admin/Moltbot
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
9,533 Commits 1 Branch 0 Tags
e90caa66d82fa2b2021e73fb779e4174a69151df
Commit Graph

9533 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Marcus Castro
e90caa66d8 fix(exec): allow heredoc operator (<<) in allowlist security mode (#13811) 
* fix(exec): allow heredoc operator (<<) in allowlist security mode

* fix: allow multiline heredoc parsing in exec approvals (#13811) (thanks @mcaxtr)

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-02-13 04:41:51 +01:00
Peter Steinberger
7c25696ab0 fix(config): enforce default-free persistence in write path 2026-02-13 04:41:04 +01:00
Marcus Castro
2a9745c9a1 fix(config): redact resolved field in config snapshots 
The newly added 'resolved' field contains secrets after ${ENV}
substitution. This commit ensures redactConfigSnapshot also redacts
the resolved field to prevent credential leaks in config.get responses.
 2026-02-13 04:41:04 +01:00
Marcus Castro
3189e2f11b fix(config): add resolved field to ConfigFileSnapshot for pre-defaults config 
The initial fix using snapshot.parsed broke configs with $include directives.
This commit adds a new 'resolved' field to ConfigFileSnapshot that contains
the config after $include and ${ENV} substitution but BEFORE runtime defaults
are applied. This is now used by config set/unset to avoid:
1. Breaking configs with $include directives
2. Leaking runtime defaults into the written config file

Also removes applyModelDefaults from writeConfigFile since runtime defaults
should only be applied when loading, not when writing.
 2026-02-13 04:41:04 +01:00
Marcus Castro
9e8d9f114d fix(cli): use raw config instead of runtime-merged config in config set/unset 
Fixes #6070

The config set/unset commands were using snapshot.config (which contains
runtime-merged defaults) instead of snapshot.parsed (the raw user config).
This caused runtime defaults like agents.defaults to leak into the written
config file when any value was set or unset.

Changed both set and unset commands to use structuredClone(snapshot.parsed)
to preserve only user-specified config values.
 2026-02-13 04:41:04 +01:00
George Pickett
a067565db5 fix: pass sandbox docker env into containers (#15138) (thanks @stevebot-alive) 2026-02-12 19:39:22 -08:00
Steve (OpenClaw)
92567765e6 fix(sandbox): pass docker.env into sandbox container 2026-02-12 19:39:22 -08:00
Joseph Krug
40aff672c1 fix: prevent heartbeat scheduler silent death from wake handler race (#15108) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: fd7165b93547251c48904fa60b4b608d96bfb65c
Co-authored-by: joeykrug <5925937+joeykrug@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-12 22:30:21 -05:00
Marcus Castro
ec44e262be fix(security): prevent String(undefined) coercion in credential inputs (#12287) 
* fix(security): prevent String(undefined) coercion in credential inputs

When a prompter returns undefined (due to cancel, timeout, or bug),
String(undefined).trim() produces the literal string "undefined" instead
of "". This truthy string prevents secure fallbacks from triggering,
allowing predictable credential values (e.g., gateway password = "undefined").

Fix all 8 occurrences by using String(value ?? "").trim(), which correctly
yields "" for null/undefined inputs and triggers downstream validation or
fallback logic.

Fixes #8054

* fix(security): also fix String(undefined) in api-provider credential inputs

Address codex review feedback: 4 additional occurrences of the unsafe
String(variable).trim() pattern in auth-choice.apply.api-providers.ts
(Cloudflare Account ID, Gateway ID, synthetic API key inputs + validators).

* fix(test): strengthen password coercion test per review feedback

* fix(security): harden credential prompt coercion

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-02-13 04:25:05 +01:00
Peter Steinberger
63bb1e02b0 chore(release): bump version to 2026.2.13 2026-02-13 04:13:07 +01:00
Peter Steinberger
711597c02b fix(update): repair daemon-cli compat exports after self-update 2026-02-13 04:08:13 +01:00
Flash-LHR
c32b92b7a5 fix(macos): prevent Voice Wake crash on CJK trigger transcripts (openclaw#11052) thanks @Flash-LHR 
Verified:
- pnpm build
- pnpm check
- pnpm test

Co-authored-by: Flash-LHR <47357603+Flash-LHR@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-12 20:36:14 -06:00
Marcus Castro
585c9a7265 fix(session): preserve verbose/thinking/tts overrides across /new and /reset (openclaw#10881) thanks @mcaxtr 
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test

Co-authored-by: mcaxtr <7562095+mcaxtr@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-12 20:27:12 -06:00
Peter Steinberger
cd50b5ded2 fix(onboarding): exit cleanly after web ui hatch 2026-02-13 03:20:32 +01:00
LeftX
65be9ccf63 feat(feishu): add streaming card support via Card Kit API (openclaw#10379) thanks @xzq-xu 
Verified:
- pnpm build
- pnpm check
- pnpm test

Co-authored-by: xzq-xu <53989315+xzq-xu@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-12 20:19:27 -06:00
Peter Steinberger
d8d69ccbf4 chore: update appcast for 2026.2.12 2026-02-13 03:18:24 +01:00
Sk Akram
7cbf607a8f feat: expose /compact command in Telegram native menu (openclaw#10352) thanks @akramcodez 
Verified:
- pnpm build
- pnpm check
- pnpm test

