Peter Steinberger
f7a7f08e15
refactor(gateway): dedupe probe route assertion loops
2026-03-07 17:58:31 +00:00
Vincent Koc
d070c44091
fix(gateway): keep probe routes reachable with root-mounted control ui (#38199)
* fix(gateway): keep probe routes reachable with root-mounted control ui
* Changelog: add root-mounted probe precedence fix entry
* Update CHANGELOG.md
2026-03-06 12:13:20 -05:00
Muhammed Mukhthar CM
b1b41eb443
feat(mattermost): add native slash command support (refresh) (#32467)
Merged via squash.
Prepared head SHA: 989126574ead75c0eedc185293659eb0d4fc6844
Co-authored-by: mukhtharcm <56378562+mukhtharcm@users.noreply.github.com>
Co-authored-by: mukhtharcm <56378562+mukhtharcm@users.noreply.github.com>
Reviewed-by: @mukhtharcm
2026-03-03 12:39:18 +05:30
Peter Steinberger
6a42d09129
refactor: dedupe gateway config and infra flows
2026-03-03 00:15:14 +00:00
Sid
41c8734afd
fix(gateway): move plugin HTTP routes before Control UI SPA catch-all (#31885)
* fix(gateway): move plugin HTTP routes before Control UI SPA catch-all
The Control UI handler (`handleControlUiHttpRequest`) acts as an SPA
catch-all that matches every path, returning HTML for GET requests and
405 for other methods. Because it ran before `handlePluginRequest` in
the request chain, any plugin HTTP route that did not live under
`/plugins` or `/api` was unreachable — shadowed by the catch-all.
Reorder the handlers so plugin routes are evaluated first. Core
built-in routes (hooks, tools, Slack, Canvas, etc.) still take
precedence because they are checked even earlier in the chain.
Unmatched plugin paths continue to fall through to Control UI as before.
Closes #31766
* fix: add changelog for plugin route precedence landing (#31885) (thanks @Sid-Qin)
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-03-02 18:16:14 +00:00
Peter Steinberger
7a7eee920a
refactor(gateway): harden plugin http route contracts
2026-03-02 16:48:00 +00:00
Peter Steinberger
2fd8264ab0
refactor(gateway): hard-break plugin wildcard http handlers
2026-03-02 16:24:06 +00:00
Peter Steinberger
b13d48987c
refactor(gateway): unify control-ui and plugin webhook routing
2026-03-02 16:18:12 +00:00
SidQin-cyber
c4711a9b69
fix(gateway): let POST requests pass through root-mounted Control UI to plugin handlers
The Control UI handler checked HTTP method before path routing, causing
all POST requests (including plugin webhook endpoints like /bluebubbles-webhook)
to receive 405 Method Not Allowed. Move the method check after path-based
exclusions so non-GET/HEAD requests reach plugin HTTP handlers.
Closes #31344
Made-with: Cursor
2026-03-02 16:06:48 +00:00
Peter Steinberger
93b0724025
fix(gateway): fail closed plugin auth path canonicalization
2026-03-02 15:55:32 +00:00
Peter Steinberger
e41f9998f7
refactor(test): extract shared gateway hook and vitest scoped config helpers
2026-03-02 14:36:41 +00:00
Peter Steinberger
d3e0c0b29c
test(gateway): dedupe gateway and infra test scaffolds
2026-03-02 07:13:10 +00:00
Vincent Koc
eeb72097ba
Gateway: add healthz/readyz probe endpoints for container checks (#31272)
* Gateway: add HTTP liveness/readiness probe routes
* Gateway tests: cover probe route auth bypass and methods
* Docker Compose: add gateway /healthz healthcheck
* Docs: document Docker probe endpoints
* Dockerfile: note built-in probe endpoints
* Gateway: make probe routes fallback-only to avoid shadowing
* Gateway tests: verify probe paths do not shadow plugin routes
* Changelog: note gateway container probe endpoints
2026-03-01 20:36:58 -08:00
Gustavo Madeira Santana
8e69fd80e0
Gateway: harden control-ui vs plugin HTTP precedence
2026-03-01 22:38:14 -05:00
Peter Steinberger
53d10f8688
fix(gateway): land access/auth/config migration cluster
Land #28960 by @Glucksberg (Tailscale origin auto-allowlist).
Land #29394 by @synchronic1 (allowedOrigins upgrade migration).
Land #29198 by @Mariana-Codebase (plugin HTTP auth guard + route precedence).
Land #30910 by @liuxiaopai-ai (tailscale bind/config.patch guard).
Co-authored-by: Glucksberg <markuscontasul@gmail.com>
Co-authored-by: synchronic1 <synchronic1@users.noreply.github.com>
Co-authored-by: Mariana Sinisterra <mariana.data@outlook.com>
Co-authored-by: liuxiaopai-ai <73659136+liuxiaopai-ai@users.noreply.github.com>
2026-03-02 00:10:51 +00:00
Peter Steinberger
08e3357480
refactor: share gateway security path canonicalization
2026-02-26 17:23:46 +01:00
Peter Steinberger
258d615c4d
fix: harden plugin route auth path canonicalization
2026-02-26 17:02:06 +01:00
Peter Steinberger
6632fd1ea9
refactor(security): extract protected-route path policy helpers
2026-02-26 13:01:22 +01:00
Peter Steinberger
0ed675b1df
fix(security): harden canonical auth matching for plugin channel routes
2026-02-26 12:55:33 +01:00
Peter Steinberger
da0ba1b73a
fix(security): harden channel auth path checks and exec approval routing
2026-02-26 12:46:05 +01:00
Peter Steinberger
8c701ba1ff
test(gateway): add hooks bind-host hardening coverage
2026-02-26 00:54:39 +00:00
Brian Mendonca
5a64f6d766
Gateway/Security: protect /api/channels plugin root
2026-02-24 23:44:32 +00:00
Peter Steinberger
9af3ec92a5
fix(gateway): add HSTS header hardening and docs
2026-02-23 19:47:29 +00:00
Peter Steinberger
93ca0ed54f
refactor(channels): dedupe transport and gateway test scaffolds
2026-02-16 14:59:31 +00:00
Coy Geek
647d929c9d
fix: Unauthenticated Nostr profile API allows remote config tampering (#13719)
* fix(an-07): apply security fix
Generated by staged fix workflow.
* fix(an-07): apply security fix
Generated by staged fix workflow.
* fix(an-07): satisfy lint in plugin auth regression test
Replace unsafe unknown-to-string coercion in the gateway plugin auth test helper with explicit string/null/JSON handling so pnpm check passes.
2026-02-12 07:55:22 -06:00