Add Picoclaw guardian + posture-review skills at v0.0.1 with wiki docs (#208)

* Add Picoclaw guardian + posture-review skills at v0.0.1 with wiki docs * fix(feed): add picoclaw to core platform taxonomy and filters * fix(picoclaw): resolve eslint errors in new skills * chore(nvd): include picoclaw in CVE polling and cleanup report --------- Co-authored-by: David Abutbul <David.a@prompt.security>
2026-06-13 05:28:02 +03:00 · 2026-04-26 14:19:18 +03:00
parent c53463c445
commit 0d2e38ddfd
35 changed files with 1618 additions and 16 deletions
@@ -0,0 +1,63 @@
+# Picoclaw Security Guardian
+
+## Summary
+
+Current package version: `v0.0.1`.
+
+`picoclaw-security-guardian` is the core Picoclaw package for:
+1. advisory awareness (fail-closed on unverified feed state),
+2. deterministic profile generation + drift detection,
+3. release artifact supply-chain verification.
+
+Self-pen-testing checks were intentionally split out into `picoclaw-self-pen-testing` so moderation-sensitive logic can be published/managed independently.
+
+## Responsibilities
+
+- Filter Picoclaw-relevant advisories from verified ClawSec feed state/cache.
+- Build deterministic posture profiles from Picoclaw config/security files and optional release artifacts.
+- Compare baseline vs current profile with severity-ranked findings.
+- Verify release artifacts with checksum manifest + required detached signature for passing provenance verdicts.
+
+## Default safety posture
+
+- Read-only by default
+- No scheduler creation
+- No outbound network by default
+- Advisory checks fail closed unless verification state is `verified` (or explicit `--allow-unsigned` override)
+- Supply-chain verification requires detached-signature verification for a passing provenance result
+
+## Verification commands
+
+```bash
+python utils/validate_skill.py skills/picoclaw-security-guardian
+node skills/picoclaw-security-guardian/test/profile.test.mjs
+node skills/picoclaw-security-guardian/test/drift.test.mjs
+node skills/picoclaw-security-guardian/test/supply_chain.test.mjs
+bash -n skills/picoclaw-security-guardian/test/picoclaw_security_guardian_sandbox_regression.sh
+```
+
+## Picoclaw-native sandbox regression
+
+`skills/picoclaw-security-guardian/test/picoclaw_security_guardian_sandbox_regression.sh` publishes the package via a local ClawHub-compatible registry, installs through Picoclaw `find_skills` / `install_skill`, validates skill-loader visibility, and runs installed profile/drift/advisory/supply-chain flows against isolated Picoclaw fixtures.
+
+## Related package
+
+- `skills/picoclaw-self-pen-testing/` (optional separate self-pen-testing package)
+
+## Source references
+
+- `skills/picoclaw-security-guardian/skill.json`
+- `skills/picoclaw-security-guardian/SKILL.md`
+- `skills/picoclaw-security-guardian/README.md`
+- `skills/picoclaw-security-guardian/lib/profile.mjs`
+- `skills/picoclaw-security-guardian/lib/drift.mjs`
+- `skills/picoclaw-security-guardian/lib/advisories.mjs`
+- `skills/picoclaw-security-guardian/lib/supply_chain.mjs`
+- `skills/picoclaw-security-guardian/scripts/generate_profile.mjs`
+- `skills/picoclaw-security-guardian/scripts/check_drift.mjs`
+- `skills/picoclaw-security-guardian/scripts/check_advisories.mjs`
+- `skills/picoclaw-security-guardian/scripts/verify_supply_chain.mjs`
+- `skills/picoclaw-security-guardian/test/profile.test.mjs`
+- `skills/picoclaw-security-guardian/test/drift.test.mjs`
+- `skills/picoclaw-security-guardian/test/supply_chain.test.mjs`
+- `skills/picoclaw-security-guardian/test/picoclaw_security_guardian_sandbox_regression.sh`