fix: add missing @microsoft/agents-hosting dependency for msteams extension#44899
fix: add missing @microsoft/agents-hosting dependency for msteams extension#44899EthanHunter1229 wants to merge 8 commits intoopenclaw:mainfrom
Conversation
Greptile SummaryThis PR adds
Confidence Score: 2/5
Prompt To Fix All With AIThis is a comment left during a code review.
Path: package.json
Line: 356
Comment:
**`pnpm-lock.yaml` not updated**
The root `package.json` now declares `@microsoft/agents-hosting` as a dependency, but `pnpm-lock.yaml` was not updated — the root importer section (`.`) in the lockfile does not yet include this entry. While the package is already resolved in the lockfile as a dependency of the `extensions/msteams` workspace, pnpm still requires the root importer to be explicitly listed.
In many CI pipelines this manifests as a `pnpm install --frozen-lockfile` failure like:
```
ERR_PNPM_OUTDATED_LOCKFILE Cannot install with "frozen-lockfile" because pnpm-lock.yaml is not up to date with package.json
```
Please run `pnpm install` locally to update the lockfile and include `pnpm-lock.yaml` in this PR.
How can I resolve this? If you propose a fix, please make it concise.Last reviewed commit: f9dfa07 |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| "@mariozechner/pi-ai": "0.57.1", | ||
| "@mariozechner/pi-coding-agent": "0.57.1", | ||
| "@mariozechner/pi-tui": "0.57.1", | ||
| "@microsoft/agents-hosting": "^1.3.1", |
There was a problem hiding this comment.
pnpm-lock.yaml not updated
The root package.json now declares @microsoft/agents-hosting as a dependency, but pnpm-lock.yaml was not updated — the root importer section (.) in the lockfile does not yet include this entry. While the package is already resolved in the lockfile as a dependency of the extensions/msteams workspace, pnpm still requires the root importer to be explicitly listed.
In many CI pipelines this manifests as a pnpm install --frozen-lockfile failure like:
ERR_PNPM_OUTDATED_LOCKFILE Cannot install with "frozen-lockfile" because pnpm-lock.yaml is not up to date with package.json
Please run pnpm install locally to update the lockfile and include pnpm-lock.yaml in this PR.
Prompt To Fix With AI
This is a comment left during a code review.
Path: package.json
Line: 356
Comment:
**`pnpm-lock.yaml` not updated**
The root `package.json` now declares `@microsoft/agents-hosting` as a dependency, but `pnpm-lock.yaml` was not updated — the root importer section (`.`) in the lockfile does not yet include this entry. While the package is already resolved in the lockfile as a dependency of the `extensions/msteams` workspace, pnpm still requires the root importer to be explicitly listed.
In many CI pipelines this manifests as a `pnpm install --frozen-lockfile` failure like:
```
ERR_PNPM_OUTDATED_LOCKFILE Cannot install with "frozen-lockfile" because pnpm-lock.yaml is not up to date with package.json
```
Please run `pnpm install` locally to update the lockfile and include `pnpm-lock.yaml` in this PR.
How can I resolve this? If you propose a fix, please make it concise.
🔒 Automated Security AssessmentStatus: ✅ PASSED — No security issues detected by automated scan. Scan Date: 2026-03-13 09:11 UTC Checks Performed
RecommendationAutomated checks passed. Manual review is still recommended for:
This comment was posted by the automated PR security scanner. False positives may occur — please verify findings manually. |
…ension The msteams extension depends on @microsoft/agents-hosting but this dependency was not included in the root package.json, causing runtime errors when the MS Teams channel starts. Fixes openclaw#44857
…tems Add memory check before generating shell completion cache during updates. Skip cache generation if free memory is below 512MB to prevent OOM errors on low-memory systems (issue openclaw#45065). Also increased Node.js memory limit for the completion generation process and added error handling for graceful failure.
EthanHunter1229
force-pushed
the
fix/issue-44857-msteams-dependency
branch
from
f9dfa07 to
becd91d
Compare
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: becd91d2f7
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| "@mariozechner/pi-ai": "0.57.1", | ||
| "@mariozechner/pi-coding-agent": "0.57.1", | ||
| "@mariozechner/pi-tui": "0.57.1", | ||
| "@microsoft/agents-hosting": "^1.3.1", |
There was a problem hiding this comment.
Adding @microsoft/agents-hosting to the root dependencies without a corresponding pnpm-lock.yaml update breaks installs that use --frozen-lockfile (including default CI behavior), because the lockfile importer specifiers no longer match package.json. This causes pnpm install to fail with ERR_PNPM_OUTDATED_LOCKFILE before any build/test steps can run.
Useful? React with 👍 / 👎.
Fix GHSA-qpjj-47vm-64pj: Missing authentication for local browser-control endpoints. Previously, when gateway.auth.mode was set to 'none' or 'trusted-proxy', the browser control server would start without authentication, allowing unauthorized local callers to invoke privileged browser operations. This fix removes the bypass for 'none' and 'trusted-proxy' modes, ensuring browser control always requires authentication regardless of gateway auth mode. CVSS: 7.5 (High) CWE: CWE-306 Missing Authentication for Critical Function
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 889c218e97
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
|
||
| // Use increased memory limit for completion cache generation | ||
| try { | ||
| const result = spawnSync(process.execPath, [binPath, "completion", "--write-state"], { |
There was a problem hiding this comment.
Moving result into the try block leaves the existing fallback return result.status === 0; below the try/catch referring to an out-of-scope identifier. In any workflow that type-checks this file (for example the repository's normal check pipeline), this produces Cannot find name 'result' and blocks validation/build before runtime.
Useful? React with 👍 / 👎.
…urce Resolves openclaw#46494 - health command was showing running=false and tokenSource=none for Telegram even when channels status showed running=true and tokenSource=config. The health command was building channel status from config only, not querying the gateway for runtime status. Now it calls channels.status from gateway and merges runtime fields.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f9f35a598f
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
src/commands/health.ts
Outdated
| } | ||
|
|
||
| // Merge with gateway runtime status for accurate running/tokenSource at account level | ||
| const gatewayChannel = (gatewayChannelStatus.channels as Record<string, unknown>?)?.[plugin.id]; |
There was a problem hiding this comment.
The assertion as Record<string, unknown>? is not valid TypeScript syntax, so this line makes src/commands/health.ts fail to parse/compile (e.g. parser error Unexpected )), which blocks builds and any command path that imports this module. The same malformed assertion appears again later in this function, so the health command cannot be shipped in this state.
Useful? React with 👍 / 👎.
| try { | ||
| gatewayChannelStatus = (await callGateway({ | ||
| method: "channels.status", | ||
| params: { probe: doProbe, timeoutMs: cappedTimeout }, |
There was a problem hiding this comment.
Passing probe: doProbe into the new channels.status gateway call causes every account to be probed once in channels.status (see src/gateway/server-methods/channels.ts), and then this function probes the same accounts again in its own per-account loop when doProbe is true. In verbose/probe mode (health with probe: true), this doubles probe work, increasing latency and timeout/rate-limit risk without improving accuracy.
Useful? React with 👍 / 👎.
- Add runtime validation for gateway response structure - Extract getGatewayChannelData helper to avoid code duplication - Use proper TypeScript types instead of unsafe as assertions - Use const assertion for key arrays for better type safety
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f761a4dfa2
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| try { | ||
| const result = spawnSync(process.execPath, [binPath, "completion", "--write-state"], { | ||
| cwd: root, | ||
| env: { ...process.env, NODE_OPTIONS: "--max-old-space-size=2048" }, |
There was a problem hiding this comment.
This spawn call now replaces NODE_OPTIONS instead of inheriting and extending it, which drops any flags the operator already set (for example --require, custom CA settings, or runtime loaders). In environments that rely on those flags, openclaw completion --write-state can fail or run with different behavior only during this doctor path, even though it worked before when process.env was passed through unchanged.
Useful? React with 👍 / 👎.
| const gwAccounts = gwChannel?.accounts as Record<string, unknown> | undefined; | ||
| const gwAccount = gwAccounts?.[accountId]; |
There was a problem hiding this comment.
The new merge logic expects account runtime details at channels[channelId].accounts, but channels.status returns account snapshots in a separate channelAccounts[channelId] map (with channels containing only channel summaries). As a result, gwAccounts is always undefined and the loop never backfills running, tokenSource, or timestamps for per-account health, so the intended accuracy improvement does not take effect.
Useful? React with 👍 / 👎.
Resolves openclaw#46369 - cron.remove now cleans up: 1. Session record in sessions.json (by sessionKey or jobId) 2. Run history file in ~/.openclaw/cron/runs/ The fix adds cleanup logic in the gateway's cron.remove method to delete associated session records and history files when a cron job is removed.
Resolves openclaw#46411 - console.log with PATH was printed on every node start. Now only shown when OPENCLAW_DEBUG or VERBOSE is set.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0e25b4231d
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| const keyToDelete = Object.keys(store).find( | ||
| (k) => k.includes(sessionKey) || k.includes(jobId) | ||
| ); |
There was a problem hiding this comment.
Using Object.keys(store).find((k) => k.includes(sessionKey) || k.includes(jobId)) can select unrelated sessions, because many valid keys share prefixes/substrings (for example agent:main:main vs agent:main:main:thread:..., or job-1 inside job-10). The subsequent delete s[keyToDelete] then removes whichever matching entry appears first, which can erase the wrong conversation state when cron.remove is called.
Useful? React with 👍 / 👎.
| context.logGateway.info("cron: job removed", { jobId }); | ||
|
|
||
| // Clean up associated session record if exists | ||
| if (sessionKey) { |
There was a problem hiding this comment.
The run-log cleanup is inside if (sessionKey), but sessionKey is optional on cron jobs and run logs are written per jobId regardless (for example via resolveCronRunLogPath({ jobId }) in src/gateway/server-cron.ts). Jobs created without a session key will therefore never have cron/runs/<jobId>.jsonl removed, leaving stale history files after cron.remove.
Useful? React with 👍 / 👎.
| const defaultAgentId = "main"; // Default agent for cron jobs | ||
| const sessionsPath = await import("../../config/sessions/paths.js").then(m => | ||
| m.resolveStorePath(undefined, { agentId: defaultAgentId }) | ||
| ).catch(() => undefined); |
There was a problem hiding this comment.
Session cleanup always reads the main agent store (resolveStorePath(..., { agentId: "main" })), but cron jobs can run under other agentIds and those session entries are stored in that agent-specific path (for example resolveCronSession resolves store path with agentId). In multi-agent setups, deleting a non-main cron job will miss its actual session entry and the new cleanup silently does nothing.
Useful? React with 👍 / 👎.
Resolves openclaw#46520 - Origin validation now accepts custom URL schemes like tauri://, electron://, capacitor:// when listed in allowedOrigins. The parseOrigin function now handles non-standard schemes that fail new URL() parsing.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 57cad8682d
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| try { | ||
| const { rm } = await import("node:fs/promises"); | ||
| const { join } = await import("node:path"); | ||
| const cronRunsDir = join(process.env.OPENCLAW_HOME || process.env.HOME || "~", ".openclaw", "cron", "runs"); |
There was a problem hiding this comment.
This cleanup computes cron/runs from OPENCLAW_HOME/HOME instead of the active cron store location, but the rest of the handler reads run logs via resolveCronRunLogPath({ storePath: context.cronStorePath, ... }). When cron.store or OPENCLAW_STATE_DIR points to a non-default location, cron.remove reports success yet deletes the wrong file path, leaving the real <jobId>.jsonl behind and causing stale run history for removed jobs.
Useful? React with 👍 / 👎.
| const [hostname, port] = withoutScheme.split(":"); | ||
| const host = port ? `${hostname}:${port}` : hostname; |
There was a problem hiding this comment.
The new custom-scheme branch parses host/port with split(":"), which breaks bracketed IPv6 origins such as tauri://[::1]:18789 (the parsed hostname becomes "["). In that case both host-header fallback and loopback fallback fail (parsedOrigin.host/hostname are wrong), so local Control UI/WebChat connections over IPv6 are rejected even though loopback IPv6 is supported elsewhere.
Useful? React with 👍 / 👎.
- fix(origin-check): support custom URL schemes (tauri://, electron://) - fix(node-host): hide PATH debug log by default - fix(cron): clean up session records when removing cron jobs - refactor(health): improve type safety and reduce code duplication - fix(health): use gateway channels.status for accurate running/tokenSource (60 files changed, +1269/-748)
|
Closing as resolved by #51808 (merged 2026-03-24), which migrated the Teams extension to the official Microsoft Agents SDK and eliminated the @microsoft/agents-hosting dependency entirely. This fix is no longer needed. |
3 participants
The msteams extension depends on @microsoft/agents-hosting but this dependency was not included in the root package.json, causing runtime errors when the MS Teams channel starts.
Fixes #44857