fix(voice-call): close webhook in-flight limiter fail-open on empty remote address#74453
Merged
clawsweeper[bot] merged 3 commits intoopenclaw:mainfrom Apr 30, 2026
Conversation
Contributor
Greptile SummaryThis PR fixes two places where the shared in-flight limiter was silently bypassed: the voice-call webhook was using an empty Confidence Score: 4/5Safe to merge; the core bug fixes are correct and the only remaining concern is a minor key-granularity issue in the Google Chat handler. Both changes correctly close the fail-open paths in the in-flight limiter. The only finding is P2: the Google Chat key embeds the full URL including query string rather than just the pathname, which could fragment rate-limit buckets under adversarial query-string variation. This does not break the limiter but weakens its effectiveness. extensions/googlechat/src/monitor-webhook.ts — verify whether per-pathname or per-full-URL keying is intended. Prompt To Fix All With AIThis is a comment left during a code review.
Path: extensions/googlechat/src/monitor-webhook.ts
Line: 194
Comment:
**Key includes query string, not just path**
The comment says "per-path", but `req.url` in Node.js includes the full query string. Each unique query-string combination gets its own 8-slot in-flight bucket, so a caller sending requests with varying query parameters will never be capped by a single bucket. Stripping the query string — e.g. via `(req.url ?? "/").split("?")[0]` — would match the documented intent and keep the key space bounded to the number of actual webhook paths.
How can I resolve this? If you propose a fix, please make it concise.Reviews (1): Last reviewed commit: "fix(googlechat): wire missing inFlightKe..." | Re-trigger Greptile |
Contributor
|
Codex review: passed for ClawSweeper automerge. What this changes: The PR changes the voice-call webhook pipeline to use a logged, constant non-empty fallback in-flight limiter key when socket remote-address metadata is missing, adds regression coverage, updates the changelog, and aligns one changed-test routing expectation. Automerge follow-up: No separate repair lane is appropriate because this active implementation PR is narrow, reviewed, and green; the remaining action is normal automerge or maintainer merge. Security review: Security review cleared: The diff narrows a pre-auth webhook limiter bypass and only changes TypeScript source/tests plus changelog/test-routing text; it does not add dependencies, workflows, lockfiles, secret handling, downloads, or command execution paths. Review detailsBest possible solution: Land the focused voice-call fallback-key fix with its regression test and changelog entry, and keep any broader change to the shared SDK empty-key opt-out contract as a separate hardening discussion. What I checked:
Likely related people:
Codex review notes: model gpt-5.5, reasoning high; reviewed against 5a631e1ee9fa. |
dc66a74 to
be55bfd
Compare
Contributor
|
Codex review: needs maintainer review before merge. What this changes: The PR updates the voice-call webhook pipeline to use a logged constant fallback in-flight limiter key when Maintainer follow-up before merge: This is an active external implementation PR whose latest diff appears narrow and correct; the next action is maintainer review, CI, and a decision on whether to require a regression test, not a separate ClawSweeper repair branch. Review detailsBest possible solution: Land the narrow voice-call fallback-key fix after maintainer validation, ideally with a focused missing-remote-address regression test if the test seam is acceptable. Keep the shared SDK empty-key opt-out contract and unrelated channel behavior out of this PR unless a separate API hardening decision is made. Acceptance criteria:
What I checked:
Likely related people:
Remaining risk / open question:
Codex review notes: model gpt-5.5, reasoning high; reviewed against e8b82d1cf92f. |
Contributor
|
/clawsweeper automerge |
Contributor
|
ClawSweeper automerge is enabled for this PR. I added A maintainer can pause this with |
Contributor
|
Codex review: needs maintainer review before merge. What this changes: The PR changes the voice-call webhook pipeline to log missing Maintainer follow-up before merge: No separate repair lane is needed; this is an active implementation PR whose latest patch appears narrow and correct, so the remaining action is normal CI/automerge or maintainer validation. Review detailsBest possible solution: Land the focused voice-call fallback-key fix after normal CI/automerge validation, ideally with a small regression test for missing remote-address requests if maintainers accept the private-method test seam. Keep the shared SDK empty-key opt-out contract and unrelated channels out of this PR. What I checked:
Likely related people:
Remaining risk / open question:
Codex review notes: model gpt-5.5, reasoning high; reviewed against e46dccb35374. |
Contributor
|
ClawSweeper is pausing automerge for human review. Source: I added |
Contributor
|
Codex review: passed for ClawSweeper automerge. What this changes: The PR changes Automerge follow-up: No separate repair lane is appropriate because this is an active implementation PR with maintainer automerge enabled and no blocking Codex finding on the latest narrow diff. Review detailsBest possible solution: Land the focused voice-call fallback-key change after CI/automerge validation, ideally with a small missing-remote-address regression test if maintainers accept the private-method seam; leave the shared SDK empty-key opt-out contract and unrelated channels out of this PR. What I checked:
Likely related people:
Remaining risk / open question:
Codex review notes: model gpt-5.5, reasoning high; reviewed against df0074768c97. |
Contributor
|
/clawsweeper re-review |
Contributor
|
🦞🦞 I asked ClawSweeper to review this item again. |
Contributor
|
🦞🦞 Source: I added |
Contributor
|
🦞🦞 Source: I left the PR open for the remaining gate instead of bypassing it. |
be55bfd to
db493ed
Compare
db493ed to
875bdcc
Compare
875bdcc to
673a6fe
Compare
Contributor
|
🦞🦞 Source: I left the PR open for the remaining gate instead of bypassing it. |
673a6fe to
8f46c21
Compare
cd49b04 to
6132046
Compare
32e9807 to
a82a6bd
Compare
a82a6bd to
e4e8b26
Compare
…dress
The webhook in-flight limiter (createWebhookInFlightLimiter in
src/plugin-sdk/webhook-request-guards.ts) returns true unconditionally
when tryAcquire is called with an empty key — that is its by-contract
fail-open path used to mean 'caller is opting out of the limiter'.
The voice-call webhook handler reached that path silently: it computed
'req.socket.remoteAddress ?? ""' and passed the empty string straight
into tryAcquire. Whenever req.socket.remoteAddress was absent (closed
socket, edge proxy quirk), the limiter became a no-op and the request
proceeded directly to readBody without any concurrency cap.
Fix: when remoteAddress is missing, log a warning and fall back to a
constant non-empty key ('__voice_call_no_remote__') so all such
requests share one in-flight bucket instead of bypassing the limiter
entirely. The bucket size stays maxInFlightPerKey (default 8), which
is the right defense-in-depth posture against slow-body attacks
arriving with stripped IP info.
Scoped to voice-call only. Other consumers of the SDK helper
(bluebubbles via openclaw/plugin-sdk/webhook-ingress) are not changed
to avoid drive-by edits to plugins this PR does not own. The shared
SDK contract (empty key = bypass) is left as-is and documented
implicitly by the fix's comment block.
The existing 8-concurrent test in webhook.test.ts continues to assert
the limiter engages on the happy path; no new test added since the
private handleRequest path is not unit-test exposed and the change is
two-line auditable from the diff alone.
e4e8b26 to
f1367a7
Compare
Contributor
|
@clawsweeper automerge |
Contributor
|
🦞🦞 I added Draft PRs stay fix-only until GitHub marks them ready for review. A maintainer can pause this with |
Contributor
|
@clawsweeper automerge |
Contributor
|
🦞🦞 Source: The automerge loop is complete. |
sragss
added a commit
to Merit-Systems/openclaw
that referenced
this pull request
May 1, 2026
* docs: refresh plugin sdk api baseline
* fix(google): support Vertex authorized_user ADC
* fix(cli): scope packaged compile cache
* test: align model list expectations
* changelog: Add inferred follow-up commitments for agents
Move commitment changelog entry to unreleased.
* test: avoid volatile model availability assertions
* feat: default active steering to batched delivery
* test(plugins): align release validation fixtures
* docs(config): document queue backlog alias
* refactor(channels): finish turn kernel migration
* fix(test): configure kitchen sink before enable
* fix(msteams): accept conversation id allowlists
* fix: changed explicit-path handling regression (#74672)
* fix: changed explicit-path handling regression
* fix: preserve unicode adc fallback paths
---------
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
Co-authored-by: Shakker <shakkerdroid@gmail.com>
* test: cover sdk gateway integration
* docs: clarify app sdk documentation
* test: align sdk gateway event e2e
* fix(discord): cool down Cloudflare 429 responses
* fix(discord): bound application summary probes
* fix(discord): allow configured application ids
* docs(discord): clarify application id account scope
* docs(discord): tag Cloudflare cooldown changelog
* fix(docs): bound i18n codex prompt cleanup
* fix: compatibility gaps in the new Google Vertex ADC manifest evidence
Tighten Google Vertex ADC manifest evidence to canonical project env vars and canonical ADC fallback paths only.
