* ci(skills): publish release trust packets
* ci(skills): simulate beta tag releases
* ci(skills): match release version bump rules
* chore(skills): group agent skills for installer
* chore(skills): make clawtributor global
* chore(skills): bump all skills for trust release
* ci(skills): require npx install docs
* fix(skills): simulate prerelease tag versions
* fix(skills): aggregate trust artifact checksum failures
* fix(frontend): advertise npx skills suite install
* chore(frontend): drop ad hoc homepage copy test
* fix(ci): run skill release tooling tests
* feat(i18n): add multilingual wiki scaffolding, language switcher, and translation QA pipeline
* docs(readme): adopt picoclaw-style multilingual link bar
* fix(i18n): repair localized index links and tighten partial-pair QA
* ci(i18n): fail on broken markdown links in README/wiki
* ci(i18n): add changed-files mode for markdown link checks
* i18n(de): use local Argos MT to fill untranslated German sections
* i18n(es,fr): fill untranslated sections via local Argos workflow
* i18n(ja): fill untranslated sections with scoped local Argos pass
* i18n(ko): fill untranslated sections with scoped local Argos pass
* fix(i18n): address review feedback
---------
Co-authored-by: David Abutbul <David.a@prompt.security>
* Add Picoclaw guardian + posture-review skills at v0.0.1 with wiki docs
* fix(feed): add picoclaw to core platform taxonomy and filters
* fix(picoclaw): resolve eslint errors in new skills
* chore(nvd): include picoclaw in CVE polling and cleanup report
---------
Co-authored-by: David Abutbul <David.a@prompt.security>
* feat: add severity filter tabs to advisory feed page
Add horizontal severity filter tabs (All, Critical, High, Medium, Low)
to the advisory feed page. Advisories are filtered by CVSS score ranges
matching NVD conventions. Tab counts update dynamically.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor: extract severity filter tabs into data-driven map
Replace five duplicated button blocks with a SEVERITY_TABS metadata
array and a single .map() loop. Class strings are kept as full literals
for Tailwind purge compatibility.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor: replace filteredAdvisories state with useMemo
filteredAdvisories is derived from advisories + selectedSeverity and
should not be independent state. Replace useState + filtering useEffect
with a single useMemo. Keep a minimal useEffect that only resets
currentPage on dependency changes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: add platform filter tabs (OpenClaw / NanoClaw) to advisory feed
Add a second row of filter tabs for platform selection using the clawd
color palette. Add platforms field to Advisory type to match feed data.
Both severity and platform filters compose via useMemo.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: extract shared FilterTabs component and treat missing platforms as universal
Extract a reusable FilterTabs component so severity and platform tab
rows share identical markup. Fix platform filter to treat advisories
with missing or empty platforms as matching all platforms, preventing
legacy entries from being silently dropped.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* auto-claude: subtask-1-1 - Create config loading utility with multi-path fallback
Created load_suppression_config.mjs with:
- Multi-path fallback: ~/.openclaw/security-audit.json -> .clawsec/allowlist.json
- Environment variable support (OPENCLAW_AUDIT_CONFIG)
- Custom path support via CLI argument
- Schema validation (checkId, skill, reason, suppressedAt required)
- Malformed JSON error handling
- Graceful fallback to empty suppressions when no config exists
- ISO 8601 date format validation with warnings
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-1-2 - Create example config file template
- Added security-audit-config.example.json with two suppression examples
- Included examples for clawsec-suite and openclaw-audit-watchdog
- Created comprehensive README.md explaining configuration format
- All required fields documented (checkId, skill, reason, suppressedAt)
- ISO 8601 date format demonstrated
- JSON validated successfully
* auto-claude: subtask-1-3 - Add unit tests for config loading
Added comprehensive unit tests for suppression config loading:
- Valid config with all required fields
- Malformed date warning (non-blocking)
- Missing required field validation
- Malformed JSON error handling
- File not found graceful fallback
- Custom path priority
- Environment variable override
- Missing/empty suppressions array handling
All 10 tests passing.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-2-1 - Add suppression filtering to render_report.mjs
Implements suppression filtering logic for security audit findings:
- Import loadSuppressionConfig for config loading
- Add --config CLI argument for custom config paths
- Create extractSkillName() to extract skill names from findings (tries multiple fields)
- Create filterFindings() to split findings into active/suppressed
- Match suppressions by BOTH checkId AND skill name (exact match required)
- Attach suppression metadata (reason, suppressedAt) to suppressed findings
- Modify render() to accept suppressedFindings parameter
- Apply filtering in main execution before rendering
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-2-2 - Add INFO-SUPPRESSED section to report output
- Added lineForSuppressedFinding() to format suppressed findings
- Added INFO-SUPPRESSED section showing suppressed findings with reason and date
- Suppressed findings are not counted in summary (already filtered)
- Follows existing code patterns for report sections
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-3-1 - Add --config flag to run_audit_and_format.sh
- Added --config flag to accept path to config file
- Added --help flag with usage documentation
- Config flag is passed to openclaw audit commands when provided
- Follows existing pattern for --label flag
* auto-claude: subtask-4-1 - Create integration tests for render_report with suppressions
Created comprehensive integration tests covering:
- Suppressed findings appear in INFO-SUPPRESSED section
- Active findings appear in CRITICAL/WARN section
- Summary counts exclude suppressed findings
- Backward compatibility (no config)
- Partial matches don't suppress (checkId or skill alone)
- Multiple suppressions work correctly
- Skill name extraction from path field
- Skill name extraction from title field
- Empty suppressions array behaves like no config
Bug fix in render_report.mjs:
- Summary counts now recalculated after filtering suppressed findings
- Previously summary showed original counts instead of filtered counts
All 10 tests passing.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-4-2 - Manual E2E test with real openclaw audit
- Fixed run_audit_and_format.sh to pass --config flag to render_report.mjs
- Enhanced lineForFinding() to display skill names for better clarity
- Enhanced lineForSuppressedFinding() to display skill names consistently
- Created comprehensive E2E test documentation in E2E-TEST-RESULTS.md
- All E2E verification points passed:
* Config loading from custom paths
* Suppression matching by checkId + skill name
* INFO-SUPPRESSED section display
* Suppression reason and date display
* Summary count accuracy (excludes suppressed findings)
* Non-suppressed findings preservation
* Skill name display in all findings
- All integration tests still passing (10/10)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-5-1 - Update README.md with suppression feature
* auto-claude: subtask-5-2 - Update SKILL.md with usage examples
* - Add backslash escaping before quote escaping in oneline() function
- Prevents incomplete string escaping vulnerability
- Resolves CodeQL alert: https://github.com/prompt-security/clawsec/security/code-scanning/16
* Fix regex in extractSkillName function and simplify error handling in suppression config tests
* Enhance suppression mechanism in OpenClaw Audit Watchdog
- Updated README.md to clarify suppression configuration and activation requirements.
