* auto-claude: subtask-1-1 - Create config loading utility with multi-path fallback
Created load_suppression_config.mjs with:
- Multi-path fallback: ~/.openclaw/security-audit.json -> .clawsec/allowlist.json
- Environment variable support (OPENCLAW_AUDIT_CONFIG)
- Custom path support via CLI argument
- Schema validation (checkId, skill, reason, suppressedAt required)
- Malformed JSON error handling
- Graceful fallback to empty suppressions when no config exists
- ISO 8601 date format validation with warnings
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-1-2 - Create example config file template
- Added security-audit-config.example.json with two suppression examples
- Included examples for clawsec-suite and openclaw-audit-watchdog
- Created comprehensive README.md explaining configuration format
- All required fields documented (checkId, skill, reason, suppressedAt)
- ISO 8601 date format demonstrated
- JSON validated successfully
* auto-claude: subtask-1-3 - Add unit tests for config loading
Added comprehensive unit tests for suppression config loading:
- Valid config with all required fields
- Malformed date warning (non-blocking)
- Missing required field validation
- Malformed JSON error handling
- File not found graceful fallback
- Custom path priority
- Environment variable override
- Missing/empty suppressions array handling
All 10 tests passing.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-2-1 - Add suppression filtering to render_report.mjs
Implements suppression filtering logic for security audit findings:
- Import loadSuppressionConfig for config loading
- Add --config CLI argument for custom config paths
- Create extractSkillName() to extract skill names from findings (tries multiple fields)
- Create filterFindings() to split findings into active/suppressed
- Match suppressions by BOTH checkId AND skill name (exact match required)
- Attach suppression metadata (reason, suppressedAt) to suppressed findings
- Modify render() to accept suppressedFindings parameter
- Apply filtering in main execution before rendering
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-2-2 - Add INFO-SUPPRESSED section to report output
- Added lineForSuppressedFinding() to format suppressed findings
- Added INFO-SUPPRESSED section showing suppressed findings with reason and date
- Suppressed findings are not counted in summary (already filtered)
- Follows existing code patterns for report sections
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-3-1 - Add --config flag to run_audit_and_format.sh
- Added --config flag to accept path to config file
- Added --help flag with usage documentation
- Config flag is passed to openclaw audit commands when provided
- Follows existing pattern for --label flag
* auto-claude: subtask-4-1 - Create integration tests for render_report with suppressions
Created comprehensive integration tests covering:
- Suppressed findings appear in INFO-SUPPRESSED section
- Active findings appear in CRITICAL/WARN section
- Summary counts exclude suppressed findings
- Backward compatibility (no config)
- Partial matches don't suppress (checkId or skill alone)
- Multiple suppressions work correctly
- Skill name extraction from path field
- Skill name extraction from title field
- Empty suppressions array behaves like no config
Bug fix in render_report.mjs:
- Summary counts now recalculated after filtering suppressed findings
- Previously summary showed original counts instead of filtered counts
All 10 tests passing.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
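The suppression behaviour the subtask-2-1 and subtask-4-1 messages describe (required-field validation, ISO 8601 warning, skill extraction from several fields, exact checkId-and-skill matching, summary counted after filtering), as an added example. This is not the project's load_suppression_config.mjs or render_report.mjs; the function names mirror the commit messages, and the sample config and findings are constructed for illustration.

```javascript
// Added example (not the clawsec project's code). Sample data is constructed.
const REQUIRED_FIELDS = ['checkId', 'skill', 'reason', 'suppressedAt'];
// Date-only or date-time ISO 8601 forms, with optional fractional seconds and zone.
const ISO_8601 = /^\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}(:\d{2}(\.\d+)?)?(Z|[+-]\d{2}:\d{2})?)?$/;

// Parse config text. Malformed JSON and a missing required field are errors;
// a missing or empty suppressions array means "no suppressions"; a malformed
// date only produces a warning (non-blocking).
function parseSuppressionConfig(text, warn = (m) => console.warn(m)) {
  let parsed;
  try { parsed = JSON.parse(text); }
  catch (err) { throw new Error(`suppression config is not valid JSON: ${err.message}`); }
  const list = Array.isArray(parsed?.suppressions) ? parsed.suppressions : [];
  return list.map((entry, i) => {
    for (const field of REQUIRED_FIELDS) {
      if (typeof entry?.[field] !== 'string' || entry[field].trim() === '') {
        throw new Error(`suppressions[${i}] is missing required field "${field}"`);
      }
    }
    if (!ISO_8601.test(entry.suppressedAt)) {
      warn(`suppressions[${i}].suppressedAt "${entry.suppressedAt}" is not ISO 8601`);
    }
    const { checkId, skill, reason, suppressedAt } = entry;
    return { checkId, skill, reason, suppressedAt };
  });
}

// The skill name may live in different finding fields; try each in turn.
// The path and title layouts assumed here are hypothetical.
function extractSkillName(finding) {
  if (typeof finding.skill === 'string') return finding.skill;
  const fromPath = /skills\/([^\/]+)/.exec(finding.path ?? '');
  if (fromPath) return fromPath[1];
  const fromTitle = /\[([^\]]+)\]/.exec(finding.title ?? '');
  return fromTitle ? fromTitle[1] : null;
}

// A finding is suppressed only when BOTH checkId AND skill match exactly;
// a checkId-only or skill-only match leaves the finding active.
function filterFindings(findings, suppressions) {
  const active = [];
  const suppressed = [];
  for (const f of findings) {
    const skill = extractSkillName(f);
    const match = suppressions.find((s) => s.checkId === f.checkId && s.skill === skill);
    if (match) {
      suppressed.push({ ...f, skill, suppression: { reason: match.reason, suppressedAt: match.suppressedAt } });
    } else {
      active.push({ ...f, skill });
    }
  }
  return { active, suppressed };
}

// Summary counts come from the active list, i.e. after filtering.
function summarize(active) {
  const counts = { CRITICAL: 0, WARN: 0 };
  for (const f of active) counts[f.severity] = (counts[f.severity] ?? 0) + 1;
  return counts;
}

// Constructed sample config: one usable entry, one with a malformed date.
const SAMPLE_CONFIG_TEXT = JSON.stringify({
  suppressions: [
    { checkId: 'CHK-001', skill: 'example-skill', reason: 'reviewed, accepted', suppressedAt: '2025-01-15T10:00:00Z' },
    { checkId: 'CHK-009', skill: 'legacy-skill', reason: 'tracked elsewhere', suppressedAt: 'yesterday' },
  ],
});

// Constructed sample findings: only the first matches on both fields.
const SAMPLE_FINDINGS = [
  { checkId: 'CHK-001', severity: 'CRITICAL', path: 'skills/example-skill/SKILL.md' },
  { checkId: 'CHK-001', severity: 'WARN', path: 'skills/other-skill/SKILL.md' },   // same check, other skill
  { checkId: 'CHK-002', severity: 'WARN', title: '[example-skill] unpinned dep' }, // same skill, other check
];

function demo() {
  const warnings = [];
  const suppressions = parseSuppressionConfig(SAMPLE_CONFIG_TEXT, (m) => warnings.push(m));
  const { active, suppressed } = filterFindings(SAMPLE_FINDINGS, suppressions);
  return { warnings, active, suppressed, summary: summarize(active) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it prints one warning for the malformed date, one suppressed finding carrying its reason and date, two active findings, and a summary of 0 CRITICAL / 2 WARN, which is the "summary excludes suppressed findings" behaviour the integration tests check.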
* auto-claude: subtask-4-2 - Manual E2E test with real openclaw audit
- Fixed run_audit_and_format.sh to pass --config flag to render_report.mjs
- Enhanced lineForFinding() to display skill names for better clarity
- Enhanced lineForSuppressedFinding() to display skill names consistently
- Created comprehensive E2E test documentation in E2E-TEST-RESULTS.md
- All E2E verification points passed:
  * Config loading from custom paths
  * Suppression matching by checkId + skill name
  * INFO-SUPPRESSED section display
  * Suppression reason and date display
  * Summary count accuracy (excludes suppressed findings)
  * Non-suppressed findings preservation
  * Skill name display in all findings
- All integration tests still passing (10/10)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-5-1 - Update README.md with suppression feature
* auto-claude: subtask-5-2 - Update SKILL.md with usage examples
* - Add backslash escaping before quote escaping in oneline() function
- Prevents incomplete string escaping vulnerability
- Resolves CodeQL alert: https://github.com/prompt-security/clawsec/security/code-scanning/16
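The ordering bug this commit fixes, shown on a hypothetical oneline() helper as an added example (not the project's own function): escaping quotes before backslashes lets the second step re-escape the backslash the first step inserted, so the quote ends up unescaped again. The sample inputs are constructed.

```javascript
// Added example (not the clawsec project's oneline()). Inputs are constructed.

// Weak order: quotes first, then backslashes. The backslash added by the
// quote step is doubled by the backslash step, so `"` becomes `\\"`, which a
// double-quoted-string parser reads as an escaped backslash followed by a
// bare, string-terminating quote.
function onelineWeak(value) {
  return String(value)
    .replace(/"/g, '\\"')
    .replace(/\\/g, '\\\\')
    .replace(/\s*\r?\n\s*/g, ' ');
}

// Fixed order: backslashes first, then quotes. No later step re-interprets
// the escape characters an earlier step introduced.
function onelineSafe(value) {
  return String(value)
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/\s*\r?\n\s*/g, ' ');
}

// Wrap the escaped text in double quotes and decode it with a JSON string
// parser (used here as a stand-in for any double-quoted-string consumer).
// Returns the decoded value, or null when the quoting is broken.
function roundTrip(escape, value) {
  try {
    return JSON.parse(`"${escape(value)}"`);
  } catch {
    return null;
  }
}

console.log(onelineWeak('say "hi"'), '->', roundTrip(onelineWeak, 'say "hi"'));
console.log(onelineSafe('say "hi"'), '->', roundTrip(onelineSafe, 'say "hi"'));
```

For input `say "hi"` the weak version yields `say \\"hi\\"`, which does not decode, while the fixed version yields `say \"hi\"`, which decodes back to the original.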
* Fix regex in extractSkillName function and simplify error handling in suppression config tests
* Enhance suppression mechanism in OpenClaw Audit Watchdog
- Updated README.md to clarify suppression configuration and activation requirements.
- Improved SKILL.md with examples for suppressing known findings.
- Refactored load_suppression_config.mjs to implement opt-in gating for suppressions.
- Modified render_report.mjs to support suppression flag in report generation.
- Enhanced run_audit_and_format.sh and runner.sh scripts to accept --enable-suppressions flag.
- Added test cases for suppression configuration, including validation for enabledFor sentinel and opt-in behavior.
- Introduced new test files for empty and invalid suppression configurations.
* Fix type assertion for checksums file entries in Checksums component
* Update ESLint configuration and dependencies to pin @eslint/js to version 9.28.0
* Update CHANGELOG.md for advisory suppression module and OpenClaw Audit Watchdog enhancements
* Refactor finding comparison logic in render_report.mjs to simplify equality checks
* chore(clawsec-suite): bump version to 0.1.2
* chore(openclaw-audit-watchdog): bump version to 0.1.0
* Remove suppressed matches tracking from state to prevent re-evaluation alerts
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
* ci: sign advisory feed and checksums in workflows
* feat(clawsec-suite): add verifier-side signature and checksum enforcement
Implements cryptographic verification for advisory feed loading:
- Ed25519 detached signature verification for feed.json
- Supports raw base64 and JSON-wrapped signature formats
- Pinned public key at advisories/feed-signing-public.pem
- SHA-256 checksum manifest (checksums.json) verification
- Signed checksums.json.sig prevents partial artifact substitution
- Verifies feed.json, feed.json.sig, and public key against manifest
- Remote feed: returns null on verification failure (triggers fallback)
- Local feed: throws on verification failure (hard fail)
- No silent bypass of verification
- CLAWSEC_ALLOW_UNSIGNED_FEED=1 temporarily bypasses verification
- Warning logged when bypass mode is enabled
- Intended for transition period only
- guarded_skill_install without --version matches any advisory for skill
- Encourages explicit version specification
- scripts/sign_detached_ed25519.mjs - signing utility
- scripts/verify_detached_ed25519.mjs - verification utility
- scripts/generate_checksums_json.mjs - checksum manifest generator
- test/feed_verification.test.mjs - 14 verification tests
- test/guarded_install.test.mjs - 6 install flow tests
- hooks/.../lib/feed.mjs - full rewrite with verification
- hooks/.../handler.ts - verification options integration
- scripts/guarded_skill_install.mjs - verification integration
- skill.json - v0.0.9, new SBOM entries, openssl requirement
- SKILL.md - signed install flow, env vars documentation
- HOOK.md - new environment variables
- ci.yml - added verification test job
Refs: fail-closed verification, Ed25519 signatures, checksum manifests
* fix: update action versions in CI workflows for improved stability
* chore(clawsec-suite): bump version to 0.0.10
* feat: enhance security measures in asset deployment and add changelog for version history
* feat: add dry-run signing for advisory artifacts and generate checksums
* fix: enhance error handling in loadRemoteFeed for security policy violations
* feat: implement Ed25519 signing and verification for advisory artifacts and checksums
* feat: implement signing and verification for advisory artifacts and checksums in workflows
* feat: update dry-run signing key generation to use Ed25519 algorithm
* feat: update Ed25519 signing and verification to use -rawin flag for compatibility
* feat: add public key copying to advisory directory and implement safe basename extraction for URLs
* feat: remove Product Hunt promotion section from README and Home page
* feat: add clawsec-advisory-guardian hook for advisory monitoring and user approval
- Implemented clawsec-advisory-guardian hook to detect advisories for installed skills.
- Added handler for processing advisory matches and notifying users.
- Created scripts for setting up advisory hooks and cron jobs for periodic scans.
- Introduced guarded skill installation script requiring user confirmation for high-risk advisories.
- Updated skill.json to reflect new features and embedded components for advisory monitoring.
* chore(clawsec-suite): bump version to 0.0.8
* feat: enhance release script to support version tagging and improve install function
* fix: use globalThis for AbortController and timeout functions in loadRemoteFeed
* Update scripts/release-skill.sh
Co-authored-by: baz-reviewer[bot] <174234987+baz-reviewer[bot]@users.noreply.github.com>
* Update skills/clawsec-suite/scripts/guarded_skill_install.mjs
Co-authored-by: baz-reviewer[bot] <174234987+baz-reviewer[bot]@users.noreply.github.com>
* Update scripts/release-skill.sh
Co-authored-by: baz-reviewer[bot] <174234987+baz-reviewer[bot]@users.noreply.github.com>
* Normalize version input by removing leading 'v' in versionMatches function
* Add dirName property to InstalledSkill and update alert message paths
* Enhance file permission handling in persistState function and add warning for chmod errors
* Refactor advisory guardian hook: modularize utility functions, version handling, and feed management
- Moved utility functions (isObject, normalizeSkillName, uniqueStrings) to lib/utils.mjs
- Created version handling functions (parseSemver, compareSemver, versionMatches) in lib/version.mjs
- Implemented feed management functions (parseAffectedSpecifier, isValidFeedPayload, loadRemoteFeed) in lib/feed.mjs
- Updated handler.ts to utilize new modular functions for improved readability and maintainability
- Added new types and state management in lib/types.ts and lib/state.ts
- Updated scripts to reflect new file structure and dependencies
* Update skills/clawsec-suite/hooks/clawsec-advisory-guardian/lib/matching.ts
Co-authored-by: baz-reviewer[bot] <174234987+baz-reviewer[bot]@users.noreply.github.com>
* Add published field to Advisory type and refine version matching logic
* Set default version to "unknown" in discoverInstalledSkills and adjust versionMatches logic
* Update skills/clawsec-suite/hooks/clawsec-advisory-guardian/lib/version.mjs
Co-authored-by: baz-reviewer[bot] <174234987+baz-reviewer[bot]@users.noreply.github.com>
* Update skills/clawsec-suite/hooks/clawsec-advisory-guardian/lib/matching.ts
Co-authored-by: baz-reviewer[bot] <174234987+baz-reviewer[bot]@users.noreply.github.com>
* Update skills/clawsec-suite/hooks/clawsec-advisory-guardian/lib/version.mjs
Co-authored-by: baz-reviewer[bot] <174234987+baz-reviewer[bot]@users.noreply.github.com>
---------
Co-authored-by: baz-reviewer[bot] <174234987+baz-reviewer[bot]@users.noreply.github.com>