From 41912ca27431738b845c06d70df12b56d3d40c8a Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sun, 26 Apr 2026 11:19:28 +0000 Subject: [PATCH] docs(wiki): sync from 0d2e38ddfd954742b93d7e5b44b24d29c0a298b6 --- GENERATION.md | 4 ++ Home.md | 8 ++++ INDEX.md | 8 ++++ modules/picoclaw-security-guardian.md | 63 +++++++++++++++++++++++++++ modules/picoclaw-self-pen-testing.md | 44 +++++++++++++++++++ 5 files changed, 127 insertions(+) create mode 100644 modules/picoclaw-security-guardian.md create mode 100644 modules/picoclaw-self-pen-testing.md diff --git a/GENERATION.md b/GENERATION.md index bf327fb..e4f14da 100644 --- a/GENERATION.md +++ b/GENERATION.md @@ -16,6 +16,8 @@ - Added a dedicated module page for `clawsec-scanner` and linked it from `wiki/INDEX.md`. - Future updates should preserve existing headings and append `Update Notes` sections when making deltas. - 2026-04-15: Expanded `wiki/modules/hermes-attestation-guardian.md` into full narrative claim breakdowns (people-speak + wiring + verification + scenario) and moved draft-plan context into `wiki/modules/hermes-attestation-guardian-draft-history.md`. +- 2026-04-26: Split Picoclaw self-pen-testing into dedicated `wiki/modules/picoclaw-self-pen-testing.md`, and updated `wiki/modules/picoclaw-security-guardian.md` to cover advisory/drift/supply-chain scope only. +- 2026-04-25: Added DeepWiki-friendly `wiki/modules/picoclaw-security-guardian.md` with support-matrix claims, threat model, default safety posture, frontend/advisory-board wiring, verification commands, and source references. Regenerated `public/wiki/**/llms.txt` exports with `npm run gen:wiki-llms`. ## Source References - README.md @@ -24,6 +26,8 @@ - wiki/overview.md - wiki/architecture.md - wiki/modules/clawsec-scanner.md +- wiki/modules/picoclaw-security-guardian.md +- wiki/modules/picoclaw-self-pen-testing.md - wiki/dependencies.md - wiki/data-flow.md - wiki/glossary.md 
diff --git a/Home.md b/Home.md index 0571344..a9ffb32 100644 --- a/Home.md +++ b/Home.md @@ -32,6 +32,8 @@ - [Hermes Attestation Guardian](modules/hermes-attestation-guardian.md) - [Hermes Attestation Guardian Draft History (Archived)](modules/hermes-attestation-guardian-draft-history.md) - [NanoClaw Integration](modules/nanoclaw-integration.md) +- [Picoclaw Security Guardian](modules/picoclaw-security-guardian.md) +- [Picoclaw Self Pen Testing](modules/picoclaw-self-pen-testing.md) - [Automation and Release Pipelines](modules/automation-release.md) - [Local Validation and Packaging Tools](modules/local-tooling.md) @@ -42,6 +44,8 @@ - [Generation Metadata](GENERATION.md) ## Update Notes +- 2026-04-26: Split Picoclaw self-pen-testing into standalone `picoclaw-self-pen-testing`; updated Picoclaw module docs and references. +- 2026-04-25: Added Picoclaw Security Guardian module for advisory awareness, config drift detection, and chain-of-supply verification. - 2026-04-19: Moved NanoClaw platform-support and CI/CD pipeline detail sections out of `README.md` into module pages (`modules/nanoclaw-integration.md`, `modules/automation-release.md`) and left README pointers. - 2026-04-16: Added install-guard compatibility note for Hermes Attestation Guardian (community-source install now SAFE without `--force`; behavior unchanged). - 2026-04-15: Expanded Hermes Attestation Guardian module page into full narrative, claim-by-claim operator guidance (no claim tables), and added archived draft-history module page. 
@@ -58,7 +62,11 @@ - skills/clawsec-suite/skill.json - skills/clawsec-scanner/skill.json - skills/hermes-attestation-guardian/skill.json +- skills/picoclaw-security-guardian/skill.json +- skills/picoclaw-self-pen-testing/skill.json - wiki/modules/clawsec-scanner.md - wiki/modules/hermes-attestation-guardian.md - wiki/modules/hermes-attestation-guardian-draft-history.md +- wiki/modules/picoclaw-security-guardian.md +- wiki/modules/picoclaw-self-pen-testing.md - .github/workflows/ci.yml diff --git a/INDEX.md b/INDEX.md index 0571344..a9ffb32 100644 --- a/INDEX.md +++ b/INDEX.md @@ -32,6 +32,8 @@ - [Hermes Attestation Guardian](modules/hermes-attestation-guardian.md) - [Hermes Attestation Guardian Draft History (Archived)](modules/hermes-attestation-guardian-draft-history.md) - [NanoClaw Integration](modules/nanoclaw-integration.md) +- [Picoclaw Security Guardian](modules/picoclaw-security-guardian.md) +- [Picoclaw Self Pen Testing](modules/picoclaw-self-pen-testing.md) - [Automation and Release Pipelines](modules/automation-release.md) - [Local Validation and Packaging Tools](modules/local-tooling.md) 
@@ -42,6 +44,8 @@ - [Generation Metadata](GENERATION.md) ## Update Notes +- 2026-04-26: Split Picoclaw self-pen-testing into standalone `picoclaw-self-pen-testing`; updated Picoclaw module docs and references. +- 2026-04-25: Added Picoclaw Security Guardian module for advisory awareness, config drift detection, and chain-of-supply verification. - 2026-04-19: Moved NanoClaw platform-support and CI/CD pipeline detail sections out of `README.md` into module pages (`modules/nanoclaw-integration.md`, `modules/automation-release.md`) and left README pointers. - 2026-04-16: Added install-guard compatibility note for Hermes Attestation Guardian (community-source install now SAFE without `--force`; behavior unchanged). - 2026-04-15: Expanded Hermes Attestation Guardian module page into full narrative, claim-by-claim operator guidance (no claim tables), and added archived draft-history module page. @@ -58,7 +62,11 @@ - skills/clawsec-suite/skill.json - skills/clawsec-scanner/skill.json - skills/hermes-attestation-guardian/skill.json +- skills/picoclaw-security-guardian/skill.json +- skills/picoclaw-self-pen-testing/skill.json - wiki/modules/clawsec-scanner.md - wiki/modules/hermes-attestation-guardian.md - wiki/modules/hermes-attestation-guardian-draft-history.md +- wiki/modules/picoclaw-security-guardian.md +- wiki/modules/picoclaw-self-pen-testing.md - .github/workflows/ci.yml diff --git a/modules/picoclaw-security-guardian.md b/modules/picoclaw-security-guardian.md new file mode 100644 index 0000000..baa4d07 --- /dev/null +++ b/modules/picoclaw-security-guardian.md 
@@ -0,0 +1,63 @@ +# Picoclaw Security Guardian + +## Summary + +Current package version: `v0.0.1`. + +`picoclaw-security-guardian` is the core Picoclaw package for: +1. advisory awareness (fail-closed on unverified feed state), +2. deterministic profile generation + drift detection, +3. release artifact supply-chain verification. + +Self-pen-testing checks were intentionally split out into `picoclaw-self-pen-testing` so moderation-sensitive logic can be published/managed independently. + +## Responsibilities + +- Filter Picoclaw-relevant advisories from verified ClawSec feed state/cache. +- Build deterministic posture profiles from Picoclaw config/security files and optional release artifacts. +- Compare baseline vs current profile with severity-ranked findings. +- Verify release artifacts with checksum manifest + required detached signature for passing provenance verdicts. + +## Default safety posture + +- Read-only by default +- No scheduler creation +- No outbound network by default +- Advisory checks fail closed unless verification state is `verified` (or explicit `--allow-unsigned` override) +- Supply-chain verification requires detached-signature verification for a passing provenance result + +## Verification commands + +```bash +python utils/validate_skill.py skills/picoclaw-security-guardian +node skills/picoclaw-security-guardian/test/profile.test.mjs +node skills/picoclaw-security-guardian/test/drift.test.mjs +node skills/picoclaw-security-guardian/test/supply_chain.test.mjs +bash -n skills/picoclaw-security-guardian/test/picoclaw_security_guardian_sandbox_regression.sh +``` + +## Picoclaw-native sandbox regression + +`skills/picoclaw-security-guardian/test/picoclaw_security_guardian_sandbox_regression.sh` publishes the package via a local ClawHub-compatible registry, installs through Picoclaw `find_skills` / `install_skill`, validates skill-loader visibility, and runs installed profile/drift/advisory/supply-chain flows against isolated Picoclaw fixtures. 
+ +## Related package + +- `skills/picoclaw-self-pen-testing/` (optional separate self-pen-testing package) + +## Source references + +- `skills/picoclaw-security-guardian/skill.json` +- `skills/picoclaw-security-guardian/SKILL.md` +- `skills/picoclaw-security-guardian/README.md` +- `skills/picoclaw-security-guardian/lib/profile.mjs` +- `skills/picoclaw-security-guardian/lib/drift.mjs` +- `skills/picoclaw-security-guardian/lib/advisories.mjs` +- `skills/picoclaw-security-guardian/lib/supply_chain.mjs` +- `skills/picoclaw-security-guardian/scripts/generate_profile.mjs` +- `skills/picoclaw-security-guardian/scripts/check_drift.mjs` +- `skills/picoclaw-security-guardian/scripts/check_advisories.mjs` +- `skills/picoclaw-security-guardian/scripts/verify_supply_chain.mjs` +- `skills/picoclaw-security-guardian/test/profile.test.mjs` +- `skills/picoclaw-security-guardian/test/drift.test.mjs` +- `skills/picoclaw-security-guardian/test/supply_chain.test.mjs` +- `skills/picoclaw-security-guardian/test/picoclaw_security_guardian_sandbox_regression.sh` diff --git a/modules/picoclaw-self-pen-testing.md b/modules/picoclaw-self-pen-testing.md new file mode 100644 index 0000000..c45df6a --- /dev/null +++ b/modules/picoclaw-self-pen-testing.md 
@@ -0,0 +1,44 @@ +# Picoclaw Self Pen Testing + +## Summary + +Current package version: `v0.0.1`. + +`picoclaw-self-pen-testing` is a standalone Picoclaw package that runs local, read-only self-pen-testing style checks from a generated Picoclaw posture profile. + +This package is intentionally separate from `picoclaw-security-guardian` so moderation-sensitive findings can be shipped independently. + +## What it checks + +- Public Web UI exposure +- Disabled Web UI auth +- Unrestricted workspace/tooling posture +- Unsafely unsigned verification mode +- MCP trust-boundary review needs +- Scheduler persistence review +- Plaintext secret markers +- Multi-channel auth review + +## Usage + +```bash +node skills/picoclaw-self-pen-testing/scripts/self_pen_test.mjs \ + --profile ~/.picoclaw/security/clawsec/current-profile.json +``` + +## Validation + +```bash +python utils/validate_skill.py skills/picoclaw-self-pen-testing +node skills/picoclaw-self-pen-testing/test/self_pen_test.test.mjs +``` + +## Source references + +- `skills/picoclaw-self-pen-testing/skill.json` +- `skills/picoclaw-self-pen-testing/SKILL.md` +- `skills/picoclaw-self-pen-testing/README.md` +- `skills/picoclaw-self-pen-testing/lib/self_pen_test.mjs` +- `skills/picoclaw-self-pen-testing/lib/format.mjs` +- `skills/picoclaw-self-pen-testing/scripts/self_pen_test.mjs` +- `skills/picoclaw-self-pen-testing/test/self_pen_test.test.mjs`
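Review bot: In the GENERATION.md log hunk, the 2026-04-25 entry says `wiki/modules/picoclaw-security-guardian.md` was added with support-matrix claims, a threat model and frontend/advisory-board wiring, but the page created by this same patch contains none of those sections (it has Summary, Responsibilities, Default safety posture, Verification commands, the sandbox regression, Related package and Source references). Either restore those sections or have the 2026-04-26 entry state that they were dropped in the split, so the log matches the page a reader will actually find. The new entries also follow the 2026-04-15 line as 04-26 then 04-25, which is not in date order in either direction; place them to match the rest of the list.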
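Review bot: The 2026-04-25 line added under Update Notes in Home.md, and the identical line in INDEX.md, names the third capability "chain-of-supply verification", while the module page and the GENERATION.md entry in this patch say "supply-chain verification" throughout. Use "supply-chain verification" in both files so a search of the wiki for the term also finds these entries.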
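Review bot: The Verification commands block in modules/picoclaw-security-guardian.md runs tests for profile, drift and supply_chain only, with nothing for `lib/advisories.mjs` or `scripts/check_advisories.mjs`, although fail-closed advisory handling is the first capability the Summary claims. Add an advisory test to that block and to Source references, covering both a non-`verified` feed state and the `--allow-unsigned` override, or say explicitly that the sandbox regression is the only coverage. As listed, `bash -n` only parses the sandbox regression script and does not run it, so none of the five commands exercises the advisory flow. The Default safety posture list should also name which script accepts `--allow-unsigned`, since that flag is the one documented way to weaken the fail-closed default.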
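Review bot: The Usage section of modules/picoclaw-self-pen-testing.md passes `--profile ~/.picoclaw/security/clawsec/current-profile.json` without saying how that file is produced. This package's Source references list no profile generator, while `scripts/generate_profile.mjs` appears only under `picoclaw-security-guardian`. Add a prerequisite line naming the command that writes the profile, and a Related package section pointing back to `picoclaw-security-guardian` (that page already links here), so "standalone" is not read as "no dependency". In What it checks, "Unsafely unsigned verification mode" would be clearer if it named the setting it looks for, for example the guardian's `--allow-unsigned` override if that is what is meant.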