feat(cua): CUA Gateway — guards, rulesets, research, ecosystem integrations (#88)

* feat(cua): CUA Gateway passes #7-#14 — guards, rulesets, research, ecosystem integrations

Complete CUA (Computer-Use Agent) Gateway implementation across 14 research
and execution passes. This adds runtime security enforcement for AI agents
operating in remote desktop, browser automation, and input injection contexts.

Rust:
- 3 CUA guards: computer_use (observe/guardrail/fail_closed modes),
  remote_desktop_side_channel (per-channel enable/disable + transfer size),
  input_injection_capability (input type allowlist + postcondition probes)
- 7 CUA event types in PolicyEventType including remote.session_share
- CuaEventData struct with serde support and snake_case aliases
- 3 built-in rulesets: remote-desktop, remote-desktop-strict, remote-desktop-permissive
- Fail-closed fixes: deny missing input_type (C2), deny unknown side channels (C3)

TypeScript:
- CuaEventData interface + 7 EventType variants in adapter-core
- 7 factory methods in PolicyEventFactory (including createCuaSessionShareEvent)
- OpenClaw CUA bridge handler (283 lines) with 43 tests
- 3 stable error codes (OCLAW_CUA_UNKNOWN_ACTION, MISSING_METADATA, SESSION_MISSING)

Research & fixtures:
- 9 deep-dive topic files, execution backlog, review log (14 passes)
- 17 Python validation harnesses (130+ fixture checks)
- 21 fixture groups across policy-events, receipts, and benchmarks
- trycua/cua connector evaluation with compatibility matrix
- Pass #14 code review report with 3 critical issues resolved

CI: 17 roadmap harnesses run on every PR/push.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(cua): address PR #88 review — camelCase field acceptance + input_type forwarding

- InputInjectionCapabilityGuard now accepts both snake_case and camelCase
  for input_type/inputType and postcondition_probe_hash/postconditionProbeHash
  since the CUA pipeline serializes as camelCase via serde rename_all
- OpenClaw CUA bridge buildCuaEvent now forwards input_type from tool params
  so the fail-closed guard receives it through canonical event data
- Update pyo3 0.28.1 → 0.28.2 to resolve RUSTSEC-2026-0013 license check

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore(vendor): re-vendor pyo3 0.28.1 → 0.28.2

Fixes offline build/test CI job after Cargo.lock update for RUSTSEC-2026-0013.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(cua): close runtime enforcement gaps and add fixture-backed bridge tests

