vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-12 09:41:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
29,813 Commits 1,233 Branches 104 Tags
56468cdb06afd1959a5ff849f36cfefaa28dff25
Commit Graph

29813 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Peter Steinberger
56468cdb06 fix: align plugin install denylist scan tests 2026-04-10 18:57:52 +01:00
Peter Steinberger
420e092d90 test: remove duplicate matrix approval fallback case 2026-04-10 18:50:40 +01:00
Gustavo Madeira Santana
457a33646c docs(matrix): track spec support gaps 2026-04-10 13:48:15 -04:00
Peter Steinberger
d522dc637e test: trim embedded agents slow paths 2026-04-10 18:33:03 +01:00
Michael Appel
e0b8ddc1a5 fix(browser): apply three-phase interaction navigation guard to pressKey and type(submit) [AI-assisted] (#63889) 
* fix: address issue

* chore(changelog): add pressKey/type SSRF guard entry

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 11:27:53 -06:00
Michael Appel
9f97ad857a fix(security): pin axios to 1.15.0 and add dependency denylist for plugin installs [AI-assisted] (#63891) 
* fix: address issue

* fix: address review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* Plugins: fix install security CI regressions

* Plugins: make manifest traversal linear

* Plugins: bound manifest security traversal

* Plugins: block denied node_modules package dirs

* Plugins: match node_modules case-insensitively

* Plugins: block denied package symlink paths

* Tests: normalize blocked symlink assertion

* Plugins: fail closed on unreadable denied paths

* Plugins: block denied node_modules file aliases

* Plugins: inspect node_modules symlink targets

* Plugins: preserve symlink target package paths

* fix: address PR review feedback

* chore(changelog): add axios pin and dependency denylist entry

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 11:20:05 -06:00
Gustavo Madeira Santana
9b44929f28 fix(gateway): preserve restart sentinel account routing 2026-04-10 13:16:19 -04:00
Peter Steinberger
527601d7a5 fix: align channel owner context test types 2026-04-10 18:14:14 +01:00
sudie-codes
2b5b58194b fix(msteams): include tenantId and aadObjectId on proactive sends (#58774) (#63949) 
* fix(msteams): capture and forward tenantId/aadObjectId on proactive sends (#58774)

* msteams: preserve tenantId/aadObjectId on sparse merges, thread recipientId on proactive sends
 2026-04-10 12:09:14 -05:00
Michael Appel
19a2e9ddb5 fix(infra): extend exec completion detection to cover local background exec formats [AI-assisted] (#64376) 
* fix: address issue

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* chore(changelog): add exec completion owner-downgrade entry

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 11:07:14 -06:00
Peter Steinberger
e1a2a26ec9 test: isolate agent runtime mocks 2026-04-10 18:06:49 +01:00
Peter Steinberger
cbc4447d6b test: narrow doctor config matrix helper import 2026-04-10 18:05:02 +01:00
Agustin Rivera
8dfbf3268b fix(browser): gate sandbox noVNC helper auth 
Require bridge auth before /sandbox/novnc token redemption and keep the noVNC observer URL out of model-visible prompt context.

Local verification:
- pnpm test extensions/browser/src/browser/bridge-server.auth.test.ts src/agents/sanitize-for-prompt.test.ts src/agents/pi-embedded-runner.buildembeddedsandboxinfo.test.ts

Note: pnpm check currently fails on latest main in unrelated files (src/agents/tools/message-tool.ts and src/gateway/mcp-http.test.ts), outside this PR diff.

Thanks @eleqtrizit.

Co-authored-by: eleqtrizit <31522568+eleqtrizit@users.noreply.github.com>
 2026-04-10 18:01:26 +01:00
Michael Appel
979c6f09d6 fix: include image param in sandbox media normalization [AI-assisted] (#64377) 
* fix: address issue

* chore(changelog): add Discord event image sandbox entry

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 11:01:04 -06:00
Peter Steinberger
56d3f97e23 test: use lightweight channel status stubs 2026-04-10 18:00:45 +01:00
Peter Steinberger
710a19dd86 fix: repair latest main type drift 2026-04-10 18:00:45 +01:00
Michael Appel
afadb7dae6 fix(voice-call): reject oversized realtime WebSocket frames 
Reject realtime voice WebSocket frames above 256 KB before JSON parsing or bridge setup, and absorb ws error events so oversized frames close the connection instead of crashing the gateway.

Local verification:
- pnpm test extensions/voice-call/src/webhook/realtime-handler.test.ts
- pnpm check

Thanks @mmaps.

Co-authored-by: mmaps <3399869+mmaps@users.noreply.github.com>
 2026-04-10 17:58:44 +01:00
Peter Steinberger
b9981c8ee8 test: inject setup command side effects 2026-04-10 17:57:15 +01:00
Agustin Rivera
fe0f686c92 Gate Matrix profile updates for non-owner message tool runs (#62662) 
Merged via squash.

Prepared head SHA: 602b16a676
Co-authored-by: eleqtrizit <31522568+eleqtrizit@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-04-10 12:56:17 -04:00
Peter Steinberger
1c1fe8a405 test: remove duplicate workspace auth choice e2e 2026-04-10 17:52:44 +01:00
Peter Steinberger
9031a9b2cc test: narrow legacy doctor migration hot paths 2026-04-10 17:51:15 +01:00
Menglin Li
36c3a54b51 fix(gateway): plug long-running memory leaks 
Prune stale gateway control-plane rate-limit buckets, bound transcript-session lookup caching, clear agent event sequence state with run contexts, and clear node wake/nudge state on disconnect.\n\nVerified locally after rebasing onto main:\n\n- pnpm test src/gateway/control-plane-rate-limit.test.ts src/gateway/session-transcript-key.test.ts src/infra/agent-events.test.ts src/gateway/server-methods/nodes.invoke-wake.test.ts\n- pnpm check\n\nCo-authored-by: lml2468 <39320777+lml2468@users.noreply.github.com>
 2026-04-10 17:45:12 +01:00
Devin Robison
54ae138db7 fix: the cron isolated agent in openclaw unconditiona (#383) (#63878) 2026-04-10 10:44:22 -06:00
Gustavo Madeira Santana
9c44f10026 fix: preserve canonical restart sentinel routes (#64391) 
Merged via squash.

Prepared head SHA: 0183c1782f
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-04-10 12:44:07 -04:00
Devin Robison
dffad08529 fix: a sandboxed agent can request host node in an ex (#384) (#63880) 2026-04-10 10:40:27 -06:00
Peter Steinberger
777c6f7580 refactor: split manifest command alias helpers 2026-04-10 17:37:31 +01:00
Peter Steinberger
5f3356a746 refactor: split session store key helper 2026-04-10 17:37:25 +01:00
EVA
47c0a5135a fix: dedupe delivered subagent completion announces (#61525) (thanks @100yenadmin) 
* fix(subagents): dedupe delivered completion announces

* refactor(subagents): distill cleanup delivery status writes

* fix: dedupe delivered subagent completion announces (#61525) (thanks @100yenadmin)

---------

Co-authored-by: Eva <eva@100yen.org>
Co-authored-by: Ayaan Zaidi <hi@obviy.us>
 2026-04-10 22:06:46 +05:30
Ayaan Zaidi
8755d2d3da fix: bound telegram qa api requests 2026-04-10 22:06:38 +05:30
Ayaan Zaidi
1512f9188d fix: reject unknown telegram qa scenarios 2026-04-10 22:06:38 +05:30
Peter Steinberger
81ae34c434 test: keep browser selection cdp guard profile-aware 2026-04-10 17:35:54 +01:00
Peter Steinberger
c077af987f perf: add narrow inbound roots sdk surface 2026-04-10 17:34:41 +01:00
Peter Steinberger
bac98d4218 test: reduce media contract import cost 2026-04-10 17:31:08 +01:00
Gustavo Madeira Santana
5d2225212d fix(matrix): preserve ACP thread binding targets (#64343) 
Merged via squash.

Prepared head SHA: def7dcda96
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-04-10 12:30:08 -04:00
Ayaan Zaidi
2f84e73c18 fix(agents): always emit terminal lifecycle events 2026-04-10 21:58:20 +05:30
Peter Steinberger
58ee5e48d1 test: fix browser and matrix verification 2026-04-10 17:25:04 +01:00
Peter Steinberger
d5df4cd4e5 test: add Anthropic Opus QA smokes 2026-04-10 17:24:54 +01:00
Ayaan Zaidi
5df09052e0 fix: add Telegram QA E2E lane (#64303) 2026-04-10 21:53:31 +05:30
Ayaan Zaidi
9d3583bc2f fix(qa-lab): tighten telegram canary matching 2026-04-10 21:53:31 +05:30
Ayaan Zaidi
ecb3e0a62d fix(qa-lab): harden telegram qa artifacts 2026-04-10 21:53:31 +05:30
Ayaan Zaidi
d69cc5da5c fix(qa-lab): address remaining review comments 2026-04-10 21:53:31 +05:30
Ayaan Zaidi
2aaf5a3baa fix(qa-lab): address telegram qa review comments 2026-04-10 21:53:31 +05:30
Ayaan Zaidi
7348c3193d test(telegram): cover threaded qa replies 2026-04-10 21:53:31 +05:30
Ayaan Zaidi
88a7970f84 fix(telegram): thread native command replies 2026-04-10 21:53:31 +05:30
Ayaan Zaidi
0ff03a74a8 fix(qa-lab): trust telegram canary send result 2026-04-10 21:53:31 +05:30
Ayaan Zaidi
653a110ef6 fix(qa-lab): refine telegram canary output 2026-04-10 21:53:31 +05:30
Ayaan Zaidi
5c7a232ebc fix(qa-lab): improve telegram canary diagnostics 2026-04-10 21:53:31 +05:30
Ayaan Zaidi
e093cb6c93 feat(qa-lab): add telegram live qa lane 2026-04-10 21:53:31 +05:30
Peter Steinberger
fa2ee2af85 test: enforce browser cdp policy before playwright 2026-04-10 17:21:19 +01:00
Gustavo Madeira Santana
0dd8ce72a2 Matrix: consolidate migration status routing (#64373) 
Merged via squash.

Prepared head SHA: dfe29e36bb
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-04-10 12:20:13 -04:00