github/openclaw
1
1
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-02-19 18:39:20 -05:00
Code Issues Packages Projects Releases Wiki Activity
8,617 Commits 404 Branches 56 Tags
fix/local-embedding-l2-normalization
Commit Graph

395 Commits

Author SHA1 Message Date
Peter Steinberger
a1e89afcc1 fix: secure chrome extension relay cdp 2026-02-01 02:25:14 -08:00
Armin Ronacher
ca92597e1f Merge commit from fork 2026-02-01 10:43:54 +01:00
Aldo
66e33abd7b Docs: mention weak gateway auth tokens 2026-01-31 20:48:00 -05:00
Stefan Förster
7a2c4d3cf1 fix(docs): use canonical openclaw.ai domain instead of openclaw.bot 2026-01-31 20:34:51 -05:00
Seb Slight
abcaa8c7a9 Docs: add nav titles across docs (#5689) 2026-01-31 15:04:03 -06:00
Josh Palmer
7a6c40872d Agents: add system prompt safety guardrails (#5445) 
* 🤖 agents: add system prompt safety guardrails

What:
- add safety guardrails to system prompt
- update system prompt docs
- update prompt tests

Why:
- discourage power-seeking or self-modification behavior
- clarify safety/oversight priority when conflicts arise

Tests:
- pnpm lint (pass)
- pnpm build (fails: DefaultResourceLoader missing in pi-coding-agent)
- pnpm test (not run; build failed)

* 🤖 agents: tighten safety wording for prompt guardrails

What:
- scope safety wording to system prompts/safety/tool policy changes
- document Safety inclusion in minimal prompt mode
- update safety prompt tests

Why:
- avoid blocking normal code changes or PR workflows
- keep prompt mode docs consistent with implementation

Tests:
- pnpm lint (pass)
- pnpm build (fails: DefaultResourceLoader missing in pi-coding-agent)
- pnpm test (not run; build failed)

* 🤖 docs: note safety guardrails are soft

What:
- document system prompt safety guardrails as advisory
- add security note on prompt guardrails vs hard controls

Why:
- clarify threat model and operator expectations
- avoid implying prompt text is an enforcement layer

Tests:
- pnpm lint (pass)
- pnpm build (fails: DefaultResourceLoader missing in pi-coding-agent)
- pnpm test (not run; build failed)
 2026-01-31 15:50:15 +01:00
cpojer
8cab78abbc chore: Run pnpm format:fix. 2026-01-31 21:13:13 +09:00
Mario Zechner
bf15d0a3f5 Auth: switch Kimi Coding to built-in provider 2026-01-31 06:04:10 +01:00
Peter Steinberger
9a7160786a refactor: rename to openclaw 2026-01-30 03:16:21 +01:00
Gustavo Madeira Santana
a44da67069 fix: local updates for PR #3600 
Co-authored-by: kira-ariaki <kira-ariaki@users.noreply.github.com>
 2026-01-28 22:00:11 -05:00
Ayaan Zaidi
b6a3a91edf fix: wire per-account dm scope guidance (#3095) (thanks @jarvis-sam) 2026-01-28 11:42:33 +05:30
Boran Cui
394308076a Update Moonshot Kimi model references from kimi-k2-0905-preview to the latest kimi-k2.5 2026-01-27 21:10:59 -06:00
vignesh07
0b2b501856 docs: clarify v1++ claims (not just target lists) 2026-01-27 15:35:24 -08:00
vignesh07
ead73f86f0 docs: add v1++ formal model targets (pairing/ingress/routing) 2026-01-27 15:32:37 -08:00
Vignesh
f7a014228d Update permalink for formal verification document 2026-01-27 15:30:42 -08:00
vignesh07
90a6bbdbda docs: restore gateway/security formal verification redirect copy 2026-01-27 15:29:35 -08:00
Vignesh
2bcd7655e4 Replace 'clawdbot' with 'moltbot' in security documentation 
Updated references from 'clawdbot' to 'moltbot' throughout the document, including security settings, file paths, and command usage.
 2026-01-27 15:25:04 -08:00
vignesh07
98b136541b docs: fix Moltbot naming in security + formal verification pages 2026-01-27 15:15:18 -08:00
vignesh07
8198e826da docs: update security + formal verification pages for Moltbot rename 2026-01-27 15:12:26 -08:00
Shadow
f7a0b0934d Branding: update bot.molt bundle IDs + launchd labels 2026-01-27 14:46:50 -06:00
Peter Steinberger
6d16a658e5 refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
Peter Steinberger
83460df96f chore: update molt.bot domains 2026-01-27 12:21:01 +00:00
Vignesh
d3a6333ef7 docs: allow nested gateway security pages (#2641) 2026-01-26 23:41:35 -08:00
Vignesh
9a2be717b7 docs: redirect gateway/security/formal-verification (#2594) 2026-01-26 21:28:45 -08:00
Peter Steinberger
78f0bc3ec0 fix(browser): gate evaluate behind config flag 2026-01-27 05:00:39 +00:00
Vignesh
f72b881276 docs: fix formal verification route (#2583) 2026-01-26 20:50:11 -08:00
vignesh07
39260e7055 docs(security): publish formal verification page under gateway/security 2026-01-26 20:32:12 -08:00
Peter Steinberger
e7fdccce39 refactor: route browser control via gateway/node 2026-01-27 03:24:54 +00:00
Gustavo Madeira Santana
b861a0bd73 Telegram: harden network retries and config 
Co-authored-by: techboss <techboss@users.noreply.github.com>
 2026-01-26 19:36:43 -05:00
Peter Steinberger
0f8f0fb9d7 docs: clarify command authorization for exec directives 2026-01-26 22:18:41 +00:00
Peter Steinberger
820ab8765a docs: clarify exec defaults 2026-01-26 21:37:56 +00:00
Peter Steinberger
1371e95e57 docs: clarify onboarding + credentials 2026-01-26 20:26:30 +00:00
Peter Steinberger
320b45c051 docs: note sandbox opt-in in gateway security 2026-01-26 20:13:10 +00:00
Peter Steinberger
000d5508aa docs(auth): remove external CLI OAuth reuse 2026-01-26 19:05:00 +00:00
Peter Steinberger
b9098f3401 fix: remove unsupported gateway auth off option 2026-01-26 17:44:23 +00:00
Peter Steinberger
e6bdffe568 feat: add control ui device auth bypass 2026-01-26 17:40:28 +00:00
Peter Steinberger
ded366d9ab docs: expand security guidance for prompt injection and browser control 2026-01-26 15:20:14 +00:00
Jamieson O'Reilly
a1f9825d63 security: add mDNS discovery config to reduce information disclosure (#1882) 
* security: add mDNS discovery config to reduce information disclosure

