da0ba1b73a
fix(security): harden channel auth path checks and exec approval routing
2026-02-26 12:46:05 +01:00
b74be2577f
refactor(web): unify proxy-guarded fetch path for web tools
2026-02-26 12:44:18 +01:00
242188b7b1
refactor: unify boundary-safe reads for bootstrap and includes
2026-02-26 12:42:14 +01:00
46003e85bf
fix: unify web tool proxy path ( #27430 ) (thanks @kevinWangSheng)
2026-02-26 11:32:43 +00:00
d8e2030d47
fix(web-search): honor HTTP_PROXY environment variable for Brave Search API
...
The web_search tool was not respecting HTTP_PROXY/HTTPS_PROXY environment
variables, causing 'fetch failed' errors when running behind a proxy.
This fix adds ProxyAgent support for the Brave Search API, similar to how
other tools in OpenClaw handle proxy configuration.
Fixes #27405
2026-02-26 11:32:43 +00:00
a7d56e3554
feat: ACP thread-bound agents ( #23580 )
...
* docs: add ACP thread-bound agents plan doc
* docs: expand ACP implementation specification
* feat(acp): route ACP sessions through core dispatch and lifecycle cleanup
* feat(acp): add /acp commands and Discord spawn gate
* ACP: add acpx runtime plugin backend
* fix(subagents): defer transient lifecycle errors before announce
* Agents: harden ACP sessions_spawn and tighten spawn guidance
* Agents: require explicit ACP target for runtime spawns
* docs: expand ACP control-plane implementation plan
* ACP: harden metadata seeding and spawn guidance
* ACP: centralize runtime control-plane manager and fail-closed dispatch
* ACP: harden runtime manager and unify spawn helpers
* Commands: route ACP sessions through ACP runtime in agent command
* ACP: require persisted metadata for runtime spawns
* Sessions: preserve ACP metadata when updating entries
* Plugins: harden ACP backend registry across loaders
* ACPX: make availability probe compatible with adapters
* E2E: add manual Discord ACP plain-language smoke script
* ACPX: preserve streamed spacing across Discord delivery
* Docs: add ACP Discord streaming strategy
* ACP: harden Discord stream buffering for thread replies
* ACP: reuse shared block reply pipeline for projector
* ACP: unify streaming config and adopt coalesceIdleMs
* Docs: add temporary ACP production hardening plan
* Docs: trim temporary ACP hardening plan goals
* Docs: gate ACP thread controls by backend capabilities
* ACP: add capability-gated runtime controls and /acp operator commands
* Docs: remove temporary ACP hardening plan
* ACP: fix spawn target validation and close cache cleanup
* ACP: harden runtime dispatch and recovery paths
* ACP: split ACP command/runtime internals and centralize policy
* ACP: harden runtime lifecycle, validation, and observability
* ACP: surface runtime and backend session IDs in thread bindings
* docs: add temp plan for binding-service migration
* ACP: migrate thread binding flows to SessionBindingService
* ACP: address review feedback and preserve prompt wording
* ACPX plugin: pin runtime dependency and prefer bundled CLI
* Discord: complete binding-service migration cleanup and restore ACP plan
* Docs: add standalone ACP agents guide
* ACP: route harness intents to thread-bound ACP sessions
* ACP: fix spawn thread routing and queue-owner stall
* ACP: harden startup reconciliation and command bypass handling
* ACP: fix dispatch bypass type narrowing
* ACP: align runtime metadata to agentSessionId
* ACP: normalize session identifier handling and labels
* ACP: mark thread banner session ids provisional until first reply
* ACP: stabilize session identity mapping and startup reconciliation
* ACP: add resolved session-id notices and cwd in thread intros
* Discord: prefix thread meta notices consistently
* Discord: unify ACP/thread meta notices with gear prefix
* Discord: split thread persona naming from meta formatting
* Extensions: bump acpx plugin dependency to 0.1.9
* Agents: gate ACP prompt guidance behind acp.enabled
* Docs: remove temp experiment plan docs
* Docs: scope streaming plan to holy grail refactor
* Docs: refactor ACP agents guide for human-first flow
* Docs/Skill: add ACP feature-flag guidance and direct acpx telephone-game flow
* Docs/Skill: add OpenCode and Pi to ACP harness lists
* Docs/Skill: align ACP harness list with current acpx registry
* Dev/Test: move ACP plain-language smoke script and mark as keep
* Docs/Skill: reorder ACP harness lists with Pi first
* ACP: split control-plane manager into core/types/utils modules
