Skip to content

fix(memory): clean stale reindex temp files#92891

Merged
vincentkoc merged 4 commits into
openclaw:mainfrom
ZengWen-DT:fix/92874-memory-temp-cleanup
Jun 14, 2026
Merged

fix(memory): clean stale reindex temp files#92891
vincentkoc merged 4 commits into
openclaw:mainfrom
ZengWen-DT:fix/92874-memory-temp-cleanup

Conversation

@ZengWen-DT

Copy link
Copy Markdown
Contributor

Summary

  • Cleans up orphaned builtin memory reindex temp SQLite files left behind by hard restarts.
  • Adds a startup sweep before the live memory DB opens, limited to sibling <db>.tmp-<uuid> files and their WAL/SHM sidecars.
  • Adds a pid lock for active safe reindexes so another OpenClaw process does not delete a long-running rebuild.
  • Intentionally leaves normal atomic swap behavior unchanged.

Linked context

Closes #92874

Requested by ClawSweeper triage on the issue as a focused memory-core startup cleanup.

Real behavior proof (required for external PRs)

  • Behavior or issue addressed: builtin memory backend orphaned main.sqlite.tmp-<uuid> reindex files after a hard restart because startup did not sweep stale temp DB triplets.
  • Real environment tested: local OpenClaw source checkout, isolated HOME, isolated OPENCLAW_HOME, isolated OPENCLAW_CONFIG_PATH, isolated workspace, memorySearch.provider: "none" for FTS-only memory indexing.
  • Exact steps or command run after this patch:
    1. Created an isolated workspace with MEMORY.md.
    2. Ran pnpm openclaw memory index --force --agent main.
    3. Created main.sqlite.tmp-11111111-2222-3333-4444-555555555555, -wal, -shm, and .lock beside the real memory index with an old mtime and stale pid.
    4. Ran pnpm openclaw memory status --agent main.
    5. Ran find "$OPENCLAW_HOME/.openclaw/memory" \( -name '*.tmp-*' -o -name '*.tmp-*.lock' \) -print | sort.
  • Evidence after fix:
Memory index updated (main).
before startup sweep:
/tmp/openclaw-mem-proof-MNBMWI/home/.openclaw/memory/main.sqlite.tmp-11111111-2222-3333-4444-555555555555
/tmp/openclaw-mem-proof-MNBMWI/home/.openclaw/memory/main.sqlite.tmp-11111111-2222-3333-4444-555555555555-shm
/tmp/openclaw-mem-proof-MNBMWI/home/.openclaw/memory/main.sqlite.tmp-11111111-2222-3333-4444-555555555555-wal
/tmp/openclaw-mem-proof-MNBMWI/home/.openclaw/memory/main.sqlite.tmp-11111111-2222-3333-4444-555555555555.lock
Memory Search (main)
Provider: none (requested: none)
Indexed: 1/1 files · 1 chunks
Dirty: no
Store: $OPENCLAW_HOME/.openclaw/memory/main.sqlite
Vector store: disabled
FTS: ready
after startup sweep:
  • Observed result after fix: memory status opened the real memory DB and removed the stale temp main file, WAL, SHM, and lock; the after-sweep scan printed no temp files.
  • What was not tested: destructive live SIGKILL during a remote embedding batch was not run.
  • Proof limitations or environment constraints: proof uses a deliberately seeded stale temp triplet and stale pid lock to simulate the post-crash on-disk state without killing a live OpenClaw process.
  • Before evidence: the new regression test removes aged orphan reindex temp files before opening the live database failed before the startup sweep because fs.access(orphanBase) still resolved.

Tests and validation

  • pnpm test extensions/memory-core/src/memory/manager-db-probe.test.ts -- --reporter=verbose
  • pnpm test extensions/memory-core/src/memory/manager.atomic-reindex.test.ts -- --reporter=verbose
  • pnpm test extensions/memory-core/src/memory/index.test.ts -- --reporter=verbose
  • pnpm test:changed
  • pnpm format:check -- extensions/memory-core/src/memory/manager-db.ts extensions/memory-core/src/memory/manager-db-probe.test.ts extensions/memory-core/src/memory/manager-sync-ops.ts
  • git diff --check
  • .agents/skills/autoreview/scripts/autoreview --mode local

Regression coverage added:

  • Aged lockless temp triplets are removed only after the conservative no-lock age threshold.
  • Young temp triplets are preserved.
  • Aged temp triplets with a live owner pid are preserved.
  • Aged temp triplets with a stale owner lock are removed with the lock file.

Risk checklist

Did user-visible behavior change? Yes

Did config, environment, or migration behavior change? No

Did security, auth, secrets, network, or tool execution behavior change? No

Highest-risk area: deleting a temp DB that still belongs to an active reindex.

How is that risk mitigated? Active safe reindexes now write a pid lock, startup cleanup skips live owner pids, and lockless temp files must be much older before cleanup.

Current review state

Next action: maintainer review and CI.

Bot comments addressed: ClawSweeper issue triage requested startup cleanup with a race guard; local autoreview initially found the age-only race, and the current patch adds the pid lock guard. Final local autoreview reported no accepted/actionable findings.

AI-assisted (Codex). Proof above was run manually.

@openclaw-barnacle openclaw-barnacle Bot added extensions: memory-core Extension: memory-core size: M proof: supplied External PR includes structured after-fix real behavior proof. labels Jun 14, 2026
@clawsweeper

clawsweeper Bot commented Jun 14, 2026

Copy link
Copy Markdown
Contributor

Codex review: needs maintainer review before merge. Reviewed June 14, 2026, 11:25 AM ET / 15:25 UTC.

Summary
The PR adds memory-core startup cleanup for stale reindex temp SQLite files, writes a PID lock around active safe reindexes, and expands regression coverage for stale, young, live-owned, stale-lock, and scan-failure cases.

PR surface: Source +142, Tests +176. Total +318 across 3 files.

Reproducibility: yes. Source inspection shows current main creates memory reindex temp SQLite files and only removes them through in-process success/error cleanup paths that a hard kill cannot run; I did not run a destructive SIGKILL repro in this read-only review.

Review metrics: 1 noteworthy metric.

Stored data model
Persistent data-model change detected: database schema: extensions/memory-core/src/memory/manager-db-probe.test.ts, migration/backfill/repair: extensions/memory-core/src/memory/manager-db-probe.test.ts, migration/backfill/repair: extensions/memory-core/src/memory/manager-sync-ops.ts, serialized state: extensions/memory-core/src/memory/manager-db-probe.test.ts, serialized state: extensions/memory-core/src/memory/manager-db.ts, serialized state: extensions/memory-core/src/memory/manager-sync-ops.ts, and 6 more. Confirm migration or upgrade compatibility proof before merge.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🦞 diamond lobster
Patch quality: 🦐 gold shrimp
Result: needs maintainer review before merge.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

Risk before merge

  • [P1] The branch is currently GitHub-conflicting against main, so the PID-lock cleanup must be rebased while preserving current main's reindex retry, embedding-cache mirror, and published-index recovery state from fix(memory): preserve reindex rollback recovery #92881.
  • [P1] There is a clean competing cleanup PR at fix(memory): sweep orphaned reindex temp files #92972; landing both would create duplicate startup sweep behavior, so maintainers should choose one path.
  • [P1] The supplied proof simulates an aged stale temp triplet rather than killing a live remote embedding batch, so the destructive crash path remains source/test-backed rather than live SIGKILL-backed.

Maintainer options:

  1. Rebase and make this the guarded cleanup path (recommended)
    Resolve the current conflicts against main, keep the live-DB, PID-lock, uncertain-state, and age safeguards, then close or rebase fix(memory): sweep orphaned reindex temp files #92972 so only one startup sweep ships.
  2. Use the clean competing PR instead
    If maintainers prefer fix(memory): sweep orphaned reindex temp files #92972, first confirm it covers the active-owner race or intentionally accepts that risk, then close this PR as superseded.
  3. Defer live-crash confidence
    Maintainers can require a destructive SIGKILL or cross-platform live reindex proof before landing either cleanup path if the source/test proof is not enough for this risk.

Next step before merge

  • [P2] The remaining blocker is maintainer or author conflict resolution plus canonical-PR selection, not an automated code repair on a clean branch.

Security
Cleared: No concrete security or supply-chain concern found; the diff changes memory-core SQLite cleanup and tests without new dependencies, workflows, package scripts, permissions, or secret handling.

Review details

Best possible solution:

Resolve the conflict by integrating this PR's conservative PID-lock cleanup with current main, then land one canonical cleanup PR and close or rebase the competing cleanup PR.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows current main creates memory reindex temp SQLite files and only removes them through in-process success/error cleanup paths that a hard kill cannot run; I did not run a destructive SIGKILL repro in this read-only review.

Is this the best way to solve the issue?

Yes, conditionally. The guarded startup sweep plus PID lock is the strongest owner-boundary fix I saw, but it must be rebased onto current main and deduplicated against #92972 before merge.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 40093f5a93ed.

Label changes

Label changes:

  • add merge-risk: 🚨 availability: The PR adds destructive startup cleanup for SQLite temp files, so an incorrect race guard could disrupt an active reindex or startup path in ways green CI cannot fully prove.
  • add merge-risk: 🚨 other: A second open PR implements the same cleanup, and merging both could create duplicate cleanup paths and maintenance drift.
  • add proof: sufficient: Contributor real behavior proof is sufficient. The PR body supplies terminal proof from a real local CLI flow showing a seeded stale temp SQLite triplet and lock removed by memory status after the patch; destructive live SIGKILL proof was not supplied.
  • add rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🦞 diamond lobster and patch quality is 🦐 gold shrimp.
  • remove rating: 🐚 platinum hermit: Current PR rating is rating: 🦐 gold shrimp, so this older rating label is no longer current.

