`isBotMentionedFromTargets` derives a "self-chat" flag from
`isSelfChatMode(self.e164, allowFrom)`, which is a config-shaped check
("is the bot's own E.164 in allowFrom?") rather than a conversation-shaped
check. The flag flipped to true for ordinary group conversations whenever
the operator put their own number in allowFrom — the common config — and
the function then took the `hasMentions && isSelfChat` branch, dropping
the identity-overlap check entirely.
Group `@mention` JIDs (including WhatsApp LID mentions like
`216372600647751@lid` that resolve to the bot's E.164 via the LID reverse
mapping) silently failed mention detection. The empty fall-through then
fell back to body-regex / E.164-digit matching, which does not match
WhatsApp's tap-mention markup, so `wasMentioned` stayed false even when
the bot was clearly mentioned.
Confine the implicit `isSelfChat` derivation to non-group conversations.
Real group `@mentions` go through the identity-overlap check regardless of
allowFrom. Explicit `mentionCfg.isSelfChat` overrides from callers
(multi-account / precomputed paths) keep their existing behavior so we do
not regress callers that intentionally set the flag.
Closes#49317
Adds a narrow CodeQL Critical Quality shard for the Control UI/control-plane surface and fixes the custom-theme font-family ReDoS finding discovered by the new shard.
Adds a Slack attachment vision reference covering downloaded media handling, PDF/file limits, thread-starter media fallback, multi-attachment behavior, and known troubleshooting cases.
Fixes#51355
Thanks @haroldfabla2-hue.
* fix(onboarding): skip redundant install prompt when only one source exists
When the channel-setup flow asks 'Install <plugin>?' after the user has
already picked the channel in the previous menu, and the only real
install source available is npm (or local), the prompt degenerates into
'<that source> vs Skip'. The user already expressed intent by picking
the channel, so re-confirming adds friction without offering a
meaningful choice.
Resolve directly to the available source in that case. Keep the prompt
when both npm and local sources exist so the user can still pick which
to use, and keep it when no real source exists (the prompt then only
offers Skip, which is informative).
* fix ci
* fix ci
* fix(channel-setup): skip redundant install prompt when only one source exists
Add autoConfirmSingleSource opt-in parameter to promptInstallChoice /
ensureOnboardingPluginInstalled / ensureChannelSetupPluginInstalled.
When set and only one real install source (npm or local, not both)
exists, the 'Install <plugin>? / Skip' prompt is skipped and the
single source is used directly.
Only channel-setup.ts passes autoConfirmSingleSource: true — the user
already expressed intent by picking the channel in the previous menu,
so re-confirming adds friction without a meaningful choice. The
onboarding and quickstart entry points keep the existing prompt
behavior unchanged.
Also fix findBundledPluginSourceInMap mock type in
onboarding-plugin-install.test.ts to avoid TS2345.
* fix(tests): revert auto-confirm test expectations and fix mock leak
- Revert 'offers registry npm specs' test to expect the prompt
(autoConfirmSingleSource not passed)
- Revert channel-setup 'does not default to bundled local path' test
to expect the prompt
- Reset findBundledPluginSourceInMap and
resolveBundledInstallPlanForCatalogEntry mocks after the bundled
prompt test to prevent cross-test leakage
* fix ci
* docs(changelog): add #73419
* fix(logs): find active log file across date boundaries
Fixes#42875
When gateway runs across midnight, openclaw channels logs was looking
for today's log file instead of the active one. This change makes
the CLI find the most recently modified log file as a fallback.
(cherry picked from commit fba6b88e86)
* fix(channels): resolve active log file for channel logs
(cherry picked from commit ee87397a43)
---------
Co-authored-by: vincentkoc <25068+vincentkoc@users.noreply.github.com>
