68d8e15a2e
fix(exec): satisfy allowlist predicate type checks
2026-04-03 02:25:48 +09:00
7c83cae425
fix(exec): keep strict inline-eval interpreter approvals reusable
2026-04-03 02:25:48 +09:00
d5865bbcc2
fix: decouple approval availability from native delivery enablement ( #59620 )
...
getActionAvailabilityState in createApproverRestrictedNativeApprovalAdapter
was gating on both hasApprovers AND isNativeDeliveryEnabled, causing
Telegram exec approvals to report "not allowed" when
channels.telegram.execApprovals.target was configured but
execApprovals.enabled was not explicitly true. The availability check
should only depend on whether approvers exist; native delivery mode is
a routing concern handled downstream.
2026-04-03 02:21:17 +09:00
2fd7f7ca52
fix(exec): hide windows console windows
2026-04-03 02:19:32 +09:00
7eb094a00d
fix(infra): align env key normalization in approval binding path ( #59182 )
...
* fix: address issue
* fix: address PR review feedback
* fix: address review feedback
* fix: address review feedback
* chore: add changelog for Windows env approval binding
---------
Co-authored-by: Devin Robison <drobison@nvidia.com>
2026-04-02 11:14:33 -06:00
774beb8e5c
refactor(plugin-sdk): add task domain runtime surfaces ( #59805 )
...
* refactor(plugin-sdk): add task domain runtime views
* chore(plugin-sdk): refresh api baseline
* fix(plugin-sdk): preserve task runtime owner isolation
2026-04-03 02:11:21 +09:00
fc76f667c2
test: isolate task flow link validation stores
2026-04-03 02:04:26 +09:00
a406045f2f
test: accept Windows exec approval denial path
2026-04-03 02:04:26 +09:00
247a06813e
fix: avoid gateway cwd for node exec ( #58977 ) (thanks @Starhappysh)
2026-04-03 02:04:26 +09:00
50b270a86b
fix: widen HostExecApprovalParams.cwd to string | undefined
...
Remote node exec may have no explicit cwd when the gateway's own
process.cwd() is omitted. Allow undefined to flow through the
approval request type.
2026-04-03 02:04:26 +09:00
302c6e30bb
fix: resolve type errors where workdir (string | undefined) flows to string-only params
...
After the node early-return, narrow workdir back to string via
resolvedWorkdir for gateway/sandbox paths. Update
buildExecApprovalPendingToolResult and buildApprovalPendingMessage
to accept string | undefined for cwd since node execution may omit it.
2026-04-03 02:04:26 +09:00
3b3191ab3a
fix(exec): skip gateway cwd injection for remote node host
...
When exec runs with host=node and no explicit cwd is provided, the
gateway was injecting its own process.cwd() as the default working
directory. In cross-platform setups (e.g. Linux gateway + Windows node),
this gateway-local path does not exist on the node, causing
"SYSTEM_RUN_DENIED: approval requires an existing canonical cwd".
This change detects when no explicit workdir was provided (neither via
the tool call params.workdir nor via agent defaults.cwd) and passes
undefined instead of the gateway cwd. This lets the remote node use its
own default working directory.
Changes:
- bash-tools.exec.ts: Track whether workdir was explicitly provided;
when host=node and no explicit workdir, pass undefined instead of
gateway process.cwd()
- bash-tools.exec-host-node.ts: Accept workdir as string | undefined;
only send cwd to system.run.prepare when defined
- bash-tools.exec-approval-request.ts: Accept workdir as
string | undefined in HostExecApprovalParams
Fixes #58934
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 02:04:26 +09:00
8aceaf5d0f
fix(security): close fail-open bypass in exec script preflight [AI] ( #59398 )
...
