Ayuriel/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
19,105 Commits 756 Branches 79 Tags
Commit Graph

4918 Commits

Author SHA1 Message Date
Peter Steinberger
ecdbd8aa52 fix(security): restrict leaf subagent control scope 2026-03-11 01:12:22 +00:00
Peter Steinberger
f604cbedf3 fix: remove stale allowlist matcher cache 2026-03-11 00:00:04 +00:00
Josh Avant
36d2ae2a22 SecretRef: harden custom/provider secret persistence and reuse (#42554) 
* Models: gate custom provider keys by usable secret semantics

* Config: project runtime writes onto source snapshot

* Models: prevent stale apiKey preservation for marker-managed providers

* Runner: strip SecretRef marker headers from resolved models

* Secrets: scan active agent models.json path in audit

* Config: guard runtime-source projection for unrelated configs

* Extensions: fix onboarding type errors in CI

* Tests: align setup helper account-enabled expectation

* Secrets audit: harden models.json file reads

* fix: harden SecretRef custom/provider secret persistence (#42554) (thanks @joshavant)
 2026-03-10 23:55:10 +00:00
Peter Steinberger
658cf4bd94 fix: harden archive extraction destinations 2026-03-10 23:49:35 +00:00
Peter Steinberger
201420a7ee fix: harden secret-file readers 2026-03-10 23:40:10 +00:00
David Guttman
b517dc089a
feat(discord): add autoArchiveDuration config option (#35065) 
* feat(discord): add autoArchiveDuration config option

Add config option to control auto-archive duration for auto-created threads:

- autoArchiveDuration: 60 (default), 1440, 4320, or 10080
  - Sets archive duration in minutes (1hr/1day/3days/1week)
  - Accepts both string and numeric values
  - Discord's default was 60 minutes (hardcoded)

Example config:
```yaml
channels:
  discord:
    guilds:
      GUILD_ID:
        channels:
          CHANNEL_ID:
            autoThread: true
            autoArchiveDuration: 10080  # 1 week
```

* feat(discord): add autoArchiveDuration changelog entry (#35065) (thanks @davidguttman)

---------

Co-authored-by: Onur <onur@textcortex.com>
 2026-03-10 23:13:24 +01:00
Josh Avant
a76e810193
fix(gateway): harden token fallback/reconnect behavior and docs (#42507) 
* fix(gateway): harden token fallback and auth reconnect handling

* docs(gateway): clarify auth retry and token-drift recovery

* fix(gateway): tighten auth reconnect gating across clients

* fix: harden gateway token retry (#42507) (thanks @joshavant)
 2026-03-10 17:05:57 -05:00
Matt Van Horn
5ed96da990
fix(browser): surface 429 rate limit errors with actionable hints (#40491) 
Merged via squash.

Prepared head SHA: 13839c2dbd0396d8a582aa2c5c206d2efaff1b07
Co-authored-by: mvanhorn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com>
Reviewed-by: @altaywtf
 2026-03-11 00:49:31 +03:00
Pejman Pour-Moezzi
7c76acafd6
fix(acp): scope cancellation and event routing by runId (#41331) 2026-03-10 22:37:21 +01:00
PonyX-lab
53374394fb
Fix stale runtime model reuse on session reset (#41173) 
Merged via squash.

Prepared head SHA: d8a04a466a3b110aa7d608cc1425a66fa65e326b
Co-authored-by: PonyX-lab <266766228+PonyX-lab@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman
 2026-03-10 14:02:43 -07:00
David Guttman
9f5dee32f6
fix(acp): implicit streamToParent for mode=run without thread (#42404) 
* fix(acp): implicit streamToParent for mode=run without thread

When spawning ACP sessions with mode=run and no thread binding,
automatically route output to parent session instead of Discord.
This enables agent-to-agent supervision patterns where the spawning
agent wants results returned programmatically, not posted as chat.

The change makes sessions_spawn with runtime=acp and thread=false
behave like direct acpx invocation - output goes to the spawning
session, not to Discord.

Fixes the issue where mode=run without thread still posted to Discord
because hasDeliveryTarget was true when called from a Discord context.

* fix: use resolved spawnMode instead of params.mode

Move implicit streamToParent check to after resolveSpawnMode so that
both explicit mode="run" and omitted mode (which defaults to "run"
when thread is false) correctly trigger parent routing.

