Peter Steinberger
7d658410e5
docs(changelog): clarify exec allowlist mode only
2026-02-14 23:51:15 +01:00
Peter Steinberger
db60b424a2
docs(changelog): note exec allowlist command substitution fix
2026-02-14 23:51:15 +01:00
Vishal Doshi
3efb752124
fix(gateway): abort active runs during sessions.reset ( #16576 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 43da87f2df212880+Grynn@users.noreply.github.com >
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com >
Reviewed-by: @gumadeiras
2026-02-14 17:42:33 -05:00
Peter Steinberger
a99ad11a41
fix: validate state for manual Chutes OAuth
2026-02-14 23:33:56 +01:00
Gustavo Madeira Santana
8217d77ece
fix(cli): run plugin gateway_stop hooks before message exit ( #16580 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 8542ac77ae5599352+gumadeiras@users.noreply.github.com >
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com >
Reviewed-by: @gumadeiras
2026-02-14 17:33:08 -05:00
Peter Steinberger
d02202e765
docs(changelog): note clawtributors updater injection fix
2026-02-14 23:26:39 +01:00
Peter Steinberger
a429380e33
fix(scripts): harden clawtributors updater
2026-02-14 23:25:32 +01:00
Bruno Škvorc
dbdcbe03e7
fix: preserve bootstrap paths and expose failed mutations ( #16131 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 385dcbd8a91430603+Swader@users.noreply.github.com >
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com >
Reviewed-by: @gumadeiras
2026-02-14 17:01:16 -05:00
Peter Steinberger
c0c0e0f9ae
fix(security): block full-form IPv4-mapped IPv6 in SSRF guard
2026-02-14 22:58:38 +01:00
Peter Steinberger
9e7aab9baf
docs(changelog): credit logicx24 for plugin install traversal report
2026-02-14 22:54:38 +01:00
yinghaosang
8927c69b3f
fix(cli): stop message send from hanging forever after delivery ( #16460 ) ( #16491 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 78dffc9e99261132136+yinghaosang@users.noreply.github.com >
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com >
Reviewed-by: @gumadeiras
2026-02-14 16:53:56 -05:00
Peter Steinberger
576f7072a7
docs(changelog): credit @simecek for gateway connect auth fix
2026-02-14 22:42:35 +01:00
Gustavo Madeira Santana
48b3d7096c
fix: harden device pairing token generation and verification ( #16535 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: bcbb50e3685599352+gumadeiras@users.noreply.github.com >
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com >
Reviewed-by: @gumadeiras
2026-02-14 16:23:33 -05:00
Peter Steinberger
0b20ee2722
docs(changelog): note gateway /approve scope fix
2026-02-14 22:14:18 +01:00
Peter Steinberger
938b1dd1e7
docs(changelog): fix gatewayUrl SSRF entry
2026-02-14 22:08:28 +01:00
Peter Steinberger
3513ff09de
docs(changelog): note Telegram webhookSecret hard requirement
2026-02-14 22:08:19 +01:00
Peter Steinberger
c5406e1d24
fix(security): prevent gatewayUrl SSRF
2026-02-14 22:01:11 +01:00
Peter Steinberger
e95ce05c1e
chore(security): soften gatewayUrl override messaging
2026-02-14 21:53:30 +01:00
Peter Steinberger
2d5647a804
fix(security): restrict tool gatewayUrl overrides
2026-02-14 21:53:14 +01:00
Marcus Castro
07850e8a93
fix(media): strip MEDIA: prefix in loadWebMediaInternal ( #13107 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 9d95e6af5a7562095+mcaxtr@users.noreply.github.com >
Co-authored-by: steipete <58493+steipete@users.noreply.github.com >
Reviewed-by: @steipete
2026-02-14 21:41:26 +01:00
Peter Steinberger
1bde33c0bc
docs(changelog): note browser control path traversal fix
2026-02-14 21:37:34 +01:00
Peter Steinberger
9abf86f7e0
docs(changelog): document Slack/Discord dmPolicy aliases
2026-02-14 21:04:27 +01:00
Bin Deng
b9d14855d0
Fix: Force dashboard command to use localhost URL ( #16434 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 3c03b4cc9b219093083+BinHPdev@users.noreply.github.com >
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com >
Reviewed-by: @gumadeiras
2026-02-14 15:00:58 -05:00
Shadow
2fa78c17d1
Changelog: credit cron delivery fix
2026-02-14 13:37:33 -06:00
zerone0x
c60844931b
fix(cron): prevent list/status from silently skipping recurring jobs (openclaw#16201) thanks @zerone0x
...