Label justifications:

  • P2: This is a normal-priority memory-core disk-bloat cleanup bug with a narrow surface and no emergency security or core-runtime outage signal.
  • merge-risk: 🚨 availability: The PR adds destructive startup cleanup for SQLite temp files, so an incorrect race guard could disrupt an active reindex or startup path in ways green CI cannot fully prove.
  • merge-risk: 🚨 other: A second open PR implements the same cleanup, and merging both could create duplicate cleanup paths and maintenance drift.
  • rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🦞 diamond lobster and patch quality is 🦐 gold shrimp.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body supplies terminal proof from a real local CLI flow showing a seeded stale temp SQLite triplet and lock removed by memory status after the patch; destructive live SIGKILL proof was not supplied.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR body supplies terminal proof from a real local CLI flow showing a seeded stale temp SQLite triplet and lock removed by memory status after the patch; destructive live SIGKILL proof was not supplied.
Evidence reviewed

PR surface:

Source +142, Tests +176. Total +318 across 3 files.

View PR surface stats
Area Files Added Removed Net
Source 2 157 15 +142
Tests 1 178 2 +176
Docs 0 0 0 0
Config 0 0 0 0
Generated 0 0 0 0
Other 0 0 0 0
Total 3 335 17 +318

Acceptance criteria:

  • [P1] node scripts/run-vitest.mjs extensions/memory-core/src/memory/manager-db-probe.test.ts extensions/memory-core/src/memory/manager.atomic-reindex.test.ts extensions/memory-core/src/memory/index.test.ts.
  • [P1] git diff --check.

What I checked:

Likely related people:

  • vincentkoc: Recent main history and blame touch the memory reindex rollback/retry path, and this PR's maintainer follow-up hardening also came from this person. (role: recent area contributor and reviewer; confidence: high; commits: e99ab385cfe1, d46dc39b18ec, 4aa40a2a701e; files: extensions/memory-core/src/memory/manager-sync-ops.ts, extensions/memory-core/src/memory/manager-atomic-reindex.ts, extensions/memory-core/src/memory/manager-db.ts)
  • xydt-tanshanshan: Authored the recent live SQLite index preservation change that shaped the current atomic swap/open behavior this cleanup must preserve. (role: recent SQLite swap contributor; confidence: high; commits: 865fdab07501, 1a2eb74b9df6; files: extensions/memory-core/src/memory/manager-sync-ops.ts, extensions/memory-core/src/memory/manager-atomic-reindex.ts, extensions/memory-core/src/memory/manager-db.ts)
  • steipete: Authored earlier memory atomic reindex helper extraction and cleanup hardening commits in the helper this PR depends on. (role: area refactor contributor; confidence: medium; commits: c9f288ceafbf, 53a97fe0a76a, 483075ddd4ff; files: extensions/memory-core/src/memory/manager-atomic-reindex.ts, extensions/memory-core/src/memory/manager-sync-ops.ts, extensions/memory-core/src/memory/manager-db.ts)
  • kunpeng-ai-lab: Authored the Windows transient index swap retry change in the same atomic reindex helper and tests, relevant to cleanup and sidecar semantics. (role: prior atomic swap contributor; confidence: medium; commits: f3fd0eedff21; files: extensions/memory-core/src/memory/manager-atomic-reindex.ts, extensions/memory-core/src/memory/manager.atomic-reindex.test.ts)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P2 Normal backlog priority with limited blast radius. labels Jun 14, 2026
@vincentkoc vincentkoc self-assigned this Jun 14, 2026
@vincentkoc

vincentkoc commented Jun 14, 2026

Copy link
Copy Markdown
Member

land-ready maintainer verification after final edge-case repair:

  • head: ac56931d8c, rebased cleanly onto current origin/main
  • autoreview: three design repair passes plus the CI lint follow-up; final results clean with no accepted/actionable findings (patch is correct, confidence 0.93 for the full design and 0.98 for the follow-up)
  • accepted findings fixed: canonical opens can no longer create an empty DB during the Windows swap window, and healthy existing DB opens do not fail for the full duration of a reindex
  • best-fix judgment: yes. A dedicated SQLite BEGIN EXCLUSIVE coordination DB replaces PID/lease sidecars, so crash/container death releases ownership automatically. The same lock guards safe reindex, destructive aged-temp cleanup, and genuinely missing canonical-path creation; existing DB opens keep a read-only probe through the read-write open to close the swap race without blocking normal status/search reads
  • current-main integration: preserves the published-index, retry-state, embedding-cache mirror, and recovery behavior from fix(memory): preserve reindex rollback recovery #92881
  • focused post-fix proof: node scripts/run-vitest.mjs extensions/memory-core/src/memory/manager-db-probe.test.ts extensions/memory-core/src/memory/manager.atomic-reindex.test.ts extensions/memory-core/src/memory/manager.reindex-recovery.test.ts extensions/memory-core/src/memory/index.test.ts extensions/memory-core/src/memory/manager.readonly-recovery.test.ts (95 passed)
  • lint/hygiene: node scripts/run-oxlint.mjs extensions/memory-core/src/memory/manager-reindex-lock.ts passed; git diff --check and privacy scan clean
  • CI follow-up: the prior exact-head CI run's only code failure was two oxlint findings in the new lock helper; both are fixed at this head and the focused lint/autoreview proof above is green
  • known proof gap: no destructive live SIGKILL, Windows, or Docker roundtrip in this pass; those paths are source- and regression-test-backed

@openclaw-barnacle openclaw-barnacle Bot removed the proof: sufficient ClawSweeper judged the real behavior proof convincing. label Jun 14, 2026
@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. merge-risk: 🚨 availability 🚨 May cause crashes, hangs, restart loops, stalls, or process outages. merge-risk: 🚨 other 🚨 Merging this PR has meaningful risk outside the owned taxonomy. and removed rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. labels Jun 14, 2026
@vincentkoc vincentkoc force-pushed the fix/92874-memory-temp-cleanup branch from 4aa40a2 to 2f8a72b Compare June 14, 2026 16:30
@openclaw-barnacle openclaw-barnacle Bot removed the proof: sufficient ClawSweeper judged the real behavior proof convincing. label Jun 14, 2026
@vincentkoc vincentkoc merged commit a42bda5 into openclaw:main Jun 14, 2026
157 checks passed
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request Jun 15, 2026
* fix(memory): clean stale reindex temp files

* fix(memory): harden stale reindex cleanup

* fix(memory): serialize safe reindex cleanup

* fix(memory): satisfy reindex lock lint

---------

Co-authored-by: zengwen <zeng_wen@foxmail.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
saml212 added a commit to Rockielab/rockie-claw that referenced this pull request Jun 16, 2026
)

* fix(chunking): preserve surrogate pairs

* test(telegram): cover rich list and table limits

* fix(telegram): migrate retired native draft config

* fix(telegram): keep rich text media-free

* feat(telegram): nudge agents toward rich text

* fix(telegram): clean rich message CI gates

* test(telegram): align message flow fixture with rich drafts

* fix(telegram): allow rich tables in group prompts

* fix(telegram): show rich text prompt for final replies

* fix(telegram): pass rich text prompts to cli backends

* fix(ui): restore sidebar session picker interactivity above desktop workbench (#92705)

* fix(ui): restore sidebar session picker interactivity above desktop workbench

The collapsed sidebar session picker was covered by the chat content
area when the workspace rail was visible at wider viewports. Two
issues caused this:

1. .sidebar-session-select--collapsed .chat-session-picker used
   var(--z-dropdown) which was never defined, creating an invalid
   z-index declaration (falls back to auto).

2. .shell-nav and .content--chat are grid siblings with equal
   z-index (auto), and .content--chat (later DOM) paints above
   .shell-nav, covering the session picker that extends from the
   nav column into the content column.

Fix: add position:relative + z-index:10 to .shell-nav so it stacks
above .content--chat; change overflow from hidden to visible so
the session picker extends beyond the nav rail; replace undefined
var(--z-dropdown) with z-index:100.

* fix(ui): keep sidebar picker z-index tokenized

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(google): strip provider prefix from Vertex model path

Summary:
- Strip the redundant `google/` provider prefix before embedding Google Vertex model ids under `/publishers/google/models/`.
- Keep bare Vertex model ids unchanged.
- Add regression coverage for the provider-qualified Vertex path.

Verification:
- `node_modules/.bin/oxfmt --check --threads=1 extensions/google/transport-stream.ts extensions/google/transport-stream.test.ts`
- `node scripts/run-oxlint.mjs extensions/google/transport-stream.ts extensions/google/transport-stream.test.ts`
- `node scripts/run-vitest.mjs extensions/google/transport-stream.test.ts --maxWorkers=1 -t 'strips redundant google provider prefixes from Google Vertex model paths'`
- Autoreview clean
- AWS Crabbox `run_649b209478d2` focused Node 24 regression proof
- AWS Crabbox `run_e193db2707ad` remote `check:changed`
- Exact-head CI green for `23aca6f46f596e220df37d939317b433f7044ec6`
- Contributor live Google Vertex proof recorded in the PR body

* feat: support /btw in CLI-backed sessions (#92669)

* feat: support CLI btw side questions

* test: fix CLI prepare test fixture types

* fix: lazy load local btw runner

* fix(gateway): mark active main sessions before restart shutdown aborts (#91357)

* Mark active main sessions during restart shutdown

* Type restart marker mock in close tests

* fix(gateway): preserve active run ownership across restart

* fix(gateway): preserve active runs across restart

* fix(gateway): close restart recovery edge cases

* fix(cron): preserve lifecycle ownership across restart

* fix(gateway): release rejected run contexts

* fix(gateway): preserve restart lifecycle ownership

* fix(cron): retain overlapping run ownership

* fix(agents): preserve restart terminal precedence

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>

* fix(parallel): send User-Agent on free MCP requests

Adds the OpenClaw Parallel User-Agent to free Parallel Search MCP requests so the zero-config web_search path is identifiable at the HTTP layer, matching the paid REST transport.\n\nProof: local focused format/lint/Vitest; live anonymous Parallel MCP handshake; autoreview clean; Crabbox AWS run_bf41ce86e862 focused regression; Crabbox AWS run_ee9b8954b081 check:changed; exact-head GitHub CI green on b7e45e3bfc83cec6ca8df3d9d2708e2c45f093a9.

* fix(ui): preserve dashboard session parent lineage

Preserves the selected Control UI session as the parent when creating dashboard child sessions even if the session list is stale or filtered, while avoiding the synthetic unknown session as a parent.\n\nFixes #90623.\n\nProof: local focused format/lint/Vitest/browser test; autoreview clean; Crabbox AWS run_a2bfdcd2315a UI proof; Crabbox AWS run_ce60fdc546ff check:changed; exact-head GitHub CI green on 03d1c6f646caeed2813e673446109751a50c610f.

* fix(ios): force stale foreground gateway reconnects (#92552)

* fix(telegram): expose thread create CLI remap

Exposes Telegram's thread-create CLI remap through the exported Telegram channel action adapter, preserving the existing plugin-owned mapping to topic-create before gateway dispatch.\n\nFixes #81581.\n\nProof: local focused format/lint/Vitest and dry-run; autoreview clean; Crabbox AWS run_07b98c939fce focused tests; Crabbox AWS run_1b7b35ce1de1 check:changed; exact-head GitHub CI green on 16f6afbdd7d8e1f1df81b71eaf10436e9771181c.

* feat: make workspace files panel collapsible

Signed-off-by: sallyom <somalley@redhat.com>

* fix: start workspace files collapsed

* fix(state): avoid sqlite wal on nfs state volumes

Detects NFS-backed SQLite database paths in the shared WAL helper and uses rollback journaling for those paths while preserving WAL/checkpoint maintenance on local filesystems. The NFS path now verifies SQLite's effective journal mode before disabling WAL maintenance, and core/memory/proxy-capture callers pass database path context into the centralized helper.

Fixes #90491.

Proof: local focused Vitest/format/lint; autoreview clean after fixing the journal-mode verification finding; Crabbox AWS focused test run `run_2ea7014350da`; Crabbox AWS changed gate `run_c828bbfe7d23`; exact-head GitHub CI green on `59674305ecd863d4815eec6098ccd3daab79ca4f`.

* fix(tui): show resolved model ref in confirmation

Uses the canonical model ref returned by `sessions.patch` for the TUI `/model` confirmation so alias inputs report the model that was actually applied. The fallback still shows the raw input when a backend does not return `resolved`, and the display path uses `modelKey` so nested model ids keep the provider prefix without double-prefixing self-prefixed ids.

Proof: local focused TUI Vitest/format/lint; autoreview clean; Crabbox AWS focused TUI test run `run_7d7cc5b040e8`; exact-head GitHub CI green on `6db4acfb08f9d477ee1bdab429bd7189b78ffc92`.

* fix(diagnostics): keep recovery scheduling out of the stuck-session warning backoff (#92752)

Summary:
- The branch changes diagnostic stuck/long-running warning backoff so recovery-eligible classifications are still returned during throttled warning ticks and updates the diagnostic tests.
- PR surface: Source +17, Tests +48. Total +65 across 2 files.
- Reproducibility: yes. Current main source shows logSessionAttention can return undefined during stuck or lon ... g backoff before the heartbeat reaches requestStuckSessionRecovery; I did not run a live QQ gateway replay.

Automerge notes:
- PR branch already contained follow-up commit before automerge: fix(diagnostics): keep recovery scheduling out of the stuck-session w…

Validation:
- ClawSweeper review passed for head f61ec3a33f2c48b03306df38264b3ce9bd062f08.
- Required merge gates passed before the squash merge.

Prepared head SHA: f61ec3a33f2c48b03306df38264b3ce9bd062f08
Review: https://github.com/openclaw/openclaw/pull/92752#issuecomment-4699298908

Co-authored-by: Gnanam <gnanasekaran.sekareee@gmail.com>
Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
Co-authored-by: clawsweeper[bot] <274271284+clawsweeper[bot]@users.noreply.github.com>
Approved-by: takhoffman
Co-authored-by: takhoffman <781889+takhoffman@users.noreply.github.com>

* fix(markdown-core): treat infinity chunk limit as unbounded

Fix render-aware markdown chunking so `Number.POSITIVE_INFINITY` is treated as an explicit unbounded chunk limit instead of falling back to `1`.

This preserves full Signal media captions and disabled Signal text chunking while keeping invalid non-finite limits on the existing fallback path.

Fixes #92734.
Thanks @yhterrance for the report and fix.

* docs(config): correct agent defaults concurrency comments

Correct the exported agent defaults type comments for `maxConcurrent` and `subagents.maxConcurrent` so they match the runtime defaults of 4 and 8.

No runtime behavior changes.
Thanks @ArielSmoliar for the fix.

* docs: clarify before_install hook scope (#92766)

Signed-off-by: sallyom <somalley@redhat.com>

* docs(nodes): add node config example

Add a Nodes overview `openclaw.json` example for node pairing, command allow/deny policy, node exec routing, and per-agent node pinning.

Also clarifies exact `denyCommands` matching and links readers to the config reference for pairing and command-policy field details.

Fixes #92662.
Thanks @liuhao1024 for the fix and @ZengWen-DT for the parallel docs wording on exact node command policy.

* Honor WhatsApp configured ACP bindings (#92513)

Merged via squash.

Prepared head SHA: 665080f48278a6af9d5595708bd9cfd30e36a29c
Co-authored-by: TurboTheTurtle <35905412+TurboTheTurtle@users.noreply.github.com>
Co-authored-by: mcaxtr <7562095+mcaxtr@users.noreply.github.com>
Reviewed-by: @mcaxtr

* fix(memory): split header-too-large embedding batches

Route OpenAI/OpenAI-compatible request_headers_too_large embedding failures into the existing memory-core batch splitter instead of aborting bulk memory indexing.

Tighten the classifier to require header-too-large wording rather than a bare 431 status token, so unrelated provider errors do not fan out into recursive requests.

Fixes #92465.
Thanks @mushuiyu886 for the fix and @BrettHamlin for the report and proof.

* feat(providers): add GLM-5.2 support (#92796)

* feat(providers): add GLM-5.2 support

* ci(live): add GLM-5.2 provider shard

* fix(sessions): enforce channel send policy for account-scoped DMs

Derive the channel from canonical account-scoped DM session keys when resolving session.sendPolicy, so channel-scoped allow/deny rules apply to per-account-channel-peer sessions.

Keep derivation limited to canonical channel peer key shapes and add malformed-key regressions so incomplete or non-channel keys do not accidentally match channel rules.

Compatibility note: existing channel-scoped send-policy rules can now block account-scoped DM sends that were previously allowed by this bug.

Thanks @yetval for the fix.

* docs(changelog): refresh 2026.6.8 notes

* fix(ui): localize workspace file rail labels

* fix(docker): remove stale nested openclaw package

Remove the stale nested openclaw package, its .bin shim, and the pnpm virtual-store copy from the runtime Docker image before final runtime assets are copied.

Run the package dist import-closure check after the cleanup so the check validates the final runtime-assets tree that the image ships.

Compatibility note: private Docker paths under /app/node_modules/openclaw and /app/node_modules/.bin/openclaw are removed; downstream images should use the documented /usr/local/bin/openclaw launcher or /app/openclaw.mjs.

Fixes #92551.
Thanks @lzyyzznl for the fix and @fxstein for the report.

* fix(release): repair beta validation fixtures

* chore(deps): bump macOS Swift dependencies

Updates the macOS Swift package resolution for patch releases of Peekaboo, Sparkle, and swift-log.

Verification:
- `swift package describe --type json`
- `swift build --target OpenClawIPC`
- `swift build --target OpenClawDiscovery`
- upstream tag/revision checks for Peekaboo 3.4.1, Sparkle 2.9.3, and swift-log 1.13.2
- autoreview clean
- exact PR head CI green for macOS, dependency, and security checks

* fix(qa): read rich Telegram replies in live checks

(cherry picked from commit 9c8b8803535b38ec204ead00c29c35e4ea1a8ee7)

* fix(agents): preserve compatible CLI session runtime pins

Preserves provider-compatible CLI runtime session pins across reply execution, follow-up execution, dispatch visibility, preflight compaction, and memory flush.

This keeps sessions pinned to compatible CLI runtimes such as `claude-cli` from leaking into embedded OpenClaw maintenance paths while still rejecting cross-provider runtime pins.

Original PR by @yu-xin-c; includes maintainer follow-up for the sibling memory paths.

Verification:
- `node scripts/run-vitest.mjs src/auto-reply/reply/agent-runner-execution.test.ts src/auto-reply/reply/agent-runner-memory.test.ts src/agents/model-runtime-aliases.test.ts --maxWorkers=1`
- autoreview clean
- Crabbox AWS `cbx_44400b494e97` / `coral-prawn`, run `run_69dd43475e39`: `check:changed` passed
- exact PR head CI green: `303b2f794f6c01fcf21b62b27c536b5f6eceb421`

* test(macos): isolate exec approvals env

* test(macos): avoid real approvals migration in tests

* fix(matrix): validate CLI numeric option ranges

Validates Matrix CLI numeric option ranges before invoking setup or verification side effects.

`--initial-sync-limit` must now be non-negative, and `--timeout-ms` must now be positive.

Original PR by @rohitjavvadi.

