Related #1926
Signal mentions were appearing as  (object replacement character)
instead of readable identifiers. This caused Clawdbot to misinterpret
messages and respond inappropriately.
Now parses dataMessage.mentions array and replaces the placeholder
character with @{uuid} or @{phone} from the mention metadata.
Fixes#5260
The DISCORD_THREAD_STARTER_CACHE Map was growing unbounded during
long-running gateway sessions, causing memory exhaustion.
This fix adds:
- 5-minute TTL expiry (thread starters rarely change)
- Max 500 entries with LRU eviction
- Same caching pattern used by Slack's thread resolver
The implementation mirrors src/slack/monitor/thread-resolution.ts
which already handles this correctly.
Comprehensive update to complete the openclaw → ironclaw CLI rename across the
codebase, fix build/runtime issues, and add test coverage for infra modules.
CLI binary rename (openclaw → ironclaw):
- Update DEFAULT_CLI_NAME and all argv parsing to recognize "ironclaw" binary
- Extend package name sets (CORE_PACKAGE_NAMES, ALL_PACKAGE_NAMES) to include
both "ironclaw" and "openclaw" for backward compatibility
- Update NPM registry URL to fetch from ironclaw package
- Update gateway lock detection, port listener classification, and launchd/systemd
service scanning to recognize ironclaw-prefixed services and binaries
- Update daemon inspect markers and legacy detection for ironclaw
- Update voice-call extension core-bridge to resolve ironclaw package root
- Fix install instructions in embeddings error messages (npm i -g ironclaw@latest)
Web app / Next.js fixes:
- Replace fragile `npx next` invocations with direct `node next-bin` resolution
to avoid broken pnpm virtual-store symlinks in global installs
- Add resolveNextBin() helper that resolves apps/web/node_modules/next directly
Infra hardening:
- Workspace templates: compute both source and dist fallback paths for template
directory resolution (fixes templates not found in bundled builds)
- Control UI assets: recognize both "openclaw" and "ironclaw" package names
- Update-check, update-runner, update-cli: normalize ironclaw@ tag prefixes
New tests:
- Add openclaw-root.test.ts, ports-format.test.ts, update-global.test.ts
- Add workspace-templates.test.ts and control-ui-assets.test.ts coverage
- Add argv.test.ts coverage for ironclaw binary detection
Test fixes (28 failures → 0):
- Update all test assertions expecting "openclaw" CLI command output to "ironclaw"
- Fix version.test.ts package name from "openclaw" to "ironclaw"
- Fix camera/canvas temp path patterns in nodes-camera and program.nodes-media tests
- Fix pairing message, telegram bot, channels, daemon, onboard, gateway tool,
status, and profile test expectations
Version: 2026.2.10-1.2 (published to npm as ironclaw@2026.2.10-1.2)
Co-authored-by: Cursor <cursoragent@cursor.com>
Overhaul the Dench web app with a comprehensive visual redesign and several
major feature additions across the chat interface, workspace, and agent
runtime layer.
Theme & Design System
- Replace the dark-only palette with a full light/dark theme system that
respects system preference via localStorage + inline script (no FOUC).
- Introduce new design tokens: glassmorphism surfaces, semantic colors
(success/warning/error/info), object-type chip palettes, and a tiered
shadow scale (sm/md/lg/xl).
- Add Instrument Serif + Inter via Google Fonts for a refined typographic
hierarchy; headings use the serif face, body uses Inter.
- Rebrand UI from "Ironclaw" to "Dench" across the landing page and
metadata.
Chat & Chain-of-Thought
- Rewrite the chain-of-thought component with inline media detection and
rendering — images, video, audio, and PDFs referenced in agent output
are now displayed directly in the conversation thread.
- Add status indicator parts (e.g. "Preparing response...",
"Optimizing session context...") that render as subtle activity badges
instead of verbose reasoning blocks.
- Integrate react-markdown with remark-gfm for proper markdown rendering
in assistant messages (tables, strikethrough, autolinks, etc.).
- Improve report-block splitting and lazy-loaded ReportCard rendering.
Workspace
- Introduce @tanstack/react-table for the object table, replacing the
hand-rolled table with full column sorting, fuzzy filtering via
match-sorter-utils, row selection, and bulk actions.
- Add a new media viewer component for in-workspace image/video/PDF
preview.
- New API routes: bulk-delete entries, field management (CRUD + reorder),
raw-file serving endpoint for media assets.
- Redesign workspace sidebar, empty state, and entry detail modal with
the new theme tokens and improved layout.
Agent Runtime
- Switch web agent execution from --local to gateway-routed mode so
concurrent chat threads share the gateway's lane-based concurrency
system, eliminating cross-process file-lock contention.
- Advertise "tool-events" capability during WebSocket handshake so the
gateway streams tool start/update/result events to the UI.
- Add new agent callback hooks: onLifecycleStart, onCompactionStart/End,
and onToolUpdate for richer real-time feedback.
- Forward media URLs emitted by agent events into the chat stream.
Dependencies
- Add @tanstack/match-sorter-utils and @tanstack/react-table to the web
app.
Published as ironclaw@2026.2.10-1.
Co-authored-by: Cursor <cursoragent@cursor.com>
formatConsoleTimestamp previously used Date.toISOString() which always
returns UTC time (suffixed with Z). This confused users whose local
timezone differs from UTC.
Now uses local time methods (getHours, getMinutes, etc.) and appends the
local UTC offset (e.g. +08:00) instead of Z. The pretty style returns
local HH:MM:SS. The hasTimestampPrefix regex is updated to accept both
Z and +/-HH:MM offset suffixes.
Closes#14699
Skills install runs package manager install commands (npm, pnpm, yarn,
bun) without --ignore-scripts, allowing malicious npm packages to
execute arbitrary code via postinstall/preinstall lifecycle scripts
during global installation.
This is inconsistent with the security fix in commit 92702af7a which
added --ignore-scripts to both plugin installs (src/plugins/install.ts)
and hook installs (src/hooks/install.ts). Skills install was overlooked
in that change.
Global install (-g) is particularly dangerous as scripts execute with
the user's full permissions and can modify globally-accessible binaries.
