Add SOC2/ISO 27001 compliance documentation suite: - incident-response.md: P1-P4 severity, 5-phase response, templates - access-control-policy.md: RBAC governance, provisioning/revocation - readiness-checklist.md: Self-assessment for all SOC2 TSC criteria - change-management.md: Standard/normal/emergency change workflows - vulnerability-disclosure.md: Safe harbor, reporting channels - security-metrics.md: KPIs, Prometheus alerts, Grafana dashboard - index.md: Navigation hub with control mapping Documents reference existing technical controls (audit-log.ts, rbac.ts) and provide practical audit log queries and alerting configurations. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
481 lines
12 KiB
Markdown
481 lines
12 KiB
Markdown
---
|
|
title: Change Management Procedure
|
|
summary: Procedures for managing configuration, version, and operational changes in Clawdbot deployments.
|
|
permalink: /compliance/change-management/
|
|
---
|
|
|
|
# Change Management Procedure
|
|
|
|
This document defines procedures for managing changes to Clawdbot configuration, versions, channels, and plugins in a controlled manner.
|
|
|
|
## Purpose
|
|
|
|
Ensure all changes to Clawdbot systems are:
|
|
- Authorized before implementation
|
|
- Tested appropriately
|
|
- Documented with audit trail
|
|
- Reversible if issues arise
|
|
|
|
## Scope
|
|
|
|
This procedure covers:
|
|
- Configuration changes (settings, credentials, policies)
|
|
- Version upgrades (Clawdbot releases)
|
|
- Channel modifications (adding, removing, reconfiguring)
|
|
- Plugin management (installation, updates, removal)
|
|
- Infrastructure changes (gateway, networking)
|
|
|
|
## Change Categories
|
|
|
|
### Standard Changes
|
|
|
|
Pre-approved, low-risk changes with established procedures.
|
|
|
|
| Change Type | Examples | Approval | Testing |
|
|
|-------------|----------|----------|---------|
|
|
| User access | RBAC assignment, pairing approval | Self-service | None required |
|
|
| Agent config | System prompt updates, model selection | Self-service | Functional test |
|
|
| Logging | Log level changes | Self-service | None required |
|
|
|
|
### Normal Changes
|
|
|
|
Planned changes requiring approval and testing.
|
|
|
|
| Change Type | Examples | Approval | Testing |
|
|
|-------------|----------|----------|---------|
|
|
| Version upgrade | Minor/patch releases | Change owner | Staging verification |
|
|
| Channel addition | New messaging platform | Security review | Integration test |
|
|
| Plugin installation | New extension | Security review | Compatibility test |
|
|
| Security config | Auth mode, RBAC roles | Security team | Security audit |
|
|
|
|
### Emergency Changes
|
|
|
|
Urgent changes to address incidents or critical vulnerabilities.
|
|
|
|
| Change Type | Examples | Approval | Testing |
|
|
|-------------|----------|----------|---------|
|
|
| Security patch | Critical vulnerability fix | Verbal, documented post-hoc | Smoke test only |
|
|
| Incident response | Credential rotation, access revocation | Incident commander | Verification only |
|
|
| Service restoration | Gateway restart, config rollback | On-call engineer | Health check |
|
|
|
|
## Change Process
|
|
|
|
### Standard Change Workflow
|
|
|
|
```
|
|
Request → Implement → Verify → Document
|
|
```
|
|
|
|
1. **Implement** the change
|
|
2. **Verify** using established procedure
|
|
3. **Document** in change log (audit trail automatic)
|
|
|
|
### Normal Change Workflow
|
|
|
|
```
|
|
Request → Review → Approve → Test → Implement → Verify → Document
|
|
```
|
|
|
|
1. **Request**: Submit change request with:
|
|
- Description of change
|
|
- Business justification
|
|
- Risk assessment
|
|
- Rollback plan
|
|
- Testing plan
|
|
|
|
2. **Review**: Designated reviewer assesses:
|
|
- Completeness of request
|
|
- Risk level appropriate
|
|
- Rollback plan viable
|
|
|
|
3. **Approve**: Approver authorizes change
|
|
|
|
4. **Test**: Execute testing plan:
|
|
- Staging environment (if available)
|
|
- Security audit pre-check
|
|
|
|
5. **Implement**: Apply change
|
|
|
|
6. **Verify**: Confirm success:
|
|
- Functional verification
|
|
- Security audit post-check
|
|
- Health check
|
|
|
|
7. **Document**: Record in change log
|
|
|
|
### Emergency Change Workflow
|
|
|
|
```
|
|
Assess → Approve (verbal) → Implement → Verify → Document (post-hoc)
|
|
```
|
|
|
|
1. **Assess**: Confirm emergency criteria met
|
|
2. **Approve**: Verbal approval from authorized person
|
|
3. **Implement**: Apply minimal change to address issue
|
|
4. **Verify**: Confirm issue resolved
|
|
5. **Document**: Complete change record within 24 hours
|
|
|
|
## Change Implementation Procedures
|
|
|
|
### Configuration Changes
|
|
|
|
All configuration changes are logged to the audit trail automatically.
|
|
|
|
**Pre-change checklist:**
|
|
- [ ] Current config backed up
|
|
- [ ] Change command prepared
|
|
- [ ] Rollback command prepared
|
|
- [ ] Verification steps defined
|
|
|
|
**Implementation:**
|
|
```bash
|
|
# Backup current configuration
|
|
clawdbot config show > config-backup-$(date +%Y%m%d-%H%M%S).yaml
|
|
|
|
# Apply configuration change
|
|
clawdbot config set KEY VALUE
|
|
|
|
# Verify change applied
|
|
clawdbot config get KEY
|
|
|
|
# Run security audit to verify no new issues
|
|
clawdbot security audit --deep
|
|
```
|
|
|
|
**Audit trail:**
|
|
Configuration changes emit `config.change` audit events:
|
|
```json
|
|
{
|
|
"ts": "2026-01-27T10:30:00.000Z",
|
|
"type": "config.change",
|
|
"actor": { "type": "user", "id": "admin" },
|
|
"outcome": "success",
|
|
"metadata": {
|
|
"changes": { "rbac.enabled": true }
|
|
}
|
|
}
|
|
```
|
|
|
|
### Version Upgrades
|
|
|
|
**Pre-upgrade checklist:**
|
|
- [ ] Current version documented
|
|
- [ ] Release notes reviewed
|
|
- [ ] Breaking changes identified
|
|
- [ ] Backup completed
|
|
- [ ] Rollback procedure prepared
|
|
|
|
**Implementation:**
|
|
```bash
|
|
# Document current version
|
|
clawdbot --version > version-before.txt
|
|
|
|
# Stop gateway gracefully
|
|
clawdbot gateway stop
|
|
|
|
# Backup state directory
|
|
cp -r ~/.clawdbot ~/.clawdbot-backup-$(date +%Y%m%d)
|
|
|
|
# Update Clawdbot
|
|
clawdbot update
|
|
# or: npm update -g clawdbot
|
|
|
|
# Verify new version
|
|
clawdbot --version
|
|
|
|
# Start gateway
|
|
clawdbot gateway run
|
|
|
|
# Verify health
|
|
clawdbot status --all
|
|
clawdbot security audit --deep
|
|
```
|
|
|
|
**Rollback (if needed):**
|
|
```bash
|
|
# Stop gateway
|
|
clawdbot gateway stop
|
|
|
|
# Restore previous version
|
|
npm install -g clawdbot@PREVIOUS_VERSION
|
|
|
|
# Restore state if needed
|
|
rm -rf ~/.clawdbot
|
|
cp -r ~/.clawdbot-backup-YYYYMMDD ~/.clawdbot
|
|
|
|
# Restart
|
|
clawdbot gateway run
|
|
```
|
|
|
|
### Channel Changes
|
|
|
|
**Adding a new channel:**
|
|
|
|
1. **Security review**: Assess channel-specific risks
|
|
2. **Configuration**:
|
|
```bash
|
|
# Configure channel credentials
|
|
clawdbot config set channels.CHANNEL.token "BOT_TOKEN"
|
|
clawdbot config set channels.CHANNEL.enabled true
|
|
|
|
# Configure access policy
|
|
clawdbot config set channels.CHANNEL.dm.policy "pairing"
|
|
```
|
|
3. **Verification**:
|
|
```bash
|
|
# Check channel status
|
|
clawdbot channels status --channel CHANNEL
|
|
|
|
# Run security audit
|
|
clawdbot security audit --deep | grep CHANNEL
|
|
```
|
|
|
|
**Removing a channel:**
|
|
```bash
|
|
# Disable channel
|
|
clawdbot config set channels.CHANNEL.enabled false
|
|
|
|
# Revoke any pairings
|
|
clawdbot pairing list --channel CHANNEL
|
|
clawdbot pairing revoke --channel CHANNEL --all
|
|
|
|
# Remove credentials (optional)
|
|
clawdbot config unset channels.CHANNEL.token
|
|
|
|
# Restart gateway
|
|
clawdbot gateway stop && clawdbot gateway run
|
|
```
|
|
|
|
### Plugin Changes
|
|
|
|
**Installing a plugin:**
|
|
|
|
1. **Security review**: Verify plugin source and permissions
|
|
2. **Installation**:
