vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-04 05:42:02 +00:00
Code Issues Packages Projects Releases Wiki Activity
24,749 Commits 1,075 Branches 95 Tags
a406045f2f60e5b0ffa44c5709acac91cddfbdde
Commit Graph

3383 Commits

Author SHA1 Message Date
pgondhi987
8aceaf5d0f fix(security): close fail-open bypass in exec script preflight [AI] (#59398) 
* fix: address issue

* fix: finalize issue changes

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address review-pr skill feedback

* fix: address PR review feedback

* fix: address review-pr skill feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address review-pr skill feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address review-pr skill feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address review-pr skill feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* chore: add changelog for exec preflight fail-closed hardening

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-02 11:00:39 -06:00
Agustin Rivera
a26f4d0f3e Separate Gemini OAuth state from PKCE verifier (#59116) 
* fix(google): separate oauth state from pkce verifier

* fix(google): drop unused oauth callback state arg

* docs(changelog): add #59116 google oauth state fix

---------

Co-authored-by: Jacob Tomlinson <jtomlinson@nvidia.com>
 2026-04-02 09:51:11 -07:00
Vincent Koc
367969759c perf(memory): trim matrix host validation imports 2026-04-03 01:48:09 +09:00
pgondhi987
7cea7c2970 fix(zalo): scope replay dedupe cache key to path and account [AI] (#59387) 
* fix: address issue #139

* changelog: add zalo replay dedupe fix entry

---------

Co-authored-by: Jacob Tomlinson <jtomlinson@nvidia.com>
 2026-04-02 09:36:35 -07:00
Peter Steinberger
d5b6bfc48c test(discord): align native approval fixture with auto mode 2026-04-02 17:33:35 +01:00
Peter Steinberger
17f6626ffe feat(approvals): auto-enable native chat approvals 2026-04-02 17:30:40 +01:00
pgondhi987
462b4020bc fix(browser): block SSRF redirect bypass via real-time route interception (#58771) 
Install a Playwright route handler before `page.goto()` so navigations
to private/internal IPs are intercepted and aborted mid-redirect instead
of being checked post-hoc after the request already reached the internal
host. Blocked targets are permanently marked and rejected for subsequent
tool calls.

Thanks @pgondhi987
 2026-04-02 09:07:57 -07:00
Gustavo Madeira Santana
b5161042b7 Diffs: validate viewerBaseUrl in manifest schema 
Reject invalid diffs viewerBaseUrl values during manifest config validation,
not later during plugin registration.

Keep runtime normalization intact and add manifest-level coverage so bad
protocols and query/hash values fail fast.
 2026-04-02 11:55:05 -04:00
Peter Steinberger
047b701859 refactor(telegram): unify callback-data byte limit checks 2026-04-03 00:38:44 +09:00
Vincent Koc
0ad2dbd307 fix(providers): route image generation through shared transport (#59729) 
* fix(providers): route image generation through shared transport

* fix(providers): use normalized minimax image base url

* fix(providers): fail closed on image private routes

* fix(providers): bound shared HTTP fetches
 2026-04-03 00:32:37 +09:00
Peter Steinberger
988f7627de refactor(telegram): centralize approval callback shaping 2026-04-03 00:26:27 +09:00
Vincent Koc
3872a866a1 fix(xai): make x_search auth plugin-owned (#59691) 
* fix(xai): make x_search auth plugin-owned

* fix(xai): restore x_search runtime migration fallback

* fix(xai): narrow legacy x_search auth migration

* fix(secrets): drop legacy x_search target registry entry

* fix(xai): no-op knob-only x_search migration fallback
 2026-04-02 23:54:07 +09:00
Peter Steinberger
52866656c3 fix(telegram): preserve allow-always callback alias 2026-04-02 23:41:12 +09:00
Vincent Koc
4251ad6638 fix(telegram): allow trusted explicit proxy media fetches 2026-04-02 23:36:17 +09:00
James Cowan
7fea8250fb fix(approvals): use canonical decision values in interactive button payloads 2026-04-02 23:35:23 +09:00
Vincent Koc
b0f94a227b refactor(providers): normalize transport policy wiring (#59682) 
* refactor(providers): normalize transport policy wiring

* fix(providers): address transport policy review

* fix(providers): harden transport overrides

* fix(providers): keep env proxy tls separate

* fix(changelog): note provider transport policy hardening
 2026-04-02 22:54:34 +09:00
Peter Steinberger
1ecd92af89 chore: refresh deps and backfill changelog 2026-04-02 14:49:47 +01:00
Agustin Rivera
b21c9840c2 OpenShell: constrain mirror sync roots (#58515) 
* fix(openshell): constrain mirror sync roots

* fix(openshell): restore config test types

* fix(openshell): simplify managed root sync
 2026-04-02 06:21:30 -07:00
Vincent Koc
3e4de956c0 !refactor(xai): move x_search config behind plugin boundary (#59674) 
* refactor(xai): move x_search config behind plugin boundary

