Skip to content

Sync/upstream 2026 03 23#108

Merged
linfangw merged 2404 commits into
mainfrom
sync/upstream-2026-03-23
Mar 23, 2026
Merged

Sync/upstream 2026 03 23#108
linfangw merged 2404 commits into
mainfrom
sync/upstream-2026-03-23

Conversation

@linfangw

Copy link
Copy Markdown
Member

No description provided.

steipete and others added 30 commits March 22, 2026 16:02
Differentiate titles that were identical across multiple pages:
- Platform pages: add '(Platform)' suffix to distinguish from install guides
- Legacy root-level pages: add '(legacy path)' suffix for files that
  redirect to canonical tools/ paths
- Logging: 'Logging' -> 'Logging Overview' (root) and 'Gateway Logging'
- building-extensions: add '(redirect)' suffix
resolvePackageEntrySource() treats all openBoundaryFileSync failures
as path-escape security violations. When an extension entry file is
simply missing (ENOENT, reason="path"), the gateway emits "extension
entry escapes package directory" and aborts — crashing in a loop.

Root cause: src/plugins/discovery.ts:478 checks !opened.ok but never
inspects opened.reason. SafeOpenSyncResult already distinguishes
"path" (ENOENT) from "validation" (actual path escape).

Fix: only push the security diagnostic when opened.reason is
"validation". For "path" or "io" failures, return null to skip the
entry silently — a missing file is not a security violation.

Closes openclaw#52445

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: HCL <chenglunhu@gmail.com>
Address Codex P1 + Greptile P2: the previous commit collapsed both
"path" (ENOENT) and "io" (EACCES/EMFILE) into silent null returns.

Now:
- reason="path" (missing file): return null silently — not a security issue
- reason="io" (permission/disk): push warn diagnostic — surface anomaly
  without aborting gateway
- reason="validation" (path escape): push error diagnostic — security violation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: HCL <chenglunhu@gmail.com>
steipete and others added 27 commits March 23, 2026 04:41
When building the gateway install plan, read and parse
~/.openclaw/.env (or $OPENCLAW_STATE_DIR/.env) and merge those
key-value pairs into the service environment at the lowest
priority — below config env vars, auth-profile refs, and the
core service environment (HOME, PATH, OPENCLAW_*).

This ensures that user-defined secrets stored in .env (e.g.
BRAVE_API_KEY, OPENROUTER_API_KEY, DISCORD_BOT_TOKEN) are
embedded in the LaunchAgent plist (macOS), systemd unit (Linux),
and Scheduled Task (Windows) at install time, rather than
relying solely on the gateway process loading them via
dotenv.config() at startup.

Previously, on macOS the LaunchAgent plist never included .env
vars, which meant:
- launchctl print did not show user secrets (hard to debug)
- Child processes spawned before dotenv loaded had no access
- If the same key existed in both .env and the plist, the stale
  plist value won via dotenv override:false semantics

Dangerous host env vars (NODE_OPTIONS, LD_PRELOAD, etc.) are
filtered using the same security policy applied to config env
vars.

Fixes openclaw#37101
Relates to openclaw#22663
- Apply normalizeEnvVarKey({ portable: true }) before security
  filtering, matching the established pattern in env-vars.ts.
  Rejects non-portable key names (spaces, special chars) that
  would produce invalid plist/systemd syntax.

- Isolate existing tests from the developer's real ~/.openclaw/.env
  by providing a temp HOME directory, preventing flaky failures
  when the test machine has a populated .env file.
* feat(web-search): add DuckDuckGo bundled plugin

* chore(changelog): restore main changelog

* fix(web-search): harden DuckDuckGo challenge detection
- Mark as experimental (not just unofficial)
- Add region and safeSearch tool parameters (from DDG schema)
- Add plugin config example for region/safeSearch defaults
- Document auto-detection order (100 = last)
- Note SafeSearch defaults to moderate
- Verified against extensions/duckduckgo/src/
Merged via squash.

