Skip to content

fix(core): propagate caller env PATHEXT through isExecutableFile on Windows#98093

Merged
vincentkoc merged 4 commits into
openclaw:mainfrom
wendy-chsy:fix/isExecutableFile-env-propagation
Jul 1, 2026
Merged

fix(core): propagate caller env PATHEXT through isExecutableFile on Windows#98093
vincentkoc merged 4 commits into
openclaw:mainfrom
wendy-chsy:fix/isExecutableFile-env-propagation

Conversation

@wendy-chsy

@wendy-chsy wendy-chsy commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

What Problem This Solves

On Windows, isExecutableFile hardcodes undefined when calling resolveWindowsExecutableExtSet, ignoring any caller-provided custom env.PATHEXT. This means resolveExecutablePath and resolveExecutableFromPathEnv fall back to process.env.PATHEXT even when the caller supplied a different env with an extended PATHEXT (e.g. .PS1).

The same invariant exists in the sibling system.which resolver in src/node-host/invoke.ts.

This affects Windows deployments using sandbox/container environments where PATHEXT differs from process.env (Docker Windows containers, CI runners, isolated test environments).

Evidence

Windows CI run (windows-latest, all 17 tests pass)

CI run: https://github.com/wendy-chsy/openclaw/actions/runs/28435337278

 ✓ caller env PATHEXT propagation > isExecutableFile respects caller env.PATHEXT on Windows
 ✓ caller env PATHEXT propagation > isExecutableFile fallback to process.env when no caller env is given
 ✓ caller env PATHEXT propagation > resolveExecutableFromPathEnv uses caller env PATHEXT on Windows
 ✓ caller env PATHEXT propagation > resolveExecutablePath with path separator passes env to PATHEXT check on Windows
 ✓ caller env PATHEXT propagation > resolveExecutablePath without path separator falls back to PATH env
 ✓ caller env PATHEXT propagation > resolveExecutablePath with path separator falls back to process.env when no caller env given

 Test Files  1 passed (1)
      Tests  17 passed | 1 skipped (18)

Real Windows terminal proof (Windows 11, standalone script)

=== Test 1: isExecutableFile with custom PATHEXT ===
File: D:\Temp\openclaw-pathtest-1782824699437\hello.ps1

with env { PATHEXT: '.PS1' } => true
Expected: true

with env { PATHEXT: '.TXT' } => false
Expected: false

=== Test 2: resolveExecutablePath with custom PATHEXT ===
resolveExecutablePath('tool.ps1', env with PATHEXT .PS1) => D:\Temp\openclaw-pathtest-1782824699437\bin\tool.ps1
Expected: D:\Temp\openclaw-pathtest-1782824699437\bin\tool.ps1

resolveExecutablePath('tool.ps1') without env => undefined
Expected: undefined (not executable via default PATHEXT)

=== All tests passed on REAL Windows ===

Evidence: A standalone Node.js script calling the actual exported functions (isExecutableFile, resolveExecutablePath) directly on a real Windows 11 machine — not a test framework. All 4 assertions passed, proving:

  1. isExecutableFile accepts caller env PATHEXT (.PS1true)
  2. isExecutableFile falls back to process.env when no env given (.TXTfalse)
  3. resolveExecutablePath finds the file when caller env has matching PATHEXT
  4. resolveExecutablePath returns undefined without caller env (backward compat preserved)

Behavior or issue addressed: isExecutableFile ignored caller env.PATHEXT on Windows, causing false negatives when custom env has extended PATHEXT.

Fix

  • src/infra/executable-path.ts: Added optional options.env parameter to isExecutableFile; resolveWindowsExecutableExtSet now reads from options?.env instead of undefined; all 3 callers pass their available env through
  • src/node-host/invoke.ts: system.which resolver now checks caller env PATHEXT before falling back to process.env.PATHEXT
  • Fully backward compatible: undefined env falls back to process.env.PATHEXT, preserving existing behavior

Tests and validation

  • pnpm test src/infra/executable-path.test.ts — 17 passed, 1 skipped (both Linux and real Windows)
  • 6 new tests specifically for caller env PATHEXT propagation on Windows
  • Real Windows standalone script proving the fix works outside test framework
  • The 3 unrelated errors.test.ts failures are pre-existing on main

Risk checklist

  • User-facing behavior change: No (backward compatible, undefined env = same behavior)
  • Config/API surface change: Yes — isExecutableFile signature changed (added optional param)
  • Security impact: No
  • Breaking for plugins: No (existing callers with single argument still work)

Co-Authored-By: Claude noreply@anthropic.com

Additional fixes (2026-06-30)

  • Added and casing to both PATHEXT lookup functions — callers using PascalCase in their env object are now supported
  • Isolated all positive PATHEXT tests from host by explicitly setting it to before each test

…indows

isExecutableFile hardcoded undefined when calling resolveWindowsExecutableExtSet,
ignoring any caller-provided custom env.PATHEXT. This meant resolveExecutablePath
and resolveExecutableFromPathEnv would fall back to process.env.PATHEXT even when
the caller supplied a different env with an extended PATHEXT (e.g. .PS1).

- Add optional options.env parameter to isExecutableFile
- resolveWindowsExecutableExtSet now reads from options?.env
- All 3 callers pass their available env through

Affects Windows deployments using sandbox/container environments where
PATHEXT differs from process.env (Docker Windows containers, CI runners, tests).
Fully backward compatible: undefined env falls back to process.env.PATHEXT.
@openclaw-barnacle openclaw-barnacle Bot added size: XS triage: needs-pr-context Candidate: external PR body lacks required problem context or evidence. labels Jun 30, 2026
@clawsweeper

clawsweeper Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Codex review: needs maintainer review before merge. Reviewed June 30, 2026, 10:51 AM ET / 14:51 UTC.

Summary
The PR threads caller-provided Windows PATHEXT/PathExt values through shared executable-path checks and node-host system.which, with regression coverage.

PR surface: Source +11, Tests +126. Total +137 across 3 files.

Reproducibility: yes. Source inspection shows current main can expand candidates from caller PATHEXT but validate them against process PATHEXT, and the PR body includes real Windows terminal proof for the fixed exported functions.

Review metrics: 1 noteworthy metric.

  • Executable-resolution env surface: 1 optional helper parameter added; 2 PATHEXT lookup paths changed. Windows command discovery now depends on caller PATHEXT being handled consistently across the shared helper and node-host system.which.

Stored data model
Persistent data-model change detected: serialized state: src/infra/executable-path.test.ts. Confirm migration or upgrade compatibility proof before merge.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

  • [P1] Latest-head OpenClaw CI was still in progress during live inspection; this is routine merge gating rather than a code finding.

Maintainer options:

  1. Decide the mitigation before merge
    Land the narrow env-propagation fix after latest-head CI completes and maintainer review accepts the backward-compatible helper parameter.
  2. Pause or close
    Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

  • No ClawSweeper repair lane is needed; the remaining action is ordinary maintainer review and CI gating.

Security
Cleared: No concrete security or supply-chain concern found; the diff changes local executable lookup and tests without new dependencies, workflows, secrets, or downloaded code.

Review details

Best possible solution:

Land the narrow env-propagation fix after latest-head CI completes and maintainer review accepts the backward-compatible helper parameter.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows current main can expand candidates from caller PATHEXT but validate them against process PATHEXT, and the PR body includes real Windows terminal proof for the fixed exported functions.

Is this the best way to solve the issue?

Yes. Threading the same env into validation, PATH lookup, path-separator lookup, and node-host system.which is the narrow maintainable fix; a separate Windows resolver would duplicate existing helper responsibility.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 6cb82eaab865.

Label changes

Label changes:

  • add rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
  • remove rating: 🐚 platinum hermit: Current PR rating is rating: 🦞 diamond lobster, so this older rating label is no longer current.

Label justifications:

  • P2: The PR fixes a bounded Windows executable-resolution bug with limited blast radius and no blocking code finding.
  • rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body includes real Windows terminal output for the actual exported lookup functions after the fix, with a successful Windows CI run as supplemental evidence.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes real Windows terminal output for the actual exported lookup functions after the fix, with a successful Windows CI run as supplemental evidence.
Evidence reviewed

PR surface:

Source +11, Tests +126. Total +137 across 3 files.

View PR surface stats
Area Files Added Removed Net
Source 2 17 6 +11
Tests 1 126 0 +126
Docs 0 0 0 0
Config 0 0 0 0
Generated 0 0 0 0
Other 0 0 0 0
Total 3 143 6 +137

What I checked:

  • Repository policy read: Root AGENTS.md was read fully; no scoped AGENTS.md owns src/infra or src/node-host, so the root read-beyond-diff and source/proof/history review policy applied. (AGENTS.md:1, 6cb82eaab865)
  • Current-main shared helper bug: Current main expands Windows executable candidates from caller env but validates file extensions through resolveWindowsExecutableExtSet(undefined), so a caller PATHEXT such as .PS1 can be ignored during validation. (src/infra/executable-path.ts:85, 6cb82eaab865)
  • Current-main node-host mismatch: Current main resolves system.which PATH entries from the provided env but reads Windows PATHEXT only from process.env, creating the same caller-env mismatch in node-host command discovery. (src/node-host/invoke.ts:378, 6cb82eaab865)
  • PR-head fix shape: The PR diff adds an optional env argument to isExecutableFile, passes it from resolveExecutableFromPathEnv and resolveExecutablePath, and extends both shared and node-host PATHEXT lookups to include PATHEXT, PathExt, and Pathext casing. (src/infra/executable-path.ts:76, c4f400a7da39)
  • Regression coverage and real proof: The PR body includes real Windows terminal output for the exported executable lookup functions, and the linked fork Windows proof run completed successfully for src/infra/executable-path.test.ts. (src/infra/executable-path.test.ts:220, c4f400a7da39)
  • Caller and sibling surfaces checked: The node-host system.run path sanitizes and reuses env for authorization and execution, while the plugin SDK Windows resolver already honors env PATHEXT; the PR aligns the shared helper and system.which with that invariant rather than adding a duplicate resolver. (src/node-host/invoke-system-run.ts:454, 6cb82eaab865)

Likely related people:

