fix(security): stop implicit tool grants from config sections (#47487) by amknight · Pull Request #75055 · openclaw/openclaw

amknight · 2026-04-30T11:35:43Z

Summary

Fixes #47487 - agent tool profile restrictions (e.g. messaging, minimal) are bypassed when tools.exec or tools.fs config sections exist anywhere in config.

Problem

Since v2026.3.8 (e8775cda93), the presence of a tools.exec or tools.fs config section - even one that only configures safety settings like security: "allowlist" - causes those tools to be implicitly added to profileAlsoAllow. This defeats restrictive profiles: an agent on tools.profile: "messaging" with alsoAllow: ["image"] still gets exec if tools.exec exists globally.

The same pattern exists independently in tool-fs-policy.ts, where tools.fs presence grants read/write/edit for filesystem root expansion regardless of the active profile.

Fix

Principle: config sections configure behavior, they do not grant access. Only alsoAllow and profiles grant access.

pi-tools.policy.ts: resolveImplicitProfileAlsoAllow renamed to detectImplicitProfileGrants and used only for a migration warning. Implicit grants are no longer merged into profileAlsoAllow. A logWarn tells affected users exactly which alsoAllow entries to add.
tool-fs-policy.ts: Removed implicit read/write/edit grant from resolveEffectiveToolFsRootExpansionAllowed. Root expansion now requires actual read access via the profile or explicit alsoAllow.

Migration

Users who relied on the implicit behavior will see a startup warning and need to add explicit alsoAllow:

{
  tools: {
    profile: "messaging",
    alsoAllow: ["exec", "process"],  // was implicit, now required
    exec: { security: "allowlist" }
  }
}

Compatibility impact

Most users should not need config changes. Only restrictive-profile configs (minimal/messaging) that relied on tools.exec or tools.fs to implicitly expose runtime/filesystem tools need to add explicit alsoAllow entries; configs that already use coding, full, or explicit alsoAllow are unchanged.

Tests

Updated 4 existing tests that asserted the buggy implicit-grant behavior
Added 3 new regression tests covering: global exec + agent messaging profile, agent-level fs + messaging profile, and explicit alsoAllow with exec
Added 1 new test for tool-fs-policy confirming explicit alsoAllow: ["read"] restores root expansion

Configured tool sections (tools.exec, tools.fs) no longer implicitly widen restrictive profiles (messaging, minimal). Previously, having a tools.exec section anywhere in config — even just safety settings like security: "allowlist" — would automatically add exec and process to the profile's allowed tools, defeating the purpose of the restrictive profile. The same pattern existed in tool-fs-policy.ts where tools.fs presence would add read/write/edit to the profile allowlist for root expansion. Changes: - pi-tools.policy.ts: Stop merging implicit grants into profileAlsoAllow. Renamed resolveImplicitProfileAlsoAllow → detectImplicitProfileGrants and use it only for a startup warning that tells users to add explicit alsoAllow entries. - tool-fs-policy.ts: Remove the implicit read/write/edit grant from resolveEffectiveToolFsRootExpansionAllowed when tools.fs is present. Root expansion now requires actual read access via profile or alsoAllow. - Updated 4 existing tests and added 3 new regression tests. Migration: users who relied on tools.exec or tools.fs implicitly granting access under a restrictive profile should add explicit alsoAllow entries: tools: profile: "messaging" alsoAllow: ["exec", "process"] # was implicit, now required exec: { security: "allowlist" } Fixes #47487

amknight · 2026-04-30T11:44:30Z

/clawsweeper automerge

clawsweeper · 2026-04-30T11:50:12Z

Codex review: passed for ClawSweeper automerge.

What this changes:

The PR removes implicit exec/process and filesystem profile grants from configured tools.exec/tools.fs sections, adds a migration warning, updates focused policy and media-root tests, and adds a changelog entry.

Automerge follow-up:

This is an active security-boundary PR with a protected maintainer label; the next action is maintainer review and final CI, not a separate automated repair lane.

Security review:

Security review cleared: The diff tightens tool authorization and does not add dependencies, workflows, secret handling, downloaded artifacts, or new supply-chain execution paths.

Review details

Best possible solution:

Land a maintainer-approved security fix that keeps configuration sections as behavior settings only, requires profiles or explicit alsoAllow entries for access, preserves deny precedence, and lets the linked #47487 close through the merged PR once CI is green.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main can be reproduced at the source level by resolving a messaging profile with configured tools.exec or tools.fs; the existing tests also assert the implicit-grant behavior that the PR changes.

Is this the best way to solve the issue?

Yes, with maintainer approval pending. Requiring profile or explicit alsoAllow to grant tools is the narrow maintainable direction, and the latest head addresses the prior media-root and warning-scope feedback.

Acceptance criteria:

pnpm test src/agents/pi-tools.policy.test.ts src/agents/tool-fs-policy.test.ts src/media/local-roots.test.ts
pnpm check:changed in Testbox after maintainer-approved changes

What I checked:

Protected label: The PR currently carries the protected maintainer label, so cleanup automation should not close or land it without explicit maintainer handling. (8630375ad3b4)
Current main still has implicit grants: Current main adds exec/process when tools.exec exists and read/write/edit when tools.fs exists, then merges those implicit values into profileAlsoAllow. (src/agents/pi-tools.policy.ts:370, 58a0b077c1c5)
Filesystem root expansion analogue: Current main treats an explicit tools.fs section as a filesystem opt-in for root expansion by adding fs tools to the profile allow set. (src/agents/tool-fs-policy.ts:49, 58a0b077c1c5)
Docs profile boundary: The tools docs define messaging without runtime or filesystem tools and list those as separate coding/tool-group capabilities. Public docs: docs/tools/index.md. (docs/tools/index.md:136, 58a0b077c1c5)
PR diff removes implicit widening: The PR head stops merging detected configured-tool grants into profileAlsoAllow and uses detection only to warn when the selected profile and explicit alsoAllow do not already cover those tools. (src/agents/pi-tools.policy.ts:429, 8630375ad3b4)
Prior review findings addressed: The latest diff updates the media-root test expectation to require explicit alsoAllow: ["read"], and the warning check now consults the resolved profile allowlist before warning. (src/media/local-roots.test.ts:154, 8630375ad3b4)

Likely related people:

steipete: GitHub commit history shows e8775cda932f introduced the configured-tool re-exposure behavior, with later nearby tool-policy and security-boundary work in the same area. (role: introduced behavior and central policy maintainer; confidence: high; commits: e8775cda932f, d94a981a3343, aad014c7c1fa; files: src/agents/pi-tools.policy.ts, src/agents/pi-tools.policy.test.ts)
jacobtomlinson: Commit 824e16f9dddd added resolveEffectiveToolFsRootExpansionAllowed() and the media-root expectations that this PR updates for explicit filesystem access. (role: filesystem media-root contract introducer; confidence: high; commits: 824e16f9dddd, 1ca4261d7e05; files: src/agents/tool-fs-policy.ts, src/agents/tool-fs-policy.test.ts, src/media/local-roots.ts)
drobison00: Commit 0e7a992d3f31 added the embedded-runner final policy path that consumes profileAlsoAllow, making it relevant to this authorization boundary. (role: adjacent policy consumer maintainer; confidence: medium; commits: 0e7a992d3f31; files: src/agents/pi-embedded-runner/effective-tool-policy.ts, src/agents/pi-tools.policy.ts)

Remaining risk / open question:

Final broad CI was still in progress at inspection, including build-artifacts, the parity gate, and two node shards.
This is a security-sensitive compatibility change for users who relied on configured tool sections to expose runtime or filesystem tools under restrictive profiles.
The protected maintainer label requires explicit maintainer handling even though this read-only pass found no blocking diff finding.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 58a0b077c1c5.

clawsweeper · 2026-04-30T12:01:02Z

🦞🦞
ClawSweeper automerge is enabled for this PR.

I added clawsweeper:automerge and asked ClawSweeper to review this head. If ClawSweeper emits a repair marker or requests changes, I will repair/rebase the branch and ask for another review, up to the configured round limit.

Draft PRs stay fix-only until GitHub marks them ready for review. A maintainer can pause this with /clawsweeper stop.

amknight · 2026-04-30T12:08:56Z

/clawsweeper stop

clawsweeper · 2026-04-30T12:48:41Z

🦞🦞
Got it. ClawSweeper will leave this item for human review.

I added clawsweeper:human-review and paused the automation trail until a maintainer asks again.

#75055) * fix(security): stop implicit tool grants from config sections (#47487) Configured tool sections (tools.exec, tools.fs) no longer implicitly widen restrictive profiles (messaging, minimal). Previously, having a tools.exec section anywhere in config — even just safety settings like security: "allowlist" — would automatically add exec and process to the profile's allowed tools, defeating the purpose of the restrictive profile. The same pattern existed in tool-fs-policy.ts where tools.fs presence would add read/write/edit to the profile allowlist for root expansion. Changes: - pi-tools.policy.ts: Stop merging implicit grants into profileAlsoAllow. Renamed resolveImplicitProfileAlsoAllow → detectImplicitProfileGrants and use it only for a startup warning that tells users to add explicit alsoAllow entries. - tool-fs-policy.ts: Remove the implicit read/write/edit grant from resolveEffectiveToolFsRootExpansionAllowed when tools.fs is present. Root expansion now requires actual read access via profile or alsoAllow. - Updated 4 existing tests and added 3 new regression tests. Migration: users who relied on tools.exec or tools.fs implicitly granting access under a restrictive profile should add explicit alsoAllow entries: tools: profile: "messaging" alsoAllow: ["exec", "process"] # was implicit, now required exec: { security: "allowlist" } Fixes #47487 * fix: address tool policy review feedback

* docs: refresh plugin sdk api baseline * fix(google): support Vertex authorized_user ADC * fix(cli): scope packaged compile cache * test: align model list expectations * changelog: Add inferred follow-up commitments for agents Move commitment changelog entry to unreleased. * test: avoid volatile model availability assertions * feat: default active steering to batched delivery * test(plugins): align release validation fixtures * docs(config): document queue backlog alias * refactor(channels): finish turn kernel migration * fix(test): configure kitchen sink before enable * fix(msteams): accept conversation id allowlists * fix: changed explicit-path handling regression (#74672) * fix: changed explicit-path handling regression * fix: preserve unicode adc fallback paths --------- Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> Co-authored-by: Shakker <shakkerdroid@gmail.com> * test: cover sdk gateway integration * docs: clarify app sdk documentation * test: align sdk gateway event e2e * fix(discord): cool down Cloudflare 429 responses * fix(discord): bound application summary probes * fix(discord): allow configured application ids * docs(discord): clarify application id account scope * docs(discord): tag Cloudflare cooldown changelog * fix(docs): bound i18n codex prompt cleanup * fix: compatibility gaps in the new Google Vertex ADC manifest evidence Tighten Google Vertex ADC manifest evidence to canonical project env vars and canonical ADC fallback paths only. Local proof: - OPENCLAW_VITEST_MAX_WORKERS=1 pnpm test src/agents/model-auth.profiles.test.ts src/plugins/manifest-registry.test.ts src/secrets/provider-env-vars.dynamic.test.ts - pnpm exec oxfmt --check --threads=1 docs/plugins/manifest.md extensions/google/openclaw.plugin.json src/agents/model-auth-env.ts src/agents/model-auth.profiles.test.ts src/plugins/manifest.ts - git diff --check origin/main...HEAD CI note: checks-node-core-support-boundary was red on an unrelated tooling assertion in test/scripts/test-projects.test.ts for packages/sdk/src/index.test.ts routing; that file and scripts/test-projects.mjs are unchanged from origin/main. * test(sdk): remove redundant fake transport cast * fix(status): resolve packaged channel setup loader * docs: document shipped app sdk * docs: update clawsweeper automerge workflow * fix(voice-call): close webhook in-flight limiter fail-open on empty remote address (#74453) * fix(voice-call): close in-flight limiter fail-open on empty remote address The webhook in-flight limiter (createWebhookInFlightLimiter in src/plugin-sdk/webhook-request-guards.ts) returns true unconditionally when tryAcquire is called with an empty key — that is its by-contract fail-open path used to mean 'caller is opting out of the limiter'. The voice-call webhook handler reached that path silently: it computed 'req.socket.remoteAddress ?? ""' and passed the empty string straight into tryAcquire. Whenever req.socket.remoteAddress was absent (closed socket, edge proxy quirk), the limiter became a no-op and the request proceeded directly to readBody without any concurrency cap. Fix: when remoteAddress is missing, log a warning and fall back to a constant non-empty key ('__voice_call_no_remote__') so all such requests share one in-flight bucket instead of bypassing the limiter entirely. The bucket size stays maxInFlightPerKey (default 8), which is the right defense-in-depth posture against slow-body attacks arriving with stripped IP info. Scoped to voice-call only. Other consumers of the SDK helper (bluebubbles via openclaw/plugin-sdk/webhook-ingress) are not changed to avoid drive-by edits to plugins this PR does not own. The shared SDK contract (empty key = bypass) is left as-is and documented implicitly by the fix's comment block. The existing 8-concurrent test in webhook.test.ts continues to assert the limiter engages on the happy path; no new test added since the private handleRequest path is not unit-test exposed and the change is two-line auditable from the diff alone. * test(voice-call): cover missing webhook remote address limiter * test: align changed package sdk routing --------- Co-authored-by: Peter Steinberger <steipete@gmail.com> * fix(models): unconditionally suppress stale openai-codex/gpt-5.4-mini inline entries (#74451) (#74655) * fix(models): block stale openai-codex/gpt-5.4-mini inline entries via unconditional suppression (#74451) Suppress explicitly user-configured openai-codex/gpt-5.4-mini inline entries so a stale models config written by `openclaw doctor --fix` cannot bypass the manifest capability block and cause repeated assistant-turn failures when the runtime switches to that model on ChatGPT-backed Codex accounts. Adds `unconditionalOnly` flag to `buildManifestBuiltInModelSuppressionResolver` and a `shouldUnconditionallySuppress` helper. Inside `resolveExplicitModelWithRegistry`, inline matches are now gated on unconditional suppressions (no `when` clause) before returning. Conditional suppressions such as the qwen Coding Plan endpoint guard remain bypassable by explicit user configuration, preserving the existing `resolves explicitly configured qwen3.6-plus before Coding Plan built-in suppression` behaviour. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(changelog): add missing reporter attribution for #74451 models suppression fix * docs: credit codex mini suppression contributors --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Shakker <shakkerdroid@gmail.com> * test(scripts): align changed sdk routing expectation * docs: document clawsweeper changelog gate * docs: explain security autofix boundary * fix(docs): allow partial i18n doc batches * fix: refresh Google Meet speech retry readiness * refactor(channels): share turn dispatch results * test(core): stabilize changed gate mocks * fix: harden slack command menus * fix(codex): flush pending steering on completion * chore: ignore Google OAuth client secrets * docs(changelog): backfill last-24h sidebar trigger entry For 323985f4ca (Val Alexander/@BunsDev): adds a Control UI/exports entry covering the sidebar-trigger affordance alignment across the resizable divider, mobile layout, and exported-HTML transcript template. The other Val/@BunsDev fix (b1c515270e) was already covered by the existing "Control UI/mobile: persist mobile chat settings" entry. The rest of the last 24h's missing-CHANGELOG candidates are either: - already covered by adjacent entries (Shakker manifest auth-evidence series under "CLI/models: keep manifest auth-evidence credentials visible", Discord application id + Cloudflare 429 under "Channels/ Discord: cool down Cloudflare/Error 1015 HTML 429", config patch follow-ups under "Plugins/runtime-deps: add openclaw plugins deps", etc.); - internal/test/CI/refactor with no operator surface; - Clawsweeper-bot self-fixes for already-merged PRs; - Peter-only with no external collaborator (per the attribution rule against thanking @steipete). * fix(plugins): use tokenjuice published openclaw types * chore(ci): add CodeQL PR security guard Runs the narrow CodeQL critical-security matrix on non-draft pull requests for code and workflow security-boundary changes. * fix: harden slack interactive blocks * fix: mirror sqlite-vec for bundled memory runtime * fix: bound slack interactive button urls * fix(gateway): bound discovery advertise startup * fix(gateway): refresh model catalog off request path * fix(feishu): fallback to media resource download (#73986) (thanks @alex-xuweilong) * test: cover app sdk gateway surfaces * fix(amazon-bedrock): expose Opus 4.7 thinking profile * fix(whatsapp): track provider-accepted auto-replies * fix: bound slack command confirm text * refactor(channels): move more turn policy into kernel * fix(plugins): repair incomplete runtime-deps mirrors * fix(bonjour): cap flapping advertiser restarts * fix: bound slack approval metadata * fix: interpolate heartbeat response prefix templates (#73996) (thanks @yweiii and @JunJD) * fix(mattermost): add WebSocket ping/pong keepalive (#73979) Adds Mattermost WebSocket ping/pong liveness checks so half-open sockets terminate and the existing reconnect loop recovers. Fixes #41837. Carries forward #57621. Refs #50138, #44160, and #51104. Thanks @JasonWang1124. Co-authored-by: JasonWang1124 <56307673+JasonWang1124@users.noreply.github.com> * fix(feishu): clean up bitable placeholder rows with empty defaults Preserve the Feishu-local cleanup path while matching the Lark SDK record value shapes: recursively delete default-empty strings, nulls, arrays, and nested text spans, but keep meaningful links, attachments, users, locations, numbers, and booleans.\n\nCarries forward #40602. Thanks @boat2moon. * fix(memory-lancedb): show full IDs in memory_forget candidate list * fix(lint): resolve oxlint errors * test(memory-lancedb): mock embedding transport in forget test * docs(changelog): thank memory forget fix contributor * fix: cap slack command menu blocks * fix: drop overlong slack command values * chore(ci): widen CodeQL PR guard Runs the PR CodeQL security guard as high-confidence high/critical security coverage and adds the initial plugin/package-contract quality guard. * refactor(channels): route inbound turns through kernel * fix(macos): keep attach-only from stopping gateway launchd * style(macos): order attach-only test modifiers * docs: credit macos attach-only launchd fix * fix(plugin-sdk): restore zalouser facade * fix(plugins): repair configured runtime deps * fix(plugins): resolve plugin paths from root * fix(plugins): prefer require runtime aliases * docs: update plugin runtime changelog * docs: document high-confidence triage candidate filter * fix(channels): preserve observe-only turn compatibility * fix: warn before npm prefix redirection (#73890) (thanks @Sayeem3051) * fix(sdk): stabilize run event chat projections (#74750) thanks @bitloi Co-authored-by: bitloi <raphaelaloi.eth@gmail.com> * fix(gateway): align sessions abort wait semantics (#74751) thanks @BunsDev Co-authored-by: Val Alexander <68980965+BunsDev@users.noreply.github.com> * fix: stabilize full release validation * fix(discord): avoid resolving tokens for read-only accessors * docs: update changelog for Discord SecretRef accessor (#74737) * fix(agents): drop metadata-only replay turns Fixes #74745 * fix(file-transfer): require canonical node policy authorization (#74742) * feat(file-transfer): add bundled plugin for binary file ops on nodes New extensions/file-transfer/ plugin exposing four agent tools (file_fetch, dir_list, dir_fetch, file_write) and four matching node-host commands (file.fetch, dir.list, dir.fetch, file.write). Lets agents read and write files on paired nodes by absolute path, bypassing the bash output cap (200KB) and the live tool-result text cap that would otherwise truncate base64 payloads. Public surface -------------- - file_fetch({ node, path, maxBytes? }) Image MIMEs return image content blocks; small text (<=8 KB) inlines as text content; everything else returns a saved-media-path text block. sha256-verified end-to-end. - dir_list({ node, path, pageToken?, maxEntries? }) Structured directory listing — name, path, size, mimeType, isDir, mtime. Paginated. No content transfer. - dir_fetch({ node, path, maxBytes?, includeDotfiles? }) Server-side tar -czf streamed back, unpacked into the gateway media store, returns a manifest of saved paths. Single round-trip. 60s wall-clock timeouts on tar create/unpack. tar -xzf without -P rejects absolute paths in archive entries. - file_write({ node, path, contentBase64, mimeType?, overwrite?, createParents? }) Atomic write (temp + rename). Refuses to overwrite by default. Refuses to write through symlinks (lstat check). Buffer-side sha256 (no read-back race). Pair with file_fetch to round-trip files between nodes — DO NOT use exec/cp for file copies. All four commands gated by: - dangerous-by-default node command policy (gateway.nodes.allowCommands opt-in) - per-node path policy (gateway.nodes.fileTransfer) - optional operator approval prompt (ask: off | on-miss | always) 16 MB raw byte ceiling per single-frame round-trip (25 MB WS frame with ~33% base64 overhead and JSON envelope). 8 MB defaults. Path policy and approvals ------------------------- Default behavior is DENY. The operator must explicitly opt in: { "gateway": { "nodes": { "fileTransfer": { "<nodeId-or-displayName>": { "ask": "off" | "on-miss" | "always", "allowReadPaths": ["~/Screenshots/**", "/tmp/**"], "allowWritePaths": ["~/Downloads/**"], "denyPaths": ["**/.ssh/**", "**/.aws/**"], "maxBytes": 16777216 }, "*": { "ask": "on-miss" } } } } } ask modes: off — silent: allow if matched, deny if not (default) on-miss — silent allow if matched; prompt on miss always — prompt every call (denyPaths still hard-deny) denyPaths always wins. allow-always from the prompt persists the exact path back into allowReadPaths/allowWritePaths via mutateConfigFile so subsequent matching calls go silent. Reuses existing primitives — no new gateway methods: plugin.approval.request / plugin.approval.waitDecision decision: allow-once | allow-always | deny Pre-flight against requested path AND post-flight against the canonicalPath returned by the node — closes symlink-escape attacks where the requested path matched policy but realpath resolves somewhere else. Audit log --------- JSONL at ~/.openclaw/audit/file-transfer.jsonl. Records every decision (allow/allowed-once/allowed-always/denied/error) with timestamp, op, nodeId, displayName, requestedPath, canonicalPath, decision, error code, sizeBytes, sha256, durationMs. Best-effort writes; never propagates failure. Plugin layout ------------- extensions/file-transfer/ index.ts definePluginEntry, nodeHostCommands openclaw.plugin.json contracts.tools registration package.json src/node-host/{file-fetch,dir-list,dir-fetch,file-write}.ts src/tools/{file-fetch,dir-list,dir-fetch,file-write}-tool.ts src/shared/ mime.ts single-source extension->MIME map + image/text sets errors.ts shared error code enum and helpers params.ts shared param-validation helpers + GatewayCallOptions policy.ts evaluateFilePolicy, persistAllowAlways approval.ts plugin.approval.request wrapper gatekeep.ts one-stop policy + approval + audit orchestrator audit.ts JSONL audit sink Core touch points ----------------- - src/infra/node-commands.ts: NODE_FILE_FETCH_COMMAND, NODE_DIR_LIST_COMMAND, NODE_DIR_FETCH_COMMAND, NODE_FILE_WRITE_COMMAND, NODE_FILE_COMMANDS array - src/gateway/node-command-policy.ts: all four added to DEFAULT_DANGEROUS_NODE_COMMANDS - src/security/audit-extra.sync.ts: audit detail mentions file ops - src/agents/tools/nodes-tool-media.ts: MEDIA_INVOKE_ACTIONS entry for file.fetch redirects raw nodes(action=invoke) callers to the dedicated file_fetch tool to prevent base64 context bloat - src/agents/tools/nodes-tool.ts: nodes tool description points to the dedicated file_fetch tool Known limitations / follow-ups ------------------------------ - No tests in this PR. For a security-sensitive surface this is a gap; will follow up with a test pass. - Direct CLI invocation (openclaw nodes invoke --command file.fetch) bypasses the plugin policy entirely. Plugin-side gating is the realistic threat model (agent on iMessage requesting paths it shouldn't), but for true defense-in-depth, policy belongs in the gateway-side node.invoke dispatch. Move-policy-to-core is a separate PR. - file_watch (long-lived filesystem event subscription) is not included; it needs a new node-protocol primitive for streaming event channels and was descoped from this PR. - dir_fetch includeDotfiles: true is the only supported mode; BSD tar exclude patterns reliably collapse dotfile filtering to an empty archive. Reliable filtering needs a `find ! -name ".