Merge branch 'pr-7891' into develop

PR #7891: harden Steward checkout callback

Conflict resolutions:
- gitleaks.yml: took pr-7891 env-var/RANGE_ARGS pattern, dropped dangling --log-opts
- dev-route-catalog.ts: kept HEAD Hidden/requiresAuth=true (newer)
- build-llama-cpp-dflash-targets.test.mjs: kept HEAD darwin-arm64-metal-fused assertion
- android-bridge.test.ts: kept HEAD test description
- _router.generated.ts: regenerated (560 routes)

Post-merge fixes:
- steward-nonce-exchange/route.ts: removed unconditional token/refreshToken
  override that bypassed shouldReturnClientToken origin gate (Greptile P1).

Author: Shaw

.github/workflows/cloud-e2e.yml

@@ -52,6 +52,7 @@ jobs:
         run: bun run cloud:e2e
         env:
           CI: "true"
+          CLOUD_E2E: "1"
           # mocks read these
           MOCK_REDIS: "1"
           MOCK_HETZNER_LATENCY: "0"

.github/workflows/gitleaks.yml

@@ -39,31 +39,30 @@ jobs:
           gitleaks version
 
       - name: Run gitleaks
-        # Scan only the PR/push commit range. The checkout still fetches full
-        # history above so these ranges resolve, but pre-existing historical
-        # findings do not block unrelated source-only PRs.
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          BEFORE_SHA: ${{ github.event.before }}
+          CURRENT_SHA: ${{ github.sha }}
         run: |
           set -euo pipefail
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            log_opts="${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}"
-          else
-            before="${{ github.event.before }}"
-            if [[ "$before" =~ ^0+$ ]]; then
-              log_opts="${{ github.sha }}^..${{ github.sha }}"
-            else
-              log_opts="${before}..${{ github.sha }}"
-            fi
+          RANGE_ARGS=()
+          if [[ "$EVENT_NAME" == "pull_request" ]]; then
+            RANGE_ARGS=(--log-opts "${PR_BASE_SHA}..${PR_HEAD_SHA}")
+          elif [[ -n "$BEFORE_SHA" && "$BEFORE_SHA" != "0000000000000000000000000000000000000000" ]]; then
+            RANGE_ARGS=(--log-opts "${BEFORE_SHA}..${CURRENT_SHA}")
           fi
-          echo "Scanning gitleaks range: ${log_opts}"
+
           gitleaks detect \
             --config .gitleaks.toml \
             --source . \
-            --log-opts "$log_opts" \
             --verbose \
             --redact \
             --report-format sarif \
             --report-path gitleaks.sarif \
-            --no-banner
+            --no-banner \
+            "${RANGE_ARGS[@]}"
 
       - name: Upload SARIF
         if: always()

packages/app-core/scripts/build-llama-cpp-dflash-targets.test.mjs

@@ -30,11 +30,14 @@ test("unsupported mobile fused targets fail closed with explicit diagnostics", (
   ];
 
   for (const [target, pattern] of cases) {
-    assert.throws(() => parseArgs(["--target", target, "--dry-run"]), (err) => {
-      const message = err instanceof Error ? err.message : String(err);
-      assert.match(message, pattern, message);
-      assert.match(message, new RegExp(target), message);
-      return true;
-    });
+    assert.throws(
+      () => parseArgs(["--target", target, "--dry-run"]),
+      (err) => {
+        const message = err instanceof Error ? err.message : String(err);
+        assert.match(message, pattern, message);
+        assert.match(message, new RegExp(target), message);
+        return true;
+      },
+    );
   }
 });

packages/app-core/scripts/pack-upstreams.mjs

@@ -55,6 +55,10 @@ const SEED_TARGETS = [
     label: "@elizaos/skills",
     dir: path.join(ELIZA_ROOT, "packages", "skills"),
   },
+  {
+    label: "@elizaos/security",
+    dir: path.join(ELIZA_ROOT, "packages", "security"),
+  },
   {
     label: "@elizaos/app-core",
     dir: path.join(ELIZA_ROOT, "packages", "app-core"),

packages/cloud-api/auth/steward-nonce-exchange/route.ts

@@ -9,9 +9,14 @@
  * 3. This route forwards to Steward `POST /auth/oauth/exchange`, which
  *    consumes the code and returns `{ token, refreshToken, expiresAt }`.
  * 4. We verify the JWT (same path as `/api/auth/steward-session`), sync the
- *    user, set the HttpOnly cookies, and return `{ ok, userId }`.
+ *    user, set the HttpOnly cookies, and return `{ ok, userId }`. The
+ *    elizaos.ai hardware checkout origin also receives the access token so
+ *    its cross-site Stripe checkout POST can use Bearer auth; refresh stays
+ *    cookie-only.
  *
- * The access and refresh tokens never enter the browser process at any point.
+ * The refresh token never enters the browser process; the access token is
+ * returned only to the hardware checkout origin that still has to authenticate
+ * a cross-site Stripe checkout request with Bearer auth.
  *
  * Origin/Referer CSRF check mirrors `/api/auth/steward-session` exactly — the
  * route is callable from `*.elizacloud.ai` and `elizaos.ai` only (plus
@@ -99,6 +104,16 @@ function checkOrigin(
   };
 }
 
