Skip to content

Commit 9cb4c5f

Browse files
Auto-merge upstream openclaw/openclaw
2 parents 96b8d4e + a90f3ff commit 9cb4c5f

57 files changed

Lines changed: 664 additions & 207 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

docs/brave-search.md

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,7 @@ OpenClaw supports Brave Search API as a `web_search` provider.
2626
config: {
2727
webSearch: {
2828
apiKey: "BRAVE_API_KEY_HERE",
29+
mode: "web", // or "llm-context"
2930
},
3031
},
3132
},
@@ -46,6 +47,11 @@ OpenClaw supports Brave Search API as a `web_search` provider.
4647
Provider-specific Brave search settings now live under `plugins.entries.brave.config.webSearch.*`.
4748
Legacy `tools.web.search.apiKey` still loads through the compatibility shim, but it is no longer the canonical config path.
4849

50+
`webSearch.mode` controls the Brave transport:
51+
52+
- `web` (default): normal Brave web search with titles, URLs, and snippets
53+
- `llm-context`: Brave LLM Context API with pre-extracted text chunks and sources for grounding
54+
4955
## Tool parameters
5056

5157
| Parameter | Description |
@@ -54,6 +60,7 @@ Legacy `tools.web.search.apiKey` still loads through the compatibility shim, but
5460
| `count` | Number of results to return (1-10, default: 5) |
5561
| `country` | 2-letter ISO country code (e.g., "US", "DE") |
5662
| `language` | ISO 639-1 language code for search results (e.g., "en", "de", "fr") |
63+
| `search_lang` | Brave search-language code (e.g., `en`, `en-gb`, `zh-hans`) |
5764
| `ui_lang` | ISO language code for UI elements |
5865
| `freshness` | Time filter: `day` (24h), `week`, `month`, or `year` |
5966
| `date_after` | Only results published after this date (YYYY-MM-DD) |
@@ -88,6 +95,9 @@ await web_search({
8895
- OpenClaw uses the Brave **Search** plan. If you have a legacy subscription (e.g. the original Free plan with 2,000 queries/month), it remains valid but does not include newer features like LLM Context or higher rate limits.
8996
- Each Brave plan includes **\$5/month in free credit** (renewing). The Search plan costs \$5 per 1,000 requests, so the credit covers 1,000 queries/month. Set your usage limit in the Brave dashboard to avoid unexpected charges. See the [Brave API portal](https://brave.com/search/api/) for current plans.
9097
- The Search plan includes the LLM Context endpoint and AI inference rights. Storing results to train or tune models requires a plan with explicit storage rights. See the Brave [Terms of Service](https://api-dashboard.search.brave.com/terms-of-service).
98+
- `llm-context` mode returns grounded source entries instead of the normal web-search snippet shape.
99+
- `llm-context` mode does not support `ui_lang`, `freshness`, `date_after`, or `date_before`.
100+
- `ui_lang` must include a region subtag like `en-US`.
91101
- Results are cached for 15 minutes by default (configurable via `cacheTtlMinutes`).
92102

93103
See [Web tools](/tools/web) for the full web_search configuration.

docs/channels/signal.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -142,7 +142,7 @@ signal-cli -a +<BOT_PHONE_NUMBER> verify <VERIFICATION_CODE>
142142

