openclaw/src/security/audit-extra.ts

/**
 * Re-export barrel for security audit collector functions.
 *
 * Maintains backward compatibility with existing imports from audit-extra.
 * Implementation split into:
 * - audit-extra.sync.ts: Config-based checks (no I/O)
 * - audit-extra.async.ts: Filesystem/plugin checks (async I/O)
 */

// Sync collectors
export {
  collectAttackSurfaceSummaryFindings,
  collectExposureMatrixFindings,
  collectGatewayHttpNoAuthFindings,
  collectGatewayHttpSessionKeyOverrideFindings,
  collectHooksHardeningFindings,
  collectLikelyMultiUserSetupFindings,
  collectMinimalProfileOverrideFindings,
  collectModelHygieneFindings,
  collectNodeDangerousAllowCommandFindings,
  collectNodeDenyCommandPatternFindings,
  collectSandboxDangerousConfigFindings,
  collectSandboxDockerNoopFindings,
  collectSecretsInConfigFindings,
  collectSmallModelRiskFindings,
  collectSyncedFolderFindings,
  type SecurityAuditFinding,
} from "./audit-extra.sync.js";

// Async collectors
export {
  collectSandboxBrowserHashLabelFindings,
  collectIncludeFilePermFindings,
  collectInstalledSkillsCodeSafetyFindings,
  collectPluginsCodeSafetyFindings,
  collectPluginsTrustFindings,
  collectStateDeepFilesystemFindings,
  readConfigSnapshotForAudit,
} from "./audit-extra.async.js";
refactor(security,config): split oversized files (#13182) refactor(security,config): split oversized files using dot-naming convention - audit-extra.ts (1,199 LOC) -> barrel (31) + sync (559) + async (668) - schema.ts (1,114 LOC) -> schema (353) + field-metadata (729) - Add tmp-refactoring-strategy.md documenting Wave 1-4 plan PR #13182 2026-02-09 22:22:29 -08:00			`/**`
			`* Re-export barrel for security audit collector functions.`
			`*`
			`* Maintains backward compatibility with existing imports from audit-extra.`
			`* Implementation split into:`
			`* - audit-extra.sync.ts: Config-based checks (no I/O)`
			`* - audit-extra.async.ts: Filesystem/plugin checks (async I/O)`
			`*/`

			`// Sync collectors`
			`export {`
			`collectAttackSurfaceSummaryFindings,`
			`collectExposureMatrixFindings,`
feat(security): audit gateway HTTP no-auth exposure 2026-02-19 14:25:45 +01:00			`collectGatewayHttpNoAuthFindings,`
feat(gateway): add trusted-proxy auth mode (#15940) Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: 279d4b304f83186fda44dfe63a729406a835dafa Co-authored-by: nickytonline <833231+nickytonline@users.noreply.github.com> Co-authored-by: steipete <58493+steipete@users.noreply.github.com> Reviewed-by: @steipete 2026-02-14 06:32:17 -05:00			`collectGatewayHttpSessionKeyOverrideFindings,`
refactor(security,config): split oversized files (#13182) refactor(security,config): split oversized files using dot-naming convention - audit-extra.ts (1,199 LOC) -> barrel (31) + sync (559) + async (668) - schema.ts (1,114 LOC) -> schema (353) + field-metadata (729) - Add tmp-refactoring-strategy.md documenting Wave 1-4 plan PR #13182 2026-02-09 22:22:29 -08:00			`collectHooksHardeningFindings,`
feat(security): warn on likely multi-user trust-model mismatch 2026-02-24 14:03:04 +00:00			`collectLikelyMultiUserSetupFindings,`
fix(security): extend audit hardening checks 2026-02-13 16:26:37 +01:00			`collectMinimalProfileOverrideFindings,`
refactor(security,config): split oversized files (#13182) refactor(security,config): split oversized files using dot-naming convention - audit-extra.ts (1,199 LOC) -> barrel (31) + sync (559) + async (668) - schema.ts (1,114 LOC) -> schema (353) + field-metadata (729) - Add tmp-refactoring-strategy.md documenting Wave 1-4 plan PR #13182 2026-02-09 22:22:29 -08:00			`collectModelHygieneFindings,`
fix(security): harden gateway command/audit guardrails 2026-02-22 08:44:12 +01:00			`collectNodeDangerousAllowCommandFindings,`
fix(security): extend audit hardening checks 2026-02-13 16:26:37 +01:00			`collectNodeDenyCommandPatternFindings,`
fix(security): harden sandbox docker config validation 2026-02-16 03:03:55 +01:00			`collectSandboxDangerousConfigFindings,`
fix(security): extend audit hardening checks 2026-02-13 16:26:37 +01:00			`collectSandboxDockerNoopFindings,`
refactor(security,config): split oversized files (#13182) refactor(security,config): split oversized files using dot-naming convention - audit-extra.ts (1,199 LOC) -> barrel (31) + sync (559) + async (668) - schema.ts (1,114 LOC) -> schema (353) + field-metadata (729) - Add tmp-refactoring-strategy.md documenting Wave 1-4 plan PR #13182 2026-02-09 22:22:29 -08:00			`collectSecretsInConfigFindings,`
			`collectSmallModelRiskFindings,`
			`collectSyncedFolderFindings,`
			`type SecurityAuditFinding,`
			`} from "./audit-extra.sync.js";`

			`// Async collectors`
			`export {`
fix(security): force sandbox browser hash migration and audit stale labels 2026-02-21 13:25:35 +01:00			`collectSandboxBrowserHashLabelFindings,`
refactor(security,config): split oversized files (#13182) refactor(security,config): split oversized files using dot-naming convention - audit-extra.ts (1,199 LOC) -> barrel (31) + sync (559) + async (668) - schema.ts (1,114 LOC) -> schema (353) + field-metadata (729) - Add tmp-refactoring-strategy.md documenting Wave 1-4 plan PR #13182 2026-02-09 22:22:29 -08:00			`collectIncludeFilePermFindings,`
			`collectInstalledSkillsCodeSafetyFindings,`
			`collectPluginsCodeSafetyFindings,`
			`collectPluginsTrustFindings,`
			`collectStateDeepFilesystemFindings,`
			`readConfigSnapshotForAudit,`
			`} from "./audit-extra.async.js";`