels): narrated progress drafts + activity receipt on the final answer (#103463)
* feat(channels): narrated progress drafts + activity receipt on the final answer

Progress mode replaces raw tool lines with short utility-model narration of
what the agent is doing (streaming.progress.narration, default on, requires
an explicit utilityModel). On Discord the final answer now carries the
-# activity receipt and the working draft is deleted once the answer lands,
so busy channels keep no orphaned tool log above the reply.

Formatting verified remotely via Testbox oxfmt --check (hook bypassed:
no node_modules in this worktree).

* fix(channels): keep narration toggle independent of channel-default stream mode

Discord resolves its own progress default, so the resolver must not re-derive
mode with the generic partial fallback (narration was off for unset config).

* fix(auto-reply): honor status-only command text in narration model input

streaming.progress.commandText: "status" hides raw exec/bash text from the
channel draft; narration input now mirrors that policy so the utility model
never receives more command detail than the draft shows (Codex review P2).

Formatting verified remotely via Testbox oxfmt --check.

* fix(auto-reply): share the draft's command-tool set for narration and regen channel metadata

Reuse isCommandToolName (exec|shell|bash) so narration's commandText policy
matches the draft formatter exactly, and regenerate bundled channel config
metadata for the new streaming.progress.narration key (Codex review round 2).

Gates verified on Testbox: config:channels:check, oxfmt --check, 4 test shards.

* fix(channels): clear stale narration when the narrator stops mid-turn

An empty narration update now falls the draft back to raw tool lines, and the
narrator emits that clear when it disables after consecutive failures or the
per-turn cap, so drafts never pin stale status text (Codex review round 3).

Gates verified on Testbox: oxfmt --check + 4 test shards.

* chore(config): regen bundled channel metadata after rebase onto main

* chore: CI fixups — lint nits, test harness types, docs map, SDK surface budget

Two deliberate public SDK additions (resolveChannelStreamingProgressNarration,
isCommandToolName via the streaming wildcard re-export) bump the pinned
public-surface budgets to current counts (exports 10488, callable 5235).

Gates verified on Testbox: oxfmt, targeted oxlint, docs:map:check,
config:channels:check, check:test-types, 5 test shards.
2026-07-10 09:28:47 +01:00
Peter Steinberger
4a72a6cb2f feat(ui): move app chrome into a topbar and dock the session workspace rail (#103426)
* feat(ui): move app chrome into a topbar and dock the session workspace rail

The desktop shell now uses a slim topbar for brand, primary navigation
(Chat + pinned routes + More menu), command-palette search, pairing,
theme, and Settings; the left column slims down to a sessions-only
panel (Cmd+B hides it entirely — the 78px icon rail is gone). Split
view drops the fixed geometry-mirroring toolbar for in-flow per-pane
headers. The session workspace rail can dock right or bottom inside
its pane — drag its header between edges or use the dock button — and
the collapsed strip's file glyph is now a real button (it used to be a
dead, button-looking span) with a changed-file count badge. The Mac
app's injected chrome CSS slims down accordingly; its drag-region
geometry is unchanged and the topbar brand strip stays passive under
it.

* chore(ui): regenerate locale bundles for topbar and workspace dock strings

* fix(ui): keep the native macOS drawer clear of the titlebar overlay

The narrow-width slide-over drawer sits fixed at the window top, over
the AppKit traffic lights and drag regions. The old Mac-app-injected
CSS padded .sidebar-shell for this; that rule moved web-side for the
desktop topbar, so restore drawer clearance here for both the app
drawer and the in-drawer settings sidebar.

* chore(ui): translate topbar and workspace dock strings; regen docs map
2026-07-10 07:32:57 +01:00
Peter Steinberger
98b8c8c4ae feat(memory-wiki): isolate vaults per agent (#103349)
* feat(memory-wiki): isolate per-agent vaults

Refs #63829.

Co-authored-by: SunnyShu <shu.zongyu@xydigit.com>

* fix(memory-wiki): scope agent status metadata

Refs #103088 and #103196.