Verification:
- `node scripts/run-vitest.mjs extensions/matrix/src/cli.test.ts --maxWorkers=1`
- autoreview clean
- Crabbox AWS `cbx_5c32f138ab3a` / `swift-lobster`, run `run_6e133b8b82e7`: `check:changed` passed
- exact PR head CI green: `d75f118299029b0516311646276cd2d6582379c5`

* fix(qa): accept rich Telegram canary presence

(cherry picked from commit e86eb7567a79fd3fe90115d3840222a292eefa55)

* test(matrix): avoid racy inbound dedupe TTL

(cherry picked from commit 8ae3662b1c7ad32fb79039ff3465e0b1c835fe4e)

* fix(canvas): validate CLI numeric options

Validate Canvas CLI numeric arguments before node invocation.

- Reject malformed `--invoke-timeout` values through the shared Canvas invoke path before resolving a node.
- Keep snapshot `--quality` bounded to the existing Canvas tool schema range of 0..1.
- Add focused CLI regressions for timeout validation, quality bounds, and accepted boundary values.

Verification:
- `node scripts/run-vitest.mjs extensions/canvas/src/cli.test.ts --maxWorkers=1`
- `.agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main ...`
- AWS Crabbox `cbx_b7838c58daba`, run `run_bbb58ca536f4`: `check:changed`
- Exact PR head `a970ce594ea6e7284ace519352fc258b1b81cb80`: GitHub checks green

* fix: reflow composer beside workspace rail

Reflow the Control UI chat composer into the main chat column when the Workspace Files rail is expanded, so the composer stays beside the rail instead of extending underneath it.

Prepared head SHA: 7108d88cdad8c5e1c23d3f0e8b8965d723cea99d
Co-authored-by: Colin Johnson <211764741+Solvely-Colin@users.noreply.github.com>
Co-authored-by: shakkernerd <165377636+shakkernerd@users.noreply.github.com>
Reviewed-by: @shakkernerd

* fix(configure): mask gateway token prompts

Mask gateway token/password prompts while preserving blank-token generation. Verified with focused configure wizard tests and clean CI.

* fix(ports): avoid stale cleanup for non-gateway SSH listeners

Limit SSH tunnel classification to actual queried-port forwards and keep SSH-like non-gateway listeners out of stale gateway cleanup. Verified with focused port/restart tests and clean CI.

* fix(tavily): keep web search contract executable

Keep the Tavily public artifact lightweight while lazily executing through the provider runtime. Verified with focused Tavily/provider artifact tests and clean CI.

* fix(daemon): keep duplicate Windows gateway tasks visible

Normalize Windows schtasks default gateway names without hiding similarly prefixed duplicate tasks. Verified with focused daemon tests, type proof, autoreview, and clean CI.

* fix(cron): isolate transient auth cooldowns

Keep cron-local transient auth failures from polluting shared cooldowns while preserving real auth/billing/rate-limit propagation. Verified with focused auth/cron tests, type proof, autoreview, and clean CI.

* fix(heartbeat): route outbound mirror to isolated session key (#92807)

* fix(heartbeat): route outbound mirror to isolated session key

Co-authored-by: Merkava <263752781+agent-merkava@users.noreply.github.com>

* fix(clownfish): address review for ghcrawl-143801-autonomous-smoke (1)

Co-authored-by: Merkava <263752781+agent-merkava@users.noreply.github.com>

* fix(clownfish): address review for ghcrawl-143801-autonomous-smoke (1)

Co-authored-by: Merkava <263752781+agent-merkava@users.noreply.github.com>

---------

Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com>
Co-authored-by: Merkava <263752781+agent-merkava@users.noreply.github.com>

* test(gateway): preserve live Codex api-key auth

(cherry picked from commit 4aa50732f607d84e23c4e7d3ac8e77292c8c774e)

* fix(memory): surface skipped short-term recall hits (#92745)

Record diagnostic events when memory_search returns durable memory hits that are intentionally excluded from short-term promotion, so users can distinguish eligibility decisions from recall tracking failures.

* fix(gateway): forward image-only input on /v1/responses (parity with chat completions) (#92488)

* fix(gateway): accept image-only input on /v1/responses

The OpenResponses endpoint rejected requests whose `input` contained only
an `input_image` (no `input_text`) with `400 Missing user message in
input.`, even though the image was parsed and collected into `images`.
The guard only checked `prompt.message` and ignored `images`, unlike the
equivalent /v1/chat/completions guard which uses
`!prompt.message && images.length === 0`.

Align the OpenResponses guard with Chat Completions so image-only turns
are forwarded to the agent. Empty input (no text and no image) still
returns 400.

Adds regression tests: image-only base64 input -> 200 with image reaching
the agent, and empty content -> 400.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(gateway): pass image-only /v1/responses turns to the agent

The one-line guard alone was insufficient: even after letting image-only
input past the `Missing user message` check, the downstream agent command
(`prepareAgentCommandExecution`) throws `Message (--message) is required`
for an empty message, so image-only `/v1/responses` returned 500.

Mirror the /v1/chat/completions prompt builder: substitute the shared
IMAGE_ONLY_USER_MESSAGE placeholder for the active image-only user turn so
the turn is not dropped and the real image is still attached via `images`.
Promote the placeholder constant to the shared gateway agent-prompt module
so both endpoints stay in sync, and revert the responses guard back to the
original `!prompt.message` check (responses images are not scoped to the
active turn, so the placeholder is the correct, single source of truth).

Co-authored-by: Cursor <cursoragent@cursor.com>

* chore: retrigger CI (flaky startup-core test timeout, unrelated to change)

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: songwendong <songwendong@shuidi-inc.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(status): avoid cumulative usage for context percent (#92604)

* fix(status): avoid cumulative usage for context percent

* fix(status): preserve legacy context totals

* fix: reject unvalidated voice media streams

Reject voice media stream start frames when no acceptance validator is configured, preventing fail-open STT/TTS session creation. Verified locally, with autoreview, in a remote Linux dev box, and by green CI.

* test(gateway): wait for trajectory export guidance

(cherry picked from commit 4675423788a0ef48b0c46ed31b199762e1576c81)

* fix(telegram): acknowledge callbacks before sequentialize

Fixes #42156.

Answer Telegram callback queries before per-chat/topic sequentialize can queue the handler behind an active turn, and carry the in-flight answer promise on the grammY context so the normal handler reuses it instead of double-answering.

Proof:
- node scripts/run-vitest.mjs extensions/telegram/src/bot.create-telegram-bot.test.ts -- -t "answers callback queries before same-chat sequentialize delays handlers|sequentializes updates by chat and thread|routes callback_query payloads as messages"
- node scripts/run-vitest.mjs extensions/telegram/src/bot.test.ts extensions/telegram/src/bot-handlers.runtime.test.ts
- node_modules/.bin/oxfmt --check extensions/telegram/src/bot-core.ts extensions/telegram/src/bot-handlers.runtime.ts extensions/telegram/src/callback-query-answer-state.ts extensions/telegram/src/bot.create-telegram-bot.test.ts
- git diff --check origin/main...HEAD
- .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
- Azure Crabbox cbx_cba20c462ad5 / silver-barnacle: OPENCLAW_TESTBOX=1 node scripts/crabbox-wrapper.mjs run --provider azure --class Standard_D4ads_v6 --idle-timeout 90m --ttl 240m --timing-json -- env OPENCLAW_CHECK_CHANGED_REMOTE_CHILD=1 OPENCLAW_CHANGED_LANES_RAW_SYNC=1 corepack pnpm check:changed

Proof gap: live Telegram Desktop/burner-account proof was not run because openclaw-telegram-user-crabbox-proof is not installed in this shell.

* fix(nodes): surface pending reapproval diagnostics (#92547)

* fix(nodes): surface pending reapproval diagnostics

* fix(nodes): harden reapproval diagnostics

* fix(nodes): scope pending diagnostics

* fix(nodes): request pairing diagnostics in cli

* fix(nodes): reuse stored auth for diagnostics

* fix(nodes): preserve selected diagnostics credentials

* fix(nodes): prefer approved diagnostics auth

* fix(nodes): narrow diagnostics fallbacks

* fix(nodes): recover from stale diagnostics auth

* fix(gateway): preserve connect error narrowing

* fix(nodes): isolate privileged diagnostics auth

* fix(nodes): constrain privileged diagnostics auth

* fix(nodes): close diagnostics review gaps

* fix(nodes): guard reapproval cleanup races

* fix(nodes): defer stale pairing cleanup

* fix(nodes): preserve reapproval on hello failure

* test(nodes): await post-handshake reapproval cleanup

* test(nodes): avoid unbound websocket send capture

* fix(nodes): allow local auth-none diagnostics

* fix(nodes): preserve overlapping reapproval

* fix(nodes): preserve pending node metadata

* fix(nodes): keep connection age with status

* fix(nodes): preserve reapproval during reconnect races

* fix(nodes): serialize reapproval cleanup

* fix(nodes): bound reapproval reconnect races

* test(nodes): satisfy cleanup claim lint

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>

* fix(memory): keep skipped recall diagnostics opt-in

Follow-up to #92745 after maintainer autoreview found that the skipped recall event widened the shipped MemoryHostEvent union and changed limited legacy reads.

Keep readMemoryHostEvents() source-compatible by filtering diagnostic records before applying limits, and expose skipped recall diagnostics through the opt-in MemoryHostEventRecord/readMemoryHostEventRecords path.

Original skipped-recall behavior landed in #92745 by @mushuiyu886.

* fix(doctor): avoid false-positive legacy cron store warning when store was already migrated (fixes #92683) (#92690)

* fix(doctor): avoid false-positive legacy cron store warning when store was already migrated

When rawJobs.length > 0 and other issues exist (notifyCount, dreamingStaleCount)
but legacyStoreDetected is false (file already removed after migration), the doctor
unconditionally printed 'Legacy cron job storage detected at ...' — misleading users
into thinking the migration was incomplete.

Fix: conditionally use 'Cron store issues detected' heading when no legacy store file
exists, reserving 'Legacy cron job storage detected' for actual legacy store presence.