Local proof:
- OPENCLAW_VITEST_MAX_WORKERS=1 pnpm test src/agents/model-auth.profiles.test.ts src/plugins/manifest-registry.test.ts src/secrets/provider-env-vars.dynamic.test.ts
- pnpm exec oxfmt --check --threads=1 docs/plugins/manifest.md extensions/google/openclaw.plugin.json src/agents/model-auth-env.ts src/agents/model-auth.profiles.test.ts src/plugins/manifest.ts
- git diff --check origin/main...HEAD
CI note: checks-node-core-support-boundary was red on an unrelated tooling assertion in test/scripts/test-projects.test.ts for packages/sdk/src/index.test.ts routing; that file and scripts/test-projects.mjs are unchanged from origin/main.
* test(sdk): remove redundant fake transport cast
* fix(status): resolve packaged channel setup loader
* docs: document shipped app sdk
* docs: update clawsweeper automerge workflow
* fix(voice-call): close webhook in-flight limiter fail-open on empty remote address (#74453)
* fix(voice-call): close in-flight limiter fail-open on empty remote address
The webhook in-flight limiter (createWebhookInFlightLimiter in
src/plugin-sdk/webhook-request-guards.ts) returns true unconditionally
when tryAcquire is called with an empty key — that is its by-contract
fail-open path used to mean 'caller is opting out of the limiter'.
The voice-call webhook handler reached that path silently: it computed
'req.socket.remoteAddress ?? ""' and passed the empty string straight
into tryAcquire. Whenever req.socket.remoteAddress was absent (closed
socket, edge proxy quirk), the limiter became a no-op and the request
proceeded directly to readBody without any concurrency cap.
Fix: when remoteAddress is missing, log a warning and fall back to a
constant non-empty key ('__voice_call_no_remote__') so all such
requests share one in-flight bucket instead of bypassing the limiter
entirely. The bucket size stays maxInFlightPerKey (default 8), which
is the right defense-in-depth posture against slow-body attacks
arriving with stripped IP info.
Scoped to voice-call only. Other consumers of the SDK helper
(bluebubbles via openclaw/plugin-sdk/webhook-ingress) are not changed
to avoid drive-by edits to plugins this PR does not own. The shared
SDK contract (empty key = bypass) is left as-is and documented
implicitly by the fix's comment block.
The existing 8-concurrent test in webhook.test.ts continues to assert
the limiter engages on the happy path; no new test added since the
private handleRequest path is not unit-test exposed and the change is
two-line auditable from the diff alone.
* test(voice-call): cover missing webhook remote address limiter
* test: align changed package sdk routing
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
* fix(models): unconditionally suppress stale openai-codex/gpt-5.4-mini inline entries (#74451) (#74655)
* fix(models): block stale openai-codex/gpt-5.4-mini inline entries via unconditional suppression (#74451)
Suppress explicitly user-configured openai-codex/gpt-5.4-mini inline entries
so a stale models config written by `openclaw doctor --fix` cannot bypass the
manifest capability block and cause repeated assistant-turn failures when the
runtime switches to that model on ChatGPT-backed Codex accounts.
Adds `unconditionalOnly` flag to `buildManifestBuiltInModelSuppressionResolver`
and a `shouldUnconditionallySuppress` helper. Inside `resolveExplicitModelWithRegistry`,
inline matches are now gated on unconditional suppressions (no `when` clause)
before returning. Conditional suppressions such as the qwen Coding Plan endpoint
guard remain bypassable by explicit user configuration, preserving the existing
`resolves explicitly configured qwen3.6-plus before Coding Plan built-in suppression`
behaviour.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(changelog): add missing reporter attribution for #74451 models suppression fix
* docs: credit codex mini suppression contributors
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Shakker <shakkerdroid@gmail.com>
* test(scripts): align changed sdk routing expectation
* docs: document clawsweeper changelog gate
* docs: explain security autofix boundary
* fix(docs): allow partial i18n doc batches
* fix: refresh Google Meet speech retry readiness
* refactor(channels): share turn dispatch results
* test(core): stabilize changed gate mocks
* fix: harden slack command menus
* fix(codex): flush pending steering on completion
* chore: ignore Google OAuth client secrets
* docs(changelog): backfill last-24h sidebar trigger entry
For 323985f4ca (Val Alexander/@BunsDev): adds a Control UI/exports
entry covering the sidebar-trigger affordance alignment across the
resizable divider, mobile layout, and exported-HTML transcript template.
The other Val/@BunsDev fix (b1c515270e) was already covered by the
existing "Control UI/mobile: persist mobile chat settings" entry.
The rest of the last 24h's missing-CHANGELOG candidates are either:
- already covered by adjacent entries (Shakker manifest auth-evidence
series under "CLI/models: keep manifest auth-evidence credentials
visible", Discord application id + Cloudflare 429 under "Channels/
Discord: cool down Cloudflare/Error 1015 HTML 429", config patch
follow-ups under "Plugins/runtime-deps: add openclaw plugins deps",
etc.);
- internal/test/CI/refactor with no operator surface;
- Clawsweeper-bot self-fixes for already-merged PRs;
- Peter-only with no external collaborator (per the
attribution rule against thanking @steipete).
* fix(plugins): use tokenjuice published openclaw types
* chore(ci): add CodeQL PR security guard
Runs the narrow CodeQL critical-security matrix on non-draft pull requests for code and workflow security-boundary changes.
* fix: harden slack interactive blocks
* fix: mirror sqlite-vec for bundled memory runtime
* fix: bound slack interactive button urls
* fix(gateway): bound discovery advertise startup
* fix(gateway): refresh model catalog off request path
* fix(feishu): fallback to media resource download (#73986) (thanks @alex-xuweilong)
* test: cover app sdk gateway surfaces
* fix(amazon-bedrock): expose Opus 4.7 thinking profile
* fix(whatsapp): track provider-accepted auto-replies
* fix: bound slack command confirm text
* refactor(channels): move more turn policy into kernel
* fix(plugins): repair incomplete runtime-deps mirrors
* fix(bonjour): cap flapping advertiser restarts
* fix: bound slack approval metadata
* fix: interpolate heartbeat response prefix templates (#73996) (thanks @yweiii and @JunJD)
* fix(mattermost): add WebSocket ping/pong keepalive (#73979)
Adds Mattermost WebSocket ping/pong liveness checks so half-open sockets terminate and the existing reconnect loop recovers.
Fixes #41837.
Carries forward #57621.
Refs #50138, #44160, and #51104.
Thanks @JasonWang1124.
Co-authored-by: JasonWang1124 <56307673+JasonWang1124@users.noreply.github.com>
* fix(feishu): clean up bitable placeholder rows with empty defaults
Preserve the Feishu-local cleanup path while matching the Lark SDK record value shapes: recursively delete default-empty strings, nulls, arrays, and nested text spans, but keep meaningful links, attachments, users, locations, numbers, and booleans.\n\nCarries forward #40602. Thanks @boat2moon.
* fix(memory-lancedb): show full IDs in memory_forget candidate list
* fix(lint): resolve oxlint errors
* test(memory-lancedb): mock embedding transport in forget test
* docs(changelog): thank memory forget fix contributor
* fix: cap slack command menu blocks
* fix: drop overlong slack command values
* chore(ci): widen CodeQL PR guard
Runs the PR CodeQL security guard as high-confidence high/critical security coverage and adds the initial plugin/package-contract quality guard.
* refactor(channels): route inbound turns through kernel
* fix(macos): keep attach-only from stopping gateway launchd
* style(macos): order attach-only test modifiers
* docs: credit macos attach-only launchd fix
* fix(plugin-sdk): restore zalouser facade
* fix(plugins): repair configured runtime deps
* fix(plugins): resolve plugin paths from root
* fix(plugins): prefer require runtime aliases
* docs: update plugin runtime changelog
* docs: document high-confidence triage candidate filter
* fix(channels): preserve observe-only turn compatibility
* fix: warn before npm prefix redirection (#73890) (thanks @Sayeem3051)
* fix(sdk): stabilize run event chat projections (#74750) thanks @bitloi
Co-authored-by: bitloi <raphaelaloi.eth@gmail.com>
* fix(gateway): align sessions abort wait semantics (#74751) thanks @BunsDev
Co-authored-by: Val Alexander <68980965+BunsDev@users.noreply.github.com>
* fix: stabilize full release validation
* fix(discord): avoid resolving tokens for read-only accessors
* docs: update changelog for Discord SecretRef accessor (#74737)
* fix(agents): drop metadata-only replay turns
Fixes #74745
* fix(file-transfer): require canonical node policy authorization (#74742)
* feat(file-transfer): add bundled plugin for binary file ops on nodes
New extensions/file-transfer/ plugin exposing four agent tools
(file_fetch, dir_list, dir_fetch, file_write) and four matching
node-host commands (file.fetch, dir.list, dir.fetch, file.write).
Lets agents read and write files on paired nodes by absolute path,
bypassing the bash output cap (200KB) and the live tool-result
text cap that would otherwise truncate base64 payloads.
