gnezim/clawsec
1
0
Fork 0
mirror of https://github.com/prompt-security/clawsec.git synced 2026-06-13 05:28:02 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
7cdb4ab7e245d210b8cacf66874f9eb491e93464
clawsec/docs/PLATFORM_VERIFICATION.md
T
Aldo Delgado 7cdb4ab7e2 fix(portability): harden cross-platform path handling and install workflows (#62) 
* docs: add agent collaboration and git safety rules to AGENTS.md

* fix(portability): harden cross-platform path handling and install workflows

- add shared path resolution utility for advisory guardian components
- expand and normalize home-path tokens: ~, $HOME, ${HOME}, %USERPROFILE%, $env:USERPROFILE
- reject unresolved/escaped home tokens to prevent literal "$HOME" directory creation
- fix install/runtime path handling in:
  - openclaw-audit-watchdog setup_cron and suppression config loader
  - clawsec-suite advisory hook handler, suppression loader, and guarded installer
- remove hardcoded Homebrew binary assumptions in watchdog scripts/tests
- add LF enforcement via .gitattributes to reduce CRLF script breakage
- expand CI Node checks to linux/macos/windows matrix
- add cross-platform test coverage for path expansion and token rejection
- update README and SKILL docs with bash/zsh/PowerShell-safe path guidance
- add compatibility deliverables:
  - docs/COMPATIBILITY_REPORT.md
  - docs/REMEDIATION_PLAN.md
  - docs/PLATFORM_VERIFICATION.md

Validation:
- node skills/clawsec-suite/test/path_resolution.test.mjs
- node skills/clawsec-suite/test/guarded_install.test.mjs
- node skills/clawsec-suite/test/advisory_suppression.test.mjs
- node skills/openclaw-audit-watchdog/test/suppression_config.test.mjs
- node skills/openclaw-audit-watchdog/test/render_report_suppression.test.mjs

* fix(advisory): avoid fail-open on invalid path vars and cover watchdog tests

* docs: move signing runbooks into docs folder

* docs: remove root-level signing runbooks after move

* chore(clawsec-suite): bump version to 0.1.3

* chore(openclaw-audit-watchdog): bump version to 0.1.1

* docs(changelog): add entries for clawsec-suite 0.1.3 and watchdog 0.1.1

* docs(changelog): credit @aldodelgado for PR #62 contributions

* feat(clawsec-suite): scope advisories to openclaw application

* fix(ci): run advisory scope tests without TypeScript loader

---------

Co-authored-by: David Abutbul <David.a@prompt.security>
2026-02-25 13:24:31 +02:00

3.1 KiB
Raw Blame History

Platform Verification Checklist

Use this checklist to validate portability and path-handling behavior after changes.

Linux Verification

  1. Run core Node tests:

    node skills/clawsec-suite/test/path_resolution.test.mjs
node skills/clawsec-suite/test/guarded_install.test.mjs
node skills/clawsec-suite/test/advisory_suppression.test.mjs
node skills/openclaw-audit-watchdog/test/suppression_config.test.mjs

    Expected: all tests pass.

  2. Verify no literal $HOME path acceptance:

    CLAWSEC_LOCAL_FEED='\$HOME/advisories/feed.json' \
node skills/clawsec-suite/scripts/guarded_skill_install.mjs --skill test-skill --dry-run

    Expected: exits non-zero with Unexpanded home token error.

  3. Verify $HOME expansion works:

    HOME=/tmp/clawsec-home node skills/clawsec-suite/test/path_resolution.test.mjs

    Expected: $HOME expansion tests pass.

macOS Verification

  1. Run the same Node test suite as Linux.
  2. Confirm OpenSSL tooling path assumptions are documented:
    • If using LibreSSL/OpenSSL variations, ensure checks use tested command forms from docs.
  3. Verify tilde expansion in config path: 
    OPENCLAW_AUDIT_CONFIG=~/.openclaw/security-audit.json \
node skills/openclaw-audit-watchdog/scripts/load_suppression_config.mjs --enable-suppressions
    Expected: path resolves correctly (or clear file-not-found error at expanded location).

Windows Verification (PowerShell)

  1. Run Node tests:

    node skills/clawsec-suite/test/path_resolution.test.mjs
node skills/clawsec-suite/test/guarded_install.test.mjs
node skills/clawsec-suite/test/advisory_suppression.test.mjs

    Expected: all pass.

  2. Verify PowerShell env path expansion behavior:

    $env:CLAWSEC_LOCAL_FEED = '$env:USERPROFILE\advisories\feed.json'
node skills/clawsec-suite/scripts/guarded_skill_install.mjs --skill test-skill --dry-run

    Expected: path token is expanded/normalized or fails with a clear error if target files are missing.

  3. Verify escaped literal token rejection:

    $env:CLAWSEC_LOCAL_FEED = '\$HOME\advisories\feed.json'
node skills/clawsec-suite/scripts/guarded_skill_install.mjs --skill test-skill --dry-run

    Expected: Unexpanded home token error; no directory creation with literal $HOME.

Line Endings Sanity

  1. Confirm LF policy is present:

    test -f .gitattributes && grep -n "eol=lf" .gitattributes

    Expected: script/config file patterns enforce LF.

  2. After a CRLF-prone checkout, verify scripts still parse:

    bash -n scripts/populate-local-feed.sh
bash -n scripts/populate-local-skills.sh

    Expected: no ^M shebang/parse errors.

Explicit Bug Check: No Literal $HOME Directory Creation

  1. Configure a path with a literal/escaped token.
  2. Run setup/install command.
  3. Verify command fails early with token error.
  4. Confirm no $HOME segment directory was created under working directories.

Expected outcome: no directories containing literal $HOME are created by supported setup scripts.

Reference in New Issue View Git Blame Copy Permalink