activeclaw 2026.2.11 → 2026.2.13

package/dist/{agent-scope-BEf5crnU.js → agent-scope-DPIFau3f.js}

@@ -1,5 +1,5 @@
 import { s as resolveStateDir, u as resolveRequiredHomeDir } from "./paths-rb94mUrR.js";
-import { F as pathExists, R as resolveUserPath, t as runCommandWithTimeout } from "./exec-57A8Rlc8.js";
+import { F as pathExists, R as resolveUserPath, t as runCommandWithTimeout } from "./exec-CJFFoM7H.js";
 import path from "node:path";
 import fs from "node:fs";
 import os from "node:os";
@@ -217,6 +217,10 @@ function findPackageRootSync(startDir, maxDepth = 12) {
 function candidateDirsFromArgv1(argv1) {
 	const normalized = path.resolve(argv1);
 	const candidates = [path.dirname(normalized)];
+	try {
+		const resolved = fs.realpathSync(normalized);
+		if (resolved !== normalized) candidates.push(path.dirname(resolved));
+	} catch {}
 	const parts = normalized.split(path.sep);
 	const binIndex = parts.lastIndexOf(".bin");
 	if (binIndex > 0 && parts[binIndex - 1] === "node_modules") {

package/dist/audio-preflight-BU8W7uxc.js

@@ -0,0 +1,60 @@
+import "./paths-rb94mUrR.js";
+import "./agent-scope-DPIFau3f.js";
+import { J as logVerbose, X as shouldLogVerbose } from "./exec-CJFFoM7H.js";
+import "./model-selection-C1GmkTAV.js";
+import "./github-copilot-token-wCk9Fg_E.js";
+import "./pi-embedded-helpers-CUzTc1v6.js";
+import "./config-QYrbd7x7.js";
+import "./pi-model-discovery-EhM2JAQo.js";
+import "./chrome-DL0avO8n.js";
+import "./paths-D0O87MfH.js";
+import "./image-RKwc3fsL.js";
+import "./redact-BIMJ3ntQ.js";
+import "./fetch-timeout-DEoXG_SF.js";
+import { a as runCapability, l as isAudioAttachment, n as createMediaAttachmentCache, r as normalizeMediaAttachments, t as buildProviderRegistry } from "./runner-DrGYLH5K.js";
+
+//#region src/media-understanding/audio-preflight.ts
+/**
+* Transcribes the first audio attachment BEFORE mention checking.
+* This allows voice notes to be processed in group chats with requireMention: true.
+* Returns the transcript or undefined if transcription fails or no audio is found.
+*/
+async function transcribeFirstAudio(params) {
+	const { ctx, cfg } = params;
+	const audioConfig = cfg.tools?.media?.audio;
+	if (!audioConfig || audioConfig.enabled === false) return;
+	const attachments = normalizeMediaAttachments(ctx);
+	if (!attachments || attachments.length === 0) return;
+	const firstAudio = attachments.find((att) => att && isAudioAttachment(att) && !att.alreadyTranscribed);
+	if (!firstAudio) return;
+	if (shouldLogVerbose()) logVerbose(`audio-preflight: transcribing attachment ${firstAudio.index} for mention check`);
+	const providerRegistry = buildProviderRegistry(params.providers);
+	const cache = createMediaAttachmentCache(attachments);
+	try {
+		const result = await runCapability({
+			capability: "audio",
+			cfg,
+			ctx,
+			attachments: cache,
+			media: attachments,
+			agentDir: params.agentDir,
+			providerRegistry,
+			config: audioConfig,
+			activeModel: params.activeModel
+		});
+		if (!result || result.outputs.length === 0) return;
+		const audioOutput = result.outputs.find((output) => output.kind === "audio.transcription");
+		if (!audioOutput || !audioOutput.text) return;
+		firstAudio.alreadyTranscribed = true;
+		if (shouldLogVerbose()) logVerbose(`audio-preflight: transcribed ${audioOutput.text.length} chars from attachment ${firstAudio.index}`);
+		return audioOutput.text;
+	} catch (err) {
+		if (shouldLogVerbose()) logVerbose(`audio-preflight: transcription failed: ${String(err)}`);
+		return;
+	} finally {
+		await cache.cleanup();
+	}
+}
+
+//#endregion
+export { transcribeFirstAudio };

package/dist/audio-preflight-CGsumMzb.js

@@ -0,0 +1,60 @@
+import "./paths-BZtyHNCi.js";
+import "./agent-scope-BIEhVP4_.js";
+import { Y as logVerbose, Z as shouldLogVerbose } from "./exec-B8lXct-k.js";
+import "./pi-embedded-helpers-WDwx99UA.js";
+import "./model-auth-CabXIF6O.js";
+import "./config-BvMsmctM.js";
+import "./github-copilot-token-DkiRbJdR.js";
+import "./pi-model-discovery-DqgqUyAv.js";
+import "./chrome-BfB6JdKF.js";
+import "./paths-B0a4ywSO.js";
+import "./image-Brk1sJbw.js";
+import "./redact-BrXLgslJ.js";
+import "./fetch-timeout-BEtUjM1S.js";
+import { a as runCapability, l as isAudioAttachment, n as createMediaAttachmentCache, r as normalizeMediaAttachments, t as buildProviderRegistry } from "./runner-Cfm5nTMc.js";
+
+//#region src/media-understanding/audio-preflight.ts
+/**
+* Transcribes the first audio attachment BEFORE mention checking.
