64863 Commits

Author SHA1 Message Date
kenners22
ffa6ebda4c fix(cli): protect protocol stdout during startup (#89997)
* fix(cli): suppress mcp serve startup stdout

* fix(cli): suppress mcp serve startup stdout

* fix(cli): protect protocol stdout during startup

* fix(cli): match ACP protocol options at startup

* fix(cli): derive protocol ownership from command action

---------

Co-authored-by: JARVIS <kenners22@users.noreply.github.com>
Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>
2026-07-06 17:55:50 -07:00
Dallin Romney
c1b9e36221 test(qa): migrate channel thread and DM isolation scenarios (#101112)
* test(qa): migrate channel thread isolation scenarios

* test(qa): remove stale Matrix scenario fixture

* test(qa): use canonical coverage taxonomy ids

* test(qa): preserve Matrix flow runtime identities

* test(qa): expose Slack thread polling helper

* test(qa): select Matrix for native thread smoke

* test(qa): keep Matrix subagent spawn opt-in

* test(qa): target selected live account in scenario patches
2026-07-06 17:52:38 -07:00
Peter Steinberger
2b6eb31999 chore(ci): refresh generated baselines (#101242) 2026-07-07 01:47:44 +01:00
Vincent Koc
0e8870da76 fix(ci): refresh Mythos plugin SDK export budget 2026-07-06 17:43:24 -07:00
Vincent Koc
74bb2ad7a5 fix(package): reuse bundled artifact for install smoke 2026-07-07 02:31:09 +02:00
Vincent Koc
9d86728795 refactor(ui): localize internal type exports (#101165) 2026-07-06 17:28:31 -07:00
huangjianxiong
c3c4d03f90 fix(browser): bound response text decoding (#98940)
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 01:25:49 +01:00
Peter Steinberger
f95ca90378 fix(ios): persist voice notes through offline delivery (#101236)
* fix(ios): persist voice note delivery state

* fix(ios): pin chats during attachment staging

* fix(ios): keep voice notes on captured chat

* fix(ios): keep voice notes durable through staging

* fix(ios): harden voice note lifecycle

* test(ios): satisfy strict concurrency in voice note proof

* fix(ios): keep legacy attachment sends live

* fix(ios): retain legacy drafts during outbox restore

* fix(ios): pin voice note recipient presentation

* fix(ios): preserve confirmed voice note duration

* chore(i18n): refresh voice note source inventory

* chore: leave release notes to release automation
2026-07-07 01:21:16 +01:00
Vincent Koc
f305e707a3 feat(models): add Claude Mythos 5 support (#101238) 2026-07-06 17:19:49 -07:00
cxbAsDev
090c3a26d0 fix(msteams): bound Graph attachment JSON responses (#101082)
* fix(extensions/msteams): bound Graph collection JSON response read to prevent OOM

* fix(msteams): bound Graph message JSON reads

* test(msteams): exercise Graph overflow response

* refactor(msteams): stream Graph hosted content

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 01:18:09 +01:00
WhatsSkiLL
bce414d8b8 improve(android): align command palette row affordances (#101072)
* android: tidy command palette row affordances

* docs(android): credit command palette polish

---------

Co-authored-by: IWhatsskill <284122573+IWhatsskill@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 01:14:46 +01:00
Peter Steinberger
4c97aa1311 feat(mobile): rename, delete, and create session groups on iOS and Android (#101234)
* feat(mobile): rename, delete, and create sidebar session groups on iOS and Android

Group section headers on the iOS Command Center sessions screen and the
Android sessions screen gain Rename/New/Delete group actions. Bulk ops
enumerate every member (active + archived, explicit high list limit since
the gateway caps an absent limit at 100 rows) and patch category per
session; delete keeps sessions and moves them to Ungrouped. Known custom
groups persist client-side (iOS UserDefaults, Android SharedPreferences)
so empty groups stay visible as move targets.

