docs(wiki): sync from 369745821f

GENERATION.md

@@ -15,6 +15,7 @@
 - Updated index and cross-links to use `wiki/` as the documentation source of truth.
 - Added a dedicated module page for `clawsec-scanner` and linked it from `wiki/INDEX.md`.
 - Future updates should preserve existing headings and append `Update Notes` sections when making deltas.
+- 2026-05-04: Added `wiki/modules/runtime-traffic-guardian-baseline.md` and platform-specific runtime traffic guardian skill scaffolds for OpenClaw, Hermes, NanoClaw, and Picoclaw.
 - 2026-04-15: Expanded `wiki/modules/hermes-attestation-guardian.md` into full narrative claim breakdowns (people-speak + wiring + verification + scenario) and moved draft-plan context into `wiki/modules/hermes-attestation-guardian-draft-history.md`.
 - 2026-04-26: Split Picoclaw self-pen-testing into dedicated `wiki/modules/picoclaw-self-pen-testing.md`, and updated `wiki/modules/picoclaw-security-guardian.md` to cover advisory/drift/supply-chain scope only.
 - 2026-04-25: Added DeepWiki-friendly `wiki/modules/picoclaw-security-guardian.md` with support-matrix claims, threat model, default safety posture, frontend/advisory-board wiring, verification commands, and source references. Regenerated `public/wiki/**/llms.txt` exports with `npm run gen:wiki-llms`.
@@ -28,6 +29,7 @@
 - wiki/modules/clawsec-scanner.md
 - wiki/modules/picoclaw-security-guardian.md
 - wiki/modules/picoclaw-self-pen-testing.md
+- wiki/modules/runtime-traffic-guardian-baseline.md
 - wiki/dependencies.md
 - wiki/data-flow.md
 - wiki/glossary.md

Home.md

@@ -42,6 +42,7 @@
 - [NanoClaw Integration](modules/nanoclaw-integration.md)
 - [Picoclaw Security Guardian](modules/picoclaw-security-guardian.md)
 - [Picoclaw Self Pen Testing](modules/picoclaw-self-pen-testing.md)
+- [Runtime Traffic Guardian Baseline](modules/runtime-traffic-guardian-baseline.md)
 - [Automation and Release Pipelines](modules/automation-release.md)
 - [Local Validation and Packaging Tools](modules/local-tooling.md)
 
@@ -52,6 +53,7 @@
 - [Generation Metadata](GENERATION.md)
 
 ## Update Notes
+- 2026-05-04: Added runtime traffic guardian baseline module and platform-specific skill scaffolds for OpenClaw, Hermes, NanoClaw, and Picoclaw.
 - 2026-04-26: Split Picoclaw self-pen-testing into standalone `picoclaw-self-pen-testing`; updated Picoclaw module docs and references.
 - 2026-04-25: Added Picoclaw Security Guardian module for advisory awareness, config drift detection, and chain-of-supply verification.
 - 2026-04-19: Moved NanoClaw platform-support and CI/CD pipeline detail sections out of `README.md` into module pages (`modules/nanoclaw-integration.md`, `modules/automation-release.md`) and left README pointers.
@@ -70,11 +72,16 @@
 - skills/clawsec-suite/skill.json
 - skills/clawsec-scanner/skill.json
 - skills/hermes-attestation-guardian/skill.json
+- skills/hermes-traffic-guardian/skill.json
+- skills/nanoclaw-traffic-guardian/skill.json
+- skills/openclaw-traffic-guardian/skill.json
 - skills/picoclaw-security-guardian/skill.json
 - skills/picoclaw-self-pen-testing/skill.json
+- skills/picoclaw-traffic-guardian/skill.json
 - wiki/modules/clawsec-scanner.md
 - wiki/modules/hermes-attestation-guardian.md
 - wiki/modules/hermes-attestation-guardian-draft-history.md
 - wiki/modules/picoclaw-security-guardian.md
 - wiki/modules/picoclaw-self-pen-testing.md
+- wiki/modules/runtime-traffic-guardian-baseline.md
 - .github/workflows/ci.yml

INDEX.md

@@ -42,6 +42,7 @@
 - [NanoClaw Integration](modules/nanoclaw-integration.md)
 - [Picoclaw Security Guardian](modules/picoclaw-security-guardian.md)
 - [Picoclaw Self Pen Testing](modules/picoclaw-self-pen-testing.md)
+- [Runtime Traffic Guardian Baseline](modules/runtime-traffic-guardian-baseline.md)
 - [Automation and Release Pipelines](modules/automation-release.md)
 - [Local Validation and Packaging Tools](modules/local-tooling.md)
 
@@ -52,6 +53,7 @@
 - [Generation Metadata](GENERATION.md)
 
 ## Update Notes
+- 2026-05-04: Added runtime traffic guardian baseline module and platform-specific skill scaffolds for OpenClaw, Hermes, NanoClaw, and Picoclaw.
 - 2026-04-26: Split Picoclaw self-pen-testing into standalone `picoclaw-self-pen-testing`; updated Picoclaw module docs and references.
 - 2026-04-25: Added Picoclaw Security Guardian module for advisory awareness, config drift detection, and chain-of-supply verification.
 - 2026-04-19: Moved NanoClaw platform-support and CI/CD pipeline detail sections out of `README.md` into module pages (`modules/nanoclaw-integration.md`, `modules/automation-release.md`) and left README pointers.
@@ -70,11 +72,16 @@
 - skills/clawsec-suite/skill.json
 - skills/clawsec-scanner/skill.json
 - skills/hermes-attestation-guardian/skill.json
+- skills/hermes-traffic-guardian/skill.json
+- skills/nanoclaw-traffic-guardian/skill.json
+- skills/openclaw-traffic-guardian/skill.json
 - skills/picoclaw-security-guardian/skill.json
 - skills/picoclaw-self-pen-testing/skill.json
+- skills/picoclaw-traffic-guardian/skill.json
 - wiki/modules/clawsec-scanner.md
 - wiki/modules/hermes-attestation-guardian.md
 - wiki/modules/hermes-attestation-guardian-draft-history.md
 - wiki/modules/picoclaw-security-guardian.md
 - wiki/modules/picoclaw-self-pen-testing.md
+- wiki/modules/runtime-traffic-guardian-baseline.md
 - .github/workflows/ci.yml

de/GENERATION.md

@@ -20,6 +20,7 @@ Review status: draft
 - Updated index and cross-links to use `wiki/` as the documentation source of truth.
 - Added a dedicated module page for `clawsec-scanner` and linked it from `wiki/INDEX.md`.
 - Future updates should preserve existing headings and append `Update Notes` sections when making deltas.
+- 2026-05-04: Added `wiki/modules/runtime-traffic-guardian-baseline.md` and platform-specific runtime traffic guardian skill scaffolds for OpenClaw, Hermes, NanoClaw, and Picoclaw.
 - 2026-04-15: Expanded `wiki/modules/hermes-attestation-guardian.md` into full narrative claim breakdowns (people-speak + wiring + verification + scenario) and moved draft-plan context into `wiki/modules/hermes-attestation-guardian-draft-history.md`.
 - 2026-04-26: Split Picoclaw self-pen-testing into dedicated `wiki/modules/picoclaw-self-pen-testing.md`, and updated `wiki/modules/picoclaw-security-guardian.md` to cover advisory/drift/supply-chain scope only.
 - 2026-04-25: Added DeepWiki-friendly `wiki/modules/picoclaw-security-guardian.md` with support-matrix claims, threat model, default safety posture, frontend/advisory-board wiring, verification commands, and source references. Regenerated `public/wiki/**/llms.txt` exports with `npm run gen:wiki-llms`.
@@ -31,6 +32,7 @@ Review status: draft
 - wiki/overview.md
 - wiki/architecture.md
 - wiki/modules/clawsec-scanner.md
+- wiki/modules/runtime-traffic-guardian-baseline.md
 - wiki/modules/picoclaw-security-guardian.md
 - wiki/modules/picoclaw-self-pen-testing.md
 - wiki/dependencies.md

de/INDEX.md

@@ -44,6 +44,7 @@ Review status: draft
 - [NanoClaw Integration](../modules/nanoclaw-integration.md)
 - [Picoclaw Security Guardian](../modules/picoclaw-security-guardian.md)
 - [Picoclaw Self Pen Testing](../modules/picoclaw-self-pen-testing.md)
+- [Runtime Traffic Guardian Baseline](../modules/runtime-traffic-guardian-baseline.md)
 - [Automation and Release Pipelines](../modules/automation-release.md)
 - [Local Validation and Packaging Tools](../modules/local-tooling.md)
 
@@ -54,6 +55,7 @@ Review status: draft
 - [Generation Metadata](GENERATION.md)
 
 ## Update Notes
+- 2026-05-04: Added runtime traffic guardian baseline module and platform-specific skill scaffolds for OpenClaw, Hermes, NanoClaw, and Picoclaw.
 - 2026-04-26: Split Picoclaw self-pen-testing into standalone `picoclaw-self-pen-testing`; updated Picoclaw module docs and references.
 - 2026-04-25: Added Picoclaw Security Guardian module for advisory awareness, config drift detection, and chain-of-supply verification.
 - 2026-04-19: Moved NanoClaw platform-support and CI/CD pipeline detail sections out of `README.md` into module pages (`modules/nanoclaw-integration.md`, `modules/automation-release.md`) and left README pointers.
@@ -72,11 +74,16 @@ Review status: draft
 - skills/clawsec-suite/skill.json
 - skills/clawsec-scanner/skill.json
 - skills/hermes-attestation-guardian/skill.json
+- skills/hermes-traffic-guardian/skill.json
+- skills/nanoclaw-traffic-guardian/skill.json
+- skills/openclaw-traffic-guardian/skill.json
 - skills/picoclaw-security-guardian/skill.json
 - skills/picoclaw-self-pen-testing/skill.json
+- skills/picoclaw-traffic-guardian/skill.json
 - wiki/modules/clawsec-scanner.md
 - wiki/modules/hermes-attestation-guardian.md
 - wiki/modules/hermes-attestation-guardian-draft-history.md
 - wiki/modules/picoclaw-security-guardian.md
 - wiki/modules/picoclaw-self-pen-testing.md
+- wiki/modules/runtime-traffic-guardian-baseline.md
 - .github/workflows/ci.yml

es/GENERATION.md

@@ -20,6 +20,7 @@ Review status: draft
 - Updated index and cross-links to use `wiki/` as the documentation source of truth.
 - Added a dedicated module page for `clawsec-scanner` and linked it from `wiki/INDEX.md`.
 - Future updates should preserve existing headings and append `Update Notes` sections when making deltas.
+- 2026-05-04: Added `wiki/modules/runtime-traffic-guardian-baseline.md` and platform-specific runtime traffic guardian skill scaffolds for OpenClaw, Hermes, NanoClaw, and Picoclaw.
 - 2026-04-15: Expanded `wiki/modules/hermes-attestation-guardian.md` into full narrative claim breakdowns (people-speak + wiring + verification + scenario) and moved draft-plan context into `wiki/modules/hermes-attestation-guardian-draft-history.md`.
 - 2026-04-26: Split Picoclaw self-pen-testing into dedicated `wiki/modules/picoclaw-self-pen-testing.md`, and updated `wiki/modules/picoclaw-security-guardian.md` to cover advisory/drift/supply-chain scope only.
 - 2026-04-25: Added DeepWiki-friendly `wiki/modules/picoclaw-security-guardian.md` with support-matrix claims, threat model, default safety posture, frontend/advisory-board wiring, verification commands, and source references. Regenerated `public/wiki/**/llms.txt` exports with `npm run gen:wiki-llms`.
@@ -31,6 +32,7 @@ Review status: draft
 - wiki/overview.md
 - wiki/architecture.md
 - wiki/modules/clawsec-scanner.md
+- wiki/modules/runtime-traffic-guardian-baseline.md
 - wiki/modules/picoclaw-security-guardian.md
 - wiki/modules/picoclaw-self-pen-testing.md
 - wiki/dependencies.md

es/INDEX.md

@@ -35,6 +35,7 @@
 - [NanoClaw Integration](../modules/nanoclaw-integration.md)
 - [Picoclaw Security Guardian](../modules/picoclaw-security-guardian.md)
 - [Picoclaw Self Pen Testing](../modules/picoclaw-self-pen-testing.md)
+- [Runtime Traffic Guardian Baseline](../modules/runtime-traffic-guardian-baseline.md)
 - [Automation and Release Pipelines](../modules/automation-release.md)
 - [Local Validation and Packaging Tools](../modules/local-tooling.md)
 
@@ -45,6 +46,7 @@
 - [Generation Metadata](../GENERATION.md)
 
 ## Notas de actualización
+- 2026-05-04: Added runtime traffic guardian baseline module and platform-specific skill scaffolds for OpenClaw, Hermes, NanoClaw, and Picoclaw.
 - 2026-04-27: Añadida traducción inicial al español (`wiki/es/INDEX.md`, `wiki/es/overview.md`) como fase 1.
 - 2026-04-26: Separado Picoclaw self-pen-testing en `picoclaw-self-pen-testing`; actualizados docs y referencias de módulo Picoclaw.
 - 2026-04-25: Añadido módulo Picoclaw Security Guardian para awareness de advisories, detección de drift de configuración y verificación de cadena de suministro.
@@ -60,6 +62,11 @@
 - `skills/clawsec-suite/skill.json`
 - `skills/clawsec-scanner/skill.json`
 - `skills/hermes-attestation-guardian/skill.json`
+- `skills/hermes-traffic-guardian/skill.json`
+- `skills/nanoclaw-traffic-guardian/skill.json`
+- `skills/openclaw-traffic-guardian/skill.json`
 - `skills/picoclaw-security-guardian/skill.json`
 - `skills/picoclaw-self-pen-testing/skill.json`
+- `skills/picoclaw-traffic-guardian/skill.json`
+- `wiki/modules/runtime-traffic-guardian-baseline.md`
 - `.github/workflows/ci.yml`

fr/GENERATION.md

@@ -20,6 +20,7 @@ Review status: draft
 - Updated index and cross-links to use `wiki/` as the documentation source of truth.
 - Added a dedicated module page for `clawsec-scanner` and linked it from `wiki/INDEX.md`.
 - Future updates should preserve existing headings and append `Update Notes` sections when making deltas.
+- 2026-05-04: Added `wiki/modules/runtime-traffic-guardian-baseline.md` and platform-specific runtime traffic guardian skill scaffolds for OpenClaw, Hermes, NanoClaw, and Picoclaw.
 - 2026-04-15: Expanded `wiki/modules/hermes-attestation-guardian.md` into full narrative claim breakdowns (people-speak + wiring + verification + scenario) and moved draft-plan context into `wiki/modules/hermes-attestation-guardian-draft-history.md`.
 - 2026-04-26: Split Picoclaw self-pen-testing into dedicated `wiki/modules/picoclaw-self-pen-testing.md`, and updated `wiki/modules/picoclaw-security-guardian.md` to cover advisory/drift/supply-chain scope only.
 - 2026-04-25: Added DeepWiki-friendly `wiki/modules/picoclaw-security-guardian.md` with support-matrix claims, threat model, default safety posture, frontend/advisory-board wiring, verification commands, and source references. Regenerated `public/wiki/**/llms.txt` exports with `npm run gen:wiki-llms`.
@@ -31,6 +32,7 @@ Review status: draft
 - wiki/overview.md
 - wiki/architecture.md
 - wiki/modules/clawsec-scanner.md
+- wiki/modules/runtime-traffic-guardian-baseline.md
 - wiki/modules/picoclaw-security-guardian.md
 - wiki/modules/picoclaw-self-pen-testing.md
 - wiki/dependencies.md

fr/INDEX.md

@@ -44,6 +44,7 @@ Review status: draft
 - [NanoClaw Integration](../modules/nanoclaw-integration.md)
 - [Picoclaw Security Guardian](../modules/picoclaw-security-guardian.md)
 - [Picoclaw Self Pen Testing](../modules/picoclaw-self-pen-testing.md)
+- [Runtime Traffic Guardian Baseline](../modules/runtime-traffic-guardian-baseline.md)
 - [Automation and Release Pipelines](../modules/automation-release.md)
 - [Local Validation and Packaging Tools](../modules/local-tooling.md)
 
@@ -54,6 +55,7 @@ Review status: draft
 - [Generation Metadata](GENERATION.md)
 
