Commit Graph

37298 Commits

Author SHA1 Message Date
Peter Steinberger
8b300e57f0 fix(browser): keep remote CDP credentials out of responses (#103139)
* fix(browser): contain remote CDP credentials

* fix(browser): probe authenticated discovery before attach

* chore: keep release note in PR metadata
2026-07-10 01:12:51 +01:00
SunnyShu
9526224f42 fix(gateway): guard thinkingLevel re-validation against only relevant patch fields (#102866)
* fix(gateway): guard thinkingLevel re-validation against only relevant patch fields

The second thinkingLevel validation block used `if (next.thinkingLevel)`,
which enters on ANY patch when the session already has a thinkingLevel
inherited from the existing entry. This caused unnecessary model catalog
loading and could silently delete or modify the existing value.

Fix: change guard to also check that the patch explicitly touches
thinkingLevel or changes the model (which may alter the effective
provider/model that thinkingLevel is validated against).

Ref: BUG-002 (local finding)
Co-Authored-By: Claude <claude@anthropic.com>

* test(gateway): prove session patch catalog isolation

---------

Co-authored-by: Claude <claude@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 01:01:33 +01:00
Peter Steinberger
53378459cd fix: release startup migration lease before exit (#103157) 2026-07-10 00:53:10 +01:00
NianJiu
7e20018b69 fix: count multi-failure tool summaries accurately (#102981)
* fix: count tool summary failures

* fix(agents): preserve per-call tool failures

Co-authored-by: NianJiuZst <180004567+NianJiuZst@users.noreply.github.com>

---------

Co-authored-by: NianJiuZst <180004567+NianJiuZst@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 00:53:06 +01:00
ANIRUDDHA ADAK
991262e2e7 fix(utils): fetchWithTimeout ignores caller-provided AbortSignal in RequestInit (#102951)
* fix(utils): fetchWithTimeout ignores caller-provided AbortSignal in RequestInit

* fix(fetch): preserve caller abort through response body

* test(fetch): satisfy abort rejection lint

* test(mattermost): satisfy promise executor lint

---------

Co-authored-by: Aniruddha Adak <aniruddhaadak80@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 00:39:18 +01:00
lin-hongkuan
3f16718b0c fix: keep heredoc bodies out of shell stage splits (#102889)
* fix: keep heredoc bodies out of shell stage splits

* chore: refresh PR #102889 checks

* fix: handle multiple same-line heredocs

* fix: keep heredoc bodies with declaring stages

* test: cover escaped heredoc delimiters

* style: format escaped heredoc regression

* fix: distinguish here-strings from heredocs

* fix: ignore non-heredoc shell syntax

---------

Co-authored-by: lin-hongkuan <lin-hongkuan@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 00:35:58 +01:00
Peter Steinberger
88908d5ce6 perf(test): trim secrets and media setup 2026-07-09 19:32:12 -04:00
Yuval Dinodia
beda4218af fix(secrets): reject prototype-polluting mutation paths (#102840)
* fix(secrets): reject prototype-polluting mutation paths

Co-authored-by: yetval <yetvald@gmail.com>

* docs(secrets): document blocked mutation segments

* chore(secrets): keep release notes in PR metadata

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 00:17:31 +01:00
Peter Steinberger
e7a6ed8eb6 chore(pairing): retire vestigial node token plumbing and flatten cleanup claims (#103140) 2026-07-09 23:48:01 +01:00
Peter Steinberger
d185f9a0b4 fix(infra): preserve characters in truncated response snippets (#103136)
* fix(infra): preserve bounded response text characters

Co-authored-by: qingminlong <34085845+qingminglong@users.noreply.github.com>

* ci(plugin-sdk): refresh API baseline

---------

Co-authored-by: qingminlong <34085845+qingminglong@users.noreply.github.com>
2026-07-09 23:43:26 +01:00
Peter Steinberger
a1ce77d2a9 fix(cli): reduce plugin listing startup memory (#103132) 2026-07-09 23:28:11 +01:00
Alix-007
2f057e1be7 fix(tlon): remove auth retry abort listener after delay (#101661)
* fix(tlon): remove auth retry abort listener after delay

