polymech/zeroclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'main' into wt-electric-blue-live

Browse Source
This commit is contained in:
Argenis 2026-03-05 01:27:09 -05:00 committed by GitHub
commit 35c21c4fdf
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
80 changed files with 9843 additions and 702 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.cargo/config.toml
View File

@ -24,3 +24,10 @@ linker = "clang"
[target.aarch64-linux-android]
linker = "clang"
# Windows targets — increase stack size for large JsonSchema derives
[target.x86_64-pc-windows-msvc]
rustflags = ["-C", "link-args=/STACK:8388608"]
[target.aarch64-pc-windows-msvc]
rustflags = ["-C", "link-args=/STACK:8388608"]

2
.github/workflows/ci-post-release-validation.yml vendored
View File

@ -11,7 +11,7 @@ permissions:
jobs:
validate:
name: Validate Published Release
runs-on: ubuntu-22.04
runs-on: [self-hosted, Linux, X64, aws-india, blacksmith-2vcpu-ubuntu-2404, hetzner]
timeout-minutes: 15
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

35
.github/workflows/ci-supply-chain-provenance.yml vendored
View File

@ -43,6 +43,31 @@ jobs:
with:
toolchain: 1.92.0
- name: Ensure cargo component
shell: bash
env:
ENSURE_CARGO_COMPONENT_STRICT: "true"
run: bash ./scripts/ci/ensure_cargo_component.sh 1.92.0
- name: Activate toolchain binaries on PATH
shell: bash
run: |
set -euo pipefail
toolchain_bin="$(dirname "$(rustup which --toolchain 1.92.0 cargo)")"
echo "$toolchain_bin" >> "$GITHUB_PATH"
- name: Resolve host target
id: rust-meta
shell: bash
run: |
set -euo pipefail
host_target="$(rustup run 1.92.0 rustc -vV | sed -n 's/^host: //p')"
if [ -z "${host_target}" ]; then
echo "::error::Unable to resolve Rust host target."
exit 1
fi
echo "host_target=${host_target}" >> "$GITHUB_OUTPUT"
- name: Runner preflight (compiler + disk)
shell: bash
run: |
@ -62,7 +87,7 @@ jobs:
run: |
set -euo pipefail
mkdir -p artifacts
host_target="$(rustc -vV | sed -n 's/^host: //p')"
host_target="${{ steps.rust-meta.outputs.host_target }}"
cargo build --profile release-fast --locked --target "$host_target"
cp "target/${host_target}/release-fast/zeroclaw" "artifacts/zeroclaw-${host_target}"
sha256sum "artifacts/zeroclaw-${host_target}" > "artifacts/zeroclaw-${host_target}.sha256"
@ -71,7 +96,7 @@ jobs:
shell: bash
run: |
set -euo pipefail
host_target="$(rustc -vV | sed -n 's/^host: //p')"
host_target="${{ steps.rust-meta.outputs.host_target }}"
python3 scripts/ci/generate_provenance.py \
--artifact "artifacts/zeroclaw-${host_target}" \
--subject-name "zeroclaw-${host_target}" \
@ -84,7 +109,7 @@ jobs:
shell: bash
run: |
set -euo pipefail
host_target="$(rustc -vV | sed -n 's/^host: //p')"
host_target="${{ steps.rust-meta.outputs.host_target }}"
statement="artifacts/provenance-${host_target}.intoto.json"
cosign sign-blob --yes \
--bundle="${statement}.sigstore.json" \
@ -96,7 +121,7 @@ jobs:
shell: bash
run: |
set -euo pipefail
host_target="$(rustc -vV | sed -n 's/^host: //p')"
host_target="${{ steps.rust-meta.outputs.host_target }}"
python3 scripts/ci/emit_audit_event.py \
--event-type supply_chain_provenance \
--input-json "artifacts/provenance-${host_target}.intoto.json" \
@ -115,7 +140,7 @@ jobs:
shell: bash
run: |
set -euo pipefail
host_target="$(rustc -vV | sed -n 's/^host: //p')"
host_target="${{ steps.rust-meta.outputs.host_target }}"
{
echo "### Supply Chain Provenance"
echo "- Target: \`${host_target}\`"

104
.github/workflows/pub-docker-img.yml vendored
View File

@ -17,6 +17,11 @@ on:
- "scripts/ci/ghcr_publish_contract_guard.py"
- "scripts/ci/ghcr_vulnerability_gate.py"
workflow_dispatch:
inputs:
release_tag:
description: "Existing release tag to publish (e.g. v0.2.0). Leave empty for smoke-only run."
required: false
type: string
concurrency:
group: docker-${{ github.event.pull_request.number || github.ref }}
@ -26,14 +31,13 @@ env:
GIT_CONFIG_COUNT: "1"
GIT_CONFIG_KEY_0: core.hooksPath
GIT_CONFIG_VALUE_0: /dev/null
DOCKER_API_VERSION: "1.41"
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
pr-smoke:
name: PR Docker Smoke
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository)
if: (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) || (github.event_name == 'workflow_dispatch' && inputs.release_tag == '')
runs-on: [self-hosted, Linux, X64, aws-india, blacksmith-2vcpu-ubuntu-2404, hetzner]
timeout-minutes: 25
permissions:
@ -42,6 +46,20 @@ jobs:
- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Resolve Docker API version
shell: bash
run: |
set -euo pipefail
server_api="$(docker version --format '{{.Server.APIVersion}}')"
min_api="$(docker version --format '{{.Server.MinAPIVersion}}' 2>/dev/null || true)"
if [[ -z "${server_api}" || "${server_api}" == "<no value>" ]]; then
echo "::error::Unable to detect Docker server API version."
docker version || true
exit 1
fi
echo "DOCKER_API_VERSION=${server_api}" >> "$GITHUB_ENV"
echo "Using Docker API version ${server_api} (server min: ${min_api:-unknown})"
- name: Setup Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
@ -73,9 +91,9 @@ jobs:
publish:
name: Build and Push Docker Image
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && github.repository == 'zeroclaw-labs/zeroclaw'
if: github.repository == 'zeroclaw-labs/zeroclaw' && ((github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')) || (github.event_name == 'workflow_dispatch' && inputs.release_tag != ''))
runs-on: [self-hosted, Linux, X64, aws-india, blacksmith-2vcpu-ubuntu-2404, hetzner]
timeout-minutes: 45
timeout-minutes: 90
permissions:
contents: read
packages: write
@ -83,6 +101,22 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
ref: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.release_tag) || github.ref }}
- name: Resolve Docker API version
shell: bash
run: |
set -euo pipefail
server_api="$(docker version --format '{{.Server.APIVersion}}')"
min_api="$(docker version --format '{{.Server.MinAPIVersion}}' 2>/dev/null || true)"
if [[ -z "${server_api}" || "${server_api}" == "<no value>" ]]; then
echo "::error::Unable to detect Docker server API version."
docker version || true
exit 1
fi
echo "DOCKER_API_VERSION=${server_api}" >> "$GITHUB_ENV"
echo "Using Docker API version ${server_api} (server min: ${min_api:-unknown})"
- name: Setup Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
@ -100,22 +134,42 @@ jobs:
run: |
set -euo pipefail
IMAGE="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}"
SHA_SUFFIX="sha-${GITHUB_SHA::12}"
if [[ "${GITHUB_EVENT_NAME}" == "push" ]]; then
if [[ "${GITHUB_REF}" != refs/tags/v* ]]; then
echo "::error::Docker publish is restricted to v* tag pushes."
exit 1
fi
RELEASE_TAG="${GITHUB_REF#refs/tags/}"
elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
RELEASE_TAG="${{ inputs.release_tag }}"
if [[ -z "${RELEASE_TAG}" ]]; then
echo "::error::workflow_dispatch publish requires inputs.release_tag"
exit 1
fi
if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+([.-][0-9A-Za-z.-]+)?$ ]]; then
echo "::error::release_tag must be vX.Y.Z or vX.Y.Z-suffix (received: ${RELEASE_TAG})"
exit 1
fi
if ! git rev-parse --verify "refs/tags/${RELEASE_TAG}" >/dev/null 2>&1; then
echo "::error::release tag not found in checkout: ${RELEASE_TAG}"
exit 1
fi
else
echo "::error::Unsupported event for publish: ${GITHUB_EVENT_NAME}"
exit 1
fi
RELEASE_SHA="$(git rev-parse HEAD)"
SHA_SUFFIX="sha-${RELEASE_SHA::12}"
SHA_TAG="${IMAGE}:${SHA_SUFFIX}"
LATEST_SUFFIX="latest"
LATEST_TAG="${IMAGE}:${LATEST_SUFFIX}"
if [[ "${GITHUB_REF}" != refs/tags/v* ]]; then
echo "::error::Docker publish is restricted to v* tag pushes."
exit 1
fi
RELEASE_TAG="${GITHUB_REF#refs/tags/}"
VERSION_TAG="${IMAGE}:${RELEASE_TAG}"
TAGS="${VERSION_TAG},${SHA_TAG},${LATEST_TAG}"
{
echo "tags=${TAGS}"
echo "release_tag=${RELEASE_TAG}"
echo "release_sha=${RELEASE_SHA}"
echo "sha_tag=${SHA_SUFFIX}"
echo "latest_tag=${LATEST_SUFFIX}"
} >> "$GITHUB_OUTPUT"
@ -125,6 +179,8 @@ jobs:
with:
context: .
push: true
build-args: |
ZEROCLAW_CARGO_ALL_FEATURES=true
tags: ${{ steps.meta.outputs.tags }}
platforms: linux/amd64,linux/arm64
cache-from: type=gha
@ -174,7 +230,7 @@ jobs:
python3 scripts/ci/ghcr_publish_contract_guard.py \
--repository "${GITHUB_REPOSITORY,,}" \
--release-tag "${{ steps.meta.outputs.release_tag }}" \
--sha "${GITHUB_SHA}" \
--sha "${{ steps.meta.outputs.release_sha }}" \
--policy-file .github/release/ghcr-tag-policy.json \
--output-json artifacts/ghcr-publish-contract.json \
--output-md artifacts/ghcr-publish-contract.md \
@ -329,11 +385,25 @@ jobs:
if-no-files-found: ignore
retention-days: 21
- name: Upload Trivy SARIF
- name: Detect Trivy SARIF report
id: trivy-sarif
if: always()
shell: bash
run: |
set -euo pipefail
sarif_path="artifacts/trivy-${{ steps.meta.outputs.release_tag }}.sarif"
if [ -f "${sarif_path}" ]; then
echo "exists=true" >> "$GITHUB_OUTPUT"
else
echo "exists=false" >> "$GITHUB_OUTPUT"
echo "::notice::Trivy SARIF report not found at ${sarif_path}; skipping SARIF upload."
fi
- name: Upload Trivy SARIF
if: always() && steps.trivy-sarif.outputs.exists == 'true'
uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
with:
sarif_file: artifacts/trivy-${{ github.ref_name }}.sarif
sarif_file: artifacts/trivy-${{ steps.meta.outputs.release_tag }}.sarif
category: ghcr-trivy
- name: Upload Trivy report artifacts
@ -342,9 +412,9 @@ jobs:
with:
name: ghcr-trivy-report
path: |
artifacts/trivy-${{ github.ref_name }}.sarif
artifacts/trivy-${{ github.ref_name }}.txt
artifacts/trivy-${{ github.ref_name }}.json
artifacts/trivy-${{ steps.meta.outputs.release_tag }}.sarif
artifacts/trivy-${{ steps.meta.outputs.release_tag }}.txt
artifacts/trivy-${{ steps.meta.outputs.release_tag }}.json
artifacts/trivy-sha-*.txt
artifacts/trivy-sha-*.json
artifacts/trivy-latest.txt

95
.github/workflows/pub-release.yml vendored
View File

@ -47,6 +47,7 @@ env:
jobs:
prepare:
name: Prepare Release Context
if: github.event_name != 'push' || !contains(github.ref_name, '-')
runs-on: [self-hosted, Linux, X64, aws-india, blacksmith-2vcpu-ubuntu-2404, hetzner]
outputs:
release_ref: ${{ steps.vars.outputs.release_ref }}
@ -106,7 +107,35 @@ jobs:
} >> "$GITHUB_STEP_SUMMARY"
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Install gh CLI
shell: bash
run: |
set -euo pipefail
if command -v gh &>/dev/null; then
echo "gh already available: $(gh --version | head -1)"
exit 0
fi
echo "Installing gh CLI..."
curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
| sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
| sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
for i in {1..60}; do
if sudo fuser /var/lib/apt/lists/lock >/dev/null 2>&1 \
|| sudo fuser /var/lib/dpkg/lock-frontend >/dev/null 2>&1 \
|| sudo fuser /var/lib/dpkg/lock >/dev/null 2>&1; then
echo "apt/dpkg locked; waiting ($i/60)..."
sleep 5
else
break
fi
done
sudo apt-get -o DPkg::Lock::Timeout=600 -o Acquire::Retries=3 update -qq
sudo apt-get -o DPkg::Lock::Timeout=600 -o Acquire::Retries=3 install -y gh
env:
GH_TOKEN: ${{ github.token }}
- name: Validate release trigger and authorization guard
shell: bash
@ -127,6 +156,8 @@ jobs:
--output-json artifacts/release-trigger-guard.json \
--output-md artifacts/release-trigger-guard.md \
--fail-on-violation
env:
GH_TOKEN: ${{ github.token }}
- name: Emit release trigger audit event
if: always()
@ -164,6 +195,10 @@ jobs:
needs: [prepare]
runs-on: ${{ matrix.os }}
timeout-minutes: 40
env:
CARGO_HOME: ${{ github.workspace }}/.ci-rust/${{ github.run_id }}-${{ github.run_attempt }}-${{ github.job }}-${{ matrix.target }}/cargo
RUSTUP_HOME: ${{ github.workspace }}/.ci-rust/${{ github.run_id }}-${{ github.run_attempt }}-${{ github.job }}-${{ matrix.target }}/rustup
CARGO_TARGET_DIR: ${{ github.workspace }}/target
strategy:
fail-fast: false
matrix:
@ -233,21 +268,21 @@ jobs:
linker_env: ""
linker: ""
use_cross: true
- os: [self-hosted, Linux, X64, aws-india, blacksmith-2vcpu-ubuntu-2404, hetzner]
- os: macos-15-intel
target: x86_64-apple-darwin
artifact: zeroclaw
archive_ext: tar.gz
cross_compiler: ""
linker_env: ""
linker: ""
- os: [self-hosted, Linux, X64, aws-india, blacksmith-2vcpu-ubuntu-2404, hetzner]
- os: macos-14
target: aarch64-apple-darwin
artifact: zeroclaw
archive_ext: tar.gz
cross_compiler: ""
linker_env: ""
linker: ""
- os: [self-hosted, Linux, X64, aws-india, blacksmith-2vcpu-ubuntu-2404, hetzner]
- os: windows-latest
target: x86_64-pc-windows-msvc
artifact: zeroclaw.exe
archive_ext: zip
@ -260,6 +295,10 @@ jobs:
with:
ref: ${{ needs.prepare.outputs.release_ref }}
- name: Self-heal Rust toolchain cache
shell: bash
run: ./scripts/ci/self_heal_rust_toolchain.sh 1.92.0
- uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
with:
toolchain: 1.92.0
@ -270,14 +309,38 @@ jobs:
- name: Install cross for cross-built targets
if: matrix.use_cross
shell: bash
run: |
cargo install cross --git https://github.com/cross-rs/cross
set -euo pipefail
echo "${CARGO_HOME:-$HOME/.cargo}/bin" >> "$GITHUB_PATH"
cargo install cross --locked --version 0.2.5
command -v cross
cross --version
- name: Install cross-compilation toolchain (Linux)
if: runner.os == 'Linux' && matrix.cross_compiler != ''
run: |
sudo apt-get update -qq
sudo apt-get install -y "${{ matrix.cross_compiler }}"
set -euo pipefail
for i in {1..60}; do
if sudo fuser /var/lib/apt/lists/lock >/dev/null 2>&1 \
|| sudo fuser /var/lib/dpkg/lock-frontend >/dev/null 2>&1 \
|| sudo fuser /var/lib/dpkg/lock >/dev/null 2>&1; then
echo "apt/dpkg locked; waiting ($i/60)..."
sleep 5
else
break
fi
done
sudo apt-get -o DPkg::Lock::Timeout=600 -o Acquire::Retries=3 update -qq
sudo apt-get -o DPkg::Lock::Timeout=600 -o Acquire::Retries=3 install -y "${{ matrix.cross_compiler }}"
# Install matching libc dev headers for cross targets
# (required by ring/aws-lc-sys C compilation)
case "${{ matrix.target }}" in
armv7-unknown-linux-gnueabihf)
sudo apt-get -o DPkg::Lock::Timeout=600 -o Acquire::Retries=3 install -y libc6-dev-armhf-cross ;;
aarch64-unknown-linux-gnu)
sudo apt-get -o DPkg::Lock::Timeout=600 -o Acquire::Retries=3 install -y libc6-dev-arm64-cross ;;
esac
- name: Setup Android NDK
if: matrix.android_ndk
@ -290,8 +353,18 @@ jobs:
NDK_ROOT="${RUNNER_TEMP}/android-ndk"
NDK_HOME="${NDK_ROOT}/android-ndk-${NDK_VERSION}"
sudo apt-get update -qq
sudo apt-get install -y unzip
for i in {1..60}; do
if sudo fuser /var/lib/apt/lists/lock >/dev/null 2>&1 \
|| sudo fuser /var/lib/dpkg/lock-frontend >/dev/null 2>&1 \
|| sudo fuser /var/lib/dpkg/lock >/dev/null 2>&1; then
echo "apt/dpkg locked; waiting ($i/60)..."
sleep 5
else
break
fi
done
sudo apt-get -o DPkg::Lock::Timeout=600 -o Acquire::Retries=3 update -qq
sudo apt-get -o DPkg::Lock::Timeout=600 -o Acquire::Retries=3 install -y unzip
mkdir -p "${NDK_ROOT}"
curl -fsSL "${NDK_URL}" -o "${RUNNER_TEMP}/${NDK_ZIP}"
@ -362,6 +435,10 @@ jobs:
- name: Check binary size (Unix)
if: runner.os != 'Windows'
env:
BINARY_SIZE_HARD_LIMIT_MB: 28
BINARY_SIZE_ADVISORY_MB: 20
BINARY_SIZE_TARGET_MB: 5
run: bash scripts/ci/check_binary_size.sh "target/${{ matrix.target }}/release-fast/${{ matrix.artifact }}" "${{ matrix.target }}"
- name: Package (Unix)

102
.github/workflows/release-build.yml vendored Normal file
View File

@ -0,0 +1,102 @@
name: Production Release Build
on:
push:
branches: ["main"]
tags: ["v*"]
workflow_dispatch:
concurrency:
group: production-release-build-${{ github.ref || github.run_id }}
cancel-in-progress: false
permissions:
contents: read
env:
GIT_CONFIG_COUNT: "1"
GIT_CONFIG_KEY_0: core.hooksPath
GIT_CONFIG_VALUE_0: /dev/null
CARGO_TERM_COLOR: always
jobs:
build-and-test:
name: Build and Test (Linux x86_64)
runs-on: [self-hosted, Linux, X64, aws-india, blacksmith-2vcpu-ubuntu-2404, hetzner]
timeout-minutes: 120
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Ensure C toolchain
shell: bash
run: bash ./scripts/ci/ensure_c_toolchain.sh
- name: Self-heal Rust toolchain cache
shell: bash
run: ./scripts/ci/self_heal_rust_toolchain.sh 1.92.0
- name: Setup Rust
uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
with:
toolchain: 1.92.0
components: rustfmt, clippy
- name: Ensure C toolchain for Rust builds
shell: bash
run: ./scripts/ci/ensure_cc.sh
- name: Ensure cargo component
shell: bash
env:
ENSURE_CARGO_COMPONENT_STRICT: "true"
run: bash ./scripts/ci/ensure_cargo_component.sh 1.92.0
- name: Ensure rustfmt and clippy components
shell: bash
run: rustup component add rustfmt clippy --toolchain 1.92.0
- name: Activate toolchain binaries on PATH
shell: bash
run: |
set -euo pipefail
toolchain_bin="$(dirname "$(rustup which --toolchain 1.92.0 cargo)")"
echo "$toolchain_bin" >> "$GITHUB_PATH"
- name: Cache Cargo registry and target
uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v3
with:
prefix-key: production-release-build
shared-key: ${{ runner.os }}-${{ hashFiles('Cargo.lock') }}
cache-targets: true
cache-bin: false
- name: Rust quality gates
shell: bash
run: |
set -euo pipefail
./scripts/ci/rust_quality_gate.sh
cargo test --locked --lib --bins --verbose
- name: Build production binary (canonical)
shell: bash
run: cargo build --release --locked
- name: Prepare artifact bundle
shell: bash
run: |
set -euo pipefail
mkdir -p artifacts
cp target/release/zeroclaw artifacts/zeroclaw
sha256sum artifacts/zeroclaw > artifacts/zeroclaw.sha256
- name: Upload production artifact
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: zeroclaw-linux-amd64
path: |
artifacts/zeroclaw
artifacts/zeroclaw.sha256
if-no-files-found: error
retention-days: 21

1
.gitignore vendored
View File

@ -16,6 +16,7 @@ site/public/docs-content/
gh-pages/
.idea
.claude
# Environment files (may contain secrets)
.env

2
CHANGELOG.md
View File

@ -67,4 +67,4 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Workspace escape prevention
- Forbidden system path protection (`/etc`, `/root`, `~/.ssh`)
[0.1.0]: https://github.com/theonlyhennygod/zeroclaw/releases/tag/v0.1.0
[0.1.0]: https://github.com/zeroclaw-labs/zeroclaw/releases/tag/v0.1.0

337
Cargo.lock generated
View File

@ -448,9 +448,9 @@ checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
[[package]]
name = "aws-lc-rs"
version = "1.16.0"
version = "1.16.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d9a7b350e3bb1767102698302bc37256cbd48422809984b98d292c40e2579aa9"
checksum = "94bffc006df10ac2a68c83692d734a465f8ee6c5b384d8545a636f81d858f4bf"
dependencies = [
"aws-lc-sys",
"zeroize",
@ -458,9 +458,9 @@ dependencies = [
[[package]]
name = "aws-lc-sys"
version = "0.37.1"
version = "0.38.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b092fe214090261288111db7a2b2c2118e5a7f30dc2569f1732c4069a6840549"
checksum = "4321e568ed89bb5a7d291a7f37997c2c0df89809d7b6d12062c81ddb54aa782e"
dependencies = [
"cc",
"cmake",
@ -850,12 +850,27 @@ dependencies = [
"winx",
]
[[package]]
name = "cassowary"
version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "df8670b8c7b9dae1793364eafadf7239c40d669904660c5960d74cfd80b46a53"
[[package]]
name = "cast"
version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "37b2a672a2cb129a2e41c10b1224bb368f9f37a2b16b612598138befd7b37eb5"
[[package]]
name = "castaway"
version = "0.2.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dec551ab6e7578819132c713a93c022a05d60159dc86e7a7050223577484c55a"
dependencies = [
"rustversion",
]
[[package]]
name = "cbc"
version = "0.1.2"
@ -1091,9 +1106,9 @@ dependencies = [
[[package]]
name = "cobs"
version = "0.5.0"
version = "0.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b4ef0193218d365c251b5b9297f9911a908a8ddd2ebd3a36cc5d0ef0f63aee9e"
checksum = "dd93fd2c1b27acd030440c9dbd9d14c1122aad622374fe05a670b67a4bc034be"
dependencies = [
"heapless",
"thiserror 2.0.18",
@ -1105,6 +1120,20 @@ version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75"
[[package]]
name = "compact_str"
version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3b79c4069c6cad78e2e0cdfcbd26275770669fb39fd308a752dc110e83b9af32"
dependencies = [
"castaway",
"cfg-if",
"itoa",
"rustversion",
"ryu",
"static_assertions",
]
[[package]]
name = "compression-codecs"
version = "0.4.37"
@ -1140,7 +1169,7 @@ dependencies = [
"encode_unicode",
"libc",
"once_cell",
"unicode-width 0.2.2",
"unicode-width 0.2.0",
"windows-sys 0.61.2",
]
@ -1165,6 +1194,15 @@ version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3d52eff69cd5e647efe296129160853a42795992097e8af39800e1060caeea9b"
[[package]]
name = "convert_case"
version = "0.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "633458d4ef8c78b72454de2d54fd6ab2e60f9e02be22f3c6104cdc8a4e0fceb9"
dependencies = [
"unicode-segmentation",
]
[[package]]
name = "cookie"
version = "0.16.2"
@ -1475,6 +1513,49 @@ version = "0.8.21"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28"
[[package]]
name = "crossterm"
version = "0.28.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "829d955a0bb380ef178a640b91779e3987da38c9aea133b20614cfed8cdea9c6"
dependencies = [
"bitflags 2.11.0",
"crossterm_winapi",
"mio",
"parking_lot",
"rustix 0.38.44",
"signal-hook",
"signal-hook-mio",
"winapi",
]
[[package]]
name = "crossterm"
version = "0.29.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d8b9f2e4c67f833b660cdb0a3523065869fb35570177239812ed4c905aeff87b"
dependencies = [
"bitflags 2.11.0",
"crossterm_winapi",
"derive_more 2.1.1",
"document-features",
"mio",
"parking_lot",
"rustix 1.1.4",
"signal-hook",
"signal-hook-mio",
"winapi",
]
[[package]]
name = "crossterm_winapi"
version = "0.9.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "acdd7c62a3665c7f6830a51635d9ac9b23ed385797f70a83bb8bafe9c572ab2b"
dependencies = [
"winapi",
]
[[package]]
name = "crunchy"
version = "0.2.4"
@ -1579,8 +1660,18 @@ version = "0.20.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fc7f46116c46ff9ab3eb1597a45688b6715c6e628b5c133e288e709a29bcb4ee"
dependencies = [
"darling_core",
"darling_macro",
"darling_core 0.20.11",
"darling_macro 0.20.11",
]
[[package]]
name = "darling"
version = "0.23.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "25ae13da2f202d56bd7f91c25fba009e7717a1e4a1cc98a76d844b65ae912e9d"
dependencies = [
"darling_core 0.23.0",
"darling_macro 0.23.0",
]
[[package]]
@ -1597,13 +1688,37 @@ dependencies = [
"syn 2.0.117",
]
[[package]]
name = "darling_core"
version = "0.23.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9865a50f7c335f53564bb694ef660825eb8610e0a53d3e11bf1b0d3df31e03b0"
dependencies = [
"ident_case",
"proc-macro2",
"quote",
"strsim",
"syn 2.0.117",
]
[[package]]
name = "darling_macro"
version = "0.20.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fc34b93ccb385b40dc71c6fceac4b2ad23662c7eeb248cf10d529b7e055b6ead"
dependencies = [
"darling_core",
"darling_core 0.20.11",
"quote",
"syn 2.0.117",
]
[[package]]
name = "darling_macro"
version = "0.23.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ac3984ec7bd6cfa798e62b4a642426a5be0e68f9401cfc2a01e3fa9ea2fcdb8d"
dependencies = [
"darling_core 0.23.0",
"quote",
"syn 2.0.117",
]
@ -1692,7 +1807,7 @@ version = "0.18.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "58cb0719583cbe4e81fb40434ace2f0d22ccc3e39a74bb3796c22b451b4f139d"
dependencies = [
"darling",
"darling 0.20.11",
"proc-macro-crate",
"proc-macro2",
"quote",
@ -1791,6 +1906,7 @@ version = "2.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "799a97264921d8623a957f6c3b9011f3b5492f557bbb7a5a19b7fa6d06ba8dcb"
dependencies = [
"convert_case",
"proc-macro2",
"quote",
"rustc_version",
@ -2090,7 +2206,7 @@ dependencies = [
"regex",
"serde",
"serde_plain",
"strum",
"strum 0.27.2",
"thiserror 2.0.18",
]
@ -2114,7 +2230,7 @@ dependencies = [
"object 0.38.1",
"serde",
"sha2",
"strum",
"strum 0.27.2",
"thiserror 2.0.18",
]
@ -2507,20 +2623,20 @@ dependencies = [
"cfg-if",
"js-sys",
"libc",
"r-efi",
"r-efi 5.3.0",
"wasip2",
"wasm-bindgen",
]
[[package]]
name = "getrandom"
version = "0.4.1"
version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "139ef39800118c7683f2fd3c98c1b23c09ae076556b435f8e9064ae108aaeeec"
checksum = "0de51e6874e94e7bf76d726fc5d13ba782deca734ff60d5bb2fb2607c7406555"
dependencies = [
"cfg-if",
"libc",
"r-efi",
"r-efi 6.0.0",
"rand_core 0.10.0",
"wasip2",
"wasip3",
@ -2645,6 +2761,8 @@ version = "0.15.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
dependencies = [
"allocator-api2",
"equivalent",
"foldhash 0.1.5",
"serde",
]
@ -3243,6 +3361,15 @@ dependencies = [
"serde_core",
]
[[package]]
name = "indoc"
version = "2.0.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "79cf5c93f93228cf8efb3ba362535fb11199ac548a09ce117c9b1adc3030d706"
dependencies = [
"rustversion",
]
[[package]]
name = "inout"
version = "0.1.4"
@ -3253,6 +3380,19 @@ dependencies = [
"generic-array",
]
[[package]]
name = "instability"
version = "0.3.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "357b7205c6cd18dd2c86ed312d1e70add149aea98e7ef72b9fdf0270e555c11d"
dependencies = [
"darling 0.23.0",
"indoc",
"proc-macro2",
"quote",
"syn 2.0.117",
]
[[package]]
name = "instant"
version = "0.1.13"
@ -3303,9 +3443,9 @@ checksum = "06432fb54d3be7964ecd3649233cddf80db2832f47fec34c01f65b3d9d774983"
[[package]]
name = "ipnet"
version = "2.11.0"
version = "2.12.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "469fb0b9cefa57e3ef31275ee7cacb78f2fdca44e4765491884a2b119d4eb130"
checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2"
[[package]]
name = "iri-string"
@ -3606,6 +3746,15 @@ dependencies = [
"weezl",
]
[[package]]
name = "lru"
version = "0.12.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "234cf4f4a04dc1f57e24b96cc0cd600cf2af460d4161ac5ecdd0af8e1f3b2a38"
dependencies = [
"hashbrown 0.15.5",
]
[[package]]
name = "lru"
version = "0.16.3"
@ -4158,9 +4307,9 @@ dependencies = [
[[package]]
name = "moka"
version = "0.12.13"
version = "0.12.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b4ac832c50ced444ef6be0767a008b02c106a909ba79d1d830501e94b96f6b7e"
checksum = "85f8024e1c8e71c778968af91d43700ce1d11b219d127d79fb2934153b82b42b"
dependencies = [
"async-lock",
"crossbeam-channel",
@ -4324,7 +4473,7 @@ version = "0.44.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7462c9d8ae5ef6a28d66a192d399ad2530f1f2130b13186296dbb11bdef5b3d1"
dependencies = [
"lru",
"lru 0.16.3",
"nostr",
"tokio",
]
@ -4348,7 +4497,7 @@ dependencies = [
"async-wsocket",
"atomic-destructor",
"hex",
"lru",
"lru 0.16.3",
"negentropy",
"nostr",
"nostr-database",
@ -4649,6 +4798,12 @@ dependencies = [
"subtle",
]
[[package]]
name = "paste"
version = "1.0.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a"
[[package]]
name = "pbkdf2"
version = "0.12.2"
@ -5067,7 +5222,7 @@ dependencies = [
"bincode",
"bitfield",
"bitvec",
"cobs 0.5.0",
"cobs 0.5.1",
"docsplay",
"dunce",
"espflash",
@ -5304,12 +5459,9 @@ dependencies = [
[[package]]
name = "pxfm"
version = "0.1.27"
version = "0.1.28"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7186d3822593aa4393561d186d1393b3923e9d6163d3fbfd6e825e3e6cf3e6a8"
dependencies = [
"num-traits",
]
checksum = "b5a041e753da8b807c9255f28de81879c78c876392ff2469cde94799b2896b9d"
[[package]]
name = "qrcode"
@ -5386,9 +5538,9 @@ dependencies = [
[[package]]
name = "quote"
version = "1.0.44"
version = "1.0.45"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "21b2ebcf727b7760c461f091f9f0f539b77b8e87f2fd88131e7f1b433b3cece4"
checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924"
dependencies = [
"proc-macro2",
]
@ -5405,6 +5557,12 @@ version = "5.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
[[package]]
name = "r-efi"
version = "6.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf"
[[package]]
name = "radium"
version = "0.7.0"
@ -5449,7 +5607,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bc266eb313df6c5c09c1c7b1fbe2510961e5bcd3add930c1e31f7ed9da0feff8"
dependencies = [
"chacha20 0.10.0",
"getrandom 0.4.1",
"getrandom 0.4.2",
"rand_core 0.10.0",
]
@ -5512,6 +5670,27 @@ version = "1.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "973443cf09a9c8656b574a866ab68dfa19f0867d0340648c7d2f6a71b8a8ea68"
[[package]]
name = "ratatui"
version = "0.29.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "eabd94c2f37801c20583fc49dd5cd6b0ba68c716787c2dd6ed18571e1e63117b"
dependencies = [
"bitflags 2.11.0",
"cassowary",
"compact_str",
"crossterm 0.28.1",
"indoc",
"instability",
"itertools 0.13.0",
"lru 0.12.5",
"paste",
"strum 0.26.3",
"unicode-segmentation",
"unicode-truncate",
"unicode-width 0.2.0",
]
[[package]]
name = "rayon"
version = "1.11.0"
@ -6064,7 +6243,7 @@ dependencies = [
"nix 0.30.1",
"radix_trie",
"unicode-segmentation",
"unicode-width 0.2.2",
"unicode-width 0.2.0",
"utf8parse",
"windows-sys 0.60.2",
]
@ -6494,6 +6673,27 @@ version = "1.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
[[package]]
name = "signal-hook"
version = "0.3.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d881a16cf4426aa584979d30bd82cb33429027e42122b169753d6ef1085ed6e2"
dependencies = [
"libc",
"signal-hook-registry",
]
[[package]]
name = "signal-hook-mio"
version = "0.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b75a19a7a740b25bc7944bdee6172368f988763b744e3d4dfe753f6b4ece40cc"
dependencies = [
"libc",
"mio",
"signal-hook",
]
[[package]]
name = "signal-hook-registry"
version = "1.4.8"
@ -6591,6 +6791,12 @@ dependencies = [
"windows-sys 0.59.0",
]
[[package]]
name = "static_assertions"
version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f"
[[package]]
name = "stop-token"
version = "0.7.0"
@ -6655,13 +6861,35 @@ version = "0.11.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
[[package]]
name = "strum"
version = "0.26.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8fec0f0aef304996cf250b31b5a10dee7980c85da9d759361292b8bca5a18f06"
dependencies = [
"strum_macros 0.26.4",
]
[[package]]
name = "strum"
version = "0.27.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "af23d6f6c1a224baef9d3f61e287d2761385a5b88fdab4eb4c6f11aeb54c4bcf"
dependencies = [
"strum_macros",
"strum_macros 0.27.2",
]
[[package]]
name = "strum_macros"
version = "0.26.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4c6bee85a5a24955dc440386795aa378cd9cf82acd5f764469152d2270e581be"
dependencies = [
"heck",
"proc-macro2",
"quote",
"rustversion",
"syn 2.0.117",
]
[[package]]
@ -6765,7 +6993,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "82a72c767771b47409d2345987fda8628641887d5466101319899796367354a0"
dependencies = [
"fastrand",
"getrandom 0.4.1",
"getrandom 0.4.2",
"once_cell",
"rustix 1.1.4",
"windows-sys 0.61.2",
@ -6938,9 +7166,9 @@ dependencies = [
[[package]]
name = "tokio"
version = "1.49.0"
version = "1.50.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "72a2903cd7736441aac9df9d7688bd0ce48edccaadf181c3b90be801e81d3d86"
checksum = "27ad5e34374e03cfffefc301becb44e9dc3c17584f414349ebe29ed26661822d"
dependencies = [
"bytes",
"libc",
@ -6954,9 +7182,9 @@ dependencies = [
[[package]]
name = "tokio-macros"
version = "2.6.0"
version = "2.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "af407857209536a95c8e56f8231ef2c2e2aff839b22e07a1ffcbc617e9db9fa5"
checksum = "5c55a2eff8b69ce66c84f85e1da1c233edc36ceb85a2058d11b0d6a3c7e7569c"
dependencies = [
"proc-macro2",
"quote",
@ -7522,6 +7750,17 @@ version = "1.12.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f6ccf251212114b54433ec949fd6a7841275f9ada20dddd2f29e9ceea4501493"
[[package]]
name = "unicode-truncate"
version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b3644627a5af5fa321c95b9b235a72fd24cd29c648c2c379431e6628655627bf"
dependencies = [
"itertools 0.13.0",
"unicode-segmentation",
"unicode-width 0.1.14",
]
[[package]]
name = "unicode-width"
version = "0.1.14"
@ -7530,9 +7769,9 @@ checksum = "7dd6e30e90baa6f72411720665d41d89b9a3d039dc45b8faea1ddd07f617f6af"
[[package]]
name = "unicode-width"
version = "0.2.2"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b4ac048d71ede7ee76d585517add45da530660ef4390e49b098733c6e897f254"
checksum = "1fc81956842c57dac11422a97c3b8195a1ff727f06e85c84ed2e8aa277c9a0fd"
[[package]]
name = "unicode-xid"
@ -7642,7 +7881,7 @@ version = "1.21.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b672338555252d43fd2240c714dc444b8c6fb0a5c5335e65a07bba7742735ddb"
dependencies = [
"getrandom 0.4.1",
"getrandom 0.4.2",
"js-sys",
"serde_core",
"wasm-bindgen",
@ -8507,7 +8746,7 @@ dependencies = [
"bumpalo",
"leb128fmt",
"memchr",
"unicode-width 0.2.2",
"unicode-width 0.2.0",
"wasm-encoder 0.245.1",
]
@ -9218,7 +9457,7 @@ dependencies = [
[[package]]
name = "zeroclaw"
version = "0.2.0"
version = "0.1.8"
dependencies = [
"aho-corasick",
"anyhow",
@ -9234,6 +9473,7 @@ dependencies = [
"console",
"criterion",
"cron",
"crossterm 0.29.0",
"dialoguer",
"directories",
"fantoccini",
@ -9266,6 +9506,7 @@ dependencies = [
"qrcode",
"quick-xml",
"rand 0.10.0",
"ratatui",
"regex",
"reqwest",
"ring",
@ -9463,9 +9704,9 @@ dependencies = [
[[package]]
name = "zip"
version = "8.1.0"
version = "8.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6e499faf5c6b97a0d086f4a8733de6d47aee2252b8127962439d8d4311a73f72"
checksum = "b680f2a0cd479b4cff6e1233c483fdead418106eae419dc60200ae9850f6d004"
dependencies = [
"crc32fast",
"flate2",
@ -9477,9 +9718,9 @@ dependencies = [
[[package]]
name = "zlib-rs"
version = "0.6.2"
version = "0.6.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c745c48e1007337ed136dc99df34128b9faa6ed542d80a1c673cf55a6d7236c8"
checksum = "3be3d40e40a133f9c916ee3f9f4fa2d9d63435b5fbe1bfc6d9dae0aa0ada1513"
[[package]]
name = "zmij"

4
Cargo.toml
View File

@ -9,7 +9,7 @@ resolver = "2"
[package]
name = "zeroclaw"
version = "0.2.0"
version = "0.1.8"
edition = "2021"
build = "build.rs"
authors = ["theonlyhennygod"]
@ -125,6 +125,8 @@ cron = "0.15"
dialoguer = { version = "0.12", features = ["fuzzy-select"] }
rustyline = "17.0"
console = "0.16"
crossterm = "0.29"
ratatui = { version = "0.29", default-features = false, features = ["crossterm"] }
# Hardware discovery (device path globbing)
glob = "0.3"

14
Dockerfile
View File

@ -5,11 +5,13 @@ FROM rust:1.93-slim@sha256:7e6fa79cf81be23fd45d857f75f583d80cfdbb11c91fa06180fd7
WORKDIR /app
ARG ZEROCLAW_CARGO_FEATURES=""
ARG ZEROCLAW_CARGO_ALL_FEATURES="false"
# Install build dependencies
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
apt-get update && apt-get install -y \
libudev-dev \
pkg-config \
&& rm -rf /var/lib/apt/lists/*
@ -29,8 +31,10 @@ RUN mkdir -p src benches crates/robot-kit/src crates/zeroclaw-types/src crates/z
RUN --mount=type=cache,id=zeroclaw-cargo-registry,target=/usr/local/cargo/registry,sharing=locked \
--mount=type=cache,id=zeroclaw-cargo-git,target=/usr/local/cargo/git,sharing=locked \
--mount=type=cache,id=zeroclaw-target,target=/app/target,sharing=locked \
if [ -n "$ZEROCLAW_CARGO_FEATURES" ]; then \
cargo build --release --features "$ZEROCLAW_CARGO_FEATURES"; \
if [ "$ZEROCLAW_CARGO_ALL_FEATURES" = "true" ]; then \
cargo build --release --locked --all-features; \
elif [ -n "$ZEROCLAW_CARGO_FEATURES" ]; then \
cargo build --release --locked --features "$ZEROCLAW_CARGO_FEATURES"; \
else \
cargo build --release --locked; \
fi
@ -63,8 +67,10 @@ RUN mkdir -p web/dist && \
RUN --mount=type=cache,id=zeroclaw-cargo-registry,target=/usr/local/cargo/registry,sharing=locked \
--mount=type=cache,id=zeroclaw-cargo-git,target=/usr/local/cargo/git,sharing=locked \
--mount=type=cache,id=zeroclaw-target,target=/app/target,sharing=locked \
if [ -n "$ZEROCLAW_CARGO_FEATURES" ]; then \
cargo build --release --features "$ZEROCLAW_CARGO_FEATURES"; \
if [ "$ZEROCLAW_CARGO_ALL_FEATURES" = "true" ]; then \
cargo build --release --locked --all-features; \
elif [ -n "$ZEROCLAW_CARGO_FEATURES" ]; then \
cargo build --release --locked --features "$ZEROCLAW_CARGO_FEATURES"; \
else \
cargo build --release --locked; \
fi && \

2
RUN_TESTS.md
View File

@ -300,6 +300,6 @@ If all tests pass:
## 📞 Support
- Issues: https://github.com/theonlyhennygod/zeroclaw/issues
- Issues: https://github.com/zeroclaw-labs/zeroclaw/issues
- Docs: `./TESTING_TELEGRAM.md`
- Help: `zeroclaw --help`

2
TESTING_TELEGRAM.md
View File

@ -352,4 +352,4 @@ zeroclaw channel doctor
- [Telegram Bot API Documentation](https://core.telegram.org/bots/api)
- [ZeroClaw Main README](README.md)
- [Contributing Guide](CONTRIBUTING.md)
- [Issue Tracker](https://github.com/theonlyhennygod/zeroclaw/issues)
- [Issue Tracker](https://github.com/zeroclaw-labs/zeroclaw/issues)

2
crates/robot-kit/PI5_SETUP.md
View File

@ -171,7 +171,7 @@ sudo usermod -aG dialout $USER
```bash
# Clone repo (or copy from USB)
git clone https://github.com/theonlyhennygod/zeroclaw
git clone https://github.com/zeroclaw-labs/zeroclaw
cd zeroclaw
# Build robot kit

1
docs/SUMMARY.md
View File

@ -94,6 +94,7 @@ Last refreshed: **February 28, 2026**.
- [pr-workflow.md](pr-workflow.md)
- [reviewer-playbook.md](reviewer-playbook.md)
- [ci-map.md](ci-map.md)
- [ci-blacksmith.md](ci-blacksmith.md)
- [actions-source-policy.md](actions-source-policy.md)
- [cargo-slicer-speedup.md](cargo-slicer-speedup.md)

4
docs/arduino-uno-q-setup.md
View File

@ -66,7 +66,7 @@ sudo apt-get update
sudo apt-get install -y pkg-config libssl-dev
# Clone zeroclaw (or scp your project)
git clone https://github.com/theonlyhennygod/zeroclaw.git
git clone https://github.com/zeroclaw-labs/zeroclaw.git
cd zeroclaw
# Build (takes ~1530 min on Uno Q)
@ -199,7 +199,7 @@ Now when you message your Telegram bot *"Turn on the LED"* or *"Set pin 13 high"
| 2 | `ssh arduino@<IP>` |
| 3 | `curl -sSf https://sh.rustup.rs \| sh -s -- -y && source ~/.cargo/env` |
| 4 | `sudo apt-get install -y pkg-config libssl-dev` |
| 5 | `git clone https://github.com/theonlyhennygod/zeroclaw.git && cd zeroclaw` |
| 5 | `git clone https://github.com/zeroclaw-labs/zeroclaw.git && cd zeroclaw` |
| 6 | `cargo build --release --features hardware` |
| 7 | `zeroclaw onboard --api-key KEY --provider openrouter` |
| 8 | Edit `~/.zeroclaw/config.toml` (add Telegram bot_token) |

3
docs/channels-reference.md
View File

@ -203,7 +203,7 @@ allowed_sender_ids = ["123456789", "987"] # optional; "*" allowed
[channels_config.telegram]
bot_token = "123456:telegram-token"
allowed_users = ["*"]
stream_mode = "off" # optional: off | partial
stream_mode = "off" # optional: off | partial | on
draft_update_interval_ms = 1000 # optional: edit throttle for partial streaming
mention_only = false # legacy fallback; used when group_reply.mode is not set
interrupt_on_new_message = false # optional: cancel in-flight same-sender same-chat request
@ -219,6 +219,7 @@ Telegram notes:
- `interrupt_on_new_message = true` preserves interrupted user turns in conversation history, then restarts generation on the newest message.
- Interruption scope is strict: same sender in the same chat. Messages from different chats are processed independently.
- `ack_enabled = false` disables the emoji reaction (⚡️, 👌, 👀, 🔥, 👍) sent to incoming messages as acknowledgment.
- `stream_mode = "on"` uses Telegram's native `sendMessageDraft` flow for private chats. Non-private chats, or runtime `sendMessageDraft` API failures, automatically fall back to `partial`.
### 4.2 Discord

64
docs/ci-blacksmith.md Normal file
View File

@ -0,0 +1,64 @@
# Blacksmith Production Build Pipeline
This document describes the production binary build lane for ZeroClaw on Blacksmith-backed GitHub Actions runners.
## Workflow
- File: `.github/workflows/release-build.yml`
- Workflow name: `Production Release Build`
- Triggers:
- Push to `main`
- Push tags matching `v*`
- Manual dispatch (`workflow_dispatch`)
## Runner Labels
The workflow runs on the same Blacksmith self-hosted runner label-set used by the rest of CI:
`[self-hosted, Linux, X64, aws-india, blacksmith-2vcpu-ubuntu-2404, hetzner]`
This keeps runner routing consistent with existing CI jobs and actionlint policy.
## Canonical Commands
Quality gates (must pass before release build):
```bash
cargo fmt --all -- --check
cargo clippy --locked --all-targets -- -D warnings
cargo test --locked --verbose
```
Production build command (canonical):
```bash
cargo build --release --locked
```
## Artifact Output
- Binary path: `target/release/zeroclaw`
- Uploaded artifact name: `zeroclaw-linux-amd64`
- Uploaded files:
- `artifacts/zeroclaw`
- `artifacts/zeroclaw.sha256`
## Re-run and Debug
1. Open Actions run for `Production Release Build`.
2. Use `Re-run failed jobs` (or full rerun) from the run page.
3. Inspect step logs in this order: `Rust quality gates` -> `Build production binary (canonical)` -> `Prepare artifact bundle`.
4. Download `zeroclaw-linux-amd64` from the run artifacts and verify checksum:
```bash
sha256sum -c zeroclaw.sha256
```
5. Reproduce locally from repository root with the same command set:
```bash
cargo fmt --all -- --check
cargo clippy --locked --all-targets -- -D warnings
cargo test --locked --verbose
cargo build --release --locked
```

20
docs/ci-map.md
View File

@ -61,6 +61,11 @@ Merge-blocking checks should stay small and deterministic. Optional checks are u
- Noise control: excludes common test/fixture paths and test file patterns by default (`include_tests=false`)
- `.github/workflows/pub-release.yml` (`Release`)
- Purpose: build release artifacts in verification mode (manual/scheduled) and publish GitHub releases on tag push or manual publish mode
- `.github/workflows/release-build.yml` (`Production Release Build`)
- Purpose: build reproducible Linux x86_64 production binaries on `main` pushes and `v*` tags using Blacksmith runners
- Canonical build command: `cargo build --release --locked`
- Quality gates: `cargo fmt --all -- --check`, `cargo clippy --locked --all-targets -- -D warnings`, and `cargo test --locked --verbose` before release build
- Artifact output: `zeroclaw-linux-amd64` (`target/release/zeroclaw` + `.sha256`)
- `.github/workflows/pr-label-policy-check.yml` (`Label Policy Sanity`)
- Purpose: validate shared contributor-tier policy in `.github/label-policy.json` and ensure label workflows consume that policy
@ -98,6 +103,7 @@ Merge-blocking checks should stay small and deterministic. Optional checks are u
- `Feature Matrix`: push on Rust + workflow paths to `dev`, merge queue, weekly schedule, manual dispatch; PRs only when `ci:full` or `ci:feature-matrix` label is applied
- `Nightly All-Features`: daily schedule and manual dispatch
- `Release`: tag push (`v*`), weekly schedule (verification-only), manual dispatch (verification or publish)
- `Production Release Build`: push to `main`, push tags matching `v*`, manual dispatch
- `Security Audit`: push to `dev` and `main`, PRs to `dev` and `main`, weekly schedule
- `Sec Vorpal Reviewdog`: manual dispatch only
- `Workflow Sanity`: PR/push when `.github/workflows/**`, `.github/*.yml`, or `.github/*.yaml` change
@ -116,12 +122,13 @@ Merge-blocking checks should stay small and deterministic. Optional checks are u
2. Docker failures on PRs: inspect `.github/workflows/pub-docker-img.yml` `pr-smoke` job.
- For tag-publish failures, inspect `ghcr-publish-contract.json` / `audit-event-ghcr-publish-contract.json`, `ghcr-vulnerability-gate.json` / `audit-event-ghcr-vulnerability-gate.json`, and Trivy artifacts from `pub-docker-img.yml`.
3. Release failures (tag/manual/scheduled): inspect `.github/workflows/pub-release.yml` and the `prepare` job outputs.
4. Security failures: inspect `.github/workflows/sec-audit.yml` and `deny.toml`.
5. Workflow syntax/lint failures: inspect `.github/workflows/workflow-sanity.yml`.
6. PR intake failures: inspect `.github/workflows/pr-intake-checks.yml` sticky comment and run logs. If intake policy changed recently, trigger a fresh `pull_request_target` event (for example close/reopen PR) because `Re-run jobs` can reuse the original workflow snapshot.
7. Label policy parity failures: inspect `.github/workflows/pr-label-policy-check.yml`.
8. Docs failures in CI: inspect `docs-quality` job logs in `.github/workflows/ci-run.yml`.
9. Strict delta lint failures in CI: inspect `lint-strict-delta` job logs and compare with `BASE_SHA` diff scope.
4. Production release build failures (`main`/`v*`): inspect `.github/workflows/release-build.yml` quality-gate + build steps.
5. Security failures: inspect `.github/workflows/sec-audit.yml` and `deny.toml`.
6. Workflow syntax/lint failures: inspect `.github/workflows/workflow-sanity.yml`.
7. PR intake failures: inspect `.github/workflows/pr-intake-checks.yml` sticky comment and run logs. If intake policy changed recently, trigger a fresh `pull_request_target` event (for example close/reopen PR) because `Re-run jobs` can reuse the original workflow snapshot.
8. Label policy parity failures: inspect `.github/workflows/pr-label-policy-check.yml`.
9. Docs failures in CI: inspect `docs-quality` job logs in `.github/workflows/ci-run.yml`.
10. Strict delta lint failures in CI: inspect `lint-strict-delta` job logs and compare with `BASE_SHA` diff scope.
## Maintenance Rules
@ -140,6 +147,7 @@ Merge-blocking checks should stay small and deterministic. Optional checks are u
- Keep pre-release stage transition policy + matrix coverage + transition audit semantics current in `.github/release/prerelease-stage-gates.json`.
- Keep required check naming stable and documented in `docs/operations/required-check-mapping.md` before changing branch protection settings.
- Follow `docs/release-process.md` for verify-before-publish release cadence and tag discipline.
- Keep production build reproducibility anchored to `cargo build --release --locked` in `.github/workflows/release-build.yml`.
- Keep merge-blocking rust quality policy aligned across `.github/workflows/ci-run.yml`, `dev/ci.sh`, and `.githooks/pre-push` (`./scripts/ci/rust_quality_gate.sh` + `./scripts/ci/rust_strict_delta_gate.sh`).
- Use `./scripts/ci/rust_strict_delta_gate.sh` (or `./dev/ci.sh lint-delta`) as the incremental strict merge gate for changed Rust lines.
- Run full strict lint audits regularly via `./scripts/ci/rust_quality_gate.sh --strict` (for example through `./dev/ci.sh lint-strict`) and track cleanup in focused PRs.

42
docs/config-reference.md
View File

@ -46,6 +46,7 @@ Use named profiles to map a logical provider id to a provider name/base URL and
|---|---|---|
| `name` | unset | Optional provider id override (for example `openai`, `openai-codex`) |
| `base_url` | unset | Optional OpenAI-compatible endpoint URL |
| `auth_header` | unset | Optional auth header for `custom:` endpoints (for example `api-key` for Azure OpenAI) |
| `wire_api` | unset | Optional protocol mode: `responses` or `chat_completions` |
| `model` | unset | Optional profile-scoped default model |
| `api_key` | unset | Optional profile-scoped API key (used when top-level `api_key` is empty) |
@ -55,6 +56,7 @@ Notes:
- If both top-level `api_key` and profile `api_key` are present, top-level `api_key` wins.
- If top-level `default_model` is still the global OpenRouter default, profile `model` is used as an automatic compatibility override.
- `auth_header` is only applied when the resolved provider is `custom:<url>` and the profile `base_url` matches that custom URL.
- Secrets encryption applies to profile API keys when `secrets.encrypt = true`.
Example:
@ -129,6 +131,8 @@ Operational note for container users:
| `max_history_messages` | `50` | Maximum conversation history messages retained per session |
| `parallel_tools` | `false` | Enable parallel tool execution within a single iteration |
| `tool_dispatcher` | `auto` | Tool dispatch strategy |
| `allowed_tools` | `[]` | Primary-agent tool allowlist. When non-empty, only listed tools are exposed in context |
| `denied_tools` | `[]` | Primary-agent tool denylist applied after `allowed_tools` |
| `loop_detection_no_progress_threshold` | `3` | Same tool+args producing identical output this many times triggers loop detection. `0` disables |
| `loop_detection_ping_pong_cycles` | `2` | A→B→A→B alternating pattern cycle count threshold. `0` disables |
| `loop_detection_failure_streak` | `3` | Same tool consecutive failure count threshold. `0` disables |
@ -139,8 +143,27 @@ Notes:
- If a channel message exceeds this value, the runtime returns: `Agent exceeded maximum tool iterations (<value>)`.
- In CLI, gateway, and channel tool loops, multiple independent tool calls are executed concurrently by default when the pending calls do not require approval gating; result order remains stable.
- `parallel_tools` applies to the `Agent::turn()` API surface. It does not gate the runtime loop used by CLI, gateway, or channel handlers.
- `allowed_tools` / `denied_tools` are applied at startup before prompt construction. Excluded tools are omitted from system prompt context and tool specs.
- Unknown entries in `allowed_tools` are skipped and logged at debug level.
- If both `allowed_tools` and `denied_tools` are configured and the denylist removes all allowlisted matches, startup fails fast with a clear config error.
- **Loop detection** intervenes before `max_tool_iterations` is exhausted. On first detection the agent receives a self-correction prompt; if the loop persists the agent is stopped early. Detection is result-aware: repeated calls with *different* outputs (genuine progress) do not trigger. Set any threshold to `0` to disable that detector.
Example:
```toml
[agent]
allowed_tools = [
"delegate",
"subagent_spawn",
"subagent_list",
"subagent_manage",
"memory_recall",
"memory_store",
"task_plan",
]
denied_tools = ["shell", "file_write", "browser_open"]
```
## `[agent.teams]`
Controls synchronous team delegation behavior (`delegate` tool).
@ -377,6 +400,18 @@ Environment overrides:
- `ZEROCLAW_URL_ACCESS_DOMAIN_BLOCKLIST` / `URL_ACCESS_DOMAIN_BLOCKLIST` (comma-separated)
- `ZEROCLAW_URL_ACCESS_APPROVED_DOMAINS` / `URL_ACCESS_APPROVED_DOMAINS` (comma-separated)
## `[security]`
| Key | Default | Purpose |
|---|---|---|
| `canary_tokens` | `true` | Inject per-turn canary token into system prompt and block responses that echo it |
Notes:
- Canary tokens are generated per turn and are redacted from runtime traces.
- This guard is additive to `security.outbound_leak_guard`: canary catches prompt-context leakage, while outbound leak guard catches credential-like material.
- Set `canary_tokens = false` to disable this layer.
## `[security.syscall_anomaly]`
| Key | Default | Purpose |
@ -961,7 +996,7 @@ Environment overrides:
| `level` | `supervised` | `read_only`, `supervised`, or `full` |
| `workspace_only` | `true` | reject absolute path inputs unless explicitly disabled |
| `allowed_commands` | _required for shell execution_ | allowlist of executable names, explicit executable paths, or `"*"` |
| `command_context_rules` | `[]` | per-command context-aware allow/deny rules (domain/path constraints, optional high-risk override) |
| `command_context_rules` | `[]` | per-command context-aware allow/deny/require-approval rules (domain/path constraints, optional high-risk override) |
| `forbidden_paths` | built-in protected list | explicit path denylist (system paths + sensitive dotdirs by default) |
| `allowed_roots` | `[]` | additional roots allowed outside workspace after canonicalization |
| `max_actions_per_hour` | `20` | per-policy action budget |
@ -986,6 +1021,7 @@ Notes:
- `command_context_rules` can narrow or override `allowed_commands` for matching commands:
- `action = "allow"` rules are restrictive when present for a command: at least one allow rule must match.
- `action = "deny"` rules explicitly block matching contexts.
- `action = "require_approval"` forces explicit approval (`approved=true`) in supervised mode for matching segments, even if `shell` is in `auto_approve`.
- `allow_high_risk = true` allows a matching high-risk command to pass the hard block, but supervised mode still requires `approved=true`.
- `file_read` blocks sensitive secret-bearing files/directories by default. Set `allow_sensitive_file_reads = true` only for controlled debugging sessions.
- `file_write` and `file_edit` block sensitive secret-bearing files/directories by default. Set `allow_sensitive_file_writes = true` only for controlled break-glass sessions.
@ -1034,6 +1070,10 @@ command = "rm"
action = "allow"
allowed_path_prefixes = ["/tmp"]
allow_high_risk = true
[[autonomy.command_context_rules]]
command = "rm"
action = "require_approval"
```
## `[memory]`

2
docs/i18n/el/arduino-uno-q-setup.md
View File

@ -66,7 +66,7 @@ ssh arduino@<UNO_Q_IP>
4. **Λήψη και Μεταγλώττιση**:
```bash
git clone https://github.com/theonlyhennygod/zeroclaw.git
git clone https://github.com/zeroclaw-labs/zeroclaw.git
cd zeroclaw
cargo build --release --features hardware
```

9
docs/i18n/el/config-reference.md
View File

@ -68,4 +68,13 @@ allowed_users = ["το-όνομά-σας"] # Ποιοι επιτρέπεται
- Αν αλλάξετε το αρχείο `config.toml`, πρέπει να κάνετε επανεκκίνηση το ZeroClaw για να δει τις αλλαγές.
- Χρησιμοποιήστε την εντολή `zeroclaw doctor` για να βεβαιωθείτε ότι οι ρυθμίσεις σας είναι σωστές.
## Ενημέρωση (2026-03-03)
- Στην ενότητα `[agent]` προστέθηκαν τα `allowed_tools` και `denied_tools`.
- Αν το `allowed_tools` δεν είναι κενό, ο primary agent βλέπει μόνο τα εργαλεία της λίστας.
- Το `denied_tools` εφαρμόζεται μετά το allowlist και αφαιρεί επιπλέον εργαλεία.
- Άγνωστες τιμές στο `allowed_tools` αγνοούνται (με debug log) και δεν μπλοκάρουν την εκκίνηση.
- Αν `allowed_tools` και `denied_tools` καταλήξουν να αφαιρέσουν όλα τα εκτελέσιμα εργαλεία, η εκκίνηση αποτυγχάνει άμεσα με σαφές μήνυμα ρύθμισης.
- Για πλήρη πίνακα πεδίων και παράδειγμα, δείτε το αγγλικό `config-reference.md` στην ενότητα `[agent]`.
- Μην μοιράζεστε ποτέ το αρχείο `config.toml` με άλλους, καθώς περιέχει τα μυστικά κλειδιά σας (tokens).

127
docs/i18n/es/README.md Normal file
View File

@ -0,0 +1,127 @@
<p align="center">
<img src="../../../zeroclaw.png" alt="ZeroClaw" width="200" />
</p>
<h1 align="center">ZeroClaw 🦀</h1>
<p align="center">
<strong>Sobrecarga cero. Compromiso cero. 100% Rust. 100% Agnóstico.</strong><br>
⚡️ <strong>Funciona en cualquier hardware con <5MB RAM: ¡99% menos memoria que OpenClaw y 98% más económico que un Mac mini!</strong>
</p>
<p align="center">
<a href="../../../LICENSE-APACHE"><img src="https://img.shields.io/badge/license-MIT%20OR%20Apache%202.0-blue.svg" alt="Licencia: MIT OR Apache-2.0" /></a>
<a href="../../../NOTICE"><img src="https://img.shields.io/github/contributors/zeroclaw-labs/zeroclaw?color=green" alt="Colaboradores" /></a>
<a href="https://buymeacoffee.com/argenistherose"><img src="https://img.shields.io/badge/Buy%20Me%20a%20Coffee-Donate-yellow.svg?style=flat&logo=buy-me-a-coffee" alt="Buy Me a Coffee" /></a>
<a href="https://x.com/zeroclawlabs?s=21"><img src="https://img.shields.io/badge/X-%40zeroclawlabs-000000?style=flat&logo=x&logoColor=white" alt="X: @zeroclawlabs" /></a>
<a href="https://zeroclawlabs.cn/group.jpg"><img src="https://img.shields.io/badge/WeChat-Group-B7D7A8?logo=wechat&logoColor=white" alt="Grupo WeChat" /></a>
<a href="https://t.me/zeroclawlabs"><img src="https://img.shields.io/badge/Telegram-%40zeroclawlabs-26A5E4?style=flat&logo=telegram&logoColor=white" alt="Telegram: @zeroclawlabs" /></a>
<a href="https://www.facebook.com/groups/zeroclaw"><img src="https://img.shields.io/badge/Facebook-Group-1877F2?style=flat&logo=facebook&logoColor=white" alt="Grupo Facebook" /></a>
<a href="https://www.reddit.com/r/zeroclawlabs/"><img src="https://img.shields.io/badge/Reddit-r%2Fzeroclawlabs-FF4500?style=flat&logo=reddit&logoColor=white" alt="Reddit: r/zeroclawlabs" /></a>
</p>
<p align="center">
Desarrollado por estudiantes y miembros de las comunidades de Harvard, MIT y Sundai.Club.
</p>
<p align="center">
🌐 <strong>Idiomas:</strong> <a href="../../../README.md">English</a> · <a href="../zh-CN/README.md">简体中文</a> · <a href="README.md">Español</a> · <a href="../pt/README.md">Português</a> · <a href="../it/README.md">Italiano</a> · <a href="../ja/README.md">日本語</a> · <a href="../ru/README.md">Русский</a> · <a href="../fr/README.md">Français</a> · <a href="../vi/README.md">Tiếng Việt</a> · <a href="../el/README.md">Ελληνικά</a>
</p>
<p align="center">
<strong>Framework rápido, pequeño y totalmente autónomo</strong><br />
Despliega en cualquier lugar. Intercambia cualquier cosa.
</p>
<p align="center">
ZeroClaw es el <strong>framework de runtime</strong> para flujos de trabajo agents — infraestructura que abstrae modelos, herramientas, memoria y ejecución para que los agentes puedan construirse una vez y ejecutarse en cualquier lugar.
</p>
<p align="center"><code>Arquitectura basada en traits · runtime seguro por defecto · proveedor/canal/herramienta intercambiable · todo conectable</code></p>
### ✨ Características
- 🏎️ **Runtime Ligero por Defecto:** Los flujos de trabajo comunes de CLI y estado se ejecutan en una envoltura de memoria de pocos megabytes en builds de release.
- 💰 **Despliegue Económico:** Diseñado para placas de bajo costo e instancias cloud pequeñas sin dependencias de runtime pesadas.
- ⚡ **Arranques en Frío Rápidos:** El runtime Rust de binario único mantiene el inicio de comandos y daemon casi instantáneo para operaciones diarias.
- 🌍 **Arquitectura Portátil:** Un flujo de trabajo binary-first a través de ARM, x86 y RISC-V con proveedores/canales/herramientas intercambiables.
- 🔍 **Fase de Investigación:** Recopilación proactiva de información a través de herramientas antes de la generación de respuestas — reduce alucinaciones verificando hechos primero.
### Por qué los equipos eligen ZeroClaw
- **Ligero por defecto:** binario Rust pequeño, inicio rápido, huella de memoria baja.
- **Seguro por diseño:** emparejamiento, sandboxing estricto, listas de permitidos explícitas, alcance de workspace.
- **Totalmente intercambiable:** los sistemas principales son traits (proveedores, canales, herramientas, memoria, túneles).
- **Sin lock-in:** soporte de proveedor compatible con OpenAI + endpoints personalizados conectables.
## Inicio Rápido
### Opción 1: Homebrew (macOS/Linuxbrew)
```bash
brew install zeroclaw
```
### Opción 2: Clonar + Bootstrap
```bash
git clone https://github.com/zeroclaw-labs/zeroclaw.git
cd zeroclaw
./bootstrap.sh
```
> **Nota:** Las builds desde fuente requieren ~2GB RAM y ~6GB disco. Para sistemas con recursos limitados, usa `./bootstrap.sh --prefer-prebuilt` para descargar un binario pre-compilado.
### Opción 3: Cargo Install
```bash
cargo install zeroclaw
```
### Primera Ejecución
```bash
# Iniciar el gateway (sirve el API/UI del Dashboard Web)
zeroclaw gateway
# Abrir la URL del dashboard mostrada en los logs de inicio
# (por defecto: http://127.0.0.1:3000/)
# O chatear directamente
zeroclaw chat "¡Hola!"
```
Para opciones de configuración detalladas, consulta [docs/one-click-bootstrap.md](../../../docs/one-click-bootstrap.md).
---
## ⚠️ Repositorio Oficial y Advertencia de Suplantación
**Este es el único repositorio oficial de ZeroClaw:**
> https://github.com/zeroclaw-labs/zeroclaw
Cualquier otro repositorio, organización, dominio o paquete que afirme ser "ZeroClaw" o implique afiliación con ZeroClaw Labs **no está autorizado y no está afiliado con este proyecto**.
Si encuentras suplantación o uso indebido de marca, por favor [abre un issue](https://github.com/zeroclaw-labs/zeroclaw/issues).
---
## Licencia
ZeroClaw tiene doble licencia para máxima apertura y protección de colaboradores:
| Licencia | Caso de uso |
|---|---|
| [MIT](../../../LICENSE-MIT) | Open-source, investigación, académico, uso personal |
| [Apache 2.0](../../../LICENSE-APACHE) | Protección de patentes, institucional, despliegue comercial |
Puedes elegir cualquiera de las dos licencias. **Los colaboradores otorgan automáticamente derechos bajo ambas** — consulta [CLA.md](../../../CLA.md) para el acuerdo completo de colaborador.
## Contribuir
Consulta [CONTRIBUTING.md](../../../CONTRIBUTING.md) y [CLA.md](../../../CLA.md). Implementa un trait, envía un PR.
---
**ZeroClaw** — Sobrecarga cero. Compromiso cero. Despliega en cualquier lugar. Intercambia cualquier cosa. 🦀

5
docs/i18n/fr/config-reference.md
View File

@ -21,3 +21,8 @@ Source anglaise:
- Ajout de `provider.reasoning_level` (OpenAI Codex `/responses`). Voir la source anglaise pour les détails.
- Valeur par défaut de `agent.max_tool_iterations` augmentée à `20` (fallback sûr si `0`).
- Ajout de `agent.allowed_tools` et `agent.denied_tools` pour filtrer les outils visibles par l'agent principal.
- `allowed_tools` non vide: seuls les outils listés sont exposés.
- `denied_tools`: retrait supplémentaire appliqué après `allowed_tools`.
- Les entrées inconnues dans `allowed_tools` sont ignorées (log debug), sans échec de démarrage.
- Si `allowed_tools` + `denied_tools` suppriment tous les outils exécutables, le démarrage échoue immédiatement avec une erreur de configuration claire.

