Josh Lehman
eeb140b4f0
fix(plugins): late-binding subagent runtime for non-gateway load paths (#46648)
...
Merged via squash.
Prepared head SHA: 44742652c9
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman
2026-03-16 14:27:54 -07:00
Peter Steinberger
8cc0c9baf2
fix(gateway): run before_tool_call for HTTP tools
2026-03-11 20:18:24 +00:00
Ayaan Zaidi
7b5e64ef2e
fix: preserve raw media invoke for HTTP tool clients (#34365)
2026-03-04 17:17:39 +05:30
Sahil Satralkar
8796c78b3d
Gateway: propagate message target and thread headers into tools invoke context
2026-02-24 04:12:25 +00:00
Peter Steinberger
10b8839a82
fix(security): centralize WhatsApp outbound auth and return 403 tool auth errors
2026-02-21 14:31:01 +01:00
Peter Steinberger
be7f825006
refactor(gateway): harden proxy client ip resolution
2026-02-21 13:36:23 +01:00
Peter Steinberger
36a0df423d
refactor(gateway): make ws and http auth surfaces explicit
2026-02-21 13:33:09 +01:00
Peter Steinberger
356d61aacf
fix(gateway): scope tailscale tokenless auth to websocket
2026-02-21 13:03:13 +01:00
Peter Steinberger
b8b43175c5
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
Peter Steinberger
31f9be126c
style: run oxfmt and fix gate failures
2026-02-18 01:29:02 +00:00
cpojer
d0cb8c19b2
chore: wtf.
2026-02-17 13:36:48 +09:00
Sebastian
ed11e93cf2
chore(format)
2026-02-16 23:20:16 -05:00
cpojer
90ef2d6bdf
chore: Update formatting.
2026-02-17 09:18:40 +09:00
Peter Steinberger
9143f33a80
refactor(tools): dedupe alsoAllow merge
2026-02-15 16:52:14 +00:00
Peter Steinberger
268c14f021
refactor(tools): centralize default policy steps
2026-02-14 15:39:45 +00:00
Peter Steinberger
f97ad8f288
refactor(tools): share tool policy pipeline
2026-02-14 15:39:45 +00:00
Peter Steinberger
a2b45e1c13
fix(gateway): relax http tool deny typing
2026-02-14 13:30:05 +01:00
Peter Steinberger
233483d2b9
refactor(security): centralize dangerous tool lists
2026-02-14 13:27:05 +01:00
Peter Steinberger
767fd9f222
fix: classify /tools/invoke errors and sanitize 500s (#13185) (thanks @davidrudduck)
2026-02-13 16:58:30 +01:00
David Rudduck
242f2f1480
fix: return 500 for tool execution failures instead of 400
...
Tool runtime errors are server-side faults, not client input errors.
Returning 400 causes clients to mishandle retries/backoff.
Addresses Greptile review feedback on #13185.
2026-02-13 16:58:30 +01:00
David Rudduck
f788de30c8
fix(security): sanitize error responses to prevent information leakage (#5)
...
* fix(security): sanitize error responses to prevent information leakage
Replace raw error messages in HTTP responses with generic messages.
Internal error details (stack traces, module paths, error messages)
were being returned to clients in 4 gateway endpoints.
* fix: sanitize 2 additional error response leaks in openresponses-http
Address CodeRabbit feedback: non-stream and streaming error paths in
openresponses-http.ts were still returning String(err) to clients.
* fix: add server-side error logging to sanitized catch blocks
Restore err parameter and add logWarn() calls so errors are still
captured server-side for diagnostics while keeping client responses
sanitized. Addresses CodeRabbit feedback about silently discarded errors.
2026-02-13 16:58:30 +01:00
Harald Buerbaumer
30b6eccae5
feat(gateway): add auth rate-limiting & brute-force protection (#15035)
...
* feat(gateway): add auth rate-limiting & brute-force protection
Add a per-IP sliding-window rate limiter to Gateway authentication
endpoints (HTTP, WebSocket upgrade, and WS message-level auth).
When gateway.auth.rateLimit is configured, failed auth attempts are
tracked per client IP. Once the threshold is exceeded within the
sliding window, further attempts are blocked with HTTP 429 + Retry-After
until the lockout period expires. Loopback addresses are exempt by
default so local CLI sessions are never locked out.
The limiter is only created when explicitly configured (undefined
otherwise), keeping the feature fully opt-in and backward-compatible.
* fix(gateway): isolate auth rate-limit scopes and normalize 429 responses
---------
Co-authored-by: buerbaumer <buerbaumer@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-02-13 15:32:38 +01:00
Peter Steinberger
ee31cd47b4
fix: close OC-02 gaps in ACP permission + gateway HTTP deny config (#15390) (thanks @aether-ai-agent)
2026-02-13 14:30:06 +01:00
aether-ai-agent
749e28dec7
fix(security): block dangerous tools from HTTP gateway and fix ACP auto-approval (OC-02)
...
Two critical RCE vectors patched:
Vector 1 - Gateway HTTP /tools/invoke:
- Add DEFAULT_GATEWAY_HTTP_TOOL_DENY blocking sessions_spawn,
sessions_send, gateway, whatsapp_login from HTTP invocation
- Apply deny filter after existing policy cascade, before tool lookup
- Add gateway.tools.{allow,deny} config override in GatewayConfig
Vector 2 - ACP client auto-approval:
- Replace blind allow_once selection with danger-aware permission handler
- Dangerous tools (exec, sessions_spawn, etc.) require interactive confirmation
- Safe tools retain auto-approve behavior (backward compatible)
- Empty options array now denied (was hardcoded "allow")
- 30s timeout auto-denies to prevent hung sessions
CWE-78 | CVSS:3.1 9.8 Critical
2026-02-13 14:30:06 +01:00
cpojer
935a0e5708
chore: Enable `typescript/no-explicit-any` rule.
2026-02-02 16:18:09 +09:00
cpojer
f06dd8df06
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports.
2026-02-01 10:03:47 +09:00
cpojer
5ceff756e1
chore: Enable "curly" rule to avoid single-statement if confusion/errors.
2026-01-31 16:19:20 +09:00
cpojer
15792b153f
chore: Enable more lint rules, disable some that trigger a lot. Will clean up later.
2026-01-31 16:04:04 +09:00
Peter Steinberger
9a7160786a
refactor: rename to openclaw
2026-01-30 03:16:21 +01:00
Josh Palmer
4b5514a259
Tests: default-disable plugins in VITEST
2026-01-29 17:14:14 +01:00
Peter Steinberger
6d16a658e5
refactor: rename clawdbot to moltbot with legacy compat
2026-01-27 12:21:02 +00:00
Vignesh Natarajan
3497be2963
docs: recommend tools.alsoAllow for optional plugin tools
2026-01-26 10:05:31 -08:00
Vignesh Natarajan
2ad3508a33
feat(config): add tools.alsoAllow additive allowlist
2026-01-26 10:05:31 -08:00
Peter Steinberger
e6e71457e0
fix: honor trusted proxy client IPs (PR #1654)
...
Thanks @ndbroadbent.
Co-authored-by: Nathan Broadbent <git@ndbroadbent.com>
2026-01-25 01:52:19 +00:00
Peter Steinberger
d73e8ecca3
fix: document tools invoke + honor main session key (#1575) (thanks @vignesh07)
2026-01-24 09:29:32 +00:00
Vignesh Natarajan
f1083cd52c
gateway: add /tools/invoke HTTP endpoint
2026-01-24 09:29:32 +00:00