* fix(cua): enforce connect egress and plain computer_use bridge mapping

* feat(cua): harden runtime parity, reason codes, and drift checks

* docs(cua): reconcile roadmap status and TODO consistency

* fix(cua): resolve side-channel review gaps and dedupe reason taxonomy

* fix(agent): align OpenClaw gateway device auth handshake

* test(hush-cli): harden abuse harness stability in CI

* chore(cua): add pass18 notarization and soak execution playbook

* docs(cua): add notarization credential discovery checklist

* fix(cua): harden soak and rdp matrix harness stability

* docs(cua): align roadmap status with pass18 release gates

* fix(cua): add hush-cli CUA parity and sync remote desktop rulesets

* docs(cua): refresh pass18 roadmap and readiness status

* fix(cua): close remaining policy parity review gaps

* docs(cua): track post-pass policy_event dedupe follow-up

* fix(cua): align computer_use default allowlist with 10-action surface

* style(rust): format cua_rulesets test for ci

* fix(cua): resolve identity fallback and guardrail warn semantics

* docs(readme): refresh computer-use gateway positioning

* fix(taxonomy): preserve deny/warn reason-code precedence

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: bb-connor

.github/workflows/ci.yml

@@ -880,6 +880,29 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           python -m pip install -e ".[dev]"
+          python -m pip install "jsonschema>=4,<5"
+
+      - name: Run CUA roadmap fixture harnesses
+        working-directory: ${{ github.workspace }}
+        run: |
+          python docs/roadmaps/cua/research/verify_cua_migration_fixtures.py
+          python docs/roadmaps/cua/research/verify_remote_desktop_policy_matrix.py
+          python docs/roadmaps/cua/research/verify_remote_desktop_ruleset_alignment.py
+          python docs/roadmaps/cua/research/verify_injection_capabilities.py
+          python docs/roadmaps/cua/research/verify_policy_event_mapping.py
+          python docs/roadmaps/cua/research/verify_postcondition_probes.py
+          python docs/roadmaps/cua/research/verify_remote_session_continuity.py
+          python docs/roadmaps/cua/research/verify_envelope_semantic_equivalence.py
+          python docs/roadmaps/cua/research/verify_repeatable_latency_harness.py
+          python docs/roadmaps/cua/research/verify_verification_bundle.py
+          python docs/roadmaps/cua/research/verify_browser_action_policy.py
+          python docs/roadmaps/cua/research/verify_session_recording_evidence.py
+          python docs/roadmaps/cua/research/verify_orchestration_isolation.py
+          python docs/roadmaps/cua/research/verify_cua_policy_evaluation.py
+          python docs/roadmaps/cua/research/verify_canonical_adapter_contract.py
+          python docs/roadmaps/cua/research/verify_provider_conformance.py
+          python docs/roadmaps/cua/research/verify_openclaw_cua_bridge.py
+          python docs/roadmaps/cua/research/verify_trycua_connector.py
 
       - name: Run tests
         run: python -m pytest

Cargo.lock

@@ -62,7 +62,7 @@
 
 > **Alpha software** — APIs and import paths may change between releases. See GitHub Releases and the package registries (crates.io / npm / PyPI) for published versions.
 
-Clawdstrike provides runtime security enforcement for agents, designed for developers building EDR solutions and security infrastructure on top of OpenClaw.
+Clawdstrike is a fail-closed policy + attestation runtime for AI agents and computer-use systems, designed for developers building EDR solutions and security infrastructure for autonomous agent swarms. It sits at the boundary between intent and execution: normalize actions, enforce policy, and sign what happened.
 
 <img src=".github/assets/sigils/boundary-light.svg#gh-light-mode-only" width="16" height="16" alt="" style="vertical-align:-3px;margin-right:6px;" /> <img src=".github/assets/sigils/boundary-dark.svg#gh-dark-mode-only" width="16" height="16" alt="" style="vertical-align:-3px;margin-right:6px;" />**Guards** — Block sensitive paths, control network egress, detect secrets, validate patches, restrict tools, catch jailbreaks
 
@@ -72,8 +72,42 @@ Clawdstrike provides runtime security enforcement for agents, designed for devel
 
 <img src=".github/assets/sigils/ruleset-light.svg#gh-light-mode-only" width="16" height="16" alt="" style="vertical-align:-3px;margin-right:6px;" /> <img src=".github/assets/sigils/ruleset-dark.svg#gh-dark-mode-only" width="16" height="16" alt="" style="vertical-align:-3px;margin-right:6px;" />**Multi-framework** — OpenClaw, Vercel AI, LangChain, Claude, OpenAI, and more
 
+## Computer Use Gateway
+
+Clawdstrike now includes dedicated CUA gateway coverage for real runtime paths (not just static policy checks):
+
+- Canonical CUA action translation across providers/runtimes.
+- Side-channel policy controls for remote desktop surfaces (`clipboard`, `audio`, `drive_mapping`, `printing`, `session_share`, file transfer bounds).
+- Deterministic decision metadata (`reason_code`, guard, severity) for machine-checkable analytics.
+- Fixture-driven validator suites plus runtime bridge tests for regression safety.
+
+## Architecture At A Glance
+
+```mermaid
+flowchart LR
+    A[Provider Runtime<br/>OpenAI / Claude / OpenClaw] --> B[Clawdstrike Adapter]
+    B --> C[Canonical Action Event]
+    C --> D[Policy Engine + Guard Evaluation]
+    D -->|allow| E[Gateway / Tool / Remote Action]
+    D -->|deny| F[Fail-Closed Block]
+    D --> G[Signed Receipt + reason_code]
+```
+
 ## Quick Start
 
