5e3a86fd2f
feat(secrets): expand onboarding secret-ref flows and custom-provider parity
2026-02-26 14:47:22 +00:00
e8637c79b3
fix(secrets): harden sops migration sops rule matching
2026-02-26 14:47:22 +00:00
0e69660c41
feat(secrets): finalize external secrets runtime and migration hardening
2026-02-26 14:47:22 +00:00
c5b89fbaea
Docs: address review feedback on secrets docs
2026-02-26 14:47:22 +00:00
9203d583f9
Docs: add secrets and CLI secrets reference pages
2026-02-26 14:47:22 +00:00
c0a3801086
Docs: document secrets refs runtime and migration
2026-02-26 14:47:22 +00:00
7d8aeaaf06
fix(gateway): pin paired reconnect metadata for node policy
2026-02-26 14:11:04 +01:00
5df9aacf68
fix(podman): default run-openclaw-podman bind to loopback (land #27491 , thanks @robbyczgw-cla)
...
Co-authored-by: robbyczgw-cla <robbyczgw@gmail.com>
2026-02-26 12:13:20 +00:00
8bdda7a651
fix(security): keep DM pairing allowlists out of group auth
2026-02-26 12:58:18 +01:00
caace61ba1
chore: bump versions to 2026.2.26
2026-02-26 12:11:02 +01:00
1ffc319831
Doctor: keep allowFrom account-scoped in multi-account configs
2026-02-26 05:34:58 -05:00
a7d56e3554
feat: ACP thread-bound agents ( #23580 )
...
* docs: add ACP thread-bound agents plan doc
* docs: expand ACP implementation specification
* feat(acp): route ACP sessions through core dispatch and lifecycle cleanup
* feat(acp): add /acp commands and Discord spawn gate
* ACP: add acpx runtime plugin backend
* fix(subagents): defer transient lifecycle errors before announce
* Agents: harden ACP sessions_spawn and tighten spawn guidance
* Agents: require explicit ACP target for runtime spawns
* docs: expand ACP control-plane implementation plan
* ACP: harden metadata seeding and spawn guidance
* ACP: centralize runtime control-plane manager and fail-closed dispatch
* ACP: harden runtime manager and unify spawn helpers
* Commands: route ACP sessions through ACP runtime in agent command
* ACP: require persisted metadata for runtime spawns
* Sessions: preserve ACP metadata when updating entries
* Plugins: harden ACP backend registry across loaders
* ACPX: make availability probe compatible with adapters
* E2E: add manual Discord ACP plain-language smoke script
* ACPX: preserve streamed spacing across Discord delivery
* Docs: add ACP Discord streaming strategy
* ACP: harden Discord stream buffering for thread replies
* ACP: reuse shared block reply pipeline for projector
* ACP: unify streaming config and adopt coalesceIdleMs
* Docs: add temporary ACP production hardening plan
* Docs: trim temporary ACP hardening plan goals
* Docs: gate ACP thread controls by backend capabilities
* ACP: add capability-gated runtime controls and /acp operator commands
* Docs: remove temporary ACP hardening plan
* ACP: fix spawn target validation and close cache cleanup
* ACP: harden runtime dispatch and recovery paths
* ACP: split ACP command/runtime internals and centralize policy
* ACP: harden runtime lifecycle, validation, and observability
* ACP: surface runtime and backend session IDs in thread bindings
* docs: add temp plan for binding-service migration
* ACP: migrate thread binding flows to SessionBindingService
* ACP: address review feedback and preserve prompt wording
* ACPX plugin: pin runtime dependency and prefer bundled CLI
* Discord: complete binding-service migration cleanup and restore ACP plan
* Docs: add standalone ACP agents guide
* ACP: route harness intents to thread-bound ACP sessions
* ACP: fix spawn thread routing and queue-owner stall
* ACP: harden startup reconciliation and command bypass handling
* ACP: fix dispatch bypass type narrowing
* ACP: align runtime metadata to agentSessionId
* ACP: normalize session identifier handling and labels
* ACP: mark thread banner session ids provisional until first reply
* ACP: stabilize session identity mapping and startup reconciliation
* ACP: add resolved session-id notices and cwd in thread intros
