…200)
* feat(gateway): deprecate query param hook token auth for security
Query parameter tokens appear in:
- Server access logs
- Browser history
- Referrer headers
- Network monitoring tools
This change adds a deprecation warning when tokens are provided via
query parameter, encouraging migration to header-based authentication
(Authorization: Bearer <token> or X-Clawdbot-Token header).
Changes:
- Modified extractHookToken to return { token, fromQuery } object
- Added deprecation warning in server-http.ts when fromQuery is true
- Updated tests to verify the new return type and fromQuery flag
Fixes #2148
Co-Authored-By: Claude <noreply@anthropic.com>
* fix: deprecate hook query token auth (#2200) (thanks @YuriNachos)
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
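The header-first lookup and query-string deprecation warning described in this commit, as an added example that is not the project's code. The `token` query parameter name, the header precedence, the `/hooks/example` path used in testing and every helper name other than `extractHookToken` are assumptions.

```typescript
// Added illustration; not taken from the repository.
type HookHeaders = Record<string, string | string[] | undefined>;

interface HookToken {
  token: string | undefined;
  fromQuery: boolean; // true only when the token came from the URL
}

function firstValue(v: string | string[] | undefined): string | undefined {
  return Array.isArray(v) ? v[0] : v;
}

// Prefer headers; fall back to the query string and flag that fallback.
function extractHookToken(headers: HookHeaders, rawUrl: string): HookToken {
  const auth = firstValue(headers["authorization"]);
  const bearer = auth ? /^Bearer\s+(\S+)$/i.exec(auth.trim()) : null;
  if (bearer) return { token: bearer[1], fromQuery: false };

  const custom = firstValue(headers["x-clawdbot-token"])?.trim();
  if (custom) return { token: custom, fromQuery: false };

  // Assumption: the query parameter is named "token".
  const url = new URL(rawUrl, "http://localhost");
  const fromUrl = url.searchParams.get("token")?.trim();
  return fromUrl
    ? { token: fromUrl, fromQuery: true }
    : { token: undefined, fromQuery: false };
}

// Mask the token before the URL reaches any log line, so the warning
// itself does not repeat the leak it is warning about.
function redactUrlForLog(rawUrl: string): string {
  const url = new URL(rawUrl, "http://localhost");
  if (url.searchParams.has("token")) url.searchParams.set("token", "REDACTED");
  return url.pathname + url.search;
}

// Hypothetical handler step: authenticate as before, but warn on query use.
function resolveHookToken(
  headers: HookHeaders,
  rawUrl: string,
  warn: (msg: string) => void,
): HookToken {
  const result = extractHookToken(headers, rawUrl);
  if (result.fromQuery) {
    warn(`hook token in query string is deprecated; send Authorization: ` +
      `Bearer <token> or X-Clawdbot-Token (${redactUrlForLog(rawUrl)})`);
  }
  return result;
}
```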
Landed PR #2181. Thanks @YuriNachos! Co-authored-by: YuriNachos <YuriNachos@users.noreply.github.com>
…aniz) (#2016) Co-authored-by: Peter Steinberger <steipete@gmail.com>
…ences, GuildMembers) (#2266)
* feat(discord): add configurable privileged Gateway Intents (GuildPresences, GuildMembers)
Add support for optionally enabling Discord privileged Gateway Intents
via config, starting with GuildPresences and GuildMembers.
When `channels.discord.intents.presence` is set to true:
- GatewayIntents.GuildPresences is added to the gateway connection
- A PresenceUpdateListener caches user presence data in memory
- The member-info action includes user status and activities
(e.g. Spotify listening activity) from the cache
This enables use cases like:
- Seeing what music a user is currently listening to
- Checking user online/offline/idle/dnd status
- Tracking user activities through the bot API
Both intents require Portal opt-in (Discord Developer Portal →
Privileged Gateway Intents) before they can be used.
Changes:
- config: add `channels.discord.intents.{presence,guildMembers}`
- provider: compute intents dynamically from config
- listeners: add DiscordPresenceListener (extends PresenceUpdateListener)
- presence-cache: simple in-memory Map<userId, GatewayPresenceUpdate>
- discord-actions-guild: include cached presence in member-info response
- schema: add labels and descriptions for new config fields
* fix(test): add PresenceUpdateListener to @buape/carbon mock
* Discord: scope presence cache by account
---------
Co-authored-by: kugutsushi <kugutsushi@clawd>
Co-authored-by: Shadow <hi@shadowing.dev>
- Add fly.private.toml template for deployments with no public IP
- Add "Private Deployment (Hardened)" section to Fly docs
- Document how to convert existing deployment to private-only
- Add security notes recommending env vars over config file for secrets
This addresses security concerns about Clawdbot gateways being discoverable
on internet scanners (Shodan, Censys). Private deployments are accessible
only via fly proxy, WireGuard, or SSH.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add sendPayload handler to Telegram outbound adapter to support
channel-specific data via the channelData pattern. This enables features
like inline keyboard buttons without custom ReplyPayload fields.
Implementation:
- Extract telegram.buttons from payload.channelData
- Pass buttons to sendMessageTelegram (already supports this)
- Follows existing sendText/sendMedia patterns
- Completes optional ChannelOutboundAdapter.sendPayload interface
This enables plugins to send Telegram-specific features (buttons, etc.)
using the standard channelData envelope pattern instead of custom fields.
Related: delivery system in src/infra/outbound/deliver.ts:324 already
checks for sendPayload handler and routes accordingly.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…ay types
- Add plugin command specs to Telegram setMyCommands for autocomplete
- Export GatewayRequestHandler types in plugin-sdk for plugin authors
- Enables plugins to register gateway methods and appear in command menus
Plugin commands were added to setMyCommands menu but didn't have bot.command() handlers registered. This meant /flow-start and other plugin commands would fall through to the general message handler instead of being dispatched to the plugin command executor. Now we register bot.command() handlers for each plugin command, with full authorization checks and proper result delivery.
Plugin commands can return buttons in channelData.telegram.buttons, but
deliverReplies() was ignoring them. Now we:
1. Extract buttons from reply.channelData?.telegram?.buttons
2. Build inline keyboard using buildInlineKeyboard()
3. Pass reply_markup to sendMessage()
Buttons are attached to the first text chunk when text is chunked.
Co-authored-by: Glucksberg <markuscontasul@gmail.com>
Co-authored-by: Glucksberg <markuscontasul@gmail.com>
Signed-off-by: Shaun Loo <shaun@bold.dev>
Wraps plugin.actions.listActions() in a try/catch so a single broken channel plugin cannot crash the entire agent boot sequence. Errors are logged once per plugin+message (deduped) via defaultRuntime.error() and the call gracefully returns an empty array instead of propagating the exception. Fixes: 'Cannot read properties of undefined (reading listActions)' after the clawdbot→moltbot rename left some plugin state undefined.
MiniMax has updated their API. The previous configuration used an incorrect
endpoint (api.minimax.io/anthropic) with anthropic-messages format, which
no longer works.
Changes:
- Update MINIMAX_API_BASE_URL to https://api.minimax.chat/v1
- Change API format from anthropic-messages to openai-completions
- Remove minimax from isAnthropicApi check in transcript-policy
This fixes the issue where MiniMax API calls return no results.
…shes
- Expand recoverable error codes (ECONNABORTED, ERR_NETWORK)
- Add message patterns for 'typeerror: fetch failed' and 'undici' errors
- Add isNetworkRelatedError() helper for broad network failure detection
- Retry on all network-related errors instead of crashing gateway
- Remove unnecessary 'void' from fire-and-forget patterns
- Add tests for new error patterns
Fixes #3005
Set up moltbot project from https://github.com/moltbot/moltbot.git https://claude.ai/code/session_01RJEz4n4rCrgALH86kGBezG
- SQLite + FTS5 for hybrid search (vector + keyword)
- Local embeddings with sentence-transformers (fallback to hash-based)
- CLI interface: remember, recall, list, stats, export, forget
- Privacy-first: all data stays on user's device (~/.astrai/memory.db)
- Embedding cache to avoid redundant API calls
Inspired by moltbot's memory architecture for Personal Market Brain product.
https://claude.ai/code/session_01RJEz4n4rCrgALH86kGBezG
Security features added:
- AES-256-GCM encryption for memory content (via cryptography lib)
- Fallback XOR encryption when cryptography unavailable
- Password-based key derivation (PBKDF2, 600k iterations)
- Secure file permissions (chmod 600) on database
- Directory permissions (chmod 700) on ~/.astrai/
CLI updates:
- --password flag for encrypted databases
- --password-env to read password from environment variable
- Stats now shows encryption status and file permissions
Privacy architecture:
- All data stays on user's device (~/.astrai/memory.db)
- Embeddings run 100% locally (sentence-transformers)
- Search runs locally (SQLite FTS5 + vector similarity)
- Only LLM calls leave the device (user controls what is sent)
https://claude.ai/code/session_01RJEz4n4rCrgALH86kGBezG
Multi-agent alpha generation system:
- SEC EDGAR filing fetcher (10-K, 10-Q, 8-K)
- Sentiment drift detector comparing filing changes
- Signal generator with Comparator/Analyst/Skeptic agents
- Paper trading executor with Kelly criterion sizing
- CLI for scanning, analyzing, and trading
Built to route inference through Astrai for 90% cost reduction.
https://claude.ai/code/session_01RJEz4n4rCrgALH86kGBezG
Execution model (Renaissance-style):
- Bid-ask spread by liquidity tier
- Market impact (Almgren-Chriss sqrt model)
- Latency simulation
- Partial fill probability
- Commission and SEC fee modeling
Immutable ledger (proof engine):
- Append-only JSON Lines format
- SHA-256 hash chain (tamper detection)
- Full audit report export
- Daily snapshots
- Statistics: cost_bps, slippage, win rate
This is what makes paper trading credible to investors. If your edge
disappears after conservative costs, it's not real.
https://claude.ai/code/session_01RJEz4n4rCrgALH86kGBezG
Real fills. Real latency. Real proof.
Gateway features:
- Alpaca paper trading API integration
- Risk gate: max position, daily loss limit, trade frequency
- Automatic ledger logging (immutable proof)
- Position tracking with real prices
- Market-neutral universe (40 liquid ETFs + mega-caps)
Risk controls (non-negotiable):
- Max position: $10,000
- Max portfolio: $100,000
- Max daily loss: $2,000 (2%)
- Max trades/day: 50
- Max concentration: 20%
Works in mock mode without Alpaca API keys.
https://claude.ai/code/session_01RJEz4n4rCrgALH86kGBezG
No description provided.