vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-12 09:41:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
29,842 Commits 1,233 Branches 104 Tags
dfe4c2d16d4e843c6280104a8718907d8b700158
Commit Graph

29842 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Peter Steinberger
dfe4c2d16d chore: enable no-floating-promises 2026-04-10 20:14:49 +01:00
Peter Steinberger
2940379361 chore: enable no-unnecessary-template-expression 2026-04-10 20:14:49 +01:00
Peter Steinberger
01113566fd chore: enable await-thenable 2026-04-10 20:14:49 +01:00
Peter Steinberger
cdb944ef0a chore: enable no-misused-spread 2026-04-10 20:14:49 +01:00
Peter Steinberger
fe05983d91 chore: enable no-unnecessary-type-assertion 2026-04-10 20:14:48 +01:00
Peter Steinberger
1088904a47 test: skip provider runtime hints in config test 2026-04-10 20:12:16 +01:00
Agustin Rivera
c949af9fab fix(media): honor sender policy for host media reads (#64459) 
* fix(media): honor sender policy for host media reads

* fix(media): clarify host read group policy gating

* fix(media): forward sender identity for outbound reads

* fix(media): propagate non-id sender fields through outbound session for e164/username/name policy matching

* fix(media): preserve requester provider for host read policy

* fix(media): forward full sender identity through followup and core send paths

* fix(media): forward requester session/account context through core send fallback

* fix(media): preserve account policy fallback for requester-scoped host reads

* chore(changelog): add outbound media sender-policy entry

* fix(media): align test call shape with production — omit messageProvider when sessionKey is set

Addresses P2 review: production call sites pass messageProvider: undefined
when sessionKey is present; tests should mirror that so regressions in
the precedence order are caught.

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 13:07:56 -06:00
Peter Steinberger
5df7771d0c test: keep browser subpath test import-only 2026-04-10 20:06:00 +01:00
Peter Steinberger
a96b97979d test: align browser subpath ssrf default 2026-04-10 20:03:28 +01:00
Peter Steinberger
8640b89158 test: trim provider contract slow paths 2026-04-10 20:00:48 +01:00
Agustin Rivera
e3a845bde5 Normalize agent hook system event trust handling (#64372) 
* fix(hooks): sanitize agent hook system events

Co-authored-by: zsx <git@zsxsoft.com>

* chore(changelog): add agent hook trust normalization entry

---------

Co-authored-by: zsx <git@zsxsoft.com>
Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 12:56:00 -06:00
Agustin Rivera
109267b82a Handle subframe document navigations in browser guards (#64371) 
* fix(browser): guard subframe document navigations

Co-authored-by: zsx <git@zsxsoft.com>

* fix(browser): preserve quarantine on subframe blocks

* chore(changelog): add subframe SSRF guard entry

* fix(browser): fail closed when subframe frame resolution throws

isSubframeDocumentNavigationRequest now returns true (apply SSRF
check) instead of false (skip check) when request.frame() throws,
so transient renderer churn cannot bypass the subframe navigation
policy guard.

---------

Co-authored-by: zsx <git@zsxsoft.com>
Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 12:51:23 -06:00
Peter Steinberger
b2df0ed4b7 fix: align browser ssrf policy typing 2026-04-10 19:49:46 +01:00
Peter Steinberger
abc499ec49 fix: preserve cdp guarded fetch dispatchers 2026-04-10 19:49:09 +01:00
Peter Steinberger
81ead0bc5b fix(browser): keep legacy ssrf alias internal 2026-04-10 19:46:37 +01:00
Peter Steinberger
a6edccad3d test: align plugin install denylist expectations 2026-04-10 19:42:38 +01:00
Agustin Rivera
905f19230a Align external marker span mapping (#63885) 
* fix(markers): align external marker spans

* fix(browser): ssrfPolicy defaults fail-closed for unconfigured installs (GHSA-53vx-pmqw-863c)

* fix(browser): enforce strict default SSRF policy

* chore(changelog): add browser SSRF default + marker alignment entry

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 12:35:20 -06:00
Agustin Rivera
daeb74920d fix(browser): guard existing-session navigation (#64370) 
* fix(browser): guard existing-session navigation

Co-authored-by: zsx <git@zsxsoft.com>

* fix(browser): tighten interaction navigation guard

* fix(browser): tighten existing-session nav guard

* fix(browser): fail closed on unstable existing-session probes

* fix(browser): add follow-up probe for late URL transitions in existing-session nav guard

* fix(browser): keep probing through full navigation window

* fix(browser): reset stability flag on probe error in existing-session nav guard