*" | tar -T -` pipeline; deferred. - dir_fetch du -sk preflight is a heuristic (du * 4 vs maxBytes); the mid-stream byte cap is the actual safety net. * test(file-transfer): add unit tests for handlers, policy, and shared utilities Adds 77 tests covering: - handleFileFetch: validation, fs errors, sha256, size cap, symlink canonicalization - handleFileWrite: validation, atomic write, overwrite policy, parent dir handling, symlink refusal, integrity check, size cap - handleDirList: validation, fs errors, sorted listing, dotfile inclusion, pagination - handleDirFetch: validation, fs errors, gzipped tar with sha256, mid-stream byte cap - evaluateFilePolicy: default-deny, denyPaths-wins, allow matching, ask modes (off/on-miss/always), node-id/displayName/'*' resolution - persistAllowAlways: append, dedupe, create-on-missing - shared/mime: extension lookup, image/text inline sets - shared/errors: err helper, classifyFsError, throwFromNodePayload Also fixes accumulated lint regressions in the prod source flagged once these files moved into the changed-gate scope (parseInt -> Number.parseInt, redundant type casts removed, single-statement if bodies wrapped in braces). * fix(file-transfer): address PR review feedback (security + availability) Reviewer findings addressed (greptile + aisle): - policy: persistAllowAlways no longer escalates per-node approvals to the '*' wildcard entry; allow-always now writes under the specific node's own entry, never the wildcard (greptile P1 SECURITY). - policy: add literal '..' segment short-circuit in evaluateFilePolicy, raised before glob match. Stops "/allowed/../etc/passwd" from passing preflight against "/allowed/**" globs (aisle MEDIUM CWE-22). - file-write: replace no-op base64 try/catch with actual round-trip validation. Buffer.from(s, "base64") never throws — invalid input silently decoded to garbage bytes. Now re-encodes and compares modulo padding/url-variant chars (greptile P1 SECURITY). - file-write: document the parent-symlink residual risk and rely on the existing gateway-side post-flight policy check; full rollback requires a node-side file.unlink which is deferred to a follow-up. Initial segment-walk attempt was reverted because it false-positives on system symlinks like macOS /var → /private/var (aisle HIGH CWE-59). - dir-fetch tool: add preValidateTarball pass that runs `tar -tzvf` and rejects symlinks, hardlinks, absolute paths, '..' traversal, uncompressed sizes >64MB, and entry counts >5000 — before any extraction. Drops --no-overwrite-dir (GNU-only flag rejected by BSD tar on macOS) (aisle HIGH x2 CWE-22 + CWE-409, greptile P2). - dir-fetch tool: stream-hash files via fs.open + read loop instead of fs.readFile to avoid full-buffer reads on large extracted entries. - dir-fetch handler: replace spawnSync in countTarEntries with async spawn + bounded buffer so tar -tzf can't park the node-host event loop for up to 10s on a slow filesystem (greptile P1 AVAIL). - audit: clear auditDirPromise on rejection so a transient mkdir failure doesn't permanently silence the audit log (greptile P2). New tests: wildcard escalation rejection, base64 malformed/url-variant, '..' traversal short-circuit (3 cases). 84/84 passing. * fix(file-transfer): CI failures + second-round PR review feedback CI failures on previous push: - Declare runtime deps (minimatch, typebox) in package.json — failed the extension-runtime-dependencies contract test that scans imports. - Switch policy.ts and policy.test.ts off the broad openclaw/plugin-sdk/config-runtime barrel and onto the narrow openclaw/plugin-sdk/config-mutation + runtime-config-snapshot subpaths. This satisfies the deprecated-internal-config-api architecture guard. Second-round Aisle findings: - policy: traversal-segment check now treats backslash and forward slash as equivalent, so a Windows node can't be hit with mixed-separator "C:\\allowed\\..\\Windows\\system.ini" (Aisle HIGH CWE-22). - dir-fetch tool: replace the single fragile `tar -tvzf` parser pass (which broke for filenames containing whitespace) with two robust passes: `tar -tzf` for paths only (one per line, no parsing of fixed columns) and `tar -tzvf` for type chars only (FIRST CHAR of each line, never the path column). Also reject backslash-containing entry names. Drops the in-process uncompressed-size cap because reliably parsing sizes from tar output is fragile and Aisle flagged it as a bypass primitive — entry-count cap stays (Aisle HIGH CWE-22, MED). Tests still 84/84 passing. * fix(file-transfer): third-round PR review feedback Aisle's re-analysis on b63daa6a05 surfaced 3 actionable findings: - nodes.invoke bypass (HIGH CWE-285): generic nodes.action="invoke" let agents call dir.list/dir.fetch/file.write directly, skipping the file-transfer plugin's gatekeep + policy + approval flow. Only file.fetch was redirected to its dedicated tool. Add the other three to MEDIA_INVOKE_ACTIONS so the redirect-or-deny logic in nodes-tool-commands fires for all four. The dedicated tools enforce policy; the generic invoke surface no longer has a way to skip them without an explicit allowMediaInvokeCommands opt-in. - prototype pollution in persistAllowAlways (MED CWE-1321): a paired node with displayName "__proto__" / "prototype" / "constructor" would mutate the fileTransfer object's prototype when persisting allow-always. Reject those keys explicitly. Switch the existing-key lookup to Object.prototype.hasOwnProperty.call so a key like "constructor" doesn't accidentally match Object.prototype.constructor. - decompression-bomb cap in dir_fetch (MED CWE-409): compressed tar is bounded upstream, but a highly compressible bomb can still expand to gigabytes. Enforce DIR_FETCH_MAX_UNCOMPRESSED_BYTES (64MB) summed across extracted files and DIR_FETCH_MAX_SINGLE_FILE_BYTES (16MB) per entry, both checked during the post-extract walk. On bust, rm -rf the rootDir and audit-log + throw UNCOMPRESSED_TOO_LARGE. Tests: 85/85 passing (added prototype-pollution rejection test). Aisle's HIGH parent-symlink finding remains documented as deferred — full rollback requires a node-side file.unlink command which is out of scope for this PR. The gateway-side post-flight policy check still detects and loudly errors on canonical-path mismatches. * fix(file-transfer): refuse symlink traversal by default with followSymlinks opt-in Closes the deferred Aisle HIGH parent-symlink finding. Instead of detecting the escape in a post-flight gateway check after the file is already written, the node-side handler now refuses pre-flight if any component of the requested path resolves through a symlink. Behavior: - Reads (file.fetch / dir.list / dir.fetch): node realpath()s the requested path. If canonical != requested AND followSymlinks=false, return SYMLINK_REDIRECT { canonicalPath } — no I/O happens. - Writes (file.write): node realpath()s the parent dir. Same refusal rule. The lstat-on-final check is kept to catch the case where the target file itself is an existing symlink. - Opt-in: set gateway.nodes.fileTransfer.<node>.followSymlinks=true to bring back the previous "follow + post-flight check" behavior. Operator UX: the SYMLINK_REDIRECT response includes the canonical path so the operator can either update their allow list to the canonical form or set followSymlinks=true on that node. On macOS, /var → /private/var and /tmp → /private/tmp are system aliases that trip the new check, so operators using those paths need followSymlinks=true OR canonical-path allowlists. Wiring: - Add followSymlinks?: boolean to NodeFilePolicyConfig. - evaluateFilePolicy returns followSymlinks (default false) on its ok=true branches. - gatekeep propagates it via GatekeepOutcome. - Each tool passes it as a node.invoke param. - Each handler honors it pre-flight before any read/write. Tests updated: 89/89 passing. - realpath(mkdtemp()) so existing happy-path tests don't trip the new default on macOS where mkdtemp lands under symlinked /var/folders. - New tests: SYMLINK_REDIRECT refusal for file.fetch and file.write parent traversal; opt-in passthrough when followSymlinks=true. - New policy test: followSymlinks propagation default false / true. * fix(file-transfer): close two more aisle findings on 069bd66 Aisle re-analysis on 069bd66 surfaced two issues my earlier round-three fix missed: - HIGH (CWE-284): file.fetch / dir.fetch / dir.list / file.write were still bypassable via the generic nodes.action="invoke" surface when the operator had set allowMediaInvokeCommands=true. That flag was meant to opt in to base64-bloat for camera/screen, not to disable path policy on file-transfer. Split the redirect map: introduce POLICY_REDIRECT_INVOKE_COMMANDS (file-transfer only) which ALWAYS rerouts to its dedicated tool regardless of the bloat flag. Camera and screen continue to use the bloat-only redirect (suppressed by allowMediaInvokeCommands=true). Confirmed by clawsweeper P1. - MED (CWE-276): tar -xzf in dir_fetch unpack preserved archive ownership and permissions, so a malicious node could plant setuid/setgid or world-writable files on a gateway running with elevated privileges. Add --no-same-owner --no-same-permissions (both flags are portable across BSD tar / GNU tar). Tests: 89/89 passing. * chore(file-transfer): drop file_watch from plugin description Phase 5 (file_watch) was deferred earlier in this PR. Strip the watch mention from the plugin description in package.json, openclaw.plugin.json, and index.ts so the metadata reflects what's actually shipped (file_fetch, dir_list, dir_fetch, file_write). Closes clawsweeper P3. * fix(file-transfer): hash before rename and allow zero-byte round-trip Two of Peter's review findings on PR #74134: - P2 (file-write integrity): hash the decoded buffer + compare against expectedSha256 BEFORE temp+rename. Previously the rename happened first, then the sha check unlinked the target on mismatch — with overwrite=true a bad caller hash could replace + delete the original. Now a hash mismatch returns INTEGRITY_FAILURE without touching disk. Added a regression test that asserts the original file survives. - P2/P3 (zero-byte round-trip): the tool layer's truthy checks on contentBase64 and base64 rejected the empty string, blocking zero-byte files from round-tripping through file_fetch -> file_write. Switched to type-checks (typeof === "string") and added zero-byte tests at the handler layer for both fetch and write (sha matches the known empty digest). Tests: 92/92 passing. * fix(file-transfer): declare gateway.nodes.fileTransfer in core config schema Peter's P1/P2 finding: the plugin reads/writes gateway.nodes.fileTransfer via casts through unknown because the strict zod schema and OpenClawConfig type didn't declare it. That meant `openclaw config validate` would reject the very examples in the plugin's own documentation. - Add fileTransfer block to gateway.nodes in src/config/zod-schema.ts with the full per-node entry shape (ask, allowReadPaths, allowWritePaths, denyPaths, maxBytes, followSymlinks). - Add GatewayNodeFileTransferEntry + the fileTransfer field on GatewayNodesConfig in src/config/types.gateway.ts. - Drop the `as unknown` casts in the extension's policy.ts now that gateway.nodes.fileTransfer is properly typed end-to-end. - Regenerate docs/.generated/config-baseline.sha256. Tests: 92/92 passing. pnpm config:docs:check OK. * fix(file-transfer): enforce path policy at gateway dispatch Closes Peter's P1 review finding on PR #74134. The agent-tool-only redirect added in earlier commits left CLI (`openclaw nodes invoke`), plugin-runtime, and raw `node.invoke` callers able to skip the file-transfer path policy entirely. The fix moves the security boundary down to the gateway: every code path that reaches `node.invoke` for file.fetch / dir.list / dir.fetch / file.write now runs the same allow/deny check. - New: src/gateway/file-transfer-dispatch.ts with `evaluateFileTransferDispatchPolicy` and `isFileTransferCommand`. Same semantics as the extension-side `evaluateFilePolicy` minus the operator-prompt flow (prompts stay at the agent-tool layer; the gateway is silent enforcement). - src/gateway/server-methods/nodes.ts: after the existing command allowlist check, run the new gate before forwarding. Denies emit INVALID_REQUEST with a structured `{ command, code, reason }`. - Decision matrix mirrors the extension: NO_POLICY (no entry for this node) deny, denyPaths-wins, '..' traversal short-circuit (with backslash separator handling), allowPaths match → allow, no allow match → deny. - 19 new unit tests covering each branch including identity resolution (nodeId/displayName/'*'), prototype-pollution-safe lookup, and read-vs-write allow-list separation. Note on allow-once approvals: the agent tool's interactive `allow-once` decision now has to flow through the dedicated tool's pre-flight (which forwards an approved request); raw `nodes.invoke` callers cannot benefit from one-time approvals because the gateway is silent. allow-always (which persists to allowReadPaths/allowWritePaths) continues to work transparently because by the time the next request hits the gateway the path is in the persisted allow list. Tests: 92 extension + 19 gateway = 111 total, all passing. * fix(file-transfer): enforce node policy in gateway * fix(file-transfer): use plugin node policy only * fix(file-transfer): harden node policy edge cases * fix(file-transfer): close review hardening gaps * fix(file-transfer): harden node invoke policy * fix(file-transfer): align runtime dependency versions * fix(file-transfer): keep minimatch extension-owned * refactor(file-transfer): remove unused approval gate * fix(file-transfer): require canonical node policy authorization Co-authored-by: Omar Shahine <10343873+omarshahine@users.noreply.github.com> * fix(clawsweeper): address review for automerge-openclaw-openclaw-74134 (1) Co-authored-by: Omar Shahine <10343873+omarshahine@users.noreply.github.com> * fix(file-transfer): recheck dir fetch archive policy after fetch * fix(file-transfer): name file-transfer tool in invoke redirect --------- Co-authored-by: Omar Shahine <10343873+omarshahine@users.noreply.github.com> Co-authored-by: Peter Steinberger <steipete@gmail.com> Co-authored-by: clawsweeper-repair <clawsweeper-repair@users.noreply.github.com> * test: accept kitchen sink conformance diagnostics * docs: update 2026.4.29 changelog * docs(changelog): backfill 1f1f70a23f gateway sessions abort wait semantics * fix(channels): keep status accessors config-only * fix(doctor): suppress false-positive embedding warning when probe skipped When `openclaw doctor` runs without --deep, the gateway probe is skipped and returns { checked: false, ready: false } (SKIPPED_MEMORY_EMBEDDING_PROBE). Key-optional providers (ollama, lmstudio, local) were incorrectly shown "could not confirm embeddings are ready" in this case, misleading users into thinking their fully-functional embedding setup had an issue. Guard the key-optional provider path: if probe.checked is false (probe was skipped, not run), return early without warning. A skipped probe carries no readiness signal — it is not a failure. - Adds two focused regression tests for ollama and lmstudio with skipped probe (checked: false) → expect note() not called - Updates the prior test that expected a warning on checked:false to reflect the corrected behaviour Fixes #74608 * fix(doctor): propagate gateway skipped-probe flag through adapter clawsweeper P1: probeGatewayMemoryStatus always returned checked: true on successful RPC, silently discarding payload.embedding.checked === false from the SKIPPED_MEMORY_EMBEDDING_PROBE gateway response. The renderer guard in noteMemorySearchHealth (added in prior commit) never saw checked: false in real execution — only on timeout paths. Fix: propagate checked flag from payload.embedding.checked so a skipped gateway probe surfaces as checked: false to the renderer, allowing the key-optional provider guard to suppress the false-positive warning. Add adapter-level regression test that verifies the skipped payload shape from doctor.memory.status reaches GatewayMemoryProbe as checked: false. * fix(doctor): add skipped discriminator to distinguish probe skip from gateway timeout Previously both a planned probe skip (probe:false path) and a transport timeout returned checked:false, so the renderer's !checked early return would silently suppress diagnostics for key-optional providers even when the gateway had timed out. - Add `skipped?: boolean` to GatewayMemoryProbe: true for gateway-confirmed skip, false for timeout/unavailable paths - Renderer now guards on `probe.skipped` instead of `!probe.checked`, so timeouts fall through to the existing warning path - Update doctor-memory-search inline type and buildGatewayProbeWarning signature - Update skipped-probe tests to pass { skipped: true }; add regression test for key-optional timeout (lmstudio gateway timeout now warns) Addresses clawsweeper P2: src/commands/doctor-memory-search.ts:416 * test(doctor): add skipped: false to gateway error and timeout test assertions * docs: credit doctor memory probe fix (#74653) (thanks @hclsys) * fix: keep slack message controls * fix: cap slack block fallback text * fix: cap slack edit fallback text * fix: cap slack approval update text * fix(active-memory): clarify modelFallbackPolicy deprecation warning text Closes #74587. AI-assisted, fully tested. The previous deprecation warning ("set config.modelFallback explicitly if you want a fallback model") read naturally as runtime failover — model A errors → switch to model B. The actual semantics in `getModelRef` are different: `modelFallback` is the **last candidate in the chain-resolution walk**, consulted only when `config.model`, the current run's model, AND the agent's configured default have all resolved to nothing. There is no error-recovery / retry-with-different-model path. The mismatch wastes real debug time. The issue filer reports ~1 hour of cycles before reading source revealed the gap; users without source access can debug for much longer assuming runtime failover exists. ## Fix Rewrite the warning string to: 1. State the deprecation (preserved). 2. Describe `modelFallback`'s actual semantics — chain-resolution last-resort, gated on the three earlier candidates resolving to nothing. 3. Explicitly disclaim the wrong mental model — "it is NOT a runtime failover that substitutes a different model when the resolved model errors out" — so a quick read can't lead the operator astray. No behavior change, only operator-facing copy. Surrounding code paths (`getModelRef`, `hasDeprecatedModelFallbackPolicy`, the warn caller in `register()`) are untouched. ## Tests `extensions/active-memory/index.test.ts` extends the existing deprecation-warning assertion to pin both the positive copy (`chain-resolution`, `last-resort`) and the negative disclaimer (`NOT a runtime failover`), so a future "let's reword this" change that reintroduces the failover-implying language fails the test instead of silently regressing. `pnpm test extensions/active-memory/index.test.ts` — 94 passed. `pnpm exec oxfmt --check` — clean. `pnpm exec oxlint` — 0 warnings, 0 errors. ## AI-assisted PR - [x] Mark as AI-assisted (Claude). Lightly tested via the targeted Vitest extension shard; not exercised against a live Ollama / AM rollout because the change is a log-string update, not behavior. - [x] Confirm I understand what the code does: yes — `getModelRef` walks four candidates (`config.model`, `currentRunModel`, `configuredDefaultModel`, `config.modelFallback`) and returns the first non-null parse; `modelFallback` is purely a default-when-empty selector, not a runtime failover. * fix(active-memory): clarify fallback config help (#74602) (thanks @jeffrey701) * config: accept browser.tabCleanup keys in zod schema (#74577) (#74638) * config: accept browser.tabCleanup keys in zod schema (#74577) * docs: update config baseline hash --------- Co-authored-by: Peter Steinberger <steipete@gmail.com> * chore: refresh a2ui bundle hash * fix: accept extensionless runtime dependency mains * fix: harden Windows Parallels update smoke * fix: stabilize Parallels update restart checks * fix(acp): fall through to thread-bound resolution when token is unresolvable (#66299) (#74641) * fix(acp): fall through to thread-bound resolution when token is unresolvable (#66299) resolveAcpTargetSessionKey returned an error immediately when an explicit session token was supplied but could not be resolved as a key/id/label. This blocked the thread-bound and requester-session fallback paths from ever being reached. Discord slash commands auto-fill the current thread ID as a positional ACP target. That value is not a session identifier, so the gateway lookup returns null, and the command returned 'Unable to resolve session target' instead of falling through to the thread-bound session that was already known via the binding context. Fix: when the token lookup returns null, skip the early-exit error and fall through to thread-bound → requester-session → error in the normal way. The 'Missing session key' error still surfaces when neither fallback produces a binding. Adds a focused regression test: unresolvable token + bound thread session → steer command reaches the thread-bound session, not an error. Fixes #66299 * fix(changelog): add Thanks @martingarramon attribution for #66299 Per clawsweeper P2 review — every new CHANGELOG entry must credit at least one author. martingarramon authored the issue analysis and explicitly invited the PR. * fix(acp): preserve bad-token diagnostics after thread fallback --------- Co-authored-by: clawsweeper-repair <clawsweeper-repair@users.noreply.github.com> * fix(feishu): skip empty-text messages with no media to prevent blank session turns (#74634) (#74661) Feishu delivers empty-text events (e.g. {"text":""}) when users send blank messages or when a media-only message produces no text content. Writing a blank user turn to the session file causes downstream LLM providers such as MiniMax to reject requests with: invalid params, messages must not be empty (2013) Guard at the point after media resolution: if ctx.content.trim() is empty AND mediaList is empty, log the skip and return without queuing a reply. This preserves all existing behaviour for text, media, and mixed messages. Regression test: dispatch a DM with {"text":""} (no media), assert mockDispatchReplyFromConfig is not called. Closes #74634. Thanks @xdengli. * fix(exec): preserve turnSourceChannel as messageProvider in approval followup runs (#74666) When an exec-approval followup run has no deliverable route and no gateway-internal channel, buildAgentFollowupArgs was passing channel=undefined to the spawned agent. This left defaults.messageProvider=undefined in the followup run, causing tools.elevated.allowFrom.<provider> checks to always fail with provider=null after the user approved an async elevated command. Thread turnSourceChannel through buildAgentFollowupArgs and use it as a fallback when sessionOnlyOriginChannel is absent. Fixes #74646. Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> * chore(ci): add gateway CodeQL PR quality guard Adds the gateway runtime quality shard to the PR CodeQL guard, keeps PR quality analysis path-sharded by surface, and documents the shard selector behavior. * fix: reject invalid cron edits on disabled jobs (#74720) * fix(cron): reject invalid disabled schedule updates * docs: add cron validation changelog entry --------- Co-authored-by: Peter Steinberger <steipete@gmail.com> * chore(ci): add provider CodeQL PR quality guard Adds the provider runtime quality shard to the PR CodeQL guard, keeps PR quality analysis path-sharded by surface, and fixes selector overlap for Plugin SDK/package-contract paths. * chore(deps): bump actions group Bumps the actions group with 2 updates in the / directory: [useblacksmith/setup-docker-builder](https://github.com/useblacksmith/setup-docker-builder) and [useblacksmith/build-push-action](https://github.com/useblacksmith/build-push-action). Updates `useblacksmith/setup-docker-builder` from 1.7.0 to 1.8.0 - [Release notes](https://github.com/useblacksmith/setup-docker-builder/releases) - [Commits](https://github.com/useblacksmith/setup-docker-builder/compare/ac083cc84672d01c60d5e8561d0a939b697de542...722e97d12b1d06a961800dd6c05d79d951ad3c80) Updates `useblacksmith/build-push-action` from 2.1.0 to 2.2.0 - [Release notes](https://github.com/useblacksmith/build-push-action/releases) - [Commits](https://github.com/useblacksmith/build-push-action/compare/cbd1f60d194a98cb3be5523b15134501eaf0fbf3...fb9e3e6a9299c78462bfadd0d93352c316adc9b8) --- updated-dependencies: - dependency-name: useblacksmith/build-push-action dependency-version: 2.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: useblacksmith/setup-docker-builder dependency-version: 1.8.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump swift-testing Bumps [github.com/apple/swift-testing](https://github.com/apple/swift-testing) from 0.99.0 to 6.3.1. - [Release notes](https://github.com/apple/swift-testing/releases) - [Commits](https://github.com/apple/swift-testing/compare/0.99.0...6.3.1) --- updated-dependencies: - dependency-name: github.com/apple/swift-testing dependency-version: 6.3.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix(commands): require gateway memory probe skipped state Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * fix(test): keep kitchen-sink conformance diagnostics clean * fix: test-harness regression risk * fix: keep kitchen-sink conformance diagnostics clean --------- Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> Co-authored-by: clawsweeper-repair <clawsweeper-repair@users.noreply.github.com> * fix(gateway): avoid caching empty model catalogs Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * build(deps): bump debian docker base digest Bumps the docker-images group with 1 update in the / directory: debian. Updates `debian` from `4724b8c` to `f9c6a2f` --- updated-dependencies: - dependency-name: debian dependency-version: bookworm-slim dependency-type: direct:production dependency-group: docker-images ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Vincent Koc <vincentkoc@ieee.org> * chore(ci): add channel CodeQL PR quality guard Adds the channel runtime quality shard to the PR CodeQL guard and keeps non-security quality analysis path-sharded by surface. * docs(ci): rewrite for structure, deduplication, and findability Splits the previous wall-of-prose docs/ci.md into discoverable sections while preserving every operator-relevant detail: - Lead orientation paragraph kept; cross-links to umbrella and prerelease - Pipeline overview anchors the job table at the top - Fail-fast order tightened; superseded-run/concurrency notes folded in - Scope and routing surfaces ci-changed-scope.mjs, the routing-only fast path, the Windows scope rule, Vitest shard balancing, the Android dual-flavor rule, and the check-dependencies (Knip + unused-file allowlist) pass that was buried in the lead - Manual dispatches groups examples + include_android + target_ref - Runners and Local equivalents tables/blocks preserved - Full Release Validation: release_profile and rerun_group bulleted; verifier-only rerun guidance and the shared release-package-under-test artifact called out - Live and E2E shards: native-live shard names listed, live-media-runner image and openclaw-live-test:<sha> with OPENCLAW_SKIP_DOCKER_BUILD=1 broken out - Package Acceptance split into Jobs / Candidate sources / Suite profiles / Legacy compatibility windows / Examples / debugging - Install smoke: fast vs full paths, main-push policy, Bun gate - Local Docker E2E: scheduler tunables in a table, reusable workflow flow, release-path chunks list, rerun helpers - Plugin Prerelease, QA Lab, CodeQL each get their own discoverable sections; CodeQL uses tables for security and quality categories instead of paragraph walls (kept the new provider-runtime-boundary shard in the PR-quality-guard list) - Maintenance workflows groups Docs Agent, Test Performance Agent, and Duplicate PRs After Merge - Local check gates and changed routing turn boundary lane rules into bullets and keep the explicit-mapping prose - Testbox validation kept; Related links preserved Audited every workflow name and CodeQL category against .github/workflows/ — no stale references. File goes from 527 to 413 lines while preserving shard names, env vars, profiles, chunks, and legacy-compat windows. Layout obeys oxfmt. * fix(slack): share edit fallback text truncation Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * fix(slack): cap approval update fallback text Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * fix(channels): suppress observe-only prepared dispatch Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * test(ci): guard install smoke docker cache removal Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * fix(media): treat legacy Word docs as binary attachments Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com> * chore(ci): add process CodeQL PR quality guard Adds the MCP/process runtime quality shard to the PR CodeQL guard and keeps non-security quality analysis path-sharded by surface. * fix(slack): cap select option values Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * fix(slack): preserve mixed interactive blocks Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * fix(plugins): prefer require export conditions * fix: fixed condition order prefers a top-level require export before a node condition, which... * fix(clawsweeper): address review for clawsweeper-commit-openclaw-openclaw-6877360218c9 (1) --------- Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * fix(bedrock): expose Opus 4.7 max thinking Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * fix(google): accept Windows ADC manifest paths Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * chore(ci): add session CodeQL PR quality guard Adds the session diagnostics quality shard to the PR CodeQL guard while keeping diagnostics and delivery queue analysis path-sharded by surface. * fix(gateway): preserve rpc abort terminal snapshots Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * fix(plugins): select runtime deps by configured models Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * fix(sdk): emit replacement chat projection deltas Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * fix(plugins): honor runtime deps fallback install option Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * fix: configs that used the previously documented WhatsApp exposeErrorText key now fail valida... (#74667) * fix: configs that used the previously documented WhatsApp exposeErrorText key now fail valida... * fix(clawsweeper): address review for clawsweeper-commit-openclaw-openclaw-4cba08df01ea (1) --------- Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * fix: environment edge case launcher regression (#74696) Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * chore(ui): refresh fa control ui locale * fix: Windows-specific reliability gap in the new timeout cleanup path (#74703) Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * chore(ci): add plugin SDK reply CodeQL PR guard Adds the Plugin SDK reply runtime quality shard to the PR CodeQL guard while keeping reply runtime changes on the existing plugin and package-contract shards. * fix(ui): refresh Persian locale copy * chore(ci): add memory CodeQL PR quality guard Adds the memory runtime quality shard to the PR CodeQL guard while preserving provider/plugin overlap only for the memory files that share those contracts. * fix(control-ui): disable refresh during active runs Disable the Control UI refresh button while chat is disconnected, loading, sending, running, or streaming. This prevents manual chat-history refresh from racing active run/stream state and adds browser render coverage for the disabled-state matrix. Closes #65522. Validation: - Exact PR head `1511a086614a727fc4200730e7ad9622134bb7d3` reached `CLEAN` merge state. - GitHub CI for the exact head completed with no failed or pending checks. * chore(ci): add auth CodeQL PR quality guard Adds the core-auth-secrets quality shard to the PR CodeQL guard and documents the expanded ten-shard PR quality set. * docs(changelog): backfill c34ed90822 control UI refresh-during-runs guard * fix(slack): offset presentation controls after native blocks Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * fix(plugins): keep disabled plugin runtime deps off Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * chore(ci): add config CodeQL PR quality guard Adds the config-boundary quality shard to the PR CodeQL guard and documents the expanded eleven-shard PR quality set. * fix(ci): disable install smoke Docker build cache Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * chore(ci): cover bundled channels in CodeQL PR guard Extends the channel CodeQL quality shard to bundled channel plugin source directories and documents the scoped PR guard coverage. * fix: enable native require fast path on Windows for bundled plugins (#74173) Removes the win32 exclusion from supportsNativeJitiRuntime() and adds { allowWindows: true } to all tryNativeRequireJavaScriptModule call sites, so bundled plugin modules use native require() instead of Jiti on Windows. Also adds an attempted-load counter to the debug timing log and a changelog entry. Fixes #68656 Co-authored-by: Galin Iliev <galiniliev@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Fix CLI text command hangs (#74220) * fix(cli): keep agents list off plugin preload * docs(changelog): note cli text hang fix * test(cli): update preaction agents list expectations * test(channels): align module loader jiti fixture * fix(skills): scan grouped skill directories * fix(skills): scan nested subdirectories for grouped skill layouts Previously, skill discovery only checked immediate children of the skills root for SKILL.md files. Skills organized in subdirectories (e.g. ~/.openclaw/skills/coze/koze-retrieval/SKILL.md) were silently ignored. Now, when an immediate child directory does not contain a SKILL.md, its own children are checked one level deeper. This supports grouped skill layouts while keeping the scan depth bounded (max 2 levels) to avoid unbounded filesystem traversal. The existing per-source skill count limits and containment checks still apply to nested discoveries. Fixes #56915 * test(skills): cover nested grouped skill discovery * fix(skills): cache contained-path checks and cap nested scans - Reuse skillDirRealPath captured during the collection phase so the load loop no longer re-runs resolveContainedSkillPath on the same directory. - Apply the per-root candidate cap (and the matching warning log) when descending into nested grouped skill directories, matching the outer scan's behavior. Addresses Greptile P2 feedback on PR #72534. * fix(skills): load grouped skill directories under skills roots * fix(clownfish): address review for ghcrawl-156697-autonomous-smoke (1) --------- Co-authored-by: Otto Deng <otto@ottodeng.com> Co-authored-by: vincentkoc <25068+vincentkoc@users.noreply.github.com> Co-authored-by: Otto Deng <ottodeng2@github.local> * chore(ci): add agent CodeQL PR quality guard Promotes the existing agent-runtime quality shard to PR/manual selection and documents the expanded twelve-shard PR quality set. * fix(skills): bound grouped skill directory scans * fix(security): remediate CodeQL alerts * fix: existing doctor-contract Windows loader test still expects Jiti to be called for contrac... (#74923) Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * fix: change disables bundled dependency repair when plugins.enabled: false, but the same fall... (#74916) Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> Co-authored-by: Vincent Koc <vincentkoc@ieee.org> * docs(changelog): note outbound CodeQL remediation Adds the requested changelog attribution for CodeQL alert 228. * docs(changelog): note secret comparison CodeQL remediation Adds the requested changelog attribution for CodeQL alert 229. * fix(sdk): treat terminal wait timeouts as timed out (#74697) * fix: wait-status mapping sdk regression * fix(sdk): treat terminal wait timeouts as timed out --------- Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> Co-authored-by: clawsweeper-repair <clawsweeper-repair@users.noreply.github.com> * fix(ci): committed Plugin SDK API baseline hash is not reproducible from the committed source... (#74789) Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * fix: derive dynamic context-window guard thresholds Derive context-window guard thresholds from the effective model window, keeping 10% hard-min and 20% warning ratios with 4k/8k floors. Stop the embedded runner from forcing old fixed guard overrides so runtime admission uses the dynamic resolver. Validation: - CI run 25151866833 passed, including build-artifacts and checks-node-channels. - Parity gate 25151866868 passed. - Testbox pnpm test:channels passed: 54 files / 433 tests. Fixes #42999. Prepared head SHA: 9c80383639321871fe93e276c56459de096a2d70 * fix(security): sanitize QQBot debug log values Sanitizes QQBot debug log values to remediate CodeQL alert 230. * fix(pdf): resolve standard fonts from pdfjs package root (#70936) * fix(pdf): resolve standard fonts from pdfjs package root Resolve PDF.js standard fonts via pdfjs-dist/package.json instead of a relative ../../node_modules path so the fallback renderer does not depend on emitted dist chunk layout. Add focused regression coverage that asserts the forwarded standardFontDataUrl matches the installed pdfjs-dist package root and exists on disk. * fix(pdf): resolve pdfjs standard fonts from package root * fix(pdf): use PDF.js font URL separator --------- Co-authored-by: Dr JCai <jingxiao.cai@gmail.com> Co-authored-by: vincentkoc <25068+vincentkoc@users.noreply.github.com> Co-authored-by: Vincent Koc <vincentkoc@ieee.org> * fix(cron): warn when --agent is not specified on cron add (#42245) * fix(cron): warn when --agent is not specified on cron add Warn users when creating a cron job without specifying the --agent flag, so they know the job will run with the default agent (main). Fixes #42196 * fix(cron): warn when cron add omits --agent * fix(cron): name default agent in warning --------- Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com> Co-authored-by: Vincent Koc <vincentkoc@ieee.org> * fix(security): emit QQBot debug logs as sanitized lines Emits QQBot debug logs as CRLF-neutralized lines to remediate CodeQL alert 231. * fix: bounded directory scan actionable regression (#74942) * fix: bounded directory scan actionable regression * fix: current main remaining regression * fix(skills): compose workspace scan caps --------- Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> Co-authored-by: Vincent Koc <vincentkoc@ieee.org> * fix(memory-lancedb): get memory records through ltm list command (#67952) * fix(mem-lancedb): get memory records through ltm list command * code review --------- Co-authored-by: zhangyue19921010 <zhangyue.1010@bytedance.com> * feat(channel) update yuanbao plugin github location (#74253) * feat(channel) update yuanbao plugin version and github location * feat(channel) update yuanbao plugin github location * fix(channel): update yuanbao plugin GitHub location and add yuanbao alias (#74253) (thanks @loongfay) --------- Co-authored-by: loongzhao <loongzhao@tencent.com> Co-authored-by: sliverp <870080352@qq.com> * fix(security): align QQBot log sanitizer with CodeQL Aligns QQBot debug log newline removal with the CodeQL js/log-injection sanitizer model to close alert 232. * fix(github): skip maintainer-owned Barnacle targets * docs(changelog): backfill 1e20babcf7 memory-lancedb ltm list * fix(qqbot): unify slash command auth, c2cOnly gating, and file delivery (#73616) * fix(qqbot): align clear-storage command with actual downloads directory The /bot-clear-storage command previously targeted ~/.openclaw/media/qqbot/downloads/{appId}/, but inbound attachments and outbound fallback downloads are stored directly under ~/.openclaw/media/qqbot/downloads/ without appId subdivision. This mismatch caused the clear command to report 'no files to clean' while downloaded files continued to occupy disk space. Changes: - Replace resolveQqbotDownloadsDirForApp(appId) with resolveQqbotDownloadsDir() that returns the downloads root - Use getQQBotMediaPath('downloads') instead of manual path assembly - Remove appId-based path validation (no longer needed) - Update usage text to reflect the new scope * refactor(qqbot): unify slash command auth and c2cOnly gating in registry Previously, slash command authorization and group-chat rejection were scattered across individual handlers and a hardcoded GROUP_EXCLUDED set. This led to inconsistent behavior: commandAuthorized was hardcoded to true in the pre-dispatch path, some handlers checked allowFrom while others did not, and group users received no response for auth-gated commands. Changes: 1. Add resolveSlashCommandAuth() (new file slash-command-auth.ts) - Requires sender to appear in an explicit non-wildcard allowFrom list; wildcard ['*'] does not grant admin command access - Group messages use groupAllowFrom, falling back to allowFrom 2. Fix commandAuthorized in slash-command-handler.ts - Replace hardcoded 'true' with resolveSlashCommandAuth() call 3. Add c2cOnly field to SlashCommand interface - Commands declare c2cOnly: true instead of checking ctx.type inside their handler - Registry rejects c2cOnly commands in group chat before auth check, returning a user-friendly hint 4. Remove GROUP_EXCLUDED hardcoded set from register-basic.ts - /bot-help now filters by cmd.c2cOnly dynamically 5. Clean up handler-level auth and scene checks - Remove hasExplicitCommandAllowlist check from register-logs - Remove ctx.type !== 'c2c' guards from all c2cOnly handlers - Improve rejection message to mention the correct config field (allowFrom for c2c, groupAllowFrom for group) 6. Mark commands: bot-upgrade, bot-streaming, bot-logs, bot-clear-storage, bot-approve as c2cOnly: true * fix(qqbot): pass allowQQBotDataDownloads when sending slash command file attachments The /bot-logs command writes temporary log files to the QQBot data downloads directory (~/.openclaw/qqbot/downloads/), but sendDocument was called without allowQQBotDataDownloads: true. This caused resolveOutboundMediaPath to reject the file path as outside the allowed media roots, silently failing the file attachment while the text reply was sent successfully. Add { allowQQBotDataDownloads: true } to the sendDocument call in slash-command-handler.ts so file-bearing slash command results (currently only /bot-logs) can deliver their attachments. * feat(qqbot): add /bot-me command to display sender user ID Add a new /bot-me slash command that returns the sender's user ID (openid). This helps users quickly find the value they need to add to allowFrom or groupAllowFrom configuration for admin command access. Marked as c2cOnly since the user ID is sensitive information. * feat(qqbot): update response timeout * feat(qqbot): add engine import boundary test and bump version - Add engine-import-boundary.test.ts to enforce that engine/ sources only import from openclaw/plugin-sdk/* and never reach into other openclaw internals directly. Scans all 110 source files recursively. - Bump plugin version to 2026.4.27. * fix(qqbot): unify slash command auth, c2cOnly gating, and file delivery (#73616) (thanks @cxyhhhhh) --------- Co-authored-by: sliverp <870080352@qq.com> * fix: warning text cli correctness issue (#74964) Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * fix(agents): preserve string user content when merging turns Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> Co-authored-by: Vincent Koc <vincentkoc@ieee.org> * docs: cover qqbot /bot-me + c2cOnly admin gating (62fb87641e) and cron add --agent warning (dc0c54c7f1) * test(gateway): avoid post-close auth rotation rpc * ci: right-size OpenGrep PR scan * ci: right-size opengrep pr scan * ci: avoid opengrep rulepack self-scan * ci: opt opengrep workflows into node24 actions * ci: update opengrep workflow action majors * chore(ci): tune stale policy and add backfill * chore(ci): tune stale grace periods * chore(ci): add stale closure backfill * chore(ci): skip maintainer assignees in stale backfill * ci: shallow checkout OpenGrep PR scan * fix(channels): align Yuanbao catalog id Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * fix(control-ui): wire slash menu accessibility Wire the Control UI chat slash-command menu to the composer with stable listbox and option IDs, active-descendant updates, and a live status announcement. Keep the native textarea role conforming while preserving the menu relationships and tests. * chore(barnacle): add false positive close label (#75014) * fix(cli): avoid progress spinners in active TUI input (#75003) Merged via squash. Prepared head SHA: 129e23e71605c5158ac33ad30de088aca530f712 Co-authored-by: velvet-shark <126378+velvet-shark@users.noreply.github.com> Co-authored-by: velvet-shark <126378+velvet-shark@users.noreply.github.com> Reviewed-by: @velvet-shark * fix(ci): bound manual stale closure backfill Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com> * fix(macos): repair stale gateway tls pins (#75038) Merged via squash. Prepared head SHA: 35196f8f714d4ab07ebb211802693d03385486ad Co-authored-by: ngutman <1540134+ngutman@users.noreply.github.com> Co-authored-by: ngutman <1540134+ngutman@users.noreply.github.com> Reviewed-by: @ngutman * fix(macos): keep A2UI canvas content visible (#75039) * fix(security): stop implicit tool grants from config sections (#47487) (#75055) * fix(security): stop implicit tool grants from config sections (#47487) Configured tool sections (tools.exec, tools.fs) no longer implicitly widen restrictive profiles (messagin…