+* This allows voice notes to be processed in group chats with requireMention: true.
+* Returns the transcript or undefined if transcription fails or no audio is found.
+*/
+async function transcribeFirstAudio(params) {
+	const { ctx, cfg } = params;
+	const audioConfig = cfg.tools?.media?.audio;
+	if (!audioConfig || audioConfig.enabled === false) return;
+	const attachments = normalizeMediaAttachments(ctx);
+	if (!attachments || attachments.length === 0) return;
+	const firstAudio = attachments.find((att) => att && isAudioAttachment(att) && !att.alreadyTranscribed);
+	if (!firstAudio) return;
+	if (shouldLogVerbose()) logVerbose(`audio-preflight: transcribing attachment ${firstAudio.index} for mention check`);
+	const providerRegistry = buildProviderRegistry(params.providers);
+	const cache = createMediaAttachmentCache(attachments);
+	try {
+		const result = await runCapability({
+			capability: "audio",
+			cfg,
+			ctx,
+			attachments: cache,
+			media: attachments,
+			agentDir: params.agentDir,
+			providerRegistry,
+			config: audioConfig,
+			activeModel: params.activeModel
+		});
+		if (!result || result.outputs.length === 0) return;
+		const audioOutput = result.outputs.find((output) => output.kind === "audio.transcription");
+		if (!audioOutput || !audioOutput.text) return;
+		firstAudio.alreadyTranscribed = true;
+		if (shouldLogVerbose()) logVerbose(`audio-preflight: transcribed ${audioOutput.text.length} chars from attachment ${firstAudio.index}`);
+		return audioOutput.text;
+	} catch (err) {
+		if (shouldLogVerbose()) logVerbose(`audio-preflight: transcription failed: ${String(err)}`);
+		return;
+	} finally {
+		await cache.cleanup();
+	}
+}
+
+//#endregion
+export { transcribeFirstAudio };

package/dist/audio-preflight-SLmkJI6-.js

@@ -0,0 +1,74 @@
+import "./paths-DVBShlw6.js";
+import { A as logVerbose, N as shouldLogVerbose } from "./subsystem-BoExtIHo.js";
+import "./utils-Cd9QdCHh.js";
+import "./pi-embedded-helpers-CMKLjW6X.js";
+import "./exec-YIosokWE.js";
+import "./agent-scope-CQCus0rI.js";
+import "./model-selection-BLuqsGVB.js";
+import "./github-copilot-token-BW-SEg7E.js";
+import "./boolean-BgXe2hyu.js";
+import "./env-ONzUVAG2.js";
+import "./config-aFQssWKX.js";
+import "./manifest-registry-CQhdnDBZ.js";
+import "./plugins-X7d_tfTE.js";
+import "./sandbox-Bhjnh1Xg.js";
+import { a as runCapability, l as isAudioAttachment, n as createMediaAttachmentCache, r as normalizeMediaAttachments, t as buildProviderRegistry } from "./runner-D_dujMod.js";
+import "./image-C4Nn2p3e.js";
+import "./pi-model-discovery-EwKVHlZB.js";
+import "./chrome-Cvr-57lg.js";
+import "./skills-DprQj9X2.js";
+import "./routes-CmOI1hIH.js";
+import "./server-context-Cl0U0vE3.js";
+import "./message-channel-BLi2a6Yw.js";
+import "./logging-fywhKCmE.js";
+import "./accounts-DeqIQjo1.js";
+import "./paths-B49s6UZQ.js";
+import "./redact-BRsnXqwD.js";
+import "./tool-display-CZRIDMRm.js";
+import "./fetch-DmiOpALK.js";
+
+//#region src/media-understanding/audio-preflight.ts
+/**
+* Transcribes the first audio attachment BEFORE mention checking.
