惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

MyScale Blog
MyScale Blog
Microsoft Azure Blog
Microsoft Azure Blog
H
Help Net Security
N
News and Events Feed by Topic
Recent Announcements
Recent Announcements
D
Docker
M
MIT News - Artificial intelligence
L
LangChain Blog
I
InfoQ
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
P
Proofpoint News Feed
博客园_首页
MongoDB | Blog
MongoDB | Blog
美团技术团队
S
Schneier on Security
G
GRAHAM CLULEY
月光博客
月光博客
有赞技术团队
有赞技术团队
Vercel News
Vercel News
Scott Helme
Scott Helme
P
Privacy International News Feed
Last Week in AI
Last Week in AI
Recorded Future
Recorded Future
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
The Cloudflare Blog
Attack and Defense Labs
Attack and Defense Labs
Google Online Security Blog
Google Online Security Blog
Simon Willison's Weblog
Simon Willison's Weblog
量子位
S
Security @ Cisco Blogs
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
V
Visual Studio Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
NISL@THU
NISL@THU
N
Netflix TechBlog - Medium
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Spread Privacy
Spread Privacy
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
小众软件
小众软件
罗磊的独立博客
Security Archives - TechRepublic
Security Archives - TechRepublic
T
Threatpost
L
Lohrmann on Cybersecurity
www.infosecurity-magazine.com
www.infosecurity-magazine.com
S
Security Affairs
Cloudbric
Cloudbric
爱范儿
爱范儿
H
Heimdal Security Blog
PCI Perspectives
PCI Perspectives

