openclaw
diff --git a/‎.agents/skills/openclaw-parallels-smoke/SKILL.md‎
Lines changed: 11 additions & 0 deletions b/‎.agents/skills/openclaw-parallels-smoke/SKILL.md‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 188 additions & 174 deletions b/‎CHANGELOG.md‎
Lines changed: 188 additions & 174 deletions
diff --git a/‎apps/android/app/src/main/java/ai/openclaw/app/MainViewModel.kt‎
Lines changed: 4 additions & 0 deletions b/‎apps/android/app/src/main/java/ai/openclaw/app/MainViewModel.kt‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎apps/android/app/src/main/java/ai/openclaw/app/NodeRuntime.kt‎
Lines changed: 4 additions & 0 deletions b/‎apps/android/app/src/main/java/ai/openclaw/app/NodeRuntime.kt‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎apps/android/app/src/main/java/ai/openclaw/app/node/A2UIHandler.kt‎
Lines changed: 7 additions & 0 deletions b/‎apps/android/app/src/main/java/ai/openclaw/app/node/A2UIHandler.kt‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎apps/android/app/src/main/java/ai/openclaw/app/node/CanvasActionTrust.kt‎
Lines changed: 50 additions & 0 deletions b/‎apps/android/app/src/main/java/ai/openclaw/app/node/CanvasActionTrust.kt‎
Lines changed: 50 additions & 0 deletions
diff --git a/‎apps/android/app/src/main/java/ai/openclaw/app/ui/CanvasScreen.kt‎
Lines changed: 22 additions & 2 deletions b/‎apps/android/app/src/main/java/ai/openclaw/app/ui/CanvasScreen.kt‎
Lines changed: 22 additions & 2 deletions
diff --git a/‎apps/android/app/src/test/java/ai/openclaw/app/node/CanvasActionTrustTest.kt‎
Lines changed: 42 additions & 0 deletions b/‎apps/android/app/src/test/java/ai/openclaw/app/node/CanvasActionTrustTest.kt‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎docs/.generated/config-baseline.json‎
Lines changed: 22 additions & 2 deletions b/‎docs/.generated/config-baseline.json‎
Lines changed: 22 additions & 2 deletions
diff --git a/‎docs/.generated/config-baseline.jsonl‎
Lines changed: 5 additions & 3 deletions b/‎docs/.generated/config-baseline.jsonl‎
Lines changed: 5 additions & 3 deletions
@@ -16,6 +16,15 @@ Use this skill for Parallels guest workflows and smoke interpretation. Do not lo
 - Pass `--json` for machine-readable summaries.
 - Per-phase logs land under `/tmp/openclaw-parallels-*`.
 - Do not run local and gateway agent turns in parallel on the same fresh workspace or session.
+- For `prlctl exec`, pass the VM name before `--current-user` (`prlctl exec "$VM" --current-user ...`), not the other way around.
+
+## npm install then update
+
+- Preferred entrypoint: `pnpm test:parallels:npm-update`
+- Flow: fresh snapshot -> install npm package baseline -> smoke -> install current main tgz on the same guest -> smoke again.
+- Same-guest update verification should set the default model explicitly to `openai/gpt-5.4` before the agent turn and use a fresh explicit `--session-id` so old session model state does not leak into the check.
+- On Windows same-guest update checks, restart the gateway after the npm upgrade before `gateway status` / `agent`; in-place global npm updates can otherwise leave stale hashed `dist/*` module imports alive in the running service.
+- Linux same-guest update verification should also export `HOME=/root`, pass `OPENAI_API_KEY` via `prlctl exec ... /usr/bin/env`, and use `openclaw agent --local`; the fresh Linux baseline does not rely on persisted gateway credentials.
 
 ## macOS flow
 
@@ -34,7 +43,9 @@ Use this skill for Parallels guest workflows and smoke interpretation. Do not lo
 - Always use `prlctl exec --current-user`; plain `prlctl exec` lands in `NT AUTHORITY\\SYSTEM`.
 - Prefer explicit `npm.cmd` and `openclaw.cmd`.
 - Use PowerShell only as the transport with `-ExecutionPolicy Bypass`, then call the `.cmd` shims from inside it.
+- Windows installer/tgz phases now retry once after guest-ready recheck; keep new Windows smoke steps idempotent so a transport-flake retry is safe.
 - Keep onboarding and status output ASCII-clean in logs; fancy punctuation becomes mojibake in current capture paths.
+- If you hit an older run with `rc=255` plus an empty `fresh.install-main.log` or `upgrade.install-main.log`, treat it as a likely `prlctl exec` transport drop after guest start-up, not immediate proof of an npm/package failure.
 
