惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Cloudflare Blog
Microsoft Security Blog
Microsoft Security Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
L
LangChain Blog
W
WeLiveSecurity
P
Proofpoint News Feed
月光博客
月光博客
NISL@THU
NISL@THU
L
LINUX DO - 最新话题
Webroot Blog
Webroot Blog
T
Threatpost
Y
Y Combinator Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
T
Threat Research - Cisco Blogs
Vercel News
Vercel News
Jina AI
Jina AI
阮一峰的网络日志
阮一峰的网络日志
S
Schneier on Security
J
Java Code Geeks
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
小众软件
小众软件
MyScale Blog
MyScale Blog
N
News and Events Feed by Topic
Stack Overflow Blog
Stack Overflow Blog
有赞技术团队
有赞技术团队
The Hacker News
The Hacker News
Schneier on Security
Schneier on Security
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Help Net Security
Help Net Security
Recent Announcements
Recent Announcements
S
Security @ Cisco Blogs
C
CXSECURITY Database RSS Feed - CXSecurity.com
S
Securelist
T
The Exploit Database - CXSecurity.com
云风的 BLOG
云风的 BLOG
C
Cisco Blogs
雷峰网
雷峰网
量子位
Google DeepMind News
Google DeepMind News
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Spread Privacy
Spread Privacy
L
Lohrmann on Cybersecurity
I
Intezer
T
The Blog of Author Tim Ferriss
G
GRAHAM CLULEY
D
DataBreaches.Net
V
Vulnerabilities – Threatpost
P
Privacy & Cybersecurity Law Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
罗磊的独立博客

Recent Commits to openclaw:main

test: merge chat side-result checks · openclaw/openclaw@ddd2c2a test: merge cron history checks · openclaw/openclaw@f7eb746 test: merge responsive navigation shell checks · openclaw/openclaw@c2e4b47 docs(changelog): add codex oauth fixes · openclaw/openclaw@628e6cd test: merge navigation routing cases · openclaw/openclaw@5d8cecb Tests: mock channel registry bundled fallback · openclaw/openclaw@2b08233 Secrets: avoid broad web search discovery for single plugin config · openclaw/openclaw@a464f59 test: merge config view browser checks · openclaw/openclaw@20cf511 fix(status): align oauth health with runtime · openclaw/openclaw@eed7116 feat: add macOS screen snapshots for monitor preview (#67954) thanks … · openclaw/openclaw@f377db1 fix: report shared auth scopes in hello-ok (#67810) thanks @BunsDev · openclaw/openclaw@0b6c39b Auto-reply: avoid eager bundled route fallback · openclaw/openclaw@3ea1bf4 Tests: narrow session binding contract setup · openclaw/openclaw@54e4e16 fix(macOS): enable undo/redo in webchat composer text input (#34962) · openclaw/openclaw@00951dc Tests: speed up channel setup promotion · openclaw/openclaw@82b529a Docs: refresh agent instructions · openclaw/openclaw@5775fe2 fix(auth): serialize OAuth refresh across agents to fix #26322 (#67876) · openclaw/openclaw@8e79080 test: allow ollama public surface boundary test · openclaw/openclaw@7d4f1a6 Docs: add test performance guardrails · openclaw/openclaw@89706d3 Tests: restore context-engine usage proof · openclaw/openclaw@e4c4f95 Tests: slim context engine runtime coverage · openclaw/openclaw@74c198f ci: retry failed custom checkouts · openclaw/openclaw@0ee5baf test: trim duplicate provider auth onboarding cases · openclaw/openclaw@1ffc02e matrix: fix sessions_spawn --thread subagent session spawning (#67643) · openclaw/openclaw@1ce2596 test: reduce auth choice fixture churn · openclaw/openclaw@857b9cd test: mock health status config boundaries · openclaw/openclaw@9d5ab4a test: mock onboard config io boundary · openclaw/openclaw@299694d test: mock legacy state plugin boundaries · openclaw/openclaw@2713089 test: mock channel install boundaries · openclaw/openclaw@b945248 test: mock doctor preview channel boundaries · openclaw/openclaw@b1a3ad4 test: trim doctor command hotspots · openclaw/openclaw@c66f16a test: isolate agent auth and spawn hotspots · openclaw/openclaw@9285935 test: stabilize MCP startup disposal race · openclaw/openclaw@dd9d2eb test: merge browser contract server suites · openclaw/openclaw@5817a76 test: narrow ollama provider discovery setup · openclaw/openclaw@a0d9598 build: declare qa-lab aimock runtime dependency · openclaw/openclaw@24431e5 test: speed up safe-bins exec harness · openclaw/openclaw@ee856ab test: preserve tool helpers in embedded runner mocks · openclaw/openclaw@acd86a0 refactor: move memory embeddings into provider plugins · openclaw/openclaw@77e6e4c test: reuse system-run temp fixtures · openclaw/openclaw@7e9ff0f test: trim hotspot wait overhead · openclaw/openclaw@12a59b0 Check: avoid duplicate boundary prep · openclaw/openclaw@baf11b8 test: reduce hotspot fixture overhead · openclaw/openclaw@3a59edd feat(ui): overhaul settings and slash command UX (#67819) thanks @Bun… · openclaw/openclaw@2cfb660 QA Matrix: exit cleanly on failure · openclaw/openclaw@42805d2 QA Matrix: isolate scenario coverage · openclaw/openclaw@7e659e1 Matrix: refresh crypto bootstrap state · openclaw/openclaw@94081d8 QA Lab: add provider registry · openclaw/openclaw@bb7e982 Matrix: add plugin changelog · openclaw/openclaw@4acab55 test: trim more hotspot overhead · openclaw/openclaw@f485311 test: trim remaining hotspot tests · openclaw/openclaw@6ba8626 test: narrow hotspot mocks · openclaw/openclaw@dbc8179 test: isolate gemini embedding request helpers · openclaw/openclaw@cd330f5 test: trim memory and mcp hotspots · openclaw/openclaw@fd48dfa test: slim provider registry mocks · openclaw/openclaw@2e08c77 test: harden Parallels update smoke · openclaw/openclaw@1a98090 feat: default Anthropic to Opus 4.7 · openclaw/openclaw@628b454 fix: harden node-host shell payload mutability checks · openclaw/openclaw@75c551e fix: land node-host approval binding for native binaries (#66731) (th… · openclaw/openclaw@29919bb CI: add daily schedule to CodeQL workflow (#67645) · openclaw/openclaw@69d25f5 fix(gateway): capture config hash after plugin auto-enable to prevent… · openclaw/openclaw@8c11210 fix: repair sanitized replay tool results before send (#67620) (thank… · openclaw/openclaw@c3c7a99 fix: restrict HTML timeout short-circuit to transient statuses · openclaw/openclaw@de129a6 fix: keep TUI watchdog bound to active run (#67401) (thanks @xantorres) · openclaw/openclaw@3525273 Gateway/skills: dedupe skills prefix-match + drop dead fallback on log · openclaw/openclaw@d7f489f Extensions/lmstudio: back off inference preload after consecutive fai… · openclaw/openclaw@b555214 TUI/streaming: add watchdog that resets the activity indicator after … · openclaw/openclaw@f44ab20 Agents/tool-loop: enable unknown-tool stream guard by default · openclaw/openclaw@36ed367 Gateway/skills: invalidate session skills snapshot on config write · openclaw/openclaw@b23d59a fix: classify HTML provider error pages correctly (#67642) (thanks @s… · openclaw/openclaw@e588e90 fix(skills): remove unused model-usage import (#67641) · openclaw/openclaw@55f05df docs(changelog): credit codex fix superseded PRs · openclaw/openclaw@e485f24 fix(openai-codex): normalize stale transport metadata in resolution a… · openclaw/openclaw@90801ba CI: pin Docker-related GitHub Actions (#67632) · openclaw/openclaw@f697b01 Android: modernize WebView and discovery API usage (#67627) · openclaw/openclaw@44a6e50 fix(deps): bump hono to 4.12.14 and @hono/node-server to 1.19.14 (GHS… · openclaw/openclaw@fbccc18 fix(deps): bump dompurify to 3.4.0 (#67614) · openclaw/openclaw@2c2dc00 CI: add explicit permissions to all workflow jobs (fixes code-scannin… · openclaw/openclaw@01b7516 fix: register bundled TTS providers and route overrides correctly (#6… · openclaw/openclaw@6ea3cdd fix: align host tilde paths with OS home (#62804) (thanks @stainlu) · openclaw/openclaw@ecfaf64 fix: flush creds queue before reconnect socket open (#67464) (thanks … · openclaw/openclaw@405c63f fix: strip standalone <function> tool call tags from visible text (#6… · openclaw/openclaw@78df859 fix(agents): preserve cli session metadata before transcript persist … · openclaw/openclaw@898fd04 docs(changelog): move cli transcript entry · openclaw/openclaw@c1817c6 fix(agents): normalize cli transcript api field · openclaw/openclaw@3a3fae0 docs(changelog): note cli transcript persistence · openclaw/openclaw@6c343f1 fix(agents): persist cli transcript turns · openclaw/openclaw@b8ef507 fix(msteams): harden security-sensitive flows (#65841) · openclaw/openclaw@c56b56e [Dashboard] Fix exec approval modal overflow for long command content… · openclaw/openclaw@053c5b0 Docs: remove QA changelog entry · openclaw/openclaw@7fd5771 QA: fix private runtime source loading (#67428) · openclaw/openclaw@d5933af docs(gateway): correct protocol.md schema path, hello-ok example, aut… · openclaw/openclaw@489404d CI: pin Node 22 runners to 22.18.0 · openclaw/openclaw@4ffa621 models.authStatus: normalize provider ids + tighten env-backed escape… · openclaw/openclaw@f2fdb9d Update CHANGELOG.md · openclaw/openclaw@7694a92 test(parallels): clean up npm update guard jobs · openclaw/openclaw@045ea7b Plugins: prefer scanDir override paths · openclaw/openclaw@b2974da fix(dreaming): default storage.mode to "separate" so phase blocks sto… · openclaw/openclaw@8c392f0 fix(memory-core): skip dreaming transcript ingestion via session stor… · openclaw/openclaw@a1b01f0 fix: dedupe replayed exec.finished node events (#67281) · openclaw/openclaw@5dcf526
fix(telegram): use owners for exec approvals (#73852) · openclaw/openclaw@43fa40a
pashpashpash · 2026-04-29 · via Recent Commits to openclaw:main
Original file line numberDiff line numberDiff line change

@@ -13,6 +13,7 @@ Docs: https://docs.openclaw.ai

1313
1414

### Fixes

1515
16+

- Telegram/exec approvals: stop treating general Telegram chat allowlists and `defaultTo` routes as native exec approvers; Telegram now uses explicit `execApprovals.approvers` or owner identity from `commands.ownerAllowFrom`, matching the first-pairing owner bootstrap path. Thanks @pashpashpash.

1617

- Plugin SDK/Discord: restore a deprecated `openclaw/plugin-sdk/discord` compatibility facade and the legacy compat group-policy warning export for the published `@openclaw/discord@2026.3.13` package, covering its config, account, directory, status, and thread-binding imports while keeping new plugins on generic SDK subpaths. Fixes #73685; supersedes #73703. Thanks @rderickson9 and @SymbolStar.

1718

- Channels/Discord: suppress duplicate gateway monitors when multiple enabled accounts resolve to the same bot token, preferring config tokens over default env fallback and reporting skipped duplicates as disabled. Supersedes #73608. Thanks @kagura-agent.

1819

- Control UI/Talk: decode Google Live binary WebSocket JSON frames and stop queued browser audio on interruption or shutdown, so browser Talk leaves `Connecting Talk...` and barge-in no longer plays stale audio. Fixes #73601 and #73460; supersedes #73466. Thanks @Spolen23 and @WadydX.

Original file line numberDiff line numberDiff line change

@@ -778,10 +778,12 @@ openclaw message poll --channel telegram --target -1001234567890:topic:42 \

778778

Config path:

779779
780780

- `channels.telegram.execApprovals.enabled` (auto-enables when at least one approver is resolvable)

781-

- `channels.telegram.execApprovals.approvers` (falls back to numeric owner IDs from `commands.ownerAllowFrom`, `allowFrom`, or `defaultTo`)

781+

- `channels.telegram.execApprovals.approvers` (falls back to numeric owner IDs from `commands.ownerAllowFrom`)

782782

- `channels.telegram.execApprovals.target`: `dm` (default) | `channel` | `both`

783783

- `agentFilter`, `sessionFilter`

784784
785+

`channels.telegram.allowFrom`, `groupAllowFrom`, and `defaultTo` control who can talk to the bot and where it sends normal replies. They do not make someone an exec approver. The first approved DM pairing bootstraps `commands.ownerAllowFrom` when no command owner exists yet, so the one-owner setup still works without duplicating IDs under `execApprovals.approvers`.

786+
785787

Channel delivery shows the command text in the chat; only enable `channel` or `both` in trusted groups/topics. When the prompt lands in a forum topic, OpenClaw preserves the topic for the approval prompt and the follow-up. Exec approvals expire after 30 minutes by default.

786788
787789

Inline approval buttons also require `channels.telegram.capabilities.inlineButtons` to allow the target surface (`dm`, `group`, or `all`). Approval IDs prefixed with `plugin:` resolve through plugin approvals; others resolve through exec approvals first.

Original file line numberDiff line numberDiff line change

@@ -271,8 +271,8 @@ Generic model:

271271

Native approval clients auto-enable DM-first delivery when all of these are true:

272272
273273

- the channel supports native approval delivery

274-

- approvers can be resolved from explicit `execApprovals.approvers` or that

275-

channel's documented fallback sources

274+

- approvers can be resolved from explicit `execApprovals.approvers` or owner

275+

identity such as `commands.ownerAllowFrom`

276276

- `channels.<channel>.execApprovals.enabled` is unset or `"auto"`

277277
278278

Set `enabled: false` to disable a native approval client explicitly. Set `enabled: true` to force

@@ -295,7 +295,7 @@ Shared behavior:

295295

- when a native approval client auto-enables, the default native delivery target is approver DMs

296296

- for Discord and Telegram, only resolved approvers can approve or deny

297297

- Discord approvers can be explicit (`execApprovals.approvers`) or inferred from `commands.ownerAllowFrom`

298-

- Telegram approvers can be explicit (`execApprovals.approvers`) or inferred from existing owner config (`allowFrom`, plus direct-message `defaultTo` where supported)

298+

- Telegram approvers can be explicit (`execApprovals.approvers`) or inferred from `commands.ownerAllowFrom`

299299

- Slack approvers can be explicit (`execApprovals.approvers`) or inferred from `commands.ownerAllowFrom`

300300

- Slack native buttons preserve approval id kind, so `plugin:` ids can resolve plugin approvals

301301

without a second Slack-local fallback layer

Original file line numberDiff line numberDiff line change

@@ -40,8 +40,8 @@ describe("telegram native approval adapter", () => {

4040
4141

expect(text).toContain("`channels.telegram.execApprovals.approvers`");

4242

expect(text).toContain("`commands.ownerAllowFrom`");

43-

expect(text).toContain("`channels.telegram.allowFrom`");

44-

expect(text).toContain("`channels.telegram.defaultTo`");

43+

expect(text).not.toContain("`channels.telegram.allowFrom`");

44+

expect(text).not.toContain("`channels.telegram.defaultTo`");

4545

expect(text).not.toContain("`channels.telegram.dm.allowFrom`");

4646

});

4747

@@ -54,8 +54,8 @@ describe("telegram native approval adapter", () => {

5454
5555

expect(text).toContain("`channels.telegram.accounts.work.execApprovals.approvers`");

5656

expect(text).toContain("`commands.ownerAllowFrom`");

57-

expect(text).toContain("`channels.telegram.accounts.work.allowFrom`");

58-

expect(text).toContain("`channels.telegram.accounts.work.defaultTo`");

57+

expect(text).not.toContain("`channels.telegram.accounts.work.allowFrom`");

58+

expect(text).not.toContain("`channels.telegram.accounts.work.defaultTo`");

5959

expect(text).not.toContain("`channels.telegram.allowFrom`");

6060

});

6161
Original file line numberDiff line numberDiff line change

@@ -92,7 +92,7 @@ const telegramNativeApprovalCapability = createApproverRestrictedNativeApprovalC

9292

accountId && accountId !== "default"

9393

? `channels.telegram.accounts.${accountId}`

9494

: "channels.telegram";

95-

return `Approve it from the Web UI or terminal UI for now. Telegram supports native exec approvals for this account. Configure \`${prefix}.execApprovals.approvers\`; if you leave it unset, OpenClaw can infer numeric owner IDs from \`commands.ownerAllowFrom\`, \`${prefix}.allowFrom\`, or direct-message \`${prefix}.defaultTo\` when possible. Leave \`${prefix}.execApprovals.enabled\` unset/\`auto\` or set it to \`true\`.`;

95+

return `Approve it from the Web UI or terminal UI for now. Telegram supports native exec approvals for this account. Configure \`${prefix}.execApprovals.approvers\` or \`commands.ownerAllowFrom\`; leave \`${prefix}.execApprovals.enabled\` unset/\`auto\` or set it to \`true\`.`;

9696

},

9797

listAccountIds: listTelegramAccountIds,

9898

hasApprovers: ({ cfg, accountId }) =>

Original file line numberDiff line numberDiff line change

@@ -135,7 +135,7 @@ export const telegramChannelConfigUiHints = {

135135

},

136136

"execApprovals.approvers": {

137137

label: "Telegram Exec Approval Approvers",

138-

help: "Telegram user IDs allowed to approve exec requests for this bot account. Use numeric Telegram user IDs. If you leave this unset, OpenClaw falls back to numeric owner IDs inferred from commands.ownerAllowFrom, channels.telegram.allowFrom, and direct-message defaultTo when possible.",

138+

help: "Telegram user IDs allowed to approve exec requests for this bot account. Use numeric Telegram user IDs. If you leave this unset, OpenClaw falls back to numeric owner IDs inferred from commands.ownerAllowFrom when possible.",

139139

},

140140

"execApprovals.agentFilter": {

141141

label: "Telegram Exec Approval Agent Filter",

Original file line numberDiff line numberDiff line change

@@ -121,7 +121,12 @@ describe("telegram exec approvals", () => {

121121

isTelegramExecApprovalClientEnabled({

122122

cfg: buildConfig(undefined, { allowFrom: ["123"] }),

123123

}),

124-

).toBe(true);

124+

).toBe(false);

125+

expect(

126+

isTelegramExecApprovalClientEnabled({

127+

cfg: buildConfig(undefined, { defaultTo: 123 }),

128+

}),

129+

).toBe(false);

125130

expect(

126131

isTelegramExecApprovalClientEnabled({

127132

cfg: buildConfig({ approvers: ["123"] }),

@@ -160,7 +165,7 @@ describe("telegram exec approvals", () => {

160165

expect(isTelegramExecApprovalApprover({ cfg, senderId: "67890" })).toBe(true);

161166

});

162167
163-

it("infers approvers from allowFrom and direct defaultTo", () => {

168+

it("does not infer approvers from Telegram chat allowlists", () => {

164169

const cfg = buildConfig(

165170

{ enabled: true },

166171

{

@@ -169,9 +174,10 @@ describe("telegram exec approvals", () => {

169174

},

170175

);

171176
172-

expect(getTelegramExecApprovalApprovers({ cfg })).toEqual(["12345", "67890"]);

173-

expect(isTelegramExecApprovalApprover({ cfg, senderId: "12345" })).toBe(true);

174-

expect(isTelegramExecApprovalApprover({ cfg, senderId: "67890" })).toBe(true);

177+

expect(getTelegramExecApprovalApprovers({ cfg })).toEqual([]);

178+

expect(isTelegramExecApprovalClientEnabled({ cfg })).toBe(false);

179+

expect(isTelegramExecApprovalApprover({ cfg, senderId: "12345" })).toBe(false);

180+

expect(isTelegramExecApprovalApprover({ cfg, senderId: "67890" })).toBe(false);

175181

});

176182
177183

it("defaults target to dm", () => {

Original file line numberDiff line numberDiff line change

@@ -58,12 +58,9 @@ export function getTelegramExecApprovalApprovers(params: {

5858

cfg: OpenClawConfig;

5959

accountId?: string | null;

6060

}): string[] {

61-

const account = resolveTelegramAccount(params).config;

6261

return resolveApprovalApprovers({

6362

explicit: resolveTelegramExecApprovalConfig(params)?.approvers,

64-

allowFrom: account.allowFrom,

65-

extraAllowFrom: resolveTelegramOwnerApprovers(params.cfg),

66-

defaultTo: account.defaultTo ? String(account.defaultTo) : null,

63+

allowFrom: resolveTelegramOwnerApprovers(params.cfg),

6764

normalizeApprover: normalizeTelegramDirectApproverId,

6865

});

6966

}

Original file line numberDiff line numberDiff line change

@@ -15287,7 +15287,7 @@ export const GENERATED_BUNDLED_CHANNEL_CONFIG_METADATA = [

1528715287

},

1528815288

"execApprovals.approvers": {

1528915289

label: "Telegram Exec Approval Approvers",

15290-

help: "Telegram user IDs allowed to approve exec requests for this bot account. Use numeric Telegram user IDs. If you leave this unset, OpenClaw falls back to numeric owner IDs inferred from channels.telegram.allowFrom and direct-message defaultTo when possible.",

15290+

help: "Telegram user IDs allowed to approve exec requests for this bot account. Use numeric Telegram user IDs. If you leave this unset, OpenClaw falls back to numeric owner IDs inferred from commands.ownerAllowFrom when possible.",

1529115291

},

1529215292

"execApprovals.agentFilter": {

1529315293

label: "Telegram Exec Approval Agent Filter",

Original file line numberDiff line numberDiff line change

@@ -67,7 +67,7 @@ export type TelegramExecApprovalTarget = "dm" | "channel" | "both";

6767

export type TelegramExecApprovalConfig = {

6868

/** Enable mode for Telegram exec approvals on this account. Default: auto when approvers can be resolved; false disables. */

6969

enabled?: import("./types.approvals.js").NativeExecApprovalEnableMode;

70-

/** Telegram user IDs allowed to approve exec requests. Optional: falls back to numeric owner IDs inferred from allowFrom/defaultTo when possible. */

70+

/** Telegram user IDs allowed to approve exec requests. Optional: falls back to numeric owner IDs inferred from commands.ownerAllowFrom when possible. */

7171

approvers?: Array<string | number>;

7272

/** Only forward approvals for these agent IDs. Omit = all agents. */

7373

agentFilter?: string[];