* Docs: refresh ACP thread-bound agents plan
* ACP: extract dispatch lane and split manager domains
* ACP: centralize binding context and remove reverse deps
* Infra: unify system message formatting
* ACP: centralize error boundaries and session id rendering
* ACP: enforce init concurrency cap and strict meta clear
* Tests: fix ACP dispatch binding mock typing
* Tests: fix Discord thread-binding mock drift and ACP request id
* ACP: gate slash bypass and persist cleared overrides
* ACPX: await pre-abort cancel before runTurn return
* Extension: pin acpx runtime dependency to 0.1.11
* Docs: add pinned acpx install strategy for ACP extension
* Extensions/acpx: enforce strict local pinned startup
* Extensions/acpx: tighten acp-router install guidance
* ACPX: retry runtime test temp-dir cleanup
* Extensions/acpx: require proactive ACPX repair for thread spawns
* Extensions/acpx: require restart offer after acpx reinstall
* extensions/acpx: remove workspace protocol devDependency
* extensions/acpx: bump pinned acpx to 0.1.13
* extensions/acpx: sync lockfile after dependency bump
* ACPX: make runtime spawn Windows-safe
* fix: align doctor-config-flow repair tests with default-account migration (#23580 ) (thanks @osolmaz)
2026-02-26 11:00:09 +01:00
a0cf753b2e
refactor(agents): dedupe node read invoke commands
2026-02-26 14:33:14 +05:30
c0073b3d47
feat(agents): add nodes notifications_list action
2026-02-26 14:33:14 +05:30
c289b5ff9f
fix(config): preserve agent-level apiKey/baseUrl during models.json merge ( #27293 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 6b4b37b03d
2026-02-26 03:46:36 -05:00
8117a13dd6
fix(nodes): default camera snap to front high-quality image
2026-02-26 12:17:32 +05:30
e35fe7888b
refactor: centralize message-provider tool filtering
2026-02-26 04:22:49 +01:00
e4d62c21be
test: expand voice provider tts regression coverage
2026-02-26 04:15:11 +01:00
8f8e2b13b4
fix: disable tts tool for voice provider
2026-02-26 04:12:39 +01:00
8a97803474
fix(agents): normalize malformed tool results in adapter ( #27007 )
2026-02-26 04:11:44 +01:00
de61e9c977
refactor(security): unify path alias guard policies
2026-02-26 03:59:17 +01:00
04d91d0319
fix(security): block workspace hardlink alias escapes
2026-02-26 03:42:54 +01:00
03e689fc89
fix(security): bind system.run approvals to argv identity
2026-02-26 03:41:31 +01:00
acbb93be48
fix(agents): comprehensive quota fallback fixes - session overrides + surgical cooldown logic ( #23816 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: e6f2b4742b
2026-02-25 20:35:40 -05:00
c0026274d9
fix(auth): distinguish revoked API keys from transient auth errors ( #25754 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 8f9c07a200
2026-02-25 19:47:16 -05:00
aaeed3c4ea
test(agents): add missing announce delivery regressions
2026-02-26 00:38:34 +00:00
4258a3307f
refactor(agents): unify subagent announce delivery pipeline
...
Co-authored-by: Smith Labs <SmithLabsLLC@users.noreply.github.com>
Co-authored-by: Do Cao Hieu <docaohieu2808@users.noreply.github.com>
2026-02-26 00:30:44 +00:00
975c9f4b54
Agents: emphasize config.schema usage
2026-02-25 09:45:39 -06:00
fb76e316fb
fix(test): use valid brave ui_lang locale
2026-02-25 11:58:52 +05:30
177386ed73
fix(tui): resolve wrong provider prefix when session has model without modelProvider ( #25874 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: f0953a7284
2026-02-25 00:36:27 -05:00
6e97470515
fix(brave-search): clarify ui_lang and search_lang format requirements ( #25130 )
...
* fix(brave-search): swap ui_lang and search_lang formats (#23826 )
* fix(web-search): normalize Brave ui_lang/search_lang params
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-02-25 04:59:38 +00:00
156f13aa64
fix(agents): continue fallback loop for unrecognized provider errors ( #26106 )
...
* fix(agents): continue fallback loop for unrecognized provider errors
When a provider returns an error that coerceToFailoverError cannot
classify (e.g., custom error messages without standard HTTP status
codes), the fallback loop threw immediately instead of trying the
next candidate. This caused fallback to stop after 2 models even
when 17 were configured.
Only rethrow unrecognized errors when they occur on the last
candidate. For intermediate candidates, record the error as an
attempt and continue to the next model.
