Conversation
- Fact-check (#5): openclaw tasks -> openclaw flows across Part 24, 26, 27, README; expanded March CVE wave to Feb-Mar with CVE-2026-25253/25157/25158 and CVSS 9.9 WebSocket bypass; added ClawHavoc / Antiy CERT / Trend Micro / Kaspersky framing to Part 23; hedged 'openclaw secrets reload' verb since it varies across 2026.4.x betas and pointed at the Canvas Model Auth status card + models.authStatus gateway method; added OpenClaw docs (clawdocs.org) + changelog (openclawai.io/changelog) links; tightened Part 25 version table (v4.0 Agent OS, v4.1 ClawHub, v4.2 ACP with accurate dates); Unicode em-dash cleanup across files. - Retire Part 16 (#3): deleted part16-autodream-memory-consolidation.md; added one-paragraph retirement note in Part 22 (README) and updated inbound links in README, Part 26, CONTRIBUTING.md; retired-pattern checklist items now point at Part 22 / Part 26. - Decision trees (#4): every part (14 external + 12 README-embedded + the new Part 28) now opens with a 'Read this if / Skip if' callout so readers can self-route. - Glossary (#2): new Part 28 with ~30 terms (MOC, autoDream, Task Brain, ACP, Ralph loop, ClawHub, ClawHavoc, memory-lancedb, LightRAG, DREAMS.md, semantic approval categories, localModelLean, gateway daemon, coordinator protocol, CVE wave, etc.), cross-linked from the themed TOC, 'Navigate By Goal', and 'Primers & references' blocks. Co-Authored-By: Rob <onerobby@gmail.com>
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
| **📖 Reference** | ||
| 25. [Architecture Overview (v4.0+)](./part25-architecture-overview.md) — gateway / agents / memory / skills / surfaces primer | ||
| 26. [Migration Guide](./part26-migration-guide.md) — opinionated upgrade paths with rollback | ||
| 27. [Common Gotchas & FAQ](./part27-gotchas-and-faq.md) — symptom-indexed troubleshooting | ||
| 28. [Glossary & Terminology](./part28-glossary-and-terminology.md) — every term this guide assumes, on one page |
There was a problem hiding this comment.
🟡 Parts 25–28 duplicated in the Full Table of Contents ("Links > inline duplication" rule violation)
The PR adds a new 📖 Reference section (lines 168–172) to the Full Table of Contents that re-lists Parts 25, 26, 27, and 28 — all of which are already listed under the 🎯 Primers & references section (lines 128–131). This violates the CONTRIBUTING.md style rule: "Links > inline duplication. If something is already covered in another part, link to it." The same four parts appear twice in the same TOC with slightly different descriptions, creating maintenance burden and visual noise.
Was this helpful? React with 👍 or 👎 to provide feedback.
|
|
||
| - **Covered in:** [Part 15 — Infrastructure Hardening](./part15-infrastructure-hardening.md), [Part 25 — Architecture Overview](./part25-architecture-overview.md). | ||
|
|
||
| ## MOC — Map of Contents |
There was a problem hiding this comment.
🟡 Glossary defines MOC as "Map of Contents" but the rest of the guide consistently uses "Map of Content"
The glossary entry at part28-glossary-and-terminology.md:148 defines MOC as "Map of Contents" (with a trailing 's' on "Contents"). Every other usage across the guide says "Maps of Content" (plural, no 's') or "Map of Content" (singular, no 's') — see README.md:1039 ("MOCs (Maps of Content)"), README.md:1068 ("MOCs - Maps of Content"), part9-vault-memory.md:46 ("MOCs (Maps of Content)"), and part9-vault-memory.md:70 ("MOCs — Maps of Content"). Since the glossary is the canonical terminology reference for the guide, this inconsistency is especially problematic — readers will learn the wrong expansion.
