Skip to content

feat(security): harden Command Center RBAC, auth, webhooks, and CI#3

Draft
mdtazizulislam wants to merge 1 commit into
mainfrom
cursor/security-hardening-cd8d
Draft

feat(security): harden Command Center RBAC, auth, webhooks, and CI#3
mdtazizulislam wants to merge 1 commit into
mainfrom
cursor/security-hardening-cd8d

Conversation

@mdtazizulislam

Copy link
Copy Markdown
Owner

Summary

Comprehensive security hardening for the OpenClaw platform, focused on the Command Center API and control-layer webhooks. All changes are additive — existing features and endpoints remain available.

Command Center API

  • Strict RBAC on every /api/* route via requireApiPermission() middleware
  • Founder-only access enforced for:
    • GET/POST /api/tasks
    • POST /api/agents/:id/action
    • GET /api/logs
    • GET /api/commands
    • Execution approval endpoints
  • Token security: scrypt hashing at rest, optional expiry (:exp:), rotation grace via OPENCLAW_COMMAND_CENTER_TOKEN_PREVIOUS
  • Failed-login audit logging to logs/auth-audit.jsonl
  • Sensitive log redaction for phones, emails, tokens, API keys, prompts, webhook payloads
  • Tiered rate limiting: auth verify (10/min), mutations (30/min), general (120/min)
  • Security headers: CSP, X-Frame-Options, HSTS (production), Cache-Control on API routes
  • Execution approval gate (default on): agent actions and task mutations return 202 with approvalId; founder approves via POST /api/executions/:id/approve

Control Layer

  • Meta WhatsApp Cloud API webhook at /webhooks/whatsapp/meta with X-Hub-Signature-256 verification (additive to Twilio)
  • Audit log redaction in control layer console and file output

CI & Documentation

  • GitHub Actions security pipeline: CodeQL, Gitleaks, Semgrep, npm audit, dependency review, security tests
  • SECURITY.md, root .env.example, docs/PRODUCTION-HARDENING.md

Tests

  • command-center: auth, RBAC, tokens, redaction, rate limits, API security, task permissions (29 tests)
  • control: Meta webhook validation, WhatsApp channel integration (42 tests)

Configuration

Variable Purpose
OPENCLAW_COMMAND_CENTER_TOKEN_PREVIOUS Rotation grace token
OPENCLAW_REQUIRE_EXECUTION_APPROVAL Set false to disable approval gate (not recommended in prod)
WHATSAPP_META_APP_SECRET Meta Cloud API signature verification
WHATSAPP_META_VERIFY_TOKEN Meta webhook challenge token

Breaking behavior notes

  • Admin/viewer roles can no longer access tasks, logs, commands, or agent actions (by design)
  • Task/agent mutations require approval by default — clients must call approve endpoint first or pass approvalId
  • Plaintext tokens in env are hashed at startup; stored hashes recommended for production (founder:scrypt:...)
Open in Web Open in Cursor 

…peline

- Add strict RBAC on every Command Center API endpoint with founder-only
  restrictions on tasks, agent actions, logs, and commands
- Hash tokens with scrypt, support expiry/rotation, and audit failed logins
- Redact sensitive data in logs and audit output
- Apply tiered rate limits for auth verify and mutation endpoints
- Add security headers middleware (CSP, HSTS, X-Frame-Options, etc.)
- Gate agent/script/task execution behind founder approval workflow
- Add Meta WhatsApp Cloud API webhook signature verification
- Add GitHub Actions security pipeline and production hardening docs
- Add comprehensive security unit tests

Co-authored-by: MD TAZIZUL ISLAM <vitorgarh@gmail.com>
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants