Skip to content

docs: add Station profiles security roadmap#346

Merged
vincentkoc merged 6 commits into
openclaw:mainfrom
zozo123:docs/station-profiles-security-roadmap
Jun 24, 2026
Merged

docs: add Station profiles security roadmap#346
vincentkoc merged 6 commits into
openclaw:mainfrom
zozo123:docs/station-profiles-security-roadmap

Conversation

@zozo123

@zozo123 zozo123 commented Jun 14, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Documents the planned Station profile primitive, agent profile boundary, and phase gates from Roadmap: Station profiles for supervised agent workloads and reasoning access #193.
  • Adds the initial unwired internal/station package for parsing Station profiles, agent profile phase gates, and modelAccess policy checks.
  • Keeps modelAccess explicitly security-gated and separate from ordinary env.allow forwarding.
  • Links the roadmap from feature docs and the security secrets section.
  • Fixes the documented agent profile example so it is admitted by NewAgentProfile, with a regression test that extracts the roadmap YAML sample.

Scope / merge note

This is a roadmap and internal skeleton PR. It does not wire Station profiles into the runtime path yet and should not be treated as closing the full Station/modelAccess product roadmap.

Because this introduces new security-boundary code under internal/station, it still needs maintainer/security signoff even though current CI and local validation are green.

Verification

Maintainer validation on current head b0aeec9cc23c55d6b85f19d73af2da083e6a0158:

go test ./internal/station
go test ./internal/station ./internal/cli ./cmd/crabbox
node scripts/check-command-docs.mjs
node scripts/check-docs-links.mjs
go vet ./...
go build -trimpath -o bin/crabbox ./cmd/crabbox
git diff --check
go test ./...

GitHub checks are green on the same head: Go, Apple VZ, Worker, Scripts, Docs, Release Check, and Socket checks.

Refs #193.

@clawsweeper

clawsweeper Bot commented Jun 14, 2026

Copy link
Copy Markdown
Contributor

Codex review: needs maintainer review before merge. Reviewed June 24, 2026, 4:58 AM ET / 08:58 UTC.

Summary
Adds Station profile roadmap docs plus a disabled internal/station package with profile parsing, phase gates, agent-profile admission, modelAccess/env.allow boundary checks, and tests.

Reproducibility: not applicable. This PR implements a feature roadmap/skeleton rather than fixing a reproducible current-main bug. Source inspection and comments verify current main lacks the Station/modelAccess surface and the PR is additive.

Review metrics: 2 noteworthy metrics.

  • Changed surface: 8 files changed, 1046 additions, 0 deletions. The PR is an additive docs plus runtime skeleton change, not a small documentation-only update.
  • Runtime package added: 5 Go files added under internal/station. New internal code means API shape and security-boundary semantics need maintainer review before merge.

Root-cause cluster
Relationship: partial_overlap
Canonical: #193
Summary: This PR partially documents and codifies the open Station/modelAccess roadmap, while related harness and agent-runtime items remain distinct.

Members:

Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🦞 diamond lobster
Patch quality: 🦐 gold shrimp
Result: needs maintainer review before merge.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Get explicit maintainer/security signoff for the internal/station and modelAccess/env.allow contract, or split runtime code from the roadmap docs.

Risk before merge

  • [P1] Merging publishes internal/station, ModelAccessPolicy, and AuthorizeModelAccess as future security-boundary contracts before explicit maintainer/security acceptance.
  • [P1] The package is intentionally unwired, so the current tests do not prove Station lifecycle, credential issuance, revocation, egress, or evidence behavior; that is acceptable only if maintainers treat it as a roadmap skeleton.

Maintainer options:

  1. Sign off the skeleton deliberately (recommended)
    Maintainers/security can approve this unwired package as the baseline contract for later Station/modelAccess work before merging.
  2. Split docs from runtime code
    Keep the roadmap and security notes here, but remove internal/station until the product/security contract is explicitly approved.
  3. Pause for the umbrella roadmap
    Leave this PR open or close it in favor of Roadmap: Station profiles for supervised agent workloads and reasoning access #193 until Phase 1 Station boundaries are settled.

Next step before merge

  • [P2] Manual review remains because the blocker is explicit maintainer/security acceptance of the new Station/modelAccess boundary, not a narrow automated repair.

Security
Needs attention: Needs maintainer/security attention because the diff introduces a future credential-boundary API, even though it does not deliver secrets yet.

Review details

Best possible solution:

Merge the roadmap/skeleton only after maintainers explicitly accept the internal Station/modelAccess boundary; otherwise keep the docs roadmap and defer internal/station to a separate design-backed PR.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this PR implements a feature roadmap/skeleton rather than fixing a reproducible current-main bug. Source inspection and comments verify current main lacks the Station/modelAccess surface and the PR is additive.

Is this the best way to solve the issue?

Unclear: the staged docs and disabled skeleton are maintainable if maintainers want to bless this API seam. The safer alternative is to split docs from runtime code until the Station/modelAccess contract is approved.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 0301236b2752.

Label changes

Label changes:

  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): A member validation comment and PR body report current-head local commands plus green GitHub checks for the unwired package and docs link/sample checks.
  • remove status: ⏳ waiting on author: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

  • P2: This is a normal-priority feature/security-boundary PR with limited immediate runtime blast radius because the package is unwired.
  • merge-risk: 🚨 security-boundary: The PR creates future modelAccess credential-gate and env.allow separation semantics before the full Station security model is approved.
  • rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🦞 diamond lobster and patch quality is 🦐 gold shrimp.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): A member validation comment and PR body report current-head local commands plus green GitHub checks for the unwired package and docs link/sample checks.
  • proof: sufficient: Contributor real behavior proof is sufficient. A member validation comment and PR body report current-head local commands plus green GitHub checks for the unwired package and docs link/sample checks.
Evidence reviewed

Security concerns:

  • [medium] Approve Station/modelAccess boundary before merge — internal/station/gate.go:113
    The new internal package defines ModelAccessPolicy and AuthorizeModelAccess, including env.allow conflict behavior, while docs state live credential delivery and station lifecycle are later phases; maintainers should explicitly accept this as the baseline before merge.
    Confidence: 0.88

What I checked:

  • Repository policy read and applied: AGENTS.md was read fully; its generic product positioning, provider-neutral boundary, and secret-handling guidance are relevant to this docs plus security-boundary PR. (AGENTS.md:1, 0301236b2752)
  • PR scope is not docs-only: GitHub PR metadata reports 8 changed files, 1046 additions, 0 deletions, and 5 added Go files under internal/station on head b0aeec9. (b0aeec9cc23c)
  • Roadmap explicitly says runtime wiring remains future work: The new roadmap says there is still no crabbox station command, no top-level stationProfile config wiring, and no live modelAccess credential delivery. (docs/features/station-profiles.md:6, b0aeec9cc23c)
  • Security-boundary seam is introduced in code: AuthorizeModelAccess defines the future modelAccess gate and rejects env.allow conflicts, establishing credential-boundary semantics even though no secret delivery is wired yet. (internal/station/gate.go:113, b0aeec9cc23c)
  • Selector-contract finding appears fixed: The documented agent profile now includes agent: true, and TestRoadmapAgentProfileExampleIsAdmitted extracts that YAML block and admits it through NewAgentProfile. (internal/station/station_test.go:48, b0aeec9cc23c)
  • Current main does not already implement the surface: A targeted current-main search found no StationProfile, NewAgentProfile, AuthorizeModelAccess, stationProfile, modelAccess, or crabbox station implementation in the checkout. (0301236b2752)

Likely related people:

  • Peter Steinberger: Recent current-main history touches command/config, provider backend, worker runtime, and evidence surfaces that Station would extend. (role: recent runtime and provider-contract contributor; confidence: high; commits: 0301236b2752, 7763eecdf759, 25eaa87cf3dc; files: internal/cli/config.go, internal/cli/provider_backend.go, worker/src/types.ts)
  • Coy Geek: Current-main history shows provider lifecycle, host-execution trust gates, and security-doc work adjacent to the proposed Station/modelAccess boundary. (role: recent provider and security-boundary contributor; confidence: high; commits: 2a4aa78ad111, 3f72d94e2ae7, c1c6745a1d2c; files: internal/cli/config.go, docs/security.md, internal/providers)
  • zozo123: This handle authored the Station roadmap and has current-main history in delegated providers, evidence artifacts, and config/runtime-adjacent surfaces. (role: roadmap proposer and adjacent current-main contributor; confidence: medium; commits: f50fa9691968, b2356e0f5173, 8b246f6f96b7; files: internal/cli/run_artifacts.go, internal/cli/provider_backend.go, internal/cli/config.go)
  • vincentkoc: This handle committed the latest modelAccess/env.allow hardening on the PR head and has recent current-main provider/security-adjacent fixes. (role: current-head hardening contributor and adjacent security contributor; confidence: medium; commits: d690067fec2e, b0aeec9cc23c, 938df1d9dfd5; files: internal/station/gate.go, internal/station/station_test.go, internal/providers)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@zozo123
zozo123 force-pushed the docs/station-profiles-security-roadmap branch from 30ebfc8 to 27c0d91 Compare June 14, 2026 06:58
@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. and removed rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. labels Jun 14, 2026
zozo123 and others added 5 commits June 24, 2026 13:04
Document the Station profile and modelAccess boundaries from issue openclaw#193 so future implementation PRs have reviewable phase gates.

Co-authored-by: Cursor <cursoragent@cursor.com>
Scaffold the first buildable slice of the Station profile primitive from
issue openclaw#193, matching the disabled-by-default skeleton style used elsewhere
in the repo.

internal/station provides:
- StationProfile config struct with YAML parsing and validation
- the AgentProfile boundary type (repo-owned command, Crabbox-supervised)
- feature-gated phase enforcement (Gate) that returns clear
  "not yet enabled" errors until each roadmap phase is turned on
- ModelAccessPolicy as a separate, audited field that is never sourced
  from env.allow, with AuthorizeModelAccess rejecting any gateway leaked
  through env.allow forwarding

Nothing is enabled by default: profiles are inert unless explicitly
enabled, and no station command, lifecycle, or live credential delivery
is wired up yet (those land in later, separately reviewed phases).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Update the Station profiles roadmap status to reflect that
internal/station now ships the disabled-by-default config primitive,
agent-profile boundary, phase gates, and env.allow-separated modelAccess
gating, while the CLI command and live credential delivery remain future
phases.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@vincentkoc
vincentkoc force-pushed the docs/station-profiles-security-roadmap branch from 09be5ff to d690067 Compare June 24, 2026 05:09
@vincentkoc

Copy link
Copy Markdown
Member

@clawsweeper re-review

Maintainer repair/proof update for current head d690067fec2e752a53da0bea03eb5e4b8739cccd:

Local validation passed after the modelAccess/env.allow boundary hardening:

go test ./internal/station
go test ./internal/station ./internal/cli ./cmd/crabbox
go vet ./...
node scripts/check-command-docs.mjs
node scripts/check-docs-links.mjs
go build -trimpath -o bin/crabbox ./cmd/crabbox
go test ./...
git diff --check

GitHub PR checks are now green on the same head: CI/Go, CI/Apple VZ, CI/Worker, CI/Scripts, CI/Docs, CI/Release Check, and Socket checks.

Remaining maintainer note: this should still be treated as security/product-signoff gated unless ClawSweeper/maintainers accept the unwired Station/modelAccess skeleton and the hardened env boundary as sufficient for this roadmap PR.

@clawsweeper

clawsweeper Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@clawsweeper clawsweeper Bot added proof: sufficient Contributor real behavior proof is sufficient. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jun 24, 2026
@vincentkoc

Copy link
Copy Markdown
Member

@clawsweeper re-review

Updated the PR body so it no longer presents this as docs-only. It now calls out the unwired internal/station package, the modelAccess/env.allow boundary, the current green validation, and the remaining maintainer/security-signoff gate.

@vincentkoc

Copy link
Copy Markdown
Member

@clawsweeper re-review

Fixed the remaining source-reproducible finding: the roadmap agent profile example now includes agent: true, and TestRoadmapAgentProfileExampleIsAdmitted extracts that documented YAML block and admits it through NewAgentProfile with PhaseAgentProfile enabled.

Head: b0aeec9cc23c55d6b85f19d73af2da083e6a0158
CI: https://github.com/openclaw/crabbox/actions/runs/28080737246

Local verification passed:

go test ./internal/station
go test ./internal/station ./internal/cli ./cmd/crabbox
node scripts/check-command-docs.mjs
node scripts/check-docs-links.mjs
go vet ./...
go build -trimpath -o bin/crabbox ./cmd/crabbox
git diff --check
go test ./...

Public CI is green across Go, Apple VZ, Worker, Scripts, Docs, and Release Check.

@clawsweeper

clawsweeper Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@vincentkoc

Copy link
Copy Markdown
Member

@clawsweeper re-review

Checked current head b0aeec9cc23c55d6b85f19d73af2da083e6a0158 against the selector-contract finding.

The earlier station.profiles.agent vs agent: true mismatch appears fixed on this head:

  • docs/features/station-profiles.md now shows the agent profile with agent: true;
  • internal/station/station_test.go has TestRoadmapAgentProfileExampleIsAdmitted, which extracts that roadmap YAML block and admits it through NewAgentProfile(DefaultGate().WithPhase(PhaseAgentProfile), profile);
  • internal/station/gate.go still intentionally requires p.Agent, matching the updated example and boundary type.

Current PR state has proof sufficient and green CI; remaining blocker should be maintainer/security signoff for the unwired Station/modelAccess seam, not the stale selector mismatch.

@clawsweeper clawsweeper Bot added status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. and removed status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. labels Jun 24, 2026
@vincentkoc

Copy link
Copy Markdown
Member

Maintainer/security signoff for current head b0aeec9cc23c55d6b85f19d73af2da083e6a0158.

I am accepting this as an unwired internal skeleton and roadmap boundary, not as shipped Station runtime behavior:

  • no crabbox station command is wired;
  • no top-level stationProfile config wiring exists;
  • DefaultGate() leaves every phase disabled;
  • modelAccess stores policy metadata only and does not deliver secrets;
  • AuthorizeModelAccess rejects ordinary env.allow overlap before any future credential path can be added.

Current validation:

go test ./internal/station ./internal/cli ./cmd/crabbox
node scripts/check-command-docs.mjs
node scripts/check-docs-links.mjs
go vet ./...
go build -trimpath -o bin/crabbox ./cmd/crabbox
git diff --check
go test ./...

Public CI is green and merge state is clean. Merging with rebase, not squash.

@vincentkoc
vincentkoc merged commit 73549f3 into openclaw:main Jun 24, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. P2 Normal priority bug or improvement with limited blast radius. proof: sufficient Contributor real behavior proof is sufficient. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants