---
name: picoclaw-traffic-guardian
version: 0.0.1-beta2
description: Picoclaw runtime traffic monitoring baseline for lightweight AI gateway proxy inspection, egress detection, and posture integration.
homepage: https://clawsec.prompt.security
author: prompt-security
license: AGPL-3.0-or-later
picoclaw:
  emoji: "TG"
  requires:
    bins: [node, python3]
---

# Picoclaw Traffic Guardian

This is a baseline specification skill. It intentionally does not ship a proxy or runtime implementation yet.

## Release Artifact Verification

For standalone installs, verify the signed release manifest before trusting `SKILL.md`, `skill.json`, or the archive. The `skill.json` file is the package metadata/SBOM source, and the release pipeline signs `checksums.json` with the ClawSec release key.

```bash
set -euo pipefail

SKILL_NAME="picoclaw-traffic-guardian"
VERSION="0.0.1-beta2"
REPO="prompt-security/clawsec"
TAG="${SKILL_NAME}-v${VERSION}"
BASE="https://github.com/${REPO}/releases/download/${TAG}"
ZIP_NAME="${SKILL_NAME}-v${VERSION}.zip"
TMP_DIR="$(mktemp -d)"
trap 'rm -rf "$TMP_DIR"' EXIT

RELEASE_PUBKEY_SHA256="711424e4535f84093fefb024cd1ca4ec87439e53907b305b79a631d5befba9c8"

curl -fsSL "$BASE/checksums.json" -o "$TMP_DIR/checksums.json"
curl -fsSL "$BASE/checksums.sig" -o "$TMP_DIR/checksums.sig"
curl -fsSL "$BASE/signing-public.pem" -o "$TMP_DIR/signing-public.pem"
curl -fsSL "$BASE/$ZIP_NAME" -o "$TMP_DIR/$ZIP_NAME"
curl -fsSL "$BASE/SKILL.md" -o "$TMP_DIR/SKILL.md"
curl -fsSL "$BASE/skill.json" -o "$TMP_DIR/skill.json"

ACTUAL_PUBKEY_SHA256="$(openssl pkey -pubin -in "$TMP_DIR/signing-public.pem" -outform DER | shasum -a 256 | awk '{print $1}')"
if [ "$ACTUAL_PUBKEY_SHA256" != "$RELEASE_PUBKEY_SHA256" ]; then
  echo "ERROR: signing-public.pem fingerprint mismatch" >&2
  exit 1
fi

openssl base64 -d -A -in "$TMP_DIR/checksums.sig" -out "$TMP_DIR/checksums.sig.bin"
openssl pkeyutl -verify -rawin -pubin \
  -inkey "$TMP_DIR/signing-public.pem" \
  -sigfile "$TMP_DIR/checksums.sig.bin" \
  -in "$TMP_DIR/checksums.json" >/dev/null

hash_file() {
  if command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    sha256sum "$1" | awk '{print $1}'
  fi
}

verify_manifest_file() {
  asset="$1"
  path="$2"
  expected="$(jq -r --arg asset "$asset" '.files[$asset].sha256 // empty' "$TMP_DIR/checksums.json")"
  if [ -z "$expected" ]; then
    echo "ERROR: checksums.json missing $asset" >&2
    exit 1
  fi
  actual="$(hash_file "$path")"
  if [ "$actual" != "$expected" ]; then
    echo "ERROR: checksum mismatch for $asset" >&2
    exit 1
  fi
}

expected_archive="$(jq -r '.archive.sha256 // empty' "$TMP_DIR/checksums.json")"
if [ -z "$expected_archive" ]; then
  echo "ERROR: checksums.json missing archive.sha256" >&2
  exit 1
fi
actual_archive="$(hash_file "$TMP_DIR/$ZIP_NAME")"
if [ "$actual_archive" != "$expected_archive" ]; then
  echo "ERROR: archive checksum mismatch" >&2
  exit 1
fi

verify_manifest_file "SKILL.md" "$TMP_DIR/SKILL.md"
verify_manifest_file "skill.json" "$TMP_DIR/skill.json"

echo "Signed release manifest, archive, SKILL.md, and skill.json verified."
```

Only install or extract the archive after this verification succeeds.

## Scope

Builders should use this skill as the Picoclaw landing zone for runtime traffic monitoring:

- lightweight AI gateway HTTP proxy inspection
- optional HTTPS inspection with per-process CA trust
- outbound exfiltration detection
- inbound injection detection
- redacted local threat logs
- profile export for `picoclaw-security-guardian`

Do not add proxy runtime ownership to `picoclaw-security-guardian` or `picoclaw-self-pen-testing`. Those skills should profile, drift-check, or review this monitor's status, not run it.

## Safety Contract

- Opt-in only.
- Detect-and-log by default.
- No automatic system CA installation.
- No global proxy environment changes.
- No blocking in the first implementation.
- Redact secrets before logs, summaries, or profile outputs.
- Keep all state under `PICOCLAW_TRAFFIC_GUARDIAN_HOME` or `$PICOCLAW_HOME/security/clawsec/traffic-guardian`.

## Builder Entry Points

Read `SPEC.md` before implementing. Use the placeholder folders as follows:

| Path | Intended use |
|---|---|
| `lib/` | Detector rules, redaction, profile export, report formatting |
| `scripts/` | Start, stop, status, config validation, log query, profile export helpers |
| `test/` | Unit tests, proxy fixture tests, redaction tests, profile integration tests |

## Required First Implementation Behavior

1. Validate config without starting the proxy.
2. Start monitor in foreground or explicit background mode.
3. Scope proxy environment variables to the target Picoclaw gateway process.
4. Inspect HTTP request/response text up to a bounded byte limit.
5. Support optional HTTPS MITM only when the operator supplies per-process trust configuration.
6. Emit JSONL findings with redacted snippets.
7. Export a small profile fragment that `picoclaw-security-guardian` can include in deterministic posture profiles.

## Out of Scope for v0.0.1 Implementation

- automatic system trust-store mutation
- transparent network interception
- default blocking
- sending traffic to external services
- collecting full request/response bodies
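
The following is an added sketch of items 4 and 6 of the required first implementation behavior (bounded inspection, JSONL findings with redacted snippets) under the Safety Contract's redact-before-log rule; it is not code from this skill or from ClawSec. The rule names and patterns, the 4096-byte limit, the 40-character context, the finding field names and the sample body are all assumptions made for illustration.

```python
import json
import re

MAX_INSPECT_BYTES = 4096  # assumed value; the spec only requires "bounded"
CONTEXT_CHARS = 40        # assumed snippet context on each side of a hit

# Hypothetical detector rules (name -> pattern), not the project's rule set.
RULES = {
    "aws_access_key_id": r"\bAKIA[0-9A-Z]{16}\b",
    "bearer_token": r"\b(?i:bearer)\s+[A-Za-z0-9._~+/-]{16,}=*",
    "private_key_header": r"-----BEGIN [A-Z ]*PRIVATE KEY-----",
}
COMBINED = re.compile("|".join(f"(?P<{n}>{p})" for n, p in RULES.items()))

# Constructed sample body; the key is AWS's documentation example value.
SAMPLE = (b'{"prompt": "summarize", "note": "key AKIAIOSFODNN7EXAMPLE and '
          b'Authorization: Bearer abcdefghijklmnopqrstuvwxyz012345"}')

def redact(text):
    """Return (redacted_text, hits). Each hit is
    (rule, offset_in_original, offset_in_redacted, placeholder_length)."""
    hits, delta = [], 0
    def repl(m):
        nonlocal delta
        token = f"[REDACTED:{m.lastgroup}]"
        hits.append((m.lastgroup, m.start(), m.start() + delta, len(token)))
        delta += len(token) - (m.end() - m.start())
        return token
    return COMBINED.sub(repl, text), hits

def inspect_body(direction, body, max_bytes=MAX_INSPECT_BYTES):
    """Scan at most max_bytes of body and return JSONL finding lines."""
    window = body[:max_bytes].decode("utf-8", errors="replace")
    # Redact the whole window first, then cut snippets from the redacted
    # text, so context around one hit cannot expose a neighbouring secret.
    safe, hits = redact(window)
    lines = []
    for rule, offset, red_offset, length in hits:
        lo = max(0, red_offset - CONTEXT_CHARS)
        finding = {
            "direction": direction,
            "rule": rule,
            "offset": offset,  # character offset in the decoded window
            "truncated": len(body) > max_bytes,
            "action": "log",  # detect-and-log only; nothing is blocked
            "snippet": safe[lo:red_offset + length + CONTEXT_CHARS],
        }
        lines.append(json.dumps(finding, sort_keys=True))
    return lines
```

A secret cut in two by the byte limit no longer matches its rule, so its leading bytes can survive in a neighbouring finding's snippet; an implementation should keep snippet context clear of the window's final bytes or scan overlapping windows.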