Merged
23 commits
acbcc29
feat(cua): CUA Gateway passes #7-#14 — guards, rulesets, research, ec…
bb-connor Feb 18, 2026
c207c94
fix(cua): address PR #88 review — camelCase field acceptance + input_…
bb-connor Feb 18, 2026
c186b29
chore(vendor): re-vendor pyo3 0.28.1 → 0.28.2
bb-connor Feb 18, 2026
4e710c7
feat(cua): close runtime enforcement gaps and add fixture-backed brid…
bb-connor Feb 18, 2026
01e3b14
fix(cua): enforce connect egress and plain computer_use bridge mapping
bb-connor Feb 18, 2026
54869d2
feat(cua): harden runtime parity, reason codes, and drift checks
bb-connor Feb 18, 2026
94ece01
docs(cua): reconcile roadmap status and TODO consistency
bb-connor Feb 18, 2026
2bed212
fix(cua): resolve side-channel review gaps and dedupe reason taxonomy
bb-connor Feb 18, 2026
de34d0a
fix(agent): align OpenClaw gateway device auth handshake
bb-connor Feb 18, 2026
1f4f11c
test(hush-cli): harden abuse harness stability in CI
bb-connor Feb 19, 2026
7ae45fb
chore(cua): add pass18 notarization and soak execution playbook
bb-connor Feb 19, 2026
24bc0a9
docs(cua): add notarization credential discovery checklist
bb-connor Feb 19, 2026
33ccd60
fix(cua): harden soak and rdp matrix harness stability
bb-connor Feb 19, 2026
6f147f3
docs(cua): align roadmap status with pass18 release gates
bb-connor Feb 19, 2026
c5e2fd8
fix(cua): add hush-cli CUA parity and sync remote desktop rulesets
bb-connor Feb 19, 2026
3394c7a
docs(cua): refresh pass18 roadmap and readiness status
bb-connor Feb 19, 2026
23edf4f
fix(cua): close remaining policy parity review gaps
bb-connor Feb 19, 2026
44b3b17
docs(cua): track post-pass policy_event dedupe follow-up
bb-connor Feb 19, 2026
06a47a2
fix(cua): align computer_use default allowlist with 10-action surface
bb-connor Feb 19, 2026
39d3d46
style(rust): format cua_rulesets test for ci
bb-connor Feb 19, 2026
56b21ec
fix(cua): resolve identity fallback and guardrail warn semantics
bb-connor Feb 20, 2026
dea0b8d
docs(readme): refresh computer-use gateway positioning
bb-connor Feb 20, 2026
11bcd83
fix(taxonomy): preserve deny/warn reason-code precedence
bb-connor Feb 20, 2026
23 changes: 23 additions & 0 deletions .github/workflows/ci.yml
@@ -880,6 +880,29 @@ jobs:
run: |
python -m pip install --upgrade pip
python -m pip install -e ".[dev]"
python -m pip install "jsonschema>=4,<5"

- name: Run CUA roadmap fixture harnesses
working-directory: ${{ github.workspace }}
run: |
python docs/roadmaps/cua/research/verify_cua_migration_fixtures.py
python docs/roadmaps/cua/research/verify_remote_desktop_policy_matrix.py
python docs/roadmaps/cua/research/verify_remote_desktop_ruleset_alignment.py
python docs/roadmaps/cua/research/verify_injection_capabilities.py
python docs/roadmaps/cua/research/verify_policy_event_mapping.py
python docs/roadmaps/cua/research/verify_postcondition_probes.py
python docs/roadmaps/cua/research/verify_remote_session_continuity.py
python docs/roadmaps/cua/research/verify_envelope_semantic_equivalence.py
python docs/roadmaps/cua/research/verify_repeatable_latency_harness.py
python docs/roadmaps/cua/research/verify_verification_bundle.py
python docs/roadmaps/cua/research/verify_browser_action_policy.py
python docs/roadmaps/cua/research/verify_session_recording_evidence.py
python docs/roadmaps/cua/research/verify_orchestration_isolation.py
python docs/roadmaps/cua/research/verify_cua_policy_evaluation.py
python docs/roadmaps/cua/research/verify_canonical_adapter_contract.py
python docs/roadmaps/cua/research/verify_provider_conformance.py
python docs/roadmaps/cua/research/verify_openclaw_cua_bridge.py
python docs/roadmaps/cua/research/verify_trycua_connector.py

- name: Run tests
run: python -m pytest
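Review bot: the new step runs eighteen `verify_*.py` harnesses in a single `run:` block, so the first failing script (say `verify_cua_migration_fixtures.py`) stops the block and hides whether the later ones pass, and the job summary only shows the step name; consider one step per harness, a matrix over the script list, or a loop that records each script's exit status and fails at the end so a red run reports every broken harness at once. Two smaller points: `python -m pip install "jsonschema>=4,<5"` installs a harness dependency ad hoc in CI instead of declaring it in the `[dev]` extra installed on the line above, so a developer running the harnesses locally after `pip install -e ".[dev]"` will hit an import error; and `working-directory: ${{ github.workspace }}` is already the default for a job step and can be dropped.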
20 changes: 10 additions & 10 deletions Cargo.lock


77 changes: 61 additions & 16 deletions README.md
@@ -62,7 +62,7 @@

> **Alpha software** — APIs and import paths may change between releases. See GitHub Releases and the package registries (crates.io / npm / PyPI) for published versions.

Clawdstrike provides runtime security enforcement for agents, designed for developers building EDR solutions and security infrastructure on top of OpenClaw.
Clawdstrike is a fail-closed policy + attestation runtime for AI agents and computer-use systems, designed for developers building EDR solutions and security infrastructure for autonomous agent swarms. It sits at the boundary between intent and execution: normalize actions, enforce policy, and sign what happened.

<img src=".github/assets/sigils/boundary-light.svg#gh-light-mode-only" width="16" height="16" alt="" style="vertical-align:-3px;margin-right:6px;" /> <img src=".github/assets/sigils/boundary-dark.svg#gh-dark-mode-only" width="16" height="16" alt="" style="vertical-align:-3px;margin-right:6px;" />**Guards** — Block sensitive paths, control network egress, detect secrets, validate patches, restrict tools, catch jailbreaks

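Review bot: the rewritten positioning sentence calls Clawdstrike a "policy + attestation runtime" but leaves what is attested implicit until the trailing "sign what happened" clause, and the Guards bullet that follows does not mention receipts either; consider naming the artifact explicitly ("... and emits signed receipts of what happened") so a reader does not assume hardware or remote attestation is meant. Also, the old sentence scoped the project to "on top of OpenClaw" while the new one says "for autonomous agent swarms"; if OpenClaw remains the primary integration, keep that mention in this paragraph rather than only in the Multi-framework bullet further down.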
@@ -72,8 +72,42 @@ Clawdstrike provides runtime security enforcement for agents, designed for devel

<img src=".github/assets/sigils/ruleset-light.svg#gh-light-mode-only" width="16" height="16" alt="" style="vertical-align:-3px;margin-right:6px;" /> <img src=".github/assets/sigils/ruleset-dark.svg#gh-dark-mode-only" width="16" height="16" alt="" style="vertical-align:-3px;margin-right:6px;" />**Multi-framework** — OpenClaw, Vercel AI, LangChain, Claude, OpenAI, and more

## Computer Use Gateway

Clawdstrike now includes dedicated CUA gateway coverage for real runtime paths (not just static policy checks):

- Canonical CUA action translation across providers/runtimes.
- Side-channel policy controls for remote desktop surfaces (`clipboard`, `audio`, `drive_mapping`, `printing`, `session_share`, file transfer bounds).
- Deterministic decision metadata (`reason_code`, guard, severity) for machine-checkable analytics.
- Fixture-driven validator suites plus runtime bridge tests for regression safety.

## Architecture At A Glance

```mermaid
flowchart LR
A[Provider Runtime<br/>OpenAI / Claude / OpenClaw] --> B[Clawdstrike Adapter]
B --> C[Canonical Action Event]
C --> D[Policy Engine + Guard Evaluation]
D -->|allow| E[Gateway / Tool / Remote Action]
D -->|deny| F[Fail-Closed Block]
D --> G[Signed Receipt + reason_code]
```

## Quick Start

### Computer use gateway smoke (agent-owned OpenClaw path)

```bash
scripts/openclaw-agent-smoke.sh \
--start-local-gateway \
--gateway-url ws://127.0.0.1:18789 \
--gateway-token dev-token
```

Runbook and flow details:
- `docs/src/guides/agent-openclaw-operations.md`
- `apps/desktop/docs/openclaw-gateway-testing.md`

### CLI (Rust)

```bash
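Review bot: the Quick Start smoke command passes the gateway secret as a command-line argument (`--gateway-token dev-token`), which lands in shell history and is visible to other local users through the process list; for a README example, prefer reading it from an environment variable or a file (a hypothetical `--gateway-token "$OPENCLAW_GATEWAY_TOKEN"`, if the script accepts that form) rather than teaching the inline form. Smaller points in the same region: "Clawdstrike now includes" dates the README and reads better as "Clawdstrike includes"; the `ws://127.0.0.1:18789` URL is plain WebSocket, which is fine for loopback but deserves a one-line note that a non-local gateway should use `wss://`; and the mermaid diagram routes `G[Signed Receipt + reason_code]` from the policy engine unconditionally, which only supports the fail-closed claim if a receipt is also emitted on the deny path, so a short caption stating that would help.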
@@ -120,18 +154,22 @@ if (!preflight.proceed) throw new Error("Blocked by policy");

### OpenClaw plugin

See `packages/adapters/clawdstrike-openclaw/docs/getting-started.md`.
- Quick start: `packages/adapters/clawdstrike-openclaw/docs/getting-started.md`
- Integration guide: `docs/src/guides/openclaw-integration.md`

## Highlights

| Feature | Description |
| ------------------------------- | ----------------------------------------------------------------------------- |
| **7 Built-in Guards** | Path, egress, secrets, patches, tools, prompt injection, jailbreak |
| Feature | Description |
| --- | --- |
| **Computer Use Gateway Controls** | Canonical CUA policy evaluation for click/type/scroll/key-chord and remote side-channel actions |
| **Provider Translation Layer** | Runtime translators for OpenAI/Claude/OpenClaw flows into a unified policy surface |
| **7 Built-in Guards** | Path, egress, secrets, patches, tools, prompt injection, jailbreak |
| **4-Layer Jailbreak Detection** | Heuristic + statistical + ML + optional LLM-as-judge with session aggregation |
| **Output Sanitization** | Redact secrets, PII, internal data from LLM output with streaming support |
| **Prompt Watermarking** | Embed signed provenance markers for attribution and forensics |
| **Fail-Closed Design** | Invalid policies reject at load time; errors deny access |
| **Signed Receipts** | Tamper-evident audit trail with Ed25519 signatures |
| **Deterministic Decisions** | Stable `reason_code` + severity metadata for enforcement analytics and regression checks |
| **Fail-Closed Design** | Invalid policies reject at load time; evaluation errors deny access |
| **Signed Receipts** | Tamper-evident audit trail with Ed25519 signatures |
| **Output Sanitization** | Redact secrets/PII/internal data from model output with streaming support |
| **Prompt Watermarking** | Embed signed provenance markers for attribution and forensics |

## Performance

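Review bot: the "Deterministic Decisions" row describes the metadata as `reason_code` + severity, while the Computer Use Gateway section above lists the triple (`reason_code`, guard, severity); align the two so the table matches the documented decision shape, since downstream analytics will key on whichever is canonical. Also, the table now leads with two computer-use rows but the "7 Built-in Guards" row is unchanged; if CUA policy evaluation is implemented as one of those guards, say so, and if it is a separate evaluator, state that so readers do not expect an eighth guard. The shortened separator row (`| --- | --- |`) renders identically and needs no change.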
@@ -147,13 +185,20 @@ No external API calls required for core detection. [Full benchmarks →](docs/sr

## Documentation

- [Design Philosophy](docs/src/concepts/design-philosophy.md) — Fail-closed, defense in depth
- [Enforcement Tiers & Integration Contract](docs/src/concepts/enforcement-tiers.md) — What is enforceable at the tool boundary (and what requires a sandbox/broker)
- [Guards Reference](docs/src/reference/guards/README.md) — All 7 guards documented
- [Policy Schema](docs/src/reference/policy-schema.md) — YAML configuration
- [Framework Integrations](docs/src/concepts/multi-language.md) — OpenClaw, Vercel AI, LangChain
- [Repository Map](docs/REPO_MAP.md) — Newcomer guide to project layout and component maturity
- [Documentation Map](docs/DOCS_MAP.md) — Canonical source-of-truth guide for docs
- [Quick Start (Rust)](docs/src/getting-started/quick-start.md)
- [Quick Start (TypeScript)](docs/src/getting-started/quick-start-typescript.md)
- [Quick Start (Python)](docs/src/getting-started/quick-start-python.md)
- [OpenClaw Integration Guide](docs/src/guides/openclaw-integration.md)
- [Agent OpenClaw Operations Runbook](docs/src/guides/agent-openclaw-operations.md)
- [OpenClaw Gateway Testing Guide](apps/desktop/docs/openclaw-gateway-testing.md)
- [CUA Production Readiness Test Plan](production-readiness-test-plan.md)
- [CUA Roadmap Index](docs/roadmaps/cua/INDEX.md)
- [Design Philosophy](docs/src/concepts/design-philosophy.md)
- [Enforcement Tiers & Integration Contract](docs/src/concepts/enforcement-tiers.md)
- [Guards Reference](docs/src/reference/guards/README.md)
- [Policy Schema](docs/src/reference/policy-schema.md)
- [Repository Map](docs/REPO_MAP.md)
- [Documentation Map](docs/DOCS_MAP.md)

## Security

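Review bot: the reshuffled Documentation list drops the one-line descriptions the old entries carried, and the most security-relevant of them is lost: "Enforcement Tiers & Integration Contract — What is enforceable at the tool boundary (and what requires a sandbox/broker)". That caveat is what tells an integrator that a tool-boundary guard is not a sandbox; please restore the suffixes for at least Design Philosophy, Enforcement Tiers and Guards Reference. Two more: the "Framework Integrations" entry (`docs/src/concepts/multi-language.md`) was removed even though the Multi-framework bullet above still advertises OpenClaw, Vercel AI and LangChain, so either re-add the link or point that bullet elsewhere; and `production-readiness-test-plan.md` is linked at the repository root while every other document lives under `docs/`, so confirm the path is intended and not a stale location.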
12 changes: 12 additions & 0 deletions apps/agent/src-tauri/Cargo.lock


2 changes: 2 additions & 0 deletions apps/agent/src-tauri/Cargo.toml
@@ -57,6 +57,8 @@ which = "6"

# Shared crypto/data primitives
hush-core = { path = "../../../crates/libs/hush-core" }
base64 = "0.22"
ed25519-dalek = { version = "2.2", features = ["pem", "pkcs8"] }

# Logging
tracing = "0.1"
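Review bot: `ed25519-dalek = { version = "2.2", features = ["pem", "pkcs8"] }` is added directly to the agent crate alongside `hush-core`, which the comment above it calls the shared crypto/data primitives crate; if hush-core already depends on ed25519-dalek, re-export it from there (or at least pin the same version) so the workspace does not end up with two dalek versions and two incompatible key types. The `pem`/`pkcs8` features imply the agent will load signing keys from PEM/PKCS#8 files, so the PR description should say where that file lives, what permissions it is created with, and whether the code relies on the signing key being zeroized on drop (dalek's default `zeroize` feature, which this line does not disable). The `base64 = "0.22"` addition is fine as-is.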