Skip to content

refactor: add session accessor seam with gateway consumer#90463

Merged
jalehman merged 23 commits into
mainfrom
clawdbot-9c3-ce2/session-accessor-gateway-entry
Jun 14, 2026
Merged

refactor: add session accessor seam with gateway consumer#90463
jalehman merged 23 commits into
mainfrom
clawdbot-9c3-ce2/session-accessor-gateway-entry

Conversation

@jalehman

@jalehman jalehman commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds the storage-neutral session accessor seam and routes the first gateway session-entry production reads through it.

Why

This intentionally supersedes #88840 and #89120 as a single review unit. Reviewed in isolation, #88840 introduces the accessor before any production caller uses it, so the repository dead-code gate correctly reports src/config/sessions/session-accessor.ts as unused. Bundling the first non-SDK gateway consumer keeps the branch-by-abstraction shape while making the new seam production-reachable without adding temporary dead-code allowlist debt.

Changes

  • Add session accessor contract
  • Add file-backed accessor implementation
  • Route gateway entry reads
  • Preserve legacy lookup behavior
  • Update focused seam tests

Verification

  • node scripts/check-deadcode-unused-files.mjs
  • pnpm deadcode:dependencies
  • pnpm plugin-sdk:api:check
  • node scripts/run-vitest.mjs src/config/sessions/session-accessor.test.ts src/config/sessions/store-read.test.ts src/config/sessions/store-writer.test.ts src/gateway/session-utils.test.ts src/gateway/server-methods/server-methods.test.ts src/gateway/session-history-state.test.ts src/gateway/sessions-history-http.test.ts src/gateway/sessions-resolve.test.ts
  • ./node_modules/.bin/oxfmt --check src/config/sessions/combined-store-gateway.ts src/config/sessions/session-accessor.test.ts src/config/sessions/session-accessor.ts src/config/sessions/store.runtime.ts src/config/sessions/store.ts src/config/sessions/transcript-append.ts src/gateway/server-methods/sessions.ts src/gateway/session-utils.ts src/gateway/sessions-resolve.test.ts src/gateway/sessions-resolve.ts src/plugin-sdk/session-store-runtime.ts
  • git diff --check upstream/main..HEAD
  • .agents/skills/autoreview/scripts/autoreview --mode branch --base upstream/main --prompt ...

Known unrelated current-main drift: node scripts/run-vitest.mjs src/agents/tools/pdf-tool.model-config.test.ts fails because the unchanged PDF model-config test still expects openai/gpt-5.4-mini while current media defaults resolve openai/gpt-5.5.

Refs #88838. Supersedes #88840 and #89120.

Real behavior proof

  • Behavior addressed: Gateway session entry reads, session resolution, entry creation, and the routed transcript-append path must behave identically through the new storage-neutral session accessor seam introduced by this PR (seam + first production gateway consumer).

  • Real environment tested: Maintainer's live macOS gateway (launchd service ai.openclaw.gateway, port 18789) built from this branch in ~/Projects/clawdbot, running against the real ~/.openclaw state directory: 14 existing sessions, live Telegram and Discord channels, 45 active cron jobs. Branch was merged into current main locally before building.

  • Exact steps or command run after this patch: pnpm build; launchctl bootstrap gui/$UID ~/Library/LaunchAgents/ai.openclaw.gateway.plist; node dist/index.js gateway status; node dist/index.js sessions; node dist/index.js agent --agent main -m "Live seam proof probe for PR 90463. Reply with exactly one word: pong" --json; direct inspection of ~/.openclaw/agents/main/sessions/sessions.json and the newly created transcript JSONL.

  • Evidence after fix: Live terminal output and runtime logs. Gateway log shows http server listening (11 plugins…; 3.5s) then gateway ready. Seam-routed listing printed Sessions listed: 14, matching the 14 entries in the on-disk store snapshot taken before the restart. Live turn output excerpt:

    "status": "ok",
    "payloads": [ { "text": "pong", "mediaUrl": null } ],
    "sessionId": "538d6092-6323-4fcc-a7d0-d4f92a8b9bf1",
    "sessionFile": ".../agents/main/sessions/538d6092-6323-4fcc-a7d0-d4f92a8b9bf1.jsonl"
    

    The new transcript contains a valid session header with the matching id plus exactly the user and assistant records carrying the probe text and the pong reply. The agent:main:main entry was created with matching sessionId/sessionFile and fresh updatedAt. All 14 pre-existing store keys remain present afterward with no unattributable field changes.

  • Observed result after fix: Seam-routed gateway reads and writes produce the same observable artifacts and behavior as the previous direct store access — same store file, same entry shapes, same transcript format. One ERROR-level runtime log line occurred during the soak (a transient Telegram Bad Gateway 502; ingress self-recovered; unrelated to this change).

  • What was not tested: Channel-inbound end-to-end delivery (message in via Telegram → reply out) beyond ingress startup; concurrent CLI-plus-gateway writer contention; Windows.

@clawsweeper

clawsweeper Bot commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

Codex review: needs maintainer review before merge. Reviewed June 14, 2026, 9:06 AM ET / 13:06 UTC.

Summary
The PR adds a storage-neutral session accessor over the current file-backed session/transcript store, routes initial gateway session-entry reads through it, adds focused tests, and wires a CI boundary ratchet.

PR surface: Source +808, Tests +677, Config +6, Other +146. Total +1637 across 16 files.

Reproducibility: not applicable. as a bug reproduction; this is an internal refactor PR, and the relevant check is behavior-preservation proof for gateway session reads and transcript/session access.

Review metrics: 1 noteworthy metric.

  • Boundary Ratchet Added: 1 CI check added. The PR turns the new architecture boundary into a visible merge gate so migrated gateway files cannot silently return to direct legacy session-store reads.

Stored data model
Persistent data-model change detected: serialized state: src/config/sessions/combined-store-gateway.ts, serialized state: src/config/sessions/session-accessor.test.ts, serialized state: src/config/sessions/session-accessor.ts, serialized state: src/config/sessions/store.ts, serialized state: src/config/sessions/transcript-append.ts, serialized state: src/gateway/server-methods/sessions.ts, and 11 more. Confirm migration or upgrade compatibility proof before merge.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • none.

Risk before merge

  • [P1] This PR establishes a permanent internal session/transcript accessor contract over shipped file-backed state; maintainers need to accept that boundary before downstream SQLite and SDK slices build on it.
  • [P2] The code is intended to be behavior-neutral now, but later slices depend on this seam preserving canonical keys, transcript target resolution, locking, update notifications, and plugin/SDK compatibility without runtime dual-read fallback.

Maintainer options:

  1. Accept The Accessor Contract (recommended)
    If maintainers agree this is the permanent session/transcript boundary for the tracker stack, land it with the ratchet and keep downstream slices gated by the tracker.
  2. Pause For Boundary Redesign
    If this is not the desired long-term API, pause this PR and update the tracker before downstream branches keep building on the seam.

Next step before merge

  • [P2] Protected maintainer label and architecture/session-state risks require human maintainer acceptance rather than an automated repair lane.

Security
Cleared: No concrete security or supply-chain concern found; the workflow change adds a repo-local lint shard and the new script uses existing TypeScript guard utilities without new dependencies, broader permissions, or secret handling.

Review details

Best possible solution:

Land this root slice only after maintainers explicitly accept the accessor contract as the root of the tracker stack and the current-head checks remain green; otherwise keep the stack open for boundary redesign.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a bug reproduction; this is an internal refactor PR, and the relevant check is behavior-preservation proof for gateway session reads and transcript/session access.

Is this the best way to solve the issue?

Yes, this is a maintainable root slice if maintainers accept the tracker direction: combining the accessor with its first gateway consumer avoids a dead-code seam while keeping the storage flip and broader caller migration out of this PR.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against d28691da97fc.

Label changes

Label justifications:

  • P2: This is a normal-priority but upgrade-sensitive internal session/gateway refactor, not an emergency outage fix by itself.
  • merge-risk: 🚨 compatibility: The PR establishes a new permanent session accessor contract over shipped file-backed session state and future SDK/storage migration work depends on that contract.
  • merge-risk: 🚨 session-state: Gateway reads and transcript/session entry resolution move through a new seam that must preserve persisted session identity, transcript targets, and update behavior.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body includes after-fix live gateway proof from a real macOS gateway against an existing state directory, with terminal output/log excerpts showing session listing, agent turn creation, transcript contents, and unchanged pre-existing store keys.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix live gateway proof from a real macOS gateway against an existing state directory, with terminal output/log excerpts showing session listing, agent turn creation, transcript contents, and unchanged pre-existing store keys.
Evidence reviewed

PR surface:

Source +808, Tests +677, Config +6, Other +146. Total +1637 across 16 files.

