f9e185887f
docs: restore onboard docs references
2026-03-16 05:50:57 +00:00
823039c000
docs: prefer setup wizard command
2026-03-15 22:01:04 -07:00
5287ae3c06
docs: update setup wizard wording
2026-03-15 21:40:31 -07:00
0a2f95916b
test: expand ssh sandbox coverage and docs
2026-03-15 21:38:22 -07:00
b8bb8510a2
feat: move ssh sandboxing into core
2026-03-15 21:35:30 -07:00
be8fef3840
docs: expand openshell sandbox docs
2026-03-15 20:35:56 -07:00
ae7f18e503
feat: add remote openshell sandbox mode
2026-03-15 20:28:19 -07:00
a2cb81199e
secrets: harden read-only SecretRef command paths and diagnostics ( #47794 )
...
* secrets: harden read-only SecretRef resolution for status and audit
* CLI: add SecretRef degrade-safe regression coverage
* Docs: align SecretRef status and daemon probe semantics
* Security audit: close SecretRef review gaps
* Security audit: preserve source auth SecretRef configuredness
* changelog
Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com>
---------
Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com>
2026-03-15 21:55:24 -05:00
dd40741e18
feat(plugins): add compatible bundle support
2026-03-15 16:08:50 -07:00
132e459009
fix(ci): config drift found and documented
2026-03-15 10:43:03 -07:00
ff61343d76
fix: harden mention pattern regex compilation
2026-03-15 08:44:12 -07:00
a472f988d8
fix: harden remote cdp probes
2026-03-15 08:23:01 -07:00
2806f2b878
Heartbeat: add isolatedSession option for fresh session per heartbeat run ( #46634 )
...
Reuses the cron isolated session pattern (resolveCronSession with forceNew)
to give each heartbeat a fresh session with no prior conversation history.
Reduces per-heartbeat token cost from ~100K to ~2-5K tokens.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 16:28:01 -07:00
b1d8737017
browser: drop chrome-relay auto-creation, simplify to user profile only ( #46596 )
...
Merged via squash.
Prepared head SHA: 74becc8f7d
2026-03-14 15:40:02 -07:00
b6d1d0d72d
fix(browser): prefer user profile over chrome relay
2026-03-14 04:15:34 +00:00
5225667e25
docs: trim duplicated wizard and gateway api examples
2026-03-13 20:19:39 +00:00
e986aa175f
docs: fix session key :dm: → :direct ( #26506 )
2026-03-13 14:28:33 +05:30
b14a5c6713
fix(zalouser): require ids for group allowlist auth
2026-03-13 01:31:17 +00:00
55f47e5ce6
onboard(minimax): flatten auth to 4 direct choices, unify CN/Global under single provider ( #44284 )
...
Replace the multi-step MiniMax onboarding wizard with 4 flat options:
- MiniMax Global — OAuth (minimax.io)
- MiniMax Global — API Key (minimax.io)
- MiniMax CN — OAuth (minimaxi.com)
- MiniMax CN — API Key (minimaxi.com)
Storage changes:
- Unify CN and Global under provider "minimax" (baseUrl distinguishes region)
- Profiles: minimax:global / minimax:cn (both regions can coexist)
- Model ref: minimax/MiniMax-M2.5 (no more minimax-cn/ prefix)
- Remove LM Studio local mode and Lightning/Highspeed choice
Backward compatibility:
- Keep minimax-cn in provider-env-vars for existing configs
- Accept minimax-cn as legacy tokenProvider in CI pipelines
- Error with migration hint for removed auth choices in non-interactive mode
- Warn when dual-profile overwrites shared provider baseUrl
Made-with: Cursor
2026-03-12 11:23:42 -07:00
b77b7485e0
feat(push): add iOS APNs relay gateway ( #43369 )
...
