fix(attestation): include runtime libs in release sbom (#235)

* fix(attestation): include runtime libs in release sbom * ci: verify staged skill release import closure * fix(release): include missing skill runtime sbom files * fix(release): require files for import closure --------- Co-authored-by: David Abutbul <David.a@prompt.security>
2026-06-13 05:28:02 +03:00 · 2026-05-17 00:40:12 +03:00
parent 1e48a955cc
commit 19c5113511
12 changed files with 206 additions and 8 deletions
@@ -5,6 +5,12 @@ All notable changes to the ClawSec Suite will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

+## [0.1.8] - 2026-05-16
+
+### Fixed
+
+- Added the advisory scope and suppression runtime helpers to `skill.json` SBOM metadata so release archives include every file required by the advisory guardian hook.
+
 ## [0.1.7] - 2026-04-16

 ### Changed
@@ -1,6 +1,6 @@
 ---
 name: clawsec-suite
-version: 0.1.7
+version: 0.1.8
 description: ClawSec suite manager with embedded advisory-feed monitoring, cryptographic signature verification, approval-gated malicious-skill response, and guided setup for additional security skills.
 homepage: https://clawsec.prompt.security
 clawdis:
@@ -1,6 +1,6 @@
 {
  "name": "clawsec-suite",
-  "version": "0.1.7",
+  "version": "0.1.8",
  "description": "ClawSec suite manager with embedded advisory-feed monitoring, cryptographic signature verification, approval-gated malicious-skill response, and guided setup for additional security skills.",
  "author": "prompt-security",
  "license": "AGPL-3.0-or-later",
@@ -85,6 +85,11 @@
        "required": true,
        "description": "Shared semver parsing and version matching logic"
      },
+      {
+        "path": "hooks/clawsec-advisory-guardian/lib/advisory_scope.mjs",
+        "required": true,
+        "description": "Advisory application-scope filtering helper for OpenClaw-facing flows"
+      },
      {
        "path": "hooks/clawsec-advisory-guardian/lib/feed.mjs",
        "required": true,
@@ -110,6 +115,11 @@
        "required": true,
        "description": "Advisory-to-skill matching and alert message generation"
      },
+      {
+        "path": "hooks/clawsec-advisory-guardian/lib/suppression.mjs",
+        "required": true,
+        "description": "Advisory suppression loading and matching helpers"
+      },
      {
        "path": "scripts/setup_advisory_hook.mjs",
        "required": true,
@@ -1,5 +1,10 @@
 # Changelog

+## [0.1.2] - 2026-05-15
+
+### Fixed
+- Included `lib/semver.mjs` and `lib/cron.mjs` in the release SBOM so signed archives contain every runtime library imported by shipped scripts.
+
 ## [0.1.1] - 2026-05-13

 ### Security
@@ -1,6 +1,6 @@
 ---
 name: hermes-attestation-guardian
-version: 0.1.1
+version: 0.1.2
 description: Hermes-only runtime security attestation and drift detection skill for operator-managed Hermes infrastructure.
 homepage: https://clawsec.prompt.security
 hermes:
@@ -24,7 +24,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
 set -euo pipefail

 SKILL_NAME="hermes-attestation-guardian"
-VERSION="0.1.1"
+VERSION="0.1.2"
 REPO="prompt-security/clawsec"
 TAG="${SKILL_NAME}-v${VERSION}"
 BASE="https://github.com/${REPO}/releases/download/${TAG}"
@@ -1,6 +1,6 @@
 {
  "name": "hermes-attestation-guardian",
-  "version": "0.1.1",
+  "version": "0.1.2",
  "description": "Hermes-only runtime security attestation and drift detection skill. Generates deterministic posture artifacts, verifies integrity fail-closed, and classifies baseline drift severity.",
  "author": "prompt-security",
  "license": "AGPL-3.0-or-later",
@@ -46,6 +46,16 @@
        "required": true,
        "description": "Hermes-native advisory feed verification and state helpers"
      },
+      {
+        "path": "lib/semver.mjs",
+        "required": true,
+        "description": "Advisory version-range parsing and matching helpers"
+      },
+      {
+        "path": "lib/cron.mjs",
+        "required": true,
+        "description": "Shared managed cron block and cadence helpers"
+      },
      {
        "path": "scripts/generate_attestation.mjs",
        "required": true,
@@ -1,5 +1,10 @@
 # Changelog

+## [0.1.6] - 2026-05-16
+
+### Fixed
+- Added `scripts/load_suppression_config.mjs` to `skill.json` SBOM metadata so release archives include the helper imported by `scripts/render_report.mjs`.
+
 ## [0.1.5] - 2026-05-14

 ### Security
@@ -1,6 +1,6 @@
 ---
 name: openclaw-audit-watchdog
-version: 0.1.5
+version: 0.1.6
 description: Automated daily security audits for OpenClaw agents with DM delivery and optional email reporting. Runs deep audits, creates or updates a recurring cron job, and sends formatted reports to configured recipients.
 homepage: https://clawsec.prompt.security
 metadata:
@@ -74,7 +74,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
 set -euo pipefail

 SKILL_NAME="openclaw-audit-watchdog"
-VERSION="0.1.5"
+VERSION="0.1.6"
 REPO="prompt-security/clawsec"
 TAG="${SKILL_NAME}-v${VERSION}"
 BASE="https://github.com/${REPO}/releases/download/${TAG}"
@@ -1,6 +1,6 @@
 {
  "name": "openclaw-audit-watchdog",
-  "version": "0.1.5",
+  "version": "0.1.6",
  "description": "Automated daily security audits for OpenClaw agents with DM delivery and optional email reporting. Creates or updates an unattended cron job and sends formatted reports to configured recipients.",
  "author": "prompt-security",
  "license": "AGPL-3.0-or-later",
@@ -52,6 +52,11 @@
        "required": false,
        "description": "SMTP delivery (Node.js)"
      },
+      {
+        "path": "scripts/load_suppression_config.mjs",
+        "required": false,
+        "description": "Suppression configuration loading and path normalization used by report rendering"
+      },
      {
        "path": "scripts/setup_cron.mjs",
        "required": false,