diff --git a/README.md b/README.md index d08200b25aee..e0dea8667948 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,8 @@

Pre-authorization. Post-verification. Zero-trust AI agent security. +
+ See how it works β†’

@@ -18,7 +20,7 @@ MIT License

-**OpenClaw** is a _personal AI assistant_ you run on your own devices. +**SecureClaw** is a _personal AI assistant_ you run on your own devices. It answers you on the channels you already use (WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, iMessage, Microsoft Teams, WebChat), plus extension channels like BlueBubbles, Matrix, Zalo, and Zalo Personal. It can speak and listen on macOS/iOS/Android, and can render a live Canvas you control. The Gateway is just the control plane β€” the product is the assistant. If you want a personal, single-user assistant that feels local, fast, and always-on, this is it. @@ -72,7 +74,7 @@ openclaw onboard --install-daemon openclaw gateway --port 18789 --verbose # Send a message -openclaw message send --to +1234567890 --message "Hello from OpenClaw" +openclaw message send --to +1234567890 --message "Hello from SecureClaw" # Talk to the assistant (optionally deliver back to any connected channel: WhatsApp/Telegram/Slack/Discord/Google Chat/Signal/iMessage/BlueBubbles/Microsoft Teams/Matrix/Zalo/Zalo Personal/WebChat) openclaw agent --message "Ship checklist" --thinking high @@ -111,7 +113,7 @@ Note: `pnpm openclaw ...` runs TypeScript directly (via `tsx`). `pnpm build` pro ## Security defaults (DM access) -OpenClaw connects to real messaging surfaces. Treat inbound DMs as **untrusted input**. +SecureClaw connects to real messaging surfaces. Treat inbound DMs as **untrusted input**. Full security guide: [Security](https://docs.openclaw.ai/gateway/security) @@ -212,7 +214,7 @@ WhatsApp / Telegram / Slack / Discord / Google Chat / Signal / iMessage / BlueBu ## Tailscale access (Gateway dashboard) -OpenClaw can auto-configure Tailscale **Serve** (tailnet-only) or **Funnel** (public) while the Gateway stays bound to loopback. Configure `gateway.tailscale.mode`: +SecureClaw can auto-configure Tailscale **Serve** (tailnet-only) or **Funnel** (public) while the Gateway stays bound to loopback. Configure `gateway.tailscale.mode`: - `off`: no Tailscale automation (default). - `serve`: tailnet-only HTTPS via `tailscale serve` (uses Tailscale identity headers by default). @@ -220,7 +222,7 @@ OpenClaw can auto-configure Tailscale **Serve** (tailnet-only) or **Funnel** (pu Notes: -- `gateway.bind` must stay `loopback` when Serve/Funnel is enabled (OpenClaw enforces this). +- `gateway.bind` must stay `loopback` when Serve/Funnel is enabled (SecureClaw enforces this). - Serve can be forced to require a password by setting `gateway.auth.mode: "password"` or `gateway.auth.allowTailscale: false`. - Funnel refuses to start unless `gateway.auth.mode: "password"` is set. - Optional: `gateway.tailscale.resetOnExit` to undo Serve/Funnel on shutdown. @@ -286,7 +288,7 @@ The Gateway alone delivers a great experience. All apps are optional and add ext If you plan to build/run companion apps, follow the platform runbooks below. -### macOS (OpenClaw.app) (optional) +### macOS (SecureClaw.app) (optional) - Menu bar control for the Gateway and health. - Voice Wake + push-to-talk overlay. @@ -482,7 +484,7 @@ Use these when you’re past the onboarding flow and want the deeper reference. ## Molty -OpenClaw was built for **Molty**, a space lobster AI assistant. 