247a06813e
fix: avoid gateway cwd for node exec ( #58977 ) (thanks @Starhappysh)
2026-04-03 02:04:26 +09:00
50b270a86b
fix: widen HostExecApprovalParams.cwd to string | undefined
...
Remote node exec may have no explicit cwd when the gateway's own
process.cwd() is omitted. Allow undefined to flow through the
approval request type.
2026-04-03 02:04:26 +09:00
302c6e30bb
fix: resolve type errors where workdir (string | undefined) flows to string-only params
...
After the node early-return, narrow workdir back to string via
resolvedWorkdir for gateway/sandbox paths. Update
buildExecApprovalPendingToolResult and buildApprovalPendingMessage
to accept string | undefined for cwd since node execution may omit it.
2026-04-03 02:04:26 +09:00
3b3191ab3a
fix(exec): skip gateway cwd injection for remote node host
...
When exec runs with host=node and no explicit cwd is provided, the
gateway was injecting its own process.cwd() as the default working
directory. In cross-platform setups (e.g. Linux gateway + Windows node),
this gateway-local path does not exist on the node, causing
"SYSTEM_RUN_DENIED: approval requires an existing canonical cwd".
This change detects when no explicit workdir was provided (neither via
the tool call params.workdir nor via agent defaults.cwd) and passes
undefined instead of the gateway cwd. This lets the remote node use its
own default working directory.
Changes:
- bash-tools.exec.ts: Track whether workdir was explicitly provided;
when host=node and no explicit workdir, pass undefined instead of
gateway process.cwd()
- bash-tools.exec-host-node.ts: Accept workdir as string | undefined;
only send cwd to system.run.prepare when defined
- bash-tools.exec-approval-request.ts: Accept workdir as
string | undefined in HostExecApprovalParams
Fixes #58934
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 02:04:26 +09:00
8aceaf5d0f
fix(security): close fail-open bypass in exec script preflight [AI] ( #59398 )
...
* fix: address issue
* fix: finalize issue changes
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address review-pr skill feedback
* fix: address PR review feedback
* fix: address review-pr skill feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address review-pr skill feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address review-pr skill feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address review-pr skill feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* chore: add changelog for exec preflight fail-closed hardening
---------
Co-authored-by: Devin Robison <drobison@nvidia.com>
2026-04-02 11:00:39 -06:00
96b55821bc
fix: share ACP owner-only approval classes ( #201 ) ( #59255 )
...
Co-authored-by: OpenClaw Dummy Agent <octriage-dummy@example.invalid>
2026-04-02 10:45:41 -06:00
812a7636fb
refactor: simplify exec approval followup delivery
2026-04-02 17:19:42 +01:00
47dcfc49b8
fix: scope #57584 to shell allowlist changes
2026-04-03 01:11:20 +09:00
8d81e76f23
fix: evaluate shell wrapper inline commands against allowlist ( #57377 ) ( #57584 )
...
When a skill constructs a compound command via a shell wrapper
(e.g. `sh -c "cat SKILL.md && gog-wrapper calendar events"`),
the allowlist check was comparing `/bin/sh` instead of the actual
target binaries, causing the entire command to be silently rejected.
This adds recursive inline command evaluation that:
- Detects chain operators (&&, ||, ;) in the -c payload
- Parses each sub-command independently via analyzeShellCommand
- Evaluates every sub-command against the allowlist
- Preserves per-sub-command segmentSatisfiedBy for accurate tracking
- Limits recursion depth to 3 to prevent abuse
- Skips recursion on Windows (no POSIX shell semantics)
Closes #57377
Co-authored-by: WZBbiao <wangzhenbiao326@gmail.com>
2026-04-03 01:06:40 +09:00
578a0ed31a
refactor(agent): dedupe tool error summary
2026-04-02 17:05:05 +01:00
4207ca2eb8
Fix Telegram exec approval delivery and auto-resume fallback
2026-04-03 00:56:54 +09:00
77e636cf78
fix(agents): include received keys in missing-param error for write tool ( #55317 )
...
Merged via squash.
Prepared head SHA: c1cf0691c9
2026-04-02 08:54:28 -07:00
3b6825ab93
Cron: honor trigger for custom session timeouts
2026-04-03 00:43:42 +09:00
102462b7a6
Cron: restrict exec visibility to timeouts
2026-04-03 00:43:42 +09:00
d300a20440
Cron: surface exec timeouts in cron runs
2026-04-03 00:43:42 +09:00
874a585d57
refactor(agent): share exec parser and runtime context codec
2026-04-03 00:15:43 +09:00
36d953aab6
fix(exec): make Windows exec hints accurate and dynamic
2026-04-03 00:09:28 +09:00
fff6333773
fix(exec): implement Windows argPattern allowlist flow
2026-04-03 00:09:28 +09:00
b6debb4382
fix(agent): close remaining internal-context leak paths ( #59649 )
...
