- Remove duplicate title check from POST /api/tasks (closes#368)\n- Scope recurring tasks duplicate check by project_id\n- Fix task deletion error handling — show errors to user (closes#369)\n- Enable vertical scrolling on Kanban board (closes#376)\n- Refactor nodes route to use RPC via callOpenClawGateway\n- Handle read-only filesystem in gateway config registration\n- Add screenshot-drift CI workflow and guide\n- Docker compose: add host-gateway for reaching host gateway
Switches notification delivery from sessions_send to gateway call agent command. No longer requires session_key — uses agent name (recipient) directly. Timeout increased 10s to 30s.
When memoryAllowedPrefixes is configured, scan only those subdirectories instead of the entire MEMORY_PATH. Falls back to full scan if no prefixes are set.\n\nCloses #366
- Remove unconditional `dangerouslyDisableDeviceAuth = true` from MC
origin registration. MC should only add its origin to allowedOrigins,
not silently downgrade the gateway's device auth security posture.
- Replace invalid `sandbox` value with `allowlist` in security scan
and auto-fix for `tools.exec.security`. Current OpenClaw validates
only: deny, allowlist, full. The old `sandbox` value was rejected.
Closes#357, closes#356
- Move pids limit from service-level `pids_limit` to
`deploy.resources.limits.pids` for Compose v5+ compatibility.
Some Compose versions normalize both into the same field, causing
"can't set distinct values" errors.
- Clear OpenClaw update banner when `/api/openclaw/version` reports
`updateAvailable: false`. Previously the banner could persist after
a successful update because only the `true` path was handled.
Closes#353, closes#351
* fix: show all agents in command select, disable those without active session
Previously the agent select in the OrchestrationBar only listed agents
with a session_key set (agents.filter(a => a.session_key)), causing the
dropdown to appear completely empty when agents exist but none have an
active session. This was confusing — users thought no agents were
registered.
Fix: show all registered agents in the dropdown. Agents without an
active session_key are shown as disabled with a '— no session' suffix
and a tooltip explaining why they can't be messaged. The 'No agents
registered' placeholder is shown only when the agents array is truly
empty.
The send button remains correctly disabled when no valid agent is
selected.
Fixes#321
* test: add gateway health history e2e + utility unit tests
- Add tests/gateway-health-history.spec.ts: Playwright e2e tests for
GET /api/gateways/health/history and POST /api/gateways/health
covering auth guards, response shape validation, chronological
ordering, and gateway name resolution.
- Add src/app/api/gateways/health/health-utils.test.ts: 30 vitest
unit tests for the pure utility functions in the health probe route:
ipv4InCidr, isBlockedUrl (SSRF protection), buildGatewayProbeUrl,
parseGatewayVersion, and hasOpenClaw32ToolsProfileRisk.
All 30 unit tests pass. Covers the health history feature introduced
in feat(gateways): add health history logging and timeline (#300).
* test: add Docker-mode integration tests for gateway connectivity regressions
Covers three post-fix regression scenarios:
- 404 on gateway health (wizard used GET; endpoint is POST-only) — #334
- EROFS / build-phase DB eager init in Docker — #337
- Gateway connect resolves ws_url without OPENCLAW_HOME env var
Adds tests/docker-mode.spec.ts with four describe blocks:
1. Gateway health endpoint contract (POST=200, GET=405, no-auth=401)
2. Lazy DB init on first runtime request (read + write paths)
3. Gateway connect without home env vars
4. Onboarding gateway-link step lifecycle
* fix: show all agents in command select, disable those without active session
Previously the agent select in the OrchestrationBar only listed agents
with a session_key set (agents.filter(a => a.session_key)), causing the
dropdown to appear completely empty when agents exist but none have an
active session. This was confusing — users thought no agents were
registered.
