chore: sync with upstream openclaw/openclaw + replay all custom commits #4
Closed
siofra-seksbot wants to merge 2964 commits into main from
…arding-overview, features, and openclaw pages
…arted, windows, and onboarding-overview
… hierarchy, better hosting cards
…ces, add next-steps sections
…note, frontmatter
…osting titles, move dev channels to Maintenance
…ines) for readability
… improved readability
…/Lossless Claw/Opik, A-Z order
Merged via squash.
Prepared head SHA: 10d9770
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras

…law#50772)
Merged via squash.
Prepared head SHA: 095e645
Co-authored-by: Jaaneek <25470423+Jaaneek@users.noreply.github.com>
Co-authored-by: huntharo <5617868+huntharo@users.noreply.github.com>
Reviewed-by: @huntharo

…50935)
Merged via squash.
Prepared head SHA: e1c7d72
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras

…claw#50523)
* security: add SSRF guard tests for URL credential bypass vectors
* test(security): strengthen SSRF redirect guard coverage
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

Implements a Zulip channel plugin with:
- Long-polling event monitor for real-time messages
- DM and stream message support with topic threading
- Pairing flow for DM access control
- Health check/probe functionality
- Account configuration with multi-account support
Backported from SEKSBot/seksbot (f8459359) with branding updated from seksbot to openclaw.

Port broker integration from SEKSBot/seksbot to openclaw:
- Add src/seks/ with broker client, types, and exports
- Add seks.broker config section to OpenClawConfig
- Integrate broker auth into model-auth provider resolution
- Add async Discord token resolution via broker
- Add 'broker' to DiscordTokenSource union type
Broker provides centralized credential management — agents authenticate with a single agent token, broker injects API keys and channel tokens at runtime.

When seks-broker is configured, auth resolution now returns mode 'broker' instead of pretending to be 'api-key'. This makes the auth semantics explicit — the broker token is a proxy credential, not a provider API key.
No functional change: the broker token is still passed as the API key to the provider SDK, which sends it to the broker proxy URL where it gets swapped for the real credential. But now code inspecting the auth mode can distinguish broker-proxied auth from direct API key auth.

- broker-client.ts: [botster-broker-client] prefix on all errors
- model-auth.ts: [botster-auth] prefix, rename SEKS references to botster
- discord/token.ts: [botster-auth] prefix, rename SEKS references to botster

* docs: add actuator routing status report and port implementation plan
* docs: reframe actuator port plan as compatibility specification
---------
Co-authored-by: FootGun <footgun@FootGuns-Mac-Studio.local>

When BOTSTER_EXEC_VIA_SPINE=1 is set (along with SEKS_BROKER_URL and SEKS_BROKER_TOKEN), tool calls route through the broker to a remote actuator via POST /v1/command instead of executing locally.
New files:
- src/seks/spine-client.ts: HTTP client for broker command endpoint
- src/seks/spine-exec-intercept.ts: Tool wrappers that intercept and route exec/process/read/write/edit through the spine
Modified:
- src/agents/pi-tools.ts: Wire up spine wrappers at tool assembly time
Design: wrapper pattern — zero code paths change when spine is off. Brain sends sync HTTP to broker, broker relays via WS to actuator.

…raint)
Codex used AgentTool<unknown, unknown> but unknown doesn't satisfy the TSchema constraint. Changed to AgentTool<any, any> to match codebase conventions (AgentState.tools uses AgentTool<any>). Added eslint-disable for the file since every function signature needs it. Added review notes in REVIEW.md.

…AL=1
- Invert BOTSTER_EXEC_VIA_SPINE opt-in to BOTSTER_EXEC_NORMAL opt-out
- Remove SEKS_BROKER_TOKEN requirement (superego proxy injects real token)
- Only SEKS_BROKER_URL needed for spine routing to activate
Closing, we will re-do this sync
This was referenced Mar 23, 2026
Summary

Syncs TheBotsters/botster-ego with upstream openclaw/openclaw main (+2,953 commits). All custom botster commits are replayed on top of upstream head.

What This PR Does

Creates a new branch from upstream/main and cherry-picks all 11 custom botster commits on top:

- feat: add Zulip channel plugin
- feat: add SEKS broker client for credential resolution
- feat: add first-class 'broker' auth mode
- fix: add botster- prefixes to error messages for TUI disambiguation
- docs: actuator routing status + port plan
- feat: spine routing for exec/process/read/write/edit tools (from brain)
- fix: use any instead of unknown for AgentTool generics (from brain)
- feat: default-secure exec routing — spine on unless BOTSTER_EXEC_NORMAL=1 (from brain)
- feat: actuator list and select tools (brain-level, via superego proxy) (from brain)
- docs: add brain-level actuator_list/actuator_select guide (from brain)
- chore: update pnpm-lock, fix Zulip plugin-sdk imports, Discord broker type

Conflicts Resolved

3 files had merge conflicts, all additive (upstream added things, we added things):

- extensions/discord/src/token.ts — Import paths changed to plugin-sdk subpaths. Added BrokerClient import with corrected relative path (../../../src/seks/broker-client.js).
- src/agents/model-auth.ts — Two conflict regions:
  - createSubsystemLogger (upstream) and BrokerClient (ours) imports
  - const log = createSubsystemLogger(...) (upstream) and broker helper functions (ours)
- src/config/types.openclaw.ts — Kept both upstream's mcp?: McpConfig and our seks.broker config block.

Additional Fixes (chore commit)

Zulip plugin — upstream reorganized openclaw/plugin-sdk from a flat export into subpath exports. Updated extensions/zulip/src/channel.ts and monitor.ts to use the new paths:

- openclaw/plugin-sdk/routing → DEFAULT_ACCOUNT_ID, normalizeAccountId
- openclaw/plugin-sdk/channel-setup → account section helpers
- openclaw/plugin-sdk/channel-config-helpers → config section helpers
- openclaw/plugin-sdk/channel-pairing → formatPairingApproveHint

Created src/plugin-sdk/zulip.ts as a thin re-export shim for Zulip-specific helpers.

Discord — InspectedDiscordSetupAccount.tokenSource extended to include "broker". normalizeDiscordToken call fixed to pass required second argument.

Checks

- pnpm tsgo — 0 errors ✅
- pnpm exec oxfmt --check — all clean ✅
- --no-verify for the chore commit (checks were run manually first)

Testing Plan

After merge: deploy to Nira (currently on botster-brain) as a pilot. Validate via mock agent that exec routing, broker auth, and actuator tools all work end-to-end before rolling out to the rest of the family.
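
The exec routing rules from the commit messages above (the earlier BOTSTER_EXEC_VIA_SPINE opt-in, then the BOTSTER_EXEC_NORMAL opt-out) and the wrapper pattern, sketched as an added TypeScript example that is not code from this PR. Only the environment variable names and the five tool names come from the page; the types, function names and the injected relay callback are hypothetical, and treating a missing SEKS_BROKER_URL as local execution is an assumption.

```typescript
// Added illustration, not the PR's code. Only the environment variable names and
// the five tool names come from the page; every other name is hypothetical.
type Env = {
  BOTSTER_EXEC_VIA_SPINE?: string;
  BOTSTER_EXEC_NORMAL?: string;
  SEKS_BROKER_URL?: string;
  SEKS_BROKER_TOKEN?: string;
};
type Route = { via: "spine" | "local"; reason: string };

// Earlier rule (opt-in): flag, broker URL and broker token must all be set.
function routeOptIn(env: Env): Route {
  if (env.BOTSTER_EXEC_VIA_SPINE !== "1") {
    return { via: "local", reason: "opt-in flag not set" };
  }
  if (!env.SEKS_BROKER_URL || !env.SEKS_BROKER_TOKEN) {
    return { via: "local", reason: "broker URL or token missing" };
  }
  return { via: "spine", reason: "opt-in flag and broker settings present" };
}

// Later rule (opt-out): the broker URL alone activates spine routing.
// Assumption: with no broker URL there is nothing to route to, so the result
// is local execution; the reason string lets a caller log that case.
function routeOptOut(env: Env): Route {
  if (env.BOTSTER_EXEC_NORMAL === "1") {
    return { via: "local", reason: "explicit opt-out" };
  }
  if (!env.SEKS_BROKER_URL) {
    return { via: "local", reason: "no broker URL configured" };
  }
  return { via: "spine", reason: "broker URL configured" };
}

type Tool = { name: string; execute: (args: unknown) => Promise<unknown> };
type Relay = (toolName: string, args: unknown) => Promise<unknown>;
const SPINE_TOOLS = new Set(["exec", "process", "read", "write", "edit"]);

// Wrapper pattern: when routing is local the original array is returned as is,
// so no code path changes; otherwise only the five listed tools are redirected.
function wrapTools(tools: Tool[], env: Env, relay: Relay): Tool[] {
  if (routeOptOut(env).via === "local") return tools;
  return tools.map((t): Tool =>
    SPINE_TOOLS.has(t.name)
      ? { ...t, execute: (args: unknown) => relay(t.name, args) }
      : t,
  );
}
```

Under the opt-out rule in this sketch, a deployment that loses its SEKS_BROKER_URL falls back to local execution, so the returned reason is worth logging at startup.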