docs: http_request tool broken by three zero-value config defaults #12
Open
walterpembery wants to merge 30 commits into openagen:main from
Conversation
… MCU + Linux tools

Expand the existing UNO Q Bridge peripheral from 2 GPIO tools to 13 tools covering the board's full capability set. ZeroClaw can now run as an edge-native agent directly on the UNO Q's Debian Linux (Cortex-A53).

MCU tools (via Bridge socket to STM32U585):
- GPIO read/write (D0-D21), ADC read (A0-A5, 12-bit, 3.3V)
- PWM write (D3/D5/D6/D9/D10/D11), I2C scan/transfer, SPI transfer
- CAN send (stub), LED matrix (8x13), RGB LED (LED3-4)

Linux tools (direct MPU access):
- Camera capture (MIPI-CSI via GStreamer)
- Linux RGB LED (sysfs), System info (temp/mem/disk/wifi)

Also includes:
- Expanded Arduino sketch with all MCU peripheral handlers
- Expanded Python Bridge server with command routing
- DeployUnoQ CLI command for edge-native deployment via SSH
- Cross-compile script (dev/cross-uno-q.sh) for aarch64
- UNO Q datasheet for RAG pipeline (docs/datasheets/arduino-uno-q.md)
- Pin validation with datasheet constraints (PWM pins, ADC channels, etc.)
- 19 unit tests covering validation, response parsing, and tool schemas
Three issues discovered during deployment to actual UNO Q hardware:
1. Bridge.call() takes positional args, not a list — changed from
Bridge.call("digitalRead", [pin]) to Bridge.call("digitalRead", pin)
2. Bridge.call() must run on main thread (not thread-safe) — restructured
socket server to use a queue pattern: accept thread enqueues requests,
main App.run() loop drains queue and calls Bridge
3. Docker container networking requires 0.0.0.0 bind (not 127.0.0.1)
4. Wire/SPI are built into Zephyr platform, removed from sketch.yaml
5. Renamed C++ functions to bridge_* prefix to avoid Arduino built-in clashes
6. Changed const char* params to String for MsgPack RPC compatibility
Tested on hannah.local: gpio_read, gpio_write, adc_read, pwm_write,
capabilities all confirmed working.
…l cross-compile config
- Camera capture tool now uses v4l2-ctl instead of GStreamer (works with USB cameras like NETUM, not just MIPI-CSI)
- Tool output includes [IMAGE:<path>] hint so Telegram channel sends the captured photo directly to the user
- Added width/height/device parameters (defaults: 1280x720, /dev/video0)
- Added aarch64-unknown-linux-musl linker config to .cargo/config.toml
…camera for USB

The daemon's channel server was missing peripheral tools — only the interactive `agent` command loaded them. Now `start_channels()` calls `create_peripheral_tools()` so Telegram/Discord/Slack channels get access to all UNO Q hardware tools. Also updated camera capture tool description to guide the LLM to use [IMAGE:<path>] markers for Telegram photo delivery.
…tive feat(peripherals): Arduino UNO Q edge-native agent with full MCU + Linux peripheral tools
Minor Cargo.lock update from running cargo commands during security analysis — normalizes `rustix 1.1.3` version reference to `rustix`. https://claude.ai/code/session_01EFyqry32yYwkmYs2zFMiyb
…260221 Fix default-feature build regressions on main
…tation

Fix 5 compilation errors blocking the build:
- reliable.rs: remove duplicate `chat` method implementation
- agent.rs, loop_.rs: replace `futures::` with `futures_util::` (correct crate name)
- Cargo.toml: add `alloc` feature to futures-util (required for join_all)
- memory/cli.rs: gate PostgresMemory behind #[cfg(feature = "memory-postgres")] with a clear compile-time error when the feature is absent

Security hardening:
- Enable Landlock sandbox by default on Linux: remove `optional = true` from the Linux-specific landlock dependency; replace all `cfg(feature = "sandbox-landlock")` gates with `cfg(target_os = "linux")` in mod.rs, detect.rs, and landlock.rs. The `sandbox-landlock` feature flag is kept as a no-op for backward compatibility.
- Add explicit security warning to channels-reference.md for the whatsapp-web feature flag (unofficial API, account-suspension risk, unpredictable attack surface).
- Add SSRF threat model document for the http_request tool: docs/security/http-request-ssrf-threat-model.md covering existing defenses (allowlist, private-host blocking, redirect-none, scheme restriction), known residual risks (DNS rebinding, HTTP cleartext), and operator guidance.
- Register the SSRF doc in docs/security/README.md.

https://claude.ai/code/session_01EFyqry32yYwkmYs2zFMiyb

Document the security model of the shell tool:
- Defenses in place: autonomy policy, command validation, rate limiting, env_clear + SAFE_ENV_VARS whitelist, 60s timeout, 1MB output truncation
- Residual risks: no FS isolation without Landlock, no network egress filter, parent fd inheritance, shell injection via interpolated command strings
- Full test coverage matrix
- Operator configuration guidance

https://claude.ai/code/session_01EFyqry32yYwkmYs2zFMiyb
Add a dated security audit table covering 8 tool surfaces identified during the 2026-02-22 security analysis. Each entry includes the risk area, current grade, finding, and a concrete recommended remediation. Surfaces covered: http_request (MITM, DNS rebinding), file_write (path traversal), shell (network egress), git_operations (unintended push), browser/browser_open (SSRF-adjacent, phishing), delegate (prompt injection), and compiler hygiene (allow suppression). https://claude.ai/code/session_01EFyqry32yYwkmYs2zFMiyb
…urfaces

Full source-code re-audit of every tool in src/tools/. Previous table covered 8 surfaces with preliminary grades.

Updated table:
- Covers all 31 tool surfaces organized by tier (file, network, command execution, memory, delegation, scheduling, external APIs, utility, hardware, compiler hygiene)
- Corrects grades based on actual code inspection (e.g. file_read upgraded to A, git_operations to A-, http_request SSRF to B+)
- Adds new surfaces: file_read, glob_search, pdf_read, image_info, web_search_tool, browser_open, memory_*, cron_*, composio, pushover, proxy_config, screenshot, hardware_*, delegate
- Each entry includes a verified finding and a concrete recommended action
- Adds an overall posture summary table by tier

https://claude.ai/code/session_01EFyqry32yYwkmYs2zFMiyb
The `build_system_prompt_with_mode` function signature was extended with a new `skills_prompt_mode: SkillsPromptInjectionMode` parameter, but the call in the `native_tools_system_prompt_contains_zero_xml` test was not updated to match. This caused a compile-time error (E0061: wrong number of arguments) that blocked all test compilation. Fix: pass `SkillsPromptInjectionMode::Full` as the 8th argument, consistent with the default used throughout the codebase. https://claude.ai/code/session_01EFyqry32yYwkmYs2zFMiyb
Fix 36 clippy errors and formatting violations to make the codebase pass `cargo fmt --all -- --check` and `cargo clippy --all-targets -- -D warnings` with zero diagnostics.

Key fixes by category:

Correctness:
- Replace invalid regex backreferences (\1) in XML tool-tag parser with a manual closing-tag search (iter_xml_tagged_sections); the `regex` crate does not support backreferences, so the original code would have panicked at runtime on first use of the XML dispatcher path.

MSRV:
- Bump rust-version 1.87 → 1.91 to align with str::floor_char_boundary (stable since 1.91) already used in shell/screenshot/memory tools.

Visibility / privacy:
- Narrow channels::handle_command to pub(crate) to match ChannelCommands visibility; eliminates private-interface-in-public-API lint.

Lint suppressions (intentional API surface):
- #[allow(unused_imports)] on pub use re-exports in cost/mod.rs, onboard/mod.rs, tools/mod.rs, peripherals/mod.rs that are used from the binary crate or are intentional public API.
- #[allow(clippy::unused_async)] on the hardware-feature stub for create_peripheral_tools (must stay async for call-site consistency).
- #[allow(clippy::assertions_on_constants)] on a platform-guard assertion in the landlock test.
- #[allow(clippy::type_complexity)] on the pairing guard's brute-force field.

Style / idiomatic fixes:
- Replace format!-collect with fold+writeln! in discord/telegram tests.
- Elide explicit lifetimes in providers/copilot.rs.
- Merge identical match arms (bedrock, compatible, telegram, wizard, main.rs unreachable arms).
- Use ? operator instead of let-else for question_mark lint.
- Use array-of-char pattern for manual_pattern_char_comparison.
- Remove needless return / continue statements.
- Derive Default for SkillsConfig (all fields use standard defaults).
- Replace criterion::black_box (deprecated) with std::hint::black_box.
- Box::pin large heartbeat future directly to move it off the stack.
- Use struct initializer syntax in config_persistence tests.
- Use array literals instead of vec! where Vec is not needed.
- Remove duplicate unreachable cfg block in memory/cli.rs.
- Fix unreadable long literal in nextcloud_talk test.
- Replace ALLOWED_IMAGE_MIME_TYPES.iter().any() with .contains().
- Suppress cast_possible_truncation for intentional u64→usize casts.

https://claude.ai/code/session_01EFyqry32yYwkmYs2zFMiyb
…onality-analysis-al5ZG Claude/security functionality analysis al5 zg
Adds README.pt-br.md with full translation.
docs(i18n): add README Brazilian Portuguese translation
Adds Brazilian Portuguese (README.pt-br.md) to the languages section in README.md. The translation file was previously merged.
docs(readme): add Portuguese (Brazil) language link
Thanks for contributing to ZeroClaw. For faster review, please ensure:
PR intake checks found warnings (non-blocking)

Fast safe checks found advisory issues. CI lint/test/build gates still enforce merge quality.
Action items:
Run logs: https://github.com/openagen/zeroclaw/actions/runs/22529266994

Detected blocking line issues (sample):
Detected advisory line issues (sample):
Hi @walterpembery, friendly automation nudge from PR hygiene. This PR has had no new commits for 180h and still needs an update before merge:
Recommended next steps
Maintainers: apply
Summary

- `http_request` tool fails silently in multiple independent ways when config values are left at their default zero values
- `## Docker Deployment` section to `docs/troubleshooting.md` documenting all three issues

The Three Bugs

When enabling `[http_request]` in `config.toml`, three separate config values all default to zero, each independently breaking the tool in a different way:

1. Empty `allowed_domains = []`

Contrary to what you might expect, an empty allowlist does not mean "allow all" — it means `http_request` immediately errors with:

Fix: Add domains explicitly, e.g.:

2. `timeout_secs = 0` → every request fails immediately

A zero timeout causes every outbound request to fail at the transport layer before any data is exchanged. Error looks like a network failure.

Fix:

3. `max_response_size = 0` → all responses silently discarded

A zero max response size causes every response to be truncated to zero bytes. The request succeeds, but the tool returns an empty string. No error is surfaced.

Fix:
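As an added example, not part of this PR or of ZeroClaw's own code, the check below parses the `[http_request]` table out of config.toml text and reports each of the three zero-value defaults before the tool is enabled, so a misconfiguration is caught as a configuration finding rather than as the silent failures described above. The struct fields follow the three keys named in the PR; the TOML-subset parser, the exact-host allowlist match, and the sample configs (the placeholder domain `api.example.com` and the 30-second timeout) are assumptions. It goes one step beyond the PR text by exercising the allowlist semantics directly: an empty list admits no host.

```rust
// Added example (not ZeroClaw's own code): pre-flight check for the three
// `[http_request]` zero-value defaults the PR describes. The TOML subset
// parser, the exact-host allowlist match and the sample configs are assumptions.

#[derive(Debug, Default, PartialEq)]
pub struct HttpRequestConfig {
    pub allowed_domains: Vec<String>,
    pub timeout_secs: u64,
    pub max_response_size: usize,
}

/// Parse only the `[http_request]` table out of config.toml text.
/// Deliberately tiny TOML subset: `key = ["a", "b"]` and `key = 123`.
/// A `#` starts a comment, so quoted values must not contain one.
pub fn parse_http_request_section(text: &str) -> HttpRequestConfig {
    let mut cfg = HttpRequestConfig::default(); // all zero, exactly the broken defaults
    let mut in_section = false;
    for raw in text.lines() {
        let line = raw.split('#').next().unwrap_or("").trim();
        if line.is_empty() {
            continue;
        }
        if line.starts_with('[') {
            in_section = line == "[http_request]";
            continue;
        }
        if !in_section {
            continue;
        }
        let Some((key, value)) = line.split_once('=') else {
            continue;
        };
        let (key, value) = (key.trim(), value.trim());
        match key {
            "allowed_domains" => {
                cfg.allowed_domains = value
                    .trim_matches(|c: char| c == '[' || c == ']')
                    .split(',')
                    .map(|s| s.trim().trim_matches('"').to_ascii_lowercase())
                    .filter(|s| !s.is_empty())
                    .collect();
            }
            "timeout_secs" => cfg.timeout_secs = value.parse().unwrap_or(0),
            "max_response_size" => cfg.max_response_size = value.parse().unwrap_or(0),
            _ => {}
        }
    }
    cfg
}

/// Report every default that the PR identifies as breaking the tool.
pub fn validate(cfg: &HttpRequestConfig) -> Vec<&'static str> {
    let mut findings = Vec::new();
    if cfg.allowed_domains.is_empty() {
        findings.push("allowed_domains is empty: the allowlist matches no host, so every call errors");
    }
    if cfg.timeout_secs == 0 {
        findings.push("timeout_secs = 0: every request fails at the transport layer");
    }
    if cfg.max_response_size == 0 {
        findings.push("max_response_size = 0: every response is truncated to an empty string");
    }
    findings
}

/// Allowlist check with the deny-all semantics the PR describes: an empty
/// list admits nothing. Exact, case-insensitive host match is an assumption.
pub fn host_allowed(cfg: &HttpRequestConfig, host: &str) -> bool {
    let host = host.to_ascii_lowercase();
    cfg.allowed_domains.iter().any(|d| *d == host)
}

/// Constructed sample: the default-zero table that triggers all three bugs.
pub const BROKEN_CONFIG: &str =
    "[http_request]\nallowed_domains = []\ntimeout_secs = 0\nmax_response_size = 0\n";

/// Constructed sample: the same table with every zero replaced. 524288 is the
/// value the PR reports resolving the empty-response bug; the domain and the
/// timeout are placeholders.
pub const FIXED_CONFIG: &str =
    "[http_request]\nallowed_domains = [\"api.example.com\"] # placeholder domain\ntimeout_secs = 30\nmax_response_size = 524288\n";

fn main() {
    for (name, text) in [("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)] {
        let cfg = parse_http_request_section(text);
        let findings = validate(&cfg);
        if findings.is_empty() {
            println!("{name}: ok, allowlist = {:?}", cfg.allowed_domains);
        } else {
            println!("{name}: {} finding(s)", findings.len());
            for f in &findings {
                println!("  - {f}");
            }
        }
    }
}
```

Run it against a copy of the deployment's config.toml before turning the tool on; any finding means the tool would fail in one of the three ways described above instead of surfacing a configuration error.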
Full working `[http_request]` config

Label Snapshot (required)

risk: low
size: XS
docs
tool: http_request

Change Metadata

docs
docs

Linked Issue

Validation Evidence (required)

All three bugs reproduced and verified on macOS (arm64), native launchd deployment, ZeroClaw 0.1.0:

- `timeout_secs = 0`: confirmed immediate transport failure
- `max_response_size = 0`: confirmed empty response, tool returned empty string; setting to 524288 resolved

Security Impact (required)

Privacy and Data Hygiene (required)

Compatibility / Migration

Human Verification (required)

`http_request` confirmed working end-to-end after all three fixes applied

Side Effects / Blast Radius (required)

Rollback Plan (required)

Risks and Mitigations