openclaw/docs/compliance/change-management.md
ronitchidara 7ff1dc3bba compliance: add Phase 7 governance and procedure documentation
Add SOC2/ISO 27001 compliance documentation suite:
- incident-response.md: P1-P4 severity, 5-phase response, templates
- access-control-policy.md: RBAC governance, provisioning/revocation
- readiness-checklist.md: Self-assessment for all SOC2 TSC criteria
- change-management.md: Standard/normal/emergency change workflows
- vulnerability-disclosure.md: Safe harbor, reporting channels
- security-metrics.md: KPIs, Prometheus alerts, Grafana dashboard
- index.md: Navigation hub with control mapping

Documents reference existing technical controls (audit-log.ts, rbac.ts)
and provide practical audit log queries and alerting configurations.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 17:01:41 +05:30

481 lines
12 KiB
Markdown

---
title: Change Management Procedure
summary: Procedures for managing configuration, version, and operational changes in Clawdbot deployments.
permalink: /compliance/change-management/
---
# Change Management Procedure
This document defines procedures for managing changes to Clawdbot configuration, versions, channels, and plugins in a controlled manner.
## Purpose
Ensure all changes to Clawdbot systems are:
- Authorized before implementation
- Tested appropriately
- Documented with audit trail
- Reversible if issues arise
## Scope
This procedure covers:
- Configuration changes (settings, credentials, policies)
- Version upgrades (Clawdbot releases)
- Channel modifications (adding, removing, reconfiguring)
- Plugin management (installation, updates, removal)
- Infrastructure changes (gateway, networking)
## Change Categories
### Standard Changes
Pre-approved, low-risk changes with established procedures.
| Change Type | Examples | Approval | Testing |
|-------------|----------|----------|---------|
| User access | RBAC assignment, pairing approval | Self-service | None required |
| Agent config | System prompt updates, model selection | Self-service | Functional test |
| Logging | Log level changes | Self-service | None required |
### Normal Changes
Planned changes requiring approval and testing.
| Change Type | Examples | Approval | Testing |
|-------------|----------|----------|---------|
| Version upgrade | Minor/patch releases | Change owner | Staging verification |
| Channel addition | New messaging platform | Security review | Integration test |
| Plugin installation | New extension | Security review | Compatibility test |
| Security config | Auth mode, RBAC roles | Security team | Security audit |
### Emergency Changes
Urgent changes to address incidents or critical vulnerabilities.
| Change Type | Examples | Approval | Testing |
|-------------|----------|----------|---------|
| Security patch | Critical vulnerability fix | Verbal, documented post-hoc | Smoke test only |
| Incident response | Credential rotation, access revocation | Incident commander | Verification only |
| Service restoration | Gateway restart, config rollback | On-call engineer | Health check |
## Change Process
### Standard Change Workflow
```
Request → Implement → Verify → Document
```
1. **Implement** the change
2. **Verify** using established procedure
3. **Document** in change log (audit trail automatic)
### Normal Change Workflow
```
Request → Review → Approve → Test → Implement → Verify → Document
```
1. **Request**: Submit change request with:
- Description of change
- Business justification
- Risk assessment
- Rollback plan
- Testing plan
2. **Review**: Designated reviewer assesses:
- Completeness of request
- Risk level appropriate
- Rollback plan viable
3. **Approve**: Approver authorizes change
4. **Test**: Execute testing plan:
- Staging environment (if available)
- Security audit pre-check
5. **Implement**: Apply change
6. **Verify**: Confirm success:
- Functional verification
- Security audit post-check
- Health check
7. **Document**: Record in change log
### Emergency Change Workflow
```
Assess → Approve (verbal) → Implement → Verify → Document (post-hoc)
```
1. **Assess**: Confirm emergency criteria met
2. **Approve**: Verbal approval from authorized person
3. **Implement**: Apply minimal change to address issue
4. **Verify**: Confirm issue resolved
5. **Document**: Complete change record within 24 hours
## Change Implementation Procedures
### Configuration Changes
All configuration changes are logged to the audit trail automatically.
**Pre-change checklist:**
- [ ] Current config backed up
- [ ] Change command prepared
- [ ] Rollback command prepared
- [ ] Verification steps defined
**Implementation:**
```bash
# Backup current configuration
clawdbot config show > config-backup-$(date +%Y%m%d-%H%M%S).yaml
# Apply configuration change
clawdbot config set KEY VALUE
# Verify change applied
clawdbot config get KEY
# Run security audit to verify no new issues
clawdbot security audit --deep
```
**Audit trail:**
Configuration changes emit `config.change` audit events:
```json
{
"ts": "2026-01-27T10:30:00.000Z",
"type": "config.change",
"actor": { "type": "user", "id": "admin" },
"outcome": "success",
"metadata": {
"changes": { "rbac.enabled": true }
}
}
```
### Version Upgrades
**Pre-upgrade checklist:**
- [ ] Current version documented
- [ ] Release notes reviewed
- [ ] Breaking changes identified
- [ ] Backup completed
- [ ] Rollback procedure prepared
**Implementation:**
```bash
# Document current version
clawdbot --version > version-before.txt
# Stop gateway gracefully
clawdbot gateway stop
# Backup state directory
cp -r ~/.clawdbot ~/.clawdbot-backup-$(date +%Y%m%d)
# Update Clawdbot
clawdbot update
# or: npm update -g clawdbot
# Verify new version
clawdbot --version
# Start gateway
clawdbot gateway run
# Verify health
clawdbot status --all
clawdbot security audit --deep
```
**Rollback (if needed):**
```bash
# Stop gateway
clawdbot gateway stop
# Restore previous version
npm install -g clawdbot@PREVIOUS_VERSION
# Restore state if needed
rm -rf ~/.clawdbot
cp -r ~/.clawdbot-backup-YYYYMMDD ~/.clawdbot
# Restart
clawdbot gateway run
```
### Channel Changes
**Adding a new channel:**
1. **Security review**: Assess channel-specific risks
2. **Configuration**:
```bash
# Configure channel credentials
clawdbot config set channels.CHANNEL.token "BOT_TOKEN"
clawdbot config set channels.CHANNEL.enabled true
# Configure access policy
clawdbot config set channels.CHANNEL.dm.policy "pairing"
```
3. **Verification**:
```bash
# Check channel status
clawdbot channels status --channel CHANNEL
# Run security audit
clawdbot security audit --deep | grep CHANNEL
```
**Removing a channel:**
```bash
# Disable channel
clawdbot config set channels.CHANNEL.enabled false
# Revoke any pairings
clawdbot pairing list --channel CHANNEL
clawdbot pairing revoke --channel CHANNEL --all
# Remove credentials (optional)
clawdbot config unset channels.CHANNEL.token
# Restart gateway
clawdbot gateway stop && clawdbot gateway run
```
### Plugin Changes
**Installing a plugin:**
1. **Security review**: Verify plugin source and permissions
2. **Installation**:
```bash
# Install plugin
clawdbot plugins install PLUGIN_NAME
# Verify installation
clawdbot plugins list
# Configure plugin
clawdbot config set plugins.PLUGIN_NAME.enabled true
```
3. **Verification**:
```bash
# Test plugin functionality
clawdbot plugins test PLUGIN_NAME
# Security audit
clawdbot security audit --deep
```
**Updating a plugin:**
```bash
# Update specific plugin
clawdbot plugins update PLUGIN_NAME
# Or update all plugins
clawdbot plugins update --all
# Verify
clawdbot plugins list
```
**Removing a plugin:**
```bash
# Disable plugin
clawdbot config set plugins.PLUGIN_NAME.enabled false
# Uninstall
clawdbot plugins uninstall PLUGIN_NAME
# Verify removal
clawdbot plugins list
```
### RBAC Changes
**Adding a new role:**
```yaml
# config.yaml addition
rbac:
roles:
new_role:
name: "New Role Name"
description: "Purpose of this role"
permissions:
- exec
tools:
deny:
- bash
```
```bash
# Apply via CLI
clawdbot config set rbac.roles.new_role.name "New Role Name"
clawdbot config set rbac.roles.new_role.permissions '["exec"]'
# Verify
clawdbot config get rbac.roles.new_role
```
**Modifying role permissions:**
```bash
# Backup current role config
clawdbot config get rbac.roles.ROLE > role-backup.yaml
# Update permissions
clawdbot config set rbac.roles.ROLE.permissions '["exec", "exec.approve"]'
# Verify no unintended access
clawdbot security audit --deep | grep rbac
