openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 9 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎src/infra/heartbeat-runner.scheduler.test.ts‎
Lines changed: 73 additions & 25 deletions b/‎src/infra/heartbeat-runner.scheduler.test.ts‎
Lines changed: 73 additions & 25 deletions
@@ -115,12 +115,20 @@ Docs: https://docs.openclaw.ai
 - Daemon/gateway: prevent systemd restart storms on configuration errors by exiting with `EX_CONFIG` and adding generated unit restart-prevention guards. (#63913) Thanks @neo1027144-creator.
 - Agents/exec: prevent gateway crash ("Agent listener invoked outside active run") when a subagent exec tool produces stdout/stderr after the agent run has ended or been aborted. (#62821) Thanks @openperf.
 - Gateway/OpenAI compat: return real `usage` for non-stream `/v1/chat/completions` responses, emit the final usage chunk when `stream_options.include_usage=true`, and bound usage-gated stream finalization after lifecycle end. (#62986) Thanks @Lellansin.
+- Matrix/migration: keep packaged warning-only crypto migrations from being misclassified as actionable when only helper chunks are present, so startup and doctor stay on the warning-only path instead of creating unnecessary migration snapshots. (#64373) Thanks @gumadeiras.
+- Matrix/ACP thread bindings: preserve canonical room casing and parent conversation routing during ACP session spawn so mixed-case room ids bind correctly from top-level rooms and existing Matrix threads. (#64343) Thanks @gumadeiras.
 - Agents/subagents: deduplicate delivered completion announces so retry or re-entry cleanup does not inject duplicate internal-context completion turns into the parent session. (#61525) Thanks @100yenadmin.
 - Agents/exec: keep sandboxed `tools.exec.host=auto` sessions from honoring per-call `host=node` or `host=gateway` overrides while a sandbox runtime is active, and stop advertising node routing in that state so exec stays on the sandbox host. (#63880)
 - Agents/subagents: preserve archived delete-mode runs until `sessions.delete` succeeds and prevent overlapping archive sweeps from duplicating in-flight cleanup attempts. (#61801) Thanks @100yenadmin.
 - Cron/isolated agent: run scheduled agent turns as non-owner senders so owner-only tools stay unavailable during cron execution. (#63878)
 - Discord/sandbox: include `image` in sandbox media param normalization so Discord event cover images cannot bypass sandbox path rewriting. (#64377) Thanks @mmaps.
 - Agents/exec: extend exec completion detection to cover local background exec formats so the owner-downgrade fires correctly for all exec paths. (#64376) Thanks @mmaps.
+- Security/dependencies: pin axios to 1.15.0 and add a plugin install dependency denylist that blocks known malicious packages before install. (#63891) Thanks @mmaps.
+- Browser/security: apply three-phase interaction navigation guard to pressKey and type(submit) so delayed JS redirects from keypress cannot bypass SSRF policy. (#63889) Thanks @mmaps.
+
+- Browser/security: guard existing-session Chrome MCP interaction routes with SSRF post-checks so delayed navigation from click, type, press, and evaluate cannot bypass the configured policy. (#64370) Thanks @eleqtrizit.
+- Browser/security: default browser SSRF policy to strict mode so unconfigured installs block private-network navigation, and align external-content marker span mapping so ZWS-injected boundary spoofs are fully sanitized. (#63885) Thanks @eleqtrizit.
+- Browser/security: apply SSRF navigation policy to subframe document navigations so iframe-targeted private-network hops are blocked without quarantining the parent page. (#64371) Thanks @eleqtrizit.
 - Hooks/security: mark agent hook system events as untrusted and sanitize hook display names before cron metadata reuse. (#64372) Thanks @eleqtrizit.
 - Daemon/launchd: keep `openclaw gateway stop` persistent without uninstalling the macOS LaunchAgent, re-enable it on explicit restart or repair, and harden launchd label handling. (#64447) Thanks @ngutman.
 - Plugins/context engines: preserve `plugins.slots.contextEngine` through normalization and keep explicitly selected workspace context-engine plugins enabled, so loader diagnostics and plugin activation stop dropping that slot selection. (#64192) Thanks @hclsys.
@@ -131,6 +139,7 @@ Docs: https://docs.openclaw.ai
 - Media/security: honor sender-scoped `toolsBySender` policy for outbound host-media reads so denied senders cannot trigger host file disclosure via attachment hydration. (#64459) Thanks @eleqtrizit.
 - Browser/security: reject strict-policy hostname navigation unless the hostname is an explicit allowlist exception or IP literal, and route CDP HTTP discovery through the pinned SSRF fetch path. (#64367) Thanks @eleqtrizit.
 - Models/vLLM: ignore empty `tool_calls` arrays from reasoning-model OpenAI-compatible replies, reset false `toolUse` stop reasons when no actual tool calls were parsed, and stop sending `tool_choice` unless tools are present so vLLM reasoning responses no longer hang indefinitely. (#61197, #61534) Thanks @balajisiva.
+- Heartbeat/scheduling: spread interval heartbeats across stable per-agent phases derived from gateway identity, so provider traffic is distributed more uniformly across the configured interval instead of clustering around startup-relative times. (#64560) Thanks @odysseus0.
 
 ## 2026.4.9
 
 
@@ -1,10 +1,12 @@
 import { afterEach, describe, expect, it, vi } from "vitest";
 import type { OpenClawConfig } from "../config/config.js";
 import { startHeartbeatRunner } from "./heartbeat-runner.js";
+import { computeNextHeartbeatPhaseDueMs, resolveHeartbeatPhaseMs } from "./heartbeat-schedule.js";
 import { requestHeartbeatNow, resetHeartbeatWakeStateForTests } from "./heartbeat-wake.js";
 
 describe("startHeartbeatRunner", () => {
   type RunOnce = Parameters<typeof startHeartbeatRunner>[0]["runOnce"];
+  const TEST_SCHEDULER_SEED = "heartbeat-runner-test-seed";
 
   function useFakeHeartbeatTime() {
     vi.useFakeTimers();
@@ -15,6 +17,7 @@ describe("startHeartbeatRunner", () => {
     return startHeartbeatRunner({
       cfg: heartbeatConfig(),
       runOnce,
+      stableSchedulerSeed: TEST_SCHEDULER_SEED,
     });
   }
 
@@ -29,6 +32,18 @@ describe("startHeartbeatRunner", () => {
     } as OpenClawConfig;
   }
 
+  function resolveDueFromNow(nowMs: number, intervalMs: number, agentId: string) {
+    return computeNextHeartbeatPhaseDueMs({
+      nowMs,
+      intervalMs,
+      phaseMs: resolveHeartbeatPhaseMs({
+        schedulerSeed: TEST_SCHEDULER_SEED,
+        agentId,
+        intervalMs,
+      }),
+    });
+  }
+
   function createRequestsInFlightRunSpy(skipCount: number) {
     let callCount = 0;
     return vi.fn().mockImplementation(async () => {
@@ -49,6 +64,7 @@ describe("startHeartbeatRunner", () => {
     const runner = startHeartbeatRunner({
       cfg: params.cfg,
       runOnce: params.runSpy,
+      stableSchedulerSeed: TEST_SCHEDULER_SEED,
     });
 
     requestHeartbeatNow(params.wake);
@@ -72,8 +88,9 @@ describe("startHeartbeatRunner", () => {
     const runSpy = vi.fn().mockResolvedValue({ status: "ran", durationMs: 1 });
 
     const runner = startDefaultRunner(runSpy);
+    const firstDueMs = resolveDueFromNow(0, 30 * 60_000, "main");
 
-    await vi.advanceTimersByTimeAsync(30 * 60_000 + 1_000);
+    await vi.advanceTimersByTimeAsync(firstDueMs + 1);
 
     expect(runSpy).toHaveBeenCalledTimes(1);
     expect(runSpy.mock.calls[0]?.[0]).toEqual(
@@ -90,19 +107,26 @@ describe("startHeartbeatRunner", () => {
       },
     } as OpenClawConfig);
 
-    await vi.advanceTimersByTimeAsync(10 * 60_000 + 1_000);
+    const nowAfterReload = Date.now();
+    const nextMainDueMs = resolveDueFromNow(nowAfterReload, 10 * 60_000, "main");
+    const nextOpsDueMs = resolveDueFromNow(nowAfterReload, 15 * 60_000, "ops");
+    const finalDueMs = Math.max(nextMainDueMs, nextOpsDueMs);
 
-    expect(runSpy).toHaveBeenCalledTimes(2);
-    expect(runSpy.mock.calls[1]?.[0]).toEqual(
-      expect.objectContaining({ agentId: "main", heartbeat: { every: "10m" } }),
-    );
+    await vi.advanceTimersByTimeAsync(finalDueMs - Date.now() + 1);
 
-    await vi.advanceTimersByTimeAsync(5 * 60_000 + 1_000);
-
-    expect(runSpy).toHaveBeenCalledTimes(3);
-    expect(runSpy.mock.calls[2]?.[0]).toEqual(
-      expect.objectContaining({ agentId: "ops", heartbeat: { every: "15m" } }),
+    expect(runSpy.mock.calls.slice(1).map((call) => call[0]?.agentId)).toEqual(
+      expect.arrayContaining(["main", "ops"]),
     );
+    expect(
+      runSpy.mock.calls.some(
+        (call) => call[0]?.agentId === "main" && call[0]?.heartbeat?.every === "10m",
+      ),
+    ).toBe(true);
+    expect(
+      runSpy.mock.calls.some(
+        (call) => call[0]?.agentId === "ops" && call[0]?.heartbeat?.every === "15m",
+      ),
+    ).toBe(true);
 
     runner.stop();
   });
@@ -121,13 +145,14 @@ describe("startHeartbeatRunner", () => {
     });
 
     const runner = startDefaultRunner(runSpy);
+    const firstDueMs = resolveDueFromNow(0, 30 * 60_000, "main");
 
