ahdernasr
e321f21daa
fix: serialize tool result delivery to preserve message ordering ( #21231 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 68adbf58c844983175+ahdernasr@users.noreply.github.com >
Co-authored-by: joshavant <830519+joshavant@users.noreply.github.com >
Reviewed-by: @joshavant
2026-02-19 17:23:23 -08:00
adhitShet
d871ee91d0
fix(config-cli): correct misleading --json flag description ( #21332 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: b6c8d1edfa131381638+adhitShet@users.noreply.github.com >
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com >
Reviewed-by: @gumadeiras
2026-02-19 20:09:17 -05:00
adhitShet
ae4907ce6e
fix(heartbeat): return false for zero-width active-hours window ( #21408 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 993860bd03131381638+adhitShet@users.noreply.github.com >
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com >
Reviewed-by: @gumadeiras
2026-02-19 20:03:57 -05:00
adhitShet
57f0ac21e9
fix(heartbeat): constrain 24-hour sentinel to 24:00 only in regex ( #21410 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 7b8fe75738131381638+adhitShet@users.noreply.github.com >
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com >
Reviewed-by: @gumadeiras
2026-02-19 19:52:38 -05:00
Gustavo Madeira Santana
ffa7de0467
chore: add CHANGELOG entry
2026-02-19 19:34:30 -05:00
Josh Avant
29ad0736f4
fix(gateway): tolerate legacy paired metadata in ws upgrade checks ( #21447 )
...
Fixes the pairing required regression from #21236 for legacy paired devices
created without roles/scopes metadata. Detects legacy paired metadata shape
and skips upgrade enforcement while backfilling metadata in place on reconnect.
Co-authored-by: Josh Avant <830519+joshavant@users.noreply.github.com >
Co-authored-by: Val Alexander <68980965+BunsDev@users.noreply.github.com >
2026-02-19 17:45:56 -06:00
Vincent Koc
ce2a39a271
Security: bump hono for timing-safe auth hardening
2026-02-19 15:13:38 -08:00
Vincent Koc
2c93f6656a
Docs: record PR #21336 anthropic onboarding fix
2026-02-19 15:13:38 -08:00
Vincent Koc
4883aa5439
docs(changelog): credit prior Slack recipient-id groundwork for 20988 ( #21434 )
2026-02-19 14:48:29 -08:00
Josh Avant
c2876b69fb
feat(auto-reply): add model fallback lifecycle visibility in status, verbose logs, and WebUI ( #20704 )
2026-02-19 14:33:02 -08:00
Vincent Koc
6cdcb5904d
chore: update changelog for merged fixes 7734 and 21086 ( #21254 )
2026-02-19 13:00:40 -08:00
Mariano
e98ccc8e17
iOS/Gateway: stabilize background wake and reconnect behavior ( #21226 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 7705a7741e132747814+mbelinky@users.noreply.github.com >
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com >
Reviewed-by: @mbelinky
2026-02-19 20:20:28 +00:00
Shadow
f7a8c2df2c
Discord: handle gateway 4014 close
2026-02-19 13:47:28 -06:00
George Pickett
85fee30e6b
fix: changelog for cross-origin redirect header stripping ( #20313 ) (thanks @afurm)
2026-02-19 11:42:25 -08:00
Shakker
eec5a6d6f1
Changelog: move prompt caching fix to unreleased
2026-02-19 19:22:46 +00:00
Shakker
45b54d90ab
Changelog: add auto-reply run-start fix ( #21165 ) (thanks @shakkernerd)
2026-02-19 19:15:09 +00:00
Isis Anisoptera
4b7d89100e
fix(auto-reply): restore prompt cache stability by moving per-turn ids to user context ( #20597 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 175919afb6768771+anisoptera@users.noreply.github.com >
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com >
Reviewed-by: @mbelinky
2026-02-19 19:11:47 +00:00
Shakker
ff3a7e5635
chore: bump release metadata to 2026.2.20
2026-02-19 18:57:08 +00:00
Mariano
a1d5dce7ab
iOS: use dedicated session key for chat sheet ( #21139 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 31a27b0c5b132747814+mbelinky@users.noreply.github.com >
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com >
Reviewed-by: @mbelinky
2026-02-19 18:42:56 +00:00
Mariano
