Mirrors/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-05 00:43:54 +02:00
Code Issues Packages Projects Releases Wiki Activity
13,384 Commits 929 Branches 94 Tags
3a80934aaaba2c7310ebbfcf216dd90fa9735d03
Commit Graph

1014 Commits

Author SHA1 Message Date
Peter Steinberger
e0db04a50d fix(security): harden avatar validation and size limits 2026-02-22 08:35:32 +01:00
Vignesh Natarajan
29a782b9cd Models/Config: default missing Anthropic model api fields 2026-02-21 22:50:43 -08:00
Vignesh Natarajan
73b4330d4c CLI/Config: keep explicitly unset keys removed 2026-02-21 21:08:04 -08:00
Vignesh
3317b49d3b feat(memory): allow QMD searches via mcporter keep-alive (openclaw#19617) thanks @vignesh07 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: vignesh07 <1436853+vignesh07@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-21 18:54:33 -06:00
Peter Steinberger
98790339ef test: dedupe repeated validation and throw assertions 2026-02-21 23:28:07 +00:00
Peter Steinberger
b97691f3a7 test(config): avoid duplicate include resolution in throw assertions 2026-02-21 23:28:06 +00:00
Peter Steinberger
95dab6e019 fix: harden config prototype-key guards (#22968) (thanks @Clawborn) 2026-02-22 00:25:22 +01:00
Clawborn
e23c08b5f4 Fix prototype pollution in applyMergePatch via blocked key filter 
applyMergePatch in merge-patch.ts iterates Object.entries(patch) without
filtering dangerous keys. When a caller passes a JSON-parsed object with
a "__proto__" key, the loop assigns result["__proto__"] = value, which
replaces the prototype of result and pollutes Object.prototype for the
entire process.

Add a BLOCKED_KEYS set ({"__proto__", "constructor", "prototype"}) and
skip those keys during iteration, matching the guard already present in
deepMerge (includes.ts) via isBlockedObjectKey.

Adds four tests covering __proto__, constructor, prototype, and nested
__proto__ injection.

Co-authored-by: Clawborn <tianrun.yang103@gmail.com>
 2026-02-22 00:25:22 +01:00
Peter Steinberger
8752203f59 refactor(test): stabilize case tables and readonly helper inputs 2026-02-22 00:10:07 +01:00
Peter Steinberger
5164822cd5 test: table-drive status reactions and session key cases 2026-02-21 23:02:44 +00:00
Brian Mendonca
21087c5c70 test: fix rebase-introduced tsgo regressions 2026-02-21 23:57:34 +01:00
Brian Mendonca
a186036814 test: fix latest tsgo inference regressions in test suites 2026-02-21 23:57:34 +01:00
Brian Mendonca
c7c047287e test: fix readonly typing regressions in check baseline 2026-02-21 23:57:34 +01:00
Gustavo Madeira Santana
0e1aa77928 chore(tsgo/format): fix CI errors 2026-02-21 17:51:56 -05:00
Gustavo Madeira Santana
2f46308d5a refactor(logging): migrate non-agent internal console calls to subsystem logger (#22964) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: b4a5b12422
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-21 17:44:00 -05:00
Peter Steinberger
0608587bc3 test: streamline config, audit, and qmd coverage 2026-02-21 22:23:43 +00:00
Peter Steinberger
861718e4dc test: group remaining suite cleanups 2026-02-21 21:44:57 +00:00
Peter Steinberger
5d9e7c942c test: consolidate agent command and config scenarios 2026-02-21 21:44:01 +00:00
Peter Steinberger
1794f42ac0 test(config): dedupe io fixture wiring and cover legacy config-path override 2026-02-21 21:40:39 +00:00
Peter Steinberger
7036352d94 test(config): dedupe temp roots and cover legacy state-dir fallback 2026-02-21 21:40:39 +00:00
Peter Steinberger
194ebd9e30 refactor(test): dedupe env setup in envelope and config tests 2026-02-21 19:13:47 +00:00
Peter Steinberger
7724abeee0 refactor(test): dedupe env setup across suites 2026-02-21 19:13:46 +00:00
Peter Steinberger
25e89cc863 fix(security): harden shell env fallback 2026-02-21 20:01:08 +01:00
Peter Steinberger
6ffca36284 fix(config): add shared streaming resolver module 2026-02-21 19:53:42 +01:00
Peter Steinberger
2c14b0cf4c refactor(config): unify streaming config across channels 2026-02-21 19:53:42 +01:00
Onur
8178ea472d feat: thread-bound subagents on Discord (#21805) 
* docs: thread-bound subagents plan

