fix(docs): fix broken wiki links + complete clawdie-ai era cleanup
Some checks failed
CI / rust (pull_request) Has been cancelled
CI / markdown (pull_request) Has been cancelled
CI / port (pull_request) Has been cancelled
CI / agent-jail-pkgs (pull_request) Has been cancelled

controlplane.md:
  - Fix 3 broken wiki links: ./wiki-file.md → ../../wiki/wiki-file.md

security.md:
  - Remove non-existent .agent/harness/safety.yaml path reference
  - Fix host-operator-model link (trailing slash → .md)
  - Remove stale ~/.config/clawdie-cp/mount-allowlist.json path
  - Replace Node.js examples (src/, dist/, package.json) with
    daemon binaries + config
  - Update session isolation: remove clawdie-ai data/ path, describe
    current JSONL sessions
  - Remove TypeScript code block (allowedVars array), describe in prose

wiki-lint: 185/0, prettier clean

(Sam & Claude)
This commit is contained in:
Sam & Claude 2026-06-28 12:38:30 +02:00
parent f261501477
commit f104e6bf55
2 changed files with 15 additions and 27 deletions

View file

@ -15,10 +15,10 @@ and cost tracking.
For the current architecture, see the wiki:
- [glasspane](./glasspane.md) — Agent state machine and event normalization
- [glasspane](../../wiki/glasspane.md) — Agent state machine and event normalization
- [daemon](./colibri.md) — Daemon internals
- [task-board](./task-board.md) — Task scheduling and capability matching
- [cost-model](./cost-model.md) — Cost tracking and metering
- [task-board](../../wiki/task-board.md) — Task scheduling and capability matching
- [cost-model](../../wiki/cost-model.md) — Cost tracking and metering
The previous TypeScript control plane (clawdie-ai era, v0.10.0) has been
retired. The Rust daemon is the sole control service.
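Review bot: the `[daemon](./colibri.md)` link in this hunk is left on the `./` prefix while the glasspane, task-board and cost-model links next to it are rewritten to `../../wiki/`, so unless `colibri.md` really sits beside `controlplane.md` it is a fourth broken wiki link, not one of the three the message counts. Suggest changing it to `[daemon](../../wiki/colibri.md)` in the same pass, or adding a sentence in the commit message saying why that one stays relative to the docs directory. Note also that this rendering drops the `+`/`-` markers, so old and new lines can only be paired by position; worth checking the raw diff before merging.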

View file

@ -98,9 +98,8 @@ mechanism is kernel-level.
### Safety Harness Gates
The agent's safety harness (`.agent/harness/safety.yaml`) inspects every
shell command before it runs. Privileged-looking commands trigger a confirm
prompt to the operator:
The agent's safety configuration inspects every shell command before it runs.
Privileged-looking commands trigger a confirm prompt to the operator:
- `sudo` in a bash command → `confirm-sudo`
- `mdo` in a bash command → `confirm-mdo`
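Review bot: replacing `.agent/harness/safety.yaml` with "the agent's safety configuration" removes the only pointer a reader had to where the `confirm-sudo` / `confirm-mdo` gates are defined, so the section now asserts a control without saying what implements it or where an operator would audit it. Suggest naming the daemon module or config file that currently carries the gate rules, or linking the wiki page that does, in place of the deleted path; if the location is intentionally unspecified, say that the gates are enforced by the daemon so the reader knows this is a code-level control rather than an editable YAML file.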
@ -211,7 +210,7 @@ Why this matters:
- ownership does not silently drift because host and jail assigned different IDs
- shared tooling stays separate from the interactive operator account
For the current layout, see [Host operator model](../architecture/host-operator-model/).
For the current layout, see [Host operator model](../architecture/host-operator-model.md).
## Security Boundaries
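Review bot: the trailing-slash to `.md` fix is correct for a markdown linter, but this target is `../architecture/host-operator-model.md` while the same commit rewrites the controlplane.md links to `../../wiki/...`, so the two files resolve relative links from different depths. Worth confirming that `architecture/` is a sibling of security.md's directory and not a wiki page that should also take the `../../wiki/` prefix, since wiki-lint reporting 185/0 only proves the target exists, not that it is the intended page.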
@ -230,7 +229,7 @@ Rather than relying mainly on application-level permission checks, Clawdie reduc
**External allowlist**
Mount permissions are stored at `~/.config/clawdie-cp/mount-allowlist.json`, which is:
Mount permissions are stored in a config file that is:
- outside project root
- never mounted into jails
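Review bot: after this hunk the two bullets ("outside project root", "never mounted into jails") describe an unnamed "config file", so the reader can no longer verify either property. Those two properties are the whole point of the external allowlist, and a jailed agent being unable to reach the file is a load-bearing claim. Suggest stating the current path, or at least the config key and the directory it lives under, in the sentence `Mount permissions are stored in a config file that is:`; if the path is deliberately left out because it is operator-configurable, say so and name the daemon option that sets it.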
@ -256,13 +255,7 @@ The main group's project root is mounted read-only during normal jailed executio
Writable paths the agent needs, such as the group folder, IPC directory, and `.agent/`, are mounted separately.
This matters because otherwise the jailed agent could modify host application code such as:
- `src/`
- `dist/`
- `package.json`
- startup scripts
- security checks
This matters because otherwise the jailed agent could modify host application code such as daemon binaries, configuration, or startup scripts.
If that happened, the current jail might still be isolated, but the next host restart could run the modified code outside the jail. In other words, the attack would persist into the trusted host application.
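Review bot: the rewritten sentence drops "security checks" from the list of things a jailed agent must not be able to modify, yet the paragraph that follows (`the next host restart could run the modified code outside the jail`) is exactly the persistence case where tampered checks matter, and the earlier hunk in this file describes the safety gates as a configuration. Suggest keeping that item, e.g. `daemon binaries, configuration (including the safety gates), or startup scripts`, so the list still covers the control the document relies on; collapsing the bullet list into one sentence is otherwise fine.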
@ -274,11 +267,10 @@ So:
### 4. Session Isolation
Each group has isolated Claude sessions at `data/sessions/{group}/.agent/`.
- groups cannot see each other's conversation history
- session data includes message history and file contents read during the session
- this helps prevent cross-group information disclosure
Each agent session has isolated JSONL session logs. Agents cannot read each
other's session history, and session data includes message history and file
contents read during the session. This prevents cross-session information
disclosure.
### 5. IPC Authorization
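Review bot: this hunk changes the isolation unit from group (`data/sessions/{group}/.agent/`) to "each agent session" without saying what enforces the separation, so "isolated JSONL session logs" is an assertion with no mechanism behind it now that the path is gone; state where the JSONL files live and what keeps one agent from reading another's (separate directory per session, ownership, not mounted into the jail). The wording also hardens from "this helps prevent" to "This prevents cross-session information disclosure"; given that session data includes file contents read during the session, the hedged form was more honest and should be kept unless the stronger guarantee is actually tested.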
@ -315,13 +307,9 @@ via the typed Unix-socket protocol. See the [client crate](../../../crates/colib
Only these environment variables are exposed to jails:
```typescript
const allowedVars = [
'OPENROUTER_API_KEY',
'ANTHROPIC_API_KEY',
'OPENAI_API_KEY',
];
```
Currently exposed provider keys include `OPENROUTER_API_KEY`,
`ANTHROPIC_API_KEY`, and similar provider environment variables configured per
agent. The exact set is defined in the daemon's credential filtering logic.
Important limitation:
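Review bot: the unchanged context line `Only these environment variables are exposed to jails:` is an exhaustive claim, but the new prose that follows it is open-ended ("include ... and similar provider environment variables configured per agent"), so the section now contradicts itself. Either reword the context line to `Provider credentials are exposed to jails only through the daemon's credential filter:` or keep the explicit list and make it authoritative. "The exact set is defined in the daemon's credential filtering logic" should also point at the crate or function by name, as the earlier hunk does for the client crate, otherwise the doc will drift from the allowlist in code and nobody will notice when a key is added.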