feat: cron fix, extended hooks#2
Closed
zeroaltitude wants to merge 28 commits intomainfrom
Closed
Conversation
- Update default model from claude-opus-4-5 to claude-opus-4-6 - Add claude-opus-4-6 to ANTHROPIC_PREFIXES for model filtering - Add opus-4.6 alias, keep opus-4.5 as fallback alias - Add model costs, context windows, max tokens for 4.6 - Update all references in image tools, media understanding, etc. - Maintain backward compatibility with 4.5 references
recomputeNextRuns() is called by ensureLoaded(forceReload) which runs inside onTimer() before runDueJobs(). When the timer fires at (or just after) the exact trigger time, recomputeNextRuns would call computeNextRunAtMs(job, now) which advances nextRunAtMs to the *next* occurrence. By the time runDueJobs() checks 'now >= nextRunAtMs', the slot has already been advanced — the job is silently skipped. Fix: in recomputeNextRuns, if a job's nextRunAtMs is in the past (due), it has no runningAtMs (not currently executing), and lastRunAtMs is before the current slot (hasn't been executed for this occurrence), preserve the existing nextRunAtMs so runDueJobs can fire it. This is a TOCTOU race that affects all recurring schedule types (cron expressions, every-interval) when the timer callback runs at or just after the scheduled time. Adds 5 unit tests for recomputeNextRuns covering: - Due job with no prior execution (preserved) - Timer fires slightly late (preserved) - Job already executed for slot (advances) - Job not yet due (unchanged) - Currently-running job (advances)
fix(cron): preserve nextRunAtMs for due-but-unexecuted recurring jobs
Add 6 new plugin hooks that give plugins full visibility into the agent loop internals, enabling security/provenance, compliance, cost management, and A/B testing plugins without modifying core data models. New hooks: - before_llm_call: see/modify full context before each LLM API call - after_llm_call: intercept/filter tool calls after LLM response - context_assembled: observe assembled context with source metadata - loop_iteration_start/end: track agent loop recursion - before_response_emit: final gate before response delivery Based on RFC-PROVENANCE-HOOKS.md from openclaw-vestige.
Emit the 6 new plugin hooks from the agent loop: - before_llm_call: wraps streamFn to intercept every LLM API call, allowing plugins to inspect/modify context, filter tools, or block - after_llm_call: emitted at message_end with tool call extraction - context_assembled: emitted on first LLM call of each turn - loop_iteration_start/end: emitted via turn_start/turn_end events - before_response_emit: emitted after prompt completes, before return Uses streamFn wrapping pattern (same as cache trace + payload logger) and AgentEvent subscription for lifecycle tracking.
Comprehensive tests for all 6 new agent loop observability hooks: - hooks.extended.test.ts: unit tests for hook runners (dispatch, merge, block, error handling, priority ordering) - hook-stream-wrapper.test.ts: integration tests for streamFn wrapper (context_assembled fires once, before_llm_call fires every call, context modification, tool filtering, blocking, error resilience)
TypeScript strictness: CustomMessage<unknown> lacks index signature, so direct casts to Record<string, unknown> fail. Cast through unknown first as the canonical workaround.
Add senderId, senderName, senderIsOwner, groupId, and spawnedBy to PluginHookAgentContext. These fields are already available in the run params but were not forwarded to plugin hooks. This enables plugins to classify initial trust based on who sent the message and what channel it came from: - senderIsOwner=true in DM → trust: owner - senderIsOwner=false → trust: external or shared - groupId set → group chat context (may contain external messages) - spawnedBy set → sub-agent session - messageProvider=undefined → system event (cron, heartbeat)
…all sites The hookAgentCtx construction in attempt.ts already read these fields from params, but three runner call sites weren't forwarding them: - agent-runner-execution.ts (main reply) - agent-runner-memory.ts (memory flush) - followup-runner.ts (followup runs) This caused senderIsOwner to always be undefined in plugin hooks, making initial trust classification fall through to 'untrusted'.
…through all call sites The FollowupRun.run type was missing senderIsOwner and spawnedBy, causing TypeScript errors when forwarding these fields to runEmbeddedPiAgent. Added them to queue/types.ts.
…und messages Previously, the before_response_emit hook result was only checked for block/blockReason. The content field was ignored, making content modification impossible for plugins. Now when a plugin returns modified content, it is applied to both the messagesSnapshot and the active session messages so the delivery pipeline picks up the change. This enables use cases like the provenance plugin's developerMode taint headers.
Feature/extended security hooks
…lper - Make latencyMs, pendingToolResults, newMessagesAdded optional (were hardcoded 0) - Extract before_response_emit into hook-response-emit.ts (eliminates unsafe casts) - Add 11 tests for extracted helper - All 46 hook tests pass
refactor(hooks): clean up phantom fields and extract response-emit he…
zeroaltitude
pushed a commit
that referenced
this pull request
Apr 2, 2026
* feat: add QQ Bot channel extension * fix(qqbot): add setupWizard to runtime plugin for onboard re-entry * fix: fix review * fix: fix review * chore: sync lockfile and config-docs baseline for qqbot extension * refactor: 移除图床服务器相关代码 * fix * docs: 新增 QQ Bot 插件文档并修正链接路径 * refactor: remove credential backup functionality and update setup logic - Deleted the credential backup module to streamline the codebase. - Updated the setup surface to handle client secrets more robustly, allowing for configured secret inputs. - Simplified slash commands by removing unused hot upgrade compatibility checks and related functions. - Adjusted types to use SecretInput for client secrets in QQBot configuration. - Modified bundled plugin metadata to allow additional properties in the config schema. * feat: 添加本地媒体路径解析功能,修正 QQBot 媒体路径处理 * feat: 添加本地媒体路径解析功能,修正 QQBot 媒体路径处理 * feat: remove qqbot-media and qqbot-remind skills, add tests for config and setup - Deleted the qqbot-media and qqbot-remind skills documentation files. - Added unit tests for qqbot configuration and setup processes, ensuring proper handling of SecretRef-backed credentials and account configurations. - Implemented tests for local media path remapping, verifying correct resolution of media file paths. - Removed obsolete channel and remind tools, streamlining the codebase. * feat: 更新 QQBot 配置模式,添加音频格式和账户定义 * feat: 添加 QQBot 频道管理和定时提醒技能,更新媒体路径解析功能 * fix * feat: 添加 /bot-upgrade 指令以查看 QQBot 插件升级指引 * feat: update reminder and qq channel skills * feat: 更新remind工具投递目标地址格式 * feat: Refactor QQBot payload handling and improve code documentation - Simplified and clarified the structure of payload interfaces for Cron reminders and media messages. - Enhanced the parsing function to provide clearer error messages and improved validation. - Updated platform utility functions for better cross-platform compatibility and clearer documentation. - Improved text parsing utilities for better readability and consistency in emoji representation. - Optimized upload cache management with clearer comments and reduced redundancy. - Integrated QQBot plugin into the bundled channel plugins and updated metadata for installation. * OK apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift > openclaw@2026.3.26 check:bundled-channel-config-metadata /Users/yuehuali/code/PR/openclaw > node --import tsx scripts/generate-bundled-channel-config-metadata.ts --check [bundled-channel-config-metadata] stale generated output at src/config/bundled-channel-config-metadata.generated.ts ELIFECYCLE Command failed with exit code 1. ELIFECYCLE Command failed with exit code 1. * feat: 添加 QQBot 渠道配置及相关账户设置 * fix(qqbot): resolve 14 high-priority bugs from PR openclaw#52986 review DM routing (7 fixes): - #1: DM slash-command replies use sendDmMessage(guildId) instead of sendC2CMessage(senderId) - #2: DM qualifiedTarget uses qqbot:dm:${guildId} instead of qqbot:c2c:${senderId} - #3: sendTextChunks adds DM branch - #4: sendMarkdownReply adds DM branch for text and Base64 images - #5: parseAndSendMediaTags maps DM to targetType:dm + guildId - #6: sendTextToTarget DM branch uses sendDmMessage; MessageTarget adds guildId field - #7: handleImage/Audio/Video/FilePayload add DM branches Other high-priority fixes: - #8: Fix sendC2CVoiceMessage/sendGroupVoiceMessage parameter misalignment - #9: broadcastMessage uses groupOpenid instead of member_openid for group users - #10: Unify KnownUser storage - proactive.ts delegates to known-users.ts - #11: Remove invalid recordKnownUser calls for guild/DM users - #12: sendGroupMessage uses sendAndNotify to trigger onMessageSent hook - #13: sendPhoto channel unsupported returns error field - #14: sendTextAfterMedia adds channel and dm branches Type fixes: - DeliverEventContext adds guildId field - MediaTargetContext.targetType adds dm variant - sendPlainTextReply imgMediaTarget adds DM branch * fix(qqbot): resolve 2 blockers + 7 medium-priority bugs from PR openclaw#52986 review Blocker-1: Remove unused dmPolicy config knob - dmPolicy was declared in schema/types/plugin.json but never consumed at runtime - Removed from config-schema.ts, types.ts, and openclaw.plugin.json - allowFrom remains active (already wired into framework command-auth) Blocker-2: Gate sensitive slash commands with allowFrom authorization - SlashCommand interface adds requireAuth?: boolean - SlashCommandContext adds commandAuthorized: boolean - /bot-logs set to requireAuth: true (reads local log files) - matchSlashCommand rejects unauthorized senders for requireAuth commands - trySlashCommandOrEnqueue computes commandAuthorized from allowFrom config Medium-priority fixes: - #15: Strip non-HTTP/non-local markdown image tags to prevent path leakage - #16: applyQQBotAccountConfig clears clientSecret when setting clientSecretFile and vice versa - #17: getAdminMarkerFile sanitizes accountId to prevent path traversal - #18: URGENT_COMMANDS uses exact match instead of startsWith prefix match - #19: isCronExpression validates each token starts with a cron-valid character - openclaw#20: --token format validation rejects malformed input without colon separator - openclaw#21: resolveDefaultQQBotAccountId checks QQBOT_APP_ID environment variable * test(qqbot): add focused tests for slash command authorization path - Unauthorized sender rejected for /bot-logs (requireAuth: true) - Authorized sender allowed for /bot-logs - Non-requireAuth commands (/bot-ping, /bot-help, /bot-version) work for all senders - Unknown slash commands return null (passthrough) - Non-slash messages return null - Usage query (/bot-logs ?) also gated by auth check * fix(qqbot): align global TTS fallback with framework config resolution - Extract isGlobalTTSAvailable to utils/audio-convert.ts, mirroring core resolveTtsConfig logic: check auto !