vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-12 09:41:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
29,858 Commits 1,233 Branches 104 Tags
0ebeee8b0de41611a59500d257ae78b513cbd2d4
Commit Graph

18526 Commits

Author SHA1 Message Date
Peter Steinberger
0ebeee8b0d chore: enable consistent-return 2026-04-10 20:56:43 +01:00
Agustin Rivera
121c452d66 fix(browser): tighten strict browser hostname navigation (#64367) 
* fix(browser): tighten strict browser hostname navigation

* fix(browser): address review follow-ups

* chore(changelog): add strict browser hostname navigation entry

* fix(browser): remove stale state prop from SelectionDeps call site

The PR's SelectionDeps uses getSsrFPolicy instead of the full state
object; the state property was leftover from an earlier iteration.

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 13:18:53 -06:00
Peter Steinberger
4164d6fc4c test: narrow auto-reply command imports 2026-04-10 20:16:54 +01:00
Peter Steinberger
04c8026d03 chore: enable no-unnecessary-type-arguments 2026-04-10 20:14:49 +01:00
Peter Steinberger
dfe4c2d16d chore: enable no-floating-promises 2026-04-10 20:14:49 +01:00
Peter Steinberger
01113566fd chore: enable await-thenable 2026-04-10 20:14:49 +01:00
Peter Steinberger
cdb944ef0a chore: enable no-misused-spread 2026-04-10 20:14:49 +01:00
Peter Steinberger
1088904a47 test: skip provider runtime hints in config test 2026-04-10 20:12:16 +01:00
Agustin Rivera
c949af9fab fix(media): honor sender policy for host media reads (#64459) 
* fix(media): honor sender policy for host media reads

* fix(media): clarify host read group policy gating

* fix(media): forward sender identity for outbound reads

* fix(media): propagate non-id sender fields through outbound session for e164/username/name policy matching

* fix(media): preserve requester provider for host read policy

* fix(media): forward full sender identity through followup and core send paths

* fix(media): forward requester session/account context through core send fallback

* fix(media): preserve account policy fallback for requester-scoped host reads

* chore(changelog): add outbound media sender-policy entry

* fix(media): align test call shape with production — omit messageProvider when sessionKey is set

Addresses P2 review: production call sites pass messageProvider: undefined
when sessionKey is present; tests should mirror that so regressions in
the precedence order are caught.

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 13:07:56 -06:00
Peter Steinberger
5df7771d0c test: keep browser subpath test import-only 2026-04-10 20:06:00 +01:00
Peter Steinberger
a96b97979d test: align browser subpath ssrf default 2026-04-10 20:03:28 +01:00
Peter Steinberger
8640b89158 test: trim provider contract slow paths 2026-04-10 20:00:48 +01:00
Agustin Rivera
e3a845bde5 Normalize agent hook system event trust handling (#64372) 
* fix(hooks): sanitize agent hook system events

Co-authored-by: zsx <git@zsxsoft.com>

* chore(changelog): add agent hook trust normalization entry

---------

Co-authored-by: zsx <git@zsxsoft.com>
Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 12:56:00 -06:00
Peter Steinberger
a6edccad3d test: align plugin install denylist expectations 2026-04-10 19:42:38 +01:00
Agustin Rivera
905f19230a Align external marker span mapping (#63885) 
* fix(markers): align external marker spans

* fix(browser): ssrfPolicy defaults fail-closed for unconfigured installs (GHSA-53vx-pmqw-863c)

* fix(browser): enforce strict default SSRF policy

* chore(changelog): add browser SSRF default + marker alignment entry

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 12:35:20 -06:00
Peter Steinberger
a52d38275e test: remove duplicate agent reset e2e 2026-04-10 19:30:24 +01:00
Peter Steinberger
cbce38d78c style: format post-rebase files 2026-04-10 19:28:42 +01:00
Peter Steinberger
59925c1a74 chore: update dependencies and oxc tooling 2026-04-10 19:28:42 +01:00
Peter Steinberger
e7db987ce6 test: trim heavy imports and harden ci checks 2026-04-10 19:23:10 +01:00
Peter Steinberger
d9b33205dc test: move disabled compat routes to http harness 2026-04-10 19:21:55 +01:00
Peter Steinberger
15c6748c01 test: stabilize vitest full-suite runner 2026-04-10 19:17:39 +01:00
Peter Steinberger
f6ed276f51 style: apply updated formatter output 2026-04-10 19:17:39 +01:00
Peter Steinberger
ea8d0833c3 test: trim gateway auth slow paths 2026-04-10 19:16:55 +01:00
Peter Steinberger
56468cdb06 fix: align plugin install denylist scan tests 2026-04-10 18:57:52 +01:00
Peter Steinberger
d522dc637e test: trim embedded agents slow paths 2026-04-10 18:33:03 +01:00
Michael Appel
9f97ad857a fix(security): pin axios to 1.15.0 and add dependency denylist for plugin installs [AI-assisted] (#63891) 
* fix: address issue

* fix: address review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* Plugins: fix install security CI regressions