View PR surface stats
Area Files Added Removed Net
Source 8 841 33 +808
Tests 5 710 33 +677
Docs 0 0 0 0
Config 2 6 0 +6
Generated 0 0 0 0
Other 1 146 0 +146
Total 16 1703 66 +1637

What I checked:

  • Repository policy read: Root AGENTS.md and scoped scripts/gateway/server-methods/test guides were read; their session-state compatibility, gateway, script-wrapper, and raw transcript message guidance applies to this review. (AGENTS.md:20, d28691da97fc)
  • Live PR state: Live GitHub reports this PR open at head 9a55d1b against main d28691d, with the protected maintainer label plus compatibility and session-state merge-risk labels. (9a55d1b2f400)
  • Current main behavior: Current main gateway combined-store loading still reads directly from the file-backed session store before this PR's seam routing. (src/config/sessions/combined-store-gateway.ts:75, d28691da97fc)
  • Accessor contract: The proposed head defines session-accessor.ts as the permanent storage-neutral session/transcript runtime boundary while delegating to existing file-backed helpers for this slice. (src/config/sessions/session-accessor.ts:35, 9a55d1b2f400)
  • Gateway consumer routing: The proposed head routes migrated gateway lookups through accessor-backed listSessionEntries and shares the resolved store with describe/get paths. (src/gateway/session-utils.ts:1415, 9a55d1b2f400)
  • Server method entry points: sessions.describe and sessions.get use loadSessionEntriesForTarget at the proposed head, so the new seam has production gateway consumers rather than dead code only. (src/gateway/server-methods/sessions.ts:263, 9a55d1b2f400)

Likely related people:

  • jalehman: Authored the open tracker and coordinated the stacked accessor, subsystem-adoption, SDK, and SQLite-foundation PRs beyond this single branch. (role: migration coordinator / feature owner; confidence: high; commits: 9a55d1b2f400; files: src/config/sessions/session-accessor.ts, src/gateway/session-utils.ts, src/gateway/server-methods/sessions.ts)
  • steipete: Recent live path history shows substantial session store, gateway session, and prior SQLite migration work in the same state surface, including the merged-and-reverted session metadata SQLite PR. (role: recent area contributor; confidence: high; commits: 538d36eaaaa6, fbac4a2ec77c, 467b068fdc7b; files: src/config/sessions/store.ts, src/gateway/session-utils.ts, src/gateway/server-methods/sessions.ts)
  • vincentkoc: Recent history includes the current-main revert of the earlier session metadata SQLite approach and session-utils CI repair work adjacent to this staged replacement path. (role: recent session migration/revert contributor; confidence: medium; commits: 7f1d82ab2518, 207359a056b9; files: src/config/sessions/store.ts, src/gateway/session-utils.ts)
  • anyech: Live path history shows recent work on single-session row metadata in src/gateway/session-utils.ts, one of the gateway read surfaces routed by this PR. (role: recent gateway session contributor; confidence: medium; commits: fff193402e8e; files: src/gateway/session-utils.ts)
  • shakkernerd: Live path history shows recent deleted-agent and ACP metadata guard fixes in src/gateway/session-utils.ts, adjacent to the session resolution behavior preserved by this PR. (role: recent adjacent gateway/session contributor; confidence: medium; commits: 3b7631e50db9, e16193bad54c, 784e86433c62; files: src/gateway/session-utils.ts)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal backlog priority with limited blast radius. merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. merge-risk: 🚨 session-state 🚨 May lose, corrupt, stale, or mis-associate session, agent, or context state. labels Jun 4, 2026
@jalehman jalehman force-pushed the clawdbot-9c3-ce2/session-accessor-gateway-entry branch from 1c31222 to 4b0e698 Compare June 4, 2026 21:31
@jalehman

jalehman commented Jun 4, 2026

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot removed the merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. label Jun 4, 2026
@clawsweeper clawsweeper Bot added the merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. label Jun 4, 2026
@openclaw-barnacle openclaw-barnacle Bot added the scripts Repository scripts label Jun 4, 2026
@jalehman jalehman force-pushed the clawdbot-9c3-ce2/session-accessor-gateway-entry branch from a13e0eb to 890d5e3 Compare June 4, 2026 22:37
@jalehman jalehman force-pushed the clawdbot-9c3-ce2/session-accessor-gateway-entry branch from 890d5e3 to b496b4b Compare June 10, 2026 22:16
@jalehman

Copy link
Copy Markdown
Contributor Author

Rebased onto current main (05a3b44c93) following the #91322 revert (7f1d82ab25).

Rebase notes

  • Conflicts resolved in src/config/sessions/store.ts (revert churn) and .github/workflows/ci.yml; plugin SDK API baseline regenerated.
  • New commit b496b4bfa0 adapts src/gateway/sessions-resolve.test.ts to the Discord reply-hydration changes that landed on main after the previous head was cut.
  • Range-diff vs prior head 890d5e3645: 17/20 patches identical; 3 modified (generated baseline hash, the gateway-entry conflict resolution, the ci.yml ratchet hook).

Verification (local deps were network-blocked, so proof ran remotely; both runs are brokered AWS Crabbox — Testbox auth was unavailable)

  • pnpm check:changed remote child: exit 0 — oxfmt/oxlint, tsgo core/core-test/extensions/extensions-test, import-cycle and boundary guards including the new check-session-accessor-boundary ratchet. Run run_89da9fa21d36, lease cbx_3b284323a566.
  • Focused vitest via node scripts/run-vitest.mjs (session-accessor, store-read/writer, gateway session-utils / server-methods / history / sessions-resolve, boundary script tests): 17 test files, 707 tests passed. Run run_73b04ed586ba, lease cbx_204faf9c5580.
  • git diff --check origin/main...HEAD clean.

Known gaps: remote pnpm test:changed could not run (the Crabbox wrapper seeds git metadata only for check gates); covered by the explicit-file vitest run above plus PR CI on this push.

@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. proof: sufficient ClawSweeper judged the real behavior proof convincing. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jun 11, 2026
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request Jun 15, 2026
…0463)

Merged via squash.

Prepared head SHA: 58aa59e
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman
saml212 added a commit to Rockielab/rockie-claw that referenced this pull request Jun 16, 2026
)

* fix(chunking): preserve surrogate pairs

* test(telegram): cover rich list and table limits

* fix(telegram): migrate retired native draft config

* fix(telegram): keep rich text media-free

* feat(telegram): nudge agents toward rich text

* fix(telegram): clean rich message CI gates

* test(telegram): align message flow fixture with rich drafts

* fix(telegram): allow rich tables in group prompts

* fix(telegram): show rich text prompt for final replies

* fix(telegram): pass rich text prompts to cli backends

* fix(ui): restore sidebar session picker interactivity above desktop workbench (#92705)

* fix(ui): restore sidebar session picker interactivity above desktop workbench

The collapsed sidebar session picker was covered by the chat content
area when the workspace rail was visible at wider viewports. Two
issues caused this:

1. .sidebar-session-select--collapsed .chat-session-picker used
   var(--z-dropdown) which was never defined, creating an invalid
   z-index declaration (falls back to auto).

2. .shell-nav and .content--chat are grid siblings with equal
   z-index (auto), and .content--chat (later DOM) paints above
   .shell-nav, covering the session picker that extends from the
   nav column into the content column.

Fix: add position:relative + z-index:10 to .shell-nav so it stacks
above .content--chat; change overflow from hidden to visible so
the session picker extends beyond the nav rail; replace undefined
var(--z-dropdown) with z-index:100.

* fix(ui): keep sidebar picker z-index tokenized

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(google): strip provider prefix from Vertex model path

Summary:
- Strip the redundant `google/` provider prefix before embedding Google Vertex model ids under `/publishers/google/models/`.
- Keep bare Vertex model ids unchanged.
- Add regression coverage for the provider-qualified Vertex path.

Verification:
- `node_modules/.bin/oxfmt --check --threads=1 extensions/google/transport-stream.ts extensions/google/transport-stream.test.ts`
- `node scripts/run-oxlint.mjs extensions/google/transport-stream.ts extensions/google/transport-stream.test.ts`
- `node scripts/run-vitest.mjs extensions/google/transport-stream.test.ts --maxWorkers=1 -t 'strips redundant google provider prefixes from Google Vertex model paths'`
- Autoreview clean
- AWS Crabbox `run_649b209478d2` focused Node 24 regression proof
- AWS Crabbox `run_e193db2707ad` remote `check:changed`
- Exact-head CI green for `23aca6f46f596e220df37d939317b433f7044ec6`
- Contributor live Google Vertex proof recorded in the PR body

* feat: support /btw in CLI-backed sessions (#92669)

* feat: support CLI btw side questions

* test: fix CLI prepare test fixture types

* fix: lazy load local btw runner

* fix(gateway): mark active main sessions before restart shutdown aborts (#91357)

* Mark active main sessions during restart shutdown

* Type restart marker mock in close tests

* fix(gateway): preserve active run ownership across restart

* fix(gateway): preserve active runs across restart

* fix(gateway): close restart recovery edge cases

* fix(cron): preserve lifecycle ownership across restart

* fix(gateway): release rejected run contexts

* fix(gateway): preserve restart lifecycle ownership

* fix(cron): retain overlapping run ownership

* fix(agents): preserve restart terminal precedence

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>

* fix(parallel): send User-Agent on free MCP requests

Adds the OpenClaw Parallel User-Agent to free Parallel Search MCP requests so the zero-config web_search path is identifiable at the HTTP layer, matching the paid REST transport.\n\nProof: local focused format/lint/Vitest; live anonymous Parallel MCP handshake; autoreview clean; Crabbox AWS run_bf41ce86e862 focused regression; Crabbox AWS run_ee9b8954b081 check:changed; exact-head GitHub CI green on b7e45e3bfc83cec6ca8df3d9d2708e2c45f093a9.

* fix(ui): preserve dashboard session parent lineage

Preserves the selected Control UI session as the parent when creating dashboard child sessions even if the session list is stale or filtered, while avoiding the synthetic unknown session as a parent.\n\nFixes #90623.\n\nProof: local focused format/lint/Vitest/browser test; autoreview clean; Crabbox AWS run_a2bfdcd2315a UI proof; Crabbox AWS run_ce60fdc546ff check:changed; exact-head GitHub CI green on 03d1c6f646caeed2813e673446109751a50c610f.

