Peter Steinberger
e048ed1efd
test: merge elevated allowlist directive shard
2026-02-23 13:05:39 +00:00
Peter Steinberger
706c9ec729
test: consolidate directive behavior suites
2026-02-23 13:02:56 +00:00
Peter Steinberger
fbdb1b3e73
test: merge elevated status directive shards
2026-02-23 12:57:39 +00:00
Peter Steinberger
b11ff9f7dd
test: collapse directive behavior shards
2026-02-23 12:54:52 +00:00
Peter Steinberger
be422a9d18
test: merge model picker tests into native command suite
2026-02-23 12:50:08 +00:00
Peter Steinberger
9757d2bb64
fix(agents): normalize strict openai-compatible turn ordering
...
Co-authored-by: liuwenyong1985 <48443240+liuwenyong1985@users.noreply.github.com>
2026-02-23 12:44:23 +00:00
Peter Steinberger
15e32c7341
fix(models): refresh Moonshot Kimi vision capabilities
...
Co-authored-by: manikv12 <mac1317@live.missouristate.edu>
2026-02-23 12:44:23 +00:00
Peter Steinberger
9bd04849ed
fix(agents): detect Kimi model-token-limit overflows
...
Co-authored-by: Danilo Falcão <danilo@falcao.org>
2026-02-23 12:44:23 +00:00
Peter Steinberger
3640484e28
fix(agents): map Moonshot developer role compatibility
...
Co-authored-by: Sheng-Fu Chuang <sedernet@gmail.com>
# Conflicts:
# CHANGELOG.md
2026-02-23 12:44:23 +00:00
Julia HeySalad
8897c9d53a
ci: install pyyaml in skills-python job
2026-02-23 10:44:18 +00:00
Ayaan Zaidi
2247b81219
fix(auto-reply): hide direct-chat metadata without sender-id sentinel (openclaw#24373) thanks @jd316
...
Co-authored-by: jd316 <138361777+jd316@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
2026-02-23 15:25:31 +05:30
Gustavo Madeira Santana
c92c3ad224
Tests: isolate quick_validate stub and remove DS_Store
2026-02-23 03:25:37 -05:00
边黎安
a4c373935f
fix(agents): fall back to agents.defaults.model when agent has no model config (#24210)
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 0f272b102763736001a82cfda23f35ff2ee9cac8
Co-authored-by: bianbiandashen <16240681+bianbiandashen@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
2026-02-23 03:18:55 -05:00
Vincent Koc
db32677f1d
Update CHANGELOG.md
2026-02-23 03:03:06 -05:00
taw0002
3c57bf4c85
fix: treat HTTP 502/503/504 as failover-eligible (timeout reason) (#21017)
...
* fix: treat HTTP 502/503/504 as failover-eligible (timeout reason)
When a model API returns 502 Bad Gateway, 503 Service Unavailable, or
504 Gateway Timeout, the error object carries the status code directly.
resolveFailoverReasonFromError() only checked 402/429/401/403/408/400,
so 5xx server errors fell through to message-based classification which
requires the status code to appear at the start of the error message.
Many API SDKs (Google, Anthropic) set err.status = 503 without prefixing
the message with '503', so the message classifier never matched and
failover never triggered — the run retried the same broken model.
Add 502/503/504 to the status-code branch, returning 'timeout' (matching
the existing behavior of isTransientHttpError in the message classifier).
Fixes #20999
* Changelog: add failover 502/503/504 note with credits
* Failover: classify HTTP 504 as transient in message parser
* Changelog: credit taw0002 and vincentkoc for failover fix
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-02-23 03:01:57 -05:00
Vincent Koc
07edadfa8a
skill-creator: reject unclosed YAML frontmatter (#24289)
2026-02-23 02:51:51 -05:00
Frank Yang
f208518cb9
fix(config): keep write inputs immutable when using unsetPaths (#24134)
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 951f8480c30b9b22bdb0e8047c74c9460080f326
Co-authored-by: frankekn <4488090+frankekn@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
2026-02-23 02:51:13 -05:00
Vincent Koc
0e28e50b45
fix(security): detect obfuscated commands that bypass allowlist filters (#24287)
...