  • steipete: History shows Peter Steinberger authored/refactored the shared executable-path helper and several node-host exec boundaries that this PR changes. (role: feature-history contributor; confidence: high; commits: e36c563775a2, 6058eacaec88, 1d46d3ae4ea3; files: src/infra/executable-path.ts, src/node-host/invoke.ts)
  • Angfr95: The May 2026 Windows PATHEXT shim fix touched the same executable-path and test surface and is directly adjacent to this PR's Windows lookup behavior. (role: adjacent Windows executable-resolution contributor; confidence: medium; commits: f126f72d6388; files: src/infra/executable-path.ts, src/infra/executable-path.test.ts)
  • jesse-merhi: Recent history shows command authorization and resolution changes in src/node-host/invoke.ts, the sibling runtime path updated by this PR. (role: recent node-host command-resolution contributor; confidence: medium; commits: c9707ab635b9; files: src/node-host/invoke.ts)
  • joshavant: History includes Windows-friendly executable path assertion work on the same helper and test surface. (role: adjacent executable-path test contributor; confidence: medium; commits: f4fef64fc141; files: src/infra/executable-path.ts, src/infra/executable-path.test.ts)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal backlog priority with limited blast radius. labels Jun 30, 2026
…lver

- Fix sibling system.which resolver in src/node-host/invoke.ts:378
  to use caller env PATHEXT instead of process.env only
- Add comprehensive Windows-mocked tests for caller env PATHEXT
  propagation through isExecutableFile, resolveExecutableFromPathEnv,
  and resolveExecutablePath
- Tests cover: custom env accepted, fallback to process.env,
  path-separator and PATH-based resolution paths
@wendy-chsy

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@openclaw-barnacle openclaw-barnacle Bot removed the triage: needs-pr-context Candidate: external PR body lacks required problem context or evidence. label Jun 30, 2026
@wendy-chsy

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

2 similar comments
@wendy-chsy

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

@wendy-chsy

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

@openclaw-barnacle openclaw-barnacle Bot added the triage: needs-pr-context Candidate: external PR body lacks required problem context or evidence. label Jun 30, 2026
@wendy-chsy

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

@openclaw-barnacle openclaw-barnacle Bot removed the triage: needs-pr-context Candidate: external PR body lacks required problem context or evidence. label Jun 30, 2026
@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. and removed rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jun 30, 2026
… resolver

- Add env?.PathExt and process.env.PathExt casing to both
  resolveWindowsExecutableExtSet and resolveWindowsExecutableExtensions
  for compatibility with callers using PascalCase env keys
- Isolate positive PATHEXT tests from process.env.PATHEXT by
  explicitly setting it to .TXT before each test, ensuring they
  prove caller env propagation rather than host env leak
@wendy-chsy

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@wendy-chsy

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. rating: 🦞 diamond lobster Very strong PR readiness with only minor maintainer review expected. and removed rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. labels Jun 30, 2026
@vincentkoc vincentkoc merged commit 8028269 into openclaw:main Jul 1, 2026
122 of 130 checks passed
vincentkoc added a commit that referenced this pull request Jul 1, 2026
* 'main' of https://github.com/openclaw/openclaw: (29 commits)
  refactor(gateway): trim attach grant implementation
  feat(gateway): scoped attach grants for external MCP loopback clients
  fix(gateway): iOS Talk treats SecretRef-backed API keys as missing (#98210)
  test(infra): add unit tests for SQLite number normalization (#98009)
  test(config): add unit tests for resolveExecCommandHighlighting (#98087)
  test(utils): add unit tests for chunkItems (#98219)
  fix(core): propagate caller env PATHEXT through isExecutableFile on Windows (#98093)
  fix(matrix): guard JSON.parse against malformed homeserver response bodies (#97973)
  fix(sms): guard Twilio JSON.parse against malformed API response bodies (#97999)
  Add Swedish mobile app localization (#98043)
  fix(anthropic): surface Discord pre-tool commentary
  fix(tui): correct disconnect copy for device scope upgrades (#98144)
  chore(ui): refresh fa control ui locale
  chore(ui): refresh nl control ui locale
  chore(ui): refresh vi control ui locale
  chore(ui): refresh th control ui locale
  chore(ui): refresh pl control ui locale
  chore(ui): refresh uk control ui locale
  chore(ui): refresh id control ui locale
  chore(ui): refresh tr control ui locale
  ...
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request Jul 1, 2026
…indows (openclaw#98093)

* fix(core): propagate caller env PATHEXT through isExecutableFile on Windows

isExecutableFile hardcoded undefined when calling resolveWindowsExecutableExtSet,
ignoring any caller-provided custom env.PATHEXT. This meant resolveExecutablePath
and resolveExecutableFromPathEnv would fall back to process.env.PATHEXT even when
the caller supplied a different env with an extended PATHEXT (e.g. .PS1).

- Add optional options.env parameter to isExecutableFile
- resolveWindowsExecutableExtSet now reads from options?.env
- All 3 callers pass their available env through

Affects Windows deployments using sandbox/container environments where
PATHEXT differs from process.env (Docker Windows containers, CI runners, tests).
Fully backward compatible: undefined env falls back to process.env.PATHEXT.

* fix(core): also propagate caller env PATHEXT in node-host invoke resolver

- Fix sibling system.which resolver in src/node-host/invoke.ts:378
  to use caller env PATHEXT instead of process.env only
- Add comprehensive Windows-mocked tests for caller env PATHEXT
  propagation through isExecutableFile, resolveExecutableFromPathEnv,
  and resolveExecutablePath
- Tests cover: custom env accepted, fallback to process.env,
  path-separator and PATH-based resolution paths

* fix(core): also propagate caller env PATHEXT through node-host invoke resolver

- Add env?.PathExt and process.env.PathExt casing to both
  resolveWindowsExecutableExtSet and resolveWindowsExecutableExtensions
  for compatibility with callers using PascalCase env keys
- Isolate positive PATHEXT tests from process.env.PATHEXT by
  explicitly setting it to .TXT before each test, ensuring they
  prove caller env propagation rather than host env leak

* fix(core): add env?.PathExt casing to node-host system.which resolver

---------

Co-authored-by: wendy-chsy <wan.wenyan@xydigit.com>
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request Jul 1, 2026
* 'main' of https://github.com/openclaw/openclaw: (29 commits)
  refactor(gateway): trim attach grant implementation
  feat(gateway): scoped attach grants for external MCP loopback clients
  fix(gateway): iOS Talk treats SecretRef-backed API keys as missing (openclaw#98210)
  test(infra): add unit tests for SQLite number normalization (openclaw#98009)
  test(config): add unit tests for resolveExecCommandHighlighting (openclaw#98087)
  test(utils): add unit tests for chunkItems (openclaw#98219)
  fix(core): propagate caller env PATHEXT through isExecutableFile on Windows (openclaw#98093)
  fix(matrix): guard JSON.parse against malformed homeserver response bodies (openclaw#97973)
  fix(sms): guard Twilio JSON.parse against malformed API response bodies (openclaw#97999)
  Add Swedish mobile app localization (openclaw#98043)
  fix(anthropic): surface Discord pre-tool commentary
  fix(tui): correct disconnect copy for device scope upgrades (openclaw#98144)
  chore(ui): refresh fa control ui locale
  chore(ui): refresh nl control ui locale
  chore(ui): refresh vi control ui locale
  chore(ui): refresh th control ui locale
  chore(ui): refresh pl control ui locale
  chore(ui): refresh uk control ui locale
  chore(ui): refresh id control ui locale
  chore(ui): refresh tr control ui locale
  ...
QiuYuang pushed a commit to QiuYuang/openclaw that referenced this pull request Jul 1, 2026
…indows (openclaw#98093)

* fix(core): propagate caller env PATHEXT through isExecutableFile on Windows

isExecutableFile hardcoded undefined when calling resolveWindowsExecutableExtSet,
ignoring any caller-provided custom env.PATHEXT. This meant resolveExecutablePath
and resolveExecutableFromPathEnv would fall back to process.env.PATHEXT even when
the caller supplied a different env with an extended PATHEXT (e.g. .PS1).

- Add optional options.env parameter to isExecutableFile
- resolveWindowsExecutableExtSet now reads from options?.env
- All 3 callers pass their available env through

Affects Windows deployments using sandbox/container environments where
PATHEXT differs from process.env (Docker Windows containers, CI runners, tests).
Fully backward compatible: undefined env falls back to process.env.PATHEXT.

* fix(core): also propagate caller env PATHEXT in node-host invoke resolver

- Fix sibling system.which resolver in src/node-host/invoke.ts:378
  to use caller env PATHEXT instead of process.env only
- Add comprehensive Windows-mocked tests for caller env PATHEXT
  propagation through isExecutableFile, resolveExecutableFromPathEnv,
  and resolveExecutablePath
- Tests cover: custom env accepted, fallback to process.env,
  path-separator and PATH-based resolution paths

* fix(core): also propagate caller env PATHEXT through node-host invoke resolver

- Add env?.PathExt and process.env.PathExt casing to both
  resolveWindowsExecutableExtSet and resolveWindowsExecutableExtensions
  for compatibility with callers using PascalCase env keys
- Isolate positive PATHEXT tests from process.env.PATHEXT by
  explicitly setting it to .TXT before each test, ensuring they
  prove caller env propagation rather than host env leak

* fix(core): add env?.PathExt casing to node-host system.which resolver

---------

Co-authored-by: wendy-chsy <wan.wenyan@xydigit.com>
shrad3r added a commit to shrad3r/openclaw that referenced this pull request Jul 1, 2026
* fix(ios): advance onboarding step after QR scan (#98302)

handleScannedLink does not set self.step = .connect after scanning a QR
code from the welcome step. The scanner sheet dismisses and the UI
returns to the welcome screen instead of showing connection progress.

The sibling handleScannedSetupCode path correctly advances the step;
this aligns the QR scan path.

Fixes #98297

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(anthropic-oauth): bound OAuth token endpoint response reads (#96644)

postJson reads the Anthropic OAuth token endpoint response body with
an unbounded await response.text(). A compromised or hijacked OAuth
endpoint can stream an arbitrarily large body and force the runtime
to buffer the entire payload before parsing — an OOM/DoS vector.

Replace with readResponseWithLimit at 16 MiB cap + TextDecoder decode
to match the sibling bounded-read pattern (provider-http-errors.ts:308).

Co-authored-by: Claude <noreply@anthropic.com>

* fix: warn when configured channel plugins cannot load (#96397)

* fix(gateway): warn for blocked configured channel plugins

* fix(gateway): preserve configured channel warning source

* test: migrate src/commands tests to shared temp dir helpers (#96359)

* test: migrate src/commands tests to shared temp dir helpers

* fix(test): remove unused path import in migrate apply test

* fix(cron): clear agentTurn thinking override by blanking the field (#96293)

* fix(cron): clear agentTurn thinking override when patched with null

Cron agentTurn patches could clear model/fallbacks/toolsAllow overrides by
sending an explicit null, but thinking had no clear path: the patch schema and
normalizer dropped thinking:null before it reached the merge logic, and the
payload merge only handled string values. Blanking the Thinking/Effort field in
the Cron Control UI therefore silently preserved the old value.

