admin/Moltbot
1
0
Fork 0
Code Issues Pull Requests Actions 6 Packages Projects Releases Wiki Activity
13,083 Commits 1 Branch 0 Tags
ed960ba4eb3b3cfbe589ecff986b92cb802e3980
Commit Graph

8026 Commits

Author SHA1 Message Date
Peter Steinberger
ed960ba4eb refactor(security): centralize path guard helpers 2026-02-21 19:54:26 +01:00
Peter Steinberger
6ffca36284 fix(config): add shared streaming resolver module 2026-02-21 19:53:42 +01:00
Peter Steinberger
2c14b0cf4c refactor(config): unify streaming config across channels 2026-02-21 19:53:42 +01:00
Peter Steinberger
747bb581b3 fix(discord): canonicalize resolved allowlists to ids 2026-02-21 19:53:29 +01:00
Peter Steinberger
9632b9bcf0 fix(security): fail closed parsed chat allowlist 2026-02-21 19:51:36 +01:00
Simone Macario
09d5f508b1 fix(cron): persist delivered flag in job state to surface delivery failures (openclaw#19174) thanks @simonemacario 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: simonemacario <2116609+simonemacario@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-21 12:47:29 -06:00
Peter Steinberger
51149fcaf1 refactor(gateway): extract connect and role policy logic 2026-02-21 19:47:22 +01:00
Peter Steinberger
f97c45c5b5 fix(security): warn on Discord name-based allowlists in audit 2026-02-21 19:45:17 +01:00
Peter Steinberger
4b226b74f5 fix(security): block zip symlink escape in archive extraction 2026-02-21 19:42:33 +01:00
Peter Steinberger
ddcb2d79b1 fix(gateway): block node role when device identity is missing 2026-02-21 19:34:13 +01:00
Peter Steinberger
764b1f2932 refactor: simplify relay runtime state 2026-02-21 19:31:30 +01:00
Peter Steinberger
9fc6c8b713 fix: hide synthetic untrusted metadata in chat history 2026-02-21 19:26:04 +01:00
Peter Steinberger
afa22acc4a fix: harden extension relay auth token flow 2026-02-21 19:24:42 +01:00
Peter Steinberger
89aad7b922 refactor: tighten safe-bin policy model and docs parity 2026-02-21 19:24:23 +01:00
niceysam
5e423b596c fix: remove false-positive billing error rewrite on normal assistant text (openclaw#17834) thanks @niceysam 
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: niceysam <256747835+niceysam@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-21 12:17:39 -06:00
Peter Steinberger
57fbbaebca fix: block safeBins sort --compress-program bypass 2026-02-21 19:13:53 +01:00
Thorfinn
efdec39254 fix: correct MiniMax M2.5 pricing (was ~50x too high) (openclaw#22755) thanks @miloudbelarebia 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: miloudbelarebia <136994453+miloudbelarebia@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-21 11:26:48 -06:00
Peter Steinberger
35a57bc940 fix: gate doctor oauth-dir repair by channel config 2026-02-21 18:08:15 +01:00
Peter Steinberger
905e355f65 fix: verify gateway restart health after daemon restart 2026-02-21 18:02:14 +01:00
Peter Steinberger
e93ba6ce2a fix: harden update restart service convergence 2026-02-21 17:40:28 +01:00
Peter Steinberger
7c1a2ab085 test: tolerate transient zai and minimax live-model failures 2026-02-21 17:05:13 +01:00
Peter Steinberger
fa89ae8e9e fix: stabilize swift protocol generation and flaky tests 2026-02-21 16:53:46 +01:00
Peter Steinberger
8588183abe test: stabilize docker e2e suites for pairing and model updates 2026-02-21 16:38:48 +01:00
Onur
8178ea472d feat: thread-bound subagents on Discord (#21805) 
* docs: thread-bound subagents plan

* docs: add exact thread-bound subagent implementation touchpoints

* Docs: prioritize auto thread-bound subagent flow

* Docs: add ACP harness thread-binding extensions

* Discord: add thread-bound session routing and auto-bind spawn flow

* Subagents: add focus commands and ACP/session binding lifecycle hooks

* Tests: cover thread bindings, focus commands, and ACP unbind hooks

* Docs: add plugin-hook appendix for thread-bound subagents

* Plugins: add subagent lifecycle hook events

* Core: emit subagent lifecycle hooks and decouple Discord bindings

* Discord: handle subagent bind lifecycle via plugin hooks

* Subagents: unify completion finalizer and split registry modules

* Add subagent lifecycle events module

* Hooks: fix subagent ended context key

* Discord: share thread bindings across ESM and Jiti

* Subagents: add persistent sessions_spawn mode for thread-bound sessions

* Subagents: clarify thread intro and persistent completion copy

* test(subagents): stabilize sessions_spawn lifecycle cleanup assertions

* Discord: add thread-bound session TTL with auto-unfocus

* Subagents: fail session spawns when thread bind fails

* Subagents: cover thread session failure cleanup paths

* Session: add thread binding TTL config and /session ttl controls

* Tests: align discord reaction expectations

* Agent: persist sessionFile for keyed subagent sessions

* Discord: normalize imports after conflict resolution

* Sessions: centralize sessionFile resolve/persist helper

* Discord: harden thread-bound subagent session routing

* Rebase: resolve upstream/main conflicts

* Subagents: move thread binding into hooks and split bindings modules

* Docs: add channel-agnostic subagent routing hook plan

* Agents: decouple subagent routing from Discord

* Discord: refactor thread-bound subagent flows

* Subagents: prevent duplicate end hooks and orphaned failed sessions

* Refactor: split subagent command and provider phases

* Subagents: honor hook delivery target overrides

* Discord: add thread binding kill switches and refresh plan doc

* Discord: fix thread bind channel resolution

* Routing: centralize account id normalization

* Discord: clean up thread bindings on startup failures

* Discord: add startup cleanup regression tests

* Docs: add long-term thread-bound subagent architecture

* Docs: split session binding plan and dedupe thread-bound doc

* Subagents: add channel-agnostic session binding routing

* Subagents: stabilize announce completion routing tests

* Subagents: cover multi-bound completion routing

* Subagents: suppress lifecycle hooks on failed thread bind

* tests: fix discord provider mock typing regressions

* docs/protocol: sync slash command aliases and delete param models

* fix: add changelog entry for Discord thread-bound subagents (#21805) (thanks @onutc)

---------

Co-authored-by: Shadow <hi@shadowing.dev>
 2026-02-21 16:14:55 +01:00
Peter Steinberger
166068dfbe test: add byteplus coding-plan live test 2026-02-21 15:42:44 +01:00
Peter Steinberger
c8466e516f fix(agents): raise dynamic retry cap budget 2026-02-21 15:41:30 +01:00
Peter Steinberger
b520e7ac38 fix: stabilize docker live model and doctor-switch tests 2026-02-21 15:36:24 +01:00
Peter Steinberger
b25d3652e7 fix(agents): cap embedded runner retry loop 2026-02-21 15:35:45 +01:00
Peter Steinberger
3101047234 feat(models): add Gemini 3.1 support 2026-02-21 15:08:06 +01:00
Peter Steinberger
581868365d fix: finish volcengine/byteplus landing polish (#7967) (thanks @funmore123) 2026-02-21 15:05:09 +01:00
fanziqing
559736a5a0 feat(volcengine): integrate Volcengine & Byteplus Provider 2026-02-21 15:05:09 +01:00
大猫子
c62a6e7040 fix(models): add kimi-coding implicit provider template (openclaw#22526) thanks @lailoo 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: lailoo <20536249+lailoo@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-21 07:35:09 -06:00
Peter Steinberger
10b8839a82 fix(security): centralize WhatsApp outbound auth and return 403 tool auth errors 2026-02-21 14:31:01 +01:00
Peter Steinberger
f23da067f6 fix(security): harden heredoc allowlist parsing 2026-02-21 14:27:51 +01:00
orlyjamie
92cada2aca fix(security): block command substitution in unquoted heredoc bodies 
The shell command analyzer (splitShellPipeline) skipped all token
validation while parsing heredoc bodies. When the heredoc delimiter
was unquoted, bash performs command substitution on the body content,
allowing $(cmd) and backtick expressions to execute arbitrary commands
that bypass the exec allowlist.

Track whether heredoc delimiters are quoted or unquoted. When unquoted,
scan the body for $( , ${ , and backtick tokens and reject the command.
Quoted heredocs (<<'EOF' / <<"EOF") are safe - the shell treats their
body as literal text.

Ref: https://github.com/openclaw/openclaw/security/advisories/GHSA-65rx-fvh6-r4h2
 2026-02-21 14:27:35 +01:00
Peter Steinberger
2706cbd6d7 fix(agents): include filenames in image resize logs 2026-02-21 13:16:41 +00:00
Peter Steinberger
3cfb402bda refactor(test): reuse state-dir helper in agent runner suite 2026-02-21 13:08:05 +00:00
Peter Steinberger
25db01fe08 refactor(test): use withEnvAsync in pairing store fixture 2026-02-21 13:06:12 +00:00
Peter Steinberger
21bb46d304 fix(ci): include browser network in sandbox test fixture 2026-02-21 13:05:51 +00:00
Peter Steinberger
7a27e2648a refactor(test): dedupe plugin env overrides via env helpers 2026-02-21 13:03:41 +00:00
Peter Steinberger
f48698a50b fix(security): harden sandbox browser network defaults 2026-02-21 14:02:53 +01:00
Peter Steinberger
cf82614259 refactor(test): reuse state-dir helper in telegram tests 2026-02-21 13:02:12 +00:00
Peter Steinberger
26eb1f781d refactor(test): reuse state-dir env helper in auth profile override e2e 2026-02-21 13:00:16 +00:00
Peter Steinberger
c2874aead7 refactor(test): centralize temporary state-dir env setup 2026-02-21 12:59:24 +00:00
Peter Steinberger
50a8942c07 docs(changelog): add WhatsApp reaction allowlist security note 2026-02-21 13:57:54 +01:00
Aether AI Agent
e217f8c3f7 fix(security): OC-91 validate WhatsApp JID against allowlist in all send paths — Aether AI Agent 2026-02-21 13:57:54 +01:00
Peter Steinberger
8c1518f0f3 fix(sandbox): use one-time noVNC observer tokens 2026-02-21 13:56:58 +01:00
Peter Steinberger
b43aadc34c refactor(test): dedupe temp-home setup in voicewake suite 2026-02-21 12:56:34 +00:00
Peter Steinberger
c529bafdc3 refactor(test): reuse temp-home helper in voicewake e2e 2026-02-21 12:54:54 +00:00
Peter Steinberger
577e5cc74b refactor(test): dedupe gateway env setup and add env util coverage 2026-02-21 12:52:21 +00:00