Peter Steinberger
46f49eb6eb
refactor: shrink plugin sdk public surface
2026-03-18 23:31:08 +00:00
Vincent Koc
b4f16bad32
Plugin SDK: export windows spawn and temp path
2026-03-18 09:46:24 -07:00
Vincent Koc
e4c61723cd
ACP: fail closed on conflicting tool identity hints (#46817)
* ACP: fail closed on conflicting tool identity hints
* ACP: restore rawInput fallback for safe tool resolution
* ACP tests: cover rawInput-only safe tool approval
2026-03-15 08:39:49 -07:00
Rodrigo Uroz
ff2e7a2945
fix(acp): strip provider auth env for child ACP processes (openclaw#42250)
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini
Co-authored-by: rodrigouroz <384037+rodrigouroz@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
2026-03-10 16:50:10 -05:00
Drew Wagner
ae96a81916
fix: strip skill-injected env vars from ACP harness spawn env (#36280) (#36316)
* fix: strip skill-injected env vars from ACP harness spawn env
Skill apiKey entries (e.g., openai-image-gen with primaryEnv=OPENAI_API_KEY)
are set on process.env during agent runs and only reverted after the run
completes. ACP harnesses like Codex CLI inherit these vars, causing them
to silently use API billing instead of their own auth (e.g., OAuth).
The fix tracks which env vars are actively injected by skill overrides in
a module-level Set (activeSkillEnvKeys) and strips them in
resolveAcpClientSpawnEnv() before spawning ACP child processes.
Fixes #36280
* ACP: type spawn env for stripped keys
* Skills: cover active env key lifecycle
* Changelog: note ACP skill env isolation
* ACP: preserve shell marker after env stripping
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-03-06 18:18:13 -05:00
Tak Hoffman
cd653c55d7
windows: unify non-core spawn handling across acp qmd and docker (openclaw#31750) thanks @Takhoffman
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check (fails on pre-existing unrelated src/slack/monitor/events/messages.ts typing errors)
- pnpm vitest run src/acp/client.test.ts src/memory/qmd-manager.test.ts src/agents/sandbox/docker.execDockerRaw.enoent.test.ts src/agents/sandbox/docker.windows.test.ts extensions/acpx/src/runtime-internals/process.test.ts
Co-authored-by: Takhoffman <781889+Takhoffman@users.noreply.github.com>
2026-03-02 08:05:39 -06:00
Vincent Koc
b7615e0ce3
Exec/ACP: inject OPENCLAW_SHELL into child shell env (#31271)
* exec: mark runtime shell context in exec env
* tests(exec): cover OPENCLAW_SHELL in gateway exec
* tests(exec): cover OPENCLAW_SHELL in pty mode
* acpx: mark runtime shell context for spawned process
* tests(acpx): log OPENCLAW_SHELL in runtime fixture
* tests(acpx): assert OPENCLAW_SHELL in runtime prompt
* docs(env): document OPENCLAW_SHELL runtime markers
* docs(exec): describe OPENCLAW_SHELL exec marker
* docs(acp): document OPENCLAW_SHELL acp marker
* docs(gateway): note OPENCLAW_SHELL for background exec
* tui: tag local shell runs with OPENCLAW_SHELL
* tests(tui): assert OPENCLAW_SHELL in local shell runner
* acp client: tag spawned bridge env with OPENCLAW_SHELL
* tests(acp): cover acp client OPENCLAW_SHELL env helper
* docs(env): include acp-client and tui-local shell markers
* docs(acp): document acp-client OPENCLAW_SHELL marker
* docs(tui): document tui-local OPENCLAW_SHELL marker
* exec: keep shell runtime env string-only for docker args
* changelog: note OPENCLAW_SHELL runtime markers
2026-03-01 20:31:06 -08:00
Peter Steinberger
63dcd28ae0
fix(acp): harden permission tool-name validation
2026-02-24 01:11:34 +00:00
Peter Steinberger
12cc754332
fix(acp): harden permission auto-approval policy
2026-02-24 01:03:30 +00:00
Peter Steinberger
b8b43175c5
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
Peter Steinberger
31f9be126c
style: run oxfmt and fix gate failures
2026-02-18 01:29:02 +00:00
cpojer
d0cb8c19b2
chore: wtf.
2026-02-17 13:36:48 +09:00
Sebastian
ed11e93cf2
chore(format)
2026-02-16 23:20:16 -05:00
cpojer
90ef2d6bdf
chore: Update formatting.
2026-02-17 09:18:40 +09:00
Peter Steinberger
013e8f6b3b
fix: harden exec PATH handling
2026-02-14 19:53:04 +01:00
Peter Steinberger
233483d2b9
refactor(security): centralize dangerous tool lists
2026-02-14 13:27:05 +01:00
Peter Steinberger
153a7644ea
fix(acp): tighten safe kind inference
2026-02-14 13:18:49 +01:00
Peter Steinberger
bb1c3dfe10
fix(acp): prompt for non-read/search permissions
2026-02-14 12:53:27 +01:00
Peter Steinberger
ee31cd47b4
fix: close OC-02 gaps in ACP permission + gateway HTTP deny config (#15390) (thanks @aether-ai-agent)
2026-02-13 14:30:06 +01:00
aether-ai-agent
749e28dec7
fix(security): block dangerous tools from HTTP gateway and fix ACP auto-approval (OC-02)
Two critical RCE vectors patched:
Vector 1 - Gateway HTTP /tools/invoke:
- Add DEFAULT_GATEWAY_HTTP_TOOL_DENY blocking sessions_spawn,
sessions_send, gateway, whatsapp_login from HTTP invocation
- Apply deny filter after existing policy cascade, before tool lookup
- Add gateway.tools.{allow,deny} config override in GatewayConfig
Vector 2 - ACP client auto-approval:
- Replace blind allow_once selection with danger-aware permission handler
- Dangerous tools (exec, sessions_spawn, etc.) require interactive confirmation
- Safe tools retain auto-approve behavior (backward compatible)
- Empty options array now denied (was hardcoded "allow")
- 30s timeout auto-denies to prevent hung sessions
CWE-78 | CVSS:3.1 9.8 Critical
2026-02-13 14:30:06 +01:00
cpojer
f06dd8df06
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports.
2026-02-01 10:03:47 +09:00
cpojer
5ceff756e1
chore: Enable "curly" rule to avoid single-statement if confusion/errors.
2026-01-31 16:19:20 +09:00
Peter Steinberger
9a7160786a
refactor: rename to openclaw
2026-01-30 03:16:21 +01:00
Peter Steinberger
6d16a658e5
refactor: rename clawdbot to moltbot with legacy compat
2026-01-27 12:21:02 +00:00
Peter Steinberger
b739a3897f
fix: stabilize acp streams and tests
2026-01-18 08:54:00 +00:00
Peter Steinberger
9241e21114
fix: address acp client typing
2026-01-18 08:51:57 +00:00
Peter Steinberger
9809b47d45
feat(acp): add interactive client harness
2026-01-18 08:27:37 +00:00