vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-12 09:41:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
29,868 Commits 1,233 Branches 104 Tags
106256d896af6dfd30ebda5ffbcd456026b7b536
Commit Graph

5258 Commits

Author SHA1 Message Date
Peter Steinberger
106256d896 fix: address Codex harness review regressions 2026-04-10 21:22:16 +01:00
Peter Steinberger
b79f9f965e fix: address Codex harness review issues 2026-04-10 21:22:16 +01:00
Peter Steinberger
dd26e8c44d feat: add Codex app-server harness extension 2026-04-10 21:22:16 +01:00
Peter Steinberger
0ebeee8b0d chore: enable consistent-return 2026-04-10 20:56:43 +01:00
Peter Steinberger
bc27278d6d test: fix msteams thread parent fixture 2026-04-10 20:50:44 +01:00
Peter Steinberger
d015986265 fix: preserve browser cdp ssrf policy 2026-04-10 20:45:45 +01:00
sudie-codes
784318799b fix(msteams): handle fileConsent/invoke callback for bot-to-user file upload (#55386) (#64087) 
* fix(msteams): update FileConsentCard after user accepts upload

- Adds consentCardActivityId to PendingUpload so the consent card
  activity can be replaced in-place after upload succeeds
- Uses context.updateActivity() to replace the FileConsentCard with
  the file info card; falls back to sendActivity if update fails
- Adds updateActivity to MSTeamsTurnContext type
- Fixes timer leak in pending-uploads: clears TTL setTimeout on
  explicit removal and on clearPendingUploads()
- Adds pending-uploads.test.ts covering all new timer/cleanup paths

* msteams: wire consentCardActivityId from send response + add happy-path updateActivity test

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(msteams): retry consent uploads end-to-end

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Brad Groux <3053586+BradGroux@users.noreply.github.com>
 2026-04-10 14:42:54 -05:00
sudie-codes
99f76ec4c6 fix(msteams): keep streaming alive during long tool chains via typing indicator (#59731) (#64088) 
* fix(msteams): keep streaming alive during long tool chains via periodic typing (#59731)

* test(msteams): align thread-session store mock with interface

* fix(msteams): treat failed streams as inactive

---------

Co-authored-by: Brad Groux <bradgroux@users.noreply.github.com>
Co-authored-by: Brad Groux <3053586+BradGroux@users.noreply.github.com>
 2026-04-10 14:42:41 -05:00
sudie-codes
01ea7e4921 feat(msteams): auto-inject parent message context for thread replies (#54932) (#63945) 
* feat(msteams): auto-inject parent message context for thread replies (#54932)

* msteams: use Promise.allSettled for thread context, remove no-op buildInjectedKey

* fix(msteams): gate thread parent context by visibility

---------

Co-authored-by: Brad Groux <3053586+BradGroux@users.noreply.github.com>
 2026-04-10 14:42:02 -05:00
Peter Steinberger
8e9e584b1e fix: validate browser profile driver before cdp policy 2026-04-10 20:31:27 +01:00
Peter Steinberger
d2c0440fac ci: fix current main additional checks 2026-04-10 20:28:48 +01:00
Peter Steinberger
cc6c5f3edb style: simplify lint-safe test helpers 2026-04-10 20:20:33 +01:00
Agustin Rivera
121c452d66 fix(browser): tighten strict browser hostname navigation (#64367) 
* fix(browser): tighten strict browser hostname navigation

* fix(browser): address review follow-ups

* chore(changelog): add strict browser hostname navigation entry

* fix(browser): remove stale state prop from SelectionDeps call site

The PR's SelectionDeps uses getSsrFPolicy instead of the full state
object; the state property was leftover from an earlier iteration.

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 13:18:53 -06:00
Peter Steinberger
5580d7e2b1 style: simplify mattermost reaction test url checks 2026-04-10 20:14:49 +01:00
Peter Steinberger
04c8026d03 chore: enable no-unnecessary-type-arguments 2026-04-10 20:14:49 +01:00
Peter Steinberger
2786ed0f67 chore: enable no-base-to-string 2026-04-10 20:14:49 +01:00
Peter Steinberger
dfe4c2d16d chore: enable no-floating-promises 2026-04-10 20:14:49 +01:00
Peter Steinberger
2940379361 chore: enable no-unnecessary-template-expression 2026-04-10 20:14:49 +01:00
Peter Steinberger
01113566fd chore: enable await-thenable 2026-04-10 20:14:49 +01:00
Peter Steinberger
8640b89158 test: trim provider contract slow paths 2026-04-10 20:00:48 +01:00
Agustin Rivera
109267b82a Handle subframe document navigations in browser guards (#64371) 
* fix(browser): guard subframe document navigations

Co-authored-by: zsx <git@zsxsoft.com>

* fix(browser): preserve quarantine on subframe blocks

* chore(changelog): add subframe SSRF guard entry

* fix(browser): fail closed when subframe frame resolution throws

isSubframeDocumentNavigationRequest now returns true (apply SSRF
check) instead of false (skip check) when request.frame() throws,
so transient renderer churn cannot bypass the subframe navigation
policy guard.

---------

Co-authored-by: zsx <git@zsxsoft.com>
Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 12:51:23 -06:00
Peter Steinberger
b2df0ed4b7 fix: align browser ssrf policy typing 2026-04-10 19:49:46 +01:00
Peter Steinberger
abc499ec49 fix: preserve cdp guarded fetch dispatchers 2026-04-10 19:49:09 +01:00
Peter Steinberger
81ead0bc5b fix(browser): keep legacy ssrf alias internal 2026-04-10 19:46:37 +01:00
Agustin Rivera
905f19230a Align external marker span mapping (#63885) 
* fix(markers): align external marker spans

* fix(browser): ssrfPolicy defaults fail-closed for unconfigured installs (GHSA-53vx-pmqw-863c)

* fix(browser): enforce strict default SSRF policy

* chore(changelog): add browser SSRF default + marker alignment entry

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 12:35:20 -06:00
Agustin Rivera
daeb74920d fix(browser): guard existing-session navigation (#64370) 
* fix(browser): guard existing-session navigation

Co-authored-by: zsx <git@zsxsoft.com>

* fix(browser): tighten interaction navigation guard

* fix(browser): tighten existing-session nav guard

* fix(browser): fail closed on unstable existing-session probes

* fix(browser): add follow-up probe for late URL transitions in existing-session nav guard

* fix(browser): keep probing through full navigation window

* fix(browser): reset stability flag on probe error in existing-session nav guard

* chore(changelog): add Chrome MCP interaction SSRF guard entry

---------

Co-authored-by: zsx <git@zsxsoft.com>
Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 12:31:41 -06:00
Peter Steinberger
59925c1a74 chore: update dependencies and oxc tooling 2026-04-10 19:28:42 +01:00
Peter Steinberger
925a499d84 ci: fix additional guard failures 2026-04-10 19:23:10 +01:00
Peter Steinberger
f6ed276f51 style: apply updated formatter output 2026-04-10 19:17:39 +01:00
Peter Steinberger
8127c6cc15 build(deps): update workspace dependencies 2026-04-10 19:17:39 +01:00
Peter Steinberger
420e092d90 test: remove duplicate matrix approval fallback case 2026-04-10 18:50:40 +01:00
Gustavo Madeira Santana
457a33646c docs(matrix): track spec support gaps 2026-04-10 13:48:15 -04:00
Michael Appel
e0b8ddc1a5 fix(browser): apply three-phase interaction navigation guard to pressKey and type(submit) [AI-assisted] (#63889) 
* fix: address issue

* chore(changelog): add pressKey/type SSRF guard entry

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 11:27:53 -06:00
Peter Steinberger
527601d7a5 fix: align channel owner context test types 2026-04-10 18:14:14 +01:00
sudie-codes
2b5b58194b fix(msteams): include tenantId and aadObjectId on proactive sends (#58774) (#63949) 
* fix(msteams): capture and forward tenantId/aadObjectId on proactive sends (#58774)

* msteams: preserve tenantId/aadObjectId on sparse merges, thread recipientId on proactive sends
 2026-04-10 12:09:14 -05:00
Agustin Rivera
8dfbf3268b fix(browser): gate sandbox noVNC helper auth 
Require bridge auth before /sandbox/novnc token redemption and keep the noVNC observer URL out of model-visible prompt context.

Local verification:
- pnpm test extensions/browser/src/browser/bridge-server.auth.test.ts src/agents/sanitize-for-prompt.test.ts src/agents/pi-embedded-runner.buildembeddedsandboxinfo.test.ts

Note: pnpm check currently fails on latest main in unrelated files (src/agents/tools/message-tool.ts and src/gateway/mcp-http.test.ts), outside this PR diff.

Thanks @eleqtrizit.

Co-authored-by: eleqtrizit <31522568+eleqtrizit@users.noreply.github.com>
 2026-04-10 18:01:26 +01:00
Michael Appel
afadb7dae6 fix(voice-call): reject oversized realtime WebSocket frames 
Reject realtime voice WebSocket frames above 256 KB before JSON parsing or bridge setup, and absorb ws error events so oversized frames close the connection instead of crashing the gateway.

Local verification:
- pnpm test extensions/voice-call/src/webhook/realtime-handler.test.ts
- pnpm check

Thanks @mmaps.

Co-authored-by: mmaps <3399869+mmaps@users.noreply.github.com>
 2026-04-10 17:58:44 +01:00
Agustin Rivera
fe0f686c92 Gate Matrix profile updates for non-owner message tool runs (#62662) 
Merged via squash.

Prepared head SHA: 602b16a676
Co-authored-by: eleqtrizit <31522568+eleqtrizit@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-04-10 12:56:17 -04:00
Peter Steinberger
9031a9b2cc test: narrow legacy doctor migration hot paths 2026-04-10 17:51:15 +01:00
Peter Steinberger
777c6f7580 refactor: split manifest command alias helpers 2026-04-10 17:37:31 +01:00
Ayaan Zaidi
8755d2d3da fix: bound telegram qa api requests 2026-04-10 22:06:38 +05:30
Ayaan Zaidi
1512f9188d fix: reject unknown telegram qa scenarios 2026-04-10 22:06:38 +05:30
Peter Steinberger
81ae34c434 test: keep browser selection cdp guard profile-aware 2026-04-10 17:35:54 +01:00
Peter Steinberger
c077af987f perf: add narrow inbound roots sdk surface 2026-04-10 17:34:41 +01:00
Peter Steinberger
bac98d4218 test: reduce media contract import cost 2026-04-10 17:31:08 +01:00
Peter Steinberger
58ee5e48d1 test: fix browser and matrix verification 2026-04-10 17:25:04 +01:00
Peter Steinberger
d5df4cd4e5 test: add Anthropic Opus QA smokes 2026-04-10 17:24:54 +01:00
Ayaan Zaidi
9d3583bc2f fix(qa-lab): tighten telegram canary matching 2026-04-10 21:53:31 +05:30
Ayaan Zaidi
ecb3e0a62d fix(qa-lab): harden telegram qa artifacts 2026-04-10 21:53:31 +05:30
Ayaan Zaidi
d69cc5da5c fix(qa-lab): address remaining review comments 2026-04-10 21:53:31 +05:30