143143
```bash
144144
# If you run the gateway as a user systemd service:
145-
systemctl --user restart openclaw-gateway
145+
systemctl --user restart openclaw-gateway.service
146146

147147
# Then verify:
148148
openclaw doctor

docs/ci.md

Lines changed: 34 additions & 25 deletions
Original file line numberDiff line numberDiff line change
@@ -12,46 +12,55 @@ The CI runs on every push to `main` and every pull request. It uses smart scopin
1212

1313
## Job Overview
1414

15-
| Job | Purpose | When it runs |
16-
| ----------------- | ------------------------------------------------------------------------- | ------------------------------------------------ |
17-
| `preflight` | Docs scope, change scope, key scan, workflow audit, prod dependency audit | Always; node-based audit only on non-doc changes |
18-
| `docs-scope` | Detect docs-only changes | Always |
19-
| `changed-scope` | Detect which areas changed (node/macos/android/windows) | Non-doc changes |
20-
| `check` | TypeScript types, lint, format | Non-docs, node changes |
21-
| `check-docs` | Markdown lint + broken link check | Docs changed |
22-
| `secrets` | Detect leaked secrets | Always |
23-
| `build-artifacts` | Build dist once, share with `release-check` | Pushes to `main`, node changes |
24-
| `release-check` | Validate npm pack contents | Pushes to `main` after build |
25-
| `checks` | Node tests + protocol check on PRs; Bun compat on push | Non-docs, node changes |
26-
| `compat-node22` | Minimum supported Node runtime compatibility | Pushes to `main`, node changes |
27-
| `checks-windows` | Windows-specific tests | Non-docs, windows-relevant changes |
28-
| `macos` | Swift lint/build/test + TS tests | PRs with macos changes |
29-
| `android` | Gradle build + tests | Non-docs, android changes |
15+
| Job | Purpose | When it runs |
16+
| ------------------------ | ---------------------------------------------------------------------------------------- | ----------------------------------- |
17+
| `preflight` | Detect docs-only changes, changed scopes, changed extensions, and build the CI manifest | Always on non-draft pushes and PRs |
18+
| `security-fast` | Private key detection, workflow audit via `zizmor`, production dependency audit | Always on non-draft pushes and PRs |
19+
| `build-artifacts` | Build `dist/` and the Control UI once, upload reusable artifacts for downstream jobs | Node-relevant changes |
20+
| `checks-fast-core` | Fast Linux correctness lanes such as bundled/plugin-contract/protocol checks | Node-relevant changes |
21+
| `checks-fast-extensions` | Aggregate the extension shard lanes after `checks-fast-extensions-shard` completes | Node-relevant changes |
22+
| `extension-fast` | Focused tests for only the changed bundled plugins | When extension changes are detected |
23+
| `check` | Main local gate in CI: `pnpm check` plus `pnpm build:strict-smoke` | Node-relevant changes |
24+
| `check-additional` | Architecture and boundary guards plus the gateway watch regression harness | Node-relevant changes |
25+
| `build-smoke` | Built-CLI smoke tests and startup-memory smoke | Node-relevant changes |
26+
| `checks` | Heavier Linux Node lanes: full tests, channel tests, and push-only Node 22 compatibility | Node-relevant changes |
27+
| `check-docs` | Docs formatting, lint, and broken-link checks | Docs changed |
28+
| `skills-python` | Ruff + pytest for Python-backed skills | Python-skill-relevant changes |
29+
| `checks-windows` | Windows-specific test lanes | Windows-relevant changes |
30+
| `macos-node` | macOS TypeScript test lane using the shared built artifacts | macOS-relevant changes |
31+
| `macos-swift` | Swift lint, build, and tests for the macOS app | macOS-relevant changes |
32+
| `android` | Android build and test matrix | Android-relevant changes |
3033

3134
## Fail-Fast Order
3235

3336
Jobs are ordered so cheap checks fail before expensive ones run:
3437

35-
1. `docs-scope` + `changed-scope` + `check` + `secrets` (parallel, cheap gates first)
36-
2. PRs: `checks` (Linux Node test split into 2 shards), `checks-windows`, `macos`, `android`
37-
3. Pushes to `main`: `build-artifacts` + `release-check` + Bun compat + `compat-node22`
38+
1. `preflight` decides which lanes exist at all. The `docs-scope` and `changed-scope` logic are steps inside this job, not standalone jobs.
39+
2. `security-fast`, `check`, `check-additional`, `check-docs`, and `skills-python` fail quickly without waiting on the heavier artifact and platform matrix jobs.
40+
3. `build-artifacts` overlaps with the fast Linux lanes so downstream consumers can start as soon as the shared build is ready.
41+
4. Heavier platform and runtime lanes fan out after that: `checks-fast-core`, `checks-fast-extensions`, `extension-fast`, `checks`, `checks-windows`, `macos-node`, `macos-swift`, and `android`.
3842

3943
Scope logic lives in `scripts/ci-changed-scope.mjs` and is covered by unit tests in `src/scripts/ci-changed-scope.test.ts`.
40-
The same shared scope module also drives the separate `install-smoke` workflow through a narrower `changed-smoke` gate, so Docker/install smoke only runs for install, packaging, and container-relevant changes.
44+
The separate `install-smoke` workflow reuses the same scope script through its own `preflight` job. It computes `run_install_smoke` from the narrower changed-smoke signal, so Docker/install smoke only runs for install, packaging, and container-relevant changes.
45+
46+
On pushes, the `checks` matrix adds the push-only `compat-node22` lane. On pull requests, that lane is skipped and the matrix stays focused on the normal test/channel lanes.
4147

4248
## Runners
4349

44-
| Runner | Jobs |
45-
| -------------------------------- | ------------------------------------------ |
46-
| `blacksmith-16vcpu-ubuntu-2404` | Most Linux jobs, including scope detection |
47-
| `blacksmith-32vcpu-windows-2025` | `checks-windows` |
48-
| `macos-latest` | `macos`, `ios` |
50+
| Runner | Jobs |
51+
| -------------------------------- | ---------------------------------------------------------------------------------------------------- |
52+
| `blacksmith-16vcpu-ubuntu-2404` | `preflight`, `security-fast`, `build-artifacts`, Linux checks, docs checks, Python skills, `android` |
53+
| `blacksmith-32vcpu-windows-2025` | `checks-windows` |
54+
| `macos-latest` | `macos-node`, `macos-swift` |
4955

5056
## Local Equivalents
5157

5258
```bash
5359
pnpm check # types + lint + format
60+
pnpm build:strict-smoke
61+
pnpm test:gateway:watch-regression
5462
pnpm test # vitest tests
63+
pnpm test:channels
5564
pnpm check:docs # docs format + lint + broken links
56-
pnpm release:check # validate npm pack
65+
pnpm build # build dist when CI artifact/build-smoke lanes matter
5766
```

docs/cli/backup.md

Lines changed: 13 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ title: "backup"
88

99
# `openclaw backup`
1010

11-
Create a local backup archive for OpenClaw state, config, credentials, sessions, and optionally workspaces.
11+
Create a local backup archive for OpenClaw state, config, auth profiles, channel/provider credentials, sessions, and optionally workspaces.
1212

1313
```bash
1414
openclaw backup create
@@ -37,12 +37,19 @@ openclaw backup verify ./2026-03-09T00-00-00.000Z-openclaw-backup.tar.gz
3737

