Integration feb 2026#5
Closed
zeroaltitude wants to merge 518 commits intomainfrom
Closed
Conversation
|
The formal models extracted constants ( This check is informational (not blocking merges yet). If this change is intentional, follow up by updating the formal models repo or regenerating the extracted artifacts there. |
2 similar comments
|
The formal models extracted constants ( This check is informational (not blocking merges yet). If this change is intentional, follow up by updating the formal models repo or regenerating the extracted artifacts there. |
|
The formal models extracted constants ( This check is informational (not blocking merges yet). If this change is intentional, follow up by updating the formal models repo or regenerating the extracted artifacts there. |
5c4de00 to
3acb7ec
Compare
…aw#27622) * Update onboard-auth.config-minimax.ts fix issue openclaw#27600 * fix(minimax): default authHeader for implicit + onboarding providers (openclaw#27600) Landed from contributor PR openclaw#27622 by @riccoyuanft and PR openclaw#27631 by @kevinWangSheng. Includes a small TS nullability guard in lane delivery to keep build green on rebased head. Co-authored-by: riccoyuanft <riccoyuan@gmail.com> Co-authored-by: Kevin Shenghui <shenghuikevin@github.com> --------- Co-authored-by: Peter Steinberger <steipete@gmail.com> Co-authored-by: Kevin Shenghui <shenghuikevin@github.com>
Co-authored-by: jaden-clovervnd <91520439+jaden-clovervnd@users.noreply.github.com> Co-authored-by: Sid <201593046+Sid-Qin@users.noreply.github.com> Co-authored-by: Marcus Widing <245375637+widingmarcus-cyber@users.noreply.github.com>
…#28707) thanks @tsu-builds Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: tsu-builds <264409075+tsu-builds@users.noreply.github.com> Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
…utbound (openclaw#29264) thanks @paceyw Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: paceyw <44923937+paceyw@users.noreply.github.com> Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
…hanks @Takhoffman Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: Takhoffman <781889+Takhoffman@users.noreply.github.com> Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
…access control (openclaw#29174) thanks @1MoreBuild Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: 1MoreBuild <11406106+1MoreBuild@users.noreply.github.com> Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
…ession (openclaw#10407) * fix(feishu): remove incorrect oc_ prefix assumption in resolveFeishuSession - Feishu oc_ is a generic chat_id that can represent both groups and DMs - Must use chat_mode field from API to distinguish, not ID prefix - Only ou_/on_ prefixes reliably indicate user IDs (always DM) - Fixes session misrouting for DMs with oc_ chat IDs This bug caused DM messages with oc_ chat_ids to be incorrectly created as group sessions, breaking session isolation and routing. * docs: update Feishu ID format comment to reflect oc_ ambiguity The previous comment incorrectly stated oc_ is always a group chat. This update clarifies that oc_ chat_ids can be either groups or DMs, and explicit prefixes (dm:/group:) should be used to distinguish. * feishu: add regression coverage for oc session routing --------- Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
Enrich every browser action response with the resolved page URL so downstream consumers (security plugins, audit loggers) know which page was targeted without a separate tabs query. - Add shared withRouteTabContext URL enrichment wrapper (agent.shared.ts) - Resolve live URL via Playwright, fall back to tab list URL - Include url field in browser-tool console message results - Push URL changes from Chrome extension background script Co-authored-by: Eddie Abrams <eddie@bighatbio.com>
… start thread When requireMention is enabled, thread replies were only routed to the bot if it authored the parent message. This missed the common case where a user @mentions the bot in a channel, the bot replies in-thread, and subsequent thread replies should route without repeated @mentions. Now checks for bot participation via: 1. Existing thread session (cheap file read) 2. Slack conversations.replies API (lightweight fallback) Both checks are gated behind wouldRequireMention to avoid unnecessary API calls in channels that don't require mentions. Includes 3 test cases covering session-based, API-based, and negative (no participation) scenarios. Co-authored-by: Eddie Abrams <eddie@bighatbio.com>
When a channel config has top-level tokens (botToken/appToken/token) AND named accounts in the accounts section, listAccountIds() omitted the default account. This meant only named accounts started, leaving the base-config bot disconnected. Now detects base-level tokens and includes 'default' alongside named accounts so both providers start. Includes 3 test cases: base tokens present, default already in accounts (no duplicate), and no base tokens (unchanged behavior). Co-authored-by: Eddie Abrams <eddie@bighatbio.com>
Add 6 new plugin hooks giving plugins fine-grained visibility and control over the agent loop: Observability hooks (before/after LLM call + context assembly): - before_llm_call: inspect/modify context, filter tools, or block - after_llm_call: inspect response, filter tool calls, or block - context_assembled: observe full assembled context (fire-and-forget) Lifecycle + output gating hooks: - loop_iteration_start/end: track agent loop iterations - before_response_emit: modify or block final response delivery Also includes: - Sender identity context (senderId, senderName, senderIsOwner, groupId, spawnedBy, sourceProvider) on PluginHookAgentContext - sessionKey on message_sending hook context - Registration-order (FIFO) hook execution replacing priority numbers - clearInternalHooks moved before plugin registration to ensure plugin hooks run before bundled hooks for the same event - Session-memory handler extensions (blockSessionSave, sessionSaveRedirectPath, sessionSaveContent) Co-authored-by: Eddie Abrams <eddie@bighatbio.com>
Validate and normalize Discord delivery targets at resolution time instead of failing silently at send. Adds: - parseDiscordTarget validation for ambiguous bare numeric IDs - Session-based fallback for implicit/heartbeat delivery modes - Clear error messages for ambiguous recipients Co-authored-by: Eddie Abrams <eddie@bighatbio.com>
758e5fa to
df163ee
Compare
zeroaltitude
pushed a commit
that referenced
this pull request
Apr 2, 2026
* feat: add QQ Bot channel extension * fix(qqbot): add setupWizard to runtime plugin for onboard re-entry * fix: fix review * fix: fix review * chore: sync lockfile and config-docs baseline for qqbot extension * refactor: 移除图床服务器相关代码 * fix * docs: 新增 QQ Bot 插件文档并修正链接路径 * refactor: remove credential backup functionality and update setup logic - Deleted the credential backup module to streamline the codebase. - Updated the setup surface to handle client secrets more robustly, allowing for configured secret inputs. - Simplified slash commands by removing unused hot upgrade compatibility checks and related functions. - Adjusted types to use SecretInput for client secrets in QQBot configuration. - Modified bundled plugin metadata to allow additional properties in the config schema. * feat: 添加本地媒体路径解析功能,修正 QQBot 媒体路径处理 * feat: 添加本地媒体路径解析功能,修正 QQBot 媒体路径处理 * feat: remove qqbot-media and qqbot-remind skills, add tests for config and setup - Deleted the qqbot-media and qqbot-remind skills documentation files. - Added unit tests for qqbot configuration and setup processes, ensuring proper handling of SecretRef-backed credentials and account configurations. - Implemented tests for local media path remapping, verifying correct resolution of media file paths. - Removed obsolete channel and remind tools, streamlining the codebase. * feat: 更新 QQBot 配置模式,添加音频格式和账户定义 * feat: 添加 QQBot 频道管理和定时提醒技能,更新媒体路径解析功能 * fix * feat: 添加 /bot-upgrade 指令以查看 QQBot 插件升级指引 * feat: update reminder and qq channel skills * feat: 更新remind工具投递目标地址格式 * feat: Refactor QQBot payload handling and improve code documentation - Simplified and clarified the structure of payload interfaces for Cron reminders and media messages. - Enhanced the parsing function to provide clearer error messages and improved validation. - Updated platform utility functions for better cross-platform compatibility and clearer documentation. - Improved text parsing utilities for better readability and consistency in emoji representation. - Optimized upload cache management with clearer comments and reduced redundancy. - Integrated QQBot plugin into the bundled channel plugins and updated metadata for installation. * OK apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift > openclaw@2026.3.26 check:bundled-channel-config-metadata /Users/yuehuali/code/PR/openclaw > node --import tsx scripts/generate-bundled-channel-config-metadata.ts --check [bundled-channel-config-metadata] stale generated output at src/config/bundled-channel-config-metadata.generated.ts ELIFECYCLE Command failed with exit code 1. ELIFECYCLE Command failed with exit code 1. * feat: 添加 QQBot 渠道配置及相关账户设置 * fix(qqbot): resolve 14 high-priority bugs from PR openclaw#52986 review DM routing (7 fixes): - #1: DM slash-command replies use sendDmMessage(guildId) instead of sendC2CMessage(senderId) - #2: DM qualifiedTarget uses qqbot:dm:${guildId} instead of qqbot:c2c:${senderId} - #3: sendTextChunks