ocuclaw 1.3.3 → 1.3.4

package/dist/tools/glasses-ui-voicemail.js

@@ -1,43 +1,14 @@
-// Voicemail delivery for parked glasses events (roadmap 7b, §2.6 W+P+L).
-//
-// A parked, ✓-acked event whose wake could not run (no dispatch lane, or the
-// dispatch failed past its retry — the 6f wake outbox) or whose surface was
-// destructively reaped (the 6a per-session dead-letter) must not wait in
-// silence for the wearer to speak first. This module drains both sources into
-// a refs-only system-context fragment for the session's NEXT genuine turn —
-// the before_prompt_build hook registered by registerGlassesUiTool calls
-// buildInjection(sessionKey) and returns {appendSystemContext} (Channel-2
-// class: hash-exempt, per-turn).
-//
-// Locked rules carried over from the 6f security review (§2.6 amendments):
-// - REFS ONLY: surfaceUuid is pattern-validated against the plugin-mint shape
-//   and REPLACED WHOLESALE when off-pattern; result is enum-allowlisted; ints
-//   are Number.isFinite-coerced. Outcome/label text (selected_text etc.)
-//   NEVER reaches the prompt — tapped content arrives only through a surface
-//   collect, as tool-result data.
-// - Explicit non-wearer provenance header.
-// - Idempotency: an entry injects at most once (keyed on the wake
-//   idempotencyKey / a minted voicemail key), so re-entering entries and
-//   double-firing hooks cannot duplicate a delivery.
-// - TTL: stale voicemail drops LOUDLY (voicemail_expired lifecycle), never
-//   silently; dead-letter staleAfterMs (6b) additionally flags entries the
-//   agent should re-confirm before acting on.
-//
-// Leaf module (CJS emitter constraint): all state injected, no runtime deps.
-
 import { sanitizeWakeToken } from "./glasses-ui-wake.js";
 import { normalizeGlassesSessionKey } from "./glasses-ui-surfaces.js";
 
 export const DEFAULT_VOICEMAIL_TTL_MS = 30 * 60_000;
 export const VOICEMAIL_MAX_ENTRIES_PER_INJECTION = 8;
-// Bound on a session's buffered (not-yet-prompting) entries — a rotated or
-// disconnected session that never speaks again must not grow memory forever
-// (review P3). Newest kept, eviction is loud.
+
 export const VOICEMAIL_PENDING_CAP_PER_SESSION = 32;
 const DELIVERED_KEY_CAP = 256;
 
 const RESULT_ENUM = new Set(["selected", "back"]);
-// Store reap reasons (glasses-ui-surfaces deadLetterEntryEvents call sites).
+
 const REAP_REASON_ENUM = new Set(["drain_session", "drain_all", "exit", "pop_back"]);
 
 function coerceInt(value) {
@@ -48,8 +19,6 @@ function sanitizeResult(value) {
   return RESULT_ENUM.has(value) ? value : "event";
 }
 
-// idempotencyKey reaches the prompt verbatim-ish; constrain to the same safe
-// charset family as the minted forms and replace wholesale when off-pattern.
 const IDEMPOTENCY_KEY_PATTERN = /^[a-z0-9:._-]{1,80}$/i;
 function sanitizeIdempotencyKey(value) {
   const raw = String(value == null ? "" : value);
@@ -69,15 +38,8 @@ export function createGlassesVoicemail(deps = {}) {
   const emitLifecycle =
     typeof deps.emitLifecycle === "function" ? deps.emitLifecycle : () => {};
 
-  // Outbox entries arrive for ALL sessions on each drain; buffer the
-  // non-target sessions' entries here so one session's prompt build never
-  // destroys another session's owed voicemail. Bounded per session and
-  // TTL-checked AT INGESTION (review P3) — buckets for silent sessions
-  // cannot grow without bound, and empty buckets are deleted.
-  const pendingBySession = new Map(); // normalized sessionKey -> [entry]
-  // Injected-once guard (bounded FIFO), keyed on the CANONICAL per-event key
-  // (surfaceUuid:eventId) so the same parked tap arriving via BOTH the wake
-  // outbox and the dead-letter injects exactly once (review P2).
+  const pendingBySession = new Map();
+
   const deliveredKeys = new Set();
 
   function rememberDelivered(key) {
@@ -92,9 +54,6 @@ export function createGlassesVoicemail(deps = {}) {
     return `${entry.surfaceUuid}:${entry.eventId === null ? 0 : entry.eventId}`;
   }
 
-  // Route a batch of normalized entries into their sessions' pending buffers:
-  // TTL-expired entries drop here (loudly), and each bucket trims to the cap
-  // (newest kept, loudly). One emit per session per batch.
   function ingest(entries, nowMs) {
     const bySession = new Map();
     for (const entry of entries) {
@@ -125,7 +84,6 @@ export function createGlassesVoicemail(deps = {}) {
     }
   }
 
-  // Normalize an owed wake (outbox shape) into the voicemail entry form.
   function fromOutbox(record) {
     const surfaceUuid = sanitizeWakeToken(record && record.surfaceUuid);
     const eventId = coerceInt(record && record.eventId);
@@ -144,7 +102,6 @@ export function createGlassesVoicemail(deps = {}) {
     };
   }
 
-  // Normalize a dead-letter record's events (store shape) into entries.
   function fromDeadLetter(sessionKey, record) {
     const surfaceUuid = sanitizeWakeToken(record && record.surfaceUuid);
     const reason =
@@ -192,11 +149,6 @@ export function createGlassesVoicemail(deps = {}) {
     return parts.join(" ");
   }
 
-  // Sweep ALL buffered buckets for TTL expiry on every build (review round 2):
-  // session keys rotate on relay restarts/reconnects, so abandoned sessions
-  // are a recurring shape — without this, their buckets (each capped, but
-  // unbounded in NUMBER) would outlive them forever. After a sweep, total
-  // buffered memory is bounded by sessions active within one TTL window.
   function sweepExpired(nowMs) {
     for (const [key, list] of pendingBySession) {
       const fresh = list.filter((entry) => {
@@ -225,8 +177,6 @@ export function createGlassesVoicemail(deps = {}) {
     const nowMs = now();
     sweepExpired(nowMs);
 
-    // Pull both sources through the bounded ingest. The outbox drain returns
-    // every session's entries — non-target ones land in their own buffers.
     ingest(
       [
         ...drainWakeOutbox().map((record) => fromOutbox(record)),
@@ -237,15 +187,11 @@ export function createGlassesVoicemail(deps = {}) {
 
     const pending = pendingBySession.get(sessionKey);
     if (!pending || pending.length === 0) {
-      pendingBySession.delete(sessionKey); // no empty buckets left behind
+      pendingBySession.delete(sessionKey);
       return null;
     }
     pendingBySession.delete(sessionKey);
 
-    // In-batch collapse by the canonical per-event key (review P2): the same
-    // parked tap can arrive via the wake outbox AND the dead-letter in one
-    // pass — the dead-letter entry wins (the surface is genuinely gone, so a
-    // "may still be live" line for it would be false).
     const byEvent = new Map();
     for (const entry of pending) {
       const key = dedupeKeyOf(entry);
@@ -266,13 +212,11 @@ export function createGlassesVoicemail(deps = {}) {
       deliverable.push(entry);
     }
     if (dropped > 0) {
-      // Loud, never silent: a ✓-acked event aged out while buffered.
+
       emitLifecycle("voicemail_expired", "warn", { sessionKey, dropped, ttlMs });
     }
     if (deliverable.length === 0) return null;
 
-    // Newest entries are the wearer's most recent intent — keep those when
-    // capping, in chronological order.
     const shown = deliverable.slice(-maxEntries);
     const overflow = deliverable.length - shown.length;
     const lines = [
@@ -295,5 +239,4 @@ export function createGlassesVoicemail(deps = {}) {
   return { buildInjection, pendingSessionCount };
 }
 
-// Single line: the CJS emitter strips only `^export default .*;$` (one line).
 export default { createGlassesVoicemail, DEFAULT_VOICEMAIL_TTL_MS, VOICEMAIL_MAX_ENTRIES_PER_INJECTION };

package/dist/tools/glasses-ui-wake.js

@@ -1,59 +1,11 @@
-// Tap-to-wake for parked glasses surfaces (roadmap 6f, §2.6 W).
-//
-// A REAL parked gesture buys ONE agent turn via the plugin's own gateway
-// client (the voice-send lane — request("agent", ...)). This module is a
-// dependency-free LEAF (CJS emitter constraint — see glasses-ui-limits.ts):
-// it builds the wake envelope and owns the arbitration policy; transport is
-// injected (the relay facade's dispatchGlassesWake).
-//
-// Locked contract (§2.6, panel amendments 3-4):
-// - wake payload = STRUCTURED REFERENCES ONLY with explicit non-wearer
-//   provenance framing; never interpolated label text. SECURITY (review
-//   pinned to this ship): every token that reaches the prompt is either
-//   numeric-coerced or charset-filtered ([a-zA-Z0-9._:-], <=64 chars), so a
-//   hostile client cannot smuggle instruction text through the wake lane —
-//   tapped CONTENT only ever reaches the agent through the surface collect
-//   (onReattached delivery), where it arrives as data in a tool result, not
-//   as a user-role message.
-// - origin-typed envelope: ONLY "gesture" enabled at launch. schedule/
-//   threshold/system are reserved categories (event-to-wake is deferred,
-//   not foreclosed) — enabling one later is a policy edit here, not a
-//   schema migration.
-// - voice absorbs wake: an in-flight/imminent genuine turn (voice send,
-//   user send, or an earlier wake's run) suppresses the dispatch; the
-//   parked tap rides that turn's collect instead.
-// - taps during an in-flight wake COALESCE into its delivery — never a
-//   second submission. A per-session cooldown additionally bounds gesture
-//   storms (hostile/buggy client spamming taps) to <=1 turn per window;
-//   suppressed taps stay parked in the 6a event log — bounded, never silent.
-// - failed submission: one retry (same idempotencyKey — the gateway honors
-//   it as the runId, so a double-delivery dedupes), then the durable wake
-//   outbox + a warn lifecycle. Never silent after the ✓-ack (amendment 1);
-//   the parked event itself survives in the surface log / dead-letter
-//   regardless, so the worst case is delayed collect, not loss. The 7b
-//   voicemail leg drains the outbox via enqueueNextTurnInjection.
-
 export const GLASSES_WAKE_ENABLED_ORIGINS = ["gesture"];
 
 export const DEFAULT_WAKE_COOLDOWN_MS = 5_000;
 
-// Outbox bound (review P3 sibling): the no-lane branch pushes per parked tap
-// with no cooldown gate, so a tap storm on a legacy host would otherwise grow
-// this without limit. Newest kept; eviction is loud. The parked events
-// themselves still survive in the surface log / dead-letter — eviction here
-// only forfeits the voicemail NOTICE for the oldest entries.
 export const WAKE_OUTBOX_CAP = 64;
 
-// Busy-signal decay: if no activity update arrives for this long, treat the
-// session as idle again (fail open — a stuck-busy would suppress wakes
-// forever, while a wrongly-idle wake merely queues as the next turn).
 export const DEFAULT_AGENT_TURN_BUSY_DECAY_MS = 180_000;
 
-// SECURITY: charset-FILTERING is not enough — stripping separators from
-// hostile input still concatenates readable instruction words into the
-// prompt ("su-x\" IGNORE ALL..." -> "su-xIGNOREALL..."). Tokens are instead
-// VALIDATED against the exact plugin-minted shape / a closed enum and
-// replaced wholesale when off-pattern, so hostile bytes never pass through.
 const SURFACE_UUID_PATTERN = /^su-[a-z0-9]{4,24}$/i;
 const WAKE_RESULT_ENUM = new Set(["selected", "back"]);
 
@@ -85,24 +37,13 @@ export function buildWakeMessage(ref) {
   ].join(" ");
 }
 
-// Per-session "an agent turn is in flight or imminent" signal. Fed by the
-// relay: markBusy on every dispatched send (voice/user/wake) and onActivity
-// from the gateway activity stream (normalized phase: start/update = busy
-// refresh, end = idle). Lives here (leaf) so it is unit-testable and shared
-// with the relay without a runtime-module cycle.
 export function createAgentTurnTracker(deps = {}) {
   const now = typeof deps.now === "function" ? deps.now : Date.now;
   const busyDecayMs = Number.isFinite(deps.busyDecayMs)
     ? deps.busyDecayMs
     : DEFAULT_AGENT_TURN_BUSY_DECAY_MS;
-  const lastSeenBySession = new Map(); // normalized sessionKey -> lastSeenMs
+  const lastSeenBySession = new Map();
 
-  // One session arrives under TWO key forms: the relay send path marks busy
-  // with the stripped relay key ("ocuclaw:<ts>") while the surface store /
-  // gateway hook contexts use the canonical "agent:<id>:<key>". Normalize so
-  // both name the same busy slot — without this, a tap in the send→run-start
-  // window dispatches a second agent submission during an in-flight genuine
-  // turn (live-proven, 2026-06-12 Wave-1 e2e leg 3a).
   function normalizeKey(sessionKey) {
     return sessionKey.replace(/^agent:[^:]+:/, "");
   }
@@ -147,9 +88,9 @@ export function createGlassesWakeController(deps = {}) {
     ? deps.wakeCooldownMs
     : DEFAULT_WAKE_COOLDOWN_MS;
 
-  const inFlightBySession = new Map(); // sessionKey -> promise
-  const lastWakeAtBySession = new Map(); // sessionKey -> ms
-  const outbox = []; // failed/unavailable wakes owed to the 7b voicemail leg
+  const inFlightBySession = new Map();
+  const lastWakeAtBySession = new Map();
+  const outbox = [];
 
   function pushOutbox(entry) {
     outbox.push(entry);
@@ -166,8 +107,7 @@ export function createGlassesWakeController(deps = {}) {
       eventId: coerceInt(ref.eventId),
       result: sanitizeWakeResult(ref.result),
       itemIndex: coerceInt(ref.itemIndex),
-      // The origin gate below compares against the enum, so a non-enum
-      // origin can never dispatch; keep the raw string for the gate.
+
       origin: typeof ref.origin === "string" ? ref.origin : "gesture",
       queuedAtMs: coerceInt(ref.queuedAtMs),
     };
@@ -181,11 +121,7 @@ export function createGlassesWakeController(deps = {}) {
   function onParkedGesture(ref) {
     const refs = refsOnly(ref || {});
     if (!dispatchWake) {
-      // Wake disabled (legacy host without the relay lane): the parked tap
-      // keeps its collect-on-next-render semantics AND is owed to the 7b
-      // voicemail leg so the next genuine turn hears about it — no longer a
-      // silent early-return. Same gates as a dispatch: enabled origin + a
-      // session to deliver to.
+
       if (GLASSES_WAKE_ENABLED_ORIGINS.includes(refs.origin) && refs.sessionKey) {
         if (refs.queuedAtMs === null) refs.queuedAtMs = now();
         const idempotencyKey = `glasses-wake:${refs.surfaceUuid}:${refs.eventId === null ? 0 : refs.eventId}`;
@@ -205,8 +141,7 @@ export function createGlassesWakeController(deps = {}) {
     const sessionKey = refs.sessionKey;
     if (!sessionKey) return suppress("no_session", refs);
     if (isAgentTurnBusy(sessionKey)) {
-      // Voice absorbs wake (§2.6c): the parked event rides the active turn's
-      // collect render or the next genuine turn — no second submission.
+
       return suppress("absorbed_by_active_turn", refs);
     }
     if (inFlightBySession.has(sessionKey)) {
@@ -225,13 +160,12 @@ export function createGlassesWakeController(deps = {}) {
     lastWakeAtBySession.set(sessionKey, now());
     const attempt = () => Promise.resolve(dispatchWake(payload));
     const flight = attempt()
-      .catch(() => attempt()) // one retry; same idempotencyKey dedupes upstream
+      .catch(() => attempt())
       .then(() => {
         emitLifecycle("wake_dispatched", "debug", { ...refs, idempotencyKey });
       })
       .catch((err) => {
-        // Never silent after the ✓-ack: the owed wake lands in the durable
-        // outbox for the 7b voicemail leg, loudly.
+
         pushOutbox({
           ...refs,
           idempotencyKey,
@@ -258,5 +192,4 @@ export function createGlassesWakeController(deps = {}) {
   return { onParkedGesture, peekWakeOutbox, drainWakeOutbox };
 }
 
-// Single line: the CJS emitter strips only `^export default .*;$` (one line).
 export default { createGlassesWakeController, createAgentTurnTracker, buildWakeMessage, sanitizeWakeToken, GLASSES_WAKE_ENABLED_ORIGINS };

package/dist/tools/session-title-tool.js

@@ -1,5 +1,5 @@
 export const SESSION_TITLE_LIMITS = {
-  titleMax: 55, // 64 SDK list-item cap minus ~9 chars headroom for "<time> - " prefix
+  titleMax: 55,
 };
 
 export const sessionTitleParametersSchema = {
@@ -51,12 +51,7 @@ function isEvenAiDedicatedKey(sessionKey) {
 }
 
 function gateReason(sessionKey, deps) {
-  // Explicit-rename-only: the Neural Session Names toggle governs AUTOMATIC
-  // titling (the distiller), not user-requested renames, so feature_disabled is
-  // gone. session_user_locked is gone too — a user who already named a session
-  // must be able to rename it again (the lock only blocks the distiller).
-  // The structural no_active_session / EvenAI-renamable guards live in the
-  // handler body. Only the no-user-message guard remains here.
+
   if (
     typeof deps.hasRecordedUserMessage === "function" &&
     !deps.hasRecordedUserMessage(sessionKey)

package/dist/tools/session-title-tool.test.js

@@ -26,7 +26,7 @@ test("explicit rename passes origin user_tool", async () => {
 test("a user-locked session can STILL be renamed via the tool", async () => {
   const d = deps({
     setSessionTitle: (k, t, o) => {
-      // service-layer would allow user_tool over a lock; tool must not pre-block
+
       return { ok: true };
     },
   });

package/dist/version.js

@@ -1,2 +1,3 @@
-export const PLUGIN_VERSION = "1.3.3";
-export const REQUIRES_CLIENT_VERSION = "1.3.3";
+export const PLUGIN_VERSION = "1.3.4";
+export const REQUIRES_CLIENT_VERSION = "1.3.4";
+export const BUILD_INPUT_HASH = "sha256:2e70aa3160e383e95d494d26249e07351ccc4d5372ff13e40c532a5c408e21d0";

package/openclaw.plugin.json

@@ -28,6 +28,11 @@
       "help": "Optional. Enables Soniox speech-to-text for voice input.",
       "sensitive": true
     },
+    "cartesiaApiKey": {
+      "label": "Cartesia API key",
+      "help": "Optional. Enables Cartesia Ink-2 speech-to-text for voice input.",
+      "sensitive": true
+    },
     "evenAiEnabled": {
       "label": "Enable Even AI",
       "help": "Routes Even AI agent requests through OcuClaw. Requires evenAiToken when enabled."
@@ -45,7 +50,7 @@
     },
     "sessionTitleModel": {
       "label": "Session-title model",
-      "help": "Optional model override (\"provider/model\") for the background session-title distiller. Leave blank to use your normal model.",
+      "help": "Optional model override (\"provider/model\") for the background session-title distiller. This is a lightweight background task, so a small, fast, inexpensive model is a good choice (e.g. anthropic/claude-haiku-4-5). Leave blank to use your normal model.",
       "advanced": true
     },
     "evenAiRoutingMode": {
@@ -64,13 +69,8 @@
       "advanced": true
     },
     "sessionLimit": {
-      "label": "Concurrent session limit",
-      "help": "Maximum simultaneous client sessions accepted by the relay.",
-      "advanced": true
-    },
-    "debugPayloadMaxBytes": {
-      "label": "Debug payload size limit",
-      "help": "Maximum byte size for debug payloads recorded for debugctl.",
+      "label": "WebUI session list size",
+      "help": "Recent sessions fetched for the WebUI switcher/search list. Glasses clamp to their own item-count cap.",
       "advanced": true
     },
     "debugNoisyPolicies": {
@@ -83,6 +83,26 @@
       "help": "Allow debugctl-style external tools to call debug-set, debug-dump, and remote-control.",
       "advanced": true
     },
+    "allowDebugUpload": {
+      "label": "Allow debug-trace upload",
+      "help": "Allow the relay to assemble user-initiated debug-trace bundles and hand them to the phone for upload. Requires External debug tools. Off by default.",
+      "advanced": true
+    },
+    "debugUploadMaxZipBytes": {
+      "label": "Debug upload max zip size (bytes)",
+      "help": "Maximum compressed (uploaded) bundle size; the binding upload cap. Oldest events are trimmed until the zip fits.",
+      "advanced": true
+    },
+    "debugUploadCapturePreset": {
+      "label": "Debug upload capture preset (override)",
+      "help": "Optional override of the always-armed debug-upload capture category list.",
+      "advanced": true
+    },
+    "debugBundleSaveDir": {
+      "label": "Debug bundle save directory",
+      "help": "Directory for locally-saved debug bundles. Empty = ~/.openclaw/ocuclaw-debug-bundles.",
+      "advanced": true
+    },
     "evenAiRequestTimeoutMs": {
       "label": "Even AI request timeout (ms) (deprecated)",
       "advanced": true
@@ -136,14 +156,13 @@
       "sessionLimit": {
         "type": "integer",
         "minimum": 1,
-        "default": 10,
-        "description": "Maximum concurrent client sessions accepted by the relay."
+        "default": 80,
+        "description": "Number of recent sessions fetched for the WebUI session switcher/search list (glasses clamp to their own item-count cap)."
       },
       "debugPayloadMaxBytes": {
         "type": "integer",
         "minimum": 1,
-        "default": 2048,
-        "description": "Maximum byte size for individual debug payloads recorded for debugctl."
+        "description": "Deprecated and ignored: debug payload truncation was removed (2026-05-13); this key has no effect. Retained in the schema only so existing configs that still set it continue to validate."
       },
       "debugNoisyPolicies": {
         "anyOf": [
@@ -164,10 +183,38 @@
         "default": false,
         "description": "Allow debugctl-style external debug tools to use debug-set, debug-dump, and remote-control."
       },
+      "allowDebugUpload": {
+        "type": "boolean",
+        "default": false,
+        "description": "Allow the relay to assemble user-initiated debug-trace upload bundles and hand them to the phone (requires externalDebugToolsEnabled). Off by default."
+      },
+      "debugUploadMaxZipBytes": {
+        "type": "integer",
+        "minimum": 100000,
+        "maximum": 4300000,
+        "default": 4000000,
+        "description": "Maximum compressed (uploaded) bundle size (bytes); the binding upload cap, kept under the upload backend's limit. Oldest events are trimmed until the zip fits."
+      },
+      "debugUploadCapturePreset": {
+        "type": "array",
+        "items": {
+          "type": "string"
+        },
+        "description": "Optional override of the always-armed debug-upload capture preset (list of category names)."
+      },
+      "debugBundleSaveDir": {
+        "type": "string",
+        "default": "",
+        "description": "Directory for locally-saved debug bundles; empty = ~/.openclaw/ocuclaw-debug-bundles."
+      },
       "sonioxApiKey": {
         "type": "string",
         "description": "Optional Soniox API key. Enables Soniox speech-to-text for voice input."
       },
+      "cartesiaApiKey": {
+        "type": "string",
+        "description": "Optional Cartesia API key. Enables Cartesia Ink-2 speech-to-text for voice input."
+      },
       "evenAiEnabled": {
         "type": "boolean",
         "default": false,
@@ -234,7 +281,7 @@
       },
       "sessionTitleModel": {
         "type": "string",
-        "description": "Optional model override (\"provider/model\") for the background session-title distiller. When absent, the user's normal model is used."
+        "description": "Optional model override (\"provider/model\") for the background session-title distiller. This is a lightweight background task, so a small, fast, inexpensive model is a good choice (e.g. anthropic/claude-haiku-4-5). When absent, the user's normal model is used."
       }
     },
     "if": {

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "ocuclaw",
-  "version": "1.3.3",
-  "requiresClientVersion": "1.3.3",
+  "version": "1.3.4",
+  "requiresClientVersion": "1.3.4",
   "description": "OcuClaw for Even Realities G2 smart glasses.",
   "type": "module",
   "main": "./dist/index.js",
@@ -34,6 +34,7 @@
     }
   },
   "dependencies": {
+    "fflate": "^0.8.3",
     "marked": "^17.0.2",
     "undici": "^6.26.0",
     "ws": "^8.19.0"