fix(tools): honor fsPolicy.workspaceOnly in image/pdf tool localRoots by justinhuangcode · Pull Request #31882 · openclaw/openclaw

justinhuangcode · 2026-03-02T16:21:48Z

Summary

Extends the tools.fs.workspaceOnly fix (originally applied to Write/Edit tools in fix(tools): honor tools.fs.workspaceOnly=false for host write/edit #28822) to the image and PDF tools
When fsPolicy.workspaceOnly is true, localRoots is restricted to only the workspace directory instead of unconditionally including default local roots (~/.openclaw/media, ~/.openclaw/agents, etc.)
Files outside the workspace are now correctly rejected by assertLocalMediaAllowed() in non-sandbox mode

Test plan

New test in image-tool.test.ts: verifies workspace image is allowed and outside-workspace image is rejected when workspaceOnly: true
New test in pdf-tool.test.ts: verifies outside-workspace PDF is rejected when workspaceOnly: true
All 27 image-tool tests pass
All 50 pdf-tool tests pass

Relates to #31716

🤖 Coded with Claude Code

greptile-apps · 2026-03-02T16:26:47Z

Greptile Summary

This PR extends the fsPolicy.workspaceOnly security fix to the image and PDF tools, preventing file access outside the workspace when the policy is enabled. The implementation correctly modifies the localRoots calculation in both tools to return only the workspace directory when workspaceOnly: true, rather than including default local roots like ~/.openclaw/media.

Key changes:

Modified localRoots logic in both image-tool.ts and pdf-tool.ts to check fsPolicy.workspaceOnly
When enabled, restricts file access to workspace directory only
Added test in image-tool.test.ts verifying both workspace files are allowed and outside files are rejected
Added test in pdf-tool.test.ts verifying outside files are rejected
Implementation is identical between both tools, ensuring consistency

The fix properly integrates with the existing assertLocalMediaAllowed() validation mechanism, which checks file paths against the provided localRoots array. This is the appropriate approach for read-only tools (vs. the different pattern used for Write/Edit tools in #28822).

Confidence Score: 5/5

This PR is safe to merge with minimal risk - it's a focused security fix with clear test coverage
The implementation is straightforward, correct, and consistent between both tools. The changes properly restrict file access when workspaceOnly: true by modifying the localRoots array, which is then validated by the existing assertLocalMediaAllowed() mechanism. Test coverage validates the security boundary works as expected. No issues or bugs identified.
No files require special attention

_{Last reviewed commit: 36939c9}

PR openclaw#28822 fixed the Write/Edit tools to respect `tools.fs.workspaceOnly`, but the image and PDF tools still unconditionally include default local roots (`~/.openclaw/media`, `~/.openclaw/agents`, etc.) when computing the `localRoots` allowlist for non-sandbox mode. When `fsPolicy.workspaceOnly` is true, restrict `localRoots` to only the workspace directory so that files outside the workspace are rejected by `assertLocalMediaAllowed()`. Relates to openclaw#31716 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@justinhuangcode

…w#31882) (thanks @justinhuangcode)

steipete · 2026-03-02T19:24:41Z

Landed via temp rebase onto main.

Gate: pnpm exec vitest run src/agents/tools/image-tool.test.ts src/agents/tools/pdf-tool.test.ts
Land commit: 745ce77
Merge commit: 4a2329e

Thanks @justinhuangcode!

@justinhuangcode

…w#31882) (thanks @justinhuangcode)

