Replace upstream AGENTS.md with thin DAISy rules #167
…enclaw#30975)
* CLI argv: add strict root help invocation guard
* Entry: add root help fast-path bootstrap bypass
* CLI context: lazily resolve channel options
* CLI context tests: cover lazy channel option resolution
* CLI argv tests: cover root help invocation detection
* Changelog: note additional startup path optimizations
* Changelog: split startup follow-up into openclaw#30975 entry
* CLI channel options: load precomputed startup metadata
* CLI channel options tests: cover precomputed metadata path
* Build: generate CLI startup metadata during build
* Build script: invoke CLI startup metadata generator
* CLI routes: preload plugins for routed health
* CLI routes tests: assert health plugin preload
* CLI: add experimental bundled entry and snapshot helper
* Tools: compare CLI startup entries in benchmark script
* Docs: add startup tuning notes for Pi and VM hosts
* CLI: drop bundled entry runtime toggle
* Build: remove bundled and snapshot scripts
* Tools: remove bundled-entry benchmark shortcut
* Docs: remove bundled startup bench examples
* Docs: remove Pi bundled entry mention
* Docs: remove VM bundled entry mention
* Changelog: remove bundled startup follow-up claims
* Build: remove snapshot helper script
* Build: remove CLI bundle tsdown config
* Doctor: add low-power startup optimization hints
* Doctor: run startup optimization hint checks
* Doctor tests: cover startup optimization host targeting
* Doctor tests: mock startup optimization note export
* CLI argv: require strict root-only help fast path
* CLI argv tests: cover mixed root-help invocations
* CLI channel options: merge metadata with runtime catalog
* CLI channel options tests: assert dynamic catalog merge
* Changelog: align openclaw#30975 startup follow-up scope
* Docs tests: remove secondary-entry startup bench note
* Docs Pi: add systemd recovery reference link
* Docs VPS: add systemd recovery reference link
* Doctor: detect macOS cloud-synced state directories
* Doctor tests: cover cloud-synced macOS state detection
* Docs: note cloud-synced state warning in doctor guide
* Docs: recommend local macOS state dir placement
* Changelog: add macOS cloud-synced state dir warning
* Changelog: credit macOS cloud state warning PR
* Doctor state: anchor cloud-sync roots to macOS home
* Doctor tests: cover OPENCLAW_HOME cloud-sync override
* Doctor state: prefer resolved target for cloud detection
* Doctor tests: cover local-target cloud symlink case
Co-authored-by: Jonathan Jing <[email protected]>
* Docs: add missing platform pages to nav
* Docs: include all unlisted docs routes in nav
* Docs nav: classify routes by area and remove catch-all groups
* Docs nav: remove ja-JP AGENTS page entry
* Docs ja-JP: remove AGENTS translation workspace page
* Docs nav: remove refactor plans group
* Docs nav: remove .dev template pages
* Docs nav: remove operations hubs group
…ntries
Document permissionMode and nonInteractivePermissions plugin config keys for the acpx backend. Add troubleshooting entries for:
- Permission prompt errors in non-interactive ACP sessions
- Silent session failures from swallowed permission errors
- Stalled ACP sessions that never report completion
Relates to openclaw#29195
AI-assisted (lightly tested)
…rom @altaywtf Include scoped cross-channel action/description behavior, regression tests, changelog note, and make Ollama discovery tests URL-scoped to avoid env-dependent fetch interference. Co-authored-by: Altay <[email protected]>
* fix(docker): harden /app/extensions permissions to 755
Bundled extension directories shipped as world-writable (mode 777)
in the Docker image. The plugin security scanner blocks any world-
writable path with:
WARN: blocked plugin candidate: world-writable path
(/app/extensions/memory-core, mode=777)
Add chmod -R 755 /app/extensions in the final USER root RUN step so
all bundled extensions are readable but not world-writable. This runs
as root before switching back to the node user, matching the pattern
already used for chmod 755 /app/openclaw.mjs.
Fixes openclaw#30139
* fix(docker): normalize plugin and agent path permissions
* docs(changelog): add docker permissions entry for openclaw#30191
* Update CHANGELOG.md
---------
Co-authored-by: Vincent Koc <[email protected]>
Landed from contributor PR openclaw#29508 by @cgdusek. Co-authored-by: Charles Dusek <[email protected]>
Landed from contributor PR openclaw#29710 by @Sid-Qin. Co-authored-by: SidQin-cyber <[email protected]>
- Add `permissions: {contents: read}` to ci.yml, workflow-sanity.yml,
and sandbox-common-smoke.yml (addresses 11 CodeQL findings)
- Fix sandbox-common-smoke.yml branch filter: main → daisy/main + daisy/dev
(Copilot review comment)
Co-Authored-By: Claude Opus 4.6 <[email protected]>
- session-utils.fs: count archive removals only after deletion succeeds, preventing false cleanup counts when files are locked
- usage: format startDate/endDate respecting the requested utcOffset/mode instead of always using UTC calendar fields
Co-Authored-By: Claude Opus 4.6 <[email protected]>
Pass github event context through env vars instead of direct ${{ }}
interpolation in shell script to prevent code injection (CodeQL
alerts #255-#257).
Co-Authored-By: Claude Opus 4.6 <[email protected]>
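The commit message above moves event context out of the script text and into env vars. As an added example (not code from this PR or from the project), this Python check flags `${{ github.event.* }}` and `${{ github.head_ref }}` expressions that remain inside `run:` script bodies. The function name, the chosen expression subset and the constructed sample workflow are assumptions of this example.

```python
import re

# Expression contexts whose values an external contributor can set
# (assumption: a representative subset for this example, not a complete list).
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*(github\.event\.[^}\s]+|github\.head_ref)\s*\}\}"
)
# A `run:` key, optionally the first key of a list item ("- run: ...").
RUN_KEY = re.compile(r"^(?P<lead>\s*(?:-\s+)?)run:\s*(?P<rest>.*)$")
# YAML block scalar header: "|" or ">" with optional chomping/indent indicators.
BLOCK_SCALAR = re.compile(r"^[|>][-+0-9]*\s*$")

# Constructed sample workflow: one step interpolates event data into the
# script text, one passes it through env, one uses an inline run step.
SAMPLE_WORKFLOW = """\
name: triage
on: pull_request
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - name: Title, interpolated into the script text
        run: |
          echo "title: ${{ github.event.pull_request.title }}"
      - name: Title, passed through the environment
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "title: $PR_TITLE"
      - run: echo "branch ${{ github.head_ref }}"
"""


def find_run_interpolations(workflow_text):
    """Return (line_number, expression) for each untrusted ${{ }} expression
    found inside the script body of a `run:` step. Expressions in `env:`
    blocks are not reported: there the value reaches the shell as data."""
    findings = []
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = len(m.group("lead"))  # column where the `run` key starts
        rest = m.group("rest")
        if BLOCK_SCALAR.match(rest):
            # Multi-line script: body lines are indented deeper than `run:`.
            i += 1
            while i < len(lines):
                body = lines[i]
                indent = len(body) - len(body.lstrip())
                if body.strip() and indent <= key_col:
                    break  # dedent: the script body has ended
                for expr in UNTRUSTED_EXPR.findall(body):
                    findings.append((i + 1, expr))
                i += 1
        else:
            # Single-line script on the same line as the key.
            for expr in UNTRUSTED_EXPR.findall(rest):
                findings.append((i + 1, expr))
            i += 1
    return findings


if __name__ == "__main__":
    for line_no, expr in find_run_interpolations(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {expr} is expanded into the script text; "
              f"pass it through env instead")
```

The scan is line-based and does not parse YAML, so it only recognises scripts written directly under a `run:` key.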
We don't have Blacksmith runners. Replace all references:
- blacksmith-16vcpu-ubuntu-2404 → ubuntu-latest
- blacksmith-16vcpu-ubuntu-2404-arm → ubuntu-latest + QEMU
- blacksmith-16vcpu-windows-2025 → windows-latest
Add docker/setup-qemu-action for arm64 Docker builds on x86 runners. Remove Blacksmith labels and ignore patterns from actionlint config.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
Remove invalid `branches` filter from pull_request_review and check_suite events in patchbot.yml (not supported per GitHub spec, router job already handles branch filtering). Suppress environment-scoped secret warnings in deploy.yml only (staging secrets are invisible to actionlint static analysis). Co-Authored-By: Claude Opus 4.6 <[email protected]>
…r-review Remove duplicate inputs block that broke ci.yml YAML parsing. Replace invalid toLower() calls with plain contains() which is already case-insensitive in GitHub Actions expressions. Co-Authored-By: Claude Opus 4.6 <[email protected]>
Add lockfile entries for mongodb, @sinclair/typebox, and openai dependencies from extensions/memory-mongodb/package.json. Co-Authored-By: Claude Opus 4.6 <[email protected]>
Run oxfmt --write on all 26 files flagged by CI format check, including mongodb extension, docs, workflows, and gateway files. Co-Authored-By: Claude Opus 4.6 <[email protected]>
- Add logger field to CallManager class and getContext() method
- Add logger to Pick types (InitiateContext, ConversationContext, MaxDurationTimerContext) so ctx.logger compiles
- Add defaultLogger to events.test.ts context factory
- Wrap bare URLs in docs/deployments.md with angle brackets (MD034)
- Add blank lines before fenced code blocks in staging-setup.md (MD031)
Co-Authored-By: Claude Opus 4.6 <[email protected]>
Co-Authored-By: Claude Opus 4.6 <[email protected]>
- Update browser config/utils tests to expect 'daisy' profile name instead of 'openclaw' (DAISy rebranding)
- Fix approval-id test mock to handle system.run.prepare and proper approval registration flow (ask defaults to 'always')
- Remove deleted install-sh-smoke Dockerfile from digest test array
- Remove dead test:install:smoke script from package.json
Co-Authored-By: Claude Opus 4.6 <[email protected]>
- Add command() to db mock (doInitialize now pings admin db)
- Remove $match pipeline assertion (filtering moved to JS)
TODO: replace mocked tests with integration tests against real MongoDB instance to validate actual connectivity.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
These were incorrectly deleted during the rebase and added to .gitignore. Upstream's versions are restored as-is. A future Patchbot task will replace these with thin, DAISy-specific versions that minimize token overhead for agents. Co-Authored-By: Claude Opus 4.6 <[email protected]>
Pass explicit minimum scopes to gateway e2e test clients instead of relying on the default scope. Mock OpenAI test needs admin+write, wizard test needs admin+read. Co-Authored-By: Claude Opus 4.6 <[email protected]>
Add .claude/settings.json to .gitignore and remove from index. This file is modified locally by Claude Code during sessions and causes checkout conflicts between branches. Co-Authored-By: Claude Opus 4.6 <[email protected]>
Our fileParallelism:false and worker changes were causing the Linux test suite to hang (2h+) and triggering widespread mock resolution failures across dozens of test files. Restore upstream config which runs tests in parallel with forks pool. Co-Authored-By: Claude Opus 4.6 <[email protected]>
- Bun: update 1.3.9+cf6cdbbba → 1.3.10 (old binary returns 404)
- iOS: fix Clawdis → OpenClaw naming in ci.yml to match project.yml
- bluebubbles: use explicit relative path in test instead of path.relative() which returns absolute on cross-drive Windows
- deps: bump hono 4.11.10 → 4.12.4 and tar 7.5.9 → 7.5.10 to fix audit HIGH/CRITICAL advisories (lockfile regen needed)
Co-Authored-By: Claude Opus 4.6 <[email protected]>
Remove pnpm-lock.yaml from git tracking (already in .gitignore). The fork's pnpm.overrides and extension deps diverge from upstream, making the lockfile a source of friction rather than safety. CI now resolves fresh from package.json on each run. Disable --frozen-lockfile default since there is no lockfile to freeze against. Co-Authored-By: Claude Opus 4.6 <[email protected]>
The fork diverges from upstream's dependency tree (pnpm.overrides, custom extensions), so we don't track pnpm-lock.yaml. Remove --frozen-lockfile from all Dockerfiles, scripts, and CI, and remove pnpm-lock.yaml from COPY commands since the file won't exist in the build context. Files changed:
- Dockerfile: remove --frozen-lockfile and pnpm-lock.yaml COPY
- scripts/e2e/Dockerfile: same
- scripts/e2e/Dockerfile.qr-import: remove --frozen-lockfile
- scripts/docker/cleanup-smoke/Dockerfile: both
- scripts/codex-setup.sh: simplify install (no lockfile guard)
- scripts/codex-maintenance.sh: same
- scripts/pr: remove --frozen-lockfile from bootstrap
- .github/workflows/ci.yml: Windows install step
- src/dockerfile.test.ts: update assertion to match Dockerfile
Co-Authored-By: Claude Opus 4.6 <[email protected]>
- Disable iOS job (DAISy does not ship an iOS app)
- Add @hono/[email protected] pnpm override to fix GHSA-wc8c-qw6v-h7f6 (authorization bypass via encoded slashes)
Co-Authored-By: Claude Opus 4.6 <[email protected]>
The 257-line upstream AGENTS.md contains OpenClaw-specific instructions (exe.dev VMs, 1Password publishing, macOS app ops) irrelevant to DAISy. Replace with ~20 lines of DAISy-specific, non-inferable rules that are maintained as a known customization across upstream upgrades. Co-Authored-By: Claude Opus 4.6 <[email protected]>
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up QEMU (arm64 emulation on x86 runner) | ||
| uses: docker/setup-qemu-action@v3 |
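Review bot: `docker/setup-qemu-action@v3` on the last line, and `actions/checkout@v4` on the first, are referenced by mutable tag, so the code the job runs can change without any change to this file. Pin each `uses:` to a full commit SHA and keep the tag as a trailing comment for readability.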
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
Patchbot
Updated 2026-03-05T06:30:50.492Z · Run #22705437477
Pull request overview
This PR substantially expands beyond the stated “AGENTS.md replacement” goal, introducing a large Android app rebuild/rebrand (OpenClaw), new gateway/node runtime plumbing, Docker hardening, and various repo tooling/docs updates alongside the new thin AGENTS.md.
Changes:
- Add a large set of new Android UI + node/gateway runtime components (chat UI, canvas/webview bridge, invoke dispatcher/handlers, TLS/auth utilities).
- Rebrand package namespaces and user-facing strings to `ai.openclaw.*` / “OpenClaw”, plus Android manifest/Gradle/proguard updates.
- Add Dockerfile sandbox/common images + workflow/tooling/docs updates, and replace upstream `AGENTS.md` with DAISy-specific rules.
Reviewed changes
Copilot reviewed 134 out of 7072 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| apps/android/app/src/main/java/ai/openclaw/android/ui/chat/ChatSheetContent.kt | New chat sheet UI incl. image attachment picking/encoding and session selector. |
| apps/android/app/src/main/java/ai/openclaw/android/ui/chat/ChatMessageListCard.kt | New chat message list card with reverse layout + empty-state hint. |
| apps/android/app/src/main/java/ai/openclaw/android/ui/TalkOrbOverlay.kt | Package rename to ai.openclaw.android.ui. |
| apps/android/app/src/main/java/ai/openclaw/android/ui/RootScreen.kt | New root screen routing between onboarding and post-onboarding tabs. |
| apps/android/app/src/main/java/ai/openclaw/android/ui/OpenClawTheme.kt | New theme wrapper and overlay color helpers. |
| apps/android/app/src/main/java/ai/openclaw/android/ui/MobileUiTokens.kt | New UI tokens (colors/typography/font family). |
| apps/android/app/src/main/java/ai/openclaw/android/ui/GatewayConfigResolver.kt | New parsing/decoding for gateway endpoints/setup codes. |
| apps/android/app/src/main/java/ai/openclaw/android/ui/ChatSheet.kt | Thin wrapper composable for chat sheet. |
| apps/android/app/src/main/java/ai/openclaw/android/ui/CanvasScreen.kt | New WebView canvas surface + JS bridge wiring. |
| apps/android/app/src/main/java/ai/openclaw/android/ui/CameraHudOverlay.kt | Package rename to ai.openclaw.android.ui. |
| apps/android/app/src/main/java/ai/openclaw/android/tools/ToolDisplay.kt | Package rename to ai.openclaw.android.tools. |
| apps/android/app/src/main/java/ai/openclaw/android/protocol/OpenClawProtocolConstants.kt | New protocol/capability/command enums. |
| apps/android/app/src/main/java/ai/openclaw/android/protocol/OpenClawCanvasA2UIAction.kt | New helpers for A2UI action extraction/tag formatting + JS dispatch string. |
| apps/android/app/src/main/java/ai/openclaw/android/node/SystemHandler.kt | New system notification invoke handler. |
| apps/android/app/src/main/java/ai/openclaw/android/node/SmsManager.kt | Package rename + import fix for PermissionRequester. |
| apps/android/app/src/main/java/ai/openclaw/android/node/SmsHandler.kt | New SMS invoke wrapper returning GatewaySession.InvokeResult. |
| apps/android/app/src/main/java/ai/openclaw/android/node/ScreenRecordManager.kt | New screen recording implementation producing base64 MP4 payloads. |
| apps/android/app/src/main/java/ai/openclaw/android/node/ScreenHandler.kt | New screen-record invoke wrapper and active-state toggling. |
| apps/android/app/src/main/java/ai/openclaw/android/node/NotificationsHandler.kt | New notifications list/action invoke handler. |
| apps/android/app/src/main/java/ai/openclaw/android/node/NodeUtils.kt | New shared node utilities (JSON helpers, error parsing, color parsing). |
| apps/android/app/src/main/java/ai/openclaw/android/node/LocationHandler.kt | New location invoke handler with permission/mode gating. |
| apps/android/app/src/main/java/ai/openclaw/android/node/LocationCaptureManager.kt | Package rename to ai.openclaw.android.node. |
| apps/android/app/src/main/java/ai/openclaw/android/node/JpegSizeLimiter.kt | Package rename to ai.openclaw.android.node. |
| apps/android/app/src/main/java/ai/openclaw/android/node/InvokeDispatcher.kt | New invoke dispatcher routing protocol commands to handlers. |
| apps/android/app/src/main/java/ai/openclaw/android/node/InvokeCommandRegistry.kt | New command/capability registry + runtime-flag filtering. |
| apps/android/app/src/main/java/ai/openclaw/android/node/GatewayEventHandler.kt | New wake-words sync handler between prefs and gateway. |
| apps/android/app/src/main/java/ai/openclaw/android/node/DebugHandler.kt | New debug endpoints (ed25519 self-test, log capture). |
| apps/android/app/src/main/java/ai/openclaw/android/node/ConnectionManager.kt | New connect options builder + TLS param resolution + UA/version. |
| apps/android/app/src/main/java/ai/openclaw/android/node/CanvasController.kt | Package rename + add currentUrl StateFlow + JS global rename. |
| apps/android/app/src/main/java/ai/openclaw/android/node/CameraHandler.kt | New camera handler for list/snap/clip with payload sizing + HUD feedback. |
| apps/android/app/src/main/java/ai/openclaw/android/node/A2UIHandler.kt | New A2UI host resolution/ready checks and message decoding/validation. |
| apps/android/app/src/main/java/ai/openclaw/android/gateway/InvokeErrorParser.kt | New throwable/message parsing into structured invoke errors. |
| apps/android/app/src/main/java/ai/openclaw/android/gateway/GatewayTls.kt | New TLS pinning/probing utilities. |
| apps/android/app/src/main/java/ai/openclaw/android/gateway/GatewayProtocol.kt | New gateway protocol constant. |
| apps/android/app/src/main/java/ai/openclaw/android/gateway/GatewayEndpoint.kt | Package rename to ai.openclaw.android.gateway. |
| apps/android/app/src/main/java/ai/openclaw/android/gateway/GatewayDiscovery.kt | Rebrand service type/log tag + optional wide-area domain. |
| apps/android/app/src/main/java/ai/openclaw/android/gateway/DeviceIdentityStore.kt | New device identity + Ed25519 signing using BC lightweight API. |
| apps/android/app/src/main/java/ai/openclaw/android/gateway/DeviceAuthStore.kt | New token store backed by SecurePrefs. |
| apps/android/app/src/main/java/ai/openclaw/android/gateway/DeviceAuthPayload.kt | New v3 auth payload builder and deterministic normalization. |
| apps/android/app/src/main/java/ai/openclaw/android/gateway/BonjourEscapes.kt | Package rename to ai.openclaw.android.gateway. |
| apps/android/app/src/main/java/ai/openclaw/android/chat/ChatModels.kt | Package rename to ai.openclaw.android.chat. |
| apps/android/app/src/main/java/ai/openclaw/android/chat/ChatController.kt | Package/import rename + streaming delta handling and session scoping changes. |
| apps/android/app/src/main/java/ai/openclaw/android/WakeWords.kt | Package rename to ai.openclaw.android. |
| apps/android/app/src/main/java/ai/openclaw/android/VoiceWakeMode.kt | Package rename to ai.openclaw.android. |
| apps/android/app/src/main/java/ai/openclaw/android/SessionKey.kt | Package rename to ai.openclaw.android. |
| apps/android/app/src/main/java/ai/openclaw/android/ScreenCaptureRequester.kt | Rebrand screen recording rationale text. |
| apps/android/app/src/main/java/ai/openclaw/android/PermissionRequester.kt | Rebrand permission rationale text. |
| apps/android/app/src/main/java/ai/openclaw/android/NodeForegroundService.kt | Package rename + notification copy updates + action string rename. |
| apps/android/app/src/main/java/ai/openclaw/android/NodeApp.kt | Package rename to ai.openclaw.android. |
| apps/android/app/src/main/java/ai/openclaw/android/MainViewModel.kt | New ViewModel exposing runtime flows + command methods. |
| apps/android/app/src/main/java/ai/openclaw/android/MainActivity.kt | New Compose activity + requester wiring + keep-awake collection + service start. |
| apps/android/app/src/main/java/ai/openclaw/android/LocationMode.kt | Package rename to ai.openclaw.android. |
| apps/android/app/src/main/java/ai/openclaw/android/InstallResultReceiver.kt | New receiver for app update install results / user confirmation. |
| apps/android/app/src/main/java/ai/openclaw/android/DeviceNames.kt | Package rename to ai.openclaw.android. |
| apps/android/app/src/main/java/ai/openclaw/android/CameraHudState.kt | Package rename to ai.openclaw.android. |
| apps/android/app/src/main/AndroidManifest.xml | Add permissions/services/receiver + theme rename + activity config changes. |
| apps/android/app/proguard-rules.pro | New proguard rules for app/BC/CameraX/serialization/okhttp. |
| apps/android/app/build.gradle.kts | Namespace/appId rename, add ktlint, enable release minify, bump deps, rename APK output. |
| apps/android/THIRD_PARTY_LICENSES/MANROPE_OFL.txt | Add Manrope font license. |
| apps/android/README.md | Rewrite Android README with rebuild checklist + tooling/perf/testing docs. |
| VISION.md | Add OpenClaw vision doc. |
| Swabble/Package.resolved | Update Swift package pins. |
| Dockerfile.sandbox-common | Add common sandbox setup image with optional pnpm/bun/brew. |
| Dockerfile.sandbox-browser | Pin base image digest, rename entrypoint, run as non-root sandbox user. |
| Dockerfile.sandbox | Pin base image digest + run as non-root sandbox user. |
| Dockerfile | Pin base image digest, add OCI metadata, non-root build/run changes, optional browser install, CLI symlink. |
| CONTRIBUTING.md | Rebrand + expand maintainers, contribution rules, security reporting, DX notes. |
| CLAUDE.md | Keep as single-line reference to AGENTS.md (line ending normalization). |
| AGENTS.md | Replace upstream instructions with DAISy-specific thin rules. |
| .vscode/settings.json | Add editor defaults + formatter recommendations. |
| .vscode/extensions.json | Recommend oxc extension. |
| .prettierignore | Remove ignore entry. |
| .pre-commit-config.yaml | Add hooks (detect-private-key, ruff, pytest, pnpm audit) and quoting tweaks. |
| .pi/prompts/reviewpr.md | Add PR review command prompt. |
| .pi/prompts/landpr.md | Add PR landing workflow prompt. |
| .pi/prompts/is.md | Add issue analysis prompt. |
| .pi/prompts/cl.md | Add changelog audit prompt. |
| .pi/git/.gitignore | Ignore all under .pi/git except .gitignore. |
| .pi/extensions/redraws.ts | Add TUI redraw stats extension. |
| .pi/extensions/prompt-url-widget.ts | Add widget that extracts PR/issue URL from prompt and fetches GH metadata. |
| .pi/extensions/files.ts | Add /files command to show files touched by tool calls. |
| .pi/extensions/diff.ts | Add /diff command to browse git changes and open VS Code diffs. |
| .oxlintrc.json | Expand lint categories/rules and broaden ignore patterns. |
| .oxfmtrc.jsonc | Add experimental import/package.json sorting + new ignore patterns; rename tabWidth fields. |
| .npmrc | Replace build-script allowlist note pointing to package.json config. |
| .markdownlint-cli2.jsonc | Add markdownlint config. |
| .mailmap | Add contributor identity mappings. |
| .github/workflows/workflow-sanity.yml | Improve concurrency grouping; split actionlint into separate job w/ pinned install. |
| .github/workflows/upstream-triage.yml | Quoting/format tweaks. |
| .github/workflows/sandbox-common-smoke.yml | Add CI smoke build for sandbox-common. |
| .github/workflows/patchbot.yml | Remove invalid branches under non-PR triggers. |
| .github/workflows/claude-pr-review.yml | Remove toLower() around 'review' contains check. |
| .github/pull_request_template.md | Add comprehensive PR template. |
| .github/instructions/copilot.instructions.md | Add repo coding patterns and anti-redundancy guidance. |
| .github/dependabot.yml | Increase update cadence to daily, add npm token, add docker ecosystem. |
| .github/actions/setup-pnpm-store-cache/action.yml | Add composite action for pnpm + store cache. |
| .github/actions/setup-node-env/action.yml | Add composite action for submodules + Node/pnpm/Bun + install. |
| .github/actions/detect-docs-changes/action.yml | Add composite action for docs-only change detection. |
| .github/actionlint.yaml | Update ignores and remove self-hosted labels section. |
| .github/ISSUE_TEMPLATE/feature_request.yml | Add new feature request template (YAML form). |
| .github/ISSUE_TEMPLATE/feature_request.md | Remove legacy markdown template. |
| .github/ISSUE_TEMPLATE/config.yml | Disable blank issues; update contact link copy. |
| .github/ISSUE_TEMPLATE/bug_report.yml | Add new bug report template (YAML form). |
| .github/ISSUE_TEMPLATE/bug_report.md | Remove legacy markdown template. |
| .github/FUNDING.yml | Quote formatting tweak. |
| .gitattributes | Mark CLAUDE.md files as binary (-text). |
| .env.example | Rewrite env example to OpenClaw + expand documented env vars. |
| .dockerignore | Keep canvas A2UI build inputs while excluding most of apps/ and vendor/. |
| .claude/settings.json | Remove Claude settings from repo. |
| .agents/maintainers.md | Point maintainer skills to external repo. |
| .agent/workflows/update_clawdbot.md | Formatting fixes in upgrade workflow doc. |
Comments suppressed due to low confidence (1)
apps/android/app/src/main/java/ai/openclaw/android/chat/ChatController.kt:1
- When `runId` is missing, `isPending` becomes `true`, which contradicts the comment “Only show streaming text for runs we initiated” and can display streaming deltas from runs the device didn’t start (or from malformed events). Consider treating missing `runId` as not pending for `"delta"` (e.g., return early if `runId` is null) so streaming UI is only driven by tracked pending runs.
package ai.openclaw.android.chat
|
|
||
| // With reverseLayout the newest item is at index 0 (bottom of screen). | ||
| LaunchedEffect(messages.size, pendingRunCount, pendingToolCalls.size, streamingAssistantText) { | ||
| listState.animateScrollToItem(index = 0) |
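Review bot: `streamingAssistantText` is one of the `LaunchedEffect` keys, so if it changes on every streaming delta the effect is cancelled and relaunched per delta and `animateScrollToItem(index = 0)` restarts its animation each time. Consider keying on a coarser signal (for example whether streaming text is present at all) or using a non-animated scroll while text is streaming.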
LazyListState.animateScrollToItem(0) will throw if the LazyColumn has zero emitted items (e.g., messages empty, no streaming text, no pending tool calls, and pendingRunCount == 0). Guard the scroll call by checking that at least one item will be present before scrolling (or use listState.layoutInfo.totalItemsCount > 0).
| // With reverseLayout the newest item is at index 0 (bottom of screen). | |
| LaunchedEffect(messages.size, pendingRunCount, pendingToolCalls.size, streamingAssistantText) { | |
| listState.animateScrollToItem(index = 0) | |
| val hasItems = | |
| messages.isNotEmpty() || | |
| pendingRunCount > 0 || | |
| pendingToolCalls.isNotEmpty() || | |
| !streamingAssistantText.isNullOrBlank() | |
| // With reverseLayout the newest item is at index 0 (bottom of screen). | |
| LaunchedEffect(messages.size, pendingRunCount, pendingToolCalls.size, streamingAssistantText, hasItems) { | |
| if (hasItems) { | |
| listState.animateScrollToItem(index = 0) | |
| } |
| WebView(context).apply { | ||
| settings.javaScriptEnabled = true | ||
| settings.domStorageEnabled = true | ||
| settings.mixedContentMode = WebSettings.MIXED_CONTENT_COMPATIBILITY_MODE |
addJavascriptInterface is exposed to any content loaded in this WebView (and mixed content is allowed). If the WebView ever navigates to an untrusted origin (including MITM/HTTP content), that page can call the JS interface and trigger app actions. Mitigation: restrict navigation to a tight allowlist of origins/URLs in the WebViewClient (and block/ignore everything else), consider setting mixedContentMode to MIXED_CONTENT_NEVER_ALLOW when possible, and only add the JS interface when the loaded origin is trusted (or gate messages with an origin-bound token/handshake).
| settings.mixedContentMode = WebSettings.MIXED_CONTENT_COMPATIBILITY_MODE | |
| settings.mixedContentMode = WebSettings.MIXED_CONTENT_NEVER_ALLOW |
| val bridge = CanvasA2UIActionBridge { payload -> viewModel.handleCanvasA2UIActionFromWebView(payload) } | ||
| addJavascriptInterface(bridge, CanvasA2UIActionBridge.interfaceName) | ||
| viewModel.canvas.attach(this) |
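Review bot: the lambda on the first line forwards `payload` to `viewModel.handleCanvasA2UIActionFromWebView` unchanged, and nothing in these lines ties a bridge call to the page that made it. Have the handler confirm that the WebView's current URL belongs to the expected canvas host and reject malformed or oversized payloads before acting, and add a comment next to `addJavascriptInterface` stating which origins are expected to load here.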
addJavascriptInterface is exposed to any content loaded in this WebView (and mixed content is allowed). If the WebView ever navigates to an untrusted origin (including MITM/HTTP content), that page can call the JS interface and trigger app actions. Mitigation: restrict navigation to a tight allowlist of origins/URLs in the WebViewClient (and block/ignore everything else), consider setting mixedContentMode to MIXED_CONTENT_NEVER_ALLOW when possible, and only add the JS interface when the loaded origin is trusted (or gate messages with an origin-bound token/handshake).
| -keep class ai.openclaw.android.** { *; } | ||
|
|
||
| # ── Bouncy Castle ───────────────────────────────────────────────── | ||
| -keep class org.bouncycastle.** { *; } | ||
| -dontwarn org.bouncycastle.** |
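Review bot: `-keep class org.bouncycastle.** { *; }` retains the whole library, and `-dontwarn org.bouncycastle.**` hides missing-class warnings for all of it. Narrow the keep rule to the Bouncy Castle packages the app actually calls, and add a comment saying which warning the `-dontwarn` line is there to silence.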
Keeping all ai.openclaw.android.** classes/members prevents R8 from shrinking/optimizing most of the app, which can significantly increase APK size and reduce optimization benefits—especially now that release builds enable minify/shrinkResources. Prefer narrowly targeted keep rules (e.g., for reflection/serialization entry points, @Serializable models, WebView bridges, and specific public APIs) instead of a blanket keep.
| -keep class ai.openclaw.android.** { *; } | |
| # ── Bouncy Castle ───────────────────────────────────────────────── | |
| -keep class org.bouncycastle.** { *; } | |
| -dontwarn org.bouncycastle.** | |
| # ── Bouncy Castle ───────────────────────────────────────────────── | |
| -keep class org.bouncycastle.** { *; } | |
| -dontwarn org.bouncycastle.** | |
| -dontwarn org.bouncycastle.** |
| COPY ui/package.json ./ui/package.json | ||
| COPY patches ./patches | ||
| COPY scripts ./scripts | ||
| COPY --chown=node:node package.json pnpm-workspace.yaml .npmrc ./ |
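Review bot: only the last `COPY` in this hunk sets `--chown=node:node`; `ui/package.json`, `patches` and `scripts` are copied with the default owner. If leaving them root-owned is deliberate so the `node` user cannot modify them, say so in a comment; otherwise add `--chown=node:node` to the first three lines for consistency.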
The Docker build installs dependencies without copying pnpm-lock.yaml into the image before pnpm install, which makes builds non-reproducible and can silently drift from the repo’s lockfile (and from CI/dev installs). Fix by copying pnpm-lock.yaml (and any other files pnpm needs for resolution, e.g. patches) before installing, and consider using pnpm install --frozen-lockfile for deterministic builds.
| USER node | ||
| # Reduce OOM risk on low-memory hosts during dependency installation. | ||
| # Docker builds on small VMs may otherwise fail with "Killed" (exit 137). | ||
| RUN NODE_OPTIONS=--max-old-space-size=2048 pnpm install |
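Review bot: the `RUN` line calls `pnpm install` with no `--frozen-lockfile`, and the comment above it explains only the memory limit. If the lockfile-free install is intentional, add a comment saying so, so the omission is not mistaken for an oversight the next time this file is edited.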
The Docker build installs dependencies without copying pnpm-lock.yaml into the image before pnpm install, which makes builds non-reproducible and can silently drift from the repo’s lockfile (and from CI/dev installs). Fix by copying pnpm-lock.yaml (and any other files pnpm needs for resolution, e.g. patches) before installing, and consider using pnpm install --frozen-lockfile for deterministic builds.
|
|
||
| fun decodeA2uiMessages(command: String, paramsJson: String?): String { | ||
| val raw = paramsJson?.trim().orEmpty() | ||
| if (raw.isBlank()) throw IllegalArgumentException("INVALID_REQUEST: paramsJSON required") |
The error message uses paramsJSON (capitalized) while the rest of the codebase and parameter naming uses paramsJson. Consider standardizing this to paramsJson to reduce confusion when debugging request payload issues.
| if (raw.isBlank()) throw IllegalArgumentException("INVALID_REQUEST: paramsJSON required") | |
| if (raw.isBlank()) throw IllegalArgumentException("INVALID_REQUEST: paramsJson required") |
💡 Codex Review
Line 1 in a33fc4e
This commit changes
Summary
Test plan
- `AGENTS.md` contains only DAISy rules (~20 lines, not 257)
- `exe.dev`, `1password`, `macOS menubar`) present
- `CLAUDE.md` still references `AGENTS.md`

🤖 Generated with Claude Code