Peter Steinberger
3effffb491
refactor(commands): dedupe gateway self presence picker
2026-02-15 04:04:33 +00:00
Peter Steinberger
fef86e475b
refactor: dedupe shared helpers across ui/gateway/extensions
2026-02-15 03:34:14 +00:00
Peter Steinberger
cdeedd8093
test(chutes): require redirect URL in manual oauth
2026-02-15 04:16:27 +01:00
Peter Steinberger
6c0dca30b8
fix: accept auth code in chutes oauth manual flow
2026-02-15 02:53:39 +00:00
Peter Steinberger
0e6aefde33
refactor(test): dedupe cloudflare onboarding provider auth cases
2026-02-15 00:26:46 +00:00
Vignesh Natarajan
c4dbcc3444
Memory/QMD: make status checks side-effect free
2026-02-14 15:42:02 -08:00
Peter Steinberger
a99ad11a41
fix: validate state for manual Chutes OAuth
2026-02-14 23:33:56 +01:00
Peter Steinberger
bc299ae17e
refactor(wizard): dedupe gateway health check
2026-02-14 21:59:50 +00:00
Gustavo Madeira Santana
f94c06c53f
test: add explicit harness mock types
2026-02-14 16:51:25 -05:00
Peter Steinberger
4136cdac63
refactor(test): reuse telegram health probe stubs
2026-02-14 21:29:22 +00:00
Peter Steinberger
5f55a53f0e
refactor(test): share doctor legacy migration setup
2026-02-14 21:20:43 +00:00
Peter Steinberger
c06a962bb6
test(e2e): stabilize suite
2026-02-14 22:01:11 +01:00
Peter Steinberger
ee8d8be2e3
fix(chutes): accept manual OAuth code input
2026-02-14 22:01:11 +01:00
Peter Steinberger
d2857fbea9
refactor(test): reuse doctor e2e harness
2026-02-14 20:12:47 +00:00
Peter Steinberger
ffcf37f8c1
fix(doctor): avoid no-op legacy dmPolicy conflict notes
2026-02-14 21:04:27 +01:00
Peter Steinberger
52ad64f8f9
test(doctor): migrate Slack/Discord dmPolicy aliases
2026-02-14 21:04:27 +01:00
Peter Steinberger
bf76452b43
fix(doctor): migrate Slack/Discord dm.policy keys to aliases
2026-02-14 21:04:27 +01:00
Bin Deng
b9d14855d0
Fix: Force dashboard command to use localhost URL (#16434)
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 3c03b4cc9b1dec96e0541df37910a697493ca285
Co-authored-by: BinHPdev <219093083+BinHPdev@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
2026-02-14 15:00:58 -05:00
Peter Steinberger
994bcbf670
refactor: clarify restoreTerminalState stdin resume option
2026-02-14 20:47:00 +01:00
Bin Deng
4734f99108
Fix: Add type safety to models status command (#16395)
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 1554137ae34b8183a924d48e3894e9d60c4e2dde
Co-authored-by: BinHPdev <219093083+BinHPdev@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
2026-02-14 14:07:38 -05:00
Vincent Koc
a042b32d2f
fix: Docker installation keeps hanging on macOS (#12972)
* Onboarding: avoid stdin resume after wizard finish
* Changelog: remove Docker hang entry from PR
* Terminal: make stdin resume behavior explicit at call sites
* CI: rerun format check
* Onboarding: restore terminal before cancel exit
* test(onboard): align restoreTerminalState expectation
* chore(format): align onboarding restore test with updated oxfmt config
* chore(format): enforce updated oxfmt on restore test
* chore(format): apply updated oxfmt spacing to restore test
* fix: avoid stdin resume after onboarding (#12972) (thanks @vincentkoc)
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-02-14 19:46:07 +01:00
Peter Steinberger
4133f4bd37
refactor(tui): clarify searchable select list width layout (#16378)
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: fecbade822f8163f12b7da441b567acb42e6f809
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
2026-02-14 19:15:38 +01:00
Peter Steinberger
fc5d147d1b
fix(test-harness): annotate vitest mocks to avoid TS2742
2026-02-14 18:26:46 +01:00
Peter Steinberger
571c195c54
fix: support moltbot legacy state dir
2026-02-14 17:14:21 +00:00
Peter Steinberger
ae97f8f798
refactor(test): share doctor e2e harness
2026-02-14 17:13:24 +00:00
Steve
69ba9a0562
fix: add memory search health check to openclaw doctor (openclaw#16294) thanks @superlowburn
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test (noted unrelated local flakes)
Co-authored-by: superlowburn <24779772+superlowburn@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
2026-02-14 11:09:51 -06:00
Peter Steinberger
684c18458a
perf(test): speed up line, models list, and memory batch
2026-02-14 16:36:15 +00:00
Peter Steinberger
d583782ee3
fix(security): harden discovery routing and TLS pins
2026-02-14 17:18:14 +01:00
Peter Steinberger
9e147f00b4
fix(doctor): resolve telegram allowFrom usernames
2026-02-14 16:48:07 +01:00
Peter Steinberger
8d1a1d9e86
refactor(commands): share vllm setup
2026-02-14 15:39:46 +00:00
Peter Steinberger
64df787448
refactor(channels): share account summary helpers
2026-02-14 15:39:46 +00:00
Peter Steinberger
3150ece95a
refactor(channels): pass setup input to mutator
2026-02-14 15:39:45 +00:00
Peter Steinberger
4c74a2f06e
refactor(channels): reuse setup input types
2026-02-14 15:39:45 +00:00
Peter Steinberger
a1fc6a6ea6
refactor(daemon): share runtime status formatter
2026-02-14 15:39:45 +00:00
Peter Steinberger
1b03eb71aa
refactor(health): share channel line styling
2026-02-14 15:39:45 +00:00
Aether AI
3967ece625
fix(security): OC-25 — Validate OAuth state parameter to prevent CSRF attacks (#16058)
* fix(security): validate OAuth state parameter to prevent CSRF attacks (OC-25)
The parseOAuthCallbackInput() function in the Chutes OAuth flow had two
critical bugs that completely defeated CSRF state validation:
1. State extracted from callback URL was never compared against the
expected cryptographic nonce, allowing attacker-controlled state values
2. When URL parsing failed (bare authorization code input), the catch block
fabricated a matching state using expectedState, making the caller's
CSRF check always pass
## Attack Flow
1. Victim runs `openclaw login chutes --manual`
2. System generates cryptographic state: randomBytes(16).toString("hex")
3. Browser opens: https://api.chutes.ai/idp/authorize?state=abc123...
4. Attacker obtains their OWN OAuth authorization code (out of band)
5. Attacker tricks victim into pasting just "EVIL_CODE" (not full URL)
6. parseOAuthCallbackInput("EVIL_CODE", "abc123...") is called
7. new URL("EVIL_CODE") throws → catch block executes
8. catch returns { code: "EVIL_CODE", state: "abc123..." } ← FABRICATED
9. Caller checks: parsed.state !== state → "abc123..." !== "abc123..." → FALSE
10. CSRF check passes! System calls exchangeChutesCodeForTokens()
11. Attacker's code exchanged for access + refresh tokens
12. Victim's account linked to attacker's OAuth session
Fix:
- Add explicit state validation against expectedState before returning
- Remove state fabrication from catch block; always return error for
non-URL input
- Add comprehensive unit tests for state validation
Remediated by Aether AI Agent security analysis.
* fix(security): harden chutes manual oauth state check (#16058) (thanks @aether-ai-agent)
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-02-14 15:28:52 +01:00
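The parser-level mistake described in the OC-25 commit message above, shown as an added example in TypeScript (the project's language) that is not the project's own code: a reconstruction of the pre-fix `parseOAuthCallbackInput` (state passed through unchecked, and a fabricated matching state for non-URL input) beside a hardened version that enforces the state check inside the parser and rejects bare-code input. Everything except the name `parseOAuthCallbackInput` and the `randomBytes(16).toString("hex")` state format is an assumption for illustration: the `*Vulnerable`/`*Hardened` suffixes, `newOAuthState`, `callerAcceptsVulnerable`, the sample inputs, and the `127.0.0.1:1455` callback URL. The constant-time comparison is an extra hardening step the commit message does not mention.

```typescript
import { randomBytes, timingSafeEqual } from "node:crypto";

export type OAuthCallback =
  | { ok: true; code: string; state: string }
  | { ok: false; error: string };

// Same state format as the commit message: 16 random bytes, hex-encoded (32 chars).
export function newOAuthState(): string {
  return randomBytes(16).toString("hex");
}

// Length-aware constant-time comparison so the check does not leak how many
// leading characters of the state matched.
function safeEqual(a: string, b: string): boolean {
  const enc = new TextEncoder();
  const ab = enc.encode(a);
  const bb = enc.encode(b);
  if (ab.length !== bb.length) return false;
  return timingSafeEqual(ab, bb);
}

// Hypothetical reconstruction of the pre-fix behaviour: the state from the URL
// is returned unchecked, and input that is not a URL is treated as a bare code
// with the *expected* state pasted in, so a caller comparing parsed.state to its
// own state can never fail.
export function parseOAuthCallbackInputVulnerable(
  input: string,
  expectedState: string,
): OAuthCallback {
  try {
    const url = new URL(input.trim());
    const code = url.searchParams.get("code");
    if (!code) return { ok: false, error: "missing code" };
    return { ok: true, code, state: url.searchParams.get("state") ?? "" };
  } catch {
    // new URL("EVIL_CODE") throws; this branch fabricates a matching state.
    return { ok: true, code: input.trim(), state: expectedState };
  }
}

// Hardened form: the parser validates state itself, and anything that is not a
// full callback URL is an error rather than a fabricated match.
export function parseOAuthCallbackInputHardened(
  input: string,
  expectedState: string,
): OAuthCallback {
  let url: URL;
  try {
    url = new URL(input.trim());
  } catch {
    return { ok: false, error: "paste the full redirect URL, not just the code" };
  }
  const code = url.searchParams.get("code");
  const state = url.searchParams.get("state");
  if (!code) return { ok: false, error: "missing code" };
  if (!state || !safeEqual(state, expectedState)) {
    return { ok: false, error: "state mismatch (possible CSRF)" };
  }
  return { ok: true, code, state };
}

// The caller-side check the commit message describes: parsed.state is compared
// to the caller's state, which the fabricated value always satisfies.
export function callerAcceptsVulnerable(input: string, expectedState: string): boolean {
  const parsed = parseOAuthCallbackInputVulnerable(input, expectedState);
  return parsed.ok && parsed.state === expectedState;
}

// Constructed sample inputs (not real Chutes data).
export const EXPECTED_STATE = "0123456789abcdef0123456789abcdef";
export const SAMPLE_CALLBACK =
  `http://127.0.0.1:1455/callback?code=good-code&state=${EXPECTED_STATE}`;
export const ATTACKER_BARE_CODE = "EVIL_CODE";
export const ATTACKER_FORGED_URL =
  "http://127.0.0.1:1455/callback?code=EVIL_CODE&state=attacker-chosen";
```

Run against the constructed inputs, the vulnerable path accepts the bare attacker code (steps 5 through 10 of the attack flow), while the hardened parser rejects both the bare code and a forged URL carrying an attacker-chosen state, and accepts only the genuine callback. Later commits in this log ("fix(chutes): accept manual OAuth code input", "test(chutes): require redirect URL in manual oauth") revisit which inputs the real manual flow accepts; this example follows the OC-25 description only.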
Peter Steinberger
3aa94afcfd
fix(security): harden archive extraction (#16203)
* fix(browser): confine upload paths for file chooser
* fix(browser): sanitize suggested download filenames
* chore(lint): avoid control regex in download sanitizer
* test(browser): cover absolute escape paths
* docs(browser): update upload example path
* refactor(browser): centralize upload path confinement
* fix(infra): harden tmp dir selection
* fix(security): harden archive extraction
* fix(infra): harden tar extraction filter
2026-02-14 14:42:08 +01:00
Peter Steinberger
1ba266a8e8
refactor: split minimax-cn provider
2026-02-14 13:37:47 +01:00
Peter Steinberger
83248f7603
Merge remote-tracking branch 'origin/main'
2026-02-14 13:30:22 +01:00
Peter Steinberger
0cfea46293
fix: wire minimax-api-key-cn onboarding (#15191) (thanks @liuy)
2026-02-14 13:25:54 +01:00
Liu Yuan
9bb099736b
feat: add minimax-api-key-cn option for China API endpoint
- Add 'minimax-api-key-cn' auth choice for Chinese users
- Reuse existing --minimax-api-key CLI option
- Use MINIMAX_CN_API_BASE_URL (https://api.minimaxi.com/anthropic)
- Similar to how moonshot supports moonshot-api-key-cn
Tested: build ✅, check ✅, test ✅
2026-02-14 13:25:54 +01:00
Peter Steinberger
6dd6bce997
fix(security): enforce sandbox bridge auth
2026-02-14 13:17:41 +01:00
Peter Steinberger
eb4215d570
perf(test): speed up Vitest bootstrap
2026-02-14 12:13:27 +00:00
Nicholas
f8ba8f7699
fix(docs): update outdated hooks documentation URLs (#16165)
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 8ed13fb02fae2cb6dd3cacdb3cd1ef37a5cdd4d8
Co-authored-by: nicholascyh <188132635+nicholascyh@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
2026-02-14 13:05:37 +01:00
Peter Steinberger
3b56a6252b
chore!: remove moltbot legacy state/config support
2026-02-14 12:40:47 +01:00
Nick Taylor
1fb52b4d7b
feat(gateway): add trusted-proxy auth mode (#15940)
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 279d4b304f83186fda44dfe63a729406a835dafa
Co-authored-by: nickytonline <833231+nickytonline@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
2026-02-14 12:32:17 +01:00
Peter Steinberger
d8beddc8b7
refactor(onboard): unify auth-choice aliases and provider flags
2026-02-14 05:58:26 +01:00
Peter Steinberger
eab9dc538a
refactor(onboard): unify auth-choice catalog for CLI help
2026-02-14 05:51:17 +01:00
AI-Reviewer-QS
28431b84cc
fix(gateway): prune expired entries instead of clearing all hook auth failure state (#15848)
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 188a40e8a35112b9ea2df23dd0a940b9be1eac1d
Co-authored-by: AI-Reviewer-QS <255312808+AI-Reviewer-QS@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
2026-02-14 01:46:12 +01:00
Peter Steinberger
e7c3c27fd0
perf(test): trim browser and models suite overhead
2026-02-14 00:38:55 +00:00