- Add prompt-injection fencing to _webhook_memory_content (was missing
the --- BEGIN/END EXTERNAL DATA --- fence applied elsewhere)
- Wrap Content-Length parsing in try/except to avoid 500 on malformed
header values
- Move _to_gateway_read below imports (was incorrectly placed between
import blocks) and tighten transformer types
- Replace list-rebuild with deque.popleft in rate limiter for O(expired)
amortized pruning instead of O(n) per call
- Make organization_id required in send_session_message to prevent
fail-open cross-tenant check
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
send_gateway_session_message only required basic auth (AUTH_DEP) while
all other gateway endpoints required ORG_ADMIN_DEP. Any authenticated
user could send messages to any gateway session. Now requires org-admin
and verifies the board belongs to the caller's organization.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
User-controlled fields (skill name, source URL, webhook payloads) were
interpolated directly into agent instruction messages. Sanitize skill
fields by stripping newlines/control chars, and fence all external data
behind "BEGIN EXTERNAL DATA" / "BEGIN STRUCTURED DATA" delimiters with
explicit "do not interpret as instructions" markers. Move system
instructions above the data section so they cannot be overridden.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The function only checked that the caller was an authenticated user
(not an agent) but its name implied privilege enforcement. Rename to
require_user_actor and add docstring clarifying the distinction between
actor-type checks and privilege/role checks (require_org_admin, is_super_admin).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Three related provisioning fixes:
1. **tools.exec.host auto-configuration**: Add `_tools_exec_host_patch()`
that ensures `tools.exec.host` is set to `"gateway"` during
`patch_agent_heartbeats()`. Without this, heartbeat-driven agents
cannot execute `curl`, `bash`, or any shell command — making
HEARTBEAT.md instructions unexecutable. The function is idempotent
and respects existing user configuration.
2. **agents.update hot-reload race**: After `agents.create` writes to
disk, the gateway triggers a ~500ms debounced hot-reload. If
`agents.update` arrives before the reload completes, it returns
"agent not found". Fix: add a 750ms delay after create + exponential
backoff retry (5 attempts, 0.5s → 4s) on the update call.
3. **Skip no-op config.patch**: When `patch_agent_heartbeats()` detects
no changes to agents, channels, or tools config, skip the
`config.patch` RPC entirely. Each unnecessary patch triggers a
gateway SIGUSR1 restart that rotates agent tokens and breaks active
sessions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix docstring formatting in _create_ssl_context
- Break long line in provisioning.py for better readability
Co-authored-by: abhi1693 <5083532+abhi1693@users.noreply.github.com>
- Added allow_insecure_tls boolean field to Gateway model and schemas
- Created database migration for the new field
- Updated GatewayConfig to include allow_insecure_tls parameter
- Modified openclaw_call to create SSL context that disables verification when allow_insecure_tls is true
- Updated all GatewayConfig instantiations throughout the backend
- Added checkbox to frontend gateway form (create and edit pages)
- Updated API endpoints to handle the new field
Co-authored-by: abhi1693 <5083532+abhi1693@users.noreply.github.com>