 ## Linux flow
 
 
@@ -237,6 +237,10 @@ class MainViewModel(app: Application) : AndroidViewModel(app) {
     ensureRuntime().handleCanvasA2UIActionFromWebView(payloadJson)
   }
 
+  fun isTrustedCanvasActionUrl(rawUrl: String?): Boolean {
+    return ensureRuntime().isTrustedCanvasActionUrl(rawUrl)
+  }
+
   fun requestCanvasRehydrate(source: String = "screen_tab") {
     ensureRuntime().requestCanvasRehydrate(source = source, force = true)
   }
 
@@ -904,6 +904,10 @@ class NodeRuntime(
     }
   }
 
+  fun isTrustedCanvasActionUrl(rawUrl: String?): Boolean {
+    return a2uiHandler.isTrustedCanvasActionUrl(rawUrl)
+  }
+
   fun loadChat(sessionKey: String) {
     val key = sessionKey.trim().ifEmpty { resolveMainSessionKey() }
     chat.load(key)
 
@@ -13,6 +13,13 @@ class A2UIHandler(
   private val getNodeCanvasHostUrl: () -> String?,
   private val getOperatorCanvasHostUrl: () -> String?,
 ) {
+  fun isTrustedCanvasActionUrl(rawUrl: String?): Boolean {
+    return CanvasActionTrust.isTrustedCanvasActionUrl(
+      rawUrl = rawUrl,
+      trustedA2uiUrls = listOfNotNull(resolveA2uiHostUrl()),
+    )
+  }
+
   fun resolveA2uiHostUrl(): String? {
     val nodeRaw = getNodeCanvasHostUrl()?.trim().orEmpty()
     val operatorRaw = getOperatorCanvasHostUrl()?.trim().orEmpty()
 
@@ -0,0 +1,50 @@
+package ai.openclaw.app.node
+
+import java.net.URI
+
+object CanvasActionTrust {
+  const val scaffoldAssetUrl: String = "file:///android_asset/CanvasScaffold/scaffold.html"
+
+  fun isTrustedCanvasActionUrl(rawUrl: String?, trustedA2uiUrls: List<String>): Boolean {
+    val candidate = rawUrl?.trim().orEmpty()
+    if (candidate.isEmpty()) return false
+    if (candidate == scaffoldAssetUrl) return true
+
+    val candidateUri = parseUri(candidate) ?: return false
+    if (candidateUri.scheme.equals("file", ignoreCase = true)) {
+      return false
+    }
+
+    return trustedA2uiUrls.any { trusted ->
+      isTrustedA2uiPage(candidateUri, trusted)
+    }
+  }
+
+  private fun isTrustedA2uiPage(candidateUri: URI, trustedUrl: String): Boolean {
+    val trustedUri = parseUri(trustedUrl) ?: return false
+    if (!candidateUri.scheme.equals(trustedUri.scheme, ignoreCase = true)) return false
+    if (candidateUri.host?.equals(trustedUri.host, ignoreCase = true) != true) return false
+    if (effectivePort(candidateUri) != effectivePort(trustedUri)) return false
+
+    val trustedPath = trustedUri.rawPath?.takeIf { it.isNotBlank() } ?: return false
+    val candidatePath = candidateUri.rawPath?.takeIf { it.isNotBlank() } ?: return false
+    val trustedPrefix = if (trustedPath.endsWith("/")) trustedPath else "$trustedPath/"
+    return candidatePath == trustedPath || candidatePath.startsWith(trustedPrefix)
+  }
+
+  private fun effectivePort(uri: URI): Int {
+    if (uri.port >= 0) return uri.port
+    return when (uri.scheme?.lowercase()) {
+      "https" -> 443
+      "http" -> 80
+      else -> -1
+    }
+  }
+
+  private fun parseUri(raw: String): URI? =
+    try {
+      URI(raw)
+    } catch (_: Throwable) {
+      null
+    }
+}
@@ -22,13 +22,15 @@ import androidx.compose.ui.viewinterop.AndroidView
 import androidx.webkit.WebSettingsCompat
 import androidx.webkit.WebViewFeature
 import ai.openclaw.app.MainViewModel
+import java.util.concurrent.atomic.AtomicReference
 
 @SuppressLint("SetJavaScriptEnabled")
 @Composable
 fun CanvasScreen(viewModel: MainViewModel, visible: Boolean, modifier: Modifier = Modifier) {
   val context = LocalContext.current
   val isDebuggable = (context.applicationInfo.flags and android.content.pm.ApplicationInfo.FLAG_DEBUGGABLE) != 0
   val webViewRef = remember { mutableStateOf<WebView?>(null) }
+  val currentPageUrlRef = remember { AtomicReference<String?>(null) }
 
   DisposableEffect(viewModel) {
     onDispose {
@@ -68,6 +70,14 @@ fun CanvasScreen(viewModel: MainViewModel, visible: Boolean, modifier: Modifier
         isHorizontalScrollBarEnabled = true
         webViewClient =
           object : WebViewClient() {
+            override fun onPageStarted(
+              view: WebView,
+              url: String?,
+              favicon: android.graphics.Bitmap?,
+            ) {
+              currentPageUrlRef.set(url)
+            }
+
             override fun onReceivedError(
               view: WebView,
               request: WebResourceRequest,
@@ -90,6 +100,7 @@ fun CanvasScreen(viewModel: MainViewModel, visible: Boolean, modifier: Modifier
             }
 
             override fun onPageFinished(view: WebView, url: String?) {
+              currentPageUrlRef.set(url)
               if (isDebuggable) {
                 Log.d("OpenClawWebView", "onPageFinished: $url")
               }
@@ -122,7 +133,12 @@ fun CanvasScreen(viewModel: MainViewModel, visible: Boolean, modifier: Modifier
             }
           }
 
-        val bridge = CanvasA2UIActionBridge { payload -> viewModel.handleCanvasA2UIActionFromWebView(payload) }
+        val bridge =
+          CanvasA2UIActionBridge(
+            isTrustedPage = { viewModel.isTrustedCanvasActionUrl(currentPageUrlRef.get()) },
+          ) { payload ->
+            viewModel.handleCanvasA2UIActionFromWebView(payload)
+          }
         addJavascriptInterface(bridge, CanvasA2UIActionBridge.interfaceName)
         viewModel.canvas.attach(this)
         webViewRef.value = this
@@ -147,11 +163,15 @@ private fun disableForceDarkIfSupported(settings: WebSettings) {
   WebSettingsCompat.setForceDark(settings, WebSettingsCompat.FORCE_DARK_OFF)
 }
 
-private class CanvasA2UIActionBridge(private val onMessage: (String) -> Unit) {
+private class CanvasA2UIActionBridge(
+  private val isTrustedPage: () -> Boolean,
+  private val onMessage: (String) -> Unit,
+) {
   @JavascriptInterface
   fun postMessage(payload: String?) {
     val msg = payload?.trim().orEmpty()
     if (msg.isEmpty()) return
+    if (!isTrustedPage()) return
     onMessage(msg)
   }
 
