41cc46bbb4
feat(diagnostics): add configurable stuck-session warning threshold
2026-03-02 00:07:29 +00:00
d729ab2150
fix(session): harden usage accounting and memory flush recovery
2026-03-02 00:07:29 +00:00
a62d55b283
test(discord): cover DM command decision flow
2026-03-02 00:00:05 +00:00
75596e9370
refactor(discord): unify DM command auth handling
2026-03-02 00:00:05 +00:00
12c1257023
fix(acpx): share windows wrapper resolver and add strict hardening mode
2026-03-01 23:57:06 +00:00
881ac62005
test(discord): stabilize model picker timeout assertions
2026-03-01 23:53:07 +00:00
ee03ade0d6
fix(agents): harden tool-name normalization and transcript repair
...
Landed from contributor PRs #30620 and #30735 by @Sid-Qin, plus #30881 by @liuxiaopai-ai.
Co-authored-by: SidQin-cyber <sidqin0410@gmail.com>
Co-authored-by: liuxiaopai-ai <73659136+liuxiaopai-ai@users.noreply.github.com>
2026-03-01 23:51:54 +00:00
50e2674dfc
fix(discord): unify dm command auth gating
2026-03-01 23:50:24 +00:00
577becf1ad
fix(plugins): prioritize bundled duplicates in auto-discovery
...
Landed from contributor PR #29710 by @Sid-Qin.
Co-authored-by: SidQin-cyber <sidqin0410@gmail.com>
2026-03-01 23:48:30 +00:00
5056b6438d
fix(discord): harden reconnect recovery and preserve message delivery
...
Landed from contributor PR #29508 by @cgdusek.
Co-authored-by: Charles Dusek <cgdusek@gmail.com>
2026-03-01 23:46:07 +00:00
23f434f98d
fix(skills): constrain plugin skill paths
2026-03-01 23:45:41 +00:00
4614222572
fix(skills): validate installer metadata specs
2026-03-01 23:45:41 +00:00
577f2fa540
fix(docker): harden /app/extensions permissions to 755 ( #30191 )
...
* fix(docker): harden /app/extensions permissions to 755
Bundled extension directories shipped as world-writable (mode 777)
in the Docker image. The plugin security scanner blocks any world-
writable path with:
WARN: blocked plugin candidate: world-writable path
(/app/extensions/memory-core, mode=777)
Add chmod -R 755 /app/extensions in the final USER root RUN step so
all bundled extensions are readable but not world-writable. This runs
as root before switching back to the node user, matching the pattern
already used for chmod 755 /app/openclaw.mjs.
Fixes #30139
* fix(docker): normalize plugin and agent path permissions
* docs(changelog): add docker permissions entry for #30191
* Update CHANGELOG.md
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-03-01 15:45:21 -08:00
13bb80df9d
fix(agents): land #20840 cross-channel message-tool actions from @altaywtf
...
Include scoped cross-channel action/description behavior, regression tests, changelog note, and make Ollama discovery tests URL-scoped to avoid env-dependent fetch interference.
Co-authored-by: Altay <altay@hey.com>
2026-03-01 23:37:55 +00:00
6a80e9db05
fix(browser): harden writable output paths
2026-03-01 23:25:13 +00:00
b99666a47a
fix(security): harden inbound metadata sentinel stripping
2026-03-01 23:11:48 +00:00
8e48520d74
fix(channels): align command-body parsing sources
2026-03-01 23:11:48 +00:00
4c43fccb3e
feat(agents): use structured internal completion events
2026-03-01 23:11:48 +00:00
738dd9aa42
fix(agents): type openai websocket warmup passthrough
2026-03-01 23:10:08 +00:00
0f5348acb2
test(config): reject discord open DM with empty allowFrom
2026-03-01 23:08:37 +00:00
d1615eb35f
feat(openai): add websocket warm-up with configurable toggle
2026-03-01 22:45:03 +00:00
bc9f357ad7
test: fix fetch mock typing casts
2026-03-01 22:44:28 +00:00
002539c01e
fix(security): harden sandbox novnc observer flow
2026-03-01 22:44:28 +00:00
4ab13eca4d
test(agents): port OpenAI websocket coverage from #24911
...
Co-authored-by: Jonathan Jing <achillesjing@gmail.com>
2026-03-01 22:38:56 +00:00
eee870576d
doctor: warn on macOS cloud-synced state directories ( #31004 )
...
* Doctor: detect macOS cloud-synced state directories
* Doctor tests: cover cloud-synced macOS state detection
* Docs: note cloud-synced state warning in doctor guide
* Docs: recommend local macOS state dir placement
* Changelog: add macOS cloud-synced state dir warning
* Changelog: credit macOS cloud state warning PR
* Doctor state: anchor cloud-sync roots to macOS home
* Doctor tests: cover OPENCLAW_HOME cloud-sync override
* Doctor state: prefer resolved target for cloud detection
* Doctor tests: cover local-target cloud symlink case
2026-03-01 14:35:46 -08:00
063c4f00ea
docs: clarify Anthropic context1m long-context requirements
2026-03-01 22:35:26 +00:00
8da86f6995
chore(changelog): note openai websocket-first streaming
2026-03-01 22:33:21 +00:00
7ced38b5ef
feat(agents): make openai responses websocket-first with fallback
2026-03-01 22:32:37 +00:00
38da2d076c
CLI: add root --help fast path and lazy channel option resolution ( #30975 )
...
