
Implement Comprehensive Security Framework#785

Open
notsointresting wants to merge 1 commit into sipeed:main from notsointresting:main

Conversation

@notsointresting

📝 Description

This PR implements a comprehensive security framework for PicoClaw, addressing multiple security concerns:

Phase 1: Critical Security

  • SSRF Protection with IP blocklists, metadata endpoint blocking, and DNS rebinding defense
  • Privacy Redaction for API keys, tokens, passwords, and PII in logs
  • Unified Security Configuration Schema

Phase 2: Core Security

  • Audit Logging with tamper-evident HMAC hash chains
  • Rate Limiting using token bucket algorithm
  • Prompt Injection Defense with 40+ detection patterns

Phase 3: Credential Security

  • Add ChaCha20-Poly1305 encryption for credential storage
  • Integrate with OS keychain (Windows/macOS/Linux)
  • Create secure storage with fallback mechanisms
  • Update auth package to use encrypted storage
  • Add comprehensive tests

🗣️ Type of Change

  • 🐞 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 📖 Documentation update
  • ⚡ Code refactoring (no functional changes, no api changes)

🤖 AI Code Generation

  • 🤖 Fully AI-generated (100% AI, 0% Human)
  • 🛠️ Mostly AI-generated (AI draft, Human verified/modified)
  • 👨‍💻 Mostly Human-written (Human lead, AI assisted or none)

🔗 Related Issue

Closes #782

📚 Technical Context (Skip for Docs)

  • Reference URL: OWASP Top 10, CWE-918 (SSRF), OWASP Prompt Injection Guidelines
  • Reasoning: Security is foundational for any AI agent handling sensitive data and external communications. This implementation ensures PicoClaw can be safely deployed in production environments with defense-in-depth protection.

🧪 Test Environment

  • Hardware: PC
  • OS: Windows 11
  • Model/Provider: Multiple providers supported
  • Channels: All channels supported

📸 Evidence (Optional)

Test Results
$ go test ./pkg/auth/... ./pkg/ssrf/... ./pkg/redaction/... ./pkg/audit/... ./pkg/ratelimit/... ./pkg/injection/...
ok      github.com/sipeed/picoclaw/pkg/auth
ok      github.com/sipeed/picoclaw/pkg/ssrf
ok      github.com/sipeed/picoclaw/pkg/redaction
ok      github.com/sipeed/picoclaw/pkg/audit
ok      github.com/sipeed/picoclaw/pkg/ratelimit
ok      github.com/sipeed/picoclaw/pkg/injection

☑️ Checklist

  • My code/docs follow the style of this project.
  • I have performed a self-review of my own changes.
  • I have updated the documentation accordingly.

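The Phase 1 SSRF items above (IP blocklist, metadata endpoint blocking, DNS rebinding defence) as an added Go example. This is not PicoClaw's pkg/ssrf code or anything from this PR; the Checker type, the hostname blocklist and the CIDR list are the editor's assumptions, chosen to show the part that is easy to get wrong: the rebinding defence is not a second validation but a pinned dial, so the address that was checked is the address that gets connected to.

```go
package main

import (
	"context"
	"errors"
	"net"
	"net/url"
	"strings"
)

var ErrBlockedScheme = errors.New("ssrf: only http and https are allowed")
var ErrBlockedHost = errors.New("ssrf: hostname is on the blocklist")
var ErrBlockedIP = errors.New("ssrf: destination resolves to a blocked address")

// Loopback, RFC 1918, CGNAT, link-local (home of 169.254.169.254), multicast/reserved, IPv6 equivalents.
var blockedCIDRs = []string{
	"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
	"192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
}

// Names cloud providers alias to metadata services (assumed list, not PicoClaw's own).
var blockedHosts = map[string]bool{"localhost": true, "metadata.google.internal": true, "metadata": true}

// IsBlockedIP reports whether ip is in a blocked range. net.IPNet.Contains normalises
// IPv4-mapped IPv6, so the ::ffff:127.0.0.1 bypass is caught as 127.0.0.1.
func IsBlockedIP(ip net.IP) bool {
	for _, c := range blockedCIDRs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// Checker validates outbound destinations. Lookup is injectable so the policy can be
// tested offline; in production set it to net.DefaultResolver.LookupIPAddr.
type Checker struct {
	Lookup func(ctx context.Context, host string) ([]net.IPAddr, error)
}

// CheckURL enforces the scheme and host policy and returns the validated addresses.
func (c *Checker) CheckURL(ctx context.Context, raw string) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, ErrBlockedScheme
	}
	return c.ResolveAndCheck(ctx, u.Hostname())
}

// ResolveAndCheck applies the hostname blocklist, then resolves and checks every address.
func (c *Checker) ResolveAndCheck(ctx context.Context, host string) ([]net.IP, error) {
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	if blockedHosts[host] || strings.HasSuffix(host, ".localhost") {
		return nil, ErrBlockedHost
	}
	if ip := net.ParseIP(host); ip != nil { // IP literal: no DNS involved
		if IsBlockedIP(ip) {
			return nil, ErrBlockedIP
		}
		return []net.IP{ip}, nil
	}
	addrs, err := c.Lookup(ctx, host)
	if err != nil {
		return nil, err
	}
	if len(addrs) == 0 {
		return nil, errors.New("ssrf: hostname did not resolve")
	}
	var ips []net.IP
	for _, a := range addrs {
		// Any blocked record rejects the whole name; a mixed public/private answer must not pass.
		if IsBlockedIP(a.IP) {
			return nil, ErrBlockedIP
		}
		ips = append(ips, a.IP)
	}
	return ips, nil
}

// PinnedDialAddr resolves host:port once, validates it and returns an IP:port literal. Dialling
// the literal is the rebinding defence: no second lookup can answer "public" then "127.0.0.1".
func (c *Checker) PinnedDialAddr(ctx context.Context, addr string) (string, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return "", err
	}
	ips, err := c.ResolveAndCheck(ctx, host)
	if err != nil {
		return "", err
	}
	return net.JoinHostPort(ips[0].String(), port), nil
}

// DialContext is a drop-in for http.Transport.DialContext, so redirect hops are checked too.
// TLS still verifies the original hostname: the transport takes ServerName from the request.
func (c *Checker) DialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	pinned, err := c.PinnedDialAddr(ctx, addr)
	if err != nil {
		return nil, err
	}
	return (&net.Dialer{}).DialContext(ctx, network, pinned)
}
```

Wire it in with `ch := &Checker{Lookup: net.DefaultResolver.LookupIPAddr}` and `&http.Client{Transport: &http.Transport{DialContext: ch.DialContext}}`. Because the transport calls DialContext for every hop, a redirect from an allowed host to 127.0.0.1 is rejected at the same point as a direct request, and the Go transport still validates the certificate against the hostname in the URL rather than the pinned IP.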
- Add ChaCha20-Poly1305 encryption for credential storage
- Integrate with OS keychain (Windows/macOS/Linux)
- Create secure storage with fallback mechanisms
- Update auth package to use encrypted storage
- Add comprehensive tests
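The Phase 2 audit logging item (tamper-evident HMAC hash chains) as an added Go example, not PicoClaw's pkg/audit code or anything from this PR; the Entry fields, the genesis value and the JSON canonicalisation are the editor's assumptions. It shows what the chain does and does not detect: editing, deleting or reordering any record breaks that record's MAC or the link after it, but silently dropping the newest records does not, which is why Verify also accepts an out-of-band head value.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"time"
)

// Entry is one audit record. Prev carries the MAC of the preceding entry and MAC covers
// every field including Prev, so altering, deleting or reordering an earlier record
// invalidates that record and every one after it.
type Entry struct {
	Seq    uint64 `json:"seq"`
	Time   string `json:"time"`
	Actor  string `json:"actor"`
	Action string `json:"action"`
	Detail string `json:"detail"`
	Prev   string `json:"prev"`
	MAC    string `json:"mac,omitempty"`
}

// genesis is the Prev value of the first entry: 32 zero bytes, hex encoded (assumed convention).
var genesis = hex.EncodeToString(make([]byte, 32))

// Chain appends entries under a secret key. In deployment the key would live in the
// keychain or encrypted store the PR describes; here it is just a byte slice.
type Chain struct {
	key     []byte
	last    string
	Entries []Entry
}

func NewChain(key []byte) *Chain { return &Chain{key: key, last: genesis} }

// macOf computes HMAC-SHA256 over the canonical JSON of e with MAC cleared. json.Marshal
// emits struct fields in declaration order, which keeps the encoding deterministic.
func macOf(key []byte, e Entry) string {
	e.MAC = ""
	b, _ := json.Marshal(e)
	m := hmac.New(sha256.New, key)
	m.Write(b)
	return hex.EncodeToString(m.Sum(nil))
}

// Append records an event and links it to the previous entry.
func (c *Chain) Append(actor, action, detail string) Entry {
	e := Entry{
		Seq: uint64(len(c.Entries)) + 1, Time: time.Now().UTC().Format(time.RFC3339Nano),
		Actor: actor, Action: action, Detail: detail, Prev: c.last,
	}
	e.MAC = macOf(c.key, e)
	c.last = e.MAC
	c.Entries = append(c.Entries, e)
	return e
}

// Head returns the MAC of the latest entry. Store it somewhere the log writer cannot
// reach (another host, a signed heartbeat): a chain alone cannot tell a truncated log
// from a short one.
func (c *Chain) Head() string { return c.last }

// Verify walks the log and returns the index of the first entry whose sequence number,
// Prev link or MAC does not check out, or -1 if the chain is intact. If head is non-empty
// the final MAC must also equal it, which is what catches truncation.
func Verify(key []byte, entries []Entry, head string) int {
	prev := genesis
	for i, e := range entries {
		if e.Seq != uint64(i)+1 || e.Prev != prev ||
			!hmac.Equal([]byte(e.MAC), []byte(macOf(key, e))) {
			return i
		}
		prev = e.MAC
	}
	if head != "" && prev != head {
		return len(entries)
	}
	return -1
}
```

Two design points worth noting: the MAC is keyed, so an attacker who can rewrite the log file but does not hold the key cannot re-MAC an edited record and repair the chain behind it; and the key should not be written next to the log, otherwise the tamper evidence protects against nothing the log writer itself could not undo.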

Development

Successfully merging this pull request may close these issues.

Comprehensive Security Framework