* fix(ios): force stale foreground gateway reconnects (#92552)

* fix(telegram): expose thread create CLI remap

Exposes Telegram's thread-create CLI remap through the exported Telegram channel action adapter, preserving the existing plugin-owned mapping to topic-create before gateway dispatch.\n\nFixes #81581.\n\nProof: local focused format/lint/Vitest and dry-run; autoreview clean; Crabbox AWS run_07b98c939fce focused tests; Crabbox AWS run_1b7b35ce1de1 check:changed; exact-head GitHub CI green on 16f6afbdd7d8e1f1df81b71eaf10436e9771181c.

* feat: make workspace files panel collapsible

Signed-off-by: sallyom <somalley@redhat.com>

* fix: start workspace files collapsed

* fix(state): avoid sqlite wal on nfs state volumes

Detects NFS-backed SQLite database paths in the shared WAL helper and uses rollback journaling for those paths while preserving WAL/checkpoint maintenance on local filesystems. The NFS path now verifies SQLite's effective journal mode before disabling WAL maintenance, and core/memory/proxy-capture callers pass database path context into the centralized helper.

Fixes #90491.

Proof: local focused Vitest/format/lint; autoreview clean after fixing the journal-mode verification finding; Crabbox AWS focused test run `run_2ea7014350da`; Crabbox AWS changed gate `run_c828bbfe7d23`; exact-head GitHub CI green on `59674305ecd863d4815eec6098ccd3daab79ca4f`.

* fix(tui): show resolved model ref in confirmation

Uses the canonical model ref returned by `sessions.patch` for the TUI `/model` confirmation so alias inputs report the model that was actually applied. The fallback still shows the raw input when a backend does not return `resolved`, and the display path uses `modelKey` so nested model ids keep the provider prefix without double-prefixing self-prefixed ids.

Proof: local focused TUI Vitest/format/lint; autoreview clean; Crabbox AWS focused TUI test run `run_7d7cc5b040e8`; exact-head GitHub CI green on `6db4acfb08f9d477ee1bdab429bd7189b78ffc92`.

* fix(diagnostics): keep recovery scheduling out of the stuck-session warning backoff (#92752)

Summary:
- The branch changes diagnostic stuck/long-running warning backoff so recovery-eligible classifications are still returned during throttled warning ticks and updates the diagnostic tests.
- PR surface: Source +17, Tests +48. Total +65 across 2 files.
- Reproducibility: yes. Current main source shows logSessionAttention can return undefined during stuck or lon ... g backoff before the heartbeat reaches requestStuckSessionRecovery; I did not run a live QQ gateway replay.

Automerge notes:
- PR branch already contained follow-up commit before automerge: fix(diagnostics): keep recovery scheduling out of the stuck-session w…

Validation:
- ClawSweeper review passed for head f61ec3a33f2c48b03306df38264b3ce9bd062f08.
- Required merge gates passed before the squash merge.

Prepared head SHA: f61ec3a33f2c48b03306df38264b3ce9bd062f08
Review: https://github.com/openclaw/openclaw/pull/92752#issuecomment-4699298908

Co-authored-by: Gnanam <gnanasekaran.sekareee@gmail.com>
Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
Co-authored-by: clawsweeper[bot] <274271284+clawsweeper[bot]@users.noreply.github.com>
Approved-by: takhoffman
Co-authored-by: takhoffman <781889+takhoffman@users.noreply.github.com>

* fix(markdown-core): treat infinity chunk limit as unbounded

Fix render-aware markdown chunking so `Number.POSITIVE_INFINITY` is treated as an explicit unbounded chunk limit instead of falling back to `1`.

This preserves full Signal media captions and disabled Signal text chunking while keeping invalid non-finite limits on the existing fallback path.

Fixes #92734.
Thanks @yhterrance for the report and fix.

* docs(config): correct agent defaults concurrency comments

Correct the exported agent defaults type comments for `maxConcurrent` and `subagents.maxConcurrent` so they match the runtime defaults of 4 and 8.

No runtime behavior changes.
Thanks @ArielSmoliar for the fix.

* docs: clarify before_install hook scope (#92766)

Signed-off-by: sallyom <somalley@redhat.com>

* docs(nodes): add node config example

Add a Nodes overview `openclaw.json` example for node pairing, command allow/deny policy, node exec routing, and per-agent node pinning.

Also clarifies exact `denyCommands` matching and links readers to the config reference for pairing and command-policy field details.

Fixes #92662.
Thanks @liuhao1024 for the fix and @ZengWen-DT for the parallel docs wording on exact node command policy.

* Honor WhatsApp configured ACP bindings (#92513)

Merged via squash.

Prepared head SHA: 665080f48278a6af9d5595708bd9cfd30e36a29c
Co-authored-by: TurboTheTurtle <35905412+TurboTheTurtle@users.noreply.github.com>
Co-authored-by: mcaxtr <7562095+mcaxtr@users.noreply.github.com>
Reviewed-by: @mcaxtr

* fix(memory): split header-too-large embedding batches

Route OpenAI/OpenAI-compatible request_headers_too_large embedding failures into the existing memory-core batch splitter instead of aborting bulk memory indexing.

Tighten the classifier to require header-too-large wording rather than a bare 431 status token, so unrelated provider errors do not fan out into recursive requests.

Fixes #92465.
Thanks @mushuiyu886 for the fix and @BrettHamlin for the report and proof.

* feat(providers): add GLM-5.2 support (#92796)

* feat(providers): add GLM-5.2 support

* ci(live): add GLM-5.2 provider shard

* fix(sessions): enforce channel send policy for account-scoped DMs

Derive the channel from canonical account-scoped DM session keys when resolving session.sendPolicy, so channel-scoped allow/deny rules apply to per-account-channel-peer sessions.

Keep derivation limited to canonical channel peer key shapes and add malformed-key regressions so incomplete or non-channel keys do not accidentally match channel rules.

Compatibility note: existing channel-scoped send-policy rules can now block account-scoped DM sends that were previously allowed by this bug.

Thanks @yetval for the fix.

* docs(changelog): refresh 2026.6.8 notes

* fix(ui): localize workspace file rail labels

* fix(docker): remove stale nested openclaw package

Remove the stale nested openclaw package, its .bin shim, and the pnpm virtual-store copy from the runtime Docker image before final runtime assets are copied.

Run the package dist import-closure check after the cleanup so the check validates the final runtime-assets tree that the image ships.

Compatibility note: private Docker paths under /app/node_modules/openclaw and /app/node_modules/.bin/openclaw are removed; downstream images should use the documented /usr/local/bin/openclaw launcher or /app/openclaw.mjs.

Fixes #92551.
Thanks @lzyyzznl for the fix and @fxstein for the report.

* fix(release): repair beta validation fixtures

* chore(deps): bump macOS Swift dependencies

Updates the macOS Swift package resolution for patch releases of Peekaboo, Sparkle, and swift-log.

Verification:
- `swift package describe --type json`
- `swift build --target OpenClawIPC`
- `swift build --target OpenClawDiscovery`
- upstream tag/revision checks for Peekaboo 3.4.1, Sparkle 2.9.3, and swift-log 1.13.2
- autoreview clean
- exact PR head CI green for macOS, dependency, and security checks

* fix(qa): read rich Telegram replies in live checks

(cherry picked from commit 9c8b8803535b38ec204ead00c29c35e4ea1a8ee7)

* fix(agents): preserve compatible CLI session runtime pins

Preserves provider-compatible CLI runtime session pins across reply execution, follow-up execution, dispatch visibility, preflight compaction, and memory flush.

This keeps sessions pinned to compatible CLI runtimes such as `claude-cli` from leaking into embedded OpenClaw maintenance paths while still rejecting cross-provider runtime pins.

Original PR by @yu-xin-c; includes maintainer follow-up for the sibling memory paths.

Verification:
- `node scripts/run-vitest.mjs src/auto-reply/reply/agent-runner-execution.test.ts src/auto-reply/reply/agent-runner-memory.test.ts src/agents/model-runtime-aliases.test.ts --maxWorkers=1`
- autoreview clean
- Crabbox AWS `cbx_44400b494e97` / `coral-prawn`, run `run_69dd43475e39`: `check:changed` passed
- exact PR head CI green: `303b2f794f6c01fcf21b62b27c536b5f6eceb421`

* test(macos): isolate exec approvals env

* test(macos): avoid real approvals migration in tests

* fix(matrix): validate CLI numeric option ranges

Validates Matrix CLI numeric option ranges before invoking setup or verification side effects.

`--initial-sync-limit` must now be non-negative, and `--timeout-ms` must now be positive.

Original PR by @rohitjavvadi.

Verification:
- `node scripts/run-vitest.mjs extensions/matrix/src/cli.test.ts --maxWorkers=1`
- autoreview clean
- Crabbox AWS `cbx_5c32f138ab3a` / `swift-lobster`, run `run_6e133b8b82e7`: `check:changed` passed
- exact PR head CI green: `d75f118299029b0516311646276cd2d6582379c5`

* fix(qa): accept rich Telegram canary presence

(cherry picked from commit e86eb7567a79fd3fe90115d3840222a292eefa55)

* test(matrix): avoid racy inbound dedupe TTL

(cherry picked from commit 8ae3662b1c7ad32fb79039ff3465e0b1c835fe4e)

* fix(canvas): validate CLI numeric options

Validate Canvas CLI numeric arguments before node invocation.

