FR-D1: Add least-privilege auth guidance to SECURITY-HARDENING.md
- Agent-scoped keys vs global API key comparison
- Auth hierarchy table (scoped key > global key > session > proxy)
- CLI examples for creating scoped keys
- Monitoring guidance for global key usage
FR-D2: Log security event when global admin API key is used
- Emits 'global_api_key_used' event to audit trail
- Hints toward agent-scoped keys for least-privilege
FR-D3: Add durable spawn history persistence
- New migration 043_spawn_history with indexed table
- spawn-history.ts with recordSpawnStart/Finish, getSpawnHistory,
getSpawnStats functions
- Replaces log-scraping fallback with DB-backed tracking
FR-D4: Document rate-limit backend strategy
- Current in-memory Map approach documented
- Pluggable backend plan for multi-instance (Redis, SQLite WAL)
- Per-agent rate limiter details documented
Also fixes MCP test type annotation (content: string → any).
| Name | ||
|---|---|---|
| fixtures/openclaw | ||
| README.md | ||
| actor-identity-hardening.spec.ts | ||
| agent-api-keys.spec.ts | ||
| agent-attribution.spec.ts | ||
| agent-comms.spec.ts | ||
| agent-costs.spec.ts | ||
| agent-diagnostics.spec.ts | ||
| agent-evals.spec.ts | ||
| agent-model-config.spec.ts | ||
| agent-optimize.spec.ts | ||
| agent-self-register.spec.ts | ||
| agents-crud.spec.ts | ||
| alerts-crud.spec.ts | ||
| api-index.spec.ts | ||
| auth-guards.spec.ts | ||
| channels-api.spec.ts | ||
| chat-session-prefs.spec.ts | ||
| cli-integration.spec.ts | ||
| cron-operations.spec.ts | ||
| csrf-validation.spec.ts | ||
| delete-body.spec.ts | ||
| device-identity.spec.ts | ||
| device-management.spec.ts | ||
| diagnostics-api.spec.ts | ||
| direct-cli.spec.ts | ||
| docker-mode.spec.ts | ||
| docs-knowledge.spec.ts | ||
| exec-approval-allowlist.spec.ts | ||
| gateway-config.spec.ts | ||
| gateway-connect.spec.ts | ||
| gateway-health-history.spec.ts | ||
| github-sync.spec.ts | ||
| helpers.ts | ||
| i18n-language-switcher.spec.ts | ||
| injection-guard-endpoints.spec.ts | ||
| legacy-cookie-removed.spec.ts | ||
| limit-caps.spec.ts | ||
| local-agent-sync.spec.ts | ||
| login-flow.spec.ts | ||
| mcp-server.spec.ts | ||
| memory-knowledge.spec.ts | ||
| mentions.spec.ts | ||
| notifications.spec.ts | ||
| onboarding-api.spec.ts | ||
| openapi.spec.ts | ||
| openclaw-harness.spec.ts | ||
| project-agents.spec.ts | ||
| projects-crud.spec.ts | ||
| quality-review.spec.ts | ||
| rate-limiting.spec.ts | ||
| search-and-export.spec.ts | ||
| security-audit.spec.ts | ||
| security-scan-api.spec.ts | ||
| session-controls.spec.ts | ||
| sessions-continue.spec.ts | ||
| skills-crud.spec.ts | ||
| skills-registry.spec.ts | ||
| task-comments.spec.ts | ||
| task-outcomes.spec.ts | ||
| task-queue.spec.ts | ||
| task-regression.spec.ts | ||
| tasks-crud.spec.ts | ||
| tenant-workspaces.spec.ts | ||
| timing-safe-auth.spec.ts | ||
| user-management.spec.ts | ||
| webhooks-crud.spec.ts | ||
| workflows-crud.spec.ts | ||
| workload-signals.spec.ts | ||
README.md
E2E Tests
Playwright end-to-end specs for Mission Control API and UI.
Running
# Start the dev server first (or let Playwright auto-start via reuseExistingServer)
pnpm dev --hostname 127.0.0.1 --port 3005
# Run all tests
pnpm test:e2e
# Run offline OpenClaw harness (no OpenClaw install required)
pnpm test:e2e:openclaw
# Run a specific spec
pnpm exec playwright test tests/tasks-crud.spec.ts
Test Environment
Tests require .env.local with:
- API_KEY=test-api-key-e2e-12345
- MC_DISABLE_RATE_LIMIT=1 (bypasses mutation/read rate limits, keeps login rate limit active)
OpenClaw Offline Harness
The harness runs Mission Control against fixture data and mock binaries/gateway:
- fixtures: tests/fixtures/openclaw/
- mock CLI: scripts/e2e-openclaw/bin/{openclaw,clawdbot}
- mock gateway: scripts/e2e-openclaw/mock-gateway.mjs
Profiles:
- pnpm test:e2e:openclaw:local - local mode (gateway not running)
- pnpm test:e2e:openclaw:gateway - gateway mode (mock gateway running)
Spec Files
Security & Auth
- auth-guards.spec.ts — All API routes return 401 without auth
- csrf-validation.spec.ts — CSRF origin header validation
- legacy-cookie-removed.spec.ts — Old cookie format rejected
- login-flow.spec.ts — Login, session, redirect lifecycle
- rate-limiting.spec.ts — Login brute-force protection
- timing-safe-auth.spec.ts — Constant-time API key comparison
CRUD Lifecycle
- tasks-crud.spec.ts — Tasks POST/GET/PUT/DELETE with filters, Aegis gate
- agents-crud.spec.ts — Agents CRUD, lookup by name/id, admin-only delete
- task-comments.spec.ts — Threaded comments on tasks
- workflows-crud.spec.ts — Workflow template CRUD
- webhooks-crud.spec.ts — Webhooks with secret masking and regeneration
- alerts-crud.spec.ts — Alert rule CRUD with full lifecycle
- user-management.spec.ts — User admin CRUD
Features
- notifications.spec.ts — Notification delivery and read tracking
- quality-review.spec.ts — Quality reviews with batch lookup
- search-and-export.spec.ts — Global search, data export, activity feed
Infrastructure
- limit-caps.spec.ts — Endpoint limit caps enforced
- delete-body.spec.ts — DELETE body standardization
Shared
- helpers.ts — Factory functions (createTestTask, createTestAgent, etc.) and cleanup helpers