* fix(tlon): reuse abort-aware retry sleep

Co-authored-by: Alix <267018309+Alix-007@users.noreply.github.com>

* test(tlon): complete runtime fixture

* test(infra): cover abortable sleep cleanup

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 23:04:19 +01:00
Peter Steinberger
fdde2ecde4 fix(status): preserve OAuth JSON diagnostics (#103106)
Co-authored-by: 0668001336 <wang.lizhang@xydigit.com>
2026-07-09 23:03:48 +01:00
SunnyShu
1074bf62a1 fix(heartbeat): preserve selected agent in global scope (#102307)
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 23:03:05 +01:00
qingminlong
9a60629693 fix(web_fetch): preserve content length when output is truncated (#102978)
* fix(web_fetch): preserve content length when output is truncated

* fix(web_fetch): preserve provider raw length

* test(web-fetch): cover wrapper-overhead source length

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 23:02:50 +01:00
Peter Steinberger
5c8b54854b fix(cli): reject unsafe byte sizes (#103100)
Co-authored-by: ly-wang19 <ly-wang19@users.noreply.github.com>
2026-07-09 23:02:31 +01:00
Peter Steinberger
41236e6d4f perf(test): avoid full config runtime imports 2026-07-09 17:58:17 -04:00
Peter Steinberger
f5806d08e2 refactor(gateway): retire the standalone node pairing store (#103120)
* refactor(gateway): fold node pairing store into device records

* docs+cli: retire standalone node pairing store references

* test(infra): respec node pairing as device-backed surface approvals

* test(infra): assemble migration token fixtures dynamically

* fix(pairing): preserve node surface across device re-approval, strip legacy tokens in CLI JSON

* test(gateway): drop retired node token from pairing fixtures

* chore(protocol): regenerate Swift models, drop dead pairing-pending module
2026-07-09 22:58:03 +01:00
Peter Steinberger
b4428fb9df fix(nodes): keep Gateway connections healthy and consistent (#103093)
* fix(gateway): evict unresponsive node sockets

Co-authored-by: hoangsaga123 <hoangsaga123@gmail.com>

* fix(nodes): align invoke timeout semantics

* fix(node): preserve managed connection settings

* docs(changelog): note node connection fixes

* fix(node): redact service credentials in status

* fix(systemd): preserve escaped operator values

* fix(node): carry explicit plaintext service mode

* fix(systemd): avoid promoting stale shell references

* fix(node): clear fingerprints for plaintext runs

* docs(changelog): defer node notes to release

* fix(nodes): normalize forwarded system run timeout

* fix(systemd): preserve operator environment values

* fix(nodes): type normalized invoke payload

---------

Co-authored-by: hoangsaga123 <hoangsaga123@gmail.com>
2026-07-09 22:48:25 +01:00
Peter Steinberger
db44b284ff fix: keep usage day buckets correct across DST (#103097)
* fix: bucket usage days across DST

* docs: document DST-aware usage dates

* perf: reuse usage day formatters

* fix: preserve usage fallback on older gateways

* docs: normalize usage changelog entry

* docs: leave release changelog unchanged

* fix: handle skipped timezone dates
2026-07-09 22:39:57 +01:00
Wynne668
a1c16f0a3d fix(usage-bar): cap warnedTemplateOverrides warn-once dedupe cache (#102659)
* fix(usage-bar): cap warnedTemplateOverrides warn-once dedupe cache

Replace unbounded warnedTemplateOverrides Set with createDedupeCache(maxSize=256)
for consistency with the bounded fileCache Map (MAX_CACHED_TEMPLATE_FILES=64)
already present in the same file.

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(usage-bar): bound invalid-template warnings

Co-authored-by: ZengWen-DT <ceng.wen@xydigit.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 22:29:12 +01:00
sunlit-deng
8dedb0ebca fix(infra): cap session-maintenance-warning dedupe cache with LRU eviction (#101643)
* fix(infra): cap session-maintenance-warning dedupe cache with LRU eviction

The warnedContexts Map accumulated every warned session key forever
with no eviction, TTL, or size cap. A long-running gateway would grow
this unboundedly.

Add a 4 096-entry LRU cache with touch-on-read so frequently re-warned
sessions survive and old entries are evicted on overflow.

* fix(test): restore original unicode escapes and add LRU eviction tests

* fix(test): seed eviction entries with real warning context keys

ClawSweeper P3: the eviction test seeded  but the production
buildWarningContext computes .  The mismatch
meant params1 could redeliver because the context changed, not because
LRU eviction actually worked.  Seed the exact context pattern so the
test fails when eviction breaks.