This fixes the issue where callers that rely on default mode selection
would not get the intended parent streaming behavior.

* fix: tighten implicit ACP parent relay gating (#42404) (thanks @davidguttman)

---------

Co-authored-by: Onur Solmaz <2453968+osolmaz@users.noreply.github.com>
 2026-03-10 21:42:15 +01:00
Peter Steinberger
6d4241cbd9 fix: wire modelstudio env discovery (#40634) (thanks @pomelo-nwu) 2026-03-10 19:58:43 +00:00
Mariano Belinky
67746a12de iOS: add welcome home canvas 2026-03-10 21:44:00 +02:00
Altay
0ff184397d
docs(telegram): clarify group and sender allowlists (#42451) 
Merged via squash.

Prepared head SHA: f30cacafb326a1ed0ef996424f049ae7b36ff1a6
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com>
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com>
Reviewed-by: @altaywtf
 2026-03-10 21:56:30 +03:00
Josh Avant
b205de6154
Docs: add changelog entry for SecretRef traversal (#42455) 2026-03-10 13:52:50 -05:00
Josh Avant
0687e04760
fix: thread runtime config through Discord/Telegram sends (#42352) (thanks @joshavant) (#42352) 2026-03-10 13:30:57 -05:00
Yufeng He
c2d9386796
fix: log auth profile resolution failures instead of swallowing silently (#41271) 
Merged via squash.

Prepared head SHA: 049d1e119a4df88ae00870353a9e7134261fe9dd
Co-authored-by: he-yufeng <40085740+he-yufeng@users.noreply.github.com>
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com>
Reviewed-by: @altaywtf
 2026-03-10 20:38:49 +03:00
JiangNan
e9e8b81939
fix(failover): classify Gemini MALFORMED_RESPONSE as retryable timeout (#42292) 
Merged via squash.

Prepared head SHA: 68f106ff49fc7a28a806601bc8ca1e5e77c6e8c6
Co-authored-by: jnMetaCode <12096460+jnMetaCode@users.noreply.github.com>
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com>
Reviewed-by: @altaywtf
 2026-03-10 20:34:32 +03:00
jiarung
bc9b35d6ce
fix(logging): include model and provider in overload/error log (#41236) 
Merged via squash.

Prepared head SHA: bb16fecbf7173dbd8f49adacb6147635bad00c56
Co-authored-by: jiarung <16461359+jiarung@users.noreply.github.com>
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com>
Reviewed-by: @altaywtf
 2026-03-10 20:32:14 +03:00
Ayaan Zaidi
3b582f1d54
fix(telegram): chunk long html outbound messages (#42240) 
Merged via squash.

Prepared head SHA: 4d79c41ddf33f44749355641936f8c425224ec6f
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
 2026-03-10 22:53:04 +05:30
CryUshio
8bf64f219a
fix: recognize Poe 402 'used up your points' as billing for fallback (#42278) 
Merged via squash.

Prepared head SHA: f3cdfa76dd9afcb023504eef723036e826e6ebc5
Co-authored-by: CryUshio <30655354+CryUshio@users.noreply.github.com>
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com>
Reviewed-by: @altaywtf
 2026-03-10 20:17:36 +03:00
George Zhang
f50fc2966b
docs: add #42173 to CHANGELOG — strip leaked model control tokens (#42216) 
Thanks @imwyvern.
 2026-03-10 07:19:13 -07:00
Vincent Koc
208b636414 Changelog: add unreleased March 9 entries 2026-03-10 08:51:12 -04:00
smysle
d340ea92d1
chore: add .dev-state to .gitignore (#41848) 
Merged via squash.

Prepared head SHA: 85c4eb7d261271faa36cffa36a859d218af0378e
Co-authored-by: smysle <207193754+smysle@users.noreply.github.com>
Co-authored-by: hydro13 <6640526+hydro13@users.noreply.github.com>
Reviewed-by: @hydro13
 2026-03-10 13:35:04 +01:00
Charles Dusek
048e25c2b2
fix(agents): avoid duplicate same-provider cooldown probes in fallback runs (#41711) 
Merged via squash.

