Skip to content

ACP: add optional ingress provenance receipts#40473

Merged
mbelinky merged 3 commits intomainfrom
mariano/acp-provenance-receipts
Mar 9, 2026
Merged

ACP: add optional ingress provenance receipts#40473
mbelinky merged 3 commits intomainfrom
mariano/acp-provenance-receipts

Conversation

@mbelinky
Copy link
Copy Markdown
Contributor

@mbelinky mbelinky commented Mar 9, 2026

Summary

  • add optional ACP ingress provenance modes for structured metadata and visible receipt injection
  • extend chat.send to accept ACP-reserved system provenance fields and thread them into agent context
  • document acpx/ACP usage and add changelog coverage

Testing

  • pnpm exec vitest run src/acp/translator.prompt-prefix.test.ts src/gateway/server-methods/chat.directive-tags.test.ts
  • pnpm tsgo
  • end-to-end smoke test against jpclawhq using acpx -> openclaw acp --provenance meta+receipt

@aisle-research-bot
Copy link
Copy Markdown

aisle-research-bot bot commented Mar 9, 2026
edited
Loading

🔒 Aisle Security Analysis

We found 4 potential security issue(s) in this PR:

# Severity Title
1 🟡 Medium Receipt format injection via unescaped ACP sessionId/sessionKey/cwd in systemProvenanceReceipt
2 🟡 Medium ACP reserved system provenance fields can be enabled by spoofing gateway client identity
3 🔵 Low Sensitive host/path/session identifiers injected into agent-visible prompt and persisted to transcripts
4 🔵 Low Unbounded systemProvenanceReceipt enables resource-exhaustion via large agent prompt assembly

1. 🟡 Receipt format injection via unescaped ACP sessionId/sessionKey/cwd in systemProvenanceReceipt

Property Value
Severity Medium
CWE CWE-116
Location src/acp/translator.ts:74-88

Description

The ACP bridge constructs a plain-text systemProvenanceReceipt by concatenating unescaped values with \n. At least params.sessionId is derived from ACP client-controlled LoadSessionRequest.sessionId / PromptRequest.sessionId and is not validated to exclude newlines or receipt delimiter tokens.

Because Gateway sanitization explicitly allows newlines (\n, \r, \t) and only strips other control characters, an attacker who can influence sessionId (and potentially cwd / sessionKey) can inject additional receipt lines or even terminate the receipt block early, prepending arbitrary attacker-chosen text into the agent-visible message.

Impact:

  • Attacker can forge/alter the "Source Receipt" block (e.g., inject fake targetSession=..., add misleading fields, close [/Source Receipt] and inject instructions) which is prepended to the message sent to the agent.
  • This is a prompt-injection / format-injection primitive that can undermine provenance/trust assumptions by downstream agents or tooling that treat the receipt as authoritative.

Vulnerable code:

return [
  "[Source Receipt]",
  "bridge=openclaw-acp",
  `originHost=${os.hostname()}`,
  `originCwd=${shortenHomePath(params.cwd)}`,
  `acpSessionId=${params.sessionId}`,
  `originSessionId=${params.sessionId}`,
  `targetSession=${params.sessionKey}`,
  "[/Source Receipt]",
].join("\n");

Relevant sanitization allows newlines:

if (code === 9 || code === 10 || code === 13 || (code >= 32 && code !== 127)) {
  output += char;
}

Recommendation

Prevent receipt/format injection by encoding or validating each interpolated value before composing the receipt.

Option A (strict validation): reject values containing newlines/control characters and enforce a safe charset.

function assertNoNewlines(name: string, v: string) {
  if (/[\r\n]/.test(v)) throw new Error(`${name} must not contain newlines`);
}
assertNoNewlines("sessionId", params.sessionId);
assertNoNewlines("sessionKey", params.sessionKey);
assertNoNewlines("cwd", params.cwd);

Option B (escape values): render values using JSON string escaping (or similar) so embedded newlines become \\n sequences and cannot create new receipt lines.

const esc = (s: string) => JSON.stringify(s).slice(1, -1); // escapes \n, \r, \", etc.
return [
  "[Source Receipt]",
  "bridge=openclaw-acp",
  `originHost=${esc(os.hostname())}`,
  `originCwd=${esc(shortenHomePath(params.cwd))}`,
  `acpSessionId=${esc(params.sessionId)}`,
  `originSessionId=${esc(params.sessionId)}`,
  `targetSession=${esc(params.sessionKey)}`,
  "[/Source Receipt]",
].join("\n");

Additionally consider making provenance a structured field (metadata) rather than injecting it into agent-visible message text, or validate systemProvenanceReceipt on the Gateway side to match a strict line-oriented key=value grammar where values cannot contain \n.

2. 🟡 ACP reserved system provenance fields can be enabled by spoofing gateway client identity

Property Value
Severity Medium
CWE CWE-863
Location src/gateway/server-methods/chat.ts:904-913

Description

The new reserved-fields gate for chat.send relies solely on client-supplied connect.client metadata (id, mode, displayName, version) to identify the ACP bridge. Because these fields are provided by the remote peer during the WebSocket connect handshake and then stored directly on client.connect, any client that can connect can spoof these values to bypass the restriction.

What happens:

  • During handshake, the server accepts connectParams.client from the incoming connect request and stores it on the connection state (nextClient.connect = connectParams).
  • chat.send checks isAcpBridgeClient(client) which matches only on client.connect.client.*.
  • If spoofed, a non-ACP client can send systemProvenanceReceipt and systemInputProvenance.
  • systemProvenanceReceipt is prepended to agent-visible content (Body/BodyForAgent), and systemInputProvenance is attached to the message context (ctx.InputProvenance), affecting downstream behavior (e.g., provenance-based filtering/annotation).

Vulnerable code (authorization based on spoofable fields):

if ((p.systemInputProvenance || p.systemProvenanceReceipt) && !isAcpBridgeClient(client)) {
  respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST,
    "system provenance fields are reserved for the ACP bridge"));
  return;
}

Spoofable predicate:

return (
  info?.id === GATEWAY_CLIENT_NAMES.CLI &&
  info?.mode === GATEWAY_CLIENT_MODES.CLI &&
  info?.displayName === "ACP" &&
  info?.version === "acp"
);

Handshake stores peer-provided connect params without server-side assertion:

const connectParams = frame.params as ConnectParams;
...
const nextClient: GatewayWsClient = { ... , connect: connectParams, ... };
setClient(nextClient);

Impact:

  • Enables any spoofing client to inject a trusted-looking “Source Receipt” block ahead of user text in agent-visible content, increasing prompt-injection credibility.
  • Allows setting InputProvenance.kind (e.g., inter_session) which is used by downstream components for special handling/filtering (e.g., some features exclude inter-session user messages).

This is a classic trust-boundary violation: UI/identity metadata from the client is used as an authorization decision input.

Recommendation

Do not authorize privileged behavior using client-asserted identity metadata.

Use a server-asserted signal instead, e.g.:

  • A dedicated scope/capability that the server derives from authentication/pairing (device token claim, mTLS identity, or a specific shared secret), not from connect.client.
  • Or require the connection to be from a mutually authenticated ACP bridge (mTLS) or a dedicated bearer token claim.
  • Or set/override client.connect.client fields server-side after authentication (treat client-sent values as cosmetic only).

Example approach (capability set server-side at handshake and checked here):

// During handshake (server-side), after verifying ACP bridge auth:
client.serverCaps = new Set(["acp_bridge"]);// In chat.send:
if ((p.systemInputProvenance || p.systemProvenanceReceipt) && !client?.serverCaps?.has("acp_bridge")) {
  respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST,
    "system provenance fields are reserved for the ACP bridge"));
  return;
}

Also consider:

  • Enforcing that only ACP bridge connections may claim client.id="cli"+displayName="ACP" (and/or pin these to paired device metadata) if you must keep the heuristic for logging/display.

3. 🔵 Sensitive host/path/session identifiers injected into agent-visible prompt and persisted to transcripts

Property Value
Severity Low
CWE CWE-359
Location src/gateway/server-methods/chat.ts:1032-1061

Description

The ACP bridge can prepend a system provenance receipt to the message sent to the agent. This receipt includes potentially sensitive environment identifiers:

  • originHost from os.hostname() (often internal hostnames)
  • originCwd from the ACP client working directory (may include usernames, repo names, customer names)
  • targetSession (Gateway session key) and ACP session identifiers

The receipt is inserted into ctx.Body / BodyForAgent (not only hidden metadata). As a result, it can:

  • be processed by the model as part of the user prompt
  • be persisted into session transcripts (user messages) during normal agent runs
  • be exposed back to clients via transcript-backed endpoints such as chat.history and sessions.get, and via session previews that read transcript content

Vulnerable code (receipt creation + injection into agent-visible body):

// src/acp/translator.ts
`originHost=${os.hostname()}`
`originCwd=${shortenHomePath(params.cwd)}`
`targetSession=${params.sessionKey}`// src/gateway/server-methods/chat.ts
const messageForAgent = systemProvenanceReceipt
  ? [systemProvenanceReceipt, parsedMessage].filter(Boolean).join("\n\n")
  : parsedMessage;

const ctx: MsgContext = {
  Body: messageForAgent,
  BodyForAgent: injectTimestamp(messageForAgent, ...),
  RawBody: parsedMessage,
  ...
};

Even though --provenance is opt-in, enabling it can unintentionally leak local machine and filesystem information into transcripts/log exports/backups and to any UI/user with access to those transcript retrieval endpoints.

Recommendation

Do not inject host/path/session identifiers into user-visible/agent-visible message bodies that are likely to be persisted.

Recommended mitigation options (best → acceptable):

  1. Move provenance receipt to non-persisted metadata only

    • Keep systemInputProvenance (structured) and/or add a new dedicated field for provenance receipt that is never written into the transcript and never returned by chat.history/sessions.get.

