From f104e6bf55024178f34e6ecb9ccca3df20216e50 Mon Sep 17 00:00:00 2001 From: Sam & Claude Date: Sun, 28 Jun 2026 12:38:30 +0200 Subject: [PATCH] fix(docs): fix broken wiki links + complete clawdie-ai era cleanup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit controlplane.md: - Fix 3 broken wiki links: ./wiki-file.md → ../../wiki/wiki-file.md security.md: - Remove non-existent .agent/harness/safety.yaml path reference - Fix host-operator-model link (trailing slash → .md) - Remove stale ~/.config/clawdie-cp/mount-allowlist.json path - Replace Node.js examples (src/, dist/, package.json) with daemon binaries + config - Update session isolation: remove clawdie-ai data/ path, describe current JSONL sessions - Remove TypeScript code block (allowedVars array), describe in prose wiki-lint: 185/0, prettier clean (Sam & Claude) --- docs/guide/architecture/controlplane.md | 6 ++--- docs/guide/operate/security.md | 36 +++++++++---------------- 2 files changed, 15 insertions(+), 27 deletions(-) diff --git a/docs/guide/architecture/controlplane.md b/docs/guide/architecture/controlplane.md index 2f1ed38..934c42a 100644 --- a/docs/guide/architecture/controlplane.md +++ b/docs/guide/architecture/controlplane.md @@ -15,10 +15,10 @@ and cost tracking. For the current architecture, see the wiki: -- [glasspane](./glasspane.md) — Agent state machine and event normalization +- [glasspane](../../wiki/glasspane.md) — Agent state machine and event normalization - [daemon](./colibri.md) — Daemon internals -- [task-board](./task-board.md) — Task scheduling and capability matching -- [cost-model](./cost-model.md) — Cost tracking and metering +- [task-board](../../wiki/task-board.md) — Task scheduling and capability matching +- [cost-model](../../wiki/cost-model.md) — Cost tracking and metering The previous TypeScript control plane (clawdie-ai era, v0.10.0) has been retired. The Rust daemon is the sole control service. diff --git a/docs/guide/operate/security.md b/docs/guide/operate/security.md index 3105f99..d154355 100644 --- a/docs/guide/operate/security.md +++ b/docs/guide/operate/security.md @@ -98,9 +98,8 @@ mechanism is kernel-level. ### Safety Harness Gates -The agent's safety harness (`.agent/harness/safety.yaml`) inspects every -shell command before it runs. Privileged-looking commands trigger a confirm -prompt to the operator: +The agent's safety configuration inspects every shell command before it runs. +Privileged-looking commands trigger a confirm prompt to the operator: - `sudo` in a bash command → `confirm-sudo` - `mdo` in a bash command → `confirm-mdo` @@ -211,7 +210,7 @@ Why this matters: - ownership does not silently drift because host and jail assigned different IDs - shared tooling stays separate from the interactive operator account -For the current layout, see [Host operator model](../architecture/host-operator-model/). +For the current layout, see [Host operator model](../architecture/host-operator-model.md). ## Security Boundaries @@ -230,7 +229,7 @@ Rather than relying mainly on application-level permission checks, Clawdie reduc **External allowlist** -Mount permissions are stored at `~/.config/clawdie-cp/mount-allowlist.json`, which is: +Mount permissions are stored in a config file that is: - outside project root - never mounted into jails @@ -256,13 +255,7 @@ The main group's project root is mounted read-only during normal jailed executio Writable paths the agent needs, such as the group folder, IPC directory, and `.agent/`, are mounted separately. -This matters because otherwise the jailed agent could modify host application code such as: - -- `src/` -- `dist/` -- `package.json` -- startup scripts -- security checks +This matters because otherwise the jailed agent could modify host application code such as daemon binaries, configuration, or startup scripts. If that happened, the current jail might still be isolated, but the next host restart could run the modified code outside the jail. In other words, the attack would persist into the trusted host application. @@ -274,11 +267,10 @@ So: ### 4. Session Isolation -Each group has isolated Claude sessions at `data/sessions/{group}/.agent/`. - -- groups cannot see each other's conversation history -- session data includes message history and file contents read during the session -- this helps prevent cross-group information disclosure +Each agent session has isolated JSONL session logs. Agents cannot read each +other's session history, and session data includes message history and file +contents read during the session. This prevents cross-session information +disclosure. ### 5. IPC Authorization @@ -315,13 +307,9 @@ via the typed Unix-socket protocol. See the [client crate](../../../crates/colib Only these environment variables are exposed to jails: -```typescript -const allowedVars = [ - 'OPENROUTER_API_KEY', - 'ANTHROPIC_API_KEY', - 'OPENAI_API_KEY', -]; -``` +Currently exposed provider keys include `OPENROUTER_API_KEY`, +`ANTHROPIC_API_KEY`, and similar provider environment variables configured per +agent. The exact set is defined in the daemon's credential filtering logic. Important limitation: