fix: 5 critical/high-priority bugs (auth bypass, relay failures, unbounded recursion, context growth) by zmanian · Pull Request #1083 · nearai/ironclaw

zmanian · 2026-03-12T22:09:57Z

Summary

Fixes 11 bugs from the issue tracker, prioritized by severity.

Batch 1: Critical security and stability fixes

[CRITICAL] Webhook authentication bypass when secret is not configured (src/channels/http.r #1033 (CRITICAL): Webhook auth bypass when secret cleared at runtime via update_secret(None) - rejects requests with 503
[CRITICAL] Missing consecutive_failures reset on successful reconnection — Stream end inc #908 (CRITICAL): Relay channel consecutive_failures not reset on successful SSE reconnection
[HIGH] Unbounded recursion in validate_tool_schema() #975 (HIGH): validate_tool_schema() unbounded recursion - added depth limit of 16
[HIGH] Unbounded recursion in resolve_nested() #974 (HIGH): resolve_nested() unbounded recursion - added depth limit of 8
[HIGH:82] Unbounded message Vec growth in routine tool loop #826 (CRITICAL): Unbounded tool output in routine loop - truncated to 8KB per result

Batch 2: Routine cache, job signals, and input validation

web routine toggle does not recompute next_fire_at when re-enabling cron routines #1077 (P1): Recompute next_fire_at when re-enabling cron routines via web toggle
web/CLI routine mutations do not refresh live event trigger cache #1076 (P1): Refresh event trigger cache after web toggle/delete operations
[HIGH] JobDelegate::check_signals() treats non-terminal states as terminal, will block #892 (HIGH): Remove Stuck from check_signals() stop-states (recoverable via self-repair)
[HIGH] Unbounded description string in CapabilitiesFile #976 (HIGH): Truncate oversized description strings in CapabilitiesFile to 4KB
[HIGH] Unbounded parameters schema JSON #977 (HIGH): Drop oversized parameters schema JSON (>64KB) in CapabilitiesFile

Batch 3: Security hardening

[HIGH:82] ReDoS risk in event trigger regex patterns #825 (HIGH): Prevent ReDoS by using RegexBuilder with 64KB size limit for user-supplied event trigger patterns

Test plan

All 2993 tests pass (6 new regression tests added)
webhook_rejects_when_secret_cleared_at_runtime - auth bypass fix
test_validate_schema_depth_limit - schema recursion limit
test_resolve_nested_depth_limit - capabilities recursion limit
test_description_truncated_at_limit - description size limit
test_oversized_parameters_schema_dropped - schema size limit
Clippy clean (zero warnings)

Closes #1033, #908, #975, #974, #826, #1077, #1076, #892, #976, #977, #825

Generated with Claude Code

- nearai#1033: reject webhook requests when secret is cleared at runtime via update_secret(None), preventing auth bypass through SIGHUP hot-swap - nearai#908: reset consecutive_failures counter on successful SSE stream reconnection in relay channel, so circuit breaker counts truly consecutive failures - nearai#975: add depth limit (16) to validate_tool_schema() to prevent stack overflow on deeply nested schemas - nearai#974: add depth limit (8) to resolve_nested() to prevent stack overflow on deeply nested capabilities wrappers - nearai#826: truncate oversized tool outputs (>8KB) in routine lightweight loop to prevent unbounded context growth across iterations Each fix includes a regression test. Closes nearai#1033, nearai#908, nearai#975, nearai#974, nearai#826 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

gemini-code-assist · 2026-03-12T22:15:45Z

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request delivers significant stability and security enhancements by resolving several critical and high-priority bugs. It introduces robust measures for webhook authentication, ensures reliable operation of relay channels, and prevents potential denial-of-service attacks through unbounded recursion in schema and capability parsing. Additionally, it optimizes resource usage by truncating large tool outputs in automated routines and modularizes core safety features into a new, dedicated crate.

Highlights

Webhook Authentication Bypass Fix: Requests are now rejected with a 503 status code if no webhook secret is configured, preventing authentication bypass when the secret is cleared at runtime.
Relay Channel Failure Counter Reset: The consecutive_failures counter in relay channels is now correctly reset upon successful SSE reconnection, ensuring the circuit breaker accurately tracks consecutive failures.
Unbounded Recursion Prevention: Depth limits have been added to validate_tool_schema() (16 levels) and resolve_nested() (8 levels) to prevent unbounded recursion on deeply nested schemas and capabilities wrappers.
Routine Tool Output Truncation: Tool output content in routine lightweight loops is now truncated to 8KB per tool result, preventing unbounded context growth and excessive resource consumption.
New ironclaw_safety Crate: Safety logic for prompt injection defense, input validation, and secret leak detection has been extracted into a dedicated ironclaw_safety crate, improving modularity and maintainability.

