Skip to content

Persist Copilot SDK session bindings#88064

Merged
steipete merged 3 commits into
mainfrom
fix/copilot-sdk-session-persistence
May 29, 2026
Merged

Persist Copilot SDK session bindings#88064
steipete merged 3 commits into
mainfrom
fix/copilot-sdk-session-persistence

Conversation

@steipete

@steipete steipete commented May 29, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

  • persist Copilot SDK session bindings in the trusted plugin-state SQLite store
  • resume stored SDK sessions only when the current compatibility fingerprint matches provider, model, cwd, resolved agent id, resolved Copilot home, and auth identity
  • make plugin-state lookup/register/delete failures non-fatal, with stale-row invalidation and reset tombstones to preserve reset semantics
  • route QQBot token fetches through the plugin SDK SSRF guard with debug capture disabled for the secret-bearing token POST

Verification

  • pnpm test extensions/copilot/harness.test.ts extensions/copilot/index.test.ts -- --run
  • pnpm test extensions/qqbot/src/engine/api/token.test.ts extensions/copilot/harness.test.ts extensions/copilot/index.test.ts -- --run
  • pnpm test extensions/qqbot/src/engine/api/token.test.ts -- --run
  • pnpm run lint:tmp:no-raw-channel-fetch
  • pnpm check:changed via Blacksmith Testbox tbx_01kst9fwjmsfzwaxqatszcbf40
  • .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main --prompt 'Review final rebased Copilot SDK session persistence and QQBot token guarded-fetch patch after adding capture:false for the token secret POST. Focus on concrete regressions in session binding/reset behavior, token lifetime handling, secret capture, release/error behavior, and tests. Reject speculative broad rewrites.'
  • local live Copilot smoke with temp config: first turn returned COPILOT-FINAL-TURN-1; second turn on the same OpenClaw session returned COPILOT-FINAL-TURN-1:TURN-2; both turns reported the same Copilot SDK session id and the plugin-state SQLite row stored the binding under copilot / sdk-sessions

Real behavior proof

Behavior addressed: Copilot harness sessions now survive separate OpenClaw process turns by persisting the GitHub Copilot SDK session id.
Real environment tested: Local OpenClaw CLI with github-copilot/gpt-5.5, Copilot harness, temp OpenClaw config/state, logged-in Copilot auth.
Exact steps or command run after this patch: pnpm openclaw agent --local --agent main --session-key copilot-final-smoke --message ... --json --timeout 180 twice against the same temp config/state.
Evidence after fix: Turn 1 returned COPILOT-FINAL-TURN-1; turn 2 returned COPILOT-FINAL-TURN-1:TURN-2; both runs reported the same SDK session id 888fca86-46be-417f-9547-022eded3383c and the SQLite plugin-state row stored that id.
Observed result after fix: The second process resumed the persisted Copilot SDK session instead of creating an unrelated SDK session.
What was not tested: Cross-machine Copilot SDK session portability and corrupt-on-disk SQLite recovery beyond mocked plugin-state failures.

@clawsweeper

clawsweeper Bot commented May 29, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Codex review: needs real behavior proof before merge. Reviewed May 29, 2026, 12:29 PM ET / 16:29 UTC.

Summary
The PR persists Copilot SDK session bindings in plugin-state SQLite and changes QQBot token acquisition to use the plugin SDK SSRF-guarded fetch path.

PR surface: Source +135, Tests +341. Total +476 across 6 files.

Reproducibility: yes. from source: current main only keeps Copilot SDK session IDs in the in-memory trackedSessions map, so a fresh harness or process has no stored SDK session to resume. The PR body also reports a live two-turn Copilot smoke after the patch.

Review metrics: 1 noteworthy metric.

  • Durable plugin-state surface: 1 added namespace: sdk-sessions, 90-day TTL, maxEntries 5000. This is new persisted session-state behavior, so reset, expiry, and upgrade semantics need review beyond ordinary unit tests.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🦪 silver shellfish
Patch quality: 🧂 unranked krab
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Preserve current-main QQBot token expiry validation and tests while adding fetchWithSsrFGuard.
  • Make Copilot reset invalidation durable across a fresh harness or process after plugin-state delete failure.
  • [P1] Add redacted real QQBot token-fetch proof, or have a maintainer explicitly override that proof gap.

Proof guidance:

  • [P1] Needs stronger real behavior proof before merge: The PR body gives solid after-fix live Copilot proof, but the later QQBot token-fetch guard has only test/check proof and no redacted real runtime evidence or maintainer override. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

  • [P1] Durable Copilot SDK session persistence changes session-state lifetime across OpenClaw process restarts; reset must not accidentally resume a stale SQLite binding after a reset delete failure and restart.
  • [P1] The QQBot token-fetch guard is based across a current-main token-expiry validation change; the final merge must preserve both the SSRF guard and bounded expires_in handling.

