Skip to content

fix: block rustup toolchain env overrides [AI]#91615

Merged
pgondhi987 merged 9 commits into
openclaw:mainfrom
pgondhi987:fix/fix-731
Jun 9, 2026
Merged

fix: block rustup toolchain env overrides [AI]#91615
pgondhi987 merged 9 commits into
openclaw:mainfrom
pgondhi987:fix/fix-731

Conversation

@pgondhi987

@pgondhi987 pgondhi987 commented Jun 9, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

  • Blocks request-scoped Rustup environment overrides in the host exec sanitizer policy: RUSTUP_HOME, RUSTUP_TOOLCHAIN, RUSTUP_DIST_ROOT, RUSTUP_DIST_SERVER, and RUSTUP_UPDATE_ROOT.
  • Preserves trusted inherited operator Rustup environment values for custom local toolchains and mirrors.
  • Regenerates the macOS host-env policy mirror and updates reported-baseline/test coverage.

Verification

  • node scripts/run-vitest.mjs test/scripts/run-opengrep.test.ts src/infra/host-env-security.test.ts src/infra/host-env-security.reported-baseline.test.ts src/infra/host-env-security.policy-parity.test.ts
  • pnpm check:host-env-policy:swift
  • GHSA dry-run: passed on head a4d2b51c91be6a40a927cb3e7479433c301a820c
  • GHSA real gate: passed before cleanup/rebase; dry-run revalidated the current head
  • GitHub PR CI: pending/settling on head a4d2b51c91be6a40a927cb3e7479433c301a820c

@openclaw-barnacle openclaw-barnacle Bot added app: macos App: macos size: XS maintainer Maintainer-authored PR labels Jun 9, 2026
@clawsweeper

clawsweeper Bot commented Jun 9, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Codex review: needs maintainer review before merge. Reviewed June 9, 2026, 10:32 AM ET / 14:32 UTC.

Summary
The PR adds five Rustup environment keys to request-scoped host-env override blocking while preserving inherited operator Rustup values, then refreshes the macOS generated policy mirror and sanitizer tests.

PR surface: Source +15, Tests +39, Generated +5. Total +59 across 5 files.

Reproducibility: yes. from source, although not executed locally in this read-only review. Current main omits the Rustup keys from the shared override policy, and the host-exec/system.run call paths reject only keys found by that policy.

Review metrics: 1 noteworthy metric.

  • Rustup Env Policy Surface: 5 override-only keys added, 5 inherited allowlist entries added. This is the compatibility-sensitive part of the PR: request Rustup overrides are newly blocked while trusted inherited operator values remain allowed.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • none.

Risk before merge

  • [P1] Existing host-exec or system.run callers that deliberately pass RUSTUP_HOME, RUSTUP_TOOLCHAIN, or Rustup mirror roots per request will now receive an env-override rejection; inherited operator Rustup env remains supported.
  • [P1] The PR changes a host-exec security and compatibility boundary and has a protected maintainer label, so final merge needs explicit maintainer sign-off.

Maintainer options:

  1. Approve The Central Denylist (recommended)
    Accept the compatibility tradeoff because the patch blocks request-scoped Rustup pivots in the shared policy while preserving inherited operator Rustup settings across TS and macOS paths.
  2. Pause For Explicit Rustup Override Support
    If per-request Rustup toolchain or mirror selection must remain supported, pause this branch and require a narrower approved mechanism instead of the unconditional override block.

Next step before merge

  • Human maintainer review is the next action because the patch has no discrete contributor-facing blocker but intentionally changes a host-exec security/compatibility boundary and carries a protected maintainer label.

Security
Cleared: The diff strengthens host-exec env sanitization and does not add dependencies, workflow permissions, package-resolution changes, or new secret handling; compatibility risk is tracked separately.

Review details

Best possible solution:

Have a maintainer approve and merge the central policy change if they accept blocking request-scoped Rustup overrides; otherwise define an explicit supported Rustup selection path before changing the default boundary.

Do we have a high-confidence way to reproduce the issue?

Yes from source, although not executed locally in this read-only review. Current main omits the Rustup keys from the shared override policy, and the host-exec/system.run call paths reject only keys found by that policy.