Add thinking:null support across the patch schema, exported type, normalizer,
and payload merge (mirroring model). The Control UI now sends an explicit clear
for model/thinking when an edited job blanks a previously stored override, and
the CLI gains --clear-thinking for parity with --clear-model.

* docs(cron): document --clear-thinking beside sibling clear flags

* test: migrate leaky raw mkdtemp calls to createSuiteTempRootTracker() (#96058)

Gap finding: tempdir-8h9i0j1k, tempdir-9i0j1k2l

Replace bare fs.mkdtemp/mkdtempSync calls in 4 test files with the
shared createSuiteTempRootTracker() helper, adding proper cleanup
where none existed.

Background: the project has standardized on shared temp dir helpers
since 88b87d893d (withTempDir) -> 13df67ebc8 (createSuiteTempRootTracker)
-> 06431fd99b / #87298 (CI guard + docs guidance). This PR continues
that migration for the highest-risk files.

Files changed:
- src/skills/lifecycle/install-fallback.test.ts: variable overwrite risk
- src/auto-reply/reply/session-hooks-context.test.ts: helper leaks temp dirs
- src/auto-reply/reply/abort.test.ts: createAbortConfig leaks root dir
- src/auto-reply/inbound.test.ts: test cases without cleanup

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(sessions): avoid cross-cwd recent resumes (#97785)

* fix(pdf): reject empty parsed page ranges (#97698)

* fix(discord): bound requestDiscord happy-path response reads to prevent OOM (#97693)

* fix(discord): bound happy-path API response reads to prevent OOM

Replace the unbounded res.text() call in requestDiscord's success path with
readResponseTextLimited capped at 4 MiB. Discord channel message lists and
attachment payloads can accumulate to large sizes; without a cap the process
can exhaust available memory. The error path already used readResponseTextLimited
with DISCORD_API_ERROR_BODY_LIMIT_BYTES — this applies the same guard to the
happy path using a separate DISCORD_API_RESPONSE_BODY_LIMIT_BYTES constant
sized appropriately for valid API payloads.

* test(discord): upgrade to real HTTP server proof for bound requestDiscord

* fix(discord): remove unnecessary type assertion in bound test

* fix(irc): guard surrogate-range codepoints in \u literal-escape decoder (#97683)

Two-step decode in decodeLiteralEscapes:
- Step 1: regex anchored to high-surrogate range (U+D800–U+DBFF) so a
  preceding BMP escape (e.g. \u0041) cannot consume the high-surrogate
  half of a valid pair like \uD83D\uDE00 (😀), leaving \uDE00 lone.
- Step 2: decode remaining BMP codepoints; preserve lone surrogates as
  six-character literals instead of corrupting them to U+FFFD in the
  outbound IRC UTF-8 stream.

* fix(utils): keep reply directive ids unicode-safe (#96938)

* fix(utils): keep reply directive ids unicode-safe

* test(utils): catch trailing lone surrogate in hasUnpairedSurrogate helper

Per PR #96938 review: the test helper missed a high surrogate at end of
string because charCodeAt(out-of-bounds) returns NaN, and NaN comparisons
are always false. Guard bounds explicitly so the truncation test actually
proves what it claims, plus two cases pinning helper behavior.

* chore(utils): rerun QA smoke to confirm memory-index timeout flake on #96938

---------

Co-authored-by: ly-wang19 <ly-wang19@users.noreply.github.com>

* fix(memory): detect unindexed session transcripts in status mode (fixes #97814) (#97857)

* fix(memory): detect unindexed session transcripts in status mode (fixes #97814)

The status-purpose MemoryIndexManager init skips ensureSessionStartupCatchup(),
so openclaw memory status reports dirty=false while unindexed session files
exist on disk. This is a false-clean state: the operator sees no backlog,
but memory search silently misses unindexed transcripts.

Fix: run markSessionStartupCatchupDirtyFiles() in status mode. It checks
for on-disk session files without corresponding memory_index_sources rows
and sets sessionsDirty=true if found, without triggering a full sync.

The full catchup+sync runs on the next non-transient manager cycle (CLI
sync or normal runtime init).

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(memory): await status dirty detection before status() reads the flag (fixes #97814)

The status-purpose MemoryIndexManager init skips ensureSessionStartupCatchup(),
so openclaw memory status reports dirty=false while unindexed session files
exist on disk. This is a false-clean state: the operator sees no backlog,
but memory search silently misses unindexed transcripts.

Fix: move status-mode markSessionStartupCatchupDirtyFiles() from the
constructor (fire-and-forget via void) into the create() factory method
where it is awaited. This guarantees sessionsDirty is set before any
caller reads manager.status(). The detection does NOT trigger a sync,
so status remains lightweight.

Review: verified manually — unit tests 21/21 pass, compilation 0 errors.

* test(memory): add regression test for status-purpose dirty detection (fixes #97814)

Adds a regression test that exercises the actual purpose:'status' manager
flow: create a session file without index row, create status manager, verify
status().dirty is true. This addresses the ClawSweeper P1 finding requesting
a test that exercises the real status path, not only the protected helper.

Also fixes the timing issue: move dirty detection from constructor (void)
to create() factory (await), guaranteeing sessionsDirty is set before any
caller reads manager.status().

---------

Co-authored-by: Claude <noreply@anthropic.com>

* fix(android): clarify gateway auth recovery states (#98094)

* fix(android): clarify gateway auth recovery states

* fix(android): preserve retryable pairing recovery copy

* fix(android): prefer auth recovery detail before stale address

* fix(android): show auth recovery while approval loads

* test(gateway): add unit tests for node wake state tracking and testing seam (#98205)

Add 17 unit tests for nodes-wake-state.ts covering:
- Exported wait/poll constants
- nodeWakeById Map operations (insert, overwrite, multi-entry, inFlight)
- nodeWakeNudgeById Map operations (independent tracking)
- clearNodeWakeState function (removal, no-op, scoped deletion)
- testing seam (getNodeWakeByIdSize, hasNodeWakeEntry, resetWakeState)

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

* fix: surface node approval guidance from devices CLI (#98115)

* fix: surface node approval guidance from devices CLI

* fix: preserve node approval connection guidance

* fix: handle admin retry unknown device approvals

* fix: require stable node approval matches

---------

Co-authored-by: welfo-beo <187608477+welfo-beo@users.noreply.github.com>
Co-authored-by: welfo-beo <welfo-beo@users.noreply.github.com>

* docs: clarify source checkout Node floor (#97898)

* docs: clarify source checkout Node floor

* chore: refresh CI for PR #97898

---------

Co-authored-by: lin-hongkuan <lin-hongkuan@users.noreply.github.com>

* test(telegram): add regression test for forum topic message_thread_id with streamed reasoning (#94526)

* test(telegram): add regression test for forum topic message_thread_id with streamed reasoning

After thorough code tracing of all delivery paths (draft stream, durable,
non-durable, preview hooks), the current main branch already correctly
passes message_thread_id through all paths for the streaming reasoning +
final answer scenario in forum topics. The bug reported in #89352 may have
been resolved by earlier merged changes (media-path preservation,
draft/progress streaming, etc.).

This commit adds a focused regression test covering the combined
scenario to prevent future regressions.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(telegram): assert forum thread at draft-stream boundary for both lanes

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(device-pairing): don't churn requestId on subset re-requests (#98145)

* fix(device-pairing): don't churn requestId on subset re-requests

A reconnect that re-requested a subset of an already-pending device
pairing request still superseded it with a fresh requestId. This is the
root cause of the "unknown requestId" failures during device approval:

1. A TUI connect files a broad scope-upgrade request; the owner copies its
   id from `openclaw devices list`.
2. `openclaw devices approve <id>` reconnects as a CLI probe that only needs
   `operator.pairing` — a subset of the pending scopes.
3. That subset re-request superseded the pending request with a new id, so
   the originally-listed id no longer existed and approve failed.

Refresh the existing request in place when the incoming request only asks
for roles/scopes a single pending request (same device key + role) already
covers. Escalations that request *more* than the pending request still
supersede with a fresh id, so the requestId stays bound to at least the
scope snapshot the owner saw (the existing security-motivated behavior and
its test are preserved).

AI-assisted (Claude Code).

* fix(device-pairing): align subset pairing with scope coverage

* fix(system-prompt): move exec-approval + Authorized Senders below cache boundary (#98267)

* fix(system-prompt): move exec-approval + Authorized Senders below cache boundary

buildExecApprovalPromptGuidance (channel-varying: CLI /approve vs native
approval UI) and buildUserIdentitySection / "## Authorized Senders"
(owner/identity-varying, dropped when minimal) were emitted into the static,
cacheable prefix *above* SYSTEM_PROMPT_CACHE_BOUNDARY. They fork the cacheable
prefix at ~token 1,460, invalidating client-side prefix caching for the rest of
the ~17.8K-token system prompt — causing minutes-long cold prefills on local
models (llama.cpp / MLX / Ollama) after any channel-varying cron/heartbeat turn.

Follow-on to #40256, which moved Messaging/Voice/Reactions below the boundary
but missed these two. Relocates both into the existing below-boundary
channel-guidance block. Pure cache-stability change with no behavioural change
(the guidance is position-independent for correctness). Extends the boundary
test to assert both sections sit below SYSTEM_PROMPT_CACHE_BOUNDARY.

Measured on a local deployment: shared cross-channel prefix grew ~1,460 ->
~15,486 tokens; post-cron interactive turns went from minutes to ~10s.

Fixes #98261

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01H6Hz9UEpxQ4W3d8XecvupH

* fix(system-prompt): suppress relocated exec-approval line under tool_call_style override

Addresses review (clawsweeper): the exec-approval guidance lived inside the
`tool_call_style` fallback, so a provider override of that section previously
replaced it. Relocating it below the boundary emitted it unconditionally, which
changed behaviour for providers/plugins that override `tool_call_style`. Gate the
relocated line on the absence of a `tool_call_style` override, restoring the
original "override replaces the whole section" contract. Extends the
provider-override test to assert the default approval line is suppressed when
the section is overridden.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01H6Hz9UEpxQ4W3d8XecvupH

* fix(system-prompt): tighten cache boundary proof

* fix(system-prompt): tighten cache boundary proof

* fix(system-prompt): tighten cache boundary proof

---------

Co-authored-by: headbouyJB <23249268+headbouyJB@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>

* Preserve chat soft line breaks on iOS (#98304)

* fix(openrouter): send explicit auth headers (#98187)

* fix(openrouter): send explicit auth headers

* test(openrouter): type stream mock calls

* fix(web): render WebChat preamble progress

Render Control UI item and preamble progressText events as chat stream segments and preserve pre-final stream commentary before appending final assistant messages. Keyed preamble segments stay independent from accumulated stream snapshots, so distinct same-text commentary items render intact.

Co-authored-by: Chisel <chisel@psiclawops.dev>

* fix(web): label preamble proof blocks

Co-authored-by: Chisel <chisel@psiclawops.dev>

* feat(web): make WebChat commentary persistence configurable

Add a per-viewer 'Keep commentary' toggle (UiSettings.chatPersistCommentary,
default true) that controls whether keyed Codex preamble/commentary blocks
stay after the final answer or clear with it.

- Persist (default): keyed commentary materializes as durable blocks, current
  behavior, existing proof unchanged.
- Transient (toggle off): commentary stays live during streaming but is never
  materialized, so it disappears as the final message arrives. This is the
  transient-only behavior from #92236, now user-selectable instead of a
  maintainer-level either/or policy choice.

Single gating point in materializeVisibleStreamState (skip itemId-keyed parts
when persistCommentary is false); threaded from settings through the chat
event handler. Adds desktop + mobile header toggles and an en.ts label
(locale bundles regenerated via ui:i18n:sync, English fallback).

Tests: reconciliation persist/transient coverage, final-event handler honors
the setting, settings round-trip + header button assertions updated.

* fix(web): order keyed commentary by timestamp with tool cards

Keyed preamble commentary was appended after the whole tool loop, so it relied solely on the final visible-time sort for placement and lost the insertion-order tiebreaker against tool cards. Splice each keyed commentary segment into the items list before the first item with a strictly-later timestamp, so a preamble that arrived before a later tool renders above that tool while the run is live (not only after final materialization). Tools sharing the commentary timestamp that are already visible stay above it. Adds a buildChatItems regression covering a keyed preamble between two tools.

* fix(web): distill WebChat commentary persistence

* fix(web): reconcile transient commentary history

* chore(ui): refresh zh-TW control ui locale

* chore(ui): refresh de control ui locale

* chore(ui): refresh zh-CN control ui locale

* chore(deadcode): remove stale ACP testing aliases

* chore(deadcode): remove stale outbound testing aliases

* chore(deadcode): remove stale CLI testing aliases

* chore(ui): refresh pt-BR control ui locale

* chore(ui): refresh es control ui locale

* chore(ui): refresh ja-JP control ui locale

* chore(ui): refresh ko control ui locale

* chore(ui): refresh fr control ui locale

* chore(ui): refresh ar control ui locale

* chore(ui): refresh it control ui locale

* chore(ui): refresh tr control ui locale

* chore(ui): refresh id control ui locale

* chore(ui): refresh uk control ui locale

* chore(ui): refresh pl control ui locale

* chore(ui): refresh th control ui locale

* chore(ui): refresh vi control ui locale

* chore(ui): refresh nl control ui locale

* chore(ui): refresh fa control ui locale

* fix(tui): correct disconnect copy for device scope upgrades (#98144)

* fix(tui): correct disconnect copy for device scope upgrades

On disconnect, the TUI told users "Pairing required. Run `openclaw devices
list`, approve your request ID, then reconnect." This is misleading: the
gateway is asking for a device *scope upgrade* (the device is already
paired), and "pairing" points users at `openclaw pairing`, which only
handles chat DM pairing — a different subsystem.

- Reword the hint to name the scope upgrade and the actual recovery command
  (`openclaw devices approve --latest`), including the `--token`/`--password`
  escape hatch for when the device can't approve its own upgrade.
- Also match the gateway's "scope upgrade" disconnect reason, not just
  "pairing required".

AI-assisted (Claude Code).

* fix(tui): clarify device approval preview hint

* fix(anthropic): surface Discord pre-tool commentary

Route Anthropic pre-tool narration through the commentary progress lane, preserve shared channel progress defaults, and keep Discord/Telegram reasoning gates explicit.

Thanks @Marvinthebored!

* Add Swedish mobile app localization (#98043)

* feat: add Swedish mobile app localization

* fix: remove dead Swedish watch extension localization

* docs: document iOS metadata locale directories

---------

Co-authored-by: Daniel Nylander <daniel@danielnylander.se>

* fix(sms): guard Twilio JSON.parse against malformed API response bodies (#97999)

Wrap JSON.parse in parseTwilioListPayload and retrieveTwilioMessagingService with try/catch to prevent a malformed Twilio API response from throwing an unhandled SyntaxError.

- parseTwilioListPayload: return [] on parse failure (fail-safe for phone number listing)
- retrieveTwilioMessagingService: throw descriptive Error on parse failure

Note: parseTwilioApiError and parseTwilioSuccessPayload already had try/catch guards (lines 85-97, 104-121).

Signed-off-by: lsr911 <liao.shirong@xydigit.com>
Co-authored-by: Claude <noreply@anthropic.com>

* fix(matrix): guard JSON.parse against malformed homeserver response bodies (#97973)

Wrap JSON.parse(text) in MatrixAuthedHttpClient.requestJson with try/catch to prevent a malformed Matrix homeserver response from throwing an unhandled SyntaxError.

On parse failure, throw an Error with statusCode attached (matching the buildHttpError convention) so callers can handle it like any other Matrix API error.

Signed-off-by: lsr911 <liao.shirong@xydigit.com>
Co-authored-by: Claude <noreply@anthropic.com>

* fix(core): propagate caller env PATHEXT through isExecutableFile on Windows (#98093)

* fix(core): propagate caller env PATHEXT through isExecutableFile on Windows

isExecutableFile hardcoded undefined when calling resolveWindowsExecutableExtSet,
ignoring any caller-provided custom env.PATHEXT. This meant resolveExecutablePath
and resolveExecutableFromPathEnv would fall back to process.env.PATHEXT even when
the caller supplied a different env with an extended PATHEXT (e.g. .PS1).

- Add optional options.env parameter to isExecutableFile
- resolveWindowsExecutableExtSet now reads from options?.env
- All 3 callers pass their available env through

Affects Windows deployments using sandbox/container environments where
PATHEXT differs from process.env (Docker Windows containers, CI runners, tests).
Fully backward compatible: undefined env falls back to process.env.PATHEXT.

* fix(core): also propagate caller env PATHEXT in node-host invoke resolver

- Fix sibling system.which resolver in src/node-host/invoke.ts:378
  to use caller env PATHEXT instead of process.env only
- Add comprehensive Windows-mocked tests for caller env PATHEXT
  propagation through isExecutableFile, resolveExecutableFromPathEnv,
  and resolveExecutablePath
- Tests cover: custom env accepted, fallback to process.env,
  path-separator and PATH-based resolution paths

* fix(core): also propagate caller env PATHEXT through node-host invoke resolver

- Add env?.PathExt and process.env.PathExt casing to both
  resolveWindowsExecutableExtSet and resolveWindowsExecutableExtensions
  for compatibility with callers using PascalCase env keys
- Isolate positive PATHEXT tests from process.env.PATHEXT by
  explicitly setting it to .TXT before each test, ensuring they
  prove caller env propagation rather than host env leak

* fix(core): add env?.PathExt casing to node-host system.which resolver

---------

Co-authored-by: wendy-chsy <wan.wenyan@xydigit.com>

* test(utils): add unit tests for chunkItems (#98219)

Add 8 test cases covering fixed-size array splitting, empty input,
size <= 0, size=1, size > length, exact division, readonly input
preservation, and fractional size behavior.

* test(config): add unit tests for resolveExecCommandHighlighting (#98087)

* test(infra): add unit tests for SQLite number normalization (#98009)

* test(infra): add unit tests for SQLite number normalization

* fix: remove undefined param test, not in function signature

* fix(gateway): iOS Talk treats SecretRef-backed API keys as missing (#98210)

* fix(gateway): resolve Talk SecretRefs for scoped native clients

* fix(gateway): constrain Talk secret materialization

* fix(gateway): redact Talk source provider secrets

* fix(gateway): satisfy Talk config lint

* docs(gateway): clarify Talk secret config payload

---------

Co-authored-by: joshavant <830519+joshavant@users.noreply.github.com>

* feat(gateway): scoped attach grants for external MCP loopback clients

Per-session, TTL-bounded, revocable bearer grants (mcp-grant-store) let an external/interactive
harness reach the gateway's scoped MCP loopback tools without the cli-backend's process-global
token. A grant is a lower-trust boundary: it binds the session server-side AND fail-closes on every
caller-supplied context header (x-session-key plus message-channel/account/current-channel/thread/
source-reply/event-kind), so a grant holder can neither scope-shop the session nor spoof
delivery/action context into scoped tools or the message tool. New attach.grant/attach.revoke
operator methods mint/revoke grants and return the loopback MCP config. Owner/non-owner cli-backend
path unchanged.

* refactor(gateway): trim attach grant implementation

* fix(agents): keep merged delivery routes account-bound (#98240)

* fix(agents): keep merged delivery routes account-bound

mergeDeliveryContext gated route-field crossing on channel only, so a
completion origin that knew its account but not a concrete target
inherited a different account's to/threadId on the same channel. A
subagent, cron, or media completion for bot-a could be addressed to
bot-b's chat but sent through bot-a (cross-account misroute) or dropped.

This restores the account-bound guard added in 1ed8592467 and removed as
collateral by 025db6cf9e (PR #89949); same-account and missing-account
merges still backfill so the media route-pin path is preserved. Restores
the deleted regression test.

* fix(agents): centralize account-bound completion routes

---------

Co-authored-by: Peter Steinberger <steipete@golden-gate.local>

* Redact bare Fireworks API keys (#98226)

* Redact bare Fireworks API keys

* fix(logging): harden Fireworks key redaction

* fix(logging): harden Fireworks key redaction

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>

* docs: publish release notes for v2026.6.11 (#98319)

* fix: show in-progress status for channel runs (#98257)

Summary:
- Merged fix: show in-progress status for channel runs after ClawSweeper review.

Automerge notes:
- No ClawSweeper repair was needed after automerge opt-in.

Validation:
- ClawSweeper review passed for head 08eec41769bd918a21e247404ad691d5707a79e1.
- Required merge gates passed before the squash merge.

Prepared head SHA: 08eec41769bd918a21e247404ad691d5707a79e1
Review: https://github.com/openclaw/openclaw/pull/98257#issuecomment-4849525931

Co-authored-by: scotthuang <scotthuang@tencent.com>
Approved-by: takhoffman

* fix(gateway): keep provider-owned CLI sessions across the daily default reset (#97931)

The gateway agent.run freshness decision called evaluateSessionFreshness
directly at both of its decision sites with no provider-owned guard, so a
provider-owned CLI session (claude-cli, codex, gemini-cli) under the default
reset config was rotated after the daily boundary when a turn ran through the
gateway path (webchat, openclaw agent, ACP, control UI, cron, heartbeat). The
rotation cleared the CLI session binding and split the transcript, violating
the documented exemption that the inbound auto-reply path and the canonical
session helper already honor.