Prepared head SHA: 8be8967bcb4be81f6abc5ff078644ec4efcfe7a0
Co-authored-by: cgdusek <38732970+cgdusek@users.noreply.github.com>
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com>
Reviewed-by: @altaywtf
 2026-03-10 15:26:47 +03:00
Echo
bda63c3c7f
fix(mattermost): preserve markdown formatting and native tables (#18655) 
Merged via squash.

Prepared head SHA: d30fff1776ba94da0b68e5610248829c05450572
Co-authored-by: echo931 <259437483+echo931@users.noreply.github.com>
Co-authored-by: mukhtharcm <56378562+mukhtharcm@users.noreply.github.com>
Reviewed-by: @mukhtharcm
 2026-03-10 17:40:01 +05:30
Pejman Pour-Moezzi
aca216bfcf
feat(acp): add resumeSessionId to sessions_spawn for ACP session resume (#41847) 
* feat(acp): add resumeSessionId to sessions_spawn for ACP session resume

Thread resumeSessionId through the ACP session spawn pipeline so agents
can resume existing sessions (e.g. a prior Codex conversation) instead
of starting fresh.

Flow: sessions_spawn tool → spawnAcpDirect → initializeSession →
ensureSession → acpx --resume-session flag → agent session/load

- Add resumeSessionId param to sessions-spawn-tool schema with
  description so agents can discover and use it
- Thread through SpawnAcpParams → AcpInitializeSessionInput →
  AcpRuntimeEnsureInput → acpx extension runtime
- Pass as --resume-session flag to acpx CLI
- Error hard (exit 4) on non-existent session, no silent fallback
- All new fields optional for backward compatibility

Depends on acpx >= 0.1.16 (openclaw/acpx#85, merged, pending release).

Tests: 26/26 pass (runtime + tool schema)
Verified e2e: Discord → sessions_spawn(resumeSessionId) → Codex
resumed session and recalled stored secret.

🤖 AI-assisted

* fix: guard resumeSessionId against non-ACP runtime

Add early-return error when resumeSessionId is passed without
runtime="acp" (mirrors existing streamTo guard). Without this,
the parameter is silently ignored and the agent gets a fresh
session instead of resuming.

Also update schema description to note the runtime=acp requirement.

Addresses Greptile review feedback.

* ACP: add changelog entry for session resume (#41847) (thanks @pejmanjohn)

---------

Co-authored-by: Pejman Pour-Moezzi <481729+pejmanjohn@users.noreply.github.com>
Co-authored-by: Onur <onur@textcortex.com>
 2026-03-10 10:36:13 +01:00
Bob
c2eb12bbc5
ACPX: bump bundled acpx to 0.1.16 (#41975) 
* ACPX: bump bundled acpx to 0.1.16

* fix: bump acpx pin to 0.1.16 (#41975) (thanks @dutifulbob)

---------

Co-authored-by: Onur <2453968+osolmaz@users.noreply.github.com>
 2026-03-10 10:18:09 +01:00
Teconomix
6d0547dc2e
mattermost: fix DM media upload for unprefixed user IDs (#29925) 
Merged via squash.

Prepared head SHA: 5cffcb072cc82394fe4c93d6c1c0c520325180b7
Co-authored-by: teconomix <6959299+teconomix@users.noreply.github.com>
Co-authored-by: mukhtharcm <56378562+mukhtharcm@users.noreply.github.com>
Reviewed-by: @mukhtharcm
 2026-03-10 14:22:24 +05:30
Brad Groux
568b0a22bb
fix(msteams): use General channel conversation ID as team key for Bot Framework compatibility (#41838) 
* fix(msteams): use General channel conversation ID as team key for Bot Framework compatibility

Bot Framework sends `activity.channelData.team.id` as the General channel's
conversation ID (e.g. `19:abc@thread.tacv2`), not the Graph API group GUID
(e.g. `fa101332-cf00-431b-b0ea-f701a85fde81`). The startup resolver was
storing the Graph GUID as the team config key, so runtime matching always
failed and every channel message was silently dropped.

Fix: always call `listChannelsForTeam` during resolution to find the General
channel, then use its conversation ID as the stored `teamId`. When a specific
channel is also configured, reuse the same channel list rather than issuing a
second API call. Falls back to the Graph GUID if the General channel cannot
be found (renamed/deleted edge case).

Fixes #41390

* fix(msteams): handle listChannelsForTeam failure gracefully

* fix(msteams): trim General channel ID and guard against empty string

* fix: document MS Teams allowlist team-key fix (#41838) (thanks @BradGroux)

---------

Co-authored-by: bradgroux <bradgroux@users.noreply.github.com>
Co-authored-by: Onur <onur@textcortex.com>
 2026-03-10 09:13:41 +01:00
Daniel Hnyk
450d49ea52
fix(mattermost): read replyTo param in plugin handleAction send (#41176) 
Merged via squash.

Prepared head SHA: 33cac4c33f24d12a53189c4de01a39d0a6c2ada1
Co-authored-by: hnykda <2741256+hnykda@users.noreply.github.com>
Co-authored-by: mukhtharcm <56378562+mukhtharcm@users.noreply.github.com>
Reviewed-by: @mukhtharcm
 2026-03-10 13:19:54 +05:30
Daniel Reis
3495563cfe
fix(sandbox): pass real workspace to sessions_spawn when workspaceAccess is ro (#40757) 
Merged via squash.

Prepared head SHA: 0e8b27bf80e41fcce77db8298ac74205c7b3b2c3
Co-authored-by: dsantoreis <66363641+dsantoreis@users.noreply.github.com>
Co-authored-by: mcaxtr <7562095+mcaxtr@users.noreply.github.com>
Reviewed-by: @mcaxtr
 2026-03-10 04:12:50 -03:00
Austin
9d403fd415
fix(ui): replace Manual RPC text input with sorted method dropdown (#14967) 
Merged via squash.

Prepared head SHA: 1bb49b2e64675d37882d0975eb19f8fafd3c6fe9
Co-authored-by: rixau <112558420+rixau@users.noreply.github.com>
Co-authored-by: BunsDev <68980965+BunsDev@users.noreply.github.com>
Reviewed-by: @BunsDev
 2026-03-10 01:30:31 -05:00
Val Alexander
5296147c20
CI: select Swift 6.2 toolchain for CodeQL (#41787) 
Merged via squash.

Prepared head SHA: 8abc6c16571661450a6b932de17b74607ecacb8e
Co-authored-by: BunsDev <68980965+BunsDev@users.noreply.github.com>
Co-authored-by: BunsDev <68980965+BunsDev@users.noreply.github.com>
Reviewed-by: @BunsDev
 2026-03-10 01:22:41 -05:00
Frank Yang
8306eabf85
fix(agents): forward memory flush write path (#41761) 
Merged via squash.

Prepared head SHA: 0a8ebf8e5b426c5b402adc34509830f46e4bb849
Co-authored-by: frankekn <4488090+frankekn@users.noreply.github.com>
Co-authored-by: frankekn <4488090+frankekn@users.noreply.github.com>
Reviewed-by: @frankekn
 2026-03-10 14:18:41 +08:00
Eugene
45b74fb56c
fix(telegram): move network fallback to resolver-scoped dispatchers (#40740) 
Merged via squash.

Prepared head SHA: a4456d48b42d6c588b2858831a2391d015260a9b
Co-authored-by: sircrumpet <4436535+sircrumpet@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
 2026-03-10 11:28:51 +05:30
Urian Paul Danut
d1a59557b5
fix(security): harden replaceMarkers() to catch space/underscore boundary marker variants (#35983) 
Merged via squash.

Prepared head SHA: ff07dc45a9c9665c0a88c9898684a5c97f76473b
Co-authored-by: urianpaul94 <33277984+urianpaul94@users.noreply.github.com>
Co-authored-by: frankekn <4488090+frankekn@users.noreply.github.com>
Reviewed-by: @frankekn
 2026-03-10 13:54:23 +08:00
Laurie Luo
cf9db91b61
fix(web-search): recover OpenRouter Perplexity citations from message annotations (#40881) 
Merged via squash.

Prepared head SHA: 66c8bb2c6a4bbc95a5d23661c185f1e551c2929e
Co-authored-by: laurieluo <89195476+laurieluo@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
 2026-03-10 10:37:44 +05:30
futuremind2026
382287026b
cron: record lastErrorReason in job state (#14382) 
Merged via squash.

Prepared head SHA: baa6b5d566a41950dea0a214881eef48697326d8
Co-authored-by: futuremind2026 <258860756+futuremind2026@users.noreply.github.com>
Co-authored-by: BunsDev <68980965+BunsDev@users.noreply.github.com>
Reviewed-by: @BunsDev
 2026-03-10 00:01:45 -05:00
Wayne
da4fec6641
fix(telegram): prevent duplicate messages when preview edit times out (#41662) 
Merged via squash.

Prepared head SHA: 2780e62d070d7b4c4d7447e966ca172e33e44ad4
Co-authored-by: hougangdev <105773686+hougangdev@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
 2026-03-10 10:17:39 +05:30
Frank Yang
96e4975922
fix: protect bootstrap files during memory flush (#38574) 
Merged via squash.

Prepared head SHA: a0b9a02e2ef1a6f5480621ccb799a8b35a10ce48
Co-authored-by: frankekn <4488090+frankekn@users.noreply.github.com>
Co-authored-by: frankekn <4488090+frankekn@users.noreply.github.com>
Reviewed-by: @frankekn
 2026-03-10 12:44:33 +08:00
Benji Peng
989ee21b24
ui: fix sessions table collapse on narrow widths (#12175) 
Merged via squash.

Prepared head SHA: b1fcfba868fcfb7b9ee3496725921f3f38f58ac4
Co-authored-by: benjipeng <11394934+benjipeng@users.noreply.github.com>
Co-authored-by: BunsDev <68980965+BunsDev@users.noreply.github.com>
Reviewed-by: @BunsDev
 2026-03-09 23:14:07 -05:00
Josh Avant
f0eb67923c
fix(secrets): resolve web tool SecretRefs atomically at runtime 2026-03-09 22:57:03 -05:00
Ayane
391f9430ca
fix(feishu): pass mediaLocalRoots in sendText local-image auto-convert shim (openclaw#40623) 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: ayanesakura <40628300+ayanesakura@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-03-09 22:26:06 -05:00
Harold Hunt
de49a8b72c
Telegram: exec approvals for OpenCode/Codex (#37233) 
Merged via squash.

Prepared head SHA: f2433790941841ade0efe6292ff4909b2edd6f18
Co-authored-by: huntharo <5617868+huntharo@users.noreply.github.com>
Co-authored-by: huntharo <5617868+huntharo@users.noreply.github.com>
Reviewed-by: @huntharo
 2026-03-09 23:04:35 -04:00
Zhe Liu
25c2facc2b
fix(agents): fix Brave llm-context empty snippets (#41387) 
Merged via squash.

Prepared head SHA: 1e6f1d9d51607a115e4bf912f53149a26a5cdd82
Co-authored-by: zheliu2 <15888718+zheliu2@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
 2026-03-10 08:09:57 +05:30
Julia Barth
c0cba7fb72
Fix one-shot exit hangs by tearing down cached memory managers (#40389) 
Merged via squash.

Prepared head SHA: 0e600e89cf10f5086ab9d93f445587373a54dcec
Co-authored-by: Julbarth <72460857+Julbarth@users.noreply.github.com>
Co-authored-by: frankekn <4488090+frankekn@users.noreply.github.com>
Reviewed-by: @frankekn
 2026-03-10 07:34:46 +08:00
Xinhua Gu
4790e40ac6
fix(plugins): expose model auth API to context-engine plugins (#41090) 
Merged via squash.

Prepared head SHA: ee96e96bb984cc3e1e152d17199357a8f6db312d
Co-authored-by: xinhuagu <562450+xinhuagu@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman
 2026-03-09 16:07:26 -07:00
alan blount
c9a6c542ef
Add HTTP 499 to transient error codes for model fallback (#41468) 
Merged via squash.

Prepared head SHA: 0053bae14038e6df9264df364d1c9aa83d5b698e
Co-authored-by: zeroasterisk <23422+zeroasterisk@users.noreply.github.com>
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com>
Reviewed-by: @altaywtf
 2026-03-10 01:55:10 +03:00
Altay
de4c3db3e3
Logging: harden probe suppression for observations (#41338) 
Merged via squash.

Prepared head SHA: d18356cb8062935090466d4e142ce202381d4ef2
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com>
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com>
Reviewed-by: @altaywtf
 2026-03-10 01:40:15 +03:00