Co-authored-by: SunnyShu <shu.zongyu@xydigit.com>

---------

Co-authored-by: SunnyShu <shu.zongyu@xydigit.com>
2026-07-10 05:19:13 +01:00
Peter Steinberger
a789b92b39 fix(macos): harden fresh AI onboarding (#102637)
* fix(macos): bootstrap Codex before onboarding test

* fix(plugins): activate deferred runtimes on demand

* fix(macos): stage Codex runtime for onboarding probe

* fix(macos): expose sanitized onboarding errors

* fix(codex): reuse native CLI auth during onboarding

* fix(macos): hide Crestodian without inference

* fix(codex): honor explicit runtime policy during setup

* fix(onboarding): redact verification errors

* fix(macos): reset onboarding state with gateway route

* fix(onboarding): persist Codex plugin install metadata

* chore: refresh onboarding inventories

* fix(macos): restart AI setup after gateway change

* chore: refresh native onboarding inventory

* fix(onboarding): defer gateway restart until setup persists

* fix(macos): reset Crestodian on gateway changes

* chore(macos): refresh native i18n inventory

* fix(onboarding): harden inference setup state

* docs(skills): reuse pristine Parallels snapshots

* chore(macos): refresh onboarding i18n inventory

* fix(onboarding): prevent stale gateway and install state

* docs(skills): preserve saved Parallels sessions

* fix(macos): balance AI onboarding layout

* fix(parallels): parse npm workspace pack output

* chore(macos): refresh onboarding i18n inventory

* fix(parallels): bundle workspace runtime in package artifact

* fix(parallels): isolate canonical package helper

* fix(parallels): pack self-contained workspace artifact

* fix(packaging): exclude macOS app bundle

* fix(macos): restart inference checks after route changes

* docs(changelog): defer onboarding note to release

* fix(onboarding): enforce inference-first gateway setup
2026-07-10 04:59:15 +01:00
Peter Steinberger
6db586a388 fix(clawrouter): support managed gateway configuration (#103299)
* fix(clawrouter): support managed gateway configuration

* docs(clawrouter): refresh provider map
2026-07-10 04:25:41 +01:00
Peter Steinberger
add2c586c2 feat(slack): support native chart presentations (#102635) 2026-07-10 04:05:23 +01:00
Peter Steinberger
db12cb7023 fix(xai): align current model catalog and tools (#103260)
* fix(xai): align current model catalog and tools

* chore(xai): defer release note to release closeout

* docs: refresh xai documentation map
2026-07-10 03:36:14 +01:00
Ayaan Zaidi
6da0af1cd3 fix(ci): use public plugin-sdk test seams and refresh generated surfaces 2026-07-10 07:53:37 +05:30
Peter Steinberger
2c622e19de docs(web): the Lobster gets its own page (#103175)
A fun field guide for the Control UI lobster: what it is, when it
visits, how to interact (hover names, pokes, right-click shoo), the
Appearance toggle, the Lobsterdex, reduced-motion and privacy notes.
Deliberately teases rather than documents the rare variants, events,
and the anniversary. Registered in the Web interfaces nav group and the
generated docs map.
2026-07-10 02:48:21 +01:00
colton-octaria
dc8c0aaaf2 fix(msteams): recover inbound channel and group-chat files safely (#90738)
* fix(msteams): read file attachments on Teams channel messages

Three bugs blocked reading files attached to channel messages:
- Graph /teams/{id} used channelData.team.id (the 19:..@thread.tacv2 thread id)
  instead of team.aadGroupId (the AAD group GUID) -> 400.
- The Graph fetch was gated on an <attachment id> HTML marker that channel
  @mention activities don't carry -> fetch skipped.
- A thread reply was fetched at /messages/{replyId} (404) then fell back to the
  bare thread root, returning the root's file for every reply. Replies live at
  /messages/{root}/replies/{replyId}.

Fixes #89594

* fix(msteams): gate Graph media fallback on text/html stub; run trigger tests in channel context

* fix(msteams): canonicalize Graph attachment recovery

Build one canonical Graph message URL per Teams activity, recover marker-free channel and group-chat file shares, and retain bounded current-main attachment handling.

Co-authored-by: Colton Williams <colton@coltons-apps.tech>

* fix(msteams): canonicalize Graph media recovery

Recover channel and group-chat files through one fail-closed Graph identity path, bound inbound enrichment, and remove invalid app-only Graph fallbacks.

Co-authored-by: Colton Williams <colton@coltons-apps.tech>
Co-authored-by: Joshua Packwood <joshua.packwood@gmail.com>

---------

Co-authored-by: Colton Williams <colton@coltons-apps.tech>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: Joshua Packwood <joshua.packwood@gmail.com>
2026-07-10 02:34:12 +01:00
Ayaan Zaidi
f351288a0d chore(repo): remove stale repository artifacts (#103152)
* docs: remove merged cron design document
* chore(repo): remove stale planning and proof artifacts

---------

Co-authored-by: Ayaan Zaidi <hi@obviy.us>
2026-07-10 05:28:12 +05:30
Peter Steinberger
f5806d08e2 refactor(gateway): retire the standalone node pairing store (#103120)
* refactor(gateway): fold node pairing store into device records

