vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-03-12 15:30:39 +00:00
Code Issues Packages Projects Releases Wiki Activity
18,096 Commits 682 Branches 76 Tags
e6c7fa984c3fd0f2fc9082aa5655e488d4c0b677
Commit Graph

18096 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Vincent Koc
e6c7fa984c Telegram: share draft stream runtime state 2026-03-12 02:07:20 -04:00
Vincent Koc
05ac9e53cf Tests: document fresh import helper 2026-03-12 02:07:20 -04:00
Vincent Koc
cced4823b1 Slack: share sent thread participation state 2026-03-12 02:07:20 -04:00
Vincent Koc
c5b597db74 Tests: cover shared Slack thread participation state 2026-03-12 02:07:20 -04:00
Vincent Koc
f3282182f4 Tests: cover shared inbound dedupe state 2026-03-12 02:07:20 -04:00
Vincent Koc
f94b36f45f Tests: cover shared followup queue runtime state 2026-03-12 02:07:20 -04:00
Vincent Koc
9ef77362ee Tests: cover shared embedded run runtime state 2026-03-12 02:07:20 -04:00
Vincent Koc
c7ffea6373 Tests: cover shared command queue runtime state 2026-03-12 02:07:20 -04:00
Vincent Koc
631998287a Reply: share inbound dedupe state 2026-03-12 02:07:20 -04:00
Vincent Koc
6ab0f0e1f7 Reply: share queued message dedupe state 2026-03-12 02:07:20 -04:00
Vincent Koc
412818bbaf Reply: share followup drain callback state 2026-03-12 02:07:20 -04:00
Vincent Koc
1a5794f65a Reply: share followup queue runtime state 2026-03-12 02:07:20 -04:00
Vincent Koc
a744a48a0d Agents: share embedded run runtime state 2026-03-12 02:07:20 -04:00
Vincent Koc
fb303d7d67 Process: share command queue runtime state 2026-03-12 02:07:20 -04:00
Vincent Koc
2aa1270fdd Tests: add fresh module import helper 2026-03-12 02:07:20 -04:00
Luke
8baf55d8ed Changelog: note Reminders permission fix 2026-03-12 17:01:42 +11:00
Dinakar Sarbada
cee8717020 fix(macos): add NSRemindersUsageDescription for apple-reminders skill 
Fixes #5090

Without this plist key, macOS silently denies Reminders access when
running through OpenClaw.app, preventing the apple-reminders skill
from requesting permission.

(cherry picked from commit e5774471c8)
 2026-03-12 17:01:38 +11:00
Ayaan Zaidi
f7416da905 style: format changelog 2026-03-12 11:28:27 +05:30
Vincent Koc
d8d8dc7421 Infra: fail closed without device scope baseline 2026-03-12 01:42:12 -04:00
Vincent Koc
276ee259ca Tests: clean up temp git helper directory 2026-03-12 01:42:12 -04:00
Vincent Koc
99a5a3c16a Update CHANGELOG.md 2026-03-12 01:37:33 -04:00
Vincent Koc
672924b01e Update CHANGELOG.md 2026-03-12 01:36:16 -04:00
Vincent Koc
4f462facda Infra: cap device tokens to approved scopes (#43686) 
* Infra: cap device tokens to approved scopes

* Changelog: note device token hardening
 2026-03-12 01:25:52 -04:00
Vincent Koc
2504cb6a1e Security: escape invisible exec approval format chars (#43687) 
* Infra: escape invisible exec approval chars

* Gateway: sanitize exec approval display text

* Tests: cover sanitized exec approval payloads

* Tests: cover sanitized exec approval forwarding

* Changelog: note exec approval prompt hardening
 2026-03-12 01:20:04 -04:00
Vincent Koc
1dcef7b644 Infra: block GIT_EXEC_PATH in host env sanitizer (#43685) 
* Infra: block GIT_EXEC_PATH in host env sanitizer

* Changelog: note host env hardening
 2026-03-12 01:16:03 -04:00
Vincent Koc
18f15850e6 fix(browser): restore proxy attachment media size cap (#43684) 
* browser: honor shared proxy file size cap

* test(browser): cover proxy file size cap

* docs(changelog): note browser proxy size cap fix
 2026-03-12 01:04:31 -04:00
Peter Steinberger
29dc65403f build: prepare 2026.3.11 release v2026.3.11 2026-03-12 05:01:07 +00:00
Neerav Makwana
c65390cbde docs: update Raspberry Pi dashboard access instructions (#43584) 
* docs(pi): update dashboard access instructions

* docs(i18n): refresh raspberry pi source hash

* docs: clarify Raspberry Pi dashboard access

* fix: clarify Raspberry Pi dashboard access (#43584) (thanks @neeravmakwana)

---------

Co-authored-by: Neerav Makwana <261249544+neeravmakwana@users.noreply.github.com>
Co-authored-by: Ayaan Zaidi <zaidi@uplause.io>
 2026-03-12 10:04:44 +05:30
Peter Steinberger
b125c3ba06 build: bump openclaw to 2026.3.11-beta.1 v2026.3.11-beta.1 2026-03-12 04:08:19 +00:00
Ayaan Zaidi
fbc1bd6f8e fix: clear telegram polling cleanup timers 2026-03-12 09:36:04 +05:30
Huang X
70abee69e9 fix(telegram): avoid polling restart hang after stall detection 2026-03-12 09:36:04 +05:30
Peter Steinberger
ce5dd742f8 build: sync versions to 2026.3.11 2026-03-12 04:01:57 +00:00
Peter Steinberger
96485701a7 docs: update 2026.3.11 release examples 2026-03-12 04:01:56 +00:00
Toven
ade748176f OpenRouter: surface free Hunter and Healer stealth models for the next week (#43642) 
* Models: add temporary Hunter and Healer alpha to OpenRouter catalog

