github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 02:41:24 +00:00
Code Issues Packages Projects Releases Wiki Activity
11,049 Commits 702 Branches 79 Tags
14fb2c05b1331223e4063a376b5f8ae8786eef31
Commit Graph

31 Commits

Author SHA1 Message Date
Peter Steinberger
31980bcaf1 refactor(test): dedupe gateway env restores 2026-02-15 23:18:16 +00:00
Peter Steinberger
99909f7bc7 refactor(test): share gateway server start helper 2026-02-15 23:02:27 +00:00
Peter Steinberger
98bb4225fd perf(test): minimize gateway startup in vitest 2026-02-14 05:25:40 +00:00
Peter Steinberger
2378d770d1 perf(test): speed gateway suite resets with unique config roots 2026-02-13 23:33:08 +00:00
Peter Steinberger
fdfc34fa1f perf(test): stabilize e2e harness and reduce flaky gateway coverage 2026-02-13 17:32:14 +00:00
Peter Steinberger
1eccfa8934 perf(test): trim duplicate e2e suites and harden signal hooks 2026-02-13 16:46:43 +00:00
Peter Steinberger
cfd112952e fix(gateway): default-deny missing connect scopes 2026-02-11 12:04:30 +01:00
Abdel Sy Fane
0c7fa2b0d5 security: redact credentials from config.get gateway responses (#9858) 
* security: add skill/plugin code safety scanner module

* security: integrate skill scanner into security audit

* security: add pre-install code safety scan for plugins

* style: fix curly brace lint errors in skill-scanner.ts

* docs: add changelog entry for skill code safety scanner

* security: redact credentials from config.get gateway responses

The config.get gateway method returned the full config snapshot
including channel credentials (Discord tokens, Slack botToken/appToken,
Telegram botToken, Feishu appSecret, etc.), model provider API keys,
and gateway auth tokens in plaintext.

Any WebSocket client—including the unauthenticated Control UI when
dangerouslyDisableDeviceAuth is set—could read every secret.

This adds redactConfigSnapshot() which:
- Deep-walks the config object and masks any field whose key matches
  token, password, secret, or apiKey patterns
- Uses the existing redactSensitiveText() to scrub the raw JSON5 source
- Preserves the hash for change detection
- Includes 15 test cases covering all channel types

* security: make gateway config writes return redacted values

* test: disable control UI by default in gateway server tests

* fix: redact credentials in gateway config APIs (#9858) (thanks @abdelsfane)

---------

Co-authored-by: George Pickett <gpickett00@gmail.com>
 2026-02-05 16:34:48 -08:00
Abdel Sy Fane
bc88e58fcf security: add skill/plugin code safety scanner (#9806) 
* security: add skill/plugin code safety scanner module

* security: integrate skill scanner into security audit

* security: add pre-install code safety scan for plugins

* style: fix curly brace lint errors in skill-scanner.ts

* docs: add changelog entry for skill code safety scanner

* style: append ellipsis to truncated evidence strings

* fix(security): harden plugin code safety scanning

* fix: scan skills on install and report code-safety details

* fix: dedupe audit-extra import

* fix(security): make code safety scan failures observable

* fix(test): stabilize smoke + gateway timeouts (#9806) (thanks @abdelsfane)

---------

Co-authored-by: Darshil <ddhameliya@mail.sfsu.edu>
Co-authored-by: Darshil <81693876+dvrshil@users.noreply.github.com>
Co-authored-by: George Pickett <gpickett00@gmail.com>
 2026-02-05 16:06:11 -08:00
Peter Steinberger
fe81b1d712 fix(gateway): require shared auth before device bypass 2026-02-02 16:56:38 -08:00
cpojer
f06dd8df06 chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts. 2026-02-01 10:03:47 +09:00
cpojer
5ceff756e1 chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
Peter Steinberger
9a7160786a refactor: rename to openclaw 2026-01-30 03:16:21 +01:00
Peter Steinberger
6d16a658e5 refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
Peter Steinberger
3314b3996e fix: harden gateway auth defaults 2026-01-26 18:24:26 +00:00
Peter Steinberger
c4a80f4edb fix: require gateway auth by default 2026-01-26 12:56:33 +00:00
Peter Steinberger
64be2b2cd1 test: speed up gateway suite setup 2026-01-23 04:28:02 +00:00
Peter Steinberger
f76e3c1419 fix: enforce secure control ui auth 2026-01-21 23:58:42 +00:00
Peter Steinberger
dfbf6ac263 feat: enforce device-bound connect challenge 2026-01-20 13:04:19 +00:00
Peter Steinberger
9dbc1435a6 fix: enforce ws3 roles + node allowlist 2026-01-20 09:24:01 +00:00
Peter Steinberger
9e06d945a2 fix: stabilize gateway tests on windows 2026-01-19 12:12:51 +00:00
Peter Steinberger
2f8206862a refactor: remove bridge protocol 2026-01-19 10:08:29 +00:00
Seb Slight
2f6b5ffdfe Web: trim HTML error bodies in web_fetch (#1193) 
* Web: trim HTML error bodies in web_fetch

* fix: trim web_fetch HTML error bodies (#1193) (thanks @sebslight)

---------

Co-authored-by: Sebastian Slight <sbarrios93@gmail.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-01-19 00:24:16 +00:00
Peter Steinberger
ab340c82fb fix: stabilize tests and logging 2026-01-18 18:43:31 +00:00
Peter Steinberger
208398973b test: stabilize gateway suites 2026-01-18 05:44:22 +00:00
Peter Steinberger
1a0d1cb7b2 test: stabilize gateway ports and timers 2026-01-18 05:44:22 +00:00
Peter Steinberger
c92265a51b refactor: canonicalize gateway session store keys 2026-01-17 07:41:24 +00:00
Peter Steinberger
757243993c fix: stabilize gateway config tests + tool schema 2026-01-15 05:16:28 +00:00
Peter Steinberger
c379191f80 chore: migrate to oxlint and oxfmt 
Co-authored-by: Christoph Nakazawa <christoph.pojer@gmail.com>
 2026-01-14 15:02:19 +00:00
Peter Steinberger
1089444807 fix(gateway): reduce flaky ws rpc timeouts 2026-01-14 05:41:02 +00:00
Peter Steinberger
bcbfb357be refactor(src): split oversized modules 2026-01-14 01:17:56 +00:00