* Plugins: make manifest traversal linear

* Plugins: bound manifest security traversal

* Plugins: block denied node_modules package dirs

* Plugins: match node_modules case-insensitively

* Plugins: block denied package symlink paths

* Tests: normalize blocked symlink assertion

* Plugins: fail closed on unreadable denied paths

* Plugins: block denied node_modules file aliases

* Plugins: inspect node_modules symlink targets

* Plugins: preserve symlink target package paths

* fix: address PR review feedback

* chore(changelog): add axios pin and dependency denylist entry

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 11:20:05 -06:00
Gustavo Madeira Santana
9b44929f28 fix(gateway): preserve restart sentinel account routing 2026-04-10 13:16:19 -04:00
Peter Steinberger
527601d7a5 fix: align channel owner context test types 2026-04-10 18:14:14 +01:00
Michael Appel
19a2e9ddb5 fix(infra): extend exec completion detection to cover local background exec formats [AI-assisted] (#64376) 
* fix: address issue

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* chore(changelog): add exec completion owner-downgrade entry

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 11:07:14 -06:00
Peter Steinberger
e1a2a26ec9 test: isolate agent runtime mocks 2026-04-10 18:06:49 +01:00
Peter Steinberger
cbc4447d6b test: narrow doctor config matrix helper import 2026-04-10 18:05:02 +01:00
Agustin Rivera
8dfbf3268b fix(browser): gate sandbox noVNC helper auth 
Require bridge auth before /sandbox/novnc token redemption and keep the noVNC observer URL out of model-visible prompt context.

Local verification:
- pnpm test extensions/browser/src/browser/bridge-server.auth.test.ts src/agents/sanitize-for-prompt.test.ts src/agents/pi-embedded-runner.buildembeddedsandboxinfo.test.ts

Note: pnpm check currently fails on latest main in unrelated files (src/agents/tools/message-tool.ts and src/gateway/mcp-http.test.ts), outside this PR diff.

Thanks @eleqtrizit.

Co-authored-by: eleqtrizit <31522568+eleqtrizit@users.noreply.github.com>
 2026-04-10 18:01:26 +01:00
Michael Appel
979c6f09d6 fix: include image param in sandbox media normalization [AI-assisted] (#64377) 
* fix: address issue

* chore(changelog): add Discord event image sandbox entry

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 11:01:04 -06:00
Peter Steinberger
56d3f97e23 test: use lightweight channel status stubs 2026-04-10 18:00:45 +01:00
Peter Steinberger
710a19dd86 fix: repair latest main type drift 2026-04-10 18:00:45 +01:00
Peter Steinberger
b9981c8ee8 test: inject setup command side effects 2026-04-10 17:57:15 +01:00
Agustin Rivera
fe0f686c92 Gate Matrix profile updates for non-owner message tool runs (#62662) 
Merged via squash.

Prepared head SHA: 602b16a676
Co-authored-by: eleqtrizit <31522568+eleqtrizit@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-04-10 12:56:17 -04:00
Peter Steinberger
1c1fe8a405 test: remove duplicate workspace auth choice e2e 2026-04-10 17:52:44 +01:00
Peter Steinberger
9031a9b2cc test: narrow legacy doctor migration hot paths 2026-04-10 17:51:15 +01:00
Menglin Li
36c3a54b51 fix(gateway): plug long-running memory leaks 
Prune stale gateway control-plane rate-limit buckets, bound transcript-session lookup caching, clear agent event sequence state with run contexts, and clear node wake/nudge state on disconnect.\n\nVerified locally after rebasing onto main:\n\n- pnpm test src/gateway/control-plane-rate-limit.test.ts src/gateway/session-transcript-key.test.ts src/infra/agent-events.test.ts src/gateway/server-methods/nodes.invoke-wake.test.ts\n- pnpm check\n\nCo-authored-by: lml2468 <39320777+lml2468@users.noreply.github.com>
 2026-04-10 17:45:12 +01:00
Devin Robison
54ae138db7 fix: the cron isolated agent in openclaw unconditiona (#383) (#63878) 2026-04-10 10:44:22 -06:00
Gustavo Madeira Santana
9c44f10026 fix: preserve canonical restart sentinel routes (#64391) 
Merged via squash.

Prepared head SHA: 0183c1782f
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-04-10 12:44:07 -04:00
Devin Robison
dffad08529 fix: a sandboxed agent can request host node in an ex (#384) (#63880) 2026-04-10 10:40:27 -06:00
Peter Steinberger
777c6f7580 refactor: split manifest command alias helpers 2026-04-10 17:37:31 +01:00
Peter Steinberger
5f3356a746 refactor: split session store key helper 2026-04-10 17:37:25 +01:00
EVA
47c0a5135a fix: dedupe delivered subagent completion announces (#61525) (thanks @100yenadmin) 
* fix(subagents): dedupe delivered completion announces

* refactor(subagents): distill cleanup delivery status writes

* fix: dedupe delivered subagent completion announces (#61525) (thanks @100yenadmin)

---------

Co-authored-by: Eva <eva@100yen.org>
Co-authored-by: Ayaan Zaidi <hi@obviy.us>
 2026-04-10 22:06:46 +05:30
Peter Steinberger
c077af987f perf: add narrow inbound roots sdk surface 2026-04-10 17:34:41 +01:00
Peter Steinberger
bac98d4218 test: reduce media contract import cost 2026-04-10 17:31:08 +01:00
Gustavo Madeira Santana
5d2225212d fix(matrix): preserve ACP thread binding targets (#64343) 
Merged via squash.

Prepared head SHA: def7dcda96
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-04-10 12:30:08 -04:00
Ayaan Zaidi
2f84e73c18 fix(agents): always emit terminal lifecycle events 2026-04-10 21:58:20 +05:30