* docs+cli: retire standalone node pairing store references

* test(infra): respec node pairing as device-backed surface approvals

* test(infra): assemble migration token fixtures dynamically

* fix(pairing): preserve node surface across device re-approval, strip legacy tokens in CLI JSON

* test(gateway): drop retired node token from pairing fixtures

* chore(protocol): regenerate Swift models, drop dead pairing-pending module
2026-07-09 22:58:03 +01:00
Oliver Mee
ae11ea5ba9 feat(qwen): add Token Plan (Team Edition) provider (#94419)
* feat(qwen): add Token Plan provider

Co-authored-by: Oliver Mee <102673257+Omee11@users.noreply.github.com>

* docs: regenerate documentation map

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: Oliver Mee <102673257+Omee11@users.noreply.github.com>
2026-07-09 22:07:01 +01:00
Vincent Koc
266ca5b3a2 fix(providers): publish Meta provider (#103070) 2026-07-09 12:11:56 -07:00
Hamid Shojanazeri
08a957e0ae feat(providers): add Meta Model API - muse-spark-1.1 (#102873)
* feat(providers): add Meta Model API - muse-spark-1.1

Adds meta-model-api provider via bundled extension:
- extensions/meta-model-api/ (provider, catalog, stream, thinking, onboarding)
- docs/providers/meta-model-api.md
- core wiring: env-api-keys, zod-schema, provider-display-names, dotenv, provider-env-vars

Model: meta-model-api/muse-spark-1.1 (Responses API at https://api.ai.meta.com/v1)
Auth: MODEL_API_KEY (Bearer)
Default reasoning: high, maps --thinking off -> minimal (model rejects none)

Fix: bump live test maxTokens 200->4000 (high reasoning uses ~300 tokens for reasoning alone)

Co-authored-by: Meta

* fix(meta-model-api): clean reasoning lint

* test(meta-model-api): align live proof checks

* chore(meta-model-api): bundle provider metadata

* docs: fix Meta Model API setup wording

* docs: format Meta Model API provider page

---------

Co-authored-by: Dave Morin <dave@morin.com>
Co-authored-by: Colin <colin@solvely.net>
Co-authored-by: Josh Lehman <josh@martian.engineering>
2026-07-09 10:27:09 -07:00
Peter Steinberger
d8d369b065 feat(macos): open dashboard links in a sidebar browser (#102899)
* feat(macos): add dashboard link browser

* fix(macos): preserve browser navigation state

* fix(macos): preserve accessible external link activation

* fix(macos): preserve trusted editor handoff

* docs: refresh dashboard link map

* chore: keep dashboard release note in PR

* fix(macos): harden sidebar browser lifecycle
2026-07-09 16:40:50 +01:00
Peter Steinberger
54f45a950b feat(watchos): connect directly to Gateway as a node (#102893)
* feat(watchos): add direct gateway node

* docs: refresh watch node docs map

* chore: leave release notes to release workflow

* chore(ios): refresh native localization inventory

* fix(watchos): keep direct node policy bounded
2026-07-09 15:53:02 +01:00
Peter Steinberger
8985598302 fix(gateway): stop paired-device duplication and redesign the Nodes page (#102810)
* fix(gateway): prune superseded silent device pairings on auto-approve

* feat(ui): unified nodes & devices inventory with dedupe and cleanup

* docs: nodes page inventory + silent pairing supersede cleanup

* refactor(gateway): run silent-pairing prune after approval broadcast

* fix(ui): surface node list errors on the nodes inventory card

* fix(gateway): restrict pairing auto-prune to same-host silent approvals

* fix(gateway): report live device connections and guard pairing prune races

* docs(ui): document bulk-cleanup name-collision tradeoff

* fix(gateway): avoid map-spread when marking live device connections

* docs: regenerate docs map
2026-07-09 15:40:30 +01:00
Peter Steinberger
f8dbd34ab8 feat(nodes): add computer use (computer.act) on macOS nodes via Peekaboo (#102776)
* feat(nodes): add computer use (computer.act) on macOS nodes via Peekaboo

* fix(nodes): release held computer.act input on node disconnect/stop/disable

* fix(nodes): release held computer.act input armed after a lifecycle release

* fix(nodes): scope computer.act lifecycle catch-up release to the arming action

* chore(nodes): register computer tool display metadata, sync native i18n, doc-comment constants

