Commit Graph

3690 Commits

Author SHA1 Message Date
Peter Steinberger
efc8f05cc2 fix(release): allow Telegram preload in workers (#104252) 2026-07-11 00:09:35 -07:00
Peter Steinberger
1e660ac7b2 fix: preserve runtime plugin assets after build (#104229) 2026-07-11 00:07:59 -07:00
Sebastien Tardif
1fa1507fc4 fix(install): harden stdin consumers to prevent pipe corruption in curl | bash (#87799)
* fix(install): harden stdin consumers to prevent pipe corruption in curl | bash

Redirect stdin from /dev/null for non-interactive subprocesses (npm install,
openclaw daemon restart, openclaw plugins update, openclaw dashboard) and
from /dev/tty for interactive ones (openclaw onboard in bootstrap). Also
protect the fallback paths in run_with_spinner and run_quiet_step.

This prevents subprocesses from consuming the script stream when the
installer is piped via curl | bash, which causes truncated function names
and hangs (reported in #73814).

Unlike the global pipe guard in #82918 (closed as too broad), this approach
has no detection heuristics and no re-execution. Each subprocess simply gets
the correct stdin for its purpose.

Fixes #73814

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

* chore: retrigger proof evaluation

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

* fix: redirect stdin in run_with_spinner raw-mode fallback

The success-path raw-mode fallback in run_with_spinner invoked the
command with inherited stdin. In a curl | bash scenario, this allowed
the child process to consume bytes from the script stream, causing
truncation. Add < /dev/null to match the other two fallback paths.

* retrigger proof check

* fix(test): update gum fallback assertion for stdin redirect

* fix: redirect gum-wrapped stdin and preserve TTY for interactive commands

Address ClawSweeper P1 and P2 findings:

- P1: Redirect stdin from /dev/null on the normal gum spin path so child
  commands cannot consume the piped script stream (gum v0.17.0 passes
  os.Stdin to wrapped commands).

- P2: Use is_non_interactive_shell to conditionally redirect stdin in
  fallback paths. When running interactively (bash install.sh), commands
  that need user input (e.g. Homebrew prompts) keep terminal stdin.
  When piped (curl | bash), stdin is redirected from /dev/null.

- P2: Revert labeler.yml changes to keep the PR focused on installer
  stdin safety. Size-label best-effort handling belongs in a separate PR.

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

* chore: retrigger proof evaluation

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

* retrigger proof check

* fix: base stdin isolation on stdin TTY check, not stdout

Replace is_non_interactive_shell with needs_stdin_isolation for stdin
redirection decisions. The new function checks stdin directly (! -t 0)
and NO_PROMPT, without checking stdout (-t 1). This ensures that
stdout redirection (e.g. install.sh > log.txt) does not suppress
interactive prompts when stdin is a terminal.

* test(install): add stdin isolation and NO_PROMPT coverage

Three focused tests for the needs_stdin_isolation function:

1. Verify needs_stdin_isolation returns true when stdin is piped
   (the core curl|bash scenario).
2. Verify needs_stdin_isolation returns true when NO_PROMPT=1 is set
   (explicit non-interactive override).
3. Verify run_quiet_step redirects subprocess stdin to /dev/null
   when running in a piped context, preventing script consumption.

* test(install): strengthen stdin isolation test with sentinel data

Replace the weak TTY check (which passes even without the fix since
the test pipe is also non-TTY) with a sentinel-based test: pipe
SENTINEL_DATA on stdin and verify the child process reads nothing,
proving run_quiet_step actually redirects stdin to /dev/null.

* test(install): add counterproof and cat-based stdin isolation tests

Add two new tests to prove the stdin isolation fix is necessary and
works correctly:

- counterproof: demonstrates that pipe data DOES leak to the child
  when stdin is not redirected through run_quiet_step, proving the
  /dev/null redirect is the isolation barrier
- cat-based test: uses cat (reads all of stdin) instead of read -t 1
  (timeout-based) for a deterministic assertion that run_quiet_step
  produces empty stdin

* fix: gate gum spin stdin redirect on needs_stdin_isolation

The gum spin command unconditionally redirected stdin from /dev/null,
which also killed interactive prompts for direct installs since gum
v0.17 passes os.Stdin to the wrapped command. Now only redirect
stdin when needs_stdin_isolation returns true (piped install context).

Adds focused tests verifying both paths: piped installs get /dev/null
redirect, direct interactive installs preserve terminal stdin.

* test: assert gum stdin is not /dev/null for direct interactive installs

The direct gum runtime test now reads the child command's stdin-source
log file and asserts stdin was NOT /dev/null, using device:inode
comparison (stat -f on macOS, stat -c on Linux) for reliable detection
across both platforms.

