clawsweeper
aaa52a7f5f
fix(clawsweeper): address review for automerge-openclaw-openclaw-77010 (1)
2026-05-04 03:45:40 +00:00
jesse-merhi
878f5a57d0
fix: guard debug proxy CONNECT under managed proxy
2026-05-04 03:45:40 +00:00
Jesse Merhi
9c3b7b7b15
docs: clarify IRC managed proxy coverage (#76822)
...
Summary:
- The PR adds a changelog note plus IRC and network-proxy documentation stating that IRC raw TCP/TLS egress is outside operator-managed forward proxy routing and should be disabled unless direct egress is approved.
- Reproducibility: not applicable. for this docs-only PR. Source inspection establishes the documented premise ... kets while managed proxy routing covers normal HTTP/WebSocket paths and documents raw-socket bypass limits.
Automerge notes:
- PR branch already contained follow-up commit before automerge: fix(clawsweeper): address review for automerge-openclaw-openclaw-7682…
Validation:
- ClawSweeper review passed for head 7dde35adb9.
- Required merge gates passed before the squash merge.
Prepared head SHA: 7dde35adb9
Review: https://github.com/openclaw/openclaw/pull/76822#issuecomment-4366671907
Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>
Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
2026-05-04 00:52:47 +00:00
Jesse Merhi
4ea0556f64
feat: add proxy validation command
...
Adds `openclaw proxy validate` for operator-managed proxy preflight checks, including allowed/denied destination validation, CLI output, tests, docs, and changelog coverage.
Maintainer follow-ups before landing:
- validate custom allowed URLs before probing;
- use a temporary loopback canary for default denied checks and fail custom denied transport errors as unverifiable;
- redact proxy URL userinfo, query strings, and fragments from text/JSON validation output.
Validation:
- `pnpm test src/infra/net/proxy/proxy-validation.test.ts src/cli/proxy-cli.runtime.test.ts src/cli/proxy-cli.test.ts -- --reporter=verbose`
- `pnpm exec oxfmt --check --threads=1 CHANGELOG.md src/cli/proxy-cli.ts src/cli/proxy-cli.runtime.ts src/cli/proxy-cli.test.ts src/cli/proxy-cli.runtime.test.ts src/infra/net/proxy/proxy-validation.ts src/infra/net/proxy/proxy-validation.test.ts docs/cli/proxy.md docs/security/network-proxy.md`
- `pnpm exec oxlint src/cli/proxy-cli.runtime.ts src/cli/proxy-cli.runtime.test.ts`
- `git diff --check`
- Testbox `pnpm install && OPENCLAW_TESTBOX=1 pnpm check:changed` on `tbx_01kqgz68ff20n3dtrgq0j1mykt`
- GitHub CI success on `321b3aaf2b8be27dec6ce2ac5e4007ed064218b5`
2026-05-01 00:19:55 -05:00
Peter Steinberger
b113d92c6f
docs: clarify managed proxy routing hooks
2026-04-30 00:55:52 +01:00
Jesse Merhi
542821cd1e
docs(security): clarify proxy SSRF reporting scope (#74338)
...
Merged via squash.
Prepared head SHA: 7dd9fcfade
Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>
Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>
Reviewed-by: @jesse-merhi
2026-04-30 00:30:16 +10:00
Peter Steinberger
bdcd543ed7
fix(gateway): bypass proxies for localhost control plane
2026-04-29 11:59:33 +01:00
Jesse Merhi
2633b14914
feat(security): support operator-managed network proxy routing (#70044)
...
* feat: support operator-managed proxy routing
* docs: add network proxy changelog entry
* fix(proxy): restrict gateway bypass to loopback IPs
* fix(cli): harden container proxy URL checks
* docs(proxy): clarify gateway bypass scope
* docs: remove proxy changelog entry
* fix(proxy): clear startup CI guard failures
* fix(proxy): harden gateway proxy policy parsing
* fix(proxy): honor update shorthand proxy policy
* fix(cli): redact proxy URL suffixes
* test(proxy): keep gateway help off proxy startup
* fix(proxy): keep overlapping lifecycle active
* docs: add proxy changelog entry
---------
Co-authored-by: joshavant <830519+joshavant@users.noreply.github.com>
2026-04-28 00:20:47 -05:00