cherry-pick: upstream bugfix commits (2026-02-08-2013)#117
875b018 removed onToolResult from dispatch-from-config.ts to prevent tool summaries leaking into group channels. However, this also broke verbose tool summaries in DM/private sessions where they are expected. This restores onToolResult but gates it behind ChatType !== 'group', so group channels remain unaffected while DM verbose works again. mirror=false is passed to sendPayloadAsync to avoid duplicating tool summaries in the session transcript (matching the block reply behavior). Fixes openclaw#2665 (cherry picked from commit f27a503)
Native slash commands (e.g. /verbose, /status) should not emit tool summaries. Gate onToolResult behind CommandSource !== 'native' in addition to the existing ChatType !== 'group' check. Add test for native command exclusion. (cherry picked from commit c13c39f)
(cherry picked from commit 4ac7aa4)
…ibility (openclaw#3750) NTFS does not allow < or > in filenames, causing the XML filename escaping test to fail on Windows CI with ENOENT. Replace file<test>.txt with file&test.txt — & is valid on all platforms and still requires XML escaping (&amp;), preserving the test's intent. Fixes openclaw#3748 (cherry picked from commit c200350)
(cherry picked from commit 718bc3f)
# Conflicts:
# CHANGELOG.md
# src/telegram/bot-native-commands.ts
# src/telegram/bot/delivery.ts
@vinaygit18) (cherry picked from commit 4583f88) # Conflicts: # CHANGELOG.md
(cherry picked from commit d47b4e6) # Conflicts: # src/commands/onboard-auth.config-core.ts # src/plugins/config-state.ts
(cherry picked from commit 0257661)
# Conflicts:
# docs/providers/xiaomi.md
# package.json
# src/cli/banner.ts
# src/commands/doctor-gateway-services.ts
# src/commands/doctor.ts
# src/commands/onboard-helpers.ts
# src/daemon/inspect.ts
(cherry picked from commit a155e2f) # Conflicts: # src/commands/doctor-config-flow.ts
(cherry picked from commit 9886fd1)
# Conflicts:
# package.json
# src/commands/onboard-helpers.ts
# src/config/paths.ts
(cherry picked from commit b9afa3d) # Conflicts: # package.json # src/infra/state-migrations.ts
(cherry picked from commit 151ddd6) # Conflicts: # package.json
…obhparker) (cherry picked from commit 9025da2) # Conflicts: # src/telegram/bot-native-commands.ts
(cherry picked from commit bc432d8) # Conflicts: # README.md
(cherry picked from commit da71eae)
# Conflicts:
# CHANGELOG.md
# src/markdown/render.ts
# src/telegram/format.test.ts
…penclaw#4593) OAuth credentials with a refresh token auto-renew on first API call, so the doctor should not warn about access token expiration when a refresh token is present. This avoids unnecessary "expired" warnings that prompt users to re-auth when no action is needed. Fixes openclaw#3032 Co-authored-by: Ayush Ojha <[email protected]> (cherry picked from commit 37e295f)
Co-authored-by: jlowin <[email protected]>
(cherry picked from commit f24e3cd)
# Conflicts:
# src/cli/models-cli.ts
# src/commands/models/list.status-command.ts
# src/commands/models/list.status.test.ts
(cherry picked from commit daf27dd) # Conflicts: # CHANGELOG.md
Co-authored-by: Hisleren <[email protected]> (cherry picked from commit e5a95b5) # Conflicts: # src/commands/configure.gateway.ts # src/wizard/onboarding.gateway-config.ts
…Hisleren) Co-authored-by: Hisleren <[email protected]> (cherry picked from commit 39eb0b7) # Conflicts: # CHANGELOG.md
…hanks @YuriNachos) Co-authored-by: YuriNachos <[email protected]> (cherry picked from commit 34bdbdb) # Conflicts: # CHANGELOG.md # src/infra/control-ui-assets.ts
…unce routing (openclaw#4957)
* fix: prefer requesterOrigin over stale session entry in subagent announce routing
When a subagent finishes and announces results back, resolveAnnounceOrigin merged the session entry (primary) with requesterOrigin (fallback). If the session store had a stale lastChannel (e.g. whatsapp) from a previous interaction but the user was now on a different channel (e.g. bluebubbles), the announce would route to the wrong channel. Swap the merge order so requesterOrigin (captured at spawn time, reflecting the actual current channel) takes priority, with the session entry as fallback for any missing fields.
Error before fix: Delivery failed (whatsapp to bluebubbles:chat_guid:...): Unknown channel: whatsapp
Adds regression test for the stale-channel scenario.
* fix: match test to exact failure scenario and improve reliability (openclaw#4957) (thanks @tyler6204)
- Remove lastTo from stale session store to match the exact mismatch scenario described in the PR
- Replace 5ms setTimeout sleeps with expect.poll for better test reliability
- Prevents flakiness on slower CI machines
(cherry picked from commit 57248a7)
…jasonsschin) (cherry picked from commit e849df6) # Conflicts: # CHANGELOG.md # src/telegram/token.ts
(cherry picked from commit 310eed8)
# Conflicts:
# src/config/sessions/store.ts
# src/utils/delivery-context.test.ts
# src/utils/delivery-context.ts
(cherry picked from commit 48aaf6c)
(cherry picked from commit 3c8fa0f) # Conflicts: # src/cli/completion-cli.ts
(cherry picked from commit e9f0be0) # Conflicts: # src/agents/pi-embedded-runner/compact.ts # src/agents/pi-model-discovery.ts
* Fix: Enable scrolling in dashboard
* Fix: Enable scrolling in dashboard
* Fix: Enable scrolling in dashboard
(cherry picked from commit cefd87f)
(cherry picked from commit de7b2ba) # Conflicts: # docs/tools/thinking.md
Adds cleanup handlers to release held file locks when the process terminates via SIGTERM, SIGINT, or normal exit. This prevents orphaned lock files that would block future sessions. Fixes openclaw#1951 (cherry picked from commit ec0728b)
The dist/control-ui/ files were committed before the dist/ gitignore rule was effective. These build artifacts get regenerated during builds, causing dirty repo errors that block the auto-update mechanism. Removes the files from git tracking while keeping them locally and respecting the existing dist/ gitignore entry. Fixes openclaw#1838 Co-authored-by: Claude <[email protected]> (cherry picked from commit 3ad7958)
…2022) HOTFIX: Tool summaries were not being sent to chat channels when verbose mode was enabled. The onToolResult callback was defined in the types but never wired up in dispatch-from-config.ts. This adds the missing callback alongside onBlockReply, using the same dispatcher.sendBlockReply() path to deliver tool summaries to WhatsApp, Telegram, and other chat channels. Fixes verbose tool summaries not appearing in WhatsApp despite /verbose on. (cherry picked from commit 05b28c1)
(cherry picked from commit 47538bc) # Conflicts: # src/gateway/server-http.ts
(cherry picked from commit 8abce8a)
(cherry picked from commit f16e32b)
* fix: Gateway authentication token exposed in URL query parameters
* fix: silence unused hook token url param
* fix: remove gateway auth tokens from URLs (openclaw#9436) (thanks @coygeek)
* test: fix Windows path separators in audit test (openclaw#9436)
---------
Co-authored-by: George Pickett <[email protected]>
(cherry picked from commit 717129f)
# Conflicts:
# docs/gateway/configuration.md
# docs/help/faq.md
# docs/platforms/exe-dev.md
# docs/start/clawd.md
# docs/web/dashboard.md
# src/commands/dashboard.ts
# src/gateway/hooks.ts
# src/gateway/server-http.ts
# src/wizard/onboarding.finalize.ts
# ui/src/ui/app-settings.ts
# ui/src/ui/views/overview.ts
(cherry picked from commit 7224585) # Conflicts: # CHANGELOG.md # src/infra/control-ui-assets.ts
(cherry picked from commit b40da2c)
…resolution (cherry picked from commit 4a59b77) # Conflicts: # src/cli/update-cli.ts # src/version.ts
* fix: guard resolveUserPath against undefined input
When subagent spawner omits workspaceDir, resolveUserPath receives undefined and crashes on .trim(). Add a falsy guard that falls back to process.cwd(), matching the behavior callers already expect.
Closes openclaw#10089
Co-Authored-By: Claude Opus 4.6 <[email protected]>
* fix: harden runner workspace fallback (openclaw#10176) (thanks @Yida-Dev)
* fix: harden workspace fallback scoping (openclaw#10176) (thanks @Yida-Dev)
* refactor: centralize workspace fallback classification and redaction (openclaw#10176) (thanks @Yida-Dev)
* test: remove explicit any from utils mock (openclaw#10176) (thanks @Yida-Dev)
* security: reject malformed agent session keys for workspace resolution (openclaw#10176) (thanks @Yida-Dev)
---------
Co-authored-by: Yida-Dev <[email protected]>
Co-authored-by: Claude Opus 4.6 <[email protected]>
Co-authored-by: Gustavo Madeira Santana <[email protected]>
(cherry picked from commit 4216449)
# Conflicts:
# CHANGELOG.md
# src/agents/cli-runner.test.ts
# src/agents/cli-runner.ts
# src/agents/pi-embedded-runner/run.ts
# src/agents/pi-embedded-runner/run/attempt.ts
# src/auto-reply/reply/agent-runner-execution.ts
# src/commands/status-all/channels.ts
# src/utils.test.ts
…n session-memory (openclaw#10730)
* fix: replace debug console.log with proper subsystem logging in session-memory
* fix(hooks): normalize session-memory subsystem logging
---------
Co-authored-by: Tak Hoffman <[email protected]>
(cherry picked from commit 2c8af78)
…openclaw#10776)
* refactor: update cron job wake mode and run mode handling
- Changed default wake mode from 'next-heartbeat' to 'now' in CronJobEditor and related CLI commands.
- Updated cron-tool tests to reflect changes in run mode, introducing 'due' and 'force' options.
- Enhanced cron-tool logic to handle new run modes and ensure compatibility with existing job structures.
- Added new tests for delivery plan consistency and job execution behavior under various conditions.
- Improved normalization functions to handle wake mode and session target casing.
This refactor aims to streamline cron job configurations and enhance the overall user experience with clearer defaults and improved functionality.
* test: enhance cron job functionality and UI
- Added tests to ensure the isolated agent correctly announces the final payload text when delivering messages via Telegram.
- Implemented a new function to pick the last deliverable payload from a list of delivery payloads.
- Enhanced the cron service to maintain legacy "every" jobs while minute cron jobs recompute schedules.
- Updated the cron store migration tests to verify the addition of anchorMs to legacy every schedules.
- Improved the UI for displaying cron job details, including job state and delivery information, with new styles and layout adjustments.
These changes aim to improve the reliability and user experience of the cron job system.
* test: enhance sessions thinking level handling
- Added tests to verify that the correct thinking levels are applied during session spawning.
- Updated the sessions-spawn-tool to include a new parameter for overriding thinking levels.
- Enhanced the UI to support additional thinking levels, including "xhigh" and "full", and improved the handling of current options in dropdowns.
These changes aim to improve the flexibility and accuracy of thinking level configurations in session management.
* feat: enhance session management and cron job functionality
- Introduced passthrough arguments in the test-parallel script to allow for flexible command-line options.
- Updated session handling to hide cron run alias session keys from the sessions list, improving clarity.
- Enhanced the cron service to accurately record job start times and durations, ensuring better tracking of job execution.
- Added tests to verify the correct behavior of the cron service under various conditions, including zero-delay timers.
These changes aim to improve the usability and reliability of session and cron job management.
* feat: implement job running state checks in cron service
- Added functionality to prevent manual job runs if a job is already in progress, enhancing job management.
- Updated the `isJobDue` function to include checks for running jobs, ensuring accurate scheduling.
- Enhanced the `run` function to return a specific reason when a job is already running.
- Introduced a new test case to verify the behavior of forced manual runs during active job execution.
These changes aim to improve the reliability and clarity of cron job execution and management.
* feat: add session ID and key to CronRunLogEntry model
- Introduced `sessionid` and `sessionkey` properties to the `CronRunLogEntry` struct for enhanced tracking of session-related information.
- Updated the initializer and Codable conformance to accommodate the new properties, ensuring proper serialization and deserialization.
These changes aim to improve the granularity of logging and session management within the cron job system.
* fix: improve session display name resolution
- Updated the `resolveSessionDisplayName` function to ensure that both label and displayName are trimmed and default to an empty string if not present.
- Enhanced the logic to prevent returning the key if it matches the label or displayName, improving clarity in session naming.
These changes aim to enhance the accuracy and usability of session display names in the UI.
* perf: skip cron store persist when idle timer tick produces no changes
recomputeNextRuns now returns a boolean indicating whether any job state was mutated. The idle path in onTimer only persists when the return value is true, eliminating unnecessary file writes every 60s for far-future or idle schedules.
* fix: prep for merge - explicit delivery mode migration, docs + changelog (openclaw#10776) (thanks @tyler6204)
(cherry picked from commit d90cac9)
# Conflicts:
# CHANGELOG.md
# docs/automation/cron-jobs.md
# scripts/test-parallel.mjs
# src/agents/openclaw-tools.subagents.sessions-spawn-applies-thinking-default.test.ts
# src/cli/cron-cli/register.cron-add.ts
# src/cron/delivery.ts
# src/cron/isolated-agent.skips-delivery-without-whatsapp-recipient-besteffortdeliver-true.test.ts
# src/cron/isolated-agent/run.ts
# src/cron/normalize.ts
# src/cron/run-log.ts
# src/cron/service.every-jobs-fire.test.ts
# src/cron/service.skips-main-jobs-empty-systemevent-text.test.ts
# src/cron/service.store.migration.test.ts
# src/cron/service/jobs.ts
# src/cron/service/store.ts
# src/cron/service/timer.ts
# src/cron/store.ts
# src/gateway/protocol/schema/cron.ts
# src/gateway/session-utils.ts
# ui/src/ui/app-defaults.ts
# ui/src/ui/app-render.helpers.ts
# ui/src/ui/app-render.ts
# ui/src/ui/format.test.ts
# ui/src/ui/format.ts
# ui/src/ui/views/cron.ts
# ui/src/ui/views/sessions.ts
* feat(bluebubbles): auto-strip markdown from outbound messages (openclaw#7402)
* fix(security): add timeout to webhook body reading (openclaw#6762)
Adds 30-second timeout to readBody() in voice-call, bluebubbles, and nostr webhook handlers. Prevents Slow-Loris DoS (CWE-400, CVSS 7.5). Merged with existing maxBytes protection in voice-call.
* fix(security): unify Error objects and lint fixes in webhook timeouts (openclaw#6762)
* fix: prevent plugins from auto-enabling without user consent (openclaw#3961)
Changes default plugin enabled state from true to false in enablePluginEntry(). Preserves existing enabled:true values. Fixes openclaw#3932.
* fix: apply hierarchical mediaMaxMb config to all channels (openclaw#8749)
Generalizes resolveAttachmentMaxBytes() to use account → channel → global config resolution for all channels, not just BlueBubbles. Fixes openclaw#7847.
* fix(bluebubbles): sanitize attachment filenames against header injection (openclaw#10333)
Strip ", \r, \n, and \\ from filenames after path.basename() to prevent multipart Content-Disposition header injection (CWE-93, CVSS 5.4). Also adds sanitization to setGroupIconBlueBubbles which had zero filename sanitization.
* fix(lint): exclude extensions/ from Oxlint preflight check (openclaw#9313)
Extensions use PluginRuntime|null patterns that trigger no-redundant-type-constituents because PluginRuntime resolves to any. Excluding extensions/ from Oxlint unblocks user upgrades. Re-applies the approach from closed PR openclaw#10087.
* fix(bluebubbles): add tempGuid to createNewChatWithMessage payload (openclaw#7745)
Non-Private-API mode (AppleScript) requires tempGuid in send payloads. The main sendMessageBlueBubbles already had it, but createNewChatWithMessage was missing it, causing 400 errors for new chat creation without Private API.
* fix: send stop-typing signal when run ends with NO_REPLY (openclaw#8785)
Adds onCleanup callback to the typing controller that fires when the controller is cleaned up while typing was active (e.g., after NO_REPLY). Channels using createTypingCallbacks automatically get stop-typing on cleanup. This prevents the typing indicator from lingering in group chats when the agent decides not to reply.
* fix(telegram): deduplicate skill commands in multi-agent setup (openclaw#5717)
Two fixes:
1. Skip duplicate workspace dirs when listing skill commands across agents. Multiple agents sharing the same workspace would produce duplicate commands with _2, _3 suffixes.
2. Clear stale commands via deleteMyCommands before registering new ones. Commands from deleted skills now get cleaned up on restart.
* fix: add size limits to unbounded in-memory caches (openclaw#4948)
Adds max-size caps with oldest-entry eviction to prevent OOM in long-running deployments:
- BlueBubbles serverInfoCache: 64 entries (already has TTL)
- Google Chat authCache: 32 entries
- Matrix directRoomCache: 1024 entries
- Discord presenceCache: 5000 entries per account
* fix: address review concerns (openclaw#11093)
- Chain deleteMyCommands → setMyCommands to prevent race condition (openclaw#5717)
- Rename enablePluginEntry to registerPluginEntry (now sets enabled: false)
- Add Slow-Loris timeout test for readJsonBody (openclaw#6023)
(cherry picked from commit 1007d71)
# Conflicts:
# extensions/bluebubbles/src/chat.ts
# extensions/bluebubbles/src/send.ts
# extensions/voice-call/src/webhook.ts
# src/auto-reply/skill-commands.ts
# src/config/plugin-auto-enable.ts
* fix: add .caf to AUDIO_FILE_EXTENSIONS for iMessage voice messages * fix: add caf audio extension regression coverage (openclaw#10982) (thanks @succ985) --------- Co-authored-by: succ985 <[email protected]> Co-authored-by: Gustavo Madeira Santana <[email protected]> (cherry picked from commit b8f740f) # Conflicts: # CHANGELOG.md # src/media/mime.test.ts
…penclaw#11579)
* fix: gracefully handle oversized tool results causing context overflow
When a subagent reads a very large file or gets a huge tool result (e.g., gh pr diff on a massive PR), it can exceed the model's context window in a single prompt. Auto-compaction can't help because there's no older history to compact — just one giant tool result.
This adds two layers of defense:
1. Pre-emptive: Hard cap on tool result size (400K chars ≈ 100K tokens) applied in the session tool result guard before persistence. This prevents extremely large tool results from being stored in full, regardless of model context window size.
2. Recovery: When context overflow is detected and compaction fails, scan session messages for oversized tool results relative to the model's actual context window (30% max share). If found, truncate them in the session via branching (creating a new branch with truncated content) and retry the prompt.
The truncation preserves the beginning of the content (most useful for understanding what was read) and appends a notice explaining the truncation and suggesting offset/limit parameters for targeted reads.
Includes comprehensive tests for:
- Text truncation with newline-boundary awareness
- Context-window-proportional size calculation
- In-memory message truncation
- Oversized detection heuristics
- Guard-level size capping during persistence
* fix: prep fixes for tool result truncation PR (openclaw#11579) (thanks @tyler6204)
(cherry picked from commit 0deb8b0)
# Conflicts:
# src/agents/pi-embedded-runner/run.ts
# src/agents/session-tool-result-guard.test.ts
# src/agents/session-tool-result-guard.ts
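The two-layer defence this commit message describes, as an added example written for this page rather than the project's code. It assumes 4 characters per token (from the message's "400K chars ≈ 100K tokens"), applies the 30% share to the context window converted to characters, and uses its own message shape and notice wording.

```typescript
// Added example (not openclaw's code). Assumptions: 4 chars per token, derived from
// "400K chars ≈ 100K tokens"; the 30% share is applied to the window in characters;
// the message shape and the notice text are this example's own.

const HARD_CAP_CHARS = 400_000;  // layer 1: guard-level cap, applied before persistence
const CHARS_PER_TOKEN = 4;       // assumption: 400K chars ≈ 100K tokens
const MAX_CONTEXT_SHARE = 0.3;   // layer 2: one tool result may take at most 30% of the window
const NOTICE_RESERVE = 200;      // room kept for the notice so the result still fits its limit

interface SessionMessage {
  role: "user" | "assistant" | "toolResult";
  content: string;
}

/** Largest tool result, in characters, for a model whose context window is `contextWindowTokens`. */
function maxToolResultChars(contextWindowTokens: number): number {
  return Math.floor(contextWindowTokens * CHARS_PER_TOKEN * MAX_CONTEXT_SHARE);
}

/** Detection heuristic used by the recovery layer. */
function isOversizedToolResult(text: string, contextWindowTokens: number): boolean {
  return text.length > maxToolResultChars(contextWindowTokens);
}

/**
 * Keep the beginning of `text` and cut at the last newline that fits, so no line is
 * split; fall back to a hard cut when the kept region has no usable newline.
 * Appends a notice pointing the agent at offset/limit reads. Text that already
 * fits is returned unchanged.
 */
function truncateToolResult(text: string, maxChars: number): string {
  if (text.length <= maxChars) return text;
  const budget = Math.max(0, maxChars - NOTICE_RESERVE);
  let cut = text.lastIndexOf("\n", budget);
  if (cut < Math.floor(budget / 2)) cut = budget; // no newline, or one so early it would keep almost nothing
  const kept = text.slice(0, cut);
  const notice =
    `\n\n[tool result truncated: kept ${kept.length} of ${text.length} chars; ` +
    `use offset/limit parameters for a targeted read]`;
  return kept + notice;
}

/** Layer 1: model-independent cap applied by the tool result guard before a result is stored. */
function guardToolResult(text: string): string {
  return truncateToolResult(text, HARD_CAP_CHARS);
}

/**
 * Layer 2: after a context overflow that compaction could not fix, shrink every tool
 * result that exceeds the model's share limit. Returns a new message list (the original
 * is left untouched, mirroring "truncate via branching") plus the number of changes,
 * so the caller knows whether retrying the prompt is worthwhile.
 */
function truncateOversizedToolResults(
  messages: SessionMessage[],
  contextWindowTokens: number,
): { messages: SessionMessage[]; changed: number } {
  const limit = maxToolResultChars(contextWindowTokens);
  let changed = 0;
  const out = messages.map((m) => {
    if (m.role !== "toolResult" || m.content.length <= limit) return m;
    changed += 1;
    return { ...m, content: truncateToolResult(m.content, limit) };
  });
  return { messages: out, changed };
}
```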
(cherry picked from commit 95263f4) # Conflicts: # src/memory/search-manager.test.ts
…canvas (openclaw#4824)
* fix: use STATE_DIR instead of hardcoded ~/.openclaw for identity and canvas
device-identity.ts and canvas-host/server.ts used hardcoded path.join(os.homedir(), '.openclaw', ...) ignoring OPENCLAW_STATE_DIR env var and the resolveStateDir() logic from config/paths.ts. This caused ~/.openclaw/identity and ~/.openclaw/canvas directories to be created even when state dir was overridden or resided elsewhere.
* fix: format and remove duplicate imports
* fix: scope state-dir patch + add regression tests (openclaw#4824) (thanks @kossoy)
* fix: align state-dir fallbacks in hooks and agent paths (openclaw#4824) (thanks @kossoy)
---------
Co-authored-by: Gustavo Madeira Santana <[email protected]>
(cherry picked from commit ebe5730)
# Conflicts:
# CHANGELOG.md
# src/agents/agent-scope.ts
# src/agents/sandbox/constants.ts
# src/canvas-host/server.ts
# src/cli/update-cli.ts
# src/commands/agents.test.ts
# src/hooks/bundled/command-logger/handler.ts
# src/hooks/bundled/session-memory/handler.ts
# src/infra/device-identity.ts
…penclaw#11664) (thanks @tyler6204)
* initial commit
* feat: implement deriveSessionTotalTokens function and update usage tests
* Added deriveSessionTotalTokens function to calculate total tokens based on usage and context tokens.
* Updated usage tests to include cases for derived session total tokens.
* Refactored session usage calculations in multiple files to utilize the new function for improved accuracy.
* fix: restore overflow truncation fallback + changelog/test hardening (openclaw#11551) (thanks @tyler6204)
(cherry picked from commit 191da1f)
# Conflicts:
# CHANGELOG.md
# scripts/test-parallel.mjs
# src/agents/clawdbot-tools.subagents.sessions-spawn-normalizes-allowlisted-agent-ids.test.ts
# src/agents/pi-embedded-runner/run.overflow-compaction.test.ts
# src/agents/pi-embedded-runner/run.ts
# src/agents/pi-embedded-runner/run/types.ts
# src/agents/pi-embedded-subscribe.handlers.messages.ts
# src/agents/subagent-announce.format.test.ts
# src/agents/subagent-announce.ts
# src/agents/subagent-registry.ts
# src/agents/timeout.ts
# src/agents/usage.test.ts
# src/commands/agent/session-store.ts
# ui/src/styles/components.css
# ui/src/ui/views/chat.ts
| const desc = c | ||
| .description() | ||
| .replace(/'/g, "'\\''") | ||
| .replace(/\[/g, "\\[") | ||
| .replace(/\]/g, "\\]"); |
Check failure
Code scanning / CodeQL
Incomplete string escaping or encoding (High)
Copilot Autofix (AI, 2 months ago)
In general, to fix incomplete escaping when using String.replace, you must ensure that all relevant metacharacters for the target context are handled, including backslashes, and that replacements are global (using regexes with the g flag). In many cases, using a dedicated escaping/sanitization helper is better than duplicating similar logic in multiple places.
In this file, the specific issue is in generateZshSubcmdList, where the description is escaped like this:
const desc = c
.description()
.replace(/'/g, "'\\''")
.replace(/\[/g, "\\[")
.replace(/\]/g, "\\]");
Backslashes in the original description are not escaped, so an input containing \ can interact badly with the subsequent escaping for ', [, and ] or with the zsh _arguments syntax. The minimal, behavior-preserving fix is to first escape backslashes themselves, then apply the existing replacements. That way, any literal backslash in the description becomes \\ in the completion script, preventing it from unintentionally escaping characters that follow.
We only need to modify the generateZshSubcmdList function in src/cli/completion-cli.ts. Specifically, in the .map((c) => { ... }) block, we should insert a .replace(/\\/g, "\\\\") before the other replacements on c.description(). No new imports or helper functions are required; the built-in String.replace with a regex literal is sufficient.
| @@ -152,6 +152,7 @@ | ||
| .map((c) => { | ||
| const desc = c | ||
| .description() | ||
| .replace(/\\/g, "\\\\") | ||
| .replace(/'/g, "'\\''") | ||
| .replace(/\[/g, "\\[") | ||
| .replace(/\]/g, "\\]"); |
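Review bot: the inserted `.replace(/\\/g, "\\\\")` is correct only while it stays the first call in the chain, because the three replacements after it (`'\\''`, `\\[`, `\\]`) insert backslashes that a later backslash pass would double; a one-line comment at that spot stating the order dependency, plus a regression test whose description contains a backslash directly before `'` or `[`, would keep a future reordering from silently reintroducing this finding.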
| const desc = c | ||
| .description() | ||
| .replace(/'/g, "'\\''") | ||
| .replace(/\[/g, "\\[") |
Check failure
Code scanning / CodeQL
Incomplete string escaping or encoding (High)
Copilot Autofix (AI, 2 months ago)
In general, the fix is to ensure that all characters with special meaning in the target context (here, zsh completion descriptions inside single quotes and bracket expressions) are escaped consistently. Since we are already doing string .replace operations to escape some characters, we should extend that sequence to also escape backslashes (\), and do so before any replacements that introduce new backslashes. Alternatively, a dedicated shell-escaping utility could be used, but here a targeted additional replacement is sufficient.
Concretely, in src/cli/completion-cli.ts, in generateZshSubcmdList, we build desc from c.description() and then chain .replace(/'/g, "'\\''"), .replace(/\[/g, "\\["), .replace(/\]/g, "\\]"). We should add an initial .replace(/\\/g, "\\\\") so that every backslash in the original description becomes \\ in the output. This must be the first replacement in the chain, because the later replacements insert backslashes; escaping those again would change their meaning. No other parts of the file need changes, and no new imports are required.
| @@ -152,6 +152,7 @@ | ||
| .map((c) => { | ||
| const desc = c | ||
| .description() | ||
| .replace(/\\/g, "\\\\") | ||
| .replace(/'/g, "'\\''") | ||
| .replace(/\[/g, "\\[") | ||
| .replace(/\]/g, "\\]"); |
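The order dependency both CodeQL autofix comments above describe, as an added example that is not the project's code: the chain CodeQL flagged, the autofix chain, and the same four replacements with the backslash step placed last, each checked against a decoder that models how the generated script is read back. The decoder is this example's assumption: the shell's '\'' idiom is undone first, then a backslash makes the following character literal, as the autofix text says of the zsh description.

```typescript
// Added example, not openclaw's code: three escaping chains for a zsh completion
// description compared. `escapeUnfixed` is the chain CodeQL flagged, `escapeAutofix`
// is the suggested fix, `escapeWrongOrder` shows why the backslash step must come first.

function escapeUnfixed(desc: string): string {
  return desc
    .replace(/'/g, "'\\''")
    .replace(/\[/g, "\\[")
    .replace(/\]/g, "\\]");
}

function escapeAutofix(desc: string): string {
  return desc
    .replace(/\\/g, "\\\\") // must run first: the steps below insert backslashes
    .replace(/'/g, "'\\''")
    .replace(/\[/g, "\\[")
    .replace(/\]/g, "\\]");
}

function escapeWrongOrder(desc: string): string {
  return desc
    .replace(/'/g, "'\\''")
    .replace(/\[/g, "\\[")
    .replace(/\]/g, "\\]")
    .replace(/\\/g, "\\\\"); // too late: doubles the backslashes just inserted
}

/**
 * Model (an assumption of this example) of how the generated script is read back:
 * 1. the shell collapses the single-quote idiom '\'' to a literal quote;
 * 2. inside the description, a backslash makes the next character literal.
 * A correct escaper must round-trip through this decoder.
 */
function decodeDescription(escaped: string): string {
  const unquoted = escaped.split("'\\''").join("'");
  let out = "";
  for (let i = 0; i < unquoted.length; i++) {
    const ch = unquoted[i];
    if (ch === "\\" && i + 1 < unquoted.length) {
      out += unquoted[++i]; // escaped character taken literally
    } else {
      out += ch;
    }
  }
  return out;
}

/** True when escaping and then decoding returns the original description unchanged. */
function roundTrips(escape: (s: string) => string, desc: string): boolean {
  return decodeDescription(escape(desc)) === desc;
}
```

For a description such as C:\temp [x] 'q', only escapeAutofix round-trips: the flagged chain loses the backslash (decoding to C:temp [x] 'q'), and the wrong-order chain leaves the brackets escaped.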
Patchbot
CI Checks (0/0 passed)
Updated 2026-03-01T02:37:09.568Z · Run #22534269444
* Revert "cherry-pick: upstream refactor/feature commits (2026-02-08-2013) (#119)"
This reverts commit ca1d391.
* Revert "cherry-pick: upstream bugfix commits (2026-02-08-2013) (#117)"
This reverts commit b5bcbd8.
* Revert "cherry-pick: upstream deps/security commits (2026-02-08-2013) (#115)"
This reverts commit 89c4883.
* Revert "cherry-pick: upstream ci commits (2026-02-08-2013) (#116)"
This reverts commit 595f964.
* Revert "cherry-pick: upstream docs commits (2026-02-08-2013) (#118)"
This reverts commit da859ed.
Summary
Automated cherry-pick of upstream bugfix commits from upstream/main. This branch was created from origin/main, so cherry-picks apply cleanly on their own upstream lineage. Any merge conflicts in this PR are due to fork divergence in daisy/dev and should be resolved during merge (not in the cherry-picks themselves).
Commits
f27a5030 fix: restore verbose tool summaries in DM sessions (risk: 1/5)
c13c39f1 fix: exclude native slash commands from onToolResult (risk: 1/5)
4ac7aa4a fix: handle telegram video notes (fix(telegram): add video_note support openclaw/openclaw#2905) (thanks @mylukin) (risk: 1/5)
fcc53bcf fix: include AccountId in telegram native command context (fix(telegram): include AccountId in native command context for multi-agent routing openclaw/openclaw#2942) (thanks @Chloe-VP) (risk: 1/5)
c2003509 fix: use & instead of <> in XML escaping test for Windows NTFS compatibility (fix: Windows CI — use & instead of <> in XML escaping filename test openclaw/openclaw#3750) (risk: 1/5)
718bc3f9 fix: avoid silent telegram empty replies (fix(telegram): empty-response fallback openclaw/openclaw#3796) (fix(telegram): empty-response fallback openclaw/openclaw#3796) (risk: 1/5)
4583f886 fix: preserve reasoning tags inside code blocks (fix(telegram): preserve reasoning tags inside code blocks (#3952) openclaw/openclaw#4118) (thanks @vinaygit18) (risk: 1/5)
d47b4e6f fix: update config types (risk: 2/5)
02576615 fix: migrate legacy gateway services (risk: 2/5)
a155e2f8 fix: migrate legacy config (risk: 1/5)
9886fd1a fix: migrate legacy state dirs (risk: 1/5)
b9afa3d3 fix: migrate symlinked legacy state dirs (risk: 1/5)
151ddd62 fix: detect legacy gateway launchd labels (risk: 1/5)
9025da22 fix: scope telegram skill commands per bot (fix(telegram): scope skill commands to bound agent per bot openclaw/openclaw#4360) (thanks @robhparker) (risk: 1/5)
3a85cb18 fix: honor Telegram proxy dispatcher (fix(telegram): use undici fetch for proxy to fix dispatcher option openclaw/openclaw#4456) (thanks @spiceoogway) (risk: 1/5)
bc432d84 fix: accept numeric Telegram react ids (fix(telegram): react action accepts numeric messageId and chatId openclaw/openclaw#4533) (thanks @Ayush10) (risk: 1/5)
fa9ec6e8 fix: add docker ui install changelog entry (perf: skip redundant ui install in Dockerfile openclaw/openclaw#4584) (thanks @obviyus) (risk: 1/5)
da71eaeb fix: correct telegram html nesting (fix(telegram): properly nest overlapping HTML tags (#4071) openclaw/openclaw#4578) (thanks @ThanhNguyxn) (risk: 1/5)
37e295fc fix: don't warn about expired OAuth tokens with valid refresh tokens (fix: don't warn about expired OAuth tokens with valid refresh tokens openclaw/openclaw#4593) (risk: 2/5)
09be5d45 Merge pull request fix(line): resolve TypeError in status command when LINE is enabled openclaw/openclaw#4651 from yuting0624/fix/status-command-line-crash (risk: 1/5)
f24e3cda fix: local updates for PR CLI: add --agent flag to models status openclaw/openclaw#4780 (risk: 2/5)
daf27dd3 fix: add per-agent models status (CLI: add --agent flag to models status openclaw/openclaw#4780) (thanks @jlowin) (risk: 1/5)
e5a95b5b fix: local updates for PR fix(security): prevent gateway token from defaulting to 'undefined' string openclaw/openclaw#4873 (risk: 1/5)
39eb0b7b fix: prevent undefined gateway token defaults (fix(security): prevent gateway token from defaulting to 'undefined' string openclaw/openclaw#4873) (thanks @Hisleren) (risk: 1/5)
34bdbdb4 fix: resolve Control UI assets for global installs (fix(infra): resolve control-ui assets on npm global install openclaw/openclaw#4909) (thanks @YuriNachos) (risk: 1/5)
57248a7c fix: prefer requesterOrigin over stale session entry in subagent announce routing (fix: prefer requesterOrigin over stale session entry in subagent announce routing openclaw/openclaw#4957) (risk: 1/5)
e849df64 fix: normalize telegram account token lookup (Fix Telegram per-account token resolution when account keys aren't normalized openclaw/openclaw#5055) (thanks @jasonsschin) (risk: 1/5)
310eed82 fix: preserve delivery thread fallback (fix: Telegram threadId delivery context fallback openclaw/openclaw#4911) (thanks @yevhen) (risk: 1/5)
48aaf6ce fix: suppress banner and doctor checks for completion command (risk: 1/5)
3c8fa0f9 fix: remove unused variables and fix template literal type (risk: 1/5)
e9f0be06 fix: repair docker build typing (risk: 1/5)
d2a852b9 fix: align embedded session setup with sdk (risk: 1/5)
51e72d41 fix: restore embedded extension discovery typings (risk: 1/5)
a42e1c82 fix: restore tsc build and plugin install tests (risk: 2/5)
ee26b68f fix: lint cleanups (risk: 1/5)
ed65131c fix: Also build entry.ts into dist/entry.mjs. (risk: 1/5)
4b740671 fix: Update a few more entry.js to entry.mjs paths. (risk: 1/5)
68ba1afb fix: Fix scripts/watch-node.mjs and use tsdown --watch. (risk: 1/5)
ddc5683c fix: resolve workspace templates from package root (risk: 1/5)
e25fedf9 fix: retry gateway watch after dist rebuild (risk: 1/5)
dae00fe1 fix: Update CONTRIBUTING.md + adjust watch-node.mjs again to be faster with tsc. (risk: 1/5)
c3a8a537 fix: sync docker-compose gateway command (risk: 2/5)
b9b94715 fix: avoid stderr backpressure in macOS discovery (Fix potential subprocess hang by discarding stderr pipe openclaw/openclaw#3304) (thanks @abhijeet117) (risk: 1/5)
37721ebd fix: restore telegram draft streaming partials (risk: 2/5)
a64d8d2d fix: harden telegram streaming state (risk: 1/5)
b5c2b188 fix: stabilize partial streaming filters (risk: 1/5)
f1de88c1 fix: restore telegram draft streaming partials (fix: restore telegram draft streaming partials openclaw/openclaw#5543) (thanks @obviyus) (risk: 1/5)
58f41859 fix: Failing tests due to import sorting. (risk: 2/5)
dc8a63cb fix: skip extension append if command already has one (risk: 1/5)
3d5c03ec fix: resolve Windows npm spawn ENOENT (fix(process): resolve npm/pnpm spawn ENOENT on Windows openclaw/openclaw#5815) (thanks @thejhinvirtuoso) (risk: 1/5)
c621c80a fix(tui): prevent crash when searching with digits in model selector (risk: 1/5)
633f8484 fix: use telegram user id for pairing request (risk: 1/5)
1f3afa38 fix: use shared pairing store for telegram (refactor: use shared pairing store for telegram openclaw/openclaw#6127) (thanks @obviyus) (risk: 1/5)
a1e89afc fix: secure chrome extension relay cdp (risk: 1/5)
b897389b fix: friendlier Windows onboarding message (fix: friendlier Windows onboarding message openclaw/openclaw#6242) (risk: 1/5)
5d3c898a fix: update compaction safeguard to respect context window tokens (risk: 1/5)
0992c5a8 fix: cap context window resolution (fix: custom configured context tokens not respected openclaw/openclaw#6187) (thanks @iamEvanYT) (risk: 1/5)
e9f70e85 fix: satisfy lint curly rule (fix: satisfy lint curly rule openclaw/openclaw#6310) (risk: 1/5)
083ec932 fix: cover OpenRouter attribution headers (risk: 1/5)
bcde2fca fix: align embedded agent session setup (risk: 2/5)
8eb11bd3 fix: wire before_tool_call hook into tool execution (Fix missing before_tool_call hook integration openclaw/openclaw#6570) (thanks @ryancnelson) (Fix before_tool_call hook execution openclaw/openclaw#6660) (risk: 1/5)
3367b2aa fix: align embedded runner with session API changes (risk: 2/5)
a87a07ec fix: harden host exec env validation (### Security Fix: Prevent Hidden Execution via Environment Variables openclaw/openclaw#4896) (thanks @HassanFleyah) (risk: 1/5)
19775abd fix: clean up plugin linting and types (risk: 1/5)
e58291e0 fix: align embedded runner with pi-coding-agent API (risk: 2/5)
7aeabbab fix: refine oauth provider guard (risk: 2/5)
aa2eb48b fix: align pi-coding-agent typings and docs (risk: 1/5)
4347d246 fix: format issues and lint error in oauth.ts (risk: 2/5)
7ee99af9 fix: convert HTML comments to MDX comments in docs (risk: 1/5)
dda8a2b2 fix: format docs (risk: 1/5)
5020bfa2 fix: L2-normalize local embedding vectors to fix semantic search (fix: L2-normalize local embedding vectors to fix semantic search openclaw/openclaw#5332) (risk: 1/5)
19b8416a fix: unify telegram thread handling (risk: 1/5)
1d7dd5f2 fix: require thread specs for telegram sends (risk: 1/5)
0bc8a592 fix: inline telegram thread scope type (risk: 1/5)
e25f8ed5 fix: add changelog for telegram thread spec (fix: telegram thread handling (DM vs forum) openclaw/openclaw#6833) (thanks @obviyus) (risk: 1/5)
01449a2f fix: add telegram download timeouts (fix(telegram): add timeout to file download to prevent DoS (CWE-400) openclaw/openclaw#6914) (thanks @hclsys) (risk: 1/5)
521b1218 fix: treat '*' tool allowlist as valid (risk: 1/5)
9ef24fd4 fix: flush block streaming on paragraph boundaries for chunkMode=newline (fix: flush block streaming on paragraph boundaries for chunkMode=newline openclaw/openclaw#7014) (risk: 2/5)
34dd7324 fix: restore lint/build gates (risk: 2/5)
d03eca84 fix: harden plugin and hook install paths (risk: 1/5)
41cc5bcd fix: gate Teams media auth retries (risk: 1/5)
b8174dec fix: resolve system prompt overrides (risk: 1/5)
284d2420 fix: align tool execute signature (risk: 1/5)
2d317ce4 fix: align tool execute parameter order (risk: 1/5)
9ae1b732 fix: align tool definition adapter (risk: 1/5)
bcb0ed08 fix: normalize tool execute args (risk: 1/5)
845d97b6 fix: handle legacy tool execute signatures (risk: 1/5)
bf08b485 fix: satisfy tool adapter lint (risk: 1/5)
81c68f58 fix: guard remote media fetches with SSRF checks (risk: 2/5)
66307695 fix: start gateway in docker CMD (fix(docker): add gateway subcommand and cloud-compatible flags openclaw/openclaw#6635) (thanks @kaizen403) (risk: 1/5)
dfef943f fix: polish docker setup flow (risk: 2/5)
9bd64c8a fix: expand SSRF guard coverage (risk: 2/5)
f9fae2c4 fix: stabilize docker e2e flows (risk: 1/5)
822388fe fix: address review feedback — retryDelay uses effectiveForce,
default overrides param, @State() on chatNewMessagesBelow (risk: 1/5)d3bb3227fix: resolve check errors in nodes-tool and commands-ptt (risk: 1/5)a63ec41afix: validate AbortSignal instances before calling AbortSignal.any() (risk: 1/5)5fb8f779fix: validate AbortSignal instances before calling AbortSignal.any() (fix: validate AbortSignal instances before calling AbortSignal.any() openclaw/openclaw#7277) (thanks @Elarwei001) (risk: 1/5)f49297e2fix: skip audio files from text extraction to prevent binary processing (fix: skip audio files from text extraction to prevent binary processing openclaw/openclaw#7475) (risk: 1/5)cfd6b21dfix: repair malformed tool calls and session transcripts (Agents: repair malformed tool calls and session files openclaw/openclaw#7473) (thanks @justinhuangcode) (risk: 1/5)d1ecb460fix: harden exec allowlist parsing (risk: 1/5)e9f182defix: error handling in restore failure reporting (risk: 1/5)23cfcd60Fix build regressions after merge (risk: 1/5)d0b98c75fix: make QMD cache key deterministic (risk: 1/5)edd6289ffix: derive citations chat type via session parser (risk: 1/5)7d5ca117fix: restore session_status and CLI examples (risk: 1/5)afbb1af6fix: restore safety + session_status hints (risk: 1/5)1ee57cf7fix: changelog entry for QMD memory (feat (memory): Implement new (opt-in) QMD memory backend openclaw/openclaw#3160) (thanks @vignesh07) (risk: 1/5)e3b85b98fix: shell completion and drop onboarding prompt (risk: 1/5)42500341fix: Removetsconfig.oxlint.jsonAGAIN. (risk: 1/5)be4f7ef3fix: Fix Mac app build step. 
(risk: 1/5)a7f4a53cfix: harden Windows exec allowlist (risk: 1/5)9d2066bdfix: restore OpenClaw docs/source links in system prompt (risk: 1/5)66d8117dfix: harden control ui framing + ws origin (risk: 2/5)a9bb96adfix: use build-info for version fallback (risk: 1/5)e895e85ffix: improve build-info resolution for commit/version (risk: 1/5)6b4b6049fix: enforce Nextcloud Talk allowlist by user id (risk: 1/5)9c5941bafix: add legacy daemon-cli shim for updates (risk: 1/5)41a4f120fix: honor telegram model overrides in buttons (Telegram: add inline button model selection openclaw/openclaw#8193) (thanks @gildo) (risk: 1/5)4a5d3689fix: keep Moonshot CN base URL in onboarding (feat: add support for Moonshot API key for Other endpoint openclaw/openclaw#7180) (thanks @waynelwz) (risk: 2/5)a749db98fix: harden voice-call webhook verification (risk: 2/5)6341819dfix: cron announce delivery path (Overhaul cron delivery model, migrate schedule timestamps to ISO 8601, fix issues/bugs openclaw/openclaw#8540) (thanks @tyler6204) (risk: 1/5)b2361292fix: trim legacy signature fallback, type fromChatType as union (risk: 1/5)78fd1947fix: telegram forward metadata + cron delivery guard (fix(telegram): include forward_from_chat metadata in forwarded messages (#8133) openclaw/openclaw#8392) (thanks @Glucksberg) (risk: 1/5)f633a8cbfix: address review comments (risk: 1/5)19ecdce2fix: align proxy fetch typing (risk: 1/5)6f200ea7fix: force reload cron store (risk: 1/5)0cd47d83fix: cover anonymous voice allowlist callers (Voice: enforce exact allowlist matching openclaw/openclaw#8104) (thanks @victormier) (fix: cover anonymous voice allowlist callers openclaw/openclaw#9188) (risk: 1/5)385a7ebafix: enforce owner allowlist for commands (risk: 2/5)22927b08fix: infer --auth-choice from API key flags during non-interactive onboarding (fix: infer --auth-choice from API key flags during non-interactive onboarding openclaw/openclaw#9241) (risk: 2/5)85246664fix: gracefully downgrade xhigh thinking level in 
cron isolated agent (fix: gracefully downgrade xhigh thinking level in cron isolated agent openclaw/openclaw#9363) (risk: 1/5)d84eb464fix: restore discord owner hint from allowlists (risk: 2/5)3b40227bfix: remove unused cron import (risk: 1/5)1ee1522dfix: resolve bundled chrome extension assets (Fix chrome extension bundled path resolution openclaw/openclaw#8914) (thanks @kelvinCB) (risk: 1/5)d6cde28cfix: stabilize windows acl tests and command auth registry (Tests: add test coverage for security/windows-acl.ts openclaw/openclaw#9335) (thanks @M00N7682) (risk: 1/5)a4d1af1bfix: resolve discord owner allowFrom matches (risk: 1/5)f2c5c847fix: preserve telegram DM topic threadId (fix(telegram): preserve DM topic threadId in deliveryContext openclaw/openclaw#9039) (thanks @lailoo) (risk: 1/5)cf95b2f3fix: update changelog for help sorting (enhancement(CLI): sort commands alphabetically in help output openclaw/openclaw#8068) (thanks @deepsoumya617) (risk: 1/5)eef247b7fix: auto-inject Telegram forum topic threadId in message tool (risk: 1/5)a13efbe2fix: pass threadId/to/accountId from parent to subagent gateway call (risk: 1/5)01db1ddefix: telegram topic auto-threading — use parseTelegramTarget, add tests (🔴 FIX: Telegram DM Topics — auto-inject threadId in message tool & subagent announce openclaw/openclaw#7235) (thanks @Lukavyi) (risk: 1/5)f32eeae3fix: remove orphaned tool_results during compaction pruning (risk: 1/5)821520a0fix cron scheduling and reminder delivery regressions (fix cron scheduling and reminder delivery regressions openclaw/openclaw#9733) (risk: 1/5)93b45034fix: clear stale token metrics on /new and /reset (fix: clear stale token metrics on /new and /reset openclaw/openclaw#8929) (risk: 1/5)4e1a7cd6fix: allow multiple compaction retries on context overflow (fix: allow multiple compaction retries on context overflow openclaw/openclaw#8928) (risk: 1/5)cefd87f3Fix: Enable scrolling on the dashboard config page (Fix: Enable scrolling on the dashboard config 
page openclaw/openclaw#1822) (risk: 1/5)de7b2ba7fix: normalize xhigh aliases and docs sync (Thinking: accept extra-high alias and sync Codex 5.3 FAQ wording openclaw/openclaw#9976) (risk: 1/5)ec0728b3fix: release session locks on process termination (fix: release session locks on process termination [AI-assisted] openclaw/openclaw#1962) (risk: 1/5)3ad79583fix: untrack dist/control-ui build artifacts (fix: untrack dist/control-ui build artifacts openclaw/openclaw#1856) (risk: 1/5)05b28c14fix: wire onToolResult callback for verbose tool summaries (fix: wire onToolResult callback for verbose tool summaries openclaw/openclaw#2022) (risk: 1/5)47538bcafix: Gateway canvas host bypasses auth and serves files unauthenticated (risk: 1/5)8abce8a8fix:onToolResultfallback is not expected. (risk: 1/5)f16e32b7fix: Do notprocess.exit(0)in the middle of a test. (risk: 1/5)717129f7fix: silence unused hook token url param (fix: silence unused hook token url param openclaw/openclaw#9436) (risk: 2/5)72245855fix: add fallback for Control UI asset resolution in global installs (risk: 1/5)b40da2cbfix: remove dead restore control-ui step from update runner (risk: 1/5)4a59b778fix: CLI harden update restart imports and fix nested bundle version resolution (risk: 1/5)42164494fix: guard resolveUserPath against undefined input (fix: guard resolveUserPath against undefined input openclaw/openclaw#10176) (risk: 2/5)2c8af78dfix(hooks): replace debug console.log with proper subsystem logging in session-memory (fix(hooks): replace debug console.log with proper subsystem logging in session-memory openclaw/openclaw#10730) (risk: 1/5)d90cac99fix: cron scheduler reliability, store hardening, and UX improvements (fix: cron scheduler reliability, store hardening, and UX improvements openclaw/openclaw#10776) (risk: 3/5)1007d71ffix: comprehensive BlueBubbles and channel cleanup (fix: comprehensive BlueBubbles and channel cleanup openclaw/openclaw#11093) (risk: 3/5)b8f740fbfix: add .caf to 
AUDIO_FILE_EXTENSIONS (fix: add .caf to AUDIO_FILE_EXTENSIONS openclaw/openclaw#10982) (risk: 1/5)0deb8b0dfix: recover from context overflow caused by oversized tool results (fix: recover from context overflow caused by oversized tool results openclaw/openclaw#11579) (risk: 1/5)95263f4eMemory: add SQLITE_BUSY fallback regression test (risk: 1/5)ebe57304fix: use STATE_DIR instead of hardcoded ~/.openclaw for identity and canvas (fix: use STATE_DIR instead of hardcoded ~/.openclaw for identity and canvas openclaw/openclaw#4824) (risk: 2/5)191da1fefix: context overflow compaction and subagent announce improvements (fix: context overflow compaction and subagent announce improvements openclaw/openclaw#11664) (thanks @tyler6204) (risk: 2/5)What to beware of
Bug fixes may subtly change behavior the fork relies on. Check for side effects in shared modules, altered return types, and changed error handling paths.
About conflicts
Some cherry-picks may have conflicted during application; these are committed with conflict markers intact and are visible in the diff for manual resolution.
Additionally, this PR may show merge conflicts against daisy/dev due to fork divergence. Resolve both in the merge UI or locally with git merge.
Risk
Review checklist
Generated by scripts/upstream-triage.sh --apply --open-pr on 2026-02-08-2013 — no upstream code was executed
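Because the "About conflicts" section above says conflicted cherry-picks are committed with their conflict markers left in place, the one check worth running before this branch is merged is a gate that fails while any such marker survives. The script below is an added example written for this review; it is not part of the PR, of the openclaw repository, or of scripts/upstream-triage.sh. The sample files it creates are constructed for the demonstration and are not files from the PR; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not part of this PR or of scripts/upstream-triage.sh):
# a pre-merge gate that fails while any file still carries git conflict
# markers, which is how cherry-picks that conflicted during application
# are committed in this PR. Markers are matched only at column 0, where
# git writes them, so a '=======' inside a string literal is not a hit.
# The pattern also covers the '|||||||' base marker of diff3-style output.
CONFLICT_RE='^(<{7}( |$)|[|]{7}( |$)|={7}$|>{7}( |$))'

# Print file:line:text for every marker found; exit 0 if clean, 1 otherwise.
check_conflict_markers() {
  rc=0
  for f in "$@"; do
    [ -f "$f" ] || continue
    if grep -n -E "$CONFLICT_RE" "$f"; then
      rc=1
    fi
  done
  return "$rc"
}

# Print how many of the given files still contain at least one marker.
count_conflicted_files() {
  n=0
  for f in "$@"; do
    [ -f "$f" ] || continue
    if grep -q -E "$CONFLICT_RE" "$f"; then
      n=$((n + 1))
    fi
  done
  printf '%s\n' "$n"
}

# Constructed sample tree (not files from the PR): one file left exactly as a
# conflicted cherry-pick would commit it, one clean file whose content merely
# looks marker-like. Prints the directory path so callers can clean it up.
make_sample_tree() {
  dir=$(mktemp -d)
  cat > "$dir/conflicted.ts" <<'EOF'
export function deliver(ctx: Ctx) {
<<<<<<< HEAD
  return legacyDeliver(ctx);
=======
  return newDeliver(ctx);
>>>>>>> upstream/main
}
EOF
  cat > "$dir/clean.ts" <<'EOF'
const banner = "=======";        // literal, not at column 0
export const shifted = (x: number) => x >>> 7;
EOF
  printf '%s\n' "$dir"
}

# Stand-alone run: gate the sample tree the way CI would gate the PR branch.
if [ -z "${CONFLICT_CHECK_NO_DEMO:-}" ]; then
  tree=$(make_sample_tree)
  if check_conflict_markers "$tree"/*.ts; then
    echo "clean: no conflict markers"
  else
    echo "blocked: $(count_conflicted_files "$tree"/*.ts) file(s) still carry conflict markers"
  fi
  rm -rf "$tree"
fi
```

Run it against the files the PR touches (for example the output of `git diff --name-only daisy/dev...HEAD`) and treat a non-zero exit as a merge blocker; git's own `git diff --check` flags the same markers but only for uncommitted changes, whereas this gate works on the committed tree the PR actually proposes.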