@afurm

* fix(plugins): fallback install entrypoints for legacy manifests * Voice Call: enforce exact webhook path match * Tests: isolate webhook path suite and reset cron auth state * chore: keep #31930 scoped to voice webhook path fix * fix: add changelog for exact voice webhook path match (#31930) (thanks @afurm) * fix: handle HTTP 529 (Anthropic overloaded) in failover error classification Classify Anthropic's 529 status code as "rate_limit" so model fallback triggers reliably without depending on fragile message-based detection. Closes #28502 * fix: add changelog for HTTP 529 failover classification (#31854) (thanks @bugkill3r) * fix(slack): guard against undefined text in includes calls during mention handling * fix: add changelog for mentions/slack null-safe guards (#31865) (thanks @stone-jin) * fix(memory-lancedb): pass dimensions to embedding API call - Add dimensions parameter to Embeddings constructor - Pass dimensions to OpenAI embeddings.create() API call - Fixes dimension mismatch when using custom embedding models like DashScope text-embedding-v4 * fix: add regression for memory-lancedb dimensions pass-through (#32036) (thanks @scotthuang) * fix(telegram): guard malformed native menu specs * fix: harden plugin command registration + telegram menu guard (#31997) (thanks @liuxiaopai-ai) * fix(gateway): restart heartbeat on model config changes * fix: add changelog credit for heartbeat model reload (#32046) (thanks @stakeswky) * test(process): replace no-output timer subprocess with spawn mock * test(perf): trim repeated setup in cron memory and config suites * test(perf): reduce per-case setup in script and git-hook tests * fix(slack): scope debounce key by message timestamp to prevent cross-thread collisions Top-level channel messages from the same sender shared a bare channel debounce key, causing concurrent messages in different threads to merge into a single reply on the wrong thread. Now the debounce key includes the message timestamp for top-level messages, matching how the downstream session layer already scopes by canonicalThreadId. Extracted buildSlackDebounceKey() for testability. Closes #31935 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: harden slack debounce key routing and ordering (#31951) (thanks @scoootscooob) * fix(openrouter): skip reasoning.effort injection for x-ai/grok models x-ai/grok models on OpenRouter do not support the reasoning.effort parameter and reject payloads containing it with "Invalid arguments passed to the model." Skip reasoning injection for these models, the same way we already skip it for the dynamic "auto" routing model. Closes #32039 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: add changelog credit for openrouter x-ai reasoning guard (#32054) (thanks @scoootscooob) * fix(agents): scope volcengine-plan/byteplus-plan auth lookup to profile resolution The configure flow stores auth credentials under `provider: "volcengine"`, but the coding model uses `volcengine-plan` as its provider. Add a scoped `normalizeProviderIdForAuth` function used only by `listProfilesForProvider` so coding-plan variants resolve to their base provider for auth credential lookup without affecting global provider routing. Closes #31731 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(tools): honor fsPolicy.workspaceOnly in image/pdf tool localRoots PR #28822 fixed the Write/Edit tools to respect `tools.fs.workspaceOnly`, but the image and PDF tools still unconditionally include default local roots (`~/.openclaw/media`, `~/.openclaw/agents`, etc.) when computing the `localRoots` allowlist for non-sandbox mode. When `fsPolicy.workspaceOnly` is true, restrict `localRoots` to only the workspace directory so that files outside the workspace are rejected by `assertLocalMediaAllowed()`. Relates to #31716 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: add changelog credit for fsPolicy image/pdf propagation (#31882) (thanks @justinhuangcode) * fix: skip Telegram command sync when menu is unchanged (#32017) Hash the command list and cache it to disk per account. On restart, compare the current hash against the cached one and skip the deleteMyCommands + setMyCommands round-trip when nothing changed. This prevents 429 rate-limit errors when the gateway restarts several times in quick succession. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(telegram): scope command-sync hash cache by bot identity (#32059) * fix: normalize coding-plan providers in auth order validation * feat(security): Harden Docker browser container chromium flags (#23889) (#31504) * Gateway: honor OPENCLAW_GATEWAY_URL override for remote/local calls * Agents: fix sandbox sessionKey usage for PI embedded subagent calls * Sandbox: tighten browser container Chromium runtime flags * fix: add sandbox browser defaults for container hardening * docs: expand sandbox browser default flags list * fix: make sandbox browser flags optional and preserve gateway env auth overrides * docs: scope PR 31504 changelog entry * style: format gateway call override handling * fix: dedupe sandbox browser chrome args * fix: preserve remote tls fingerprint for env gateway override * fix: enforce auth for env gateway URL override * chore: document gateway override auth security expectations * fix(delivery): strip HTML tags for plain-text messaging surfaces Models occasionally produce HTML tags in their output. While these render fine on web surfaces, they appear as literal text on WhatsApp, Signal, SMS, IRC, and Telegram. Add sanitizeForPlainText() utility that converts common inline HTML to lightweight-markup equivalents and strips remaining tags. Applied in the outbound delivery pipeline for non-HTML surfaces only. Closes #31884 See also: #18558 * fix(outbound): harden plain-text HTML sanitization paths (#32034) * fix(security): harden file installs and race-path tests * matrix: bootstrap crypto runtime when npm scripts are skipped * fix(matrix): keep plugin register sync while bootstrapping crypto runtime (#31989) * perf(runtime): reduce cron persistence and logger overhead * test(perf): use prebuilt plugin install archive fixtures * test(perf): increase guardrail scan read concurrency * fix(queue): restart drain when message enqueued after idle window After a drain loop empties the queue it deletes the key from FOLLOWUP_QUEUES. If a new message arrives at that moment enqueueFollowupRun creates a fresh queue object with draining:false but never starts a drain, leaving the message stranded until the next run completes and calls finalizeWithFollowup. Fix: persist the most recent runFollowup callback per queue key in FOLLOWUP_RUN_CALLBACKS (drain.ts). enqueueFollowupRun now calls kickFollowupDrainIfIdle after a successful push; if a cached callback exists and no drain is running it calls scheduleFollowupDrain to restart immediately. clearSessionQueues cleans up the callback cache alongside the queue state. * fix: avoid stale followup drain callbacks (#31902) (thanks @Lanfei) * fix(synology-chat): read cfg from outbound context so incomingUrl resolves * fix: require openclaw.extensions for plugin installs (#32055) (thanks @liuxiaopai-ai) --------- Co-authored-by: Andrii Furmanets <furmanets.andriy@gmail.com> Co-authored-by: Peter Steinberger <steipete@gmail.com> Co-authored-by: Saurabh <skmishra1991@gmail.com> Co-authored-by: stone-jin <1520006273@qq.com> Co-authored-by: scotthuang <scotthuang@tencent.com> Co-authored-by: User <user@example.com> Co-authored-by: scoootscooob <zhentongfan@gmail.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: justinhuangcode <justinhuangcode@users.noreply.github.com> Co-authored-by: Vincent Koc <vincentkoc@ieee.org> Co-authored-by: AytuncYildizli <cryptosquanch@gmail.com> Co-authored-by: bmendonca3 <bmendonca3@users.noreply.github.com> Co-authored-by: Jealous <CooLanfei@163.com> Co-authored-by: white-rm <zhang.xujin@xydigit.com>

@justinhuangcode

…w#31882) (thanks @justinhuangcode)

