npm - @openclaw/voice-call - Versions diffs - 2026.2.17 → 2026.2.21 - Mend

@openclaw/voice-call 2026.2.17 → 2026.2.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md +0 -132
package/package.json +1 -1
package/src/config.test.ts +69 -116
package/src/telephony-tts.test.ts +75 -0
package/src/telephony-tts.ts +3 -1

package/CHANGELOG.md CHANGED Viewed

@@ -1,83 +1,5 @@
 # Changelog
-## 2026.2.17
-### Changes
-- Version alignment with core OpenClaw release numbers.
-## 2026.2.16
-### Changes
-- Version alignment with core OpenClaw release numbers.
-## 2026.2.15
-### Changes
-- Version alignment with core OpenClaw release numbers.
-## 2026.2.14
-### Changes
-- Version alignment with core OpenClaw release numbers.
-## 2026.2.13
-### Changes
-- Version alignment with core OpenClaw release numbers.
-## 2026.2.6-3
-### Changes
-- Version alignment with core OpenClaw release numbers.
-## 2026.2.6-2
-### Changes
-- Version alignment with core OpenClaw release numbers.
-## 2026.2.6
-### Changes
-- Version alignment with core OpenClaw release numbers.
-## 2026.2.4
-### Changes
-- Version alignment with core OpenClaw release numbers.
-## 2026.2.2
-### Changes
-- Version alignment with core OpenClaw release numbers.
-## 2026.1.31
-### Changes
-- Version alignment with core OpenClaw release numbers.
-## 2026.1.30
-### Changes
-- Version alignment with core OpenClaw release numbers.
-## 2026.1.29
-### Changes
-- Version alignment with core OpenClaw release numbers.
 ## 2026.1.26
 ### Changes
@@ -87,60 +9,6 @@
 - Removed legacy `tts.model`/`tts.voice`/`tts.instructions` plugin fields.
 - Ngrok free-tier bypass renamed to `tunnel.allowNgrokFreeTierLoopbackBypass` and gated to loopback + `tunnel.provider="ngrok"`.
-## 2026.1.23
-### Changes
-- Version alignment with core OpenClaw release numbers.
-## 2026.1.22
-### Changes
-- Version alignment with core OpenClaw release numbers.
-## 2026.1.21
-### Changes
-- Version alignment with core OpenClaw release numbers.
-## 2026.1.20
-### Changes
-- Version alignment with core OpenClaw release numbers.
-## 2026.1.17-1
-### Changes
-- Version alignment with core OpenClaw release numbers.
-## 2026.1.17
-### Changes
-- Version alignment with core OpenClaw release numbers.
-## 2026.1.16
-### Changes
-- Version alignment with core OpenClaw release numbers.
-## 2026.1.15
-### Changes
-- Version alignment with core OpenClaw release numbers.
-## 2026.1.14
-### Changes
-- Version alignment with core OpenClaw release numbers.
 ## 0.1.0
 ### Highlights

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@openclaw/voice-call",
-  "version": "2026.2.17",
+  "version": "2026.2.21",
   "description": "OpenClaw voice-call plugin",
   "type": "module",
   "dependencies": {

package/src/config.test.ts CHANGED Viewed

@@ -44,9 +44,7 @@ function createBaseConfig(provider: "telnyx" | "twilio" | "plivo" | "mock"): Voi
 describe("validateProviderConfig", () => {
   const originalEnv = { ...process.env };
-  beforeEach(() => {
-    // Clear all relevant env vars before each test
+  const clearProviderEnv = () => {
     delete process.env.TWILIO_ACCOUNT_SID;
     delete process.env.TWILIO_AUTH_TOKEN;
     delete process.env.TELNYX_API_KEY;
@@ -54,6 +52,10 @@ describe("validateProviderConfig", () => {
     delete process.env.TELNYX_PUBLIC_KEY;
     delete process.env.PLIVO_AUTH_ID;
     delete process.env.PLIVO_AUTH_TOKEN;
+  };
+  beforeEach(() => {
+    clearProviderEnv();
   });
   afterEach(() => {
@@ -61,29 +63,43 @@ describe("validateProviderConfig", () => {
     process.env = { ...originalEnv };
   });
-  describe("twilio provider", () => {
-    it("passes validation when credentials are in config", () => {
-      const config = createBaseConfig("twilio");
-      config.twilio = { accountSid: "AC123", authToken: "secret" };
-      const result = validateProviderConfig(config);
-      expect(result.valid).toBe(true);
-      expect(result.errors).toEqual([]);
-    });
-    it("passes validation when credentials are in environment variables", () => {
-      process.env.TWILIO_ACCOUNT_SID = "AC123";
-      process.env.TWILIO_AUTH_TOKEN = "secret";
-      let config = createBaseConfig("twilio");
-      config = resolveVoiceCallConfig(config);
-      const result = validateProviderConfig(config);
-      expect(result.valid).toBe(true);
-      expect(result.errors).toEqual([]);
+  describe("provider credential sources", () => {
+    it("passes validation when credentials come from config or environment", () => {
+      for (const provider of ["twilio", "telnyx", "plivo"] as const) {
+        clearProviderEnv();
+        const fromConfig = createBaseConfig(provider);
+        if (provider === "twilio") {
+          fromConfig.twilio = { accountSid: "AC123", authToken: "secret" };
+        } else if (provider === "telnyx") {
+          fromConfig.telnyx = {
+            apiKey: "KEY123",
+            connectionId: "CONN456",
+            publicKey: "public-key",
+          };
+        } else {
+          fromConfig.plivo = { authId: "MA123", authToken: "secret" };
+        }
+        expect(validateProviderConfig(fromConfig)).toMatchObject({ valid: true, errors: [] });
+        clearProviderEnv();
+        if (provider === "twilio") {
+          process.env.TWILIO_ACCOUNT_SID = "AC123";
+          process.env.TWILIO_AUTH_TOKEN = "secret";
+        } else if (provider === "telnyx") {
+          process.env.TELNYX_API_KEY = "KEY123";
+          process.env.TELNYX_CONNECTION_ID = "CONN456";
+          process.env.TELNYX_PUBLIC_KEY = "public-key";
+        } else {
+          process.env.PLIVO_AUTH_ID = "MA123";
+          process.env.PLIVO_AUTH_TOKEN = "secret";
+        }
+        const fromEnv = resolveVoiceCallConfig(createBaseConfig(provider));
+        expect(validateProviderConfig(fromEnv)).toMatchObject({ valid: true, errors: [] });
+      }
     });
+  });
+  describe("twilio provider", () => {
     it("passes validation with mixed config and env vars", () => {
       process.env.TWILIO_AUTH_TOKEN = "secret";
       let config = createBaseConfig("twilio");
@@ -96,57 +112,27 @@ describe("validateProviderConfig", () => {
       expect(result.errors).toEqual([]);
     });
-    it("fails validation when accountSid is missing everywhere", () => {
+    it("fails validation when required twilio credentials are missing", () => {
       process.env.TWILIO_AUTH_TOKEN = "secret";
-      let config = createBaseConfig("twilio");
-      config = resolveVoiceCallConfig(config);
-      const result = validateProviderConfig(config);
-      expect(result.valid).toBe(false);
-      expect(result.errors).toContain(
+      const missingSid = validateProviderConfig(resolveVoiceCallConfig(createBaseConfig("twilio")));
+      expect(missingSid.valid).toBe(false);
+      expect(missingSid.errors).toContain(
         "plugins.entries.voice-call.config.twilio.accountSid is required (or set TWILIO_ACCOUNT_SID env)",
       );
-    });
-    it("fails validation when authToken is missing everywhere", () => {
+      delete process.env.TWILIO_AUTH_TOKEN;
       process.env.TWILIO_ACCOUNT_SID = "AC123";
-      let config = createBaseConfig("twilio");
-      config = resolveVoiceCallConfig(config);
-      const result = validateProviderConfig(config);
-      expect(result.valid).toBe(false);
-      expect(result.errors).toContain(
+      const missingToken = validateProviderConfig(
+        resolveVoiceCallConfig(createBaseConfig("twilio")),
+      );
+      expect(missingToken.valid).toBe(false);
+      expect(missingToken.errors).toContain(
         "plugins.entries.voice-call.config.twilio.authToken is required (or set TWILIO_AUTH_TOKEN env)",
       );
     });
   });
   describe("telnyx provider", () => {
-    it("passes validation when credentials are in config", () => {
-      const config = createBaseConfig("telnyx");
-      config.telnyx = { apiKey: "KEY123", connectionId: "CONN456", publicKey: "public-key" };
-      const result = validateProviderConfig(config);
-      expect(result.valid).toBe(true);
-      expect(result.errors).toEqual([]);
-    });
-    it("passes validation when credentials are in environment variables", () => {
-      process.env.TELNYX_API_KEY = "KEY123";
-      process.env.TELNYX_CONNECTION_ID = "CONN456";
-      process.env.TELNYX_PUBLIC_KEY = "public-key";
-      let config = createBaseConfig("telnyx");
-      config = resolveVoiceCallConfig(config);
-      const result = validateProviderConfig(config);
-      expect(result.valid).toBe(true);
-      expect(result.errors).toEqual([]);
-    });
     it("fails validation when apiKey is missing everywhere", () => {
       process.env.TELNYX_CONNECTION_ID = "CONN456";
       let config = createBaseConfig("telnyx");
@@ -160,69 +146,36 @@ describe("validateProviderConfig", () => {
       );
     });
-    it("fails validation when allowlist inbound policy lacks public key", () => {
-      const config = createBaseConfig("telnyx");
-      config.inboundPolicy = "allowlist";
-      config.telnyx = { apiKey: "KEY123", connectionId: "CONN456" };
-      const result = validateProviderConfig(config);
-      expect(result.valid).toBe(false);
-      expect(result.errors).toContain(
+    it("requires a public key unless signature verification is skipped", () => {
+      const missingPublicKey = createBaseConfig("telnyx");
+      missingPublicKey.inboundPolicy = "allowlist";
+      missingPublicKey.telnyx = { apiKey: "KEY123", connectionId: "CONN456" };
+      const missingPublicKeyResult = validateProviderConfig(missingPublicKey);
+      expect(missingPublicKeyResult.valid).toBe(false);
+      expect(missingPublicKeyResult.errors).toContain(
         "plugins.entries.voice-call.config.telnyx.publicKey is required (or set TELNYX_PUBLIC_KEY env)",
       );
-    });
-    it("passes validation when allowlist inbound policy has public key", () => {
-      const config = createBaseConfig("telnyx");
-      config.inboundPolicy = "allowlist";
-      config.telnyx = {
+      const withPublicKey = createBaseConfig("telnyx");
+      withPublicKey.inboundPolicy = "allowlist";
+      withPublicKey.telnyx = {
         apiKey: "KEY123",
         connectionId: "CONN456",
         publicKey: "public-key",
       };
-      const result = validateProviderConfig(config);
-      expect(result.valid).toBe(true);
-      expect(result.errors).toEqual([]);
-    });
-    it("passes validation when skipSignatureVerification is true (even without public key)", () => {
-      const config = createBaseConfig("telnyx");
-      config.skipSignatureVerification = true;
-      config.telnyx = { apiKey: "KEY123", connectionId: "CONN456" };
-      const result = validateProviderConfig(config);
-      expect(result.valid).toBe(true);
-      expect(result.errors).toEqual([]);
+      expect(validateProviderConfig(withPublicKey)).toMatchObject({ valid: true, errors: [] });
+      const skippedVerification = createBaseConfig("telnyx");
+      skippedVerification.skipSignatureVerification = true;
+      skippedVerification.telnyx = { apiKey: "KEY123", connectionId: "CONN456" };
+      expect(validateProviderConfig(skippedVerification)).toMatchObject({
+        valid: true,
+        errors: [],
+      });
     });
   });
   describe("plivo provider", () => {
-    it("passes validation when credentials are in config", () => {
-      const config = createBaseConfig("plivo");
-      config.plivo = { authId: "MA123", authToken: "secret" };
-      const result = validateProviderConfig(config);
-      expect(result.valid).toBe(true);
-      expect(result.errors).toEqual([]);
-    });
-    it("passes validation when credentials are in environment variables", () => {
-      process.env.PLIVO_AUTH_ID = "MA123";
-      process.env.PLIVO_AUTH_TOKEN = "secret";
-      let config = createBaseConfig("plivo");
-      config = resolveVoiceCallConfig(config);
-      const result = validateProviderConfig(config);
-      expect(result.valid).toBe(true);
-      expect(result.errors).toEqual([]);
-    });
     it("fails validation when authId is missing everywhere", () => {
       process.env.PLIVO_AUTH_TOKEN = "secret";
       let config = createBaseConfig("plivo");

package/src/telephony-tts.test.ts ADDED Viewed

@@ -0,0 +1,75 @@
+import { afterEach, describe, expect, it } from "vitest";
+import type { VoiceCallTtsConfig } from "./config.js";
+import type { CoreConfig } from "./core-bridge.js";
+import { createTelephonyTtsProvider } from "./telephony-tts.js";
+function createCoreConfig(): CoreConfig {
+  const tts: VoiceCallTtsConfig = {
+    provider: "openai",
+    openai: {
+      model: "gpt-4o-mini-tts",
+      voice: "alloy",
+    },
+  };
+  return { messages: { tts } };
+}
+async function mergeOverride(override: unknown): Promise<Record<string, unknown>> {
+  let mergedConfig: CoreConfig | undefined;
+  const provider = createTelephonyTtsProvider({
+    coreConfig: createCoreConfig(),
+    ttsOverride: override as VoiceCallTtsConfig,
+    runtime: {
+      textToSpeechTelephony: async ({ cfg }) => {
+        mergedConfig = cfg;
+        return {
+          success: true,
+          audioBuffer: Buffer.alloc(2),
+          sampleRate: 8000,
+        };
+      },
+    },
+  });
+  await provider.synthesizeForTelephony("hello");
+  expect(mergedConfig?.messages?.tts).toBeDefined();
+  return mergedConfig?.messages?.tts as Record<string, unknown>;
+}
+afterEach(() => {
+  delete (Object.prototype as Record<string, unknown>).polluted;
+});
+describe("createTelephonyTtsProvider deepMerge hardening", () => {
+  it("merges safe nested overrides", async () => {
+    const tts = await mergeOverride({
+      openai: { voice: "coral" },
+    });
+    const openai = tts.openai as Record<string, unknown>;
+    expect(openai.voice).toBe("coral");
+    expect(openai.model).toBe("gpt-4o-mini-tts");
+  });
+  it("blocks top-level __proto__ keys", async () => {
+    const tts = await mergeOverride(
+      JSON.parse('{"__proto__":{"polluted":"top"},"openai":{"voice":"coral"}}'),
+    );
+    const openai = tts.openai as Record<string, unknown>;
+    expect((Object.prototype as Record<string, unknown>).polluted).toBeUndefined();
+    expect(tts.polluted).toBeUndefined();
+    expect(openai.voice).toBe("coral");
+  });
+  it("blocks nested __proto__ keys", async () => {
+    const tts = await mergeOverride(
+      JSON.parse('{"openai":{"model":"safe","__proto__":{"polluted":"nested"}}}'),
+    );
+    const openai = tts.openai as Record<string, unknown>;
+    expect((Object.prototype as Record<string, unknown>).polluted).toBeUndefined();
+    expect(openai.polluted).toBeUndefined();
+    expect(openai.model).toBe("safe");
+  });
+});

package/src/telephony-tts.ts CHANGED Viewed

@@ -20,6 +20,8 @@ export type TelephonyTtsProvider = {
   synthesizeForTelephony: (text: string) => Promise<Buffer>;
 };
+const BLOCKED_MERGE_KEYS = new Set(["__proto__", "prototype", "constructor"]);
 export function createTelephonyTtsProvider(params: {
   coreConfig: CoreConfig;
   ttsOverride?: VoiceCallTtsConfig;
@@ -86,7 +88,7 @@ function deepMerge<T>(base: T, override: T): T {
   }
   const result: Record<string, unknown> = { ...base };
   for (const [key, value] of Object.entries(override)) {
-    if (value === undefined) {
+    if (BLOCKED_MERGE_KEYS.has(key) || value === undefined) {
       continue;
     }
     const existing = (base as Record<string, unknown>)[key];