- Improved SKILL.md with examples for suppressing known findings.
- Refactored load_suppression_config.mjs to implement opt-in gating for suppressions.
- Modified render_report.mjs to support suppression flag in report generation.
- Enhanced run_audit_and_format.sh and runner.sh scripts to accept --enable-suppressions flag.
- Added test cases for suppression configuration, including validation for enabledFor sentinel and opt-in behavior.
- Introduced new test files for empty and invalid suppression configurations.
* Fix type assertion for checksums file entries in Checksums component
* Update ESLint configuration and dependencies to pin @eslint/js to version 9.28.0
* Update CHANGELOG.md for advisory suppression module and OpenClaw Audit Watchdog enhancements
* Refactor finding comparison logic in render_report.mjs to simplify equality checks
* chore(clawsec-suite): bump version to 0.1.2
* chore(openclaw-audit-watchdog): bump version to 0.1.0
* Remove suppressed matches tracking from state to prevent re-evaluation alerts
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
* ci: sign advisory feed and checksums in workflows
* feat(clawsec-suite): add verifier-side signature and checksum enforcement
Implements cryptographic verification for advisory feed loading:
- Ed25519 detached signature verification for feed.json
- Supports raw base64 and JSON-wrapped signature formats
- Pinned public key at advisories/feed-signing-public.pem
- SHA-256 checksum manifest (checksums.json) verification
- Signed checksums.json.sig prevents partial artifact substitution
- Verifies feed.json, feed.json.sig, and public key against manifest
- Remote feed: returns null on verification failure (triggers fallback)
- Local feed: throws on verification failure (hard fail)
- No silent bypass of verification
- CLAWSEC_ALLOW_UNSIGNED_FEED=1 temporarily bypasses verification
- Warning logged when bypass mode is enabled
- Intended for transition period only
- guarded_skill_install without --version matches any advisory for skill
- Encourages explicit version specification
- scripts/sign_detached_ed25519.mjs - signing utility
- scripts/verify_detached_ed25519.mjs - verification utility
- scripts/generate_checksums_json.mjs - checksum manifest generator
- test/feed_verification.test.mjs - 14 verification tests
- test/guarded_install.test.mjs - 6 install flow tests
- hooks/.../lib/feed.mjs - full rewrite with verification
- hooks/.../handler.ts - verification options integration
- scripts/guarded_skill_install.mjs - verification integration
- skill.json - v0.0.9, new SBOM entries, openssl requirement
- SKILL.md - signed install flow, env vars documentation
- HOOK.md - new environment variables
- ci.yml - added verification test job
Refs: fail-closed verification, Ed25519 signatures, checksum manifests
* fix: update action versions in CI workflows for improved stability
* chore(clawsec-suite): bump version to 0.0.10
* feat: enhance security measures in asset deployment and add changelog for version history
* feat: add dry-run signing for advisory artifacts and generate checksums
* fix: enhance error handling in loadRemoteFeed for security policy violations
* feat: implement Ed25519 signing and verification for advisory artifacts and checksums
* feat: implement signing and verification for advisory artifacts and checksums in workflows
* feat: update dry-run signing key generation to use Ed25519 algorithm
* feat: update Ed25519 signing and verification to use -rawin flag for compatibility
* feat: add public key copying to advisory directory and implement safe basename extraction for URLs
* feat: remove Product Hunt promotion section from README and Home page
* Refactor skill packaging and checksum generation process
- Removed .skill package creation from the skill-release workflow and scripts, focusing on checksum generation only.
- Updated README and SKILL.md files to reflect new installation methods using clawhub.
- Simplified the skill checksums generator script to only generate checksums without packaging.
- Adjusted installation instructions across various skills to promote clawhub for easier installation.
- Enhanced error handling and verification steps in the installation scripts for individual files.
* Add ext-docs to .gitignore to exclude documentation files from version control
* Update installation instructions and remove deprecated SKILL_URL
* Remove redundant installation instruction from Home component
* Remove unused SKILL_URL import from Home component
davida-ps
David Abutbul