@afurm

* fix(plugins): fallback install entrypoints for legacy manifests * Voice Call: enforce exact webhook path match * Tests: isolate webhook path suite and reset cron auth state * chore: keep openclaw#31930 scoped to voice webhook path fix * fix: add changelog for exact voice webhook path match (openclaw#31930) (thanks @afurm) * fix: handle HTTP 529 (Anthropic overloaded) in failover error classification Classify Anthropic's 529 status code as "rate_limit" so model fallback triggers reliably without depending on fragile message-based detection. Closes openclaw#28502 * fix: add changelog for HTTP 529 failover classification (openclaw#31854) (thanks @bugkill3r) * fix(slack): guard against undefined text in includes calls during mention handling * fix: add changelog for mentions/slack null-safe guards (openclaw#31865) (thanks @stone-jin) * fix(memory-lancedb): pass dimensions to embedding API call - Add dimensions parameter to Embeddings constructor - Pass dimensions to OpenAI embeddings.create() API call - Fixes dimension mismatch when using custom embedding models like DashScope text-embedding-v4 * fix: add regression for memory-lancedb dimensions pass-through (openclaw#32036) (thanks @scotthuang) * fix(telegram): guard malformed native menu specs * fix: harden plugin command registration + telegram menu guard (openclaw#31997) (thanks @liuxiaopai-ai) * fix(gateway): restart heartbeat on model config changes * fix: add changelog credit for heartbeat model reload (openclaw#32046) (thanks @stakeswky) * test(process): replace no-output timer subprocess with spawn mock * test(perf): trim repeated setup in cron memory and config suites * test(perf): reduce per-case setup in script and git-hook tests * fix(slack): scope debounce key by message timestamp to prevent cross-thread collisions Top-level channel messages from the same sender shared a bare channel debounce key, causing concurrent messages in different threads to merge into a single reply on the wrong thread. Now the debounce key includes the message timestamp for top-level messages, matching how the downstream session layer already scopes by canonicalThreadId. Extracted buildSlackDebounceKey() for testability. Closes openclaw#31935 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: harden slack debounce key routing and ordering (openclaw#31951) (thanks @scoootscooob) * fix(openrouter): skip reasoning.effort injection for x-ai/grok models x-ai/grok models on OpenRouter do not support the reasoning.effort parameter and reject payloads containing it with "Invalid arguments passed to the model." Skip reasoning injection for these models, the same way we already skip it for the dynamic "auto" routing model. Closes openclaw#32039 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: add changelog credit for openrouter x-ai reasoning guard (openclaw#32054) (thanks @scoootscooob) * fix(agents): scope volcengine-plan/byteplus-plan auth lookup to profile resolution The configure flow stores auth credentials under `provider: "volcengine"`, but the coding model uses `volcengine-plan` as its provider. Add a scoped `normalizeProviderIdForAuth` function used only by `listProfilesForProvider` so coding-plan variants resolve to their base provider for auth credential lookup without affecting global provider routing. Closes openclaw#31731 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(tools): honor fsPolicy.workspaceOnly in image/pdf tool localRoots PR openclaw#28822 fixed the Write/Edit tools to respect `tools.fs.workspaceOnly`, but the image and PDF tools still unconditionally include default local roots (`~/.openclaw/media`, `~/.openclaw/agents`, etc.) when computing the `localRoots` allowlist for non-sandbox mode. When `fsPolicy.workspaceOnly` is true, restrict `localRoots` to only the workspace directory so that files outside the workspace are rejected by `assertLocalMediaAllowed()`. Relates to openclaw#31716 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: add changelog credit for fsPolicy image/pdf propagation (openclaw#31882) (thanks @justinhuangcode) * fix: skip Telegram command sync when menu is unchanged (openclaw#32017) Hash the command list and cache it to disk per account. On restart, compare the current hash against the cached one and skip the deleteMyCommands + setMyCommands round-trip when nothing changed. This prevents 429 rate-limit errors when the gateway restarts several times in quick succession. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(telegram): scope command-sync hash cache by bot identity (openclaw#32059) * fix: normalize coding-plan providers in auth order validation * feat(security): Harden Docker browser container chromium flags (openclaw#23889) (openclaw#31504) * Gateway: honor OPENCLAW_GATEWAY_URL override for remote/local calls * Agents: fix sandbox sessionKey usage for PI embedded subagent calls * Sandbox: tighten browser container Chromium runtime flags * fix: add sandbox browser defaults for container hardening * docs: expand sandbox browser default flags list * fix: make sandbox browser flags optional and preserve gateway env auth overrides * docs: scope PR 31504 changelog entry * style: format gateway call override handling * fix: dedupe sandbox browser chrome args * fix: preserve remote tls fingerprint for env gateway override * fix: enforce auth for env gateway URL override * chore: document gateway override auth security expectations * fix(delivery): strip HTML tags for plain-text messaging surfaces Models occasionally produce HTML tags in their output. While these render fine on web surfaces, they appear as literal text on WhatsApp, Signal, SMS, IRC, and Telegram. Add sanitizeForPlainText() utility that converts common inline HTML to lightweight-markup equivalents and strips remaining tags. Applied in the outbound delivery pipeline for non-HTML surfaces only. Closes openclaw#31884 See also: openclaw#18558 * fix(outbound): harden plain-text HTML sanitization paths (openclaw#32034) * fix(security): harden file installs and race-path tests * matrix: bootstrap crypto runtime when npm scripts are skipped * fix(matrix): keep plugin register sync while bootstrapping crypto runtime (openclaw#31989) * perf(runtime): reduce cron persistence and logger overhead * test(perf): use prebuilt plugin install archive fixtures * test(perf): increase guardrail scan read concurrency * fix(queue): restart drain when message enqueued after idle window After a drain loop empties the queue it deletes the key from FOLLOWUP_QUEUES. If a new message arrives at that moment enqueueFollowupRun creates a fresh queue object with draining:false but never starts a drain, leaving the message stranded until the next run completes and calls finalizeWithFollowup. Fix: persist the most recent runFollowup callback per queue key in FOLLOWUP_RUN_CALLBACKS (drain.ts). enqueueFollowupRun now calls kickFollowupDrainIfIdle after a successful push; if a cached callback exists and no drain is running it calls scheduleFollowupDrain to restart immediately. clearSessionQueues cleans up the callback cache alongside the queue state. * fix: avoid stale followup drain callbacks (openclaw#31902) (thanks @Lanfei) * fix(synology-chat): read cfg from outbound context so incomingUrl resolves * fix: require openclaw.extensions for plugin installs (openclaw#32055) (thanks @liuxiaopai-ai) --------- Co-authored-by: Andrii Furmanets <furmanets.andriy@gmail.com> Co-authored-by: Peter Steinberger <steipete@gmail.com> Co-authored-by: Saurabh <skmishra1991@gmail.com> Co-authored-by: stone-jin <1520006273@qq.com> Co-authored-by: scotthuang <scotthuang@tencent.com> Co-authored-by: User <user@example.com> Co-authored-by: scoootscooob <zhentongfan@gmail.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: justinhuangcode <justinhuangcode@users.noreply.github.com> Co-authored-by: Vincent Koc <vincentkoc@ieee.org> Co-authored-by: AytuncYildizli <cryptosquanch@gmail.com> Co-authored-by: bmendonca3 <bmendonca3@users.noreply.github.com> Co-authored-by: Jealous <CooLanfei@163.com> Co-authored-by: white-rm <zhang.xujin@xydigit.com>

