48cbfdfac0
Hardening: require LINE webhook signatures ( #44090 )
...
* LINE: require webhook signatures in express handler
* LINE: require webhook signatures in node handler
* LINE: update express signature tests
* LINE: update node signature tests
* Changelog: note LINE webhook hardening
* LINE: validate signatures before parsing webhook bodies
* LINE: reject missing signatures before body reads
2026-03-12 10:50:36 -04:00
c965049dc6
fix(mattermost): pass mediaLocalRoots through reply delivery ( #44021 )
...
Merged via squash.
Prepared head SHA: 856f11f129
2026-03-12 20:13:51 +05:30
797b6fe614
ci: tighten cache docs and node22 gate
2026-03-12 20:07:44 +05:30
e1d054547e
ci: restore PR pnpm cache fallback
2026-03-12 20:07:44 +05:30
29b36f8e4a
ci: harden pnpm sticky cache on PRs
2026-03-12 20:07:44 +05:30
b0f717aa02
build: align Node 22 guidance with 22.16 minimum
2026-03-12 20:07:44 +05:30
0a8d2b6200
build: raise Node 22 compatibility floor to 22.16
2026-03-12 20:07:44 +05:30
deada7edd3
build: default to Node 24 and keep Node 22 compat
2026-03-12 20:07:44 +05:30
2f037f0930
Agents: adapt pi-ai oauth and payload hooks
2026-03-12 10:19:14 -04:00
f3be1c828c
fix(status): resolve context window by provider-qualified key, prefer max on bare-id collision, solve #35976 ( #36389 )
...
Merged via squash.
Prepared head SHA: f8cf752c59
2026-03-12 07:00:36 -07:00
ff47876e61
fix: carry observed overflow token counts into compaction ( #40357 )
...
Merged via squash.
Prepared head SHA: b99eed4329
2026-03-12 06:58:42 -07:00
f2e28fc30f
fix(telegram): allow fallback models in /model validation ( #40105 )
...
Merged via squash.
Prepared head SHA: de07585e03
2026-03-12 13:55:51 +01:00
171d2df9e0
feat(mattermost): add replyToMode support (off | first | all) ( #29587 )
...
Merged via squash.
Prepared head SHA: 4a67791f53
2026-03-12 18:03:12 +05:30
8e0e4f736a
docs: add Kubernetes install guide, setup script, and manifests ( #34492 )
...
* add docs and manifests for k8s install
Signed-off-by: sallyom <somalley@redhat.com>
* changelog
Signed-off-by: sallyom <somalley@redhat.com>
---------
Signed-off-by: sallyom <somalley@redhat.com>
2026-03-12 07:28:21 -04:00
4f620bebe5
fix(doctor): canonicalize gateway service entrypoint paths ( #43882 )
...
Merged via squash.
Prepared head SHA: 9f530d2a86
2026-03-12 12:39:22 +02:00
783a0d540f
fix: add zalouser outbound chunker
2026-03-12 15:47:12 +05:30
8582cb08b5
fix: stop main-session UI replies inheriting channel routes ( #43918 )
2026-03-12 15:39:34 +05:30
5acf6cae8e
fix: stop main-session UI replies inheriting channel routes
2026-03-12 15:39:34 +05:30
8ea79b64d0
fix: preserve sandbox write payload stdin ( #43876 )
...
Merged via squash.
Prepared head SHA: a10fd4b21c
2026-03-12 12:42:57 +03:00
f640326e31
fix(failover): add missing network errno patterns to text-based timeout classifier ( #42830 )
...
Merged via squash.
Prepared head SHA: 91761487e8
2026-03-12 12:34:44 +03:00
a6711afdc2
feat(zalouser): add markdown-to-Zalo text style parsing ( #43324 )
...
* feat(zalouser): add markdown-to-Zalo text style parsing
Parse markdown formatting (bold, italic, strikethrough, headings, lists,
code blocks, blockquotes, custom color/style tags) into Zalo native
TextStyle ranges so outbound messages render with rich formatting.
- Add text-styles.ts with parseZalouserTextStyles() converter
- Wire markdown mode into send pipeline (sendMessageZalouser)
- Export TextStyle enum and Style type from zca-client
- Add textMode/textStyles to ZaloSendOptions
- Pass textStyles through sendZaloTextMessage to zca-js API
- Enable textMode:"markdown" in outbound sendText/sendMedia and monitor
- Add comprehensive tests for parsing, send, and channel integration
* fix(zalouser): harden markdown text parsing
* fix(zalouser): mirror zca-js text style types
* fix(zalouser): support tilde fenced code blocks
* fix(zalouser): handle quoted fenced code blocks
* fix(zalouser): preserve literal quote lines in code fences
* fix(zalouser): support indented quoted fences
* fix(zalouser): preserve quoted markdown blocks
* fix(zalouser): rechunk formatted messages
* fix(zalouser): preserve markdown structure across chunks
* fix(zalouser): honor chunk limits and CRLF fences
2026-03-12 16:24:15 +07:00
7c889e7113
Refactor: trim duplicate gateway/onboarding helpers and dead utils ( #43871 )
...
* Gateway: share input provenance schema
* Onboarding: dedupe top-level channel patching
* Utils: remove unused path helpers
* Protocol: refresh generated gateway models
2026-03-12 05:04:31 -04:00
cb7b38105f
Merge remote-tracking branch 'origin/vincentkoc-code/fix-terminal-table-width'
...
* origin/vincentkoc-code/fix-terminal-table-width:
Terminal: consume unsupported escape bytes in tables
Skills: normalize emoji presentation across outputs
Changelog: note terminal skills table fixes
Skills: use Terminal-safe emoji in list output
Terminal: stop shrinking CLI tables by one column
Terminal: refine table wrapping and width handling
Update CHANGELOG.md
Deps: patch file-type and hono
Tests: cover emoji table alignment
Terminal: wrap table cells by grapheme width
Terminal: measure grapheme display width
Tests: cover grapheme terminal width
Changelog: add unreleased March 9 entries
# Conflicts:
# CHANGELOG.md
# package.json
# pnpm-lock.yaml
# src/cli/skills-cli.format.ts
# src/terminal/table.test.ts
2026-03-12 04:56:21 -04:00
1dfc35fc28
Merge branch 'vincentkoc-code/fix-terminal-table-width' of https://github.com/openclaw/openclaw into vincentkoc-code/fix-terminal-table-width
...
* 'vincentkoc-code/fix-terminal-table-width' of https://github.com/openclaw/openclaw :
Update CHANGELOG.md
2026-03-12 04:51:56 -04:00
62a71361a9
Docs: clarify llm-task thinking presets
2026-03-12 19:27:07 +11:00
46cb73da37
feat(ui): utilities, theming, and i18n updates (slice 2/3 of dashboard-v2) ( #41500 )
...
* feat(ui): add utilities, theming, and i18n updates (slice 2 of dashboard-v2)
UI utilities and theming improvements extracted from dashboard-v2-structure:
Icons & formatting:
- icons.ts: expanded icon set for new dashboard views
- format.ts: date/number formatting helpers
- tool-labels.ts: human-readable tool name mappings
Theming:
- theme.ts: enhanced theme resolution and system theme support
- theme-transition.ts: simplified transition logic
- storage.ts: theme parsing improvements for settings persistence
Navigation & types:
- navigation.ts: extended tab definitions for dashboard-v2
- app-view-state.ts: expanded view state management
- types.ts: new type definitions (HealthSummary, ModelCatalogEntry, etc.)
Components:
- components/dashboard-header.ts: reusable header component
i18n:
- Updated en, pt-BR, zh-CN, zh-TW locales with new dashboard strings
All changes are additive or backwards-compatible. Build passes.
Part of #36853 .
* ui: fix theme and locale review regressions
* ui: fix review follow-ups for dashboard tabs
* ui: allowlist locale password placeholder false positives
* ui: fix theme mode and locale regressions
* Vincentkoc code/pr 41500 route fix (#43829 )
* UI: keep unfinished settings routes hidden
* UI: normalize light theme data token
* UI: restore cron type compatibility
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-03-12 04:26:39 -04:00
658bd54ecf
feat(llm-task): add thinking override
...
Co-authored-by: Xaden Ryan <165437834+xadenryan@users.noreply.github.com>
2026-03-12 19:21:35 +11:00
f37815b323
Gateway: block profile mutations via browser.request ( #43800 )
...
* Gateway: block profile mutations via browser.request
* Changelog: note GHSA-vmhq browser request fix
* Gateway: normalize browser.request profile guard paths
2026-03-12 04:21:03 -04:00
46a332385d
Gateway: keep spawned workspace overrides internal ( #43801 )
...
* Gateway: keep spawned workspace overrides internal
* Changelog: note GHSA-2rqg agent boundary fix
* Gateway: persist spawned workspace inheritance in sessions
* Agents: clean failed lineage spawn state
* Tests: cover lineage attachment cleanup
* Tests: cover lineage thread cleanup
2026-03-12 04:20:00 -04:00
97683071b5
Tests: extend exec allowlist glob coverage
2026-03-12 04:01:49 -04:00
9aeaa19e9e
Agents: clear invalidated Kimi tool arg repair ( #43824 )
2026-03-12 03:53:06 -04:00
c5ea6134d0
feat(ui): add chat infrastructure modules (slice 1/3 of dashboard-v2) ( #41497 )
...
* feat(ui): add chat infrastructure modules (slice 1 of dashboard-v2)
New self-contained chat modules extracted from dashboard-v2-structure:
- chat/slash-commands.ts: slash command definitions and completions
- chat/slash-command-executor.ts: execute slash commands via gateway RPC
- chat/slash-command-executor.node.test.ts: test coverage
- chat/speech.ts: speech-to-text (STT) support
- chat/input-history.ts: per-session input history navigation
- chat/pinned-messages.ts: pinned message management
- chat/deleted-messages.ts: deleted message tracking
- chat/export.ts: shared exportChatMarkdown helper
- chat-export.ts: re-export shim for backwards compat
Gateway fix:
- Restore usage/cost stripping in chat.history sanitization
- Add test coverage for sanitization behavior
These modules are additive and tree-shaken — no existing code
imports them yet. They will be wired in subsequent slices.
* Update ui/src/ui/chat/export.ts
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
* fix(ui): address review feedback on chat infra slice
- export.ts: handle array content blocks (Claude API format) instead
of silently exporting empty strings
- slash-command-executor.ts: restrict /kill all to current session's
subagent subtree instead of all sessions globally
- slash-command-executor.ts: only count truly aborted runs (check
aborted !== false) in /kill summary
* fix: scope /kill <id> to current session subtree and preserve usage.cost in chat.history
- Restrict /kill <id> matching to only subagents belonging to the current
session's agent subtree (P1 review feedback)
- Preserve nested usage.cost in chat.history sanitization so cost badges
remain available (P2 review feedback)
* fix(ui): tighten slash kill scoping
* fix(ui): support legacy slash kill scopes
* fix(ci): repair pr branch checks
* Gateway: harden chat abort and export
* UI: align slash commands with session tree scope
* UI: resolve session aliases for slash command lookups
* Update .gitignore
* Cron: use shared nested lane resolver
---------
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-03-12 03:48:58 -04:00
ed0ec57a7b
fix: scope telegram polling restart to telegram errors ( #43799 )
...
* fix: scope telegram polling restart to telegram errors
* fix: make telegram error tagging best-effort
* fix: scope telegram polling restart to telegram errors (#43799 )
2026-03-12 13:14:17 +05:30
82e3ac21ee
Infra: tighten exec allowlist glob matching ( #43798 )
...
* Infra: tighten exec allowlist glob matching
* Changelog: note GHSA-f8r2 exec allowlist fix
2026-03-12 03:33:50 -04:00
d8ee97c466
Agents: recover malformed Anthropic-compatible tool call args ( #42835 )
...
* Agents: recover malformed anthropic tool call args
* Agents: add malformed tool call regression test
* Changelog: note Kimi tool call arg recovery
* Agents: repair toolcall end message snapshots
* Agents: narrow Kimi tool call arg repair
2026-03-12 03:28:22 -04:00
4dfd8eea90
BlueBubbles: require confirmed outbound for self-chat cache
2026-03-12 03:22:57 -04:00
0bcb95e8fa
Models: enforce source-managed SecretRef markers in models.json ( #43759 )
...
Merged via squash.
Prepared head SHA: 4a065ef5d8
2026-03-12 02:22:52 -05:00
e8a162d3d8
fix(mattermost): prevent duplicate messages when block streaming + threading are active ( #41362 )
...
* fix(mattermost): prevent duplicate messages when block streaming + threading are active
Remove replyToId from createBlockReplyPayloadKey so identical content is
deduplicated regardless of threading target. Add explicit threading dock
to the Mattermost plugin with resolveReplyToMode reading from config
(default "all"), and add replyToMode to the Mattermost config schema.
Fixes #41219
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(mattermost): address PR review — per-account replyToMode and test clarity
Read replyToMode from the merged per-account config via
resolveMattermostAccount so account-level overrides are honored in
multi-account setups. Add replyToMode to MattermostAccountConfig type.
Rename misleading test to clarify it exercises shouldDropFinalPayloads
short-circuit, not payload key dedup.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Replies: keep block-pipeline reply targets distinct
* Tests: cover block reply target-aware dedupe
* Update CHANGELOG.md
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-03-12 03:15:17 -04:00
241e8cc553
fix(bluebubbles): dedupe reflected self-chat duplicates ( #38442 )
...