Is this the best way to solve the issue?

Yes, subject to maintainer approval of the compatibility tradeoff. The shared host-env policy is the narrowest maintainable layer because both TypeScript and macOS sanitizer paths consume it, avoiding duplicated call-site checks.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 9f413acc183d.

Label changes

Label changes:

  • remove merge-risk: 🚨 automation: Current PR review merge-risk labels are merge-risk: 🚨 compatibility.

Label justifications:

  • P2: This is normal-priority host-exec security hardening with bounded but real compatibility impact.
  • merge-risk: 🚨 compatibility: Merging can reject existing request-scoped Rustup env overrides that previously reached host exec and system.run.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The contributor supplied structured after-fix proof with exact focused commands, GHSA dry-run and real-gate results, and the observed Rustup override rejection outcome; no external Rustup download was tested.
  • proof: sufficient: Contributor real behavior proof is sufficient. The contributor supplied structured after-fix proof with exact focused commands, GHSA dry-run and real-gate results, and the observed Rustup override rejection outcome; no external Rustup download was tested.
Evidence reviewed

PR surface:

Source +15, Tests +39, Generated +5. Total +59 across 5 files.

View PR surface stats
Area Files Added Removed Net
Source 2 16 1 +15
Tests 2 40 1 +39
Docs 0 0 0 0
Config 0 0 0 0
Generated 1 5 0 +5
Other 0 0 0 0
Total 5 61 2 +59

What I checked:

Likely related people:

  • pgondhi987: Recent merged work expanded the unsafe host-env denylist and earlier host-env policy Rust/Cargo denylist coverage; the author also appears in current-main history for this exact policy surface. (role: recent area contributor; confidence: high; commits: 9f413acc183d, 2d126fc62343, 23ab290a7146; files: src/infra/host-env-security-policy.json, src/infra/host-env-security.test.ts, apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift)
  • steipete: History shows Peter Steinberger centralized the host-env policy and worked on system.run env override security behavior that consumes this policy. (role: feature introducer and adjacent owner; confidence: high; commits: f202e73077a2, e27bbe498243, e80c803fa887; files: src/infra/host-env-security.ts, src/infra/host-env-security-policy.js, src/node-host/invoke.ts)
  • vincentkoc: Recent merged commits touched risky/proxy env override blocking, Python/UV env policy, and macOS host-env policy regeneration near this surface. (role: recent area contributor; confidence: medium; commits: 4d912e04519b, eb8de6715f02, 7ae1bb0c7799; files: src/infra/host-env-security-policy.json, src/infra/host-env-security.test.ts, apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift)
  • joshavant: History shows Josh Avant worked on host env override enforcement across gateway and node, which is the execution boundary this policy feeds. (role: adjacent owner; confidence: medium; commits: 7abfff756d6c, cbe68ba1a190; files: src/infra/host-env-security.ts, src/node-host/invoke.ts, src/infra/host-env-security-policy.json)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal backlog priority with limited blast radius. merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. labels Jun 9, 2026
@pgondhi987

pgondhi987 commented Jun 9, 2026

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

Updated the PR to preserve trusted inherited rustup env, added live sanitizer proof showing request overrides rejected, and reran focused validation/review gates.

@clawsweeper

clawsweeper Bot commented Jun 9, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jun 9, 2026
@openclaw-barnacle openclaw-barnacle Bot added scripts Repository scripts size: S and removed size: XS labels Jun 9, 2026
@clawsweeper clawsweeper Bot added status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. and removed status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. labels Jun 9, 2026
@clawsweeper clawsweeper Bot added the merge-risk: 🚨 automation 🚨 May affect CI, automerge, proof capture, label sync, or maintainer automation. label Jun 9, 2026
@pgondhi987

pgondhi987 commented Jun 9, 2026

Copy link
Copy Markdown
Contributor Author

Verification before merge:

Behavior addressed: Request-scoped host exec env overrides can no longer inject Rustup toolchain roots, toolchain selectors, or Rustup download roots into spawned host commands.
Real environment tested: local source checkout and GitHub Actions PR CI on head 01a433044a1445893f7b342f4933906646338269.
Exact steps or command run after this patch:

  • scripts/run-opengrep.sh --changed --sarif --error
  • node scripts/run-vitest.mjs test/scripts/run-opengrep.test.ts src/infra/host-env-security.test.ts src/infra/host-env-security.reported-baseline.test.ts src/infra/host-env-security.policy-parity.test.ts
  • pnpm check:host-env-policy:swift
  • scripts/pr review-tests 91615 src/infra/host-env-security.test.ts src/infra/host-env-security.reported-baseline.test.ts src/infra/host-env-security.policy-parity.test.ts test/scripts/run-opengrep.test.ts
  • timeout 1800 .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
  • auto-pr.sh issue 731 --run-stage ghsa_dry_run
  • auto-pr.sh issue 731 --run-stage ghsa_real_gate
    Evidence after fix:
  • Local OpenGrep changed-path scan reported 0 findings and the focused Vitest shards passed: 1 tooling file/3 tests and 3 infra files/34 tests.
  • review-pr passed on 01a433044a with READY FOR /prepare-pr and 0 findings; autoreview passed with no accepted/actionable findings.
  • GHSA dry-run and real gate both passed; GitHub PR CI is clean except neutral CodeQL.
    Observed result after fix: The sanitizer rejects agent/request Rustup overrides before env merge while trusted inherited operator Rustup env remains allowed.
    What was not tested: No live external Rustup download/update was exercised.

Regression Risk:
Low. This changes the host exec environment policy boundary only: request-scoped Rustup overrides are newly rejected, while auth, approvals, sandboxing, config, storage, provider/plugin/channel behavior, dependency versions, and persisted credentials are unchanged. The compatibility-sensitive operator case is bounded by preserving inherited Rustup settings.

Best fix verdict: Best targeted fix. The canonical host-env policy is the right layer because both host exec call paths consume the existing sanitizer, so the change closes the gap without adding parallel runtime checks.

User behavior change:
Before, an exec request could pass RUSTUP_HOME, RUSTUP_TOOLCHAIN, or related Rustup download-root env values through params.env. After this patch, those request overrides are rejected; Rustup values already present in the trusted operator process environment still pass through.

@pgondhi987

pgondhi987 commented Jun 9, 2026

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

Final head 01a433044a1445893f7b342f4933906646338269 preserves trusted inherited Rustup env, blocks request-scoped Rustup override keys, includes the OpenGrep changed-path matcher fix, and has passing review-pr, autoreview, GHSA dry-run, GHSA real gate, focused local validation, and PR CI except neutral CodeQL.

@clawsweeper

clawsweeper Bot commented Jun 9, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. and removed rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. labels Jun 9, 2026
@clawsweeper clawsweeper Bot added the status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. label Jun 9, 2026
@openclaw-barnacle openclaw-barnacle Bot removed the scripts Repository scripts label Jun 9, 2026
@clawsweeper clawsweeper Bot removed the merge-risk: 🚨 automation 🚨 May affect CI, automerge, proof capture, label sync, or maintainer automation. label Jun 9, 2026
@pgondhi987 pgondhi987 merged commit 7cdec28 into openclaw:main Jun 9, 2026
167 of 168 checks passed
@github-actions github-actions Bot mentioned this pull request Jun 9, 2026
Open
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request Jun 10, 2026
@pgondhi987
fix: block rustup toolchain env overrides [AI] (openclaw#91615)
b471e03 
* fix: block rustup toolchain env overrides [AI]

* test: cover inherited rustup env stripping [AI]

* fix: preserve inherited rustup env [AI]

* fix: filter ignored opengrep changed paths [AI]

* fix: honor opengrep ignored directory globs [AI]

* fix: match ignored opengrep descendants [AI]

* fix: cover rustup mirror overrides [AI]

* fix: preserve opengrep directory-only ignores [AI]

* chore: drop opengrep cleanup from rustup fix [AI]
eleboucher pushed a commit to eleboucher/homelab that referenced this pull request Jun 12, 2026
@eleboucher
fix(container): update image ghcr.io/openclaw/openclaw (2026.6.5 ➔ 20…
bb872cc 
…26.6.6) (#1040)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/openclaw/openclaw](https://openclaw.ai) ([source](https://github.com/openclaw/openclaw)) | patch | `2026.6.5` → `2026.6.6` |

---

### Release Notes

<details>
<summary>openclaw/openclaw (ghcr.io/openclaw/openclaw)</summary>

### [`v2026.6.6`](https://github.com/openclaw/openclaw/blob/HEAD/CHANGELOG.md#202666)

[Compare Source](openclaw/openclaw@v2026.6.5...v2026.6.6)

##### Highlights

- Security boundaries are substantially tighter across transcripts, sandbox binds, host environment inheritance, MCP stdio, Codex HTTP access, native search policy, elevated sender checks, deleted-agent ACP bypasses, loopback tools, Discord moderation, and Teams group actions; exec approvals now fail closed on timeout. ([#&#8203;91529](openclaw/openclaw#91529), [#&#8203;91618](openclaw/openclaw#91618), [#&#8203;91615](openclaw/openclaw#91615), [#&#8203;91619](openclaw/openclaw#91619), [#&#8203;91741](openclaw/openclaw#91741), [#&#8203;91745](openclaw/openclaw#91745), [#&#8203;91746](openclaw/openclaw#91746), [#&#8203;91748](openclaw/openclaw#91748), [#&#8203;91749](openclaw/openclaw#91749), [#&#8203;91750](openclaw/openclaw#91750), [#&#8203;91751](openclaw/openclaw#91751), [#&#8203;91752](openclaw/openclaw#91752), [#&#8203;91763](openclaw/openclaw#91763), [#&#8203;89938](openclaw/openclaw#89938)) Thanks [@&#8203;joshavant](https://github.com/joshavant), [@&#8203;pgondhi987](https://github.com/pgondhi987), [@&#8203;mmaps](https://github.com/mmaps), [@&#8203;eleqtrizit](https://github.com/eleqtrizit), [@&#8203;shakkernerd](https://github.com/shakkernerd), and [@&#8203;drobison00](https://github.com/drobison00).
- Telegram delivery is safer and more coherent: account-scoped topics route to the right agent, streamed text survives tool calls, `/compact` works on generic ingress, callback handling uses concrete APIs, draft chunking is shared, durable dispatch dedupe moved into the SDK, and unauthorized DM text stays out of cache and prompt context. ([#&#8203;91189](openclaw/openclaw#91189), [#&#8203;88682](openclaw/openclaw#88682), [#&#8203;89588](openclaw/openclaw#89588), [#&#8203;90212](openclaw/openclaw#90212), [#&#8203;91876](openclaw/openclaw#91876), [#&#8203;91874](openclaw/openclaw#91874), [#&#8203;91904](openclaw/openclaw#91904), [#&#8203;91478](openclaw/openclaw#91478), [#&#8203;91915](openclaw/openclaw#91915)) Thanks [@&#8203;codysai001](https://github.com/codysai001), [@&#8203;alexzhu0](https://github.com/alexzhu0), [@&#8203;joelnishanth](https://github.com/joelnishanth), [@&#8203;snowzlm](https://github.com/snowzlm), [@&#8203;obviyus](https://github.com/obviyus), and [@&#8203;sallyom](https://github.com/sallyom).
- iMessage recovery and delivery now cover always-on inbound restart, durable echo markers, block streaming, idle approval discovery, hardened outbound transport, and actionable inbound startup diagnostics. ([#&#8203;91335](openclaw/openclaw#91335), [#&#8203;91449](openclaw/openclaw#91449), [#&#8203;88969](openclaw/openclaw#88969), [#&#8203;88530](openclaw/openclaw#88530), [#&#8203;91783](openclaw/openclaw#91783), [#&#8203;91785](openclaw/openclaw#91785)) Thanks [@&#8203;omarshahine](https://github.com/omarshahine), [@&#8203;jmissig](https://github.com/jmissig), and [@&#8203;colmbrogan](https://github.com/colmbrogan).
- Browser and MCP connectivity gained existing-session CDP support, discovered WebSocket validation, default-profile `cdpUrl` handling, safer browser-output boundaries, Streamable HTTP loopback transport, corrected OAuth/SSE authorization handling, and broader schema compatibility. ([#&#8203;91422](openclaw/openclaw#91422), [#&#8203;89851](openclaw/openclaw#89851), [#&#8203;91736](openclaw/openclaw#91736), [#&#8203;91747](openclaw/openclaw#91747), [#&#8203;91451](openclaw/openclaw#91451), [#&#8203;80143](openclaw/openclaw#80143)) Thanks [@&#8203;pgondhi987](https://github.com/pgondhi987), [@&#8203;anagnorisis2peripeteia](https://github.com/anagnorisis2peripeteia), [@&#8203;lifuyue](https://github.com/lifuyue), [@&#8203;eleqtrizit](https://github.com/eleqtrizit), [@&#8203;LiuwqGit](https://github.com/LiuwqGit), and [@&#8203;HemantSudarshan](https://github.com/HemantSudarshan).
- Control UI startup and first-reply latency are lower through cached model metadata, removal of the startup catalog wait, lazy slash-command loading, and first-event tracing with slow-reply diagnostics. ([#&#8203;91531](openclaw/openclaw#91531), [#&#8203;91538](openclaw/openclaw#91538), [#&#8203;91568](openclaw/openclaw#91568), [#&#8203;91583](openclaw/openclaw#91583), [#&#8203;91598](openclaw/openclaw#91598))
- Provider support expands with OpenRouter OAuth onboarding and Claude Fable 5 adaptive thinking, while Codex sessions keep correct compaction ownership, local models skip guardian review, dynamic tool progress normalizes cleanly, and Gemma 4 reasoning replay is preserved. ([#&#8203;91830](openclaw/openclaw#91830), [#&#8203;91882](openclaw/openclaw#91882), [#&#8203;91590](openclaw/openclaw#91590), [#&#8203;88630](openclaw/openclaw#88630), [#&#8203;88768](openclaw/openclaw#88768), [#&#8203;91696](openclaw/openclaw#91696)) Thanks [@&#8203;Patrick-Erichsen](https://github.com/Patrick-Erichsen), [@&#8203;joshavant](https://github.com/joshavant), [@&#8203;bdjben](https://github.com/bdjben), and [@&#8203;Coder-Wangyankun](https://github.com/Coder-Wangyankun).

##### Changes

- CLI progress: emit Claude CLI commentary progress events and bridge inter-tool commentary into channel progress without exposing internal protocol scaffolding. ([#&#8203;89834](openclaw/openclaw#89834), [#&#8203;90883](openclaw/openclaw#90883)) Thanks [@&#8203;anagnorisis2peripeteia](https://github.com/anagnorisis2peripeteia).
- Observability: allow trusted diagnostics channels to capture tool input/output content, add first-assistant-event traces, and warn on slow initial replies. ([#&#8203;91256](openclaw/openclaw#91256), [#&#8203;91568](openclaw/openclaw#91568), [#&#8203;91583](openclaw/openclaw#91583)) Thanks [@&#8203;amknight](https://github.com/amknight).
- Plugins/ClawHub: dogfood reusable package publishing, let dry runs skip publish approval, allow declared installed trusted hooks, report managed plugin version drift, and warn instead of failing on retired Skill Workshop configuration. ([#&#8203;91574](openclaw/openclaw#91574), [#&#8203;91591](openclaw/openclaw#91591), [#&#8203;90004](openclaw/openclaw#90004), [#&#8203;90927](openclaw/openclaw#90927), [#&#8203;90838](openclaw/openclaw#90838)) Thanks [@&#8203;Patrick-Erichsen](https://github.com/Patrick-Erichsen), [@&#8203;brokemac79](https://github.com/brokemac79), and [@&#8203;lonexreb](https://github.com/lonexreb).
- Memory/providers: move the local llama.cpp runtime into its provider plugin, batch embeddings across files, persist the agent model catalog cache, and keep QMD JSON search one-shot while filtering stale REM recall previews. ([#&#8203;91324](openclaw/openclaw#91324), [#&#8203;89138](openclaw/openclaw#89138), [#&#8203;90457](openclaw/openclaw#90457), [#&#8203;91837](openclaw/openclaw#91837), [#&#8203;91851](openclaw/openclaw#91851)) Thanks [@&#8203;osolmaz](https://github.com/osolmaz), [@&#8203;mushuiyu886](https://github.com/mushuiyu886), [@&#8203;ai-hpc](https://github.com/ai-hpc), and [@&#8203;TurboTheTurtle](https://github.com/TurboTheTurtle).
- Channels/mobile: add the QQBot group mention toggle, improve iPad and iPhone control surfaces, and expose the active connection host in the TUI footer. ([#&#8203;91423](openclaw/openclaw#91423), [#&#8203;91557](openclaw/openclaw#91557), [#&#8203;89909](openclaw/openclaw#89909)) Thanks [@&#8203;cxyhhhhh](https://github.com/cxyhhhhh), [@&#8203;Solvely-Colin](https://github.com/Solvely-Colin), and [@&#8203;baskduf](https://github.com/baskduf).
- Performance: prewarm TUI runtime plugins, deduplicate plugin auto-enable fanout, trim dense text-delta snapshots, and reuse prepared startup model metadata. ([#&#8203;90782](openclaw/openclaw#90782), [#&#8203;89978](openclaw/openclaw#89978), [#&#8203;91580](openclaw/openclaw#91580), [#&#8203;91531](openclaw/openclaw#91531)) Thanks [@&#8203;RomneyDa](https://github.com/RomneyDa) and [@&#8203;ai-hpc](https://github.com/ai-hpc).

##### Fixes

- Agent/session recovery: drop stale approval follow-ups after session rebind, remove drained reply-queue items by identity, recover stale main and visible replies, preserve Codex context-engine compaction ownership, lower the default compaction timeout to 180 seconds while respecting explicit configuration, and keep provider-failure terminal lifecycle state correct. ([#&#8203;85679](openclaw/openclaw#85679), [#&#8203;91450](openclaw/openclaw#91450), [#&#8203;91566](openclaw/openclaw#91566), [#&#8203;91840](openclaw/openclaw#91840), [#&#8203;91590](openclaw/openclaw#91590), [#&#8203;91361](openclaw/openclaw#91361), [#&#8203;91895](openclaw/openclaw#91895)) Thanks [@&#8203;openperf](https://github.com/openperf), [@&#8203;yetval](https://github.com/yetval), [@&#8203;joshavant](https://github.com/joshavant), [@&#8203;wangmiao0668000666](https://github.com/wangmiao0668000666), and [@&#8203;TurboTheTurtle](https://github.com/TurboTheTurtle).
- User-visible content boundaries: suppress Codex/Harmony protocol artifacts, neutralize browser and LanceDB memory media directives, redact transcript images, and preserve native `/compact` replies through source suppression. ([#&#8203;89151](openclaw/openclaw#89151), [#&#8203;91422](openclaw/openclaw#91422), [#&#8203;91425](openclaw/openclaw#91425), [#&#8203;91529](openclaw/openclaw#91529), [#&#8203;90212](openclaw/openclaw#90212)) Thanks [@&#8203;joelnishanth](https://github.com/joelnishanth), [@&#8203;pgondhi987](https://github.com/pgondhi987), [@&#8203;joshavant](https://github.com/joshavant), and [@&#8203;snowzlm](https://github.com/snowzlm).
- Channel delivery: keep WhatsApp captured replies attached to the successor controller after restart, retry Feishu rate limits, preserve Mattermost thread replies, canonicalize LINE webhook paths, restore Discord reply hydration and runtime timeout exports, and show OpenAI Realtime WebRTC assistant transcripts. ([#&#8203;85823](openclaw/openclaw#85823), [#&#8203;89659](openclaw/openclaw#89659), [#&#8203;91684](openclaw/openclaw#91684), [#&#8203;91649](openclaw/openclaw#91649), [#&#8203;90263](openclaw/openclaw#90263), [#&#8203;91686](openclaw/openclaw#91686), [#&#8203;90426](openclaw/openclaw#90426)) Thanks [@&#8203;itsuzef](https://github.com/itsuzef), [@&#8203;ladygege](https://github.com/ladygege), [@&#8203;jacobtomlinson](https://github.com/jacobtomlinson), [@&#8203;fuller-stack-dev](https://github.com/fuller-stack-dev), and [@&#8203;shushushv](https://github.com/shushushv).
- Cron: cancel active task runs cleanly, preserve terminal timeout/cancel state, and recover no-deliver tool warnings instead of silently losing the outcome. ([#&#8203;90666](openclaw/openclaw#90666), [#&#8203;90678](openclaw/openclaw#90678)) Thanks [@&#8203;ai-hpc](https://github.com/ai-hpc).
- Gateway/config/auth: share the approval runtime socket token, replace arrays explicitly in `config.patch`, skip the deleted-agent guard only for valid ACP harness sessions, surface headless LaunchAgent state, verify SQLite auth migration before cleanup, and arm QMD startup maintenance. ([#&#8203;87105](openclaw/openclaw#87105), [#&#8203;91551](openclaw/openclaw#91551), [#&#8203;91219](openclaw/openclaw#91219), [#&#8203;91614](openclaw/openclaw#91614), [#&#8203;91740](openclaw/openclaw#91740), [#&#8203;91978](openclaw/openclaw#91978)) Thanks [@&#8203;fuller-stack-dev](https://github.com/fuller-stack-dev) and [@&#8203;scotthuang](https://github.com/scotthuang).
- Providers/Codex: clarify quota errors, restore the Codex synthetic usage line, canonicalize Codex protocol assets, require API-key auth for realtime voice, normalize ACP model refs, preserve Gemma 4 `reasoning_content`, and avoid guardian review for local models. ([#&#8203;91390](openclaw/openclaw#91390), [#&#8203;91709](openclaw/openclaw#91709), [#&#8203;91507](openclaw/openclaw#91507), [#&#8203;91567](openclaw/openclaw#91567), [#&#8203;88630](openclaw/openclaw#88630), [#&#8203;91696](openclaw/openclaw#91696)) Thanks [@&#8203;hxy91819](https://github.com/hxy91819), [@&#8203;brokemac79](https://github.com/brokemac79), [@&#8203;RomneyDa](https://github.com/RomneyDa), [@&#8203;joshavant](https://github.com/joshavant), and [@&#8203;Coder-Wangyankun](https://github.com/Coder-Wangyankun).
- Updates/builds: recover package Gateway restarts after refresh failure, expose plugin convergence repair, fall back to Corepack in PATH-less pnpm environments, seed the correct Docker store packages, and keep ClawHub dry-run and publish paths reusable. ([#&#8203;91581](openclaw/openclaw#91581), [#&#8203;91599](openclaw/openclaw#91599), [#&#8203;91547](openclaw/openclaw#91547), [#&#8203;91591](openclaw/openclaw#91591)) Thanks [@&#8203;fuller-stack-dev](https://github.com/fuller-stack-dev), [@&#8203;sallyom](https://github.com/sallyom), and [@&#8203;Patrick-Erichsen](https://github.com/Patrick-Erichsen).
- UI: require explicit user intent before opening chat sessions and drain restored chat queues after session switches. ([#&#8203;91480](openclaw/openclaw#91480)) Thanks [@&#8203;TurboTheTurtle](https://github.com/TurboTheTurtle).
- Android: avoid the `dataSync` foreground-service type for persistent nodes. ([#&#8203;80082](openclaw/openclaw#80082)) Thanks [@&#8203;davelutztx](https://github.com/davelutztx).
- Native hooks: bound relay lifetimes so abandoned native hook connections cannot linger indefinitely. ([#&#8203;91550](openclaw/openclaw#91550)) Thanks [@&#8203;joshavant](https://github.com/joshavant).

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjEwMS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJyZW5vdmF0ZS9jb250YWluZXIiLCJ0eXBlL3BhdGNoIl19-->

Reviewed-on: https://git.erwanleboucher.dev/eleboucher/homelab/pulls/1040
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

app: macos App: macos maintainer Maintainer-authored PR merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. P2 Normal backlog priority with limited blast radius. proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. size: S status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@pgondhi987