424 Commits

Author SHA1 Message Date
jam
62b697c90e fix(claude-code): extract assistant text from nested message.content in stream()
Claude CLI ≥2.x emits type=assistant events where the response text is
inside message.content[{"type":"text","text":"..."}] rather than a flat
content string. The old handler only checked event.content, so every
token was silently dropped and streaming always returned an empty response.

The handler now checks the flat content field first (backward-compatible),
then falls back to joining all text blocks from message.content[].

Refs: RightNow-AI/openfang#295
2026-03-23 09:35:22 +01:00
jam
4b3b602457 fix(claude-code): inject HOME and null stdin in stream() subprocess
Mirror the same environment fixes applied to complete(): inject HOME so
the CLI locates ~/.claude/credentials when running as a service, and set
stdin to null so the process does not block on interactive input.

Refs: RightNow-AI/openfang#295
2026-03-23 09:35:05 +01:00
jam
d7bd5c6636 fix(claude-code): prevent pipe-buffer deadlock in complete() via concurrent drain
When complete() called child.wait() before reading stdout/stderr, large
responses (>64 KB) caused a deadlock: the subprocess blocked on write()
because the OS pipe buffer was full, and wait() never returned.

Fix by spawning two tokio tasks to drain stdout/stderr concurrently with
child.wait(), then collecting after the process exits.

Also inject HOME from home_dir() so the CLI finds ~/.claude/credentials
when OpenFang runs as a service, and set stdin to null so the CLI does
not stall waiting for interactive input.

Refs: RightNow-AI/openfang#295
2026-03-23 09:34:55 +01:00
jam
66e6eb2509 fix(claude-code): add message field to ClaudeStreamEvent for nested assistant content
Newer Claude CLI versions (≥2.x) emit assistant responses inside a nested
`message.content[].text` structure in stream-json events, rather than a
flat `content` string.

Add ClaudeMessageBlock and ClaudeAssistantMessage structs, plus a new
`message` field on ClaudeStreamEvent, so the stream handler can extract
text from both layouts.

Refs: RightNow-AI/openfang#295
2026-03-23 09:33:35 +01:00
jam
1365fc9635 fix(claude-code): add #[serde(default)] to ClaudeJsonOutput.result
Without this attribute, serde treats a missing `result` field as a
deserialization error even though `Option<T>` implies the field is
optional.  Some Claude CLI versions emit the response in `content` or
`text` rather than `result`; the silent parse failure caused the
driver to fall through to a plain-text read which could be empty,
triggering the "model returned an empty response" guard in the agent
loop.

Closes #295.

Co-Authored-By: Claude <noreply@anthropic.com>
2026-03-23 09:31:37 +01:00
b4iterdev
78669863b7 feat: add statically compiled native-tls to binary 2026-03-23 14:32:48 +07:00
Philippe Branchu
316bbe11c3 Add tests for sanitize_gemini_turns
- test_sanitize_drops_orphaned_function_call
- test_sanitize_keeps_valid_function_call_response_pair
- test_sanitize_drops_orphaned_function_response
- test_sanitize_merges_consecutive_same_role
- test_sanitize_empty_input

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 04:43:03 +00:00
Philippe Branchu
ff00499e8e Fix Gemini INVALID_ARGUMENT crash after message trimming
Add sanitize_gemini_turns() to enforce Gemini's strict turn-ordering
constraints after message history is trimmed. This merges consecutive
same-role turns, drops orphaned functionCall/functionResponse parts,
and removes empty turns. Also adds #[serde(default)] on GeminiContent.parts
and fixes two tests that were missing required ToolResult messages.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 04:31:40 +00:00
Philippe Branchu
1a5ae4e3ce Prepend sender identity to channel messages for agent context
The bridge now prefixes messages with [From: Name <email>] so agents
know who is speaking. Essential for multi-user rooms and for agents
that need to act on behalf of specific users (e.g., checking the
correct email account or calendar).

Updated bridge integration tests to match the new format.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-22 16:49:37 +00:00
Philippe Branchu
bf9066a602 Fix MCP bridge dropping tool results from servers that send notifications
Read response lines until finding a JSON-RPC response matching the
request ID. Previously, the bridge read one line and assumed it was
the response, causing "No result from MCP tools/call" when MCP
servers send notifications or log lines before the actual result.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-22 16:49:28 +00:00
Philippe Branchu
acf51e02a8 Fix Gemini driver crash on content entries without parts
Add #[serde(default)] to GeminiContent.parts so responses with
empty or missing parts arrays deserialize as empty Vec instead
of failing with "missing field parts".