Maintainer options:

  1. Fix reset durability and rebase QQBot (recommended)
    Persist or otherwise carry reset invalidation across harness/process restarts, then rebase the QQBot SSRF guard while preserving resolveTokenExpiresInSeconds and its unsafe expires_in tests.
  2. Accept only with explicit reset semantics
    Maintainers could intentionally accept best-effort reset behavior only if they document that plugin-state delete failure may leave a resumable Copilot SDK session until the row expires.
  3. Split the incidental QQBot change
    If the conflict repair keeps expanding, split the QQBot SSRF guard into a separate current-main PR and keep this PR focused on Copilot session persistence.
Copy recommended automerge instruction 
@clawsweeper automerge

Special instructions:
Persist Copilot reset invalidation across harness/process boundaries or make stale bindings impossible to resume after a failed durable delete, add a fresh-harness regression test for that case, and rebase the QQBot SSRF-guard change on current main preserving resolveTokenExpiresInSeconds plus unsafe expires_in coverage.

Next step before merge

  • [P1] A focused repair can address the two blockers by making Copilot reset invalidation durable and rebasing the QQBot guard without losing current-main token expiry validation.

Security
Needs attention: The SSRF guard direction is good, but the branch currently drops current-main QQBot token lifetime validation while touching credentialed token fetches.

Review findings

  • [P1] Preserve QQBot token expiry validation with the guard — extensions/qqbot/src/engine/api/token.ts:262
  • [P1] Make reset tombstones survive process restart — extensions/copilot/harness.ts:359
Review details

Best possible solution:

Land this after making Copilot reset invalidation durable across process boundaries and rebasing the QQBot guard on current main without losing token lifetime validation or its tests.

Do we have a high-confidence way to reproduce the issue?

Yes from source: current main only keeps Copilot SDK session IDs in the in-memory trackedSessions map, so a fresh harness or process has no stored SDK session to resume. The PR body also reports a live two-turn Copilot smoke after the patch.

Is this the best way to solve the issue?

No, not yet: durable plugin-state storage is the right boundary, but reset invalidation must survive process restarts and the QQBot SSRF guard must preserve current-main token expiry validation.

Full review comments:

  • [P1] Preserve QQBot token expiry validation with the guard — extensions/qqbot/src/engine/api/token.ts:262
    Current main validates expires_in with resolveTokenExpiresInSeconds and has regression tests for unsafe and non-positive lifetimes. This branch returns to (data.expires_in ?? 7200) * 1000 and removes those tests, and the virtual merge reports changed-in-both conflicts in these files, so the SSRF guard needs to be rebased while keeping the current-main expiry validation.
    Confidence: 0.93
  • [P1] Make reset tombstones survive process restart — extensions/copilot/harness.ts:359
    When deleteStoredBinding fails during reset, the stale SQLite row remains and the only tombstone is resetBlockedStoredSessions, an in-memory Set cleared on process exit. A later harness or process can start with an empty Set, look up the stale binding, and resume the SDK session that reset was meant to invalidate; add a durable invalidation path or make the stale row impossible to resume after reset failure.
    Confidence: 0.9

Overall correctness: patch is incorrect
Overall confidence: 0.91

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 8c0aaee88237.

Label changes

Label changes:

  • add merge-risk: 🚨 auth-provider: The PR changes QQBot credentialed token fetching and currently conflicts with current-main token lifetime validation.
  • add rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🦪 silver shellfish and patch quality is 🧂 unranked krab.
  • add status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The PR body gives solid after-fix live Copilot proof, but the later QQBot token-fetch guard has only test/check proof and no redacted real runtime evidence or maintainer override. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.
  • remove proof: sufficient: Current real behavior proof status is insufficient, not sufficient.
  • remove rating: 🦐 gold shrimp: Current PR rating is rating: 🧂 unranked krab, so this older rating label is no longer current.
  • remove status: ⏳ waiting on author: Current PR status label is status: 📣 needs proof.

Label justifications:

  • P2: The PR is a normal-priority session persistence improvement with concrete merge blockers but no evidence of emergency production breakage.
  • merge-risk: 🚨 session-state: The PR persists Copilot SDK session IDs across process restarts and must preserve reset semantics when durable deletion fails.
  • merge-risk: 🚨 auth-provider: The PR changes QQBot credentialed token fetching and currently conflicts with current-main token lifetime validation.
  • rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🦪 silver shellfish and patch quality is 🧂 unranked krab.
  • status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The PR body gives solid after-fix live Copilot proof, but the later QQBot token-fetch guard has only test/check proof and no redacted real runtime evidence or maintainer override. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.
Evidence reviewed

PR surface:

Source +135, Tests +341. Total +476 across 6 files.

View PR surface stats
Area Files Added Removed Net
Source 3 173 38 +135
Tests 3 359 18 +341
Docs 0 0 0 0
Config 0 0 0 0
Generated 0 0 0 0
Other 0 0 0 0
Total 6 532 56 +476

Security concerns:

  • [medium] Keep bounded QQBot token lifetimes — extensions/qqbot/src/engine/api/token.ts:262
    The branch removes the current-main parser that prevents unsafe expires_in values from creating unbounded or unintended token cache lifetimes, so the guarded fetch change should be rebased without losing that auth-token protection.
    Confidence: 0.88

Acceptance criteria:

  • [P1] node scripts/run-vitest.mjs extensions/copilot/harness.test.ts extensions/copilot/index.test.ts extensions/qqbot/src/engine/api/token.test.ts.
  • [P1] node scripts/crabbox-wrapper.mjs run ... --shell -- "pnpm check:changed".