+### Computer use gateway smoke (agent-owned OpenClaw path)
+
+```bash
+scripts/openclaw-agent-smoke.sh \
+  --start-local-gateway \
+  --gateway-url ws://127.0.0.1:18789 \
+  --gateway-token dev-token
+```
+
+Runbook and flow details:
+- `docs/src/guides/agent-openclaw-operations.md`
+- `apps/desktop/docs/openclaw-gateway-testing.md`
+
 ### CLI (Rust)
 
 ```bash
@@ -120,18 +154,22 @@ if (!preflight.proceed) throw new Error("Blocked by policy");
 
 ### OpenClaw plugin
 
-See `packages/adapters/clawdstrike-openclaw/docs/getting-started.md`.
+- Quick start: `packages/adapters/clawdstrike-openclaw/docs/getting-started.md`
+- Integration guide: `docs/src/guides/openclaw-integration.md`
 
 ## Highlights
 
-| Feature                         | Description                                                                   |
-| ------------------------------- | ----------------------------------------------------------------------------- |
-| **7 Built-in Guards**           | Path, egress, secrets, patches, tools, prompt injection, jailbreak            |
+| Feature | Description |
+| --- | --- |
+| **Computer Use Gateway Controls** | Canonical CUA policy evaluation for click/type/scroll/key-chord and remote side-channel actions |
+| **Provider Translation Layer** | Runtime translators for OpenAI/Claude/OpenClaw flows into a unified policy surface |
+| **7 Built-in Guards** | Path, egress, secrets, patches, tools, prompt injection, jailbreak |
 | **4-Layer Jailbreak Detection** | Heuristic + statistical + ML + optional LLM-as-judge with session aggregation |
-| **Output Sanitization**         | Redact secrets, PII, internal data from LLM output with streaming support     |
-| **Prompt Watermarking**         | Embed signed provenance markers for attribution and forensics                 |
-| **Fail-Closed Design**          | Invalid policies reject at load time; errors deny access                      |
-| **Signed Receipts**             | Tamper-evident audit trail with Ed25519 signatures                            |
+| **Deterministic Decisions** | Stable `reason_code` + severity metadata for enforcement analytics and regression checks |
+| **Fail-Closed Design** | Invalid policies reject at load time; evaluation errors deny access |
+| **Signed Receipts** | Tamper-evident audit trail with Ed25519 signatures |
+| **Output Sanitization** | Redact secrets/PII/internal data from model output with streaming support |
+| **Prompt Watermarking** | Embed signed provenance markers for attribution and forensics |
 
 ## Performance
 
@@ -147,13 +185,20 @@ No external API calls required for core detection. [Full benchmarks →](docs/sr
 
 ## Documentation
 
-- [Design Philosophy](docs/src/concepts/design-philosophy.md) — Fail-closed, defense in depth
-- [Enforcement Tiers & Integration Contract](docs/src/concepts/enforcement-tiers.md) — What is enforceable at the tool boundary (and what requires a sandbox/broker)
-- [Guards Reference](docs/src/reference/guards/README.md) — All 7 guards documented
-- [Policy Schema](docs/src/reference/policy-schema.md) — YAML configuration
-- [Framework Integrations](docs/src/concepts/multi-language.md) — OpenClaw, Vercel AI, LangChain
-- [Repository Map](docs/REPO_MAP.md) — Newcomer guide to project layout and component maturity
-- [Documentation Map](docs/DOCS_MAP.md) — Canonical source-of-truth guide for docs
+- [Quick Start (Rust)](docs/src/getting-started/quick-start.md)
+- [Quick Start (TypeScript)](docs/src/getting-started/quick-start-typescript.md)
+- [Quick Start (Python)](docs/src/getting-started/quick-start-python.md)
+- [OpenClaw Integration Guide](docs/src/guides/openclaw-integration.md)
+- [Agent OpenClaw Operations Runbook](docs/src/guides/agent-openclaw-operations.md)
+- [OpenClaw Gateway Testing Guide](apps/desktop/docs/openclaw-gateway-testing.md)
+- [CUA Production Readiness Test Plan](production-readiness-test-plan.md)
+- [CUA Roadmap Index](docs/roadmaps/cua/INDEX.md)
+- [Design Philosophy](docs/src/concepts/design-philosophy.md)
+- [Enforcement Tiers & Integration Contract](docs/src/concepts/enforcement-tiers.md)
+- [Guards Reference](docs/src/reference/guards/README.md)
+- [Policy Schema](docs/src/reference/policy-schema.md)
+- [Repository Map](docs/REPO_MAP.md)
+- [Documentation Map](docs/DOCS_MAP.md)
 
 ## Security
 

README.md

@@ -57,6 +57,8 @@ which = "6"
 
 # Shared crypto/data primitives
 hush-core = { path = "../../../crates/libs/hush-core" }
+base64 = "0.22"
+ed25519-dalek = { version = "2.2", features = ["pem", "pkcs8"] }
 
 # Logging
 tracing = "0.1"