vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-07 23:31:07 +00:00
Code Issues Packages Projects Releases Wiki Activity
25,009 Commits 1,146 Branches 96 Tags
a05daaa83229b452789e94de6b42fe5290ba7b0b
Commit Graph

27 Commits

Author SHA1 Message Date
Devin Robison
7eae9c0e62 Block remaining host env override pivots (#59233) 
* Blck remaining host env override pivots

* Feedback update
 2026-04-02 06:00:26 -07:00
Vincent Koc
4d912e0451 fix(exec): block proxy-style env overrides (#58202) 
* fix(exec): block proxy-style env overrides

* fix(exec): keep trusted host proxy env inherited

* fix(exec): block git tls override env vars

* fix(skills): block dangerous env override keys
 2026-03-31 21:25:36 +09:00
Vincent Koc
eb8de6715f fix(exec): block risky host env overrides (#58209) 
* fix(exec): block risky host env overrides

* fix(exec): block GOPRIVATE host env overrides
 2026-03-31 19:37:43 +09:00
Josh Avant
c918ab4faf fix(tts): restore 3.28 schema compatibility and fallback observability (#57953) 
* fix(tts): restore legacy config compatibility and fallback observability

* fix(tts): surface fallback attempts in status and telephony

* test(tts): cover /tts audio to /tts status fallback flow

* docs(tts): align migration and fallback observability guidance

* TTS: redact fallback logs and scope legacy plugin migration

* Infra: dedupe UV_EXTRA_INDEX_URL in host env policy

* Docs: scope doctor TTS migration to voice-call

* voice-call: restore strict known TTS provider validation
 2026-03-30 22:05:03 -05:00
Vincent Koc
5d8ca42c7d fix(ci): regenerate mac host env policy 2026-03-31 10:12:20 +09:00
Vincent Koc
7ae1bb0c77 fix(host-env): block Python package index redirection env vars (#58011) 
* fix(host-env): block Python package index redirection vars

* docs(changelog): note Python index override block

* Update src/infra/host-env-security-policy.json

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* fix(exec): block remaining uv index override env vars

---------

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
 2026-03-31 09:53:32 +09:00
Jacob Tomlinson
e277a37f89 Infra: block compiler env overrides (#57832) 2026-03-30 20:06:32 +01:00
pgondhi987
bc3b05dce4 fix(infra): block BROWSER, GIT_EDITOR, GIT_SEQUENCE_EDITOR from inherited host env (#57559) 2026-03-30 12:31:04 +01:00
Tak Hoffman
4430805719 Allow inherited AWS config file paths 2026-03-27 15:16:19 -05:00
Jacob Tomlinson
6eb82fba3c Infra: block additional host exec env keys (#55977) 2026-03-27 18:50:37 +00:00
Josh Avant
7abfff756d Exec: harden host env override handling across gateway and node (#51207) 
* Exec: harden host env override enforcement and fail closed

* Node host: enforce env override diagnostics before shell filtering

* Env overrides: align Windows key handling and mac node rejection
 2026-03-20 15:44:15 -05:00
Andrew Demczuk
089a43f5e8 fix(security): block build-tool and glibc env injection vectors in host exec sandbox (#49702) 
Add GLIBC_TUNABLES, MAVEN_OPTS, SBT_OPTS, GRADLE_OPTS, ANT_OPTS,
DOTNET_ADDITIONAL_DEPS to blockedKeys and GRADLE_USER_HOME to
blockedOverrideKeys in the host exec security policy.

Closes #22681
 2026-03-18 13:11:01 +01:00
Andrew Demczuk
f84a41dcb8 fix(security): block JVM, Python, and .NET env injection vectors in host exec sandbox (#49025) 
Add JAVA_TOOL_OPTIONS, _JAVA_OPTIONS, JDK_JAVA_OPTIONS, PYTHONBREAKPOINT, and
DOTNET_STARTUP_HOOKS to blockedKeys in the host exec security policy.

Closes #22681
 2026-03-17 15:37:55 +01:00
Vincent Koc
1dcef7b644 Infra: block GIT_EXEC_PATH in host env sanitizer (#43685) 
* Infra: block GIT_EXEC_PATH in host env sanitizer

* Changelog: note host env hardening
 2026-03-12 01:16:03 -04:00
Peter Steinberger
eba9dcc67a Refactor release hardening follow-ups (#39959) 
* build: fail fast on stale host-env swift policy

* build: sync generated host env swift policy

* build: guard bundled extension root dependency gaps

* refactor: centralize provider capability quirks

* test: table-drive provider regression coverage

* fix: block merge when prep branch has unpushed commits

* refactor: simplify models config merge preservation
 2026-03-08 14:49:58 +00:00
Peter Steinberger
53fb317e7f fix(macos): clean swiftformat pass and sendable warning 2026-03-08 13:22:46 +00:00
Peter Steinberger
e27bbe4982 fix(exec): block dangerous override-only env pivots 2026-03-07 19:18:05 +00:00
Peter Steinberger
46b62c53f0 fix(ci): restore scope-test require import and sync host policy 2026-03-03 03:18:45 +00:00
Peter Steinberger
80efcb75c7 style(swift): apply lint and format cleanup 2026-03-03 03:07:55 +00:00
Peter Steinberger
1c0d36eed0 fix(ci): resolve i18n typing and generated-policy drift 2026-03-02 04:29:18 +00:00
Peter Steinberger
7b3f506e64 style(swift): apply swiftformat and swiftlint fixes 2026-03-02 04:15:43 +00:00
Frank Yang
ed86252aa5 fix: handle CLI session expired errors gracefully instead of crashing gateway (#31090) 
* fix: handle CLI session expired errors gracefully

- Add session_expired to FailoverReason type
- Add isCliSessionExpiredErrorMessage to detect expired CLI sessions
- Modify runCliAgent to retry with new session when session expires
- Update agentCommand to clear expired session IDs from session store
- Add proper error handling to prevent gateway crashes on expired sessions

Fixes #30986

* fix: add session_expired to AuthProfileFailureReason and missing log import

* fix: type cli-runner usage field to match EmbeddedPiAgentMeta

* fix: harden CLI session-expiry recovery handling

* build: regenerate host env security policy swift

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-03-02 01:11:05 +00:00
Vincent Koc
ac3e1e769b chore(format): swiftformat host env and exec approvals (#31115) 2026-03-01 17:00:17 -08:00
Peter Steinberger
5b62d5603d fix: unblock CI minimatch audit and host policy check 2026-02-26 22:48:09 +00:00
Peter Steinberger
c35368c6dd fix(ios): eliminate Swift warnings and clean build logs 2026-02-26 22:42:23 +00:00
Peter Steinberger
10481097f8 refactor(security): enforce v1 node exec approval binding 2026-02-26 18:09:01 +01:00
Peter Steinberger
4894d907fa refactor(exec-approvals): unify system.run binding and generate host env policy 2026-02-26 16:58:01 +01:00