What I checked:

  • Repository policy read and applied: Root policy marks auth/session state, persisted preferences, plugin APIs, provider routing, and fallback behavior as compatibility-sensitive review surfaces; that directly applies to this PR's durable session binding and token-fetch changes. (AGENTS.md:16, 8c0aaee88237)
  • Scoped extension policy read: The extension boundary requires bundled plugin production code to use plugin SDK seams rather than core internals; the Copilot state store and QQBot SSRF guard both use plugin SDK subpaths, so the boundary direction is appropriate. (extensions/AGENTS.md:3, 8c0aaee88237)
  • Current main only tracks Copilot SDK sessions in memory: Current main's Copilot harness keeps SDK session bindings in a process-local trackedSessions map, so a new process or harness instance cannot resume the SDK session without the PR's durable store path. (extensions/copilot/harness.ts:129, 8c0aaee88237)
  • PR uses durable plugin-state for Copilot bindings: The PR opens a trusted plugin-state sync keyed store under namespace sdk-sessions with a 90-day TTL and passes it to createCopilotAgentHarness. (extensions/copilot/index.ts:32, 2ddff8495347)
  • Reset tombstone is only process-local: When durable delete fails, resetBlockedStoredSessions is only an in-memory Set; after process exit a later harness starts with an empty Set and can still look up the stale row. (extensions/copilot/harness.ts:359, 2ddff8495347)
  • Reset regression test misses process restart: The added failed-delete reset test resets and reruns on the same harness instance, so it does not cover a later fresh harness or process reading the stale SQLite row. (extensions/copilot/harness.test.ts:1003, 2ddff8495347)

Likely related people:

  • joshavant: Git blame and file history show the current Copilot harness, plugin-state store, and original QQBot token manager paths dating to commit 765477d. (role: introduced behavior and adjacent owner; confidence: high; commits: 765477d77ae6; files: extensions/copilot/harness.ts, src/plugin-state/plugin-state-store.ts, extensions/qqbot/src/engine/api/token.ts)
  • steipete: Current main's QQBot token expiry validation in the same token files was authored in commit 91ecd96, so this person is a likely routing candidate for preserving that behavior during the SSRF-guard rebase. (role: recent adjacent contributor; confidence: high; commits: 91ecd9645f12; files: extensions/qqbot/src/engine/api/token.ts, extensions/qqbot/src/engine/api/token.test.ts)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. P2 Normal backlog priority with limited blast radius. merge-risk: 🚨 session-state 🚨 May lose, corrupt, stale, or mis-associate session, agent, or context state. labels May 29, 2026
@clawsweeper clawsweeper Bot mentioned this pull request May 29, 2026
Closed
@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. merge-risk: 🚨 auth-provider 🚨 May break OAuth, tokens, provider routing, model choice, or credentials. and removed proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. labels May 29, 2026
@steipete steipete force-pushed the fix/copilot-sdk-session-persistence branch from 2ddff84 to 600bdf2 Compare May 29, 2026 16:40
@steipete steipete merged commit ece92bc into main May 29, 2026
99 checks passed
@steipete steipete deleted the fix/copilot-sdk-session-persistence branch May 29, 2026 16:46
ch1kim0n1 added a commit to ch1kim0n1/openclaw that referenced this pull request May 30, 2026
@ch1kim0n1 @joshavant
@vincentkoc @jesse-merhi @steipete @thewilloftheshadow @giodl73-repo @obviyus @shakkernerd @benjamin1492 @ngutman @RomneyDa @1052326311 @zhangguiping-xydt @giordano-lucas @claude @sallyom @kevinslin @keshavbotagent
fix(reply): hide ACP tool traces from Telegram (#1)
08d85ed 
* fix(exec): bind node auto-review commands

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>
Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>

* fix(exec): honor node runtime policy for auto-review

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>
Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>

* fix(exec): harden auto-review prompt boundaries

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>
Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>

* fix(exec): align release validation surfaces

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>
Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>

* fix(exec): align release validation checks

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>
Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>

* test(e2e): repair release docker smoke fixtures

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>
Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>

* fix(exec): resolve auto approvals as runtime

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>
Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>

* ci: relax native OpenAI live proof timing

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>
Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>

* fix(exec): include mode in doctor policy warnings

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>
Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>

* test(release): repair live matrix expectations

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>
Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>

* fix(tts): centralize directive number parsing

* fix(provider): bound Vydra and Comfy media downloads

* fix(discord): validate error code integers

* fix(discord): reject unsafe rate limit headers

* ci(release): make plugin publish retries idempotent

* perf(agent): lazy load embedded agent cli path

* fix(whatsapp): validate inbound timestamps

* refactor: share agent harness loader helpers

* fix(agents): cap unsafe retry-after delays

* perf(agent): defer session resolver for scoped gateway turns

* fix(msteams): ignore unsafe retry-after delays

* refactor: share store writer queue

* fix(slack): reject unsafe inbound timestamps

* fix(discord): reject unsafe retry-after delays

* fix(qa-matrix): cap fault proxy bodies

* fix(discord): bound delivery retry delays

* refactor: share cron state parsing

* Delete changelog directory

* fix(zalouser): reject unsafe inbound timestamps

* fix(cli): avoid underscored gateway test export

* fix(scripts): cap clawtributor avatar probes

* fix(telegram): centralize safe thread id parsing

* fix(googlechat): drop invalid inbound timestamps

* fix(doctor): label auth health by agent (openclaw#85924)

Merged via squash.

Prepared head SHA: 8c179fc
Co-authored-by: giodl73-repo <235387111+giodl73-repo@users.noreply.github.com>
Co-authored-by: giodl73-repo <235387111+giodl73-repo@users.noreply.github.com>
Reviewed-by: @giodl73-repo

* fix(qqbot): validate token expiry lifetimes

* fix(openai): validate codex oauth token lifetimes

* refactor: share node pairing surface helpers

* fix(anthropic): validate oauth token lifetimes

* fix(scripts): cap memory FD repro RPC bodies

* fix(github-copilot): validate device code lifetimes

* fix(msteams): validate oauth token lifetimes

* refactor: share cli help argv scan

* fix(github-copilot): validate oauth expiry values

* fix(scripts): cap realtime smoke responses

* fix(chutes): validate oauth token lifetimes

* fix(auto-reply): reuse cli sessions for room events

* fix(auto-reply): keep room event cli sessions transient

* fix(agent-core): reject invalid session timestamps

* fix(scripts): cap Claude usage response reads

* refactor: centralize skills subsystem

* refactor: move skill lifecycle code into skills subsystem

* fix: bound skill index cache invalidation

* fix: preserve skill snapshot freshness

* fix: preserve preloaded skill snapshot entries

* refactor: move session skill loader into skills subsystem

* fix: preserve empty skill filter short circuit

* fix: align empty default skill filter behavior

* fix: align skills branch with upstream tar verbose test

* fix: drop stale system prompt override imports

* refactor: centralize skills runtime paths

* refactor: remove stale agents skills barrel

* refactor: use direct skills imports

* refactor: organize skills subsystem layout

* fix: lint centralized skills subsystem

* refactor: split skills index follow-up

* refactor: centralize skills subsystem

* fix: unblock skills centralization checks

* fix: route moved skills tests through unit-fast

* refactor: centralize skills runtime tests

* refactor: share web secret target selection

* refactor: centralize safe expiry parsing

* fix(exec): normalize unsafe timeout values

* fix: persist Copilot SDK session bindings

Persist GitHub Copilot SDK session ids in the plugin-state SQLite store so separate OpenClaw process turns can resume the same Copilot-side session when the compatibility fingerprint still matches.

The fingerprint covers provider/model/cwd, resolved agent id, resolved Copilot home, and auth identity. Plugin-state lookup/register/delete failures are non-fatal, stale rows are invalidated, and reset delete failures use an in-process tombstone so reset does not accidentally reuse a durable binding.

Also routes the QQBot token POST through the plugin SDK SSRF guard with capture disabled for the secret-bearing request, preserving the current token lifetime validation from main.

Verification: focused Copilot and QQBot Vitest suites, raw channel fetch guard, autoreview clean, Blacksmith Testbox pnpm check:changed tbx_01kst9fwjmsfzwaxqatszcbf40, live local Copilot two-turn smoke with the same SDK session id persisted in SQLite.

Refs openclaw#88064

* fix(exec): cap node run timeouts

* perf(agent): skip plugin validation for gateway dispatch

* fix(scripts): cap firecrawl compare HTML reads

* fix(xai): normalize unsafe oauth lifetimes

* refactor: share e2e text file helpers

* fix(google): normalize unsafe oauth expiry

* fix(openai): normalize codex device lifetimes

* refactor: reuse e2e text tail helper

* test(xai): type device-code note mock

* fix(minimax): reject unsafe oauth expiry

* fix(ci): cap dependency guard error bodies

* fix(google-meet): normalize oauth expiry

* fix(command): stabilize claude-cli transcript resume (openclaw#81048)

Fix claude-cli transcript resume so session-id rotation and transcript flush timing do not drop valid resume state.

- Capture the latest claude-cli session_id from JSONL output.
- Resolve Claude project transcript paths through the shared canonical project-dir resolver.
- Probe transcript content from the actual CLI process cwd.
- Thanks @benjamin1492!

* refactor: share codex e2e install helpers

* fix(feishu): bound streaming token expiry

* fix(openshell): cap command timeout config

* refactor: centralize timer-safe timeout bounds

* refactor: share e2e websocket open helper

* fix(minimax): guard oauth token fetches (openclaw#88088)

* fix(feishu): normalize app registration poll timers

* fix(google): reject unsafe vertex adc lifetimes

* fix(scripts): cap npm packument reads

* fix(auth): reject unsafe wham reset windows

* refactor: share qa report arg parsing

* fix(retry): cap unsafe retry delays

* fix(sandbox): bound novnc observer token ttl

* feat(workboard): add agent coordination tools

Summary:
- Add Workboard agent coordination tools for list/read/claim/heartbeat/release/comment/proof/unblock flows.
- Store artifacts, claims, diagnostics, and notifications in the Workboard SQLite-backed plugin state; surface the new metadata through Gateway, Control UI, docs, and plugin manifest contracts.
- Add scoped claim authorization, token redaction, stale diagnostic cleanup, atomic proof artifact writes, and generated i18n metadata.

