Lobster: add managed TaskFlow mode#61555
Merged
Merged
Conversation
25 tasks
Contributor
Greptile SummaryThis PR adds managed TaskFlow support to the bundled Lobster plugin: a new
Confidence Score: 4/5Mostly safe to merge; one runtime-visible validation gap in the managed resume path can cause silent bad-data forwarding to the runner. Score is 4 rather than 5 because of the P1 missing validation: a caller that triggers managed resume without supplying token/approve will receive a confusing runner-level failure instead of a clear early error, and the type cast hides the gap from TypeScript. extensions/lobster/src/lobster-tool.ts — specifically the managed resume branch and its runnerParams cast. Prompt To Fix All With AIThis is a comment left during a code review.
Path: extensions/lobster/src/lobster-tool.ts
Line: 247-260
Comment:
**Missing validation for `token` and `approve` before managed resume cast**
`parseResumeFlowParams` validates `flowId` and `expectedRevision` but never checks that `token` and `approve` are present in `params`. Because `LobsterRunnerParams` declares both fields as optional, a caller that supplies `flowId` + `flowExpectedRevision` while omitting `token` and `approve` will silently forward `undefined` to the runner under a false type assertion — the type cast on line 250 asserts `token: string; approve: boolean` at the type level while the values remain `undefined` at runtime.
Add an explicit guard before handing off to `resumeManagedLobsterFlow`:
```typescript
if (typeof params.token !== "string" || typeof params.approve !== "boolean") {
throw new Error(
"token and approve are required for managed TaskFlow resume mode"
);
}
```
How can I resolve this? If you propose a fix, please make it concise.
---
This is a comment left during a code review.
Path: extensions/lobster/src/lobster-taskflow.test.ts
Line: 10-52
Comment:
**Duplicated `createFakeTaskFlow` helper**
`createFakeTaskFlow` is defined identically in both `lobster-taskflow.test.ts` (lines 10–52) and `lobster-tool.test.ts` (lines 37–77). If `BoundTaskFlow` gains new methods or the mock shape changes, both copies must be updated in lockstep. Consider extracting it into `extensions/lobster/src/test-helpers.ts` (or an equivalent shared test fixture) and importing from there.
How can I resolve this? If you propose a fix, please make it concise.Reviews (1): Last reviewed commit: "Lobster: add managed TaskFlow mode" | Re-trigger Greptile |
Comment on lines
+247
to
+260
| const result = await resumeManagedLobsterFlow({ | ||
| taskFlow, | ||
| runner, | ||
| runnerParams: runnerParams as LobsterRunnerParams & { | ||
| action: "resume"; | ||
| token: string; | ||
| approve: boolean; | ||
| }, | ||
| flowId: flowParams.flowId, | ||
| expectedRevision: flowParams.expectedRevision, | ||
| ...(flowParams.currentStep ? { currentStep: flowParams.currentStep } : {}), | ||
| ...(flowParams.waitingStep ? { waitingStep: flowParams.waitingStep } : {}), | ||
| }); | ||
| if (!result.ok) { |
Contributor
There was a problem hiding this comment.
token and approve before managed resume cast
parseResumeFlowParams validates flowId and expectedRevision but never checks that token and approve are present in params. Because LobsterRunnerParams declares both fields as optional, a caller that supplies flowId + flowExpectedRevision while omitting token and approve will silently forward undefined to the runner under a false type assertion — the type cast on line 250 asserts token: string; approve: boolean at the type level while the values remain undefined at runtime.
Add an explicit guard before handing off to resumeManagedLobsterFlow:
if (typeof params.token !== "string" || typeof params.approve !== "boolean") {
throw new Error(
"token and approve are required for managed TaskFlow resume mode"
);
}Prompt To Fix With AI
This is a comment left during a code review.
Path: extensions/lobster/src/lobster-tool.ts
Line: 247-260
Comment:
**Missing validation for `token` and `approve` before managed resume cast**
`parseResumeFlowParams` validates `flowId` and `expectedRevision` but never checks that `token` and `approve` are present in `params`. Because `LobsterRunnerParams` declares both fields as optional, a caller that supplies `flowId` + `flowExpectedRevision` while omitting `token` and `approve` will silently forward `undefined` to the runner under a false type assertion — the type cast on line 250 asserts `token: string; approve: boolean` at the type level while the values remain `undefined` at runtime.
Add an explicit guard before handing off to `resumeManagedLobsterFlow`:
```typescript
if (typeof params.token !== "string" || typeof params.approve !== "boolean") {
throw new Error(
"token and approve are required for managed TaskFlow resume mode"
);
}
```
How can I resolve this? If you propose a fix, please make it concise.
Comment on lines
+10
to
+52
| function createFakeTaskFlow(overrides?: Partial<BoundTaskFlow>) { | ||
| const baseFlow = { | ||
| flowId: "flow-1", | ||
| revision: 1, | ||
| syncMode: "managed" as const, | ||
| controllerId: "tests/lobster", | ||
| ownerKey: "agent:main:main", | ||
| status: "running" as const, | ||
| goal: "Run Lobster workflow", | ||
| }; | ||
|
|
||
| const taskFlow: BoundTaskFlow = { | ||
| sessionKey: "agent:main:main", | ||
| createManaged: vi.fn().mockReturnValue(baseFlow), | ||
| get: vi.fn(), | ||
| list: vi.fn().mockReturnValue([]), | ||
| findLatest: vi.fn(), | ||
| resolve: vi.fn(), | ||
| getTaskSummary: vi.fn(), | ||
| setWaiting: vi.fn().mockImplementation((input) => ({ | ||
| applied: true, | ||
| flow: { ...baseFlow, revision: input.expectedRevision + 1, status: "waiting" as const }, | ||
| })), | ||
| resume: vi.fn().mockImplementation((input) => ({ | ||
| applied: true, | ||
| flow: { ...baseFlow, revision: input.expectedRevision + 1, status: "running" as const }, | ||
| })), | ||
| finish: vi.fn().mockImplementation((input) => ({ | ||
| applied: true, | ||
| flow: { ...baseFlow, revision: input.expectedRevision + 1, status: "completed" as const }, | ||
| })), | ||
| fail: vi.fn().mockImplementation((input) => ({ | ||
| applied: true, | ||
| flow: { ...baseFlow, revision: input.expectedRevision + 1, status: "failed" as const }, | ||
| })), | ||
| requestCancel: vi.fn(), | ||
| cancel: vi.fn(), | ||
| runTask: vi.fn(), | ||
| ...overrides, | ||
| }; | ||
|
|
||
| return taskFlow; | ||
| } |
Contributor
There was a problem hiding this comment.
createFakeTaskFlow helper
createFakeTaskFlow is defined identically in both lobster-taskflow.test.ts (lines 10–52) and lobster-tool.test.ts (lines 37–77). If BoundTaskFlow gains new methods or the mock shape changes, both copies must be updated in lockstep. Consider extracting it into extensions/lobster/src/test-helpers.ts (or an equivalent shared test fixture) and importing from there.
Prompt To Fix With AI
This is a comment left during a code review.
Path: extensions/lobster/src/lobster-taskflow.test.ts
Line: 10-52
Comment:
**Duplicated `createFakeTaskFlow` helper**
`createFakeTaskFlow` is defined identically in both `lobster-taskflow.test.ts` (lines 10–52) and `lobster-tool.test.ts` (lines 37–77). If `BoundTaskFlow` gains new methods or the mock shape changes, both copies must be updated in lockstep. Consider extracting it into `extensions/lobster/src/test-helpers.ts` (or an equivalent shared test fixture) and importing from there.
How can I resolve this? If you propose a fix, please make it concise.There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3f0e5f5d05
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Comment on lines
+250
to
+254
| runnerParams: runnerParams as LobsterRunnerParams & { | ||
| action: "resume"; | ||
| token: string; | ||
| approve: boolean; | ||
| }, |
There was a problem hiding this comment.
Validate token/approve before managed resume cast
This cast forces runnerParams to look like it always has token and approve, but parseResumeFlowParams never verifies those fields. A call with action:"resume", flowId, and flowExpectedRevision but missing token/approve will still enter managed mode, call taskFlow.resume, then the runner throws (token required/approve required) and resumeManagedLobsterFlow marks the flow as failed. That turns malformed tool input into a terminal flow mutation instead of a validation error before state changes.
Useful? React with 👍 / 👎.
Comment on lines
+185
to
+189
| return { | ||
| ok: true, | ||
| envelope, | ||
| flow, | ||
| mutation, |
There was a problem hiding this comment.
Fail managed run when flow mutation is rejected
After applyEnvelopeToFlow, this success branch only checks envelope.ok and ignores whether the TaskFlow mutation actually applied. If setWaiting/finish returns { applied: false, code: "revision_conflict" | "not_found" } (for example due to concurrent updates/cancel), the function still reports ok: true, so callers can believe a flow is waiting/completed when the registry state was not updated.
Useful? React with 👍 / 👎.
25 tasks
justuseapen
added a commit
to justuseapen/else-core
that referenced
this pull request
Apr 6, 2026
* refactor: dedupe discord native command auth * docs: add discord native command changelog note * fix(video): queue fal provider jobs * feat(agents): track video generation tasks * fix(discord): short-circuit bound thread self-loop drops * refactor: harden plugin metadata and bundled channel entry seams * test: fold xai extra params coverage into hot lane * fix: ignore unsupported image generation overrides * docs: document channel persisted auth metadata * test(live): prefer google models over big-pickle * Lobster: run workflows in process (openclaw#61523) * Lobster: run workflows in process * docs: note in-process lobster runtime * docs: add lobster changelog attribution * Lobster: add managed TaskFlow mode (openclaw#61555) * test: split inline provider model coverage * docs: update Lobster in-process mode and REM preview tooling * test: speed up nodes camera coverage * fix: defer plugin sync after git switch * test: optimize macos release-to-dev smoke lane * fix(openai): avoid em dashes in gpt-5 overlay (openclaw#61560) * feat(agents): detach video generation completion * feat(video): add runway provider * docs(video): document runway support * fix: clarify dirty dev update error * fix: ignore unsupported video generation overrides * refactor: add metadata-first channel configured-state probes * fix(video): guard active async generation tasks * docs(providers): surface new video provider pages * feat(qa): add live suite runner and harness * feat(qa): improve qa lab debugger ui * fix: restore pnpm check type safety * test: trim slow agent web and lifecycle coverage * fix: restore green checks * fix(qa): stop embedded control ui reload loop * test: reset guest git root before dev update * test: speed up openai tool id preservation replay coverage * fix: restore qa lab config typing * matrix: align bundled channel metadata * docs: note Matrix persisted auth detection * docs: add changelog note for qa lab config fix * refactor(video): share async task status helpers * memory-core: checkpoint mode-first dreaming refactor * Dreaming: simplify sweep flow and add diary surface * docs: rewrite video generation docs for readability * docs(faq): add gpt-5.4 fast mode entry * feat(memory): add Bedrock embedding provider for memory search (openclaw#61547) * feat(memory): add Bedrock embedding provider for memory search Add Amazon Bedrock as a native embedding provider for memory search. Supports Titan Embed Text v1/v2 and Cohere Embed models via AWS SDK. - New embeddings-bedrock.ts: BedrockRuntimeClient + InvokeModel - Auth via AWS default credential chain (same as Bedrock inference) - Auto-selected in 'auto' mode when AWS credentials are detected - Titan V2: configurable dimensions (256/512/1024), normalization - Cohere: native batch support with search_query/search_document types - 16 new tests covering all model types, auth detection, edge cases Closes openclaw#26289 * fix(memory): harden bedrock embedding selection --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org> * docs(openai): clarify gpt-5.4 fast mode * test: speed up models config env provider coverage * test: speed up sanitize session history policy smoke * build: refresh lockfile for control ui deps * refactor: narrow bundled channel entry surfaces * test: speed up sanitize session history coverage * fix: skip old-process config writes after git switch * fix(update): bootstrap pnpm for dev preflight * fix(memory-qmd): restore qmd compatibility defaults * test: speed up image tool auth-heavy coverage * test: seed channel setup contract registry in helper tests * Dreaming: update multiphase stats and UI polish * test: add irc runtime api smoke coverage * feat(bedrock-mantle): add IAM credential auth via @aws/bedrock-token-… (openclaw#61563) * feat(bedrock-mantle): add IAM credential auth via @aws/bedrock-token-generator Mantle previously required a manually-created API key (AWS_BEARER_TOKEN_BEDROCK). This adds automatic bearer token generation from IAM credentials using the official @aws/bedrock-token-generator package. Auth priority: 1. Explicit AWS_BEARER_TOKEN_BEDROCK env var (manual API key from Console) 2. IAM credentials via getTokenProvider() → Bearer token (instance roles, SSO profiles, access keys, EKS IRSA, ECS task roles) Token is cached in memory (1hr TTL, generated with 2hr validity) and in process.env.AWS_BEARER_TOKEN_BEDROCK for downstream sync reads. Falls back gracefully when package is not installed or credentials are unavailable — Mantle provider simply not registered. Closes openclaw#45152 * fix(bedrock-mantle): harden IAM auth --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org> * refactor(update): extract package manager bootstrap logic * feat: add comfy workflow media support * fix: stabilize line and feishu ci shards * feat: add music generation tooling * chore: remove stray finder metadata * docs: document music generation async flow * fix(memory-qmd): streamline compatibility coverage * test: speed up dispatch-from-config thread fallback coverage * docs: improve music generation docs * docs: reorder changelog highlights * fix: skip stale post-switch update follow-ups * test: harden macos release-to-dev smoke verification * fix: route comfy music through shared tool * refactor: remove comfy music tool shim * Gateway: bound websocket shutdown close (openclaw#61565) Merged via squash. Prepared head SHA: 9040dd5 Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Reviewed-by: @mbelinky * Docs: clarify Matrix quiet push rules * memory: chunk daily dreaming ingestion (openclaw#61583) Merged via squash. Prepared head SHA: 88816a0 Co-authored-by: mbelinky <17249097+mbelinky@users.noreply.github.com> Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Reviewed-by: @mbelinky * fix: stop old cli after package-to-git switch * fix(gateway): accept music generation internal events * docs: update unreleased provider notes * fix(agents): keep large read tool results visible * feat: add vydra media provider * fix(agents): ignore unsupported music generation hints * fix(agents): preserve latest read output during compaction * docs: update changelog for read visibility fixes * test: fix current-main prep blockers (openclaw#61582) Merged via squash. Prepared head SHA: 49f7b12 Reviewed-by: @mbelinky * test: use explicit node entrypoint in macos update smoke * fix: exit after package-to-git handoff * fix: prune staged feishu sdk types from npm pack * fix(qa): harden new scenario suite * fix(agents): prefer overflow compaction for fresh reads * perf(auto-reply): lazy-load TTS helpers on demand * test(plugin-sdk): tighten ACP command dispatch guards * docs(web): clarify control ui language picker * test(auto-reply): split ACP and reply-dispatch regressions * memory: trim generic daily chunk headings (openclaw#61597) * memory: trim generic daily chunk headings * docs: tag dreaming heading cleanup changelog * docs: attribute dreaming heading cleanup changelog * fix(cli): narrow post-update root * fix(ui): localize control ui strings * Lobster: harden embedded runtime integration (openclaw#61566) Merged via squash. Prepared head SHA: a6f4830 Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Reviewed-by: @mbelinky * fix(matrix): reuse raw default account key during onboarding promotion * fix: unblock comfy live plugin loading * fix(agents): extend subagent announce timeout * fix(agents): carry async media wake attachments structurally * fix(tasks): hide internal completion wake rows * test(auto-reply): isolate reply abort dispatch seams * test: fix reply dispatch mock contract * fix(ui): localize more control ui strings * fix: deliver async media generation results directly * perf(test): trim send-policy and abort hot paths * perf(agents): isolate subagent announce origin helper * fix(discord): raise default media cap * Matrix: recover from pinned dispatcher runtime failures (openclaw#61595) Merged via squash. Prepared head SHA: f9a2d9b Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Reviewed-by: @gumadeiras * fix: harden async media completion delivery * fix: gate async media direct delivery behind config * docs: add changelog note for async media delivery flag * perf(test): trim announce and sessions tool imports * fix: resolve global bundled plugin facade fallback (openclaw#61297) (thanks @openperf) * fix(gateway): resolve globally-installed bundled plugins in facade-runtime * fix: resolve global bundled plugin facade fallback (openclaw#61297) (thanks @openperf) --------- Co-authored-by: Ayaan Zaidi <hi@obviy.us> * chore: prepare 2026.4.6-beta.1 release * style: trim facade fallback comment noise * test: stabilize browser and provider ci shards * fix: restore latest-main ci gates * (chore): delete dream-diary-preview file * perf(test): trim runReplyAgent misc mock imports * fix(ci): harden control ui locale refresh rebases * Matrix: clear undici test override after transport test * chore(ui): refresh zh-CN control ui locale * chore(ui): refresh pt-BR control ui locale * chore(ui): refresh zh-TW control ui locale * chore(ui): refresh de control ui locale * fix: support corepack cmd shim on windows * test: add windows dev-update smoke lanes * chore(ui): refresh es control ui locale * chore(ui): refresh ja-JP control ui locale * chore(ui): refresh ko control ui locale * chore(ui): refresh fr control ui locale * test: capture windows npm debug tails in smoke logs * chore(ui): refresh tr control ui locale * chore(ui): refresh uk control ui locale * chore(ui): refresh id control ui locale * chore(ui): refresh pl control ui locale * fix: restore plugin boundary and ui locale ci gates * fix(ci): stabilize control ui locale checks * chore: release 2026.4.5 * perf(test): split subagent command coverage * fix(ci): patch main regression surfaces * fix: install bun in npm release preflight * test: fix subagent command result assertions * perf(test): split allowlist and models command coverage * fix(openai): allow qa image generation mock routing * feat(qa): execute ten new repo-backed scenarios * fix(matrix): harden startup auth bootstrap (openclaw#61383) Merged via squash. Prepared head SHA: d8011a9 Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Reviewed-by: @gumadeiras * Docs: clarify Matrix autoJoin invite scope * fix(discord): narrow binding runtime imports * fix: stabilize contract loader seams * test: tighten allowlist fixture typing * fix(qa): support image understanding inputs * feat(qa): add attachment understanding scenario * docs(matrix): clarify historyLimit default * feat(memory-wiki): restore llm wiki stack * chore: update appcast for 2026.4.5 * perf(test): split reply command coverage * perf(reply): lazy load compact runtime * refactor(reply): extract subagent text helper * style(reply): normalize subagent import order * fix: restore protocol and extension ci * chore: bump version to 2026.4.6 * fix(config): normalize channel streaming config shape (openclaw#61381) * feat(config): add canonical streaming config helpers * refactor(runtime): prefer canonical streaming accessors * feat(config): normalize preview channel streaming shape * test(config): lock streaming normalization followups * fix(config): polish streaming migration edges * chore(config): refresh streaming baseline hash * docs(memory): add promote-explain and rem-harness CLI reference * build: refresh pnpm lockfile * fix: stop emitting post-background exec updates (openclaw#61627) (thanks @openperf) * fix(exec ): stop emitting tool updates after session is backgrounded When an exec session is backgrounded (background: true), the owning agent run resolves its tool-call promise and may finish. The stdout handler's emitUpdate() closure, however, kept invoking opts.onUpdate(), delivering tool_execution_update events to a listener whose active run had already ended. This surfaced as an unhandled rejection and crashed the gateway process. Guard emitUpdate() with a session.backgrounded || session.exited check so that post-background output is still captured via appendOutput() but no longer forwarded to the (now-stale) agent-loop callback. Fixes openclaw#61592 * style: trim exec backgrounding comments * fix: stop emitting post-background exec updates (openclaw#61627) (thanks @openperf) * fix: place exec changelog entry at end of fixes (openclaw#61627) (thanks @openperf) --------- Co-authored-by: Ayaan Zaidi <hi@obviy.us> * test(memory-core): align dreaming expectations * test(memory-wiki): share plugin test helpers * test(memory-core): share workspace test helper * test(memory-core): reuse narrative workspace helper * test(plugin-sdk): share temp dir test helper * test(plugin-sdk): reuse temp dir helpers in facade tests * test(memory-core): reuse workspace helper in dreaming tests * perf(agents): add continuation-skip context injection (openclaw#61268) * test(agents): cover continuation bootstrap reuse * perf(agents): add continuation-skip context injection * docs(changelog): note context injection reuse * perf(agents): bound continuation bootstrap scan * fix(agents): require full bootstrap proof for continuation skip * fix(agents): decide continuation skip under lock * fix(commands): re-export subagent chat message type * fix(agents): clean continuation rebase leftovers * test(memory-core): reuse workspace helper in temp dir tests * docs: add contextInjection config key to reference * test(scripts): share temp dir helpers * test(scripts): reuse temp dir helpers in runtime tests * test(scripts): reuse temp dir helpers in repo fixtures * test(scripts): add async temp dir helper * fix: restore main ci type checks * test(root): reuse temp repo helper in clawhub release tests * test(root): clean up pre-commit temp repos * fix(matrix): pass deviceId through health probe to prevent storage-meta overwrite (openclaw#61317) (openclaw#61581) Merged via squash. Prepared head SHA: b0495dc Co-authored-by: MoerAI <26067127+MoerAI@users.noreply.github.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Reviewed-by: @gumadeiras * test(root): share temp dir helper across root tests * test(root): reuse temp dir helper in scoped vitest config * test(root): reuse temp dir helper in launcher e2e * test(tooling): reuse temp dir helpers in script tests * test(unit): reuse temp dir helper in install-sh version tests * test: reset telegram dispatch mocks between cases * test(plugins): reuse tracked temp helpers in runtime staging tests * test(plugins): reuse tracked temp helpers in path resolution tests * test(plugins): reuse tracked temp helpers in fixture tests * test(plugins): share async temp helpers in marketplace tests * test(plugins): reuse tracked temp helpers in loader fixture tests * test(plugins): share suite temp root helper in install path tests * test(plugins): reuse suite temp root helper in install fixture tests * test(plugins): reuse tracked temp helpers in package contract tests * test(plugins): reuse suite temp helper in bundle contract test * test(infra): reuse shared temp dir helpers in small file tests * test(infra): reuse temp dir helper in utility file tests * test(infra): reuse temp dir helper in run-node tests * test(infra): reuse temp dir helpers in install source tests * test(infra): reuse temp dir helper in install path safety tests * perf(test): split reply command coverage * perf(test): trim subagent command imports * test: remove legacy commands monolith * test(infra): reuse temp dir helper in node path tests * test(infra): reuse temp dir helper in state and watch tests * test(infra): reuse temp dir helper in sentinel and provider tests * test(infra): share temp dir cleanup in git metadata tests * test(infra): share tracked temp dirs in apns tests * test(infra): reuse temp dir helper in fs safety tests * test(infra): reuse temp dir helper in update status tests * test(infra): share sync temp dir helper in approval tests * test(infra): share suite temp root tracker in infra tests * test(infra): reuse suite temp root tracker in update tests * test(infra): reuse suite temp root tracker in provider auth tests * test(infra): reuse suite temp root tracker in install tests * test(infra): reuse suite temp root tracker in startup checks * test(infra): reuse temp dir helper in global update tests * test(infra): reuse temp dir helper in clawhub tests * test(core): reuse shared temp dir helpers in utils tests * test(infra): reuse temp dir helper in node pairing tests * test(infra): reuse suite temp root tracker in device pairing tests * test(core): reuse shared temp dir helper in logger tests * test(e2e): reuse suite temp root tracker in docker setup tests * test(infra): reuse suite temp root tracker in session cost tests * test(config): reuse temp dir helper in config surface tests * test(config): reuse temp dir helper in disk budget tests * test(config): share session test fixture helper * test(config): reuse suite temp root tracker in session key normalization tests * test(config): reuse suite temp root tracker in store pruning integration tests * test(config): reuse shared temp dir helpers in sessions tests * test(config): reuse shared temp dir helper in store read tests * perf(test): split subagent command coverage * perf(test): trim secrets runtime coverage * perf(test): split extra params resolver coverage * fix(anthropic): restore OAuth guard in service-tier stream wrappers (openclaw#60356) Merged via squash. Prepared head SHA: 7d58bef Co-authored-by: openperf <80630709+openperf@users.noreply.github.com> Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com> Reviewed-by: @jalehman * perf(test): split extra params wrapper coverage * perf(secrets): trim runtime import walls * perf(test): split security audit coverage * refactor: dedupe plugin and outbound helpers * refactor: share gateway auth and approval helpers * refactor: share command config resolution * refactor: consolidate status reporting helpers * fix: resolve upstream sync conflicts (branding, firecrawl, lockfile) Resolve 7 merge conflicts from sync/upstream-2026-04-06 (v2026.4.5): - pnpm-lock.yaml: keep our platform-channel + upstream's qa-channel/qa-lab - app-render.ts: add upstream session-key imports, deduplicate agentLogoUrl - control-ui-bootstrap.ts: keep our branding (resolveUiBrand, title, agentId) - control-ui-bootstrap.test.ts: keep our test expectations + upstream null checks - schema.base.generated.ts: keep our Firecrawl + profile config entries - schema.labels.ts: keep our Firecrawl + profile labels Includes CVE-2026-33579 fix (callerScopes in /pair approve handler). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Peter Steinberger <steipete@gmail.com> Co-authored-by: Gustavo Madeira Santana <gumadeiras@gmail.com> Co-authored-by: Mariano <132747814+mbelinky@users.noreply.github.com> Co-authored-by: Vincent Koc <vincentkoc@ieee.org> Co-authored-by: Vignesh Natarajan <vignesh.natarajan92@gmail.com> Co-authored-by: wirjo <daniel@wirjo.com> Co-authored-by: Mariano <mbelinky@gmail.com> Co-authored-by: mbelinky <17249097+mbelinky@users.noreply.github.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Co-authored-by: Chunyue Wang <80630709+openperf@users.noreply.github.com> Co-authored-by: Ayaan Zaidi <hi@obviy.us> Co-authored-by: Vignesh <mailvgnsh@gmail.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: ToToKr <friendnt@g.skku.edu> Co-authored-by: MoerAI <26067127+MoerAI@users.noreply.github.com> Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Caocaoha
added a commit
to Caocaoha/openclaw
that referenced
this pull request
Apr 8, 2026
* feat(memory-wiki): add import gateway methods * feat(memory-wiki): add shared memory search bridge * feat(memory-wiki): add prompt supplement integration * feat(memory-wiki): surface imported source provenance * feat(memory-wiki): lint imported provenance gaps * feat(memory-wiki): allow per-call search corpus overrides * feat(memory-core): bridge wiki corpus into memory tools * feat(memory-wiki): compile related backlinks blocks * docs(memory-wiki): prefer shared corpus recall guidance * docs(memory-wiki): document shared recall and backlinks * feat(memory-wiki): generate dashboard report pages * test: isolate exec approval suite from bundled plugins * fix(sandbox): harden EXDEV rename fallback * Gateway: keep outbound session metadata in owner store * revert(memory-wiki): back out llm wiki stack * fix: align models status provider auth reporting * fix(ci): narrow control ui locale refresh push runs * style: format remaining local edits * fix: prevent duplicate block reply delivery for text_end channels (openclaw#61530) * fix(gateway): bound silent local pairing scopes * fix: resolve repo check drift * fix: clean rebase leftovers * test: isolate agent runtime seams * docs: refine unreleased changelog * feat(video): add xai and alibaba providers * Revert "fix(gateway): bound silent local pairing scopes" This reverts commit 7f1b159. * fix(build): correct node require typing * docs(security): clarify localhost shared-auth trust model * refactor: move browser runtime seams behind plugin metadata * test: speed up provider policy and auth suites * Memory: move dreaming trail to dreams.md (openclaw#61537) * Memory: move dreaming trail to dreams.md * docs(changelog): add dreams.md entry --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org> * fix(ci): stabilize ui i18n and gateway watch checks * docs(providers): add generation setup pages * docs(providers): link generation guides * feat: add qa channel foundation * refactor: hide qa channels with exposure metadata * feat: add qa lab extension * chore: polish qa lab follow-ups * feat(qa): recreate qa lab docker stack * fix(qa): restore embedded control ui gateway startup * fix(qa): stabilize docker gateway bootstrap * feat(qa): add repo-backed qa suite runner * fix(qa): stabilize hermetic suite runtime * fix(matrix): split partial and quiet preview