- Reject malformed `--invoke-timeout` values through the shared Canvas invoke path before resolving a node.
- Keep snapshot `--quality` bounded to the existing Canvas tool schema range of 0..1.
- Add focused CLI regressions for timeout validation, quality bounds, and accepted boundary values.

Verification:
- `node scripts/run-vitest.mjs extensions/canvas/src/cli.test.ts --maxWorkers=1`
- `.agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main ...`
- AWS Crabbox `cbx_b7838c58daba`, run `run_bbb58ca536f4`: `check:changed`
- Exact PR head `a970ce594ea6e7284ace519352fc258b1b81cb80`: GitHub checks green

* fix: reflow composer beside workspace rail

Reflow the Control UI chat composer into the main chat column when the Workspace Files rail is expanded, so the composer stays beside the rail instead of extending underneath it.

Prepared head SHA: 7108d88cdad8c5e1c23d3f0e8b8965d723cea99d
Co-authored-by: Colin Johnson <211764741+Solvely-Colin@users.noreply.github.com>
Co-authored-by: shakkernerd <165377636+shakkernerd@users.noreply.github.com>
Reviewed-by: @shakkernerd

* fix(configure): mask gateway token prompts

Mask gateway token/password prompts while preserving blank-token generation. Verified with focused configure wizard tests and clean CI.

* fix(ports): avoid stale cleanup for non-gateway SSH listeners

Limit SSH tunnel classification to actual queried-port forwards and keep SSH-like non-gateway listeners out of stale gateway cleanup. Verified with focused port/restart tests and clean CI.

* fix(tavily): keep web search contract executable

Keep the Tavily public artifact lightweight while lazily executing through the provider runtime. Verified with focused Tavily/provider artifact tests and clean CI.

* fix(daemon): keep duplicate Windows gateway tasks visible

Normalize Windows schtasks default gateway names without hiding similarly prefixed duplicate tasks. Verified with focused daemon tests, type proof, autoreview, and clean CI.

* fix(cron): isolate transient auth cooldowns

Keep cron-local transient auth failures from polluting shared cooldowns while preserving real auth/billing/rate-limit propagation. Verified with focused auth/cron tests, type proof, autoreview, and clean CI.

* fix(heartbeat): route outbound mirror to isolated session key (#92807)

* fix(heartbeat): route outbound mirror to isolated session key

Co-authored-by: Merkava <263752781+agent-merkava@users.noreply.github.com>

* fix(clownfish): address review for ghcrawl-143801-autonomous-smoke (1)

Co-authored-by: Merkava <263752781+agent-merkava@users.noreply.github.com>

* fix(clownfish): address review for ghcrawl-143801-autonomous-smoke (1)

Co-authored-by: Merkava <263752781+agent-merkava@users.noreply.github.com>

---------

Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com>
Co-authored-by: Merkava <263752781+agent-merkava@users.noreply.github.com>

* test(gateway): preserve live Codex api-key auth

(cherry picked from commit 4aa50732f607d84e23c4e7d3ac8e77292c8c774e)

* fix(memory): surface skipped short-term recall hits (#92745)

Record diagnostic events when memory_search returns durable memory hits that are intentionally excluded from short-term promotion, so users can distinguish eligibility decisions from recall tracking failures.

* fix(gateway): forward image-only input on /v1/responses (parity with chat completions) (#92488)

* fix(gateway): accept image-only input on /v1/responses

The OpenResponses endpoint rejected requests whose `input` contained only
an `input_image` (no `input_text`) with `400 Missing user message in
input.`, even though the image was parsed and collected into `images`.
The guard only checked `prompt.message` and ignored `images`, unlike the
equivalent /v1/chat/completions guard which uses
`!prompt.message && images.length === 0`.

Align the OpenResponses guard with Chat Completions so image-only turns
are forwarded to the agent. Empty input (no text and no image) still
returns 400.

Adds regression tests: image-only base64 input -> 200 with image reaching
the agent, and empty content -> 400.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(gateway): pass image-only /v1/responses turns to the agent

The one-line guard alone was insufficient: even after letting image-only
input past the `Missing user message` check, the downstream agent command
(`prepareAgentCommandExecution`) throws `Message (--message) is required`
for an empty message, so image-only `/v1/responses` returned 500.

Mirror the /v1/chat/completions prompt builder: substitute the shared
IMAGE_ONLY_USER_MESSAGE placeholder for the active image-only user turn so
the turn is not dropped and the real image is still attached via `images`.
Promote the placeholder constant to the shared gateway agent-prompt module
so both endpoints stay in sync, and revert the responses guard back to the
original `!prompt.message` check (responses images are not scoped to the
active turn, so the placeholder is the correct, single source of truth).

Co-authored-by: Cursor <cursoragent@cursor.com>

* chore: retrigger CI (flaky startup-core test timeout, unrelated to change)

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: songwendong <songwendong@shuidi-inc.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(status): avoid cumulative usage for context percent (#92604)

* fix(status): avoid cumulative usage for context percent

* fix(status): preserve legacy context totals

* fix: reject unvalidated voice media streams

Reject voice media stream start frames when no acceptance validator is configured, preventing fail-open STT/TTS session creation. Verified locally, with autoreview, in a remote Linux dev box, and by green CI.

* test(gateway): wait for trajectory export guidance

(cherry picked from commit 4675423788a0ef48b0c46ed31b199762e1576c81)

* fix(telegram): acknowledge callbacks before sequentialize

Fixes #42156.

Answer Telegram callback queries before per-chat/topic sequentialize can queue the handler behind an active turn, and carry the in-flight answer promise on the grammY context so the normal handler reuses it instead of double-answering.

Proof:
- node scripts/run-vitest.mjs extensions/telegram/src/bot.create-telegram-bot.test.ts -- -t "answers callback queries before same-chat sequentialize delays handlers|sequentializes updates by chat and thread|routes callback_query payloads as messages"
- node scripts/run-vitest.mjs extensions/telegram/src/bot.test.ts extensions/telegram/src/bot-handlers.runtime.test.ts
- node_modules/.bin/oxfmt --check extensions/telegram/src/bot-core.ts extensions/telegram/src/bot-handlers.runtime.ts extensions/telegram/src/callback-query-answer-state.ts extensions/telegram/src/bot.create-telegram-bot.test.ts
- git diff --check origin/main...HEAD
- .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
- Azure Crabbox cbx_cba20c462ad5 / silver-barnacle: OPENCLAW_TESTBOX=1 node scripts/crabbox-wrapper.mjs run --provider azure --class Standard_D4ads_v6 --idle-timeout 90m --ttl 240m --timing-json -- env OPENCLAW_CHECK_CHANGED_REMOTE_CHILD=1 OPENCLAW_CHANGED_LANES_RAW_SYNC=1 corepack pnpm check:changed

Proof gap: live Telegram Desktop/burner-account proof was not run because openclaw-telegram-user-crabbox-proof is not installed in this shell.

* fix(nodes): surface pending reapproval diagnostics (#92547)

* fix(nodes): surface pending reapproval diagnostics

* fix(nodes): harden reapproval diagnostics

* fix(nodes): scope pending diagnostics

* fix(nodes): request pairing diagnostics in cli

* fix(nodes): reuse stored auth for diagnostics

* fix(nodes): preserve selected diagnostics credentials

* fix(nodes): prefer approved diagnostics auth

* fix(nodes): narrow diagnostics fallbacks

* fix(nodes): recover from stale diagnostics auth

* fix(gateway): preserve connect error narrowing

* fix(nodes): isolate privileged diagnostics auth

* fix(nodes): constrain privileged diagnostics auth

* fix(nodes): close diagnostics review gaps

* fix(nodes): guard reapproval cleanup races

* fix(nodes): defer stale pairing cleanup

* fix(nodes): preserve reapproval on hello failure

* test(nodes): await post-handshake reapproval cleanup

* test(nodes): avoid unbound websocket send capture

* fix(nodes): allow local auth-none diagnostics

* fix(nodes): preserve overlapping reapproval

* fix(nodes): preserve pending node metadata

* fix(nodes): keep connection age with status

* fix(nodes): preserve reapproval during reconnect races

* fix(nodes): serialize reapproval cleanup

* fix(nodes): bound reapproval reconnect races

* test(nodes): satisfy cleanup claim lint

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>

* fix(memory): keep skipped recall diagnostics opt-in

Follow-up to #92745 after maintainer autoreview found that the skipped recall event widened the shipped MemoryHostEvent union and changed limited legacy reads.

Keep readMemoryHostEvents() source-compatible by filtering diagnostic records before applying limits, and expose skipped recall diagnostics through the opt-in MemoryHostEventRecord/readMemoryHostEventRecords path.

Original skipped-recall behavior landed in #92745 by @mushuiyu886.

* fix(doctor): avoid false-positive legacy cron store warning when store was already migrated (fixes #92683) (#92690)

* fix(doctor): avoid false-positive legacy cron store warning when store was already migrated

When rawJobs.length > 0 and other issues exist (notifyCount, dreamingStaleCount)
but legacyStoreDetected is false (file already removed after migration), the doctor
unconditionally printed 'Legacy cron job storage detected at ...' — misleading users
into thinking the migration was incomplete.

Fix: conditionally use 'Cron store issues detected' heading when no legacy store file
exists, reserving 'Legacy cron job storage detected' for actual legacy store presence.