     // First heartbeat fires and throws
-    await vi.advanceTimersByTimeAsync(30 * 60_000 + 1_000);
+    await vi.advanceTimersByTimeAsync(firstDueMs + 1);
     expect(runSpy).toHaveBeenCalledTimes(1);
 
     // Second heartbeat should still fire (scheduler must not be dead)
-    await vi.advanceTimersByTimeAsync(30 * 60_000 + 1_000);
+    await vi.advanceTimersByTimeAsync(30 * 60_000);
     expect(runSpy).toHaveBeenCalledTimes(2);
 
     runner.stop();
@@ -142,18 +167,27 @@ describe("startHeartbeatRunner", () => {
     const cfg = {
       agents: { defaults: { heartbeat: { every: "30m" } } },
     } as OpenClawConfig;
+    const firstDueMs = resolveDueFromNow(0, 30 * 60_000, "main");
 
     // Start runner A
-    const runnerA = startHeartbeatRunner({ cfg, runOnce: runSpy1 });
+    const runnerA = startHeartbeatRunner({
+      cfg,
+      runOnce: runSpy1,
+      stableSchedulerSeed: TEST_SCHEDULER_SEED,
+    });
 
     // Start runner B (simulates lifecycle reload)
-    const runnerB = startHeartbeatRunner({ cfg, runOnce: runSpy2 });
+    const runnerB = startHeartbeatRunner({
+      cfg,
+      runOnce: runSpy2,
+      stableSchedulerSeed: TEST_SCHEDULER_SEED,
+    });
 
     // Stop runner A (stale cleanup) — should NOT kill runner B's handler
     runnerA.stop();
 
     // Runner B should still fire
-    await vi.advanceTimersByTimeAsync(30 * 60_000 + 1_000);
+    await vi.advanceTimersByTimeAsync(firstDueMs + 1);
     expect(runSpy2).toHaveBeenCalledTimes(1);
     expect(runSpy1).not.toHaveBeenCalled();
 
@@ -185,10 +219,12 @@ describe("startHeartbeatRunner", () => {
     const runner = startHeartbeatRunner({
       cfg: heartbeatConfig(),
       runOnce: runSpy,
+      stableSchedulerSeed: TEST_SCHEDULER_SEED,
     });
+    const firstDueMs = resolveDueFromNow(0, 30 * 60_000, "main");
 
     // First heartbeat returns requests-in-flight
-    await vi.advanceTimersByTimeAsync(30 * 60_000 + 1_000);
+    await vi.advanceTimersByTimeAsync(firstDueMs + 1);
     expect(runSpy).toHaveBeenCalledTimes(1);
 
     // The wake layer retries after DEFAULT_RETRY_MS (1 s).  No scheduleNext()
@@ -204,28 +240,40 @@ describe("startHeartbeatRunner", () => {
 
     // Simulate a long-running heartbeat: the first 5 calls return
     // requests-in-flight (retries from the wake layer), then the 6th succeeds.
-    const runSpy = createRequestsInFlightRunSpy(5);
+    const callTimes: number[] = [];
+    let callCount = 0;
+    const runSpy = vi.fn().mockImplementation(async () => {
+      callTimes.push(Date.now());
+      callCount++;
+      if (callCount <= 5) {
+        return { status: "skipped", reason: "requests-in-flight" } as const;
+      }
+      return { status: "ran", durationMs: 1 } as const;
+    });
 
     const runner = startHeartbeatRunner({
       cfg: heartbeatConfig(),
       runOnce: runSpy,
+      stableSchedulerSeed: TEST_SCHEDULER_SEED,
     });
+    const intervalMs = 30 * 60_000;
+    const firstDueMs = resolveDueFromNow(0, intervalMs, "main");
 
-    // Trigger the first heartbeat at t=30m — returns requests-in-flight.
-    await vi.advanceTimersByTimeAsync(30 * 60_000 + 1_000);
+    // Trigger the first heartbeat at the agent's first slot — returns requests-in-flight.
+    await vi.advanceTimersByTimeAsync(firstDueMs + 1);
     expect(runSpy).toHaveBeenCalledTimes(1);
 
     // Simulate 4 more retries at short intervals (wake layer retries).
     for (let i = 0; i < 4; i++) {
       requestHeartbeatNow({ reason: "retry", coalesceMs: 0 });
       await vi.advanceTimersByTimeAsync(1_000);
     }
-    expect(runSpy).toHaveBeenCalledTimes(5);
+    expect(callTimes.some((time) => time >= firstDueMs + intervalMs)).toBe(false);
 
-    // The next interval tick at ~t=60m should still fire — the schedule
-    // must not have been pushed to t=30m * 6 = 180m by the 5 retries.
-    await vi.advanceTimersByTimeAsync(30 * 60_000);
-    expect(runSpy).toHaveBeenCalledTimes(6);
+    // The next interval tick at the next scheduled slot should still fire —
+    // the retries must not push the phase out by multiple intervals.
+    await vi.advanceTimersByTimeAsync(firstDueMs + intervalMs - Date.now() + 1);
+    expect(callTimes.some((time) => time >= firstDueMs + intervalMs)).toBe(true);
 
     runner.stop();
   });