Commit Graph

37714 Commits

Author SHA1 Message Date
Vincent Koc
fbfa1378c0 test(sqlite): allow schema version pragma (#104960) 2026-07-12 12:36:57 +08:00
Ayaan Zaidi
33186b0f54 test(plugins): fail closed when an api-key auth method cannot be probed
An unprobeable api-key choice left its flag/env literals unchecked while CI
stayed green (ClawSweeper finding). The probe now supplies a real agent dir
and placeholder preflight opts (sentinel still bound to the declared
optionKey only, preserving the key-correctness proof), so every api-key
method must reach resolveApiKey — this immediately exercised
cloudflare-ai-gateway's account/gateway preflight path.
2026-07-12 10:06:26 +05:30
Ayaan Zaidi
fe9af7dfc7 test(plugins): keep auth-literal parity test out of the unit-fast lane
Loading built plugin dists pulls large module graphs into the shared vitest
worker cache and broke co-resident vi.mock unit tests (memory-host-sdk
embeddings, checks-node-compact-large-2). An explicit dynamic import of the
surface loader trips the lane classifier's dynamic-import rule, moving the
file to the plugins project where dist loading is the norm.
2026-07-12 10:06:26 +05:30
Ayaan Zaidi
8f14f88690 test(plugins): fail auth-literal parity when a declared provider never registers
Silent skip on missing runtime registration recreated the drift class the
test guards (ClawSweeper finding); capability-only plugins now must register
zero text providers to be exempt.
2026-07-12 10:06:26 +05:30
Ayaan Zaidi
0e154d0467 fix(auto-reply): keep typed overloaded failures on the surfaced-copy path
Shipped behavior pins overloaded FailoverErrors to immediate dedicated copy
(agent-runner-execution.test.ts 'surfaces typed overloaded failures'); only
timeout and server_error reasons join the transient retry gate.
2026-07-12 10:06:26 +05:30
Ayaan Zaidi
57e0ea8f75 fix(auto-reply): honor structured FailoverError reasons in terminal catch classification
context_overflow and transient (timeout/server_error/overloaded) FailoverError
reasons now classify structurally like billing/rate_limit already do, instead
of relying on message text that may lack overflow or HTTP-status tokens. A
typed transient failure without a leading status token now takes the single
transient retry; typed context overflow suppresses the generic failure reply.
Part of #104219 (row 12).
2026-07-12 10:06:26 +05:30
Ayaan Zaidi
d03defb8b4 refactor(plugins): single-source CORE_BUILT_IN_MODEL_APIS and add provider auth-literal parity test
gateway-startup-plugin-ids duplicated the built-in model-API set byte-for-byte
with nothing enforcing sync; provider-config-owner now owns it. New parity
test proves bundled provider manifests and runtime provider.auth declare the
same optionKey/cliFlag/envVar/method literals, guarding against silent
wizard-vs-runtime auth drift. Part of #104219 (row 12).
2026-07-12 10:06:26 +05:30
Ayaan Zaidi
596603f7d3 refactor(sessions): route get-reply-run session refresh through the accessor
Drops the last non-doctor whole-store resolveSessionStoreEntry read in the
reply pipeline; exact working-set key plus accessor disk read match the
sibling refresh sites in runPreparedReply. Part of #104219 (seam 8).
2026-07-12 10:06:11 +05:30
Vincent Koc
46aa7aed3a fix(sqlite): validate state before writable setup (#104952) 2026-07-12 12:13:37 +08:00
Vincent Koc
a4cc24d113 fix(sqlite): reject corrupt backup and compact sources (#104938) 2026-07-12 11:53:03 +08:00
Vincent Koc
630a8c256e test(cli): require numeric retry timeouts 2026-07-12 11:49:18 +08:00
Vincent Koc
97d4ee9c51 refactor(agents): centralize attempt terminal outcome (#104936) 2026-07-12 11:49:09 +08:00
Peter Steinberger
6b95f98fe7 fix(core): make indexed access explicit across remaining src (NUIA phase 3b) (#104773)
* fix(core): make indexed access explicit in auto-reply, infra, and config

Part 1/3 of the src NUIA phase-3b burn-down (#104600): iteration and
destructuring over index reads, boundary guards on parsed input, and
named invariants. Config path walkers bind the path head once; SQLite
migration key handling is hoisted without query-shape changes.