Route both gateway freshness decisions through the same
resetPolicy.configured !== true && hasProviderOwnedSession(entry) skip the
inbound path uses, and export hasProviderOwnedSession so the predicate has one
shared definition instead of a third copy. Explicit session.reset and /reset
still cut these sessions.

* docs: refresh docs map for v2026.6.11 (#98325)

* fix(auto-reply): stop level directives from eating the next message word (#97929)

matchLevelDirective consumed the token after a level directive
(/think, /verbose, /trace, /fast, /reasoning, /elevated) as the level
argument unconditionally, and extractLevelDirective stripped it from the
body whether or not it was a valid level. So a message like
"/verbose explain quantum computing" reached the agent as
"quantum computing", silently dropping the user's first word, and the
whitespace scan crossed newlines so "/verbose\nSummarize this" lost
"Summarize".

Treat the trailing token as the directive argument only when it
normalizes to a valid level or is the sole remaining token (preserving
the unrecognized-level hint and the default/inherit clear sentinels).
When two or more words follow, the directive acts argument-less and the
message text is preserved intact, matching the exec and queue parsers
that stop at an unrecognized token.

* fix(agents): estimate harness role sizes in context guard char estimator (#97928)

The in-loop context-overflow guard (installToolResultContextGuard) sizes
transcript messages via estimateMessageChars, which only handled user,
assistant, and toolResult roles. Harness roles (bashExecution,
compactionSummary, branchSummary, custom) fell through to a flat 256-char
return, causing the guard to undercount summary- and bash-dominated
context by orders of magnitude.

This is the sibling defect of the just-merged #97861 which fixed the same
class in estimateMessageTokenPressure (the pre-prompt precheck). This
commit applies the identical pattern to the live in-loop guard estimator.

Fixes #97927

* doctor: add memory search lint findings (#97137)

* doctor: add memory search lint findings

* fix(doctor): quiet memory lint for auth-profile sources

* fix(doctor): require provider-specific auth source for memory lint

* fix(doctor): preserve qmd memory lint warnings

* fix(doctor): validate auth source credentials

* Doctor: expose workspace status findings (#97358)

* doctor: expose workspace status findings

* fix(doctor): pass workspace drift into lint

* fix(doctor): pass allow-exec into workspace lint drift

* test(qa-lab): harden whatsapp qa scenarios (#95622)

* fix(whatsapp): preserve group participant identity in QA driver

* fix(whatsapp): infer same-chat action targets

* test(qa-lab): record whatsapp scenario posture

* test(qa-lab): harden whatsapp live scenario coverage

* docs(qa): describe whatsapp qa lane coverage

* fix: prevent skill-creator from bypassing workshop proposals (#98346)

Summary:
- The branch adds bundled skill-creator guidance to route durable OpenClaw skill work through Skill Workshop proposals and removes the direct `init_skill.py` scaffold helper plus its test.
- PR surface: Docs +6, Other -429. Total -423 across 3 files.
- Reproducibility: yes. source-level: current main has `init_skill.py` writing a live `SKILL.md` directly, whi ... `. I did not run the direct helper as a repro because this review was read-only and that path writes files.

Automerge notes:
- No ClawSweeper repair was needed after automerge opt-in.

Validation:
- ClawSweeper review passed for head 8eca1654472e50283ba7deed5f3220cc8213be94.
- Required merge gates passed before the squash merge.

Prepared head SHA: 8eca1654472e50283ba7deed5f3220cc8213be94
Review: https://github.com/openclaw/openclaw/pull/98346#issuecomment-4849855806

Co-authored-by: momothemage <niuzhengnan@163.com>
Approved-by: momothemage

* fix(heartbeat): scope commitment fan-out prompts (#98169)

* fix(heartbeat): scope commitment fan-out prompts

* fix(heartbeat): isolate commitment fan-out runs

* fix(heartbeat): isolate commitment fan-out runs

---------

Co-authored-by: Benjamin Badejo <ben@benbadejo.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>

* doctor: expose device pairing findings (#97366)

* Fix Android TLS fingerprint timeout handling (#98366)

* fix(ios): open app on chat by default (#98353)

Co-authored-by: BSnizND <199837910+BsnizND@users.noreply.github.com>

* fix(security): warn on agent skill MCP boundary drift (#98352)

Summary:
- Merged fix(security): warn on agent skill MCP boundary drift after ClawSweeper review.

Automerge notes:
- No ClawSweeper repair was needed after automerge opt-in.

Validation:
- ClawSweeper review passed for head ab3c29ef4c731dfdbff75f2f5c7ec65c63ec195d.
- Required merge gates passed before the squash merge.

Prepared head SHA: ab3c29ef4c731dfdbff75f2f5c7ec65c63ec195d
Review: https://github.com/openclaw/openclaw/pull/98352#issuecomment-4850104358

Co-authored-by: momothemage <niuzhengnan@163.com>
Approved-by: momothemage

* fix: retry image describe fallback models (#98347)

Summary:
- Merged fix: retry image describe fallback models after ClawSweeper review.

Automerge notes:
- Addressed earlier ClawSweeper review findings before merge.

Validation:
- ClawSweeper review passed for head 55b26bd37374de551fd13595751350f261d6a832.
- Required merge gates passed before the squash merge.

Prepared head SHA: 55b26bd37374de551fd13595751350f261d6a832
Review: https://github.com/openclaw/openclaw/pull/98347#issuecomment-4850122718

Co-authored-by: momothemage <niuzhengnan@163.com>
Approved-by: momothemage

* fix(ios): avoid transient duplicate final replies (#98117)

* Fix iOS final reply dedupe

* fix(ios): scope final message reconciliation

* docs(ios): explain final message reconciliation key

---------

Co-authored-by: joshavant <830519+joshavant@users.noreply.github.com>

* fix(gateway): emit stale exec approval followup diagnostics (#98293)

* fix(gateway): emit stale exec approval followup diagnostics

* fix(gateway): cover approval suppression diagnostics in ci

* fix(logging): preserve approval ids in stability bundles

* docs(exec): document suppression diagnostics

---------

Co-authored-by: BSnizND <199837910+BsnizND@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@golden-gate.local>

* fix(ios): use Gateway speech providers in Talk (#98376)

* fix(ios): route gateway speech through talk.speak

* fix(ios): preserve realtime fallback state

* fix(ios): satisfy audio delegate concurrency

* fix(ios): ignore stale audio callbacks

* fix(ios): ignore stale audio callbacks

---------

Co-authored-by: Peter Steinberger <steipete@golden-gate.local>

* Suppress expired exec approval followup warnings (#66685)

* fix(agents): suppress expired approval followup warnings

* fix(agents): suppress expired approval followup warnings

---------

Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com>

* fix: show actionable mobile protocol mismatch recovery (#98385)

* Fix mobile protocol mismatch recovery

* Test iOS protocol mismatch connect failures

* Fix iOS protocol mismatch problem actions

* fix(cli): explain how to recover from device approve deadlock (#98146)

* fix(cli): explain how to recover from device approve deadlock

`openclaw devices approve` could fail two ways with no path forward:

- When the calling device can't approve its own scope upgrade (it lacks
  operator.approvals) and no loopback local fallback is available (e.g. a
  remote --url gateway), the raw "scope upgrade pending approval" error
  propagated with no guidance.
- When the request id wasn't found in pending state (already approved,
  expired, or superseded), it printed only "unknown requestId".

Surface actionable guidance instead:

- On an authorization failure, explain that the device can't approve its
  own upgrade and point to `--token`/`--password` (gateway owner creds) or
  approving from a device that already holds operator.approvals.
- On a missing request, point to `openclaw devices list` and
  `openclaw devices approve --latest`.

AI-assisted (Claude Code).

* fix(cli): clarify device approval recovery

* fix(cli): avoid unusable approval credential advice

* improve(ios): clarify Control and Talk visual hierarchy (#98423)

* feat(ios): refine control and talk visual hierarchy

* feat(ios): refine control and talk visual hierarchy

* feat(ios): refine control and talk visual hierarchy

* fix(doctor): recover legacy cron archive across devices (#98217)

* fix(doctor): recover legacy cron archive across devices

* fix(doctor): harden legacy cron archive retries

* fix(doctor): canonicalize shipped cron retry shape

* fix(doctor): persist legacy cron migration receipts

---------

Co-authored-by: Peter Steinberger <steipete@golden-gate.local>

* feat(openai): add GPT-5.6 series support (#98333)

* feat(openai): add GPT-5.6 series support

* docs: refresh map for GPT-5.6

* fix(openai): preserve GPT-5.6 thinking metadata

* fix(codex): sync managed app server version

* fix(codex): sync managed app server version

* fix(openai): account for GPT-5.6 cache writes

---------

Co-authored-by: Peter Steinberger <steipete@golden-gate.local>

* fix(cron): preserve action-required command output

* fix(cron): strip nested job diagnostics from webhook payloads

* test(gateway): remove cron redaction casts

* fix(ios): classify TLS fingerprint timeouts (#98429)

* fix(ios): classify gateway TLS fingerprint timeouts

* Add discovered TLS trust regression test

* fix: Android setup codes accept local mDNS gateway hosts (#98439)

* Fix Android mDNS setup-code cleartext policy

* Align Android gateway diagnostics cleartext guidance

* fix(ios): improve light and dark appearance contrast (#98443)

* fix(llm): preserve structured tool result replay

Preserve structured tool-result replay text across provider transports while keeping provider-facing redaction and Anthropic media ordering intact.

Thanks @snowzlmbot!

* fix(status): surface unregistered memory embedding providers (#97968)

* refactor(sessions): centralize scoped store path resolution

* refactor(agents): reuse process stdin writer

* refactor(security): centralize safe-bin config normalization

* refactor(sessions): centralize export transcript parsing

* fix(agents): preserve runtime settings overrides (#92237)

* Fix active-memory stale ops summaries (#95888)

Co-authored-by: costaff <costaff-lapclaw-001@efiducian.com>

* fix(gateway): surface systemd start-limit exhaustion (#98291)

* fix(gateway): surface systemd start-limit exhaustion

* fix(gateway): avoid start-limit false positive for exit 78

* fix(gateway): hint missing external plugin for web login (#90517)

* fix(gateway): hint missing official plugin for web login

* fix(gateway): keep missing web login hints actionable

* test(infra): add unit tests for SQLite user_version pragma helper (#98369)

* test(infra): add unit tests for SQLite user_version pragma helper

* ci: trigger re-review

* fix(android): hide status bar in release screenshots

* Fix extension exec process-tree termination (#98340)

* fix(ui): collapse duplicate assistant groups during segmented streaming (#92063)

Fold a contiguous run of in-flight stream/reading-indicator items into one
assistant group (one avatar/footer, segments stacked as bubbles) so a segmented
streaming reply no longer flashes a separate avatar+footer per segment.
Render-layer only: the shared ChatItem types and build-chat-items.ts are
untouched, and a message/group/divider breaks the run so interleaved tool calls
keep their own groups.