* feat(push): add ios apns relay gateway
* fix(shared): avoid oslog string concatenation
# Conflicts:
# apps/shared/OpenClawKit/Sources/OpenClawKit/GatewayChannel.swift
* fix(push): harden relay validation and invalidation
* fix(push): persist app attest state before relay registration
* fix(push): harden relay invalidation and url handling
* feat(push): use scoped relay send grants
* feat(push): configure ios relay through gateway config
* feat(push): bind relay registration to gateway identity
* fix(push): tighten ios relay trust flow
* fix(push): bound APNs registration fields (#43369 ) (thanks @ngutman)
2026-03-12 18:15:35 +02:00
0bcb95e8fa
Models: enforce source-managed SecretRef markers in models.json ( #43759 )
...
Merged via squash.
Prepared head SHA: 4a065ef5d8
2026-03-12 02:22:52 -05:00
5e324cf785
docs(ollama): align onboarding guidance with code
2026-03-11 20:11:51 +00:00
7761e7626f
Providers: add Opencode Go support ( #42313 )
...
* feat(providers): add opencode-go provider support and onboarding
* Onboard: unify OpenCode auth handling openclaw#42313 thanks @ImLukeF
* Docs: merge OpenCode Zen and Go docs openclaw#42313 thanks @ImLukeF
* Update CHANGELOG.md
---------
Co-authored-by: Ubuntu <ubuntu@vps-90352893.vps.ovh.ca>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-03-11 01:31:06 -04:00
0125ce1f44
Gateway: fail closed unresolved local auth SecretRefs ( #42672 )
...
* Gateway: fail closed unresolved local auth SecretRefs
* Docs: align node-host gateway auth precedence
* CI: resolve rebase breakages in checks lanes
* Tests: isolate LOCAL_REMOTE_FALLBACK_TOKEN env state
* Gateway: remove stale remote.enabled auth-surface semantics
* Changelog: note gateway SecretRef fail-closed fix
2026-03-10 21:41:56 -05:00
daaf211e20
fix(node-host): fail closed on unbound interpreter approvals
2026-03-11 02:36:38 +00:00
8eac939417
fix(security): enforce target account configWrites
2026-03-11 01:24:36 +00:00
201420a7ee
fix: harden secret-file readers
2026-03-10 23:40:10 +00:00
a76e810193
fix(gateway): harden token fallback/reconnect behavior and docs ( #42507 )
...
* fix(gateway): harden token fallback and auth reconnect handling
* docs(gateway): clarify auth retry and token-drift recovery
* fix(gateway): tighten auth reconnect gating across clients
* fix: harden gateway token retry (#42507 ) (thanks @joshavant)
2026-03-10 17:05:57 -05:00
d30dc28b8c
Secrets: reject exec SecretRef traversal ids across schema/runtime/gateway ( #42370 )
...
* Secrets: harden exec SecretRef validation and reload LKG coverage
* Tests: harden exec fast-exit stdin regression case
* Tests: align lifecycle daemon test formatting with oxfmt 0.36
2026-03-10 13:45:37 -05:00
0687e04760
fix: thread runtime config through Discord/Telegram sends ( #42352 ) (thanks @joshavant) ( #42352 )
2026-03-10 13:30:57 -05:00
f0eb67923c
fix(secrets): resolve web tool SecretRefs atomically at runtime
2026-03-09 22:57:03 -05:00
d4e59a3666
Cron: enforce cron-owned delivery contract ( #40998 )
...
Merged via squash.
Prepared head SHA: 5877389e33
2026-03-09 20:12:37 +01:00
d3111fbbcb
fix: make browser relay bind address configurable ( #39364 ) (thanks @mvanhorn)
2026-03-08 19:15:21 +00:00
caf1b84822
feat: allow compaction model override via config ( #38753 )
...
Merged via squash.
Prepared head SHA: a3d6d6c845
2026-03-08 10:47:34 -07:00
b4c8950417
refactor: centralize talk silence timeout defaults
2026-03-08 14:58:29 +00:00
6ff7e8f42e
talk: add configurable silence timeout
2026-03-08 14:30:25 +00:00
59102a1ff7
fix: add gemini 3.1 flash-lite support
2026-03-08 05:12:48 +00:00
100da9f45c
fix: correct gemini flash model id
2026-03-08 02:32:58 +00:00
25252ab5ab
gateway: harden shared auth resolution across systemd, discord, and node host
2026-03-07 18:28:32 -06:00
5f8f58ae25
fix(gateway): require admin for chat config writes
2026-03-07 19:38:49 +00:00
729ee165ed
docs(gateway): clarify trusted operator HTTP endpoints
2026-03-07 18:48:17 +00:00
61273c072c
Docs: remove MDX-breaking secret markers
2026-03-07 10:09:00 -08:00
e4d80ed556
CI: restore main detect-secrets scan ( #38438 )
...
