ocuclaw 1.2.4 → 1.3.1

package/dist/gateway/openclaw-client.js

@@ -3,6 +3,7 @@ import * as crypto from "node:crypto";
 import * as fs from "node:fs";
 import * as path from "node:path";
 import WebSocket from "ws";
+import { createGatewayTimingLedger } from "./gateway-timing-ledger.js";
 
 // --- Constants ---
 
@@ -19,9 +20,14 @@ const SCOPES = [
   "operator.approvals",
   "operator.admin",
 ];
-const PROTOCOL_VERSION = 3;
+const MIN_PROTOCOL_VERSION = 3;
+const MAX_PROTOCOL_VERSION = 4;
 const HISTORY_ACTIVITY_POLL_INTERVAL_MS = 500;
 const HISTORY_ACTIVITY_POLL_LIMIT = 40;
+// Per-request ACK timeout: fires only while waiting for the *initial* ack, not
+// during a mid-turn run. Comfortably above normal ack latency but below the
+// ~60s coarse tick-watch run backstop. Disarmed when an accepted ack arrives.
+const RPC_ACK_TIMEOUT_MS = 15000;
 
 const THINKING_SUMMARY_KEYS = [
   "summary",
@@ -411,6 +417,231 @@ function normalizeThinkingSummarySource(rawSource) {
   return null;
 }
 
+const FAILURE_LABEL_MAX_CHARS = 120;
+const FAILURE_DETAIL_MAX_CHARS = 240;
+const FAILOVER_REASON_ACTIVITY_CODE_MAP = Object.freeze({
+  rate_limit: "provider_rate_limited",
+  billing: "provider_quota_exhausted",
+  auth: "provider_auth_invalid",
+  auth_permanent: "provider_auth_invalid",
+  overloaded: "provider_unavailable",
+  timeout: "provider_timeout",
+  format: "provider_request_invalid",
+});
+
+function shortText(text, maxChars) {
+  if (!text) return "";
+  if (text.length <= maxChars) return text;
+  if (maxChars <= 3) return ".".repeat(Math.max(maxChars, 0));
+  return `${text.slice(0, maxChars - 3)}...`;
+}
+
+function sanitizeFailureText(rawText, maxChars) {
+  if (rawText === undefined || rawText === null) return null;
+  let text = String(rawText);
+
+  text = text.replace(
+    new RegExp(`([?&](?:token|access_token|api_key|key|password|secret)=)[^&#\\s]+`, "gi"),
+    "$1[redacted]",
+  );
+  text = text.replace(
+    /((?:api[_-]?key|token|password|secret)\s*[=:]\s*)([^,\s"'`]+)/gi,
+    "$1[redacted]",
+  );
+  text = text.replace(/(authorization\s*:\s*bearer\s+)[^\s"'`]+/gi, "$1[redacted]");
+  text = text.replace(/\bBearer\s+[A-Za-z0-9._-]{8,}\b/g, "Bearer [redacted]");
+  text = text.replace(
+    /\b(sk-[A-Za-z0-9]{16,}|ghp_[A-Za-z0-9]{20,}|xox[baprs]-[A-Za-z0-9-]{10,})\b/g,
+    "[redacted]",
+  );
+  text = text.replace(/\s+/g, " ").trim();
+  if (!text) return null;
+  return shortText(text, maxChars);
+}
+
+function normalizeFailureHint(rawHint) {
+  if (typeof rawHint !== "string") return "";
+  const trimmed = rawHint.trim().toLowerCase();
+  if (!trimmed) return "";
+  return trimmed.replace(/[\s-]+/g, "_");
+}
+
+function mapFailureHintToActivityCode(rawHint) {
+  const normalizedHint = normalizeFailureHint(rawHint);
+  if (!normalizedHint) return null;
+  if (Object.hasOwn(FAILOVER_REASON_ACTIVITY_CODE_MAP, normalizedHint)) {
+    return FAILOVER_REASON_ACTIVITY_CODE_MAP[normalizedHint];
+  }
+  if (
+    normalizedHint === "auth_scope" ||
+    normalizedHint === "auth_refresh" ||
+    normalizedHint === "auth_html_403"
+  ) {
+    return "provider_auth_invalid";
+  }
+  if (normalizedHint === "proxy") {
+    return "provider_unavailable";
+  }
+  return null;
+}
+
+function inferFailureHintFromText(rawText) {
+  if (typeof rawText !== "string") return null;
+  const text = rawText.trim().toLowerCase();
+  if (!text) return null;
+
+  if (
+    text.includes("rate_limit") ||
+    text.includes("rate limit") ||
+    text.includes("rate limited") ||
+    text.includes("too many requests") ||
+    text.includes("usage limit") ||
+    text.includes("organization usage limit")
+  ) {
+    return "rate_limit";
+  }
+
+  if (
+    text.includes("out of credits") ||
+    text.includes("insufficient credits") ||
+    text.includes("insufficient quota") ||
+    text.includes("quota exhausted") ||
+    text.includes("quota balance") ||
+    text.includes("payment required") ||
+    text.includes("billing hard limit") ||
+    text.includes("credit balance")
+  ) {
+    return "billing";
+  }
+
+  if (
+    text.includes("invalid api key") ||
+    text.includes("api key invalid") ||
+    text.includes("authentication failed") ||
+    text.includes("missing scopes") ||
+    text.includes("missing scope") ||
+    text.includes("invalid_api_key") ||
+    text.includes("permission_error") ||
+    text.includes("oauth token refresh failed")
+  ) {
+    return "auth";
+  }
+
+  if (text.includes("timed out") || text.includes("timeout")) {
+    return "timeout";
+  }
+
+  if (
+    text.includes("invalid request") ||
+    text.includes("bad request") ||
+    text.includes("provider_request_invalid")
+  ) {
+    return "format";
+  }
+
+  if (
+    text.includes("service unavailable") ||
+    text.includes("provider unavailable") ||
+    text.includes("temporarily unavailable") ||
+    text.includes("overloaded")
+  ) {
+    return "overloaded";
+  }
+
+  return null;
+}
+
+function resolveTerminalErrorCode(source, fallbackCode) {
+  const explicitCode = pickTrimmedString(source.code, source.errorCode);
+  if (explicitCode) {
+    return explicitCode;
+  }
+
+  const structuredHintCode = mapFailureHintToActivityCode(
+    pickTrimmedString(source.errorKind, source.failoverReason, source.providerRuntimeFailureKind),
+  );
+  if (structuredHintCode) {
+    return structuredHintCode;
+  }
+
+  const inferredHintCode = mapFailureHintToActivityCode(
+    inferFailureHintFromText(
+      pickTrimmedString(
+        source.detail,
+        source.message,
+        source.error,
+        source.label,
+        source.reason,
+      ),
+    ),
+  );
+  return inferredHintCode || fallbackCode || "agent_error";
+}
+
+function buildTerminalErrorActivity(data, fallbackRunId, fallbackSessionKey, fallbackCode) {
+  const source = isObject(data) ? data : {};
+  const code = resolveTerminalErrorCode(source, fallbackCode);
+  const labelSource = pickTrimmedString(
+    source.label,
+    source.title,
+    source.summary,
+    source.message,
+    source.error,
+    code,
+    "Run failed",
+  );
+  const detailSource = pickTrimmedString(
+    source.detail,
+    source.message,
+    source.error,
+    source.reason,
+    source.label,
+    code,
+  );
+  const runId = normalizeRunId(
+    pickTrimmedString(source.runId, fallbackRunId),
+  );
+  const sessionKey = normalizeSessionKey(
+    pickTrimmedString(source.sessionKey, fallbackSessionKey),
+  );
+  const activity = {
+    state: "idle",
+    sessionKey,
+    runId,
+    origin: "lifecycle",
+    phase: "error",
+    isError: true,
+    code,
+  };
+  const label = sanitizeFailureText(labelSource, FAILURE_LABEL_MAX_CHARS);
+  const detail = sanitizeFailureText(detailSource, FAILURE_DETAIL_MAX_CHARS);
+  if (label) activity.label = label;
+  if (detail) activity.detail = detail;
+  else if (label) activity.detail = label;
+  // failoverReason is set by the runtime when this terminal error is about to
+  // trigger a profile rotation or fallback retry. Surface it as a hint so the
+  // WebUI can suppress sticky failure feedback for runs that will retry on
+  // another auth profile or model rather than ending the user-visible turn.
+  if (pickTrimmedString(source.failoverReason)) {
+    activity.failoverPending = true;
+  }
+  return activity;
+}
+
+function buildStructuredError(data, fallbackMessage, fallbackCode) {
+  const source = isObject(data) ? data : {};
+  const error = new Error(
+    pickTrimmedString(source.message, source.error, fallbackMessage) || fallbackMessage,
+  );
+  const code = pickTrimmedString(source.code, source.errorCode, fallbackCode) || fallbackCode;
+  const requestId = pickTrimmedString(source.requestId);
+  const op = pickTrimmedString(source.op);
+  if (code) error.code = code;
+  if (requestId) error.requestId = requestId;
+  if (op) error.op = op;
+  return error;
+}
+
 function selectThinkingDisplayLabel({
   summaryText,
   boldLabelCandidate,
@@ -477,6 +708,7 @@ function parseThinkingSignatureId(rawSignature) {
 
 function extractThinkingPayload(raw) {
   if (!isObject(raw)) return null;
+  if (raw.redacted === true || raw.type === "redacted_thinking") return null;
   const summaryEntry = pickFirstStringEntry(raw, THINKING_SUMMARY_KEYS);
   const detailEntry = pickFirstStringEntry(raw, THINKING_DETAIL_KEYS);
   const summaryText = normalizeThinkingText(summaryEntry ? summaryEntry.value : null);
@@ -544,6 +776,11 @@ class OpenClawClient extends EventEmitter {
   constructor(opts = {}) {
     super();
     this._logger = normalizeLogger(opts.logger);
+    this._timingLedger = createGatewayTimingLedger({
+      logger: this._logger,
+      now: () => Date.now(),
+      emitTiming: (event) => this.emit("timing", event),
+    });
     this._gatewayUrl = pickTrimmedString(opts.gatewayUrl);
     this._gatewayToken = pickTrimmedString(opts.gatewayToken);
     this._persistencePaths = resolvePersistencePaths(opts.stateDir);
@@ -570,7 +807,7 @@ class OpenClawClient extends EventEmitter {
     this._activeRunSessionKey = null;
     this._activeRunStartedAtMs = null;
     this._activeRunGeneration = 0;
-    this._runTextBuffer = ""; // buffered assistant deltas for current run
+    this._runTextBuffer = ""; // accumulated assistant text for current run
 
     // --- Agent identity (step 6) ---
     this._agentIdentity = null;
@@ -589,6 +826,7 @@ class OpenClawClient extends EventEmitter {
 
   setLogger(logger) {
     this._logger = normalizeLogger(logger);
+    this._timingLedger.setLogger(this._logger);
   }
 
   /**
@@ -630,6 +868,7 @@ class OpenClawClient extends EventEmitter {
       clearTimeout(this._reconnectTimer);
       this._reconnectTimer = null;
     }
+    this._timingLedger.clear("stop");
     this._invalidateActiveRun();
     this._stopTickWatch();
     if (this._ws) {
@@ -654,10 +893,37 @@ class OpenClawClient extends EventEmitter {
     const id = crypto.randomUUID();
     const frame = { type: "req", id, method, params };
     const expectFinal = opts && opts.expectFinal === true;
+    const diagnostic = opts && opts.diagnostic;
     const promise = new Promise((resolve, reject) => {
-      this._pending.set(id, { resolve, reject, expectFinal });
+      this._pending.set(id, { resolve, reject, expectFinal, method, diagnostic });
     });
+    // Per-request ACK timeout: reject if the initial ack never arrives. Disarmed
+    // when an accepted ack arrives (keepPending branch) so a legitimately
+    // long-running mid-turn run is NOT killed by this timeout.
+    const timer = setTimeout(() => {
+      const pendingEntry = this._pending.get(id);
+      if (!pendingEntry) return;
+      this._pending.delete(id);
+      const err = new Error("rpc ack timeout");
+      err.code = "rpc_timeout";
+      err.retryable = true;
+      pendingEntry.reject(err);
+    }, RPC_ACK_TIMEOUT_MS);
+    if (timer.unref) {
+      timer.unref();
+    }
+    const pendingForTimer = this._pending.get(id);
+    if (pendingForTimer) {
+      pendingForTimer.timer = timer;
+    }
     const raw = JSON.stringify(frame);
+    this._timingLedger.recordRequestSent({
+      requestId: id,
+      method,
+      params,
+      expectFinal,
+      diagnostic,
+    });
     this.emit("protocol", { direction: "out", frame });
     this._ws.send(raw);
     return promise;
@@ -728,13 +994,17 @@ class OpenClawClient extends EventEmitter {
   }
 
