moltbot

LLM/moltbot

Fork 0

mirror of https://github.com/moltbot/moltbot.git synced 2026-05-13 23:56:07 +00:00

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
Peter Steinberger	f9c0dc2d2b	fix(feishu): fall back from missing thread replies (#80306 ) Summary: - The branch adds an opt-in Feishu top-level group-send fallback for withdrawn or missing normal quoted thread replies, plus regression coverage, a changelog entry, and CI/lint typing and baseline refreshes. - Reproducibility: yes. at source level. Current main hard-errors withdrawn/not-found Feishu reply targets when `replyInThread` is true, and the existing regression test asserts that no top-level create fallback occurs. Automerge notes: - PR branch already contained follow-up commit before automerge: fix(feishu): fall back from missing thread replies - PR branch already contained follow-up commit before automerge: fix(clawsweeper): address review for automerge-openclaw-openclaw-8030… - PR branch already contained follow-up commit before automerge: fix(clawsweeper): reconcile automerge-openclaw-openclaw-80306 with ma… - PR branch already contained follow-up commit before automerge: fix(ci): satisfy stricter lint and test types - PR branch already contained follow-up commit before automerge: fix(ci): align Node 24 test typing Validation: - ClawSweeper review passed for head `93146f9d13`. - Required merge gates passed before the squash merge. Prepared head SHA: `93146f9d13` Review: https://github.com/openclaw/openclaw/pull/80306#issuecomment-4415604729 Co-authored-by: Peter Steinberger <steipete@gmail.com> Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>	2026-05-10 16:41:51 +00:00
Jesse Merhi	6de9d71bfb	feat(security): add GHSA detector-review pipeline and OpenGrep CI workflows (#69483 ) * feat(security): add GHSA detector-review pipeline and OpenGrep CI workflows [AI-assisted] Stand up an end-to-end pipeline that turns every published openclaw GitHub Security Advisory into a reusable OpenGrep rule, and wire the compiled rules into manual-dispatch GitHub Actions workflows that publish SARIF to GitHub Code Scanning. The pipeline is harness-agnostic: any coding-agent CLI (Rovo Dev, Claude Code, Codex, OpenCode, or anything you can shell out to) can drive it via the runner script's --harness flag. Built-in adapters cover the four common harnesses; --harness-cmd '<template>' supports anything else with shell-style {prompt}/{model}/{output_file} substitution. Pipeline pieces: - scripts/run-ghsa-detector-review-batch.mjs runs your chosen coding harness in parallel against every advisory using the agent-agnostic detector-review spec at security/detector-review/detector-review-spec.md. Each case produces an opengrep general-rule.yml (precise) and broad-rule.yml (review-aid), plus a coverage-validated report against the vulnerable commit's changed files. - scripts/compile-opengrep-rules.mjs walks a run directory, rewrites each rule's id to ghsa-detector.<ghsa>.<orig-id>, injects ghsa/advisory-url/ detector-bucket/source-rule-id metadata, and uses opengrep itself to drop rules with InvalidRuleSchemaError so the published super-configs load cleanly. Compiled outputs: - security/opengrep/precise.yml (336 rules) - security/opengrep/broad.yml (459 rules) - security/opengrep/compile-manifest.json (per-rule provenance map) CI workflows (manual workflow_dispatch only): - .github/workflows/opengrep-precise.yml - .github/workflows/opengrep-broad.yml Both install a pinned opengrep, run opengrep scan against src/, upload SARIF to Code Scanning under categories opengrep-precise / opengrep-broad, and use continue-on-error: true so findings never block the workflow. Detector-review spec and assets: - security/detector-review/detector-review-spec.md the agent-agnostic spec the runner injects into each per-case prompt - security/detector-review/references/{detector-rubric,report-template}.md - security/detector-review/scripts/init_case.py - security/prompt-suffix-coverage-first.md mandatory prompt addendum that enforces coverage-first validation (rule must catch the OG vuln, not just pass synthetic fixtures) Docs: - security/README.md end-to-end flow, supported harnesses, regen recipe - security/opengrep/README.md compiled-config details + recompile recipe * security: tighten GHSA OpenGrep detector workflow * chore: refine precise opengrep workflow * chore: remove stale opengrep metadata * fix: harden GHSA OpenGrep workflow * ci: split OpenGrep diff and full scans * chore: remove performance-only opengrep rule * ci: use OpenGrep installer path * chore: enforce opengrep rule metadata provenance * chore: generalize opengrep rule compilation * docs: align opengrep rulepack guidance * chore: support generic opengrep rule sources * fix: validate opengrep rulepack-only changes --------- Co-authored-by: Jesse Merhi <security-engineering@atlassian.com>	2026-04-30 02:42:20 +10:00

Peter Steinberger

f9c0dc2d2b

fix(feishu): fall back from missing thread replies (#80306 )

Summary:
- The branch adds an opt-in Feishu top-level group-send fallback for withdrawn or missing normal quoted thread replies, plus regression coverage, a changelog entry, and CI/lint typing and baseline refreshes.
- Reproducibility: yes. at source level. Current main hard-errors withdrawn/not-found Feishu reply targets when `replyInThread` is true, and the existing regression test asserts that no top-level create fallback occurs.