Fixes #92683

* test(doctor): add test for false-positive legacy cron store warning (#92683)

* fix(telegram): skip IPv4 fallback when user explicitly configures non-ipv4first dnsResultOrder (fixes #41671) (#92806)

* fix(telegram): skip IPv4 fallback when user configures non-ipv4first dnsResultOrder

When the user explicitly configures channels.telegram.network.dnsResultOrder
to a non-ipv4first value (e.g. verbatim), the sticky IPv4 fallback dispatcher
should not be armed. Forcing autoSelectFamily=false + dnsResultOrder=ipv4first
overrides the user's explicit IPv6-friendly config, causing media downloads to
fail on hosts where IPv4 is broken but IPv6 works.

Fixes #41671

* fix(telegram): respect explicit DNS fallback policy

---------

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* test(gateway): capture trajectory export command events

(cherry picked from commit b656a510468279aacad51515123b960b56a3fa87)

* fix(macos): defer isOverflowing mutation to break SwiftUI render loop (fixes #43480) (#92778)

* fix(macos): defer isOverflowing mutation to break SwiftUI render loop

measuredHeight() mutated model.isOverflowing synchronously during a SwiftUI
view update cycle. The onChange(of: attributed) handler triggered
updateWindowFrame → targetFrame → measuredHeight, which set isOverflowing,
invalidating the view and re-triggering onChange — an infinite render loop
causing 100% CPU pinwheel.

Fix: defer the isOverflowing mutation via DispatchQueue.main.async with an
equality guard to prevent redundant updates. The frame calculation itself
remains synchronous so the window size is correct immediately.

Fixes #43480

* fix(macos): preserve latest overflow measurement

---------

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* fix(gateway): use resolveNonNegativeNumber for totalTokens to display 0 instead of ? (fixes #43009) (#92795)

* fix(gateway): use resolveNonNegativeNumber for totalTokens to display 0 instead of ?

resolvePositiveNumber requires value > 0, filtering out the valid
totalTokens = 0 case (new session, no usage yet). This caused the TUI
to display 'tokens ?/200k' instead of 'tokens 0/200k (0%)'.

Use resolveNonNegativeNumber (>= 0) for the final totalTokens value
used in session display. The needsTranscriptTotalTokens check at line
2041 still correctly uses resolvePositiveNumber to decide whether to
fetch transcript data.

Fixes #43009

* fix(gateway): preserve fresh zero-token sessions

---------

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* fix(gateway): preserve active runs during plugin finalization (#92746)

* fix(gateway): preserve active run during plugin finalization

* fix(ui): skip session.message history reload while gateway reports active run

* fix(ui): remove unused eslint-disable directive

* fix(ui): preserve active runs through finalization

---------

Co-authored-by: scotthuang <scotthuang@tencent.com>
Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* UI: localize Logs tab labels (#92820)

Repair #61080 by routing Logs tab user-facing labels through Control UI locale keys while keeping export filename suffixes stable.

Validation:
- pnpm ui:i18n:check
- pnpm check:changed
- ui/src/ui/views/logs.test.ts
- Codex /review
- GitHub PR checks

Source PR credit: continues @rubensfox20's work from https://github.com/openclaw/openclaw/pull/61080.

Co-authored-by: rubensfox20 <111531429+rubensfox20@users.noreply.github.com>

* test(release): harden trajectory export live check

(cherry picked from commit b2d4cb7f868a7bd3abae1b775a0c26f32ec9a288)

* test(release): accept trajectory command session final

(cherry picked from commit 9458ffa7e8598608e582fd233fccb586ecc7b10b)

* fix(telegram): preserve command callbacks while prefixing generic callback data (#92825)

Fixes #54909.

Repair #54962 by preserving raw slash-command callbacks while routing generic callback data to agents as `callback_data: <value>`.

Validation:
- pnpm check:changed
- pnpm -s vitest run extensions/telegram/src/bot.create-telegram-bot.test.ts
- Codex /review
- Real behavior proof
- GitHub PR checks

Source PR credit: continues @hnshah's work from #54962 and preserves @timt80's report credit from #54909.

Co-authored-by: Hiten Shah <3155200+hnshah@users.noreply.github.com>

* fix: refresh model context metadata safely

Cap configured session context overrides by the selected model's known context window, refresh provider/model metadata consistently, and preserve the fixed Anthropic 1M context contract.

Fixes #39857

Co-authored-by: Kros Dai <7087+xdanger@users.noreply.github.com>

* fix(copilot): strip replayed thinking blocks

Remove replayed thinking and redacted-thinking blocks from GitHub Copilot Claude history and final Anthropic payloads while preserving visible content, tool turns, and non-empty assistant structure.

Fixes #81520
Supersedes #87060 and #81534

Co-authored-by: Gio Della-Libera <giodl73@gmail.com>

* feat(browser): extend --labels overlay to full-page and element captures (#92834)

Summary:
- The replacement PR extends Browser plugin labeled screenshots to honor Playwright full-page/ref/element scope, returns annotation bounding boxes, and updates docs, tests, and skill guidance.
- PR surface: Source +415, Tests +550, Docs +24. Total +989 across 12 files.
- Reproducibility: yes. Current main source shows the labeled Playwright helper ignores fullPage/ref/element and omits annotations, and the source PR supplies live before/after commands for the Browser plugin path.

Automerge notes:
- PR branch already contained follow-up commit before automerge: docs(browser): correct raw-CDP labels caveat in automation skill
- PR branch already contained follow-up commit before automerge: fix(browser): preserve labelsSkipped semantics for off-viewport refs
- PR branch already contained follow-up commit before automerge: docs(browser): scope labels docs by driver
- PR branch already contained follow-up commit before automerge: docs(browser): fix labels annotation indent and document scope fix
- PR branch already contained follow-up commit before automerge: docs(browser): indent annotations box schema under --labels bullet
- PR branch already contained follow-up commit before automerge: docs(browser): indent labels annotation schema

Validation:
- ClawSweeper review passed for head 70aca6c5065ae68bbf1037949e28045f479c0355.
- Required merge gates passed before the squash merge.

Prepared head SHA: 70aca6c5065ae68bbf1037949e28045f479c0355
Review: https://github.com/openclaw/openclaw/pull/92834#issuecomment-4700431344

Co-authored-by: FMLS <kfliuyang@gmail.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Mason Huang <masonxhuang@tencent.com>
Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
Co-authored-by: clawsweeper[bot] <274271284+clawsweeper[bot]@users.noreply.github.com>
Approved-by: hxy91819
Co-authored-by: hxy91819 <8814856+hxy91819@users.noreply.github.com>

* fix(discord): raise thread title timeout and tokens

Source PR: https://github.com/openclaw/openclaw/pull/64734

Co-authored-by: Hana Chang <741302+hanamizuki@users.noreply.github.com>

* fix(whatsapp): require durable auth before login success (#92095)

* fix(stale): exempt ClawSweeper actionable labels from stale lifecycle (#92801)

Add clawsweeper:queueable-fix, clawsweeper:source-repro, and
clawsweeper:fix-shape-clear to exempt-issue-labels in all 4 stale
workflow steps and the backfill-closures script's issueExemptLabels
set.

Previously, issues classified by ClawSweeper as actionable fix
candidates could still be marked stale and auto-closed, creating
a conflict between the two automation systems (e.g. #78640,
#81078, #81122 had both 'stale' and 'clawsweeper:queueable-fix').

Fixes #89564

* fix(status): render sub-1000 token counts as plain integers (#89736)

* fix(status): render sub-1000 token counts as plain integers

formatKTokens always divided by 1000 and appended "k", so token counts
below 1000 rendered as misleading fractional k in `openclaw status`
output (e.g. 999 rounded up across the boundary to "1.0k", 420 -> "0.4k",
a 300-token cache write -> "write 0.3k").

Guard value < 1000 to render the plain rounded integer, matching the
canonical formatTokenCount convention (src/utils/usage-format.ts). The
>=1000 "k" behavior is unchanged. Adds focused regression tests for the
0/420/999/1000/12000 boundary and small-session/small-cache status lines.

Fixes #89735

* fix(status): reuse canonical token formatter

* refactor(status): extract lightweight token formatter

---------

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* fix(agents): catch malformed image blocks in sanitizeContentBlocksImages (#92792)

* fix(agents): catch malformed image blocks in sanitizeContentBlocksImages

* fix(agents): sanitize malformed-only image results

---------

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* ci: gate stable releases on Windows companion assets (#92555)

* ci: gate stable releases on Windows companion assets

* fix(release): reject malformed Windows checksum manifests

* fix(release): make Windows recovery fail closed

* fix(release): tighten Windows asset identity checks

* fix(release): validate prepared candidate tarballs

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>

* fix(agents): add usage guidance to sessions_spawn tool description (fixes #91814) (#91824)

* fix(agents): add usage guidance to sessions_spawn tool description (fixes #91814)

* fix(agents): tighten sessions spawn guidance

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(feishu): await HTTP server shutdown during monitor cleanup

Source PR: https://github.com/openclaw/openclaw/pull/48588

Co-authored-by: alex sagit <267811734+alex-xuweilong@users.noreply.github.com>

* feat: add tool search directory mode

Add an experimental directory mode that keeps large authorized tool schemas deferred while exposing bounded discovery, exact deferred hydration, and normal OpenClaw policy/hook execution. Client tools remain directly visible; ambiguous hidden names fail closed.

* fix(qqbot): surface failed media sends (#92823)

* fix(qqbot): surface media send failures

* test(qqbot): cover text send failures

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(tailscale): preserve parse errors for malformed JSON

Accept the fail-closed behavior for malformed `tailscale funnel status --json`: noisy valid JSON should parse, but malformed status output should not silently become “route absent”.