Public surface
--------------
- file_fetch({ node, path, maxBytes? })
Image MIMEs return image content blocks; small text (<=8 KB) inlines
as text content; everything else returns a saved-media-path text
block. sha256-verified end-to-end.
- dir_list({ node, path, pageToken?, maxEntries? })
Structured directory listing — name, path, size, mimeType, isDir,
mtime. Paginated. No content transfer.
- dir_fetch({ node, path, maxBytes?, includeDotfiles? })
Server-side tar -czf streamed back, unpacked into the gateway media
store, returns a manifest of saved paths. Single round-trip.
60s wall-clock timeouts on tar create/unpack. tar -xzf without -P
rejects absolute paths in archive entries.
- file_write({ node, path, contentBase64, mimeType?, overwrite?,
createParents? })
Atomic write (temp + rename). Refuses to overwrite by default.
Refuses to write through symlinks (lstat check). Buffer-side
sha256 (no read-back race). Pair with file_fetch to round-trip
files between nodes — DO NOT use exec/cp for file copies.
All four commands gated by:
- dangerous-by-default node command policy
(gateway.nodes.allowCommands opt-in)
- per-node path policy (gateway.nodes.fileTransfer)
- optional operator approval prompt (ask: off | on-miss | always)
16 MB raw byte ceiling per single-frame round-trip (25 MB WS frame
with ~33% base64 overhead and JSON envelope). 8 MB defaults.
Path policy and approvals
-------------------------
Default behavior is DENY. The operator must explicitly opt in:
{
"gateway": {
"nodes": {
"fileTransfer": {
"<nodeId-or-displayName>": {
"ask": "off" | "on-miss" | "always",
"allowReadPaths": ["~/Screenshots/**", "/tmp/**"],
"allowWritePaths": ["~/Downloads/**"],
"denyPaths": ["**/.ssh/**", "**/.aws/**"],
"maxBytes": 16777216
},
"*": { "ask": "on-miss" }
}
}
}
}
ask modes:
off — silent: allow if matched, deny if not (default)
on-miss — silent allow if matched; prompt on miss
always — prompt every call (denyPaths still hard-deny)
denyPaths always wins. allow-always from the prompt persists the
exact path back into allowReadPaths/allowWritePaths via
mutateConfigFile so subsequent matching calls go silent.
Reuses existing primitives — no new gateway methods:
plugin.approval.request / plugin.approval.waitDecision
decision: allow-once | allow-always | deny
Pre-flight against requested path AND post-flight against the
canonicalPath returned by the node — closes symlink-escape attacks
where the requested path matched policy but realpath resolves
somewhere else.
Audit log
---------
JSONL at ~/.openclaw/audit/file-transfer.jsonl. Records every
decision (allow/allowed-once/allowed-always/denied/error) with
timestamp, op, nodeId, displayName, requestedPath, canonicalPath,
decision, error code, sizeBytes, sha256, durationMs. Best-effort
writes; never propagates failure.
Plugin layout
-------------
extensions/file-transfer/
index.ts definePluginEntry, nodeHostCommands
openclaw.plugin.json contracts.tools registration
package.json
src/node-host/{file-fetch,dir-list,dir-fetch,file-write}.ts
src/tools/{file-fetch,dir-list,dir-fetch,file-write}-tool.ts
src/shared/
mime.ts single-source extension->MIME map + image/text sets
errors.ts shared error code enum and helpers
params.ts shared param-validation helpers + GatewayCallOptions
policy.ts evaluateFilePolicy, persistAllowAlways
approval.ts plugin.approval.request wrapper
gatekeep.ts one-stop policy + approval + audit orchestrator
audit.ts JSONL audit sink
Core touch points
-----------------
- src/infra/node-commands.ts: NODE_FILE_FETCH_COMMAND,
NODE_DIR_LIST_COMMAND, NODE_DIR_FETCH_COMMAND,
NODE_FILE_WRITE_COMMAND, NODE_FILE_COMMANDS array
- src/gateway/node-command-policy.ts: all four added to
DEFAULT_DANGEROUS_NODE_COMMANDS
- src/security/audit-extra.sync.ts: audit detail mentions file ops
- src/agents/tools/nodes-tool-media.ts: MEDIA_INVOKE_ACTIONS entry
for file.fetch redirects raw nodes(action=invoke) callers to the
dedicated file_fetch tool to prevent base64 context bloat
- src/agents/tools/nodes-tool.ts: nodes tool description points to
the dedicated file_fetch tool
Known limitations / follow-ups
------------------------------
- No tests in this PR. For a security-sensitive surface this is a
gap; will follow up with a test pass.
- Direct CLI invocation (openclaw nodes invoke --command file.fetch)
bypasses the plugin policy entirely. Plugin-side gating is the
realistic threat model (agent on iMessage requesting paths it
shouldn't), but for true defense-in-depth, policy belongs in the
gateway-side node.invoke dispatch. Move-policy-to-core is a
separate PR.
- file_watch (long-lived filesystem event subscription) is not
included; it needs a new node-protocol primitive for streaming
event channels and was descoped from this PR.
- dir_fetch includeDotfiles: true is the only supported mode;
BSD tar exclude patterns reliably collapse dotfile filtering
to an empty archive. Reliable filtering needs a
`find ! -name ".*" | tar -T -` pipeline; deferred.
- dir_fetch du -sk preflight is a heuristic (du * 4 vs maxBytes);
the mid-stream byte cap is the actual safety net.
* test(file-transfer): add unit tests for handlers, policy, and shared utilities
Adds 77 tests covering:
- handleFileFetch: validation, fs errors, sha256, size cap, symlink canonicalization
- handleFileWrite: validation, atomic write, overwrite policy, parent dir handling, symlink refusal, integrity check, size cap
- handleDirList: validation, fs errors, sorted listing, dotfile inclusion, pagination
- handleDirFetch: validation, fs errors, gzipped tar with sha256, mid-stream byte cap
- evaluateFilePolicy: default-deny, denyPaths-wins, allow matching, ask modes (off/on-miss/always), node-id/displayName/'*' resolution
- persistAllowAlways: append, dedupe, create-on-missing
- shared/mime: extension lookup, image/text inline sets
- shared/errors: err helper, classifyFsError, throwFromNodePayload
Also fixes accumulated lint regressions in the prod source flagged once these
files moved into the changed-gate scope (parseInt -> Number.parseInt, redundant
type casts removed, single-statement if bodies wrapped in braces).
* fix(file-transfer): address PR review feedback (security + availability)
Reviewer findings addressed (greptile + aisle):
- policy: persistAllowAlways no longer escalates per-node approvals to the
'*' wildcard entry; allow-always now writes under the specific node's
own entry, never the wildcard (greptile P1 SECURITY).
- policy: add literal '..' segment short-circuit in evaluateFilePolicy,
raised before glob match. Stops "/allowed/../etc/passwd" from passing
preflight against "/allowed/**" globs (aisle MEDIUM CWE-22).
- file-write: replace no-op base64 try/catch with actual round-trip
validation. Buffer.from(s, "base64") never throws — invalid input
silently decoded to garbage bytes. Now re-encodes and compares
modulo padding/url-variant chars (greptile P1 SECURITY).
- file-write: document the parent-symlink residual risk and rely on the
existing gateway-side post-flight policy check; full rollback requires
a node-side file.unlink which is deferred to a follow-up. Initial
segment-walk attempt was reverted because it false-positives on system
symlinks like macOS /var → /private/var (aisle HIGH CWE-59).
- dir-fetch tool: add preValidateTarball pass that runs `tar -tzvf` and
rejects symlinks, hardlinks, absolute paths, '..' traversal,
uncompressed sizes >64MB, and entry counts >5000 — before any
extraction. Drops --no-overwrite-dir (GNU-only flag rejected by BSD
tar on macOS) (aisle HIGH x2 CWE-22 + CWE-409, greptile P2).
- dir-fetch tool: stream-hash files via fs.open + read loop instead of
fs.readFile to avoid full-buffer reads on large extracted entries.
- dir-fetch handler: replace spawnSync in countTarEntries with async
spawn + bounded buffer so tar -tzf can't park the node-host event
loop for up to 10s on a slow filesystem (greptile P1 AVAIL).
- audit: clear auditDirPromise on rejection so a transient mkdir
failure doesn't permanently silence the audit log (greptile P2).
New tests: wildcard escalation rejection, base64 malformed/url-variant,
'..' traversal short-circuit (3 cases). 84/84 passing.
* fix(file-transfer): CI failures + second-round PR review feedback
CI failures on previous push:
- Declare runtime deps (minimatch, typebox) in package.json — failed the
extension-runtime-dependencies contract test that scans imports.
- Switch policy.ts and policy.test.ts off the broad
openclaw/plugin-sdk/config-runtime barrel and onto the narrow
openclaw/plugin-sdk/config-mutation + runtime-config-snapshot subpaths.
This satisfies the deprecated-internal-config-api architecture guard.
Second-round Aisle findings:
- policy: traversal-segment check now treats backslash and forward slash
as equivalent, so a Windows node can't be hit with mixed-separator
"C:\\allowed\\..\\Windows\\system.ini" (Aisle HIGH CWE-22).
- dir-fetch tool: replace the single fragile `tar -tvzf` parser pass
(which broke for filenames containing whitespace) with two robust
passes: `tar -tzf` for paths only (one per line, no parsing of
fixed columns) and `tar -tzvf` for type chars only (FIRST CHAR of each
line, never the path column). Also reject backslash-containing entry
names. Drops the in-process uncompressed-size cap because reliably
parsing sizes from tar output is fragile and Aisle flagged it as a
bypass primitive — entry-count cap stays (Aisle HIGH CWE-22, MED).
Tests still 84/84 passing.
* fix(file-transfer): third-round PR review feedback
Aisle's re-analysis on b63daa6a05 surfaced 3 actionable findings:
- nodes.invoke bypass (HIGH CWE-285): generic nodes.action="invoke" let
agents call dir.list/dir.fetch/file.write directly, skipping the
file-transfer plugin's gatekeep + policy + approval flow. Only file.fetch
was redirected to its dedicated tool. Add the other three to
MEDIA_INVOKE_ACTIONS so the redirect-or-deny logic in
nodes-tool-commands fires for all four. The dedicated tools enforce
policy; the generic invoke surface no longer has a way to skip them
without an explicit allowMediaInvokeCommands opt-in.
- prototype pollution in persistAllowAlways (MED CWE-1321): a paired
node with displayName "__proto__" / "prototype" / "constructor" would
mutate the fileTransfer object's prototype when persisting allow-always.
Reject those keys explicitly. Switch the existing-key lookup to
Object.prototype.hasOwnProperty.call so a key like "constructor"
doesn't accidentally match Object.prototype.constructor.
- decompression-bomb cap in dir_fetch (MED CWE-409): compressed tar is
bounded upstream, but a highly compressible bomb can still expand to
gigabytes. Enforce DIR_FETCH_MAX_UNCOMPRESSED_BYTES (64MB) summed
across extracted files and DIR_FETCH_MAX_SINGLE_FILE_BYTES (16MB) per
entry, both checked during the post-extract walk. On bust, rm -rf the
rootDir and audit-log + throw UNCOMPRESSED_TOO_LARGE.
Tests: 85/85 passing (added prototype-pollution rejection test).
Aisle's HIGH parent-symlink finding remains documented as deferred — full
rollback requires a node-side file.unlink command which is out of scope
for this PR. The gateway-side post-flight policy check still detects and
loudly errors on canonical-path mismatches.
* fix(file-transfer): refuse symlink traversal by default with followSymlinks opt-in
Closes the deferred Aisle HIGH parent-symlink finding. Instead of
detecting the escape in a post-flight gateway check after the file is
already written, the node-side handler now refuses pre-flight if any
component of the requested path resolves through a symlink.
Behavior:
- Reads (file.fetch / dir.list / dir.fetch): node realpath()s the
requested path. If canonical != requested AND followSymlinks=false,
return SYMLINK_REDIRECT { canonicalPath } — no I/O happens.
- Writes (file.write): node realpath()s the parent dir. Same refusal
rule. The lstat-on-final check is kept to catch the case where the
target file itself is an existing symlink.
- Opt-in: set gateway.nodes.fileTransfer.<node>.followSymlinks=true to
bring back the previous "follow + post-flight check" behavior.
Operator UX: the SYMLINK_REDIRECT response includes the canonical path
so the operator can either update their allow list to the canonical form
or set followSymlinks=true on that node. On macOS, /var → /private/var
and /tmp → /private/tmp are system aliases that trip the new check, so
operators using those paths need followSymlinks=true OR canonical-path
allowlists.
Wiring:
- Add followSymlinks?: boolean to NodeFilePolicyConfig.
- evaluateFilePolicy returns followSymlinks (default false) on its
ok=true branches.
- gatekeep propagates it via GatekeepOutcome.
- Each tool passes it as a node.invoke param.
- Each handler honors it pre-flight before any read/write.
Tests updated: 89/89 passing.
- realpath(mkdtemp()) so existing happy-path tests don't trip the new
default on macOS where mkdtemp lands under symlinked /var/folders.
- New tests: SYMLINK_REDIRECT refusal for file.fetch and file.write
parent traversal; opt-in passthrough when followSymlinks=true.
- New policy test: followSymlinks propagation default false / true.
* fix(file-transfer): close two more aisle findings on 069bd66
Aisle re-analysis on 069bd66 surfaced two issues my earlier round-three
fix missed:
- HIGH (CWE-284): file.fetch / dir.fetch / dir.list / file.write were
still bypassable via the generic nodes.action="invoke" surface when
the operator had set allowMediaInvokeCommands=true. That flag was
meant to opt in to base64-bloat for camera/screen, not to disable
path policy on file-transfer. Split the redirect map: introduce
POLICY_REDIRECT_INVOKE_COMMANDS (file-transfer only) which ALWAYS
rerouts to its dedicated tool regardless of the bloat flag. Camera
and screen continue to use the bloat-only redirect (suppressed by
allowMediaInvokeCommands=true). Confirmed by clawsweeper P1.
- MED (CWE-276): tar -xzf in dir_fetch unpack preserved archive
ownership and permissions, so a malicious node could plant
setuid/setgid or world-writable files on a gateway running with
elevated privileges. Add --no-same-owner --no-same-permissions
(both flags are portable across BSD tar / GNU tar).
Tests: 89/89 passing.
* chore(file-transfer): drop file_watch from plugin description
Phase 5 (file_watch) was deferred earlier in this PR. Strip the watch
mention from the plugin description in package.json,
openclaw.plugin.json, and index.ts so the metadata reflects what's
actually shipped (file_fetch, dir_list, dir_fetch, file_write).
Closes clawsweeper P3.
* fix(file-transfer): hash before rename and allow zero-byte round-trip
Two of Peter's review findings on PR #74134:
- P2 (file-write integrity): hash the decoded buffer + compare against
expectedSha256 BEFORE temp+rename. Previously the rename happened
first, then the sha check unlinked the target on mismatch — with
overwrite=true a bad caller hash could replace + delete the original.
Now a hash mismatch returns INTEGRITY_FAILURE without touching disk.
Added a regression test that asserts the original file survives.
- P2/P3 (zero-byte round-trip): the tool layer's truthy checks on
contentBase64 and base64 rejected the empty string, blocking zero-byte
files from round-tripping through file_fetch -> file_write. Switched
to type-checks (typeof === "string") and added zero-byte tests at the
handler layer for both fetch and write (sha matches the known empty
digest).
Tests: 92/92 passing.
* fix(file-transfer): declare gateway.nodes.fileTransfer in core config schema
Peter's P1/P2 finding: the plugin reads/writes gateway.nodes.fileTransfer
via casts through unknown because the strict zod schema and OpenClawConfig
type didn't declare it. That meant `openclaw config validate` would
reject the very examples in the plugin's own documentation.
- Add fileTransfer block to gateway.nodes in src/config/zod-schema.ts
with the full per-node entry shape (ask, allowReadPaths,
allowWritePaths, denyPaths, maxBytes, followSymlinks).
- Add GatewayNodeFileTransferEntry + the fileTransfer field on
GatewayNodesConfig in src/config/types.gateway.ts.
- Drop the `as unknown` casts in the extension's policy.ts now that
gateway.nodes.fileTransfer is properly typed end-to-end.
- Regenerate docs/.generated/config-baseline.sha256.
Tests: 92/92 passing. pnpm config:docs:check OK.
* fix(file-transfer): enforce path policy at gateway dispatch
Closes Peter's P1 review finding on PR #74134.
The agent-tool-only redirect added in earlier commits left CLI
(`openclaw nodes invoke`), plugin-runtime, and raw `node.invoke` callers
able to skip the file-transfer path policy entirely. The fix moves the
security boundary down to the gateway: every code path that reaches
`node.invoke` for file.fetch / dir.list / dir.fetch / file.write now
runs the same allow/deny check.
- New: src/gateway/file-transfer-dispatch.ts with
`evaluateFileTransferDispatchPolicy` and `isFileTransferCommand`. Same
semantics as the extension-side `evaluateFilePolicy` minus the
operator-prompt flow (prompts stay at the agent-tool layer; the
gateway is silent enforcement).
- src/gateway/server-methods/nodes.ts: after the existing command
allowlist check, run the new gate before forwarding. Denies emit
INVALID_REQUEST with a structured `{ command, code, reason }`.
- Decision matrix mirrors the extension: NO_POLICY (no entry for
this node) deny, denyPaths-wins, '..' traversal short-circuit
(with backslash separator handling), allowPaths match → allow,
no allow match → deny.