* Discord: prefix thread meta notices consistently
* Discord: unify ACP/thread meta notices with gear prefix
* Discord: split thread persona naming from meta formatting
* Extensions: bump acpx plugin dependency to 0.1.9
* Agents: gate ACP prompt guidance behind acp.enabled
* Docs: remove temp experiment plan docs
* Docs: scope streaming plan to holy grail refactor
* Docs: refactor ACP agents guide for human-first flow
* Docs/Skill: add ACP feature-flag guidance and direct acpx telephone-game flow
* Docs/Skill: add OpenCode and Pi to ACP harness lists
* Docs/Skill: align ACP harness list with current acpx registry
* Dev/Test: move ACP plain-language smoke script and mark as keep
* Docs/Skill: reorder ACP harness lists with Pi first
* ACP: split control-plane manager into core/types/utils modules
* Docs: refresh ACP thread-bound agents plan
* ACP: extract dispatch lane and split manager domains
* ACP: centralize binding context and remove reverse deps
* Infra: unify system message formatting
* ACP: centralize error boundaries and session id rendering
* ACP: enforce init concurrency cap and strict meta clear
* Tests: fix ACP dispatch binding mock typing
* Tests: fix Discord thread-binding mock drift and ACP request id
* ACP: gate slash bypass and persist cleared overrides
* ACPX: await pre-abort cancel before runTurn return
* Extension: pin acpx runtime dependency to 0.1.11
* Docs: add pinned acpx install strategy for ACP extension
* Extensions/acpx: enforce strict local pinned startup
* Extensions/acpx: tighten acp-router install guidance
* ACPX: retry runtime test temp-dir cleanup
* Extensions/acpx: require proactive ACPX repair for thread spawns
* Extensions/acpx: require restart offer after acpx reinstall
* extensions/acpx: remove workspace protocol devDependency
* extensions/acpx: bump pinned acpx to 0.1.13
* extensions/acpx: sync lockfile after dependency bump
* ACPX: make runtime spawn Windows-safe
* fix: align doctor-config-flow repair tests with default-account migration (#23580 ) (thanks @osolmaz)
2026-02-26 11:00:09 +01:00
dfa0b5b4fc
Channels: move single-account config into accounts.default ( #27334 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 50b5771808
2026-02-26 04:06:03 -05:00
c289b5ff9f
fix(config): preserve agent-level apiKey/baseUrl during models.json merge ( #27293 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 6b4b37b03d
2026-02-26 03:46:36 -05:00
92c309f2e1
docs: fix wrong Providers link in configuration examples
2026-02-26 02:41:07 -06:00
96c7702526
Agents: add account-scoped bind and routing commands ( #27195 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: ad35a458a5
2026-02-26 02:36:56 -05:00
f08fe02a1b
Onboarding: support plugin-owned interactive channel flows ( #27191 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 53872cf8e7
2026-02-26 01:14:57 -05:00
91a3f0a3fe
pairing: enforce strict account-scoped state
2026-02-26 00:31:24 -05:00
35976da7a0
fix: harden Docker/GCP onboarding flow ( #26253 ) (thanks @pandego)
2026-02-26 04:46:18 +00:00
e8197404d0
Docker/docs: reduce docker build OOM risk on small GCP hosts
2026-02-26 04:46:18 +00:00
cb3e5c35b0
docs: fix onboarding markdown list spacing
2026-02-26 05:23:30 +01:00
4ada143794
docs(heartbeat): add directPolicy to config examples
2026-02-26 03:59:38 +01:00
8a006a3260
feat(heartbeat): add directPolicy and restore default direct delivery
2026-02-26 03:57:03 +01:00
b8bb8ab3ca
docs: clarify personal-by-default onboarding security notice
2026-02-26 02:59:34 +01:00
c736f11a16
fix(gateway): harden browser websocket auth chain
2026-02-26 01:22:49 +01:00
e56b0cf1a0
fix: enforce telegram reaction authorization
2026-02-26 01:03:03 +01:00
42f455739f
fix(security): clarify denyCommands exact-match guidance
2026-02-26 00:55:35 +01:00
eb73e87f18
fix(session): prevent silent overflow on parent thread forks ( #26912 )
...
Lands #26912 from @markshields-tl with configurable session.parentForkMaxTokens and docs/tests/changelog updates.
Co-authored-by: Mark Shields <239231357+markshields-tl@users.noreply.github.com>
2026-02-25 23:54:02 +00:00
8f3310000a
refactor(macos): remove anthropic oauth onboarding flow
2026-02-26 00:17:03 +01:00
8f5f599a34
docs(security): note narrow filesystem roots for tool access
2026-02-25 05:10:10 +00:00
52d933b3a9
refactor: replace bot.molt identifiers with ai.openclaw
2026-02-25 05:03:24 +00:00
480cc4b85c
chore: roll to 2026.2.25 unreleased
2026-02-25 03:35:33 +00:00
069c495df6
docs: clarify pairing commands in faq and troubleshooting
2026-02-25 02:50:17 +00:00
c2a837565c
docs: fix configure section example
2026-02-25 02:44:49 +00:00
bfafec2271
docs: expand doctor and devices CLI references
2026-02-25 02:41:13 +00:00
a12cbf8994
docs: refresh CLI and trusted-proxy docs
2026-02-25 02:40:12 +00:00
24d7612ddf
refactor(heartbeat): harden dm delivery classification
2026-02-25 02:13:07 +00:00
a805d6b439
fix(heartbeat): block dm targets and internalize blocked prompts
2026-02-25 02:05:45 +00:00
eb4a93a8db
refactor(sandbox): share container-path utils and tighten fs bridge tests
2026-02-25 01:59:53 +00:00
e2362d352d
fix(heartbeat): default target none and internalize relay prompts
2026-02-25 01:28:47 +00:00
ee6fec36eb
docs(discord): document DAVE defaults and decrypt recovery
2026-02-25 00:28:06 +00:00
9cd50c51b0
fix(discord): harden voice DAVE receive reliability ( #25861 )
...
Reimplements and consolidates related work:
- #24339 stale disconnect/destroyed session guards
- #25312 voice listener cleanup on stop
- #23036 restore @snazzah/davey runtime dependency
Adds Discord voice DAVE config passthrough, repeated decrypt failure
rejoin recovery, regression tests, docs, and changelog updates.
Co-authored-by: Frank Yang <frank.ekn@gmail.com>
Co-authored-by: Do Cao Hieu <admin@docaohieu.com>
2026-02-25 00:19:50 +00:00
b4010a0b62
fix(zalo): enforce group sender policy in groups
2026-02-24 23:30:43 +00:00
9fccf60733
refactor(synology-chat): centralize DM auth and fail fast startup
2026-02-24 23:28:40 +00:00
14b6eea6e3
feat(sandbox): block container namespace joins by default
2026-02-24 23:20:34 +00:00
0ee30361b8
fix(synology-chat): fail closed empty allowlist
2026-02-24 23:18:17 +00:00
b67e600bff
fix(security): restrict default safe-bin trusted dirs
2026-02-24 23:13:37 +00:00
e806b34779
chore: remove changelog add helper script
2026-02-24 15:33:09 +00:00
d18ae2256f
refactor: unify channel plugin resolution, family ordering, and changelog entry tooling
2026-02-24 15:15:22 +00:00
370d115549
fix: enforce workspaceOnly for native prompt image autoload
2026-02-24 14:47:59 +00:00
31b1b20b3c
docs: add WeChat community plugin listing
...
Add @icesword760/openclaw-wechat to the community plugins page.
This plugin connects OpenClaw to WeChat personal accounts via
WeChatPadPro (iPad protocol) with support for text, image, and
file exchange.
