diff --git a/CHANGELOG.md b/CHANGELOG.md index eb01d1f6e..3e7bebcc7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,83 +2,135 @@ Docs: https://docs.openclaw.ai -## 2026.2.4 +## 2026.2.6 ### Changes -- Agents: bump pi-mono packages to 0.52.5. (#9949) Thanks @gumadeiras. -- Antigravity: update the default Antigravity OAuth model to `google-antigravity/claude-opus-4-6-thinking`. (#10720) Thanks @calvin-hpnet. -- Memory: add native Voyage embeddings provider (including batching) for vector memory search. (#7078) Thanks @mcinteerj. -- Models: default Anthropic model to `anthropic/claude-opus-4-6`. (#9853) Thanks @TinyTb. -- Models/Onboarding: refresh provider defaults, update OpenAI/OpenAI Codex wizard defaults, and harden model allowlist initialization for first-time configs with matching docs/tests. (#9911) Thanks @gumadeiras. -- Telegram: auto-inject forum topic `threadId` in message tool and subagent announce so media, buttons, and subagent results land in the correct topic instead of General. (#7235) Thanks @Lukavyi. -- Security: add skill/plugin code safety scanner that detects dangerous patterns (command injection, eval, data exfiltration, obfuscated code, crypto mining, env harvesting) in installed extensions. Integrated into `openclaw security audit --deep` and plugin install flow; scan failures surface as warnings. (#9806) Thanks @abdelsfane. -- CLI: sort `openclaw --help` commands (and options) alphabetically. (#8068) Thanks @deepsoumya617. -- Telegram: remove last `@ts-nocheck` from `bot-handlers.ts`, use Grammy types directly, deduplicate `StickerMetadata`. Zero `@ts-nocheck` remaining in `src/telegram/`. (#9206) -- Telegram: remove `@ts-nocheck` from `bot-message.ts`, type deps via `Omit`, widen `allMedia` to `TelegramMediaRef[]`. (#9180) -- Telegram: remove `@ts-nocheck` from `bot.ts`, fix duplicate `bot.catch` error handler (Grammy overrides), remove dead reaction `message_thread_id` routing, harden sticker cache guard. (#9077) -- Telegram: allow per-group and per-topic `groupPolicy` overrides under `channels.telegram.groups`. (#9775) Thanks @nicolasstanley. -- Feishu: expand channel handling (posts with images, doc links, routing, reactions/typing, replies, native commands). (#8975) Thanks @jiulingyun. -- Onboarding: add Cloudflare AI Gateway provider setup and docs. (#7914) Thanks @roerohan. -- Onboarding: add Moonshot (.cn) auth choice and keep the China base URL when preserving defaults. (#7180) Thanks @waynelwz. -- Onboarding: add xAI (Grok) auth choice and provider defaults. (#9885) Thanks @grp06. -- Docs: clarify tmux send-keys for TUI by splitting text and Enter. (#7737) Thanks @Wangnov. -- Web UI: add Token Usage dashboard with session analytics. (#8462) Thanks @mcinteerj. -- Docs: mirror the landing page revamp for zh-CN (features, quickstart, docs directory, network model, credits). (#8994) Thanks @joshp123. -- Docs: strengthen secure DM mode guidance for multi-user inboxes with an explicit warning and example. (#9377) Thanks @Shrinija17. -- Docs: document `activeHours` heartbeat field with timezone resolution chain and example. (#9366) Thanks @unisone. -- Messages: add per-channel and per-account responsePrefix overrides across channels. (#9001) Thanks @mudrii. -- Cron: add announce delivery mode for isolated jobs (CLI + Control UI) and delivery mode config. -- Cron: default isolated jobs to announce delivery; accept ISO 8601 `schedule.at` in tool inputs. -- Cron: hard-migrate isolated jobs to announce/none delivery; drop legacy post-to-main/payload delivery fields and `atMs` inputs. -- Cron: delete one-shot jobs after success by default; add `--keep-after-run` for CLI. -- Cron: suppress messaging tools during announce delivery so summaries post consistently. -- Cron: avoid duplicate deliveries when isolated runs send messages directly. +- Tests: add test coverage for security/windows-acl.ts. (#9335) Thanks @M00N7682. +- Docs: streamline start and install docs. (#9648) Thanks @sebslight. +- enhancement(CLI): sort commands alphabetically in help output. (#8068) Thanks @deepsoumya617. +- docs: add bootstrapping page. (#9767) Thanks @sebslight. +- Docs: simplify onboarding IA for CLI and macOS. (#9830) Thanks @sebslight. +- 🔴 FIX: Telegram DM Topics — auto-inject threadId in message tool & subagent announce. (#7235) Thanks @Lukavyi. +- docs: fix incorrect model.fallback to model.fallbacks in Ollama config (#9384). (#9749) Thanks @lailoo. +- feat: add Claude Opus 4.6 to built-in model catalog. (#9853) Thanks @TinyTb. +- chore: add agent credentials to gitignore. (#9874) Thanks @caelum0x. +- Docs: escape hash symbol in help channel names in issue template. (#9695) Thanks @mattqdev. +- feat(skills): add QR code generation and reading skill. (#8817) Thanks @Omar-Khaleel. +- chore(agentsmd): add missing tsgo commands to AGENTS.md. (#9894) Thanks @vincentkoc. +- chore: apply local workspace updates. (#9911) Thanks @gumadeiras. +- docs: improve DM security guidance with concrete example. (#9377) Thanks @Shrinija17. +- Agents: bump pi-mono to 0.52.5. (#9949) Thanks @gumadeiras. +- docs: restructure Get Started tab and improve onboarding flow. (#9950) Thanks @sebslight. +- feat: add xAI (Grok) provider support. (#9885) Thanks @grp06. +- Thinking: accept extra-high alias and sync Codex 5.3 FAQ wording. (#9976) Thanks @slonce70. +- Model: add strict gpt-5.3-codex fallback for OpenAI Codex (fixes #9989). (#9995) Thanks @tyler6204. +- Cap sessions_history payloads to prevent context overflow. (#10000) Thanks @gut-puncture. +- Chore: Update memory.md with current default workspace path. (#9559) Thanks @mattezell. +- docs: add activeHours to heartbeat field notes and examples. (#9366) Thanks @unisone. +- Web UI: add token usage dashboard. (#10072) Thanks @Takhoffman. +- Docs: add PR and issue submission guides. (#10150) Thanks @Takhoffman. +- Update: harden control UI asset handling in update flow. (#10146) Thanks @gumadeiras. +- Docs: sharpen Install tab to stop duplicating Getting Started. (#10416) Thanks @sebslight. +- Docs: enable markdownlint autofixables except list numbering. (#10476) Thanks @sebslight. +- Docs: revamp installer internals for readability and accuracy. (#10499) Thanks @sebslight. +- Docs: add PR sign-off template. (#10561) Thanks @Takhoffman. +- Docs: revise PR and issue submission guides. (#10617) Thanks @Takhoffman. +- feat(memory): native Voyage AI support. (#7078) Thanks @mcinteerj. +- Memory: document Voyage embeddings env var. (#10699) Thanks @Takhoffman. +- feat(antigravity): update default model to Claude Opus 4.6. (#10720) Thanks @calvin-hpnet. ### Fixes -- Control UI: add hardened fallback for asset resolution in global npm installs. (#4855) Thanks @anapivirtua. -- Update: remove dead restore control-ui step that failed on gitignored dist/ output. -- Update: avoid wiping prebuilt Control UI assets during dev auto-builds (`tsdown --no-clean`), run update doctor via `openclaw.mjs`, and auto-restore missing UI assets after doctor. (#10146) Thanks @gumadeiras. -- Agents: harden embedded and CLI runner workspace resolution for missing/blank runtime inputs by falling back to per-agent workspace defaults (not CWD), preventing `sessions_spawn` early crashes. (#10176) Thanks @Yida-Dev. -- Models: add forward-compat fallback for `openai-codex/gpt-5.3-codex` when model registry hasn't discovered it yet. (#9989) Thanks @w1kke. -- Auto-reply/Docs: normalize `extra-high` (and spaced variants) to `xhigh` for Codex thinking levels, and align Codex 5.3 FAQ examples. (#9976) Thanks @slonce70. -- Compaction: remove orphaned `tool_result` messages during history pruning to prevent session corruption from aborted tool calls. (#9868, fixes #9769, #9724, #9672) -- Telegram: pass `parentPeer` for forum topic binding inheritance so group-level bindings apply to all topics within the group. (#9789, fixes #9545, #9351) -- CLI: pass `--disable-warning=ExperimentalWarning` as a Node CLI option when respawning (avoid disallowed `NODE_OPTIONS` usage; fixes npm pack). (#9691) Thanks @18-RAJAT. -- CLI: resolve bundled Chrome extension assets by walking up to the nearest assets directory; add resolver and clipboard tests. (#8914) Thanks @kelvinCB. -- Tests: stabilize Windows ACL coverage with deterministic os.userInfo mocking. (#9335) Thanks @M00N7682. -- Exec approvals: coerce bare string allowlist entries to objects to prevent allowlist corruption. (#9903, fixes #9790) Thanks @mcaxtr. -- Heartbeat: allow explicit accountId routing for multi-account channels. (#8702) Thanks @lsh411. -- TUI/Gateway: handle non-streaming finals, refresh history for non-local chat runs, and avoid event gap warnings for targeted tool streams. (#8432) Thanks @gumadeiras. -- Security: stop exposing Gateway auth tokens via URL query parameters in Control UI entrypoints, and reject hook tokens in query parameters. (#9436) Thanks @coygeek. -- Shell completion: auto-detect and migrate slow dynamic patterns to cached files for faster terminal startup; add completion health checks to doctor/update/onboard. -- Telegram: honor session model overrides in inline model selection. (#8193) Thanks @gildo. -- Web UI: fix agent model selection saves for default/non-default agents and wrap long workspace paths. Thanks @Takhoffman. -- Web UI: resolve header logo path when `gateway.controlUi.basePath` is set. (#7178) Thanks @Yeom-JinHo. -- Web UI: apply button styling to the new-messages indicator. -- Onboarding: infer auth choice from non-interactive API key flags. (#8484) Thanks @f-trycua. -- Usage: include estimated cost when breakdown is missing and keep `usage.cost` days support. (#8462) Thanks @mcinteerj. -- Security: keep untrusted channel metadata out of system prompts (Slack/Discord). Thanks @KonstantinMirin. -- Security: redact channel credentials (tokens, passwords, API keys, secrets) from gateway config APIs and preserve secrets during Control UI round-trips. (#9858) Thanks @abdelsfane. -- Discord: treat allowlisted senders as owner for system-prompt identity hints while keeping channel topics untrusted. -- Slack: strip `<@...>` mention tokens before command matching so `/new` and `/reset` work when prefixed with a mention. (#9971) Thanks @ironbyte-rgb. -- Agents: cap `sessions_history` tool output and strip oversized fields to prevent context overflow. (#10000) Thanks @gut-puncture. -- Security: normalize code safety finding paths in `openclaw security audit --deep` output for cross-platform consistency. (#10000) Thanks @gut-puncture. -- Security: enforce sandboxed media paths for message tool attachments. (#9182) Thanks @victormier. -- Security: require explicit credentials for gateway URL overrides to prevent credential leakage. (#8113) Thanks @victormier. -- Security: gate `whatsapp_login` tool to owner senders and default-deny non-owner contexts. (#8768) Thanks @victormier. -- Voice call: harden webhook verification with host allowlists/proxy trust and keep ngrok loopback bypass. -- Voice call: add regression coverage for anonymous inbound caller IDs with allowlist policy. (#8104) Thanks @victormier. -- Cron: accept epoch timestamps and 0ms durations in CLI `--at` parsing. -- Cron: reload store data when the store file is recreated or mtime changes. -- Cron: prevent `recomputeNextRuns` from skipping due jobs when timer fires late by reordering `onTimer` flow. (#9823, fixes #9788) Thanks @pycckuu. -- Cron: deliver announce runs directly, honor delivery mode, and respect wakeMode for summaries. (#8540) Thanks @tyler6204. -- Cron: correct announce delivery inference for thread session keys and null delivery inputs. (#9733) Thanks @tyler6204. -- Telegram: include forward_from_chat metadata in forwarded messages and harden cron delivery target checks. (#8392) Thanks @Glucksberg. -- Telegram: preserve DM topic threadId in deliveryContext. (#9039) Thanks @lailoo. -- macOS: fix cron payload summary rendering and ISO 8601 formatter concurrency safety. -- Security: require gateway auth for Canvas host and A2UI assets. (#9518) Thanks @coygeek. +- fix: gracefully downgrade xhigh thinking level in cron isolated agent. (#9363) Thanks @hyf0-agent. +- Fix chrome extension bundled path resolution. (#8914) Thanks @kelvinCB. +- fix(telegram): preserve DM topic threadId in deliveryContext. (#9039) Thanks @lailoo. +- fix(telegram): pass parentPeer for forum topic binding inheritance. (#9789) Thanks @christianklotz. +- fix(cli): pass --disable-warning via execArgv instead of NODE_OPTIONS. (#9691) Thanks @18-RAJAT. +- fix cron scheduling and reminder delivery regressions. (#9733) Thanks @tyler6204. +- fix(runtime): bump minimum Node.js version to 22.12.0. (#5370) Thanks @Glucksberg. +- fix: clear stale token metrics on /new and /reset. (#8929) Thanks @Glucksberg. +- fix: allow multiple compaction retries on context overflow. (#8928) Thanks @Glucksberg. +- fix(errors): show clear billing error instead of cryptic API response (#8136). (#8391) Thanks @Glucksberg. +- fix(telegram): accept messages from group members in allowlisted groups. (#9775) Thanks @nicolasstanley. +- Fix: Enable scrolling on the dashboard config page. (#1822) Thanks @dxd5001. +- fix(cron): prevent recomputeNextRuns from skipping due jobs in onTimer. (#9823) Thanks @pycckuu. +- fix(cron): re-arm timer in finally to survive transient errors. (#9948) Thanks @j2h4u. +- fix(cron): handle legacy atMs field in schedule when computing next run. (#9932) Thanks @fujiwara-tofu-shop. +- fix(exec-approvals): coerce bare string allowlist entries to objects (#9790). (#9903) Thanks @mcaxtr. +- security: add skill/plugin code safety scanner. (#9806) Thanks @abdelsfane. +- fix(agents): skip tool extraction for aborted/errored assistant messages. (#4598) Thanks @aisling404. +- fix(cron): handle undefined sessionTarget in list output (#9649). (#9752) Thanks @lailoo. +- fix(nextcloud-talk): sign message text instead of JSON body. (#2092) Thanks @wangai-studio. +- fix(slack): add mention stripPatterns for /new and /reset commands. (#9971) Thanks @ironbyte-rgb. +- security: redact credentials from config.get gateway responses. (#9858) Thanks @abdelsfane. +- fix: release session locks on process termination [AI-assisted]. (#1962) Thanks @zats. +- fix(ollama): add streaming config and fix OLLAMA_API_KEY env var support. (#9870) Thanks @rafelbev. +- fix: untrack dist/control-ui build artifacts. (#1856) Thanks @zerone0x. +- fix: wire onToolResult callback for verbose tool summaries. (#2022) Thanks @adam91holt. +- fix: Gateway canvas host bypasses auth and serves files unauthenticated. (#9518) Thanks @coygeek. +- fix(docs): correct OpenCode Zen description in code comment. (#9998) Thanks @therealZpoint-bot. +- fix: silence unused hook token url param. (#9436) Thanks @coygeek. +- fix: guard resolveUserPath against undefined input. (#10176) Thanks @Yida-Dev. +- fix(hooks): replace debug console.log with proper subsystem logging in session-memory. (#10730) Thanks @shadril238. + +### Non-PR Commits + +- d84eb464 fix: restore discord owner hint from allowlists (Peter Steinberger). +- 3b40227b fix: remove unused cron import (Peter Steinberger). +- 0621d0e9 fix(cli): resolve bundled chrome extension path (Kelvin Calcano). +- 1008c28f test(cli): use unique temp dir for extension install (Kelvin Calcano). +- 44bbe09b fix(cli): support bundled extension path in dist root (Kelvin Calcano). +- 34e78a70 style(cli): satisfy lint rules in extension path resolver (Kelvin Calcano). +- f26cc608 Tests: add test coverage for security/windows-acl.ts (M00N7682). +- bdb90ea4 test: register discord plugin in allowlist test (Peter Steinberger). +- 5031b283 chore: bump version to 2026.2.4 (Peter Steinberger). +- a4d1af1b fix: resolve discord owner allowFrom matches (Peter Steinberger). +- 8860d2ed fix(telegram): preserve DM topic threadId in deliveryContext (damaozi). +- c0b267a0 test(telegram): add DM topic threadId deliveryContext test for #8891 (damaozi). +- 460808e0 Update deps. (cpojer). +- 8b845123 chore: Typecheck test helper files. (cpojer). +- 34424ce5 docs(install): rename install overview page (sebslight). +- 203e3804 CLI: sort commands alphabetically in help output (Soumyadeep Ghosh). +- c8f4bca0 docs: fix onboarding rendering issues (Sebastian). +- 54737422 chore: reset appcast to 2026.2.3 (Peter Steinberger). +- eef247b7 fix: auto-inject Telegram forum topic threadId in message tool (Clawdbot). +- 6ac5dd2c test: cover telegram topic threadId auto-injection and subagent origin threading (Clawdbot). +- a13efbe2 fix: pass threadId/to/accountId from parent to subagent gateway call (Clawdbot). +- 1473fb19 update handle (Gustavo Madeira Santana). +- 4fc4c525 🤖 Feishu: expand channel support (Josh Palmer). +- 7c951b01 🤖 Feishu: tighten mention gating (Josh Palmer). +- f32eeae3 fix: remove orphaned tool_results during compaction pruning (Christian Klotz). +- b8004a28 docs: improve DM security guidance with concrete example (Shrinija Kummari). +- 873182ec docs: tighten secure DM example (George Pickett). +- 8577d015 chore: remove tracked .DS_Store files (Gustavo Madeira Santana). +- db31c0cc feat: add xAI Grok provider support (George Pickett). +- 155dfa93 fix(onboard): align xAI default model to grok-4 (George Pickett). +- 6ff209e9 fix(exec-approvals): coerce bare string allowlist entries to objects (#9790) (Marcus Castro). +- 5958e569 Thinking: accept extra-high alias and sync Codex FAQ wording (slonce70). +- 7db83954 Changelog: note #9976 thinking alias + Codex 5.3 docs sync (slonce70). +- 6f4665dd chore: Update deps. (cpojer). +- 2267d58a feat(feishu): replace built-in SDK with community plugin (Yifeng Wang). +- 7e32f1ce fix(feishu): add targeted eslint-disable comments for SDK integration (Yifeng Wang). +- 8ba1387b fix(feishu): fix webhook mode silent exit and receive_id_type default (Yifeng Wang). +- 7e005acd chore: update pnpm-lock.yaml for feishu extension deps (Yifeng Wang). +- 5f6e1c19 feat(feishu): sync with clawdbot-feishu #137 (multi-account support) (Yifeng Wang). +- 0a485924 add PR review workflow templates (Gustavo Madeira Santana). +- 47538bca fix: Gateway canvas host bypasses auth and serves files unauthenticated (Coy Geek). +- ee1ec3fa Add proper `onToolResult` fallback. (cpojer). +- 6c42d346 chore: Add VS Code defaults and extensions so that Oxlint/Oxfmt work automatically. (cpojer). +- 8abce8a8 fix: `onToolResult` fallback is not expected. (cpojer). +- f16e32b7 fix: Do not `process.exit(0)` in the middle of a test. (cpojer). +- 328b69be chore: Fix audit test on Windows. (cpojer). +- ac0c2f26 docs: update clawtributors (add @unisone) (Sebastian). +- 7b2a2212 chore: run lint step after build during preflight check (Gustavo Madeira Santana). +- 72245855 fix: add fallback for Control UI asset resolution in global installs (Gustavo Madeira Santana). +- b40da2cb fix: remove dead restore control-ui step from update runner (Gustavo Madeira Santana). +- 4a59b778 fix: CLI harden update restart imports and fix nested bundle version resolution (Gustavo Madeira Santana). +- 134c03a9 feat: add markdownlint configuration for documentation formatting and linting (Sebastian). +- 1bf9f237 docs: linting (Sebastian). +- c7aec066 docs(markdownlint): enable autofixable rules and normalize links (Sebastian). +- 0a1f4f66 revert(docs): undo markdownlint autofix churn (Sebastian). ## 2026.2.2-3