* fix(infra): bound maintenance warning cache

Co-authored-by: sunlit-deng <sunlit-deng@users.noreply.github.com>

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: sunlit-deng <sunlit-deng@users.noreply.github.com>
2026-07-09 22:21:11 +01:00
VACInc
740e7687e8 fix(anthropic): don't crash models list when a configured Sonnet 5 model has no cost (#102186)
* fix(anthropic): don't crash models list when a configured Sonnet 5 model has no cost

applyAnthropicSonnet5Cost read params.model.cost.input unconditionally, so
'openclaw models list' aborted with 'Cannot read properties of undefined
(reading input)' whenever config supplied an anthropic Sonnet 5 model row
without cost metadata (e.g. an agents.defaults.models runtime binding).
Guard with optional chaining — a costless model now falls through and gets
the canonical Sonnet 5 cost applied.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix(models): normalize missing Sonnet 5 costs

Co-authored-by: VACInc <3279061+VACInc@users.noreply.github.com>

* chore(plugin-sdk): refresh API baseline

* ci(plugin-sdk): update surface budgets

---------

Co-authored-by: VACInc <3279061+VACInc@users.noreply.github.com>
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 22:13:56 +01:00
Oliver Mee
ae11ea5ba9 feat(qwen): add Token Plan (Team Edition) provider (#94419)
* feat(qwen): add Token Plan provider

Co-authored-by: Oliver Mee <102673257+Omee11@users.noreply.github.com>

* docs: regenerate documentation map

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: Oliver Mee <102673257+Omee11@users.noreply.github.com>
2026-07-09 22:07:01 +01:00
Peter Steinberger
129e2795ae fix: stabilize SwiftFormat 0.62 lint (#103098) 2026-07-09 21:48:14 +01:00
Simon-XYDT
bb16ca50d6 fix(identity): keep bounded identity values UTF-16 safe (#103034)
* fix(identity): keep bounded values UTF-16 safe

Co-authored-by: simon-w <weng.qimeng@xydigit.com>

* test(identity): cover reachable surrogate boundary

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 21:27:01 +01:00
Vincent Koc
ee9d9ea6db fix(ci): verify live provider traffic in performance runs (#103073)
* fix(diagnostics): emit provider request timeline events

* fix(ci): verify Kova live provider evidence
2026-07-09 12:39:41 -07:00
Peter Steinberger
7647d5cfbe perf(test): isolate session provider artifacts 2026-07-09 15:24:40 -04:00
abel-zer0
b47405954e fix(skills): preserve compact prompt descriptions (#88426)
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 20:23:05 +01:00
Vincent Koc
266ca5b3a2 fix(providers): publish Meta provider (#103070) 2026-07-09 12:11:56 -07:00
Gio Della-Libera
188d109eda feat: show marketplace feed trust state (#98350) 2026-07-09 11:27:04 -07:00
Gio Della-Libera
9f248969f6 Verify signed marketplace feed refresh (#98338)
* feat: verify signed marketplace feed refresh

* test: fix signed marketplace feed CI

* Guard signed feed refresh trust state

* test(feeds): sign decoded hosted feed payloads

* fix(feeds): make signed snapshot writes monotonic

---------

Co-authored-by: Patrick Erichsen <patrick.a.erichsen@gmail.com>
Co-authored-by: Gio Della-Libera <giodl@microsoft.com>
2026-07-09 10:46:06 -07:00
Peter Steinberger
745b8c315e fix(codex-supervisor): ship CLI metadata entry (#102803)
* fix(codex-supervisor): ship CLI metadata entry

* chore: keep release notes in PR body

---------

Co-authored-by: Peter Steinberger <peter@steipete.me>
2026-07-09 10:31:47 -07:00
mushuiyu886
b714fdb3ae fix(sandbox): keep redacted session keys UTF-16 safe (#102969)
* fix(sandbox): keep redacted session keys UTF-16 safe

* test(sandbox): cover UTF-16 redaction boundaries

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 18:31:21 +01:00
Hamid Shojanazeri
08a957e0ae feat(providers): add Meta Model API - muse-spark-1.1 (#102873)
* feat(providers): add Meta Model API - muse-spark-1.1

