gnezim/clawsec
1
0
Fork 0
mirror of https://github.com/prompt-security/clawsec.git synced 2026-06-13 05:28:02 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
81c2e6051388094112c7a24b634a22a8147da4e3
clawsec/skills/clawsec-nanoclaw/CHANGELOG.md
T
davida-ps 81c2e60513 fix(ci): temporary clawhub publish workaround for MIT-0 consent (#117) 
* fix(ci): patch clawhub publish payload for temporary MIT-0 consent workaround

* fix(ci): make clawhub publish patch self-contained for tag republish

* fix(clawsec-nanoclaw): harden signature verification boundaries

* chore(clawsec-nanoclaw): bump version to 0.0.3

* fix(clawsec-nanoclaw): normalize integrity policy and baseline paths
2026-03-09 19:30:22 +02:00

2.0 KiB
Raw Blame History

Changelog

All notable changes to the ClawSec NanoClaw compatibility skill will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[0.0.3] - 2026-03-09

Security

  • Removed runtime public-key override from host-side package signature verification; verification now always uses the pinned ClawSec key.
  • Removed unsigned-package override path in host-side verification flow.
  • Added strict package/signature path policy for signature verification (/tmp, /var/tmp, /workspace/ipc, /workspace/project/data, /workspace/project/tmp, /workspace/project/downloads) with absolute-path, extension, symlink, and realpath boundary checks.
  • Added policy-bound path enforcement for integrity approvals: approvals now require normalized paths that are explicitly present in non-ignored integrity policy targets.

Changed

  • Updated MCP signature verification tool docs and behavior to align with bounded path policy and pinned-key-only verification.
  • Added regression tests for signature-verification and integrity-approval hardening invariants.

[0.0.2] - 2026-02-28

Added

  • Exploitability-aware advisory output in NanoClaw MCP tools (exploitability_score, exploitability_rationale).
  • Exploitability filtering (exploitabilityScore) for clawsec_list_advisories.

Changed

  • Updated NanoClaw advisory sorting and pre-install safety recommendation logic to prioritize exploitability context.
  • Updated NanoClaw integration docs to match current host/container integration points (src/ipc.ts, src/index.ts) and current cache schema.
  • Removed duplicate exploitability normalization logic from MCP advisory tools and now reuse normalizeExploitabilityScore from lib/risk.ts.
  • Reused matchesAffectedSpecifier from lib/advisories.ts in MCP advisory tools to keep skill/version matching logic centralized and consistent.
Reference in New Issue View Git Blame Copy Permalink