Commit Graph

9 Commits

Author SHA1 Message Date
Luan Vu a7f5acc1e3 fix(security): harden SQL injection, MCP prompt injection, sandbox fallback, and file serving (#246)
- execMapUpdate: validate column names with strict regex to prevent SQL injection
- HTTP update handlers: add field allowlists (agents, providers, custom_tools, mcp, channel_instances)
- pqStringArray: properly escape array elements to prevent PostgreSQL array literal injection
- scanStringArray: handle quoted elements in PostgreSQL array format
- MCP bridge: wrap tool results as external/untrusted content to prevent prompt injection
- File serving: block access to sensitive system directories (/etc, /proc, /sys, etc.)
- Sandbox: fail closed when Docker unavailable instead of silent fallback to host
- Shell deny: fix base64 --decode bypass, add host exec 1MB output limit
- ILIKE queries: escape % and _ wildcards in knowledge_graph, custom_tools, channel_instances

Co-authored-by: Luvu182 <208665161+Luvu182@users.noreply.github.com>
2026-03-18 07:42:38 +07:00
Goon 75c570e951 feat(security): credentialed exec + HTTP RBAC + API key cache (#197)
- Secure CLI credential injection via AES-256-GCM encrypted env vars
- API key management with fine-grained RBAC scopes
- resolveAuth/requireAuth middleware across all 25+ HTTP handlers
- In-memory API key cache with TTL, negative caching, pubsub invalidation
- Sandbox-first execution (fails if unavailable, no silent fallback)
- Credential scrubbing, constant-time token comparison, Admin-only CLI creds
- SQL migration 000020: secure_cli_binaries + api_keys tables
- 14 unit tests for cache and RBAC with race detector

Closes #197
2026-03-15 20:13:18 +07:00
viettranx 28fab9507a feat(storage): add lazy folder loading, SSE size endpoint, and enhanced file viewer
- Backend: depth-limited WalkDir (max 3 levels default) with on-demand subtree loading
- Backend: new GET /v1/storage/size SSE endpoint with 60min in-memory cache
- Backend: raw binary file serving (?raw=true) with MIME detection and download support
- Frontend: lazy tree expansion with loading spinners for deep folders
- Frontend: streaming size display with cache info tooltip
- Frontend: image viewer (blob URL), unsupported file UI, download button, colored size badges
- Frontend: file-type icons for 13 categories (md, json, yaml, images, video, etc.)
- Fix sidebar connection status text overflow on collapse
- Apply go fix modernization (interface{} → any) across http handlers
2026-03-14 18:13:52 +07:00
viettranx 9115169c03 feat: expand audit logging via pub/sub event pattern
Replace direct ActivityStore injection with an event-driven audit system.
Handlers emit audit events via msgBus.Broadcast(); a single subscriber
with a buffered channel persists them to the activity_logs table.

Coverage expanded from 3 agent CRUD actions to ~65 audit points across
all HTTP handlers and WebSocket RPC methods including agents, providers,
skills, MCP servers, cron, sessions, teams, pairing, and more.
2026-03-12 18:34:56 +07:00
viettranx 344e2ac7d1 feat(i18n): add full i18n support for backend and web UI
- Add i18next + react-i18next with namespace-split locale files (27 namespaces x 3 languages)
- Add language switcher in topbar (EN/VI/ZH) with localStorage persistence
- Replace hardcoded strings in 160+ React components with t() translations
- Add Go message catalog (internal/i18n) with T(locale, key, args...) function
- Replace 81 hardcoded error strings in gateway methods and HTTP handlers
- Add locale context propagation: WS connect param + HTTP Accept-Language header
- Keep technical terms in English: Agent, Session, Channel, Provider, Skill, Team, MCP, Cron
- Update CLAUDE.md and review-pr skill with i18n compliance checks
2026-03-09 22:22:42 +07:00
Viet Tran 6895e369f6 refactor: remove standalone mode, consolidate to managed-only (PostgreSQL) (#70)
- Remove standalone mode code: file-based stores, standalone gateway,
  heartbeat service, SQLite memory, standalone docker-compose
- Rename docker-compose.managed.yml → docker-compose.postgres.yml
- Clean up ~130 Go comments referencing "managed mode" qualifier
- Simplify docker-compose.yml env vars (providers/channels via web UI)
- Update .env.example to essential vars only (token + encryption key)
- Add setup wizard UI (provider → agent → channel bootstrap flow)
- Add logs.tail WebSocket handler for live log streaming
- Add cursor-pointer to interactive UI components
- Clean up config page (remove standalone-only sections)
- Update README and docs for managed-only architecture
2026-03-06 18:51:11 +07:00
viettranx 813c602bca feat(ui): migrate to TanStack Query, add server-side pagination, and improve error handling
- Add @tanstack/react-query with shared cache and centralized query keys
- Migrate all 14 CRUD hooks from manual useState/useCallback to useQuery/useMutation
- Add WS event-driven query invalidation (sessions, traces auto-refresh on run completion)
- Consolidate LlmConfigSection to delegate provider/model UI to ProviderModelSelect
- Add server-side pagination for custom-tools and channel-instances (Go store + HTTP handler)
- Extract shared types into dedicated files (provider, custom-tool, mcp, channel, skill, trace)
- Add network error handling in HTTP client and connectivity check on login
- Add disconnect banner in app layout when gateway connection is lost

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-28 16:25:59 +07:00
viettranx dfd91556f8 feat: Introduce agent teams, agent linking, and advanced agent orchestration features.
2026-02-25 23:24:52 +07:00
Viet Tran f3f4c67b36 Initial commit: GoClaw AI agent gateway
Multi-agent AI gateway with WebSocket RPC, HTTP API, and messaging channel integrations.
Go port of OpenClaw with multi-tenant PostgreSQL, per-user isolation, security hardening,
and production observability.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-22 14:58:07 +07:00