chore(workspace): add hardened startup/security workflows and skill suite
This commit is contained in:
zap
72
BOOT.md
Normal file
72
BOOT.md
Normal file
@@ -0,0 +1,72 @@
|
||||
# BOOT.md
|
||||
|
||||
On gateway startup, run a silent security + readiness check for this workspace.
|
||||
|
||||
## Startup checklist
|
||||
|
||||
1. Confirm core workspace files exist:
|
||||
- `AGENTS.md`, `SOUL.md`, `USER.md`, `TOOLS.md`, `HEARTBEAT.md`
|
||||
2. Confirm required local skill folders exist:
|
||||
- `skills/searxng-local-search`
|
||||
- `skills/telegram-ops`
|
||||
- `skills/homelab-service-health`
|
||||
- `skills/task-capture-and-followup`
|
||||
- `skills/daily-brief`
|
||||
- `skills/calendar-sentinel`
|
||||
- `skills/inbox-triage`
|
||||
3. Ensure task state exists:
|
||||
- `memory/tasks.json` (create `[]` if missing)
|
||||
|
||||
## Security checks
|
||||
|
||||
4. Check internal hooks enabled state:
|
||||
- `session-memory`
|
||||
- `command-logger`
|
||||
- `bootstrap-extra-files`
|
||||
- `boot-md`
|
||||
- if any are disabled/missing, record warning with exact hook name
|
||||
5. Check permissions:
|
||||
- `~/.openclaw` should be `700`
|
||||
- credential files under `~/.openclaw/credentials/` should be `600`
|
||||
- if drift is found, log it as warning; do not auto-fix unless explicitly requested later
|
||||
6. Check network exposure:
|
||||
- verify gateway is not unexpectedly exposed on `0.0.0.0`
|
||||
- capture a compact listener snapshot for OpenClaw-related ports
|
||||
7. Check expected-service posture:
|
||||
- expected local services should be present/reachable (OpenClaw runtime + documented core services)
|
||||
- flag unexpected listeners only when confidence is high
|
||||
8. Check backup signal freshness:
|
||||
- verify `memory/minio-backup.log` contains `Backup complete:` within last 8 hours
|
||||
9. Check security-audit freshness:
|
||||
- verify a recent `openclaw security audit --deep` result exists (target: within 24 hours)
|
||||
- if stale/missing, record reminder (warning level)
|
||||
10. Check update status:
|
||||
- run/read `openclaw update status`
|
||||
- record whether update is available
|
||||
|
||||
## State recording
|
||||
|
||||
11. Write/update machine-readable status file: `memory/startup-health.json` with:
|
||||
- `last_run_utc`
|
||||
- `status` (`ok|warn|critical`)
|
||||
- `checks_passed` (array)
|
||||
- `checks_failed` (array)
|
||||
- `warnings` (array)
|
||||
- `gateway_exposure` (e.g., `local-only|public|unknown`)
|
||||
- `last_backup_age_hours`
|
||||
- `last_security_audit_age_hours`
|
||||
- `update_status` (short text)
|
||||
12. Write/update `memory/boot-last-run.json` with UTC timestamp + overall status.
|
||||
|
||||
## Notification policy
|
||||
|
||||
13. Stay silent when status is `ok` or non-actionable `warn`.
|
||||
14. Send one short proactive alert only for **critical** conditions:
|
||||
- credential permission drift on sensitive files,
|
||||
- unexpected public exposure of gateway,
|
||||
- backup signal stale/missing beyond threshold,
|
||||
- missing critical workspace files preventing normal operation.
|
||||
|
||||
## Critical issue logging
|
||||
|
||||
If any warning/critical issue is found, append a concise line to `memory/startup-health.md` with UTC timestamp, failing check, and suggested fix.
|
||||
Reference in New Issue
Block a user