Recent Commits to openclaw:main

test: merge chat side-result checks · openclaw/openclaw@ddd2c2a test: merge cron history checks · openclaw/openclaw@f7eb746 test: merge responsive navigation shell checks · openclaw/openclaw@c2e4b47 docs(changelog): add codex oauth fixes · openclaw/openclaw@628e6cd test: merge navigation routing cases · openclaw/openclaw@5d8cecb Tests: mock channel registry bundled fallback · openclaw/openclaw@2b08233 Secrets: avoid broad web search discovery for single plugin config · openclaw/openclaw@a464f59 test: merge config view browser checks · openclaw/openclaw@20cf511 fix(status): align oauth health with runtime · openclaw/openclaw@eed7116 feat: add macOS screen snapshots for monitor preview (#67954) thanks … · openclaw/openclaw@f377db1 fix: report shared auth scopes in hello-ok (#67810) thanks @BunsDev · openclaw/openclaw@0b6c39b Auto-reply: avoid eager bundled route fallback · openclaw/openclaw@3ea1bf4 Tests: narrow session binding contract setup · openclaw/openclaw@54e4e16 fix(macOS): enable undo/redo in webchat composer text input (#34962) · openclaw/openclaw@00951dc Tests: speed up channel setup promotion · openclaw/openclaw@82b529a Docs: refresh agent instructions · openclaw/openclaw@5775fe2 fix(auth): serialize OAuth refresh across agents to fix #26322 (#67876) · openclaw/openclaw@8e79080 test: allow ollama public surface boundary test · openclaw/openclaw@7d4f1a6 Docs: add test performance guardrails · openclaw/openclaw@89706d3 Tests: restore context-engine usage proof · openclaw/openclaw@e4c4f95 Tests: slim context engine runtime coverage · openclaw/openclaw@74c198f ci: retry failed custom checkouts · openclaw/openclaw@0ee5baf test: trim duplicate provider auth onboarding cases · openclaw/openclaw@1ffc02e matrix: fix sessions_spawn --thread subagent session spawning (#67643) · openclaw/openclaw@1ce2596 test: reduce auth choice fixture churn · openclaw/openclaw@857b9cd test: mock health status config boundaries · openclaw/openclaw@9d5ab4a test: mock onboard config io boundary · openclaw/openclaw@299694d test: mock legacy state plugin boundaries · openclaw/openclaw@2713089 test: mock channel install boundaries · openclaw/openclaw@b945248 test: mock doctor preview channel boundaries · openclaw/openclaw@b1a3ad4 test: trim doctor command hotspots · openclaw/openclaw@c66f16a test: isolate agent auth and spawn hotspots · openclaw/openclaw@9285935 test: stabilize MCP startup disposal race · openclaw/openclaw@dd9d2eb test: merge browser contract server suites · openclaw/openclaw@5817a76 test: narrow ollama provider discovery setup · openclaw/openclaw@a0d9598 build: declare qa-lab aimock runtime dependency · openclaw/openclaw@24431e5 test: speed up safe-bins exec harness · openclaw/openclaw@ee856ab test: preserve tool helpers in embedded runner mocks · openclaw/openclaw@acd86a0 refactor: move memory embeddings into provider plugins · openclaw/openclaw@77e6e4c test: reuse system-run temp fixtures · openclaw/openclaw@7e9ff0f test: trim hotspot wait overhead · openclaw/openclaw@12a59b0 Check: avoid duplicate boundary prep · openclaw/openclaw@baf11b8 test: reduce hotspot fixture overhead · openclaw/openclaw@3a59edd feat(ui): overhaul settings and slash command UX (#67819) thanks @Bun… · openclaw/openclaw@2cfb660 QA Matrix: exit cleanly on failure · openclaw/openclaw@42805d2 QA Matrix: isolate scenario coverage · openclaw/openclaw@7e659e1 Matrix: refresh crypto bootstrap state · openclaw/openclaw@94081d8 QA Lab: add provider registry · openclaw/openclaw@bb7e982 Matrix: add plugin changelog · openclaw/openclaw@4acab55 test: trim more hotspot overhead · openclaw/openclaw@f485311 test: trim remaining hotspot tests · openclaw/openclaw@6ba8626 test: narrow hotspot mocks · openclaw/openclaw@dbc8179 test: isolate gemini embedding request helpers · openclaw/openclaw@cd330f5 test: trim memory and mcp hotspots · openclaw/openclaw@fd48dfa test: slim provider registry mocks · openclaw/openclaw@2e08c77 test: harden Parallels update smoke · openclaw/openclaw@1a98090 feat: default Anthropic to Opus 4.7 · openclaw/openclaw@628b454 fix: harden node-host shell payload mutability checks · openclaw/openclaw@75c551e fix: land node-host approval binding for native binaries (#66731) (th… · openclaw/openclaw@29919bb CI: add daily schedule to CodeQL workflow (#67645) · openclaw/openclaw@69d25f5 fix(gateway): capture config hash after plugin auto-enable to prevent… · openclaw/openclaw@8c11210 fix: repair sanitized replay tool results before send (#67620) (thank… · openclaw/openclaw@c3c7a99 fix: restrict HTML timeout short-circuit to transient statuses · openclaw/openclaw@de129a6 fix: keep TUI watchdog bound to active run (#67401) (thanks @xantorres) · openclaw/openclaw@3525273 Gateway/skills: dedupe skills prefix-match + drop dead fallback on log · openclaw/openclaw@d7f489f Extensions/lmstudio: back off inference preload after consecutive fai… · openclaw/openclaw@b555214 TUI/streaming: add watchdog that resets the activity indicator after … · openclaw/openclaw@f44ab20 Agents/tool-loop: enable unknown-tool stream guard by default · openclaw/openclaw@36ed367 Gateway/skills: invalidate session skills snapshot on config write · openclaw/openclaw@b23d59a fix: classify HTML provider error pages correctly (#67642) (thanks @s… · openclaw/openclaw@e588e90 fix(skills): remove unused model-usage import (#67641) · openclaw/openclaw@55f05df docs(changelog): credit codex fix superseded PRs · openclaw/openclaw@e485f24 fix(openai-codex): normalize stale transport metadata in resolution a… · openclaw/openclaw@90801ba CI: pin Docker-related GitHub Actions (#67632) · openclaw/openclaw@f697b01 Android: modernize WebView and discovery API usage (#67627) · openclaw/openclaw@44a6e50 fix(deps): bump hono to 4.12.14 and @hono/node-server to 1.19.14 (GHS… · openclaw/openclaw@fbccc18 fix(deps): bump dompurify to 3.4.0 (#67614) · openclaw/openclaw@2c2dc00 CI: add explicit permissions to all workflow jobs (fixes code-scannin… · openclaw/openclaw@01b7516 fix: register bundled TTS providers and route overrides correctly (#6… · openclaw/openclaw@6ea3cdd fix: align host tilde paths with OS home (#62804) (thanks @stainlu) · openclaw/openclaw@ecfaf64 fix: flush creds queue before reconnect socket open (#67464) (thanks … · openclaw/openclaw@405c63f fix: strip standalone <function> tool call tags from visible text (#6… · openclaw/openclaw@78df859 fix(agents): preserve cli session metadata before transcript persist … · openclaw/openclaw@898fd04 docs(changelog): move cli transcript entry · openclaw/openclaw@c1817c6 fix(agents): normalize cli transcript api field · openclaw/openclaw@3a3fae0 docs(changelog): note cli transcript persistence · openclaw/openclaw@6c343f1 fix(agents): persist cli transcript turns · openclaw/openclaw@b8ef507 fix(msteams): harden security-sensitive flows (#65841) · openclaw/openclaw@c56b56e [Dashboard] Fix exec approval modal overflow for long command content… · openclaw/openclaw@053c5b0 Docs: remove QA changelog entry · openclaw/openclaw@7fd5771 QA: fix private runtime source loading (#67428) · openclaw/openclaw@d5933af docs(gateway): correct protocol.md schema path, hello-ok example, aut… · openclaw/openclaw@489404d CI: pin Node 22 runners to 22.18.0 · openclaw/openclaw@4ffa621 models.authStatus: normalize provider ids + tighten env-backed escape… · openclaw/openclaw@f2fdb9d Update CHANGELOG.md · openclaw/openclaw@7694a92 test(parallels): clean up npm update guard jobs · openclaw/openclaw@045ea7b Plugins: prefer scanDir override paths · openclaw/openclaw@b2974da fix(dreaming): default storage.mode to "separate" so phase blocks sto… · openclaw/openclaw@8c392f0 fix(memory-core): skip dreaming transcript ingestion via session stor… · openclaw/openclaw@a1b01f0 fix: dedupe replayed exec.finished node events (#67281) · openclaw/openclaw@5dcf526
refactor(github): share guard request helpers · openclaw/openclaw@aa479ac
vincentkoc · 2026-06-20 · via Recent Commits to openclaw:main