* retrigger proof check

* retrigger proof check with real installer evidence

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

* fix(install): preserve interactive post-install stdin

* fix(install): route piped prompts through controlling tty

* fix(install): keep quiet piped steps noninteractive

* fix(install): avoid hidden prompts with redirected output

* fix(install): preserve visible prompt output state

---------

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>
2026-07-11 14:00:53 +08:00
Peter Steinberger
b8502e1c0a test(gateway): prove suspension lifecycle in Docker (#104203) 2026-07-10 22:53:35 -07:00
Peter Steinberger
2ace363e98 feat: add live updater maintainer skill (#104202)
* feat: add live updater maintainer skill

* fix: restore updater dependencies before probes
2026-07-10 22:52:02 -07:00
Vincent Koc
96b1be10f5 feat(macos): keep MLX TTS model resident (#104200)
* test(macos): cover MLX helper packaging

* feat(macos): define framed MLX TTS protocol

* feat(macos): keep MLX TTS model resident

* feat(macos): reuse MLX TTS helper transport

* fix(macos): preserve MLX TTS fallback lifecycle

* chore(swift): lint MLX TTS protocol sources

* fix(macos): keep MLX helper input nonblocking

* test(macos): cover forced MLX helper shutdown

* fix(macos): fall back after MLX memory eviction

* fix(macos): discard canceled MLX audio
2026-07-11 13:45:27 +08:00
Peter Steinberger
afa3212e90 fix(release): stage Telegram QA inside runtime root (#104125) 2026-07-10 22:39:09 -07:00
Vincent Koc
daf3b86f45 Merge pull request #104181 from openclaw/fix/preserve-release-efficiency-history
chore(release): preserve efficiency change history
2026-07-11 13:35:30 +08:00
Peter Steinberger
6e9e64bd30 fix: current-tree package checks support unreleased versions (#104186)
* fix(ci): package unreleased QA builds safely

* style(ci): format QA changelog intent
2026-07-10 22:31:42 -07:00
Vincent Koc
358d4cd4cc fix(pr): reject stale canonical wrapper code 2026-07-10 22:24:36 -07:00
Vincent Koc
31484524a5 fix(release): preserve node across telegram qa masks (#104175) 2026-07-11 13:22:06 +08:00
Vincent Koc
2158873a3c fix(release): preserve canonical main PR provenance (#104166)
* fix(release): canonicalize changelog PR provenance

* fix(release): finalize changelog provenance policy

* fix(release): resolve canonical PRs from current main

* fix(release): support divergent beta baselines
2026-07-11 13:21:15 +08:00
Vincent Koc
c47ceb0f3d improve(release): reuse exact-SHA validation evidence (#104162)
* perf(release): share changelog verification snapshots

* perf(release): reuse exact-SHA validation evidence

* feat(release): checkpoint candidate workflow state

* feat(release): watch CI transitions compactly

* fix(testbox): rotate stale reusable leases

* refactor(release): move CI verifier into scripts

* fix(release): preserve verifier executable mode

* fix(testbox): force noninteractive remote hydration

* perf(testbox): skip sync for proven clean heads

* fix(testbox): keep changed gates synchronized

* fix(testbox): isolate git state probes

* fix(testbox): isolate wrapper git commands

* fix(testbox): preserve git command contracts

* fix(release): validate reused SHA evidence

* fix(release): resume serialized plugin selections

* fix(testbox): sync source on every lease reuse

* fix(release): verify from trusted workflow checkout

* fix(release): gate evidence reuse on trusted lineage

* fix(release): support legacy verifier checkouts

* fix(testbox): export CI across shell snippets

* fix(release): revalidate reused evidence before publish

* fix(release): reject untrusted reuse before lookup

* fix(release): reuse SHA-pinned root evidence

* fix(ci): allow unreleased notes in QA packages

* fix(release): satisfy script lint contracts

* fix(release): handle Unicode workflow refs safely
2026-07-11 12:48:27 +08:00
Vincent Koc
ad9d142245 style(test): format release workflow guard 2026-07-11 11:45:23 +08:00
Vincent Koc
b0258a5d8b fix(release): isolate frozen Telegram QA temp roots 2026-07-11 11:45:23 +08:00
Vincent Koc
543b0e7794 fix(ci): support frozen Swift lint targets 2026-07-11 11:45:23 +08:00
Vincent Koc
ffc8051cac test(release): align trusted SHA workflow guard 2026-07-11 11:09:58 +08:00
Vincent Koc
553f543bdf fix(release): support frozen validation targets 2026-07-11 11:09:58 +08:00
Peter Steinberger
feae1faf06 fix(release): expose Telegram launcher failures safely (#104099)
* fix(release): expose Telegram launcher failures safely

