c79ade10e6
docs(plugins): add capability cookbook
2026-03-16 22:58:55 -07:00
cc88b4a72d
Commands: add /plugins chat command ( #48765 )
...
* Tests: stabilize MCP config merge follow-ups
* Commands: add /plugins chat command
* Docs: add /plugins slash command guide
2026-03-16 22:57:44 -07:00
f2bd76cd1a
refactor: finalize plugin sdk legacy boundary cleanup
2026-03-16 22:51:46 -07:00
2bbf33a9ec
docs(plugins): add multi-capability ownership example
2026-03-16 22:21:18 -07:00
06459ca0df
Agents: run bundle MCP tools in embedded Pi ( #48611 )
...
* Agents: run bundle MCP tools in embedded Pi
* Plugins: fix bundle MCP path resolution
* Plugins: warn on unsupported bundle MCP transports
* Commands: add embedded Pi MCP management
* Config: move MCP management to top-level config
2026-03-16 21:46:05 -07:00
4bba2888e7
feat(plugins): add web search runtime capability
2026-03-16 21:31:00 -07:00
afc0172cb1
docs(plugins): add capability checklist template
2026-03-16 21:13:52 -07:00
71a79bdf5c
docs(plugins): document media understanding runtime
2026-03-16 20:58:34 -07:00
3566e88c08
docs(plugins): document media capability ownership
2026-03-16 20:42:08 -07:00
14907d3de0
docs(plugins): note richer voice metadata
2026-03-16 20:27:34 -07:00
5602973b5d
docs(plugins): add capability contract example
2026-03-16 20:24:13 -07:00
ed248c76c7
docs(plugins): document speech runtime ownership
2026-03-16 20:01:24 -07:00
6da9ba3267
docs(plugins): document capability ownership model
2026-03-16 18:50:09 -07:00
1f1a93a1dc
Docs: document deferred channel startup opt-in
2026-03-16 14:03:25 +00:00
7deb543624
Browser: support non-Chrome existing-session profiles via userDataDir ( #48170 )
...
Merged via squash.
Prepared head SHA: e490035a24
2026-03-16 14:21:22 +01:00
3832f938fd
Docs: use placeholders for marketplace plugin examples
2026-03-16 02:09:20 -07:00
d896d8e0cd
Docs: add Claude marketplace plugin install guidance
2026-03-16 02:04:05 -07:00
7e74adef91
refactor: shrink public channel plugin sdk surfaces
2026-03-16 01:34:22 -07:00
b3025e6d8e
refactor(plugin-sdk): clean shared core imports
2026-03-16 00:25:32 -07:00
476d948732
!refactor(browser): remove Chrome extension path and add MCP doctor migration ( #47893 )
...
* Browser: replace extension path with Chrome MCP
* Browser: clarify relay stub and doctor checks
* Docs: mark browser MCP migration as breaking
* Browser: reject unsupported profile drivers
* Browser: accept clawd alias on profile create
* Doctor: narrow legacy browser driver migration
2026-03-15 23:56:08 -07:00
ae60094fb5
refactor(plugins): move onboarding auth metadata to manifests
2026-03-15 23:47:16 -07:00
ddd34b6cc3
refactor(plugins): simplify provider auth choice metadata
2026-03-15 23:01:12 -07:00
f9e185887f
docs: restore onboard docs references
2026-03-16 05:50:57 +00:00
e627a5069f
refactor(plugins): move auth profile hooks into providers
2026-03-15 22:23:55 -07:00
823039c000
docs: prefer setup wizard command
2026-03-15 22:01:04 -07:00
7a6be3d531
refactor(plugins): move auth and model policy to providers
2026-03-15 21:52:29 -07:00
5287ae3c06
docs: update setup wizard wording
2026-03-15 21:40:31 -07:00
c4a5fd8465
docs: update channel setup wording
2026-03-15 21:07:18 -07:00
a33caab280
refactor(plugins): move auth and model policy to providers
2026-03-15 20:59:06 -07:00
dfc237c319
docs: update channel setup docs
2026-03-15 20:44:26 -07:00
aa28d1c711
feat: add firecrawl onboarding search plugin
2026-03-16 03:38:58 +00:00
8ab01c5c93
refactor(core): land plugin auth and startup cleanup
2026-03-15 20:12:37 -07:00
acae0b60c2
perf(plugins): lazy-load channel setup entrypoints
2026-03-15 19:27:55 -07:00
47a9c1a893
refactor: merge minimax bundled plugins
2026-03-16 02:26:45 +00:00
fb991e6f31
perf(plugins): lazy-load setup surfaces
2026-03-15 18:46:54 -07:00
26a8aee01c
refactor: drop channel onboarding fallback
2026-03-15 18:24:39 -07:00
b54e37c71f
feat(plugins): merge openai vendor seams into one plugin
2026-03-15 18:20:52 -07:00
bc5054ce68
refactor(google): merge gemini auth into google plugin
2026-03-16 01:19:32 +00:00
ee7ecb2dd4
feat(plugins): move anthropic and openai vendors to plugins
2026-03-15 17:07:28 -07:00
e42d86afa9
docs: document richer setup wizard prompts
2026-03-15 17:06:42 -07:00
c05cfccc17
docs(plugins): document provider runtime usage hooks
2026-03-15 16:57:32 -07:00
c3ed3ba310
docs: update setup wizard capabilities
2026-03-15 16:48:43 -07:00
d040d48af4
docs: describe channel setup wizard surface
2026-03-15 16:26:09 -07:00
4adcfa3256
feat(plugins): move provider runtimes into bundled plugins
2026-03-15 16:09:40 -07:00
dd40741e18
feat(plugins): add compatible bundle support
2026-03-15 16:08:50 -07:00
4a0f72866b
feat(plugins): move provider runtimes into bundled plugins
2026-03-15 15:18:32 -07:00
a472f988d8
fix: harden remote cdp probes
2026-03-15 08:23:01 -07:00
e3b7ff2f1f
Docs: fix MDX markers blocking page refreshes ( #46695 )
...
