Commit 3cc5d4e
fix: address all P1/P2 review findings from Greptile + Codex
- F5: read gateway token from env var OPENCLAW_GATEWAY_TOKEN too (not just file)
- F6: treat empty sig file as suspicious (attacker truncation bypass)
- F7: sync loadConfig now returns {} on HMAC rejection (degraded safe mode)
- F8: add writeConfigHmacSigSync for internal createConfigIO write paths
- Remove redundant async HMAC write from exported wrapper (internal path handles it)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

1 parent 211bdb7 commit 3cc5d4e
11,313 files changed
Lines changed: 68 additions & 29 deletions
0 commit comments