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-24 08:41:28 -06:00
8cc841766c
docs(security): enumerate dangerous config parameters
2026-02-24 14:25:43 +00:00
4d124e4a9b
feat(security): warn on likely multi-user trust-model mismatch
2026-02-24 14:03:19 +00:00
2bad30b4d3
chore(release): bump version to 2026.2.24
2026-02-24 13:42:43 +00:00
8ea936cdda
docs: clarify prompt caching intro
2026-02-24 05:22:00 +00:00
8c5cf2d5b2
docs(subagents): document default runTimeoutSeconds config ( #24594 ) (thanks @mitchmcalister)
2026-02-24 04:22:43 +00:00
1fdaaaedd3
Docs: clarify Chrome extension relay port derivation (gateway + 3)
2026-02-24 04:16:08 +00:00
aea28e26fb
fix(auto-reply): expand standalone stop phrases
2026-02-24 04:02:43 +00:00
a67689a7e3
fix: harden allow-always shell multiplexer wrapper handling
2026-02-24 03:06:51 +00:00
1d28da55a5
fix(voice-call): block Twilio webhook replay and stale transitions
2026-02-24 02:37:24 +00:00
5239b55c0a
Config: expand Kilo catalog and persist selected Kilo models ( #24921 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: f5a7e1a385
2026-02-23 21:17:37 -05:00
6c441ea797
fix: support legacy and beta prerelease version formats
2026-02-24 02:05:37 +00:00
223d7dc23d
feat(gateway)!: require explicit non-loopback control-ui origins
2026-02-24 01:57:11 +00:00
5eb72ab769
fix(security): harden browser SSRF defaults and migrate legacy key
2026-02-24 01:52:01 +00:00
f0f886ecc4
docs(security): clarify gateway-node trust boundary in docs
2026-02-24 01:35:44 +00:00
12cc754332
fix(acp): harden permission auto-approval policy
2026-02-24 01:03:30 +00:00
ddf93d9845
docs(security): add vps trust-boundary guidance
2026-02-24 01:02:11 +00:00
cfa44ea6b4
fix(security): make allowFrom id-only by default with dangerous name opt-in ( #24907 )
...
* fix(channels): default allowFrom to id-only; add dangerous name opt-in
* docs(security): align channel allowFrom docs with id-only default
2026-02-24 01:01:51 +00:00
41b0568b35
docs(security): clarify shared-agent trust boundaries
2026-02-24 01:00:05 +00:00
400220275c
docs: clarify multi-instance recommendations for user isolation
2026-02-24 00:40:08 +00:00
7d55277d72
docs: clarify operator trust boundary for shared gateways
2026-02-24 00:25:01 +00:00
3b8e33037a
fix(security): harden safeBins long-option validation
2026-02-23 23:58:58 +00:00
13f32e2f7d
feat: Add Kilo Gateway provider ( #20212 )
...
* feat: Add Kilo Gateway provider
Add support for Kilo Gateway as a model provider, similar to OpenRouter.
Kilo Gateway provides a unified API that routes requests to many models
behind a single endpoint and API key.
Changes:
- Add kilocode provider option to auth-choice and onboarding flows
- Add KILOCODE_API_KEY environment variable support
- Add kilocode/ model prefix handling in model-auth and extra-params
- Add provider documentation in docs/providers/kilocode.md
- Update model-providers.md with Kilo Gateway section
- Add design doc for the integration
* kilocode: add provider tests and normalize onboard auth-choice registration
* kilocode: register in resolveImplicitProviders so models appear in provider filter
* kilocode: update base URL from /api/openrouter/ to /api/gateway/
* docs: fix formatting in kilocode docs
* fix: address PR review — remove kilocode from cacheRetention, fix stale model refs and CLI name in docs, fix TS2742
* docs: fix stale refs in design doc — Moltbot to OpenClaw, MoltbotConfig to OpenClawConfig, remove extra-params section, fix doc path
* fix: use resolveAgentModelPrimaryValue for AgentModelConfig union type
---------
Co-authored-by: Mark IJbema <mark@kilocode.ai>
2026-02-23 23:29:27 +00:00
eff3c5c707
Session/Cron maintenance hardening and cleanup UX ( #24753 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 7533b85156
2026-02-23 22:39:48 +00:00
9af3ec92a5
fix(gateway): add HSTS header hardening and docs
2026-02-23 19:47:29 +00:00
69b17a37e8
docs(reference): add cache trace diagnostics knobs to prompt-caching guide
2026-02-23 19:39:35 +00:00
46dee26600
docs(reference): add prompt-caching guide and knobs
...
Co-authored-by: Axel Svensson <svenssonaxel@users.noreply.github.com>
2026-02-23 19:19:45 +00:00
78e7f41d28
docs: detail per-agent prompt caching configuration
2026-02-23 18:46:40 +00:00
f03ff39754
Providers: skip context1m beta for Anthropic OAuth tokens ( #24620 )
...