* security(exec): add obfuscated command detector
* test(exec): cover obfuscation detector patterns
* security(exec): enforce obfuscation approval on gateway host
* security(exec): enforce obfuscation approval on node host
* test(exec): prevent obfuscation timeout bypass
* chore(changelog): credit obfuscation security fix
2026-02-23 02:50:06 -05:00
Henry Loenwind
7568ae52ce
Typo (#24288)
2026-02-23 02:47:06 -05:00
Henry Loenwind
ad666c5f37
Fixed Discord channel name (#24281)
2026-02-23 02:37:45 -05:00
Vincent Koc
c8a62e1cea
Skills/Python: harden script edge cases and add regression tests (#24277)
...
* Skill creator: skip self-including .skill output
* Skill creator tests: cover output-dir-inside-skill case
* Skill validator: parse frontmatter robustly across newlines
* Skill validator tests: add CRLF and malformed frontmatter coverage
* Model usage: require positive --days value
* Model usage tests: cover --days validation and filtering
* Nano banana: close input image handles after loading
* Skill validator: keep type hints compatible with older python
* Changelog: credit @vincentkoc for Python skills hardening
2026-02-23 02:34:23 -05:00
Glucksberg
36400df086
fix: pass agentDir to /compact command for agent-specific auth (#24133)
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 4bb10ca78ca064e05669ccb358cdff9efc0da6fc
Co-authored-by: Glucksberg <80581902+Glucksberg@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
2026-02-23 02:33:35 -05:00
Vignesh Natarajan
9ea740afb6
Sessions: canonicalize mixed-case session keys
2026-02-22 23:27:08 -08:00
Vincent Koc
1be8897339
Security: enforce pre-commit security checks in hooks and CI (#24265)
...
* chore(pre-commit): add security audit hooks
* ci(security): enforce security hooks in ci
* docs(changelog): add security hooks and ci attribution
2026-02-23 02:20:00 -05:00
Vincent Koc
4ab4754bdf
chore(changelog): credit skill packager hardening follow-up
2026-02-23 02:09:05 -05:00
Vincent Koc
844924cf8d
fix(skill-creator): harden skill packaging path handling (#24260)
...
* fix(skill-creator): skip symlinks during skill packaging
* test(skill-creator): cover symlink skipping and root-escape guard
2026-02-23 02:07:36 -05:00
Vignesh Natarajan
8d9d01447e
chore: align plugin versions and harden outbound cross-provider test
2026-02-22 23:04:17 -08:00
Vignesh Natarajan
5a0eb695fa
chore: format pre-commit config for CI
2026-02-22 22:54:44 -08:00
Vincent Koc
76dabd5214
CI/Skills: add Python lint and test harness for skills scripts (#24246)
...
* CI: add skills Python checks job
* Chore: add Python lint and test pre-commit hooks
* Tests: fix skill-creator package test import path
* Chore: add Python tooling config for skills scripts
* CI: run all skills Python tests
* Chore: run all skills Python tests in pre-commit
* Chore: enable pytest discovery for all skills tests
* Changelog: note skills Python quality harness
2026-02-23 01:52:00 -05:00
Vignesh Natarajan
de96f5fed2
CLI/Sessions: honor default agent for implicit store path
2026-02-22 22:47:10 -08:00
Vincent Koc
af4330ef75
Update CHANGELOG.md
2026-02-23 01:44:53 -05:00
Misha Kolesnik
ec1bc41cf2
fix(openrouter): remove conflicting reasoning_effort from payload (#24120)
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: cc8ef4bb05a71626152109ca0d70f3c17cb0100c
Co-authored-by: tenequm <22403766+tenequm@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
2026-02-23 01:41:29 -05:00
CornBrother0x
f3adf142c1
fix(security): escape user input in HTML gallery to prevent stored XSS (#16958)
...