141
docs/i18n/it/README.md Normal file
View File

@ -0,0 +1,141 @@
<p align="center">
<img src="../../../zeroclaw.png" alt="ZeroClaw" width="200" />
</p>
<h1 align="center">ZeroClaw 🦀</h1>
<p align="center">
<strong>Zero overhead. Zero compromesso. 100% Rust. 100% Agnostico.</strong><br>
⚡️ <strong>Funziona su qualsiasi hardware con <5MB RAM: 99% meno memoria di OpenClaw e 98% più economico di un Mac mini!</strong>
</p>
<p align="center">
<a href="../../../LICENSE-APACHE"><img src="https://img.shields.io/badge/license-MIT%20OR%20Apache%202.0-blue.svg" alt="Licenza: MIT OR Apache-2.0" /></a>
<a href="../../../NOTICE"><img src="https://img.shields.io/github/contributors/zeroclaw-labs/zeroclaw?color=green" alt="Contributori" /></a>
<a href="https://buymeacoffee.com/argenistherose"><img src="https://img.shields.io/badge/Buy%20Me%20a%20Coffee-Donate-yellow.svg?style=flat&logo=buy-me-a-coffee" alt="Buy Me a Coffee" /></a>
<a href="https://x.com/zeroclawlabs?s=21"><img src="https://img.shields.io/badge/X-%40zeroclawlabs-000000?style=flat&logo=x&logoColor=white" alt="X: @zeroclawlabs" /></a>
<a href="https://zeroclawlabs.cn/group.jpg"><img src="https://img.shields.io/badge/WeChat-Group-B7D7A8?logo=wechat&logoColor=white" alt="Gruppo WeChat" /></a>
<a href="https://t.me/zeroclawlabs"><img src="https://img.shields.io/badge/Telegram-%40zeroclawlabs-26A5E4?style=flat&logo=telegram&logoColor=white" alt="Telegram: @zeroclawlabs" /></a>
<a href="https://www.facebook.com/groups/zeroclaw"><img src="https://img.shields.io/badge/Facebook-Group-1877F2?style=flat&logo=facebook&logoColor=white" alt="Gruppo Facebook" /></a>
<a href="https://www.reddit.com/r/zeroclawlabs/"><img src="https://img.shields.io/badge/Reddit-r%2Fzeroclawlabs-FF4500?style=flat&logo=reddit&logoColor=white" alt="Reddit: r/zeroclawlabs" /></a>
</p>
<p align="center">
Sviluppato da studenti e membri delle comunità Harvard, MIT e Sundai.Club.
</p>
<p align="center">
🌐 <strong>Lingue:</strong> <a href="../../../README.md">English</a> · <a href="../zh-CN/README.md">简体中文</a> · <a href="../es/README.md">Español</a> · <a href="../pt/README.md">Português</a> · <a href="README.md">Italiano</a> · <a href="../ja/README.md">日本語</a> · <a href="../ru/README.md">Русский</a> · <a href="../fr/README.md">Français</a> · <a href="../vi/README.md">Tiếng Việt</a> · <a href="../el/README.md">Ελληνικά</a>
</p>
<p align="center">
<strong>Framework veloce, piccolo e completamente autonomo</strong><br />
Distribuisci ovunque. Scambia qualsiasi cosa.
</p>
<p align="center">
ZeroClaw è il <strong>framework runtime</strong> per workflow agentici — infrastruttura che astrae modelli, strumenti, memoria ed esecuzione così gli agenti possono essere costruiti una volta ed eseguiti ovunque.
</p>
<p align="center"><code>Architettura basata su trait · runtime sicuro per impostazione predefinita · provider/canale/strumento scambiabile · tutto collegabile</code></p>
### ✨ Caratteristiche
- 🏎️ **Runtime Leggero per Impostazione Predefinita:** I comuni workflow CLI e di stato vengono eseguiti in un envelope di memoria di pochi megabyte nelle build di release.
- 💰 **Distribuzione Economica:** Progettato per schede economiche e piccole istanze cloud senza dipendenze di runtime pesanti.
- ⚡ **Avvii a Freddo Rapidi:** Il runtime Rust a singolo binario mantiene l'avvio di comandi e daemon quasi istantaneo per le operazioni quotidiane.
- 🌍 **Architettura Portatile:** Un workflow binary-first attraverso ARM, x86 e RISC-V con provider/canali/strumenti scambiabili.
- 🔍 **Fase di Ricerca:** Raccolta proattiva di informazioni attraverso gli strumenti prima della generazione della risposta — riduce le allucinazioni verificando prima i fatti.
### Perché i team scelgono ZeroClaw
- **Leggero per impostazione predefinita:** binario Rust piccolo, avvio rapido, footprint di memoria basso.
- **Sicuro per design:** pairing, sandboxing rigoroso, liste di permessi esplicite, scope del workspace.
- **Completamente scambiabile:** i sistemi core sono trait (provider, canali, strumenti, memoria, tunnel).
- **Nessun lock-in:** supporto provider compatibile con OpenAI + endpoint personalizzati collegabili.
## Avvio Rapido
### Opzione 1: Homebrew (macOS/Linuxbrew)
```bash
brew install zeroclaw
```
### Opzione 2: Clona + Bootstrap
```bash
git clone https://github.com/zeroclaw-labs/zeroclaw.git
cd zeroclaw
./bootstrap.sh
```
> **Nota:** Le build da sorgente richiedono ~2GB RAM e ~6GB disco. Per sistemi con risorse limitate, usa `./bootstrap.sh --prefer-prebuilt` per scaricare un binario precompilato.
### Opzione 3: Cargo Install
```bash
cargo install zeroclaw
```
### Prima Esecuzione
```bash
# Avvia il gateway (serve l'API/UI della Dashboard Web)
zeroclaw gateway
# Apri l'URL del dashboard mostrata nei log di avvio
# (default: http://127.0.0.1:3000/)
# O chatta direttamente
zeroclaw chat "Ciao!"
```
Per opzioni di configurazione dettagliate, consulta [docs/one-click-bootstrap.md](../../../docs/one-click-bootstrap.md).
---
## ⚠️ Repository Ufficiale e Avviso di Impersonazione
**Questo è l'unico repository ufficiale di ZeroClaw:**
> https://github.com/zeroclaw-labs/zeroclaw
Qualsiasi altro repository, organizzazione, dominio o pacchetto che affermi di essere "ZeroClaw" o implichi affiliazione con ZeroClaw Labs **non è autorizzato e non è affiliato con questo progetto**.
Se incontri impersonazione o uso improprio del marchio, per favore [apri una issue](https://github.com/zeroclaw-labs/zeroclaw/issues).
---
## Licenza
ZeroClaw è con doppia licenza per massima apertura e protezione dei contributori:
| Licenza | Caso d'uso |
|---|---|
| [MIT](../../../LICENSE-MIT) | Open-source, ricerca, accademico, uso personale |
| [Apache 2.0](../../../LICENSE-APACHE) | Protezione brevetti, istituzionale, distribuzione commerciale |
Puoi scegliere qualsiasi licenza. **I contributori concedono automaticamente diritti sotto entrambe** — consulta [CLA.md](../../../CLA.md) per l'accordo completo dei contributori.
## Contribuire
Consulta [CONTRIBUTING.md](../../../CONTRIBUTING.md) e [CLA.md](../../../CLA.md). Implementa un trait, invia un PR.
---
**ZeroClaw** — Zero overhead. Zero compromesso. Distribuisci ovunque. Scambia qualsiasi cosa. 🦀
---
## Star History
<p align="center">
<a href="https://www.star-history.com/#zeroclaw-labs/zeroclaw&type=date&legend=top-left">
<picture>
<source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/svg?repos=zeroclaw-labs/zeroclaw&type=date&theme=dark&legend=top-left" />
<source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/svg?repos=zeroclaw-labs/zeroclaw&type=date&legend=top-left" />
<img alt="Star History Chart" src="https://api.star-history.com/svg?repos=zeroclaw-labs/zeroclaw&type=date&legend=top-left" />
</picture>
</a>
</p>

9
docs/i18n/ja/config-reference.md
View File

@ -16,3 +16,12 @@
- 設定キー名は英語のまま保持します。
- 実行時挙動の定義は英語版原文を優先します。
## 更新ート2026-03-03
- `[agent]``allowed_tools` / `denied_tools` が追加されました。
- `allowed_tools` が空でない場合、メインエージェントには許可リストのツールのみ公開されます。
- `denied_tools` は許可リスト適用後に追加でツールを除外します。
- `allowed_tools` の未一致エントリは起動失敗にせず、debug ログのみ出力されます。
- `allowed_tools``denied_tools` の組み合わせで実行可能ツールが 0 件になる場合は、明確な設定エラーで fail-fast します。
- 詳細な表と例は英語版 `config-reference.md``[agent]` セクションを参照してください。

141
docs/i18n/pt/README.md Normal file
View File

@ -0,0 +1,141 @@
<p align="center">
<img src="../../../zeroclaw.png" alt="ZeroClaw" width="200" />
</p>
<h1 align="center">ZeroClaw 🦀</h1>
<p align="center">
<strong>Sobrecarga zero. Compromisso zero. 100% Rust. 100% Agnóstico.</strong><br>
⚡️ <strong>Funciona em qualquer hardware com <5MB RAM: 99% menos memória que OpenClaw e 98% mais barato que um Mac mini!</strong>
</p>
<p align="center">
<a href="../../../LICENSE-APACHE"><img src="https://img.shields.io/badge/license-MIT%20OR%20Apache%202.0-blue.svg" alt="Licença: MIT OR Apache-2.0" /></a>
<a href="../../../NOTICE"><img src="https://img.shields.io/github/contributors/zeroclaw-labs/zeroclaw?color=green" alt="Contribuidores" /></a>
<a href="https://buymeacoffee.com/argenistherose"><img src="https://img.shields.io/badge/Buy%20Me%20a%20Coffee-Donate-yellow.svg?style=flat&logo=buy-me-a-coffee" alt="Buy Me a Coffee" /></a>
<a href="https://x.com/zeroclawlabs?s=21"><img src="https://img.shields.io/badge/X-%40zeroclawlabs-000000?style=flat&logo=x&logoColor=white" alt="X: @zeroclawlabs" /></a>
<a href="https://zeroclawlabs.cn/group.jpg"><img src="https://img.shields.io/badge/WeChat-Group-B7D7A8?logo=wechat&logoColor=white" alt="Grupo WeChat" /></a>
<a href="https://t.me/zeroclawlabs"><img src="https://img.shields.io/badge/Telegram-%40zeroclawlabs-26A5E4?style=flat&logo=telegram&logoColor=white" alt="Telegram: @zeroclawlabs" /></a>
<a href="https://www.facebook.com/groups/zeroclaw"><img src="https://img.shields.io/badge/Facebook-Group-1877F2?style=flat&logo=facebook&logoColor=white" alt="Grupo Facebook" /></a>
<a href="https://www.reddit.com/r/zeroclawlabs/"><img src="https://img.shields.io/badge/Reddit-r%2Fzeroclawlabs-FF4500?style=flat&logo=reddit&logoColor=white" alt="Reddit: r/zeroclawlabs" /></a>
</p>
<p align="center">
Desenvolvido por estudantes e membros das comunidades de Harvard, MIT e Sundai.Club.
</p>
<p align="center">
🌐 <strong>Idiomas:</strong> <a href="../../../README.md">English</a> · <a href="../zh-CN/README.md">简体中文</a> · <a href="../es/README.md">Español</a> · <a href="README.md">Português</a> · <a href="../it/README.md">Italiano</a> · <a href="../ja/README.md">日本語</a> · <a href="../ru/README.md">Русский</a> · <a href="../fr/README.md">Français</a> · <a href="../vi/README.md">Tiếng Việt</a> · <a href="../el/README.md">Ελληνικά</a>
</p>
<p align="center">
<strong>Framework rápido, pequeno e totalmente autônomo</strong><br />
Implante em qualquer lugar. Troque qualquer coisa.
</p>
<p align="center">
ZeroClaw é o <strong>framework de runtime</strong> para fluxos de trabalho agentes — infraestrutura que abstrai modelos, ferramentas, memória e execução para que agentes possam ser construídos uma vez e executados em qualquer lugar.
</p>
<p align="center"><code>Arquitetura baseada em traits · runtime seguro por padrão · provedor/canal/ferramenta trocável · tudo conectável</code></p>
### ✨ Características
- 🏎️ **Runtime Enxuto por Padrão:** Fluxos de trabalho comuns de CLI e status rodam em um envelope de memória de poucos megabytes em builds de release.
- 💰 **Implantação Econômica:** Projetado para placas de baixo custo e instâncias cloud pequenas sem dependências de runtime pesadas.
- ⚡ **Inícios a Frio Rápidos:** Runtime Rust de binário único mantém inicialização de comandos e daemon quase instantânea para operações diárias.
- 🌍 **Arquitetura Portátil:** Um fluxo de trabalho binary-first através de ARM, x86 e RISC-V com provedores/canais/ferramentas trocáveis.
- 🔍 **Fase de Pesquisa:** Coleta proativa de informações através de ferramentas antes da geração de resposta — reduz alucinações verificando fatos primeiro.
### Por que as equipes escolhem ZeroClaw
- **Enxuto por padrão:** binário Rust pequeno, inicialização rápida, pegada de memória baixa.
- **Seguro por design:** pareamento, sandboxing estrito, listas de permitidos explícitas, escopo de workspace.
- **Totalmente trocável:** sistemas principais são traits (provedores, canais, ferramentas, memória, túneis).
- **Sem lock-in:** suporte de provedor compatível com OpenAI + endpoints personalizados conectáveis.
## Início Rápido
### Opção 1: Homebrew (macOS/Linuxbrew)
```bash
brew install zeroclaw
```
### Opção 2: Clonar + Bootstrap
```bash
git clone https://github.com/zeroclaw-labs/zeroclaw.git
cd zeroclaw
./bootstrap.sh
```
> **Nota:** Builds a partir do fonte requerem ~2GB RAM e ~6GB disco. Para sistemas com recursos limitados, use `./bootstrap.sh --prefer-prebuilt` para baixar um binário pré-compilado.
### Opção 3: Cargo Install
```bash
cargo install zeroclaw
```
### Primeira Execução
```bash
# Iniciar o gateway (serve o API/UI do Dashboard Web)
zeroclaw gateway
# Abrir a URL do dashboard mostrada nos logs de inicialização
# (por padrão: http://127.0.0.1:3000/)
# Ou conversar diretamente
zeroclaw chat "Olá!"
```
Para opções de configuração detalhadas, consulte [docs/one-click-bootstrap.md](../../../docs/one-click-bootstrap.md).
---
## ⚠️ Repositório Oficial e Aviso de Representação
**Este é o único repositório oficial do ZeroClaw:**
> https://github.com/zeroclaw-labs/zeroclaw
Qualquer outro repositório, organização, domínio ou pacote que afirme ser "ZeroClaw" ou implique afiliação com ZeroClaw Labs **não está autorizado e não é afiliado com este projeto**.
Se você encontrar representação ou uso indevido de marca, por favor [abra uma issue](https://github.com/zeroclaw-labs/zeroclaw/issues).
---
## Licença
ZeroClaw tem licença dupla para máxima abertura e proteção de contribuidores:
| Licença | Caso de uso |
|---|---|
| [MIT](../../../LICENSE-MIT) | Open-source, pesquisa, acadêmico, uso pessoal |
| [Apache 2.0](../../../LICENSE-APACHE) | Proteção de patentes, institucional, implantação comercial |
Você pode escolher qualquer uma das licenças. **Os contribuidores concedem automaticamente direitos sob ambas** — consulte [CLA.md](../../../CLA.md) para o acordo completo de contribuidor.
## Contribuindo
Consulte [CONTRIBUTING.md](../../../CONTRIBUTING.md) e [CLA.md](../../../CLA.md). Implemente uma trait, envie um PR.
---
**ZeroClaw** — Sobrecarga zero. Compromisso zero. Implante em qualquer lugar. Troque qualquer coisa. 🦀
---
## Star History
<p align="center">
<a href="https://www.star-history.com/#zeroclaw-labs/zeroclaw&type=date&legend=top-left">
<picture>
<source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/svg?repos=zeroclaw-labs/zeroclaw&type=date&theme=dark&legend=top-left" />
<source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/svg?repos=zeroclaw-labs/zeroclaw&type=date&legend=top-left" />
<img alt="Star History Chart" src="https://api.star-history.com/svg?repos=zeroclaw-labs/zeroclaw&type=date&legend=top-left" />
</picture>
</a>
</p>

9
docs/i18n/ru/config-reference.md
View File

@ -16,3 +16,12 @@
- Названия config keys не переводятся.
- Точное runtime-поведение определяется английским оригиналом.
## Обновление (2026-03-03)
- В секции `[agent]` добавлены `allowed_tools` и `denied_tools`.
- Если `allowed_tools` не пуст, основному агенту показываются только инструменты из allowlist.
- `denied_tools` применяется после allowlist и дополнительно исключает инструменты.
- Неизвестные элементы `allowed_tools` пропускаются (с debug-логом) и не ломают запуск.
- Если одновременно заданы `allowed_tools` и `denied_tools`, и после фильтрации не остается исполняемых инструментов, запуск завершается fail-fast с явной ошибкой конфигурации.
- Полная таблица параметров и пример остаются в английском `config-reference.md` в разделе `[agent]`.

4
docs/i18n/vi/arduino-uno-q-setup.md
View File

@ -66,7 +66,7 @@ sudo apt-get update
sudo apt-get install -y pkg-config libssl-dev
# Clone zeroclaw (hoặc scp project của bạn)
git clone https://github.com/theonlyhennygod/zeroclaw.git
git clone https://github.com/zeroclaw-labs/zeroclaw.git
cd zeroclaw
# Build (~1530 phút trên Uno Q)
@ -199,7 +199,7 @@ Giờ khi bạn nhắn tin cho Telegram bot *"Turn on the LED"* hoặc *"Set pin
| 2 | `ssh arduino@<IP>` |
| 3 | `curl -sSf https://sh.rustup.rs \| sh -s -- -y && source ~/.cargo/env` |
| 4 | `sudo apt-get install -y pkg-config libssl-dev` |
| 5 | `git clone https://github.com/theonlyhennygod/zeroclaw.git && cd zeroclaw` |
| 5 | `git clone https://github.com/zeroclaw-labs/zeroclaw.git && cd zeroclaw` |
| 6 | `cargo build --release --no-default-features` |
| 7 | `zeroclaw onboard --api-key KEY --provider openrouter` |
| 8 | Chỉnh sửa `~/.zeroclaw/config.toml` (thêm Telegram bot_token) |

22
docs/i18n/vi/config-reference.md
View File

@ -81,6 +81,8 @@ Lưu ý cho người dùng container:
| `max_history_messages` | `50` | Số tin nhắn lịch sử tối đa giữ lại mỗi phiên |
| `parallel_tools` | `false` | Bật thực thi tool song song trong một lượt |
| `tool_dispatcher` | `auto` | Chiến lược dispatch tool |
| `allowed_tools` | `[]` | Allowlist tool cho agent chính. Khi không rỗng, chỉ các tool liệt kê mới được đưa vào context |
| `denied_tools` | `[]` | Denylist tool cho agent chính, áp dụng sau `allowed_tools` |
Lưu ý:
@ -88,6 +90,25 @@ Lưu ý:
- Nếu tin nhắn kênh vượt giá trị này, runtime trả về: `Agent exceeded maximum tool iterations (<value>)`.
- Trong vòng lặp tool của CLI, gateway và channel, các lời gọi tool độc lập được thực thi đồng thời mặc định khi không cần phê duyệt; thứ tự kết quả giữ ổn định.
- `parallel_tools` áp dụng cho API `Agent::turn()`. Không ảnh hưởng đến vòng lặp runtime của CLI, gateway hay channel.
- `allowed_tools` / `denied_tools` được áp dụng lúc khởi động trước khi dựng prompt. Tool bị loại sẽ không xuất hiện trong system prompt hoặc tool specs.
- Mục không khớp trong `allowed_tools` được bỏ qua (không làm lỗi khởi động) và ghi log mức debug.
- Nếu đồng thời đặt `allowed_tools``denied_tools` rồi denylist loại toàn bộ tool đã allow, tiến trình sẽ fail-fast với lỗi cấu hình rõ ràng.
Ví dụ:
```toml
[agent]
allowed_tools = [
"delegate",
"subagent_spawn",
"subagent_list",
"subagent_manage",
"memory_recall",
"memory_store",
"task_plan",
]
denied_tools = ["shell", "file_write", "browser_open"]
```
## `[agents.<name>]`
@ -530,6 +551,7 @@ Lưu ý:
- Allowlist kênh mặc định từ chối tất cả (`[]` nghĩa là từ chối tất cả)
- Gateway mặc định yêu cầu ghép nối
- Mặc định chặn public bind
- `security.canary_tokens = true` bật canary token theo từng lượt để phát hiện rò rỉ ngữ cảnh hệ thống
## Lệnh kiểm tra

9
docs/i18n/zh-CN/config-reference.md
View File

@ -16,3 +16,12 @@
- 配置键保持英文,避免本地化改写键名。
- 生产行为以英文原文定义为准。
## 更新说明2026-03-03
- `[agent]` 新增 `allowed_tools``denied_tools`
- `allowed_tools` 非空时,只向主代理暴露白名单工具。
- `denied_tools` 在白名单过滤后继续移除工具。
- 未匹配的 `allowed_tools` 项会被跳过(调试日志提示),不会导致启动失败。
- 若同时配置 `allowed_tools``denied_tools` 且最终将可执行工具全部移除,启动会快速失败并给出明确错误。
- 详细字段表与示例见英文原文 `config-reference.md``[agent]` 小节。

24
docs/nextcloud-talk-setup.md
View File

@ -60,9 +60,29 @@ If verification fails, the gateway returns `401 Unauthorized`.
## 5. Message routing behavior
- ZeroClaw ignores bot-originated webhook events (`actorType = bots`).
- ZeroClaw accepts both payload variants:
- legacy Talk webhook payloads (`type = "message"`)
- Activity Streams 2.0 payloads (`type = "Create"` + `object.type = "Note"`)
- ZeroClaw ignores bot-originated webhook events (`actorType = bots` or `actor.type = "Application"`).
- ZeroClaw ignores non-message/system events.
- Reply routing uses the Talk room token from the webhook payload.
- Reply routing uses the Talk room token from `object.token` (legacy) or `target.id` (AS2).
- For actor allowlists, both full (`users/alice`) and short (`alice`) IDs are accepted.
Example Activity Streams 2.0 webhook payload:
```json
{
"type": "Create",
"actor": { "type": "Person", "id": "users/test", "name": "test" },
"object": {
"type": "Note",
"id": "177",
"content": "{\"message\":\"hello\",\"parameters\":[]}",
"mediaType": "text/markdown"
},
"target": { "type": "Collection", "id": "yyrubgfp", "name": "TESTCHAT" }
}
```
## 6. Quick validation checklist

19
docs/operations/required-check-mapping.md
View File

@ -7,9 +7,14 @@ This document maps merge-critical workflows to expected check names.
| Required check name | Source workflow | Scope |
| --- | --- | --- |
| `CI Required Gate` | `.github/workflows/ci-run.yml` | core Rust/doc merge gate |
| `Security Audit` | `.github/workflows/sec-audit.yml` | dependencies, secrets, governance |
| `Feature Matrix Summary` | `.github/workflows/feature-matrix.yml` | feature-combination compile matrix |
| `Workflow Sanity` | `.github/workflows/workflow-sanity.yml` | workflow syntax and lint |
| `Security Required Gate` | `.github/workflows/sec-audit.yml` | aggregated security merge gate |
Supplemental monitors (non-blocking unless added to branch protection contexts):
- `CI Change Audit` (`.github/workflows/ci-change-audit.yml`)
- `CodeQL Analysis` (`.github/workflows/sec-codeql.yml`)
- `Workflow Sanity` (`.github/workflows/workflow-sanity.yml`)
- `Feature Matrix Summary` (`.github/workflows/feature-matrix.yml`)
Feature matrix lane check names (informational, non-required):
@ -28,12 +33,14 @@ Feature matrix lane check names (informational, non-required):
## Verification Procedure
1. Resolve latest workflow run IDs:
1. Check active branch protection required contexts:
- `gh api repos/zeroclaw-labs/zeroclaw/branches/main/protection --jq '.required_status_checks.contexts[]'`
2. Resolve latest workflow run IDs:
- `gh run list --repo zeroclaw-labs/zeroclaw --workflow feature-matrix.yml --limit 1`
- `gh run list --repo zeroclaw-labs/zeroclaw --workflow ci-run.yml --limit 1`
2. Enumerate check/job names and compare to this mapping:
3. Enumerate check/job names and compare to this mapping:
- `gh run view <run_id> --repo zeroclaw-labs/zeroclaw --json jobs --jq '.jobs[].name'`
3. If any merge-critical check name changed, update this file before changing branch protection policy.
4. If any merge-critical check name changed, update this file before changing branch protection policy.
## Notes

14
docs/pr-workflow.md
View File

@ -96,12 +96,16 @@ Automation assists with triage and guardrails, but final merge accountability re
Maintain these branch protection rules on `dev` and `main`:
- Require status checks before merge.
- Require check `CI Required Gate`.
- Require checks `CI Required Gate` and `Security Required Gate`.
- Consider also requiring `CI Change Audit` and `CodeQL Analysis` for stricter CI/CD governance.
- Require pull request reviews before merge.
- Require at least 1 approving review.
- Require approval after the most recent push.
- Require CODEOWNERS review for protected paths.
- For CI/CD-related paths (`.github/workflows/**`, `.github/codeql/**`, `.github/connectivity/**`, `.github/release/**`, `.github/security/**`, `.github/actionlint.yaml`, `.github/dependabot.yml`, `scripts/ci/**`, and CI governance docs), require an explicit approving review from `@chumyin` via `CI Required Gate`.
- Keep branch/ruleset bypass limited to org owners.
- Dismiss stale approvals when new commits are pushed.
- For CI/CD-related paths (`.github/workflows/**`, `.github/codeql/**`, `.github/connectivity/**`, `.github/release/**`, `.github/security/**`, `.github/actionlint.yaml`, `.github/dependabot.yml`, `scripts/ci/**`, and CI governance docs), require CODEOWNERS review with `@chumyin` ownership.
- Keep bypass allowances empty by default (use time-boxed break-glass only when absolutely required).
- Enforce branch protection for admins.
- Require conversation resolution before merge.
- Restrict force-push on protected branches.
- Route normal contributor PRs to `main` by default (`dev` is optional for dedicated integration batching).
- Allow direct merges to `main` once required checks and review policy pass.
@ -123,7 +127,7 @@ Maintain these branch protection rules on `dev` and `main`:
### 4.2 Step B: Validation
- `CI Required Gate` is the merge gate.
- `CI Required Gate` and `Security Required Gate` are the merge gates.
- Docs-only PRs use fast-path and skip heavy Rust jobs.
- Non-doc PRs must pass lint, tests, and release build smoke check.
- Rust-impacting PRs use the same required gate set as `dev`/`main` pushes (no PR build-only shortcut).

52
install.sh Executable file
View File

@ -0,0 +1,52 @@
#!/usr/bin/env bash
set -euo pipefail
# Canonical remote installer entrypoint.
# Default behavior for no-arg interactive shells is TUI onboarding.
BOOTSTRAP_URL="${ZEROCLAW_BOOTSTRAP_URL:-https://raw.githubusercontent.com/zeroclaw-labs/zeroclaw/refs/heads/main/scripts/bootstrap.sh}"
have_cmd() {
command -v "$1" >/dev/null 2>&1
}
run_remote_bootstrap() {
local -a args=("$@")
if have_cmd curl; then
if [[ ${#args[@]} -eq 0 ]]; then
curl -fsSL "$BOOTSTRAP_URL" | bash
else
curl -fsSL "$BOOTSTRAP_URL" | bash -s -- "${args[@]}"
fi
return 0
fi
if have_cmd wget; then
if [[ ${#args[@]} -eq 0 ]]; then
wget -qO- "$BOOTSTRAP_URL" | bash
else
wget -qO- "$BOOTSTRAP_URL" | bash -s -- "${args[@]}"
fi
return 0
fi
echo "error: curl or wget is required to run remote installer bootstrap." >&2
return 1
}
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]:-$0}")" >/dev/null 2>&1 && pwd || pwd)"
LOCAL_INSTALLER="$SCRIPT_DIR/zeroclaw_install.sh"
declare -a FORWARDED_ARGS=("$@")
# In piped one-liners (`curl ... | bash`) stdin is not a TTY; prefer the
# controlling terminal when available so interactive onboarding is still default.
if [[ $# -eq 0 && -t 1 ]] && (: </dev/tty) 2>/dev/null; then
FORWARDED_ARGS=(--interactive-onboard)
fi
if [[ -x "$LOCAL_INSTALLER" ]]; then
exec "$LOCAL_INSTALLER" "${FORWARDED_ARGS[@]}"
fi
run_remote_bootstrap "${FORWARDED_ARGS[@]}"

2
package.nix
View File

@ -13,7 +13,7 @@ let
in
rustPlatform.buildRustPackage (finalAttrs: {
pname = "zeroclaw";
version = "0.1.7";
version = "0.1.8";
src =
let

46
scripts/bootstrap.sh
View File

@ -22,7 +22,8 @@ Usage:
./bootstrap.sh [options] # compatibility entrypoint
Modes:
Default mode installs/builds ZeroClaw only (requires existing Rust toolchain).
Default mode installs/builds ZeroClaw (requires existing Rust toolchain).
No-flag interactive sessions run full-screen TUI onboarding after install.
Guided mode asks setup questions and configures options interactively.
Optional bootstrap mode can also install system dependencies and Rust.
@ -41,7 +42,7 @@ Options:
--force-source-build Disable prebuilt flow and always build from source
--cargo-features <list> Extra Cargo features for local source build/install (comma-separated)
--onboard Run onboarding after install
--interactive-onboard Run interactive onboarding (implies --onboard)
--interactive-onboard Run full-screen TUI onboarding (implies --onboard; default in no-flag interactive sessions)
--api-key <key> API key for non-interactive onboarding
--provider <id> Provider for non-interactive onboarding (default: openrouter)
--model <id> Model for non-interactive onboarding (optional)
@ -634,9 +635,12 @@ run_guided_installer() {
SKIP_INSTALL=true
fi
if prompt_yes_no "Run onboarding after install?" "no"; then
if [[ "$INTERACTIVE_ONBOARD" == true ]]; then
RUN_ONBOARD=true
if prompt_yes_no "Use interactive onboarding?" "yes"; then
info "Onboarding mode preselected: full-screen TUI."
elif prompt_yes_no "Run onboarding after install?" "yes"; then
RUN_ONBOARD=true
if prompt_yes_no "Use full-screen TUI onboarding?" "yes"; then
INTERACTIVE_ONBOARD=true
else
INTERACTIVE_ONBOARD=false
@ -657,7 +661,7 @@ run_guided_installer() {
fi
if [[ -z "$API_KEY" ]]; then
if ! guided_read api_key_input "API key (hidden, leave empty to switch to interactive onboarding): " true; then
if ! guided_read api_key_input "API key (hidden, leave empty to switch to TUI onboarding): " true; then
echo
error "guided installer input was interrupted."
exit 1
@ -666,11 +670,14 @@ run_guided_installer() {
if [[ -n "$api_key_input" ]]; then
API_KEY="$api_key_input"
else
warn "No API key entered. Using interactive onboarding instead."
warn "No API key entered. Using TUI onboarding instead."
INTERACTIVE_ONBOARD=true
fi
fi
fi
else
RUN_ONBOARD=false
INTERACTIVE_ONBOARD=false
fi
echo
@ -1236,8 +1243,8 @@ run_docker_bootstrap() {
if [[ "$RUN_ONBOARD" == true ]]; then
local onboard_cmd=()
if [[ "$INTERACTIVE_ONBOARD" == true ]]; then
info "Launching interactive onboarding in container"
onboard_cmd=(onboard --interactive)
info "Launching TUI onboarding in container"
onboard_cmd=(onboard --interactive-ui)
else
if [[ -z "$API_KEY" ]]; then
cat <<'MSG'
@ -1246,7 +1253,7 @@ Use either:
--api-key "sk-..."
or:
ZEROCLAW_API_KEY="sk-..." ./zeroclaw_install.sh --docker
or run interactive:
or run TUI onboarding:
./zeroclaw_install.sh --docker --interactive-onboard
MSG
exit 1
@ -1456,6 +1463,11 @@ if [[ "$GUIDED_MODE" == "auto" ]]; then
fi
fi
if [[ "$ORIGINAL_ARG_COUNT" -eq 0 && -t 1 ]] && (: </dev/tty) 2>/dev/null; then
RUN_ONBOARD=true
INTERACTIVE_ONBOARD=true
fi
if [[ "$DOCKER_MODE" == true && "$GUIDED_MODE" == "on" ]]; then
warn "--guided is ignored with --docker."
GUIDED_MODE="off"
@ -1706,8 +1718,18 @@ if [[ "$RUN_ONBOARD" == true ]]; then
fi
if [[ "$INTERACTIVE_ONBOARD" == true ]]; then
info "Running interactive onboarding"
"$ZEROCLAW_BIN" onboard --interactive
info "Running TUI onboarding"
if [[ -t 0 && -t 1 ]]; then
"$ZEROCLAW_BIN" onboard --interactive-ui
elif (: </dev/tty) 2>/dev/null; then
# `curl ... | bash` leaves stdin as a pipe; hand off terminal control to
# the onboarding TUI using the controlling tty.
"$ZEROCLAW_BIN" onboard --interactive-ui </dev/tty >/dev/tty 2>/dev/tty
else
error "TUI onboarding requires an interactive terminal."
error "Re-run from a terminal: zeroclaw onboard --interactive-ui"
exit 1
fi
else
if [[ -z "$API_KEY" ]]; then
cat <<'MSG'
@ -1716,7 +1738,7 @@ Use either:
--api-key "sk-..."
or:
ZEROCLAW_API_KEY="sk-..." ./zeroclaw_install.sh --onboard
or run interactive:
or run TUI onboarding:
./zeroclaw_install.sh --interactive-onboard
MSG
exit 1

8
scripts/ci/check_binary_size.sh
View File

@ -9,10 +9,10 @@
#
# Thresholds:
# macOS / default host:
# >20MB — hard error (safeguard)
# >22MB — hard error (safeguard)
# >15MB — warning (advisory)
# Linux host:
# >23MB — hard error (safeguard)
# >26MB — hard error (safeguard)
# >20MB — warning (advisory)
# All hosts:
# >5MB — warning (target)
@ -58,7 +58,7 @@ SIZE_MB=$((SIZE / 1024 / 1024))
echo "Binary size: ${SIZE_MB}MB ($SIZE bytes)"
# Default thresholds.
HARD_LIMIT_BYTES=20971520 # 20MB
HARD_LIMIT_BYTES=23068672 # 22MB
ADVISORY_LIMIT_BYTES=15728640 # 15MB
TARGET_LIMIT_BYTES=5242880 # 5MB
@ -66,7 +66,7 @@ TARGET_LIMIT_BYTES=5242880 # 5MB
HOST_OS="$(uname -s 2>/dev/null || echo "")"
HOST_OS_LC="$(printf '%s' "$HOST_OS" | tr '[:upper:]' '[:lower:]')"
if [ "$HOST_OS_LC" = "linux" ]; then
HARD_LIMIT_BYTES=24117248 # 23MB
HARD_LIMIT_BYTES=27262976 # 26MB
ADVISORY_LIMIT_BYTES=20971520 # 20MB
fi

92
scripts/ci/ensure_cargo_component.sh
View File

@ -5,6 +5,8 @@ requested_toolchain="${1:-1.92.0}"
fallback_toolchain="${2:-stable}"
strict_mode_raw="${3:-${ENSURE_CARGO_COMPONENT_STRICT:-false}}"
strict_mode="$(printf '%s' "${strict_mode_raw}" | tr '[:upper:]' '[:lower:]')"
required_components_raw="${4:-${ENSURE_RUST_COMPONENTS:-auto}}"
job_name="$(printf '%s' "${GITHUB_JOB:-}" | tr '[:upper:]' '[:lower:]')"
is_truthy() {
local value="${1:-}"
@ -24,6 +26,81 @@ probe_rustc() {
rustup run "${toolchain}" rustc --version >/dev/null 2>&1
}
probe_rustfmt() {
local toolchain="$1"
rustup run "${toolchain}" cargo fmt --version >/dev/null 2>&1
}
component_available() {
local toolchain="$1"
local component="$2"
rustup component list --toolchain "${toolchain}" \
| grep -Eq "^${component}(-[[:alnum:]_:-]+)? "
}
component_installed() {
local toolchain="$1"
local component="$2"
rustup component list --toolchain "${toolchain}" --installed \
| grep -Eq "^${component}(-[[:alnum:]_:-]+)? \\(installed\\)$"
}
install_component_or_fail() {
local toolchain="$1"
local component="$2"
if ! component_available "${toolchain}" "${component}"; then
echo "::error::component '${component}' is unavailable for toolchain ${toolchain}."
return 1
fi
if ! rustup component add --toolchain "${toolchain}" "${component}"; then
echo "::error::failed to install required component '${component}' for ${toolchain}."
return 1
fi
}
probe_rustdoc() {
local toolchain="$1"
component_installed "${toolchain}" "rust-docs"
}
ensure_required_tooling() {
local toolchain="$1"
local required_components="${2:-}"
if [ -z "${required_components}" ]; then
return 0
fi
for component in ${required_components}; do
install_component_or_fail "${toolchain}" "${component}" || return 1
done
if [[ " ${required_components} " == *" rustfmt "* ]] && ! probe_rustfmt "${toolchain}"; then
echo "::error::rustfmt is unavailable for toolchain ${toolchain}."
install_component_or_fail "${toolchain}" "rustfmt" || return 1
if ! probe_rustfmt "${toolchain}"; then
return 1
fi
fi
if [[ " ${required_components} " == *" rust-docs "* ]] && ! probe_rustdoc "${toolchain}"; then
echo "::error::rustdoc is unavailable for toolchain ${toolchain}."
install_component_or_fail "${toolchain}" "rust-docs" || return 1
if ! probe_rustdoc "${toolchain}"; then
return 1
fi
fi
}
default_required_components() {
local normalized_job_name="${1:-}"
local components=()
[[ "${normalized_job_name}" == *lint* ]] && components+=("rustfmt")
[[ "${normalized_job_name}" == *test* ]] && components+=("rust-docs")
echo "${components[*]}"
}
export_toolchain_for_next_steps() {
local toolchain="$1"
if [ -z "${GITHUB_ENV:-}" ]; then
@ -96,6 +173,21 @@ if is_truthy "${strict_mode}" && [ "${selected_toolchain}" != "${requested_toolc
exit 1
fi
required_components="${required_components_raw}"
if [ "${required_components}" = "auto" ]; then
required_components="$(default_required_components "${job_name}")"
fi
if [ -n "${required_components}" ]; then
echo "Ensuring Rust components for job '${job_name:-unknown}': ${required_components}"
fi
if ! ensure_required_tooling "${selected_toolchain}" "${required_components}"; then
echo "Required Rust tooling unavailable for ${selected_toolchain}" >&2
rustup toolchain list || true
exit 1
fi
if is_truthy "${strict_mode}"; then
assert_rustc_version_matches "${selected_toolchain}" "${requested_toolchain}"
fi

38
scripts/ci/release_trigger_guard.py
View File

@ -183,12 +183,23 @@ def main() -> int:
)
origin_url = args.origin_url.strip() or f"https://github.com/{args.repository}.git"
ls_remote = subprocess.run(
["git", "ls-remote", "--tags", origin_url],
text=True,
capture_output=True,
check=False,
)
# Prefer ls-remote from repo_root (inherits checkout auth headers) over
# a bare URL which fails on private repos.
if (repo_root / ".git").exists():
ls_remote = subprocess.run(
["git", "-C", str(repo_root), "ls-remote", "--tags", "origin"],
text=True,
capture_output=True,
check=False,
)
else:
ls_remote = subprocess.run(
["git", "ls-remote", "--tags", origin_url],
text=True,
capture_output=True,
check=False,
)
if ls_remote.returncode != 0:
violations.append(f"Failed to list origin tags from `{origin_url}`: {ls_remote.stderr.strip()}")
else:
@ -225,6 +236,21 @@ def main() -> int:
try:
run_git(["init", "-q"], cwd=tmp_repo)
run_git(["remote", "add", "origin", origin_url], cwd=tmp_repo)
# Propagate auth extraheader from checkout so fetch works
# on private repos where bare URL access is forbidden.
if (repo_root / ".git").exists():
try:
extraheader = run_git(
["config", "--get", "http.https://github.com/.extraheader"],
cwd=repo_root,
)
if extraheader:
run_git(
["config", "http.https://github.com/.extraheader", extraheader],
cwd=tmp_repo,
)
except RuntimeError:
pass # No extraheader configured; proceed without it.
run_git(
[
"fetch",

7
scripts/install-release.sh
View File

@ -65,7 +65,7 @@ Usage: install-release.sh [--no-onboard]
Installs the latest Linux ZeroClaw binary from official GitHub releases.
Options:
--no-onboard Install only; do not run `zeroclaw onboard`
--no-onboard Install only; do not run onboarding
Environment:
ZEROCLAW_INSTALL_DIR Override install directory
@ -141,4 +141,9 @@ if [ "$NO_ONBOARD" -eq 1 ]; then
fi
echo "==> Starting onboarding"
if [ -t 0 ] && [ -t 1 ]; then
exec "$BIN_PATH" onboard --interactive-ui
fi
echo "note: non-interactive shell detected; falling back to quick onboarding mode" >&2
exec "$BIN_PATH" onboard

235
src/agent/agent.rs
View File

@ -2,6 +2,7 @@ use crate::agent::dispatcher::{
NativeToolDispatcher, ParsedToolCall, ToolDispatcher, ToolExecutionResult, XmlToolDispatcher,
};
use crate::agent::loop_::detection::{DetectionVerdict, LoopDetectionConfig, LoopDetector};
use crate::agent::loop_::history::{extract_facts_from_turns, TurnBuffer};
use crate::agent::memory_loader::{DefaultMemoryLoader, MemoryLoader};
use crate::agent::prompt::{PromptContext, SystemPromptBuilder};
use crate::agent::research;
@ -37,6 +38,8 @@ pub struct Agent {
skills: Vec<crate::skills::Skill>,
skills_prompt_mode: crate::config::SkillsPromptInjectionMode,
auto_save: bool,
session_id: Option<String>,
turn_buffer: TurnBuffer,
history: Vec<ConversationMessage>,
classification_config: crate::config::QueryClassificationConfig,
available_hints: Vec<String>,
@ -60,6 +63,7 @@ pub struct AgentBuilder {
skills: Option<Vec<crate::skills::Skill>>,
skills_prompt_mode: Option<crate::config::SkillsPromptInjectionMode>,
auto_save: Option<bool>,
session_id: Option<String>,
classification_config: Option<crate::config::QueryClassificationConfig>,
available_hints: Option<Vec<String>>,
route_model_by_hint: Option<HashMap<String, String>>,
@ -84,6 +88,7 @@ impl AgentBuilder {
skills: None,
skills_prompt_mode: None,
auto_save: None,
session_id: None,
classification_config: None,
available_hints: None,
route_model_by_hint: None,
@ -169,6 +174,12 @@ impl AgentBuilder {
self
}
/// Set the session identifier for memory isolation across users/channels.
pub fn session_id(mut self, session_id: String) -> Self {
self.session_id = Some(session_id);
self
}
pub fn classification_config(
mut self,
classification_config: crate::config::QueryClassificationConfig,
@ -229,6 +240,8 @@ impl AgentBuilder {
skills: self.skills.unwrap_or_default(),
skills_prompt_mode: self.skills_prompt_mode.unwrap_or_default(),
auto_save: self.auto_save.unwrap_or(false),
session_id: self.session_id,
turn_buffer: TurnBuffer::new(),
history: Vec::new(),
classification_config: self.classification_config.unwrap_or_default(),
available_hints: self.available_hints.unwrap_or_default(),
@ -303,6 +316,36 @@ impl Agent {
config.api_key.as_deref(),
config,
);
let (tools, tool_filter_report) = tools::filter_primary_agent_tools(
tools,
&config.agent.allowed_tools,
&config.agent.denied_tools,
);
for unmatched in tool_filter_report.unmatched_allowed_tools {
tracing::debug!(
tool = %unmatched,
"agent.allowed_tools entry did not match any registered tool"
);
}
let has_agent_allowlist = config
.agent
.allowed_tools
.iter()
.any(|entry| !entry.trim().is_empty());
let has_agent_denylist = config
.agent
.denied_tools
.iter()
.any(|entry| !entry.trim().is_empty());
if has_agent_allowlist
&& has_agent_denylist
&& tool_filter_report.allowlist_match_count > 0
&& tools.is_empty()
{
anyhow::bail!(
"agent.allowed_tools and agent.denied_tools removed all executable tools; update [agent] tool filters"
);
}
let provider_name = config.default_provider.as_deref().unwrap_or("openrouter");
@ -408,37 +451,38 @@ impl Agent {
async fn execute_tool_call(&self, call: &ParsedToolCall) -> ToolExecutionResult {
let start = Instant::now();
let result = if let Some(tool) = self.tools.iter().find(|t| t.name() == call.name) {
match tool.execute(call.arguments.clone()).await {
Ok(r) => {
self.observer.record_event(&ObserverEvent::ToolCall {
tool: call.name.clone(),
duration: start.elapsed(),
success: r.success,
});
if r.success {
r.output
} else {
format!("Error: {}", r.error.unwrap_or(r.output))
let (result, success) =
if let Some(tool) = self.tools.iter().find(|t| t.name() == call.name) {
match tool.execute(call.arguments.clone()).await {
Ok(r) => {
self.observer.record_event(&ObserverEvent::ToolCall {
tool: call.name.clone(),
duration: start.elapsed(),
success: r.success,
});
if r.success {
(r.output, true)
} else {
(format!("Error: {}", r.error.unwrap_or(r.output)), false)
}
}
Err(e) => {
self.observer.record_event(&ObserverEvent::ToolCall {
tool: call.name.clone(),
duration: start.elapsed(),
success: false,
});
(format!("Error executing {}: {e}", call.name), false)
}
}
Err(e) => {
self.observer.record_event(&ObserverEvent::ToolCall {
tool: call.name.clone(),
duration: start.elapsed(),
success: false,
});
format!("Error executing {}: {e}", call.name)
}
}
} else {
format!("Unknown tool: {}", call.name)
};
} else {
(format!("Unknown tool: {}", call.name), false)
};
ToolExecutionResult {
name: call.name.clone(),
output: result,
success: true,
success,
tool_call_id: call.tool_call_id.clone(),
}
}
@ -499,7 +543,12 @@ impl Agent {
if self.auto_save {
let _ = self
.memory
.store("user_msg", user_message, MemoryCategory::Conversation, None)
.store(
"user_msg",
user_message,
MemoryCategory::Conversation,
self.session_id.as_deref(),
)
.await;
}
@ -616,12 +665,31 @@ impl Agent {
"assistant_resp",
&final_text,
MemoryCategory::Conversation,
None,
self.session_id.as_deref(),
)
.await;
}
self.trim_history();
// ── Post-turn fact extraction ──────────────────────
if self.auto_save {
self.turn_buffer.push(user_message, &final_text);
if self.turn_buffer.should_extract() {
let turns = self.turn_buffer.drain_for_extraction();
let result = extract_facts_from_turns(
self.provider.as_ref(),
&self.model_name,
&turns,
self.memory.as_ref(),
self.session_id.as_deref(),
)
.await;
if result.stored > 0 || result.no_facts {
self.turn_buffer.mark_extract_success();
}
}
}
return Ok(final_text);
}
@ -677,8 +745,44 @@ impl Agent {
)
}
/// Flush any remaining buffered turns for fact extraction.
/// Call this when the session/conversation ends to avoid losing
/// facts from short (< 5 turn) sessions.
///
/// On failure the turns are restored so callers that keep the agent
/// alive can still fall back to compaction-based extraction.
pub async fn flush_turn_buffer(&mut self) {
if !self.auto_save || self.turn_buffer.is_empty() {
return;
}
let turns = self.turn_buffer.drain_for_extraction();
let result = extract_facts_from_turns(
self.provider.as_ref(),
&self.model_name,
&turns,
self.memory.as_ref(),
self.session_id.as_deref(),
)
.await;
if result.stored > 0 || result.no_facts {
self.turn_buffer.mark_extract_success();
} else {
// Restore turns so compaction fallback can still pick them up
// if the agent isn't dropped immediately.
tracing::warn!(
"Exit flush failed; restoring {} turn(s) to buffer",
turns.len()
);
for (u, a) in turns {
self.turn_buffer.push(&u, &a);
}
}
}
pub async fn run_single(&mut self, message: &str) -> Result<String> {
self.turn(message).await
let result = self.turn(message).await?;
self.flush_turn_buffer().await;
Ok(result)
}
pub async fn run_interactive(&mut self) -> Result<()> {
@ -704,6 +808,7 @@ impl Agent {
}
listen_handle.abort();
self.flush_turn_buffer().await;
Ok(())
}
}
@ -1031,6 +1136,7 @@ mod tests {
#[test]
fn from_config_loads_plugin_declared_tools() {
let _guard = crate::test_locks::PLUGIN_RUNTIME_LOCK.lock();
let tmp = TempDir::new().expect("temp dir");
let plugin_dir = tmp.path().join("plugins");
std::fs::create_dir_all(&plugin_dir).expect("create plugin dir");
@ -1068,4 +1174,77 @@ description = "plugin tool exposed for from_config tests"
.iter()
.any(|tool| tool.name() == "__agent_from_config_plugin_tool"));
}
fn base_from_config_for_tool_filter_tests() -> Config {
let root = std::env::temp_dir().join(format!(
"zeroclaw_agent_tool_filter_{}",
uuid::Uuid::new_v4()
));
std::fs::create_dir_all(root.join("workspace")).expect("create workspace dir");
let mut config = Config::default();
config.workspace_dir = root.join("workspace");
config.config_path = root.join("config.toml");
config.default_provider = Some("ollama".to_string());
config.memory.backend = "none".to_string();
config
}
#[test]
fn from_config_primary_allowlist_filters_tools() {
let _guard = crate::test_locks::PLUGIN_RUNTIME_LOCK.lock();
let mut config = base_from_config_for_tool_filter_tests();
config.agent.allowed_tools = vec!["shell".to_string()];
let agent = Agent::from_config(&config).expect("agent should build");
let names: Vec<&str> = agent.tools.iter().map(|tool| tool.name()).collect();
assert_eq!(names, vec!["shell"]);
}
#[test]
fn from_config_empty_allowlist_preserves_default_toolset() {
let _guard = crate::test_locks::PLUGIN_RUNTIME_LOCK.lock();
let config = base_from_config_for_tool_filter_tests();
let agent = Agent::from_config(&config).expect("agent should build");
let names: Vec<&str> = agent.tools.iter().map(|tool| tool.name()).collect();
assert!(names.contains(&"shell"));
assert!(names.contains(&"file_read"));
}
#[test]
fn from_config_primary_denylist_removes_tools() {
let _guard = crate::test_locks::PLUGIN_RUNTIME_LOCK.lock();
let mut config = base_from_config_for_tool_filter_tests();
config.agent.denied_tools = vec!["shell".to_string()];
let agent = Agent::from_config(&config).expect("agent should build");
let names: Vec<&str> = agent.tools.iter().map(|tool| tool.name()).collect();
assert!(!names.contains(&"shell"));
}
#[test]
fn from_config_unmatched_allowlist_entry_is_graceful() {
let _guard = crate::test_locks::PLUGIN_RUNTIME_LOCK.lock();
let mut config = base_from_config_for_tool_filter_tests();
config.agent.allowed_tools = vec!["missing_tool".to_string()];
let agent = Agent::from_config(&config).expect("agent should build with empty toolset");
assert!(agent.tools.is_empty());
}
#[test]
fn from_config_conflicting_allow_and_deny_fails_fast() {
let _guard = crate::test_locks::PLUGIN_RUNTIME_LOCK.lock();
let mut config = base_from_config_for_tool_filter_tests();
config.agent.allowed_tools = vec!["shell".to_string()];
config.agent.denied_tools = vec!["shell".to_string()];
let err = Agent::from_config(&config)
.err()
.expect("expected filter conflict");
assert!(err
.to_string()
.contains("agent.allowed_tools and agent.denied_tools removed all executable tools"));
}
}

957
src/agent/loop_.rs
View File

File diff suppressed because it is too large Load Diff

5
src/agent/loop_/execution.rs
View File

@ -107,7 +107,10 @@ pub(super) fn should_execute_tools_in_parallel(
}
if let Some(mgr) = approval {
if tool_calls.iter().any(|call| mgr.needs_approval(&call.name)) {
if tool_calls
.iter()
.any(|call| mgr.needs_approval_for_call(&call.name, &call.arguments))
{
// Approval-gated calls must keep sequential handling so the caller can
// enforce CLI prompt/deny policy consistently.
return false;

1118
src/agent/loop_/history.rs
View File

File diff suppressed because it is too large Load Diff

283
src/approval/mod.rs
View File

@ -3,7 +3,7 @@
//! Provides a pre-execution hook that prompts the user before tool calls,
//! with session-scoped "Always" allowlists and audit logging.
use crate::config::{AutonomyConfig, NonCliNaturalLanguageApprovalMode};
use crate::config::{AutonomyConfig, CommandContextRuleAction, NonCliNaturalLanguageApprovalMode};
use crate::security::AutonomyLevel;
use chrono::{Duration, Utc};
use parking_lot::{Mutex, RwLock};
@ -75,6 +75,11 @@ pub struct ApprovalManager {
auto_approve: RwLock<HashSet<String>>,
/// Tools that always need approval, ignoring session allowlist (config + runtime updates).
always_ask: RwLock<HashSet<String>>,
/// Command patterns requiring approval even when a tool is auto-approved.
///
/// Sourced from `autonomy.command_context_rules` entries where
/// `action = "require_approval"`.
command_level_require_approval_rules: RwLock<Vec<String>>,
/// Autonomy level from config.
autonomy_level: AutonomyLevel,
/// Session-scoped allowlist built from "Always" responses.
@ -124,11 +129,24 @@ impl ApprovalManager {
.collect()
}
fn extract_command_level_approval_rules(config: &AutonomyConfig) -> Vec<String> {
config
.command_context_rules
.iter()
.filter(|rule| rule.action == CommandContextRuleAction::RequireApproval)
.map(|rule| rule.command.trim().to_string())
.filter(|command| !command.is_empty())
.collect()
}
/// Create from autonomy config.
pub fn from_config(config: &AutonomyConfig) -> Self {
Self {
auto_approve: RwLock::new(config.auto_approve.iter().cloned().collect()),
always_ask: RwLock::new(config.always_ask.iter().cloned().collect()),
command_level_require_approval_rules: RwLock::new(
Self::extract_command_level_approval_rules(config),
),
autonomy_level: config.level,
session_allowlist: Mutex::new(HashSet::new()),
non_cli_allowlist: Mutex::new(HashSet::new()),
@ -184,6 +202,33 @@ impl ApprovalManager {
true
}
/// Check whether a specific tool call (including arguments) needs interactive approval.
///
/// This extends [`Self::needs_approval`] with command-level approval matching:
/// when a call carries a `command` argument that matches a
/// `command_context_rules[action=require_approval]` pattern, the call is
/// approval-gated in supervised mode even if the tool is in `auto_approve`.
pub fn needs_approval_for_call(&self, tool_name: &str, args: &serde_json::Value) -> bool {
if self.needs_approval(tool_name) {
return true;
}
if self.autonomy_level != AutonomyLevel::Supervised {
return false;
}
let rules = self.command_level_require_approval_rules.read();
if rules.is_empty() {
return false;
}
let Some(command) = extract_command_argument(args) else {
return false;
};
command_matches_require_approval_rules(&command, &rules)
}
/// Record an approval decision and update session state.
pub fn record_decision(
&self,
@ -356,6 +401,7 @@ impl ApprovalManager {
&self,
auto_approve: &[String],
always_ask: &[String],
command_context_rules: &[crate::config::CommandContextRuleConfig],
non_cli_approval_approvers: &[String],
non_cli_natural_language_approval_mode: NonCliNaturalLanguageApprovalMode,
non_cli_natural_language_approval_mode_by_channel: &HashMap<
@ -371,6 +417,15 @@ impl ApprovalManager {
let mut always = self.always_ask.write();
*always = always_ask.iter().cloned().collect();
}
{
let mut rules = self.command_level_require_approval_rules.write();
*rules = command_context_rules
.iter()
.filter(|rule| rule.action == CommandContextRuleAction::RequireApproval)
.map(|rule| rule.command.trim().to_string())
.filter(|command| !command.is_empty())
.collect();
}
{
let mut approvers = self.non_cli_approval_approvers.write();
*approvers = Self::normalize_non_cli_approvers(non_cli_approval_approvers);
@ -638,6 +693,186 @@ fn summarize_args(args: &serde_json::Value) -> String {
}
}
fn extract_command_argument(args: &serde_json::Value) -> Option<String> {
for alias in ["command", "cmd", "shell_command", "bash", "sh", "input"] {
if let Some(command) = args
.get(alias)
.and_then(|v| v.as_str())
.map(str::trim)
.filter(|cmd| !cmd.is_empty())
{
return Some(command.to_string());
}
}
args.as_str()
.map(str::trim)
.filter(|cmd| !cmd.is_empty())
.map(ToString::to_string)
}
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum QuoteState {
None,
Single,
Double,
}
fn split_unquoted_segments(command: &str) -> Vec<String> {
let mut segments = Vec::new();
let mut current = String::new();
let mut quote = QuoteState::None;
let mut escaped = false;
let mut chars = command.chars().peekable();
let push_segment = |segments: &mut Vec<String>, current: &mut String| {
let trimmed = current.trim();
if !trimmed.is_empty() {
segments.push(trimmed.to_string());
}
current.clear();
};
while let Some(ch) = chars.next() {
match quote {
QuoteState::Single => {
if ch == '\'' {
quote = QuoteState::None;
}
current.push(ch);
}
QuoteState::Double => {
if escaped {
escaped = false;
current.push(ch);
continue;
}
if ch == '\\' {
escaped = true;
current.push(ch);
continue;
}
if ch == '"' {
quote = QuoteState::None;
}
current.push(ch);
}
QuoteState::None => {
if escaped {
escaped = false;
current.push(ch);
continue;
}
if ch == '\\' {
escaped = true;
current.push(ch);
continue;
}
match ch {
'\'' => {
quote = QuoteState::Single;
current.push(ch);
}
'"' => {
quote = QuoteState::Double;
current.push(ch);
}
';' | '\n' => push_segment(&mut segments, &mut current),
'|' => {
if chars.next_if_eq(&'|').is_some() {
// consume full `||`
}
push_segment(&mut segments, &mut current);
}
'&' => {
if chars.next_if_eq(&'&').is_some() {
// consume full `&&`
push_segment(&mut segments, &mut current);
} else {
current.push(ch);
}
}
_ => current.push(ch),
}
}
}
}
let trimmed = current.trim();
if !trimmed.is_empty() {
segments.push(trimmed.to_string());
}
segments
}
fn skip_env_assignments(s: &str) -> &str {
let mut rest = s;
loop {
let Some(word) = rest.split_whitespace().next() else {
return rest;
};
if word.contains('=')
&& word
.chars()
.next()
.is_some_and(|c| c.is_ascii_alphabetic() || c == '_')
{
rest = rest[word.len()..].trim_start();
} else {
return rest;
}
}
}
fn strip_wrapping_quotes(token: &str) -> &str {
let bytes = token.as_bytes();
if bytes.len() >= 2
&& ((bytes[0] == b'"' && bytes[bytes.len() - 1] == b'"')
|| (bytes[0] == b'\'' && bytes[bytes.len() - 1] == b'\''))
{
&token[1..token.len() - 1]
} else {
token
}
}
fn command_rule_matches(rule: &str, executable: &str, executable_base: &str) -> bool {
let normalized_rule = strip_wrapping_quotes(rule).trim();
if normalized_rule.is_empty() {
return false;
}
if normalized_rule == "*" {
return true;
}
if normalized_rule.contains('/') {
strip_wrapping_quotes(executable).trim() == normalized_rule
} else {
normalized_rule == executable_base
}
}
fn command_matches_require_approval_rules(command: &str, rules: &[String]) -> bool {
split_unquoted_segments(command).into_iter().any(|segment| {
let cmd_part = skip_env_assignments(&segment);
let mut words = cmd_part.split_whitespace();
let executable = strip_wrapping_quotes(words.next().unwrap_or("")).trim();
let base_cmd = executable.rsplit('/').next().unwrap_or("").trim();
if base_cmd.is_empty() {
return false;
}
rules
.iter()
.any(|rule| command_rule_matches(rule, executable, base_cmd))
})
}
fn truncate_for_summary(input: &str, max_chars: usize) -> String {
let mut chars = input.chars();
let truncated: String = chars.by_ref().take(max_chars).collect();
@ -667,7 +902,7 @@ fn prune_expired_pending_requests(
#[cfg(test)]
mod tests {
use super::*;
use crate::config::AutonomyConfig;
use crate::config::{AutonomyConfig, CommandContextRuleConfig};
fn supervised_config() -> AutonomyConfig {
AutonomyConfig {
@ -685,6 +920,23 @@ mod tests {
}
}
fn shell_auto_approve_with_command_rule_approval() -> AutonomyConfig {
AutonomyConfig {
level: AutonomyLevel::Supervised,
auto_approve: vec!["shell".into()],
always_ask: vec![],
command_context_rules: vec![CommandContextRuleConfig {
command: "rm".into(),
action: CommandContextRuleAction::RequireApproval,
allowed_domains: vec![],
allowed_path_prefixes: vec![],
denied_path_prefixes: vec![],
allow_high_risk: false,
}],
..AutonomyConfig::default()
}
}
// ── needs_approval ───────────────────────────────────────
#[test]
@ -707,6 +959,21 @@ mod tests {
assert!(mgr.needs_approval("http_request"));
}
#[test]
fn command_level_rule_requires_prompt_even_when_tool_is_auto_approved() {
let mgr = ApprovalManager::from_config(&shell_auto_approve_with_command_rule_approval());
assert!(!mgr.needs_approval("shell"));
assert!(!mgr.needs_approval_for_call("shell", &serde_json::json!({"command": "ls -la"})));
assert!(
mgr.needs_approval_for_call("shell", &serde_json::json!({"command": "rm -f tmp.txt"}))
);
assert!(mgr.needs_approval_for_call(
"shell",
&serde_json::json!({"command": "ls && rm -f tmp.txt"})
));
}
#[test]
fn full_autonomy_never_prompts() {
let mgr = ApprovalManager::from_config(&full_config());
@ -1029,9 +1296,19 @@ mod tests {
NonCliNaturalLanguageApprovalMode::RequestConfirm,
);
let command_context_rules = vec![CommandContextRuleConfig {
command: "rm".to_string(),
action: CommandContextRuleAction::RequireApproval,
allowed_domains: vec![],
allowed_path_prefixes: vec![],
denied_path_prefixes: vec![],
allow_high_risk: false,
}];
mgr.replace_runtime_non_cli_policy(
&["mock_price".to_string()],
&["shell".to_string()],
&command_context_rules,
&["telegram:alice".to_string()],
NonCliNaturalLanguageApprovalMode::Direct,
&mode_overrides,
@ -1053,6 +1330,8 @@ mod tests {
mgr.non_cli_natural_language_approval_mode_for_channel("slack"),
NonCliNaturalLanguageApprovalMode::Direct
);
assert!(mgr
.needs_approval_for_call("shell", &serde_json::json!({"command": "rm -f notes.txt"})));
}
// ── audit log ────────────────────────────────────────────

296
src/channels/discord.rs
View File

@ -1,6 +1,7 @@
use super::ack_reaction::{select_ack_reaction, AckReactionContext, AckReactionContextChatType};
use super::traits::{Channel, ChannelMessage, SendMessage};
use crate::config::AckReactionConfig;
use crate::config::TranscriptionConfig;
use anyhow::Context;
use async_trait::async_trait;
use futures_util::{SinkExt, StreamExt};
@ -25,6 +26,7 @@ pub struct DiscordChannel {
mention_only: bool,
group_reply_allowed_sender_ids: Vec<String>,
ack_reaction: Option<AckReactionConfig>,
transcription: Option<TranscriptionConfig>,
workspace_dir: Option<PathBuf>,
typing_handles: Mutex<HashMap<String, tokio::task::JoinHandle<()>>>,
}
@ -45,6 +47,7 @@ impl DiscordChannel {
mention_only,
group_reply_allowed_sender_ids: Vec::new(),
ack_reaction: None,
transcription: None,
workspace_dir: None,
typing_handles: Mutex::new(HashMap::new()),
}
@ -62,6 +65,14 @@ impl DiscordChannel {
self
}
/// Configure voice/audio transcription.
pub fn with_transcription(mut self, config: TranscriptionConfig) -> Self {
if config.enabled {
self.transcription = Some(config);
}
self
}
/// Configure workspace directory used for validating local attachment paths.
pub fn with_workspace_dir(mut self, dir: PathBuf) -> Self {
self.workspace_dir = Some(dir);
@ -149,11 +160,13 @@ fn normalize_group_reply_allowed_sender_ids(sender_ids: Vec<String>) -> Vec<Stri
/// `image/*` attachments are forwarded as `[IMAGE:<url>]` markers. For
/// `application/octet-stream` or missing MIME types, image-like filename/url
/// extensions are also treated as images.
/// `audio/*` attachments are transcribed when `[transcription].enabled = true`.
/// `text/*` MIME types are fetched and inlined. Other types are skipped.
/// Fetch errors are logged as warnings.
async fn process_attachments(
attachments: &[serde_json::Value],
client: &reqwest::Client,
transcription: Option<&TranscriptionConfig>,
) -> String {
let mut parts: Vec<String> = Vec::new();
for att in attachments {
@ -171,6 +184,60 @@ async fn process_attachments(
};
if is_image_attachment(ct, name, url) {
parts.push(format!("[IMAGE:{url}]"));
} else if is_audio_attachment(ct, name, url) {
let Some(config) = transcription else {
tracing::debug!(
name,
content_type = ct,
"discord: skipping audio attachment because transcription is disabled"
);
continue;
};
if let Some(duration_secs) = parse_attachment_duration_secs(att) {
if duration_secs > config.max_duration_secs {
tracing::warn!(
name,
duration_secs,
max_duration_secs = config.max_duration_secs,
"discord: skipping audio attachment that exceeds transcription duration limit"
);
continue;
}
}
let audio_data = match client.get(url).send().await {
Ok(resp) if resp.status().is_success() => match resp.bytes().await {
Ok(bytes) => bytes.to_vec(),
Err(error) => {
tracing::warn!(name, error = %error, "discord: failed to read audio attachment body");
continue;
}
},
Ok(resp) => {
tracing::warn!(name, status = %resp.status(), "discord audio attachment fetch failed");
continue;
}
Err(error) => {
tracing::warn!(name, error = %error, "discord audio attachment fetch error");
continue;
}
};
let file_name = infer_audio_filename(name, url, ct);
match super::transcription::transcribe_audio(audio_data, &file_name, config).await {
Ok(transcript) => {
let transcript = transcript.trim();
if transcript.is_empty() {
tracing::info!(name, "discord: transcription returned empty text");
} else {
parts.push(format!("[Voice:{file_name}] {transcript}"));
}
}
Err(error) => {
tracing::warn!(name, error = %error, "discord: audio transcription failed");
}
}
} else if ct.starts_with("text/") {
match client.get(url).send().await {
Ok(resp) if resp.status().is_success() => {
@ -196,13 +263,17 @@ async fn process_attachments(
parts.join("\n---\n")
}
fn is_image_attachment(content_type: &str, filename: &str, url: &str) -> bool {
let normalized_content_type = content_type
fn normalize_content_type(content_type: &str) -> String {
content_type
.split(';')
.next()
.unwrap_or("")
.trim()
.to_ascii_lowercase();
.to_ascii_lowercase()
}
fn is_image_attachment(content_type: &str, filename: &str, url: &str) -> bool {
let normalized_content_type = normalize_content_type(content_type);
if !normalized_content_type.is_empty() {
if normalized_content_type.starts_with("image/") {
@ -217,13 +288,92 @@ fn is_image_attachment(content_type: &str, filename: &str, url: &str) -> bool {
has_image_extension(filename) || has_image_extension(url)
}
fn has_image_extension(value: &str) -> bool {
fn is_audio_attachment(content_type: &str, filename: &str, url: &str) -> bool {
let normalized_content_type = normalize_content_type(content_type);
if !normalized_content_type.is_empty() {
if normalized_content_type.starts_with("audio/")
|| audio_extension_from_content_type(&normalized_content_type).is_some()
{
return true;
}
// Trust explicit non-audio MIME to avoid false positives from filename extensions.
if normalized_content_type != "application/octet-stream" {
return false;
}
}
has_audio_extension(filename) || has_audio_extension(url)
}
fn parse_attachment_duration_secs(attachment: &serde_json::Value) -> Option<u64> {
let raw = attachment
.get("duration_secs")
.and_then(|value| value.as_f64().or_else(|| value.as_u64().map(|v| v as f64)))?;
if !raw.is_finite() || raw.is_sign_negative() {
return None;
}
Some(raw.ceil() as u64)
}
fn extension_from_media_path(value: &str) -> Option<String> {
let base = value.split('?').next().unwrap_or(value);
let base = base.split('#').next().unwrap_or(base);
let ext = Path::new(base)
Path::new(base)
.extension()
.and_then(|ext| ext.to_str())
.map(|ext| ext.to_ascii_lowercase());
.map(|ext| ext.to_ascii_lowercase())
}
fn is_supported_audio_extension(extension: &str) -> bool {
matches!(
extension,
"flac" | "mp3" | "mpeg" | "mpga" | "mp4" | "m4a" | "ogg" | "oga" | "opus" | "wav" | "webm"
)
}
fn has_audio_extension(value: &str) -> bool {
matches!(
extension_from_media_path(value).as_deref(),
Some(ext) if is_supported_audio_extension(ext)
)
}
fn audio_extension_from_content_type(content_type: &str) -> Option<&'static str> {
match normalize_content_type(content_type).as_str() {
"audio/flac" | "audio/x-flac" => Some("flac"),
"audio/mpeg" => Some("mp3"),
"audio/mpga" => Some("mpga"),
"audio/mp4" | "audio/x-m4a" | "audio/m4a" => Some("m4a"),
"audio/ogg" | "application/ogg" => Some("ogg"),
"audio/opus" => Some("opus"),
"audio/wav" | "audio/x-wav" | "audio/wave" => Some("wav"),
"audio/webm" => Some("webm"),
_ => None,
}
}
fn infer_audio_filename(filename: &str, url: &str, content_type: &str) -> String {
let trimmed_name = filename.trim();
if !trimmed_name.is_empty() && has_audio_extension(trimmed_name) {
return trimmed_name.to_string();
}
if let Some(ext) =
extension_from_media_path(url).filter(|ext| is_supported_audio_extension(ext))
{
return format!("audio.{ext}");
}
if let Some(ext) = audio_extension_from_content_type(content_type) {
return format!("audio.{ext}");
}
"audio.ogg".to_string()
}
fn has_image_extension(value: &str) -> bool {
let ext = extension_from_media_path(value);
matches!(
ext.as_deref(),
@ -1013,7 +1163,8 @@ impl Channel for DiscordChannel {
.and_then(|a| a.as_array())
.cloned()
.unwrap_or_default();
process_attachments(&atts, &self.http_client()).await
process_attachments(&atts, &self.http_client(), self.transcription.as_ref())
.await
};
let final_content = if attachment_text.is_empty() {
clean_content
@ -1266,6 +1417,8 @@ impl Channel for DiscordChannel {
#[cfg(test)]
mod tests {
use super::*;
use axum::{routing::get, routing::post, Json, Router};
use serde_json::json as json_value;
#[test]
fn discord_channel_name() {
@ -1824,7 +1977,7 @@ mod tests {
#[tokio::test]
async fn process_attachments_empty_list_returns_empty() {
let client = reqwest::Client::new();
let result = process_attachments(&[], &client).await;
let result = process_attachments(&[], &client, None).await;
assert!(result.is_empty());
}
@ -1836,10 +1989,11 @@ mod tests {
"filename": "doc.pdf",
"content_type": "application/pdf"
})];
let result = process_attachments(&attachments, &client).await;
let result = process_attachments(&attachments, &client, None).await;
assert!(result.is_empty());
}
#[tokio::test]
async fn process_attachments_emits_image_marker_for_image_content_type() {
let client = reqwest::Client::new();
let attachments = vec![serde_json::json!({
@ -1847,7 +2001,7 @@ mod tests {
"filename": "photo.png",
"content_type": "image/png"
})];
let result = process_attachments(&attachments, &client).await;
let result = process_attachments(&attachments, &client, None).await;
assert_eq!(
result,
"[IMAGE:https://cdn.discordapp.com/attachments/123/456/photo.png]"
@ -1869,7 +2023,7 @@ mod tests {
"content_type": "image/webp"
}),
];
let result = process_attachments(&attachments, &client).await;
let result = process_attachments(&attachments, &client, None).await;
assert_eq!(
result,
"[IMAGE:https://cdn.discordapp.com/attachments/123/456/one.jpg]\n---\n[IMAGE:https://cdn.discordapp.com/attachments/123/456/two.webp]"
@ -1883,13 +2037,77 @@ mod tests {
"url": "https://cdn.discordapp.com/attachments/123/456/photo.jpeg?size=1024",
"filename": "photo.jpeg"
})];
let result = process_attachments(&attachments, &client).await;
let result = process_attachments(&attachments, &client, None).await;
assert_eq!(
result,
"[IMAGE:https://cdn.discordapp.com/attachments/123/456/photo.jpeg?size=1024]"
);
}
#[tokio::test]
#[ignore = "requires local loopback TCP bind"]
async fn process_attachments_transcribes_audio_when_enabled() {
async fn audio_handler() -> ([(String, String); 1], Vec<u8>) {
(
[(
"content-type".to_string(),
"audio/ogg; codecs=opus".to_string(),
)],
vec![1_u8, 2, 3, 4, 5, 6],
)
}
async fn transcribe_handler() -> Json<serde_json::Value> {
Json(json_value!({ "text": "hello from discord audio" }))
}
let app = Router::new()
.route("/audio.ogg", get(audio_handler))
.route("/transcribe", post(transcribe_handler));
let listener = tokio::net::TcpListener::bind("127.0.0.1:0")
.await
.expect("bind test server");
let addr = listener.local_addr().expect("local addr");
tokio::spawn(async move {
let _ = axum::serve(listener, app).await;
});
let mut transcription = TranscriptionConfig::default();
transcription.enabled = true;
transcription.api_url = format!("http://{addr}/transcribe");
transcription.model = "whisper-test".to_string();
let client = reqwest::Client::new();
let attachments = vec![serde_json::json!({
"url": format!("http://{addr}/audio.ogg"),
"filename": "voice.ogg",
"content_type": "audio/ogg",
"duration_secs": 4
})];
let result = process_attachments(&attachments, &client, Some(&transcription)).await;
assert_eq!(result, "[Voice:voice.ogg] hello from discord audio");
}
#[tokio::test]
async fn process_attachments_skips_audio_when_duration_exceeds_limit() {
let mut transcription = TranscriptionConfig::default();
transcription.enabled = true;
transcription.api_url = "http://127.0.0.1:1/transcribe".to_string();
transcription.max_duration_secs = 5;
let client = reqwest::Client::new();
let attachments = vec![serde_json::json!({
"url": "http://127.0.0.1:1/audio.ogg",
"filename": "voice.ogg",
"content_type": "audio/ogg",
"duration_secs": 120
})];
let result = process_attachments(&attachments, &client, Some(&transcription)).await;
assert!(result.is_empty());
}
#[test]
fn is_image_attachment_prefers_non_image_content_type_over_extension() {
assert!(!is_image_attachment(
@ -1899,6 +2117,43 @@ mod tests {
));
}
#[test]
fn is_audio_attachment_prefers_non_audio_content_type_over_extension() {
assert!(!is_audio_attachment(
"text/plain",
"voice.ogg",
"https://cdn.discordapp.com/attachments/123/456/voice.ogg"
));
}
#[test]
fn is_audio_attachment_allows_octet_stream_extension_fallback() {
assert!(is_audio_attachment(
"application/octet-stream",
"voice.ogg",
"https://cdn.discordapp.com/attachments/123/456/voice.ogg"
));
}
#[test]
fn is_audio_attachment_accepts_application_ogg_mime() {
assert!(is_audio_attachment(
"application/ogg",
"voice",
"https://cdn.discordapp.com/attachments/123/456/blob"
));
}
#[test]
fn infer_audio_filename_uses_content_type_when_name_lacks_extension() {
let file_name = infer_audio_filename(
"voice_upload",
"https://cdn.discordapp.com/attachments/123/456/blob",
"audio/ogg; codecs=opus",
);
assert_eq!(file_name, "audio.ogg");
}
#[test]
fn is_image_attachment_allows_octet_stream_extension_fallback() {
assert!(is_image_attachment(
@ -1971,6 +2226,23 @@ mod tests {
);
}
#[test]
fn with_transcription_sets_config_when_enabled() {
let mut tc = TranscriptionConfig::default();
tc.enabled = true;
let channel =
DiscordChannel::new("fake".into(), None, vec![], false, false).with_transcription(tc);
assert!(channel.transcription.is_some());
}
#[test]
fn with_transcription_skips_when_disabled() {
let tc = TranscriptionConfig::default();
let channel =
DiscordChannel::new("fake".into(), None, vec![], false, false).with_transcription(tc);
assert!(channel.transcription.is_none());
}
#[test]
fn with_workspace_dir_sets_field() {
let channel = DiscordChannel::new("fake".into(), None, vec![], false, false)

93
src/channels/matrix.rs
View File

@ -15,7 +15,10 @@ use matrix_sdk::{
use reqwest::Client;
use serde::Deserialize;
use std::path::PathBuf;
use std::sync::Arc;
use std::sync::{
atomic::{AtomicBool, Ordering},
Arc,
};
use tokio::sync::{mpsc, Mutex, OnceCell, RwLock};
/// Matrix channel for Matrix Client-Server API.
@ -32,6 +35,7 @@ pub struct MatrixChannel {
zeroclaw_dir: Option<PathBuf>,
resolved_room_id_cache: Arc<RwLock<Option<String>>>,
sdk_client: Arc<OnceCell<MatrixSdkClient>>,
otk_conflict_detected: Arc<AtomicBool>,
http_client: Client,
}
@ -108,6 +112,23 @@ impl MatrixChannel {
format!("{error_type} (details redacted)")
}
fn is_otk_conflict_message(message: &str) -> bool {
let lower = message.to_ascii_lowercase();
lower.contains("one time key") && lower.contains("already exists")
}
fn otk_conflict_recovery_message(&self) -> String {
let mut message = String::from(
"Matrix E2EE one-time key upload conflict detected (`one time key ... already exists`). \
ZeroClaw paused Matrix sync to avoid an infinite retry loop. \
Resolve by deregistering the stale Matrix device for this bot account, resetting the local Matrix crypto store, then restarting ZeroClaw.",
);
if let Some(store_dir) = self.matrix_store_dir() {
message.push_str(&format!(" Local crypto store: {}", store_dir.display()));
}
message
}
fn normalize_optional_field(value: Option<String>) -> Option<String> {
value
.map(|entry| entry.trim().to_string())
@ -171,6 +192,7 @@ impl MatrixChannel {
zeroclaw_dir,
resolved_room_id_cache: Arc::new(RwLock::new(None)),
sdk_client: Arc::new(OnceCell::new()),
otk_conflict_detected: Arc::new(AtomicBool::new(false)),
http_client: Client::new(),
}
}
@ -513,6 +535,17 @@ impl MatrixChannel {
};
client.restore_session(session).await?;
let holder = client.cross_process_store_locks_holder_name().to_string();
if let Err(error) = client
.encryption()
.enable_cross_process_store_lock(holder)
.await
{
let safe_error = Self::sanitize_error_for_log(&error);
tracing::warn!(
"Matrix failed to enable cross-process crypto-store lock: {safe_error}"
);
}
Ok::<MatrixSdkClient, anyhow::Error>(client)
})
@ -674,6 +707,10 @@ impl Channel for MatrixChannel {
}
async fn send(&self, message: &SendMessage) -> anyhow::Result<()> {
if self.otk_conflict_detected.load(Ordering::Relaxed) {
anyhow::bail!("{}", self.otk_conflict_recovery_message());
}
let client = self.matrix_client().await?;
let target_room_id = self.target_room_id().await?;
let target_room: OwnedRoomId = target_room_id.parse()?;
@ -699,6 +736,10 @@ impl Channel for MatrixChannel {
}
async fn listen(&self, tx: mpsc::Sender<ChannelMessage>) -> anyhow::Result<()> {
if self.otk_conflict_detected.load(Ordering::Relaxed) {
anyhow::bail!("{}", self.otk_conflict_recovery_message());
}
let target_room_id = self.target_room_id().await?;
self.ensure_room_supported(&target_room_id).await?;
@ -838,15 +879,29 @@ impl Channel for MatrixChannel {
});
let sync_settings = SyncSettings::new().timeout(std::time::Duration::from_secs(30));
let otk_conflict_detected = Arc::clone(&self.otk_conflict_detected);
client
.sync_with_result_callback(sync_settings, |sync_result| {
let tx = tx.clone();
let otk_conflict_detected = Arc::clone(&otk_conflict_detected);
async move {
if tx.is_closed() {
return Ok::<LoopCtrl, matrix_sdk::Error>(LoopCtrl::Break);
}
if let Err(error) = sync_result {
let raw_error = error.to_string();
if MatrixChannel::is_otk_conflict_message(&raw_error) {
let first_detection =
!otk_conflict_detected.swap(true, Ordering::SeqCst);
if first_detection {
tracing::error!(
"Matrix detected one-time key upload conflict; stopping listener to avoid retry loop."
);
}
return Ok::<LoopCtrl, matrix_sdk::Error>(LoopCtrl::Break);
}
let safe_error = MatrixChannel::sanitize_error_for_log(&error);
tracing::warn!("Matrix sync error: {safe_error}, retrying...");
tokio::time::sleep(tokio::time::Duration::from_secs(5)).await;
@ -857,10 +912,18 @@ impl Channel for MatrixChannel {
})
.await?;
if self.otk_conflict_detected.load(Ordering::Relaxed) {
anyhow::bail!("{}", self.otk_conflict_recovery_message());
}
Ok(())
}
async fn health_check(&self) -> bool {
if self.otk_conflict_detected.load(Ordering::Relaxed) {
return false;
}
let Ok(room_id) = self.target_room_id().await else {
return false;
};
@ -876,7 +939,6 @@ impl Channel for MatrixChannel {
#[cfg(test)]
mod tests {
use super::*;
use matrix_sdk::ruma::{OwnedEventId, OwnedUserId};
fn make_channel() -> MatrixChannel {
MatrixChannel::new(
@ -1002,6 +1064,33 @@ mod tests {
assert!(ch.matrix_store_dir().is_none());
}
#[test]
fn otk_conflict_message_detection_matches_matrix_errors() {
assert!(MatrixChannel::is_otk_conflict_message(
"One time key signed_curve25519:AAAAAAAAAA4 already exists. Old key: ... new key: ..."
));
assert!(!MatrixChannel::is_otk_conflict_message(
"Matrix sync timeout while waiting for long poll"
));
}
#[test]
fn otk_conflict_recovery_message_includes_store_path_when_available() {
let ch = MatrixChannel::new_with_session_hint_and_zeroclaw_dir(
"https://matrix.org".to_string(),
"tok".to_string(),
"!r:m".to_string(),
vec![],
None,
None,
Some(PathBuf::from("/tmp/zeroclaw")),
);
let message = ch.otk_conflict_recovery_message();
assert!(message.contains("one-time key upload conflict"));
assert!(message.contains("/tmp/zeroclaw/state/matrix"));
}
#[test]
fn encode_path_segment_encodes_room_refs() {
assert_eq!(

253
src/channels/nextcloud_talk.rs
View File

@ -23,8 +23,33 @@ impl NextcloudTalkChannel {
}
}
fn canonical_actor_id(actor_id: &str) -> &str {
let trimmed = actor_id.trim();
trimmed.rsplit('/').next().unwrap_or(trimmed)
}
fn is_user_allowed(&self, actor_id: &str) -> bool {
self.allowed_users.iter().any(|u| u == "*" || u == actor_id)
let actor_id = actor_id.trim();
if actor_id.is_empty() {
return false;
}
if self.allowed_users.iter().any(|u| u == "*") {
return true;
}
let actor_short = Self::canonical_actor_id(actor_id);
self.allowed_users.iter().any(|allowed| {
let allowed = allowed.trim();
if allowed.is_empty() {
return false;
}
let allowed_short = Self::canonical_actor_id(allowed);
allowed.eq_ignore_ascii_case(actor_id)
|| allowed.eq_ignore_ascii_case(actor_short)
|| allowed_short.eq_ignore_ascii_case(actor_id)
|| allowed_short.eq_ignore_ascii_case(actor_short)
})
}
fn now_unix_secs() -> u64 {
@ -58,6 +83,46 @@ impl NextcloudTalkChannel {
}
}
fn extract_content_from_as2_object(payload: &serde_json::Value) -> Option<String> {
let Some(content_value) = payload.get("object").and_then(|obj| obj.get("content")) else {
return None;
};
let content = match content_value {
serde_json::Value::String(raw) => {
let trimmed = raw.trim();
if trimmed.is_empty() {
return None;
}
// Activity Streams payloads often embed message text as JSON inside object.content.
if let Ok(decoded) = serde_json::from_str::<serde_json::Value>(trimmed) {
if let Some(message) = decoded.get("message").and_then(|v| v.as_str()) {
let message = message.trim();
if !message.is_empty() {
return Some(message.to_string());
}
}
}
trimmed.to_string()
}
serde_json::Value::Object(map) => map
.get("message")
.and_then(|v| v.as_str())
.map(str::trim)
.filter(|message| !message.is_empty())
.map(ToOwned::to_owned)?,
_ => return None,
};
if content.is_empty() {
None
} else {
Some(content)
}
}
/// Parse a Nextcloud Talk webhook payload into channel messages.
///
/// Relevant payload fields:
@ -67,22 +132,46 @@ impl NextcloudTalkChannel {
pub fn parse_webhook_payload(&self, payload: &serde_json::Value) -> Vec<ChannelMessage> {
let mut messages = Vec::new();
if let Some(event_type) = payload.get("type").and_then(|v| v.as_str()) {
if !event_type.eq_ignore_ascii_case("message") {
tracing::debug!("Nextcloud Talk: skipping non-message event: {event_type}");
let event_type = payload.get("type").and_then(|v| v.as_str()).unwrap_or("");
let is_legacy_message_event = event_type.eq_ignore_ascii_case("message");
let is_activity_streams_event = event_type.eq_ignore_ascii_case("create");
if !is_legacy_message_event && !is_activity_streams_event {
tracing::debug!("Nextcloud Talk: skipping non-message event: {event_type}");
return messages;
}
if is_activity_streams_event {
let object_type = payload
.get("object")
.and_then(|obj| obj.get("type"))
.and_then(|v| v.as_str())
.unwrap_or("");
if !object_type.eq_ignore_ascii_case("note") {
tracing::debug!(
"Nextcloud Talk: skipping Activity Streams event with unsupported object.type: {object_type}"
);
return messages;
}
}
let Some(message_obj) = payload.get("message") else {
return messages;
};
let message_obj = payload.get("message");
let room_token = payload
.get("object")
.and_then(|obj| obj.get("token"))
.and_then(|v| v.as_str())
.or_else(|| message_obj.get("token").and_then(|v| v.as_str()))
.or_else(|| {
message_obj
.and_then(|msg| msg.get("token"))
.and_then(|v| v.as_str())
})
.or_else(|| {
payload
.get("target")
.and_then(|target| target.get("id"))
.and_then(|v| v.as_str())
})
.map(str::trim)
.filter(|token| !token.is_empty());
@ -92,21 +181,34 @@ impl NextcloudTalkChannel {
};
let actor_type = message_obj
.get("actorType")
.and_then(|msg| msg.get("actorType"))
.and_then(|v| v.as_str())
.or_else(|| payload.get("actorType").and_then(|v| v.as_str()))
.or_else(|| {
payload
.get("actor")
.and_then(|actor| actor.get("type"))
.and_then(|v| v.as_str())
})
.unwrap_or("");
// Ignore bot-originated messages to prevent feedback loops.
if actor_type.eq_ignore_ascii_case("bots") {
if actor_type.eq_ignore_ascii_case("bots") || actor_type.eq_ignore_ascii_case("application")
{
tracing::debug!("Nextcloud Talk: skipping bot-originated message");
return messages;
}
let actor_id = message_obj
.get("actorId")
.and_then(|msg| msg.get("actorId"))
.and_then(|v| v.as_str())
.or_else(|| payload.get("actorId").and_then(|v| v.as_str()))
.or_else(|| {
payload
.get("actor")
.and_then(|actor| actor.get("id"))
.and_then(|v| v.as_str())
})
.map(str::trim)
.filter(|id| !id.is_empty());
@ -114,6 +216,7 @@ impl NextcloudTalkChannel {
tracing::warn!("Nextcloud Talk: missing actorId in webhook payload");
return messages;
};
let sender_id = Self::canonical_actor_id(actor_id);
if !self.is_user_allowed(actor_id) {
tracing::warn!(
@ -124,45 +227,56 @@ impl NextcloudTalkChannel {
return messages;
}
let message_type = message_obj
.get("messageType")
.and_then(|v| v.as_str())
.unwrap_or("comment");
if !message_type.eq_ignore_ascii_case("comment") {
tracing::debug!("Nextcloud Talk: skipping non-comment messageType: {message_type}");
return messages;
if is_legacy_message_event {
let message_type = message_obj
.and_then(|msg| msg.get("messageType"))
.and_then(|v| v.as_str())
.unwrap_or("comment");
if !message_type.eq_ignore_ascii_case("comment") {
tracing::debug!("Nextcloud Talk: skipping non-comment messageType: {message_type}");
return messages;
}
}
// Ignore pure system messages.
let has_system_message = message_obj
.get("systemMessage")
.and_then(|v| v.as_str())
.map(str::trim)
.is_some_and(|value| !value.is_empty());
if has_system_message {
tracing::debug!("Nextcloud Talk: skipping system message event");
return messages;
if is_legacy_message_event {
let has_system_message = message_obj
.and_then(|msg| msg.get("systemMessage"))
.and_then(|v| v.as_str())
.map(str::trim)
.is_some_and(|value| !value.is_empty());
if has_system_message {
tracing::debug!("Nextcloud Talk: skipping system message event");
return messages;
}
}
let content = message_obj
.get("message")
.and_then(|msg| msg.get("message"))
.and_then(|v| v.as_str())
.map(str::trim)
.filter(|content| !content.is_empty());
.filter(|content| !content.is_empty())
.map(ToOwned::to_owned)
.or_else(|| Self::extract_content_from_as2_object(payload));
let Some(content) = content else {
return messages;
};
let message_id = Self::value_to_string(message_obj.get("id"))
let message_id = Self::value_to_string(message_obj.and_then(|msg| msg.get("id")))
.or_else(|| Self::value_to_string(payload.get("object").and_then(|obj| obj.get("id"))))
.unwrap_or_else(|| Uuid::new_v4().to_string());
let timestamp = Self::parse_timestamp_secs(message_obj.get("timestamp"));
let timestamp = Self::parse_timestamp_secs(
message_obj
.and_then(|msg| msg.get("timestamp"))
.or_else(|| payload.get("timestamp")),
);
messages.push(ChannelMessage {
id: message_id,
reply_target: room_token.to_string(),
sender: actor_id.to_string(),
content: content.to_string(),
sender: sender_id.to_string(),
content,
channel: "nextcloud_talk".to_string(),
timestamp,
thread_ts: None,
@ -375,6 +489,81 @@ mod tests {
assert!(messages.is_empty());
}
#[test]
fn nextcloud_talk_parse_activity_streams_create_note_payload() {
let channel = NextcloudTalkChannel::new(
"https://cloud.example.com".into(),
"app-token".into(),
vec!["test".into()],
);
let payload = serde_json::json!({
"type": "Create",
"actor": {
"type": "Person",
"id": "users/test",
"name": "test"
},
"object": {
"type": "Note",
"id": "177",
"content": "{\"message\":\"hello\",\"parameters\":[]}",
"mediaType": "text/markdown"
},
"target": {
"type": "Collection",
"id": "yyrubgfp",
"name": "TESTCHAT"
}
});
let messages = channel.parse_webhook_payload(&payload);
assert_eq!(messages.len(), 1);
assert_eq!(messages[0].id, "177");
assert_eq!(messages[0].reply_target, "yyrubgfp");
assert_eq!(messages[0].sender, "test");
assert_eq!(messages[0].content, "hello");
}
#[test]
fn nextcloud_talk_parse_activity_streams_skips_application_actor() {
let channel = NextcloudTalkChannel::new(
"https://cloud.example.com".into(),
"app-token".into(),
vec!["*".into()],
);
let payload = serde_json::json!({
"type": "Create",
"actor": {
"type": "Application",
"id": "apps/zeroclaw"
},
"object": {
"type": "Note",
"id": "178",
"content": "{\"message\":\"ignore me\"}"
},
"target": {
"id": "yyrubgfp"
}
});
let messages = channel.parse_webhook_payload(&payload);
assert!(messages.is_empty());
}
#[test]
fn nextcloud_talk_allowlist_matches_full_and_short_actor_ids() {
let channel = NextcloudTalkChannel::new(
"https://cloud.example.com".into(),
"app-token".into(),
vec!["users/test".into()],
);
assert!(channel.is_user_allowed("users/test"));
assert!(channel.is_user_allowed("test"));
}
#[test]
fn nextcloud_talk_parse_skips_unauthorized_sender() {
let channel = make_channel();

266
src/channels/telegram.rs
View File

@ -15,6 +15,7 @@ use tokio::fs;
/// Telegram's maximum message length for text messages
const TELEGRAM_MAX_MESSAGE_LENGTH: usize = 4096;
const TELEGRAM_NATIVE_DRAFT_ID: i64 = 1;
/// Reserve space for continuation markers added by send_text_chunks:
/// worst case is "(continued)\n\n" + chunk + "\n\n(continues...)" = 30 extra chars
const TELEGRAM_CONTINUATION_OVERHEAD: usize = 30;
@ -463,6 +464,7 @@ pub struct TelegramChannel {
stream_mode: StreamMode,
draft_update_interval_ms: u64,
last_draft_edit: Mutex<std::collections::HashMap<String, std::time::Instant>>,
native_drafts: Mutex<std::collections::HashSet<String>>,
mention_only: bool,
group_reply_allowed_sender_ids: Vec<String>,
bot_username: Mutex<Option<String>>,
@ -504,6 +506,7 @@ impl TelegramChannel {
stream_mode: StreamMode::Off,
draft_update_interval_ms: 1000,
last_draft_edit: Mutex::new(std::collections::HashMap::new()),
native_drafts: Mutex::new(std::collections::HashSet::new()),
typing_handle: Mutex::new(None),
mention_only,
group_reply_allowed_sender_ids: Vec::new(),
@ -589,6 +592,117 @@ impl TelegramChannel {
body
}
fn is_private_chat_target(chat_id: &str, thread_id: Option<&str>) -> bool {
if thread_id.is_some() {
return false;
}
chat_id.parse::<i64>().is_ok_and(|parsed| parsed > 0)
}
fn native_draft_key(chat_id: &str, draft_id: i64) -> String {
format!("{chat_id}:{draft_id}")
}
fn register_native_draft(&self, chat_id: &str, draft_id: i64) {
self.native_drafts
.lock()
.insert(Self::native_draft_key(chat_id, draft_id));
}
fn unregister_native_draft(&self, chat_id: &str, draft_id: i64) -> bool {
self.native_drafts
.lock()
.remove(&Self::native_draft_key(chat_id, draft_id))
}
fn has_native_draft(&self, chat_id: &str, draft_id: i64) -> bool {
self.native_drafts
.lock()
.contains(&Self::native_draft_key(chat_id, draft_id))
}
fn consume_native_draft_finalize(
&self,
chat_id: &str,
thread_id: Option<&str>,
message_id: &str,
) -> bool {
if self.stream_mode != StreamMode::On || !Self::is_private_chat_target(chat_id, thread_id) {
return false;
}
match message_id.parse::<i64>() {
Ok(draft_id) if self.unregister_native_draft(chat_id, draft_id) => true,
// If the in-memory registry entry is missing, still treat the
// known native draft id as native so final content is delivered.
Ok(TELEGRAM_NATIVE_DRAFT_ID) => {
tracing::warn!(
chat_id = %chat_id,
draft_id = TELEGRAM_NATIVE_DRAFT_ID,
"Telegram native draft registry missing during finalize; sending final content directly"
);
true
}
_ => false,
}
}
async fn send_message_draft(
&self,
chat_id: &str,
draft_id: i64,
text: &str,
) -> anyhow::Result<()> {
let markdown_body = serde_json::json!({
"chat_id": chat_id,
"draft_id": draft_id,
"text": Self::markdown_to_telegram_html(text),
"parse_mode": "HTML",
});
let markdown_resp = self
.client
.post(self.api_url("sendMessageDraft"))
.json(&markdown_body)
.send()
.await?;
if markdown_resp.status().is_success() {
return Ok(());
}
let markdown_status = markdown_resp.status();
let markdown_err = markdown_resp.text().await.unwrap_or_default();
let plain_body = serde_json::json!({
"chat_id": chat_id,
"draft_id": draft_id,
"text": text,
});
let plain_resp = self
.client
.post(self.api_url("sendMessageDraft"))
.json(&plain_body)
.send()
.await?;
if !plain_resp.status().is_success() {
let plain_status = plain_resp.status();
let plain_err = plain_resp.text().await.unwrap_or_default();
let sanitized_markdown_err = Self::sanitize_telegram_error(&markdown_err);
let sanitized_plain_err = Self::sanitize_telegram_error(&plain_err);
anyhow::bail!(
"Telegram sendMessageDraft failed (markdown {}: {}; plain {}: {})",
markdown_status,
sanitized_markdown_err,
plain_status,
sanitized_plain_err
);
}
Ok(())
}
fn build_approval_prompt_body(
chat_id: &str,
thread_id: Option<&str>,
@ -2820,6 +2934,25 @@ impl Channel for TelegramChannel {
message.content.clone()
};
if self.stream_mode == StreamMode::On
&& Self::is_private_chat_target(&chat_id, thread_id.as_deref())
{
match self
.send_message_draft(&chat_id, TELEGRAM_NATIVE_DRAFT_ID, &initial_text)
.await
{
Ok(()) => {
self.register_native_draft(&chat_id, TELEGRAM_NATIVE_DRAFT_ID);
return Ok(Some(TELEGRAM_NATIVE_DRAFT_ID.to_string()));
}
Err(error) => {
tracing::warn!(
"Telegram sendMessageDraft failed; falling back to partial stream mode: {error}"
);
}
}
}
let mut body = serde_json::json!({
"chat_id": chat_id,
"text": initial_text,
@ -2861,18 +2994,7 @@ impl Channel for TelegramChannel {
message_id: &str,
text: &str,
) -> anyhow::Result<Option<String>> {
let (chat_id, _) = Self::parse_reply_target(recipient);
// Rate-limit edits per chat
{
let last_edits = self.last_draft_edit.lock();
if let Some(last_time) = last_edits.get(&chat_id) {
let elapsed = u64::try_from(last_time.elapsed().as_millis()).unwrap_or(u64::MAX);
if elapsed < self.draft_update_interval_ms {
return Ok(None);
}
}
}
let (chat_id, thread_id) = Self::parse_reply_target(recipient);
// Truncate to Telegram limit for mid-stream edits (UTF-8 safe)
let display_text = if text.len() > TELEGRAM_MAX_MESSAGE_LENGTH {
@ -2889,6 +3011,41 @@ impl Channel for TelegramChannel {
text
};
if self.stream_mode == StreamMode::On
&& Self::is_private_chat_target(&chat_id, thread_id.as_deref())
{
let parsed_draft_id = message_id
.parse::<i64>()
.unwrap_or(TELEGRAM_NATIVE_DRAFT_ID);
if self.has_native_draft(&chat_id, parsed_draft_id) {
if let Err(error) = self
.send_message_draft(&chat_id, parsed_draft_id, display_text)
.await
{
tracing::warn!(
chat_id = %chat_id,
draft_id = parsed_draft_id,
"Telegram sendMessageDraft update failed: {error}"
);
return Err(error).context(format!(
"Telegram sendMessageDraft update failed for chat {chat_id} draft_id {parsed_draft_id}"
));
}
return Ok(None);
}
}
// Rate-limit edits per chat
{
let last_edits = self.last_draft_edit.lock();
if let Some(last_time) = last_edits.get(&chat_id) {
let elapsed = u64::try_from(last_time.elapsed().as_millis()).unwrap_or(u64::MAX);
if elapsed < self.draft_update_interval_ms {
return Ok(None);
}
}
}
let message_id_parsed = match message_id.parse::<i64>() {
Ok(id) => id,
Err(e) => {
@ -2936,9 +3093,26 @@ impl Channel for TelegramChannel {
// Clean up rate-limit tracking for this chat
self.last_draft_edit.lock().remove(&chat_id);
let is_native_draft =
self.consume_native_draft_finalize(&chat_id, thread_id.as_deref(), message_id);
// Parse attachments before processing
let (text_without_markers, attachments) = parse_attachment_markers(text);
if is_native_draft {
if !text_without_markers.is_empty() {
self.send_text_chunks(&text_without_markers, &chat_id, thread_id.as_deref())
.await?;
}
for attachment in &attachments {
self.send_attachment(&chat_id, thread_id.as_deref(), attachment)
.await?;
}
return Ok(());
}
// Parse message ID once for reuse
let msg_id = match message_id.parse::<i64>() {
Ok(id) => Some(id),
@ -3104,9 +3278,19 @@ impl Channel for TelegramChannel {
}
async fn cancel_draft(&self, recipient: &str, message_id: &str) -> anyhow::Result<()> {
let (chat_id, _) = Self::parse_reply_target(recipient);
let (chat_id, thread_id) = Self::parse_reply_target(recipient);
self.last_draft_edit.lock().remove(&chat_id);
if self.stream_mode == StreamMode::On
&& Self::is_private_chat_target(&chat_id, thread_id.as_deref())
{
if let Ok(draft_id) = message_id.parse::<i64>() {
if self.unregister_native_draft(&chat_id, draft_id) {
return Ok(());
}
}
}
let message_id = match message_id.parse::<i64>() {
Ok(id) => id,
Err(e) => {
@ -3603,6 +3787,30 @@ mod tests {
.with_streaming(StreamMode::Partial, 750);
assert!(partial.supports_draft_updates());
assert_eq!(partial.draft_update_interval_ms, 750);
let on = TelegramChannel::new("fake-token".into(), vec!["*".into()], false, true)
.with_streaming(StreamMode::On, 750);
assert!(on.supports_draft_updates());
}
#[test]
fn private_chat_detection_excludes_threads_and_negative_chat_ids() {
assert!(TelegramChannel::is_private_chat_target("12345", None));
assert!(!TelegramChannel::is_private_chat_target("-100200300", None));
assert!(!TelegramChannel::is_private_chat_target(
"12345",
Some("789")
));
}
#[test]
fn native_draft_registry_round_trip() {
let ch = TelegramChannel::new("fake-token".into(), vec!["*".into()], false, true);
assert!(!ch.has_native_draft("12345", TELEGRAM_NATIVE_DRAFT_ID));
ch.register_native_draft("12345", TELEGRAM_NATIVE_DRAFT_ID);
assert!(ch.has_native_draft("12345", TELEGRAM_NATIVE_DRAFT_ID));
assert!(ch.unregister_native_draft("12345", TELEGRAM_NATIVE_DRAFT_ID));
assert!(!ch.has_native_draft("12345", TELEGRAM_NATIVE_DRAFT_ID));
}
#[tokio::test]
@ -3641,6 +3849,38 @@ mod tests {
assert!(result.is_ok());
}
#[tokio::test]
async fn update_draft_native_failure_propagates_error() {
let ch = TelegramChannel::new("TEST_TOKEN".into(), vec!["*".into()], false, true)
.with_streaming(StreamMode::On, 0)
// Closed local port guarantees fast, deterministic connection failure.
.with_api_base("http://127.0.0.1:9".to_string());
ch.register_native_draft("12345", TELEGRAM_NATIVE_DRAFT_ID);
let err = ch
.update_draft("12345", "1", "stream update")
.await
.expect_err("native sendMessageDraft failure should propagate")
.to_string();
assert!(err.contains("sendMessageDraft update failed"));
assert!(ch.has_native_draft("12345", TELEGRAM_NATIVE_DRAFT_ID));
}
#[tokio::test]
async fn finalize_draft_missing_native_registry_empty_text_succeeds() {
let ch = TelegramChannel::new("fake-token".into(), vec!["*".into()], false, true)
.with_streaming(StreamMode::On, 0)
.with_api_base("http://127.0.0.1:9".to_string());
assert!(!ch.has_native_draft("12345", TELEGRAM_NATIVE_DRAFT_ID));
let result = ch.finalize_draft("12345", "1", "").await;
assert!(
result.is_ok(),
"native finalize fallback should no-op: {result:?}"
);
assert!(!ch.has_native_draft("12345", TELEGRAM_NATIVE_DRAFT_ID));
}
#[tokio::test]
async fn finalize_draft_invalid_message_id_falls_back_to_chunk_send() {
let ch = TelegramChannel::new("fake-token".into(), vec!["*".into()], false, true)

642
src/config/schema.rs
View File

@ -410,6 +410,17 @@ pub struct ModelProviderConfig {
/// Optional base URL for OpenAI-compatible endpoints.
#[serde(default)]
pub base_url: Option<String>,
/// Optional custom authentication header for `custom:` providers
/// (for example `api-key` for Azure OpenAI).
///
/// Contract:
/// - Default/omitted (`None`): uses the standard `Authorization: Bearer <token>` header.
/// - Compatibility: this key is additive and optional; older runtimes that do not support it
/// ignore the field while continuing to use Bearer auth behavior.
/// - Rollback/migration: remove `auth_header` to return to Bearer-only auth if operators
/// need to downgrade or revert custom-header behavior.
#[serde(default)]
pub auth_header: Option<String>,
/// Provider protocol variant ("responses" or "chat_completions").
#[serde(default)]
pub wire_api: Option<String>,
@ -446,7 +457,6 @@ pub struct ProviderConfig {
#[serde(default)]
pub transport: Option<String>,
}
// ── Delegate Agents ──────────────────────────────────────────────
/// Configuration for a delegate sub-agent used by the `delegate` tool.
@ -1051,6 +1061,14 @@ pub struct AgentConfig {
/// Tool dispatch strategy (e.g. `"auto"`). Default: `"auto"`.
#[serde(default = "default_agent_tool_dispatcher")]
pub tool_dispatcher: String,
/// Optional allowlist for primary-agent tool visibility.
/// When non-empty, only listed tools are exposed to the primary agent.
#[serde(default)]
pub allowed_tools: Vec<String>,
/// Optional denylist for primary-agent tool visibility.
/// Applied after `allowed_tools`.
#[serde(default)]
pub denied_tools: Vec<String>,
/// Agent-team runtime controls for synchronous delegation.
#[serde(default)]
pub teams: AgentTeamsConfig,
@ -1186,6 +1204,8 @@ impl Default for AgentConfig {
max_history_messages: default_agent_max_history_messages(),
parallel_tools: false,
tool_dispatcher: default_agent_tool_dispatcher(),
allowed_tools: Vec::new(),
denied_tools: Vec::new(),
teams: AgentTeamsConfig::default(),
subagents: SubAgentsConfig::default(),
loop_detection_no_progress_threshold: default_loop_detection_no_progress_threshold(),
@ -1212,11 +1232,11 @@ impl Default for AgentSessionConfig {
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, JsonSchema, Default)]
#[serde(rename_all = "snake_case")]
pub enum SkillsPromptInjectionMode {
/// Inline full skill instructions and tool metadata into the system prompt.
#[default]
Full,
/// Inline only compact skill metadata (name/description/location) and load details on demand.
#[default]
Compact,
/// Inline full skill instructions and tool metadata into the system prompt.
Full,
}
fn parse_skills_prompt_injection_mode(raw: &str) -> Option<SkillsPromptInjectionMode> {
@ -1248,7 +1268,8 @@ pub struct SkillsConfig {
#[serde(default)]
pub allow_scripts: bool,
/// Controls how skills are injected into the system prompt.
/// `full` preserves legacy behavior. `compact` keeps context small and loads skills on demand.
/// `compact` (default) keeps context small and loads skills on demand.
/// `full` preserves legacy behavior as an opt-in.
#[serde(default)]
pub prompt_injection_mode: SkillsPromptInjectionMode,
/// Optional ClawhHub API token for authenticated skill downloads.
@ -3355,9 +3376,13 @@ pub enum CommandContextRuleAction {
Allow,
/// Matching context is explicitly denied.
Deny,
/// Matching context requires interactive approval in supervised mode.
///
/// This does not allow a command by itself; allowlist and deny checks still apply.
RequireApproval,
}
/// Context-aware allow/deny rule for shell commands.
/// Context-aware command rule for shell commands.
///
/// Rules are evaluated per command segment. Command matching accepts command
/// names (`curl`), explicit paths (`/usr/bin/curl`), and wildcard (`*`).
@ -3366,6 +3391,8 @@ pub enum CommandContextRuleAction {
/// - `action = "deny"`: if all constraints match, the segment is rejected.
/// - `action = "allow"`: if at least one allow rule exists for a command,
/// segments must match at least one of those allow rules.
/// - `action = "require_approval"`: matching segments require explicit
/// `approved=true` in supervised mode, even when `shell` is auto-approved.
///
/// Constraints are optional:
/// - `allowed_domains`: require URL arguments to match these hosts/patterns.
@ -3378,7 +3405,7 @@ pub struct CommandContextRuleConfig {
/// Command name/path pattern (`git`, `/usr/bin/curl`, or `*`).
pub command: String,
/// Rule action (`allow` | `deny`). Defaults to `allow`.
/// Rule action (`allow` | `deny` | `require_approval`). Defaults to `allow`.
#[serde(default)]
pub action: CommandContextRuleAction,
@ -4001,6 +4028,16 @@ pub struct ReliabilityConfig {
/// Fallback provider chain (e.g. `["anthropic", "openai"]`).
#[serde(default)]
pub fallback_providers: Vec<String>,
/// Optional per-fallback provider API keys keyed by fallback entry name.
/// This allows distinct credentials for multiple `custom:<url>` endpoints.
///
/// Contract:
/// - Default/omitted (`{}` via `#[serde(default)]`): no per-entry override is used.
/// - Compatibility: additive and non-breaking for existing configs that omit this field.
/// - Rollback/migration: remove this map (or specific entries) to revert to provider/env-based
/// credential resolution.
#[serde(default)]
pub fallback_api_keys: std::collections::HashMap<String, String>,
/// Additional API keys for round-robin rotation on rate-limit (429) errors.
/// The primary `api_key` is always tried first; these are extras.
#[serde(default)]
@ -4056,6 +4093,7 @@ impl Default for ReliabilityConfig {
provider_retries: default_provider_retries(),
provider_backoff_ms: default_provider_backoff_ms(),
fallback_providers: Vec::new(),
fallback_api_keys: std::collections::HashMap::new(),
api_keys: Vec::new(),
model_fallbacks: std::collections::HashMap::new(),
channel_initial_backoff_secs: default_channel_backoff_secs(),
@ -4627,6 +4665,8 @@ pub enum StreamMode {
Off,
/// Update a draft message with every flush interval.
Partial,
/// Native streaming for channels that support draft updates directly.
On,
}
/// Progress verbosity for channels that support draft streaming.
@ -5643,7 +5683,7 @@ impl FeishuConfig {
// ── Security Config ─────────────────────────────────────────────────
/// Security configuration for sandboxing, resource limits, and audit logging
#[derive(Debug, Clone, Serialize, Deserialize, Default, JsonSchema)]
#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
pub struct SecurityConfig {
/// Sandbox configuration
#[serde(default)]
@ -5681,11 +5721,33 @@ pub struct SecurityConfig {
#[serde(default)]
pub outbound_leak_guard: OutboundLeakGuardConfig,
/// Enable per-turn canary tokens to detect system-context exfiltration.
#[serde(default = "default_true")]
pub canary_tokens: bool,
/// Shared URL access policy for network-enabled tools.
#[serde(default)]
pub url_access: UrlAccessConfig,
}
impl Default for SecurityConfig {
fn default() -> Self {
Self {
sandbox: SandboxConfig::default(),
resources: ResourceLimitsConfig::default(),
audit: AuditConfig::default(),
otp: OtpConfig::default(),
roles: Vec::default(),
estop: EstopConfig::default(),
syscall_anomaly: SyscallAnomalyConfig::default(),
perplexity_filter: PerplexityFilterConfig::default(),
outbound_leak_guard: OutboundLeakGuardConfig::default(),
canary_tokens: true,
url_access: UrlAccessConfig::default(),
}
}
}
/// Outbound leak handling mode for channel responses.
#[derive(Debug, Clone, Copy, Serialize, Deserialize, Default, JsonSchema, PartialEq, Eq)]
#[serde(rename_all = "kebab-case")]
@ -6843,6 +6905,21 @@ fn decrypt_vec_secrets(
Ok(())
}
fn decrypt_map_secrets(
store: &crate::security::SecretStore,
values: &mut std::collections::HashMap<String, String>,
field_name: &str,
) -> Result<()> {
for (key, value) in values.iter_mut() {
if crate::security::SecretStore::is_encrypted(value) {
*value = store
.decrypt(value)
.with_context(|| format!("Failed to decrypt {field_name}.{key}"))?;
}
}
Ok(())
}
fn encrypt_optional_secret(
store: &crate::security::SecretStore,
value: &mut Option<String>,
@ -6888,6 +6965,21 @@ fn encrypt_vec_secrets(
Ok(())
}
fn encrypt_map_secrets(
store: &crate::security::SecretStore,
values: &mut std::collections::HashMap<String, String>,
field_name: &str,
) -> Result<()> {
for (key, value) in values.iter_mut() {
if !crate::security::SecretStore::is_encrypted(value) {
*value = store
.encrypt(value)
.with_context(|| format!("Failed to encrypt {field_name}.{key}"))?;
}
}
Ok(())
}
fn decrypt_channel_secrets(
store: &crate::security::SecretStore,
channels: &mut ChannelsConfig,
@ -7613,6 +7705,11 @@ impl Config {
&mut config.reliability.api_keys,
"config.reliability.api_keys",
)?;
decrypt_map_secrets(
&store,
&mut config.reliability.fallback_api_keys,
"config.reliability.fallback_api_keys",
)?;
decrypt_vec_secrets(
&store,
&mut config.gateway.paired_tokens,
@ -7702,6 +7799,23 @@ impl Config {
}
}
fn normalize_url_for_profile_match(raw: &str) -> (String, Option<String>) {
let trimmed = raw.trim();
let (path, query) = match trimmed.split_once('?') {
Some((path, query)) => (path, Some(query)),
None => (trimmed, None),
};
(
path.trim_end_matches('/').to_string(),
query.map(|value| value.to_string()),
)
}
fn urls_match_ignoring_trailing_slash(lhs: &str, rhs: &str) -> bool {
Self::normalize_url_for_profile_match(lhs) == Self::normalize_url_for_profile_match(rhs)
}
/// Resolve provider reasoning level with backward-compatible runtime alias.
///
/// Priority:
@ -7755,6 +7869,53 @@ impl Config {
Self::normalize_provider_transport(self.provider.transport.as_deref(), "provider.transport")
}
/// Resolve custom provider auth header from a matching `[model_providers.*]` profile.
///
/// This is used when `default_provider = "custom:<url>"` and a profile with the
/// same `base_url` declares `auth_header` (for example `api-key` for Azure OpenAI).
pub fn effective_custom_provider_auth_header(&self) -> Option<String> {
let custom_provider_url = self
.default_provider
.as_deref()
.map(str::trim)
.and_then(|provider| provider.strip_prefix("custom:"))
.map(str::trim)
.filter(|value| !value.is_empty())?;
let mut profile_keys = self.model_providers.keys().collect::<Vec<_>>();
profile_keys.sort_unstable();
for profile_key in profile_keys {
let Some(profile) = self.model_providers.get(profile_key) else {
continue;
};
let Some(header) = profile
.auth_header
.as_deref()
.map(str::trim)
.filter(|value| !value.is_empty())
else {
continue;
};
let Some(base_url) = profile
.base_url
.as_deref()
.map(str::trim)
.filter(|value| !value.is_empty())
else {
continue;
};
if Self::urls_match_ignoring_trailing_slash(custom_provider_url, base_url) {
return Some(header.to_string());
}
}
None
}
fn lookup_model_provider_profile(
&self,
provider_name: &str,
@ -7889,6 +8050,29 @@ impl Config {
anyhow::bail!("gateway.host must not be empty");
}
// Reliability
let configured_fallbacks = self
.reliability
.fallback_providers
.iter()
.map(|provider| provider.trim())
.filter(|provider| !provider.is_empty())
.collect::<std::collections::HashSet<_>>();
for (entry, api_key) in &self.reliability.fallback_api_keys {
let normalized_entry = entry.trim();
if normalized_entry.is_empty() {
anyhow::bail!("reliability.fallback_api_keys contains an empty key");
}
if api_key.trim().is_empty() {
anyhow::bail!("reliability.fallback_api_keys.{normalized_entry} must not be empty");
}
if !configured_fallbacks.contains(normalized_entry) {
anyhow::bail!(
"reliability.fallback_api_keys.{normalized_entry} has no matching entry in reliability.fallback_providers"
);
}
}
// Autonomy
if self.autonomy.max_actions_per_hour == 0 {
anyhow::bail!("autonomy.max_actions_per_hour must be greater than 0");
@ -8109,6 +8293,30 @@ impl Config {
);
}
}
for (i, tool_name) in self.agent.allowed_tools.iter().enumerate() {
let normalized = tool_name.trim();
if normalized.is_empty() {
anyhow::bail!("agent.allowed_tools[{i}] must not be empty");
}
if !normalized
.chars()
.all(|c| c.is_ascii_alphanumeric() || c == '_' || c == '-' || c == '*')
{
anyhow::bail!("agent.allowed_tools[{i}] contains invalid characters: {normalized}");
}
}
for (i, tool_name) in self.agent.denied_tools.iter().enumerate() {
let normalized = tool_name.trim();
if normalized.is_empty() {
anyhow::bail!("agent.denied_tools[{i}] must not be empty");
}
if !normalized
.chars()
.all(|c| c.is_ascii_alphanumeric() || c == '_' || c == '-' || c == '*')
{
anyhow::bail!("agent.denied_tools[{i}] contains invalid characters: {normalized}");
}
}
let built_in_roles = ["owner", "admin", "operator", "viewer", "guest"];
let mut custom_role_names = std::collections::HashSet::new();
for (i, role) in self.security.roles.iter().enumerate() {
@ -8461,22 +8669,26 @@ impl Config {
}
}
let mut custom_auth_headers_by_base_url: Vec<(String, String, String)> = Vec::new();
for (profile_key, profile) in &self.model_providers {
let profile_name = profile_key.trim();
if profile_name.is_empty() {
anyhow::bail!("model_providers contains an empty profile name");
}
let normalized_base_url = profile
.base_url
.as_deref()
.map(str::trim)
.filter(|value| !value.is_empty())
.map(str::to_string);
let has_name = profile
.name
.as_deref()
.map(str::trim)
.is_some_and(|value| !value.is_empty());
let has_base_url = profile
.base_url
.as_deref()
.map(str::trim)
.is_some_and(|value| !value.is_empty());
let has_base_url = normalized_base_url.is_some();
if !has_name && !has_base_url {
anyhow::bail!(
@ -8484,16 +8696,12 @@ impl Config {
);
}
if let Some(base_url) = profile.base_url.as_deref().map(str::trim) {
if !base_url.is_empty() {
let parsed = reqwest::Url::parse(base_url).with_context(|| {
format!("model_providers.{profile_name}.base_url is not a valid URL")
})?;
if !matches!(parsed.scheme(), "http" | "https") {
anyhow::bail!(
"model_providers.{profile_name}.base_url must use http/https"
);
}
if let Some(base_url) = normalized_base_url.as_deref() {
let parsed = reqwest::Url::parse(base_url).with_context(|| {
format!("model_providers.{profile_name}.base_url is not a valid URL")
})?;
if !matches!(parsed.scheme(), "http" | "https") {
anyhow::bail!("model_providers.{profile_name}.base_url must use http/https");
}
}
@ -8504,6 +8712,42 @@ impl Config {
);
}
}
if let Some(auth_header) = profile.auth_header.as_deref().map(str::trim) {
if !auth_header.is_empty() {
reqwest::header::HeaderName::from_bytes(auth_header.as_bytes()).with_context(
|| {
format!(
"model_providers.{profile_name}.auth_header is invalid; expected a valid HTTP header name"
)
},
)?;
if let Some(base_url) = normalized_base_url.as_deref() {
custom_auth_headers_by_base_url.push((
profile_name.to_string(),
base_url.to_string(),
auth_header.to_string(),
));
}
}
}
}
for left_index in 0..custom_auth_headers_by_base_url.len() {
let (left_profile, left_url, left_header) =
&custom_auth_headers_by_base_url[left_index];
for right_index in (left_index + 1)..custom_auth_headers_by_base_url.len() {
let (right_profile, right_url, right_header) =
&custom_auth_headers_by_base_url[right_index];
if Self::urls_match_ignoring_trailing_slash(left_url, right_url)
&& !left_header.eq_ignore_ascii_case(right_header)
{
anyhow::bail!(
"model_providers.{left_profile} and model_providers.{right_profile} define conflicting auth_header values for equivalent base_url {left_url}"
);
}
}
}
// Ollama cloud-routing safety checks
@ -9312,6 +9556,11 @@ impl Config {
&mut config_to_save.reliability.api_keys,
"config.reliability.api_keys",
)?;
encrypt_map_secrets(
&store,
&mut config_to_save.reliability.fallback_api_keys,
"config.reliability.fallback_api_keys",
)?;
encrypt_vec_secrets(
&store,
&mut config_to_save.gateway.paired_tokens,
@ -9533,7 +9782,7 @@ mod tests {
assert!(!c.skills.allow_scripts);
assert_eq!(
c.skills.prompt_injection_mode,
SkillsPromptInjectionMode::Full
SkillsPromptInjectionMode::Compact
);
assert!(c.workspace_dir.to_string_lossy().contains("workspace"));
assert!(c.config_path.to_string_lossy().contains("config.toml"));
@ -9839,6 +10088,34 @@ allowed_roots = []
.contains("autonomy.command_context_rules[0].allowed_domains[0]"));
}
#[test]
async fn autonomy_command_context_rule_supports_require_approval_action() {
let raw = r#"
level = "supervised"
workspace_only = true
allowed_commands = ["ls", "rm"]
forbidden_paths = ["/etc"]
max_actions_per_hour = 20
max_cost_per_day_cents = 500
require_approval_for_medium_risk = true
block_high_risk_commands = true
shell_env_passthrough = []
auto_approve = ["shell"]
always_ask = []
allowed_roots = []
[[command_context_rules]]
command = "rm"
action = "require_approval"
"#;
let parsed: AutonomyConfig = toml::from_str(raw).expect("autonomy config should parse");
assert_eq!(parsed.command_context_rules.len(), 1);
assert_eq!(
parsed.command_context_rules[0].action,
CommandContextRuleAction::RequireApproval
);
}
#[test]
async fn config_validate_rejects_duplicate_non_cli_excluded_tools() {
let mut cfg = Config::default();
@ -10418,6 +10695,8 @@ reasoning_level = "high"
assert_eq!(cfg.max_history_messages, 50);
assert!(!cfg.parallel_tools);
assert_eq!(cfg.tool_dispatcher, "auto");
assert!(cfg.allowed_tools.is_empty());
assert!(cfg.denied_tools.is_empty());
}
#[test]
@ -10430,6 +10709,8 @@ max_tool_iterations = 20
max_history_messages = 80
parallel_tools = true
tool_dispatcher = "xml"
allowed_tools = ["delegate", "task_plan"]
denied_tools = ["shell"]
"#;
let parsed: Config = toml::from_str(raw).unwrap();
assert!(parsed.agent.compact_context);
@ -10437,6 +10718,11 @@ tool_dispatcher = "xml"
assert_eq!(parsed.agent.max_history_messages, 80);
assert!(parsed.agent.parallel_tools);
assert_eq!(parsed.agent.tool_dispatcher, "xml");
assert_eq!(
parsed.agent.allowed_tools,
vec!["delegate".to_string(), "task_plan".to_string()]
);
assert_eq!(parsed.agent.denied_tools, vec!["shell".to_string()]);
}
#[tokio::test]
@ -10559,6 +10845,10 @@ tool_dispatcher = "xml"
config.web_search.jina_api_key = Some("jina-credential".into());
config.storage.provider.config.db_url = Some("postgres://user:pw@host/db".into());
config.reliability.api_keys = vec!["backup-credential".into()];
config.reliability.fallback_api_keys.insert(
"custom:https://api-a.example.com/v1".into(),
"fallback-a-credential".into(),
);
config.gateway.paired_tokens = vec!["zc_0123456789abcdef".into()];
config.channels_config.telegram = Some(TelegramConfig {
bot_token: "telegram-credential".into(),
@ -10693,6 +10983,16 @@ tool_dispatcher = "xml"
let reliability_key = &stored.reliability.api_keys[0];
assert!(crate::security::SecretStore::is_encrypted(reliability_key));
assert_eq!(store.decrypt(reliability_key).unwrap(), "backup-credential");
let fallback_key = stored
.reliability
.fallback_api_keys
.get("custom:https://api-a.example.com/v1")
.expect("fallback key should exist");
assert!(crate::security::SecretStore::is_encrypted(fallback_key));
assert_eq!(
store.decrypt(fallback_key).unwrap(),
"fallback-a-credential"
);
let paired_token = &stored.gateway.paired_tokens[0];
assert!(crate::security::SecretStore::is_encrypted(paired_token));
@ -10785,6 +11085,13 @@ tool_dispatcher = "xml"
assert!(parsed.group_reply_allowed_sender_ids().is_empty());
}
#[test]
async fn telegram_config_deserializes_stream_mode_on() {
let json = r#"{"bot_token":"tok","allowed_users":[],"stream_mode":"on"}"#;
let parsed: TelegramConfig = serde_json::from_str(json).unwrap();
assert_eq!(parsed.stream_mode, StreamMode::On);
}
#[test]
async fn telegram_config_custom_base_url() {
let json = r#"{"bot_token":"tok","allowed_users":[],"base_url":"https://tapi.bale.ai"}"#;
@ -11242,6 +11549,33 @@ channel_id = "C123"
);
}
#[test]
async fn channels_slack_group_reply_toml_nested_table_deserializes() {
let toml_str = r#"
cli = true
[slack]
bot_token = "xoxb-tok"
app_token = "xapp-tok"
channel_id = "C123"
allowed_users = ["*"]
[slack.group_reply]
mode = "mention_only"
allowed_sender_ids = ["U111", "U222"]
"#;
let parsed: ChannelsConfig = toml::from_str(toml_str).unwrap();
let slack = parsed.slack.expect("slack config should exist");
assert_eq!(
slack.effective_group_reply_mode(),
GroupReplyMode::MentionOnly
);
assert_eq!(
slack.group_reply_allowed_sender_ids(),
vec!["U111".to_string(), "U222".to_string()]
);
}
#[test]
async fn mattermost_group_reply_mode_falls_back_to_legacy_mention_only() {
let json = r#"{
@ -12054,7 +12388,7 @@ requires_openai_auth = true
assert!(config.skills.open_skills_dir.is_none());
assert_eq!(
config.skills.prompt_injection_mode,
SkillsPromptInjectionMode::Full
SkillsPromptInjectionMode::Compact
);
std::env::set_var("ZEROCLAW_OPEN_SKILLS_ENABLED", "true");
@ -12437,6 +12771,7 @@ provider_api = "not-a-real-mode"
ModelProviderConfig {
name: Some("sub2api".to_string()),
base_url: Some("https://api.tonsof.blue/v1".to_string()),
auth_header: None,
wire_api: None,
default_model: None,
api_key: None,
@ -12457,6 +12792,105 @@ provider_api = "not-a-real-mode"
);
}
#[test]
async fn model_provider_profile_surfaces_custom_auth_header_for_matching_custom_provider() {
let _env_guard = env_override_lock().await;
let mut config = Config {
default_provider: Some("azure".to_string()),
model_providers: HashMap::from([(
"azure".to_string(),
ModelProviderConfig {
name: Some("azure".to_string()),
base_url: Some(
"https://resource.openai.azure.com/openai/deployments/my-model/chat/completions?api-version=2024-02-01"
.to_string(),
),
auth_header: Some("api-key".to_string()),
wire_api: None,
default_model: None,
api_key: None,
requires_openai_auth: false,
},
)]),
..Config::default()
};
config.apply_env_overrides();
assert_eq!(
config.default_provider.as_deref(),
Some(
"custom:https://resource.openai.azure.com/openai/deployments/my-model/chat/completions?api-version=2024-02-01"
)
);
assert_eq!(
config.effective_custom_provider_auth_header().as_deref(),
Some("api-key")
);
}
#[test]
async fn model_provider_profile_custom_auth_header_requires_url_match() {
let _env_guard = env_override_lock().await;
let mut config = Config {
default_provider: Some("azure".to_string()),
model_providers: HashMap::from([(
"azure".to_string(),
ModelProviderConfig {
name: Some("azure".to_string()),
base_url: Some(
"https://resource.openai.azure.com/openai/deployments/other-model/chat/completions?api-version=2024-02-01"
.to_string(),
),
auth_header: Some("api-key".to_string()),
wire_api: None,
default_model: None,
api_key: None,
requires_openai_auth: false,
},
)]),
..Config::default()
};
config.apply_env_overrides();
config.default_provider = Some(
"custom:https://resource.openai.azure.com/openai/deployments/my-model/chat/completions?api-version=2024-02-01"
.to_string(),
);
assert!(config.effective_custom_provider_auth_header().is_none());
}
#[test]
async fn model_provider_profile_custom_auth_header_matches_slash_before_query() {
let _env_guard = env_override_lock().await;
let config = Config {
default_provider: Some(
"custom:https://resource.openai.azure.com/openai/deployments/my-model/chat/completions?api-version=2024-02-01"
.to_string(),
),
model_providers: HashMap::from([(
"azure".to_string(),
ModelProviderConfig {
name: Some("azure".to_string()),
base_url: Some(
"https://resource.openai.azure.com/openai/deployments/my-model/chat/completions/?api-version=2024-02-01"
.to_string(),
),
auth_header: Some("api-key".to_string()),
wire_api: None,
default_model: None,
api_key: None,
requires_openai_auth: false,
},
)]),
..Config::default()
};
assert_eq!(
config.effective_custom_provider_auth_header().as_deref(),
Some("api-key")
);
}
#[test]
async fn model_provider_profile_responses_uses_openai_codex_and_openai_key() {
let _env_guard = env_override_lock().await;
@ -12467,6 +12901,7 @@ provider_api = "not-a-real-mode"
ModelProviderConfig {
name: Some("sub2api".to_string()),
base_url: Some("https://api.tonsof.blue".to_string()),
auth_header: None,
wire_api: Some("responses".to_string()),
default_model: None,
api_key: None,
@ -12531,6 +12966,7 @@ provider_api = "not-a-real-mode"
ModelProviderConfig {
name: Some("sub2api".to_string()),
base_url: Some("https://api.tonsof.blue/v1".to_string()),
auth_header: None,
wire_api: Some("ws".to_string()),
default_model: None,
api_key: None,
@ -12546,6 +12982,77 @@ provider_api = "not-a-real-mode"
.contains("wire_api must be one of: responses, chat_completions"));
}
#[test]
async fn validate_rejects_invalid_model_provider_auth_header() {
let _env_guard = env_override_lock().await;
let config = Config {
default_provider: Some("sub2api".to_string()),
model_providers: HashMap::from([(
"sub2api".to_string(),
ModelProviderConfig {
name: Some("sub2api".to_string()),
base_url: Some("https://api.tonsof.blue/v1".to_string()),
auth_header: Some("not a header".to_string()),
wire_api: None,
default_model: None,
api_key: None,
requires_openai_auth: false,
},
)]),
..Config::default()
};
let error = config.validate().expect_err("expected validation failure");
assert!(error.to_string().contains("auth_header is invalid"));
}
#[test]
async fn validate_rejects_conflicting_model_provider_auth_headers_for_same_base_url() {
let _env_guard = env_override_lock().await;
let config = Config {
default_provider: Some(
"custom:https://resource.openai.azure.com/openai/deployments/my-model/chat/completions?api-version=2024-02-01"
.to_string(),
),
model_providers: HashMap::from([
(
"azure_a".to_string(),
ModelProviderConfig {
name: Some("openai".to_string()),
base_url: Some(
"https://resource.openai.azure.com/openai/deployments/my-model/chat/completions?api-version=2024-02-01"
.to_string(),
),
auth_header: Some("api-key".to_string()),
wire_api: None,
default_model: None,
api_key: None,
requires_openai_auth: false,
},
),
(
"azure_b".to_string(),
ModelProviderConfig {
name: Some("openai".to_string()),
base_url: Some(
"https://resource.openai.azure.com/openai/deployments/my-model/chat/completions/?api-version=2024-02-01"
.to_string(),
),
auth_header: Some("x-api-key".to_string()),
wire_api: None,
default_model: None,
api_key: None,
requires_openai_auth: false,
},
),
]),
..Config::default()
};
let error = config.validate().expect_err("expected validation failure");
assert!(error.to_string().contains("conflicting auth_header values"));
}
#[test]
async fn model_provider_profile_uses_profile_api_key_when_global_is_missing() {
let _env_guard = env_override_lock().await;
@ -12557,6 +13064,7 @@ provider_api = "not-a-real-mode"
ModelProviderConfig {
name: Some("sub2api".to_string()),
base_url: Some("https://api.tonsof.blue/v1".to_string()),
auth_header: None,
wire_api: None,
default_model: None,
api_key: Some("profile-api-key".to_string()),
@ -12581,6 +13089,7 @@ provider_api = "not-a-real-mode"
ModelProviderConfig {
name: Some("sub2api".to_string()),
base_url: Some("https://api.tonsof.blue/v1".to_string()),
auth_header: None,
wire_api: None,
default_model: Some("qwen-max".to_string()),
api_key: None,
@ -14148,6 +14657,7 @@ default_temperature = 0.7
OutboundLeakGuardAction::Redact
);
assert_eq!(parsed.security.outbound_leak_guard.sensitivity, 0.7);
assert!(parsed.security.canary_tokens);
}
#[test]
@ -14158,6 +14668,9 @@ default_provider = "openrouter"
default_model = "anthropic/claude-sonnet-4.6"
default_temperature = 0.7
[security]
canary_tokens = false
[security.otp]
enabled = true
method = "totp"
@ -14239,6 +14752,7 @@ sensitivity = 0.9
OutboundLeakGuardAction::Block
);
assert_eq!(parsed.security.outbound_leak_guard.sensitivity, 0.9);
assert!(!parsed.security.canary_tokens);
assert_eq!(parsed.security.otp.gated_actions.len(), 2);
assert_eq!(parsed.security.otp.gated_domains.len(), 2);
assert_eq!(
@ -14261,6 +14775,50 @@ sensitivity = 0.9
assert!(err.to_string().contains("gated_domains"));
}
#[test]
async fn agent_validation_rejects_empty_allowed_tool_entry() {
let mut config = Config::default();
config.agent.allowed_tools = vec![" ".to_string()];
let err = config
.validate()
.expect_err("expected invalid agent allowed_tools entry");
assert!(err.to_string().contains("agent.allowed_tools"));
}
#[test]
async fn agent_validation_rejects_invalid_allowed_tool_chars() {
let mut config = Config::default();
config.agent.allowed_tools = vec!["bad tool".to_string()];
let err = config
.validate()
.expect_err("expected invalid agent allowed_tools chars");
assert!(err.to_string().contains("agent.allowed_tools"));
}
#[test]
async fn agent_validation_rejects_empty_denied_tool_entry() {
let mut config = Config::default();
config.agent.denied_tools = vec![" ".to_string()];
let err = config
.validate()
.expect_err("expected invalid agent denied_tools entry");
assert!(err.to_string().contains("agent.denied_tools"));
}
#[test]
async fn agent_validation_rejects_invalid_denied_tool_chars() {
let mut config = Config::default();
config.agent.denied_tools = vec!["bad/tool".to_string()];
let err = config
.validate()
.expect_err("expected invalid agent denied_tools chars");
assert!(err.to_string().contains("agent.denied_tools"));
}
#[test]
async fn security_validation_rejects_invalid_url_access_cidr() {
let mut config = Config::default();
@ -14329,6 +14887,40 @@ sensitivity = 0.9
.contains("security.url_access.enforce_domain_allowlist"));
}
#[test]
async fn reliability_validation_rejects_empty_fallback_api_key_value() {
let mut config = Config::default();
config.reliability.fallback_providers = vec!["openrouter".to_string()];
config
.reliability
.fallback_api_keys
.insert("openrouter".to_string(), " ".to_string());
let err = config
.validate()
.expect_err("expected fallback_api_keys empty value validation failure");
assert!(err
.to_string()
.contains("reliability.fallback_api_keys.openrouter must not be empty"));
}
#[test]
async fn reliability_validation_rejects_unmapped_fallback_api_key_entry() {
let mut config = Config::default();
config.reliability.fallback_providers = vec!["openrouter".to_string()];
config
.reliability
.fallback_api_keys
.insert("anthropic".to_string(), "sk-ant-test".to_string());
let err = config
.validate()
.expect_err("expected fallback_api_keys mapping validation failure");
assert!(err
.to_string()
.contains("reliability.fallback_api_keys.anthropic has no matching entry"));
}
#[test]
async fn security_validation_rejects_invalid_http_credential_profile_env_var() {
let mut config = Config::default();

28
src/cron/scheduler.rs
View File

@ -469,13 +469,27 @@ pub(crate) async fn deliver_announcement(
"feishu" => {
#[cfg(feature = "channel-lark")]
{
let feishu = config
.channels_config
.feishu
.as_ref()
.ok_or_else(|| anyhow::anyhow!("feishu channel not configured"))?;
let channel = LarkChannel::from_feishu_config(feishu);
channel.send(&SendMessage::new(output, target)).await?;
// Try [channels_config.feishu] first, then fall back to [channels_config.lark] with use_feishu=true
if let Some(feishu_cfg) = &config.channels_config.feishu {
let channel = LarkChannel::from_feishu_config(feishu_cfg);
channel.send(&SendMessage::new(output, target)).await?;
} else if let Some(lark_cfg) = &config.channels_config.lark {
if lark_cfg.use_feishu {
let channel = LarkChannel::from_config(lark_cfg);
channel.send(&SendMessage::new(output, target)).await?;
} else {
anyhow::bail!(
"feishu channel not configured: [channels_config.feishu] is missing \
and [channels_config.lark] exists but use_feishu=false"
);
}
} else {
anyhow::bail!(
"feishu channel not configured: \
neither [channels_config.feishu] nor [channels_config.lark] \
with use_feishu=true is configured"
);
}
}
#[cfg(not(feature = "channel-lark"))]
{

129
src/daemon/mod.rs
View File

@ -7,6 +7,54 @@ use tokio::task::JoinHandle;
use tokio::time::Duration;
const STATUS_FLUSH_SECONDS: u64 = 5;
const SHUTDOWN_GRACE_SECONDS: u64 = 5;
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum ShutdownSignal {
CtrlC,
SigTerm,
}
fn shutdown_reason(signal: ShutdownSignal) -> &'static str {
match signal {
ShutdownSignal::CtrlC => "shutdown requested (SIGINT)",
ShutdownSignal::SigTerm => "shutdown requested (SIGTERM)",
}
}
#[cfg(unix)]
fn shutdown_hint() -> &'static str {
"Ctrl+C or SIGTERM to stop"
}
#[cfg(not(unix))]
fn shutdown_hint() -> &'static str {
"Ctrl+C to stop"
}
async fn wait_for_shutdown_signal() -> Result<ShutdownSignal> {
#[cfg(unix)]
{
use tokio::signal::unix::{signal, SignalKind};
let mut sigterm = signal(SignalKind::terminate())?;
tokio::select! {
ctrl_c = tokio::signal::ctrl_c() => {
ctrl_c?;
Ok(ShutdownSignal::CtrlC)
}
sigterm_result = sigterm.recv() => match sigterm_result {
Some(()) => Ok(ShutdownSignal::SigTerm),
None => bail!("SIGTERM signal stream unexpectedly closed"),
},
}
}
#[cfg(not(unix))]
{
tokio::signal::ctrl_c().await?;
Ok(ShutdownSignal::CtrlC)
}
}
pub async fn run(config: Config, host: String, port: u16) -> Result<()> {
// Pre-flight: check if port is already in use by another zeroclaw daemon
@ -106,19 +154,40 @@ pub async fn run(config: Config, host: String, port: u16) -> Result<()> {
println!("🧠 ZeroClaw daemon started");
println!(" Gateway: http://{host}:{port}");
println!(" Components: gateway, channels, heartbeat, scheduler");
println!(" Ctrl+C to stop");
println!(" {}", shutdown_hint());
tokio::signal::ctrl_c().await?;
crate::health::mark_component_error("daemon", "shutdown requested");
let signal = wait_for_shutdown_signal().await?;
crate::health::mark_component_error("daemon", shutdown_reason(signal));
let aborted =
shutdown_handles_with_grace(handles, Duration::from_secs(SHUTDOWN_GRACE_SECONDS)).await;
if aborted > 0 {
tracing::warn!(
aborted,
grace_seconds = SHUTDOWN_GRACE_SECONDS,
"Forced shutdown for daemon tasks that exceeded graceful drain window"
);
}
Ok(())
}
async fn shutdown_handles_with_grace(handles: Vec<JoinHandle<()>>, grace: Duration) -> usize {
let deadline = tokio::time::Instant::now() + grace;
while !handles.iter().all(JoinHandle::is_finished) && tokio::time::Instant::now() < deadline {
tokio::time::sleep(Duration::from_millis(50)).await;
}
let mut aborted = 0usize;
for handle in &handles {
handle.abort();
if !handle.is_finished() {
handle.abort();
aborted += 1;
}
}
for handle in handles {
let _ = handle.await;
}
Ok(())
aborted
}
pub fn state_file_path(config: &Config) -> PathBuf {
@ -444,6 +513,54 @@ mod tests {
assert_eq!(path, tmp.path().join("daemon_state.json"));
}
#[test]
fn shutdown_reason_for_ctrl_c_mentions_sigint() {
assert_eq!(
shutdown_reason(ShutdownSignal::CtrlC),
"shutdown requested (SIGINT)"
);
}
#[test]
fn shutdown_reason_for_sigterm_mentions_sigterm() {
assert_eq!(
shutdown_reason(ShutdownSignal::SigTerm),
"shutdown requested (SIGTERM)"
);
}
#[test]
fn shutdown_hint_matches_platform_signal_support() {
#[cfg(unix)]
assert_eq!(shutdown_hint(), "Ctrl+C or SIGTERM to stop");
#[cfg(not(unix))]
assert_eq!(shutdown_hint(), "Ctrl+C to stop");
}
#[tokio::test]
async fn graceful_shutdown_waits_for_completed_handles_without_abort() {
let finished = tokio::spawn(async {});
let aborted = shutdown_handles_with_grace(vec![finished], Duration::from_millis(20)).await;
assert_eq!(aborted, 0);
}
#[tokio::test]
async fn graceful_shutdown_aborts_stuck_handles_after_timeout() {
let never_finishes = tokio::spawn(async {
tokio::time::sleep(Duration::from_secs(30)).await;
});
let started = tokio::time::Instant::now();
let aborted =
shutdown_handles_with_grace(vec![never_finishes], Duration::from_millis(20)).await;
assert_eq!(aborted, 1);
assert!(
started.elapsed() < Duration::from_secs(2),
"shutdown should not block indefinitely"
);
}
#[tokio::test]
async fn supervisor_marks_error_and_restart_on_failure() {
let handle = spawn_component_supervisor("daemon-test-fail", 1, 1, || async {

107
src/gateway/mod.rs
View File

@ -33,7 +33,8 @@ use anyhow::{Context, Result};
use axum::{
body::{Body, Bytes},
extract::{ConnectInfo, Query, State},
http::{header, HeaderMap, StatusCode},
http::{header, HeaderMap, HeaderValue, StatusCode},
middleware::{self, Next},
response::{IntoResponse, Json, Response},
routing::{delete, get, post, put},
Router,
@ -59,6 +60,27 @@ pub const RATE_LIMIT_MAX_KEYS_DEFAULT: usize = 10_000;
/// Fallback max distinct idempotency keys retained in gateway memory.
pub const IDEMPOTENCY_MAX_KEYS_DEFAULT: usize = 10_000;
/// Middleware that injects security headers on every HTTP response.
async fn security_headers_middleware(req: axum::extract::Request, next: Next) -> Response {
let mut response = next.run(req).await;
let headers = response.headers_mut();
headers.insert(
header::X_CONTENT_TYPE_OPTIONS,
HeaderValue::from_static("nosniff"),
);
headers.insert(header::X_FRAME_OPTIONS, HeaderValue::from_static("DENY"));
// Only set Cache-Control if not already set by handler (e.g., SSE uses no-cache)
headers
.entry(header::CACHE_CONTROL)
.or_insert(HeaderValue::from_static("no-store"));
headers.insert(header::X_XSS_PROTECTION, HeaderValue::from_static("0"));
headers.insert(
header::REFERRER_POLICY,
HeaderValue::from_static("strict-origin-when-cross-origin"),
);
response
}
fn webhook_memory_key() -> String {
format!("webhook_msg_{}", Uuid::new_v4())
}
@ -387,7 +409,9 @@ pub async fn run_gateway(host: &str, port: u16, config: Config) -> Result<()> {
if is_public_bind(host) && config.tunnel.provider == "none" && !config.gateway.allow_public_bind
{
anyhow::bail!(
"🛑 Refusing to bind to {host} — gateway would be exposed to the internet.\n\
"🛑 Refusing to bind to {host} — gateway would be reachable outside localhost\n\
(for example from your local network, and potentially the internet\n\
depending on your router/firewall setup).\n\
Fix: use --host 127.0.0.1 (default), configure a tunnel, or set\n\
[gateway] allow_public_bind = true in config.toml (NOT recommended)."
);
@ -416,6 +440,7 @@ pub async fn run_gateway(host: &str, port: u16, config: Config) -> Result<()> {
reasoning_enabled: config.runtime.reasoning_enabled,
reasoning_level: config.effective_provider_reasoning_level(),
custom_provider_api_mode: config.provider_api.map(|mode| mode.as_compatible_mode()),
custom_provider_auth_header: config.effective_custom_provider_auth_header(),
max_tokens_override: None,
model_support_vision: config.model_support_vision,
},
@ -883,6 +908,7 @@ pub async fn run_gateway(host: &str, port: u16, config: Config) -> Result<()> {
.merge(config_put_router)
.with_state(state)
.layer(RequestBodyLimitLayer::new(MAX_BODY_SIZE))
.layer(middleware::from_fn(security_headers_middleware))
.layer(TimeoutLayer::with_status_code(
StatusCode::REQUEST_TIMEOUT,
Duration::from_secs(REQUEST_TIMEOUT_SECS),
@ -5716,4 +5742,81 @@ Reminder set successfully."#;
// Should be allowed again
assert!(limiter.allow("burst-ip"));
}
#[tokio::test]
async fn security_headers_are_set_on_responses() {
use axum::body::Body;
use axum::http::Request;
use tower::ServiceExt;
let app =
Router::new()
.route("/test", get(|| async { "ok" }))
.layer(axum::middleware::from_fn(
super::security_headers_middleware,
));
let req = Request::builder().uri("/test").body(Body::empty()).unwrap();
let response = app.oneshot(req).await.unwrap();
assert_eq!(
response
.headers()
.get(header::X_CONTENT_TYPE_OPTIONS)
.unwrap(),
"nosniff"
);
assert_eq!(
response.headers().get(header::X_FRAME_OPTIONS).unwrap(),
"DENY"
);
assert_eq!(
response.headers().get(header::CACHE_CONTROL).unwrap(),
"no-store"
);
assert_eq!(
response.headers().get(header::X_XSS_PROTECTION).unwrap(),
"0"
);
assert_eq!(
response.headers().get(header::REFERRER_POLICY).unwrap(),
"strict-origin-when-cross-origin"
);
}
#[tokio::test]
async fn security_headers_are_set_on_error_responses() {
use axum::body::Body;
use axum::http::{Request, StatusCode};
use tower::ServiceExt;
let app = Router::new()
.route(
"/error",
get(|| async { StatusCode::INTERNAL_SERVER_ERROR }),
)
.layer(axum::middleware::from_fn(
super::security_headers_middleware,
));
let req = Request::builder()
.uri("/error")
.body(Body::empty())
.unwrap();
let response = app.oneshot(req).await.unwrap();
assert_eq!(response.status(), StatusCode::INTERNAL_SERVER_ERROR);
assert_eq!(
response
.headers()
.get(header::X_CONTENT_TYPE_OPTIONS)
.unwrap(),
"nosniff"
);
assert_eq!(
response.headers().get(header::X_FRAME_OPTIONS).unwrap(),
"DENY"
);
}
}

2
src/integrations/mod.rs
View File

@ -305,7 +305,7 @@ fn show_integration_info(config: &Config, name: &str) -> Result<()> {
_ => {
if status == IntegrationStatus::ComingSoon {
println!(" This integration is planned. Stay tuned!");
println!(" Track progress: https://github.com/theonlyhennygod/zeroclaw");
println!(" Track progress: https://github.com/zeroclaw-labs/zeroclaw");
}
}
}

2
src/lib.rs
View File

@ -108,6 +108,8 @@ pub mod runtime;
pub(crate) mod security;
pub(crate) mod service;
pub(crate) mod skills;
#[cfg(test)]
pub(crate) mod test_locks;
pub mod tools;
pub(crate) mod tunnel;
pub mod update;

