Ayuriel/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
openclaw/src
History
Marcus Castro e355f6e093
fix(security): distinguish webhooks from internal hooks in audit summary (#13474) 
* fix(security): distinguish webhooks from internal hooks in audit summary

The attack surface summary reported a single 'hooks: disabled/enabled' line
that only checked the external webhook endpoint (hooks.enabled), ignoring
internal hooks (hooks.internal.enabled). Users who enabled internal hooks
(session-memory, command-logger, etc.) saw 'hooks: disabled' and thought
something was broken.

Split into two separate lines:
- hooks.webhooks: disabled/enabled
- hooks.internal: disabled/enabled

Fixes #13466

* test(security): move attack surface tests to focused test file

Move the 3 new hook-distinction tests from the monolithic audit.test.ts
(1,511 lines) into a dedicated audit-extra.sync.test.ts that tests
collectAttackSurfaceSummaryFindings directly. Avoids growing the
already-large test file and keeps tests focused on the changed unit.

* fix: add changelog entry for security audit hook split (#13474) (thanks @mcaxtr)

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-02-13 04:46:27 +01:00
..
acp
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.
2026-02-01 10:03:47 +09:00
agents
fix: pass sandbox docker env into containers (#15138) (thanks @stevebot-alive)
2026-02-12 19:39:22 -08:00
auto-reply
fix(session): preserve verbose/thinking/tts overrides across /new and /reset (openclaw#10881) thanks @mcaxtr
2026-02-12 20:27:12 -06:00
browser
fix(browser): hide navigator.webdriver from reCAPTCHA v3 detection (openclaw#10735) thanks @Milofax
2026-02-12 20:16:28 -06:00
canvas-host
fix: use STATE_DIR instead of hardcoded ~/.openclaw for identity and canvas (#4824)
2026-02-07 22:16:59 -05:00
channels
Signal: harden E.164 validation
2026-02-12 15:28:31 -08:00
cli
fix(config): add resolved field to ConfigFileSnapshot for pre-defaults config
2026-02-13 04:41:04 +01:00
commands
fix(security): prevent String(undefined) coercion in credential inputs (#12287)
2026-02-13 04:25:05 +01:00
compat
refactor: rename to openclaw
2026-01-30 03:16:21 +01:00
config
fix(config): enforce default-free persistence in write path
2026-02-13 04:41:04 +01:00
cron
fix(agents): stabilize overflow compaction retries and session context accounting (openclaw#14102) thanks @vpesh
2026-02-12 17:53:13 -06:00
daemon
fix(daemon): suppress EPIPE error in restartLaunchAgent stdout write (#14343)
2026-02-12 07:55:29 -06:00
discord
Discord: honor Administrator in permission checks
2026-02-12 19:53:22 -06:00
docs
Docs: landing page revamp (#8885)
2026-02-04 10:37:14 -05:00
gateway
fix(ci): resolve windows test path assertion and sync protocol swift models
2026-02-13 02:39:34 +01:00
hooks
fix: preserve inter-session input provenance (thanks @anbecker)
2026-02-13 02:02:01 +01:00
imessage
fix(auto-reply): prevent sender spoofing in group prompts
2026-02-10 00:44:38 -06:00
infra
fix(exec): allow heredoc operator (<<) in allowlist security mode (#13811)
2026-02-13 04:41:51 +01:00
line
fix(auto-reply): prevent sender spoofing in group prompts
2026-02-10 00:44:38 -06:00
link-understanding
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.
2026-02-01 10:03:47 +09:00
logging
Browser/Logging: share default openclaw tmp dir resolver
2026-02-12 16:44:04 -05:00
macos
chore: Enable "curly" rule to avoid single-statement if confusion/errors.
2026-01-31 16:19:20 +09:00
markdown
feat(telegram): render blockquotes as native <blockquote> tags (#14608) (#14626)
2026-02-12 08:11:57 -05:00
media
fix: harden OpenResponses URL input fetching
2026-02-13 01:38:49 +01:00
media-understanding
fix: fix: transcribe audio before mention check in groups with requireMention (openclaw#9973) thanks @mcinteerj
2026-02-12 09:58:01 -06:00
memory
(fix): handle Cloudflare 521 and transient 5xx errors gracefully (#13500)
