nyrn
/
openclaw
mirror of https://github.com/openclaw/openclaw.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
24,170 Commits 913 Branches 94 Tags 6.2 GiB
Commit Graph

1996 Commits

Author SHA1 Message Date
Peter Steinberger 759d37635d
Revert "refactor: move tasks behind plugin-sdk seam" 
This reverts commit da6e9bb76f.
 2026-04-01 01:30:22 +09:00
openperf 56b5ba0dcb fix: address security and review feedback 
- Fix CWE-209: use static safe message instead of raw provider error text
- Fix CWE-117: sanitize provider/model in logs via sanitizeForLog
- Hide CLI hints from external channels via shouldSurfaceToControlUi
- Move overload cap check before advanceAuthProfile to save setup latency
- Export MAX_LIVE_SWITCH_RETRIES as module-level constant
- Use exact toBe() assertions in tests
- Correct failover decision label to fallback_model
 2026-03-31 20:25:09 +05:30
openperf 1fcd179d8c fix(gateway): prevent session death loop on overloaded fallback 
- Add MAX_LIVE_SWITCH_RETRIES=2 guard in agent-runner-execution.ts
- Add MAX_OVERLOAD_PROFILE_ROTATIONS=1 cap in run.ts for overloaded errors
- Return kind:final with user-visible error on retry exhaustion
- Escalate to cross-provider fallback instead of exhausting same-provider profiles

Fixes #58348
 2026-03-31 20:25:09 +05:30
Peter Steinberger da6e9bb76f
refactor: move tasks behind plugin-sdk seam 2026-03-31 15:22:09 +01:00
Gabriel M. f7ced438f7
fix: restore Telegram forum-topic routing (#56060) (thanks @one27001) 
* feat(telegram): add child thread-binding placement via createForumTopic

Enable ACP subagent spawn on Telegram by adding "child" placement
support to the thread-bindings adapter. When a child binding is
requested, the adapter creates a new forum topic via the Telegram
Bot API and binds the subagent session to it using the canonical
chatId:topic:topicId conversation ID format.

When the ACP spawn context provides only a topic ID (not a full
group chat ID), the adapter resolves the group from the configured
Telegram groups in openclaw.json.

This mirrors the Discord adapter's child placement behavior
(thread creation + session binding) and unblocks the orchestrator
pattern on Telegram forum-enabled groups.

Closes #5737
Ref #23414

* fix(telegram): return null with warning instead of silent group fallback for bare topic IDs in child bind

* telegram: fix ACP child thread spawn with group chat ID from agentGroupId

* telegram: scope agentGroupId substitution to telegram channel only

* Telegram: fix forum topic replies routing to root chat instead of topic thread

* fix: clean up dead guard in child bind + add explicit threadId override test

- Simplify bare-topic-ID guards in thread-bindings.ts: split into
  separate !chatId and !chatId.startsWith("-") checks, removing
  unreachable second condition
- Add regression test confirming explicit turnSourceThreadId overrides
  session lastThreadId on same channel

* fix: guard threadId fallback against shared-session race

Codex review P1: when turnSourceTo differs from the session's stored
to, the session threadId may belong to a different chat/topic. Only
fall back to context.threadId when the destination also matches.

* fix(telegram): enable ACP spawn from forum topics without thread binding

extractExplicitGroupId returned topic-qualified IDs (-100...:topic:1264)
instead of bare group chat IDs, breaking agentGroupId resolution.
agentGroupId was also never wired in the inline actions path.

For Telegram forum topics, skip thread binding entirely — the delivery
plan already routes correctly via requester origin (to + threadId).
Creating new forum topics per child session is unnecessary; output goes
back to the same topic the user asked from.

* fix(acp): bind Telegram forum sessions to current topic

* fix: restore Telegram forum-topic routing (#56060) (thanks @one27001)

---------

Co-authored-by: openclaw <mgabrie.dev@gmail.com>
Co-authored-by: Ayaan Zaidi <hi@obviy.us>
 2026-03-31 10:18:09 +05:30
Josh Avant 44674525f2
feat(tts): add structured provider diagnostics and fallback attempt analytics (#57954) 
* feat(tts): add structured fallback diagnostics and attempt analytics

* docs(tts): document attempt-detail and provider error diagnostics

* TTS: harden fallback loops and share error helpers

* TTS: bound provider error-body reads

* tts: add double-prefix regression test and clean baseline drift

* tests(tts): satisfy error narrowing in double-prefix regression

* changelog

Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com>

---------

Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com>
 2026-03-30 22:55:28 -05:00
Josh Avant c918ab4faf
fix(tts): restore 3.28 schema compatibility and fallback observability (#57953) 
* fix(tts): restore legacy config compatibility and fallback observability

* fix(tts): surface fallback attempts in status and telephony

* test(tts): cover /tts audio to /tts status fallback flow

* docs(tts): align migration and fallback observability guidance

* TTS: redact fallback logs and scope legacy plugin migration

* Infra: dedupe UV_EXTRA_INDEX_URL in host env policy

* Docs: scope doctor TTS migration to voice-call

* voice-call: restore strict known TTS provider validation
 2026-03-30 22:05:03 -05:00
Teconomix 697dddbeb6
feat(matrix): thread-isolated sessions and per-chat-type threadReplies (#57995) 
Merged via squash.

Prepared head SHA: 9ed96dd063
Co-authored-by: teconomix <6959299+teconomix@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-03-30 22:45:32 -04:00
Peter Steinberger 6b6ddcd2a6
test: speed up core runtime suites 2026-03-31 02:25:02 +01:00
Vincent Koc 1f6a964e57 fix(ci): handle missing native command capabilities 2026-03-31 10:16:06 +09:00
Vincent Koc 8bcaf1a147 fix(test): trim reply command plugin imports 2026-03-31 09:43:54 +09:00
Vincent Koc a30214a624
fix(heartbeat): block owner-only auth inheritance for exec events (#57652) 2026-03-31 09:06:51 +09:00
scoootscooob 9ff57ac479
refactor(exec): unify channel approvals and restore routing/auth (#57838) 
* fix(exec): add shared approval runtime

* fix(exec): harden shared approval runtime

* fix(exec): guard approval expiration callbacks

* fix(exec): handle approval runtime races

* fix(exec): clean up failed approval deliveries

* fix(exec): restore channel approval routing

* fix(exec): scope telegram legacy approval fallback

* refactor(exec): centralize native approval delivery

* fix(exec): harden approval auth and account routing

* test(exec): align telegram approval auth assertions

* fix(exec): align approval rebase followups

* fix(exec): clarify plugin approval not-found errors

* fix(exec): fall back to session-bound telegram accounts

* fix(exec): detect structured telegram approval misses

* test(exec): align discord approval auth coverage

* fix(exec): ignore discord dm origin channel routes

* fix(telegram): skip self-authored message echoes

* fix(exec): keep implicit approval auth non-explicit
 2026-03-30 15:49:02 -07:00
Shakker c22edbb8ee test: align ci regression stubs with production behavior 2026-03-30 17:11:06 +01:00
Shakker 4c45fc3575 test: remove telegram extension dependency from reply command tests 2026-03-30 17:11:06 +01:00
Jacob Tomlinson ae703ab0e7
infra: harden identifier entropy and delay jitter (#57744) 
* infra: harden identifier entropy and delay jitter

* test: make randomness hardening deterministic in CI
 2026-03-30 16:57:30 +01:00
pgondhi987 6d341cf366
fix(auto-reply): thread per-agent tools.exec defaults into reply directives (#57689) 
* fix(auto-reply): thread per-agent tools.exec defaults into exec overrides

* test(auto-reply): add session-override and inline-directive priority tests for exec agent defaults
 2026-03-30 16:46:54 +01:00
samzong 09bb93c6e0
fix(subagents): correct duration display showing 5-6x inflated runtime (#57739) 
Merged via squash.

Prepared head SHA: 018bbbca4d
Co-authored-by: samzong <13782141+samzong@users.noreply.github.com>
Co-authored-by: frankekn <4488090+frankekn@users.noreply.github.com>
Reviewed-by: @frankekn
 2026-03-30 23:44:36 +08:00
Sean c6f2db1506
fix: prevent gateway attachment offload regressions (#55513) (thanks @Syysean) 
* feat(gateway): implement claim check pattern to prevent OOM on large attachments

* fix: sanitize mediaId, refine trimEnd, remove warn log, add threshold and absolute path

* fix: enforce maxBytes before decoding and use dynamic path from saveMediaBuffer

* fix: enforce absolute maxBytes limit before Buffer allocation and preserve file extensions

* fix: align saveMediaBuffer arguments and satisfy oxfmt linter

* chore: strictly enforce linting rules (curly braces, unused vars, and error typing)

* fix: restrict offload to mainstream mimes to avoid extension-loss bug in store.ts for BMP/TIFF

* fix: restrict offload to mainstream mimes to bypass store.ts extension-loss bug

* chore: document bmp/tiff exclusion from offload whitelist in MIME_TO_EXT

* feat: implement agent-side resolver for opaque media URIs and finalize contract

* fix: support unicode media URIs and allow consecutive dots in safe IDs based on Codex review

* fix(gateway): enforce strict fail-fast for oversized media to prevent OOM bypass

* refactor(gateway): harden media offload with performance and security optimizations

This update refines the Claim Check pattern with industrial-grade guards:

- Performance: Implemented sampled Base64 validation for large payloads (>4KB) to prevent event loop blocking.
- Security: Added null-byte (\u0000) detection and reinforced path traversal guards.
- I18n: Updated media-uri regex to a blacklist-based character class for Unicode/Chinese filename support, with oxlint bypass for intentional control regex.
- Robustness: Enhanced error diagnostics with JSON-serialized IDs.

* fix: add HEIC/HEIF to offload allowlist and pass maxBytes to saveMediaBuffer

* fix(gateway): clean up offloaded media files on attachment parse failure

Address Codex review feedback: track saved media IDs and implement best-effort cleanup via deleteMediaBuffer if subsequent attachments fail validation, preventing orphaned files on disk.

* fix(gateway): enforce full base64 validation to prevent whitespace padding bypass

Address Codex review feedback: remove early return in isValidBase64 so padded payloads cannot bypass offload thresholds and reintroduce memory pressure. Updated related comments.

* fix(gateway): preserve offloaded media metadata and fix validation error mapping

Address Codex review feedback:
- Add \offloadedRefs\ to \ParsedMessageWithImages\ to expose structured metadata for offloaded attachments, preventing transcript media loss.
- Move \erifyDecodedSize\ outside the storage try-catch block to correctly surface client base64 validation failures as 4xx errors instead of 5xx \MediaOffloadError\.
- Add JSDoc TODOs indicating that upstream callers (chat.ts, agent.ts, server-node-events.ts) must explicitly pass the \supportsImages\ flag.

* fix(agents): explicitly allow media store dir when loading offloaded images

Address Codex review feedback: Pass getMediaDir() to loadWebMedia's localRoots for media-uri refs to prevent legacy path resolution mismatches from silently dropping large attachments.

* fix(gateway): resolve attachment offload regressions and error mapping

Address Codex review feedback:
- Pass \supportsImages\ dynamically in \chat.ts\ and \gent.ts\ based on model catalog, and explicitly in \server-node-events.ts\.
- Persist \offloadedRefs\ into the transcript pipeline in \chat.ts\ to preserve media metadata for >2MB attachments.
- Correctly map \MediaOffloadError\ to 5xx (UNAVAILABLE) to differentiate server storage faults from 4xx client validation errors.

* fix(gateway): dynamically compute supportsImages for overrides and node events

Address follow-up Codex review feedback:

- Use effective model (including overrides) to compute \supportsImages\ in \gent.ts\.

- Move session load earlier in \server-node-events.ts\ to dynamically compute \supportsImages\ rather than hardcoding true.

* fix(gateway): resolve capability edge cases reported by codex

Address final Codex edge cases:
- Refactor \gent.ts\ to compute \supportsImages\ even when no session key is present, ensuring text-only override requests without sessions safely drop attachments.
- Update catalog lookups in \chat.ts\, \gent.ts\, and \server-node-events.ts\ to strictly match both \id\ and \provider\ to prevent cross-provider model collisions.

* fix(agents): restore before_install hook for skill installs

Restore the plugin scanner security hook that was accidentally dropped during merge conflict resolution.

* fix: resolve attachment pathing, defer parsing after auth gates, and clean up node-event mocks

* fix: resolve syntax errors in test-env, fix missing helper imports, and optimize parsing sequence in node events

* fix(gateway): re-enforce message length limit after attachment parsing

Adds a secondary check to ensure the 20,000-char cap remains effective even after media markers are appended during the offload flow.