* Providers: skip context1m beta for Anthropic OAuth tokens
* Tests: cover OAuth context1m beta skip behavior
* Docs: note context1m OAuth incompatibility
* Agents: add context1m-aware context token resolver
* Agents: cover context1m context-token resolver
* Commands: apply context1m-aware context tokens in session store
* Commands: apply context1m-aware context tokens in status summary
* Status: resolve context tokens with context1m model params
* Status: test context1m status context display
2026-02-23 12:29:09 -05:00
eb4ff6df81
Allow Claude model requests to route through Google Vertex AI ( #23985 )
...
* feat: add anthropic-vertex provider for Claude via GCP Vertex AI
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: sallyom <somalley@redhat.com>
* docs: add anthropic-vertex provider guide
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: sallyom <somalley@redhat.com>
* Agents: validate Anthropic Vertex project env
* Changelog: format update for Vertex entry
* Providers: rename Anthropic Vertex to Google Vertex Claude
* Providers: remove Vertex Claude provider path
* Models: normalize Vercel Claude shorthand refs
* Onboarding: default Vercel model to Claude shorthand
* Changelog: add @vincentkoc credit for #23985
* Onboarding: keep canonical Vercel default model ref
* Tests: expand Vercel model normalization coverage
---------
Signed-off-by: sallyom <somalley@redhat.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-02-23 11:04:31 -05:00
3a3c2da916
[Feature]: Add Gemini (Google Search grounding) as web_search provider ( #13075 )
...
* feat: add Gemini (Google Search grounding) as web_search provider
Add Gemini as a fourth web search provider alongside Brave, Perplexity,
and Grok. Uses Gemini's built-in Google Search grounding tool to return
search results with citations.
- Add runGeminiSearch() with Google Search grounding via tools API
- Resolve Gemini's grounding redirect URLs to direct URLs via parallel
HEAD requests (5s timeout, graceful fallback)
- Add Gemini config block (apiKey, model) with env var fallback
- Default model: gemini-2.5-flash (fast, cheap, grounding-capable)
- Strip API key from error messages for security
- Add config validation tests for Gemini provider
- Update docs/tools/web.md with Gemini provider documentation
Closes #13074
* feat: auto-detect search provider from available API keys
When no explicit provider is configured, resolveSearchProvider now
checks for available API keys in priority order (Brave → Gemini →
Perplexity → Grok) and selects the first provider with a valid key.
- Add auto-detection logic using existing resolve*ApiKey functions
- Export resolveSearchProvider via __testing_provider for tests
- Add 8 tests covering auto-detection, priority order, and explicit override
- Update docs/tools/web.md with auto-detection documentation
* fix: merge __testing exports, downgrade auto-detect log to debug
* fix: use defaultRuntime.log instead of .debug (not in RuntimeEnv type)
* fix: mark gemini apiKey as sensitive in zod schema
* fix: address Greptile review — add externalContent to Gemini payload, add Gemini/Grok entries to schema labels/help, remove dead schema-fields.ts
* fix(web-search): add JSON parse guard for Gemini API responses
Addresses Greptile review comment: add try/catch to handle non-JSON
responses from Gemini API gracefully, preventing runtime errors on
malformed responses.
Note: FIELD_HELP entries for gemini.apiKey and gemini.model were
already present in schema.help.ts, and gemini.apiKey was already
marked as sensitive in zod-schema.agent-runtime.ts (both fixed in
earlier commits).
* fix: use structured readResponseText result in Gemini error path
readResponseText returns { text, truncated, bytesRead }, not a string.
The Gemini error handler was using the result object directly, which
would always be truthy and never fall through to res.statusText.
Align with Perplexity/xAI/Brave error patterns.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* style: fix import order and formatting after rebase onto main
* Web search: send Gemini API key via header
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-02-23 09:30:51 -05:00
c92c3ad224
Tests: isolate quick_validate stub and remove DS_Store
2026-02-23 03:25:37 -05:00
a4c373935f
fix(agents): fall back to agents.defaults.model when agent has no model config ( #24210 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 0f272b1027
2026-02-23 03:18:55 -05:00
9e1a13bf4c
Gateway/UI: data-driven agents tools catalog with provenance (openclaw#24199) thanks @Takhoffman
...
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- gh pr checks 24199 --watch --fail-fast
Co-authored-by: Takhoffman <781889+Takhoffman@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
2026-02-22 23:55:59 -06:00
77c3b142a9
Web UI: add full cron edit parity, all-jobs run history, and compact filters (openclaw#24155) thanks @Takhoffman
...
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test:macmini
Co-authored-by: Takhoffman <781889+Takhoffman@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
2026-02-22 23:05:42 -06:00
558a0137bb
chore(release): bump versions to 2026.2.23
2026-02-23 05:13:46 +01:00
278331c49c
fix(exec): restore sandbox as implicit host default
2026-02-23 01:48:24 +01:00
1c2c7843a8
docs: add synology channel docs and fix unreleased changelog
2026-02-23 01:16:05 +01:00
d92ba4f8aa
feat: Provider/Mistral full support for Mistral on OpenClaw 🇫🇷 ( #23845 )
...
* Onboard: add Mistral auth choice and CLI flags
* Onboard/Auth: add Mistral provider config defaults
* Auth choice: wire Mistral API-key flow
* Onboard non-interactive: support --mistral-api-key
* Media understanding: add Mistral Voxtral audio provider
* Changelog: note Mistral onboarding and media support
* Docs: add Mistral provider and onboarding/media references
* Tests: cover Mistral media registry/defaults and auth mapping
* Memory: add Mistral embeddings provider support
* Onboarding: refresh Mistral model metadata
* Docs: document Mistral embeddings and endpoints
* Memory: persist Mistral embedding client state in managers
* Memory: add regressions for mistral provider wiring
* Gateway: add live tool probe retry helper
* Gateway: cover live tool probe retry helper
* Gateway: retry malformed live tool-read probe responses
* Memory: support plain-text batch error bodies
* Tests: add Mistral Voxtral live transcription smoke
* Docs: add Mistral live audio test command
* Revert: remove Mistral live voice test and docs entry
* Onboard: re-export Mistral default model ref from models
* Changelog: credit joeVenner for Mistral work
* fix: include Mistral in auto audio key fallback
* Update CHANGELOG.md
* Update CHANGELOG.md
---------
Co-authored-by: Shakker <shakkerdroid@gmail.com>
2026-02-23 00:03:56 +00:00
1d8968c8a8
fix(voice-call): harden media stream pre-start websocket handling
2026-02-22 23:25:32 +01:00
24c954d972
fix(security): harden allow-always wrapper persistence
2026-02-22 22:55:33 +01:00
64b273a71c
fix(exec): harden safe-bin trust and add explicit trusted dirs
2026-02-22 22:43:18 +01:00
e4d67137db
fix(node): default mac headless system.run to local host
...
Co-authored-by: aethnova <262512133+aethnova@users.noreply.github.com>
2026-02-22 22:24:28 +01:00
6817c0ec7b
fix(security): tighten elevated allowFrom sender matching
2026-02-22 22:00:08 +01:00
3a088c9f4f
docs: prune completed experiment plan notes
2026-02-22 21:56:01 +01:00
b0252ab90c
docs: fix canonical session doc path hint
2026-02-22 21:35:14 +01:00
acfbe158c6
docs: point pi extension paths to real source files
2026-02-22 21:32:28 +01:00
820d765553
docs: update outbound refactor test path
2026-02-22 21:28:08 +01:00
6ed08ddc24
docs: fix stale test file paths in experiment plans
2026-02-22 21:24:48 +01:00
c73837d269
docs: replace stale pi test file list with maintained patterns
2026-02-22 21:21:08 +01:00
dff9ead59a
docs: refresh gateway test references in testing guide
2026-02-22 21:16:53 +01:00
30e8f41cfc
docs: fix stale release checklist source paths
2026-02-22 21:15:09 +01:00
06b4baf67f
docs: remove internal hook import paths from examples
2026-02-22 21:12:49 +01:00
5dba7501c9
docs: update stale tsgo reference in pty plan
2026-02-22 21:10:14 +01:00
9c480d4dea
docs: replace removed pi test script with current commands
2026-02-22 21:07:34 +01:00
5547a2275c
fix(security): harden toolsBySender sender-key matching
2026-02-22 21:04:37 +01:00
3461dda880
docs: fix voicecall expose disable example
2026-02-22 20:58:28 +01:00
0d4c806406
docs: fix devices approve command in exe.dev guide
2026-02-22 20:52:46 +01:00
e0d4194869
docs: add missing summary/read_when metadata
2026-02-22 20:45:09 +01:00
371a7da9c8
docs: add missing summaries and read_when hints
2026-02-22 20:37:02 +01:00
f5814cc002
docs: add extension channels to Channels nav
2026-02-22 20:28:05 +01:00
290f375aa1
docs: fix Together provider env path
2026-02-22 20:23:40 +01:00
6fef318fda
docs: replace legacy chat examples in Venice provider guide
2026-02-22 20:15:07 +01:00
72446f419f
docs: align CLI docs and help surface
2026-02-22 20:05:01 +01:00
0c1f491a02
fix(gateway): clarify pairing and node auth guidance
2026-02-22 19:50:29 +01:00
89a1e99815
fix(slack): finalize replyToMode off threading behavior ( #23799 )
...
* fix: make replyToMode 'off' actually prevent threading in Slack
Three independent bugs caused Slack replies to always create threads
even when replyToMode was set to 'off':
1. Typing indicator created threads via statusThreadTs fallback (#16868 )
- resolveSlackThreadTargets fell back to messageTs for statusThreadTs
- 'is typing...' was posted as thread reply, creating a thread
- Fix: remove messageTs fallback, let statusThreadTs be undefined
2. [[reply_to_current]] tags bypassed replyToMode entirely (#16080 )
- Slack dock had allowExplicitReplyTagsWhenOff: true
- Reply tags from system prompt always threaded regardless of config
- Fix: set allowExplicitReplyTagsWhenOff to false for Slack
3. Contradictory replyToMode defaults in codebase (#20827 )
- monitor/provider.ts defaulted to 'all'
- accounts.ts defaulted to 'off' (matching docs)
- Fix: align provider.ts default to 'off' per documentation
Fixes : openclaw/openclaw#16868 , openclaw/openclaw#16080 , openclaw/openclaw#20827
* fix(slack): respect replyToMode in DMs even with typing indicator thread
When replyToMode is 'off' in DMs, replies should stay in the main
conversation even when the typing indicator creates a thread context.
Previously, when incomingThreadTs was set (from the typing indicator's
thread), replyToMode was forced to 'all', causing all replies to go
into the thread.
Now, for direct messages, the user's configured replyToMode is always
respected. For channels/groups, the existing behavior is preserved
(stay in thread if already in one).
This fix:
- Keeps the typing indicator working (statusThreadTs fallback preserved)
- Prevents DM replies from being forced into threads
- Maintains channel thread continuity
Fixes #16868
* refactor(slack): eliminate redundant resolveSlackThreadContext call
- Add isThreadReply to resolveSlackThreadTargets return value
- Remove duplicate call in dispatch.ts
- Addresses greptile review feedback with cleaner DRY approach
* docs(slack): add JSDoc to resolveSlackThreadTargets
Document return values including isThreadReply distinction between
genuine user thread replies vs bot status message thread context.
