fix: Telegram native commands now respect commands.allowFrom #13
Open
newtontech wants to merge 248 commits into main from
Add a grace timer after markRunComplete so the typing controller cleans up even when markDispatchIdle is never called, preventing indefinite typing keepalive loops in cron and announce flows. Made-with: Cursor (cherry picked from commit 684eaf2)
When Telegram rejects native command registration for excessive commands, progressively retry with fewer commands instead of hard-failing startup. Made-with: Cursor (cherry picked from commit a02c404)
Prevent gateway startup failures when plugins.entries contains stale or removed plugin ids by downgrading unknown entry keys from validation errors to warnings. Made-with: Cursor (cherry picked from commit 34ef28c)
Introduce a sessions cleanup flag to prune entries whose transcript files are missing and surface the exact remediation command from doctor to resolve missing-transcript deadlocks. Made-with: Cursor (cherry picked from commit 690d3d5)
Azure OpenAI endpoints were not recognized by shouldForceResponsesStore(), causing store=false to be sent with all Azure Responses API requests. This broke multi-turn conversations because previous_response_id referenced responses that Azure never stored. Add "azure-openai-responses" to the provider whitelist and *.openai.azure.com to the URL check in isDirectOpenAIBaseUrl(). Fixes openclaw#27497 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> (cherry picked from commit 185f381)
When connecting via shared gateway token (no device identity), the operator scopes were being cleared, causing API operations to fail with 'missing scope' errors. This fix preserves scopes when sharedAuthOk is true, allowing headless/API operator clients to retain their requested scopes. Fixes openclaw#27494 (cherry picked from commit c71c894)
Guard sendMessageSlack against NO_REPLY tokens reaching the Slack API, which caused truncated push notifications before the reply filter could intercept them. Made-with: Cursor (cherry picked from commit fab9b52)
Landed follow-up for openclaw#27535 and aligned shared-auth gateway expectations after openclaw#27498. Co-authored-by: kevinWangSheng <118158941+kevinWangSheng@users.noreply.github.com>
Reworks browser relay CORS handling for extension-origin preflight and JSON responses, adds regression tests, and updates changelog. Landed from contributor @miloudbelarebia (PR openclaw#23962). Co-authored-by: Miloud Belarebia <miloudbelarebia@users.noreply.github.com>
…aw#27286)
* fix(gateway): allow cron commands to use gateway.remote.token
* fix(gateway): make local remote-token fallback effective
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
… routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <sidqin0410@gmail.com>
Flush pending extension request timers/rejections during relay shutdown and document in changelog. Landed from contributor @kevinWangSheng (PR openclaw#24142). Co-authored-by: Shawn <118158941+kevinWangSheng@users.noreply.github.com>
…ndling Bind relay WS message handling before onopen and add non-blocking connect.challenge response support without forcing handshake waits on current relay protocol. Landed from contributor @pandego (PR openclaw#22571). Co-authored-by: pandego <7780875+pandego@users.noreply.github.com>
Add shared per-port relay initialization dedupe so concurrent callers await a single startup lifecycle, with regression coverage and changelog entry. Landed from contributor @HOYALIM (PR openclaw#21277). Co-authored-by: Ho Lim <subhoya@gmail.com>
Guard malformed percent-encoding in relay target routes and browser dispatcher params, add regression tests, and update changelog. Landed from contributor @Yida-Dev (PR openclaw#11880). Co-authored-by: Yida-Dev <reyifeijun@gmail.com>
* Changelog: credit session path fixes
* test(gemini-oauth): cover npm global shim credential discovery
* fix(gemini-oauth): resolve npm global shim install roots
…nels
When dmPolicy is set to "allowlist" but allowFrom is missing or empty, all DMs are silently dropped because no sender can match the empty allowlist. This is a common pitfall after upgrades that change how allowlist files are handled (e.g., external allowlist-dm.json files being deprecated in favor of inline allowFrom arrays).
Changes:
- Add requireAllowlistAllowFrom schema refinement (zod-schema.core.ts)
- Apply validation to all channel schemas: Telegram, Discord, Slack, Signal, IRC, iMessage, BlueBubbles, MS Teams, Google Chat, WhatsApp
- Add detectEmptyAllowlistPolicy to doctor-config-flow.ts so "openclaw doctor" surfaces a clear warning with remediation steps
- Add 12 test cases covering reject/accept for multiple channels
Fixes openclaw#27892
Account configs inherit channel-level fields at runtime (e.g., resolveTelegramAccount shallow-merges top-level and account values). An account can set dmPolicy='allowlist' and rely on the parent's allowFrom, so validating allowFrom on the account object alone incorrectly rejects valid multi-account configs. Removes requireAllowlistAllowFrom and requireOpenAllowFrom from all account-level schemas (Telegram, Signal, IRC, iMessage, BlueBubbles). Top-level config schemas still enforce the validation. Addresses Codex review feedback on openclaw#27936.
…-3.1-pro/flash-preview (openclaw#26570)
* fix(agents): add "google" provider to isReasoningTagProvider to prevent reasoning leak
The gemini-api-key auth flow creates a profile with provider "google" (e.g. google/gemini-3-pro-preview), but isReasoningTagProvider only matched "google-gemini-cli" (OAuth) and "google-generative-ai". As a result:
- reasoningTagHint was false → system prompt omitted <think>/<final> formatting instructions
- enforceFinalTag was false → <final> tag filtering was skipped
Raw <think> reasoning output was delivered to the end user.
Fix: add the bare "google" provider string to the match list and cover it with two new test cases (exact match + case-insensitive).
Fixes openclaw#26551
* fix(agents): add forward-compat fallback for google-gemini-cli gemini-3.1-pro/flash-preview
gemini-3.1-pro-preview and gemini-3.1-flash-preview are not yet present in pi-ai's built-in google-gemini-cli model catalog (only gemini-3-pro-preview and gemini-3-flash-preview are registered). When users configure these models they get "Unknown model" errors even though Gemini CLI OAuth supports them.
The codebase already has isGemini31Model() in extra-params.ts, which proves intent to support these models. Add a resolveGoogleGeminiCli31ForwardCompatModel entry to resolveForwardCompatModel following the same clone-template pattern used for zai/glm-5 and anthropic 4.6 models.
- gemini-3.1-pro-* clones gemini-3-pro-preview (with reasoning: true)
- gemini-3.1-flash-* clones gemini-3-flash-preview (with reasoning: true)
Also add test helpers and three test cases to model.forward-compat.test.ts.
Fixes openclaw#26524
* Changelog: credit Google Gemini provider fallback fixes
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
…ravity (openclaw#24145)
* fix(provider): normalize bare gemini-3 Pro model IDs for google-antigravity
The Antigravity Cloud Code Assist API requires a thinking-tier suffix (-low or -high) for all Gemini 3 Pro variants. When a user configures a bare model ID like `gemini-3.1-pro`, the API returns a 404 because it only recognises `gemini-3.1-pro-low` or `gemini-3.1-pro-high`.
Add `normalizeAntigravityModelId()` that appends `-low` (the default tier) to bare Pro model IDs, and apply it during provider normalisation for `google-antigravity`. Also refactor the per-provider model normalisation into a shared `normalizeProviderModels()` helper.
Closes openclaw#24071
Co-authored-by: Cursor <cursoragent@cursor.com>
* Tests: cover antigravity model ID normalization
* Changelog: note antigravity pro tier normalization
* Tests: type antigravity model helper inputs
---------
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
…fe-inline'); fonts never loaded; closes openclaw#28038
…openclaw#24896)
* fix(update): fallback to --omit=optional when global npm update fails
* fix(update): add recovery hints and fallback for npm global update failures
* chore(update): align fallback progress step index ordering
* chore(update): label omit-optional retry step in progress output
* chore(update): avoid showing 1/2 when fallback path is not used
* chore(ci): retrigger after unrelated test OOM
* fix(update): scope recovery hints to npm failures
* test(update): cover non-npm hint suppression
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
launchd services do not inherit the shell environment, so Node's undici/fetch cannot locate the macOS system CA bundle (/etc/ssl/cert.pem). This causes TLS verification failures for all HTTPS requests (e.g. Telegram, webhooks) when the gateway runs as a LaunchAgent, while the same gateway works fine in a terminal. Add NODE_EXTRA_CA_CERTS defaulting to /etc/ssl/cert.pem on macOS in both buildServiceEnvironment and buildNodeServiceEnvironment. User-supplied NODE_EXTRA_CA_CERTS is always respected and takes precedence. Fixes openclaw#22856 Co-authored-by: Clawborn <tianrun.yang103@gmail.com>
…21039)
* fix(plugins): recover npm pack archive when stdout is empty
* test(plugins): create npm pack archive in metadata mock
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
The Telegram native command handler was not checking commands.allowFrom before falling through to channel-level allowFrom checks. This caused commands to be rejected in group chats even when the sender was explicitly authorized via commands.allowFrom. This fix adds the commands.allowFrom check to resolveTelegramCommandAuth, making it consistent with the text command handler. Fixes openclaw#28216
Summary
Fixed the Telegram native command handler to properly check commands.allowFrom before falling through to channel-level authorization checks. This ensures commands work correctly in group chats when users are authorized via commands.allowFrom.
Changes
- resolveTelegramCommandAuth in telegram/bot-native-commands.ts to check commands.allowFrom via resolveCommandsAllowFromList()
- resolveCommandsAllowFromList from auto-reply/command-auth.ts for reuse
- commands.allowFrom is configured, it is now used as the sole authorization source (consistent with text command handler and documentation)
Testing
- commands.allowFrom is not configured, falls back to existing behavior)
Fixes openclaw#28216
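The precedence rule described in the summary above, as an added example that is not code from this pull request or from the project. The config shape, the names `AuthConfig` and `authorizeCommand`, and the choice to treat a present-but-empty `commands.allowFrom` as authorizing nobody are assumptions of this sketch.

```typescript
// Added sketch, not the project's code: config shape and names are assumptions.
type SenderId = string | number;

interface AuthConfig {
  commandsAllowFrom?: SenderId[]; // stands in for commands.allowFrom
  channelAllowFrom?: SenderId[]; // stands in for the channel-level allowFrom
}

interface AuthDecision {
  allowed: boolean;
  source: "commands.allowFrom" | "channel.allowFrom";
}

// Compare IDs as trimmed strings so 12345 and "12345" match; drop blank entries.
const normalize = (ids: SenderId[]): Set<string> =>
  new Set(ids.map((id) => String(id).trim()).filter((id) => id.length > 0));

function authorizeCommand(cfg: AuthConfig, sender: SenderId): AuthDecision {
  const id = String(sender).trim();
  // When commands.allowFrom is configured it is the sole authorization source:
  // a miss here is a denial, with no fall-through to the channel allowlist.
  if (cfg.commandsAllowFrom !== undefined) {
    return {
      allowed: normalize(cfg.commandsAllowFrom).has(id),
      source: "commands.allowFrom",
    };
  }
  // Not configured: existing behaviour, the channel-level allowlist decides.
  return {
    allowed: normalize(cfg.channelAllowFrom ?? []).has(id),
    source: "channel.allowFrom",
  };
}

// Constructed sample configs and sender IDs.
const withCommands: AuthConfig = { commandsAllowFrom: [111], channelAllowFrom: ["222"] };
const channelOnly: AuthConfig = { channelAllowFrom: ["222"] };
const emptyCommands: AuthConfig = { commandsAllowFrom: [], channelAllowFrom: ["222"] };

console.log(authorizeCommand(withCommands, "111"), authorizeCommand(withCommands, 222));
```

Returning the deciding source alongside the verdict lets an audit log show which allowlist granted or denied a command.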