@@ -3,16 +3,29 @@

33

// GitHub dependency-change guard: detects dependency files, manages override

44

// comments/labels, and can autoscrub lockfile-only PR changes.

55

import { appendFile, readFile } from "node:fs/promises";

6-

import { readBoundedResponseText } from "../lib/bounded-response.mjs";

6+

import {

7+

GITHUB_API_REQUEST_TIMEOUT_MS,

8+

GITHUB_ERROR_BODY_MAX_BYTES,

9+

GITHUB_RESPONSE_BODY_MAX_BYTES,

10+

createGitHubApi,

11+

createGuardApproverChecks,

12+

guardTrustedActorCandidates,

13+

readBoundedGitHubErrorText,

14+

readBoundedGitHubJson,

15+

} from "./guard-shared.mjs";

716817

/** Marker used to identify dependency guard comments. */

918

export const dependencyChangeMarker = "<!-- openclaw:dependency-guard -->";

1019

export const dependencyGraphGuardMarker = "<!-- openclaw:dependency-graph-guard -->";

1120

export const dependencyChangedLabel = "dependencies-changed";

1221

export const allowDependenciesCommand = "/allow-dependencies-change";

13-

export const GITHUB_ERROR_BODY_MAX_BYTES = 64 * 1024;

14-

export const GITHUB_RESPONSE_BODY_MAX_BYTES = 4 * 1024 * 1024;

15-

export const GITHUB_API_REQUEST_TIMEOUT_MS = 30_000;

22+

export {

23+

GITHUB_API_REQUEST_TIMEOUT_MS,

24+

GITHUB_ERROR_BODY_MAX_BYTES,

25+

GITHUB_RESPONSE_BODY_MAX_BYTES,

26+

readBoundedGitHubErrorText,

27+

readBoundedGitHubJson,

28+

};

16291730

const maxListedFiles = 25;

1831

const autoscrubCommitMessage = "chore: remove dependency lockfile change";

@@ -445,28 +458,7 @@ function renderAutoscrubStatusLines(status) {

445458

}

446459447460

export function dependencyGuardTrustedActorCandidates({ pullRequest, event, currentHeadSha }) {

