openclaw-mission-control

Author	SHA1	Message	Date
Hugh Brown	54279bf413	revert: restore truncated token_prefix in agent auth log messages A 6-character prefix of the token is standard practice for debugging failed auth attempts and is not a security risk. Restored in both required and optional auth paths, and removed the now-incorrect test that asserted its absence. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-07 23:35:10 +05:30
Hugh Brown	fcbde9b0e1	test: remove duplicate rate limiter tests from test_security_fixes These two tests were exact subsets of the dedicated test_rate_limit.py suite. Consolidating to a single file avoids maintenance drift. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-07 23:35:10 +05:30
Hugh Brown	86229038eb	Update backend/tests/test_security_fixes.py Seems like a simpler fix. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2026-03-07 23:35:10 +05:30
Hugh Brown	916dace3c8	Address ruff / formatting errors	2026-03-07 23:35:10 +05:30
Hugh Brown	858575cf6c	test: add comprehensive tests for all security fixes Add 20 tests covering: - require_user_actor: rejects agents and null users, passes valid users - Webhook HMAC: rejects missing/invalid signatures, accepts valid ones, allows unsigned when no secret configured - Prompt injection: sanitized skill name/URL, fenced external data in dispatch messages, system instructions precede data - Security headers: verify nosniff, DENY, referrer-policy defaults - Payload size: rejects oversized body and content-length - Rate limiting: blocks after threshold, independent per-key - Gateway token: has_token field present, token field absent - Agent auth logs: no token_prefix in source Also fix deprecated HTTP_413_REQUEST_ENTITY_TOO_LARGE status code. All 407 tests pass. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-07 23:35:10 +05:30

5 Commits