fix(docs): fix broken wiki links + complete clawdie-ai era cleanup
controlplane.md:
- Fix 3 broken wiki links: ./wiki-file.md → ../../wiki/wiki-file.md
security.md:
- Remove non-existent .agent/harness/safety.yaml path reference
- Fix host-operator-model link (trailing slash → .md)
- Remove stale ~/.config/clawdie-cp/mount-allowlist.json path
- Replace Node.js examples (src/, dist/, package.json) with daemon binaries + config
- Update session isolation: remove clawdie-ai data/ path, describe current JSONL sessions
- Remove TypeScript code block (allowedVars array), describe in prose
wiki-lint: 185/0, prettier clean
(Sam & Claude)
parent f261501477
commit f104e6bf55
2 changed files with 15 additions and 27 deletions
@ -15,10 +15,10 @@ and cost tracking.
For the current architecture, see the wiki:
- [glasspane](./glasspane.md) — Agent state machine and event normalization
- [glasspane](../../wiki/glasspane.md) — Agent state machine and event normalization
- [daemon](./colibri.md) — Daemon internals
- [task-board](./task-board.md) — Task scheduling and capability matching
- [cost-model](./cost-model.md) — Cost tracking and metering
- [task-board](../../wiki/task-board.md) — Task scheduling and capability matching
- [cost-model](../../wiki/cost-model.md) — Cost tracking and metering
The previous TypeScript control plane (clawdie-ai era, v0.10.0) has been
retired. The Rust daemon is the sole control service.
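Review bot: the `[daemon](./colibri.md)` line in this hunk keeps the `./` relative path while its three siblings (`glasspane`, `task-board`, `cost-model`) were moved to `../../wiki/`; if `colibri.md` is a wiki page as well, this link is still broken and should become `../../wiki/colibri.md`. If it is intentionally a file next to controlplane.md, a short comment in the list would stop the next reader from "fixing" it the same way.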
@ -98,9 +98,8 @@ mechanism is kernel-level.
### Safety Harness Gates
The agent's safety harness (`.agent/harness/safety.yaml`) inspects every
shell command before it runs. Privileged-looking commands trigger a confirm
prompt to the operator:
The agent's safety configuration inspects every shell command before it runs.
Privileged-looking commands trigger a confirm prompt to the operator:
- `sudo` in a bash command → `confirm-sudo`
- `mdo` in a bash command → `confirm-mdo`
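Review bot: dropping `.agent/harness/safety.yaml` without a replacement leaves this section with no pointer to where the `confirm-sudo` / `confirm-mdo` gates are actually defined, so an operator can no longer audit or extend the gate list from the doc, and the heading still reads "Safety Harness Gates" as if a harness file existed. Suggest naming the daemon's current config location or source module for the gate rules in place of the removed path, e.g. "The agent's safety configuration (defined in <current location>) inspects every shell command before it runs."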
@ -211,7 +210,7 @@ Why this matters:
- ownership does not silently drift because host and jail assigned different IDs
- shared tooling stays separate from the interactive operator account
For the current layout, see [Host operator model](../architecture/host-operator-model/).
For the current layout, see [Host operator model](../architecture/host-operator-model.md).
## Security Boundaries
@ -230,7 +229,7 @@ Rather than relying mainly on application-level permission checks, Clawdie reduc
**External allowlist**
Mount permissions are stored at `~/.config/clawdie-cp/mount-allowlist.json`, which is:
Mount permissions are stored in a config file that is:
- outside project root
- never mounted into jails
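Review bot: removing `~/.config/clawdie-cp/mount-allowlist.json` without naming its successor makes the two properties that follow ("outside project root", "never mounted into jails") unverifiable from the doc; an operator has to know which file to inspect and to protect (ownership and mode) for the allowlist to be a boundary at all. Suggest replacing "a config file" with the daemon's current allowlist location, or a link to the daemon configuration page that defines it.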
@ -256,13 +255,7 @@ The main group's project root is mounted read-only during normal jailed executio
Writable paths the agent needs, such as the group folder, IPC directory, and `.agent/`, are mounted separately.
This matters because otherwise the jailed agent could modify host application code such as:
- `src/`
- `dist/`
- `package.json`
- startup scripts
- security checks
This matters because otherwise the jailed agent could modify host application code such as daemon binaries, configuration, or startup scripts.
If that happened, the current jail might still be isolated, but the next host restart could run the modified code outside the jail. In other words, the attack would persist into the trusted host application.
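Review bot: the replacement sentence drops "security checks" from the old list and names "daemon binaries" as host application code under the read-only project root; with the Rust daemon it is worth stating which of binaries, configuration and startup scripts actually live under that mount, because the persistence argument in the following paragraph (next host restart runs modified code outside the jail) only holds for files the host really loads from the mounted tree.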
@ -274,11 +267,10 @@ So:
### 4. Session Isolation
Each group has isolated Claude sessions at `data/sessions/{group}/.agent/`.
- groups cannot see each other's conversation history
- session data includes message history and file contents read during the session
- this helps prevent cross-group information disclosure
Each agent session has isolated JSONL session logs. Agents cannot read each
other's session history, and session data includes message history and file
contents read during the session. This prevents cross-session information
disclosure.
### 5. IPC Authorization
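Review bot: the new wording says the JSONL logs are "isolated" but, unlike the removed `data/sessions/{group}/.agent/` path, no longer says where they live or what enforces the isolation (per-session directories not mounted into other jails, file ownership, or the daemon mediating reads), and it strengthens the old "helps prevent" to "prevents" cross-session disclosure. Suggest naming the enforcing mechanism and keeping the hedge unless the isolation is guaranteed by the jail mount layout rather than by convention.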
@ -315,13 +307,9 @@ via the typed Unix-socket protocol. See the [client crate](../../../crates/colib
Only these environment variables are exposed to jails:
```typescript
const allowedVars = [
'OPENROUTER_API_KEY',
'ANTHROPIC_API_KEY',
'OPENAI_API_KEY',
];
```
Currently exposed provider keys include `OPENROUTER_API_KEY`,
`ANTHROPIC_API_KEY`, and similar provider environment variables configured per
agent. The exact set is defined in the daemon's credential filtering logic.
Important limitation:
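Review bot: the unchanged context line "Only these environment variables are exposed to jails:" now introduces a non-exhaustive list ("and similar provider environment variables"), which contradicts the "only" and silently drops `OPENAI_API_KEY` from the documented allowlist. For a credential boundary the doc should either enumerate the exact allowlist or link to the daemon's credential filtering code the way this hunk's header context links the client crate, so a reviewer can diff the doc against what the daemon actually passes through.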