streaming (openclaw#61450) Merged via squash. Prepared head SHA: 6a0d7d1 Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Reviewed-by: @gumadeiras * docs(providers): unify qwen docs * fix(matrix): honor canonical private-network opt-in * fix(matrix): restore cli metadata registrar * test(matrix): isolate migration snapshot seam * fix: prevent duplicate gateway watchers * feat(memory-core): add REM preview and safe promotion replay (openclaw#61540) * memory: add REM preview and safe promotion replay thanks @mbelinky * changelog: note REM preview and promotion replay --------- Co-authored-by: Vignesh <mailvgnsh@gmail.com> * test: fix abort cascade and workspace edit inputs * refactor: harden plugin metadata and browser sdk seams * fix(memory-core): preserve dated DREAMS trail * docs(memory): point dreaming trail docs to dreams.md * fix(memory): standardize DREAMS trail path * fix(google): restore gemini cli provider contract * test(contracts): drop removed claude cli auth export * test(config): align markdown tables with active registry * style(tests): normalize registry mock wrapping * fix: normalize video provider durations * fix: harden video provider transports * fix: honor discord allowlisted channels for native commands * fix: bootstrap pnpm for git updates * docs: add tahoe release-to-dev smoke lane * test: isolate openclaw plugin context coverage * test: stabilize subagent persistence registry coverage * test: isolate gateway tool coverage * fix: surface normalized video durations * fix(google): restore forward-compat provider hooks * test(config): fix markdown table mock typing * test: drop redundant openai extra params coverage * refactor: dedupe discord native command auth * docs: add discord native command changelog note * fix(video): queue fal provider jobs * feat(agents): track video generation tasks * fix(discord): short-circuit bound thread self-loop drops * refactor: harden plugin metadata and bundled channel entry seams * test: fold xai extra params coverage into hot lane * fix: ignore unsupported image generation overrides * docs: document channel persisted auth metadata * test(live): prefer google models over big-pickle * Lobster: run workflows in process (openclaw#61523) * Lobster: run workflows in process * docs: note in-process lobster runtime * docs: add lobster changelog attribution * Lobster: add managed TaskFlow mode (openclaw#61555) * test: split inline provider model coverage * docs: update Lobster in-process mode and REM preview tooling * test: speed up nodes camera coverage * fix: defer plugin sync after git switch * test: optimize macos release-to-dev smoke lane * fix(openai): avoid em dashes in gpt-5 overlay (openclaw#61560) * feat(agents): detach video generation completion * feat(video): add runway provider * docs(video): document runway support * fix: clarify dirty dev update error * fix: ignore unsupported video generation overrides * refactor: add metadata-first channel configured-state probes * fix(video): guard active async generation tasks * docs(providers): surface new video provider pages * feat(qa): add live suite runner and harness * feat(qa): improve qa lab debugger ui * fix: restore pnpm check type safety * test: trim slow agent web and lifecycle coverage * fix: restore green checks * fix(qa): stop embedded control ui reload loop * test: reset guest git root before dev update * test: speed up openai tool id preservation replay coverage * fix: restore qa lab config typing * matrix: align bundled channel metadata * docs: note Matrix persisted auth detection * docs: add changelog note for qa lab config fix * refactor(video): share async task status helpers * memory-core: checkpoint mode-first dreaming refactor * Dreaming: simplify sweep flow and add diary surface * docs: rewrite video generation docs for readability * docs(faq): add gpt-5.4 fast mode entry * feat(memory): add Bedrock embedding provider for memory search (openclaw#61547) * feat(memory): add Bedrock embedding provider for memory search Add Amazon Bedrock as a native embedding provider for memory search. Supports Titan Embed Text v1/v2 and Cohere Embed models via AWS SDK. - New embeddings-bedrock.ts: BedrockRuntimeClient + InvokeModel - Auth via AWS default credential chain (same as Bedrock inference) - Auto-selected in 'auto' mode when AWS credentials are detected - Titan V2: configurable dimensions (256/512/1024), normalization - Cohere: native batch support with search_query/search_document types - 16 new tests covering all model types, auth detection, edge cases Closes openclaw#26289 * fix(memory): harden bedrock embedding selection --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org> * docs(openai): clarify gpt-5.4 fast mode * test: speed up models config env provider coverage * test: speed up sanitize session history policy smoke * build: refresh lockfile for control ui deps * refactor: narrow bundled channel entry surfaces * test: speed up sanitize session history coverage * fix: skip old-process config writes after git switch * fix(update): bootstrap pnpm for dev preflight * fix(memory-qmd): restore qmd compatibility defaults * test: speed up image tool auth-heavy coverage * test: seed channel setup contract registry in helper tests * Dreaming: update multiphase stats and UI polish * test: add irc runtime api smoke coverage * feat(bedrock-mantle): add IAM credential auth via @aws/bedrock-token-… (openclaw#61563) * feat(bedrock-mantle): add IAM credential auth via @aws/bedrock-token-generator Mantle previously required a manually-created API key (AWS_BEARER_TOKEN_BEDROCK). This adds automatic bearer token generation from IAM credentials using the official @aws/bedrock-token-generator package. Auth priority: 1. Explicit AWS_BEARER_TOKEN_BEDROCK env var (manual API key from Console) 2. IAM credentials via getTokenProvider() → Bearer token (instance roles, SSO profiles, access keys, EKS IRSA, ECS task roles) Token is cached in memory (1hr TTL, generated with 2hr validity) and in process.env.AWS_BEARER_TOKEN_BEDROCK for downstream sync reads. Falls back gracefully when package is not installed or credentials are unavailable — Mantle provider simply not registered. Closes openclaw#45152 * fix(bedrock-mantle): harden IAM auth --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org> * refactor(update): extract package manager bootstrap logic * feat: add comfy workflow media support * fix: stabilize line and feishu ci shards * feat: add music generation tooling * chore: remove stray finder metadata * docs: document music generation async flow * fix(memory-qmd): streamline compatibility coverage * test: speed up dispatch-from-config thread fallback coverage * docs: improve music generation docs * docs: reorder changelog highlights * fix: skip stale post-switch update follow-ups * test: harden macos release-to-dev smoke verification * fix: route comfy music through shared tool * refactor: remove comfy music tool shim * Gateway: bound websocket shutdown close (openclaw#61565) Merged via squash. Prepared head SHA: 9040dd5 Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Reviewed-by: @mbelinky * Docs: clarify Matrix quiet push rules * memory: chunk daily dreaming ingestion (openclaw#61583) Merged via squash. Prepared head SHA: 88816a0 Co-authored-by: mbelinky <17249097+mbelinky@users.noreply.github.com> Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Reviewed-by: @mbelinky * fix: stop old cli after package-to-git switch * fix(gateway): accept music generation internal events * docs: update unreleased provider notes * fix(agents): keep large read tool results visible * feat: add vydra media provider * fix(agents): ignore unsupported music generation hints * fix(agents): preserve latest read output during compaction * docs: update changelog for read visibility fixes * test: fix current-main prep blockers (openclaw#61582) Merged via squash. Prepared head SHA: 49f7b12 Reviewed-by: @mbelinky * test: use explicit node entrypoint in macos update smoke * fix: exit after package-to-git handoff * fix: prune staged feishu sdk types from npm pack * fix(qa): harden new scenario suite * fix(agents): prefer overflow compaction for fresh reads * perf(auto-reply): lazy-load TTS helpers on demand * test(plugin-sdk): tighten ACP command dispatch guards * docs(web): clarify control ui language picker * test(auto-reply): split ACP and reply-dispatch regressions * memory: trim generic daily chunk headings (openclaw#61597) * memory: trim generic daily chunk headings * docs: tag dreaming heading cleanup changelog * docs: attribute dreaming heading cleanup changelog * fix(cli): narrow post-update root * fix(ui): localize control ui strings * Lobster: harden embedded runtime integration (openclaw#61566) Merged via squash. Prepared head SHA: a6f4830 Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Reviewed-by: @mbelinky * fix(matrix): reuse raw default account key during onboarding promotion * fix: unblock comfy live plugin loading * fix(agents): extend subagent announce timeout * fix(agents): carry async media wake attachments structurally * fix(tasks): hide internal completion wake rows * test(auto-reply): isolate reply abort dispatch seams * test: fix reply dispatch mock contract * fix(ui): localize more control ui strings * fix: deliver async media generation results directly * perf(test): trim send-policy and abort hot paths * perf(agents): isolate subagent announce origin helper * fix(discord): raise default media cap * Matrix: recover from pinned dispatcher runtime failures (openclaw#61595) Merged via squash. Prepared head SHA: f9a2d9b Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Reviewed-by: @gumadeiras * fix: harden async media completion delivery * fix: gate async media direct delivery behind config * docs: add changelog note for async media delivery flag * perf(test): trim announce and sessions tool imports * fix: resolve global bundled plugin facade fallback (openclaw#61297) (thanks @openperf) * fix(gateway): resolve globally-installed bundled plugins in facade-runtime * fix: resolve global bundled plugin facade fallback (openclaw#61297) (thanks @openperf) --------- Co-authored-by: Ayaan Zaidi <hi@obviy.us> * chore: prepare 2026.4.6-beta.1 release * style: trim facade fallback comment noise * test: stabilize browser and provider ci shards * fix: restore latest-main ci gates * (chore): delete dream-diary-preview file * perf(test): trim runReplyAgent misc mock imports * fix(ci): harden control ui locale refresh rebases * Matrix: clear undici test override after transport test * chore(ui): refresh zh-CN control ui locale * chore(ui): refresh pt-BR control ui locale * chore(ui): refresh zh-TW control ui locale * chore(ui): refresh de control ui locale * fix: support corepack cmd shim on windows * test: add windows dev-update smoke lanes * chore(ui): refresh es control ui locale * chore(ui): refresh ja-JP control ui locale * chore(ui): refresh ko control ui locale * chore(ui): refresh fr control ui locale * test: capture windows npm debug tails in smoke logs * chore(ui): refresh tr control ui locale * chore(ui): refresh uk control ui locale * chore(ui): refresh id control ui locale * chore(ui): refresh pl control ui locale * fix: restore plugin boundary and ui locale ci gates * fix(ci): stabilize control ui locale checks * chore: release 2026.4.5 * perf(test): split subagent command coverage * fix(ci): patch main regression surfaces * fix: install bun in npm release preflight * test: fix subagent command result assertions * perf(test): split allowlist and models command coverage * fix(openai): allow qa image generation mock routing * feat(qa): execute ten new repo-backed scenarios * fix(matrix): harden startup auth bootstrap (openclaw#61383) Merged via squash. Prepared head SHA: d8011a9 Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Reviewed-by: @gumadeiras * Docs: clarify Matrix autoJoin invite scope * fix(discord): narrow binding runtime imports * fix: stabilize contract loader seams * test: tighten allowlist fixture typing * fix(qa): support image understanding inputs * feat(qa): add attachment understanding scenario * docs(matrix): clarify historyLimit default * feat(memory-wiki): restore llm wiki