== 'off', fall back to legacy enabled boolean, default to off when neither is set. - Add pre-check in reply-dispatcher before calling globalTextToSpeech to avoid unnecessary TTS calls and noisy error logs when TTS is not configured. - Remove inline as any casts; use OpenClawConfig type throughout. - Refactor handleAudioPayload into flat early-return structure with unified send path (plugin TTS → global fallback → send). * fix(qqbot): break ESM circular dependency causing multi-account startup crash The bundled gateway chunk had a circular static import on the channel chunk (gateway -> outbound-deliver -> channel, while channel dynamically imports gateway). When two accounts start concurrently via Promise.all, the first dynamic import triggers module graph evaluation; the circular reference causes api exports (including runDiagnostics) to resolve as undefined before the module finishes evaluating. Fix: extract chunkText and TEXT_CHUNK_LIMIT from channel.ts into a new text-utils.ts leaf module. outbound-deliver.ts now imports from text-utils.ts, breaking the cycle. channel.ts re-exports for backward compatibility. * fix(qqbot): serialize gateway module import to prevent multi-account startup race When multiple accounts start concurrently via Promise.all, each calls await import('./gateway.js') independently. Due to ESM circular dependencies in the bundled output, the first import can resolve transitive exports as undefined before module evaluation completes. Fix: cache the dynamic import promise in a module-level variable so all concurrent startAccount calls share the same import, ensuring the gateway module is fully evaluated before any account uses it. * refactor(qqbot): remove startup greeting logic Remove getStartupGreetingPlan and related startup greeting delivery: - Delete startup-greeting.ts (greeting plan, marker persistence) - Delete admin-resolver.ts (admin resolution, greeting dispatch) - Remove startup greeting calls from gateway READY/RESUMED handlers - Remove isFirstReadyGlobal flag and adminCtx * fix(qqbot): skip octal escape decoding for Windows local paths Windows paths like C:\Users\1\file.txt contain backslash-digit sequences that were incorrectly matched as octal escape sequences and decoded, corrupting the file path. Detect Windows local paths (drive letter or UNC prefix) and skip the octal decoding step for them. * fix bot issue * feat: 支持 TTS 自动开关并清理配置中的 clientSecretFile * docs: 添加 QQBot 配置和消息处理的设计说明 * rebase * fix(qqbot): align slash-command auth with shared command-auth model Route requireAuth:true slash commands (e.g. /bot-logs) through the framework's api.registerCommand() so resolveCommandAuthorization() applies commands.allowFrom.qqbot precedence and qqbot: prefix normalization before any handler runs. - slash-commands.ts: registerCommand() now auto-routes by requireAuth into two maps (commands / frameworkCommands); getFrameworkCommands() exports the auth-required set for framework registration; bot-help lists both maps - index.ts: registerFull() iterates getFrameworkCommands() and calls api.registerCommand() for each; handler derives msgType from ctx.from, sends file attachments via sendDocument, supports multi-account via ctx.accountId - gateway.ts (inbound): replace raw allowFrom string comparison with qqbotPlugin.config.formatAllowFrom() to strip qqbot: prefix and uppercase before matching event.senderId - gateway.ts (pre-dispatch): remove stale auth computation; commandAuthorized is true (requireAuth:true commands never reach matchSlashCommand) - command-auth.test.ts: add regression tests for qqbot: prefix normalization in the inbound commandAuthorized computation - slash-commands.test.ts: update /bot-logs tests to expect null (command routed to framework, not in local registry) * rebase and solve conflict * fix(qqbot): preserve mixed env setup credentials --------- Co-authored-by: yuehuali <yuehuali@tencent.com> Co-authored-by: walli <walli@tencent.com> Co-authored-by: WideLee <limkuan24@gmail.com> Co-authored-by: Frank Yang <frank.ekn@gmail.com>
zeroaltitude
pushed a commit
that referenced
this pull request
Apr 14, 2026
* feat(skills): add secret-scanning-maintainer skill Add a maintainer-only skill for handling GitHub Secret Scanning alerts. Covers issue_comment, issue_body, pull_request_body, and commit leak types with redaction, history purge (delete+recreate for comments), author notification, and alert resolution workflows. * fix(skills): harden secret-scanning-maintainer based on security review - Remove all secret value fragments from redaction markers (type-only) - Remove alert URLs and partial secret previews from public comments - Use temp files with heredoc for all gh api body content (shell injection) - Add rule: never print raw API responses containing secrets to stdout - Notification comments now only reference secret type, no value hints Addresses 4 of 6 security findings from PR review: 1. Over-permissive redaction → type-only markers 3. Public partial preview + alert URL → removed from comments 4. Shell quoting risk → heredoc + temp file pattern 5. Stdout secret exposure → jq-only extraction rule Findings #2 (revoked without rotation) and #6 (public playbook) are accepted as-is with documented rationale. * fix(skills): address all bot review findings on secret-scanning skill Addresses findings from Codex, Greptile, and Aisle bot reviews: - Add pull_request_comment and pull_request_review_comment to location type routing table (was being skipped as unsupported) [Codex P1] - Use hide_secret=true on alert fetch to prevent plaintext in terminal [Codex P1] - Add jq filtering on all fetch commands to avoid printing .body or .secret to stdout [Codex P1, Aisle Medium] - Skip PATCH before DELETE for comments — PATCH creates an unnecessary edit history revision exposing plaintext [Greptile P1] - Use mktemp for all temp files instead of fixed /tmp paths [Aisle Medium] - Branch notification template by location type: comment says "removed and replaced", body says "redacted in place", commit says "committed" [Greptile P1] - Bump userContentEdits(first: 10) to first: 50 to reduce truncation risk [Greptile P2] - Fix batch listing jq query to use .html_url instead of .first_location_detected.html_url [Codex P2] - Use heredoc + temp file for comment recreation (was inline -f) [Codex P1] - Remove alert URLs from public notification templates [Codex P1] * feat(skills): extract secret-scanning operations into reusable script Add scripts/secret-scanning.mjs with subcommands: fetch-alert, fetch-content, redact-body, delete-comment, recreate-comment, notify, resolve, list-open, summary. Security enforcements now live in the script (not agent memory): - hide_secret=true on all alert fetches - mktemp with random UUIDs for all temp files - -F body=@file for all body uploads - .secret and .body never printed to stdout - notification templates branched by location type SKILL.md simplified from ~370 lines to ~170 lines — now a decision guide that references script commands instead of inline gh api calls. * fix(skills): enforce script summary output as final summary Agent was rewriting the summary table without URLs. Make SKILL.md explicit: the script output IS the final summary, do not reformat it. * fix(skills): add summary output markers for verbatim rendering Script summary now outputs ---BEGIN SUMMARY--- / ---END SUMMARY--- markers. SKILL.md instructs agent to output the content between markers verbatim, preventing reformatting that drops URLs. * fix(skills): address latest bot review findings on script - Restrict temp file permissions to 0600 (owner-only) [Codex P1] - Add --slurp to list-open and fetch-alert locations for correct multi-page JSON parsing [Codex P1, Codex P2] - Use commit_url/blob_url fallback for commit location URLs [Codex P2] - Add --paginate to locations fetch [Codex P2]
zeroaltitude
added a commit
that referenced
this pull request
Apr 27, 2026
Three concrete fixes for clawsweeper bot's review on PR openclaw#33845: 1. **Stop leaking test-only helpers through the public API barrel.** extensions/slack/api.ts previously did 'export * from ./src/sent-thread-cache.js', which re-exported the underscored test-only helpers (_flushPersist, _resetForTests) as part of the slack extension's public API. Same-process consumers could call _resetForTests('/some/path') to redirect the persist path and trigger arbitrary writes/renames/unlinks. Replace the wildcard with an explicit list of public exports (recordSlackThreadParticipation, hasSlackThreadParticipation, clearSlackThreadParticipationCache). 2. **Reinsert on update so Map insertion order reflects recency.** recordSlackThreadParticipation called Map.set on existing keys, which updates the value but keeps the key in its original insertion-order position. The serialise-time MAX_ENTRIES cap sorts by timestamp so this didn't affect on-disk output, but any future iteration-order-based eviction would silently use the wrong recency. Switch to delete-then-set so insertion order matches actual recency. 3. **Cap in-memory map size on insert, not just on serialise.** The pre-existing cap was applied only at serialisation time so busy workspaces accumulating thousands of unique threads between debounced persists could grow the in-memory Map unboundedly. Add insertion-time eviction: once persistState.entries.size exceeds MAX_ENTRIES, evict the oldest entry by Map insertion order (which now correctly reflects recency thanks to fix #2). New tests: - 'reinserts on update so Map insertion order reflects recency': records A, then B, then re-records A. Verifies on-disk insertion order is [B, A] (re-recorded A moves to most-recent position). - 'caps in-memory map size on insert (not just on serialise)': records 5005 unique threads, verifies the persisted file has exactly 5000 entries with the oldest 5 evicted. Tests: 17/17 pass (was 15; +2 new). Not addressed in this commit (acknowledged in the PR-comment follow-up): clawsweeper also recommended migrating from the hand-rolled persistence to src/plugin-sdk/persistent-dedupe.ts (or a future persistent-keyed-store from PR openclaw#70626) to inherit file locking, atomic writes, bounded/quarantined parsing, and the shared storage contract. That refactor is non-trivial because the SDK helper is async while the current public API is sync; maintainer guidance is needed on whether to make the API async or wrap with sync semantics. Tracked as a follow-up.
zeroaltitude
added a commit
that referenced
this pull request
Apr 27, 2026
opus-4-7 independent review found three issues missed by earlier review rounds: P1 — _persistPathOverride was still module-local Despite the Codex thread reply claiming the override moved into the shared persistState global, it was still a module-local 'let'. Tests passed by accident: in-memory dedupe shared via persistState.entries, but disk side effects from re-imported module copies leaked into STATE_DIR instead of the per-test temp dir. Moved into PersistState.persistPathOverride on the global singleton. P1 — CWE-59 symlink-follow on tmpPath (Aisle medium #2, unaddressed) tmpPath was ${filePath}.${process.pid}.tmp + default 'w' flag. A predictable name combined with a truncating O_CREAT would let an attacker who can write to the state dir pre-create a symlink at the tmp path pointing to e.g. /etc/passwd, and our write would follow it. Now uses randomUUID() for the name AND flag 'wx' (O_CREAT | O_EXCL) so any existing entry — file or symlink — fails the write safely. P2 — hydration ignored MAX_ENTRIES (Aisle medium #1) The 4 MB file-size cap permits ~250K entries through, blowing past the 5K in-memory MAX_ENTRIES on first load. Now collects valid candidates first, sorts DESC by ts, and slices to MAX_ENTRIES before inserting into the dedupe cache. Bounds memory regardless of file size up to MAX_PERSIST_FILE_BYTES. Tests: 26/26 pass (3 new tests covering each fix). Architectural note (per opus review): Land standalone. Don't migrate to plugin-sdk/persistent-dedupe — its hasRecent reads JSON on every miss, adding ~2-10ms to every Slack message in a thread the bot hasn't replied to (the dominant path for hasSlackThreadParticipation on the message-dispatch hot path). Warm-cache + debounced-write is correct here. Don't block on openclaw#70626.
zeroaltitude
added a commit
that referenced
this pull request
Apr 27, 2026
The user asked me to revisit items I had marked as 'follow-up' or 'could be added if you want' on PR openclaw#38162 and address them inline rather than carry them as future work. Three items qualified. 1) Aisle medium #2 — Unbounded transcript read for slug generation. getRecentSessionContent() called fs.readFile() on the entire session JSONL file. Long-running sessions can produce multi-hundred-MB transcripts (verbose tool I/O, base64 image content, etc.) and reading them whole into memory is a real OOM / DoS surface. Fix: cap the read at MAX_SESSION_FILE_TAIL_BYTES (8 MiB) using fs.open + fs.read with a trailing-window offset. Drop the (likely partial) first line after slicing so JSON.parse only sees whole records. The handler still produces correct slug input because we only use the last 15 user/assistant messages anyway. Test: synthesises a 12 MiB JSONL file with tail markers and verifies (a) no OOM, (b) the markers reach the resulting memory file (proving we read the END, not the beginning). 2) Aisle low #3 — Cross-platform path traversal hardening. The pre-flight guard rejected '..' and '../' and , but on POSIX hosts path.sep === '/' so backslash-style traversal ('..\') from a redirect path that originated on a Windows client slipped through. Same gap for UNC paths ('\\server\share', '\\?\C:\...') and Windows-style absolute paths ('C:\...'). These don't escape on Linux, but they create unpredictable cross-platform behavior and the snapshot-vs-realtime check is the classic Windows snapshot-bypass pattern. Fix: extended the pre-flight guard with explicit checks for backslash traversal, drive-letter prefixes, and UNC patterns. All are rejected with a structured log line that callouts the new reasons (windowsTraversal, unc) for diagnostics. Test: 3 candidates ('..\..\Windows\System32\stolen.md', '\\evil-server\share\stolen.md', '\\?\C:\Windows\stolen.md') all fail closed with no memory file produced. 3) Symlink rollback contract test (deferred when darfaz raised it). The retraction path resolves writtenFilePath via fs.realpath before touching the file, but there was no test that exercised this code path through a symlink. Added a test that: - Creates an in-workspace symlink (quarantine/redirected.md -> real/redirected.md) - Pre-populates the canonical target with 'pre-existing' - Drives the handler with a late blockSessionSave - Verifies the canonical target's pre-existing content is restored (not deleted, not clobbered, not escaped) and the workspace tree stays self-contained The test gracefully skips on filesystems that refuse fs.symlink so CI runners without symlink support don't block the PR. Tests: 39/39 pass on session-memory handler.test.ts (4 new tests). Net diff: +66/-9 handler.ts, +154/-1 handler.test.ts.