Merged via squash.
Prepared head SHA: 56b25a9fb3
2026-03-15 02:58:59 +01:00
3704293e6f
browser: drop headless/remote MCP attach modes, simplify existing-session to autoConnect-only ( #46628 )
2026-03-14 15:54:22 -07:00
b1d8737017
browser: drop chrome-relay auto-creation, simplify to user profile only ( #46596 )
...
Merged via squash.
Prepared head SHA: 74becc8f7d
2026-03-14 15:40:02 -07:00
173fe3cb54
feat(browser): add headless existing-session MCP support esp for Linux/Docker/VPS ( #45769 )
...
* fix(browser): prefer managed default profile in headless mode
* test(browser): cover headless default profile fallback
* feat(browser): support headless MCP profile resolution
* feat(browser): add headless and target-url Chrome MCP modes
* feat(browser): allow MCP target URLs in profile creation
* docs(browser): document headless MCP existing-session flows
* fix(browser): restore playwright browser act helpers
* fix(browser): preserve strict selector actions
* docs(changelog): add existing-session MCP note
2026-03-14 14:59:30 -07:00
133cce23ce
fix(btw): stop persisting side questions ( #46328 )
...
* fix(btw): stop persisting side questions
* docs(btw): document side-question behavior
2026-03-14 19:01:13 +02:00
9aac55d306
Add /btw side questions ( #45444 )
...
* feat(agent): add /btw side questions
* fix(agent): gate and log /btw reviews
* feat(btw): isolate side-question delivery
* test(reply): update route reply runtime mocks
* fix(btw): complete side-result delivery across clients
* fix(gateway): handle streamed btw side results
* fix(telegram): unblock btw side questions
* fix(reply): make external btw replies explicit
* fix(chat): keep btw side results ephemeral in internal history
* fix(btw): address remaining review feedback
* fix(chat): preserve btw history on mobile refresh
* fix(acp): keep btw replies out of prompt history
* refactor(btw): narrow side questions to live channels
* fix(btw): preserve channel typing indicators
* fix(btw): keep side questions isolated in chat
* fix(outbound): restore typed channel send deps
* fix(btw): avoid blocking replies on transcript persistence
* fix(btw): keep side questions fast
* docs(commands): document btw slash command
* docs(changelog): add btw side questions entry
* test(outbound): align session transcript mocks
2026-03-14 17:27:54 +02:00
b6d1d0d72d
fix(browser): prefer user profile over chrome relay
2026-03-14 04:15:34 +00:00
5c40c1c78a
fix(browser): add browser session selection
2026-03-14 03:46:44 +00:00
4357cf4e37
fix: harden browser existing-session flows
2026-03-13 23:56:48 +00:00
593964560b
feat(browser): add chrome MCP existing-session support
2026-03-13 20:10:08 +00:00
fc408bba37
Fix incorrect rendering of brave costs in docs ( #44989 )
...
Merged via squash.
Prepared head SHA: 8c69de8222
2026-03-13 21:37:39 +03:00
3cf06f7939
docs(plugins): clarify workspace shadowing
2026-03-13 13:15:46 +00:00
2f03de029c
fix(node-host): harden pnpm approval binding
2026-03-13 12:59:55 +00:00
c80da4e72f
refactor: validate provider plugin metadata
2026-03-13 01:19:35 +00:00
35aafd7ca8
feat: add Anthropic fast mode support
2026-03-12 23:39:03 +00:00
d5bffcdeab
feat: add fast mode toggle for OpenAI models
2026-03-12 23:31:31 +00:00
319766639a
docs: explain plugin architecture
2026-03-12 22:24:35 +00:00
46f0bfc55b
Gateway: harden custom session-store discovery ( #44176 )
...
Merged via squash.
Prepared head SHA: 52ebbf5188
2026-03-12 16:44:46 +00:00
62a71361a9
Docs: clarify llm-task thinking presets
2026-03-12 19:27:07 +11:00
658bd54ecf
feat(llm-task): add thinking override
...
Co-authored-by: Xaden Ryan <165437834+xadenryan@users.noreply.github.com>
2026-03-12 19:21:35 +11:00
daaf211e20
fix(node-host): fail closed on unbound interpreter approvals
2026-03-11 02:36:38 +00:00
aad014c7c1
fix: harden subagent control boundaries
2026-03-11 01:44:38 +00:00
8eac939417
fix(security): enforce target account configWrites
2026-03-11 01:24:36 +00:00
466cc816a8
docs(acp): document resumeSessionId for session resume ( #42280 )
...