 ## Update Notes
+- 2026-05-04: Added runtime traffic guardian baseline module and platform-specific skill scaffolds for OpenClaw, Hermes, NanoClaw, and Picoclaw.
 - 2026-04-26: Split Picoclaw self-pen-testing into standalone `picoclaw-self-pen-testing`; updated Picoclaw module docs and references.
 - 2026-04-25: Added Picoclaw Security Guardian module for advisory awareness, config drift detection, and chain-of-supply verification.
 - 2026-04-19: Moved NanoClaw platform-support and CI/CD pipeline detail sections out of `README.md` into module pages (`modules/nanoclaw-integration.md`, `modules/automation-release.md`) and left README pointers.
@@ -72,11 +74,16 @@ Review status: draft
 - skills/clawsec-suite/skill.json
 - skills/clawsec-scanner/skill.json
 - skills/hermes-attestation-guardian/skill.json
+- skills/hermes-traffic-guardian/skill.json
+- skills/nanoclaw-traffic-guardian/skill.json
+- skills/openclaw-traffic-guardian/skill.json
 - skills/picoclaw-security-guardian/skill.json
 - skills/picoclaw-self-pen-testing/skill.json
+- skills/picoclaw-traffic-guardian/skill.json
 - wiki/modules/clawsec-scanner.md
 - wiki/modules/hermes-attestation-guardian.md
 - wiki/modules/hermes-attestation-guardian-draft-history.md
 - wiki/modules/picoclaw-security-guardian.md
 - wiki/modules/picoclaw-self-pen-testing.md
+- wiki/modules/runtime-traffic-guardian-baseline.md
 - .github/workflows/ci.yml

ja/GENERATION.md

@@ -20,6 +20,7 @@ Review status: draft
 - Updated index and cross-links to use `wiki/` as the documentation source of truth.
 - Added a dedicated module page for `clawsec-scanner` and linked it from `wiki/INDEX.md`.
 - Future updates should preserve existing headings and append `Update Notes` sections when making deltas.
+- 2026-05-04: Added `wiki/modules/runtime-traffic-guardian-baseline.md` and platform-specific runtime traffic guardian skill scaffolds for OpenClaw, Hermes, NanoClaw, and Picoclaw.
 - 2026-04-15: Expanded `wiki/modules/hermes-attestation-guardian.md` into full narrative claim breakdowns (people-speak + wiring + verification + scenario) and moved draft-plan context into `wiki/modules/hermes-attestation-guardian-draft-history.md`.
 - 2026-04-26: Split Picoclaw self-pen-testing into dedicated `wiki/modules/picoclaw-self-pen-testing.md`, and updated `wiki/modules/picoclaw-security-guardian.md` to cover advisory/drift/supply-chain scope only.
 - 2026-04-25: Added DeepWiki-friendly `wiki/modules/picoclaw-security-guardian.md` with support-matrix claims, threat model, default safety posture, frontend/advisory-board wiring, verification commands, and source references. Regenerated `public/wiki/**/llms.txt` exports with `npm run gen:wiki-llms`.
@@ -31,6 +32,7 @@ Review status: draft
 - wiki/overview.md
 - wiki/architecture.md
 - wiki/modules/clawsec-scanner.md
+- wiki/modules/runtime-traffic-guardian-baseline.md
 - wiki/modules/picoclaw-security-guardian.md
 - wiki/modules/picoclaw-self-pen-testing.md
 - wiki/dependencies.md

ja/INDEX.md

@@ -44,6 +44,7 @@ Review status: draft
 - [NanoClaw Integration](../modules/nanoclaw-integration.md)
 - [Picoclaw Security Guardian](../modules/picoclaw-security-guardian.md)
 - [Picoclaw Self Pen Testing](../modules/picoclaw-self-pen-testing.md)
+- [Runtime Traffic Guardian Baseline](../modules/runtime-traffic-guardian-baseline.md)
 - [Automation and Release Pipelines](../modules/automation-release.md)
 - [Local Validation and Packaging Tools](../modules/local-tooling.md)
 
@@ -54,6 +55,7 @@ Review status: draft
 - [Generation Metadata](GENERATION.md)
 