* fix(nodes): preserve caught-error cause in computer tool resolver; regen docs map
2026-07-09 15:28:09 +01:00
Peter Steinberger
e2a112a556 feat(onboard): guided CLI onboarding with live AI verification and classic fallback (#101880)
* feat(onboard): guided CLI onboarding with live AI verification and classic fallback

Interactive `openclaw onboard` (and bare `openclaw` on a fresh install) now
runs a guided flow with macOS-app parity: detect existing AI access, live-test
candidates with a real completion before persisting anything, walk down the
ladder on failure with mapped reasons, and offer verified manual API-key entry
from installed provider manifests (masked input). In-flow escapes: classic
wizard, Crestodian chat, skip-AI. Classic wizard gains an optional post-auth
live verification step. `--classic`, `--modern`, and `--non-interactive`
contracts unchanged. Docs corrected for post-#99935 routing.

Closes #101851

* improve(onboard): quiet probe diagnostics in wizard TTY, carry risk ack into classic escape

Candidate live-tests during guided setup are probes: rename their run id and
lane to the existing probe conventions (logging/subsystem.ts console
suppression, command-queue quiet probe lanes) so expected failures stop
leaking raw diagnostics into the Clack UI; file diagnostics unchanged. The
classic-wizard escape now passes the already-collected risk acknowledgement
through instead of re-prompting in the same session.

* fix(onboard): quiet the session-derived setup-inference probe lane too

The live-test run enqueues on two lanes: the explicit probe lane and one
derived from its temp session key. Extend the shared quiet-probe predicate to
cover the derived lane so a failing candidate cannot leak lane-task
diagnostics into the wizard TTY.

* improve(onboard): suppress subsystem console output during wizard live tests

Provider-transport subsystem loggers (model-fetch start/response, transport
errors) carry no run id, so probe suppression cannot catch them and a failing
candidate printed raw log lines into the Clack TTY. Reuse the TUI console
subsystem-filter seam via a finally-safe scoped helper around guided
activation and the classic live-verify; file logging is unchanged and the
gateway (macOS app) surface is unaffected.

* fix(onboard): never auto-replace a configured model when its live check fails

The re-run verification probe executes outside the configured workspace (setup
never runs workspace plugins), so a workspace-backed current model can fail
the check while working fine in the agent. Stop the auto ladder on an
existing-model failure and hand the decision to the manual stage instead of
silently persisting a different candidate as the default. Docs note the
fail-safe and the workspace caveat.

* feat(onboard): two-way switching between Crestodian chat and the menu wizards

From the chat, `open setup wizard`, `open classic wizard`, and `open channel
wizard for <channel>` hand off to the guided flow, the classic wizard, or the
masked `channels add` wizard after the chat TUI tears down (mirrors the
open-tui handoff; gateway surface gets a text pointer instead). The hosted
channel wizard no longer dead-ends at sensitive steps — it offers the switch
and remembers the channel. New read-only `channel info <channel>` operation
and ring-zero action surface label, blurb, configured state, and the real
docs URL from channel-setup discovery so the assistant can explain Slack or
Telegram prerequisites instead of guessing; both prompts instruct it to use
them. `channels add --channel <id>` now preselects the channel. Docs cover
the interchangeable flows.

* fix(onboard): avoid param reassignment in open-setup handoff

* improve(onboard): separate ask-about vs connect intent in channel prompt guidance

Live test showed the agent detouring an explicit connect request through
channel_info because the guidance said to consult it first. Both prompts now
distinguish asking about a channel (channel info + docs link) from asking to
connect (connect right away).

* fix(channels): mark channel token entry as sensitive input

The shared single-token prompt lacked sensitive:true, so terminal wizards
echoed pasted channel tokens and the Crestodian chat bridge (which refuses
plain-text secrets based on this flag) hosted the Telegram token step in
visible chat. Found live-testing the chat-to-wizard switch; pre-existing on
main but load-bearing for the masked-wizard contract this PR documents.

* fix(onboard): restore terminal state around the guided flow's TUI launch

Mirror the classic finalize handoff so the chat TUI never inherits the wizard
prompter's raw/paused terminal state on the default first-run path.

* fix(channels): type the token prompter mock for the sensitive-flag assertion

* fix(gateway): map the TUI-only open-setup action to none for app clients

Engine-side surface gating already prevents open-setup replies on the gateway
surface; this keeps the client-visible action enum stable even if that gate
ever regresses. (Reviewed with the switching round; missed in its commit.)

* docs: regenerate docs map for onboarding page changes
2026-07-09 12:40:55 +01:00
Peter Steinberger
3ccf2a0739 feat: render inline web chat widgets via capability-gated show_widget tool (#101840)
Adds client-capability-gated tool availability: gateway clients declare
capabilities at connect (new inline-widgets cap), chat.send stamps them into
the run context, and every tool assembly path (embedded runner, queued
followups, Codex app-server harness, plugin-only construction plans) drops
tools whose requiredClientCaps the originating client did not declare. The
Canvas plugin ships the first such tool, show_widget: agents pass SVG or an
HTML fragment plus a title; the plugin hosts it as a bounded, retention-scoped
Canvas document and returns the existing canvas preview handle, which web chat
renders as a sandboxed iframe fitted to the widget's reported content height.
Widget frames never get allow-same-origin (per-preview sandbox ceiling,
including the sidebar path) and the Canvas host serves widget documents with a
CSP sandbox header so direct navigation runs in an opaque origin. Verified
live end-to-end on a Testbox with gpt-5.5 (screenshots on the PR). CLI-backed
model backends do not carry client caps yet and stay fail-closed (#102577).

Closes #101790
2026-07-09 12:29:50 +01:00
Peter Steinberger
5154fe08fa feat: show Codex sessions across Gateway and paired nodes (#102586)
* feat(codex): add federated session catalog

* fix(codex): align session catalog checks

* fix(ui): translate Codex session catalog

---------

Co-authored-by: Peter Steinberger <peter@steipete.me>
2026-07-09 03:42:03 -07:00
Sally O'Malley
e595a8c0ac Add Vault SecretRef plugin (#89255)
* Add Vault SecretRef plugin

Signed-off-by: sallyom <somalley@redhat.com>

* expand Vault setup to registered SecretRef targets

Signed-off-by: sallyom <somalley@redhat.com>

* fix(vault): use sdk secret target seam

* fix(vault): preserve auth profile target paths

* docs(vault): document plugin enable step

* fix(vault): make status provider-alias aware

* fix(vault): reject noncanonical secret ids

* fix(vault): separate resolver timeout deadlines

* fix(vault): forward private CA trust settings

* fix(secrets): preserve plugin policy boundaries

---------

Signed-off-by: sallyom <somalley@redhat.com>
Co-authored-by: joshavant <830519+joshavant@users.noreply.github.com>
2026-07-09 05:30:12 -05:00
Peter Steinberger
e7492c6fca feat(providers): refresh Qwen, Cohere, and Mistral catalogs (#102489)
* feat(providers): refresh popular model catalogs

* chore: leave release changelog to release automation

* docs: refresh provider docs map
2026-07-09 08:16:50 +01:00
kevinlin-openai
245b91b83d feat(slack): support Enterprise Grid org installs (#102372)
* feat(slack): support Enterprise Grid org installs

* docs: refresh generated docs map

* fix(slack): satisfy enterprise routing CI

* fix(slack): accept org auth without app id

* docs(plugin-sdk): document channel policy hooks

* fix(slack): reuse canonical sender for enterprise replies

* test(slack): fix enterprise sender lint

---------

Co-authored-by: Kevin Lin <kevin@dendron.so>
2026-07-08 23:53:19 -07:00
Peter Steinberger
e2a4973edf docs(slack): explain voice input and audio clips (#102410)
* docs(slack): document voice input support

* docs: refresh generated map

---------

Co-authored-by: Peter Steinberger <peter@steipete.me>
2026-07-08 21:28:49 -07:00
Tobias Oort
0307deacfa feat(github-copilot): support GitHub Enterprise data-residency Copilot auth (#99221)
Adds GitHub Enterprise data-residency support to the existing bundled GitHub Copilot provider.

Maintainer proof:
- GitHub CI green on head 54010a6538
- `check-lint`, `check-additional-extension-bundled`, and `check-shrinkwrap` passed in CI
- local `pnpm lint:extensions:bundled`, `pnpm lint`, and focused GitHub Copilot Vitest passed
- AWS Crabbox proof passed
- live microsoft.ghe.com device-flow/token-exchange/model-catalog proof passed

Co-authored-by: Tobias Oort <tobias.oort@ict.nl>
Co-authored-by: Gio Della-Libera <235387111+giodl73-repo@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-07-08 18:59:41 -07:00
Sally O'Malley
b81666ca6a Fix container image upgrade migrations before gateway readiness (#101881)
* run all 'openclaw upgrade' migrations with container image upgrades

Signed-off-by: sallyom <somalley@redhat.com>

* fix: block gateway startup on plugin repair warnings

Signed-off-by: sallyom <somalley@redhat.com>

---------

Signed-off-by: sallyom <somalley@redhat.com>
2026-07-08 14:19:05 -04:00