Ayuriel/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
17,856 Commits 756 Branches 79 Tags
Commit Graph

4601 Commits

Author SHA1 Message Date
Peter Steinberger
e95ce05c1e chore(security): soften gatewayUrl override messaging 2026-02-14 21:53:30 +01:00
Peter Steinberger
2d5647a804 fix(security): restrict tool gatewayUrl overrides 2026-02-14 21:53:14 +01:00
Marcus Castro
07850e8a93
fix(media): strip MEDIA: prefix in loadWebMediaInternal (#13107) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 9d95e6af5aad7fb18f0ab3f941a0043ec18ca604
Co-authored-by: mcaxtr <7562095+mcaxtr@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
 2026-02-14 21:41:26 +01:00
Peter Steinberger
1bde33c0bc docs(changelog): note browser control path traversal fix 2026-02-14 21:37:34 +01:00
Peter Steinberger
9abf86f7e0 docs(changelog): document Slack/Discord dmPolicy aliases 2026-02-14 21:04:27 +01:00
Bin Deng
b9d14855d0
Fix: Force dashboard command to use localhost URL (#16434) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 3c03b4cc9b1dec96e0541df37910a697493ca285
Co-authored-by: BinHPdev <219093083+BinHPdev@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-14 15:00:58 -05:00
Shadow
2fa78c17d1
Changelog: credit cron delivery fix 2026-02-14 13:37:33 -06:00
zerone0x
c60844931b
fix(cron): prevent list/status from silently skipping recurring jobs (openclaw#16201) thanks @zerone0x 
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: zerone0x <39543393+zerone0x@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-14 13:33:29 -06:00
Gustavo Madeira Santana
64b7f3455e
chore: fix changelog attribution 2026-02-14 14:26:27 -05:00
Peter Steinberger
90d1e9cd71 docs(changelog): note iMessage group allowlist auth fix 2026-02-14 20:25:35 +01:00
Michael Verrilli
e6f67d5f31
fix(agent): prevent session lock deadlock on timeout during compaction (#9855) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 64a28900f183941a496a6fd5baaa9efcfb38f0f8
Co-authored-by: mverrilli <816450+mverrilli@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-14 14:24:20 -05:00
Glucksberg
f537bd1796
fix(telegram): exclude plugin commands from setMyCommands when native=false (openclaw#15164) thanks @Glucksberg 
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test

Co-authored-by: Glucksberg <80581902+Glucksberg@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-14 13:22:58 -06:00
Mariano
5544646a09
security: block apply_patch path traversal outside workspace (#16405) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 0fcd3f8c3a15993980eb89ecdae3e76de4f3f72d
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Reviewed-by: @mbelinky
 2026-02-14 19:11:12 +00:00
Bin Deng
4734f99108
Fix: Add type safety to models status command (#16395) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 1554137ae34b8183a924d48e3894e9d60c4e2dde
Co-authored-by: BinHPdev <219093083+BinHPdev@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-14 14:07:38 -05:00
Peter Steinberger
013e8f6b3b fix: harden exec PATH handling 2026-02-14 19:53:04 +01:00
Peter Steinberger
743f4b2849 fix(security): harden BlueBubbles webhook auth behind proxies 2026-02-14 19:47:51 +01:00
Vincent Koc
a042b32d2f
fix: Docker installation keeps hanging on MacOS (#12972) 
* Onboarding: avoid stdin resume after wizard finish

* Changelog: remove Docker hang entry from PR

* Terminal: make stdin resume behavior explicit at call sites

* CI: rerun format check

* Onboarding: restore terminal before cancel exit

* test(onboard): align restoreTerminalState expectation

* chore(format): align onboarding restore test with updated oxfmt config

* chore(format): enforce updated oxfmt on restore test

* chore(format): apply updated oxfmt spacing to restore test

* fix: avoid stdin resume after onboarding (#12972) (thanks @vincentkoc)

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-02-14 19:46:07 +01:00
Robby
cab0abf52a
fix(sessions): resolve transcript paths with explicit agent context (#16288) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 7cbe9deca9b7fc9efa5d2320acb058bc9fbea48c
Co-authored-by: robbyczgw-cla <239660374+robbyczgw-cla@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-14 13:44:51 -05:00
Peter Steinberger
77b89719d5 fix(security): block safeBins shell expansion 2026-02-14 19:44:14 +01:00
Shadow
a73ccf2b53 fix: deliver cron output to explicit targets (#16360) (thanks @rubyrunsstuff) 2026-02-14 12:43:11 -06:00
Marcus Castro
d14be8472e
fix(whatsapp): honor account-level dmPolicy override (#10082) (thanks @mcaxtr) 
Fixes openclaw#10082 (issue #8736): inbound WhatsApp DM policy now respects account-level dmPolicy overrides.
 2026-02-14 19:41:42 +01:00
青雲
80407cbc6a
fix: recompute all cron next-run times after job update (openclaw#15905) thanks @echoVic 
Verified:
- pnpm check
- pnpm vitest src/cron/service.issue-regressions.test.ts src/cron/service.issue-13992-regression.test.ts

Co-authored-by: echoVic <16428813+echoVic@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-14 12:37:22 -06:00
Peter Steinberger
0e046f61ab fix(skills): avoid skills watcher FD exhaustion 
Watch SKILL.md only (and one-level SKILL.md in skill roots) to prevent chokidar from tracking huge unrelated trees.

Co-authored-by: household-bard <shakespeare@hessianinformatics.com>
 2026-02-14 19:26:20 +01:00
Peter Steinberger
01b3226ecb fix(gateway): block node.invoke exec approvals 2026-02-14 19:22:37 +01:00
Christian Klotz
df7464ddf6
fix(bluebubbles): include sender identity in group chat envelopes (#16326) 
* fix(bluebubbles): include sender identity in group chat envelopes

Use formatInboundEnvelope (matching iMessage/Signal pattern) so group
messages show the group label in the envelope header and include the
sender name in the message body. ConversationLabel now resolves to the
group name for groups instead of being undefined.

Fixes #16210

Co-authored-by: zerone0x <hi@trine.dev>

* fix(bluebubbles): use finalizeInboundContext and set BodyForAgent to raw text

Wrap ctxPayload with finalizeInboundContext (matching iMessage/Signal/
every other channel) so field normalization, ChatType, ConversationLabel
fallback, and MediaType alignment are applied consistently.

Change BodyForAgent from the envelope-formatted body to rawBody so the
agent prompt receives clean message text instead of the [BlueBubbles ...]
envelope wrapper.

Co-authored-by: zerone0x <hi@trine.dev>

* docs: add changelog entry for BlueBubbles group sender fix (#16326)

* fix(bluebubbles): include id in fromLabel matching formatInboundFromLabel

Align fromLabel output with the shared formatInboundFromLabel pattern:
groups get 'GroupName id:peerId', DMs get 'Name id:senderId' when the
name differs from the id. Addresses PR review feedback.

Co-authored-by: zerone0x <hi@trine.dev>

---------

Co-authored-by: zerone0x <hi@trine.dev>
 2026-02-14 18:17:26 +00:00
Peter Steinberger
4133f4bd37
refactor(tui): clarify searchable select list width layout (#16378) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: fecbade822f8163f12b7da441b567acb42e6f809
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
 2026-02-14 19:15:38 +01:00
Peter Steinberger
f19eabee54 fix(slack): gate DM slash command authorization 2026-02-14 19:10:29 +01:00
Gustavo Madeira Santana
7d4078c704
CLI: fix lazy maintenance command registration (#16374) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 29d7cca6742bc33793fe8a38df456214fef0da3d
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-14 13:10:10 -05:00
Shadow
5ba72bd9bf fix: add discord exec approval channel targeting (#16051) (thanks @leonnardo) 2026-02-14 12:05:53 -06:00
Peter Steinberger
cb3290fca3 fix(node-host): enforce system.run rawCommand/argv consistency 2026-02-14 18:53:23 +01:00
Mariano
71f357d949
bluebubbles: harden local media path handling against LFI (#16322) 
* bluebubbles: harden local media path handling

* bluebubbles: remove racy post-open symlink lstat

* fix: bluebubbles mediaLocalRoots docs + typing fix (#16322) (thanks @mbelinky)
 2026-02-14 17:43:44 +00:00
Peter Steinberger
bfa7d21e99 fix(security): harden tlon Urbit requests against SSRF 2026-02-14 18:42:10 +01:00
Robby
5a313c83b7
fix(tui): use available terminal width for session name display (#16109) (#16238) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 19c18977e0d2350825502d07adfcc00dbde6e073
Co-authored-by: robbyczgw-cla <239660374+robbyczgw-cla@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
 2026-02-14 18:39:05 +01:00
Robby
8e5689a84d
feat(telegram): add sendPoll support (#16193) (#16209) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: b58492cfed34eebe4b32af5292928092a11ecfed
Co-authored-by: robbyczgw-cla <239660374+robbyczgw-cla@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
 2026-02-14 18:34:30 +01:00
Peter Steinberger
29b587e73c fix(voice-call): fail closed when Telnyx webhook public key missing 2026-02-14 18:17:20 +01:00
Peter Steinberger
ff11d8793b fix(voice-call): require Twilio signature in ngrok loopback mode 2026-02-14 18:14:59 +01:00
Shadow
c16bc71279 fix: add discord routing debug logging (#16202) (thanks @jayleekr) 2026-02-14 11:03:30 -06:00
Peter Steinberger
3e6d1e9cf8 docs: update changelog 2026-02-14 17:43:44 +01:00
Shadow
ff32f43459
Discord: prefer gateway guild id in verbose log 2026-02-14 10:39:36 -06:00
Christoph Spörk
81b5e2766b
feat(podman): add optional Podman setup and documentation (#16273) 
* feat(podman): add optional Podman setup and documentation

- Introduced `setup-podman.sh` for one-time host setup of OpenClaw in a rootless Podman environment, including user creation, image building, and launch script installation.
- Added `run-openclaw-podman.sh` for running the OpenClaw gateway as a Podman container.
- Created `openclaw.podman.env` for environment variable configuration.
- Updated documentation to include Podman installation instructions and a new dedicated Podman guide.
- Added a systemd Quadlet unit for managing the OpenClaw service as a user service.

* fix: harden Podman setup and docs (#16273) (thanks @DarwinsBuddy)

* style: format cli credentials

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-02-14 17:39:06 +01:00
Peter Steinberger
188c4cd076 fix(security): reject ambiguous webhook target matches 2026-02-14 17:28:28 +01:00
Peter Steinberger
66d7178f2d fix(security): eliminate shell from Claude CLI keychain refresh 2026-02-14 17:24:29 +01:00
Peter Steinberger
d583782ee3 fix(security): harden discovery routing and TLS pins 2026-02-14 17:18:14 +01:00
Peter Steinberger
61d59a8028 fix(googlechat): reject ambiguous webhook routing 2026-02-14 17:11:55 +01:00
Peter Steinberger
3e0e78f82a fix(nostr): guard profile mutations 2026-02-14 16:51:04 +01:00
Peter Steinberger
9e147f00b4 fix(doctor): resolve telegram allowFrom usernames 2026-02-14 16:48:07 +01:00
Peter Steinberger
6084d13b95 fix(security): scope CLI cleanup to owned child PIDs 2026-02-14 16:43:35 +01:00
Peter Steinberger
5b4121d601
fix: harden Feishu media URL fetching (#16285) (thanks @mbelinky) 
Security fix for Feishu extension media fetching.
 2026-02-14 16:42:35 +01:00
Peter Steinberger
50a6e0e69e
fix: strip leading empty lines in sanitizeUserFacingText (#16280) 
* fix: strip leading empty lines in sanitizeUserFacingText (#16158) (thanks @mcinteerj)

* fix: strip leading empty lines in sanitizeUserFacingText (#16158) (thanks @mcinteerj)

* fix: strip leading empty lines in sanitizeUserFacingText (#16158) (thanks @mcinteerj)
 2026-02-14 16:34:02 +01:00
Jake
3881af5b37
fix: strip leading whitespace from sanitizeUserFacingText output (#16158) 
* fix: strip leading whitespace from sanitizeUserFacingText output

LLM responses frequently begin with \n\n, which survives through
sanitizeUserFacingText and reaches the channel as visible blank lines.

Root cause: the function used trimmed text for empty-checks but returned
the untrimmed 'stripped' variable. Two one-line fixes:
1. Return empty string (not whitespace-only 'stripped') for blank input
2. Apply trimStart() to the final return value

Fixes the same issue as #8052 and #10612 but at the root cause
(sanitizeUserFacingText) rather than scattering trimStart across
multiple delivery paths.

* Changelog: note sanitizeUserFacingText whitespace normalization

Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>

---------

Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-14 09:23:05 -06:00