 ## Update Notes
+- 2026-05-04: Added runtime traffic guardian baseline module and platform-specific skill scaffolds for OpenClaw, Hermes, NanoClaw, and Picoclaw.
 - 2026-04-26: Split Picoclaw self-pen-testing into standalone `picoclaw-self-pen-testing`; updated Picoclaw module docs and references.
 - 2026-04-25: Added Picoclaw Security Guardian module for advisory awareness, config drift detection, and chain-of-supply verification.
 - 2026-04-19: Moved NanoClaw platform-support and CI/CD pipeline detail sections out of `README.md` into module pages (`modules/nanoclaw-integration.md`, `modules/automation-release.md`) and left README pointers.
@@ -72,11 +74,16 @@ Review status: draft
 - skills/clawsec-suite/skill.json
 - skills/clawsec-scanner/skill.json
 - skills/hermes-attestation-guardian/skill.json
+- skills/hermes-traffic-guardian/skill.json
+- skills/nanoclaw-traffic-guardian/skill.json
+- skills/openclaw-traffic-guardian/skill.json
 - skills/picoclaw-security-guardian/skill.json
 - skills/picoclaw-self-pen-testing/skill.json
+- skills/picoclaw-traffic-guardian/skill.json
 - wiki/modules/clawsec-scanner.md
 - wiki/modules/hermes-attestation-guardian.md
 - wiki/modules/hermes-attestation-guardian-draft-history.md
 - wiki/modules/picoclaw-security-guardian.md
 - wiki/modules/picoclaw-self-pen-testing.md
+- wiki/modules/runtime-traffic-guardian-baseline.md
 - .github/workflows/ci.yml

ko/GENERATION.md

@@ -20,6 +20,7 @@ Review status: draft
 - Updated index and cross-links to use `wiki/` as the documentation source of truth.
 - Added a dedicated module page for `clawsec-scanner` and linked it from `wiki/INDEX.md`.
 - Future updates should preserve existing headings and append `Update Notes` sections when making deltas.
+- 2026-05-04: Added `wiki/modules/runtime-traffic-guardian-baseline.md` and platform-specific runtime traffic guardian skill scaffolds for OpenClaw, Hermes, NanoClaw, and Picoclaw.
 - 2026-04-15: Expanded `wiki/modules/hermes-attestation-guardian.md` into full narrative claim breakdowns (people-speak + wiring + verification + scenario) and moved draft-plan context into `wiki/modules/hermes-attestation-guardian-draft-history.md`.
 - 2026-04-26: Split Picoclaw self-pen-testing into dedicated `wiki/modules/picoclaw-self-pen-testing.md`, and updated `wiki/modules/picoclaw-security-guardian.md` to cover advisory/drift/supply-chain scope only.
 - 2026-04-25: Added DeepWiki-friendly `wiki/modules/picoclaw-security-guardian.md` with support-matrix claims, threat model, default safety posture, frontend/advisory-board wiring, verification commands, and source references. Regenerated `public/wiki/**/llms.txt` exports with `npm run gen:wiki-llms`.
@@ -31,6 +32,7 @@ Review status: draft
 - wiki/overview.md
 - wiki/architecture.md
 - wiki/modules/clawsec-scanner.md
+- wiki/modules/runtime-traffic-guardian-baseline.md
 - wiki/modules/picoclaw-security-guardian.md
 - wiki/modules/picoclaw-self-pen-testing.md
 - wiki/dependencies.md

ko/INDEX.md

@@ -22,14 +22,21 @@
 ## 모듈
 - [Frontend Web App](../modules/frontend-web.md)
 - [ClawSec Suite Core](../modules/clawsec-suite.md)
+- [Runtime Traffic Guardian Baseline](../modules/runtime-traffic-guardian-baseline.md)
 - [NanoClaw Integration](../modules/nanoclaw-integration.md)
 - [Hermes Attestation Guardian](../modules/hermes-attestation-guardian.md)
 - [Picoclaw Security Guardian](../modules/picoclaw-security-guardian.md)
 
 ## 번역 노트
+- 2026-05-04: Added runtime traffic guardian baseline module and platform-specific skill scaffolds for OpenClaw, Hermes, NanoClaw, and Picoclaw.
 - 2026-04-27: 한국어 위키 초기 스캐폴드 추가 (`wiki/ko/INDEX.md`, `wiki/ko/overview.md`).
 
 ## 소스 참조
 - `wiki/INDEX.md`
 - `wiki/overview.md`
 - `wiki/localization.md`
+- `skills/hermes-traffic-guardian/skill.json`
+- `skills/nanoclaw-traffic-guardian/skill.json`
+- `skills/openclaw-traffic-guardian/skill.json`
+- `skills/picoclaw-traffic-guardian/skill.json`
+- `wiki/modules/runtime-traffic-guardian-baseline.md`