* docs(acp): document resumeSessionId for session resume
* docs: clarify ACP resumeSessionId thread/mode behavior (#42280 ) (thanks @pejmanjohn)
---------
Co-authored-by: Onur <onur@textcortex.com>
2026-03-10 18:06:09 +01:00
f0eb67923c
fix(secrets): resolve web tool SecretRefs atomically at runtime
2026-03-09 22:57:03 -05:00
de49a8b72c
Telegram: exec approvals for OpenCode/Codex ( #37233 )
...
Merged via squash.
Prepared head SHA: f243379094
2026-03-09 23:04:35 -04:00
0c7f07818f
acp: add regression coverage and smoke-test docs ( #41456 )
...
Merged via squash.
Prepared head SHA: 514d587352
2026-03-09 22:40:14 +01:00
adec8b28bb
alphabetize web search providers ( #40259 )
...
Merged via squash.
Prepared head SHA: be6350e5ae
2026-03-09 08:54:54 +05:30
9d467d1620
docs: add WSL2 + Windows remote Chrome CDP troubleshooting ( #39407 ) (thanks @Owlock)
2026-03-08 19:21:42 +00:00
d3111fbbcb
fix: make browser relay bind address configurable ( #39364 ) (thanks @mvanhorn)
2026-03-08 19:15:21 +00:00
f9c220e261
test+docs: comprehensive coverage and generic framing
...
- Add 12 new tests covering: isWebSocketUrl detection, parseHttpUrl WSS
acceptance/rejection, direct WS target creation with query params,
SSRF enforcement on WS URLs, WS reachability probing bypasses HTTP
- Reframe docs section as generic "Direct WebSocket CDP providers" with
Browserbase as one example — any WSS-based provider works
- Update security tips to mention WSS alongside HTTPS
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-08 18:48:10 +00:00
75602014db
feat(browser): support direct WebSocket CDP URLs for Browserbase
...
Browserbase uses direct WebSocket connections (wss://) rather than the
standard HTTP-based /json/version CDP discovery flow used by Browserless.
This change teaches the browser tool to accept ws:// and wss:// URLs as
cdpUrl values: when a WebSocket URL is detected, OpenClaw connects
directly instead of attempting HTTP discovery.
Changes:
- config.ts: accept ws:// and wss:// in cdpUrl validation
- cdp.helpers.ts: add isWebSocketUrl() helper
- cdp.ts: skip /json/version when cdpUrl is already a WebSocket URL
- chrome.ts: probe WSS endpoints via WebSocket handshake instead of HTTP
- cdp.test.ts: add test for direct WebSocket target creation
- docs/tools/browser.md: update Browserbase section with correct URL
format and notes
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-08 18:48:10 +00:00
3cf75f760c
docs: simplify Browserbase section, drop pricing details
...
Restore platform-level feature description (CAPTCHA solving, stealth
mode, proxies) without plan-specific pricing gating. Keep free tier
note brief.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-08 18:48:10 +00:00
ae39a152d8
docs: fact-check Browserbase section against official docs
...
- Fix CAPTCHA/stealth/proxy claims: these are Developer plan+ only,
not available on free tier
- Fix free tier limits: 1 browser hour, 15-min session duration
(not "60 minutes of monthly usage")
- Add link to pricing page for paid plan details
- Simplify structure to match Browserless section format
- Remove sub-headings to match Browserless section style
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-08 18:48:10 +00:00
efa1204183
docs: restore direct wss://connect.browserbase.com URL
...
Browserbase exposes a direct WebSocket connect endpoint that
auto-creates a session, similar to how Browserless works. Simplified
the section to use this static URL pattern instead of requiring
manual session creation via the API.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-08 18:48:10 +00:00
9a4610c641
docs: fix Browserbase section to match official docs
...
Browserbase requires creating a session via their API to get a CDP
connect URL, unlike Browserless which uses a static endpoint. Updated
to show the correct curl-based session creation flow, removed
unverified static WebSocket URL, and added the 5-minute connect
timeout note from official docs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-08 18:48:10 +00:00
c0a988f692
docs: fix duplicate heading lint error
...
Rename "Configuration" sub-heading to "Profile setup" to avoid
MD024/no-duplicate-heading conflict with the existing top-level
"Configuration" heading.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-08 18:48:10 +00:00
641e1bacb4
docs: add Browserbase as hosted remote CDP option
...
Add Browserbase documentation section alongside the existing Browserless
section in the browser docs. Includes signup instructions, CDP connection
configuration, and environment variable setup.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-08 18:48:10 +00:00
0252bdc837
Revert "docs: add Browserbase as hosted remote CDP option"
...
This reverts commit c469657c97848c7a3e1e5135bf4ce735d07d6614.
2026-03-08 18:48:10 +00:00
885199dcaa
docs: add Browserbase as hosted remote CDP option
...
Add Browserbase documentation section alongside the existing Browserless
section in the browser docs. Includes signup instructions, CDP connection
configuration, and environment variable setup for both English and Chinese
(zh-CN) translations.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-08 18:48:10 +00:00
55465d86d9
Docs: use placeholder OpenRouter key in web tool docs
2026-03-08 11:16:03 -07:00
2970d72554
docs: update Brave Search API docs for Feb 2026 plan restructuring ( #40111 )
...