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test:macmini
Co-authored-by: zerone0x <39543393+zerone0x@users.noreply.github.com >
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com >
2026-02-14 13:33:29 -06:00
Gustavo Madeira Santana
64b7f3455e
chore: fix changelog attribution
2026-02-14 14:26:27 -05:00
Peter Steinberger
90d1e9cd71
docs(changelog): note iMessage group allowlist auth fix
2026-02-14 20:25:35 +01:00
Michael Verrilli
e6f67d5f31
fix(agent): prevent session lock deadlock on timeout during compaction ( #9855 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 64a28900f1816450+mverrilli@users.noreply.github.com >
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com >
Reviewed-by: @gumadeiras
2026-02-14 14:24:20 -05:00
Glucksberg
f537bd1796
fix(telegram): exclude plugin commands from setMyCommands when native=false (openclaw#15164) thanks @Glucksberg
...
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test
Co-authored-by: Glucksberg <80581902+Glucksberg@users.noreply.github.com >
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com >
2026-02-14 13:22:58 -06:00
Mariano
5544646a09
security: block apply_patch path traversal outside workspace ( #16405 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 0fcd3f8c3a132747814+mbelinky@users.noreply.github.com >
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com >
Reviewed-by: @mbelinky
2026-02-14 19:11:12 +00:00
Bin Deng
4734f99108
Fix: Add type safety to models status command ( #16395 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 1554137ae3219093083+BinHPdev@users.noreply.github.com >
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com >
Reviewed-by: @gumadeiras
2026-02-14 14:07:38 -05:00
Peter Steinberger
013e8f6b3b
fix: harden exec PATH handling
2026-02-14 19:53:04 +01:00
Peter Steinberger
743f4b2849
fix(security): harden BlueBubbles webhook auth behind proxies
2026-02-14 19:47:51 +01:00
Vincent Koc
a042b32d2f
fix: Docker installation keeps hanging on MacOS ( #12972 )
...
* Onboarding: avoid stdin resume after wizard finish
* Changelog: remove Docker hang entry from PR
* Terminal: make stdin resume behavior explicit at call sites
* CI: rerun format check
* Onboarding: restore terminal before cancel exit
* test(onboard): align restoreTerminalState expectation
* chore(format): align onboarding restore test with updated oxfmt config
* chore(format): enforce updated oxfmt on restore test
* chore(format): apply updated oxfmt spacing to restore test
* fix: avoid stdin resume after onboarding (#12972 ) (thanks @vincentkoc)
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com >
2026-02-14 19:46:07 +01:00
Robby
cab0abf52a
fix(sessions): resolve transcript paths with explicit agent context ( #16288 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 7cbe9deca9239660374+robbyczgw-cla@users.noreply.github.com >
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com >
Reviewed-by: @gumadeiras
2026-02-14 13:44:51 -05:00
Peter Steinberger
77b89719d5
fix(security): block safeBins shell expansion
2026-02-14 19:44:14 +01:00
Shadow
a73ccf2b53
fix: deliver cron output to explicit targets ( #16360 ) (thanks @rubyrunsstuff)
2026-02-14 12:43:11 -06:00
Marcus Castro
d14be8472e
fix(whatsapp): honor account-level dmPolicy override ( #10082 ) (thanks @mcaxtr)
...
Fixes openclaw#10082 (issue #8736 ): inbound WhatsApp DM policy now respects account-level dmPolicy overrides.
2026-02-14 19:41:42 +01:00
青雲
80407cbc6a
fix: recompute all cron next-run times after job update (openclaw#15905) thanks @echoVic
...
Verified:
- pnpm check
- pnpm vitest src/cron/service.issue-regressions.test.ts src/cron/service.issue-13992-regression.test.ts
Co-authored-by: echoVic <16428813+echoVic@users.noreply.github.com >
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com >
2026-02-14 12:37:22 -06:00
Peter Steinberger
0e046f61ab
fix(skills): avoid skills watcher FD exhaustion
...
Watch SKILL.md only (and one-level SKILL.md in skill roots) to prevent chokidar from tracking huge unrelated trees.
Co-authored-by: household-bard <shakespeare@hessianinformatics.com >
2026-02-14 19:26:20 +01:00
Peter Steinberger
01b3226ecb
fix(gateway): block node.invoke exec approvals
2026-02-14 19:22:37 +01:00
Christian Klotz
df7464ddf6
fix(bluebubbles): include sender identity in group chat envelopes ( #16326 )
...
* fix(bluebubbles): include sender identity in group chat envelopes
Use formatInboundEnvelope (matching iMessage/Signal pattern) so group
messages show the group label in the envelope header and include the
sender name in the message body. ConversationLabel now resolves to the
group name for groups instead of being undefined.
Fixes #16210
Co-authored-by: zerone0x <hi@trine.dev >
* fix(bluebubbles): use finalizeInboundContext and set BodyForAgent to raw text
Wrap ctxPayload with finalizeInboundContext (matching iMessage/Signal/
every other channel) so field normalization, ChatType, ConversationLabel
fallback, and MediaType alignment are applied consistently.
Change BodyForAgent from the envelope-formatted body to rawBody so the
agent prompt receives clean message text instead of the [BlueBubbles ...]
envelope wrapper.
Co-authored-by: zerone0x <hi@trine.dev >
* docs: add changelog entry for BlueBubbles group sender fix (#16326 )
* fix(bluebubbles): include id in fromLabel matching formatInboundFromLabel
Align fromLabel output with the shared formatInboundFromLabel pattern:
groups get 'GroupName id:peerId', DMs get 'Name id:senderId' when the
name differs from the id. Addresses PR review feedback.
Co-authored-by: zerone0x <hi@trine.dev >
---------
Co-authored-by: zerone0x <hi@trine.dev >
2026-02-14 18:17:26 +00:00
Peter Steinberger
4133f4bd37
refactor(tui): clarify searchable select list width layout ( #16378 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: fecbade82258493+steipete@users.noreply.github.com >
Co-authored-by: steipete <58493+steipete@users.noreply.github.com >
Reviewed-by: @steipete
2026-02-14 19:15:38 +01:00
Peter Steinberger
f19eabee54
fix(slack): gate DM slash command authorization
2026-02-14 19:10:29 +01:00
Gustavo Madeira Santana
7d4078c704
CLI: fix lazy maintenance command registration ( #16374 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 29d7cca6745599352+gumadeiras@users.noreply.github.com >
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com >
Reviewed-by: @gumadeiras
2026-02-14 13:10:10 -05:00
Shadow
5ba72bd9bf
fix: add discord exec approval channel targeting ( #16051 ) (thanks @leonnardo)
2026-02-14 12:05:53 -06:00
Peter Steinberger
cb3290fca3
fix(node-host): enforce system.run rawCommand/argv consistency
2026-02-14 18:53:23 +01:00
Mariano
71f357d949
bluebubbles: harden local media path handling against LFI ( #16322 )
...
* bluebubbles: harden local media path handling
* bluebubbles: remove racy post-open symlink lstat
* fix: bluebubbles mediaLocalRoots docs + typing fix (#16322 ) (thanks @mbelinky)
2026-02-14 17:43:44 +00:00
Peter Steinberger
bfa7d21e99
fix(security): harden tlon Urbit requests against SSRF
2026-02-14 18:42:10 +01:00
Robby
5a313c83b7
fix(tui): use available terminal width for session name display ( #16109 ) ( #16238 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 19c18977e0239660374+robbyczgw-cla@users.noreply.github.com >
Co-authored-by: steipete <58493+steipete@users.noreply.github.com >
Reviewed-by: @steipete
2026-02-14 18:39:05 +01:00