+* This allows voice notes to be processed in group chats with requireMention: true.
+* Returns the transcript or undefined if transcription fails or no audio is found.
+*/
+async function transcribeFirstAudio(params) {
+	const { ctx, cfg } = params;
+	const audioConfig = cfg.tools?.media?.audio;
+	if (!audioConfig || audioConfig.enabled === false) return;
+	const attachments = normalizeMediaAttachments(ctx);
+	if (!attachments || attachments.length === 0) return;
+	const firstAudio = attachments.find((att) => att && isAudioAttachment(att) && !att.alreadyTranscribed);
+	if (!firstAudio) return;
+	if (shouldLogVerbose()) logVerbose(`audio-preflight: transcribing attachment ${firstAudio.index} for mention check`);
+	const providerRegistry = buildProviderRegistry(params.providers);
+	const cache = createMediaAttachmentCache(attachments);
+	try {
+		const result = await runCapability({
+			capability: "audio",
+			cfg,
+			ctx,
+			attachments: cache,
+			media: attachments,
+			agentDir: params.agentDir,
+			providerRegistry,
+			config: audioConfig,
+			activeModel: params.activeModel
+		});
+		if (!result || result.outputs.length === 0) return;
+		const audioOutput = result.outputs.find((output) => output.kind === "audio.transcription");
+		if (!audioOutput || !audioOutput.text) return;
+		firstAudio.alreadyTranscribed = true;
+		if (shouldLogVerbose()) logVerbose(`audio-preflight: transcribed ${audioOutput.text.length} chars from attachment ${firstAudio.index}`);
+		return audioOutput.text;
+	} catch (err) {
+		if (shouldLogVerbose()) logVerbose(`audio-preflight: transcription failed: ${String(err)}`);
+		return;
+	} finally {
+		await cache.cleanup();
+	}
+}
+
+//#endregion
+export { transcribeFirstAudio };

package/dist/audio-preflight-jZc5mFCZ.js

@@ -0,0 +1,71 @@
+import { S as logVerbose, T as shouldLogVerbose } from "./entry.js";
+import "./auth-profiles-ByNs3eEm.js";
+import "./utils-BLJAc3ZV.js";
+import "./exec-CACT5OAW.js";
+import "./agent-scope-CsRbLH4l.js";
+import "./github-copilot-token-Cfs0Wxr8.js";
+import "./pi-model-discovery-DzEIEgHL.js";
+import "./config-Bdhomfei.js";
+import "./manifest-registry-u0okVSkU.js";
+import "./server-context-BGpGs3qd.js";
+import "./chrome-foEwx3lN.js";
+import "./message-channel-C_MmebBt.js";
+import "./plugins-4Hqd1WGf.js";
+import "./logging-CfEk_PnX.js";
+import "./accounts-DCDeFTra.js";
+import "./paths-DLINmNFQ.js";
+import "./redact-Br9GfacZ.js";
+import "./routes-DewK5tq2.js";
+import "./pi-embedded-helpers-DfwkwPYD.js";
+import "./fetch-timeout-DTK9vxex.js";
+import "./sandbox-BKYnhYQH.js";
+import "./skills-DRjfSQT3.js";
+import "./image-DgtfXMcX.js";
+import "./tool-display-ClRud3pg.js";
+import { a as runCapability, n as createMediaAttachmentCache, o as isAudioAttachment, r as normalizeMediaAttachments, t as buildProviderRegistry } from "./runner-CY0nmVme.js";
+
+//#region src/media-understanding/audio-preflight.ts
+/**
+* Transcribes the first audio attachment BEFORE mention checking.
+* This allows voice notes to be processed in group chats with requireMention: true.
+* Returns the transcript or undefined if transcription fails or no audio is found.
+*/
+async function transcribeFirstAudio(params) {
+	const { ctx, cfg } = params;
+	const audioConfig = cfg.tools?.media?.audio;
+	if (!audioConfig || audioConfig.enabled === false) return;
+	const attachments = normalizeMediaAttachments(ctx);
+	if (!attachments || attachments.length === 0) return;
+	const firstAudio = attachments.find((att) => att && isAudioAttachment(att) && !att.alreadyTranscribed);
+	if (!firstAudio) return;
+	if (shouldLogVerbose()) logVerbose(`audio-preflight: transcribing attachment ${firstAudio.index} for mention check`);
+	const providerRegistry = buildProviderRegistry(params.providers);
+	const cache = createMediaAttachmentCache(attachments);
+	try {
+		const result = await runCapability({
+			capability: "audio",
+			cfg,
+			ctx,
+			attachments: cache,
+			media: attachments,
+			agentDir: params.agentDir,
+			providerRegistry,
+			config: audioConfig,
+			activeModel: params.activeModel
+		});
+		if (!result || result.outputs.length === 0) return;
+		const audioOutput = result.outputs.find((output) => output.kind === "audio.transcription");
+		if (!audioOutput || !audioOutput.text) return;
+		firstAudio.alreadyTranscribed = true;
+		if (shouldLogVerbose()) logVerbose(`audio-preflight: transcribed ${audioOutput.text.length} chars from attachment ${firstAudio.index}`);
+		return audioOutput.text;
+	} catch (err) {
+		if (shouldLogVerbose()) logVerbose(`audio-preflight: transcription failed: ${String(err)}`);
+		return;
+	} finally {
+		await cache.cleanup();
+	}
+}
+
+//#endregion
+export { transcribeFirstAudio };

package/dist/{audit-C4wLaF0D.js → audit-Dmww_503.js}

@@ -1,23 +1,24 @@
 import { g as resolveStateDir, m as resolveOAuthDir, o as resolveConfigPath } from "./paths-DVBShlw6.js";
 import { l as normalizeAgentId } from "./session-key-BWxPj0z_.js";
-import { n as runExec } from "./exec-Cv_Ofd1m.js";
-import { c as resolveDefaultAgentId, s as resolveAgentWorkspaceDir } from "./agent-scope-CGmuusG9.js";
+import { n as runExec } from "./exec-YIosokWE.js";
+import { c as resolveDefaultAgentId, s as resolveAgentWorkspaceDir } from "./agent-scope-CQCus0rI.js";
 import { t as formatCliCommand } from "./command-format-ChfKqObn.js";
-import { D as INCLUDE_KEY, O as MAX_INCLUDE_DEPTH, r as createConfigIO } from "./config--NUdpACy.js";
-import { a as MANIFEST_KEY } from "./manifest-registry-3It8Z8yN.js";
-import { n as listChannelPlugins } from "./plugins-CNaHNND_.js";
-import { $ as resolveSandboxToolPolicyForAgent, Z as resolveSandboxConfigForAgent, ot as resolveToolProfilePolicy } from "./sandbox-DqUO2K83.js";
-import { i as loadWorkspaceSkillEntries } from "./skills-ccAgQ3Ad.js";
-import { n as formatErrorMessage } from "./errors-B0eT3jVv.js";
-import { a as resolveProfile, i as resolveBrowserConfig } from "./server-context-8Qt35QdF.js";
-import { h as GATEWAY_CLIENT_NAMES, m as GATEWAY_CLIENT_MODES } from "./message-channel-Cu61-7H6.js";
-import { t as GatewayClient } from "./client-6xKrRC-1.js";
-import { t as buildGatewayConnectionDetails } from "./call-Bek1xlgk.js";
-import { i as readChannelAllowFromStore } from "./pairing-store-c-QQ2u8p.js";
-import { c as resolveNativeSkillsEnabled, n as isToolAllowedByPolicies, s as resolveNativeCommandsEnabled } from "./pi-tools.policy-akYsGFiA.js";
-import { t as resolveChannelDefaultAccountId } from "./helpers-C89IG08W.js";
-import { t as scanDirectoryWithSummary } from "./skill-scanner-DrVEHfC6.js";
-import { i as resolveGatewayAuth } from "./auth-BvIPpm7G.js";
+import { D as INCLUDE_KEY, O as MAX_INCLUDE_DEPTH, r as createConfigIO } from "./config-aFQssWKX.js";
+import { a as MANIFEST_KEY } from "./manifest-registry-CQhdnDBZ.js";
+import { n as listChannelPlugins } from "./plugins-X7d_tfTE.js";
+import { $ as resolveSandboxToolPolicyForAgent, Z as resolveSandboxConfigForAgent, ot as resolveToolProfilePolicy } from "./sandbox-Bhjnh1Xg.js";
+import { i as loadWorkspaceSkillEntries } from "./skills-DprQj9X2.js";
+import { n as formatErrorMessage } from "./errors-Bv81hF2P.js";
+import { a as resolveProfile, i as resolveBrowserConfig } from "./server-context-Cl0U0vE3.js";
+import { h as GATEWAY_CLIENT_NAMES, m as GATEWAY_CLIENT_MODES } from "./message-channel-BLi2a6Yw.js";
+import { t as GatewayClient } from "./client-BrYfyoDK.js";
+import { t as buildGatewayConnectionDetails } from "./call-SolyGS1r.js";
+import { i as readChannelAllowFromStore } from "./pairing-store-CmlRVqOz.js";
+import { c as resolveNativeSkillsEnabled, n as isToolAllowedByPolicies, s as resolveNativeCommandsEnabled } from "./pi-tools.policy-BpsROZbz.js";
+import { i as resolveGatewayAuth } from "./auth-CQNl_IaI.js";
+import { n as resolveBrowserControlAuth } from "./control-auth-DBCu3qyv.js";
+import { t as resolveChannelDefaultAccountId } from "./helpers-HyeZXsnu.js";
+import { t as scanDirectoryWithSummary } from "./skill-scanner-CucvxYhu.js";
 import os from "node:os";
 import path from "node:path";
 import JSON5 from "json5";
@@ -143,6 +144,11 @@ function looksLikeEnvRef(value) {
 	const v = value.trim();
 	return v.startsWith("${") && v.endsWith("}");
 }
+function isGatewayRemotelyExposed(cfg) {
+	if ((typeof cfg.gateway?.bind === "string" ? cfg.gateway.bind : "loopback") !== "loopback") return true;
+	const tailscaleMode = cfg.gateway?.tailscale?.mode ?? "off";
+	return tailscaleMode === "serve" || tailscaleMode === "funnel";
+}
 function addModel(models, raw, source) {
 	if (typeof raw !== "string") return;
 	const id = raw.trim();
@@ -353,6 +359,31 @@ function collectHooksHardeningFindings(cfg) {
 		detail: "hooks.path='/' would shadow other HTTP endpoints and is unsafe.",
 		remediation: "Use a dedicated path like '/hooks'."
 	});
+	const allowRequestSessionKey = cfg.hooks?.allowRequestSessionKey === true;
+	const defaultSessionKey = typeof cfg.hooks?.defaultSessionKey === "string" ? cfg.hooks.defaultSessionKey.trim() : "";
+	const allowedPrefixes = Array.isArray(cfg.hooks?.allowedSessionKeyPrefixes) ? cfg.hooks.allowedSessionKeyPrefixes.map((prefix) => prefix.trim()).filter((prefix) => prefix.length > 0) : [];
+	const remoteExposure = isGatewayRemotelyExposed(cfg);
+	if (!defaultSessionKey) findings.push({
+		checkId: "hooks.default_session_key_unset",
+		severity: "warn",
+		title: "hooks.defaultSessionKey is not configured",
+		detail: "Hook agent runs without explicit sessionKey use generated per-request keys. Set hooks.defaultSessionKey to keep hook ingress scoped to a known session.",
+		remediation: "Set hooks.defaultSessionKey (for example, \"hook:ingress\")."
+	});
+	if (allowRequestSessionKey) findings.push({
+		checkId: "hooks.request_session_key_enabled",
+		severity: remoteExposure ? "critical" : "warn",
+		title: "External hook payloads may override sessionKey",
+		detail: "hooks.allowRequestSessionKey=true allows `/hooks/agent` callers to choose the session key. Treat hook token holders as full-trust unless you also restrict prefixes.",
+		remediation: "Set hooks.allowRequestSessionKey=false (recommended) or constrain hooks.allowedSessionKeyPrefixes."
+	});
+	if (allowRequestSessionKey && allowedPrefixes.length === 0) findings.push({
+		checkId: "hooks.request_session_key_prefixes_missing",
+		severity: remoteExposure ? "critical" : "warn",
+		title: "Request sessionKey override is enabled without prefix restrictions",
+		detail: "hooks.allowRequestSessionKey=true and hooks.allowedSessionKeyPrefixes is unset/empty, so request payloads can target arbitrary session key shapes.",
+		remediation: "Set hooks.allowedSessionKeyPrefixes (for example, [\"hook:\"]) or disable request overrides."
+	});
 	return findings;
 }
 function collectModelHygieneFindings(cfg) {
@@ -1361,6 +1392,7 @@ function collectGatewayConfigFindings(cfg, env) {
 	const hasSharedSecret = auth.mode === "token" && hasToken || auth.mode === "password" && hasPassword;
 	const hasTailscaleAuth = auth.allowTailscale && tailscaleMode === "serve";
 	const hasGatewayAuth = hasSharedSecret || hasTailscaleAuth;
+	const remotelyExposed = bind !== "loopback" || tailscaleMode === "serve" || tailscaleMode === "funnel";
 	if (bind !== "loopback" && !hasSharedSecret) findings.push({
 		checkId: "gateway.bind_no_auth",
 		severity: "critical",
@@ -1416,9 +1448,21 @@ function collectGatewayConfigFindings(cfg, env) {
 		title: "Gateway token looks short",
 		detail: `gateway auth token is ${token.length} chars; prefer a long random token.`
 	});
+	const chatCompletionsEnabled = cfg.gateway?.http?.endpoints?.chatCompletions?.enabled === true;
+	const responsesEnabled = cfg.gateway?.http?.endpoints?.responses?.enabled === true;
+	if (chatCompletionsEnabled || responsesEnabled) {
+		const enabledEndpoints = [chatCompletionsEnabled ? "/v1/chat/completions" : null, responsesEnabled ? "/v1/responses" : null].filter((value) => Boolean(value));
+		findings.push({
+			checkId: "gateway.http.session_key_override_enabled",
+			severity: remotelyExposed ? "warn" : "info",
+			title: "HTTP APIs accept explicit session key override headers",
+			detail: `${enabledEndpoints.join(", ")} support x-openclaw-session-key. Any authenticated caller can route requests into arbitrary sessions.`,
+			remediation: "Treat HTTP API credentials as full-trust, disable unused endpoints, and avoid sharing tokens across tenants."
+		});
+	}
 	return findings;
 }
-function collectBrowserControlFindings(cfg) {
+function collectBrowserControlFindings(cfg, env) {
 	const findings = [];
 	let resolved;
 	try {
@@ -1434,6 +1478,14 @@ function collectBrowserControlFindings(cfg) {
 		return findings;
 	}
 	if (!resolved.enabled) return findings;
+	const browserAuth = resolveBrowserControlAuth(cfg, env);
+	if (!browserAuth.token && !browserAuth.password) findings.push({
+		checkId: "browser.control_no_auth",
+		severity: "critical",
+		title: "Browser control has no auth",
+		detail: "Browser control HTTP routes are enabled but no gateway.auth token/password is configured. Any local process (or SSRF to loopback) can call browser control endpoints.",
+		remediation: "Set gateway.auth.token (recommended) or gateway.auth.password so browser control HTTP routes require authentication. Restarting the gateway will auto-generate gateway.auth.token when browser control is enabled."
+	});
 	for (const name of Object.keys(resolved.profiles)) {
 		const profile = resolveProfile(resolved, name);
 		if (!profile || profile.cdpIsLoopback) continue;
@@ -1778,7 +1830,7 @@ async function runSecurityAudit(opts) {
 		configPath
 	}));
 	findings.push(...collectGatewayConfigFindings(cfg, env));
-	findings.push(...collectBrowserControlFindings(cfg));
+	findings.push(...collectBrowserControlFindings(cfg, env));
 	findings.push(...collectLoggingFindings(cfg));
 	findings.push(...collectElevatedFindings(cfg));
 	findings.push(...collectHooksHardeningFindings(cfg));

package/dist/{audit-CY-yopxa.js → audit-wPu26VMb.js}

@@ -1,23 +1,24 @@
-import { B as resolveConfigPath, J as resolveOAuthDir, X as resolveStateDir } from "./entry.js";
-import { t as formatCliCommand } from "./command-format-ayFsmwwz.js";
+import { V as resolveConfigPath, Y as resolveOAuthDir, Z as resolveStateDir } from "./entry.js";
+import { t as formatCliCommand } from "./command-format-Bxe0mWee.js";
 import { l as normalizeAgentId } from "./session-key-DVvxnFKg.js";
-import { n as runExec } from "./exec-B8JKbXKW.js";
-import { c as resolveDefaultAgentId, s as resolveAgentWorkspaceDir } from "./agent-scope-DQuy3dwI.js";
-import { D as INCLUDE_KEY, O as MAX_INCLUDE_DEPTH, r as createConfigIO } from "./config-B00lvFac.js";
-import { a as MANIFEST_KEY } from "./manifest-registry-D5SiA3xq.js";
-import { a as resolveBrowserConfig, o as resolveProfile } from "./server-context-fX4xiYRh.js";
-import { n as formatErrorMessage } from "./errors-x4NYs-1P.js";
-import { i as resolveGatewayAuth } from "./auth-BcNHFK-i.js";
-import { t as GatewayClient } from "./client-DMloFP_O.js";
-import { t as buildGatewayConnectionDetails } from "./call-7yrB6v4I.js";
-import { h as GATEWAY_CLIENT_NAMES, m as GATEWAY_CLIENT_MODES } from "./message-channel-BlgPSDAh.js";
-import { n as listChannelPlugins } from "./plugins-Db5BiELK.js";
+import { n as runExec } from "./exec-CACT5OAW.js";
+import { c as resolveDefaultAgentId, s as resolveAgentWorkspaceDir } from "./agent-scope-CsRbLH4l.js";
+import { D as INCLUDE_KEY, O as MAX_INCLUDE_DEPTH, r as createConfigIO } from "./config-Bdhomfei.js";
+import { a as MANIFEST_KEY } from "./manifest-registry-u0okVSkU.js";
+import { a as resolveBrowserConfig, o as resolveProfile } from "./server-context-BGpGs3qd.js";
+import { i as resolveGatewayAuth } from "./auth-9x3lqfIY.js";
+import { n as resolveBrowserControlAuth } from "./control-auth-8Cf4WXpR.js";
+import { n as formatErrorMessage } from "./errors-DjZBTJJ3.js";
+import { t as GatewayClient } from "./client-CTwXnRl7.js";
+import { t as buildGatewayConnectionDetails } from "./call-DVYCIV8m.js";
+import { h as GATEWAY_CLIENT_NAMES, m as GATEWAY_CLIENT_MODES } from "./message-channel-C_MmebBt.js";
+import { n as listChannelPlugins } from "./plugins-4Hqd1WGf.js";
 import { t as resolveChannelDefaultAccountId } from "./helpers-DdwqKAAS.js";
-import { t as scanDirectoryWithSummary } from "./skill-scanner-C_fQzVDu.js";
-import { G as resolveSandboxToolPolicyForAgent, Q as resolveToolProfilePolicy, U as resolveSandboxConfigForAgent } from "./sandbox-Aks-9EcZ.js";
-import { i as loadWorkspaceSkillEntries } from "./skills-D5UZZZSY.js";
-import { a as isToolAllowedByPolicies, n as resolveNativeCommandsEnabled, r as resolveNativeSkillsEnabled } from "./commands-CjEGXOZ_.js";
-import { i as readChannelAllowFromStore } from "./pairing-store-CgXR3ZWJ.js";
+import { t as scanDirectoryWithSummary } from "./skill-scanner-rHMtUHtP.js";
+import { G as resolveSandboxToolPolicyForAgent, Q as resolveToolProfilePolicy, U as resolveSandboxConfigForAgent } from "./sandbox-BKYnhYQH.js";
+import { i as loadWorkspaceSkillEntries } from "./skills-DRjfSQT3.js";
+import { a as isToolAllowedByPolicies, n as resolveNativeCommandsEnabled, r as resolveNativeSkillsEnabled } from "./commands-BX_OIIVR.js";
+import { i as readChannelAllowFromStore } from "./pairing-store-Dp5_JGnG.js";
 import path from "node:path";
 import os from "node:os";
 import JSON5 from "json5";
@@ -143,6 +144,11 @@ function looksLikeEnvRef(value) {
 	const v = value.trim();
 	return v.startsWith("${") && v.endsWith("}");
 }
+function isGatewayRemotelyExposed(cfg) {
+	if ((typeof cfg.gateway?.bind === "string" ? cfg.gateway.bind : "loopback") !== "loopback") return true;
+	const tailscaleMode = cfg.gateway?.tailscale?.mode ?? "off";
+	return tailscaleMode === "serve" || tailscaleMode === "funnel";
+}
 function addModel(models, raw, source) {
 	if (typeof raw !== "string") return;
 	const id = raw.trim();
@@ -353,6 +359,31 @@ function collectHooksHardeningFindings(cfg) {
 		detail: "hooks.path='/' would shadow other HTTP endpoints and is unsafe.",
 		remediation: "Use a dedicated path like '/hooks'."
 	});
+	const allowRequestSessionKey = cfg.hooks?.allowRequestSessionKey === true;
+	const defaultSessionKey = typeof cfg.hooks?.defaultSessionKey === "string" ? cfg.hooks.defaultSessionKey.trim() : "";
+	const allowedPrefixes = Array.isArray(cfg.hooks?.allowedSessionKeyPrefixes) ? cfg.hooks.allowedSessionKeyPrefixes.map((prefix) => prefix.trim()).filter((prefix) => prefix.length > 0) : [];
+	const remoteExposure = isGatewayRemotelyExposed(cfg);
+	if (!defaultSessionKey) findings.push({
+		checkId: "hooks.default_session_key_unset",
+		severity: "warn",
+		title: "hooks.defaultSessionKey is not configured",
+		detail: "Hook agent runs without explicit sessionKey use generated per-request keys. Set hooks.defaultSessionKey to keep hook ingress scoped to a known session.",
+		remediation: "Set hooks.defaultSessionKey (for example, \"hook:ingress\")."