* Tests: stabilize detect-secrets fixtures
* Tests: fix rebased detect-secrets false positives
* Docs: keep snippets valid under detect-secrets
* Tests: finalize detect-secrets false-positive fixes
* Tests: reduce detect-secrets false positives
* Tests: keep detect-secrets pragmas inline
* Tests: remediate next detect-secrets batch
* Tests: tighten detect-secrets allowlists
* Tests: stabilize detect-secrets formatter drift
2026-03-07 10:06:35 -08:00
8e20dd22d8
Secrets: harden SecretRef-safe models.json persistence ( #38955 )
2026-03-07 11:28:39 -06:00
1dd4f92ea2
fix: default local onboarding tools profile to coding
2026-03-07 16:41:27 +00:00
6017b738b1
Web: add HEIC media regression and doc fix ( #38294 )
...
* Web: add HEIC media normalization regression
* Docs: list HEIC input_image MIME types
* Update src/web/media.test.ts
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
---------
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
2026-03-06 22:49:38 -05:00
42e3d8d693
Secrets: add inline allowlist review set ( #38314 )
...
* Secrets: add inline allowlist review set
* Secrets: narrow detect-secrets file exclusions
* Secrets: exclude Docker fingerprint false positive
* Secrets: allowlist test and docs false positives
* Secrets: refresh baseline after allowlist updates
* Secrets: fix gateway chat fixture pragma
* Secrets: format pre-commit config
* Android: keep talk mode fixture JSON valid
* Feishu: rely on client timeout injection
* Secrets: allowlist provider auth test fixtures
* Secrets: allowlist onboard search fixtures
* Secrets: allowlist onboard mode fixture
* Secrets: allowlist gateway auth mode fixture
* Secrets: allowlist APNS wake test key
* Secrets: allowlist gateway reload fixtures
* Secrets: allowlist moonshot video fixture
* Secrets: allowlist auto audio fixture
* Secrets: allowlist tiny audio fixture
* Secrets: allowlist embeddings fixtures
* Secrets: allowlist resolve fixtures
* Secrets: allowlist target registry pattern fixtures
* Secrets: allowlist gateway chat env fixture
* Secrets: refresh baseline after fixture allowlists
* Secrets: reapply gateway chat env allowlist
* Secrets: reapply gateway chat env allowlist
* Secrets: stabilize gateway chat env allowlist
* Secrets: allowlist runtime snapshot save fixture
* Secrets: allowlist oauth profile fixtures
* Secrets: allowlist compaction identifier fixture
* Secrets: allowlist model auth fixture
* Secrets: allowlist model status fixtures
* Secrets: allowlist custom onboarding fixture
* Secrets: allowlist mattermost token summary fixtures
* Secrets: allowlist gateway auth suite fixtures
* Secrets: allowlist channel summary fixture
* Secrets: allowlist provider usage auth fixtures
* Secrets: allowlist media proxy fixture
* Secrets: allowlist secrets audit fixtures
* Secrets: refresh baseline after final fixture allowlists
* Feishu: prefer explicit client timeout
* Feishu: test direct timeout precedence
2026-03-06 19:35:26 -05:00
03b9abab84
feat(compaction): make post-compaction context sections configurable ( #34556 )
...
Merged via squash.
Prepared head SHA: 491bb28544
2026-03-06 14:57:15 -08:00
042b2c867d
Docs: clarify main secret scan behavior
2026-03-06 14:41:23 -05:00
b529b7c6b7
Docs: update secret scan reproduction steps
2026-03-06 14:34:46 -05:00
Peter Steinberger
Josh Avant
Vincent Koc
George Zhang
Jealous
liyuan97
Nimrod Gutman
Luke
Mariano
GitBuck
dano does design
Efe Büken