Peter Steinberger
168e4159ad
fix(podman): honor OPENCLAW_GATEWAY_BIND env-file override ( #38785 , thanks @majinyu666)
...
Co-authored-by: majinyu666 <majy14miles@gmail.com >
2026-03-07 21:08:15 +00:00
Peter Steinberger
e27bbe4982
fix(exec): block dangerous override-only env pivots
2026-03-07 19:18:05 +00:00
Nimrod Gutman
43ab4f33ad
feat(ios): prepare app store connect release assets
2026-03-07 17:21:07 +02:00
Vincent Koc
a190220967
Tests: serialize low-memory test runner lanes
2026-03-06 17:45:44 -05:00
Vincent Koc
60d20f9daf
Install Smoke: allow reusing prebuilt test images
2026-03-06 14:23:00 -05:00
Vincent Koc
6a9deb21b8
CI: cover skill and extension tests
2026-03-06 11:21:03 -05:00
Shakker
60849f3335
chore(pr): enforce changelog placement and reduce merge sync churn
2026-03-05 06:37:53 +00:00
Shakker
5d5fa0dac8
fix(pr): make review claim step required
2026-03-05 04:53:32 +00:00
Shakker
4cc293d084
fix(review): enforce behavioral sweep validation
2026-03-04 18:49:36 +00:00
Gustavo Madeira Santana
7a2f5a0098
Plugin SDK: add full bundled subpath wiring
2026-03-04 02:35:12 -05:00
Gustavo Madeira Santana
802b9f6b19
Plugins: add root-alias shim and cache/docs updates
2026-03-04 01:20:48 -05:00
Gustavo Madeira Santana
1278ee9248
plugin-sdk: add channel subpaths and migrate bundled plugins
2026-03-03 22:07:03 -05:00
Igal Tabachnik
a4850b1b8f
fix(plugins): lazily initialize runtime and split plugin-sdk startup imports ( #28620 )
...
Merged via squash.
Prepared head SHA: 8bd7d6c13b601206+hmemcpy@users.noreply.github.com >
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com >
Reviewed-by: @gumadeiras
2026-03-03 19:58:48 -05:00
Shakker
b02a07655d
fix: harden pr review artifact validation
2026-03-03 21:14:37 +00:00
Shadow
3b3738e41e
fix(discord): use fetch for voice upload slots
2026-03-03 10:22:28 -06:00
Peter Steinberger
b52c9f2575
fix(ci): handle disabled systemd units in docker doctor flow
2026-03-03 05:52:14 +00:00
Peter Steinberger
f175a5d6d3
fix(ci): avoid shell interpolation in changed-scope git diff
2026-03-03 03:34:46 +00:00
Vincent Koc
2c6616b830
CI: gate Windows checks by windows-relevant scope ( #32456 )
...
* CI: add windows scope output for changed-scope
* Test: cover windows scope gating in changed-scope
* CI: gate checks-windows by windows scope
* Docs: update CI windows scope and runner label
* CI: move checks-windows to 32 vCPU runner
* Docs: align CI windows runner with workflow
2026-03-02 19:10:58 -08:00
Peter Steinberger
da6e6fb900
test: fix strict runtime mock types in channel tests
2026-03-03 03:06:22 +00:00
Peter Steinberger
7fd4328854
fix(e2e): include shared tool display resource in onboard docker build
2026-03-03 03:02:27 +00:00
Josh Avant
806803b7ef
feat(secrets): expand SecretRef coverage across user-supplied credentials ( #29580 )
...