🦞 +SecureClaw was built for **Molty**, a space lobster AI assistant. 🦞 by Peter Steinberger and the community. - [openclaw.ai](https://openclaw.ai) @@ -537,7 +539,7 @@ Thanks to all clawtributors: koala73 mitschabaude-bot mkbehr Oren shtse8 sibbl thesomewhatyou zats chrisrodz frankekn gabriel-trigo ghsmc iamadig ibrahimq21 irtiq7 jeann2013 jogelin Jonathan D. Rhyne (DJ-D) Justin Ling kelvinCB manmal Matthew MattQ Milofax mitsuhiko neist pejmanjohn ProspectOre rmorse rubyrunsstuff - rybnikov santiagomed Steve (OpenClaw) suminhthanh svkozak wes-davis 24601 AkashKobal ameno- awkoy + rybnikov santiagomed Steve (SecureClaw) suminhthanh svkozak wes-davis 24601 AkashKobal ameno- awkoy battman21 BinHPdev bonald dashed dawondyifraw dguido Django Navarro evalexpr henrino3 humanwritten hyojin joeykrug larlyssa liuy Mark Liu natedenh odysseus0 pcty-nextgen-service-account pi0 Syhids tmchow uli-will-code aaronveklabs andreabadesso BinaryMuse cash-echo-bot CJWTRUST cordx56 danballance Elarwei001 diff --git a/docs/secureclaw-architecture.md b/docs/secureclaw-architecture.md new file mode 100644 index 000000000000..bbcfb492fb49 --- /dev/null +++ b/docs/secureclaw-architecture.md @@ -0,0 +1,246 @@ +# SecureClaw Architecture + +## How SecureClaw Works + +SecureClaw adds a **zero-trust security layer** to OpenClaw by intercepting every tool call and enforcing authorization policies before execution. + +## Architecture Diagram + +``` +β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” +β”‚ AI AGENT (OpenClaw) β”‚ +β”‚ β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ Read β”‚ β”‚ Write β”‚ β”‚ Bash β”‚ β”‚ WebFetch β”‚ β”‚ +β”‚ β”‚ Tool β”‚ β”‚ Tool β”‚ β”‚ Tool β”‚ β”‚ Tool β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ β”‚ +β”‚ β–Ό β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ SECURECLAW PLUGIN β”‚ β”‚ +β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ +β”‚ β”‚ β”‚ before_tool_call Hook β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ Extract β”‚ β”‚ Build β”‚ β”‚ Call β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ Action & │──│ Guard │──│ guardOrThrow() β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ Resource β”‚ β”‚ Request β”‚ β”‚ via SDK β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ β”‚ +β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ β”‚ +β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ + β”‚ + β–Ό +β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” +β”‚ PREDICATE-CLAW SDK β”‚ +β”‚ β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ GuardedProvider β”‚ β”‚ +β”‚ β”‚ β€’ Formats authorization request β”‚ β”‚ +β”‚ β”‚ β€’ Handles fail-open/fail-closed modes β”‚ β”‚ +β”‚ β”‚ β€’ Emits telemetry events β”‚ β”‚ +β”‚ β”‚ β€’ Manages retries and timeouts β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ β”‚ +β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ + β”‚ + β–Ό +β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” +β”‚ PREDICATE AUTHORITY SIDECAR (Rust) β”‚ +β”‚ β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ Policy Engine β”‚ β”‚ Decision β”‚ β”‚ Audit Log β”‚ β”‚ +β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ Evaluator β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ +β”‚ β”‚ β”‚ ALLOW β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ β€’ Decision ID β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ rules β”‚ β”‚ β”‚ principal + β”‚ β”‚ β”‚ β€’ Timestamp β”‚ β”‚ β”‚ +β”‚ β”‚ β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€ │───▢│ action + │───▢│ β”‚ β€’ Action/Resource β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ DENY β”‚ β”‚ β”‚ resource β”‚ β”‚ β”‚ β€’ Outcome β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ rules β”‚ β”‚ β”‚ = ALLOW/DENY β”‚ β”‚ β”‚ β€’ Mandate ID β”‚ β”‚ β”‚ +β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ +β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ +``` + +## Request Flow + +``` +β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” +β”‚ Agent β”‚ β”‚ SecureClawβ”‚ β”‚ predicate- β”‚ β”‚ Sidecar β”‚ β”‚ Tool β”‚ +β”‚ Request β”‚ β”‚ Plugin β”‚ β”‚ claw SDK β”‚ β”‚ (Rust) β”‚ β”‚ Executionβ”‚ +β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜ + β”‚ β”‚ β”‚ β”‚ β”‚ + β”‚ Tool Call β”‚ β”‚ β”‚ β”‚ + β”‚ (Read /etc/ β”‚ β”‚ β”‚ β”‚ + β”‚ passwd) β”‚ β”‚ β”‚ β”‚ + │────────────────▢│ β”‚ β”‚ β”‚ + β”‚ β”‚ β”‚ β”‚ β”‚ + β”‚ β”‚ Extract: β”‚ β”‚ β”‚ + β”‚ β”‚ action=fs.read β”‚ β”‚ β”‚ + β”‚ β”‚ resource= β”‚ β”‚ β”‚ + β”‚ β”‚ /etc/passwd β”‚ β”‚ β”‚ + β”‚ │─────────────────▢ β”‚ β”‚ + β”‚ β”‚ β”‚ β”‚ β”‚ + β”‚ β”‚ β”‚ POST /authorizeβ”‚ β”‚ + β”‚ β”‚ β”‚ {principal, β”‚ β”‚ + β”‚ β”‚ β”‚ action, β”‚ β”‚ + β”‚ β”‚ β”‚ resource} β”‚ β”‚ + β”‚ β”‚ │────────────────▢│ β”‚ + β”‚ β”‚ β”‚ β”‚ β”‚ + β”‚ β”‚ β”‚ β”‚ Evaluate β”‚ + β”‚ β”‚ β”‚ β”‚ Policies β”‚ + β”‚ β”‚ β”‚ β”‚ ────────┐ β”‚ + β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ + β”‚ β”‚ β”‚ β”‚β—€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ + β”‚ β”‚ β”‚ β”‚ β”‚ + β”‚ β”‚ β”‚ DENY: β”‚ β”‚ + β”‚ β”‚ β”‚ sensitive_file β”‚ β”‚ + β”‚ β”‚ │◀────────────────│ β”‚ + β”‚ β”‚ β”‚ β”‚ β”‚ + β”‚ β”‚ ActionDenied β”‚ β”‚ β”‚ + β”‚ β”‚ Error β”‚ β”‚ β”‚ + β”‚ │◀────────────────│ β”‚ β”‚ + β”‚ β”‚ β”‚ β”‚ β”‚ + β”‚ BLOCKED: β”‚ β”‚ β”‚ β”‚ + β”‚ Action blocked β”‚ β”‚ β”‚ β”‚ + β”‚ sensitive_file β”‚ β”‚ β”‚ β”‚ + │◀────────────────│ β”‚ β”‚ β”‚ + β”‚ β”‚ β”‚ β”‚ β”‚ + β”‚ β”‚ β”‚ β”‚ Tool NOTβ”‚ + β”‚ β”‚ β”‚ β”‚ Executedβ”‚ + β”‚ β”‚ β”‚ β”‚ β”‚ +``` + +## OpenClaw vs SecureClaw Security Comparison + +``` +β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” +β”‚ OPENCLAW (Original) β”‚ +β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€ +β”‚ β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ Agent │────────▢│ Tool │────────▢│ System Resource β”‚ β”‚ +β”‚ β”‚ (LLM) β”‚ Direct β”‚ Execution β”‚ Direct β”‚ (Files, Network, β”‚ β”‚ +β”‚ β”‚ β”‚ Access β”‚ β”‚ Access β”‚ Shell, etc.) β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ +β”‚ ⚠️ NO AUTHORIZATION GATE β”‚ +β”‚ ⚠️ Agent has direct access to all tools β”‚ +β”‚ ⚠️ No policy enforcement β”‚ +β”‚ ⚠️ No audit trail β”‚ +β”‚ ⚠️ Relies on LLM's judgment for safety β”‚ +β”‚ β”‚ +β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ + + vs + +β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” +β”‚ SECURECLAW (Enhanced) β”‚ +β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€ +β”‚ β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ Agent │───▢│ SecureClaw │───▢│ Predicate │───▢│ System β”‚ β”‚ +β”‚ β”‚ (LLM) β”‚ β”‚ Plugin β”‚ β”‚ Authority β”‚ β”‚ Resource β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ +β”‚ β”Œβ”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β” β”‚ +β”‚ β”‚ BLOCKED β”‚ β”‚ ALLOW β”‚ β”‚ +β”‚ β”‚ if denied β”‚ β”‚ with β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ mandate β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ +β”‚ β”‚ +β”‚ βœ… Zero-trust authorization gate β”‚ +β”‚ βœ… Policy-based access control β”‚ +β”‚ βœ… Immutable audit trail β”‚ +β”‚ βœ… Fail-closed mode for critical environments β”‚ +β”‚ βœ… LLM cannot bypass security policies β”‚ +β”‚ β”‚ +β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ +``` + +## Security Features Comparison + +| Feature | OpenClaw | SecureClaw | +| ------------------------- | ---------------- | ------------------------- | +| Tool execution | Direct | Policy-gated | +| Authorization | None | Pre-execution check | +| Policy engine | None | Predicate Authority | +| Audit logging | Limited | Full decision trail | +| Fail mode | N/A | Fail-open or fail-closed | +| Sensitive file protection | User prompt only | Policy-enforced block | +| Shell command filtering | None | Policy-based allow/deny | +| Network request control | None | URL/domain policies | +| Multi-tenant support | None | Principal-based isolation | + +## Policy Example + +```json +{ + "policies": [ + { + "id": "block-sensitive-files", + "effect": "DENY", + "actions": ["fs.read", "fs.write"], + "resources": ["/etc/passwd", "/etc/shadow", "**/.ssh/**", "**/.env", "**/credentials*"], + "reason": "Sensitive system files are blocked" + }, + { + "id": "allow-project-files", + "effect": "ALLOW", + "actions": ["fs.read", "fs.write"], + "resources": ["/home/*/projects/**"], + "principals": ["agent:claude-code"] + }, + { + "id": "block-dangerous-commands", + "effect": "DENY", + "actions": ["shell.exec"], + "resources": ["rm -rf /*", "sudo *", "chmod 777 *", "curl * | bash"], + "reason": "Dangerous shell commands are blocked" + } + ] +} +``` + +## Component Summary + +| Component | Role | Technology | +| ------------------------------- | ----------------------------------------------- | -------------------- | +| **SecureClaw Plugin** | Intercepts tool calls, extracts action/resource | TypeScript | +| **predicate-claw SDK** | Client library for authorization requests | TypeScript | +| **Predicate Authority Sidecar** | Policy evaluation, decision engine | Rust | +| **Policy Store** | Defines allow/deny rules | JSON/YAML | +| **Audit Log** | Records all authorization decisions | Tamper-proof storage | + +## Why SecureClaw is More Secure + +1. **Defense in Depth**: Even if an LLM is jailbroken or manipulated, the external policy engine enforces security boundaries. + +2. **Least Privilege**: Policies can restrict agents to only the resources they need, following the principle of least privilege. + +3. **Audit Trail**: Every authorization decision is logged with timestamp, action, resource, and outcome for compliance and forensics. + +4. **Fail-Closed Mode**: In high-security environments, if the sidecar is unavailable, all tool calls are blocked rather than allowed. + +5. **Separation of Concerns**: Security policy enforcement is decoupled from the AI agent, preventing prompt injection from bypassing security. + +6. **Multi-Tenant Isolation**: Different principals (agents, users, tenants) can have different permission sets. + +## Getting Started + +```bash +# Install SecureClaw +npm install secureclaw + +# Start the Predicate Authority sidecar +predicate-authorityd --config policy.json + +# Configure SecureClaw plugin +export SECURECLAW_SIDECAR_URL=http://localhost:8787 +export SECURECLAW_FAIL_CLOSED=true +``` + +See the [SecureClaw Plugin documentation](./secureclaw-plugin.md) for detailed configuration options.