|
|
```bash
|
|
# Install plugin
|
|
clawdbot plugins install PLUGIN_NAME
|
|
|
|
# Verify installation
|
|
clawdbot plugins list
|
|
|
|
# Configure plugin
|
|
clawdbot config set plugins.PLUGIN_NAME.enabled true
|
|
```
|
|
3. **Verification**:
|
|
```bash
|
|
# Test plugin functionality
|
|
clawdbot plugins test PLUGIN_NAME
|
|
|
|
# Security audit
|
|
clawdbot security audit --deep
|
|
```
|
|
|
|
**Updating a plugin:**
|
|
```bash
|
|
# Update specific plugin
|
|
clawdbot plugins update PLUGIN_NAME
|
|
|
|
# Or update all plugins
|
|
clawdbot plugins update --all
|
|
|
|
# Verify
|
|
clawdbot plugins list
|
|
```
|
|
|
|
**Removing a plugin:**
|
|
```bash
|
|
# Disable plugin
|
|
clawdbot config set plugins.PLUGIN_NAME.enabled false
|
|
|
|
# Uninstall
|
|
clawdbot plugins uninstall PLUGIN_NAME
|
|
|
|
# Verify removal
|
|
clawdbot plugins list
|
|
```
|
|
|
|
### RBAC Changes
|
|
|
|
**Adding a new role:**
|
|
```yaml
|
|
# config.yaml addition
|
|
rbac:
|
|
roles:
|
|
new_role:
|
|
name: "New Role Name"
|
|
description: "Purpose of this role"
|
|
permissions:
|
|
- exec
|
|
tools:
|
|
deny:
|
|
- bash
|
|
```
|
|
|
|
```bash
|
|
# Apply via CLI
|
|
clawdbot config set rbac.roles.new_role.name "New Role Name"
|
|
clawdbot config set rbac.roles.new_role.permissions '["exec"]'
|
|
|
|
# Verify
|
|
clawdbot config get rbac.roles.new_role
|
|
```
|
|
|
|
**Modifying role permissions:**
|
|
```bash
|
|
# Backup current role config
|
|
clawdbot config get rbac.roles.ROLE > role-backup.yaml
|
|
|
|
# Update permissions
|
|
clawdbot config set rbac.roles.ROLE.permissions '["exec", "exec.approve"]'
|
|
|
|
# Verify no unintended access
|
|
clawdbot security audit --deep | grep rbac
|
|
```
|
|
|
|
## Risk Assessment
|
|
|
|
### Risk Categories
|
|
|
|
| Risk Level | Criteria | Examples |
|
|
|------------|----------|----------|
|
|
| High | Security impact, data exposure | Auth changes, RBAC modifications, channel credentials |
|
|
| Medium | Service disruption potential | Version upgrades, plugin changes |
|
|
| Low | Minimal impact | Log levels, cosmetic changes |
|
|
|
|
### Risk Mitigation
|
|
|
|
| Risk Level | Required Controls |
|
|
|------------|-------------------|
|
|
| High | Security team approval, staging test, documented rollback |
|
|
| Medium | Change owner approval, basic testing, rollback plan |
|
|
| Low | Self-service, verification |
|
|
|
|
## Testing Requirements
|
|
|
|
### Test Types by Change Category
|
|
|
|
| Change Type | Unit Test | Integration Test | Security Audit | Staging |
|
|
|-------------|-----------|------------------|----------------|---------|
|
|
| Standard | - | - | - | - |
|
|
| Normal (Low) | - | Verify | Post-change | - |
|
|
| Normal (Medium) | - | Functional | Pre/Post | Optional |
|
|
| Normal (High) | If applicable | Full | Pre/Post | Required |
|
|
| Emergency | - | Smoke | Post-change | - |
|
|
|
|
### Security Audit Verification
|
|
|
|
Run before and after high-risk changes:
|
|
|
|
```bash
|
|
# Pre-change baseline
|
|
clawdbot security audit --deep > audit-pre-$(date +%Y%m%d-%H%M%S).txt
|
|
|
|
# [Apply change]
|
|
|
|
# Post-change verification
|
|
clawdbot security audit --deep > audit-post-$(date +%Y%m%d-%H%M%S).txt
|
|
|
|
# Compare findings
|
|
diff audit-pre-*.txt audit-post-*.txt
|
|
```
|
|
|
|
## Documentation Requirements
|
|
|
|
### Change Record Template
|
|
|
|
```markdown
|
|
# Change Record: CHG-YYYY-NNN
|
|
|
|
## Summary
|
|
- **Type**: Standard/Normal/Emergency
|
|
- **Risk Level**: Low/Medium/High
|
|
- **Status**: Requested/Approved/Implemented/Verified/Closed
|
|
- **Requested**: YYYY-MM-DD
|
|
- **Implemented**: YYYY-MM-DD
|
|
|
|
## Description
|
|
[What is being changed and why]
|
|
|
|
## Business Justification
|
|
[Why this change is needed]
|
|
|
|
## Risk Assessment
|
|
- **Impact if change fails**: [Description]
|
|
- **Likelihood of failure**: Low/Medium/High
|
|
- **Mitigation**: [Rollback plan]
|
|
|
|
## Testing Plan
|
|
1. [Test step 1]
|
|
2. [Test step 2]
|
|
|
|
## Implementation Steps
|
|
1. [Step 1]
|
|
2. [Step 2]
|
|
|
|
## Rollback Plan
|
|
1. [Rollback step 1]
|
|
2. [Rollback step 2]
|
|
|
|
## Verification
|
|
- [ ] Change applied successfully
|
|
- [ ] Functionality verified
|
|
- [ ] Security audit passed
|
|
- [ ] No unexpected side effects
|
|
|
|
## Approvals
|
|
| Role | Name | Date |
|
|
|------|------|------|
|
|
| Requester | [Name] | YYYY-MM-DD |
|
|
| Approver | [Name] | YYYY-MM-DD |
|
|
| Implementer | [Name] | YYYY-MM-DD |
|
|
|
|
## Post-Implementation Notes
|
|
[Any observations or follow-up actions]
|
|
```
|
|
|
|
### Audit Trail
|
|
|
|
All changes are automatically logged:
|
|
|
|
```bash
|
|
# View recent config changes
|
|
cat ~/.clawdbot/audit.jsonl | jq 'select(.type == "config.change")' | tail -10
|
|
|
|
# View changes by actor
|
|
cat ~/.clawdbot/audit.jsonl | jq 'select(.type == "config.change" and .actor.id == "ACTOR_ID")'
|
|
|
|
# View changes in time range
|
|
cat ~/.clawdbot/audit.jsonl | jq 'select(.type == "config.change" and .ts >= "2026-01-01" and .ts <= "2026-01-31")'
|
|
```
|
|
|
|
## Roles and Responsibilities
|
|
|
|
| Role | Responsibilities |
|
|
|------|------------------|
|
|
| Change Requester | Submit request, provide justification, execute standard changes |
|
|
| Change Approver | Review requests, approve/reject, ensure compliance |
|
|
| Change Implementer | Execute approved changes, verify success |
|
|
| Security Team | Review high-risk changes, maintain procedures |
|
|
| On-call Engineer | Handle emergency changes, escalate as needed |
|
|
|
|
## Compliance
|
|
|
|
This procedure supports:
|
|
- **SOC2 CC8.1**: Change management for system components
|
|
- **ISO 27001 A.12.1.2**: Change management
|
|
- **ISO 27001 A.14.2.2**: System change control procedures
|
|
|
|
## Related Documentation
|
|
|
|
- [Security Hardening](/enterprise/security-hardening) - Security configuration
|
|
- [Incident Response](/compliance/incident-response) - Emergency procedures
|
|
- [Access Control Policy](/compliance/access-control-policy) - Authorization for changes
|
|
- [Gateway Configuration](/gateway/configuration) - Configuration reference
|
|
|
|
---
|
|
|
|
*Procedure owner: Operations Team*
|
|
*Last reviewed: 2026-01-27*
|
|
*Next review: 2026-07-27*
|