feat: enterprise security gaps — RBAC, audit, exceptions, baseline, SIEM, dedup #127
Merged
andres-linero merged 9 commits into main, Mar 2, 2026
…ine, SIEM, dedup

Address 10 critical enterprise gaps identified in security team evaluation:

1. RBAC (rbac.py) — admin/analyst/viewer roles with permission matrix, API key mapping, header-based resolution
2. Immutable audit trail (audit_log.py) — HMAC-signed append-only log, InMemory + SQLite backends, tamper detection
3. Exception/waiver management (exception_store.py) — CVE/package exceptions with PENDING→APPROVED→ACTIVE→EXPIRED lifecycle
4. Baseline comparison (baseline.py) — scan-to-scan diff showing new, resolved, persistent vulns and severity changes
5. Trend analysis (baseline.py) — historical posture score + vuln count tracking with InMemory + SQLite stores
6. SIEM connectors (siem/) — Splunk HEC, Datadog Logs, Elasticsearch with send_event, send_batch, health_check
7. Alert dedup (alerts/dedup.py) — content fingerprinting with configurable suppression window (default 24h)
8. API endpoints — /v1/audit, /v1/exceptions, /v1/baseline/compare, /v1/trends, /v1/siem/connectors, /v1/siem/test

57 new tests covering all features.
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Scanned Files: None
andres-linero
previously approved these changes
Mar 2, 2026
…store

Both SQL queries use parameterized values (?) with static column names — Bandit flags the f-string WHERE clause construction but all user input flows through parameter binding, not string interpolation.
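The pattern that commit message describes, as an added example (not code from this PR): the WHERE clause is assembled with an f-string, but only from a static allowlist of fragments, while every value travels as a bound `?` parameter. The table name `audit_log`, its columns and the `FILTERS` map are assumptions chosen to mirror the action/resource/timestamp filters of `/v1/audit`.

```python
import sqlite3

# Static allowlist: filter name -> SQL fragment. Only these literals reach the query text.
FILTERS = {
    "action": "action = ?",
    "resource": "resource = ?",
    "since": "ts >= ?",
}


def build_query(filters: dict) -> tuple:
    clauses, params = [], []
    for name, value in filters.items():
        if name not in FILTERS:
            # Unknown keys are rejected instead of being spliced into the SQL text.
            raise ValueError(f"unsupported filter: {name!r}")
        if value is None:
            continue
        clauses.append(FILTERS[name])
        params.append(value)
    where = f" WHERE {' AND '.join(clauses)}" if clauses else ""
    # Bandit's B608 check fires on this f-string; it joins FILTERS fragments only.
    sql = f"SELECT id, action, resource, ts FROM audit_log{where} ORDER BY id"
    return sql, params


def query(conn, **filters):
    sql, params = build_query(filters)
    return conn.execute(sql, params).fetchall()


def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE audit_log (id INTEGER PRIMARY KEY, action TEXT, resource TEXT, ts TEXT)"
    )
    rows = [  # constructed sample rows
        ("scan.run", "scan-7", "2026-03-01T09:00:00Z"),
        ("exception.approve", "exc-1", "2026-03-02T10:00:00Z"),
        ("exception.revoke", "exc-1", "2026-03-02T10:09:00Z"),
    ]
    conn.executemany("INSERT INTO audit_log (action, resource, ts) VALUES (?, ?, ?)", rows)
    return conn
```

A value such as `scan.run' OR '1'='1` is compared as a literal string and matches no row; the static-analysis finding is only safe to dismiss while nothing outside `FILTERS` can reach the query text.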
…w trust feedback

- Restructured to Agent Skills specification format (frontmatter + concise body)
- Added top-level metadata fields (homepage, source, pypi, scorecard) to fix OpenClaw "source: unknown, homepage: none" metadata mismatch
- Moved local-first installation to primary recommendation (before remote SSE)
- De-emphasized Railway endpoint to optional convenience section
- Added local MCP server config and self-host Docker instructions
- Kept OpenClaw metadata in metadata.openclaw for backward compatibility
- Condensed security boundaries and verification sections
The deployed Railway SSE server returned 404 on /, /health, and exposed no discoverable metadata — causing OpenClaw to flag "source: unknown, homepage: none".

Now:
- GET / returns JSON with name, version, homepage, source, license, pypi
- GET /health returns status, name, version for monitoring
- Trust evaluators that probe HTTP paths (not just MCP initialize) can now discover server identity without establishing an SSE session
… format
Tests expected old-format phrases ("Remote MCP server", "does not read your
local files"). Updated to match restructured SKILL.md which uses "remote MCP
endpoint" and "Never send" security boundaries section.
…hrough an exception

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Replace raw str(exc) with sanitize_error() in HTTPException detail fields to prevent stack trace information exposure to external users.
…string

Copilot autofix (cdb8c50) changed sanitize_error to always return a constant generic message, breaking tests and removing useful error context for validation errors. Restore original behavior: strip paths/URLs but return the sanitized message so clients get actionable feedback.
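A sketch of the behavior these two commit messages describe, as an added example rather than the project's `sanitize_error`: mask filesystem paths and URLs in the exception message, keep the rest so validation errors stay actionable, and fall back to a generic string only when nothing is left. The regular expressions, the `<path>`/`<url>` tokens and the first-line-only rule are assumptions.

```python
import re

# Order matters: URLs first, so their path component is not rewritten separately.
_RULES = [
    (re.compile(r"\b[a-zA-Z][a-zA-Z0-9+.-]*://[^\s'\"<>]+"), "<url>"),
    (re.compile(r"\b[A-Za-z]:\\[^\s'\"<>]+"), "<path>"),                   # Windows paths
    (re.compile(r"(?<![\w.<])(?:~|\.{1,2})?/[^\s'\"<>,;:)]+"), "<path>"),  # POSIX paths
]
GENERIC = "Internal error"


def sanitize_error(exc: BaseException, max_len: int = 200) -> str:
    """Return the exception message with paths and URLs masked."""
    lines = str(exc).strip().splitlines()
    # Keep only the first line: later lines are where traceback text ends up.
    message = lines[0] if lines else ""
    for pattern, token in _RULES:
        message = pattern.sub(token, message)
    return message[:max_len] or GENERIC


# Constructed sample exceptions.
LEAKY = FileNotFoundError(
    "cannot read '/srv/app/data/scan_42.json'; "
    "cache at https://user:s3cret@cache.internal:8443/v1/blob?id=9 unreachable"
)
VALIDATION = ValueError("severity must be one of critical/high/medium/low, got 'urgent'")
```

The lookbehind in the POSIX rule is what leaves `critical/high/medium/low` intact; a slash preceded by a word character is treated as ordinary text, not a path.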
andres-linero
previously approved these changes
Mar 2, 2026
…hrough an exception

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
andres-linero
approved these changes
Mar 2, 2026
Summary

Addresses 10 critical enterprise gaps identified during the security team scenario evaluation:

- rbac.py
- api/audit_log.py
- api/exception_store.py
- baseline.py
- baseline.py
- siem/__init__.py
- alerts/dedup.py
- api/server.py

New API Endpoints

- GET /v1/audit — list audit entries (filterable by action, resource, timestamp)
- GET /v1/audit/integrity — verify HMAC integrity of audit log
- POST /v1/exceptions — request a vulnerability exception
- GET /v1/exceptions — list all exceptions
- GET /v1/exceptions/{id} — get specific exception
- PUT /v1/exceptions/{id}/approve — approve pending exception
- PUT /v1/exceptions/{id}/revoke — revoke active exception
- DELETE /v1/exceptions/{id} — delete exception
- POST /v1/baseline/compare — compare two scans for new/resolved vulns
- GET /v1/trends — historical posture and vulnerability trends
- GET /v1/siem/connectors — list available SIEM types
- POST /v1/siem/test — test SIEM connectivity

Test plan

test_enterprise_gaps.py
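What an integrity check like `GET /v1/audit/integrity` has to establish for an HMAC-signed append-only log, as an added example that is not code from this PR. It assumes a hash-chained design in which each entry's HMAC also covers the previous entry's HMAC; the class name, entry fields and `GENESIS` anchor are hypothetical.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry's "prev" field
FIELDS = ("actor", "action", "resource", "ts")  # hypothetical entry schema


class AuditLog:
    """In-memory append-only log; each entry's HMAC also covers the previous HMAC."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _mac(self, prev: str, record: dict) -> str:
        # Canonical JSON so the same record always serializes to the same bytes.
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, f"{prev}\n{body}".encode(), hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str, resource: str, ts: str) -> None:
        record = dict(zip(FIELDS, (actor, action, resource, ts)))
        prev = self.entries[-1]["hmac"] if self.entries else GENESIS
        self.entries.append({**record, "prev": prev, "hmac": self._mac(prev, record)})

    def verify(self):
        """Return (ok, index of the first entry that fails), walking the chain in order."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            expected = self._mac(prev, {k: entry[k] for k in FIELDS})
            # compare_digest keeps the comparison constant-time.
            if entry["prev"] != prev or not hmac.compare_digest(entry["hmac"], expected):
                return False, i
            prev = entry["hmac"]
        return True, None


def demo() -> dict:
    log = AuditLog(key=b"constructed-demo-key")  # a real key comes from a secret store
    log.append("alice", "exception.approve", "exc-1", "2026-03-02T10:00:00Z")
    log.append("bob", "scan.run", "scan-7", "2026-03-02T10:05:00Z")
    log.append("alice", "exception.revoke", "exc-1", "2026-03-02T10:09:00Z")
    results = {"clean": log.verify()}
    log.entries[1]["actor"] = "mallory"   # edit a field in place
    results["edited"] = log.verify()
    del log.entries[1]                    # drop the entry entirely
    results["deleted"] = log.verify()
    return results
```

A chain like this catches edits, reordering and deletion in the middle of the log; removing the newest entries still verifies, so the latest HMAC has to be recorded somewhere the log writer cannot reach.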