42d11a3ec5
iOS: auto-resync chat after reconnect gaps ( #21135 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 1beca3a76d132747814+mbelinky@users.noreply.github.com >
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com >
Reviewed-by: @mbelinky
2026-02-19 18:37:13 +00:00
Peter Steinberger
9f5429e528
docs: trim refactor-only and duplicate changelog entries
2026-02-19 16:34:10 +01:00
Peter Steinberger
b0e55283d5
chore: bump release metadata to 2026.2.19
2026-02-19 16:17:34 +01:00
Peter Steinberger
280c6b117b
fix(daemon): harden windows schtasks script quoting
2026-02-19 16:16:51 +01:00
Peter Steinberger
2e421f32df
fix(security): restore trusted plugin runtime exec default
2026-02-19 16:01:29 +01:00
Peter Steinberger
8288702f51
docs(changelog): add Windows schtasks injection fix note
2026-02-19 15:57:42 +01:00
Peter Steinberger
c45f3c5b00
fix(gateway): harden canvas auth with session capabilities
2026-02-19 15:51:22 +01:00
Peter Steinberger
63e39d7f57
fix(security): harden ACP prompt size guardrails
2026-02-19 15:41:01 +01:00
Peter Steinberger
c9dee59266
refactor(security): centralize trusted sender checks for discord moderation
2026-02-19 15:39:56 +01:00
Peter Steinberger
81b19aaa1a
fix(security): enforce plugin and hook path containment
2026-02-19 15:37:29 +01:00
Peter Steinberger
10379e7dcd
fix: harden voice-call tts deep merge
2026-02-19 15:37:01 +01:00
Peter Steinberger
b40821b068
fix: harden ACP secret handling and exec preflight boundaries
2026-02-19 15:34:20 +01:00
Peter Steinberger
3d7ad1cfca
fix(security): centralize owner-only tool gating and scope maps
2026-02-19 15:29:23 +01:00
Peter Steinberger
26c9b37f5b
fix(security): enforce strict IPv4 SSRF literal handling
2026-02-19 15:24:47 +01:00
Peter Steinberger
77c748304b
refactor(plugins): extract safety and provenance helpers
2026-02-19 15:24:14 +01:00
Peter Steinberger
775816035e
fix(security): enforce trusted sender auth for discord moderation
2026-02-19 15:18:24 +01:00
Peter Steinberger
baa335f258
fix(security): harden SSRF IPv4 literal parsing
2026-02-19 15:14:46 +01:00
Peter Steinberger
3561442a9f
fix(plugins): harden discovery trust checks
2026-02-19 15:14:12 +01:00
Peter Steinberger
5dc50b8a3f
fix(security): harden npm plugin and hook install integrity flow
2026-02-19 15:11:25 +01:00
Peter Steinberger
2777d8ad93
refactor(security): unify gateway scope authorization flows
2026-02-19 15:06:38 +01:00
Peter Steinberger
b54ba3391b
fix: credit contributor in changelog ( #20916 ) (thanks @orlyjamie)
2026-02-19 15:00:10 +01:00
Peter Steinberger
29118995ad
refactor(lobster): remove lobsterPath overrides
2026-02-19 14:58:13 +01:00
Peter Steinberger
7426848913
test(feishu): add mention regex injection regressions
2026-02-19 14:51:41 +01:00
Peter Steinberger
e01011e3e4
fix(acp): harden session lifecycle against flooding
2026-02-19 14:50:17 +01:00
Peter Steinberger
cf6edc6d57
docs(changelog): credit allsmog for Lobster security report
2026-02-19 14:43:03 +01:00
Peter Steinberger
a40c10d3e2
fix: harden agent gateway authorization scopes
2026-02-19 14:37:56 +01:00
Peter Steinberger
ff74d89e86
fix: harden gateway control-plane restart protections
2026-02-19 14:30:15 +01:00
Peter Steinberger
e3e0ffd801
feat(security): audit gateway HTTP no-auth exposure
2026-02-19 14:25:56 +01:00
Thorfinn
b45bb6801c
fix(doctor): skip embedding provider check when QMD backend is active (openclaw#17295) thanks @miloudbelarebia
...
Verified:
- pnpm build
- pnpm check (fails on baseline formatting drift in files identical to origin/main)
- pnpm test:macmini
Co-authored-by: miloudbelarebia <52387093+miloudbelarebia@users.noreply.github.com >
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com >
2026-02-19 07:21:27 -06:00
Peter Steinberger
bafdbb6f11
fix(security): eliminate safeBins file-existence oracle
2026-02-19 14:18:11 +01:00
Peter Steinberger
cfe8457a0f
fix(security): harden safeBins stdin-only enforcement
2026-02-19 14:10:45 +01:00
