惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threatpost
aimingoo的专栏
aimingoo的专栏
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
Tailwind CSS Blog
J
Java Code Geeks
博客园_首页
Google Online Security Blog
Google Online Security Blog
Hugging Face - Blog
Hugging Face - Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
I
Intezer
P
Palo Alto Networks Blog
V
Vulnerabilities – Threatpost
雷峰网
雷峰网
O
OpenAI News
SecWiki News
SecWiki News
小众软件
小众软件
酷 壳 – CoolShell
酷 壳 – CoolShell
美团技术团队
N
News | PayPal Newsroom
Project Zero
Project Zero
Forbes - Security
Forbes - Security
IT之家
IT之家
A
Arctic Wolf
WordPress大学
WordPress大学
Jina AI
Jina AI
T
Tor Project blog
博客园 - 三生石上(FineUI控件)
S
Secure Thoughts
Google DeepMind News
Google DeepMind News
Attack and Defense Labs
Attack and Defense Labs
博客园 - 聂微东
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
P
Privacy International News Feed
Cloudbric
Cloudbric
G
GRAHAM CLULEY
博客园 - 叶小钗
H
Hacker News: Front Page
腾讯CDC
量子位
Help Net Security
Help Net Security
人人都是产品经理
人人都是产品经理
C
Cyber Attacks, Cyber Crime and Cyber Security
月光博客
月光博客
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
宝玉的分享
宝玉的分享
爱范儿
爱范儿
L
Lohrmann on Cybersecurity
Hacker News - Newest:
Hacker News - Newest: "LLM"
Recorded Future
Recorded Future
C
CERT Recently Published Vulnerability Notes

