vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 20:10:42 +00:00
Code Issues Packages Projects Releases Wiki Activity
42,312 Commits 1,843 Branches 149 Tags
404353ad4fc0ee443aa1e205f5f671fc31fac84f
Commit Graph

324 Commits

Author SHA1 Message Date
Peter Steinberger
b55dfd53b4 test: clarify browser doctor warning assertions 2026-05-08 08:43:51 +01:00
Peter Steinberger
3e53b19284 test: clarify browser client endpoint assertions 2026-05-08 08:17:08 +01:00
scotthuang
37af50f3db fix(browser): keep user tabs open on SSRF-denied reads (#78874) 
Summary:
- Split browser SSRF quarantine from tab closure so read-only browser operations do not close user-owned tabs on policy denial.
- Keep OpenClaw-initiated navigation/create paths closing blocked tabs, and add regression coverage for both contracts.
- Update changelog with contributor credit.

Verification:
- pnpm test extensions/browser/src/browser/pw-session.assert-navigation-safety.test.ts extensions/browser/src/browser/pw-tools-core.snapshot.navigate-guard.test.ts
- pnpm test extensions/browser/src/browser/pw-tools-core.browser-ssrf-guard.test.ts extensions/browser/src/browser/pw-tools-core.snapshot.test.ts
- Exact-head CI success: 25535578610
- Exact-head Real behavior proof success: 25536652326

Thanks @scotthuang.
 2026-05-08 08:13:04 +01:00
Jesse Merhi
a9377fe667 Harden browser download output writes (#78780) 
Summary:
- The PR exports `ensureAbsoluteDirectory` through the fs-safe/SDK runtime facades and routes browser download ... through safe output directory/file helpers with focused tests, a changelog entry, and SDK API hash updates.
- Reproducibility: yes. at source level: current main creates browser download/output roots with raw recursive ... jection coverage for that path. I did not run a live browser runtime reproduction in this read-only review.

Automerge notes:
- PR branch already contained follow-up commit before automerge: fix(browser): use fs-safe output directory helper
- PR branch already contained follow-up commit before automerge: docs(changelog): mention browser fs-safe hardening
- PR branch already contained follow-up commit before automerge: fix(browser): harden download output writes

Validation:
- ClawSweeper review passed for head a9c9570f66.
- Required merge gates passed before the squash merge.

Prepared head SHA: a9c9570f66
Review: https://github.com/openclaw/openclaw/pull/78780#issuecomment-4394146682

Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>
Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
 2026-05-08 05:57:23 +00:00
Peter Steinberger
9ef37d1907 test: tighten assertions and harness coverage 2026-05-08 05:28:12 +01:00
Peter Steinberger
6a4069dead fix: share plugin runtime helpers 
Consolidate shared plugin runtime MIME/schema helpers, preserve canonical runtime behavior, and guard QQBot STT fetches.
 2026-05-08 00:28:43 +01:00
Peter Steinberger
252a76d25c refactor: stage external output writes through fs-safe 2026-05-07 06:05:24 +01:00
Vincent Koc
b680360fde test(browser): allow fs-safe download staging 2026-05-06 21:11:18 -07:00
Vincent Koc
dddd9cb3b6 test(browser): use existing outside trash path 2026-05-06 21:03:06 -07:00
Vincent Koc
0c4111de9d test(browser): use real trash fixture paths 2026-05-06 21:01:53 -07:00
Peter Steinberger
6da5eda488 test: avoid real waits in cdp and outbound tests 2026-05-06 05:43:48 +01:00
Peter Steinberger
afc2c2e207 test(browser): avoid real retry waits 2026-05-06 05:33:28 +01:00
Peter Steinberger
b85b1c68d1 Refactor file access to use fs-safe primitives (#78255) 
* refactor: use fs-safe primitives across file access

* fix: preserve invalid managed npm manifests

* fix: keep fs seams for startup metadata
 2026-05-06 05:03:11 +01:00
Peter Steinberger
b43efd3793 fix: clean up post-land CI guards 2026-05-06 02:51:53 +01:00
Peter Steinberger
538605ff44 [codex] Extract filesystem safety primitives (#77918) 
* refactor: extract filesystem safety primitives

* refactor: use fs-safe for file access helpers

* refactor: reuse fs-safe for media reads

* refactor: use fs-safe for image reads

* refactor: reuse fs-safe in qqbot media opener

* refactor: reuse fs-safe for local media checks

* refactor: consume cleaner fs-safe api

* refactor: align fs-safe json option names

* fix: preserve fs-safe migration contracts

* refactor: use fs-safe primitive subpaths

* refactor: use grouped fs-safe subpaths

* refactor: align fs-safe api usage

* refactor: adapt private state store api

* chore: refresh proof gate

* refactor: follow fs-safe json api split

* refactor: follow reduced fs-safe surface

* build: default fs-safe python helper off

* fix: preserve fs-safe plugin sdk aliases

* refactor: consolidate fs-safe usage

* refactor: unify fs-safe store usage

* refactor: trim fs-safe temp workspace usage

* refactor: hide low-level fs-safe primitives

* build: use published fs-safe package

* fix: preserve outbound recovery durability after rebase

* chore: refresh pr checks
 2026-05-06 02:15:17 +01:00
Peter Steinberger
4556707cb7 test(browser): mirror route URL guard in existing-session helper 2026-05-04 22:29:13 +01:00
Vincent Koc
a71f906837 fix(browser): guard existing-session screenshots 2026-05-04 13:56:33 -07:00
Agustin Rivera
ef0dbcf49d Guard current browser tab exports (#75731) 
* fix(browser): guard current tab exports

* fix(browser): expand tab guard coverage

* fix(browser): guard tab reads

* fix(browser): guard screenshot route

* changelog: PR #75731

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-05-04 14:07:17 -06:00
Peter Steinberger
5fa7d3b1a4 fix: repair Google Meet media permission grants 2026-05-03 22:40:20 +01:00
Peter Steinberger
3c8381c183 refactor: hide browser test and error internals 2026-05-02 09:02:40 +01:00
Peter Steinberger
68c99879e2 refactor: trim browser config facade 2026-05-02 09:00:30 +01:00
Peter Steinberger
a6f9c1f6e8 refactor: hide browser chrome platform finders 2026-05-02 08:57:41 +01:00
Peter Steinberger
ed8f50f240 refactor: simplify plugin dependency handling 
Simplify plugin installation and runtime loading around package-manager-owned dependencies, with Jiti reserved for local/TS fallback paths.

Also scans npm plugin install roots so hoisted transitive dependencies are covered by dependency denylist and node_modules symlink checks.
 2026-05-01 21:32:22 +01:00
Peter Steinberger
11dc38cd55 refactor: trim browser helper exports 2026-05-01 18:17:29 +01:00
Peter Steinberger
8b62e0fa96 refactor: trim browser helper types 2026-05-01 15:58:41 +01:00
Peter Steinberger
36eec68fb9 refactor: trim browser route exports 2026-05-01 15:24:50 +01:00
Peter Steinberger
524d28bed0 refactor: trim browser action barrel 2026-05-01 14:59:42 +01:00
Peter Steinberger
ae0e57eefc refactor: trim messaging runtime barrels 2026-05-01 14:42:47 +01:00
Peter Steinberger
5fdde9353e refactor: trim extension runtime reexports 2026-05-01 14:27:22 +01:00
Peter Steinberger
d7ea6d9f8c refactor: trim internal extension seams 2026-05-01 14:21:52 +01:00
Peter Steinberger
bfa48c4025 refactor: prune unused extension internals 2026-05-01 11:21:31 +01:00
Peter Steinberger
14ba8dc3f7 refactor: drop unused browser client wrappers 2026-05-01 10:42:37 +01:00
Peter Steinberger
996e0ae2f2 refactor: remove stale extension helpers 2026-05-01 10:39:00 +01:00
Peter Steinberger
29a35f04a9 fix(browser): use source config for proxy decisions 2026-04-30 15:56:49 +01:00
Peter Steinberger
cf772079c6 fix(browser): share control runtime state 2026-04-30 15:35:42 +01:00
Peter Steinberger
01254500df fix(cli): preserve lazy command parent flags 2026-04-30 00:48:46 +01:00
Peter Steinberger
34ec184dcb refactor: reuse shared dedupe helpers 2026-04-29 12:14:59 +01:00
Peter Steinberger
7a32d6a09f chore: remove unused plugin helper code 2026-04-29 09:24:51 +01:00
openclaw-clownfish[bot]
4d43daa7bb fix(browser): ignore Playwright dialog race rejections 
Carries forward #40067 from @randyjtw.

Validated:
- OPENCLAW_TESTBOX=1 pnpm check:changed (tbx_01kqc44esqmt15ygzvfxd1pqng)
- CI: https://github.com/openclaw/openclaw/actions/runs/25097879442
 2026-04-29 01:11:54 -07:00
Peter Steinberger
ca972f692f fix: keep browser fetch helper under test support 2026-04-29 08:47:43 +01:00
Peter Steinberger
e52b660749 fix(browser): repair test fetch helper export 2026-04-29 08:45:05 +01:00
Vincent Koc
eb7f305737 Merge branch 'main' of https://github.com/openclaw/openclaw 
* 'main' of https://github.com/openclaw/openclaw:
  fix: exclude test support from raw fetch guard
  fix(ollama): preserve aborts with stream timeouts
  ci: require maintainer permission for command reactions
  docs(hooks/bundled/readme): cover session compaction and message events
  refactor: share docker e2e harness runner
  fix: keep browser test fetch out of runtime scan
 2026-04-29 00:36:24 -07:00
Vincent Koc
c01244e859 test(browser): keep undici fetch helper test-only 2026-04-29 00:28:02 -07:00
Peter Steinberger
f6a2cf15c0 fix: keep browser test fetch out of runtime scan 2026-04-29 08:27:57 +01:00
Peter Steinberger
4a24b23e3e fix(ci): stabilize full release validation 2026-04-28 20:14:14 +01:00
Peter Steinberger
f2f34e5f35 fix: restore ci gates on main 2026-04-28 19:54:52 +01:00
Peter Steinberger
e2295b33c1 fix(ci): restore full release validation blockers 2026-04-28 19:20:18 +01:00
Pavan Kumar Gondhi
230f7122dd fix(security): prevent workspace PATH injection via service env and trash helpers (#73264) 
* fix: address issue

* fix: address PR review feedback

* fix: address review-pr skill feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address build feedback

* fix: address PR review feedback

* docs: add changelog entry for PR merge
 2026-04-28 21:30:51 +05:30
Peter Steinberger
a68cc94c36 fix: resolve main ci shard failures 2026-04-28 05:52:19 +01:00
Peter Steinberger
b8c44bfc82 fix: restore main ci and speed tests 2026-04-28 05:34:28 +01:00