fix: merge PR #1540 #1524 #1523 #1522 #1521 #1542

Closed
xuwei-xy wants to merge 11 commits into sipeed:main from xuwei-xy:fix-pr-batch-2

@xuwei-xy

Summary

Merges fixes from open PRs #1540, #1524, #1523, #1522, #1521.

PR #1540 - SpawnStatusTool

PR #1524 - Skills helpers

PR #1523 - Repo skill examples

PR #1522 - Credential encryption

PR #1521 - Passphrase/gateway

sky5454 and others added 11 commits March 14, 2026 04:52
…ygen

- pkg/credential: new package with AES-256-GCM enc:// credential format,
  HKDF-SHA256 key derivation (passphrase + optional SSH key binding),
  ErrPassphraseRequired / ErrDecryptionFailed sentinel errors,
  and PassphraseProvider hook for runtime passphrase injection

- pkg/credential/store: lock-free SecureStore via atomic.Pointer[string];
  passphrase never written to disk or os.Environ

- pkg/credential/keygen: ed25519 SSH key generation helper used by onboard

- pkg/config: replace os.Getenv(PassphraseEnvVar) with
  credential.PassphraseProvider() at all three call sites so that
  LoadConfig and SaveConfig use whatever passphrase source is active

- cmd/picoclaw/onboard: prompt for passphrase with echo-off, generate
  picoclaw-specific SSH key, re-encrypt existing config on re-onboard

- docs/credential_encryption.md: design doc for the enc:// format

Replace env-var passphrase forwarding with a SecureStore-backed flow:

- web/backend/main.go: seed passphrase from env var into SecureStore at
  startup, then clear the env var and redirect credential.PassphraseProvider
  to apiHandler.GetPassphrase so all LoadConfig calls share one source

- web/backend/api/passphrase.go: POST /api/credential/passphrase stores
  passphrase and auto-starts gateway; GET status endpoint

- web/backend/api/gateway.go: build child env via filterEnv() (strips
  PassphraseEnvVar from parent env) then inject only from SecureStore;
  passphraseState machine (pending/failed/none) tracks gateway start outcome;
  expose passphrase_state in /api/gateway/status response

- web/backend/api/router.go: add passphraseStore, passphraseMu,
  passphraseLastState fields; SeedPassphrase / GetPassphrase methods

- frontend: PassphraseCard component on credentials page; chat-empty-state
  shows passphrase input when start_reason contains 'passphrase' or
  passphraseState is failed; i18n keys for en + zh

- Makefile: add -buildvcs=false to GOFLAGS
- credential.go: decouple ErrPassphraseRequired from env var name;
  message is now 'enc:// passphrase required' since PassphraseProvider
  may come from any source, not just os.Environ

- credential.go: Resolver resolves symlinks via EvalSymlinks before the
  isWithinDir containment check, preventing symlink-based path traversal
  for file:// credential references

- store.go: tighten comment to describe only what SecureStore guarantees
  (in-memory only); remove claims about how callers transport the value

- store_test.go: replace the meaningless GetReturnsCopy test (Go strings
  are immutable, equality across two calls proves nothing) with
  TestSecureStore_ConcurrentSetGet that exercises atomic.Pointer under
  10-goroutine concurrent Set/Get load

- config_test.go: update error-message assertion to match new sentinel text

- docs/credential_encryption.md: remove reference to non-existent
  'picoclaw encrypt' subcommand; describe the onboard flow instead
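
The commit message above says the Resolver calls EvalSymlinks before the isWithinDir containment check for file:// references. The following is an added example, not code from this PR: it shows why the order matters by running a purely lexical check and a resolve-then-check on a symlink that points outside the base directory. `resolveWithin`, `ErrOutsideBase` and `demo` are hypothetical names, and the body of `isWithinDir` is an assumption (only its name appears on the page).

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideBase = errors.New("path escapes base directory") // hypothetical sentinel

// isWithinDir is purely lexical, so both arguments must already be symlink-free.
func isWithinDir(path, dir string) bool {
	rel, err := filepath.Rel(dir, path)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveWithin follows symlinks first, then checks containment on the real path.
func resolveWithin(baseDir, ref string) (string, error) {
	base, err := filepath.EvalSymlinks(baseDir) // the base itself may sit behind a symlink
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(filepath.Join(base, ref))
	if err != nil {
		return "", err
	}
	if !isWithinDir(resolved, base) {
		return "", ErrOutsideBase
	}
	return resolved, nil
}

// demo (constructed layout): base/token is a file, base/link is a symlink to root, outside base.
func demo(root string) (bool, error, string, error) {
	base := filepath.Join(root, "base")
	os.MkdirAll(base, 0o700) // setup failures surface as resolveWithin errors below
	os.WriteFile(filepath.Join(base, "token"), []byte("constructed"), 0o600)
	os.Symlink(root, filepath.Join(base, "link"))
	_, linkErr := resolveWithin(base, "link")
	okPath, err := resolveWithin(base, "token")
	return isWithinDir(filepath.Join(base, "link"), base), linkErr, okPath, err
}

func main() {
	root, _ := os.MkdirTemp("", "credex")
	defer os.RemoveAll(root)
	fmt.Println(demo(root))
}
```

The first return value of `demo` is the lexical check on the unresolved path, which accepts `base/link`; the second is the error from the resolve-then-check path, which rejects it.
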
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
2 out of 4 committers have signed the CLA.

✅ sky5454
✅ SHINE-six
❌ yzxlr
❌ OpenClaw-User


OpenClaw-User seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.

@wj-xiao wj-xiao closed this Mar 14, 2026