Vincent Koc
4d912e0451
fix(exec): block proxy-style env overrides (#58202)
* fix(exec): block proxy-style env overrides
* fix(exec): keep trusted host proxy env inherited
* fix(exec): block git tls override env vars
* fix(skills): block dangerous env override keys
2026-03-31 21:25:36 +09:00
Gustavo Madeira Santana
28bb8c600e
Matrix: narrow thread binding runtime seam
2026-03-31 08:12:46 -04:00
Gustavo Madeira Santana
305977571d
Matrix: narrow storage and routing imports
2026-03-31 08:12:46 -04:00
Vincent Koc
e6441760d2
test(telegram): normalize message-context timing inputs
2026-03-31 21:10:43 +09:00
Vincent Koc
415e7d941b
test(slack): remove slash metadata polling
2026-03-31 21:02:06 +09:00
Vincent Koc
730ba40763
fix(exec): unwrap arch and xcrun dispatch wrappers (#58203)
* fix(exec): unwrap arch and xcrun dispatch wrappers
* fix(infra): scope arch wrapper unwrapping to macos
* fix(exec): scope arch wrapper unwrapping to macos
* fix(infra): validate macos arch wrapper selectors
* test(infra): cover invalid arch name wrappers
2026-03-31 21:00:14 +09:00
Jacob Tomlinson
2ce44ca6a1
fix(plugins): guard marketplace archive downloads (#58267)
* Plugins: guard marketplace archive downloads
* Plugins: harden marketplace download cleanup
* Plugins: bound marketplace archive downloads
* Plugins: harden marketplace archive failures
* Plugins: reject drive-relative marketplace archives
* Plugins: stream marketplace archive downloads
2026-03-31 12:59:42 +01:00
Mariano
607076d164
ClawFlow: add runtime substrate (#58336)
Merged via squash.
Prepared head SHA: 6a6158179e
Reviewed-by: @mbelinky
2026-03-31 13:58:29 +02:00
Vincent Koc
f2d4089ca2
test(discord): remove monitor polling overhead
2026-03-31 20:56:37 +09:00
Vincent Koc
334085fbe9
test(channels): inject telegram reply pipeline for dispatch tests
2026-03-31 20:54:30 +09:00
Vincent Koc
5474796735
docs(security): clarify acpx yolo mode
2026-03-31 20:54:30 +09:00
pgondhi987
d8c68c8d42
fix: migrate Telegram pairing allowFrom to default account only (#58165)
* fix: migrate Telegram pairing allowFrom to default account only
* fix: address PR review feedback
* fix: address PR review feedback
2026-03-31 12:51:38 +01:00
Vincent Koc
62c28c0708
test(discord): isolate ACP binding routing seam
2026-03-31 20:49:31 +09:00
Vincent Koc
b4ac69c652
docs(acp): align approval policy wording
2026-03-31 20:49:31 +09:00
Vincent Koc
cd5179314d
fix(acp): use semantic approval classes
2026-03-31 20:49:31 +09:00
Gustavo Madeira Santana
d077faab1a
Matrix: narrow monitor runtime imports
2026-03-31 07:29:47 -04:00
Gustavo Madeira Santana
2bdf2fbf14
Matrix: trim storage test import churn
2026-03-31 07:29:47 -04:00
Vincent Koc
225dfe0094
fix(ci): stabilize planner executor fallback tests
2026-03-31 20:26:28 +09:00
Gustavo Madeira Santana
8c0245f57b
fix(matrix): tighten DM invite promotion state (#58099)
Merged via squash.
Prepared head SHA: 6638d4b505
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
2026-03-31 07:09:18 -04:00
Vincent Koc
1243e2c0b6
fix(telegram): keep test harness CJS-safe
2026-03-31 20:04:21 +09:00
Vincent Koc
e704323ff3
fix(media): drop auth headers on cross-origin redirects (#58224)
* fix(media): drop auth headers on cross-origin redirects
* chore(changelog): sync unreleased context
* fix(media): keep fetch-guard redirect helper working
2026-03-31 19:57:42 +09:00
Vincent Koc
3d5af14984
fix(agents): reject escaping symlinks in ssh sandbox uploads (#58220)
* fix(agents): reject escaping ssh sandbox upload symlinks
* fix(agents): allow safe ssh upload symlink aliases
* test(ssh): keep upload stdin open in fake ssh
* Update CHANGELOG.md
2026-03-31 19:56:45 +09:00
FMLS
44caf1ee3d
fix(browser): prevent cross-origin images from disappearing in CDP screenshots (#54358)
fromSurface: true + captureBeyondViewport: true triggers a Chromium compositor
bug where cross-origin image textures are lost when extending the capture
surface. Switch to fromSurface: false to use the software rendering path.
For full-page captures, temporarily expand the viewport via
Emulation.setDeviceMetricsOverride, preserving the current mobile/DPR/screen
state during capture and restoring it afterward so pre-existing device
emulation is not lost.
Made-with: Cursor
Co-authored-by: hakunaliu <hakunaliu@tencent.com>
2026-03-31 18:55:25 +08:00
Vincent Koc
57700d716f
fix(config): redact Nostr privateKey in config views (#58177)
* wip(config): preserve nostr redaction progress
* fix(config): add private key redaction fallback
* fix(config): align nostr privateKey secret input handling
* fix(config): require resolved nostr private keys
2026-03-31 19:55:03 +09:00
Vincent Koc
efe9183f9d
fix(voice-call): pin plivo callback origins (#58238)
2026-03-31 19:50:35 +09:00
Vincent Koc
cf3ae2612b
fix(ci): reduce slow channel test skew
2026-03-31 19:49:40 +09:00
Vincent Koc
da7f016db6
fix(doctor): align qmd probe cwd with runtime
2026-03-31 19:49:40 +09:00
Vincent Koc
6b3f99a11f
fix(gateway): enforce trusted-proxy HTTP origin checks (#58229)
* fix(gateway): enforce trusted-proxy HTTP origin checks
* Update CHANGELOG.md
2026-03-31 19:49:26 +09:00
Vincent Koc
9abcfdadf5
fix(voice-call): reject oversized pre-start media frames (#58241)
* fix(voice-call): reject oversized pre-start frames
* fix(voice-call): avoid normalizing oversized frames
* chore(changelog): remove stray spacing
* fix(voice-call): remove dead inbound size guard
2026-03-31 19:47:10 +09:00
Vincent Koc
9bc1f896c8
fix(pairing): scope pending request caps per account (#58239)
* fix(pairing): scope pending pairing caps per account
* fix(pairing): count legacy default-account requests
2026-03-31 19:45:45 +09:00
Vincent Koc
f45e5a6569
fix(feishu): filter fetched group thread context (#58237)
* fix(feishu): filter fetched group thread context
* fix(feishu): preserve filtered thread bootstrap
2026-03-31 19:43:54 +09:00
Vincent Koc
2194587d70
fix(tlon): cap inbound image downloads (#58223)
2026-03-31 19:40:15 +09:00
Vincent Koc
9023a0436c
fix(exec): unwrap transparent approval wrappers (#58215)
* fix(exec): unwrap transparent approval wrappers
* fix(exec): normalize sandbox-exec -D wrapper parsing
2026-03-31 19:38:34 +09:00
Vincent Koc
eb8de6715f
fix(exec): block risky host env overrides (#58209)
* fix(exec): block risky host env overrides
* fix(exec): block GOPRIVATE host env overrides
2026-03-31 19:37:43 +09:00
Vincent Koc
57c47d8c7f
fix(line): bound preverify webhook concurrency (#58199)
* fix(line): bound preverify webhook concurrency
* test(line): cover preauth release timing
* fix(line): release webhook preauth slots earlier
2026-03-31 19:34:25 +09:00
Vincent Koc
4d038bb242
fix(zalo): scope webhook replay dedupe per target (#58196)
2026-03-31 19:33:57 +09:00
Vincent Koc
57fccca2dc
fix(exec): keep awk and sed out of safeBins fast path (#58175)
* wip(exec): preserve safe-bin semantics progress
* test(exec): cover safe-bin semantic variants
* fix(exec): address safe-bin review follow-up
2026-03-31 19:29:53 +09:00
Vincent Koc
330a9f98cb
fix(config): block workspace bundled-root dotenv overrides (#58170)
* wip(config): preserve bundled hooks root progress
* test(config): cover bundled trust-root dotenv blocking
2026-03-31 19:25:12 +09:00
Vincent Koc
b9f857708c
wip(config): preserve bundled plugins root progress (#58168)
2026-03-31 19:23:11 +09:00
Jacob Tomlinson
781775ec08
Media: secure image temp dirs (#58270)
2026-03-31 11:12:47 +01:00
Ayaan Zaidi
6be0c7ef09
fix(android): drop bootstrap auth after manual endpoint changes
2026-03-31 15:32:36 +05:30
Jacob Tomlinson
7bd2761b92
Exec approvals: detect command carriers in strict inline eval (#57842)
* Exec approvals: detect command carriers in strict inline eval
* Exec approvals: cover carrier option edge cases
* Exec approvals: cover make and find carriers
* Exec approvals: catch attached eval flags
* Exec approvals: keep sed -E out of inline eval
* Exec approvals: treat sed in-place flags as optional
2026-03-31 10:58:17 +01:00
Ayaan Zaidi
cbc75f13b2
test(android): cover node-only onboarding state
2026-03-31 15:21:39 +05:30
Ayaan Zaidi
132208c01f
fix(android): require node connection before onboarding finish
2026-03-31 15:21:39 +05:30
Ayaan Zaidi
c1269eddb8
fix(android): preserve bootstrap auth for manual reconnect
2026-03-31 15:21:39 +05:30
Jacob Tomlinson
eb84d91a80
UI: build delete confirm popover without HTML strings (#58269)
* UI: build delete confirm popover safely
* UI: share delete confirm storage key
2026-03-31 10:42:07 +01:00
Jacob Tomlinson
df0e136bc7
Canvas Host: build default status with DOM nodes (#58266)
2026-03-31 10:29:28 +01:00
Vincent Koc
e95f786aa2
fix(dev): sync run-node test types
2026-03-31 18:04:22 +09:00
Jacob Tomlinson
a23c33a681
macOS: use MagicDNS for wide-area gateway discovery (#57833)
* macOS: use MagicDNS for wide-area gateway discovery
Co-authored-by: nexrin <268879349+nexrin@users.noreply.github.com>
* macOS: tighten wide-area discovery review follow-ups
---------
Co-authored-by: nexrin <268879349+nexrin@users.noreply.github.com>
2026-03-31 10:04:11 +01:00
Vincent Koc
f288ff3f9f
fix(tests): stabilize cron and blocked-flow assertions
2026-03-31 17:58:41 +09:00