nyrn
/
openclaw
mirror of https://github.com/openclaw/openclaw.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
24,443 Commits 901 Branches 93 Tags 6.5 GiB
Commit Graph

342 Commits

Author SHA1 Message Date
Vincent Koc 5474796735 docs(security): clarify acpx yolo mode 2026-03-31 20:54:30 +09:00
Vincent Koc b4ac69c652 docs(acp): align approval policy wording 2026-03-31 20:49:31 +09:00
Jacob Tomlinson 7bd2761b92
Exec approvals: detect command carriers in strict inline eval (#57842) 
* Exec approvals: detect command carriers in strict inline eval

* Exec approvals: cover carrier option edge cases

* Exec approvals: cover make and find carriers

* Exec approvals: catch attached eval flags

* Exec approvals: keep sed -E out of inline eval

* Exec approvals: treat sed in-place flags as optional
 2026-03-31 10:58:17 +01:00
Peter Steinberger 6b6ddcd2a6
test: speed up core runtime suites 2026-03-31 02:25:02 +01:00
joelnishanth f849b8de97 hooks: default hooks.internal.enabled to true so bundled hooks load on fresh installs 
Made-with: Cursor
 2026-03-30 22:00:54 +05:30
Jacob Tomlinson 6b38815f86
fix(gateway): tighten tools invoke HTTP guardrails (#57771) 
* fix(gateway): tighten tools invoke HTTP guardrails

Co-authored-by: Brian Mendonca <208517100+bmendonca3@users.noreply.github.com>

* fix(security): centralize gateway HTTP deny defaults

* fix(gateway): drop duplicate scope guard after rebase

---------

Co-authored-by: Brian Mendonca <208517100+bmendonca3@users.noreply.github.com>
 2026-03-30 17:16:33 +01:00
Jacob Tomlinson 1a75906a6f
Exec approvals: prevent interpreter allow-always persistence (#57772) 
* Exec approvals: block interpreter allow-always persistence

* Exec approvals: normalize interpreter allowlist formatting

* Exec approvals: normalize interpreter allowlist wrapping

* Exec approvals: tighten awk regression coverage

* Exec approvals: harden awk interpreter coverage
 2026-03-30 17:03:54 +01:00
Jacob Tomlinson 29cb1e3c7e
Gateway: tighten HTTP tool invoke authorization (#57773) 
* Gateway: harden HTTP tool invoke access

* Gateway: strengthen HTTP tools invoke regression coverage

* Gateway: keep owner-only tools off HTTP
 2026-03-30 16:59:40 +01:00
qsam 47839d3b9a
fix(mattermost): detect stale websocket after bot disable/enable cycle (#53604) 
Merged via squash.

Prepared head SHA: 818d437a54
Co-authored-by: Qinsam <19649380+Qinsam@users.noreply.github.com>
Co-authored-by: mukhtharcm <56378562+mukhtharcm@users.noreply.github.com>
Reviewed-by: @mukhtharcm
 2026-03-30 07:54:59 +05:30
Peter Steinberger 471e059b69
refactor(plugin-sdk): remove channel-specific sdk shims 2026-03-30 01:03:24 +01:00
Peter Steinberger 276ccd2583
fix(exec): default implicit target to auto 2026-03-30 06:03:08 +09:00
Peter Steinberger c48e0f8e6a
style: normalize import order and formatting 2026-03-29 16:33:22 +09:00
scoootscooob 5d81b64343
fix(exec): fail closed when sandbox is unavailable and harden deny followups (#56800) 
* fix(exec): fail closed when sandbox is unavailable and harden deny followups

* docs(changelog): note exec fail-closed fix
 2026-03-28 22:20:49 -07:00
Vignesh Natarajan c3a0304f63
chore(test): fix stale web search audit coverage 2026-03-28 17:18:57 -07:00
Robin Waslander 31112d5985
fix(security): audit web search keys for all bundled providers (#56540) 
hasWebSearchKey() was hardcoded to only check Brave and Perplexity
credentials. Replace with provider-aware check using
resolveBundledPluginWebSearchProviders() so Gemini, Grok/XAI, Kimi,
Moonshot, and OpenRouter credentials are recognized by the audit.

Add focused regression tests for each provider.

Fixes #34509
 2026-03-28 18:55:38 +01:00
Peter Steinberger 4e50548e46 fix: restore skill sourceInfo provenance handling 2026-03-28 04:05:18 +00:00
Peter Steinberger 5853b1aab8 fix: replay skill source drift 2026-03-28 03:53:59 +00:00
Peter Steinberger 8147f5075b refactor: inline canonical skill source reads 2026-03-28 03:48:17 +00:00
Peter Steinberger 2accc0391a test: dedupe security utility suites 2026-03-28 01:38:12 +00:00
Peter Steinberger 0ffd6b202f test: dedupe security audit and acl suites 2026-03-28 01:17:57 +00:00
Peter Steinberger d38ec0c9c9 test: dedupe loader heartbeat and audit cases 2026-03-28 00:53:34 +00:00
Peter Steinberger 6a039bca30 test: dedupe loader and audit suites 2026-03-28 00:46:53 +00:00
Peter Steinberger b4fe0faf1b test: dedupe config and utility suites 2026-03-28 00:46:53 +00:00
Peter Steinberger c52f89bd60 test: dedupe helper-heavy test suites 2026-03-27 22:35:27 +00:00
Peter Steinberger 7d4fab3e73 test: debrand pairing and dm policy fixtures 2026-03-27 22:18:20 +00:00
Peter Steinberger 8d054e7892 test: move shared seams into contract suites 2026-03-27 16:33:53 +00:00
Peter Steinberger 4d630b7e92 refactor: expose dm policy test seams 2026-03-27 13:46:17 +00:00
Peter Steinberger 9a775aa59c refactor: continue plugin seam cleanup 2026-03-27 13:46:16 +00:00
Ayaan Zaidi 85d5e4360d
fix(skills): use skill sourceInfo 2026-03-27 10:59:07 +05:30
Marcus Castro 38adeb888c
fix: align Skill consumers with sourceInfo → source rename 2026-03-27 01:49:58 -03:00
Ayaan Zaidi 51d851e092
fix(skills): use skill sourceInfo 2026-03-27 09:57:02 +05:30
Peter Steinberger 70184d0a5e fix: compaction API drift + Skill sourceInfo→source migration 
- compaction.ts: drop removed 'headers' param from generateSummary call
- compaction.retry.test.ts: align test call with new generateSummary signature
- compaction-safeguard.ts: replace getApiKeyAndHeaders with getApiKey (upstream removed)
- Migrate all Skill sourceInfo.source → flat source field across agents, cli, security
- Update 6 test files to match new Skill shape
 2026-03-27 04:23:39 +00:00
Peter Steinberger be6b841334
fix: align skill and compaction API usage 2026-03-27 03:27:51 +00:00
Peter Steinberger a331270f8a
fix: restore green build after upstream API drift 2026-03-27 02:49:53 +00:00
Peter Steinberger 10527ff8a3 build: refresh deps and vitest cache lanes 2026-03-27 02:26:07 +00:00
Peter Steinberger 83ca6fbfc6 refactor: finish browser compat untangle 2026-03-26 22:42:41 +00:00
Nimrod Gutman 501190d2e8
refactor(sandbox): remove tool policy facade (#54684) 
* refactor(sandbox): remove tool policy facade

* fix(sandbox): harden blocked-tool guidance

* fix(sandbox): avoid control-char guidance leaks

* fix: harden sandbox blocked-tool guidance (#54684) (thanks @ngutman)
 2026-03-25 23:03:24 +02:00
Nimrod Gutman edb5123f26
fix(sandbox): honor sandbox alsoAllow and explicit re-allows (#54492) 
* fix(sandbox): honor effective sandbox alsoAllow policy

* fix(sandbox): prefer resolved sandbox context policy

* fix: honor sandbox alsoAllow policy (#54492) (thanks @ngutman)
 2026-03-25 16:51:13 +02:00
Harold Hunt da60aff17a
Tests: isolate security audit home skill resolution (#54473) 
Merged via squash.

Prepared head SHA: 82181e15fb
Co-authored-by: huntharo <5617868+huntharo@users.noreply.github.com>
Co-authored-by: huntharo <5617868+huntharo@users.noreply.github.com>
Reviewed-by: @huntharo
 2026-03-25 09:43:19 -04:00
Peter Steinberger 4029ce738c test: speed up targeted unit suites 2026-03-24 19:36:08 +00:00
Peter Steinberger c42cb1ca66
refactor: audit synology dangerous name matching 2026-03-22 23:32:22 -07:00
Peter Steinberger ea579ef858
fix(gateway): preserve async hook ingress provenance 2026-03-22 22:21:49 -07:00
Peter Steinberger 6b9915a106
refactor!: drop legacy CLAWDBOT env compatibility 2026-03-22 22:13:39 -07:00
Peter Steinberger 405d808409 fix: restore repo-wide gate after exec safe-bin refactor 2026-03-22 17:28:04 +00:00
Peter Steinberger 0ac939059e
refactor(exec): split safe-bin semantics 2026-03-22 10:14:46 -07:00
Peter Steinberger a94ec3b79b
fix(security): harden exec approval boundaries 2026-03-22 09:35:25 -07:00
Peter Steinberger 8b7f40580d perf: split telegram audit runtime seams 2026-03-22 00:53:12 +00:00
Peter Steinberger 994b42a5a5 test: parallelize safe audit case tables 2026-03-20 21:16:01 +00:00
Peter Steinberger 62ddc9d9e0 refactor: consolidate plugin sdk surface 2026-03-20 19:24:10 +00:00
Tak Hoffman 53a34c39f6
Fix windows ACL os mock typing 2026-03-18 23:49:53 -05:00