admin/Moltbot
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
16,089 Commits 1 Branch 0 Tags
d94de5c4a163cbf41b876e61ce2d2389440a7047
Commit Graph

16089 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
efe-arv
f66f563c1a fix(matrix): fix multiple Conduit compatibility issues preventing message delivery 
## Changes

### 1. Fix client.start() hanging forever (shared.ts)
The bot-sdk's `client.start()` returns a promise that never resolves
(infinite sync loop). The plugin awaited it, blocking the entire provider
startup — `logged in as` never printed, no messages were processed.

Fix: fire-and-forget with error handler + 2s initialization delay.

### 2. Fix DM false positive for 2-member rooms (direct.ts)
`memberCount === 2` heuristic misclassified explicitly configured group
rooms as DMs when only bot + one user were joined. Messages were routed
through DM policy and silently dropped.

Fix: remove member count heuristic; only trust `m.direct` account data
and `is_direct` room state flag.

Ref: #20145

### 3. Prevent duplicate event listener registration (events.ts)
When both bundled channel plugin and extension load, listeners were
registered twice on the same shared client, causing inconsistent state.

Fix: WeakSet guard to skip registration if client already has listeners.

Ref: #18330

### 4. Add startup grace period (index.ts)
`startupGraceMs = 0` dropped messages timestamped during async setup.
Especially problematic with Conduit which retries on `M_NOT_FOUND`
during filter creation.

Fix: 5-second grace period.

### 5. Fix room ID case sensitivity with Conduit (index.ts)
Room IDs (`!xyz`) without `:server` suffix failed the
`includes(':')` check and were sent to `resolveMatrixTargets`, which
called Conduit's `resolveRoom` — returning lowercased IDs. The bot-sdk
emits events with original-case IDs, causing config lookup mismatches
and reply delivery failures (`M_UNKNOWN: non-create event for room of
unknown version`).

Fix: treat `!`-prefixed entries as room IDs directly (skip resolution).
Only resolve `#alias:server` entries.

## Testing

Tested with Conduit homeserver (lightweight Rust Matrix server).
All fixes verified with gateway log tracing:
- `logged in as @arvi:matrix.local` — first successful login
- `room.message` events fire and reach handler
- Room config matching returns `allowed: true`
- Agent generates response and delivers it to Matrix room
 2026-03-02 00:15:10 +00:00
Peter Steinberger
43cad8268d fix(security): harden webhook memory guards across channels 2026-03-02 00:12:05 +00:00
Peter Steinberger
1c8ae978d2 test(lobster): preserve execFile in child_process mock 2026-03-02 00:10:51 +00:00
Peter Steinberger
53d10f8688 fix(gateway): land access/auth/config migration cluster 
Land #28960 by @Glucksberg (Tailscale origin auto-allowlist).
Land #29394 by @synchronic1 (allowedOrigins upgrade migration).
Land #29198 by @Mariana-Codebase (plugin HTTP auth guard + route precedence).
Land #30910 by @liuxiaopai-ai (tailscale bind/config.patch guard).

Co-authored-by: Glucksberg <markuscontasul@gmail.com>
Co-authored-by: synchronic1 <synchronic1@users.noreply.github.com>
Co-authored-by: Mariana Sinisterra <mariana.data@outlook.com>
Co-authored-by: liuxiaopai-ai <73659136+liuxiaopai-ai@users.noreply.github.com>
 2026-03-02 00:10:51 +00:00
Peter Steinberger
8e6b3ade3e docs(changelog): record session lifecycle and diagnostics fixes 2026-03-02 00:07:47 +00:00
Peter Steinberger
41cc46bbb4 feat(diagnostics): add configurable stuck-session warning threshold 2026-03-02 00:07:29 +00:00
Peter Steinberger
d729ab2150 fix(session): harden usage accounting and memory flush recovery 2026-03-02 00:07:29 +00:00
Vincent Koc
ee96e1751e docs(changelog): add missing contributor credits for 2026.3.1 (#31079) 
* changelog: credit @BUGKillerKing for #29315

