vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-26 16:41:49 +00:00
Code Issues Packages Projects Releases Wiki Activity
24,929 Commits 1,519 Branches 139 Tags
4e22e756971b238edb00a94f30ee5d9b5cc9f340
Commit Graph

5855 Commits

Author SHA1 Message Date
Vincent Koc
53504b3662 fix(agents): suppress profile allowlist warnings 2026-04-03 19:55:05 +09:00
Peter Steinberger
d921784718 fix: support default subagent allowlists (#59944) (thanks @hclsys) 2026-04-03 19:43:17 +09:00
Ayaan Zaidi
1fabc96acc fix: keep device approval scopes aligned (#60208) 2026-04-03 15:34:05 +05:30
Ayaan Zaidi
403e0e6521 fix(pairing): mint tokens for merged device roles 2026-04-03 15:34:05 +05:30
Vincent Koc
61f13173c2 feat(providers): add model request transport overrides (#60200) 
* feat(providers): add model request transport overrides

* chore(providers): finalize request override follow-ups

* fix(providers): narrow model request overrides
 2026-04-03 19:00:06 +09:00
Peter Steinberger
86ff57518f fix: keep Discord proxy fallback local (#57465) (thanks @geekhuashan) 2026-04-03 18:49:14 +09:00
Peter Steinberger
4bfa9260ce fix(telegram): add dangerous private-network media opt-in 2026-04-03 18:39:17 +09:00
Ayaan Zaidi
9e58a0892b fix: align mobile pairing secure endpoint UX (#60128) 2026-04-03 14:51:24 +05:30
Ayaan Zaidi
fadd627467 fix: align mobile pairing secure endpoint UX (#60128) 2026-04-03 14:51:24 +05:30
@zimeg
f9785c63e7 docs(slack): add groups:history scope to app manifest 2026-04-03 02:15:53 -07:00
samzong
61fef8c689 [Fix] Isolate teardown steps so session lock release is unconditional (#59194) 
Merged via squash.

Prepared head SHA: 52b3bb46bb
Co-authored-by: samzong <13782141+samzong@users.noreply.github.com>
Co-authored-by: frankekn <4488090+frankekn@users.noreply.github.com>
Reviewed-by: @frankekn
 2026-04-03 17:07:24 +08:00
Vincent Koc
84970d325e docs(changelog): add missing media transport PR number 2026-04-03 17:41:48 +09:00
Vincent Koc
23719dd513 feat(media): add request transport overrides (#59848) 
* style(providers): normalize request policy formatting

* style(providers): normalize request policy formatting

* feat(media): add request transport overrides

* fix(secrets): resolve media request secret refs

* fix(secrets): cover shared media request refs

* fix(secrets): scope media request ref activity

* fix(media): align request ref gating
 2026-04-03 17:35:26 +09:00
Peter Steinberger
1849cf71c2 fix(image): skip inferred resolution for openai edits 2026-04-03 09:20:08 +01:00
Josh Lehman
2b28e75822 fix: enrich session_end lifecycle hooks (#59715) 
Merged via squash.

Prepared head SHA: b3ef62b973
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman
 2026-04-03 00:16:14 -07:00
hengm3467
52d8dc5b56 feat: add bundled StepFun provider plugin (#60032) 
Co-authored-by: George Zhang <georgezhangtj97@gmail.com>
 2026-04-02 23:53:50 -07:00
Peter Steinberger
a064da3bef docs(changelog): align 2026.4.x release notes 2026-04-03 15:23:22 +09:00
Marcus Castro
d2d9a928b1 WhatsApp: honor block streaming config (#60069) 2026-04-03 03:12:37 -03:00
samzong
2b9981bd06 [Fix] Remove spurious plugin id mismatch warning (#59185) 
Merged via squash.

