gnezim/clawsec
1
0
Fork 0
mirror of https://github.com/prompt-security/clawsec.git synced 2026-06-16 15:01:22 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
dependabot/github_actions/github/codeql-action-4.36.2
clawsec/wiki/remediation-plan.md
T
David Abutbul 26af277afd feat(hermes-attestation-guardian): v0.1.0 release hardening (verify gate + trust policy + .mjs scan context) (#200) 
* feat(hermes-attestation-guardian): release v0.0.2 hardening

* docs(wiki): add v0.0.2 hardening update note

* docs: add Hermes support coverage to README and compatibility report

* fix(hermes-attestation-guardian): address baz review on crontab detection and doc dedup

* feat(wiki): add PR-200 skill feature/platform matrix

* docs(wiki): rewrite PR-200 matrix as narrative capability mapping

* docs(readme): add skill feature matrix with requested headers

* docs(readme): replace unknowns with mapped yes/no feature matrix

* docs: move NanoClaw and CI/CD details from README to wiki modules

* docs(readme): remove platform/suite sections and keep wiki module pointers

* docs(readme): refresh project structure to match current repo

* feat(hermes-attestation-guardian): add signed advisory feed verification pipeline

* feat(hermes-attestation-guardian): add advisory-gated guarded skill verification

* feat(hermes-attestation-guardian): add advisory scheduler helper and phase-3 parity docs

* docs(wiki): expand hermes attestation guardian capability coverage

* fix(pr-200): address Baz review findings across Hermes parity rollout

* test(sandbox): extend Hermes regression to cover feed, guarded verify, and advisory scheduler

* fix(pr-200): address Baz semver parsing and feed-state fallback visibility

* fix(ci): suppress shellcheck false positives in sandbox inline docker script

* fix(hermes-attestation-guardian): fail closed on unsupported advisory ranges

* fix(hermes-attestation-guardian): restore safe install verdict in sandbox

* fix(sandbox): capture guarded verify exit under set -e

* fix(semver): fail closed on malformed affected specifiers

* docs(readme): clarify hermes capability matrix wording

* refactor(feed): share signed artifact verification flow

* refactor(cron): share managed block helpers across setup scripts

* fix(feed): require checksum manifest artifacts when enabled

* chore(hermes-skill): relocate sandbox test, refresh docs, and add v0.1.0 release notes

* chore(docs): remove remaining hermes parity plan file

* chore(release): roll hermes-attestation-guardian to v0.1.0

* chore(release): remove standalone v0.1.0 release notes file

* docs(hermes): update README status to v0.1.0

---------

Co-authored-by: David Abutbul <David.a@prompt.security>
2026-04-21 13:56:50 +03:00

85 lines
2.9 KiB
Markdown
Raw Permalink Blame History

# Cross-Platform Remediation Plan
## Phase 1: Immediate Risk Closure (Completed)
### Milestones
- Implement explicit home-path expansion + suspicious token rejection in high-risk runtime/install paths.
- Add regression tests for path expansion and escaped-token rejection.
- Add `.gitattributes` LF policy.
- Expand Node lint/type/build CI coverage to Linux/macOS/Windows.
- Update install docs with shell-specific guidance and literal `$HOME` troubleshooting.
### Outcomes
- Literal `$HOME` path propagation bug addressed at source.
- Core advisory/install path config now fails fast on invalid path tokens.
---
## Phase 2: Windows Parity for Critical Workflows (Next)
### Quick wins
- Add PowerShell equivalents for the most-used manual install/check commands in:
- `skills/clawsec-suite/SKILL.md`
- `skills/openclaw-audit-watchdog/SKILL.md`
- `README.md`
- Add a lightweight `scripts/preflight.mjs` to detect missing tools and print OS-specific install hints.
### Milestones
- Native PowerShell instructions for suite setup and advisory hook.
- WSL/Git Bash fallback documented where shell scripts are unavoidable.
---
## Phase 3: Reduce POSIX Shell Surface (Deeper Refactor)
### Refactor targets
- `scripts/populate-local-feed.sh`
- `scripts/populate-local-skills.sh`
- `scripts/release-skill.sh`
### Approach
- Re-implement critical paths in Node/Python to remove dependency on `jq/sed/awk/find/chmod` pipelines.
- Preserve shell wrappers for backward compatibility; route to new cross-platform implementations.
### Migration notes
- Keep old script entrypoints as wrappers for at least one minor release.
- Emit deprecation warnings with exact migration commands.
---
## Phase 4: CI Hardening and Ongoing Verification
### Milestones
- Keep Node matrix (Linux/macOS/Windows) as required check.
- Add targeted Windows smoke tests for install path handling.
- Add macOS check for OpenSSL command compatibility notes where relevant.
### Test strategy
- Local:
- Run Node test suites that cover path expansion/suppression/install behavior.
- Run syntax checks for modified scripts.
- CI:
- Matrix Node checks + guarded installer/suppression/path tests.
- Linux-only security scans remain, but explicitly marked as Linux-scoped.
---
## Rollout / Release Considerations
- No breaking interface changes introduced in this patch set; behavior is stricter only for invalid/unexpanded path tokens.
- Communicate in release notes:
- path token validation now enforced
- how to correct invalid quoted env values
- where PowerShell examples live
## Source References
- .gitattributes
- .github/workflows/ci.yml
- scripts/populate-local-feed.sh
- scripts/populate-local-skills.sh
- scripts/release-skill.sh
- skills/clawsec-suite/hooks/clawsec-advisory-guardian/handler.ts
- skills/clawsec-suite/scripts/guarded_skill_install.mjs
- skills/openclaw-audit-watchdog/scripts/load_suppression_config.mjs
- wiki/platform-verification.md
Reference in New Issue View Git Blame Copy Permalink