admin/Moltbot
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
15,652 Commits 1 Branch 0 Tags
412eabc42b5502f57bf0def5bbee71242ec52012
Commit Graph

15652 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Peter Steinberger
412eabc42b fix(session): retire stale dm main route after dmScope migration (#31010) 2026-03-02 00:33:54 +00:00
Peter Steinberger
68832f203e refactor(diagnostics): hot-reload stuck warning threshold 2026-03-02 00:32:33 +00:00
Peter Steinberger
fbd832d64f refactor(config): share byte-size parsing for memory flush 2026-03-02 00:32:33 +00:00
Peter Steinberger
9e727893ff refactor(session): consolidate transcript snapshot reads 2026-03-02 00:32:33 +00:00
Peter Steinberger
3a68c56264 refactor(security): unify webhook guardrails across channels 2026-03-02 00:31:42 +00:00
Peter Steinberger
58659b931b fix(gateway): enforce owner boundary for agent runs 2026-03-02 00:27:44 +00:00
Peter Steinberger
9005e8bc0a refactor(gateway): unify metadata canonicalization + platform rules 2026-03-02 00:26:36 +00:00
Peter Steinberger
0c0f556927 fix(discord): unify reconnect watchdog and land #31025/#30530 
Landed follow-up intent from contributor PR #31025 (@theotarr) and PR #30530 (@liuxiaopai-ai).

Co-authored-by: theotarr <theotarr@users.noreply.github.com>
Co-authored-by: liuxiaopai-ai <liuxiaopai-ai@users.noreply.github.com>
 2026-03-02 00:24:15 +00:00
Peter Steinberger
0eac494db7 fix(gateway): harden node metadata policy classification 2026-03-02 00:15:34 +00:00
Peter Steinberger
84d0a794ec fix: harden matrix startup errors + add regressions (#31023) (thanks @efe-arv) 2026-03-02 00:15:10 +00:00
efe-arv
235ed71e94 fix: handle late client.start() failures via single catch handler 
The .catch() handler now covers both early and late failures:
- Within 2s: sets settled=true, startup throws to caller
- After 2s: sets params.state.started=false so subsequent
  resolveSharedMatrixClient() calls detect the dead client

Removed redundant second .catch() — single handler covers all cases.
 2026-03-02 00:15:10 +00:00
efe-arv
4f9daf9821 fix: propagate client.start() errors to caller instead of swallowing 
Codex review feedback: ensureSharedClientStarted now throws the error
from client.start() if it rejects during the 2s grace window, so
resolveSharedMatrixClient() properly reports failure (e.g. bad token,
unreachable homeserver) instead of leaving the provider in a
running-but-not-syncing state.
 2026-03-02 00:15:10 +00:00
efe-arv
8884f99c92 fix: address review feedback — handle start failure, remove placeholder URL 
- Don't mark client as started if client.start() errors during init
- Remove placeholder issue URL from comment
 2026-03-02 00:15:10 +00:00
efe-arv
f66f563c1a fix(matrix): fix multiple Conduit compatibility issues preventing message delivery 
## Changes

### 1. Fix client.start() hanging forever (shared.ts)
The bot-sdk's `client.start()` returns a promise that never resolves
(infinite sync loop). The plugin awaited it, blocking the entire provider
startup — `logged in as` never printed, no messages were processed.

Fix: fire-and-forget with error handler + 2s initialization delay.

### 2. Fix DM false positive for 2-member rooms (direct.ts)
`memberCount === 2` heuristic misclassified explicitly configured group
rooms as DMs when only bot + one user were joined. Messages were routed
through DM policy and silently dropped.

Fix: remove member count heuristic; only trust `m.direct` account data
and `is_direct` room state flag.

Ref: #20145

### 3. Prevent duplicate event listener registration (events.ts)
When both bundled channel plugin and extension load, listeners were
registered twice on the same shared client, causing inconsistent state.

Fix: WeakSet guard to skip registration if client already has listeners.

Ref: #18330

### 4. Add startup grace period (index.ts)
`startupGraceMs = 0` dropped messages timestamped during async setup.
Especially problematic with Conduit which retries on `M_NOT_FOUND`
during filter creation.

Fix: 5-second grace period.

### 5. Fix room ID case sensitivity with Conduit (index.ts)
Room IDs (`!xyz`) without `:server` suffix failed the
`includes(':')` check and were sent to `resolveMatrixTargets`, which
called Conduit's `resolveRoom` — returning lowercased IDs. The bot-sdk
emits events with original-case IDs, causing config lookup mismatches
and reply delivery failures (`M_UNKNOWN: non-create event for room of
unknown version`).

Fix: treat `!`-prefixed entries as room IDs directly (skip resolution).
Only resolve `#alias:server` entries.

