* Agents: add provider attribution registry
* Agents: record provider attribution matrix
* Agents: align OpenRouter attribution headers

* Agents: run bundle MCP tools in embedded Pi
* Plugins: fix bundle MCP path resolution
* Plugins: warn on unsupported bundle MCP transports
* Commands: add embedded Pi MCP management
* Config: move MCP management to top-level config

…atus paths (openclaw#48728)
* fix(secrets): scope message runtime resolution and harden doctor/status
* docs: align message/doctor/status SecretRef behavior notes
* test(cli): accept scoped targetIds wiring in secret-resolution coverage
* fix(secrets): keep scoped allowedPaths isolation and tighten coverage gate
* fix(secrets): avoid default-account coercion in scoped target selection
* test(doctor): cover inactive telegram secretref inspect path
* docs
Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com>
* changelog
Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com>
---------
Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com>

…native commands (openclaw#48707)

The commit 9ebe38b refactored bot-native-commands.ts to import from openclaw/plugin-sdk/* instead of direct src/ paths. The test file bot-native-commands.session-meta.test.ts was not updated accordingly, causing 8 of 11 tests to fail.

Root causes:
1. vi.mock() paths still pointed to old src/ paths for reply-runtime, channel-runtime, and plugin-runtime modules
2. The channel-runtime mock needed to also intercept resolveConfiguredAcpRoute, ensureConfiguredAcpRouteReady, and getSessionBindingService since conversation-route.ts now loads these via openclaw/plugin-sdk/conversation-runtime, bypassing the src/acp/persistent-bindings.js mock
3. recordInboundSessionMetaSafe needed to be mocked at the channel-runtime level to forward calls to sessionMocks.recordSessionMetaFromInbound

Changes:
- Replace individual src/ path mocks with consolidated plugin-sdk mocks
- Add openclaw/plugin-sdk/conversation-runtime mock with delegating wrappers for resolveConfiguredAcpRoute, ensureConfiguredAcpRouteReady, and getSessionBindingService
- Mock recordInboundSessionMetaSafe to forward to sessionMocks chain

All 11 tests now pass.
Cursor Bugbot has reviewed your changes and found 3 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| ui/src/ui/__screenshots__ | ||
| ui/src/ui/views/__screenshots__ | ||
| ui/.vitest-attachments | ||
| docs/superpowers |
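Review bot: The last entry, docs/superpowers, ignores a documentation directory in the shared .gitignore, unlike the three paths above it, which by their names (__screenshots__, .vitest-attachments) are test output. Any file later added under docs/superpowers will stay untracked unless it is force-added. If this is local working material, drop the entry from the committed file and keep it in .git/info/exclude or a per-user global ignore file. A trailing slash on all four entries would also make it explicit that they are meant to match directories only.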
Gitignore adds itself and specific dev-local file paths
High Severity
The .gitignore now ignores itself (line 130) and several specific developer-local paths: docs/superpowers/plans/2026-03-10-collapsed-side-nav.md, docs/superpowers/specs/2026-03-10-collapsed-side-nav-design.md, test/config-form.analyze.telegram.test.ts, ui/src/ui/theme-variants.browser.test.ts, and the entire docs/superpowers directory. None of these test/doc files exist in the repo — they look like local work-in-progress being suppressed from git status. Adding .gitignore to itself is a well-known footgun and strongly signals this block was committed by accident.
| else: | ||
| print(event["pull_request"]["base"]["sha"]) | ||
| PY | ||
| )" |
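Review bot: The else branch indexes event["pull_request"]["base"]["sha"] with no guard, so a payload that lacks pull_request or base ends the heredoc script with a KeyError traceback and leaves nothing on stdout for the command substitution closed by )". The condition above the else is not visible in this hunk, so it is not clear that every event reaching this branch is a pull_request event. Suggest reading the keys with .get(), exiting non-zero with a one-line message when the SHA is missing, and having the calling shell reject an empty result before the value is used.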
Secret detection CI step completely removed
High Severity
The Detect secrets CI step (which ran pre-commit run detect-secrets) was removed from the secrets job with no replacement. The Yelp detect-secrets hook is still defined in .pre-commit-config.yaml and the .secrets.baseline is still maintained, but the hook no longer executes in CI. Only detect-private-key remains, which has much narrower coverage — it misses API keys, tokens, passwords, and other secret types that detect-secrets catches.
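The gap this finding describes, a hook still declared in .pre-commit-config.yaml but no longer run by any workflow, can be checked mechanically. The following is an added example, not code from this PR or from Bugbot; the file contents are constructed samples and the function names are hypothetical.

```python
import re

# Constructed sample files; not the repository's real configuration.
PRE_COMMIT_CONFIG = """\
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    hooks:
      - id: detect-private-key
  - repo: https://github.com/Yelp/detect-secrets
    hooks:
      - id: detect-secrets
"""
WORKFLOW_BEFORE = """\
jobs:
  secrets:
    steps:
      - name: Detect secrets
        run: pre-commit run detect-secrets
      - name: Detect private keys
        run: pre-commit run detect-private-key
"""
# Same job with the "Detect secrets" step deleted, as the finding describes.
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace(
    "      - name: Detect secrets\n        run: pre-commit run detect-secrets\n", "")

WATCHED = {"detect-secrets", "detect-private-key"}  # hook ids named on the page
HOOK_ID = re.compile(r"^\s*-\s*id:\s*([\w-]+)\s*$", re.M)
RUN = re.compile(r"\bpre-commit\s+run\b\s*(\S*)")

def configured_secret_hooks(config_text):
    """Secret-scanning hook ids declared in .pre-commit-config.yaml."""
    return {h for h in HOOK_ID.findall(config_text) if h in WATCHED}

def hooks_run_in_ci(workflow_text):
    """Hook ids a workflow invokes; "*" means a run of every hook.
    Assumes the hook id, when given, directly follows `pre-commit run`."""
    hooks = set()
    for line in workflow_text.splitlines():
        if line.lstrip().startswith("#"):  # ignore commented-out steps
            continue
        for arg in RUN.findall(line):
            arg = arg.strip("\"'")
            hooks.add("*" if not arg or arg.startswith("-") else arg)
    return hooks

def unenforced_hooks(config_text, workflow_texts):
    """Configured secret hooks that no workflow executes (empty list = OK)."""
    executed = set().union(*(hooks_run_in_ci(t) for t in workflow_texts))
    return [] if "*" in executed else sorted(configured_secret_hooks(config_text) - executed)
```

Run as a CI step of its own, a non-empty result from `unenforced_hooks` would fail the build when a secret-scanning hook is configured but never executed.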
|
|
||
| checks: | ||
| needs: [docs-scope, changed-scope] | ||
| if: needs.docs-scope.outputs.docs_only != 'true' && (github.event_name == 'push' || needs.changed-scope.outputs.run_node == 'true') |
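Review bot: In the if: on the checks job, the pull-request path runs only when needs.changed-scope.outputs.run_node is exactly the string 'true', so an unset, empty or differently cased output skips the whole job on PRs with no failure signal. A skipped job reports as successful and does not block a merge, so a bug in changed-scope would silently turn these checks off. Suggest making changed-scope fail closed (emit run_node as 'true' when detection cannot decide) or inverting the test to skip only on an explicit 'false'.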
Dead PR-only step inside push-only job
Low Severity
The build-artifacts job condition was narrowed to github.event_name == 'push', but the "Ensure secrets base commit (PR fast path)" step still guards on github.event_name == 'pull_request'. This step can never execute since the job itself only runs on push events — it's dead code left over from the refactoring.


test
Note
Medium Risk
Touches CI and release automation (Node version defaults, caching, and publish/backfill workflows), which can break builds or releases if misconfigured despite being mostly configuration changes.
Overview
CI/release automation overhaul. GitHub Actions is updated to default to Node 24 (with cache-key suffix support) and to use newer action versions, while making pnpm caching safer by avoiding sticky disks on untrusted PRs and switching caches to actions/cache@v5.

CI scope + test strategy changes. CI now adds extension-change detection with per-changed-extension test jobs, splits Node tests into shards, adds dedicated lanes for test:channels, test:contracts, and a startup-memory smoke, and introduces a push-only compat-node22 lane.

Release workflow changes. Docker release moves to GitHub-hosted runners, adds a manually approved workflow_dispatch tag backfill path, and swaps Blacksmith docker actions for official Docker actions. A new openclaw-npm-release workflow adds tag-based preview checks and a gated manual publish path using trusted publishing.

Repo hygiene + governance. Adds CODEOWNERS for security/release-sensitive paths, expands bug report issue template with model/provider routing fields, updates secrets scanning allowlists (including Sparkle signatures), ignores .env in Docker build context, and adds docs/skills guidance (including a new Parallels Discord roundtrip skill playbook).

Written by Cursor Bugbot for commit d33c166. This will update automatically on new commits.