clawsec

gnezim/clawsec

Fork 0

mirror of https://github.com/prompt-security/clawsec.git synced 2026-06-13 05:28:02 +03:00

Commit Graph

Author	SHA1	Message	Date
davida-ps	c9a66d5c99	Extract Shared Test Harness Module from 9 Test Files (#85 ) * refactor: extract shared test harness module from 9 test files Extract duplicated test utilities into a reusable test_harness.mjs module to eliminate ~200-250 lines of boilerplate code across test files. Changes: - Create skills/clawsec-suite/test/lib/test_harness.mjs with: - Test reporting: pass(), fail(), report(), exitWithResults() - Crypto utilities: generateEd25519KeyPair(), signPayload() - Temp directory: createTempDir() with cleanup - Environment helpers: withEnv() for isolated env vars - Test runner factory: createTestRunner() for isolated counters - Refactor 9 test files to use shared harness: - feed_verification.test.mjs - guarded_install.test.mjs - skill_catalog_discovery.test.mjs - advisory_suppression.test.mjs - advisory_application_scope.test.mjs - path_resolution.test.mjs - fuzz_properties.test.mjs - suppression_config.test.mjs - render_report_suppression.test.mjs Benefits: - Single source of truth for test utilities - Consistent test reporting across all files - Easier to add new test files - Reduced maintenance burden Verification: - All 80 tests pass (15+8+3+15+4+6+1+17+11) - Zero ESLint warnings - No behavior changes - only code deduplication - Cross-skill module sharing works (openclaw-audit-watchdog → clawsec-suite) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * fix: update minimatch override to 10.2.4 to resolve ReDoS vulnerabilities Bump minimatch from 10.2.1 to 10.2.4 in overrides to fix 10 high-severity ReDoS vulnerabilities (GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74). Also add .venv/ to ESLint ignores to prevent linting Python venv files. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-02-27 09:20:36 +02:00
davida-ps	51532bc753	Added dynamic skill-catalog discovery in clawsec-suite (#26 ) * feat(clawsec-suite): integrate audit-watchdog and add email-gated setup * fix(clawsec-suite): escape shell env assignments in watchdog setup * fix(lint): remove unnecessary escapes in watchdog exec template * clawsec-suite: add dynamic remote skill catalog discovery with fallback * clawsec-suite: align signed feed defaults and checksum key compatibility * fix(lint): use globalThis fetch/AbortController in catalog script * Revert "fix(lint): remove unnecessary escapes in watchdog exec template" This reverts commit 09e40d2a8861e2d179137467c9ba938776609a56. * Revert "fix(clawsec-suite): escape shell env assignments in watchdog setup" This reverts commit 54d97653a6f8ac14c125ef14c59bca7532cfee15. * Revert "feat(clawsec-suite): integrate audit-watchdog and add email-gated setup" This reverts commit 1ba55dd69ecb7a248a53123277158ce27474d5f7. * fix(openclaw-audit-watchdog): escape shell env interpolation in setup_cron * ci(signing): enforce key consistency across docs, repo, and generated assets * docs(readme): document signing key consistency CI guardrails * chore(clawsec-suite): bump to 0.1.0 and record release changelog * chore(changelog): update to version 0.1.1 and enhance signing key drift control documentation * chore(clawsec-suite): bump version to 0.1.1	2026-02-16 14:47:32 +02:00
davida-ps	5ee8587b1e	Integration/signing work (#20 ) * ci: sign advisory feed and checksums in workflows * feat(clawsec-suite): add verifier-side signature and checksum enforcement Implements cryptographic verification for advisory feed loading: - Ed25519 detached signature verification for feed.json - Supports raw base64 and JSON-wrapped signature formats - Pinned public key at advisories/feed-signing-public.pem - SHA-256 checksum manifest (checksums.json) verification - Signed checksums.json.sig prevents partial artifact substitution - Verifies feed.json, feed.json.sig, and public key against manifest - Remote feed: returns null on verification failure (triggers fallback) - Local feed: throws on verification failure (hard fail) - No silent bypass of verification - CLAWSEC_ALLOW_UNSIGNED_FEED=1 temporarily bypasses verification - Warning logged when bypass mode is enabled - Intended for transition period only - guarded_skill_install without --version matches any advisory for skill - Encourages explicit version specification - scripts/sign_detached_ed25519.mjs - signing utility - scripts/verify_detached_ed25519.mjs - verification utility - scripts/generate_checksums_json.mjs - checksum manifest generator - test/feed_verification.test.mjs - 14 verification tests - test/guarded_install.test.mjs - 6 install flow tests - hooks/.../lib/feed.mjs - full rewrite with verification - hooks/.../handler.ts - verification options integration - scripts/guarded_skill_install.mjs - verification integration - skill.json - v0.0.9, new SBOM entries, openssl requirement - SKILL.md - signed install flow, env vars documentation - HOOK.md - new environment variables - ci.yml - added verification test job Refs: fail-closed verification, Ed25519 signatures, checksum manifests * fix: update action versions in CI workflows for improved stability * chore(clawsec-suite): bump version to 0.0.10 * feat: enhance security measures in asset deployment and add changelog for version history * feat: add dry-run signing for advisory artifacts and generate checksums * fix: enhance error handling in loadRemoteFeed for security policy violations * feat: implement Ed25519 signing and verification for advisory artifacts and checksums * feat: implement signing and verification for advisory artifacts and checksums in workflows * feat: update dry-run signing key generation to use Ed25519 algorithm * feat: update Ed25519 signing and verification to use -rawin flag for compatibility * feat: add public key copying to advisory directory and implement safe basename extraction for URLs * feat: remove Product Hunt promotion section from README and Home page	2026-02-12 18:49:34 +02:00

Author

SHA1

Message

Date

davida-ps

c9a66d5c99

Extract Shared Test Harness Module from 9 Test Files (#85 )

* refactor: extract shared test harness module from 9 test files

Extract duplicated test utilities into a reusable test_harness.mjs module
to eliminate ~200-250 lines of boilerplate code across test files.