@BunsDev

* fix(security): stop implicit tool grants from config sections (openclaw#47487) (openclaw#75055) * fix(gateway): align sessions abort wait semantics (openclaw#74751) thanks @BunsDev Co-authored-by: Val Alexander <68980965+BunsDev@users.noreply.github.com> * fix(cron): preserve model overrides for text payloads (openclaw#73946) Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com> * fix(exec): preserve turnSourceChannel as messageProvider in approval followup runs (openclaw#74666) When an exec-approval followup run has no deliverable route and no gateway-internal channel, buildAgentFollowupArgs was passing channel=undefined to the spawned agent. This left defaults.messageProvider=undefined in the followup run, causing tools.elevated.allowFrom.<provider> checks to always fail with provider=null after the user approved an async elevated command. Thread turnSourceChannel through buildAgentFollowupArgs and use it as a fallback when sessionOnlyOriginChannel is absent. Fixes openclaw#74646. Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(feishu): skip empty-text messages with no media to prevent blank session turns (openclaw#74634) (openclaw#74661) Feishu delivers empty-text events (e.g. {"text":""}) when users send blank messages or when a media-only message produces no text content. Writing a blank user turn to the session file causes downstream LLM providers such as MiniMax to reject requests with: invalid params, messages must not be empty (2013) Guard at the point after media resolution: if ctx.content.trim() is empty AND mediaList is empty, log the skip and return without queuing a reply. This preserves all existing behaviour for text, media, and mixed messages. Regression test: dispatch a DM with {"text":""} (no media), assert mockDispatchReplyFromConfig is not called. Closes openclaw#74634. Thanks @xdengli. * fix(security): bound bootstrap handoff scopes (openclaw#72919) * fix(security): remediate CodeQL alerts (#7c5bf1c675) Iterative HTML tag stripping to prevent nested-tag bypass in text sanitization. Timing-safe secret comparison for audit checks. Cherry-picked from 7c5bf1c onto ga/1.0 (v2026.4.20 baseline). * fix(device-pair): reject invalid remote setup URLs (#7c51cd2baf) Validate publicUrl and gateway.remote.url before issuing device pairing setup codes. Prevents user-facing errors from malformed URLs. Cherry-picked from 7c51cd2 onto ga/1.0 (v2026.4.20 baseline). * fix: gate startup context for sandboxed spawned sessions (openclaw#73611) Skip startup context injection for spawned sessions running in sandboxed mode without workspace write access, preventing context leak. Cherry-picked from 4808361 onto ga/1.0 (v2026.4.20 baseline). * fix(gateway): preserve rpc abort terminal snapshots (#0459206c40) Ensure terminal snapshots are captured when RPC agent runs are aborted, so wait-for-completion clients receive the final state. Cherry-picked from 0459206 onto ga/1.0 (v2026.4.20 baseline). * fix: environment edge case launcher regression (openclaw#74696) Use Boolean() for NODE_COMPILE_CACHE check instead of !== undefined, preventing crashes when the variable is set to an empty string. Cherry-picked from 9177fab onto ga/1.0 (v2026.4.20 baseline). * fix(agents): finalize embedded lifecycle backstop (#ebff12e84f) Add lifecycle backstop to embedded agent runs that notes events and ensures proper finalization when runs fail to terminate cleanly. Cherry-picked from ebff12e onto ga/1.0 (v2026.4.20 baseline). * fix(agents): preserve string user content when merging turns (#9061d1e4c3) Normalize string-form user content to content-part arrays before turn merge, preventing silent data loss in session history sanitization. Cherry-picked from 9061d1e onto ga/1.0 (v2026.4.20 baseline). * fix: derive dynamic context-window guard thresholds (#13e917e292) Replace hardcoded context-window guard thresholds with dynamic values derived from model capabilities, preventing unnecessary truncation. Cherry-picked from 13e917e onto ga/1.0 (v2026.4.20 baseline). * fix: reject invalid cron edits on disabled jobs (openclaw#74720) Validate cron expression before applying edits to disabled jobs, preventing silent corruption of job state. Cherry-picked from 3224075 onto ga/1.0 (v2026.4.20 baseline). * fix(cron): catch croner parse errors in add/update handlers (openclaw#74193) Wrap croner expression parsing in try-catch to return a structured error instead of crashing the gateway handler on invalid expressions. Cherry-picked from d2db67e onto ga/1.0 (v2026.4.20 baseline). * fix: accept previously documented WhatsApp exposeErrorText key (openclaw#74667) Add exposeErrorText as a passthrough key in the WhatsApp provider config schema to prevent validation failures on existing configs. Cherry-picked from 3c9437a onto ga/1.0 (v2026.4.20 baseline). * fix: interpolate heartbeat response prefix templates (openclaw#73996) Wire createReplyPrefixContext into heartbeat runner so template variables like {model} are interpolated instead of rendered literally. Cherry-picked from 2d1523e onto ga/1.0 (v2026.4.20 baseline). * fix(acp): fall through to thread-bound resolution on unresolvable token (openclaw#66299, openclaw#74641) When an ACP token can't be resolved, fall through to thread-bound session resolution instead of silently failing the auto-reply. Cherry-picked from 5716428 onto ga/1.0 (v2026.4.20 baseline). * fix(mattermost): add WebSocket ping/pong keepalive (openclaw#73979) Send periodic WebSocket pings to prevent idle connection drops on Mattermost servers with aggressive timeout policies. Cherry-picked from 0e97f96 onto ga/1.0 (v2026.4.20 baseline). * chore(release): bump version to 1.0.1-rc.1 21 cherry-picked fixes from upstream onto ga/1.0 (v2026.4.20 baseline). * docs(changelog): rewrite v1.0.1-rc.1 entries to RC contents only Replace the wholesale upstream feature-train entries that were mistakenly merged via 'git checkout --theirs CHANGELOG.md' during the cherry-pick batch with a single ProdClaw 1.0.1-rc.1 section listing only the 20 fixes actually included in this RC. Per the ProdClaw release-notes contract (Iris docs runbook §10), ProdClaw release notes describe only what the RC actually contains. Note count: 21 cherry-picks were originally batched; the CLI text command hangs fix (upstream openclaw#74220, commit 43ca739) was dropped via rebase --onto in the previous commit because its supporting implementation depends on a feature commit (upstream openclaw#70044) introduced after the v2026.4.20 baseline. 20 cherry-picks remain. FAST_COMMIT used: baseline pre-existing type errors, not introduced here. * fix(cron): accept threaded delivery in gateway schema (b6be422) Backports the upstream gateway-schema fix that allows cron `delivery.threadId` (string or number) for threaded announce delivery (e.g. Telegram forum topics). Without this, cron-validation tests cherry-picked alongside the croner-parse-error fix (openclaw#74193) fail because they exercise threadId support that the v2026.4.20 baseline schema doesn't accept. Cherry-picked from b6be422 onto ga/1.0 (v2026.4.20 baseline). Removed the unused TestDelivery type alias from cron-tool.test.ts since the tests that referenced it on upstream are not present at baseline. Pre-flight checks (per Iris docs runbook §6): - (a) Bug exists at baseline: yes — schema rejects threadId for announce. - (b) Fix is self-contained: yes — touches only schema/cron.ts and a small protocol-helper change in cron-tool.ts. - (c) Test imports check: yes — adds 1 schema-shape test to cron-tool.test.ts and 5 validation tests to cron.validation.test.ts; both compile and exercise symbols present at baseline once the schema accepts threadId. FAST_COMMIT used: baseline pre-existing type errors, not introduced here. * test(cron): mock loadConfig in cron.validation.test.ts for baseline The cherry-picked cron.validation.test.ts (from openclaw#74193 + #b6be422306) mocks getRuntimeConfig, but the v2026.4.20 baseline cron.ts validation still reads via loadConfig() directly. Upstream later refactored to getRuntimeConfig (commit 7f3f108, a broad refactor not appropriate to backport). Add loadConfig to the same mock factory so the test fixture is read regardless of which call path the handler uses. All 8 tests pass. FAST_COMMIT used: baseline pre-existing type errors, not introduced here. * test(cron): add missing loadCronStore import to service.issue-regressions The cherry-pick of 'fix: reject invalid cron edits on disabled jobs (openclaw#74720)' added a new test that calls loadCronStore() but the upstream commit didn't include the import (the import had been added in a previous upstream commit not in our cherry-pick batch). loadCronStore exists at the v2026.4.20 baseline (src/cron/store.ts:77); just adding the import resolves the ReferenceError. All 10 tests in this file pass after the fix. FAST_COMMIT used: baseline pre-existing type errors, not introduced here. * fix(outbound): hold active-delivery claim so reconnect drain skips live sends (c94a870) MK-51: prevents reconnect drain from re-driving an entry that the live send is still writing to the adapter. The live delivery path holds an in-memory active claim for queueId across its send; drain honors that claim via the same entriesInProgress set used for startup recovery. Cherry-picked from c94a870 onto ga/1.0 (v2026.4.20 baseline). Pre-flight checks (per Iris docs runbook §6): - (a) Bug exists at baseline: yes — without the claim, concurrent reconnect drain and live send race over the same entry. - (b) Fix is self-contained: yes — adds tryClaimActiveDelivery / releaseActiveDelivery wrappers around the existing claimRecoveryEntry / releaseRecoveryEntry primitives present at v2026.4.20. - (c) Test imports check: required two adjustments at the baseline: 1. Add `import { createRecoveryLog } from "./delivery-queue.test-helpers.js"` (file exists at baseline, just not previously imported here). 2. Add a local drainAcct1DirectChatReconnect helper that calls drainPendingDeliveries with the directchat key/selector. Upstream refactored the WhatsApp-specific helper into a generic drainDirectChatReconnectPending after our baseline; the local helper mirrors that shape without backporting the rename. All 49 tests pass. Refs: openclaw#70386, MK-51 FAST_COMMIT used: baseline pre-existing type errors, not introduced here. * fix: isolate cron context-engine session keys (openclaw#72292) (a3c51f9) MK-51: prevents stale cron/system events from polluting unrelated user turns. Threads runSessionKey through the cron isolated-agent execution context (prepareCronRunContext / delivery-dispatch / run-executor) so the run-specific session entry is no longer silently aliased to the agent-wide session entry. Previous behavior could cause queued cron delivery context to bleed into the next user message in the main session. Cherry-picked from a3c51f9 onto ga/1.0 (v2026.4.20 baseline). Pre-flight checks (per Iris docs runbook §6): - (a) Bug exists at baseline: yes — at v2026.4.20 the cron run context reuses the agent session key for the per-run state, so cron-emitted system events accumulate against the main session and surface on the next user turn. - (b) Fix is self-contained: yes — runSessionKey already exists in run-session-state.ts at baseline; this commit threads it through prepareCronRunContext / dispatchCronDelivery / createCronPromptExecutor so the run-scoped entry is keyed to runSessionKey instead of being aliased to agentSessionKey. - (c) Test imports check: 75/75 tests pass after applying conflict resolution per runbook §7 (Pattern A: keep the fix's runSessionKey parameter at HEAD's structural call sites; Pattern E: take ours for CHANGELOG to rewrite at the end). The unused createMessageToolExecutor helper was removed since the upstream tests that exercise it are not cherry-picked here. Refs: openclaw#72292, MK-51 FAST_COMMIT used: baseline pre-existing type errors, not introduced here. * fix(cron): preserve current delivery target context (e309fd4) MK-52: cron announce delivery jobs created from a Telegram (or other channel) context now persist the