Commit Graph

3437 Commits

Author SHA1 Message Date
Peter Steinberger
a1ce77d2a9 fix(cli): reduce plugin listing startup memory (#103132) 2026-07-09 23:28:11 +01:00
Peter Steinberger
5c8b54854b fix(cli): reject unsafe byte sizes (#103100)
Co-authored-by: ly-wang19 <ly-wang19@users.noreply.github.com>
2026-07-09 23:02:31 +01:00
Peter Steinberger
41236e6d4f perf(test): avoid full config runtime imports 2026-07-09 17:58:17 -04:00
Peter Steinberger
f5806d08e2 refactor(gateway): retire the standalone node pairing store (#103120)
* refactor(gateway): fold node pairing store into device records

* docs+cli: retire standalone node pairing store references

* test(infra): respec node pairing as device-backed surface approvals

* test(infra): assemble migration token fixtures dynamically

* fix(pairing): preserve node surface across device re-approval, strip legacy tokens in CLI JSON

* test(gateway): drop retired node token from pairing fixtures

* chore(protocol): regenerate Swift models, drop dead pairing-pending module
2026-07-09 22:58:03 +01:00
Peter Steinberger
b4428fb9df fix(nodes): keep Gateway connections healthy and consistent (#103093)
* fix(gateway): evict unresponsive node sockets

Co-authored-by: hoangsaga123 <hoangsaga123@gmail.com>

* fix(nodes): align invoke timeout semantics

* fix(node): preserve managed connection settings

* docs(changelog): note node connection fixes

* fix(node): redact service credentials in status

* fix(systemd): preserve escaped operator values

* fix(node): carry explicit plaintext service mode

* fix(systemd): avoid promoting stale shell references

* fix(node): clear fingerprints for plaintext runs

* docs(changelog): defer node notes to release

* fix(nodes): normalize forwarded system run timeout

* fix(systemd): preserve operator environment values

* fix(nodes): type normalized invoke payload

---------

Co-authored-by: hoangsaga123 <hoangsaga123@gmail.com>
2026-07-09 22:48:25 +01:00
Gio Della-Libera
188d109eda feat: show marketplace feed trust state (#98350) 2026-07-09 11:27:04 -07:00
Peter Steinberger
a99ecff78a fix(plugins): enforce own install record lookups (#102872)
* fix(plugins): enforce own install record lookups

Co-authored-by: Alix-007 <li.long15@xydigit.com>

* test(plugins): use valid prototype-key package fixtures

---------

Co-authored-by: Alix-007 <li.long15@xydigit.com>
2026-07-09 15:54:21 +01:00
Peter Steinberger
54f45a950b feat(watchos): connect directly to Gateway as a node (#102893)
* feat(watchos): add direct gateway node

* docs: refresh watch node docs map

* chore: leave release notes to release workflow

* chore(ios): refresh native localization inventory

* fix(watchos): keep direct node policy bounded
2026-07-09 15:53:02 +01:00
Peter Steinberger
c8c1f37d2f feat(cli): add roast taglines to startup banner (#102789) 2026-07-09 13:35:01 +01:00
Peter Steinberger
292e1cfa1b feat(cli): refresh startup taglines (#102750) 2026-07-09 12:42:31 +01:00
Peter Steinberger
e2a112a556 feat(onboard): guided CLI onboarding with live AI verification and classic fallback (#101880)
* feat(onboard): guided CLI onboarding with live AI verification and classic fallback

Interactive `openclaw onboard` (and bare `openclaw` on a fresh install) now
runs a guided flow with macOS-app parity: detect existing AI access, live-test
candidates with a real completion before persisting anything, walk down the
ladder on failure with mapped reasons, and offer verified manual API-key entry
from installed provider manifests (masked input). In-flow escapes: classic
wizard, Crestodian chat, skip-AI. Classic wizard gains an optional post-auth
live verification step. `--classic`, `--modern`, and `--non-interactive`
contracts unchanged. Docs corrected for post-#99935 routing.

Closes #101851

* improve(onboard): quiet probe diagnostics in wizard TTY, carry risk ack into classic escape

Candidate live-tests during guided setup are probes: rename their run id and
lane to the existing probe conventions (logging/subsystem.ts console
suppression, command-queue quiet probe lanes) so expected failures stop
leaking raw diagnostics into the Clack UI; file diagnostics unchanged. The
classic-wizard escape now passes the already-collected risk acknowledgement
through instead of re-prompting in the same session.

