mirror of https://github.com/prompt-security/clawsec.git synced 2026-06-19 00:11:20 +03:00

Files

T

History

davida-ps 4dbac421ab feat(advisories): add provisional GHSA feed (#242 )

* feat(advisories): add provisional ghsa feed

* fix(workflows): include advisory signatures in checksums

* fix(workflows): mirror ghsa feed at release root

* feat(advisories): consolidate ghsa into agent feed

* ci(advisories): consolidate ghsa during nvd poll

* fix(advisories): retain unreplaced ghsa feed entries

* chore(skills): bump advisory feed consumers

* fix(release): resolve ts import closure dry run

* fix(release): preserve urls while stripping comments

* fix(release): ignore skill test-only changes

* fix(advisories): follow ghsa pagination links

* test(advisories): add nvd ghsa pipeline dry run

2026-05-24 21:41:59 +03:00

lib

feat(hermes-attestation-guardian): v0.1.0 release hardening (verify gate + trust policy + .mjs scan context) (#200 )

2026-04-21 13:56:50 +03:00

scripts

feat(hermes-attestation-guardian): v0.1.0 release hardening (verify gate + trust policy + .mjs scan context) (#200 )

2026-04-21 13:56:50 +03:00

test

feat(hermes-attestation-guardian): v0.1.0 release hardening (verify gate + trust policy + .mjs scan context) (#200 )

2026-04-21 13:56:50 +03:00

CHANGELOG.md

feat(advisories): add provisional GHSA feed (#242 )

2026-05-24 21:41:59 +03:00

README.md

feat(hermes-attestation-guardian): v0.1.0 release hardening (verify gate + trust policy + .mjs scan context) (#200 )

2026-04-21 13:56:50 +03:00

skill.json

feat(advisories): add provisional GHSA feed (#242 )

2026-05-24 21:41:59 +03:00

SKILL.md

feat(advisories): add provisional GHSA feed (#242 )

2026-05-24 21:41:59 +03:00

README.md

hermes-attestation-guardian

Hermes-only attestation, advisory verification, and guarded verification workflow.

Status: implemented (v0.1.0), Hermes-only.

Capabilities

This skill now covers the full Hermes-side capability set expected from the clawsec-suite parity workstream:

Deterministic runtime posture attestation generation.
Fail-closed attestation verification (schema + canonical digest).
Optional detached signature verification for attestation artifacts.
Authenticated baseline diffing with stable severity classification.
Scoped output-path enforcement under $HERMES_HOME.
Signed advisory feed verification (Ed25519) with optional checksum-manifest verification.
Fail-closed advisory verification state persistence under $HERMES_HOME/security/advisories.
Advisory-aware guarded skill verification with explicit --confirm-advisory override.
Optional recurring scheduler helpers for attestation and advisory checks (print-only by default, explicit apply mode).
Sandboxed end-to-end regression harness for install + verify + advisory gates.

Quickstart

Canonical release verification and trust-policy guidance lives in SKILL.md:

Mandatory release verification gate (before install)
Hermes guard trust policy note

After running that gate, use:

node scripts/generate_attestation.mjs
node scripts/verify_attestation.mjs --input ~/.hermes/security/attestations/current.json
node scripts/refresh_advisory_feed.mjs
node scripts/check_advisories.mjs
node scripts/guarded_skill_verify.mjs --skill some-skill --version 1.2.3
node scripts/setup_attestation_cron.mjs --every 6h --print-only
node scripts/setup_advisory_check_cron.mjs --every 6h --skill some-skill --print-only

Scheduler safety warning: never leave --allow-unsigned enabled in recurring advisory check jobs except during short emergency recovery windows.

Runtime requirements

Required:

node

Optional tooling (for local verification workflows):

openssl, bash, docker

Tests

node test/attestation_schema.test.mjs
node test/attestation_diff.test.mjs
node test/attestation_cli.test.mjs
node test/setup_attestation_cron.test.mjs
node test/setup_advisory_check_cron.test.mjs
node test/feed_verification.test.mjs
node test/guarded_skill_verify.test.mjs
bash test/hermes_attestation_sandbox_regression.sh