feat: add security audit + onboarding checkpoint

2026-01-15 01:25:11 +00:00
parent c91c85532a
commit c2a4f256c8
13 changed files with 902 additions and 12 deletions
--- a/src/security/audit.test.ts
+++ b/src/security/audit.test.ts
@@ -0,0 +1,97 @@
+import { describe, expect, it } from "vitest";
+
+import type { ClawdbotConfig } from "../config/config.js";
+import { runSecurityAudit } from "./audit.js";
+
+describe("security audit", () => {
+  it("flags non-loopback bind without auth as critical", async () => {
+    const cfg: ClawdbotConfig = {
+      gateway: {
+        bind: "lan",
+        auth: {},
+      },
+    };
+
+    const res = await runSecurityAudit({
+      config: cfg,
+      includeFilesystem: false,
+      includeChannelSecurity: false,
+    });
+
+    expect(
+      res.findings.some((f) => f.checkId === "gateway.bind_no_auth" && f.severity === "critical"),
+    ).toBe(true);
+  });
+
+  it("flags logging.redactSensitive=off", async () => {
+    const cfg: ClawdbotConfig = {
+      logging: { redactSensitive: "off" },
+    };
+
+    const res = await runSecurityAudit({
+      config: cfg,
+      includeFilesystem: false,
+      includeChannelSecurity: false,
+    });
+
+    expect(res.findings).toEqual(
+      expect.arrayContaining([
+        expect.objectContaining({ checkId: "logging.redact_off", severity: "warn" }),
+      ]),
+    );
+  });
+
+  it("flags tools.elevated allowFrom wildcard as critical", async () => {
+    const cfg: ClawdbotConfig = {
+      tools: {
+        elevated: {
+          allowFrom: { whatsapp: ["*"] },
+        },
+      },
+    };
+
+    const res = await runSecurityAudit({
+      config: cfg,
+      includeFilesystem: false,
+      includeChannelSecurity: false,
+    });
+
+    expect(res.findings).toEqual(
+      expect.arrayContaining([
+        expect.objectContaining({
+          checkId: "tools.elevated.allowFrom.whatsapp.wildcard",
+          severity: "critical",
+        }),
+      ]),
+    );
+  });
+
+  it("adds a warning when deep probe fails", async () => {
+    const cfg: ClawdbotConfig = { gateway: { mode: "local" } };
+
+    const res = await runSecurityAudit({
+      config: cfg,
+      deep: true,
+      deepTimeoutMs: 50,
+      includeFilesystem: false,
+      includeChannelSecurity: false,
+      probeGatewayFn: async () => ({
+        ok: false,
+        url: "ws://127.0.0.1:18789",
+        connectLatencyMs: null,
+        error: "connect failed",
+        close: null,
+        health: null,
+        status: null,
+        presence: null,
+        configSnapshot: null,
+      }),
+    });
+
+    expect(res.findings).toEqual(
+      expect.arrayContaining([
+        expect.objectContaining({ checkId: "gateway.probe_failed", severity: "warn" }),
+      ]),
+    );
+  });
+});