 
@@ -0,0 +1,42 @@
+package ai.openclaw.app.node
+
+import org.junit.Assert.assertFalse
+import org.junit.Assert.assertTrue
+import org.junit.Test
+
+class CanvasActionTrustTest {
+  @Test
+  fun acceptsBundledScaffoldAsset() {
+    assertTrue(CanvasActionTrust.isTrustedCanvasActionUrl(CanvasActionTrust.scaffoldAssetUrl, emptyList()))
+  }
+
+  @Test
+  fun acceptsTrustedA2uiPageOnAdvertisedCanvasHost() {
+    assertTrue(
+      CanvasActionTrust.isTrustedCanvasActionUrl(
+        rawUrl = "https://canvas.example.com:9443/__openclaw__/cap/token/__openclaw__/a2ui/?platform=android",
+        trustedA2uiUrls = listOf("https://canvas.example.com:9443/__openclaw__/cap/token/__openclaw__/a2ui/?platform=android"),
+      ),
+    )
+  }
+
+  @Test
+  fun rejectsDifferentOriginEvenIfPathMatches() {
+    assertFalse(
+      CanvasActionTrust.isTrustedCanvasActionUrl(
+        rawUrl = "https://evil.example.com:9443/__openclaw__/cap/token/__openclaw__/a2ui/?platform=android",
+        trustedA2uiUrls = listOf("https://canvas.example.com:9443/__openclaw__/cap/token/__openclaw__/a2ui/?platform=android"),
+      ),
+    )
+  }
+
+  @Test
+  fun rejectsUntrustedCanvasPagePathOnTrustedOrigin() {
+    assertFalse(
+      CanvasActionTrust.isTrustedCanvasActionUrl(
+        rawUrl = "https://canvas.example.com:9443/untrusted/index.html",
+        trustedA2uiUrls = listOf("https://canvas.example.com:9443/__openclaw__/cap/token/__openclaw__/a2ui/?platform=android"),
+      ),
+    )
+  }
+}
@@ -31097,6 +31097,26 @@
       "tags": [],
       "hasChildren": false
     },
+    {
+      "path": "channels.synology-chat.dangerouslyAllowInheritedWebhookPath",
+      "kind": "channel",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "channels.synology-chat.dangerouslyAllowNameMatching",
+      "kind": "channel",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
     {
       "path": "channels.telegram",
       "kind": "channel",
@@ -45733,7 +45753,7 @@
         "storage"
       ],
       "label": "Node Browser Proxy Allowed Profiles",
-      "help": "Optional allowlist of browser profile names exposed through node proxy routing. Leave empty to expose all configured profiles, or use a tight list to enforce least-privilege profile access.",
+      "help": "Optional allowlist of browser profile names exposed through node proxy routing. Leave empty to preserve the default full profile surface, including profile create/delete routes. When set, OpenClaw enforces least-privilege profile access and blocks persistent profile create/delete through the proxy.",
       "hasChildren": true
     },
     {
@@ -46044,7 +46064,7 @@
         "advanced"
       ],
       "label": "Expected acpx Version",
-      "help": "Exact version to enforce (for example 0.1.16) or \"any\" to skip strict version matching.",
+      "help": "Exact version to enforce or \"any\" to skip strict version matching.",
       "hasChildren": false
     },
     {
 
