fix: honor gateway env token for doctor/security

Co-authored-by: azade-c <azade-c@users.noreply.github.com>
This commit is contained in:
Peter Steinberger
2026-01-23 03:13:44 +00:00
parent f1deffa681
commit ec2c69c230
6 changed files with 77 additions and 7 deletions


@@ -17,6 +17,7 @@ import {
resolveSandboxConfigForAgent,
resolveSandboxToolPolicyForAgent,
} from "../agents/sandbox.js";
import { resolveGatewayAuth } from "../gateway/auth.js";
import type { SandboxToolPolicy } from "../agents/sandbox/types.js";
import { INCLUDE_KEY, MAX_INCLUDE_DEPTH } from "../config/includes.js";
import { normalizeAgentId } from "../routing/session-key.js";
@@ -186,9 +187,15 @@ export function collectHooksHardeningFindings(cfg: ClawdbotConfig): SecurityAudi
});
}
const gatewayAuth = resolveGatewayAuth({
authConfig: cfg.gateway?.auth,
tailscaleMode: cfg.gateway?.tailscale?.mode ?? "off",
});
const gatewayToken =
typeof cfg.gateway?.auth?.token === "string" && cfg.gateway.auth.token.trim()
? cfg.gateway.auth.token.trim()
gatewayAuth.mode === "token" &&
typeof gatewayAuth.token === "string" &&
gatewayAuth.token.trim()
? gatewayAuth.token.trim()
: null;
if (token && gatewayToken && token === gatewayToken) {
findings.push({
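Review bot: The reuse check on the `if (token && gatewayToken && token === gatewayToken)` line compares a trimmed `gatewayToken` against `token`, which is assigned above this hunk; if that hooks token is not trimmed in the same way, a hooks token that differs from the gateway token only by surrounding whitespace would slip past the check, so the comparison should be `token.trim() === gatewayToken` (or `token` should be trimmed where it is assigned). The new `resolveGatewayAuth` call also deserves a why-comment, since a reader will otherwise wonder why `cfg.gateway.auth.token` is no longer read directly: `// Resolve through gateway auth so an env-supplied token (the test sets CLAWDBOT_GATEWAY_TOKEN) is covered, not only cfg.gateway.auth.token.` The `typeof gatewayAuth.token === "string"` guard is presumably redundant if `resolveGatewayAuth` already types `token` as `string | undefined`; if so, `gatewayAuth.mode === "token" ? gatewayAuth.token?.trim() || null : null` reads more clearly. `collectHooksHardeningFindings` starts outside the hunk, so where `token` is derived could not be confirmed here.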


@@ -656,6 +656,31 @@ describe("security audit", () => {
);
});
it("warns when hooks token reuses the gateway env token", async () => {
const prevToken = process.env.CLAWDBOT_GATEWAY_TOKEN;
process.env.CLAWDBOT_GATEWAY_TOKEN = "shared-gateway-token-1234567890";
const cfg: ClawdbotConfig = {
hooks: { enabled: true, token: "shared-gateway-token-1234567890" },
};
try {
const res = await runSecurityAudit({
config: cfg,
includeFilesystem: false,
includeChannelSecurity: false,
});
expect(res.findings).toEqual(
expect.arrayContaining([
expect.objectContaining({ checkId: "hooks.token_reuse_gateway_token", severity: "warn" }),
]),
);
} finally {
if (prevToken === undefined) delete process.env.CLAWDBOT_GATEWAY_TOKEN;
else process.env.CLAWDBOT_GATEWAY_TOKEN = prevToken;
}
});
it("warns when state/config look like a synced folder", async () => {
const cfg: ClawdbotConfig = {};