nyrn
/
openclaw
mirror of https://github.com/openclaw/openclaw.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
26,513 Commits 968 Branches 100 Tags 6.5 GiB
Commit Graph

102 Commits

Author SHA1 Message Date
Vincent Koc 6f2e804182
fix(agents): prefer background completion wake over polling (#60877) 
* fix(agents): prefer completion wake over polling

* fix(changelog): note completion wake guidance

* fix(agents): qualify quiet exec completion wake

* fix(agents): qualify disabled exec completion wake

* fix(agents): split process polling from control actions
 2026-04-05 03:17:10 +09:00
Vincent Koc b742909dca
fix(agents): prefer cron for deferred follow-ups (#60811) 
* fix(agents): prefer cron for deferred follow-ups

* fix(agents): gate cron scheduling guidance

* fix(changelog): add scheduling guidance note

* fix(agents): restore exec approval agent hint
 2026-04-04 21:11:27 +09:00
Peter Steinberger 247a06813e fix: avoid gateway cwd for node exec (#58977) (thanks @Starhappysh) 2026-04-03 02:04:26 +09:00
jianxing zhang 302c6e30bb fix: resolve type errors where workdir (string | undefined) flows to string-only params 
After the node early-return, narrow workdir back to string via
resolvedWorkdir for gateway/sandbox paths. Update
buildExecApprovalPendingToolResult and buildApprovalPendingMessage
to accept string | undefined for cwd since node execution may omit it.
 2026-04-03 02:04:26 +09:00
jianxing zhang 3b3191ab3a fix(exec): skip gateway cwd injection for remote node host 
When exec runs with host=node and no explicit cwd is provided, the
gateway was injecting its own process.cwd() as the default working
directory. In cross-platform setups (e.g. Linux gateway + Windows node),
this gateway-local path does not exist on the node, causing
"SYSTEM_RUN_DENIED: approval requires an existing canonical cwd".

This change detects when no explicit workdir was provided (neither via
the tool call params.workdir nor via agent defaults.cwd) and passes
undefined instead of the gateway cwd. This lets the remote node use its
own default working directory.

Changes:
- bash-tools.exec.ts: Track whether workdir was explicitly provided;
  when host=node and no explicit workdir, pass undefined instead of
  gateway process.cwd()
- bash-tools.exec-host-node.ts: Accept workdir as string | undefined;
  only send cwd to system.run.prepare when defined
- bash-tools.exec-approval-request.ts: Accept workdir as
  string | undefined in HostExecApprovalParams

Fixes #58934

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-03 02:04:26 +09:00
pgondhi987 8aceaf5d0f
fix(security): close fail-open bypass in exec script preflight [AI] (#59398) 
* fix: address issue

* fix: finalize issue changes

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address review-pr skill feedback

* fix: address PR review feedback

* fix: address review-pr skill feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address review-pr skill feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address review-pr skill feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address review-pr skill feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* chore: add changelog for exec preflight fail-closed hardening

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-02 11:00:39 -06:00
spaceman1412 102462b7a6 Cron: restrict exec visibility to timeouts 2026-04-03 00:43:42 +09:00
Peter Steinberger 36d953aab6 fix(exec): make Windows exec hints accurate and dynamic 2026-04-03 00:09:28 +09:00
Peter Steinberger c678ae7e7a
feat(exec): default host exec to yolo 2026-04-02 14:52:51 +01:00
Vincent Koc 2d53ffdec1
fix(exec): resolve remote approval regressions (#58792) 
* fix(exec): restore remote approval policy defaults

* fix(exec): handle headless cron approval conflicts

* fix(exec): make allow-always durable

* fix(exec): persist exact-command shell trust

* fix(doctor): match host exec fallback

* fix(exec): preserve blocked and inline approval state

* Doctor: surface allow-always ask bypass

* Doctor: match effective exec policy

* Exec: match node durable command text

* Exec: tighten durable approval security

* Exec: restore owner approver fallback

* Config: refresh Slack approval metadata

---------

Co-authored-by: scoootscooob <zhentongfan@gmail.com>
 2026-04-01 02:07:20 -07:00
scoootscooob dd9d0bdd8e
fix(exec): harden shell-side approval guardrails (#57839) 
* fix(exec): harden approval handling

* fix(exec): tighten approval guardrails

* fix(exec): reject prefixed approval commands

* fix(exec): isolate shell approval guardrails

* fix(exec): recurse through wrapped approval commands

* fix(exec): restore allowlist wrapper import

* fix(exec): strip env wrappers before approval detection

* fix(exec): inspect nested shell wrapper options
 2026-03-30 15:49:24 -07:00
Shakker 3ad747e25f style: apply formatter cleanups 2026-03-30 16:20:27 +01:00
Peter Steinberger 421acd27e1
style: finalize exec formatter cleanup 2026-03-30 06:03:08 +09:00
Peter Steinberger 276ccd2583
fix(exec): default implicit target to auto 2026-03-30 06:03:08 +09:00
Peter Steinberger 5d4c4bb850
fix(exec): restore runtime-aware implicit host default 2026-03-29 21:18:41 +01:00
wangchunyue fc3f6fa51f
fix: preserve node exec cwd on remote hosts (#50961) (thanks @openperf) 
* fix(gateway): skip local workdir resolution for remote node execution

* chore: add inline comment for non-obvious node workdir skip

* fix: preserve node exec cwd on remote hosts (#50961) (thanks @openperf)

---------

Co-authored-by: Ayaan Zaidi <hi@obviy.us>
 2026-03-29 17:46:49 +05:30
scoootscooob 5d81b64343
fix(exec): fail closed when sandbox is unavailable and harden deny followups (#56800) 
* fix(exec): fail closed when sandbox is unavailable and harden deny followups

* docs(changelog): note exec fail-closed fix
 2026-03-28 22:20:49 -07:00
Peter Steinberger 8e568142f6 refactor: extract exec outcome and tool result helpers 2026-03-23 04:47:12 +00:00
Martin Garramon 22c75a55b0 fix(exec): return plain-text tool result on failure instead of raw JSON 
When an exec command fails (e.g. timeout), the tool previously rejected
with an Error, which the tool adapter caught and wrapped in a JSON object
({ status, tool, error }). The model then received this raw JSON as the
tool result and could parrot it verbatim to the user.