* fix(gateway): prevent dropping valid small images and clean up orphaned media on size rejection

* fix(gateway): share attachment image capability checks

* fix(gateway): preserve mixed attachment order

* fix: fail closed on unknown image capability (#55513) (thanks @Syysean)

* fix: classify offloaded attachment refs explicitly (#55513) (thanks @Syysean)

---------

Co-authored-by: Ayaan Zaidi <hi@obviy.us>
 2026-03-30 20:54:40 +05:30
Shakker 3ad747e25f style: apply formatter cleanups 2026-03-30 16:20:27 +01:00
Jacob Tomlinson a77928b108
Gateway: harden node event trust boundaries (#57691) 
* Gateway: harden node event trust boundaries

* Gateway: preserve trusted summary prefixes

* Gateway: prefix multiline channel summaries
 2026-03-30 14:22:15 +01:00
Jacob Tomlinson 566fb73d9d
reply: enforce ACP attachment roots (#57690) 
* reply: enforce ACP attachment roots

* media: harden local attachment cache reads

* reply: clarify ACP attachment skip logs

* reply: keep ACP attachments path-only
 2026-03-30 14:04:02 +01:00
Vincent Koc 2fbd5e3f5f fix(test): trim telegram command registry imports 2026-03-30 19:34:47 +09:00
Vincent Koc 85f3136cfc fix(test): use plugin public surfaces in reply command tests 2026-03-30 19:28:10 +09:00
Vincent Koc 104f006916 fix(test): trim reply command registry imports 2026-03-30 19:02:40 +09:00
Vincent Koc 9670bd0823 fix(test): trim session binding registry imports 2026-03-30 17:46:44 +09:00
Vincent Koc 12ae4eee7e
fix(slack): complete interactive block delivery (#57473) 
* fix(slack): complete interactive block delivery

Related #12602
Related #49528

* docs(changelog): add Slack interactive delivery note

Related #12602

* fix(slack): add reply-blocks helper and tighten directives

Related #12602
Related #49528

* fix(slack): scope style parsing and recheck merged blocks

Related #12602
Related #49528
 2026-03-30 16:25:51 +09:00
Vincent Koc 0a014ca63a perf(tasks): optimize session lookups and sqlite upserts 2026-03-30 16:19:28 +09:00
Vincent Koc 1fd8164f01 fix(test): trim acp command registry imports 2026-03-30 14:08:48 +09:00
Vincent Koc 69793db948 fix(test): trim acp context registry imports 2026-03-30 13:39:29 +09:00
Yauheni Shauchenka a6bc51f944
feat(openai): forward text verbosity (#47106) 
* feat(openai): forward text verbosity across responses transports

* fix(openai): remove stale verbosity rebase artifact

* chore(changelog): add openai text verbosity entry

---------

Co-authored-by: Ubuntu <ubuntu@vps-1c82b947.vps.ovh.net>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
 2026-03-30 12:04:35 +09:00
Vincent Koc 3034adfdb3 fix(commands): harden fast status and Telegram callbacks 2026-03-30 09:32:53 +09:00
Peter Steinberger 63cbc097b5
refactor(channels): route core through registered plugin capabilities 2026-03-30 01:03:42 +01:00
Peter Steinberger 3b878e6b86
refactor: move approval auth and payload hooks to generic channel capabilities 2026-03-30 08:46:44 +09:00
Peter Steinberger 6d9a7224aa
refactor: unify approval command authorization 2026-03-30 07:06:29 +09:00
Peter Steinberger 3ec000b995
refactor: align same-chat approval routing 2026-03-30 06:52:28 +09:00
Peter Steinberger 276ccd2583
fix(exec): default implicit target to auto 2026-03-30 06:03:08 +09:00
Peter Steinberger f5f8ba6d35 fix: harden bundle MCP session runtime cache (#55090) (thanks @allan0509) 2026-03-30 05:10:32 +09:00
无忌 6477d783e8 Agents: cache bundle MCP runtime per session 2026-03-30 05:10:32 +09:00
Thomas M 0a01386756
fix: canonicalize session keys at write time (#30654) (thanks @thomasxm) 
* fix: canonicalize session keys at write time to prevent orphaned sessions (#29683)

resolveSessionKey() uses hardcoded DEFAULT_AGENT_ID="main", but all read
paths canonicalize via cfg. When the configured default agent differs
(e.g. "ops" with mainKey "work"), writes produce "agent:main:main" while
reads look up "agent:ops:work", orphaning transcripts on every restart.

Fix all three write-path call sites by wrapping with
canonicalizeMainSessionAlias:
- initSessionState (auto-reply/reply/session.ts)
- runWebHeartbeatOnce (web/auto-reply/heartbeat-runner.ts)
- resolveCronAgentSessionKey (cron/isolated-agent/session-key.ts)

Add startup migration (migrateOrphanedSessionKeys) to rename existing
orphaned keys to canonical form, merging by most-recent updatedAt.

* fix: address review — track agent IDs in migration map, align snapshot key

P1: migrateOrphanedSessionKeys now tracks agentId alongside each store
path in a Map instead of inferring from the filesystem path. This
correctly handles custom session.store templates outside the default
agents/<id>/ layout.

