
#23586: Phase2 orchestrator

by Yaircohenh · open · 2026-02-22 13:24
channel: whatsapp-web size: XL
## Summary

Describe the problem and fix in 2–5 bullets:

- Problem:
- Why it matters:
- What changed:
- What did NOT change (scope boundary):

## Change Type (select all)

- [ ] Bug fix
- [ ] Feature
- [ ] Refactor
- [ ] Docs
- [ ] Security hardening
- [ ] Chore/infra

## Scope (select all touched areas)

- [ ] Gateway / orchestration
- [ ] Skills / tool execution
- [ ] Auth / tokens
- [ ] Memory / storage
- [ ] Integrations
- [ ] API / contracts
- [ ] UI / DX
- [ ] CI/CD / infra

## Linked Issue/PR

- Closes #
- Related #

## User-visible / Behavior Changes

List user-visible changes (including defaults/config). If none, write `None`.

## Security Impact (required)

- New permissions/capabilities? (`Yes/No`)
- Secrets/tokens handling changed? (`Yes/No`)
- New/changed network calls? (`Yes/No`)
- Command/tool execution surface changed? (`Yes/No`)
- Data access scope changed? (`Yes/No`)
- If any `Yes`, explain risk + mitigation:

## Repro + Verification

### Environment

- OS:
- Runtime/container:
- Model/provider:
- Integration/channel (if any):
- Relevant config (redacted):

### Steps

1.
2.
3.

### Expected

-

### Actual

-

## Evidence

Attach at least one:

- [ ] Failing test/log before + passing after
- [ ] Trace/log snippets
- [ ] Screenshot/recording
- [ ] Perf numbers (if relevant)

## Human Verification (required)

What you personally verified (not just CI), and how:

- Verified scenarios:
- Edge cases checked:
- What you did **not** verify:

## Compatibility / Migration

- Backward compatible? (`Yes/No`)
- Config/env changes? (`Yes/No`)
- Migration needed? (`Yes/No`)
- If yes, exact upgrade steps:

## Failure Recovery (if this breaks)

- How to disable/revert this change quickly:
- Files/config to restore:
- Known bad symptoms reviewers should watch for:

## Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write `None`.

- Risk:
- Mitigation:

---

<h3>Greptile Summary</h3>

This PR implements Phase 2 of the ClawOS orchestrator with security hardening, adding a kernel service with workspace isolation, capability-based token authorization, and an approval workflow for dangerous actions.

**Key changes:**

- New kernel service with SQLite-backed state management (workspaces, action requests, approvals, tokens)
- Orchestrator dispatch system with action registry (`send_email`, `web_search`, `read_file`, `write_file`, `run_shell`)
- Capability token system with HMAC signatures for authorizing write operations
- Filesystem safety layer with path traversal protection for workspace isolation
- Audit logging for action requests
- Lock/unlock mechanism using recovery phrase
- Docker compose configuration for multi-service architecture

**Critical security issues found:**

- Missing `assertUnlocked` checks on key endpoints allow bypassing kernel lock
- Kernel binds to `0.0.0.0`, exposing unauthenticated API to network
- Path traversal protection doesn't handle symlinks or Windows UNC paths
- Recovery phrase uses weak SHA-256 hashing without salt or KDF
- Approval expiry not validated before approval
- No workspace_id format validation in filesystem layer

**What works well:**

- Workspace validation against database before filesystem operations
- Token expiry cleanup on startup
- HMAC-based token signatures with timing-safe comparison
- Idempotent request handling with payload immutability checks
- `run_shell` action disabled by default

<h3>Confidence Score: 2/5</h3>

- This PR has multiple critical security vulnerabilities that must be fixed before merging
- Score of 2 reflects serious security issues: (1) missing authentication checks allow bypassing kernel lock on critical endpoints, (2) binding to 0.0.0.0 exposes unauthenticated API to network, (3) path traversal protection has edge cases with symlinks, (4) weak password hashing makes recovery phrase vulnerable to attacks, (5) expired approvals can still be granted. While the architecture shows good security design (capability tokens, workspace isolation, audit logging), the implementation gaps create exploitable vulnerabilities.
- `clawos-os/apps/kernel/src/index.js` (missing auth checks, weak hashing, network exposure) and `clawos-os/apps/kernel/src/orchestrator/fs-safe.js` (path traversal edge cases)

<sub>Last reviewed commit: 4743547</sub>
