9045 Commits

Author SHA1 Message Date
Peter Steinberger
9ae1b732ef fix: align tool definition adapter 2026-02-02 02:28:22 -08:00
Peter Steinberger
385e66cbd5 Docs: expand ClawHub overview 2026-02-02 02:26:11 -08:00
Peter Steinberger
2d317ce423 fix: align tool execute parameter order 2026-02-02 10:20:13 +00:00
Peter Steinberger
284d24209b fix: align tool execute signature 2026-02-02 10:14:29 +00:00
Peter Steinberger
b8174decf3 fix: resolve system prompt overrides 2026-02-02 02:10:13 -08:00
Peter Steinberger
41cc5bcd4f fix: gate Teams media auth retries 2026-02-02 02:08:13 -08:00
Peter Steinberger
f6d98a908a docs: add changelog entry for plugin install hardening 2026-02-02 02:07:47 -08:00
Peter Steinberger
d03eca8450 fix: harden plugin and hook install paths 2026-02-02 02:07:47 -08:00
Peter Steinberger
be9a2fb134 docs: clarify docker power-user setup 2026-02-02 02:07:08 -08:00
Tyler Yust
8d2f98fb01 Fix subagent announce failover race (always emit lifecycle end + treat timeout=0 as no-timeout) (#6621)
* Fix subagent announce race and timeout handling

Bug 1: Subagent announce fires before model failover retries finish
- Problem: CLI provider emitted lifecycle error on each attempt, causing
  subagent registry to prematurely call beginSubagentCleanup() and announce
  with incorrect status before failover retries completed
- Fix: Removed lifecycle error emission from CLI provider's attempt-level
  .catch() in agent-runner-execution.ts. Errors still propagate to
  runWithModelFallback for retry, but no intermediate lifecycle events
  are emitted. Only the final outcome (after all retries) emits lifecycle
  events.

Bug 2: Hard 600s per-prompt timeout ignores runTimeoutSeconds=0
- Problem: When runTimeoutSeconds=0 (meaning 'no timeout'), the code
  returned the default 600s timeout instead of respecting the 0 setting
- Fix: Modified resolveAgentTimeoutMs() to treat 0 as 'no timeout' and
  return a very large timeout value (30 days) instead of the default.
  This avoids setTimeout issues with Infinity while effectively providing
  unlimited time for long-running tasks.

* fix: emit lifecycle:error for CLI failures (#6621) (thanks @tyler6204)

* chore: satisfy format/lint gates (#6621) (thanks @tyler6204)

* fix: restore build after upstream type changes (#6621) (thanks @tyler6204)

* test: fix createSystemPromptOverride tests to match new return type (#6621) (thanks @tyler6204)
2026-02-02 02:06:14 -08:00
Peter Steinberger
d5f6caba3f docs: merge 2026.2.2 changelog into 2026.2.1 2026-02-02 01:31:24 -08:00
Peter Steinberger
4682c2e3e2 docs: add ClawHub registry overview 2026-02-02 01:26:29 -08:00
Peter Steinberger
34dd7324d9 fix: restore lint/build gates 2026-02-02 01:25:40 -08:00
Tyler Yust
9ef24fd400 fix: flush block streaming on paragraph boundaries for chunkMode=newline (#7014)
* feat: Implement paragraph boundary flushing in block streaming

- Added `flushOnParagraph` option to `BlockReplyChunking` for immediate flushing on paragraph breaks.
- Updated `EmbeddedBlockChunker` to handle paragraph boundaries during chunking.
- Enhanced `createBlockReplyCoalescer` to support flushing on enqueue.
- Added tests to verify behavior of flushing with and without `flushOnEnqueue` set.
- Updated relevant types and interfaces to include `flushOnParagraph` and `flushOnEnqueue` options.