Recent Commits to openclaw:main

test: merge chat side-result checks · openclaw/openclaw@ddd2c2a test: merge cron history checks · openclaw/openclaw@f7eb746 test: merge responsive navigation shell checks · openclaw/openclaw@c2e4b47 docs(changelog): add codex oauth fixes · openclaw/openclaw@628e6cd test: merge navigation routing cases · openclaw/openclaw@5d8cecb Tests: mock channel registry bundled fallback · openclaw/openclaw@2b08233 Secrets: avoid broad web search discovery for single plugin config · openclaw/openclaw@a464f59 test: merge config view browser checks · openclaw/openclaw@20cf511 fix(status): align oauth health with runtime · openclaw/openclaw@eed7116 feat: add macOS screen snapshots for monitor preview (#67954) thanks … · openclaw/openclaw@f377db1 fix: report shared auth scopes in hello-ok (#67810) thanks @BunsDev · openclaw/openclaw@0b6c39b Auto-reply: avoid eager bundled route fallback · openclaw/openclaw@3ea1bf4 Tests: narrow session binding contract setup · openclaw/openclaw@54e4e16 fix(macOS): enable undo/redo in webchat composer text input (#34962) · openclaw/openclaw@00951dc Tests: speed up channel setup promotion · openclaw/openclaw@82b529a Docs: refresh agent instructions · openclaw/openclaw@5775fe2 fix(auth): serialize OAuth refresh across agents to fix #26322 (#67876) · openclaw/openclaw@8e79080 test: allow ollama public surface boundary test · openclaw/openclaw@7d4f1a6 Docs: add test performance guardrails · openclaw/openclaw@89706d3 Tests: restore context-engine usage proof · openclaw/openclaw@e4c4f95 Tests: slim context engine runtime coverage · openclaw/openclaw@74c198f ci: retry failed custom checkouts · openclaw/openclaw@0ee5baf test: trim duplicate provider auth onboarding cases · openclaw/openclaw@1ffc02e matrix: fix sessions_spawn --thread subagent session spawning (#67643) · openclaw/openclaw@1ce2596 test: reduce auth choice fixture churn · openclaw/openclaw@857b9cd test: mock health status config boundaries · openclaw/openclaw@9d5ab4a test: mock onboard config io boundary · openclaw/openclaw@299694d test: mock legacy state plugin boundaries · openclaw/openclaw@2713089 test: mock channel install boundaries · openclaw/openclaw@b945248 test: mock doctor preview channel boundaries · openclaw/openclaw@b1a3ad4 test: trim doctor command hotspots · openclaw/openclaw@c66f16a test: isolate agent auth and spawn hotspots · openclaw/openclaw@9285935 test: stabilize MCP startup disposal race · openclaw/openclaw@dd9d2eb test: merge browser contract server suites · openclaw/openclaw@5817a76 test: narrow ollama provider discovery setup · openclaw/openclaw@a0d9598 build: declare qa-lab aimock runtime dependency · openclaw/openclaw@24431e5 test: speed up safe-bins exec harness · openclaw/openclaw@ee856ab test: preserve tool helpers in embedded runner mocks · openclaw/openclaw@acd86a0 refactor: move memory embeddings into provider plugins · openclaw/openclaw@77e6e4c test: reuse system-run temp fixtures · openclaw/openclaw@7e9ff0f test: trim hotspot wait overhead · openclaw/openclaw@12a59b0 Check: avoid duplicate boundary prep · openclaw/openclaw@baf11b8 test: reduce hotspot fixture overhead · openclaw/openclaw@3a59edd feat(ui): overhaul settings and slash command UX (#67819) thanks @Bun… · openclaw/openclaw@2cfb660 QA Matrix: exit cleanly on failure · openclaw/openclaw@42805d2 QA Matrix: isolate scenario coverage · openclaw/openclaw@7e659e1 Matrix: refresh crypto bootstrap state · openclaw/openclaw@94081d8 QA Lab: add provider registry · openclaw/openclaw@bb7e982 Matrix: add plugin changelog · openclaw/openclaw@4acab55 test: trim more hotspot overhead · openclaw/openclaw@f485311 test: trim remaining hotspot tests · openclaw/openclaw@6ba8626 test: narrow hotspot mocks · openclaw/openclaw@dbc8179 test: isolate gemini embedding request helpers · openclaw/openclaw@cd330f5 test: trim memory and mcp hotspots · openclaw/openclaw@fd48dfa test: slim provider registry mocks · openclaw/openclaw@2e08c77 test: harden Parallels update smoke · openclaw/openclaw@1a98090 feat: default Anthropic to Opus 4.7 · openclaw/openclaw@628b454 fix: harden node-host shell payload mutability checks · openclaw/openclaw@75c551e fix: land node-host approval binding for native binaries (#66731) (th… · openclaw/openclaw@29919bb CI: add daily schedule to CodeQL workflow (#67645) · openclaw/openclaw@69d25f5 fix(gateway): capture config hash after plugin auto-enable to prevent… · openclaw/openclaw@8c11210 fix: repair sanitized replay tool results before send (#67620) (thank… · openclaw/openclaw@c3c7a99 fix: restrict HTML timeout short-circuit to transient statuses · openclaw/openclaw@de129a6 fix: keep TUI watchdog bound to active run (#67401) (thanks @xantorres) · openclaw/openclaw@3525273 Gateway/skills: dedupe skills prefix-match + drop dead fallback on log · openclaw/openclaw@d7f489f Extensions/lmstudio: back off inference preload after consecutive fai… · openclaw/openclaw@b555214 TUI/streaming: add watchdog that resets the activity indicator after … · openclaw/openclaw@f44ab20 Agents/tool-loop: enable unknown-tool stream guard by default · openclaw/openclaw@36ed367 Gateway/skills: invalidate session skills snapshot on config write · openclaw/openclaw@b23d59a fix: classify HTML provider error pages correctly (#67642) (thanks @s… · openclaw/openclaw@e588e90 fix(skills): remove unused model-usage import (#67641) · openclaw/openclaw@55f05df docs(changelog): credit codex fix superseded PRs · openclaw/openclaw@e485f24 fix(openai-codex): normalize stale transport metadata in resolution a… · openclaw/openclaw@90801ba CI: pin Docker-related GitHub Actions (#67632) · openclaw/openclaw@f697b01 Android: modernize WebView and discovery API usage (#67627) · openclaw/openclaw@44a6e50 fix(deps): bump hono to 4.12.14 and @hono/node-server to 1.19.14 (GHS… · openclaw/openclaw@fbccc18 fix(deps): bump dompurify to 3.4.0 (#67614) · openclaw/openclaw@2c2dc00 CI: add explicit permissions to all workflow jobs (fixes code-scannin… · openclaw/openclaw@01b7516 fix: register bundled TTS providers and route overrides correctly (#6… · openclaw/openclaw@6ea3cdd fix: align host tilde paths with OS home (#62804) (thanks @stainlu) · openclaw/openclaw@ecfaf64 fix: flush creds queue before reconnect socket open (#67464) (thanks … · openclaw/openclaw@405c63f fix: strip standalone <function> tool call tags from visible text (#6… · openclaw/openclaw@78df859 fix(agents): preserve cli session metadata before transcript persist … · openclaw/openclaw@898fd04 docs(changelog): move cli transcript entry · openclaw/openclaw@c1817c6 fix(agents): normalize cli transcript api field · openclaw/openclaw@3a3fae0 docs(changelog): note cli transcript persistence · openclaw/openclaw@6c343f1 fix(agents): persist cli transcript turns · openclaw/openclaw@b8ef507 fix(msteams): harden security-sensitive flows (#65841) · openclaw/openclaw@c56b56e [Dashboard] Fix exec approval modal overflow for long command content… · openclaw/openclaw@053c5b0 Docs: remove QA changelog entry · openclaw/openclaw@7fd5771 QA: fix private runtime source loading (#67428) · openclaw/openclaw@d5933af docs(gateway): correct protocol.md schema path, hello-ok example, aut… · openclaw/openclaw@489404d CI: pin Node 22 runners to 22.18.0 · openclaw/openclaw@4ffa621 models.authStatus: normalize provider ids + tighten env-backed escape… · openclaw/openclaw@f2fdb9d Update CHANGELOG.md · openclaw/openclaw@7694a92 test(parallels): clean up npm update guard jobs · openclaw/openclaw@045ea7b Plugins: prefer scanDir override paths · openclaw/openclaw@b2974da fix(dreaming): default storage.mode to "separate" so phase blocks sto… · openclaw/openclaw@8c392f0 fix(memory-core): skip dreaming transcript ingestion via session stor… · openclaw/openclaw@a1b01f0 fix: dedupe replayed exec.finished node events (#67281) · openclaw/openclaw@5dcf526
fix(voice-call): make webhook replays token-safe · openclaw/openclaw@cd0b692
clawsweeper · 2026-05-29 · via Recent Commits to openclaw:main

