* feat(mobile): rename, delete, and create sidebar session groups on iOS and Android
Group section headers on the iOS Command Center sessions screen and the
Android sessions screen gain Rename/New/Delete group actions. Bulk ops
enumerate every member (active + archived, explicit high list limit since
the gateway caps an absent limit at 100 rows) and patch category per
session; delete keeps sessions and moves them to Ungrouped. Known custom
groups persist client-side (iOS UserDefaults, Android SharedPreferences)
so empty groups stay visible as move targets.
* chore(i18n): refresh native string inventory after rebase onto main
* feat(ui): rename, delete, and toggle sidebar session groups
Sidebar group headers gain a kebab + right-click menu with Rename group,
New group, and Delete group. Rename/delete enumerate every member session
(active + archived, across agents) via unbounded sessions.list queries and
patch category per session; delete keeps sessions and moves them to
Ungrouped. Stored-but-empty groups render as sections, and the sidebar
sort popover gains a persisted Group by toggle (Custom groups / None).
* test(ui): capture sidebar group management UI proof shots
* fix(ui): page session-group enumeration past the gateway's 100-row default
sessions.list caps an absent limit at SESSIONS_LIST_DEFAULT_LIMIT (100), so
the rename/delete member enumeration now walks nextOffset pages explicitly;
a silent cap would strand members in the old group on stores >100 sessions.
* chore(i18n): restore fallback-key tracking for new sidebar group strings after rebase
* chore(i18n): translate new sidebar group strings across locales
* fix(memory-core): clamp widen-fallback kNN k to sqlite-vec 4096 limit
The widen fallback in searchVector re-runs the kNN with k = vectorCount
(the full vector table size), unclamped. sqlite-vec hard-caps `k` at 4096,
so once a memory index exceeds 4096 chunks any query that triggers the
fallback fails with "k value in knn query too large".
Clamp the widen re-query to MAX_VECTOR_KNN_K (4096). 4096 oversampled
candidates is far more than enough to feed top-N hybrid ranking, so there
is no meaningful recall loss.
* test(memory-core): cover widen-fallback kNN clamp to sqlite-vec 4096 ceiling
Add two regression tests for the searchVector widen-fallback clamp:
- asserts a >4096-vector widen re-query caps k at 4096 (out-of-range k
would raise sqlite-vec "k out of range" and kill the whole search)
- asserts a sub-ceiling widen (30) passes through untouched, proving the
clamp is a ceiling and not a fixed value
Uses a prepare-mock on the KNN/COUNT statements rather than materializing
4097+ real vectors plus the native extension; the assertion is purely on
the k bind handed to the widen re-query.
* fix(memory-core): preserve filtered recall beyond KNN cap
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
* fix(gateway): don't over-claim a crash on a 1006 abnormal close
A 1006 close code means abnormal closure with no close frame, most often a
connection dropped under a burst of concurrent tool calls or event-loop
saturation — the gateway process typically stays healthy. The troubleshooting
text listed "Gateway crashed or was terminated unexpectedly" as a co-equal
cause, so an operator could pattern-match it and restart a healthy gateway.
Lead with the actionable dropped-under-load cause and demote the
unreachable/terminated case to "rare; confirm it is still running".
Addresses ask 3 of #100941. The connection-pooling and concurrency-cap asks
are architectural and intentionally out of scope, so this does not auto-close
the issue.
Refs #100941
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
* fix(gateway): keep 1006 diagnostics cause-neutral
---------
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
* fix(macos): keep onboarding green across gateway plugin restart
Activating the Codex candidate installs the codex plugin and the gateway
restarts itself to load it, dropping the activate RPC socket after the
server already persisted success. Onboarding then claimed every option
failed. Reconcile transport drops against crestodian.setup.detect before
reporting failure, and stop latching the finish-page skills load error
that fires while the pager pre-builds pages before the gateway exists.
* chore(i18n): refresh native inventory line numbers
The shared chat session sheet (iOS chat + macOS webchat) gains server-backed
search (sessions.list search param, 250ms debounce, cancellation-safe local
fallback when offline), an Active/Archived scope, swipe/context actions for
pin/rename/archive with optimistic updates and rollback, pin indicators, and
restore-on-open for archived rows. Archiving the open session switches back
to the main session so the composer never points at a send-rejecting session.
OpenClawChatTransport consolidates the two list requirements into canonical
listSessions(limit:search:archived:) with forwarding sugars (unreleased
internal API; all in-repo conformers updated: iOS gateway transport, demo and
fixture transports, previews, macOS webchat, test fakes). macOS webchat also
implements patchSession, giving the sheet's controls a live transport there.
OpenClawChatSessionEntry becomes var-based and gains pinnedAt/archivedAt;
the two full-init rebuild blocks in ChatViewModel collapse to copy-mutation
(the pattern that silently dropped newly added fields), preserving main's
model-identity/thinking-metadata semantics. A shared session list organizer
mirrors gateway ordering (pinnedAt desc, updatedAt desc, key) for cached and
offline lists, and pinned sessions survive the 24h recency cutoff in the
session picker.
Refs #100712
* fix(control-ui): make long /btw side results scrollable
The BTW side-result card in Control UI expanded to the full height of its
content on desktop, so answers taller than the viewport couldn't be read.
Constrain the result body with a max-height and overflow:auto so it scrolls
in place, while keeping the existing mobile overlay behavior intact.
- Add max-height/min(55vh,480px), overflow:auto, and overscroll-behavior:contain
to .chat-side-result__body for non-mobile viewports.
- Reset those rules inside the mobile media query so the whole card still
scrolls as a fixed overlay.
- Add a lightweight browser test that verifies the body is scrollable on
desktop and the mobile overlay still scrolls as a whole.
* test(ui): consolidate side-result scroll coverage
* chore: keep release notes in PR metadata
* test(ui): verify side-result scroll interactions
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
* fix(web-shared): bound response.text() fallback to honor maxBytes
readResponseText's .text() fallback path ignored the maxBytes option,
reading the full body unbounded. When a foreign Response lacks a body
stream (no getReader) and no arrayBuffer(), the .text() call was the
last resort — but maxBytes was never applied.
- Honor maxBytes in the .text() fallback: truncate + set truncated=true
- Under-cap responses pass through unchanged
- No maxBytes set → original behavior preserved (regression safe)
* fix(web-shared): use byte-level truncation in .text() fallback
Replace text.length/text.slice (character-level) with TextEncoder/
TextDecoder (byte-level) so the maxBytes cap is respected at byte
granularity, consistent with the bounded-stream path at lines 240-298.
- bytes.byteLength > maxBytes instead of text.length > maxBytes
- TextDecoder().decode(bytes.slice(0, maxBytes)) for byte-safe truncation
- bytesRead reports actual bytes, not character count
* fix(web-shared): refuse unbounded .text() when maxBytes is set
When maxBytes is set the caller expects bounded memory. The .text()
fallback path buffers the full body before any post-read check,
defeating the cap. Fail-closed by returning empty with truncated=true
instead of calling .text() unbounded.
Without maxBytes .text() is safe — the caller accepts full allocation.
* fix(web-shared): byte-level truncation in .text() fallback with maxBytes
The .text() fallback used text.length (characters) and text.slice
(char-level) against a byte-level maxBytes cap. Use TextEncoder/
TextDecoder for byte-accurate comparison and truncation.
- bytes.byteLength > maxBytes instead of text.length > maxBytes
- TextDecoder().decode(bytes.slice(0, maxBytes)) for byte-safe truncation
- bytesRead reports actual byte count, not character count
* fix(web): fail closed on unbounded response fallbacks
* test(web): use streaming response fixtures
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
* fix(openai): bound Codex OAuth token response body reads with readResponseWithLimit
Replace unbounded response.arrayBuffer() in postTokenForm with
readResponseWithLimit using a 1 MiB cap to prevent OOM from oversized
token endpoint responses. Add real node:http loopback server tests.
* fix(openai): wrap readResponseWithLimit result in Uint8Array for TS BodyInit compat
- Fixes TS2345: Buffer<ArrayBufferLike> not assignable to BodyInit
- Resolves check-prod-types, check-test-types, and
check-additional-extension-package-boundary CI failures
Ref. https://github.com/openclaw/openclaw/pull/99479
* test(openai): verify OAuth response release
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
The single InstalledDistScanBudget is consumed across all three prune
walks (legacy-deps prepass, dist file listing, empty-dir sweep). During
an npm upgrade the dist dir transiently holds old+new content-hashed
files, so a real upgrade scan totals ~24k entries against the 25k cap;
one more release of dist growth would make 'npm install -g openclaw'
throw InstalledDistScanLimitError for every upgrading user. Raise the
cap to 100k for real headroom while keeping the unbounded-scan guard,
and ratchet the cap in the test so it cannot be lowered back.
The sessions screen gains a debounced search field under the filter pills,
wired to server-side sessions.list search in Recent and Archived scopes.
Results flow through the existing filter/sort/grouping pipeline so pinned
and grouped rendering stay intact while searching.
ChatController.fetchSessionList performs the one-shot search without touching
live list state, falls back to locally filtering the cached active list when
the gateway is unreachable (archived rows exist only server-side, so archived
search is empty offline), and rethrows CancellationException before the
fallback so a superseded search never repaints stale rows over a newer query.
Refs #100712
Budget context engine assembly against the reserve and rendered prompt
pressure, and carry the preflight estimated prompt tokens, prompt budget,
and overflow tokens into the outer overflow recovery loop so compaction
engines compact against the prompt OpenClaw actually rendered instead of
a minimally over-budget guess.
* fix(discord): drain queued outbound deliveries after gateway reconnect (#56610)
Discord sends that failed while the gateway websocket was reconnecting
(close codes 1005/1006) stayed stuck in the outbound delivery queue and
were silently dropped. Classify sends that fail while the registered
gateway is disconnected as retryable, and drain pending discord queue
entries when the gateway reconnects, matching the WhatsApp/Telegram
reconnect drains.
* fix(discord): harden reconnect recovery
Co-authored-by: tiffanychum <71036662+tiffanychum@users.noreply.github.com>
* refactor(discord): remove unsafe reconnect replay
* fix(discord): bound reconnect retry per request
Co-authored-by: tiffanychum <71036662+tiffanychum@users.noreply.github.com>
* chore(changelog): leave reconnect fix to release flow
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
* feat(android): record and send voice notes from the chat composer
Adds tap-to-record voice notes to both Android chat composers: MediaRecorder
AAC/m4a mono capture with a 3-minute cap, lazy RECORD_AUDIO permission,
cancel/finish controls, audio attachment chips with duration, and voice-note
transcript rows. Recording is mutually exclusive with MicCaptureManager voice
capture (no mic arbiter exists), and the MPEG-4 container brand is normalized
to M4A so gateway byte sniffing classifies the upload as audio, not video.
Attachments stay online-only per the outbox contract.
Related: #100709
* fix(android): coordinate voice note microphone ownership
* chore(android): refresh native localization inventory
* fix(discord): download attachments at receipt time, not after the run queue
Discord's CDN attachment URLs carry an expiring `ex` TTL. Media was
downloaded in processDiscordMessageInner, after the inbound run queue,
so messages delayed behind a busy run lost their attachments silently.
Resolve attachments/forwarded media during preflightDiscordMessage
instead, before the message is enqueued, and carry the result forward
on the context for process to reuse.
Fixes#96165
* refactor(discord): carry one prepared media snapshot
Co-authored-by: ZacharyYW <zachary.w.yuan123@gmail.com>
* fix(discord): guard bot media before download
* chore(discord): leave release notes to release flow
* docs(changelog): credit Discord attachment fix
* chore(changelog): leave attachment fix to release flow
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
Translate chat.composer.realtimeTalkRequiresMicrophone across all
locales; it shipped as a recorded English fallback with the chat
composer redesign and broke the control-ui-i18n CI gate on main.
* fix(discord): bound gateway metadata response body reads to prevent OOM
The materializeGuardedResponse helper in the Discord gateway metadata path
buffered the full upstream Response body via response.arrayBuffer() without
any size cap. A malicious or malfunctioning /gateway/bot endpoint that returns
an oversized payload could exhaust gateway memory.
Replace arrayBuffer() with readResponseWithLimit(4 MiB), consistent with
DISCORD_API_RESPONSE_BODY_LIMIT_BYTES in api.ts. Overflow throws an Error
with the byte counts.
Co-Authored-By: Claude <noreply@anthropic.com>
* fix(discord): wrap readResponseWithLimit result in Uint8Array for type compat
readResponseWithLimit returns Buffer which is not assignable to BodyInit in
the undici Response constructor type. Wrap in new Uint8Array() to satisfy the
boundary dts check. Also remove testExports export and mock fetchWithSsrFGuard
in tests via vi.hoisted + vi.mock to avoid leaking internal test-only exports.
Co-Authored-By: Claude <noreply@anthropic.com>
* test(discord): tighten gateway metadata proof
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>