* fix: Improve streaming behavior and enhance block chunking logic

- Resolved issue with stuck typing indicator after streamed BlueBubbles replies.
- Refactored `EmbeddedBlockChunker` to streamline fence-split handling and ensure maxChars fallback for newline chunking.
- Added tests to validate new chunking behavior, including handling of paragraph breaks and fence scenarios.
- Updated changelog to reflect these changes.

* test: Add test for clamping long paragraphs in EmbeddedBlockChunker

- Introduced a new test case to verify that long paragraphs are correctly clamped to maxChars when flushOnParagraph is enabled.
- Updated logic in EmbeddedBlockChunker to handle cases where the next paragraph break exceeds maxChars, ensuring proper chunking behavior.

* refactor: streamline logging and improve error handling in message processing

- Removed verbose logging statements from the `processMessage` function to reduce clutter.
- Enhanced error handling by using `runtime.error` for typing restart failures.
- Updated the `applySystemPromptOverrideToSession` function to accept a string directly instead of a function, simplifying the prompt application process.
- Adjusted the `runEmbeddedAttempt` function to directly use the system prompt override without invoking it as a function.
2026-02-02 01:22:41 -08:00
Peter Steinberger
85cd55e22b chore: bump to 2026.2.1 2026-02-02 08:51:54 +00:00
David Iach
4e4ed2ea17 fix(security): cap Slack media downloads and validate Slack file URLs (#6639)
* Security: cap Slack media downloads and validate Slack file URLs

* Security: relax web media fetch cap for compression

* Fixes: sync pi-coding-agent options

* Fixes: align system prompt override type

* Slack: clarify fetchImpl assumptions

* fix: respect raw media fetch cap (#6639) (thanks @davidiach)

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-02-02 00:48:07 -08:00
Peter Steinberger
521b121815 fix: treat '*' tool allowlist as valid 2026-02-02 08:45:51 +00:00
vignesh07
e74235fdce ci(formal): compute drift for generated/ before model checking 2026-02-02 00:43:28 -08:00
vignesh07
f37b79cf4f ci(formal): add routing-trirule + proxy-header-spoof targets 2026-02-02 00:43:28 -08:00
vignesh07
889480cef9 ci(formal): include latest reliability/conformance model targets 2026-02-02 00:43:28 -08:00
Ayaan Zaidi
01449a2f41 fix: add telegram download timeouts (#6914) (thanks @hclsys) 2026-02-02 13:39:39 +05:30
chenglun.hu
d46b489e21 fix(telegram): add timeout to file download to prevent DoS (CWE-400)
Add AbortSignal.timeout() to both fetch calls in download.ts to prevent
indefinite hangs when Telegram API is slow or unresponsive.

- getTelegramFile(): 30s timeout for metadata API call
- downloadTelegramFile(): 60s timeout for file download

Both functions now accept optional timeoutMs parameter for configurability.

Fixes #6849

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 13:39:39 +05:30
cpojer
935a0e5708 chore: Enable typescript/no-explicit-any rule. 2026-02-02 16:18:09 +09:00
cpojer
baa1e95b9d chore: Enable no-unnecessary-template-expression lint rule. 2026-02-02 15:37:05 +09:00
cpojer
87a61c3b88 chore: Re-enable no-redundant-type-constituents rule. 2026-02-02 15:32:03 +09:00
cpojer
e9a32b83c2 chore: Manually fix lint issues in ui. 2026-02-02 15:23:36 +09:00
cpojer
5ba4586e58 chore: lint the ui folder. 2026-02-02 15:08:47 +09:00
Ayaan Zaidi
e25f8ed56c fix: add changelog for telegram thread spec (#6833) (thanks @obviyus) 2026-02-02 09:26:59 +05:30
Ayaan Zaidi
0bc8a592a6 fix: inline telegram thread scope type 2026-02-02 09:26:59 +05:30
Ayaan Zaidi
1d7dd5f261 fix: require thread specs for telegram sends 2026-02-02 09:26:59 +05:30
Ayaan Zaidi
19b8416a81 fix: unify telegram thread handling 2026-02-02 09:26:59 +05:30
Sk Akram
5020bfa2a9 fix: L2-normalize local embedding vectors to fix semantic search (#5332)
* fix: L2-normalize local embedding vectors to fix semantic search

* fix: handle non‑finite magnitude in L2 normalization and remove stale test reset

* refactor: add braces to l2Normalize guard clause in embeddings

* fix: sanitize local embeddings (#5332) (thanks @akramcodez)

---------

Co-authored-by: Gustavo Madeira Santana <gumadeiras@gmail.com>
2026-02-01 22:56:44 -05:00
Seb Slight
b9910ab037 Docs: fix Moonshot sync markers (#6789)
* Docs: fix Moonshot sync markers

* Docs: use MDX comment markers for Moonshot sync

* Docs: use markdown comment markers for Moonshot sync

* Docs: hide Moonshot sync markers in MDX
2026-02-02 03:38:14 +01:00
cpojer
902f968056 chore: Add pnpm check for fast repo checks. 2026-02-02 11:16:13 +09:00
cpojer
bd259eeb23 chore: Update deps. 2026-02-02 11:11:12 +09:00
Tyler Yust
476f367cf1 Gateway: avoid writing host config in tools invoke test 2026-02-01 17:19:23 -08:00
Mario Zechner
dda8a2b238 fix: format docs 2026-02-02 02:08:24 +01:00
Mario Zechner
7ee99af9f8 fix: convert HTML comments to MDX comments in docs 2026-02-02 02:05:02 +01:00
Mario Zechner
4347d2468c fix: format issues and lint error in oauth.ts 2026-02-02 01:59:42 +01:00
Mario Zechner
cf1d3f7a7c fix: update pi packages to 0.51.0, remove bogus type augmentation
- Update @mariozechner/pi-agent-core, pi-ai, pi-coding-agent, pi-tui to 0.51.0
- Delete src/types/pi-coding-agent.d.ts (declared additionalExtensionPaths which SDK never supported)
- Fix ToolDefinition.execute signature (parameter order changed in 0.51.0)
- Remove dead additionalExtensionPaths from createAgentSession calls
2026-02-02 01:52:33 +01:00
Sebastian
0fa55ed2b4 Docs: update clawtributors 2026-02-01 19:51:48 -05:00
Sebastian
63c9fac9fc Docs: clarify node host SSH tunnel flow
Co-authored-by: Dmytro Semchuk <x0m4ek@users.noreply.github.com>
2026-02-01 19:50:33 -05:00
Peter Steinberger
8c7901c984 fix(twitch): enforce allowFrom allowlist 2026-02-02 00:16:35 +00:00
Peter Steinberger
aa2eb48b9c fix: align pi-coding-agent typings and docs 2026-02-01 16:08:01 -08:00
Peter Steinberger
7aeabbabd4 fix: refine oauth provider guard 2026-02-01 15:52:56 -08:00
Peter Steinberger
e58291e070 fix: align embedded runner with pi-coding-agent API 2026-02-01 15:51:46 -08:00
hcl
411d5fda58 fix(tlon): add timeout to SSE client fetch calls (CWE-400) (#5926)
Add timeout protection to prevent indefinite hangs when Urbit server
becomes unresponsive or network partition occurs.

Changes:
- Add AbortSignal.timeout(30_000) to 7 one-shot fetch calls
- Add AbortController with 60s connection timeout to SSE stream fetch
  (clears timeout after headers received to avoid aborting active stream)

Affected methods: sendSubscription, connect, openStream, poke, scry, close

Fixes #5266

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-01 15:40:27 -08:00
Peter Steinberger
19775abdda fix: clean up plugin linting and types 2026-02-01 15:38:32 -08:00
Peter Steinberger
a87a07ec8a fix: harden host exec env validation (#4896) (thanks @HassanFleyah) 2026-02-01 15:37:19 -08:00
Hasan FLeyah
0a5821a811 fix(security): enforce strict environment variable validation in exec tool (#4896) 2026-02-01 15:36:24 -08:00