Fixes #92683

* test(doctor): add test for false-positive legacy cron store warning (#92683)

* fix(telegram): skip IPv4 fallback when user explicitly configures non-ipv4first dnsResultOrder (fixes #41671) (#92806)

* fix(telegram): skip IPv4 fallback when user configures non-ipv4first dnsResultOrder

When the user explicitly configures channels.telegram.network.dnsResultOrder
to a non-ipv4first value (e.g. verbatim), the sticky IPv4 fallback dispatcher
should not be armed. Forcing autoSelectFamily=false + dnsResultOrder=ipv4first
overrides the user's explicit IPv6-friendly config, causing media downloads to
fail on hosts where IPv4 is broken but IPv6 works.

Fixes #41671

* fix(telegram): respect explicit DNS fallback policy

---------

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* test(gateway): capture trajectory export command events

(cherry picked from commit b656a510468279aacad51515123b960b56a3fa87)

* fix(macos): defer isOverflowing mutation to break SwiftUI render loop (fixes #43480) (#92778)

* fix(macos): defer isOverflowing mutation to break SwiftUI render loop

measuredHeight() mutated model.isOverflowing synchronously during a SwiftUI
view update cycle. The onChange(of: attributed) handler triggered
updateWindowFrame → targetFrame → measuredHeight, which set isOverflowing,
invalidating the view and re-triggering onChange — an infinite render loop
causing 100% CPU pinwheel.

Fix: defer the isOverflowing mutation via DispatchQueue.main.async with an
equality guard to prevent redundant updates. The frame calculation itself
remains synchronous so the window size is correct immediately.

Fixes #43480

* fix(macos): preserve latest overflow measurement

---------

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* fix(gateway): use resolveNonNegativeNumber for totalTokens to display 0 instead of ? (fixes #43009) (#92795)

* fix(gateway): use resolveNonNegativeNumber for totalTokens to display 0 instead of ?

resolvePositiveNumber requires value > 0, filtering out the valid
totalTokens = 0 case (new session, no usage yet). This caused the TUI
to display 'tokens ?/200k' instead of 'tokens 0/200k (0%)'.

Use resolveNonNegativeNumber (>= 0) for the final totalTokens value
used in session display. The needsTranscriptTotalTokens check at line
2041 still correctly uses resolvePositiveNumber to decide whether to
fetch transcript data.

Fixes #43009

* fix(gateway): preserve fresh zero-token sessions

---------

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* fix(gateway): preserve active runs during plugin finalization (#92746)

* fix(gateway): preserve active run during plugin finalization

* fix(ui): skip session.message history reload while gateway reports active run

* fix(ui): remove unused eslint-disable directive

* fix(ui): preserve active runs through finalization

---------

Co-authored-by: scotthuang <scotthuang@tencent.com>
Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* UI: localize Logs tab labels (#92820)

Repair #61080 by routing Logs tab user-facing labels through Control UI locale keys while keeping export filename suffixes stable.

Validation:
- pnpm ui:i18n:check
- pnpm check:changed
- ui/src/ui/views/logs.test.ts
- Codex /review
- GitHub PR checks

Source PR credit: continues @rubensfox20's work from https://github.com/openclaw/openclaw/pull/61080.

Co-authored-by: rubensfox20 <111531429+rubensfox20@users.noreply.github.com>

* test(release): harden trajectory export live check

(cherry picked from commit b2d4cb7f868a7bd3abae1b775a0c26f32ec9a288)

* test(release): accept trajectory command session final

(cherry picked from commit 9458ffa7e8598608e582fd233fccb586ecc7b10b)

* fix(telegram): preserve command callbacks while prefixing generic callback data (#92825)

Fixes #54909.

Repair #54962 by preserving raw slash-command callbacks while routing generic callback data to agents as `callback_data: <value>`.

Validation:
- pnpm check:changed
- pnpm -s vitest run extensions/telegram/src/bot.create-telegram-bot.test.ts
- Codex /review
- Real behavior proof
- GitHub PR checks

Source PR credit: continues @hnshah's work from #54962 and preserves @timt80's report credit from #54909.

Co-authored-by: Hiten Shah <3155200+hnshah@users.noreply.github.com>

* fix: refresh model context metadata safely

Cap configured session context overrides by the selected model's known context window, refresh provider/model metadata consistently, and preserve the fixed Anthropic 1M context contract.

Fixes #39857

Co-authored-by: Kros Dai <7087+xdanger@users.noreply.github.com>

* fix(copilot): strip replayed thinking blocks

Remove replayed thinking and redacted-thinking blocks from GitHub Copilot Claude history and final Anthropic payloads while preserving visible content, tool turns, and non-empty assistant structure.

Fixes #81520
Supersedes #87060 and #81534

Co-authored-by: Gio Della-Libera <giodl73@gmail.com>

* feat(browser): extend --labels overlay to full-page and element captures (#92834)

Summary:
- The replacement PR extends Browser plugin labeled screenshots to honor Playwright full-page/ref/element scope, returns annotation bounding boxes, and updates docs, tests, and skill guidance.
- PR surface: Source +415, Tests +550, Docs +24. Total +989 across 12 files.
- Reproducibility: yes. Current main source shows the labeled Playwright helper ignores fullPage/ref/element and omits annotations, and the source PR supplies live before/after commands for the Browser plugin path.

Automerge notes:
- PR branch already contained follow-up commit before automerge: docs(browser): correct raw-CDP labels caveat in automation skill
- PR branch already contained follow-up commit before automerge: fix(browser): preserve labelsSkipped semantics for off-viewport refs
- PR branch already contained follow-up commit before automerge: docs(browser): scope labels docs by driver
- PR branch already contained follow-up commit before automerge: docs(browser): fix labels annotation indent and document scope fix
- PR branch already contained follow-up commit before automerge: docs(browser): indent annotations box schema under --labels bullet
- PR branch already contained follow-up commit before automerge: docs(browser): indent labels annotation schema

Validation:
- ClawSweeper review passed for head 70aca6c5065ae68bbf1037949e28045f479c0355.
- Required merge gates passed before the squash merge.

Prepared head SHA: 70aca6c5065ae68bbf1037949e28045f479c0355
Review: https://github.com/openclaw/openclaw/pull/92834#issuecomment-4700431344

Co-authored-by: FMLS <kfliuyang@gmail.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Mason Huang <masonxhuang@tencent.com>
Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
Co-authored-by: clawsweeper[bot] <274271284+clawsweeper[bot]@users.noreply.github.com>
Approved-by: hxy91819
Co-authored-by: hxy91819 <8814856+hxy91819@users.noreply.github.com>

* fix(discord): raise thread title timeout and tokens

Source PR: https://github.com/openclaw/openclaw/pull/64734

Co-authored-by: Hana Chang <741302+hanamizuki@users.noreply.github.com>

* fix(whatsapp): require durable auth before login success (#92095)

* fix(stale): exempt ClawSweeper actionable labels from stale lifecycle (#92801)

Add clawsweeper:queueable-fix, clawsweeper:source-repro, and
clawsweeper:fix-shape-clear to exempt-issue-labels in all 4 stale
workflow steps and the backfill-closures script's issueExemptLabels
set.

Previously, issues classified by ClawSweeper as actionable fix
candidates could still be marked stale and auto-closed, creating
a conflict between the two automation systems (e.g. #78640,
#81078, #81122 had both 'stale' and 'clawsweeper:queueable-fix').

Fixes #89564

* fix(status): render sub-1000 token counts as plain integers (#89736)

* fix(status): render sub-1000 token counts as plain integers

formatKTokens always divided by 1000 and appended "k", so token counts
below 1000 rendered as misleading fractional k in `openclaw status`
output (e.g. 999 rounded up across the boundary to "1.0k", 420 -> "0.4k",
a 300-token cache write -> "write 0.3k").

Guard value < 1000 to render the plain rounded integer, matching the
canonical formatTokenCount convention (src/utils/usage-format.ts). The
>=1000 "k" behavior is unchanged. Adds focused regression tests for the
0/420/999/1000/12000 boundary and small-session/small-cache status lines.

Fixes #89735

* fix(status): reuse canonical token formatter

* refactor(status): extract lightweight token formatter

---------

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* fix(agents): catch malformed image blocks in sanitizeContentBlocksImages (#92792)

* fix(agents): catch malformed image blocks in sanitizeContentBlocksImages

* fix(agents): sanitize malformed-only image results

---------

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* ci: gate stable releases on Windows companion assets (#92555)

* ci: gate stable releases on Windows companion assets

* fix(release): reject malformed Windows checksum manifests

* fix(release): make Windows recovery fail closed

* fix(release): tighten Windows asset identity checks

* fix(release): validate prepared candidate tarballs

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>

* fix(agents): add usage guidance to sessions_spawn tool description (fixes #91814) (#91824)

* fix(agents): add usage guidance to sessions_spawn tool description (fixes #91814)

* fix(agents): tighten sessions spawn guidance

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(feishu): await HTTP server shutdown during monitor cleanup

Source PR: https://github.com/openclaw/openclaw/pull/48588

Co-authored-by: alex sagit <267811734+alex-xuweilong@users.noreply.github.com>

* feat: add tool search directory mode

Add an experimental directory mode that keeps large authorized tool schemas deferred while exposing bounded discovery, exact deferred hydration, and normal OpenClaw policy/hook execution. Client tools remain directly visible; ambiguous hidden names fail closed.

* fix(qqbot): surface failed media sends (#92823)

* fix(qqbot): surface media send failures

* test(qqbot): cover text send failures

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(tailscale): preserve parse errors for malformed JSON

Accept the fail-closed behavior for malformed `tailscale funnel status --json`: noisy valid JSON should parse, but malformed status output should not silently become “route absent”.

Source PR: https://github.com/openclaw/openclaw/pull/63321

Co-authored-by: Francisco Maestre Torreblanca <2027043+franciscomaestre@users.noreply.github.com>

* Add diagnostics OTEL capability contract tests (#92045)

* fix(acp): accept MCP date protocolVersion in ACP server

Repairs https://github.com/openclaw/openclaw/pull/56176.
Fixes https://github.com/openclaw/openclaw/issues/56102.

