Commit Graph

945 Commits

Author SHA1 Message Date
Peter Steinberger a99ad11a41 fix: validate state for manual Chutes OAuth 2026-02-14 23:33:56 +01:00
Peter Steinberger bc299ae17e refactor(wizard): dedupe gateway health check 2026-02-14 21:59:50 +00:00
Gustavo Madeira Santana f94c06c53f test: add explicit harness mock types 2026-02-14 16:51:25 -05:00
Peter Steinberger 4136cdac63 refactor(test): reuse telegram health probe stubs 2026-02-14 21:29:22 +00:00
Peter Steinberger 5f55a53f0e refactor(test): share doctor legacy migration setup 2026-02-14 21:20:43 +00:00
Peter Steinberger c06a962bb6 test(e2e): stabilize suite 2026-02-14 22:01:11 +01:00
Peter Steinberger ee8d8be2e3 fix(chutes): accept manual OAuth code input 2026-02-14 22:01:11 +01:00
Peter Steinberger d2857fbea9 refactor(test): reuse doctor e2e harness 2026-02-14 20:12:47 +00:00
Peter Steinberger ffcf37f8c1 fix(doctor): avoid no-op legacy dmPolicy conflict notes 2026-02-14 21:04:27 +01:00
Peter Steinberger 52ad64f8f9 test(doctor): migrate Slack/Discord dmPolicy aliases 2026-02-14 21:04:27 +01:00
Peter Steinberger bf76452b43 fix(doctor): migrate Slack/Discord dm.policy keys to aliases 2026-02-14 21:04:27 +01:00
Bin Deng b9d14855d0
Fix: Force dashboard command to use localhost URL (#16434)
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 3c03b4cc9b
Co-authored-by: BinHPdev <219093083+BinHPdev@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
2026-02-14 15:00:58 -05:00
Peter Steinberger 994bcbf670 refactor: clarify restoreTerminalState stdin resume option 2026-02-14 20:47:00 +01:00
Bin Deng 4734f99108
Fix: Add type safety to models status command (#16395)
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 1554137ae3
Co-authored-by: BinHPdev <219093083+BinHPdev@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
2026-02-14 14:07:38 -05:00
Vincent Koc a042b32d2f
fix: Docker installation keeps hanging on MacOS (#12972)
* Onboarding: avoid stdin resume after wizard finish

* Changelog: remove Docker hang entry from PR

* Terminal: make stdin resume behavior explicit at call sites

* CI: rerun format check

* Onboarding: restore terminal before cancel exit

* test(onboard): align restoreTerminalState expectation

* chore(format): align onboarding restore test with updated oxfmt config

* chore(format): enforce updated oxfmt on restore test

* chore(format): apply updated oxfmt spacing to restore test

* fix: avoid stdin resume after onboarding (#12972) (thanks @vincentkoc)

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-02-14 19:46:07 +01:00
Peter Steinberger 4133f4bd37
refactor(tui): clarify searchable select list width layout (#16378)
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: fecbade822
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
2026-02-14 19:15:38 +01:00
Peter Steinberger fc5d147d1b fix(test-harness): annotate vitest mocks to avoid TS2742 2026-02-14 18:26:46 +01:00
Peter Steinberger 571c195c54 fix: support moltbot legacy state dir 2026-02-14 17:14:21 +00:00
Peter Steinberger ae97f8f798 refactor(test): share doctor e2e harness 2026-02-14 17:13:24 +00:00
Steve 69ba9a0562
fix: add memory search health check to openclaw doctor (openclaw#16294) thanks @superlowburn
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test (noted unrelated local flakes)

Co-authored-by: superlowburn <24779772+superlowburn@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
2026-02-14 11:09:51 -06:00
Peter Steinberger 684c18458a perf(test): speed up line, models list, and memory batch 2026-02-14 16:36:15 +00:00
Peter Steinberger d583782ee3 fix(security): harden discovery routing and TLS pins 2026-02-14 17:18:14 +01:00
Peter Steinberger 9e147f00b4 fix(doctor): resolve telegram allowFrom usernames 2026-02-14 16:48:07 +01:00
Peter Steinberger 8d1a1d9e86 refactor(commands): share vllm setup 2026-02-14 15:39:46 +00:00
Peter Steinberger 64df787448 refactor(channels): share account summary helpers 2026-02-14 15:39:46 +00:00
Peter Steinberger 3150ece95a refactor(channels): pass setup input to mutator 2026-02-14 15:39:45 +00:00
Peter Steinberger 4c74a2f06e refactor(channels): reuse setup input types 2026-02-14 15:39:45 +00:00
Peter Steinberger a1fc6a6ea6 refactor(daemon): share runtime status formatter 2026-02-14 15:39:45 +00:00
Peter Steinberger 1b03eb71aa refactor(health): share channel line styling 2026-02-14 15:39:45 +00:00
Aether AI 3967ece625
fix(security): OC-25 — Validate OAuth state parameter to prevent CSRF attacks (#16058)
* fix(security): validate OAuth state parameter to prevent CSRF attacks (OC-25)

The parseOAuthCallbackInput() function in the Chutes OAuth flow had two
critical bugs that completely defeated CSRF state validation:

1. State extracted from callback URL was never compared against the
   expected cryptographic nonce, allowing attacker-controlled state values
2. When URL parsing failed (bare authorization code input), the catch block
   fabricated a matching state using expectedState, making the caller's
   CSRF check always pass

## Attack Flow

1. Victim runs `openclaw login chutes --manual`
2. System generates cryptographic state: randomBytes(16).toString("hex")
3. Browser opens: https://api.chutes.ai/idp/authorize?state=abc123...
4. Attacker obtains their OWN OAuth authorization code (out of band)
5. Attacker tricks victim into pasting just "EVIL_CODE" (not full URL)
6. parseOAuthCallbackInput("EVIL_CODE", "abc123...") is called
7. new URL("EVIL_CODE") throws → catch block executes
8. catch returns { code: "EVIL_CODE", state: "abc123..." } ← FABRICATED
9. Caller checks: parsed.state !== state → "abc123..." !== "abc123..." → FALSE
10. CSRF check passes! System calls exchangeChutesCodeForTokens()
11. Attacker's code exchanged for access + refresh tokens
12. Victim's account linked to attacker's OAuth session

Fix:
- Add explicit state validation against expectedState before returning
- Remove state fabrication from catch block; always return error for
  non-URL input
- Add comprehensive unit tests for state validation

Remediated by Aether AI Agent security analysis.

* fix(security): harden chutes manual oauth state check (#16058) (thanks @aether-ai-agent)

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-02-14 15:28:52 +01:00
Peter Steinberger 3aa94afcfd
fix(security): harden archive extraction (#16203)
* fix(browser): confine upload paths for file chooser

* fix(browser): sanitize suggested download filenames

* chore(lint): avoid control regex in download sanitizer

* test(browser): cover absolute escape paths

* docs(browser): update upload example path

* refactor(browser): centralize upload path confinement

* fix(infra): harden tmp dir selection

* fix(security): harden archive extraction

* fix(infra): harden tar extraction filter
2026-02-14 14:42:08 +01:00
Peter Steinberger 1ba266a8e8 refactor: split minimax-cn provider 2026-02-14 13:37:47 +01:00
Peter Steinberger 83248f7603 Merge remote-tracking branch 'origin/main' 2026-02-14 13:30:22 +01:00
Peter Steinberger 0cfea46293 fix: wire minimax-api-key-cn onboarding (#15191) (thanks @liuy) 2026-02-14 13:25:54 +01:00
Liu Yuan 9bb099736b feat: add minimax-api-key-cn option for China API endpoint
- Add 'minimax-api-key-cn' auth choice for Chinese users
- Reuse existing --minimax-api-key CLI option
- Use MINIMAX_CN_API_BASE_URL (https://api.minimaxi.com/anthropic)
- Similar to how moonshot supports moonshot-api-key-cn

Tested: build, check, test
2026-02-14 13:25:54 +01:00
Peter Steinberger 6dd6bce997 fix(security): enforce sandbox bridge auth 2026-02-14 13:17:41 +01:00
Peter Steinberger eb4215d570 perf(test): speed up Vitest bootstrap 2026-02-14 12:13:27 +00:00
Nicholas f8ba8f7699
fix(docs): update outdated hooks documentation URLs (#16165)
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 8ed13fb02f
Co-authored-by: nicholascyh <188132635+nicholascyh@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
2026-02-14 13:05:37 +01:00
Peter Steinberger 3b56a6252b chore!: remove moltbot legacy state/config support 2026-02-14 12:40:47 +01:00
Nick Taylor 1fb52b4d7b
feat(gateway): add trusted-proxy auth mode (#15940)
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 279d4b304f
Co-authored-by: nickytonline <833231+nickytonline@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
2026-02-14 12:32:17 +01:00
Peter Steinberger d8beddc8b7 refactor(onboard): unify auth-choice aliases and provider flags 2026-02-14 05:58:26 +01:00
Peter Steinberger eab9dc538a refactor(onboard): unify auth-choice catalog for CLI help 2026-02-14 05:51:17 +01:00
AI-Reviewer-QS 28431b84cc
fix(gateway): prune expired entries instead of clearing all hook auth failure state (#15848)
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 188a40e8a3
Co-authored-by: AI-Reviewer-QS <255312808+AI-Reviewer-QS@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
2026-02-14 01:46:12 +01:00
Peter Steinberger e7c3c27fd0 perf(test): trim browser and models suite overhead 2026-02-14 00:38:55 +00:00
Shadril Hassan Shifat 1c928e493d
fix(hooks): replace console logging with proper subsystem logging in loader (openclaw#11029) thanks @shadril238
Verified:
- pnpm build
- pnpm check
- pnpm test

Co-authored-by: shadril238 <63901551+shadril238@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
2026-02-13 18:21:11 -06:00
Peter Steinberger 05524bb5ef perf(test): remove duplicate models list e2e suite 2026-02-14 00:20:47 +00:00
Peter Steinberger ec4da3aca9 perf(test): lighten models list e2e registry mock 2026-02-14 00:17:49 +00:00
Peter Steinberger fecb3f326e perf(test): trim models/browser suite overhead 2026-02-14 00:08:02 +00:00
Peter Steinberger cf2524b8b9 refactor(models): share auth helpers and forward-compat list fallbacks 2026-02-14 01:07:35 +01:00
Vincent Koc a0cbf9002d
fix(models): antigravity opus 4.6 availability follow-up (#12845)
* fix(models): antigravity opus 4.6 availability follow-up

* chore(format): apply updated oxfmt config to models files

* fix(models): retain zai glm-5 forward-compat fallback after extraction

* chore(format): apply updated oxfmt config

* fix(models): fail fast on unknown auth login provider

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-02-14 00:54:46 +01:00