@@ -8,7 +8,8 @@ import {

88

} from "./config.js";

99

import type { CallManager } from "./manager.js";

1010

import type { VoiceCallProvider } from "./providers/base.js";

11-

import type { TwilioProvider } from "./providers/twilio.js";

11+

import { PlivoProvider } from "./providers/plivo.js";

12+

import { TwilioProvider } from "./providers/twilio.js";

1213

import type { CallRecord, NormalizedEvent } from "./types.js";

1314

import { VoiceCallWebhookServer } from "./webhook.js";

1415

import type { RealtimeCallHandler } from "./webhook/realtime-handler.js";

@@ -159,6 +160,21 @@ function expectWebhookUrl(url: string, expectedPath: string) {

159160

expect(parsed.port).not.toBe("0");

160161

}

161162163+

function expectNoTwilioStreamState(provider: TwilioProvider) {

164+

const state = provider as unknown as {

165+

streamAuthTokens: Map<string, string>;

166+

activeStreamCalls: Set<string>;

167+

};

168+

expect(state.streamAuthTokens.size).toBe(0);

169+

expect(state.activeStreamCalls.size).toBe(0);

170+

}

171+172+

async function expectTwilioReplayTwiML(response: Response) {

173+

expect(response.status).toBe(200);

174+

expect(response.headers.get("content-type")).toContain("text/xml");

175+

expect(await response.text()).toBe('<?xml version="1.0" encoding="UTF-8"?><Response></Response>');