Now exec failures resolve with a proper tool result containing the error
as human-readable text in content[], matching the success path structure.
The model sees plain text it can naturally incorporate into its reply.

Also fixes a pre-existing format issue in update-cli.test.ts.

Fixes #52484

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-22 19:19:07 -07:00
Peter Steinberger a94ec3b79b
fix(security): harden exec approval boundaries 2026-03-22 09:35:25 -07:00
Josh Avant 7abfff756d
Exec: harden host env override handling across gateway and node (#51207) 
* Exec: harden host env override enforcement and fail closed

* Node host: enforce env override diagnostics before shell filtering

* Env overrides: align Windows key handling and mac node rejection
 2026-03-20 15:44:15 -05:00
Peter Steinberger 57204b4fa9
fix(gateway): surface env override keys in exec approvals 2026-03-16 23:24:32 -07:00
Peter Steinberger c6575891c7 fix(exec): inherit ask from exec-approvals.json when tools.exec.ask unset 
Landed from contributor PR #29187 by @Bartok9.

Co-authored-by: Bartok9 <259807879+Bartok9@users.noreply.github.com>
 2026-03-08 00:35:50 +00:00
Peter Steinberger da0ba1b73a fix(security): harden channel auth path checks and exec approval routing 2026-02-26 12:46:05 +01:00
Brian Mendonca 48b052322b Security: sanitize inherited host exec env 2026-02-24 23:46:39 +00:00
Peter Steinberger 4355e08262 refactor: harden safe-bin trusted dir diagnostics 2026-02-24 23:29:44 +00:00
Peter Steinberger 278331c49c fix(exec): restore sandbox as implicit host default 2026-02-23 01:48:24 +01:00
Peter Steinberger c677be9d5f fix(exec): skip default timeout for background sessions 2026-02-22 23:03:44 +01:00
Peter Steinberger 64b273a71c fix(exec): harden safe-bin trust and add explicit trusted dirs 2026-02-22 22:43:18 +01:00
Peter Steinberger 0d0f4c6992 refactor(exec): centralize safe-bin policy checks 2026-02-22 13:18:25 +01:00
Peter Steinberger 47c3f742b6 fix(exec): require explicit safe-bin profiles 2026-02-22 12:58:55 +01:00
Peter Steinberger 1b327da6e3 fix: harden exec sandbox fallback semantics (#23398) (thanks @bmendonca3) 2026-02-22 11:12:01 +01:00
Brian Mendonca c76a47cce2 Exec: fail closed when sandbox host is unavailable 2026-02-22 11:12:01 +01:00
Peter Steinberger f76f98b268 chore: fix formatting drift and stabilize cron tool mocks 2026-02-19 15:41:38 +01:00
Peter Steinberger b40821b068 fix: harden ACP secret handling and exec preflight boundaries 2026-02-19 15:34:20 +01:00
Peter Steinberger fec48a5006 refactor(exec): split host flows and harden safe-bin trust 2026-02-19 14:22:01 +01:00
Peter Steinberger b8b43175c5 style: align formatting with oxfmt 0.33 2026-02-18 01:34:35 +00:00
Peter Steinberger 31f9be126c style: run oxfmt and fix gate failures 2026-02-18 01:29:02 +00:00
cpojer d0cb8c19b2
chore: wtf. 2026-02-17 13:36:48 +09:00
Sebastian ed11e93cf2 chore(format) 2026-02-16 23:20:16 -05:00
cpojer 6b8c0bc697
chore: Format files. 2026-02-17 12:00:38 +09:00
Sebastian 6070116382 revert(exec): undo accidental merge of PR #18521 2026-02-16 21:47:18 -05:00
cpojer 90ef2d6bdf
chore: Update formatting. 2026-02-17 09:18:40 +09:00
saurav470 d2dd282034 docs(exec): document pty for TTY-only CLIs (gog) 2026-02-16 23:51:22 +01:00
Vignesh b0a01fe482
Agents/Tools: preflight exec script files for shell var injection (#18457) 
* fix(agents): don't force store=true for codex responses

* test: stabilize respawn + subagent usage assertions

* Agents/Tools: preflight exec to detect shell variable injection in scripts

* Changelog: fix merge marker formatting
 2026-02-16 10:34:29 -08:00
Charlie Greenman dec6859702
agents: reduce prompt token bloat from exec and context (#16539) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 8e1635fa3f
Co-authored-by: CharlieGreenman <8540141+CharlieGreenman@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-14 18:32:45 -05:00
Peter Steinberger e4d63818f5 fix: ignore tools.exec.pathPrepend for node hosts 2026-02-14 20:45:05 +01:00
Peter Steinberger 24d2c6292e refactor(security): refine safeBins hardening 2026-02-14 19:59:13 +01:00
Peter Steinberger 77b89719d5 fix(security): block safeBins shell expansion 2026-02-14 19:44:14 +01:00
Peter Steinberger b47fa9e715 refactor(exec): extract bash tool runtime internals 2026-02-13 19:08:37 +00:00