- Created comprehensive skill.json with metadata following clawsec-suite pattern
- Defined complete SBOM listing all 22 files to be created (required + optional)
- Added OpenClaw configuration (emoji: 🔍, triggers, environment variables)
- Specified Claude API integration details (model, retry strategy, cache TTL)
- Version 0.1.0 matches package.json
- Includes capabilities, compatibility, and integration sections
Verification:
- JSON structure is valid
- All required fields present (name, version, description, author, license, sbom)
- Version consistency verified between skill.json and package.json
- Ready for subsequent subtasks to create SBOM files
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* feat: add severity filter tabs to advisory feed page
Add horizontal severity filter tabs (All, Critical, High, Medium, Low)
to the advisory feed page. Advisories are filtered by CVSS score ranges
matching NVD conventions. Tab counts update dynamically.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor: extract severity filter tabs into data-driven map
Replace five duplicated button blocks with a SEVERITY_TABS metadata
array and a single .map() loop. Class strings are kept as full literals
for Tailwind purge compatibility.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor: replace filteredAdvisories state with useMemo
filteredAdvisories is derived from advisories + selectedSeverity and
should not be independent state. Replace useState + filtering useEffect
with a single useMemo. Keep a minimal useEffect that only resets
currentPage on dependency changes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: add platform filter tabs (OpenClaw / NanoClaw) to advisory feed
Add a second row of filter tabs for platform selection using the clawd
color palette. Add platforms field to Advisory type to match feed data.
Both severity and platform filters compose via useMemo.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: extract shared FilterTabs component and treat missing platforms as universal
Extract a reusable FilterTabs component so severity and platform tab
rows share identical markup. Fix platform filter to treat advisories
with missing or empty platforms as matching all platforms, preventing
legacy entries from being silently dropped.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* refactor: extract shared test harness module from 9 test files
Extract duplicated test utilities into a reusable test_harness.mjs module
to eliminate ~200-250 lines of boilerplate code across test files.
Changes:
- Create skills/clawsec-suite/test/lib/test_harness.mjs with:
  - Test reporting: pass(), fail(), report(), exitWithResults()
  - Crypto utilities: generateEd25519KeyPair(), signPayload()
  - Temp directory: createTempDir() with cleanup
  - Environment helpers: withEnv() for isolated env vars
  - Test runner factory: createTestRunner() for isolated counters
- Refactor 9 test files to use shared harness:
  - feed_verification.test.mjs
  - guarded_install.test.mjs
  - skill_catalog_discovery.test.mjs
  - advisory_suppression.test.mjs
  - advisory_application_scope.test.mjs
  - path_resolution.test.mjs
  - fuzz_properties.test.mjs
  - suppression_config.test.mjs
  - render_report_suppression.test.mjs
Benefits:
- Single source of truth for test utilities
- Consistent test reporting across all files
- Easier to add new test files
- Reduced maintenance burden
Verification:
- All 80 tests pass (15+8+3+15+4+6+1+17+11)
- Zero ESLint warnings
- No behavior changes - only code deduplication
- Cross-skill module sharing works (openclaw-audit-watchdog → clawsec-suite)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix: update minimatch override to 10.2.4 to resolve ReDoS vulnerabilities
Bump minimatch from 10.2.1 to 10.2.4 in overrides to fix 10 high-severity
ReDoS vulnerabilities (GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74).
Also add .venv/ to ESLint ignores to prevent linting Python venv files.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix(readme): use github-safe demo previews and links
* fix(readme): use only github-hosted demo links
* fix(wiki): map wiki root to index
* feat(readme): add lightweight animated gif demo previews
* refactor(wiki): generate Home from INDEX during sync
* fix(ci): remove github token write scopes in workflows
* chore(ci): use existing poll token for write automation
- Introduced glossary for key terms and definitions related to security advisories, skill packaging, and CI/CD processes.
- Documented the Automation and Release Pipelines module, detailing responsibilities, key files, public interfaces, and configuration.
- Added ClawSec Suite Core module documentation, outlining its responsibilities, key files, public interfaces, and configuration.
- Created Frontend Web App module documentation, covering responsibilities, key files, public interfaces, and configuration.
- Added Local Validation and Packaging Tools module documentation, detailing responsibilities, key files, public interfaces, and configuration.
- Documented NanoClaw Integration module, including responsibilities, key files, public interfaces, and configuration.
- Introduced an overview of ClawSec, including purpose, repo layout, entry points, key artifacts, and workflows.
- Added a Security section outlining the security model, cryptographic controls, runtime enforcement, and incident playbooks.
- Created a Testing section detailing the testing strategy, verification layers, CI workflow coverage, and local testing commands.
- Documented the Workflow section, covering the end-to-end lifecycle, primary workflow map, local operator workflow, and operational risks.
* auto-claude: subtask-1-1 - Create config loading utility with multi-path fallback
Created load_suppression_config.mjs with:
- Multi-path fallback: ~/.openclaw/security-audit.json -> .clawsec/allowlist.json
- Environment variable support (OPENCLAW_AUDIT_CONFIG)
- Custom path support via CLI argument
- Schema validation (checkId, skill, reason, suppressedAt required)
- Malformed JSON error handling
- Graceful fallback to empty suppressions when no config exists
- ISO 8601 date format validation with warnings
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-1-2 - Create example config file template
- Added security-audit-config.example.json with two suppression examples
- Included examples for clawsec-suite and openclaw-audit-watchdog
- Created comprehensive README.md explaining configuration format
- All required fields documented (checkId, skill, reason, suppressedAt)
- ISO 8601 date format demonstrated
- JSON validated successfully
* auto-claude: subtask-1-3 - Add unit tests for config loading
Added comprehensive unit tests for suppression config loading:
- Valid config with all required fields
- Malformed date warning (non-blocking)
- Missing required field validation
- Malformed JSON error handling
- File not found graceful fallback
- Custom path priority
- Environment variable override
- Missing/empty suppressions array handling
All 10 tests passing.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-2-1 - Add suppression filtering to render_report.mjs
Implements suppression filtering logic for security audit findings:
- Import loadSuppressionConfig for config loading
- Add --config CLI argument for custom config paths
- Create extractSkillName() to extract skill names from findings (tries multiple fields)
- Create filterFindings() to split findings into active/suppressed
- Match suppressions by BOTH checkId AND skill name (exact match required)
- Attach suppression metadata (reason, suppressedAt) to suppressed findings
- Modify render() to accept suppressedFindings parameter
- Apply filtering in main execution before rendering
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-2-2 - Add INFO-SUPPRESSED section to report output
- Added lineForSuppressedFinding() to format suppressed findings
- Added INFO-SUPPRESSED section showing suppressed findings with reason and date
- Suppressed findings are not counted in summary (already filtered)
- Follows existing code patterns for report sections
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-3-1 - Add --config flag to run_audit_and_format.sh
- Added --config flag to accept path to config file
- Added --help flag with usage documentation
- Config flag is passed to openclaw audit commands when provided
- Follows existing pattern for --label flag
* auto-claude: subtask-4-1 - Create integration tests for render_report with suppressions
Created comprehensive integration tests covering:
- Suppressed findings appear in INFO-SUPPRESSED section
- Active findings appear in CRITICAL/WARN section
- Summary counts exclude suppressed findings
- Backward compatibility (no config)
- Partial matches don't suppress (checkId or skill alone)
- Multiple suppressions work correctly
- Skill name extraction from path field
- Skill name extraction from title field
- Empty suppressions array behaves like no config
Bug fix in render_report.mjs:
- Summary counts now recalculated after filtering suppressed findings
- Previously summary showed original counts instead of filtered counts
All 10 tests passing.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
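The matching rule from the subtask-2-1 message (suppress only when BOTH checkId AND skill name match exactly, skill name extracted from several fields) and the subtask-4-1 bug fix (summary counts recalculated from the active set after filtering), shown as an added illustration that is not the project's render_report.mjs. The finding fields, the suppression entries and the title/path extraction patterns are constructed assumptions.

```javascript
// Added example, not code from clawsec. Constructed suppression config entries
// using the four required fields named in the log (checkId, skill, reason, suppressedAt).
const SUPPRESSIONS = [
  { checkId: "SKILL-001", skill: "clawsec-suite", reason: "accepted risk", suppressedAt: "2025-01-15T00:00:00Z" },
];

// Constructed sample findings; only the first should be suppressed.
const FINDINGS = [
  { checkId: "SKILL-001", severity: "critical", skill: "clawsec-suite", title: "Broad tool scope" },
  { checkId: "SKILL-001", severity: "critical", path: "skills/other-skill/SKILL.md", title: "Broad tool scope" },
  { checkId: "SKILL-002", severity: "warn", title: "Unsigned manifest in clawsec-suite" },
];

// Tries multiple fields in order (assumed field names): explicit skill, then a
// skills/<name>/ path segment, then a trailing "in <name>" in the title.
function extractSkillName(finding) {
  if (finding.skill) return finding.skill;
  const fromPath = /skills\/([^/]+)/.exec(finding.path || "");
  if (fromPath) return fromPath[1];
  const fromTitle = /\bin\s+([a-z0-9-]+)$/i.exec(finding.title || "");
  return fromTitle ? fromTitle[1] : null;
}

// Split findings into active/suppressed; a checkId-only or skill-only match never suppresses.
function filterFindings(findings, suppressions) {
  const active = [];
  const suppressed = [];
  for (const finding of findings) {
    const skill = extractSkillName(finding);
    const match = suppressions.find((s) => s.checkId === finding.checkId && s.skill === skill);
    if (match) {
      // Attach the suppression metadata so the INFO-SUPPRESSED section can show reason and date.
      suppressed.push({ ...finding, suppression: { reason: match.reason, suppressedAt: match.suppressedAt } });
    } else {
      active.push(finding);
    }
  }
  return { active, suppressed };
}

// Summary is computed from the active set only, so suppressed findings never inflate the counts.
function summarize(activeFindings) {
  return activeFindings.reduce((counts, f) => {
    counts[f.severity] = (counts[f.severity] || 0) + 1;
    return counts;
  }, {});
}
```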
* auto-claude: subtask-4-2 - Manual E2E test with real openclaw audit
- Fixed run_audit_and_format.sh to pass --config flag to render_report.mjs
- Enhanced lineForFinding() to display skill names for better clarity
- Enhanced lineForSuppressedFinding() to display skill names consistently
- Created comprehensive E2E test documentation in E2E-TEST-RESULTS.md
- All E2E verification points passed:
  * Config loading from custom paths
  * Suppression matching by checkId + skill name
  * INFO-SUPPRESSED section display
  * Suppression reason and date display
  * Summary count accuracy (excludes suppressed findings)
  * Non-suppressed findings preservation
  * Skill name display in all findings
- All integration tests still passing (10/10)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* auto-claude: subtask-5-1 - Update README.md with suppression feature
* auto-claude: subtask-5-2 - Update SKILL.md with usage examples
* Add backslash escaping before quote escaping in oneline() function
- Prevents incomplete string escaping vulnerability
- Resolves CodeQL alert: https://github.com/prompt-security/clawsec/security/code-scanning/16
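Why the order matters in that fix, as an added illustration rather than the project's own oneline(): if only quotes are escaped, a value ending in a backslash (or containing `\"`) neutralizes the escaping of the quote that follows it. The assumed contract is that oneline() flattens a value into one double-quoted report line; JSON.parse is used here only as an oracle to check that the escaped line still reads back as the flattened value.

```javascript
// Added example, not clawsec code. Both functions assume a double-quoted single-line output format.
function flatten(value) {
  return String(value).replace(/\r?\n/g, " ");
}

// Before the fix: quotes escaped, backslashes left alone (incomplete escaping).
function onelineBefore(value) {
  return '"' + flatten(value).replace(/"/g, '\\"') + '"';
}

// After the fix: backslashes escaped first, then quotes, so the quote escape
// cannot itself be swallowed by a preceding backslash from the input.
function onelineAfter(value) {
  return '"' + flatten(value).replace(/\\/g, "\\\\").replace(/"/g, '\\"') + '"';
}

// Oracle: a correctly escaped line parses back to exactly the flattened value.
function roundTrips(escapeFn, value) {
  try {
    return JSON.parse(escapeFn(value)) === flatten(value);
  } catch {
    return false; // unterminated or malformed string: escaping was incomplete
  }
}
```

Inputs worth checking are a value with a trailing backslash and a value already containing `\"`; the pre-fix form fails both, the post-fix form round-trips both.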
* Fix regex in extractSkillName function and simplify error handling in suppression config tests
* Enhance suppression mechanism in OpenClaw Audit Watchdog
- Updated README.md to clarify suppression configuration and activation requirements.
- Improved SKILL.md with examples for suppressing known findings.
- Refactored load_suppression_config.mjs to implement opt-in gating for suppressions.
- Modified render_report.mjs to support suppression flag in report generation.
- Enhanced run_audit_and_format.sh and runner.sh scripts to accept --enable-suppressions flag.
- Added test cases for suppression configuration, including validation for enabledFor sentinel and opt-in behavior.
- Introduced new test files for empty and invalid suppression configurations.
* Fix type assertion for checksums file entries in Checksums component
* Update ESLint configuration and dependencies to pin @eslint/js to version 9.28.0
* Update CHANGELOG.md for advisory suppression module and OpenClaw Audit Watchdog enhancements
* Refactor finding comparison logic in render_report.mjs to simplify equality checks
* chore(clawsec-suite): bump version to 0.1.2
* chore(openclaw-audit-watchdog): bump version to 0.1.0
* Remove suppressed matches tracking from state to prevent re-evaluation alerts
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>