admin/Moltbot
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
13,058 Commits 1 Branch 0 Tags
905e355f651d7fa539e98f9d2ce47bf5364af5cf
Commit Graph

2299 Commits

Author SHA1 Message Date
Peter Steinberger
7c1a2ab085 test: tolerate transient zai and minimax live-model failures 2026-02-21 17:05:13 +01:00
Peter Steinberger
8588183abe test: stabilize docker e2e suites for pairing and model updates 2026-02-21 16:38:48 +01:00
Onur
8178ea472d feat: thread-bound subagents on Discord (#21805) 
* docs: thread-bound subagents plan

* docs: add exact thread-bound subagent implementation touchpoints

* Docs: prioritize auto thread-bound subagent flow

* Docs: add ACP harness thread-binding extensions

* Discord: add thread-bound session routing and auto-bind spawn flow

* Subagents: add focus commands and ACP/session binding lifecycle hooks

* Tests: cover thread bindings, focus commands, and ACP unbind hooks

* Docs: add plugin-hook appendix for thread-bound subagents

* Plugins: add subagent lifecycle hook events

* Core: emit subagent lifecycle hooks and decouple Discord bindings

* Discord: handle subagent bind lifecycle via plugin hooks

* Subagents: unify completion finalizer and split registry modules

* Add subagent lifecycle events module

* Hooks: fix subagent ended context key

* Discord: share thread bindings across ESM and Jiti

* Subagents: add persistent sessions_spawn mode for thread-bound sessions

* Subagents: clarify thread intro and persistent completion copy

* test(subagents): stabilize sessions_spawn lifecycle cleanup assertions

* Discord: add thread-bound session TTL with auto-unfocus

* Subagents: fail session spawns when thread bind fails

* Subagents: cover thread session failure cleanup paths

* Session: add thread binding TTL config and /session ttl controls

* Tests: align discord reaction expectations

* Agent: persist sessionFile for keyed subagent sessions

* Discord: normalize imports after conflict resolution

* Sessions: centralize sessionFile resolve/persist helper

* Discord: harden thread-bound subagent session routing

* Rebase: resolve upstream/main conflicts

* Subagents: move thread binding into hooks and split bindings modules

* Docs: add channel-agnostic subagent routing hook plan

* Agents: decouple subagent routing from Discord

* Discord: refactor thread-bound subagent flows

* Subagents: prevent duplicate end hooks and orphaned failed sessions

* Refactor: split subagent command and provider phases

* Subagents: honor hook delivery target overrides

* Discord: add thread binding kill switches and refresh plan doc

* Discord: fix thread bind channel resolution

* Routing: centralize account id normalization

* Discord: clean up thread bindings on startup failures

* Discord: add startup cleanup regression tests

* Docs: add long-term thread-bound subagent architecture

* Docs: split session binding plan and dedupe thread-bound doc

* Subagents: add channel-agnostic session binding routing

* Subagents: stabilize announce completion routing tests

* Subagents: cover multi-bound completion routing

* Subagents: suppress lifecycle hooks on failed thread bind

* tests: fix discord provider mock typing regressions

* docs/protocol: sync slash command aliases and delete param models

* fix: add changelog entry for Discord thread-bound subagents (#21805) (thanks @onutc)

---------

Co-authored-by: Shadow <hi@shadowing.dev>
 2026-02-21 16:14:55 +01:00
Peter Steinberger
166068dfbe test: add byteplus coding-plan live test 2026-02-21 15:42:44 +01:00
Peter Steinberger
c8466e516f fix(agents): raise dynamic retry cap budget 2026-02-21 15:41:30 +01:00
Peter Steinberger
b520e7ac38 fix: stabilize docker live model and doctor-switch tests 2026-02-21 15:36:24 +01:00
Peter Steinberger
b25d3652e7 fix(agents): cap embedded runner retry loop 2026-02-21 15:35:45 +01:00
Peter Steinberger
3101047234 feat(models): add Gemini 3.1 support 2026-02-21 15:08:06 +01:00
Peter Steinberger
581868365d fix: finish volcengine/byteplus landing polish (#7967) (thanks @funmore123) 2026-02-21 15:05:09 +01:00
fanziqing
559736a5a0 feat(volcengine): integrate Volcengine & Byteplus Provider 2026-02-21 15:05:09 +01:00
大猫子
c62a6e7040 fix(models): add kimi-coding implicit provider template (openclaw#22526) thanks @lailoo 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: lailoo <20536249+lailoo@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-21 07:35:09 -06:00
Peter Steinberger
10b8839a82 fix(security): centralize WhatsApp outbound auth and return 403 tool auth errors 2026-02-21 14:31:01 +01:00
Peter Steinberger
f23da067f6 fix(security): harden heredoc allowlist parsing 2026-02-21 14:27:51 +01:00
Peter Steinberger
2706cbd6d7 fix(agents): include filenames in image resize logs 2026-02-21 13:16:41 +00:00
Peter Steinberger
21bb46d304 fix(ci): include browser network in sandbox test fixture 2026-02-21 13:05:51 +00:00
Peter Steinberger
f48698a50b fix(security): harden sandbox browser network defaults 2026-02-21 14:02:53 +01:00
Peter Steinberger
26eb1f781d refactor(test): reuse state-dir env helper in auth profile override e2e 2026-02-21 13:00:16 +00:00
Peter Steinberger
50a8942c07 docs(changelog): add WhatsApp reaction allowlist security note 2026-02-21 13:57:54 +01:00
Aether AI Agent
e217f8c3f7 fix(security): OC-91 validate WhatsApp JID against allowlist in all send paths — Aether AI Agent 2026-02-21 13:57:54 +01:00
Peter Steinberger
8c1518f0f3 fix(sandbox): use one-time noVNC observer tokens 2026-02-21 13:56:58 +01:00
Peter Steinberger
621d8e1312 fix(sandbox): require noVNC observer password auth 2026-02-21 13:44:24 +01:00
Peter Steinberger
6cb7e16d40 fix(oauth): harden refresh token refresh-response validation 2026-02-21 13:44:14 +01:00
Peter Steinberger
1835dec200 fix(security): force sandbox browser hash migration and audit stale labels 2026-02-21 13:25:41 +01:00
Peter Steinberger
b2d84528f8 refactor(test): remove duplicate cron tool harnesses 2026-02-21 12:25:23 +00:00
Peter Steinberger
b577228d6b test(security): add overflow compaction truncation-budget regression 2026-02-21 12:59:10 +01:00
Aether AI Agent
084f621025 fix(security): OC-65 prevent compaction counter reset to enforce context exhaustion limit — Aether AI Agent 
Remove the `overflowCompactionAttempts = 0` reset inside the inner loop's
tool-result-truncation branch. The counter was being zeroed on each truncation
cycle, allowing prompt-injection attacks to bypass the MAX_OVERFLOW_COMPACTION_ATTEMPTS
guard and trigger unbounded auto-compaction, exhausting context window resources (DoS).

CWE-400 / GHSA-x2g4-7mj7-2hhj
 2026-02-21 12:59:10 +01:00
Peter Steinberger
5cc631cc9c fix(agents): harden model-skip and tool-policy imports 2026-02-21 11:48:02 +01:00
Peter Steinberger
2cdbadee1f fix(security): block startup-file env injection across host execution paths 2026-02-21 11:44:20 +01:00
Ayaan Zaidi
e1cb73cdeb fix: unblock Docker build by aligning commands schema default (#22558) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 1ad610176d0d08eb5ba055429a10d7e8f9ec07a4
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
 2026-02-21 14:47:28 +05:30
Vincent Koc
c20d519e05 feat(security): migrate sha1 hashes to sha256 for synthetic ids (#7343) (#22528) 
* feat(prompt): add explicit owner hash secret to obfuscation path

* feat(security): migrate synthetic IDs to sha256 for #7343
 2026-02-21 03:20:14 -05:00
Vincent Koc
9abab6a2c9 Add explicit ownerDisplaySecret for owner ID hash obfuscation (#22520) 
* feat(config): add owner display secret setting

* feat(prompt): add explicit owner hash secret to obfuscation path

* test(prompt): assert owner hash secret mode behavior

* Update src/agents/system-prompt.ts

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

---------

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
 2026-02-21 03:13:56 -05:00
Vincent Koc
c2f5628915 Fix formatting (#22474) 2026-02-21 01:37:02 -05:00
C.J. Winslow
58f7b7638a Security: add per-wrapper IDs to untrusted-content markers (#19009) 
Fixes #10927

Adds unique per-wrapper IDs to external-content boundary markers to
prevent spoofing attacks where malicious content could inject fake
marker boundaries.