Fix: show all registered agents in the dropdown. Agents without an
active session_key are shown as disabled with a '— no session' suffix
and a tooltip explaining why they can't be messaged. The 'No agents
registered' placeholder is shown only when the agents array is truly
empty.
The send button remains correctly disabled when no valid agent is
selected.
Fixes#321
* test: add gateway health history e2e + utility unit tests
- Add tests/gateway-health-history.spec.ts: Playwright e2e tests for
GET /api/gateways/health/history and POST /api/gateways/health
covering auth guards, response shape validation, chronological
ordering, and gateway name resolution.
- Add src/app/api/gateways/health/health-utils.test.ts: 30 vitest
unit tests for the pure utility functions in the health probe route:
ipv4InCidr, isBlockedUrl (SSRF protection), buildGatewayProbeUrl,
parseGatewayVersion, and hasOpenClaw32ToolsProfileRisk.
All 30 unit tests pass. Covers the health history feature introduced
in feat(gateways): add health history logging and timeline (#300).
The two-step agent → agent.wait pattern used in dispatchAssignedTasks and
runAegisReviews only returns lifecycle metadata (runId, status, timestamps).
The agent's actual response text is only available via --expect-final on the
initial agent call, which blocks until completion and returns the full payload
including result.payloads[0].text.
Without this fix:
- Task resolution is stored as the raw wait JSON instead of the agent's response
- Aegis cannot parse a VERDICT from the resolution, so it always defaults to rejected
- Tasks are permanently stuck in a reject/retry loop and never complete
Fix: replace the two-call pattern with a single --expect-final call in both
dispatchAssignedTasks and runAegisReviews. Also improve sessionId extraction
to use the agentMeta path from the final payload.
Co-authored-by: Tom Watts <tom@techteamup.com>
Previously the agent select in the OrchestrationBar only listed agents
with a session_key set (agents.filter(a => a.session_key)), causing the
dropdown to appear completely empty when agents exist but none have an
active session. This was confusing — users thought no agents were
registered.
Fix: show all registered agents in the dropdown. Agents without an
active session_key are shown as disabled with a '— no session' suffix
and a tooltip explaining why they can't be messaged. The 'No agents
registered' placeholder is shown only when the agents array is truly
empty.
The send button remains correctly disabled when no valid agent is
selected.
Fixes#321
Replace the unhelpful "POST /api/agents with X-Api-Key header" message
with a user-friendly hint explaining that agents are auto-discovered
from Claude, Codex, and Hermes directories, and that gateway mode shows
registered agents.
Adds missing noAgentsHint translation key across all 10 locales.
Closes#321
- Filter out cron jobs with missing/empty schedule before processing,
preventing TypeError on .toLowerCase() (#342)
- Add defensive .localeCompare() guard in sort comparator
- Exclude positive/instructional lines ("No ... warnings detected",
"Run: ...") from doctor issue extraction (#331)
- Strip negated warning phrases before keyword detection so "No channel
security warnings detected" doesn't trigger warning level
- Add 2 tests for the doctor parser fix
* docs: add screenshot drift prevention guide and CI workflow
- Add docs/SCREENSHOT-GUIDE.md with step-by-step instructions for
capturing, optimising, and committing fresh README screenshots
- Add .github/workflows/screenshot-drift.yml that detects UI file
changes in PRs, applies a 'screenshot-drift' label, and posts a
checklist comment reminding contributors to verify screenshots
Addresses: README screenshots may drift as the UI evolves quickly
(setup wizard, health history timeline, and onboarding were added
after the last screenshot refresh on 2026-03-11)
* fix(gateway): resolve Docker connectivity — 404 endpoints, EROFS write, missing OPENCLAW_HOME
Fixes#332, #333
Root causes
-----------
1. nodes/route.ts called non-existent HTTP REST endpoints on the gateway
(/api/presence, /api/devices, /api/rpc). The OpenClaw gateway only
exposes HTTP at /health; all other operations use WebSocket RPC.
2. gateway-runtime.ts attempted fs.writeFileSync on openclaw.json which
fails with EROFS when the container or mount is read-only (docker-compose
uses read_only: true by default).
3. install.sh never wrote the detected OPENCLAW_HOME or Docker host gateway
IP into .env, leaving OPENCLAW_HOME empty after a fresh install.
Fixes
-----
- nodes/route.ts: replace HTTP calls to /api/presence and /api/devices
with gateway /health reachability check + callOpenClawGateway() RPC
(node.list / device.pair.list). When the openclaw CLI is unavailable
inside Docker, the RPC falls back gracefully and returns connected=true
with an empty list rather than a misleading 'Gateway offline' error.
POST device actions likewise use callOpenClawGateway instead of /api/rpc.
- gateway-runtime.ts: catch EROFS / EACCES / EPERM on config write and
emit a warn-level log with a hint, instead of an error. This eliminates
the 'Failed to register MC in gateway config EROFS: read-only file
system' log spam on Docker installs where openclaw.json is read-only.
- install.sh: after generating .env, write the detected OPENCLAW_HOME.
In --docker mode also detect the Docker host IP (host-gateway or bridge
default) and set OPENCLAW_GATEWAY_HOST so the container can reach a
gateway running on the host out of the box.
- docker-compose.yml: add extra_hosts host-gateway so the container can
resolve the Docker host IP; add a commented volume snippet for mounting
the OpenClaw state directory read-only.
- Add busy_timeout = 5000 pragma to prevent SQLITE_BUSY errors under
concurrent Next.js route-handler requests (WAL mode helps but is not
sufficient without a retry budget).
- Guard module-level getDatabase() call with !isBuildPhase to prevent
build-time vs runtime SQLite state conflicts on cold starts.
- Add tests covering both pragmas and build-phase skip behaviour.
The test connection button in the onboarding wizard was using GET to
call /api/gateways/health, which only exports POST — resulting in a
405 and "Gateway unreachable" shown to the user.
Fixes the HTTP method to POST so the health probe works correctly.
Co-authored-by: Firefloc <firefloc@MacBook-Pro-de-Firefloc.local>
The existing Tailscale Serve detection only looked for a /gw path handler,
missing configurations where the gateway is proxied on a separate port
(e.g. :8443 → localhost:18789). This caused remote browsers to attempt
direct wss connections to the gateway port, which fails through Tailscale.
Extract Tailscale Serve detection into src/lib/tailscale-serve.ts and
extend it to discover port-based proxy mappings from the Tailscale Serve
JSON config. Also adds the macOS app bundle path for the Tailscale CLI
binary, which is not on PATH when installed via the Mac App Store.
* feat: add i18n with 10 languages (en, zh, ja, ko, es, fr, de, pt, ru, ar)
Add internationalization infrastructure using next-intl with cookie-based
locale detection (NEXT_LOCALE cookie -> Accept-Language header -> default).
- Install next-intl and wire into Next.js config + root layout
- Create translation files for 10 languages covering auth pages,
navigation labels, common UI strings, and settings
- Translate login page, setup page, and nav-rail labels
- Add LanguageSwitcher component (compact dropdown) to login page,
setup page, nav-rail sidebar, and settings panel
- Support RTL layout for Arabic (dir="rtl" on html element)
- No URL-based locale routing — uses cookie-only approach to avoid
breaking existing URLs and the custom proxy middleware
Panel internals are left with English strings for incremental
translation in follow-up PRs.
Based on the approach from PR #312 by richard-able, expanded to
10 languages with proper infrastructure.
* test(e2e): add i18n language switcher Playwright tests
Tests verify English default, all 10 language options, Chinese/Spanish
translations, cookie persistence across reload, and round-trip switching.
* test(e2e): fix i18n language switcher tests for cookie-based reload
Use direct cookie injection + page.goto instead of selectOption to
avoid race conditions with window.location.reload(). Fix Spanish
translation text to match actual es.json content.