Changelog

.env.example
- Added MiniMax LLM configuration options.
- Included detailed instructions for webhook authentication using HMAC-SHA256 signatures.
- Introduced Docker Sandbox configuration parameters.
.githooks/pre-push
- Added a new pre-push hook to automatically run cargo clippy with all warnings as errors and cargo test before allowing a push.
CHANGELOG.md
- Updated the project version to 0.18.0 and included recent merge pull requests.
CLAUDE.md
- Updated project structure documentation to reflect the extraction of safety logic into the crates/ironclaw_safety/ directory.
Cargo.lock
- Updated numerous Rust dependency versions across the project.
Cargo.toml
- Added ironclaw_safety crate to the workspace members and dependencies.
- Updated the main ironclaw package version to 0.18.0.
FEATURE_PARITY.md
- Updated the status of channels, skills, cron, and GLM-5 features to reflect recent developments and clarifications.
README.md
- Added a link to the newly translated Russian README.
README.ru.md
- Added a new Russian translation of the project's main README file.
README.zh-CN.md
- Added a link to the Russian README in the Chinese translation.
channels-src/discord/Cargo.lock
- Updated dependencies, including the addition of ed25519-dalek and hex for cryptographic operations.
channels-src/discord/Cargo.toml
- Added ed25519-dalek and hex dependencies to enable in-channel Discord signature verification.
channels-src/discord/README.md
- Updated instructions for webhook secret configuration.
- Added new sections detailing mention polling and access control options.
- Clarified troubleshooting steps for invalid signature errors.
channels-src/discord/discord.capabilities.json
- Updated the channel description to reflect new features like mention polling.
- Enabled polling capability for the channel.
- Added new configuration fields for webhook secret, polling settings, and access control.
channels-src/discord/src/lib.rs
- Implemented in-channel Discord signature verification using Ed25519 headers.
- Added logic for mention polling in configured channels.
- Refined response handling for slash commands and mentions, including initial 'Thinking...' responses.
crates/ironclaw_safety/Cargo.toml
- Added a new crate ironclaw_safety with dependencies for prompt injection defense, validation, and leak detection.
crates/ironclaw_safety/fuzz/Cargo.toml
- Added fuzzing targets for the ironclaw_safety crate.
crates/ironclaw_safety/fuzz/README.md
- Added README for the ironclaw_safety fuzz targets, detailing setup and usage.
crates/ironclaw_safety/fuzz/corpus/fuzz_config_env/all_attacks
- Added fuzzing corpus for fuzz_config_env.
crates/ironclaw_safety/fuzz/corpus/fuzz_config_env/clean
- Added fuzzing corpus for fuzz_config_env.
crates/ironclaw_safety/fuzz/corpus/fuzz_config_env/injection_with_secret
- Added fuzzing corpus for fuzz_config_env.
crates/ironclaw_safety/fuzz/corpus/fuzz_credential_detect/api_key_header
- Added fuzzing corpus for fuzz_credential_detect.
crates/ironclaw_safety/fuzz/corpus/fuzz_credential_detect/array_headers
- Added fuzzing corpus for fuzz_credential_detect.
crates/ironclaw_safety/fuzz/corpus/fuzz_credential_detect/auth_header
- Added fuzzing corpus for fuzz_credential_detect.
crates/ironclaw_safety/fuzz/corpus/fuzz_credential_detect/bearer_value
- Added fuzzing corpus for fuzz_credential_detect.
crates/ironclaw_safety/fuzz/corpus/fuzz_credential_detect/empty_object
- Added fuzzing corpus for fuzz_credential_detect.
crates/ironclaw_safety/fuzz/corpus/fuzz_credential_detect/invalid_url
- Added fuzzing corpus for fuzz_credential_detect.
crates/ironclaw_safety/fuzz/corpus/fuzz_credential_detect/no_creds
- Added fuzzing corpus for fuzz_credential_detect.
crates/ironclaw_safety/fuzz/corpus/fuzz_credential_detect/not_json
- Added fuzzing corpus for fuzz_credential_detect.
crates/ironclaw_safety/fuzz/corpus/fuzz_credential_detect/safe_headers
- Added fuzzing corpus for fuzz_credential_detect.
crates/ironclaw_safety/fuzz/corpus/fuzz_credential_detect/url_access_token
- Added fuzzing corpus for fuzz_credential_detect.
crates/ironclaw_safety/fuzz/corpus/fuzz_credential_detect/url_api_key
- Added fuzzing corpus for fuzz_credential_detect.
crates/ironclaw_safety/fuzz/corpus/fuzz_credential_detect/url_userinfo
- Added fuzzing corpus for fuzz_credential_detect.
crates/ironclaw_safety/fuzz/corpus/fuzz_leak_detector/anthropic_key
- Added fuzzing corpus for fuzz_leak_detector.
crates/ironclaw_safety/fuzz/corpus/fuzz_leak_detector/aws_key
- Added fuzzing corpus for fuzz_leak_detector.
crates/ironclaw_safety/fuzz/corpus/fuzz_leak_detector/bearer_token
- Added fuzzing corpus for fuzz_leak_detector.
crates/ironclaw_safety/fuzz/corpus/fuzz_leak_detector/clean_text
- Added fuzzing corpus for fuzz_leak_detector.
crates/ironclaw_safety/fuzz/corpus/fuzz_leak_detector/github_pat
- Added fuzzing corpus for fuzz_leak_detector.
crates/ironclaw_safety/fuzz/corpus/fuzz_leak_detector/github_token
- Added fuzzing corpus for fuzz_leak_detector.
crates/ironclaw_safety/fuzz/corpus/fuzz_leak_detector/hex_64
- Added fuzzing corpus for fuzz_leak_detector.
crates/ironclaw_safety/fuzz/corpus/fuzz_leak_detector/multiple_secrets
- Added fuzzing corpus for fuzz_leak_detector.
crates/ironclaw_safety/fuzz/corpus/fuzz_leak_detector/near_miss_short
- Added fuzzing corpus for fuzz_leak_detector.
crates/ironclaw_safety/fuzz/corpus/fuzz_leak_detector/openai_key
- Added fuzzing corpus for fuzz_leak_detector.
crates/ironclaw_safety/fuzz/corpus/fuzz_leak_detector/pem_key
- Added fuzzing corpus for fuzz_leak_detector.
crates/ironclaw_safety/fuzz/corpus/fuzz_leak_detector/sendgrid_key
- Added fuzzing corpus for fuzz_leak_detector.
crates/ironclaw_safety/fuzz/corpus/fuzz_leak_detector/slack_token
- Added fuzzing corpus for fuzz_leak_detector.
crates/ironclaw_safety/fuzz/corpus/fuzz_leak_detector/ssh_key
- Added fuzzing corpus for fuzz_leak_detector.
crates/ironclaw_safety/fuzz/corpus/fuzz_leak_detector/stripe_key
- Added fuzzing corpus for fuzz_leak_detector.
crates/ironclaw_safety/fuzz/corpus/fuzz_safety_sanitizer/base64_payload
- Added fuzzing corpus for fuzz_safety_sanitizer.
crates/ironclaw_safety/fuzz/corpus/fuzz_safety_sanitizer/clean_text
- Added fuzzing corpus for fuzz_safety_sanitizer.
crates/ironclaw_safety/fuzz/corpus/fuzz_safety_sanitizer/eval_exec
- Added fuzzing corpus for fuzz_safety_sanitizer.
crates/ironclaw_safety/fuzz/corpus/fuzz_safety_sanitizer/ignore_previous
- Added fuzzing corpus for fuzz_safety_sanitizer.
crates/ironclaw_safety/fuzz/corpus/fuzz_safety_sanitizer/inst_tokens
- Added fuzzing corpus for fuzz_safety_sanitizer.
crates/ironclaw_safety/fuzz/corpus/fuzz_safety_sanitizer/markdown_code
- Added fuzzing corpus for fuzz_safety_sanitizer.
crates/ironclaw_safety/fuzz/corpus/fuzz_safety_sanitizer/mixed_case
- Added fuzzing corpus for fuzz_safety_sanitizer.
crates/ironclaw_safety/fuzz/corpus/fuzz_safety_sanitizer/role_markers
- Added fuzzing corpus for fuzz_safety_sanitizer.
crates/ironclaw_safety/fuzz/corpus/fuzz_safety_sanitizer/special_tokens
- Added fuzzing corpus for fuzz_safety_sanitizer.
crates/ironclaw_safety/fuzz/corpus/fuzz_safety_sanitizer/system_injection
- Added fuzzing corpus for fuzz_safety_sanitizer.
crates/ironclaw_safety/fuzz/corpus/fuzz_safety_sanitizer/unicode_mixed
- Added fuzzing corpus for fuzz_safety_sanitizer.
crates/ironclaw_safety/fuzz/corpus/fuzz_safety_validator/empty
- Renamed from fuzz/corpus/fuzz_config_env/.gitkeep and added fuzzing corpus for fuzz_safety_validator.
crates/ironclaw_safety/fuzz/corpus/fuzz_safety_validator/excessive_whitespace
- Added fuzzing corpus for fuzz_safety_validator.
crates/ironclaw_safety/fuzz/corpus/fuzz_safety_validator/json_array
- Added fuzzing corpus for fuzz_safety_validator.
crates/ironclaw_safety/fuzz/corpus/fuzz_safety_validator/json_deep
- Added fuzzing corpus for fuzz_safety_validator.
crates/ironclaw_safety/fuzz/corpus/fuzz_safety_validator/json_nested
- Added fuzzing corpus for fuzz_safety_validator.
crates/ironclaw_safety/fuzz/corpus/fuzz_safety_validator/long_input
- Added fuzzing corpus for fuzz_safety_validator.
crates/ironclaw_safety/fuzz/corpus/fuzz_safety_validator/normal_input
- Added fuzzing corpus for fuzz_safety_validator.
crates/ironclaw_safety/fuzz/corpus/fuzz_safety_validator/repetition
- Added fuzzing corpus for fuzz_safety_validator.
crates/ironclaw_safety/fuzz/fuzz_targets/fuzz_config_env.rs
- Renamed from fuzz/fuzz_targets/fuzz_config_env.rs and updated imports to use ironclaw_safety crate.
crates/ironclaw_safety/fuzz/fuzz_targets/fuzz_credential_detect.rs
- Added new fuzz target for credential detection.
crates/ironclaw_safety/fuzz/fuzz_targets/fuzz_leak_detector.rs
- Renamed from fuzz/fuzz_targets/fuzz_leak_detector.rs and updated imports to use ironclaw_safety crate.
crates/ironclaw_safety/fuzz/fuzz_targets/fuzz_safety_sanitizer.rs
- Renamed from fuzz/fuzz_targets/fuzz_safety_sanitizer.rs and updated imports to use ironclaw_safety crate.
crates/ironclaw_safety/fuzz/fuzz_targets/fuzz_safety_validator.rs
- Renamed from fuzz/fuzz_targets/fuzz_safety_validator.rs and updated imports to use ironclaw_safety crate.
crates/ironclaw_safety/src/credential_detect.rs
- Renamed from src/safety/credential_detect.rs.
crates/ironclaw_safety/src/leak_detector.rs
- Renamed from src/safety/leak_detector.rs and updated imports.
crates/ironclaw_safety/src/lib.rs
- Added new library root for the ironclaw_safety crate, re-exporting safety modules.
crates/ironclaw_safety/src/policy.rs
- Renamed from src/safety/policy.rs.
crates/ironclaw_safety/src/sanitizer.rs
- Renamed from src/safety/sanitizer.rs and updated imports.
crates/ironclaw_safety/src/validator.rs
- Renamed from src/safety/validator.rs.
deny.toml
- Added a new deny.toml file for cargo-deny configuration, specifying advisories, allowed licenses, and package bans.
deploy/env.example
- Added IRONCLAW_VERSION variable to pin Docker image versions for deterministic deployments.
deploy/ironclaw.service
- Updated the Docker run command to utilize the IRONCLAW_VERSION variable and explicitly expose port 3000.
deploy/setup.sh
- Added SHA256 checksum verification for the Cloud SQL Auth Proxy download to enhance security.
docs/LLM_PROVIDERS.md
- Added documentation for the MiniMax LLM provider, including API key and regional endpoint selection.
- Included details for the Z.AI provider, noting its OpenAI-compatible chat completions.
fuzz/Cargo.toml
- Removed safety-related fuzz targets, indicating their relocation to the crates/ironclaw_safety/fuzz directory.
fuzz/README.md
- Updated the README to reflect the relocation of safety-specific fuzz targets to the new crates/ironclaw_safety/fuzz directory.
fuzz/fuzz_targets/fuzz_tool_params.rs
- Updated imports to reflect the new ironclaw_safety crate.
providers.json
- Added Z.AI and MiniMax LLM provider configurations to the registry.
registry/channels/discord.json
- Updated the WASM artifact SHA256 checksum and version for the Discord channel.
registry/channels/slack.json
- Updated the WASM artifact SHA256 checksum and version for the Slack channel.
registry/channels/telegram.json
- Updated the WASM artifact SHA256 checksum and version for the Telegram channel.
registry/channels/whatsapp.json
- Updated the WASM artifact SHA256 checksum and version for the WhatsApp channel.
registry/tools/github.json
- Updated the WASM artifact SHA256 checksum and version for the GitHub tool.
registry/tools/gmail.json
- Updated the WASM artifact SHA256 checksum and version for the Gmail tool.
registry/tools/google-calendar.json
- Updated the WASM artifact SHA256 checksum and version for the Google Calendar tool.
registry/tools/google-docs.json
- Updated the WASM artifact SHA256 checksum and version for the Google Docs tool.
registry/tools/google-drive.json
- Updated the WASM artifact SHA256 checksum and version for the Google Drive tool.
registry/tools/google-sheets.json