zeroaltitude
added a commit
that referenced
this pull request
Apr 28, 2026
…ests Three review-driven fixes per @zeroaltitude direction (b)+(c) + secret hygiene + tests: (b) Validate disk-vs-config before short-circuiting [Aisle High #2 / Codex P1 / Greptile P1 on PR openclaw#72869] The previous targetProvider short-circuit fired whenever the on-disk provider entry contained ANY non-empty credential. That silently bypassed: - rotated apiKey: cold start with new key, old key on disk, short-circuit fires, all calls fail until something else invalidates - attacker-tampered baseUrl: redirect to exfil endpoint kept - attacker-injected headers: arbitrary auth material kept New readExistingProviderMatchesConfig() does a strict structural comparison: apiKey - resolved through resolveSecretInputRef (env-ref expansion via createConfigRuntimeEnv) before string equality vs. disk baseUrl - exact string equality headers - stable structural equality (key-order independent) auth - stable structural equality Any mismatch (or any state we cannot conclusively verify, like a non-env secret ref) returns false and falls through to full planning. The short-circuit is now safe to use on cold start and after gateway restart. (c) Hash models.json content into the cache key [Codex P1 on PR openclaw#72869] Previous fingerprint had no models.json input \u2014 once the cache was populated, unchanged config/auth returned cached success even after the file was edited externally / partially corrupted / manually tampered. Now readyCache stores both the input fingerprint AND the post-write models.json SHA-256. Cache hit requires both to match; any external edit invalidates. Captures the hash at three points (skip path, noop path, write path) so the second factor is always recorded. Aisle medium #5: hash fingerprint before storage Raw stable-stringified config (including apiKey strings) used to sit verbatim in MODELS_JSON_STATE.readyCache. SHA-256 over the canonical payload is now the cache key \u2014 deterministic but not reversible, so heap snapshots / debug telemetry / core dumps can't leak secrets via the readyCache state. Greptile P2: targetProvider short-circuit tests New file models-config.target-provider-short-circuit.test.ts with 6 cases: - hit-on-match (full structural match short-circuits) - miss-on-rotated-key (config apiKey change forces plan) - miss-on-baseUrl-change (tampered disk baseUrl rejects) - miss-on-tampered-headers (any header drift rejects) - miss-on-cold-cache (no disk file forces plan) - hit-after-warm-fingerprint + invalidation on external models.json edit (modelsJsonHash second-factor verified) Existing fingerprint-cache test updated: The 'volatile fields rotate' test mixed type:oauth (correctly volatile) with type:token (now correctly NOT volatile after d505fa0). Split into two tests: - OAuth session-field rotation does NOT invalidate (existing intent, narrowed to oauth-only profiles) - Static type:token credential rotation DOES invalidate (Codex/Greptile P2 - new correct behavior) State shape change: MODELS_JSON_STATE.readyCache value extended with modelsJsonHash: { fingerprint, modelsJsonHash, result } All three return paths in the plan closure capture this. Tests: 13/13 (6 new + 7 existing fingerprint-cache + file-mode). Lint: 0 errors. TS: clean.
zeroaltitude
added a commit
that referenced
this pull request
Apr 28, 2026
Addresses Codex P1, Greptile P2, and Aisle Med #1/#2/#3 on openclaw#73260: # Streaming bounded hash (Codex P1 / Aisle Med #2) The previous oversize-branch in readAuthProfilesStableHash still did fs.readFile(path) which loaded the entire file into memory \u2014 the MAX_AUTH_PROFILES_BYTES cap was effectively unenforced. Same problem for readModelsJsonContentHash (no cap at all). New helper safeHashRegularFile(): - lstat first; reject symlinks and non-regular files - bail at lstat-time if size exceeds maxBytes (returns sentinel hash so size-change still invalidates the cache) - open with O_NOFOLLOW where supported (closes lstat\u2192open TOCTOU) - fstat after open to verify it's still a regular file - createReadStream(fd) with bounded highWaterMark; destroy if accumulated bytes exceed maxBytes (handles the case where attacker grows the file between lstat and stream completion) Both readers now route through safeHashRegularFile. Models.json gets a 1 MiB cap (MAX_MODELS_JSON_BYTES); auth-profiles keeps its 8 MiB cap. # O_NOFOLLOW chmod (Aisle Med #1, CWE-367) The previous lstat-then-chmod sequence was racy: an attacker who could rename/replace ${agentDir}/models.json between the two syscalls could have chmod() follow a swapped-in symlink to an arbitrary file. Replaced with fs.open(path, O_RDONLY | O_NOFOLLOW) \u2192 fchmod via the file handle. The open itself refuses symlinks atomically; the fchmod operates on the validated fd, eliminating the race. When O_NOFOLLOW is unavailable (rare but possible), falls back to plain O_RDONLY \u2014 the prior lstat protection was already best-effort. # Symlink-safe reads (Aisle Med #3, CWE-59) Previous fs.readFile in the hash readers followed symlinks. With the safeHashRegularFile refactor above, both auth-profiles.json and models.json now reject symlinks before reading. # JSDoc fix (Greptile P2) readModelsJsonContentHash's prior comment said "forces a re-plan" when the file is absent, but the call site does null === null comparison which is a cache hit, not a re-plan (the steady-state skip case for plan.action === 'skip'). Updated the comment to explain the actual semantics: stable absence is a stable result; drift is a re-plan. # Tests 14/14 existing tests pass. No new test cases needed \u2014 the existing file-mode and fingerprint-cache tests cover both the symlink-rejection paths (via lstat shortcut) and the modelsJsonHash second-factor. Lint: 0 errors.