Source PR: https://github.com/openclaw/openclaw/pull/63321

Co-authored-by: Francisco Maestre Torreblanca <2027043+franciscomaestre@users.noreply.github.com>

* Add diagnostics OTEL capability contract tests (#92045)

* fix(acp): accept MCP date protocolVersion in ACP server

Repairs https://github.com/openclaw/openclaw/pull/56176.
Fixes https://github.com/openclaw/openclaw/issues/56102.

Co-authored-by: Saurabh Mishra <2924124+bugkill3r@users.noreply.github.com>

* fix(hooks): reject slug-generator error payloads

Repairs https://github.com/openclaw/openclaw/pull/64181.

Co-authored-by: Cypher <28184436+Cypherm@users.noreply.github.com>

* fix(ui): repair iOS Safari chat viewport handling

Repairs https://github.com/openclaw/openclaw/pull/63644.

Review proof: local structured autoreview on branch review/pr-92855 against origin/main exited clean with no accepted/actionable findings.

Co-authored-by: Xi Qi <1311124+macdao@users.noreply.github.com>

* fix(update): continue after package doctor warnings (#91586)

* fix(update): continue after package doctor warnings

* fix(update): type advisory step rendering

* fix(update): preserve advisory doctor step state

* fix(update): share advisory doctor state

* fix(update): keep timed-out doctor failures blocking

* fix(update): require explicit doctor advisory result

* fix(update): reject malformed doctor advisory results

* fix(update): bound doctor advisory diagnostics

* fix(update): keep doctor advisory restart-neutral

* fix(update): protect doctor advisory IPC

* fix(update): scope doctor advisories to converging updater

* fix(update): scope doctor advisories to deferred repairs

* fix(update): secure doctor advisory IPC

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>

* fix(feishu): target typing reaction on inbound message

Target Feishu Typing reactions at the inbound message id while preserving reply and thread routing to the topic root.

This keeps the fallback to replyToMessageId for flows without a separate inbound target, and adds regression coverage for topic/replyInThread behavior and synthetic Feishu turn sources.

Based on and credits #67783 by @huiwen01. This replacement branch carries the same user-visible fix forward because #67783 is dirty against main and earlier automation could not update the fork branch with available permissions. This intentionally does not reuse or expand #73958; root_id routing remains separate.

Validation:
- pnpm check:changed
- pnpm -s vitest run extensions/feishu/src/bot.test.ts extensions/feishu/src/reply-dispatcher.test.ts extensions/feishu/src/monitor.reaction.test.ts
- autoreview clean: no accepted/actionable findings
- GitHub checks: 127 pass, 0 fail, 0 pending

Co-authored-by: huiwen01 <89329207+huiwen01@users.noreply.github.com>

* fix(lobster): surface workflow path errors

Surface missing bare Lobster workflow file paths instead of silently falling through to inline pipeline parsing.

The runner now treats plain workflow file inputs as file paths, keeps inline commands with file-like arguments as pipelines, and preserves existing workflow file paths that contain spaces. Regression coverage covers missing bare workflow paths, inline false positives, and spaced workflow filenames.

Fixes #68101.

Based on and credits #68106 by @vvitovec. This replacement branch carries the focused fix forward because #68106 is dirty against current main and could not be repaired on the fork branch with available bot permissions.

Validation:
- node scripts/run-vitest.mjs extensions/lobster/src/lobster-runner.test.ts
- autoreview clean: no accepted/actionable findings after the spaced-path fix
- GitHub checks: 127 pass, 0 fail, 0 pending

Co-authored-by: Viktor Vítovec <230458341+vvitovec@users.noreply.github.com>

* fix(cli): clarify --tz help text for offset-less --at values

Clarifies cron edit --at help after maintainer rebase and preserves the Gateway-host timezone wording for cron --tz help.

Validation:
- git diff --check
- node scripts/run-vitest.mjs src/cli/cron-cli.test.ts
- local Codex autoreview clean, no actionable findings

Co-authored-by: rrrrrredy <rrrrrredy@users.noreply.github.com>

* fix(agents): preserve valid reasoning replay metadata (#90682)

Preserve validated provider reasoning ciphertext, signatures, and replay identifiers through transcript redaction without exempting malformed, nested, or credential-shaped values.

Fixes #90093.

Co-authored-by: Elfka Toruviel <aeb31988340aa87b@toruviel.online>

* fix(anthropic): omit stale thinking from disabled requests (#92373)

Preserve signed thinking for active Anthropic tool-result continuation while omitting native thinking from completed history when the new request disables or omits thinking. Applies the same replay rule to the legacy SDK provider and managed Anthropic transport. Fixes #92360.

* docs(crabbox): warm Testbox in parallel

* fix(anthropic): merge consecutive assistant replay turns (#87346)

Merge adjacent Anthropic assistant turns before dangling tool-use validation so signed tool calls remain immediately paired with their tool results. Preserve contributor credit. Fixes #87329.

* fix(anthropic): quarantine invalid direct tool schemas (#92896)

Quarantine unreadable and structurally invalid direct/custom Anthropic tool schemas in both canonical request builders while preserving healthy siblings, forced-choice semantics, OAuth name mapping, and official OpenAI behavior.

Supersedes #89418, #89221, #90228, #89622, #89229, and #90278.

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(active-memory): preserve verbose recall summaries (#90739)

* fix(active-memory): preserve verbose recall summaries

* fix(active-memory): require recall evidence for recovery

* fix(active-memory): recognize capped recall results

* fix(active-memory): preserve grounded recall state

* refactor(active-memory): limit recovery to completed recalls

* fix(active-memory): ground terminal recall recovery

* fix(active-memory): limit unavailable recovery to completed replies

* fix(active-memory): harden recall evidence recovery

* fix(active-memory): preserve timeout recovery contract

* fix(active-memory): preserve capped failure evidence

* fix(active-memory): reject content-only recall failures

* fix(active-memory): ground completed recall summaries

* fix(active-memory): separate hook and recall timeouts

* fix(active-memory): classify custom tool failures

* fix(active-memory): preserve harness tool evidence

* fix(active-memory): reject explicit empty results

* fix(active-memory): wait for fallback recall evidence

* fix(codex): report dynamic tool results

* fix(active-memory): separate preflight recall deadline

* fix(active-memory): normalize recall tool names

* fix(agents): classify unavailable approvals

* docs(active-memory): clarify hook timeout phases

* test(active-memory): stabilize timeout abort proof

* fix(agents): preserve successful cancellation outcomes

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>

* fix(gateway): deliver command block replies in webchat

(cherry picked from commit 33390ee88f5c8325efc60d1793c532a9489a5a72)

* docs(changelog): refresh 2026.6.8 notes

(cherry picked from commit 0b5cb00980c68a39b8fb1d77f6c04e9733bcbb09)

* fix(gateway): preserve slash command media replies

* Simplify QA scorecard mapping shape (#92558)

* test(qa): simplify scorecard mapping shape

* test(qa): use typed scorecard evidence refs

* test(qa): map scorecard categories by coverage id

* feat: align qa coverage with taxonomy features

* refactor: keep qa coverage ids canonical

* refactor: minimize qa coverage id churn

* test: align qa coverage id assertions

* test: update qa evidence coverage expectations

* refactor qa taxonomy coverage ids

* style qa taxonomy coverage ids

* test qa coverage lint fix

* test qa coverage type fix

* fix(memory-wiki): stop flagging raw source pages as malformed (#92876)

* fix(memory-wiki): stop flagging raw source pages as malformed

* fix(clownfish): address review for gitcrawl-11828-autonomous-smoke (1)

* fix(memory-wiki): skip freshness lint for raw source pages

* fix(memory-wiki): keep raw source ids linted

---------

Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com>
Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* fix(providers): quarantine unreadable Anthropic payload tools (#92908)

Quarantine unreadable and invalid Anthropic-family tool schemas before OpenAI-compatible serialization, keep tool choices aligned with surviving tools, and preserve provider metadata.

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(memory): preserve reindex rollback recovery (#92881)

* fix(memory): preserve reindex rollback recovery

Co-authored-by: Shiwen Han <46259514+TSHOGX@users.noreply.github.com>

* fix(clownfish): address review for gitcrawl-5644-autonomous-smoke (1)

Co-authored-by: Shiwen Han <46259514+TSHOGX@users.noreply.github.com>

* test: update memory reindex test routing expectation

* chore(memory): remove release changelog entry

* fix(memory): complete reindex retry recovery

---------

Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com>
Co-authored-by: Shiwen Han <46259514+TSHOGX@users.noreply.github.com>
Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* test(agents): skip anthropic billing drift in live tool checks

* test(qa): align tool coverage CLI expectation

* test(gateway): keep trajectory export live proof correlated

* fix(openai): quarantine unreadable tool schemas (#92921)

Snapshot unreadable OpenAI tool descriptors and schemas before payload construction, preserve healthy siblings, and reconcile hard tool choices with the surviving function inventory.

Adds live-tested Responses and Chat Completions coverage, including allowed_tools, while keeping Anthropic regressions green.