stack * chore: update appcast for 2026.4.5 * perf(test): split reply command coverage * perf(reply): lazy load compact runtime * refactor(reply): extract subagent text helper * style(reply): normalize subagent import order * fix: restore protocol and extension ci * chore: bump version to 2026.4.6 * fix(config): normalize channel streaming config shape (openclaw#61381) * feat(config): add canonical streaming config helpers * refactor(runtime): prefer canonical streaming accessors * feat(config): normalize preview channel streaming shape * test(config): lock streaming normalization followups * fix(config): polish streaming migration edges * chore(config): refresh streaming baseline hash * docs(memory): add promote-explain and rem-harness CLI reference * build: refresh pnpm lockfile * fix: stop emitting post-background exec updates (openclaw#61627) (thanks @openperf) * fix(exec ): stop emitting tool updates after session is backgrounded When an exec session is backgrounded (background: true), the owning agent run resolves its tool-call promise and may finish. The stdout handler's emitUpdate() closure, however, kept invoking opts.onUpdate(), delivering tool_execution_update events to a listener whose active run had already ended. This surfaced as an unhandled rejection and crashed the gateway process. Guard emitUpdate() with a session.backgrounded || session.exited check so that post-background output is still captured via appendOutput() but no longer forwarded to the (now-stale) agent-loop callback. Fixes openclaw#61592 * style: trim exec backgrounding comments * fix: stop emitting post-background exec updates (openclaw#61627) (thanks @openperf) * fix: place exec changelog entry at end of fixes (openclaw#61627) (thanks @openperf) --------- Co-authored-by: Ayaan Zaidi <hi@obviy.us> * test(memory-core): align dreaming expectations * test(memory-wiki): share plugin test helpers * test(memory-core): share workspace test helper * test(memory-core): reuse narrative workspace helper * test(plugin-sdk): share temp dir test helper * test(plugin-sdk): reuse temp dir helpers in facade tests * test(memory-core): reuse workspace helper in dreaming tests * perf(agents): add continuation-skip context injection (openclaw#61268) * test(agents): cover continuation bootstrap reuse * perf(agents): add continuation-skip context injection * docs(changelog): note context injection reuse * perf(agents): bound continuation bootstrap scan * fix(agents): require full bootstrap proof for continuation skip * fix(agents): decide continuation skip under lock * fix(commands): re-export subagent chat message type * fix(agents): clean continuation rebase leftovers * test(memory-core): reuse workspace helper in temp dir tests * docs: add contextInjection config key to reference * feat(gateway): preserve session history on /new command Backend changes for session sidebar feature: - session.ts: create compound key entry for old session when /new triggered - agent.ts: pass preserveHistory=true to session reset - session-reset-service.ts: add file reuse optimization for preserved sessions - types.ts: add previousSessionKey field to SessionEntry - session-utils.ts: add compound key support in session key resolution This enables the UI to show previous sessions in sidebar while preserving complete chat history for archived sessions. --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org> Co-authored-by: Peter Steinberger <steipete@gmail.com> Co-authored-by: Gustavo Madeira Santana <gumadeiras@gmail.com> Co-authored-by: Tyler Yust <64381258+tyler6204@users.noreply.github.com> Co-authored-by: Dave Morin <dave@morin.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Co-authored-by: Mariano <132747814+mbelinky@users.noreply.github.com> Co-authored-by: Vignesh <mailvgnsh@gmail.com> Co-authored-by: Vignesh Natarajan <vignesh.natarajan92@gmail.com> Co-authored-by: wirjo <daniel@wirjo.com> Co-authored-by: Mariano <mbelinky@gmail.com> Co-authored-by: mbelinky <17249097+mbelinky@users.noreply.github.com> Co-authored-by: Chunyue Wang <80630709+openperf@users.noreply.github.com> Co-authored-by: Ayaan Zaidi <hi@obviy.us> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: OpenClaw Agent <caoha@openclaw.ai>
lovewanwan
pushed a commit
to lovewanwan/openclaw
that referenced
this pull request
Apr 28, 2026
ogt-redknie
pushed a commit
to ogt-redknie/OPENX
that referenced
this pull request
May 2, 2026
github-actions Bot
pushed a commit
to Desicool/openclaw
that referenced
this pull request
May 9, 2026
github-actions Bot
pushed a commit
to Desicool/openclaw
that referenced
this pull request
May 24, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
src/tasks/**,src/plugins/runtime/**, or Lobster core itself; this stays insideextensions/lobster.Change Type (select all)
Scope (select all touched areas)
Linked Issue/PR
Root Cause / Regression History (if applicable)
git blame, prior PR, issue, or refactor if known): this is the planned follow-up to Lobster: run workflows in process #61523.Regression Test Plan (if applicable)
extensions/lobster/src/lobster-taskflow.test.tsextensions/lobster/src/lobster-tool.test.tsextensions/lobster/src/lobster-runner.test.tscovers the embedded runner, but not managed TaskFlow mode.User-visible / Behavior Changes
lobstertool can now optionally create a managed TaskFlow when called with flow parameters.lobstertool can now optionally resume an existing managed TaskFlow when called with flow id and revision parameters.Diagram (if applicable)
Security Impact (required)
Yes/No) NoYes/No) NoYes/No) NoYes/No) YesYes/No) NoYes, explain risk + mitigation:Repro + Verification
Environment
Steps
Expected
Actual
Evidence
Human Verification (required)
pnpm buildin this replacement worktree because currentmaintest noise is outside Lobster and the changed surface was already covered on the earlier server-tested stackReview Conversations
Compatibility / Migration
Yes/No) YesYes/No) NoYes/No) NoRisks and Mitigations
Risk:
Risk:
extensions/lobster/src/lobster-taskflow.tsnormalizes approval items into JSON-safe values before storing them inwaitJsonAI Assistance