Closes #25926
Co-authored-by: Cursor <cursoragent@cursor.com>
* test: cover unknown-error fallback telemetry and land #26106 (thanks @Sid-Qin)
---------
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-02-25 04:53:26 +00:00
146c92069b
fix: stabilize live docker test handling
2026-02-25 04:35:05 +00:00
9beec48e9c
refactor(agents): centralize model fallback resolution
2026-02-25 04:32:31 +00:00
dd6ad0da8c
test(exec): stabilize Windows PATH prepend assertion
2026-02-25 04:29:48 +00:00
d2597d5ecf
fix(agents): harden model fallback failover paths
2026-02-25 03:46:34 +00:00
7c59b78aee
test: cap docker live model sweeps and harden timeouts
2026-02-25 02:48:34 +00:00
45b5c35b21
test: fix CI failures in heartbeat and typing tests
2026-02-25 02:28:42 +00:00
91ae82ae19
refactor(sandbox): centralize dangerous docker override key handling
2026-02-25 02:12:15 +00:00
c267b5edf6
refactor(sandbox): unify tmp alias checks and dedupe hardlink tests
2026-02-25 02:01:12 +00:00
eb4a93a8db
refactor(sandbox): share container-path utils and tighten fs bridge tests
2026-02-25 01:59:53 +00:00
22689b9dc9
fix(sandbox): reject hardlinked tmp media aliases
2026-02-25 01:56:44 +00:00
fa525bf212
fix(shell): prefer PowerShell 7 on Windows with tested fallbacks ( #25684 )
2026-02-25 01:49:33 +00:00
bf5a96ad63
fix(agents): keep fallback chain reachable on configured fallback models ( #25922 )
2026-02-25 01:46:20 +00:00
c7ae4ed04d
fix: harden sandbox fs dash-path regression coverage ( #25891 ) (thanks @albertlieyingadrian)
2026-02-25 01:40:30 +00:00
5e3502df5f
fix(sandbox): prevent shell option interpretation for paths with leading hyphens
...
Paths starting with "-" (like those containing "---" pattern) can be
interpreted as shell options by the sh shell. This fix adds a helper
function that prepends "./" to paths starting with "-" to prevent
this interpretation.
This fixes the issue where sandbox filesystem operations fail with
"Syntax error: ; unexpected" when file paths contain the "---" pattern
used in auto-generated inbound media filenames like:
file_1095---f00a04a2-99a0-4d98-99b0-dfe61c5a4198.ogg
🤖 Generated with [Claude Code](https://claude.com/claude-code )
Co-Authored-By: Claude <noreply@anthropic.com>
2026-02-25 01:40:30 +00:00
b35d00aaf8
fix: sanitize Gemini 3.1 Google reasoning payloads
2026-02-25 01:40:14 +00:00
a177b10b79
test(windows): normalize risky-path assertions
2026-02-25 01:28:47 +00:00
43f318cd9a
fix(agents): reduce billing false positives on long text ( #25680 )
...
Land PR #25680 from @lairtonlelis.
Retain explicit status/code/http 402 detection for oversized structured payloads.
Co-authored-by: Ailton <lairton@telnyx.com>
2026-02-25 01:22:17 +00:00
bd213cf2ad
fix(agents): normalize SiliconFlow Pro thinking=off payload ( #25435 )
...
Land PR #25435 from @Zjianru.
Changelog: add 2026.2.24 fix entry with contributor credit.
Co-authored-by: codez <codezhujr@gmail.com>
2026-02-25 01:11:34 +00:00
5c6b2cbc8e
refactor: extract iMessage echo cache and unify suppression guards
2026-02-25 00:53:39 +00:00
2a11c09a8d
fix: harden iMessage echo dedupe and reasoning suppression ( #25897 )
2026-02-25 00:46:56 +00:00
f34325ec01
Tests: cover allowlist refs missing from catalog
2026-02-24 19:16:02 -05:00
e9068e2571
Agents: trust explicit allowlist refs beyond catalog
2026-02-24 19:16:02 -05:00
aee38c42d3
Tests: preserve OpenRouter explicit auth order under cooldown fields
2026-02-24 19:12:08 -05:00
06f0b4a193
Tests: keep OpenRouter runnable with legacy cooldown markers
2026-02-24 19:12:08 -05:00
Peter Steinberger
Kevin Shenghui
Onur Solmaz
Ayaan Zaidi
Sid
Ramez
Aleksandrs Tihenko
Shadow
byungsker
Glucksberg
Brian Mendonca
Albert Lie
Vincent Koc