Cherry-pick batch: Security hardening (1/2) (50 commits)#1956
Merged
alexey-pelykh merged 17 commits intomainfrom Mar 23, 2026
Merged
Cherry-pick batch: Security hardening (1/2) (50 commits)#1956alexey-pelykh merged 17 commits intomainfrom
alexey-pelykh merged 17 commits intomainfrom
Conversation
(cherry picked from commit 0f637b5)
(cherry picked from commit 742c005)
(cherry picked from commit 88d39b1)
(cherry picked from commit b26edfe)
(cherry picked from commit c713727)
(cherry picked from commit 03b4056)
(cherry picked from commit 093e51f)
…penclaw#44597) Process messageData via handleDeltaEvent for both delta and final states before resolving the turn, so ACP clients no longer drop the last visible assistant text when the gateway sends the final message body on the terminal chat event. Closes openclaw#15377 Based on openclaw#17615 Co-authored-by: PJ Eby <[email protected]> (cherry picked from commit 17c954c)
(cherry picked from commit 32fdd21)
(cherry picked from commit 74b9ad0)
(cherry picked from commit 7c76aca)
(cherry picked from commit 904db27)
(cherry picked from commit 9b6790e)
(cherry picked from commit a97b901)
(cherry picked from commit b7afc7b)
- Add shared/global-singleton.ts utility (upstream dependency) - Fix OpenClawConfig → RemoteClawConfig in cherry-picked files - Fix audit-channel.runtime.ts paths to fork layout - Remove missing exports from audit runtime re-export files - Fix windows-acl.test.ts os mock typing for strict TS Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
The isHookAgentRoutingUnrestricted helper and its finding emission were lost when audit-extra.sync.ts conflicts were resolved during cherry-pick #41 (904db27). Re-apply the upstream logic. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Cherry-pick batch from upstream
Issue: #1867
Commits: 15 cherry-picked, 35 skipped (fork-diverged audit.test.ts sections)
Picked (15)
0f637b5e30refactor: share acp conversation text normalization742c005ac8fix(acp): preserve hidden thought chunks from gateway chat88d39b1542refactor: simplify remaining runtime singletonsb26edfe1fftest: trim plugin-heavy unit test importsc7137270d1Security: split audit runtime surfaces03b405659btest: merge audit auth precedence cases093e51f2b3Security: lazy-load channel audit provider helpers17c954c46efix(acp): preserve final assistant message snapshot before end_turn (fix(acp): preserve final assistant message snapshot before end_turn openclaw/openclaw#44597)32fdd21c80fix(acp): preserve hidden thought replay on session load74b9ad010atest: preserve node os exports in windows acl mock7c76acafd6fix(acp): scope cancellation and event routing by runId (fix(acp): scope cancellation and event routing by runId openclaw/openclaw#41331)904db27019fix(security): audit unrestricted hook agent routing9b6790e3a6refactor: share acp binding resolution helpera97b9014a2External content: sanitize wrapped metadata (External content: sanitize wrapped metadata openclaw/openclaw#46816)b7afc7bf40fix: harden external content marker sanitizationSkipped (35)
Most test-merge commits (audit.test.ts, persistent-bindings.test.ts) became empty after conflict resolution because the fork's audit test structure has diverged significantly from upstream. These tests target sections of audit.test.ts that don't exist in the fork's version.
Adaptation commit
src/shared/global-singleton.tsutility (upstream dependency)OpenClawConfig→RemoteClawConfigin cherry-picked filesCloses #1867
🤖 Generated with Claude Code