448-

const eventHeadSha = event?.pull_request?.head?.sha;

449-

const eventAfterSha = event?.after;

450-

const eventMatchesCurrentHead =

451-

Boolean(currentHeadSha) &&

452-

(eventHeadSha === currentHeadSha || eventAfterSha === currentHeadSha);

453-

if (!eventMatchesCurrentHead) {

454-

return [];

455-

}

456-

const candidates = [];

457-

const seen = new Set();

458-

for (const [source, login] of [["pull request author", pullRequest?.user?.login]]) {

459-

if (typeof login !== "string" || login.length === 0) {

460-

continue;

461-

}

462-

const normalizedLogin = login.toLowerCase();

463-

if (seen.has(normalizedLogin)) {

464-

continue;

465-

}

466-

seen.add(normalizedLogin);

467-

candidates.push({ login, source });

468-

}

469-

return candidates;

461+

return guardTrustedActorCandidates({ pullRequest, event, currentHeadSha });

470462

}

471463472464

export async function findTrustedDependencyGuardActor({ candidates, isDependencyApprover }) {

@@ -486,112 +478,12 @@ function renderManifestChangeLine(change) {

486478

return `- ${markdownCode(change.path)} changed ${change.fields.map(markdownCode).join(", ")}.`;

487479

}

488480489-

function githubErrorBodyTooLarge(maxBytes) {

490-

return new Error(`GitHub error response body exceeded ${maxBytes} bytes`);

491-

}

492-493-

function githubResponseBodyTooLarge(maxBytes) {

494-

return new Error(`GitHub response body exceeded ${maxBytes} bytes`);

495-

}

496-497-

export async function readBoundedGitHubErrorText(

498-

response,

499-

maxBytes = GITHUB_ERROR_BODY_MAX_BYTES,

500-

options = {},

501-

) {

502-

return await readBoundedResponseText(response, "GitHub error", maxBytes, {

503-

createTooLargeError: () => githubErrorBodyTooLarge(maxBytes),

504-

...options,

505-

});

506-

}

507-508-

export async function readBoundedGitHubJson(

509-

response,

510-

maxBytes = GITHUB_RESPONSE_BODY_MAX_BYTES,

511-

options = {},

512-

) {

513-

const text = await readBoundedResponseText(response, "GitHub", maxBytes, {

514-

createTooLargeError: () => githubResponseBodyTooLarge(maxBytes),

515-

...options,

516-

});

517-

return JSON.parse(text);

518-

}

519-520-

function timeoutError(path, method, timeoutMs) {

521-

return new Error(`GitHub API ${method} ${path} exceeded timeout ${timeoutMs}ms`);

522-

}

523-524-

function combineAbortSignals(signals) {

525-

const activeSignals = signals.filter(Boolean);

526-

if (activeSignals.length === 0) {

527-

return undefined;

528-

}

529-

if (activeSignals.length === 1) {

530-

return activeSignals[0];

531-

}

532-

return AbortSignal.any(activeSignals);

533-

}

534-535481

export function githubApi(token, options = {}) {

536-

const fetchImpl = options.fetchImpl ?? fetch;

537-

const timeoutMs = options.timeoutMs ?? GITHUB_API_REQUEST_TIMEOUT_MS;

538-

const responseMaxBodyBytes = options.responseMaxBodyBytes ?? GITHUB_RESPONSE_BODY_MAX_BYTES;

539-

const baseHeaders = {

540-

accept: "application/vnd.github+json",

541-

authorization: `Bearer ${token}`,

542-

"user-agent": "openclaw-dependency-guard",

543-

"x-github-api-version": "2022-11-28",

544-

};

545-

const request = async (path, requestOptions = {}) => {

546-

const method = requestOptions.method ?? "GET";

547-

const timeoutController = new AbortController();

548-

let timeout;

549-

const timeoutPromise = new Promise((_, reject) => {

550-

timeout = setTimeout(() => {

551-

timeoutController.abort();

552-

reject(timeoutError(path, method, timeoutMs));

553-

}, timeoutMs);

554-

timeout.unref?.();

555-

});

556-

const operationPromise = (async () => {

557-

const response = await fetchImpl(`https://api.github.com${path}`, {

558-

...requestOptions,

559-

signal: combineAbortSignals([requestOptions.signal, timeoutController.signal]),

560-

headers: { ...baseHeaders, ...requestOptions.headers },

561-

});