* feat(secrets): expand secret target coverage and gateway tooling
* docs(secrets): align gateway and CLI secret docs
* chore(protocol): regenerate swift gateway models for secrets methods
* fix(config): restore talk apiKey fallback and stabilize runner test
* ci(windows): reduce test worker count for shard stability
* ci(windows): raise node heap for test shard stability
* test(feishu): make proxy env precedence assertion windows-safe
* fix(gateway): resolve auth password SecretInput refs for clients
* fix(gateway): resolve remote SecretInput credentials for clients
* fix(secrets): skip inactive refs in command snapshot assignments
* fix(secrets): scope gateway.remote refs to effective auth surfaces
* fix(secrets): ignore memory defaults when enabled agents disable search
* fix(secrets): honor Google Chat serviceAccountRef inheritance
* fix(secrets): address tsgo errors in command and gateway collectors
* fix(secrets): avoid auth-store load in providers-only configure
* fix(gateway): defer local password ref resolution by precedence
* fix(secrets): gate telegram webhook secret refs by webhook mode
* fix(secrets): gate slack signing secret refs to http mode
* fix(secrets): skip telegram botToken refs when tokenFile is set
* fix(secrets): gate discord pluralkit refs by enabled flag
* fix(secrets): gate discord voice tts refs by voice enabled
* test(secrets): make runtime fixture modes explicit
* fix(cli): resolve local qr password secret refs
* fix(cli): fail when gateway leaves command refs unresolved
* fix(gateway): fail when local password SecretRef is unresolved
* fix(gateway): fail when required remote SecretRefs are unresolved
* fix(gateway): resolve local password refs only when password can win
* fix(cli): skip local password SecretRef resolution on qr token override
* test(gateway): cast SecretRef fixtures to OpenClawConfig
* test(secrets): activate mode-gated targets in runtime coverage fixture
* fix(cron): support SecretInput webhook tokens safely
* fix(bluebubbles): support SecretInput passwords across config paths
* fix(msteams): make appPassword SecretInput-safe in onboarding/token paths
* fix(bluebubbles): align SecretInput schema helper typing
* fix(cli): clarify secrets.resolve version-skew errors
* refactor(secrets): return structured inactive paths from secrets.resolve
* refactor(gateway): type onboarding secret writes as SecretInput
* chore(protocol): regenerate swift models for secrets.resolve
* feat(secrets): expand extension credential secretref support
* fix(secrets): gate web-search refs by active provider
* fix(onboarding): detect SecretRef credentials in extension status
* fix(onboarding): allow keeping existing ref in secret prompt
* fix(onboarding): resolve gateway password SecretRefs for probe and tui
* fix(onboarding): honor secret-input-mode for local gateway auth
* fix(acp): resolve gateway SecretInput credentials
* fix(secrets): gate gateway.remote refs to remote surfaces
* test(secrets): cover pattern matching and inactive array refs
* docs(secrets): clarify secrets.resolve and remote active surfaces
* fix(bluebubbles): keep existing SecretRef during onboarding
* fix(tests): resolve CI type errors in new SecretRef coverage
* fix(extensions): replace raw fetch with SSRF-guarded fetch
* test(secrets): mark gateway remote targets active in runtime coverage
* test(infra): normalize home-prefix expectation across platforms
* fix(cli): only resolve local qr password refs in password mode
* test(cli): cover local qr token mode with unresolved password ref
* docs(cli): clarify local qr password ref resolution behavior
* refactor(extensions): reuse sdk SecretInput helpers
* fix(wizard): resolve onboarding env-template secrets before plaintext
* fix(cli): surface secrets.resolve diagnostics in memory and qr
* test(secrets): repair post-rebase runtime and fixtures
* fix(gateway): skip remote password ref resolution when token wins
* fix(secrets): treat tailscale remote gateway refs as active
* fix(gateway): allow remote password fallback when token ref is unresolved
* fix(gateway): ignore stale local password refs for none and trusted-proxy
* fix(gateway): skip remote secret ref resolution on local call paths
* test(cli): cover qr remote tailscale secret ref resolution
* fix(secrets): align gateway password active-surface with auth inference
* fix(cli): resolve inferred local gateway password refs in qr
* fix(gateway): prefer resolvable remote password over token ref pre-resolution
* test(gateway): cover none and trusted-proxy stale password refs
* docs(secrets): sync qr and gateway active-surface behavior
* fix: restore stability blockers from pre-release audit
* Secrets: fix collector/runtime precedence contradictions
* docs: align secrets and web credential docs
* fix(rebase): resolve integration regressions after main rebase
* fix(node-host): resolve gateway secret refs for auth
* fix(secrets): harden secretinput runtime readers
* gateway: skip inactive auth secretref resolution
* cli: avoid gateway preflight for inactive secret refs
* extensions: allow unresolved refs in onboarding status
* tests: fix qr-cli module mock hoist ordering
* Security: align audit checks with SecretInput resolution
* Gateway: resolve local-mode remote fallback secret refs
* Node host: avoid resolving inactive password secret refs
* Secrets runtime: mark Slack appToken inactive for HTTP mode
* secrets: keep inactive gateway remote refs non-blocking
* cli: include agent memory secret targets in runtime resolution
* docs(secrets): sync docs with active-surface and web search behavior
* fix(secrets): keep telegram top-level token refs active for blank account tokens
* fix(daemon): resolve gateway password secret refs for probe auth
* fix(secrets): skip IRC NickServ ref resolution when NickServ is disabled
* fix(secrets): align token inheritance and exec timeout defaults
* docs(secrets): clarify active-surface notes in cli docs
* cli: require secrets.resolve gateway capability
* gateway: log auth secret surface diagnostics
* secrets: remove dead provider resolver module
* fix(secrets): restore gateway auth precedence and fallback resolution
* fix(tests): align plugin runtime mock typings
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com >
2026-03-03 02:58:20 +00:00
Josh Lehman
3a8133d587
fix(scripts/pr): SSH-first prhead remote with GraphQL fallback for fork PRs ( #32126 )
...
Co-authored-by: Shakker <shakkerdroid@gmail.com >
2026-03-03 02:46:01 +00:00
Peter Steinberger
59567a8c5d
ci: move changed-scope logic into tested script
2026-03-03 02:37:23 +00:00
Peter Steinberger
493b560dfd
refactor(runtime): unify node version guard parsing
2026-03-03 02:19:34 +00:00
Jason Hargrove
f8ed48293c
fix(cli): align Node 22.12 preflight checks and clean runtime guard output
...
Tighten installer/runtime consistency so users on Node 22.0-22.11 are blocked before install/runtime drift, with cleaner CLI guidance.
- Enforce Node >=22.12 in scripts/install.sh preflight checks
- Align installer messages to the same 22.12+ runtime floor
- Replace openclaw.mjs thrown version error with stderr+exit to avoid noisy stack traces
2026-03-03 02:03:45 +00:00
Jason Hargrove
96a38d5aa4
fix(cli): fail fast on unsupported Node versions in install and runtime paths
...
Surface a clear Node 22.12+ requirement before npm/install bootstrap work so users avoid misleading downstream errors.
- Add installer shell preflight to block active Node <22 and suggest NVM recovery commands
- Add openclaw.mjs runtime preflight for npm/npx usage with explicit Node version guidance
- Keep messaging actionable for both NVM and non-NVM environments
2026-03-03 02:03:45 +00:00
Peter Steinberger
596621919c
chore(test): add vitest hotspot reporter script
2026-03-03 00:43:01 +00:00
Peter Steinberger
d37ad9d866
test(perf): slim ios team-id harness and add perf budget guard
2026-03-03 00:20:46 +00:00
Peter Steinberger
b8b8a5f314
fix(security): enforce explicit ingress owner context
2026-03-02 23:50:36 +00:00
Peter Steinberger
11adaa15a8
test: isolate high-variance suites in parallel scheduler
2026-03-02 22:29:13 +00:00
Peter Steinberger
453a1c179d
fix: restore release-check control flow after export guard merge
2026-03-02 21:35:12 +00:00
Glucksberg
58e9ca2fb6
fix(release-check): add 4 missing plugin-sdk exports to align with check script
2026-03-02 21:30:44 +00:00
Glucksberg
61d14e8a8a
fix(plugin-sdk): add export verification tests and release guard ( #27569 )
2026-03-02 21:30:44 +00:00
Peter Steinberger
eb816e0551
refactor: dedupe extension and ui helpers
2026-03-02 19:57:33 +00:00
Vincent Koc
a19a7f5e6e
feat(security): Harden Docker browser container chromium flags ( #23889 ) ( #31504 )
...
* Gateway: honor OPENCLAW_GATEWAY_URL override for remote/local calls
* Agents: fix sandbox sessionKey usage for PI embedded subagent calls
* Sandbox: tighten browser container Chromium runtime flags
* fix: add sandbox browser defaults for container hardening
* docs: expand sandbox browser default flags list
* fix: make sandbox browser flags optional and preserve gateway env auth overrides
* docs: scope PR 31504 changelog entry
* style: format gateway call override handling
* fix: dedupe sandbox browser chrome args
* fix: preserve remote tls fingerprint for env gateway override
* fix: enforce auth for env gateway URL override
* chore: document gateway override auth security expectations
2026-03-02 11:28:27 -08:00
Peter Steinberger
1c9deeda97
refactor: split webhook ingress and policy guards
2026-03-02 18:02:21 +00:00
Peter Steinberger
d3e8b17aa6
fix: harden webhook auth-before-body handling
2026-03-02 17:21:09 +00:00
Hiren Thakore
193ad2f4f0
fix: handle PowerShell execution policy on Windows install ( #24794 )
...
* fix: add Arch Linux support to install.sh (GH#8051)
* fix: handle PowerShell execution policy on Windows install (GH#24784)
2026-03-02 11:09:01 -06:00
Peter Steinberger
a229ae6c3e
chore(lint): add registerHttpHandler usage guard script
2026-03-02 16:24:06 +00:00
Peter Steinberger
dbc78243f4
refactor(scripts): share guard runners and paged select UI
2026-03-02 14:36:41 +00:00
Peter Steinberger
4dcb16d696
ci: fix install smoke docker helper path
2026-03-02 11:01:56 +00:00
Peter Steinberger
756f9c9fef
refactor(scripts): dedupe installer CLI verification
2026-03-02 08:59:33 +00:00
Peter Steinberger
00a2456b72
refactor(scripts): dedupe guard checks and smoke helpers
2026-03-02 08:54:20 +00:00
Tyler Yust
f918b336d1
fix: agent-only announce path, BB message IDs, sender identity, SSRF allowlist ( #23970 )
...
* fix(agents): defer announces until descendant cleanup settles
* fix(bluebubbles): harden message metadata extraction
* feat(contributors): rank by composite score (commits, PRs, LOC, tenure)
* refactor(control-ui): move method guard after path checks to improve request handling
* fix subagent completion announce when only current run is pending
* fix(subagents): keep orchestrator runs active until descendants finish
* fix: prepare PR feedback follow-ups (#23970 ) (thanks @tyler6204)
2026-03-01 22:52:11 -08:00
Peter Steinberger
842deefe5d
test: split fast lane from channel and gateway suites
2026-03-02 05:33:07 +00:00
Peter Steinberger
d17f4432b3
chore: fix gate formatting and raw-fetch allowlist lines
2026-03-02 04:18:48 +00:00
Peter Steinberger
706cfcd54f
fix: isolate docker onboard e2e config env
2026-03-02 04:10:28 +00:00
Peter Steinberger
6c5633598e
fix(security): harden clawlog command execution
2026-03-01 23:33:13 +00:00
Vincent Koc
38da2d076c
CLI: add root --help fast path and lazy channel option resolution ( #30975 )
...
* CLI argv: add strict root help invocation guard
* Entry: add root help fast-path bootstrap bypass
* CLI context: lazily resolve channel options
* CLI context tests: cover lazy channel option resolution
* CLI argv tests: cover root help invocation detection
* Changelog: note additional startup path optimizations
* Changelog: split startup follow-up into #30975 entry
* CLI channel options: load precomputed startup metadata
* CLI channel options tests: cover precomputed metadata path
* Build: generate CLI startup metadata during build
* Build script: invoke CLI startup metadata generator
* CLI routes: preload plugins for routed health
* CLI routes tests: assert health plugin preload
* CLI: add experimental bundled entry and snapshot helper
* Tools: compare CLI startup entries in benchmark script
* Docs: add startup tuning notes for Pi and VM hosts
* CLI: drop bundled entry runtime toggle
* Build: remove bundled and snapshot scripts
* Tools: remove bundled-entry benchmark shortcut
* Docs: remove bundled startup bench examples
* Docs: remove Pi bundled entry mention
* Docs: remove VM bundled entry mention
* Changelog: remove bundled startup follow-up claims
* Build: remove snapshot helper script
* Build: remove CLI bundle tsdown config
* Doctor: add low-power startup optimization hints
* Doctor: run startup optimization hint checks
* Doctor tests: cover startup optimization host targeting
* Doctor tests: mock startup optimization note export
* CLI argv: require strict root-only help fast path
* CLI argv tests: cover mixed root-help invocations
* CLI channel options: merge metadata with runtime catalog
* CLI channel options tests: assert dynamic catalog merge
* Changelog: align #30975 startup follow-up scope
* Docs tests: remove secondary-entry startup bench note
* Docs Pi: add systemd recovery reference link
* Docs VPS: add systemd recovery reference link
2026-03-01 14:23:46 -08:00
Vincent Koc
94a5d28d26
CI: remove Vitest JSON report artifacts ( #30976 )
...
* CI: remove vitest JSON report upload steps
* Tests: stop injecting vitest JSON reporter
* Tests: remove vitest slowest report script
2026-03-01 13:03:06 -08:00
