admin/Moltbot
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
14,871 Commits 1 Branch 0 Tags
b37dc42240726c4778ea193d172cfbb74bfa9912
Commit Graph

9418 Commits

Author SHA1 Message Date
Peter Steinberger
b37dc42240 fix(cron): suppress fallback summary after attempted announce delivery 2026-02-26 03:09:14 +00:00
Peter Steinberger
e16e8f5af2 refactor(slack): share system-event ingress and test harness 2026-02-26 04:01:33 +01:00
Peter Steinberger
de61e9c977 refactor(security): unify path alias guard policies 2026-02-26 03:59:17 +01:00
Peter Steinberger
8a006a3260 feat(heartbeat): add directPolicy and restore default direct delivery 2026-02-26 03:57:03 +01:00
Harold Hunt
ee594e2fdb fix(telegram): webhook hang - tests and fix (openclaw#26933) thanks @huntharo 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: huntharo <5617868+huntharo@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-25 20:56:53 -06:00
Peter Steinberger
1e7ec8bfd2 fix(routing): preserve explicit cron account and bound message defaults 
Co-authored-by: lbo728 <72309817+lbo728@users.noreply.github.com>
Co-authored-by: stakeswky <64798754+stakeswky@users.noreply.github.com>
 2026-02-26 02:56:03 +00:00
Peter Steinberger
92eb3dfc9d refactor(security): unify exec approval request matching 2026-02-26 03:54:37 +01:00
Peter Steinberger
75dfb71e4e fix(slack): gate pin/reaction system events by sender auth 2026-02-26 03:48:58 +01:00
Peter Steinberger
61b3246a7f fix(ssrf): unify ipv6 special-use blocking 2026-02-26 03:43:42 +01:00
Peter Steinberger
04d91d0319 fix(security): block workspace hardlink alias escapes 2026-02-26 03:42:54 +01:00
Peter Steinberger
53fcfdf794 fix(telegram): preserve finalized previews on mixed text+voice turns 2026-02-26 03:42:47 +01:00
Peter Steinberger
03e689fc89 fix(security): bind system.run approvals to argv identity 2026-02-26 03:41:31 +01:00
Peter Steinberger
baf656bc6f fix: block IPv6 multicast SSRF bypass 2026-02-26 03:35:10 +01:00
Peter Steinberger
b786d11fea refactor(telegram): simplify polling restart flow 2026-02-26 03:33:20 +01:00
Peter Steinberger
069bbf9741 fix(slack): land #26878 allowlist channel ID case-insensitive match (thanks @lbo728) 
Land contributor PR #26878 from @lbo728; include changelog credit and regression tests.

Co-authored-by: lbo728 <extreme0728@gmail.com>
 2026-02-26 02:21:02 +00:00
Peter Steinberger
b8bb8ab3ca docs: clarify personal-by-default onboarding security notice 2026-02-26 02:59:34 +01:00
Peter Steinberger
1f004e6640 refactor(tmp): simplify trusted tmp dir state checks 2026-02-26 02:46:53 +01:00
Ramez
acbb93be48 fix(agents): comprehensive quota fallback fixes - session overrides + surgical cooldown logic (#23816) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: e6f2b4742b82b9fe44a7e103170c2f96565b09c5
Co-authored-by: ramezgaberiel <844893+ramezgaberiel@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-25 20:35:40 -05:00
Peter Steinberger
0cc3e8137c refactor(gateway): centralize trusted-proxy control-ui bypass policy 2026-02-26 02:26:52 +01:00
sten moocow
95c6b3a912 fix(telegram): recover polling after prolonged network outages 
When grammY's runner exceeds maxRetryTime during a network outage,
runner.task() resolves cleanly. Previously, the polling loop treated
this as an intentional stop and exited permanently — killing Telegram
polling for the lifetime of the gateway process.

Now the outer loop detects this case and restarts with exponential
backoff, so polling recovers once connectivity is restored.

Also bumps maxRetryTime from 5 minutes to 60 minutes so the runner
itself survives longer outages (e.g. scheduled internet downtime)
without needing the outer loop restart path.
 2026-02-26 01:25:02 +00:00
Peter Steinberger
ce8c67c314 fix(slack): gate interactive system events by sender auth 2026-02-26 02:11:50 +01:00
Peter Steinberger
8c701ba1ff test(gateway): add hooks bind-host hardening coverage 2026-02-26 00:54:39 +00:00
Peter Steinberger
ec45c317f5 fix(gateway): block trusted-proxy control-ui node bypass 2026-02-26 01:54:19 +01:00
codexGW
6fb082e131 fix(typing): call markDispatchIdle in followup runner to prevent stuck indicator (#26881) 
The followup runner (used for queued messages, inter-agent sends,
heartbeat followups, etc.) only called typing.markRunComplete() in
its finally block.  The typing controller requires BOTH markRunComplete
AND markDispatchIdle to trigger cleanup — but markDispatchIdle was
only wired through the buffered dispatcher path, which followup turns
bypass entirely.

