negodiy/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
13,042 Commits 1 Branch 0 Tags
352b5262da32d23bbac200defe167891d57f4c21
Commit Graph

13042 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Peter Steinberger
352b5262da fix(ci): make docs spellcheck fallback deterministic 2026-02-21 15:08:28 +01:00
Peter Steinberger
3101047234 feat(models): add Gemini 3.1 support 2026-02-21 15:08:06 +01:00
Peter Steinberger
581868365d fix: finish volcengine/byteplus landing polish (#7967) (thanks @funmore123) 2026-02-21 15:05:09 +01:00
fanziqing
559736a5a0 feat(volcengine): integrate Volcengine & Byteplus Provider 2026-02-21 15:05:09 +01:00
Peter Steinberger
95c14d9b5f docs: prune low-signal changelog entries 2026-02-21 15:02:10 +01:00
Peter Steinberger
7bd5c5d5a4 docs(changelog): reorder unreleased fixes by user impact 2026-02-21 14:37:49 +01:00
Peter Steinberger
892620ddab chore: update workspace dependencies 2026-02-21 14:35:13 +01:00
大猫子
c62a6e7040 fix(models): add kimi-coding implicit provider template (openclaw#22526) thanks @lailoo 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: lailoo <20536249+lailoo@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-21 07:35:09 -06:00
Peter Steinberger
14b3743228 fix(ci): stabilize Windows path handling in sandbox tests 2026-02-21 14:32:15 +01:00
Peter Steinberger
10b8839a82 fix(security): centralize WhatsApp outbound auth and return 403 tool auth errors 2026-02-21 14:31:01 +01:00
Peter Steinberger
f64d5ddf60 fix: replace README sponsors HTML table with markdown 2026-02-21 14:29:55 +01:00
Peter Steinberger
f23da067f6 fix(security): harden heredoc allowlist parsing 2026-02-21 14:27:51 +01:00
orlyjamie
92cada2aca fix(security): block command substitution in unquoted heredoc bodies 
The shell command analyzer (splitShellPipeline) skipped all token
validation while parsing heredoc bodies. When the heredoc delimiter
was unquoted, bash performs command substitution on the body content,
allowing $(cmd) and backtick expressions to execute arbitrary commands
that bypass the exec allowlist.

Track whether heredoc delimiters are quoted or unquoted. When unquoted,
scan the body for $( , ${ , and backtick tokens and reject the command.
Quoted heredocs (<<'EOF' / <<"EOF") are safe - the shell treats their
body as literal text.

Ref: https://github.com/openclaw/openclaw/security/advisories/GHSA-65rx-fvh6-r4h2
 2026-02-21 14:27:35 +01:00
Peter Steinberger
2706cbd6d7 fix(agents): include filenames in image resize logs 2026-02-21 13:16:41 +00:00
Peter Steinberger
3cfb402bda refactor(test): reuse state-dir helper in agent runner suite 2026-02-21 13:08:05 +00:00
Peter Steinberger
25db01fe08 refactor(test): use withEnvAsync in pairing store fixture 2026-02-21 13:06:12 +00:00
Peter Steinberger
21bb46d304 fix(ci): include browser network in sandbox test fixture 2026-02-21 13:05:51 +00:00
Peter Steinberger
7a27e2648a refactor(test): dedupe plugin env overrides via env helpers 2026-02-21 13:03:41 +00:00
Peter Steinberger
f48698a50b fix(security): harden sandbox browser network defaults 2026-02-21 14:02:53 +01:00
Peter Steinberger
cf82614259 refactor(test): reuse state-dir helper in telegram tests 2026-02-21 13:02:12 +00:00
Peter Steinberger
26eb1f781d refactor(test): reuse state-dir env helper in auth profile override e2e 2026-02-21 13:00:16 +00:00
Peter Steinberger
c2874aead7 refactor(test): centralize temporary state-dir env setup 2026-02-21 12:59:24 +00:00
Peter Steinberger
50a8942c07 docs(changelog): add WhatsApp reaction allowlist security note 2026-02-21 13:57:54 +01:00
Aether AI Agent
e217f8c3f7 fix(security): OC-91 validate WhatsApp JID against allowlist in all send paths — Aether AI Agent 2026-02-21 13:57:54 +01:00
Peter Steinberger
8c1518f0f3 fix(sandbox): use one-time noVNC observer tokens 2026-02-21 13:56:58 +01:00
Peter Steinberger
b43aadc34c refactor(test): dedupe temp-home setup in voicewake suite 2026-02-21 12:56:34 +00:00
Peter Steinberger
c529bafdc3 refactor(test): reuse temp-home helper in voicewake e2e 2026-02-21 12:54:54 +00:00
Peter Steinberger
577e5cc74b refactor(test): dedupe gateway env setup and add env util coverage 2026-02-21 12:52:21 +00:00
Peter Steinberger
621d8e1312 fix(sandbox): require noVNC observer password auth 2026-02-21 13:44:24 +01:00
Peter Steinberger
6cb7e16d40 fix(oauth): harden refresh token refresh-response validation 2026-02-21 13:44:14 +01:00
Henry Loenwind
24d18d0d72 fix: Correct data path in SKILL.md (coding-agent) (#11009) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: f7e56b80c64b6d8e001e768ca718b9fb433123b8
Co-authored-by: HenryLoenwind <1485873+HenryLoenwind@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
 2026-02-21 18:09:25 +05:30
Peter Steinberger
be7f825006 refactor(gateway): harden proxy client ip resolution 2026-02-21 13:36:23 +01:00
Ayaan Zaidi
8b1fe0d1e2 fix(telegram): split streaming preview per assistant block (#22613) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 26f35f4411e65cf14587efeedc4e326a71d54ee0
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
 2026-02-21 18:05:23 +05:30
Peter Steinberger
36a0df423d refactor(gateway): make ws and http auth surfaces explicit 2026-02-21 13:33:09 +01:00
Peter Steinberger
1835dec200 fix(security): force sandbox browser hash migration and audit stale labels 2026-02-21 13:25:41 +01:00
Peter Steinberger
b2d84528f8 refactor(test): remove duplicate cron tool harnesses 2026-02-21 12:25:23 +00:00
Peter Steinberger
f4c89aa66e docs(changelog): add tts provider-override hardening note 2026-02-21 13:24:42 +01:00
Peter Steinberger
9516ace3c9 docs(changelog): note ACP resource-link prompt hardening 2026-02-21 13:23:51 +01:00
Peter Steinberger
14b0d2b816 refactor: harden control-ui auth flow and add insecure-flag audit summary 2026-02-21 13:18:23 +01:00
Peter Steinberger
4cd7d95746 style(browser): apply oxfmt cleanup for gate 2026-02-21 13:16:07 +01:00
Peter Steinberger
f265d45840 fix(tts): make model provider overrides opt-in 2026-02-21 13:16:07 +01:00
Peter Steinberger
d25a106628 docs(changelog): add tailscale auth hardening release note 2026-02-21 13:08:06 +01:00
Peter Steinberger
f202e73077 refactor(security): centralize host env policy and harden env ingestion 2026-02-21 13:04:39 +01:00
Peter Steinberger
08e020881d refactor(security): unify command gating and blocked-key guards 2026-02-21 13:04:37 +01:00
Peter Steinberger
356d61aacf fix(gateway): scope tailscale tokenless auth to websocket 2026-02-21 13:03:13 +01:00
Peter Steinberger
6aa11f3092 fix(acp): harden resource link metadata formatting 2026-02-21 13:00:02 +01:00
Peter Steinberger
073651fb57 docs: add sponsors section to README 2026-02-21 13:00:02 +01:00
Peter Steinberger
b577228d6b test(security): add overflow compaction truncation-budget regression 2026-02-21 12:59:10 +01:00
Aether AI Agent
084f621025 fix(security): OC-65 prevent compaction counter reset to enforce context exhaustion limit — Aether AI Agent 
Remove the `overflowCompactionAttempts = 0` reset inside the inner loop's
tool-result-truncation branch. The counter was being zeroed on each truncation
cycle, allowing prompt-injection attacks to bypass the MAX_OVERFLOW_COMPACTION_ATTEMPTS
guard and trigger unbounded auto-compaction, exhausting context window resources (DoS).

CWE-400 / GHSA-x2g4-7mj7-2hhj
 2026-02-21 12:59:10 +01:00
Peter Steinberger
2b76901f35 docs(changelog): credit reporter for control-ui auth hardening 2026-02-21 12:57:22 +01:00