* fix: address issue
* fix: finalize issue changes
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address review-pr skill feedback
* fix: address PR review feedback
* fix: address review-pr skill feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address review-pr skill feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address review-pr skill feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address review-pr skill feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* chore: add changelog for exec preflight fail-closed hardening
---------
Co-authored-by: Devin Robison <drobison@nvidia.com>
2026-04-02 11:00:39 -06:00
e36c563775
refactor(exec): dedupe executable candidate resolution
2026-04-03 01:58:37 +09:00
990545181b
fix(ci): preserve strict inline-eval denial after durable awk trust
2026-04-03 01:55:01 +09:00
e6ce31eb54
fix(exec): ignore malformed drive-less windows exec paths
2026-04-03 01:53:25 +09:00
96b55821bc
fix: share ACP owner-only approval classes ( #201 ) ( #59255 )
...
Co-authored-by: OpenClaw Dummy Agent <octriage-dummy@example.invalid>
2026-04-02 10:45:41 -06:00
176c059b05
node-host: bind pnpm dlx approval scripts ( #58374 )
...
* node-host: bind pnpm dlx approval scripts
* node-host: cover pnpm dlx package alias
* node-host: cover pnpm dlx flag forms
* node-host: fail closed on unsafe pnpm dlx flags
* node-host: narrow pnpm dlx fail-closed guard
* node-host: scan pnpm dlx past global --
* node-host: allow pnpm dlx file args
* node-host: allow pnpm dlx data args
* node-host: fail closed on unknown pnpm dlx flags
* node-host: support pnpm workspace-root flag
* node-host: restrict pnpm dlx tail scan
* node-host: support pnpm parallel flag
* changelog: node-host pnpm dlx approval binding (#58374 )
2026-04-02 09:41:28 -07:00
e4818a345e
test(tasks): close flow registry before temp dir cleanup
2026-04-03 01:32:05 +09:00
17f6626ffe
feat(approvals): auto-enable native chat approvals
2026-04-02 17:30:40 +01:00
721cab2b8d
refactor(exec): split allowlist segment evaluation helpers
2026-04-03 01:22:25 +09:00
812a7636fb
refactor: simplify exec approval followup delivery
2026-04-02 17:19:42 +01:00
47dcfc49b8
fix: scope #57584 to shell allowlist changes
2026-04-03 01:11:20 +09:00
8d81e76f23
fix: evaluate shell wrapper inline commands against allowlist ( #57377 ) ( #57584 )
...
When a skill constructs a compound command via a shell wrapper
(e.g. `sh -c "cat SKILL.md && gog-wrapper calendar events"`),
the allowlist check was comparing `/bin/sh` instead of the actual
target binaries, causing the entire command to be silently rejected.
This adds recursive inline command evaluation that:
- Detects chain operators (&&, ||, ;) in the -c payload
- Parses each sub-command independently via analyzeShellCommand
- Evaluates every sub-command against the allowlist
- Preserves per-sub-command segmentSatisfiedBy for accurate tracking
- Limits recursion depth to 3 to prevent abuse
- Skips recursion on Windows (no POSIX shell semantics)
Closes #57377
Co-authored-by: WZBbiao <wangzhenbiao326@gmail.com>
2026-04-03 01:06:40 +09:00
578a0ed31a
refactor(agent): dedupe tool error summary
2026-04-02 17:05:05 +01:00
4207ca2eb8
Fix Telegram exec approval delivery and auto-resume fallback
2026-04-03 00:56:54 +09:00
77e636cf78
fix(agents): include received keys in missing-param error for write tool ( #55317 )
...
Merged via squash.
Prepared head SHA: c1cf0691c9
2026-04-02 08:54:28 -07:00
3b6825ab93
Cron: honor trigger for custom session timeouts
2026-04-03 00:43:42 +09:00
102462b7a6
Cron: restrict exec visibility to timeouts
2026-04-03 00:43:42 +09:00
d300a20440
Cron: surface exec timeouts in cron runs
2026-04-03 00:43:42 +09:00
423f7c3487
build: prep 2026.4.2-beta.1 release
2026-04-02 16:33:21 +01:00
0ad2dbd307
fix(providers): route image generation through shared transport ( #59729 )
...
* fix(providers): route image generation through shared transport
* fix(providers): use normalized minimax image base url
* fix(providers): fail closed on image private routes
* fix(providers): bound shared HTTP fetches
2026-04-03 00:32:37 +09:00
d2ce3e9acc
perf(plugins): keep gateway startup channel-only ( #59754 )
...
* perf(plugins): keep gateway startup channel-only
* fix(gateway): preserve startup sidecars in plugin scope
2026-04-03 00:28:15 +09:00
efe9464f5f
fix(tasks): tighten task-flow CLI surface ( #59757 )
...
* fix(tasks): tighten task-flow CLI surface
* fix(tasks): sanitize task-flow CLI text output
2026-04-03 00:25:10 +09:00
874a585d57
refactor(agent): share exec parser and runtime context codec
2026-04-03 00:15:43 +09:00
576337ef31
fix(tasks): use no-persist cleanup in executor tests
2026-04-03 00:15:02 +09:00
8c3295038c
test: harden task executor state-dir cleanup
2026-04-02 16:12:24 +01:00
36d953aab6
fix(exec): make Windows exec hints accurate and dynamic
2026-04-03 00:09:28 +09:00
fff6333773
fix(exec): implement Windows argPattern allowlist flow
2026-04-03 00:09:28 +09:00
cc5146b9c6
fix(tasks): reset heartbeat and system event state in executor tests
2026-04-03 00:02:32 +09:00
a5f99f4a30
test: stabilize docker test lanes
2026-04-02 15:59:23 +01:00
d46240090a
test(tasks): add task-flow operator coverage ( #59683 )
2026-04-02 23:58:33 +09:00
3872a866a1
fix(xai): make x_search auth plugin-owned ( #59691 )
...
* fix(xai): make x_search auth plugin-owned
* fix(xai): restore x_search runtime migration fallback
* fix(xai): narrow legacy x_search auth migration
* fix(secrets): drop legacy x_search target registry entry
* fix(xai): no-op knob-only x_search migration fallback
2026-04-02 23:54:07 +09:00
b6debb4382
fix(agent): close remaining internal-context leak paths ( #59649 )
...
* fix(status): strip internal runtime context from task detail surfaces
* fix(agent): narrow legacy internal-context stripping
* fix(tasks): sanitize user-facing task status surfaces
* fix(agent): close remaining internal-context leak paths
* fix(agent): harden internal context delimiter sanitization
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-04-02 23:45:06 +09:00
53c29df2a9
Channel setup: ignore untrusted workspace shadows ( #59158 )
...
Keeps untrusted workspace channel metadata from overriding setup/login resolution for built-in channels. Workspace channel entries are only eligible during setup when the plugin is already explicitly trusted in config.
- Track discovered origin on channel catalog entries and add a setup-time catalog lookup that excludes workspace discoveries when needed
- Add resolver regression coverage for untrusted shadowing and trusted workspace overrides
Thanks @mappel-nv
2026-04-02 07:40:23 -07:00
4251ad6638
fix(telegram): allow trusted explicit proxy media fetches
2026-04-02 23:36:17 +09:00
7fea8250fb
fix(approvals): use canonical decision values in interactive button payloads
2026-04-02 23:35:23 +09:00
316d10637b
refactor: canonicalize legacy x search secret target coverage
2026-04-02 15:30:05 +01:00
65c1716ad4
refactor(infra): clarify jsonl socket contract
2026-04-02 15:20:37 +01:00
ef86edacf7
fix: harden plugin auto-enable empty config handling
2026-04-02 15:19:53 +01:00
luoyanglang
joelnishanth
lawrence3699
pgondhi987
Vincent Koc
Peter Steinberger
jianxing zhang
SnowSky1
Devin Robison
Jacob Tomlinson
biao
seonang
Priyansh Gupta
spaceman1412
Leo Zhang
mappel-nv
James Cowan