✨ feat(bot): gate device tools by sender identity by arvinxx · Pull Request #14634 · lobehub/lobehub

arvinxx · 2026-05-10T08:14:30Z

💻 Change Type

🔗 Related Issue

Fixes LOBE-8715
Fixes LOBE-8716
Fixes LOBE-8717
Fixes LOBE-8718
Fixes LOBE-8719
Fixes LOBE-8720

🔀 Description of Change

External users who @-mention a bot ran the agent as the bot owner and could
call LocalSystem / RemoteDevice tools — a confused-deputy hole that let
any group member indirectly read/write the owner's machine. Additionally,
RemoteDeviceManifest.systemRole was injected unconditionally, leaking the
owner's device list into every LLM context (including external-sender turns).

This PR introduces a single source of truth for device access — resolveDeviceAccessPolicy({ botContext }) → { canUseDevice, reason } — and makes
AgentToolsEngine consume only that boolean. Trusted-list and other future
rules will land in the resolver without engine changes.

Sub-tasks (all 5 in this PR):

#	Sub-issue	Change
[1]	LOBE-8716	`ChatTopicBotContext` carries required `senderExternalUserId` + `isOwner`
[2]	LOBE-8717	`BotMessageRouter` (3 call sites) + `MessengerRouter` compute `isOwner` at the entry point and propagate sender; fail-closed when `settings.userId` is missing
[3]	LOBE-8718	`resolveDeviceAccessPolicy` (pure function) maps sender identity to `{ canUseDevice, reason: 'first-party' \| 'bot-owner' \| 'bot-external-sender' \| 'bot-owner-not-configured' \| 'bot-trusted' (reserved) }`
[4]	LOBE-8719	`AgentToolsEngine` gates `LocalSystem` + `RemoteDevice` on `canUseDevice` (drops the `!isBotConversation` clause now subsumed by the policy); `RemoteDeviceManifest.systemRole` injection in `aiAgent/index.ts` is gated on `canUseDevice` — closes the device-list information leak
[5]	LOBE-8720	Per-call audit log (`debug('lobe-server:agent-device-tool-audit')`) at the dispatch site in `RuntimeExecutors`, emitted before dispatch with `userId / topicId / messageId / operationId / toolIdentifier / apiName / platform / senderExternalUserId / isOwner / reason / canUseDevice`. No file content / shell stdout / args

Behavior matrix:

Caller	`canUseDevice`	`reason`
Web/desktop UI (no `botContext`)	✅ true	`first-party`
Owner DM / public channel @ bot	✅ true	`bot-owner`
External user @ bot	❌ false	`bot-external-sender`
Bot with `settings.userId` unset	❌ false	`bot-owner-not-configured`

🧪 How to Test

Tested locally
Added/updated tests
No tests needed

Unit tests added:

src/server/services/aiAgent/deviceAccessPolicy.test.ts — 5 tests covering all 4 reason branches + future-extension guard
src/server/services/bot/__tests__/BotMessageRouter.test.ts — 3 tests asserting botContext.{senderExternalUserId,isOwner} for owner / external / unconfigured cases (65 → originally 62 tests, all pass)

Manual verification:

bunx vitest run --silent='passed-only' \
  src/server/services/aiAgent/deviceAccessPolicy.test.ts \
  src/server/services/bot/__tests__/BotMessageRouter.test.ts
# 70 / 70 pass

bunx vitest run --silent='passed-only' src/server/services/bot src/server/services/messenger
# all bot + messenger suites pass; 14 aiAgent tests fail to import due to a
# pre-existing missing package on canary (`@lobechat/builtin-tool-self-iteration`),
# verified unrelated by stashing the diff and re-running.

End-to-end smoke (per LOBE-8715 verification table) on a Discord bot:

Owner DM @ bot → device tools available, audit reason=bot-owner
Owner public-channel @ bot → device tools available (no downgrade), audit reason=bot-owner
External user @ bot → tools blocked, system prompt no longer mentions device list, audit reason=bot-external-sender
Bot with settings.userId blank → tools blocked even for the configurer, audit reason=bot-owner-not-configured

📝 Additional Information

Plumbing surface: OperationCreationParams gains botContext + deviceAccessPolicy; both are forwarded into state.metadata so the runtime dispatch site can read them. ToolExecutionContext itself was not extended — the audit lives in RuntimeExecutors where state is in scope.
Trusted external list is intentionally out of scope for this PR. The bot-trusted reason is reserved in DeviceAccessReason so a future PR can add the branch without touching AgentToolsEngine.
No DB migration, no new env vars, no API surface change. Pure security + audit hardening.

