nav/Fabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: bump Plugin (MediaPaths SSRF fix); P14 verified-extent notes

Browse Source 
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
h z
2026-05-15 21:50:40 +01:00
parent edb2af5cbc
commit 5ab0eaf038
2 changed files with 13 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
docs/TEST_POINTS.md
View File

@@ -150,7 +150,7 @@ Guild1 :7002 = `test-guild1`, Guild2 :7003 = `test-guild2`, Frontend :8088).
| P11 | tools | `fabric-register`; `create-{chat,work,report,discussion}-channel` (→ x_type); `discussion-complete` (summary + close) |
| P12 | gateway lifecycle | starts inbound on `gateway_start`, stops on `gateway_stop`; no separate sidecar |
| P13 | full round-trip | human posts in Fabric → wakeup → agent runs → reply lands in channel as agent |
| P14 | file delivery to agent | message attachments downloaded with the agent's guild token to a temp dir; `MediaPaths`/`MediaTypes`/`MediaUrls` (+ singular) set on the finalized inbound context so the model receives the files |
| P14 | file delivery to agent | message attachments downloaded with the agent's guild token to a temp dir; **only local** `MediaPaths`/`MediaTypes` (+ singular) set on the finalized inbound context. No `MediaUrls` — the guild URL is a private host and openclaw's SSRF guard blocks re-fetching it (verified live: `fabric: fetched N attachment(s)`, SSRF WARN gone after the fix) |
## 8. Fabric.Backend.Guild — files & canvas
@@ -194,9 +194,17 @@ Guild1 :7002 = `test-guild1`, Guild2 :7003 = `test-guild2`, Frontend :8088).
`?access_token` download, 401, attachment persistence, canvas
share/update/replace/delete + sharer-only/access enforcement; retention
deadline asserted, sweep logic unit-level only — not waited out).
- **Plugin file delivery (P14)** is build- + install-verified and follows
the documented openclaw inbound media contract; a live agent media
round-trip was not re-exercised (reuses the validated P13 path).
- **Plugin file delivery (P14)** verified live up to the agent boundary:
human posts a file in Fabric → `wakeup` → plugin admits → **downloads
the attachment with the agent's guild token** and sets local
`MediaPaths` → inbound turn runs through the kernel and returns cleanly.
The agent→Fabric **reply leg (P13) could not be exercised** in the local
openclaw instance: it emits **zero agent replies on any channel** (no
responder wired — `echo` agentId is undefined so it falls back to
`main`, whose model produces no deliverable output). That is a
pre-existing environment gap, independent of Fabric. Bug found & fixed
during this test: `MediaUrls` (a `localhost` URL) tripped openclaw's
SSRF guard — now only local `MediaPaths` are passed.
- `discuss`/`work` differ only in x_type label; turn semantics identical —
test one, both covered.
- Desktop / Android submodules are out of scope (untouched).