Commit graph

67 commits

Author SHA1 Message Date
Jason (Json)
cccc856b82
fix: reject incompatible Node 23 runtimes (#99832)
* fix: reject incompatible Node 23 runtimes

* fix: repair installer CI coverage

* docs: clarify supported Node ranges

* fix: fail closed on unreadable runtime versions

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-04 00:03:49 -07:00
Jacob Tomlinson
e9bd90d209
docs(security): clarify env var report scope (#91765) 2026-06-10 06:14:24 +09:00
Peter Steinberger
b9f975b64e
Replace Sharp image backend with Photon (#86437)
* refactor: replace sharp image backend with photon

* refactor: remove whatsapp jimp dependency

* chore: remove stale sharp install workarounds

* test: keep image fixtures off photon

* test: use valid prompt image fixtures

* test: account for optimized PNG fixtures

* test: use valid minimax image fixtures
2026-05-25 15:04:44 +01:00
Peter Steinberger
e453a39d6b
build: align node version floor 2026-05-18 06:28:14 +01:00
Peter Steinberger
955b025697
feat: add native sqlite Kysely dialect
Add an owned Kysely dialect for native node:sqlite, raise the Node 22 floor to 22.16+ for StatementSync.columns(), and cover select/returning/stale insert id behavior.
2026-05-07 13:07:03 +01:00
Peter Steinberger
79f77d877e
docs: move incident response plan 2026-05-03 12:30:11 +01:00
Ayaan Zaidi
47de32ac21
chore(security): remove stale secret baseline 2026-05-02 15:10:45 +05:30
Vincent Koc
148a34679f
Update SECURITY.md 2026-04-30 16:04:53 -07:00
Vincent Koc
4429ee7d2e
docs(security): clarify disclosure policy 2026-04-30 13:41:51 -07:00
Jesse Merhi
542821cd1e
docs(security): clarify proxy SSRF reporting scope (#74338)
Merged via squash.

Prepared head SHA: 7dd9fcfade
Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>
Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>
Reviewed-by: @jesse-merhi
2026-04-30 00:30:16 +10:00
Peter Steinberger
abaa4326d8
docs: classify media decode overhead as performance-only (#74311)
* docs: classify media decode overhead as hardening

