| 2544 | fix(security): XSS vulnerability in Canvas Host + Windows CI stability | Kiwitwitter | 2026-01-27 |
| 6590 | Harden Debug UI defaults: loopback-only binding + warnings | dinakars777 | 2026-02-01 |
| 6906 | Add baseline HTTP security headers to gateway responses | QuantumEdu | 2026-02-02 |
| 8846 | fix(tools): block LLM writes to hooks directories | yubrew | 2026-02-04 |
| 9146 | Fix: Allow null-origin WebSocket connections from loopback | vishaltandale00 | 2026-02-04 |
| 10930 | fix: validate WebSocket Origin for all client types, not just browser UIs | OneZeroEight-ai | 2026-02-07 |
| 11435 | fix(security): validate OPENCLAW_BROWSER_CONTROL_MODULE before dynamic import | coygeek | 2026-02-07 |
| 14026 | gateway: expose fork/upstream identity metadata with override | DeanoC | 2026-02-11 |
| 18845 | feat(config): add strictLoopback config option for Debug UI security | cedillarack | 2026-02-17 |
| 19519 | security: add HSTS, Cache-Control, and security response headers | Mozzzaic | 2026-02-17 |
| 19539 | security: strengthen CSRF protection with SameSite cookies | Mozzzaic | 2026-02-17 |
| 20498 | UI: modularize control UI architecture and normalize spacing. | MAGE-VOID | 2026-02-19 |
| 21051 | security(gateway): audit logging + model allowlist enforcement | richvincent | 2026-02-19 |
| 21100 | Security/Gateway: require explicit break-glass env for Control UI bypass flags | bmendonca3 | 2026-02-19 |
| 21119 | Security/Browser: fail closed when control server has no auth | bmendonca3 | 2026-02-19 |
| 21120 | Security/Gateway: guard dangerous HTTP /tools/invoke re-enables | bmendonca3 | 2026-02-19 |
| 21186 | fix(gateway): strict loopback guard for Control UI (v2) | dinakars777 | 2026-02-19 |
| 21326 | Security/UI: harden Control UI gatewayUrl URL overrides | bmendonca3 | 2026-02-19 |
| 21667 | fix(canvas): add CSP and security headers to HTML responses | AI-Reviewer-QS | 2026-02-20 |
| 22873 | fix(tools): enforce global inline-secret blocking for tool inputs | Kansodata | 2026-02-21 |
| 23060 | Security/Test: isolate node.invoke approval e2e identity | bmendonca3 | 2026-02-21 |
| 23181 | fix(gateway): allow Google Fonts in Control UI CSP header | SidQin-cyber | 2026-02-22 |
| 23277 | fix(gateway): preserve scopes for localhost token-auth without device identity | dashed | 2026-02-22 |
| 23352 | Gateway: enforce origin checks for browser-context WS clients | bmendonca3 | 2026-02-22 |
| 23361 | Gateway: reject scope assertions without identity binding | bmendonca3 | 2026-02-22 |
| 23364 | Gateway: add risk-ack interlock for dangerous Control UI flags | bmendonca3 | 2026-02-22 |
| 23465 | Gateway: strengthen Control UI security headers | bmendonca3 | 2026-02-22 |
| 23719 | Gateway: fail closed startup on insecure state/config permissions | bmendonca3 | 2026-02-22 |
| 23780 | Gateway: fail closed on insecure state directory permissions | bmendonca3 | 2026-02-22 |
| 23814 | Gateway: block unauthenticated tool-invocation HTTP surfaces | bmendonca3 | 2026-02-22 |