feat: initial release — ZeroClaw v0.1.0
- 22 AI providers (OpenRouter, Anthropic, OpenAI, Mistral, etc.)
- 7 channels (CLI, Telegram, Discord, Slack, iMessage, Matrix, Webhook)
- 5-step onboarding wizard with Project Context personalization
- OpenClaw-aligned system prompt (SOUL.md, IDENTITY.md, USER.md, AGENTS.md, etc.)
- SQLite memory backend with auto-save
- Skills system with on-demand loading
- Security: autonomy levels, command allowlists, cost limits
- 532 tests passing, 0 clippy warnings
commit 05cb353f7f
71 changed files with 15757 additions and 0 deletions

63 SECURITY.md Normal file
@ -0,0 +1,63 @@
# Security Policy

## Supported Versions

| Version | Supported |
| ------- | ------------------ |
| 0.1.x | :white_check_mark: |

## Reporting a Vulnerability

**Please do NOT open a public GitHub issue for security vulnerabilities.**

Instead, please report them responsibly:

1. **Email**: Send details to the maintainers via GitHub private vulnerability reporting
2. **GitHub**: Use [GitHub Security Advisories](https://github.com/theonlyhennygod/zeroclaw/security/advisories/new)

### What to Include

- Description of the vulnerability
- Steps to reproduce
- Impact assessment
- Suggested fix (if any)

### Response Timeline

- **Acknowledgment**: Within 48 hours
- **Assessment**: Within 1 week
- **Fix**: Within 2 weeks for critical issues

## Security Architecture

ZeroClaw implements defense-in-depth security:

### Autonomy Levels
- **ReadOnly** — Agent can only read, no shell or write access
- **Supervised** — Agent can act within allowlists (default)
- **Full** — Agent has full access within workspace sandbox

### Sandboxing Layers
1. **Workspace isolation** — All file operations confined to workspace directory
2. **Path traversal blocking** — `..` sequences and absolute paths rejected
3. **Command allowlisting** — Only explicitly approved commands can execute
4. **Forbidden path list** — Critical system paths (`/etc`, `/root`, `~/.ssh`) always blocked
5. **Rate limiting** — Max actions per hour and cost per day caps

### What We Protect Against
- Path traversal attacks (`../../../etc/passwd`)
- Command injection (`rm -rf /`, `curl | sh`)
- Workspace escape via symlinks or absolute paths
- Runaway cost from LLM API calls
- Unauthorized shell command execution

## Security Testing

All security mechanisms are covered by automated tests (129 tests):

```bash
cargo test -- security
cargo test -- tools::shell
cargo test -- tools::file_read
cargo test -- tools::file_write
```
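Review bot: item 1 under "Reporting a Vulnerability" is labelled **Email** but points reporters at GitHub private vulnerability reporting, which is the same channel as item 2 and leaves no address for anyone who cannot use GitHub; either add a real security contact address or merge the two items into one. The "Sandboxing Layers" list says only that `..` sequences and absolute paths are rejected, yet "What We Protect Against" claims coverage of workspace escape via symlinks; rejecting `..` does not stop a symlink inside the workspace that resolves outside it, so the "Path traversal blocking" item should state whether paths are canonicalized (symlinks resolved) before the workspace check, and the `~/.ssh` entry in the forbidden list should say whether `~` is expanded at check time. Minor: `rm -rf /` and `curl | sh` are examples of dangerous commands rather than command injection; "Dangerous command execution" would describe what the allowlist actually prevents.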