romtuck/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8,373 Commits 258 Branches 39 Tags 276 MiB
b10174ace0
Commit Graph

4 Commits

Author SHA1 Message Date
Ulrich Diedrichsen
b10174ace0 test(security): fix failing tests 
- Add CIDR matching to isBlocked() and getBlocklistEntry() methods
- Fix event aggregator threshold logic to only trigger once on first crossing
- Add securityEventAggregator.clearAll() in intrusion-detector tests
- Fix RateLimiter constructor to accept custom maxSize parameter
- Fix token bucket getRetryAfterMs() to return Infinity for impossible requests
- Fix rate limiter peek() to return full capacity for non-existent keys
- Fix shield extractIp() to handle array X-Forwarded-For headers
- Fix ip-manager test mocks to include sync fs methods
- All security tests now passing (173 tests across 8 files)
 2026-01-30 12:09:26 +01:00
Ulrich Diedrichsen
8f42141f75 fix: resolve lint, format, and TypeScript compilation errors 2026-01-30 11:44:33 +01:00
Ulrich Diedrichsen
88bcb61c7b feat(security): implement firewall integration (iptables/ufw) 2026-01-30 11:11:48 +01:00
Ulrich Diedrichsen
73ce95d9cc feat(security): implement core security shield infrastructure (Phase 1) 
Add foundational security components for rate limiting, intrusion detection,
and activity logging:

Core Components:
- Security event logging system (schema, logger, aggregator)
- Rate limiting with token bucket + sliding window algorithm
- IP blocklist/allowlist management with auto-expiration
- Security configuration schema with opt-out mode defaults

Features:
- JSONL security log files (/tmp/openclaw/security-*.jsonl)
- LRU cache-based rate limiter (10k entry limit, auto-cleanup)
- File-based IP blocklist storage (~/.openclaw/security/blocklist.json)
- Tailscale CGNAT range auto-allowlisted (100.64.0.0/10)
- Configurable rate limits per-IP, per-device, per-sender
- Auto-blocking rules with configurable duration

Configuration:
- New security config section in OpenClawConfig
- Enabled by default for new deployments (opt-out mode)
- Comprehensive defaults for VPS security

Related to: Security shield implementation plan
Part of: Phase 1 - Core Features

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-01-30 11:11:48 +01:00