f692288301
feat(cron): add --session-key option to cron add/edit CLI commands
...
Expose the existing CronJob.sessionKey field through the CLI so users
can target cron jobs at specific named sessions without needing an
external shell script + system crontab workaround.
The backend already fully supports sessionKey on cron jobs - this
change wires it to the CLI surface with --session-key on cron add,
and --session-key / --clear-session-key on cron edit.
Closes #27158
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 12:28:49 +00:00
452a8c9db9
fix: use canonical cron session detection for spawn note
2026-02-26 17:54:27 +05:30
69590de276
fix: suppress SUBAGENT_SPAWN_ACCEPTED_NOTE for cron isolated sessions
...
The 'do not poll/sleep' note added to sessions_spawn tool results causes
cron isolated agents to immediately end their turn, since the note tells
them not to wait for subagent results. In cron isolated sessions, the
agent turn IS the entire run, so ending early means subagent results
are never collected.
Fix: detect cron sessions via includes(':cron:') in agentSessionKey
and suppress the note, allowing the agent to poll/wait naturally.
Note: PR #27330 used startsWith('cron:') which never matches because
the session key format is 'agent:main:cron:...' (starts with 'agent:').
Fixes #27308
Fixes #25069
2026-02-26 17:54:27 +05:30
46eba86b45
fix: harden workspace boundary path resolution
2026-02-26 13:19:59 +01:00
ecb2053fdd
chore(pr): guard against dropped changelog refs
2026-02-26 13:19:25 +01:00
125dc322f5
refactor(feishu): unify account-aware tool routing and message body
2026-02-26 13:19:25 +01:00
5df9aacf68
fix(podman): default run-openclaw-podman bind to loopback (land #27491 , thanks @robbyczgw-cla)
...
Co-authored-by: robbyczgw-cla <robbyczgw@gmail.com>
2026-02-26 12:13:20 +00:00
a288f3066f
fix(gateway): warn on non-loopback bind at startup (land #25397 , thanks @let5sne)
...
Co-authored-by: let5sne <let5sne@users.noreply.github.com>
2026-02-26 12:13:20 +00:00
327f0526d1
fix(gateway): use loopback for CLI status probe when bind=lan (land #26997 , thanks @chikko80)
...
Co-authored-by: Manuel Seitz <seitzmanuel0@gmail.com>
2026-02-26 12:13:20 +00:00
da53015ef5
fix(onboard): seed Control UI origins for non-loopback binds (land #26157 , thanks @stakeswky)
...
Co-authored-by: 不做了睡大觉 <stakeswky@users.noreply.github.com>
2026-02-26 12:13:20 +00:00
a97cec0018
refactor: harden remaining plugin manifest reads
2026-02-26 13:12:44 +01:00
892a9c24b0
refactor(security): centralize channel allowlist auth policy
2026-02-26 13:06:33 +01:00
eac86c2081
refactor: unify boundary hardening for file reads
2026-02-26 13:04:37 +01:00
cf4853e2b8
fix: avoid duplicate feishu permission-error dispatch replies ( #27381 ) (thanks @byungsker)
2026-02-26 12:03:41 +00:00
736ec9690f
fix(feishu): merge permission error notice into main dispatch instead of separate agent turn
...
When the sender-name lookup fails with a Feishu permission error (code
99991672), the bot was dispatching two separate agent turns:
1. A dedicated permission-error notification turn
2. The regular inbound user message turn
This caused two bot replies for a single user message, degrading UX and
wasting tokens.
Fix: instead of a separate dispatch, append the permission error notice
directly to the main messageBody. The agent receives both the user's
message and the system notice in a single turn, and responds once.
Fixes #27372
2026-02-26 12:03:41 +00:00
d671d7a0a2
fix: preserve feishu message_id in agent-visible body ( #27253 ) (thanks @xss925175263)
2026-02-26 12:02:00 +00:00
6d52b47076
feishu: send message_id in BodyForAgent ( fix #27218 )
2026-02-26 12:02:00 +00:00
db6c513d1e
feishu: include message_id in agent message body ( fix #27218 )
2026-02-26 12:02:00 +00:00
6632fd1ea9
refactor(security): extract protected-route path policy helpers
2026-02-26 13:01:22 +01:00
39b5ffdaa6
fix: route feishu doc tools by agent account context ( #27338 ) (thanks @AaronL725)
2026-02-26 12:00:45 +00:00
58c100f66f
fix(feishu): remove hook registration, fix docx getClient call
2026-02-26 12:00:45 +00:00
10d9549764
fix(feishu): fix hook types and docx client call
2026-02-26 12:00:45 +00:00
151ee6014a
fix(feishu): route doc tools by agent account
...
Previously feishu_doc always used accounts[0], so multi-account setups created docs under the first bot regardless of the calling agent.
This change resolves accountId via a before_tool_call hook (defaulting from agentAccountId) and selects the Feishu client per call.