* BlueBubbles: drop reflected self-chat duplicates
* Changelog: add BlueBubbles self-chat echo dedupe entry
* BlueBubbles: gate self-chat cache and expand coverage
* BlueBubbles: require explicit sender ids for self-chat dedupe
* BlueBubbles: harden self-chat cache
* BlueBubbles: move self-chat cache identity into cache
* BlueBubbles: gate self-chat cache to confirmed outbound sends
* Update CHANGELOG.md
* BlueBubbles: bound self-chat cache input work
* Tests: cover BlueBubbles cache cap under cleanup throttle
* BlueBubbles: canonicalize self-chat DM scope
* Tests: cover BlueBubbles mixed self-chat scope aliases
2026-03-12 03:11:43 -04:00
6c196c913f
fix(cron): prevent duplicate proactive delivery on transient retry ( #40646 )
...
* fix(cron): prevent duplicate proactive delivery on transient retry
* refactor: scope skipQueue to retryTransient path only
Non-retrying direct delivery (structured content / thread) keeps the
write-ahead queue so recoverPendingDeliveries can replay after a crash.
Addresses review feedback from codex-connector.
* fix: preserve write-ahead queue on initial delivery attempt
The first call through retryTransientDirectCronDelivery now keeps the
write-ahead queue entry so recoverPendingDeliveries can replay after a
crash. Only subsequent retry attempts set skipQueue to prevent
duplicate sends.
Addresses second codex-connector review on ea5ae5c.
* ci: retrigger checks
* Cron: bypass write-ahead queue for direct isolated delivery
* Tests: assert isolated cron skipQueue invariants
* Changelog: add cron duplicate-delivery fix entry
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-03-12 03:01:19 -04:00
f3c00fce15
fix: prevent duplicate assistant messages in TUI ( fixes #35278 ) ( #35364 )
...
* fix: prevent duplicate assistant messages in TUI (fixes #35278 )
When startAssistant() is called multiple times with the same runId,
it was creating duplicate AssistantMessageComponent instances instead
of reusing the existing one. This caused messages to appear twice in
the terminal UI.
The fix checks if a component already exists for the runId before
creating a new one. If it exists, we update its text instead of
appending a duplicate component.
Test coverage includes verification that:
- Only one component is created when startAssistant is called twice
- The second text replaces the first
- Component count remains 1 (prevents regression)
Generated with [Claude Code](https://claude.ai/code )
via [Happy](https://happy.engineering )
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
* Changelog: add TUI duplicate-render fix entry
---------
Co-authored-by: 沐沐 <mumu@example.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Happy <yesreply@happy.engineering>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-03-12 02:59:42 -04:00
99ec687d7a
fix(agents): enforce sandboxed session_status visibility ( #43754 )
...
* agents: guard sandboxed session_status access
* test(agents): cover sandboxed session_status scope
* docs(changelog): credit session_status hardening
* agents: preflight sandboxed session_status checks
* test(agents): cover session_status existence oracle
* agents: preserve legacy session_status tree keys
* test(agents): cover legacy session_status tree keys
* Update CHANGELOG.md
2026-03-12 02:54:25 -04:00
12dc299cde
fix(imessage): dedupe reflected self-chat duplicates ( #38440 )
...
* iMessage: drop reflected self-chat duplicates
* Changelog: add iMessage self-chat echo dedupe entry
* iMessage: keep self-chat dedupe scoped to final group identity
* iMessage: harden self-chat cache
* iMessage: sanitize self-chat duplicate logs
* iMessage: scope group self-chat dedupe by sender
* iMessage: move self-chat cache identity into cache
* iMessage: hash full self-chat text
* Update CHANGELOG.md
2026-03-12 02:27:35 -04:00
8baf55d8ed
Changelog: note Reminders permission fix
2026-03-12 17:01:42 +11:00
cee8717020
fix(macos): add NSRemindersUsageDescription for apple-reminders skill
...
Fixes #5090
Without this plist key, macOS silently denies Reminders access when
running through OpenClaw.app, preventing the apple-reminders skill
from requesting permission.
(cherry picked from commit e5774471c8
2026-03-12 17:01:38 +11:00
f7416da905
style: format changelog
2026-03-12 11:28:27 +05:30
d8d8dc7421
Infra: fail closed without device scope baseline
2026-03-12 01:42:12 -04:00
276ee259ca
Tests: clean up temp git helper directory
2026-03-12 01:42:12 -04:00
99a5a3c16a
Update CHANGELOG.md
2026-03-12 01:37:33 -04:00
672924b01e
Update CHANGELOG.md
2026-03-12 01:36:16 -04:00
Vincent Koc
Lyle
Altay
0x4C33
rabsef-bicrym
avirweb
Teconomix
Sally O'Malley
Nimrod Gutman
Ayaan Zaidi
glitch
jnMetaCode
darkamenosa
Luke
Val Alexander
Xaden Ryan
Josh Avant
Mathias Nagler
wangchunyue(王春跃)
lisitan
Luke
Dinakar Sarbada