feat(browser): support allowed_private_hosts for browser tools #2
Closed
NiuBlibing wants to merge 900 commits into
…roclaw-labs#7515) - 66216f7 feat(zerocode): improve chat navigation and session controls - 610766e fix(providers): add retry failure diagnostics - acdfbf1 fix(gateway): clarify bind and paircode errors - 8bc5b6e fix(runtime): harden live model switching - a9fc6eb fix(zerocode): restore shared quickstart model sorting - 63e3a26 Merge remote-tracking branch 'origin/master' into codex/zerocode-followups-after-7380 - f46c7ee fix(zerocode): repair quickstart peer groups and shift-enter - 73ccf82 fix(zerocode): address provider and gateway review warnings - 35a821d Merge branch 'master' into codex/zerocode-followups-after-7380
…zeroclaw-labs#7448) - 087d05c fix(cron): inject Lark and Feishu delivery defaults from chat context - 508f00d Merge branch 'master' into fix/6880-lark-feishu-cron - cbda82c Merge branch 'master' into fix/6880-lark-feishu-cron
…law-labs#7503) The dialoguer Editor component (used by zerocode TUI) may spawn the default editor, which on Debian requires vi or vim. Add vim-tiny to the runtime stage of both Dockerfile and Dockerfile.debian so the editor flow does not fail with 'vi: command not found'. Fixes zeroclaw-labs#7469
… tools (zeroclaw-labs#7021) - ddbf794 feat(channels/email): XOAUTH2 auth and observer_mode read-only IMAP - 512ebdc feat(tools/email): add read-only email_search and email_read IMAP tools - bf9f52a test(channels/email): cover XOAUTH2 SASL format and observer_mode default - 6d5031c fix(channels/email): dedupe TLS wrapper and reject IMAP search injection - 7c538a9 fix(tools/email): validate since/before dates strictly and fail closed - e25b5e1 fix(tools/email): reject oversized UIDs in email_read with checked conversion - 08242b0 Merge origin/master into feat/email-xoauth2-imap-tools - ddc8f18 Merge branch 'master' into feat/email-xoauth2-imap-tools - 804a7c9 fix(config): remove email observer docs em dash - 231cb46 Merge branch 'master' into feat/email-xoauth2-imap-tools
…w-labs#7406) - 85898dc fix(runtime): suppress skill suggestions for installed tools - cad25b4 Merge branch 'master' into codex/issue-6289-installed-capability-suppression
… hardcoding (zeroclaw-labs#7524) - 3df10a3 feat(channels/discord): derive gateway intents from config instead of hardcoding - d43839a Merge branch 'master' into feat/discord-intent-resolver
…7593) The SOP execute/advance/approve tools accept an audit logger via `with_audit(...)`, but `all_tools_with_runtime` constructed them with bare `::new(...)`, leaving `self.audit` permanently `None`. Every audit branch (`log_run_start`, `log_step_result`, `log_run_complete`, `log_approval`) was dead code on the agent path, so the `sop_run_*` / `sop_step_*` / `sop_approval_*` Memory keys documented under category `sop` were never written in production. This is the agent-driven path the AMQP/`sop_execute` deployment relies on: a release event enters the agent loop and fires the SOP via the tool, not via the MQTT listener. Without the audit trail the run is not reconstructable and `SopMetricsCollector::rebuild_from_memory` returns empty after a restart. Construct a single `SopAuditLogger` over the agent's real Memory backend and pass it to the execute, advance, and approve tools at registration. Add a registration-level test that fires `sop_execute` through `all_tools` and asserts a `sop_run_*` entry is persisted; the per-tool unit tests already cover the audit behavior but none proved the wiring. Resolves the agent-path half of zeroclaw-labs#6689. The MQTT listener's `NoneMemory` use is the other half and is left to the engine-unification work in zeroclaw-labs#6687.
Localize the quickstart provider selector prompts through existing Fluent helpers. Adds matching locale keys for en/es/fr/ja/zh-CN and keeps the old English literals as fallback text. Refs zeroclaw-labs#7005.
….io SKILL.md) (zeroclaw-labs#6667) Closes the integration gap from zeroclaw-labs#4619 (SkillImprover shipped without a caller) by adopting a post-turn background review fork with a restricted toolset (skills_list, skill_view, skill_manage), retargeted to the agentskills.io SKILL.md YAML front-matter standard. Opt-in only: skills.skill-improvement.enabled defaults to false. Rebased onto master and integrated with the multi-agent V3 runtime: - review fork uses ModelProvider and zeroclaw_log::record! (the workspace logging surface), wired through agent_workspace_dir(agent_alias) so it operates on the same skills root the agent loads from - skill_manage tools register Attributable via the central tool_attribution! - run_tool_call_loop call updated for the current signature (Option<f64> temperature, strict_tool_parsing/parallel_tools) Cost accounting: the post-turn fork now runs under the SAME TOOL_LOOP_COST_TRACKING_CONTEXT scope as the parent turn, so its provider calls are recorded against — and bounded by — the parent's cost tracker and budget. Two regression tests prove usage is recorded and that an exceeded budget blocks the fork's provider call. Safety boundary preserved: safe_skill_dir canonical-root anchoring, symlink rejection for mutating ops, post-mutation audit rollback, and the should_improve_skill cooldown gate on the patch path. Supersedes zeroclaw-labs#6594. Ref zeroclaw-labs#3683, zeroclaw-labs#4619.
… paths (zeroclaw-labs#7443) - 2766613 chore(governance): remove departing owners from CODEOWNERS, fix stale paths - 405b7b2 chore(governance): fix zerocode rule ordering, pair governance paths - 5f89f7a chore(governance): add Nillth to providers and channels ownership - 119ff7c chore(governance): include channels co-owner in the channels Cargo override - 160d598 chore(governance): keep WareWolf on paired CODEOWNERS paths; scrub read-only offboarding refs - 8c9a835 Merge branch 'master' into chore/codeowners-update
…oviders (zeroclaw-labs#5797) - a869dec feat: add tls_ca_cert_path support for custom inference providers - 12a5a72 ci: remove crates-io publish job from release workflow (zeroclaw-labs#5929) - 3cdb432 feat(openrouter): add extra_body passthrough for generic request params (zeroclaw-labs#5623) - 2a72698 fix(config): preserve user-supplied providers.fallback through load/save (zeroclaw-labs#6099) - af84d48 feat(providers/groq): per-profile native_tools override on ModelProviderConfig (zeroclaw-labs#6380) - a9e1944 feat(config,cost): per-provider pricing on ModelProviderConfig (zeroclaw-labs#6357) - 571ba16 fix: resolve rebase conflicts and adapt TLS cert support to current master - bd1c4f1 fix(providers): remove duplicate openrouter test block from rebase artifact - 9d94b4e fix(config): remove extra blank line from rebase conflict resolution - 3464f83 docs(providers): clarify tls_ca_cert_pem lifecycle — not refreshed across config reloads - 7d0f8fc test(providers): add regression coverage for tls_ca_cert_path config-to-provider flow - 1834b1a fix(config): add #[tab(Connection)] and absolute-path docs to tls_ca_cert_path - 68ab8fc Merge remote-tracking branch 'origin/master' into codex/pr-5797-conflict-r1 - 7ce4afb Merge branch 'master' into feature/tls-ca-cert-support
…k delete (zeroclaw-labs#7525) - ac23767 feat(channels/discord): sync archive on message edit, delete, and bulk delete - e6ce385 Merge branch 'master' into feat/discord-edit-delete-events
…aw-labs#7116) - 07bf222 docs(providers): add OpenAI Codex over a ChatGPT subscription - 4d94010 docs(providers): align enc2 decryption error to runtime string - 623948e docs(providers): add runnable codex/models enumeration example - e124f06 docs(codex): correct cost model, add credential boundary, fix account-id curl - b07e0bb Merge remote-tracking branch 'upstream/master' into feat/docs-openai-codex-subscription - bc84949 Merge branch 'master' into feat/docs-openai-codex-subscription
…eroclaw-labs#7567) When Socket Mode rejected an inbound message the WARN said only "ignoring message from unauthorized user" with the user ID, giving no way to tell an empty resolved peer set (no matching [peer_groups] block, so every user is denied) from a populated allowlist that legitimately excludes the sender. An operator hit the empty-set case and had to read the source to discover the peer-resolution chain. Resolve the peer set once at each rejection site, include the channel alias and resolved peer count in the WARN attrs, and when the set is empty emit an actionable message naming the [peer_groups.<name>] block, the channel = "slack.<alias>" key, and external_peers (including the ["*"] allow-all form). Add a regression test pinning that an explicit user peer is allowed and a non-listed user is denied. Closes zeroclaw-labs#6992
…ig (zeroclaw-labs#7565) - cb6b714 fix(channels): select WhatsApp Web backend from personal/pairing config - a0c9669 fix(channels): align whatsapp ambiguity check with broadened web selection
…law-labs#7564) - 08c0d66 fix(channels): skip reply-intent classifier on direct messages
…labs#7562) - 02ab043 fix(channels): support WhatsApp as a cron delivery channel - e99ee79 fix(channels): use expect_err in cron whatsapp delivery test
…project shapes (zeroclaw-labs#7560) - c0dcf9e fix(providers/gemini): resolve OAuth project from object and current-project shapes
…t elimination) (zeroclaw-labs#7558) - 3667a12 feat(xtask): canonical install spec + cargo generate installers scaffold - 5e6a3e4 feat(xtask): generate setup.bat build modes from the canonical spec - 6df23ed feat(xtask): generate Containerfile feature sets; table-driven surfaces - 9b4a2f9 feat(xtask): generate Dockerfile/Dockerfile.debian feature ARG defaults - 346e008 feat(xtask): generate PKGBUILD and scoop manifest from the spec - d777aac feat(xtask): generate parameterized Nix flake packages from the spec - bf7a64d ci: enforce installer drift gate; setup.bat fails loud on zerocode build - f6b743a feat(xtask): generate docker tag matrix from the spec - e3cccb7 style(xtask): replace bare anyhow! with Error::msg per clippy policy - cfa94ac feat(xtask): render install.sh from the Plan; docker-publish workflow - b803340 fix(xtask): Containerfile feature injection must not break the StageX pipeline - b293a94 feat(release): run cargo generate installers from bump-version; purge drift - dc27d9a fix(release): bump-version must bump apps/ path-dep version pins - 36561b5 fix(installers): setup.bat dry-run parity, mode alignment, remove dead code - 47e13ca feat(nix): expose nixosModules.default and document nixosConfigurations - a670c33 fix(installers): carry cargo flag string through docker publish so minimal stays minimal - f904994 build(container): add web-build, check, config-gen, and fat-image stages - a46ff4a fix(container): make StageX musl pipeline actually build - 4d53ea9 fix(container): exclude doctests from StageX check via --all-targets - a410648 fix(container): scope StageX check tests to lib/bins/tests - a794686 fix(installers): exclude voice-wake from container kitchen-sink so all features build Co-authored-by: ConYel <yeles.konstantinos@gmail.com>
…back (zeroclaw-labs#7561) - e4537b9 fix(channels): route cron email delivery through the no-registry fallback - 1c5b4c0 fix(channels): use expect_err in cron email delivery test
…#7732) - d390fd3 fix(self-test): authenticate websocket handshake probe - 4d61aea fix(self-test): use write! for token query append (clippy) - 9aa67d3 chore: re-trigger CI - 5eb8592 fix(self-test): avoid hardcoded "default" agent alias fallback - 650b565 Merge branch 'master' into fix/self-test-websocket-auth - 7aa04ee fix(self-test): use `?` separator when appending token to no-agent probe URL - 9df96dc Merge branch 'master' into fix/self-test-websocket-auth
…me>/<skill> (zeroclaw-labs#7827) - 29ff137 feat(skills): user-configured extra skill registries via `registry:<name>/<skill>` - 8a6d3ee fix(skills): validate extra registry aliases - 80f4805 Merge branch 'master' into feat/skills-extra-registries
…oclaw-labs#7962) - a280816 initial byte-truncation audit draft, superseded by focused fix - ab048a9 fix(skills): guard truncate_output against UTF-8 char boundaries (zeroclaw-labs#7828) - 09d63c2 Merge master into PR branch after upstream moved
… loop (zeroclaw-labs#7983) - 90fdf2d fix(daemon): handle file-descriptor exhaustion in RPC accept loops - b9eec7b fix(runtime): match local IPC accept error as io::Error for recoverability check - 59ca556 Merge master into PR branch after upstream moved
…roclaw-labs#8035) - 6e7074b feat(skill-tool): expose ZEROCLAW_SESSION_ID to skill shell tools - ede6f30 Merge master into feat/skill-tool-session-id
…-labs#7857) - fb6f198 fix(zerocode): skip queue-paused state when backlog is empty - 164624a Merge branch 'master' into fix/7805-empty-queue-paused-hint
…apped (zeroclaw-labs#7912) - 02bd0ea fix(whatsapp_storage): store mutation MAC bytes raw - e2ec40e fix(whatsapp_storage): format mutation MAC regression - acd3139 Merge branch 'master' into patch-3
Add `[browser].allowed_private_hosts` so the `browser` and `browser_open` tools can reach explicitly listed private/LAN hosts (or `["*"]` for all), mirroring the existing `http_request` escape hatch. Listed private hosts bypass the SSRF block and the `allowed_domains` allowlist; everything else is unchanged. Default is empty (deny-by-default, fully backward compatible), public hosts still flow through `allowed_domains`, `file://` stays blocked, and `browser_open` remains HTTPS-only.
Closing as duplicate — submitted upstream as zeroclaw-labs#8171 (same branch/commit).
Summary

- `master`
- `[browser].allowed_private_hosts` so the `browser` and `browser_open` tools can reach operator-listed private/LAN hosts — previously any private host was unconditionally blocked, with no escape hatch (only `http_request`/`web_fetch` had one). This unblocks legitimate internal-service automation.
- `http_request` design: exact/subdomain matches, and `["*"]` permits all private/local hosts.
- `allowed_domains` allowlist; the wildcard is scoped to private hosts only and never widens public reach.
- `browser_open` stays HTTPS-only and `file://` stays blocked everywhere. Does not touch `http_request`/`web_fetch`/`text_browser`/`browser_delegate` or the shared `domain_guard` SSRF logic. No DNS-rebinding posture change.
- `browser`/`browser_open` tool registration in `zeroclaw-runtime`; the `[browser]` config surface. Deny-by-default means zero behavior change unless an operator opts in.
- `risk: high` (touches `crates/zeroclaw-tools/src/**` SSRF access-control boundary per AGENTS.md), `size: M` — maintainers own final risk/size.

Validation Evidence (required)

```
cargo fmt --all -- --check
cargo clippy --workspace --all-targets -- -D warnings
cargo test -p zeroclaw-tools -p zeroclaw-config -p zeroclaw-runtime --lib --tests
```

- `cargo fmt --all -- --check` → clean, exit 0.
- `cargo clippy --workspace --all-targets -- -D warnings` → ``Finished `dev` profile ... in 13m 37s``, exit 0, zero warnings across all crates.
- `zeroclaw-tools` lib: `test result: ok. 1353 passed; 0 failed`
- `zeroclaw-config` lib: `ok. 942 passed; 0 failed`; `tests/migration.rs`: `ok. 90 passed`; `tests/comment_writer.rs`: `ok. 8 passed`
- `zeroclaw-runtime` lib: `2342 passed; 1 failed` — the one failure is `cron::store::tests::remove_job_emits_structured_cron_delete_event`, unrelated to this diff (cron module). It passes in isolation (`ok. 1 passed`); it shares global log-capture state (`__private_test_writer_lock` / `subscribe_or_install`) and races other tests under parallel run. Pre-existing flake.
- `validate_url` branch in both tools for {public,private}×{listed,unlisted}×{http,https}. Added adversarial tests: wildcard private allowlist does not widen the public `allowed_domains` allowlist; `file://` stays blocked even with `["*"]`; empty list still denies all private hosts; private host bypasses `allowed_domains` only when listed. Not verified: live agent-browser/system-browser execution against a real internal host — validation is at the URL-gate layer; no live network was exercised.
- `cargo test --doc` for `zeroclaw-config` skipped — pre-existing rustdoc env failure (`error: Option 'default-theme' given more than once`; rustdoc invoked with `--default-theme=ayu` twice), reproduced on a clean tree via `git stash`, independent of this change.

Security & Privacy Impact (required)

- `browser`/`browser_open` to reach operator-listed private/LAN hosts that were previously always blocked. Off by default (empty list = deny).
- `localhost`, and `example.com`.
- `["*"]` in `allowed_private_hosts` never grants access to public hosts (those still flow through `allowed_domains`). `file://` remains blocked; `browser_open` remains HTTPS-only. No change to DNS-rebinding posture or the shared `domain_guard` matcher.

Compatibility (required)

- `[browser].allowed_private_hosts` (`Vec<String>`, default `[]`).
- `[browser].allowed_private_hosts = ["10.0.0.5", "internal.local"]` (or `["*"]` for all private hosts).

Rollback (required for `risk: medium` and `risk: high`)

- `git revert 3fe8e6b5b2`.
- `[browser].allowed_private_hosts` — set to `[]` (the default) to fully disable; no rebuild needed.
- `browser`/`browser_open` reaching unexpected internal hosts; in logs, an unexpected drop in `Blocked local/private host` rejections or tool-open events targeting RFC1918 / link-local / metadata addresses.
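
The URL gate the description above lays out (scheme rules, the private-host allowlist, and the public `allowed_domains` path), written out as an added Rust example; this is not code from the PR or the project. `Gate`, `check`, `is_private` and `listed` are hypothetical names, and treating `.local` names as private and classifying hosts by literal only (no DNS resolution) are assumptions.

```rust
use std::net::IpAddr;

/// Hypothetical gate config: field names follow the PR text, types are assumed.
pub struct Gate<'a> {
    pub allowed_domains: &'a [&'a str],
    pub allowed_private_hosts: &'a [&'a str],
    pub https_only: bool, // true models browser_open, false models browser
}

/// Literal-only check (no DNS lookup); treating `.local` as private is an assumption.
fn is_private(host: &str) -> bool {
    let named = host == "localhost" || host.ends_with(".localhost") || host.ends_with(".local");
    named || match host.parse::<IpAddr>() {
        Ok(IpAddr::V4(a)) => a.is_private() || a.is_loopback() || a.is_link_local() || a.is_unspecified(),
        Ok(IpAddr::V6(a)) => {
            let s0 = a.segments()[0]; // fc00::/7 unique-local, fe80::/10 link-local
            a.is_loopback() || a.is_unspecified() || (s0 & 0xfe00) == 0xfc00 || (s0 & 0xffc0) == 0xfe80
        }
        Err(_) => false,
    }
}

/// Exact or subdomain match; "*" is honoured only when `wildcard` is true.
fn listed(list: &[&str], host: &str, wildcard: bool) -> bool {
    list.iter().any(|e| (wildcard && *e == "*") || host == *e || host.ends_with(&format!(".{e}")))
}

pub fn check(url: &str, g: &Gate) -> Result<(), &'static str> {
    let (scheme, rest) = url.split_once("://").ok_or("malformed URL")?;
    match scheme.to_ascii_lowercase().as_str() {
        "https" => {}
        "http" if !g.https_only => {}
        "http" => return Err("HTTPS only"),
        "file" => return Err("file:// is always blocked"),
        _ => return Err("unsupported scheme"),
    }
    let authority = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next().unwrap_or("");
    if authority.contains(|c: char| c == '@' || c == '\\') { return Err("ambiguous authority rejected"); }
    let host = match authority.strip_prefix('[') {
        Some(v6) => v6.split(']').next().unwrap_or(""),
        None => authority.rsplit_once(':').map_or(authority, |(h, _)| h),
    }.trim_end_matches('.').to_ascii_lowercase();
    if is_private(&host) {
        // Listed private hosts skip allowed_domains; unlisted ones stay blocked.
        return if listed(g.allowed_private_hosts, &host, true) { Ok(()) } else { Err("blocked local/private host") };
    }
    // Public hosts: "*" in allowed_private_hosts has no effect on this branch.
    if listed(g.allowed_domains, &host, false) { Ok(()) } else { Err("host not in allowed_domains") }
}

fn main() {
    let g = Gate { allowed_domains: &["example.com"], allowed_private_hosts: &["10.0.0.5"], https_only: false };
    println!("{:?}", check("http://10.0.0.6/", &g)); // constructed sample URL
}
```

Because classification is by literal, a public name that resolves to a private address takes the `allowed_domains` branch here, which matches the description's statement that the DNS-rebinding posture is unchanged.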