Peter Steinberger
5dc50b8a3f
fix(security): harden npm plugin and hook install integrity flow
2026-02-19 15:11:25 +01:00
Thorfinn
b45bb6801c
fix(doctor): skip embedding provider check when QMD backend is active (openclaw#17295) thanks @miloudbelarebia
...
Verified:
- pnpm build
- pnpm check (fails on baseline formatting drift in files identical to origin/main)
- pnpm test:macmini
Co-authored-by: miloudbelarebia <52387093+miloudbelarebia@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
2026-02-19 07:21:27 -06:00
Jay Caldwell
9edec67a18
fix(security): block plaintext WebSocket connections to non-loopback addresses (#20803)
...
* fix(security): block plaintext WebSocket connections to non-loopback addresses
Addresses CWE-319 (Cleartext Transmission of Sensitive Information).
Previously, ws:// connections to remote hosts were allowed, exposing
both credentials and chat data to network interception. This change
blocks ALL plaintext ws:// connections to non-loopback addresses,
regardless of whether explicit credentials are configured (device
tokens may be loaded dynamically).
Security policy:
- wss:// allowed to any host
- ws:// allowed only to loopback (127.x.x.x, localhost, ::1)
- ws:// to LAN/tailnet/remote hosts now requires TLS
Changes:
- Add isSecureWebSocketUrl() validation in net.ts
- Block insecure connections in GatewayClient.start()
- Block insecure URLs in buildGatewayConnectionDetails()
- Handle malformed URLs gracefully without crashing
- Update tests to use wss:// for non-loopback URLs
Fixes #12519
* fix(test): update gateway-chat mock to preserve net.js exports
Use importOriginal to spread actual module exports and mock only
the functions needed for testing. This ensures isSecureWebSocketUrl
and other exports remain available to the code under test.
2026-02-19 03:13:08 -08:00
Peter Steinberger
90b05b18f1
test: collapse duplicate onboard auth assertions
2026-02-19 09:13:16 +00:00
Peter Steinberger
749edf25ca
test: dedupe repeated onboarding provider config cases
2026-02-19 09:08:48 +00:00
Peter Steinberger
47bbef30f9
test: merge duplicate undefined api-key persistence checks
2026-02-19 08:27:40 +00:00
Peter Steinberger
fe3bd9d65b
test: merge duplicate gateway token coercion checks
2026-02-19 08:26:43 +00:00
Peter Steinberger
ad4c784f20
test: collapse duplicate gateway token-generation cases
2026-02-19 08:15:32 +00:00
Peter Steinberger
8b17a369e9
refactor(agents): share agent entry and block reply payload types
2026-02-19 00:06:19 +00:00
Peter Steinberger
5c5c032f42
refactor(security): share DM allowlist state resolver
2026-02-18 23:58:11 +00:00
Peter Steinberger
89a0b95af4
refactor(security): reuse shared allowlist normalization
2026-02-18 23:48:32 +00:00
Peter Steinberger
aa8f87a3bf
refactor(plugins): reuse plugin loader logger adapter
2026-02-18 23:48:32 +00:00
Peter Steinberger
0048af4e2d
refactor(commands): dedupe auth-choice model notes
2026-02-18 23:34:15 +00:00
Peter Steinberger
1a030a544b
test: table-drive sandbox formatter assertions
2026-02-18 23:19:33 +00:00
Peter Steinberger
c0c10f42e2
refactor(commands): share daemon runtime warning helper
2026-02-18 23:09:09 +00:00
Peter Steinberger
8e6a7a6343
refactor(models): reuse list format helpers in scan
2026-02-18 23:09:09 +00:00
Peter Steinberger
8369913c7a
refactor(models): reuse validated config snapshot loader
2026-02-18 22:49:39 +00:00
Peter Steinberger
c0e0d4c63d
test: dedupe empty-array counter checks in sandbox formatters
2026-02-18 22:46:10 +00:00
Peter Steinberger
4c096020a2
refactor(commands): share configure wizard channel/daemon steps
2026-02-18 18:37:17 +00:00
Peter Steinberger
4f36c813a7
refactor(commands): share custom api verification request flow
2026-02-18 18:30:13 +00:00
Peter Steinberger
d67942af1e
refactor(telegram): share getChat id lookup helper
2026-02-18 17:48:02 +00:00
Peter Steinberger
005e1d5fd1
refactor(cli): share styled select prompt helper
2026-02-18 17:48:02 +00:00
Peter Steinberger
288015a9fc
refactor(auth): share api key masking utility
2026-02-18 17:13:35 +00:00
the sun gif man
114736ed1a
Doctor/Security: fix telegram numeric ID + symlink config permission warnings (#19844)
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: e42bf1e48de947571007df1d65f25d157a399a84
Co-authored-by: joshp123 <1497361+joshp123@users.noreply.github.com>
Co-authored-by: joshp123 <1497361+joshp123@users.noreply.github.com>
Reviewed-by: @joshp123
2026-02-18 00:09:51 -08:00
Peter Steinberger
e3292b9af1
test: dedupe sessions command tests and cover active filtering
2026-02-18 05:30:51 +00:00
Robby
5c69e625f5
fix(cli): display correct model for sub-agents in sessions list (#18660)
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: ba54c5a351f7ba7f6ffcc690be0e15d8e052d0d9
Co-authored-by: robbyczgw-cla <239660374+robbyczgw-cla@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
2026-02-17 23:59:20 -05:00
Peter Steinberger
a69e7682c1
refactor(test): dedupe channel and monitor action suites
2026-02-18 04:49:22 +00:00
Gustavo Madeira Santana
4d3403b7ac
chore: fix CI errors
2026-02-17 23:46:40 -05:00
Peter Steinberger
e57628165a
test: dedupe shared setup in channel and doctor config tests
2026-02-18 04:04:14 +00:00
Peter Steinberger
516046dba8
fix: avoid doctor token regeneration on invalid repairs
2026-02-18 04:51:25 +01:00
Peter Steinberger
f25bbbc37e
feat: switch anthropic onboarding defaults to sonnet
2026-02-18 04:37:58 +01:00
Peter Steinberger
d1c00dbb7c
fix: harden include confinement edge cases (#18652) (thanks @aether-ai-agent)
2026-02-18 03:27:16 +01:00
Peter Steinberger
b8b43175c5
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
Peter Steinberger
31f9be126c
style: run oxfmt and fix gate failures
2026-02-18 01:29:02 +00:00
Peter Steinberger
6dcc052bb4
fix: stabilize model catalog and pi discovery auth storage compatibility
2026-02-18 02:09:40 +01:00
Peter Steinberger
ae2c8f2cf0
feat(models): support anthropic sonnet 4.6
2026-02-18 00:00:31 +01:00
Seb Slight
f44e3b2a34
revert: fix models set catalog validation (#19194)
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 7e3b2ff7afe052097c4414fc64d7e66191e8fcc3
Co-authored-by: sebslight <19554889+sebslight@users.noreply.github.com>
Co-authored-by: sebslight <19554889+sebslight@users.noreply.github.com>
Reviewed-by: @sebslight
2026-02-17 09:43:41 -05:00
Sebastian
cc359d338e
test: add fetch mock helper and reaction coverage
2026-02-17 09:02:39 -05:00
Benjamin Jesuiter
01fcac0726
Configure: make model picker allowlist searchable
2026-02-17 09:15:55 +01:00
cpojer
6264c5e842
chore: Fix types in tests 41/N.
2026-02-17 15:50:07 +09:00
cpojer
ecf1c955a1
chore: Fix types in tests 29/N.
2026-02-17 14:32:43 +09:00
cpojer
d0cb8c19b2
chore: wtf.
2026-02-17 13:36:48 +09:00
Sebastian
ed11e93cf2
chore(format)
2026-02-16 23:20:16 -05:00
Sebastian
4b40bdb98e
fix(telegram): clear offsets on token change
2026-02-16 23:07:26 -05:00
Sebastian
1486eb66fd
revert(gateway): restore loopback auth setup
2026-02-16 22:35:27 -05:00
Sebastian
52b624ccae
fix(doctor): audit env-only gateway tokens
2026-02-16 22:35:27 -05:00
cpojer
245018fd6b
chore: Fix types in tests 21/N.
2026-02-17 12:23:12 +09:00
Sebastian
68634468f5
chore(format): fix test import order
2026-02-16 22:18:03 -05:00
Sebastian
d137f33281
test(status): cover token summary variants
2026-02-16 22:10:07 -05:00
cpojer
7bc783cb03
chore: Fix types in tests 16/N.
2026-02-17 12:00:29 +09:00