2026-02-11 21:42:33 -06:00
node-host
fix: prevent act:evaluate hangs from getting browser tool stuck/killed (#13498)
2026-02-11 07:54:48 +08:00
pairing
fix(pairing): use actual code in pairing approval text
2026-02-10 19:48:02 -05:00
plugin-sdk
Update contributing, deduplicate more functions
2026-02-09 19:21:33 -08:00
plugins
CLI: add plugins uninstall command (#5985) (openclaw#6141) thanks @JustasMonkev
2026-02-12 20:11:26 -06:00
process
fix(gateway): drain active turns before restart to prevent message loss (#13931)
2026-02-12 07:55:19 -06:00
providers
chore: Fix failing test.
2026-02-09 09:58:58 +09:00
routing
fix: add discord role allowlists (#10650) (thanks @Minidoracat)
2026-02-12 19:52:24 -06:00
scripts
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.
2026-02-01 10:03:47 +09:00
security
fix(security): distinguish webhooks from internal hooks in audit summary (#13474)
2026-02-13 04:46:27 +01:00
sessions
fix: preserve inter-session input provenance (thanks @anbecker)
2026-02-13 02:02:01 +01:00
shared/text
chore: Enable "curly" rule to avoid single-statement if confusion/errors.
2026-01-31 16:19:20 +09:00
signal
Signal: satisfy lint
2026-02-12 14:37:55 -08:00
slack
fix(discord): replyToMode first behaviour
2026-02-12 18:50:36 -06:00
telegram
test: stabilize telegram media timing tests
2026-02-13 02:13:15 +01:00
terminal
fix(onboarding): exit cleanly after web ui hatch
2026-02-13 03:20:32 +01:00
test-helpers
fix: use STATE_DIR instead of hardcoded ~/.openclaw for identity and canvas (#4824)
2026-02-07 22:16:59 -05:00
test-utils
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.
2026-02-01 10:03:47 +09:00
tts
fix(tts): strip markdown before sending text to TTS engines (#13237)
2026-02-12 10:46:57 -05:00
tui
Centralize date/time formatting utilities (#11831)
2026-02-08 04:53:31 -08:00
types
fix: update pi packages to 0.51.0, remove bogus type augmentation
2026-02-02 01:52:33 +01:00
utils
refactor: consolidate fetchWithTimeout into shared utility
2026-02-09 20:34:56 -08:00
web
fix: default MIME type for WhatsApp voice messages when Baileys omits it (#14444)
2026-02-11 23:09:09 -06:00
whatsapp
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.
2026-02-01 10:03:47 +09:00
wizard
fix(security): prevent String(undefined) coercion in credential inputs (#12287)
2026-02-13 04:25:05 +01:00
channel-web.barrel.test.ts
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.
2026-02-01 10:03:47 +09:00
channel-web.ts
docker-setup.test.ts
fix(tts): strip markdown before sending text to TTS engines (#13237)
2026-02-12 10:46:57 -05:00
entry.ts
Centralize date/time formatting utilities (#11831)
2026-02-08 04:53:31 -08:00
extensionAPI.ts
chore: Migrate to tsdown, speed up JS bundling by ~10x (thanks @hyf0).
2026-02-03 20:18:16 +09:00
globals.test.ts
globals.ts
chore: Enable "curly" rule to avoid single-statement if confusion/errors.
2026-01-31 16:19:20 +09:00
index.test.ts
index.ts
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.
2026-02-01 10:03:47 +09:00
logger.test.ts
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.
2026-02-01 10:03:47 +09:00
logger.ts
chore: Enable "curly" rule to avoid single-statement if confusion/errors.
2026-01-31 16:19:20 +09:00
logging.ts
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.
2026-02-01 10:03:47 +09:00
polls.test.ts
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.
2026-02-01 10:03:47 +09:00
polls.ts
runtime.ts
CLI: restore terminal state on exit
2026-02-03 06:10:19 +00:00
utils.test.ts
fix(paths): structurally resolve home dir to prevent Windows path bugs (#12125)
2026-02-08 20:06:29 -05:00
utils.ts
Deduplicate more
2026-02-09 18:56:58 -08:00
version.test.ts
fix: CLI harden update restart imports and fix nested bundle version resolution
2026-02-06 00:09:48 -05:00
version.ts
fix: CLI harden update restart imports and fix nested bundle version resolution
2026-02-06 00:09:48 -05:00