Peter Steinberger
e27bbe4982
fix(exec): block dangerous override-only env pivots
2026-03-07 19:18:05 +00:00
Peter Steinberger
6aa80844b8
fix(security): stage installs before publish
2026-03-07 19:11:07 +00:00
Peter Steinberger
31acad4e8f
fix: harden zip extraction writes
2026-03-07 19:01:35 +00:00
Peter Steinberger
0f53177971
fix(tests): stabilize diffs localReq headers (supersedes #39063)
...
Co-authored-by: Shennng <Shennng@users.noreply.github.com>
2026-03-07 18:57:35 +00:00
Peter Steinberger
253e159700
fix: harden workspace skill path containment
2026-03-07 18:56:15 +00:00
Peter Steinberger
5effa6043e
fix(agents): land #38935 from @MumuTW
...
Co-authored-by: MumuTW <MumuTW@users.noreply.github.com>
2026-03-07 18:55:49 +00:00
Peter Steinberger
231c1fa37a
fix(models): land #38947 from @davidemanuelDEV
...
Co-authored-by: davidemanuelDEV <davidemanuelDEV@users.noreply.github.com>
2026-03-07 18:54:12 +00:00
Peter Steinberger
2f59a3cff3
fix(gateway): land #39064 from @Narcooo
...
Co-authored-by: Narcooo <Narcooo@users.noreply.github.com>
2026-03-07 18:52:42 +00:00
Peter Steinberger
2ada1b71b6
fix(models-auth): land #38951 from @MumuTW
...
Co-authored-by: MumuTW <MumuTW@users.noreply.github.com>
2026-03-07 18:51:17 +00:00
Peter Steinberger
8bd0eb5424
fix(outbound): land #38944 from @Narcooo
...
Co-authored-by: Narcooo <Narcooo@users.noreply.github.com>
2026-03-07 18:46:48 +00:00
Peter Steinberger
10d0e3f3ca
fix(dashboard): keep gateway tokens out of URL storage
2026-03-07 18:33:30 +00:00
Peter Steinberger
46e324e269
docs(changelog): credit hook auth throttling report
2026-03-07 18:05:11 +00:00
Peter Steinberger
44820dcead
fix(hooks): gate methods before auth lockout accounting
2026-03-07 18:05:09 +00:00
jsk
262fef6ac8
fix(discord): honor commands.allowFrom in guild slash auth (#38794)
...
* fix(discord): honor commands.allowFrom in guild slash auth
* Update native-command.ts
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update native-command.commands-allowfrom.test.ts
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* fix(discord): address slash auth review feedback
* test(discord): add slash auth coverage for allowFrom variants
* fix: add changelog entry for discord slash auth fix (#38794) (thanks @jskoiz)
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Shadow <hi@shadowing.dev>
2026-03-07 12:03:52 -06:00
Peter Steinberger
c6472c189f
chore: land #39056 Node version hint sync (thanks @onstash)
...
Land contributor change from #39056 and append changelog credit for @onstash.
Co-authored-by: Santosh Venkatraman <santosh.venk@gmail.com>
2026-03-07 17:51:54 +00:00
Peter Steinberger
46715371b0
fix(security): strip custom auth headers on cross-origin redirects
2026-03-07 17:34:42 +00:00
Josh Avant
8e20dd22d8
Secrets: harden SecretRef-safe models.json persistence (#38955)
2026-03-07 11:28:39 -06:00
Peter Steinberger
b08337b902
docs(changelog): credit allowlist scoping report
2026-03-07 17:09:28 +00:00
Vincent Koc
70da80bcb5
Auto-reply: scope allowlist store writes by account (#39015)
...
* Auto-reply: scope allowlist store writes
* Tests: cover allowlist store account scoping
* Changelog: note allowlist store scoping hardening
2026-03-07 08:51:20 -08:00
Peter Steinberger
3a50e46cbf
fix(nostr): harden profile mutation proxy guards
2026-03-07 16:44:21 +00:00
Peter Steinberger
1dd4f92ea2
fix: default local onboarding tools profile to coding
2026-03-07 16:41:27 +00:00
Muhammed Mukhthar CM
4f08dcccfd
Mattermost: add interactive model picker (#38767)
...
Merged via squash.
Prepared head SHA: 0883654e88
Co-authored-by: mukhtharcm <56378562+mukhtharcm@users.noreply.github.com>
Co-authored-by: mukhtharcm <56378562+mukhtharcm@users.noreply.github.com>
Reviewed-by: @mukhtharcm
2026-03-07 21:45:29 +05:30
Florian Hines
33e7394861
fix(providers): make all models available in kilocode provider (#32352)
...
