chore: promote develop to main (release)#1710
Merged
OneStepAt4time merged 186 commits intomainfrom Apr 12, 2026
Merged
Conversation
- Add P1 auto-escalation for critical keywords (auth bypass, RCE, data loss, etc.) - Add dedicated CI gate for auto-label changes (runs when .github/actions/auto-label/** changes) - Reduce false positives: require explicit 'tmux' or 'terminal' for tmux area label - Improve observability: log applied rules and matched keywords - Add 11 new unit tests for P1 escalation and false-positive reduction Refs: #1174 Co-authored-by: Hephaestus <hephaestus@aegis.dev>
) Bumps [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk) from 1.28.0 to 1.29.0. - [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases) - [Commits](modelcontextprotocol/typescript-sdk@v1.28.0...v1.29.0) --- updated-dependencies: - dependency-name: "@modelcontextprotocol/sdk" dependency-version: 1.29.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.19.37 to 25.5.2. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: "@types/node" dependency-version: 25.5.2 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4 to 8. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@v4...v8) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: '8' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/deploy-pages](https://github.com/actions/deploy-pages) from 4 to 5. - [Release notes](https://github.com/actions/deploy-pages/releases) - [Commits](actions/deploy-pages@v4...v5) --- updated-dependencies: - dependency-name: actions/deploy-pages dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
β¦nstead of silently swallowing (#1244) Generated by Hephaestus (Aegis dev agent) Co-authored-by: Hephaestus <hephaestus@aegis.dev>
Bumps [actions/configure-pages](https://github.com/actions/configure-pages) from 5 to 6. - [Release notes](https://github.com/actions/configure-pages/releases) - [Commits](actions/configure-pages@v5...v6) --- updated-dependencies: - dependency-name: actions/configure-pages dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- All 25 MCP tools documented with parameters, descriptions, and examples - 3 MCP prompts documented (implement_issue, review_pr, debug_session) - 6 categories: Session Management, Communication, Observability, Permissions, Orchestration, State - Tool summary table for quick reference - README updated with link to MCP Tools doc Co-authored-by: Hephaestus <hephaestus@aegis.dev>
Add integration tests for: - Session lifecycle: create -> poll -> kill - Auth + rate limiting: token validation, throttle enforcement - SSE events: session isolation, event emission - Permission flow: mode changes, pending permission 25 new tests in src/__tests__/integration/ Refs: #1205 Co-authored-by: Hephaestus <hephaestus@aegis.dev>
* fix: resolve 11 macOS test failures and add macos-latest to CI (#1228) * fix: resolve 11 macOS test failures and add macos-latest to CI (#1228) - Fix tmux window ID parsing for macOS pty format - Update jsonl-watcher tests for macOS compatibility - Add macOS to CI matrix [no design doc] --------- Co-authored-by: Argus <argus@openclaw.ai>
β¦1246) - Remove describe.skipIf(process.platform === 'win32') from tmux-polling-395.test.ts - Remove describe.skipIf from worktree-lookup-884.test.ts - Fix /tmp paths to use tmpdir() for cross-platform compatibility - Add mock-tmux.ts helper for future TmuxManager mocking Windows CI can now run these tests without tmux/psmux binary. Refs: #1194 Co-authored-by: Hephaestus <hephaestus@aegis.dev>
The auto-label-test CI job runs vitest from the action directory but vitest was not listed as a dependency. This caused develop CI to fail with ERR_MODULE_NOT_FOUND.
Prevents vitest from loading root vitest.config.ts which imports vitest/config not available in the action directory.
β¦vel code splitting (#1249) Generated by Hephaestus (Aegis dev agent) Co-authored-by: Hephaestus <hephaestus@aegis.dev>
Add TTL cache (30s) for cleanupStaleSessionHooks to avoid running on every createSession during batch session creation. Before: N sessions created = N file reads + N parses + N writes After: N sessions created = 1 file read + 1 parse + at most 1 write per 30s window Refs: #1134 Co-authored-by: Hephaestus <hephaestus@aegis.dev>
β¦nt cleanup The 'GET /v1/sessions lists all sessions' test expected exactly 2 sessions but could see fewer if the stale session cleanup timer fires between POST and GET. Use >= instead of exact count. Fixes #1251.
β¦ test POST /v1/sessions returns 200 (not 201). Use >= 2 for list count to tolerate concurrent stale session cleanup in CI (#1251).
The SessionMonitor cleans up sessions without real tmux windows between POST and GET in CI. Assert >= 1 instead of >= 2, and verify session has an id property. Root cause is monitor, not cleanupStaleSessionHooks. Fixes #1251.
The bug: cleanupStaleSessionHooks runs BEFORE the new session is added to this.state.sessions (line 692). So cleanup doesn't see the new session and may remove its hooks from settings.local.json. Fix: add the new session's ID to activeIds before cleanup runs, so the new session's hooks are preserved. This is the root cause fix β not just a test workaround. Refs: #1134 Co-authored-by: Hephaestus <hephaestus@aegis.dev>
windowExistsCache (src/tmux.ts:80) was dead code β declared but never referenced anywhere in the codebase. The actual cache in use is windowCache (line 94), which is properly: - TTL-based (WINDOW_CACHE_TTL_MS = 2s) - Deleted on killWindow (line 963 β now ~962 after removal) Refs: #1126 Co-authored-by: Hephaestus <hephaestus@aegis.dev>
Previously, signal-cleanup-helper.ts called sessions.killSession but did NOT call cleanupTerminatedSessionState. When SIGTERM/SIGINT fired, all monitor/metrics/toolRegistry per-session Maps accumulated stale entries. Fix: pass SessionCleanupDeps to killAllSessions and killAllSessionsWithTimeout, call cleanupTerminatedSessionState for each killed session. Refs: #1115 Co-authored-by: Hephaestus <hephaestus@aegis.dev>
#1257) Previously, when tickPoll detected a dead session (no session entry or capturePane failure), it evicted all subscribers and returned β but the interval timer kept firing and the poll entry remained in sessionPolls. Fix: explicitly clear the interval timer and null the reference in BOTH error cases: - !session (session entry gone) - capturePane failure (tmux window dead) This prevents orphaned poll timers and ensures immediate cleanup. Refs: #1122 Co-authored-by: Hephaestus <hephaestus@aegis.dev>
β¦1128) (#1259) Removed continue-on-error: true from ClawHub login step. Added if: secrets.CLAWHUB_TOKEN != '' to both login and publish steps. This makes auth failures explicit (clear error) instead of silently continuing and failing later with an opaque error on publish. Refs: #1128 Co-authored-by: Hephaestus <hephaestus@aegis.dev>
β¦#1260) * fix(ci): harden GitHub Actions permissions to least privilege (#1172) Move from broad workflow-level permissions to per-job least-privilege: release.yml: - Removed top-level permissions (contents: write, id-token: write) - test: contents: read only - publish-npm: contents: write + id-token: write (required for npm publish + OIDC) - publish-clawhub: contents: write only (required for ClawHub publish) auto-label.yml: - Added contents: read (needed for actions/checkout) Other workflows (ci.yml, pages.yml, discord-notify.yml, ci-failure-alert.yml, release-please.yml) already have minimal permissions. Refs: #1172 * Update base --------- Co-authored-by: Hephaestus <hephaestus@aegis.dev> Co-authored-by: Argus <argus@openclaw.ai>
β¦blish (#1258) Co-authored-by: Hephaestus <hephaestus@aegis.dev>
Previously redactPayload replaced session.id and name (which are NOT secrets) with '[REDACTED]', making webhooks useless for automation. Now: - session.id: kept (not a secret β UUID visible in CI logs anyway) - session.name: kept (not a secret β window name) - session.workDir: redacted (contains filesystem paths) Also removed the fake API URLs from the redaction β they added no value and were misleading. Updated tests to match new behavior. Refs: #1123 Co-authored-by: Hephaestus <hephaestus@aegis.dev>
β¦1262) Combine 3 sequential tmux calls (2x set-option + select-pane) into a single shell script executed with 'sh /tmp/script.sh'. This reduces per-window creation overhead from 6 to 4 process spawns. Implementation: - New protected tmuxShellBatch() method writes commands to a temp script and runs: sh /tmp/script.sh (avoids shell escaping issues) - createWindow calls tmuxShellBatch() with the 3 window setup commands - Protected for testability (spyOnable in tests) Test: Updated tmux-race-403.test.ts to mock tmuxShellBatch. Refs: #1116 Co-authored-by: Hephaestus <hephaestus@aegis.dev>
β¦) (#1673) * test: enforce hook coverage and add focused hook path tests * fix: correct hook coverage import extension
# Conflicts: # CHANGELOG.md # package-lock.json # package.json # src/__tests__/audit.test.ts # src/__tests__/auth-rate-limiter.test.ts # src/__tests__/pipeline.test.ts # src/__tests__/server-core-coverage.test.ts # src/audit.ts # src/mcp-server.ts # src/permission-routes.ts # src/pipeline.ts # src/server.ts # src/services/auth/RateLimiter.ts
β¦1680) * docs: update alerting docs (AlertManager) and add key rotation API * fix: correct AlertManager and key rotation API documentation - Fix API key rotation parameter from expiresAt (ISO timestamp) to ttlDays (integer) - Remove false request body parameters from /v1/alerts/test endpoint - Add authorization requirements for both alert endpoints - Add missing api_error_rate alert type to monitoring list - Add environment variable and config.yaml configuration examples - Format cURL examples with proper line breaks and comments --------- Co-authored-by: Argus <argus@openclaw.ai>
β¦l auth gates (#1681) Fixes three P0 security issues: - O0-1 #1636: Add requireRole guard to GET /v1/sessions/health - O0-2 #1638: Verify all 5 session action endpoints have requireRole - O0-3 #1639: Verify all 4 system endpoints have requireRole Changes: - Add requireRole('admin', 'operator', 'viewer') to /v1/sessions/health - Verified send, escape, interrupt, command, bash handlers have auth - Verified metrics, diagnostics, swarm, alerts/stats endpoints have auth
β¦ion role gates (O0-4..O0-8)
β¦e cleanup (#1685) * fix: TD-3 TD-4 TD-6 TD-11 console logger dep cleanup pipeline * fix: separate no-console block to preserve no-unused-vars warn in tests
- Create src/platform/shell.ts with shellEscape, quoteShellArg, buildClaudeLaunchCommand, runShellScript, isPidAlive - runShellScript uses powershell on Windows instead of sh (fixes #1692) - isPidAlive uses /proc/<pid>/stat zombie check on POSIX - Refactor tmux.ts to import from platform/shell.ts - Add 13 unit tests for platform-shell module Closes #1694 Fixes #1692
- Remove 'dashboard/dist' from package.json files array to prevent wrong-path duplicate in npm tarball - Add post-copy validation in copy-dashboard.mjs (checks index.html) - Add CI-aware error handling: hard fail if dashboard missing in CI - Improve server.ts dashboard check to validate index.html presence Closes #1699 Fixes #1691
* refactor: extract route modules from server.ts monolith (ARC-2) Extract 11 route module files from the 2,720-line server.ts monolith: - routes/context.ts: RouteContext interface, guards, helpers - routes/health.ts: health, prometheus, alerts, handshake, swarm - routes/auth.ts: auth verify, API keys CRUD, SSE token - routes/audit.ts: audit log, global metrics, diagnostics - routes/sessions.ts: session CRUD, listing, batch delete - routes/session-actions.ts: send, read, answer, interrupt, kill, etc. - routes/session-data.ts: transcript, summary, screenshot, tools, SSE - routes/events.ts: global SSE stream - routes/templates.ts: template CRUD - routes/pipelines.ts: batch create, pipeline CRUD - routes/index.ts: barrel export server.ts reduced from 2,720 to 1,130 lines (58% reduction). Guards and helpers parameterized instead of closing over module vars. Closes #1695 * Potential fix for pull request finding 'CodeQL / Missing rate limiting' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for pull request finding 'CodeQL / Missing rate limiting' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for pull request finding 'CodeQL / Missing rate limiting' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for pull request finding 'CodeQL / Prototype-polluting assignment' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for pull request finding 'CodeQL / Missing rate limiting' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * fix: remove redundant manual rate limiter and restore session create limit - health.ts: remove isRateLimited() manual Map-based tracker (memory leak, redundant with @fastify/rate-limit config.rateLimit per-route override) - sessions.ts: restore session create rate limit from 20 to 120 req/min to match server.ts RATE_LIMITS.sessionCreate value * fix: add rate limiting to template CRUD routes (CodeQL) All template routes now use config.rateLimit (60 req/min) via @fastify/rate-limit per-route override, replacing the conditional preHandler approach that CodeQL flagged as missing rate limiting. --------- Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* refactor: decompose SessionManager into focused services (ARC-3) Extract two focused service classes from the 1,747-line SessionManager: - SessionTranscripts: JSONL reading, caching, pagination, summaries (313 lines) Owns parsedEntriesCache, getCachedEntries, readMessages, readMessagesForMonitor, readTranscript, readTranscriptCursor, getSummary - SessionDiscovery: discovery polling, session map sync, filesystem scan (321 lines) Owns pollTimers, discoveryTimeouts, startDiscoveryPolling, stopDiscoveryPolling, syncSessionMap, maybeDiscoverFromFilesystem, cleanSessionMapForWindow, purgeStaleSessionMapEntries SessionManager retains lifecycle (create/kill), persistence (load/save/encrypt), terminal interaction (send/escape/interrupt), and health monitoring. Delegates to extracted services via composition with dependency injection. session.ts reduced from 1,747 to 1,321 lines (24% reduction). Public API unchanged β all consumers see the same SessionManager interface. Closes #1696 * fix: resolve CodeQL prototype pollution and CI test failures - session.ts: use Object.create(null) for sessions dictionary to eliminate prototype chain (fixes CodeQL js/prototype-polluting-assignment in session-transcripts.ts lines 48-49) - tmux-polling-395.test.ts: access discovery methods/properties through sm.discovery instead of sm directly after ARC-3 extraction (fixes CI test failures on ubuntu)
- Add registerWithLegacy() to register both /v1/ and legacy paths in one call - Add withOwnership() wrapper to eliminate inline requireOwnership checks - Add withValidation() wrapper for Zod body parsing (available for future use) - Apply to 20 dual-registration sites across session-actions, session-data, sessions, and health route modules - Convert 15 inline ownership checks to withOwnership wrapper - Remove dead rate limit code from server.ts (RATE_LIMITS, createRateLimitPreHandler, 8 unused preHandler variables) - Net reduction: 49 lines of boilerplate Closes #1698
) Decompose the 1228-line mcp-server.ts into 9 focused modules: - mcp/client.ts (296 lines) β AegisClient REST client + response types - mcp/auth.ts (100 lines) β RBAC withAuth wrapper + role maps - mcp/resources.ts (113 lines) β 4 MCP resource handlers - mcp/tools/session-tools.ts (296 lines) β 12 session lifecycle tools - mcp/tools/monitoring-tools.ts (142 lines) β 6 observability tools - mcp/tools/pipeline-tools.ts (86 lines) β 3 batch/pipeline tools - mcp/tools/management-tools.ts (81 lines) β 3 state management tools - mcp/prompts.ts (141 lines) β 3 MCP prompt templates - mcp/server.ts (50 lines) β createMcpServer orchestrator + stdio entry mcp-server.ts becomes a 10-line re-export facade for backward compatibility. All existing consumers (cli.ts, mcp-server.test.ts) continue to work unchanged. Closes #1700
- Define shared service interfaces (ISessionService, IServerService, IPipelineService, IMemoryService, IAuthService) in services/interfaces.ts - Compose IAegisBackend as a union of all domain interfaces - AegisClient implements IAegisBackend (remote HTTP adapter) - Create EmbeddedBackend implementing IAegisBackend (in-process adapter) - Update all MCP modules to accept IAegisBackend instead of AegisClient - Add createMcpServerFromBackend factory for backend injection - Fix createPipeline to map steps->stages matching API schema - Keep AegisClient as default for CLI remote mode (startMcpServer) Closes #1697
β¦1583) (#1709) Remove all documentation references to deleted features (PR #1583). REMOVED FEATURES: - Consensus Review endpoints (/v1/sessions/:id/consensus, /v1/consensus/:id) - Model Router config and tiered routing FILES CHANGED: - README.md: Remove consensus/model router from features list - docs/advanced.md: Remove Consensus Review section - docs/api-reference.md: Remove consensus endpoints; remove consensus.completed SSE event - docs/architecture.md: Remove consensus.ts and model-router.ts from module overview - docs/getting-started.md: Update advanced features reference - docs/enterprise.md: Remove modelRouter from config example - docs/enterprise/01-architecture.md: Remove consensus/model-router; mark findings RESOLVED - docs/enterprise/03-testing-observability.md: Remove model-router.ts from thin-tests list - docs/enterprise/05-enterprise-roadmap.md: Remove E4-1 (consensus); update M-E4 scope - docs/enterprise/index.md: Remove consensus reliability finding RESOLVED IN v0.3.3: - P-3 (PipelineManager persistence): PR #1585 - P-1 (Pipeline stage timeout): PR #1606 - CON-1 (Consensus): PR #1583 (feature removed) NOTE: openapi.yaml still contains /consensus endpoints β separate update needed. Co-authored-by: Argus <argus@openclaw.ai>
* fix: audit trail invalid-date and abort-on-navigation errors
- Rename AuditRecord.timestamp -> ts to match backend field name
(backend emits 'ts', not 'timestamp', causing 'Invalid Date' in table)
- Guard AbortError in AuditPage catch block so navigating away
no longer shows the 'Failed to load audit logs' error state
- Update AuditPage.test.tsx mock records to use 'ts' field
* fix: stabilize hook payload handling for Claude lifecycle events
- Accept empty hook bodies by normalizing undefined/null to {}
- Strip unknown top-level hook fields instead of rejecting them
- Add regression tests for empty Stop payload and unknown fields
- Update hook coverage expectations to the new strip behavior
* fix: stabilize audit row keys when id is absent
Use a deterministic fallback key from timestamp, actor, and index so
Audit Trail rows render without duplicate-key warnings when backend
records do not include an id field.
* fix: harden dashboard SSE + audit row rendering
- Add fallback key for audit rows when record.id is absent
- Normalize global SSE events with missing sessionId/data to avoid
noisy validation warnings and keep activity stream resilient
* fix: prevent session detail hook-order crash
Move the keyboard-shortcuts useEffect above conditional early returns
so SessionDetailPage always calls hooks in a stable order across
loading/notFound/loaded renders.
![aegis-gh-agent[bot]](https://avatars.githubusercontent.com/u/106186915?s=60&v=4){kind=small}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
/\ --exclude .tmp/\ β
pm --prefix dashboard run typecheck β
pm --prefix dashboard run build β
pm --prefix dashboard run test β
Aegis version
Developed with: v0.3.2-alpha