Comprehensive update to complete the openclaw → ironclaw CLI rename across the
codebase, fix build/runtime issues, and add test coverage for infra modules.
CLI binary rename (openclaw → ironclaw):
- Update DEFAULT_CLI_NAME and all argv parsing to recognize "ironclaw" binary
- Extend package name sets (CORE_PACKAGE_NAMES, ALL_PACKAGE_NAMES) to include
both "ironclaw" and "openclaw" for backward compatibility
- Update NPM registry URL to fetch from ironclaw package
- Update gateway lock detection, port listener classification, and launchd/systemd
service scanning to recognize ironclaw-prefixed services and binaries
- Update daemon inspect markers and legacy detection for ironclaw
- Update voice-call extension core-bridge to resolve ironclaw package root
- Fix install instructions in embeddings error messages (npm i -g ironclaw@latest)
Web app / Next.js fixes:
- Replace fragile `npx next` invocations with direct `node next-bin` resolution
to avoid broken pnpm virtual-store symlinks in global installs
- Add resolveNextBin() helper that resolves apps/web/node_modules/next directly
Infra hardening:
- Workspace templates: compute both source and dist fallback paths for template
directory resolution (fixes templates not found in bundled builds)
- Control UI assets: recognize both "openclaw" and "ironclaw" package names
- Update-check, update-runner, update-cli: normalize ironclaw@ tag prefixes
New tests:
- Add openclaw-root.test.ts, ports-format.test.ts, update-global.test.ts
- Add workspace-templates.test.ts and control-ui-assets.test.ts coverage
- Add argv.test.ts coverage for ironclaw binary detection
Test fixes (28 failures → 0):
- Update all test assertions expecting "openclaw" CLI command output to "ironclaw"
- Fix version.test.ts package name from "openclaw" to "ironclaw"
- Fix camera/canvas temp path patterns in nodes-camera and program.nodes-media tests
- Fix pairing message, telegram bot, channels, daemon, onboard, gateway tool,
status, and profile test expectations
Version: 2026.2.10-1.2 (published to npm as ironclaw@2026.2.10-1.2)
Co-authored-by: Cursor <cursoragent@cursor.com>
- Remove standalone Next.js output; gateway now installs deps and builds
on first start, skips if .next/BUILD_ID already exists
- Rename openclaw→ironclaw workspace refs in all 30 extensions + clawdbot/moltbot
- Add @tiptap/core as explicit dep in apps/web (pnpm strict mode requires it)
- Improve ensureDepsInstalled: detect pnpm workspace vs npm global install
- Remove pre-build step from deploy.sh; ship source, build on user machine
- Update package.json files to include full apps/web/ source
Co-authored-by: Cursor <cursoragent@cursor.com>
* TypeScript: add extensions to tsconfig and fix type errors
- Add extensions/**/* to tsconfig.json includes
- Export ProviderAuthResult, AnyAgentTool from plugin-sdk
- Fix optional chaining for messageActions across channels
- Add missing type imports (MSTeamsConfig, GroupPolicy, etc.)
- Add type annotations for provider auth handlers
- Fix undici/fetch type compatibility in zalo proxy
- Correct ChannelAccountSnapshot property usage
- Add type casts for tool registrations
- Extract usage view styles and types to separate files
* TypeScript: fix optional debug calls and handleAction guards
- Create shared PNG encoder module (src/media/png-encode.ts)
- Refactor qr-image.ts and live-image-probe.ts to use shared encoder
- Add safeParseJson to utils.ts and plugin-sdk exports
- Update msteams and pairing-store to use centralized safeParseJson
* refactor: consolidate duplicate utility functions
- Add escapeRegExp to src/utils.ts and remove 10 local duplicates
- Rename bash-tools clampNumber to clampWithDefault (different signature)
- Centralize formatError calls to use formatErrorMessage from infra/errors.ts
- Re-export formatErrorMessage from cli/cli-utils.ts to preserve API
* refactor: consolidate remaining escapeRegExp duplicates
* refactor: consolidate sleep, stripAnsi, and clamp duplicates
* fix: use .js extension for ESM imports of RoutePeerKind
The imports incorrectly used .ts extension which doesn't resolve
with moduleResolution: NodeNext. Changed to .js and added 'type'
import modifier.
* fix tsconfig
* refactor: unify peer kind to ChatType, rename dm to direct
- Replace RoutePeerKind with ChatType throughout codebase
- Change 'dm' literal values to 'direct' in routing/session keys
- Keep backward compat: normalizeChatType accepts 'dm' -> 'direct'
- Add ChatType export to plugin-sdk, deprecate RoutePeerKind
- Update session key parsing to accept both 'dm' and 'direct' markers
- Update all channel monitors and extensions to use ChatType
BREAKING CHANGE: Session keys now use 'direct' instead of 'dm'.
Existing 'dm' keys still work via backward compat layer.
* fix tests
* test: update session key expectations for dmdirect migration
- Fix test expectations to expect :direct: in generated output
- Add explicit backward compat test for normalizeChatType('dm')
- Keep input test data with :dm: keys to verify backward compat
* fix: accept legacy 'dm' in session key parsing for backward compat
getDmHistoryLimitFromSessionKey now accepts both :dm: and :direct:
to ensure old session keys continue to work correctly.
* test: add explicit backward compat tests for dmdirect migration
- session-key.test.ts: verify both :dm: and :direct: keys are valid
- getDmHistoryLimitFromSessionKey: verify both formats work
* feat: backward compat for resetByType.dm config key
* test: skip unix-path Nix tests on Windows
* Tests: harden flake hotspots and consolidate provider-auth suites
* Tests: restore env vars by deleting missing snapshot values
* Tests: use real newline in memory summary filter case
* Tests(memory): use fake timers for qmd timeout coverage
* Changelog: add tests hardening entry for #11598
* feat(bluebubbles): auto-strip markdown from outbound messages (#7402)
* fix(security): add timeout to webhook body reading (#6762)
Adds 30-second timeout to readBody() in voice-call, bluebubbles, and nostr
webhook handlers. Prevents Slow-Loris DoS (CWE-400, CVSS 7.5).
Merged with existing maxBytes protection in voice-call.
* fix(security): unify Error objects and lint fixes in webhook timeouts (#6762)
* fix: prevent plugins from auto-enabling without user consent (#3961)
Changes default plugin enabled state from true to false in enablePluginEntry().
Preserves existing enabled:true values. Fixes#3932.
* fix: apply hierarchical mediaMaxMb config to all channels (#8749)
Generalizes resolveAttachmentMaxBytes() to use account → channel → global
config resolution for all channels, not just BlueBubbles. Fixes#7847.
* fix(bluebubbles): sanitize attachment filenames against header injection (#10333)
Strip ", \r, \n, and \\ from filenames after path.basename() to prevent
multipart Content-Disposition header injection (CWE-93, CVSS 5.4).
Also adds sanitization to setGroupIconBlueBubbles which had zero filename
sanitization.
* fix(lint): exclude extensions/ from Oxlint preflight check (#9313)
Extensions use PluginRuntime|null patterns that trigger
no-redundant-type-constituents because PluginRuntime resolves to any.
Excluding extensions/ from Oxlint unblocks user upgrades.
Re-applies the approach from closed PR #10087.
* fix(bluebubbles): add tempGuid to createNewChatWithMessage payload (#7745)
Non-Private-API mode (AppleScript) requires tempGuid in send payloads.
The main sendMessageBlueBubbles already had it, but createNewChatWithMessage
was missing it, causing 400 errors for new chat creation without Private API.
* fix: send stop-typing signal when run ends with NO_REPLY (#8785)
Adds onCleanup callback to the typing controller that fires when the
controller is cleaned up while typing was active (e.g., after NO_REPLY).
Channels using createTypingCallbacks automatically get stop-typing on
cleanup. This prevents the typing indicator from lingering in group chats
when the agent decides not to reply.
* fix(telegram): deduplicate skill commands in multi-agent setup (#5717)
Two fixes:
1. Skip duplicate workspace dirs when listing skill commands across agents.
Multiple agents sharing the same workspace would produce duplicate commands
with _2, _3 suffixes.
2. Clear stale commands via deleteMyCommands before registering new ones.
Commands from deleted skills now get cleaned up on restart.
* fix: add size limits to unbounded in-memory caches (#4948)
Adds max-size caps with oldest-entry eviction to prevent OOM in
long-running deployments:
- BlueBubbles serverInfoCache: 64 entries (already has TTL)
- Google Chat authCache: 32 entries
- Matrix directRoomCache: 1024 entries
- Discord presenceCache: 5000 entries per account
* fix: address review concerns (#11093)
- Chain deleteMyCommands → setMyCommands to prevent race condition (#5717)
- Rename enablePluginEntry to registerPluginEntry (now sets enabled: false)
- Add Slow-Loris timeout test for readJsonBody (#6023)
* feat(antigravity): update default model to Claude Opus 4.6
Claude Opus 4.5 has been replaced by Claude Opus 4.6 on the
Antigravity (Google Cloud Code Assist) platform.
- Update DEFAULT_MODEL in google-antigravity-auth extension
- Update testing docs to reference the new model
* fix: update remaining antigravity opus 4.5 refs in zh-CN docs and tests
Address review comments from Greptile:
- Update zh-CN/testing.md antigravity model references
- Update pi-tools-agent-config.test.ts model IDs
* Antigravity: default OAuth model to Opus 4.6 (#10720) (thanks @calvin-hpnet)
---------
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
- Sync latest changes from clawdbot-feishu including multi-account support
- Add eslint-disable comments for SDK-related any types
- Remove unused imports
- Fix no-floating-promises in monitor.ts
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- monitor.ts: throw error for webhook mode instead of silently returning,
so gateway properly marks channel as failed
- targets.ts: default receive_id_type to "user_id" instead of "open_id"
for non-prefixed IDs, fixing message delivery for enterprise user IDs
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add line-specific eslint-disable-next-line comments for SDK type casts
and union type issues, rather than file-level disables.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Nextcloud Talk's ChecksumVerificationService verifies HMAC against the
extracted message/reaction text, not the full JSON body. This fixes 401
authentication errors when sending messages via the bot API.
- sendMessageNextcloudTalk: sign 'message' text only
- sendReactionNextcloudTalk: sign 'reaction' string only
What:
- add post parsing, doc link extraction, routing, replies, reactions, typing, and user lookup
- fix media download/send flows and make doc fetches domain-aware
- update Feishu docs and clawtributor credits
Why:
- raise Feishu parity with other channels and avoid dropped group messages
- keep replies threaded while supporting Lark domains
- document new configuration and credit the contributor
Tests:
- pnpm build
- pnpm check
- pnpm test (gateway suite timed out; reran pnpm vitest run --config vitest.gateway.config.ts)
Co-authored-by: 九灵云 <server@jiulingyun.cn>