* fix(core): make indexed access explicit in cli, gateway, commands, security, shared

Part 2/3: argv/token selection restructured, gateway event/attachment
invariants named, security parsers stay fail-closed (invariant
violations throw), edit-distance matrices access checked entries.

* fix(core): make indexed access explicit across remaining src surfaces

Part 3/3: channels, plugins, process, cron, plugin-sdk, media, logging,
tui, hooks, daemon, and small directories. Latent bug fixed: a tailnet
resolver could leak undefined through a string|null contract and now
fails with a descriptive local error.

* fix(core): keep optional boundaries optional after per-commit review

Review findings: expectDefined misused where absence is a legitimate
state. CLI --profile/route-args missing next tokens take their existing
miss paths; help normalization compares --help against the last
positional again; first-time plugin install spreads absent cfg.plugins;
denylist scan iterates manifest dependency entries instead of throwing
on omitted sections; tailnet resolver returns a guaranteed string at
the source instead of a caller-side undefined throw.

* refactor(core): closed-key provider labels and honest optional passthroughs

PROVIDER_LABELS becomes a satisfies-typed closed record (static reads
provably defined; dynamic lookups go through providerUsageLabel with
honest string|undefined). Status-scan overview passes its optional
params through unchanged instead of asserting them.

* fix(channels): make getChatChannelMeta honestly optional

The original signature claimed ChatChannelMeta while leaking undefined
on bundled channel id metadata drift; three of four callers already
handled absence. The return type now says so, and the one assuming
caller falls back to the raw channel label.

* fix(core): index-safety for post-rebase main drift

Covers the sqlite-sessions flip and auth-source-plan code that landed
mid-phase, plus the channel-validation test consuming the now honestly
optional getChatChannelMeta.

* refactor(channels): split chat-meta accessors along the SDK contract

getChatChannelMeta keeps its shipped plugin-SDK signature (defined for
bundled ids, fail-loud on impossible misses); new findChatChannelMeta
carries the drift-tolerant optional contract for core auto-enable and
formatting paths.

* fix(qa-channel): own channel metadata instead of a guaranteed-undefined catalog lookup

qa-channel spread getChatChannelMeta over an id that is never in the
bundled catalog, shipping an empty setup meta by accident; the fail-loud
SDK accessor exposed it. The channel now declares its metadata once.

* fix(gateway): heartbeat projection lookahead is optional at the transcript tail

expectDefined wrapped messages[i + 1] whose absence on the final message
is the normal case; the adjacent ternary already handled it. Restores
the plain optional read with an explicit guard in the pair condition.

* fix(plugin-sdk): channel plugin factory tolerates non-bundled channel ids again

createChannelPluginBase spreads bundled catalog meta for ANY channel id,
where absence is the normal case for external plugins; the resolver is
honestly optional again while the exported bundled-id accessor keeps the
fail-loud contract.

* fix(core): spreads of optional config sections stay optional

Fresh-setup and first-install paths (crestodian setup inference, hook
installs, agent config base, target agent models) legitimately lack the
section being rebuilt; spreading undefined is the shipped {} semantics.
Removes the remaining gratuitous assertion wraps found by tree audit.
2026-07-11 20:47:34 -07:00
Vincent Koc
ddbec923d4 fix(plugin-sdk): cover the full public API baseline 2026-07-12 05:38:05 +02:00
Vincent Koc
350bac4e0e improve(sqlite): harden state lifecycle and snapshots (#104859)
* fix(sqlite): enable bounded vacuum and hot indexes