Merged via squash.
Prepared head SHA: c651f07855
2026-03-08 14:06:21 -04:00
28e46d04e5
fix(web-search): restore OpenRouter compatibility for Perplexity ( #39937 ) ( #39937 )
2026-03-08 20:37:54 +05:30
6dadfaa18c
docs: use alphabetical provider ordering
2026-03-08 14:10:36 +00:00
acac7e3132
fix: land Brave llm-context gaps ( #33383 ) (thanks @thirumaleshp)
2026-03-08 13:57:12 +00:00
61000b8e4d
fix(acp): block sandboxed slash spawns
2026-03-08 00:23:07 +00:00
c76d29208b
fix(node-host): bind approved script operands
2026-03-07 23:04:00 +00:00
be9ea991de
fix(discord): avoid native plugin command collisions
2026-03-07 21:59:44 +00:00
ac86deccee
fix(gateway): harden plugin HTTP route auth
2026-03-07 19:55:06 +00:00
253e159700
fix: harden workspace skill path containment
2026-03-07 18:56:15 +00:00
f966dde476
tests: fix detect-secrets false positives ( #39084 )
...
* Tests: rename gateway status env token fixture
* Tests: allowlist feishu onboarding fixtures
* Tests: allowlist Google Chat private key fixture
* Docs: allowlist Brave API key example
* Tests: allowlist pairing password env fixtures
* Chore: refresh detect-secrets baseline
2026-03-07 13:21:29 -05:00
5290d97574
Docs: fix web tools MDX links
2026-03-07 10:15:22 -08:00
61273c072c
Docs: remove MDX-breaking secret markers
2026-03-07 10:09:00 -08:00
e4d80ed556
CI: restore main detect-secrets scan ( #38438 )
...
* Tests: stabilize detect-secrets fixtures
* Tests: fix rebased detect-secrets false positives
* Docs: keep snippets valid under detect-secrets
* Tests: finalize detect-secrets false-positive fixes
* Tests: reduce detect-secrets false positives
* Tests: keep detect-secrets pragmas inline
* Tests: remediate next detect-secrets batch
* Tests: tighten detect-secrets allowlists
* Tests: stabilize detect-secrets formatter drift
2026-03-07 10:06:35 -08:00
3d7bc5958d
feat(onboarding): add web search to onboarding flow ( #34009 )
...
* add web search to onboarding flow
* remove post onboarding step (now redundant)
* post-onboarding nudge if no web search set up
* address comments
* fix test mocking
* add enabled: false assertion to the no-key test
* --skip-search cli flag
* use provider that a user has a key for
* add assertions, replace the duplicated switch blocks
* test for quickstart fast-path with existing config key
* address comments
* cover quickstart falls through to key test
* bring back key source
* normalize secret inputs instead of direct string trimming
* preserve enabled: false if it's already set
* handle missing API keys in flow
* doc updates
* hasExistingKey to detect both plaintext strings and SecretRef objects
* preserve enabled state only on the "keep current" paths
* add test for preserving
* better gate flows
* guard against invalid provider values in config
* Update src/commands/configure.wizard.ts
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
* format fix
* only mentions env var when it's actually available
* search apiKey fields now typed as SecretInput
* if no provider check if any search provider key is detectable
* handle both kimi keys
* remove .filter(Boolean)
* do not disable web_search after user enables it
* update resolveSearchProvider
* fix(onboarding): skip search key prompt in ref mode
* fix: add onboarding web search step (#34009 ) (thanks @kesku)
---------
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Co-authored-by: Shadow <hi@shadowing.dev>
2026-03-06 13:09:00 -06:00
f392b81e95
Infra: require explicit opt-in for prerelease npm installs ( #38117 )
...
* Infra: tighten npm registry spec parsing
* Infra: block implicit prerelease npm installs
* Plugins: cover prerelease install policy
* Infra: add npm registry spec tests
* Hooks: cover prerelease install policy
* Docs: clarify plugin guide version policy
* Docs: clarify plugin install version policy
* Docs: clarify hooks install version policy
* Docs: clarify hook pack version policy
2026-03-06 11:13:30 -05:00
151f26070b
docs: context engine
2026-03-06 08:55:58 -05:00
eb2eebae22
docs(plugins): document context engine slots and registration
2026-03-06 08:53:30 -05:00
e88f6605ec
docs(tools): document slash-delimited config schema lookup paths
2026-03-06 08:53:29 -05:00
ff97195500
Gateway: add path-scoped config schema lookup ( #37266 )
...
Merged via squash.
Prepared head SHA: 0c4d187f6f
2026-03-06 02:50:48 -05:00
0e4245063f
CLI: make read-only SecretRef status flows degrade safely ( #37023 )
...
* CLI: add read-only SecretRef inspection
* CLI: fix read-only SecretRef status regressions
* CLI: preserve read-only SecretRef status fallbacks
* Docs: document read-only channel inspection hook
* CLI: preserve audit coverage for read-only SecretRefs
* CLI: fix read-only status account selection
* CLI: fix targeted gateway fallback analysis
* CLI: fix Slack HTTP read-only inspection
* CLI: align audit credential status checks
* CLI: restore Telegram read-only fallback semantics
2026-03-05 23:07:13 -06:00
5d4b04040d
feat(openai): add gpt-5.4 support for API and Codex OAuth ( #36590 )
...
* feat(openai): add gpt-5.4 support and priority processing
* feat(openai-codex): add gpt-5.4 oauth support
* fix(openai): preserve provider overrides in gpt-5.4 fallback
* fix(openai-codex): keep xhigh for gpt-5.4 default
* fix(models): preserve configured overrides in list output
* fix(models): close gpt-5.4 integration gaps
* fix(openai): scope service tier to public api
* fix(openai): complete prep followups for gpt-5.4 support (#36590 ) (thanks @dorukardahan)
---------
Co-authored-by: Tyler Yust <TYTYYUST@YAHOO.COM>
2026-03-05 21:01:37 -08:00
8c85ad540a
fix: remove config.schema from agent gateway tool ( #7382 )
...
Merged via squash.
Prepared head SHA: f34a778069
2026-03-05 23:53:08 -05:00
81b93b9ce0
fix(subagents): announce delivery with descendant gating, frozen result refresh, and cron retry ( #35080 )
...
Thanks @tyler6204
2026-03-05 19:20:24 -08:00
d58dafae88
feat(telegram/acp): Topic Binding, Pin Binding Message, Fix Spawn Param Parsing ( #36683 )
...
* fix(acp): normalize unicode flags and Telegram topic binding
* feat(telegram/acp): restore topic-bound ACP and session bindings
* fix(acpx): clarify permission-denied guidance
* feat(telegram/acp): pin spawn bind notice in topics
* docs(telegram): document ACP topic thread binding behavior
* refactor(reply): share Telegram conversation-id resolver
* fix(telegram/acp): preserve bound session routing semantics
* fix(telegram): respect binding persistence and expiry reporting
* refactor(telegram): simplify binding lifecycle persistence
* fix(telegram): bind acp spawns in direct messages
* fix: document telegram ACP topic binding changelog (#36683 ) (thanks @huntharo)
---------
Co-authored-by: Onur <2453968+osolmaz@users.noreply.github.com>
2026-03-06 02:17:50 +01:00
1a67cf57e3
Diffs: restore system prompt guidance ( #36904 )
...
Merged via squash.
Prepared head SHA: 1b3be3c879
2026-03-05 19:46:39 -05:00
688b72e158
plugins: enforce prompt hook policy with runtime validation ( #36567 )
...
Merged via squash.
Prepared head SHA: 6b9d883b6a
2026-03-05 18:15:54 -05:00
98aecab7bd
Docs: cover heartbeat, cron, and plugin route updates
2026-03-05 17:05:21 -05:00
09c68f8f0e
add prependSystemContext and appendSystemContext to before_prompt_build ( fixes #35131 ) ( #35177 )
...
Merged via squash.
Prepared head SHA: d9a2869ad6
2026-03-05 13:06:59 -05:00
6a705a37f2
ACP: add persistent Discord channel and Telegram topic bindings ( #34873 )
...
* docs: add ACP persistent binding experiment plan
* docs: align ACP persistent binding spec to channel-local config
* docs: scope Telegram ACP bindings to forum topics only
* docs: lock bound /new and /reset behavior to in-place ACP reset
* ACP: add persistent discord/telegram conversation bindings
* ACP: fix persistent binding reuse and discord thread parent context
* docs: document channel-specific persistent ACP bindings
* ACP: split persistent bindings and share conversation id helpers
* ACP: defer configured binding init until preflight passes
* ACP: fix discord thread parent fallback and explicit disable inheritance
* ACP: keep bound /new and /reset in-place
* ACP: honor configured bindings in native command flows
* ACP: avoid configured fallback after runtime bind failure
* docs: refine ACP bindings experiment config examples
* acp: cut over to typed top-level persistent bindings
* ACP bindings: harden reset recovery and native command auth
* Docs: add ACP bound command auth proposal
* Tests: normalize i18n registry zh-CN assertion encoding
* ACP bindings: address review findings for reset and fallback routing
* ACP reset: gate hooks on success and preserve /new arguments
* ACP bindings: fix auth and binding-priority review findings
* Telegram ACP: gate ensure on auth and accepted messages
* ACP bindings: fix session-key precedence and unavailable handling
* ACP reset/native commands: honor fallback targets and abort on bootstrap failure
* Config schema: validate ACP binding channel and Telegram topic IDs
* Discord ACP: apply configured DM bindings to native commands
* ACP reset tails: dispatch through ACP after command handling
* ACP tails/native reset auth: fix target dispatch and restore full auth
* ACP reset detection: fallback to active ACP keys for DM contexts
* Tests: type runTurn mock input in ACP dispatch test
* ACP: dedup binding route bootstrap and reset target resolution
* reply: align ACP reset hooks with bound session key
* docs: replace personal discord ids with placeholders
* fix: add changelog entry for ACP persistent bindings (#34873 ) (thanks @dutifulbob)
---------
Co-authored-by: Onur <2453968+osolmaz@users.noreply.github.com>
2026-03-05 09:38:12 +01:00
257e2f5338
fix: relay ACP sessions_spawn parent streaming ( #34310 ) (thanks @vincentkoc) ( #34310 )
...
