gnezim/clawsec
1
0
Fork 0
mirror of https://github.com/prompt-security/clawsec.git synced 2026-06-16 15:01:22 +03:00
Code Issues Packages Projects Releases Wiki Activity
221 Commits 16 Branches 95 Tags
d164e3ec2c5f63d633f5ec374071fd8cdca525d1
Commit Graph

9 Commits

Author SHA1 Message Date
davida-ps 4a4b547b92 ci(skills): pin clawhub CLI by hash via committed lockfile (#268) 
* ci(skills): pin clawhub CLI by hash via committed lockfile

Scorecard flags the skill-release workflow's npm install of the clawhub
CLI (code-scanning alerts #25/#26): version pinning alone carries no
integrity guarantee. Install it with npm ci from a committed
package-lock.json instead, so every package (clawhub + 35 transitive
deps) is verified against its sha512 hash at install time.

The publish-payload patch step now resolves the module from the local
node_modules instead of npm root -g.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix(skill-release): authenticate pinned clawhub install

---------

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
 2026-06-15 18:12:36 +03:00
davida-ps 1b676fd42c fix(skills): scan staged payload with SkillSpector (#264) 
* fix(skills): scan staged payload with skillspector

* fix(skills): embed skillspector report in releases

* fix(skills): use body path for release notes
 2026-06-10 17:18:54 +03:00
davida-ps 59d54ed778 fix(skills): namespace ClawHub skill slugs (#263) 
* fix(release): map ClawHub publish slugs

* fix(release): share skill platform parsing
 2026-06-10 16:39:19 +03:00
davida-ps c1d1824f86 ci(skills): publish release trust packets + expand skill installer awareness (vercel) (#262) 
* ci(skills): publish release trust packets

* ci(skills): simulate beta tag releases

* ci(skills): match release version bump rules

* chore(skills): group agent skills for installer

* chore(skills): make clawtributor global

* chore(skills): bump all skills for trust release

* ci(skills): require npx install docs

* fix(skills): simulate prerelease tag versions

* fix(skills): aggregate trust artifact checksum failures

* fix(frontend): advertise npx skills suite install

* chore(frontend): drop ad hoc homepage copy test

* fix(ci): run skill release tooling tests
 2026-06-10 13:22:22 +03:00
davida-ps 4dbac421ab feat(advisories): add provisional GHSA feed (#242) 
* feat(advisories): add provisional ghsa feed

* fix(workflows): include advisory signatures in checksums

* fix(workflows): mirror ghsa feed at release root

* feat(advisories): consolidate ghsa into agent feed

* ci(advisories): consolidate ghsa during nvd poll

* fix(advisories): retain unreplaced ghsa feed entries

* chore(skills): bump advisory feed consumers

* fix(release): resolve ts import closure dry run

* fix(release): preserve urls while stripping comments

* fix(release): ignore skill test-only changes

* fix(advisories): follow ghsa pagination links

* test(advisories): add nvd ghsa pipeline dry run
 2026-05-24 21:41:59 +03:00
David Abutbul 19c5113511 fix(attestation): include runtime libs in release sbom (#235) 
* fix(attestation): include runtime libs in release sbom

* ci: verify staged skill release import closure

* fix(release): include missing skill runtime sbom files

* fix(release): require files for import closure

---------

Co-authored-by: David Abutbul <David.a@prompt.security>
 2026-05-17 00:40:12 +03:00
David Abutbul 1e48a955cc fix(release): exclude tests from skill payloads (#230) 
* fix(release): exclude tests from skill payloads

* fix(release): normalize test path filtering

* fix(release): prefer GitHub artifacts for non-OpenClaw installs

* fix(release): keep legacy ClawHub publishing

* fix(release): address skill packaging review feedback

* chore(skills): bump release versions

* feat(skills): surface recommended platforms

* docs(skills): add signed release verification

* fix(skills): normalize PR version bumps

---------

Co-authored-by: David Abutbul <David.a@prompt.security>
 2026-05-14 14:38:58 +03:00
davida-ps e0eae65586 refactor(ci): extract shared exploitability enrichment helper (#95) 
* refactor(ci): share exploitability enrichment script

* refactor(scripts): reuse shared exploitability enricher in local feed
 2026-03-01 21:50:10 +02:00
davida-ps 51532bc753 Added dynamic skill-catalog discovery in clawsec-suite (#26) 
* feat(clawsec-suite): integrate audit-watchdog and add email-gated setup

* fix(clawsec-suite): escape shell env assignments in watchdog setup

* fix(lint): remove unnecessary escapes in watchdog exec template

* clawsec-suite: add dynamic remote skill catalog discovery with fallback

* clawsec-suite: align signed feed defaults and checksum key compatibility

* fix(lint): use globalThis fetch/AbortController in catalog script

* Revert "fix(lint): remove unnecessary escapes in watchdog exec template"

This reverts commit 09e40d2a8861e2d179137467c9ba938776609a56.

* Revert "fix(clawsec-suite): escape shell env assignments in watchdog setup"

This reverts commit 54d97653a6f8ac14c125ef14c59bca7532cfee15.

* Revert "feat(clawsec-suite): integrate audit-watchdog and add email-gated setup"

This reverts commit 1ba55dd69ecb7a248a53123277158ce27474d5f7.

* fix(openclaw-audit-watchdog): escape shell env interpolation in setup_cron

* ci(signing): enforce key consistency across docs, repo, and generated assets

* docs(readme): document signing key consistency CI guardrails

* chore(clawsec-suite): bump to 0.1.0 and record release changelog

* chore(changelog): update to version 0.1.1 and enhance signing key drift control documentation

* chore(clawsec-suite): bump version to 0.1.1
 2026-02-16 14:47:32 +02:00