Sync/upstream 2026 03 23#108
Conversation
Differentiate titles that were identical across multiple pages: - Platform pages: add '(Platform)' suffix to distinguish from install guides - Legacy root-level pages: add '(legacy path)' suffix for files that redirect to canonical tools/ paths - Logging: 'Logging' -> 'Logging Overview' (root) and 'Gateway Logging' - building-extensions: add '(redirect)' suffix
resolvePackageEntrySource() treats all openBoundaryFileSync failures as path-escape security violations. When an extension entry file is simply missing (ENOENT, reason="path"), the gateway emits "extension entry escapes package directory" and aborts — crashing in a loop. Root cause: src/plugins/discovery.ts:478 checks !opened.ok but never inspects opened.reason. SafeOpenSyncResult already distinguishes "path" (ENOENT) from "validation" (actual path escape). Fix: only push the security diagnostic when opened.reason is "validation". For "path" or "io" failures, return null to skip the entry silently — a missing file is not a security violation. Closes openclaw#52445 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: HCL <chenglunhu@gmail.com>
Address Codex P1 + Greptile P2: the previous commit collapsed both "path" (ENOENT) and "io" (EACCES/EMFILE) into silent null returns. Now: - reason="path" (missing file): return null silently — not a security issue - reason="io" (permission/disk): push warn diagnostic — surface anomaly without aborting gateway - reason="validation" (path escape): push error diagnostic — security violation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: HCL <chenglunhu@gmail.com>
When building the gateway install plan, read and parse ~/.openclaw/.env (or $OPENCLAW_STATE_DIR/.env) and merge those key-value pairs into the service environment at the lowest priority — below config env vars, auth-profile refs, and the core service environment (HOME, PATH, OPENCLAW_*). This ensures that user-defined secrets stored in .env (e.g. BRAVE_API_KEY, OPENROUTER_API_KEY, DISCORD_BOT_TOKEN) are embedded in the LaunchAgent plist (macOS), systemd unit (Linux), and Scheduled Task (Windows) at install time, rather than relying solely on the gateway process loading them via dotenv.config() at startup. Previously, on macOS the LaunchAgent plist never included .env vars, which meant: - launchctl print did not show user secrets (hard to debug) - Child processes spawned before dotenv loaded had no access - If the same key existed in both .env and the plist, the stale plist value won via dotenv override:false semantics Dangerous host env vars (NODE_OPTIONS, LD_PRELOAD, etc.) are filtered using the same security policy applied to config env vars. Fixes openclaw#37101 Relates to openclaw#22663
- Apply normalizeEnvVarKey({ portable: true }) before security
filtering, matching the established pattern in env-vars.ts.
Rejects non-portable key names (spaces, special chars) that
would produce invalid plist/systemd syntax.
- Isolate existing tests from the developer's real ~/.openclaw/.env
by providing a temp HOME directory, preventing flaky failures
when the test machine has a populated .env file.
* feat(web-search): add DuckDuckGo bundled plugin * chore(changelog): restore main changelog * fix(web-search): harden DuckDuckGo challenge detection
- Mark as experimental (not just unofficial) - Add region and safeSearch tool parameters (from DDG schema) - Add plugin config example for region/safeSearch defaults - Document auto-detection order (100 = last) - Note SafeSearch defaults to moderate - Verified against extensions/duckduckgo/src/
Co-authored-by: oliviareid-svg <269669958+oliviareid-svg@users.noreply.github.com> Co-authored-by: Frank <vibespecs@gmail.com>
…orts - Add GetReplyFromConfigFn type alias and missing imports in test-helpers.mocks.ts - Add resolveSearchProviderSignupUrl import in setup.finalize.ts - Add isBundledCatalogEntry helper in plugin-install.ts - Fix SearchProviderEntry -> PluginWebSearchProviderEntry in onboard-search.ts - Add missing mockPinnedHostnameWithPolicyResolution imports in slack/whatsapp tests - Inline mockPinnedHostnameWithPolicyResolution in whatsapp test harness (boundary rule) - Migrate X plugin from removed listActions to describeMessageTool API - Adapt X plugin setupWizard typing for new ChannelSetupWizard interface - Remove invalid plugins property from SkillsConfig in skills test - Add GetReplyOptions type annotations in gateway chat tests - Cast qveris apiKey access in onboard-search.test.ts - Remove duplicate signal property in plugin-runtime-mock.ts - Sync plugin-sdk exports ordering - Stop tracking .agent/ (now gitignored by upstream) Made-with: Cursor
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request encompasses a broad upstream synchronization, delivering substantial architectural improvements, new features, and enhanced developer tooling across the project. The core focus is on expanding maintainer capabilities through dedicated agent skills, modernizing the Android application with new functionalities and a more robust foundation, and reinforcing security practices for command execution on macOS. These changes collectively aim to improve the project's maintainability, security posture, and overall development experience. Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Ignored Files
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
|
Warning Gemini encountered an error creating the review. You can try again by commenting |
No description provided.