* test(release): prove namespace launcher diagnostics
2026-07-10 20:03:36 -07:00
Peter Steinberger
4b7a5a4e8b fix(installer): default to Node 22.22.2 (#104073) 2026-07-10 19:28:49 -07:00
Peter Steinberger
7febbad017 fix(release): dispatch Telegram QA with environment access (#104066) 2026-07-10 19:19:04 -07:00
Peter Steinberger
f50293c9e7 fix: installer removes temporary files after failed commands (#104049)
* fix(installer): retain temp cleanup registrations

* chore: keep installer release notes release-owned
2026-07-10 18:54:56 -07:00
Peter Steinberger
070b7928fd fix(release): declare Telegram QA environment secrets (#104036) 2026-07-10 18:30:20 -07:00
Peter Steinberger
f0facb4cca fix(release): raise Telegram attestor buffer (#104025) 2026-07-10 18:03:26 -07:00
Sebastien Tardif
95b205eac2 fix(installer): clean temporary files on failure (#103725) 2026-07-10 17:53:23 -07:00
Vincent Koc
e6bde5599d fix(release): keep correction tags at base version 2026-07-10 17:47:32 -07:00
Vincent Koc
90ad9251df fix(pr): support rebase landings 2026-07-10 17:47:32 -07:00
Vincent Koc
6f9afda10c fix(release): align plugin shrinkwrap scope 2026-07-10 17:47:32 -07:00
Vincent Koc
89bb79f6ae fix(pr): allow merge-commit landings 2026-07-10 17:47:32 -07:00
Vincent Koc
eefd6248f4 fix(release): manage tracked private shrinkwraps 2026-07-10 17:47:32 -07:00
Vincent Koc
968c9549b4 fix(release): avoid pnpm bootstrap in version prep 2026-07-10 17:47:32 -07:00
Vincent Koc
a960b5f3aa fix(release): keep JSON output machine-readable 2026-07-10 17:47:32 -07:00
Vincent Koc
38abdb64e8 fix(release): serialize root package generation 2026-07-10 17:47:32 -07:00
Vincent Koc
14ebfc88c4 fix(release): avoid caching GitHub errors 2026-07-10 17:47:32 -07:00
Vincent Koc
14a8cdc7c6 fix(release): keep Android notes aligned 2026-07-10 17:47:32 -07:00
Vincent Koc
0c16193bec chore(release): satisfy parallel runner lint 2026-07-10 17:47:32 -07:00
Vincent Koc
80d44bf000 feat(release): add shadow preparation controller 2026-07-10 17:47:32 -07:00
Vincent Koc
a835584537 perf(release): cache changelog GitHub discovery 2026-07-10 17:47:32 -07:00
Vincent Koc
897a66881d perf(release): parallelize shrinkwrap generation 2026-07-10 17:47:32 -07:00
Vincent Koc
82461afedb perf(release): parallelize scoped preflight tasks 2026-07-10 17:47:32 -07:00
Vincent Koc
d801384b3b feat(release): add atomic version preparation 2026-07-10 17:47:32 -07:00
Vincent Koc
2841edf01e fix(ci): pin Kova auth startup fixes (#104002) 2026-07-10 17:42:08 -07:00
Vincent Koc
f4b3a4841f fix(release): accept Kova collector-only phases (#104008) 2026-07-10 17:31:42 -07:00
Peter Steinberger
5f7a67f186 fix(release): avoid token-shaped Claude live probe (#103994) 2026-07-11 01:03:30 +01:00
Peter Steinberger
a0354e5243 fix(onboarding): make fresh AI setup reliable and transparent (#103962)
* fix(onboarding): harden inference setup

* fix(mac): preserve setup request cancellation

* test(crestodian): align setup audit expectation

* test(crestodian): cover approval persistence warning

* fix(crestodian): preserve setup credentials and success

* chore(pr): leave changelog to release flow

* fix(onboarding): repair native CI gates
2026-07-10 23:44:53 +01:00
Peter Steinberger
49941fab6d fix(ci): keep hydrate-github pnpm shims writable (#103971) 2026-07-10 23:36:10 +01:00
soldforaloss
0e0c922cc5 fix: preserve current Node for node.exe env wrappers (#103907)
* fix: preserve current Node for node.exe env wrappers

* fix(scripts): preserve Windows Node aliases

* chore: keep contributor PR release-note only

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 23:30:57 +01:00
Vincent Koc
b0e3c85a61 fix(release): bind publish children to trusted SHAs (#103913)
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 23:25:26 +01:00
Vincent Koc
b1e688c657 fix(release): consume Kova model contract (#103966) 2026-07-10 15:17:15 -07:00
Vincent Koc
022dd9dc27 fix(release): unblock Meta npm bootstrap publication (#103951)
* fix(release): isolate Meta npm bootstrap

* test(release): assert OIDC npm version guard
2026-07-10 14:50:00 -07:00