🤖 Generated with Claude Code

External users who @-mentioned a bot ran the agent as the bot owner and could call LocalSystem / RemoteDevice tools — a confused-deputy hole that let any group member indirectly read/write the owner's machine. - `ChatTopicBotContext` carries `senderExternalUserId` + `isOwner` - `BotMessageRouter` / `MessengerRouter` compute `isOwner` at the entry point (fail-closed when `settings.userId` is missing) - `resolveDeviceAccessPolicy` maps sender identity to `{ canUseDevice, reason }`; trusted-list branch is reserved for future work without engine changes - `AgentToolsEngine` gates `LocalSystem` + `RemoteDevice` on `canUseDevice` - `RemoteDeviceManifest.systemRole` is no longer injected on external-sender turns — closes the device-list information leak - Per-call audit log (`lobe-server:agent-device-tool-audit`) at the dispatch site records sender, isOwner, reason, identifier, apiName Fixes LOBE-8715 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

vercel · 2026-05-10T08:14:35Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
lobehub	Ready	Preview, Comment	May 10, 2026 9:30am

sourcery-ai

Sorry @arvinxx, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

codecov · 2026-05-10T08:14:41Z

Codecov Report

❌ Patch coverage is 62.23776% with 54 lines in your changes missing coverage. Please review.
✅ Project coverage is 65.86%. Comparing base (cfe618f) to head (3fa880e).
⚠️ Report is 5 commits behind head on canary.

Additional details and impacted files

@@            Coverage Diff             @@
##           canary   #14634      +/-   ##
==========================================
- Coverage   65.86%   65.86%   -0.01%     
==========================================
  Files        2892     2894       +2     
  Lines      250548   250674     +126     
  Branches    29209    25100    -4109     
==========================================
+ Hits       165020   165094      +74     
- Misses      85376    85428      +52     
  Partials      152      152

Flag	Coverage Δ
app	`60.07% <62.23%> (-0.01%)`	⬇️
database	`91.81% <ø> (ø)`
packages/agent-runtime	`80.48% <ø> (ø)`
packages/builtin-tool-lobe-agent	`83.41% <ø> (ø)`
packages/context-engine	`84.00% <ø> (ø)`
packages/conversation-flow	`92.43% <ø> (ø)`
packages/file-loaders	`87.60% <ø> (ø)`
packages/memory-user-memory	`74.74% <ø> (ø)`
packages/model-bank	`99.94% <ø> (ø)`
packages/model-runtime	`83.69% <ø> (ø)`
packages/prompts	`70.31% <ø> (ø)`
packages/python-interpreter	`92.90% <ø> (ø)`
packages/ssrf-safe-fetch	`0.00% <ø> (ø)`
packages/types	`4.86% <ø> (ø)`
packages/utils	`88.02% <ø> (ø)`
packages/web-crawler	`88.29% <ø> (ø)`

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
Store	`66.98% <ø> (ø)`
Services	`53.86% <ø> (ø)`
Server	`70.84% <62.23%> (-0.03%)`	⬇️
Libs	`55.22% <ø> (ø)`
Utils	`82.51% <ø> (ø)`

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a5f6e222af

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

chatgpt-codex-connector · 2026-05-10T08:17:16Z

          chatConfig: agentConfig.chatConfig ?? undefined,
          plugins: agentPlugins,
        },
+        canUseDevice,


Gate step device activation with canUseDevice

When a bot message comes from a non-owner sender and exactly one device is online, activeDeviceId is still auto-populated above, but this new canUseDevice plumbing only reaches AgentToolsEngine. RuntimeExecutors later calls buildStepToolDelta with state.metadata.activeDeviceId, and that helper injects LocalSystemManifest solely from the active device id, bypassing the engine's disabled enabledToolIds. In that scenario an external bot user can still get local-system tools against the owner's device; the auto-activation/device-context path needs to be gated or cleared when canUseDevice is false.

Useful? React with 👍 / 👎.

…oncrete types Picks up the existing `BotPlatformContext` (`@lobechat/context-engine`) and `ChatTopicBotContext` (`@lobechat/types`) — both already exported — instead of the inherited `any` placeholders on: - `OperationCreationParams.{botContext, botPlatformContext, deviceAccessPolicy}` - `InternalExecAgentParams.botPlatformContext` - `RuntimeExecutorContext.botPlatformContext` `deviceAccessPolicy.reason` is now `DeviceAccessReason` instead of `string`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

The previous patch gated `LocalSystemManifest` in the engine's enabledToolIds, but `buildStepToolDelta` re-injects local-system from `state.metadata.activeDeviceId` on every step regardless of whether the engine excluded it. Auto-activation in `aiAgent.execAgent` populated `activeDeviceId` whenever `(discordContext || botContext) && onlineDevices.length === 1`, so an external bot sender with one device online could still get local-system tools against the owner's device. - `aiAgent/index.ts`: skip `activeDeviceId` derivation entirely when `canUseDevice` is false. `deviceSystemInfo` short-circuits naturally on `if (activeDeviceId) {...}`, so no extra change needed there. - `RuntimeExecutors.ts`: belt-and-suspenders — if `state.metadata.deviceAccessPolicy.canUseDevice` is false, swallow `activeDeviceId` before passing to `buildStepToolDelta`, so a future plumbing bug at the source can't reopen the bypass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…(LOBE-8715) Not every bot platform can identify an owner. WeChat's LobeHub integration encodes every inbound thread as 1:1 (`packages/chat-adapter-wechat/src/adapter.ts:465`) and its settings schema has no `userId` field, so `isOwner` is structurally false on every WeChat turn. The previous policy denied every WeChat call with `bot-owner-not-configured` — fail-closed but unusable. This commit treats platforms whose integration is structurally personal- scope as trusted. WeChat is the only member today; LINE is intentionally excluded because its adapter handles group/room threads even though its schema also lacks `userId` — those must be fixed at the schema layer before being whitelisted. - New `bot-personal-platform` reason in `DeviceAccessReason` - `PERSONAL_SCOPE_BOT_PLATFORMS = new Set(['wechat'])` - Personal-scope check sits AFTER `isOwner` so a future WeChat schema with a `userId` field still resolves as the more specific `bot-owner` - Tests: WeChat without isOwner → allow; WeChat with isOwner=true → still `bot-owner` (more specific wins); regression guard ensuring Discord / Slack / Telegram / Feishu / Lark / QQ / LINE keep going through the standard isOwner gate Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

… (LOBE-8715) The `LocalSystem` / `RemoteDevice` enable rules now short-circuit on `canUseDevice` (default `false`), so tests that exercise the engine-internal gates (`runtimeMode`, `deviceContext`, `clientRuntime`) must explicitly pass `canUseDevice: true` — otherwise they assert the right behavior for the wrong reason or fail outright (e.g. the desktop RemoteDevice-suppression case the reviewer flagged). - All `LocalSystem` / `RemoteDevice` / `LocalSystem + RemoteDevice` / `clientRuntime === "desktop" (Phase 6.4)` blocks now set `canUseDevice: true`. - The "disable RemoteDevice in bot conversations" test was repurposed: the dropped `!isBotConversation` clause is now subsumed by `canUseDevice`, so for a trusted bot caller (canUseDevice=true) RemoteDevice DOES surface. The original intent — block when caller is untrusted — is captured in the new `canUseDevice gate` block. - New `canUseDevice gate` describe block asserts: 1. `canUseDevice=false` blocks LocalSystem even on a desktop caller 2. `canUseDevice=false` blocks RemoteDevice with proxy configured 3. Omitting `canUseDevice` → fail-closed default (deny) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…LOBE-8715) These pre-existing tests model an owner using the bot through Discord and assert that `activeDeviceId` auto-populates when one device is online. After LOBE-8715, `activeDeviceId` is gated on `canUseDevice` from `resolveDeviceAccessPolicy`, so a `botContext` without `isOwner: true` resolves to `bot-external-sender` → `canUseDevice=false` → `activeDeviceId=undefined`. Filling out the `botContext` mocks with `isOwner: true` (plus the other required fields the type now demands) preserves the tests' original intent while exercising the new gate. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ✨ feat(bot): gate device tools by sender identity (LOBE-8715) External users who @-mentioned a bot ran the agent as the bot owner and could call LocalSystem / RemoteDevice tools — a confused-deputy hole that let any group member indirectly read/write the owner's machine. - `ChatTopicBotContext` carries `senderExternalUserId` + `isOwner` - `BotMessageRouter` / `MessengerRouter` compute `isOwner` at the entry point (fail-closed when `settings.userId` is missing) - `resolveDeviceAccessPolicy` maps sender identity to `{ canUseDevice, reason }`; trusted-list branch is reserved for future work without engine changes - `AgentToolsEngine` gates `LocalSystem` + `RemoteDevice` on `canUseDevice` - `RemoteDeviceManifest.systemRole` is no longer injected on external-sender turns — closes the device-list information leak - Per-call audit log (`lobe-server:agent-device-tool-audit`) at the dispatch site records sender, isOwner, reason, identifier, apiName Fixes LOBE-8715 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * 🚨 chore(bot): replace `any` on botContext / botPlatformContext with concrete types Picks up the existing `BotPlatformContext` (`@lobechat/context-engine`) and `ChatTopicBotContext` (`@lobechat/types`) — both already exported — instead of the inherited `any` placeholders on: - `OperationCreationParams.{botContext, botPlatformContext, deviceAccessPolicy}` - `InternalExecAgentParams.botPlatformContext` - `RuntimeExecutorContext.botPlatformContext` `deviceAccessPolicy.reason` is now `DeviceAccessReason` instead of `string`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * 🔒 fix(bot): clear activeDeviceId when canUseDevice=false (LOBE-8715) The previous patch gated `LocalSystemManifest` in the engine's enabledToolIds, but `buildStepToolDelta` re-injects local-system from `state.metadata.activeDeviceId` on every step regardless of whether the engine excluded it. Auto-activation in `aiAgent.execAgent` populated `activeDeviceId` whenever `(discordContext || botContext) && onlineDevices.length === 1`, so an external bot sender with one device online could still get local-system tools against the owner's device. - `aiAgent/index.ts`: skip `activeDeviceId` derivation entirely when `canUseDevice` is false. `deviceSystemInfo` short-circuits naturally on `if (activeDeviceId) {...}`, so no extra change needed there. - `RuntimeExecutors.ts`: belt-and-suspenders — if `state.metadata.deviceAccessPolicy.canUseDevice` is false, swallow `activeDeviceId` before passing to `buildStepToolDelta`, so a future plumbing bug at the source can't reopen the bypass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * 🔒 feat(bot): allow device tools on personal-scope platforms (WeChat) (LOBE-8715) Not every bot platform can identify an owner. WeChat's LobeHub integration encodes every inbound thread as 1:1 (`packages/chat-adapter-wechat/src/adapter.ts:465`) and its settings schema has no `userId` field, so `isOwner` is structurally false on every WeChat turn. The previous policy denied every WeChat call with `bot-owner-not-configured` — fail-closed but unusable. This commit treats platforms whose integration is structurally personal- scope as trusted. WeChat is the only member today; LINE is intentionally excluded because its adapter handles group/room threads even though its schema also lacks `userId` — those must be fixed at the schema layer before being whitelisted. - New `bot-personal-platform` reason in `DeviceAccessReason` - `PERSONAL_SCOPE_BOT_PLATFORMS = new Set(['wechat'])` - Personal-scope check sits AFTER `isOwner` so a future WeChat schema with a `userId` field still resolves as the more specific `bot-owner` - Tests: WeChat without isOwner → allow; WeChat with isOwner=true → still `bot-owner` (more specific wins); regression guard ensuring Discord / Slack / Telegram / Feishu / Lark / QQ / LINE keep going through the standard isOwner gate Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * ✅ test(engine): opt existing device gate tests into canUseDevice=true (LOBE-8715) The `LocalSystem` / `RemoteDevice` enable rules now short-circuit on `canUseDevice` (default `false`), so tests that exercise the engine-internal gates (`runtimeMode`, `deviceContext`, `clientRuntime`) must explicitly pass `canUseDevice: true` — otherwise they assert the right behavior for the wrong reason or fail outright (e.g. the desktop RemoteDevice-suppression case the reviewer flagged). - All `LocalSystem` / `RemoteDevice` / `LocalSystem + RemoteDevice` / `clientRuntime === "desktop" (Phase 6.4)` blocks now set `canUseDevice: true`. - The "disable RemoteDevice in bot conversations" test was repurposed: the dropped `!isBotConversation` clause is now subsumed by `canUseDevice`, so for a trusted bot caller (canUseDevice=true) RemoteDevice DOES surface. The original intent — block when caller is untrusted — is captured in the new `canUseDevice gate` block. - New `canUseDevice gate` describe block asserts: 1. `canUseDevice=false` blocks LocalSystem even on a desktop caller 2. `canUseDevice=false` blocks RemoteDevice with proxy configured 3. Omitting `canUseDevice` → fail-closed default (deny) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * ✅ test(execAgent): set isOwner=true on device auto-activation tests (LOBE-8715) These pre-existing tests model an owner using the bot through Discord and assert that `activeDeviceId` auto-populates when one device is online. After LOBE-8715, `activeDeviceId` is gated on `canUseDevice` from `resolveDeviceAccessPolicy`, so a `botContext` without `isOwner: true` resolves to `bot-external-sender` → `canUseDevice=false` → `activeDeviceId=undefined`. Filling out the `botContext` mocks with `isOwner: true` (plus the other required fields the type now demands) preserves the tests' original intent while exercising the new gate. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@hezhijie0327

# 🚀 LobeHub Release (20260518) **Release Date:** May 18, 2026 **Since v2.1.58:** 208 merged PRs · 209 commits · 16 contributors > v2.2.0 introduces the **Chief Agent Operator** — an agent that runs itself end-to-end. It self-iterates against its own output, assembles sub-agent teams on demand through the heterogeneous runtime, and drives a unified task system that knows when to pause for a human. Self-review, AssistantGroup, and tasks/scheduling all converge into one operator surface. --- ## ✨ Highlights ### 🎩 Chief Agent Operator - **Self-iteration exits Lab** — Agent Signal's self-review pipeline ships proposal actions straight into briefs and auto-executes the approved follow-ups, with prompts hardened against eval. The operator now critiques and re-runs its own work without a human in the loop. (#14769, #14583, #14647, #14882) - **Auto-formed agent teams** — Heterogeneous AssistantGroup gains Monitor-style signal callbacks, read-only SubAgent threads with breadcrumb headers, and a thread switcher. The operator dispatches sub-agents and you can step into any branch to see what the team is doing. (#14859, #14658, #14845, #14715) - **Task system as the operator's runway** — Claude Code surfaces task tools, AskUserQuestion freeform notes, and a dedicated `waitingForHuman` topic status; `lobe-task` exposes `setTaskSchedule`; the scheduler is hardened (maxExecutions cap, sub-10min heartbeat block, race-free SchedulerForm). Long-running operator runs no longer go silent and stop themselves when human input is needed. (#14870, #14639, #14713, #14865, #14853) ### 🚀 Cloud & runtime - **Cloud Claude Code V3** — Repo picker, GitHub token flow, and sandbox-aware context bring cloud-hosted Claude Code to feature parity with local; cloud sandbox completion now triggers the task lifecycle end-to-end. (#14568, #14822, #14681) - **Heterogeneous agent multi-replica safety** — Subagent threads, ingest refresh, and parallel-tool counts now survive replica swaps without losing parent_id or rolling back tool state. (#14897, #14631, #14806, #14838) - **Built-in tool lifecycle hooks** — `onBeforeCall` / `onAfterCall` land on the built-in tool runtime; sub-agent dispatch moves to `lobe-agent`; self-iteration aligns with the shared inspector pattern. (#14719, #14715, #14827) - **Knowledge base RAG unified** — Client and server share one `KnowledgeBaseSearchService`; KB files preserved on `NoSuchKey` instead of silently lost. (#14673, #14501) ### 💬 Workspace experience - **Home daily brief + recommendations** — The home screen opens with a linkable welcome, paired input hint, and a recommendations module sourced from the operator's hetero action library. (#14589, #14645, #14770) - **Chat mode + redesigned action bar** — The chat input gains a Chat/Agent mode toggle and a re-pitched action bar with icon-and-color action tag chips. (#14774, #14903, #14846) - **Documents tree, optimistic** — Document tree creates, deletes, and inline renames now apply optimistically; the agent-documents index hides web crawls and switches to a table layout. (#14714, #14292) - **Branded MCP inspectors** — Linear MCP tool calls render with the same branded inspector as the built-in Linear skill; CC MCP and built-in skills now share inspector code. (#14864, #14884) - **Bot identity gating** — Device tools are gated by sender identity, the activator bypass is closed, and Slack mpim plus Discord DM regressions are fixed. (#14634, #14664, #14733) --- ## 🏗️ Core Agent & Signal Pipeline ### Self-iteration & Agent Signal - Self-iteration graduates out of Lab, with service, tool, name, and concept structure unified across `agent-signal`, `prompts`, `database`, and `builtin-tool-self-iteration`. (#14699, #14769) - Self-review now proposes actions to briefs and auto-executes the approved set, with eval-verified prompt hardening. (#14583, #14657, #14647) - Self-iteration built-in tool aligns with the shared runtime + inspector patterns. (#14827) - Agent Signal prompts adapt their response language and avoid blocking agent execution. (#14890, #14775, #14882) - Receipt descriptions now carry an Agent Signal marker, and self-review hinted skill documents route correctly. (#14764, #14895) ### Heterogeneous agent runtime - Subagent threads render read-only with a breadcrumb header and thread switcher; SUBAGENT badge dropped, indentation tightened. (#14658, #14845, #14783) - Multi-replica safety: ingest refresh restores tools/model from DB to fix parent_id breaks; new-step assistants sync across replicas; subagent-tagged events no longer leak into the main gateway handler. (#14897, #14631, #14838) - Fetch-triggering events are deferred to keep parallel tool counts from rolling back. (#14806) - AskUserQuestion is wired for Claude Code, with auto-decline disabled and a freeform note input on the cloud side; `waitingForHuman` is a first-class topic status. (#14639, #14629, #14870) - AssistantGroup gains Monitor-style signal callbacks; project skills surface in the working sidebar and markdown preview. (#14859, #14896) - Cloud Claude Code V3 — repo picker, GitHub token, sandbox context; credentials alert and disabled input when not configured. (#14568, #14822) - Cloud sandbox completion now triggers the task lifecycle end-to-end. (#14681) ### Agent runtime & context engine - Built-in tool runtime gets `onBeforeCall` / `onAfterCall` lifecycle hooks. (#14719) - `CompletionLifecycle`, `HumanInterventionHandler`, and `stepPresentation` are extracted from the runtime monolith. (#14441) - Per-tool timeout is honored end-to-end for client tool dispatch. (#14817) - Compression budget accounts for `tool_calls`, reasoning content, and tool defs; `call_llm` forwards tools into the budget. (#14813, #14837) - Pre-flight context check now fails fast for OpenAI-compatible providers. (#14824) - Malformed `tool_call` names are recovered instead of finishing the step silently. (#14577) - Sub-agent dispatch moves from `lobe-gtd` to `lobe-agent`. (#14715) - Hidden built-in tools now appear in the system prompt @-mention list. (#14823) ### Agent tracing & operations - New `agent_operations` table and runtime persistence for every hetero-agent operation. (#14416, #14736) - `signOperationJwt` issues 4-hour signed operation tokens. (#14586) - S3 trace snapshots are zstd-compressed; DB `trace_s3_key` aligns with the `.json.zst` suffix; legacy `.json` fallback preserved on fetch. (#14807, #14860, #14826) --- ## 📱 Platform & Integrations ### Bot / Channels - Device tools are gated by sender identity. (#14634) - Activator bypass closed and device-access checks converged. (#14664) - Slack mpim supported; Discord DM regression fixed; Slack connect + slash commands repaired. (#14733, #14591) - Bot channels, bot watch, bot callback service, and system bot reliability fixes. (#14847, #14796, #14570, #14784, #14649) - Online Messager scaffolding. (#14755) ### Onboarding - Home daily brief with linkable welcome and paired input hint. (#14589) - Recommendations module sourced from the hetero agent action library. (#14645) - Chat onboarding passes request triggers via metadata and preserves the resume request. (#14770, #14798) - Discovery turn progress gated by phase, with a reminder on stalled discovery. (#14842, #14833) - FullNameStep back button rejoins the shared prefix; ModeSwitch hidden in production. (#14898, #14760) - Agent marketplace folds into the web onboarding tool. (#14578, #14672) - Onboarding interests stored as keys instead of free text; early-exit skips marketplace and drops CJK prompts. (#14624, #14598) ### Model providers - Gemini 3.1 Flash-Lite cards; Gemini schema sanitizer drops non-compliant `enum` / `required`; zero `cachedContentTokenCount` handled in usage conversion. (#14604, #14740, #14567) - DeepSeek-V4 model cards and pricing restored to official rates. (#14110, #14911) - ernie-5.1 and spark-x2-flash support; Grok 4.3 `reasoning_effort` support. (#14643, #14731, #14642) - SiliconCloud catalog synced with API; duplicates removed; reasoning params adjusted. (#14464) - Minimax derives `max_tokens` from context window to avoid `ExceededContextWindow`. (#14814) - aihubmix uses the full models endpoint for a complete list; stale empty-apiKey test dropped. (#14511, #14669) - Stream parse errors are enriched with provider + model context. (#14636) - Visual content parts are consumed in the server runtime; video image references move to a JSON object. (#14637, #14900) - Google function call magic `thoughtSignature` now attaches to every part, not just the last turn. (#14904) - Service model assignments settings added; model extend-param options removed. (#14712, #14607) ### Built-in tools & knowledge base - `lobe-task` exposes `setTaskSchedule`; task scheduler hardened (maxExecutions cap, sub-10min heartbeat blocked, SchedulerForm race fix, rapid automation-mode toggle stabilized). (#14713, #14865, #14853, #14801) - KnowledgeBaseSearchService shares RAG runtime across client and server. (#14673) - KB files preserved on `NoSuchKey` and orphan documents/tasks cleaned. (#14501) - Document tree gets optimistic create/delete + inline rename. (#14714) - agent-documents index hides web crawls and switches to a table layout. (#14292) - `lobe-clarify` and SKILL.md frontmatter parsing/edit validation are unified. (#14566) - AnalyzeVisualMedia inspector + Portal HTML preview refactor; HTML preview restored for AssistantGroup messages. (#14777, #14811) - Branded inspector shared between CC MCP and built-in Linear skill. (#14884, #14864) --- ## 🖥️ CLI & User Experience ### Chat & Conversation - Chat mode toggle and redesigned chat input action bar. (#14774) - Action tag chips switch to icon + colored label; ActionDropdown closes on sibling-open and focus-out; submenu uses native header/footer slots. (#14903, #14802, #14901) - Action bar padding equalized around the send button; skeleton shows in action bar while config loads. (#14846, #14656) - `useCmdEnterToSend` is respected in thread & task inputs; send button enables after pasting into thread/comment input. (#14850, #14816) - TopicChatDrawer state preserved during close animation. (#14803) - Only the last assistant block animates during markdown streaming. (#14906) - Right working panel no longer auto-collapses on chat mount; home agent config fetched so knowledge toggles reflect in UI. (#14883, #14834) ### Tasks - Task scheduler, hotkey, comment, and TodoList polish. (#14707) - Add Subtask button & card baseline aligned; activity card stop run; task agent manager polish. (#14848, #14559, #14569) - Task template skeleton CLS reduced; task page placeholder copy refreshed. (#14788, #14704) - Task agent model snapshotted into `task.config` at create time. (#14670) - User-feedback card, task card polish, and Run-now context menu in markdown. (#14727) - Inline skill auth in recommended task templates. (#14676) ### Navigation & Layout - Tab bar gains a Chrome-style divider between inactive tabs. (#14892) - SideBarDrawer & header layout polish; nav ActionIcon sizing unified; TodoList encapsulation improved. (#14762, #14692) - Desktop header icons, sidebar density, and task menus polished. (#14724) - Standardized header action icon sizes. (#14717) - Chat topic title length increased; copy session ID added to topic dropdown menu. (#14659, #14595) - Heterogeneous agent topic rows regain indentation. (#14783) ### Other polish - Usage token details shortened; tool execution time formatted as `Xmin Ys`. (#14849, #14641) - Tool arguments display gets word-wrap toggle; long tool-call params wrap instead of truncate. (#14706, #14640) - Editor stops showing per-line placeholder once content is present. (#14852) - Visible divider between queued messages; intervention confirmation bar polished. (#14593, #14587) - Credit top-up copy refreshed; auth captcha retry copy refreshed; brief recommendations layout polished. (#14821, #14561, #14871) --- ## 🔧 Tooling & Developer Experience - Dev-only feature flag override panel. (#14565) - `__DEV__` define replaces `process.env.NODE_ENV` in the SPA. (#14696) - Agent-settings drops Meta/Documents tabs and restores `inputTemplate`. (#14874) - `local-system` forwards all `grepContent` params and moves the executor to `/client`. (#14888) - `lobe-task` and `setTaskSchedule` exposed. (#14713) - Memory user-memory benchmark agent config and source-id extraction schemas. (#14779, #14778) - CLI man page drops stale cron entry; `clearMessages` hotkey removed. (#14709, #14906) - Skill docs simplified; cloud heteroContext gains sandbox TTL + public-repo fork push guide. (#14785, #14761) --- ## 🔒 Security & Reliability - **Security:** Sensitive comments and examples sanitized from the production JS bundle. (#14557) - **Security:** Inactive OIDC access rejected. (#14674) - **Security:** CASC `new Function()` template replaced with safe string builders. (#14751) - **Security:** Sign-in captcha flow removed in favor of safer flow. (#14573) - **Security:** Desktop local file previews restricted to safe roots. (#14789) - **Security:** Image binary capped at 3.75 MB so base64 payload stays under the Anthropic 5 MB limit. (#14711) - **Reliability:** Neon/Node pools get error listeners to prevent Lambda crashes. (#14606) - **Reliability:** `paradedb.match(...)` replaces hardcoded normalizer in memory search. (#14590) - **Reliability:** `PlaceholderVariablesProcessor` errors carry diagnostic context. (#14741) - **Reliability:** File storage upload checks are serialized; multiple account link bug fixed. (#14829, #14562) - **Reliability:** `ScrollShadow` replaced with `ScrollArea` to fix a React infinite render loop (error code 185). (#14689) - **Reliability:** Embedding token cap enforced — long memory queries are limited and truncated before search. (#14757) - **Reliability:** Embed binary blob guard + oversized output cap in `local-system.readFile`. (#14602) - **Reliability:** Windows npm CLI shims resolved before spawning agents. (#14772, #14720) - **Reliability:** Vite pinned to 8.0.12 to avoid the rolldown 1.0.1 preload regression; desktop runtime externals split from native deps. (#14804, #14776) - **Reliability:** Old lobehub cron job removed; WeChat URL rules dropped from web crawler. (#14630, #14633) --- ## 👥 Contributors Huge thanks to **16 contributors** who shipped **208 merged PRs** this cycle. @hezhijie0327 · @sxjeru · @hardy-one · @Bianzinan · @brone1323 · @YuSaZh · @Wxh16144 · @arvinxx · @Innei · @tjx666 · @neko · @lijian · @rdmclin2 · @sudongyuer · @AmAzing129 · @rivertwilight Plus @lobehubbot for maintenance translations. --- **Full Changelog**: v2.1.58...v2.2.0

dosubot Bot added the size:L This PR changes 100-499 lines, ignoring generated files. label May 10, 2026

sourcery-ai Bot reviewed May 10, 2026

View reviewed changes

dosubot Bot added feature:agent Assistant/Agent configuration and behavior feature:tool Tool calling and function execution labels May 10, 2026

arvinxx changed the title ~~✨ feat(bot): gate device tools by sender identity (LOBE-8715)~~ ✨ feat(bot): gate device tools by sender identity May 10, 2026

chatgpt-codex-connector Bot reviewed May 10, 2026

View reviewed changes

vercel Bot deployed to Preview May 10, 2026 08:26 View deployment

vercel Bot deployed to Preview May 10, 2026 08:37 View deployment

vercel Bot deployed to Preview May 10, 2026 08:46 View deployment

vercel Bot deployed to Preview May 10, 2026 09:07 View deployment

vercel Bot deployed to Preview May 10, 2026 09:30 View deployment

arvinxx merged commit 2615c00 into canary May 10, 2026
35 checks passed

arvinxx deleted the feat/lobe-8715-bot-device-access-policy branch May 10, 2026 09:44

arvinxx mentioned this pull request May 11, 2026

♻️ refactor(bot): close activator bypass + converge device-access checks #14664

Merged

16 tasks

arvinxx mentioned this pull request May 12, 2026

🚀 release: 20260512 #14722

Closed

arvinxx mentioned this pull request May 18, 2026

🚀 release: v2.2.0 #14915

Merged

lobehubbot mentioned this pull request May 18, 2026

ProviderBizError: { message: 'fetch failed' } #14930

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

✨ feat(bot): gate device tools by sender identity#14634

✨ feat(bot): gate device tools by sender identity#14634
arvinxx merged 6 commits into
canaryfrom
feat/lobe-8715-bot-device-access-policy

arvinxx commented May 10, 2026

Uh oh!

vercel Bot commented May 10, 2026 •

edited

Loading

Uh oh!

sourcery-ai Bot left a comment

Uh oh!

codecov Bot commented May 10, 2026 •

edited

Loading

Uh oh!

chatgpt-codex-connector Bot left a comment

Uh oh!

chatgpt-codex-connector Bot May 10, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

arvinxx commented May 10, 2026

💻 Change Type

🔗 Related Issue

🔀 Description of Change

🧪 How to Test

📝 Additional Information

Uh oh!

vercel Bot commented May 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

sourcery-ai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

codecov Bot commented May 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

chatgpt-codex-connector Bot May 10, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

vercel Bot commented May 10, 2026 •

edited

Loading

codecov Bot commented May 10, 2026 •

edited

Loading