e2ff0d5e96
fix(matrix): align local DM trust openclaw#57124 thanks @w-sss
2026-03-30 18:55:09 -04:00
19a3a30dc0
fix(matrix): correct DM classification without trusting remote user's is_direct flag
...
Problem: Matrix DM classification logic had security vulnerabilities:
1. Unreachable code branch when is_direct flag was absent
2. When is_direct: true, skipped 2-member check (shared rooms misclassified as DMs)
3. **CWE-285: Improper Authorization** - trusted remote user's is_direct flag
Security Issues:
- Remote attacker could set is_direct=true on their membership to force DM classification
- Remote attacker could set is_direct=false to bypass DM-only restrictions
- Both could lead to policy bypass (DM allowlist/pairing checks)
Fix:
- hasDirectMatrixMemberFlag() returns boolean | null for local user only
- isStrictDirectMembership() only trusts local user's is_direct (selfUserId)
- Removed directViaSender lookups entirely (do not trust remote-controlled data)
- Falls back to strict 2-member check when is_direct is false/null
Key Insights:
- In Matrix, m.room.member.content.is_direct is set by each member themselves
- Only trust signals the bot controls (local user's membership state)
- 2-member check remains as safe fallback that cannot be manipulated
Closes #56599
2026-03-30 18:55:09 -04:00
dd9d0bdd8e
fix(exec): harden shell-side approval guardrails ( #57839 )
...
* fix(exec): harden approval handling
* fix(exec): tighten approval guardrails
* fix(exec): reject prefixed approval commands
* fix(exec): isolate shell approval guardrails
* fix(exec): recurse through wrapped approval commands
* fix(exec): restore allowlist wrapper import
* fix(exec): strip env wrappers before approval detection
* fix(exec): inspect nested shell wrapper options
2026-03-30 15:49:24 -07:00
9ff57ac479
refactor(exec): unify channel approvals and restore routing/auth ( #57838 )
...
* fix(exec): add shared approval runtime
* fix(exec): harden shared approval runtime
* fix(exec): guard approval expiration callbacks
* fix(exec): handle approval runtime races
* fix(exec): clean up failed approval deliveries
* fix(exec): restore channel approval routing
* fix(exec): scope telegram legacy approval fallback
* refactor(exec): centralize native approval delivery
* fix(exec): harden approval auth and account routing
* test(exec): align telegram approval auth assertions
* fix(exec): align approval rebase followups
* fix(exec): clarify plugin approval not-found errors
* fix(exec): fall back to session-bound telegram accounts
* fix(exec): detect structured telegram approval misses
* test(exec): align discord approval auth coverage
* fix(exec): ignore discord dm origin channel routes
* fix(telegram): skip self-authored message echoes
* fix(exec): keep implicit approval auth non-explicit
2026-03-30 15:49:02 -07:00
e7e15b92bd
Chore: remove orphaned agent workflow
2026-03-30 18:43:14 -04:00
b9f5d02f04
fix(matrix): restore E2EE for one-off CLI sends ( #57936 )
...
Merged via squash.
Prepared head SHA: 4b79fbea22
2026-03-30 17:28:33 -04:00
5cc0bc936c
Gateway: open config files without shell interpolation ( #57921 )
...
* Gateway: open config files without shell interpolation
Co-authored-by: peteryuqin <peter.yuqin@gmail.com>
* Gateway: align config opener review fixes
* Gateway: tidy config opener logging
* Gateway: simplify config opener error path
* Gateway: cover Windows config opener test path
* Gateway: use literal Windows config open path
---------
Co-authored-by: peteryuqin <peter.yuqin@gmail.com>
2026-03-30 15:21:25 -06:00
62d6cfedee
fix(doctor/plugins): skip unused Matrix inspector loads and honor enabledByDefault startup plugins ( #57931 )
...
Merged via squash.
Prepared head SHA: 634794b954
2026-03-30 17:06:04 -04:00
9a94578d47
Diffs: fall back on invalid language hints ( #57902 )
...
Merged via squash.
Prepared head SHA: 567ca3a56f
2026-03-30 16:30:05 -04:00
66777e140e
Diffs: return schema-shaped plugin config ( #57904 )
...
Merged via squash.
Prepared head SHA: df95f53aaa
2026-03-30 16:27:11 -04:00
07900facf6
Diffs: skip unused render targets ( #57909 )
...
Merged via squash.
Prepared head SHA: 9972f3029f
2026-03-30 16:21:08 -04:00
30a1690323
fix(diffs): harden viewer proxy access ( #57912 )
...
* fix(diffs): harden viewer proxy access
* fix(diffs): restore mapped loopback access
2026-03-30 14:17:27 -06:00
910134b702
fix(memory): stabilize qmd collection scoping
2026-03-30 22:41:21 +03:00
9c25544e6c
test(ci): fix stale regression expectations ( #57899 )
2026-03-30 22:31:13 +03:00
4a6267bfe1
Diffs: preserve base paths for viewer assets
2026-03-30 15:28:16 -04:00
b96b1efc69
Changelog: restore Matrix history entry
2026-03-30 15:14:53 -04:00
943163a419
feat(matrix): add group chat history context for agent triggers ( #57022 )
...
Merged via squash.
Prepared head SHA: b6f88b72e8
2026-03-30 15:10:43 -04:00
8deb9522f3
Guard marketplace and Ollama network requests ( #57850 )
...
* Plugins: guard marketplace and Ollama fetches
* Ollama: pin guarded host allowlist
2026-03-30 20:08:38 +01:00
e277a37f89
Infra: block compiler env overrides ( #57832 )
2026-03-30 20:06:32 +01:00
cfe1445953
Sandbox: sanitize SSH subprocess env ( #57848 )
...
* Sandbox: sanitize SSH subprocess env
* Sandbox: add sanitize env undefined test
2026-03-30 20:05:57 +01:00
f0af186726
gateway: ignore bearer-declared HTTP operator scopes ( #57783 )
...
* gateway: ignore bearer-declared HTTP operator scopes
* gateway: key HTTP bearer guards to auth mode
* gateway: refresh rebased HTTP regression expectations
* gateway: honor resolved HTTP auth method
* gateway: remove duplicate openresponses owner flags
2026-03-30 20:04:33 +01:00
2a75416634
CLI: reset remote URL after trust decline ( #57828 )
...
Co-authored-by: zsxsoft <git@zsxsoft.com>
2026-03-30 20:03:06 +01:00
ad77666054
fix(voice-call): canonicalize Telnyx replay request keys ( #57829 )
2026-03-30 20:01:43 +01:00
e65c265e89
Security: block exec approval shell carrier targets ( #57871 )
...
* Security: block exec approval shell carrier targets
* Tests: tighten exec approval carrier regression assertions
2026-03-30 12:35:04 -06:00
9d9cf0d8ff
Tasks: route one-task emergence through parent flows ( #57874 )
2026-03-30 20:25:01 +02:00
7590c22db7
Tasks: add minimal flow registry scaffold ( #57865 )
2026-03-30 19:57:26 +02:00
8c83128fc3
Discord: fix Group DM component interaction routing and auth ( #57763 )
...
* Discord: fix Group DM component interaction routing and auth
* Update tests
2026-03-30 11:17:53 -06:00
8fdb19676a
Fix Discord native commands bypassing group DM channel allowlist ( #57735 )
...
* Fix Discord native commands bypassing group DM channel allowlist
* Fix linting
* Update tests
2026-03-30 11:17:36 -06:00
dd17dae3e5
Matrix: drop unused MatrixClient constructor params
2026-03-30 13:17:02 -04:00
1ea85a5d0b
Matrix: remove stale monitor mention regex param
2026-03-30 13:17:02 -04:00
e8b0d57eb6
test: isolate browser navigation tests from host proxy env
2026-03-30 18:10:08 +01:00
8746e2e216
fix: restore cli registry side-effect option
2026-03-30 18:10:08 +01:00
ba7c98ab51
fix: align outbound media root tests with config-derived tmp paths
2026-03-30 18:10:08 +01:00
1b557ffe65
fix(plugins): keep snapshot hook loads isolated
2026-03-30 22:00:54 +05:30
f849b8de97
hooks: default hooks.internal.enabled to true so bundled hooks load on fresh installs
...
Made-with: Cursor
2026-03-30 22:00:54 +05:30
3886b65ef2
fix(gateway): require node pairing before enabling node commands ( #57777 )
...
* Gateway: require node pairing for node commands
* Gateway: request node pairing on initial connect
* Gateway: filter pending node pairing commands
2026-03-30 17:29:28 +01:00
6b38815f86
fix(gateway): tighten tools invoke HTTP guardrails ( #57771 )
...
* fix(gateway): tighten tools invoke HTTP guardrails
Co-authored-by: Brian Mendonca <208517100+bmendonca3@users.noreply.github.com>
* fix(security): centralize gateway HTTP deny defaults
* fix(gateway): drop duplicate scope guard after rebase
---------
Co-authored-by: Brian Mendonca <208517100+bmendonca3@users.noreply.github.com>
2026-03-30 17:16:33 +01:00
1ca4261d7e
fix(media): keep local roots configuration-derived ( #57770 )
...
* fix(media): keep local roots configuration-derived
Co-authored-by: Jacob Tomlinson <jtomlinson@nvidia.com>
* fix(media): simplify local root lookup
* fix(media): keep legacy local roots export
2026-03-30 17:15:03 +01:00
aff6883f93
fix: avoid over-sharding single include-file test batches
2026-03-30 17:14:02 +01:00
c22edbb8ee
test: align ci regression stubs with production behavior
2026-03-30 17:11:06 +01:00
555a4d896c
test: stabilize media attachment cache path assertions
2026-03-30 17:11:06 +01:00
4c45fc3575
test: remove telegram extension dependency from reply command tests
2026-03-30 17:11:06 +01:00
17d0be02f2
fix(gateway): bind OpenResponses HTTP ingress as non-owner ( #57778 )
...
* fix(gateway): bind OpenResponses HTTP ingress as non-owner
Co-authored-by: bmendonca3 <208517100+bmendonca3@users.noreply.github.com>
* test(gateway): cover streaming OpenResponses non-owner ingress
---------
Co-authored-by: bmendonca3 <208517100+bmendonca3@users.noreply.github.com>
2026-03-30 17:05:29 +01:00
1a75906a6f
Exec approvals: prevent interpreter allow-always persistence ( #57772 )
...
* Exec approvals: block interpreter allow-always persistence
* Exec approvals: normalize interpreter allowlist formatting
* Exec approvals: normalize interpreter allowlist wrapping
* Exec approvals: tighten awk regression coverage
* Exec approvals: harden awk interpreter coverage
2026-03-30 17:03:54 +01:00
b7b46ad185
fix(skills): replace readFileSync with symlink-safe, root-confined skill file loader ( #57519 )
...
* fix: replace readFileSync with symlink-safe, root-confined skill file loader
* fix(skills): preserve directory-name fallback when frontmatter omits name
* fix: harden skill loader path containment
---------
Co-authored-by: Jacob Tomlinson <jacobtomlinson@users.noreply.github.com>
2026-03-30 17:03:05 +01:00
7a5c5f33d0
Infra: block auth env vars from workspace dotenv ( #57767 )
...
* Infra: block auth env vars from workspace dotenv
* Infra: block workspace dotenv auth key variants
* Infra: block workspace dotenv live auth keys
2026-03-30 17:01:22 +01:00
29cb1e3c7e
Gateway: tighten HTTP tool invoke authorization ( #57773 )
...
* Gateway: harden HTTP tool invoke access
* Gateway: strengthen HTTP tools invoke regression coverage
* Gateway: keep owner-only tools off HTTP
2026-03-30 16:59:40 +01:00
ae703ab0e7
infra: harden identifier entropy and delay jitter ( #57744 )
...
* infra: harden identifier entropy and delay jitter
* test: make randomness hardening deterministic in CI
2026-03-30 16:57:30 +01:00
32a4a47d60
Agents: pin apply-patch workspace mutations ( #56016 )
...
* Agents: pin apply-patch file ops to workspace
* Agents: resolve apply-patch review feedback
* Infra: fallback pinned path helper spawn failures
2026-03-30 16:49:49 +01:00
6d341cf366
fix(auto-reply): thread per-agent tools.exec defaults into reply directives ( #57689 )
...
* fix(auto-reply): thread per-agent tools.exec defaults into exec overrides
* test(auto-reply): add session-override and inline-directive priority tests for exec agent defaults
2026-03-30 16:46:54 +01:00
Gustavo Madeira Santana
w-sss
scoootscooob
mappel-nv
Dinakar Sarbada
Agustin Rivera
Altay
chain710
Jacob Tomlinson
Mariano
Devin Robison
Shakker
Ayaan Zaidi
joelnishanth
pgondhi987