Commit Graph

1 Commits

Author SHA1 Message Date
gerald Ruby
8262a03060 feat: add GitHub 2FA gate extension for sensitive tools
Add a new extension that gates sensitive tool calls (exec, Bash, Write,
Edit, NotebookEdit) behind GitHub Device Flow authentication. Users must
approve on GitHub Mobile or enter a code at github.com/login/device
before the bot can execute dangerous operations.

Key changes:
- Wire up before_tool_call hook in tool execution path (tool-hook-wrapper.ts)
- Create 2fa-github extension with:
  - GitHub Device Authorization Flow implementation
  - File-based session store with TTL (~/.clawdbot/2fa-sessions.json)
  - Non-blocking flow: returns immediately with code, user retries after approval
  - Configurable tool list and session TTL (default 30 min)

Configuration:
  plugins.entries.2fa-github.config.clientId: "Ov23..."
  # or GITHUB_2FA_CLIENT_ID env var

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 11:32:13 -08:00
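
The non-blocking gate and session TTL that the commit message describes, as an added TypeScript sketch that is not the extension's own code. `TwoFactorGate`, `beforeToolCall`, `startFlow` and `isApproved` are hypothetical names; the two GitHub Device Flow calls are replaced by injected stand-ins and the session store is an in-memory map rather than the JSON file.

```typescript
// Added example: every name below is hypothetical, not the extension's API.
type Pending = { userCode: string; expiresAt: number };
type Decision = { allow: boolean; reason?: string; userCode?: string };

const GATED = new Set(["exec", "Bash", "Write", "Edit", "NotebookEdit"]);
const SESSION_TTL_MS = 30 * 60 * 1000; // default TTL from the commit message

class TwoFactorGate {
  private verifiedAt = new Map<string, number>(); // userId -> approval time
  private pending = new Map<string, Pending>(); // userId -> open device flow
  private startFlow: (userId: string) => Pending; // stand-in: request a device code
  private isApproved: (userId: string) => boolean; // stand-in: one token poll
  private now: () => number; // injected clock so expiry is testable
  constructor(startFlow: (u: string) => Pending, isApproved: (u: string) => boolean, now: () => number) {
    this.startFlow = startFlow;
    this.isApproved = isApproved;
    this.now = now;
  }
  beforeToolCall(userId: string, tool: string): Decision {
    if (!GATED.has(tool)) return { allow: true };
    const t = this.now();
    const at = this.verifiedAt.get(userId);
    if (at !== undefined && t - at < SESSION_TTL_MS) return { allow: true };
    this.verifiedAt.delete(userId); // expired or absent: fail closed
    const p = this.pending.get(userId);
    if (p && t < p.expiresAt) {
      if (!this.isApproved(userId)) return { allow: false, reason: "approval pending", userCode: p.userCode };
      this.pending.delete(userId);
      this.verifiedAt.set(userId, t);
      return { allow: true };
    }
    const fresh = this.startFlow(userId); // non-blocking: hand back the code, do not wait
    this.pending.set(userId, fresh);
    return { allow: false, reason: "2FA required", userCode: fresh.userCode };
  }
}

// Constructed walk-through with a fake clock and a fake approval flag.
function demoRun(): Decision[] {
  let clock = 0;
  let approved = false;
  const gate = new TwoFactorGate(() => ({ userCode: "ABCD-1234", expiresAt: clock + 900000 }), () => approved, () => clock);
  const out = [gate.beforeToolCall("u1", "Read"), gate.beforeToolCall("u1", "Bash")];
  out.push(gate.beforeToolCall("u1", "Bash")); // retry before approval
  approved = true;
  out.push(gate.beforeToolCall("u1", "Bash")); // retry after approval
  clock += SESSION_TTL_MS; // session is now exactly at its TTL, so it has expired
  out.push(gate.beforeToolCall("u1", "Write"));
  return out;
}
```

The gate fails closed: an expired session or an expired device code always restarts the flow instead of reusing earlier state.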