+function shouldReturnClientToken(
+  c: { req: { header: (name: string) => string | undefined } },
+  isProduction: boolean,
+): boolean {
+  const origin =
+    originHost(c.req.header("origin")) ?? originHost(c.req.header("referer"));
+  if (origin === "elizaos.ai" || origin === "www.elizaos.ai") return true;
+  return !isProduction && origin !== null && LOCAL_DEV_ORIGIN_HOSTS.has(origin);
+}
+
 // ─── Helpers ──────────────────────────────────────────────────────────────
 
 function stewardSecretConfigured(env: StewardVerifyEnv): boolean {
@@ -396,8 +411,7 @@ app.post("/", async (c) => {
     stewardUserId: claims.userId,
     expiresAt: exchange.data.expiresAt,
     expiresIn: exchange.data.expiresIn,
-    token,
-    refreshToken,
+    ...(shouldReturnClientToken(c, isProduction) ? { token, refreshToken } : {}),
   });
 });
 

packages/cloud-api/crypto/direct-payments/config/route.ts

@@ -0,0 +1,16 @@
+import { Hono } from "hono";
+
+import {
+  RateLimitPresets,
+  rateLimit,
+} from "@/lib/middleware/rate-limit-hono-cloudflare";
+import { directWalletPaymentsService } from "@/lib/services/direct-wallet-payments";
+import type { AppEnv } from "@/types/cloud-worker-env";
+
+const app = new Hono<AppEnv>();
+
+app.get("/", rateLimit(RateLimitPresets.STANDARD), (c) => {
+  return c.json(directWalletPaymentsService.getConfig(c.env));
+});
+
+export default app;

packages/cloud-api/src/_router.generated.ts

@@ -2,7 +2,7 @@
  * AUTO-GENERATED by src/_generate-router.mjs - do not edit by hand.
  * Re-run `bun run codegen` after adding or removing a route.ts file.
  *
- * 559 routes mounted, 0 skipped (still Next-shaped).
+ * 560 routes mounted, 0 skipped (still Next-shaped).
  */
 
 /* eslint-disable */
@@ -77,6 +77,7 @@ import _route_cron_process_stripe_queue_route from "../cron/process-stripe-queue
 import _route_cron_release_pending_earnings_route from "../cron/release-pending-earnings/route";
 import _route_cron_sample_eliza_price_route from "../cron/sample-eliza-price/route";
 import _route_cron_social_automation_route from "../cron/social-automation/route";
+import _route_crypto_direct_payments_config_route from "../crypto/direct-payments/config/route";
 import _route_crypto_direct_payments_p_id_attach_tx_route from "../crypto/direct-payments/[id]/attach-tx/route";
 import _route_crypto_direct_payments_p_id_confirm_route from "../crypto/direct-payments/[id]/confirm/route";
 import _route_crypto_direct_payments_p_id_route from "../crypto/direct-payments/[id]/route";
@@ -722,6 +723,10 @@ export function mountRoutes(app: Hono<AppEnv>): void {
     _route_cron_sample_eliza_price_route,
   );
   app.route("/api/cron/social-automation", _route_cron_social_automation_route);
+  app.route(
+    "/api/crypto/direct-payments/config",
+    _route_crypto_direct_payments_config_route,
+  );
   app.route(
     "/api/crypto/direct-payments/:id/attach-tx",
     _route_crypto_direct_payments_p_id_attach_tx_route,

packages/cloud-frontend/src/dashboard/security/permissions/_components/plugin-permissions-page-client.tsx

@@ -6,7 +6,7 @@ import {
   useSetPageHeader,
 } from "@elizaos/ui";
 import { Puzzle } from "lucide-react";
-import { useCallback, useEffect, useState } from "react";
+import { useEffect, useState } from "react";
 import { toast } from "sonner";
 import { ApiError, api, apiFetch } from "@/lib/api-client";
 import { emitAuditEvent } from "@/lib/security/audit-client";

packages/cloud-shared/src/lib/services/__tests__/direct-wallet-payments.integration.test.ts

@@ -161,16 +161,13 @@ if (SUPPORTS_VITEST_MOCK_API)
     };
   });
 
-// Solana — we don't test the Solana confirm path through verify (would need a
-// huge mock of getParsedTransaction + ATA owner check). The Solana createPayment
-// is exercised separately though, so we still need these imports to resolve.
-// Mutable state read by the spl-token / Connection mocks to flip behavior per
-// test. Hoisted so `vi.mock(...)` factories — which run before module init —
-// can capture a reference.
-const solanaTestState = vi.hoisted(() => ({
+const createSolanaTestState = () => ({
   ataOwnerOverride: null as Uint8Array | null,
   parsedTxOverride: null as unknown,
-}));
+});
+
+const solanaTestState =
+  typeof vi.hoisted === "function" ? vi.hoisted(createSolanaTestState) : createSolanaTestState();
 
 if (SUPPORTS_VITEST_MOCK_API)
   vi.mock("@solana/spl-token", async () => {

packages/core/src/__tests__/service-type-collisions.test.ts

@@ -50,6 +50,29 @@ const serviceTypeValuesByMember = new Map(
 );
 
 const duplicateServiceTypeAllowlist = new Map<string, AllowlistEntry>([
+	[
+		"capability-router",
+		{
+			reason:
+				"Runtime capability routing keeps local, remote, and E2B implementations in one capability-router discovery slot while the strategy-table migration is in progress.",
+			classes: new Set([
+				"packages/core/src/services/runtime-capability-service.ts:RuntimeCapabilityService",
+				"packages/agent/src/services/e2b-capability-router.ts:E2BRemoteCapabilityRouterService",
+				"packages/agent/src/services/remote-capability-router.ts:RemoteCapabilityRouterService",
+			]),
+		},
+	],
+	[
+		"xr-session",
+		{
+			reason:
+				"Hearwear and XR plugins expose the same XR session service contract for different runtime surfaces; only the enabled plugin registers its implementation.",
+			classes: new Set([
+				"plugins/plugin-hearwear/src/services/xr-session-service.ts:XRSessionService",
+				"plugins/plugin-xr/src/services/xr-session-service.ts:XRSessionService",
+			]),
+		},
+	],
 	[
 		"trajectories",
 		{