* docs: classify decode overhead as performance

---------

Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>
2026-04-29 05:54:35 -07:00
Vincent Koc
c88c2328c2
docs: align Node minimum requirement 2026-04-25 01:36:01 -07:00
Peter Steinberger
24d50acc70
docs: clarify dependency parser advisory triage 2026-04-20 20:13:37 +01:00
Peter Steinberger
8f4331e3b4
docs: clarify test-only vulnerability scope 2026-04-15 07:23:07 -07:00
Peter Steinberger
1351bacaa4
docs(security): clarify localhost shared-auth trust model 2026-04-05 23:12:52 +01:00
Peter Steinberger
35e1605147
feat: add configurable context visibility 2026-04-03 04:34:57 +09:00
Peter Steinberger
dc0e0b0f68
docs(security): mark shared-secret HTTP auth as designed 2026-03-31 22:58:09 +09:00
Vincent Koc
cd5179314d fix(acp): use semantic approval classes 2026-03-31 20:49:31 +09:00
Peter Steinberger
0633406ff6
fix(gateway): restore compat HTTP operator auth 2026-03-31 16:49:30 +09:00
Peter Steinberger
276ccd2583
fix(exec): default implicit target to auto 2026-03-30 06:03:08 +09:00
Peter Steinberger
5d4c4bb850
fix(exec): restore runtime-aware implicit host default 2026-03-29 21:18:41 +01:00
Peter Steinberger
9692dc7668
fix(security): harden nodes owner-only tool gating 2026-03-12 22:27:52 +00:00
Peter Steinberger
dc3bb1890b
docs: clarify gateway HTTP trust boundary 2026-03-12 16:40:36 +00:00
Peter Steinberger
daaf211e20 fix(node-host): fail closed on unbound interpreter approvals 2026-03-11 02:36:38 +00:00
Peter Steinberger
53a7e3b6e5 docs(security): clarify trusted operator control surfaces 2026-03-07 13:52:22 +00:00
Peter Steinberger
d4ec0ed3c7 docs(security): clarify trusted-local hardening-only cases 2026-03-02 23:28:54 +00:00
Peter Steinberger
cf5702233c docs(security)!: document messaging-only onboarding default and hook/model risk 2026-03-02 18:15:49 +00:00
Peter Steinberger
f8459ef46c docs(security): document sessions_spawn sandbox=require hardening 2026-03-02 01:29:19 +00:00
Agent
a374325fc2 docs(security): clarify local link-priming reports as out-of-scope 2026-03-01 22:34:32 +00:00
Peter Steinberger
58171c8918 docs(security): clarify parity-only command-risk reports 2026-02-26 22:37:12 +01:00
Peter Steinberger
f4391c1725 docs(security): clarify Teams fileConsent uploadUrl report scope 2026-02-26 17:58:38 +01:00
Peter Steinberger
9597cf1890 docs(security): scope obfuscation parity reports as hardening 2026-02-26 17:58:25 +01:00
Peter Steinberger
38c4944d76 docs(security): clarify trusted plugin boundary 2026-02-25 04:39:11 +00:00
Peter Steinberger
def993dbd8 refactor(tmp): harden temp boundary guardrails 2026-02-24 23:51:10 +00:00
Peter Steinberger
2d159e5e87 docs(security): document openclaw temp-folder boundary 2026-02-24 23:11:19 +00:00
Peter Steinberger
370d115549 fix: enforce workspaceOnly for native prompt image autoload 2026-02-24 14:47:59 +00:00
Peter Steinberger
f6afc8c5b6 docs(security): clarify host-side exec trust model defaults 2026-02-24 02:40:18 +00:00
Peter Steinberger
4032390572 docs(security): clarify trusted user-triggered local actions 2026-02-24 02:29:09 +00:00
Peter Steinberger
f0f886ecc4 docs(security): clarify gateway-node trust boundary in docs 2026-02-24 01:35:44 +00:00
Peter Steinberger
cfa44ea6b4
fix(security): make allowFrom id-only by default with dangerous name opt-in (#24907)
* fix(channels): default allowFrom to id-only; add dangerous name opt-in

* docs(security): align channel allowFrom docs with id-only default
2026-02-24 01:01:51 +00:00
Peter Steinberger
41b0568b35 docs(security): clarify shared-agent trust boundaries 2026-02-24 01:00:05 +00:00
Peter Steinberger
400220275c docs: clarify multi-instance recommendations for user isolation 2026-02-24 00:40:08 +00:00
Peter Steinberger
7d55277d72 docs: clarify operator trust boundary for shared gateways 2026-02-24 00:25:01 +00:00
Peter Steinberger
d68380bb7f docs(security): clarify exposed-secret report scope 2026-02-24 00:17:21 +00:00
Peter Steinberger
7b4d2cb5cb docs(security): clarify trusted-config dos scope 2026-02-23 23:57:26 +00:00
Peter Steinberger
9af3ec92a5 fix(gateway): add HSTS header hardening and docs 2026-02-23 19:47:29 +00:00
Peter Steinberger
b13fc7eccd docs(security): clarify workspace memory trust boundary 2026-02-22 11:22:29 +01:00
Peter Steinberger
de2e5c7b74 docs(security): clarify dangerous control-ui bypass policy 2026-02-22 10:11:46 +01:00
Peter Steinberger
17c9d550e9 docs: clarify sessionKey trust boundary in security policy 2026-02-22 08:21:53 +01:00
Peter Steinberger
810218756d docs(security): clarify trusted-host deployment assumptions 2026-02-21 12:53:12 +01:00