3838
- The state directory returned by OpenClaw's local state resolver, usually `~/.openclaw`
3939
- The active config file path
40-
- The OAuth / credentials directory
40+
- The resolved `credentials/` directory when it exists outside the state directory
4141
- Workspace directories discovered from the current config, unless you pass `--no-include-workspace`
4242

43-
If you use `--only-config`, OpenClaw skips state, credentials, and workspace discovery and archives only the active config file path.
43+
Model auth profiles are already part of the state directory under
44+
`agents/<agentId>/agent/auth-profiles.json`, so they are normally covered by the
45+
state backup entry.
4446

45-
OpenClaw canonicalizes paths before building the archive. If config, credentials, or a workspace already live inside the state directory, they are not duplicated as separate top-level backup sources. Missing paths are skipped.
47+
If you use `--only-config`, OpenClaw skips state, credentials-directory, and workspace discovery and archives only the active config file path.
48+
49+
OpenClaw canonicalizes paths before building the archive. If config, the
50+
credentials directory, or a workspace already live inside the state directory,
51+
they are not duplicated as separate top-level backup sources. Missing paths are
52+
skipped.
4653

4754
The archive payload stores file contents from those source trees, and the embedded `manifest.json` records the resolved absolute source paths plus the archive layout used for each asset.
4855