Prepared head SHA: 49ed6c2
Co-authored-by: rcrick <23069968+rcrick@users.noreply.github.com>
Co-authored-by: frankekn <4488090+frankekn@users.noreply.github.com>
Reviewed-by: @frankekn
Co-authored-by: oliviareid-svg <269669958+oliviareid-svg@users.noreply.github.com>
Co-authored-by: Frank <vibespecs@gmail.com>
…orts

- Add GetReplyFromConfigFn type alias and missing imports in test-helpers.mocks.ts
- Add resolveSearchProviderSignupUrl import in setup.finalize.ts
- Add isBundledCatalogEntry helper in plugin-install.ts
- Fix SearchProviderEntry -> PluginWebSearchProviderEntry in onboard-search.ts
- Add missing mockPinnedHostnameWithPolicyResolution imports in slack/whatsapp tests
- Inline mockPinnedHostnameWithPolicyResolution in whatsapp test harness (boundary rule)
- Migrate X plugin from removed listActions to describeMessageTool API
- Adapt X plugin setupWizard typing for new ChannelSetupWizard interface
- Remove invalid plugins property from SkillsConfig in skills test
- Add GetReplyOptions type annotations in gateway chat tests
- Cast qveris apiKey access in onboard-search.test.ts
- Remove duplicate signal property in plugin-runtime-mock.ts
- Sync plugin-sdk exports ordering
- Stop tracking .agent/ (now gitignored by upstream)

Made-with: Cursor
@linfangw linfangw merged commit 7e4d383 into main Mar 23, 2026
2 of 9 checks passed
@gemini-code-assist

Copy link
Copy Markdown

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request encompasses a broad upstream synchronization, delivering substantial architectural improvements, new features, and enhanced developer tooling across the project. The core focus is on expanding maintainer capabilities through dedicated agent skills, modernizing the Android application with new functionalities and a more robust foundation, and reinforcing security practices for command execution on macOS. These changes collectively aim to improve the project's maintainability, security posture, and overall development experience.

Highlights

  • New Agent Skills: Introduced a suite of new agent skills designed to streamline maintainer workflows, covering areas such as GitHub Security Advisories (GHSA), Parallels smoke testing, PR management, release management, and heap leak investigation.
  • Android Application Enhancements: Undertook a significant refactoring of the Android application's architecture, leading to improved runtime initialization, enhanced UI theming, and the addition of new features like Call Log integration and advanced SMS search capabilities.
  • Repository Governance & Security: Strengthened repository governance with the addition of a CODEOWNERS file, explicitly defining ownership for security-sensitive and release-related paths, alongside refined exec approval logic and environment variable sanitization for macOS.
  • CI/CD and Contribution Guidelines: Enhanced CI/CD robustness through improved base commit fetching and updated Bun setup actions, complemented by streamlined documentation and contribution guidelines that emphasize evidence-based bug reporting and clearer PR submission policies.
  • TTS and Media Handling Refactoring: Refactored the Android application's Text-to-Speech (TTS) and media handling mechanisms, removing ElevenLabs-specific streaming implementations in favor of a more generic gateway-driven approach, and improving image processing efficiency.
  • Chrome Extension Removal: Removed the Chrome extension and its associated assets, indicating a strategic shift in how browser integration is managed or prioritized within the project.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Ignored Files
  • Ignored by pattern: .github/workflows/** (10)
    • .github/workflows/auto-response.yml
    • .github/workflows/ci.yml
    • .github/workflows/codeql.yml
    • .github/workflows/docker-release.yml
    • .github/workflows/install-smoke.yml
    • .github/workflows/openclaw-npm-release.yml
    • .github/workflows/plugin-npm-release.yml
    • .github/workflows/sandbox-common-smoke.yml
    • .github/workflows/stale.yml
    • .github/workflows/workflow-sanity.yml
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist

Copy link
Copy Markdown

Warning

Gemini encountered an error creating the review. You can try again by commenting /gemini review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.