Add SOC2/ISO 27001 compliance documentation suite: - incident-response.md: P1-P4 severity, 5-phase response, templates - access-control-policy.md: RBAC governance, provisioning/revocation - readiness-checklist.md: Self-assessment for all SOC2 TSC criteria - change-management.md: Standard/normal/emergency change workflows - vulnerability-disclosure.md: Safe harbor, reporting channels - security-metrics.md: KPIs, Prometheus alerts, Grafana dashboard - index.md: Navigation hub with control mapping Documents reference existing technical controls (audit-log.ts, rbac.ts) and provide practical audit log queries and alerting configurations. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
12 KiB
| title | summary | permalink |
|---|---|---|
| Change Management Procedure | Procedures for managing configuration, version, and operational changes in Clawdbot deployments. | /compliance/change-management/ |
Change Management Procedure
This document defines procedures for managing changes to Clawdbot configuration, versions, channels, and plugins in a controlled manner.
Purpose
Ensure all changes to Clawdbot systems are:
- Authorized before implementation
- Tested appropriately
- Documented with audit trail
- Reversible if issues arise
Scope
This procedure covers:
- Configuration changes (settings, credentials, policies)
- Version upgrades (Clawdbot releases)
- Channel modifications (adding, removing, reconfiguring)
- Plugin management (installation, updates, removal)
- Infrastructure changes (gateway, networking)
Change Categories
Standard Changes
Pre-approved, low-risk changes with established procedures.
| Change Type | Examples | Approval | Testing |
|---|---|---|---|
| User access | RBAC assignment, pairing approval | Self-service | None required |
| Agent config | System prompt updates, model selection | Self-service | Functional test |
| Logging | Log level changes | Self-service | None required |
Normal Changes
Planned changes requiring approval and testing.
| Change Type | Examples | Approval | Testing |
|---|---|---|---|
| Version upgrade | Minor/patch releases | Change owner | Staging verification |
| Channel addition | New messaging platform | Security review | Integration test |
| Plugin installation | New extension | Security review | Compatibility test |
| Security config | Auth mode, RBAC roles | Security team | Security audit |
Emergency Changes
Urgent changes to address incidents or critical vulnerabilities.
| Change Type | Examples | Approval | Testing |
|---|---|---|---|
| Security patch | Critical vulnerability fix | Verbal, documented post-hoc | Smoke test only |
| Incident response | Credential rotation, access revocation | Incident commander | Verification only |
| Service restoration | Gateway restart, config rollback | On-call engineer | Health check |
Change Process
Standard Change Workflow
Request → Implement → Verify → Document
- Implement the change
- Verify using established procedure
- Document in change log (audit trail automatic)
Normal Change Workflow
Request → Review → Approve → Test → Implement → Verify → Document
-
Request: Submit change request with:
- Description of change
- Business justification
- Risk assessment
- Rollback plan
- Testing plan
-
Review: Designated reviewer assesses:
- Completeness of request
- Risk level appropriate
- Rollback plan viable
-
Approve: Approver authorizes change
-
Test: Execute testing plan:
- Staging environment (if available)
- Security audit pre-check
-
Implement: Apply change
-
Verify: Confirm success:
- Functional verification
- Security audit post-check
- Health check
-
Document: Record in change log
Emergency Change Workflow
Assess → Approve (verbal) → Implement → Verify → Document (post-hoc)
- Assess: Confirm emergency criteria met
- Approve: Verbal approval from authorized person
- Implement: Apply minimal change to address issue
- Verify: Confirm issue resolved
- Document: Complete change record within 24 hours
Change Implementation Procedures
Configuration Changes
All configuration changes are logged to the audit trail automatically.
Pre-change checklist:
- Current config backed up
- Change command prepared
- Rollback command prepared
- Verification steps defined
Implementation:
# Backup current configuration
clawdbot config show > config-backup-$(date +%Y%m%d-%H%M%S).yaml
# Apply configuration change
clawdbot config set KEY VALUE
# Verify change applied
clawdbot config get KEY
# Run security audit to verify no new issues
clawdbot security audit --deep
Audit trail:
Configuration changes emit config.change audit events:
{
"ts": "2026-01-27T10:30:00.000Z",
"type": "config.change",
"actor": { "type": "user", "id": "admin" },
"outcome": "success",
"metadata": {
"changes": { "rbac.enabled": true }
}
}
Version Upgrades
Pre-upgrade checklist:
- Current version documented
- Release notes reviewed
- Breaking changes identified
- Backup completed
- Rollback procedure prepared
Implementation:
# Document current version
clawdbot --version > version-before.txt
# Stop gateway gracefully
clawdbot gateway stop
# Backup state directory
cp -r ~/.clawdbot ~/.clawdbot-backup-$(date +%Y%m%d)
# Update Clawdbot
clawdbot update
# or: npm update -g clawdbot
# Verify new version
clawdbot --version
# Start gateway
clawdbot gateway run
# Verify health
clawdbot status --all
clawdbot security audit --deep
Rollback (if needed):
# Stop gateway
clawdbot gateway stop
# Restore previous version
npm install -g clawdbot@PREVIOUS_VERSION
# Restore state if needed
rm -rf ~/.clawdbot
cp -r ~/.clawdbot-backup-YYYYMMDD ~/.clawdbot
# Restart
clawdbot gateway run
Channel Changes
Adding a new channel:
- Security review: Assess channel-specific risks
- Configuration:
# Configure channel credentials
clawdbot config set channels.CHANNEL.token "BOT_TOKEN"
clawdbot config set channels.CHANNEL.enabled true
# Configure access policy
clawdbot config set channels.CHANNEL.dm.policy "pairing"
- Verification:
# Check channel status
clawdbot channels status --channel CHANNEL
# Run security audit
clawdbot security audit --deep | grep CHANNEL
Removing a channel:
# Disable channel
clawdbot config set channels.CHANNEL.enabled false
# Revoke any pairings
clawdbot pairing list --channel CHANNEL
clawdbot pairing revoke --channel CHANNEL --all
# Remove credentials (optional)
clawdbot config unset channels.CHANNEL.token
# Restart gateway
clawdbot gateway stop && clawdbot gateway run
Plugin Changes
Installing a plugin:
- Security review: Verify plugin source and permissions
- Installation:
# Install plugin
clawdbot plugins install PLUGIN_NAME
# Verify installation
clawdbot plugins list
# Configure plugin
clawdbot config set plugins.PLUGIN_NAME.enabled true
- Verification:
# Test plugin functionality
clawdbot plugins test PLUGIN_NAME
# Security audit
clawdbot security audit --deep
Updating a plugin:
# Update specific plugin
clawdbot plugins update PLUGIN_NAME
# Or update all plugins
clawdbot plugins update --all
# Verify
clawdbot plugins list
Removing a plugin:
# Disable plugin
clawdbot config set plugins.PLUGIN_NAME.enabled false
# Uninstall
clawdbot plugins uninstall PLUGIN_NAME
# Verify removal
clawdbot plugins list
RBAC Changes
Adding a new role:
# config.yaml addition
rbac:
roles:
new_role:
name: "New Role Name"
description: "Purpose of this role"
permissions:
- exec
tools:
deny:
- bash
# Apply via CLI
clawdbot config set rbac.roles.new_role.name "New Role Name"
clawdbot config set rbac.roles.new_role.permissions '["exec"]'
# Verify
clawdbot config get rbac.roles.new_role
Modifying role permissions:
# Backup current role config
clawdbot config get rbac.roles.ROLE > role-backup.yaml
# Update permissions
clawdbot config set rbac.roles.ROLE.permissions '["exec", "exec.approve"]'
# Verify no unintended access
clawdbot security audit --deep | grep rbac
Risk Assessment
Risk Categories
| Risk Level | Criteria | Examples |
|---|---|---|
| High | Security impact, data exposure | Auth changes, RBAC modifications, channel credentials |
| Medium | Service disruption potential | Version upgrades, plugin changes |
| Low | Minimal impact | Log levels, cosmetic changes |
Risk Mitigation
| Risk Level | Required Controls |
|---|---|
| High | Security team approval, staging test, documented rollback |
| Medium | Change owner approval, basic testing, rollback plan |
| Low | Self-service, verification |
Testing Requirements
Test Types by Change Category
| Change Type | Unit Test | Integration Test | Security Audit | Staging |
|---|---|---|---|---|
| Standard | - | - | - | - |
| Normal (Low) | - | Verify | Post-change | - |
| Normal (Medium) | - | Functional | Pre/Post | Optional |
| Normal (High) | If applicable | Full | Pre/Post | Required |
| Emergency | - | Smoke | Post-change | - |
Security Audit Verification
Run before and after high-risk changes:
# Pre-change baseline
clawdbot security audit --deep > audit-pre-$(date +%Y%m%d-%H%M%S).txt
# [Apply change]
# Post-change verification
clawdbot security audit --deep > audit-post-$(date +%Y%m%d-%H%M%S).txt
# Compare findings
diff audit-pre-*.txt audit-post-*.txt
Documentation Requirements
Change Record Template
# Change Record: CHG-YYYY-NNN
## Summary
- **Type**: Standard/Normal/Emergency
- **Risk Level**: Low/Medium/High
- **Status**: Requested/Approved/Implemented/Verified/Closed
- **Requested**: YYYY-MM-DD
- **Implemented**: YYYY-MM-DD
## Description
[What is being changed and why]
## Business Justification
[Why this change is needed]
## Risk Assessment
- **Impact if change fails**: [Description]
- **Likelihood of failure**: Low/Medium/High
- **Mitigation**: [Rollback plan]
## Testing Plan
1. [Test step 1]
2. [Test step 2]
## Implementation Steps
1. [Step 1]
2. [Step 2]
## Rollback Plan
1. [Rollback step 1]
2. [Rollback step 2]
## Verification
- [ ] Change applied successfully
- [ ] Functionality verified
- [ ] Security audit passed
- [ ] No unexpected side effects
## Approvals
| Role | Name | Date |
|------|------|------|
| Requester | [Name] | YYYY-MM-DD |
| Approver | [Name] | YYYY-MM-DD |
| Implementer | [Name] | YYYY-MM-DD |
## Post-Implementation Notes
[Any observations or follow-up actions]
Audit Trail
All changes are automatically logged:
# View recent config changes
cat ~/.clawdbot/audit.jsonl | jq 'select(.type == "config.change")' | tail -10
# View changes by actor
cat ~/.clawdbot/audit.jsonl | jq 'select(.type == "config.change" and .actor.id == "ACTOR_ID")'
# View changes in time range
cat ~/.clawdbot/audit.jsonl | jq 'select(.type == "config.change" and .ts >= "2026-01-01" and .ts <= "2026-01-31")'
Roles and Responsibilities
| Role | Responsibilities |
|---|---|
| Change Requester | Submit request, provide justification, execute standard changes |
| Change Approver | Review requests, approve/reject, ensure compliance |
| Change Implementer | Execute approved changes, verify success |
| Security Team | Review high-risk changes, maintain procedures |
| On-call Engineer | Handle emergency changes, escalate as needed |
Compliance
This procedure supports:
- SOC2 CC8.1: Change management for system components
- ISO 27001 A.12.1.2: Change management
- ISO 27001 A.14.2.2: System change control procedures
Related Documentation
- Security Hardening - Security configuration
- Incident Response - Emergency procedures
- Access Control Policy - Authorization for changes
- Gateway Configuration - Configuration reference
Procedure owner: Operations Team Last reviewed: 2026-01-27 Next review: 2026-07-27