vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-21 06:02:13 +00:00
Code Issues Packages Projects Releases Wiki Activity
28,007 Commits 1,381 Branches 113 Tags
7d54f2a3c2dddf0c87f6de0aec4ee2980ec5fbca
Commit Graph

445 Commits

Author SHA1 Message Date
Vincent Koc
78639eff76 perf(secrets): narrow channel secret sdk seam 2026-04-06 20:40:11 +01:00
Peter Steinberger
8ff570ee42 refactor: resolve channel env vars from plugin manifests 2026-04-06 19:53:27 +01:00
Vincent Koc
8e2ecd053f fix(secrets): restore source-mode contract loading 2026-04-06 17:59:53 +01:00
Peter Steinberger
8b79cbcd06 build(plugins): align package versions to 2026.4.6 2026-04-06 17:05:30 +01:00
Peter Steinberger
860721f28d build(plugins): sync bundled versions to 2026.4.6 2026-04-06 17:05:30 +01:00
Vincent Koc
c3b19d204a perf(test): lazy-load bundled channel secrets 2026-04-06 16:40:41 +01:00
Peter Steinberger
378b2c2f5c fix(check): absorb latest main lint drift 2026-04-06 15:56:02 +01:00
Lewis
1234c873bc fix(msteams): add SSRF validation to file consent upload URL (#23596) 
* fix(msteams): add SSRF validation to file consent upload URL

The uploadToConsentUrl() function previously accepted any URL from the
fileConsent/invoke response without validation. A malicious Teams tenant
user could craft an invoke activity with an attacker-controlled uploadUrl,
causing the bot to PUT file data to arbitrary destinations (SSRF).

This commit adds validateConsentUploadUrl() which enforces:

1. HTTPS-only protocol
2. Hostname must match a strict allowlist of Microsoft/SharePoint
   domains (sharepoint.com, graph.microsoft.com, onedrive.com, etc.)
3. DNS resolution check rejects private/reserved IPs (RFC 1918,
   loopback, link-local) to prevent DNS rebinding attacks

The CONSENT_UPLOAD_HOST_ALLOWLIST is intentionally narrower than the
existing DEFAULT_MEDIA_HOST_ALLOWLIST, excluding overly broad domains
like blob.core.windows.net and trafficmanager.net that any Azure
customer can create endpoints under.

Includes 47 tests covering IPv4/IPv6 private IP detection, protocol
enforcement, hostname allowlist matching, DNS failure handling, and
end-to-end upload validation.

* fix(msteams): validate all DNS answers for consent uploads

* fix(msteams): restore changelog header

---------

Co-authored-by: Brad Groux <bradgroux@users.noreply.github.com>
 2026-04-06 09:52:56 -05:00
Vincent Koc
620537914b fix(plugins): clean bundled extension lint tail 2026-04-06 15:21:46 +01:00
Peter Steinberger
8d095147b4 fix: restore check gate 2026-04-06 15:20:03 +01:00
Peter Steinberger
af62a2c2e4 style: fix extension lint violations 2026-04-06 14:53:55 +01:00
Peter Steinberger
ce8492f9a0 chore: bump version to 2026.4.5 2026-04-05 21:33:04 +01:00
Peter Steinberger
3126809cb0 refactor: clean bundled channel bootstrap boundaries 2026-04-05 18:18:59 +01:00
Peter Steinberger
89e8c8672c fix: break bundled channel bootstrap cycles 2026-04-05 14:20:31 +01:00
Peter Steinberger
41e39eb46f refactor: register channel bootstrap capabilities 2026-04-05 09:13:48 +01:00
coolramukaka-sys
70015be8b5 fix(msteams): replace deprecated HttpPlugin with httpServerAdapter (#60939) 
Merged via squash.

Prepared head SHA: 7fe7f3c6bb
Co-authored-by: coolramukaka-sys <271658891+coolramukaka-sys@users.noreply.github.com>
Co-authored-by: BradGroux <3053586+BradGroux@users.noreply.github.com>
Reviewed-by: @BradGroux
 2026-04-04 17:21:45 -05:00
Peter Steinberger
67d6fc8847 chore(plugins): sync versions to 2026.4.4 2026-04-04 20:03:01 +01:00
Peter Steinberger
c5c5c77ebb fix(ci): restore contract-safe core imports 2026-04-04 15:09:48 +01:00
Peter Steinberger
5c32dddb1c fix(ci): restore heartbeat task batching checks 2026-04-04 15:09:48 +01:00
Peter Steinberger
1037af01ad style(agents): normalize runtime prompt formatting 2026-04-04 12:19:08 +01:00
Peter Steinberger
87d840e9ee fix: tighten Teams and device typing 2026-04-04 19:39:22 +09:00
Brad Groux
fce81fccd8 msteams: add typingIndicator config and prevent duplicate DM typing indicator (#60771) 
* msteams: add typingIndicator config and avoid duplicate DM typing

* fix(msteams): validate typingIndicator config

* fix(msteams): stop streaming before Teams timeout

* fix(msteams): classify expired streams correctly

* fix(msteams): handle link text from html attachments

---------

Co-authored-by: Brad Groux <bradgroux@users.noreply.github.com>
 2026-04-04 04:34:24 -05:00
Peter Steinberger
edfaa01d1d refactor(plugin-sdk): split runtime helper seams 2026-04-04 08:53:19 +01:00
sudie-codes
928a5128f4 msteams: add channel-list and channel-info actions (#57529) 
* msteams: add channel-list and channel-info actions via Graph API