Fixes #27321
2026-02-26 12:00:45 +00:00
8bdda7a651
fix(security): keep DM pairing allowlists out of group auth
2026-02-26 12:58:18 +01:00
d08dafb08f
fix(feishu): bitable tools use listEnabledFeishuAccounts for multi-account mode ( #27244 )
...
The bitable tool registration was reading credentials directly from
top-level feishuCfg.appId/appSecret, missing the accounts.* path used
in multi-account mode. Align with drive.ts and wiki.ts by using
listEnabledFeishuAccounts() which handles both legacy and multi-account
configurations.
2026-02-26 11:56:18 +00:00
0ed675b1df
fix(security): harden canonical auth matching for plugin channel routes
2026-02-26 12:55:33 +01:00
0231cac957
feat(typing): add TTL safety-net for stuck indicators (land #27428 , thanks @Crpdim)
...
Co-authored-by: Crpdim <crpdim@users.noreply.github.com>
2026-02-26 11:48:50 +00:00
3d30ba18a2
fix(slack): gate member and message subtype system events
2026-02-26 12:48:20 +01:00
da0ba1b73a
fix(security): harden channel auth path checks and exec approval routing
2026-02-26 12:46:05 +01:00
b096ad267e
fix(telegram): add sendChatAction 401 backoff guard (land #27415 , thanks @widingmarcus-cyber)
...
Co-authored-by: Marcus Widing <widing.marcus@gmail.com>
2026-02-26 11:45:57 +00:00
b74be2577f
refactor(web): unify proxy-guarded fetch path for web tools
2026-02-26 12:44:18 +01:00
8bf1c9a23a
fix(typing): stop keepalive restarts after run completion (land #27413 , thanks @widingmarcus-cyber)
...
Co-authored-by: Marcus Widing <widing.marcus@gmail.com>
2026-02-26 11:42:38 +00:00
fec3fdf7ef
test(msteams): align silent-prefix expectation with exact NO_REPLY semantics
2026-02-26 11:42:38 +00:00
242188b7b1
refactor: unify boundary-safe reads for bootstrap and includes
2026-02-26 12:42:14 +01:00
199ef9f8ea
fix(typing): add main-run dispatch idle safety net (land #27250 , thanks @Sid-Qin)
...
Co-authored-by: Sid Qin <s3734389@gmail.com>
2026-02-26 11:36:08 +00:00
46003e85bf
fix: unify web tool proxy path ( #27430 ) (thanks @kevinWangSheng)
2026-02-26 11:32:43 +00:00
d8e2030d47
fix(web-search): honor HTTP_PROXY environment variable for Brave Search API
...
The web_search tool was not respecting HTTP_PROXY/HTTPS_PROXY environment
variables, causing 'fetch failed' errors when running behind a proxy.
This fix adds ProxyAgent support for the Brave Search API, similar to how
other tools in OpenClaw handle proxy configuration.
Fixes #27405
2026-02-26 11:32:43 +00:00
9925ac6a2d
fix(config): harden include file loading path checks
2026-02-26 12:23:31 +01:00
caace61ba1
chore: bump versions to 2026.2.26
2026-02-26 12:11:02 +01:00
e7b600e318
chore(acpx): bump package version to 2026.2.25
2026-02-26 16:29:12 +05:30
4f869b2b76
docs(changelog): thank @emanuelst for telegram preview fix ( #27449 )
2026-02-26 16:24:31 +05:30
d9ed2c425a
fix(telegram): prime final preview before stop flush
2026-02-26 16:24:31 +05:30
e273b9851e
Tests: tighten discord work account type in doctor config flow
2026-02-26 05:38:53 -05:00
1ffc319831
Doctor: keep allowFrom account-scoped in multi-account configs
2026-02-26 05:34:58 -05:00
97fa44dc82
fix: changelog for NO_REPLY streaming fix ( #19576 ) (thanks @aldoeliacim)
2026-02-26 16:04:48 +05:30
133f14c0af
docs(auto-reply): align silent token comment with regex
2026-02-26 16:04:48 +05:30
e64d72299e
fix(auto-reply): tighten silent token semantics and prefix streaming
2026-02-26 16:04:48 +05:30
2f2110a32c
fix: tighten isSilentReplyText to match whole-text only
...
The suffix regex matched NO_REPLY at the end of any response,
suppressing substantive replies when models (e.g. Gemini 3 Pro)
appended NO_REPLY to real content.
Replace prefix+suffix regexes with a single whole-string match.
Only responses that are entirely the silent token (with optional
whitespace) are now suppressed.
Add unit tests for the fix.
Fixes #19537
2026-02-26 16:04:48 +05:30
a7d56e3554
feat: ACP thread-bound agents ( #23580 )
...
* docs: add ACP thread-bound agents plan doc
* docs: expand ACP implementation specification
* feat(acp): route ACP sessions through core dispatch and lifecycle cleanup
* feat(acp): add /acp commands and Discord spawn gate
* ACP: add acpx runtime plugin backend
* fix(subagents): defer transient lifecycle errors before announce
* Agents: harden ACP sessions_spawn and tighten spawn guidance
* Agents: require explicit ACP target for runtime spawns
* docs: expand ACP control-plane implementation plan
* ACP: harden metadata seeding and spawn guidance
* ACP: centralize runtime control-plane manager and fail-closed dispatch
* ACP: harden runtime manager and unify spawn helpers
* Commands: route ACP sessions through ACP runtime in agent command
* ACP: require persisted metadata for runtime spawns
* Sessions: preserve ACP metadata when updating entries
* Plugins: harden ACP backend registry across loaders
* ACPX: make availability probe compatible with adapters
* E2E: add manual Discord ACP plain-language smoke script
* ACPX: preserve streamed spacing across Discord delivery
* Docs: add ACP Discord streaming strategy
* ACP: harden Discord stream buffering for thread replies
* ACP: reuse shared block reply pipeline for projector
* ACP: unify streaming config and adopt coalesceIdleMs
* Docs: add temporary ACP production hardening plan
* Docs: trim temporary ACP hardening plan goals
* Docs: gate ACP thread controls by backend capabilities
* ACP: add capability-gated runtime controls and /acp operator commands
* Docs: remove temporary ACP hardening plan
* ACP: fix spawn target validation and close cache cleanup
* ACP: harden runtime dispatch and recovery paths
* ACP: split ACP command/runtime internals and centralize policy
* ACP: harden runtime lifecycle, validation, and observability
* ACP: surface runtime and backend session IDs in thread bindings
* docs: add temp plan for binding-service migration
* ACP: migrate thread binding flows to SessionBindingService
* ACP: address review feedback and preserve prompt wording
* ACPX plugin: pin runtime dependency and prefer bundled CLI
* Discord: complete binding-service migration cleanup and restore ACP plan
* Docs: add standalone ACP agents guide
* ACP: route harness intents to thread-bound ACP sessions
* ACP: fix spawn thread routing and queue-owner stall
* ACP: harden startup reconciliation and command bypass handling
* ACP: fix dispatch bypass type narrowing
* ACP: align runtime metadata to agentSessionId
* ACP: normalize session identifier handling and labels
* ACP: mark thread banner session ids provisional until first reply
* ACP: stabilize session identity mapping and startup reconciliation
* ACP: add resolved session-id notices and cwd in thread intros
* Discord: prefix thread meta notices consistently
* Discord: unify ACP/thread meta notices with gear prefix
* Discord: split thread persona naming from meta formatting
* Extensions: bump acpx plugin dependency to 0.1.9
* Agents: gate ACP prompt guidance behind acp.enabled
* Docs: remove temp experiment plan docs
* Docs: scope streaming plan to holy grail refactor
* Docs: refactor ACP agents guide for human-first flow
* Docs/Skill: add ACP feature-flag guidance and direct acpx telephone-game flow
* Docs/Skill: add OpenCode and Pi to ACP harness lists
* Docs/Skill: align ACP harness list with current acpx registry
* Dev/Test: move ACP plain-language smoke script and mark as keep
* Docs/Skill: reorder ACP harness lists with Pi first
* ACP: split control-plane manager into core/types/utils modules
* Docs: refresh ACP thread-bound agents plan
* ACP: extract dispatch lane and split manager domains
* ACP: centralize binding context and remove reverse deps
* Infra: unify system message formatting
* ACP: centralize error boundaries and session id rendering
* ACP: enforce init concurrency cap and strict meta clear
* Tests: fix ACP dispatch binding mock typing
* Tests: fix Discord thread-binding mock drift and ACP request id
* ACP: gate slash bypass and persist cleared overrides
* ACPX: await pre-abort cancel before runTurn return
* Extension: pin acpx runtime dependency to 0.1.11
* Docs: add pinned acpx install strategy for ACP extension
* Extensions/acpx: enforce strict local pinned startup
* Extensions/acpx: tighten acp-router install guidance
* ACPX: retry runtime test temp-dir cleanup
* Extensions/acpx: require proactive ACPX repair for thread spawns
* Extensions/acpx: require restart offer after acpx reinstall
* extensions/acpx: remove workspace protocol devDependency
* extensions/acpx: bump pinned acpx to 0.1.13
* extensions/acpx: sync lockfile after dependency bump
* ACPX: make runtime spawn Windows-safe
* fix: align doctor-config-flow repair tests with default-account migration (#23580 ) (thanks @osolmaz)
2026-02-26 11:00:09 +01:00
a9d9a968ed
chore(changelog): move post release entries to unreleased section
2026-02-26 04:59:54 -05:00
Matt Hulme
Ayaan Zaidi
Taras Lukavyi
Peter Steinberger
lbo728
xianshishan
root
echoVic
Kevin Shenghui
Gustavo Madeira Santana
HAL
Onur Solmaz