zeroaltitude
added a commit
that referenced
this pull request
Apr 28, 2026
…tegration Addresses Codex P2, Greptile P1+P2x2, and Aisle High #1 + Med #2/#3/#4 on PR openclaw#73261: # Greptile P1 / Aisle High #1: asymmetric baseUrl (CWE-918, SSRF) The previous guard: if (typeof configuredProvider.baseUrl === 'string' && configuredProvider.baseUrl !== diskProvider.baseUrl) short-circuited the check entirely when config omitted baseUrl (common for providers with compiled-in defaults). An attacker who could tamper with on-disk models.json could set baseUrl to an exfil endpoint and the short-circuit would accept it silently \u2014 exactly the SSRF/credential-exfil vector this PR was meant to close. Replaced with symmetric stableEqual() so config-undefined vs disk-string is a mismatch and falls through to full planning, which re-applies provider/plugin defaults and rewrites the file. # Codex P2: env-ref API key comparison resolveConfiguredApiKeyForCompare resolved env refs to the env-var VALUE (env[ref.id]). But planOpenClawModelsJson persists env-source api keys to models.json as the env-var NAME (e.g. 'OPENAI_API_KEY'), not the value \u2014 that's what resolveApiKeyFromCredential returns for env source. Comparing value-vs-name always mismatched, so the short-circuit never fired for the most common config form ('apiKey: "${env.OPENAI_API_KEY}"'). Now the helper returns the env-var NAME for env-source refs, while still verifying the env is currently populated (so we don't short-circuit on a misconfigured environment). Plaintext values still compare directly. # Greptile P2 (perf): readyCache integration The short-circuit returned before the readyCache check, so warm callers paid the disk read + JSON.parse cost on every call. Reordered: 1. compute fingerprint (cheap) 2. check readyCache \u2014 warm hit returns immediately, no disk I/O 3. if cold, attempt short-circuit on disk 4. if short-circuit succeeds, populate readyCache so subsequent calls take the warm path Net effect: warm callers now skip disk entirely; cold callers with intact disk state still get the short-circuit benefit; full plan fires only on real drift. # Aisle Med #2 (CWE-59): symlink-following short-circuit reads readExistingProviderMatchesConfig used fs.readFile on a possibly- symlinked target. Now lstat-checks first and refuses symlinks / non-regular files. # Aisle Med #3 (CWE-1321): prototype-chain key access explicitProviders[targetProvider] could fall through to a prototype key like '__proto__' / 'constructor' / 'prototype'. Now uses Object.hasOwn at both lookup sites (caller AND readExistingProviderMatchesConfig) to refuse inherited keys. Also explicit string check rejects the three known dangerous keys. # Aisle Med #4 (CWE-400): unbounded models.json read Added MAX_MODELS_JSON_SHORT_CIRCUIT_BYTES = 1 MiB cap on the disk read in the short-circuit path. Files above the cap fall through to full planning rather than being parsed. # Tests Updated hit-after-warm-fingerprint test (Greptile P2) to use fs.readFile spy and assert no disk read occurs on the warm path. Added short-circuit-populates-cache test that drops the in-memory cache between runs, fires the short-circuit, then verifies the third call takes the warm path with no disk read. 14/14 tests pass. Lint: 0 errors.
