Security Hardening
Comprehensive security audit and fixes in response to responsible disclosure:
Shell Execution Sandbox (CRITICAL)
- Allowlist mode now uses direct argv execution via `shlex`: no shell interpreter is invoked
- Commands are split into program + arguments and passed to `execve()` directly
- Eliminates an entire class of injection attacks: encoding tricks, `$IFS`, glob expansion, variable expansion
- Full mode (user opt-in) still uses `sh -c` with metacharacter filtering as defense-in-depth
- Metacharacter filter blocks: `; | > < { } \0 & && ||`
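The two execution modes described above, as an added illustration that is not the project's own code: allowlist mode splits the command with `shlex` and hands the argv list straight to the process API (no shell), while full mode applies the character filter before `sh -c`. The allowlist contents are a constructed example; the real project's list is not on this page.

```python
import shlex
import subprocess

# Constructed example allowlist (assumption; the project's real list is not shown).
ALLOWED_PROGRAMS = {"echo", "ls", "cat"}

# Characters the full-mode filter rejects, per the release notes.
# "&&" and "||" are covered by the single-character entries for "&" and "|".
BLOCKED_METACHARS = (";", "|", ">", "<", "{", "}", "\0", "&")


def parse_allowlist_command(command: str) -> list[str]:
    """Allowlist mode: split into argv with shlex and check the program name.

    Raises ValueError if the command is empty or the program is not allowed.
    """
    argv = shlex.split(command)
    if not argv:
        raise ValueError("empty command")
    if argv[0] not in ALLOWED_PROGRAMS:
        raise ValueError(f"program not in allowlist: {argv[0]!r}")
    return argv


def run_allowlist(command: str) -> str:
    """Execute via argv only; every token reaches execve() as a literal string."""
    argv = parse_allowlist_command(command)
    # No shell is involved, so "$IFS", "*" and ";" are plain bytes to the program.
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


def has_blocked_metachar(command: str) -> bool:
    """Full-mode defense-in-depth check applied before sh -c.

    This is a character filter, not a parser; only allowlist mode removes
    shell interpretation entirely.
    """
    return any(ch in command for ch in BLOCKED_METACHARS)


def run_full_mode(command: str) -> str:
    """Full mode (user opt-in): shell interpretation, gated by the filter."""
    if has_blocked_metachar(command):
        raise ValueError("command contains a blocked shell metacharacter")
    result = subprocess.run(["sh", "-c", command], capture_output=True, text=True, check=False)
    return result.stdout
```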
API Auth Hardening (CRITICAL)
- All public endpoints are now GET-only — POST/PUT/DELETE always require authentication
- Prevents unauthenticated cron job creation, skill installation, integration reload, agent spawning
- WebSocket auth now uses constant-time comparison (fixes timing side-channel)
OFP Wire Protocol (HIGH)
- `send_to_peer()` derives a session key and uses per-message HMAC-authenticated I/O
- `broadcast_notification()` requires the shared secret and uses authenticated writes
- `connection_loop()` uses authenticated reads/writes for all post-handshake messages
- No plaintext message paths exist after any successful handshake
Audit Trail Persistence (MEDIUM)
- V8 migration adds an `audit_entries` SQLite table with Merkle chain fields
- Entries are persisted immediately on every write
- Boot-time integrity verification detects tampering
Bug Fixes
- #437 Gemini API key sent as query parameter + enhanced error parsing
- #429 CJK IME composition no longer triggers send on Enter key
- #434 OpenClaw migration handles nested JSON objects in tool config
- #403 Discord `ignore_bots` config option (default true)
- #407 Browser Hand requires chromium instead of obsolete python3/playwright
Stats
- 24 files changed, 957 insertions, 224 deletions
- 1,886 tests passing, 0 clippy warnings