modules/runtime-traffic-guardian-baseline.md

@@ -0,0 +1,108 @@
+# Runtime Traffic Guardian Baseline
+
+## Summary
+
+This module defines the baseline for a new platform-specific runtime traffic monitoring family:
+
+- `skills/openclaw-traffic-guardian/`
+- `skills/hermes-traffic-guardian/`
+- `skills/nanoclaw-traffic-guardian/`
+- `skills/picoclaw-traffic-guardian/`
+
+These packages are intentionally specification scaffolds. They reserve the skill names, platform metadata, SBOM entries, frontmatter, folder structure, and safety contracts so platform builders can add implementations without changing the architectural decision.
+
+## Capability Gap
+
+The existing ClawSec matrix covers advisory verification, config drift, self-pen-testing/posture review, and supply-chain verification. It does not currently provide live runtime traffic monitoring:
+
+- HTTP request/response inspection
+- optional HTTPS inspection with explicit CA trust
+- outbound secret exfiltration detection
+- inbound command-injection detection
+- redacted local threat logging
+- platform-specific status/profile/attestation surfaces
+
+## Architecture Decision
+
+Runtime traffic monitoring is a separate skill family, not an extension of existing posture or scanner skills.
+
+Reasoning:
+
+- `clawsec-scanner` is periodic report-only vulnerability scanning and OpenClaw hook DAST.
+- `hermes-attestation-guardian` produces and verifies deterministic posture artifacts; it should attest monitor state, not run a proxy.
+- `clawsec-nanoclaw` owns advisory/signature/integrity MCP tools; traffic interception requires host-side network ownership and stricter container boundaries.
+- `picoclaw-security-guardian` is read-only posture/drift/supply-chain logic; proxy runtime would violate that safety posture.
+
+## Shared Safety Contract
+
+All traffic guardian implementations must preserve these constraints:
+
+1. Opt-in only.
+2. Detect-and-log by default.
+3. No automatic system CA installation.
+4. No global `HTTP_PROXY` or `HTTPS_PROXY` mutation.
+5. No blocking in the first implementation.
+6. Redact secret snippets before persistence or surfaced output.
+7. Bound scan bytes and log retention.
+8. Keep platform adapter state under platform-specific ClawSec security directories.
+
+## Platform Ownership
+
+| Skill | Runtime owner | Integration point |
+|---|---|---|
+| `openclaw-traffic-guardian` | OpenClaw adapter | Optional `clawsec-suite` add-on and optional OpenClaw hook/status integration |
+| `hermes-traffic-guardian` | Hermes adapter | Posture export watched by `hermes-attestation-guardian` |
+| `nanoclaw-traffic-guardian` | NanoClaw host service | Container-safe MCP tools and IPC result channel |
+| `picoclaw-traffic-guardian` | Picoclaw adapter | Profile fragment consumed by `picoclaw-security-guardian` |
+
+## Shared Finding Schema
+
+Builders should use the common schema described in each skill's `SPEC.md`:
+
+```json
+{
+  "schema_version": "clawsec-traffic-finding/v1",
+  "platform": "openclaw",
+  "direction": "outbound",
+  "protocol": "http",
+  "threat_type": "EXFIL",
+  "pattern": "ai_api_key",
+  "severity": "high",
+  "source": "127.0.0.1",
+  "dest": "api.example.com:443",
+  "snippet": "[REDACTED]",
+  "timestamp": "2026-04-26T00:00:00.000Z"
+}
+```
+
+## Minimum Detection Families
+
+Outbound EXFIL:
+
+- AI API keys
+- AWS access key IDs
+- private key PEM markers
+- SSH key file paths
+- sensitive Unix file paths
+- dotenv and cloud credential paths
+
+Inbound INJECTION:
+
+- pipe-to-shell commands
+- shell exec flags
+- reverse shell command shapes
+- destructive remove commands
+- SSH authorized-key injection shapes
+
+Platform builders may add stable platform-specific markers, such as NanoClaw WhatsApp session paths or Picoclaw gateway token paths, once those names are verified.
+
+## Source References
+
+- skills/openclaw-traffic-guardian/SKILL.md
+- skills/openclaw-traffic-guardian/SPEC.md
+- skills/hermes-traffic-guardian/SKILL.md
+- skills/hermes-traffic-guardian/SPEC.md
+- skills/nanoclaw-traffic-guardian/SKILL.md
+- skills/nanoclaw-traffic-guardian/SPEC.md
+- skills/picoclaw-traffic-guardian/SKILL.md
+- skills/picoclaw-traffic-guardian/SPEC.md