176+

}

177+162178

function createTwilioVerificationProvider(

163179

overrides: Partial<TwilioProviderTestDouble> = {},

164180

): VoiceCallProvider {

@@ -686,24 +702,25 @@ describe("VoiceCallWebhookServer path matching", () => {

686702687703

describe("VoiceCallWebhookServer replay handling", () => {

688704

it("acknowledges replayed webhook requests and skips event side effects", async () => {

705+

const parseWebhookEvent = vi.fn(() => ({

706+

events: [

707+

{

708+

id: "evt-replay",

709+

dedupeKey: "stable-replay",

710+

type: "call.speech" as const,

711+

callId: "call-1",

712+

providerCallId: "provider-call-1",

713+

timestamp: Date.now(),

714+

transcript: "hello",

715+

isFinal: true,

716+

},

717+

],

718+

statusCode: 200,

719+

}));

689720

const replayProvider: VoiceCallProvider = {

690721

...provider,

691722

verifyWebhook: () => ({ ok: true, isReplay: true, verifiedRequestKey: "mock:req:replay" }),

692-

parseWebhookEvent: () => ({

693-

events: [

694-

{

695-

id: "evt-replay",

696-

dedupeKey: "stable-replay",

697-

type: "call.speech",

698-

callId: "call-1",

699-

providerCallId: "provider-call-1",

700-

timestamp: Date.now(),

701-

transcript: "hello",

702-

isFinal: true,

703-

},

704-

],

705-

statusCode: 200,

706-

}),

723+

parseWebhookEvent,

707724

};

708725

const { manager, processEvent } = createManager([]);

709726

const config = createConfig({ serve: { port: 0, bind: "127.0.0.1", path: "/voice/webhook" } });

@@ -714,14 +731,81 @@ describe("VoiceCallWebhookServer replay handling", () => {

714731

const response = await postWebhookForm(server, baseUrl, "CallSid=CA123&SpeechResult=hello");

715732716733

expect(response.status).toBe(200);

734+

expect(await response.text()).toBe("OK");

735+

expect(parseWebhookEvent).toHaveBeenCalledTimes(1);

736+

expect(processEvent).not.toHaveBeenCalled();

737+

} finally {

738+

await server.stop();

739+

}

740+

});

741+742+

it("returns Plivo XML for replayed answer callbacks while skipping event side effects", async () => {

743+

const plivoProvider = new PlivoProvider(

744+

{

745+

authId: "MA000000000000000000",

746+

authToken: "test-token",

747+

},

748+

{ skipVerification: true },

749+

);

750+

const parseWebhookEvent = vi.spyOn(plivoProvider, "parseWebhookEvent");

751+

const { manager, processEvent } = createManager([]);

752+

const config = createConfig({

753+

provider: "plivo",

754+

skipSignatureVerification: true,

755+

plivo: {

756+

authId: "MA000000000000000000",

757+

authToken: "test-token",

758+

},

759+

});

760+

const server = new VoiceCallWebhookServer(config, manager, plivoProvider);

761+762+

try {

763+

const baseUrl = await server.start();

764+

const requestUrl = requireBoundRequestUrl(server, baseUrl);

765+

requestUrl.searchParams.set("provider", "plivo");

766+

requestUrl.searchParams.set("flow", "answer");

767+

requestUrl.searchParams.set("callId", "internal-call-id");

768+

const body =

769+

"CallUUID=plivo-replay-answer-callback&CallStatus=in-progress&Direction=outbound&From=%2B15550000000&To=%2B15550000001&Event=StartApp";

770+771+

const first = await fetch(requestUrl.toString(), {

772+

method: "POST",

773+

headers: { "content-type": "application/x-www-form-urlencoded" },

774+

body,

775+

});

776+

expect(first.status).toBe(200);

777+

expect(first.headers.get("content-type")).toContain("text/xml");

778+

expect(await first.text()).toContain("<Wait");

779+

expect(parseWebhookEvent).toHaveBeenCalledTimes(1);

780+

expect(processEvent).toHaveBeenCalledTimes(1);

781+782+

parseWebhookEvent.mockClear();

783+

processEvent.mockClear();

