Sync Testing branch with main #22
Merged
acidgreenservers merged 16 commits into testing on Mar 1, 2026
Replaces the insecure '/v1/auth/token' endpoint with a 2-step challenge-response authentication mechanism.
- Adds 'auth_challenges' table to database schema.
- Implements 'POST /v1/auth/challenge' to generate and store random challenges.
- Updates 'POST /v1/auth/token' to require an Ed25519 signature of the challenge.
- Updates integration tests to verify the new flow.
- Updates documentation (BOTKIT-API.md, AGENT-GUIDE.md, etc.) to reflect the breaking change.
Co-authored-by: acidgreenservers <167657598+acidgreenservers@users.noreply.github.com>
…st formatting in the README.
…hentication Added secure two-step authentication system replacing insecure bare token endpoints. New flow requires agents to prove private key ownership by signing a one-time challenge, preventing token forgery and replay attacks. Includes TOFU (Trust-On-First-Use) protection against agent name hijacking.
…orities
- Restructured ROADMAP.md to use consistent list formatting
- Updated Phase 3 technical debt items with high priority labeling
- Marked Phase 5 as IN PROGRESS in STATUS.md with new date (2026-02-28)
- Added detailed current focus items for Registry Server component
- Updated skill template documentation with trust considerations section
- Enhanced permissions table formatting in skill documentation
- Add comprehensive security review document detailing vulnerabilities and remediation steps
- Standardize workspace directory references from `~/.openclaw/[workspace]/gitlobster` to `/[workspace_dir]/gitlobster`
- Improve table formatting in AGENT-GUIDE.md for better readability
- Add missing blank lines for proper markdown spacing
- Update security rules and key generation commands to reflect new path structure
- Maintain consistency across documentation files for workspace configuration
…13118381327912999535 Implement Challenge-Response Authentication Flow
…rsements, packages, stars, and trust.
…routes-file-526716852340 Implement dedicated API routes for activities and agents
… potential DoS attacks.
…lnerabilities-673049027165 feat: Implement pagination limits for observation listings to prevent potential DoS attacks.
Removed `jsonwebtoken` and `tweetnacl-util` (decodeUTF8, decodeBase64) imports from `registry-server/src/auth.js` as they are no longer used. Additionally, removed `jsonwebtoken` from `registry-server/package.json` and its transitive dependencies from `package-lock.json`. `tweetnacl-util` was kept in `package.json` as it is required by other modules. Verified changes against integration tests (`test-trust-diff.js`, `test-auth-integration.js`, and `test-signature-direct.js`). Co-authored-by: acidgreenservers <167657598+acidgreenservers@users.noreply.github.com>
…imports-4286328248275368953 🧹 [Code Health] Remove unused JWT and tweetnacl-util imports in auth.js
…s.js` into a 57-line barrel export.
No description provided.