mirror of
https://github.com/prompt-security/clawsec.git
synced 2026-06-13 05:28:02 +03:00
7cdb4ab7e2
* docs: add agent collaboration and git safety rules to AGENTS.md
* fix(portability): harden cross-platform path handling and install workflows
- add shared path resolution utility for advisory guardian components
- expand and normalize home-path tokens: ~, $HOME, ${HOME}, %USERPROFILE%, $env:USERPROFILE
- reject unresolved/escaped home tokens to prevent literal "$HOME" directory creation
- fix install/runtime path handling in:
  - openclaw-audit-watchdog setup_cron and suppression config loader
  - clawsec-suite advisory hook handler, suppression loader, and guarded installer
- remove hardcoded Homebrew binary assumptions in watchdog scripts/tests
- add LF enforcement via .gitattributes to reduce CRLF script breakage
- expand CI Node checks to linux/macos/windows matrix
- add cross-platform test coverage for path expansion and token rejection
- update README and SKILL docs with bash/zsh/PowerShell-safe path guidance
- add compatibility deliverables:
  - docs/COMPATIBILITY_REPORT.md
  - docs/REMEDIATION_PLAN.md
  - docs/PLATFORM_VERIFICATION.md
Validation:
- node skills/clawsec-suite/test/path_resolution.test.mjs
- node skills/clawsec-suite/test/guarded_install.test.mjs
- node skills/clawsec-suite/test/advisory_suppression.test.mjs
- node skills/openclaw-audit-watchdog/test/suppression_config.test.mjs
- node skills/openclaw-audit-watchdog/test/render_report_suppression.test.mjs
* fix(advisory): avoid fail-open on invalid path vars and cover watchdog tests
* docs: move signing runbooks into docs folder
* docs: remove root-level signing runbooks after move
* chore(clawsec-suite): bump version to 0.1.3
* chore(openclaw-audit-watchdog): bump version to 0.1.1
* docs(changelog): add entries for clawsec-suite 0.1.3 and watchdog 0.1.1
* docs(changelog): credit @aldodelgado for PR #62 contributions
* feat(clawsec-suite): scope advisories to openclaw application
* fix(ci): run advisory scope tests without TypeScript loader
---------
Co-authored-by: David Abutbul <David.a@prompt.security>
Changelog
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
[0.1.1]
Added
- Contributor credit: portability and path-hardening improvements in this release were contributed by @aldodelgado in PR #62.
- Cross-shell home-path expansion support in watchdog path inputs (~, $HOME, ${HOME}, %USERPROFILE%, $env:HOME).
- Regression coverage for suppression-config home-token expansion and escaped-token rejection (test/suppression_config.test.mjs).
Changed
- scripts/codex_review.sh now resolves the Codex CLI from CODEX_BIN, then PATH, then Homebrew fallback for improved portability.
- scripts/setup_cron.mjs now normalizes and validates install-dir/home-derived paths before job creation.
- scripts/load_suppression_config.mjs now resolves/normalizes configured file paths consistently across shell styles.
Security
- Escaped or unresolved home tokens in suppression config paths now fail fast to avoid silently using unintended literal paths.
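
The fail-fast rule above, as an added JavaScript example that is not ClawSec's own code: `resolveUserPath`, both regexes and the sample paths are hypothetical. Rejecting every leftover `$`, `%VAR%` or segment-leading `~` is an assumption about how strict such a check should be.

```javascript
// Added example, not ClawSec code. Uses only globals, so it runs as CommonJS or ESM.

// Home-token spellings listed on this page. A token only counts when it is the
// whole first path segment, so "$HOMEDIR" or "~bob" never match.
const HOME_TOKEN =
  /^(?:~|\$HOME|\$\{HOME\}|%USERPROFILE%|\$env:(?:HOME|USERPROFILE))(?=$|[\\/])/;

// What still looks like shell syntax after expansion: any "$", a %VAR% pair,
// or a segment that starts with "~". Assumption: config paths never need these.
const LEFTOVER = /\$|%[^%\\/]+%|(?:^|[\\/])~/;

function resolveUserPath(input, home = process.env.HOME ?? process.env.USERPROFILE) {
  if (typeof input !== "string" || input.trim() === "") {
    throw new Error("path must be a non-empty string");
  }
  if (!home) throw new Error("home directory is not set");
  const raw = input.trim();
  const match = HOME_TOKEN.exec(raw);
  const rest = match ? raw.slice(match[0].length) : raw;
  // Fail closed: an escaped ("\$HOME"), unknown ("$HOMEDIR") or nested token
  // would otherwise become a literal directory name on disk.
  if (LEFTOVER.test(rest)) {
    throw new Error(`unresolved or escaped token in path: ${input}`);
  }
  if (!match) return raw; // no home token: absolute/relative paths pass through
  // Accept either separator after the token; emit forward slashes.
  const segments = rest.split(/[\\/]+/).filter(Boolean);
  return [home.replace(/[\\/]+$/, ""), ...segments].join("/");
}

// Constructed sample inputs; "/home/alice" is a made-up home directory.
function demo(home = "/home/alice") {
  const inputs = [
    "~/.openclaw/security-audit.json",
    "%USERPROFILE%\\.openclaw\\security-audit.json",
    "\\$HOME/.openclaw/security-audit.json", // escaped token
    "$HOMEDIR/audit.json",                   // unknown variable
  ];
  return inputs.map((p) => {
    try {
      return `${p} -> ${resolveUserPath(p, home)}`;
    } catch (err) {
      return `${p} -> REJECTED`;
    }
  });
}

console.log(demo().join("\n"));
```
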
[0.1.0]
Added
- Suppression/allowlist mechanism with explicit opt-in gating (defense in depth).
- --enable-suppressions CLI flag for run_audit_and_format.sh, render_report.mjs, and runner.sh.
- enabledFor config sentinel -- config must declare "enabledFor": ["audit"] for audit suppression to activate.
- 4-tier config file resolution: explicit --config path > OPENCLAW_AUDIT_CONFIG env var > ~/.openclaw/security-audit.json > .clawsec/allowlist.json.
- INFO-SUPPRESSED section in report output showing suppressed findings with metadata.
- Integration tests for suppression behavior (11 tests in render_report_suppression.test.mjs).
- Unit tests for config loading and opt-in gating (15 tests in suppression_config.test.mjs).
- Test fixtures: empty-suppressions.json, invalid-json.json, malformed-config.json.
Changed
- load_suppression_config.mjs now requires explicit { enabled: true } parameter -- returns empty suppressions by default.
- render_report.mjs passes suppression enabled state to config loader.
- Summary counts in report output are recalculated after filtering suppressed findings.
Security
- Suppression is never active by default -- requires BOTH CLI flag AND config sentinel (defense in depth).
- Environment variables alone cannot activate suppression (prevents ambient attack vector).