adds DM branch - #4: sendMarkdownReply adds DM branch for text and Base64 images - #5: parseAndSendMediaTags maps DM to targetType:dm + guildId - #6: sendTextToTarget DM branch uses sendDmMessage; MessageTarget adds guildId field - #7: handleImage/Audio/Video/FilePayload add DM branches Other high-priority fixes: - #8: Fix sendC2CVoiceMessage/sendGroupVoiceMessage parameter misalignment - #9: broadcastMessage uses groupOpenid instead of member_openid for group users - #10: Unify KnownUser storage - proactive.ts delegates to known-users.ts - #11: Remove invalid recordKnownUser calls for guild/DM users - #12: sendGroupMessage uses sendAndNotify to trigger onMessageSent hook - #13: sendPhoto channel unsupported returns error field - #14: sendTextAfterMedia adds channel and dm branches Type fixes: - DeliverEventContext adds guildId field - MediaTargetContext.targetType adds dm variant - sendPlainTextReply imgMediaTarget adds DM branch * fix(qqbot): resolve 2 blockers + 7 medium-priority bugs from PR openclaw#52986 review Blocker-1: Remove unused dmPolicy config knob - dmPolicy was declared in schema/types/plugin.json but never consumed at runtime - Removed from config-schema.ts, types.ts, and openclaw.plugin.json - allowFrom remains active (already wired into framework command-auth) Blocker-2: Gate sensitive slash commands with allowFrom authorization - SlashCommand interface adds requireAuth?: boolean - SlashCommandContext adds commandAuthorized: boolean - /bot-logs set to requireAuth: true (reads local log files) - matchSlashCommand rejects unauthorized senders for requireAuth commands - trySlashCommandOrEnqueue computes commandAuthorized from allowFrom config Medium-priority fixes: - #15: Strip non-HTTP/non-local markdown image tags to prevent path leakage - #16: applyQQBotAccountConfig clears clientSecret when setting clientSecretFile and vice versa - #17: getAdminMarkerFile sanitizes accountId to prevent path traversal - #18: URGENT_COMMANDS uses exact match instead of startsWith prefix match - #19: isCronExpression validates each token starts with a cron-valid character - openclaw#20: --token format validation rejects malformed input without colon separator - openclaw#21: resolveDefaultQQBotAccountId checks QQBOT_APP_ID environment variable * test(qqbot): add focused tests for slash command authorization path - Unauthorized sender rejected for /bot-logs (requireAuth: true) - Authorized sender allowed for /bot-logs - Non-requireAuth commands (/bot-ping, /bot-help, /bot-version) work for all senders - Unknown slash commands return null (passthrough) - Non-slash messages return null - Usage query (/bot-logs ?) also gated by auth check * fix(qqbot): align global TTS fallback with framework config resolution - Extract isGlobalTTSAvailable to utils/audio-convert.ts, mirroring core resolveTtsConfig logic: check auto !== 'off', fall back to legacy enabled boolean, default to off when neither is set. - Add pre-check in reply-dispatcher before calling globalTextToSpeech to avoid unnecessary TTS calls and noisy error logs when TTS is not configured. - Remove inline as any casts; use OpenClawConfig type throughout. - Refactor handleAudioPayload into flat early-return structure with unified send path (plugin TTS → global fallback → send). * fix(qqbot): break ESM circular dependency causing multi-account startup crash The bundled gateway chunk had a circular static import on the channel chunk (gateway -> outbound-deliver -> channel, while channel dynamically imports gateway). When two accounts start concurrently via Promise.all, the first dynamic import triggers module graph evaluation; the circular reference causes api exports (including runDiagnostics) to resolve as undefined before the module finishes evaluating. Fix: extract chunkText and TEXT_CHUNK_LIMIT from channel.ts into a new text-utils.ts leaf module. outbound-deliver.ts now imports from text-utils.ts, breaking the cycle. channel.ts re-exports for backward compatibility. * fix(qqbot): serialize gateway module import to prevent multi-account startup race When multiple accounts start concurrently via Promise.all, each calls await import('./gateway.js') independently. Due to ESM circular dependencies in the bundled output, the first import can resolve transitive exports as undefined before module evaluation completes. Fix: cache the dynamic import promise in a module-level variable so all concurrent startAccount calls share the same import, ensuring the gateway module is fully evaluated before any account uses it. * refactor(qqbot): remove startup greeting logic Remove getStartupGreetingPlan and related startup greeting delivery: - Delete startup-greeting.ts (greeting plan, marker