   /**
-   * Resolve an exec approval request.
+   * Resolve an approval request.
    * @param {string} id - Approval request ID
    * @param {string} decision - "allow-once", "allow-always", or "deny"
    * @returns {Promise}
    */
   resolveApproval(id, decision) {
-    return this.request("exec.approval.resolve", { id, decision });
+    const method =
+      typeof id === "string" && id.startsWith("plugin:")
+        ? "plugin.approval.resolve"
+        : "exec.approval.resolve";
+    return this.request(method, { id, decision });
   }
 
   _beginActiveRun(runId, sessionKey) {
@@ -791,6 +1061,7 @@ class OpenClawClient extends EventEmitter {
     this._connectSent = false;
 
     // Reset per-connection state
+    this._timingLedger.clear("connect_reset");
     this._lastSeq = null;
     this._lastTick = null;
     this._historyResolved = false;
@@ -819,6 +1090,7 @@ class OpenClawClient extends EventEmitter {
       this._ws = null;
       this._stopTickWatch();
       this._stopHistoryActivityPolling();
+      this._timingLedger.clear("disconnect");
       this._flushPendingErrors(new Error(`gateway closed (${code}): ${reasonText}`));
       this.emit("disconnected", { code, reason: reasonText });
       this.emit("status", "disconnected");
@@ -865,7 +1137,23 @@ class OpenClawClient extends EventEmitter {
       // If expectFinal, skip intermediate acks (status: "accepted") (step 4)
       const payload = parsed.payload;
       const status = payload && payload.status;
-      if (pending.expectFinal && status === "accepted") {
+      const keepPending =
+        pending.expectFinal && parsed.ok === true && status === "accepted";
+      this._timingLedger.recordResponseReceived({
+        requestId: parsed.id,
+        ok: parsed.ok === true,
+        payload: parsed.payload,
+        response: parsed.payload,
+        error: parsed.error,
+        keepPending,
+      });
+      if (keepPending) {
+        // The accepted ack arrived: the run is legitimately long-running, so
+        // disarm the ACK timeout (the coarse tick-watch remains the run backstop).
+        if (pending.timer) {
+          clearTimeout(pending.timer);
+          pending.timer = null;
+        }
         // Track the runId from the ack
         if (payload.runId) {
           this._activeRunId = payload.runId;
@@ -874,6 +1162,11 @@ class OpenClawClient extends EventEmitter {
         return; // Keep the pending entry, wait for final response
       }
 
+      // Final settle: clear the ACK timeout before resolving/rejecting.
+      if (pending.timer) {
+        clearTimeout(pending.timer);
+        pending.timer = null;
+      }
       this._pending.delete(parsed.id);
       if (parsed.ok) {
         pending.resolve(parsed.payload);
@@ -951,7 +1244,7 @@ class OpenClawClient extends EventEmitter {
       return;
     }
 
-    // --- Exec approval events ---
+    // --- Approval events ---
     if (evt.event === "exec.approval.requested") {
       this.emit("approval", evt.payload);
       return;
@@ -962,11 +1255,57 @@ class OpenClawClient extends EventEmitter {
       return;
     }
 
+    if (evt.event === "plugin.approval.requested") {
+      this.emit("approval", { ...(evt.payload || {}), approvalKind: "plugin" });
+      return;
+    }
+
+    if (evt.event === "plugin.approval.resolved") {
+      this.emit("approvalResolved", { ...(evt.payload || {}), approvalKind: "plugin" });
+      return;
+    }
+
     // --- Agent events (step 5) ---
     if (evt.event === "agent") {
-      // If history hasn't resolved yet, queue the event (step 9)
-      if (!this._historyResolved) {
-        this._eventQueue.push(evt);
+      const payload = evt.payload || {};
+      const data = payload.data || {};
+      this._timingLedger.recordGatewayEventReceived({
+        eventName: evt.event,
+        payload: evt.payload,
+        kind: evt.event,
+        runId: payload.runId,
+        stream: payload.stream,
+        phase: data.phase,
+        data,
+      });
+      // History-gate decouple (F18, history half): only the run-end COMMIT
+      // mutates the persistent message list downstream (lifecycle:end ->
+      // emit("message") -> conversationState.addMessage, a blind push), and the
+      // history hydrate is a DESTRUCTIVE replace-all (conversation-state.ts
+      // hydrate()). To avoid the commit being clobbered/duplicated by a later
+      // hydrate, the commit must still run AFTER history resolves. Every other
+      // agent event (lifecycle:start, assistant/streaming, tool, error) emits
+      // only transient/live effects (activity/streaming/error) that hydrate
+      // never touches, so processing them immediately is safe and removes the
+      // reconnect responsiveness delay. The intact commit event is queued and
+      // replayed via _drainEventQueue, preserving the de-dup contract exactly.
+      const isCommitEvent = data.phase === "end" && payload.stream === "lifecycle";
+      if (isCommitEvent && !this._historyResolved) {
+        // Snapshot the commit-relevant LIVE instance state at enqueue time. The
+        // lifecycle:end branch reads _runTextBuffer / _activeRunId / _gapDuringRun
+        // (and _activeRunSessionKey as the session-key fallback) — all of which a
+        // LATER run's lifecycle:start (_beginActiveRun) or an _invalidateActiveRun
+        // mutates before the queue drains. Capturing now keeps the deferred commit
+        // contemporaneous with its own run, restoring pre-F18 replay semantics.
+        this._eventQueue.push({
+          payload: evt.payload,
+          capturedCommit: {
+            fullText: this._runTextBuffer,
+            activeRunId: this._activeRunId,
+            activeRunSessionKey: this._activeRunSessionKey,
+            gapDuringRun: this._gapDuringRun,
+          },
+        });
         return;
       }
       this._handleAgentEvent(evt.payload);
@@ -980,7 +1319,7 @@ class OpenClawClient extends EventEmitter {
    * Handle an agent event payload.
    * Buffers assistant text deltas, emits activity/message events.
    */
-  _handleAgentEvent(payload) {
+  _handleAgentEvent(payload, capturedCommit) {
     if (!payload) return;
 
     const { runId, stream, data } = payload;
@@ -988,7 +1327,7 @@ class OpenClawClient extends EventEmitter {
 
     switch (stream) {
       case "lifecycle":
-        this._handleLifecycleEvent(runId, data, payload.sessionKey);
+        this._handleLifecycleEvent(runId, data, payload.sessionKey, capturedCommit);
         break;
       case "assistant":
         this._handleAssistantEvent(runId, data);
@@ -998,14 +1337,32 @@ class OpenClawClient extends EventEmitter {
         break;
       case "error":
         this._logger.error(`[openclaw] Agent error: ${JSON.stringify(data)}`);
-        this.emit("error", new Error(data.message || "agent error"));
+        {
+          const terminalActivity = buildTerminalErrorActivity(
+            data,
+            runId || this._activeRunId,
+            payload.sessionKey || this._activeRunSessionKey,
+            "agent_error",
+          );
+          if (terminalActivity.runId && terminalActivity.sessionKey) {
+            this.emit("activity", terminalActivity);
+            this._timingLedger.recordRunTerminal({
+              runId: terminalActivity.runId,
+            });
+            this._invalidateActiveRun();
+          }
+          this.emit(
+            "error",
+            buildStructuredError(data, "agent error", terminalActivity.code || "agent_error"),
+          );
+        }
         break;
       default:
         break;
     }
   }
 
-  _handleLifecycleEvent(runId, data, sessionKey) {
+  _handleLifecycleEvent(runId, data, sessionKey, capturedCommit) {
     switch (data.phase) {
       case "start":
         this._beginActiveRun(runId, sessionKey);
@@ -1021,18 +1378,48 @@ class OpenClawClient extends EventEmitter {
         break;
 
       case "end": {
+        // Prefer the snapshot captured at history-gate enqueue time (F18 commit
+        // defer). When the end event is processed IMMEDIATELY (history already
+        // resolved), capturedCommit is undefined and live instance state is read
+        // exactly as before — byte-for-byte unchanged. When DEFERRED, a later
+        // run's start (or an invalidate) may have already clobbered these shared
+        // fields, so the snapshot keeps the commit contemporaneous with its run.
+        const committedActiveRunId = capturedCommit
+          ? capturedCommit.activeRunId
+          : this._activeRunId;
+        const committedActiveRunSessionKey = capturedCommit
+          ? capturedCommit.activeRunSessionKey
+          : this._activeRunSessionKey;
         // Assemble full response from buffered text
-        const fullText = this._runTextBuffer;
-        const completedRunId = normalizeRunId(this._activeRunId) || normalizeRunId(runId);
+        const fullText = capturedCommit ? capturedCommit.fullText : this._runTextBuffer;
+        const completedRunId = normalizeRunId(committedActiveRunId) || normalizeRunId(runId);
         const completedSessionKey =
           normalizeSessionKey(sessionKey) ||
-          normalizeSessionKey(this._activeRunSessionKey) ||
+          normalizeSessionKey(committedActiveRunSessionKey) ||
           null;
-        const gapDuringRun = this._gapDuringRun;
+        const gapDuringRun = capturedCommit ? capturedCommit.gapDuringRun : this._gapDuringRun;
 
         // Invalidate run state before emitting terminal idle so late history polls
         // cannot reopen thinking for a completed run.
-        this._invalidateActiveRun();
+        this._timingLedger.recordRunTerminal({
+          runId: completedRunId,
+        });
+        // Reconnect-window guard (F18 successor-run protection): a DEFERRED
+        // commit (capturedCommit present) drains AFTER its run ended, and a
+        // LATER run's lifecycle:start may already have become the live active
+        // run (set _activeRunId, armed history polling, started buffering its
+        // own text) before drain. An unconditional invalidate here would tear
+        // down that live successor — stop its thinking-summary polling, null
+        // its _activeRunId, and clear its _runTextBuffer — wiping state that
+        // belongs to a run that has NOT ended. Only invalidate when this commit
+        // IS the live active run (its own run, or a non-deferred/live commit
+        // where the snapshot is absent). When _activeRunId is already null there
+        // is nothing live to protect, so skipping the invalidate is a no-op.
+        const commitIsLiveActiveRun =
+          normalizeRunId(this._activeRunId) === normalizeRunId(committedActiveRunId);
+        if (!capturedCommit || commitIsLiveActiveRun) {
+          this._invalidateActiveRun();
+        }
 
         this.emit("message", {
           runId: completedRunId,
@@ -1066,20 +1453,27 @@ class OpenClawClient extends EventEmitter {
       case "error":
         this._logger.error(`[openclaw] Agent lifecycle error: ${JSON.stringify(data)}`);
         {
-          const completedRunId = normalizeRunId(runId) || normalizeRunId(this._activeRunId);
-          const completedSessionKey =
-            normalizeSessionKey(sessionKey) ||
-            normalizeSessionKey(this._activeRunSessionKey) ||
-            null;
-          this._invalidateActiveRun();
-          this.emit("error", new Error(data.message || "agent lifecycle error"));
-          this.emit("activity", {
-            state: "idle",
-            sessionKey: completedSessionKey,
-            runId: completedRunId || null,
-            origin: "lifecycle",
-            phase: "error",
+          const terminalActivity = buildTerminalErrorActivity(
+            data,
+            runId || this._activeRunId,
+            sessionKey || this._activeRunSessionKey,
+            "agent_lifecycle_error",
+          );
+          if (terminalActivity.runId && terminalActivity.sessionKey) {
+            this.emit("activity", terminalActivity);
+          }
+          this._timingLedger.recordRunTerminal({
+            runId: terminalActivity.runId,
           });
+          this._invalidateActiveRun();
+          this.emit(
+            "error",
+            buildStructuredError(
+              data,
+              "agent lifecycle error",
+              terminalActivity.code || "agent_lifecycle_error",
+            ),
+          );
         }
         break;
 
@@ -1098,11 +1492,20 @@ class OpenClawClient extends EventEmitter {
 
     // Gateway sends accumulated text (full text so far), not deltas
     if (typeof data.text === "string") {
+      const previousTextLength = this._runTextBuffer.length;
+      const gatewayReceivedAtMs = Date.now();
+      const rawAssistantChars = data.text.length;
+      const assistantDeltaChars = Math.max(0, rawAssistantChars - previousTextLength);
+      const firstGatewayChunk = previousTextLength <= 0;
       this._runTextBuffer = data.text;
       this.emit("streaming", {
         text: data.text,
         sessionKey: this._activeRunSessionKey,
         runId: runId || this._activeRunId || null,
+        gatewayReceivedAtMs,
+        rawAssistantChars,
+        assistantDeltaChars,
+        firstGatewayChunk,
       });
     }
   }
@@ -1130,7 +1533,9 @@ class OpenClawClient extends EventEmitter {
     if (args) activity.args = args;
     if (path) activity.path = path;
     if (typeof data.toolCallId === "string" && data.toolCallId.trim()) {
-      activity.activityId = data.toolCallId.trim();
+      const trimmedToolCallId = data.toolCallId.trim();
+      activity.activityId = trimmedToolCallId;
+      activity.toolCallId = trimmedToolCallId;
     }
     if (Number.isFinite(data.seq)) {
       activity.seq = Math.floor(data.seq);
@@ -1155,7 +1560,8 @@ class OpenClawClient extends EventEmitter {
       });
     };
 
-    poll();
+    // Let setInterval fire the first poll one interval out so the initial
+    // chat.history fetch doesn't contend with the first streaming chunk landing.
     this._historyActivityPollTimer = setInterval(
       poll,
       HISTORY_ACTIVITY_POLL_INTERVAL_MS,
@@ -1300,6 +1706,7 @@ class OpenClawClient extends EventEmitter {
       summary: extracted.label,
       thinking: extracted.detail,
       thinkingSummarySource: extracted.thinkingSummarySource,
+      thinkingSignatureId: extracted.signatureId || null,
     });
   }
 
@@ -1344,8 +1751,8 @@ class OpenClawClient extends EventEmitter {
 
     // Build connect request params
     const params = {
-      minProtocol: PROTOCOL_VERSION,
-      maxProtocol: PROTOCOL_VERSION,
+      minProtocol: MIN_PROTOCOL_VERSION,
+      maxProtocol: MAX_PROTOCOL_VERSION,
       client: {
         id: CLIENT_ID,
         version: CLIENT_VERSION,
@@ -1480,7 +1887,7 @@ class OpenClawClient extends EventEmitter {
     const queue = this._eventQueue;
     this._eventQueue = [];
     for (const evt of queue) {
-      this._handleAgentEvent(evt.payload);
+      this._handleAgentEvent(evt.payload, evt.capturedCommit);
     }
   }
 
@@ -1493,13 +1900,24 @@ class OpenClawClient extends EventEmitter {
   _scheduleReconnect(delayOverride) {
     if (this._stopped) return;
 
-    const delay = typeof delayOverride === "number" ? delayOverride : this._backoffMs;
+    // Capture the current base before advancing so jitter is computed from the
+    // same epoch value that would previously have been used as the raw delay.
+    const base = this._backoffMs;
 
     // Advance backoff for next time (unless overridden)
     if (typeof delayOverride !== "number") {
       this._backoffMs = Math.min(this._backoffMs * 2, 30000);
     }
 
+    // Apply equal jitter to the scheduled delay so concurrent reconnect storms
+    // don't all fire at the same instant. The stored _backoffMs base is NOT
+    // mutated — doubling/cap/reset invariants are preserved.
+    // delayOverride bypasses jitter (used for e.g. shutdown-driven reconnects).
+    const delay =
+      typeof delayOverride === "number"
+        ? delayOverride
+        : Math.floor(base / 2 + Math.random() * (base / 2));
+
     this._logger.info(
       `[openclaw] Reconnecting in ${delay}ms (backoff: ${this._backoffMs}ms)`
     );
@@ -1559,6 +1977,12 @@ class OpenClawClient extends EventEmitter {
 
   _flushPendingErrors(err) {
     for (const [, pending] of this._pending) {
+      // Clear the per-request ACK timeout so a flushed entry cannot fire a
+      // late reject after the map is cleared.
+      if (pending.timer) {
+        clearTimeout(pending.timer);
+        pending.timer = null;
+      }
       pending.reject(err);
     }
     this._pending.clear();