Co-authored-by: Saurabh Mishra <2924124+bugkill3r@users.noreply.github.com>

* fix(hooks): reject slug-generator error payloads

Repairs https://github.com/openclaw/openclaw/pull/64181.

Co-authored-by: Cypher <28184436+Cypherm@users.noreply.github.com>

* fix(ui): repair iOS Safari chat viewport handling

Repairs https://github.com/openclaw/openclaw/pull/63644.

Review proof: local structured autoreview on branch review/pr-92855 against origin/main exited clean with no accepted/actionable findings.

Co-authored-by: Xi Qi <1311124+macdao@users.noreply.github.com>

* fix(update): continue after package doctor warnings (#91586)

* fix(update): continue after package doctor warnings

* fix(update): type advisory step rendering

* fix(update): preserve advisory doctor step state

* fix(update): share advisory doctor state

* fix(update): keep timed-out doctor failures blocking

* fix(update): require explicit doctor advisory result

* fix(update): reject malformed doctor advisory results

* fix(update): bound doctor advisory diagnostics

* fix(update): keep doctor advisory restart-neutral

* fix(update): protect doctor advisory IPC

* fix(update): scope doctor advisories to converging updater

* fix(update): scope doctor advisories to deferred repairs

* fix(update): secure doctor advisory IPC

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>

* fix(feishu): target typing reaction on inbound message

Target Feishu Typing reactions at the inbound message id while preserving reply and thread routing to the topic root.

This keeps the fallback to replyToMessageId for flows without a separate inbound target, and adds regression coverage for topic/replyInThread behavior and synthetic Feishu turn sources.

Based on and credits #67783 by @huiwen01. This replacement branch carries the same user-visible fix forward because #67783 is dirty against main and earlier automation could not update the fork branch with available permissions. This intentionally does not reuse or expand #73958; root_id routing remains separate.

Validation:
- pnpm check:changed
- pnpm -s vitest run extensions/feishu/src/bot.test.ts extensions/feishu/src/reply-dispatcher.test.ts extensions/feishu/src/monitor.reaction.test.ts
- autoreview clean: no accepted/actionable findings
- GitHub checks: 127 pass, 0 fail, 0 pending

Co-authored-by: huiwen01 <89329207+huiwen01@users.noreply.github.com>

* fix(lobster): surface workflow path errors

Surface missing bare Lobster workflow file paths instead of silently falling through to inline pipeline parsing.

The runner now treats plain workflow file inputs as file paths, keeps inline commands with file-like arguments as pipelines, and preserves existing workflow file paths that contain spaces. Regression coverage covers missing bare workflow paths, inline false positives, and spaced workflow filenames.

Fixes #68101.

Based on and credits #68106 by @vvitovec. This replacement branch carries the focused fix forward because #68106 is dirty against current main and could not be repaired on the fork branch with available bot permissions.

Validation:
- node scripts/run-vitest.mjs extensions/lobster/src/lobster-runner.test.ts
- autoreview clean: no accepted/actionable findings after the spaced-path fix
- GitHub checks: 127 pass, 0 fail, 0 pending

Co-authored-by: Viktor Vítovec <230458341+vvitovec@users.noreply.github.com>

* fix(cli): clarify --tz help text for offset-less --at values

Clarifies cron edit --at help after maintainer rebase and preserves the Gateway-host timezone wording for cron --tz help.

Validation:
- git diff --check
- node scripts/run-vitest.mjs src/cli/cron-cli.test.ts
- local Codex autoreview clean, no actionable findings

Co-authored-by: rrrrrredy <rrrrrredy@users.noreply.github.com>

* fix(agents): preserve valid reasoning replay metadata (#90682)

Preserve validated provider reasoning ciphertext, signatures, and replay identifiers through transcript redaction without exempting malformed, nested, or credential-shaped values.

Fixes #90093.

Co-authored-by: Elfka Toruviel <aeb31988340aa87b@toruviel.online>

* fix(anthropic): omit stale thinking from disabled requests (#92373)

Preserve signed thinking for active Anthropic tool-result continuation while omitting native thinking from completed history when the new request disables or omits thinking. Applies the same replay rule to the legacy SDK provider and managed Anthropic transport. Fixes #92360.

* docs(crabbox): warm Testbox in parallel

* fix(anthropic): merge consecutive assistant replay turns (#87346)

Merge adjacent Anthropic assistant turns before dangling tool-use validation so signed tool calls remain immediately paired with their tool results. Preserve contributor credit. Fixes #87329.

* fix(anthropic): quarantine invalid direct tool schemas (#92896)

Quarantine unreadable and structurally invalid direct/custom Anthropic tool schemas in both canonical request builders while preserving healthy siblings, forced-choice semantics, OAuth name mapping, and official OpenAI behavior.

Supersedes #89418, #89221, #90228, #89622, #89229, and #90278.

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(active-memory): preserve verbose recall summaries (#90739)

* fix(active-memory): preserve verbose recall summaries

* fix(active-memory): require recall evidence for recovery

* fix(active-memory): recognize capped recall results

* fix(active-memory): preserve grounded recall state

* refactor(active-memory): limit recovery to completed recalls

* fix(active-memory): ground terminal recall recovery

* fix(active-memory): limit unavailable recovery to completed replies

* fix(active-memory): harden recall evidence recovery

* fix(active-memory): preserve timeout recovery contract

* fix(active-memory): preserve capped failure evidence

* fix(active-memory): reject content-only recall failures

* fix(active-memory): ground completed recall summaries

* fix(active-memory): separate hook and recall timeouts

* fix(active-memory): classify custom tool failures

* fix(active-memory): preserve harness tool evidence

* fix(active-memory): reject explicit empty results

* fix(active-memory): wait for fallback recall evidence

* fix(codex): report dynamic tool results

* fix(active-memory): separate preflight recall deadline

* fix(active-memory): normalize recall tool names

* fix(agents): classify unavailable approvals

* docs(active-memory): clarify hook timeout phases

* test(active-memory): stabilize timeout abort proof

* fix(agents): preserve successful cancellation outcomes

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>

* fix(gateway): deliver command block replies in webchat

(cherry picked from commit 33390ee88f5c8325efc60d1793c532a9489a5a72)

* docs(changelog): refresh 2026.6.8 notes

(cherry picked from commit 0b5cb00980c68a39b8fb1d77f6c04e9733bcbb09)

* fix(gateway): preserve slash command media replies

* Simplify QA scorecard mapping shape (#92558)

* test(qa): simplify scorecard mapping shape

* test(qa): use typed scorecard evidence refs

* test(qa): map scorecard categories by coverage id

* feat: align qa coverage with taxonomy features

* refactor: keep qa coverage ids canonical

* refactor: minimize qa coverage id churn

* test: align qa coverage id assertions

* test: update qa evidence coverage expectations

* refactor qa taxonomy coverage ids

* style qa taxonomy coverage ids

* test qa coverage lint fix

* test qa coverage type fix

* fix(memory-wiki): stop flagging raw source pages as malformed (#92876)

* fix(memory-wiki): stop flagging raw source pages as malformed

* fix(clownfish): address review for gitcrawl-11828-autonomous-smoke (1)

* fix(memory-wiki): skip freshness lint for raw source pages

* fix(memory-wiki): keep raw source ids linted

---------

Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com>
Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* fix(providers): quarantine unreadable Anthropic payload tools (#92908)

Quarantine unreadable and invalid Anthropic-family tool schemas before OpenAI-compatible serialization, keep tool choices aligned with surviving tools, and preserve provider metadata.

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(memory): preserve reindex rollback recovery (#92881)

* fix(memory): preserve reindex rollback recovery

Co-authored-by: Shiwen Han <46259514+TSHOGX@users.noreply.github.com>

* fix(clownfish): address review for gitcrawl-5644-autonomous-smoke (1)

Co-authored-by: Shiwen Han <46259514+TSHOGX@users.noreply.github.com>

* test: update memory reindex test routing expectation

* chore(memory): remove release changelog entry

* fix(memory): complete reindex retry recovery

---------

Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com>
Co-authored-by: Shiwen Han <46259514+TSHOGX@users.noreply.github.com>
Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* test(agents): skip anthropic billing drift in live tool checks

* test(qa): align tool coverage CLI expectation

* test(gateway): keep trajectory export live proof correlated

* fix(openai): quarantine unreadable tool schemas (#92921)

Snapshot unreadable OpenAI tool descriptors and schemas before payload construction, preserve healthy siblings, and reconcile hard tool choices with the surviving function inventory.

Adds live-tested Responses and Chat Completions coverage, including allowed_tools, while keeping Anthropic regressions green.

Related: #89413, #89013, #89016, #89378, #89543, #90200, #90283, #90286, #90397

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* Fold Telegram RTT sampling into live QA evidence (#92550)

* refactor(qa): fold telegram rtt into live evidence

* test: default package telegram rtt samples

* refactor(qa-lab): fold telegram rtt into live evidence

* fix(qa-lab): keep package telegram rtt optional for focused runs

* fix(qa-lab): avoid stale rtt evidence on failed samples

* fix(qa-lab): pass telegram live env into credential leasing

* fix(qa-lab): update telegram canary remediation artifacts

* docs(qa): remove stale telegram observed artifact guidance

* fix(qa-lab): clarify telegram empty-reply remediation

* fix(qa-lab): honor telegram rtt timeout

* ci(qa): drop stale telegram capture env

* refactor: align telegram evidence coverage fields

* fix: ignore stale telegram observed artifacts

* fix: preserve telegram rtt coverage mapping

* fix: omit unused telegram rtt catch binding

* docs: document telegram rtt check selector

* test(gateway): allow trajectory export instruction latency

* fix(media): route OAuth image defaults through Codex (#92824)

Route implicit OpenAI image understanding through the Codex app-server for eligible OpenAI OAuth profiles. Preserve scoped and persisted credential ownership plus the rotating-token refresh lifecycle for isolated clients.