justinhuangcode · 2026-03-02T20:35:00Z

Landed via temp rebase onto main.
Thanks @justinhuangcode!

Thanks for reviewing and landing!

@justinhuangcode

…w#31882) (thanks @justinhuangcode)

@afurm

* fix(plugins): fallback install entrypoints for legacy manifests * Voice Call: enforce exact webhook path match * Tests: isolate webhook path suite and reset cron auth state * chore: keep openclaw#31930 scoped to voice webhook path fix * fix: add changelog for exact voice webhook path match (openclaw#31930) (thanks @afurm) * fix: handle HTTP 529 (Anthropic overloaded) in failover error classification Classify Anthropic's 529 status code as "rate_limit" so model fallback triggers reliably without depending on fragile message-based detection. Closes openclaw#28502 * fix: add changelog for HTTP 529 failover classification (openclaw#31854) (thanks @bugkill3r) * fix(slack): guard against undefined text in includes calls during mention handling * fix: add changelog for mentions/slack null-safe guards (openclaw#31865) (thanks @stone-jin) * fix(memory-lancedb): pass dimensions to embedding API call - Add dimensions parameter to Embeddings constructor - Pass dimensions to OpenAI embeddings.create() API call - Fixes dimension mismatch when using custom embedding models like DashScope text-embedding-v4 * fix: add regression for memory-lancedb dimensions pass-through (openclaw#32036) (thanks @scotthuang) * fix(telegram): guard malformed native menu specs * fix: harden plugin command registration + telegram menu guard (openclaw#31997) (thanks @liuxiaopai-ai) * fix(gateway): restart heartbeat on model config changes * fix: add changelog credit for heartbeat model reload (openclaw#32046) (thanks @stakeswky) * test(process): replace no-output timer subprocess with spawn mock * test(perf): trim repeated setup in cron memory and config suites * test(perf): reduce per-case setup in script and git-hook tests * fix(slack): scope debounce key by message timestamp to prevent cross-thread collisions Top-level channel messages from the same sender shared a bare channel debounce key, causing concurrent messages in different threads to merge into a single reply on the wrong thread. Now the debounce key includes the message timestamp for top-level messages, matching how the downstream session layer already scopes by canonicalThreadId. Extracted buildSlackDebounceKey() for testability. Closes openclaw#31935 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: harden slack debounce key routing and ordering (openclaw#31951) (thanks @scoootscooob) * fix(openrouter): skip reasoning.effort injection for x-ai/grok models x-ai/grok models on OpenRouter do not support the reasoning.effort parameter and reject payloads containing it with "Invalid arguments passed to the model." Skip reasoning injection for these models, the same way we already skip it for the dynamic "auto" routing model. Closes openclaw#32039 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: add changelog credit for openrouter x-ai reasoning guard (openclaw#32054) (thanks @scoootscooob) * fix(agents): scope volcengine-plan/byteplus-plan auth lookup to profile resolution The configure flow stores auth credentials under `provider: "volcengine"`, but the coding model uses `volcengine-plan` as its provider. Add a scoped `normalizeProviderIdForAuth` function used only by `listProfilesForProvider` so coding-plan variants resolve to their base provider for auth credential lookup without affecting global provider routing. Closes openclaw#31731 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(tools): honor fsPolicy.workspaceOnly in image/pdf tool localRoots PR openclaw#28822 fixed the Write/Edit tools to respect `tools.fs.workspaceOnly`, but the image and PDF tools still unconditionally include default local roots (`~/.openclaw/media`, `~/.openclaw/agents`, etc.) when computing the `localRoots` allowlist for non-sandbox mode. When `fsPolicy.workspaceOnly` is true, restrict `localRoots` to only the workspace directory so that files outside the workspace are rejected by `assertLocalMediaAllowed()`. Relates to openclaw#31716 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: add changelog credit for fsPolicy image/pdf propagation (openclaw#31882) (thanks @justinhuangcode) * fix: skip Telegram command sync when menu is unchanged (openclaw#32017) Hash the command list and cache it to disk per account. On restart, compare the current hash against the cached one and skip the deleteMyCommands + setMyCommands round-trip when nothing changed. This prevents 429 rate-limit errors when the gateway restarts several times in quick succession. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(telegram): scope command-sync hash cache by bot identity (openclaw#32059) * fix: normalize coding-plan providers in auth order validation * feat(security): Harden Docker browser container chromium flags (openclaw#23889) (openclaw#31504) * Gateway: honor OPENCLAW_GATEWAY_URL override for remote/local calls * Agents: fix sandbox sessionKey usage for PI embedded subagent calls * Sandbox: tighten browser container Chromium runtime flags * fix: add sandbox browser defaults for container hardening * docs: expand sandbox browser default flags list * fix: make sandbox browser flags optional and preserve gateway env auth overrides * docs: scope PR 31504 changelog entry * style: format gateway call override handling * fix: dedupe sandbox browser chrome args * fix: preserve remote tls fingerprint for env gateway override * fix: enforce auth for env gateway URL override * chore: document gateway override auth security expectations * fix(delivery): strip HTML tags for plain-text messaging surfaces Models occasionally produce HTML tags in their output. While these render fine on web surfaces, they appear as literal text on WhatsApp, Signal, SMS, IRC, and Telegram. Add sanitizeForPlainText() utility that converts common inline HTML to lightweight-markup equivalents and strips remaining tags. Applied in the outbound delivery pipeline for non-HTML surfaces only. Closes openclaw#31884 See also: openclaw#18558 * fix(outbound): harden plain-text HTML sanitization paths (openclaw#32034) * fix(security): harden file installs and race-path tests * matrix: bootstrap crypto runtime when npm scripts are skipped * fix(matrix): keep plugin register sync while bootstrapping crypto runtime (openclaw#31989) * perf(runtime): reduce cron persistence and logger overhead * test(perf): use prebuilt plugin install archive fixtures * test(perf): increase guardrail scan read concurrency * fix(queue): restart drain when message enqueued after idle window After a drain loop empties the queue it deletes the key from FOLLOWUP_QUEUES. If a new message arrives at that moment enqueueFollowupRun creates a fresh queue object with draining:false but never starts a drain, leaving the message stranded until the next run completes and calls finalizeWithFollowup. Fix: persist the most recent runFollowup callback per queue key in FOLLOWUP_RUN_CALLBACKS (drain.ts). enqueueFollowupRun now calls kickFollowupDrainIfIdle after a successful push; if a cached callback exists and no drain is running it calls scheduleFollowupDrain to restart immediately. clearSessionQueues cleans up the callback cache alongside the queue state. * fix: avoid stale followup drain callbacks (openclaw#31902) (thanks @Lanfei) * fix(synology-chat): read cfg from outbound context so incomingUrl resolves * fix: require openclaw.extensions for plugin installs (openclaw#32055) (thanks @liuxiaopai-ai) --------- Co-authored-by: Andrii Furmanets <furmanets.andriy@gmail.com> Co-authored-by: Peter Steinberger <steipete@gmail.com> Co-authored-by: Saurabh <skmishra1991@gmail.com> Co-authored-by: stone-jin <1520006273@qq.com> Co-authored-by: scotthuang <scotthuang@tencent.com> Co-authored-by: User <user@example.com> Co-authored-by: scoootscooob <zhentongfan@gmail.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: justinhuangcode <justinhuangcode@users.noreply.github.com> Co-authored-by: Vincent Koc <vincentkoc@ieee.org> Co-authored-by: AytuncYildizli <cryptosquanch@gmail.com> Co-authored-by: bmendonca3 <bmendonca3@users.noreply.github.com> Co-authored-by: Jealous <CooLanfei@163.com> Co-authored-by: white-rm <zhang.xujin@xydigit.com>

@justinhuangcode

…w#31882) (thanks @justinhuangcode)