* fix(status): strip internal runtime context from task detail surfaces
* fix(agent): narrow legacy internal-context stripping
* fix(tasks): sanitize user-facing task status surfaces
* fix(agent): close remaining internal-context leak paths
* fix(agent): harden internal context delimiter sanitization
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-04-02 23:45:06 +09:00
b40ef364b7
fix: pin admin-only subagent gateway scopes ( #59555 ) (thanks @openperf)
...
* fix(agents): pin subagent gateway calls to admin scope to prevent scope-upgrade pairing failures
callSubagentGateway forwards params to callGateway without explicit scopes,
so callGatewayLeastPrivilege negotiates the minimum scope per method
independently. The first connection pairs the device at a lower tier and
every subsequent higher-tier call triggers a scope-upgrade handshake that
headless gateway-client connections cannot complete interactively
(close 1008 "pairing required").
Pin callSubagentGateway to operator.admin so the device is paired at the
ceiling scope on the very first (silent, local-loopback) handshake, avoiding
any subsequent scope-upgrade negotiation entirely.
Fixes #59428
* fix: pin admin-only subagent gateway scopes (#59555 ) (thanks @openperf)
---------
Co-authored-by: Ayaan Zaidi <hi@obviy.us>
2026-04-02 19:40:03 +05:30
b0f94a227b
refactor(providers): normalize transport policy wiring ( #59682 )
...
* refactor(providers): normalize transport policy wiring
* fix(providers): address transport policy review
* fix(providers): harden transport overrides
* fix(providers): keep env proxy tls separate
* fix(changelog): note provider transport policy hardening
2026-04-02 22:54:34 +09:00
c678ae7e7a
feat(exec): default host exec to yolo
2026-04-02 14:52:51 +01:00
cfbad0a4f9
fix(providers): unify request policy resolution ( #59653 )
...
* fix(providers): unify request policy resolution
* fix(providers): preserve request config SDK contract
* fix(providers): harden request header policy
2026-04-02 21:42:11 +09:00
6eca1949d5
refactor(plugins): tighten web fetch provider boundary ( #59646 )
...
* refactor(plugins): tighten web fetch provider boundary
* fix(config): sync fetch secret parity and baseline
* fix(ci): enforce web fetch boundary guard
2026-04-02 20:53:57 +09:00
5abd5d889f
fix(providers): classify copilot native endpoints ( #59644 )
...
* fix(providers): classify copilot native endpoints
* fix(changelog): add copilot endpoint note
* fix(providers): handle copilot proxy hints
2026-04-02 20:51:46 +09:00
c405bcfa98
refactor(providers): centralize request capabilities ( #59636 )
...
* refactor(providers): centralize request capabilities
* fix(providers): harden comparable base url parsing
2026-04-02 20:26:22 +09:00
38d2faee20
!feat(plugins): add web fetch provider boundary ( #59465 )
...
* feat(plugins): add web fetch provider boundary
* feat(plugins): add web fetch provider modules
* refactor(web-fetch): remove remaining core firecrawl fetch config
* fix(web-fetch): address review follow-ups
* fix(web-fetch): harden provider runtime boundaries
* fix(web-fetch): restore firecrawl compare helper
* fix(web-fetch): restore env-based provider autodetect
* fix(web-fetch): tighten provider hardening
* fix(web-fetch): restore fetch autodetect and compat args
* chore(changelog): note firecrawl fetch config break
2026-04-02 20:25:19 +09:00
d49460b417
fix(providers): centralize Anthropic endpoint classification ( #59608 )
...
* fix(providers): centralize Anthropic endpoint classification
* fix(agents): share Anthropic thinking recovery gating
2026-04-02 19:54:43 +09:00
707f5485b9
fix(ci): tighten thinking recovery stream types
2026-04-02 19:47:52 +09:00
9aa2ef2736
fix(agents): recover Anthropic thinking after crash ( #59062 )
...
* fix(agents): recover Anthropic thinking after crash
* fix(agents): avoid duplicate Anthropic recovery chunks
* fix(agents): preserve Anthropic stream result
2026-04-02 19:30:25 +09:00
0e9a9dae84
fix(providers): centralize Google endpoint classification ( #59556 )
...
* fix(providers): centralize Google endpoint classification
* fix(providers): tighten Google endpoint fallback parsing
* fix(security): harden provider endpoint fallback parsing
2026-04-02 19:21:31 +09:00
176ff18d18
fix: strip antml thinking tags
2026-04-02 14:28:54 +05:30
331e835dab
fix(providers): centralize stream request headers ( #59542 )
...
* fix(providers): centralize stream request headers
* Update src/agents/provider-request-config.ts
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
---------
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
2026-04-02 17:21:46 +09:00
08962b6812
fix(browser): keep static helper seams cold ( #59471 )
...
* fix(browser): keep static helper seams cold
* fix(browser): narrow sandbox helper facade imports
* fix(browser): harden host inspection helpers
2026-04-02 17:12:32 +09:00
b441cd2f4f
fix: normalize kimi anthropic tool payloads ( #59440 )
...
* fix: normalize kimi anthropic tool payloads
* fix: normalize kimi anthropic tool payloads (#59440 )
2026-04-02 13:39:51 +05:30
8748b7c54c
Matrix: keep partial previews aligned with block streaming ( #59384 )
...
Merged via squash.
Prepared head SHA: 981aa35a7c
2026-04-02 03:39:27 -04:00
ed6012eb5b
fix(agents): honor cacheRetention for custom anthropic providers ( #59049 )
...
* fix(agents): honor cacheRetention for custom anthropic providers
* docs(changelog): add cache retention entry
* Update CHANGELOG.md
* test(agents): add direct cache retention assertions
2026-04-02 14:34:01 +09:00
1707493be4
refactor(providers): add internal request config seam ( #59454 )
2026-04-02 14:28:25 +09:00
f69570f820
Exec approvals: fix policy source attribution ( #59367 )
...
Merged via squash.
Prepared head SHA: 974945a9f0
2026-04-02 01:28:14 -04:00
1a037ff6cd
refactor(providers): centralize request attribution policy ( #59433 )
...
* refactor(providers): centralize request attribution policy
* style(providers): normalize request policy formatting
* style(providers): normalize request policy formatting
* style(providers): normalize request policy formatting
* docs(changelog): note provider request policy fix
* fix(providers): tighten request policy gates
2026-04-02 14:10:53 +09:00
b9c74fc884
fix(image-tool): resolve relative paths against workspaceDir ( #57222 )
...
Relative paths like "inbox/receipt.png" were resolved against
process.cwd() instead of the agent's workspaceDir, causing the
allowlist check to fail with "Local media path is not under an
allowed directory". This matches how the read tool already behaves.
Fixes #57215
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-02 00:41:09 -04:00
7771c69caf
fix(plugins): enforce activation before shipped imports ( #59136 )
...
* fix(plugins): enforce activation before shipped imports
* fix(plugins): remove more ambient bundled loads
* fix(plugins): tighten scoped loader matching
* fix(plugins): remove channel-id scoped loader matches
* refactor(plugin-sdk): relocate ambient provider helpers
* fix(plugin-sdk): preserve unicode ADC credential paths
* fix(plugins): restore safe setup fallback
2026-04-02 11:18:49 +09:00
ba735d0158
Exec approvals: unify effective policy reporting and actions ( #59283 )
...
Merged via squash.
Prepared head SHA: d579b97a93
2026-04-01 22:02:39 -04:00
32fa5c3be5
fix(agents): resolve compaction wait before channel flush ( #59308 )
...
Merged via squash.
Prepared head SHA: bf17502df8
2026-04-01 21:40:23 -04:00
c22233d96c
Revert "refactor(plugins): remove before_install hook"
2026-04-01 19:57:07 -05:00
560ea25294
Matrix: restore ordered progress delivery with explicit streaming modes ( #59266 )
...
Merged via squash.
Prepared head SHA: 523623b7e1
2026-04-01 19:35:03 -04:00
d9a7ffe003
failover: classify AbortError / stream-abort messages as timeout ( #58315 ) ( #58324 )
...
Merged via squash.
Prepared head SHA: d8412f27e6
2026-04-02 00:02:31 +03:00
71346940ad
refactor: add provider replay runtime hook surfaces ( #59143 )
...
Merged via squash.
Prepared head SHA: 56b41e87a5
2026-04-01 13:45:41 -07:00
ca76e2fedc
fix(cron-tool): add typed properties to job/patch schemas ( #55043 )
...
Merged via squash.
Prepared head SHA: 979bb0e8b7
2026-04-01 23:41:19 +03:00
5cf254a5f7
fix: honor authHeader provider config by injecting Authorization Bear… ( #54390 )
...
Merged via squash.
Prepared head SHA: 9889615571
2026-04-01 13:18:37 -07:00
Peter Steinberger
jianxing zhang
pgondhi987
Devin Robison
biao
seonang
Priyansh Gupta
spaceman1412
Leo Zhang
wangchunyue
Vincent Koc
Ayaan Zaidi
Gustavo Madeira Santana
joshavant
Logan Ye
Josh Lehman
Bruno Lorente
9ra55