Gio Della-Libera
55263b3dfa
feat(policy): cover exec approvals artifact (#90003)
Add exec approvals artifact evidence to Policy.
- add the execApprovals policy namespace and check IDs for required artifact presence, default/per-agent security posture, autoAllowSkills, and allowlist drift
- read the active exec-approvals.json artifact only when execApprovals policy rules are configured, honoring OPENCLAW_STATE_DIR before the default ~/.openclaw path
- emit redacted posture evidence and stable oc:// references without socket tokens, command text, resolved paths, timestamps, or approval-session details
- document the public policy surface and add focused scanner, doctor, conformance, and CLI coverage
Validation:
- GitHub Actions for head b82eefe492 are green, including Real behavior proof.
- ClawSweeper re-review completed for the same head with proof: sufficient and status: ready for maintainer look.
- Maintainer artifact-boundary acceptance is recorded in the PR discussion and body.
Co-authored-by: Gio Della-Libera <235387111+giodl73-repo@users.noreply.github.com>
2026-06-15 17:30:48 -07:00
Gio Della-Libera
646974b7d8
fix(policy): reject unsupported policy keys (#87074)
Merged via squash.
Prepared head SHA: 3ab4ff1d8f
Co-authored-by: giodl73-repo <235387111+giodl73-repo@users.noreply.github.com>
Reviewed-by: @giodl73-repo
2026-06-02 15:01:57 -07:00
Gio Della-Libera
1d3cfc4b01
Policy: add data handling conformance checks (#87056)
Merged via squash.
Prepared head SHA: 6a0e9730aa
Co-authored-by: giodl73-repo <>
Co-authored-by: giodl73-repo <235387111+giodl73-repo@users.noreply.github.com>
Reviewed-by: @giodl73-repo
2026-06-02 10:48:07 -07:00
Gio Della-Libera
08beb6b0e8
Policy: add policy file comparison command (#86768)
Merged via squash.
Prepared head SHA: 2023e8cba1
Co-authored-by: giodl73-repo <235387111+giodl73-repo@users.noreply.github.com>
Reviewed-by: @giodl73-repo
2026-05-28 23:10:27 -07:00
Gio Della-Libera
5fb83af3e3
Policy: add ingress channel conformance checks (#85744)
Merged via squash.
Prepared head SHA: bd63c8d153
Co-authored-by: giodl73-repo <235387111+giodl73-repo@users.noreply.github.com>
Reviewed-by: @giodl73-repo
2026-05-28 22:07:49 -07:00
Gio Della-Libera
af64a824a1
Policy: add sandbox posture conformance checks (#85572)
Merged via squash.
Prepared head SHA: 1cf1953d8c
Co-authored-by: giodl73-repo <235387111+giodl73-repo@users.noreply.github.com>
Reviewed-by: @giodl73-repo
2026-05-28 21:00:24 -07:00
Gio Della-Libera
fbb6340542
Policy: add agent-scoped policy overlays (#85817)
* feat(policy): add agent-scoped policy overlays
* docs(policy): use generic agent-scoped examples
* fix(policy): generalize scoped policy overlays
* fix(policy): clean scoped overlay checks
* fix(policy): evaluate inherited scoped agent posture
* chore(policy): keep agent harness out of scoped policy pr
2026-05-25 08:45:16 -07:00
Gio Della-Libera
4ffbd07c06
docs(policy): add policy rule reference tables (#85795)
2026-05-23 16:59:33 -07:00
Gio Della-Libera
1e2e614748
Policy: add tool posture conformance checks (#85482)
* feat(policy): add tool posture conformance
* fix(policy): attest tool alsoAllow posture
2026-05-23 16:44:42 -07:00
Gio Della-Libera
a94f3444a0
Policy: add agent workspace conformance checks (#85096)
* feat(policy): add agent workspace conformance
* chore(policy): refresh agent workspace checks
* fix(policy): require enabled sandbox for workspace policy
* fix(policy): align agent workspace evidence with runtime
2026-05-22 20:24:31 -07:00
Gio Della-Libera
dcc5e45b50
Policy: add gateway exposure checks (#81981)
* feat(policy): add gateway exposure conformance
* fix(policy): align custom bind exposure evidence
2026-05-22 14:18:01 -07:00
Gio Della-Libera
c85feace54
Policy: add secret and auth conformance checks (#81974)
* feat(policy): add secrets auth conformance
* fix(policy): include sandbox ssh secret data
* fix(policy): complete secret input provenance
* fix(policy): cover media request secrets
* fix(policy): satisfy policy lint
* fix(policy): narrow secret conformance evidence
* fix(policy): cover request bearer token secrets
2026-05-22 12:48:14 -07:00
Gio Della-Libera
6dbd5bd446
Policy: add model, network, and MCP conformance checks (#80783)
* feat(policy): add model network and mcp conformance checks
* fix(policy): validate conformance rule shapes
* fix(policy): quote dynamic evidence paths
* fix(policy): scan per-agent model maps
* fix(policy): normalize model provider conformance
2026-05-21 07:27:16 -07:00
Gio Della-Libera
a30ac3f8d7
Policy: add tool metadata conformance (#80056)
* feat(policy): add tool metadata conformance checks
* Add policy trusted tool runtime gate
* Use requireMetadata for tool policy
Make tools.requireMetadata the canonical policy schema for risk, sensitivity, and owner requirements. Update runtime enforcement, doctor findings, evidence parsing, tests, and policy docs to use the new schema.
* fix(policy): persist approval metadata
* fix(policy): refresh approval metadata artifacts
* docs(policy): list all tool finding checks
* fix(policy): parse multiline tool metadata
* test(policy): cover unparseable policy check output
* fix(policy): resolve oc-path api in packaged dist
* fix(policy): clear post-rebase CI failures
* test(policy): clear post-rebase CI failures
* fix(policy): restore watch and align validation
* fix(policy): clear ci gate failures
* Simplify policy tool evidence parsing
2026-05-20 20:47:32 -07:00
Gio Della-Libera
cbf72e5e26
feat(policy): add channel conformance checks (#80407)
Summary:
- Add the bundled Policy plugin with policy-backed doctor checks for channel conformance.
- Add `openclaw policy check` attestations, accepted-attestation drift checks, and opt-in doctor repair.
- Add policy CLI docs, generated plugin inventory/reference docs, and changelog credit.
Verification:
- node --import tsx scripts/sync-plugin-versions.ts --check
- pnpm plugins:inventory:check
- pnpm docs:list
- git diff --check origin/main..HEAD
- node scripts/run-vitest.mjs extensions/policy/src/policy-state.test.ts extensions/policy/src/cli.test.ts extensions/policy/src/doctor/register.test.ts src/flows/bundled-health-checks.test.ts src/cli/program/register.maintenance.test.ts
- codex review --uncommitted; accepted finding fixed, reran clean
- codex review --commit HEAD
- GitHub CI for 4e09b067f4: CI, Workflow Sanity, CodeQL, CodeQL Critical Quality, OpenGrep PR Diff, Real behavior proof, Dependency Change Awareness all green; reran failed Windows Node setup job successfully
Co-authored-by: Gio Della-Libera <giodl73@gmail.com>
Co-authored-by: Gio Della-Libera <giodl@microsoft.com>
2026-05-20 11:50:21 +01:00