Related: #89413, #89013, #89016, #89378, #89543, #90200, #90283, #90286, #90397

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* Fold Telegram RTT sampling into live QA evidence (#92550)

* refactor(qa): fold telegram rtt into live evidence

* test: default package telegram rtt samples

* refactor(qa-lab): fold telegram rtt into live evidence

* fix(qa-lab): keep package telegram rtt optional for focused runs

* fix(qa-lab): avoid stale rtt evidence on failed samples

* fix(qa-lab): pass telegram live env into credential leasing

* fix(qa-lab): update telegram canary remediation artifacts

* docs(qa): remove stale telegram observed artifact guidance

* fix(qa-lab): clarify telegram empty-reply remediation

* fix(qa-lab): honor telegram rtt timeout

* ci(qa): drop stale telegram capture env

* refactor: align telegram evidence coverage fields

* fix: ignore stale telegram observed artifacts

* fix: preserve telegram rtt coverage mapping

* fix: omit unused telegram rtt catch binding

* docs: document telegram rtt check selector

* test(gateway): allow trajectory export instruction latency

* fix(media): route OAuth image defaults through Codex (#92824)

Route implicit OpenAI image understanding through the Codex app-server for eligible OpenAI OAuth profiles. Preserve scoped and persisted credential ownership plus the rotating-token refresh lifecycle for isolated clients.

Fixes #87168

Thanks @bek91.

* fix(cli): avoid false downgrade prompt for latest tag

Keep unresolved latest package targets moving while preserving downgrade confirmation for unresolved non-latest dist-tags.

Validation:

- node scripts/run-vitest.mjs src/cli/update-cli.test.ts

- node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.test.src.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/test-src-pr92911.tsbuildinfo

- git diff --check origin/main...HEAD && git diff --check

Direct-landed from #92911 because the source branch has maintainer edits disabled and ClawSweeper requested changelog removal plus behavior proof.

Co-authored-by: Andy Wu <31586206+Andy312432@users.noreply.github.com>

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* fix(openai): guard post-hook tool payloads (#92928)

Guard OpenAI post-hook tool inspection and code-mode filtering against unreadable accessors and asynchronous payload replacements. Preserve valid official `exec` and `wait` function tools across Responses and Chat Completions paths.

Supersedes #89703.

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(sessions): restore reset archive fallback reads

Fall back to valid reset transcript archives when active async session transcripts are missing, while keeping active transcript priority and choosing the newest valid archive across roots.

Validation:

- node scripts/run-vitest.mjs src/gateway/session-utils.fs.test.ts src/gateway/sessions-history-http.test.ts src/gateway/sessions-history-http.revocation.test.ts src/gateway/session-history-state.test.ts src/gateway/server.chat.gateway-server-chat-b.test.ts src/gateway/managed-image-attachments.test.ts src/agents/tools/embedded-gateway-stub.test.ts src/tui/embedded-backend.test.ts

- node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.test.src.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/test-src-pr92879.tsbuildinfo

- git diff --check origin/main...HEAD && git diff --check

- autoreview --mode branch --base origin/main: clean

Direct-landed from #92879 because the source branch has maintainer edits disabled and the landed diff needed maintainer repair before merge.

Co-authored-by: Masato Hoshino <246810661+masatohoshino@users.noreply.github.com>

Co-authored-by: Hu Yitao <39733381+CadanHu@users.noreply.github.com>

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* fix(feishu): re-resolve route when dynamic agent binding already exists in runtime config (fixes #42837) (#92814)

* fix(feishu): re-resolve route when dynamic agent binding already exists in runtime config

When dynamicAgentCreation is enabled and a binding was previously written
to the config file (e.g. from a prior message), the in-memory cfg may be
stale and not contain the binding. Previously, maybeCreateDynamicAgent
returned { created: false, updatedCfg: cfg } with the stale cfg, and
bot.ts only re-resolved the route when created === true. This caused
subsequent messages to still route to agent:main.

Fix: check runtime.config.current() for the binding when it is missing
from the in-memory cfg. When found, return the runtime's current config
so the caller can re-resolve the route with up-to-date bindings.

Fixes #42837

* fix(feishu): serialize dynamic agent config updates

* fix(feishu): route with refreshed runtime config

* fix(feishu): use current dynamic-agent policy

* fix(feishu): reauthorize refreshed dynamic routes

* fix(feishu): authorize dynamic agent mutations

* fix(feishu): complete account-scoped dynamic routing

* fix(feishu): revalidate current direct routes

* fix(feishu): isolate named-account dynamic agents

* fix(feishu): bound named dynamic agent ids

* docs(feishu): explain legacy dynamic agent cap

* test(feishu): fix dynamic routing check types

---------

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* fix(release): harden beta validation gates

(cherry picked from commit 91eeda0d708c2d8dac7c09c259b7cf390193f83f)

* test(release): unblock beta validation checks

* fix: restart gateway after isolated cron setup timeout

Restart the gateway after isolated cron setup timeouts and harden stale cron-task finalization around restart/reload boundaries.

Verification: focused cron/tasks/CLI regression suites, gateway filesystem/session regression suite, test typecheck, core lint shards, git diff --check, autoreview, Blacksmith Testbox changed gate tbx_01kv2srgbex71w9ce5rwv2wtr4, and clean GitHub PR checks on 13d06b5d6f9be057510942314b133316aff0d7cc.

* fix(openai): omit gpt-5.5 tool reasoning effort (#90574)

Fix GPT-5.5 Chat Completions tool requests by omitting the incompatible reasoning effort only on verified OpenAI and Azure routes. Preserve no-tool requests and nonblank custom OpenAI-compatible providers; add official regional endpoint metadata plus OpenAI and Anthropic live regression proof.

Co-authored-by: Thomas Krohnfuß <thomas.krohnfuss@stud.th-luebeck.de>

* test(gateway): isolate trajectory export live seed turn

* test(installer): stabilize npm prefix probe test

* fix(openai): recover invalid reasoning signatures (#92941)

* test(gateway): authorize trajectory export live command

* fix(agents): clamp subagent spawn thinking overrides

Fixes #92412.

Subagent spawns that request an unsupported explicit thinking level now clamp through the existing provider/model thinking fallback instead of hard-failing after the orchestrator has already received an accepted ack. The exception is limited to trusted subagent spawn runs by requiring both the subagent lane and a subagent-shaped session key, so interactive and non-subagent explicit `--thinking` validation still fails loudly.

Verification:
- `node scripts/run-vitest.mjs src/agents/agent-command.live-model-switch.test.ts --maxWorkers=1`
- `.agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main`
- Testbox-through-Crabbox `tbx_01kv2wt0nqavsmnvzzzy2antrc`: `OPENCLAW_CHECK_CHANGED_REMOTE_CHILD=1 OPENCLAW_CHANGED_LANES_RAW_SYNC=1 corepack pnpm check:changed`
- GitHub PR checks clean on `c71186863337d9dfb9a18e5349ebef634a7d5ccd`

* test(openai): extend live STT fixture timeout

* fix(subagents): preserve config-selected child model overrides

* fix(subagents): handle configured bare model provenance

* fix(gateway): degrade config watcher to polling

Fixes #92851.

When native filesystem watching exhausts its retry budget, the gateway config reloader now falls back to polling instead of disabling hot reload for the rest of the process. The watcher state tracks the effective Chokidar polling mode, including CHOKIDAR_USEPOLLING overrides, so forced polling avoids a redundant native phase and forced native mode reports an accurate native-mode disable.

Verification:
- node scripts/run-vitest.mjs src/gateway/config-reload.test.ts --maxWorkers=1
- .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
- Testbox-through-Crabbox tbx_01kv2xvbqkv4dmvvvsswzm75hz: OPENCLAW_CHECK_CHANGED_REMOTE_CHILD=1 OPENCLAW_CHANGED_LANES_RAW_SYNC=1 corepack pnpm check:changed
- GitHub PR checks clean on c9762c5159a2ef75aa23d2af2a5435d0d8bf6b63

* fix(gateway): build row metadata for single session lists

Refs #92057.

Build the request-scoped row metadata context for every non-empty sessions.list result, including limit=1, so single-row lists use the shared subagent metadata read index instead of direct per-row registry snapshot lookups. This keeps the existing single-row store child-session candidate optimization intact while removing the single-row metadata-cache gap.

Verification:
- node scripts/run-vitest.mjs src/gateway/session-utils.single-row-cache.test.ts --maxWorkers=1
- .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
- Crabbox run_f89b56ffea83 / cbx_f1b1f5013225: OPENCLAW_CHECK_CHANGED_REMOTE_CHILD=1 OPENCLAW_CHANGED_LANES_RAW_SYNC=1 corepack pnpm check:changed
- GitHub PR checks clean on 1ba6619f2ee6491c40b49dd425597bb1b50638ca

* fix(memory-wiki): tolerate artifacts without agent ids

Fixes #92207.

Normalize public memory artifacts at the memory host boundary so providers that omit agentIds produce an empty list instead of throwing during artifact cloning, sorting, or memory-wiki bridge import. The bridge now renders those artifacts with unknown agents while downstream consumers still receive stable array-shaped metadata.

Verification:
- node scripts/run-vitest.mjs src/plugins/memory-state.test.ts extensions/memory-wiki/src/bridge.test.ts --maxWorkers=1
- .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
- Crabbox run_2a30de5d0a00 / cbx_3684cb0b7ea5: OPENCLAW_CHECK_CHANGED_REMOTE_CHILD=1 OPENCLAW_CHANGED_LANES_RAW_SYNC=1 corepack pnpm check:changed
- GitHub PR checks clean on 19678ed60f79778f407700dc35f675cde0357054

* test(gateway): unblock trajectory export live release gate

* fix(lmstudio): honor thinking off for binary reasoning models (#92002)

Scope disabled-thinking payload repair to LM Studio's lightweight provider stream hook. Preserve official OpenAI and Anthropic tool-calling paths.

Co-authored-by: David <32288+nxmxbbd@users.noreply.github.com>

* fix(auto-reply): deliver channel message-tool final replies

Clarify that interim assistant text remains visible under message_tool_only delivery while the final answer must use the message tool, and forward progress for channel message-tool turns once the message tool has delivered the final reply.