  2. If the model must see it, inject it as ephemeral system/context at run-time (not stored)

    • e.g., pass it via an extraSystemPrompt/run-only system message that is not persisted.

  3. If keeping the receipt, redact/omit sensitive fields by default

    • omit originHost and originCwd unless explicitly requested
    • prefer stable, non-sensitive identifiers (e.g. bridge=openclaw-acp, originSessionId only)

Concrete code change example (stop putting the receipt in Body/BodyForAgent):

// Keep UI + transcript prompt clean
const ctx: MsgContext = {
  Body: parsedMessage,
  RawBody: parsedMessage,
  BodyForAgent: injectTimestamp(parsedMessage, timestampOptsFromConfig(cfg)),// add a separate field if needed:// SystemProvenanceReceipt: systemProvenanceReceipt,
};

Additionally, if receipts are stored anywhere, ensure chat.history/sessions.get sanitize or drop them before returning messages to end-users.

4. 🔵 Unbounded systemProvenanceReceipt enables resource-exhaustion via large agent prompt assembly

Property Value
Severity Low
CWE CWE-400
Location src/gateway/server-methods/chat.ts:238-253

Description

chat.send accepts the optional systemProvenanceReceipt string without any length/byte limit and prepends it into the agent-visible message.

Impact:

  • An attacker can send a very large systemProvenanceReceipt (up to the WebSocket maxPayload limit) which is:
    • processed by sanitizeChatSendMessageInput() (including stripDisallowedChatControlChars() which builds strings via repeated concatenation)
    • concatenated into messageForAgent
    • passed to injectTimestamp() and then into dispatchInboundMessage() / downstream agent prompt processing
  • This can cause excessive CPU and memory usage (and additional allocations due to string normalization + concatenation), enabling DoS.

Vulnerable code (receipt is sanitized/trimmed but never size-capped):

const sanitized = sanitizeChatSendMessageInput(value);
...
const receipt = sanitized.message.trim();
return { ok: true, receipt: receipt || undefined };

And later it is joined into the agent prompt:

const messageForAgent = systemProvenanceReceipt
  ? [systemProvenanceReceipt, parsedMessage].filter(Boolean).join("\n\n")
  : parsedMessage;

Additionally, the RPC schema allows systemProvenanceReceipt: Type.String() with no maxLength, so AJV validation will not constrain it.

Recommendation

Enforce a strict maximum size for systemProvenanceReceipt (and ideally for the combined messageForAgent) in both validation layers:

  1. Add a byte cap check in normalizeOptionalChatSystemReceipt() (and/or right after messageForAgent assembly):
const SYSTEM_PROVENANCE_RECEIPT_MAX_BYTES = 8 * 1024; // example

function normalizeOptionalChatSystemReceipt(value: unknown) {
  ...
  const sanitized = sanitizeChatSendMessageInput(value);
  if (!sanitized.ok) return sanitized;

  const receipt = sanitized.message.trim();
  if (Buffer.byteLength(receipt, "utf8") > SYSTEM_PROVENANCE_RECEIPT_MAX_BYTES) {
    return { ok: false, error: "systemProvenanceReceipt too large" };
  }
  return { ok: true, receipt: receipt || undefined };
}

  1. Update the TypeBox schema to include maxLength consistent with your byte cap (or use a custom AJV keyword for byte-length).

  2. Consider optimizing stripDisallowedChatControlChars() to avoid O(n^2) behavior for large inputs (e.g., push chars into an array and join("")).

Analyzed PR: #40473 at commit b63e46d

Last updated on: 2026-03-09T04:03:44Z

@openclaw-barnacle openclaw-barnacle bot added docs Improvements or additions to documentation app: ios App: ios app: web-ui App: web-ui gateway Gateway runtime cli CLI command changes extensions: device-pair size: XL maintainer Maintainer-authored PR labels Mar 9, 2026
@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps bot commented Mar 9, 2026
edited
Loading

Greptile Summary

This PR adds optional ACP ingress provenance modes (off | meta | meta+receipt) to the openclaw acp bridge, extends chat.send to thread provenance metadata and visible receipt text into agent context, and bundles a separate iOS keychain hardening effort (migrating gateway metadata and TLS fingerprints from UserDefaults to Keychain with rollback-safe writes). The ACP side is well-structured and covered by new unit tests; the iOS migration is idempotent and safe for rollback.

Key findings from the review:

  • One-shot notify timestamp unit risk (extensions/device-pair/notify.ts): requestTimestampMs does not perform any unit conversion — if the SDK's listDevicePairing() returns ts in Unix epoch seconds, the ts >= subscriber.addedAtMs comparison (where addedAtMs is always milliseconds) will always evaluate to false, silently breaking all one-shot pairing notifications. Worth verifying and adding a conversion guard.
  • Redundant receipt fields (src/acp/translator.ts): acpSessionId and originSessionId are both assigned params.sessionId in buildSystemProvenanceReceipt, producing two identical lines in the receipt. One appears to be an alias of the other; if both are intentional for compatibility, a comment would clarify the design.
  • Stale comment (src/gateway/server-methods/chat.ts): The existing comment "Body stays raw for UI display" is no longer accurate — Body now carries messageForAgent (including the receipt) when meta+receipt mode is active. The comment should be updated.
  • Hardcoded ACP sentinel strings (src/gateway/server-methods/chat.ts): The isAcpBridgeClient guard checks displayName === "ACP" and version === "acp" as raw string literals. If the ACP gateway changes these identifiers, the guard silently breaks. Named constants (alongside the existing GATEWAY_CLIENT_NAMES/GATEWAY_CLIENT_MODES) would make the coupling explicit.

Confidence Score: 4/5

  • Safe to merge with attention to the one-shot notify timestamp issue before enabling that feature in production.
  • The core ACP provenance feature is well-designed with clear gating logic, good input sanitization, and solid unit test coverage. The iOS keychain migration is careful and safe. The score is reduced by one point due to the potential timestamp unit mismatch in the new one-shot notification path, which could silently break that feature if listDevicePairing() returns seconds-epoch timestamps. The remaining issues (stale comment, redundant receipt fields, hardcoded strings) are minor and do not affect correctness of the main provenance feature.
  • extensions/device-pair/notify.ts — verify the unit of request.ts returned by listDevicePairing() and confirm the ts >= subscriber.addedAtMs comparison is comparing like units.

Comments Outside Diff (2)

  1. src/gateway/server-methods/chat.ts, line 919-932 (link)

    Stale inline comment contradicts the new Body assignment

    The comment directly above this block says:

    // Only BodyForAgent gets the timestamp — Body stays raw for UI display.

    But the PR changes Body: parsedMessage to Body: messageForAgent, which now includes the injected provenance receipt. Body no longer "stays raw for UI display" when meta+receipt mode is active. The comment should be updated to reflect the new intent (e.g., noting that Body includes the receipt when provenance mode is meta+receipt, while RawBody always holds the original user text).

    Prompt To Fix With AI 
    This is a comment left during a code review.
Path: src/gateway/server-methods/chat.ts
Line: 919-932

Comment:
**Stale inline comment contradicts the new `Body` assignment**

The comment directly above this block says:

> `// Only BodyForAgent gets the timestamp — Body stays raw for UI display.`

But the PR changes `Body: parsedMessage` to `Body: messageForAgent`, which now includes the injected provenance receipt. `Body` no longer "stays raw for UI display" when `meta+receipt` mode is active. The comment should be updated to reflect the new intent (e.g., noting that `Body` includes the receipt when provenance mode is `meta+receipt`, while `RawBody` always holds the original user text).

How can I resolve this? If you propose a fix, please make it concise.

  2. src/gateway/server-methods/chat.ts, line 133-141 (link)

    Hardcoded "ACP" / "acp" strings in security-gating check

    isAcpBridgeClient relies on two hardcoded string literals (displayName === "ACP" and version === "acp") while the other two checks use named constants (GATEWAY_CLIENT_NAMES.CLI, GATEWAY_CLIENT_MODES.CLI). If the ACP gateway ever changes these metadata values, this guard silently stops working, either blocking legitimate ACP provenance injection or — more concerning — failing to reject non-ACP clients that happen to match the other two fields. Extracting these to constants alongside the existing GATEWAY_CLIENT_NAMES/GATEWAY_CLIENT_MODES exports would make the coupling explicit and easier to audit.

    Prompt To Fix With AI 
    This is a comment left during a code review.
Path: src/gateway/server-methods/chat.ts
Line: 133-141

Comment:
**Hardcoded `"ACP"` / `"acp"` strings in security-gating check**

`isAcpBridgeClient` relies on two hardcoded string literals (`displayName === "ACP"` and `version === "acp"`) while the other two checks use named constants (`GATEWAY_CLIENT_NAMES.CLI`, `GATEWAY_CLIENT_MODES.CLI`). If the ACP gateway ever changes these metadata values, this guard silently stops working, either blocking legitimate ACP provenance injection or — more concerning — failing to reject non-ACP clients that happen to match the other two fields. Extracting these to constants alongside the existing `GATEWAY_CLIENT_NAMES`/`GATEWAY_CLIENT_MODES` exports would make the coupling explicit and easier to audit.

How can I resolve this? If you propose a fix, please make it concise.

Last reviewed commit: 3b93ef3

greptile-apps[bot]
greptile-apps bot reviewed Mar 9, 2026
View reviewed changes
extensions/device-pair/notify.ts
Comment on lines +198 to +210
function requestTimestampMs(request: PendingPairingRequest): number | null {
if (typeof request.ts !== "number" || !Number.isFinite(request.ts)) {
return null;
}
const ts = Math.trunc(request.ts);
return ts > 0 ? ts : null;
}

function shouldNotifySubscriberForRequest(
subscriber: NotifySubscription,
request: PendingPairingRequest,
): boolean {
if (subscriber.mode !== "once") {
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps bot Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Potential timestamp unit mismatch breaks one-shot notifications

requestTimestampMs passes request.ts through without any unit conversion, but subscriber.addedAtMs is always milliseconds (Date.now()). If listDevicePairing() returns ts in Unix epoch seconds (which is common for ACP/SDK APIs), the comparison on line 214 (ts >= subscriber.addedAtMs) would compare something like 1_741_000_000 (seconds) against 1_741_000_000_000 (ms), which is always false. This means every one-shot subscription would silently refuse to fire for any real pairing request, making the feature completely broken in that scenario.

Please verify the unit that listDevicePairing().pending[*].ts actually uses. If it's seconds, the fix is:

Suggested change
function requestTimestampMs(request: PendingPairingRequest): number | null {
if (typeof request.ts !== "number" || !Number.isFinite(request.ts)) {
return null;
}
const ts = Math.trunc(request.ts);
return ts > 0 ? ts : null;
}
function shouldNotifySubscriberForRequest(
subscriber: NotifySubscription,
request: PendingPairingRequest,
): boolean {
if (subscriber.mode !== "once") {
function requestTimestampMs(request: PendingPairingRequest): number | null {
if (typeof request.ts !== "number" || !Number.isFinite(request.ts)) {
return null;
}
const ts = Math.trunc(request.ts);
if (ts <= 0) return null;
// Guard against seconds-epoch values (< year 3000 in ms, reasonable ceiling).
// If the SDK returns seconds, convert to ms.
return ts < 1e12 ? ts * 1000 : ts;
}
Prompt To Fix With AI 
This is a comment left during a code review.
Path: extensions/device-pair/notify.ts
Line: 198-210

Comment:
**Potential timestamp unit mismatch breaks one-shot notifications**

`requestTimestampMs` passes `request.ts` through without any unit conversion, but `subscriber.addedAtMs` is always milliseconds (`Date.now()`). If `listDevicePairing()` returns `ts` in Unix epoch **seconds** (which is common for ACP/SDK APIs), the comparison on line 214 (`ts >= subscriber.addedAtMs`) would compare something like `1_741_000_000` (seconds) against `1_741_000_000_000` (ms), which is **always false**. This means every one-shot subscription would silently refuse to fire for any real pairing request, making the feature completely broken in that scenario.

Please verify the unit that `listDevicePairing().pending[*].ts` actually uses. If it's seconds, the fix is:

```suggestion
function requestTimestampMs(request: PendingPairingRequest): number | null {
  if (typeof request.ts !== "number" || !Number.isFinite(request.ts)) {
    return null;
  }
  const ts = Math.trunc(request.ts);
  if (ts <= 0) return null;
  // Guard against seconds-epoch values (< year 3000 in ms, reasonable ceiling).
  // If the SDK returns seconds, convert to ms.
  return ts < 1e12 ? ts * 1000 : ts;
}
```

How can I resolve this? If you propose a fix, please make it concise.

src/acp/translator.ts
Comment on lines +73 to +90

function buildSystemProvenanceReceipt(params: {
cwd: string;
sessionId: string;
sessionKey: string;
}) {
return [
"[Source Receipt]",
"bridge=openclaw-acp",
`originHost=${os.hostname()}`,
`originCwd=${shortenHomePath(params.cwd)}`,
`acpSessionId=${params.sessionId}`,
`originSessionId=${params.sessionId}`,
`targetSession=${params.sessionKey}`,
"[/Source Receipt]",
].join("\n");
}

Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps bot Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

acpSessionId and originSessionId are identical — one field is redundant

Both acpSessionId and originSessionId are set to params.sessionId, producing two receipt lines with the same value:

acpSessionId=session-1
originSessionId=session-1

If these are intentionally aliases for forward/backward compatibility, a brief comment would clarify the intent. If they're simply duplicates, removing one would make the receipt less confusing for consumers.

Suggested change
function buildSystemProvenanceReceipt(params: {
cwd: string;
sessionId: string;
sessionKey: string;
}) {
return [
"[Source Receipt]",
"bridge=openclaw-acp",
`originHost=${os.hostname()}`,
`originCwd=${shortenHomePath(params.cwd)}`,
`acpSessionId=${params.sessionId}`,
`originSessionId=${params.sessionId}`,
`targetSession=${params.sessionKey}`,
"[/Source Receipt]",
].join("\n");
}
function buildSystemProvenanceReceipt(params: {
cwd: string;
sessionId: string;
sessionKey: string;
}) {
return [
"[Source Receipt]",
"bridge=openclaw-acp",
`originHost=${os.hostname()}`,
`originCwd=${shortenHomePath(params.cwd)}`,
`originSessionId=${params.sessionId}`,
`targetSession=${params.sessionKey}`,
"[/Source Receipt]",
].join("\n");
}
Prompt To Fix With AI 
This is a comment left during a code review.
Path: src/acp/translator.ts
Line: 73-90

Comment:
**`acpSessionId` and `originSessionId` are identical — one field is redundant**

Both `acpSessionId` and `originSessionId` are set to `params.sessionId`, producing two receipt lines with the same value:

```
acpSessionId=session-1
originSessionId=session-1
```

If these are intentionally aliases for forward/backward compatibility, a brief comment would clarify the intent. If they're simply duplicates, removing one would make the receipt less confusing for consumers.

```suggestion
function buildSystemProvenanceReceipt(params: {
  cwd: string;
  sessionId: string;
  sessionKey: string;
}) {
  return [
    "[Source Receipt]",
    "bridge=openclaw-acp",
    `originHost=${os.hostname()}`,
    `originCwd=${shortenHomePath(params.cwd)}`,
    `originSessionId=${params.sessionId}`,
    `targetSession=${params.sessionKey}`,
    "[/Source Receipt]",
  ].join("\n");
}
```

How can I resolve this? If you propose a fix, please make it concise.

chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Mar 9, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3b93ef35a2

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

extensions/device-pair/notify.ts
Comment on lines +297 to +301
if (oneShotDelivered.size > 0) {
const initialCount = state.subscribers.length;
state.subscribers = state.subscribers.filter(
(subscriber) => !oneShotDelivered.has(notifySubscriberKey(subscriber)),
);
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Disable one-shot subscribers immediately after first send

In notifyPendingPairingRequests, one-shot subscribers are collected in oneShotDelivered but not removed until after all pending requests are processed, so if multiple new pairing requests exist in the same poll tick a /pair notify once subscriber can receive more than one notification before cleanup runs. This violates the documented "next request then auto-disable" behavior and is user-visible whenever two requests arrive within one polling window.

Useful? React with 👍 / 👎.

src/acp/translator.ts
Comment on lines +285 to +289
provenanceMode === "meta+receipt"
? buildSystemProvenanceReceipt({
cwd: session.cwd,
sessionId: params.sessionId,
sessionKey: session.sessionKey,
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Enforce prompt size limits on injected provenance receipt

When --provenance meta+receipt is enabled, the injected receipt includes session.cwd, but the existing MAX_PROMPT_BYTES guard still validates only message; with --no-prefix-cwd, a client can provide an extremely large cwd and bypass the size guard via systemProvenanceReceipt, forwarding an oversized payload to chat.send. This reopens the large-input path the ACP size limit was intended to block.

Useful? React with 👍 / 👎.

@mbelinky mbelinky force-pushed the mariano/acp-provenance-receipts branch from 3b93ef3 to 73e2c7c Compare March 9, 2026 02:50
chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Mar 9, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 73e2c7c2b5

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

src/gateway/server-methods/chat.ts
Comment on lines +258 to +262
info?.id === GATEWAY_CLIENT_NAMES.CLI &&
info?.mode === GATEWAY_CLIENT_MODES.CLI &&
info?.displayName === "ACP" &&
info?.version === "acp"
);
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Gate system provenance fields on trusted auth, not client claims

chat.send treats systemInputProvenance and systemProvenanceReceipt as ACP-only based on isAcpBridgeClient, but that helper relies on client.connect.client fields (id/mode/displayName/version) that come from the caller’s connect payload and are not server-assigned. An authenticated non-ACP client can simply claim {id:"cli", mode:"cli", displayName:"ACP", version:"acp"} and bypass this guard, allowing spoofed system provenance data to be injected despite the "reserved for the ACP bridge" check.

Useful? React with 👍 / 👎.

@mbelinky mbelinky force-pushed the mariano/acp-provenance-receipts branch from 2d49f9b to b63e46d Compare March 9, 2026 03:18
@mbelinky mbelinky merged commit e3df943 into main Mar 9, 2026
25 of 27 checks passed
@mbelinky mbelinky deleted the mariano/acp-provenance-receipts branch March 9, 2026 03:19
@mbelinky
Copy link
Copy Markdown
Contributor Author

mbelinky commented Mar 9, 2026

Merged via squash.

Thanks @mbelinky!

@github-actions github-actions bot mentioned this pull request Mar 9, 2026
Open
@chaosreload chaosreload mentioned this pull request Mar 9, 2026
Open
@github-actions github-actions bot mentioned this pull request Mar 9, 2026
Open
vincentkoc pushed a commit that referenced this pull request Mar 9, 2026
@mbelinky @vincentkoc
ACP: add optional ingress provenance receipts (#40473)
a95cce9 
Merged via squash.

Prepared head SHA: b63e46d
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky
hougangdev added a commit to hougangdev/clawdbot that referenced this pull request Mar 10, 2026
@hougangdev
docs: fix stale documentation across 4 files
2014873 
- environment.md: add OPENCLAW_CLI=1 runtime marker (landed in openclaw#41411
  without docs update)
- acp.md: document --provenance flag with off/meta/meta+receipt modes
  (landed in openclaw#40473 without Options section update)
- onboarding.md: document remote gateway token field added in 6b338dd
- gmail-pubsub.md: standardize hook token to ${OPENCLAW_HOOKS_TOKEN} to
  match webhook.md (was using literal "OPENCLAW_HOOK_TOKEN")
@hougangdev hougangdev mentioned this pull request Mar 10, 2026
Open
3 tasks
jenawant pushed a commit to jenawant/openclaw that referenced this pull request Mar 10, 2026
@mbelinky @jenawant
ACP: add optional ingress provenance receipts (openclaw#40473)
83857d0 
Merged via squash.

Prepared head SHA: b63e46d
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky
@gemini-code-assist gemini-code-assist bot mentioned this pull request Mar 10, 2026
Merged
Get-windy pushed a commit to Get-windy/JieZi-ai-PS that referenced this pull request Mar 10, 2026
chore: sync upstream to v2026.3.8 (bda63c3)
63d7082 
上游更新摘要(abb8f6310 → bda63c3,164 commits):

### 新功能
- ACP: 新增 resumeSessionId 支持 ACP session 恢复(openclaw#41847)
- CLI: 新增 openclaw backup create/verify 本地状态归档命令(openclaw#40163)
- Talk: 新增 talk.silenceTimeoutMs 配置项,可自定义静默超时(openclaw#39607)
- ACP Provenance: 新增 ACP 入站溯源元数据和回执注入(openclaw#40473)
- Brave 搜索: 新增 llm-context 模式,返回 AI 精炼摘要(openclaw#33383)
- browser.relayBindHost: Chrome relay 可绑定非 loopback 地址(WSL2 支持)(openclaw#39364)
- node-pending-work: 新增 node.pending.pull/ack RPC 接口
- Telegram: 新增 exec-approvals 处理器,支持 Telegram 内命令执行审批
- Mattermost: 新增 target-resolution,修复 markdown 保留和 DM media 上传
- MS Teams: 修复 Bot Framework General channel 对话 ID 兼容性(openclaw#41838)
- secrets/runtime-web-tools: 全新 web runtime secrets 工具模块
- cron: 新增 store-migration,isolated-agent 直送核心通道,delivery failure notify
- TUI: 自动检测浅色终端主题(COLORFGBG),支持 OPENCLAW_THEME 覆盖(openclaw#38636)

### 修复
- macOS: launchd 重启前重启已禁用服务,修复 openclaw update 卡死问题
- Telegram DM: 按 agent 去重入站 DM,防止同一条消息触发重复回复(openclaw#40519)
- Matrix DM: 修复 m.direct homeserver 检测,保留房间绑定优先级(openclaw#19736)
- 飞书: 清理插件发现缓存,修复 onboarding 安装后重复弹窗(openclaw#39642)
- config/runtime snapshots: 修复 config 写入后 secret 快照丢失问题(openclaw#37313)
- browser/CDP: 修复 ws:// CDP URL 反向代理和 wildcard 地址重写
- agents/failover: 识别 Bedrock tokens per day 限额为 rate limit

### 版本
- ACPX 0.1.16
- iOS/macOS 版本号更新
- Android: 精简后台权限

构建验证:待执行
aiwatching pushed a commit to aiwatching/openclaw that referenced this pull request Mar 10, 2026
@mbelinky @aiwatching
ACP: add optional ingress provenance receipts (openclaw#40473)
a9363f3 
Merged via squash.

Prepared head SHA: b63e46d
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky
@alexey-pelykh alexey-pelykh mentioned this pull request Mar 10, 2026
Closed
4 tasks
Moshiii pushed a commit to Moshiii/openclaw that referenced this pull request Mar 11, 2026
@mbelinky @Moshiii
ACP: add optional ingress provenance receipts (openclaw#40473)
1c4284c 
Merged via squash.

Prepared head SHA: b63e46d
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky
Moshiii pushed a commit to Moshiii/openclaw that referenced this pull request Mar 11, 2026
@mbelinky @Moshiii
ACP: add optional ingress provenance receipts (openclaw#40473)
7538abf 
Merged via squash.

Prepared head SHA: b63e46d
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky
dhoman pushed a commit to dhoman/chrono-claw that referenced this pull request Mar 11, 2026
@mbelinky @dhoman
ACP: add optional ingress provenance receipts (openclaw#40473)
214506f 
Merged via squash.

Prepared head SHA: b63e46d
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky
alexey-pelykh pushed a commit to remoteclaw/remoteclaw that referenced this pull request Mar 12, 2026
@mbelinky @alexey-pelykh
ACP: add optional ingress provenance receipts (openclaw#40473)
f4f613f 
Merged via squash.

Prepared head SHA: b63e46d
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky
@alexey-pelykh alexey-pelykh mentioned this pull request Mar 12, 2026
Merged
alexey-pelykh added a commit to remoteclaw/remoteclaw that referenced this pull request Mar 12, 2026
@alexey-pelykh @mbelinky
ACP: add optional ingress provenance receipts (openclaw#40473) (#1083)
3e16bb2 
Merged via squash.

Prepared head SHA: b63e46d


Reviewed-by: @mbelinky

Co-authored-by: Mariano <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Taskle pushed a commit to Taskle/openclaw that referenced this pull request Mar 14, 2026
@mbelinky
ACP: add optional ingress provenance receipts (openclaw#40473)
173ad83 
Merged via squash.

Prepared head SHA: b63e46d
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky
senw-developers pushed a commit to senw-developers/va-openclaw that referenced this pull request Mar 17, 2026
@mbelinky @Shlemon
ACP: add optional ingress provenance receipts (openclaw#40473)
0d392c5 
Merged via squash.

Prepared head SHA: b63e46d
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky
V-Gutierrez pushed a commit to V-Gutierrez/openclaw-vendor that referenced this pull request Mar 17, 2026
@mbelinky @V-Gutierrez
ACP: add optional ingress provenance receipts (openclaw#40473)
b2eb347 
Merged via squash.

Prepared head SHA: b63e46d
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky
dustin-olenslager pushed a commit to dustin-olenslager/ironclaw-supreme that referenced this pull request Mar 24, 2026
@mbelinky @vincentkoc
ACP: add optional ingress provenance receipts (openclaw#40473)
1e41370 
Merged via squash.

Prepared head SHA: b63e46d
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky
0x666c6f added a commit to 0x666c6f/openclaw that referenced this pull request Mar 26, 2026
@0x666c6f @steipete
@Takhoffman @obviyus @darkamenosa @rbutera @altaywtf @echoVic @vincentkoc @starbuck100 @jalehman @yuweuii @remusao @gumadeiras @mbelinky @shrey150 @claude @joeharouni @mvanhorn @cgdusek @ngutman @shichangs @langdon @sallyom @tyler6204 @ademczuk @dorukardahan @Sline @bbblending @velvet-shark @tysoncung @kesku @kyledh @derbronko @GazeKingNuWu @scoootscooob @dsantoreis @lml2468 @dimat @rexlunae @opriz @JoshuaLelon @xaeon2026 @hydro13 @pejmanjohn @onutc @zerone0x
chore(sre:PLA-760): sync upstream main into main (openclaw#38)
0701adf 
* refactor: share Apple talk config parsing

* refactor: add canonical talk config payload

* refactor: centralize talk silence timeout defaults

* test: cover invalid talk config inputs

* test: decouple ios talk parsing coverage

* fix: resolve live config paths in status and gateway metadata (openclaw#39952)

* fix: resolve live config paths in status and gateway metadata

* fix: resolve remaining runtime config path references

* test: cover gateway config.set config path response

* fix(web-search): restore OpenRouter compatibility for Perplexity (openclaw#39937) (openclaw#39937)

* Zalo: fix provider lifecycle restarts (openclaw#39892)

* Zalo: fix provider lifecycle restarts

* Zalo: add typing indicators, smart webhook cleanup, and API type fixes

* fix review

* add allow list test secrect

* Zalo: bound webhook cleanup during shutdown

* Zalo: bound typing chat action timeout

* Zalo: use plugin-safe abort helper import

* fix(plugins): ship Feishu bundled runtime dependency (openclaw#39990)

* fix: ship feishu bundled runtime dependency

* test: align feishu bundled dependency specs

* fix(hooks): use resolveAgentIdFromSessionKey in runBeforeReset  (openclaw#39875)

Merged via squash.

Prepared head SHA: 00a2b24
Co-authored-by: rbutera <[email protected]>
Co-authored-by: altaywtf <[email protected]>
Reviewed-by: @altaywtf

* CLI: include commit hash in --version output (openclaw#39712)

* CLI: include commit hash in --version output

* fix(version): harden commit SHA resolution and keep output consistent

* CLI: keep install checks compatible with commit-tagged version output

* fix(cli): include commit hash in root version fast path

* test(cli): allow null commit-hash mocks

* Installer: share version parser across install scripts

* Installer: avoid sourcing helpers from stdin cwd

* CLI: note commit-tagged version output

* CLI: anchor commit hash resolution to module root

* CLI: harden commit hash resolution

* CLI: fix commit hash lookup edge cases

* CLI: prefer live git metadata in dev builds

* CLI: keep git lookup inside package root

* Infra: tolerate invalid moduleUrl hints

* CLI: cache baked commit metadata fallbacks

* CLI: align changelog attribution with prep gate

* CLI: restore changelog contributor credit

---------

Co-authored-by: echoVic <[email protected]>
Co-authored-by: echoVic <[email protected]>

* fix: fail closed talk provider selection

* fix: align talk config secret schemas

* refactor: require canonical talk resolved payload

* test: add talk config contract fixtures

* refactor: split talk gateway config loaders

* refactor: avoid checkout during prep head verification

* refactor: dedupe prep branch push flow

* fix: treat model api drift as baseUrl refresh

* refactor: extract pure models config merge helpers

* refactor: expand provider capability registry

* refactor: reuse one models.json read per write

* fix: publish models.json atomically

* refactor: scope prep push results to env artifacts

* refactor: fold implicit provider injection into resolver

* fix(telegram): use message previews in DMs

* CI: scope CodeQL JavaScript analysis

* feat: allow compaction model override via config (openclaw#38753)

Merged via squash.

Prepared head SHA: a3d6d6c
Co-authored-by: starbuck100 <[email protected]>
Co-authored-by: jalehman <[email protected]>
Reviewed-by: @jalehman

* fix(sessions): clear stale contextTokens on model switch (openclaw#38044)

Merged via squash.

Prepared head SHA: bac2df4
Co-authored-by: yuweuii <[email protected]>
Co-authored-by: jalehman <[email protected]>
Reviewed-by: @jalehman

* fix: prefer bundled channel plugins over npm duplicates (openclaw#40094)

* fix: prefer bundled channel plugins over npm duplicates

* fix: tighten bundled plugin review follow-ups

* fix: address check gate follow-ups

* docs: add changelog for bundled plugin install fix

* fix: align lifecycle test formatting with CI oxfmt

* docs: update Brave Search API docs for Feb 2026 plan restructuring (openclaw#40111)

Merged via squash.

Prepared head SHA: c651f07
Co-authored-by: remusao <[email protected]>
Co-authored-by: gumadeiras <[email protected]>
Reviewed-by: @gumadeiras

* Add too-many-prs override label handling

* CI: satisfy provider merge fixture typing

* Tests: reduce web search secret-scan noise

* Web search: rename Perplexity auth source helper

* Docs: use placeholder OpenRouter key in Perplexity guide

* Docs: use placeholder OpenRouter key in web tool docs

* Fixtures: normalize talk config API key placeholder

* Tests: lower entropy git commit fixtures

* Chore: widen xxxxx detect-secrets allowlist

* Chore: refresh detect-secrets baseline

* Web search: allowlist Perplexity auth source type name

* Chore: refresh detect-secrets baseline after docs line changes

* Chore: refresh detect-secrets baseline after final scan

* Chore: refresh detect-secrets baseline for Feishu docs

* CLI: set local gateway mode in setup

* Tests: format daemon lifecycle CLI coverage

* refactor: use model compat for anthropic tool payload normalization

* refactor: move bundled extension gap allowlists into manifests

* refactor: thread config runtime env through models config

* refactor: split models registry loading from persistence

* refactor: centralize transcript provider quirks

* refactor: decompose implicit provider resolution

* refactor: extract openai stream wrappers

* refactor: validate bundled extension release metadata

* refactor: extract static provider builders

* refactor: extract provider stream wrappers

* refactor: extract bundled extension manifest parser

* test: standardize hermetic provider env snapshots

* test: add implicit provider matrix coverage

* fix(acp): persist spawned child session history (openclaw#40137)

Merged via squash.

Prepared head SHA: 62de5d5
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky

* fix: require talk resolved payload

* refactor: dedupe android talk config parsing

* test: expand talk config contract fixtures

* refactor: split android talk voice resolution

* test: isolate plugin loader from mocked module cache

* test: isolate legacy plugin-sdk root import check

* test: isolate git commit resolution fallbacks

* refactor: simplify plugin sdk compatibility aliases

* refactor: centralize acp session resolution guards

* refactor: neutralize context engine runtime bridge

* refactor: split doctor config analysis helpers

* refactor: extract ios watch reply coordinator

* fix: restore acp session meta narrowing

* refactor: extract qmd process runner

* fix: restore gate after rebase

* docs: add Browserbase as hosted remote CDP option

Add Browserbase documentation section alongside the existing Browserless
section in the browser docs. Includes signup instructions, CDP connection
configuration, and environment variable setup for both English and Chinese
(zh-CN) translations.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* Revert "docs: add Browserbase as hosted remote CDP option"

This reverts commit c469657.

* docs: add Browserbase as hosted remote CDP option

Add Browserbase documentation section alongside the existing Browserless
section in the browser docs. Includes signup instructions, CDP connection
configuration, and environment variable setup.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* docs: fix duplicate heading lint error

Rename "Configuration" sub-heading to "Profile setup" to avoid
MD024/no-duplicate-heading conflict with the existing top-level
"Configuration" heading.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* docs: fix Browserbase section to match official docs

Browserbase requires creating a session via their API to get a CDP
connect URL, unlike Browserless which uses a static endpoint. Updated
to show the correct curl-based session creation flow, removed
unverified static WebSocket URL, and added the 5-minute connect
timeout note from official docs.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* docs: restore direct wss://connect.browserbase.com URL

Browserbase exposes a direct WebSocket connect endpoint that
auto-creates a session, similar to how Browserless works. Simplified
the section to use this static URL pattern instead of requiring
manual session creation via the API.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* docs: fact-check Browserbase section against official docs

- Fix CAPTCHA/stealth/proxy claims: these are Developer plan+ only,
  not available on free tier
- Fix free tier limits: 1 browser hour, 15-min session duration
  (not "60 minutes of monthly usage")
- Add link to pricing page for paid plan details
- Simplify structure to match Browserless section format
- Remove sub-headings to match Browserless section style

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* docs: simplify Browserbase section, drop pricing details

Restore platform-level feature description (CAPTCHA solving, stealth
mode, proxies) without plan-specific pricing gating. Keep free tier
note brief.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* feat(browser): support direct WebSocket CDP URLs for Browserbase

Browserbase uses direct WebSocket connections (wss://) rather than the
standard HTTP-based /json/version CDP discovery flow used by Browserless.
This change teaches the browser tool to accept ws:// and wss:// URLs as
cdpUrl values: when a WebSocket URL is detected, OpenClaw connects
directly instead of attempting HTTP discovery.

Changes:
- config.ts: accept ws:// and wss:// in cdpUrl validation
- cdp.helpers.ts: add isWebSocketUrl() helper
- cdp.ts: skip /json/version when cdpUrl is already a WebSocket URL
- chrome.ts: probe WSS endpoints via WebSocket handshake instead of HTTP
- cdp.test.ts: add test for direct WebSocket target creation
- docs/tools/browser.md: update Browserbase section with correct URL
  format and notes

Co-Authored-By: Claude Opus 4.6 <[email protected]>

* test+docs: comprehensive coverage and generic framing

- Add 12 new tests covering: isWebSocketUrl detection, parseHttpUrl WSS
  acceptance/rejection, direct WS target creation with query params,
  SSRF enforcement on WS URLs, WS reachability probing bypasses HTTP
- Reframe docs section as generic "Direct WebSocket CDP providers" with
  Browserbase as one example — any WSS-based provider works
- Update security tips to mention WSS alongside HTTPS

Co-Authored-By: Claude Opus 4.6 <[email protected]>

* fix(browser): update existing tests for ws/wss protocol support

Two pre-existing tests still expected ws:// URLs to be rejected by
parseHttpUrl, which now accepts them. Switch the invalid-protocol
fixture to ftp:// and tighten the assertion to match the full
"must be http(s) or ws(s)" error message.

Co-Authored-By: Claude Opus 4.6 <[email protected]>

* fix(browser): preserve wss:// cdpUrl in legacy default profile resolution

* chore: remove vendor-specific references from code comments

* style(browser): fix oxfmt formatting in config.ts

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* fix: preserve loopback ws cdp tab ops (openclaw#31085) (thanks @shrey150)

* fix: share context engine registry across bundled chunks (openclaw#40115)

Merged via squash.

Prepared head SHA: 6af4820
Co-authored-by: jalehman <[email protected]>
Co-authored-by: jalehman <[email protected]>
Reviewed-by: @jalehman

* fix(browser): rewrite 0.0.0.0 and [::] wildcard addresses in CDP WebSocket URLs

Containerized browsers (e.g. browserless in Docker) report
`ws://0.0.0.0:<internal-port>` in their `/json/version` response.
`normalizeCdpWsUrl` rewrites loopback WS hosts to the external
CDP host:port, but `0.0.0.0` and `[::]` were not treated as
addresses needing rewriting, causing OpenClaw to try connecting
to `ws://0.0.0.0:3000` literally — which always fails.

Fixes openclaw#17752

Co-Authored-By: Claude Opus 4.6 <[email protected]>

* fix: normalize wildcard remote CDP websocket URLs (openclaw#17760) (thanks @joeharouni)

* fix(browser): wait for extension tabs after relay drop (openclaw#32331)

* fix: wait for extension relay tab reconnects (openclaw#32461) (thanks @AaronWander)

* fix(infra): make browser relay bind address configurable

Add browser.relayBindHost config option so the Chrome extension relay
server can bind to a non-loopback address (e.g. 0.0.0.0 for WSL2).
Defaults to 127.0.0.1 when unset, preserving current behavior.

Closes openclaw#39214

Co-Authored-By: Claude Opus 4.6 <[email protected]>

* fix(browser): add IP validation, fix upgrade handler for non-loopback bind

- Zod schema: validate relayBindHost with ipv4/ipv6 instead of bare string
- Upgrade handler: allow non-loopback connections when bindHost is explicitly
  non-loopback (e.g. 0.0.0.0 for WSL2), keeping loopback-only default
- Test: verify actual bind address via relay.bindHost instead of just checking
  reachability on 127.0.0.1 which passes regardless
- Expose bindHost on ChromeExtensionRelayServer type for inspection

Co-Authored-By: Claude Opus 4.6 <[email protected]>

* fix: make browser relay bind address configurable (openclaw#39364) (thanks @mvanhorn)

* docs: add WSL2 + Windows remote Chrome CDP troubleshooting (openclaw#39407) (thanks @Owlock)

* macos: add remote gateway token field for remote mode

* macos: clarify remote token placeholder text

* macos: add mode-toggle remote token sync coverage

* tests: document remote token persistence across mode toggle

* fix(macos): preserve unsupported remote gateway tokens

* docs(changelog): credit macos remote token author

* fix(macos): improve tailscale gateway discovery (openclaw#40167)

Sanitized test tailnet hostnames and re-ran the targeted macOS gateway discovery test suite before merge.

* refactor(browser): scope CDP sessions and harden stale target recovery

* feat: add local backup CLI (openclaw#40163)

Merged via squash.

Prepared head SHA: ed46625
Co-authored-by: shichangs <[email protected]>
Co-authored-by: gumadeiras <[email protected]>
Reviewed-by: @gumadeiras

* fix(ci): scope secrets scan to branch changes

* fix(ci): refresh detect-secrets baseline

* fix: harden backup verify path validation

* fix(plugin-sdk): lazily load legacy root alias

* fix(setup-podman): cd to TMPDIR before podman load to avoid cwd permission error (openclaw#39435)

* fix(setup-podman): cd to TMPDIR before podman load to avoid inherited cwd permission error

* fix(podman): safe cwd in run_as_user to prevent chdir errors

Co-Authored-By: Claude Opus 4.6  <[email protected]>
Signed-off-by: sallyom <[email protected]>

---------

Signed-off-by: sallyom <[email protected]>
Co-authored-by: sallyom <[email protected]>
Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>

* fix(cron): consolidate announce delivery, fire-and-forget trigger, and minimal prompt mode (openclaw#40204)

* fix(cron): consolidate announce delivery and detach manual runs

* fix: queue detached cron runs (openclaw#40204)

* Gateway/iOS: replay queued foreground actions safely after resume (openclaw#40281)

Merged via squash.

- Local validation: `pnpm exec vitest run --config vitest.gateway.config.ts src/gateway/server-methods/nodes.invoke-wake.test.ts`
- Local validation: `pnpm build`
- mb-server validation: `pnpm exec vitest run --config vitest.gateway.config.ts src/gateway/server-methods/nodes.invoke-wake.test.ts`
- mb-server validation: `pnpm build`
- mb-server validation: `pnpm protocol:check`

* iOS: auto-load the scoped gateway canvas with safe fallback (openclaw#40282)

Merged via squash.

- mb-server validation: `swift test --package-path apps/shared/OpenClawKit --filter GatewayNodeSessionTests`
- mb-server validation: `pnpm build`
- Scope note: top-level `RootTabs` shell change was intentionally removed from this PR before merge

* Update CHANGELOG.md

* Update CHANGELOG.md

* fix(run-openclaw-podman): add SELinux :Z mount option on enforcing/permissive hosts (openclaw#39449)

* fix(run-openclaw-podman): add SELinux :Z mount option on Linux with enforcing/permissive SELinux

* fix(quadlet): add SELinux :Z label to openclaw.container.in volume mount

* fix(podman): add SELinux :Z mount option for Fedora/RHEL hosts

Co-Authored-By: Claude Opus 4.6 <[email protected]>
Signed-off-by: sallyom <[email protected]>

---------

Signed-off-by: sallyom <[email protected]>
Co-authored-by: sallyom <[email protected]>
Co-authored-by: Claude Opus 4.6 <[email protected]>

* Docker: trim runtime image payload (openclaw#40307)

* Docker: shrink runtime image payload

* Docker: add runtime pnpm opt-in

* Docker: collapse helper entrypoint chmod layers

* Docker: restore bundled pnpm runtime

* Update CHANGELOG.md

* docs(changelog): move post-2026.3.8 entries to unreleased (openclaw#40342)

* docs(changelog): move post-2026.3.8 entries to unreleased

* Update CHANGELOG.md

* fix(tui): improve color contrast for light-background terminals (openclaw#40345)

* fix(tui): improve colour contrast for light-background terminals (openclaw#38636)

Detect light terminal backgrounds via COLORFGBG and apply a WCAG
AA-compliant light palette. Adds OPENCLAW_THEME=light|dark env var
override for terminals without auto-detection.

Uses proper sRGB linearisation and WCAG 2.1 contrast ratios to pick
whichever text palette (dark or light) has higher contrast against
the detected background colour.

Co-authored-by: ademczuk <[email protected]>

* Update CHANGELOG.md

---------

Co-authored-by: ademczuk <[email protected]>
Co-authored-by: ademczuk <[email protected]>

* fix(models): keep --all aligned with synthetic catalog rows

* test(models): refresh list assertions after main sync

* fix: normalize openai-codex gpt-5.4 transport overrides

* docs: add refactor cluster backlog

* refactor: dedupe plugin runtime stores

* refactor: share gateway argv parsing

* refactor: extract gateway port diagnostics helper

* refactor: reuse broadcast route key construction

* refactor: share multi-account config schema fragments

* test: dedupe brave llm-context rejection cases

* refactor: share channel config adapter base

* fix(agents): bootstrap runtime plugins before context-engine resolution

* docs(changelog): remove rebase marker

* refactor: harden browser relay CDP flows

* fix(config): refresh runtime snapshot from disk after write. Fixes openclaw#37175 (openclaw#37313)

Merged via squash.

Prepared head SHA: 69e1861
Co-authored-by: bbblending <[email protected]>
Co-authored-by: gumadeiras <[email protected]>
Reviewed-by: @gumadeiras

* refactor: harden browser runtime profile handling

* refactor(models): extract list row builders

* refactor(agents): extract provider model normalization

* refactor(models): split models.json planning from writes

* refactor(models): split provider discovery helpers

* chore(docs): drop refactor cleanup tracker

* gateway: fix global Control UI 404s for symlinked wrappers and bundled package roots (openclaw#40385)

Merged via squash.

Prepared head SHA: 567b3ed
Co-authored-by: velvet-shark <[email protected]>
Co-authored-by: velvet-shark <[email protected]>
Reviewed-by: @velvet-shark

* Docker: improve build cache reuse (openclaw#40351)

* Docker: improve build cache reuse

* Tests: cover Docker build cache layout

* Docker: fix sandbox cache mount continuations

* Docker: document qr-import manifest scope

* Docker: narrow e2e install inputs

* CI: cache Docker builds in workflows

* CI: route sandbox smoke through setup script

* CI: keep sandbox smoke on script path

* fix(tests): correct security check failure

* docs(changelog): correct Control UI contributor credit (openclaw#40420)

Merged via squash.

Prepared head SHA: e4295fe
Co-authored-by: velvet-shark <[email protected]>
Co-authored-by: velvet-shark <[email protected]>
Reviewed-by: @velvet-shark

* fix(models): use 1M context for openai-codex gpt-5.4 (openclaw#37876)

Merged via squash.

Prepared head SHA: c410207
Co-authored-by: yuweuii <[email protected]>
Co-authored-by: jalehman <[email protected]>
Reviewed-by: @jalehman

* fix(telegram): add download timeout to prevent polling loop hang (openclaw#40098)

Merged via squash.

Prepared head SHA: abdfa1a
Co-authored-by: tysoncung <[email protected]>
Co-authored-by: obviyus <[email protected]>
Reviewed-by: @obviyus

* ACP: add optional ingress provenance receipts (openclaw#40473)

Merged via squash.

Prepared head SHA: b63e46d
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky

* alphabetize web search providers (openclaw#40259)

Merged via squash.

Prepared head SHA: be6350e
Co-authored-by: kesku <[email protected]>
Co-authored-by: obviyus <[email protected]>
Reviewed-by: @obviyus

* fix(plugin-sdk): remove remaining bundled plugin src imports (openclaw#39638)

Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: Kyle <[email protected]>
Co-authored-by: Tak Hoffman <[email protected]>

* test: fix android talk config contract fixture

* chore(acpx): move runtime test fixtures to test-utils (openclaw#40548)

Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test:macmini

* fix(agents): re-expose configured tools under restrictive profiles

* fix(media): accept reader read result type

* build(protocol): sync generated swift models

* fix: dedupe inbound Telegram DM replies per agent (openclaw#40519)

Merged via squash.

Prepared head SHA: 6e235e7
Co-authored-by: obviyus <[email protected]>
Co-authored-by: obviyus <[email protected]>
Reviewed-by: @obviyus

* fix(matrix): restore robust DM routing without the memberCount heuristic (openclaw#19736)

* fix(matrix): remove memberCount heuristic from DM detection

The memberCount === 2 check in isDirectMessage() misclassifies 2-person
group rooms (admin channels, monitoring rooms) as DMs, routing them to
the main session instead of their room-specific session.

Matrix already distinguishes DMs from groups at the protocol level via
m.direct account data and is_direct member state flags. Both are already
checked by client.dms.isDm() and hasDirectFlag(). The memberCount
heuristic only adds false positives for 2-person groups.

Move resolveMemberCount() below the protocol-level checks so it is only
reached for rooms not matched by m.direct or is_direct. This narrows its
role to diagnostic logging for confirmed group rooms.

Refs: openclaw#19739

* fix(matrix): add conservative fallback for broken DM flags

Some homeservers (notably Continuwuity) have broken m.direct account
data or never set is_direct on invite events. With the memberCount
heuristic removed, these DMs are no longer detected.

Add a conservative fallback that requires two signals before classifying
as DM: memberCount === 2 AND no explicit m.room.name. Group rooms almost
always have explicit names; DMs almost never do.

Error handling distinguishes M_NOT_FOUND (missing state event, expected
for unnamed rooms) from network/auth errors. Non-404 errors fall through
to group classification rather than guessing.

This is independently revertable — removing this commit restores pure
protocol-based detection without any heuristic fallback.

* fix(matrix): add parentPeer for DM room binding support

Add parentPeer to DM routes so conversations are bindable by room ID
while preserving DM trust semantics (secure 1:1, no group restrictions).

Suggested by @KirillShchetinin.

* fix(matrix): override DM detection for explicitly configured rooms

Builds on @robertcorreiro's config-driven approach from openclaw#9106.

Move resolveMatrixRoomConfig() before the DM check. If a room matches
a non-wildcard config entry (matchSource === "direct") and was
classified as DM, override the classification to group. This gives users
a deterministic escape hatch for misclassified rooms.

Wildcards are excluded from the override to avoid breaking DM routing
when a "*" catch-all exists. roomConfig is gated behind isRoom so DMs
never inherit group settings (skills, systemPrompt, autoReply).

This commit is independently droppable if the scope is too broad.

* test(matrix): add DM detection and config override tests

- 15 unit tests for direct.ts: all detection paths, priority order,
  M_NOT_FOUND vs network error handling, edge cases (whitespace names,
  API failures)
- 8 unit tests for rooms.ts: matchSource classification, wildcard
  safety for DM override, direct match priority over wildcard

* Changelog: note matrix DM routing follow-up

* fix(matrix): preserve DM fallback and room bindings

---------

Co-authored-by: Tak Hoffman <[email protected]>

* Fix cron text announce delivery for Telegram targets (openclaw#40575)

Merged via squash.

Prepared head SHA: 54b1513
Co-authored-by: obviyus <[email protected]>
Co-authored-by: obviyus <[email protected]>
Reviewed-by: @obviyus

* fix: clear plugin discovery cache after plugin installation (openclaw#39752)

Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: GazeKingNuWu <[email protected]>
Co-authored-by: Tak Hoffman <[email protected]>

* test: fix windows secrets runtime ci

* fix(daemon): enable LaunchAgent before bootstrap on restart

restartLaunchAgent was missing the launchctl enable call that
installLaunchAgent already performs. launchd can persist a "disabled"
state after bootout, causing bootstrap to silently fail and leaving the
gateway unloaded until a manual reinstall.

Fixes openclaw#39211

Co-Authored-By: Claude Opus 4.6 <[email protected]>

* fix(daemon): also enable LaunchAgent in repairLaunchAgentBootstrap

The repair/recovery path had the same missing `enable` guard as
`restartLaunchAgent`.  If launchd persists a "disabled" state after a
previous `bootout`, the `bootstrap` call in `repairLaunchAgentBootstrap`
fails silently, leaving the gateway unloaded in the recovery flow.

Add the same `enable` guard before `bootstrap` that was already applied
to `installLaunchAgent` and (in this PR) `restartLaunchAgent`.

Co-Authored-By: Claude Opus 4.6 <[email protected]>

* fix(gateway): exit non-zero on restart shutdown timeout

When a config-change restart hits the force-exit timeout, exit with
code 1 instead of 0 so launchd/systemd treats it as a failure and
triggers a clean process restart. Stop-timeout stays at exit(0)
since graceful stops should not cause supervisor recovery.

Closes openclaw#36822

* test(secrets): skip ACL-dependent runtime snapshot tests on windows

* fix: add changelog for restart timeout recovery (openclaw#40380) (thanks @dsantoreis)

* fix(browser): enforce redirect-hop SSRF checks

* fix(cron): restore owner-only tools for isolated runs

* test(cron): cover owner-only tool availability

* fix(msteams): enforce sender allowlists with route allowlists

* fix(gateway): validate config before restart to prevent crash + macOS permission loss (openclaw#35862)

When 'openclaw gateway restart' is run with an invalid config, the new
process crashes on startup due to config validation failure. On macOS,
this causes Full Disk Access (TCC) permissions to be lost because the
respawned process has a different PID.

Add getConfigValidationError() helper and pre-flight config validation
in both runServiceRestart() and runServiceStart(). If config is invalid,
abort with a clear error message instead of crashing.

The config watcher's hot-reload path already had this guard
(handleInvalidSnapshot), but the CLI restart/start commands did not.

AI-assisted (OpenClaw agent, fully tested)

* fix(gateway): catch startup failure in run loop to prevent process exit (openclaw#35862)

When an in-process restart (SIGUSR1) triggers a config-triggered restart
and the new config is invalid, params.start() throws and the while loop
exits, killing the process. On macOS this loses TCC permissions.

Wrap params.start() in try/catch: on failure, set server=null, log the
error, and wait for the next SIGUSR1 instead of crashing.

* test: add runServiceStart config pre-flight tests (openclaw#35862)

Address Greptile review: add test coverage for runServiceStart path.
The error message copy-paste issue was already fixed in the DRY refactor
(uses params.serviceNoun instead of hardcoded 'restart').

* fix: address bot review feedback on openclaw#35862

- Remove dead 'return false' in runServiceStart (Greptile)
- Include stack trace in run-loop crash guard error log (Greptile)
- Only catch startup errors on subsequent restarts, not initial start (Codex P1)
- Add JSDoc note about env var false positive edge case (Codex P1)

* fix: move config pre-flight before onNotLoaded in runServiceRestart (Codex P2)

The config check was positioned after onNotLoaded, which could send
SIGUSR1 to an unmanaged process before config was validated.

* fix: release gateway lock on restart failure + reply to Codex reviews

- Release gateway lock when in-process restart fails, so daemon
  restart/stop can still manage the process (Codex P2)
- P1 (env mismatch) already addressed: best-effort by design, documented
  in JSDoc

* fix(gateway): detect launchd supervision via XPC_SERVICE_NAME

On macOS, launchd sets XPC_SERVICE_NAME on managed processes but does
not set LAUNCH_JOB_LABEL or LAUNCH_JOB_NAME. Without checking
XPC_SERVICE_NAME, isLikelySupervisedProcess() returns false for
launchd-managed gateways, causing restartGatewayProcessWithFreshPid()
to fork a detached child instead of returning "supervised". The
detached child holds the gateway lock while launchd simultaneously
respawns the original process (KeepAlive=true), leading to an infinite
lock-timeout / restart loop.

Co-Authored-By: Claude Opus 4.6 <[email protected]>

* fix: detect launchd supervision via xpc service name (openclaw#20555) (thanks @dimat)

* fix(node-host): bind bun and deno approval scripts

* fix(skills): pin validated download roots

* fix(telegram): abort in-flight getUpdates fetch on shutdown

When the gateway receives SIGTERM, runner.stop() stops the grammY polling
loop but does not abort the in-flight getUpdates HTTP request. That request
hangs for up to 30 seconds (the Telegram API timeout). If a new gateway
instance starts polling during that window, Telegram returns a 409 Conflict
error, causing message loss and requiring exponential backoff recovery.

This is especially problematic with service managers (launchd, systemd)
that restart the process immediately after SIGTERM.

Wire an AbortController into the fetch layer so every Telegram API request
(especially the long-polling getUpdates) aborts immediately on shutdown:

- bot.ts: Accept optional fetchAbortSignal in TelegramBotOptions; wrap
  the grammY fetch with AbortSignal.any() to merge the shutdown signal.
- monitor.ts: Create a per-iteration AbortController, pass its signal to
  createTelegramBot, and abort it from the SIGTERM handler, force-restart
  path, and finally block.

Co-Authored-By: Claude Opus 4.6 <[email protected]>

* fix(telegram): use manual signal forwarding to avoid cross-realm AbortSignal

AbortSignal.any() fails in Node.js when signals come from different module
contexts (grammY's internal signal vs local AbortController), producing:
"The signals[0] argument must be an instance of AbortSignal. Received an
instance of AbortSignal".

Replace with manual event forwarding that works across all realms.

Co-Authored-By: Claude Opus 4.6 <[email protected]>

* fix: abort telegram getupdates on shutdown (openclaw#23950) (thanks @Gkinthecodeland)

* fix(cron): stagger missed jobs on restart to prevent gateway overload

When the gateway restarts with many overdue cron jobs, they are now
executed with staggered delays to prevent overwhelming the gateway.

- Add missedJobStaggerMs config (default 5s between jobs)
- Add maxMissedJobsPerRestart limit (default 5 jobs immediately)
- Prioritize most overdue jobs by sorting by nextRunAtMs
- Reschedule deferred jobs to fire gradually via normal timer

Fixes openclaw#18892

* fix: stagger missed cron jobs on restart (openclaw#18925) (thanks @rexlunae)

* build: update app deps except carbon

* refactor: extract telegram polling session

* refactor: split cron startup catch-up flow

* refactor: flatten supervisor marker hints

* docs: reorder 2026.3.8 changelog by impact

* build: sync pnpm lockfile

* chore: refresh secrets baseline

* docs: move 2026.3.8 entries back to unreleased

* test: fix Node 24+ test runner and subagent registry mocks

* test: fix Windows fake runtime bin fixtures

* fix: normalize windows runtime shim executables

* chore: prepare 2026.3.8-beta.1 release

* chore: update appcast for 2026.3.8-beta.1

* test: fix windows runtime and restart loop harnesses

* fix(update): re-enable launchd service before updater bootstrap

* chore: prepare 2026.3.8 npm release

* test: narrow gateway loop signal harness

* fix(launchd): harden macOS launchagent install permissions

* fix(onboard): avoid persisting talk fallback on fresh setup

* build: bump unreleased version to 2026.3.9

* fix: stabilize launchd paths and appcast secret scan

* build: sync plugin versions for 2026.3.9

* fix(ui): preserve control-ui auth across refresh (openclaw#40892)

Merged via squash.

Prepared head SHA: f9b2375
Co-authored-by: velvet-shark <[email protected]>
Co-authored-by: velvet-shark <[email protected]>
Reviewed-by: @velvet-shark

* fix(kimi-coding): fix kimi tool format: use native Anthropic tool schema instead of OpenAI … (openclaw#40008)

Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: opriz <[email protected]>
Co-authored-by: Tak Hoffman <[email protected]>

* fix(swiftformat): exclude HostEnvSecurityPolicy.generated.swift from formatters (openclaw#39969)

* test(context-engine): add bundle chunk isolation tests for registry (openclaw#40460)

Merged via squash.

Prepared head SHA: 44622ab
Co-authored-by: dsantoreis <[email protected]>
Co-authored-by: jalehman <[email protected]>
Reviewed-by: @jalehman

* fix(agents): bound compaction retry wait and drain embedded runs on restart (openclaw#40324)

Merged via squash.

Prepared head SHA: cfd9956
Co-authored-by: cgdusek <[email protected]>
Co-authored-by: jalehman <[email protected]>
Reviewed-by: @jalehman

* Allow ACP sessions.patch lineage fields on ACP session keys (openclaw#40995)

Merged via squash.

Prepared head SHA: c1191ed
Co-authored-by: xaeon2026 <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky

* Update CONTRIBUTING.md

* Add Robin Waslander to maintainers

* Update CONTRIBUTING.md

* fix(acp): map error states to end_turn instead of unconditional refusal (openclaw#41187)

* fix(acp): map error states to end_turn instead of unconditional refusal

* fix: map ACP error stop reason to end_turn (openclaw#41187) (thanks @pejmanjohn)

---------

Co-authored-by: Pejman Pour-Moezzi <[email protected]>
Co-authored-by: Onur <[email protected]>

* fix(acp): propagate setSessionMode gateway errors to client (openclaw#41185)

* fix(acp): propagate setSessionMode gateway errors to client

* fix: add changelog entry for ACP setSessionMode propagation (openclaw#41185) (thanks @pejmanjohn)

---------

Co-authored-by: Pejman Pour-Moezzi <[email protected]>
Co-authored-by: Onur <[email protected]>

* plugins: harden global hook runner state (openclaw#40184)

* fix(telegram): bridge direct delivery to internal message:sent hooks (openclaw#40185)

* telegram: bridge direct delivery message hooks

* telegram: align sent hooks with command session

* Cron: enforce cron-owned delivery contract (openclaw#40998)

Merged via squash.

Prepared head SHA: 5877389
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky

* Agents: add embedded error observations (openclaw#41336)

Merged via squash.

Prepared head SHA: 4900042
Co-authored-by: altaywtf <[email protected]>
Co-authored-by: altaywtf <[email protected]>
Reviewed-by: @altaywtf

* Doctor: fix non-interactive cron repair gating (openclaw#41386)

* iOS: reconnect gateway on foreground return (openclaw#41384)

Merged via squash.

Prepared head SHA: 0e2e0dc
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky

* fix(cron): do not misclassify empty/NO_REPLY as interim acknowledgement (openclaw#41401)

* fix(cron): do not misclassify empty/NO_REPLY as interim acknowledgement

When a cron task's agent returns NO_REPLY, the payload filter strips the
silent token, leaving an empty text string. isLikelyInterimCronMessage()
previously returned true for empty input, causing the cron runner to
inject a forced rerun prompt ('Your previous response was only an
acknowledgement...').

Change the empty-string branch to return false: empty text after payload
filtering means the agent deliberately chose silent completion, not that
it sent an interim 'on it' message.

Fixes openclaw#41246

* fix(cron): do not misclassify empty/NO_REPLY as interim acknowledgement

Fixes openclaw#41246. (openclaw#41383) thanks @jackal092927.

---------

Co-authored-by: xaeon2026 <[email protected]>

* fix(auth): reset cooldown error counters on expiry to prevent infinite escalation (openclaw#41028)

Merged via squash.

Prepared head SHA: 89bd83f
Co-authored-by: zerone0x <[email protected]>
Co-authored-by: altaywtf <[email protected]>
Reviewed-by: @altaywtf

* Gateway: add pending node work primitives (openclaw#41409)

Merged via squash.

Prepared head SHA: a6d7ca9
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky

* Gateway: tighten node pending drain semantics (openclaw#41429)

Merged via squash.

Prepared head SHA: 361c2eb
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky

* acp: fail honestly in bridge mode (openclaw#41424)

Merged via squash.

Prepared head SHA: b5e6e13
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky

* acp: restore session context and controls (openclaw#41425)

Merged via squash.

Prepared head SHA: fcabdf7
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky

* Sandbox: import STATE_DIR from paths directly (openclaw#41439)

* acp: enrich streaming updates for ide clients (openclaw#41442)

Merged via squash.

Prepared head SHA: 0764368
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky

* acp: forward attachments into ACP runtime sessions (openclaw#41427)

Merged via squash.

Prepared head SHA: f2ac51d
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky

* acp: add regression coverage and smoke-test docs (openclaw#41456)

Merged via squash.

Prepared head SHA: 514d587
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky

* fix(agents): probe single-provider billing cooldowns (openclaw#41422)

Merged via squash.

Prepared head SHA: bbc4254
Co-authored-by: altaywtf <[email protected]>
Co-authored-by: altaywtf <[email protected]>
Reviewed-by: @altaywtf

* acp: harden follow-up reliability and attachments (openclaw#41464)

Merged via squash.

Prepared head SHA: 7d167df
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky

* Agents: add fallback error observations (openclaw#41337)

Merged via squash.

Prepared head SHA: 852469c
Co-authored-by: altaywtf <[email protected]>
Co-authored-by: altaywtf <[email protected]>
Reviewed-by: @altaywtf

* build(protocol): regenerate Swift models after pending node work schemas (openclaw#41477)

Merged via squash.

Prepared head SHA: cae0aaf
Co-authored-by: mbelinky <[email protected]>
Co-authored-by: mbelinky <[email protected]>
Reviewed-by: @mbelinky

* fix(discord): apply effective maxLinesPerMessage in live replies (openclaw#40133)

Merged via squash.

Prepared head SHA: 031d032
Co-authored-by: rbutera <[email protected]>
Co-authored-by: altaywtf <[email protected]>
Reviewed-by: @altaywtf

* Logging: harden probe suppression for observations (openclaw#41338)

Merged via squash.

Prepared head SHA: d18356c
Co-authored-by: altaywtf <[email protected]>
Co-authored-by: altaywtf <[email protected]>
Reviewed-by: @altaywtf

* ci(sre:PLA-760): fix smoke workflow fallbacks

* test(sre:PLA-760): allowlist secret-scan false positives

* test(sre:PLA-760): refresh secret baseline for upstream sync

* test(sre:PLA-760): update detect-secrets baseline

* ci(sre:PLA-760): exclude auto-response from zizmor

* fix(ci:PLA-760): unblock audit and bun test lane

* ci(sre:PLA-760): run linux-only ci

---------

Signed-off-by: sallyom <[email protected]>
Co-authored-by: Peter Steinberger <[email protected]>
Co-authored-by: Tak Hoffman <[email protected]>
Co-authored-by: Ayaan Zaidi <[email protected]>
Co-authored-by: darkamenosa <[email protected]>
Co-authored-by: Hermione <[email protected]>
Co-authored-by: rbutera <[email protected]>
Co-authored-by: altaywtf <[email protected]>
Co-authored-by: Altay <[email protected]>
Co-authored-by: echoVic <[email protected]>
Co-authored-by: echoVic <[email protected]>
Co-authored-by: Ayaan Zaidi <[email protected]>
Co-authored-by: Vincent Koc <[email protected]>
Co-authored-by: GitBuck <[email protected]>
Co-authored-by: starbuck100 <[email protected]>
Co-authored-by: jalehman <[email protected]>
Co-authored-by: yuweuii <[email protected]>
Co-authored-by: Rémi <[email protected]>
Co-authored-by: remusao <[email protected]>
Co-authored-by: gumadeiras <[email protected]>
Co-authored-by: Mariano <[email protected]>
Co-authored-by: Shrey Pandya <[email protected]>
Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
Co-authored-by: Josh Lehman <[email protected]>
Co-authored-by: Joe Harouni <[email protected]>
Co-authored-by: AaronWander <[email protected]>
Co-authored-by: Matt Van Horn <[email protected]>
Co-authored-by: Charles Dusek <[email protected]>
Co-authored-by: Nimrod Gutman <[email protected]>
Co-authored-by: shichangs <[email protected]>
Co-authored-by: Gustavo Madeira Santana <[email protected]>
Co-authored-by: langdon <[email protected]>
Co-authored-by: sallyom <[email protected]>
Co-authored-by: Tyler Yust <[email protected]>
Co-authored-by: langdon <[email protected]>
Co-authored-by: ademczuk <[email protected]>
Co-authored-by: ademczuk <[email protected]>
Co-authored-by: Doruk Ardahan <[email protected]>
Co-authored-by: 0xsline <[email protected]>
Co-authored-by: bbblending <[email protected]>
Co-authored-by: Radek Sienkiewicz <[email protected]>
Co-authored-by: velvet-shark <[email protected]>
Co-authored-by: Tyson Cung <[email protected]>
Co-authored-by: obviyus <[email protected]>
Co-authored-by: Mariano <[email protected]>
Co-authored-by: Kesku <[email protected]>
Co-authored-by: Kyle <[email protected]>
Co-authored-by: Kyle <[email protected]>
Co-authored-by: Bronko <[email protected]>
Co-authored-by: GazeKingNuWu <[email protected]>
Co-authored-by: GazeKingNuWu <[email protected]>
Co-authored-by: scoootscooob <[email protected]>
Co-authored-by: Daniel dos Santos Reis <[email protected]>
Co-authored-by: DevMac <[email protected]>
Co-authored-by: merlin <[email protected]>
Co-authored-by: dimatu <[email protected]>
Co-authored-by: George Kalogirou <[email protected]>
Co-authored-by: rexlunae <[email protected]>
Co-authored-by: opriz <[email protected]>
Co-authored-by: opriz <[email protected]>
Co-authored-by: Joshua Lelon Mitchell <[email protected]>
Co-authored-by: dsantoreis <[email protected]>
Co-authored-by: Charles Dusek <[email protected]>
Co-authored-by: xaeon2026 <[email protected]>
Co-authored-by: xaeon2026 <[email protected]>
Co-authored-by: Robin Waslander <[email protected]>
Co-authored-by: Pejman Pour-Moezzi <[email protected]>
Co-authored-by: Pejman Pour-Moezzi <[email protected]>
Co-authored-by: Onur <[email protected]>
Co-authored-by: zerone0x <[email protected]>
Co-authored-by: zerone0x <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

+1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

app: web-ui App: web-ui cli CLI command changes docs Improvements or additions to documentation gateway Gateway runtime maintainer Maintainer-authored PR size: M

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mbelinky