* changelog: credit @liuweifly for #14674

* changelog: credit @Sid-Qin for #29709

* changelog: credit @lailoo for #21808

* changelog: credit @openperf for #26259

* changelog: credit @icesword0760 for #28959

* changelog: credit @cowboy129 for #28529

* changelog: credit @yfge for #17798

* changelog: credit @kcinzgg for #27325

* changelog: credit @guoqunabc for #28494

* changelog: credit @WilsonLiu95 for #12755

* changelog: credit @qiangu for #18529

* changelog: credit @lailoo for unreleased #27616

* changelog: credit @tumf for unreleased #18642

* changelog: normalize unreleased #24789 credit handle

* changelog: fill unreleased #24435 credit

* changelog: fill unreleased #25090 credit

* changelog: fill unreleased #29098 credit (entry 1)

* changelog: fill unreleased #29098 credit (entry 2)

* changelog: credit @liuxiaopai-ai for unreleased #30567

* changelog: credit @graysurf for unreleased #23169

* changelog: credit @pablohrcarvalho for unreleased #10686

* changelog: credit @Glucksberg for unreleased #21715

* changelog: credit @liuxiaopai-ai for unreleased #30586

* changelog: add missing credits for 2026.2.26

* changelog: add missing credits for 2026.2.25

* changelog: add missing credits for 2026.2.24

* changelog: add missing credits for 2026.2.23

* changelog: add missing credits for 2026.2.22
 2026-03-01 16:04:55 -08:00
Peter Steinberger
a62d55b283 test(discord): cover DM command decision flow 2026-03-02 00:00:05 +00:00
Peter Steinberger
75596e9370 refactor(discord): unify DM command auth handling 2026-03-02 00:00:05 +00:00
Peter Steinberger
12c1257023 fix(acpx): share windows wrapper resolver and add strict hardening mode 2026-03-01 23:57:06 +00:00
Peter Steinberger
881ac62005 test(discord): stabilize model picker timeout assertions 2026-03-01 23:53:07 +00:00
Peter Steinberger
ee03ade0d6 fix(agents): harden tool-name normalization and transcript repair 
Landed from contributor PRs #30620 and #30735 by @Sid-Qin, plus #30881 by @liuxiaopai-ai.

Co-authored-by: SidQin-cyber <sidqin0410@gmail.com>
Co-authored-by: liuxiaopai-ai <73659136+liuxiaopai-ai@users.noreply.github.com>
 2026-03-01 23:51:54 +00:00
Peter Steinberger
50e2674dfc fix(discord): unify dm command auth gating 2026-03-01 23:50:24 +00:00
Peter Steinberger
577becf1ad fix(plugins): prioritize bundled duplicates in auto-discovery 
Landed from contributor PR #29710 by @Sid-Qin.

Co-authored-by: SidQin-cyber <sidqin0410@gmail.com>
 2026-03-01 23:48:30 +00:00
Peter Steinberger
5056b6438d fix(discord): harden reconnect recovery and preserve message delivery 
Landed from contributor PR #29508 by @cgdusek.

Co-authored-by: Charles Dusek <cgdusek@gmail.com>
 2026-03-01 23:46:07 +00:00
Peter Steinberger
a0d2f6e4fe docs(changelog): note skills security hardening 2026-03-01 23:45:41 +00:00
Peter Steinberger
23f434f98d fix(skills): constrain plugin skill paths 2026-03-01 23:45:41 +00:00
Peter Steinberger
4614222572 fix(skills): validate installer metadata specs 2026-03-01 23:45:41 +00:00
edincampara
577f2fa540 fix(docker): harden /app/extensions permissions to 755 (#30191) 
* fix(docker): harden /app/extensions permissions to 755

Bundled extension directories shipped as world-writable (mode 777)
in the Docker image. The plugin security scanner blocks any world-
writable path with:

  WARN: blocked plugin candidate: world-writable path
        (/app/extensions/memory-core, mode=777)

Add chmod -R 755 /app/extensions in the final USER root RUN step so
all bundled extensions are readable but not world-writable. This runs
as root before switching back to the node user, matching the pattern
already used for chmod 755 /app/openclaw.mjs.

Fixes #30139

* fix(docker): normalize plugin and agent path permissions

* docs(changelog): add docker permissions entry for #30191

* Update CHANGELOG.md

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
 2026-03-01 15:45:21 -08:00
Peter Steinberger
9e6e7a3d69 fix(acpx): harden windows cmd wrapper spawning 2026-03-01 23:44:36 +00:00
Peter Steinberger
13bb80df9d fix(agents): land #20840 cross-channel message-tool actions from @altaywtf 
Include scoped cross-channel action/description behavior, regression tests, changelog note, and make Ollama discovery tests URL-scoped to avoid env-dependent fetch interference.

Co-authored-by: Altay <altay@hey.com>
 2026-03-01 23:37:55 +00:00
Peter Steinberger
912ddba81e fix(macos): harden exec approvals socket path and permissions 2026-03-01 23:37:11 +00:00
Peter Steinberger
6c5633598e fix(security): harden clawlog command execution 2026-03-01 23:33:13 +00:00
Peter Steinberger
ccb415b69a fix: align ACP permission docs defaults (#31044) (thanks @barronlroth) 2026-03-01 23:30:39 +00:00
Barron Roth
bed1cb9600 docs(acp): add permission configuration section and troubleshooting entries 
Document permissionMode and nonInteractivePermissions plugin config
keys for the acpx backend. Add troubleshooting entries for:
- Permission prompt errors in non-interactive ACP sessions
- Silent session failures from swallowed permission errors
- Stalled ACP sessions that never report completion

Relates to #29195

AI-assisted (lightly tested)
 2026-03-01 23:30:39 +00:00
Peter Steinberger
6a80e9db05 fix(browser): harden writable output paths 2026-03-01 23:25:13 +00:00
Peter Steinberger
51bccaf988 chore(changelog): note internal events and ingress hardening 2026-03-01 23:12:09 +00:00
Peter Steinberger
b99666a47a fix(security): harden inbound metadata sentinel stripping 2026-03-01 23:11:48 +00:00
Peter Steinberger
8e48520d74 fix(channels): align command-body parsing sources 2026-03-01 23:11:48 +00:00
Peter Steinberger
4c43fccb3e feat(agents): use structured internal completion events 2026-03-01 23:11:48 +00:00
Peter Steinberger
738dd9aa42 fix(agents): type openai websocket warmup passthrough 2026-03-01 23:10:08 +00:00
Vincent Koc
eb20793550 Docs: add all unlisted docs routes to navigation (#31027) 
* Docs: add missing platform pages to nav

* Docs: include all unlisted docs routes in nav

* Docs nav: classify routes by area and remove catch-all groups

* Docs nav: remove ja-JP AGENTS page entry

* Docs ja-JP: remove AGENTS translation workspace page

* Docs nav: remove refactor plans group

* Docs nav: remove .dev template pages

* Docs nav: remove operations hubs group
 2026-03-01 15:09:35 -08:00
Peter Steinberger
0f5348acb2 test(config): reject discord open DM with empty allowFrom 2026-03-01 23:08:37 +00:00
Peter Steinberger
d1615eb35f feat(openai): add websocket warm-up with configurable toggle 2026-03-01 22:45:03 +00:00
Agent
bc9f357ad7 test: fix fetch mock typing casts 2026-03-01 22:44:28 +00:00
Agent
002539c01e fix(security): harden sandbox novnc observer flow 2026-03-01 22:44:28 +00:00
Peter Steinberger
4ab13eca4d test(agents): port OpenAI websocket coverage from #24911 
Co-authored-by: Jonathan Jing <achillesjing@gmail.com>
 2026-03-01 22:38:56 +00:00
Vincent Koc
eee870576d doctor: warn on macOS cloud-synced state directories (#31004) 
* Doctor: detect macOS cloud-synced state directories