* chore(changelog): note x_search config migration

* fix(xai): include x_search migration helpers
 2026-04-02 22:08:59 +09:00
Agustin Rivera
ef7c553dd1 fix(zalo): scope webhook replay dedupe (#58444) 
* fix(zalo): scope webhook replay dedupe

* fix(zalo): harden replay metadata reads

* docs(changelog): add Zalo replay scope fix entry

---------

Co-authored-by: Jacob Tomlinson <jtomlinson@nvidia.com>
 2026-04-02 06:07:14 -07:00
Agustin Rivera
be10ecef77 fix(compare): reuse shared secret comparison helper (#58432) 
* fix(compare): reuse shared secret comparison helper

* fix(compare): reject empty bluebubbles auth tokens

* docs: add changelog entry for shared secret comparison fix

---------

Co-authored-by: Jacob Tomlinson <jtomlinson@nvidia.com>
 2026-04-02 13:53:19 +01:00
mappel-nv
9c22d63669 Browser: normalize localhost absolute-form CDP hosts (#59236) 
* Browser: normalize localhost absolute-form CDP hosts

* CHANGELOG: note localhost absolute-form CDP fix

---------

Co-authored-by: Jacob Tomlinson <jtomlinson@nvidia.com>
 2026-04-02 13:34:55 +01:00
Vincent Koc
6eca1949d5 refactor(plugins): tighten web fetch provider boundary (#59646) 
* refactor(plugins): tighten web fetch provider boundary

* fix(config): sync fetch secret parity and baseline

* fix(ci): enforce web fetch boundary guard
 2026-04-02 20:53:57 +09:00
Vincent Koc
c405bcfa98 refactor(providers): centralize request capabilities (#59636) 
* refactor(providers): centralize request capabilities

* fix(providers): harden comparable base url parsing
 2026-04-02 20:26:22 +09:00
Vincent Koc
38d2faee20 !feat(plugins): add web fetch provider boundary (#59465) 
* feat(plugins): add web fetch provider boundary

* feat(plugins): add web fetch provider modules

* refactor(web-fetch): remove remaining core firecrawl fetch config

* fix(web-fetch): address review follow-ups

* fix(web-fetch): harden provider runtime boundaries

* fix(web-fetch): restore firecrawl compare helper

* fix(web-fetch): restore env-based provider autodetect

* fix(web-fetch): tighten provider hardening

* fix(web-fetch): restore fetch autodetect and compat args

* chore(changelog): note firecrawl fetch config break
 2026-04-02 20:25:19 +09:00
Vincent Koc
d49460b417 fix(providers): centralize Anthropic endpoint classification (#59608) 
* fix(providers): centralize Anthropic endpoint classification

* fix(agents): share Anthropic thinking recovery gating
 2026-04-02 19:54:43 +09:00
Vincent Koc
0e9a9dae84 fix(providers): centralize Google endpoint classification (#59556) 
* fix(providers): centralize Google endpoint classification

* fix(providers): tighten Google endpoint fallback parsing

* fix(security): harden provider endpoint fallback parsing
 2026-04-02 19:21:31 +09:00
Jacob Tomlinson
ac5bc4fb37 Slack: filter thread context by allowlist (#58380) 
* Slack: filter thread context by allowlist

* Slack: honor room thread allowlists

* Slack: keep open-room thread context

* Slack: keep non-room thread context

* Changelog: add Slack thread context fix
 2026-04-02 11:01:11 +01:00
mappel-nv
2eaf5a695e Mattermost: guard probe fetches (#58529) 2026-04-02 10:30:33 +01:00
Jacob Tomlinson
2c45b06afd fix(qqbot): restrict structured payload local paths (#58453) 
* fix(qqbot): restrict structured payload local paths

* fix(qqbot): narrow structured payload file access

* test(qqbot): cover payload path traversal guards

* fix(qqbot): reduce structured payload log exposure

* fix(qqbot): preserve inline image payload URLs
 2026-04-02 10:20:52 +01:00
Ayaan Zaidi
b441cd2f4f fix: normalize kimi anthropic tool payloads (#59440) 
* fix: normalize kimi anthropic tool payloads

* fix: normalize kimi anthropic tool payloads (#59440)
 2026-04-02 13:39:51 +05:30
Gustavo Madeira Santana
68bb76519a Matrix: fix delayed draft block boundaries 2026-04-02 03:47:57 -04:00
Gustavo Madeira Santana
8748b7c54c Matrix: keep partial previews aligned with block streaming (#59384) 
Merged via squash.

Prepared head SHA: 981aa35a7c
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-04-02 03:39:27 -04:00
wittam-01
ce0ff42ff5 fix: harden Feishu comment-thread delivery (#59129) 
* fix: harden Feishu comment-thread delivery

* fix: harden Feishu comment-thread delivery (#59129) (thanks @wittam-01)

---------

Co-authored-by: George Zhang <georgezhangtj97@gmail.com>
 2026-04-02 00:31:52 -07:00
Gustavo Madeira Santana
a5cd921053 revert: remove TinyFish bundled plugin 2026-04-02 03:07:33 -04:00
Mingkuan
c15cfeb21c fix(qqbot): lazy-load silk-wasm to avoid hard failure when package is missing (#58829) 
* fix(qqbot): lazy-load silk-wasm to avoid hard failure when package is missing

Replace the static top-level import with a cached dynamic import helper.
If silk-wasm is unavailable the plugin loads normally; voice encode/decode
degrades gracefully instead of crashing the module at load time.

* fix(qqbot): store in-flight Promise in loadSilkWasm to prevent duplicate imports

Concurrent cold-start calls to loadSilkWasm() before the first import()
resolves would each fire a separate dynamic import. Storing the Promise
instead of the resolved value (matching the detectFfmpeg pattern in
platform.ts) ensures all concurrent callers await the same import,
keeping the codebase consistent and avoiding redundant parallel loads.

* QQBot: add changelog for silk-wasm lazy load

* QQBot: move changelog entry for PR #58829

---------

Co-authored-by: sliverp <870080352@qq.com>
Co-authored-by: Sliverp <38134380+sliverp@users.noreply.github.com>
 2026-04-02 14:46:53 +08:00
Gustavo Madeira Santana
0809c8d29a fix(matrix): preserve legacy mention edits 2026-04-02 02:33:00 -04:00
Vincent Koc
f28f0f29ba fix(providers): centralize media request shaping (#59469) 
* fix(providers): centralize media request shaping

* style(providers): normalize shared request imports

* fix(changelog): add media request shaping entry

* fix(google): preserve private network guard
 2026-04-02 15:28:57 +09:00
Gustavo Madeira Santana
9786946b2d fix(matrix): restore guided setup flow (#59462) 
Merged via squash.

Prepared head SHA: 9b29023c68
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-04-02 02:15:32 -04:00
Gustavo Madeira Santana
5c331687ff fix(matrix): ignore escaped backticks in mention masking 2026-04-02 02:06:50 -04:00
Gustavo Madeira Santana
be52594766 fix(matrix): emit spec-compliant mentions (#59323) 
Merged via squash.

Prepared head SHA: 4b641e35a2
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-04-02 02:00:24 -04:00
Simantak Dabhade
b880118d2d feat: add TinyFish as bundled browser automation plugin (#58645) 
* feat: add TinyFish as bundled browser automation plugin

Add a default-off bundled `tinyfish` plugin with one tool
(`tinyfish_automation`) for hosted browser automation of complex public
web workflows. Follows the existing plugin architecture pattern.

- Plugin entry, manifest with contracts, config schema, SecretRef support
- SSE stream parser with COMPLETE-terminal, SSRF guards, credential rejection
- Bundled skill with escalation guidance (web_fetch -> web_search -> tinyfish -> browser)
- Docs page, labeler rule, glossary entry, changelog entry
- 21 tests covering request serialization, auth, security, streaming, and error paths

Closes #41300

* plugins: address review feedback and regenerate baselines

- Split API_INTEGRATION into TINYFISH_API_INTEGRATION and CLIENT_SOURCE
  for semantic clarity (Greptile P2)
- Wrap post-finally parseEventBlock in try/catch so trailing malformed
  data does not mask "stream ended before COMPLETE" error (Greptile P2)
- Regenerate config-baseline and plugin-sdk-api-baseline for new plugin

---------

Co-authored-by: Simantak Dabhade <simantak@mac.local>
 2026-04-02 01:46:05 -04:00
Vincent Koc
93fa6920b4 perf(memory): lazy-load telegram message context runtime 2026-04-02 14:44:14 +09:00
Vincent Koc
16c5bd466c perf(memory): split telegram body helper surface 2026-04-02 14:41:26 +09:00
Vincent Koc
703a363589 perf(memory): lazy-load telegram context session helpers 2026-04-02 14:31:48 +09:00
Vincent Koc
0e8e986c95 perf(memory): narrow telegram bot deps skill/runtime imports 2026-04-02 14:16:13 +09:00
Vincent Koc
5b952836e3 perf(memory): trim telegram command runtime imports 2026-04-02 14:11:28 +09:00
Vincent Koc
1a037ff6cd refactor(providers): centralize request attribution policy (#59433) 
* refactor(providers): centralize request attribution policy

* style(providers): normalize request policy formatting

* style(providers): normalize request policy formatting

* style(providers): normalize request policy formatting

* docs(changelog): note provider request policy fix

* fix(providers): tighten request policy gates
 2026-04-02 14:10:53 +09:00
Vincent Koc
4309dc6d5e perf(memory): lazy-load telegram monitor runtime graphs 2026-04-02 14:07:35 +09:00
Vincent Koc
fcfb9ddb1d fix(matrix): preserve mocked auth context in bootstrap 2026-04-02 14:03:07 +09:00