* kilocode: dynamic model discovery, kilo/auto default, cooldown exemption
- Replace 9-model hardcoded catalog with dynamic discovery from
  GET /api/gateway/models (Venice-like pattern with static fallback)
- Default model changed from anthropic/claude-opus-4.6 to kilo/auto
  (smart routing model)
- Add createKilocodeWrapper for X-KILOCODE-FEATURE header injection
  and reasoning.effort handling (skip for kilo/auto)
- Add kilocode to cooldown-exempt providers (proxy like OpenRouter)
- Keep sync buildKilocodeProvider for onboarding, add async
  buildKilocodeProviderWithDiscovery for implicit provider resolution
- Per-token gateway pricing converted to per-1M-token for cost fields
* kilocode: skip reasoning injection for x-ai models, harden discovery loop
* fix(kilocode): keep valid discovered duplicates (openclaw#32352, thanks @pandemicsyn)
* refactor(proxy): normalize reasoning payload guards (openclaw#32352, thanks @pandemicsyn)
* chore(changelog): note kilocode hardening (openclaw#32352, thanks @pandemicsyn and @vincentkoc)
* chore(changelog): fix kilocode note format (openclaw#32352, thanks @pandemicsyn and @vincentkoc)
* test(kilocode): support auto-model override cases (openclaw#32352, thanks @pandemicsyn)
* Update CHANGELOG.md
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-03-07 08:14:06 -08:00
Jason
786ec21b5a
docs(cli): improve memory command examples (#31803)
...
Merged via squash.
Prepared head SHA: 15dcda3027
Co-authored-by: JasonOA888 <101583541+JasonOA888@users.noreply.github.com>
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com>
Reviewed-by: @altaywtf
2026-03-07 19:03:23 +03:00
Nimrod Gutman
1eb7198bad
fix(ios): skip quick setup when a gateway is configured (#38964)
...
* fix(ios): hide quick setup when gateway is configured
* fix: note ios quick setup gating for configured gateways (#38964) (thanks @ngutman)
2026-03-07 17:46:16 +02:00
Nimrod Gutman
0bac6e4d67
fix: add changelog note for ios app store connect release prep (#38936) (thanks @ngutman)
2026-03-07 17:21:07 +02:00
Rodrigo Uroz
4c0b873a4d
Config/Compaction: expose safeguard preserve and quality settings (#25557)
...
Merged via squash.
Prepared head SHA: ea9904039a
Co-authored-by: rodrigouroz <384037+rodrigouroz@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman
2026-03-07 07:13:13 -08:00
Ayaan Zaidi
bdd0f74188
docs: add changelog for markdown image hardening (#38895)
2026-03-07 19:46:41 +05:30
Ayaan Zaidi
9e1de97a69
fix(telegram): route native topic commands to the active session (#38871)
...
* fix(telegram): resolve session entry for /stop in forum topics
Fixes #38675
- Export normalizeStoreSessionKey from store.ts for reuse
- Use it in resolveSessionEntryForKey so topic session keys (lowercase
  in store) are found when handling /stop
- Add test for forum topic session key lookup
* fix(telegram): share native topic routing with inbound messages
* fix: land telegram topic routing follow-up (#38871)
---------
Co-authored-by: xialonglee <li.xialong@xydigit.com>
2026-03-07 19:01:16 +05:30
Ayaan Zaidi
05c240fad6
fix: restart Windows gateway via Scheduled Task (#38825) (#38825)
2026-03-07 18:00:38 +05:30
Ayaan Zaidi
26c9796736
fix: check managed systemd unit before is-enabled (#38819)
2026-03-07 17:11:07 +05:30
Peter Steinberger
f358c6f2fb
docs: reorder 2026.3.7 changelog highlights
2026-03-07 10:10:42 +00:00
Peter Steinberger
997a9f5b9e
chore: bump version to 2026.3.7
2026-03-07 10:09:02 +00:00
Ayaan Zaidi
2018d8aa99
docs: add changelog entry for Android package rename (#38712)
2026-03-07 14:51:03 +05:30
Tak Hoffman
8873e13f1e
fix(gateway): stop stale-socket restarts before first event (#38643)
...
* fix(gateway): guard stale-socket restarts by event liveness
* fix(gateway): centralize connect-time liveness tracking
* fix(web): apply connected status patch atomically
* fix(gateway): require active socket for stale checks
* fix(gateway): ignore inherited stale event timestamps
2026-03-07 00:58:08 -06:00
ql-wade
a5c07fa115
fix(gateway): skip stale-socket restarts for Telegram polling (openclaw#38405)
...
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini
Co-authored-by: ql-wade <262266039+ql-wade@users.noreply.github.com>
2026-03-07 00:20:34 -06:00
拐爷&&老拐瘦
2e31aead39
fix(gateway): invalidate bootstrap cache on session rollover (openclaw#38535)
...
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test:macmini
Co-authored-by: yfge <1186273+yfge@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
2026-03-06 23:46:02 -06:00
Ayaan Zaidi
e802840b62
docs: update changelog for reply media delivery (#38572)
2026-03-07 10:52:16 +05:30
Xinhua Gu
024af2b738
fix(feishu): disable block streaming to prevent silent reply drops (openclaw#38422)
...
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini
Co-authored-by: xinhuagu <562450+xinhuagu@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
2026-03-06 22:33:30 -06:00
ql-wade
e309a15d73
fix: suppress ACP NO_REPLY fragments in console output (#38436)
2026-03-07 09:34:45 +05:30
Xinhua Gu
1a022a31de
fix(gateway): classify wrapped "fetch failed" messages as transient network errors (openclaw#38530)
...