Fixes #87168

Thanks @bek91.

* fix(cli): avoid false downgrade prompt for latest tag

Keep unresolved latest package targets moving while preserving downgrade confirmation for unresolved non-latest dist-tags.

Validation:

- node scripts/run-vitest.mjs src/cli/update-cli.test.ts

- node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.test.src.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/test-src-pr92911.tsbuildinfo

- git diff --check origin/main...HEAD && git diff --check

Direct-landed from #92911 because the source branch has maintainer edits disabled and ClawSweeper requested changelog removal plus behavior proof.

Co-authored-by: Andy Wu <31586206+Andy312432@users.noreply.github.com>

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* fix(openai): guard post-hook tool payloads (#92928)

Guard OpenAI post-hook tool inspection and code-mode filtering against unreadable accessors and asynchronous payload replacements. Preserve valid official `exec` and `wait` function tools across Responses and Chat Completions paths.

Supersedes #89703.

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(sessions): restore reset archive fallback reads

Fall back to valid reset transcript archives when active async session transcripts are missing, while keeping active transcript priority and choosing the newest valid archive across roots.

Validation:

- node scripts/run-vitest.mjs src/gateway/session-utils.fs.test.ts src/gateway/sessions-history-http.test.ts src/gateway/sessions-history-http.revocation.test.ts src/gateway/session-history-state.test.ts src/gateway/server.chat.gateway-server-chat-b.test.ts src/gateway/managed-image-attachments.test.ts src/agents/tools/embedded-gateway-stub.test.ts src/tui/embedded-backend.test.ts

- node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.test.src.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/test-src-pr92879.tsbuildinfo

- git diff --check origin/main...HEAD && git diff --check

- autoreview --mode branch --base origin/main: clean

Direct-landed from #92879 because the source branch has maintainer edits disabled and the landed diff needed maintainer repair before merge.

Co-authored-by: Masato Hoshino <246810661+masatohoshino@users.noreply.github.com>

Co-authored-by: Hu Yitao <39733381+CadanHu@users.noreply.github.com>

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* fix(feishu): re-resolve route when dynamic agent binding already exists in runtime config (fixes #42837) (#92814)

* fix(feishu): re-resolve route when dynamic agent binding already exists in runtime config

When dynamicAgentCreation is enabled and a binding was previously written
to the config file (e.g. from a prior message), the in-memory cfg may be
stale and not contain the binding. Previously, maybeCreateDynamicAgent
returned { created: false, updatedCfg: cfg } with the stale cfg, and
bot.ts only re-resolved the route when created === true. This caused
subsequent messages to still route to agent:main.

Fix: check runtime.config.current() for the binding when it is missing
from the in-memory cfg. When found, return the runtime's current config
so the caller can re-resolve the route with up-to-date bindings.

Fixes #42837

* fix(feishu): serialize dynamic agent config updates

* fix(feishu): route with refreshed runtime config

* fix(feishu): use current dynamic-agent policy

* fix(feishu): reauthorize refreshed dynamic routes

* fix(feishu): authorize dynamic agent mutations

* fix(feishu): complete account-scoped dynamic routing

* fix(feishu): revalidate current direct routes

* fix(feishu): isolate named-account dynamic agents

* fix(feishu): bound named dynamic agent ids

* docs(feishu): explain legacy dynamic agent cap

* test(feishu): fix dynamic routing check types

---------

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* fix(release): harden beta validation gates

(cherry picked from commit 91eeda0d708c2d8dac7c09c259b7cf390193f83f)

* test(release): unblock beta validation checks

* fix: restart gateway after isolated cron setup timeout

Restart the gateway after isolated cron setup timeouts and harden stale cron-task finalization around restart/reload boundaries.

Verification: focused cron/tasks/CLI regression suites, gateway filesystem/session regression suite, test typecheck, core lint shards, git diff --check, autoreview, Blacksmith Testbox changed gate tbx_01kv2srgbex71w9ce5rwv2wtr4, and clean GitHub PR checks on 13d06b5d6f9be057510942314b133316aff0d7cc.

* fix(openai): omit gpt-5.5 tool reasoning effort (#90574)

Fix GPT-5.5 Chat Completions tool requests by omitting the incompatible reasoning effort only on verified OpenAI and Azure routes. Preserve no-tool requests and nonblank custom OpenAI-compatible providers; add official regional endpoint metadata plus OpenAI and Anthropic live regression proof.

Co-authored-by: Thomas Krohnfuß <thomas.krohnfuss@stud.th-luebeck.de>

* test(gateway): isolate trajectory export live seed turn

* test(installer): stabilize npm prefix probe test

* fix(openai): recover invalid reasoning signatures (#92941)

* test(gateway): authorize trajectory export live command

* fix(agents): clamp subagent spawn thinking overrides

Fixes #92412.

Subagent spawns that request an unsupported explicit thinking level now clamp through the existing provider/model thinking fallback instead of hard-failing after the orchestrator has already received an accepted ack. The exception is limited to trusted subagent spawn runs by requiring both the subagent lane and a subagent-shaped session key, so interactive and non-subagent explicit `--thinking` validation still fails loudly.

Verification:
- `node scripts/run-vitest.mjs src/agents/agent-command.live-model-switch.test.ts --maxWorkers=1`
- `.agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main`
- Testbox-through-Crabbox `tbx_01kv2wt0nqavsmnvzzzy2antrc`: `OPENCLAW_CHECK_CHANGED_REMOTE_CHILD=1 OPENCLAW_CHANGED_LANES_RAW_SYNC=1 corepack pnpm check:changed`
- GitHub PR checks clean on `c71186863337d9dfb9a18e5349ebef634a7d5ccd`

* test(openai): extend live STT fixture timeout

* fix(subagents): preserve config-selected child model overrides

* fix(subagents): handle configured bare model provenance

* fix(gateway): degrade config watcher to polling

Fixes #92851.

When native filesystem watching exhausts its retry budget, the gateway config reloader now falls back to polling instead of disabling hot reload for the rest of the process. The watcher state tracks the effective Chokidar polling mode, including CHOKIDAR_USEPOLLING overrides, so forced polling avoids a redundant native phase and forced native mode reports an accurate native-mode disable.

Verification:
- node scripts/run-vitest.mjs src/gateway/config-reload.test.ts --maxWorkers=1
- .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
- Testbox-through-Crabbox tbx_01kv2xvbqkv4dmvvvsswzm75hz: OPENCLAW_CHECK_CHANGED_REMOTE_CHILD=1 OPENCLAW_CHANGED_LANES_RAW_SYNC=1 corepack pnpm check:changed
- GitHub PR checks clean on c9762c5159a2ef75aa23d2af2a5435d0d8bf6b63

* fix(gateway): build row metadata for single session lists

Refs #92057.

Build the request-scoped row metadata context for every non-empty sessions.list result, including limit=1, so single-row lists use the shared subagent metadata read index instead of direct per-row registry snapshot lookups. This keeps the existing single-row store child-session candidate optimization intact while removing the single-row metadata-cache gap.

Verification:
- node scripts/run-vitest.mjs src/gateway/session-utils.single-row-cache.test.ts --maxWorkers=1
- .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
- Crabbox run_f89b56ffea83 / cbx_f1b1f5013225: OPENCLAW_CHECK_CHANGED_REMOTE_CHILD=1 OPENCLAW_CHANGED_LANES_RAW_SYNC=1 corepack pnpm check:changed
- GitHub PR checks clean on 1ba6619f2ee6491c40b49dd425597bb1b50638ca

* fix(memory-wiki): tolerate artifacts without agent ids

Fixes #92207.

Normalize public memory artifacts at the memory host boundary so providers that omit agentIds produce an empty list instead of throwing during artifact cloning, sorting, or memory-wiki bridge import. The bridge now renders those artifacts with unknown agents while downstream consumers still receive stable array-shaped metadata.

Verification:
- node scripts/run-vitest.mjs src/plugins/memory-state.test.ts extensions/memory-wiki/src/bridge.test.ts --maxWorkers=1
- .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
- Crabbox run_2a30de5d0a00 / cbx_3684cb0b7ea5: OPENCLAW_CHECK_CHANGED_REMOTE_CHILD=1 OPENCLAW_CHANGED_LANES_RAW_SYNC=1 corepack pnpm check:changed
- GitHub PR checks clean on 19678ed60f79778f407700dc35f675cde0357054

* test(gateway): unblock trajectory export live release gate

* fix(lmstudio): honor thinking off for binary reasoning models (#92002)

Scope disabled-thinking payload repair to LM Studio's lightweight provider stream hook. Preserve official OpenAI and Anthropic tool-calling paths.

Co-authored-by: David <32288+nxmxbbd@users.noreply.github.com>

* fix(auto-reply): deliver channel message-tool final replies

Clarify that interim assistant text remains visible under message_tool_only delivery while the final answer must use the message tool, and forward progress for channel message-tool turns once the message tool has delivered the final reply.

Co-authored-by: Forge <forge@psiclawops.dev>

Co-authored-by: Chisel <chisel@psiclawops.dev>

* fix(auto-reply): align message-tool progress gating

* test(auto-reply): assert allowed suppressed progress gating

* test(auto-reply): trim duplicate progress assertion

* fix(auto-reply): share message-tool delivery hints

* fix(plugin-sdk): expose delivery hints without utility imports

* fix(auto-reply): strip delivery hints from leading metadata

* fix(release): preserve child release check refs

* fix(agents): recover genericized Anthropic thinking errors (#92916)

Recover invalid Anthropic thinking replays when provider details survive genericization in SDK, failover, cause-chain, or terminal stream error fields.

The recovery matcher now uses cycle-safe named error carriers, avoids scanning assistant content and tool arguments, and retains one retry per provider call. Focused regressions cover each carrier, cyclic causes, terminal errors, and false-positive payload text.

