Add blackwall-eliza-guardrail to the plugin registry #8302
Hey @bluetieroperations-create — could you rebase against latest
Hey @standujar — rebased onto latest
PR #8302 ('Add blackwall-eliza-guardrail') landed on develop carrying a second, undeclared entry — elizaos-plugin-coinrailz (tdnupe3), an x402/USDC micropayments + on-chain treasury plugin — despite the PR body stating 'existing entries unchanged.' An unvetted money-moving plugin should not enter the discovery registry under false pretenses. Removed the source entry and regenerated the wire file (blackwall, reddit-search #8347, @TheColony #8381 retained). If coinrailz is legitimate it should be re-listed via its own transparent, separately-reviewed PR.
* fix(remote-plugin): proxy action callbacks
* fix(polymarket): keep agent action read-only
* fix(remote-plugin): proxy dynamic event registration
* fix(hyperliquid): keep agent action read-only
* fix(eliza-classic): remove fake embedding handler
* fix(documents): reject placeholder image uploads
* wip: community registry (#8173) — checkpoint before moving to develop
* style(core): format advanced-memory memory-items to biome (tabs -> spaces) pure whitespace reformat (no logic change) so the bugfix in the next commit lands a minimal, reviewable diff; the file was tab-indented and biome enforces 2-space.
* fix(core): bound the rolling-summary prompt and first-store offset the advanced-memory summaryEvaluator had two coupled bugs that surface in busy rooms: 1. prompt() rendered the full allDialogueMessages (fetched with limit:1000, unbounded by tokens) on the no-existing-summary branch, while the stored lastMessageOffset only advances by summaryMaxNewMessages (default 50 / service config 20). a busy room's first summary therefore sent multi-million-token requests -> context_length_exceeded 400 -> the summary never stored -> the same oversized request retried forever, and messages were double-counted on the next run. 2. the first store set lastMessageOffset = totalDialogueCount (the whole backlog) while only the bounded slice was summarized, so every message past the slice was silently skipped on subsequent runs. fix: always prompt with the bounded summarizationMessages slice, and advance the first-store offset/messageCount by that slice (matching the existing-summary branch's newOffset) so the rolling summary builds up incrementally and bounded. drop the now-unused allDialogueMessages field from SummaryPrepared. add regression tests for the bounded prompt and the first-store offset.
* feat(registry): register elizaos-plugin-reddit-search as third-party plugin
* feat(cloud-shared): add domain_purchase_idempotency table An append-only idempotency ledger for domain purchases (unique key claimed before any money moves), mirroring app_image_generation_idempotency. Lets the buy route single-flight the credit debit + Cloudflare register so a retried or concurrent buy of the same domain cannot double-charge.
* fix(cloud-api): make domain purchase idempotent Claim a unique domain_purchase_idempotency key BEFORE debiting credits or calling Cloudflare; a concurrent/retried buy of the same domain short-circuits on the completed row's cached response instead of charging again. The purchase flow is extracted so a success caches its response and any failure releases the claim. Verified end to end on the mock stack: a second buy of the same domain replays the response with no second debit.
* Add EvoLink support to OpenAI plugin
* registry: rebase @thecolony/elizaos-plugin onto develop Resolves the generated-registry.json conflict from other plugin-add PRs that landed on develop. Replays the original change (new third-party entry + generated-registry.json addition) on top of the current develop tree, adding only @thecolony/elizaos-plugin and leaving the other entries untouched. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* fix(core): don't demote a model-chosen coding delegation to a simple direct reply the message-handler complete-direct-reply override (shouldPreferCompleteDirectReply) pulled a turn back to contexts=[simple]/requiresTool=false whenever the stage-1 ack read as a full sentence. terse-ack planners ("On it.") planned + spawned correctly, but a planner that writes a fuller ack ("On it — spawning a coding agent to build the page.") tripped looksLikeCompleteDirectReply and the coding sub-agent never spawned, even though the model had explicitly routed to a non-simple context AND named TASKS_SPAWN_AGENT in its own candidate list. guard the override: when the model committed to delegation on a structural coding-work request (non-simple context of its own + a runnable coding-delegation candidate it named itself), a verbose ack is still an ack, not a finished answer — keep planning. keyed on parsed plan shape + action registry + the existing coding-work classifier, so it's model-agnostic and regresses neither gpt-oss nor the poem/explanation direct-reply paths. live-proven: claude build now spawns + serves HTTP 200.
* fix(plugin-agent-orchestrator): route app-build spawns on the originating user request, not the planner's terse task on the claude TASKS_SPAWN_AGENT path the action's message.content.text is empty (the planner carries the prompt in the task arg + an envelope overwrites .text), so workdir-route matching saw no 'web page' keyword and app builds fell back to the scratch workspace instead of the hosted apps dir. recover the genuine originating request synchronously — message.content.currentMessageText first, then the state-composed RECENT_MESSAGES window, getMemories only as last resort (it races the not-yet-persisted current message) — and feed it to resolveSpawnWorkdir in both runCreate and runSpawnAgent. planner-independent; matchAny keywords untouched. +11 tests incl. fail-on-old.
* fix(plugin-codex-cli): make the codex planner work with the native-tools planner three gaps stopped the chatgpt codex backend from serving the v5 native-tools planner: - drop temperature + max_output_tokens from the request (the codex backend 400s on both for gpt-5.x reasoning models) - normalize strict:true tool schemas (required=all keys + additionalProperties:false + nullable optionals) so the backend accepts them - attach toolCalls to the streaming result so the runtime preserves native tool calls (mirrors plugin-openai); without it a tool-only response collapsed to an empty string and the planner logged no_tool_calls and replanned to the cap
* fix(plugin-agent-orchestrator): don't surface route-prefix or data-source URLs as the sub-agent deliverable a live-info turn (sub-agent fetches a value and returns just the number) was delivering a bare https://nubilio.org/apps/ URL instead of the answer. the spawn task carries a route 'URL Path Mapping' hint containing the bare apps prefix; the verify step probed that prefix (200, the index exists) and promoted it to a verified deliverable, clobbering the real reply. the data-source URL the task told the sub-agent to fetch (e.g. a coingecko endpoint) was promoted the same way. gate verified deliverable URLs to ROUTED hosted-artifact PAGES (/apps/<slug>/ or route-mapped pages); filter bare route-mapping prefixes out of the probe set. keys on the route-mapping + page shape, never user text. real app-build URL verification + the unverified-url evaluator are unaffected. +1 fail-on-old test.
* ci: make expensive lanes label-gated and explainable
* ci: split deterministic e2e into parallel slices
* ci: self-test path gate behavior
* docs: explain CI path gate policy
* ci: avoid coverage install on docs-only PRs
* feat(plugin-agent-orchestrator): add ack progress mode + dedupe spawn acks Adds an "ack" sub-agent progress mode for chat surfaces (Discord etc.): post one clean spawn acknowledgment, never edit it in place, and let the completion evaluator's synthesis be the separate final message. - read progress settings from process.env as a fallback (runtime.getSetting reads character settings only, so an env-only ACPX_PROGRESS_MODE was silently ignored) - post the ack on the first session event of any kind, so it is reliable on fast backends that reach task_complete before any narration flush - guard duplicate acks: a synchronous in-flight claim for concurrent events plus a per-session marker that survives trailing post-completion events (some sub-agents emit message events after task_complete) - suppress the completion post in ack/silent mode so it cannot compete with the synthesis (the un-edited ack keeps its single ✅ completion reaction) - dedupe against the planner's own acknowledgment via plannerAlreadyAckedSpawn (unit-tested): if the planner already replied in the spawn turn, stay silent instead of posting a second ack
* fix(core): bound relationships provider output The relationships provider JSON.stringify'd every entity's full metadata for up to 30 relationships, ballooning its output to 80k+ chars on busy agents. That pushed the planner prompt past small-context models' limits (e.g. Cerebras gpt-oss-120b's 131k ceiling: "Current length is 153785 while limit is 131000"), failing the turn outright. Bound the output: 240 chars of metadata per entity and 4000 chars total. Relationships are already sorted by interaction strength, so the kept ones are the most relevant. Names, tags, and interaction strength — the actual signal — are preserved; only the unbounded raw-metadata dump is trimmed.
* fix: address CI docs review comments
* fix(ci): stop Cloud Live E2E swallowing real failures as 'provider unavailable' The soft-fail grep matched the whole vitest log for loose phrases, and one of them ('credit balance') matches the test title 'gets credit balance and summary' — which prints on every run. So any non-zero exit got rewritten to exit 0 and the job shipped green. On the last green develop run the suite actually reported 2 failed | 4 passed | 12 skipped (a real 403 access_denied from a CI key missing containers:read, plus a CLI-login timeout) and nobody saw it. It also lumped 401/403 auth/permission into 'provider unavailable', so a genuine authz regression could never redden the job. Tighten the allowlist to only real provider-side unavailability (HTTP 429/5xx, quota/credit exhaustion, network errors), anchored to status codes/error tokens so it can't collide with a test title. 4xx auth/permission, assertion failures and timeouts now fall through to exit 1.
* chore: regenerate prompt action docs
* test: ignore optional vrm load warning in app smoke
* fix: make scenario coverage gate deterministic
* fix(cloud): default agent image to ghcr.io/elizaos/eliza:stable + anonymous-pull registry login (PR #8292 cloud subset) Curated subset of PR #8292: takes only the cloud-provisioning fix (the 'unauthorized' error was a Docker registry pull failure against docker.io for the bare elizaos/eliza:latest default, not an API auth bypass). Points the default at containersEnv.defaultAgentImage() (ghcr.io/elizaos/eliza:stable) and lets docker pull negotiate an anonymous token for public images. Drops the PR's unrelated iOS/onboarding/UI/lockfile churn (28 files). Added a logger.warn on the credential-absent path so a private-registry misconfig is observable instead of a silent early return. Reviewed: MERGE_WITH_FIXES (scope-limited).
* fix(registry): remove smuggled elizaos-plugin-coinrailz; regenerate PR #8302 ('Add blackwall-eliza-guardrail') landed on develop carrying a second, undeclared entry — elizaos-plugin-coinrailz (tdnupe3), an x402/USDC micropayments + on-chain treasury plugin — despite the PR body stating 'existing entries unchanged.' An unvetted money-moving plugin should not enter the discovery registry under false pretenses. Removed the source entry and regenerated the wire file (blackwall, reddit-search #8347, @TheColony #8381 retained). If coinrailz is legitimate it should be re-listed via its own transparent, separately-reviewed PR.
* fix(models): actually stop recommending flaky :nitro (PR #8426 follow-up) PR #8426 removed the inline recommended flag/tag from the openai/gpt-oss-120b:nitro catalog entry, but annotateCatalogModel re-added it from BITROUTER_RECOMMENDED_MODEL_IDS, so the served catalog still badged :nitro 'recommended'. Repoint that set at the healthy Cerebras small/large defaults so the recommended badge follows the models #8426 intended (and not the 503-prone gateway path).
* style(cloud-shared): biome organizeImports for PR #8272 schema export + #8292 import Fixes the two assist/source/organizeImports errors the Cloud Tests lane caught: domain-purchase-idempotency export (PR #8272) and the docker-sandbox-provider import (PR #8292 subset) were inserted out of sort order.
* style(plugin-codex-cli): biome format index.ts (PR #8409 reflow) Collapses the multi-line logger.info reflow PR #8409 introduced so format:check (Quality Extended lane) passes.
* style(core): tabs for advanced-memory memory-items (PR #8290) packages/core/biome.json is an empty config (no extends) so core uses biome's default TAB indent, not the root space config. PR #8290 committed these two files in spaces; convert to tabs so packages/core format:check passes.
* style(plugin-agent-orchestrator): biome format strip-progress-label-prefix test (PR #8416)
---------
Co-authored-by: Shaw <shaw@elizaos.ai>
Co-authored-by: NubsCarson <autonomousresearcher@gmail.com>
Co-authored-by: Xavier Arosemena <arosemena.xavier@gmail.com>
Co-authored-by: 2AM <96268540+2-A-M@users.noreply.github.com>
Co-authored-by: EvolinkAI <hello@evolink.ai>
Co-authored-by: Colin Easton <colonist.one@thecolony.cc>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: NubsCarson <nubs@nubs.site>
Co-authored-by: Odilitime <janesmith@airmail.cc>
Co-authored-by: standujar <s.andujar@proton.me>
…8382 listing
My earlier removal targeted the DECEPTIVE injection in PR #8302 (coinrailz smuggled behind blackwall, PR body falsely claiming 'existing entries unchanged'). But coinrailz was also registered independently and transparently via PR #8382 (dedicated PR, full capability disclosure, non-custodial — agents sign their own txns). That resolves the deception concern, so honor the maintainer-accepted #8382 listing rather than revert it. blackwall + #8347 + #8381 entries retained.
What

Adds a third-party registry entry for blackwall-eliza-guardrail (published, v0.2.1) — a pre-action risk guardrail for elizaOS agents.

It wraps every registered action handler at init() with a forecast() risk check (BLACK_WALL) so STOP-rated actions abort before they run, plus an opt-in gateCall() for per-call gating inside multi-step handlers. Defaults to observe mode (logs verdicts, never aborts — zero behavior change), so it's safe to drop in; flip to enforce once trusted.

blackwall-eliza-guardrail@0.2.1 · MIT · ESM
keywords include elizaos

Changes

entries/third-party/blackwall-eliza-guardrail.json — source entry.
generated-registry.json — regenerated via the package's transform; only the new entry inserted, existing entries unchanged.

Validates against schema/registry-entry.schema.json (unscoped name, not @elizaos/*; required package/repository/kind present).
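The maintainer's finding above (a second entry landing alongside the one the PR declared) is the kind of drift a review gate can catch mechanically. As an added example that is not code from the elizaOS registry or the blackwall plugin, the TypeScript below checks an entry against the constraints the PR body names and diffs the regenerated wire file against the declared additions; the entry shape, the example.invalid URLs and the sample entries are constructed assumptions.

```typescript
// Added example, not code from the elizaOS registry or the blackwall plugin. The entry
// shape is an assumption modelled on the fields the PR body names; sample data is constructed.
interface RegistryEntry { name: string; package: string; repository: string; kind: string; }
interface RegistryFile { entries: RegistryEntry[]; }
// Per-entry checks the PR body cites: not under the reserved @elizaos/* scope,
// and package/repository/kind all present.
function validateThirdPartyEntry(entry: RegistryEntry): string[] {
  const problems: string[] = [];
  if (entry.name.startsWith("@elizaos/")) problems.push(`${entry.name}: @elizaos/* scope is reserved`);
  for (const field of ["package", "repository", "kind"] as const) {
    if (!entry[field]) problems.push(`${entry.name}: missing required field "${field}"`);
  }
  return problems;
}
// Index a wire file by entry name so additions, edits and removals can be compared.
function entryIndex(file: RegistryFile): Map<string, string> {
  const index = new Map<string, string>();
  file.entries.forEach((e) => index.set(e.name, JSON.stringify(e)));
  return index;
}
// Compare the regenerated wire file with the base branch's and report anything beyond the
// additions the PR declares: undeclared entries, edits or removals, and declared entries that never landed.
function auditRegistryDiff(before: RegistryFile, after: RegistryFile, declared: string[]): string[] {
  const findings: string[] = [];
  const prev = entryIndex(before);
  const next = entryIndex(after);
  next.forEach((json, name) => {
    if (!prev.has(name)) {
      if (declared.indexOf(name) === -1) findings.push(`undeclared new entry: ${name}`);
    } else if (prev.get(name) !== json) {
      findings.push(`existing entry modified: ${name}`);
    }
  });
  prev.forEach((_json, name) => { if (!next.has(name)) findings.push(`existing entry removed: ${name}`); });
  declared.forEach((name) => { if (!next.has(name)) findings.push(`declared entry missing: ${name}`); });
  return findings;
}
// Constructed sample: the PR declares one new entry, but the regenerated file carries two.
const reddit: RegistryEntry = { name: "elizaos-plugin-reddit-search", package: "elizaos-plugin-reddit-search", repository: "https://example.invalid/reddit-search", kind: "plugin" };
const base: RegistryFile = { entries: [reddit] };
const regenerated: RegistryFile = { entries: [
  reddit,
  { name: "blackwall-eliza-guardrail", package: "blackwall-eliza-guardrail", repository: "https://example.invalid/blackwall", kind: "plugin" },
  { name: "elizaos-plugin-coinrailz", package: "elizaos-plugin-coinrailz", repository: "https://example.invalid/coinrailz", kind: "plugin" },
] };
// Runs the audit on the constructed sample; only the undeclared second entry is reported.
function runSampleAudit(): string[] {
  return auditRegistryDiff(base, regenerated, ["blackwall-eliza-guardrail"]);
}
```

In a CI lane the declared list would come from the entry files added under entries/third-party/ in the PR, so the gate fails whenever the regenerated file drifts from what the PR actually adds.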