The cost bar was falling back to summing estimatedCost from ALL Claude
Code sessions (all-time) when the token_usage table was empty, showing
inflated costs like $3678. Now only uses the token_usage table which
is already filtered to the 24h timeframe.
The task detail view was setting inputMode for status/assign/priority/
comment but never rendering the input bar — keystrokes were captured
but invisible. Add input bar rendering before the footer in
renderTaskDetail().
Tasks in inbox status are now automatically assigned to the best
matching agent based on role affinity and capability scoring:
- Role keywords: coder matches code/implement/fix, researcher matches
research/analyze/audit, etc.
- Agent capabilities from config are matched against task text
- Idle agents preferred over busy ones
- Capacity limit: agents with 3+ in-progress tasks are skipped
- Runs every 60s before task dispatch (inbox → assigned → dispatch)
Flow: create task (inbox) → auto-route picks best agent (assigned)
→ scheduler dispatches to Claude API (in_progress) → response stored
(review) → Aegis approves (done). Fully hands-free.
* feat: direct Claude API task dispatch (gateway-free)
Add a built-in task executor that calls the Anthropic Messages API
directly when no OpenClaw gateway is available. This makes the full
task lifecycle work out of the box — tasks are actually executed by
Claude, not just tracked as metadata.
How it works:
- Scheduler checks: is a gateway registered? If yes, use gateway
dispatch (existing path). If no, check for ANTHROPIC_API_KEY.
- When dispatching via direct API: builds prompt from task + agent
SOUL, selects model by complexity (Opus/Sonnet/Haiku), calls
Claude Messages API, stores response as resolution.
- Aegis reviews also work via direct API — same fallback logic.
- Token usage is recorded in the token_usage table.
- After dispatch, task moves to 'review' for Aegis quality check.
Setup: add ANTHROPIC_API_KEY=sk-ant-... to .env.local
No gateway, no OpenClaw, no extra dependencies needed.
* fix(tui): add missing ansi.blue color function
* fix: add inline token editor to gateway card (#459)
The gateway card showed token status as read-only (set/none) with no
way to update it. Users with a registered gateway but missing token
had to delete and re-add the gateway.
Add [edit] link next to the token indicator that expands an inline
password input. Supports Enter to save, Escape to cancel. Calls
PUT /api/gateways with the token field (already supported by API).
* feat(tui): multi-step task creation + assign/priority actions
- [n]ew now prompts: title → description → priority → assign agent
(Enter skips optional steps)
- [a]ssign key to assign selected task to an agent (shows available
agent names)
- [p]riority key to change task priority (low/medium/high/critical)
- Updated help bar and usage text with new keybindings
* feat(tui): task detail view, activity feed, comments, priority column
- Enter on a task opens full detail view showing: status, priority,
assignment, description, resolution, quality reviews, and comments
- Task detail supports [s]tatus, [a]ssign, [p]riority, [c]omment,
[r]efresh actions
- Activity feed below task list shows recent task/agent events with
timestamps and icons
- Priority column added to task list with color coding
- [e]dit key for title editing (moved from Enter)
The gateway card showed token status as read-only (set/none) with no
way to update it. Users with a registered gateway but missing token
had to delete and re-add the gateway.
Add [edit] link next to the token indicator that expands an inline
password input. Supports Enter to save, Escape to cancel. Calls
PUT /api/gateways with the token field (already supported by API).
The multi-gateway panel was constructing WebSocket URLs client-side
using buildGatewayWebSocketUrl() with the gateway's DB host/port,
ignoring the server-side URL resolution that respects
NEXT_PUBLIC_GATEWAY_URL, Tailscale Serve, and reverse-proxy configs.