* Doctor tests: cover cloud-synced macOS state detection

* Docs: note cloud-synced state warning in doctor guide

* Docs: recommend local macOS state dir placement

* Changelog: add macOS cloud-synced state dir warning

* Changelog: credit macOS cloud state warning PR

* Doctor state: anchor cloud-sync roots to macOS home

* Doctor tests: cover OPENCLAW_HOME cloud-sync override

* Doctor state: prefer resolved target for cloud detection

* Doctor tests: cover local-target cloud symlink case
 2026-03-01 14:35:46 -08:00
Agent
063c4f00ea docs: clarify Anthropic context1m long-context requirements 2026-03-01 22:35:26 +00:00
Agent
a374325fc2 docs(security): clarify local link-priming reports as out-of-scope 2026-03-01 22:34:32 +00:00
Peter Steinberger
8da86f6995 chore(changelog): note openai websocket-first streaming 2026-03-01 22:33:21 +00:00
Peter Steinberger
7ced38b5ef feat(agents): make openai responses websocket-first with fallback 2026-03-01 22:32:37 +00:00
Vincent Koc
38da2d076c CLI: add root --help fast path and lazy channel option resolution (#30975) 
* CLI argv: add strict root help invocation guard

* Entry: add root help fast-path bootstrap bypass

* CLI context: lazily resolve channel options

* CLI context tests: cover lazy channel option resolution

* CLI argv tests: cover root help invocation detection

* Changelog: note additional startup path optimizations

* Changelog: split startup follow-up into #30975 entry

* CLI channel options: load precomputed startup metadata

* CLI channel options tests: cover precomputed metadata path

* Build: generate CLI startup metadata during build

* Build script: invoke CLI startup metadata generator

* CLI routes: preload plugins for routed health

* CLI routes tests: assert health plugin preload

* CLI: add experimental bundled entry and snapshot helper

* Tools: compare CLI startup entries in benchmark script

* Docs: add startup tuning notes for Pi and VM hosts

* CLI: drop bundled entry runtime toggle

* Build: remove bundled and snapshot scripts

* Tools: remove bundled-entry benchmark shortcut

* Docs: remove bundled startup bench examples

* Docs: remove Pi bundled entry mention

* Docs: remove VM bundled entry mention

* Changelog: remove bundled startup follow-up claims

* Build: remove snapshot helper script

* Build: remove CLI bundle tsdown config

* Doctor: add low-power startup optimization hints

* Doctor: run startup optimization hint checks

* Doctor tests: cover startup optimization host targeting

* Doctor tests: mock startup optimization note export

* CLI argv: require strict root-only help fast path

* CLI argv tests: cover mixed root-help invocations

* CLI channel options: merge metadata with runtime catalog

* CLI channel options tests: assert dynamic catalog merge

* Changelog: align #30975 startup follow-up scope

* Docs tests: remove secondary-entry startup bench note

* Docs Pi: add systemd recovery reference link

* Docs VPS: add systemd recovery reference link
 2026-03-01 14:23:46 -08:00
Agent
dcd19da425 refactor: simplify sandbox boundary open flow 2026-03-01 21:49:42 +00:00
Agent
3be1343e00 fix: tighten sandbox mkdirp boundary checks (#30610) (thanks @glitch418x) 2026-03-01 21:41:47 +00:00
glitch418x
687f5779d1 sandbox: allow directory boundary checks for mkdirp 2026-03-01 21:41:47 +00:00
Bob
4fc7ecf088 ACP: force sessions_spawn as the only harness thread creation path (#30957) 
* ACP: enforce sessions_spawn-only thread creation for harness spawns

* skills(acpx): require acp-router preflight for ACP thread spawns

* fix: enforce ACP thread spawn via sessions_spawn only (#30957) (thanks @dutifulbob)

---------

Co-authored-by: Onur <2453968+osolmaz@users.noreply.github.com>
 2026-03-01 22:41:06 +01:00
Agent
e4d22fb07a fix(browser): fail closed browser auth bootstrap 2026-03-01 21:40:16 +00:00
Agent
3a93a7bb1e fix(security): enforce auth for abort triggers and models 2026-03-01 21:30:07 +00:00