mDNS broadcasts can expose sensitive operational details like filesystem
paths (cliPath) and SSH availability (sshPort) to anyone on the local
network. This information aids reconnaissance and should be minimized
for gateways exposed beyond trusted networks.

Changes:
- Add discovery.mdns.enabled config option to disable mDNS entirely
- Add discovery.mdns.minimal option to omit cliPath/sshPort from TXT records
- Update security docs with operational security guidance

Minimal mode still broadcasts enough for device discovery (role, gatewayPort,
transport) while omitting details that help map the host environment.
Apps that need CLI path can fetch it via the authenticated WebSocket.

* fix: default mDNS discovery mode to minimal (#1882) (thanks @orlyjamie)

---------

Co-authored-by: theonejvo <orlyjamie@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-01-26 13:32:11 +00:00
Peter Steinberger
c4a80f4edb fix: require gateway auth by default 2026-01-26 12:56:33 +00:00
Peter Steinberger
fd9be79be1 fix: harden tailscale serve auth 2026-01-26 12:49:19 +00:00
Ross Morsali
ffaeee4c39 fix: preserve CLI session IDs for session resume 
- Add resumeArgs to DEFAULT_CLAUDE_BACKEND for proper --resume flag usage
- Fix gateway not preserving cliSessionIds/claudeCliSessionId in nextEntry
- Add test for CLI session ID preservation in gateway agent handler
- Update docs with new resumeArgs default
 2026-01-25 21:09:04 +00:00
Jamieson O'Reilly
6aec34bc60 fix(gateway): prevent auth bypass when behind unconfigured reverse proxy (#1795) 
* fix(gateway): prevent auth bypass when behind unconfigured reverse proxy

When proxy headers (X-Forwarded-For, X-Real-IP) are present but
gateway.trustedProxies is not configured, the gateway now treats
connections as non-local. This prevents a scenario where all proxied
requests appear to come from localhost and receive automatic trust.

Previously, running behind nginx/Caddy without configuring trustedProxies
would cause isLocalClient=true for all external connections, potentially
bypassing authentication and auto-approving device pairing.

The gateway now logs a warning when this condition is detected, guiding
operators to configure trustedProxies for proper client IP detection.

Also adds documentation for reverse proxy security configuration.

* fix: harden reverse proxy auth (#1795) (thanks @orlyjamie)

---------

Co-authored-by: orlyjamie <orlyjamie@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-01-25 15:08:03 +00:00
Peter Steinberger
0130ecd800 fix: paragraph-aware newline chunking (#1726) 
Thanks @tyler6204

Co-authored-by: Tyler Yust <64381258+tyler6204@users.noreply.github.com>
 2026-01-25 13:24:19 +00:00
Peter Steinberger
8f3da653b0 fix: allow control ui token auth without pairing 2026-01-25 12:47:17 +00:00
Peter Steinberger
653401774d fix(telegram): honor linkPreview on fallback (#1730) 
* feat: add notice directive parsing

* fix: honor telegram linkPreview config (#1700) (thanks @zerone0x)
 2026-01-25 07:55:39 +00:00
Seb Slight
d4f60bf16a TTS: gate auto audio on inbound voice notes (#1667) 
Co-authored-by: Sebastian <sebslight@gmail.com>
 2026-01-25 04:35:20 +00:00
Peter Steinberger
ede5145191 docs: sweep support troubleshooting updates 2026-01-25 04:33:14 +00:00
Peter Steinberger
458e731f8b fix: newline chunking across channels 2026-01-25 04:11:36 +00:00
Peter Steinberger
629ce4454d docs: add tips + clawd-to-clawd faq 2026-01-25 04:04:18 +00:00
Peter Steinberger
e6e71457e0 fix: honor trusted proxy client IPs (PR #1654) 
Thanks @ndbroadbent.

Co-authored-by: Nathan Broadbent <git@ndbroadbent.com>
 2026-01-25 01:52:19 +00:00