- Remove client-side buildGatewayWebSocketUrl fallback in connectTo()
— server's /api/gateways/connect already handles all URL resolution
- Simplify gatewayMatchesConnection() to use direct host/port string
matching without constructing a derived WS URL
- Remove unused buildGatewayWebSocketUrl import
Fixes#468
- [n] new task with inline title input
- [enter] edit task title on selected task
- [s] change task status (inbox/assigned/in_progress/done/failed)
- [d] delete task with y/n confirmation
- Full text input mode with backspace, esc cancel, enter submit
- Input bar renders at footer with context-aware hints
The E2E tests run the standalone server (NODE_ENV=production) but need
rate limiting disabled. Allow MC_DISABLE_RATE_LIMIT bypass when
MISSION_CONTROL_TEST_MODE=1 is also set, even in production.
Fixes 100 E2E failures (429 rate limited) in CI.
- Fall back to updated_at/created_at when last_seen is null
- Sum session estimatedCost when token_usage table is empty
- Dark navy blue header background (256-color 17)
- Arrow keys navigate agent/task lists with highlighted selection
- Tab switches between agents and tasks panels
- Enter on agent opens detail view with sessions list
- Enter on session loads chat transcript
- PgUp/PgDn scrolls chat history
- Esc goes back to dashboard
- Scrolling window keeps cursor visible in long lists
- Use alternate screen buffer so terminal doesn't scroll
- Show "healthy (no gateway)" when core checks pass but gateway is down
- Restore original terminal state on exit
- Add stale task watchdog (requeueStaleTasks) to scheduler — detects
in_progress tasks with offline agents and requeues or fails them
- Fix Aegis rejection loop: rejected tasks now requeue to 'assigned'
instead of staying in 'in_progress', with max 3 retries before failing
- Track dispatch_attempts on tasks (migration 044) to prevent infinite
retry loops — tasks fail after 5 dispatch attempts
- Include error_message and reason in SSE event broadcasts so UI can
show why a task reverted
- Atomic task queue claim: replace SELECT-then-UPDATE race with single
UPDATE...RETURNING statement
- Gateway agent auto-registration: POST/PUT /api/gateways accepts
optional 'agents' array to upsert agents (k8s sidecar support)
- Document k8s sidecar deployment in docs/deployment.md
Fixes: tasks stuck in assigned, Aegis rejection loops, agents invisible
in k8s sidecar deployments
FR-D1: Add least-privilege auth guidance to SECURITY-HARDENING.md
- Agent-scoped keys vs global API key comparison
- Auth hierarchy table (scoped key > global key > session > proxy)
- CLI examples for creating scoped keys
- Monitoring guidance for global key usage
FR-D2: Log security event when global admin API key is used
- Emits 'global_api_key_used' event to audit trail
- Hints toward agent-scoped keys for least-privilege
FR-D3: Add durable spawn history persistence
- New migration 043_spawn_history with indexed table
- spawn-history.ts with recordSpawnStart/Finish, getSpawnHistory,
getSpawnStats functions
- Replaces log-scraping fallback with DB-backed tracking
FR-D4: Document rate-limit backend strategy
- Current in-memory Map approach documented
- Pluggable backend plan for multi-instance (Redis, SQLite WAL)
- Per-agent rate limiter details documented
Also fixes MCP test type annotation (content: string → any).
Zero-dependency TUI using raw ANSI escape codes. Shows:
- System health status with connection indicator
- Agents panel (sorted by status, with last heartbeat)
- Tasks panel (recent tasks with status and assignee)
- Token costs summary (24h)
Keyboard controls:
- r: refresh now
- a: focus agents panel
- t: focus tasks panel
- w: wake first sleeping agent
- q/Esc: quit
Auto-refreshes every 5s (configurable with --refresh flag).
Uses same profile/auth system as CLI and MCP server.
Run with: pnpm mc:tui
- Debug panel now probes both legacy (/api/status, /api/health) and current
OpenClaw routes (/healthz, /health, /ready) with automatic fallback.
Returns probedPath in response so admins know which route succeeded.
- POST proxy allowlist updated to include current gateway health routes.
- Path validation relaxed from /api/ prefix to / prefix (health routes
don't use /api/).
- Dockerfile: chmod 755 entrypoint (was +x/711, shell needs read permission)
and chmod -R a+rX on public/ and src/ for nextjs user access.
- Hash session tokens (SHA-256) before storing in DB; migration for existing tokens
- Enforce 12-char password minimum on self-service change (was 8, creation was 12)
- Increase scrypt cost N=16384→65536 with progressive rehash on login
- Add MC_PROXY_AUTH_TRUSTED_IPS to restrict proxy auth header spoofing
- Enable HSTS by default in production (opt-out via MC_DISABLE_HSTS=1)
- Restrict debug endpoint to allowlisted gateway API paths (SSRF prevention)
- Default session cookie secure=true in production
- Gate MC_DISABLE_RATE_LIMIT on NODE_ENV !== 'production'
- Remove password value from insecure-default log warning
- chmod 600 generated secrets file in Docker entrypoint
- add bounded timeout+retry helper for /api/setup checks
- show actionable setup error state with Retry button
- avoid blank-screen fallback when setup status check fails
- add unit tests for retry helper
Fixes#456
* feat: add system monitor panel with live CPU, memory, disk, and GPU metrics
New btop-inspired monitoring page in the OBSERVE sidebar group.
Polls /api/system-monitor every 2s and renders rolling Recharts area
charts for CPU/memory/GPU and progress bars for disk usage.
* feat: add network I/O monitoring to system monitor panel
Add live network throughput (rx/tx bytes/sec) as a dual area chart.
API returns cumulative byte counters per interface (stateless), frontend
computes rates from deltas between 2s polls. Supports Linux (/proc/net/dev)
and macOS (netstat -ib).
* feat: add top processes list to system monitor
Shows top 8 processes by CPU usage in a compact table with CPU%, Mem%,
and RSS columns. Color-codes high usage values. Uses ps on both Linux
and macOS with fallback for platforms without --sort support.
* fix: normalize process CPU% to 0-100 and filter out ps itself
CPU% from ps is per-core (e.g. 200% on 4 cores), now divided by core
count to show total system percentage. Also filters out the ps command
that briefly appears while collecting process data.
---------
Co-authored-by: Dan <github@bookkept.com.au>
Add ability to hide agents from the dashboard without deleting them.
Hidden agents still receive heartbeats and exist in the DB — they are
purely hidden from the default UI view.
- Migration 042: adds `hidden` column to agents table
- API: POST/DELETE /api/agents/[id]/hide to toggle visibility
- GET /api/agents filters hidden by default, ?show_hidden=true to include
- UI: "Show hidden" toggle in panel header, Hide/Unhide button on cards
Co-authored-by: Dan <github@bookkept.com.au>
Add min-h-0 to the kanban board flex container and its column children
so that overflow-y-auto on column bodies can actually trigger. Without
this, flexbox min-height:auto causes containers to grow unbounded
instead of constraining height and enabling scroll.
Fixes#376
Co-authored-by: Dan <github@bookkept.com.au>
- make /api/spawn compatible with gateway-managed default models
- add regression coverage for gateway dashboard registration
- publish official multi-arch images to Docker Hub when configured
Add awaiting_owner column to task board with keyword-based detection
for tasks requiring human action. Tasks matching keywords like
"waiting for", "needs human", "approval needed" are automatically
placed in a dedicated column with orange styling.
Supersedes #397
Add a CSS-only Dunk It button to task cards with a 4-phase state
machine (idle, success, error, dismissing). Uses inline CSS
transitions for animations with no external dependencies.
Supersedes #373
Dynamically scan workspace-* directories under the openclaw state dir
to discover per-agent skill roots. Display them in the Skills Hub with
agent-specific labels and violet badge styling.
Closes#412
Supersedes #413
Replace style-src nonce directive with unsafe-inline to support
reagraph's runtime <style> injection. Add style-src-elem and
style-src-attr directives for CSP Level 3 compliance. Extend
fitNodesInView retries from 2 to 4 for more reliable canvas sizing.
Closes#414
Supersedes #415
nyk
Nyk
danielaustralia1