+	});
+	if (allowRequestSessionKey) findings.push({
+		checkId: "hooks.request_session_key_enabled",
+		severity: remoteExposure ? "critical" : "warn",
+		title: "External hook payloads may override sessionKey",
+		detail: "hooks.allowRequestSessionKey=true allows `/hooks/agent` callers to choose the session key. Treat hook token holders as full-trust unless you also restrict prefixes.",
+		remediation: "Set hooks.allowRequestSessionKey=false (recommended) or constrain hooks.allowedSessionKeyPrefixes."
+	});
+	if (allowRequestSessionKey && allowedPrefixes.length === 0) findings.push({
+		checkId: "hooks.request_session_key_prefixes_missing",
+		severity: remoteExposure ? "critical" : "warn",
+		title: "Request sessionKey override is enabled without prefix restrictions",
+		detail: "hooks.allowRequestSessionKey=true and hooks.allowedSessionKeyPrefixes is unset/empty, so request payloads can target arbitrary session key shapes.",
+		remediation: "Set hooks.allowedSessionKeyPrefixes (for example, [\"hook:\"]) or disable request overrides."
+	});
 	return findings;
 }
 function collectModelHygieneFindings(cfg) {
@@ -1361,6 +1392,7 @@ function collectGatewayConfigFindings(cfg, env) {
 	const hasSharedSecret = auth.mode === "token" && hasToken || auth.mode === "password" && hasPassword;
 	const hasTailscaleAuth = auth.allowTailscale && tailscaleMode === "serve";
 	const hasGatewayAuth = hasSharedSecret || hasTailscaleAuth;
+	const remotelyExposed = bind !== "loopback" || tailscaleMode === "serve" || tailscaleMode === "funnel";
 	if (bind !== "loopback" && !hasSharedSecret) findings.push({
 		checkId: "gateway.bind_no_auth",
 		severity: "critical",
@@ -1416,9 +1448,21 @@ function collectGatewayConfigFindings(cfg, env) {
 		title: "Gateway token looks short",
 		detail: `gateway auth token is ${token.length} chars; prefer a long random token.`
 	});
+	const chatCompletionsEnabled = cfg.gateway?.http?.endpoints?.chatCompletions?.enabled === true;
+	const responsesEnabled = cfg.gateway?.http?.endpoints?.responses?.enabled === true;
+	if (chatCompletionsEnabled || responsesEnabled) {
+		const enabledEndpoints = [chatCompletionsEnabled ? "/v1/chat/completions" : null, responsesEnabled ? "/v1/responses" : null].filter((value) => Boolean(value));
+		findings.push({
+			checkId: "gateway.http.session_key_override_enabled",
+			severity: remotelyExposed ? "warn" : "info",
+			title: "HTTP APIs accept explicit session key override headers",
+			detail: `${enabledEndpoints.join(", ")} support x-openclaw-session-key. Any authenticated caller can route requests into arbitrary sessions.`,
+			remediation: "Treat HTTP API credentials as full-trust, disable unused endpoints, and avoid sharing tokens across tenants."
+		});
+	}
 	return findings;
 }
-function collectBrowserControlFindings(cfg) {
+function collectBrowserControlFindings(cfg, env) {
 	const findings = [];
 	let resolved;
 	try {
@@ -1434,6 +1478,14 @@ function collectBrowserControlFindings(cfg) {
 		return findings;
 	}
 	if (!resolved.enabled) return findings;
+	const browserAuth = resolveBrowserControlAuth(cfg, env);
+	if (!browserAuth.token && !browserAuth.password) findings.push({
+		checkId: "browser.control_no_auth",
+		severity: "critical",
+		title: "Browser control has no auth",
+		detail: "Browser control HTTP routes are enabled but no gateway.auth token/password is configured. Any local process (or SSRF to loopback) can call browser control endpoints.",
+		remediation: "Set gateway.auth.token (recommended) or gateway.auth.password so browser control HTTP routes require authentication. Restarting the gateway will auto-generate gateway.auth.token when browser control is enabled."
+	});
 	for (const name of Object.keys(resolved.profiles)) {
 		const profile = resolveProfile(resolved, name);
 		if (!profile || profile.cdpIsLoopback) continue;
@@ -1778,7 +1830,7 @@ async function runSecurityAudit(opts) {
 		configPath
 	}));
 	findings.push(...collectGatewayConfigFindings(cfg, env));
-	findings.push(...collectBrowserControlFindings(cfg));
+	findings.push(...collectBrowserControlFindings(cfg, env));
 	findings.push(...collectLoggingFindings(cfg));
 	findings.push(...collectElevatedFindings(cfg));
 	findings.push(...collectHooksHardeningFindings(cfg));