6b49a604b4
fix: harden macos shell continuation parsing
2026-03-13 20:54:10 +00:00
9747da8682
fix: honor gateway command env in status reads
2026-03-13 20:50:48 +00:00
e1fedd4388
fix: harden macos env wrapper resolution
2026-03-13 20:49:17 +00:00
28a49aaa34
fix: harden powershell wrapper detection
2026-03-13 20:37:38 +00:00
b7afc7bf40
fix: harden external content marker sanitization
2026-03-13 20:28:45 +00:00
593964560b
feat(browser): add chrome MCP existing-session support
2026-03-13 20:10:08 +00:00
5189ba851c
fix: stop windows startup fallback gateways
2026-03-13 19:10:57 +00:00
96c48f5566
fix(ui): restore chat-new-messages class on scroll pill button ( #44856 )
...
Merged via squash.
Prepared head SHA: 621ef634a4
2026-03-13 22:03:00 +03:00
5ba1bfdb7b
refactor: remove redundant ?? undefined in Slack probe ( #44775 )
...
Merged via squash.
Prepared head SHA: ecc73fe47c
2026-03-13 21:52:15 +03:00
fc408bba37
Fix incorrect rendering of brave costs in docs ( #44989 )
...
Merged via squash.
Prepared head SHA: 8c69de8222
2026-03-13 21:37:39 +03:00
7778627b71
fix(ollama): hide native reasoning-only output ( #45330 ) Thanks @xi7ang
...
Co-authored-by: xi7ang <266449609+xi7ang@users.noreply.github.com>
Co-authored-by: Frank Yang <vibespecs@gmail.com>
2026-03-14 01:38:06 +08:00
202765c810
fix: quiet local windows gateway auth noise
2026-03-13 16:22:13 +00:00
394fd87c2c
fix: clarify gated core tool warnings
2026-03-13 15:38:07 +00:00
55e79adf69
fix: resolve target agent workspace for cross-agent subagent spawns ( #40176 )
...
Merged via squash.
Prepared head SHA: 2378e40383
2026-03-13 12:09:51 -03:00
72b6a11a83
fix: preserve persona and language continuity in compaction summaries ( #10456 )
...
Merged via squash.
Prepared head SHA: 4518fb20e1
2026-03-13 07:40:32 -07:00
80e7da92ce
fix: stabilize macos daemon onboarding
2026-03-13 13:47:09 +00:00
0a3b9a9a09
fix(ui): keep shared auth on insecure control-ui connects ( #45088 )
...
Merged via squash.
Prepared head SHA: 99eb3fd928
2026-03-13 14:25:31 +01:00
be8d51c301
fix(node-host): harden perl approval binding
2026-03-13 13:09:36 +00:00
2f03de029c
fix(node-host): harden pnpm approval binding
2026-03-13 12:59:55 +00:00
af4731aa5f
fix(discovery): add missing domain to wideArea Zod config schema ( #35615 )
...
Merged via squash.
Prepared head SHA: d81d3321b6
2026-03-13 15:52:54 +03:00
496176d738
feat(ios): add onboarding welcome pager ( #45054 )
...
* feat(ios): add onboarding welcome pager
* feat(ios): add onboarding welcome pager (#45054 ) (thanks @ngutman)
2026-03-13 14:24:15 +02:00
61429230b2
fix(signal): add groups config to Signal channel schema ( #27199 )
...
Merged via squash.
Prepared head SHA: 4ba4a39ddf
2026-03-13 15:14:30 +03:00
4e68684bd2
fix: restore web fetch firecrawl config in runtime zod schema ( #42583 )
...
Merged via squash.
Prepared head SHA: e37f965b8e
2026-03-13 14:56:26 +03:00
45721d5dec
fix: polish Android QR scanner onboarding ( #45021 )
2026-03-13 17:13:54 +05:30
b72c87712d
fix(config): add missing params field to agents.list[] validation schema ( #41171 )
...
Merged via squash.