* fix(onboard): quiet the session-derived setup-inference probe lane too

The live-test run enqueues on two lanes: the explicit probe lane and one
derived from its temp session key. Extend the shared quiet-probe predicate to
cover the derived lane so a failing candidate cannot leak lane-task
diagnostics into the wizard TTY.

* improve(onboard): suppress subsystem console output during wizard live tests

Provider-transport subsystem loggers (model-fetch start/response, transport
errors) carry no run id, so probe suppression cannot catch them and a failing
candidate printed raw log lines into the Clack TTY. Reuse the TUI console
subsystem-filter seam via a finally-safe scoped helper around guided
activation and the classic live-verify; file logging is unchanged and the
gateway (macOS app) surface is unaffected.

* fix(onboard): never auto-replace a configured model when its live check fails

The re-run verification probe executes outside the configured workspace (setup
never runs workspace plugins), so a workspace-backed current model can fail
the check while working fine in the agent. Stop the auto ladder on an
existing-model failure and hand the decision to the manual stage instead of
silently persisting a different candidate as the default. Docs note the
fail-safe and the workspace caveat.

* feat(onboard): two-way switching between Crestodian chat and the menu wizards

From the chat, `open setup wizard`, `open classic wizard`, and `open channel
wizard for <channel>` hand off to the guided flow, the classic wizard, or the
masked `channels add` wizard after the chat TUI tears down (mirrors the
open-tui handoff; gateway surface gets a text pointer instead). The hosted
channel wizard no longer dead-ends at sensitive steps — it offers the switch
and remembers the channel. New read-only `channel info <channel>` operation
and ring-zero action surface label, blurb, configured state, and the real
docs URL from channel-setup discovery so the assistant can explain Slack or
Telegram prerequisites instead of guessing; both prompts instruct it to use
them. `channels add --channel <id>` now preselects the channel. Docs cover
the interchangeable flows.

* fix(onboard): avoid param reassignment in open-setup handoff

* improve(onboard): separate ask-about vs connect intent in channel prompt guidance

Live test showed the agent detouring an explicit connect request through
channel_info because the guidance said to consult it first. Both prompts now
distinguish asking about a channel (channel info + docs link) from asking to
connect (connect right away).

* fix(channels): mark channel token entry as sensitive input

The shared single-token prompt lacked sensitive:true, so terminal wizards
echoed pasted channel tokens and the Crestodian chat bridge (which refuses
plain-text secrets based on this flag) hosted the Telegram token step in
visible chat. Found live-testing the chat-to-wizard switch; pre-existing on
main but load-bearing for the masked-wizard contract this PR documents.

* fix(onboard): restore terminal state around the guided flow's TUI launch

Mirror the classic finalize handoff so the chat TUI never inherits the wizard
prompter's raw/paused terminal state on the default first-run path.

* fix(channels): type the token prompter mock for the sensitive-flag assertion

* fix(gateway): map the TUI-only open-setup action to none for app clients

Engine-side surface gating already prevents open-setup replies on the gateway
surface; this keeps the client-visible action enum stable even if that gate
ever regresses. (Reviewed with the switching round; missed in its commit.)

* docs: regenerate docs map for onboarding page changes
2026-07-09 12:40:55 +01:00
Vincent Koc
0ac8933721 fix(text): keep diagnostic truncation UTF-16 safe
Co-authored-by: chengzhichao-xydt <chengzhichao-xydt@users.noreply.github.com>
Co-authored-by: wangmiao0668000666 <wang.miao86@xydigit.com>
Co-authored-by: 黄剑雄0668001315 <huang.jianxiong@xydigit.com>
2026-07-09 04:02:39 -07:00
qingminlong
b40e5b974f fix(cli): clarify nodes invoke params errors (#101838) 2026-07-09 08:33:47 +01:00
wm0018
7de325d060 fix: keep task title truncation UTF-16 safe in restart/diagnostic output (#101934)
* fix: keep task title truncation UTF-16 safe in restart/diagnostic output

Three private copies of formatTaskBlocker share the same pattern —
task.title.slice(0, 80) — which can split surrogate pairs in task
titles, producing broken U+FFFD in restart blocker diagnostics,
gateway reload logs, and CLI run-loop output.

Replace raw slice with truncateUtf16Safe in all three locations.

Relevant files:
- gateway/server-reload-handlers.ts:270
- infra/restart-coordinator.ts:73
- cli/gateway-cli/run-loop.ts:569

* refactor(tasks): centralize restart blocker formatting

* fix(tasks): keep restart formatter side-effect free

* refactor(tasks): tighten restart blocker ownership

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-09 07:10:25 +01:00
Patrick Erichsen
1252a3da59 fix: send owner-qualified install telemetry (#102377) 2026-07-08 20:18:09 -07:00
Sally O'Malley
b81666ca6a Fix container image upgrade migrations before gateway readiness (#101881)
* run all 'openclaw upgrade' migrations with container image upgrades

Signed-off-by: sallyom <somalley@redhat.com>

* fix: block gateway startup on plugin repair warnings

Signed-off-by: sallyom <somalley@redhat.com>

---------

Signed-off-by: sallyom <somalley@redhat.com>
2026-07-08 14:19:05 -04:00
Vincent Koc
f565138ddc refactor(deadcode): localize core helpers (#101869) 2026-07-07 13:16:57 -07:00
NianJiu
dbbab1044e fix: require full frontmatter delimiter lines (#101795)
Co-authored-by: NianJiuZst <180004567+NianJiuZst@users.noreply.github.com>
2026-07-07 11:53:03 -07:00
Peter Steinberger
a6768d9de5 feat(cron): event triggers — polled condition-watcher scripts via code mode (#101195)
* feat(cron): add headless code-mode driver and trigger-script evaluator

Part A of cron event triggers: runCodeModeScriptHeadless runs a script
to completion (exec/settle/resume, no snapshots, no session), plus the
cron-facing evaluator with per-job tool catalog cache, semaphore, 16KB
state cap, and closed failure taxonomy.

* fix(cron): correct trigger-script bootstrap flags and cache narrowing

* feat(cron): add event triggers (polled condition-watcher scripts)

Part B: trigger field on cron jobs gated by cron.triggers.enabled;
timer evaluates the script each due tick, quiet ticks leave no run
history, fired runs append the script message to the payload; once
semantics, min-interval floor, SQLite columns, RPC/CLI/agent-tool
surfaces, and docs.

* fix(cron): propagate triggerEval through startup catch-up outcomes

* fix(cron): honor cron staggering on quiet trigger ticks; fix trigger test types

* fix(cron): reject with Error reason in trigger-script abort test

* fix(cron): regenerate protocol/docs/snapshot artifacts and break madge cycle for trigger types

CI fixes for #101195: trigger evaluator result types move to the cron
types leaf (madge cycle), cron tool schema inventory gains trigger,
Swift protocol bindings + docs map + Linux prompt snapshots regenerated.

* fix(cron): drop underscore-dangle names in trigger code sync assert

* fix(cron): adopt registerHeadlessToolSearchCatalog after tool-search symbol localization

Upstream #101831 made registerToolSearchCatalog module-private; fold the
headless ref-only catalog registration into one public seam.
2026-07-07 19:12:38 +01:00
Vincent Koc
b88f80940a refactor: localize internal implementation symbols (#101831) 2026-07-07 10:23:36 -07:00
Vincent Koc
fdc7892a6e refactor: localize internal implementation types (#101731) 2026-07-07 07:41:04 -07:00
Vincent Koc
c8d95da14c refactor: localize file-private exports (#101701) 2026-07-07 06:57:19 -07:00
Peter Steinberger
a7faec8ca1 fix(gateway): support native Windows exec approvals (#101669)
* fix(gateway): support native Windows exec approvals

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* chore: defer changelog entry to release

* test: use tracked approvals temp directories

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-07 14:50:59 +01:00
Peter Steinberger
a9582a1bb6 fix: keep bounded text truncation UTF-16 safe (#101654)
* fix: keep bounded text UTF-16 safe

Co-authored-by: wm0018 <wu.min5@xydigit.com>
Co-authored-by: 廖石荣 0668000909 <liao.shirong@xydigit.com>
Co-authored-by: 0668000787 <ma.weibin@xydigit.com>

* chore: keep UTF-16 release note in PR body

---------

Co-authored-by: wm0018 <wu.min5@xydigit.com>
Co-authored-by: 廖石荣 0668000909 <liao.shirong@xydigit.com>
Co-authored-by: 0668000787 <ma.weibin@xydigit.com>
2026-07-07 13:44:32 +01:00
Peter Steinberger
a2a68d154b fix(agent): preserve explicit recipient sessions (#101507)
* fix(agent): honor recipient session routing

Co-authored-by: vincentkoc <25068+vincentkoc@users.noreply.github.com>
Co-authored-by: pingfanfan <pingfan.work@gmail.com>

* fix(agent): preserve canonical recipient routes

* fix(agent): require exact recipient routes

Co-authored-by: vincentkoc <25068+vincentkoc@users.noreply.github.com>

Co-authored-by: pingfanfan <pingfan.work@gmail.com>

* fix(agent): harden recipient route resolution

* fix(imessage): require canonical recipient handles

* fix(agent): refine provider recipient exactness

* fix(agent): bound direct alias session routing

* fix(signal): preserve direct alias route type

* fix(agent): honor binding-scoped recipient sessions

* fix(routing): honor configured main session aliases

* fix(clickclack): align account-owned session routes

* fix(twitch): preserve canonical recipient sessions

* fix(routing): isolate stable outbound identities

* chore: defer recipient session changelog

* fix(sms): use dedicated channel SDK facade

---------

Co-authored-by: vincentkoc <25068+vincentkoc@users.noreply.github.com>
Co-authored-by: pingfanfan <pingfan.work@gmail.com>
2026-07-07 10:07:13 +01:00
ml12580
c1f9087e8e fix(cli): accept parent options placed after lazy subcommands (#55563 regression 1) [AI-assisted] (#94431)
* fix(cli): restore lazy parent option ordering

Co-authored-by: ml12580 <long.xinyuan3@xydigit.com>

* chore: defer release-owned changelog entry

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 09:45:04 +01:00
Jason (Json)
f7e962d6e3 feat(cli): add openclaw promos to discover and claim ClawHub promotional model offers (#100236)
* feat: add openclaw promos CLI for ClawHub promotional model offers

* fix: harden promos claim auth validation and sanitize remote promo text

* fix: enforce promo window client-side and validate slug contract

* fix: shell-safe model ref contract and explicit --api-key override

* fix: hold promotion aliases to the models alias contract

* docs: document argv-credential contract and env alternative for promos claim

* fix: enforce provider plugin enablement on the credential-reuse claim path

* fix: require plugin install before credential-reuse shortcut in promos claim

* fix: run runtime plugin repair on promo defaults and harden identifier parsing

* fix: distinct message for contract-invalid promo aliases

* fix(cli): validate promotion plugin contracts

* fix(cli): recheck promotion window before claim

* feat(cli): surface ClawHub promotions in models list via the hosted feed

Passive discovery for promotional model offers. A cadence-gated (24h),
fail-silent conditional GET of ClawHub's immutable promotions feed
snapshot (If-None-Match -> 304, short 2.5s timeout, unauthenticated so
CDN caches stay unfragmented) is cached in two new shared-state-DB
tables, fully separate from update_check_state. models list renders an
'Available via promotion' group for live offers whose models are not in
the user's configured set (including the zero-row fresh-install path),
tags claimed models promo / promo ended from provenance recorded at
claim time, and prints a one-time notice per newly seen offer; promos
list and claim mark offers as seen. Machine outputs stay clean, snapshot
sequence is monotonic against stale edges, and claims still revalidate
against the live API so the kill switch always wins.

* style: satisfy lint on promotions feed additions

no-useless-fallback-in-spread on the optional request headers and
no-map-spread in claim-provenance row mapping.

* fix(cli): harden promotions feed cache

* fix(cli): honor live promotion validity
2026-07-07 01:10:42 -06:00
QiuYuang
769b8260cb fix(ports): ignore malformed lsof listener pids (#98505)
* fix(ports): ignore malformed lsof listener pids

* fix(infra): strictly reject malformed lsof pid tokens

Number.parseInt truncated tokens like "111abc" to 111, silently accepting
a corrupted lsof pid record. Switch to parseStrictPositiveInteger so the
whole token must be a valid positive integer, and restore the deduped
listener test that a prior change had replaced instead of extended.

