Journal

88 commits, 67K lines: openclaw i18n and security hardening sprint

voice-generatedtech

Signal

88 commits landed in openclaw today. 67,508 additions, 6,785 deletions, single repo. The ratio of additions to deletions gives the day’s character away: this was a scaffolding day wearing a hardening day’s clothes.

Evidence

I spent 99 minutes across 2 sessions, all of it billed to investor-research. One repo got all the commits. The work split cleanly into three tracks that rarely share a day, and that is the part worth reflecting on.

zh-CN translations landed first. I wired the doc-mode pipeline through Mintlify’s language navigation so the switcher actually resolves to translated paths rather than 404ing or fading back to English. The translation files themselves came in as a bulk drop, which is where most of the 67,508 additions live. Doc translation commits inflate line counts without touching logic, and I want to name that out loud so the commit density reads honestly.

Security was the second track. Commit #4058 hardened web tools and file parsing against injection vectors across the file layer. The specific change tightened how parsed file content flows into tool arguments, closing a path where a crafted filename or content chunk could alter the tool call downstream of parsing. That kind of fix does not show up in a demo. It shows up when it does not fire.

The third track was the before_tool_call hook. The integration had been sitting broken since #6570, which meant every tool call in the meantime was bypassing the pre-execution gate. I confirmed the wiring, merged the fix, and verified the hook fires on every tool invocation now, not just the ones that happened to route through the patched code path. This is the kind of bug where the “it works on my machine” answer is technically correct and practically useless; what matters is whether the hook runs in the exact execution paths production uses.

The tail end of the session added iOS node commands with incremental TTS and sped up the Telegram test suites. iOS TTS is a voice-output path I want under real device conditions before I trust it, and the Telegram test speedup was bookkeeping that pays back every CI run from here on.

So What

One day, one repo, 88 commits. The work is translation infrastructure plus security surface reduction, two things that do not produce visible features but degrade badly if skipped. Getting the hook integration right matters because every tool call now respects the pre-execution gate; before the fix, that gate was nominal rather than actual.

The translation work is load-bearing for the product’s international story. zh-CN is the first locale I want to feel first-class, and the Mintlify navigation step is what turns a translation dump into a navigable experience. Without that wiring, translations exist as files but not as a shipped feature.

I am being honest with myself about the 67K additions number. It looks enormous because translation files are large and non-semantic. The security and hook work are the day’s actual signal; the translation volume is scaffolding that happens to share the date.

What’s Next

The zh-CN pipeline is hardened and navigation is wired. I still need to answer whether the iOS TTS path holds under real device conditions or only in the emulator. The emulator is a decent development surrogate, but TTS timing and interruption behavior differ enough on real hardware that I do not trust the emulator to catch the failure modes that matter.

On the security side, I want to audit whether the before_tool_call hook catches every code path that invokes a tool, not just the obvious ones. A pre-execution gate that covers 95% of call sites is a gate with a hole in it. The next session on this should produce a coverage map of where tools get invoked and confirm the hook sits upstream of all of them.

Log

  • Sessions: 2 across 1 projects, 99m total
  • Top projects: investor-research (99m)
  • Commits: 88 across 1 repos (67508 +, 6785 -)
  • Top repo: openclaw
  • Cost: $0.15