* chore(i18n): refresh native string inventory after rebase onto main
2026-07-07 01:09:57 +01:00
Peter Steinberger
aed2482292 fix(qa): restore automatic smoke coverage across channels (#101186)
* fix(qa): restore channel-sharded smoke coverage

Co-authored-by: Peter Steinberger <steipete@gmail.com>

Co-authored-by: Dallin Romney <dallinromney@gmail.com>

* fix(qa): restore channel-sharded smoke coverage

* fix(qa): restore channel-sharded smoke coverage

* fix(qa): restore channel-sharded smoke coverage

---------

Co-authored-by: Vincent Koc <25068+vincentkoc@users.noreply.github.com>
Co-authored-by: Dallin Romney <dallinromney@gmail.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-06 17:09:40 -07:00
Vincent Koc
736c6743c1 chore(i18n): refresh native inventory line anchors (#101233) 2026-07-06 17:06:27 -07:00
Peter Steinberger
2b3a985b11 chore(i18n): refresh native source inventory (#101232) 2026-07-07 00:58:03 +01:00
Peter Steinberger
5157446a2c feat(ui): rename, delete, and toggle sidebar session groups (#101117)
* feat(ui): rename, delete, and toggle sidebar session groups

Sidebar group headers gain a kebab + right-click menu with Rename group,
New group, and Delete group. Rename/delete enumerate every member session
(active + archived, across agents) via unbounded sessions.list queries and
patch category per session; delete keeps sessions and moves them to
Ungrouped. Stored-but-empty groups render as sections, and the sidebar
sort popover gains a persisted Group by toggle (Custom groups / None).

* test(ui): capture sidebar group management UI proof shots

* fix(ui): page session-group enumeration past the gateway's 100-row default

sessions.list caps an absent limit at SESSIONS_LIST_DEFAULT_LIMIT (100), so
the rename/delete member enumeration now walks nextOffset pages explicitly;
a silent cap would strand members in the old group on stores >100 sessions.

* chore(i18n): restore fallback-key tracking for new sidebar group strings after rebase

* chore(i18n): translate new sidebar group strings across locales
2026-07-07 00:54:36 +01:00
Youssef Hemimy
333a77fde3 fix(memory-core): clamp widen-fallback kNN k to sqlite-vec 4096 limit (#96157)
* fix(memory-core): clamp widen-fallback kNN k to sqlite-vec 4096 limit

The widen fallback in searchVector re-runs the kNN with k = vectorCount
(the full vector table size), unclamped. sqlite-vec hard-caps `k` at 4096,
so once a memory index exceeds 4096 chunks any query that triggers the
fallback fails with "k value in knn query too large".

Clamp the widen re-query to MAX_VECTOR_KNN_K (4096). 4096 oversampled
candidates is far more than enough to feed top-N hybrid ranking, so there
is no meaningful recall loss.

* test(memory-core): cover widen-fallback kNN clamp to sqlite-vec 4096 ceiling

Add two regression tests for the searchVector widen-fallback clamp:
- asserts a >4096-vector widen re-query caps k at 4096 (out-of-range k
  would raise sqlite-vec "k out of range" and kill the whole search)
- asserts a sub-ceiling widen (30) passes through untouched, proving the
  clamp is a ceiling and not a fixed value

Uses a prepare-mock on the KNN/COUNT statements rather than materializing
4097+ real vectors plus the native extension; the assertion is purely on
the k bind handed to the widen re-query.

* fix(memory-core): preserve filtered recall beyond KNN cap

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-06 16:53:34 -07:00
Darren2030
7c0d11eac1 fix(gateway): don't over-claim a crash on a 1006 abnormal close (#101219)
* fix(gateway): don't over-claim a crash on a 1006 abnormal close

A 1006 close code means abnormal closure with no close frame, most often a
connection dropped under a burst of concurrent tool calls or event-loop
saturation — the gateway process typically stays healthy. The troubleshooting
text listed "Gateway crashed or was terminated unexpectedly" as a co-equal
cause, so an operator could pattern-match it and restart a healthy gateway.
Lead with the actionable dropped-under-load cause and demote the
unreachable/terminated case to "rare; confirm it is still running".

Addresses ask 3 of #100941. The connection-pooling and concurrency-cap asks
are architectural and intentionally out of scope, so this does not auto-close
the issue.