Adds meta-model-api provider via bundled extension:
- extensions/meta-model-api/ (provider, catalog, stream, thinking, onboarding)
- docs/providers/meta-model-api.md
- core wiring: env-api-keys, zod-schema, provider-display-names, dotenv, provider-env-vars

Model: meta-model-api/muse-spark-1.1 (Responses API at https://api.ai.meta.com/v1)
Auth: MODEL_API_KEY (Bearer)
Default reasoning: high, maps --thinking off -> minimal (model rejects none)

Fix: bump live test maxTokens 200->4000 (high reasoning uses ~300 tokens for reasoning alone)

Co-authored-by: Meta

* fix(meta-model-api): clean reasoning lint

* test(meta-model-api): align live proof checks

* chore(meta-model-api): bundle provider metadata

* docs: fix Meta Model API setup wording

* docs: format Meta Model API provider page

---------

Co-authored-by: Dave Morin <dave@morin.com>
Co-authored-by: Colin <colin@solvely.net>
Co-authored-by: Josh Lehman <josh@martian.engineering>
2026-07-09 10:27:09 -07:00
mushuiyu886
b451d8b5e5 fix(workshop): keep approval target names UTF-16 safe (#102963)
* fix(workshop): keep approval target names UTF-16 safe

* test(workshop): tighten UTF-16 approval regression

* test(workshop): mirror approval budget exactly

* docs(plugins): correct approval description limit

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 18:26:08 +01:00
Peter Steinberger
8c78e1c035 fix(cli): keep session key truncation UTF-16 safe (#103010) 2026-07-09 18:17:09 +01:00
zhangqueping
921b6c1e2d fix(agent-runner-memory): use truncateUtf16Safe for memory flush error truncation (#102685)
* fix(agent-runner-memory): use truncateUtf16Safe for memory flush error truncation

Replace raw UTF-16 slices in buildMemoryFlushErrorPayload and
truncateMemoryFlushErrorMessage with truncateUtf16Safe to prevent
surrogate pair splitting in error messages shown to users.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

* test(auto-reply): cover UTF-16-safe memory errors

* test(auto-reply): tighten UTF-16 memory error coverage

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 18:13:49 +01:00
Peter Steinberger
cd50d4983b test(ci): serialize real TUI PTY backends (#103006) 2026-07-09 17:55:39 +01:00
wendy
5f77553f6c fix(heartbeat): remove static iteration cap in seekNextActivePhaseDueMs (#96684)
* fix(heartbeat): remove static iteration cap in seekNextActivePhaseDueMs

* fix(heartbeat): floor seek step at 60s to bound active-hours seek iterations

The static MAX_SEEK_ITERATIONS cap (10,080 ≈ 7 days / 1 min) was removed
in the previous fix but replaced the risk with unbounded iteration for
sub-minute intervals.  Floor the seek step at 60s via MIN_SEEK_STEP_MS
so the loop is always bounded by MAX_SEEK_HORIZON_MS / 60_000 = ~10,080
iterations regardless of the configured intervalMs.  Active-hours windows
are minute-granular, so finer steps add no precision.

* fix(heartbeat): batch seek in whole-interval multiples to preserve phase alignment

Use the smallest intervalMs multiple >= 60s as the seek step so every
candidate checked is reachable from startMs by whole intervalMs steps.
This fixes the phase-alignment regression from the previous fix where
Math.max(intervalMs, 60_000) could return off-phase slots for non-divisor
sub-minute intervals like 45s.

Added a regression test for 45s interval to verify the returned candidate
is phase-aligned.

* fix(heartbeat): check every phase candidate, bound only by 1M-iter safety cap

Drop batched seeking (intervalMs-multiple steps) because any multiplier > 1
can skip phase slots inside narrow active windows.  Instead check every
phase candidate, with a 1M-iteration safety cap that prevents event-loop
stalls from sub-ms intervals while covering the full 7-day horizon for
intervals >= 605ms.

Added regression test for 59s interval / 1min active window where batched
steps (118s) would skip from 08:59:44 past 09:00:43 to 09:01:42.

* fix(heartbeat): bound sub-second seek with batch-step + backward-walk

Replace the 1M-iteration per-candidate cap with a two-tier strategy:
- intervalMs >= 1s: per-candidate scan (naturally bounded by horizon)
- intervalMs < 1s: batch in whole-interval multiples >= 1s, with
  backward walk on inactive->active transitions to find the earliest
  phase-aligned active slot

Max iterations <= 604,800 in all cases (~10 ms for trivial predicates,
~0.6-6 s for production isWithinActiveHours with Intl.DateTimeFormat).