* chore(changelog): add Chrome MCP interaction SSRF guard entry

---------

Co-authored-by: zsx <git@zsxsoft.com>
Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 12:31:41 -06:00
Peter Steinberger
a52d38275e test: remove duplicate agent reset e2e 2026-04-10 19:30:24 +01:00
Peter Steinberger
cbce38d78c style: format post-rebase files 2026-04-10 19:28:42 +01:00
Peter Steinberger
59925c1a74 chore: update dependencies and oxc tooling 2026-04-10 19:28:42 +01:00
Peter Steinberger
2fc3223ed4 ci: repair plugin boundary artifact freshness 2026-04-10 19:25:32 +01:00
Peter Steinberger
925a499d84 ci: fix additional guard failures 2026-04-10 19:23:10 +01:00
Peter Steinberger
e7db987ce6 test: trim heavy imports and harden ci checks 2026-04-10 19:23:10 +01:00
Peter Steinberger
d9b33205dc test: move disabled compat routes to http harness 2026-04-10 19:21:55 +01:00
Peter Steinberger
15c6748c01 test: stabilize vitest full-suite runner 2026-04-10 19:17:39 +01:00
Peter Steinberger
f6ed276f51 style: apply updated formatter output 2026-04-10 19:17:39 +01:00
Peter Steinberger
8127c6cc15 build(deps): update workspace dependencies 2026-04-10 19:17:39 +01:00
Peter Steinberger
ea8d0833c3 test: trim gateway auth slow paths 2026-04-10 19:16:55 +01:00
Peter Steinberger
56468cdb06 fix: align plugin install denylist scan tests 2026-04-10 18:57:52 +01:00
Peter Steinberger
420e092d90 test: remove duplicate matrix approval fallback case 2026-04-10 18:50:40 +01:00
Gustavo Madeira Santana
457a33646c docs(matrix): track spec support gaps 2026-04-10 13:48:15 -04:00
Peter Steinberger
d522dc637e test: trim embedded agents slow paths 2026-04-10 18:33:03 +01:00
Michael Appel
e0b8ddc1a5 fix(browser): apply three-phase interaction navigation guard to pressKey and type(submit) [AI-assisted] (#63889) 
* fix: address issue

* chore(changelog): add pressKey/type SSRF guard entry

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 11:27:53 -06:00
Michael Appel
9f97ad857a fix(security): pin axios to 1.15.0 and add dependency denylist for plugin installs [AI-assisted] (#63891) 
* fix: address issue

* fix: address review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* Plugins: fix install security CI regressions

* Plugins: make manifest traversal linear

* Plugins: bound manifest security traversal

* Plugins: block denied node_modules package dirs

* Plugins: match node_modules case-insensitively

* Plugins: block denied package symlink paths

* Tests: normalize blocked symlink assertion

* Plugins: fail closed on unreadable denied paths

* Plugins: block denied node_modules file aliases

* Plugins: inspect node_modules symlink targets

* Plugins: preserve symlink target package paths

* fix: address PR review feedback

* chore(changelog): add axios pin and dependency denylist entry

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 11:20:05 -06:00
Gustavo Madeira Santana
9b44929f28 fix(gateway): preserve restart sentinel account routing 2026-04-10 13:16:19 -04:00
Peter Steinberger
527601d7a5 fix: align channel owner context test types 2026-04-10 18:14:14 +01:00
sudie-codes
2b5b58194b fix(msteams): include tenantId and aadObjectId on proactive sends (#58774) (#63949) 
* fix(msteams): capture and forward tenantId/aadObjectId on proactive sends (#58774)

* msteams: preserve tenantId/aadObjectId on sparse merges, thread recipientId on proactive sends
 2026-04-10 12:09:14 -05:00
Michael Appel
19a2e9ddb5 fix(infra): extend exec completion detection to cover local background exec formats [AI-assisted] (#64376) 
* fix: address issue

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* chore(changelog): add exec completion owner-downgrade entry

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 11:07:14 -06:00
Peter Steinberger
e1a2a26ec9 test: isolate agent runtime mocks 2026-04-10 18:06:49 +01:00
Peter Steinberger
cbc4447d6b test: narrow doctor config matrix helper import 2026-04-10 18:05:02 +01:00
Agustin Rivera
8dfbf3268b fix(browser): gate sandbox noVNC helper auth 
Require bridge auth before /sandbox/novnc token redemption and keep the noVNC observer URL out of model-visible prompt context.

Local verification:
- pnpm test extensions/browser/src/browser/bridge-server.auth.test.ts src/agents/sanitize-for-prompt.test.ts src/agents/pi-embedded-runner.buildembeddedsandboxinfo.test.ts

Note: pnpm check currently fails on latest main in unrelated files (src/agents/tools/message-tool.ts and src/gateway/mcp-http.test.ts), outside this PR diff.

Thanks @eleqtrizit.

Co-authored-by: eleqtrizit <31522568+eleqtrizit@users.noreply.github.com>
 2026-04-10 18:01:26 +01:00
Michael Appel
979c6f09d6 fix: include image param in sandbox media normalization [AI-assisted] (#64377) 
* fix: address issue

* chore(changelog): add Discord event image sandbox entry

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 11:01:04 -06:00
Peter Steinberger
56d3f97e23 test: use lightweight channel status stubs 2026-04-10 18:00:45 +01:00
Peter Steinberger
710a19dd86 fix: repair latest main type drift 2026-04-10 18:00:45 +01:00
Michael Appel
afadb7dae6 fix(voice-call): reject oversized realtime WebSocket frames 
Reject realtime voice WebSocket frames above 256 KB before JSON parsing or bridge setup, and absorb ws error events so oversized frames close the connection instead of crashing the gateway.

Local verification:
- pnpm test extensions/voice-call/src/webhook/realtime-handler.test.ts
- pnpm check

Thanks @mmaps.

Co-authored-by: mmaps <3399869+mmaps@users.noreply.github.com>
 2026-04-10 17:58:44 +01:00
Peter Steinberger
b9981c8ee8 test: inject setup command side effects 2026-04-10 17:57:15 +01:00
Agustin Rivera
fe0f686c92 Gate Matrix profile updates for non-owner message tool runs (#62662) 
Merged via squash.

Prepared head SHA: 602b16a676
Co-authored-by: eleqtrizit <31522568+eleqtrizit@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-04-10 12:56:17 -04:00
Peter Steinberger
1c1fe8a405 test: remove duplicate workspace auth choice e2e 2026-04-10 17:52:44 +01:00
Peter Steinberger
9031a9b2cc test: narrow legacy doctor migration hot paths 2026-04-10 17:51:15 +01:00