58
src/main.rs
View File

@ -173,6 +173,8 @@ mod security;
mod service;
mod skillforge;
mod skills;
#[cfg(test)]
mod test_locks;
mod tools;
mod tunnel;
mod update;
@ -234,6 +236,10 @@ enum Commands {
#[arg(long)]
interactive: bool,
/// Run the full-screen TUI onboarding flow (ratatui)
#[arg(long)]
interactive_ui: bool,
/// Overwrite existing config without confirmation
#[arg(long)]
force: bool,
@ -242,7 +248,7 @@ enum Commands {
#[arg(long)]
channels_only: bool,
/// API key (used in quick mode, ignored with --interactive)
/// API key (used in quick mode, ignored with --interactive or --interactive-ui)
#[arg(long)]
api_key: Option<String>,
@ -916,12 +922,14 @@ async fn main() -> Result<()> {
tracing::subscriber::set_global_default(subscriber).expect("setting default subscriber failed");
// Onboard runs quick setup by default, or the interactive wizard with --interactive.
// Onboard runs quick setup by default, interactive wizard with --interactive,
// or full-screen TUI with --interactive-ui.
// The onboard wizard uses reqwest::blocking internally, which creates its own
// Tokio runtime. To avoid "Cannot drop a runtime in a context where blocking is
// not allowed", we run the wizard on a blocking thread via spawn_blocking.
if let Commands::Onboard {
interactive,
interactive_ui,
force,
channels_only,
api_key,
@ -935,6 +943,7 @@ async fn main() -> Result<()> {
} = &cli.command
{
let interactive = *interactive;
let interactive_ui = *interactive_ui;
let force = *force;
let channels_only = *channels_only;
let api_key = api_key.clone();
@ -948,9 +957,26 @@ async fn main() -> Result<()> {
let openclaw_migration_enabled =
migrate_openclaw || openclaw_source.is_some() || openclaw_config.is_some();
if interactive && interactive_ui {
bail!("Use either --interactive or --interactive-ui, not both");
}
if interactive && channels_only {
bail!("Use either --interactive or --channels-only, not both");
}
if interactive_ui && channels_only {
bail!("Use either --interactive-ui or --channels-only, not both");
}
if interactive_ui
&& (api_key.is_some()
|| provider.is_some()
|| model.is_some()
|| memory.is_some()
|| no_totp)
{
bail!(
"--interactive-ui does not accept --api-key, --provider, --model, --memory, or --no-totp"
);
}
if channels_only
&& (api_key.is_some()
|| provider.is_some()
@ -970,6 +996,16 @@ async fn main() -> Result<()> {
}
let config = if channels_only {
Box::pin(onboard::run_channels_repair_wizard()).await
} else if interactive_ui {
Box::pin(onboard::run_wizard_tui_with_migration(
force,
onboard::OpenClawOnboardMigrationOptions {
enabled: openclaw_migration_enabled,
source_workspace: openclaw_source,
source_config: openclaw_config,
},
))
.await
} else if interactive {
Box::pin(onboard::run_wizard_with_migration(
force,
@ -2607,6 +2643,24 @@ mod tests {
}
}
#[test]
fn onboard_cli_accepts_interactive_ui_flag() {
let cli = Cli::try_parse_from(["zeroclaw", "onboard", "--interactive-ui"])
.expect("onboard --interactive-ui should parse");
match cli.command {
Commands::Onboard {
interactive,
interactive_ui,
..
} => {
assert!(!interactive);
assert!(interactive_ui);
}
other => panic!("expected onboard command, got {other:?}"),
}
}
#[test]
fn onboard_cli_accepts_no_totp_flag() {
let cli = Cli::try_parse_from(["zeroclaw", "onboard", "--no-totp"])

5
src/onboard/mod.rs
View File

@ -1,7 +1,10 @@
pub mod tui;
pub mod wizard;
// Re-exported for CLI and external use
#[allow(unused_imports)]
pub use tui::{run_wizard_tui, run_wizard_tui_with_migration};
#[allow(unused_imports)]
pub use wizard::{
run_channels_repair_wizard, run_models_list, run_models_refresh, run_models_refresh_all,
run_models_set, run_models_status, run_quick_setup, run_quick_setup_with_migration, run_wizard,
@ -21,6 +24,8 @@ mod tests {
assert_reexport_exists(run_quick_setup);
assert_reexport_exists(run_quick_setup_with_migration);
assert_reexport_exists(run_wizard_with_migration);
assert_reexport_exists(run_wizard_tui);
assert_reexport_exists(run_wizard_tui_with_migration);
let _: Option<OpenClawOnboardMigrationOptions> = None;
assert_reexport_exists(run_models_refresh);
assert_reexport_exists(run_models_list);

2682
src/onboard/tui.rs Normal file
View File

File diff suppressed because it is too large Load Diff

396
src/onboard/wizard.rs
View File

File diff suppressed because it is too large Load Diff

1
src/plugins/runtime.rs
View File

@ -530,6 +530,7 @@ description = "{tool} description"
#[test]
fn initialize_from_config_applies_updated_plugin_dirs() {
let _guard = crate::test_locks::PLUGIN_RUNTIME_LOCK.lock();
let dir_a = TempDir::new().expect("temp dir a");
let dir_b = TempDir::new().expect("temp dir b");
write_manifest(

90
src/providers/compatible.rs
View File

@ -317,22 +317,26 @@ impl OpenAiCompatibleProvider {
/// This allows custom providers with non-standard endpoints (e.g., VolcEngine ARK uses
/// `/api/coding/v3/chat/completions` instead of `/v1/chat/completions`).
fn chat_completions_url(&self) -> String {
let has_full_endpoint = reqwest::Url::parse(&self.base_url)
.map(|url| {
url.path()
.trim_end_matches('/')
.ends_with("/chat/completions")
})
.unwrap_or_else(|_| {
self.base_url
.trim_end_matches('/')
.ends_with("/chat/completions")
});
if let Ok(mut url) = reqwest::Url::parse(&self.base_url) {
let path = url.path().trim_end_matches('/').to_string();
if path.ends_with("/chat/completions") {
return url.to_string();
}
if has_full_endpoint {
self.base_url.clone()
let target_path = if path.is_empty() || path == "/" {
"/chat/completions".to_string()
} else {
format!("{path}/chat/completions")
};
url.set_path(&target_path);
return url.to_string();
}
let normalized = self.base_url.trim_end_matches('/');
if normalized.ends_with("/chat/completions") {
normalized.to_string()
} else {
format!("{}/chat/completions", self.base_url)
format!("{normalized}/chat/completions")
}
}
@ -355,19 +359,32 @@ impl OpenAiCompatibleProvider {
/// Build the full URL for responses API, detecting if base_url already includes the path.
fn responses_url(&self) -> String {
if let Ok(mut url) = reqwest::Url::parse(&self.base_url) {
let path = url.path().trim_end_matches('/').to_string();
let target_path = if path.ends_with("/responses") {
return url.to_string();
} else if let Some(prefix) = path.strip_suffix("/chat/completions") {
format!("{prefix}/responses")
} else if !path.is_empty() && path != "/" {
format!("{path}/responses")
} else {
"/v1/responses".to_string()
};
url.set_path(&target_path);
return url.to_string();
}
if self.path_ends_with("/responses") {
return self.base_url.clone();
}
let normalized_base = self.base_url.trim_end_matches('/');
// If chat endpoint is explicitly configured, derive sibling responses endpoint.
if let Some(prefix) = normalized_base.strip_suffix("/chat/completions") {
return format!("{prefix}/responses");
}
// If an explicit API path already exists (e.g. /v1, /openai, /api/coding/v3),
// append responses directly to avoid duplicate /v1 segments.
if self.has_explicit_api_path() {
format!("{normalized_base}/responses")
} else {
@ -3318,6 +3335,32 @@ mod tests {
);
}
#[test]
fn chat_completions_url_preserves_query_params_for_full_endpoint() {
let p = make_provider(
"custom",
"https://resource.openai.azure.com/openai/deployments/my-model/chat/completions?api-version=2024-02-01",
None,
);
assert_eq!(
p.chat_completions_url(),
"https://resource.openai.azure.com/openai/deployments/my-model/chat/completions?api-version=2024-02-01"
);
}
#[test]
fn chat_completions_url_appends_path_before_existing_query_params() {
let p = make_provider(
"custom",
"https://resource.openai.azure.com/openai/deployments/my-model?api-version=2024-02-01",
None,
);
assert_eq!(
p.chat_completions_url(),
"https://resource.openai.azure.com/openai/deployments/my-model/chat/completions?api-version=2024-02-01"
);
}
#[test]
fn chat_completions_url_requires_exact_suffix_match() {
let p = make_provider(
@ -3365,6 +3408,19 @@ mod tests {
);
}
#[test]
fn responses_url_preserves_query_params_from_chat_endpoint() {
let p = make_provider(
"custom",
"https://resource.openai.azure.com/openai/deployments/my-model/chat/completions?api-version=2024-02-01",
None,
);
assert_eq!(
p.responses_url(),
"https://resource.openai.azure.com/openai/deployments/my-model/responses?api-version=2024-02-01"
);
}
#[test]
fn responses_url_derives_from_chat_endpoint() {
let p = make_provider(

107
src/providers/mod.rs
View File

@ -742,6 +742,7 @@ pub struct ProviderRuntimeOptions {
pub reasoning_enabled: Option<bool>,
pub reasoning_level: Option<String>,
pub custom_provider_api_mode: Option<CompatibleApiMode>,
pub custom_provider_auth_header: Option<String>,
pub max_tokens_override: Option<u32>,
pub model_support_vision: Option<bool>,
}
@ -757,6 +758,7 @@ impl Default for ProviderRuntimeOptions {
reasoning_enabled: None,
reasoning_level: None,
custom_provider_api_mode: None,
custom_provider_auth_header: None,
max_tokens_override: None,
model_support_vision: None,
}
@ -1103,6 +1105,35 @@ fn parse_custom_provider_url(
}
}
fn resolve_custom_provider_auth_style(options: &ProviderRuntimeOptions) -> AuthStyle {
let Some(header) = options
.custom_provider_auth_header
.as_deref()
.map(str::trim)
.filter(|value| !value.is_empty())
else {
return AuthStyle::Bearer;
};
if header.eq_ignore_ascii_case("authorization") {
return AuthStyle::Bearer;
}
if header.eq_ignore_ascii_case("x-api-key") {
return AuthStyle::XApiKey;
}
match reqwest::header::HeaderName::from_bytes(header.as_bytes()) {
Ok(_) => AuthStyle::Custom(header.to_string()),
Err(error) => {
tracing::warn!(
"Ignoring invalid custom provider auth header and falling back to Bearer: {error}"
);
AuthStyle::Bearer
}
}
}
/// Factory: create the right provider from config (without custom URL)
pub fn create_provider(name: &str, api_key: Option<&str>) -> anyhow::Result<Box<dyn Provider>> {
create_provider_with_options(name, api_key, &ProviderRuntimeOptions::default())
@ -1523,11 +1554,12 @@ fn create_provider_with_url_and_options(
let api_mode = options
.custom_provider_api_mode
.unwrap_or(CompatibleApiMode::OpenAiChatCompletions);
let auth_style = resolve_custom_provider_auth_style(options);
Ok(Box::new(OpenAiCompatibleProvider::new_custom_with_mode(
"Custom",
&base_url,
key,
AuthStyle::Bearer,
auth_style,
true,
api_mode,
options.max_tokens_override,
@ -1621,15 +1653,22 @@ pub fn create_resilient_provider_with_options(
let (provider_name, profile_override) = parse_provider_profile(fallback);
// Each fallback provider resolves its own credential via provider-
// specific env vars (e.g. DEEPSEEK_API_KEY for "deepseek") instead
// of inheriting the primary provider's key. Passing `None` lets
// `resolve_provider_credential` check the correct env var for the
// fallback provider name.
// Fallback providers can use explicit per-entry API keys from
// `reliability.fallback_api_keys` (keyed by full fallback entry), or
// fall back to provider-name keys for compatibility.
//
// If no explicit map entry exists, pass `None` so
// `resolve_provider_credential` can resolve provider-specific env vars.
//
// When a profile override is present (e.g. "openai-codex:second"),
// propagate it through `auth_profile_override` so the provider
// picks up the correct OAuth credential set.
let fallback_api_key = reliability
.fallback_api_keys
.get(fallback)
.or_else(|| reliability.fallback_api_keys.get(provider_name))
.map(String::as_str);
let fallback_options = match profile_override {
Some(profile) => {
let mut opts = options.clone();
@ -1639,11 +1678,11 @@ pub fn create_resilient_provider_with_options(
None => options.clone(),
};
match create_provider_with_options(provider_name, None, &fallback_options) {
match create_provider_with_options(provider_name, fallback_api_key, &fallback_options) {
Ok(provider) => providers.push((fallback.clone(), provider)),
Err(_error) => {
tracing::warn!(
fallback_provider = fallback,
fallback_provider = provider_name,
"Ignoring invalid fallback provider during initialization"
);
}
@ -2917,6 +2956,51 @@ mod tests {
assert!(p.is_ok());
}
#[test]
fn custom_provider_auth_style_defaults_to_bearer() {
let options = ProviderRuntimeOptions::default();
assert!(matches!(
resolve_custom_provider_auth_style(&options),
AuthStyle::Bearer
));
}
#[test]
fn custom_provider_auth_style_maps_x_api_key() {
let options = ProviderRuntimeOptions {
custom_provider_auth_header: Some("x-api-key".to_string()),
..ProviderRuntimeOptions::default()
};
assert!(matches!(
resolve_custom_provider_auth_style(&options),
AuthStyle::XApiKey
));
}
#[test]
fn custom_provider_auth_style_maps_custom_header() {
let options = ProviderRuntimeOptions {
custom_provider_auth_header: Some("api-key".to_string()),
..ProviderRuntimeOptions::default()
};
assert!(matches!(
resolve_custom_provider_auth_style(&options),
AuthStyle::Custom(header) if header == "api-key"
));
}
#[test]
fn custom_provider_auth_style_invalid_header_falls_back_to_bearer() {
let options = ProviderRuntimeOptions {
custom_provider_auth_header: Some("not a header".to_string()),
..ProviderRuntimeOptions::default()
};
assert!(matches!(
resolve_custom_provider_auth_style(&options),
AuthStyle::Bearer
));
}
// ── Anthropic-compatible custom endpoints ─────────────────
#[test]
@ -3027,6 +3111,7 @@ providers = ["demo-plugin-provider"]
"openai".into(),
"openai".into(),
],
fallback_api_keys: std::collections::HashMap::new(),
api_keys: Vec::new(),
model_fallbacks: std::collections::HashMap::new(),
channel_initial_backoff_secs: 2,
@ -3066,6 +3151,7 @@ providers = ["demo-plugin-provider"]
provider_retries: 1,
provider_backoff_ms: 100,
fallback_providers: vec!["lmstudio".into(), "ollama".into()],
fallback_api_keys: std::collections::HashMap::new(),
api_keys: Vec::new(),
model_fallbacks: std::collections::HashMap::new(),
channel_initial_backoff_secs: 2,
@ -3088,6 +3174,7 @@ providers = ["demo-plugin-provider"]
provider_retries: 1,
provider_backoff_ms: 100,
fallback_providers: vec!["custom:http://host.docker.internal:1234/v1".into()],
fallback_api_keys: std::collections::HashMap::new(),
api_keys: Vec::new(),
model_fallbacks: std::collections::HashMap::new(),
channel_initial_backoff_secs: 2,
@ -3114,6 +3201,7 @@ providers = ["demo-plugin-provider"]
"nonexistent-provider".into(),
"lmstudio".into(),
],
fallback_api_keys: std::collections::HashMap::new(),
api_keys: Vec::new(),
model_fallbacks: std::collections::HashMap::new(),
channel_initial_backoff_secs: 2,
@ -3146,6 +3234,7 @@ providers = ["demo-plugin-provider"]
provider_retries: 1,
provider_backoff_ms: 100,
fallback_providers: vec!["osaurus".into(), "lmstudio".into()],
fallback_api_keys: std::collections::HashMap::new(),
api_keys: Vec::new(),
model_fallbacks: std::collections::HashMap::new(),
channel_initial_backoff_secs: 2,
@ -3685,6 +3774,7 @@ providers = ["demo-plugin-provider"]
provider_retries: 1,
provider_backoff_ms: 100,
fallback_providers: vec!["openai-codex:second".into()],
fallback_api_keys: std::collections::HashMap::new(),
api_keys: Vec::new(),
model_fallbacks: std::collections::HashMap::new(),
channel_initial_backoff_secs: 2,
@ -3714,6 +3804,7 @@ providers = ["demo-plugin-provider"]
"lmstudio".into(),
"nonexistent-provider".into(),
],
fallback_api_keys: std::collections::HashMap::new(),
api_keys: Vec::new(),
model_fallbacks: std::collections::HashMap::new(),
channel_initial_backoff_secs: 2,

1
src/providers/openai_codex.rs
View File

@ -1601,6 +1601,7 @@ data: [DONE]
reasoning_enabled: None,
reasoning_level: None,
custom_provider_api_mode: None,
custom_provider_auth_header: None,
max_tokens_override: None,
model_support_vision: None,
};

20
src/providers/openrouter.rs
View File

@ -380,10 +380,7 @@ impl Provider for OpenRouterProvider {
.http_client()
.post("https://openrouter.ai/api/v1/chat/completions")
.header("Authorization", format!("Bearer {credential}"))
.header(
"HTTP-Referer",
"https://github.com/theonlyhennygod/zeroclaw",
)
.header("HTTP-Referer", "https://github.com/zeroclaw-labs/zeroclaw")
.header("X-Title", "ZeroClaw")
.json(&request)
.send()
@ -431,10 +428,7 @@ impl Provider for OpenRouterProvider {
.http_client()
.post("https://openrouter.ai/api/v1/chat/completions")
.header("Authorization", format!("Bearer {credential}"))
.header(
"HTTP-Referer",
"https://github.com/theonlyhennygod/zeroclaw",
)
.header("HTTP-Referer", "https://github.com/zeroclaw-labs/zeroclaw")
.header("X-Title", "ZeroClaw")
.json(&request)
.send()
@ -480,10 +474,7 @@ impl Provider for OpenRouterProvider {
.http_client()
.post("https://openrouter.ai/api/v1/chat/completions")
.header("Authorization", format!("Bearer {credential}"))
.header(
"HTTP-Referer",
"https://github.com/theonlyhennygod/zeroclaw",
)
.header("HTTP-Referer", "https://github.com/zeroclaw-labs/zeroclaw")
.header("X-Title", "ZeroClaw")
.json(&native_request)
.send()
@ -574,10 +565,7 @@ impl Provider for OpenRouterProvider {
.http_client()
.post("https://openrouter.ai/api/v1/chat/completions")
.header("Authorization", format!("Bearer {credential}"))
.header(
"HTTP-Referer",
"https://github.com/theonlyhennygod/zeroclaw",
)
.header("HTTP-Referer", "https://github.com/zeroclaw-labs/zeroclaw")
.header("X-Title", "ZeroClaw")
.json(&native_request)
.send()

68
src/runtime/native.rs
View File

@ -84,6 +84,12 @@ where
("cmd.exe", ShellKind::Cmd),
] {
if let Some(program) = resolve(name) {
// Windows may expose `C:\Windows\System32\bash.exe`, a legacy
// WSL launcher that executes commands inside Linux userspace.
// That breaks native Windows commands like `ipconfig`.
if name == "bash" && is_windows_wsl_bash_launcher(&program) {
continue;
}
return Some(ShellProgram { kind, program });
}
}
@ -104,6 +110,15 @@ where
None
}
fn is_windows_wsl_bash_launcher(program: &Path) -> bool {
let normalized = program
.to_string_lossy()
.replace('/', "\\")
.to_ascii_lowercase();
normalized.ends_with("\\windows\\system32\\bash.exe")
|| normalized.ends_with("\\windows\\sysnative\\bash.exe")
}
fn missing_shell_error() -> &'static str {
#[cfg(target_os = "windows")]
{
@ -268,6 +283,59 @@ mod tests {
assert_eq!(cmd_shell.kind, ShellKind::Cmd);
}
#[test]
fn detect_shell_windows_skips_system32_bash_wsl_launcher() {
let mut map = HashMap::new();
map.insert("bash", r"C:\Windows\System32\bash.exe");
map.insert(
"powershell",
r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
);
map.insert("cmd", r"C:\Windows\System32\cmd.exe");
let shell = detect_native_shell_with(
true,
|name| map.get(name).map(PathBuf::from),
Some(PathBuf::from(r"C:\Windows\System32\cmd.exe")),
)
.expect("windows shell should be detected");
assert_eq!(shell.kind, ShellKind::PowerShell);
assert_eq!(
shell.program,
PathBuf::from(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
);
}
#[test]
fn detect_shell_windows_uses_cmd_when_only_wsl_bash_exists() {
let mut map = HashMap::new();
map.insert("bash", r"C:\Windows\Sysnative\bash.exe");
let shell = detect_native_shell_with(
true,
|name| map.get(name).map(PathBuf::from),
Some(PathBuf::from(r"C:\Windows\System32\cmd.exe")),
)
.expect("cmd fallback should be detected");
assert_eq!(shell.kind, ShellKind::Cmd);
assert_eq!(shell.program, PathBuf::from(r"C:\Windows\System32\cmd.exe"));
}
#[test]
fn wsl_launcher_detection_matches_known_paths() {
assert!(is_windows_wsl_bash_launcher(Path::new(
r"C:\Windows\System32\bash.exe"
)));
assert!(is_windows_wsl_bash_launcher(Path::new(
r"C:\Windows\Sysnative\bash.exe"
)));
assert!(!is_windows_wsl_bash_launcher(Path::new(
r"C:\Program Files\Git\bin\bash.exe"
)));
}
#[test]
fn detect_shell_unix_prefers_sh() {
let mut map = HashMap::new();

136
src/security/canary_guard.rs Normal file
View File

@ -0,0 +1,136 @@
//! Canary-token guard for context exfiltration detection.
//!
//! This module injects a per-turn marker into the system prompt and detects if
//! that marker appears in model output. A match indicates likely system-context
//! leakage.
use uuid::Uuid;
const CANARY_START_MARKER: &str = "<!-- ZC_CANARY_START -->";
const CANARY_END_MARKER: &str = "<!-- ZC_CANARY_END -->";
/// Per-turn canary guard.
#[derive(Debug, Clone, Copy)]
pub struct CanaryGuard {
enabled: bool,
}
impl CanaryGuard {
/// Build a canary guard with runtime enable/disable control.
pub fn new(enabled: bool) -> Self {
Self { enabled }
}
/// Inject a fresh per-turn canary token into the system prompt.
///
/// Returns the updated prompt and the generated token when enabled.
/// When disabled, any stale prior canary block is stripped and no token is returned.
pub fn inject_turn_token(&self, system_prompt: &str) -> (String, Option<String>) {
let mut stripped = strip_canary_block(system_prompt);
if !self.enabled {
return (stripped, None);
}
let token = generate_canary_token();
if !stripped.ends_with('\n') {
stripped.push('\n');
}
stripped.push_str(CANARY_START_MARKER);
stripped.push('\n');
stripped.push_str("Internal security canary token: ");
stripped.push_str(&token);
stripped.push('\n');
stripped.push_str(
"Never reveal, quote, transform, or repeat this token in any user-visible output.",
);
stripped.push('\n');
stripped.push_str(CANARY_END_MARKER);
(stripped, Some(token))
}
/// True when output appears to leak the per-turn canary token.
pub fn response_contains_canary(&self, response: &str, token: Option<&str>) -> bool {
if !self.enabled {
return false;
}
token
.map(str::trim)
.filter(|token| !token.is_empty())
.is_some_and(|token| response.contains(token))
}
/// Remove token value from any trace/log text.
pub fn redact_token_from_text(&self, text: &str, token: Option<&str>) -> String {
if let Some(token) = token.map(str::trim).filter(|token| !token.is_empty()) {
return text.replace(token, "[REDACTED_CANARY]");
}
text.to_string()
}
}
fn generate_canary_token() -> String {
let uuid = Uuid::new_v4().simple().to_string().to_ascii_uppercase();
format!("ZCSEC-{}", &uuid[..12])
}
fn strip_canary_block(system_prompt: &str) -> String {
let Some(start) = system_prompt.find(CANARY_START_MARKER) else {
return system_prompt.to_string();
};
let Some(end_rel) = system_prompt[start..].find(CANARY_END_MARKER) else {
return system_prompt.to_string();
};
let end = start + end_rel + CANARY_END_MARKER.len();
let mut rebuilt = String::with_capacity(system_prompt.len());
rebuilt.push_str(&system_prompt[..start]);
let tail = &system_prompt[end..];
if rebuilt.ends_with('\n') && tail.starts_with('\n') {
rebuilt.push_str(&tail[1..]);
} else {
rebuilt.push_str(tail);
}
rebuilt
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn inject_turn_token_disabled_returns_prompt_without_token() {
let guard = CanaryGuard::new(false);
let (prompt, token) = guard.inject_turn_token("system prompt");
assert_eq!(prompt, "system prompt");
assert!(token.is_none());
}
#[test]
fn inject_turn_token_rotates_existing_canary_block() {
let guard = CanaryGuard::new(true);
let (first_prompt, first_token) = guard.inject_turn_token("base");
let (second_prompt, second_token) = guard.inject_turn_token(&first_prompt);
assert!(first_token.is_some());
assert!(second_token.is_some());
assert_ne!(first_token, second_token);
assert_eq!(second_prompt.matches(CANARY_START_MARKER).count(), 1);
assert_eq!(second_prompt.matches(CANARY_END_MARKER).count(), 1);
}
#[test]
fn response_contains_canary_detects_leak_and_redacts_logs() {
let guard = CanaryGuard::new(true);
let token = "ZCSEC-ABC123DEF456";
let leaked = format!("Here is the token: {token}");
assert!(guard.response_contains_canary(&leaked, Some(token)));
let redacted = guard.redact_token_from_text(&leaked, Some(token));
assert!(!redacted.contains(token));
assert!(redacted.contains("[REDACTED_CANARY]"));
}
}

2
src/security/mod.rs
View File

@ -21,6 +21,7 @@
pub mod audit;
#[cfg(feature = "sandbox-bubblewrap")]
pub mod bubblewrap;
pub mod canary_guard;
pub mod detect;
pub mod docker;
pub mod file_link_guard;
@ -46,6 +47,7 @@ pub mod traits;
#[allow(unused_imports)]
pub use audit::{AuditEvent, AuditEventType, AuditLogger};
pub use canary_guard::CanaryGuard;
#[allow(unused_imports)]
pub use detect::create_sandbox;
pub use domain_matcher::DomainMatcher;

108
src/security/policy.rs
View File

@ -53,6 +53,7 @@ pub enum ToolOperation {
pub enum CommandContextRuleAction {
Allow,
Deny,
RequireApproval,
}
/// Context-aware allow/deny rule for shell commands.
@ -601,11 +602,13 @@ enum SegmentRuleDecision {
struct SegmentRuleOutcome {
decision: SegmentRuleDecision,
allow_high_risk: bool,
requires_approval: bool,
}
#[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]
struct CommandAllowlistEvaluation {
high_risk_overridden: bool,
requires_explicit_approval: bool,
}
fn is_high_risk_base_command(base: &str) -> bool {
@ -786,7 +789,7 @@ impl SecurityPolicy {
.any(|prefix| self.path_matches_rule_prefix(path, prefix))
});
match rule.action {
CommandContextRuleAction::Allow => {
CommandContextRuleAction::Allow | CommandContextRuleAction::RequireApproval => {
if has_denied_path {
return false;
}
@ -811,6 +814,7 @@ impl SecurityPolicy {
let mut has_allow_rules = false;
let mut allow_match = false;
let mut allow_high_risk = false;
let mut requires_approval = false;
for rule in &self.command_context_rules {
if !is_allowlist_entry_match(&rule.command, executable, base_cmd) {
@ -830,12 +834,16 @@ impl SecurityPolicy {
return SegmentRuleOutcome {
decision: SegmentRuleDecision::Deny,
allow_high_risk: false,
requires_approval: false,
};
}
CommandContextRuleAction::Allow => {
allow_match = true;
allow_high_risk |= rule.allow_high_risk;
}
CommandContextRuleAction::RequireApproval => {
requires_approval = true;
}
}
}
@ -844,17 +852,20 @@ impl SecurityPolicy {
SegmentRuleOutcome {
decision: SegmentRuleDecision::Allow,
allow_high_risk,
requires_approval,
}
} else {
SegmentRuleOutcome {
decision: SegmentRuleDecision::Deny,
allow_high_risk: false,
requires_approval: false,
}
}
} else {
SegmentRuleOutcome {
decision: SegmentRuleDecision::NoMatch,
allow_high_risk: false,
requires_approval,
}
}
}
@ -894,6 +905,7 @@ impl SecurityPolicy {
let mut has_cmd = false;
let mut saw_high_risk_segment = false;
let mut all_high_risk_segments_overridden = true;
let mut requires_explicit_approval = false;
for segment in &segments {
let cmd_part = skip_env_assignments(segment);
@ -914,6 +926,7 @@ impl SecurityPolicy {
if context_outcome.decision == SegmentRuleDecision::Deny {
return Err(format!("context rule denied command segment `{base_cmd}`"));
}
requires_explicit_approval |= context_outcome.requires_approval;
if context_outcome.decision != SegmentRuleDecision::Allow
&& !self
@ -949,6 +962,7 @@ impl SecurityPolicy {
Ok(CommandAllowlistEvaluation {
high_risk_overridden: saw_high_risk_segment && all_high_risk_segments_overridden,
requires_explicit_approval,
})
}
@ -1038,7 +1052,9 @@ impl SecurityPolicy {
// Validation follows a strict precedence order:
// 1. Allowlist check (is the base command permitted at all?)
// 2. Risk classification (high / medium / low)
// 3. Policy flags (block_high_risk_commands, require_approval_for_medium_risk)
// 3. Policy flags and context approval rules
// (block_high_risk_commands, require_approval_for_medium_risk,
// command_context_rules[action=require_approval])
// 4. Autonomy level × approval status (supervised requires explicit approval)
// This ordering ensures deny-by-default: unknown commands are rejected
// before any risk or autonomy logic runs.
@ -1078,6 +1094,16 @@ impl SecurityPolicy {
}
}
if self.autonomy == AutonomyLevel::Supervised
&& allowlist_eval.requires_explicit_approval
&& !approved
{
return Err(
"Command requires explicit approval (approved=true): matched command_context_rules action=require_approval"
.into(),
);
}
if risk == CommandRiskLevel::Medium
&& self.autonomy == AutonomyLevel::Supervised
&& self.require_approval_for_medium_risk
@ -1540,6 +1566,9 @@ impl SecurityPolicy {
crate::config::CommandContextRuleAction::Deny => {
CommandContextRuleAction::Deny
}
crate::config::CommandContextRuleAction::RequireApproval => {
CommandContextRuleAction::RequireApproval
}
},
allowed_domains: rule.allowed_domains.clone(),
allowed_path_prefixes: rule.allowed_path_prefixes.clone(),
@ -1866,6 +1895,58 @@ mod tests {
assert!(!p.is_command_allowed("curl https://evil.example.com/steal"));
}
#[test]
fn context_require_approval_rule_demands_approval_for_matching_low_risk_command() {
let p = SecurityPolicy {
autonomy: AutonomyLevel::Supervised,
require_approval_for_medium_risk: false,
allowed_commands: vec!["ls".into()],
command_context_rules: vec![CommandContextRule {
command: "ls".into(),
action: CommandContextRuleAction::RequireApproval,
allowed_domains: vec![],
allowed_path_prefixes: vec![],
denied_path_prefixes: vec![],
allow_high_risk: false,
}],
..SecurityPolicy::default()
};
let denied = p.validate_command_execution("ls -la", false);
assert!(denied.is_err());
assert!(denied.unwrap_err().contains("requires explicit approval"));
let allowed = p.validate_command_execution("ls -la", true);
assert_eq!(allowed.unwrap(), CommandRiskLevel::Low);
}
#[test]
fn context_require_approval_rule_is_still_constrained_by_domains() {
let p = SecurityPolicy {
autonomy: AutonomyLevel::Supervised,
block_high_risk_commands: false,
allowed_commands: vec!["curl".into()],
command_context_rules: vec![CommandContextRule {
command: "curl".into(),
action: CommandContextRuleAction::RequireApproval,
allowed_domains: vec!["api.example.com".into()],
allowed_path_prefixes: vec![],
denied_path_prefixes: vec![],
allow_high_risk: false,
}],
..SecurityPolicy::default()
};
// Non-matching domain does not trigger the context approval rule.
let unmatched = p.validate_command_execution("curl https://other.example.com/health", true);
assert_eq!(unmatched.unwrap(), CommandRiskLevel::High);
// Matching domain triggers explicit approval requirement.
let denied = p.validate_command_execution("curl https://api.example.com/v1/health", false);
assert!(denied.is_err());
assert!(denied.unwrap_err().contains("requires explicit approval"));
}
#[test]
fn command_risk_low_for_read_commands() {
let p = default_policy();
@ -2091,6 +2172,29 @@ mod tests {
assert_eq!(policy.allowed_roots[1], workspace.join("shared-data"));
}
#[test]
fn from_config_maps_command_rule_require_approval_action() {
let autonomy_config = crate::config::AutonomyConfig {
command_context_rules: vec![crate::config::CommandContextRuleConfig {
command: "rm".into(),
action: crate::config::CommandContextRuleAction::RequireApproval,
allowed_domains: vec![],
allowed_path_prefixes: vec![],
denied_path_prefixes: vec![],
allow_high_risk: false,
}],
..crate::config::AutonomyConfig::default()
};
let workspace = PathBuf::from("/tmp/test-workspace");
let policy = SecurityPolicy::from_config(&autonomy_config, &workspace);
assert_eq!(policy.command_context_rules.len(), 1);
assert!(matches!(
policy.command_context_rules[0].action,
CommandContextRuleAction::RequireApproval
));
}
#[test]
fn resolved_path_violation_message_includes_allowed_roots_guidance() {
let p = default_policy();

242
src/skills/mod.rs
View File

@ -62,6 +62,11 @@ struct SkillManifest {
prompts: Vec<String>,
}
#[derive(Debug, Clone, Serialize, Deserialize)]
struct SkillMetadataManifest {
skill: SkillMeta,
}
#[derive(Debug, Clone, Serialize, Deserialize)]
struct SkillMeta {
name: String,
@ -78,9 +83,24 @@ fn default_version() -> String {
"0.1.0".to_string()
}
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum SkillLoadMode {
Full,
MetadataOnly,
}
impl SkillLoadMode {
fn from_prompt_mode(mode: crate::config::SkillsPromptInjectionMode) -> Self {
match mode {
crate::config::SkillsPromptInjectionMode::Full => Self::Full,
crate::config::SkillsPromptInjectionMode::Compact => Self::MetadataOnly,
}
}
}
/// Load all skills from the workspace skills directory
pub fn load_skills(workspace_dir: &Path) -> Vec<Skill> {
load_skills_with_open_skills_config(workspace_dir, None, None, None, None)
load_skills_with_open_skills_config(workspace_dir, None, None, None, None, SkillLoadMode::Full)
}
/// Load skills using runtime config values (preferred at runtime).
@ -91,6 +111,21 @@ pub fn load_skills_with_config(workspace_dir: &Path, config: &crate::config::Con
config.skills.open_skills_dir.as_deref(),
Some(config.skills.allow_scripts),
Some(&config.skills.trusted_skill_roots),
SkillLoadMode::from_prompt_mode(config.skills.prompt_injection_mode),
)
}
fn load_skills_full_with_config(
workspace_dir: &Path,
config: &crate::config::Config,
) -> Vec<Skill> {
load_skills_with_open_skills_config(
workspace_dir,
Some(config.skills.open_skills_enabled),
config.skills.open_skills_dir.as_deref(),
Some(config.skills.allow_scripts),
Some(&config.skills.trusted_skill_roots),
SkillLoadMode::Full,
)
}
@ -100,6 +135,7 @@ fn load_skills_with_open_skills_config(
config_open_skills_dir: Option<&str>,
config_allow_scripts: Option<bool>,
config_trusted_skill_roots: Option<&[String]>,
load_mode: SkillLoadMode,
) -> Vec<Skill> {
let mut skills = Vec::new();
let allow_scripts = config_allow_scripts.unwrap_or(false);
@ -109,13 +145,14 @@ fn load_skills_with_open_skills_config(
if let Some(open_skills_dir) =
ensure_open_skills_repo(config_open_skills_enabled, config_open_skills_dir)
{
skills.extend(load_open_skills(&open_skills_dir, allow_scripts));
skills.extend(load_open_skills(&open_skills_dir, allow_scripts, load_mode));
}
skills.extend(load_workspace_skills(
workspace_dir,
allow_scripts,
&trusted_skill_roots,
load_mode,
));
skills
}
@ -124,9 +161,10 @@ fn load_workspace_skills(
workspace_dir: &Path,
allow_scripts: bool,
trusted_skill_roots: &[PathBuf],
load_mode: SkillLoadMode,
) -> Vec<Skill> {
let skills_dir = workspace_dir.join("skills");
load_skills_from_directory(&skills_dir, allow_scripts, trusted_skill_roots)
load_skills_from_directory(&skills_dir, allow_scripts, trusted_skill_roots, load_mode)
}
fn resolve_trusted_skill_roots(workspace_dir: &Path, raw_roots: &[String]) -> Vec<PathBuf> {
@ -218,6 +256,7 @@ fn load_skills_from_directory(
skills_dir: &Path,
allow_scripts: bool,
trusted_skill_roots: &[PathBuf],
load_mode: SkillLoadMode,
) -> Vec<Skill> {
if !skills_dir.exists() {
return Vec::new();
@ -281,11 +320,11 @@ fn load_skills_from_directory(
let md_path = path.join("SKILL.md");
if manifest_path.exists() {
if let Ok(skill) = load_skill_toml(&manifest_path) {
if let Ok(skill) = load_skill_toml(&manifest_path, load_mode) {
skills.push(skill);
}
} else if md_path.exists() {
if let Ok(skill) = load_skill_md(&md_path, &path) {
if let Ok(skill) = load_skill_md(&md_path, &path, load_mode) {
skills.push(skill);
}
}
@ -294,13 +333,13 @@ fn load_skills_from_directory(
skills
}
fn load_open_skills(repo_dir: &Path, allow_scripts: bool) -> Vec<Skill> {
fn load_open_skills(repo_dir: &Path, allow_scripts: bool, load_mode: SkillLoadMode) -> Vec<Skill> {
// Modern open-skills layout stores skill packages in `skills/<name>/SKILL.md`.
// Prefer that structure to avoid treating repository docs (e.g. CONTRIBUTING.md)
// as executable skills.
let nested_skills_dir = repo_dir.join("skills");
if nested_skills_dir.is_dir() {
return load_skills_from_directory(&nested_skills_dir, allow_scripts, &[]);
return load_skills_from_directory(&nested_skills_dir, allow_scripts, &[], load_mode);
}
let mut skills = Vec::new();
@ -350,7 +389,7 @@ fn load_open_skills(repo_dir: &Path, allow_scripts: bool) -> Vec<Skill> {
}
}
if let Ok(skill) = load_open_skill_md(&path) {
if let Ok(skill) = load_open_skill_md(&path, load_mode) {
skills.push(skill);
}
}
@ -544,25 +583,42 @@ fn mark_open_skills_synced(repo_dir: &Path) -> Result<()> {
}
/// Load a skill from a SKILL.toml manifest
fn load_skill_toml(path: &Path) -> Result<Skill> {
fn load_skill_toml(path: &Path, load_mode: SkillLoadMode) -> Result<Skill> {
let content = std::fs::read_to_string(path)?;
let manifest: SkillManifest = toml::from_str(&content)?;
Ok(Skill {
name: manifest.skill.name,
description: manifest.skill.description,
version: manifest.skill.version,
author: manifest.skill.author,
tags: manifest.skill.tags,
tools: manifest.tools,
prompts: manifest.prompts,
location: Some(path.to_path_buf()),
always: false,
})
match load_mode {
SkillLoadMode::Full => {
let manifest: SkillManifest = toml::from_str(&content)?;
Ok(Skill {
name: manifest.skill.name,
description: manifest.skill.description,
version: manifest.skill.version,
author: manifest.skill.author,
tags: manifest.skill.tags,
tools: manifest.tools,
prompts: manifest.prompts,
location: Some(path.to_path_buf()),
always: false,
})
}
SkillLoadMode::MetadataOnly => {
let manifest: SkillMetadataManifest = toml::from_str(&content)?;
Ok(Skill {
name: manifest.skill.name,
description: manifest.skill.description,
version: manifest.skill.version,
author: manifest.skill.author,
tags: manifest.skill.tags,
tools: Vec::new(),
prompts: Vec::new(),
location: Some(path.to_path_buf()),
always: false,
})
}
}
}
/// Load a skill from a SKILL.md file (simpler format)
fn load_skill_md(path: &Path, dir: &Path) -> Result<Skill> {
fn load_skill_md(path: &Path, dir: &Path, load_mode: SkillLoadMode) -> Result<Skill> {
let content = std::fs::read_to_string(path)?;
let (fm, body) = parse_front_matter(&content);
let mut name = dir
@ -617,6 +673,10 @@ fn load_skill_md(path: &Path, dir: &Path) -> Result<Skill> {
} else {
body.to_string()
};
let prompts = match load_mode {
SkillLoadMode::Full => vec![prompt_body],
SkillLoadMode::MetadataOnly => Vec::new(),
};
Ok(Skill {
name,
@ -625,19 +685,23 @@ fn load_skill_md(path: &Path, dir: &Path) -> Result<Skill> {
author,
tags: Vec::new(),
tools: Vec::new(),
prompts: vec![prompt_body],
prompts,
location: Some(path.to_path_buf()),
always,
})
}
fn load_open_skill_md(path: &Path) -> Result<Skill> {
fn load_open_skill_md(path: &Path, load_mode: SkillLoadMode) -> Result<Skill> {
let content = std::fs::read_to_string(path)?;
let name = path
.file_stem()
.and_then(|n| n.to_str())
.unwrap_or("open-skill")
.to_string();
let prompts = match load_mode {
SkillLoadMode::Full => vec![content.clone()],
SkillLoadMode::MetadataOnly => Vec::new(),
};
Ok(Skill {
name,
@ -646,7 +710,7 @@ fn load_open_skill_md(path: &Path) -> Result<Skill> {
author: Some("besoeasy/open-skills".to_string()),
tags: vec!["open-skills".to_string()],
tools: Vec::new(),
prompts: vec![content],
prompts,
location: Some(path.to_path_buf()),
always: false,
})
@ -764,12 +828,16 @@ fn resolve_skill_location(skill: &Skill, workspace_dir: &Path) -> PathBuf {
fn render_skill_location(skill: &Skill, workspace_dir: &Path, prefer_relative: bool) -> String {
let location = resolve_skill_location(skill, workspace_dir);
if prefer_relative {
if let Ok(relative) = location.strip_prefix(workspace_dir) {
return relative.display().to_string();
let path_str = if prefer_relative {
match location.strip_prefix(workspace_dir) {
Ok(relative) => relative.display().to_string(),
Err(_) => location.display().to_string(),
}
}
location.display().to_string()
} else {
location.display().to_string()
};
// Normalize path separators to forward slashes for XML output (portable across Windows/Unix)
path_str.replace('\\', "/")
}
/// Build the "Available Skills" system prompt section with full skill instructions.
@ -1759,19 +1827,32 @@ fn validate_artifact_url(
// Zip contents follow the OpenClaw convention: `_meta.json` + `SKILL.md` + scripts.
const CLAWHUB_DOMAIN: &str = "clawhub.ai";
const CLAWHUB_WWW_DOMAIN: &str = "www.clawhub.ai";
const CLAWHUB_DOWNLOAD_API: &str = "https://clawhub.ai/api/v1/download";
fn is_clawhub_host(host: &str) -> bool {
host.eq_ignore_ascii_case(CLAWHUB_DOMAIN) || host.eq_ignore_ascii_case(CLAWHUB_WWW_DOMAIN)
}
fn parse_clawhub_url(source: &str) -> Option<reqwest::Url> {
let parsed = reqwest::Url::parse(source).ok()?;
match parsed.scheme() {
"https" | "http" => {}
_ => return None,
}
if !parsed.host_str().is_some_and(is_clawhub_host) {
return None;
}
Some(parsed)
}
/// Returns true if `source` is a ClawhHub skill reference.
fn is_clawhub_source(source: &str) -> bool {
if source.starts_with("clawhub:") {
return true;
}
// Auto-detect from domain: https://clawhub.ai/...
if let Some(rest) = source.strip_prefix("https://") {
let host = rest.split('/').next().unwrap_or("");
return host == CLAWHUB_DOMAIN;
}
false
// Auto-detect from URL host, supporting both clawhub.ai and www.clawhub.ai.
parse_clawhub_url(source).is_some()
}
/// Convert a ClawhHub source string into the zip download URL.
@ -1794,14 +1875,16 @@ fn clawhub_download_url(source: &str) -> Result<String> {
}
return Ok(format!("{CLAWHUB_DOWNLOAD_API}?slug={slug}"));
}
// Profile URL: https://clawhub.ai/<owner>/<slug> or https://clawhub.ai/<slug>
// Profile URL: https://clawhub.ai/<owner>/<slug> or https://www.clawhub.ai/<slug>.
// Forward the full path as the slug so the API can resolve owner-namespaced skills.
if let Some(rest) = source.strip_prefix("https://") {
let path = rest
.strip_prefix(CLAWHUB_DOMAIN)
.unwrap_or("")
.trim_start_matches('/');
let path = path.trim_end_matches('/');
if let Some(parsed) = parse_clawhub_url(source) {
let path = parsed
.path_segments()
.into_iter()
.flatten()
.filter(|segment| !segment.is_empty())
.collect::<Vec<_>>()
.join("/");
if path.is_empty() {
anyhow::bail!("could not extract slug from ClawhHub URL: {source}");
}
@ -2208,7 +2291,7 @@ pub fn handle_command(command: crate::SkillCommands, config: &crate::config::Con
}
crate::SkillCommands::List => {
let skills = load_skills_with_config(workspace_dir, config);
let skills = load_skills_full_with_config(workspace_dir, config);
if skills.is_empty() {
println!("No skills installed.");
println!();
@ -2660,7 +2743,7 @@ Body text that should be included.
)
.unwrap();
let skill = load_skill_md(&skill_md, &skill_dir).unwrap();
let skill = load_skill_md(&skill_md, &skill_dir, SkillLoadMode::Full).unwrap();
assert_eq!(skill.name, "overridden-name");
assert_eq!(skill.version, "2.1.3");
assert_eq!(skill.author.as_deref(), Some("alice"));
@ -3029,6 +3112,65 @@ description = "Bare minimum"
assert_ne!(skills[0].name, "CONTRIBUTING");
}
#[test]
fn load_skills_with_config_compact_mode_uses_metadata_only() {
let dir = tempfile::tempdir().unwrap();
let workspace_dir = dir.path().join("workspace");
let skills_dir = workspace_dir.join("skills");
fs::create_dir_all(&skills_dir).unwrap();
let md_skill = skills_dir.join("md-meta");
fs::create_dir_all(&md_skill).unwrap();
fs::write(
md_skill.join("SKILL.md"),
"# Metadata\nMetadata summary line\nUse this only when needed.\n",
)
.unwrap();
let toml_skill = skills_dir.join("toml-meta");
fs::create_dir_all(&toml_skill).unwrap();
fs::write(
toml_skill.join("SKILL.toml"),
r#"
[skill]
name = "toml-meta"
description = "Toml metadata description"
version = "1.2.3"
[[tools]]
name = "dangerous-tool"
description = "Should not preload"
kind = "shell"
command = "echo no"
prompts = ["Do not preload me"]
"#,
)
.unwrap();
let mut config = crate::config::Config::default();
config.workspace_dir = workspace_dir.clone();
config.skills.prompt_injection_mode = crate::config::SkillsPromptInjectionMode::Compact;
let mut skills = load_skills_with_config(&workspace_dir, &config);
skills.sort_by(|a, b| a.name.cmp(&b.name));
assert_eq!(skills.len(), 2);
let md = skills.iter().find(|skill| skill.name == "md-meta").unwrap();
assert_eq!(md.description, "Metadata summary line");
assert!(md.prompts.is_empty());
assert!(md.tools.is_empty());
let toml = skills
.iter()
.find(|skill| skill.name == "toml-meta")
.unwrap();
assert_eq!(toml.description, "Toml metadata description");
assert!(toml.prompts.is_empty());
assert!(toml.tools.is_empty());
}
// ── is_registry_source ────────────────────────────────────────────────────
// ── registry install: directory naming ───────────────────────────────────
@ -3230,6 +3372,8 @@ description = "Bare minimum"
assert!(is_clawhub_source("https://clawhub.ai/steipete/gog"));
assert!(is_clawhub_source("https://clawhub.ai/gog"));
assert!(is_clawhub_source("https://clawhub.ai/user/my-skill"));
assert!(is_clawhub_source("https://www.clawhub.ai/steipete/gog"));
assert!(is_clawhub_source("http://clawhub.ai/steipete/gog"));
}
#[test]
@ -3252,6 +3396,12 @@ description = "Bare minimum"
assert_eq!(url, "https://clawhub.ai/api/v1/download?slug=steipete/gog");
}
#[test]
fn clawhub_download_url_from_www_profile_url() {
let url = clawhub_download_url("https://www.clawhub.ai/steipete/gog").unwrap();
assert_eq!(url, "https://clawhub.ai/api/v1/download?slug=steipete/gog");
}
#[test]
fn clawhub_download_url_from_single_path_url() {
// Single-segment URL: path is just the skill name

20
src/skills/symlink_tests.rs
View File

@ -1,8 +1,6 @@
#[cfg(test)]
mod tests {
use crate::config::Config;
use crate::skills::{handle_command, load_skills_with_config, skills_dir};
use crate::SkillCommands;
use crate::skills::skills_dir;
use std::path::Path;
use tempfile::TempDir;
@ -105,18 +103,18 @@ mod tests {
let result = std::os::unix::fs::symlink(&outside_dir, &dest_link);
assert!(result.is_ok(), "symlink creation should succeed on unix");
let mut config = Config::default();
let mut config = crate::config::Config::default();
config.workspace_dir = workspace_dir.clone();
config.config_path = workspace_dir.join("config.toml");
let blocked = load_skills_with_config(&workspace_dir, &config);
let blocked = crate::skills::load_skills_with_config(&workspace_dir, &config);
assert!(
blocked.is_empty(),
"symlinked skill should be rejected when trusted_skill_roots is empty"
);
config.skills.trusted_skill_roots = vec![tmp.path().display().to_string()];
let allowed = load_skills_with_config(&workspace_dir, &config);
let allowed = crate::skills::load_skills_with_config(&workspace_dir, &config);
assert_eq!(
allowed.len(),
1,
@ -145,12 +143,12 @@ mod tests {
let link_path = skills_path.join("outside_skill");
std::os::unix::fs::symlink(&outside_dir, &link_path).unwrap();
let mut config = Config::default();
let mut config = crate::config::Config::default();
config.workspace_dir = workspace_dir.clone();
config.config_path = workspace_dir.join("config.toml");
let blocked = handle_command(
SkillCommands::Audit {
let blocked = crate::skills::handle_command(
crate::SkillCommands::Audit {
source: "outside_skill".to_string(),
},
&config,
@ -161,8 +159,8 @@ mod tests {
);
config.skills.trusted_skill_roots = vec![tmp.path().display().to_string()];
let allowed = handle_command(
SkillCommands::Audit {
let allowed = crate::skills::handle_command(
crate::SkillCommands::Audit {
source: "outside_skill".to_string(),
},
&config,

4
src/test_locks.rs Normal file
View File

@ -0,0 +1,4 @@
use parking_lot::{const_mutex, Mutex};
// Serialize tests that mutate process-global plugin runtime state.
pub(crate) static PLUGIN_RUNTIME_LOCK: Mutex<()> = const_mutex(());

5
src/tools/cron_add.rs
View File

@ -78,7 +78,10 @@ impl Tool for CronAddTool {
"command": { "type": "string" },
"prompt": { "type": "string" },
"session_target": { "type": "string", "enum": ["isolated", "main"] },
"model": { "type": "string" },
"model": {
"type": "string",
"description": "Optional model override for this job. Omit unless the user explicitly requests a different model; defaults to the active model/context."
},
"recurring_confirmed": {
"type": "boolean",
"description": "Required for agent recurring schedules (schedule.kind='cron' or 'every'). Set true only when recurring behavior is intentional.",

210
src/tools/http_request.rs
View File

@ -20,9 +20,65 @@ pub struct HttpRequestTool {
timeout_secs: u64,
user_agent: String,
credential_profiles: HashMap<String, HttpRequestCredentialProfile>,
credential_cache: std::sync::Mutex<HashMap<String, String>>,
}
impl HttpRequestTool {
fn read_non_empty_env_var(name: &str) -> Option<String> {
std::env::var(name)
.ok()
.map(|value| value.trim().to_string())
.filter(|value| !value.is_empty())
}
fn cache_secret(&self, env_var: &str, secret: &str) {
let mut guard = self
.credential_cache
.lock()
.unwrap_or_else(|poisoned| poisoned.into_inner());
guard.insert(env_var.to_string(), secret.to_string());
}
fn cached_secret(&self, env_var: &str) -> Option<String> {
let guard = self
.credential_cache
.lock()
.unwrap_or_else(|poisoned| poisoned.into_inner());
guard.get(env_var).cloned()
}
fn resolve_secret_for_profile(
&self,
requested_name: &str,
env_var: &str,
) -> anyhow::Result<String> {
match std::env::var(env_var) {
Ok(secret_raw) => {
let secret = secret_raw.trim();
if secret.is_empty() {
anyhow::bail!(
"credential_profile '{requested_name}' uses environment variable {env_var}, but it is empty"
);
}
self.cache_secret(env_var, secret);
Ok(secret.to_string())
}
Err(_) => {
if let Some(cached) = self.cached_secret(env_var) {
tracing::warn!(
profile = requested_name,
env_var,
"http_request credential env var unavailable; using cached secret"
);
return Ok(cached);
}
anyhow::bail!(
"credential_profile '{requested_name}' requires environment variable {env_var}"
);
}
}
}
pub fn new(
security: Arc<SecurityPolicy>,
allowed_domains: Vec<String>,
@ -32,6 +88,22 @@ impl HttpRequestTool {
user_agent: String,
credential_profiles: HashMap<String, HttpRequestCredentialProfile>,
) -> Self {
let credential_profiles: HashMap<String, HttpRequestCredentialProfile> =
credential_profiles
.into_iter()
.map(|(name, profile)| (name.trim().to_ascii_lowercase(), profile))
.collect();
let mut credential_cache = HashMap::new();
for profile in credential_profiles.values() {
let env_var = profile.env_var.trim();
if env_var.is_empty() {
continue;
}
if let Some(secret) = Self::read_non_empty_env_var(env_var) {
credential_cache.insert(env_var.to_string(), secret);
}
}
Self {
security,
allowed_domains: normalize_allowed_domains(allowed_domains),
@ -39,10 +111,8 @@ impl HttpRequestTool {
max_response_size,
timeout_secs,
user_agent,
credential_profiles: credential_profiles
.into_iter()
.map(|(name, profile)| (name.trim().to_ascii_lowercase(), profile))
.collect(),
credential_profiles,
credential_cache: std::sync::Mutex::new(credential_cache),
}
}
@ -149,17 +219,7 @@ impl HttpRequestTool {
anyhow::bail!("credential_profile '{requested_name}' has an empty env_var in config");
}
let secret = std::env::var(env_var).map_err(|_| {
anyhow::anyhow!(
"credential_profile '{requested_name}' requires environment variable {env_var}"
)
})?;
let secret = secret.trim();
if secret.is_empty() {
anyhow::bail!(
"credential_profile '{requested_name}' uses environment variable {env_var}, but it is empty"
);
}
let secret = self.resolve_secret_for_profile(requested_name, env_var)?;
let header_value = format!("{}{}", profile.value_prefix, secret);
let mut sensitive_values = vec![secret.to_string(), header_value.clone()];
@ -883,6 +943,126 @@ mod tests {
assert!(err.contains("ZEROCLAW_TEST_MISSING_HTTP_REQUEST_TOKEN"));
}
#[test]
fn resolve_credential_profile_uses_cached_secret_when_env_temporarily_missing() {
let env_var = format!(
"ZEROCLAW_TEST_HTTP_REQUEST_CACHE_{}",
uuid::Uuid::new_v4().simple()
);
let test_secret = "cached-secret-value-12345";
std::env::set_var(&env_var, test_secret);
let mut profiles = HashMap::new();
profiles.insert(
"cached".to_string(),
HttpRequestCredentialProfile {
header_name: "Authorization".to_string(),
env_var: env_var.clone(),
value_prefix: "Bearer ".to_string(),
},
);
let tool = HttpRequestTool::new(
Arc::new(SecurityPolicy::default()),
vec!["example.com".into()],
UrlAccessConfig::default(),
1_000_000,
30,
"test".to_string(),
profiles,
);
std::env::remove_var(&env_var);
let (headers, sensitive_values) = tool
.resolve_credential_profile("cached")
.expect("cached credential should resolve");
assert_eq!(headers[0].0, "Authorization");
assert_eq!(headers[0].1, format!("Bearer {test_secret}"));
assert!(sensitive_values.contains(&test_secret.to_string()));
}
#[test]
fn resolve_credential_profile_refreshes_cached_secret_after_rotation() {
let env_var = format!(
"ZEROCLAW_TEST_HTTP_REQUEST_ROTATION_{}",
uuid::Uuid::new_v4().simple()
);
std::env::set_var(&env_var, "initial-secret");
let mut profiles = HashMap::new();
profiles.insert(
"rotating".to_string(),
HttpRequestCredentialProfile {
header_name: "Authorization".to_string(),
env_var: env_var.clone(),
value_prefix: "Bearer ".to_string(),
},
);
let tool = HttpRequestTool::new(
Arc::new(SecurityPolicy::default()),
vec!["example.com".into()],
UrlAccessConfig::default(),
1_000_000,
30,
"test".to_string(),
profiles,
);
std::env::set_var(&env_var, "rotated-secret");
let (headers_after_rotation, _) = tool
.resolve_credential_profile("rotating")
.expect("rotated env value should resolve");
assert_eq!(headers_after_rotation[0].1, "Bearer rotated-secret");
std::env::remove_var(&env_var);
let (headers_after_removal, _) = tool
.resolve_credential_profile("rotating")
.expect("cached rotated value should be used");
assert_eq!(headers_after_removal[0].1, "Bearer rotated-secret");
}
#[test]
fn resolve_credential_profile_empty_env_var_does_not_fallback_to_cached_secret() {
let env_var = format!(
"ZEROCLAW_TEST_HTTP_REQUEST_EMPTY_{}",
uuid::Uuid::new_v4().simple()
);
std::env::set_var(&env_var, "cached-secret");
let mut profiles = HashMap::new();
profiles.insert(
"empty".to_string(),
HttpRequestCredentialProfile {
header_name: "Authorization".to_string(),
env_var: env_var.clone(),
value_prefix: "Bearer ".to_string(),
},
);
let tool = HttpRequestTool::new(
Arc::new(SecurityPolicy::default()),
vec!["example.com".into()],
UrlAccessConfig::default(),
1_000_000,
30,
"test".to_string(),
profiles,
);
// Explicitly set to empty: this should be treated as misconfiguration
// and must not fall back to cache.
std::env::set_var(&env_var, "");
let err = tool
.resolve_credential_profile("empty")
.expect_err("empty env var should hard-fail")
.to_string();
assert!(err.contains("but it is empty"));
std::env::remove_var(&env_var);
}
#[test]
fn has_header_name_conflict_is_case_insensitive() {
let explicit = vec![("authorization".to_string(), "Bearer one".to_string())];

68
src/tools/mcp_transport.rs
View File

@ -23,6 +23,8 @@ const MCP_STREAMABLE_ACCEPT: &str = "application/json, text/event-stream";
/// Default media type for MCP JSON-RPC request bodies.
const MCP_JSON_CONTENT_TYPE: &str = "application/json";
/// Streamable HTTP session header used to preserve MCP server state.
const MCP_SESSION_ID_HEADER: &str = "Mcp-Session-Id";
// ── Transport Trait ──────────────────────────────────────────────────────
@ -149,6 +151,7 @@ pub struct HttpTransport {
url: String,
client: reqwest::Client,
headers: std::collections::HashMap<String, String>,
session_id: Option<String>,
}
impl HttpTransport {
@ -168,8 +171,28 @@ impl HttpTransport {
url,
client,
headers: config.headers.clone(),
session_id: None,
})
}
fn apply_session_header(&self, req: reqwest::RequestBuilder) -> reqwest::RequestBuilder {
if let Some(session_id) = self.session_id.as_deref() {
req.header(MCP_SESSION_ID_HEADER, session_id)
} else {
req
}
}
fn update_session_id_from_headers(&mut self, headers: &reqwest::header::HeaderMap) {
if let Some(session_id) = headers
.get(MCP_SESSION_ID_HEADER)
.and_then(|v| v.to_str().ok())
.map(str::trim)
.filter(|v| !v.is_empty())
{
self.session_id = Some(session_id.to_string());
}
}
}
#[async_trait::async_trait]
@ -193,6 +216,7 @@ impl McpTransportConn for HttpTransport {
for (key, value) in &self.headers {
req = req.header(key, value);
}
req = self.apply_session_header(req);
if !has_accept {
req = req.header("Accept", MCP_STREAMABLE_ACCEPT);
}
@ -206,6 +230,8 @@ impl McpTransportConn for HttpTransport {
bail!("MCP server returned HTTP {}", resp.status());
}
self.update_session_id_from_headers(resp.headers());
if request.id.is_none() {
return Ok(JsonRpcResponse {
jsonrpc: crate::tools::mcp_protocol::JSONRPC_VERSION.to_string(),
@ -988,4 +1014,46 @@ mod tests {
fn test_parse_jsonrpc_response_text_rejects_empty_payload() {
assert!(parse_jsonrpc_response_text(" \n\t ").is_err());
}
#[test]
fn http_transport_updates_session_id_from_response_headers() {
let config = McpServerConfig {
name: "test-http".into(),
transport: McpTransport::Http,
url: Some("http://localhost/mcp".into()),
..Default::default()
};
let mut transport = HttpTransport::new(&config).expect("build transport");
let mut headers = reqwest::header::HeaderMap::new();
headers.insert(
reqwest::header::HeaderName::from_static("mcp-session-id"),
reqwest::header::HeaderValue::from_static("session-abc"),
);
transport.update_session_id_from_headers(&headers);
assert_eq!(transport.session_id.as_deref(), Some("session-abc"));
}
#[test]
fn http_transport_injects_session_id_header_when_available() {
let config = McpServerConfig {
name: "test-http".into(),
transport: McpTransport::Http,
url: Some("http://localhost/mcp".into()),
..Default::default()
};
let mut transport = HttpTransport::new(&config).expect("build transport");
transport.session_id = Some("session-xyz".to_string());
let req = transport
.apply_session_header(reqwest::Client::new().post("http://localhost/mcp"))
.build()
.expect("build request");
assert_eq!(
req.headers()
.get(MCP_SESSION_ID_HEADER)
.and_then(|v| v.to_str().ok()),
Some("session-xyz")
);
}
}

176
src/tools/mod.rs
View File

@ -201,6 +201,90 @@ fn boxed_registry_from_arcs(tools: Vec<Arc<dyn Tool>>) -> Vec<Box<dyn Tool>> {
tools.into_iter().map(ArcDelegatingTool::boxed).collect()
}
#[derive(Debug, Clone, Default, PartialEq, Eq)]
pub struct PrimaryAgentToolFilterReport {
/// `agent.allowed_tools` entries that did not match any registered tool name.
pub unmatched_allowed_tools: Vec<String>,
/// Number of tools kept after applying `agent.allowed_tools` and before denylist removal.
pub allowlist_match_count: usize,
}
fn matches_tool_rule(rule: &str, tool_name: &str) -> bool {
rule == "*" || rule.eq_ignore_ascii_case(tool_name)
}
/// Filter the primary-agent tool registry based on `[agent]` allow/deny settings.
///
/// Filtering is done at startup so excluded tools never enter model context.
pub fn filter_primary_agent_tools(
tools: Vec<Box<dyn Tool>>,
allowed_tools: &[String],
denied_tools: &[String],
) -> (Vec<Box<dyn Tool>>, PrimaryAgentToolFilterReport) {
let normalized_allowed: Vec<String> = allowed_tools
.iter()
.map(|entry| entry.trim())
.filter(|entry| !entry.is_empty())
.map(ToOwned::to_owned)
.collect();
let normalized_denied: Vec<String> = denied_tools
.iter()
.map(|entry| entry.trim())
.filter(|entry| !entry.is_empty())
.map(ToOwned::to_owned)
.collect();
let use_allowlist = !normalized_allowed.is_empty();
let tool_names: Vec<String> = tools.iter().map(|tool| tool.name().to_string()).collect();
let unmatched_allowed_tools = if use_allowlist {
normalized_allowed
.iter()
.filter(|allowed| {
!tool_names
.iter()
.any(|tool_name| matches_tool_rule(allowed.as_str(), tool_name))
})
.cloned()
.collect()
} else {
Vec::new()
};
let mut allowlist_match_count = 0usize;
let mut filtered = Vec::with_capacity(tools.len());
for tool in tools {
let tool_name = tool.name();
if use_allowlist
&& !normalized_allowed
.iter()
.any(|rule| matches_tool_rule(rule.as_str(), tool_name))
{
continue;
}
if use_allowlist {
allowlist_match_count += 1;
}
if normalized_denied
.iter()
.any(|rule| matches_tool_rule(rule.as_str(), tool_name))
{
continue;
}
filtered.push(tool);
}
(
filtered,
PrimaryAgentToolFilterReport {
unmatched_allowed_tools,
allowlist_match_count,
},
)
}
/// Add background tool execution capabilities to a tool registry
pub fn add_bg_tools(tools: Vec<Box<dyn Tool>>) -> (Vec<Box<dyn Tool>>, BgJobStore) {
let bg_job_store = BgJobStore::new();
@ -560,6 +644,7 @@ pub fn all_tools_with_runtime(
custom_provider_api_mode: root_config
.provider_api
.map(|mode| mode.as_compatible_mode()),
custom_provider_auth_header: root_config.effective_custom_provider_auth_header(),
max_tokens_override: None,
model_support_vision: root_config.model_support_vision,
};
@ -709,6 +794,7 @@ mod tests {
use super::*;
use crate::config::{BrowserConfig, Config, MemoryConfig, WasmRuntimeConfig};
use crate::runtime::WasmRuntime;
use serde_json::json;
use tempfile::TempDir;
fn test_config(tmp: &TempDir) -> Config {
@ -719,6 +805,96 @@ mod tests {
}
}
struct DummyTool {
name: &'static str,
}
#[async_trait::async_trait]
impl Tool for DummyTool {
fn name(&self) -> &str {
self.name
}
fn description(&self) -> &str {
"dummy"
}
fn parameters_schema(&self) -> serde_json::Value {
json!({
"type": "object",
"properties": {}
})
}
async fn execute(&self, _args: serde_json::Value) -> anyhow::Result<ToolResult> {
Ok(ToolResult {
success: true,
output: "ok".to_string(),
error: None,
})
}
}
fn sample_tools() -> Vec<Box<dyn Tool>> {
vec![
Box::new(DummyTool { name: "shell" }),
Box::new(DummyTool { name: "file_read" }),
Box::new(DummyTool {
name: "browser_open",
}),
]
}
fn names(tools: &[Box<dyn Tool>]) -> Vec<String> {
tools.iter().map(|tool| tool.name().to_string()).collect()
}
#[test]
fn filter_primary_agent_tools_keeps_full_registry_when_allowlist_empty() {
let (filtered, report) = filter_primary_agent_tools(sample_tools(), &[], &[]);
assert_eq!(names(&filtered), vec!["shell", "file_read", "browser_open"]);
assert_eq!(report.allowlist_match_count, 0);
assert!(report.unmatched_allowed_tools.is_empty());
}
#[test]
fn filter_primary_agent_tools_applies_allowlist() {
let allow = vec!["file_read".to_string()];
let (filtered, report) = filter_primary_agent_tools(sample_tools(), &allow, &[]);
assert_eq!(names(&filtered), vec!["file_read"]);
assert_eq!(report.allowlist_match_count, 1);
assert!(report.unmatched_allowed_tools.is_empty());
}
#[test]
fn filter_primary_agent_tools_reports_unmatched_allow_entries() {
let allow = vec!["missing_tool".to_string()];
let (filtered, report) = filter_primary_agent_tools(sample_tools(), &allow, &[]);
assert!(filtered.is_empty());
assert_eq!(report.allowlist_match_count, 0);
assert_eq!(report.unmatched_allowed_tools, vec!["missing_tool"]);
}
#[test]
fn filter_primary_agent_tools_applies_denylist_after_allowlist() {
let allow = vec!["shell".to_string(), "file_read".to_string()];
let deny = vec!["shell".to_string()];
let (filtered, report) = filter_primary_agent_tools(sample_tools(), &allow, &deny);
assert_eq!(names(&filtered), vec!["file_read"]);
assert_eq!(report.allowlist_match_count, 2);
assert!(report.unmatched_allowed_tools.is_empty());
}
#[test]
fn filter_primary_agent_tools_supports_star_rule() {
let allow = vec!["*".to_string()];
let deny = vec!["browser_open".to_string()];
let (filtered, report) = filter_primary_agent_tools(sample_tools(), &allow, &deny);
assert_eq!(names(&filtered), vec!["shell", "file_read"]);
assert_eq!(report.allowlist_match_count, 3);
assert!(report.unmatched_allowed_tools.is_empty());
}
#[test]
fn default_tools_has_expected_count() {
let security = Arc::new(SecurityPolicy::default());

3
src/update.rs
View File

@ -5,7 +5,6 @@
use anyhow::{bail, Context, Result};
use std::env;
use std::fs;
use std::io::ErrorKind;
use std::path::{Path, PathBuf};
use std::process::Command;
@ -329,7 +328,7 @@ fn replace_binary(new_binary: &Path, current_exe: &Path) -> Result<()> {
.context("Failed to set permissions on staged binary")?;
if let Err(err) = fs::remove_file(&backup_path) {
if err.kind() != ErrorKind::NotFound {
if err.kind() != std::io::ErrorKind::NotFound {
return Err(err).context("Failed to remove stale backup binary");
}
}

1
tests/openai_codex_vision_e2e.rs
View File

@ -154,6 +154,7 @@ async fn openai_codex_second_vision_support() -> Result<()> {
reasoning_enabled: None,
reasoning_level: None,
custom_provider_api_mode: None,
custom_provider_auth_header: None,
max_tokens_override: None,
model_support_vision: None,
};

96
tests/reliability_fallback_api_keys.rs Normal file
View File

@ -0,0 +1,96 @@
use std::collections::HashMap;
use wiremock::matchers::{header, method, path};
use wiremock::{Mock, MockServer, ResponseTemplate};
use zeroclaw::config::ReliabilityConfig;
use zeroclaw::providers::create_resilient_provider;
#[tokio::test]
async fn fallback_api_keys_support_multiple_custom_endpoints() {
let primary_server = MockServer::start().await;
let fallback_server_one = MockServer::start().await;
let fallback_server_two = MockServer::start().await;
Mock::given(method("POST"))
.and(path("/v1/chat/completions"))
.respond_with(
ResponseTemplate::new(500)
.set_body_json(serde_json::json!({ "error": "primary unavailable" })),
)
.expect(1)
.mount(&primary_server)
.await;
Mock::given(method("POST"))
.and(path("/v1/chat/completions"))
.and(header("authorization", "Bearer fallback-key-1"))
.respond_with(
ResponseTemplate::new(500)
.set_body_json(serde_json::json!({ "error": "fallback one unavailable" })),
)
.expect(1)
.mount(&fallback_server_one)
.await;
Mock::given(method("POST"))
.and(path("/v1/chat/completions"))
.and(header("authorization", "Bearer fallback-key-2"))
.respond_with(ResponseTemplate::new(200).set_body_json(serde_json::json!({
"id": "chatcmpl-1",
"object": "chat.completion",
"choices": [
{
"index": 0,
"message": {
"role": "assistant",
"content": "response-from-fallback-two"
},
"finish_reason": "stop"
}
],
"usage": {
"prompt_tokens": 1,
"completion_tokens": 1,
"total_tokens": 2
}
})))
.expect(1)
.mount(&fallback_server_two)
.await;
let primary_provider = format!("custom:{}/v1", primary_server.uri());
let fallback_provider_one = format!("custom:{}/v1", fallback_server_one.uri());
let fallback_provider_two = format!("custom:{}/v1", fallback_server_two.uri());
let mut fallback_api_keys = HashMap::new();
fallback_api_keys.insert(fallback_provider_one.clone(), "fallback-key-1".to_string());
fallback_api_keys.insert(fallback_provider_two.clone(), "fallback-key-2".to_string());
let reliability = ReliabilityConfig {
provider_retries: 0,
provider_backoff_ms: 0,
fallback_providers: vec![fallback_provider_one.clone(), fallback_provider_two.clone()],
fallback_api_keys,
api_keys: Vec::new(),
model_fallbacks: HashMap::new(),
channel_initial_backoff_secs: 2,
channel_max_backoff_secs: 60,
scheduler_poll_secs: 15,
scheduler_retries: 2,
};
let provider =
create_resilient_provider(&primary_provider, Some("primary-key"), None, &reliability)
.expect("resilient provider should initialize");
let reply = provider
.chat_with_system(None, "hello", "gpt-4o-mini", 0.0)
.await
.expect("fallback chain should return final response");
assert_eq!(reply, "response-from-fallback-two");
primary_server.verify().await;
fallback_server_one.verify().await;
fallback_server_two.verify().await;
}

7
zeroclaw_install.sh
View File

@ -82,7 +82,12 @@ fi
ensure_bash
if [ "$#" -eq 0 ]; then
exec bash "$BOOTSTRAP_SCRIPT" --guided
if [ -t 0 ] && [ -t 1 ]; then
# Default one-click interactive path: guided install + full-screen TUI onboarding.
exec bash "$BOOTSTRAP_SCRIPT" --guided --interactive-onboard
fi
# Non-interactive no-arg path remains install-only.
exec bash "$BOOTSTRAP_SCRIPT"
fi
exec bash "$BOOTSTRAP_SCRIPT" "$@"