github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-02 06:48:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
17,277 Commits 702 Branches 79 Tags
4c2cb73055c8defa4e094c8a861712f390c8a687
Commit Graph

4423 Commits

Author SHA1 Message Date
Peter Steinberger
a67689a7e3 fix: harden allow-always shell multiplexer wrapper handling 2026-02-24 03:06:51 +00:00
Peter Steinberger
4a3f8438e5 fix(gateway): bind node exec approvals to nodeId 2026-02-24 03:05:58 +00:00
Peter Steinberger
c5ac90ab92 docs(changelog): add shell-env fallback hardening note 2026-02-24 03:04:49 +00:00
Peter Steinberger
d0ef4c75c7 docs(changelog): credit safeBins advisory reporters 2026-02-24 02:59:17 +00:00
Peter Steinberger
90383e00e9 fix(security): harden autoAllowSkills exec matching 2026-02-24 02:53:47 +00:00
Peter Steinberger
e578521ef4 fix(security): harden session export image data-url handling 2026-02-24 02:53:39 +00:00
Peter Steinberger
ff4e6ca0d9 fix(ios): gate agent deep links with local confirmation 2026-02-24 02:51:58 +00:00
Peter Steinberger
f8524ec77a fix(security): harden exported session html rendering 2026-02-24 02:40:29 +00:00
Peter Steinberger
1d28da55a5 fix(voice-call): block Twilio webhook replay and stale transitions 2026-02-24 02:37:24 +00:00
Peter Steinberger
3f923e8313 test: add env -S allowlist bypass regressions 2026-02-24 02:28:00 +00:00
Peter Steinberger
6634030be3 fix: enforce apply_patch workspaceOnly in sandbox mounts 2026-02-24 02:23:56 +00:00
Peter Steinberger
dd9d9c1c60 fix(security): enforce workspaceOnly for sandbox image tool 2026-02-24 02:17:55 +00:00
Gustavo Madeira Santana
5239b55c0a Config: expand Kilo catalog and persist selected Kilo models (#24921) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: f5a7e1a385
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-23 21:17:37 -05:00
Peter Steinberger
08e2aa44e7 fix(commands): restrict commands.allowFrom to sender principals 2026-02-24 02:01:01 +00:00
Peter Steinberger
223d7dc23d feat(gateway)!: require explicit non-loopback control-ui origins 2026-02-24 01:57:11 +00:00
Peter Steinberger
edfefdff7d docs(changelog): mark ACP hardening as next npm release 2026-02-24 01:56:22 +00:00
Peter Steinberger
a1c4bf07c6 fix(security): harden exec wrapper allowlist execution parity 2026-02-24 01:52:17 +00:00
Peter Steinberger
5eb72ab769 fix(security): harden browser SSRF defaults and migrate legacy key 2026-02-24 01:52:01 +00:00
Peter Steinberger
1f81677093 docs(changelog): note dangerous name-matching audit unification 2026-02-24 01:33:08 +00:00
Peter Steinberger
2e36bdda85 docs(changelog): credit ACP security reporter 2026-02-24 01:19:03 +00:00
Peter Steinberger
f97c0922e1 fix(security): harden account-key handling against prototype pollution 2026-02-24 01:09:31 +00:00
Peter Steinberger
12cc754332 fix(acp): harden permission auto-approval policy 2026-02-24 01:03:30 +00:00
Vincent Koc
30c622554f Providers: disable developer role for DashScope-compatible endpoints (#24675) 
* Agents: disable developer role for DashScope-compatible endpoints

* Agents: test DashScope developer-role compatibility

* Gateway: test allowlisted sessions.patch model selection

* Changelog: add DashScope role-compat fix note
 2026-02-23 19:51:16 -05:00
Peter Steinberger
f0c3c8b6a3 fix(config): redact dynamic catchall secret keys 2026-02-24 00:21:29 +00:00
Peter Steinberger
25f6fcc63a docs(changelog): note safeBins exec hardening 2026-02-23 23:58:58 +00:00
Peter Steinberger
e6484cb65f refactor: harden kilocode auth ordering and dedupe provider wiring 2026-02-23 23:37:13 +00:00
Gustavo Madeira Santana
eff3c5c707 Session/Cron maintenance hardening and cleanup UX (#24753) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 7533b85156
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: shakkernerd <165377636+shakkernerd@users.noreply.github.com>
Reviewed-by: @shakkernerd
 2026-02-23 22:39:48 +00:00
Peter Steinberger
5a475259bb fix(telegram): suppress reasoning-only leaks when reasoning is off 
Co-authored-by: avirweb <avirweb@users.noreply.github.com>
 2026-02-23 20:06:16 +00:00
Peter Steinberger
9af3ec92a5 fix(gateway): add HSTS header hardening and docs 2026-02-23 19:47:29 +00:00
Peter Steinberger
46dee26600 docs(reference): add prompt-caching guide and knobs 
Co-authored-by: Axel Svensson <svenssonaxel@users.noreply.github.com>
 2026-02-23 19:19:45 +00:00
Peter Steinberger
31e4c21b67 fix(auto-reply): move volatile inbound flags out of system metadata 
Co-authored-by: aidiffuser <aidiffuser@users.noreply.github.com>
 2026-02-23 19:19:45 +00:00
Peter Steinberger
cf38339f25 fix(tools): improve session_status cache-aware usage reporting 
Co-authored-by: Lucian Feraru <1ucian@users.noreply.github.com>
 2026-02-23 19:19:45 +00:00
Peter Steinberger
40db3fef49 fix(agents): cache bootstrap snapshots per session key 
Co-authored-by: Isis Anisoptera <github@lotuswind.net>
 2026-02-23 19:19:45 +00:00
Nimrod Gutman
8b3eee71ec fix: tier local vitest worker defaults by host memory (#24719) (thanks @ngutman) 2026-02-23 21:19:21 +02:00
Ruslan Kharitonov
8d69251475 fix(doctor): use gateway health status for memory search key check (#22327) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 2f02ec9403
Co-authored-by: therk <901920+therk@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-23 14:07:16 -05:00
Gustavo Madeira Santana
5de1f540e7 CLI: fix gateway restart health ownership for child listener pids (#24696) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: d6d4b43f7e
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-23 13:53:10 -05:00
Peter Steinberger
160bd61fff feat(agents): add per-agent stream params overrides for cache tuning (#17470) (thanks @rrenamed) 2026-02-23 18:46:40 +00:00
Peter Steinberger
be6f0b8c84 fix(providers): support Bedrock Anthropic cacheRetention defaults/pass-through (#22303) (thanks @snese) 2026-02-23 18:46:40 +00:00
Peter Steinberger
ca5c0bc02b fix(providers): disable Bedrock prompt caching for non-Anthropic models (#20866) (thanks @pierreeurope) 2026-02-23 18:46:40 +00:00
Peter Steinberger
e40ee3c2c7 docs(changelog): note /new and /reset auth-label removal (#24409) 2026-02-23 18:30:30 +00:00
Peter Steinberger
4c21ef9ce9 docs(changelog): correct kimi issue references 2026-02-23 18:28:56 +00:00
Peter Steinberger
7837d23103 feat(media): add moonshot video provider and wiring 
Co-authored-by: xiaoyaner0201 <xiaoyaner0201@users.noreply.github.com>
 2026-02-23 18:27:37 +00:00
Peter Steinberger
e02c470d5e feat(tools): add kimi web_search provider 
Co-authored-by: adshine <adshine@users.noreply.github.com>
 2026-02-23 18:27:37 +00:00
Peter Steinberger
f93ca93498 fix(agents): extend cache-ttl eligibility for moonshot and zai 
Co-authored-by: lailoo <lailoo@users.noreply.github.com>
 2026-02-23 18:27:36 +00:00
Peter Steinberger
65d57eac12 docs(changelog): reorder 2026.2.23 entries by user impact 2026-02-23 18:02:21 +00:00
Peter Steinberger
97787d73c2 docs(changelog): align 2026.2.22 release heading with tags 2026-02-23 18:00:39 +00:00
Vincent Koc
6a0fcf6518 Sessions: consolidate path hardening and fallback resilience (#24657) 
* Changelog: credit session path fixes

* Sessions: harden path resolution for symlink and stale metadata

* Tests: cover fallback for invalid absolute sessionFile

* Tests: add symlink alias session path coverage

* Tests: guard symlink escape in sessionFile resolution
 2026-02-23 12:36:01 -05:00
Matthew
ce1f12ff33 fix(slack): prevent Zod default groupPolicy from breaking multi-account config (#17579) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 7d2da57b50
Co-authored-by: ZetiMente <76985631+ZetiMente@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-23 12:35:41 -05:00
Vincent Koc
f03ff39754 Providers: skip context1m beta for Anthropic OAuth tokens (#24620) 
* Providers: skip context1m beta for Anthropic OAuth tokens

* Tests: cover OAuth context1m beta skip behavior

* Docs: note context1m OAuth incompatibility

* Agents: add context1m-aware context token resolver

* Agents: cover context1m context-token resolver

* Commands: apply context1m-aware context tokens in session store

* Commands: apply context1m-aware context tokens in status summary

* Status: resolve context tokens with context1m model params

* Status: test context1m status context display
 2026-02-23 12:29:09 -05:00
Vincent Koc
ae66a4b5d2 Changelog: add PR #22855 entry 2026-02-23 12:15:50 -05:00