mirror of
https://github.com/openclaw/openclaw.git
synced 2026-07-19 12:51:38 +00:00
e85a4f0ef286a9a25e5bc111ddace8648e61aa3f
4 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
401f278f11 |
feat: add Control UI plugin management (#103176)
* feat(ui): add plugin catalog management * feat(gateway): add plugins.uninstall and richer plugin catalog metadata Adds a plugins.uninstall gateway method (operator.admin, control-plane write) backed by a lock-guarded uninstallManagedPlugin that mirrors the CLI flow: config cleanup, install-record removal, managed file deletion, and registry refresh. Bundled plugins stay disable-only. Catalog entries now carry a manifest-derived category and a removable flag; ClawHub search results expose download counts and verification tiers. * feat(ui): redesign plugins page with inventory, store shelves, and cover art Rebuilds /settings/plugins around three tabs: Installed (category-grouped inventory with overview stats, state filters, uninstall for external plugins, and inline MCP server management through the shared config seam), Discover (featured/official shelves plus one-click MCP connectors and curated ClawHub searches), and ClawHub (search with download counts and verification badges). Every catalog entry renders bundled cover art or a deterministic gradient monogram tile - no more empty boxes. Artwork generated with Codex CLI, shipped as 512px WebP under ui/public/plugin-art. * chore(ui): regenerate locale bundles for plugins manager strings * docs: describe plugins manager tabs, uninstall, and MCP connectors * fix(plugins): human catalog labels and un-pinned hosted fallback ids listManagedPlugins now prefers manifest names over registry package-name backfill, falls back to channel catalog labels and blurbs, and stops pinning expectedPluginId when a hosted feed entry only exposes its package name (which rejected every legitimate install of that package). Found via live gateway testing against ClawHub. * fix(ui): send minimal RFC 7396 merge patches for MCP server edits config.patch merges rather than replaces, so key removal needs an explicit null; sending the full config back made MCP server removal a no-op. Found via live gateway testing. * fix(ui): write explicit MCP transports for URL servers The MCP runtime defaults URL-only servers to SSE, so streamable HTTP endpoints saved by the add form or connector templates would fail at connect time. Connector templates now declare their transport and the add form infers streamable-http unless the URL follows the /sse convention. Flagged by autoreview against the transport resolver. * test(ui): wait for deferred plugin requests before resolving in e2e * feat(ui): plugins detail view, action menus, and unified ClawHub search Reworks the plugins page from PR #103176 feedback: merges the ClawHub tab into Discover (typing searches ClawHub inline and appends a quiet From ClawHub section, with Browse ClawHub demoted to a header text link), makes every row and store card open a plugin detail overlay (hero art, primary enable/install action, metadata table), and replaces enable/disable switches with a state chip plus an overflow menu (Enable/Disable, Remove for external plugins, View details) matching the ChatGPT-store install+menu pattern. MCP rows use the same menu; refresh is now icon-only. * chore(ui): regenerate locale bundles for plugins UI iteration * feat(ui): vetted, grouped connector catalog for the plugins store Expands Connect your world to 28 connectors organized into use-case shelves (Work & productivity, Coding & infrastructure, Home & media, Everyday life). Every entry passed a three-stage subagent review: official-docs verification plus live endpoint probes for MCP servers, ClawHub result-quality and malware/typosquat screening for curated searches, and an adversarial pass that dynamically registered OAuth clients to prove one-click viability. That review removed Figma (registration allowlisted, 403) and Atlassian (OAuth issuer-mismatch bug upstream), downgraded GitHub to PAT-based setup (no dynamic client registration upstream), fixed Linear (/sse retired) and Home Assistant (/api/mcp, streamable HTTP) endpoints, retargeted poisoned or dead searches (youtube, finance, hue dropped; calendar -> google calendar; stocks replaces finance), and added Todoist, Airtable, Canva, Stripe, Context7, DeepWiki, Hugging Face one-click MCP servers plus Jira, PDF, transcription, Kubernetes, Reddit, maps, translation, and notes searches. Keyless servers get a ready-to-use success message; new cover art included. * chore(ui): regenerate locale bundles for connector groups * fix(plugins): suppress hosted catalog rows once their package is installed Hosted feed entries without a declared runtime id fall back to their package name as catalog id, which never matches the installed runtime id, so the Discover shelf kept offering an already-installed package. Installed package names now also suppress official rows. Flagged by autoreview. * fix(plugins): pin declared runtime ids and surface connector errors in place The runtime-id pin now keys off explicitly declared catalog ids (plugin, channel, or provider) instead of string-comparing against the package name, so declared ids that equal their package name stay enforced while entry-id fallbacks stay unpinned. Connector add failures on Discover now render on the triggering card instead of the Installed tab's MCP section. Both flagged by autoreview; regression tests included. * feat(ui): full inventory artwork, pulse header, and two-column plugin list Every bundled plugin now ships distinctive cover art (113 new Codex CLI illustrations; 172 total, ~2.1MB WebP), so inventory rows and detail views never fall back to monogram tiles. The four stat cards give way to a compact inventory pulse: a segmented enabled/disabled/issues meter whose legend and counts live inside the filter chips. Inventory, MCP, and search rows flow into two columns when the panel is wide enough. * chore(ui): regenerate locale bundles for pulse header * fix(ui): omit stdio args from the MCP server row target Stdio MCP args routinely carry tokens, and the inventory is visible to read-only operators; mirror the config page and show only the command. Flagged by autoreview; regression test included. * fix(merge): point crestodian setup at relocated plugin commit/refresh modules * fix(merge): add bootstrapToken to plugins page test gateway harness * fix(plugins): name catalog install-action branches so Swift emits the union * fix(ui): satisfy strict lint on plugins page form parsing and mocks * chore(build): regen docs map, raise plugin-sdk declaration budget for new protocol surface * fix(ui): type the plugins page patch mock with its real call signature |
||
|
|
a7c5b2c6e6 |
fix(onboarding): preserve plugin ownership from included config (#103372)
* fix(onboarding): preserve included plugin install records * fix(config): validate inherited plugin install records * fix(onboarding): preserve canonical plugin install ownership * test(onboarding): cover completed install migrations |
||
|
|
4e84981402 |
feat(crestodian): guide providerless model setup (#101887)
* feat(crestodian): guide providerless model setup * fix(crestodian): avoid TUI message shadowing * fix(crestodian): tighten provider setup handoff * fix(crestodian): simplify model setup result * fix(crestodian): audit committed config hash * fix(crestodian): contain embedded wizard exits * test(crestodian): auto-clean operation temp dirs |
||
|
|
07bf384a8b |
feat(crestodian): conversational agent-loop onboarding across CLI, web install, and macOS app (#99935)
* feat(crestodian): AI-first conversational onboarding with typed-op guardrails Interactive `openclaw onboard` (and bare `openclaw` on a fresh install) now opens the Crestodian conversation: detection-backed first-run proposal (Claude Code/Codex logins, API keys), persona AI turns for every free-form message (configless local-runtime fallback, 60s deadline, deterministic degradation), approval-gated typed operations, chat-hosted channel setup (`connect <channel>`), config get/schema read ops with secret redaction, and a post-write validation hook that feeds schema errors back for a self-fix turn. Adds the additive gateway `crestodian.chat` method so app clients run the same conversation. Classic wizard stays behind --classic/explicit flags; non-interactive automation unchanged; `--modern` becomes a deprecated alias for `openclaw crestodian`. * feat(macos): Crestodian chat onboarding and importance-ordered permissions Replace the gateway step-wizard page with a Crestodian chat over the new crestodian.chat method (works before any model auth exists), sort the permissions page by importance with no scrolling, drop the redundant manual refresh, and bump the onboarding version. * feat(crestodian): run the custodian on the real agent loop with a ring-zero tool Crestodian conversations now execute through the same embedded agent runner as regular agents: a persistent agent session with a single construction-gated `crestodian` tool wrapping the typed operations (read actions free; mutations require approved=true asserted from explicit user consent, audited, with post-write config validation fed back into the loop). The engine prefers the loop (configured models or the Codex app-server fallback) and degrades to the single-turn planner, then to deterministic commands. Setup approval seeds the crestodian exec approval so local model harnesses can run; the configless Codex backend config now enables exec and direct tool loading (it was dead-on-arrival behind tools.exec.mode=deny and the tool-search index). * test(crestodian): type the engine mock signatures for the core test lane * fix(crestodian): map the advertised create_agent tool action * fix(crestodian): host-verified approval arming and a macOS setup completion gate Review findings: the model-supplied approved flag alone could authorize ring-zero mutations (prompt injection / model error), and removing the macOS wizard gate let users Next past the Crestodian page with nothing configured. Mutating tool actions now also require host-verified consent (the engine arms approval only when the user's actual message is an explicit yes), and local macOS onboarding blocks advancing until setup authored the config, using the same signal the old step wizard checked. * fix(crestodian): bind approval to the exact proposed operation and gate dot navigation A generic yes no longer authorizes arbitrary mutations: denied mutating tool calls register a canonical operation fingerprint (host-owned, per session), and an armed turn executes only the identical call, once. The denial message is arming-aware so the approved turn self-heals in one roundtrip, and the agent protocol pre-registers proposals. macOS onboarding page dots now honor the same setup-completion gate as the Next button. * fix(crestodian): redact sensitive wizard answers, skip logged-out CLIs, gate programmatic advance Sensitive channel-wizard answers (tokens, passwords) are redacted from the AI-visible conversation history; setup and the onboarding welcome never pick or advertise a definitively logged-out CLI as the model; and macOS handleNext() honors the page gates for programmatic callers (chat handoff) just like the Next button. * fix(crestodian): align the onboarding welcome's configured predicate with the app gate A valid config carrying only a default model (partial/hand-written) now still gets the first-run proposal instead of the ready guide, so the macOS setup gate can always be satisfied from the conversation. * fix(crestodian): armed turns can never mint their own executable proposal An approval-mismatched call inside an armed turn no longer re-registers and invites a retry (which let the model swap the approved operation for another in the same turn); it voids the approval entirely and requires a fresh yes. Proposals register only in unarmed turns, which the agent protocol already does when proposing. * fix(onboard): route any explicit setup flag to the classic wizard * fix(ci): satisfy new lint rules, tool-display guard, and generated artifacts for crestodian * chore(i18n): refresh native inventory after permissions copy wrap * fix(crestodian): harden conversational onboarding * docs(crestodian): document conversational onboarding * test(crestodian): type embedded runner mock * fix(crestodian): close onboarding security gaps * chore: retrigger ci |