- Generate random 16-char hex ID per wrap operation
- Start/end markers share the same ID for pairing
- Sanitizer strips markers with or without IDs (handles legacy + spoofed)
- Added test for attacker-injected markers with fake IDs

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
 2026-02-21 01:16:02 -05:00
Vignesh Natarajan
93c2f20a23 Memory: surface explicit memory_search unavailable status 2026-02-20 20:30:52 -08:00
Vincent Koc
282a545130 chore: fix formatting on CI-drift files (#22391) 2026-02-20 22:40:30 -05:00
Glucksberg
1410d15c5e fix: compaction safeguard extension not loading in production builds (openclaw#22349) thanks @Glucksberg 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini (local run had unrelated baseline failures; Tak approved proceed)

Co-authored-by: Glucksberg <80581902+Glucksberg@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-20 21:21:09 -06:00
Shadow
b294342d7f feat(discord): support forum tag edits via channel-edit (#12070) (thanks @xiaoyaner0201) 2026-02-20 21:17:04 -06:00
Vincent Koc
9a6b26d427 fix(ui): strip inbound metadata blocks and guard reply-tag streaming (clean rewrite) (#22346) 
* fix(ui): strip inbound metadata blocks from user messages

* chore: clean up metadata-strip format and changelog credit

* Update src/shared/chat-envelope.ts

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

---------

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
 2026-02-20 21:41:32 -05:00
Taras Lukavyi
0e068194ad fix(tool-display): cd ~/dir && npm install shows as run cd — compound commands truncated to first stage (#21925) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 4728bfe8e75dfcdf21f9ac22e7a26d081dc95d93
Co-authored-by: Lukavyi <1013690+Lukavyi@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
 2026-02-21 08:03:32 +05:30
jackheuberger
feccac6723 fix: sanitize thinking blocks for GitHub Copilot Claude models (openclaw#19459) thanks @jackheuberger 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: jackheuberger <12731288+jackheuberger@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-20 19:48:09 -06:00
Shadow
f555835b09 Channels: add thread-aware model overrides 2026-02-20 19:26:25 -06:00
Tyler Yust
fe57bea088 Subagents: restore announce chain + fix nested retry/drop regressions (#22223) 
* Subagents: restore announce flow and fix nested delivery retries

* fix: prep subagent announce + docs alignment (#22223) (thanks @tyler6204)
 2026-02-20 15:39:09 -08:00
Shadow
4ab946eebf Discord VC: voice channels, transcription, and TTS (#18774) 2026-02-20 16:06:07 -06:00
Shadow
3100b77f12 Agents: clarify authorized sender prompt (Closes #19794) 2026-02-20 15:55:36 -06:00
Shadow
c378439246 Security: harden tool media paths 2026-02-20 13:32:49 -06:00
Shadow
39816e61b0 Security: restrict canvas jsonlPath file reads 2026-02-20 13:21:55 -06:00
Mariano
5828708343 iOS/Gateway: harden pairing resolution and settings-driven capability refresh (#22120) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 55b8a93a999b7458c98f9d3b31abbd3665929b31
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Reviewed-by: @mbelinky
 2026-02-20 18:57:04 +00:00
Shadow
8c9f35cdb5 Agents: sanitize skill env overrides 2026-02-20 12:38:54 -06:00
Mariano
8e4f6c0384 fix(browser): block upload symlink escapes (#21972) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 4381ef9a4d9107798c9c7c00aac62ee81a878789
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Reviewed-by: @mbelinky
 2026-02-20 16:36:25 +00:00
mudrii
7ecfc1d93c fix(auth): bidirectional mode/type compat + sync OAuth to all agents (#12692) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 2dee8e1174e637e50d10bf7020f1de2990b804dc
Co-authored-by: mudrii <220262+mudrii@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
 2026-02-20 16:01:09 +05:30