feat: Security hardening, CLI refactoring, and agent metrics#1

Open
foozio wants to merge 4 commits into volumeee:main from foozio:main

@foozio foozio commented Mar 8, 2026

This PR introduces several requested improvements:

  • P0: Hardened rate limiting and added execution guardrails for process/shell tools. Addressed panic-prone unwrap cases and redacted sensitive logs.
  • P1: Refactored CLI into command modules for better maintainability.
  • P2: Enhanced RAG with BM25 ranking, added history pruning for long-running deployments, and execution metrics. Added documentation for production security baselines.

foozio added 4 commits March 8, 2026 10:30
…hell tools, enhance stream error handling, improve rate limit key extraction, and refine OpenAI message logging.
…hat, and refactor `web_search` and `shell` tools for explicit configuration.
…hance RAG with BM25 ranking, and update README with production security guidelines.
@volumeee

Owner

🔍 Review for PR #1 - Security & Architecture Check

Thank you for this PR, @foozio! Overall this is a solid improvement.
I have a few questions to make sure the security hardening is solid:

1️⃣ ZENCLAW_ALLOW_COMMAND_EXEC Enforcement

Status: ✅ Good - but needs clarification

I see this policy was added in Commit b56b5bf. Questions:

  • Is the enforcement default DENY (safe by default) or default ALLOW?
  • If the env var ZENCLAW_ALLOW_COMMAND_EXEC is not set, the system will:
    • Reject all command execution (preferred)
    • Allow execution with a warning
    • Something else?

Can you show the enforcement code snippet?

2️⃣ Rate Limiting & IP Spoofing Risk

Status: ⚠️ Needs Clarification

In crates/zenclaw-hub/src/middleware.rs, the rate limiting key uses:

let key = headers
    .get("x-forwarded-for")
    .and_then(|v| v.to_str().ok())
    .unwrap_or("unknown")
    .to_string();

@volumeee volumeee assigned volumeee and foozio and unassigned volumeee Mar 24, 2026
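
The spoofing concern raised in the review above, as an added example that is not code from this PR or from zenclaw: a rate-limit key that uses `X-Forwarded-For` only when the TCP peer is a known reverse proxy. The function name `rate_limit_key`, the `trusted_proxies` list and the sample addresses are assumptions made for illustration.

```rust
use std::net::IpAddr;

/// Hypothetical helper (not part of zenclaw): pick the rate-limit key for a request.
/// `peer` is the TCP peer address, `xff` the raw X-Forwarded-For value, and
/// `trusted_proxies` the reverse proxies the operator runs (assumed config).
fn rate_limit_key(peer: IpAddr, xff: Option<&str>, trusted_proxies: &[IpAddr]) -> String {
    // The header is client-controlled unless our own proxy delivered the request.
    if !trusted_proxies.contains(&peer) {
        return peer.to_string();
    }
    // Walk the chain right to left: the rightmost hops were appended by our
    // proxies, so the first hop that is not ours is the client our edge saw.
    for hop in xff.unwrap_or("").rsplit(',') {
        match hop.trim().parse::<IpAddr>() {
            Ok(ip) if trusted_proxies.contains(&ip) => continue,
            Ok(ip) => return ip.to_string(),
            Err(_) => break, // malformed entry: stop trusting the chain
        }
    }
    // No usable hop: key on the peer instead of a shared "unknown" bucket.
    peer.to_string()
}

fn main() {
    // Constructed sample addresses (documentation ranges), not from the PR.
    let proxy: IpAddr = "10.0.0.5".parse().unwrap();
    let client: IpAddr = "203.0.113.9".parse().unwrap();
    let trusted = [proxy];
    // Direct client sending a forged header: keyed on its socket address.
    println!("{}", rate_limit_key(client, Some("198.51.100.7"), &trusted));
    // Via proxy; client forged the leftmost hop, proxy appended the real one.
    println!("{}", rate_limit_key(proxy, Some("198.51.100.7, 203.0.113.9"), &trusted));
}
```

Keying on the raw header value lets each request pick its own bucket, and the `"unknown"` fallback puts every headerless client in the same one; both cases resolve to a socket-derived address here.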