```
## Risk Assessment
### Risk Categories
| Risk Level | Criteria | Examples |
|------------|----------|----------|
| High | Security impact, data exposure | Auth changes, RBAC modifications, channel credentials |
| Medium | Service disruption potential | Version upgrades, plugin changes |
| Low | Minimal impact | Log levels, cosmetic changes |
### Risk Mitigation
| Risk Level | Required Controls |
|------------|-------------------|
| High | Security team approval, staging test, documented rollback |
| Medium | Change owner approval, basic testing, rollback plan |
| Low | Self-service, verification |
## Testing Requirements
### Test Types by Change Category
| Change Type | Unit Test | Integration Test | Security Audit | Staging |
|-------------|-----------|------------------|----------------|---------|
| Standard | - | - | - | - |
| Normal (Low) | - | Verify | Post-change | - |
| Normal (Medium) | - | Functional | Pre/Post | Optional |
| Normal (High) | If applicable | Full | Pre/Post | Required |
| Emergency | - | Smoke | Post-change | - |
### Security Audit Verification
Run before and after high-risk changes:
```bash
# Pre-change baseline
clawdbot security audit --deep > audit-pre-$(date +%Y%m%d-%H%M%S).txt
# [Apply change]
# Post-change verification
clawdbot security audit --deep > audit-post-$(date +%Y%m%d-%H%M%S).txt
# Compare findings
diff audit-pre-*.txt audit-post-*.txt
```
## Documentation Requirements
### Change Record Template
```markdown
# Change Record: CHG-YYYY-NNN
## Summary
- **Type**: Standard/Normal/Emergency
- **Risk Level**: Low/Medium/High
- **Status**: Requested/Approved/Implemented/Verified/Closed
- **Requested**: YYYY-MM-DD
- **Implemented**: YYYY-MM-DD
## Description
[What is being changed and why]
## Business Justification
[Why this change is needed]
## Risk Assessment
- **Impact if change fails**: [Description]
- **Likelihood of failure**: Low/Medium/High
- **Mitigation**: [Rollback plan]
## Testing Plan
1. [Test step 1]
2. [Test step 2]
## Implementation Steps
1. [Step 1]
2. [Step 2]
## Rollback Plan
1. [Rollback step 1]
2. [Rollback step 2]
## Verification
- [ ] Change applied successfully
- [ ] Functionality verified
- [ ] Security audit passed
- [ ] No unexpected side effects
## Approvals
| Role | Name | Date |
|------|------|------|
| Requester | [Name] | YYYY-MM-DD |
| Approver | [Name] | YYYY-MM-DD |
| Implementer | [Name] | YYYY-MM-DD |
## Post-Implementation Notes
[Any observations or follow-up actions]
```
### Audit Trail
All changes are automatically logged:
```bash
# View recent config changes
cat ~/.clawdbot/audit.jsonl | jq 'select(.type == "config.change")' | tail -10
# View changes by actor
cat ~/.clawdbot/audit.jsonl | jq 'select(.type == "config.change" and .actor.id == "ACTOR_ID")'
# View changes in time range
cat ~/.clawdbot/audit.jsonl | jq 'select(.type == "config.change" and .ts >= "2026-01-01" and .ts <= "2026-01-31")'
```
## Roles and Responsibilities
| Role | Responsibilities |
|------|------------------|
| Change Requester | Submit request, provide justification, execute standard changes |
| Change Approver | Review requests, approve/reject, ensure compliance |
| Change Implementer | Execute approved changes, verify success |
| Security Team | Review high-risk changes, maintain procedures |
| On-call Engineer | Handle emergency changes, escalate as needed |
## Compliance
This procedure supports:
- **SOC2 CC8.1**: Change management for system components
- **ISO 27001 A.12.1.2**: Change management
- **ISO 27001 A.14.2.2**: System change control procedures
## Related Documentation
- [Security Hardening](/enterprise/security-hardening) - Security configuration
- [Incident Response](/compliance/incident-response) - Emergency procedures
- [Access Control Policy](/compliance/access-control-policy) - Authorization for changes
- [Gateway Configuration](/gateway/configuration) - Configuration reference
---
*Procedure owner: Operations Team*
*Last reviewed: 2026-01-27*
*Next review: 2026-07-27*