Add audit warning when CLAWSEC_VERIFY_CHECKSUM_MANIFEST is disabled#100
Open
…hen checksum verification is disabled
…uested) Fixes:
- Bumped version from 0.1.3 to 0.1.4 in skill.json
- Added 0.1.4 release entry to CHANGELOG.md documenting audit warning feature
- Already rebased on origin/main (382db82)

Changes document the new CLAWSEC_VERIFY_CHECKSUM_MANIFEST=0 audit warnings for release pipeline compatibility.

Verified:
- All tests pass (8/8 guarded_install tests)
- ESLint clean with --max-warnings 0

QA Fix Session: 0
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Comment on lines +149 to +152
| if (!verifyChecksumManifest) { | ||
| process.stderr.write( | ||
| "WARNING: CLAWSEC_VERIFY_CHECKSUM_MANIFEST=0 is enabled. Checksum verification for the advisory feed manifest is disabled. This reduces security guarantees.\n", | ||
| ); |
Contributor
The CLAWSEC_VERIFY_CHECKSUM_MANIFEST=0 bypass warning is implemented twice: the same env var check and warning text exist at lines 149-152 here and at lines 163-170 of hooks/clawsec-advisory-guardian/handler.ts. Can we extract a shared helper in skills/clawsec-suite (e.g. lib/env-warnings or similar) so both the hook and the install script reuse the same once-per-process guard and message instead of duplicating the logic?
Finding type: Code Dedup and Conventions
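One shape such a shared helper could take, as an added example that is not the clawsec-suite project's own code: the module path lib/env-warnings and the function names are assumptions, and the env and stderr writer are injectable so both call sites (and tests) share one message and one once-per-process guard.

```javascript
// Added example, not code from the clawsec-suite project: a shared helper of the
// kind the review comment asks for (a module such as lib/env-warnings is assumed),
// so the hook and the install script share one message and one once-per-process guard.

const ENV_KEY = "CLAWSEC_VERIFY_CHECKSUM_MANIFEST";
const MESSAGE =
  `WARNING: ${ENV_KEY}=0 is set. Checksum verification for the advisory feed ` +
  "manifest is disabled. This reduces security guarantees.\n";

// Names of env vars whose bypass warning has already been emitted in this process.
const warnedKeys = new Set();

// Only an explicit "0" disables verification; unset or any other value keeps the
// secure default, so a typo in the value never silently turns verification off.
function isChecksumVerificationDisabled(env = process.env) {
  const raw = env[ENV_KEY];
  return raw !== undefined && String(raw).trim() === "0";
}

// Emits the bypass warning at most once per process. `env` and `write` are
// injectable so callers (and tests) need not touch the real environment or stderr.
// Returns true when a warning was written, false otherwise.
function warnIfChecksumVerificationDisabled({
  env = process.env,
  write = (s) => process.stderr.write(s),
} = {}) {
  if (!isChecksumVerificationDisabled(env)) return false;
  if (warnedKeys.has(ENV_KEY)) return false; // already warned in this process
  warnedKeys.add(ENV_KEY);
  write(MESSAGE);
  return true;
}

// Test hook: clears the once-per-process guard.
function resetEnvWarnings() {
  warnedKeys.clear();
}

// Call sites then replace their inline check with a single call:
//   warnIfChecksumVerificationDisabled();
```

Because the guard is process-wide, a long-running hook process warns once at startup and not on every event, while a short-lived install script warns once per run.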
User description

Summary

Add audit warnings when CLAWSEC_VERIFY_CHECKSUM_MANIFEST=0 is enabled to improve visibility of security-relevant configuration changes. The checksum manifest verification layer provides defense-in-depth beyond signature verification, and disabling it should be explicitly logged to prevent accidental long-term degradation of feed integrity verification.

Changes Made

- guarded_skill_install.mjs: warning to stderr when checksum manifest verification is disabled
- handler.ts: warning with once-only flag pattern to prevent repeated warnings during the command lifecycle
Generated description

Below is a concise technical summary of the changes proposed in this PR:

Implements audit warnings to notify operators when CLAWSEC_VERIFY_CHECKSUM_MANIFEST is disabled, ensuring visibility into security-relevant configuration changes. Updates the suite version and changelog to reflect these security enhancements.

- Bumps the version to 0.1.4 and documents the new security visibility features in the changelog.
- handler.ts and guarded_skill_install.mjs: emit warnings when checksum verification is bypassed, including a once-only flag to prevent log spam.