harald
5b896f3378
feat(observability): add debug/trace logging to shell tool and command policy
Shell tool now logs at debug level: command invocations, policy
allow/block decisions with reasons, exit codes, and output sizes.
Trace level adds full stdout/stderr content and risk assessment details.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 13:13:19 +01:00
harald
05e1102af9
feat(security): support wildcard "*" in allowed_commands
Allow `allowed_commands = ["*"]` to bypass the command allowlist check.
Hardcoded safety blocks (subshell operators, redirections, tee,
background &) still apply regardless of wildcard.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 12:21:04 +01:00
Chummy
75a9eb383c
test(security): enforce lowercase token hex assertion
2026-02-18 16:56:45 +08:00
Chummy
918be53a30
test(security): harden token format regression coverage
2026-02-18 16:56:45 +08:00
Mike Boensel
0166f2d4de
fix(token): update token generation to use rand::rng() to resolve deprecation warnings
2026-02-18 02:11:51 -05:00
Alex Gorevski
9a6fa76825
readd tests, remove markdown files
2026-02-18 14:42:39 +08:00
fettpl
4f9c87ff74
fix(policy): standardize side-effect tool autonomy gates
2026-02-18 12:42:56 +08:00
Will Sarg
42f1d40f1f
fix(ci): unblock dependabot dependency PR checks (#658)
2026-02-17 15:51:07 -05:00
stawky
ab561baa97
feat(approval): interactive approval workflow for supervised mode (#215)
- Add auto_approve / always_ask fields to AutonomyConfig
- New src/approval/ module: ApprovalManager with session-scoped allowlist,
ApprovalRequest/Response types, audit logging, CLI interactive prompt
- Insert approval hook in agent_turn before tool execution
- Non-CLI channels auto-approve; CLI shows Y/N/A prompt
- Skip approval for read-only tools (file_read, memory_recall) by default
- 15 unit tests covering all approval logic
2026-02-17 23:06:12 +08:00
Will Sarg
9e0958dee5
fix(ci): repair parking_lot migration regressions in PR #535
2026-02-17 09:10:40 -05:00
Will Sarg
ee05d62ce4
Merge branch 'main' into pr-484-clean
2026-02-17 08:54:24 -05:00
Rin
9ec1106f53
security: fix argument injection in shell command validation (#465)
2026-02-17 08:11:20 -05:00
argenis de la rosa
1908af3248
fix(discord): use channel_id instead of sender for replies (fixes #483)
fix(misc): complete parking_lot::Mutex migration (fixes #505)
- DiscordChannel: store actual channel_id in ChannelMessage.channel
  instead of hardcoded "discord" string
- channels/mod.rs: use msg.channel instead of msg.sender for replies
- Migrate all std::sync::Mutex to parking_lot::Mutex:
  * src/security/audit.rs
  * src/memory/sqlite.rs
  * src/memory/response_cache.rs
  * src/memory/lucid.rs
  * src/channels/email_channel.rs
  * src/gateway/mod.rs
  * src/observability/traits.rs
  * src/providers/reliable.rs
  * src/providers/router.rs
  * src/agent/agent.rs
- Remove all .lock().unwrap() and .map_err(PoisonError) patterns
  since parking_lot::Mutex never poisons
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-17 08:05:25 -05:00
fettpl
a2986db3d6
fix(security): enhance shell redirection blocking in security policy (#521)
* fix(security): enhance shell redirection blocking in security policy
Block process substitution (<(...) and >(...)) and tee command in
is_command_allowed() to close shell escape vectors that bypass existing
redirect and subshell checks.
Closes #514
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* style: apply rustfmt to providers/mod.rs
Fix pre-existing formatting issue from main.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-17 07:54:26 -05:00
DeadManAI
4fca1abee8
fix: resolve all clippy warnings, formatting, and Mistral endpoint
- Fix Mistral provider base URL (missing /v1 prefix caused 404s)
- Resolve 55 clippy warnings across 28 warning types
- Apply cargo fmt to 44 formatting violations
- Remove unused imports (process_message, MultiObserver, VerboseObserver,
  ChatResponse, ToolCall, Path, TempDir)
- Replace format!+push_str with write! macro
- Fix unchecked Duration subtraction, redundant closures, clamp patterns
- Declare missing feature flags (sandbox-landlock, sandbox-bubblewrap,
  browser-native) in Cargo.toml
- Derive Default where manual impls were redundant
- Add separators to long numeric literals (115200 → 115_200)
- Restructure unreachable code in arduino_flash platform branches
All 1,500 tests pass. Zero clippy warnings. Clean formatting.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-17 20:00:08 +08:00
Chummy
1711f140be
fix(security): remediate unassigned CodeQL findings
- harden URL/request handling for composio and whatsapp integrations
- reduce cleartext logging exposure across providers/tools/gateway
- hash and constant-time compare gateway webhook secrets
- expand nested secret encryption coverage in config
- align feature aliases and add regression tests for security paths
- fix bubblewrap all-features test invocation surfaced during deep validation
2026-02-17 19:19:06 +08:00
Lawyered
8cf6c89ebc
docs(security): document single-ampersand blocking in command policy
2026-02-16 23:06:27 -05:00
Lawyered
e8088f624e
test(security): cover background-chain validation path
2026-02-16 23:06:27 -05:00
Lawyered
0f56211892
fix(security): block single-ampersand command chaining bypass
2026-02-16 23:06:27 -05:00
Argenis
e8553a800a
fix(channels): use platform message IDs to prevent duplicate memories
Fixes #430 - Prevents duplicate memories after restart by using platform message IDs instead of random UUIDs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 19:04:37 -05:00
Argenis
15e1d50a5d
fix: replace std::sync::Mutex with parking_lot::Mutex (#350)
Merges #422
2026-02-16 15:02:46 -05:00
Argenis
dc5a85c85c
fix: use 256-bit entropy for pairing tokens (#351)
Merges #413
2026-02-16 13:48:03 -05:00
Chummy
3234159c6c
chore(clippy): clear warning backlog and harden conversions (#383)
2026-02-17 00:32:33 +08:00
Chummy
49fcc7a2c4
test: deepen and complete project-wide test coverage (#297)
* test: deepen coverage for health doctor provider and tunnels
* test: add broad trait and module re-export coverage
2026-02-16 05:58:24 -05:00
Chummy
9d29f30a31
fix(channels): execute tool calls in channel runtime (#302)
* fix(channels): execute tool calls in channel runtime (#302)
* chore(fmt): align repo formatting with rustfmt 1.92
2026-02-16 05:07:01 -05:00
Argenis
0383a82a6f
feat(security): Add Phase 1 security features
* test: add comprehensive recovery tests for agent loop
Add recovery test coverage for all edge cases and failure scenarios
in the agentic loop, addressing the missing test coverage for
recovery use cases.
Tool Call Parsing Edge Cases:
- Empty tool_result tags
- Empty tool_calls arrays
- Whitespace-only tool names
- Empty string arguments
History Management:
- Trimming without system prompt
- Role ordering consistency after trim
- Only system prompt edge case
Arguments Parsing:
- Invalid JSON string fallback
- None arguments handling
- Null value handling
JSON Extraction:
- Empty input handling
- Whitespace only input
- Multiple JSON objects
- JSON arrays
Tool Call Value Parsing:
- Missing name field
- Non-OpenAI format
- Empty tool_calls array
- Missing tool_calls field fallback
- Top-level array format
Constants Validation:
- MAX_TOOL_ITERATIONS bounds (prevent runaway loops)
- MAX_HISTORY_MESSAGES bounds (prevent memory bloat)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat(security): Add Phase 1 security features - sandboxing, resource limits, audit logging
Phase 1 security enhancements with zero impact on the quick setup wizard:
- ✅ Pluggable sandbox trait system (traits.rs)
- ✅ Landlock sandbox support (Linux kernel 5.13+)
- ✅ Firejail sandbox support (Linux user-space)
- ✅ Bubblewrap sandbox support (Linux/macOS user namespaces)
- ✅ Docker sandbox support (container isolation)
- ✅ No-op fallback (application-layer security only)
- ✅ Auto-detection logic (detect.rs)
- ✅ Audit logging with HMAC signing support (audit.rs)
- ✅ SecurityConfig schema (SandboxConfig, ResourceLimitsConfig, AuditConfig)
- ✅ Feature-gated implementation (sandbox-landlock, sandbox-bubblewrap)
- ✅ 1,265 tests passing
Key design principles:
- Silent auto-detection: no new prompts in wizard
- Graceful degradation: works on all platforms
- Feature flags: zero overhead when disabled
- Pluggable architecture: swap sandbox backends via config
- Backward compatible: existing configs work unchanged
Config usage:
```toml
[security.sandbox]
enabled = false # Explicitly disable
backend = "auto" # auto, landlock, firejail, bubblewrap, docker, none
[security.resources]
max_memory_mb = 512
max_cpu_time_seconds = 60
[security.audit]
enabled = true
log_path = "audit.log"
sign_events = false
```
Security documentation:
- docs/sandboxing.md: Sandbox implementation strategies
- docs/resource-limits.md: Resource limit approaches
- docs/audit-logging.md: Audit logging specification
- docs/security-roadmap.md: 3-phase implementation plan
- docs/frictionless-security.md: Zero-impact wizard design
- docs/agnostic-security.md: Platform/hardware agnostic approach
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 04:14:16 -05:00
Chummy
b0e1e32819
feat(config): make config writes atomic with rollback-safe replacement (#190)
* feat(runtime): add Docker runtime MVP and runtime-aware command builder
* feat(security): add shell risk classification, approval gates, and action throttling
* feat(gateway): add per-endpoint rate limiting and webhook idempotency
* feat(config): make config writes atomic with rollback-safe replacement
---------
Co-authored-by: chumyin <chumyin@users.noreply.github.com>
2026-02-15 12:18:45 -05:00
Argenis
031683aae6
fix(security): use path-component matching for forbidden paths (#132)
- Use Path::components() to check for actual .. path components instead of
simple string matching (which was too conservative)
- Block URL-encoded traversal attempts (e.g., ..%2f)
- Expand tilde (~) for comparison
- Use path-component-aware matching for forbidden paths
- Update test to allow .. in filenames but block actual path traversal
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 08:30:48 -05:00
Edvard Schøyen
bd02d73ecc
test: add comprehensive pairing code consumption tests
Add comprehensive tests for pairing code consumption feature
2026-02-15 07:36:54 -05:00
argenis de la rosa
7a03a01fbf
Merge remote-tracking branch 'origin/main' into fix/bearer-token-hashing
# Conflicts:
# src/security/pairing.rs
2026-02-14 21:51:28 -05:00
Argenis
7468b39693
Merge pull request #68 from fettpl/fix/key-generation-csprng
fix: replace UUID v4 key generation with direct CSPRNG
2026-02-14 21:41:43 -05:00
Argenis
f70bf3f943
Merge pull request #72 from fettpl/fix/windows-key-permissions-warning
fix: log warning when Windows key file permissions fail to set
2026-02-14 21:21:30 -05:00
fettpl
6d68e89ef0
Merge remote-tracking branch 'origin/main' into fix/windows-key-permissions-warning
# Conflicts:
# src/security/secrets.rs
2026-02-15 02:29:59 +01:00
fettpl
b5071c13f3
Merge remote-tracking branch 'origin/main' into fix/constant-time-eq-length-leak
# Conflicts:
# src/security/secrets.rs
2026-02-15 02:29:24 +01:00
fettpl
65c22ff027
Merge remote-tracking branch 'origin/main' into fix/bearer-token-hashing
# Conflicts:
# src/security/secrets.rs
2026-02-15 02:29:09 +01:00
fettpl
2741e0f024
Merge remote-tracking branch 'origin/main' into fix/key-generation-csprng
# Conflicts:
# src/security/secrets.rs
2026-02-15 02:28:52 +01:00
argenis de la rosa
04a35144e8
feat: integrate open-skills library and cleanup clippy warnings
- Add open-skills auto-clone/pull/sync support in skills loader
  - Clone https://github.com/besoeasy/open-skills to ~/open-skills
  - Weekly sync via .zeroclaw-open-skills-sync marker
  - Env controls: ZEROCLAW_OPEN_SKILLS_ENABLED, ZEROCLAW_OPEN_SKILLS_DIR
  - Load open-skills markdown files before workspace skills
- Track Skill.location for accurate prompt rendering
  - Update system prompt to render skill.location with fallback
  - Use actual file path when available
  - Maintain backward compatibility with workspace SKILL.md path
- Fix clippy warnings across tests and supporting files
  - Readable timestamp literals
  - Remove underscore bindings in tests
  - Use struct update syntax for Config::default() patterns
  - Fix module inception, duplicate attributes, manual strip
  - Clean raw string hashes and empty string construction
Resolves: #77
2026-02-14 20:25:07 -05:00
fettpl
f7ae04e64e
Merge remote-tracking branch 'origin/main' into fix/windows-key-permissions-warning
# Conflicts:
# src/security/secrets.rs
2026-02-15 02:16:00 +01:00
fettpl
e0341e5996
fix: replace unstable is_multiple_of with modulo for Rust 1.83 compat
The Docker image uses rust:1.83-slim where is_multiple_of is unstable.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 02:15:24 +01:00
fettpl
b3c995c849
Merge remote-tracking branch 'origin/main' into fix/constant-time-eq-length-leak
2026-02-15 02:15:13 +01:00
fettpl
0603bed843
fix: replace unstable is_multiple_of with modulo for Rust 1.83 compat
The Docker image uses rust:1.83-slim where is_multiple_of is unstable.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 02:15:08 +01:00
fettpl
74648717f7
Merge remote-tracking branch 'origin/main' into fix/bearer-token-hashing
2026-02-15 02:14:45 +01:00
fettpl
dc0d6b6ca9
fix: replace unstable is_multiple_of with modulo for Rust 1.83 compat
The Docker image uses rust:1.83-slim where is_multiple_of is unstable.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 02:14:25 +01:00
fettpl
8d7e9a7dde
Merge remote-tracking branch 'origin/main' into fix/key-generation-csprng
2026-02-15 02:14:06 +01:00
fettpl
ac7c625368
fix: replace unstable is_multiple_of with modulo for Rust 1.83 compat
The Docker image uses rust:1.83-slim where is_multiple_of is unstable.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 01:26:44 +01:00
fettpl
671c3b2a55
fix: replace unstable is_multiple_of and update Cargo.lock for sha2
The Docker image uses rust:1.83-slim where is_multiple_of is unstable.
Also regenerates Cargo.lock to include the sha2 dependency.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 01:26:24 +01:00
argenis de la rosa
a68004184c
fix(secrets): harden windows icacls username edge cases
2026-02-14 19:25:30 -05:00
fettpl
41ba251686
fix: replace unstable is_multiple_of with modulo for Rust 1.83 compat
The Docker image uses rust:1.83-slim where is_multiple_of is unstable.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 01:24:24 +01:00
argenis de la rosa
db1366f3e5
fix(ci): restore stable hex check and satisfy browser clippy gate
2026-02-14 19:09:35 -05:00
Argenis
b931aeb56c
Merge pull request #69 from fettpl/fix/llm-error-leakage
fix: stop leaking LLM error details to clients
2026-02-14 18:34:30 -05:00