* fix(cli): strictly reject malformed lsof pid tokens

Harden the force-free lsof parser to reject digit-prefixed garbage like
p111abc instead of truncating it to pid 111, and cover the sibling parser
with a focused regression test.

* fix(infra): strictly parse stale lsof pid tokens

Harden the stale gateway cleanup parser to reject digit-prefixed garbage
like p111abc instead of truncating it to pid 111, and add a focused
regression test without dropping the existing argv verification coverage.

* fix(ports): fail closed on malformed lsof pids

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-07 07:40:26 +01:00
Ashd.LW.
70c2e837cd fix(gateway): show last error when status probe fails (#95902)
* fix(gateway): show last error when status probe fails

* fix(gateway): scope status log diagnostics

---------

Co-authored-by: wAngByg <wAngByg@users.noreply.github.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-06 22:22:19 -07:00
Peter Steinberger
1a307be2e0 feat(skills): add lifecycle curator for workshop-created skills (#101214)
Tracks per-skill usage from the skill.used diagnostic event (trusted-only
delivery, file-scoped identity), sweeps workshop-created skills daily from
gateway maintenance (active -> stale 30d -> archived 90d, pinned bypass,
restore-only unarchive, files never touched), filters archived skills from
snapshots fail-open, reports workspace-scoped overlap candidates, and adds
openclaw skills curator CLI, additive gateway methods, and a warn-only
doctor finding. Zero new config keys; SQLite/Kysely state only.
2026-07-07 03:25:44 +01:00
kenners22
ffa6ebda4c fix(cli): protect protocol stdout during startup (#89997)
* fix(cli): suppress mcp serve startup stdout

* fix(cli): suppress mcp serve startup stdout

* fix(cli): protect protocol stdout during startup

* fix(cli): match ACP protocol options at startup

* fix(cli): derive protocol ownership from command action

---------

Co-authored-by: JARVIS <kenners22@users.noreply.github.com>
Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>
2026-07-06 17:55:50 -07:00
Peter Steinberger
bb44c2311d fix(windows): repair legacy gateway fallback updates (#101213)
* fix(windows): repair doctor update fallback migration

* fix(windows): remove hidden startup fallback launchers

* fix(windows): preserve recovered gateway tokens

* fix(windows): harden update fallback migration

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(windows): capture fallback runtime before task rewrite

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(windows): complete legacy update restart handoff

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(windows): verify fallback ownership during migration

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(windows): honor update restart policy during repair

* fix(windows): wait for task takeover evidence

* fix(windows): preserve fallback after direct task launch

* fix(windows): preserve repaired task identity

* fix(windows): snapshot gateway before repair

* fix: scope update service repair ownership

* style: satisfy update lint checks

* fix: restart gateways stopped during updates

* fix(windows): enforce fallback process takeover

* fix(windows): prove fallback ownership during takeover

* fix(windows): verify process exit during takeover

* fix(windows): wait through fallback reloads

* fix(windows): harden fallback takeover ownership

* fix(windows): type takeover preflight inputs

* fix(windows): recognize booting replacement task

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* chore: leave changelog release-owned

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-07 00:09:48 +01:00
Ben.Li
afcc93bfc7 fix(cli): keep UTF-8 log tails valid (#101029)
* fix(cli): keep UTF-8 log tails valid

* fix(cli): share UTF-8-safe byte tails

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 19:47:22 +01:00
Moes
673b87a403 fix(cli): explain inherited config defaults cannot be unset (#96557)
* fix(cli): clarify config unset runtime defaults

* fix(cli): explain runtime-only config unset

Co-authored-by: Moe Ghashim <mohanadgh@gmail.com>

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 19:15:19 +01:00
Dallin Romney
5af7ba92ce refactor: consolidate byte-size formatting (#99768)
* refactor: consolidate byte-size formatting

* fix: stabilize byte formatter import boundary

* fix: keep byte formatter within SDK budget

* fix: emit byte formatter package entry

* refactor: trim byte formatter surface

* fix: use narrow byte formatter import

* refactor: remove byte formatter dependency changes

* fix: refresh rebased byte formatter baseline
2026-07-06 09:26:04 -07:00
machine3at
f1fb19351a fix(cron): do not set delivery mode to announce when disabling best-effort on payload edits (#100846)
* fix(cron): do not set delivery mode to announce when disabling best-effort on payload edits

* fix(cron-cli): update sibling test to expect undefined mode on no-best-effort-deliver

* fix(cron): preserve delivery mode when disabling best effort

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 17:05:22 +01:00
cxbAsDev
9606fe4323 fix(cli): handle stdout/stderr stream errors in execFileUtf8Tail (#100850)
* fix(cli): handle stdout/stderr stream errors in execFileUtf8Tail

* chore(proof): add real behavior proof for logs-cli runtime stream errors

* chore(proof): fix promise executor lint in logs-cli proof

* fix(cli): terminate log tail children on stream errors

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-06 08:24:43 -07:00
dorukardahan
919811cf85 fix(cli): exit bounded hooks commands (#76922)
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 16:21:17 +01:00
machine3at
5c2604f8cd fix(cron): use direct lookup instead of paginated search in cron edit (#100836)
* fix(cron): use direct lookup instead of paginated search in cron edit

* fix(test): update cron-cli tests to mock cron.get and remove obsolete pagination checks

* fix(cron): preserve edit compatibility with older gateways

* fix(cron): preserve legacy lookup error cause

---------

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-06 06:58:22 -07:00
dorukardahan
9344bb8b48 fix(cli): exit after model inspection output (#77904)
* fix(cli): exit after model inspection output

* fix(cli): drain stderr before one-shot exit

* fix(cli): exit after model inspection output

* fix(clownfish): address review for live-pr-inventory-20260706T090631-001 (1)

* fix(cli): defer model command exit until teardown

* test(cli): isolate one-shot exit spies

* fix(cli): defer models status check exit

* fix(cli): satisfy lint for Vitest markers

* fix(cli): always wait for stream flush callbacks

* test(cli): wait for deferred exit callback

---------

Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com>
Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>
2026-07-06 06:16:59 -07:00
Jesse Merhi
5cd71db85e fix(diagnostics-otel): route OTLP exports through env proxy
* fix(diagnostics-otel): route OTLP exports through env proxy

* fix(diagnostics-otel): harden OTLP proxy agent options

* fix(ci): refresh rebased gateway checks

* fix(ci): avoid proxy boundary scan
2026-07-06 22:52:22 +10:00
Peter Steinberger
f53346944d feat: correlate native search outcomes in audit history (#98704)
* feat: correlate native search outcomes in audit history

Metadata-only audit ledger for agent runs and tool actions in the shared
state DB: stable event identity, closed action/status/error vocabularies,
one-way-hashed tool-call ids, never-inferred terminal outcomes for native
web-search (explicit completed/failed only; otherwise unknown), bounded
retention, audit.list gateway RPC and openclaw audit CLI. Squashed from
the 82-commit audit stack for replay onto current main.

* feat(audit): add audit.enabled config gate (default on)

The metadata-only audit ledger records by default: an audit trail enabled
only after an incident cannot explain the incident, and the rows are
strictly less sensitive than the transcripts every install already
stores. audit.enabled=false stops new writes at the gateway subscription
seam; audit.list and openclaw audit keep serving existing records until
they expire. Documented in the configuration reference, protocol page,
and CLI reference.

* fix: repair full-matrix CI findings after rebase

- break the dynamic-tools/dynamic-tool-execution import cycle by
  extracting resolveCodexToolAbortTerminalReason into a leaf module
- restore main's session-worktree protocol exports lost in the
  index.ts auto-merge
- register the audit event writer worker as a knip entry point
- docs table formatting; subagent wait-cancellation test scoped to its
  audit intent (outcome + timing) and advanced past main's new
  lifecycle-timeout retry grace
2026-07-06 12:30:12 +01:00
Peter Steinberger
a13a198a4b fix(update): guard Windows task autostart during package updates (#100757)
* fix(update): guard Windows task autostart

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(update): preserve recovery error causes

* fix(update): retain restore failure causes

* fix(update): recover task on Ctrl+Break

* chore(update): document aggregate lint intent

* fix(update): tolerate deleted Windows tasks

* fix(update): preserve combined recovery failures

* fix(update): preserve aggregate error causes

* fix(update): construct aggregate causes consistently

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-06 10:33:47 +01:00
Masato Hoshino
310c2f58b9 improve(cron): show consecutive failure count and last error in cron CLI output (#99602)
* improve(cron): show consecutive failure count and last error in cron list/show

* improve(cron): show consecutive failure count and last error in cron CLI output

* fix(clownfish): address review for live-pr-inventory-20260706T074223-002 (1)

---------

Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com>
2026-07-06 01:44:51 -07:00
Masato Hoshino
e7ca90e3af fix(hooks): flag hook event names that no core trigger emits (#99456)
* fix(hooks): flag hook event names that no trigger site emits

* docs(hooks): clarify bare family subscriptions in unknown-event note

* fix(hooks): word unknown-event diagnostics around core-emitted keys

* fix(hooks): apply unknown-event advisory to legacy config handlers too
2026-07-06 01:30:13 -07:00
ZOOWH
b8b946e43d fix(infra): include update timeout in managed-service handoff parent exit wait (#99695)
* fix(infra): include update timeout in managed-service handoff parent exit wait

The handoff parent exit grace was hard-coded to 60s regardless of
the overall update timeout. When the gateway is draining active
tasks, 60s is often not enough, causing
managed-service-handoff-parent-timeout.

Use the existing timeoutMs parameter as a floor for the parent
exit wait so callers can extend it for long-running drains.

Refs #99666

* fix(infra): add shutdown reserve to managed-service handoff parent exit wait

* fix(infra): align update handoff with restart drain

Co-authored-by: 徐闻涵0668001344 <xu.wenhan1@xydigit.com>

* fix(infra): arm restart with managed handoff

* fix(infra): use live restart drain for auto-update

* fix(infra): force process exit for managed updates

* fix(infra): normalize managed handoff restart delay

* test(infra): cover handoff drain argument

* fix(gateway): upgrade accepted restarts for managed updates

* fix(gateway): bound managed update restart upgrades

* test(gateway): stabilize managed update handoff proof

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 08:40:14 +01:00
Peter Steinberger
62d5961b5d fix(ci): restore gateway architecture and lint gates (#100703)
* fix(ci): restore gateway architecture and lint gates

* fix(state): refresh gateway boot Kysely type
2026-07-06 08:19:04 +01:00
Ayaan Zaidi
a18708c5c1 feat(gateway): add persisted crash-loop breaker and fatal-config exit contract
Gateways that crash-loop under systemd/launchd previously flapped forever
with no persisted state and no supervisor signal. The gateway now records
every boot outcome in the shared state DB (gateway_boot_lifecycle); three
unclean boots within five minutes trip a breaker that boots the gateway in
safe mode: full control plane available, channel/provider auto-start
suppressed at the channel-manager seam (startup, config hot-reload,
secrets.reload) with manual channels.start override, one stability bundle
per trip. The breaker re-evaluates each boot and logs recovery when the
window drains. Slow shutdowns record forced_stop and never count as
crashes; /readyz stays ready and reports suppressed channels; the health
monitor treats suppressed accounts as expected-stopped. Fatal invalid-config
errors now exit 78 (EX_CONFIG) on both the startup and unhandled-rejection
paths, engaging the systemd unit's pre-existing RestartPreventExitStatus=78
so supervisors stop relaunching until the config is fixed.
2026-07-06 06:45:55 +00:00
Vincent Koc
c8ddcd116c fix(cli): align root command descriptions (#100670)
Co-authored-by: AmirF194 <amirfathi@fastinfer.org>
2026-07-05 23:29:40 -07:00
Peter Steinberger
133ca4b469 feat(skills): diagnose skill_workshop hidden by tool policy (#100654)
* feat(skills): diagnose skill_workshop hidden by tool policy (#87570)

Workshop can be enabled and auto-capturing while tools.profile hides the
skill_workshop tool; every inspection surface looked healthy. plugins
inspect and openclaw doctor now name the excluding policy layer (global/
agent/provider profile, allowlist, denylist) and the exact alsoAllow
grant to add, via a shared resolveSkillWorkshopToolPolicyAvailability
helper that /learn's guard now reuses instead of composing policy
itself. Diagnosis only; no policy behavior change.

* ci: retrigger
2026-07-06 07:21:08 +01:00