P2: Pass the already-canonicalized sessionKey to getSessionSnapshot so
the heartbeat snapshot reads/restores use the same key as the write path.

* fix: log migration results at all early return points

migrateOrphanedSessionKeys runs before detectLegacyStateMigrations, so
it can canonicalize legacy keys (e.g. "main" → "agent:main:main") before
the legacy detector sees them. This caused the early return path to skip
logging, breaking doctor-state-migrations tests that assert log.info was
called.

Extract logMigrationResults helper and call it at every return point.

* fix: handle shared stores and ~ expansion in migration

P1: When session.store has no {agentId}, all agents resolve to the same
file. Track all agentIds per store path (Map<path, Set<id>>) and run
canonicalization once per agent. Skip cross-agent "agent:main:*"
remapping when "main" is a legitimate configured agent sharing the store,
to avoid merging its data into another agent's namespace.

P2: Use expandHomePrefix (environment-aware ~ resolution) instead of
os.homedir() in resolveStorePathFromTemplate, matching the runtime
resolveStorePath behavior for OPENCLAW_HOME/HOME overrides.

* fix: narrow cross-agent remap to provable orphan aliases only

Only remap agent:main:* keys where the suffix is a main session alias
("main" or the configured mainKey). Other agent:main:* keys — hooks,
subagents, cron sessions, per-sender keys — may be intentional
cross-agent references and must not be silently moved into another
agent's namespace.

* fix: run orphan-key session migration at gateway startup (#29683)

* fix: canonicalize cross-agent legacy main aliases in session keys (#29683)

* fix: guard shared-store migration against cross-agent legacy alias remap (#29683)

* refactor: split session-key migration out of pr 30654

---------

Co-authored-by: Your Name <your_email@example.com>
Co-authored-by: Ayaan Zaidi <hi@obviy.us>
 2026-03-29 18:59:25 +05:30
Mariano 17c36b5093
Gateway: track background task lifecycle (#52518) 
Merged via squash.

Prepared head SHA: 7c4554204e
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Reviewed-by: @mbelinky
 2026-03-29 12:48:02 +02:00
助爪 443295448c
Track ACP sessions_spawn runs and emit ACP lifecycle events (#40885) 
* Fix ACP sessions_spawn lifecycle tracking

* fix(tests): resolve leftover merge markers in sessions spawn lifecycle test

* fix(agents): clarify acp spawn cleanup semantics

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
 2026-03-29 18:20:10 +09:00
Vincent Koc af694def5b
fix(agents): fail closed on silent turns (#52593) 
* fix(agents): fail closed on silent turns

* fix(agents): suppress all silent turn emissions

* fix(agents): pass silent turns into embedded subscribe
 2026-03-29 17:40:20 +09:00
Peter Steinberger 8e0ab35b0e
refactor(plugins): decouple bundled plugin runtime loading 2026-03-29 09:10:38 +01:00
Vincent Koc 9777781001
fix(subagents): preserve requester agent for inline announces (#55998) 
* fix(subagents): preserve requester agent on inline announce

* docs(changelog): remove maintainer follow-up entry
 2026-03-29 17:00:05 +09:00
Ayaan Zaidi d5e59621a7 fix: keep telegram plugin fallback explicit (#45911) (thanks @suboss87) 2026-03-29 10:45:57 +05:30
Ayaan Zaidi 1791c7c304 fix: unify telegram exec approval auth 2026-03-29 10:45:57 +05:30
Subash Natarajan aee7992629 fix(telegram): accept approval callbacks from forwarding target recipients 
When approvals.exec.targets routes to a Telegram DM, the recipient
receives inline approval buttons but may not have explicit
channels.telegram.execApprovals configured. This adds a fallback
isTelegramExecApprovalTargetRecipient check so those DM recipients
can act on the buttons they were sent.

Includes accountId scoping for multi-bot deployments and 9 new tests.
 2026-03-29 10:45:57 +05:30
Tak Hoffman f1970b8aef
fix(line): normalize canonical ACP targets (#56713) 2026-03-28 21:05:34 -05:00
Tak Hoffman 6f7ff545dd
fix(line): add ACP binding parity (#56700) 
* fix(line): support ACP current-conversation binding

* fix(line): add ACP binding routing parity

* docs(changelog): note LINE ACP parity

* fix(line): accept canonical ACP binding targets
 2026-03-28 20:52:31 -05:00