mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-15 16:46:30 +00:00
* fix(slack): align interaction auth with allowlists
* fix(slack): address review followups
* fix(slack): preserve explicit owners with wildcard
* chore: append Claude comments resolution worklog
* fix(slack): harden interaction auth with default-deny, mandatory actor binding, and channel type validation
  - Add interactiveEvent flag to authorizeSlackSystemEventSender for stricter interactive control authorization
  - Default-deny when no allowFrom or channel users are configured for interactive events (block actions, modals)
  - Require expectedSenderId for all interactive event types; block actions pass Slack-verified userId, modals pass metadata-embedded userId
  - Reject ambiguous channel types for interactive events to prevent DM authorization bypass via channel-type fallback
  - Add comprehensive test coverage for all new behaviors
* fix(slack): scope interactive owner/allowFrom enforcement to interactive paths only
* fix(slack): preserve no-channel interactive default
* Update context-engine-maintenance test
* chore: remove USER.md worklog artifact

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* changelog: note Slack interactive auth allowlist alignment (#66028)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Devin Robison <drobison@nvidia.com>

| Name |
|---|
| src |
| api.ts |
| channel-config-api.ts |
| channel-entry.ts |
| channel-plugin-api.ts |
| config-api.ts |
| configured-state.ts |
| contract-api.ts |
| doctor-contract-api.ts |
| index.test.ts |
| index.ts |
| interactive-replies-api.ts |
| openclaw.plugin.json |
| package.json |
| runtime-api.ts |
| secret-contract-api.ts |
| security-contract-api.ts |
| setup-entry.ts |
| setup-plugin-api.ts |
| test-api.ts |
| tsconfig.json |