* fix(sqlite): serialize shared schema upgrades

* fix(sessions): reject stale transcript rewrites

* fix(sqlite): surface busy checkpoints and refresh registry

* fix(backup): verify sqlite snapshots

* feat(doctor): compact shared sqlite state

* test(sqlite): align hardening helpers

* fix(backup): respect plugin sqlite ownership

* fix(backup): snapshot plugin sqlite opaquely

* fix(doctor): reject mixed sqlite actions

* fix(backup): reject unsafe sqlite snapshots

* fix(sessions): track unconditional transcript replacements

* fix(backup): reject page-aligned sqlite truncation

* fix(backup): reject state-root case aliases

* docs: refresh sqlite maintenance map

* fix(sqlite): register doctor compaction boundary

* fix(sqlite): serialize fresh database initialization

* fix(sqlite): prove main v5 agent upgrade

* perf(sqlite): seek latest transcript messages

* test(sessions): align terminal freshness fixtures with SQLite

* docs: refresh generated map
2026-07-12 11:35:22 +08:00
Peter Steinberger
a74fb334a7 test(live): retry GPT-5.6 nonce mismatches (#104905) 2026-07-11 20:33:49 -07:00
Peter Steinberger
274f12493e test(cli): tolerate bounded usage-cost retries (#104883) 2026-07-11 20:32:38 -07:00
Vincent Koc
7984973a8c test(sessions): align terminal freshness fixtures with SQLite (#104925) 2026-07-12 11:21:07 +08:00
Alix-007
d0764f3566 fix(browser): preserve own profile entries (#101694)
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-11 20:10:59 -07:00
Peter Lee
5e064bb7b4 chore: remove dead sanitizeThinkingSignatures field from transcript policy (#99880)
* chore: remove dead sanitizeThinkingSignatures field from transcript policy

The sanitizeThinkingSignatures field on TranscriptPolicy and
AgentRuntimeTranscriptPolicy was orphaned when the google-antigravity
provider was removed in 382fe8009a. That commit deleted the only
consumer (sanitizeSessionHistory in google.ts) but left the field
declaration in both types and the default value, plus stale
references across test fixtures.

Remove the field from:
- TranscriptPolicy type and DEFAULT_TRANSCRIPT_POLICY (transcript-policy.ts)
- AgentRuntimeTranscriptPolicy (runtime-plan/types.ts)
- All test/mock/compact-harness references (14 sites)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* chore: remove blank lines from transcript policy cleanup

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Colin <colin@solvely.net>
2026-07-11 22:47:40 -04:00
scoootscooob
f5eafc1515 Recover cron tool warnings with final text (#104908) 2026-07-11 19:45:33 -07:00
Vincent Koc
2f946506bb fix(sessions): restore SQLite terminal freshness 2026-07-12 04:43:33 +02:00
Vincent Koc
d2ad471a8c refactor(plugins): centralize registration rollback (#104902) 2026-07-12 10:39:15 +08:00
Peter Steinberger
d54722fbce test(sessions): stabilize reply init timestamps (#104900) 2026-07-11 19:37:46 -07:00
Peter Steinberger
68f0eee5ae fix(ui): harden workspace file editing (#104885)
* fix(ui): retain unsaved workspace file drafts

* fix(ui): reset restored draft hash

* fix(ui): keep all unsaved file drafts

* fix(ui): harden workspace file editing

* fix(ui): canonicalize workspace file identity

* fix(gateway): serialize workspace file saves globally

* chore: keep release notes in PR body

* docs: refresh generated docs map
2026-07-11 19:25:47 -07:00
Peter Steinberger
63e00eb573 fix(tui): preserve terminal errors across history reloads (#104864) 2026-07-11 19:18:06 -07:00
Peter Steinberger
4eb1f5225c feat(ui): add standalone operator approval links (#103698)
* feat(gateway): standalone approval deep-link page

Squash-rebased #103698 segment onto the typed-actions tip on current main.
Adds the tokenless /approve/{id} standalone approval UI served by the
gateway control-UI router, gateway-store ephemeral login fix (selectGateway
only on changed URL), and approval-page i18n strings.

Drift reconciliation: union-merged i18n translation-memory caches and
regenerated locale metadata via control-ui-i18n sync (33 approvalPage keys
remain English fallbacks in minor locales, as on the original branch).

(cherry picked from commit c82f56011bfe9f0debb8ebe052f14590c187340d)
(cherry picked from commit 80f5636a8b67a3d6a5f330620541a39d4ef3fe6f)
(cherry picked from commit a3e300d337a92bf1b593a0bb52b7ec4549910a21)
(cherry picked from commit 860ad01f9658bba54cb3d59644e5e1a032c0bb3f)
(cherry picked from commit d8b697b28a847950a1797da07fc0ae4c24928492)
(cherry picked from commit 8a654e3271fd5721358812f961a7a7bb386d6726)
(cherry picked from commit 2f776d2e7bf910271fcbd9697597f6f5478b0f30)
(cherry picked from commit 14e64e6e4d763be830830801eeec1a6f17441688)
(cherry picked from commit 4df9ec828d0034fdc76540ff0fe341e599b0f281)
(cherry picked from commit e52968f4ab)
(cherry picked from commit 7214fc25013966f99ff4b2d506aa2f5f789e2113)
(cherry picked from commit c6259ff79787c759c136086e1a54c9ead8e89539)
(cherry picked from commit a58d9f271d27481615f0c94a828704c563d5354f)
(cherry picked from commit dcf1cb6d98)

* fix(ui): preserve approval page gateway auth

* fix(ui): keep approval disconnects fail closed

* style(ui): format approval disconnect copy
2026-07-11 19:16:23 -07:00
Peter Steinberger
2d4f09de22 fix(ci): repair typed approval main gates (#104882) 2026-07-11 19:03:25 -07:00
Vincent Koc
dfa580e989 fix(plugins): complete session catalog contracts 2026-07-12 03:49:16 +02:00
Vincent Koc
b575b5ee9b fix(gateway): restore chat protocol type import 2026-07-12 03:49:04 +02:00
Peter Steinberger
7a456e362d feat(channels): add typed cross-surface approval actions (#103679)
* fix(gateway): approval registry hardening and protocol-surface follow-ups

Follow-up delta to the merged #103579 head, rebased onto current main:
- gateway-protocol wire types derive from owner-module schema consts
  (types.ts tombstone) and ProtocolSchemas leaves the package index so the
  public plugin-sdk d.ts graph tree-shakes the registry declaration
- approval access authority follows the operator.approvals scope tier with
  reviewerDeviceIds as the opt-in restriction (cross-surface
  first-answer-wins; requester identity gates only legacy adapters)
- plugin node.invoke approvals register directly so unrenderable
  presentations fail closed before request routing
- exec-approval manager reconciliation with #103515 revocation hardening
  (resolution source attribution, one-shot ask-fallback consumption)
- surface-report pins and plugin-sdk API baseline refreshed; Swift models
  regenerated

* feat(channels): add typed operator approval actions

Squash-rebased #103679 segment onto the durable-approval-registry tip on
current main. Typed approval/command/select presentation actions replace
raw-string inference across slack/telegram/discord/matrix/imessage/whatsapp,
approval.resolve carries an explicit kind, and channel adapters map native
callback envelopes through the typed action registry.

Drift reconciliation: deprecated buildExecApprovalInteractiveReply assertions
dropped (#104650 removed the shims); worker_environments bootstrap-column
migration kept alongside the approval resolution_ref backfill; plugin-sdk API
baseline regenerated.

(cherry picked from commit 68765a5d39d2118c88a7a54d00387337912d4494)
(cherry picked from commit 8642ac12af142e4b751f4f30d4b114615e7e5f66)
(cherry picked from commit 036c4bc39499925fc03de16ec9302e346769350a)
(cherry picked from commit 19dc350d6bc34e29a5169c6bc80971b0ad12adde)
(cherry picked from commit fc978b0bad86aef421c79f6a211b25cc1b743c01)
(cherry picked from commit 10de4d1ed5071f9be6ad1ee5d1e32c0fa8c9d11c)
(cherry picked from commit 9a664ced1b1fa740172b258f355f1a82925ae41c)
(cherry picked from commit c5ff69abbf444139e9e007bfa45beb0f00ffea54)
(cherry picked from commit d466a80795)
(cherry picked from commit f5b4fe40dd5c961322f8553cc80b2fdfb3f6503e)
(cherry picked from commit 7340b4749a4cc4c72f7a41cce1bc9cb550cae038)
(cherry picked from commit a151f41808f23ae60b10305ccd2bc959b9169a86)

* fix(approvals): preserve typed transport ownership

* test(imessage): narrow chunked approval text

* refactor(protocol): remove retired type tombstone

* fix(plugin-sdk): align surface budgets after rebase

* docs(changelog): note typed operator approvals

* docs(changelog): defer typed approval release note
2026-07-11 18:31:05 -07:00
Peter Steinberger
11ea4df29c feat(fleet): per-cell disk limits, egress policy, backup/restore, and cell diagnostics (#104828)
* feat(fleet): per-cell disk limits, egress policy, backup/restore, logs, and doctor

- fleet create --disk <size> caps the container writable layer via --storage-opt;
  unsupported storage backends fail create with an actionable support-matrix
  error, and the limit replays across upgrade/restore through a fleet-owned
  container label because Podman inspect has no HostConfig.StorageOpt.
- fleet create --network bridge|internal adds an opt-in no-egress mode on
  Podman (published loopback port keeps working, verified live); Docker
  internal cells are rejected fail-closed because Docker does not publish
  loopback ports on internal networks.
- fleet backup/restore: per-tenant 0600 tar archives with manifest tenant
  binding, symlink/hardlink rejection, byte and path-segment budgets,
  root-bounded extraction, atomic no-overwrite publish, lease fencing, and
  Gateway token rotation on restore; failures preserve displaced data and
  never leave a force-stopped or half-started cell serving silently.
- fleet logs: ownership-asserted, bounded, token-redacted on both streams,
  with a generation re-check so a concurrent restore cannot leak a rotated
  token.
- fleet doctor: read-only per-cell audit of ownership labels, health,
  hardening drift, loopback port binding, token presence, network egress
  mode, and 0700 state-dir permissions; any failed finding exits nonzero.
  Cross-runtime checks are grounded in live-verified Docker 28/Podman 4.9
  inspect shapes (CapDrop vs EffectiveCaps, missing StorageOpt, missing
  network containers map).

Related: #104436 (v1 shipped in #104527)

* fix(fleet): harden streamed log redaction and root restore ownership

- redacting stream writer honors target backpressure, retains secret-prefix
  overlap across forced long-line flushes, and never splits a token between
  emitted chunks
- root-invoked restores repair ownership for explicit non-root user mappings
  instead of leaving root-owned 0700 state trees
- fleet logs merges the shipped --follow streaming surface (#104669) with the
  v1.1 token-redaction contract

* fix(fleet): stream partial log lines live and report phase-accurate restore recovery paths

- the redacting log writer emits safe text on every chunk (retaining only a
  possible token prefix) so unterminated progress output streams immediately
- restore failure notes distinguish pre-swap, displaced, and swapped states so
  operators recover the correct tree, and an unavailable runtime inspection is
  reported as an unverified replacement instead of silence

* fix(fleet): reject backslash archive paths, guard stderr pipes, and validate disk-limit labels in doctor

- restore/backup path rules reject literal backslashes so a tampered entry
  cannot validate as one path and extract as another on POSIX
- fleet logs handles broken pipes on stderr as well as stdout
- fleet doctor fails malformed disk-limit labels that would break
  upgrade/restore replay instead of reporting them as passing
2026-07-11 18:24:01 -07:00
Peter Steinberger
508f6a2996 refactor(config): retire legacy flat streaming keys to doctor-owned migration (#104693)
* chore(config): regenerate bundled channel config metadata for retired flat streaming keys

* refactor(config): retire legacy flat streaming keys to doctor-owned migration

* fix(config): restore zod locale installer dropped in rebase and repin SDK surface
2026-07-11 18:15:03 -07:00
Ayaan Zaidi
4bbca30990 fix(plugin-sdk): keep shipped ErrorKind/detectErrorKind as deprecated compat
The latest stable package exposes both names via the deprecated
openclaw/plugin-sdk/infra-runtime subpath. Compat now lives in the barrel
itself with the old substring semantics and a removal plan; core runtime no
longer uses them. Also converts the chat mapping switch to an if-chain for
switch-exhaustiveness lint.
2026-07-12 06:25:54 +05:30
Ayaan Zaidi
a303ca607c fix(gateway): badge timeout only for timeout-shaped errors
FailoverReason timeout is the retryable-transient bucket and deliberately
swallows generic 5xx, so it cannot drive the user-facing timeout badge.
Rate-limit/overload/context mapping stays on the canonical reason; the
timeout badge now requires isTimeoutError. HTTP 500 badges stay unknown.
2026-07-12 06:25:54 +05:30
Ayaan Zaidi
5ffa6db0de fix(gateway): classify chat error kind via canonical failover reasons
Deletes the naive substring detectErrorKind from infra/errors; the chat error
badge now maps resolveFailoverReasonFromError into the protocol errorKind set,
with refusal kept as a chat-local stop-reason check. Fixes drift where a Groq
TPM 413 showed context_length instead of rate_limit and quota/CJK/socket
errors showed unknown.

Part of #104219 (seam 5, slice 1).
2026-07-12 06:25:54 +05:30
Peter Steinberger
0d84eb4e70 fix(skills): read node-hosted skills from their publishing node (#104832)
* fix(skills): make node skill locators readable

* test(skills): track node skill temp directory

* chore: defer node skill changelog to release process
2026-07-11 17:54:14 -07:00
Peter Steinberger
d05391b9b3 fix: prevent Slack startup from loading stale builds (#104831) 2026-07-11 17:51:19 -07:00
Peter Steinberger
a37962e90c refactor(cron): compress trigger tool guidance (#104826) 2026-07-11 17:42:49 -07:00
Vincent Koc
12f6a79481 fix(test): contain TUI validation abort teardown 2026-07-12 08:40:22 +08:00
Vincent Koc
c2819d5cfa test(gateway): expect provider policy context 2026-07-12 08:40:22 +08:00
Vincent Koc
d826581d26 test(gateway): mock provider policy surface 2026-07-12 08:40:22 +08:00
Vincent Koc
bbdb24a278 test(agents): mock provider policy surface 2026-07-12 08:40:22 +08:00
Vincent Koc
16a647041c fix(providers): load trusted external thinking policies 2026-07-12 08:40:22 +08:00
Peter Steinberger
82667a66e5 feat(ui): editable file panel with CodeMirror and sessions.files.set hash-CAS writes (#104757)
* feat(gateway): add sessions.files.set workspace file write with hash CAS (#104698)

* feat(ui): CodeMirror file editor panel with CAS save + clickable tool-card paths (#104698)

* fix(gateway): issue the file CAS hash only for strict-UTF-8 text (#104698)

* docs(web): document the editable file detail panel (#104698)

* fix(gateway,ui): round-trip BOM and CRLF bytes through the file editor (#104698)

* fix(ui): keep mixed-line-ending files read-only in the file editor (#104698)

* fix(ui): re-gate editability when a conflict reload returns non-editable content (#104698)

* fix(gateway): reject NUL bytes in sessions.files.set replacement content (#104698)

* fix(gateway,ui): regenerate protocol bindings, fix prod types and lint for file editor (#104698)
2026-07-11 17:36:28 -07:00
Vincent Koc
39e2da5bb6 fix(cli): cap usage cost RPC timeout (#104823) 2026-07-12 08:36:23 +08:00
Peter Steinberger
04f945fabe feat(cloud-workers): durable transcript commit protocol for worker sessions (#104809)
* feat(cloud-workers): add transcript commit protocol

* feat(cloud-workers): persist transcript commit replay state

* feat(cloud-workers): apply transcript commits to sessions

* fix(cloud-workers): harden transcript commit admission

* fix(cloud-workers): recover branched transcript commits

* fix(cloud-workers): preserve diagnostic semantics
2026-07-11 17:29:07 -07:00
Peter Steinberger
2e6c1090c1 fix: quiet expected live updater warnings (#104813) 2026-07-11 17:27:01 -07:00
Peter Steinberger
3255b3218a feat: unify external sessions with native catalog pagination (#104717)
* feat(gateway): add generic sessions.catalog surface with plugin SDK registration seam

* feat(agents): support one-shot forked CLI session resume with successor rebinding

* feat(anthropic): adopt local Claude CLI sessions into native chats via catalog continue

* feat(codex): register the session catalog provider independently of supervision

* refactor(ui): delete the retired custom Claude/Codex session tab views

* feat(ui): render external session catalogs as native sidebar sessions and chat panes

* docs: describe the unified native session catalog

* fix: harden forked CLI resume and catalog transcript mapping after review

* fix: satisfy strict typecheck for catalog source guard and imported message cast

* chore(i18n): regenerate session catalog locales

* fix(codex): simplify session source guard type

* fix(ui): paginate sidebar session catalogs

* chore(i18n): refresh catalog metadata after main merge

* fix(ui): harden session catalog pagination refresh

* test(agents): use sqlite session accessor in fork tests

* fix(ci): refresh session catalog generated surfaces

* fix(ui): align session catalog locales

* fix: address session catalog review findings

* fix(sessions): roll back failed plugin catalog adoption

* test(sessions): preserve CLI binding literals

* fix(ui): restore native session pagination label

* docs: note external session catalogs

* Revert "docs: note external session catalogs"

This reverts commit cfb503f160.
2026-07-11 17:26:26 -07:00
NIO
9c0c932c33 fix(mcp): bound short-lived OAuth requests (#103704)
* fix(mcp): bound CLI OAuth login through guarded fetch timeout

* fix(mcp): bound OAuth request lifecycles

Co-authored-by: NIO <nocodet@mail.com>

* fix(mcp): preserve caller cancellation

* test(mcp): centralize timeout rejection capture

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: NIO <nocodet@mail.com>
2026-07-11 17:22:55 -07:00