Added tests:
- Sub-second interval, startMs already active -> returns directly
- Sub-second interval, inactive->active transition -> backward walk
  finds earliest phase-aligned slot

* fix(heartbeat): unify seek at >= 30s batch step, max 20,160 predicate calls

Use a single batched-seek path for all intervals: step in whole-interval
multiples >= 30 s with backward walk on inactive->active transitions.

For intervalMs >= 30 s (30 s, 59 s, 60 s+): multiplier = 1, effectively
per-candidate with no batch overhead.

For intervalMs < 30 s (1 s, 500 ms, 1 ms): batched at >= 30 s, backward
walk finds the first active phase-aligned slot in the window.

Max predicate calls <= 20,160 for any interval (30 s minimum step /
7-day horizon). Production isWithinActiveHours (Intl.DateTimeFormat)
cost: ~20–200 ms worst case vs 0.6–6 s for the per-candidate approach.

* fix(heartbeat): bound active-hours seek cost

* fix(heartbeat): resolve current main

* test(heartbeat): isolate active-window regression

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 17:37:32 +01:00
Peter Steinberger
44ee7b3fa6 test(ci): harden live tool nonce retries (#102980) 2026-07-09 17:17:09 +01:00
tayoun
4f9a371c95 fix(launchd): verify profile updater jobs by metadata (#97264)
* fix(launchd): verify profile updater jobs by metadata

* fix(launchd): bind updater proof to job metadata

---------

Co-authored-by: Peter Steinberger <peter@steipete.me>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 16:55:23 +01:00
Chunyue Wang
f6c16d22b4 fix(agents): isolated cron busts prompt prefix cache via per-run session id (#96686)
* fix(agents): isolated cron busts prompt prefix cache via per-run session id

Isolated cron runs carry a per-run :run:<id> session scope (#91685) rendered
verbatim into the cached system-prompt Runtime line, re-busting byte-exact
prefix caching for the tool catalog after it every run (#96677, #43148 class).
buildRuntimeLine now renders the stable base session key and drops the per-run
id the run scope duplicates; parseCronRunScopeSuffix is gated to the
isolated-cron key shape so a :run: segment in any other session key is never
truncated.

* fix(agents): preserve mixed-case cron run markers

* test(agents): cover rotated cron session identity

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 16:51:04 +01:00
Qiong
ef53c20497 fix(oauth): remove base64 obfuscation from public OAuth client IDs (#96537) 2026-07-09 16:45:03 +01:00
Pavan Kumar Gondhi
436ed5f308 fix: redact diagnostics config with schema hints (#102426) 2026-07-09 20:49:21 +05:30
Peter Steinberger
14558dee87 fix: let Codex start with computer control enabled (#102944)
* fix(agents): make computer schema Codex-compatible

* docs(changelog): note Codex computer schema fix
2026-07-09 16:15:24 +01:00
Pavan Kumar Gondhi
9775f09194 fix: scope ACP search path approvals [AI] (#102416)
* fix: scope acp search path approvals

* fix: include acp search locations in approval scope

* fix: keep acp read path approval unchanged

* fix: keep acp search title text display-only

* fix: parse explicit acp search title paths
2026-07-09 20:33:18 +05:30
Peter Steinberger
36227737c5 fix(slack): preserve standalone reply anchors (#102905)
Co-authored-by: ZengWen-DT <ceng.wen@xydigit.com>
2026-07-09 15:56:52 +01:00
Peter Steinberger
a99ecff78a fix(plugins): enforce own install record lookups (#102872)
* fix(plugins): enforce own install record lookups

Co-authored-by: Alix-007 <li.long15@xydigit.com>

* test(plugins): use valid prototype-key package fixtures

---------

Co-authored-by: Alix-007 <li.long15@xydigit.com>
2026-07-09 15:54:21 +01:00
Peter Steinberger
54f45a950b feat(watchos): connect directly to Gateway as a node (#102893)
* feat(watchos): add direct gateway node

* docs: refresh watch node docs map

* chore: leave release notes to release workflow

* chore(ios): refresh native localization inventory

* fix(watchos): keep direct node policy bounded
2026-07-09 15:53:02 +01:00