Refs #63956

AI-assisted (Claude Code).

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

* fix(infra): guard delivery queue inflate against corrupted entry_json (#98354)

* fix(infra): guard delivery queue inflate against corrupted entry_json

* fix(infra): use toSorted in delivery queue test

* fix(agents): warn on cron announce skip (#90566)

* fix(agents): warn on cron announce skip

* fix(agents): gate cron announce skip warnings

* fix(ports): validate lsof PID parsing before assignment (#98371)

* fix(ports): validate lsof PID parsing before assignment

Add Number.isFinite guard on lsof 'p' line PID parsing in
parseLsofOutput, consistent with the netstat branch in the same
function which already validates with Number.isNaN.

While the downstream if (current.pid) truthiness check catches
NaN (falsy), adding validation at the parse site is defense-in-
depth and eliminates an inconsistency within the same function.

* test(ports): add edge case tests for parseLsofOutput

Add test coverage for malformed lsof 'p' lines (empty PID, non-numeric
suffix), zero PID, and empty input to verify the Number.isFinite guard
correctly filters invalid entries.

* fix(cron): keep provider-owned CLI sessions across the daily default reset (#98356)

The provider-owned CLI session exemption added for the gateway agent.run path
in #97931 was not applied to the non-gateway session resolvers. Scheduled
isolated-agent cron jobs run through runCronIsolatedAgentTurn ->
resolveCronSession, and the local openclaw command runs through resolveSession;
both called evaluateSessionFreshness directly with no provider-owned guard.

Under the default reset config a persistent-target cron job on a CLI runtime
(claude-cli, codex, gemini-cli) therefore rotated its session after the daily
boundary, minting a new sessionId and dropping the cliSessionBindings, so the
agent silently lost its underlying CLI conversation every morning and the
transcript was split. Because resolveCronSession also backs the heartbeat
runner, that surface was affected too.

Route both resolvers through the same
resetPolicy.configured !== true && hasProviderOwnedSession(entry) skip the
gateway and inbound paths already use. Explicit session.reset and configured
resets still rotate these sessions, and the command path still rotates when the
terminal main transcript is newer than the registry.

* test(shared): add unit tests for account enabled guard (#98395)

* fix(agents): recover thinking errors from provider body (#98411)

* docs(skills): parameterize landable bug sweeps (#98494)

* fix: report codex chatgpt status auth (#91240)

* test(agents): add unit tests for thinking block detection (#98370)

* test: prefer shared temp dir helpers in config, gateway, cron, crestodian, and state tests (#96711)

* fix: add temp dir cleanup to 14 P0 test files (Group A)

* fix: restore os import and fix fs.rmSync call in temp dir cleanup

* fix: use shared temp dir helpers in config, gateway, cron, crestodian, and state tests

* fix(test): rename underscore-prefixed temp dir vars and remove unused imports

* fix(test): remove unused path import in crestodian audit test

* fix(test): reorder expected plans to match buildVitestRunPlans output after rebase

* Fix Android QR scan pairing flow (#98483)

* fix docs-list-mdx-pages (#95230)

* fix(minimax): bound OAuth JSON response via shared provider reader (#96322)

Use readProviderJsonResponse (shared 16 MiB default cap) instead of
unbounded response.json() for MiniMax OAuth authorization code endpoint.

Signed-off-by: lsr911 <liao.shirong@xydigit.com>
Co-authored-by: Claude <noreply@anthropic.com>

* fix(config): warn when permission hardening fails during recovery (#95348)

Surface chmod failures during config backup restore, last-known-good
promotion/recovery, and prefix recovery instead of swallowing them silently.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(copilot): guard against undefined runtime.state during cli-metadata registration (#95229)

Co-authored-by: sunlit-deng <sunlit.deng@example.com>

* fix(memory): skip raw snippets during promotion (#94636)

* [AI] fix(feishu): guard partial channelRuntime in monitor startup (#94013)

* [AI] fix(feishu): guard partial channelRuntime in monitor startup

When the gateway passes a partial channelRuntime (ChannelRuntimeSurface
with only runtimeContexts but no inbound/debounce), the ?? operator in
monitor.account.ts selects it over the full local runtime, causing
monitor startup to crash on channelRuntime.debounce access.

Mirror the same ?.inbound guard pattern from bot.ts:739 (PR #93466)
to monitor.account.ts:487. When the runtime lacks inbound, fall back
to getFeishuRuntime().channel which always has the full surface.

No test: the guard mirrors an already-merged pattern (#93466) and only
affects the partial-runtime edge case that requires a gateway context.

Related to #92595

* [AI] test(feishu): add channelRuntime guard tests for monitorSingleAccount

Three test cases for the channelRuntime guard at
monitor.account.ts:489:
1. Partial channelRuntime (no inbound) → falls back to local runtime
2. Full channelRuntime with inbound → uses provided runtime
3. No channelRuntime (undefined) → falls back to local runtime

Related to #92595

* fix: hide expired pairing QR cards in Control UI (#98049)

* Hide expired pairing QR codes

* Schedule pairing QR expiry refresh

* test(memory): cover live manager after CLI reindex (#96094)

* fix: advertise route-aware LAN Control UI links (#98482)

* Route LAN pairing URLs by default route

* Advertise route-aware LAN Control UI links

* Fix route-aware LAN test mocks

* Narrow advertised LAN SDK export

* Recover archived (.reset) session transcripts in memory hook + session-logs skill (#71537)

* fix(session-memory): recover archived reset transcripts

* docs(session-logs): include archived transcripts in skill examples

Plain .jsonl globs miss .jsonl.reset.*Z and .jsonl.deleted.*Z files,
which still contain real transcript content. Add explicit guidance and
a list_session_transcripts helper so searches can opt in to full
history when needed.

Pairs with the session-memory recover-from-archive fix in the same
branch.

* docs(session-logs): scope nullglob and use while-read in helper

Address Greptile review feedback on PR #71537:

* nullglob is now saved and restored inside list_session_transcripts so
  the helper does not change the caller shell environment when sourced.
* Replace 'for f in $(list_session_transcripts)' tip with a 'while
  IFS= read -r' loop so paths with spaces or other IFS characters are
  handled correctly. Include a worked example using the same date+size
  listing the surrounding section already documents.

Doc only, no runtime behavior change.

* docs(config-agents): correct built-in alias table for opus and gpt (#96375)

The built-in alias shorthands table listed stale model ids that no longer
match src/config/defaults.ts (DEFAULT_MODEL_ALIASES):

  opus: anthropic/claude-opus-4-6 -> anthropic/claude-opus-4-8
  gpt:  openai/gpt-5.5            -> openai/gpt-5.4

These now match defaults.ts and the help/faq-models alias table, and resolve
an internal contradiction on this same page (its runtime-policy example already
uses anthropic/claude-opus-4-8).

* docs(gateway): fix Telegram streaming default in config-channels.md (#98453)

The config example in docs/gateway/config-channels.md incorrectly
listed streaming default as "off". The actual runtime default is
"partial", as confirmed by the Telegram plugin's default resolver.

docs/channels/telegram.md already correctly documents the default
as "partial".

Co-authored-by: Claude <noreply@anthropic.com>

* test: repair hosted CI baseline assertions (#98533)

* feat(imessage): native poll support — create, read, vote (#98421)

* feat(imessage): add native poll action

Wire the imsg CLI 'poll send' bridge command into the iMessage channel
message-tool action surface, mirroring the existing Discord poll action.
Adds the 'poll' action (gate: polls), a sendPoll runtime, selector-gated
capability advertisement (pollPayloadMessage), config type + zod schema,
regenerated channel metadata, docs, and tests.

* feat(imessage): read inbound polls, vote, and suppress vote echo

Builds on the native poll send action:

- Inbound polls now render to the agent as a readable line (question +
  numbered options + tallies) instead of the raw 0xFFFD balloon placeholder,
  so a received poll no longer reads as an empty message.
- New `poll-vote` action casts a vote via `imsg poll vote`, resolving a
  1-based option index / text / UUID to the poll's option identifier.
- message_tool_only echo guard: the model tends to narrate its choice in a
  text reply right after voting ("Blue."), which is redundant since the vote
  shows on the poll. A new `poll_vote_echo` suppression reason (alongside
  inbound_metadata_echo / internal_runtime_context_echo) drops a send/reply
  that exactly restates the just-cast vote, using the option label imsg
  returns. Extra content passes through untouched.

* fix(imessage): gate poll-vote on imsg poll.vote rpc capability

Released imsg carries the pollPayloadMessage selector (poll create) but
predates the poll.vote CLI/RPC. Gating both poll and poll-vote on that
selector alone would advertise a vote action the released CLI rejects.
Gate poll-vote additionally on the advertised poll.vote rpc method so this
plugin can ship ahead of the imsg release.

* fix(imessage): enforce poll.vote capability at execution, not just discovery

Codex review flagged the discovery gate as bypassable: a caller that already
knows action=poll-vote skips describeMessageTool and reaches handleAction
directly. Add the same imessageRpcSupportsMethod(status, 'poll.vote') check in
the poll-vote execution path (after assertPrivateApiEnabled), so a direct
dispatch on released imsg fails closed with a clear message instead of an
opaque CLI rejection. Adds a negative handleAction test.

* fix(imessage): harden native poll support

* fix(message): validate targets before channel discovery

* fix(message): validate targets before channel discovery

---------

Co-authored-by: Omar Shahine <lobster@users.noreply.github.com>
Co-authored-by: Omar Shahine <10343873+omarshahine@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>

* docs(matrix): document missing streaming.progress mode, progress sub-fields, and mentionPatterns config (#98318)

* docs(matrix): document missing streaming.progress mode, progress sub-fields, and mentionPatterns config

* docs: clarify Matrix progress labels

---------

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* docs(onboard): document 11 missing non-interactive CLI flags (#97753)

* docs(onboard): document 11 missing non-interactive CLI flags

* docs: correct token profile default wording

* docs: update generated docs map

---------

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>

* fix(mattermost): bound null-body error response reads (#97851)

Co-authored-by: Pick-cat <266665499+Pick-cat@users.noreply.github.com>

* fix(memory-wiki): preserve notes after transient page reads (#98360)

* test: fix stale core test type failures (#98551)

* fix(browser): bound error body read in fetchHttpJson to prevent OOM (#98455)

* fix(browser): bound error body read in fetchHttpJson to prevent OOM

* fix(browser): enforce strict error response limit

---------

Co-authored-by: Peter Steinberger <58493+steipete@users.noreply.github.com>

* fix(code-mode): surface QuickJS error name and message to the model (#95906)

* fix(code-mode): surface QuickJS error name and message to the model

* fix(code-mode): preserve host error diagnostics

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(agents): don't crash autoreview copilot engine on Windows temp-dir cleanup (#97901)

On Windows the spawned copilot process and its MCP subprocesses keep the
TemporaryDirectory as their cwd briefly after exit, holding a directory handle.
That makes TemporaryDirectory's rmtree raise PermissionError (WinError 32) on
__exit__, aborting the run with a traceback even though the review completed
successfully. Pass ignore_cleanup_errors=True so cleanup is best-effort and a
post-review cleanup race never fails the run.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(slack): truncate served arg-menu option labels on a surrogate boundary (#97923)

* fix(update): validate bundle plugin payloads by manifest contract (#98010)

* fix(update): validate bundle plugin payloads by manifest contract

Closes #97985

* fix(update): preserve native payload checks for dual-format plugins

* fix(update): satisfy payload validation lint

* fix(update): cover persisted marketplace bundles

* fix(codex): derive terminal-idle watchdog from explicit run timeout (#85296)

* fix(codex): derive terminal-idle watchdog from effective run timeout

Fixes the early-abort half of #85242. The Codex app-server terminal-idle
watchdog used a hardcoded 30-minute default that was not derived from the
effective run timeout, so a scheduled turn configured with a longer
timeoutSeconds could be aborted early at 30 minutes even with budget left.

resolveCodexTurnTerminalIdleTimeoutMs (now in attempt-timeouts.ts after the
upstream split) accepts the effective run timeout and, with no explicit
override, follows the run budget instead of the 30-minute default:
- explicit override always wins (advanced config / tests)
- otherwise terminal-idle = max(30min floor, run budget), so a longer run is
  no longer cut short and existing protection is never shortened
- falls back to the 30min default when no run budget is known

Reuses the existing resolvePositiveIntegerTimeoutMs helper, matching the
neighbouring post-tool resolver. Adds focused unit tests for the derivation.

The diagnostic-wording half of #85242 (naming the terminal-idle watchdog in
the surfaced guidance) is left as a separate follow-up.

* fix(codex): derive terminal-idle watchdog from effective run timeout

* fix(codex): preserve default terminal idle watchdog

---------

Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* feat(i18n): inventory native app UI strings

* feat(i18n): define native locale matrix

* fix(i18n): keep native refresh inventory clean

* fix(i18n): guard native inventory in CI

* fix(i18n): skip non-runtime native source literals

* fix(i18n): preserve native placeholders and whitespace

* ci(i18n): run native checks for tooling changes

* fix(i18n): preserve Kotlin native placeholders

* fix(i18n): parse native interpolation expressions

* feat(i18n): inventory native resources and wrappers

* fix(i18n): align native scan scope and build exclusions

* fix(i18n): inventory conditional native labels

* fix(i18n): cover all native source roots

* fix(i18n): filter non-translatable native literals

* fix(i18n): restrict native UI extraction

* fix(i18n): route native inventory checks narrowly

* feat(i18n): add Swedish native locale

* fix(ci): route native locale refresh checks

* fix(i18n): cover structured native UI strings

* fix(i18n): scope native UI helper extraction

* fix(i18n): cover native conditional UI strings

* fix(i18n): parse native UI string expressions

* fix(i18n): include custom SwiftUI helper labels

* fix(i18n): stabilize native inventory generation

* chore(i18n): refresh native inventory line mappings

* fix(ui): localize expired pairing QR notice

* fix(ui): localize expired pairing QR notice

* fix: allow config.patch with defaulted provider baseUrl (#98396)

Summary:
- Merged fix: allow config.patch with defaulted provider baseUrl after ClawSweeper review.

Automerge notes:
- No ClawSweeper repair was needed after automerge opt-in.

Validation:
- ClawSweeper review passed for head 68fbf67640f7abe2d6e78ee935dddaa0caae0a27.
- Required merge gates passed before the squash merge.

Prepared head SHA: 68fbf67640f7abe2d6e78ee935dddaa0caae0a27
Review: https://github.com/openclaw/openclaw/pull/98396#issuecomment-4853365525

Co-authored-by: momothemage <niuzhengnan@163.com>
Approved-by: momothemage

* chore(ui): refresh zh-TW control ui locale

* chore(ui): refresh de control ui locale

* chore(ui): refresh pt-BR control ui locale

* chore(ui): refresh zh-CN control ui locale

* chore(ui): refresh es control ui locale

* chore(ui): refresh ja-JP control ui locale

* chore(ui): refresh ko control ui locale

* chore(ui): refresh fr control ui locale

* chore(ui): refresh ar control ui locale

* chore(ui): refresh tr control ui locale

* chore(ui): refresh uk control ui locale

* chore(ui): refresh it control ui locale

* chore(ui): refresh id control ui locale

* chore(ui): refresh pl control ui locale

* chore(ui): refresh th control ui locale

* chore(ui): refresh vi control ui locale

* chore(ui): refresh nl control ui locale

* chore(ui): refresh fa control ui locale

* fix(usage-bar): use Object.hasOwn instead of in operator to avoid prototype chain pollution (#98503)

The in operator traverses the prototype chain, causing keys like toString,
constructor, valueOf, and __proto__ to incorrectly match Object.prototype
inherited properties in alias table lookups and map segment case lookups.
Replace with Object.hasOwn (ES2022) which only checks own properties.

Fixes #98466

Co-authored-by: Claude <noreply@anthropic.com>

* feat(android): localize gateway onboarding

* feat(android): localize every native locale

* fix(android): complete localized gateway trust flows

* test(android): enforce localized resource coverage

* fix(android): preserve Swedish app name

* fix(android): validate resource apostrophe syntax

* fix(media): normalize Windows inbound paths case-insensitively

* fix Windows inbound media path casing

* test: cover Windows inbound path casing

* test(plugin-sdk): cover media runtime inbound path casing

* fix(agents): skip implicit discovery in models replace mode

* fix(agents): skip implicit provider discovery when models.mode is 'replace' [AI-assisted]

resolveProvidersForModelsJsonWithDeps unconditionally awaited the implicit
provider resolver before honoring models.mode. With mode: 'replace' the user
opts out of discovery, so add a 3-line early-return guard that returns only the
explicit providers — eliminating the (slow) discovery pass for replace-mode.

Closes #66957.
AI-assisted contribution.

* chore: re-trigger CI (transient checkout/flaky core-check failures + cancelled gates; no code change)

* fix(sessions): preserve lineage metadata in JSON

* fix(message-tool): apply responsePrefix to outbound sends

* fix(message-tool): apply messages.responsePrefix to outbound sends

* fix(message-tool): interpolate responsePrefix templates on sends and skip unresolved model tokens

* fix(embedded-agent): classify Cloudflare challenge HTML as upstream failure

* fix: #94432 classify Cloudflare challenge 403 as upstream_html instead of auth_html

* chore: trigger CI re-run for Real behavior proof validation

* fix: align Cloudflare challenge detector with shared challenge markers

Extend CLOUDFLARE_CHALLENGE_RE to also match cdn-cgi/challenge-platform
and challenge-error-text — patterns already recognized by the shared
STANDALONE_HTML_ERROR_HINT_RE in assistant-error-format.ts.

Add regression tests for both new marker variants to ensure coverage.

* fix(embedded-agent): suppress raw Cloudflare HTML in console after upstream_html reclassification

- Add upstream_html to RAW_ERROR_CONSOLE_SUPPRESSED_FAILURE_KINDS so
  Cloudflare challenge 403 pages classified as upstream_html do not
  leak raw HTML into lifecycle/failover console rawError= diagnostics
- Add regression test verifying upstream_html suppression in
  failover observation console messages

Re: #94432

---------

Co-authored-by: lzyyzznl <lzyyzznl@users.noreply.github.com>
Co-authored-by: lizeyu-xydt <lizeyu@xydigit.com>

* fix(docker): reduce local build memory pressure

* feat(node): add gateway context path support

* fix(irc): classify host-less nick!user allowlist entries as mutable

An IRC sender mask is nick!user@host where only host is server verified;
nick and user (ident) are client supplied and spoofable. The allowlist
identity classifier treated any entry containing "!" or "@" as a verified
stable identity, so a host-less nick!user entry was classified stable and
matched by the host-less nick!user subject candidate. With
dangerouslyAllowNameMatching at its secure default (off), the mutable
identifier policy only strips entries owned by a dangerous field, so the
host-less entry was never stripped and a remote sender presenting the same
nick and ident was admitted regardless of host.

Require a verified @host component before an entry or subject is classified
stable. Host-less nick and host-less nick!user are now both routed to a
dangerous (mutable) field so they are gated by the same name-matching policy.
The doctor mutable-allowlist detector now also flags host-less nick!user
entries so operators who typed that undocumented shape get a warning. The
documented full nick!user@host mask stays stable and unaffected.

* fix(matrix): bound raw transport response reads

* fix(matrix): bound raw transport response reads to prevent OOM

* test(matrix): add real node:http server proof for bound transport

Two new integration-style tests drive performMatrixRequest against a real
node:http server (no stubRuntimeFetch mock) using real undici + SSRF
dispatcher and ssrfPolicy.allowPrivateNetwork:

- over-cap: server declares Content-Length > MATRIX_SDK_RESPONSE_MAX_BYTES
  with maxBytes omitted → rejects MatrixMediaSizeLimitError (68 ms wall)
- under-cap: server returns small payload with maxBytes omitted → Buffer
  returned correctly (12 ms wall)

Addresses ClawSweeper feedback: previous proof showed only Vitest mock
output; these tests exercise the real Matrix runtime fetch path end-to-end.

* test(matrix): satisfy lint for transport proof

* fix(matrix): preserve encrypted media download limits

* test(matrix): add streaming OOM guard proof via real node:http server without Content-Length

Drive readResponseWithLimit directly by omitting Content-Length so that
enforceDeclaredResponseSize is a no-op and the streaming byte cap is the
sole enforcement path. A 20 MiB chunked server response with a 16 MiB
cap confirms the stream is canceled before full buffering (chunksWritten
< TOTAL_CHUNKS). A second case verifies under-cap payloads pass through.

* test(matrix): fix lint errors in real HTTP server proof (curly)

* test(matrix): add under-cap proof to real HTTP server test

* fix(feishu): hoist abortable delay timer binding

The finish() closure referenced timer which was declared with const after
finish was defined. If finish(false) ran via the abort signal check at
line 99 or via the abort event listener before the const timer assignment,
accessing timer in the temporal dead zone would throw a ReferenceError.

Hoist timer as a let binding above finish so it is safely undefined when
finish fires early, and the  guard in finish handles it.

* fix: clear Tailscale probe timeout

The checkBinary helper used Promise.race with a setTimeout-based timeout
but never cleared the timer when runExec completed first. Wrap the race
in a try/finally that clears the timer handle to avoid a dangling timer.

* fix(sms): strip internal tool traces from replies

* fix(browser): decode CDP URL credentials

* fix(reply): honor suppressToolErrors for progress

5.22 already drops the tool-error WARNING text via payloads.ts, but the
error tool-result payload was still delivered as channel progress unless
sourceReplyDeliveryMode was message_tool_only. Operators who opt into
messages.suppressToolErrors expect no tool-error noise in chat at all.
Add a config-gated early-return in the onToolResult dispatch path so the
visible progress delivery is dropped too, matching the warning-text policy.
No-op unless messages.suppressToolErrors is true. Folds the mac-mini deploy
hotfix into the tracked branch.

(cherry picked from commit a973410e6d3ddbbaa4c3fb308ad4247274a9633a)

Co-authored-by: amittell <mittell@me.com>

* fix(reload): cancel deferred channel reload on restart

Fixes #79487

* fix: restore main lint after timer repairs

Preserve the Tailscale timeout cleanup from #98134 and the Feishu TDZ fix from #98137 while satisfying the repository lint rules.

Credit: @zhangLei99586 authored both underlying fixes.

Co-authored-by: Peter Steinberger <58493+steipete@users.noreply.github.com>
Co-authored-by: zhangLei99586 <zhang.lei162@xydigit.com>

* fix(slack): guard relay frame parsing

* fix(slack): guard relay WebSocket frame JSON.parse against malformed input

Slack Socket Mode relay receives WebSocket frames from external
infrastructure. parseRelayFrame() used bare JSON.parse() which would
throw raw SyntaxError on malformed frames, potentially crashing the
relay connection.

Wrap JSON.parse in try/catch and throw SlackRelayMalformedFrameError
with the original SyntaxError as cause, so callers can distinguish
transport errors from parse errors.

D4 dimension — all competitors have zero coverage.

Signed-off-by: lsr911 <liao.shirong@xydigit.com>

* fix(slack): repair relay frame guard tests

---------

Signed-off-by: lsr911 <liao.shirong@xydigit.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(memory-core): skip qmd zero-hit search sync

* fix(transcripts): close stream on parse failure

* fix(cli): show exit code when plugin npm install returns empty output (#98497)

* fix(cli): show exit code when npm install returns empty output

installPackageDir previously produced 'npm install failed:' with an empty
suffix when npm exited non-zero without writing to stdout or stderr. Users
running 'openclaw plugins install @openclaw/acpx' saw only that empty line
followed by the misleading hook-pack fallback error, leaving nothing
actionable in the output.

Add a small helper that keeps npm's own output when it exists but falls
back to reporting the exit code, signal, and termination reason when both
streams are empty. Regression tests cover the empty-output exit case and
the signal-terminated case; the existing stderr surfacing test still
passes unchanged.

Refs #98484

* fix(cli): narrow npm install failure diagnostics

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* feat(apple): add Russian and Hindi app catalogs

* feat(apple): localize native app surfaces

* style(apple): format localized share extension

* feat(apple): complete core locale coverage

* test(apple): enforce phased catalog coverage

* fix(macos): package localized app resources

* fix(macos): compile packaged localizations

* fix(apple): preserve localized static labels

* fix: restore tooling CI after transcript test addition (#98610)

* test: update transcript helper routing expectation

* test: update transcript helper routing expectation

---------

Co-authored-by: Peter Steinberger <58493+steipete@users.noreply.github.com>

* fix(subagent): preserve steered task text on restart redispatch

Squashed from PR #77539 after maintainer CI repair.

* feat(i18n): refresh native locale artifacts

* feat(i18n): refresh every native locale

* fix(ci): commit first native locale artifacts

* docs(i18n): clarify native artifact ownership

* fix(i18n): validate native translation structure

* fix(ci): restrict native locale refresh dispatch

* fix(i18n): validate Kotlin and Swift placeholders

* fix(i18n): cover all native source roots

* fix(i18n): guard native refresh inputs

* test(i18n): prove native refresh creation and no-op

* test(ci): guard native locale refresh retries

* fix(i18n): allow locale placeholder reordering

* fix(i18n): validate native refresh inputs

* fix(i18n): name Swedish in translation prompts

* fix(i18n): preserve native printf placeholders

* fix(ci): refresh native locales for glossary changes

* test(i18n): use shared temp directory helper…
chenyangjun-xy pushed a commit to chenyangjun-xy/openclaw that referenced this pull request Jul 1, 2026
…indows (openclaw#98093)

* fix(core): propagate caller env PATHEXT through isExecutableFile on Windows

isExecutableFile hardcoded undefined when calling resolveWindowsExecutableExtSet,
ignoring any caller-provided custom env.PATHEXT. This meant resolveExecutablePath
and resolveExecutableFromPathEnv would fall back to process.env.PATHEXT even when
the caller supplied a different env with an extended PATHEXT (e.g. .PS1).

- Add optional options.env parameter to isExecutableFile
- resolveWindowsExecutableExtSet now reads from options?.env
- All 3 callers pass their available env through

Affects Windows deployments using sandbox/container environments where
PATHEXT differs from process.env (Docker Windows containers, CI runners, tests).
Fully backward compatible: undefined env falls back to process.env.PATHEXT.

* fix(core): also propagate caller env PATHEXT in node-host invoke resolver

- Fix sibling system.which resolver in src/node-host/invoke.ts:378
  to use caller env PATHEXT instead of process.env only
- Add comprehensive Windows-mocked tests for caller env PATHEXT
  propagation through isExecutableFile, resolveExecutableFromPathEnv,
  and resolveExecutablePath
- Tests cover: custom env accepted, fallback to process.env,
  path-separator and PATH-based resolution paths

* fix(core): also propagate caller env PATHEXT through node-host invoke resolver

- Add env?.PathExt and process.env.PathExt casing to both
  resolveWindowsExecutableExtSet and resolveWindowsExecutableExtensions
  for compatibility with callers using PascalCase env keys
- Isolate positive PATHEXT tests from process.env.PATHEXT by
  explicitly setting it to .TXT before each test, ensuring they
  prove caller env propagation rather than host env leak

* fix(core): add env?.PathExt casing to node-host system.which resolver

---------

Co-authored-by: wendy-chsy <wan.wenyan@xydigit.com>
@wendy-chsy wendy-chsy deleted the fix/isExecutableFile-env-propagation branch July 2, 2026 01:49
chenyangjun-xy pushed a commit to chenyangjun-xy/openclaw that referenced this pull request Jul 3, 2026
…indows (openclaw#98093)

* fix(core): propagate caller env PATHEXT through isExecutableFile on Windows

isExecutableFile hardcoded undefined when calling resolveWindowsExecutableExtSet,
ignoring any caller-provided custom env.PATHEXT. This meant resolveExecutablePath
and resolveExecutableFromPathEnv would fall back to process.env.PATHEXT even when
the caller supplied a different env with an extended PATHEXT (e.g. .PS1).

- Add optional options.env parameter to isExecutableFile
- resolveWindowsExecutableExtSet now reads from options?.env
- All 3 callers pass their available env through

Affects Windows deployments using sandbox/container environments where
PATHEXT differs from process.env (Docker Windows containers, CI runners, tests).
Fully backward compatible: undefined env falls back to process.env.PATHEXT.

* fix(core): also propagate caller env PATHEXT in node-host invoke resolver

- Fix sibling system.which resolver in src/node-host/invoke.ts:378
  to use caller env PATHEXT instead of process.env only
- Add comprehensive Windows-mocked tests for caller env PATHEXT
  propagation through isExecutableFile, resolveExecutableFromPathEnv,
  and resolveExecutablePath
- Tests cover: custom env accepted, fallback to process.env,
  path-separator and PATH-based resolution paths

* fix(core): also propagate caller env PATHEXT through node-host invoke resolver

- Add env?.PathExt and process.env.PathExt casing to both
  resolveWindowsExecutableExtSet and resolveWindowsExecutableExtensions
  for compatibility with callers using PascalCase env keys
- Isolate positive PATHEXT tests from process.env.PATHEXT by
  explicitly setting it to .TXT before each test, ensuring they
  prove caller env propagation rather than host env leak

* fix(core): add env?.PathExt casing to node-host system.which resolver

---------

Co-authored-by: wendy-chsy <wan.wenyan@xydigit.com>
Rorqualx pushed a commit to Rorqualx/cortex that referenced this pull request Jul 8, 2026
…indows (openclaw#98093)

* fix(core): propagate caller env PATHEXT through isExecutableFile on Windows

isExecutableFile hardcoded undefined when calling resolveWindowsExecutableExtSet,
ignoring any caller-provided custom env.PATHEXT. This meant resolveExecutablePath
and resolveExecutableFromPathEnv would fall back to process.env.PATHEXT even when
the caller supplied a different env with an extended PATHEXT (e.g. .PS1).

- Add optional options.env parameter to isExecutableFile
- resolveWindowsExecutableExtSet now reads from options?.env
- All 3 callers pass their available env through

Affects Windows deployments using sandbox/container environments where
PATHEXT differs from process.env (Docker Windows containers, CI runners, tests).
Fully backward compatible: undefined env falls back to process.env.PATHEXT.

* fix(core): also propagate caller env PATHEXT in node-host invoke resolver

- Fix sibling system.which resolver in src/node-host/invoke.ts:378
  to use caller env PATHEXT instead of process.env only
- Add comprehensive Windows-mocked tests for caller env PATHEXT
  propagation through isExecutableFile, resolveExecutableFromPathEnv,
  and resolveExecutablePath
- Tests cover: custom env accepted, fallback to process.env,
  path-separator and PATH-based resolution paths

* fix(core): also propagate caller env PATHEXT through node-host invoke resolver

- Add env?.PathExt and process.env.PathExt casing to both
  resolveWindowsExecutableExtSet and resolveWindowsExecutableExtensions
  for compatibility with callers using PascalCase env keys
- Isolate positive PATHEXT tests from process.env.PATHEXT by
  explicitly setting it to .TXT before each test, ensuring they
  prove caller env propagation rather than host env leak

* fix(core): add env?.PathExt casing to node-host system.which resolver

---------

Co-authored-by: wendy-chsy <wan.wenyan@xydigit.com>
(cherry picked from commit 8028269)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

P2 Normal backlog priority with limited blast radius. proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🦞 diamond lobster Very strong PR readiness with only minor maintainer review expected. size: S status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants