* test(e2e): live-model scenarios for node-hosted MCP tools and skills
Adds --live to the node-plugin pond E2E: three real Anthropic
(claude-sonnet-4-6) agent turns prove the model can (1) call a node-hosted
MCP tool with a proof token verified in the MCP server's call log, (2) use
a node-published skill from its context, and (3) disambiguate identically
named tools from two nodes via deterministic node-prefixed names. Requires
ANTHROPIC_API_KEY; mock mode unchanged.
* style: explicit sort compare in pond tool-id assertion
* feat(openai): recognize GPT-Live realtime models and fail closed with guidance
OpenAI's gpt-live-1/gpt-live-1-mini full-duplex voice models are API
early-access only and use a WebRTC-only quicksilver session protocol with
handoff-based agent delegation that OpenClaw's realtime transports do not
implement yet. Configuring a gpt-live-* model now produces actionable
configuration errors on the realtime WebSocket bridge and Talk browser
sessions instead of opaque provider errors or audio-only sessions without
agent access. GA gpt-realtime behavior unchanged; default model stays
gpt-realtime-2.1.
Related: #104683
* test(openai): narrow browser session union before asserting offerUrl
The tasks rail (from #104010) only rendered as a right-docked 230-280px
column and vanished with its toggles below a 1120px viewport, so narrow
split-view panes got a crushed thread and compact windows lost access
to background tasks entirely — the same bug class #104033 fixed for the
workspace rail and detail panel.
The rail now follows the pane's measured width: it presents as a
full-width bottom strip (sections side by side like the workspace
rail's bottom dock) when the pane is too narrow for a side column, and
the workspace rail keeps first claim on the side slot when only one
column fits. Side-docked rails, not bottom strips, now count against
the width available to the chat + detail split.
Proof: check:changed + 212 focused tests green on Testbox at this exact
content; codex autoreview clean; chromium+webkit visual verification at
seven window widths plus split view with zero geometry overlaps.
Landed with maintainer CI override.
Closes#104091
* fix(slack): use endsWith instead of includes for _all_ action_id matching
* fix(slack): codify bulk action IDs and add confirmation regressions
Extract isSlackBulkActionId() with the documented _all suffix grammar,
use it for bulk-row detection, and add whole-path chat.update tests for
bulk-row cleanup plus deploy_all_services false-positive control.
Co-authored-by: Cursor <cursoragent@cursor.com>
* fix(slack): use OpenClaw bulk block marker instead of _all suffix
Replace global endsWith("_all") bulk detection with an explicit
openclaw:bulk: block_id prefix and closed action IDs, export a shared
producer helper, and add live Slack chat.update proof for bulk-row
removal and deploy_all_services preservation.
Co-authored-by: Cursor <cursoragent@cursor.com>
* fix(slack): keep bulk contract private and add legacy upgrade path
Drop speculative bulk-action exports from the Slack plugin API, keep
accepted ID collections private and immutable, and recognize legacy bare
select_all/deselect_all rows while still rejecting deploy_all_services
false positives.
Co-authored-by: Cursor <cursoragent@cursor.com>
* fix(slack): drop unsupported bare bulk compatibility branch
Remove the legacy select_all/deselect_all classifier that overmatched
single-ID and duplicate-ID rows, and add negative whole-path regressions
preserving unrelated custom action rows.
Co-authored-by: Cursor <cursoragent@cursor.com>
* fix(slack): remove unsupported bulk-row cleanup heuristic
Delete the undocumented bulk-row inference and namespaced replacement
contract. Confirmation updates now replace only the selected actions row
and preserve every other authored Block Kit row.
* refactor(slack): tighten interaction confirmation fix
* chore(changelog): preserve historical TTS entries
* chore(slack): move release note to PR body
---------
Co-authored-by: zw-xysk <zw-xysk@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
* feat: add metadata-only message audit events
* chore(protocol): restore generated swift models and config baseline after rebase
* fix(state): gate agent-db ownership check before schema version
* fix(cli): sync audit command description into the root-help catalog
* fix(audit): require destination proof before classifying outbound messages as direct
* refactor(audit): drop dead migration guard and add contract comments
* docs(gateway): add dedicated audit history page and cross-links
* test(e2e): enable direct-mode message audit in the telegram proof SUT config
* test(channels): expect declared conversationKind in durable delivery session context
* fix(audit): record the routing channel id for inbound rows from plugin channels
* fix(audit): match channel-prefixed delivery targets in the destination route gate
* fix(audit): validate explicit target kind against the destination route kind
* fix(audit): use the canonical target-prefix grammar in the destination route gate and fail closed on foreign migration tables
* fix(audit): normalize nested provider and kind target prefixes in the destination gate
* fix(audit): strip registered provider aliases and the direct kind prefix in the destination gate
* chore(docs): refresh config baseline after rebase
* fix(agents): protect provider auth exchange output by sensitivity, not input marker
protectPreparedProviderRuntimeAuth decided whether to protect a credential from
the shape of the input sourceApiKey: if the input was not a sentinel and not
registered for redaction it returned the exchange output untouched. That
assumes output sensitivity mirrors input sensitivity, which is false for any
provider that turns a non-secret marker into a real credential.
The bundled amazon-bedrock-mantle plugin hits this live: its stored apiKey is
the marker __amazon_bedrock_mantle_iam__ (not declared in nonSecretAuthMarkers,
so resolved raw), and its prepareRuntimeAuth mints a real IAM-derived Bedrock
bearer token. That real token flowed through the guard unprotected, so it was
stored and logged unredacted.
Gate protection per output value instead: skip empty values and non-secret
markers, protect everything else. Sibling providers that echo their own markers
(ollama-local, lmstudio-local, codex-app-server, gcp-vertex-credentials) are
unaffected. Drops the now-dead sourceApiKey parameter and its call sites.
* test(agents): assert sentinel storage and egress restoration for protected provider auth
* test(agents): assert protected runtime auth state
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
* fix(crabbox): preserve UTF-16 boundaries in CLI failure detail truncation
commandDetail replaced raw .slice(0, MAX_ERROR_DETAIL_CHARS) with
truncateUtf16Safe on the whitespace-compressed error detail output.
A 511-code-unit prefix with an emoji at the boundary produces a lone
high surrogate (U+D83D) on current main; the shared surrogate-aware
helper backs the cut up to preserve well-formed UTF-16.
* fix(crabbox): add provider-path UTF-16 regression test for inspect boundary
The existing test exercised commandDetail directly; ClawSweeper's P1
requires proof through the real provider boundary. The new test calls
provider.inspect() with a CLI runner that returns 511 ASCII + emoji in
stderr, proving commandDetail → truncateUtf16Safe works through the
full inspect → commandError → commandDetail chain.
Co-Authored-By: Claude <noreply@anthropic.com>
* refactor(crabbox): keep error proof on provider path
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
* improve(pr): trust origin/main-matching wrappers when the canonical checkout is parked elsewhere
* improve(crabbox): hint at lease expiry when reused-lease runs fail fast
* fix(pr): pin the wrapper trust anchor to the remote-tracking ref