Refs #100941

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix(gateway): keep 1006 diagnostics cause-neutral

---------

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-06 16:47:17 -07:00
Peter Steinberger
054e3675e1 feat(android): publish signed APKs with stable releases (#101212)
* feat(android): publish signed release APKs

* fix(android): preserve fallback corrections

* test(android): isolate APK signer fixtures

* docs: refresh generated docs map
2026-07-07 00:39:59 +01:00
Peter Steinberger
dbba3d2a8e fix(ci): stabilize Windows startup fallback tests (#101223)
* test(windows): stabilize startup fallback fixtures

* ci(windows): route daemon scheduler changes
2026-07-07 00:37:50 +01:00
Peter Steinberger
c5161f96ce fix(macos): keep onboarding green across gateway plugin restart (#101218)
* fix(macos): keep onboarding green across gateway plugin restart

Activating the Codex candidate installs the codex plugin and the gateway
restarts itself to load it, dropping the activate RPC socket after the
server already persisted success. Onboarding then claimed every option
failed. Reconcile transport drops against crestodian.setup.detect before
reporting failure, and stop latching the finish-page skills load error
that fires while the pager pre-builds pages before the gateway exists.

* chore(i18n): refresh native inventory line numbers
2026-07-07 00:32:34 +01:00
Peter Steinberger
91d4e8ed8e feat(apple): session search, archived browsing, and sheet management actions (#101053)
The shared chat session sheet (iOS chat + macOS webchat) gains server-backed
search (sessions.list search param, 250ms debounce, cancellation-safe local
fallback when offline), an Active/Archived scope, swipe/context actions for
pin/rename/archive with optimistic updates and rollback, pin indicators, and
restore-on-open for archived rows. Archiving the open session switches back
to the main session so the composer never points at a send-rejecting session.

OpenClawChatTransport consolidates the two list requirements into canonical
listSessions(limit:search:archived:) with forwarding sugars (unreleased
internal API; all in-repo conformers updated: iOS gateway transport, demo and
fixture transports, previews, macOS webchat, test fakes). macOS webchat also
implements patchSession, giving the sheet's controls a live transport there.

OpenClawChatSessionEntry becomes var-based and gains pinnedAt/archivedAt;
the two full-init rebuild blocks in ChatViewModel collapse to copy-mutation
(the pattern that silently dropped newly added fields), preserving main's
model-identity/thinking-metadata semantics. A shared session list organizer
mirrors gateway ordering (pinnedAt desc, updatedAt desc, key) for cached and
offline lists, and pinned sessions survive the 24h recency cutoff in the
session picker.

Refs #100712
2026-07-07 00:28:38 +01:00
Peter Steinberger
bab9952801 test(windows): isolate fallback ownership models 2026-07-06 19:28:02 -04:00
SnoutFirst
e5e721fdc5 fix(control-ui): make long /btw side results scrollable (#101169)
* fix(control-ui): make long /btw side results scrollable

The BTW side-result card in Control UI expanded to the full height of its
content on desktop, so answers taller than the viewport couldn't be read.
Constrain the result body with a max-height and overflow:auto so it scrolls
in place, while keeping the existing mobile overlay behavior intact.

- Add max-height/min(55vh,480px), overflow:auto, and overscroll-behavior:contain
  to .chat-side-result__body for non-mobile viewports.
- Reset those rules inside the mobile media query so the whole card still
  scrolls as a fixed overlay.
- Add a lightweight browser test that verifies the body is scrollable on
  desktop and the mobile overlay still scrolls as a whole.

* test(ui): consolidate side-result scroll coverage

* chore: keep release notes in PR metadata

* test(ui): verify side-result scroll interactions

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 00:26:24 +01:00
Dallin Romney
95e3b9243b test: execute media and Talk runtime boundaries (#101091)
* test: execute media and Talk runtime boundaries

* test(qa): centralize gateway fixture startup

* test(qa): check in voice call plugin fixture
2026-07-06 16:25:33 -07:00
zengLingbiao
db25e9ec52 fix(web-shared): bound response.text() fallback to honor maxBytes (#99884)
* fix(web-shared): bound response.text() fallback to honor maxBytes

readResponseText's .text() fallback path ignored the maxBytes option,
reading the full body unbounded. When a foreign Response lacks a body
stream (no getReader) and no arrayBuffer(), the .text() call was the
last resort — but maxBytes was never applied.

- Honor maxBytes in the .text() fallback: truncate + set truncated=true
- Under-cap responses pass through unchanged
- No maxBytes set → original behavior preserved (regression safe)

* fix(web-shared): use byte-level truncation in .text() fallback

Replace text.length/text.slice (character-level) with TextEncoder/
TextDecoder (byte-level) so the maxBytes cap is respected at byte
granularity, consistent with the bounded-stream path at lines 240-298.

- bytes.byteLength > maxBytes instead of text.length > maxBytes
- TextDecoder().decode(bytes.slice(0, maxBytes)) for byte-safe truncation
- bytesRead reports actual bytes, not character count

* fix(web-shared): refuse unbounded .text() when maxBytes is set

When maxBytes is set the caller expects bounded memory. The .text()
fallback path buffers the full body before any post-read check,
defeating the cap. Fail-closed by returning empty with truncated=true
instead of calling .text() unbounded.

Without maxBytes .text() is safe — the caller accepts full allocation.

* fix(web-shared): byte-level truncation in .text() fallback with maxBytes

The .text() fallback used text.length (characters) and text.slice
(char-level) against a byte-level maxBytes cap. Use TextEncoder/
TextDecoder for byte-accurate comparison and truncation.

- bytes.byteLength > maxBytes instead of text.length > maxBytes
- TextDecoder().decode(bytes.slice(0, maxBytes)) for byte-safe truncation
- bytesRead reports actual byte count, not character count

* fix(web): fail closed on unbounded response fallbacks

* test(web): use streaming response fixtures

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 00:24:36 +01:00
huangjianxiong
a89fe705b8 fix(openai): bound Codex OAuth token response body reads with readResponseWithLimit (#99479)
* fix(openai): bound Codex OAuth token response body reads with readResponseWithLimit

Replace unbounded response.arrayBuffer() in postTokenForm with
readResponseWithLimit using a 1 MiB cap to prevent OOM from oversized
token endpoint responses. Add real node:http loopback server tests.

* fix(openai): wrap readResponseWithLimit result in Uint8Array for TS BodyInit compat

- Fixes TS2345: Buffer<ArrayBufferLike> not assignable to BodyInit
- Resolves check-prod-types, check-test-types, and
  check-additional-extension-package-boundary CI failures

Ref. https://github.com/openclaw/openclaw/pull/99479

* test(openai): verify OAuth response release

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-07 00:18:20 +01:00
Vincent Koc
d09e2e738c fix(provider): satisfy Featherless release checks 2026-07-06 16:17:44 -07:00
Vincent Koc
8970fa2e83 docs(provider): document Featherless AI setup 2026-07-06 16:17:44 -07:00
Vincent Koc
2c11f11303 feat(provider): add Featherless AI integration 2026-07-06 16:17:44 -07:00
Peter Steinberger
317aa89af5 perf(test): unit-test parallels validation failures 2026-07-06 19:16:56 -04:00
Peter Steinberger
b978dcc63b feat(ios): record and send voice notes from the chat composer (#100946)
* feat(ios): record and send voice notes from the chat composer

Adds tap-to-record voice notes to the shared chat composer: m4a/AAC mono
capture with a 3-minute cap, lazy mic permission, cancel/finish controls,
audio attachment chips with duration, and a voice-note transcript row.
Voice-wake suppression becomes reason-scoped so recording and Talk cannot
clobber each other. Attachments stay online-only per the outbox contract.

Related: #100709

* fix(ios): harden voice note attachment staging

* chore(ios): keep voice note changelog release-owned

* fix(ios): gate voice notes with attachment availability

* chore(ios): refresh native localization inventory
2026-07-07 00:14:05 +01:00
Peter Steinberger
bb44c2311d fix(windows): repair legacy gateway fallback updates (#101213)
* fix(windows): repair doctor update fallback migration

* fix(windows): remove hidden startup fallback launchers

* fix(windows): preserve recovered gateway tokens

* fix(windows): harden update fallback migration

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(windows): capture fallback runtime before task rewrite

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(windows): complete legacy update restart handoff

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(windows): verify fallback ownership during migration

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* fix(windows): honor update restart policy during repair

* fix(windows): wait for task takeover evidence

* fix(windows): preserve fallback after direct task launch

* fix(windows): preserve repaired task identity

* fix(windows): snapshot gateway before repair

* fix: scope update service repair ownership

* style: satisfy update lint checks

* fix: restart gateways stopped during updates

* fix(windows): enforce fallback process takeover

* fix(windows): prove fallback ownership during takeover

* fix(windows): verify process exit during takeover

* fix(windows): wait through fallback reloads

* fix(windows): harden fallback takeover ownership

* fix(windows): type takeover preflight inputs

* fix(windows): recognize booting replacement task

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

* chore: leave changelog release-owned

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-07-07 00:09:48 +01:00
Peter Steinberger
4c6c9660c3 fix(install): raise postinstall dist scan budget so npm upgrades cannot trip the shared cap (#101206)
The single InstalledDistScanBudget is consumed across all three prune
walks (legacy-deps prepass, dist file listing, empty-dir sweep). During
an npm upgrade the dist dir transiently holds old+new content-hashed
files, so a real upgrade scan totals ~24k entries against the 25k cap;
one more release of dist growth would make 'npm install -g openclaw'
throw InstalledDistScanLimitError for every upgrading user. Raise the
cap to 100k for real headroom while keeping the unbounded-scan guard,
and ratchet the cap in the test so it cannot be lowered back.
2026-07-07 00:07:05 +01:00
Vortex Openclaw
1f6ddb5df0 feat(models): add Claude Sonnet 5 support (#98254)
* feat(models): add Claude Sonnet 5 support

Co-authored-by: Ariel Bravy <ariel@vortexradar.com>

* fix(models): align Sonnet 5 validation baselines

* fix(models): satisfy Sonnet 5 CI contracts

* fix(models): enforce Sonnet 5 provider contracts

* docs(changelog): defer Sonnet 5 release note

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: Ariel Bravy <ariel@vortexradar.com>
2026-07-07 00:05:35 +01:00
Peter Steinberger
93eaf5affb feat(android): server-backed session search with offline fallback (#101102)
The sessions screen gains a debounced search field under the filter pills,
wired to server-side sessions.list search in Recent and Archived scopes.
Results flow through the existing filter/sort/grouping pipeline so pinned
and grouped rendering stay intact while searching.

ChatController.fetchSessionList performs the one-shot search without touching
live list state, falls back to locally filtering the cached active list when
the gateway is unreachable (archived rows exist only server-side, so archived
search is empty offline), and rethrows CancellationException before the
fallback so a superseded search never repaints stale rows over a newer query.

Refs #100712
2026-07-07 00:03:28 +01:00
Josh Lehman
d5e9b4d1a3 fix: preserve preflight overflow token counts into recovery budgeting (#101181)
Budget context engine assembly against the reserve and rendered prompt
pressure, and carry the preflight estimated prompt tokens, prompt budget,
and overflow tokens into the outer overflow recovery loop so compaction
engines compact against the prompt OpenClaw actually rendered instead of
a minimally over-budget guess.
2026-07-06 15:58:11 -07:00
tiffanychum
da0103f025 fix(discord): messages sent during gateway reconnect are silently dropped (#100896)
* fix(discord): drain queued outbound deliveries after gateway reconnect (#56610)

Discord sends that failed while the gateway websocket was reconnecting
(close codes 1005/1006) stayed stuck in the outbound delivery queue and
were silently dropped. Classify sends that fail while the registered
gateway is disconnected as retryable, and drain pending discord queue
entries when the gateway reconnects, matching the WhatsApp/Telegram
reconnect drains.

* fix(discord): harden reconnect recovery

Co-authored-by: tiffanychum <71036662+tiffanychum@users.noreply.github.com>

* refactor(discord): remove unsafe reconnect replay

* fix(discord): bound reconnect retry per request

Co-authored-by: tiffanychum <71036662+tiffanychum@users.noreply.github.com>

* chore(changelog): leave reconnect fix to release flow

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 23:56:17 +01:00
Peter Steinberger
e8b0412781 perf(test): defer plugin sdk compiler startup 2026-07-06 18:55:55 -04:00
Peter Steinberger
ef1767baca feat(android): record and send voice notes from the chat composer (#101193)
* feat(android): record and send voice notes from the chat composer

Adds tap-to-record voice notes to both Android chat composers: MediaRecorder
AAC/m4a mono capture with a 3-minute cap, lazy RECORD_AUDIO permission,
cancel/finish controls, audio attachment chips with duration, and voice-note
transcript rows. Recording is mutually exclusive with MicCaptureManager voice
capture (no mic arbiter exists), and the MPEG-4 container brand is normalized
to M4A so gateway byte sniffing classifies the upload as audio, not video.
Attachments stay online-only per the outbox contract.

Related: #100709

* fix(android): coordinate voice note microphone ownership

* chore(android): refresh native localization inventory
2026-07-06 23:54:44 +01:00
Peter Steinberger
66c764b269 feat(ios): tap-to-expand link previews in chat transcript (#101198) 2026-07-06 23:47:33 +01:00
Zachary Yuan
01f0b2340f fix(discord): download attachments at receipt time, not after the run queue (#96183)
* fix(discord): download attachments at receipt time, not after the run queue

Discord's CDN attachment URLs carry an expiring `ex` TTL. Media was
downloaded in processDiscordMessageInner, after the inbound run queue,
so messages delayed behind a busy run lost their attachments silently.
Resolve attachments/forwarded media during preflightDiscordMessage
instead, before the message is enqueued, and carry the result forward
on the context for process to reuse.