Co-authored-by: Onur Solmaz <2453968+osolmaz@users.noreply.github.com>
2026-03-04 11:44:20 +01:00
7a2f5a0098
Plugin SDK: add full bundled subpath wiring
2026-03-04 02:35:12 -05:00
802b9f6b19
Plugins: add root-alias shim and cache/docs updates
2026-03-04 01:20:48 -05:00
230fea1ca6
feat(web-search): switch Perplexity to native Search API ( #33822 )
...
* feat: Add Perplexity Search API as web_search provider
* docs fixes
* domain_filter validation
* address comments
* provider-specific options in cache key
* add validation for unsupported date filters
* legacy fields
* unsupported_language guard
* cache key matches the request's precedence order
* conflicting_time_filters guard
* unsupported_country guard
* invalid_date_range guard
* pplx validate for ISO 639-1 format
* docs: add Perplexity Search API changelog entry
* unsupported_domain_filter guard
---------
Co-authored-by: Shadow <hi@shadowing.dev>
2026-03-03 22:57:19 -06:00
1278ee9248
plugin-sdk: add channel subpaths and migrate bundled plugins
2026-03-03 22:07:03 -05:00
d89e1e40f9
docs(loop-detection): fix config keys to match schema ( #33182 )
...
Merged via squash.
Prepared head SHA: 612ecc00d3
2026-03-03 11:02:30 -05:00
5341b5c71c
Diffs: Migrate tool usage guidance from before_prompt_build to a plugin skill ( #32630 )
...
Merged via squash.
Prepared head SHA: 585697a4e1
2026-03-03 01:50:59 -05:00
75775f2fe6
chore: Updated Brave documentation ( #26860 )
...
Merged via squash.
Prepared head SHA: f8fc4bf01e
2026-03-03 01:34:15 -05:00
d9d604c6ad
docs: add dedicated pdf tool docs page
2026-03-03 04:07:04 +00:00
806803b7ef
feat(secrets): expand SecretRef coverage across user-supplied credentials ( #29580 )
...
* feat(secrets): expand secret target coverage and gateway tooling
* docs(secrets): align gateway and CLI secret docs
* chore(protocol): regenerate swift gateway models for secrets methods
* fix(config): restore talk apiKey fallback and stabilize runner test
* ci(windows): reduce test worker count for shard stability
* ci(windows): raise node heap for test shard stability
* test(feishu): make proxy env precedence assertion windows-safe
* fix(gateway): resolve auth password SecretInput refs for clients
* fix(gateway): resolve remote SecretInput credentials for clients
* fix(secrets): skip inactive refs in command snapshot assignments
* fix(secrets): scope gateway.remote refs to effective auth surfaces
* fix(secrets): ignore memory defaults when enabled agents disable search
* fix(secrets): honor Google Chat serviceAccountRef inheritance
* fix(secrets): address tsgo errors in command and gateway collectors
* fix(secrets): avoid auth-store load in providers-only configure
* fix(gateway): defer local password ref resolution by precedence
* fix(secrets): gate telegram webhook secret refs by webhook mode
* fix(secrets): gate slack signing secret refs to http mode
* fix(secrets): skip telegram botToken refs when tokenFile is set
* fix(secrets): gate discord pluralkit refs by enabled flag
* fix(secrets): gate discord voice tts refs by voice enabled
* test(secrets): make runtime fixture modes explicit
* fix(cli): resolve local qr password secret refs
* fix(cli): fail when gateway leaves command refs unresolved
* fix(gateway): fail when local password SecretRef is unresolved
* fix(gateway): fail when required remote SecretRefs are unresolved
* fix(gateway): resolve local password refs only when password can win
* fix(cli): skip local password SecretRef resolution on qr token override
* test(gateway): cast SecretRef fixtures to OpenClawConfig
* test(secrets): activate mode-gated targets in runtime coverage fixture
* fix(cron): support SecretInput webhook tokens safely
* fix(bluebubbles): support SecretInput passwords across config paths
* fix(msteams): make appPassword SecretInput-safe in onboarding/token paths
* fix(bluebubbles): align SecretInput schema helper typing
* fix(cli): clarify secrets.resolve version-skew errors
* refactor(secrets): return structured inactive paths from secrets.resolve
* refactor(gateway): type onboarding secret writes as SecretInput
* chore(protocol): regenerate swift models for secrets.resolve
* feat(secrets): expand extension credential secretref support
* fix(secrets): gate web-search refs by active provider
* fix(onboarding): detect SecretRef credentials in extension status
* fix(onboarding): allow keeping existing ref in secret prompt
* fix(onboarding): resolve gateway password SecretRefs for probe and tui
* fix(onboarding): honor secret-input-mode for local gateway auth
* fix(acp): resolve gateway SecretInput credentials
* fix(secrets): gate gateway.remote refs to remote surfaces
* test(secrets): cover pattern matching and inactive array refs
* docs(secrets): clarify secrets.resolve and remote active surfaces
* fix(bluebubbles): keep existing SecretRef during onboarding
* fix(tests): resolve CI type errors in new SecretRef coverage
* fix(extensions): replace raw fetch with SSRF-guarded fetch
* test(secrets): mark gateway remote targets active in runtime coverage
* test(infra): normalize home-prefix expectation across platforms
* fix(cli): only resolve local qr password refs in password mode
* test(cli): cover local qr token mode with unresolved password ref
* docs(cli): clarify local qr password ref resolution behavior
* refactor(extensions): reuse sdk SecretInput helpers
* fix(wizard): resolve onboarding env-template secrets before plaintext
* fix(cli): surface secrets.resolve diagnostics in memory and qr
* test(secrets): repair post-rebase runtime and fixtures
* fix(gateway): skip remote password ref resolution when token wins
* fix(secrets): treat tailscale remote gateway refs as active
* fix(gateway): allow remote password fallback when token ref is unresolved
* fix(gateway): ignore stale local password refs for none and trusted-proxy
* fix(gateway): skip remote secret ref resolution on local call paths
* test(cli): cover qr remote tailscale secret ref resolution
* fix(secrets): align gateway password active-surface with auth inference
* fix(cli): resolve inferred local gateway password refs in qr
* fix(gateway): prefer resolvable remote password over token ref pre-resolution
* test(gateway): cover none and trusted-proxy stale password refs
* docs(secrets): sync qr and gateway active-surface behavior
* fix: restore stability blockers from pre-release audit
* Secrets: fix collector/runtime precedence contradictions
* docs: align secrets and web credential docs
* fix(rebase): resolve integration regressions after main rebase
* fix(node-host): resolve gateway secret refs for auth
* fix(secrets): harden secretinput runtime readers
* gateway: skip inactive auth secretref resolution
* cli: avoid gateway preflight for inactive secret refs
* extensions: allow unresolved refs in onboarding status
* tests: fix qr-cli module mock hoist ordering
* Security: align audit checks with SecretInput resolution
* Gateway: resolve local-mode remote fallback secret refs
* Node host: avoid resolving inactive password secret refs
* Secrets runtime: mark Slack appToken inactive for HTTP mode
* secrets: keep inactive gateway remote refs non-blocking
* cli: include agent memory secret targets in runtime resolution
* docs(secrets): sync docs with active-surface and web search behavior
* fix(secrets): keep telegram top-level token refs active for blank account tokens
* fix(daemon): resolve gateway password secret refs for probe auth
* fix(secrets): skip IRC NickServ ref resolution when NickServ is disabled
* fix(secrets): align token inheritance and exec timeout defaults
* docs(secrets): clarify active-surface notes in cli docs
* cli: require secrets.resolve gateway capability
* gateway: log auth secret surface diagnostics
* secrets: remove dead provider resolver module
* fix(secrets): restore gateway auth precedence and fallback resolution
* fix(tests): align plugin runtime mock typings
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-03-03 02:58:20 +00:00
fa4ff5f3d2
refactor(acp): extract install hint resolver
2026-03-03 02:51:24 +00:00
04ac688dff
fix(acp): use publishable acpx install hint
2026-03-03 02:34:07 +00:00
42626648d7
docs(models): clarify moonshot thinking and failover stop-reason errors
2026-03-03 01:11:29 +00:00
287606e445
feat(acp): add kimi harness support surfaces
2026-03-03 01:05:24 +00:00
7de4204e57
docs(acp): document sandbox limitation
2026-03-03 00:52:09 +00:00
36dfd462a8
feat(acp): enable dispatch by default
2026-03-03 00:47:35 +00:00
f9025c3f55
feat(zalouser): add reactions, group context, and receipt acks
2026-03-02 22:08:11 +00:00
a183656f8f
fix: apply missed media/runtime follow-ups from merged PRs
2026-03-02 21:45:39 +00:00
1727279598
fix(browser): default to openclaw profile when unspecified ( #32031 )
2026-03-02 18:34:37 +00:00
be65dc8acc
docs(diffs): clarify file size limitations
2026-03-02 11:34:12 -05:00
5f49a5da3c
Diffs: extend image quality configs and add PDF as a format option ( #31342 )
...
Merged via squash.
Prepared head SHA: cc12097851
2026-03-02 04:38:50 -05:00
d0ac1b0195
feat: add PDF analysis tool with native provider support ( #31319 )
...
* feat: add PDF analysis tool with native provider support
New `pdf` tool for analyzing PDF documents with model-powered analysis.
Architecture:
- Native PDF path: sends raw PDF bytes directly to providers that support
inline document input (Anthropic via DocumentBlockParam, Google Gemini
via inlineData with application/pdf MIME type)
- Extraction fallback: for providers without native PDF support, extracts
text via pdfjs-dist and rasterizes pages to images via @napi-rs/canvas,
then sends through the standard vision/text completion path
Key features:
- Single PDF (`pdf` param) or multiple PDFs (`pdfs` array, up to 10)
- Page range selection (`pages` param, e.g. "1-5", "1,3,7-9")
- Model override (`model` param) and file size limits (`maxBytesMb`)
- Auto-detects provider capability and falls back gracefully
- Same security patterns as image tool (SSRF guards, sandbox support,
local path roots, workspace-only policy)
Config (agents.defaults):
- pdfModel: primary/fallbacks (defaults to imageModel, then session model)
- pdfMaxBytesMb: max PDF file size (default: 10)
- pdfMaxPages: max pages to process (default: 20)
Model catalog:
- Extended ModelInputType to include "document" alongside "text"/"image"
- Added modelSupportsDocument() capability check
Files:
- src/agents/tools/pdf-tool.ts - main tool factory
- src/agents/tools/pdf-tool.helpers.ts - helpers (page range, config, etc.)
- src/agents/tools/pdf-native-providers.ts - direct API calls for Anthropic/Google
- src/agents/tools/pdf-tool.test.ts - 43 tests covering all paths
- Modified: model-catalog.ts, openclaw-tools.ts, config schema/types/labels/help
* fix: prepare pdf tool for merge (#31319 ) (thanks @tyler6204)
2026-03-01 22:39:12 -08:00
bc0288bcfb
docs: clarify adaptive thinking and openai websocket docs
2026-03-02 05:46:57 +00:00
a9f1188785
sessions_spawn: inline attachments with redaction, lifecycle cleanup, and docs ( #16761 )
...
Add inline file attachment support for sessions_spawn (subagent runtime only):
- Schema: attachments[] (name, content, encoding, mimeType) and attachAs.mountPath hint
- Materialization: files written to .openclaw/attachments/<uuid>/ with manifest.json
- Validation: strict base64 decode, filename checks, size limits, duplicate detection
- Transcript redaction: sanitizeToolCallInputs redacts attachment content from persisted transcripts
- Lifecycle cleanup: safeRemoveAttachmentsDir with symlink-safe path containment check
- Config: tools.sessions_spawn.attachments (enabled, maxFiles, maxFileBytes, maxTotalBytes, retainOnSessionKeep)
- Registry: attachmentsDir/attachmentsRootDir/retainAttachmentsOnKeep on SubagentRunRecord
- ACP rejection: attachments rejected for runtime=acp with clear error message
- Docs: updated tools/index.md, concepts/session-tool.md, configuration-reference.md
- Tests: 85 new/updated tests across 5 test files
Fixes:
- Guard fs.rm in materialization catch block with try/catch (review concern #1 )
- Remove unreachable fallback in safeRemoveAttachmentsDir (review concern #7 )
- Move attachment cleanup out of retry path to avoid timing issues with announce loop
Co-authored-by: Tyler Yust <TYTYYUST@YAHOO.COM>
Co-authored-by: napetrov <napetrov@users.noreply.github.com>
2026-03-01 21:33:51 -08:00
4a1be98254
fix(diffs): harden viewer security and docs
2026-03-02 05:07:09 +00:00
b7615e0ce3
Exec/ACP: inject OPENCLAW_SHELL into child shell env ( #31271 )
...
* exec: mark runtime shell context in exec env
* tests(exec): cover OPENCLAW_SHELL in gateway exec
* tests(exec): cover OPENCLAW_SHELL in pty mode
* acpx: mark runtime shell context for spawned process
* tests(acpx): log OPENCLAW_SHELL in runtime fixture
* tests(acpx): assert OPENCLAW_SHELL in runtime prompt
* docs(env): document OPENCLAW_SHELL runtime markers
* docs(exec): describe OPENCLAW_SHELL exec marker
* docs(acp): document OPENCLAW_SHELL acp marker
* docs(gateway): note OPENCLAW_SHELL for background exec
* tui: tag local shell runs with OPENCLAW_SHELL
* tests(tui): assert OPENCLAW_SHELL in local shell runner
* acp client: tag spawned bridge env with OPENCLAW_SHELL
* tests(acp): cover acp client OPENCLAW_SHELL env helper
* docs(env): include acp-client and tui-local shell markers
* docs(acp): document acp-client OPENCLAW_SHELL marker
* docs(tui): document tui-local OPENCLAW_SHELL marker
* exec: keep shell runtime env string-only for docker args
* changelog: note OPENCLAW_SHELL runtime markers
2026-03-01 20:31:06 -08:00
6532757cdf
Diffs: add viewer payload validation and presentation defaults
2026-03-01 22:38:14 -05:00
b0c7f1ebe2
fix: harden sessions_spawn delivery params and telegram account routing ( #31000 , #31110 )
2026-03-02 02:35:48 +00:00
bfeadb80b6
feat(agents): add sessions_spawn sandbox require mode
2026-03-02 01:27:34 +00:00
155118751f
refactor!: remove versioned system-run approval contract
2026-03-02 01:12:53 +00:00
b9aa2d436b
fix(security): enforce sandbox inheritance for sessions_spawn
2026-03-02 01:11:13 +00:00
085c23ce5a
fix(security): block private-network web_search citation redirects
2026-03-02 01:05:20 +00:00
ccb415b69a
fix: align ACP permission docs defaults ( #31044 ) (thanks @barronlroth)
2026-03-01 23:30:39 +00:00
Peter Steinberger
Vincent Koc
Gustavo Madeira Santana
Radek Sienkiewicz
George Zhang
Nimrod Gutman
Keelan Fadden-Hopper
Luke
Xaden Ryan
Pejman Pour-Moezzi
Josh Avant
Harold Hunt
Mariano
Kesku
shrey150
Rémi
Ayaan Zaidi
dorukardahan
Hinata Kaga (samon)
Tyler Yust
maweibin
Bob
Mylszd
Eugene
Henry Loenwind
john
Mark L
Nikolay Petrov