Peter Steinberger
|
370d115549
|
fix: enforce workspaceOnly for native prompt image autoload
|
2026-02-24 14:47:59 +00:00 |
|
Peter Steinberger
|
8cc841766c
|
docs(security): enumerate dangerous config parameters
|
2026-02-24 14:25:43 +00:00 |
|
Peter Steinberger
|
4d124e4a9b
|
feat(security): warn on likely multi-user trust-model mismatch
|
2026-02-24 14:03:19 +00:00 |
|
Peter Steinberger
|
8c5cf2d5b2
|
docs(subagents): document default runTimeoutSeconds config (#24594) (thanks @mitchmcalister)
|
2026-02-24 04:22:43 +00:00 |
|
Peter Steinberger
|
223d7dc23d
|
feat(gateway)!: require explicit non-loopback control-ui origins
|
2026-02-24 01:57:11 +00:00 |
|
Peter Steinberger
|
5eb72ab769
|
fix(security): harden browser SSRF defaults and migrate legacy key
|
2026-02-24 01:52:01 +00:00 |
|
Peter Steinberger
|
f0f886ecc4
|
docs(security): clarify gateway-node trust boundary in docs
|
2026-02-24 01:35:44 +00:00 |
|
Peter Steinberger
|
cfa44ea6b4
|
fix(security): make allowFrom id-only by default with dangerous name opt-in (#24907)
* fix(channels): default allowFrom to id-only; add dangerous name opt-in
* docs(security): align channel allowFrom docs with id-only default
|
2026-02-24 01:01:51 +00:00 |
|
Peter Steinberger
|
41b0568b35
|
docs(security): clarify shared-agent trust boundaries
|
2026-02-24 01:00:05 +00:00 |
|
Peter Steinberger
|
400220275c
|
docs: clarify multi-instance recommendations for user isolation
|
2026-02-24 00:40:08 +00:00 |
|
Peter Steinberger
|
7d55277d72
|
docs: clarify operator trust boundary for shared gateways
|
2026-02-24 00:25:01 +00:00 |
|
Gustavo Madeira Santana
|
eff3c5c707
|
Session/Cron maintenance hardening and cleanup UX (#24753)
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 7533b85156186863609fee9379cd9aedf74435af
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: shakkernerd <165377636+shakkernerd@users.noreply.github.com>
Reviewed-by: @shakkernerd
|
2026-02-23 22:39:48 +00:00 |
|
Peter Steinberger
|
9af3ec92a5
|
fix(gateway): add HSTS header hardening and docs
|
2026-02-23 19:47:29 +00:00 |
|
Peter Steinberger
|
78e7f41d28
|
docs: detail per-agent prompt caching configuration
|
2026-02-23 18:46:40 +00:00 |
|
边黎安
|
a4c373935f
|
fix(agents): fall back to agents.defaults.model when agent has no model config (#24210)
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 0f272b102763736001a82cfda23f35ff2ee9cac8
Co-authored-by: bianbiandashen <16240681+bianbiandashen@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
|
2026-02-23 03:18:55 -05:00 |
|
Tak Hoffman
|
9e1a13bf4c
|
Gateway/UI: data-driven agents tools catalog with provenance (openclaw#24199) thanks @Takhoffman
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- gh pr checks 24199 --watch --fail-fast
Co-authored-by: Takhoffman <781889+Takhoffman@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
|
2026-02-22 23:55:59 -06:00 |
|
Peter Steinberger
|
e0d4194869
|
docs: add missing summary/read_when metadata
|
2026-02-22 20:45:09 +01:00 |
|
Peter Steinberger
|
08431da5d5
|
refactor(gateway): unify credential precedence across entrypoints
|
2026-02-22 18:55:44 +01:00 |
|
Peter Steinberger
|
e58054b85c
|
docs(telegram): align Node22 network defaults and setup guidance
|
2026-02-22 17:54:16 +01:00 |
|
Peter Steinberger
|
0d0f4c6992
|
refactor(exec): centralize safe-bin policy checks
|
2026-02-22 13:18:25 +01:00 |
|
Peter Steinberger
|
65dccbdb4b
|
fix: document onboarding dmScope default as breaking change (#23468) (thanks @bmendonca3)
|
2026-02-22 12:36:49 +01:00 |
|
Peter Steinberger
|
85e5ed3f78
|
refactor(channels): centralize runtime group policy handling
|
2026-02-22 12:35:41 +01:00 |
|
Brian Mendonca
|
bc78b343ba
|
Security: expand audit checks for mDNS and real-IP fallback
|
2026-02-22 11:26:17 +01:00 |
|
Peter Steinberger
|
8887f41d7d
|
refactor(gateway)!: remove legacy v1 device-auth handshake
|
2026-02-22 09:27:03 +01:00 |
|
Peter Steinberger
|
008a8c9dc6
|
chore(docs): normalize security finding table formatting
|
2026-02-22 08:03:29 +00:00 |
|
Peter Steinberger
|
265da4dd2a
|
fix(security): harden gateway command/audit guardrails
|
2026-02-22 08:45:48 +01:00 |
|
Peter Steinberger
|
049b8b14bc
|
fix(security): flag open-group runtime/fs exposure in audit
|
2026-02-22 08:22:51 +01:00 |
|
Peter Steinberger
|
817905f3a0
|
docs: document thread-bound subagent sessions and remove plan
|
2026-02-21 19:59:55 +01:00 |
|
Peter Steinberger
|
2c14b0cf4c
|
refactor(config): unify streaming config across channels
|
2026-02-21 19:53:42 +01:00 |
|
Peter Steinberger
|
f48698a50b
|
fix(security): harden sandbox browser network defaults
|
2026-02-21 14:02:53 +01:00 |
|
Peter Steinberger
|
8c1518f0f3
|
fix(sandbox): use one-time noVNC observer tokens
|
2026-02-21 13:56:58 +01:00 |
|
Peter Steinberger
|
621d8e1312
|
fix(sandbox): require noVNC observer password auth
|
2026-02-21 13:44:24 +01:00 |
|
Peter Steinberger
|
be7f825006
|
refactor(gateway): harden proxy client ip resolution
|
2026-02-21 13:36:23 +01:00 |
|
Peter Steinberger
|
14b0d2b816
|
refactor: harden control-ui auth flow and add insecure-flag audit summary
|
2026-02-21 13:18:23 +01:00 |
|
Peter Steinberger
|
f265d45840
|
fix(tts): make model provider overrides opt-in
|
2026-02-21 13:16:07 +01:00 |
|
Peter Steinberger
|
356d61aacf
|
fix(gateway): scope tailscale tokenless auth to websocket
|
2026-02-21 13:03:13 +01:00 |
|
Peter Steinberger
|
99048dbec2
|
fix(gateway): align insecure-auth toggle messaging
|
2026-02-21 12:57:22 +01:00 |
|
Peter Steinberger
|
810218756d
|
docs(security): clarify trusted-host deployment assumptions
|
2026-02-21 12:53:12 +01:00 |
|
Peter Steinberger
|
ede496fa1a
|
docs: clarify trusted-host assumption for tokenless tailscale
|
2026-02-21 12:52:49 +01:00 |
|
Ayaan Zaidi
|
677384c519
|
refactor: simplify Telegram preview streaming to single boolean (#22012)
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: a4017d3b9469d0c25c6ab3f4d9be06b98445474e
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
|
2026-02-21 15:19:13 +05:30 |
|
Shadow
|
f555835b09
|
Channels: add thread-aware model overrides
|
2026-02-20 19:26:25 -06:00 |
|
Shadow
|
4ab946eebf
|
Discord VC: voice channels, transcription, and TTS (#18774)
|
2026-02-20 16:06:07 -06:00 |
|
Mariano
|
094dbdaf2b
|
fix(gateway): require loopback proxy IP for trusted-proxy + bind=loopback (#22082)
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 6ff3ca9b5db530c2ea4abbd027ee98a9c4a1be67
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Reviewed-by: @mbelinky
|
2026-02-20 18:03:53 +00:00 |
|
adhitShet
|
ae4907ce6e
|
fix(heartbeat): return false for zero-width active-hours window (#21408)
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 993860bd0393fe9f48022f36c950c069863b4a61
Co-authored-by: adhitShet <131381638+adhitShet@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
|
2026-02-19 20:03:57 -05:00 |
|
Peter Steinberger
|
c45f3c5b00
|
fix(gateway): harden canvas auth with session capabilities
|
2026-02-19 15:51:22 +01:00 |
|
Peter Steinberger
|
b40821b068
|
fix: harden ACP secret handling and exec preflight boundaries
|
2026-02-19 15:34:20 +01:00 |
|
Peter Steinberger
|
a40c10d3e2
|
fix: harden agent gateway authorization scopes
|
2026-02-19 14:37:56 +01:00 |
|
Peter Steinberger
|
ff74d89e86
|
fix: harden gateway control-plane restart protections
|
2026-02-19 14:30:15 +01:00 |
|
Peter Steinberger
|
e3e0ffd801
|
feat(security): audit gateway HTTP no-auth exposure
|
2026-02-19 14:25:56 +01:00 |
|
Peter Steinberger
|
1316e57403
|
fix: enforce inbound attachment root policy across pipelines
|
2026-02-19 14:15:51 +01:00 |
|