Verification:
- pnpm test ui/src/i18n/test/translate.test.ts extensions/browser/src/cli/browser-cli-actions-input/register.element.test.ts extensions/workboard/src/store.test.ts extensions/workboard/src/gateway.test.ts extensions/workboard/src/tools.test.ts ui/src/ui/controllers/workboard.test.ts ui/src/ui/views/workboard.test.ts
- pnpm ui:i18n:check
- env -u OPENCLAW_TESTBOX pnpm check:changed
- autoreview --mode local: clean
- PR CI passed; Windows checkout failure rerun passed on attempt 2

* perf(gateway): reuse session maintenance config during turns

* fix(node-host): cap timeout wrapper delays

* fix(talk): cap fast context timeout delay

* fix(e2e): harden kitchen sink probe body caps

* refactor: share bounded response reader

* fix(providers): cap model request timeout delays

* fix(oauth): cap request abort timeout delays

* test: speed up slow assertions

* test: stabilize slow assertion timings

* test: shard channel import guardrails

* perf(sessions): patch single-entry store writes

* refactor: share script bounded response helper

* fix(codex): cap responses request timeout delays

* fix(scripts): cap gh-read json bodies

* fix(lmstudio): cap model fetch timeout delays

* feat(ios): default to hosted push relay (openclaw#88096)

Merged via squash.

Prepared head SHA: 75f939a
Co-authored-by: ngutman <1540134+ngutman@users.noreply.github.com>
Co-authored-by: ngutman <1540134+ngutman@users.noreply.github.com>
Reviewed-by: @ngutman

* fix(minimax): cap tts timeout delays

* build(plugins): externalize copilot runtime

* refactor: share codex app server start context

* test(file-transfer): remove stale tar fixture awaits

* fix(runtime): centralize safe timer timeout resolution

* refactor: share ui chat send wrapper

* docs(plugins): clarify external plugin installs

* fix: close native hook relay replacement race

* fix(qa-lab): cap credential broker request timeouts

* refactor: share e2e incremental line reader

* test(ci): fix main test expectations (openclaw#88122)

* fix(copilot): cap oauth request timeouts

* fix(oauth): cap tls preflight timeout

* build(plugins): externalize tokenjuice

* docs(plugins): add external package readmes

* perf: reuse gateway session and plugin metadata paths

* fix(exec): bind node auto-review to prepared plans

* fix(auth): cap GitHub Copilot OAuth timeouts

* docs(skills): expand Discrawl archive workflow

* fix(discord): cap request timeout signals

* fix(agents): preserve rotated compaction session identity

Fix `sessions.json` persistence after compaction transcript rotation.

When the agent runtime rotates from the pre-compaction session transcript to the post-compaction transcript, post-run consumers now receive the effective OpenClaw session id and session file. Backend CLI session ids remain backend metadata and no longer overwrite the top-level OpenClaw session identity.

Refs openclaw#88040.
Thanks @1052326311.

Verification:
- `node scripts/run-vitest.mjs src/agents/agent-command.compaction-rotation.test.ts src/agents/agent-command.live-model-switch.test.ts src/agents/command/session-store.test.ts`
- Autoreview clean
- GitHub CI green on PR head `c3d3c77ddf675bbba0b9ba6681b030a2f69a898c`

* fix: keep compaction timeout snapshots continuable

* feat(ios): add talk tab realtime playback (openclaw#88105)

Merged via squash.

Prepared head SHA: f41112a
Co-authored-by: ngutman <1540134+ngutman@users.noreply.github.com>
Co-authored-by: ngutman <1540134+ngutman@users.noreply.github.com>
Reviewed-by: @ngutman

* fix(signal): cap container timeout timers

* fix(agents): forward ACP spawn attachments

Forward initial image/file attachments when spawning ACP subagents through the existing sessions_spawn attachment opt-in. Remove the PR-only acpEnabled config split so ACP uses the same attachment gate as other runtimes.

Also fix the PR branch CI fallout: type the browser element CLI request mock and use Vitest env stubs in the Azure speech test to satisfy the changed-path security scan.

Verification:
- GitHub CI passed on f6ca26b.
- Autoreview clean.
- Crabbox AWS live OpenAI proof passed: cbx_a576d49493fe / run_081dcc6c6a1b.

Thanks @zhangguiping-xydt.

* refactor: share e2e bounded response reader

* docs(browser): add Notte cloud browser to direct WebSocket CDP providers

Notte exposes a CDP-compatible WebSocket gateway at
wss://us-prod.notte.cc/sessions/connect?token=<NOTTE_API_KEY> that
auto-creates a session on connect — the same shape OpenClaw's existing
"Direct WebSocket CDP providers" section was generically framed for
(per openclaw#31085).

Real behaviour proof (against wss://us-prod.notte.cc/sessions/connect):

  $ openclaw browser --browser-profile notte open https://example.com
  opened: https://example.com/
  tab: t4
  id: 7FE04AC44931A6E1C799DE4ABF0DC807

A screenshot captured against the same session is a 1254x1111 PNG of
the rendered example.com page.

Playwright connectOverCDP flow against the same URL (today):

  connectOverCDP                                      695ms
  context.newCDPSession(page)                         169ms
  session.send('Target.getTargetInfo') → targetId     87ms
  page.goto('https://example.com')                    631ms
  total                                               1.8s

AI-assisted (Claude Opus 4.7). codex review --base origin/main returned
clean. See PR description for the full pre-flight checklist.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* fix(zalo): cap api request timeouts

* fix: stabilize codex supervisor session listing

* fix(qa-matrix): cap substrate request timeouts

* fix(xiaomi): cap tts request timeouts

* refactor: share e2e mock http helpers

* docs(skills): require grouped release changelogs

* fix(zai): cap endpoint probe timeouts

* fix(mattermost): cap dm retry timeouts

* perf: reuse provider handles and strict tool schemas

* feat: add core session goals (openclaw#87469)

* feat: add core session goals

* feat: polish session goals in tui

* fix: resolve goal tool session stores

* fix: keep get goal read-only

* fix: migrate legacy goal session slots

* fix: persist goal token accounting

* fix: validate goal session rows

* refactor: remove unshipped goal legacy handling

* fix: handle goal commands in local tui

* fix: satisfy goal tool display checks

* fix: reset goal budget on overdue resume

* feat: surface session goals across control surfaces

* test: update gateway protocol test import

* test: align goal fixture types with protocol

* fix: scope selected global transcript usage fallback

* fix: scope selected global web subscriptions

* fix: preserve selected global agent during chat dispatch

* fix: scope chat inject to selected global agents

* test: fix timeout mock return types

* fix(crestodian): cap probe timeouts

* fix: keep live OpenClaw session locks during cleanup (openclaw#88129)

Keep session lock cleanup from removing live OpenClaw-owned locks solely because they are old. Cleanup now reports age-only stale locks without deleting them, while still removing dead, orphaned, recycled, malformed-old, and non-OpenClaw-owned locks.

Update doctor docs and regression coverage for the cleanup/repair contract.

Refs openclaw#87779

* fix(agents): cap model scan timeouts

* refactor: share script budget number parsing

* fix(provider): cap operation timeouts

* fix(usage): cap provider usage fetch timeouts

* fix: bound default heartbeat run timeout (openclaw#88133)

Fixes openclaw#87438.

Bound unset heartbeat run timeouts so background heartbeat turns no longer inherit the built-in 48-hour interactive agent default. Timeout precedence is explicit heartbeat timeout, explicit global agent timeout, then heartbeat cadence capped at 600 seconds.

Verification:
- git diff --check
- Testbox tbx_01kstna69zvznn4fq7zrqr04a1: corepack pnpm test src/infra/heartbeat-runner.model-override.test.ts -- --reporter=verbose passed 13 tests
- Direct node --import tsx runtime probe verified 300s, 600s, 60s, and 45s timeout precedence cases
- Autoreview clean

Known CI state:
- PR CI run 26661465248 has failures matching latest main CI run 26661386468 at a7820b2; failures are outside this six-file heartbeat/docs diff.

* fix(signal): cap client request timeouts

* fix(feishu): cap async helper timeouts

* refactor: share script bounded response reader

* fix: move compaction planning off the event loop

Move compaction planning work to a bounded worker-thread path so large transcript planning no longer monopolizes the agent event loop. Extract pure planning helpers, sanitize worker inputs before structured clone, package the worker entrypoint, and keep synchronous fallback only for worker-unavailable cases.

Fixes openclaw#86358.

* fix(browser): cap control fetch timeouts

* fix(ci): repair main checks

* fix(browser): cap node runtime timeouts

* fix(codex-supervisor): centralize session limit parsing

* fix(discord): cap monitor helper timeouts

* perf: reuse gateway runtime metadata

* fix(acp): cap turn timeout timers

* refactor: share media temp save wrapper

* fix(tts): cap speech provider timeouts

* fix(media): cap generation provider timeouts

* fix ci mainline checks (openclaw#88137)

* fix(infra): cap request body timeouts

* ci: stabilize main checks

* feat: add skills index

* perf: avoid unnecessary skills index maps

* refactor: share skill command exposure policy

* perf: centralize skill status lookup

* refactor: reuse shared skills prompt formatter

* perf: reuse resolved skills allowlist

* perf: speed up skills filtering

* perf: prepare bundled skill allowlist once

* perf: use set for bundled skill allowlist

* test: preserve real skills status exports

* test: share skills entry fixtures

* test: remove duplicate skill fixture wrappers

* test: complete skills status mock surface

* fix(gateway-client): cap stop wait timeout

* perf: prefer package-local bundled plugin artifacts

* fix(openai): cap codex oauth preflight timeout

* fix(supervisor): narrow stored session limit parsing

* refactor: share diagnostics timeline span helpers

* fix(ci): repair main checks

* fix(ci): break skills loading cycle

* test: fix main CI regressions

* fix(apns): cap relay timeout

* fix(infra): cap jsonl socket timeouts

* fix(infra): cap shell env timeouts

* test: stabilize remaining CI flakes

* fix(apns): cap direct timeout paths

* Add plugin manifest contract for SecretRef provider integrations (openclaw#82326)