784+785+

const replay = await fetch(requestUrl.toString(), {

786+

method: "POST",

787+

headers: { "content-type": "application/x-www-form-urlencoded" },

788+

body,

789+

});

790+791+

expect(replay.status).toBe(200);

792+

expect(replay.headers.get("content-type")).toContain("text/xml");

793+

expect(await replay.text()).toContain("<Wait");

794+

expect(parseWebhookEvent).not.toHaveBeenCalled();

717795

expect(processEvent).not.toHaveBeenCalled();

718796

} finally {

797+

parseWebhookEvent.mockRestore();

719798

await server.stop();

720799

}

721800

});

722801723-

it("returns realtime TwiML for replayed inbound twilio webhooks", async () => {

802+

it("does not return realtime TwiML for replayed inbound twilio webhooks", async () => {

724803

const parseWebhookEvent = vi.fn(() => ({ events: [], statusCode: 200 }));

804+

const buildTwiMLPayload = vi.fn(() => ({

805+

statusCode: 200,

806+

headers: { "Content-Type": "text/xml" },

807+

body: '<Response><Connect><Stream url="wss://example.test/voice/stream/realtime/token" /></Connect></Response>',

808+

}));

725809

const twilioProvider: VoiceCallProvider = {

726810

...provider,

727811

name: "twilio",

@@ -743,11 +827,7 @@ describe("VoiceCallWebhookServer replay handling", () => {

743827

});

744828

const server = new VoiceCallWebhookServer(config, manager, twilioProvider);

745829

server.setRealtimeHandler({

746-

buildTwiMLPayload: () => ({

747-

statusCode: 200,

748-

headers: { "Content-Type": "text/xml" },

749-

body: '<Response><Connect><Stream url="wss://example.test/voice/stream/realtime/token" /></Connect></Response>',

750-

}),

830+

buildTwiMLPayload,

751831

getStreamPathPattern: () => "/voice/stream/realtime",

752832

handleWebSocketUpgrade: () => {},

753833

registerToolHandler: () => {},

@@ -763,8 +843,8 @@ describe("VoiceCallWebhookServer replay handling", () => {

763843

{ "x-twilio-signature": "sig" },

764844

);

765845766-

expect(response.status).toBe(200);

767-

expect(await response.text()).toContain("<Connect><Stream");

846+

await expectTwilioReplayTwiML(response);

847+

expect(buildTwiMLPayload).not.toHaveBeenCalled();

768848

expect(parseWebhookEvent).not.toHaveBeenCalled();

769849

expect(processEvent).not.toHaveBeenCalled();

770850

} finally {

@@ -829,6 +909,127 @@ describe("VoiceCallWebhookServer replay handling", () => {

829909

},

830910

);

831911912+

it.each(["outbound-api", "outbound-dial"] as const)(

913+

"does not return realtime TwiML for replayed %s twilio TwiML fetches",

914+

async (direction) => {

915+

const parseWebhookEvent = vi.fn(() => ({ events: [], statusCode: 200 }));

916+

const buildTwiMLPayload = vi.fn(() => ({

917+

statusCode: 200,

918+

headers: { "Content-Type": "text/xml" },

919+

body: '<Response><Connect><Stream url="wss://example.test/voice/stream/realtime/token" /></Connect></Response>',

920+

}));

921+

const twilioProvider: VoiceCallProvider = {

922+

...provider,

923+

name: "twilio",

924+

verifyWebhook: () => ({

925+

ok: true,

926+

isReplay: true,

927+

verifiedRequestKey: "twilio:req:rt-outbound-replay",

928+

}),

929+

parseWebhookEvent,

930+

};

931+

const { manager, processEvent } = createManager([]);

932+

const config = createConfig({

933+

provider: "twilio",

934+

inboundPolicy: "disabled",

935+

realtime: {

936+

enabled: true,

937+

streamPath: "/voice/stream/realtime",

938+

instructions: "Be helpful.",

939+

toolPolicy: "safe-read-only",

940+

tools: [],

941+

providers: {},

942+

},

943+

});