current delivery target metadata (channel/to/accountId/threadId) into the cron tool's job spec, so unattended runs deliver to the originating chat instead of erroring with "Delivering to <channel> requires target <chatId>". Cherry-picked from e309fd4 onto ga/1.0 (v2026.4.20 baseline). Pre-flight checks (per Iris docs runbook §6): - (a) Bug exists at baseline: yes — at v2026.4.20 createCronTool does not receive a current-delivery-context, so Telegram-originated cron announce jobs save without a routable target and silently fail on later runs (the WOD/Fajr scheduler incident, MK-52). - (b) Fix is self-contained: yes — adds an optional currentDeliveryContext field to CronToolOptions and threads it through createCronTool. Both the field shape and the agentChannel / currentChannelId / agentTo / agentAccountId / currentThreadTs / agentThreadId properties exist at the v2026.4.20 baseline. - (c) Test imports check: dropped one upstream test ("passes the resolved shared config into the tts tool") that depends on a post-baseline TTS config refactor (resolveSharedTtsConfig). The MK-52 fix is exercised by the kept "passes preserved channel delivery context into the cron tool" test. 53/53 tests pass. Conflict resolution per runbook §7: Pattern A (HEAD removed the embedded check around createCanvasTool/nodesTool/createCronTool; re-applied the fix's currentDeliveryContext into HEAD's flat call site). Refs: MK-52 FAST_COMMIT used: baseline pre-existing type errors, not introduced here. * test(mattermost): skip unrelated post-baseline routing test The cherry-picked monitor.inbound-system-event.test.ts contains one test ('does not enqueue regular user posts as system events') that exercises a post-baseline routing decision in monitor.ts. This test was incidental context in cherry-pick 0e97f96 (the actual ping/pong keepalive fix for openclaw#73979 lives in monitor-websocket.ts and is exercised by monitor-websocket.test.ts). Skip the failing test with a comment pointing at the baseline gap so it can be re-enabled when the routing fix lands in a future GA line. Per Iris docs runbook §6c (test imports check). FAST_COMMIT used: baseline pre-existing type errors, not introduced here. * test(qr-cli): skip URL-validation test that needs stricter parser The cherry-picked qr-cli.test.ts contains one test that asserts "Configured gateway.remote.url is invalid." for input "http://localhost:notaport". At the v2026.4.20 baseline, normalizeUrl() in setup-code.ts uses Node's URL parser, which silently accepts "http://localhost:notaport" as host=localhost with no port (treating :notaport as path). The stricter port validator that catches this case is upstream of our baseline and not part of cherry-pick a58c4d8. The remote-URL rejection path is still exercised end-to-end by setup-code.test.ts (which uses URLs the baseline parser does reject). Per Iris docs runbook §6c (test imports check). FAST_COMMIT used: baseline pre-existing type errors, not introduced here. * test(whatsapp): trim post-baseline systemPrompt tests from cherry-pick The cherry-picked zod-schema.providers-whatsapp.test.ts contained 4 tests for `systemPrompt` validation across groups/direct/accounts surfaces. That field is post-baseline and not part of cherry-pick 3c9437a (which adds deprecated `exposeErrorText` no-op handling). Trimmed the systemPrompt tests; kept the 2 exposeErrorText tests that exercise the actual fix. Per Iris docs runbook §6c (test imports check). FAST_COMMIT used: baseline pre-existing type errors, not introduced here. * test(pairing): trim setup-code tests that need stricter URL parser Skip 2 tests + 2 it.each cases from cherry-pick a58c4d8 that exercise post-baseline URL validation: - "normalizes bare publicUrl host ports for setup code payloads": needs upstream's bare host:port normalizer. - "rejects invalid gateway.remote.url before falling back": needs upstream's stricter port validator. - it.each: dropped "http://localhost:notaport" and "http:/localhost:notaport" (Node URL parser accepts these; baseline normalizeUrl returns ws://localhost with no port). The other 6 invalid-URL cases still pass. The actual fix is preserved (the rejection error messages exist for parser-rejected URLs). Per Iris docs runbook §6c (test imports check). FAST_COMMIT used: baseline pre-existing type errors, not introduced here. * test(acp): skip 5 post-baseline ACP feature tests from cherry-pick Cherry-pick 5716428 (ACP fall-through to thread-bound resolution) brought 5 tests that exercise post-baseline ACP features not present at v2026.4.20: - Telegram topic ACP spawn binding (delivery.pin) - Matrix --bind here without thread spawn - Matrix thread-bound spawns from top-level rooms - Bound-thread /acp close with text commands disabled - acpx plugins.allow gating The actual fix (fall-through to thread-bound resolution when token is unresolvable) is exercised by the other 40 tests in this file, all of which pass at this baseline. Per Iris docs runbook §6c (test imports check). FAST_COMMIT used: baseline pre-existing type errors, not introduced here. * test(device-pair): skip 9 URL-validation tests needing stricter parser Cherry-pick a58c4d8 (device-pair invalid setup URLs) brought 9 tests that exercise upstream's stricter URL validator: - 1 test for "localhost:notaport" bare host:port - 1 test for "http://localhost:notaport" remote URL - 7 it.each cases for various URL forms accepted by the baseline normalizeUrl() but rejected upstream The baseline uses Node's URL parser, which silently accepts URLs like "http://localhost:notaport" (treating :notaport as path) and many of the it.each cases. The actual fix (rejection error messages plus the validation hook in setup-code.ts) is preserved; only the parser strictness gap remains. Per Iris docs runbook §6c (test imports check). FAST_COMMIT used: baseline pre-existing type errors, not introduced here. * test(agents): skip 16 post-baseline sanitize-history tests from cherry-pick Cherry-pick 9061d1e (preserve string user content in turn merge) brought a 56-test session-history sanitization file. 16 tests exercise post-baseline behavior not part of the cherry-pick: - Codex-style aborted tool result synthesis (4 tests) - openai reasoning paired-vs-orphaned model snapshot tracking (2) - copied inbound metadata stripping (2) - Gemma 4 OpenAI-compatible reasoning replay strip (1) - Anthropic latest-thinking-replay preservation (1) - it.each: thinking-only assistant turn preservation, invalid thinking signature stripping, omitted-reasoning fallback (3 it.each blocks × 2 providers = 6 cases) The actual fix (string user content normalization in turn merge) is exercised by the other 40 tests in this file, all of which pass at this baseline. Per Iris docs runbook §6c (test imports check). FAST_COMMIT used: baseline pre-existing type errors, not introduced here. * test(auto-reply): skip 21 post-baseline tests in agent-runner-execution Cherry-pick ebff12e (embedded lifecycle backstop) brought a 57-test file. 21 tests exercise post-baseline behavior not part of the backstop fix: - compaction-buffer hint heartbeat-model evidence threading (3) - static extra system prompt forwarding to CLI backends - CLI messageProvider live-session resolution - model capacity error surfacing (mid-turn + pre-reply, 2) - GPT-5 result classification (5) - compaction completion notices (notifyUser-enabled + incomplete, 2) - sanitized generic errors on external chat channels with verbose - Discord raw runner failure copy variants (2 it.each + 1 standalone) - Codex API payload formatting for verbose external errors - direct provider auth guidance for missing API keys The actual lifecycle-backstop fix is exercised by the other 36 tests in this file, all of which pass at this baseline. Per Iris docs runbook §6c (test imports check). FAST_COMMIT used: baseline pre-existing type errors, not introduced here. * docs(changelog): add MK-51 / MK-52 fix entries to v1.0.1-rc.1 Update the CHANGELOG section to reflect the comprehensive fix set (now 24 cherry-picks from 21): - MK-51: c94a870 (outbound active-delivery claim) + a3c51f9 (cron context-engine session keys) - MK-52: e309fd4 (cron preserve current delivery target context) These are the upstream fixes that were the original motivation for needing a newer OpenClaw release (Iris was held on 2026.4.14 per MK-49; the runtime fixes for MK-51/52 landed upstream after our v2026.4.20 baseline). The fixes are highlighted in the CHANGELOG because they map directly to production incidents. Per Iris docs runbook §11 (release-notes contract). FAST_COMMIT used: baseline pre-existing type errors, not introduced here. * fix(gateway): import isAbortError in agent.ts (PR #4 review fix) Concrete runtime blocker reported by review: src/gateway/server-methods/agent.ts calls isAbortError(err) at line 319 (introduced by cherry-pick 0459206 "fix(gateway): preserve rpc abort terminal snapshots") but the import was not threaded through during conflict resolution. The export exists at src/infra/unhandled-rejections.ts:184 in the v2026.4.20 baseline and is already used elsewhere in that file at line 352. Reference: #4 (comment) FAST_COMMIT used: baseline pre-existing type errors, not introduced here. * test(gateway): skip 41 post-baseline tests across agent/abort/dedupe PR #4 reviewer ran the exact changed-test-file command and found 41 failures across 3 files (after the isAbortError import was fixed in the previous commit). Triaged per runbook §6c: - src/gateway/server-methods/agent.test.ts (38 skipped) - 28 individual tests + 6 it.each cases (channel/replyChannel hint × heartbeat/cron/webhook) for post-baseline behavior: * trusted/forged group session metadata handling * plugin runtime session ownership tagging * ACP turn source markers * inter-session message timestamping * model-run prompt decoration * task registry runtime tracking * stale session resolution / freshness rules * detached task runtime seam dispatch * voice wake auto-routing * avatar source redaction * abort controller registration / chat.abort plumbing * pre-dispatch reactivation cleanup - src/gateway/server-methods/agent-wait-dedupe.test.ts (2 skipped) - RPC cancel snapshot preservation under late completion/rejection - src/gateway/server.chat.gateway-server-chat.test.ts (3 skipped) - sessions.abort dashboard runs - agent.wait stale dedupe handling All affected files now pass: agent.test.ts (42 passed | 38 skipped), agent-wait-dedupe.test.ts (7 passed | 2 skipped), server.chat.gateway-server-chat.test.ts (16 passed | 3 skipped). Per Iris docs runbook §6c (test imports check). FAST_COMMIT used: baseline pre-existing type errors, not introduced here. * fix(gateway): remove dead refs to upstream task-tracking helpers Second wave of PR #4 review fixes. After importing isAbortError, running the full reviewer validation surfaced two more issues: 1. agent.ts had dead ReferenceError-throwing calls to tryFinalizeTrackedAgentTask() and resolveFailedTrackedAgentTaskStatus() inside if (shouldTrackTask) blocks. Both helpers don't exist at the v2026.4.20 baseline (they're upstream wrappers added after our baseline; the baseline only exposes createRunningTaskRun / completeTaskRunByRunId / failTaskRunByRunId). The cherry-pick 0459206 brought the calls without the wrapper definitions. Removed the dead blocks with comments explaining why. The terminal-snapshot benefit (the `aborted` extraction and stopReason payload) is preserved. createRunningTaskRun (the only baseline-valid call) still fires inside shouldTrackTask. 2. src/agents/pi-tools.policy.test.ts imported ./test-helpers/provider-alias-cases.js which doesn't exist at baseline. Restored the helper from upstream main (15 lines, pure data table — no runtime dependencies). Per Iris docs runbook §6c. FAST_COMMIT used: baseline pre-existing type errors, not introduced here. Refs: #4 (comment) --------- Co-authored-by: Val Alexander <68980965+BunsDev@users.noreply.github.com> Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com> Co-authored-by: hcl <chenglunhu@gmail.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