Addresses the recovery path in #92201. The separate root cause that creates or persists invalid signatures remains open for investigation.

Co-authored-by: wlzeng0668001202 <ceng.wenlong@xydigit.com>

* refactor: add session accessor seam with gateway consumer (#90463)

Merged via squash.

Prepared head SHA: 58aa59eaf8059c31a2a70f859eeb96ee35e5beb2
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman

* fix(webchat): route trajectory slash export before agent dispatch

* fix(ci): skip session accessor guard for older targets

* fix(agents): drop incomplete reasoning replay turns (#88656)

Drop assistant replay turns that ended at the token limit with only incomplete hidden reasoning while preserving visible text, tool calls, empty turns, and unknown content shapes. Apply the same classification to embedded replay and public transport transforms, with focused regression, live OpenAI/Anthropic provider proof, docs, autoreview, Testbox, and green CI.

Co-authored-by: clawstation <abel@stationzero.ai>

* fix(gateway): async trajectory export approvals

* feat(webui): add session workspace rail (#92856)

* feat(webui): add session workspace rail

* fix(webui): address session workspace review

* fix(webui): secure session workspace previews

* fix(webui): handle nested session workspace paths

* fix(webui): update session file protocol models

* fix(webui): clear session rail lint

* docs(browser-control): document OPENCLAW_EAGER_BROWSER_CONTROL_SERVER requirement (#92845)

The standalone loopback HTTP API only starts when
OPENCLAW_EAGER_BROWSER_CONTROL_SERVER=1 is set in the gateway
service environment. Without it, browser control works via CLI and
agent tools but nothing listens on the loopback control port.

Fixes #92841

* fix: use passive periodic sqlite wal checkpoints

Use PASSIVE for periodic SQLite WAL checkpoints while keeping explicit checkpoint() and close() on TRUNCATE by default.

Preserve the old interval export as a compatibility alias, add the neutral interval export, and update the task storage docs contract.

Fixes #81715.

* fix(google): route Gemini CLI OAuth through the env proxy (#46184) (#92815)

* fix(mattermost): merge progress preview lines by identity (#91331)

* fix(mattermost): merge progress preview lines by identity

* fix(mattermost): preserve progress across assistant boundaries

* fix(mattermost): compose reasoning with progress previews

* fix(channels): reset reasoning progress at block boundaries

* fix(channels): align tool progress line identities

* fix(channels): keep tool call identity mapping injective

---------

Co-authored-by: leon <leon@gmail.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(tui): keep spinner active when toggling tools (#92909)

* fix(tui): keep spinner active when toggling tools

* fix(tui): preserve finishing status when toggling tools

---------

Co-authored-by: zengwen <zeng_wen@foxmail.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(elevenlabs): use current TTS model ids (#92904)

* fix(elevenlabs): use current TTS model ids

* fix(elevenlabs): preserve served legacy model choices

---------

Co-authored-by: Ariel Bravy <ariel@vortexradar.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(gateway): run export helpers through cli entry

* fix #86872: Subagent run reports success but fails to write output file (#92642)

* fix(codex): wait for native subagent completion

Codex native subagent lifecycle status is only a progress signal; the task row should not report success until the transcript or native completion result is available.

* fix(codex): preserve later native subagent failures

* test(codex): freeze authoritative subagent results

* fix(codex): preserve remote V1 completion fallback

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(gateway): track effective watcher polling mode

* test(gateway): allow optional trajectory metadata bundle

* test(gateway): expect trajectory session branch bundle

* refactor: route command session reads through seam (#89122)

Merged via squash.

Prepared head SHA: 73218cc7cd336c7389785960364aed4049a1affd
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman

* fix(reply): deliver final reply when queued follow-up claims session; scope dedupe to routed thread (#90943)

* fix(reply): deliver final reply when queued follow-up claims session; scope dedupe to routed thread

Two core bugs caused composed replies to be silently dropped (no delivery,
no error) when a second message arrived in the same thread mid-run:

1. dispatch-from-config: ensureDispatchReplyOperation only kept the
   dispatch-owned operation authoritative while it had no result. Once
   runReplyAgent completed the operation to drain queued follow-ups, a
   second same-thread inbound could claim the session and the first final
   reply would try to re-acquire the lane instead of finishing delivery,
   deadlocking behind the queued work. Keep the dispatch-owned operation
   authoritative through final delivery.

2. reply-payloads-dedupe: messaging-tool reply dedupe compared only the
   channel target, not the routed thread, so a send in one thread could
   suppress a later reply in a different thread. Thread the routed thread
   id through buildReplyPayloads + follow-up delivery and only fall back to
   channel-only matching for providers without a thread-aware suppression
   matcher when neither side carries thread evidence.

Adds regression tests; existing Telegram topic-suppression behavior is
preserved by gating the thread guard to providers lacking a plugin matcher.

* fix(reply): preserve threaded message delivery evidence

* fix(reply): dedupe final payloads by delivery route

* fix(slack): preserve native send thread evidence

* fix(reply): preserve explicit reply thread evidence

* fix(reply): align explicit reply route dedupe

* fix(reply): preserve delivery lane through final dispatch

* fix(mattermost): preserve threaded tool send routes

* chore(plugin-sdk): refresh API baseline

* fix(reply): align final delivery route dedupe

* fix(reply): gate followups on final delivery

* fix(reply): keep send receipts private

* fix(reply): infer implicit message provider

* fix(reply): align routed threading policy

* fix(reply): preserve queued delivery context

* fix(reply): hydrate queued system event routes

* fix(reply): hydrate queued execution routes

* fix(reply): scope final delivery barriers

* fix(slack): preserve DM target aliases

* fix(reply): mirror resolved source thread routes

* fix(mattermost): retain delayed delivery barrier

* fix(codex): separate message routing from tool policy

* fix(reply): consume normalized Slack DM targets once

* fix(slack): remove stale target alias

* style(reply): satisfy changed lint gates

* fix(mattermost): preserve explicit reply targets

* test: align Slack reply branch checks

* fix(reply): persist overflow summaries to admitted session

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>

* fix(skills): keep managed prompt paths readable (#92894)

* fix(skills): keep managed prompt paths readable

* fix(skills): preserve only managed skill prompt paths

* chore: refresh proof gate

* fix(skills): refresh managed prompt snapshots

* fix(skills): preserve plugin prompt paths in state roots

* test(skills): use generic state-root path names

Signed-off-by: sallyom <somalley@redhat.com>

---------

Signed-off-by: sallyom <somalley@redhat.com>
Co-authored-by: sallyom <somalley@redhat.com>

* test(gateway): retry chat temp cleanup

* fix: refresh slash command routing config (#39617)

Use the active runtime snapshot for Discord and Slack native command routing and Discord autocomplete after config hot writes.

Fixes #39605

Co-authored-by: Peter Steinberger <steipete@gmail.com>

* fix(agents): retry thinking-only errored turns (#92191)

Retry replay-safe reasoning-only provider errors before assistant failover while preserving classified fallback and terminal-output ownership. Adds deterministic Anthropic gateway fault-injection coverage and focused regression tests.\n\nCo-authored-by: ai-hpc <mail.speedy.hpc@hotmail.com>

* fix(memory): clean stale reindex temp files (#92891)

* fix(memory): clean stale reindex temp files

* fix(memory): harden stale reindex cleanup

* fix(memory): serialize safe reindex cleanup

* fix(memory): satisfy reindex lock lint

---------

Co-authored-by: zengwen <zeng_wen@foxmail.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* feat(openrouter): surface Fusion panel config (#93005)

Signed-off-by: sallyom <somalley@redhat.com>

* fix(state): harden sqlite path caching

Resolve explicit relative SQLite DB paths before caching handles and centralize durable SQLite connection pragmas so busy_timeout is applied before WAL/NFS negotiation.

* fix(gateway): repair usage cost aggregation across agents (#93022)

* fix(gateway): aggregate usage co…
wangmiao0668000666 pushed a commit to wangmiao0668000666/openclaw that referenced this pull request Jun 17, 2026
* fix(memory): clean stale reindex temp files

* fix(memory): harden stale reindex cleanup

* fix(memory): serialize safe reindex cleanup

* fix(memory): satisfy reindex lock lint

---------

Co-authored-by: zengwen <zeng_wen@foxmail.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
zhfnini-rgb added a commit to zhfnini-rgb/openclaw that referenced this pull request Jun 22, 2026
…w backup

On hard kill (SIGKILL, OOM, host reboot), the in-process finally block in createBackupArchive cannot fire, orphaning multi-GB staging dirs (openclaw-backup-*) and temp archives (*.uuid.tmp) in os.tmpdir(). Nothing reaps them, so they accumulate across interrupted runs.

Add sweepStaleBackupArtifacts() that runs at the start of each backup create, removing the tool's own stale artifacts older than a 1-hour grace window. This follows the same pattern as openclaw#92891 (memory backend reindex temps).

Fixes openclaw#95582
badgerbees pushed a commit to badgerbees/openclaw that referenced this pull request Jul 8, 2026
* fix(memory): clean stale reindex temp files

* fix(memory): harden stale reindex cleanup

* fix(memory): serialize safe reindex cleanup

* fix(memory): satisfy reindex lock lint

---------

Co-authored-by: zengwen <zeng_wen@foxmail.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

extensions: memory-core Extension: memory-core merge-risk: 🚨 availability 🚨 May cause crashes, hangs, restart loops, stalls, or process outages. merge-risk: 🚨 other 🚨 Merging this PR has meaningful risk outside the owned taxonomy. P2 Normal backlog priority with limited blast radius. proof: supplied External PR includes structured after-fix real behavior proof. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. size: L status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Builtin memory backend leaks orphaned *.sqlite.tmp-<uuid> reindex files on hard restart (no startup sweep)

3 participants