@afurm

* fix(plugins): fallback install entrypoints for legacy manifests * Voice Call: enforce exact webhook path match * Tests: isolate webhook path suite and reset cron auth state * chore: keep openclaw#31930 scoped to voice webhook path fix * fix: add changelog for exact voice webhook path match (openclaw#31930) (thanks @afurm) * fix: handle HTTP 529 (Anthropic overloaded) in failover error classification Classify Anthropic's 529 status code as "rate_limit" so model fallback triggers reliably without depending on fragile message-based detection. Closes openclaw#28502 * fix: add changelog for HTTP 529 failover classification (openclaw#31854) (thanks @bugkill3r) * fix(slack): guard against undefined text in includes calls during mention handling * fix: add changelog for mentions/slack null-safe guards (openclaw#31865) (thanks @stone-jin) * fix(memory-lancedb): pass dimensions to embedding API call - Add dimensions parameter to Embeddings constructor - Pass dimensions to OpenAI embeddings.create() API call - Fixes dimension mismatch when using custom embedding models like DashScope text-embedding-v4 * fix: add regression for memory-lancedb dimensions pass-through (openclaw#32036) (thanks @scotthuang) * fix(telegram): guard malformed native menu specs * fix: harden plugin command registration + telegram menu guard (openclaw#31997) (thanks @liuxiaopai-ai) * fix(gateway): restart heartbeat on model config changes * fix: add changelog credit for heartbeat model reload (openclaw#32046) (thanks @stakeswky) * test(process): replace no-output timer subprocess with spawn mock * test(perf): trim repeated setup in cron memory and config suites * test(perf): reduce per-case setup in script and git-hook tests * fix(slack): scope debounce key by message timestamp to prevent cross-thread collisions Top-level channel messages from the same sender shared a bare channel debounce key, causing concurrent messages in different threads to merge into a single reply on the wrong thread. Now the debounce key includes the message timestamp for top-level messages, matching how the downstream session layer already scopes by canonicalThreadId. Extracted buildSlackDebounceKey() for testability. Closes openclaw#31935 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: harden slack debounce key routing and ordering (openclaw#31951) (thanks @scoootscooob) * fix(openrouter): skip reasoning.effort injection for x-ai/grok models x-ai/grok models on OpenRouter do not support the reasoning.effort parameter and reject payloads containing it with "Invalid arguments passed to the model." Skip reasoning injection for these models, the same way we already skip it for the dynamic "auto" routing model. Closes openclaw#32039 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: add changelog credit for openrouter x-ai reasoning guard (openclaw#32054) (thanks @scoootscooob) * fix(agents): scope volcengine-plan/byteplus-plan auth lookup to profile resolution The configure flow stores auth credentials under `provider: "volcengine"`, but the coding model uses `volcengine-plan` as its provider. Add a scoped `normalizeProviderIdForAuth` function used only by `listProfilesForProvider` so coding-plan variants resolve to their base provider for auth credential lookup without affecting global provider routing. Closes openclaw#31731 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(tools): honor fsPolicy.workspaceOnly in image/pdf tool localRoots PR openclaw#28822 fixed the Write/Edit tools to respect `tools.fs.workspaceOnly`, but the image and PDF tools still unconditionally include default local roots (`~/.openclaw/media`, `~/.openclaw/agents`, etc.) when computing the `localRoots` allowlist for non-sandbox mode. When `fsPolicy.workspaceOnly` is true, restrict `localRoots` to only the workspace directory so that files outside the workspace are rejected by `assertLocalMediaAllowed()`. Relates to openclaw#31716 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: add changelog credit for fsPolicy image/pdf propagation (openclaw#31882) (thanks @justinhuangcode) * fix: skip Telegram command sync when menu is unchanged (openclaw#32017) Hash the command list and cache it to disk per account. On restart, compare the current hash against the cached one and skip the deleteMyCommands + setMyCommands round-trip when nothing changed. This prevents 429 rate-limit errors when the gateway restarts several times in quick succession. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(telegram): scope command-sync hash cache by bot identity (openclaw#32059) * fix: normalize coding-plan providers in auth order validation * feat(security): Harden Docker browser container chromium flags (openclaw#23889) (openclaw#31504) * Gateway: honor OPENCLAW_GATEWAY_URL override for remote/local calls * Agents: fix sandbox sessionKey usage for PI embedded subagent calls * Sandbox: tighten browser container Chromium runtime flags * fix: add sandbox browser defaults for container hardening * docs: expand sandbox browser default flags list * fix: make sandbox browser flags optional and preserve gateway env auth overrides * docs: scope PR 31504 changelog entry * style: format gateway call override handling * fix: dedupe sandbox browser chrome args * fix: preserve remote tls fingerprint for env gateway override * fix: enforce auth for env gateway URL override * chore: document gateway override auth security expectations * fix(delivery): strip HTML tags for plain-text messaging surfaces Models occasionally produce HTML tags in their output. While these render fine on web surfaces, they appear as literal text on WhatsApp, Signal, SMS, IRC, and Telegram. Add sanitizeForPlainText() utility that converts common inline HTML to lightweight-markup equivalents and strips remaining tags. Applied in the outbound delivery pipeline for non-HTML surfaces only. Closes openclaw#31884 See also: openclaw#18558 * fix(outbound): harden plain-text HTML sanitization paths (openclaw#32034) * fix(security): harden file installs and race-path tests * matrix: bootstrap crypto runtime when npm scripts are skipped * fix(matrix): keep plugin register sync while bootstrapping crypto runtime (openclaw#31989) * perf(runtime): reduce cron persistence and logger overhead * test(perf): use prebuilt plugin install archive fixtures * test(perf): increase guardrail scan read concurrency * fix(queue): restart drain when message enqueued after idle window After a drain loop empties the queue it deletes the key from FOLLOWUP_QUEUES. If a new message arrives at that moment enqueueFollowupRun creates a fresh queue object with draining:false but never starts a drain, leaving the message stranded until the next run completes and calls finalizeWithFollowup. Fix: persist the most recent runFollowup callback per queue key in FOLLOWUP_RUN_CALLBACKS (drain.ts). enqueueFollowupRun now calls kickFollowupDrainIfIdle after a successful push; if a cached callback exists and no drain is running it calls scheduleFollowupDrain to restart immediately. clearSessionQueues cleans up the callback cache alongside the queue state. * fix: avoid stale followup drain callbacks (openclaw#31902) (thanks @Lanfei) * fix(synology-chat): read cfg from outbound context so incomingUrl resolves * fix: require openclaw.extensions for plugin installs (openclaw#32055) (thanks @liuxiaopai-ai) --------- Co-authored-by: Andrii Furmanets <furmanets.andriy@gmail.com> Co-authored-by: Peter Steinberger <steipete@gmail.com> Co-authored-by: Saurabh <skmishra1991@gmail.com> Co-authored-by: stone-jin <1520006273@qq.com> Co-authored-by: scotthuang <scotthuang@tencent.com> Co-authored-by: User <user@example.com> Co-authored-by: scoootscooob <zhentongfan@gmail.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: justinhuangcode <justinhuangcode@users.noreply.github.com> Co-authored-by: Vincent Koc <vincentkoc@ieee.org> Co-authored-by: AytuncYildizli <cryptosquanch@gmail.com> Co-authored-by: bmendonca3 <bmendonca3@users.noreply.github.com> Co-authored-by: Jealous <CooLanfei@163.com> Co-authored-by: white-rm <zhang.xujin@xydigit.com>

