Merged
Conversation
…ession display names
Fix typo from 'p-mono' to 'pi-mono' in agent.md
…unce routing (#4957) * fix: prefer requesterOrigin over stale session entry in subagent announce routing When a subagent finishes and announces results back, resolveAnnounceOrigin merged the session entry (primary) with requesterOrigin (fallback). If the session store had a stale lastChannel (e.g. whatsapp) from a previous interaction but the user was now on a different channel (e.g. bluebubbles), the announce would route to the wrong channel. Swap the merge order so requesterOrigin (captured at spawn time, reflecting the actual current channel) takes priority, with the session entry as fallback for any missing fields. Error before fix: Delivery failed (whatsapp to bluebubbles:chat_guid:...): Unknown channel: whatsapp Adds regression test for the stale-channel scenario. * fix: match test to exact failure scenario and improve reliability (#4957) (thanks @tyler6204) - Remove lastTo from stale session store to match the exact mismatch scenario described in the PR - Replace 5ms setTimeout sleeps with expect.poll for better test reliability - Prevents flakiness on slower CI machines
…xt+image messages (#4984) * fix(bluebubbles): debounce by messageId to preserve attachments in text+image messages BlueBubbles fires multiple webhook events for a single message - first without attachment metadata, then ~350ms later with it. Previously, messages with attachments bypassed debouncing and were processed immediately, while the text-only version was also queued. Now the debouncer uses messageId as the key when available, coalescing all webhook events for the same message. The existing combineDebounceEntries function merges attachments from all events. Closes #4848 * fix: increase debounce and handle balloon messages - Increase DEFAULT_INBOUND_DEBOUNCE_MS from 350ms to 500ms - Update buildKey to use associatedMessageGuid for balloon messages - Add regression test for debouncing behavior Fixes issues identified in code review. --------- Co-authored-by: Yurii Chukhlib <yurii.chukhlib@viber.com> Co-authored-by: Tyler Yust <TYTYYUST@YAHOO.COM>
…ent LFI (#4880) * Media: restrict local path extraction to prevent LFI * Lint: remove unused variable hasValidMediaOnLine
…for Zsh, Bash, PowerShell, and Fish.
feat: Add shell completion for Zsh, Bash, Fish, and PowerShell
…bled list automatically enables it because it is in the "suspicious" group).
This reverts commit b17e6fd.
centminmod
added a commit
that referenced
this pull request
Feb 9, 2026
…, Attack openclaw#27, Threat #7, Hardening #12)
centminmod
pushed a commit
that referenced
this pull request
Mar 2, 2026
… and docs (openclaw#16761) Add inline file attachment support for sessions_spawn (subagent runtime only): - Schema: attachments[] (name, content, encoding, mimeType) and attachAs.mountPath hint - Materialization: files written to .openclaw/attachments/<uuid>/ with manifest.json - Validation: strict base64 decode, filename checks, size limits, duplicate detection - Transcript redaction: sanitizeToolCallInputs redacts attachment content from persisted transcripts - Lifecycle cleanup: safeRemoveAttachmentsDir with symlink-safe path containment check - Config: tools.sessions_spawn.attachments (enabled, maxFiles, maxFileBytes, maxTotalBytes, retainOnSessionKeep) - Registry: attachmentsDir/attachmentsRootDir/retainAttachmentsOnKeep on SubagentRunRecord - ACP rejection: attachments rejected for runtime=acp with clear error message - Docs: updated tools/index.md, concepts/session-tool.md, configuration-reference.md - Tests: 85 new/updated tests across 5 test files Fixes: - Guard fs.rm in materialization catch block with try/catch (review concern #1) - Remove unreachable fallback in safeRemoveAttachmentsDir (review concern #7) - Move attachment cleanup out of retry path to avoid timing issues with announce loop Co-authored-by: Tyler Yust <TYTYYUST@YAHOO.COM> Co-authored-by: napetrov <napetrov@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
12 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Jan 31 upstream sync 2