* docs: add exact thread-bound subagent implementation touchpoints

* Docs: prioritize auto thread-bound subagent flow

* Docs: add ACP harness thread-binding extensions

* Discord: add thread-bound session routing and auto-bind spawn flow

* Subagents: add focus commands and ACP/session binding lifecycle hooks

* Tests: cover thread bindings, focus commands, and ACP unbind hooks

* Docs: add plugin-hook appendix for thread-bound subagents

* Plugins: add subagent lifecycle hook events

* Core: emit subagent lifecycle hooks and decouple Discord bindings

* Discord: handle subagent bind lifecycle via plugin hooks

* Subagents: unify completion finalizer and split registry modules

* Add subagent lifecycle events module

* Hooks: fix subagent ended context key

* Discord: share thread bindings across ESM and Jiti

* Subagents: add persistent sessions_spawn mode for thread-bound sessions

* Subagents: clarify thread intro and persistent completion copy

* test(subagents): stabilize sessions_spawn lifecycle cleanup assertions

* Discord: add thread-bound session TTL with auto-unfocus

* Subagents: fail session spawns when thread bind fails

* Subagents: cover thread session failure cleanup paths

* Session: add thread binding TTL config and /session ttl controls

* Tests: align discord reaction expectations

* Agent: persist sessionFile for keyed subagent sessions

* Discord: normalize imports after conflict resolution

* Sessions: centralize sessionFile resolve/persist helper

* Discord: harden thread-bound subagent session routing

* Rebase: resolve upstream/main conflicts

* Subagents: move thread binding into hooks and split bindings modules

* Docs: add channel-agnostic subagent routing hook plan

* Agents: decouple subagent routing from Discord

* Discord: refactor thread-bound subagent flows

* Subagents: prevent duplicate end hooks and orphaned failed sessions

* Refactor: split subagent command and provider phases

* Subagents: honor hook delivery target overrides

* Discord: add thread binding kill switches and refresh plan doc

* Discord: fix thread bind channel resolution

* Routing: centralize account id normalization

* Discord: clean up thread bindings on startup failures

* Discord: add startup cleanup regression tests

* Docs: add long-term thread-bound subagent architecture

* Docs: split session binding plan and dedupe thread-bound doc

* Subagents: add channel-agnostic session binding routing

* Subagents: stabilize announce completion routing tests

* Subagents: cover multi-bound completion routing

* Subagents: suppress lifecycle hooks on failed thread bind

* tests: fix discord provider mock typing regressions

* docs/protocol: sync slash command aliases and delete param models

* fix: add changelog entry for Discord thread-bound subagents (#21805) (thanks @onutc)

---------

Co-authored-by: Shadow <hi@shadowing.dev>
 2026-02-21 16:14:55 +01:00
Peter Steinberger
f48698a50b fix(security): harden sandbox browser network defaults 2026-02-21 14:02:53 +01:00
Peter Steinberger
be7f825006 refactor(gateway): harden proxy client ip resolution 2026-02-21 13:36:23 +01:00
Ayaan Zaidi
8b1fe0d1e2 fix(telegram): split streaming preview per assistant block (#22613) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 26f35f4411
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
 2026-02-21 18:05:23 +05:30
Peter Steinberger
f265d45840 fix(tts): make model provider overrides opt-in 2026-02-21 13:16:07 +01:00
Peter Steinberger
f202e73077 refactor(security): centralize host env policy and harden env ingestion 2026-02-21 13:04:39 +01:00
Peter Steinberger
08e020881d refactor(security): unify command gating and blocked-key guards 2026-02-21 13:04:37 +01:00
Peter Steinberger
99048dbec2 fix(gateway): align insecure-auth toggle messaging 2026-02-21 12:57:22 +01:00
Peter Steinberger
fbb79d4013 fix(security): harden runtime command override gating 2026-02-21 12:49:57 +01:00
Peter Steinberger
2cdbadee1f fix(security): block startup-file env injection across host execution paths 2026-02-21 11:44:20 +01:00
Ayaan Zaidi
677384c519 refactor: simplify Telegram preview streaming to single boolean (#22012) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: a4017d3b94
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
 2026-02-21 15:19:13 +05:30
Ayaan Zaidi
e1cb73cdeb fix: unblock Docker build by aligning commands schema default (#22558) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 1ad610176d
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
 2026-02-21 14:47:28 +05:30
Vincent Koc
c20d519e05 feat(security): migrate sha1 hashes to sha256 for synthetic ids (#7343) (#22528) 
* feat(prompt): add explicit owner hash secret to obfuscation path

* feat(security): migrate synthetic IDs to sha256 for #7343
 2026-02-21 03:20:14 -05:00
Vincent Koc
9abab6a2c9 Add explicit ownerDisplaySecret for owner ID hash obfuscation (#22520) 
* feat(config): add owner display secret setting

* feat(prompt): add explicit owner hash secret to obfuscation path

* test(prompt): assert owner hash secret mode behavior

* Update src/agents/system-prompt.ts

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

---------

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
 2026-02-21 03:13:56 -05:00
Wei He
122bdfa4e1 feat(discord): add configurable ephemeral option for slash commands 2026-02-20 21:19:21 -06:00
Shadow
f555835b09 Channels: add thread-aware model overrides 2026-02-20 19:26:25 -06:00
Tyler Yust
fe57bea088 Subagents: restore announce chain + fix nested retry/drop regressions (#22223) 
* Subagents: restore announce flow and fix nested delivery retries

* fix: prep subagent announce + docs alignment (#22223) (thanks @tyler6204)
 2026-02-20 15:39:09 -08:00
Shadow
4ab946eebf Discord VC: voice channels, transcription, and TTS (#18774) 2026-02-20 16:06:07 -06:00
Shadow
30a0d3fce1 Status reactions: fix stall timers and gating (#22190) 
* feat: add shared status reaction controller

* feat: add statusReactions config schema

* feat: wire status reactions for Discord and Telegram

* fix: restore original 10s/30s stall defaults for Discord compatibility

* Status reactions: fix stall timers and gating

* Format status reaction imports

---------

Co-authored-by: Matt <mateus.carniatto@gmail.com>
 2026-02-20 15:27:42 -06:00
Shadow
8c9f35cdb5 Agents: sanitize skill env overrides 2026-02-20 12:38:54 -06:00
Shadow
09e6970386 Discord: implement stream preview mode (#22111) 
* Discord: implement stream preview mode

* Changelog: note Discord stream preview mode

* Tests: type discord draft stream mocks

* Docs: document Discord stream preview
 2026-02-20 12:37:15 -06:00
Kirill Shchetynin
ee519086f6 Feature/default messenger delivery target (openclaw#16985) thanks @KirillShchetinin 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: KirillShchetinin <13061871+KirillShchetinin@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-19 22:37:19 -06:00
Mr. Guy
dece0fa146 fix: add customBindHost to gateway config validation (openclaw#20318) thanks @MisterGuy420 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: MisterGuy420 <255743668+MisterGuy420@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-19 22:06:22 -06:00
Tak Hoffman
c1ac37a641 Config: expose Pi compaction tuning values (openclaw#21568) thanks @Takhoffman 
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: Takhoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-19 21:41:09 -06:00
Vishal
f1e1cc4ee3 feat: surface cached token counts in /status output (openclaw#21248) thanks @vishaltandale00 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: vishaltandale00 <9222298+vishaltandale00@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-19 21:06:13 -06:00