github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 15:34:31 +00:00
Code Issues Packages Projects Releases Wiki Activity
11,404 Commits 702 Branches 79 Tags
cef02df9d5551fcc1b99ff461fb9be711fd02839
Commit Graph

2707 Commits

Author SHA1 Message Date
Peter Steinberger
576f7072a7 docs(changelog): credit @simecek for gateway connect auth fix 2026-02-14 22:42:35 +01:00
Gustavo Madeira Santana
48b3d7096c fix: harden device pairing token generation and verification (#16535) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: bcbb50e368
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-14 16:23:33 -05:00
Peter Steinberger
0b20ee2722 docs(changelog): note gateway /approve scope fix 2026-02-14 22:14:18 +01:00
Peter Steinberger
938b1dd1e7 docs(changelog): fix gatewayUrl SSRF entry 2026-02-14 22:08:28 +01:00
Peter Steinberger
3513ff09de docs(changelog): note Telegram webhookSecret hard requirement 2026-02-14 22:08:19 +01:00
Peter Steinberger
c5406e1d24 fix(security): prevent gatewayUrl SSRF 2026-02-14 22:01:11 +01:00
Peter Steinberger
e95ce05c1e chore(security): soften gatewayUrl override messaging 2026-02-14 21:53:30 +01:00
Peter Steinberger
2d5647a804 fix(security): restrict tool gatewayUrl overrides 2026-02-14 21:53:14 +01:00
Marcus Castro
07850e8a93 fix(media): strip MEDIA: prefix in loadWebMediaInternal (#13107) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 9d95e6af5a
Co-authored-by: mcaxtr <7562095+mcaxtr@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
 2026-02-14 21:41:26 +01:00
Peter Steinberger
1bde33c0bc docs(changelog): note browser control path traversal fix 2026-02-14 21:37:34 +01:00
Peter Steinberger
9abf86f7e0 docs(changelog): document Slack/Discord dmPolicy aliases 2026-02-14 21:04:27 +01:00
Bin Deng
b9d14855d0 Fix: Force dashboard command to use localhost URL (#16434) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 3c03b4cc9b
Co-authored-by: BinHPdev <219093083+BinHPdev@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-14 15:00:58 -05:00
Shadow
2fa78c17d1 Changelog: credit cron delivery fix 2026-02-14 13:37:33 -06:00
zerone0x
c60844931b fix(cron): prevent list/status from silently skipping recurring jobs (openclaw#16201) thanks @zerone0x 
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: zerone0x <39543393+zerone0x@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-14 13:33:29 -06:00
Gustavo Madeira Santana
64b7f3455e chore: fix changelog attribution 2026-02-14 14:26:27 -05:00
Peter Steinberger
90d1e9cd71 docs(changelog): note iMessage group allowlist auth fix 2026-02-14 20:25:35 +01:00
Michael Verrilli
e6f67d5f31 fix(agent): prevent session lock deadlock on timeout during compaction (#9855) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 64a28900f1
Co-authored-by: mverrilli <816450+mverrilli@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-14 14:24:20 -05:00
Glucksberg
f537bd1796 fix(telegram): exclude plugin commands from setMyCommands when native=false (openclaw#15164) thanks @Glucksberg 
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test

Co-authored-by: Glucksberg <80581902+Glucksberg@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-14 13:22:58 -06:00
Mariano
5544646a09 security: block apply_patch path traversal outside workspace (#16405) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 0fcd3f8c3a
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Reviewed-by: @mbelinky
 2026-02-14 19:11:12 +00:00
Bin Deng
4734f99108 Fix: Add type safety to models status command (#16395) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 1554137ae3
Co-authored-by: BinHPdev <219093083+BinHPdev@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-14 14:07:38 -05:00
Peter Steinberger
013e8f6b3b fix: harden exec PATH handling 2026-02-14 19:53:04 +01:00
Peter Steinberger
743f4b2849 fix(security): harden BlueBubbles webhook auth behind proxies 2026-02-14 19:47:51 +01:00
Vincent Koc
a042b32d2f fix: Docker installation keeps hanging on MacOS (#12972) 
* Onboarding: avoid stdin resume after wizard finish

* Changelog: remove Docker hang entry from PR

* Terminal: make stdin resume behavior explicit at call sites

* CI: rerun format check

* Onboarding: restore terminal before cancel exit

* test(onboard): align restoreTerminalState expectation

* chore(format): align onboarding restore test with updated oxfmt config

* chore(format): enforce updated oxfmt on restore test

* chore(format): apply updated oxfmt spacing to restore test

* fix: avoid stdin resume after onboarding (#12972) (thanks @vincentkoc)

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-02-14 19:46:07 +01:00
Robby
cab0abf52a fix(sessions): resolve transcript paths with explicit agent context (#16288) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 7cbe9deca9
Co-authored-by: robbyczgw-cla <239660374+robbyczgw-cla@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-14 13:44:51 -05:00
Peter Steinberger
77b89719d5 fix(security): block safeBins shell expansion 2026-02-14 19:44:14 +01:00
Shadow
a73ccf2b53 fix: deliver cron output to explicit targets (#16360) (thanks @rubyrunsstuff) 2026-02-14 12:43:11 -06:00
Marcus Castro
d14be8472e fix(whatsapp): honor account-level dmPolicy override (#10082) (thanks @mcaxtr) 
Fixes openclaw#10082 (issue #8736): inbound WhatsApp DM policy now respects account-level dmPolicy overrides.
 2026-02-14 19:41:42 +01:00
青雲
80407cbc6a fix: recompute all cron next-run times after job update (openclaw#15905) thanks @echoVic 
Verified:
- pnpm check
- pnpm vitest src/cron/service.issue-regressions.test.ts src/cron/service.issue-13992-regression.test.ts

Co-authored-by: echoVic <16428813+echoVic@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-14 12:37:22 -06:00
Peter Steinberger
0e046f61ab fix(skills): avoid skills watcher FD exhaustion 
Watch SKILL.md only (and one-level SKILL.md in skill roots) to prevent chokidar from tracking huge unrelated trees.

Co-authored-by: household-bard <shakespeare@hessianinformatics.com>
 2026-02-14 19:26:20 +01:00
Peter Steinberger
01b3226ecb fix(gateway): block node.invoke exec approvals 2026-02-14 19:22:37 +01:00
Christian Klotz
df7464ddf6 fix(bluebubbles): include sender identity in group chat envelopes (#16326) 
* fix(bluebubbles): include sender identity in group chat envelopes

Use formatInboundEnvelope (matching iMessage/Signal pattern) so group
messages show the group label in the envelope header and include the
sender name in the message body. ConversationLabel now resolves to the
group name for groups instead of being undefined.

Fixes #16210

Co-authored-by: zerone0x <hi@trine.dev>

* fix(bluebubbles): use finalizeInboundContext and set BodyForAgent to raw text

Wrap ctxPayload with finalizeInboundContext (matching iMessage/Signal/
every other channel) so field normalization, ChatType, ConversationLabel
fallback, and MediaType alignment are applied consistently.

Change BodyForAgent from the envelope-formatted body to rawBody so the
agent prompt receives clean message text instead of the [BlueBubbles ...]
envelope wrapper.

Co-authored-by: zerone0x <hi@trine.dev>

* docs: add changelog entry for BlueBubbles group sender fix (#16326)

* fix(bluebubbles): include id in fromLabel matching formatInboundFromLabel

Align fromLabel output with the shared formatInboundFromLabel pattern:
groups get 'GroupName id:peerId', DMs get 'Name id:senderId' when the
name differs from the id. Addresses PR review feedback.

Co-authored-by: zerone0x <hi@trine.dev>

---------

Co-authored-by: zerone0x <hi@trine.dev>
 2026-02-14 18:17:26 +00:00
Peter Steinberger
4133f4bd37 refactor(tui): clarify searchable select list width layout (#16378) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: fecbade822
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
 2026-02-14 19:15:38 +01:00
Peter Steinberger
f19eabee54 fix(slack): gate DM slash command authorization 2026-02-14 19:10:29 +01:00
Gustavo Madeira Santana
7d4078c704 CLI: fix lazy maintenance command registration (#16374) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 29d7cca674
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-14 13:10:10 -05:00
Shadow
5ba72bd9bf fix: add discord exec approval channel targeting (#16051) (thanks @leonnardo) 2026-02-14 12:05:53 -06:00
Peter Steinberger
cb3290fca3 fix(node-host): enforce system.run rawCommand/argv consistency 2026-02-14 18:53:23 +01:00
Mariano
71f357d949 bluebubbles: harden local media path handling against LFI (#16322) 
* bluebubbles: harden local media path handling

* bluebubbles: remove racy post-open symlink lstat

* fix: bluebubbles mediaLocalRoots docs + typing fix (#16322) (thanks @mbelinky)
 2026-02-14 17:43:44 +00:00
Peter Steinberger
bfa7d21e99 fix(security): harden tlon Urbit requests against SSRF 2026-02-14 18:42:10 +01:00
Robby
5a313c83b7 fix(tui): use available terminal width for session name display (#16109) (#16238) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 19c18977e0
Co-authored-by: robbyczgw-cla <239660374+robbyczgw-cla@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
 2026-02-14 18:39:05 +01:00
Robby
8e5689a84d feat(telegram): add sendPoll support (#16193) (#16209) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: b58492cfed
Co-authored-by: robbyczgw-cla <239660374+robbyczgw-cla@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
 2026-02-14 18:34:30 +01:00
Peter Steinberger
29b587e73c fix(voice-call): fail closed when Telnyx webhook public key missing 2026-02-14 18:17:20 +01:00
Peter Steinberger
ff11d8793b fix(voice-call): require Twilio signature in ngrok loopback mode 2026-02-14 18:14:59 +01:00
Shadow
c16bc71279 fix: add discord routing debug logging (#16202) (thanks @jayleekr) 2026-02-14 11:03:30 -06:00
Peter Steinberger
3e6d1e9cf8 docs: update changelog 2026-02-14 17:43:44 +01:00
Shadow
ff32f43459 Discord: prefer gateway guild id in verbose log 2026-02-14 10:39:36 -06:00
Christoph Spörk
81b5e2766b feat(podman): add optional Podman setup and documentation (#16273) 
* feat(podman): add optional Podman setup and documentation

- Introduced `setup-podman.sh` for one-time host setup of OpenClaw in a rootless Podman environment, including user creation, image building, and launch script installation.
- Added `run-openclaw-podman.sh` for running the OpenClaw gateway as a Podman container.
- Created `openclaw.podman.env` for environment variable configuration.
- Updated documentation to include Podman installation instructions and a new dedicated Podman guide.
- Added a systemd Quadlet unit for managing the OpenClaw service as a user service.

* fix: harden Podman setup and docs (#16273) (thanks @DarwinsBuddy)

* style: format cli credentials

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-02-14 17:39:06 +01:00
Peter Steinberger
188c4cd076 fix(security): reject ambiguous webhook target matches 2026-02-14 17:28:28 +01:00
Peter Steinberger
66d7178f2d fix(security): eliminate shell from Claude CLI keychain refresh 2026-02-14 17:24:29 +01:00
Peter Steinberger
d583782ee3 fix(security): harden discovery routing and TLS pins 2026-02-14 17:18:14 +01:00
Peter Steinberger
61d59a8028 fix(googlechat): reject ambiguous webhook routing 2026-02-14 17:11:55 +01:00