8127c6cc15
build(deps): update workspace dependencies
2026-04-10 19:17:39 +01:00
ea8d0833c3
test: trim gateway auth slow paths
2026-04-10 19:16:55 +01:00
56468cdb06
fix: align plugin install denylist scan tests
2026-04-10 18:57:52 +01:00
420e092d90
test: remove duplicate matrix approval fallback case
2026-04-10 18:50:40 +01:00
457a33646c
docs(matrix): track spec support gaps
2026-04-10 13:48:15 -04:00
d522dc637e
test: trim embedded agents slow paths
2026-04-10 18:33:03 +01:00
e0b8ddc1a5
fix(browser): apply three-phase interaction navigation guard to pressKey and type(submit) [AI-assisted] ( #63889 )
...
* fix: address issue
* chore(changelog): add pressKey/type SSRF guard entry
---------
Co-authored-by: Devin Robison <drobison@nvidia.com >
2026-04-10 11:27:53 -06:00
9f97ad857a
fix(security): pin axios to 1.15.0 and add dependency denylist for plugin installs [AI-assisted] ( #63891 )
...
* fix: address issue
* fix: address review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* Plugins: fix install security CI regressions
* Plugins: make manifest traversal linear
* Plugins: bound manifest security traversal
* Plugins: block denied node_modules package dirs
* Plugins: match node_modules case-insensitively
* Plugins: block denied package symlink paths
* Tests: normalize blocked symlink assertion
* Plugins: fail closed on unreadable denied paths
* Plugins: block denied node_modules file aliases
* Plugins: inspect node_modules symlink targets
* Plugins: preserve symlink target package paths
* fix: address PR review feedback
* chore(changelog): add axios pin and dependency denylist entry
---------
Co-authored-by: Devin Robison <drobison@nvidia.com >
2026-04-10 11:20:05 -06:00
9b44929f28
fix(gateway): preserve restart sentinel account routing
2026-04-10 13:16:19 -04:00
527601d7a5
fix: align channel owner context test types
2026-04-10 18:14:14 +01:00
2b5b58194b
fix(msteams): include tenantId and aadObjectId on proactive sends ( #58774 ) ( #63949 )
...
* fix(msteams): capture and forward tenantId/aadObjectId on proactive sends (#58774 )
* msteams: preserve tenantId/aadObjectId on sparse merges, thread recipientId on proactive sends
2026-04-10 12:09:14 -05:00
19a2e9ddb5
fix(infra): extend exec completion detection to cover local background exec formats [AI-assisted] ( #64376 )
...
* fix: address issue
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* chore(changelog): add exec completion owner-downgrade entry
---------
Co-authored-by: Devin Robison <drobison@nvidia.com >
2026-04-10 11:07:14 -06:00
e1a2a26ec9
test: isolate agent runtime mocks
2026-04-10 18:06:49 +01:00
cbc4447d6b
test: narrow doctor config matrix helper import
2026-04-10 18:05:02 +01:00
8dfbf3268b
fix(browser): gate sandbox noVNC helper auth
...
Require bridge auth before /sandbox/novnc token redemption and keep the noVNC observer URL out of model-visible prompt context.
Local verification:
- pnpm test extensions/browser/src/browser/bridge-server.auth.test.ts src/agents/sanitize-for-prompt.test.ts src/agents/pi-embedded-runner.buildembeddedsandboxinfo.test.ts
Note: pnpm check currently fails on latest main in unrelated files (src/agents/tools/message-tool.ts and src/gateway/mcp-http.test.ts), outside this PR diff.
Thanks @eleqtrizit.
Co-authored-by: eleqtrizit <31522568+eleqtrizit@users.noreply.github.com >
2026-04-10 18:01:26 +01:00
979c6f09d6
fix: include image param in sandbox media normalization [AI-assisted] ( #64377 )
...
* fix: address issue
* chore(changelog): add Discord event image sandbox entry
---------
Co-authored-by: Devin Robison <drobison@nvidia.com >
2026-04-10 11:01:04 -06:00
56d3f97e23
test: use lightweight channel status stubs
2026-04-10 18:00:45 +01:00
710a19dd86
fix: repair latest main type drift
2026-04-10 18:00:45 +01:00
afadb7dae6
fix(voice-call): reject oversized realtime WebSocket frames
...
Reject realtime voice WebSocket frames above 256 KB before JSON parsing or bridge setup, and absorb ws error events so oversized frames close the connection instead of crashing the gateway.
Local verification:
- pnpm test extensions/voice-call/src/webhook/realtime-handler.test.ts
- pnpm check
Thanks @mmaps.
Co-authored-by: mmaps <3399869+mmaps@users.noreply.github.com >
2026-04-10 17:58:44 +01:00
b9981c8ee8
test: inject setup command side effects
2026-04-10 17:57:15 +01:00
fe0f686c92
Gate Matrix profile updates for non-owner message tool runs ( #62662 )
...
Merged via squash.
Prepared head SHA: 602b16a676d1fd7ad8bd2a5ab3126b1a35f1ae9f
Co-authored-by: eleqtrizit <31522568+eleqtrizit@users.noreply.github.com >
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com >
Reviewed-by: @gumadeiras
2026-04-10 12:56:17 -04:00
1c1fe8a405
test: remove duplicate workspace auth choice e2e
2026-04-10 17:52:44 +01:00
9031a9b2cc
test: narrow legacy doctor migration hot paths
2026-04-10 17:51:15 +01:00
36c3a54b51
fix(gateway): plug long-running memory leaks
...
Prune stale gateway control-plane rate-limit buckets, bound transcript-session lookup caching, clear agent event sequence state with run contexts, and clear node wake/nudge state on disconnect.\n\nVerified locally after rebasing onto main:\n\n- pnpm test src/gateway/control-plane-rate-limit.test.ts src/gateway/session-transcript-key.test.ts src/infra/agent-events.test.ts src/gateway/server-methods/nodes.invoke-wake.test.ts\n- pnpm check\n\nCo-authored-by: lml2468 <39320777+lml2468@users.noreply.github.com >
2026-04-10 17:45:12 +01:00
54ae138db7
fix: the cron isolated agent in openclaw unconditiona ( #383 ) ( #63878 )
2026-04-10 10:44:22 -06:00
9c44f10026
fix: preserve canonical restart sentinel routes ( #64391 )
...
Merged via squash.
Prepared head SHA: 0183c1782f58942bd975f4f99899f614a0651439
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com >
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com >
Reviewed-by: @gumadeiras
2026-04-10 12:44:07 -04:00
dffad08529
fix: a sandboxed agent can request host node in an ex ( #384 ) ( #63880 )
2026-04-10 10:40:27 -06:00
777c6f7580
refactor: split manifest command alias helpers
2026-04-10 17:37:31 +01:00
5f3356a746
refactor: split session store key helper
2026-04-10 17:37:25 +01:00
47c0a5135a
fix: dedupe delivered subagent completion announces ( #61525 ) (thanks @100yenadmin)
...
* fix(subagents): dedupe delivered completion announces
* refactor(subagents): distill cleanup delivery status writes
* fix: dedupe delivered subagent completion announces (#61525 ) (thanks @100yenadmin)
---------
Co-authored-by: Eva <eva@100yen.org >
Co-authored-by: Ayaan Zaidi <hi@obviy.us >
2026-04-10 22:06:46 +05:30
8755d2d3da
fix: bound telegram qa api requests
2026-04-10 22:06:38 +05:30
1512f9188d
fix: reject unknown telegram qa scenarios
2026-04-10 22:06:38 +05:30
81ae34c434
test: keep browser selection cdp guard profile-aware
2026-04-10 17:35:54 +01:00
c077af987f
perf: add narrow inbound roots sdk surface
2026-04-10 17:34:41 +01:00
bac98d4218
test: reduce media contract import cost
2026-04-10 17:31:08 +01:00
5d2225212d
fix(matrix): preserve ACP thread binding targets ( #64343 )
...
Merged via squash.
Prepared head SHA: def7dcda967f158b07a32137d3c4902a19779e48
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com >
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com >
Reviewed-by: @gumadeiras
2026-04-10 12:30:08 -04:00
2f84e73c18
fix(agents): always emit terminal lifecycle events
2026-04-10 21:58:20 +05:30
58ee5e48d1
test: fix browser and matrix verification
2026-04-10 17:25:04 +01:00
d5df4cd4e5
test: add Anthropic Opus QA smokes
2026-04-10 17:24:54 +01:00
5df09052e0
fix: add Telegram QA E2E lane ( #64303 )
2026-04-10 21:53:31 +05:30
9d3583bc2f
fix(qa-lab): tighten telegram canary matching
2026-04-10 21:53:31 +05:30
ecb3e0a62d
fix(qa-lab): harden telegram qa artifacts
2026-04-10 21:53:31 +05:30
d69cc5da5c
fix(qa-lab): address remaining review comments
2026-04-10 21:53:31 +05:30
2aaf5a3baa
fix(qa-lab): address telegram qa review comments
2026-04-10 21:53:31 +05:30
7348c3193d
test(telegram): cover threaded qa replies
2026-04-10 21:53:31 +05:30
88a7970f84
fix(telegram): thread native command replies
2026-04-10 21:53:31 +05:30
0ff03a74a8
fix(qa-lab): trust telegram canary send result
2026-04-10 21:53:31 +05:30
653a110ef6
fix(qa-lab): refine telegram canary output
2026-04-10 21:53:31 +05:30
5c7a232ebc
fix(qa-lab): improve telegram canary diagnostics
2026-04-10 21:53:31 +05:30
e093cb6c93
feat(qa-lab): add telegram live qa lane
2026-04-10 21:53:31 +05:30
Peter Steinberger