fix: ensure CDP health checks bypass proxy by adding loopback to no_proxy#45
Open
newtontech wants to merge 473 commits intomainfrom
Open
fix: ensure CDP health checks bypass proxy by adding loopback to no_proxy#45newtontech wants to merge 473 commits intomainfrom
newtontech wants to merge 473 commits intomainfrom
Conversation
…chilu18 Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: chilu18 <7957943+chilu18@users.noreply.github.com> Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
…on (openclaw#29165) * feat(slack): track thread participation for auto-reply without @mention * fix(slack): scope thread participation cache by accountId and capture actual reply thread ts * fix(slack): capture reply thread ts from all delivery paths and only after success * Slack: add changelog for thread participation cache behavior --------- Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
…penclaw#23787) thanks @graysurf Verified: - pnpm install --frozen-lockfile - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: graysurf <10785178+graysurf@users.noreply.github.com> Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
* fix(slack): reconnect socket mode after disconnect * fix(slack): avoid orphaned disconnect waiters on start failure * docs(changelog): record slack socket reconnect reliability fix --------- Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
…penclaw#27616) (openclaw#27642) Verified: - pnpm install --frozen-lockfile - pnpm build - pnpm check - pnpm test:macmini
* feat: detect stale Slack sockets and auto-restart
Slack Socket Mode connections can silently stop delivering events while
still appearing connected (health checks pass, WebSocket stays open).
This "half-dead socket" problem causes messages to go unanswered.
This commit adds two layers of protection:
1. **Event liveness tracking**: Every inbound Slack event (messages,
reactions, member joins/leaves, channel events, pins) now calls
`setStatus({ lastEventAt, lastInboundAt })` to update the channel
account snapshot with the timestamp of the last received event.
2. **Health monitor stale socket detection**: The channel health monitor
now checks `lastEventAt` against a configurable threshold (default
30 minutes). If a channel has been running longer than the threshold
and hasn't received any events in that window, it is flagged as
unhealthy and automatically restarted — the same way disconnected
or crashed channels are already handled.
The restart reason is logged as "stale-socket" for observability, and
the existing cooldown/rate-limit logic (3 restarts/hour max) prevents
restart storms.
* Slack: gate liveness tracking to accepted events
---------
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
…claw#26251) * fix(slack): honor direct replyToMode when thread label exists ThreadLabel is a session/conversation label, not a reliable indicator of an actual Slack thread reply. Using it to force replyToMode="all" overrides replyToModeByChatType.direct="off" in DMs. Switch to MessageThreadId which indicates a real thread target is available, preserving expected behavior: thread replies stay threaded, normal DMs respect the configured mode. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Slack: add changelog for threading tool context fix --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
…8103) * fix(slack): use SLACK_USER_TOKEN when connecting to Slack (closes openclaw#26480) * test(slack): fix account fixture typing for user token source --------- Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
* fix(slack): reject HTML responses when downloading media Slack sometimes returns HTML login pages instead of binary media when authentication fails or URLs expire. This change detects HTML responses by checking content-type header and buffer content, then skips to the next available file URL. * fix: format import order and add braces to continue statement * chore: format Slack media tests * chore: apply formatter to Slack media tests * fix(slack): merge auth-header forwarding and html media guard --------- Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
…claw#26849) * feat(slack): create thread sessions for auto-threaded DM messages When replyToMode="all", every top-level message starts a new Slack thread. Previously, only subsequent replies in that thread got an isolated session (via 🧵<threadTs> suffix). The initial message fell back to the base DM session, mixing context across unrelated conversations. Now, when replyToMode="all" and a message is not already a thread reply, the message's own ts is used as the threadId for session key resolution. This gives the initial message AND all subsequent thread replies the same isolated session. This enables per-thread session isolation for Slack DMs — each new message starts its own thread and session, keeping conversations separate. * Slack: fix auto-thread session key mode check and add changelog --------- Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
…@JcMinarro Verified: - pnpm install --frozen-lockfile - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: JcMinarro <4047514+JcMinarro@users.noreply.github.com> Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
…ronments (openclaw#25475) * fix(discord,slack): add SSRF policy for media downloads in proxy environments Discord and Slack media downloads (attachments, stickers, forwarded images) call fetchRemoteMedia without any ssrfPolicy. When running behind a local transparent proxy (Clash, mihomo, Shadowrocket) in fake-ip mode, DNS returns virtual IPs in the 198.18.0.0/15 range, which the SSRF guard blocks. Add per-channel SSRF policy constants—matching the pattern already applied to Telegram on main—that allowlist known CDN hostnames and set allowRfc2544BenchmarkRange: true. Refs openclaw#25355, openclaw#25322 Co-authored-by: Cursor <cursoragent@cursor.com> * chore(slack): keep raw-fetch allowlist line anchors stable --------- Co-authored-by: Cursor <cursoragent@cursor.com> Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
…sing_scope error (openclaw#17558) * fix(slack): replace files.uploadV2 with 3-step upload flow files.uploadV2 from @slack/web-api internally calls the deprecated files.upload endpoint, which fails with missing_scope even when files:write is correctly granted in the bot token scopes. Replace with Slack's recommended 3-step upload flow: 1. files.getUploadURLExternal - get presigned URL + file_id 2. fetch(upload_url) - upload file content 3. files.completeUploadExternal - finalize & share to channel/thread This preserves all existing behavior including thread replies via thread_ts and caption via initial_comment. * fix(slack): harden external upload flow and tests --------- Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
…ccess (openclaw#24723) * feat(slack): add download-file action for on-demand file attachment access Adds a new `download-file` message tool action that allows the agent to download Slack file attachments by file ID on demand. This is a prerequisite for accessing images posted in thread history, where file attachments are not automatically resolved. Changes: - Add `files` field to `SlackMessageSummary` type so file IDs are visible in message read results - Add `downloadSlackFile()` to fetch a file by ID via `files.info` and resolve it through the existing `resolveSlackMedia()` pipeline - Register `download-file` in `CHANNEL_MESSAGE_ACTION_NAMES`, `MESSAGE_ACTION_TARGET_MODE`, and `listSlackMessageActions` - Add `downloadFile` dispatch case in `handleSlackAction` - Wire agent-facing `download-file` → internal `downloadFile` in `handleSlackMessageAction` Closes openclaw#24681 * style: fix formatting in slack-actions and actions * test(slack): cover download-file action path --------- Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
…law#30846) thanks @yzhong52 Verified: - pnpm install --frozen-lockfile - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: yzhong52 <3712071+yzhong52@users.noreply.github.com> Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
… mixing (openclaw#10686) * fix(slack): use thread-level sessions for channels to prevent context mixing All messages in a Slack channel share a single session, causing context from different threads to mix together. When users have multiple conversations in different threads of the same channel, the agent sees combined context from all threads, leading to confused responses. Session key was: `slack:channel:${channelId}` (no thread identifier) 1. **Thread-level session keys**: Each message in channels/groups now gets its own session based on thread_ts: - Thread replies: use the parent thread's ts - New messages: use the message's own ts (becomes thread root) - DMs: unchanged (no thread-level sessions needed) New session key format: `slack:channel:${channelId}:thread:${threadTs}` 2. **Increased thread cache TTL**: Changed from 60 seconds to 6 hours. Users often pause conversations, and the short TTL caused unnecessary API calls and thread resolution failures. 3. **Increased cache size**: Changed from 500 to 10,000 entries to support busy workspaces with many active threads. 1. Create two threads in the same Slack channel 2. In Thread A: tell the bot your name is "Alice" and ask about "billing" 3. In Thread B: tell the bot your name is "Bob" and ask about "API" 4. Reply in Thread A and ask "what's my name?" - should say "Alice" 5. Check sessions: each thread should have a unique session key with :thread: suffix Fixes context bleed issues related to openclaw#758 * fix(slack): also update resolveSlackSystemEventSessionKey for thread-level sessions The context.ts file has a separate function for resolving session keys for system events (reactions, file uploads, etc.). This also needs to support thread-level sessions to ensure all Slack events route to the correct thread-specific session. Added threadTs and messageTs parameters to resolveSlackSystemEventSessionKey and updated the implementation to use thread-level keys for channels/groups. * fix(slack): preserve DM thread sessions for thread replies The previous change broke thread-level sessions for DMs that have threads. DMs with parent_user_id should still get thread-level sessions. - For channels/groups: always use thread-level sessions - For DMs: use thread-level sessions only when isThreadReply is true * fix(slack): use thread-level sessionKey for previousTimestamp Fixes the bug where previousTimestamp was read from the base channel session key (route.sessionKey) instead of the resolved thread-level sessionKey. This caused the elapsed-time calculation in the inbound envelope to always pull from the channel session rather than the thread session. Also adds regression tests for the thread-level session key behavior. Co-authored-by: Tony Dehnke <tdehnke@gmail.com> * fix(slack): narrow openclaw#10686 to surgical thread-session patch * test(slack): satisfy context/account typing in thread-session tests * docs(changelog): record surgical slack thread-session fix --------- Co-authored-by: Pablo Carvalho <pablo@telnyx.com> Co-authored-by: Tony Dehnke <tdehnke@gmail.com> Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
…p failure (openclaw#28900) thanks @Glucksberg Verified: - pnpm install --frozen-lockfile - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: Glucksberg <80581902+Glucksberg@users.noreply.github.com> Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
…w#30964) * fix(ollama): honor provider baseUrl in embedded runner * Embedded Ollama: clarify provider baseUrl precedence comment * Changelog: note embedded Ollama baseUrl precedence fix * Telegram: apply required formatter update in accounts config merge * Revert "Telegram: apply required formatter update in accounts config merge" This reverts commit d372b26. * Update CHANGELOG.md --------- Co-authored-by: User <user@example.com> Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
…openclaw#31184) Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
* fix(telegram): scope DM topic thread keys by chat id * test(telegram): update dm topic session-key expectation * fix(telegram): parse scoped dm thread ids in outbound recovery * chore(telegram): format accounts config merge block * test(nodes): simplify mocked exports for ts tuple spreads
… chunk The `replyToMessageIdForPayload` was computed once outside the chunk and media loops, so all chunks received the same reply-to ID even when replyToMode was set to "first". This replaces the static binding with a lazy `resolveReplyTo()` function that checks `hasReplied` at each send site, and updates `hasReplied` immediately after the first successful send. Fixes openclaw#31039 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…nclaw#30554) * telegram: retry fetch once with IPv4 fallback on connect errors * test(telegram): format fetch fallback test * style(telegram): apply oxfmt for fetch test * fix(telegram): retry ipv4 fallback per request * test: harden telegram ipv4 fallback coverage (openclaw#30554) --------- Co-authored-by: root <root@vultr.guest> Co-authored-by: Peter Steinberger <steipete@gmail.com>
…aosenwang1018) Landed from contributor PR openclaw#30932 by @haosenwang1018. Co-authored-by: haosenwang1018 <haosenwang1018@users.noreply.github.com>
Preserve inbound attachment/sticker metadata in Discord message context when media download fails (for example due to SSRF blocking), so agents still see file references instead of silent drops. Closes openclaw#28816
Assign distinct sentinel registration ids to Discord wildcard handlers while preserving wildcard parser keys, so select/menu/modal handlers no longer get dropped on runtimes that dedupe by raw customId.
) Landed from contributor PR openclaw#31201 by @williamos-dev. Co-authored-by: williamos-dev <williamos-dev@users.noreply.github.com>
…keswky) Landed from contributor PR openclaw#31202 by @stakeswky. Co-authored-by: stakeswky <stakeswky@users.noreply.github.com>
…BlueBirdBack) Landed from contributor PR openclaw#30891 by @BlueBirdBack. Co-authored-by: BlueBirdBack <BlueBirdBack@users.noreply.github.com>
) Landed from contributor PR openclaw#30965 by @novan. Co-authored-by: novan <novan@users.noreply.github.com>
…roxy When HTTP_PROXY, HTTPS_PROXY, or ALL_PROXY is set, CDP health checks to 127.0.0.1 were being routed through the proxy instead of directly to localhost. This fix ensures loopback addresses are always in no_proxy. Fixes openclaw#31219
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
When HTTP_PROXY, HTTPS_PROXY, or ALL_PROXY environment variables are set, CDP health checks to 127.0.0.1 were being routed through the proxy instead of directly to localhost, causing browser control to fail.
Changes
ensureLoopbackInNoProxy()helper function that checks for proxy environment variablesRoot Cause
Node.js (via undichi's EnvHttpProxyAgent) routes HTTP requests through the proxy when proxy environment variables are set. CDP health checks to 127.0.0.1 were being sent through the proxy instead of directly to localhost, causing them to fail or time out.
Testing
Fixes openclaw#31219