From e71fa4a14527a8410e233ae16829070f309a7fa5 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Sat, 17 Jan 2026 19:30:40 +0000 Subject: [PATCH] docs: note session log disk access --- docs/concepts/memory.md | 1 + docs/gateway/security.md | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/docs/concepts/memory.md b/docs/concepts/memory.md index 138f475b3..bab96b973 100644 --- a/docs/concepts/memory.md +++ b/docs/concepts/memory.md @@ -165,6 +165,7 @@ Notes: - Session updates are debounced and indexed lazily on the next `memory_search` (or manual `clawdbot memory index`). - Results still include snippets only; `memory_get` remains limited to memory files. - Session indexing is isolated per agent (only that agent’s session logs are indexed). +- Session logs live on disk (`~/.clawdbot/agents//sessions/*.jsonl`). Any process/user with filesystem access can read them, so treat disk access as the trust boundary. For stricter isolation, run agents under separate OS users or hosts. ### SQLite vector acceleration (sqlite-vec) diff --git a/docs/gateway/security.md b/docs/gateway/security.md index f830bb098..4625ed610 100644 --- a/docs/gateway/security.md +++ b/docs/gateway/security.md 
@@ -52,6 +52,14 @@ When the audit prints findings, treat this as a priority order: 5. **Plugins/extensions**: only load what you explicitly trust. 6. **Model choice**: prefer modern, instruction-hardened models for any bot with tools. +## Local session logs live on disk + +Clawdbot stores session transcripts on disk under `~/.clawdbot/agents//sessions/*.jsonl`. +This is required for session continuity and (optionally) session memory indexing, but it also means +**any process/user with filesystem access can read those logs**. Treat disk access as the trust +boundary and lock down permissions on `~/.clawdbot` (see the audit section below). If you need +stronger isolation between agents, run them under separate OS users or separate hosts. + ## Node execution (system.run) If a macOS node is paired, the Gateway can invoke `system.run` on that node. This is **remote code execution** on the Mac:
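Review bot: In the docs/concepts/memory.md hunk, the added bullet gives the path as `~/.clawdbot/agents//sessions/*.jsonl`, with an empty segment between `agents/` and `/sessions`, so the per-agent directory component appears to be missing as shown. Please confirm the placeholder for that segment survives rendering, since readers will copy this path when tightening permissions. The bullet also lands directly under "Session indexing is isolated per agent", which is easy to read as a security guarantee. Consider linking the new bullet to the "Local session logs live on disk" section added in docs/gateway/security.md so the index-level isolation and the filesystem-level caveat are read together.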
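Review bot: In the docs/gateway/security.md hunk, the new section tells readers to lock down permissions on `~/.clawdbot` "(see the audit section below)", but the unchanged context immediately above the insertion is already the audit findings list ("When the audit prints findings, treat this as a priority order"), so it is unclear which section "below" points to. Replace it with a link to the specific heading, and state in this section which owner and mode the directory and the `sessions/*.jsonl` files are expected to have, so the advice is actionable without running the audit first. The path here repeats the empty `agents//sessions` segment from the memory.md bullet and should be fixed in both places.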