persistence) - Delete admin-resolver.ts (admin resolution, greeting dispatch) - Remove startup greeting calls from gateway READY/RESUMED handlers - Remove isFirstReadyGlobal flag and adminCtx * fix(qqbot): skip octal escape decoding for Windows local paths Windows paths like C:\Users\1\file.txt contain backslash-digit sequences that were incorrectly matched as octal escape sequences and decoded, corrupting the file path. Detect Windows local paths (drive letter or UNC prefix) and skip the octal decoding step for them. * fix bot issue * feat: 支持 TTS 自动开关并清理配置中的 clientSecretFile * docs: 添加 QQBot 配置和消息处理的设计说明 * rebase * fix(qqbot): align slash-command auth with shared command-auth model Route requireAuth:true slash commands (e.g. /bot-logs) through the framework's api.registerCommand() so resolveCommandAuthorization() applies commands.allowFrom.qqbot precedence and qqbot: prefix normalization before any handler runs. - slash-commands.ts: registerCommand() now auto-routes by requireAuth into two maps (commands / frameworkCommands); getFrameworkCommands() exports the auth-required set for framework registration; bot-help lists both maps - index.ts: registerFull() iterates getFrameworkCommands() and calls api.registerCommand() for each; handler derives msgType from ctx.from, sends file attachments via sendDocument, supports multi-account via ctx.accountId - gateway.ts (inbound): replace raw allowFrom string comparison with qqbotPlugin.config.formatAllowFrom() to strip qqbot: prefix and uppercase before matching event.senderId - gateway.ts (pre-dispatch): remove stale auth computation; commandAuthorized is true (requireAuth:true commands never reach matchSlashCommand) - command-auth.test.ts: add regression tests for qqbot: prefix normalization in the inbound commandAuthorized computation - slash-commands.test.ts: update /bot-logs tests to expect null (command routed to framework, not in local registry) * rebase and solve conflict * fix(qqbot): preserve mixed env setup credentials --------- Co-authored-by: yuehuali <yuehuali@tencent.com> Co-authored-by: walli <walli@tencent.com> Co-authored-by: WideLee <limkuan24@gmail.com> Co-authored-by: Frank Yang <frank.ekn@gmail.com>
zeroaltitude
added a commit
that referenced
this pull request
Apr 28, 2026
Five issues raised by Aisle / Codex / Greptile review on PR openclaw#72869, addressed inline rather than deferred: 1. CWE-59 symlink-following chmod (Aisle high #1) ensureModelsFileModeForModelsJson called fs.chmod on a path that may be replaced by a symlink. If an attacker can write to the agent dir (or OPENCLAW_AGENT_DIR points there), the chmod followed the link and changed perms on an arbitrary owned file. Now lstat first and refuse to chmod symlinks or non-regular files. 2. Prototype pollution via JSON keys (Aisle medium #3 / CWE-1321) stripAuthProfilesVolatileFields() copied untrusted keys into a plain {} object. Special keys '__proto__', 'constructor', 'prototype' could mutate the result's prototype chain. Now uses Object.create(null) for the result and explicitly filters those three keys (belt-and-suspenders). 3. DoS via unbounded auth-profiles fingerprinting (Aisle medium #4) readAuthProfilesStableHash had no size or depth limits. - Added MAX_AUTH_PROFILES_BYTES = 8 MiB. Above the cap we hash raw bytes instead of running JSON.parse + recursive transform + stable-stringify. - Added MAX_AUTH_PROFILES_DEPTH = 64 with a depth-cap marker so the recursive walk can't stack-overflow on pathologically nested input. 4. 'token' incorrectly stripped from fingerprint (Codex P2 / Greptile P2) AUTH_PROFILE_VOLATILE_FIELDS included 'token' to keep OAuth session token rotation from invalidating the cache. But profiles with type: 'token' use the literal 'token' key as a long-lived static credential — stripping it would mask real auth-state changes when a user rotates a static API token. Removed 'token' from the volatile set and documented the boundary inline. OAuth session fields ('access', 'refresh') and timing fields stay stripped. Skipped from this commit (will reply on threads): - Cache short-circuit on stale on-disk credentials (Codex/Greptile P1): separate concern from the security fixes; needs design discussion on whether to validate disk-vs-config or remove the short-circuit. - models.json drift in cache key (Codex P1): same — touches the fingerprint shape and overlaps with the targetProvider short-circuit. - targetProvider short-circuit untested (Greptile P2): test follow-up once the short-circuit semantics are settled. - Aisle medium #5 (raw secrets in fingerprint cache): structurally larger refactor; needs to land separately to keep this commit\'s blast radius clear. Lint: 0 errors. TS: clean.
