vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-06-28 01:13:35 +00:00
Code Issues Packages Projects Releases Wiki Activity
31,182 Commits 1,843 Branches 149 Tags
0eebb49fefab6eb445ea9e607f36c5df29ae4c21
Commit Graph

2510 Commits

Author SHA1 Message Date
ly85206559
36820f1676 Agents: fix Windows drive path join for read/sandbox tools (#54039) (#66193) 
* Agents: fix Windows drive path join for read/sandbox tools (#54039)

* fix(agents): harden Windows file URL path mapping

* fix(agents): reject encoded file URL separators

* Update CHANGELOG.md

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
 2026-04-14 02:20:25 +01:00
Peter Steinberger
aac84372ab fix(outbound): suppress relay status placeholder leaks 2026-04-14 01:27:06 +01:00
Vincent Koc
955270fb73 fix(ci): repair telegram ui and watch regressions 2026-04-13 23:49:59 +01:00
Agustin Rivera
48aae82bbc fix(outbound): replay queued session context (#66025) 
* fix(outbound): preserve replay session context

* fix(outbound): remove user work log

* changelog: note outbound session-context replay fix (#66025)

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-13 13:30:42 -06:00
Pavan Kumar Gondhi
31281bc92f fix(heartbeat): force owner downgrade for untrusted hook:wake system events [AI-assisted] (#66031) 
* fix: address issue

* fix: address PR review feedback

* fix: address review-pr skill feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* docs: add changelog entry for PR merge
 2026-04-14 00:14:17 +05:30
Vincent Koc
114ff23f2a perf(config): skip shell env fallback for explicit empty vars 2026-04-13 19:09:11 +01:00
Vincent Koc
b6abd68a29 perf(channels): split hot-path message channel normalization 2026-04-13 18:22:12 +01:00
Vincent Koc
96a6f55da8 perf(utils): isolate message channel normalization 2026-04-13 17:34:46 +01:00
Vincent Koc
be68309e7b perf(outbound): narrow loaded target channel reads 2026-04-13 17:34:27 +01:00
Vincent Koc
eed595bba9 perf(channels): isolate loaded target parsing 2026-04-13 17:28:09 +01:00
Mariano
b42c999633 fix(heartbeat): preserve Telegram topic routing for isolated heartbeats (#66035) 
Merged via squash.

Prepared head SHA: 83b986a4c3
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Reviewed-by: @mbelinky
 2026-04-13 18:26:19 +02:00
Vincent Koc
6eb04c8aab perf(outbound): isolate id-like target resolution 2026-04-13 17:17:26 +01:00
Vincent Koc
08ca248378 perf(outbound): use loaded-only channel plugin reads 2026-04-13 17:12:27 +01:00
Vincent Koc
ae3d731810 perf(outbound): use read-only channel registry seam 2026-04-13 17:05:53 +01:00
Bob
74f2c4a56b fix: stop repeated unknown-tool loops (#65922) 
Merged via squash.

Prepared head SHA: f352a270a6
Reviewed-by: @osolmaz
 2026-04-13 17:42:11 +02:00
Vincent Koc
418cb55cb9 perf(infra): cache login shell env probes 2026-04-13 16:12:33 +01:00
EVA
c15b295a85 Run context-engine turn maintenance as idle-aware background work (#65233) 
Merged via squash.

Prepared head SHA: e9f6c679ba
Co-authored-by: 100yenadmin <239388517+100yenadmin@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman
 2026-04-13 06:50:22 -07:00
Pavan Kumar Gondhi
666f48d9b8 fix(security): remove busybox/toybox from interpreter-like safe bins [AI-assisted] (#65713) 
* fix: address issue

* fix: address review feedback

* fix: address PR review feedback

* fix: address review-pr skill feedback

* fix: address PR review feedback

* docs: add changelog entry for PR merge
 2026-04-13 12:03:15 +05:30
Pavan Kumar Gondhi
0a105c0900 fix(approval-auth): prevent empty approver list from granting explicit approval authorization [AI] (#65714) 
* fix: address issue

* fix: address PR review feedback

* fix: address PR review feedback

* docs: add changelog entry for PR merge
 2026-04-13 12:00:13 +05:30
Pavan Kumar Gondhi
8f8492d172 fix(security): broaden shell-wrapper detection and block env-argv assignment injection [AI-assisted] (#65717) 
* fix: address issue

* fix: address PR review feedback

* fix: address PR review feedback

* docs: add changelog entry for PR merge
 2026-04-13 11:48:42 +05:30
joshavant
c4764095f8 Outbound: centralize payload normalization plan 2026-04-12 19:52:24 -05:00
Vincent Koc
ed1744bcaa test(heartbeat): cover isolated cron event consumption 2026-04-12 17:55:36 +01:00
Coy Geek
4938b2cc43 fix: Provider-supplied OAuth URLs inject Windows cmd.exe via openUrl (#64161) 
* fix: harden Windows browser URL opening

Use explorer.exe directly for OAuth/browser launch on Windows so provider-supplied URLs are never parsed through cmd.exe metacharacter rules.

* fix: harden Windows browser URL opening

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
 2026-04-12 16:42:24 +01:00
Richard Poelderl
6fec1ec2d6 fix(update): Suppress Corepack prompts during update preflight (#61456) 
Merged via squash.

Prepared head SHA: da1b791ce6
Co-authored-by: p6l-richard <18185649+p6l-richard@users.noreply.github.com>
Co-authored-by: osolmaz <2453968+osolmaz@users.noreply.github.com>
Reviewed-by: @osolmaz
 2026-04-12 13:59:36 +02:00
Nimrod Gutman
1fe14627a2 fix(tests): restore ci type and format checks 2026-04-12 14:13:57 +03:00
Vincent Koc
a1279f012b fix(infra): avoid empty test stub classes 2026-04-12 10:43:43 +01:00
Petr Sloup
2c918754c2 fix(exec): disable onUpdate after run settlement to prevent gateway crash (#64349) 
Co-authored-by: petr-sloup <13165948+petr-sloup@users.noreply.github.com>
Co-authored-by: openperf <16864032@qq.com>
 2026-04-12 17:29:20 +08:00
Tak Hoffman
847739d82c Fix dreaming replay, repair polluted artifacts, and gate wiki tabs (#65138) 
* fix(active-memory): preserve parent channel context for recall runs

* fix(active-memory): keep recall runs on the resolved channel

* fix(active-memory): prefer resolved recall channel over wrapper hints

* fix(active-memory): trust explicit recall channel hints

* fix(active-memory): rank recall channel fallbacks by trust

* Fix dreaming replay and recovery flows

* fix: prevent dreaming event loss and diary write races

* chore: add changelog entry for memory fixes

* fix: harden dreaming repair and diary writes

* fix: harden dreaming artifact archive naming
 2026-04-12 00:25:11 -05:00
Vincent Koc
9801ce7333 test(infra): align vitest script invariants 2026-04-12 05:00:24 +01:00
Josh Lehman
29142a9d47 fix: preserve Telegram topic routing for exec completions (#64580) 
* clawdbot-a2c: pin exec completion delivery context

Regeneration-Prompt: |
  Fix a Telegram forum topic misroute where delayed exec completion or similar async completion text could be delivered into the wrong topic after the session's stored route drifted. Keep the patch surgical. Preserve immutable origin deliveryContext when background exec completion events are queued, thread that context from the exec tool's ambient channel/session defaults into the process session, and ensure the queued system event carries it instead of relying on later heartbeat fallback to mutable session lastTo/lastThreadId data. Add one focused unit assertion that notifyOnExit events keep the original Telegram topic delivery context and one heartbeat regression that proves work started in topic 47 still delivers back to topic 47 even if the session store later points at topic 2175.

* fix: note Telegram exec topic routing

Regeneration-Prompt: |
  Prepare PR #64580 after review-pr with no blocking findings. The only required prep change was the workflow-mandated changelog entry under CHANGELOG.md -> Unreleased -> Fixes. Preserve the review conclusion that the code change is already acceptable, do not widen scope beyond the changelog, and include the PR number plus thanks attribution in the changelog line for the Telegram exec forum-topic completion routing fix.
 2026-04-11 15:47:53 -07:00
Vincent Koc
5cd9c2d2de fix(cycles): bypass context engine and config barrels 2026-04-11 23:12:24 +01:00
Peter Steinberger
b41091ac7f fix: quiet extension unresolved import warnings 2026-04-11 21:25:24 +01:00
Vincent Koc
462d8e3bc0 fix(cycles): narrow channel runtime surface 2026-04-11 19:30:33 +01:00
HDYA
26f633b604 feat(msteams): add federated credential support (certificate + managed identity) (#53615) 
* feat(msteams): add federated authentication support (certificate + managed identity + workload identity)

* msteams: fix vitest 4.1.2 compat, type errors, and regenerate config baseline

* msteams: fix lint errors, update fetch allowlist, regenerate protocol Swift

* fix(msteams): gate secret-only delegated auth flows

* fix(ci): unblock gateway watch and install smoke

* fix(ci): restore mergeability for pr 53615

* fix(ci): restore channel registry helper typing

* fix(ci): refresh raw fetch guard allowlist

---------

Co-authored-by: Chudi Huang <Chudi.Huang@microsoft.com>
Co-authored-by: Brad Groux <3053586+BradGroux@users.noreply.github.com>
 2026-04-11 13:29:22 -05:00
Vincent Koc
0f7d9c9570 fix(runtime): split approval and gateway client seams 2026-04-11 18:36:48 +01:00
Tak Hoffman
958c34e82c feat(qa-lab): Add proxy capture stack and QA Lab inspector (#64895) 
* Add proxy capture core and CLI

* Expand transport capture coverage

* Add QA Lab capture backend

* Refine QA Lab capture UI

* Fix proxy capture review feedback

* Fix proxy run cleanup and TTS capture

* Fix proxy capture transport follow-ups

* Fix debug proxy CONNECT target parsing

* Harden QA Lab asset path containment
 2026-04-11 12:34:57 -05:00
Vincent Koc
f630e8d440 fix(utils): bypass delivery context wrapper for shared consumers 2026-04-11 17:26:38 +01:00
Marcus Castro
aaae1aeb8f fix(whatsapp): route react through gateway (#64638) 
* fix(whatsapp): route react through gateway

* fix(gateway): accept full message action tool context
 2026-04-11 11:38:10 -03:00
Vincent Koc
3b4de1ac14 fix(cycles): split reply and gateway leaf seams 2026-04-11 13:53:20 +01:00
Vincent Koc
81535d394d fix(cycles): repair broken type surfaces 2026-04-11 13:42:17 +01:00
Ayaan Zaidi
43bd5545f8 fix: scope pinDns override to multipart audio (#64766) (thanks @GodsBoy) 2026-04-11 18:05:37 +05:30
GodsBoy
c159d22b34 fix(ssrf): validate hostname even when pinDns is disabled 
When pinDns=false was set to avoid undici dispatcher corruption of
FormData bodies, resolvePinnedHostnameWithPolicy was skipped entirely,
removing SSRF hostname/private-IP validation.

Now the pinDns=false path runs hostname validation as a preflight
before creating the non-pinned dispatcher, preserving defense-in-depth.

Also renames a stale test description per Greptile review feedback.
 2026-04-11 18:05:37 +05:30
Tak Hoffman
cc5c691f00 feat(ui): render assistant directives and add embed tag (#64104) 
* Add embed rendering for Control UI assistant output

* Add changelog entry for embed rendering

* Harden canvas path resolution and stage isolation

* Secure assistant media route and preserve UI avatar override

* Fix chat media and history regressions

* Harden embed iframe URL handling

* Fix embed follow-up review regressions

* Restore offloaded chat attachment persistence

* Harden hook and media routing

* Fix embed review follow-ups

* feat(ui): add configurable embed sandbox mode

* fix(gateway): harden assistant media and auth rotation

* fix(gateway): restore websocket pairing handshake flows

* fix(gateway): restore ws hello policy details

* Restore dropped control UI shell wiring

* Fix control UI reconnect cleanup regressions

* fix(gateway): restore media root and auth getter compatibility

* feat(ui): rename public canvas tag to embed

* fix(ui): address remaining media and gateway review issues

* fix(ui): address remaining embed and attachment review findings

* fix(ui): restore stop control and tool card inputs

* fix(ui): address history and attachment review findings

* fix(ui): restore prompt contribution wiring

* fix(ui): address latest history and directive reviews

* fix(ui): forward password auth for assistant media

* fix(ui): suppress silent transcript tokens with media

* feat(ui): add granular embed sandbox modes

* fix(ui): preserve relative media directives in history

* docs(ui): document embed sandbox modes

* fix(gateway): restrict canvas history hoisting to tool entries

* fix(gateway): tighten embed follow-up review fixes

* fix(ci): repair merged branch type drift

* fix(prompt): restore stable runtime prompt rendering

* fix(ui): harden local attachment preview checks

* fix(prompt): restore channel-aware approval guidance

* fix(gateway): enforce auth rotation and media cleanup

* feat(ui): gate external embed urls behind config

* fix(ci): repair rebased branch drift

* fix(ci): resolve remaining branch check failures
 2026-04-11 07:32:53 -05:00
Vincent Koc
74e7b8d47b fix(cycles): bulk extract leaf type surfaces 2026-04-11 13:26:50 +01:00
Vincent Koc
7308e72fac fix(cycles): continue seam extraction 2026-04-11 10:43:22 +01:00
Gustavo Garcia
bb543f71d9 fix(talk): fix ensure permissions on first execution of Talk Mode in MacOS (#62459) 
* fix(talk): fix ensure permissions on first execution of Talk Mode in MacOS

* macos: fix talk mode formatting

* test: fix CI shard regressions

* docs: add talk mode changelog

---------

Co-authored-by: ImLukeF <92253590+ImLukeF@users.noreply.github.com>
 2026-04-11 18:08:45 +10:00
Peter Steinberger
e2477ff726 test: move node pairing authz to pure coverage 2026-04-11 08:18:35 +01:00
Peter Steinberger
7e66a8fcfe test: move plugin uninstall selection to pure tests 2026-04-11 08:12:34 +01:00
Peter Steinberger
455535a4f9 perf: avoid plugin index for target normalization 2026-04-11 06:49:08 +01:00
Peter Steinberger
3edc8d3028 test: mock message action aliases in normalization 2026-04-11 06:45:53 +01:00