Was this helpful? React with 👍 or 👎 to provide feedback.
| | **v2026.4.x** | 2026-04 | memory-core built-in dreaming; plus rolling fixes | Part 22 replaces the custom autoDream from Part 16. | | ||
| | **v2026.4.15-beta.1** | 2026-04-15 | memory-lancedb cloud storage, Copilot embeddings, `localModelLean`, compaction reserve-token cap, gateway auth hot-reload, approvals secret redaction, `memory_get` canonical-only | This guide's current baseline. | | ||
| | **v4.0 — "The Agent OS"** | 2026-02-20 | Ground-up rewrite: gateway daemon, Canvas UI, native cron scheduling, 15+ messaging platforms (WhatsApp, Telegram, Discord, Slack, iMessage, WeChat, Line, Signal, Matrix, Teams…), new plugin API | The architecture the rest of this guide assumes. | | ||
| | **v4.1 — ClawHub** | 2026-03-15 | Official skills marketplace, Claude Code ACP harness, Soul.md semantic memory | 13K+ skills in a week; also the ClawHavoc supply-chain incident (1,184 malicious skills confirmed by Antiy CERT). See [Part 23](./part23-clawhub-skills-marketplace.md). | |
There was a problem hiding this comment.
🟡 Factual contradiction: glossary and Part 25 say "13K+ skills in the first week" but Part 23 says "first ~30 days"
This PR introduces two new claims that contradict the existing authoritative source:
part25-architecture-overview.md:112: "13K+ skills in a week"part28-glossary-and-terminology.md:55: "13K+ skills published in the first week"
But part23-clawhub-skills-marketplace.md:26 (the dedicated skills marketplace part and the canonical source for this claim) says "13,000+ skills published in the first ~30 days." A week vs ~30 days is a 4x difference in timeframe. Since Part 23 is the detailed source, the new text in Parts 25 and 28 should match it.
Prompt for agents
The version history table in part25-architecture-overview.md line 112 says '13K+ skills in a week' but the authoritative source — part23-clawhub-skills-marketplace.md line 26 — says '13,000+ skills published in the first ~30 days.' The same incorrect 'first week' claim also appears in the new part28-glossary-and-terminology.md line 55. Both should be updated to match Part 23's '~30 days' timeframe. Check for any other occurrences of this claim and ensure consistency.
Was this helpful? React with 👍 or 👎 to provide feedback.
…_get excerpt cap, tool-name collision rejection Co-Authored-By: Rob <onerobby@gmail.com>
|
|
||
| | Cause | Fix | | ||
| |-------|-----| | ||
| | 2026.4.15 stable flipped `dreaming.storage.mode` default from `inline` → `separate` | They're now at `memory/dreaming/{light-sleep,rem-sleep}/YYYY-MM-DD.md`. If you want the old behavior, set `plugins.entries.memory-core.config.dreaming.storage.mode: "inline"` in memory-core config. See [Part 22](./README.md#part-22-built-in-dreaming) + [Part 26](./part26-migration-guide.md#path-5-v20264-15-beta-1-v20264-15-stable). | |
There was a problem hiding this comment.
🟡 Broken anchor fragment in link to Part 26 Path 5 (dot-to-hyphen mismatch in slug)
The link ./part26-migration-guide.md#path-5-v20264-15-beta-1-v20264-15-stable uses a hand-written anchor that doesn't match the slug GitHub actually generates from the heading ## Path 5: v2026.4.15-beta.1 → v2026.4.15 (stable) at part26-migration-guide.md:131. GitHub's github-slugger strips dots (.) entirely, producing path-5-v2026415-beta1--v2026415-stable, but the link treats dots as hyphens yielding path-5-v20264-15-beta-1-v20264-15-stable. Users clicking the link land on the page but don't scroll to the section. CI won't catch this because lychee.toml sets include_fragments = false.
Prompt for agents
The anchor fragment #path-5-v20264-15-beta-1-v20264-15-stable does not match the GitHub-generated slug for the heading '## Path 5: v2026.4.15-beta.1 → v2026.4.15 (stable)' in part26-migration-guide.md. GitHub's github-slugger strips dots entirely, so '2026.4.15' becomes '2026415' not '20264-15', and '.1' in 'beta.1' becomes '1' not '-1'. The correct anchor is likely #path-5-v2026415-beta1--v2026415-stable (note the double-hyphen from the arrow removal leaving adjacent spaces). This same broken anchor also appears in part28-glossary-and-terminology.md line 170. Fix both occurrences, or alternatively add an explicit HTML anchor id to the heading in part26-migration-guide.md to match the slug used in the links.
Was this helpful? React with 👍 or 👎 to provide feedback.
|
|
||
| As of **2026.4.15 stable**, `memory_get` no longer returns whole files by default. Excerpts are capped and the tool response includes **explicit continuation metadata** (a cursor the agent uses to fetch the next chunk deterministically). Combined with trimmed startup/skills prompt budgets, this keeps long sessions from silently ballooning. Skills that assumed full-file reads need a small cursor loop after the upgrade. | ||
|
|
||
| - **Covered in:** [Part 4 — Memory](./README.md#part-4-memory-stop-forgetting-everything), [Part 26 — Migration Guide](./part26-migration-guide.md#path-5-v20264-15-beta-1-v20264-15-stable), [Part 27 — Gotchas & FAQ](./part27-gotchas-and-faq.md). |
There was a problem hiding this comment.
🟡 Same broken anchor fragment in Part 28 glossary link to Part 26 Path 5
Same issue as the Part 27 instance: part26-migration-guide.md#path-5-v20264-15-beta-1-v20264-15-stable won't resolve because GitHub's slug generation strips dots rather than converting them to hyphens. The actual anchor generated from the heading at part26-migration-guide.md:131 would be path-5-v2026415-beta1--v2026415-stable.
Prompt for agents
The anchor fragment #path-5-v20264-15-beta-1-v20264-15-stable does not match the GitHub-generated slug for the heading at part26-migration-guide.md:131. GitHub's github-slugger strips dots, so the correct slug is approximately #path-5-v2026415-beta1--v2026415-stable. Fix the anchor here and in part27-gotchas-and-faq.md:103 which has the same issue, or add an explicit HTML anchor to the heading in part26.
Was this helpful? React with 👍 or 👎 to provide feedback.
devin-ai-integration
bot
changed the title
1 participant
Summary
Originally four targeted improvements from the PR #4 follow-up list. While this PR was open, OpenClaw cut 2026.4.15 stable (April 16, 2026), so scope grew to also fold the stable-release changes into the guide:
dreaming.storage.modeflip,memory_getexcerpt cap + continuation metadata, gateway tool-name collision rejection, and the other stable-release items folded into existing parts (no new parts needed).Type of change
Review checklist
markdownlint-cli2locally (CI runs lychee too)What landed — 2026.4.15 stable refresh (new to this PR)
opusaliases + Claude CLI defaults + bundled image understanding)dreaming.storage.modedefault flippedinline→separate(phase blocks now atmemory/dreaming/{phase}/YYYY-MM-DD.md)memory_getdefault excerpt cap + continuation metadata; trimmed startup/skills prompt budgetsBrowser,Exec,exec+ trailing space) that normalize-collide with a built-in return400 invalid_request_error; closes local-media trust-inheritance vectorv2026.4.15-beta.1(Apr 15) andv2026.4.15 stable(Apr 16) now separate rows in Part 25README badge + tested-version header moved to 2026.4.15 (April 16, 2026).
What landed — original four improvements
#5 Fact-check
openclaw tasks …CLIopenclaw flows list / show / cancel, backed by "task flow registry" in release notes.openclaw secrets reloadmodels.authStatusis the supported hot-reload path.models.authStatus.agents.defaults.experimental.localModelLeanCVE-2026-25253(one-click RCE),CVE-2026-25157(command injection),CVE-2026-25158(path traversal), WebSocket shared-auth scope escalation at CVSS 9.9.openclaw-team/*skill names\u2014/\u2013/ curly-quote byte sequences.#3 Retire Part 16
part16-autodream-memory-consolidation.mddeleted.CONTRIBUTING.mddeprecation guidance points at Part 22's tombstone as canonical example.grep -rn 'part16\|part-16-'→ zero matches.#4 Decision trees
Every part opens with a two-line "Read this if / Skip if" callout:
#2 Glossary
Part 28 — Glossary & Terminology: ~30 alphabetical entries, each cross-linked to the part that introduces the term. New 4.15-stable entries: Claude Opus 4.7,
dreaming.storage.mode,memory_getexcerpt cap (default), Tool-name normalize-collision rejection. Linked from README in three places.Sources
Notes / flagged items
These are softened rather than asserted — public sources don't contradict them, but I can't fully verify them either:
openclaw secrets reloadCLI verb spelling (verb has moved across betas; left hedged).openclaw-team/*skill slugs (placeholder; read as role descriptions, not specific slugs).CI
markdownlint + lychee (internal) + Devin Review — 3/3 green at
735f204.Link to Devin session: https://app.devin.ai/sessions/df6f8c16f82e448b915735660ed94fb7
Requested by: @OnlyTerp