Browserless

Browserless AI

Browserless AI

Browserless AI

Browserless AI

Browserless AI

Browserless AI

Browserless AI

Browserless AI

Browserless AI

Browserless AI

chore(deps): update updates-patch-minor

> ℹ️ **Note** > > This PR body was truncated due to platform limits. This PR contains the following updates: | Package | Update | Change | |---|---|---| | 1password/connect-sync | patch | `1.8.1` → `1.8.2` | | [alpine/openclaw](https://openclaw.ai) ([source](https://redirect.github.com/openclaw/openclaw)) | minor | `2026.2.22` → `2026.3.8` | | [cloudflare/cloudflared](https://redirect.github.com/cloudflare/cloudflared) | minor | `2026.2.0` → `2026.3.0` | | kerberos/agent | patch | `v3.6.12` → `v3.6.15` | | [searxng/searxng](https://searxng.org) ([source](https://redirect.github.com/searxng/searxng)) | patch | `2026.3.8-a563127a2` → `2026.3.9-d4954a064` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/304) for more information. --- ### Release Notes <details> <summary>openclaw/openclaw (alpine/openclaw)</summary> ### [`v2026.3.8`](https://redirect.github.com/openclaw/openclaw/blob/HEAD/CHANGELOG.md#202638) [Compare Source](https://redirect.github.com/openclaw/openclaw/compare/v2026.3.7...v2026.3.8) ##### Changes - CLI/backup: add `openclaw backup create` and `openclaw backup verify` for local state archives, including `--only-config`, `--no-include-workspace`, manifest/payload validation, and backup guidance in destructive flows. ([#&#8203;40163](https://redirect.github.com/openclaw/openclaw/issues/40163)) thanks [@&#8203;shichangs](https://redirect.github.com/shichangs). - macOS/onboarding: add a remote gateway token field for remote mode, preserve existing non-plaintext `gateway.remote.token` config values until explicitly replaced, and warn when the loaded token shape cannot be used directly from the macOS app. ([#&#8203;40187](https://redirect.github.com/openclaw/openclaw/issues/40187), supersedes [#&#8203;34614](https://redirect.github.com/openclaw/openclaw/issues/34614)) Thanks [@&#8203;cgdusek](https://redirect.github.com/cgdusek). - Talk mode: add top-level `talk.silenceTimeoutMs` config so Talk waits a configurable amount of silence before auto-sending the current transcript, while keeping each platform's existing default pause window when unset. ([#&#8203;39607](https://redirect.github.com/openclaw/openclaw/issues/39607)) Thanks [@&#8203;danodoesdesign](https://redirect.github.com/danodoesdesign). Fixes [#&#8203;17147](https://redirect.github.com/openclaw/openclaw/issues/17147). - TUI: infer the active agent from the current workspace when launched inside a configured agent workspace, while preserving explicit `agent:` session targets. ([#&#8203;39591](https://redirect.github.com/openclaw/openclaw/issues/39591)) thanks [@&#8203;arceus77-7](https://redirect.github.com/arceus77-7). - Tools/Brave web search: add opt-in `tools.web.search.brave.mode: "llm-context"` so `web_search` can call Brave's LLM Context endpoint and return extracted grounding snippets with source metadata, plus config/docs/test coverage. ([#&#8203;33383](https://redirect.github.com/openclaw/openclaw/issues/33383)) Thanks [@&#8203;thirumaleshp](https://redirect.github.com/thirumaleshp). - CLI/install: include the short git commit hash in `openclaw --version` output when metadata is available, and keep installer version checks compatible with the decorated format. ([#&#8203;39712](https://redirect.github.com/openclaw/openclaw/issues/39712)) thanks [@&#8203;sourman](https://redirect.github.com/sourman). - CLI/backup: improve archive naming for date sorting, add config-only backup mode, and harden backup planning, publication, and verification edge cases. ([#&#8203;40163](https://redirect.github.com/openclaw/openclaw/issues/40163)) Thanks [@&#8203;gumadeiras](https://redirect.github.com/gumadeiras). - ACP/Provenance: add optional ACP ingress provenance metadata and visible receipt injection (`openclaw acp --provenance off|meta|meta+receipt`) so OpenClaw agents can retain and report ACP-origin context with session trace IDs. ([#&#8203;40473](https://redirect.github.com/openclaw/openclaw/issues/40473)) thanks [@&#8203;mbelinky](https://redirect.github.com/mbelinky). - Tools/web search: alphabetize provider ordering across runtime selection, onboarding/configure pickers, and config metadata, so provider lists stay neutral and multi-key auto-detect now prefers Grok before Kimi. ([#&#8203;40259](https://redirect.github.com/openclaw/openclaw/issues/40259)) thanks [@&#8203;kesku](https://redirect.github.com/kesku). - Docs/Web search: restore $5/month free-credit details, replace defunct "Data for Search"/"Data for AI" plan names with current "Search" plan, and note legacy subscription validity in Brave setup docs. Follows up on [#&#8203;26860](https://redirect.github.com/openclaw/openclaw/issues/26860). ([#&#8203;40111](https://redirect.github.com/openclaw/openclaw/issues/40111)) Thanks [@&#8203;remusao](https://redirect.github.com/remusao). - Extensions/ACPX tests: move the shared runtime fixture helper from `src/runtime-internals/` to `src/test-utils/` so the test-only he

upstream(agents): 移植 5 个冲突 commit (P0,P1) — v2026.3.7→v2026.3.8

## 任务 将以下 5 个上游 commit 的修改语义化应用到本 fork。这些 commit 无法直接 cherry-pick（存在冲突），需要理解修改意图后手动应用等效变更。 ### 上游版本范围 - **来源**: openclaw/openclaw v2026.3.7 → v2026.3.8 - **模块**: `agents` - **优先级**: P0,P1 ### 需要移植的 commit #### Commit 1: `e8775cda932f` (P1) **描述**: fix(agents): re-expose configured tools under restrictive profiles **涉及文件**: `src/agents/pi-tools.policy.test.ts,src/agents/pi-tools.policy.ts,src/plugins/config-state.test.ts,src/plugins/config-state.ts` <details> <summary>查看上游 diff</summary> ```diff diff --git a/src/agents/pi-tools.policy.test.ts b/src/agents/pi-tools.policy.test.ts index 4b7a16b4d..0cdc572c4 100644 --- a/src/agents/pi-tools.policy.test.ts +++ b/src/agents/pi-tools.policy.test.ts @@ -3,6 +3,7 @@ import type { OpenClawConfig } from "../config/config.js"; import { filterToolsByPolicy, isToolAllowedByPolicyName, + resolveEffectiveToolPolicy, resolveSubagentToolPolicy, } from "./pi-tools.policy.js"; import { createStubTool } from "./test-helpers/pi-tool-stubs.js"; @@ -176,3 +177,59 @@ describe("resolveSubagentToolPolicy depth awareness", () => { expect(isToolAllowedByPolicyName("sessions_spawn", policy)).toBe(false); }); }); + +describe("resolveEffectiveToolPolicy", () => { + it("implicitly re-exposes exec and process when tools.exec is configured", () => { + const cfg = { + tools: { + profile: "messaging", + exec: { host: "sandbox" }, + }, + } as OpenClawConfig; + const result = resolveEffectiveToolPolicy({ config: cfg }); + expect(result.profileAlsoAllow).toEqual(["exec", "process"]); + }); + + it("implicitly re-exposes read, write, and edit when tools.fs is configured", () => { + const cfg = { + tools: { + profile: "messaging", + fs: { workspaceOnly: false }, + }, + } as OpenClawConfig; + const result = resolveEffectiveToolPolicy({ config: cfg }); + expect(result.profileAlsoAllow).toEqual(["read", "write", "edit"]); + }); + + it("merges explicit alsoAllow with implicit tool-section exposure", () => { + const cfg = { + tools: { + profile: "messaging", + alsoAllow: ["web_search"], + exec: { host: "sandbox" }, + }, + } as OpenClawConfig; + const result = resolveEffectiveToolPolicy({ config: cfg }); + expect(result.profileAlsoAllow).toEqual(["web_search", "exec", "process"]); + }); + + it("uses agent tool sections when resolving implicit exposure", () => { + const cfg = { + tools: { + profile: "messaging", + }, + agents: { + list: [ + { + id: "coder", + tools: { + fs: { workspaceOnly: true }, + }, + }, + ], + }, + } as OpenClawConfig; + const result = resolveEffectiveToolPolicy({ config: cfg, agentId: "coder" }); + expect(result.profileAlsoAllow).toEqual(["read", "write", "edit"]); + }); +}); diff --git a/src/agents/pi-tools.policy.ts b/src/agents/pi-tools.policy.ts index db9a36755..61d037dd9 100644 --- a/src/agents/pi-tools.policy.ts +++ b/src/agents/pi-tools.policy.ts @@ -2,6 +2,7 @@ import { getChannelDock } from "../channels/dock.js"; import { DEFAULT_SUBAGENT_MAX_SPAWN_DEPTH } from "../config/agent-limits.js"; import type { OpenClawConfig } from "../config/config.js"; import { resolveChannelGroupToolsPolicy } from "../config/group-policy.js"; +import type { AgentToolsConfig } from "../config/types.tools.js"; import { normalizeAgentId } from "../routing/session-key.js"; import { resolveThreadParentSessionKey } from "../sessions/session-key-utils.js"; import { normalizeMessageChannel } from "../utils/message-channel.js"; @@ -196,6 +197,37 @@ function resolveProviderToolPolicy(params: { return undefined; } +function resolveExplicitProfileAlsoAllow(tools?: OpenClawConfig["tools"]): string[] | undefined { + return Array.isArray(tools?.alsoAllow) ? tools.alsoAllow : undefined; +} + +function hasExplicitToolSection(section: unknown): boolean { + return section !== undefined && section !== null; +} + +function resolveImplicitProfileAlsoAllow(params: { + globalTools?: OpenClawConfig["tools"]; + agentTools?: AgentToolsConfig; +}): string[] | undefined { + const implicit = new Set<string>(); + if ( + hasExplicitToolSection(params.agentTools?.exec) || + hasExplicitToolSection(params.globalTools?.exec) + ) { + implicit.add("exec"); + implicit.add("process"); + } + if ( + hasExplicitToolSection(params.agentTools?.fs) || + hasExplicitToolSection(params.globalTools?.fs) + ) { + implicit.add("read"); + implicit.add("write"); + implicit.add("edit"); + } + return implicit.size > 0 ? Array.from(implicit) : undefined; +} + export function resolveEffectiveToolPolicy(params: { config?: OpenClawConfig; sessionKey?: string; @@ -226,6 +258,15 @@ export function resolveEffectiveToolPolicy(params: { modelProvider: params.modelProvider, modelId: params.modelId, }); + const explicitProfileAl