fix: harden webhook auth-before-body handling

2026-03-12 07:20:45 +00:00 · 2026-03-02 17:20:46 +00:00
parent dded569626
commit d3e8b17aa6
15 changed files with 789 additions and 251 deletions
--- a/package.json
+++ b/package.json
@@ -59,7 +59,7 @@
    "build:plugin-sdk:dts": "tsc -p tsconfig.plugin-sdk.dts.json",
    "build:strict-smoke": "pnpm canvas:a2ui:bundle && tsdown && pnpm build:plugin-sdk:dts",
    "canvas:a2ui:bundle": "bash scripts/bundle-a2ui.sh",
-    "check": "pnpm format:check && pnpm tsgo && pnpm lint && pnpm lint:tmp:no-random-messaging && pnpm lint:tmp:channel-agnostic-boundaries && pnpm lint:tmp:no-raw-channel-fetch && pnpm lint:plugins:no-register-http-handler && pnpm lint:auth:no-pairing-store-group && pnpm lint:auth:pairing-account-scope && pnpm check:host-env-policy:swift",
+    "check": "pnpm format:check && pnpm tsgo && pnpm lint && pnpm lint:tmp:no-random-messaging && pnpm lint:tmp:channel-agnostic-boundaries && pnpm lint:tmp:no-raw-channel-fetch && pnpm lint:plugins:no-register-http-handler && pnpm lint:webhook:no-low-level-body-read && pnpm lint:auth:no-pairing-store-group && pnpm lint:auth:pairing-account-scope && pnpm check:host-env-policy:swift",
    "check:docs": "pnpm format:docs:check && pnpm lint:docs && pnpm docs:check-links",
    "check:host-env-policy:swift": "node scripts/generate-host-env-security-policy-swift.mjs --check",
    "check:loc": "node --import tsx scripts/check-ts-max-loc.ts --max 500",
@@ -108,6 +108,7 @@
    "lint:tmp:no-random-messaging": "node scripts/check-no-random-messaging-tmp.mjs",
    "lint:tmp:no-raw-channel-fetch": "node scripts/check-no-raw-channel-fetch.mjs",
    "lint:ui:no-raw-window-open": "node scripts/check-no-raw-window-open.mjs",
+    "lint:webhook:no-low-level-body-read": "node scripts/check-webhook-auth-body-order.mjs",
    "mac:open": "open dist/OpenClaw.app",
    "mac:package": "bash scripts/package-mac-app.sh",
    "mac:restart": "bash scripts/restart-mac.sh",