Vincent Koc
76dabd5214
CI/Skills: add Python lint and test harness for skills scripts (#24246)
* CI: add skills Python checks job
* Chore: add Python lint and test pre-commit hooks
* Tests: fix skill-creator package test import path
* Chore: add Python tooling config for skills scripts
* CI: run all skills Python tests
* Chore: run all skills Python tests in pre-commit
* Chore: enable pytest discovery for all skills tests
* Changelog: note skills Python quality harness
2026-02-23 01:52:00 -05:00
Vignesh Natarajan
de96f5fed2
CLI/Sessions: honor default agent for implicit store path
2026-02-22 22:47:10 -08:00
Vincent Koc
af4330ef75
Update CHANGELOG.md
2026-02-23 01:44:53 -05:00
Misha Kolesnik
ec1bc41cf2
fix(openrouter): remove conflicting reasoning_effort from payload (#24120)
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: cc8ef4bb05
Co-authored-by: tenequm <22403766+tenequm@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
2026-02-23 01:41:29 -05:00
CornBrother0x
f3adf142c1
fix(security): escape user input in HTML gallery to prevent stored XSS (#16958)
* Security/openai-image-gen: escape HTML gallery user input
* Tests/openai-image-gen: add gallery XSS regression coverage
* Changelog: add openai-image-gen XSS hardening note
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-02-23 01:39:58 -05:00
Vignesh Natarajan
5ad5ea53cd
Agent: resolve resumed session agent scope before run
2026-02-22 22:38:05 -08:00
brandonwise
7fab4d128a
fix(security): redact sensitive data in OTEL log exports (CWE-532) (#18182)
* fix(security): redact sensitive data in OTEL log exports (CWE-532)
The diagnostics-otel plugin exports ALL application logs to external
OTLP collectors without filtering. This leaks API keys, tokens, and
other sensitive data to third-party observability platforms.
Changes:
- Export redactSensitiveText from plugin-sdk for extension use
- Apply redaction to log messages before OTEL export
- Apply redaction to string attribute values
- Add tests for API key and token redaction
The existing redactSensitiveText function handles common patterns:
- API keys (sk-*, ghp_*, gsk_*, AIza*, etc.)
- Bearer tokens
- PEM private keys
- ENV-style assignments (KEY=value)
- JSON credential fields
Fixes #12542
* fix: also redact error/reason in trace spans
Address Greptile feedback:
- Redact evt.error in webhook.error span attributes and status
- Redact evt.reason in message.processed span attributes
- Redact evt.error in message.processed span status
* fix: handle undefined evt.error in type guard
* fix: redact session.state reason in OTEL metrics
Addresses Greptile feedback - session.state reason field now goes
through redactSensitiveText() like message.processed reason.
* test(diagnostics-otel): update service context for stateDir API change
* OTEL diagnostics: redact sensitive values before export
* OTEL diagnostics tests: cover message, attribute, and session reason redaction
* Changelog: note OTEL sensitive-data redaction fix
* Changelog: move OTEL redaction entry to current unreleased
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-02-23 01:35:32 -05:00
Ayaan Zaidi
61db3d4a16
fix(protocol): regenerate swift gateway models
2026-02-23 11:52:42 +05:30
Ayaan Zaidi
86fcca2352
fix(gateway): annotate connection test mocks
2026-02-23 11:47:27 +05:30
Ayaan Zaidi
fda98f5605
docs(changelog): add telegram topic target fix
2026-02-23 11:45:18 +05:30
Ayaan Zaidi
d5105ca456
fix(telegram): unify topic target normalization path
2026-02-23 11:45:18 +05:30
Ayaan Zaidi
fddc60d174
fix(telegram): preserve legacy prefixed messaging targets
2026-02-23 11:45:18 +05:30
Ayaan Zaidi
bf732b88e7
test(cron): avoid delivery.mode type widening in isolated announce test
2026-02-23 11:45:18 +05:30
Ayaan Zaidi
118611465c
test(gateway): make strict-delivery bestEffort case deterministic
2026-02-23 11:45:18 +05:30
Ayaan Zaidi
d589b3a95c
test(gateway): clear agentCommand mock before strict bestEffort assert
2026-02-23 11:45:18 +05:30
Ayaan Zaidi
03122e5933
fix(cron): preserve telegram announce target + delivery truth
2026-02-23 11:45:18 +05:30
Ayaan Zaidi
dcc52850c3
fix: persist resolved telegram delivery targets at runtime
2026-02-23 11:45:18 +05:30
Tak Hoffman
35fbf26d24
Gateway: suppress tools.catalog plugin conflict diagnostics
2026-02-23 00:05:57 -06:00
Tak Hoffman
9e1a13bf4c
Gateway/UI: data-driven agents tools catalog with provenance (openclaw#24199) thanks @Takhoffman
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- gh pr checks 24199 --watch --fail-fast
Co-authored-by: Takhoffman <781889+Takhoffman@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
2026-02-22 23:55:59 -06:00
Peter Steinberger
1c753ea786
test: dedupe fixtures and test harness setup
2026-02-23 05:45:54 +00:00
Peter Steinberger
8af19ddc5b
refactor: extract shared dedupe helpers for runtime paths
2026-02-23 05:43:43 +00:00
Peter Steinberger
9f508056d3
test: collapse remaining trigger command shards
2026-02-23 05:22:24 +00:00
Peter Steinberger
d90e9f561f
test: merge overlapping trigger-handling suites
2026-02-23 05:19:23 +00:00
Peter Steinberger
af547ec52c
test: consolidate trigger-handling suites
2026-02-23 05:15:35 +00:00
Evgeny Zislis
78f801e243
Validate Telegram delivery targets to reject invalid formats (#21930)
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 02c9b1c3dd
Co-authored-by: kesor <7056+kesor@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
2026-02-23 10:44:46 +05:30
Peter Steinberger
23598e0e3a
test: prune redundant abort case and speed stream cap test
2026-02-23 05:06:34 +00:00
Tak Hoffman
77c3b142a9
Web UI: add full cron edit parity, all-jobs run history, and compact filters (openclaw#24155) thanks @Takhoffman
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test:macmini
Co-authored-by: Takhoffman <781889+Takhoffman@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
2026-02-22 23:05:42 -06:00
Peter Steinberger
610863e733
test: speed up long-running async suites
2026-02-23 05:03:15 +00:00
Peter Steinberger
48f327c206
test: consolidate redundant suites and speed attachment tests
2026-02-23 04:55:43 +00:00
Peter Steinberger
86a8b65e9d
test: consolidate redundant suites and speed up timers
2026-02-23 04:44:42 +00:00
Peter Steinberger
a6a2a9276e
test: reduce exec timer test runtime
2026-02-23 04:25:00 +00:00
Peter Steinberger
384a161bbc
test: consolidate media auto-detect coverage
2026-02-23 04:25:00 +00:00
Peter Steinberger
a53062ae3b
refactor(test): deduplicate isolated agent cron test helpers
2026-02-23 04:20:41 +00:00
Peter Steinberger
382fe8009a
refactor!: remove google-antigravity provider support
2026-02-23 05:20:14 +01:00
Peter Steinberger
558a0137bb
chore(release): bump versions to 2026.2.23
2026-02-23 05:13:46 +01:00
Tak Hoffman
a54dc7fe80
Cron: suppress fallback main summary for delivery-target errors (openclaw#24074) thanks @Takhoffman
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini
Co-authored-by: Takhoffman <781889+Takhoffman@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
v2026.2.22
2026-02-22 20:24:08 -06:00
Tak Hoffman
457835b104
Compaction: count only completed auto-compactions (#24056)
* Compaction: count only completed auto-compactions
* Compaction: count only non-retry completions
* Changelog: note completed-only compaction counting
* Agents/Compaction: guard optional compaction increment
2026-02-22 20:16:45 -06:00
Tak Hoffman
05691be511
Compaction: ignore tool result details in oversized checks (#24057)
* Compaction: ignore tool result details in oversized checks
* Tests/Compaction: type estimateTokens message callback
2026-02-22 20:13:59 -06:00
Tak Hoffman
5c9f9722af
Agent runner: align compaction floor guidance (#24059)
2026-02-22 20:13:43 -06:00
Tak Hoffman
50c5f75904
Compaction: sanitize token split accounting (#24058)
* Compaction: sanitize token split accounting
* Tests/Compaction: type sanitize token estimate callback
2026-02-22 20:13:21 -06:00
Tak Hoffman
259d863353
Gateway: harden cron.runs jobId path handling (openclaw#24038) thanks @Takhoffman
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test:macmini
Co-authored-by: Takhoffman <781889+Takhoffman@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
2026-02-22 19:35:26 -06:00
Peter Steinberger
45febecf2a
fix(exec): keep implicit sandbox default and restore no-alert baseline
2026-02-23 02:17:43 +01:00
Tak Hoffman
f6c2e99f5d
Cron: preserve due jobs after manual runs (#23994)
2026-02-22 19:02:05 -06:00
Peter Steinberger
bac26b4472
chore(release): bump version to 2026.2.22-1
2026-02-23 01:59:52 +01:00
Vignesh Natarajan
a10ec2607f
Gateway/Chat UI: sanitize untrusted wrapper markup in final payloads
2026-02-22 16:53:54 -08:00
Peter Steinberger
b482da8c9a
chore: update appcast for 2026.2.22 beta.1
2026-02-23 01:52:53 +01:00
Peter Steinberger
80f430c2be
fix(daemon): extend restart health timeout and improve restart errors
2026-02-23 01:50:02 +01:00
Peter Steinberger
278331c49c
fix(exec): restore sandbox as implicit host default
2026-02-23 01:48:24 +01:00
Tak Hoffman
211ab9e4f6
Cron: persist manual run marker before unlock (#23993)
* Cron: persist manual run marker before unlock
* Cron tests: relax wakeMode now microtask wait after run lock persist
2026-02-22 18:39:37 -06:00
SleuthCo.AI
9c87b53c8e
security(cli): redact sensitive values in config get output (#23654)
* security(cli): redact sensitive values in config get output
`runConfigGet()` reads raw config values but never applies redaction
before printing. When a user runs `openclaw config get gateway.token`
the real credential is printed to the terminal, leaking it into shell
history, scrollback buffers, and screenshots.
Use the existing `redactConfigObject()` (from redact-snapshot.ts,
already used by the Web UI path) to scrub sensitive fields before
`getAtPath()` resolves the requested key.
Fixes #13683
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* CLI/Config: add redaction regression test and changelog
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-02-22 19:37:33 -05:00