* CLI argv: add strict root help invocation guard
* Entry: add root help fast-path bootstrap bypass
* CLI context: lazily resolve channel options
* CLI context tests: cover lazy channel option resolution
* CLI argv tests: cover root help invocation detection
* Changelog: note additional startup path optimizations
* Changelog: split startup follow-up into #30975 entry
* CLI channel options: load precomputed startup metadata
* CLI channel options tests: cover precomputed metadata path
* Build: generate CLI startup metadata during build
* Build script: invoke CLI startup metadata generator
* CLI routes: preload plugins for routed health
* CLI routes tests: assert health plugin preload
* CLI: add experimental bundled entry and snapshot helper
* Tools: compare CLI startup entries in benchmark script
* Docs: add startup tuning notes for Pi and VM hosts
* CLI: drop bundled entry runtime toggle
* Build: remove bundled and snapshot scripts
* Tools: remove bundled-entry benchmark shortcut
* Docs: remove bundled startup bench examples
* Docs: remove Pi bundled entry mention
* Docs: remove VM bundled entry mention
* Changelog: remove bundled startup follow-up claims
* Build: remove snapshot helper script
* Build: remove CLI bundle tsdown config
* Doctor: add low-power startup optimization hints
* Doctor: run startup optimization hint checks
* Doctor tests: cover startup optimization host targeting
* Doctor tests: mock startup optimization note export
* CLI argv: require strict root-only help fast path
* CLI argv tests: cover mixed root-help invocations
* CLI channel options: merge metadata with runtime catalog
* CLI channel options tests: assert dynamic catalog merge
* Changelog: align #30975 startup follow-up scope
* Docs tests: remove secondary-entry startup bench note
* Docs Pi: add systemd recovery reference link
* Docs VPS: add systemd recovery reference link
2026-03-01 14:23:46 -08:00
dcd19da425
refactor: simplify sandbox boundary open flow
2026-03-01 21:49:42 +00:00
3be1343e00
fix: tighten sandbox mkdirp boundary checks ( #30610 ) (thanks @glitch418x)
2026-03-01 21:41:47 +00:00
687f5779d1
sandbox: allow directory boundary checks for mkdirp
2026-03-01 21:41:47 +00:00
4fc7ecf088
ACP: force sessions_spawn as the only harness thread creation path ( #30957 )
...
* ACP: enforce sessions_spawn-only thread creation for harness spawns
* skills(acpx): require acp-router preflight for ACP thread spawns
* fix: enforce ACP thread spawn via sessions_spawn only (#30957 ) (thanks @dutifulbob)
---------
Co-authored-by: Onur <2453968+osolmaz@users.noreply.github.com>
2026-03-01 22:41:06 +01:00
e4d22fb07a
fix(browser): fail closed browser auth bootstrap
2026-03-01 21:40:16 +00:00
3a93a7bb1e
fix(security): enforce auth for abort triggers and models
2026-03-01 21:30:07 +00:00
c89836a251
test: harden flaky timeout and resolver specs
2026-03-01 21:30:07 +00:00
c1428e8df9
fix(gateway): prevent /api/* routes from returning SPA HTML when basePath is empty ( #30333 )
...
Merged via squash.
Prepared head SHA: 12591f304e
2026-03-01 22:23:54 +01:00
e6049345db
fix(telegram): preserve HTTP proxy env in global dispatcher workaround ( #29940 )
...
* fix(telegram): preserve HTTP proxy env in global dispatcher workaround
* telegram: document request-scoped proxy dispatcher constraint
* telegram: assert proxy path never mutates global dispatcher
* changelog: credit telegram proxy env regression fix
---------
Co-authored-by: Rylen Anil <rylen.anil@gmail.com>
2026-03-01 13:21:01 -08:00
79f818e8a2
Status scan: guard deferred promise rejections
2026-03-01 12:56:56 -08:00
125ea585dd
CLI routes tests: assert status plugin preload
2026-03-01 12:56:56 -08:00
266084f4c8
CLI routes: preload plugins for status security parity
2026-03-01 12:56:56 -08:00
23c6e9836e
Status scan: overlap non-JSON async checks
2026-03-01 12:56:56 -08:00
8c4071f36a
Entry: enable Node compile cache on startup
2026-03-01 12:56:56 -08:00
e4b4fd5ce8
Entry: avoid top-level return in version fast-path
2026-03-01 12:56:56 -08:00
7aa9267d00
Status scan: fix JSON channels result typing
2026-03-01 12:56:56 -08:00
ba0aa3cfae
Status scan: add parallel JSON fast path
2026-03-01 12:56:56 -08:00
b0a73ae773
Status command: parallelize JSON security audit
2026-03-01 12:56:56 -08:00
07da843378
CLI argv: test root version fast-path detection
2026-03-01 12:56:56 -08:00
153adc4c8f
Entry: fast-path root version command
2026-03-01 12:56:56 -08:00
86a91cc01a
CLI argv: detect root-only version invocation
2026-03-01 12:56:56 -08:00
Peter Steinberger
edincampara
Agent
Vincent Koc
glitch418x
Bob
Sid