95c14d9b5f
docs: prune low-signal changelog entries
2026-02-21 15:02:10 +01:00
892620ddab
chore: update workspace dependencies
2026-02-21 14:35:13 +01:00
14b3743228
fix(ci): stabilize Windows path handling in sandbox tests
2026-02-21 14:32:15 +01:00
283029bdea
refactor(security): unify webhook auth matching paths
2026-02-21 11:52:34 +01:00
6b2f2811dc
fix(security): require BlueBubbles webhook auth
2026-02-21 11:41:50 +01:00
9231d7d30f
chore: bump version to 2026.2.21
2026-02-21 11:02:30 +01:00
5eca08dab7
Chore: trim stale TODOs and issue-template language ( #22534 )
...
* docs: refresh issue template contact copy
* chore: remove OneDrive resumable upload TODO note
2026-02-21 03:31:17 -05:00
0bee3f337a
MSTeams: dedupe sent-message cache storage ( #22514 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 88e14dcbe1
2026-02-21 13:27:50 +05:30
f4a59eb5d8
Chore: harden A2UI bundle dependency resolution ( #22507 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: d84c5bde51
2026-02-21 13:16:31 +05:30
187f4ea41f
deadcode: remove unused extension dev dependencies ( #22495 )
...
* Chore: remove unused extension dev dependencies
* Chore: fix changelog PR reference
* Chore: restore dropped deadcode changelog entries
* Chore: retag unused-dependency changelog entries
2026-02-21 02:15:43 -05:00
569191fff1
extensions: fix MSTeams OneDrive fallback mention handling ( #22472 )
2026-02-21 01:30:33 -05:00
d94d21f9b0
test: isolate local media regression fixtures to allowed roots ( #22369 )
...
* fix(tui): strip inbound metadata blocks from user text
* chore: clean up metadata-strip format and changelog credit
* chore: format tui metadata-strip tests
* test(web): isolate local media fixture paths to allow-listed roots
2026-02-20 21:50:50 -05:00
f555835b09
Channels: add thread-aware model overrides
2026-02-20 19:26:25 -06:00
2dba150c16
Fix path-root flaky tests and restore status emoji defaults ( #22274 )
2026-02-20 15:45:33 -08:00
ee519086f6
Feature/default messenger delivery target (openclaw#16985) thanks @KirillShchetinin
...
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini
Co-authored-by: KirillShchetinin <13061871+KirillShchetinin@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
2026-02-19 22:37:19 -06:00
f66b23de75
chore(release): bump versions to 2026.2.20
2026-02-20 00:02:53 +01:00
b0e55283d5
chore: bump release metadata to 2026.2.19
2026-02-19 16:17:34 +01:00
10379e7dcd
fix: harden voice-call tts deep merge
2026-02-19 15:37:01 +01:00
3d7ad1cfca
fix(security): centralize owner-only tool gating and scope maps
2026-02-19 15:29:23 +01:00
f4b288b8f7
refactor(feishu): dedupe mention regex escaping
2026-02-19 15:04:40 +01:00
29118995ad
refactor(lobster): remove lobsterPath overrides
2026-02-19 14:58:13 +01:00
7426848913
test(feishu): add mention regex injection regressions
2026-02-19 14:51:41 +01:00
7e67ab75cc
fix(feishu): escape regex metacharacters in stripBotMention
...
stripBotMention() passed mention.name and mention.key directly into
new RegExp() without escaping, allowing regex injection and ReDoS via
crafted Feishu mention metadata. extractMessageBody() in mention.ts
already escapes correctly — this applies the same pattern.
Ref: GHSA-c6hr-w26q-c636
2026-02-19 14:51:41 +01:00
0e85380e56
style: format files and fix safe-bins e2e typing
2026-02-19 14:26:12 +01:00
ec232a9e2d
refactor(security): harden temp-path handling for inbound media
2026-02-19 14:06:37 +01:00
aa267812d3
test(security): add webhook hardening regressions
2026-02-19 13:31:28 +01:00
a23e0d5140
fix(security): harden feishu and zalo webhook ingress
2026-02-19 13:31:27 +01:00
3feb7fc3a3
fix(matrix): detect mentions in formatted_body matrix.to links ( #16941 )
...
* fix(matrix): detect mentions in formatted_body matrix.to links
Many Matrix clients (including Element) send mentions using HTML links
in formatted_body instead of or in addition to the m.mentions field:
```json
{
"formatted_body": "<a href=\"https://matrix.to/#/@bot:matrix.org \">Bot</a>: hello",
"m.mentions": null
}
```
This change adds detection for matrix.to links in formatted_body,
supporting both plain and URL-encoded user IDs.
Changes:
- Add checkFormattedBodyMention() helper function
- Check formatted_body in resolveMentions()
- Add comprehensive test coverage
Fixes #6982
* Update extensions/matrix/src/matrix/monitor/mentions.ts
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
---------
Co-authored-by: zerone0x <zerone0x@users.noreply.github.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
2026-02-19 03:40:21 -08:00
de656e3194
fix(otel): complete diagnostics-otel OpenTelemetry v2 API migration ( #12897 )
...
* fix(otel): complete diagnostics-otel OpenTelemetry v2 API migration
* chore(format): align otel files with updated oxfmt config
* chore(format): apply updated oxfmt spacing to otel diagnostics
2026-02-19 02:36:47 -08:00
1faa7a87a0
lobster: parse windows cmd shim paths with rooted tokens ( #20833 )
2026-02-19 02:34:08 -08:00
e8e343aeee
test(ci): fix launchd and diagnostics-otel test harnesses
2026-02-19 10:17:48 +00:00
45db2aa0cd
Security: disable plugin runtime command execution primitive ( #20828 )
...
Co-authored-by: mbelinky <mbelinky@users.noreply.github.com>
2026-02-19 10:17:29 +00:00
771af40913
chore(ci): fix main check blockers and stabilize tests
2026-02-19 10:15:25 +00:00
53aecf7a8e
test(bluebubbles): merge typing start stop method checks
2026-02-19 10:09:34 +00:00
cdb00fe242
fix(feishu): isolate temp download writes in mkdtemp dirs
2026-02-19 11:05:04 +01:00
88f698974a
fix(otel): sanitize OTLP endpoint URL resolution ( #13791 )
...
* fix(otel): sanitize OTLP endpoint signal URL resolution
* fix(otel): preserve signal URLs with query params
* fix(otel): accept case-insensitive signal paths
2026-02-19 02:02:57 -08:00
a7c0aa94d9
refactor(security): share safe temp media path builder ( #20810 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 7a088e6801
2026-02-19 09:59:21 +00:00
c06ad38a71
test(voice-call): merge provider credential source cases
2026-02-19 09:55:43 +00:00
32ba62dc69
test(bluebubbles): merge setGroupIcon credential checks
2026-02-19 09:51:35 +00:00
0c1d3b866c
test(bluebubbles): collapse duplicate credential and chatGuid cases
2026-02-19 09:48:47 +00:00
02123e591c
refactor(lobster): extract windows spawn resolver
2026-02-19 10:44:22 +01:00
6b14498d2f
test(lobster): use lobster.exe in windows plugin path case
2026-02-19 09:35:38 +00:00
8b34719b3a
style: apply oxfmt import ordering for ci
2026-02-19 09:26:29 +00:00
c241bf0049
test: dedupe voice-call provider config validation cases
2026-02-19 09:24:09 +00:00
ba7be018da
fix(security): remove lobster windows shell fallback
2026-02-19 10:22:59 +01:00
c821099157
Feishu: harden temp media download paths
2026-02-19 10:13:48 +01:00
d51929ecb5
fix: block ISATAP SSRF bypass via shared host/ip guard
2026-02-19 09:59:47 +01:00
983a68c23e
test(matrix): cover directory context and group exact-match resolution
2026-02-18 16:22:20 +00:00
eb4f1e765c
refactor(matrix): dedupe directory/target match helpers
2026-02-18 16:22:20 +00:00
98fac87a9e
test(matrix): add coverage for deduped action helpers
2026-02-18 16:18:01 +00:00
Peter Steinberger
Vincent Koc
Takayuki Maeda
Shadow
Tyler Yust
Kirill Shchetynin
Jamie
zerone0x
Mariano
Mariano Belinky