- Updated the WASM artifact SHA256 checksum and version for the Google Sheets tool.
registry/tools/google-slides.json
- Updated the WASM artifact SHA256 checksum and version for the Google Slides tool.
registry/tools/llm-context.json
- Added a new llm-context tool to fetch pre-extracted web content from Brave Search for LLM grounding.
registry/tools/slack.json
- Updated the WASM artifact SHA256 checksum and version for the Slack tool.
registry/tools/telegram.json
- Updated the WASM artifact SHA256 checksum and version for the Telegram tool.
registry/tools/web-search.json
- Updated the WASM artifact SHA256 checksum and version for the Web Search tool.
scripts/ci/quality_gate_strict.sh
- Added cargo deny check to the CI quality gate to enforce dependency policies.
scripts/test-ci-artifact-naming.sh
- Added a new script to test CI artifact naming conventions, ensuring correct parsing of kind-prefixed bundles.
skills/ironclaw-workflow-orchestrator/SKILL.md
- Updated GitHub webhook configuration details and changed event filter keys from repository to repository_name and sender to sender_login.
skills/ironclaw-workflow-orchestrator/references/workflow-routines.md
- Updated event filter keys from repository to repository_name in routine definitions.
src/agent/agent_loop.rs
- Modified maybe_hydrate_thread to return an error message on failure.
- Updated SubmissionResult::NeedApproval handling to reflect that status updates are now sent by thread_ops.rs.
src/agent/dispatcher.rs
- Implemented auto-denial for approval-requiring tools in non-DM relay channels to prevent prompt injection and stuck states.
src/agent/mod.rs
- Removed re-exports for Worker and WorkerDeps.
src/agent/routine.rs
- Extended RoutineAction::Lightweight to include use_tools and max_tool_rounds parameters.
- Added clamping logic for max_tool_rounds to prevent runaway loops.
src/agent/routine_engine.rs
- Modified execute_lightweight to support tool execution based on use_tools and max_tool_rounds parameters.
- Introduced a denylist (ROUTINE_TOOL_DENYLIST) for tools that pose autonomy-escalation risks in lightweight routines.
- Truncated tool output to 8KB in lightweight routines to prevent unbounded context growth.
src/agent/thread_ops.rs
- Added checks for thread ID ownership and channel requirements during conversation hydration and persistence.
- Updated auth token configuration logic to use configure_token.
src/app.rs
- Integrated AgentSessionManager with AppComponents.
- Added logic for handling invalid MCP server configurations, logging warnings instead of panicking.
src/bootstrap.rs
- Updated DATABASE_BACKEND environment variable setting to use a thread-safe runtime overlay if a Tokio runtime is already active, avoiding undefined behavior.
src/channels/http.rs
- Implemented HMAC-SHA256 signature verification for incoming webhooks.
- Deprecated the secret field in the request body, advising migration to the X-IronClaw-Signature header.
- Added checks for Content-Type header and webhook secret configuration, rejecting requests if the secret is cleared at runtime.
src/channels/relay/channel.rs
- Reset consecutive_failures and backoff_ms on successful SSE reconnection to accurately track failures.
- Implemented send_status to forward ApprovalNeeded status updates to messaging providers, enabling interactive tool approval.
src/channels/wasm/host.rs
- Added truncate_utf8 utility function for safe UTF-8 string truncation.
- Used truncate_utf8 for message content truncation to prevent invalid UTF-8 sequences.
src/channels/wasm/wrapper.rs
- Cloned message sender before send().await to prevent holding RwLock read guard across async calls, resolving a potential deadlock.
src/channels/web/CLAUDE.md
- Updated the web gateway's request body limit to 10 MB to accommodate larger payloads, such as image uploads.
src/channels/web/handlers/chat.rs
- Cloned message sender before send().await to prevent holding RwLock read guard across async calls.
- Updated auth token configuration logic to use the new configure_token method.
src/channels/web/server.rs
- Added Content Security Policy (CSP) headers to web server responses to enhance security.
- Updated OAuth callback handling to support RFC 8707 resource parameter and auto-activate extensions after successful authentication.
src/channels/web/static/app.js
- Migrated inline event handlers to addEventListener for CSP compliance.
- Implemented DOMPurify for robust HTML sanitization of rendered markdown.
- Added copy buttons for messages and code blocks to improve user experience.
src/channels/web/static/index.html
- Added DOMPurify CDN link for enhanced HTML sanitization.
- Removed inline event handlers to comply with Content Security Policy.
src/channels/web/static/style.css
- Added styles for message copy buttons, including hover effects and responsive adjustments.
src/channels/web/ws.rs
- Cloned message sender before send().await to prevent holding RwLock read guard across async calls.
- Updated auth token configuration logic to use the new configure_token method.
src/cli/channels.rs
- Added a new CLI module for managing channels, including commands to list configured built-in and WASM channels.
src/cli/doctor.rs
- Updated check_nearai_session to use env_or_override for checking the NEAR AI API key, ensuring compatibility with runtime environment overrides.
src/cli/mcp.rs
- Updated test_server to use McpClient::with_session_manager and create_client_from_config for better MCP client management.
src/cli/mod.rs
- Added new top-level CLI commands: channels, routines, and skills.
src/cli/oauth_defaults.rs
- Added exchange_oauth_code_with_resource to support the RFC 8707 resource parameter for MCP OAuth flows.
- Included client_id_secret_name in PendingOAuthFlow for persisting client IDs in MCP OAuth.
src/cli/routines.rs
- Added a new CLI module for managing routines, providing commands to list, create, edit, enable/disable, delete, and view history.
src/cli/skills.rs
- Added a new CLI module for managing skills, including commands to list, search, and inspect SKILL.md-based skills.
src/cli/snapshots/ironclaw__cli__tests__help_output_without_import.snap
- Updated CLI help snapshots to reflect new commands and changes.
src/config/helpers.rs
- Added set_runtime_env and env_or_override functions for thread-safe management of environment variables at runtime.
src/config/llm.rs
- Added a test case to ensure registry provider aliases correctly resolve Z.AI.
src/config/mod.rs
- Added a new search module for workspace search configuration.
- Re-exported env_or_override and set_runtime_env from helpers.
- Included WorkspaceSearchConfig in the main Config structure.
src/config/safety.rs
- Replaced the internal SafetyConfig structure with the one from the new ironclaw_safety crate.
src/config/sandbox.rs
- Added an allow_full_access field to SandboxModeConfig to enforce a double opt-in for the FullAccess policy.
- Clarified the implications of the FullAccess policy in comments.
src/config/search.rs
- Added a new configuration module for workspace search, allowing specification of fusion strategy and weights.
src/db/libsql/conversations.rs
- Modified ensure_conversation to return a boolean indicating whether the conversation was successfully created or updated for the current user, improving ownership checks.
src/db/libsql/mod.rs
- Changed the log level for parsing naive timestamps from warn to debug for less verbose logging.
src/db/libsql/workspace.rs
- Replaced the direct call to reciprocal_rank_fusion with fuse_results, allowing dynamic selection of fusion strategies.
src/db/mod.rs
- Updated the ensure_conversation trait method signature to return a boolean.
src/db/postgres.rs
- Updated the ensure_conversation implementation to match the new trait method signature.
src/extensions/manager.rs
- Refactored auth and configure methods for improved handling of OAuth flows, Dynamic Client Registration (DCR), and secret validation.
- Introduced gateway_mode and gateway_base_url for seamless integration with the web gateway's OAuth process.
- Added inject_registry_entry for testing purposes.
src/extensions/mod.rs
- Added ConfigureResult struct to represent the outcome of extension configuration.
- Introduced new AuthNotSupported and ValidationFailed error variants for more granular error handling.
src/history/store.rs
- Modified ensure_conversation to return a boolean indicating whether the conversation was successfully created or updated for the current user, enhancing ownership verification.
src/llm/session.rs
- Updated the API key login process to use the thread-safe runtime environment overlay, ensuring compatibility with multi-threaded environments.
src/main.rs
- Integrated new CLI commands (channels, routines, skills) into the main application entry point.
- Updated agent initialization to use the agent_session_manager provided by AppBuilder.
- Enabled gateway mode for the extension manager when running the web gateway.
src/registry/installer.rs
- Added regression tests to address tool/channel artifact name collision issues, ensuring correct installation paths.
src/safety/mod.rs
- Replaced internal safety modules with re-exports from the new ironclaw_safety crate, centralizing security logic.
src/sandbox/config.rs
- Added allow_full_access to SandboxConfig to enforce a double opt-in for the FullAccess policy, preventing accidental host execution.
- Clarified the implications and risks of the FullAccess policy in comments.
src/sandbox/manager.rs
- Enforced the allow_full_access check for FullAccess policy execution, ensuring explicit consent for host-level commands.
src/service.rs
- Added CLI_ENABLED=false to the systemd service unit to ensure proper daemonization.
src/setup/README.md
- Updated the LLM setup process documentation to clarify that selected_model is preserved when re-running setup for the same backend.
src/setup/channels.rs
- Implemented credential validation for WASM channels using validation_endpoint defined in capabilities files.
- Added robust URL validation to prevent SSRF attacks during credential validation.
src/setup/prompts.rs
- Added drain_pending_events for improved terminal input handling, especially on Windows.
- Included print_banner function to display the IronClaw ASCII art banner during setup.
src/setup/wizard.rs
- Added print_banner to the setup wizard for a more engaging user experience.
- Implemented set_llm_backend_preserving_model to intelligently manage selected_model when switching LLM backends.
- Updated API key persistence to use the thread-safe runtime environment overlay.
src/testing/mod.rs
- Updated test_ensure_conversation_foreign_conflict_does_not_touch_last_activity test to reflect changes in ensure_conversation behavior.
src/tools/builtin/extension_tools.rs
- Updated tool_auth to use the new auth method without a token parameter.
- Adjusted approval requirements for tool_auth in gateway mode, removing the need for explicit approval.
src/tools/builtin/http.rs
- Refactored the HTTP tool to incorporate DNS pinning for enhanced SSRF protection.
- Added robust redirect following logic for simple GET requests, with per-hop SSRF validation.
- Improved parameter parsing for headers, timeouts, and save_to options.
src/tools/builtin/memory.rs
- Added validation to memory_write and memory_read to prevent their misuse with local filesystem paths, guiding users to appropriate tools.
src/tools/builtin/routine.rs
- Extended routine_create to support use_tools and max_tool_rounds parameters for lightweight routines, offering more control over automated tasks.
src/tools/mcp/auth.rs
- Added a state parameter to OAuth authorization URLs for compatibility with MCP servers that require it, such as Attio.
src/tools/mcp/client.rs
- Introduced an initialized flag for idempotency in MCP client initialization.
- Added has_custom_auth_header check to prevent overwriting user-defined Authorization headers with OAuth tokens.
src/tools/mcp/config.rs
- Added validation for custom HTTP headers in MCP server configurations, ensuring RFC 9110 compliance.
- Introduced has_custom_auth_header method to detect explicit Authorization header configurations.
src/tools/mcp/factory.rs
- Ensured that non-OAuth HTTP clients created by the factory carry a session manager for consistent behavior.
src/tools/mcp/http_transport.rs
- Added wire-level echo server tests to verify custom headers and authorization handling in the HTTP transport.
src/tools/mcp/stdio_transport.rs
- Handled JSON-RPC notifications (requests without an ID) as fire-and-forget, preventing the client from waiting for a non-existent response.
src/tools/mcp/unix_transport.rs
- Handled JSON-RPC notifications (requests without an ID) as fire-and-forget, similar to stdio transport.
src/tools/registry.rs
- Added tool_definitions_excluding method to filter tool definitions based on a denylist and approval requirements, useful for routine execution.
src/tools/tool.rs
- Introduced MAX_SCHEMA_DEPTH and validate_tool_schema_inner to prevent unbounded recursion in tool schema validation, enhancing stability.
src/tools/wasm/capabilities_schema.rs
- Added description and parameters fields to CapabilitiesFile for richer tool metadata.
- Introduced MAX_NESTED_DEPTH for capabilities resolution to prevent unbounded recursion in nested wrappers.
src/tools/wasm/loader.rs
- Updated WasmToolLoader to load tool descriptions and parameter schemas directly from capabilities files.
- Implemented validation for loaded parameter schemas to ensure correctness.
src/tools/wasm/runtime.rs
- Updated extract_tool_description and extract_tool_schema to reflect that descriptions and schemas are now loaded from capabilities files, rather than being introspected from the WASM component directly.
src/tunnel/cloudflare.rs
- Improved error reporting for cloudflared startup failures, providing more diagnostic information.
- Added background draining for stdout/stderr to prevent pipe stalls and ensure graceful process termination.
src/tunnel/custom.rs
- Added background draining for stdout/stderr to prevent pipe stalls and ensure custom tunnel processes do not block.
src/tunnel/ngrok.rs
- Improved error reporting for ngrok startup failures, offering clearer diagnostics.
- Added background draining for stdout/stderr to prevent pipe stalls and ensure graceful process termination.
src/workspace/mod.rs
- Introduced FusionStrategy for hybrid search, allowing configurable combinations of full-text and vector search results.
- Added with_search_config to Workspace for setting default search parameters.
src/workspace/repository.rs
- Replaced the direct call to reciprocal_rank_fusion with fuse_results, enabling dynamic selection of search fusion strategies.
src/workspace/search.rs
- Introduced FusionStrategy enum and weighted_score_fusion algorithm for hybrid search, providing more flexible result combination options.
- Updated SearchConfig to include fusion_strategy, fts_weight, and vector_weight.
tests/e2e/scenarios/test_csp.py
- Added new E2E tests to ensure Content Security Policy (CSP) compliance, checking for violations and inline event handlers.
tests/e2e_advanced_traces.rs
- Updated tool call assertion to reflect that auto-approve allows more tool calls per iteration.
- Added a new E2E test for the MCP extension lifecycle, covering search, install, activate, and use of mock MCP tools.
tests/e2e_routine_heartbeat.rs
- Added use_tools and max_tool_rounds parameters to routine creation in tests.
tests/e2e_thread_id_isolation.rs
- Added new E2E tests to verify thread ID isolation, ensuring that forged thread IDs cannot access or modify other users' conversations.
tests/fixtures/llm_traces/advanced/mcp_extension_lifecycle.json
- Added a new LLM trace fixture specifically for the MCP extension lifecycle E2E test.
tests/gateway_workflow_integration.rs
- Added a new E2E integration test for the gateway workflow, covering routine creation via tool calls and webhook ingestion.
tests/openai_compat_integration.rs
- Updated test_chat_completions_body_too_large to use axum::Router directly for testing, ensuring accurate body limit enforcement.
tests/support/gateway_workflow_harness.rs
- Added a new support module providing a harness for E2E gateway workflow integration tests.
tests/support/mock_mcp_server.rs
- Added a new support module for a mock MCP server, facilitating E2E testing of MCP extension lifecycle.
tests/support/mock_openai_server.rs
- Added a new support module for a mock OpenAI server, enabling controlled testing of LLM interactions.
tests/support/mod.rs
- Added new support modules for gateway workflow harness, mock MCP server, and mock OpenAI server.
tests/support/test_channel.rs
- Added TestChannelHandle to wrap Arc<TestChannel> as a Box<dyn Channel>, allowing flexible channel management in tests.
tests/support/test_rig.rs
- Updated TestRig to include an extension_manager for direct extension operations in tests.
tools-src/github/Cargo.toml
- Updated the GitHub tool version to 0.2.1.
tools-src/github/README.md
- Updated the GitHub tool's features list.
- Added new actions for creating/merging pull requests, listing/adding issue comments, and managing PR review comments and combined statuses.
tools-src/github/github-tool.capabilities.json
- Added webhook capability configuration for GitHub webhooks, including HMAC secret and signature headers.
- Updated allowed HTTP methods to include PUT for new GitHub actions.
tools-src/github/src/lib.rs
- Implemented new GitHub actions for issues, pull requests, and webhooks, expanding the tool's functionality.
tools-src/llm-context/Cargo.toml
- Added a new tool llm-context-tool for fetching Brave Search LLM context.
tools-src/llm-context/llm-context-tool.capabilities.json
- Added capabilities configuration for the new llm-context-tool, including HTTP allowlist, credentials, and authentication setup.

