…osystem integrations
Complete CUA (Computer-Use Agent) Gateway implementation across 14 research and execution passes. This adds runtime security enforcement for AI agents operating in remote desktop, browser automation, and input injection contexts.
Rust:
- 3 CUA guards: computer_use (observe/guardrail/fail_closed modes), remote_desktop_side_channel (per-channel enable/disable + transfer size), input_injection_capability (input type allowlist + postcondition probes)
- 7 CUA event types in PolicyEventType including remote.session_share
- CuaEventData struct with serde support and snake_case aliases
- 3 built-in rulesets: remote-desktop, remote-desktop-strict, remote-desktop-permissive
- Fail-closed fixes: deny missing input_type (C2), deny unknown side channels (C3)
TypeScript:
- CuaEventData interface + 7 EventType variants in adapter-core
- 7 factory methods in PolicyEventFactory (including createCuaSessionShareEvent)
- OpenClaw CUA bridge handler (283 lines) with 43 tests
- 3 stable error codes (OCLAW_CUA_UNKNOWN_ACTION, MISSING_METADATA, SESSION_MISSING)
Research & fixtures:
- 9 deep-dive topic files, execution backlog, review log (14 passes)
- 17 Python validation harnesses (130+ fixture checks)
- 21 fixture groups across policy-events, receipts, and benchmarks
- trycua/cua connector evaluation with compatibility matrix
- Pass #14 code review report with 3 critical issues resolved
CI: 17 roadmap harnesses run on every PR/push.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: acbcc293aa
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
…type forwarding
- InputInjectionCapabilityGuard now accepts both snake_case and camelCase for input_type/inputType and postcondition_probe_hash/postconditionProbeHash since the CUA pipeline serializes as camelCase via serde rename_all
- OpenClaw CUA bridge buildCuaEvent now forwards input_type from tool params so the fail-closed guard receives it through canonical event data
- Update pyo3 0.28.1 → 0.28.2 to resolve RUSTSEC-2026-0013 license check
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fixes offline build/test CI job after Cargo.lock update for RUSTSEC-2026-0013. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
crates/libs/clawdstrike/src/guards/remote_desktop_side_channel.rs
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 54869d21d0
crates/libs/clawdstrike/src/guards/remote_desktop_side_channel.rs
crates/libs/clawdstrike/src/guards/remote_desktop_side_channel.rs
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2bed2127e3
packages/adapters/clawdstrike-adapter-core/src/engine-response.ts
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 24bc0a9a88
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 06a47a2be4
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 56b21ecded
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| drive_mapping_enabled: false | ||
| printing_enabled: false | ||
| session_share_enabled: false | ||
| max_transfer_size_bytes: 104857600 # 100MB |
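Review bot: the trailing comment on the max_transfer_size_bytes line says 100MB, but 104857600 is 100 × 1024 × 1024, which is 100 MiB. Suggest changing the comment to "# 100 MiB" so that anyone editing the limit later works in the same unit the value was written in.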
Policy contradiction in remote-desktop ruleset configuration
High Severity
The remote-desktop ruleset has contradictory policy configuration: computer_use.allowed_actions includes remote.clipboard and remote.file_transfer (lines 17-18), but remote_desktop_side_channel sets clipboard_enabled: false and file_transfer_enabled: false (lines 26-27). This creates a policy bypass where the computer_use guard in guardrail mode will allow these actions, but the remote_desktop_side_channel guard will deny them, causing inconsistent enforcement depending on guard evaluation order. Additionally, max_transfer_size_bytes is configured (line 32) even though file_transfer_enabled is false, making the size limit dead configuration.
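A consistency lint for the contradiction described in the comment above, as an added example that is not part of the PR or of clawdstrike's code. The struct layout and the `lint` function are hypothetical; only the field and action names come from the thread, and the ruleset in `main` is constructed from the values the comment quotes.

```rust
// Added example: Ruleset, SideChannel and lint() are hypothetical, not clawdstrike's API.
#[derive(Default)]
struct SideChannel {
    clipboard_enabled: bool,
    file_transfer_enabled: bool,
    session_share_enabled: bool,
    max_transfer_size_bytes: Option<u64>,
}

struct Ruleset {
    allowed_actions: Vec<&'static str>, // computer_use.allowed_actions
    side_channel: SideChannel,          // remote_desktop_side_channel
}

/// Returns one finding per place where the two guards disagree,
/// so the outcome never depends on guard evaluation order.
fn lint(r: &Ruleset) -> Vec<String> {
    let sc = &r.side_channel;
    // Action name -> the side-channel switch that must agree with it.
    let pairs = [
        ("remote.clipboard", "clipboard_enabled", sc.clipboard_enabled),
        ("remote.file_transfer", "file_transfer_enabled", sc.file_transfer_enabled),
        ("remote.session_share", "session_share_enabled", sc.session_share_enabled),
    ];
    let mut findings = Vec::new();
    for (action, flag, enabled) in pairs {
        if r.allowed_actions.contains(&action) && !enabled {
            findings.push(format!("{action} is in allowed_actions but {flag} is false"));
        }
    }
    // A size limit on a disabled channel is dead configuration.
    if !sc.file_transfer_enabled && sc.max_transfer_size_bytes.is_some() {
        findings.push("max_transfer_size_bytes is set but file_transfer_enabled is false".into());
    }
    findings
}

fn main() {
    // Constructed ruleset mirroring the values quoted in the review comment.
    let r = Ruleset {
        allowed_actions: vec!["remote.clipboard", "remote.file_transfer"],
        side_channel: SideChannel { max_transfer_size_bytes: Some(104_857_600), ..Default::default() },
    };
    for finding in lint(&r) {
        println!("{finding}");
    }
}
```

Run as a CI check over every built-in ruleset, a non-empty result fails the build before a contradictory policy ships.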
| } | ||
|
|
||
| let verifying_key = VerifyingKey::from_public_key_pem(parsed.public_key_pem.trim()) | ||
| .map_err(|err| anyhow::anyhow!("invalid OpenClaw identity public key PEM: {err}"))?; |
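Review bot: in the VerifyingKey::from_public_key_pem call, public_key_pem is parsed on its own, and nothing in these lines ties the resulting verifying_key to the private key loaded from the same identity file. If that comparison is not made after this hunk, derive the public key from the private key and reject the file on mismatch, so a stale or swapped public key fails at load time instead of producing a device proof the gateway cannot verify.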
Missing empty public key validation before parsing
Medium Severity
The function load_openclaw_device_identity_from_path validates that private_key_pem is not empty (line 919) but does not validate that public_key_pem is not empty before calling VerifyingKey::from_public_key_pem on line 926. If public_key_pem is an empty string or contains only whitespace, the error message from the PEM parser will be cryptic rather than the clear validation error message that users get for empty private keys. This inconsistency makes debugging identity file issues unnecessarily difficult.


Summary
- computer_use (observe/guardrail/fail_closed), remote_desktop_side_channel (per-channel control + transfer size), input_injection_capability (type allowlist + postcondition probes)
- PolicyEventType and TS EventType with full cross-language parity
- remote-desktop, remote-desktop-strict, remote-desktop-permissive
- PolicyEventFactory
Test plan
- cargo test --workspace — all Rust tests pass
- cargo clippy --workspace -- -D warnings — clean
- docs/roadmaps/cua/research/verify_*.py)
- input_type denied, unknown side channels denied, unknown event types rejected
🤖 Generated with Claude Code
Note
High Risk
Touches security-critical enforcement and attestation paths (new policy guards/rulesets, receipt verification error taxonomy, and gateway authentication handshake). Incorrect configuration or mapping could change allow/deny outcomes or interoperability with existing gateways/clients.
Overview
Adds first-class Computer Use Agent (CUA) policy support in clawdstrike: three new guards (computer_use, remote_desktop_side_channel, input_injection_capability), three new built-in remote-desktop rulesets, and a shared decision_taxonomy that standardizes reason_code + severity mapping for CLI/daemon outputs.
Extends the agent-owned OpenClaw gateway handshake to optionally include an Ed25519 device proof derived from local identity files, tightens auth payload handling, and expands tests around token rotation and proof validation. Also enhances receipt verification and hush verify JSON to emit stable VFY_* error codes, adds CUA event types/mapping in hush-cli, and wires CUA roadmap Python harnesses into CI.
Written by Cursor Bugbot for commit 11bcd83.