* public-gh/master:
fix: disable secure cookies for HTTP deployments
feat(adapters): add claude-sonnet-4-6 and claude-haiku-4-6 models
Add opencode-ai to global npm install in Dockerfile
fix: correct env var priority for authDisableSignUp
Add pi-local package.json to Dockerfile
feat: add auth.disableSignUp config option
refactor: extract roleLabels to shared constants
fix(secrets): add secretKeys tracking to resolveEnvBindings for consistent redaction
fix(db): reuse MIGRATIONS_FOLDER constant instead of recomputing
fix(server): wake agent when issue status changes from backlog
fix(server): use home-based path for run logs instead of cwd
fix(db): use fileURLToPath for Windows-safe migration paths
fix(server): auto-deduplicate agent names on creation instead of rejecting
feat(ui): show human-readable role labels in agent list and properties
fix(ui): prevent blank screen when prompt template is emptied
fix(server): redact secret-sourced env vars in run logs by provenance
fix(cli): split path and query in buildUrl to prevent %3F encoding
fix(scripts): use shell on Windows to fix spawn EINVAL in dev-runner
Heartbeat runs recorded costs via direct SQL inserts into costEvents and
agents.spentMonthlyCents, bypassing costService.createEvent(). This skipped:
- companies.spentMonthlyCents update (company budget never incremented)
- Agent auto-pause when budget exceeded (enforcement gap)
Now calls costService(db).createEvent() which handles all three:
insert cost event, update agent spend, update company spend, and
auto-pause agent when budgetMonthlyCents is exceeded.
Fixes login failing silently on authenticated + private deployments
served over plain HTTP (e.g. Tailscale, LAN). Users can sign up and
sign in, but the session cookie is rejected by the browser so they
are immediately redirected back to the login page.
Better Auth defaults to __Secure- prefixed cookies with the Secure
flag when NODE_ENV=production. Browsers silently reject Secure cookies
on non-HTTPS origins. This detects when PAPERCLIP_PUBLIC_URL uses
http:// and sets useSecureCookies: false so session cookies work
without HTTPS.
- Env var now properly overrides file config in both directions
- Follows established pattern for boolean config flags
- Removed redundant ?? false (field is typed boolean)
- PAPERCLIP_AUTH_DISABLE_SIGN_UP can now set to 'false' to
override file config's 'true'
- Added disableSignUp to authConfigSchema in config-schema.ts
- Added authDisableSignUp to Config interface
- Added parsing from PAPERCLIP_AUTH_DISABLE_SIGN_UP env or config file
- Passed to better-auth emailAndPassword.disableSignUp
When true, blocks new user registrations on public instances.
Defaults to false (backward compatible).
Fixes#241
resolveEnvBindings now returns { env, secretKeys } matching the pattern
already used by resolveAdapterConfigForRuntime, so any caller can redact
secret-sourced values by provenance rather than key-name heuristics alone.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
res.sendFile can emit NotFoundError from the send module in certain
path resolution scenarios, causing 500s on company-scoped SPA routes.
Cache index.html at startup and serve it directly, which is both
more reliable and faster.
Fixes#233
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Previously, agents were only woken when the assignee changed. Now
also wakes the assigned agent when an issue transitions out of
backlog status (e.g. backlog -> todo).
Fixes#167
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Run logs defaulted to process.cwd()/data/run-logs, placing logs in
unexpected locations when launched from non-home directories. Now
defaults to ~/.paperclip/instances/<id>/data/run-logs/.
Fixes#89
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace assertCompanyShortnameAvailable with deduplicateAgentName in
the create path so duplicate names get auto-suffixed (e.g. Engineer 2)
instead of throwing a conflict error.
Fixes#232
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
resolveAdapterConfigForRuntime now returns a secretKeys set tracking
which env vars came from secret_ref bindings. The onAdapterMeta
callback uses this to redact them regardless of key name.
Fixes#234
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add 400 response for /issues without companyId, tag issue.updated
activity with source:comment when triggered by a comment, and mark
comment activities with updated:true when field changes accompany them.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Extract attachErrorContext helper to DRY up the error handler, attach the
original Error object to res.err so pino can serialize stack traces, and
rename the log context key from err to errorContext so it doesn't clash
with pino's built-in err serializer.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add catch-all handler after API router to return a proper 404 JSON
response instead of falling through to the SPA handler.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Update cwd test to expect an error for missing directories (matches
createIfMissing: false accepted from review)
- Add warn-level check for non-ProviderModelNotFoundError failures
during best-effort model discovery when no model is configured
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Update cwd test to expect an error for missing directories (matches
createIfMissing: false accepted from review)
- Add warn-level check for non-ProviderModelNotFoundError failures
during best-effort model discovery when no model is configured
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Ensure unique URL-safe shortnames by appending numeric suffixes when
collisions occur. Applied during project creation, update, and company
import flows.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
New adapter type for invoking OpenClaw agents via the gateway protocol.
Registers in server, CLI, and UI adapter registries. Adds onboarding
wizard support with gateway URL field and e2e smoke test script.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When a company has "require board approval for new agents" enabled,
hiring an agent creates a pending approval that requires the user
(as a board member) to approve before the agent can start working.
However, the sidebar inbox badge did not include pending approvals
in its count, so there was no visual indicator that action was needed.
Users had no way of knowing an approval was waiting unless they
happened to open the Inbox page manually.
The root cause: the sidebar-badges service correctly included
approvals in the inbox total, but the route handler overwrites
badges.inbox to add alertsCount and staleIssueCount — and in
doing so dropped badges.approvals from the sum.
Add badges.approvals to the inbox count recalculation so that
pending and revision-requested approvals surface in the sidebar
notification badge alongside failed runs, alerts, stale work,
and join requests.
Affected files:
- server/src/routes/sidebar-badges.ts
Accept x-openclaw-token as the preferred auth header for OpenClaw
invite/join flows, falling back to x-openclaw-auth for backwards
compatibility. Update diagnostics messages accordingly.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