- 19 new unit tests covering each branch including identity
resolution (nodeId/displayName/'*'), prototype-pollution-safe lookup,
and read-vs-write allow-list separation.
Note on allow-once approvals: the agent tool's interactive
`allow-once` decision now has to flow through the dedicated tool's
pre-flight (which forwards an approved request); raw `nodes.invoke`
callers cannot benefit from one-time approvals because the gateway is
silent. allow-always (which persists to allowReadPaths/allowWritePaths)
continues to work transparently because by the time the next request
hits the gateway the path is in the persisted allow list.
Tests: 92 extension + 19 gateway = 111 total, all passing.
* fix(file-transfer): enforce node policy in gateway
* fix(file-transfer): use plugin node policy only
* fix(file-transfer): harden node policy edge cases
* fix(file-transfer): close review hardening gaps
* fix(file-transfer): harden node invoke policy
* fix(file-transfer): align runtime dependency versions
* fix(file-transfer): keep minimatch extension-owned
* refactor(file-transfer): remove unused approval gate
* fix(file-transfer): require canonical node policy authorization
Co-authored-by: Omar Shahine <10343873+omarshahine@users.noreply.github.com>
* fix(clawsweeper): address review for automerge-openclaw-openclaw-74134 (1)
Co-authored-by: Omar Shahine <10343873+omarshahine@users.noreply.github.com>
* fix(file-transfer): recheck dir fetch archive policy after fetch
* fix(file-transfer): name file-transfer tool in invoke redirect
---------
Co-authored-by: Omar Shahine <10343873+omarshahine@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: clawsweeper-repair <clawsweeper-repair@users.noreply.github.com>
* test: accept kitchen sink conformance diagnostics
* docs: update 2026.4.29 changelog
* docs(changelog): backfill 1f1f70a23f gateway sessions abort wait semantics
* fix(channels): keep status accessors config-only
* fix(doctor): suppress false-positive embedding warning when probe skipped
When `openclaw doctor` runs without --deep, the gateway probe is skipped
and returns { checked: false, ready: false } (SKIPPED_MEMORY_EMBEDDING_PROBE).
Key-optional providers (ollama, lmstudio, local) were incorrectly shown
"could not confirm embeddings are ready" in this case, misleading users
into thinking their fully-functional embedding setup had an issue.
Guard the key-optional provider path: if probe.checked is false (probe
was skipped, not run), return early without warning. A skipped probe
carries no readiness signal — it is not a failure.
- Adds two focused regression tests for ollama and lmstudio with
skipped probe (checked: false) → expect note() not called
- Updates the prior test that expected a warning on checked:false
to reflect the corrected behaviour
Fixes #74608
* fix(doctor): propagate gateway skipped-probe flag through adapter
clawsweeper P1: probeGatewayMemoryStatus always returned checked: true
on successful RPC, silently discarding payload.embedding.checked === false
from the SKIPPED_MEMORY_EMBEDDING_PROBE gateway response. The renderer
guard in noteMemorySearchHealth (added in prior commit) never saw checked:
false in real execution — only on timeout paths.
Fix: propagate checked flag from payload.embedding.checked so a skipped
gateway probe surfaces as checked: false to the renderer, allowing the
key-optional provider guard to suppress the false-positive warning.
Add adapter-level regression test that verifies the skipped payload shape
from doctor.memory.status reaches GatewayMemoryProbe as checked: false.
* fix(doctor): add skipped discriminator to distinguish probe skip from gateway timeout
Previously both a planned probe skip (probe:false path) and a transport timeout
returned checked:false, so the renderer's !checked early return would silently
suppress diagnostics for key-optional providers even when the gateway had timed out.
- Add `skipped?: boolean` to GatewayMemoryProbe: true for gateway-confirmed skip,
false for timeout/unavailable paths
- Renderer now guards on `probe.skipped` instead of `!probe.checked`, so timeouts
fall through to the existing warning path
- Update doctor-memory-search inline type and buildGatewayProbeWarning signature
- Update skipped-probe tests to pass { skipped: true }; add regression test for
key-optional timeout (lmstudio gateway timeout now warns)
Addresses clawsweeper P2: src/commands/doctor-memory-search.ts:416
* test(doctor): add skipped: false to gateway error and timeout test assertions
* docs: credit doctor memory probe fix (#74653) (thanks @hclsys)
* fix: keep slack message controls
* fix: cap slack block fallback text
* fix: cap slack edit fallback text
* fix: cap slack approval update text
* fix(active-memory): clarify modelFallbackPolicy deprecation warning text
Closes #74587. AI-assisted, fully tested.
The previous deprecation warning ("set config.modelFallback explicitly
if you want a fallback model") read naturally as runtime failover —
model A errors → switch to model B. The actual semantics in
`getModelRef` are different: `modelFallback` is the **last candidate
in the chain-resolution walk**, consulted only when `config.model`,
the current run's model, AND the agent's configured default have all
resolved to nothing. There is no error-recovery / retry-with-different-model
path.
The mismatch wastes real debug time. The issue filer reports ~1 hour of
cycles before reading source revealed the gap; users without source
access can debug for much longer assuming runtime failover exists.
## Fix
Rewrite the warning string to:
1. State the deprecation (preserved).
2. Describe `modelFallback`'s actual semantics — chain-resolution
last-resort, gated on the three earlier candidates resolving to
nothing.
3. Explicitly disclaim the wrong mental model — "it is NOT a runtime
failover that substitutes a different model when the resolved model
errors out" — so a quick read can't lead the operator astray.
No behavior change, only operator-facing copy. Surrounding code paths
(`getModelRef`, `hasDeprecatedModelFallbackPolicy`, the warn caller in
`register()`) are untouched.
## Tests
`extensions/active-memory/index.test.ts` extends the existing
deprecation-warning assertion to pin both the positive copy
(`chain-resolution`, `last-resort`) and the negative disclaimer
(`NOT a runtime failover`), so a future "let's reword this" change
that reintroduces the failover-implying language fails the test
instead of silently regressing.
`pnpm test extensions/active-memory/index.test.ts` — 94 passed.
`pnpm exec oxfmt --check` — clean. `pnpm exec oxlint` — 0 warnings,
0 errors.
## AI-assisted PR
- [x] Mark as AI-assisted (Claude). Lightly tested via the targeted
Vitest extension shard; not exercised against a live Ollama / AM
rollout because the change is a log-string update, not behavior.
- [x] Confirm I understand what the code does: yes — `getModelRef`
walks four candidates (`config.model`, `currentRunModel`,
`configuredDefaultModel`, `config.modelFallback`) and returns the
first non-null parse; `modelFallback` is purely a default-when-empty
selector, not a runtime failover.
* fix(active-memory): clarify fallback config help (#74602) (thanks @jeffrey701)
* config: accept browser.tabCleanup keys in zod schema (#74577) (#74638)
* config: accept browser.tabCleanup keys in zod schema (#74577)
* docs: update config baseline hash
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
* chore: refresh a2ui bundle hash
* fix: accept extensionless runtime dependency mains
* fix: harden Windows Parallels update smoke
* fix: stabilize Parallels update restart checks
* fix(acp): fall through to thread-bound resolution when token is unresolvable (#66299) (#74641)
* fix(acp): fall through to thread-bound resolution when token is unresolvable (#66299)
resolveAcpTargetSessionKey returned an error immediately when an explicit
session token was supplied but could not be resolved as a key/id/label.
This blocked the thread-bound and requester-session fallback paths from
ever being reached.
Discord slash commands auto-fill the current thread ID as a positional
ACP target. That value is not a session identifier, so the gateway lookup
returns null, and the command returned 'Unable to resolve session target'
instead of falling through to the thread-bound session that was already
known via the binding context.
Fix: when the token lookup returns null, skip the early-exit error and
fall through to thread-bound → requester-session → error in the normal
way. The 'Missing session key' error still surfaces when neither fallback
produces a binding.
Adds a focused regression test: unresolvable token + bound thread session
→ steer command reaches the thread-bound session, not an error.
Fixes #66299
* fix(changelog): add Thanks @martingarramon attribution for #66299
Per clawsweeper P2 review — every new CHANGELOG entry must credit
at least one author. martingarramon authored the issue analysis and
explicitly invited the PR.
* fix(acp): preserve bad-token diagnostics after thread fallback
---------
Co-authored-by: clawsweeper-repair <clawsweeper-repair@users.noreply.github.com>
* fix(feishu): skip empty-text messages with no media to prevent blank session turns (#74634) (#74661)
Feishu delivers empty-text events (e.g. {"text":""}) when users send
blank messages or when a media-only message produces no text content.
Writing a blank user turn to the session file causes downstream LLM
providers such as MiniMax to reject requests with:
invalid params, messages must not be empty (2013)
Guard at the point after media resolution: if ctx.content.trim() is
empty AND mediaList is empty, log the skip and return without queuing
a reply. This preserves all existing behaviour for text, media, and
mixed messages.
Regression test: dispatch a DM with {"text":""} (no media), assert
mockDispatchReplyFromConfig is not called.
Closes #74634. Thanks @xdengli.
* fix(exec): preserve turnSourceChannel as messageProvider in approval followup runs (#74666)
When an exec-approval followup run has no deliverable route and no
gateway-internal channel, buildAgentFollowupArgs was passing channel=undefined
to the spawned agent. This left defaults.messageProvider=undefined in the
followup run, causing tools.elevated.allowFrom.<provider> checks to always
fail with provider=null after the user approved an async elevated command.
Thread turnSourceChannel through buildAgentFollowupArgs and use it as a
fallback when sessionOnlyOriginChannel is absent. Fixes #74646.
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* chore(ci): add gateway CodeQL PR quality guard
Adds the gateway runtime quality shard to the PR CodeQL guard, keeps PR quality analysis path-sharded by surface, and documents the shard selector behavior.
* fix: reject invalid cron edits on disabled jobs (#74720)
* fix(cron): reject invalid disabled schedule updates
* docs: add cron validation changelog entry
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
* chore(ci): add provider CodeQL PR quality guard
Adds the provider runtime quality shard to the PR CodeQL guard, keeps PR quality analysis path-sharded by surface, and fixes selector overlap for Plugin SDK/package-contract paths.
* chore(deps): bump actions group
Bumps the actions group with 2 updates in the / directory: [useblacksmith/setup-docker-builder](https://github.com/useblacksmith/setup-docker-builder) and [useblacksmith/build-push-action](https://github.com/useblacksmith/build-push-action).
Updates `useblacksmith/setup-docker-builder` from 1.7.0 to 1.8.0
- [Release notes](https://github.com/useblacksmith/setup-docker-builder/releases)
- [Commits](https://github.com/useblacksmith/setup-docker-builder/compare/ac083cc84672d01c60d5e8561d0a939b697de542...722e97d12b1d06a961800dd6c05d79d951ad3c80)
Updates `useblacksmith/build-push-action` from 2.1.0 to 2.2.0
- [Release notes](https://github.com/useblacksmith/build-push-action/releases)
- [Commits](https://github.com/useblacksmith/build-push-action/compare/cbd1f60d194a98cb3be5523b15134501eaf0fbf3...fb9e3e6a9299c78462bfadd0d93352c316adc9b8)
---
updated-dependencies:
- dependency-name: useblacksmith/build-push-action
dependency-version: 2.2.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: actions
- dependency-name: useblacksmith/setup-docker-builder
dependency-version: 1.8.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: actions
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump swift-testing
Bumps [github.com/apple/swift-testing](https://github.com/apple/swift-testing) from 0.99.0 to 6.3.1.
- [Release notes](https://github.com/apple/swift-testing/releases)
- [Commits](https://github.com/apple/swift-testing/compare/0.99.0...6.3.1)
---
updated-dependencies:
- dependency-name: github.com/apple/swift-testing
dependency-version: 6.3.1
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix(commands): require gateway memory probe skipped state
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* fix(test): keep kitchen-sink conformance diagnostics clean
* fix: test-harness regression risk
* fix: keep kitchen-sink conformance diagnostics clean
---------
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
Co-authored-by: clawsweeper-repair <clawsweeper-repair@users.noreply.github.com>
* fix(gateway): avoid caching empty model catalogs
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* build(deps): bump debian docker base digest
Bumps the docker-images group with 1 update in the / directory: debian.
Updates `debian` from `4724b8c` to `f9c6a2f`
---
updated-dependencies:
- dependency-name: debian
dependency-version: bookworm-slim
dependency-type: direct:production
dependency-group: docker-images
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
* chore(ci): add channel CodeQL PR quality guard
Adds the channel runtime quality shard to the PR CodeQL guard and keeps non-security quality analysis path-sharded by surface.
* docs(ci): rewrite for structure, deduplication, and findability
Splits the previous wall-of-prose docs/ci.md into discoverable sections
while preserving every operator-relevant detail:
- Lead orientation paragraph kept; cross-links to umbrella and prerelease
- Pipeline overview anchors the job table at the top
- Fail-fast order tightened; superseded-run/concurrency notes folded in
- Scope and routing surfaces ci-changed-scope.mjs, the routing-only fast
path, the Windows scope rule, Vitest shard balancing, the Android
dual-flavor rule, and the check-dependencies (Knip + unused-file
allowlist) pass that was buried in the lead
- Manual dispatches groups examples + include_android + target_ref
- Runners and Local equivalents tables/blocks preserved
- Full Release Validation: release_profile and rerun_group bulleted;
verifier-only rerun guidance and the shared release-package-under-test
artifact called out
- Live and E2E shards: native-live shard names listed, live-media-runner
image and openclaw-live-test:<sha> with OPENCLAW_SKIP_DOCKER_BUILD=1
broken out
- Package Acceptance split into Jobs / Candidate sources / Suite profiles
/ Legacy compatibility windows / Examples / debugging
- Install smoke: fast vs full paths, main-push policy, Bun gate
- Local Docker E2E: scheduler tunables in a table, reusable workflow
flow, release-path chunks list, rerun helpers
- Plugin Prerelease, QA Lab, CodeQL each get their own discoverable
sections; CodeQL uses tables for security and quality categories
instead of paragraph walls (kept the new provider-runtime-boundary
shard in the PR-quality-guard list)
- Maintenance workflows groups Docs Agent, Test Performance Agent, and
Duplicate PRs After Merge
- Local check gates and changed routing turn boundary lane rules into
bullets and keep the explicit-mapping prose
- Testbox validation kept; Related links preserved
Audited every workflow name and CodeQL category against
.github/workflows/ — no stale references. File goes from 527 to 413
lines while preserving shard names, env vars, profiles, chunks, and
legacy-compat windows. Layout obeys oxfmt.
* fix(slack): share edit fallback text truncation
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* fix(slack): cap approval update fallback text
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* fix(channels): suppress observe-only prepared dispatch
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* test(ci): guard install smoke docker cache removal
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* fix(media): treat legacy Word docs as binary attachments
Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com>
* chore(ci): add process CodeQL PR quality guard
Adds the MCP/process runtime quality shard to the PR CodeQL guard and keeps non-security quality analysis path-sharded by surface.
* fix(slack): cap select option values
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* fix(slack): preserve mixed interactive blocks
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* fix(plugins): prefer require export conditions
* fix: fixed condition order prefers a top-level require export before a node condition, which...
* fix(clawsweeper): address review for clawsweeper-commit-openclaw-openclaw-6877360218c9 (1)
---------
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* fix(bedrock): expose Opus 4.7 max thinking
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* fix(google): accept Windows ADC manifest paths
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* chore(ci): add session CodeQL PR quality guard
Adds the session diagnostics quality shard to the PR CodeQL guard while keeping diagnostics and delivery queue analysis path-sharded by surface.
* fix(gateway): preserve rpc abort terminal snapshots
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* fix(plugins): select runtime deps by configured models
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* fix(sdk): emit replacement chat projection deltas
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* fix(plugins): honor runtime deps fallback install option
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* fix: configs that used the previously documented WhatsApp exposeErrorText key now fail valida... (#74667)
* fix: configs that used the previously documented WhatsApp exposeErrorText key now fail valida...
* fix(clawsweeper): address review for clawsweeper-commit-openclaw-openclaw-4cba08df01ea (1)
---------
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* fix: environment edge case launcher regression (#74696)
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* chore(ui): refresh fa control ui locale
* fix: Windows-specific reliability gap in the new timeout cleanup path (#74703)
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* chore(ci): add plugin SDK reply CodeQL PR guard
Adds the Plugin SDK reply runtime quality shard to the PR CodeQL guard while keeping reply runtime changes on the existing plugin and package-contract shards.
* fix(ui): refresh Persian locale copy
* chore(ci): add memory CodeQL PR quality guard
Adds the memory runtime quality shard to the PR CodeQL guard while preserving provider/plugin overlap only for the memory files that share those contracts.
* fix(control-ui): disable refresh during active runs
Disable the Control UI refresh button while chat is disconnected, loading, sending, running, or streaming.
This prevents manual chat-history refresh from racing active run/stream state and adds browser render coverage for the disabled-state matrix.
Closes #65522.
Validation:
- Exact PR head `1511a086614a727fc4200730e7ad9622134bb7d3` reached `CLEAN` merge state.
- GitHub CI for the exact head completed with no failed or pending checks.
* chore(ci): add auth CodeQL PR quality guard
Adds the core-auth-secrets quality shard to the PR CodeQL guard and documents the expanded ten-shard PR quality set.
* docs(changelog): backfill c34ed90822 control UI refresh-during-runs guard
* fix(slack): offset presentation controls after native blocks
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* fix(plugins): keep disabled plugin runtime deps off
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* chore(ci): add config CodeQL PR quality guard
Adds the config-boundary quality shard to the PR CodeQL guard and documents the expanded eleven-shard PR quality set.
