Ayuriel/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
12,972 Commits 756 Branches 79 Tags
Commit Graph

2271 Commits

Author SHA1 Message Date
Ayaan Zaidi
e1cb73cdeb
fix: unblock Docker build by aligning commands schema default (#22558) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 1ad610176d0d08eb5ba055429a10d7e8f9ec07a4
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
 2026-02-21 14:47:28 +05:30
Vincent Koc
c20d519e05
feat(security): migrate sha1 hashes to sha256 for synthetic ids (#7343) (#22528) 
* feat(prompt): add explicit owner hash secret to obfuscation path

* feat(security): migrate synthetic IDs to sha256 for #7343
 2026-02-21 03:20:14 -05:00
Vincent Koc
9abab6a2c9
Add explicit ownerDisplaySecret for owner ID hash obfuscation (#22520) 
* feat(config): add owner display secret setting

* feat(prompt): add explicit owner hash secret to obfuscation path

* test(prompt): assert owner hash secret mode behavior

* Update src/agents/system-prompt.ts

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

---------

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
 2026-02-21 03:13:56 -05:00
Vincent Koc
c2f5628915
Fix formatting (#22474) 2026-02-21 01:37:02 -05:00
C.J. Winslow
58f7b7638a
Security: add per-wrapper IDs to untrusted-content markers (#19009) 
Fixes #10927

Adds unique per-wrapper IDs to external-content boundary markers to
prevent spoofing attacks where malicious content could inject fake
marker boundaries.

- Generate random 16-char hex ID per wrap operation
- Start/end markers share the same ID for pairing
- Sanitizer strips markers with or without IDs (handles legacy + spoofed)
- Added test for attacker-injected markers with fake IDs

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
 2026-02-21 01:16:02 -05:00
Vignesh Natarajan
93c2f20a23 Memory: surface explicit memory_search unavailable status 2026-02-20 20:30:52 -08:00
Vincent Koc
282a545130
chore: fix formatting on CI-drift files (#22391) 2026-02-20 22:40:30 -05:00
Glucksberg
1410d15c5e
fix: compaction safeguard extension not loading in production builds (openclaw#22349) thanks @Glucksberg 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini (local run had unrelated baseline failures; Tak approved proceed)

Co-authored-by: Glucksberg <80581902+Glucksberg@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-20 21:21:09 -06:00
Shadow
b294342d7f feat(discord): support forum tag edits via channel-edit (#12070) (thanks @xiaoyaner0201) 2026-02-20 21:17:04 -06:00
Vincent Koc
9a6b26d427
fix(ui): strip inbound metadata blocks and guard reply-tag streaming (clean rewrite) (#22346) 
* fix(ui): strip inbound metadata blocks from user messages

* chore: clean up metadata-strip format and changelog credit

* Update src/shared/chat-envelope.ts

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

---------

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
 2026-02-20 21:41:32 -05:00
Taras Lukavyi
0e068194ad
fix(tool-display): cd ~/dir && npm install shows as run cd — compound commands truncated to first stage (#21925) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 4728bfe8e75dfcdf21f9ac22e7a26d081dc95d93
Co-authored-by: Lukavyi <1013690+Lukavyi@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
 2026-02-21 08:03:32 +05:30
jackheuberger
feccac6723
fix: sanitize thinking blocks for GitHub Copilot Claude models (openclaw#19459) thanks @jackheuberger 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: jackheuberger <12731288+jackheuberger@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-20 19:48:09 -06:00
Shadow
f555835b09
Channels: add thread-aware model overrides 2026-02-20 19:26:25 -06:00
Tyler Yust
fe57bea088
Subagents: restore announce chain + fix nested retry/drop regressions (#22223) 
* Subagents: restore announce flow and fix nested delivery retries

* fix: prep subagent announce + docs alignment (#22223) (thanks @tyler6204)
 2026-02-20 15:39:09 -08:00
Shadow
4ab946eebf
Discord VC: voice channels, transcription, and TTS (#18774) 2026-02-20 16:06:07 -06:00
Shadow
3100b77f12
Agents: clarify authorized sender prompt (Closes #19794) 2026-02-20 15:55:36 -06:00
Shadow
c378439246
Security: harden tool media paths 2026-02-20 13:32:49 -06:00
Shadow
39816e61b0
Security: restrict canvas jsonlPath file reads 2026-02-20 13:21:55 -06:00
Mariano
5828708343
iOS/Gateway: harden pairing resolution and settings-driven capability refresh (#22120) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 55b8a93a999b7458c98f9d3b31abbd3665929b31
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Reviewed-by: @mbelinky
 2026-02-20 18:57:04 +00:00
Shadow
8c9f35cdb5
Agents: sanitize skill env overrides 2026-02-20 12:38:54 -06:00
Mariano
8e4f6c0384
fix(browser): block upload symlink escapes (#21972) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 4381ef9a4d9107798c9c7c00aac62ee81a878789
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Reviewed-by: @mbelinky
 2026-02-20 16:36:25 +00:00
mudrii
7ecfc1d93c
fix(auth): bidirectional mode/type compat + sync OAuth to all agents (#12692) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 2dee8e1174e637e50d10bf7020f1de2990b804dc
Co-authored-by: mudrii <220262+mudrii@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
 2026-02-20 16:01:09 +05:30
Vignesh Natarajan
ec4198954a Memory: harden readFile ENOENT handling 2026-02-19 23:33:28 -08:00
Daniel Zou
f3f47886ba fix(memory): handle ENOENT gracefully in readFile instead of throwing 
When a memory file doesn't exist yet (e.g. daily log `2026-02-19.md`),
`readFile` now returns `{ text: "", path }` instead of propagating the
ENOENT error. This prevents noisy error responses from the memory read
tool and aligns with the "graceful degradation" recommendation in #9307.

Closes #9307

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-19 23:33:28 -08:00
Sean McLellan
86f207adb0
fix: clean tool schemas and thinking blocks for google-antigravity (openclaw#19732) thanks @Oceanswave 
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: Oceanswave <760674+Oceanswave@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-19 22:49:57 -06:00
Ephraim Moss
59e58bf81c
fix: strip unsupported JSON Schema keywords for Claude via Cloud Code Assist (openclaw#20124) thanks @ephraimm 
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check (fails on existing unrelated type error: src/agents/subagent-announce.format.e2e.test.ts:71)
- pnpm test:e2e src/agents/pi-embedded-runner/google.e2e.test.ts
- pnpm test:macmini (fails on existing unrelated test: src/agents/subagent-registry.steer-restart.test.ts)

Co-authored-by: ephraimm <2803669+ephraimm@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-19 22:31:20 -06:00
Nabbil Khan
f91034aa6b
fix(auth): clear all usage stats fields in clearAuthProfileCooldown (openclaw#19211) thanks @nabbilkhan 
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: nabbilkhan <203121263+nabbilkhan@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-19 22:21:37 -06:00
Tak Hoffman
c1ac37a641
Config: expose Pi compaction tuning values (openclaw#21568) thanks @Takhoffman 
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: Takhoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-19 21:41:09 -06:00
Dale Babiy
10dab4f2c7
fix(anthropic): preserve pi-ai default betas when injecting anthropic-beta header (openclaw#19789) thanks @minupla 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: minupla <42547246+minupla@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-19 21:23:00 -06:00
Glucksberg
38b4fb5d55
fix(auth/session): preserve override reset behavior and repair oauth profile-id drift (openclaw#18820) thanks @Glucksberg 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: Glucksberg <80581902+Glucksberg@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-19 21:16:26 -06:00
Vishal
f1e1cc4ee3
feat: surface cached token counts in /status output (openclaw#21248) thanks @vishaltandale00 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: vishaltandale00 <9222298+vishaltandale00@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-19 21:06:13 -06:00
青雲
21448508a1
fix: Grok web_search extracts output_text blocks at top level (openclaw#20508) thanks @echoVic 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: echoVic <16428813+echoVic@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-19 20:37:15 -06:00
adhitShet
399781aaca
fix: remove duplicate comment in orderProfilesByMode (#21409) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 04271651d4fc0eb40f654b2bcb9ac919fbd7b8ab
Co-authored-by: adhitShet <131381638+adhitShet@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-19 19:46:51 -05:00
Val Alexander
82a1741336
fix: update formula handling in SKILL.md and frontmatter.ts (#11046) 
- Changed "cask" to "formula" in SKILL.md for consistency.
- Enhanced formula parsing in frontmatter.ts to trim whitespace and fallback to cask if formula is not provided.
 2026-02-19 16:57:08 -06:00
Protocol Zero
2af3415fac
fix: treat HTTP 503 as failover-eligible for LLM provider errors (#21086) 
* fix: treat HTTP 503 as failover-eligible for LLM provider errors

When LLM SDKs wrap 503 responses, the leading "503" prefix is lost
(e.g. Google Gemini returns "high demand" / "UNAVAILABLE" without a
numeric prefix). The existing isTransientHttpError only matches
messages starting with "503 ...", so these wrapped errors silently
skip failover — no profile rotation, no model fallback.

This patch closes that gap:

- resolveFailoverReasonFromError: map HTTP status 503 → rate_limit
  (covers structured error objects with a status field)
- ERROR_PATTERNS.overloaded: add /\b503\b/, "service unavailable",
  "high demand" (covers message-only classification when the leading
  status prefix is absent)

Existing isTransientHttpError behavior is unchanged; these additions
are complementary and only fire for errors that previously fell
through unclassified.

* fix: address review feedback — drop /\b503\b/ pattern, add test coverage

- Remove `/\b503\b/` from ERROR_PATTERNS.overloaded to resolve the
  semantic inconsistency noted by reviewers: `isTransientHttpError`
  already handles messages prefixed with "503" (→ "timeout"), so a
  redundant overloaded pattern would classify the same class of errors
  differently depending on message formatting.

- Keep "service unavailable" and "high demand" patterns — these are the
  real gap-fillers for SDK-rewritten messages that lack a numeric prefix.

- Add test case for JSON-wrapped 503 error body containing "overloaded"
  to strengthen coverage.

* fix: unify 503 classification — status 503 → timeout (consistent with isTransientHttpError)

resolveFailoverReasonFromError previously mapped status 503 → "rate_limit",
while the string-based isTransientHttpError mapped "503 ..." → "timeout".

Align both paths: structured {status: 503} now also returns "timeout",
matching the existing transient-error convention. Both reasons are
failover-eligible, so runtime behavior is unchanged.

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
 2026-02-19 12:45:09 -08:00
Peter Steinberger
3077c35831 fix(ui): unblock docker onboarding build 2026-02-19 16:32:33 +01:00
Peter Steinberger
a1cb700a05 test: dedupe and optimize test suites 2026-02-19 15:19:38 +00:00
Peter Steinberger
3a258e7ca8 fix(ci): add explicit mock export types for harnesses 2026-02-19 15:16:09 +00:00
Peter Steinberger
e96c6a7a3e fix(ci): format cron tool imports 2026-02-19 15:13:02 +00:00
Peter Steinberger
cc9be84b9c refactor(runtime): split runtime builders and stabilize cron tool seam 2026-02-19 16:09:56 +01:00
Peter Steinberger
d3bf6e1b90 test: harden mock order and shell path coverage 2026-02-19 15:09:19 +00:00
Peter Steinberger
dcd592a601 refactor: eliminate jscpd clones and boost tests 2026-02-19 15:08:54 +00:00
Peter Steinberger
a688ccf24a refactor(security): unify safe-bin argv parsing and harden regressions 2026-02-19 16:04:58 +01:00
Peter Steinberger
f76f98b268 chore: fix formatting drift and stabilize cron tool mocks 2026-02-19 15:41:38 +01:00
Peter Steinberger
c9dee59266 refactor(security): centralize trusted sender checks for discord moderation 2026-02-19 15:39:56 +01:00
Peter Steinberger
b40821b068 fix: harden ACP secret handling and exec preflight boundaries 2026-02-19 15:34:20 +01:00
Peter Steinberger
3d7ad1cfca fix(security): centralize owner-only tool gating and scope maps 2026-02-19 15:29:23 +01:00
Peter Steinberger
efca61e3ac test: share cron tool mock harness 2026-02-19 14:27:37 +00:00
Peter Steinberger
2581b67cdb refactor: share exec approval request helper 2026-02-19 14:27:37 +00:00
Peter Steinberger
775816035e fix(security): enforce trusted sender auth for discord moderation 2026-02-19 15:18:24 +01:00