feat: add security audit + onboarding checkpoint

2026-01-15 01:25:11 +00:00
parent c91c85532a
commit c2a4f256c8
13 changed files with 902 additions and 12 deletions
--- a/src/commands/doctor-security.ts
+++ b/src/commands/doctor-security.ts
@@ -7,6 +7,7 @@ import { note } from "../terminal/note.js";

 export async function noteSecurityWarnings(cfg: ClawdbotConfig) {
  const warnings: string[] = [];
+  const auditHint = `- Run: clawdbot security audit --deep`;

  const warnDmPolicy = async (params: {
    label: string;
@@ -100,7 +101,7 @@ export async function noteSecurityWarnings(cfg: ClawdbotConfig) {
    }
  }

-  if (warnings.length > 0) {
-    note(warnings.join("\n"), "Security");
-  }
+  const lines = warnings.length > 0 ? warnings : ["- No channel security warnings detected."];
+  lines.push(auditHint);
+  note(lines.join("\n"), "Security");
 }
--- a/src/commands/onboard-types.ts
+++ b/src/commands/onboard-types.ts
@@ -40,6 +40,8 @@ export type OnboardOptions = {
  flow?: "quickstart" | "advanced";
  workspace?: string;
  nonInteractive?: boolean;
+  /** Required for non-interactive onboarding; skips the interactive risk prompt when true. */
+  acceptRisk?: boolean;
  reset?: boolean;
  authChoice?: AuthChoice;
  /** Used when `authChoice=token` in non-interactive mode. */
--- a/src/commands/onboard.ts
+++ b/src/commands/onboard.ts
@@ -13,6 +13,18 @@ export async function onboardCommand(opts: OnboardOptions, runtime: RuntimeEnv =
  const authChoice = opts.authChoice === "oauth" ? ("setup-token" as const) : opts.authChoice;
  const normalizedOpts = authChoice === opts.authChoice ? opts : { ...opts, authChoice };

+  if (normalizedOpts.nonInteractive && normalizedOpts.acceptRisk !== true) {
+    runtime.error(
+      [
+        "Non-interactive onboarding requires explicit risk acknowledgement.",
+        "Read: https://docs.clawd.bot/security",
+        "Re-run with: clawdbot onboard --non-interactive --accept-risk ...",
+      ].join("\n"),
+    );
+    runtime.exit(1);
+    return;
+  }
+
  if (normalizedOpts.reset) {
    const snapshot = await readConfigFileSnapshot();
    const baseConfig = snapshot.valid ? snapshot.config : {};
--- a/src/commands/status-all.ts
+++ b/src/commands/status-all.ts
@@ -338,9 +338,10 @@ export async function statusAllCommand(
        Item: "Gateway",
        Value: `${gatewayMode}${remoteUrlMissing ? " (remote.url missing)" : ""} · ${gatewayTarget} (${connection.urlSource}) · ${gatewayStatus}${gatewayAuth}`,
      },
+      { Item: "Security", Value: "Run: clawdbot security audit --deep" },
      gatewaySelfLine
-        ? { Item: "Gateway self", Value: gatewaySelfLine }
-        : { Item: "Gateway self", Value: "unknown" },
+	        ? { Item: "Gateway self", Value: gatewaySelfLine }
+	        : { Item: "Gateway self", Value: "unknown" },
      daemon
        ? {
            Item: "Daemon",