* fix(ci): disable install smoke Docker build cache
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* chore(ci): cover bundled channels in CodeQL PR guard
Extends the channel CodeQL quality shard to bundled channel plugin source directories and documents the scoped PR guard coverage.
* fix: enable native require fast path on Windows for bundled plugins (#74173)
Removes the win32 exclusion from supportsNativeJitiRuntime() and adds { allowWindows: true } to all tryNativeRequireJavaScriptModule call sites, so bundled plugin modules use native require() instead of Jiti on Windows. Also adds an attempted-load counter to the debug timing log and a changelog entry.
Fixes #68656
Co-authored-by: Galin Iliev <galiniliev@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Fix CLI text command hangs (#74220)
* fix(cli): keep agents list off plugin preload
* docs(changelog): note cli text hang fix
* test(cli): update preaction agents list expectations
* test(channels): align module loader jiti fixture
* fix(skills): scan grouped skill directories
* fix(skills): scan nested subdirectories for grouped skill layouts
Previously, skill discovery only checked immediate children of the
skills root for SKILL.md files. Skills organized in subdirectories
(e.g. ~/.openclaw/skills/coze/koze-retrieval/SKILL.md) were silently
ignored.
Now, when an immediate child directory does not contain a SKILL.md,
its own children are checked one level deeper. This supports grouped
skill layouts while keeping the scan depth bounded (max 2 levels) to
avoid unbounded filesystem traversal.
The existing per-source skill count limits and containment checks
still apply to nested discoveries.
Fixes #56915
* test(skills): cover nested grouped skill discovery
* fix(skills): cache contained-path checks and cap nested scans
- Reuse skillDirRealPath captured during the collection phase so the load
loop no longer re-runs resolveContainedSkillPath on the same directory.
- Apply the per-root candidate cap (and the matching warning log) when
descending into nested grouped skill directories, matching the outer
scan's behavior.
Addresses Greptile P2 feedback on PR #72534.
* fix(skills): load grouped skill directories under skills roots
* fix(clownfish): address review for ghcrawl-156697-autonomous-smoke (1)
---------
Co-authored-by: Otto Deng <otto@ottodeng.com>
Co-authored-by: vincentkoc <25068+vincentkoc@users.noreply.github.com>
Co-authored-by: Otto Deng <ottodeng2@github.local>
* chore(ci): add agent CodeQL PR quality guard
Promotes the existing agent-runtime quality shard to PR/manual selection and documents the expanded twelve-shard PR quality set.
* fix(skills): bound grouped skill directory scans
* fix(security): remediate CodeQL alerts
* fix: existing doctor-contract Windows loader test still expects Jiti to be called for contrac... (#74923)
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* fix: change disables bundled dependency repair when plugins.enabled: false, but the same fall... (#74916)
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
* docs(changelog): note outbound CodeQL remediation
Adds the requested changelog attribution for CodeQL alert 228.
* docs(changelog): note secret comparison CodeQL remediation
Adds the requested changelog attribution for CodeQL alert 229.
* fix(sdk): treat terminal wait timeouts as timed out (#74697)
* fix: wait-status mapping sdk regression
* fix(sdk): treat terminal wait timeouts as timed out
---------
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
Co-authored-by: clawsweeper-repair <clawsweeper-repair@users.noreply.github.com>
* fix(ci): committed Plugin SDK API baseline hash is not reproducible from the committed source... (#74789)
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* fix: derive dynamic context-window guard thresholds
Derive context-window guard thresholds from the effective model window, keeping 10% hard-min and 20% warning ratios with 4k/8k floors.
Stop the embedded runner from forcing old fixed guard overrides so runtime admission uses the dynamic resolver.
Validation:
- CI run 25151866833 passed, including build-artifacts and checks-node-channels.
- Parity gate 25151866868 passed.
- Testbox pnpm test:channels passed: 54 files / 433 tests.
Fixes #42999.
Prepared head SHA: 9c80383639321871fe93e276c56459de096a2d70
* fix(security): sanitize QQBot debug log values
Sanitizes QQBot debug log values to remediate CodeQL alert 230.
* fix(pdf): resolve standard fonts from pdfjs package root (#70936)
* fix(pdf): resolve standard fonts from pdfjs package root
Resolve PDF.js standard fonts via pdfjs-dist/package.json instead of a
relative ../../node_modules path so the fallback renderer does not depend
on emitted dist chunk layout.
Add focused regression coverage that asserts the forwarded
standardFontDataUrl matches the installed pdfjs-dist package root and
exists on disk.
* fix(pdf): resolve pdfjs standard fonts from package root
* fix(pdf): use PDF.js font URL separator
---------
Co-authored-by: Dr JCai <jingxiao.cai@gmail.com>
Co-authored-by: vincentkoc <25068+vincentkoc@users.noreply.github.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
* fix(cron): warn when --agent is not specified on cron add (#42245)
* fix(cron): warn when --agent is not specified on cron add
Warn users when creating a cron job without specifying the --agent flag,
so they know the job will run with the default agent (main).
Fixes #42196
* fix(cron): warn when cron add omits --agent
* fix(cron): name default agent in warning
---------
Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
* fix(security): emit QQBot debug logs as sanitized lines
Emits QQBot debug logs as CRLF-neutralized lines to remediate CodeQL alert 231.
* fix: bounded directory scan actionable regression (#74942)
* fix: bounded directory scan actionable regression
* fix: current main remaining regression
* fix(skills): compose workspace scan caps
---------
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
* fix(memory-lancedb): get memory records through ltm list command (#67952)
* fix(mem-lancedb): get memory records through ltm list command
* code review
---------
Co-authored-by: zhangyue19921010 <zhangyue.1010@bytedance.com>
* feat(channel) update yuanbao plugin github location (#74253)
* feat(channel) update yuanbao plugin version and github location
* feat(channel) update yuanbao plugin github location
* fix(channel): update yuanbao plugin GitHub location and add yuanbao alias (#74253) (thanks @loongfay)
---------
Co-authored-by: loongzhao <loongzhao@tencent.com>
Co-authored-by: sliverp <870080352@qq.com>
* fix(security): align QQBot log sanitizer with CodeQL
Aligns QQBot debug log newline removal with the CodeQL js/log-injection sanitizer model to close alert 232.
* fix(github): skip maintainer-owned Barnacle targets
* docs(changelog): backfill 1e20babcf7 memory-lancedb ltm list
* fix(qqbot): unify slash command auth, c2cOnly gating, and file delivery (#73616)
* fix(qqbot): align clear-storage command with actual downloads directory
The /bot-clear-storage command previously targeted
~/.openclaw/media/qqbot/downloads/{appId}/, but inbound attachments
and outbound fallback downloads are stored directly under
~/.openclaw/media/qqbot/downloads/ without appId subdivision.
This mismatch caused the clear command to report 'no files to clean'
while downloaded files continued to occupy disk space.
Changes:
- Replace resolveQqbotDownloadsDirForApp(appId) with
resolveQqbotDownloadsDir() that returns the downloads root
- Use getQQBotMediaPath('downloads') instead of manual path assembly
- Remove appId-based path validation (no longer needed)
- Update usage text to reflect the new scope
* refactor(qqbot): unify slash command auth and c2cOnly gating in registry
Previously, slash command authorization and group-chat rejection were
scattered across individual handlers and a hardcoded GROUP_EXCLUDED set.
This led to inconsistent behavior: commandAuthorized was hardcoded to
true in the pre-dispatch path, some handlers checked allowFrom while
others did not, and group users received no response for auth-gated
commands.
Changes:
1. Add resolveSlashCommandAuth() (new file slash-command-auth.ts)
- Requires sender to appear in an explicit non-wildcard allowFrom
list; wildcard ['*'] does not grant admin command access
- Group messages use groupAllowFrom, falling back to allowFrom
2. Fix commandAuthorized in slash-command-handler.ts
- Replace hardcoded 'true' with resolveSlashCommandAuth() call
3. Add c2cOnly field to SlashCommand interface
- Commands declare c2cOnly: true instead of checking ctx.type
inside their handler
- Registry rejects c2cOnly commands in group chat before auth
check, returning a user-friendly hint
4. Remove GROUP_EXCLUDED hardcoded set from register-basic.ts
- /bot-help now filters by cmd.c2cOnly dynamically
5. Clean up handler-level auth and scene checks
- Remove hasExplicitCommandAllowlist check from register-logs
- Remove ctx.type !== 'c2c' guards from all c2cOnly handlers
- Improve rejection message to mention the correct config field
(allowFrom for c2c, groupAllowFrom for group)
6. Mark commands: bot-upgrade, bot-streaming, bot-logs,
bot-clear-storage, bot-approve as c2cOnly: true
* fix(qqbot): pass allowQQBotDataDownloads when sending slash command file attachments
The /bot-logs command writes temporary log files to the QQBot data
downloads directory (~/.openclaw/qqbot/downloads/), but sendDocument
was called without allowQQBotDataDownloads: true. This caused
resolveOutboundMediaPath to reject the file path as outside the
allowed media roots, silently failing the file attachment while
the text reply was sent successfully.
