Thank you for your interest in contributing to Clawd Secure! This project implements enterprise-grade security for autonomous agents, and maintaining these security guarantees is critical.
Clawd Secure is built on 5 security directives. All contributions MUST maintain these guarantees.
- Network Fortress & Auth - All API requests require authentication
- Rootless Docker - No privileged containers, no root execution
- Data Encryption - All data at rest is encrypted with AES-256-GCM
- Sovereign Ollama - LLM inference isolated on internal network
- Sandboxed Execution - Commands validated, approved, and logged
```typescript
// ❌ WRONG - Bypasses security
app.get('/api/sensitive-data', (req, res) => {
  // Missing securityMiddleware!
  res.json({ data: sensitiveData });
});

// ✅ CORRECT - Enforces auth
app.get('/api/sensitive-data', securityMiddleware, (req, res) => {
  res.json({ data: sensitiveData });
});
```

```typescript
// ❌ WRONG - Shell injection vulnerability
import { exec } from 'child_process';
exec(`ls ${userInput}`); // NEVER DO THIS

// ✅ CORRECT - Use spawn without shell
import { spawn } from 'child_process';
const proc = spawn('ls', [userInput], { shell: false });
```

```typescript
// ❌ WRONG - Plaintext storage
fs.writeFileSync('secrets.txt', apiKey);

// ✅ CORRECT - Use encrypted storage
import { writeEncrypted } from './core/memory/storage';
await writeEncrypted('secrets.txt', apiKey);
```

```typescript
// ❌ WRONG - Path traversal vulnerability
const filePath = path.join('/app/data', req.body.filename);
fs.readFileSync(filePath);

// ✅ CORRECT - Validate paths
import { getPathValidator } from './core/security/path-validator';
const validator = getPathValidator();
const validation = await validator.validate(req.body.filename, '/app/data');
if (validation.valid) {
  fs.readFileSync(validation.canonicalPath);
}
```

```typescript
// ❌ WRONG - Breaks network isolation
const OLLAMA_URL = 'http://localhost:11434';

// ✅ CORRECT - Use Docker network
const OLLAMA_URL = 'http://ollama:11434';
```

Security middleware:

```typescript
import { securityMiddleware } from './middleware/security';

// Apply to ALL routes
app.use(securityMiddleware);

// Or selectively
app.post('/api/protected', securityMiddleware, handler);
```

Encrypted storage:

```typescript
import {
  writeEncryptedJSON,
  readEncryptedJSON
} from './core/memory/storage';

// Writing data
const userData = { name: 'Alice', role: 'admin' };
await writeEncryptedJSON('data/users/alice.json', userData);

// Reading data
const user = await readEncryptedJSON<User>('data/users/alice.json');
```

Command executor:

```typescript
import { getCommandExecutor } from './core/security/executor';

const executor = getCommandExecutor();

// Execute with security checks
const result = await executor.execute('ls', ['-la'], {
  cwd: '/app/data',
  userId: req.user?.id
});
```

Audit logging:

```typescript
import { getAuditLogger } from './core/security/audit-log';

const logger = getAuditLogger();
await logger.log(
  'security_event',
  'User attempted unauthorized access',
  'warning',
  { userId, resource },
  userId,
  req.ip
);
```

```bash
git clone https://github.com/yourusername/clawd-secure.git
cd clawd-secure
npm install
git checkout -b feature/your-feature-name
```

- Follow existing code style (TypeScript strict mode)
- Add TypeScript types for all new code
- Document security-critical functions
- Add error handling
```bash
# Build
npm run build

# Run smoke tests
npm run test:smoke

# Test manually with Docker
docker-compose -f docker-compose.secure.yml up --build
```

```bash
git commit -m "feat: Add new secure feature X"
git commit -m "fix: Patch path validation edge case"
git commit -m "docs: Update API documentation"
```

Commit prefixes:
- `feat:` - New feature
- `fix:` - Bug fix
- `security:` - Security patch
- `docs:` - Documentation
- `test:` - Tests
- `refactor:` - Code refactoring
- Describe what your PR does
- Reference any related issues
- Confirm you've tested the security features
- Wait for code review
All contributions must include:
- Build Verification: `npm run build` (must succeed with 0 errors)
- Smoke Tests: `npm run test:smoke` (must pass all tests)
- Manual Security Testing:
  - Test authentication rejection
  - Test command blocking
  - Test encryption verification
Before submitting, verify:
- No authentication bypasses
- No `exec()` or shell usage
- All file operations use encrypted storage
- All commands use the executor
- Path validation for file operations
- Audit logging for security events
- TypeScript strict mode compliance
- Build succeeds with no errors
- Smoke tests pass
- Documentation updated
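The path check this checklist asks for, written out as an added example rather than the project's own `path-validator` module: a hypothetical `validatePath(filename, baseDir)` with the same `{ valid, canonicalPath }` result shape as the `validator.validate()` call shown earlier. It rejects the traversal that the bare `path.join('/app/data', req.body.filename)` pattern lets through, and also absolute inputs and embedded NUL bytes; the sample inputs at the bottom are constructed for illustration.

```typescript
// Added example, not Clawd Secure's own implementation: a minimal,
// synchronous path validator matching the validate(filename, baseDir)
// -> { valid, canonicalPath } shape used in the correct snippet above.
import * as path from 'path';

export interface PathValidation {
  valid: boolean;
  canonicalPath?: string; // absolute path inside baseDir, only when valid
  reason?: string;        // why the input was rejected
}

// Resolution here is lexical only (path.resolve). A symlink inside
// baseDir can still point outside it, so callers that need that
// guarantee should fs.realpath the canonicalPath before opening it.
export function validatePath(filename: string, baseDir: string): PathValidation {
  if (filename.includes('\0')) {
    // NUL bytes truncate the path in many libc-backed syscalls
    return { valid: false, reason: 'NUL byte in filename' };
  }
  if (path.isAbsolute(filename)) {
    // path.join('/app/data', '/etc/passwd') would still keep the prefix,
    // but an absolute filename is never a legitimate relative request
    return { valid: false, reason: 'absolute paths are not allowed' };
  }
  const base = path.resolve(baseDir);
  const candidate = path.resolve(base, filename); // collapses "." and ".."
  // path.relative() is the hop from base to candidate; ".." as the first
  // segment (or an absolute result, e.g. another drive) means it escaped.
  const rel = path.relative(base, candidate);
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    return { valid: false, reason: 'path escapes base directory' };
  }
  return { valid: true, canonicalPath: candidate };
}

// Constructed sample inputs (not from the project): values a request's
// filename field might carry, checked against the /app/data base dir.
const samples = ['reports/q1.json', 'a/../b', '..hidden', '..', '../../etc/passwd', '/etc/passwd', 'x\0y'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', validatePath(s, '/app/data'));
}
```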
```typescript
/**
 * Brief description of what the function does
 *
 * Security Note: Describe any security implications
 *
 * @param param1 - Description
 * @param param2 - Description
 * @returns Description
 * @throws Error description
 */
export function secureFunction(param1: string, param2: number): Result {
  // Implementation
}
```

```typescript
/**
 * CLAWD SECURE - MODULE NAME
 * Directive X: Brief Description
 *
 * Purpose of this module
 * Security features implemented
 */
```

DO NOT create public issues for security vulnerabilities.
Instead:
- Email: [security@your-domain.com]
- Use GitHub Security Advisories
- Provide detailed reproduction steps
- Allow 90 days for a patch before public disclosure
- README.md - Project overview and setup
- Architecture Docs - System design and security model
- API Documentation - Endpoint reference
- Smoke Tests - `tests/smoke-test.ts` - Security verification
- GitHub Issues - Bug reports and feature requests
- Discussions - Questions and community support
- Pull Requests - Code contributions
By contributing, you agree that your contributions will be licensed under the same license as the project (MIT License).
Security is a team effort. Your contributions help make autonomous agents safer for everyone.
Remember: When in doubt about security, ask. It's better to over-communicate than to introduce a vulnerability.
Made with 🛡️ by the Clawd Secure Community