Skip to content

Latest commit

Β 

History

History
185 lines (146 loc) Β· 5.77 KB

security-roadmap.md

File metadata and controls

185 lines (146 loc) Β· 5.77 KB

ZeroClaw Security Improvement Roadmap

⚠️ Status: Proposal / Roadmap

This document describes proposed approaches and may include hypothetical commands or config. For current runtime behavior, see config-reference.md, operations-runbook.md, and troubleshooting.md.

Current State: Strong Foundation

ZeroClaw already has excellent application-layer security:

βœ… Command allowlist (not blocklist) βœ… Path traversal protection βœ… Command injection blocking ($(...), backticks, &&, >) βœ… Secret isolation (API keys not leaked to shell) βœ… Rate limiting (20 actions/hour) βœ… Channel authorization (empty = deny all, * = allow all) βœ… Risk classification (Low/Medium/High) βœ… Environment variable sanitization βœ… Forbidden paths blocking βœ… Comprehensive test coverage (1,017 tests)

What's Missing: OS-Level Containment

πŸ”΄ No OS-level sandboxing (chroot, containers, namespaces) πŸ”΄ No resource limits (CPU, memory, disk I/O caps) πŸ”΄ No tamper-evident audit logging πŸ”΄ No syscall filtering (seccomp)

Comparison: ZeroClaw vs PicoClaw vs Production Grade

Feature PicoClaw ZeroClaw Now ZeroClaw + Roadmap Production Target
Binary Size ~8MB 3.4MB βœ… 3.5-4MB < 5MB
RAM Usage < 10MB < 5MB βœ… < 10MB < 20MB
Startup Time < 1s < 10ms βœ… < 50ms < 100ms
Command Allowlist Unknown βœ… Yes βœ… Yes βœ… Yes
Path Blocking Unknown βœ… Yes βœ… Yes βœ… Yes
Injection Protection Unknown βœ… Yes βœ… Yes βœ… Yes
OS Sandbox No ❌ No βœ… Firejail/Landlock βœ… Container/namespaces
Resource Limits No ❌ No βœ… cgroups/Monitor βœ… Full cgroups
Audit Logging No ❌ No βœ… HMAC-signed βœ… SIEM integration
Security Score C B+ A- A+

Implementation Roadmap

Phase 1: Quick Wins (1-2 weeks)

Goal: Address critical gaps with minimal complexity

Task File Effort Impact
Landlock filesystem sandbox src/security/landlock.rs 2 days High
Memory monitoring + OOM kill src/resources/memory.rs 1 day High
CPU timeout per command src/tools/shell.rs 1 day High
Basic audit logging src/security/audit.rs 2 days Medium
Config schema updates src/config/schema.rs 1 day -

Deliverables:

  • Linux: Filesystem access restricted to workspace
  • All platforms: Memory/CPU guards against runaway commands
  • All platforms: Tamper-evident audit trail

Phase 2: Platform Integration (2-3 weeks)

Goal: Deep OS integration for production-grade isolation

Task Effort Impact
Firejail auto-detection + wrapping 3 days Very High
Bubblewrap wrapper for macOS/*nix 4 days Very High
cgroups v2 systemd integration 3 days High
seccomp syscall filtering 5 days High
Audit log query CLI 2 days Medium

Deliverables:

  • Linux: Full container-like isolation via Firejail
  • macOS: Bubblewrap filesystem isolation
  • Linux: cgroups resource enforcement
  • Linux: Syscall allowlisting

Phase 3: Production Hardening (1-2 weeks)

Goal: Enterprise security features

Task Effort Impact
Docker sandbox mode option 3 days High
Certificate pinning for channels 2 days Medium
Signed config verification 2 days Medium
SIEM-compatible audit export 2 days Medium
Security self-test (zeroclaw audit --check) 1 day Low

Deliverables:

  • Optional Docker-based execution isolation
  • HTTPS certificate pinning for channel webhooks
  • Config file signature verification
  • JSON/CSV audit export for external analysis

New Config Schema Preview

[security]
level = "strict"  # relaxed | default | strict | paranoid

# Sandbox configuration
[security.sandbox]
enabled = true
backend = "auto"  # auto | firejail | bubblewrap | landlock | docker | none

# Resource limits
[resources]
max_memory_mb = 512
max_memory_per_command_mb = 128
max_cpu_percent = 50
max_cpu_time_seconds = 60
max_subprocesses = 10

# Audit logging
[security.audit]
enabled = true
log_path = "~/.config/zeroclaw/audit.log"
sign_events = true
max_size_mb = 100

# Autonomy (existing, enhanced)
[autonomy]
level = "supervised"  # readonly | supervised | full
allowed_commands = ["git", "ls", "cat", "grep", "find"]
forbidden_paths = ["/etc", "/root", "~/.ssh"]
require_approval_for_medium_risk = true
block_high_risk_commands = true
max_actions_per_hour = 20

CLI Commands Preview

# Security status check
zeroclaw security --check
# β†’ βœ“ Sandbox: Firejail active
# β†’ βœ“ Audit logging enabled (42 events today)
# β†’ β†’ Resource limits: 512MB mem, 50% CPU

# Audit log queries
zeroclaw audit --user @alice --since 24h
zeroclaw audit --risk high --violations-only
zeroclaw audit --verify-signatures

# Sandbox test
zeroclaw sandbox --test
# β†’ Testing isolation...
#   βœ“ Cannot read /etc/passwd
#   βœ“ Cannot access ~/.ssh
#   βœ“ Can read /workspace

Summary

ZeroClaw is already more secure than PicoClaw with:

  • 50% smaller binary (3.4MB vs 8MB)
  • 50% less RAM (< 5MB vs < 10MB)
  • 100x faster startup (< 10ms vs < 1s)
  • Comprehensive security policy engine
  • Extensive test coverage

By implementing this roadmap, ZeroClaw becomes:

  • Production-grade with OS-level sandboxing
  • Resource-aware with memory/CPU guards
  • Audit-ready with tamper-evident logging
  • Enterprise-ready with configurable security levels

Estimated effort: 4-7 weeks for full implementation Value: Transforms ZeroClaw from "safe for testing" to "safe for production"