diff --git a/CHANGELOG.md b/CHANGELOG.md index a4c2929eb..0c33025aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,87 +3,128 @@ ## 2026.1.14 (unreleased) ### Highlights -- Web search: add `web_search`/`web_fetch` tools (Brave API) plus onboarding/config docs. -- Browser: new Chrome extension relay takeover mode + remote browser control via `clawdbot browser serve`. -- Plugins: add Zalo channel plugin with gateway HTTP hooks + onboarding install prompt. (#854) — thanks @longmaba. -- Security: expanded `clawdbot security audit`, add detect-secrets CI scan, and publish a `SECURITY.md` reporting policy. +- Web search: `web_search`/`web_fetch` tools (Brave API) + first-time setup in onboarding/configure. +- Browser control: Chrome extension relay takeover mode + remote browser control via `clawdbot browser serve`. +- Plugins: channel plugins (gateway HTTP hooks) + Zalo plugin + onboarding install flow. (#854) — thanks @longmaba. +- Security: expanded `clawdbot security audit` (+ `--fix`), detect-secrets CI scan, and a `SECURITY.md` reporting policy. ### Changes -- Docs: clarify per-agent auth stores, sandboxed skill binaries, and elevated semantics. -- Daemon: support profile-aware service names for multi-gateway setups. (#671) — thanks @bjesuiter. -- Docs: add FAQ entries for missing provider auth after adding agents and Gemini thinking signature errors. -- Agents: add optional auth-profile copy prompt on `agents add` and improve auth error messaging. -- Security: expand `clawdbot security audit` checks (model hygiene, config includes, plugin allowlists, exposure matrix) and extend `--fix` to tighten more sensitive state paths. -- Security: add `SECURITY.md` reporting policy. -- Channels: add Matrix plugin (external) with docs + onboarding hooks. -- Plugins: add Zalo channel plugin with gateway HTTP hooks and onboarding install prompt. (#854) — thanks @longmaba. -- Onboarding: add a security checkpoint prompt (docs link + sandboxing hint); require `--accept-risk` for `--non-interactive`. -- Docs: expand gateway security hardening guidance and incident response checklist. -- Docs: document DM history limits for channel DMs. (#883) — thanks @pkrmf. -- Security: add detect-secrets CI scan and baseline guidance. (#227) — thanks @Hyaxia. -- Tools: add `web_search`/`web_fetch` (Brave API), auto-enable `web_fetch` for sandboxed sessions, and remove the `brave-search` skill. -- CLI/Docs: add a web tools configure section for storing Brave API keys and update onboarding tips. -- Tools: return a setup hint (docs link) when web_search runs without a Brave API key. -- Config/Doctor: remove legacy Clawdis env fallbacks and config/service migrations (Clawdbot-only). -- Browser: add Chrome extension relay takeover mode (toolbar button), plus `clawdbot browser extension install/path` and remote browser control via `clawdbot browser serve` + `browser.controlToken`. -- CLI/Docs: add per-command CLI doc pages and link them from `clawdbot --help`. -- Browser: copy the installed Chrome extension path to clipboard after `clawdbot browser extension install/path`. -- WhatsApp: add `channels.whatsapp.sendReadReceipts` to disable auto read receipts. (#882) — thanks @chrisrodz. -- Usage: add MiniMax coding plan usage tracking. -- Auth: label Claude Code CLI auth options. (#915) — thanks @SeanZoR. -- Docs: standardize Claude Code CLI naming across docs and prompts. (follow-up to #915) -- Telegram: add message delete action in the message tool. (#903) — thanks @sleontenko. -- Config: add `channels..configWrites` gating for channel-initiated config writes; migrate Slack channel IDs. +#### Web Tools +- Tools: add `web_search`/`web_fetch` (Brave API), including helpful setup hints when the key is missing. +- Tools: enable `web_fetch` by default (unless explicitly disabled in config). +- CLI/Docs: add `clawdbot configure --section web` for storing Brave API keys and update onboarding tips. -### Fixes -- Control UI: load cron run history on job selection and clarify empty-state messaging. (#866) -- Slack: isolate