* docs(changelog): record Slack replyToMode off threading fixes
---------
Co-authored-by: James <jamesrp13@gmail.com>
Co-authored-by: theoseo <suhong.seo@gmail.com>
2026-02-22 13:27:50 -05:00
08431da5d5
refactor(gateway): unify credential precedence across entrypoints
2026-02-22 18:55:44 +01:00
e58054b85c
docs(telegram): align Node22 network defaults and setup guidance
2026-02-22 17:54:16 +01:00
f442a3539f
feat(update): add core auto-updater and dry-run preview
2026-02-22 17:11:36 +01:00
a5e2bd4eaa
docs: document verbose-gated tool error details
2026-02-22 15:26:48 +01:00
adfbbcf1f6
chore: merge origin/main into main
2026-02-22 13:42:52 +00:00
3308c86002
docs: keep channel names only in thread-support list
2026-02-22 14:39:40 +01:00
418e4e32c9
docs: clarify thread-bound subagents are Discord-only
2026-02-22 14:39:40 +01:00
c952334808
docs: list thread supporting channels in subagents guide
2026-02-22 14:39:40 +01:00
0b9b9d4301
docs: make subagents thread guidance channel-first
2026-02-22 14:39:40 +01:00
0d0f4c6992
refactor(exec): centralize safe-bin policy checks
2026-02-22 13:18:25 +01:00
47c3f742b6
fix(exec): require explicit safe-bin profiles
2026-02-22 12:58:55 +01:00
e80c803fa8
fix(security): block shell env allowlist bypass in system.run
2026-02-22 12:47:05 +01:00
6fda04e938
refactor: tighten onboarding dmScope typing and docs links
2026-02-22 12:46:09 +01:00
65dccbdb4b
fix: document onboarding dmScope default as breaking change ( #23468 ) (thanks @bmendonca3)
2026-02-22 12:36:49 +01:00
85e5ed3f78
refactor(channels): centralize runtime group policy handling
2026-02-22 12:35:41 +01:00
777817392d
fix: fail closed missing provider group policy across message channels ( #23367 ) (thanks @bmendonca3)
2026-02-22 12:21:04 +01:00
3700151ec0
Channels: fail closed when Slack/Discord config is missing
2026-02-22 12:18:43 +01:00
b98d3330f6
docs: update pty supervision test command paths
2026-02-22 10:48:37 +00:00
2739328508
fix(telegram): classify undici fetch errors as recoverable for retry ( #16699 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 67b5bce44f
2026-02-22 16:16:11 +05:30
c995f9be07
test: reclassify mocked announce and sandbox suites as unit tests
2026-02-22 10:28:43 +00:00
bc78b343ba
Security: expand audit checks for mDNS and real-IP fallback
2026-02-22 11:26:17 +01:00
98a03c490b
Feat/logger support log level validation0222 ( #23436 )
...
* 1、环境变量**:新增 `OPENCLAW_LOG_LEVEL`,可取值 `silent|fatal|error|warn|info|debug|trace`。设置后同时覆盖**文件日志**与**控制台**的级别,优先级高于配置文件。
2、启动参数**:在 `openclaw gateway run` 上新增 `--log-level <level>`,对该次进程同时生效于文件与控制台;未传时仍使用环境变量或配置文件。
* fix(logging): make log-level override global and precedence-safe
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-02-22 11:15:13 +01:00
1b327da6e3
fix: harden exec sandbox fallback semantics ( #23398 ) (thanks @bmendonca3)
2026-02-22 11:12:01 +01:00
c76a47cce2
Exec: fail closed when sandbox host is unavailable
2026-02-22 11:12:01 +01:00
8887f41d7d
refactor(gateway)!: remove legacy v1 device-auth handshake
2026-02-22 09:27:03 +01:00
008a8c9dc6
chore(docs): normalize security finding table formatting
2026-02-22 08:03:29 +00:00
265da4dd2a
fix(security): harden gateway command/audit guardrails
2026-02-22 08:45:48 +01:00
121d027229
chore: remove dead plugin hook loader
2026-02-22 08:45:24 +01:00
049b8b14bc
fix(security): flag open-group runtime/fs exposure in audit
2026-02-22 08:22:51 +01:00
817905f3a0
docs: document thread-bound subagent sessions and remove plan
2026-02-21 19:59:55 +01:00
2c14b0cf4c
refactor(config): unify streaming config across channels
2026-02-21 19:53:42 +01:00
f97c45c5b5
fix(security): warn on Discord name-based allowlists in audit
2026-02-21 19:45:17 +01:00
89aad7b922
refactor: tighten safe-bin policy model and docs parity
2026-02-21 19:24:23 +01:00
4c1dd9d068
fix(security): harden macos rawCommand allowlist resolution
2026-02-21 19:17:56 +01:00
joshavant
Peter Steinberger
Gustavo Madeira Santana
Onur Solmaz
Sid
yinghaosang
pandego
zzzz
Kriz Poon
Peter Steinberger
John Fawcett
Gustavo Madeira Santana
Vincent Koc
Sally O'Malley
AkosCz
边黎安
Tak Hoffman
Brian Mendonca
Glucksberg
maweibin