Peter Steinberger
2cdbadee1f
fix(security): block startup-file env injection across host execution paths
2026-02-21 11:44:20 +01:00
Peter Steinberger
6b2f2811dc
fix(security): require BlueBubbles webhook auth
2026-02-21 11:41:50 +01:00
Peter Steinberger
220bd95eff
fix(browser): block non-network navigation schemes
2026-02-21 11:31:53 +01:00
Peter Steinberger
c6ee14d60e
fix(security): block grep safe-bin file-read bypass
2026-02-21 11:18:29 +01:00
Ayaan Zaidi
f81522af2e
fix(docker): install Playwright Chromium into node cache (#22585)
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 84dc9ffccd27a51a5c9b8793e55d44abfc7ee520
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
2026-02-21 15:48:27 +05:30
Peter Steinberger
75d4f6d51b
docs: reorder and trim 2026.2.21 changelog entries
2026-02-21 11:12:58 +01:00
Peter Steinberger
eccff0b6c0
docs: relabel dependency hygiene changelog entries
2026-02-21 11:05:05 +01:00
Peter Steinberger
9231d7d30f
chore: bump version to 2026.2.21
2026-02-21 11:02:30 +01:00
Ayaan Zaidi
677384c519
refactor: simplify Telegram preview streaming to single boolean (#22012)
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: a4017d3b9469d0c25c6ab3f4d9be06b98445474e
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
2026-02-21 15:19:13 +05:30
Ayaan Zaidi
e1cb73cdeb
fix: unblock Docker build by aligning commands schema default (#22558)
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 1ad610176d0d08eb5ba055429a10d7e8f9ec07a4
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
2026-02-21 14:47:28 +05:30
Vincent Koc
3f19259843
Update bug_report.yml
2026-02-21 04:06:07 -05:00
Vincent Koc
d2a7293744
Docs: issue template copy cleanup (#22546)
...
* docs: reduce channel-specific wording in feature template placeholder
* docs: make bug report template placeholders version-neutral
* docs: fix YAML indentation in bug report placeholder
* docs: fix indentation of version field in bug report template
2026-02-21 03:43:35 -05:00
Vincent Koc
dcf2c6d7f1
docs: normalize Amazon Bedrock setup section labels (#22549)
...
* docs(channels): promote Signal option setups to onboarding sections
* docs(channels): rename Microsoft Teams minimal setup section
* docs(channels): standardize onboarding option headings for Zalo and Twitch
* docs(providers): normalize Amazon Bedrock onboarding section labels
2026-02-21 03:40:54 -05:00
Vincent Koc
e36245bd37
docs: finalize onboarding option heading normalization (#22547)
...
* docs(channels): promote Signal option setups to onboarding sections
* docs(channels): rename Microsoft Teams minimal setup section
* docs(channels): standardize onboarding option headings for Zalo and Twitch
2026-02-21 03:38:37 -05:00
Vincent Koc
ef42fe0094
docs: rename Tlon setup heading (#22544)
...
* docs: fix thinking link and add reasoning anchor reference
* docs(channels): rename LINE setup heading to onboarding
* docs(channels): normalize Nextcloud Talk onboarding headings
* docs(channels): use onboarding heading for Matrix setup
* docs(channels): standardize Discord onboarding heading
* docs(channels): standardize Telegram onboarding heading
* docs(channels): standardize WhatsApp onboarding heading
* docs(channels): rename iMessage onboarding and configuration sections
* docs(channels): rename Slack onboarding and configuration sections
* docs(channels): rename Signal onboarding heading
* docs(channels): standardize Nostr onboarding and configuration headings
* docs(channels): standardize Zalo onboarding and configuration headings
* docs(channels): standardize Twitch onboarding heading
* docs(channels): standardize Google Chat onboarding heading
* docs(channels): standardize Mattermost onboarding heading
* docs(channels): standardize Zalo Personal onboarding heading
* docs(channels): normalize Discord configuration heading
* docs(channels): standardize Microsoft Teams onboarding heading
* docs(channels): rename Signal configuration reference heading
* docs(channels): rename Matrix configuration reference heading
* docs(channels): normalize WhatsApp configuration heading
* docs(thinking): link reasoning section heading to in-page anchor
* docs(channels): normalize BlueBubbles configuration heading
* docs(channels): normalize Feishu configuration heading
* docs(channels): standardize Signal setup option headings
* docs(channels): refine Twitch setup heading clarity
* docs(channels): simplify Zalo setup heading phrasing
* docs(channels): trim Microsoft Teams minimal setup heading
* docs(channels): rename Tlon setup to onboarding
2026-02-21 03:37:27 -05:00
Vincent Koc
b5a77b9cb2
docs: finalize remaining setup heading phrasing (#22543)
...
* docs: fix thinking link and add reasoning anchor reference
* docs(channels): rename LINE setup heading to onboarding
* docs(channels): normalize Nextcloud Talk onboarding headings
* docs(channels): use onboarding heading for Matrix setup
* docs(channels): standardize Discord onboarding heading
* docs(channels): standardize Telegram onboarding heading
* docs(channels): standardize WhatsApp onboarding heading
* docs(channels): rename iMessage onboarding and configuration sections
* docs(channels): rename Slack onboarding and configuration sections
* docs(channels): rename Signal onboarding heading
* docs(channels): standardize Nostr onboarding and configuration headings
* docs(channels): standardize Zalo onboarding and configuration headings
* docs(channels): standardize Twitch onboarding heading
* docs(channels): standardize Google Chat onboarding heading
* docs(channels): standardize Mattermost onboarding heading
* docs(channels): standardize Zalo Personal onboarding heading
* docs(channels): normalize Discord configuration heading
* docs(channels): standardize Microsoft Teams onboarding heading
* docs(channels): rename Signal configuration reference heading
* docs(channels): rename Matrix configuration reference heading
* docs(channels): normalize WhatsApp configuration heading
* docs(thinking): link reasoning section heading to in-page anchor
* docs(channels): normalize BlueBubbles configuration heading
* docs(channels): normalize Feishu configuration heading
* docs(channels): standardize Signal setup option headings
* docs(channels): refine Twitch setup heading clarity
* docs(channels): simplify Zalo setup heading phrasing
* docs(channels): trim Microsoft Teams minimal setup heading
2026-02-21 03:36:39 -05:00
Vincent Koc
d7891badda
docs: more channel heading consistency updates (#22541)
...
* docs: fix thinking link and add reasoning anchor reference
* docs(channels): rename LINE setup heading to onboarding
* docs(channels): normalize Nextcloud Talk onboarding headings
* docs(channels): use onboarding heading for Matrix setup
* docs(channels): standardize Discord onboarding heading
* docs(channels): standardize Telegram onboarding heading
* docs(channels): standardize WhatsApp onboarding heading
* docs(channels): rename iMessage onboarding and configuration sections
* docs(channels): rename Slack onboarding and configuration sections
* docs(channels): rename Signal onboarding heading
* docs(channels): standardize Nostr onboarding and configuration headings
* docs(channels): standardize Zalo onboarding and configuration headings
* docs(channels): standardize Twitch onboarding heading
* docs(channels): standardize Google Chat onboarding heading
* docs(channels): standardize Mattermost onboarding heading
* docs(channels): standardize Zalo Personal onboarding heading
* docs(channels): normalize Discord configuration heading
* docs(channels): standardize Microsoft Teams onboarding heading
* docs(channels): rename Signal configuration reference heading
* docs(channels): rename Matrix configuration reference heading
* docs(channels): normalize WhatsApp configuration heading
* docs(thinking): link reasoning section heading to in-page anchor
* docs(channels): normalize BlueBubbles configuration heading
* docs(channels): normalize Feishu configuration heading
* docs(channels): standardize Signal setup option headings
2026-02-21 03:36:03 -05:00
Nimrod Gutman
78caf9ec3d
feat(ios): surface gateway talk defaults and refresh icon assets (#22530)
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 54f3a40e223f64a48f22485e919951d7ccd7ac85
Co-authored-by: ngutman <1540134+ngutman@users.noreply.github.com>
Co-authored-by: ngutman <1540134+ngutman@users.noreply.github.com>
Reviewed-by: @ngutman
2026-02-21 10:34:20 +02:00
Vincent Koc
e93e67bc8e
docs: fix thinking section heading link target (#22539)
...
* docs: fix thinking link and add reasoning anchor reference
* docs(channels): rename LINE setup heading to onboarding
* docs(channels): normalize Nextcloud Talk onboarding headings
* docs(channels): use onboarding heading for Matrix setup
* docs(channels): standardize Discord onboarding heading
* docs(channels): standardize Telegram onboarding heading
* docs(channels): standardize WhatsApp onboarding heading
* docs(channels): rename iMessage onboarding and configuration sections
* docs(channels): rename Slack onboarding and configuration sections
* docs(channels): rename Signal onboarding heading
* docs(channels): standardize Nostr onboarding and configuration headings
* docs(channels): standardize Zalo onboarding and configuration headings
* docs(channels): standardize Twitch onboarding heading
* docs(channels): standardize Google Chat onboarding heading
* docs(channels): standardize Mattermost onboarding heading
* docs(channels): standardize Zalo Personal onboarding heading
* docs(channels): normalize Discord configuration heading
* docs(channels): standardize Microsoft Teams onboarding heading
* docs(channels): rename Signal configuration reference heading
* docs(channels): rename Matrix configuration reference heading
* docs(channels): normalize WhatsApp configuration heading
* docs(thinking): link reasoning section heading to in-page anchor
2026-02-21 03:33:06 -05:00
Vincent Koc
7c593cd333
docs: finish onboarding/config heading consistency (#22537)
...
* docs: fix thinking link and add reasoning anchor reference
* docs(channels): rename LINE setup heading to onboarding
* docs(channels): normalize Nextcloud Talk onboarding headings
* docs(channels): use onboarding heading for Matrix setup
* docs(channels): standardize Discord onboarding heading
* docs(channels): standardize Telegram onboarding heading
* docs(channels): standardize WhatsApp onboarding heading
* docs(channels): rename iMessage onboarding and configuration sections
* docs(channels): rename Slack onboarding and configuration sections
* docs(channels): rename Signal onboarding heading
* docs(channels): standardize Nostr onboarding and configuration headings
* docs(channels): standardize Zalo onboarding and configuration headings
* docs(channels): standardize Twitch onboarding heading
* docs(channels): standardize Google Chat onboarding heading
* docs(channels): standardize Mattermost onboarding heading
* docs(channels): standardize Zalo Personal onboarding heading
* docs(channels): normalize Discord configuration heading
* docs(channels): standardize Microsoft Teams onboarding heading
* docs(channels): rename Signal configuration reference heading
* docs(channels): rename Matrix configuration reference heading
* docs(channels): normalize WhatsApp configuration heading
2026-02-21 03:32:37 -05:00
Vincent Koc
79183852f9
docs: more channel onboarding naming cleanup (#22536)
...
* docs: fix thinking link and add reasoning anchor reference
* docs(channels): rename LINE setup heading to onboarding
* docs(channels): normalize Nextcloud Talk onboarding headings
* docs(channels): use onboarding heading for Matrix setup
* docs(channels): standardize Discord onboarding heading
* docs(channels): standardize Telegram onboarding heading
* docs(channels): standardize WhatsApp onboarding heading
* docs(channels): rename iMessage onboarding and configuration sections
* docs(channels): rename Slack onboarding and configuration sections
* docs(channels): rename Signal onboarding heading
* docs(channels): standardize Nostr onboarding and configuration headings
* docs(channels): standardize Zalo onboarding and configuration headings
* docs(channels): standardize Twitch onboarding heading
* docs(channels): standardize Google Chat onboarding heading
* docs(channels): standardize Mattermost onboarding heading
* docs(channels): standardize Zalo Personal onboarding heading
2026-02-21 03:31:55 -05:00
Vincent Koc
4c4147fb0a
docs: continue onboarding terminology cleanup (#22535)
...
* docs: fix thinking link and add reasoning anchor reference
* docs(channels): rename LINE setup heading to onboarding
* docs(channels): normalize Nextcloud Talk onboarding headings
* docs(channels): use onboarding heading for Matrix setup
* docs(channels): standardize Discord onboarding heading
* docs(channels): standardize Telegram onboarding heading
* docs(channels): standardize WhatsApp onboarding heading
* docs(channels): rename iMessage onboarding and configuration sections
* docs(channels): rename Slack onboarding and configuration sections
* docs(channels): rename Signal onboarding heading
* docs(channels): standardize Nostr onboarding and configuration headings
* docs(channels): standardize Zalo onboarding and configuration headings
* docs(channels): standardize Twitch onboarding heading
2026-02-21 03:31:22 -05:00
Vincent Koc
5eca08dab7
Chore: trim stale TODOs and issue-template language (#22534)
...
* docs: refresh issue template contact copy
* chore: remove OneDrive resumable upload TODO note
2026-02-21 03:31:17 -05:00
Vincent Koc
12d75ff7f5
docs: continue channel onboarding/config naming cleanup (#22533)
...
* docs: fix thinking link and add reasoning anchor reference
* docs(channels): rename LINE setup heading to onboarding
* docs(channels): normalize Nextcloud Talk onboarding headings
* docs(channels): use onboarding heading for Matrix setup
* docs(channels): standardize Discord onboarding heading
* docs(channels): standardize Telegram onboarding heading
* docs(channels): standardize WhatsApp onboarding heading
* docs(channels): rename iMessage onboarding and configuration sections
* docs(channels): rename Slack onboarding and configuration sections
* docs(channels): rename Signal onboarding heading
2026-02-21 03:30:35 -05:00
Vincent Koc
436f79839b
docs: more channel onboarding heading consistency (#22532)
...
* docs: fix thinking link and add reasoning anchor reference
* docs(channels): rename LINE setup heading to onboarding
* docs(channels): normalize Nextcloud Talk onboarding headings
* docs(channels): use onboarding heading for Matrix setup
* docs(channels): standardize Discord onboarding heading
* docs(channels): standardize Telegram onboarding heading
* docs(channels): standardize WhatsApp onboarding heading
2026-02-21 03:29:42 -05:00
Vincent Koc
325992b777
docs: small docs sweep consistency updates (#22531)
...
* docs: fix thinking link and add reasoning anchor reference
* docs(channels): rename LINE setup heading to onboarding
* docs(channels): normalize Nextcloud Talk onboarding headings
* docs(channels): use onboarding heading for Matrix setup
2026-02-21 03:29:17 -05:00
Vincent Koc
c20d519e05
feat(security): migrate sha1 hashes to sha256 for synthetic ids (#7343) (#22528)
...
* feat(prompt): add explicit owner hash secret to obfuscation path
* feat(security): migrate synthetic IDs to sha256 for #7343
2026-02-21 03:20:14 -05:00
Vincent Koc
9abab6a2c9
Add explicit ownerDisplaySecret for owner ID hash obfuscation (#22520)
...
* feat(config): add owner display secret setting
* feat(prompt): add explicit owner hash secret to obfuscation path
* test(prompt): assert owner hash secret mode behavior
* Update src/agents/system-prompt.ts
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
---------
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
2026-02-21 03:13:56 -05:00
SleuthCo.AI
fe609c0c77
security(hooks): block prototype-chain traversal in webhook template getByPath (#22213)
...
* security(hooks): block prototype-chain traversal in webhook template getByPath
The getByPath() function in hooks-mapping.ts traverses attacker-controlled
webhook payload data using arbitrary property path expressions, but does not
filter dangerous property names (__proto__, constructor, prototype).
The config-paths module (config-paths.ts) already blocks these exact keys
for config path traversal via a BLOCKED_KEYS set, but the hooks template
system was not protected with the same guard.
Add a BLOCKED_PATH_KEYS set mirroring config-paths.ts and reject traversal
into __proto__, prototype, or constructor in getByPath(). Add three test
cases covering all three blocked keys.
Signed-off-by: Alan Ross <alan@sleuthco.ai>
* test(gateway): narrow hook action type in prototype-pollution tests
* changelog: credit hooks prototype-path guard in PR 22213
* changelog: move hooks prototype-path fix into security section
---------
Signed-off-by: Alan Ross <alan@sleuthco.ai>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-02-21 03:01:03 -05:00
Takayuki Maeda
0bee3f337a
MSTeams: dedupe sent-message cache storage (#22514)
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 88e14dcbe13006c4d1f353c0e7e196175747a4c8
Co-authored-by: TaKO8Ki <41065217+TaKO8Ki@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
2026-02-21 13:27:50 +05:30
Vincent Koc
f4a59eb5d8
Chore: harden A2UI bundle dependency resolution (#22507)
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: d84c5bde518a4b2f3d192b0446672afeecf3fa3d
Co-authored-by: vincentkoc <25068+vincentkoc@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
2026-02-21 13:16:31 +05:30
Vincent Koc
187f4ea41f
deadcode: remove unused extension dev dependencies (#22495)
...
* Chore: remove unused extension dev dependencies
* Chore: fix changelog PR reference
* Chore: restore dropped deadcode changelog entries
* Chore: retag unused-dependency changelog entries
2026-02-21 02:15:43 -05:00
Vincent Koc
92ac6c95cc
CI: format github workflow (#22497)
2026-02-21 02:12:36 -05:00
Vincent Koc
55eab106ac
chore: remove root long and rolldown deps (#22481)
...
* chore(deadcode): add deadcode scanning and remove unused lockfile deps
* chore(changelog): mention deadcode CI scan pass
* ci: disable deadcode job temporarily
* docs(changelog): add PR ref and thanks for deadcode scan entry
* ci: comment out deadcode job condition while keeping it disabled
* Deps: remove dead root dependency from package manifest
* Changelog: reference PR for deadcode dependency cleanup
* Deps: remove unused root signal-utils
* Chore: remove unused lit context deps
* Chore: remove unused root lit dependency
* Chore: remove root long and rolldown deps
* Chore: add changelog for root long/rolldown removal
* Chore: fix a2ui bundling after root lit dependency removal
* Chore: simplify a2ui bundle script dependencies
2026-02-21 02:05:41 -05:00
Takayuki Maeda
40f1a6c0d2
chore: Dedupe sent-message cache storage (#22127)
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 8401257b271b85cb5ec03574ef861703ba71ea08
Co-authored-by: TaKO8Ki <41065217+TaKO8Ki@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
2026-02-21 12:34:59 +05:30
Vincent Koc
35fd322114
chore: format CI workflow (#22482)
...
* chore: format files for oxfmt
* chore: format CI workflow
2026-02-21 01:46:55 -05:00
Vincent Koc
7428f5a741
chore: format files for oxfmt (#22479)
2026-02-21 01:43:18 -05:00
Vincent Koc
c2f5628915
Fix formatting (#22474)
2026-02-21 01:37:02 -05:00
Vincent Koc
3002be76e4
docs: add custom spellcheck dictionary and fix docs typos (#22457)
...
* docs: fix typos and add docs spellcheck workflow
* docs: add changelog entry for docs spellcheck updates
* docs: fix FAQ TOC fragment links for markdownlint
* docs: fix TOC nesting and spellcheck dictionary flags
2026-02-21 01:35:35 -05:00
Vincent Koc
3b8d7b2e42
deps: remove dead root dependency (#22471)
...
* chore(deadcode): add deadcode scanning and remove unused lockfile deps
* chore(changelog): mention deadcode CI scan pass
* ci: disable deadcode job temporarily
* docs(changelog): add PR ref and thanks for deadcode scan entry
* ci: comment out deadcode job condition while keeping it disabled
* Deps: remove dead root dependency from package manifest
* Changelog: reference PR for deadcode dependency cleanup
* Deps: remove unused root signal-utils
2026-02-21 01:33:45 -05:00
Vincent Koc
569191fff1
extensions: fix MSTeams OneDrive fallback mention handling (#22472)
2026-02-21 01:30:33 -05:00
Vincent Koc
d3bb924709
chore(deadcode): add deadcode scanning and remove unused lockfile deps (#22468)
...
* chore(deadcode): add deadcode scanning and remove unused lockfile deps
* chore(changelog): mention deadcode CI scan pass
* ci: disable deadcode job temporarily
* docs(changelog): add PR ref and thanks for deadcode scan entry
* ci: comment out deadcode job condition while keeping it disabled
2026-02-21 01:29:20 -05:00
Vincent Koc
e7eba01efc
Security: disable sandbox container --no-sandbox by default (#22451)
2026-02-21 01:23:49 -05:00
Vincent Koc
8877bfd11e
gateway: trust-proxy-aware X-Forwarded-For resolution (#22466)
2026-02-21 01:23:21 -05:00
Vincent Koc
0fe8f07e0e
Docs: add changelog entry for PR #19009 (#22464)
2026-02-21 01:17:22 -05:00
C.J. Winslow
58f7b7638a
Security: add per-wrapper IDs to untrusted-content markers (#19009)
...
Fixes #10927
Adds unique per-wrapper IDs to external-content boundary markers to
prevent spoofing attacks where malicious content could inject fake
marker boundaries.
- Generate random 16-char hex ID per wrap operation
- Start/end markers share the same ID for pairing
- Sanitizer strips markers with or without IDs (handles legacy + spoofed)
- Added test for attacker-injected markers with fake IDs
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-02-21 01:16:02 -05:00
Vincent Koc
45fff13b1d
TUI: strip only leading inbound metadata (#22461)
2026-02-21 01:13:02 -05:00
Vincent Koc
59167f86ca
test: correct trusted proxy X-Forwarded-For expectation
2026-02-21 00:48:22 -05:00
Shadow
c01e486fc0
chore: credit co-author for #21458
...
Co-authored-by: Pejman Pour-Moezzi <481729+pejmanjohn@users.noreply.github.com>
2026-02-20 23:03:07 -06:00
Vincent Koc
07039dc089
Gateway: harden trusted proxy X-Forwarded-For parsing (#22429)
2026-02-20 23:59:20 -05:00