Peter Steinberger
842499d6c5
test(security): reject hook archives with traversal entries (#16224)
2026-02-14 14:53:33 +01:00
Peter Steinberger
3aa94afcfd
fix(security): harden archive extraction (#16203)
* fix(browser): confine upload paths for file chooser
* fix(browser): sanitize suggested download filenames
* chore(lint): avoid control regex in download sanitizer
* test(browser): cover absolute escape paths
* docs(browser): update upload example path
* refactor(browser): centralize upload path confinement
* fix(infra): harden tmp dir selection
* fix(security): harden archive extraction
* fix(infra): harden tar extraction filter
2026-02-14 14:42:08 +01:00
Peter Steinberger
9a134c8a10
perf(test): tune parallel vitest worker split
2026-02-14 13:27:18 +00:00
Peter Steinberger
ce0eddd384
test: isolate test home before runtime imports
2026-02-14 13:27:18 +00:00
Peter Steinberger
7d3e5788e8
fix: stop enforcing <final> for ollama (#16191) (thanks @Glucksberg)
2026-02-14 14:21:34 +01:00
Glucksberg
74193ff754
fix(ollama): remove Ollama from isReasoningTagProvider (#2279)
Ollama's OpenAI-compatible endpoint handles reasoning natively via the
`reasoning` field in streaming chunks. Treating Ollama as a
reasoning-tag provider incorrectly forces <think>/<final> tag
enforcement, which causes stripBlockTags() to discard all output
(since Ollama models don't emit <final> tags), resulting in
'(no output)' for every Ollama model.
This fix removes 'ollama' from the isReasoningTagProvider() check,
allowing Ollama models to work correctly through the standard
content/reasoning field separation.
2026-02-14 14:21:34 +01:00
Tanwa Arpornthip
c76288bdf1
fix(slack): download all files in multi-image messages (#15447)
* fix(slack): download all files in multi-image messages
resolveSlackMedia() previously returned after downloading the first
file, causing multi-image Slack messages to lose all but the first
attachment. This changes the function to collect all successfully
downloaded files into an array, matching the pattern already used by
Telegram, Line, Discord, and iMessage adapters.
The prepare handler now populates MediaPaths, MediaUrls, and
MediaTypes arrays so downstream media processing (vision, sandbox
staging, media notes) works correctly with multiple attachments.
Fixes #11892, #7536
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(slack): preserve MediaTypes index alignment with MediaPaths/MediaUrls
The filter(Boolean) on MediaTypes removed entries with undefined contentType,
shrinking the array and breaking index correlation with MediaPaths and MediaUrls.
Downstream code (media-note.ts, attachments.ts) requires these arrays to have
equal lengths for correct per-attachment MIME type lookup. Replace filter(Boolean)
with a nullish coalescing fallback to "application/octet-stream".
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(slack): align MediaType fallback and tests (#15447) (thanks @CommanderCrowCode)
* fix: unblock plugin-sdk account-id typing (#15447)
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-02-14 14:16:02 +01:00
Peter Steinberger
ef70a55b7a
refactor(reply): clarify explicit reply tags in off mode (#16189)
* refactor(reply): clarify explicit reply tags in off mode
* fix(plugin-sdk): alias account-id subpath for extensions
2026-02-14 14:15:37 +01:00
Peter Steinberger
6f7d31c426
fix(security): harden plugin/hook npm installs
2026-02-14 14:07:14 +01:00
Peter Steinberger
d69b32a073
docs(changelog): clarify hooks transform dir restriction
2026-02-14 14:02:16 +01:00
Peter Steinberger
d73b48b32c
fix(ts): map plugin-sdk subpaths
2026-02-14 13:01:02 +00:00
Peter Steinberger
ec399aaddf
perf(test): parallelize unit-isolated
2026-02-14 13:01:02 +00:00
Peter Steinberger
18e8bd68c5
fix(security): block hook manifest path escapes
2026-02-14 14:00:37 +01:00
Peter Steinberger
3bbd29bef9
perf(gateway): cache session list transcript fields
2026-02-14 12:52:51 +00:00
Peter Steinberger
a0361b8ba9
fix(security): restrict hook transform module loading
2026-02-14 13:46:09 +01:00
Peter Steinberger
6543ce717c
perf(test): avoid plugin-sdk barrel imports
2026-02-14 12:42:19 +00:00
Peter Steinberger
1ba266a8e8
refactor: split minimax-cn provider
2026-02-14 13:37:47 +01:00
Peter Steinberger
bf080c2338
Merge remote-tracking branch 'origin/main'
2026-02-14 13:36:18 +01:00
Tak Hoffman
274da72c38
Revert "fix: don't auto-create HEARTBEAT.md on workspace init (openclaw#12027) thanks @shadril238" (#16183)
This reverts commit 386bb0c618.
2026-02-14 06:33:14 -06:00
Peter Steinberger
83248f7603
Merge remote-tracking branch 'origin/main'
2026-02-14 13:30:22 +01:00
Peter Steinberger
af50b914a4
refactor(browser): centralize http auth
2026-02-14 13:30:11 +01:00
Peter Steinberger
a2b45e1c13
fix(gateway): relax http tool deny typing
2026-02-14 13:30:05 +01:00
Aldo
7b39543e8d
fix(reply): honour explicit [[reply_to_*]] tags when replyToMode is off (#16174)
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 778fc2559a
Co-authored-by: aldoeliacim <17973757+aldoeliacim@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
2026-02-14 13:29:42 +01:00
Peter Steinberger
0af76f5f0e
refactor(gateway): centralize node.invoke param sanitization
2026-02-14 13:27:45 +01:00
Peter Steinberger
c15946274e
fix(gateway): allowlist system.run params
2026-02-14 13:27:45 +01:00
Peter Steinberger
a7af646fdf
fix(gateway): bind approval ids to device identity
2026-02-14 13:27:45 +01:00
Peter Steinberger
318379cdba
fix(gateway): bind system.run approvals to exec approvals
2026-02-14 13:27:45 +01:00
Peter Steinberger
233483d2b9
refactor(security): centralize dangerous tool lists
2026-02-14 13:27:05 +01:00
Peter Steinberger
0cfea46293
fix: wire minimax-api-key-cn onboarding (#15191) (thanks @liuy)
2026-02-14 13:25:54 +01:00
Liu Yuan
9bb099736b
feat: add minimax-api-key-cn option for China API endpoint
- Add 'minimax-api-key-cn' auth choice for Chinese users
- Reuse existing --minimax-api-key CLI option
- Use MINIMAX_CN_API_BASE_URL (https://api.minimaxi.com/anthropic)
- Similar to how moonshot supports moonshot-api-key-cn
Tested: build ✅, check ✅, test ✅
2026-02-14 13:25:54 +01:00
Peter Steinberger
cd84885a4a
test(browser): cover bridge auth registry fallback
2026-02-14 13:23:24 +01:00
Peter Steinberger
586176730c
perf(gateway): optimize sessions/ws/routing
2026-02-14 12:21:44 +00:00
Peter Steinberger
c90b3e4d5e
perf(cli): speed up startup
2026-02-14 12:21:44 +00:00
Peter Steinberger
a7a08b6650
test(gateway): cover tools allow/deny precedence
2026-02-14 13:18:49 +01:00
Peter Steinberger
153a7644ea
fix(acp): tighten safe kind inference
2026-02-14 13:18:49 +01:00
Peter Steinberger
6dd6bce997
fix(security): enforce sandbox bridge auth
2026-02-14 13:17:41 +01:00
Peter Steinberger
eb4215d570
perf(test): speed up Vitest bootstrap
2026-02-14 12:13:27 +00:00
Mariano Belinky
626a225c08
docs: fix merge-pr comment variable expansion
2026-02-14 12:07:00 +00:00
Nicholas
f8ba8f7699
fix(docs): update outdated hooks documentation URLs (#16165)
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 8ed13fb02f
Co-authored-by: nicholascyh <188132635+nicholascyh@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
2026-02-14 13:05:37 +01:00
Mariano
01d2ad2050
docs: harden maintainer and advisory workflow (#16173)
2026-02-14 11:59:19 +00:00
Peter Steinberger
79e78cff3b
docs(changelog): thank reporter for ACP hardening
2026-02-14 12:54:47 +01:00
Peter Steinberger
4711a943e3
fix(browser): authenticate sandbox browser bridge server
2026-02-14 12:54:16 +01:00
Peter Steinberger
bb1c3dfe10
fix(acp): prompt for non-read/search permissions
2026-02-14 12:53:27 +01:00
Peter Steinberger
9e24eee52c
docs(changelog): note audit warning for gateway tools override
2026-02-14 12:48:48 +01:00
Peter Steinberger
539689a2f2
feat(security): warn when gateway.tools.allow re-enables dangerous HTTP tools
2026-02-14 12:48:02 +01:00
Peter Steinberger
fba19fe942
docs: link trusted-proxy auth from gateway docs (#16172)
2026-02-14 12:44:25 +01:00
Peter Steinberger
3b56a6252b
chore!: remove moltbot legacy state/config support
2026-02-14 12:40:47 +01:00
Peter Steinberger
e21a7aad54
docs: recommend loopback-only gateway bind
2026-02-14 12:36:32 +01:00
Nick Taylor
1fb52b4d7b
feat(gateway): add trusted-proxy auth mode (#15940)
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 279d4b304f
Co-authored-by: nickytonline <833231+nickytonline@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
2026-02-14 12:32:17 +01:00
Artale
3a330e681b
fix(feishu): remove typing indicator on NO_REPLY cleanup (openclaw#15508) thanks @arosstale
Verified:
- pnpm build
- pnpm check
- pnpm test
Co-authored-by: arosstale <117890364+arosstale@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
2026-02-14 05:24:27 -06:00