Co-authored-by: Forge <forge@psiclawops.dev>

Co-authored-by: Chisel <chisel@psiclawops.dev>

* fix(auto-reply): align message-tool progress gating

* test(auto-reply): assert allowed suppressed progress gating

* test(auto-reply): trim duplicate progress assertion

* fix(auto-reply): share message-tool delivery hints

* fix(plugin-sdk): expose delivery hints without utility imports

* fix(auto-reply): strip delivery hints from leading metadata

* fix(release): preserve child release check refs

* fix(agents): recover genericized Anthropic thinking errors (#92916)

Recover invalid Anthropic thinking replays when provider details survive genericization in SDK, failover, cause-chain, or terminal stream error fields.

The recovery matcher now uses cycle-safe named error carriers, avoids scanning assistant content and tool arguments, and retains one retry per provider call. Focused regressions cover each carrier, cyclic causes, terminal errors, and false-positive payload text.

Addresses the recovery path in #92201. The separate root cause that creates or persists invalid signatures remains open for investigation.

Co-authored-by: wlzeng0668001202 <ceng.wenlong@xydigit.com>

* refactor: add session accessor seam with gateway consumer (#90463)

Merged via squash.

Prepared head SHA: 58aa59eaf8059c31a2a70f859eeb96ee35e5beb2
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman

* fix(webchat): route trajectory slash export before agent dispatch

* fix(ci): skip session accessor guard for older targets

* fix(agents): drop incomplete reasoning replay turns (#88656)

Drop assistant replay turns that ended at the token limit with only incomplete hidden reasoning while preserving visible text, tool calls, empty turns, and unknown content shapes. Apply the same classification to embedded replay and public transport transforms, with focused regression, live OpenAI/Anthropic provider proof, docs, autoreview, Testbox, and green CI.

Co-authored-by: clawstation <abel@stationzero.ai>

* fix(gateway): async trajectory export approvals

* feat(webui): add session workspace rail (#92856)

* feat(webui): add session workspace rail

* fix(webui): address session workspace review

* fix(webui): secure session workspace previews

* fix(webui): handle nested session workspace paths

* fix(webui): update session file protocol models

* fix(webui): clear session rail lint

* docs(browser-control): document OPENCLAW_EAGER_BROWSER_CONTROL_SERVER requirement (#92845)

The standalone loopback HTTP API only starts when
OPENCLAW_EAGER_BROWSER_CONTROL_SERVER=1 is set in the gateway
service environment. Without it, browser control works via CLI and
agent tools but nothing listens on the loopback control port.

Fixes #92841

* fix: use passive periodic sqlite wal checkpoints

Use PASSIVE for periodic SQLite WAL checkpoints while keeping explicit checkpoint() and close() on TRUNCATE by default.

Preserve the old interval export as a compatibility alias, add the neutral interval export, and update the task storage docs contract.

Fixes #81715.

* fix(google): route Gemini CLI OAuth through the env proxy (#46184) (#92815)

* fix(mattermost): merge progress preview lines by identity (#91331)

* fix(mattermost): merge progress preview lines by identity

* fix(mattermost): preserve progress across assistant boundaries

* fix(mattermost): compose reasoning with progress previews

* fix(channels): reset reasoning progress at block boundaries

* fix(channels): align tool progress line identities

* fix(channels): keep tool call identity mapping injective

---------

Co-authored-by: leon <leon@gmail.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(tui): keep spinner active when toggling tools (#92909)

* fix(tui): keep spinner active when toggling tools

* fix(tui): preserve finishing status when toggling tools

---------

Co-authored-by: zengwen <zeng_wen@foxmail.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(elevenlabs): use current TTS model ids (#92904)

* fix(elevenlabs): use current TTS model ids

* fix(elevenlabs): preserve served legacy model choices

---------

Co-authored-by: Ariel Bravy <ariel@vortexradar.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(gateway): run export helpers through cli entry

* fix #86872: Subagent run reports success but fails to write output file (#92642)

* fix(codex): wait for native subagent completion

Codex native subagent lifecycle status is only a progress signal; the task row should not report success until the transcript or native completion result is available.

* fix(codex): preserve later native subagent failures

* test(codex): freeze authoritative subagent results

* fix(codex): preserve remote V1 completion fallback

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(gateway): track effective watcher polling mode

* test(gateway): allow optional trajectory metadata bundle

* test(gateway): expect trajectory session branch bundle

* refactor: route command session reads through seam (#89122)

Merged via squash.

Prepared head SHA: 73218cc7cd336c7389785960364aed4049a1affd
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman

* fix(reply): deliver final reply when queued follow-up claims session; scope dedupe to routed thread (#90943)

* fix(reply): deliver final reply when queued follow-up claims session; scope dedupe to routed thread

Two core bugs caused composed replies to be silently dropped (no delivery,
no error) when a second message arrived in the same thread mid-run:

1. dispatch-from-config: ensureDispatchReplyOperation only kept the
   dispatch-owned operation authoritative while it had no result. Once
   runReplyAgent completed the operation to drain queued follow-ups, a
   second same-thread inbound could claim the session and the first final
   reply would try to re-acquire the lane instead of finishing delivery,
   deadlocking behind the queued work. Keep the dispatch-owned operation
   authoritative through final delivery.

2. reply-payloads-dedupe: messaging-tool reply dedupe compared only the
   channel target, not the routed thread, so a send in one thread could
   suppress a later reply in a different thread. Thread the routed thread
   id through buildReplyPayloads + follow-up delivery and only fall back to
   channel-only matching for providers without a thread-aware suppression
   matcher when neither side carries thread evidence.

Adds regression tests; existing Telegram topic-suppression behavior is
preserved by gating the thread guard to providers lacking a plugin matcher.

* fix(reply): preserve threaded message delivery evidence

* fix(reply): dedupe final payloads by delivery route

* fix(slack): preserve native send thread evidence

* fix(reply): preserve explicit reply thread evidence

* fix(reply): align explicit reply route dedupe

* fix(reply): preserve delivery lane through final dispatch

* fix(mattermost): preserve threaded tool send routes

* chore(plugin-sdk): refresh API baseline

* fix(reply): align final delivery route dedupe

* fix(reply): gate followups on final delivery

* fix(reply): keep send receipts private

* fix(reply): infer implicit message provider

* fix(reply): align routed threading policy

* fix(reply): preserve queued delivery context

* fix(reply): hydrate queued system event routes

* fix(reply): hydrate queued execution routes

* fix(reply): scope final delivery barriers

* fix(slack): preserve DM target aliases

* fix(reply): mirror resolved source thread routes

* fix(mattermost): retain delayed delivery barrier

* fix(codex): separate message routing from tool policy

* fix(reply): consume normalized Slack DM targets once

* fix(slack): remove stale target alias

* style(reply): satisfy changed lint gates

* fix(mattermost): preserve explicit reply targets

* test: align Slack reply branch checks

* fix(reply): persist overflow summaries to admitted session

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>

* fix(skills): keep managed prompt paths readable (#92894)

* fix(skills): keep managed prompt paths readable

* fix(skills): preserve only managed skill prompt paths

* chore: refresh proof gate

* fix(skills): refresh managed prompt snapshots

* fix(skills): preserve plugin prompt paths in state roots

* test(skills): use generic state-root path names

Signed-off-by: sallyom <somalley@redhat.com>

---------

Signed-off-by: sallyom <somalley@redhat.com>
Co-authored-by: sallyom <somalley@redhat.com>

* test(gateway): retry chat temp cleanup

* fix: refresh slash command routing config (#39617)

Use the active runtime snapshot for Discord and Slack native command routing and Discord autocomplete after config hot writes.

Fixes #39605

Co-authored-by: Peter Steinberger <steipete@gmail.com>

* fix(agents): retry thinking-only errored turns (#92191)

Retry replay-safe reasoning-only provider errors before assistant failover while preserving classified fallback and terminal-output ownership. Adds deterministic Anthropic gateway fault-injection coverage and focused regression tests.\n\nCo-authored-by: ai-hpc <mail.speedy.hpc@hotmail.com>

* fix(memory): clean stale reindex temp files (#92891)

* fix(memory): clean stale reindex temp files

* fix(memory): harden stale reindex cleanup

* fix(memory): serialize safe reindex cleanup

* fix(memory): satisfy reindex lock lint

---------

Co-authored-by: zengwen <zeng_wen@foxmail.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* feat(openrouter): surface Fusion panel config (#93005)

Signed-off-by: sallyom <somalley@redhat.com>

* fix(state): harden sqlite path caching

Resolve explicit relative SQLite DB paths before caching handles and centralize durable SQLite connection pragmas so busy_timeout is applied before WAL/NFS negotiation.

* fix(gateway): repair usage cost aggregation across agents (#93022)

* fix(gateway): aggregate usage co…
wangmiao0668000666 pushed a commit to wangmiao0668000666/openclaw that referenced this pull request Jun 17, 2026
…0463)

Merged via squash.

Prepared head SHA: 58aa59e
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman
badgerbees pushed a commit to badgerbees/openclaw that referenced this pull request Jul 8, 2026
…0463)

Merged via squash.

Prepared head SHA: 58aa59e
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gateway Gateway runtime maintainer Maintainer-authored PR merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. merge-risk: 🚨 session-state 🚨 May lose, corrupt, stale, or mis-associate session, agent, or context state. P2 Normal backlog priority with limited blast radius. proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. scripts Repository scripts size: XL status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant