openclaw

mirror of https://github.com/openclaw/openclaw.git synced 2026-05-04 16:09:02 +00:00

Author	SHA1	Message	Date
Peter Steinberger	9f5429e528	docs: trim refactor-only and duplicate changelog entries	2026-02-19 16:34:10 +01:00
Peter Steinberger	b0e55283d5	chore: bump release metadata to 2026.2.19	2026-02-19 16:17:34 +01:00
Peter Steinberger	280c6b117b	fix(daemon): harden windows schtasks script quoting	2026-02-19 16:16:51 +01:00
Peter Steinberger	2e421f32df	fix(security): restore trusted plugin runtime exec default	2026-02-19 16:01:29 +01:00
Peter Steinberger	8288702f51	docs(changelog): add Windows schtasks injection fix note	2026-02-19 15:57:42 +01:00
Peter Steinberger	c45f3c5b00	fix(gateway): harden canvas auth with session capabilities	2026-02-19 15:51:22 +01:00
Peter Steinberger	63e39d7f57	fix(security): harden ACP prompt size guardrails	2026-02-19 15:41:01 +01:00
Peter Steinberger	c9dee59266	refactor(security): centralize trusted sender checks for discord moderation	2026-02-19 15:39:56 +01:00
Peter Steinberger	81b19aaa1a	fix(security): enforce plugin and hook path containment	2026-02-19 15:37:29 +01:00
Peter Steinberger	10379e7dcd	fix: harden voice-call tts deep merge	2026-02-19 15:37:01 +01:00
Peter Steinberger	b40821b068	fix: harden ACP secret handling and exec preflight boundaries	2026-02-19 15:34:20 +01:00
Peter Steinberger	3d7ad1cfca	fix(security): centralize owner-only tool gating and scope maps	2026-02-19 15:29:23 +01:00
Peter Steinberger	26c9b37f5b	fix(security): enforce strict IPv4 SSRF literal handling	2026-02-19 15:24:47 +01:00
Peter Steinberger	77c748304b	refactor(plugins): extract safety and provenance helpers	2026-02-19 15:24:14 +01:00
Peter Steinberger	775816035e	fix(security): enforce trusted sender auth for discord moderation	2026-02-19 15:18:24 +01:00
Peter Steinberger	baa335f258	fix(security): harden SSRF IPv4 literal parsing	2026-02-19 15:14:46 +01:00
Peter Steinberger	3561442a9f	fix(plugins): harden discovery trust checks	2026-02-19 15:14:12 +01:00
Peter Steinberger	5dc50b8a3f	fix(security): harden npm plugin and hook install integrity flow	2026-02-19 15:11:25 +01:00
Peter Steinberger	2777d8ad93	refactor(security): unify gateway scope authorization flows	2026-02-19 15:06:38 +01:00
Peter Steinberger	b54ba3391b	fix: credit contributor in changelog (#20916 ) (thanks @orlyjamie)	2026-02-19 15:00:10 +01:00
Peter Steinberger	29118995ad	refactor(lobster): remove lobsterPath overrides	2026-02-19 14:58:13 +01:00
Peter Steinberger	7426848913	test(feishu): add mention regex injection regressions	2026-02-19 14:51:41 +01:00
Peter Steinberger	e01011e3e4	fix(acp): harden session lifecycle against flooding	2026-02-19 14:50:17 +01:00
Peter Steinberger	cf6edc6d57	docs(changelog): credit allsmog for Lobster security report	2026-02-19 14:43:03 +01:00
Peter Steinberger	a40c10d3e2	fix: harden agent gateway authorization scopes	2026-02-19 14:37:56 +01:00
Peter Steinberger	ff74d89e86	fix: harden gateway control-plane restart protections	2026-02-19 14:30:15 +01:00
Peter Steinberger	e3e0ffd801	feat(security): audit gateway HTTP no-auth exposure	2026-02-19 14:25:56 +01:00
Thorfinn	b45bb6801c	fix(doctor): skip embedding provider check when QMD backend is active (openclaw#17295) thanks @miloudbelarebia Verified: - pnpm build - pnpm check (fails on baseline formatting drift in files identical to origin/main) - pnpm test:macmini Co-authored-by: miloudbelarebia <52387093+miloudbelarebia@users.noreply.github.com> Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>	2026-02-19 07:21:27 -06:00
Peter Steinberger	bafdbb6f11	fix(security): eliminate safeBins file-existence oracle	2026-02-19 14:18:11 +01:00
Peter Steinberger	cfe8457a0f	fix(security): harden safeBins stdin-only enforcement	2026-02-19 14:10:45 +01:00
Peter Steinberger	6195660b1a	fix(browser): unify SSRF guard path for navigation	2026-02-19 13:44:01 +01:00
Peter Steinberger	3c419b7bd3	docs(security): document webhook hardening and changelog	2026-02-19 13:31:44 +01:00
Vincent Koc	043b2f5e7a	changelog: add unreleased fixes from recent PRs (#20897 )	2026-02-19 03:44:15 -08:00
Mariano	db73402235	Security: add explicit opt-in for deprecated plugin runtime exec (#20874 ) Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: `de69f81725` Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Reviewed-by: @mbelinky	2026-02-19 11:30:36 +00:00
Vincent Koc	267bb3c81c	changelog: backfill PR release-note entries (#20839 ) * Docs: backfill changelog entries * Docs: mark PR 20836 as merged in changelog	2026-02-19 02:43:57 -08:00
Peter Steinberger	49d0def6d1	fix(security): harden imessage remote scp/ssh handling	2026-02-19 11:08:23 +01:00
Mariano	a7c0aa94d9	refactor(security): share safe temp media path builder (#20810 ) Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: `7a088e6801` Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Reviewed-by: @mbelinky	2026-02-19 09:59:21 +00:00
Peter Steinberger	ee1d6427b5	fix(security): enforce symlink-safe skill packaging	2026-02-19 10:56:17 +01:00
Vincent Koc	981d266480	security(gateway): block webchat session mutators (#20800 ) * chore(ci): local claude settings gitignore * Gateway: block webchat session mutators * Changelog: note webchat session mutator guard * Changelog: credit report for webchat mutator guard	2026-02-19 01:54:02 -08:00
Mariano	8e6d1e6368	LINE/Security: harden inbound media temp-file naming (#20792 ) Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: `f6f3eecdb3` Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Reviewed-by: @mbelinky	2026-02-19 09:37:33 +00:00
Peter Steinberger	ba7be018da	fix(security): remove lobster windows shell fallback	2026-02-19 10:22:59 +01:00
Mariano Belinky	65a7fc6de7	Changelog: note Feishu traversal hardening	2026-02-19 10:14:31 +01:00
Peter Steinberger	d51929ecb5	fix: block ISATAP SSRF bypass via shared host/ip guard	2026-02-19 09:59:47 +01:00
Peter Steinberger	cfc5e7bd82	fix(media): harden saveMediaSource against symlink TOCTOU	2026-02-19 09:51:57 +01:00
Vignesh Natarajan	d3dab089d7	fix: preserve reasoning stream partial contract (#20635 ) (thanks @obviyus)	2026-02-19 00:05:10 -08:00
Peter Steinberger	7e54b6c96f	fix(browser): unify extension relay auth on gateway token	2026-02-19 08:40:40 +01:00
Gustavo Madeira Santana	c5698caca3	Security: default gateway auth bootstrap and explicit mode none (#20686 ) Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: `be1b73182c` Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Reviewed-by: @gumadeiras	2026-02-19 02:35:50 -05:00
vikpos	f855d0be4f	fix: skip heartbeat when HEARTBEAT.md does not exist (#20461 ) Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: `f6e5f8172a` Co-authored-by: vikpos <24960005+vikpos@users.noreply.github.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Reviewed-by: @gumadeiras	2026-02-19 01:09:33 -05:00
Marcus Castro	48e6b4fca3	fix: run BOOT.md for each configured agent at startup (#20569 ) Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: `9098a4cc64` Co-authored-by: mcaxtr <7562095+mcaxtr@users.noreply.github.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Reviewed-by: @gumadeiras	2026-02-19 00:58:56 -05:00
Ayaan Zaidi	d17a1f387b	fix(telegram): unify inbound handling for message-like updates (#20591 ) Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: `442a100071` Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com> Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com> Reviewed-by: @obviyus	2026-02-19 09:54:47 +05:30

... 29 30 31 32 33 ...

4423 Commits