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini
Co-authored-by: xinhuagu <562450+xinhuagu@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
2026-03-06 21:47:32 -06:00
Jakob
fa69f836c4
fix: increase maxTokens for tool probe to support reasoning models
...
Closes #7521
2026-03-06 22:27:28 -05:00
Tak Hoffman
a01978ba96
fix(googlechat): inherit shared defaults for multi-account webhook auth (#38492)
...
* fix(googlechat): inherit shared defaults from accounts.default
* fix(googlechat): do not inherit default enabled state
* fix(googlechat): avoid inheriting default credentials
* fix(googlechat): keep dangerous auth flags account-local
2026-03-06 21:11:55 -06:00
Vincent Koc
563a125c66
fix(gateway): stop shared-main chat.send from inheriting stale external routes (#38418)
...
* fix(gateway): prevent webchat messages from cross-routing to external channels
chat.send always originates from the webchat/control-UI surface. Previously,
channel-scoped session keys (e.g. agent:main:slack:direct:U…) caused
OriginatingChannel to inherit the session's stored external route, so the
reply dispatcher would route responses to Slack/Telegram instead of back to
the gateway connection. Remove the route-inheritance logic from chat.send and
always set OriginatingChannel to INTERNAL_MESSAGE_CHANNEL ("webchat").
Closes #34647
Made-with: Cursor
* Gateway: preserve configured-main connect gating
* Gateway: cover connect-without-client routing
* Gateway: add chat.send session key length limit
* Gateway: cap chat.send session key schema
* Gateway: bound chat.send session key parsing
* Gateway: cover oversized chat.send session keys
* Update CHANGELOG.md
---------
Co-authored-by: SidQin-cyber <sidqin0410@gmail.com>
2026-03-06 21:59:08 -05:00
Vincent Koc
bf623a580b
Agents: add skill API rate-limit guardrail (#38452)
...
* Agents: add rate-limit guardrail for skill API writes
* Changelog: note skill API rate-limit awareness
2026-03-06 20:20:00 -05:00
Vincent Koc
3070fafec1
fix(venice): switch default model to kimi-k2-5 (#38423)
...
* Docs: refresh Venice default model guidance
* Venice: switch default model to Kimi K2.5
* Changelog: credit Venice default refresh
2026-03-06 19:31:07 -05:00
OfflynAI
adb9234d03
fix(imessage): prevent echo loop from leaking internal metadata and amplifying NO_REPLY into queue overflow (#33295)
...
* fix(imessage): prevent echo loop from leaking internal metadata and amplifying NO_REPLY into queue overflow
- Add outbound sanitization at channel boundary (sanitize-outbound.ts):
  strips thinking/reasoning tags, relevant-memories tags, model-specific
  separators (+#+#), and assistant role markers before iMessage delivery
- Add inbound reflection guard (reflection-guard.ts): detects and drops
  messages containing assistant-internal markers that indicate a reflected
  outbound message, preventing recursive echo amplification
- Harden echo cache: increase text TTL from 5s to 30s to catch delayed
  reflections that previously expired before the echo could be detected
- Add loop rate limiter (loop-rate-limiter.ts): per-conversation rapid-fire
  detection that suppresses conversations exceeding threshold within a
  time window, acting as a safety net against amplification
Closes #33281
* fix(imessage): address review — stricter reflection regex, loop-aware rate limiter
- Reflection guard: require closing > bracket on thinking/final/memory
  tag patterns to prevent false-positives on user phrases like
  '<final answer>' or '<thought experiment>' (#33295 review)
- Rate limiter: only record echo/reflection/from-me drops instead of
  all dispatches, so the limiter acts as a loop-specific escalation
  mechanism rather than a general throttle on normal conversation
  velocity (#33295 review)
* Changelog: add iMessage echo-loop hardening entry
* iMessage: restore short echo-text TTL
* iMessage: ignore reflection markers in code
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-03-06 19:19:57 -05:00
Vincent Koc
5320ee7731
fix(venice): harden discovery limits and tool support (#38306)
...
* Config: add supportsTools compat flag
* Agents: add model tool support helper
* Venice: sync discovery and fallback metadata
* Agents: skip tools for unsupported models
* Changelog: note Venice provider hardening
* Update CHANGELOG.md
* Venice: cap degraded discovery metadata
* Apply suggestion from @greptile-apps[bot]
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
* Venice: tolerate partial discovery capabilities
* Venice: tolerate missing discovery specs
---------
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
2026-03-06 19:07:11 -05:00
SP
942c53e7f0
fix(agents): prevent totalTokens crash when assistant usage is missing (#34977)
...
Merged via squash.
Prepared head SHA: 1c14094f3f
Co-authored-by: sp-hk2ldn <8068616+sp-hk2ldn@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman
2026-03-06 15:59:16 -08:00
Marcus Widing
48b3c4a043
fix(auth): treat unconfigured-owner sessions as owner for ownerOnly tools (#26331)
...
Merged via squash.
Prepared head SHA: 1fbe1c7651
Co-authored-by: widingmarcus-cyber <245375637+widingmarcus-cyber@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman
2026-03-06 15:37:07 -08:00