Co-authored-by: akramcodez <179671552+akramcodez@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-12 20:17:25 -06:00
Milofax
89503e1451 fix(browser): hide navigator.webdriver from reCAPTCHA v3 detection (openclaw#10735) thanks @Milofax 
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test

Co-authored-by: Milofax <2537423+Milofax@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-12 20:16:28 -06:00
JustasM
57d0f65e7d CLI: add plugins uninstall command (#5985) (openclaw#6141) thanks @JustasMonkev 
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test

Co-authored-by: JustasMonkev <59362982+JustasMonkev@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-12 20:11:26 -06:00
Shadow
e982489f77 Changelog: note Discord admin permission fix 2026-02-12 19:53:34 -06:00
Shadow
34c304727b Discord: honor Administrator in permission checks 2026-02-12 19:53:22 -06:00
Shadow
22fe30c1df fix: add discord role allowlists (#10650) (thanks @Minidoracat) 2026-02-12 19:52:24 -06:00
Minidoracat
f7adc21d31 fix: exclude role-restricted bindings from guild-only matching 2026-02-12 19:52:24 -06:00
Minidoracat
e084f07420 fix: add missing role-based type definitions for RBAC routing 2026-02-12 19:52:24 -06:00
Minidoracat
ad508c8c89 fix: use member.roles as string[] per Discord API types 2026-02-12 19:52:24 -06:00
Minidoracat
e1e6e3f477 fix: add curly braces to resolve-route.ts for eslint(curly) compliance 2026-02-12 19:52:24 -06:00
Minidoracat
4bf06e7824 Discord: add unit tests for role-based agent routing 2026-02-12 19:52:24 -06:00
Minidoracat
334a291fb7 Discord: pass member role IDs to agent route resolution 2026-02-12 19:52:24 -06:00
Minidoracat
75fc8cf25c Discord: implement role-based agent routing in resolveAgentRoute 2026-02-12 19:52:24 -06:00
Minidoracat
4c0ce46ac3 Discord: implement role allowlist with OR logic in preflight 2026-02-12 19:52:24 -06:00
Peter Steinberger
8ff89ba14c fix(ci): resolve windows test path assertion and sync protocol swift models 2026-02-13 02:39:34 +01:00
Tak Hoffman
89bfe0c944 fix: add adapter-path after_tool_call coverage (follow-up to #15012) (#15105) 2026-02-12 19:39:23 -06:00
Tak Hoffman
1d8bda4a21 fix: emit message_sent hook for all successful outbound paths (#15104) 2026-02-12 19:39:09 -06:00
Peter Steinberger
f9e444dd56 fix: include plugin sdk dts tsconfig in onboard docker image 2026-02-13 02:37:28 +01:00
Tak Hoffman
e103991b6a fix: remove accidental root package-lock.json (#15102) 2026-02-12 19:24:07 -06:00
Peter Steinberger
83662ba5bb test: stabilize telegram media timing tests 2026-02-13 02:13:15 +01:00
Peter Steinberger
3421b2ec1e fix: harden hook session key routing defaults 2026-02-13 02:09:14 +01:00
Peter Steinberger
0a7201fa84 docs: add Windows installer debug equivalents 2026-02-13 02:07:03 +01:00
Peter Steinberger
9230a2ae14 fix(browser): require auth on control HTTP and auto-bootstrap token 2026-02-13 02:02:28 +01:00
Peter Steinberger
85409e401b fix: preserve inter-session input provenance (thanks @anbecker) 2026-02-13 02:02:01 +01:00
Arkadiusz Mastalerz
7081dee1af fix(media): strip audio attachments after successful transcription (openclaw#9076) thanks @nobrainer-tech 
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test (fails in known unrelated telegram suite)
- pnpm vitest run src/auto-reply/media-note.test.ts src/auto-reply/reply.media-note.test.ts

Co-authored-by: nobrainer-tech <445466+nobrainer-tech@users.noreply.github.com>
 2026-02-12 19:01:53 -06:00
Tak Hoffman
a6003d6711 Changelog: add missing entries for #14882 and #15012 2026-02-12 18:56:34 -06:00
Shadow
926bf84772 fix: update replyToMode notes (#11062) (thanks @cordx56) 2026-02-12 18:50:36 -06:00
CHISEN Kaoru
e25ae55879 fix(discord): replyToMode first behaviour 2026-02-12 18:50:36 -06:00
CHISEN Kaoru
4b3c9c9c5a fix(discord): respect replyToMode in thread channel 2026-02-12 18:50:36 -06:00
Patrick Barletta
d34138dfee fix: dispatch before_tool_call and after_tool_call hooks from both tool execution paths (openclaw#15012) thanks @Patrick-Barletta 
Verified:
- pnpm check

Co-authored-by: Patrick-Barletta <67929313+Patrick-Barletta@users.noreply.github.com>
 2026-02-12 18:48:11 -06:00
Ember 🔥
da2d09f57a fix(memory-flush): instruct agents to append rather than overwrite memory files (openclaw#6878) thanks @EmberCF 
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test (fails on unrelated existing telegram test file)

Co-authored-by: EmberCF <258471336+EmberCF@users.noreply.github.com>
 2026-02-12 18:47:43 -06:00
cpojer
7b34b46363 chore: Update deps. 2026-02-13 09:43:41 +09:00
Peter Steinberger
99f28031e5 fix: harden OpenResponses URL input fetching 2026-02-13 01:38:49 +01:00
Peter Steinberger
4199f9889f fix: harden session transcript path resolution 2026-02-13 01:28:17 +01:00