* Security/openai-image-gen: escape HTML gallery user input
* Tests/openai-image-gen: add gallery XSS regression coverage
* Changelog: add openai-image-gen XSS hardening note
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-02-23 01:39:58 -05:00
Vignesh Natarajan
5ad5ea53cd
Agent: resolve resumed session agent scope before run
2026-02-22 22:38:05 -08:00
brandonwise
7fab4d128a
fix(security): redact sensitive data in OTEL log exports (CWE-532) (#18182)
...
* fix(security): redact sensitive data in OTEL log exports (CWE-532)
The diagnostics-otel plugin exports ALL application logs to external
OTLP collectors without filtering. This leaks API keys, tokens, and
other sensitive data to third-party observability platforms.
Changes:
- Export redactSensitiveText from plugin-sdk for extension use
- Apply redaction to log messages before OTEL export
- Apply redaction to string attribute values
- Add tests for API key and token redaction
The existing redactSensitiveText function handles common patterns:
- API keys (sk-*, ghp_*, gsk_*, AIza*, etc.)
- Bearer tokens
- PEM private keys
- ENV-style assignments (KEY=value)
- JSON credential fields
Fixes #12542
* fix: also redact error/reason in trace spans
Address Greptile feedback:
- Redact evt.error in webhook.error span attributes and status
- Redact evt.reason in message.processed span attributes
- Redact evt.error in message.processed span status
* fix: handle undefined evt.error in type guard
* fix: redact session.state reason in OTEL metrics
Addresses Greptile feedback - session.state reason field now goes
through redactSensitiveText() like message.processed reason.
* test(diagnostics-otel): update service context for stateDir API change
* OTEL diagnostics: redact sensitive values before export
* OTEL diagnostics tests: cover message, attribute, and session reason redaction
* Changelog: note OTEL sensitive-data redaction fix
* Changelog: move OTEL redaction entry to current unreleased
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-02-23 01:35:32 -05:00
Ayaan Zaidi
61db3d4a16
fix(protocol): regenerate swift gateway models
2026-02-23 11:52:42 +05:30
Ayaan Zaidi
86fcca2352
fix(gateway): annotate connection test mocks
2026-02-23 11:47:27 +05:30
Ayaan Zaidi
fda98f5605
docs(changelog): add telegram topic target fix
2026-02-23 11:45:18 +05:30
Ayaan Zaidi
d5105ca456
fix(telegram): unify topic target normalization path
2026-02-23 11:45:18 +05:30
Ayaan Zaidi
fddc60d174
fix(telegram): preserve legacy prefixed messaging targets
2026-02-23 11:45:18 +05:30
Ayaan Zaidi
bf732b88e7
test(cron): avoid delivery.mode type widening in isolated announce test
2026-02-23 11:45:18 +05:30
Ayaan Zaidi
118611465c
test(gateway): make strict-delivery bestEffort case deterministic
2026-02-23 11:45:18 +05:30
Ayaan Zaidi
d589b3a95c
test(gateway): clear agentCommand mock before strict bestEffort assert
2026-02-23 11:45:18 +05:30
Ayaan Zaidi
03122e5933
fix(cron): preserve telegram announce target + delivery truth
2026-02-23 11:45:18 +05:30
Ayaan Zaidi
dcc52850c3
fix: persist resolved telegram delivery targets at runtime
2026-02-23 11:45:18 +05:30
Tak Hoffman
35fbf26d24
Gateway: suppress tools.catalog plugin conflict diagnostics
2026-02-23 00:05:57 -06:00
Tak Hoffman
9e1a13bf4c
Gateway/UI: data-driven agents tools catalog with provenance (openclaw#24199) thanks @Takhoffman
...
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- gh pr checks 24199 --watch --fail-fast
Co-authored-by: Takhoffman <781889+Takhoffman@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
2026-02-22 23:55:59 -06:00
Peter Steinberger
1c753ea786
test: dedupe fixtures and test harness setup
2026-02-23 05:45:54 +00:00
Peter Steinberger
8af19ddc5b
refactor: extract shared dedupe helpers for runtime paths
2026-02-23 05:43:43 +00:00
Peter Steinberger
9f508056d3
test: collapse remaining trigger command shards
2026-02-23 05:22:24 +00:00