zeroaltitude
added a commit
that referenced
this pull request
Apr 28, 2026
…ests Three review-driven fixes per @zeroaltitude direction (b)+(c) + secret hygiene + tests: (b) Validate disk-vs-config before short-circuiting [Aisle High #2 / Codex P1 / Greptile P1 on PR openclaw#72869] The previous targetProvider short-circuit fired whenever the on-disk provider entry contained ANY non-empty credential. That silently bypassed: - rotated apiKey: cold start with new key, old key on disk, short-circuit fires, all calls fail until something else invalidates - attacker-tampered baseUrl: redirect to exfil endpoint kept - attacker-injected headers: arbitrary auth material kept New readExistingProviderMatchesConfig() does a strict structural comparison: apiKey - resolved through resolveSecretInputRef (env-ref expansion via createConfigRuntimeEnv) before string equality vs. disk baseUrl - exact string equality headers - stable structural equality (key-order independent) auth - stable structural equality Any mismatch (or any state we cannot conclusively verify, like a non-env secret ref) returns false and falls through to full planning. The short-circuit is now safe to use on cold start and after gateway restart. (c) Hash models.json content into the cache key [Codex P1 on PR openclaw#72869] Previous fingerprint had no models.json input \u2014 once the cache was populated, unchanged config/auth returned cached success even after the file was edited externally / partially corrupted / manually tampered. Now readyCache stores both the input fingerprint AND the post-write models.json SHA-256. Cache hit requires both to match; any external edit invalidates. Captures the hash at three points (skip path, noop path, write path) so the second factor is always recorded. Aisle medium #5: hash fingerprint before storage Raw stable-stringified config (including apiKey strings) used to sit verbatim in MODELS_JSON_STATE.readyCache. SHA-256 over the canonical payload is now the cache key \u2014 deterministic but not reversible, so heap snapshots / debug telemetry / core dumps can't leak secrets via the readyCache state. Greptile P2: targetProvider short-circuit tests New file models-config.target-provider-short-circuit.test.ts with 6 cases: - hit-on-match (full structural match short-circuits) - miss-on-rotated-key (config apiKey change forces plan) - miss-on-baseUrl-change (tampered disk baseUrl rejects) - miss-on-tampered-headers (any header drift rejects) - miss-on-cold-cache (no disk file forces plan) - hit-after-warm-fingerprint + invalidation on external models.json edit (modelsJsonHash second-factor verified) Existing fingerprint-cache test updated: The 'volatile fields rotate' test mixed type:oauth (correctly volatile) with type:token (now correctly NOT volatile after d505fa0). Split into two tests: - OAuth session-field rotation does NOT invalidate (existing intent, narrowed to oauth-only profiles) - Static type:token credential rotation DOES invalidate (Codex/Greptile P2 - new correct behavior) State shape change: MODELS_JSON_STATE.readyCache value extended with modelsJsonHash: { fingerprint, modelsJsonHash, result } All three return paths in the plan closure capture this. Tests: 13/13 (6 new + 7 existing fingerprint-cache + file-mode). Lint: 0 errors. TS: clean.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.