Skip to content

Commit 376f1db

Browse files
authored
docs: sync with goclaw source changes c5bfbc96..c083622f (EN+VI+ZH) (#47)
P1 — High priority updates: - reference/database-schema: migration 036 (secure_cli_agent_grants table) - agents/system-prompt-anatomy: 19+ → 23 sections, added Credentialed CLI - deployment/upgrading: added migration 036 - advanced/cli-credentials: full per-agent grants documentation - providers/openai: reasoning_defaults + override_mode API P2 — Medium priority updates: - providers/overview: BytePlus Seedream/Seedance, Codex pool routing - core-concepts/tools-overview: BytePlus media tools - channels/slack: mention dedup behavior - advanced/exec-approval: 15 shell deny groups + per-agent override - reference/rest-api: CLI credential agent grants endpoints - reference/websocket-protocol: VI/ZH sync P3 — Verified & fixed: - advanced/skills: 5-tier → 6-tier hierarchy fix - advanced/api-keys-rbac: no-auth role RoleOperator → RoleAdmin fix - reference/config-reference: pending_compaction defaults 50/15 → 200/40 - deployment/security-hardening, advanced/sandbox: SHA bump (accurate)
1 parent 6735615 commit 376f1db

47 files changed

Lines changed: 1550 additions & 224 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

advanced/api-keys-rbac.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -63,7 +63,7 @@ A key can hold multiple scopes — the highest-privilege scope wins.
6363

6464
## Backward Compatibility
6565

66-
If `GOCLAW_GATEWAY_TOKEN` is empty (no gateway token configured), all requests — including unauthenticated ones — are granted `RoleOperator` access automatically. This lets self-hosted setups work without strict auth. Once a token is set, all requests must provide valid credentials or they receive `401 Unauthorized`.
66+
If `gateway.token` is empty (no gateway token configured), all requests — including unauthenticated ones — are granted `RoleAdmin` access automatically. This lets self-hosted setups work without strict auth. Once a token is set, all requests must provide valid credentials or they receive `401 Unauthorized`.
6767

6868
---
6969

@@ -259,4 +259,4 @@ When a key is created or revoked, a `cache.invalidate` event is broadcast on the
259259
- [Security Hardening](/deploy-security) — full 5-layer permission overview
260260
- [CLI Credentials](./cli-credentials.md) — SecureCLI: inject credentials into CLI tools (gh, aws, gcloud) without exposing secrets to the agent
261261

262-
<!-- goclaw-source: 57754a5 | updated: 2026-03-23 -->
262+
<!-- goclaw-source: c083622f | updated: 2026-04-05 -->

advanced/cli-credentials.md

Lines changed: 134 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,17 +1,146 @@
11
# CLI Credentials
22

3-
> Securely store and manage named credential sets for shell tool execution.
4-
5-
🚧 **This page is under construction.** Content coming soon.
3+
> Securely store and manage named credential sets for shell tool execution, with per-agent access control via grants.
64
75
## Overview
86

9-
CLI Credentials let you define named credential sets (API keys, tokens, connection strings) that agents can reference when running shell commands via the `exec` tool — without exposing secrets in the system prompt or conversation history. Includes built-in preset templates for common tools.
7+
CLI Credentials let you define named credential sets (API keys, tokens, connection strings) that agents can reference when running shell commands via the `exec` tool — without exposing secrets in the system prompt or conversation history.
8+
9+
Each credential is stored as a **secure CLI binary** — a named configuration that maps a binary (e.g. `gh`, `gcloud`, `aws`) to an AES-256-GCM encrypted set of environment variables. When an agent runs the binary, GoClaw decrypts the env vars and injects them into the child process at execution time.
10+
11+
## Global vs Per-Agent Binaries
12+
13+
Since migration 036, the access model uses a **grants system** instead of per-binary agent assignment:
14+
15+
- **Global binaries** (`is_global = true`): available to all agents unless a grant overrides settings
16+
- **Restricted binaries** (`is_global = false`): only accessible to agents that have an explicit grant
17+
18+
This separates credential definition from access control, allowing you to define a binary once and grant it to specific agents with optional per-agent overrides.
19+
20+
```
21+
secure_cli_binaries (credential + defaults)
22+
23+
├── is_global = true → all agents can use it
24+
└── is_global = false → only agents with a grant
25+
26+
└── secure_cli_agent_grants (per-agent override)
27+
├── deny_args (NULL = use binary default)
28+
├── deny_verbose (NULL = use binary default)
29+
├── timeout_seconds (NULL = use binary default)
30+
├── tips (NULL = use binary default)
31+
└── enabled
32+
```
33+
34+
## Agent Grants
35+
36+
The `secure_cli_agent_grants` table links a binary to a specific agent and optionally overrides any of the binary's default settings. `NULL` fields inherit the binary default.
37+
38+
| Field | Behaviour |
39+
|-------|-----------|
40+
| `deny_args` | Override forbidden argument patterns for this agent |
41+
| `deny_verbose` | Override verbose flag stripping for this agent |
42+
| `timeout_seconds` | Override process timeout for this agent |
43+
| `tips` | Override the hint injected into TOOLS.md for this agent |
44+
| `enabled` | Disable a grant without deleting it |
45+
46+
When an agent runs a binary, GoClaw resolves settings in this order:
47+
1. Binary defaults
48+
2. Grant overrides (any non-null fields replace the binary default)
49+
50+
## REST API
51+
52+
All grant endpoints are nested under the binary resource and require the `admin` role.
53+
54+
### List grants for a binary
55+
56+
```
57+
GET /v1/cli-credentials/{id}/agent-grants
58+
```
59+
60+
```json
61+
{
62+
"grants": [
63+
{
64+
"id": "019...",
65+
"binary_id": "019...",
66+
"agent_id": "019...",
67+
"deny_args": null,
68+
"timeout_seconds": 60,
69+
"enabled": true,
70+
"created_at": "2026-04-05T00:00:00Z",
71+
"updated_at": "2026-04-05T00:00:00Z"
72+
}
73+
]
74+
}
75+
```
76+
77+
### Create a grant
78+
79+
```
80+
POST /v1/cli-credentials/{id}/agent-grants
81+
```
82+
83+
```json
84+
{
85+
"agent_id": "019...",
86+
"timeout_seconds": 120,
87+
"tips": "Use --output json for all commands"
88+
}
89+
```
90+
91+
Omitted fields (`deny_args`, `deny_verbose`, `tips`, `enabled`) default to `null` / `true`.
92+
93+
### Get a grant
94+
95+
```
96+
GET /v1/cli-credentials/{id}/agent-grants/{grantId}
97+
```
98+
99+
### Update a grant
100+
101+
```
102+
PUT /v1/cli-credentials/{id}/agent-grants/{grantId}
103+
```
104+
105+
Send only the fields to change. Allowed fields: `deny_args`, `deny_verbose`, `timeout_seconds`, `tips`, `enabled`.
106+
107+
### Delete a grant
108+
109+
```
110+
DELETE /v1/cli-credentials/{id}/agent-grants/{grantId}
111+
```
112+
113+
Deleting a grant from a restricted binary (`is_global = false`) immediately revokes the agent's access to that binary.
114+
115+
## Common Patterns
116+
117+
### Allow only one agent to use a sensitive CLI tool
118+
119+
1. Create the binary with `is_global = false`
120+
2. Create a grant for the target agent
121+
122+
### Give all agents access but restrict args for one agent
123+
124+
1. Create the binary with `is_global = true`
125+
2. Create a grant for the restricted agent with `deny_args` set to additional blocked patterns
126+
127+
### Temporarily disable an agent's access
128+
129+
Update the grant: `{"enabled": false}`. The binary remains accessible to other agents.
130+
131+
## Common Issues
132+
133+
| Problem | Solution |
134+
|---------|----------|
135+
| Agent cannot run a binary | Check `is_global` on the binary — if `false`, the agent needs an explicit grant |
136+
| Grant overrides not applied | Verify the grant `enabled = true` and that override fields are non-null |
137+
| `403` on grant endpoints | Requires admin role — check API key scopes |
10138

11139
## What's Next
12140

141+
- [Database Schema → secure_cli_agent_grants](/database-schema)
13142
- [Exec Approval](/exec-approval)
14143
- [API Keys & RBAC](/api-keys-rbac)
15144
- [Security Hardening](/deploy-security)
16145

17-
<!-- goclaw-source: 57754a5 | updated: 2026-03-18 -->
146+
<!-- goclaw-source: c083622f | updated: 2026-04-05 -->

advanced/exec-approval.md

Lines changed: 64 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -180,6 +180,69 @@ Set `"always": true` to permanently allow this binary for the lifetime of the pr
180180

181181
---
182182

183+
## Shell Deny Groups
184+
185+
In addition to the approval flow, GoClaw applies **deny groups** — named sets of shell command patterns that are blocked regardless of approval settings. All groups are enabled by default.
186+
187+
### Available Deny Groups
188+
189+
| Group | Description | Examples Blocked |
190+
|-------|-------------|-----------------|
191+
| `destructive_ops` | Destructive Operations | `rm -rf`, `dd if=`, `shutdown`, fork bombs |
192+
| `data_exfiltration` | Data Exfiltration | `curl \| sh`, `wget --post-data`, DNS lookups via dig/nslookup |
193+
| `reverse_shell` | Reverse Shell | `nc`, `socat`, `python -c '...socket...'`, `mkfifo` |
194+
| `code_injection` | Code Injection & Eval | `eval $()`, `base64 -d \| sh` |
195+
| `privilege_escalation` | Privilege Escalation | `sudo`, `su`, `mount`, `nsenter`, `pkexec` |
196+
| `dangerous_paths` | Dangerous Path Operations | `chmod +x /tmp/...`, `chown ... /` |
197+
| `env_injection` | Environment Variable Injection | `LD_PRELOAD=`, `DYLD_INSERT_LIBRARIES=`, `BASH_ENV=` |
198+
| `container_escape` | Container Escape | `/var/run/docker.sock`, `/proc/sys/kernel/`, `/sys/kernel/` |
199+
| `crypto_mining` | Crypto Mining | `xmrig`, `cpuminer`, `stratum+tcp://` |
200+
| `filter_bypass` | Filter Bypass (CVE mitigations) | `sed .../e`, `sort --compress-program`, `git --upload-pack=` |
201+
| `network_recon` | Network Reconnaissance & Tunneling | `nmap`, `ssh user@host`, `ngrok`, `chisel` |
202+
| `package_install` | Package Installation | `pip install`, `npm install`, `apk add` |
203+
| `persistence` | Persistence Mechanisms | `crontab`, writing to `~/.bashrc` or `~/.profile` |
204+
| `process_control` | Process Manipulation | `kill -9`, `killall`, `pkill` |
205+
| `env_dump` | Environment Variable Dumping | `printenv`, `env \| ...`, reading `GOCLAW_` secrets |
206+
207+
### Per-Agent Deny Group Overrides
208+
209+
Each agent can selectively enable or disable specific deny groups via `shell_deny_groups` in its config. This is a `map[string]bool` where `true` means deny (block) and `false` means allow (unblock).
210+
211+
All groups default to `true` (denied). Explicitly set a group to `false` to allow those commands for a specific agent.
212+
213+
**Example: allow package installs but keep everything else blocked**
214+
215+
```json
216+
{
217+
"agents": {
218+
"my-agent": {
219+
"shell_deny_groups": {
220+
"package_install": false
221+
}
222+
}
223+
}
224+
}
225+
```
226+
227+
**Example: allow SSH/tunneling for a DevOps agent, but block crypto mining**
228+
229+
```json
230+
{
231+
"agents": {
232+
"devops-agent": {
233+
"shell_deny_groups": {
234+
"network_recon": false,
235+
"crypto_mining": true
236+
}
237+
}
238+
}
239+
}
240+
```
241+
242+
Deny groups and the exec approval flow operate independently — a command can pass the deny-group check but still be held for human approval based on your `ask` mode setting.
243+
244+
---
245+
183246
## Common Issues
184247

185248
| Problem | Cause | Fix |
@@ -198,4 +261,4 @@ Set `"always": true` to permanently allow this binary for the lifetime of the pr
198261
- [Custom Tools](/custom-tools) — define tools backed by shell commands
199262
- [Security Hardening](/deploy-security) — full five-layer security overview
200263

201-
<!-- goclaw-source: 57754a5 | updated: 2026-03-18 -->
264+
<!-- goclaw-source: c083622f | updated: 2026-04-05 -->

advanced/sandbox.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -246,4 +246,4 @@ docker ps --filter "label=goclaw.sandbox=true"
246246
- [Exec Approval](/exec-approval) — require human approval before any command runs, sandboxed or not
247247
- [Scheduling & Cron](/scheduling-cron) — run sandboxed agent turns on a schedule
248248

249-
<!-- goclaw-source: 941a965 | updated: 2026-03-19 -->
249+
<!-- goclaw-source: c083622f | updated: 2026-04-05 -->

advanced/skills.md

Lines changed: 7 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -48,19 +48,20 @@ The `{baseDir}` placeholder is replaced at load time with the absolute path to t
4848
| `name` | Human-readable display name (defaults to directory name) |
4949
| `description` | One-line summary used by `skill_search` to match queries |
5050

51-
## 5-Tier Hierarchy
51+
## 6-Tier Hierarchy
5252

53-
GoClaw loads skills from five locations in priority order. A skill in a higher-priority location overrides one with the same slug from a lower one:
53+
GoClaw loads skills from six locations in priority order. A skill in a higher-priority location overrides one with the same slug from a lower one:
5454

5555
| Priority | Location | Source label |
5656
|---|---|---|
5757
| 1 (highest) | `<workspace>/skills/` | `workspace` |
5858
| 2 | `<workspace>/.agents/skills/` | `agents-project` |
5959
| 3 | `~/.agents/skills/` | `agents-personal` |
60-
| 4 | `~/.goclaw/skills/` (managed DB) | `managed-skills` |
61-
| 5 (lowest) | Built-in (bundled with binary) | `builtin` |
60+
| 4 | `~/.goclaw/skills/` | `global` |
61+
| 5 | `~/.goclaw/skills-store/` (DB-seeded, versioned) | `managed` |
62+
| 6 (lowest) | Built-in (bundled with binary) | `builtin` |
6263

63-
Skills uploaded via the Dashboard are stored in `~/.goclaw/skills-store/` (managed directory, backed by PostgreSQL) and act at the `managed-skills` level. The `file_path` DB column is used to resolve the versioned directory for each skill on disk.
64+
Skills uploaded via the Dashboard are stored in `~/.goclaw/skills-store/` using a versioned subdirectory structure (`<slug>/<version>/SKILL.md`). They act at the `managed` level — above builtin but below the four file-system tiers. The loader always serves the highest-numbered version for each slug.
6465

6566
**Precedence example:** if you have a `code-reviewer` skill in both `~/.goclaw/skills/` and `<workspace>/skills/`, the workspace version wins.
6667

@@ -342,4 +343,4 @@ See [Agent Evolution](agent-evolution.md) for full details on the `skill_manage`
342343
- [Custom Tools](/custom-tools) — add shell-backed tools to your agents
343344
- [Scheduling & Cron](/scheduling-cron) — run agents on a schedule
344345

345-
<!-- goclaw-source: 941a965 | updated: 2026-03-23 -->
346+
<!-- goclaw-source: c083622f | updated: 2026-04-05 -->

0 commit comments

Comments
 (0)