negodiy/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
12,876 Commits 1 Branch 0 Tags
3100b77f12ebb1fb9eab66ff236a1fea4eae7977
Commit Graph

1127 Commits

Author SHA1 Message Date
Xinhua Gu
9c5249714d fix(gateway): trusted-proxy auth rejected when bind=loopback (#20097) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 8de62f1a8f991f900fd1482f64976f234011f4d2
Co-authored-by: xinhuagu <562450+xinhuagu@users.noreply.github.com>
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Reviewed-by: @mbelinky
 2026-02-20 17:51:35 +00:00
mudrii
7ecfc1d93c fix(auth): bidirectional mode/type compat + sync OAuth to all agents (#12692) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 2dee8e1174e637e50d10bf7020f1de2990b804dc
Co-authored-by: mudrii <220262+mudrii@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
 2026-02-20 16:01:09 +05:30
Glucksberg
38b4fb5d55 fix(auth/session): preserve override reset behavior and repair oauth profile-id drift (openclaw#18820) thanks @Glucksberg 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: Glucksberg <80581902+Glucksberg@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-19 21:16:26 -06:00
Vishal
f1e1cc4ee3 feat: surface cached token counts in /status output (openclaw#21248) thanks @vishaltandale00 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: vishaltandale00 <9222298+vishaltandale00@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-19 21:06:13 -06:00
Jeremy Mumford
6ef365d062 resolved bug with doing a raw call to anthropic compatible apis (#21336) 2026-02-19 15:04:49 -08:00
Peter Steinberger
a1cb700a05 test: dedupe and optimize test suites 2026-02-19 15:19:38 +00:00
Peter Steinberger
3a258e7ca8 fix(ci): add explicit mock export types for harnesses 2026-02-19 15:16:09 +00:00
Peter Steinberger
d3bf6e1b90 test: harden mock order and shell path coverage 2026-02-19 15:09:19 +00:00
Peter Steinberger
71983716ff test: share channels command mock harness 2026-02-19 15:08:14 +00:00
Peter Steinberger
f76f98b268 chore: fix formatting drift and stabilize cron tool mocks 2026-02-19 15:41:38 +01:00
Peter Steinberger
5dc50b8a3f fix(security): harden npm plugin and hook install integrity flow 2026-02-19 15:11:25 +01:00
Thorfinn
b45bb6801c fix(doctor): skip embedding provider check when QMD backend is active (openclaw#17295) thanks @miloudbelarebia 
Verified:
- pnpm build
- pnpm check (fails on baseline formatting drift in files identical to origin/main)
- pnpm test:macmini

Co-authored-by: miloudbelarebia <52387093+miloudbelarebia@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-19 07:21:27 -06:00
Jay Caldwell
9edec67a18 fix(security): block plaintext WebSocket connections to non-loopback addresses (#20803) 
* fix(security): block plaintext WebSocket connections to non-loopback addresses

Addresses CWE-319 (Cleartext Transmission of Sensitive Information).

Previously, ws:// connections to remote hosts were allowed, exposing
both credentials and chat data to network interception. This change
blocks ALL plaintext ws:// connections to non-loopback addresses,
regardless of whether explicit credentials are configured (device
tokens may be loaded dynamically).

Security policy:
- wss:// allowed to any host
- ws:// allowed only to loopback (127.x.x.x, localhost, ::1)
- ws:// to LAN/tailnet/remote hosts now requires TLS

Changes:
- Add isSecureWebSocketUrl() validation in net.ts
- Block insecure connections in GatewayClient.start()
- Block insecure URLs in buildGatewayConnectionDetails()
- Handle malformed URLs gracefully without crashing
- Update tests to use wss:// for non-loopback URLs

Fixes #12519

* fix(test): update gateway-chat mock to preserve net.js exports

Use importOriginal to spread actual module exports and mock only
the functions needed for testing. This ensures isSecureWebSocketUrl
and other exports remain available to the code under test.
 2026-02-19 03:13:08 -08:00
Peter Steinberger
90b05b18f1 test: collapse duplicate onboard auth assertions 2026-02-19 09:13:16 +00:00
Peter Steinberger
749edf25ca test: dedupe repeated onboarding provider config cases 2026-02-19 09:08:48 +00:00
Peter Steinberger
47bbef30f9 test: merge duplicate undefined api-key persistence checks 2026-02-19 08:27:40 +00:00
Peter Steinberger
fe3bd9d65b test: merge duplicate gateway token coercion checks 2026-02-19 08:26:43 +00:00
Peter Steinberger
ad4c784f20 test: collapse duplicate gateway token-generation cases 2026-02-19 08:15:32 +00:00
Peter Steinberger
8b17a369e9 refactor(agents): share agent entry and block reply payload types 2026-02-19 00:06:19 +00:00
Peter Steinberger
5c5c032f42 refactor(security): share DM allowlist state resolver 2026-02-18 23:58:11 +00:00
Peter Steinberger
89a0b95af4 refactor(security): reuse shared allowlist normalization 2026-02-18 23:48:32 +00:00
Peter Steinberger
aa8f87a3bf refactor(plugins): reuse plugin loader logger adapter 2026-02-18 23:48:32 +00:00
Peter Steinberger
0048af4e2d refactor(commands): dedupe auth-choice model notes 2026-02-18 23:34:15 +00:00
Peter Steinberger
1a030a544b test: table-drive sandbox formatter assertions 2026-02-18 23:19:33 +00:00
Peter Steinberger
c0c10f42e2 refactor(commands): share daemon runtime warning helper 2026-02-18 23:09:09 +00:00
Peter Steinberger
8e6a7a6343 refactor(models): reuse list format helpers in scan 2026-02-18 23:09:09 +00:00
Peter Steinberger
8369913c7a refactor(models): reuse validated config snapshot loader 2026-02-18 22:49:39 +00:00
Peter Steinberger
c0e0d4c63d test: dedupe empty-array counter checks in sandbox formatters 2026-02-18 22:46:10 +00:00
Peter Steinberger
4c096020a2 refactor(commands): share configure wizard channel/daemon steps 2026-02-18 18:37:17 +00:00
Peter Steinberger
4f36c813a7 refactor(commands): share custom api verification request flow 2026-02-18 18:30:13 +00:00
Peter Steinberger
d67942af1e refactor(telegram): share getChat id lookup helper 2026-02-18 17:48:02 +00:00
Peter Steinberger
005e1d5fd1 refactor(cli): share styled select prompt helper 2026-02-18 17:48:02 +00:00
Peter Steinberger
288015a9fc refactor(auth): share api key masking utility 2026-02-18 17:13:35 +00:00
the sun gif man
114736ed1a Doctor/Security: fix telegram numeric ID + symlink config permission warnings (#19844) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: e42bf1e48de947571007df1d65f25d157a399a84
Co-authored-by: joshp123 <1497361+joshp123@users.noreply.github.com>
Co-authored-by: joshp123 <1497361+joshp123@users.noreply.github.com>
Reviewed-by: @joshp123
 2026-02-18 00:09:51 -08:00
Peter Steinberger
e3292b9af1 test: dedupe sessions command tests and cover active filtering 2026-02-18 05:30:51 +00:00
Robby
5c69e625f5 fix(cli): display correct model for sub-agents in sessions list (#18660) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: ba54c5a351f7ba7f6ffcc690be0e15d8e052d0d9
Co-authored-by: robbyczgw-cla <239660374+robbyczgw-cla@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-17 23:59:20 -05:00
Peter Steinberger
a69e7682c1 refactor(test): dedupe channel and monitor action suites 2026-02-18 04:49:22 +00:00
Gustavo Madeira Santana
4d3403b7ac chore: fix CI errors 2026-02-17 23:46:40 -05:00
Peter Steinberger
e57628165a test: dedupe shared setup in channel and doctor config tests 2026-02-18 04:04:14 +00:00
Peter Steinberger
516046dba8 fix: avoid doctor token regeneration on invalid repairs 2026-02-18 04:51:25 +01:00
Peter Steinberger
f25bbbc37e feat: switch anthropic onboarding defaults to sonnet 2026-02-18 04:37:58 +01:00
Peter Steinberger
d1c00dbb7c fix: harden include confinement edge cases (#18652) (thanks @aether-ai-agent) 2026-02-18 03:27:16 +01:00
Peter Steinberger
b8b43175c5 style: align formatting with oxfmt 0.33 2026-02-18 01:34:35 +00:00
Peter Steinberger
31f9be126c style: run oxfmt and fix gate failures 2026-02-18 01:29:02 +00:00
Peter Steinberger
6dcc052bb4 fix: stabilize model catalog and pi discovery auth storage compatibility 2026-02-18 02:09:40 +01:00
Peter Steinberger
ae2c8f2cf0 feat(models): support anthropic sonnet 4.6 2026-02-18 00:00:31 +01:00
Seb Slight
f44e3b2a34 revert: fix models set catalog validation (#19194) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 7e3b2ff7afe052097c4414fc64d7e66191e8fcc3
Co-authored-by: sebslight <19554889+sebslight@users.noreply.github.com>
Co-authored-by: sebslight <19554889+sebslight@users.noreply.github.com>
Reviewed-by: @sebslight
 2026-02-17 09:43:41 -05:00
Sebastian
cc359d338e test: add fetch mock helper and reaction coverage 2026-02-17 09:02:39 -05:00
Benjamin Jesuiter
01fcac0726 Configure: make model picker allowlist searchable 2026-02-17 09:15:55 +01:00
cpojer
6264c5e842 chore: Fix types in tests 41/N. 2026-02-17 15:50:07 +09:00