Fixes #96165

* refactor(discord): carry one prepared media snapshot

Co-authored-by: ZacharyYW <zachary.w.yuan123@gmail.com>

* fix(discord): guard bot media before download

* chore(discord): leave release notes to release flow

* docs(changelog): credit Discord attachment fix

* chore(changelog): leave attachment fix to release flow

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 23:45:32 +01:00
Peter Steinberger
68c85effcd chore(ui): refresh control ui locales
Translate chat.composer.realtimeTalkRequiresMicrophone across all
locales; it shipped as a recorded English fallback with the chat
composer redesign and broke the control-ui-i18n CI gate on main.
2026-07-06 23:45:10 +01:00
Peter Steinberger
4babbb2f6f feat(ios): context-window usage indicator in the chat composer (#101183) 2026-07-06 23:43:19 +01:00
velanir-ai-manager
8d46971129 fix: sanitize streamed assistant payload text (#101036)
* fix: sanitize streamed assistant payload text

* test(agents): cover streamed reply sanitization

---------

Co-authored-by: Yash Inani <yashinani@Yashs-MacBook-Pro.local>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 23:38:04 +01:00
wings1029
fc77c2b04b fix(discord): bound gateway metadata response body reads to prevent OOM (#98682)
* fix(discord): bound gateway metadata response body reads to prevent OOM

The materializeGuardedResponse helper in the Discord gateway metadata path
buffered the full upstream Response body via response.arrayBuffer() without
any size cap. A malicious or malfunctioning /gateway/bot endpoint that returns
an oversized payload could exhaust gateway memory.

Replace arrayBuffer() with readResponseWithLimit(4 MiB), consistent with
DISCORD_API_RESPONSE_BODY_LIMIT_BYTES in api.ts. Overflow throws an Error
with the byte counts.

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(discord): wrap readResponseWithLimit result in Uint8Array for type compat

readResponseWithLimit returns Buffer which is not assignable to BodyInit in
the undici Response constructor type. Wrap in new Uint8Array() to satisfy the
boundary dts check. Also remove testExports export and mock fetchWithSsrFGuard
in tests via vi.hoisted + vi.mock to avoid leaking internal test-only exports.

Co-Authored-By: Claude <noreply@anthropic.com>

* test(discord): tighten gateway metadata proof

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 23:34:03 +01:00
Peter Steinberger
d931839e0c feat(android): multi-gateway registry, per-gateway credentials, and switching (#100947) 2026-07-06 23:31:49 +01:00
Martin Moellenbeck
cac05ff695 Fix realtime voice-call barge-in cancellation (#90749)
* fix voice call realtime barge-in cancellation

* chore: retrigger PR checks

* chore: retrigger PR checks

* fix voice call realtime barge-in fallback

* fix voice call provider barge-in precedence

* fix voice call speech-started fallback contract

* fix late provider barge-in queued audio clear

* fix realtime handler test raw message parsing

* chore rerun ci

* Document realtime speech-start capability

* fix voice call barge-in interruption policy

* fix(voice-call): centralize realtime barge-in

Co-authored-by: Martin Möllenbeck <martin.moellenbeck@5minds.de>

* chore(changelog): leave voice fix to release flow

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 23:30:16 +01:00
Peter Steinberger
2655bf4dac fix(clawhub): bound archive download bodies (#101176)
* fix(clawhub): bound archive download bodies

Co-authored-by: NIO <nocodet@mail.com>

* docs(changelog): note ClawHub archive bounds

* chore(changelog): defer ClawHub release note

* fix(clawhub): avoid response-limit shadowing

---------

Co-authored-by: NIO <nocodet@mail.com>
2026-07-06 23:29:25 +01:00
cxbAsDev
a464620141 fix(extensions/huggingface): bound model discovery JSON response read to prevent OOM (#101079)
* fix(extensions/huggingface): bound model discovery JSON response read to prevent OOM

* test(huggingface): prove bounded discovery cleanup

* test(huggingface): avoid unbound reader assertions

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-06 23:26:27 +01:00