zeroaltitude
added a commit
that referenced
this pull request
May 5, 2026
…ransport check + bounded compare (review feedback) Codex P1+P2 (and matching Aisle High #2 / medium #3) on PR openclaw#73261. ClawSweeper rejected the previous round's "wrong solution" \u2014 the global readyCache write after a provider-scoped check, an unbounded recursive stableEqual on disk-controlled state, no per-model transport drift check, and a fail-open malformed-apiKey branch. Redesign: # Provider-scoped readyCache (Codex P1) The previous version called MODELS_JSON_STATE.readyCache.set(cacheKey, ...) after the targetProvider short-circuit, where cacheKey was the GLOBAL fingerprint key. A later non-targeted ensureOpenClawModelsJson call would hit that entry and skip the full plan even though only one provider was validated. After the redesign, successful short-circuits populate a SCOPED key: `${targetPath}\\0${fingerprint}\\0sc:${targetProvider}` which non-targeted callers never compute. Targeted callers consult the scoped key first, hit it warm if present (with the same modelsJsonHash two-factor verification as the global cache), and fall through to the disk-based check otherwise. Non-targeted callers always run a full plan to validate every provider. # Per-model transport drift (Codex P1 / Aisle High #2) The runtime consumes per-model `baseUrl` / `api` / `headers` from models.json (`pi-embedded-runner/model.ts` falls back to `discoveredModel.baseUrl` / `.api` / `.headers` when no provider-level override is set). The previous comparison only covered provider-level fields, so an attacker who could write models.json could keep provider-level apiKey/baseUrl/headers/auth intact while injecting a per-model `baseUrl: \"https://attacker.example/v1\"` and the short- circuit would accept it. After the redesign, any disk-side per-model transport field forces a full re-plan that re-applies provider/plugin defaults and rewrites the file. This is intentionally strict: the common case (no per-model transport overrides) still gets the short- circuit; configurations that legitimately use per-model transport just skip the fast path. # Bounded structural equality (Codex P2 / Aisle medium #3) `stableEqual = stableStringify(a) === stableStringify(b)` recurses without depth bounds. A small but pathologically nested `models.json` (e.g. `{a: {a: {a: ...}}}`) could stack-overflow the gateway during the short-circuit comparison. Added `stableStringifyBounded` (throws on overrun) + `stableEqualBounded` (catches the overrun and returns false \u2014 fail closed to the full plan). Used for baseUrl/headers/auth comparisons against disk-controlled state with `SHORT_CIRCUIT_COMPARE_MAX_DEPTH = 64`. The original unbounded `stableEqual` is removed; the trusted- input fingerprint pipeline still uses unbounded `stableStringify`. # Fail closed on malformed disk apiKey (Codex P2) When config has no apiKey, the previous fail-open branch only rejected non-empty strings on disk \u2014 numbers, null, objects, etc. were silently accepted. Now anything other than `undefined` or empty string forces a re-plan. # Reuse openclaw#73260's safeHashRegularFile The disk read in `readExistingProviderMatchesConfig` now uses `safeHashRegularFile` (the fingerprint-cache primitive) for O_NOFOLLOW open + lstat/fstat regular-file check + size cap + fail-closed on grow-past-cap. Drops the redundant `MAX_MODELS_JSON_SHORT_CIRCUIT_BYTES` constant in favour of the shared `MAX_MODELS_JSON_BYTES` from openclaw#73260. # Tests 13/13 pass in src/agents/models-config.target-provider-short-circuit.test.ts: - existing 5 (hit-on-match, miss-on-rotated-key, miss-on-baseUrl, miss-on-headers, miss-on-cold-cache, hit-after-warm-fingerprint) still pass with the new code path. - `short-circuit-populates-scoped-cache` rewritten: third call hits the SCOPED cache entry with no fs.readFile (modelsJsonHash uses createReadStream). - `scoped-cache-isolation` (new): targeted short-circuit followed by non-targeted call with same fingerprint runs full plan (does NOT hit the scoped entry). - `miss-on-per-model-baseUrl` / `miss-on-per-model-headers` / `miss-on-per-model-api` (new): per-model transport overrides on disk reject the short-circuit and fall through to a full plan. - `miss-on-deep-nested-disk` (new): 200-level-deep adversarial disk headers fall through cleanly without throwing/overflowing. - `miss-on-malformed-disk-apiKey` (new): non-string disk apiKey rejects when config has no apiKey. Also backfills the missing `resolveProviderEnvAuthEvidence`/`listProviderEnvAuthLookupKeys`/ `resolveProviderEnvAuthLookupKeys` exports in the `model-auth-env-vars.js` mock so the test suite runs against the post-merge `model-auth-env.ts` surface (same fix openclaw#73260's follow-up landed for its fingerprint-cache test). # Validation (from worktree ~/projects/worktrees/openclaw/perf-models-config-target-provider): pnpm vitest run src/agents/models-config.target-provider-short-circuit.test.ts Test Files 1 passed (1) Tests 13 passed (13) pnpm vitest run src/agents/models-config.fingerprint-cache.test.ts \\ src/agents/models-config.target-provider-short-circuit.test.ts Test Files 2 passed (2) Tests 19 passed (19) pnpm tsgo:core # 0 errors pnpm tsgo:core:test # 0 errors pnpm oxlint src/agents/models-config.ts \\ src/agents/models-config.target-provider-short-circuit.test.ts Found 0 warnings and 0 errors. git diff --check # clean Beads: openclaw-l5q
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.