Prepared head SHA: 82859a0f92
Co-authored-by: samzong <13782141+samzong@users.noreply.github.com>
Co-authored-by: frankekn <4488090+frankekn@users.noreply.github.com>
Reviewed-by: @frankekn
 2026-04-03 12:58:56 +08:00
Ayaan Zaidi
251fa72798 fix: emit passive hooks for mention-skipped group messages (#60018) 
* fix(channels): emit passive hooks for mention-skipped group messages

* fix(channels): honor signal ingest overrides

* fix(channels): honor telegram ingest fallback

* fix: emit passive hooks for mention-skipped group messages (#60018)
 2026-04-03 10:14:48 +05:30
Ayaan Zaidi
d5ea5f27ac fix: parse kimi tagged tool calls (#60051) 
* fix: parse kimi tagged tool calls

* fix: parse kimi tagged tool calls (#60051)

* fix: parse kimi tagged tool calls (#60051)
 2026-04-03 09:39:19 +05:30
Vincent Koc
2f013b68f8 docs: add missing changelog entries and update context visibility security docs 2026-04-03 12:39:45 +09:00
v1p0r
3a7555a27b "fix(telegram): surface media placeholder and file_id when download f… (#59948) 
* "fix(telegram): surface media placeholder and file_id when download fails"

* fix: unify telegram media placeholder selection

* fix: preserve telegram media context on captioned download failures (#59948) (thanks @v1p0r)

---------

Co-authored-by: Ayaan Zaidi <hi@obviy.us>
 2026-04-03 09:08:05 +05:30
samzong
0e0ad692b5 fix: persist Telegram reaction ownership across restart (#59207) (thanks @samzong) 2026-04-03 08:57:06 +05:30
Ayaan Zaidi
a5d6e519eb fix: preserve explicit Telegram topic targets on replies (#59634) (thanks @dashhuang) 2026-04-03 08:50:02 +05:30
saram ali
985533efbc fix: cover buffered Telegram apiRoot downloads (#59544) (thanks @SARAMALI15792) 
* test(telegram): add URL construction tests for custom apiRoot

Add comprehensive test cases to verify that file download URLs are correctly
constructed when using a custom apiRoot configuration for local Bot API servers.

Tests validate:
- Document downloads use the custom apiRoot in the constructed URL
- Sticker downloads use the custom apiRoot in the constructed URL
- SSRF policy correctly includes the custom hostname

This ensures issue #59512 (Telegram file downloads with local Bot API) is
properly covered by regression tests.

* refactor(telegram): improve media resolution code quality

Apply KISS and YAGNI principles to reduce code duplication and improve maintainability:

1. Extract media metadata resolution
   - Consolidate resolveMediaFileRef(), resolveTelegramFileName(), and
     resolveTelegramMimeType() into single resolveMediaMetadata() function
   - Returns typed MediaMetadata object with fileRef, fileName, mimeType
   - Reduces duplication and improves readability

2. Add logging for apiRoot parsing failures
   - Log when custom apiRoot URL parsing fails in buildTelegramMediaSsrfPolicy()
   - Helps debug configuration issues with local Bot API servers

3. Fix missing apiRoot in buffered messages
   - Add telegramCfg.apiRoot parameter to resolveMedia() calls in
     bot-handlers.buffers.ts (lines 150-159, 189)
   - Ensures reply media in buffered contexts respects custom apiRoot config
   - Fixes inconsistency where runtime handler passed apiRoot but buffers didn't

These changes improve code quality while maintaining backward compatibility and
ensuring issue #59512 (Telegram file downloads with local Bot API) works correctly
in all contexts.

* fix(telegram): resolve bot review issues

Address critical issues identified by Greptile code review:

1. Define telegramCfg in bot-handlers.buffers.ts
   - Extract telegramCfg from cfg.channels?.telegram
   - Fixes ReferenceError when accessing telegramCfg.apiRoot
   - Ensures buffered message handlers can access apiRoot configuration

2. Restore type safety for MediaMetadata.fileRef
   - Change from 'unknown' to proper union type
   - Preserves type information for downstream file_id access
   - Prevents TypeScript strict mode compilation errors

These fixes ensure the PR compiles correctly and handles buffered
media downloads with custom apiRoot configuration.

* fix(telegram): use optional chaining for telegramCfg.apiRoot

TypeScript strict mode requires optional chaining when accessing
properties on potentially undefined objects. Changed telegramCfg.apiRoot
to telegramCfg?.apiRoot to handle cases where telegramCfg is undefined.

Fixes TypeScript errors:
- TS18048: 'telegramCfg' is possibly 'undefined' (line 160)
- TS18048: 'telegramCfg' is possibly 'undefined' (line 191)

* fix(telegram): add missing optional chaining on line 191

Complete the fix for telegramCfg optional chaining.
Previous commit only fixed line 160, but line 191 also needs
the same fix to prevent TS18048 error.

* fix: cover buffered Telegram apiRoot downloads (#59544) (thanks @SARAMALI15792)

---------

Co-authored-by: Ayaan Zaidi <hi@obviy.us>
 2026-04-03 08:41:41 +05:30
Neerav Makwana
7c7098fd1d fix: keep inbound images readable on upgraded installs (#59971) (thanks @neeravmakwana) 
* fix(telegram): allow inbound media from config dir

Made-with: Cursor

* test: simplify local roots regression

* fix: keep inbound images readable on upgraded installs (#59971) (thanks @neeravmakwana)

---------

Co-authored-by: Ayaan Zaidi <hi@obviy.us>
 2026-04-03 08:24:29 +05:30
Gustavo Madeira Santana
1efa923ab8 Matrix: add native exec approvals (#58635) 
Merged via squash.

Prepared head SHA: d9f048e827
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-04-02 21:08:54 -04:00
Alejandro Martinez
3a91a4f8d4 fix(matrix): add advisory file locking to IDB crypto persistence (#59851) 
Merged via squash.

Prepared head SHA: 392e411ffd
Co-authored-by: al3mart <11448715+al3mart@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-04-02 20:19:40 -04:00
Alejandro Martinez
b894ca6702 fix(matrix): allow secret storage recreation during repair bootstrap (#59846) 
Merged via squash.

Prepared head SHA: 06b10f61eb
Co-authored-by: al3mart <11448715+al3mart@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-04-02 20:11:58 -04:00
Josh Lehman
ed8d5b3797 fix: add Telegram native progress placeholder opt-in for plugin commands (#59300) 
Merged via squash.

Prepared head SHA: 4f5bc22a89
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman
 2026-04-02 15:55:46 -07:00
Peter Steinberger
49f67f54f4 docs: fix task flow release note command 2026-04-03 04:39:13 +09:00
Vincent Koc
883df8c6a8 fix(plugins): reuse runtime registries for web provider snapshots (#59865) 
* fix(plugins): reuse runtime registries for web providers

* test(plugins): clarify runtime reuse intent

* chore(changelog): note web provider runtime reuse
 2026-04-03 04:07:43 +09:00
Agustin Rivera
193fdd6e3b fix(policy): preserve restrictive tool allowlists (#58476) 
* fix(policy): preserve restrictive tool allowlists

Co-authored-by: David Silva <david.silva@gendigital.com>

* fix(policy): address review follow-ups

* fix(policy): restore additive alsoAllow semantics

* fix(policy): preserve optional tool opt-ins for allow-all configs

* fix(policy): narrow plugin-only allowlist warnings

* fix(policy): add changelog entry

* Revert "fix(policy): add changelog entry"

This reverts commit 4a996bf4ca.

* chore: add changelog for restrictive tool allowlists

---------

Co-authored-by: David Silva <david.silva@gendigital.com>
Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-02 12:55:36 -06:00
Agustin Rivera
d631326c5e fix(tailscale): gate test binary override (#58468) 
* fix(tailscale): gate test binary override

* fix(changelog): note tailscale override hardening

* fix(changelog): drop tailscale note from pr

* chore: add changelog for tailscale test binary gating

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-02 12:39:10 -06:00
Vincent Koc
4aeb0255f3 docs: rename TaskFlow to Task Flow in prose 2026-04-03 03:22:01 +09:00
Peter Steinberger
0ebb69b882 build: set release version to 2026.4.2 2026-04-02 19:09:58 +01:00
Agustin Rivera
49d08382a9 iOS: restrict A2UI action dispatch to trusted canvas URLs (#58471) 
* fix(ios): restrict a2ui bridge trust

* test(ios): cover fragment-strip trust and document raw-string equality

* fix(ios): normalize capability URL before trust comparison in canvas commands

* fix(ios): trim canvas.navigate url before trust comparison

* chore: add changelog for iOS A2UI trust boundary

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-02 11:51:09 -06:00
Peter Steinberger
00aa31a30c docs(changelog): remove duplicate entries 2026-04-02 18:48:27 +01:00
Agustin Rivera
676b748056 Limit connect snapshot metadata to admin-scoped clients (#58469) 
* fix(gateway): gate connect snapshot metadata by scope

* fix(gateway): clarify connect snapshot trust boundary

* fix(gateway): note connect snapshot change in changelog

* fix(gateway): remove changelog changes from PR

* chore: add changelog for scoped gateway snapshot metadata

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-02 11:41:47 -06:00
Peter Steinberger
a4a372825e docs(changelog): reorder unreleased fixes 2026-04-02 18:39:31 +01:00
Peter Steinberger
45c8207ef2 fix(exec): clarify auto routing semantics (#58897) (thanks @vincentkoc) 2026-04-03 02:37:12 +09:00
Agustin Rivera
5874a387ae fix(windows): reject unresolved cmd wrappers (#58436) 
* fix(windows): reject unresolved cmd wrappers

* fix(windows): add wrapper policy coverage

* fix(windows): document wrapper fallback migration

* fix(windows): drop changelog entry from pr

* chore: add changelog for Windows wrapper fail-closed behavior

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
Co-authored-by: Devin Robison <drobison00@users.noreply.github.com>
 2026-04-02 11:35:50 -06:00
Peter Steinberger
3e452f2671 fix: preserve strict inline-eval approval boundaries (#59780) (thanks @luoyanglang) 2026-04-02 18:30:29 +01:00
Peter Steinberger
d56415e353 fix(openai): support reference-image edits 2026-04-03 02:26:33 +09:00
Agustin Rivera
a941a4fef9 fix(android): require TLS for remote gateway endpoints (#58475) 
* fix(android): require tls for remote gateway endpoints

* fix(android): expand loopback gateway coverage

* fix(android): validate scanned gateway endpoints

* fix(android): handle mapped loopback literals

* fix(android): allow emulator bridge host

* fix(changelog): note android gateway tls hardening

* fix(android): preserve first-time tls trust prompts

* fix(changelog): drop android gateway entry from pr

* fix(android): scope emulator bridge tls bypass

* fix(android): normalize ipv6 gateway hosts

* fix(android): preserve ipv6 gateway url brackets

* fix(android): preserve auth across tls trust prompt

* fix(android): normalize bracketed ipv6 gateway hosts

* chore: add changelog for Android remote gateway TLS

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
Co-authored-by: Devin Robison <drobison00@users.noreply.github.com>
 2026-04-02 11:23:51 -06:00
Peter Steinberger
2ea0ca08f6 test: add cross-provider approval availability coverage (#59776) (thanks @joelnishanth) 2026-04-03 02:21:17 +09:00
Peter Steinberger
9b48a4d90a docs: fix changelog conflict markers (#59466) 2026-04-03 02:19:32 +09:00
Peter Steinberger
bacc938c2a docs: note windows exec landing (#59466) (thanks @lawrence3699) 2026-04-03 02:19:32 +09:00
pgondhi987
7eb094a00d fix(infra): align env key normalization in approval binding path (#59182) 
* fix: address issue

* fix: address PR review feedback

* fix: address review feedback

* fix: address review feedback

* chore: add changelog for Windows env approval binding

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-02 11:14:33 -06:00