activeclaw 2026.2.12 → 2026.2.13

package/dist/plugin-sdk/index.js

@@ -1476,6 +1476,7 @@ const DiscordGuildChannelSchema = z.object({
 	skills: z.array(z.string()).optional(),
 	enabled: z.boolean().optional(),
 	users: z.array(z.union([z.string(), z.number()])).optional(),
+	roles: z.array(z.union([z.string(), z.number()])).optional(),
 	systemPrompt: z.string().optional(),
 	includeThreadStarter: z.boolean().optional(),
 	autoThread: z.boolean().optional()
@@ -1492,6 +1493,7 @@ const DiscordGuildSchema = z.object({
 		"allowlist"
 	]).optional(),
 	users: z.array(z.union([z.string(), z.number()])).optional(),
+	roles: z.array(z.union([z.string(), z.number()])).optional(),
 	channels: z.record(z.string(), DiscordGuildChannelSchema.optional()).optional()
 }).strict();
 const DiscordAccountSchema = z.object({
@@ -2411,6 +2413,31 @@ function resolveGatewayPort(cfg, env = process.env) {
 	return DEFAULT_GATEWAY_PORT;
 }
 
+//#endregion
+//#region src/infra/tmp-openclaw-dir.ts
+const POSIX_OPENCLAW_TMP_DIR = "/tmp/openclaw";
+function isNodeErrorWithCode(err, code) {
+	return typeof err === "object" && err !== null && "code" in err && err.code === code;
+}
+function resolvePreferredOpenClawTmpDir(options = {}) {
+	const accessSync = options.accessSync ?? fs.accessSync;
+	const statSync = options.statSync ?? fs.statSync;
+	const tmpdir = options.tmpdir ?? os.tmpdir;
+	try {
+		if (!statSync(POSIX_OPENCLAW_TMP_DIR).isDirectory()) return path.join(tmpdir(), "openclaw");
+		accessSync(POSIX_OPENCLAW_TMP_DIR, fs.constants.W_OK | fs.constants.X_OK);
+		return POSIX_OPENCLAW_TMP_DIR;
+	} catch (err) {
+		if (!isNodeErrorWithCode(err, "ENOENT")) return path.join(tmpdir(), "openclaw");
+	}
+	try {
+		accessSync("/tmp", fs.constants.W_OK | fs.constants.X_OK);
+		return POSIX_OPENCLAW_TMP_DIR;
+	} catch {
+		return path.join(tmpdir(), "openclaw");
+	}
+}
+
 //#endregion
 //#region src/logging/config.ts
 function readLoggingConfig() {
@@ -2471,7 +2498,7 @@ const loggingState = {
 
 //#endregion
 //#region src/logging/logger.ts
-const DEFAULT_LOG_DIR = "/tmp/openclaw";
+const DEFAULT_LOG_DIR = resolvePreferredOpenClawTmpDir();
 const DEFAULT_LOG_FILE = path.join(DEFAULT_LOG_DIR, "openclaw.log");
 const LOG_PREFIX = "openclaw";
 const LOG_SUFFIX = ".log";
@@ -2815,17 +2842,10 @@ function restoreTerminalState(reason) {
 		reportRestoreFailure("progress line", err, reason);
 	}
 	const stdin = process.stdin;
-	if (stdin.isTTY && typeof stdin.setRawMode === "function") {
-		try {
-			stdin.setRawMode(false);
-		} catch (err) {
-			reportRestoreFailure("raw mode", err, reason);
-		}
-		if (typeof stdin.isPaused === "function" && stdin.isPaused()) try {
-			stdin.resume();
-		} catch (err) {
-			reportRestoreFailure("stdin resume", err, reason);
-		}
+	if (stdin.isTTY && typeof stdin.setRawMode === "function") try {
+		stdin.setRawMode(false);
+	} catch (err) {
+		reportRestoreFailure("raw mode", err, reason);
 	}
 	if (process.stdout.isTTY) try {
 		process.stdout.write(RESET_SEQUENCE);
@@ -7837,23 +7857,53 @@ function buildMinimaxProvider() {
 	return {
 		baseUrl: MINIMAX_API_BASE_URL,
 		api: "openai-completions",
-		models: [{
-			id: MINIMAX_DEFAULT_MODEL_ID,
-			name: "MiniMax M2.1",
-			reasoning: false,
-			input: ["text"],
-			cost: MINIMAX_API_COST,
-			contextWindow: MINIMAX_DEFAULT_CONTEXT_WINDOW,
-			maxTokens: MINIMAX_DEFAULT_MAX_TOKENS
-		}, {
-			id: MINIMAX_DEFAULT_VISION_MODEL_ID,
-			name: "MiniMax VL 01",
-			reasoning: false,
-			input: ["text", "image"],
-			cost: MINIMAX_API_COST,
-			contextWindow: MINIMAX_DEFAULT_CONTEXT_WINDOW,
-			maxTokens: MINIMAX_DEFAULT_MAX_TOKENS
-		}]
+		models: [
+			{
+				id: MINIMAX_DEFAULT_MODEL_ID,
+				name: "MiniMax M2.1",
+				reasoning: false,
+				input: ["text"],
+				cost: MINIMAX_API_COST,
+				contextWindow: MINIMAX_DEFAULT_CONTEXT_WINDOW,
+				maxTokens: MINIMAX_DEFAULT_MAX_TOKENS
+			},
+			{
+				id: "MiniMax-M2.1-lightning",
+				name: "MiniMax M2.1 Lightning",
+				reasoning: false,
+				input: ["text"],
+				cost: MINIMAX_API_COST,
+				contextWindow: MINIMAX_DEFAULT_CONTEXT_WINDOW,
+				maxTokens: MINIMAX_DEFAULT_MAX_TOKENS
+			},
+			{
+				id: MINIMAX_DEFAULT_VISION_MODEL_ID,
+				name: "MiniMax VL 01",
+				reasoning: false,
+				input: ["text", "image"],
+				cost: MINIMAX_API_COST,
+				contextWindow: MINIMAX_DEFAULT_CONTEXT_WINDOW,
+				maxTokens: MINIMAX_DEFAULT_MAX_TOKENS
+			},
+			{
+				id: "MiniMax-M2.5",
+				name: "MiniMax M2.5",
+				reasoning: true,
+				input: ["text"],
+				cost: MINIMAX_API_COST,
+				contextWindow: MINIMAX_DEFAULT_CONTEXT_WINDOW,
+				maxTokens: MINIMAX_DEFAULT_MAX_TOKENS
+			},
+			{
+				id: "MiniMax-M2.5-Lightning",
+				name: "MiniMax M2.5 Lightning",
+				reasoning: true,
+				input: ["text"],
+				cost: MINIMAX_API_COST,
+				contextWindow: MINIMAX_DEFAULT_CONTEXT_WINDOW,
+				maxTokens: MINIMAX_DEFAULT_MAX_TOKENS
+			}
+		]
 	};
 }
 function buildMinimaxPortalProvider() {
@@ -7868,6 +7918,14 @@ function buildMinimaxPortalProvider() {
 			cost: MINIMAX_API_COST,
 			contextWindow: MINIMAX_DEFAULT_CONTEXT_WINDOW,
 			maxTokens: MINIMAX_DEFAULT_MAX_TOKENS
+		}, {
+			id: "MiniMax-M2.5",
+			name: "MiniMax M2.5",
+			reasoning: true,
+			input: ["text"],
+			cost: MINIMAX_API_COST,
+			contextWindow: MINIMAX_DEFAULT_CONTEXT_WINDOW,
+			maxTokens: MINIMAX_DEFAULT_MAX_TOKENS
 		}]
 	};
 }
@@ -10435,7 +10493,8 @@ const BindingsSchema = z.array(z.object({
 			id: z.string()
 		}).strict().optional(),
 		guildId: z.string().optional(),
-		teamId: z.string().optional()
+		teamId: z.string().optional(),
+		roles: z.array(z.string()).optional()
 	}).strict()
 }).strict()).optional();
 const BroadcastStrategySchema = z.enum(["parallel", "sequential"]);
@@ -10924,6 +10983,9 @@ const OpenClawSchema = z.object({
 		enabled: z.boolean().optional(),
 		path: z.string().optional(),
 		token: z.string().optional(),
+		defaultSessionKey: z.string().optional(),
+		allowRequestSessionKey: z.boolean().optional(),
+		allowedSessionKeyPrefixes: z.array(z.string()).optional(),
 		allowedAgentIds: z.array(z.string()).optional(),
 		maxBodyBytes: z.number().int().positive().optional(),
 		presets: z.array(z.string()).optional(),
@@ -11029,8 +11091,10 @@ const OpenClawSchema = z.object({
 			responses: z.object({
 				enabled: z.boolean().optional(),
 				maxBodyBytes: z.number().int().positive().optional(),
+				maxUrlParts: z.number().int().nonnegative().optional(),
 				files: z.object({
 					allowUrl: z.boolean().optional(),
+					urlAllowlist: z.array(z.string()).optional(),
 					allowedMimes: z.array(z.string()).optional(),
 					maxBytes: z.number().int().positive().optional(),
 					maxChars: z.number().int().positive().optional(),
@@ -11044,6 +11108,7 @@ const OpenClawSchema = z.object({
 				}).strict().optional(),
 				images: z.object({
 					allowUrl: z.boolean().optional(),
+					urlAllowlist: z.array(z.string()).optional(),
 					allowedMimes: z.array(z.string()).optional(),
 					maxBytes: z.number().int().positive().optional(),
 					maxRedirects: z.number().int().nonnegative().optional(),
@@ -13248,6 +13313,22 @@ function normalizeHostnameSet(values) {
 	if (!values || values.length === 0) return /* @__PURE__ */ new Set();
 	return new Set(values.map((value) => normalizeHostname(value)).filter(Boolean));
 }
+function normalizeHostnameAllowlist(values) {
+	if (!values || values.length === 0) return [];
+	return Array.from(new Set(values.map((value) => normalizeHostname(value)).filter((value) => value !== "*" && value !== "*." && value.length > 0)));
+}
+function isHostnameAllowedByPattern(hostname, pattern) {
+	if (pattern.startsWith("*.")) {
+		const suffix = pattern.slice(2);
+		if (!suffix || hostname === suffix) return false;
+		return hostname.endsWith(`.${suffix}`);
+	}
+	return hostname === pattern;
+}
+function matchesHostnameAllowlist(hostname, allowlist) {
+	if (allowlist.length === 0) return true;
+	return allowlist.some((pattern) => isHostnameAllowedByPattern(hostname, pattern));
+}
 function parseIpv4(address) {
 	const parts = address.split(".");
 	if (parts.length !== 4) return null;
@@ -13348,7 +13429,10 @@ async function resolvePinnedHostnameWithPolicy(hostname, params = {}) {
 	const normalized = normalizeHostname(hostname);
 	if (!normalized) throw new Error("Invalid hostname");
 	const allowPrivateNetwork = Boolean(params.policy?.allowPrivateNetwork);
-	const isExplicitAllowed = normalizeHostnameSet(params.policy?.allowedHostnames).has(normalized);
+	const allowedHostnames = normalizeHostnameSet(params.policy?.allowedHostnames);
+	const hostnameAllowlist = normalizeHostnameAllowlist(params.policy?.hostnameAllowlist);
+	const isExplicitAllowed = allowedHostnames.has(normalized);
+	if (!matchesHostnameAllowlist(normalized, hostnameAllowlist)) throw new SsrFBlockedError(`Blocked hostname (not in allowlist): ${hostname}`);
 	if (!allowPrivateNetwork && !isExplicitAllowed) {
 		if (isBlockedHostname(normalized)) throw new SsrFBlockedError(`Blocked hostname: ${hostname}`);
 		if (isPrivateIpAddress(normalized)) throw new SsrFBlockedError("Blocked: private/internal IP address");
@@ -13369,9 +13453,6 @@ async function resolvePinnedHostnameWithPolicy(hostname, params = {}) {
 		})
 	};
 }
-async function resolvePinnedHostname(hostname, lookupFn = lookup$1) {
-	return await resolvePinnedHostnameWithPolicy(hostname, { lookupFn });
-}
 function createPinnedDispatcher(pinned) {
 	return new Agent({ connect: { lookup: pinned.lookup } });
 }
@@ -13541,10 +13622,10 @@ async function fetchWithSsrFGuard(params) {
 		}
 		let dispatcher = null;
 		try {
-			const pinned = Boolean(params.policy?.allowPrivateNetwork || params.policy?.allowedHostnames?.length) ? await resolvePinnedHostnameWithPolicy(parsedUrl.hostname, {
+			const pinned = await resolvePinnedHostnameWithPolicy(parsedUrl.hostname, {
 				lookupFn: params.lookupFn,
 				policy: params.policy
-			}) : await resolvePinnedHostname(parsedUrl.hostname, params.lookupFn);
+			});
 			if (params.pinDns !== false) dispatcher = createPinnedDispatcher(pinned);
 			const init = {
 				...params.init ? { ...params.init } : {},
@@ -13581,6 +13662,7 @@ async function fetchWithSsrFGuard(params) {
 				release: async () => release(dispatcher)
 			};
 		} catch (err) {
+			if (err instanceof SsrFBlockedError) logWarn(`security: blocked URL fetch (${params.auditContext ?? "url-fetch"}) target=${parsedUrl.origin}${parsedUrl.pathname} reason=${err.message}`);
 			await release(dispatcher);
 			throw err;
 		}
@@ -13960,6 +14042,8 @@ async function optimizeImageToJpeg(buffer, maxBytes, opts = {}) {
 //#endregion
 //#region src/discord/send.permissions.ts
 const PERMISSION_ENTRIES = Object.entries(PermissionFlagsBits).filter(([, value]) => typeof value === "bigint");
+const ALL_PERMISSIONS = PERMISSION_ENTRIES.reduce((acc, [, value]) => acc | value, 0n);
+const ADMINISTRATOR_BIT = PermissionFlagsBits.Administrator;
 
 //#endregion
 //#region src/discord/send.types.ts
@@ -15318,6 +15402,14 @@ function buildDeviceAuthPayload(params) {
 	return base.join("|");
 }
 
+//#endregion
+//#region src/sessions/input-provenance.ts
+const INPUT_PROVENANCE_KIND_VALUES = [
+	"external_user",
+	"inter_session",
+	"internal_system"
+];
+
 //#endregion
 //#region src/sessions/session-label.ts
 const SESSION_LABEL_MAX_LENGTH = 64;
@@ -15389,6 +15481,12 @@ const AgentParamsSchema = Type.Object({
 	timeout: Type.Optional(Type.Integer({ minimum: 0 })),
 	lane: Type.Optional(Type.String()),
 	extraSystemPrompt: Type.Optional(Type.String()),
+	inputProvenance: Type.Optional(Type.Object({
+		kind: Type.String({ enum: [...INPUT_PROVENANCE_KIND_VALUES] }),
+		sourceSessionKey: Type.Optional(Type.String()),
+		sourceChannel: Type.Optional(Type.String()),
+		sourceTool: Type.Optional(Type.String())
+	}, { additionalProperties: false })),
 	idempotencyKey: NonEmptyString,
 	label: Type.Optional(SessionLabelString),
 	spawnedBy: Type.Optional(Type.String())
@@ -18264,6 +18362,18 @@ async function installSignalCli(runtime) {
 //#endregion
 //#region src/channels/plugins/onboarding/signal.ts
 const channel$1 = "signal";
+const MIN_E164_DIGITS = 5;
+const MAX_E164_DIGITS = 15;
+const DIGITS_ONLY = /^\d+$/;
+const INVALID_SIGNAL_ACCOUNT_ERROR = "Invalid E.164 phone number (must start with + and country code, e.g. +15555550123)";
+function normalizeSignalAccountInput(value) {
+	const trimmed = value?.trim();
+	if (!trimmed) return null;
+	const digits = normalizeE164(trimmed).slice(1);
+	if (!DIGITS_ONLY.test(digits)) return null;
+	if (digits.length < MIN_E164_DIGITS || digits.length > MAX_E164_DIGITS) return null;
+	return `+${digits}`;
+}
 function setSignalDmPolicy(cfg, dmPolicy) {
 	const allowFrom = dmPolicy === "open" ? addWildcardAllowFrom(cfg.channels?.signal?.allowFrom) : void 0;
 	return {
@@ -18417,15 +18527,22 @@ const signalOnboardingAdapter = {
 		if (!cliDetected) await prompter.note("signal-cli not found. Install it, then rerun this step or set channels.signal.cliPath.", "Signal");
 		let account = accountConfig.account ?? "";
 		if (account) {
-			if (!await prompter.confirm({
-				message: `Signal account set (${account}). Keep it?`,
-				initialValue: true
-			})) account = "";
+			const normalizedExisting = normalizeSignalAccountInput(account);
+			if (!normalizedExisting) {
+				await prompter.note("Existing Signal account isn't a valid E.164 number. Please enter it again.", "Signal");
+				account = "";
+			} else {
+				account = normalizedExisting;
+				if (!await prompter.confirm({
+					message: `Signal account set (${account}). Keep it?`,
+					initialValue: true
+				})) account = "";
+			}
 		}
-		if (!account) account = String(await prompter.text({
+		if (!account) account = normalizeSignalAccountInput(String(await prompter.text({
 			message: "Signal bot number (E.164)",
-			validate: (value) => value?.trim() ? void 0 : "Required"
-		})).trim();
+			validate: (value) => normalizeSignalAccountInput(String(value ?? "")) ? void 0 : INVALID_SIGNAL_ACCOUNT_ERROR
+		}))) ?? "";
 		if (account) if (signalAccountId === DEFAULT_ACCOUNT_ID) next = {
 			...next,
 			channels: {
@@ -18674,6 +18791,61 @@ const SANDBOX_STATE_DIR = path.join(STATE_DIR, "sandbox");
 const SANDBOX_REGISTRY_PATH = path.join(SANDBOX_STATE_DIR, "containers.json");
 const SANDBOX_BROWSER_REGISTRY_PATH = path.join(SANDBOX_STATE_DIR, "browsers.json");
 
+//#endregion
+//#region src/agents/sandbox-paths.ts
+const UNICODE_SPACES = /[\u00A0\u2000-\u200A\u202F\u205F\u3000]/g;
+function normalizeUnicodeSpaces(str) {
+	return str.replace(UNICODE_SPACES, " ");
+}
+function expandPath(filePath) {
+	const normalized = normalizeUnicodeSpaces(filePath);
+	if (normalized === "~") return os.homedir();
+	if (normalized.startsWith("~/")) return os.homedir() + normalized.slice(1);
+	return normalized;
+}
+function resolveToCwd(filePath, cwd) {
+	const expanded = expandPath(filePath);
+	if (path.isAbsolute(expanded)) return expanded;
+	return path.resolve(cwd, expanded);
+}
+function resolveSandboxPath(params) {
+	const resolved = resolveToCwd(params.filePath, params.cwd);
+	const rootResolved = path.resolve(params.root);
+	const relative = path.relative(rootResolved, resolved);
+	if (!relative || relative === "") return {
+		resolved,
+		relative: ""
+	};
+	if (relative.startsWith("..") || path.isAbsolute(relative)) throw new Error(`Path escapes sandbox root (${shortPath(rootResolved)}): ${params.filePath}`);
+	return {
+		resolved,
+		relative
+	};
+}
+async function assertSandboxPath(params) {
+	const resolved = resolveSandboxPath(params);
+	await assertNoSymlink(resolved.relative, path.resolve(params.root));
+	return resolved;
+}
+async function assertNoSymlink(relative, root) {
+	if (!relative) return;
+	const parts = relative.split(path.sep).filter(Boolean);
+	let current = root;
+	for (const part of parts) {
+		current = path.join(current, part);
+		try {
+			if ((await fs$1.lstat(current)).isSymbolicLink()) throw new Error(`Symlink not allowed in sandbox path: ${current}`);
+		} catch (err) {
+			if (err.code === "ENOENT") return;
+			throw err;
+		}
+	}
+}
+function shortPath(value) {
+	if (value.startsWith(os.homedir())) return `~${value.slice(os.homedir().length)}`;
+	return value;
+}
+
 //#endregion
 //#region src/agents/skills/plugin-skills.ts
 const log$17 = createSubsystemLogger("skills");
@@ -18695,6 +18867,10 @@ const SELECTOR_UNSUPPORTED_MESSAGE = [
 	"This is more reliable for modern SPAs."
 ].join("\n");
 
+//#endregion
+//#region src/browser/routes/agent.debug.ts
+const DEFAULT_TRACE_DIR = resolvePreferredOpenClawTmpDir();
+
 //#endregion
 //#region src/browser/screenshot.ts
 const DEFAULT_BROWSER_SCREENSHOT_MAX_BYTES = 5 * 1024 * 1024;
@@ -18726,11 +18902,80 @@ function isContextOverflowError(errorMessage) {
 	const hasContextWindow = lower.includes("context window") || lower.includes("context length") || lower.includes("maximum context length");
 	return lower.includes("request_too_large") || lower.includes("request exceeds the maximum size") || lower.includes("context length exceeded") || lower.includes("maximum context length") || lower.includes("prompt is too long") || lower.includes("exceeds model context window") || hasRequestSizeExceeds && hasContextWindow || lower.includes("context overflow:") || lower.includes("413") && lower.includes("too large");
 }
+const CONTEXT_WINDOW_TOO_SMALL_RE = /context window.*(too small|minimum is)/i;
+const CONTEXT_OVERFLOW_HINT_RE = /context.*overflow|context window.*(too (?:large|long)|exceed|over|limit|max(?:imum)?|requested|sent|tokens)|prompt.*(too (?:large|long)|exceed|over|limit|max(?:imum)?)|(?:request|input).*(?:context|window|length|token).*(too (?:large|long)|exceed|over|limit|max(?:imum)?)/i;
+const RATE_LIMIT_HINT_RE = /rate limit|too many requests|requests per (?:minute|hour|day)|quota|throttl|429\b/i;
+function isLikelyContextOverflowError(errorMessage) {
+	if (!errorMessage) return false;
+	if (CONTEXT_WINDOW_TOO_SMALL_RE.test(errorMessage)) return false;
+	if (isRateLimitErrorMessage(errorMessage)) return false;
+	if (isContextOverflowError(errorMessage)) return true;
+	if (RATE_LIMIT_HINT_RE.test(errorMessage)) return false;
+	return CONTEXT_OVERFLOW_HINT_RE.test(errorMessage);
+}
 function isCompactionFailureError(errorMessage) {
 	if (!errorMessage) return false;
 	const lower = errorMessage.toLowerCase();
 	if (!(lower.includes("summarization failed") || lower.includes("auto-compaction") || lower.includes("compaction failed") || lower.includes("compaction"))) return false;
-	return isContextOverflowError(errorMessage) || lower.includes("context overflow");
+	if (isLikelyContextOverflowError(errorMessage)) return true;
+	return lower.includes("context overflow");
+}
+const ERROR_PATTERNS = {
+	rateLimit: [
+		/rate[_ ]limit|too many requests|429/,
+		"exceeded your current quota",
+		"resource has been exhausted",
+		"quota exceeded",
+		"resource_exhausted",
+		"usage limit"
+	],
+	overloaded: [/overloaded_error|"type"\s*:\s*"overloaded_error"/i, "overloaded"],
+	timeout: [
+		"timeout",
+		"timed out",
+		"deadline exceeded",
+		"context deadline exceeded"
+	],
+	billing: [
+		/["']?(?:status|code)["']?\s*[:=]\s*402\b|\bhttp\s*402\b|\berror(?:\s+code)?\s*[:=]?\s*402\b|\b(?:got|returned|received)\s+(?:a\s+)?402\b|^\s*402\s+payment/i,
+		"payment required",
+		"insufficient credits",
+		"credit balance",
+		"plans & billing",
+		"insufficient balance"
+	],
+	auth: [
+		/invalid[_ ]?api[_ ]?key/,
+		"incorrect api key",
+		"invalid token",
+		"authentication",
+		"re-authenticate",
+		"oauth token refresh failed",
+		"unauthorized",
+		"forbidden",
+		"access denied",
+		"expired",
+		"token has expired",
+		/\b401\b/,
+		/\b403\b/,
+		"no credentials found",
+		"no api key found"
+	],
+	format: [
+		"string should match pattern",
+		"tool_use.id",
+		"tool_use_id",
+		"messages.1.content.1.tool_use.id",
+		"invalid request format"
+	]
+};
+function matchesErrorPatterns(raw, patterns) {
+	if (!raw) return false;
+	const value = raw.toLowerCase();
+	return patterns.some((pattern) => pattern instanceof RegExp ? pattern.test(value) : value.includes(pattern));
+}
+function isRateLimitErrorMessage(raw) {
+	return matchesErrorPatterns(raw, ERROR_PATTERNS.rateLimit);
 }
 
 //#endregion
@@ -20340,6 +20585,10 @@ const discordEventQueueLog = createSubsystemLogger("discord/event-queue");
 //#region src/pairing/pairing-store.ts
 const PAIRING_PENDING_TTL_MS = 3600 * 1e3;
 
+//#endregion
+//#region src/discord/monitor/threading.ts
+const DISCORD_THREAD_STARTER_CACHE_TTL_MS = 300 * 1e3;
+
 //#endregion
 //#region src/security/external-content.ts
 /**
@@ -20367,6 +20616,7 @@ const EXTERNAL_SOURCE_LABELS = {
 	email: "Email",
 	webhook: "Webhook",
 	api: "API",
+	browser: "Browser",
 	channel_metadata: "Channel metadata",
 	web_search: "Web Search",
 	web_fetch: "Web Fetch",
@@ -20832,61 +21082,6 @@ async function loginWeb(verbose, waitForConnection, runtime = defaultRuntime, ac
 //#region src/plugins/tools.ts
 const log$6 = createSubsystemLogger("plugins");
 
-//#endregion
-//#region src/agents/sandbox-paths.ts
-const UNICODE_SPACES = /[\u00A0\u2000-\u200A\u202F\u205F\u3000]/g;
-function normalizeUnicodeSpaces(str) {
-	return str.replace(UNICODE_SPACES, " ");
-}
-function expandPath(filePath) {
-	const normalized = normalizeUnicodeSpaces(filePath);
-	if (normalized === "~") return os.homedir();
-	if (normalized.startsWith("~/")) return os.homedir() + normalized.slice(1);
-	return normalized;
-}
-function resolveToCwd(filePath, cwd) {
-	const expanded = expandPath(filePath);
-	if (path.isAbsolute(expanded)) return expanded;
-	return path.resolve(cwd, expanded);
-}
-function resolveSandboxPath(params) {
-	const resolved = resolveToCwd(params.filePath, params.cwd);
-	const rootResolved = path.resolve(params.root);
-	const relative = path.relative(rootResolved, resolved);
-	if (!relative || relative === "") return {
-		resolved,
-		relative: ""
-	};
-	if (relative.startsWith("..") || path.isAbsolute(relative)) throw new Error(`Path escapes sandbox root (${shortPath(rootResolved)}): ${params.filePath}`);
-	return {
-		resolved,
-		relative
-	};
-}
-async function assertSandboxPath(params) {
-	const resolved = resolveSandboxPath(params);
-	await assertNoSymlink(resolved.relative, path.resolve(params.root));
-	return resolved;
-}
-async function assertNoSymlink(relative, root) {
-	if (!relative) return;
-	const parts = relative.split(path.sep).filter(Boolean);
-	let current = root;
-	for (const part of parts) {
-		current = path.join(current, part);
-		try {
-			if ((await fs$1.lstat(current)).isSymbolicLink()) throw new Error(`Symlink not allowed in sandbox path: ${current}`);
-		} catch (err) {
-			if (err.code === "ENOENT") return;
-			throw err;
-		}
-	}
-}
-function shortPath(value) {
-	if (value.startsWith(os.homedir())) return `~${value.slice(os.homedir().length)}`;
-	return value;
-}
-
 //#endregion
 //#region src/agents/apply-patch.ts
 const applyPatchSchema = Type.Object({ input: Type.String({ description: "Patch content using the *** Begin Patch/End Patch format." }) });
@@ -24965,6 +25160,7 @@ const log = createSubsystemLogger("agent/claude-cli");
 const DEFAULT_MEMORY_FLUSH_PROMPT = [
 	"Pre-compaction memory flush.",
 	"Store durable memories now (use memory/YYYY-MM-DD.md; create memory/ if needed).",
+	"IMPORTANT: If the file already exists, APPEND new content only and do not overwrite existing entries.",
 	`If nothing to store, reply with ${SILENT_REPLY_TOKEN}.`
 ].join(" ");
 const DEFAULT_MEMORY_FLUSH_SYSTEM_PROMPT = [

package/dist/plugin-sdk/infra/binaries.d.ts

@@ -0,0 +1,3 @@
+import { runExec } from "../process/exec.js";
+import { type RuntimeEnv } from "../runtime.js";
+export declare function ensureBinary(name: string, exec?: typeof runExec, runtime?: RuntimeEnv): Promise<void>;

package/dist/plugin-sdk/infra/heartbeat-runner.d.ts

@@ -20,6 +20,7 @@ export type HeartbeatSummary = {
     model?: string;
     ackMaxChars: number;
 };
+export declare function isCronSystemEvent(evt: string): boolean;
 export type HeartbeatRunner = {
     stop: () => void;
     updateConfig: (cfg: OpenClawConfig) => void;

package/dist/plugin-sdk/infra/net/fetch-guard.d.ts

@@ -10,6 +10,7 @@ export type GuardedFetchOptions = {
     policy?: SsrFPolicy;
     lookupFn?: LookupFn;
     pinDns?: boolean;
+    auditContext?: string;
 };
 export type GuardedFetchResult = {
     response: Response;

package/dist/plugin-sdk/infra/net/ssrf.d.ts

@@ -8,6 +8,7 @@ export type LookupFn = typeof dnsLookup;
 export type SsrFPolicy = {
     allowPrivateNetwork?: boolean;
     allowedHostnames?: string[];
+    hostnameAllowlist?: string[];
 };
 export declare function isPrivateIpAddress(address: string): boolean;
 export declare function isBlockedHostname(hostname: string): boolean;

package/dist/plugin-sdk/infra/tailscale.d.ts

@@ -0,0 +1,34 @@
+import { promptYesNo } from "../cli/prompt.js";
+import { runExec } from "../process/exec.js";
+import { type RuntimeEnv } from "../runtime.js";
+/**
+ * Locate Tailscale binary using multiple strategies:
+ * 1. PATH lookup (via which command)
+ * 2. Known macOS app path
+ * 3. find /Applications for Tailscale.app
+ * 4. locate database (if available)
+ *
+ * @returns Path to Tailscale binary or null if not found
+ */
+export declare function findTailscaleBinary(): Promise<string | null>;
+export declare function getTailnetHostname(exec?: typeof runExec, detectedBinary?: string): Promise<string>;
+export declare function getTailscaleBinary(): Promise<string>;
+export declare function readTailscaleStatusJson(exec?: typeof runExec, opts?: {
+    timeoutMs?: number;
+}): Promise<Record<string, unknown>>;
+export declare function ensureGoInstalled(exec?: typeof runExec, prompt?: typeof promptYesNo, runtime?: RuntimeEnv): Promise<void>;
+export declare function ensureTailscaledInstalled(exec?: typeof runExec, prompt?: typeof promptYesNo, runtime?: RuntimeEnv): Promise<void>;
+export type TailscaleWhoisIdentity = {
+    login: string;
+    name?: string;
+};
+export declare function ensureFunnel(port: number, exec?: typeof runExec, runtime?: RuntimeEnv, prompt?: typeof promptYesNo): Promise<void>;
+export declare function enableTailscaleServe(port: number, exec?: typeof runExec): Promise<void>;
+export declare function disableTailscaleServe(exec?: typeof runExec): Promise<void>;
+export declare function enableTailscaleFunnel(port: number, exec?: typeof runExec): Promise<void>;
+export declare function disableTailscaleFunnel(exec?: typeof runExec): Promise<void>;
+export declare function readTailscaleWhoisIdentity(ip: string, exec?: typeof runExec, opts?: {
+    timeoutMs?: number;
+    cacheTtlMs?: number;
+    errorTtlMs?: number;
+}): Promise<TailscaleWhoisIdentity | null>;

package/dist/plugin-sdk/infra/tmp-openclaw-dir.d.ts

@@ -0,0 +1,10 @@
+export declare const POSIX_OPENCLAW_TMP_DIR = "/tmp/openclaw";
+type ResolvePreferredOpenClawTmpDirOptions = {
+    accessSync?: (path: string, mode?: number) => void;
+    statSync?: (path: string) => {
+        isDirectory(): boolean;
+    };
+    tmpdir?: () => string;
+};
+export declare function resolvePreferredOpenClawTmpDir(options?: ResolvePreferredOpenClawTmpDirOptions): string;
+export {};

package/dist/plugin-sdk/logging/logger.d.ts

@@ -1,7 +1,7 @@
 import { Logger as TsLogger } from "tslog";
 import type { ConsoleStyle } from "./console.js";
 import { type LogLevel } from "./levels.js";
-export declare const DEFAULT_LOG_DIR = "/tmp/openclaw";
+export declare const DEFAULT_LOG_DIR: string;
 export declare const DEFAULT_LOG_FILE: string;
 export type LoggerSettings = {
     level?: LogLevel;