feat: add claw approval MVP with privileged broker
Implement Postgres-backed claw approval flow and integrate gateway methods for create/list/get/approve/reject/execute/audit. Add a minimal systemd-run privileged broker with bearer auth, strict scope and exact-command validation, dangerous-shell blocking, atomic once-grant consumption, and execution audit updates.
scripts/claw-broker/claw-broker.service
Normal file
@@ -0,0 +1,20 @@
[Unit]
Description=OpenClaw Privileged Broker (MVP)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=root
WorkingDirectory=/home/negodiy/claw-broker
EnvironmentFile=/home/negodiy/claw-broker/.env
ExecStart=/usr/bin/node /home/negodiy/claw-broker/broker.mjs
Restart=always
RestartSec=2
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=no

[Install]
WantedBy=multi-user.target
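Review bot: The service runs as root yet loads both its code and its secrets from a user home directory (`WorkingDirectory=/home/negodiy/claw-broker`, `EnvironmentFile=/home/negodiy/claw-broker/.env`, `ExecStart=/usr/bin/node /home/negodiy/claw-broker/broker.mjs`) with `ProtectHome=no`, so whoever can write to that directory (the `negodiy` account or anything running as it) controls what root executes on the next restart, and `Restart=always` guarantees one. Move broker.mjs and the env file (which presumably carries the bearer token the commit message mentions) to a root-owned, non-user-writable location such as /opt/claw-broker with mode 0600 on the env file, set `ProtectHome=yes` or `tmpfs`, and consider `ProtectSystem=strict` together with `ProtectKernelTunables=yes`, `ProtectControlGroups=yes`, `RestrictSUIDSGID=yes` and a `CapabilityBoundingSet` limited to what the broker actually needs, since `NoNewPrivileges=true` alone does not reduce what an already-root process can do.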