@@ -1,4 +1,4 @@
-{"generatedBy":"scripts/generate-config-doc-baseline.ts","recordType":"meta","totalPaths":5617}
+{"generatedBy":"scripts/generate-config-doc-baseline.ts","recordType":"meta","totalPaths":5619}
 {"recordType":"path","path":"acp","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"ACP","help":"ACP runtime controls for enabling dispatch, selecting backends, constraining allowed agent targets, and tuning streamed turn projection behavior.","hasChildren":true}
 {"recordType":"path","path":"acp.allowedAgents","kind":"core","type":"array","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"ACP Allowed Agents","help":"Allowlist of ACP target agent ids permitted for ACP runtime sessions. Empty means no additional allowlist restriction.","hasChildren":true}
 {"recordType":"path","path":"acp.allowedAgents.*","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
@@ -2804,6 +2804,8 @@
 {"recordType":"path","path":"channels.slack.webhookPath","kind":"channel","type":"string","required":true,"defaultValue":"/slack/events","deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"channels.synology-chat","kind":"channel","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["channels","network"],"label":"Synology Chat","help":"Connect your Synology NAS Chat to OpenClaw with full agent capabilities.","hasChildren":true}
 {"recordType":"path","path":"channels.synology-chat.*","kind":"channel","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"channels.synology-chat.dangerouslyAllowInheritedWebhookPath","kind":"channel","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"channels.synology-chat.dangerouslyAllowNameMatching","kind":"channel","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"channels.telegram","kind":"channel","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["channels","network"],"label":"Telegram","help":"simplest way to get started — register a bot with @BotFather and get going.","hasChildren":true}
 {"recordType":"path","path":"channels.telegram.accounts","kind":"channel","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
 {"recordType":"path","path":"channels.telegram.accounts.*","kind":"channel","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
@@ -4058,7 +4060,7 @@
 {"recordType":"path","path":"models.providers.*.models.*.reasoning","kind":"core","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"nodeHost","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Node Host","help":"Node host controls for features exposed from this gateway node to other nodes or clients. Keep defaults unless you intentionally proxy local capabilities across your node network.","hasChildren":true}
 {"recordType":"path","path":"nodeHost.browserProxy","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["network"],"label":"Node Browser Proxy","help":"Groups browser-proxy settings for exposing local browser control through node routing. Enable only when remote node workflows need your local browser profiles.","hasChildren":true}
-{"recordType":"path","path":"nodeHost.browserProxy.allowProfiles","kind":"core","type":"array","required":false,"deprecated":false,"sensitive":false,"tags":["access","network","storage"],"label":"Node Browser Proxy Allowed Profiles","help":"Optional allowlist of browser profile names exposed through node proxy routing. Leave empty to expose all configured profiles, or use a tight list to enforce least-privilege profile access.","hasChildren":true}
+{"recordType":"path","path":"nodeHost.browserProxy.allowProfiles","kind":"core","type":"array","required":false,"deprecated":false,"sensitive":false,"tags":["access","network","storage"],"label":"Node Browser Proxy Allowed Profiles","help":"Optional allowlist of browser profile names exposed through node proxy routing. Leave empty to preserve the default full profile surface, including profile create/delete routes. When set, OpenClaw enforces least-privilege profile access and blocks persistent profile create/delete through the proxy.","hasChildren":true}
 {"recordType":"path","path":"nodeHost.browserProxy.allowProfiles.*","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"nodeHost.browserProxy.enabled","kind":"core","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["network"],"label":"Node Browser Proxy Enabled","help":"Expose the local browser control server through node proxy routing so remote clients can use this host's browser capabilities. Keep disabled unless remote automation explicitly depends on it.","hasChildren":false}
 {"recordType":"path","path":"plugins","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugins","help":"Plugin system controls for enabling extensions, constraining load scope, configuring entries, and tracking installs. Keep plugin policy explicit and least-privilege in production environments.","hasChildren":true}
@@ -4082,7 +4084,7 @@
 {"recordType":"path","path":"plugins.entries.acpx.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"ACPX Runtime Config","help":"Plugin-defined config payload for acpx.","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.acpx.config.command","kind":"plugin","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"acpx Command","help":"Optional path/command override for acpx (for example /home/user/repos/acpx/dist/cli.js). Leave unset to use plugin-local bundled acpx.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.acpx.config.cwd","kind":"plugin","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Default Working Directory","help":"Default cwd for ACP session operations when not set per session.","hasChildren":false}
-{"recordType":"path","path":"plugins.entries.acpx.config.expectedVersion","kind":"plugin","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Expected acpx Version","help":"Exact version to enforce (for example 0.1.16) or \"any\" to skip strict version matching.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.acpx.config.expectedVersion","kind":"plugin","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Expected acpx Version","help":"Exact version to enforce or \"any\" to skip strict version matching.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.acpx.config.mcpServers","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"MCP Servers","help":"Named MCP server definitions to inject into ACPX-backed session bootstrap. Each entry needs a command and can include args and env.","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.acpx.config.mcpServers.*","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
 {"recordType":"path","path":"plugins.entries.acpx.config.mcpServers.*.args","kind":"plugin","type":"array","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
Original file line number	Diff line number	Diff line change
`@@ -237,6 +237,10 @@ class MainViewModel(app: Application) : AndroidViewModel(app) {`
`237`	`237`	`ensureRuntime().handleCanvasA2UIActionFromWebView(payloadJson)`
`238`	`238`	`}`
`239`	`239`
	`240`	`+ fun isTrustedCanvasActionUrl(rawUrl: String?): Boolean {`
	`241`	`+ return ensureRuntime().isTrustedCanvasActionUrl(rawUrl)`
	`242`	`+ }`
	`243`	`+`
`240`	`244`	`fun requestCanvasRehydrate(source: String = "screen_tab") {`
`241`	`245`	`ensureRuntime().requestCanvasRehydrate(source = source, force = true)`
`242`	`246`	`}`
Original file line number	Diff line number	Diff line change
`@@ -904,6 +904,10 @@ class NodeRuntime(`
`904`	`904`	`}`
`905`	`905`	`}`
`906`	`906`
	`907`	`+ fun isTrustedCanvasActionUrl(rawUrl: String?): Boolean {`
	`908`	`+ return a2uiHandler.isTrustedCanvasActionUrl(rawUrl)`
	`909`	`+ }`
	`910`	`+`
`907`	`911`	`fun loadChat(sessionKey: String) {`
`908`	`912`	`val key = sessionKey.trim().ifEmpty { resolveMainSessionKey() }`
`909`	`913`	`chat.load(key)`