
#15757: feat(security): add hardening gap audit checks

by saurabhsh5 · open · 2026-02-13 21:02

Labels: docs · gateway · stale · size: L
## Summary

- Add new security audit checks to detect when hardened configuration options are not enabled
- Based on gap analysis from `harden-config.ts` enforcement patterns
- Includes 10 new check IDs covering sandbox, tools, gateway TLS, and command blocking

### New Audit Checks

| Check ID | Severity | Description |
|----------|----------|-------------|
| `sandbox.mode_not_all` | Critical/Warn | Sandbox mode not set to "all" |
| `sandbox.docker.network_not_isolated` | Critical | Sandbox network allows SSRF |
| `tools.dangerous_not_denied` | Warn | Dangerous tools not in deny list |
| `tools.elevated_enabled` | Info | Elevated mode is enabled |
| `tools.elevated_enabled_no_allowlist` | Warn | Elevated mode without allowlist |
| `gateway.tls_disabled` | Warn/Critical | TLS not enabled |
| `tools.agent_to_agent_enabled` | Info | Agent-to-agent messaging enabled |
| `sandbox.docker.writable_root` | Info | Sandbox root filesystem writable |
| `sandbox.docker.capabilities_not_dropped` | Info | Linux capabilities not dropped |
| `gateway.nodes.deny_commands_missing_defaults` | Info | Default dangerous commands not blocked |

## Why This Is Needed

**The problem:** Users deploying OpenClaw with default configuration have zero isolation. There's no way to **audit** whether a deployment has these protections enabled.

**Related issues requesting this:**

- **#7139** - [Critical: Default configuration provides zero isolation](https://github.com/openclaw/openclaw/issues/7139)
  > "A user who downloads OpenClaw and runs it with default settings is giving an AI agent full filesystem access, credentials stored where any malware can read them, direct shell execution with no sandboxing, no network isolation."
- **#11591** - [Infosec Audit: 65+ P0/P1 Vulnerabilities](https://github.com/openclaw/openclaw/issues/11591)
  > Documents 50+ P0 critical vulnerabilities including shell command injection, plaintext secrets, and authorization bypass.
- **#12506** - [Unified Security Profile System with Preset Scenario Templates](https://github.com/openclaw/openclaw/issues/12506)
  > "OpenClaw deployments run with effectively zero security configuration despite the platform having partial security mechanisms available."
- **#8093** - [RFC: Security Hardening Architecture & Vulnerability Report](https://github.com/openclaw/openclaw/issues/8093)
- **#7604** - [Security Hardening: Request Timeouts, Credential Encryption, Skill Signing, and Prompt Injection Defense](https://github.com/openclaw/openclaw/issues/7604)

**This PR addresses the gap** by making `openclaw security audit` proactively warn users when their configuration lacks hardening protections. Previously, users had to manually compare their config against `harden-config.ts` to know if they were protected.

## Test Plan

- [x] All 77 unit tests pass (19 new tests added)
- [x] Linter passes with no errors
- [x] Manual verification: `openclaw security audit` shows new findings

**Before this PR:**

```
Summary: 0 critical · 3 warn · 1 info
```

**After this PR:**

```
Summary: 1 critical · 5 warn · 1 info

CRITICAL sandbox.mode_not_all Sandbox mode is "off"
  Sandbox is disabled. All tool execution runs on the host without isolation.
  Fix: Set agents.defaults.sandbox.mode="all" to isolate all tool execution.
```

🤖 Generated with [Claude Code](https://claude.ai/code)

## Greptile Overview

### Greptile Summary

Implements 10 new security audit checks to detect hardening configuration gaps based on EarlyCore security research findings. The implementation correctly uses the existing tool policy resolution system (`resolveToolPolicies`, `isToolAllowedByPolicies`) to determine tool availability, properly handles Tailscale exposure detection, and uses authoritative node command lists from `node-command-policy.ts`.

**Key changes:**

- Adds checks for sandbox mode, network isolation, dangerous tools, elevated mode, TLS configuration, and node commands
- Severity levels escalate based on actual risk (e.g., `sandbox.mode_not_all` is critical when exec/web tools are available, warn otherwise)
- All previously reported issues from review threads have been addressed
- 19 new unit tests provide comprehensive coverage (77 total tests passing)

**One minor issue found:**

- Documentation table has incorrect check ID (`gateway.nodes.deny_commands_missing_defaults` should be `gateway.nodes.dangerous_commands_allowed`)

### Confidence Score: 4/5

- This PR is safe to merge with one minor documentation fix needed
- The implementation is technically sound with proper use of existing policy resolution helpers, comprehensive test coverage (19 new tests), and all previously identified issues resolved. The only issue is a documentation typo for one check ID name. The security checks themselves are well-designed with appropriate severity levels based on actual risk assessment.
- docs/gateway/security/index.md requires a one-line fix to correct the check ID name. All other files are production-ready.

Last reviewed commit: 7fbdd21
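The risk-based severity escalation that both the PR description and the Greptile review describe (`sandbox.mode_not_all` is critical when exec/web tools can still run on the host, warn otherwise; `gateway.tls_disabled` is warn or critical depending on exposure) is easiest to understand as a small stand-alone audit. The following TypeScript is an added example for this page, not OpenClaw's code and not the PR's implementation: apart from `agents.defaults.sandbox.mode` and the check IDs listed above, the config fields (`agents.defaults.tools.deny`, `gateway.tls.enabled`, `gateway.bind`), the tool names and the helper functions are assumptions made for the example.

```typescript
// Added example: a minimal config audit with risk-based severity escalation.
// Not OpenClaw's code; the config shape below (other than
// agents.defaults.sandbox.mode) and the tool names are assumptions.

type Severity = "critical" | "warn" | "info";

interface Finding {
  checkId: string;
  severity: Severity;
  title: string;
  detail: string;
  remediation: string;
}

// Assumed config shape for the example.
interface AuditConfig {
  agents?: {
    defaults?: {
      sandbox?: { mode?: string };
      tools?: { deny?: string[] };
    };
  };
  gateway?: { tls?: { enabled?: boolean }; bind?: string };
}

// Tools whose host-side execution makes a missing sandbox most dangerous (assumed names).
const EXEC_OR_WEB_TOOLS = ["exec", "shell", "web_fetch", "browser"];
// Tools the example expects to find in the deny list (assumed names).
const DANGEROUS_TOOLS = ["exec", "shell"];

function isToolDenied(cfg: AuditConfig, tool: string): boolean {
  const deny = cfg.agents?.defaults?.tools?.deny ?? [];
  return deny.includes(tool) || deny.includes("*");
}

function checkSandboxMode(cfg: AuditConfig): Finding | null {
  const mode = cfg.agents?.defaults?.sandbox?.mode ?? "off";
  if (mode === "all") return null;
  // Escalate to critical only if an exec/web tool can still run on the host.
  const hostExecAvailable = EXEC_OR_WEB_TOOLS.some((t) => !isToolDenied(cfg, t));
  return {
    checkId: "sandbox.mode_not_all",
    severity: hostExecAvailable ? "critical" : "warn",
    title: `Sandbox mode is "${mode}"`,
    detail: hostExecAvailable
      ? "Sandbox is disabled and exec/web tools are available; tool execution runs on the host without isolation."
      : "Sandbox is disabled, but exec/web tools are denied, which limits the exposure.",
    remediation: 'Set agents.defaults.sandbox.mode="all" to isolate all tool execution.',
  };
}

function checkDangerousToolsDenied(cfg: AuditConfig): Finding | null {
  const missing = DANGEROUS_TOOLS.filter((t) => !isToolDenied(cfg, t));
  if (missing.length === 0) return null;
  return {
    checkId: "tools.dangerous_not_denied",
    severity: "warn",
    title: "Dangerous tools not in deny list",
    detail: `Not denied: ${missing.join(", ")}`,
    remediation: "Add these tools to agents.defaults.tools.deny.",
  };
}

function checkGatewayTls(cfg: AuditConfig): Finding | null {
  if (cfg.gateway?.tls?.enabled === true) return null;
  // Escalate when the gateway listens on a non-loopback address (assumed field).
  const bind = cfg.gateway?.bind ?? "127.0.0.1";
  const loopback = bind === "127.0.0.1" || bind === "localhost" || bind === "::1";
  return {
    checkId: "gateway.tls_disabled",
    severity: loopback ? "warn" : "critical",
    title: "TLS not enabled",
    detail: loopback
      ? "Gateway is loopback-only; plaintext traffic stays on the local host."
      : `Gateway is bound to ${bind} without TLS.`,
    remediation: "Enable gateway.tls.",
  };
}

function auditConfig(cfg: AuditConfig): Finding[] {
  return [checkSandboxMode(cfg), checkDangerousToolsDenied(cfg), checkGatewayTls(cfg)]
    .filter((f): f is Finding => f !== null);
}

// Same one-line summary format as the CLI output quoted in the PR.
function summarize(findings: Finding[]): string {
  const count = (s: Severity) => findings.filter((f) => f.severity === s).length;
  return `Summary: ${count("critical")} critical · ${count("warn")} warn · ${count("info")} info`;
}

// Constructed sample configs: an unhardened default and a hardened one.
const DEFAULT_CONFIG: AuditConfig = {};
const HARDENED_CONFIG: AuditConfig = {
  agents: { defaults: { sandbox: { mode: "all" }, tools: { deny: ["exec", "shell"] } } },
  gateway: { tls: { enabled: true }, bind: "127.0.0.1" },
};

for (const f of auditConfig(DEFAULT_CONFIG)) {
  console.log(`${f.severity.toUpperCase()} ${f.checkId} ${f.title}\n  ${f.detail}\n  Fix: ${f.remediation}`);
}
console.log(summarize(auditConfig(DEFAULT_CONFIG)));
```

Running it against the empty config reports one critical and two warn findings; against `HARDENED_CONFIG` it reports none. Denying every tool (`deny: ["*"]`) while leaving the sandbox off downgrades `sandbox.mode_not_all` to warn, which is the escalation rule the review praises.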