@@ -56,7 +63,8 @@ If you still want a partial backup in that situation, rerun:
5663
openclaw backup create --no-include-workspace
5764
```
5865

59-
That keeps state, config, and credentials in scope while skipping workspace discovery entirely.
66+
That keeps state, config, and the external credentials directory in scope while
67+
skipping workspace discovery entirely.
6068

6169
If you only need a copy of the config file itself, `--only-config` also works when the config is malformed because it does not rely on parsing the config for workspace discovery.
6270

docs/concepts/agent-workspace.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -130,7 +130,8 @@ files.
130130
These live under `~/.openclaw/` and should NOT be committed to the workspace repo:
131131

132132
- `~/.openclaw/openclaw.json` (config)
133-
- `~/.openclaw/credentials/` (OAuth tokens, API keys)
133+
- `~/.openclaw/agents/<agentId>/agent/auth-profiles.json` (model auth profiles: OAuth + API keys)
134+
- `~/.openclaw/credentials/` (channel/provider state plus legacy OAuth import data)
134135
- `~/.openclaw/agents/<agentId>/sessions/` (session transcripts + metadata)
135136
- `~/.openclaw/skills/` (managed skills)
136137

docs/concepts/models.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@ Related:
2929
- `agents.defaults.pdfModel` is used by the `pdf` tool. If omitted, the tool
3030
falls back to `agents.defaults.imageModel`, then the resolved session/default
3131
model.
32-
- `agents.defaults.imageGenerationModel` is used by the shared image-generation capability. If omitted, `image_generate` can still infer a provider default from compatible auth-backed image-generation plugins. If you set a specific provider/model, also configure that provider's auth/API key.
32+
- `agents.defaults.imageGenerationModel` is used by the shared image-generation capability. If omitted, `image_generate` can still infer an auth-backed provider default. It tries the current default provider first, then the remaining registered image-generation providers in provider-id order. If you set a specific provider/model, also configure that provider's auth/API key.
3333
- Per-agent defaults can override `agents.defaults.model` via `agents.list[].model` plus bindings (see [/concepts/multi-agent](/concepts/multi-agent)).
3434

3535
## Quick model policy

docs/gateway/configuration-reference.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -970,12 +970,12 @@ Time format in system prompt. Default: `auto` (OS preference).
970970
- Also used as fallback routing when the selected/default model cannot accept image input.
971971
- `imageGenerationModel`: accepts either a string (`"provider/model"`) or an object (`{ primary, fallbacks }`).
972972
- Used by the shared image-generation capability and any future tool/plugin surface that generates images.
973-
- Typical values: `google/gemini-3-pro-image-preview` for native Gemini image generation, `fal/fal-ai/flux/dev` for fal, or `openai/gpt-image-1` for OpenAI Images.
973+
- Typical values: `google/gemini-3.1-flash-image-preview` for native Gemini image generation, `fal/fal-ai/flux/dev` for fal, or `openai/gpt-image-1` for OpenAI Images.
974974
- If you select a provider/model directly, configure the matching provider auth/API key too (for example `GEMINI_API_KEY` or `GOOGLE_API_KEY` for `google/*`, `OPENAI_API_KEY` for `openai/*`, `FAL_KEY` for `fal/*`).
975-
- If omitted, `image_generate` can still infer a best-effort provider default from compatible auth-backed image-generation providers.
975+
- If omitted, `image_generate` can still infer an auth-backed provider default. It tries the current default provider first, then the remaining registered image-generation providers in provider-id order.
976976
- `pdfModel`: accepts either a string (`"provider/model"`) or an object (`{ primary, fallbacks }`).
977977
- Used by the `pdf` tool for model routing.
978-
- If omitted, the PDF tool falls back to `imageModel`, then to best-effort provider defaults.
978+
- If omitted, the PDF tool falls back to `imageModel`, then to the resolved session/default model.
979979
- `pdfMaxBytesMb`: default PDF size limit for the `pdf` tool when `maxBytesMb` is not passed at call time.
980980
- `pdfMaxPages`: default maximum pages considered by extraction fallback mode in the `pdf` tool.
981981
- `verboseDefault`: default verbose level for agents. Values: `"off"`, `"on"`, `"full"`. Default: `"off"`.

docs/gateway/index.md

Lines changed: 41 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -177,10 +177,47 @@ For persistence after logout, enable lingering:
177177

178178
```bash
179179
sudo loginctl enable-linger <user>
180+
```
181+
182+
Manual user-unit example when you need a custom install path:
183+
184+
```ini
185+
[Unit]
186+
Description=OpenClaw Gateway
187+
After=network-online.target
188+
Wants=network-online.target
189+
190+
[Service]
191+
ExecStart=/usr/local/bin/openclaw gateway --port 18789
192+
Restart=always
193+
RestartSec=5
194+
TimeoutStopSec=30
195+
TimeoutStartSec=30
196+
SuccessExitStatus=0 143
197+
KillMode=control-group
198+
199+
[Install]
200+
WantedBy=default.target
180201
```
181202

182203
</Tab>
183204

205+
<Tab title="Windows (native)">
206+
207+
```powershell
208+
openclaw gateway install
209+
openclaw gateway status --json
210+
openclaw gateway restart
211+
openclaw gateway stop
212+
```
213+
214+
Native Windows managed startup uses a Scheduled Task named `OpenClaw Gateway`
215+
(or `OpenClaw Gateway (<profile>)` for named profiles). If Scheduled Task
216+
creation is denied, OpenClaw falls back to a per-user Startup-folder launcher
217+
that points at `gateway.cmd` inside the state directory.
218+
219+
</Tab>
220+
184221
<Tab title="Linux (system service)">
185222

186223
Use a system unit for multi-user/always-on hosts.
@@ -190,6 +227,10 @@ sudo systemctl daemon-reload
190227
sudo systemctl enable --now openclaw-gateway[-<profile>].service
191228
```
192229

230+
Use the same service body as the user unit, but install it under
231+
`/etc/systemd/system/openclaw-gateway[-<profile>].service` and adjust
232+
`ExecStart=` if your `openclaw` binary lives elsewhere.
233+
193234
</Tab>
194235
</Tabs>
195236

docs/help/faq.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1266,7 +1266,7 @@ for usage/billing and raise limits as needed.
12661266
- **Workspace (per agent)**: `AGENTS.md`, `SOUL.md`, `IDENTITY.md`, `USER.md`,
12671267
`MEMORY.md` (or legacy fallback `memory.md` when `MEMORY.md` is absent),
12681268
`memory/YYYY-MM-DD.md`, optional `HEARTBEAT.md`.
1269-
- **State dir (`~/.openclaw`)**: config, credentials, auth profiles, sessions, logs,
1269+
- **State dir (`~/.openclaw`)**: config, channel/provider state, auth profiles, sessions, logs,
12701270
and shared skills (`~/.openclaw/skills`).
12711271

12721272
Default workspace is `~/.openclaw/workspace`, configurable via:

docs/install/clawdock.md

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -93,10 +93,11 @@ clawdock-approve <request-id>
9393
ClawDock works with the same Docker config split described in [Docker](/install/docker):
9494

9595
- `<project>/.env` for Docker-specific values like image name, ports, and the gateway token
96-
- `~/.openclaw/.env` for provider keys and bot tokens
96+
- `~/.openclaw/.env` for env-backed provider keys and bot tokens
97+
- `~/.openclaw/agents/<agentId>/agent/auth-profiles.json` for stored provider OAuth/API-key auth
9798
- `~/.openclaw/openclaw.json` for behavior config
9899

99-
Use `clawdock-show-config` when you want to inspect those files quickly. It redacts `.env` values in its printed output.
100+
Use `clawdock-show-config` when you want to inspect the `.env` files and `openclaw.json` quickly. It redacts `.env` values in its printed output.
100101

101102
## Related pages
102103

0 commit comments

Comments
 (0)