vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-28 05:26:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
52,066 Commits 1,843 Branches 149 Tags
367d584ee3bc563bfb74eee96f16017eceb6b41a
Commit Graph

130 Commits

Author SHA1 Message Date
Vincent Koc
295339d616 fix(test): fail live gateway false greens 2026-05-24 12:38:23 +02:00
Vincent Koc
bca1ac03fe fix(ci): keep Crabbox pnpm hydration shims writable 2026-05-24 11:31:36 +02:00
Peter Steinberger
d2e9f91cec test: align full release dispatch assertion 2026-05-23 20:24:30 +01:00
Peter Steinberger
9cef99f184 test: clean up Codex app-server run failures 2026-05-23 20:12:44 +01:00
Jason O'Neal
7fffbf60b0 fix: harden package URL downloads (#85578) 
* fix: harden package URL downloads

Guard package acceptance URL downloads with HTTPS-only validation, no embedded credentials, private/special-use DNS and IP rejection, manual redirect checks, bounded timeout/size limits, pinned lookup, and atomic temp-file writes. Add tooling tests for unsafe URLs, redirect validation, size limits, and successful writes.

* fix: cancel redirect response bodies before closing dispatcher

ClawSweeper P2: the redirect branch in openPackageDownloadResponse cleared
the timeout and awaited dispatcher.close() without first cancelling
response.body. Undici's close() is graceful — it waits for in-flight
requests to complete — so a malicious redirect with a slow/never-ending
body could hang the hardened downloader.

Fix: call response.body?.cancel() before dispatcher.close() to abort the
redirect body immediately.

Test: add a regression test that uses a ReadableStream with an indefinite
interval to simulate a hanging body, and asserts cancel() was called.

Refs: clawsweeper review on PR #85512

* test: harden redirect body cancellation race in regression test

Guard the ReadableStream controller.enqueue() call with a cancelled
flag and try/catch to prevent ERR_INVALID_STATE when the interval
fires after cancel() closes the controller.

* fix: cancel final response body before closing dispatcher in downloadUrl

ClawSweeper P2: the HTTP-error and declared-oversize early-exit paths
in downloadUrl threw before consuming or canceling response.body. The
finally block then cleared the timeout and awaited graceful
dispatcher.close() with the body still open, allowing a slow/never-ending
response to hang release tooling.

Fix: add response.body?.cancel() in the finally block before
dispatcher.close().

Tests: add two regressions:
- HTTP 500 with slow body: asserts cancel() called before dispatcher close
- Declared content-length oversize with slow body: same assertion

* fix: add trusted package URL source policy

* fix: keep package URL resolver dependency-free

* test: cover encoded IPv6 package URL bypasses

* docs: sync package acceptance source overview

* docs: restore release doc formatting

* docs: sync package acceptance trusted-url source

* test: cover dotted IPv4 embedded IPv6 package URLs

* fix: parse dotted IPv4 embedded in IPv6 package URLs

* test: isolate anthropic pruning defaults

* test: move anthropic dated model coverage

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-05-23 17:28:29 +01:00
Peter Steinberger
35969ff440 ci: retry npm Telegram release dispatch 2026-05-23 17:19:00 +01:00
Vincent Koc
0d7d99befa fix(ci): repair crabbox hydrate replay (#85706) 2026-05-23 20:02:07 +08:00
Vincent Koc
1e21121021 fix(ci): require live docker credentials by resource 2026-05-23 12:39:02 +02:00
Vincent Koc
cc6c3728c7 fix(ci): require factory auth for droid live docker 2026-05-23 12:20:26 +02:00
Dallin Romney
423f525438 test: align release validation package acceptance check (#85515) 2026-05-22 14:30:35 -07:00
Peter Steinberger
dcfc7e58fa ci: unblock advisory Tideclaw alpha release checks 2026-05-22 22:09:18 +01:00
Peter Steinberger
4b63502279 ci: run binding command escape in release checks 2026-05-22 20:12:53 +01:00
Peter Steinberger
a0702e195d build(pnpm): use packageManager as pnpm source 
Recreated from #85108 because the original branch could not be updated by maintainers.

Preserves current-main pnpm install hardening while switching workflow pnpm setup to packageManager, and adds exact version-scoped release-age exclusions for already-locked packages that pnpm 11.2.2 audits during install.

Co-authored-by: Altay <altay@hey.com>
 2026-05-22 19:17:43 +01:00
Vincent Koc
52759294ca ci(package): gate acceptance on package integrity 2026-05-22 21:17:20 +08:00
Peter Steinberger
3eb2d64392 ci: add live Codex plugin release check 2026-05-21 08:44:18 +01:00
Peter Steinberger
624d920351 ci(release): keep focused validation reruns independent 2026-05-21 07:58:15 +01:00
Peter Steinberger
0604d25101 ci(release): preserve direct repair publishes 2026-05-21 07:58:15 +01:00
Peter Steinberger
1c5fda115f ci(release): streamline beta publish verification 2026-05-21 07:58:15 +01:00
Peter Steinberger
3844513431 test: align release timeout budget expectations 
(cherry picked from commit a185ca283a)
 2026-05-20 22:38:43 +01:00
Peter Steinberger
2a01fbb56c ci: keep ClawHub advisory for alpha publish 2026-05-20 01:57:00 +01:00
Peter Steinberger
eea71708ac test(release): update workflow concurrency expectations 2026-05-20 01:16:43 +01:00
Peter Steinberger
af62fd45cd test: stabilize release qa gates 2026-05-17 17:45:58 +01:00
Vincent Koc
1926982c4c fix(qa-lab): refresh parity model targets 2026-05-17 23:12:26 +08:00
Peter Steinberger
1ceebf8a01 ci: harden release publish evidence 2026-05-17 06:34:58 +01:00
Peter Steinberger
c4d8e0be18 ci: harden release validation flow 2026-05-17 06:34:58 +01:00
Peter Steinberger
4859edd9f8 test(release): align hosted runner assertions 2026-05-15 17:34:29 +01:00
Peter Steinberger
55c275b00a ci(release): require full validation before npm publish 2026-05-15 17:33:28 +01:00
Peter Steinberger
c91e20ac0c ci(release): add candidate evidence checklist 2026-05-15 14:54:46 +01:00
Peter Steinberger
a0f35574d0 Remove codex-cli backend and migrate to Codex runtime 
Remove the bundled codex-cli backend, migrate legacy codex-cli refs and runtime pins to the Codex app-server runtime, and update live/backend workflow coverage for the supported CLI lanes.
 2026-05-14 10:07:18 +01:00
Vincent Koc
d08f68dee7 test(e2e): cover root-managed VPS upgrades 2026-05-14 06:50:58 +08:00
Peter Steinberger
1c28e4a0bb test: add docker live subagent announce proof 2026-05-13 15:21:37 +01:00
Peter Steinberger
a4acd33097 ci: speed up beta release verification 
(cherry picked from commit 7ca9b58a27)
 2026-05-12 06:21:09 +01:00
Shakker
957d7d5461 test: tighten package workflow env assertion 2026-05-11 06:53:19 +01:00
Peter Steinberger
cbc804bad7 ci: bound live cache release retries 2026-05-11 02:36:17 +01:00
Peter Steinberger
08134a1c09 test(pnpm): update pnpm 11 workflow guards 2026-05-11 00:48:14 +01:00
Peter Steinberger
18997be120 ci: speed up release validation reruns 2026-05-11 00:22:19 +01:00
Peter Steinberger
c14b01eea8 ci: cap advisory live release sweep timeouts 2026-05-10 21:07:56 +01:00
Peter Steinberger
1538df5a66 ci: mark full release live sweeps advisory 2026-05-10 20:52:29 +01:00
Peter Steinberger
522f3296a7 ci: forward-port release validation fixes 2026-05-10 20:38:36 +01:00
Peter Steinberger
b52773870f ci: speed up release validation profiles 2026-05-10 15:55:24 +01:00
Peter Steinberger
ac15c919c4 ci: tighten release publish timeouts 2026-05-10 15:55:24 +01:00
Peter Steinberger
c8d82e4535 ci(release): raise build heap for validation gates 2026-05-10 03:03:55 +01:00
Peter Steinberger
f8fee34aef ci(release): stabilize full validation gates 2026-05-10 02:54:37 +01:00
samzong
d832ad214c [Feat] Add upload archive install RPC (#74430) 
* feat(skills): add upload archive install RPC

- src/agents/skills-archive-install.ts:83 [BOT-SCOPE]: `withExtractedArchiveRoot()` still returns unstructured extract failures, so exact transient-vs-terminal classification should be moved into the shared install-flow layer in a follow-up rather than expanding this PR.

Signed-off-by: samzong <samzong.lu@gmail.com>

* fix(skills): address archive upload review findings

Signed-off-by: samzong <samzong.lu@gmail.com>

* fix(skills): regen protocol bindings and classify transient archive errors

* feat: gate uploaded skill installs by config

* test: add docker skill install proof

* docs: clarify uploaded skill archive gate

* chore: refresh config docs baseline

* style: format docker e2e plan test

* fix: use fs-safe path checks for skill archives

* fix: classify skill publish failures as unavailable

* test: update skill clawhub path mock

* fix: pass mutable archive root markers

* fix: use current json dir mode option

* test: satisfy skill upload lint

* test: refresh core support expectations

---------

Signed-off-by: samzong <samzong.lu@gmail.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-05-09 20:44:18 -04:00
Peter Steinberger
bcb4c8d597 fix(release): stabilize Codex live validation 2026-05-09 23:25:26 +01:00
Peter Steinberger
16f3350b84 fix(release): repair full validation gates 2026-05-09 23:25:26 +01:00
Peter Steinberger
be793e2d85 ci(release): skip npm acceptance hash pin 2026-05-09 23:25:26 +01:00
Peter Steinberger
7d91fcbe21 test: tighten package acceptance workflow assertions 2026-05-09 10:10:05 +01:00
Shakker
ae8b3de2d9 test: sync telegram release scenario assertion 2026-05-08 12:00:07 +01:00
Peter Steinberger
9ef37d1907 test: tighten assertions and harness coverage 2026-05-08 05:28:12 +01:00