* feat: complete full-app i18n — all components translated to 10 languages
Wire useTranslations() across 13 components with 293 keys in 12 namespaces:
- Boot loader: step labels, title, tagline
- Main page: skip-link, footer, full/local mode nudges
- Header bar: search, command palette, mode badge, SSE badge, tooltips
- Banners: local-mode, update, openclaw-update, openclaw-doctor
- Live feed: header, empty states, session labels
- Nav rail: context switcher, interface toggle, org section
- Onboarding wizard: all 4 steps (welcome, interface, gateway, credentials)
- Error boundary: extracted functional component for hook support
All 10 languages fully translated (en, zh, ja, ko, es, fr, de, pt, ru, ar)
with ICU plural format and proper per-language plural rules.
* feat(i18n): translate all panels and redesign language switcher
- Internationalize all 38 panel components with useTranslations()
- Expand translation keys from 293 to 1752 across 45 namespaces
- All 10 languages: en, zh, ja, ko, es, fr, de, pt, ru, ar
- Redesign language switcher: popover dropdown in header bar
(replaces native <select> in sidebar)
- Keep LanguageSwitcherSelect for login, setup, and settings pages
- Fix github-sync-panel to use t.rich() for JSX interpolation
* fix(ui): null-safe trim calls in agent model config (#319)
Guard against undefined values in .trim() calls when editing agent
model configuration (primary model and fallback array entries).
Closes#319
* test: add unit tests for null-safe trim in agent model config
Tests verify that undefined/null values in model primary and fallback
arrays don't cause trim() TypeError crashes.
* test(e2e): add agent model config edge case tests
Tests verify PUT /api/agents/:id with valid config, empty fallbacks,
empty primary, and whitespace-only fallback entries.
* fix(ui): persist doctor banner dismiss with 24h expiry (#320)
Replace ephemeral useState dismiss with Zustand store + localStorage.
Banner stays hidden for 24 hours after dismiss, then resurfaces so
users can re-check. Mirrors the existing UpdateBanner pattern.
Closes#320
* test: add unit tests for doctor banner dismiss persistence
Tests verify localStorage persistence, 24h expiry, page refresh
survival, and graceful handling of corrupted values.
* fix(docker): move pids to service-level pids_limit and copy public assets
- Move `pids: 256` from `deploy.resources.limits` to service-level
`pids_limit` for Docker Compose v5+ compatibility (#322)
- Add `COPY --from=build /app/public ./public` to Dockerfile runtime
stage so static assets (logos, icons) are available at runtime (#323)
Closes#322, closes#323
* test: add Docker config validation tests
Verifies pids_limit is at service level (Compose v5+), public dir
is copied in Dockerfile, and all required COPY instructions exist.
Eliminate friction for new users by adding a web-based setup wizard,
auto-generating infrastructure secrets, and providing actionable
feedback when no admin account exists.
- Add /setup page with visual progress steps for admin account creation
- Add /api/setup route (GET: check status, POST: create admin + auto-login)
- Auto-generate AUTH_SECRET and API_KEY when not set (persisted to .data/)
- Add docker-entrypoint.sh for zero-config Docker startup
- Login page auto-redirects to /setup when no users exist
- Login API returns NO_USERS error code with setup guidance
- Remove insecure defaults from .env.example
- Update README Quick Start for zero-config Docker and web setup
- Add CLAUDE.md for AI agent discoverability
Task dispatch and Aegis review were sending `agents.name` (the display
name) as `agentId` to the gateway. When `identity.name` differs from
the gateway agent `id`, the gateway rejects the call with
"unknown agent id".
Now extracts `openclawId` from the agent's config JSON (set during
agent sync) and uses that for gateway invocations, falling back to
the display name for backwards compatibility.
Closes#310
- Replace unconditional HTTP→HTTPS redirect with opt-in via NEXT_PUBLIC_FORCE_HTTPS=1
- Propagate CSP nonce into forwarded request headers so SSR inline scripts get the nonce
- Bind nonce attribute to layout's inline theme script to prevent CSP violations
- Extract CSP and browser-security helpers into dedicated modules with tests
Closes#308, #309, #311
Adds MC_PROXY_AUTH_HEADER env var. When configured, getUserFromRequest
reads the named header for the authenticated username and resolves (or
optionally auto-provisions) the MC user without requiring a password.
This enables SSO via a trusted gateway such as Envoy OIDC — the gateway
injects preferred_username as a header from the validated JWT claim, and
MC maps it to an existing user, skipping the local login form entirely.
New env vars:
MC_PROXY_AUTH_HEADER — header name to read username from
MC_PROXY_AUTH_DEFAULT_ROLE — role for auto-provisioned users (optional)
Auto-provisioned users receive a random unusable password so they cannot
bypass the proxy and log in locally.
Closes#305
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(session-cookie): migrate to __Host- prefix for secure contexts
- Update session-cookie.ts to use __Host-mc-session for HTTPS requests
- Add LEGACY_MC_SESSION_COOKIE_NAME for backward compatibility with HTTP
- Add parseMcSessionCookieHeader() to parse both cookie names
- Add isRequestSecure() helper to detect HTTPS requests
- Update cookie options to enforce Secure, HttpOnly, SameSite=Strict
- Update all call sites (login, logout, google, me, proxy, auth)
- Update e2e tests to support both cookie names
- Update documentation (README.md, SKILL.md, openapi.json)
This addresses the high-priority TODO about migrating to the __Host- prefix
for enhanced security. The __Host- prefix enforces Secure + Path=/ and
prevents subdomain attacks. Legacy mc-session is still supported for HTTP
contexts.
* fix(tests): keep login-flow cookie name aligned with response
- remove unreachable nullish expression in session cookie secure flag
- use returned cookie pair in login-flow spec instead of forcing __Host- prefix
---------
Co-authored-by: Nyk <0xnykcd@googlemail.com>
- Added support for specifying authentication mode ('token' or 'password') in the gateway configuration.
- Updated `getDetectedGatewayToken` function to return the appropriate credential based on the selected mode.
- Improved security scan checks for gateway authentication, ensuring both token and password modes are validated correctly.
- Adjusted the onboarding wizard's content area to have a maximum height of 70vh for better responsiveness.
- Updated the credentials step to ensure the content area can overflow and scroll, enhancing usability during input.
- allow /api/status?action=health through proxy without session/API key
- short-circuit health action in status route before role gating
- add proxy regression tests for health probe allow + non-health deny
Regression checks:
- pnpm vitest run src/proxy.test.ts src/lib/__tests__/auth.test.ts
- pnpm playwright test tests/auth-guards.spec.ts
- smoke: /api/status?action=health=200, login=200, /api/auth/me=200
* fix: route coordinator sends to live sessions and parse boxed doctor output
* feat: make coordinator routing user-configurable and deployment-agnostic
* feat: add coordinator target dropdown in settings
* feat(settings): preview live coordinator routing resolution
* security(csp): remove unsafe-inline via per-request nonce policy
* fix(ui): disable new organization CTA; improve skills registry and panel defaults
- disable non-functional New organization button in nav rail
- gate Hermes Memory visibility on actual Hermes CLI binary detection
- optimize agents task stats API by replacing N+1 with grouped query
- make task board render primary data first and hydrate quality-review async
- default skills panel registry source to awesome-openclaw
- add resilient registry search fallbacks for ClawdHub/skills.sh endpoint variants
HonzysClawdbot
Héctor Arriola
Brixyy
nyk
Tom Watts
firefloc-nox
Clint Baxley
jonboirama
Nyk
dk-blackfuel
Joshua Mo
RazorFin
Jonatan