@justinhuangcode

…w#31882) (thanks @justinhuangcode)

@afurm

* fix(plugins): fallback install entrypoints for legacy manifests * Voice Call: enforce exact webhook path match * Tests: isolate webhook path suite and reset cron auth state * chore: keep openclaw#31930 scoped to voice webhook path fix * fix: add changelog for exact voice webhook path match (openclaw#31930) (thanks @afurm) * fix: handle HTTP 529 (Anthropic overloaded) in failover error classification Classify Anthropic's 529 status code as "rate_limit" so model fallback triggers reliably without depending on fragile message-based detection. Closes openclaw#28502 * fix: add changelog for HTTP 529 failover classification (openclaw#31854) (thanks @bugkill3r) * fix(slack): guard against undefined text in includes calls during mention handling * fix: add changelog for mentions/slack null-safe guards (openclaw#31865) (thanks @stone-jin) * fix(memory-lancedb): pass dimensions to embedding API call - Add dimensions parameter to Embeddings constructor - Pass dimensions to OpenAI embeddings.create() API call - Fixes dimension mismatch when using custom embedding models like DashScope text-embedding-v4 * fix: add regression for memory-lancedb dimensions pass-through (openclaw#32036) (thanks @scotthuang) * fix(telegram): guard malformed native menu specs * fix: harden plugin command registration + telegram menu guard (openclaw#31997) (thanks @liuxiaopai-ai) * fix(gateway): restart heartbeat on model config changes * fix: add changelog credit for heartbeat model reload (openclaw#32046) (thanks @stakeswky) * test(process): replace no-output timer subprocess with spawn mock * test(perf): trim repeated setup in cron memory and config suites * test(perf): reduce per-case setup in script and git-hook tests * fix(slack): scope debounce key by message timestamp to prevent cross-thread collisions Top-level channel messages from the same sender shared a bare channel debounce key, causing concurrent messages in different threads to merge into a single reply on the wrong thread. Now the debounce key includes the message timestamp for top-level messages, matching how the downstream session layer already scopes by canonicalThreadId. Extracted buildSlackDebounceKey() for testability. Closes openclaw#31935 * fix: harden slack debounce key routing and ordering (openclaw#31951) (thanks @scoootscooob) * fix(openrouter): skip reasoning.effort injection for x-ai/grok models x-ai/grok models on OpenRouter do not support the reasoning.effort parameter and reject payloads containing it with "Invalid arguments passed to the model." Skip reasoning injection for these models, the same way we already skip it for the dynamic "auto" routing model. Closes openclaw#32039 * fix: add changelog credit for openrouter x-ai reasoning guard (openclaw#32054) (thanks @scoootscooob) * fix(agents): scope volcengine-plan/byteplus-plan auth lookup to profile resolution The configure flow stores auth credentials under `provider: "volcengine"`, but the coding model uses `volcengine-plan` as its provider. Add a scoped `normalizeProviderIdForAuth` function used only by `listProfilesForProvider` so coding-plan variants resolve to their base provider for auth credential lookup without affecting global provider routing. Closes openclaw#31731 * fix(tools): honor fsPolicy.workspaceOnly in image/pdf tool localRoots PR openclaw#28822 fixed the Write/Edit tools to respect `tools.fs.workspaceOnly`, but the image and PDF tools still unconditionally include default local roots (`~/.openclaw/media`, `~/.openclaw/agents`, etc.) when computing the `localRoots` allowlist for non-sandbox mode. When `fsPolicy.workspaceOnly` is true, restrict `localRoots` to only the workspace directory so that files outside the workspace are rejected by `assertLocalMediaAllowed()`. Relates to openclaw#31716 * fix: add changelog credit for fsPolicy image/pdf propagation (openclaw#31882) (thanks @justinhuangcode) * fix: skip Telegram command sync when menu is unchanged (openclaw#32017) Hash the command list and cache it to disk per account. On restart, compare the current hash against the cached one and skip the deleteMyCommands + setMyCommands round-trip when nothing changed. This prevents 429 rate-limit errors when the gateway restarts several times in quick succession. * fix(telegram): scope command-sync hash cache by bot identity (openclaw#32059) * fix: normalize coding-plan providers in auth order validation * feat(security): Harden Docker browser container chromium flags (openclaw#23889) (openclaw#31504) * Gateway: honor OPENCLAW_GATEWAY_URL override for remote/local calls * Agents: fix sandbox sessionKey usage for PI embedded subagent calls * Sandbox: tighten browser container Chromium runtime flags * fix: add sandbox browser defaults for container hardening * docs: expand sandbox browser default flags list * fix: make sandbox browser flags optional and preserve gateway env auth overrides * docs: scope PR 31504 changelog entry * style: format gateway call override handling * fix: dedupe sandbox browser chrome args * fix: preserve remote tls fingerprint for env gateway override * fix: enforce auth for env gateway URL override * chore: document gateway override auth security expectations * fix(delivery): strip HTML tags for plain-text messaging surfaces Models occasionally produce HTML tags in their output. While these render fine on web surfaces, they appear as literal text on WhatsApp, Signal, SMS, IRC, and Telegram. Add sanitizeForPlainText() utility that converts common inline HTML to lightweight-markup equivalents and strips remaining tags. Applied in the outbound delivery pipeline for non-HTML surfaces only. Closes openclaw#31884 See also: openclaw#18558 * fix(outbound): harden plain-text HTML sanitization paths (openclaw#32034) * fix(security): harden file installs and race-path tests * matrix: bootstrap crypto runtime when npm scripts are skipped * fix(matrix): keep plugin register sync while bootstrapping crypto runtime (openclaw#31989) * perf(runtime): reduce cron persistence and logger overhead * test(perf): use prebuilt plugin install archive fixtures * test(perf): increase guardrail scan read concurrency * fix(queue): restart drain when message enqueued after idle window After a drain loop empties the queue it deletes the key from FOLLOWUP_QUEUES. If a new message arrives at that moment enqueueFollowupRun creates a fresh queue object with draining:false but never starts a drain, leaving the message stranded until the next run completes and calls finalizeWithFollowup. Fix: persist the most recent runFollowup callback per queue key in FOLLOWUP_RUN_CALLBACKS (drain.ts). enqueueFollowupRun now calls kickFollowupDrainIfIdle after a successful push; if a cached callback exists and no drain is running it calls scheduleFollowupDrain to restart immediately. clearSessionQueues cleans up the callback cache alongside the queue state. * fix: avoid stale followup drain callbacks (openclaw#31902) (thanks @Lanfei) * fix(synology-chat): read cfg from outbound context so incomingUrl resolves * fix: require openclaw.extensions for plugin installs (openclaw#32055) (thanks @liuxiaopai-ai) --------- Co-authored-by: Andrii Furmanets <furmanets.andriy@gmail.com> Co-authored-by: Peter Steinberger <steipete@gmail.com> Co-authored-by: Saurabh <skmishra1991@gmail.com> Co-authored-by: stone-jin <1520006273@qq.com> Co-authored-by: scotthuang <scotthuang@tencent.com> Co-authored-by: User <user@example.com> Co-authored-by: scoootscooob <zhentongfan@gmail.com> Co-authored-by: justinhuangcode <justinhuangcode@users.noreply.github.com> Co-authored-by: Vincent Koc <vincentkoc@ieee.org> Co-authored-by: AytuncYildizli <cryptosquanch@gmail.com> Co-authored-by: bmendonca3 <bmendonca3@users.noreply.github.com> Co-authored-by: Jealous <CooLanfei@163.com> Co-authored-by: white-rm <zhang.xujin@xydigit.com>