Ignored Files

Ignored by pattern: .github/workflows/** (5)
- .github/workflows/code_style.yml
- .github/workflows/e2e.yml
- .github/workflows/regression-test-check.yml
- .github/workflows/release.yml
- .github/workflows/staging-ci.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	`/gemini review`	Performs a code review for the current pull request in its current state.
Pull Request Summary	`/gemini summary`	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	`/gemini help`	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

gemini-code-assist

Code Review

This is an excellent pull request that addresses several critical and high-priority bugs while also introducing significant security hardening and reliability improvements. The fixes for the five documented bugs (auth bypass, relay failures, unbounded recursion, and context growth) are well-implemented. I'm particularly impressed with the security enhancements, including the robust SSRF/DNS-rebinding protection in the http tool, the move to a dedicated ironclaw_safety crate, the implementation of a Content Security Policy in the web UI, and the additional safeguards for FullAccess sandbox policy. The code quality is high, and the refactoring improves modularity. I have one minor suggestion to further improve the SSRF protection.

gemini-code-assist · 2026-03-12T22:18:56Z

+        || v4.is_link_local()
+        || v4.is_multicast()
+        || v4.is_unspecified()
+        || *v4 == Ipv4Addr::new(169, 254, 169, 254)


The SSRF protection is missing a check for the Carrier-Grade NAT (CGNAT) address space (100.64.0.0/10). While not strictly a private range, it's not globally routable and should be blocked to prevent potential SSRF to internal carrier services. A similar check was correctly added in src/setup/channels.rs.

|| *v4 == Ipv4Addr::new(169, 254, 169, 254) || (v4.octets()[0] == 100 && (v4.octets()[1] & 0xC0) == 64)

References

To prevent DNS-based SSRF vulnerabilities, resolve hostnames to IP addresses, validate all resolved IPs against restricted ranges, and pin the validated addresses for the connection to prevent TOCTOU race conditions.

…its) - nearai#1077: recompute next_fire_at when re-enabling cron routines via web toggle, mirroring CLI behavior so cron ticker picks them up - nearai#1076: refresh event trigger cache after web toggle/delete operations so event/system_event routines reflect changes immediately - nearai#892: remove Stuck from check_signals() stop-states in JobDelegate since Stuck is recoverable (Stuck -> InProgress via self-repair) - nearai#976: truncate oversized description strings in CapabilitiesFile to 4KB to prevent memory abuse from malicious capabilities files - nearai#977: drop oversized parameters schema JSON (>64KB) in CapabilitiesFile to prevent unbounded memory growth Each fix includes regression tests where applicable. Closes nearai#1077, nearai#1076, nearai#892, nearai#976, nearai#977 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- nearai#825: use RegexBuilder with 64KB size limit when compiling user-supplied event trigger patterns, both at creation time (routine tool) and at cache refresh (routine engine) Note: Rust's regex crate already guarantees O(n) matching, so the size limit prevents excessive memory use during compilation rather than catastrophic backtracking at match time. Closes nearai#825 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…ed-in-issues-and-prioritize-and # Conflicts: # src/channels/http.rs # src/channels/web/handlers/routines.rs

ilblackdragon · 2026-03-13T16:04:33Z

+        }
+        let expected_secret = webhook_secret
+            .as_ref()
+            .expect("checked is_none above")


expect is production code

ilblackdragon

Approved, but need to fix expect in prod code.

…unded recursion, context growth) (#1083) * fix: address 5 critical and high-priority bugs from issue tracker - #1033: reject webhook requests when secret is cleared at runtime via update_secret(None), preventing auth bypass through SIGHUP hot-swap - #908: reset consecutive_failures counter on successful SSE stream reconnection in relay channel, so circuit breaker counts truly consecutive failures - #975: add depth limit (16) to validate_tool_schema() to prevent stack overflow on deeply nested schemas - #974: add depth limit (8) to resolve_nested() to prevent stack overflow on deeply nested capabilities wrappers - #826: truncate oversized tool outputs (>8KB) in routine lightweight loop to prevent unbounded context growth across iterations Each fix includes a regression test. Closes #1033, #908, #975, #974, #826 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: 5 more high-priority bugs (routine cache, job signals, input limits) - #1077: recompute next_fire_at when re-enabling cron routines via web toggle, mirroring CLI behavior so cron ticker picks them up - #1076: refresh event trigger cache after web toggle/delete operations so event/system_event routines reflect changes immediately - #892: remove Stuck from check_signals() stop-states in JobDelegate since Stuck is recoverable (Stuck -> InProgress via self-repair) - #976: truncate oversized description strings in CapabilitiesFile to 4KB to prevent memory abuse from malicious capabilities files - #977: drop oversized parameters schema JSON (>64KB) in CapabilitiesFile to prevent unbounded memory growth Each fix includes regression tests where applicable. Closes #1077, #1076, #892, #976, #977 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: prevent ReDoS in event trigger regex patterns - #825: use RegexBuilder with 64KB size limit when compiling user-supplied event trigger patterns, both at creation time (routine tool) and at cache refresh (routine engine) Note: Rust's regex crate already guarantees O(n) matching, so the size limit prevents excessive memory use during compilation rather than catastrophic backtracking at match time. Closes #825 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Harden HTTP SSRF IP filtering * Apply rustfmt after staging merge --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

…unded recursion, context growth) (nearai#1083) * fix: address 5 critical and high-priority bugs from issue tracker - nearai#1033: reject webhook requests when secret is cleared at runtime via update_secret(None), preventing auth bypass through SIGHUP hot-swap - nearai#908: reset consecutive_failures counter on successful SSE stream reconnection in relay channel, so circuit breaker counts truly consecutive failures - nearai#975: add depth limit (16) to validate_tool_schema() to prevent stack overflow on deeply nested schemas - nearai#974: add depth limit (8) to resolve_nested() to prevent stack overflow on deeply nested capabilities wrappers - nearai#826: truncate oversized tool outputs (>8KB) in routine lightweight loop to prevent unbounded context growth across iterations Each fix includes a regression test. Closes nearai#1033, nearai#908, nearai#975, nearai#974, nearai#826 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: 5 more high-priority bugs (routine cache, job signals, input limits) - nearai#1077: recompute next_fire_at when re-enabling cron routines via web toggle, mirroring CLI behavior so cron ticker picks them up - nearai#1076: refresh event trigger cache after web toggle/delete operations so event/system_event routines reflect changes immediately - nearai#892: remove Stuck from check_signals() stop-states in JobDelegate since Stuck is recoverable (Stuck -> InProgress via self-repair) - nearai#976: truncate oversized description strings in CapabilitiesFile to 4KB to prevent memory abuse from malicious capabilities files - nearai#977: drop oversized parameters schema JSON (>64KB) in CapabilitiesFile to prevent unbounded memory growth Each fix includes regression tests where applicable. Closes nearai#1077, nearai#1076, nearai#892, nearai#976, nearai#977 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: prevent ReDoS in event trigger regex patterns - nearai#825: use RegexBuilder with 64KB size limit when compiling user-supplied event trigger patterns, both at creation time (routine tool) and at cache refresh (routine engine) Note: Rust's regex crate already guarantees O(n) matching, so the size limit prevents excessive memory use during compilation rather than catastrophic backtracking at match time. Closes nearai#825 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Harden HTTP SSRF IP filtering * Apply rustfmt after staging merge --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

gemini-code-assist bot reviewed Mar 12, 2026

View reviewed changes

github-actions bot added the scope: worker Container worker label Mar 12, 2026

zmanian and others added 2 commits March 12, 2026 15:24

Harden HTTP SSRF IP filtering

bea50ef

zmanian changed the base branch from main to staging March 12, 2026 22:29

github-actions bot added size: L 200-499 changed lines risk: medium Business logic, config, or moderate-risk modules and removed size: XL 500+ changed lines risk: high Safety, secrets, auth, or critical infrastructure labels Mar 12, 2026

zmanian added 2 commits March 12, 2026 15:34

Merge remote-tracking branch 'origin/staging' into look-a-bug-resport…

b9d85da

…ed-in-issues-and-prioritize-and # Conflicts: # src/channels/http.rs # src/channels/web/handlers/routines.rs

Apply rustfmt after staging merge

b45b950

zmanian added the skip-regression-check Bypass regression test CI gate (tests exist but not in tests/ dir) label Mar 12, 2026

zmanian closed this Mar 12, 2026

zmanian reopened this Mar 12, 2026

zmanian enabled auto-merge (squash) March 12, 2026 23:14

github-actions bot mentioned this pull request Mar 13, 2026

🦞 OpenClaw 生态日报 2026-03-13 gsscsd/big_model_radar#28

Open

zmanian requested review from henrypark133 and ilblackdragon March 13, 2026 03:40

ilblackdragon reviewed Mar 13, 2026

View reviewed changes

ilblackdragon approved these changes Mar 13, 2026

View reviewed changes

zmanian merged commit e805ec6 into nearai:staging Mar 13, 2026
30 of 31 checks passed

ironclaw-ci bot mentioned this pull request Mar 13, 2026

chore: promote staging to main (2026-03-13 16:09 UTC) #1132

Merged

zmanian mentioned this pull request Mar 13, 2026

fix(http): replace .expect() with match in webhook handler #1133

Merged

3 tasks

ironclaw-ci bot mentioned this pull request Mar 13, 2026

chore: promote staging to staging-promote/e805ec61-23059634819 (2026-03-13 17:11 UTC) #1134

Merged

ironclaw-ci bot mentioned this pull request Mar 17, 2026

chore: release v0.19.0 #973

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: 5 critical/high-priority bugs (auth bypass, relay failures, unbounded recursion, context growth)#1083

fix: 5 critical/high-priority bugs (auth bypass, relay failures, unbounded recursion, context growth)#1083
zmanian merged 6 commits intonearai:stagingfrom
zmanian:look-a-bug-resported-in-issues-and-prioritize-and

zmanian commented Mar 12, 2026 •

edited

Loading

Uh oh!

gemini-code-assist bot commented Mar 12, 2026

Uh oh!

gemini-code-assist bot left a comment

Uh oh!

gemini-code-assist bot Mar 12, 2026

Uh oh!

ilblackdragon Mar 13, 2026

Uh oh!

ilblackdragon left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

zmanian commented Mar 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Batch 1: Critical security and stability fixes

Batch 2: Routine cache, job signals, and input validation

Batch 3: Security hardening

Test plan

Uh oh!

gemini-code-assist bot commented Mar 12, 2026

Summary of Changes

Highlights

Footnotes

Uh oh!

gemini-code-assist bot left a comment

Choose a reason for hiding this comment

Code Review

Uh oh!

gemini-code-assist bot Mar 12, 2026

Choose a reason for hiding this comment

Uh oh!

ilblackdragon Mar 13, 2026

Choose a reason for hiding this comment

Uh oh!

ilblackdragon left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

zmanian commented Mar 12, 2026 •

edited

Loading