562-

if (response.status === 204) {

563-

return null;

564-

}

565-

if (!response.ok) {

566-

let errorText;

567-

try {

568-

errorText = await readBoundedGitHubErrorText(response, GITHUB_ERROR_BODY_MAX_BYTES, {

569-

signal: timeoutController.signal,

570-

timeoutPromise,

571-

});

572-

} catch (bodyError) {

573-

errorText = bodyError instanceof Error ? bodyError.message : String(bodyError);

574-

}

575-

const error = new Error(`${response.status} ${response.statusText}: ${errorText}`);

576-

error.status = response.status;

577-

throw error;

578-

}

579-

return await readBoundedGitHubJson(response, responseMaxBodyBytes, {

580-

signal: timeoutController.signal,

581-

timeoutPromise,

582-

});

583-

})();

584-

operationPromise.catch(() => {});

585-

try {

586-

return await Promise.race([operationPromise, timeoutPromise]);

587-

} finally {

588-

clearTimeout(timeout);

589-

}

590-

};

482+

const api = createGitHubApi(token, { ...options, userAgent: "openclaw-dependency-guard" });

591483

return {

592-

request,

484+

...api,

593485

graphql: async (query, variables) => {

594-

const result = await request("/graphql", {

486+

const result = await api.request("/graphql", {

595487

method: "POST",

596488

headers: { "content-type": "application/json" },

597489

body: JSON.stringify({ query, variables }),

@@ -609,7 +501,7 @@ export function githubApi(token, options = {}) {

609501

const items = [];

610502

for (let page = 1; ; page += 1) {

611503

const separator = path.includes("?") ? "&" : "?";

612-

const pageItems = await request(`${path}${separator}per_page=100&page=${page}`);

504+

const pageItems = await api.request(`${path}${separator}per_page=100&page=${page}`);

613505

items.push(...pageItems);

614506

if (pageItems.length < 100) {

615507

return items;

@@ -925,51 +817,13 @@ async function main() {

925817

return;

926818

}

927819928-

const membershipCache = new Map();

929-

const permissionCache = new Map();

930-

const isSecurityMember = async (login) => {

931-

const normalizedLogin = login.toLowerCase();

932-

if (explicitSecurityApprovers.has(normalizedLogin)) {

933-

return true;

934-

}

935-

if (membershipCache.has(normalizedLogin)) {

936-

return membershipCache.get(normalizedLogin);

937-

}

938-

try {

939-

const membership = await api.request(

940-

`/orgs/${owner}/teams/${securityTeamSlug}/memberships/${encodeURIComponent(login)}`,

941-

);

942-

const allowed = membership?.state === "active";

943-

membershipCache.set(normalizedLogin, allowed);

944-

return allowed;

945-

} catch (error) {

946-

if (error?.status !== 404) {

947-

console.warn(`Could not verify ${login} against ${securityTeamSlug}: ${error.message}`);

948-

}

949-

membershipCache.set(normalizedLogin, false);

950-

return false;

951-

}

952-

};

953-

const isRepositoryAdmin = async (login) => {

954-

const normalizedLogin = login.toLowerCase();

955-

if (permissionCache.has(normalizedLogin)) {

956-

return permissionCache.get(normalizedLogin);

957-

}

958-

try {

959-

const result = await api.request(

960-

`/repos/${owner}/${repo}/collaborators/${encodeURIComponent(login)}/permission`,

961-

);

962-

const allowed = result?.permission === "admin";

963-

permissionCache.set(normalizedLogin, allowed);

964-

return allowed;

965-

} catch (error) {

966-

if (error?.status !== 404) {

967-

console.warn(`Could not verify repository permission for ${login}: ${error.message}`);

968-

}

969-

permissionCache.set(normalizedLogin, false);

970-

return false;

971-

}

972-

};

820+

const { isSecurityMember, isRepositoryAdmin } = createGuardApproverChecks({

821+

api,

822+

owner,

823+

repo,

824+

securityTeamSlug,

825+

explicitSecurityApprovers,

826+

});

973827

const isDependencyApprover = async (login) => {

974828

if (await isSecurityMember(login)) {

975829

return securityTeamSlug;