thread history and avoid inheriting channel transcripts for new threads by default. (#758) -- Gateway: forward termination signals to respawned CLI child processes to avoid orphaned systemd runs. (#933) — thanks @roshanasingh4. -- Browser: add tests for snapshot labels/efficient query params and labeled image responses. -- macOS: ensure launchd log directory exists with a test-only override. (#909) — thanks @roshanasingh4. -- macOS: format ConnectionsStore config to satisfy SwiftFormat lint. (#852) — thanks @mneves75. -- Packaging: run `pnpm build` on `prepack` so npm publishes include fresh `dist/` output. -- Telegram: register dock native commands with underscores to avoid `BOT_COMMAND_INVALID` (#929, fixes #901) — thanks @grp06. -- Google: downgrade unsigned thinking blocks before send to avoid missing signature errors. -- Agents: make user time zone and 24-hour time explicit in the system prompt. (#859) — thanks @CashWilliams. -- Agents: strip downgraded tool call text without eating adjacent replies and filter thinking-tag leaks. (#905) — thanks @erikpr1994. -- Agents: cap tool call IDs for OpenAI/OpenRouter to avoid request rejections. (#875) — thanks @j1philli. -- Doctor: avoid re-adding WhatsApp config when only legacy ack reactions are set. (#927, fixes #900) — thanks @grp06. -- Agents: scrub tuple `items` schemas for Gemini tool calls. (#926, fixes #746) — thanks @grp06. -- Agents: stabilize sub-agent announce status from runtime outcomes and normalize Result/Notes. (#835) — thanks @roshanasingh4. -- Apps: use canonical main session keys from gateway defaults across macOS/iOS/Android to avoid creating bare `main` sessions. +#### Browser / Control UI +- Browser: add Chrome extension relay takeover mode (toolbar button) + `clawdbot browser serve` remote control + `browser.controlToken`. - Browser: ship a built-in `chrome` profile for extension relay and start the relay automatically when running locally. - Browser: default `browser.defaultProfile` to `chrome` (existing Chrome takeover mode). -- Embedded runner: suppress raw API error payloads from replies. (#924) — thanks @grp06. -- Auth: normalize Claude Code CLI profile mode to oauth and auto-migrate config. (#855) — thanks @sebslight. +- Browser: add `clawdbot browser extension install/path` and copy extension path to clipboard. +- Control UI: show raw any-map entries in config views; move Docs link into the left nav. + +#### Plugins +- Plugins: add plugin HTTP hooks + loader updates to support channel plugins. (#854) — thanks @longmaba. +- Plugins: add onboarding plugin install flow. (#854) — thanks @longmaba. +- Channels: add Matrix plugin (external) with docs + onboarding hooks. +- Voice Call: add Plivo provider (no SDK dependency). (#846) — thanks @vrknetha. + +#### Security +- Security: expand `clawdbot security audit` checks and publish a `SECURITY.md` reporting policy. +- Security: extend `clawdbot security audit --fix` to tighten more sensitive state paths. +- Security: add detect-secrets CI scan and baseline guidance. (#227) — thanks @Hyaxia. + +#### Onboarding / Daemon +- Onboarding: add a security checkpoint prompt (docs link + sandboxing hint); require `--accept-risk` for `--non-interactive`. +- Daemon: support profile-aware service names for multi-gateway setups. (#671) — thanks @bjesuiter. + +#### Auth / Usage / Config +- Usage: add MiniMax coding plan usage tracking. +- Auth: label Claude Code CLI auth options. (#915) — thanks @SeanZoR. +- Agents: add optional auth-profile copy prompt on `agents add` and improve auth error messaging. +- Auth: add dynamic template variables to `messages.responsePrefix`. (#928) — thanks @sebslight. +- Config: add `channels..configWrites` gating for channel-initiated config writes; migrate Slack channel IDs. + +#### Channels +- Telegram: add message delete action in the message tool. (#903) — thanks @sleontenko. +- WhatsApp: add `channels.whatsapp.sendReadReceipts` to disable auto read receipts. (#882) — thanks @chrisrodz. + +#### Docs +- Docs: clarify per-agent auth stores, sandboxed skill binaries, and elevated semantics. +- Docs: add FAQ entries for missing provider auth after adding agents and Gemini thinking signature errors. +- Docs: expand gateway security hardening guidance and incident response checklist. +- Docs: document DM history limits for channel DMs. (#883) — thanks @pkrmf. +- Docs: standardize Claude Code CLI naming across docs and prompts. (follow-up to #915) +- Docs: add per-command CLI doc pages and link them from `clawdbot --help`. +- Docs: add multi-gateway guide (sidebar + nav). + +### Fixes + +#### Gateway / Daemon / Sessions +- Gateway: forward termination signals to respawned CLI child processes to avoid orphaned systemd runs. (#933) — thanks @roshanasingh4. +- Gateway/UI: ship session defaults in the hello snapshot so the Control UI canonicalizes main session keys (no bare `main` alias). - Daemon: clear persisted launchd disabled state before bootstrap (fixes `daemon install` after uninstall). (#849) — thanks @ndraiman. -- Logging: tolerate `EIO` from console writes to avoid gateway crashes. (#925, fixes #878) — thanks @grp06. -- Sandbox: restore `docker.binds` config validation for custom bind mounts. (#873) — thanks @akonyer. -- Sandbox: preserve configured PATH for `docker exec` so custom tools remain available. (#873) — thanks @akonyer. -- Slack: respect `channels.slack.requireMention` default when resolving channel mention gating. (#850) — thanks @evalexpr. -- Telegram: aggregate split inbound messages into one prompt (reduces “one reply per fragment”). -- Telegram: let control commands bypass per-chat sequentialization; always allow abort triggers. -- Auto-reply: treat trailing `NO_REPLY` tokens as silent replies. -- Config: prevent partial config writes from clobbering unrelated settings (base hash guard + merge patch for connection saves). - Sessions: return deep clones (`structuredClone`) so cached session entries can't be mutated. (#934) — thanks @ronak-guliani. - Heartbeat: keep `updatedAt` monotonic when restoring heartbeat sessions. (#934) — thanks @ronak-guliani. - Agent: clear run context after CLI runs (`clearAgentRunContext`) to avoid runaway contexts. (#934) — thanks @ronak-guliani. -- macOS: pass auth token/password to dashboard URL for authenticated access. (#918) — thanks @rahthakor. -- UI: use application-defined WebSocket close code (browser compatibility). (#918) — thanks @rahthakor. -- macOS: reuse launchd gateway auth and skip wizard when gateway config already exists. (#917) +- Gateway/Dev: ensure `pnpm gateway:dev` always uses the dev profile config + state (`~/.clawdbot-dev`). + +#### CLI / Onboarding +- Onboarding: show web search setup at the end (not the beginning). +- Onboarding: show daemon install/restart progress (avoid “blinking cursor”) and fix daemon install output formatting. +- Health: colorize “not configured” provider lines for easier scanning. + +#### Control UI / TUI +- Control UI: load cron run history on job selection and clarify empty-state messaging. (#866) +- UI: use application-defined WebSocket close code and fix dashboard auth query items. (#918) — thanks @rahthakor. +- UI: always apply `?token=` from URL (fixes unauthorized after re-onboard). +- Browser: add tests for snapshot labels/efficient query params and labeled image responses. - TUI: render picker overlays via the overlay stack so /models and /settings display. (#921) — thanks @grizzdank. - TUI: add a bright spinner + elapsed time in the status line for send/stream/run states. - TUI: show LLM error messages (rate limits, auth, etc.) instead of `(no output)`. -- Gateway/Dev: ensure `pnpm gateway:dev` always uses the dev profile config + state (`~/.clawdbot-dev`). + +#### Agents / Auth / Tools / Sandbox +- Agents: make user time zone and 24-hour time explicit in the system prompt. (#859) — thanks @CashWilliams. +- Agents: strip downgraded tool call text without eating adjacent replies and filter thinking-tag leaks. (#905) — thanks @erikpr1994. +- Agents: cap tool call IDs for OpenAI/OpenRouter to avoid request rejections. (#875) — thanks @j1philli. +- Agents: scrub tuple `items` schemas for Gemini tool calls. (#926, fixes #746) — thanks @grp06. +- Agents: stabilize sub-agent announce status from runtime outcomes and normalize Result/Notes. (#835) — thanks @roshanasingh4. +- Auth: normalize Claude Code CLI profile mode to oauth and auto-migrate config. (#855) — thanks @sebslight. +- Embedded runner: suppress raw API error payloads from replies. (#924) — thanks @grp06. +- Logging: tolerate `EIO` from console writes to avoid gateway crashes. (#925, fixes #878) — thanks @grp06. +- Sandbox: restore `docker.binds` config validation and preserve configured PATH for `docker exec`. (#873) — thanks @akonyer. +- Google: downgrade unsigned thinking blocks before send to avoid missing signature errors. + +#### macOS / Apps +- macOS: ensure launchd log directory exists with a test-only override. (#909) — thanks @roshanasingh4. +- macOS: format ConnectionsStore config to satisfy SwiftFormat lint. (#852) — thanks @mneves75. +- macOS: pass auth token/password to dashboard URL for authenticated access. (#918) — thanks @rahthakor. +- macOS: reuse launchd gateway auth and skip wizard when gateway config already exists. (#917) +- Apps: use canonical main session keys from gateway defaults across macOS/iOS/Android to avoid creating bare `main` sessions. - macOS: fix cron preview/testing payload to use `channel` key. (#867) — thanks @wes-davis. -- Telegram: honor `channels.telegram.timeoutSeconds` for grammY API requests. (#863) — thanks @Snaver. -- Telegram: split long captions into media + follow-up text messages. (#907) — thanks @jalehman. -- Telegram: migrate group config when supergroups change chat IDs. (#906) — thanks @sleontenko. -- Messaging: unify markdown formatting + format-first chunking for Slack/Telegram/Signal. (#920) — thanks @TheSethRose. +- macOS: update cron testing channel arg. (#896) — thanks @ngutman. + +#### Channels / Messaging +- Slack: isolate thread history and avoid inheriting channel transcripts for new threads by default. (#758) +- Slack: respect `channels.slack.requireMention` default when resolving channel mention gating. (#850) — thanks @evalexpr. - Slack: drop Socket Mode events with mismatched `api_app_id`/`team_id`. (#889) — thanks @roshanasingh4. - Discord: isolate autoThread thread context. (#856) — thanks @davidguttman. +- Telegram: honor `channels.telegram.timeoutSeconds` for grammY API requests. (#863) — thanks @Snaver. +- Telegram: aggregate split inbound messages into one prompt (reduces “one reply per fragment”). +- Telegram: let control commands bypass per-chat sequentialization; always allow abort triggers. +- Telegram: split long captions into media + follow-up text messages. (#907) — thanks @jalehman. +- Telegram: migrate group config when supergroups change chat IDs. (#906) — thanks @sleontenko. +- Telegram: register dock native commands with underscores to avoid `BOT_COMMAND_INVALID` (#929, fixes #901) — thanks @grp06. +- Messaging: unify markdown formatting + format-first chunking for Slack/Telegram/Signal. (#920) — thanks @TheSethRose. +- iMessage: prefer handle routing for direct-message replies; include imsg RPC error details. (#935) - WhatsApp: fix context isolation using wrong ID (was bot's number, now conversation ID). (#911) — thanks @tristanmanchester. - WhatsApp: normalize user JIDs with device suffix for allowlist checks in groups. (#838) — thanks @peschee. +- WhatsApp: harden owner command auth. +- Auto-reply: treat trailing `NO_REPLY` tokens as silent replies. + +#### Config / Doctor / Packaging +- Config: prevent partial config writes from clobbering unrelated settings (base hash guard + merge patch for connection saves). +- Config/Doctor: remove legacy Clawdis env fallbacks and config/service migrations (Clawdbot-only). +- Doctor: avoid re-adding WhatsApp config when only legacy ack reactions are set. (#927, fixes #900) — thanks @grp06. +- Packaging: run `pnpm build` on `prepack` so npm publishes include fresh `dist/` output. ## 2026.1.13