This caused the typing indicator to persist indefinitely on channels
like Telegram when the agent replied with NO_REPLY or produced empty
payloads, because the keepalive loop was never stopped.

Adds markDispatchIdle() alongside markRunComplete() in the followup
runner's finally block, and four test cases covering NO_REPLY, empty
payloads, agent errors, and successful delivery.

Complements #26295 which addressed the channel-level callback layer.

Fixes #26595

Co-authored-by: Samantha <samantha@Samanthas-Mac-mini.local>
 2026-02-26 00:53:38 +00:00
Peter Steinberger
70e31c6f68 fix(gateway): harden hooks URL parsing (#26864) 2026-02-26 00:47:35 +00:00
Aleksandrs Tihenko
c0026274d9 fix(auth): distinguish revoked API keys from transient auth errors (#25754) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 8f9c07a200644284e11adae76368adab40c5fa4e
Co-authored-by: rrenamed <87486610+rrenamed@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-25 19:47:16 -05:00
Peter Steinberger
f312222159 test: preserve config exports in agent handler mock 2026-02-26 00:42:51 +00:00
Peter Steinberger
aaeed3c4ea test(agents): add missing announce delivery regressions 2026-02-26 00:38:34 +00:00
Peter Steinberger
20c2db2103 refactor(gateway): split browser auth hardening paths 2026-02-26 01:37:00 +01:00
Peter Steinberger
8f8e46d898 refactor: unify reaction ingress policy guards across channels 2026-02-26 01:34:47 +01:00
Peter Steinberger
4258a3307f refactor(agents): unify subagent announce delivery pipeline 
Co-authored-by: Smith Labs <SmithLabsLLC@users.noreply.github.com>
Co-authored-by: Do Cao Hieu <docaohieu2808@users.noreply.github.com>
 2026-02-26 00:30:44 +00:00
Peter Steinberger
aedf62ac7e fix: harden discord and slack reaction ingress authorization 2026-02-26 01:26:47 +01:00
Peter Steinberger
c736f11a16 fix(gateway): harden browser websocket auth chain 2026-02-26 01:22:49 +01:00
Peter Steinberger
f41715a18f refactor(browser): split act route modules and dedupe path guards 2026-02-26 01:21:34 +01:00
Peter Steinberger
046feb6b0e refactor: simplify telegram event authorization flow 2026-02-26 01:14:05 +01:00
Peter Steinberger
496a76c03b fix(security): harden browser trace/download temp path handling 2026-02-26 01:04:05 +01:00
Peter Steinberger
e56b0cf1a0 fix: enforce telegram reaction authorization 2026-02-26 01:03:03 +01:00
Peter Steinberger
c6dfa26f03 refactor(signal): unify reaction auth flow and table-drive tests 2026-02-26 01:02:05 +01:00
Shakker
a0a229a3bb Discord: align embed fallback in thread starter parsing 2026-02-25 23:58:42 +00:00
User
39cc547f74 fix(discord): include embed title in fallback text (#26907) 2026-02-25 23:58:42 +00:00
Peter Steinberger
b090d6019b test(agent-runner): add overflow empty-payload regression coverage (#26905) 2026-02-25 23:57:58 +00:00
Peter Steinberger
42f455739f fix(security): clarify denyCommands exact-match guidance 2026-02-26 00:55:35 +01:00
Peter Steinberger
eb73e87f18 fix(session): prevent silent overflow on parent thread forks (#26912) 
Lands #26912 from @markshields-tl with configurable session.parentForkMaxTokens and docs/tests/changelog updates.

Co-authored-by: Mark Shields <239231357+markshields-tl@users.noreply.github.com>
 2026-02-25 23:54:02 +00:00
Peter Steinberger
8d1481cb4a fix(gateway): require pairing for unpaired operator device auth 2026-02-26 00:52:50 +01:00
Peter Steinberger
2aa7842ade fix(signal): enforce auth before reaction notification enqueue 2026-02-26 00:44:46 +01:00
Peter Steinberger
ef326f5cd0 fix(browser): revalidate upload paths at use time 2026-02-26 00:40:56 +01:00
Youyou972
15cfba7075 fix: cron model fallback to agent defaults when payload.model fails (#26717) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 06454bd55b44ea864c10ad828649b293946cea8d
Co-authored-by: Youyou972 <50808411+Youyou972@users.noreply.github.com>
Co-authored-by: shakkernerd <165377636+shakkernerd@users.noreply.github.com>
Reviewed-by: @shakkernerd
 2026-02-25 23:34:31 +00:00
Peter Steinberger
2011edc9e5 fix(gateway): preserve agentId through gateway send path 
Landed from #23249 by @Sid-Qin.
Includes extra regression tests for agentId precedence + blank fallback.

Co-authored-by: Sid <201593046+Sid-Qin@users.noreply.github.com>
 2026-02-25 23:31:35 +00:00
Peter Steinberger
125f4071bc fix(gateway): block agents.files symlink escapes 2026-02-26 00:31:08 +01:00
Shadow
975c9f4b54 Agents: emphasize config.schema usage 2026-02-25 09:45:39 -06:00