Peter Steinberger
4134875c31
fix: route discord native subagent announce to channel target
2026-02-18 02:42:52 +00:00
Peter Steinberger
c1928845ac
fix: route native subagent spawns to target session
2026-02-18 02:35:58 +00:00
Gustavo Madeira Santana
40a6661597
test(cli): fix option-collision mock typings
2026-02-17 21:32:04 -05:00
Peter Steinberger
c90b09cb02
feat(agents): support Anthropic 1M context beta header
2026-02-18 03:29:48 +01:00
Peter Steinberger
d1c00dbb7c
fix: harden include confinement edge cases ( #18652 ) (thanks @aether-ai-agent)
2026-02-18 03:27:16 +01:00
aether-ai-agent
b5f551d716
fix(security): OC-06 prevent path traversal in config includes
...
Fixed CWE-22 path traversal vulnerability allowing arbitrary file reads
through the $include directive in OpenClaw configuration files.
Security Impact:
- CVSS 8.6 (High) - Arbitrary file read vulnerability
- Attack vector: Malicious config files with path traversal sequences
- Impact: Exposure of /etc/passwd, SSH keys, cloud credentials, secrets
Implementation:
- Added path boundary validation in resolvePath() (lines 169-198)
- Implemented symlink resolution to prevent bypass attacks
- Restrict includes to config directory only
- Throw ConfigIncludeError for escaping paths
Testing:
- Added 23 comprehensive security tests
- 48/48 includes.test.ts tests passing
- 5,063/5,063 full suite tests passing
- 95.55% coverage on includes.ts
- Zero regressions, zero breaking changes
Attack Vectors Blocked:
✓ Absolute paths (/etc/passwd, /etc/shadow)
✓ Relative traversal (../../etc/passwd)
✓ Symlink bypass attempts
✓ Home directory access (~/.ssh/id_rsa)
Legitimate Use Cases Preserved:
✓ Same directory includes (./config.json)
✓ Subdirectory includes (./clients/config.json)
✓ Deep nesting (./a/b/c/config.json)
Aether AI Agent Security Research
2026-02-18 03:27:16 +01:00
Peter Steinberger
ae3637b23b
test: expand subagent announce completion coverage
2026-02-18 03:21:52 +01:00
Peter Steinberger
edf7d6af61
fix: harden subagent completion announce retries
2026-02-18 03:19:50 +01:00
Peter Steinberger
d7c6136c1f
test: add sonnet 4.6 and opus 4.6 setup-token model tests
2026-02-18 03:12:32 +01:00
Gustavo Madeira Santana
5a31da8eec
chore: format imports in gateway and session tools
2026-02-17 21:10:38 -05:00
Peter Steinberger
81db059627
fix(subagents): always read latest assistant/tool output on subagent completion
2026-02-18 02:59:40 +01:00
Peter Steinberger
0dd97feb41
fix(subagents): include tool role in subagent completion output
2026-02-18 02:57:33 +01:00
Gustavo Madeira Santana
985ec71c55
CLI: resolve parent/subcommand option collisions ( #18725 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: b7e51cf9095599352+gumadeiras@users.noreply.github.com >
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com >
Reviewed-by: @gumadeiras
2026-02-17 20:57:09 -05:00
Peter Steinberger
fa4f66255c
fix(subagents): return completion message for manual session spawns
2026-02-18 02:52:35 +01:00
Peter Steinberger
f6f5cda6ca
style: format subagent command files
2026-02-18 01:50:11 +00:00
Peter Steinberger
e2dd827ca4
fix: guarantee manual subagent spawn sends completion message
2026-02-18 02:45:05 +01:00
Peter Steinberger
5bd95bef5a
fix(protocol): regenerate swift gateway models
2026-02-18 01:37:34 +00:00
Peter Steinberger
b8b43175c5
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
Peter Steinberger
31f9be126c
style: run oxfmt and fix gate failures
2026-02-18 01:29:02 +00:00
Peter Steinberger
638853c6d2
fix(security): sanitize sandbox env vars before docker launch
2026-02-18 02:18:05 +01:00
Peter Steinberger
5487c9adeb
feat(security): add sandbox env sanitization helpers + tests
2026-02-18 02:18:02 +01:00
Peter Steinberger
71ad357bbe
test: remove obsolete mesh test file
2026-02-18 02:18:02 +01:00
Peter Steinberger
972d1b74d0
Revert "Add mesh orchestration gateway methods with DAG execution and retry"
...
This reverts commit 83990ed542
2026-02-18 02:18:02 +01:00
Peter Steinberger
01672a8f25
Revert "Add mesh auto-planning with chat command UX and hardened auth/session behavior"
...
This reverts commit 16e59b26a6
2026-02-18 02:18:02 +01:00
Peter Steinberger
6dcc052bb4
fix: stabilize model catalog and pi discovery auth storage compatibility
2026-02-18 02:09:40 +01:00
Peter Steinberger
653add918b
chore: bump workspace dependencies
2026-02-18 01:59:08 +01:00
Peter Steinberger
414b996b0c
fix(agents): make image resize logs single-line with size
2026-02-18 01:58:33 +01:00
Peter Steinberger
3459200444
docs: reorder unreleased changelog by user-impact highlights
2026-02-18 01:51:28 +01:00
Nick Lamb
f42e13c17c
feat(telegram): add forum topic creation support ( #17035 )
...
* Revert "fix(gateway): set explicit chat timeouts for mesh gateway calls"
This reverts commit c529e6005a8b14052ebe53af9f7437b6d934c2c7717caa97fb2ab6313d9932c66aff4959e0e7e4ffb91e43714bd4a142fd8f06b961b037d6acd7157634b18ea9db#18601
* fix(ui): preserve locale bootstrap and trusted-proxy overview behavior
* fix(scripts): harden Windows UI spawn behavior
* fix(slack): validate interaction payloads and handle malformed actions
* fix(mattermost): harden react remove flag parsing
* docs(changelog): record PR 18608 fixups
* fix(heartbeat): bound responsePrefix strip for ack detection
* chore: Fix types in tests 3/N.
* chore: chore: Fix types in tests 4/N.
* chore: Fix types in tests 5/N.
* chore: Fix types in tests 6/N.
* chore: Format files.
* chore: Fix types that were broken due to reverts.
* chore: Cleanup unused vars that were leftover from the reverts.
* fix(actions): layer per-account gate fallback
* fix(subagents): pass group context in /subagents spawn
* fix(failover): align abort timeout detection and regressions
* fix(models): sync auth-profiles before availability checks
* fix(ui): correct usage range totals and muted styles
* Revert "feat: show transcript file size in session status"
This reverts commit 15dd2cda20#18591
* fix(agents): align session lock hold budget with run timeouts
* Revert "fix: resolve #12770 - update Antigravity default model and trim leading whitespace in BlueBubbles replies"
This reverts commit e179d453c7#18584
* revert(tools): finish rollback of PR #18584
* chore: Fix Slack test.
* revert: remove accidentally merged video-quote-finder skill (#18550 )
* revert: accidental merge of OC-09 sandbox env sanitization change
* fix(doctor): move forced exit to top-level command
* chore: Fix types in tests 7/N.
* chore: Fix types in tests 8/N.
* chore: Fix types in tests 9/N.
* chore: Fix types in tests 10/N.
* chore: Fix types in tests 11/N.
* chore: chore: Fix types in tests 12/N.
* chore: Fix type errors from reverts.
* fix(gateway): remove watch-mode build/start race (#18782 )
* fix(doctor): repair googlechat open dm wildcard auto-fix
* test(extensions): cast fetch mocks to satisfy tsgo
* fix(gateway): harden channel health monitor recovery
* fix(reply): track messaging media aliases for dedupe
* refactor(plugins): split before-agent hooks by model and prompt phases
* revert(telegram): undo accidental merge of PR #18564
* fix(agents): restore multi-image image tool schema contract
* chore: Format files.
* fix(ui): gate sessions refresh on successful delete
* revert(docs): undo accidental merge of #18516
* revert(exec): undo accidental merge of PR #18521
* docs(cron): clarify webhook posting summary condition
* fix(gateway): preserve chat.history context under hard caps
* chore: Fix types in tests 13/N.
* chore: Fix types in tests 14/N.
* chore: Fix types in tests 15/N.
* chore: Fix types in tests 16/N.
* chore: Fix types in tests 17/N.
* chore: Fix types in tests 18/N.
* chore: Format files.
* revert(sandbox): revert SHA-1 slug restoration
* test(session): cover stale threadId fallback
* test(status): cover token summary variants
* test(telegram): cover getFile file-too-big errors
* test(voice-call): cover stream disconnect auto-end
* chore(format): fix test import order
* test(agents): cover tool result media placeholders
* chore: chore: Fix types in tests 19/N.
* chore: Fix types in tests 20/N.
* chore: Fix types in tests 21/N.
* chore: Fix types in tests 22/N.
* chore: Fix types in tests 23/N.
* docs(voice-call): document stale call reaper config
* fix(doctor): audit env-only gateway tokens
* fix(sessions): purge deleted transcript archives
* test(docker): cover browser install build arg
* revert(gateway): restore loopback auth setup
* revert(voice-call): undo cached greeting note
* revert(voice-call): undo oxfmt formatting
* revert(voice-call): undo oxfmt formatting pass
* revert(voice-call): remove cached inbound greeting
* test: stabilize infra tests
* fix(subagents): harden announce retry guards
* Revert "fix(whatsapp): allow per-message link preview override\n\nWhatsApp messages default to enabling link previews for URLs. This adds\nsupport for overriding this behavior per-message via the \nparameter (e.g. from tool options), consistent with Telegram.\n\nFix: Updated internal WhatsApp Web API layers to pass option\ndown to Baileys ."
This reverts commit 1bef2fc68bd24340d75b#18147 )
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 5e2285b6a011957602+Marvae@users.noreply.github.com >
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com >
Reviewed-by: @obviyus
* style(telegram): format dispatch files
* chore: Fix types in tests 33/N.
* chore: Fix types in tests 34/N.
* chore: Fix types in tests 35/N.
* chore: Fix types in tests 36/N.
* chore: Fix types in tests 37/N.
* chore: Fix types in tests 38/N.
* chore: Fix types in tests 39/N.
* chore: Fix types in tests 40/N.
* chore: Fix types in tests 41/N.
* chore: Fix types in tests 42/N.
* chore: Fix types in tests 43/N.
* chore: Fix types in tests 44/N.
* chore: Fix types in tests 45/N.
* chore: Typecheck tests.
* chore: Fix broken test.
* chore: Fix hanging test.
* fix(telegram): avoid duplicate preview bubbles in partial stream mode (#18956 )
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: cf4eca71d422031114+obviyus@users.noreply.github.com >
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com >
Reviewed-by: @obviyus
* fix: before_tool_call hook double-fires with abort signal (#16852 )
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 6269d617f3550246+sreuter@users.noreply.github.com >
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com >
Reviewed-by: @obviyus
* Revert "Default Telegram polls to public"
This reverts commit c43e95e011556b531a145cbfaf5cc7#16977 )"
This reverts commit 7bb9a7dcfc#19007 )
* fix: preserve telegram dm topic thread ids
* style: drop aidev-note prefix in telegram comments
* test: pass extensionContext in abort dedupe e2e
* fix: align tool execute arg parsing for hooks
* test: type telegram action mock passthrough args
* Configure: make model picker allowlist searchable
* Configure: improve searchable model picker token matching
* Docs: add screenshot showing model picker usability issue
* fix: searchable model picker in configure (#19010 ) (thanks @bjesuiter)
* fix(extensions): revert openai codex auth plugin (PR #18009 )
* feat(telegram): add channel_post support for bot-to-bot communication (#17857 )
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 27a343cd4d35386211+theSamPadilla@users.noreply.github.com >
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com >
Reviewed-by: @obviyus
* Revert "fix: handle forum/topics in Telegram DM thread routing (#17980 )"
This reverts commit e20b87f1ba#17974 README change
* voice-call: harden closed-loop turn loop and transcript routing (#19140 )
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 14a3edb005132747814+mbelinky@users.noreply.github.com >
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com >
Reviewed-by: @mbelinky
* iOS onboarding: stop auth step-3 retry loop churn (#19153 )
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: a38ec42bdd132747814+mbelinky@users.noreply.github.com >
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com >
Reviewed-by: @mbelinky
* Revert: fully roll back #17974 zh-cn UI README
* chore(subagents): add regression coverage and changelog
* fix(daemon): scope token drift warnings
* test(web): fix baileys mock typing
* test(cron): cover webhook session rollover overrides
* docs(changelog): note webhook session reuse fix
* fix(discord): normalize command allowFrom prefixes
* fix(cli): honor update restart overrides
* fix(cron): add spin-loop regression coverage
* test(gateway): cover trusted proxy trimming
* test(discord): cover audioAsVoice replies
* test(feishu): cover post mentions for other users
* fix(discord): preserve DM lastRoute user target
* Revert "fix(browser): track original port mapping for EADDRINUSE fallback"
This reverts commit 8e55503d770e6daa2e6e#17986 templates
* test: add fetch mock helper and reaction coverage
* CLI: approve latest pending device request
* docs(readme): remove Android install link
* revert(agents): remove llms.txt discovery prompt (#19192 )
* fix(ui): revert PR #18093 directive tags (#19188 )
* test(discord): cover auto-thread skip types
* test(update): cover restart gating
* docs(zai): document tool_stream defaults
* revert: per-model thinkingDefault override (#19195 )
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: fe2c59e22219554889+sebslight@users.noreply.github.com >
Co-authored-by: sebslight <19554889+sebslight@users.noreply.github.com >
Reviewed-by: @sebslight
* fix(gateway): make stale token cleanup non-fatal
* Agents: add before_message_write persistence regression tests
* fix(mattermost): surface reactions support
* Tests: fix fetch mock typings for type-aware checks
* revert: fix models set catalog validation (#19194 )
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 7e3b2ff7af19554889+sebslight@users.noreply.github.com >
Co-authored-by: sebslight <19554889+sebslight@users.noreply.github.com >
Reviewed-by: @sebslight
* test: cover cron telemetry and typed fetch mocks
* revert(agents): revert base64 image validation (#19221 )
* docs(cli): add components send example
* test(sessions): add delivery info regression coverage
* fix(daemon): guard preferred node selection
* test(auto-reply): cover sender_id metadata
* revert: PR 18288 accidental merge (#19224 )
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 3cda31578c19554889+sebslight@users.noreply.github.com >
Co-authored-by: sebslight <19554889+sebslight@users.noreply.github.com >
Reviewed-by: @sebslight
* test(telegram): cover autoSelectFamily env precedence
* test(cron): add model fallback regression coverage
* test(release): add appcast regression coverage
* docs(changelog): remove revert entries
* docs: add maintainer application section
* docs: refine maintainer application guidance
* docs: add vision doc and link from README
* docs: add community plugins guide
* Update auto-response message for third-party extensions
* update my contributing list
* iOS: use operator session for ChatSheet RPCs (#19320 )
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 0753b3a1a2132747814+mbelinky@users.noreply.github.com >
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com >
Reviewed-by: @mbelinky
* fix: sanitize native command names for Telegram API (#19257 )
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: b608be3488179671552+akramcodez@users.noreply.github.com >
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com >
Reviewed-by: @obviyus
* docs(slack): add assistant:write requirement for typing status
* chore: document sessions_spawn response note and subagent context prefix
* feat(ios): auto-select local signing team (#18421 )
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: bbb9c3aa481540134+ngutman@users.noreply.github.com >
Co-authored-by: ngutman <1540134+ngutman@users.noreply.github.com >
Reviewed-by: @ngutman
* fix(bluebubbles): recover outbound message IDs and include sender metadata
* fix cron announce routing and timeout handling
* changelog: add @tyler6204 credit for today's entries
* feat: share to openclaw ios app (#19424 )
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 0a7ab8589a132747814+mbelinky@users.noreply.github.com >
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com >
Reviewed-by: @mbelinky
* Docs: expand multi-agent routing
* docs(changelog): add missing 2026.2.16 entries and reorder by user impact
* chore(release): bump version to 2026.2.17
* fix(signal): canonicalize message targets in tool and inbound flows
* docs: tighten contribution guidance and vision links
* docs: tighten PR scope and review-size policy in vision
* fix(gateway): block cross-session fallback in node event delivery
* fix(gateway): make health monitor checks single-flight
* fix(ios): harden share relay routing and delivery guards
* fix(telegram): normalize topic-create targets and add regression tests
* feat(cron): add default stagger controls for scheduled jobs
* fix(cron): retry next-second schedule compute on undefined
* docs(security): harden gateway security guidance
* feat(models): support anthropic sonnet 4.6
* fix: wire agents.defaults.imageModel into media understanding auto-discovery
resolveAutoEntries only checked a hardcoded list of providers
(openai, anthropic, google, minimax) when looking for an image model.
agents.defaults.imageModel was never consulted by the media understanding
pipeline — it was only wired into the explicit `image` tool.
Add resolveImageModelFromAgentDefaults that reads the imageModel config
(primary + fallbacks) and inserts it into the auto-discovery chain before
the hardcoded provider list. runProviderEntry already falls back to
describeImageWithModel (via pi-ai) for providers not in the media
understanding registry, so no additional provider registration is needed.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com >
(cherry picked from commit b381029ede#19508 )
* fix(gateway): avoid premature agent.wait completion on transient errors
* fix(agent): preemptively guard tool results against context overflow
* fix: harden tool-result context guard and add message_id metadata
* fix: use importOriginal in session-key mock to include DEFAULT_ACCOUNT_ID
The run.skill-filter test was mocking ../../routing/session-key.js with only
buildAgentMainSessionKey and normalizeAgentId, but the module also exports
DEFAULT_ACCOUNT_ID which is required transitively by src/web/auth-store.ts.
Switch to importOriginal pattern so all real exports are preserved alongside
the mocked functions.
* pi-runner: guard accumulated tool-result overflow in transformContext
* PI runner: compact overflowing tool-result context
* Subagent: harden tool-result context recovery
* Enhance tool-result context handling by adding support for legacy tool outputs and improving character estimation for message truncation. This includes a new function to create legacy tool results and updates to existing functions to better manage context overflow scenarios.
* Enhance iMessage handling by adding reply tag support in send functions and tests. This includes modifications to prepend or rewrite reply tags based on provided replyToId, ensuring proper message formatting for replies.
* Enhance message delivery across multiple channels by implementing sticky reply context for chunked messages. This includes preserving reply references in Discord, Telegram, and iMessage, ensuring that follow-up messages maintain their intended reply targets. Additionally, improve handling of reply tags in system prompts and tests to support consistent reply behavior.
* Enhance read tool functionality by implementing auto-paging across chunks when no explicit limit is provided, scaling output budget based on model context window. Additionally, add tests for adaptive reading behavior and capped continuation guidance for large outputs. Update related functions to support these features.
* Refine tool-result context management by stripping oversized read-tool details payloads during compaction, ensuring repeated read calls do not bypass context limits. Introduce new utility functions for handling truncation content and enhance character estimation for tool results. Add tests to validate the removal of excessive details in context overflow scenarios.
* Refine message delivery logic in Matrix and Telegram by introducing a flag to track if a text chunk was sent. This ensures that replies are only marked as delivered when a text chunk has been successfully sent, improving the accuracy of reply handling in both channels.
* fix: tighten reply threading coverage and prep fixes (#19508 ) (thanks @tyler6204)
* fix(hooks): backport internal message hook bridge with safe delivery semantics
* fix(subagent): update SUBAGENT_SPAWN_ACCEPTED_NOTE for clarity on auto-announcement behavior
* fix: follow-up slack streaming routing/tests (#9972 ) (thanks @natedenh)
* fix: reduce default image dimension from 2000px to 1200px
Large images (2000px) consume excessive context tokens when sent to LLMs.
1200px provides sufficient detail for most use cases while significantly
reducing token usage.
The 5MB byte limit remains unchanged as JPEG compression at 1200px
naturally produces smaller files.
(cherry picked from commit 40182123dd#19345 )
* test(whatsapp): add resolveWhatsAppOutboundTarget test suite
* style: auto-format files
* fix(test): correct mock order for invalid allowList entry test
* feat(skills): Add 'Use when / Don't use when' routing blocks (#14521 )
* feat(skills): add 'Use when / Don't use when' blocks to skill descriptions
Based on OpenAI's Shell + Skills + Compaction best practices article.
Key changes:
- Added clear routing logic to skill descriptions
- Added negative examples to prevent misfires
- Added templates/examples to github skill
- Included Blake's specific setup notes for openhue
Skills updated:
- apple-reminders: Clarify vs Clawdbot cron
- github: Clarify vs local git operations
- imsg: Clarify vs other messaging channels
- openhue: Add device inventory, room layout
- tmux: Clarify vs exec tool
- weather: Add location defaults, format codes
Reference: https://developers.openai.com/blog/skills-shell-tips
* fix(skills): restore metadata and generic CLI examples
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com >
* feat(agents): add generic provider api key rotation (#19587 )
* feat(skills): improve descriptions with routing logic (#14577 )
* feat(skills): improve descriptions with routing logic
Apply OpenAI's recommended pattern for skill descriptions:
- Add 'Use when' conditions for clear triggering
- Add 'NOT for' negative examples to reduce misfires
- Make descriptions act as routing logic, not marketing copy
Based on: https://developers.openai.com/blog/skills-shell-tips/
Skills updated:
- coding-agent: clarify when to delegate vs direct edit
- github: add boundaries vs browser/scripting
- weather: add scope limitations
Glean reported 20% drop in skill triggering without negative
examples, recovering after adding them. This change brings
Clawdbot skills in line with that pattern.
* docs(skills): clarify routing boundaries (openclaw#14577) (thanks @DylanWoodAkers)
* docs(changelog): add PR 14577 release note (openclaw#14577) (thanks @DylanWoodAkers)
---------
Co-authored-by: ClawdBotWolf <clawdbotwolf@proton.me >
Co-authored-by: Peter Steinberger <steipete@gmail.com >
* Add frontend-design skill
* feat(telegram): add forum topic creation support (#10427 )
Add `topic-create` action to the Telegram message adapter, enabling
programmatic creation of forum topics in supergroups.
Changes:
- Add `createForumTopicTelegram()` to `src/telegram/send.ts`
- Add `createForumTopic` handler in `telegram-actions.ts`
- Wire `topic-create` action in Telegram adapter
- Register `topic-create` in message action names and spec
The bot requires `can_manage_topics` permission in the target group.
Supports optional `iconColor` and `iconCustomEmojiId` parameters.
Closes #10427
* chore: fix formatting in frontend-design SKILL.md
* fix: add action gate check and config type for createForumTopic
Address review feedback:
- Add isActionEnabled() gate in telegram-actions.ts
- Add gate() check in telegram adapter listActions
- Add createForumTopic to TelegramActionConfig type
* fix(telegram): normalize topic-create targets and add regression tests
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com >
Co-authored-by: Gustavo Madeira Santana <gumadeiras@gmail.com >
Co-authored-by: cpojer <christoph.pojer@gmail.com >
Co-authored-by: Sebastian <19554889+sebslight@users.noreply.github.com >
Co-authored-by: Josh Avant <830519+joshavant@users.noreply.github.com >
Co-authored-by: Shadow <hi@shadowing.dev >
Co-authored-by: Hongwei Ma <Marvae@users.noreply.github.com >
Co-authored-by: Marvae <11957602+Marvae@users.noreply.github.com >
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com >
Co-authored-by: Ayaan Zaidi <zaidi@uplause.io >
Co-authored-by: Ayaan Zaidi <hi@obviy.us >
Co-authored-by: Sascha Reuter <s.reuter@geek-it.de >
Co-authored-by: sreuter <550246+sreuter@users.noreply.github.com >
Co-authored-by: Nimrod Gutman <nimrod.g@singular.net >
Co-authored-by: Vignesh <mailvgnsh@gmail.com >
Co-authored-by: Benjamin Jesuiter <bjesuiter@gmail.com >
Co-authored-by: Sam Padilla <35386211+theSamPadilla@users.noreply.github.com >
Co-authored-by: Muhammed Mukhthar CM <mukhtharcm@gmail.com >
Co-authored-by: Mariano <132747814+mbelinky@users.noreply.github.com >
Co-authored-by: Shakker <shakkerdroid@gmail.com >
Co-authored-by: Mariano Belinky <mbelinky@gmail.com >
Co-authored-by: Shadow <shadow@openclaw.ai >
Co-authored-by: Sk Akram <skcodewizard786@gmail.com >
Co-authored-by: akramcodez <179671552+akramcodez@users.noreply.github.com >
Co-authored-by: Onur <onur@textcortex.com >
Co-authored-by: Tyler Yust <TYTYYUST@YAHOO.COM >
Co-authored-by: ngutman <1540134+ngutman@users.noreply.github.com >
Co-authored-by: Pablo Nunez <pnunfe@gmail.com >
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com >
Co-authored-by: Tyler Yust <64381258+tyler6204@users.noreply.github.com >
Co-authored-by: Han Xiao <han.xiao@jina.ai >
Co-authored-by: Verite Igiraneza <69280208+VeriteIgiraneza@users.noreply.github.com >
Co-authored-by: Blakeshannon <blake@blakeshannon.com >
Co-authored-by: Peter Steinberger <peter@steipete.me >
Co-authored-by: DylanWoodAkers <dylan@lec.com >
Co-authored-by: ClawdBotWolf <clawdbotwolf@proton.me >
Co-authored-by: Claw <claw@openclaw.ai >
2026-02-18 01:38:44 +01:00
Peter Steinberger
76949001ea
fix: compact skill paths in prompt ( #14776 ) (thanks @bitfish3)
2026-02-18 01:35:37 +01:00
mac26ai
4f2c57eb4e
feat(skills): compact skill paths with ~ to reduce prompt tokens
...
Replace absolute home directory prefix with ~ in skill <location> tags
injected into the system prompt. Models understand ~ expansion and the
read tool resolves it, so this is a safe, backward-compatible change.
Saves ~5-6 tokens per skill path. For a workspace with 90+ skills,
this reduces system prompt size by ~400-600 tokens.
Changes:
- Add compactSkillPaths() helper in workspace.ts
- Apply in buildWorkspaceSkillSnapshot and buildWorkspaceSkillsPrompt
- Add test for path compaction behavior
Before: /Users/alice/.bun/install/global/node_modules/openclaw/skills/github/SKILL.md
After: ~/.bun/install/global/node_modules/openclaw/skills/github/SKILL.md
2026-02-18 01:35:37 +01:00
DylanWoodAkers
cfd384ead2
feat(skills): improve descriptions with routing logic ( #14577 )
...
* feat(skills): improve descriptions with routing logic
Apply OpenAI's recommended pattern for skill descriptions:
- Add 'Use when' conditions for clear triggering
- Add 'NOT for' negative examples to reduce misfires
- Make descriptions act as routing logic, not marketing copy
Based on: https://developers.openai.com/blog/skills-shell-tips/
Skills updated:
- coding-agent: clarify when to delegate vs direct edit
- github: add boundaries vs browser/scripting
- weather: add scope limitations
Glean reported 20% drop in skill triggering without negative
examples, recovering after adding them. This change brings
Clawdbot skills in line with that pattern.
* docs(skills): clarify routing boundaries (openclaw#14577) (thanks @DylanWoodAkers)
* docs(changelog): add PR 14577 release note (openclaw#14577) (thanks @DylanWoodAkers)
---------
Co-authored-by: ClawdBotWolf <clawdbotwolf@proton.me >
Co-authored-by: Peter Steinberger <steipete@gmail.com >
2026-02-18 01:31:28 +01:00
Peter Steinberger
2e91552f09
feat(agents): add generic provider api key rotation ( #19587 )
2026-02-18 01:31:11 +01:00
Blakeshannon
9cce40d123
feat(skills): Add 'Use when / Don't use when' routing blocks ( #14521 )
...
* feat(skills): add 'Use when / Don't use when' blocks to skill descriptions
Based on OpenAI's Shell + Skills + Compaction best practices article.
Key changes:
- Added clear routing logic to skill descriptions
- Added negative examples to prevent misfires
- Added templates/examples to github skill
- Included Blake's specific setup notes for openhue
Skills updated:
- apple-reminders: Clarify vs Clawdbot cron
- github: Clarify vs local git operations
- imsg: Clarify vs other messaging channels
- openhue: Add device inventory, room layout
- tmux: Clarify vs exec tool
- weather: Add location defaults, format codes
Reference: https://developers.openai.com/blog/skills-shell-tips
* fix(skills): restore metadata and generic CLI examples
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com >
2026-02-18 01:28:20 +01:00
Verite Igiraneza
6b5199ba2a
Whatsapp/add resolve outbound target tests ( #19345 )
...
* test(whatsapp): add resolveWhatsAppOutboundTarget test suite
* style: auto-format files
* fix(test): correct mock order for invalid allowList entry test
2026-02-18 01:05:36 +01:00
Peter Steinberger
4c569ce246
docs(tokens): document image dimension token tradeoffs
2026-02-18 00:56:57 +01:00
Peter Steinberger
b05e89e5e6
fix(agents): make image sanitization dimension configurable
2026-02-18 00:54:20 +01:00
Han Xiao
5ee79f80eb
fix: reduce default image dimension from 2000px to 1200px
...
Large images (2000px) consume excessive context tokens when sent to LLMs.
1200px provides sufficient detail for most use cases while significantly
reducing token usage.
The 5MB byte limit remains unchanged as JPEG compression at 1200px
naturally produces smaller files.
(cherry picked from commit 40182123dd
2026-02-18 00:52:52 +01:00
Peter Steinberger
5b3ecadec3
Merge remote-tracking branch 'origin/main'
2026-02-18 00:51:04 +01:00
Peter Steinberger
1d23934c09
fix: follow-up slack streaming routing/tests ( #9972 ) (thanks @natedenh)
2026-02-18 00:50:22 +01:00
Peter Steinberger
bb9a539d1d
Merge remote-tracking branch 'prhead/feat/slack-text-streaming'
...
# Conflicts:
# docs/channels/slack.md
# src/config/types.slack.ts
# src/slack/monitor/message-handler/dispatch.ts
2026-02-18 00:49:30 +01:00
Tyler Yust
b2acfd606a
fix(subagent): update SUBAGENT_SPAWN_ACCEPTED_NOTE for clarity on auto-announcement behavior
2026-02-17 15:49:22 -08:00
Peter Steinberger
f07bb8e8fc
fix(hooks): backport internal message hook bridge with safe delivery semantics
2026-02-18 00:35:41 +01:00
Tyler Yust
087dca8fa9
fix(subagent): harden read-tool overflow guards and sticky reply threading ( #19508 )
...
* fix(gateway): avoid premature agent.wait completion on transient errors
* fix(agent): preemptively guard tool results against context overflow
* fix: harden tool-result context guard and add message_id metadata
* fix: use importOriginal in session-key mock to include DEFAULT_ACCOUNT_ID
The run.skill-filter test was mocking ../../routing/session-key.js with only
buildAgentMainSessionKey and normalizeAgentId, but the module also exports
DEFAULT_ACCOUNT_ID which is required transitively by src/web/auth-store.ts.
Switch to importOriginal pattern so all real exports are preserved alongside
the mocked functions.
* pi-runner: guard accumulated tool-result overflow in transformContext
* PI runner: compact overflowing tool-result context
* Subagent: harden tool-result context recovery
* Enhance tool-result context handling by adding support for legacy tool outputs and improving character estimation for message truncation. This includes a new function to create legacy tool results and updates to existing functions to better manage context overflow scenarios.
* Enhance iMessage handling by adding reply tag support in send functions and tests. This includes modifications to prepend or rewrite reply tags based on provided replyToId, ensuring proper message formatting for replies.
* Enhance message delivery across multiple channels by implementing sticky reply context for chunked messages. This includes preserving reply references in Discord, Telegram, and iMessage, ensuring that follow-up messages maintain their intended reply targets. Additionally, improve handling of reply tags in system prompts and tests to support consistent reply behavior.
* Enhance read tool functionality by implementing auto-paging across chunks when no explicit limit is provided, scaling output budget based on model context window. Additionally, add tests for adaptive reading behavior and capped continuation guidance for large outputs. Update related functions to support these features.
* Refine tool-result context management by stripping oversized read-tool details payloads during compaction, ensuring repeated read calls do not bypass context limits. Introduce new utility functions for handling truncation content and enhance character estimation for tool results. Add tests to validate the removal of excessive details in context overflow scenarios.
* Refine message delivery logic in Matrix and Telegram by introducing a flag to track if a text chunk was sent. This ensures that replies are only marked as delivered when a text chunk has been successfully sent, improving the accuracy of reply handling in both channels.
* fix: tighten reply threading coverage and prep fixes (#19508 ) (thanks @tyler6204)
2026-02-17 15:32:52 -08:00
Peter Steinberger
75e11fed5d
docs: update AGENTS instructions
2026-02-18 00:16:36 +01:00
Pablo Nunez
5acec7f79b
fix: wire agents.defaults.imageModel into media understanding auto-discovery
...
resolveAutoEntries only checked a hardcoded list of providers
(openai, anthropic, google, minimax) when looking for an image model.
agents.defaults.imageModel was never consulted by the media understanding
pipeline — it was only wired into the explicit `image` tool.
Add resolveImageModelFromAgentDefaults that reads the imageModel config
(primary + fallbacks) and inserts it into the auto-discovery chain before
the hardcoded provider list. runProviderEntry already falls back to
describeImageWithModel (via pi-ai) for providers not in the media
understanding registry, so no additional provider registration is needed.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com >
(cherry picked from commit b381029ede
2026-02-18 00:08:27 +01:00
Peter Steinberger
ae2c8f2cf0
feat(models): support anthropic sonnet 4.6
2026-02-18 00:00:31 +01:00
Peter Steinberger
a333d92013
docs(security): harden gateway security guidance
2026-02-17 23:48:49 +01:00
Peter Steinberger
dd4eb8bf63
fix(cron): retry next-second schedule compute on undefined
2026-02-17 23:48:14 +01:00
Peter Steinberger
c26cf6aa83
feat(cron): add default stagger controls for scheduled jobs
2026-02-17 23:48:14 +01:00
