- Dashboard/CLI: allow macOS browser launching through `open` even when SSH environment variables are present, while preserving Linux SSH no-display protection. Fixes #67088. Thanks @theglove44.

- Codex app-server: keep native web search observations out of mirrored chat transcripts while preserving tool progress telemetry. Fixes #85109. Thanks @ugitmebaby.

- OpenCode Go: strip unsupported Kimi reasoning replay fields before provider requests so repeated `kimi-k2.6` turns do not fail schema validation. Fixes #83812. Thanks @Sleeck.

- Browser/CDP: add a WSL2 portproxy self-loop hint when Chrome DevTools endpoints accept connections but return an empty HTTP reply. Fixes #59209. Thanks @Owlock.

- Agents/OpenAI: preserve structured provider error code, type, and redacted body metadata on boundary-aware transport failures.

- Doctor/Codex: point native Codex asset warnings at the canonical `openclaw migrate plan codex` preview command. Fixes #84948. Thanks @markoa.

- CLI/models: make `capability model auth logout --agent` remove auth profiles from the selected non-default agent store. Fixes #85092. Thanks @islandpreneur007.

export function safeChromeCdpErrorMessage(error: unknown): string {

const message = error instanceof Error ? error.message : String(error);

const cause = error instanceof Error ? error.cause : undefined;

const causeMessage =

cause instanceof Error ? cause.message : typeof cause === "string" ? cause : undefined;

if (message && causeMessage && !message.includes(causeMessage)) {

return redactSensitiveText(`${message}: ${causeMessage}`);

}

return redactSensitiveText(message || "unknown error");

}

return `CDP diagnostic: ready after ${diagnostic.elapsedMs}ms; cdp=${redactedCdpUrl}; websocket=${redactedWsUrl}.${browser}`;

}

const websocket = redactedWsUrl ? `; websocket=${redactedWsUrl}` : "";

return `CDP diagnostic: ${diagnostic.code} after ${diagnostic.elapsedMs}ms; cdp=${redactedCdpUrl}${websocket}; ${diagnostic.message}.`;

const wslPortproxyHint =

diagnostic.code === "http_unreachable" && isLikelyEmptyHttpReply(diagnostic.message)

? " In WSL2-to-Windows Chrome setups, this can be a stale netsh portproxy self-loop where svchost/iphlpsvc owns the CDP port instead of chrome.exe; verify with tasklist /svc and curl /json/version, then remove any 127.0.0.1:9222 -> 127.0.0.1:9222 portproxy rule."

: "";

return `CDP diagnostic: ${diagnostic.code} after ${diagnostic.elapsedMs}ms; cdp=${redactedCdpUrl}${websocket}; ${diagnostic.message}.${wslPortproxyHint}`;

}

function isLikelyEmptyHttpReply(message: string): boolean {

return /empty reply|other side closed|socket closed|terminated before response/i.test(message);

}

export async function diagnoseChromeCdp(

expect(formatted).not.toContain("supersecret123");

});

it("adds a WSL2 portproxy hint for empty HTTP CDP replies", () => {

const formatted = formatChromeCdpDiagnostic({

ok: false,

code: "http_unreachable",

cdpUrl: "http://172.30.144.1:9222",

message: "fetch failed: other side closed",

elapsedMs: 12,

});

expect(formatted).toContain("svchost/iphlpsvc owns the CDP port");

expect(formatted).toContain("127.0.0.1:9222 -> 127.0.0.1:9222");

});

it("probes direct ws:// CDP URLs (with /devtools/ path) via handshake instead of HTTP", async () => {

// A direct WS endpoint like ws://host/devtools/browser/<uuid> is already

// the handshake target — isChromeReachable must NOT hit /json/version.