
feat: Release P1 Mitigation Rules and PyPI Workflow#3

Merged: peeweeh merged 4 commits into main from nightly on Mar 15, 2026

Conversation

@peeweeh peeweeh commented Mar 15, 2026

Merges recent engine evaluation fixes, P1 rules from phase 1, and the newly configured auto-publish trusted pipeline for PyPI.

peeweeh added 4 commits March 12, 2026 20:09
- SEC-001: Flag OpenClaw versions < v2026.3.2 (all 4 CVEs patched)
- IDENT-001: Detect group/channel IDs in allowFrom (GHSA-2CH6 auth bypass)
- ISO-011: Flag docker.network=container:<id> (GHSA-WW6V sandbox escape)
- MEM-001: Detect suspicious encoding in SOUL.md/MEMORY.md (poisoning vector)

New probe: group_ids_in_allowfrom with regex patterns for @g.us, @group, numeric IDs

Test fixtures:
- SOUL-with-poisoning.md: Memory poisoning attack pattern
- docker-compose-insecure.yml: Vulnerable namespace join config
- openclaw-insecure.json: Group IDs in allowFrom field

Resolves: CVE-2026-25253, CVE-2026-24763, CVE-2026-25157, CVE-2026-26325,
GHSA-2ch6-x3g4-7759, GHSA-ww6v-v748-x7g9, Snyk TOCTOU, ClawHavoc campaigns
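One way to implement the IDENT-001 probe described in the commit message above, as an added example that is not the project's code: the config key layout, the pattern names and the rule that any all-digit entry counts as a numeric group ID are assumptions.

```python
import re

# Group/channel identifier shapes named in the IDENT-001 commit message:
# WhatsApp-style "@g.us", a generic "@group" suffix, and bare numeric IDs.
# Treating any all-digit entry (optionally negative, as Telegram group IDs
# are) as a group ID is my reading of "numeric IDs", not the project's rule.
GROUP_ID_PATTERNS = {
    "whatsapp_group": re.compile(r"@g\.us$", re.IGNORECASE),
    "generic_group": re.compile(r"@group$", re.IGNORECASE),
    "numeric_id": re.compile(r"^-?\d+$"),
}

def _walk(node, path="$"):
    """Yield (json-path, value) for every node so allowFrom is found at any depth."""
    yield path, node
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")

# A group ID in an allow-list meant for individual senders admits every member
# of that group, which is the auth-bypass condition the rule flags.
def group_ids_in_allowfrom(config):
    """Return one finding dict per allowFrom entry that looks like a group/channel ID."""
    findings = []
    for path, node in _walk(config):
        if not isinstance(node, dict) or "allowFrom" not in node:
            continue
        entries = node["allowFrom"]
        entries = [entries] if isinstance(entries, str) else entries
        if not isinstance(entries, list):
            continue
        for entry in entries:
            value = str(entry).strip()
            for name, pattern in GROUP_ID_PATTERNS.items():
                if pattern.search(value):
                    findings.append({"rule": "IDENT-001", "path": f"{path}.allowFrom",
                                     "value": value, "pattern": name})
                    break
    return findings

# Constructed sample config; the key layout is assumed, not taken from the project.
SAMPLE_CONFIG = {
    "channels": {"whatsapp": {"allowFrom": ["12025550123@s.whatsapp.net", "120363012345678901@g.us"]},
                 "telegram": {"allowFrom": ["-1001234567890", "@alice"]}},
    "allowFrom": "ops@group",
}
```

Running `group_ids_in_allowfrom(SAMPLE_CONFIG)` reports three findings (the top-level `ops@group`, the WhatsApp `@g.us` entry and the negative numeric Telegram ID) and leaves the individual sender entries alone.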
@peeweeh peeweeh merged commit 115b748 into main Mar 15, 2026
3 checks passed