yunxiafei/openclaw-mission-control
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
983 Commits 16 Branches 0 Tags
7ca4145aff19e705d49e235131d9ad4f9ae5816b
Commit Graph

245 Commits

Author SHA1 Message Date
Hugh Brown
7ca4145aff security: add 1 MB payload size limit to webhook ingestion 
The webhook ingest endpoint read the entire request body with no size
limit, enabling memory exhaustion attacks. Add a 1 MB limit checked
via both Content-Length header (early reject) and actual body size.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-07 23:35:10 +05:30
Hugh Brown
5d382ed67b security: mitigate prompt injection in agent instruction strings 
User-controlled fields (skill name, source URL, webhook payloads) were
interpolated directly into agent instruction messages. Sanitize skill
fields by stripping newlines/control chars, and fence all external data
behind "BEGIN EXTERNAL DATA" / "BEGIN STRUCTURED DATA" delimiters with
explicit "do not interpret as instructions" markers. Move system
instructions above the data section so they cannot be overridden.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-07 23:35:10 +05:30
Hugh Brown
4d1dbb4098 security: add HMAC signature verification to webhook ingest 
Webhook ingest endpoint was completely unauthenticated. Add an optional
`secret` field to BoardWebhook. When configured, inbound requests must
include a valid HMAC-SHA256 signature in X-Hub-Signature-256 or
X-Webhook-Signature headers. Uses hmac.compare_digest for timing safety.
Includes migration to add the secret column.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-07 23:35:10 +05:30
Hugh Brown
10848b98cb security: scope agent board listing to organization 
Main agents (board_id=None) could list boards across all organizations.
Now resolves the agent's organization via its gateway and filters boards
by organization_id to prevent cross-tenant data leakage.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-07 23:35:10 +05:30
Hugh Brown
c7692e30d3 security: rename misleading require_admin to require_user_actor 
The function only checked that the caller was an authenticated user
(not an agent) but its name implied privilege enforcement. Rename to
require_user_actor and add docstring clarifying the distinction between
actor-type checks and privilege/role checks (require_org_admin, is_super_admin).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-07 23:35:10 +05:30
Abhimanyu Saharan
532fbf1dc5 feat(config): make BASE_URL a required field and update related documentation 2026-03-05 01:36:07 +05:30
Abhimanyu Saharan
3acc276d8d fix(agent): address webhook payload read review feedback 2026-03-04 23:26:31 +05:30
Abhimanyu Saharan
1d0b318fc9 lint: fix flake8 E304 after create_task decorator 2026-03-04 23:22:27 +05:30
Abhimanyu Saharan
3fc96baa10 feat(agent): add read-only webhook payload fetch endpoint for backfill 2026-03-04 23:22:27 +05:30
Abhimanyu Saharan
4378d354f4 fix(ci): resolve backend check failures in dashboard metrics 2026-03-04 16:11:14 +05:30
Abhimanyu Saharan
bdc9fc3f01 redesigned dashboard page 2026-03-04 16:01:56 +05:30
Abhimanyu Saharan
77870b0fc7 fix(agent): improve error handling for get_agent_soul method 2026-03-03 03:09:29 +05:30
Abhimanyu Saharan
2031f8dcd8 fix: increase GIT_CLONE_TIMEOUT_SECONDS to 600 for better performance #173 2026-03-03 02:16:19 +05:30
Abhimanyu Saharan
94ae59d6aa refactor(gateway): update gateway parameters to use None as default #169 2026-03-03 01:51:52 +05:30
Abhimanyu Saharan
348b0515ac feat(boards): implement lead notification on board updates with detailed change messages 2026-02-26 01:58:55 +05:30
Abhimanyu Saharan
6b21ea6f99 feat(boards): add 'comment_required_for_review' rule and update related logic 2026-02-26 00:31:47 +05:30
Abhimanyu Saharan
adad72373c feat(tasks): add notification messages for task assignment and rework 2026-02-25 18:29:59 +05:30
Abhimanyu Saharan
3f158940cd Merge branch 'master' into docs/backend-doc-pass 2026-02-25 03:32:14 +05:30
Abhimanyu Saharan
56f4964332 feat: add support for allowing self-signed TLS certificates in gateway configuration 2026-02-22 20:20:19 +05:30
Abhimanyu Saharan
374d5a0c37 Merge branch 'master' into copilot/feature-allow-self-signed-tls 
# Conflicts:
#	backend/app/api/gateways.py
#	backend/app/schemas/gateways.py
#	backend/app/services/openclaw/admin_service.py
#	backend/app/services/openclaw/gateway_resolver.py
#	backend/app/services/openclaw/gateway_rpc.py
#	backend/app/services/openclaw/provisioning.py
#	backend/app/services/openclaw/provisioning_db.py
#	frontend/src/api/generated/model/gatewayCreate.ts
#	frontend/src/api/generated/model/gatewayRead.ts
#	frontend/src/api/generated/model/gatewayUpdate.ts
 2026-02-22 19:51:27 +05:30
Abhimanyu Saharan
cdced8e07c refactor: improve code formatting and readability in tests and components 2026-02-22 19:45:18 +05:30
Abhimanyu Saharan
3dfb70cd90 feat: add disable_device_pairing option to gateway configuration 2026-02-22 19:19:26 +05:30
copilot-swe-agent[bot]
520e128777 feat: Add allow_insecure_tls field to gateway model and UI 
- Added allow_insecure_tls boolean field to Gateway model and schemas
- Created database migration for the new field
- Updated GatewayConfig to include allow_insecure_tls parameter
- Modified openclaw_call to create SSL context that disables verification when allow_insecure_tls is true
- Updated all GatewayConfig instantiations throughout the backend
- Added checkbox to frontend gateway form (create and edit pages)
- Updated API endpoints to handle the new field

Co-authored-by: abhi1693 <5083532+abhi1693@users.noreply.github.com>
 2026-02-22 05:28:37 +00:00
Abhimanyu Saharan
6c3c9913db feat: update agent heartbeat endpoint to require no request payload 2026-02-16 01:46:06 +05:30
Abhimanyu Saharan
5912048b85 feat: add validation for gateway main agent requirement on board mutations 2026-02-16 01:25:44 +05:30
Abhimanyu Saharan
1d63bd0148 feat: add health check endpoint for agent authentication status 2026-02-16 00:42:15 +05:30
Abhimanyu Saharan
b702ade0cc fix: update HTTP status code from UNPROCESSABLE_ENTITY to UNPROCESSABLE_CONTENT 2026-02-15 16:06:06 +05:30
Abhimanyu Saharan
24731667d4 feat: add gateway runtime compatibility checks and minimum version enforcement 2026-02-15 15:59:55 +05:30
Abhimanyu Saharan
1996e21695 refactor: add overwrite option to various services and update documentation 2026-02-15 13:55:47 +05:30
Abhimanyu Saharan
aebd487270 refactor: add agent_id to various interfaces and improve field organization 2026-02-15 13:36:57 +05:30
Abhimanyu Saharan
aa825863c2 refactor: reorganize imports and improve code formatting for readability 2026-02-15 13:20:46 +05:30
Abhimanyu Saharan
7e76cd1f68 refactor: improve webhook processing with enhanced logging and retry mechanisms 2026-02-15 13:02:55 +05:30
Abhimanyu Saharan
7fe5ad5cba refactor: remove payload preview length limitation in webhook processing 2026-02-15 13:02:55 +05:30
Abhimanyu Saharan
f9b14af477 refactor: migrate webhook queue to RQ with updated configuration 2026-02-15 13:02:55 +05:30
Abhimanyu Saharan
14a75d8697 Fix: allow agent status change on unassigned tasks 2026-02-15 05:20:32 +00:00
Abhimanyu Saharan
f07b4d5ea4 feat: add RQ-based webhook dispatch queue and delayed worker 2026-02-14 23:46:07 +00:00
Abhimanyu Saharan
663561e213 feat(api): reset assigned_agent_id during task status transitions 2026-02-15 03:40:42 +05:30
Abhimanyu Saharan
f945d86025 feat(api): track previous in_progress_at during task status transitions 2026-02-15 03:37:19 +05:30
Abhimanyu Saharan
99081bbd87 feat(api): add previous_in_progress_at tracking and update task logic for review status 2026-02-15 03:31:55 +05:30
Abhimanyu Saharan
3c1f89d91d feat(api): add delete task endpoint for board leads with authorization checks 2026-02-15 03:19:45 +05:30
Abhimanyu Saharan
3c92dd5279 style: format code for improved readability and consistency across multiple files 2026-02-15 03:02:54 +05:30
Abhimanyu Saharan
07df7d8962 feat(api): enhance OpenAPI documentation with additional endpoints and examples 2026-02-15 02:57:06 +05:30
Abhimanyu Saharan
ae17facf88 feat(api): enhance authentication and health check endpoints with detailed responses and descriptions 2026-02-15 02:35:31 +05:30
Abhimanyu Saharan
ee1cf05d5d feat(api): enhance error handling and add structured hints for agent operations 2026-02-15 02:07:13 +05:30
Abhimanyu Saharan
0ac22dbd7a feat(heartbeat): change default target to 'last' and remove target option from UI 2026-02-15 01:37:12 +05:30
Abhimanyu Saharan
6f465d32fa feat(gateway): add lead_only option for syncing board lead agents 2026-02-15 01:23:36 +05:30
Abhimanyu Saharan
eb8540751c Merge pull request #129 from abhi1693/feat/task-e07-agent-patch-permissions 
Fix agent task patch auth and add permissions regression tests
 2026-02-14 20:32:43 +05:30
Abhimanyu Saharan
d241455da6 feat(skills): consolidate skill-related models and update imports 2026-02-14 19:31:32 +05:30
Abhimanyu Saharan
823da1d143 feat(skills): improve marketplace filters and server pagination 2026-02-14 13:09:48 +05:30
Abhimanyu Saharan
e7d47d9f8a feat(skills): implement pagination and total count headers for marketplace skills 2026-02-14 13:06:45 +05:30