Conversation
* Agents: add provider attribution registry
* Agents: record provider attribution matrix
* Agents: align OpenRouter attribution headers
* Agents: run bundle MCP tools in embedded Pi
* Plugins: fix bundle MCP path resolution
* Plugins: warn on unsupported bundle MCP transports
* Commands: add embedded Pi MCP management
* Config: move MCP management to top-level config

…atus paths (openclaw#48728)
* fix(secrets): scope message runtime resolution and harden doctor/status
* docs: align message/doctor/status SecretRef behavior notes
* test(cli): accept scoped targetIds wiring in secret-resolution coverage
* fix(secrets): keep scoped allowedPaths isolation and tighten coverage gate
* fix(secrets): avoid default-account coercion in scoped target selection
* test(doctor): cover inactive telegram secretref inspect path
* docs
Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com>
* changelog
Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com>
---------
Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com>

…native commands (openclaw#48707)

The commit 9ebe38b refactored bot-native-commands.ts to import from openclaw/plugin-sdk/* instead of direct src/ paths. The test file bot-native-commands.session-meta.test.ts was not updated accordingly, causing 8 of 11 tests to fail.

Root causes:
1. vi.mock() paths still pointed to old src/ paths for reply-runtime, channel-runtime, and plugin-runtime modules
2. The channel-runtime mock needed to also intercept resolveConfiguredAcpRoute, ensureConfiguredAcpRouteReady, and getSessionBindingService since conversation-route.ts now loads these via openclaw/plugin-sdk/conversation-runtime, bypassing the src/acp/persistent-bindings.js mock
3. recordInboundSessionMetaSafe needed to be mocked at the channel-runtime level to forward calls to sessionMocks.recordSessionMetaFromInbound

Changes:
- Replace individual src/ path mocks with consolidated plugin-sdk mocks
- Add openclaw/plugin-sdk/conversation-runtime mock with delegating wrappers for resolveConfiguredAcpRoute, ensureConfiguredAcpRouteReady, and getSessionBindingService
- Mock recordInboundSessionMetaSafe to forward to sessionMocks chain

All 11 tests now pass.
Cursor Bugbot has reviewed your changes and found 3 potential issues.
| ui/src/ui/__screenshots__ | ||
| ui/src/ui/views/__screenshots__ | ||
| ui/.vitest-attachments | ||
| docs/superpowers |
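Review bot: the two `__screenshots__` entries at the top of this hunk ignore the directories where browser screenshot tests normally keep their reference images; if those baselines are meant to live in the repository, ignoring them means every CI run regenerates a fresh baseline and a visual regression can never fail the build. Either commit the baselines or state where CI is expected to obtain them, and keep only transient output such as `.vitest-attachments` in the ignore list. The trailing `docs/superpowers` entry excludes a whole documentation tree from the shared ignore file; if it is a local working area it belongs in `.git/info/exclude` rather than here.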
.gitignore ignoring itself and local dev artifacts accidentally committed
Medium Severity
The .gitignore file now contains .gitignore on line 130, causing git to ignore the .gitignore file itself. While already-tracked files aren't immediately untracked, this will hide future .gitignore modifications from git status in some workflows. The surrounding lines (128–132, 136) also add specific dated doc files (docs/superpowers/plans/2026-03-10-...), specific non-existent test files (test/config-form.analyze.telegram.test.ts, ui/src/ui/theme-variants.browser.test.ts), and an entire docs/superpowers directory — these look like local developer exclusions that belong in .git/info/exclude, not the shared .gitignore.
| else | ||
| BASE="${{ github.event.pull_request.base.sha }}" | ||
| fi | ||
| BASE="$( |
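Review bot: the value assigned in the `else` branch is overwritten on the very next line (`BASE="$(`), so unless that command substitution reads `$BASE`, the whole `if`/`else` above it is dead code. Separately, `${{ github.event.pull_request.base.sha }}` expands to an empty string on push events, so this branch can silently produce `BASE=""` and turn a changed-files scan into a scan of nothing. Prefer passing the expression through `env:` and adding an explicit `[ -n "$BASE" ] || exit 1` before it is used.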
Secret detection scanning removed from CI pipeline
Medium Severity
The Detect secrets step (which ran pre-commit run detect-secrets on changed or all files) was completely removed from the secrets CI job. Only detect-private-key remains. The detect-secrets hook still exists in .pre-commit-config.yaml and .detect-secrets.cfg is maintained, but CI no longer enforces it. This means PRs and pushes can now land committed secrets without CI catching them — relying solely on developers having pre-commit hooks locally installed.
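To make the gap concrete, the following is an added example (not the project's code and not detect-secrets itself) of what a changed-files secret-scan step in the `secrets` job enforces: it parses a PR diff, scans only the added lines with two of the simplest heuristics such tools use (a keyed AWS access-key pattern and a Shannon-entropy threshold on quoted strings), and returns the non-zero status that would block the merge. The diff, file names and token values are constructed for the example; the access-key value is the documented AWS example key, not a real credential.

```python
"""Minimal stand-in for a detect-secrets CI step: scan the added lines of a diff.

Added example; not the project's code and not detect-secrets. Two heuristic
detectors are implemented: a keyed pattern and a Shannon-entropy threshold.
"""
import math
import re
from dataclasses import dataclass

# Constructed unified diff standing in for `git diff $BASE...HEAD` output.
# The AWS key id is the example value from AWS documentation, not a live key.
SAMPLE_DIFF = """\
diff --git a/src/config.ts b/src/config.ts
--- a/src/config.ts
+++ b/src/config.ts
@@ -1,2 +1,4 @@
 export const region = "us-east-1";
+export const accessKeyId = "AKIAIOSFODNN7EXAMPLE";
+export const sessionSecret = "Zq8vL2pXw9TkR4mNb7YcH3sJdF6gA1eU";
 export const retries = 3;
diff --git a/docs/readme.md b/docs/readme.md
--- a/docs/readme.md
+++ b/docs/readme.md
@@ -1,1 +1,2 @@
 # Readme
+Set OPENROUTER_API_KEY in your environment; never commit it.
"""

AWS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
QUOTED_TOKEN = re.compile(r"[\"']([A-Za-z0-9+/=_\-]{20,})[\"']")
ENTROPY_THRESHOLD = 4.5  # bits per character; random 32-char tokens sit near 5.0


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    detector: str
    preview: str  # redacted so the finding itself never echoes the value


def redact(token: str) -> str:
    return token[:4] + "***"


def added_lines(diff_text: str):
    """Yield (path, new_line_no, text) for each '+' line of a unified diff."""
    path, new_no = "", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            new_no = int(m.group(1)) if m else 0
        elif raw.startswith("+"):
            yield path, new_no, raw[1:]
            new_no += 1
        elif raw.startswith(("-", "diff ")):
            continue  # removed lines and headers do not advance the new-file counter
        else:
            new_no += 1  # context line


def scan_line(text: str) -> list[tuple[str, str]]:
    """Return (detector, token) pairs for the secret-like values in one line."""
    hits = [("aws-access-key-id", m.group(0)) for m in AWS_KEY_ID.finditer(text)]
    for m in QUOTED_TOKEN.finditer(text):
        token = m.group(1)
        if AWS_KEY_ID.fullmatch(token):
            continue  # already reported by the keyed detector
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            hits.append(("high-entropy-string", token))
    return hits


def scan_diff(diff_text: str) -> list[Finding]:
    return [Finding(p, n, det, redact(tok))
            for p, n, text in added_lines(diff_text)
            for det, tok in scan_line(text)]


def ci_gate(diff_text: str) -> int:
    """Exit status the CI step would return: 1 if any added line looks like a secret."""
    findings = scan_diff(diff_text)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.detector}: {f.preview}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_DIFF))
```

Only the added lines are scanned, which is why the base commit computed earlier in the job matters: with an empty base the diff is empty and the gate passes vacuously, so a full-tree scan must be the fallback rather than a silent no-op.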
| checks: | ||
| needs: [docs-scope, changed-scope] | ||
| if: needs.docs-scope.outputs.docs_only != 'true' && (github.event_name == 'push' || needs.changed-scope.outputs.run_node == 'true') |
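Review bot: with this `if:`, a pull request only runs `checks` when `changed-scope` reports `run_node == 'true'`, while a push runs it unconditionally; confirm that `changed-scope` also sets `run_node` for edits to the workflow files and tooling config themselves, otherwise a PR that changes only CI gets no check until it is merged. Because `docs_only == 'true'` short-circuits the whole expression, the docs-only classifier is now a security control: a path misclassified as docs skips every job this condition gates.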
Unreachable PR step inside push-only job
Low Severity
The build-artifacts job condition was narrowed from allowing both push and pull_request events to github.event_name == 'push' only, but the internal step "Ensure secrets base commit (PR fast path)" still gates on github.event_name == 'pull_request'. This step can never execute since the enclosing job only runs on push events, making it dead code.


Summary
Describe the problem and fix in 2–5 bullets:
Change Type (select all)
Scope (select all touched areas)
Linked Issue/PR
User-visible / Behavior Changes
List user-visible changes (including defaults/config). If none, write None.
Security Impact (required)
If Yes, explain risk + mitigation:
Repro + Verification
Environment
Steps
Expected
Actual
Evidence
Attach at least one:
Human Verification (required)
What you personally verified (not just CI), and how:
Review Conversations
If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.
Compatibility / Migration
Failure Recovery (if this breaks)
Risks and Mitigations
List only real risks for this PR. Add/remove entries as needed. If none, write None.
Note
Medium Risk
Touches critical CI and release automation (including Docker publishing and new gating/sharding), which could break builds or alter release behavior if misconfigured; no product runtime logic changes are included.

Overview
CI/CD overhaul: switches the composite setup-node-env default to Node 24 (with a cache key suffix), updates many workflows/actions to newer major versions, disables sticky-disk caching on PRs, and simplifies job gating to run heavy jobs only when relevant scopes change.

New automation: adds changed-extensions detection plus per-extension fast tests, splits Linux tests into shards, adds a CLI startup memory smoke job, and adds a Node 22 compatibility lane on pushes. Docker releases gain a manual tag backfill path gated by an environment and move builds to GitHub-hosted runners with official Docker actions.

Repo governance & hygiene: introduces CODEOWNERS (including secops/release-manager review requirements), expands issue template fields (model/provider routing), adds spam auto-close+lock handling, ignores .env in Docker build contexts, and updates secret scanning allowlists for Sparkle appcast signatures. Also adds a Parallels Discord roundtrip skill doc and assorted ignore/tooling config files (.jscpd.json, .npmignore, .prettierignore, .gitignore tweaks).

Written by Cursor Bugbot for commit d33c166.