* msteams: use action helpers, add channel-list pagination

* msteams: address PR #57529 review feedback
 2026-04-04 02:43:08 -05:00
Brad Groux
c88d6d67c8 feat(msteams): add OpenClaw User-Agent header to Microsoft HTTP calls (#51568) (#60433) 
Co-authored-by: Brad Groux <bradgroux@users.noreply.github.com>
 2026-04-04 02:38:57 -05:00
Brad Groux
dd2faa3764 fix(msteams): persist conversation reference during DM pairing (#60432) 
* fix(msteams): persist conversation reference during DM pairing (#43323)

* ci: retrigger checks

---------

Co-authored-by: Brad Groux <bradgroux@users.noreply.github.com>
 2026-04-04 02:38:54 -05:00
Brad Groux
06c6ff6670 fix(msteams): handle Adaptive Card Action.Submit invoke activities (#60431) 
* fix(msteams): handle Adaptive Card Action.Submit invoke activities (#55384)

* ci: retrigger checks

---------

Co-authored-by: Brad Groux <bradgroux@users.noreply.github.com>
 2026-04-04 02:38:51 -05:00
Brad Groux
1b2fb6b98b feat: add bundled StepFun provider plugin (#60032) (#60430) 
Co-authored-by: hengm3467 <100685635+hengm3467@users.noreply.github.com>
Co-authored-by: George Zhang <georgezhangtj97@gmail.com>
 2026-04-04 02:38:49 -05:00
Peter Steinberger
b0e1551eb8 refactor(extensions): add channel-owned config schema seams 2026-04-04 05:31:11 +01:00
Peter Steinberger
1246e2b03a refactor(extensions): move channel-specific config surfaces out of core 2026-04-04 05:06:32 +01:00
Vincent Koc
c4bae0f7bf refactor(msteams): narrow channel runtime imports 2026-04-04 12:08:38 +09:00
Peter Steinberger
e4b5027c5e refactor(plugins): move extension seams into extensions 2026-04-04 00:10:16 +01:00
Peter Steinberger
ab96520bba refactor(plugins): move channel behavior into plugins 2026-04-03 19:09:20 +01:00
Vincent Koc
6366010884 fix(ci): route extension test helpers through public sdk seams 2026-04-04 00:03:48 +09:00
Peter Steinberger
0dad4072b4 fix: keep extension helper imports behind local runtime barrels (#60153) 2026-04-03 23:01:43 +09:00
Vincent Koc
f6e99bd514 refactor(msteams): narrow messenger sdk imports 2026-04-03 22:50:54 +09:00
Vincent Koc
8b5e80fcaa refactor(msteams): narrow store sdk imports 2026-04-03 22:49:27 +09:00
Vincent Koc
6f9b4b52f8 refactor(msteams): narrow send sdk imports 2026-04-03 22:47:07 +09:00
Vincent Koc
875c3813aa refactor(msteams): narrow outbound sdk imports 2026-04-03 22:45:09 +09:00
Onur
fa9e1e3d8e CI: add ClawHub plugin release workflow (#59179) 
* CI: add ClawHub plugin release workflow

* CI: harden ClawHub plugin release workflow

* CI: finish ClawHub plugin release hardening

* CI: watch shared ClawHub release inputs

* CI: harden ClawHub publish workflow

* CI: watch more ClawHub release deps

* CI: match shared release inputs by prefix

* CI: pin ClawHub publish source commit

* CI: refresh pinned ClawHub release commit

* CI: rename ClawHub plugin release environment

---------

Co-authored-by: Onur Solmaz <onur@solmaz.io>
 2026-04-03 15:40:07 +02:00
Vincent Koc
bd1e78ea34 test(msteams): avoid loading graph upload module in messenger tests 2026-04-03 20:50:00 +09:00
Vincent Koc
82fca281b6 test(msteams): avoid loading graph module in message tests 2026-04-03 20:50:00 +09:00
Vincent Koc
b410c5434c test(msteams): avoid loading graph module in member tests 2026-04-03 20:50:00 +09:00
Vincent Koc
b53ab34d04 perf(msteams): split graph message tests 2026-04-03 19:23:26 +09:00
Vincent Koc
1bba19decb perf(msteams): narrow secret and ssrf runtime seams 2026-04-03 18:47:31 +09:00
Vincent Koc
5e0decd9b5 test(msteams): slim messenger runtime fixtures 2026-04-03 18:42:59 +09:00
Vincent Koc
b55ac9e64d test(msteams): trim attachment test runtime footprint 2026-04-03 18:39:50 +09:00
Peter Steinberger
847faa3d04 test: trim extension test import churn 2026-04-03 04:41:08 +01:00
Ted-developer
dd080b6fb0 fix(msteams): download DM inline images via Graph API (#52212) 
Fix three bugs preventing inline image downloads in Teams 1:1 DM chats: wrong conversation ID format for Graph API, missing media URL extraction, and incorrect content type detection.

Fixes #24797

Thanks @Ted-developer
 2026-04-02 22:14:02 -05:00
Hyojin Kwak
739ed1bf29 fix(msteams): preserve channel reply threading in proactive fallback (#55198) 
When a thread reply's turn context is revoked and falls back to proactive messaging, the normalized conversation ID lost the thread suffix, causing replies to land in the channel root instead of the original thread.

Reconstructs the threaded conversation ID (`;messageid=<activityId>`) for channel conversations in the proactive fallback path, while correctly leaving group chat conversations flat.

Fixes #27189

Thanks @hyojin
 2026-04-02 18:27:13 -05:00