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-22 16:47:56 +00:00
copilot-swe-agent[bot]
1c9d53df11 chore: remove generated linux-schema.json build artifact
Co-authored-by: ilteoood <6383527+ilteoood@users.noreply.github.com>
Agent-Logs-Url: https://github.com/ilteoood/openfang/sessions/7944f50c-bf8e-47ca-a936-cc6c562e36ca
2026-03-22 15:23:09 +00:00
copilot-swe-agent[bot]
b298c4c273 feat: add NVIDIA NIM provider with ZeroClaw-recommended models
- Add NVIDIA_API_KEY to .env.example
- Add 3 new ZeroClaw-recommended models: meta/llama-3.3-70b-instruct,
  nvidia/llama-3.3-nemotron-super-49b-v1.5,
  nvidia/llama-3.1-nemotron-ultra-253b-v1
- Add nemotron, nemotron-super, nemotron-ultra aliases
- Add NVIDIA NIM provider section to docs/providers.md (provider #21)
- Add NVIDIA NIM models to Model Catalog table
- Add aliases to Aliases table
- Add NVIDIA NIM to Environment Variables Summary
- Update provider/model/alias counts

Closes #787

Co-authored-by: ilteoood <6383527+ilteoood@users.noreply.github.com>
Agent-Logs-Url: https://github.com/ilteoood/openfang/sessions/7944f50c-bf8e-47ca-a936-cc6c562e36ca
2026-03-22 15:22:34 +00:00
copilot-swe-agent[bot]
f407a41a98 Initial plan 2026-03-22 15:02:53 +00:00
rager306
173c843107 fix: replace unsafe-inline CSP with per-request nonce
The dashboard CSP uses 'unsafe-inline' for script-src, which permits
any inline <script> block to execute — including attacker-injected
scripts if any endpoint reflects user input (agent names, message
content, channel descriptions, etc.).

Replace with a per-request cryptographic nonce (UUID v4):
- webchat_page generates a unique nonce on every request
- All <script> tags embed the nonce at compile time via __NONCE__ placeholder
- CSP becomes: script-src 'self' 'nonce-{nonce}' 'unsafe-eval'
  ('unsafe-eval' is still required for Alpine.js x-data expressions)
- API endpoints receive a strict default-src 'none'; frame-ancestors 'none'
  policy instead of the permissive dashboard policy

This is a standard CSP Level 2 hardening; all modern browsers support nonces.
2026-03-22 16:18:15 +07:00
rager306
b3787e07ea fix: replace unsafe Arc mutation in update_budget with RwLock
PUT /api/budget casts &Arc<AppState> to *mut KernelConfig and mutates
the budget fields through a raw pointer. This is unsound: AppState is
shared across Tokio worker threads, so two concurrent PUT /api/budget
requests cause a data race on the same memory location.

Replace with Arc<tokio::sync::RwLock<BudgetConfig>> stored on AppState,
initialized from kernel.config.budget at startup. All readers use
.read().await and all writers use .write().await. No unsafe code remains
in the budget update path.

Fixes: data race / undefined behaviour under concurrent budget updates
2026-03-22 16:16:09 +07:00
Alaundo
935c8cad88 fix(mcp): handle Streamable HTTP MCP responses with SSE framing
MCP servers using Streamable HTTP (e.g., Hindsight) wrap JSON-RPC
responses in SSE framing (event: message\ndata: {...}\n\n). The SSE
transport handler expected raw JSON, causing 'Invalid MCP SSE JSON-RPC
response' errors when connecting to these servers.

Extract the JSON payload from SSE data: lines before deserializing.
Falls back to raw body parsing for servers that return plain JSON.

Fixes connection to MCP servers implementing the Streamable HTTP
transport (MCP spec 2025-03-26).
2026-03-21 20:15:54 +01:00
anierbeck
d95270da5a Fix agent template spawning
- Ensure all templates have manifest_toml field
- Use spawnFromTemplate for templates with manifest_toml
- Fix spawnBuiltin to handle missing fields gracefully
- Update HTML template to call correct spawn method
2026-03-21 18:16:16 +01:00
anierbeck
7a2211d0f4 Expose agent templates in web interface
- Replace hardcoded list of 6 templates with all 30+ available templates
- Add category information to templates
- Combine static and dynamic templates with static templates displayed first
- Add loading and error states for template list
- Fix showDetail method for agent configuration
2026-03-21 17:03:09 +01:00
Felix
e14885fa80 fix: Empty string IDs are overwritten, leading to inconsistencies in certain models. 2026-03-21 21:02:59 +08:00
pbranchu
ccbaf90a24 Expose heartbeat default_timeout_secs in config.toml
Add a [heartbeat] section to KernelConfig so users can tune the
inactivity timeout that determines when agents are marked unresponsive.
Reactive agents (hands) that sit idle between infrequent requests were
getting marked as crashed after the hardcoded 180s default, causing
the first request after idle to fail.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-21 12:45:47 +00:00
anierbeck
f66c2525cb Expose agent templates in web interface
- Modified agents.js to fetch templates dynamically from /api/templates endpoint
- Updated API endpoint to include category information for templates
- Added category mapping logic for proper template categorization
- Updated HTML template to handle loading and error states
- Implemented fallback to hardcoded templates if API fails

This change replaces the hardcoded list of 6 templates with all 32 available
agent templates from the agents/ directory, making the web interface more
dynamic and maintainable.
2026-03-21 12:14:48 +01:00
d 🔹
842d932ae6 fix(matrix): prevent bot self-reply loop with user_id mismatch and event dedup
Two fixes for the Matrix bot stuck in infinite reply loop (#757):

1. Use validated user ID from /whoami instead of config value for
   self-message filtering. Matrix server delegation or casing
   differences can cause the configured user_id to not match the
   sender field in timeline events, so the bot processes its own
   replies and enters an infinite loop.

2. Add event ID dedup set to prevent re-processing the same event
   on sync token races or reconnects. This is a defense-in-depth
   measure that also protects against edge cases where /sync returns
   overlapping event windows.

Fixes #757
2026-03-20 16:13:22 +00:00
Felix
37d1c822f2 fix: Fix the issue of duplicate tool calls with identical arguments in certain scenarios. 2026-03-20 19:31:37 +08:00
Felix
865fd28704 fix: The command succeeded, yet the model keeps calling it repeatedly. 2026-03-20 18:22:08 +08:00
Liu
43a92a764f fix: resolve page-header overlap and overflow 2026-03-20 16:07:40 +08:00
PR Bot
17f783073e fix: correct MiniMax M2.7 model specifications per official docs
- Pricing: $0.30/$1.20 per 1M tokens (was $1.10/$4.40)
- Context window: 204,800 tokens (was 1,048,576)
- Max output: 131,072 tokens (was 16,384)
- Vision: false — M2.7 is text-only (was true)
2026-03-20 13:11:34 +08:00
jaberjaber23
db86ff4ce3 bump v0.5.1 v0.5.1 2026-03-20 03:48:59 +03:00
Jaber Jaber
ee042769e2 Merge pull request #711 from Reaster0/fix/matrix-configurable-auto-accept-invites
fix(matrix): make auto_accept_invites configurable, default to false
2026-03-20 03:13:33 +03:00
Jaber Jaber
41ffb8537a Merge pull request #742 from RightNow-AI/dependabot/cargo/zip-4.6.1
Bump zip from 2.4.2 to 4.6.1
2026-03-20 03:13:22 +03:00
Jaber Jaber
80658c94e3 Merge pull request #744 from RightNow-AI/dependabot/cargo/roxmltree-0.21.1
Bump roxmltree from 0.20.0 to 0.21.1
2026-03-20 03:13:11 +03:00
Jaber Jaber
c35301e155 Merge pull request #740 from RightNow-AI/dependabot/github_actions/docker/setup-buildx-action-4
Bump docker/setup-buildx-action from 3 to 4
2026-03-20 03:13:02 +03:00
Jaber Jaber
14f0421e7b Merge pull request #741 from RightNow-AI/dependabot/github_actions/docker/build-push-action-7
Bump docker/build-push-action from 6 to 7
2026-03-20 03:12:52 +03:00
Jaber Jaber
3f772b5b27 Merge pull request #713 from CastleOneX/pr/approvals-visibility
Fix invisible approval requests in dashboard
2026-03-20 03:12:42 +03:00
Jaber Jaber
a12547081a Merge pull request #714 from CastleOneX/pr/provider-model-normalization
Normalize provider-backed model updates
2026-03-20 03:12:32 +03:00
Jaber Jaber
63f4befe80 Merge pull request #748 from lc-soft/fix/katex-load
Load KaTeX on demand to prevent first-paint blocking
2026-03-20 03:12:21 +03:00
Jaber Jaber
0f25386e2e Merge pull request #750 from lc-soft/fix/settings-page-error
fix: settingsLoading -> loading
2026-03-20 03:12:11 +03:00
jaberjaber23
7f752dde99 bump v0.5.0 v0.5.0 2026-03-20 00:46:15 +03:00
jaberjaber23
93ef98a429 bug fixes 2026-03-20 00:33:20 +03:00
Liu
b71bd801fb fix(api): settingsLoading -> loading 2026-03-19 19:29:09 +08:00
Liu
9badeb243e fix(api): load KaTeX on demand to prevent first-paint blocking 2026-03-19 19:12:25 +08:00
dependabot[bot]
9a683ec511 Bump roxmltree from 0.20.0 to 0.21.1
Bumps [roxmltree](https://github.com/RazrFalcon/roxmltree) from 0.20.0 to 0.21.1.
- [Changelog](https://github.com/RazrFalcon/roxmltree/blob/master/CHANGELOG.md)
- [Commits](https://github.com/RazrFalcon/roxmltree/compare/v0.20.0...v0.21.1)

---
updated-dependencies:
- dependency-name: roxmltree
  dependency-version: 0.21.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-19 08:18:28 +00:00
dependabot[bot]
eaa89defd1 Bump zip from 2.4.2 to 4.6.1
Bumps [zip](https://github.com/zip-rs/zip2) from 2.4.2 to 4.6.1.
- [Release notes](https://github.com/zip-rs/zip2/releases)
- [Changelog](https://github.com/zip-rs/zip2/blob/master/CHANGELOG.md)
- [Commits](https://github.com/zip-rs/zip2/compare/v2.4.2...v4.6.1)

---
updated-dependencies:
- dependency-name: zip
  dependency-version: 4.6.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-19 08:17:54 +00:00
dependabot[bot]
d245059a01 Bump docker/build-push-action from 6 to 7
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6 to 7.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v6...v7)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-19 08:17:10 +00:00
dependabot[bot]
c30bf3e557 Bump docker/setup-buildx-action from 3 to 4
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3 to 4.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-19 08:17:06 +00:00
PR Bot
dd95f24980 feat: add MiniMax-M2.7 as new flagship model and update default alias
- Add MiniMax-M2.7 model entry (Frontier tier, 1M context, vision+tools)
- Update default 'minimax' alias to resolve to MiniMax-M2.7
- Add 'minimax-m2.7' alias for explicit model selection
- Add M2.7 pricing in metering (same as M2.5: $1.10/$4.40 per 1M tokens)
- Update model catalog tests for M2.7 as new default
- Increment MiniMax model count from 6 to 7
2026-03-19 11:48:22 +08:00
vnz
1cf36241e4 Apply rustfmt to kernel.rs (fixes CI format check)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 04:24:39 +01:00
vnz
2ab31f3d3e Apply rustfmt to changed files
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 04:24:39 +01:00
vnz
2915cb2113 Fix failed manual run pushing next_run and premature last_run in UI
- record_failure() now only recomputes next_run when the job is already
  overdue (next_run <= now), preserving the scheduled fire time when a
  manual run fails before the job's natural next_run
- Remove premature job.last_run update in scheduler.js — the job runs
  asynchronously so last_run should only reflect the server-side
  completion timestamp on the next data refresh

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 04:24:39 +01:00
vnz
7b1057df0c Add complete JSON response examples to cron endpoint docs
- GET /api/cron/jobs: show actual {jobs: [...], total} wrapper and
  document the ?agent_id query filter
- POST /api/cron/jobs: fix status code to 201 Created, show the actual
  {result: "<stringified-json>"} response shape
- GET /api/cron/jobs/{id}/status: show full JobMeta structure with
  nested job object, one_shot, last_status, consecutive_errors

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 04:24:39 +01:00