944+

const server = new VoiceCallWebhookServer(config, manager, twilioProvider);

945+

server.setRealtimeHandler({

946+

buildTwiMLPayload,

947+

getStreamPathPattern: () => "/voice/stream/realtime",

948+

handleWebSocketUpgrade: () => {},

949+

registerToolHandler: () => {},

950+

setPublicUrl: () => {},

951+

} as unknown as RealtimeCallHandler);

952+953+

try {

954+

const baseUrl = await server.start();

955+

const response = await postWebhookFormWithHeaders(

956+

server,

957+

baseUrl,

958+

`CallSid=CA123&Direction=${direction}&CallStatus=in-progress&From=%2B15550001111&To=%2B15550002222`,

959+

{ "x-twilio-signature": "sig" },

960+

);

961+962+

await expectTwilioReplayTwiML(response);

963+

expect(buildTwiMLPayload).not.toHaveBeenCalled();

964+

expect(parseWebhookEvent).not.toHaveBeenCalled();

965+

expect(processEvent).not.toHaveBeenCalled();

966+

} finally {

967+

await server.stop();

968+

}

969+

},

970+

);

971+972+

it("does not let real Twilio provider parsing mint stream state for replayed realtime requests", async () => {

973+

const twilioProvider = new TwilioProvider(

974+

{ accountSid: "AC123", authToken: "secret" },

975+

{

976+

publicUrl: "https://example.test",

977+

streamPath: "/voice/stream/realtime",

978+

skipVerification: true,

979+

},

980+

);

981+

const parseWebhookEvent = vi.spyOn(twilioProvider, "parseWebhookEvent");

982+

const buildTwiMLPayload = vi.fn(() => ({

983+

statusCode: 200,

984+

headers: { "Content-Type": "text/xml" },

985+

body: '<Response><Connect><Stream url="wss://example.test/voice/stream/realtime/server-token" /></Connect></Response>',

986+

}));

987+

const { manager, processEvent } = createManager([]);

988+

const config = createConfig({

989+

provider: "twilio",

990+

inboundPolicy: "open",

991+

realtime: {

992+

enabled: true,

993+

streamPath: "/voice/stream/realtime",

994+

instructions: "Be helpful.",

995+

toolPolicy: "safe-read-only",

996+

tools: [],

997+

providers: {},

998+

},

999+

});

1000+

const server = new VoiceCallWebhookServer(config, manager, twilioProvider);

1001+

server.setRealtimeHandler({

1002+

buildTwiMLPayload,

1003+

getStreamPathPattern: () => "/voice/stream/realtime",

1004+

handleWebSocketUpgrade: () => {},

1005+

registerToolHandler: () => {},

1006+

setPublicUrl: () => {},

1007+

} as unknown as RealtimeCallHandler);

1008+1009+

try {

1010+

const baseUrl = await server.start();

1011+

const body = "CallSid=CAREALREPLAY1&Direction=inbound&CallStatus=ringing";

1012+

const first = await postWebhookFormWithHeaders(server, baseUrl, body, {

1013+

"x-twilio-signature": "sig",

1014+

});

1015+

const replay = await postWebhookFormWithHeaders(server, baseUrl, body, {

1016+

"x-twilio-signature": "sig",

1017+

});

1018+1019+

expect(first.status).toBe(200);

1020+

const firstBody = await first.text();

1021+

expect(firstBody).toContain("server-token");

1022+

await expectTwilioReplayTwiML(replay);

1023+

expect(buildTwiMLPayload).toHaveBeenCalledTimes(1);

1024+

expect(parseWebhookEvent).not.toHaveBeenCalled();

1025+

expectNoTwilioStreamState(twilioProvider);

1026+

expect(processEvent).not.toHaveBeenCalled();

1027+

} finally {

1028+

parseWebhookEvent.mockRestore();

1029+

await server.stop();

1030+

}

1031+

});

1032+8321033

it("serves initial provider TwiML before the realtime shortcut", async () => {

8331034

const parseWebhookEvent = vi.fn(() => ({ events: [], statusCode: 200 }));

8341035

const consumeInitialTwiML = vi.fn(