fix: Bump clawsec-suite version to 0.1.4 and update CHANGELOG (qa-requested)

Fixes: - Bumped version from 0.1.3 to 0.1.4 in skill.json - Added 0.1.4 release entry to CHANGELOG.md documenting audit warning feature - Already rebased on origin/main (382db82) Changes document the new CLAWSEC_VERIFY_CHECKSUM_MANIFEST=0 audit warnings for release pipeline compatibility. Verified: - All tests pass (8/8 guarded_install tests) - ESLint clean with --max-warnings 0 QA Fix Session: 0 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
auto-claude: subtask-1-2 - Add warning in handler.ts when checksum verificati
2026-06-16 06:51:21 +03:00 · 2026-02-27 21:22:19 +02:00 · 2026-02-27 20:32:46 +02:00 · 2026-02-27 20:31:30 +02:00
4 changed files with 27 additions and 1 deletions
@@ -5,6 +5,17 @@ All notable changes to the ClawSec Suite will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

+## [0.1.4]
+
+### Added
+
+- Audit warning when `CLAWSEC_VERIFY_CHECKSUM_MANIFEST=0` is enabled in `guarded_skill_install.mjs` to match visibility pattern of `CLAWSEC_ALLOW_UNSIGNED_FEED` bypass.
+- Audit warning when `CLAWSEC_VERIFY_CHECKSUM_MANIFEST=0` is enabled in `handler.ts` with once-only flag pattern to prevent repeated warnings.
+
+### Security
+
+- Enhanced visibility for checksum verification bypass: operators are now immediately notified when the checksum manifest verification layer is disabled, following the fail-open visibility principle.
+
 ## [0.1.3]

 ### Added
@@ -12,6 +12,7 @@ const DEFAULT_FEED_URL =
  "https://clawsec.prompt.security/advisories/feed.json";
 const DEFAULT_SCAN_INTERVAL_SECONDS = 300;
 let unsignedModeWarningShown = false;
+let checksumBypassWarningShown = false;

 function parsePositiveInteger(value: string | undefined, fallback: number): number {
  const parsed = Number.parseInt(String(value ?? ""), 10);
@@ -160,6 +161,14 @@ const handler = async (event: HookEvent): Promise<void> => {
    );
  }

+  if (!verifyChecksumManifest && !checksumBypassWarningShown) {
+    checksumBypassWarningShown = true;
+    console.warn(
+      "[clawsec-advisory-guardian] CLAWSEC_VERIFY_CHECKSUM_MANIFEST=0 is enabled. " +
+        "This disables checksum verification and should be used with caution.",
+    );
+  }
+
  const forceScan = toEventName(event) === "command:new";
  const state = await loadState(stateFile);
  if (!forceScan && scannedRecently(state.last_hook_scan, scanIntervalSeconds)) {
@@ -146,6 +146,12 @@ async function loadFeed() {
    );
  }

+  if (!verifyChecksumManifest) {
+    process.stderr.write(
+      "WARNING: CLAWSEC_VERIFY_CHECKSUM_MANIFEST=0 is enabled. Checksum verification for the advisory feed manifest is disabled. This reduces security guarantees.\n",
+    );
+  }
+
  const publicKeyPem = allowUnsigned ? "" : await fs.readFile(feedPublicKeyPath, "utf8");

  const remoteFeed = await loadRemoteFeed(feedUrl, {
@@ -1,6 +1,6 @@
 {
  "name": "clawsec-suite",
-  "version": "0.1.3",
+  "version": "0.1.4",
  "description": "ClawSec suite manager with embedded advisory-feed monitoring, cryptographic signature verification, approval-gated malicious-skill response, and guided setup for additional security skills.",
  "author": "prompt-security",
  "license": "AGPL-3.0-or-later",