## Testing

Tested with Conduit homeserver (lightweight Rust Matrix server).
All fixes verified with gateway log tracing:
- `logged in as @arvi:matrix.local` — first successful login
- `room.message` events fire and reach handler
- Room config matching returns `allowed: true`
- Agent generates response and delivers it to Matrix room
 2026-03-02 00:15:10 +00:00
Peter Steinberger
43cad8268d fix(security): harden webhook memory guards across channels 2026-03-02 00:12:05 +00:00
Peter Steinberger
1c8ae978d2 test(lobster): preserve execFile in child_process mock 2026-03-02 00:10:51 +00:00
Peter Steinberger
53d10f8688 fix(gateway): land access/auth/config migration cluster 
Land #28960 by @Glucksberg (Tailscale origin auto-allowlist).
Land #29394 by @synchronic1 (allowedOrigins upgrade migration).
Land #29198 by @Mariana-Codebase (plugin HTTP auth guard + route precedence).
Land #30910 by @liuxiaopai-ai (tailscale bind/config.patch guard).

Co-authored-by: Glucksberg <markuscontasul@gmail.com>
Co-authored-by: synchronic1 <synchronic1@users.noreply.github.com>
Co-authored-by: Mariana Sinisterra <mariana.data@outlook.com>
Co-authored-by: liuxiaopai-ai <73659136+liuxiaopai-ai@users.noreply.github.com>
 2026-03-02 00:10:51 +00:00
Peter Steinberger
8e6b3ade3e docs(changelog): record session lifecycle and diagnostics fixes 2026-03-02 00:07:47 +00:00
Peter Steinberger
41cc46bbb4 feat(diagnostics): add configurable stuck-session warning threshold 2026-03-02 00:07:29 +00:00
Peter Steinberger
d729ab2150 fix(session): harden usage accounting and memory flush recovery 2026-03-02 00:07:29 +00:00
Vincent Koc
ee96e1751e docs(changelog): add missing contributor credits for 2026.3.1 (#31079) 
* changelog: credit @BUGKillerKing for #29315

* changelog: credit @liuweifly for #14674

* changelog: credit @Sid-Qin for #29709

* changelog: credit @lailoo for #21808

* changelog: credit @openperf for #26259

* changelog: credit @icesword0760 for #28959

* changelog: credit @cowboy129 for #28529

* changelog: credit @yfge for #17798

* changelog: credit @kcinzgg for #27325

* changelog: credit @guoqunabc for #28494

* changelog: credit @WilsonLiu95 for #12755

* changelog: credit @qiangu for #18529

* changelog: credit @lailoo for unreleased #27616

* changelog: credit @tumf for unreleased #18642

* changelog: normalize unreleased #24789 credit handle

* changelog: fill unreleased #24435 credit

* changelog: fill unreleased #25090 credit

* changelog: fill unreleased #29098 credit (entry 1)

* changelog: fill unreleased #29098 credit (entry 2)

* changelog: credit @liuxiaopai-ai for unreleased #30567

* changelog: credit @graysurf for unreleased #23169

* changelog: credit @pablohrcarvalho for unreleased #10686

* changelog: credit @Glucksberg for unreleased #21715

* changelog: credit @liuxiaopai-ai for unreleased #30586

* changelog: add missing credits for 2026.2.26

* changelog: add missing credits for 2026.2.25

* changelog: add missing credits for 2026.2.24

* changelog: add missing credits for 2026.2.23

* changelog: add missing credits for 2026.2.22
 2026-03-01 16:04:55 -08:00
Peter Steinberger
a62d55b283 test(discord): cover DM command decision flow 2026-03-02 00:00:05 +00:00
Peter Steinberger
75596e9370 refactor(discord): unify DM command auth handling 2026-03-02 00:00:05 +00:00
Peter Steinberger
12c1257023 fix(acpx): share windows wrapper resolver and add strict hardening mode 2026-03-01 23:57:06 +00:00
Peter Steinberger
881ac62005 test(discord): stabilize model picker timeout assertions 2026-03-01 23:53:07 +00:00
Peter Steinberger
ee03ade0d6 fix(agents): harden tool-name normalization and transcript repair 
Landed from contributor PRs #30620 and #30735 by @Sid-Qin, plus #30881 by @liuxiaopai-ai.

Co-authored-by: SidQin-cyber <sidqin0410@gmail.com>
Co-authored-by: liuxiaopai-ai <73659136+liuxiaopai-ai@users.noreply.github.com>
 2026-03-01 23:51:54 +00:00
Peter Steinberger
50e2674dfc fix(discord): unify dm command auth gating 2026-03-01 23:50:24 +00:00
Peter Steinberger
577becf1ad fix(plugins): prioritize bundled duplicates in auto-discovery 
Landed from contributor PR #29710 by @Sid-Qin.

Co-authored-by: SidQin-cyber <sidqin0410@gmail.com>
 2026-03-01 23:48:30 +00:00
Peter Steinberger
5056b6438d fix(discord): harden reconnect recovery and preserve message delivery 
Landed from contributor PR #29508 by @cgdusek.

Co-authored-by: Charles Dusek <cgdusek@gmail.com>
 2026-03-01 23:46:07 +00:00
Peter Steinberger
a0d2f6e4fe docs(changelog): note skills security hardening 2026-03-01 23:45:41 +00:00
Peter Steinberger
23f434f98d fix(skills): constrain plugin skill paths 2026-03-01 23:45:41 +00:00
Peter Steinberger
4614222572 fix(skills): validate installer metadata specs 2026-03-01 23:45:41 +00:00
edincampara
577f2fa540 fix(docker): harden /app/extensions permissions to 755 (#30191) 
* fix(docker): harden /app/extensions permissions to 755

Bundled extension directories shipped as world-writable (mode 777)
in the Docker image. The plugin security scanner blocks any world-
writable path with:

  WARN: blocked plugin candidate: world-writable path
        (/app/extensions/memory-core, mode=777)

Add chmod -R 755 /app/extensions in the final USER root RUN step so
all bundled extensions are readable but not world-writable. This runs
as root before switching back to the node user, matching the pattern
already used for chmod 755 /app/openclaw.mjs.

Fixes #30139

* fix(docker): normalize plugin and agent path permissions

* docs(changelog): add docker permissions entry for #30191

* Update CHANGELOG.md

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
 2026-03-01 15:45:21 -08:00
Peter Steinberger
9e6e7a3d69 fix(acpx): harden windows cmd wrapper spawning 2026-03-01 23:44:36 +00:00
Peter Steinberger
13bb80df9d fix(agents): land #20840 cross-channel message-tool actions from @altaywtf 
Include scoped cross-channel action/description behavior, regression tests, changelog note, and make Ollama discovery tests URL-scoped to avoid env-dependent fetch interference.

Co-authored-by: Altay <altay@hey.com>
 2026-03-01 23:37:55 +00:00
Peter Steinberger
912ddba81e fix(macos): harden exec approvals socket path and permissions 2026-03-01 23:37:11 +00:00
Peter Steinberger
6c5633598e fix(security): harden clawlog command execution 2026-03-01 23:33:13 +00:00
Peter Steinberger
ccb415b69a fix: align ACP permission docs defaults (#31044) (thanks @barronlroth) 2026-03-01 23:30:39 +00:00
Barron Roth
bed1cb9600 docs(acp): add permission configuration section and troubleshooting entries 
Document permissionMode and nonInteractivePermissions plugin config
keys for the acpx backend. Add troubleshooting entries for:
- Permission prompt errors in non-interactive ACP sessions
- Silent session failures from swallowed permission errors
- Stalled ACP sessions that never report completion

Relates to #29195

AI-assisted (lightly tested)
 2026-03-01 23:30:39 +00:00
Peter Steinberger
6a80e9db05 fix(browser): harden writable output paths 2026-03-01 23:25:13 +00:00
Peter Steinberger
51bccaf988 chore(changelog): note internal events and ingress hardening 2026-03-01 23:12:09 +00:00
Peter Steinberger
b99666a47a fix(security): harden inbound metadata sentinel stripping 2026-03-01 23:11:48 +00:00
Peter Steinberger
8e48520d74 fix(channels): align command-body parsing sources 2026-03-01 23:11:48 +00:00
Peter Steinberger
4c43fccb3e feat(agents): use structured internal completion events 2026-03-01 23:11:48 +00:00
Peter Steinberger
738dd9aa42 fix(agents): type openai websocket warmup passthrough 2026-03-01 23:10:08 +00:00
Vincent Koc
eb20793550 Docs: add all unlisted docs routes to navigation (#31027) 
* Docs: add missing platform pages to nav

* Docs: include all unlisted docs routes in nav

* Docs nav: classify routes by area and remove catch-all groups

* Docs nav: remove ja-JP AGENTS page entry

* Docs ja-JP: remove AGENTS translation workspace page

* Docs nav: remove refactor plans group

* Docs nav: remove .dev template pages

* Docs nav: remove operations hubs group
 2026-03-01 15:09:35 -08:00
Peter Steinberger
0f5348acb2 test(config): reject discord open DM with empty allowFrom 2026-03-01 23:08:37 +00:00
Peter Steinberger
d1615eb35f feat(openai): add websocket warm-up with configurable toggle 2026-03-01 22:45:03 +00:00
Agent
bc9f357ad7 test: fix fetch mock typing casts 2026-03-01 22:44:28 +00:00
Agent
002539c01e fix(security): harden sandbox novnc observer flow 2026-03-01 22:44:28 +00:00