…nnet and Opus

- Introduced Pattern openclaw#11 to document a critical incident where Sonnet's systems fix plan missed the PRIMARY APEX file, leading to potential enforcement issues with new Core Laws.
- Updated the historical patterns summary to include this new pattern and its implications for verification protocols.
- Adjusted related documentation to reflect the latest APEX version 6.3.3 compliance.

Claude/sync ios webapp parity qy h8h

…iner, Postgres traces, cost budgets, phase restructuring

Factsheet changes (12 architecture critiques):
- Add users table with auth provider (openclaw#1)
- Change all TEXT PKs to native UUID type (openclaw#2)
- Remove orphaned session_id from Task/TaskCommand/TaskResult (openclaw#3)
- Replace per-task containers with single shared Docker container (openclaw#4)
- Phase injection queue: in-memory Phase 1, Redis Phase 2+ (openclaw#5)
- Decouple Board Sync DB writes from WebSocket broadcasting (openclaw#6)
- Move trace storage from JSONL+index to Postgres-only (openclaw#7)
- Add chat_messages escalation to agent context (openclaw#8)
- Normalize discussion_messages into separate table (openclaw#9)
- Add PolicyEngine facade with single evaluate() entry point (openclaw#10)
- Add per-plugin Zod validation schemas for SourceConfig (openclaw#11)
- Add CostPolicy with token/cost budgets and cost_usage table (openclaw#12)

Blueprint changes (4 implementation improvements):
- Split Phase 1 into 4 sub-phases (1a-1d)
- Reorder: API skeleton before agent loop
- Defer frontend to Phase 5
- Add packages/shared for types and schemas

DB schema: 17 tables → 20 tables (added users, traces, discussion_messages, cost_usage)

https://claude.ai/code/session_01V2xvGqZqX6JKPGQeXyNMQW

…oad scanning

Phase 1 complete implementation of the Skill Guard system:

Core changes (4 files, ~110 lines):
- src/config/types.skills.ts: Add SkillGuardConfig, SkillStoreConfig types
- src/config/zod-schema.ts: Add guard validation schema (strict mode)
- src/agents/skills/load-guard.ts: New guard registration point
- src/agents/skills/workspace.ts: Insert guard evaluation in loadSkillEntries()

Extension (extensions/skill-guard/, 7 files, ~650 lines):
- cloud-client.ts: Multi-store manifest fetch with ETag/304 + fallback
- hash-cache.ts: In-memory + disk manifest cache
- verify-engine.ts: Full-directory SHA256 verification + sideload scanning
- audit-logger.ts: JSONL audit trail
- index.ts: Plugin entry wiring everything together
- types.ts: Cloud API response type definitions

Tests (51 tests, all passing):
- load-guard.test.ts: Guard registration/unregistration (4 tests)
- zod-schema.guard.test.ts: Config validation (9 tests)
- verify-engine.test.ts: All acceptance criteria (12 tests)
- hash-cache.test.ts: Cache persistence (5 tests)
- audit-logger.test.ts: JSONL logging (3 tests)
- cloud-client.test.ts: HTTP client behavior (6 tests)
- smoke.test.ts: E2E with Python mock store server (12 tests)

Smoke infrastructure:
- test/smoke/skill-guard-server.py: Zero-dep Python mock store API

All 11 acceptance criteria verified:
  openclaw#1 guard.enabled=false → all load
  openclaw#2 store skill hash match → pass
  openclaw#3 tampered file → blocked
  openclaw#4 injected file → blocked
  openclaw#5 blocklisted → blocked
  openclaw#6 sideload clean → pass
  openclaw#7 sideload critical + block-critical → blocked
  openclaw#8 sideload critical + warn → warning only
  openclaw#9 cloud down + cache → uses cache
  openclaw#10 cloud down + no cache → degrade allow
  openclaw#11 100 skills < 500ms → performance OK

Existing security tests (69) verified: zero regression.

Co-authored-by: Cursor <[email protected]>

…oad scanning

Phase 1 complete implementation of the Skill Guard system:

Core changes (4 files, ~110 lines):
- src/config/types.skills.ts: Add SkillGuardConfig, SkillStoreConfig types
- src/config/zod-schema.ts: Add guard validation schema (strict mode)
- src/agents/skills/load-guard.ts: New guard registration point
- src/agents/skills/workspace.ts: Insert guard evaluation in loadSkillEntries()

Extension (extensions/skill-guard/, 7 files, ~650 lines):
- cloud-client.ts: Multi-store manifest fetch with ETag/304 + fallback
- hash-cache.ts: In-memory + disk manifest cache
- verify-engine.ts: Full-directory SHA256 verification + sideload scanning
- audit-logger.ts: JSONL audit trail
- index.ts: Plugin entry wiring everything together
- types.ts: Cloud API response type definitions

Tests (51 tests, all passing):
- load-guard.test.ts: Guard registration/unregistration (4 tests)
- zod-schema.guard.test.ts: Config validation (9 tests)
- verify-engine.test.ts: All acceptance criteria (12 tests)
- hash-cache.test.ts: Cache persistence (5 tests)
- audit-logger.test.ts: JSONL logging (3 tests)
- cloud-client.test.ts: HTTP client behavior (6 tests)
- smoke.test.ts: E2E with Python mock store server (12 tests)

Smoke infrastructure:
- test/smoke/skill-guard-server.py: Zero-dep Python mock store API

All 11 acceptance criteria verified:
  openclaw#1 guard.enabled=false → all load
  openclaw#2 store skill hash match → pass
  openclaw#3 tampered file → blocked
  openclaw#4 injected file → blocked
  openclaw#5 blocklisted → blocked
  openclaw#6 sideload clean → pass
  openclaw#7 sideload critical + block-critical → blocked
  openclaw#8 sideload critical + warn → warning only
  openclaw#9 cloud down + cache → uses cache
  openclaw#10 cloud down + no cache → degrade allow
  openclaw#11 100 skills < 500ms → performance OK

Existing security tests (69) verified: zero regression.

Co-authored-by: Cursor <[email protected]>

…move deprecated skills

- Fix env var names throughout: COBROKER_BASE_URL, COBROKER_AGENT_SECRET,
  COBROKER_AGENT_USER_ID (replacing old COBROKER_API_URL/API_KEY/USER_ID)
- Add Gotcha openclaw#11: skill snapshot caching in sessions.json prevents new
  skills from loading without session reset
- Add Gotcha openclaw#12: COBROKER_AGENT_SECRET (Fly) must match AGENT_AUTH_SECRET
  (Vercel) for agent auth bypass in middleware
- Remove deprecated skills from appendix (site-selection, property-search,
  alerts) — only client-memory and import-properties are active
- Update import-properties SKILL.md: remove requires.env, use correct
  env var names in curl template

Co-Authored-By: Claude Opus 4.6 <[email protected]>

)

- Add optional AUTH_TOKEN bearer auth for agent/chat routes (openclaw#2)
- DRY CI with composite action, replace npx bun with setup-bun (openclaw#3, openclaw#4)
- Fix smoke test URL to use CF_WORKER_SUBDOMAIN secret (openclaw#5)
- Deduplicate types: import canonical model types in landscape-loader (openclaw#6, openclaw#7)
- Fix C4 direction logic to respect actual integration direction (openclaw#8)
- Add edges connecting current→target nodes in comparison diagram (openclaw#9)
- Add agents CDN version sync comment in index.html (openclaw#11)
- Add missing landscape directory guard in bundle script (openclaw#12)
- Update wrangler compatibility_date to 2026-02-13 (openclaw#13)
- Rename prebuild to predev/predeploy in package.json (openclaw#14)
- Remove sk- prefix from .dev.vars.example placeholder (openclaw#15)

Co-Authored-By: Claude Opus 4.6 <[email protected]>

…dflare Worker (#1)

* ArchiClaw Phase 1: foundation scaffold, data model, skills, and harness

Add the ArchiClaw enterprise architecture management foundation:

- Zod schemas for all EA data types (application passports, capabilities,
  data entities, change requests, domains, integrations, ADRs, IDs)
- ID generation system with domain-prefixed sequential IDs (FIN-APP-001)
- Landscape directory structure with config, templates, registries
- Landscape validation (schema compliance, ID uniqueness, cross-refs)
- Mermaid render wrapper using beautiful-mermaid with Archimate theming
- 3 initial skills: interview, passport-manage, landscape-query
- Evaluation harness framework with per-skill scoring and examples
- 5 seeded applications (SAP ERP, SAP BPC, TM1, Workday HR, Salesforce CRM)
  with passports, context diagrams, data matrices
- 5 data entities, 10 capabilities, 5 integrations across 5 domains
- 58 tests passing across 8 test files

Co-Authored-By: Claude Opus 4.6 <[email protected]>

* ArchiClaw: address PR #1 review feedback

- Add TODO comment on nextId() race condition (file locking needed)
- Add negative landscape validation tests (duplicate IDs, folder mismatch,
  broken cross-refs, sequence counter exceeded)
- Clarify eval harness test names to "eval fixtures" with comments
- Wrap readIdSequences/writeIdSequences in try-catch with descriptive messages
- Validate IdSequencesSchema keys against EntityTypeSchema via refine()
- Fix CLI entrypoint detection in runner.ts using path.resolve()
- Fill empty domain lead fields with placeholder names
- Add expandTemplate() utility with tests
- Add render CLI (src/archiclaw/render/cli.ts) and update skill SKILL.md files
  with rendering documentation sections

Co-Authored-By: Claude Opus 4.6 <[email protected]>

* ArchiClaw: add entire.io session tracking, entire skill, and enhance skill-creator

* ArchiClaw: address PR #1 review feedback (phantom refs, validation cross-refs, mermaid nits)

* ArchiClaw: deploy as Cloudflare Worker (Agents SDK)

* ArchiClaw: add Teams outgoing webhook integration (query-only MVP)

Pattern-matching dispatcher routes @mentions to landscape accessors for
sub-second responses without LLM. HMAC-SHA256 validation via CF Workers
Web Crypto API. Adaptive Card v1.5 responses for rich Teams rendering.

Co-Authored-By: Claude Opus 4.6 <[email protected]>

* ArchiClaw: address review feedback for Cloudflare Worker deploy (469580b)

- Add optional AUTH_TOKEN bearer auth for agent/chat routes (openclaw#2)
- DRY CI with composite action, replace npx bun with setup-bun (openclaw#3, openclaw#4)
- Fix smoke test URL to use CF_WORKER_SUBDOMAIN secret (openclaw#5)
- Deduplicate types: import canonical model types in landscape-loader (openclaw#6, openclaw#7)
- Fix C4 direction logic to respect actual integration direction (openclaw#8)
- Add edges connecting current→target nodes in comparison diagram (openclaw#9)
- Add agents CDN version sync comment in index.html (openclaw#11)
- Add missing landscape directory guard in bundle script (openclaw#12)
- Update wrangler compatibility_date to 2026-02-13 (openclaw#13)
- Rename prebuild to predev/predeploy in package.json (openclaw#14)
- Remove sk- prefix from .dev.vars.example placeholder (openclaw#15)

Co-Authored-By: Claude Opus 4.6 <[email protected]>

---------

Co-authored-by: KristjanAkk <[email protected]>
Co-authored-by: Claude Opus 4.6 <[email protected]>

…ment

- New design doc covering Task-Assign-Wait-Verify lifecycle for subagent work
- Addresses gap between task system and subagent spawn/announce systems
- Includes TaskDelegationManager, task_verify tool, and result snapshot design
- Updated architecture index and dependency graph with openclaw#11

Improvements completed:
- #1 A2A conversation index (O(1) lookup, 24 tests)
- #2 A2A durable jobs (JobManager + Reaper + Orchestrator, 43 tests)
- openclaw#3 task-tool.ts modularization (5 modules, 2296→45 LOC facade, 147 tests)
- openclaw#4 continuation state machine Phase 1 (pure decision functions, 56 tests)
- openclaw#5 gateway composition (6 init modules, 737→565 LOC, 80→48 imports)
- openclaw#7 A2A per-agent concurrency gate (semaphore + config, 25 tests)
- openclaw#8 structured handoff payload (types + parser, 42 tests)
- openclaw#9 coordination invariants test suite (TC-01~07, 22 tests)
- openclaw#11 subagent-task lifecycle (delegation manager + verify tool, 135 tests)
- openclaw#12 task enforcement bypass fix (session-scoped + stale cleanup, 20 tests)

N/A: openclaw#6 (DI already via GatewayRequestContext), openclaw#10 (partially resolved by #2)
Deferred: openclaw#4 Phase 2-5 (high risk, Phase 1 delivers core value)

Total: 514 new tests, 0 regressions, 11 implementation docs

…law#11) from feature/subagent-relay into main

Reviewed-on: https://gitea.hosting-cloud.net/dreamit/zulip-claw/pulls/11