Add { allowQQBotDataDownloads: true } to the sendDocument call in
slash-command-handler.ts so file-bearing slash command results
(currently only /bot-logs) can deliver their attachments.
* feat(qqbot): add /bot-me command to display sender user ID
Add a new /bot-me slash command that returns the sender's user ID
(openid). This helps users quickly find the value they need to add
to allowFrom or groupAllowFrom configuration for admin command
access.
Marked as c2cOnly since the user ID is sensitive information.
* feat(qqbot): update response timeout
* feat(qqbot): add engine import boundary test and bump version
- Add engine-import-boundary.test.ts to enforce that engine/ sources
only import from openclaw/plugin-sdk/* and never reach into other
openclaw internals directly. Scans all 110 source files recursively.
- Bump plugin version to 2026.4.27.
* fix(qqbot): unify slash command auth, c2cOnly gating, and file delivery (#73616) (thanks @cxyhhhhh)
---------
Co-authored-by: sliverp <870080352@qq.com>
* fix: warning text cli correctness issue (#74964)
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* fix(agents): preserve string user content when merging turns
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
* docs: cover qqbot /bot-me + c2cOnly admin gating (62fb87641e) and cron add --agent warning (dc0c54c7f1)
* test(gateway): avoid post-close auth rotation rpc
* ci: right-size OpenGrep PR scan
* ci: right-size opengrep pr scan
* ci: avoid opengrep rulepack self-scan
* ci: opt opengrep workflows into node24 actions
* ci: update opengrep workflow action majors
* chore(ci): tune stale policy and add backfill
* chore(ci): tune stale grace periods
* chore(ci): add stale closure backfill
* chore(ci): skip maintainer assignees in stale backfill
* ci: shallow checkout OpenGrep PR scan
* fix(channels): align Yuanbao catalog id
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* fix(control-ui): wire slash menu accessibility
Wire the Control UI chat slash-command menu to the composer with stable listbox and option IDs, active-descendant updates, and a live status announcement. Keep the native textarea role conforming while preserving the menu relationships and tests.
* chore(barnacle): add false positive close label (#75014)
* fix(cli): avoid progress spinners in active TUI input (#75003)
Merged via squash.
Prepared head SHA: 129e23e71605c5158ac33ad30de088aca530f712
Co-authored-by: velvet-shark <126378+velvet-shark@users.noreply.github.com>
Co-authored-by: velvet-shark <126378+velvet-shark@users.noreply.github.com>
Reviewed-by: @velvet-shark
* fix(ci): bound manual stale closure backfill
Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
* fix(macos): repair stale gateway tls pins (#75038)
Merged via squash.
Prepared head SHA: 35196f8f714d4ab07ebb211802693d03385486ad
Co-authored-by: ngutman <1540134+ngutman@users.noreply.github.com>
Co-authored-by: ngutman <1540134+ngutman@users.noreply.github.com>
Reviewed-by: @ngutman
* fix(macos): keep A2UI canvas content visible (#75039)
* fix(security): stop implicit tool grants from config sections (#47487) (#75055)
* fix(security): stop implicit tool grants from config sections (#47487)
Configured tool sections (tools.exec, tools.fs) no longer implicitly
widen restrictive profiles (messagin…
This was referenced May 1, 2026
lxe
pushed a commit
to lxe/openclaw
that referenced
this pull request
May 6, 2026
…emote address (openclaw#74453) * fix(voice-call): close in-flight limiter fail-open on empty remote address The webhook in-flight limiter (createWebhookInFlightLimiter in src/plugin-sdk/webhook-request-guards.ts) returns true unconditionally when tryAcquire is called with an empty key — that is its by-contract fail-open path used to mean 'caller is opting out of the limiter'. The voice-call webhook handler reached that path silently: it computed 'req.socket.remoteAddress ?? ""' and passed the empty string straight into tryAcquire. Whenever req.socket.remoteAddress was absent (closed socket, edge proxy quirk), the limiter became a no-op and the request proceeded directly to readBody without any concurrency cap. Fix: when remoteAddress is missing, log a warning and fall back to a constant non-empty key ('__voice_call_no_remote__') so all such requests share one in-flight bucket instead of bypassing the limiter entirely. The bucket size stays maxInFlightPerKey (default 8), which is the right defense-in-depth posture against slow-body attacks arriving with stripped IP info. Scoped to voice-call only. Other consumers of the SDK helper (bluebubbles via openclaw/plugin-sdk/webhook-ingress) are not changed to avoid drive-by edits to plugins this PR does not own. The shared SDK contract (empty key = bypass) is left as-is and documented implicitly by the fix's comment block. The existing 8-concurrent test in webhook.test.ts continues to assert the limiter engages on the happy path; no new test added since the private handleRequest path is not unit-test exposed and the change is two-line auditable from the diff alone. * test(voice-call): cover missing webhook remote address limiter * test: align changed package sdk routing --------- Co-authored-by: Peter Steinberger <steipete@gmail.com>
github-actions Bot
pushed a commit
to Desicool/openclaw
that referenced
this pull request
May 9, 2026
…emote address (openclaw#74453) * fix(voice-call): close in-flight limiter fail-open on empty remote address The webhook in-flight limiter (createWebhookInFlightLimiter in src/plugin-sdk/webhook-request-guards.ts) returns true unconditionally when tryAcquire is called with an empty key — that is its by-contract fail-open path used to mean 'caller is opting out of the limiter'. The voice-call webhook handler reached that path silently: it computed 'req.socket.remoteAddress ?? ""' and passed the empty string straight into tryAcquire. Whenever req.socket.remoteAddress was absent (closed socket, edge proxy quirk), the limiter became a no-op and the request proceeded directly to readBody without any concurrency cap. Fix: when remoteAddress is missing, log a warning and fall back to a constant non-empty key ('__voice_call_no_remote__') so all such requests share one in-flight bucket instead of bypassing the limiter entirely. The bucket size stays maxInFlightPerKey (default 8), which is the right defense-in-depth posture against slow-body attacks arriving with stripped IP info. Scoped to voice-call only. Other consumers of the SDK helper (bluebubbles via openclaw/plugin-sdk/webhook-ingress) are not changed to avoid drive-by edits to plugins this PR does not own. The shared SDK contract (empty key = bypass) is left as-is and documented implicitly by the fix's comment block. The existing 8-concurrent test in webhook.test.ts continues to assert the limiter engages on the happy path; no new test added since the private handleRequest path is not unit-test exposed and the change is two-line auditable from the diff alone. * test(voice-call): cover missing webhook remote address limiter * test: align changed package sdk routing --------- Co-authored-by: Peter Steinberger <steipete@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The voice-call webhook handler silently bypasses its in-flight rate limiter when
req.socket.remoteAddressis unavailable. This PR closes that fail-open path with a constant fallback key.Bug
extensions/voice-call/src/webhook.ts:619(pre-PR):The shared SDK helper at
src/plugin-sdk/webhook-request-guards.ts:111-114returnstrueunconditionally for an empty key — that is its by-contract opt-out path. So whenreq.socket.remoteAddressis missing (closed socket, edge proxy quirk), the limiter silently becomes a no-op and the request proceeds toreadBodywithout a concurrency cap.Fix
Detect missing remoteAddress, log a warning, and fall back to a constant non-empty key so the limiter still engages:
All requests with absent IP info share one in-flight bucket of size
maxInFlightPerKey(default 8).Why only voice-call
I initially added a googlechat companion fix in this PR, but @clawsweeper Codex review correctly pointed out that
withResolvedWebhookRequestPipelinealready supplies a non-empty fallback key atsrc/plugin-sdk/webhook-targets.ts:144(${resolved.path}:${remoteAddress ?? "unknown"}), which is strictly better than what my fix was passing (it preserves the per-IP component). I reverted those two commits. Voice-call has its own pipeline that does not go through that helper, so the fail-open is real for voice-call specifically.Sweep results
I checked all callers of
createWebhookInFlightLimiter:?? ""fallback, direct call totryAcquireline:${normalizedPath}always non-emptyTest plan
pnpm test extensions/voice-call/src/webhook.test.ts— existing 8-concurrent in-flight test still asserts 429 on the 9th request (no regression on the happy path).No new automated test added: the private
handleRequestpath doesn't have a clean unit-test seam, the change is two-line auditable from the diff, and adding a focused test would require breaking encapsulation throughas unknown ascasts.Related context (not blockers)
Same shape as the silent-failure cluster fixed earlier this week:
copyFilecatch logged success on EACCESsocket.closecatches let evicted clients surviveThe shared SDK helper's empty-key bypass behavior at
webhook-request-guards.ts:111-114is preserved unchanged. Hardening that primitive (fail-closed by default) is a separate, larger-scope change worth its own PR.