Automerge notes:
- PR branch already contained follow-up commit before automerge: fix(feishu): fall back from missing thread replies
- PR branch already contained follow-up commit before automerge: fix(clawsweeper): address review for automerge-openclaw-openclaw-8030…
- PR branch already contained follow-up commit before automerge: fix(clawsweeper): reconcile automerge-openclaw-openclaw-80306 with ma…
- PR branch already contained follow-up commit before automerge: fix(ci): satisfy stricter lint and test types
- PR branch already contained follow-up commit before automerge: fix(ci): align Node 24 test typing

Validation:
- ClawSweeper review passed for head 93146f9d13.
- Required merge gates passed before the squash merge.

Prepared head SHA: 93146f9d13
Review: https://github.com/openclaw/openclaw/pull/80306#issuecomment-4415604729

Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>

2026-05-10 16:41:51 +00:00

Jesse Merhi

6de9d71bfb

feat(security): add GHSA detector-review pipeline and OpenGrep CI workflows (#69483 )

* feat(security): add GHSA detector-review pipeline and OpenGrep CI workflows [AI-assisted]

Stand up an end-to-end pipeline that turns every published openclaw GitHub
Security Advisory into a reusable OpenGrep rule, and wire the compiled rules
into manual-dispatch GitHub Actions workflows that publish SARIF to GitHub
Code Scanning.

The pipeline is harness-agnostic: any coding-agent CLI (Rovo Dev, Claude
Code, Codex, OpenCode, or anything you can shell out to) can drive it via
the runner script's --harness flag. Built-in adapters cover the four common
harnesses; --harness-cmd '<template>' supports anything else with shell-style
{prompt}/{model}/{output_file} substitution.

Pipeline pieces:

- scripts/run-ghsa-detector-review-batch.mjs runs your chosen coding harness
  in parallel against every advisory using the agent-agnostic detector-review
  spec at security/detector-review/detector-review-spec.md. Each case
  produces an opengrep general-rule.yml (precise) and broad-rule.yml
  (review-aid), plus a coverage-validated report against the vulnerable
  commit's changed files.
- scripts/compile-opengrep-rules.mjs walks a run directory, rewrites each
  rule's id to ghsa-detector.<ghsa>.<orig-id>, injects ghsa/advisory-url/
  detector-bucket/source-rule-id metadata, and uses opengrep itself to drop
  rules with InvalidRuleSchemaError so the published super-configs load
  cleanly.

Compiled outputs:

- security/opengrep/precise.yml     (336 rules)
- security/opengrep/broad.yml       (459 rules)
- security/opengrep/compile-manifest.json    (per-rule provenance map)

CI workflows (manual workflow_dispatch only):

- .github/workflows/opengrep-precise.yml
- .github/workflows/opengrep-broad.yml

Both install a pinned opengrep, run opengrep scan against src/, upload SARIF
to Code Scanning under categories opengrep-precise / opengrep-broad, and use
continue-on-error: true so findings never block the workflow.

Detector-review spec and assets:

- security/detector-review/detector-review-spec.md   the agent-agnostic spec
  the runner injects into each per-case prompt
- security/detector-review/references/{detector-rubric,report-template}.md
- security/detector-review/scripts/init_case.py
- security/prompt-suffix-coverage-first.md   mandatory prompt addendum that
  enforces coverage-first validation (rule must catch the OG vuln, not just
  pass synthetic fixtures)

Docs:

- security/README.md          end-to-end flow, supported harnesses, regen recipe
- security/opengrep/README.md compiled-config details + recompile recipe

* security: tighten GHSA OpenGrep detector workflow

* chore: refine precise opengrep workflow

* chore: remove stale opengrep metadata

* fix: harden GHSA OpenGrep workflow

* ci: split OpenGrep diff and full scans

* chore: remove performance-only opengrep rule

* ci: use OpenGrep installer path

* chore: enforce opengrep rule metadata provenance

* chore: generalize opengrep rule compilation

* docs: align opengrep rulepack guidance

* chore: support generic opengrep rule sources

* fix: validate opengrep rulepack-only changes

---------

Co-authored-by: Jesse Merhi <security-engineering@atlassian.com>

2026-04-30 02:42:20 +10:00

2 Commits