vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-20 00:24:45 +00:00
Code Issues Packages Projects Releases Wiki Activity
47,666 Commits 1,843 Branches 149 Tags
7fd5d45ae4eaec89c17de024ec4f22de8a08a721
Commit Graph

98 Commits

Author SHA1 Message Date
NVIDIAN
2db6bde617 fix(plugins): fail unresolved openclaw peer installs (#79494) 2026-05-09 17:19:54 +09:00
Vincent Koc
3ba2ce6694 fix(plugins): avoid managed npm prefix on Windows 
Fixes #78514.
 2026-05-09 07:51:49 +08:00
Vincent Koc
aa9247e0ce fix(plugins): skip managed npm peer resolution (#78348) 2026-05-06 12:17:34 -07:00
Vincent Koc
5d557171b3 fix(plugins): apply npm overrides to managed roots (#78386) 2026-05-06 02:47:25 -07:00
Vincent Koc
0ddbf2e258 fix(plugins): keep managed npm mutations in legacy peer mode 2026-05-06 01:29:52 -07:00
Peter Steinberger
2eaf8ad712 feat(plugins): support npm pack installs 2026-05-06 09:16:49 +01:00
Peter Steinberger
8e533490ab fix(plugins): repair managed npm openclaw peers 
Remove stale managed-root openclaw manifests, locks, hidden locks, and installed copies before npm plugin installs.

Relink plugin-local openclaw peer symlinks after shared-root npm install, rollback, update, and uninstall mutations so SDK-using plugins keep resolving openclaw/plugin-sdk/*.

Force safe npm commands out of inherited legacy/strict peer-dependency modes.

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
Co-authored-by: Patrick Erichsen <patrick.a.erichsen@gmail.com>
 2026-05-06 07:32:25 +01:00
Peter Steinberger
538605ff44 [codex] Extract filesystem safety primitives (#77918) 
* refactor: extract filesystem safety primitives

* refactor: use fs-safe for file access helpers

* refactor: reuse fs-safe for media reads

* refactor: use fs-safe for image reads

* refactor: reuse fs-safe in qqbot media opener

* refactor: reuse fs-safe for local media checks

* refactor: consume cleaner fs-safe api

* refactor: align fs-safe json option names

* fix: preserve fs-safe migration contracts

* refactor: use fs-safe primitive subpaths

* refactor: use grouped fs-safe subpaths

* refactor: align fs-safe api usage

* refactor: adapt private state store api

* chore: refresh proof gate

* refactor: follow fs-safe json api split

* refactor: follow reduced fs-safe surface

* build: default fs-safe python helper off

* fix: preserve fs-safe plugin sdk aliases

* refactor: consolidate fs-safe usage

* refactor: unify fs-safe store usage

* refactor: trim fs-safe temp workspace usage

* refactor: hide low-level fs-safe primitives

* build: use published fs-safe package

* fix: preserve outbound recovery durability after rebase

* chore: refresh pr checks
 2026-05-06 02:15:17 +01:00
Vincent Koc
5ca0aa1d15 fix(plugins): accept stable correction releases 2026-05-03 20:53:23 -07:00
Vincent Koc
cde9591168 fix(plugins): prefer newest official prerelease install 2026-05-03 16:25:02 -07:00
Peter Steinberger
88b983a713 fix: stabilize Google Meet realtime audio 2026-05-04 00:17:57 +01:00
Vincent Koc
3efa82de86 fix(plugins): allow prerelease-only official packages 2026-05-03 16:12:39 -07:00
Vincent Koc
250be27f64 fix(plugins): fall back to stable official npm versions 2026-05-03 16:07:53 -07:00
Peter Steinberger
41bbc4c048 test(plugins): cover pinned npm installs 2026-05-03 14:27:58 +01:00
Lucenx9
fb3ee066d8 fix(plugins): pin npm plugin installs 2026-05-03 14:27:58 +01:00
byungskers
f7522edb96 fix(plugins): preserve sibling npm installs 
Run npm install from the managed npm-root manifest so sequential @openclaw/* plugin installs preserve siblings on disk.

Fixes #76571.
Thanks @byungskers and @crpol.
 2026-05-03 12:51:50 +01:00
Vincent Koc
5ecd01ff94 fix(plugins): trust managed npm peer links 2026-05-03 01:49:24 -07:00
Vincent Koc
2a22eb68aa fix(plugins): require provenance for official npm trust 
Require OpenClaw-owned install provenance before granting official npm plugin scanner trust. Direct npm package names now scan normally; catalog, onboarding, and doctor paths pass explicit provenance.\n\nValidation:\n- pnpm test:serial src/plugins/install.npm-spec.test.ts src/cli/plugins-cli.install.test.ts src/commands/onboarding-plugin-install.test.ts src/commands/doctor/shared/missing-configured-plugin-install.test.ts src/channels/plugins/contracts/channel-catalog.contract.test.ts src/commands/auth-choice.apply.plugin-provider.test.ts\n- pnpm test:serial src/plugins/install.test.ts src/plugins/provider-auth-choices.test.ts src/plugins/provider-install-catalog.test.ts src/commands/channel-setup/plugin-install.test.ts\n- pnpm exec oxfmt --check --threads=1 ...\n- node scripts/run-oxlint.mjs ...\n- Crabbox cbx_6157440c9bbe / run_cbd813956eed: pnpm check:changed passed\n\nThanks @fede-kamel and @vincentkoc.
 2026-05-02 23:30:45 -07:00
Vincent Koc
ba3c0fc78e fix(plugins): roll back failed npm install debris 2026-05-02 19:41:16 -07:00
Vincent Koc
006bd56dd6 fix(plugins): trust reviewed official npm launch packages 2026-05-02 19:41:15 -07:00
Vincent Koc
d7dbf11504 fix(plugins): preserve npm plugin installs across repairs 2026-05-02 18:31:59 -07:00
Val Alexander
05c9492bff fix: reduce WebUI session latency churn (#76277) thanks @BunsDev 
Reduce WebUI/Gateway latency churn by avoiding redundant session reloads, carrying session keys through transcript update events, and deferring explicit media provider discovery. Includes changelog attribution and closes the referenced runtime latency issues.
 2026-05-02 18:39:06 -05:00
Vincent Koc
5ed7f1fd26 fix: trusted installs 2026-05-02 16:14:52 -07:00
Peter Steinberger
23ac9ccfd5 test: add codex npm plugin Docker live proof 2026-05-02 20:08:48 +01:00
Peter Steinberger
db06fcd990 refactor: unify lazy module loaders 2026-05-02 10:15:25 +01:00
Peter Steinberger
eaf1f53d60 fix: stabilize plugin metadata release checks 2026-05-02 07:27:27 +01:00
Peter Steinberger
5ac0ff1812 fix: install ClawHub package dependencies 2026-05-02 06:57:04 +01:00
Peter Steinberger
355680f1f2 fix: trust official ClawHub archive installs 2026-05-02 06:07:22 +01:00
Peter Steinberger
87f43ca88c fix: trust official source-linked ClawHub plugins 2026-05-02 05:16:10 +01:00
Peter Steinberger
23fd8a90f9 refactor: simplify plugin module loading 2026-05-02 01:41:09 +01:00
Peter Steinberger
d93867baf3 docs: remove stale plugin dependency staging wording 2026-05-01 22:30:10 +01:00
Vincent Koc
e302353d61 fix(plugins): harden managed plugin install lifecycle 2026-05-01 14:09:04 -07:00
Peter Steinberger
257a3c068d refactor: simplify plugin dependency loading 2026-05-01 21:56:40 +01:00
Peter Steinberger
ed8f50f240 refactor: simplify plugin dependency handling 
Simplify plugin installation and runtime loading around package-manager-owned dependencies, with Jiti reserved for local/TS fallback paths.

Also scans npm plugin install roots so hoisted transitive dependencies are covered by dependency denylist and node_modules symlink checks.
 2026-05-01 21:32:22 +01:00
Peter Steinberger
7ddf28c0d4 feat: support git plugin installs 2026-05-01 10:59:10 +01:00
Peter Steinberger
6956e8406d fix: honor profile plugin install roots 2026-04-27 14:30:12 +01:00
Peter Steinberger
f337c9019c refactor: share plugin package entry resolution 2026-04-26 11:11:58 +01:00
Peter Steinberger
f33a812c07 fix: validate plugin package extension entries 2026-04-26 11:01:10 +01:00
Peter Steinberger
ee2ab9a644 fix(plugins): install optional plugin dependencies 2026-04-26 07:00:16 +01:00
Shakker
f5f4477bae fix: reject manifestless plugin archives 2026-04-26 04:16:33 +01:00
Peter Steinberger
e93b3f60fa fix: harden openclaw peer dependency installs (#70462) 2026-04-23 20:28:02 +01:00
Anish Kataria
44820f859e fix(plugin-sdk): scan dependency tree before materialising openclaw symlink 
The dependency-tree security scan rejects node_modules symlinks whose
targets resolve outside the install root. Our trusted host-to-plugin
symlink violates that rule by design, so running the scan AFTER
linkOpenClawPeerDependencies would fail every install with
SECURITY_SCAN_FAILED.

Reorder afterInstall so the scan runs first (walking only the plugin's
own staged source, catching any pre-existing malicious openclaw-named
symlink a source might smuggle in), then the trusted link is
materialised on the now-safe tree.

Also use braces on guard clauses in the new unit tests to satisfy the
oxlint no-unreachable-single-statement-if rule.
 2026-04-23 20:28:02 +01:00
Anish Kataria
56dd249a07 test(plugin-sdk): add unit tests for linkOpenClawPeerDependencies 
Tests three cases via installPluginFromDir:
- symlink created when peerDependencies declares openclaw
- no symlink when peer list is empty
- idempotent re-install replaces existing symlink
- warns and skips when host root cannot be resolved

Also removes the single-element Set in favour of a direct name
comparison (peerName === "openclaw"), and adds Closes #54428 to
address the same root cause in the weixin connector.

Closes #54428
 2026-04-23 20:28:02 +01:00
anish k
2e9c1faef6 fix(plugin-sdk): symlink openclaw peerDependencies after plugin install 
## Summary

Signed-off-by: anish k <ak8686@princeton.edu>
 2026-04-23 20:28:02 +01:00
Michael Appel
9f97ad857a fix(security): pin axios to 1.15.0 and add dependency denylist for plugin installs [AI-assisted] (#63891) 
* fix: address issue

* fix: address review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* Plugins: fix install security CI regressions

* Plugins: make manifest traversal linear

* Plugins: bound manifest security traversal

* Plugins: block denied node_modules package dirs

* Plugins: match node_modules case-insensitively

* Plugins: block denied package symlink paths

* Tests: normalize blocked symlink assertion

* Plugins: fail closed on unreadable denied paths

* Plugins: block denied node_modules file aliases

* Plugins: inspect node_modules symlink targets

* Plugins: preserve symlink target package paths

* fix: address PR review feedback

* chore(changelog): add axios pin and dependency denylist entry

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 11:20:05 -06:00
Peter Steinberger
4cfa4b95c3 refactor: dedupe plugin trimmed readers 2026-04-08 01:36:38 +01:00
Peter Steinberger
8aeee0dc6d refactor: dedupe plugin config helpers 2026-04-06 16:52:41 +01:00
Peter Steinberger
a6a379b37c refactor: re-duplicate plugin config helpers 2026-04-06 16:38:57 +01:00
Peter Steinberger
1d8d2ddaa1 refactor: dedupe plugin and outbound helpers 2026-04-06 07:41:08 +01:00
Gustavo Madeira Santana
9004ef65df Plugins: add install --force overwrite flag (#60544) 
Merged via squash.

Prepared head SHA: 28ae50b615
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-04-03 18:09:14 -04:00