Changes:
- Create skills/clawsec-suite/test/lib/test_harness.mjs with:
  - Test reporting: pass(), fail(), report(), exitWithResults()
  - Crypto utilities: generateEd25519KeyPair(), signPayload()
  - Temp directory: createTempDir() with cleanup
  - Environment helpers: withEnv() for isolated env vars
  - Test runner factory: createTestRunner() for isolated counters

- Refactor 9 test files to use shared harness:
  - feed_verification.test.mjs
  - guarded_install.test.mjs
  - skill_catalog_discovery.test.mjs
  - advisory_suppression.test.mjs
  - advisory_application_scope.test.mjs
  - path_resolution.test.mjs
  - fuzz_properties.test.mjs
  - suppression_config.test.mjs
  - render_report_suppression.test.mjs

Benefits:
- Single source of truth for test utilities
- Consistent test reporting across all files
- Easier to add new test files
- Reduced maintenance burden

Verification:
- All 80 tests pass (15+8+3+15+4+6+1+17+11)
- Zero ESLint warnings
- No behavior changes - only code deduplication
- Cross-skill module sharing works (openclaw-audit-watchdog → clawsec-suite)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix: update minimatch override to 10.2.4 to resolve ReDoS vulnerabilities

Bump minimatch from 10.2.1 to 10.2.4 in overrides to fix 10 high-severity
ReDoS vulnerabilities (GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74).
Also add .venv/ to ESLint ignores to prevent linting Python venv files.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-27 09:20:36 +02:00

davida-ps

51532bc753

Added dynamic skill-catalog discovery in clawsec-suite (#26 )

* feat(clawsec-suite): integrate audit-watchdog and add email-gated setup

* fix(clawsec-suite): escape shell env assignments in watchdog setup

* fix(lint): remove unnecessary escapes in watchdog exec template

* clawsec-suite: add dynamic remote skill catalog discovery with fallback

* clawsec-suite: align signed feed defaults and checksum key compatibility

* fix(lint): use globalThis fetch/AbortController in catalog script

* Revert "fix(lint): remove unnecessary escapes in watchdog exec template"

This reverts commit 09e40d2a8861e2d179137467c9ba938776609a56.

* Revert "fix(clawsec-suite): escape shell env assignments in watchdog setup"

This reverts commit 54d97653a6f8ac14c125ef14c59bca7532cfee15.

* Revert "feat(clawsec-suite): integrate audit-watchdog and add email-gated setup"

This reverts commit 1ba55dd69ecb7a248a53123277158ce27474d5f7.

* fix(openclaw-audit-watchdog): escape shell env interpolation in setup_cron

* ci(signing): enforce key consistency across docs, repo, and generated assets

* docs(readme): document signing key consistency CI guardrails

* chore(clawsec-suite): bump to 0.1.0 and record release changelog

* chore(changelog): update to version 0.1.1 and enhance signing key drift control documentation

* chore(clawsec-suite): bump version to 0.1.1

2026-02-16 14:47:32 +02:00

davida-ps

5ee8587b1e

Integration/signing work (#20 )

* ci: sign advisory feed and checksums in workflows

* feat(clawsec-suite): add verifier-side signature and checksum enforcement

Implements cryptographic verification for advisory feed loading:

- Ed25519 detached signature verification for feed.json
- Supports raw base64 and JSON-wrapped signature formats
- Pinned public key at advisories/feed-signing-public.pem

- SHA-256 checksum manifest (checksums.json) verification
- Signed checksums.json.sig prevents partial artifact substitution
- Verifies feed.json, feed.json.sig, and public key against manifest

- Remote feed: returns null on verification failure (triggers fallback)
- Local feed: throws on verification failure (hard fail)
- No silent bypass of verification

- CLAWSEC_ALLOW_UNSIGNED_FEED=1 temporarily bypasses verification
- Warning logged when bypass mode is enabled
- Intended for transition period only

- guarded_skill_install without --version matches any advisory for skill
- Encourages explicit version specification

- scripts/sign_detached_ed25519.mjs - signing utility
- scripts/verify_detached_ed25519.mjs - verification utility
- scripts/generate_checksums_json.mjs - checksum manifest generator
- test/feed_verification.test.mjs - 14 verification tests
- test/guarded_install.test.mjs - 6 install flow tests

- hooks/.../lib/feed.mjs - full rewrite with verification
- hooks/.../handler.ts - verification options integration
- scripts/guarded_skill_install.mjs - verification integration
- skill.json - v0.0.9, new SBOM entries, openssl requirement
- SKILL.md - signed install flow, env vars documentation
- HOOK.md - new environment variables
- ci.yml - added verification test job

Refs: fail-closed verification, Ed25519 signatures, checksum manifests

* fix: update action versions in CI workflows for improved stability

* chore(clawsec-suite): bump version to 0.0.10

* feat: enhance security measures in asset deployment and add changelog for version history

* feat: add dry-run signing for advisory artifacts and generate checksums

* fix: enhance error handling in loadRemoteFeed for security policy violations

* feat: implement Ed25519 signing and verification for advisory artifacts and checksums

* feat: implement signing and verification for advisory artifacts and checksums in workflows

* feat: update dry-run signing key generation to use Ed25519 algorithm

* feat: update Ed25519 signing and verification to use -rawin flag for compatibility

* feat: add public key copying to advisory directory and implement safe basename extraction for URLs

* feat: remove Product Hunt promotion section from README and Home page

2026-02-12 18:49:34 +02:00

3 Commits