* ci(skills): publish release trust packets
* ci(skills): simulate beta tag releases
* ci(skills): match release version bump rules
* chore(skills): group agent skills for installer
* chore(skills): make clawtributor global
* chore(skills): bump all skills for trust release
* ci(skills): require npx install docs
* fix(skills): simulate prerelease tag versions
* fix(skills): aggregate trust artifact checksum failures
* fix(frontend): advertise npx skills suite install
* chore(frontend): drop ad hoc homepage copy test
* fix(ci): run skill release tooling tests
* refactor: extract shared test harness module from 9 test files
Extract duplicated test utilities into a reusable test_harness.mjs module
to eliminate ~200-250 lines of boilerplate code across test files.
Changes:
- Create skills/clawsec-suite/test/lib/test_harness.mjs with:
- Test reporting: pass(), fail(), report(), exitWithResults()
- Crypto utilities: generateEd25519KeyPair(), signPayload()
- Temp directory: createTempDir() with cleanup
- Environment helpers: withEnv() for isolated env vars
- Test runner factory: createTestRunner() for isolated counters
- Refactor 9 test files to use shared harness:
- feed_verification.test.mjs
- guarded_install.test.mjs
- skill_catalog_discovery.test.mjs
- advisory_suppression.test.mjs
- advisory_application_scope.test.mjs
- path_resolution.test.mjs
- fuzz_properties.test.mjs
- suppression_config.test.mjs
- render_report_suppression.test.mjs
Benefits:
- Single source of truth for test utilities
- Consistent test reporting across all files
- Easier to add new test files
- Reduced maintenance burden
Verification:
- All 80 tests pass (15+8+3+15+4+6+1+17+11)
- Zero ESLint warnings
- No behavior changes - only code deduplication
- Cross-skill module sharing works (openclaw-audit-watchdog → clawsec-suite)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix: update minimatch override to 10.2.4 to resolve ReDoS vulnerabilities
Bump minimatch from 10.2.1 to 10.2.4 in overrides to fix 10 high-severity
ReDoS vulnerabilities (GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74).
Also add .venv/ to ESLint ignores to prevent linting Python venv files.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-1-1 - Create config loading utility with multi-path fallback
Created load_suppression_config.mjs with:
- Multi-path fallback: ~/.openclaw/security-audit.json -> .clawsec/allowlist.json
- Environment variable support (OPENCLAW_AUDIT_CONFIG)
- Custom path support via CLI argument
- Schema validation (checkId, skill, reason, suppressedAt required)
- Malformed JSON error handling
- Graceful fallback to empty suppressions when no config exists
- ISO 8601 date format validation with warnings
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-1-2 - Create example config file template
- Added security-audit-config.example.json with two suppression examples
- Included examples for clawsec-suite and openclaw-audit-watchdog
- Created comprehensive README.md explaining configuration format
- All required fields documented (checkId, skill, reason, suppressedAt)
- ISO 8601 date format demonstrated
- JSON validated successfully
* auto-claude: subtask-1-3 - Add unit tests for config loading
Added comprehensive unit tests for suppression config loading:
- Valid config with all required fields
- Malformed date warning (non-blocking)
- Missing required field validation
- Malformed JSON error handling
- File not found graceful fallback
- Custom path priority
- Environment variable override
- Missing/empty suppressions array handling
All 10 tests passing.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-2-1 - Add suppression filtering to render_report.mjs
Implements suppression filtering logic for security audit findings:
- Import loadSuppressionConfig for config loading
- Add --config CLI argument for custom config paths
- Create extractSkillName() to extract skill names from findings (tries multiple fields)
- Create filterFindings() to split findings into active/suppressed
- Match suppressions by BOTH checkId AND skill name (exact match required)
- Attach suppression metadata (reason, suppressedAt) to suppressed findings
- Modify render() to accept suppressedFindings parameter
- Apply filtering in main execution before rendering
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-2-2 - Add INFO-SUPPRESSED section to report output
- Added lineForSuppressedFinding() to format suppressed findings
- Added INFO-SUPPRESSED section showing suppressed findings with reason and date
- Suppressed findings are not counted in summary (already filtered)
- Follows existing code patterns for report sections
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-3-1 - Add --config flag to run_audit_and_format.sh
- Added --config flag to accept path to config file
- Added --help flag with usage documentation
- Config flag is passed to openclaw audit commands when provided
- Follows existing pattern for --label flag
* auto-claude: subtask-4-1 - Create integration tests for render_report with suppressions
Created comprehensive integration tests covering:
- Suppressed findings appear in INFO-SUPPRESSED section
- Active findings appear in CRITICAL/WARN section
- Summary counts exclude suppressed findings
- Backward compatibility (no config)
- Partial matches don't suppress (checkId or skill alone)
- Multiple suppressions work correctly
- Skill name extraction from path field
- Skill name extraction from title field
- Empty suppressions array behaves like no config
Bug fix in render_report.mjs:
- Summary counts now recalculated after filtering suppressed findings
- Previously summary showed original counts instead of filtered counts
All 10 tests passing.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-4-2 - Manual E2E test with real openclaw audit
- Fixed run_audit_and_format.sh to pass --config flag to render_report.mjs
- Enhanced lineForFinding() to display skill names for better clarity
- Enhanced lineForSuppressedFinding() to display skill names consistently
- Created comprehensive E2E test documentation in E2E-TEST-RESULTS.md
- All E2E verification points passed:
* Config loading from custom paths
* Suppression matching by checkId + skill name
* INFO-SUPPRESSED section display
* Suppression reason and date display
* Summary count accuracy (excludes suppressed findings)
* Non-suppressed findings preservation
* Skill name display in all findings
- All integration tests still passing (10/10)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-5-1 - Update README.md with suppression feature
* auto-claude: subtask-5-2 - Update SKILL.md with usage examples
* - Add backslash escaping before quote escaping in oneline() function
- Prevents incomplete string escaping vulnerability
- Resolves CodeQL alert: https://github.com/prompt-security/clawsec/security/code-scanning/16
* Fix regex in extractSkillName function and simplify error handling in suppression config tests
* Enhance suppression mechanism in OpenClaw Audit Watchdog
- Updated README.md to clarify suppression configuration and activation requirements.
- Improved SKILL.md with examples for suppressing known findings.
- Refactored load_suppression_config.mjs to implement opt-in gating for suppressions.
- Modified render_report.mjs to support suppression flag in report generation.
- Enhanced run_audit_and_format.sh and runner.sh scripts to accept --enable-suppressions flag.
- Added test cases for suppression configuration, including validation for enabledFor sentinel and opt-in behavior.
- Introduced new test files for empty and invalid suppression configurations.
* Fix type assertion for checksums file entries in Checksums component
* Update ESLint configuration and dependencies to pin @eslint/js to version 9.28.0
* Update CHANGELOG.md for advisory suppression module and OpenClaw Audit Watchdog enhancements
* Refactor finding comparison logic in render_report.mjs to simplify equality checks
* chore(clawsec-suite): bump version to 0.1.2
* chore(openclaw-audit-watchdog): bump version to 0.1.0
* Remove suppressed matches tracking from state to prevent re-evaluation alerts
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
davida-ps
David Abutbul
Aldo Delgado