* secret-provider-integrations

Signed-off-by: sallyom <somalley@redhat.com>

* feat(secrets): configure plugin provider presets

* secrets: use plugin-managed provider refs

Signed-off-by: sallyom <somalley@redhat.com>

* fix secretref auth profile service env

* test secret provider integration e2e

* fix secretref plugin config service env

* fix secret provider preset schema alignment

* stabilize secret provider service proof

* validate secret provider plugin integrations

* harden secret provider resolver paths

* scope secret provider config validation

* stabilize openai secret provider proof

* fix secret provider metadata proof

* stabilize config baseline proof

* fix secret provider e2e lint

---------

Signed-off-by: sallyom <somalley@redhat.com>
Co-authored-by: joshavant <830519+joshavant@users.noreply.github.com>

* fix(proxy): cap connect tunnel timeouts

* fix: route media completions through requester agent (openclaw#88141)

* fix(scripts): cap issue labeler response bodies

* refactor: share media understanding post params

* fix(infra): cap transport readiness timeouts

* ci: reduce main workflow critical path

* test(gateway): stabilize live helper shard

* refactor: share native approval route gates

Share native approval route gate helpers across mainstream channel approval runtimes and keep PR openclaw#87770 green on current main.

* fix(channels): centralize stall watchdog timer bounds

* perf: resolve native esm plugin sdk imports

* test: stabilize infra state shard

* fix(nostr): cap profile import relay timers

* test(infra): stabilize main CI tests

* test(infra): preserve script wrapper fixture

* fix(web): cap guarded fetch timeout seconds

* fix(zalouser): cap probe timeout timer

* refactor: add shared sqlite state database

Adds the shared SQLite state database base, moves plugin keyed state into it with doctor migration coverage, and keeps generated Kysely guardrails aligned. Proof: focused SQLite/plugin-state tests, db:kysely:check, lint:kysely, architecture/dependency guards, autoreview, and PR CI all clean.

* fix(codex): recover app-server completion stalls

Fix Codex app-server completion-stall recovery so replay-safe stdio completion-idle failures retry once, while progress/terminal turn-watch timeouts only surface timeout payloads.

Also preserve post-tool completion guards for scoped native response deltas and stabilize the oversized CONNECT timeout regression test picked up from latest main.

Co-authored-by: Kelaw - Keshav's Agent <keshavbotagent@gmail.com>

* fix(ci): repair main normalization checks

* fix(zalouser): cap qr login timeouts

* fix(dev): cap Discord smoke response bodies

* fix(agents): centralize terminal run outcome precedence (openclaw#88136)

* fix(agents): centralize terminal run outcome precedence

* docs(agents): explain terminal outcome precedence

* docs(agents): note terminal outcome helper

* fix(agents): preserve pending hard timeout over late completion

* test(agents): align global session scoping expectation

* Revert "test(agents): align global session scoping expectation"

This reverts commit 9b4a0c3.

* test(infra): stabilize CONNECT timeout cap test

* fix(agents): prioritize hard timeout terminal evidence

* fix(gateway): preserve pending hard timeout snapshots

* ci: skip bundled dts in artifact build

* fix(memory): cap qmd process timeouts

* fix(ci): repair main lint gates

* test(infra): avoid max fake-timer jumps (openclaw#88155)

* fix(whatsapp): cap credential flush timeout

* ci: satisfy build profile lint

* refactor: share live transport scenario helpers

* fix(telegram): cap polling lease wait timer

* fix(release): avoid gh api for candidate reads

* fix(release): harden candidate run status polling

* fix(feishu): reopen retryable bot menu replay

* fix(release): avoid gh api in beta smoke

* fix(release): build beta smoke REST curl command

* test(realtime): stabilize websocket timeout test

* test: stabilize realtime websocket timeout

* fix(telegram): centralize positive timer bounds

* fix(providers): cap local service timers

* refactor: share provider oauth runtime helpers

* fix(openrouter): cap music stream timeout

* fix(release): harden release ci summary lookup

* fix(fal): cap video queue deadline

* test(ci): stabilize tool search gateway timeout helper

* fix(reply): hide ACP tool traces from Telegram

Telegram's surface renders tool-call traces poorly compared to Discord's. Add a
per-channel visibility isolation list (currently just `telegram`) so the
dispatch-acp delivery coordinator drops tool/status payloads to those channels
and rewrites error payloads to a sanitized message that points to local logs
instead of leaking the trace.

- New ACP_VISIBILITY_ISOLATED_CHANNELS set + helper prepareAcpPayloadForChannelVisibility
- Coordinator picks the effective target channel (originating or direct) and
  skips delivery when the payload is a tool / status / error trace
- 89 lines of test coverage in dispatch-acp.test.ts for the new path

---------

Signed-off-by: sallyom <somalley@redhat.com>
Co-authored-by: joshavant <830519+joshavant@users.noreply.github.com>
Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>
Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
Co-authored-by: Shadow <shadow@openclaw.ai>
Co-authored-by: Gio Della-Libera <giodl73@gmail.com>
Co-authored-by: giodl73-repo <235387111+giodl73-repo@users.noreply.github.com>
Co-authored-by: Ayaan Zaidi <hi@obviy.us>
Co-authored-by: Shakker <shakkerdroid@gmail.com>
Co-authored-by: Peter Steinberger <peter@steipete.me>
Co-authored-by: benjamin1492 <35176637+benjamin1492@users.noreply.github.com>
Co-authored-by: Nimrod Gutman <nimrod.gutman@gmail.com>
Co-authored-by: ngutman <1540134+ngutman@users.noreply.github.com>
Co-authored-by: Dallin Romney <dallinromney@gmail.com>
Co-authored-by: xin zhuang <65798732+1052326311@users.noreply.github.com>
Co-authored-by: zhang-guiping <zhang.guiping@xydigit.com>
Co-authored-by: Lucas Giordano <giordano3102lucas@gmail.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Sally O'Malley <somalley@redhat.com>
Co-authored-by: Kevin Lin <kevin@dendron.so>
Co-authored-by: keshavbotagent <keshavbotagent@gmail.com>
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request May 30, 2026
@steipete
fix: persist Copilot SDK session bindings
1113d98 
Persist GitHub Copilot SDK session ids in the plugin-state SQLite store so separate OpenClaw process turns can resume the same Copilot-side session when the compatibility fingerprint still matches.

The fingerprint covers provider/model/cwd, resolved agent id, resolved Copilot home, and auth identity. Plugin-state lookup/register/delete failures are non-fatal, stale rows are invalidated, and reset delete failures use an in-process tombstone so reset does not accidentally reuse a durable binding.

Also routes the QQBot token POST through the plugin SDK SSRF guard with capture disabled for the secret-bearing request, preserving the current token lifetime validation from main.

Verification: focused Copilot and QQBot Vitest suites, raw channel fetch guard, autoreview clean, Blacksmith Testbox pnpm check:changed tbx_01kst9fwjmsfzwaxqatszcbf40, live local Copilot two-turn smoke with the same SDK session id persisted in SQLite.

Refs openclaw#88064
SYU8384 pushed a commit to SYU8384/openclaw that referenced this pull request Jun 3, 2026
@steipete
fix: persist Copilot SDK session bindings
106a24c 
Persist GitHub Copilot SDK session ids in the plugin-state SQLite store so separate OpenClaw process turns can resume the same Copilot-side session when the compatibility fingerprint still matches.

The fingerprint covers provider/model/cwd, resolved agent id, resolved Copilot home, and auth identity. Plugin-state lookup/register/delete failures are non-fatal, stale rows are invalidated, and reset delete failures use an in-process tombstone so reset does not accidentally reuse a durable binding.

Also routes the QQBot token POST through the plugin SDK SSRF guard with capture disabled for the secret-bearing request, preserving the current token lifetime validation from main.

Verification: focused Copilot and QQBot Vitest suites, raw channel fetch guard, autoreview clean, Blacksmith Testbox pnpm check:changed tbx_01kst9fwjmsfzwaxqatszcbf40, live local Copilot two-turn smoke with the same SDK session id persisted in SQLite.

Refs openclaw#88064
sablehead pushed a commit to sablehead/openclaw that referenced this pull request Jun 10, 2026
@steipete
fix: persist Copilot SDK session bindings
2c6f01a 
Persist GitHub Copilot SDK session ids in the plugin-state SQLite store so separate OpenClaw process turns can resume the same Copilot-side session when the compatibility fingerprint still matches.

The fingerprint covers provider/model/cwd, resolved agent id, resolved Copilot home, and auth identity. Plugin-state lookup/register/delete failures are non-fatal, stale rows are invalidated, and reset delete failures use an in-process tombstone so reset does not accidentally reuse a durable binding.

Also routes the QQBot token POST through the plugin SDK SSRF guard with capture disabled for the secret-bearing request, preserving the current token lifetime validation from main.

Verification: focused Copilot and QQBot Vitest suites, raw channel fetch guard, autoreview clean, Blacksmith Testbox pnpm check:changed tbx_01kst9fwjmsfzwaxqatszcbf40, live local Copilot two-turn smoke with the same SDK session id persisted in SQLite.

Refs openclaw#88064
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

channel: qqbot extensions: copilot maintainer Maintainer-authored PR merge-risk: 🚨 auth-provider 🚨 May break OAuth, tokens, provider routing, model choice, or credentials. merge-risk: 🚨 session-state 🚨 May lose, corrupt, stale, or mis-associate session, agent, or context state. P2 Normal backlog priority with limited blast radius. rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. size: L status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@steipete