Peter Steinberger
f182c3a292
test: inject thread-safe deps for agent tools
2026-03-23 04:16:53 -07:00
Peter Steinberger
75b65c2a35
fix: restore provider runtime lazy boundary
2026-03-23 09:24:20 +00:00
Peter Steinberger
4240c64491
test: harden no-isolate oauth contract coverage
2026-03-22 12:31:36 -07:00
Peter Steinberger
1ceaad18a6
test: harden vitest no-isolate coverage
2026-03-22 10:48:21 -07:00
Vincent Koc
ab38f6471c
perf(inbound): narrow reply startup imports ( #51943 )
...
* perf(inbound): narrow reply startup imports
* fix(reply): restore activation parsing semantics
Cherry-picked review fixes for activation parsing semantics and native command surface cache invalidation.
* fix(reply): preserve case-insensitive command matching
Cherry-picked review fix to lowercase only the slash-command token in commands-context while preserving argument casing.
2026-03-21 18:18:41 -07:00
Vincent Koc
5024967e57
fix(core): trim inbound startup churn ( #51899 )
...
* perf(core): narrow sandbox status imports for error helpers
* fix(core): trim inbound startup churn
* fix(auth): expire cached external cli sync state
* test(auth): avoid mtime sleep race in cache test
2026-03-21 15:55:19 -07:00
Vincent Koc
99641f01a5
perf(auth): reduce plugin auth cold-start heap ( #51891 )
...
* fix(test): recycle unit-fast ci batches
* refactor(config): narrow discord timeout import
* test(outbound): lighten target plugin stubs
* refactor(auth): narrow env api key resolution
* docs(auth): restore anthropic vertex sentinel comment
* refactor(auth): isolate console sanitizer
2026-03-21 15:07:08 -07:00
Vincent Koc
805aaa4ee8
fix(agents): avoid model catalog startup tax on telegram replies
2026-03-21 15:03:55 -07:00
Peter Steinberger
1ffe8fde84
fix: stabilize docker test suite
2026-03-17 03:02:03 +00:00
Gustavo Madeira Santana
771fbeae79
Gateway: simplify startup and stabilize mock responses tests
2026-03-16 14:32:55 +00:00
Gustavo Madeira Santana
b7f99a57bf
Plugins: decouple bundled web search discovery
2026-03-16 12:19:32 +00:00
Gustavo Madeira Santana
c08f2aa21a
Providers: centralize setup defaults and helper boundaries
2026-03-16 12:06:32 +00:00
Peter Steinberger
7cc5789202
refactor(plugins): finish provider auth boundary cleanup
2026-03-16 01:20:56 -07:00
Peter Steinberger
e627a5069f
refactor(plugins): move auth profile hooks into providers
2026-03-15 22:23:55 -07:00
Peter Steinberger
656848dcd7
refactor: rename setup wizard surfaces
2026-03-15 21:40:31 -07:00
Gugu-sugar
c1a0196826
Fix Codex CLI auth profile sync ( #45353 )
...
Merged via squash.
Prepared head SHA: e5432ec4e1201366873+Gugu-sugar@users.noreply.github.com >
Co-authored-by: grp06 <1573959+grp06@users.noreply.github.com >
Reviewed-by: @grp06
2026-03-14 16:36:09 -07:00
Peter Steinberger
c5d905871f
test: share oauth profile fixtures
2026-03-14 02:40:28 +00:00
Peter Steinberger
c8439f6587
fix: import oauth types from the oauth entrypoint
2026-03-13 02:17:00 +00:00
Vincent Koc
2f037f0930
Agents: adapt pi-ai oauth and payload hooks
2026-03-12 10:19:14 -04:00
rabsef-bicrym
ff47876e61
fix: carry observed overflow token counts into compaction ( #40357 )
...
Merged via squash.
Prepared head SHA: b99eed432952549148+rabsef-bicrym@users.noreply.github.com >
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com >
Reviewed-by: @jalehman
2026-03-12 06:58:42 -07:00
VibhorGautam
4473242b4f
fix: use unknown instead of rate_limit as default cooldown reason ( #42911 )
...
Merged via squash.
Prepared head SHA: bebf6704d755019395+VibhorGautam@users.noreply.github.com >
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com >
Reviewed-by: @altaywtf
2026-03-11 21:34:14 +03:00
Ayaan Zaidi
ac88a39acc
fix: align pi-ai 0.57.1 oauth imports and payload hooks
2026-03-10 20:29:03 +05:30
joshavant
59bc3c6630
Agents: align onPayload callback and OAuth imports
2026-03-10 08:50:30 -05:00
Altay
531e8362b1
Agents: add fallback error observations ( #41337 )
...
Merged via squash.
Prepared head SHA: 852469c82f9790196+altaywtf@users.noreply.github.com >
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com >
Reviewed-by: @altaywtf
2026-03-10 01:12:10 +03:00
zerone0x
5f90883ad3
fix(auth): reset cooldown error counters on expiry to prevent infinite escalation ( #41028 )
...
Merged via squash.
Prepared head SHA: 89bd83f09a39543393+zerone0x@users.noreply.github.com >
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com >
Reviewed-by: @altaywtf
2026-03-09 23:40:11 +03:00
Peter Steinberger
2e79d82198
build: update app deps except carbon
2026-03-09 06:09:33 +00:00
Peter Steinberger
d228a62143
refactor: share trimmed string entry normalization
2026-03-07 23:27:51 +00:00
Vincent Koc
e4d80ed556
CI: restore main detect-secrets scan ( #38438 )
...
* Tests: stabilize detect-secrets fixtures
* Tests: fix rebased detect-secrets false positives
* Docs: keep snippets valid under detect-secrets
* Tests: finalize detect-secrets false-positive fixes
* Tests: reduce detect-secrets false positives
* Tests: keep detect-secrets pragmas inline
* Tests: remediate next detect-secrets batch
* Tests: tighten detect-secrets allowlists
* Tests: stabilize detect-secrets formatter drift
2026-03-07 10:06:35 -08:00
Peter Steinberger
b7733d6f5c
refactor(agents): dedupe oauth token env setup tests
2026-03-07 17:58:31 +00:00
Florian Hines
33e7394861
fix(providers): make all models available in kilocode provider ( #32352 )
...
* kilocode: dynamic model discovery, kilo/auto default, cooldown exemption
- Replace 9-model hardcoded catalog with dynamic discovery from
GET /api/gateway/models (Venice-like pattern with static fallback)
- Default model changed from anthropic/claude-opus-4.6 to kilo/auto
(smart routing model)
- Add createKilocodeWrapper for X-KILOCODE-FEATURE header injection
and reasoning.effort handling (skip for kilo/auto)
- Add kilocode to cooldown-exempt providers (proxy like OpenRouter)
- Keep sync buildKilocodeProvider for onboarding, add async
buildKilocodeProviderWithDiscovery for implicit provider resolution
- Per-token gateway pricing converted to per-1M-token for cost fields
* kilocode: skip reasoning injection for x-ai models, harden discovery loop
* fix(kilocode): keep valid discovered duplicates (openclaw#32352, thanks @pandemicsyn)
* refactor(proxy): normalize reasoning payload guards (openclaw#32352, thanks @pandemicsyn)
* chore(changelog): note kilocode hardening (openclaw#32352, thanks @pandemicsyn and @vincentkoc)
* chore(changelog): fix kilocode note format (openclaw#32352, thanks @pandemicsyn and @vincentkoc)
* test(kilocode): support auto-model override cases (openclaw#32352, thanks @pandemicsyn)
* Update CHANGELOG.md
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org >
2026-03-07 08:14:06 -08:00
Vincent Koc
42e3d8d693
Secrets: add inline allowlist review set ( #38314 )
...
* Secrets: add inline allowlist review set
* Secrets: narrow detect-secrets file exclusions
* Secrets: exclude Docker fingerprint false positive
* Secrets: allowlist test and docs false positives
* Secrets: refresh baseline after allowlist updates
* Secrets: fix gateway chat fixture pragma
* Secrets: format pre-commit config
* Android: keep talk mode fixture JSON valid
* Feishu: rely on client timeout injection
* Secrets: allowlist provider auth test fixtures
* Secrets: allowlist onboard search fixtures
* Secrets: allowlist onboard mode fixture
* Secrets: allowlist gateway auth mode fixture
* Secrets: allowlist APNS wake test key
* Secrets: allowlist gateway reload fixtures
* Secrets: allowlist moonshot video fixture
* Secrets: allowlist auto audio fixture
* Secrets: allowlist tiny audio fixture
* Secrets: allowlist embeddings fixtures
* Secrets: allowlist resolve fixtures
* Secrets: allowlist target registry pattern fixtures
* Secrets: allowlist gateway chat env fixture
* Secrets: refresh baseline after fixture allowlists
* Secrets: reapply gateway chat env allowlist
* Secrets: reapply gateway chat env allowlist
* Secrets: stabilize gateway chat env allowlist
* Secrets: allowlist runtime snapshot save fixture
* Secrets: allowlist oauth profile fixtures
* Secrets: allowlist compaction identifier fixture
* Secrets: allowlist model auth fixture
* Secrets: allowlist model status fixtures
* Secrets: allowlist custom onboarding fixture
* Secrets: allowlist mattermost token summary fixtures
* Secrets: allowlist gateway auth suite fixtures
* Secrets: allowlist channel summary fixture
* Secrets: allowlist provider usage auth fixtures
* Secrets: allowlist media proxy fixture
* Secrets: allowlist secrets audit fixtures
* Secrets: refresh baseline after final fixture allowlists
* Feishu: prefer explicit client timeout
* Feishu: test direct timeout precedence
2026-03-06 19:35:26 -05:00
Altay
6e962d8b9e
fix(agents): handle overloaded failover separately ( #38301 )
...
* fix(agents): skip auth-profile failure on overload
* fix(agents): note overload auth-profile fallback fix
* fix(agents): classify overloaded failures separately
* fix(agents): back off before overload failover
* fix(agents): tighten overload probe and backoff state
* fix(agents): persist overloaded cooldown across runs
* fix(agents): tighten overloaded status handling
* test(agents): add overload regression coverage
* fix(agents): restore runner imports after rebase
* test(agents): add overload fallback integration coverage
* fix(agents): harden overloaded failover abort handling
* test(agents): tighten overload classifier coverage
* test(agents): cover all-overloaded fallback exhaustion
* fix(cron): retry overloaded fallback summaries
* fix(cron): treat HTTP 529 as overloaded retry
2026-03-07 01:42:11 +03:00
Vignesh Natarajan
fa3fafdde5
fix(auth): harden openai-codex oauth refresh fallback
2026-03-05 19:17:58 -08:00
Josh Avant
1c200ca7ae
follow-up: align ingress, atomic paths, and channel tests with credential semantics ( #33733 )
...
Merged via squash.
Prepared head SHA: c290c2ab6a830519+joshavant@users.noreply.github.com >
Co-authored-by: joshavant <830519+joshavant@users.noreply.github.com >
Reviewed-by: @joshavant
2026-03-03 20:29:46 -06:00
Shadow
e28ff1215c
fix: discord auto presence health signal ( #33277 ) (thanks @thewilloftheshadow) ( #33277 )
2026-03-03 11:20:59 -06:00
Peter Steinberger
9617ac9dd5
refactor: dedupe agent and reply runtimes
2026-03-02 19:57:33 +00:00
Peter Steinberger
ea1fe77c83
fix: normalize coding-plan providers in auth order validation
2026-03-02 19:26:09 +00:00
justinhuangcode
aab87ec880
fix(agents): scope volcengine-plan/byteplus-plan auth lookup to profile resolution
...
The configure flow stores auth credentials under `provider: "volcengine"`,
but the coding model uses `volcengine-plan` as its provider. Add a scoped
`normalizeProviderIdForAuth` function used only by `listProfilesForProvider`
so coding-plan variants resolve to their base provider for auth credential
lookup without affecting global provider routing.
Closes #31731
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-02 19:22:19 +00:00
Frank Yang
ed86252aa5
fix: handle CLI session expired errors gracefully instead of crashing gateway ( #31090 )
...
* fix: handle CLI session expired errors gracefully
- Add session_expired to FailoverReason type
- Add isCliSessionExpiredErrorMessage to detect expired CLI sessions
- Modify runCliAgent to retry with new session when session expires
- Update agentCommand to clear expired session IDs from session store
- Add proper error handling to prevent gateway crashes on expired sessions
Fixes #30986
* fix: add session_expired to AuthProfileFailureReason and missing log import
* fix: type cli-runner usage field to match EmbeddedPiAgentMeta
* fix: harden CLI session-expiry recovery handling
* build: regenerate host env security policy swift
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com >
2026-03-02 01:11:05 +00:00
Peter Steinberger
47fc6a0806
fix: stabilize secrets land + docs note ( #26155 ) (thanks @joshavant)
2026-02-26 14:47:22 +00:00
joshavant
ba2eb583c0
fix(secrets): make apply idempotent and keep audit read-only
2026-02-26 14:47:22 +00:00
joshavant
8944b75e16
fix(secrets): align ref contracts and non-interactive ref persistence
2026-02-26 14:47:22 +00:00
joshavant
4e7a833a24
feat(security): add provider-based external secrets management
2026-02-26 14:47:22 +00:00
joshavant
6a251d8d74
Auth profiles: resolve keyRef/tokenRef outside gateway
2026-02-26 14:47:22 +00:00
joshavant
e1301c31e7
Auth profiles: never persist plaintext when refs are present
2026-02-26 14:47:22 +00:00
joshavant
45ec5aaf2b
Secrets: keep read-only runtime sync in-memory
2026-02-26 14:47:22 +00:00
joshavant
8e33ebe471
Secrets: make runtime activation auth loads read-only
2026-02-26 14:47:22 +00:00
joshavant
b50c4c2c44
Gateway: add eager secrets runtime snapshot activation
2026-02-26 14:47:22 +00:00
Peter Steinberger
8315c58675
refactor(auth-profiles): unify coercion and add rejected-entry diagnostics
2026-02-26 14:42:11 +01:00
lbo728
7e7ca43a79
fix(auth-profiles): accept mode/apiKey aliases to prevent silent credential loss
...
Users following openclaw.json auth.profiles examples (which use 'mode' for
the credential type) would write their auth-profiles.json entries with:
{ provider: "anthropic", mode: "api_key", apiKey: "sk-ant-..." }
The actual auth-profiles.json schema uses:
{ provider: "anthropic", type: "api_key", key: "sk-ant-..." }
coerceAuthStore() and coerceLegacyStore() validated entries strictly on
typed.type, silently skipping any entry that used the mode/apiKey spelling.
The user would get 'No API key found for provider anthropic' with no hint
about the field name mismatch.
Add normalizeRawCredentialEntry() which, before validation:
- coerces mode → type when type is absent
- coerces apiKey → key when key is absent
Both functions now call the normalizer before the type guard so
mode/apiKey entries are loaded and resolved correctly.
Fixes #26916
2026-02-26 13:32:05 +00:00