Prepared head SHA: 9522761cf1
2026-03-13 14:29:36 +03:00
2c39cd0953
fix(agents): rephrase session reset prompt to avoid Azure content filter ( #43403 )
...
* fix(agents): rephrase session reset prompt to avoid Azure content filter
Azure OpenAI's content filter flags the phrase 'Execute your Session
Startup sequence now' as potentially harmful, causing /new and /reset
to return 400 for all Azure-hosted deployments.
Replace 'Execute ... now' with 'Run your Session Startup sequence' in
session-reset-prompt.ts and post-compaction-context.ts. The semantics
are identical but the softer phrasing avoids the false-positive.
Closes #42769
* ci: retrigger checks (windows shard timeout)
* fix: add changelog for Azure startup prompt fix (#43403 ) (thanks @xingsy97)
---------
Co-authored-by: Ayaan Zaidi <hi@obviy.us>
2026-03-13 15:07:03 +05:30
60cb1d683c
fix(agents): respect explicit user compat overrides for non-native openai-completions ( #44432 )
...
Reviewed-by: @frankekn
2026-03-13 17:30:24 +08:00
4d3a2f674b
Docker: add OPENCLAW_TZ timezone support ( #34119 )
...
* Docker: add OPENCLAW_TZ timezone support
* fix: validate docker timezone names
* fix: support Docker timezone override (#34119 ) (thanks @Lanfei)
---------
Co-authored-by: Ayaan Zaidi <hi@obviy.us>
2026-03-13 14:51:55 +05:30
a3eed2b70f
fix(agents): avoid injecting memory file twice on case-insensitive mounts ( #26054 )
...
* fix(agents): avoid injecting memory file twice on case-insensitive mounts
On case-insensitive file systems mounted into Docker from macOS, both
MEMORY.md and memory.md pass fs.access() even when they are the same
underlying file. The previous dedup via fs.realpath() failed in this
scenario because realpath does not normalise case through the Docker
mount layer, so both paths were treated as distinct entries and the
same content was injected into the bootstrap context twice, wasting
tokens.
Fix by replacing the collect-then-dedup approach with an early-exit:
try MEMORY.md first; fall back to memory.md only when MEMORY.md is
absent. This makes the function return at most one entry regardless
of filesystem case-sensitivity.
* docs: clarify singular memory bootstrap fallback
* fix: note memory bootstrap fallback docs and changelog (#26054 ) (thanks @Lanfei)
---------
Co-authored-by: Ayaan Zaidi <hi@obviy.us>
2026-03-13 14:39:51 +05:30
7638052178
fix: note android chat settings redesign ( #44894 )
2026-03-13 14:31:39 +05:30
5ca0233db0
fix(agents): drop Anthropic thinking blocks on replay ( #44843 )
...
* agents: drop Anthropic thinking blocks on replay
* fix: extend anthropic replay sanitization openclaw#44429 thanks @jmcte
* fix: extend anthropic replay sanitization openclaw#44843 thanks @jmcte
* test: add bedrock replay sanitization coverage openclaw#44843
* test: cover anthropic provider drop-thinking hints openclaw#44843
---------
Co-authored-by: johnmteneyckjr <john.m.teneyck@gmail.com>
2026-03-13 16:57:56 +08:00
0705225274
docs: fix changelog credit for xhigh help ( #44874 )
2026-03-13 16:40:53 +08:00
4e27c9b958
CLI: align xhigh thinking help text ( #44819 )
...
Merged via squash.
Prepared head SHA: ff1f127176
2026-03-13 16:37:11 +08:00
f07033ed3f
fix: address delivery dedupe review follow-ups ( #44666 )
...
Merged via squash.
Prepared head SHA: 8e6d254cc4
2026-03-13 16:18:01 +08:00
d40a4e343c
fix: add gateway session reset routing coverage ( #44773 ) (thanks @Lanfei)
2026-03-13 12:39:44 +05:30
93e7fcaa73
docs: move post-release changelog entries to Unreleased ( #44691 )
...
4 entries were added to the 2026.3.12 section after the v2026.3.12
tag was cut. Move them to ## Unreleased where they belong.
Verified: 2026.3.12 section now matches the 74 entries present at
the v2026.3.12 release tag (28d64c48e
2026-03-12 22:42:06 -07:00
32d8ec9482
fix: harden windows gateway fallback launch
2026-03-13 04:58:35 +00:00
6d0939d84e
fix: handle Discord gateway metadata fetch failures ( #44397 )
...
Merged via squash.
Prepared head SHA: edd17c0eff
2026-03-12 21:52:17 -07:00
8023f4c701
fix(telegram): thread media transport policy into SSRF ( #44639 )
...
* fix(telegram): preserve media download transport policy
* refactor(telegram): thread media transport policy
* fix(telegram): sync fallback media policy
* fix: note telegram media transport fix (#44639 )
2026-03-13 10:11:43 +05:30
771066d122
fix(compaction): use full-session token count for post-compaction sanity check ( #28347 )
...
Merged via squash.
Prepared head SHA: cf4eab1c51
2026-03-12 21:26:30 -07:00
61d219cb39
feat: show status reaction during context compaction ( #35474 )
...
Merged via squash.
Prepared head SHA: 145a7b7c4e
2026-03-12 21:06:15 -07:00
255414032f
changelog: move ACP final-snapshot entry to active 2026.3.12 section
2026-03-12 20:31:03 -07:00
17c954c46e
fix(acp): preserve final assistant message snapshot before end_turn ( #44597 )
...
Process messageData via handleDeltaEvent for both delta and final states
before resolving the turn, so ACP clients no longer drop the last visible
assistant text when the gateway sends the final message body on the
terminal chat event.
Closes #15377
Based on #17615
Co-authored-by: PJ Eby <3527052+pjeby@users.noreply.github.com>
2026-03-12 20:23:57 -07:00
42efd98ff8
Slack: support Block Kit payloads in agent replies ( #44592 )
...
* Slack: route reply blocks through outbound adapter
* Slack: cover Block Kit outbound payloads
* Changelog: add Slack Block Kit agent reply entry
2026-03-12 23:18:59 -04:00
433e65711f
fix: fall back to a startup entry for windows gateway install
2026-03-13 03:18:17 +00:00
ff2368af57
fix: stop false cron payload-kind warnings in doctor ( #44012 ) (thanks @shuicici)
2026-03-13 08:38:52 +05:30
b858d6c3a9
fix: clarify windows onboarding gateway health
2026-03-13 02:40:40 +00:00
23c7fc745f
refactor(agents): replace console.warn with SubsystemLogger in compaction-safeguard.ts ( #9974 )
...
Merged via squash.
Prepared head SHA: 35dcc5ba35
2026-03-12 19:34:55 -07:00
4fb3b88e57
docs: reorder latest release changelog
2026-03-13 02:11:50 +00:00
d6d01f853f
fix: align Ollama onboarding docs before landing ( #43473 ) (thanks @BruceMacD)
...
(cherry picked from commit 19fa274343a102ca85c7679ec28c5a3503a99f55)
2026-03-13 02:03:54 +00:00
0068f55dd8
fix(memory): fail closed for Windows qmd wrappers
2026-03-13 01:56:20 +00:00
ddeb423944
fix: quiet Telegram command overflow retry logs
2026-03-13 01:45:56 +00:00
de3e6a8c5b
fix(routing): require ids for slack and msteams allowlists
2026-03-13 01:44:42 +00:00
c25e46a433
chore: prepare 2026.3.12 release
2026-03-13 01:38:20 +00:00
e951a42bcb
fix(mac): adopt canonical session key and add reset triggers ( #10898 )
...
Add shared native chat handling for /new, /reset, and /clear.
This also aligns main session key handling in the shared chat UI and includes follow-up test and CI fixes needed to keep the branch mergeable.
Co-authored-by: Nachx639 <71144023+Nachx639@users.noreply.github.com>
Co-authored-by: Luke <92253590+ImLukeF@users.noreply.github.com>
2026-03-13 12:35:39 +11:00
b14a5c6713
fix(zalouser): require ids for group allowlist auth
2026-03-13 01:31:17 +00:00
d5b3f2ed71
fix(models): keep codex spark codex-only
2026-03-13 00:53:21 +00:00
d4f535b203
fix(hooks): fail closed on unreadable loader paths ( #44437 )
...
* Hooks: fail closed on unreadable loader paths
* Changelog: note hooks loader hardening
* Tests: cover sanitized hook loader logs
* Hooks: use realpath containment for legacy loaders
* Hooks: sanitize unreadable workspace log path
2026-03-12 20:47:30 -04:00
2649c03cdb
fix(hooks): dedupe repeated agent deliveries by idempotency key ( #44438 )
...
* Hooks: add hook idempotency key resolution
* Hooks: dedupe repeated agent deliveries by idempotency key
* Tests: cover hook idempotency dedupe
* Changelog: note hook idempotency dedupe
* Hooks: cap hook idempotency key length
* Gateway: hash hook replay cache keys
* Tests: cover hook replay key hardening
2026-03-12 20:43:38 -04:00
91b701e183
fix: harden windows native updates
2026-03-12 23:42:14 +00:00
35aafd7ca8
feat: add Anthropic fast mode support
2026-03-12 23:39:03 +00:00
d5bffcdeab
feat: add fast mode toggle for OpenAI models
2026-03-12 23:31:31 +00:00
ddcaec89e9
fix(node-host): fail closed on ruby approval preload flags
2026-03-12 23:23:54 +00:00
2c8f31135b
test: cover provider plugin boundaries
2026-03-12 22:43:55 +00:00
9692dc7668
fix(security): harden nodes owner-only tool gating
2026-03-12 22:27:52 +00:00
bf89947a8e
fix: switch pairing setup codes to bootstrap tokens
2026-03-12 22:23:07 +00:00
9cd54ea882
fix: skip cache-ttl append after compaction to prevent double compaction ( #28548 )
...
Merged via squash.
Prepared head SHA: a4114a52bc
2026-03-12 15:17:18 -07:00
7332e6d609
fix(failover): classify HTTP 422 as format and OpenRouter credits as billing ( #43823 )
...
Merged via squash.
Prepared head SHA: 4f48e977fe
2026-03-13 00:50:28 +03:00
904db27019
fix(security): audit unrestricted hook agent routing
2026-03-12 21:36:19 +00:00
143e593ab8
Compaction Runner: wire post-compaction memory sync ( #25561 )
...
Merged via squash.
Prepared head SHA: 6d2bc02cc1
2026-03-12 14:24:29 -07:00
fd568c4f74
fix(failover): classify ZenMux quota-refresh 402 as rate_limit ( #43917 )
...
Merged via squash.
Prepared head SHA: 1d58a36a77
2026-03-13 00:06:43 +03:00
d93db0fc13
fix(failover): classify z.ai network_error stop reason as retryable timeout ( #43884 )
...
Merged via squash.
Prepared head SHA: 9660f6cd5b
2026-03-13 00:00:44 +03:00
50cc375c11
feat(context-engine): plumb sessionKey into all ContextEngine methods ( #44157 )
...
Merged via squash.
Prepared head SHA: 0b341f6f4c
2026-03-12 12:43:36 -07:00
e525957b4f
fix(sandbox): restore spawned workspace handoff ( #44307 )
2026-03-12 16:12:08 -03:00
08aa57a3de
Commands: require owner for /config and /debug ( #44305 )
...
* Commands: add non-owner gate helper
* Commands: enforce owner-only config and debug
* Commands/test: cover owner-only config and debug
* Changelog: add owner-only config debug entry
* Commands/test: split config owner gating section
* Commands: redact sender ids in verbose command logs
* Commands: preserve internal read-only config access
* Commands/test: keep operator.write config show coverage non-owner
2026-03-12 14:58:14 -04:00
5e389d5e7c
Gateway/ws: clear unbound scopes for shared-token auth ( #44306 )
...
* Gateway/ws: clear unbound shared-auth scopes
* Gateway/auth: cover shared-token scope stripping
* Changelog: add shared-token scope stripping entry
* Gateway/ws: preserve allowed control-ui scopes
* Gateway/auth: assert control-ui admin scopes survive allowed device-less auth
* Gateway/auth: cover shared-password scope stripping
2026-03-12 14:52:24 -04:00
1492ad20a9
Ollama/Kimi: apply Moonshot payload compatibility ( #44274 )
...
* Runner: extend Moonshot payload compat to Ollama Kimi
* Changelog: note Ollama Kimi tool routing
* Tests: cover Ollama Kimi payload compat
* Runner: narrow Ollama Kimi payload compat
2026-03-12 14:17:01 -04:00
2d42588a18
chore(changelog): update CHANGELOG.md to include new features in dashboard-v2, highlighting the refreshed gateway dashboard with modular views and enhanced chat tools ( #41503 )
2026-03-12 12:56:24 -05:00
9cb0fa58c2
fix: restore protocol outputs and stabilize Windows path CI ( #44266 )
...
* fix(ci): restore protocol outputs and stabilize Windows path test
Regenerate the Swift protocol models so protocol:check stops failing on main.
Align the session target test helper with the sync production realpath behavior so Windows does not compare runneradmin and RUNNER~1 spellings for the same file.
Regeneration-Prompt: |
Investigate the failing checks from merged PR #34485 and confirm whether they still affect current main before changing code. Keep the fix tight: do not alter runtime behavior beyond what is required to clear the reproduced CI regressions. Commit the generated Swift protocol outputs for the PushTestResult transport field because protocol:check was failing from stale generated files on main. Also fix the Windows-only session target test by making its helper use the same synchronous realpath behavior as production discovery, so path spelling differences like runneradmin versus RUNNER~1 do not cause a false assertion failure.
* fix(ci): align session target realpath behavior on Windows
Use native realpath for sync session target discovery so it matches the async path on Windows, and update the session target test helper to assert against the same canonical path form.
Regeneration-Prompt: |
After opening the follow-up PR for the CI regressions from merged PR #34485 , inspect the new failing Windows shard instead of assuming the first fix covered every case. Keep scope limited to the session target path mismatch exposed by CI. Fix the inconsistency at the source by making sync session target discovery use the same native realpath canonicalization as the async discovery path on Windows, then update the test helper to match that shared behavior and verify the touched file with targeted tests and file-scoped lint/format checks.
* test: make merge config fixtures satisfy provider type
After rebasing the PR onto current origin/main, the merge helper test fixtures no longer satisfied ProviderConfig because the anthropic provider examples were missing required provider and model fields. Add a shared fully-typed model fixture and explicit anthropic baseUrl values so the test keeps full type coverage under tsgo.
Regeneration-Prompt: |
Rebase the PR branch for #44266 onto the current origin/main because the failing CI error only reproduced on the merge ref. Re-run the type-check path and inspect src/agents/models-config.merge.test.ts at the exact compiler lines instead of weakening types globally. Keep the fix test-only: make the anthropic ProviderConfig fixtures structurally valid by supplying the required baseUrl and full model definition fields, and keep the shared fixture typed so tsgo accepts it without unknown casts.
* fix: align Windows session store test expectations
2026-03-12 10:55:29 -07:00
86135d5889
Kimi Coding: set default subscription user agent ( #44248 )
...
* Providers: set default Kimi coding user agent
* Tests: cover Kimi coding header overrides
* Changelog: note Kimi coding user agent
* Tests: satisfy Kimi provider fixture type
* Update CHANGELOG.md
* Providers: preserve Kimi headers through models merge
2026-03-12 13:30:07 -04:00
33ba3ce951
fix(node-host): harden ambiguous approval operand binding ( #44247 )
...
* fix(node-host): harden approval operand binding
* test(node-host): cover approval parser hardening
* docs(changelog): note approval hardening GHSA cluster
* Update CHANGELOG.md
* fix(node-host): remove dead approval parser entries
* test(node-host): cover bunx approval wrapper
* fix(node-host): unwrap pnpm shim exec forms
* test(node-host): cover pnpm shim wrappers
2026-03-12 13:28:35 -04:00
136adb4c02
docs: reorder unreleased changelog
2026-03-12 17:11:31 +00:00
b3e6f92fd2
runner: infer names from malformed toolCallId variants ( #34485 )
...
Merged via squash.
Prepared head SHA: 150ea1a7c9
2026-03-12 09:58:23 -07:00
0b34671de3
fix: canonicalize openrouter native model keys
2026-03-12 16:51:00 +00:00
115f24819e
fix: make node-llama-cpp optional for npm installs
2026-03-12 16:45:59 +00:00
46f0bfc55b
Gateway: harden custom session-store discovery ( #44176 )
...
Merged via squash.
Prepared head SHA: 52ebbf5188
2026-03-12 16:44:46 +00:00
f96ba87f03
Zalo: rate limit invalid webhook secret guesses before auth ( #44173 )
...
* Zalo: rate limit webhook guesses before auth
* Tests: cover pre-auth Zalo webhook rate limiting
* Changelog: note Zalo pre-auth rate limiting
* Zalo: preserve auth-before-content-type response ordering
* Tests: cover auth-before-content-type webhook ordering
* Zalo: split auth and unauth webhook rate-limit buckets
* Tests: cover auth bucket split for Zalo webhook rate limiting
* Zalo: use trusted proxy client IP for webhook rate limiting
* Tests: cover trusted proxy client IP rate limiting for Zalo
2026-03-12 12:30:50 -04:00
b77b7485e0
feat(push): add iOS APNs relay gateway ( #43369 )
...
* feat(push): add ios apns relay gateway
* fix(shared): avoid oslog string concatenation
# Conflicts:
# apps/shared/OpenClawKit/Sources/OpenClawKit/GatewayChannel.swift
* fix(push): harden relay validation and invalidation
* fix(push): persist app attest state before relay registration
* fix(push): harden relay invalidation and url handling
* feat(push): use scoped relay send grants
* feat(push): configure ios relay through gateway config
* feat(push): bind relay registration to gateway identity
* fix(push): tighten ios relay trust flow
* fix(push): bound APNs registration fields (#43369 ) (thanks @ngutman)
2026-03-12 18:15:35 +02:00
9342739d71
fix(providers): respect user-configured baseUrl for kimi-coding ( #36647 )
...
* fix(providers): respect user-configured baseUrl for kimi-coding
The kimi-coding provider was built exclusively from
`buildKimiCodingProvider()` defaults, ignoring any user-specified
`baseUrl` or other overrides in `openclaw.json` providers config.
This caused 404 errors when users configured a custom endpoint.
Now merge `explicitProviders["kimi-coding"]` on top of defaults,
matching the pattern used by ollama/vllm. User's `baseUrl`, `api`,
and `models` take precedence; env/profile API key still wins.
Fixes #36353
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Tests: use Kimi implicit provider harness
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-03-12 12:14:07 -04:00
3e28e10c2f
Plugins: require explicit trust for workspace-discovered plugins ( #44174 )
...
* Plugins: disable implicit workspace plugin auto-load
* Tests: cover workspace plugin trust gating
* Changelog: note workspace plugin trust hardening
* Plugins: keep workspace trust gate ahead of memory slot defaults
* Tests: cover workspace memory-slot trust bypass
2026-03-12 12:12:41 -04:00
0a8fa0e001
Moonshot: respect explicit baseUrl for CN endpoint so platform.moonshot.cn keys authenticate ( #33637 ) ( #33696 )
...
* Moonshot: respect explicit baseUrl for CN endpoint so platform.moonshot.cn keys authenticate (#33637 )
* Moonshot: address review - remove dead constant, import canonical URLs (#33696 )
2026-03-12 12:10:38 -04:00
3fa91cd69d
feat: add sessions_yield tool for cooperative turn-ending ( #36537 )
...
Merged via squash.
Prepared head SHA: 75d9204c86
2026-03-12 08:46:47 -07:00
e6897c800b
Plugins: fix env-aware root resolution and caching ( #44046 )
...
Merged via squash.
Prepared head SHA: 6e8852a188
2026-03-12 15:31:31 +00:00
688e3f0863
Compaction Runner: emit transcript updates post-compact ( #25558 )
...
Merged via squash.
Prepared head SHA: 8a858436ed
2026-03-12 08:22:12 -07:00
8ad0ca309e
Subagents: stop retrying external completion timeouts ( #41235 ) ( #43847 )
...
* Changelog: add subagent announce timeout note
* Tests: cover subagent completion timeout no-retry
* Subagents: stop retrying external completion timeouts
* Config: update subagent announce timeout default docs
* Tests: use fake timers for subagent timeout retry guard
2026-03-12 11:03:06 -04:00
7844bc89a1
Security: require Feishu webhook encrypt key ( #44087 )
...
* Feishu: require webhook encrypt key in schema
* Feishu: cover encrypt key webhook validation
* Feishu: enforce encrypt key at startup
* Feishu: add webhook forgery regression test
* Feishu: collect encrypt key during onboarding
* Docs: require Feishu webhook encrypt key
* Changelog: note Feishu webhook hardening
* Docs: clarify Feishu encrypt key screenshot
* Feishu: treat webhook encrypt key as secret input
* Feishu: resolve encrypt key only in webhook mode
2026-03-12 11:01:00 -04:00
99170e2408
Hardening: normalize Unicode command obfuscation detection ( #44091 )
...
* Exec: cover unicode obfuscation cases
* Exec: normalize unicode obfuscation detection
* Changelog: note exec detection hardening
* Exec: strip unicode tag character obfuscation
* Exec: harden unicode suppression and length guards
* Exec: require path boundaries for safe URL suppressions
2026-03-12 10:57:49 -04:00
eff0d5a947
Hardening: tighten preauth WebSocket handshake limits ( #44089 )
...
* Gateway: tighten preauth handshake limits
* Changelog: note WebSocket preauth hardening
* Gateway: count preauth frame bytes accurately
* Gateway: cap WebSocket payloads before auth
2026-03-12 10:55:41 -04:00
3e730c0332
Security: preserve Feishu reaction chat type ( #44088 )
...
* Feishu: preserve looked-up chat type
* Feishu: fail closed on ambiguous reaction chats
* Feishu: cover reaction chat type fallback
* Changelog: note Feishu reaction hardening
* Feishu: fail closed without resolved chat type
* Feishu: normalize reaction chat type at runtime
2026-03-12 10:53:40 -04:00
48cbfdfac0
Hardening: require LINE webhook signatures ( #44090 )
...
* LINE: require webhook signatures in express handler
* LINE: require webhook signatures in node handler
* LINE: update express signature tests
* LINE: update node signature tests
* Changelog: note LINE webhook hardening
* LINE: validate signatures before parsing webhook bodies
* LINE: reject missing signatures before body reads
2026-03-12 10:50:36 -04:00
Peter Steinberger
AstroHan
0xffee
Keelan Fadden-Hopper
Frank Yang
Max aka Mosheh
정우용
Radek Sienkiewicz
ingyukoh
Nimrod Gutman
Alex Zaytsev
stim64045-spec
Ayaan Zaidi
atian8179
xingsy97
cheapestinference
Jealous
Josh Lehman
Efe Büken
Cypherm
scoootscooob
scoootscooob
Vincent Koc
Dinakar Sarbada
Nachx639
ToToKr
jnMetaCode
Rodrigo Uroz
bwjoke
Wayne
Marcus Castro
Val Alexander
yuweuii
Gustavo Madeira Santana
2233admin
chengzhichao-xydt
Jacob Riff