…aw#47487) (openclaw#75055) * fix(security): stop implicit tool grants from config sections (openclaw#47487) Configured tool sections (tools.exec, tools.fs) no longer implicitly widen restrictive profiles (messaging, minimal). Previously, having a tools.exec section anywhere in config — even just safety settings like security: "allowlist" — would automatically add exec and process to the profile's allowed tools, defeating the purpose of the restrictive profile. The same pattern existed in tool-fs-policy.ts where tools.fs presence would add read/write/edit to the profile allowlist for root expansion. Changes: - pi-tools.policy.ts: Stop merging implicit grants into profileAlsoAllow. Renamed resolveImplicitProfileAlsoAllow → detectImplicitProfileGrants and use it only for a startup warning that tells users to add explicit alsoAllow entries. - tool-fs-policy.ts: Remove the implicit read/write/edit grant from resolveEffectiveToolFsRootExpansionAllowed when tools.fs is present. Root expansion now requires actual read access via profile or alsoAllow. - Updated 4 existing tests and added 3 new regression tests. Migration: users who relied on tools.exec or tools.fs implicitly granting access under a restrictive profile should add explicit alsoAllow entries: tools: profile: "messaging" alsoAllow: ["exec", "process"] # was implicit, now required exec: { security: "allowlist" } Fixes openclaw#47487 * fix: address tool policy review feedback

openclaw-barnacle Bot added agents Agent runtime and tooling size: S maintainer Maintainer-authored PR labels Apr 30, 2026

amknight marked this pull request as ready for review April 30, 2026 11:37

amknight force-pushed the ak/fix-47487-exec-profile-bypass branch 2 times, most recently from 6d529cd to 25fe295 Compare April 30, 2026 11:43

amknight force-pushed the ak/fix-47487-exec-profile-bypass branch from 25fe295 to 457d28c Compare April 30, 2026 11:44

clawsweeper Bot added the clawsweeper:automerge Maintainer opted this PR into bounded ClawSweeper-reviewed automerge label Apr 30, 2026

fix: address tool policy review feedback

8630375

vincentkoc self-assigned this Apr 30, 2026

amknight merged commit 4aa08e9 into main Apr 30, 2026
84 of 85 checks passed

amknight deleted the ak/fix-47487-exec-profile-bypass branch April 30, 2026 12:19

clawsweeper Bot added the clawsweeper:human-review Needs maintainer review before ClawSweeper can continue label Apr 30, 2026

clawsweeper Bot mentioned this pull request Apr 30, 2026

security: default tools.fs.workspaceOnly to true, add sensitive path denylist #42207

Open

5 tasks

clawsweeper Bot mentioned this pull request May 1, 2026

[Bug]: 2026.4.29 silently drops exec/process from "messaging" tool profile, breaking isolated cron agent turns; cron run reports status: ok with error string as delivered output #75763

Closed

timeleft-- mentioned this pull request May 1, 2026

fix: ProdClaw v1.0.1-rc.1 — 21 cherry-picked fixes MachineWisdomAI/ProdClaw#4

Merged

16 tasks

rdevaul mentioned this pull request May 10, 2026

Tier 1 security backports — follow-up (3 deferred picks landed individually) rdevaul/sybilclaw#13

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(security): stop implicit tool grants from config sections (#47487)#75055

fix(security): stop implicit tool grants from config sections (#47487)#75055
amknight merged 2 commits intomainfrom
ak/fix-47487-exec-profile-bypass

amknight commented Apr 30, 2026 •

edited

Loading

Uh oh!

amknight commented Apr 30, 2026

Uh oh!

clawsweeper Bot commented Apr 30, 2026 •

edited

Loading

Uh oh!

clawsweeper Bot commented Apr 30, 2026

Uh oh!

amknight commented Apr 30, 2026

Uh oh!

Uh oh!

clawsweeper Bot commented Apr 30, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

Conversation

amknight commented Apr 30, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Problem

Fix

Migration

Compatibility impact

Tests

Uh oh!

amknight commented Apr 30, 2026

Uh oh!

clawsweeper Bot commented Apr 30, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

clawsweeper Bot commented Apr 30, 2026

Uh oh!

amknight commented Apr 30, 2026

Uh oh!

Uh oh!

clawsweeper Bot commented Apr 30, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

amknight commented Apr 30, 2026 •

edited

Loading

clawsweeper Bot commented Apr 30, 2026 •

edited

Loading