openclaw-barnacle bot added agents Agent runtime and tooling size: S trusted-contributor labels Mar 2, 2026

justinhuangcode force-pushed the fix/image-pdf-workspace-only-propagation branch 2 times, most recently from 367739e to f95992c Compare March 2, 2026 17:05

justinhuangcode and others added 2 commits March 2, 2026 19:23

fix: add changelog credit for fsPolicy image/pdf propagation (opencla…

745ce77

…w#31882) (thanks @justinhuangcode)

steipete force-pushed the fix/image-pdf-workspace-only-propagation branch from f95992c to 745ce77 Compare March 2, 2026 19:24

steipete merged commit 4a2329e into openclaw:main Mar 2, 2026
2 checks passed

steipete added a commit to liuxiaopai-ai/openclaw that referenced this pull request Mar 2, 2026

fix: add changelog credit for fsPolicy image/pdf propagation (opencla…

e2ceaca

…w#31882) (thanks @justinhuangcode)

execute008 pushed a commit to execute008/openclaw that referenced this pull request Mar 2, 2026

fix: add changelog credit for fsPolicy image/pdf propagation (opencla…

601e8c6

…w#31882) (thanks @justinhuangcode)

justinhuangcode deleted the fix/image-pdf-workspace-only-propagation branch March 2, 2026 20:24

dawi369 pushed a commit to dawi369/davis that referenced this pull request Mar 3, 2026

fix: add changelog credit for fsPolicy image/pdf propagation (opencla…

7eda8af

…w#31882) (thanks @justinhuangcode)

OWALabuy pushed a commit to kcinzgg/openclaw that referenced this pull request Mar 4, 2026

fix: add changelog credit for fsPolicy image/pdf propagation (opencla…

20b9a32

…w#31882) (thanks @justinhuangcode)

zooqueen pushed a commit to hanzoai/bot that referenced this pull request Mar 6, 2026

fix: add changelog credit for fsPolicy image/pdf propagation (opencla…

59f2235

…w#31882) (thanks @justinhuangcode)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(tools): honor fsPolicy.workspaceOnly in image/pdf tool localRoots#31882

fix(tools): honor fsPolicy.workspaceOnly in image/pdf tool localRoots#31882
steipete merged 2 commits intoopenclaw:mainfrom
justinhuangcode:fix/image-pdf-workspace-only-propagation

justinhuangcode commented Mar 2, 2026 •

edited

Loading

Uh oh!

greptile-apps bot commented Mar 2, 2026

Uh oh!

Uh oh!

steipete commented Mar 2, 2026

Uh oh!

justinhuangcode commented Mar 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

Conversation

justinhuangcode commented Mar 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Test plan

Uh oh!

greptile-apps bot commented Mar 2, 2026

Greptile Summary

Confidence Score: 5/5

Uh oh!

Uh oh!

steipete commented Mar 2, 2026

Uh oh!

justinhuangcode commented Mar 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

justinhuangcode commented Mar 2, 2026 •

edited

Loading