* Add temporary OpenRouter stealth catalog entries

---------

Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-03-11 22:58:48 -05:00
Peter Steinberger
1fcee52a5c docs: reorder unreleased changelog by user impact 2026-03-12 03:42:39 +00:00
David Rudduck
f01c41b27a fix(context-engine): guard compact() throw + fire hooks for ownsCompaction engines (#41361) 
Merged via squash.

Prepared head SHA: 0957b32dc6
Co-authored-by: davidrudduck <47308254+davidrudduck@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman
 2026-03-11 20:19:20 -07:00
Frank Yang
5231277163 fix(acp): rehydrate restarted main ACP sessions (#43285) 
Merged via squash.

Prepared head SHA: f06318e58f
Co-authored-by: frankekn <4488090+frankekn@users.noreply.github.com>
Co-authored-by: frankekn <4488090+frankekn@users.noreply.github.com>
Reviewed-by: @frankekn
 2026-03-12 11:05:09 +08:00
Peter Steinberger
5ca780fa78 feat: expose runtime version in gateway status 2026-03-12 02:55:31 +00:00
Robin Waslander
e95f2dcd6e fix(sandbox): anchor fs-bridge writeFile commit to canonical parent path 
Refs: GHSA-xvx8-77m6-gwg6
 2026-03-12 03:52:24 +01:00
Peter Steinberger
43a10677ed fix: isolate plugin discovery env from global state 2026-03-12 02:46:29 +00:00
Peter Steinberger
17fd46ab66 test: fix websocket tool shape coverage 2026-03-12 02:16:56 +00:00
Robin Waslander
487a3ba8ce fix(discord): enforce users/roles allowlist in reaction ingress 
References GHSA-9vvh-2768-c8vp.
 2026-03-12 03:13:46 +01:00
Peter Steinberger
980619b9be fix: harden openai websocket replay 2026-03-12 02:13:06 +00:00
Peter Steinberger
607c158a75 test(cli): update daemon coverage restart contract 2026-03-12 01:43:27 +00:00
Peter Steinberger
b31836317a fix(cli): handle scheduled gateway restarts consistently 2026-03-12 01:38:39 +00:00
Robin Waslander
841ee24340 fix(daemon): address clanker review findings for kickstart restart 
Bug 1 (high): replace fixed sleep 1 with caller-PID polling in both
kickstart and start-after-exit handoff modes. The helper now waits until
kill -0 $caller_pid fails before issuing launchctl kickstart -k.

Bug 2 (medium): gate enable+bootstrap fallback on isLaunchctlNotLoaded().
Only attempt re-registration when kickstart -k fails because the job is
absent; all other kickstart failures now re-throw the original error.

Follows up on 3c0fd3dffe.
Fixes #43311, #43406, #43035, #43049
 2026-03-12 02:16:24 +01:00
Robin Waslander
b7a37c2023 fix(node-host): extend script-runner set and add fail-closed guard for mutable-file approval 
tsx, jiti, ts-node, ts-node-esm, vite-node, and esno were not recognized
as interpreter-style script runners in invoke-system-run-plan.ts. These
runners produced mutableFileOperand: null, causing invoke-system-run.ts
to skip revalidation entirely. A mutated script payload would execute
without the approval binding check that node ./run.js already enforced.

Two-part fix:
- Add tsx, jiti, and related TypeScript/ESM loaders to the known script
  runner set so they produce a valid mutableFileOperand from the planner
- Add a fail-closed runtime guard in invoke-system-run.ts that denies
  execution when a script run should have a mutable-file binding but the
  approval plan is missing it, preventing unknown future runners from
  silently bypassing revalidation

Fixes GHSA-qc36-x95h-7j53
 2026-03-12 01:34:35 +01:00
Luke
a5ceb62d44 fix(whatsapp): trim leading whitespace in direct outbound sends (#43539) 
Trim leading whitespace from direct WhatsApp text and media caption sends.

Also guard empty text-only web sends after trimming.
 2026-03-12 11:32:04 +11:00
Peter Steinberger
7e3787517f fix: harden state dir permissions during onboard 2026-03-12 00:26:36 +00:00
Robin Waslander
ebed3bbde1 fix(gateway): enforce browser origin check regardless of proxy headers 
In trusted-proxy mode, enforceOriginCheckForAnyClient was set to false
whenever proxy headers were present. This allowed browser-originated
WebSocket connections from untrusted origins to bypass origin validation
entirely, as the check only ran for control-ui and webchat client types.

An attacker serving a page from an untrusted origin could connect through
a trusted reverse proxy, inherit proxy-injected identity, and obtain
operator.admin access via the sharedAuthOk / roleCanSkipDeviceIdentity
path without any origin restriction.

Remove the hasProxyHeaders exemption so origin validation runs for all
browser-originated connections regardless of how the request arrived.

Fixes GHSA-5wcw-8jjv-m286
 2026-03-12 01:16:52 +01:00