clawmoat 0.7.0 → 1.0.0

package/docs/integrations/openclaw.html

@@ -66,14 +66,14 @@ footer{border-top:1px solid var(--navy-mid);padding:40px 0;text-align:center;col
 <body>
 
 <nav>
-<div class="container" style="max-width:1140px">
+<div class="container">
   <a href="/" class="logo">🏰 Claw<span>Moat</span></a>
+  <button class="menu-toggle" onclick="document.querySelector('.nav-links').classList.toggle('open')" aria-label="Menu">☰</button>
   <div class="nav-links">
-    <a href="/">Home</a>
-    <a href="/integrations/openclaw.html" style="color:var(--white)">Integrations</a>
+    <a href="/">Security</a>
+    <a href="/services/">AI Agents</a>
     <a href="/blog/">Blog</a>
-    <a href="https://github.com/darfaz/clawmoat">GitHub</a>
-    <a href="/#waitlist" class="btn-sm">Get Early Access</a>
+    <a href="https://github.com/darfaz/clawmoat">GitHub ↗</a>
   </div>
 </div>
 </nav>
@@ -293,19 +293,67 @@ done</code></pre>
   </div>
 </div>
 
+<h2>Official Sanitizer Plugin</h2>
+
+<div class="callout">
+  <strong>🔌 NEW:</strong> ClawMoat is now the <strong>reference implementation</strong> for OpenClaw's pluggable sanitizer pipeline. Every piece of content — transcripts, MCP tool results, agent messages — can pass through ClawMoat before reaching the AI agent.
+</div>
+
+<pre><code><span class="lang-label">Shell</span>npm install @openclaw/plugin-clawmoat</code></pre>
+
+<pre><code><span class="lang-label">JSON</span>// openclaw.json
+{
+  "sanitizers": [{
+    "module": "@openclaw/plugin-clawmoat",
+    "threshold": "medium",
+    "scanSecrets": true
+  }]
+}</code></pre>
+
+<p>The plugin provides:</p>
+<ul>
+  <li><strong>Configurable block thresholds</strong> — low, medium, high, critical</li>
+  <li><strong>Clean threat mapping</strong> — ClawMoat threat types → OpenClaw ruleIds</li>
+  <li><strong>Full audit logging</strong> — every scan result recorded</li>
+  <li><strong>10 test cases</strong> covering injection, credentials, thresholds, and edge cases</li>
+</ul>
+
+<p>See the <a href="https://github.com/darfaz/clawmoat/tree/main/plugins/openclaw-adapter">full spec and implementation guide</a> on GitHub.</p>
+
+<h2>ClawMoat Dashboard</h2>
+
+<p>Pro subscribers get access to the <a href="https://app.clawmoat.com"><strong>ClawMoat Dashboard</strong></a> — a hosted security console where you can:</p>
+
+<ul>
+  <li><strong>Scan text in your browser</strong> — paste any content and get instant threat analysis</li>
+  <li><strong>Generate API keys</strong> — integrate ClawMoat scanning into your own tools via REST API</li>
+  <li><strong>View scan history</strong> — full audit trail of every scan with threat level badges</li>
+  <li><strong>Monitor stats</strong> — total scans, threats detected, last scan time</li>
+</ul>
+
+<p>No terminal required. Log in with your email and start scanning.</p>
+
 <h2>Next Steps</h2>
 <ul>
+  <li><a href="https://app.clawmoat.com">ClawMoat Dashboard</a> — scan, monitor, and manage API keys</li>
   <li><a href="/integrations/langchain.html">LangChain Integration</a> — use ClawMoat with LangChain agents</li>
   <li><a href="/integrations/openai.html">OpenAI Integration</a> — secure function calling</li>
   <li><a href="https://github.com/darfaz/clawmoat">GitHub</a> — contribute, report issues, star the repo</li>
-  <li><a href="/#waitlist">Join the waitlist</a> — get early access to ClawMoat Pro with cloud dashboards</li>
 </ul>
 
 </div>
 </article>
 
 <footer>
-  <p>🏰 ClawMoat — Security moat for AI agents</p>
+<div class="container">
+  <div style="display:flex;gap:24px;justify-content:center;flex-wrap:wrap;margin-bottom:16px">
+    <a href="https://github.com/darfaz/clawmoat" style="color:var(--gray)">GitHub</a>
+    <a href="https://www.npmjs.com/package/clawmoat" style="color:var(--gray)">npm</a>
+    <a href="/blog/" style="color:var(--gray)">Blog</a>
+    <a href="mailto:hello@clawmoat.com" style="color:var(--gray)">hello@clawmoat.com</a>
+  </div>
+  <p style="text-align:center;color:var(--gray);font-size:.85rem">© 2026 ClawMoat</p>
+</div>
 </footer>
 
 </body>

package/docs/plans/2026-03-26-threat-intel-api.md

@@ -0,0 +1,255 @@
+# ClawMoat Threat Intel API — Implementation Plan
+
+> **For implementation:** Use the executing-plans skill to implement this plan task-by-task.
+
+**Goal:** Ship an MVP API endpoint that serves structured AI agent security threat intelligence, with Stripe metered billing.
+
+**Architecture:** Express.js server (extends existing ~/clawmoat/server/), backed by a JSON threat database that Leo populates from daily security news scans. Endpoints serve filtered threat data. Stripe usage-based billing tracks API calls per key. Deployed on Railway.
+
+**Tech Stack:** Express.js, Stripe metered billing, JSON flat-file storage (MVP), API key auth, Railway deploy
+
+---
+
+## Task 1: Threat Database Schema & Seed Data
+
+**Files:**
+- Create: `server/data/threats.json`
+- Create: `server/data/schema.md`
+
+**Step 1: Define the threat schema**
+
+```json
+{
+  "id": "CLAWMOAT-2026-0001",
+  "title": "LiteLLM .pth File Injection",
+  "published": "2026-03-24T00:00:00Z",
+  "updated": "2026-03-26T00:00:00Z",
+  "severity": "critical",
+  "category": "supply-chain",
+  "tags": ["python", "pypi", "credential-theft", "pth-injection"],
+  "summary": "LiteLLM versions 1.82.7-1.82.8 contain credential-stealing .pth payload",
+  "affected": {
+    "packages": ["litellm==1.82.7", "litellm==1.82.8"],
+    "ecosystems": ["pypi"]
+  },
+  "ioc": {
+    "domains": ["models.litellm.cloud"],
+    "files": ["litellm_init.pth"],
+    "hashes": [],
+    "patterns": ["exec(base64.b64decode(", ".pth import subprocess"]
+  },
+  "detection": {
+    "clawmoat_module": "scanners/supply-chain",
+    "clawmoat_function": "scanSkillContent",
+    "rules_triggered": ["obfuscated_exec_b64", "pth_file_injection", "exfil_litellm_lookalike"]
+  },
+  "references": [
+    "https://github.com/BerriAI/litellm/issues/24512",
+    "https://news.ycombinator.com/item?id=47501426",
+    "https://awesomeagents.ai/news/litellm-supply-chain-compromise-credential-theft/"
+  ],
+  "mitigation": "Rotate all credentials on affected systems. Check: pip show litellm | grep Version. Search: find / -name litellm_init.pth"
+}
+```
+
+**Step 2: Seed with this week's 5 threats**
+
+Populate threats.json with:
+1. LiteLLM .pth injection (CLAWMOAT-2026-0001)
+2. Meta AI agent data leak (CLAWMOAT-2026-0002)
+3. API key exposure on 10K websites (CLAWMOAT-2026-0003)
+4. LeakBase credential marketplace (CLAWMOAT-2026-0004)
+5. Gemini API key theft — $82K bill (CLAWMOAT-2026-0005)
+
+**Step 3: Commit**
+
+```
+git commit -m "feat: threat intel database schema + seed data (5 threats)"
+```
+
+---
+
+## Task 2: API Endpoint — GET /api/v1/threats
+
+**Files:**
+- Create: `server/routes/threats.js`
+- Modify: `server/index.js` (mount route)
+- Create: `server/middleware/api-key-auth.js`
+- Test: `server/tests/threats.test.js`
+
+**Step 1: Write failing test**
+
+```javascript
+const request = require('supertest');
+const app = require('../index');
+
+describe('GET /api/v1/threats', () => {
+  it('returns 401 without API key', async () => {
+    const res = await request(app).get('/api/v1/threats');
+    expect(res.status).toBe(401);
+  });
+
+  it('returns threats with valid API key', async () => {
+    const res = await request(app)
+      .get('/api/v1/threats')
+      .set('X-API-Key', 'test-key-123');
+    expect(res.status).toBe(200);
+    expect(res.body.threats).toBeInstanceOf(Array);
+    expect(res.body.threats.length).toBeGreaterThan(0);
+  });
+
+  it('filters by category', async () => {
+    const res = await request(app)
+      .get('/api/v1/threats?category=supply-chain')
+      .set('X-API-Key', 'test-key-123');
+    expect(res.body.threats.every(t => t.category === 'supply-chain')).toBe(true);
+  });
+
+  it('filters by severity', async () => {
+    const res = await request(app)
+      .get('/api/v1/threats?severity=critical')
+      .set('X-API-Key', 'test-key-123');
+    expect(res.body.threats.every(t => t.severity === 'critical')).toBe(true);
+  });
+
+  it('filters by date range', async () => {
+    const res = await request(app)
+      .get('/api/v1/threats?since=2026-03-24')
+      .set('X-API-Key', 'test-key-123');
+    expect(res.body.threats.length).toBeGreaterThan(0);
+  });
+});
+```
+
+**Step 2: Run test, confirm failure**
+
+**Step 3: Implement API key middleware**
+
+```javascript
+// server/middleware/api-key-auth.js
+const validKeys = new Map(); // loaded from server/data/api-keys.json
+
+function apiKeyAuth(req, res, next) {
+  const key = req.headers['x-api-key'];
+  if (!key) return res.status(401).json({ error: 'API key required' });
+  const record = validKeys.get(key);
+  if (!record) return res.status(403).json({ error: 'Invalid API key' });
+  req.apiUser = record;
+  next();
+}
+```
+
+**Step 4: Implement threats route**
+
+Query params: `category`, `severity`, `since`, `tags`, `limit` (default 20, max 100)
+
+Response format:
+```json
+{
+  "threats": [...],
+  "count": 5,
+  "total": 5,
+  "updated": "2026-03-26T15:00:00Z"
+}
+```
+
+**Step 5: Run tests, confirm pass**
+
+**Step 6: Commit**
+
+```
+git commit -m "feat: GET /api/v1/threats endpoint with filtering + API key auth"
+```
+
+---
+
+## Task 3: GET /api/v1/threats/:id — Single Threat Detail
+
+**Files:**
+- Modify: `server/routes/threats.js`
+- Modify: `server/tests/threats.test.js`
+
+Returns full threat object including IOCs, detection rules, mitigation steps.
+
+---
+
+## Task 4: GET /api/v1/ioc — Indicators of Compromise Feed
+
+**Files:**
+- Create: `server/routes/ioc.js`
+- Test: `server/tests/ioc.test.js`
+
+Aggregates all IOCs across threats into a flat feed. Useful for agents to bulk-update their blocklists.
+
+```json
+{
+  "domains": ["models.litellm.cloud", ...],
+  "files": ["litellm_init.pth", ...],
+  "patterns": ["exec(base64.b64decode(", ...],
+  "updated": "2026-03-26T15:00:00Z"
+}
+```
+
+---
+
+## Task 5: Stripe Metered Billing
+
+**Files:**
+- Create: `server/middleware/usage-tracker.js`
+- Create: `server/billing/stripe.js`
+- Modify: `server/middleware/api-key-auth.js` (link to Stripe customer)
+
+**Pricing:**
+- Free tier: 100 calls/month (no card required)
+- Pro: $4.99/mo flat + $0.001/call over 5,000
+- Unlimited: $19.99/mo
+
+**Implementation:**
+1. On each API call, increment usage counter in api-keys.json
+2. Stripe webhook on subscription create → generate API key → email to user
+3. Daily cron: report usage to Stripe metered billing
+4. Free tier: check call count, return 429 when exceeded
+
+---
+
+## Task 6: API Key Self-Service
+
+**Files:**
+- Create: `server/routes/keys.js`
+- Test: `server/tests/keys.test.js`
+
+POST /api/v1/keys — generate a free-tier API key (email required)
+GET /api/v1/keys/:key/usage — check your usage
+
+---
+
+## Task 7: Railway Deploy
+
+**Files:**
+- Modify: `server/package.json` (start script)
+- Create: `server/Procfile`
+- Create: `server/.env.example`
+
+Environment vars: STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET, API_MASTER_KEY
+
+Deploy to Railway on clawmoat.com subdomain: `api.clawmoat.com`
+
+---
+
+## Task 8: Documentation
+
+**Files:**
+- Create: `docs/api/README.md`
+- Create: `docs/api/openapi.yaml`
+- Modify: `README.md` (add Threat Intel API section)
+
+OpenAPI spec for the full API. Add to clawmoat.com as /docs/api page.
+
+---
+
+## MVP Scope (Tonight)
+
+Tasks 1-3 + 7 = working API with seed data, deployed on Railway.
+Tasks 4-6 + 8 = fast follow (this week).
+
+**Total estimated time: 4-5 hours for MVP, 2-3 more for billing + docs.**

package/docs/plans/2026-04-14-bugmageddon-marketing-pack.md

@@ -0,0 +1,329 @@
+# ClawMoat marketing pack — Bugmageddon / WSJ / Mythos
+
+## Core angle
+
+WSJ gave the market a clean phrase: **bugmageddon**.
+
+Use it to sharpen ClawMoat's category:
+
+**Old framing:** prompt injection scanner / AI security tool<br>
+**Better framing:** **agent firewall for the bugmageddon era**
+
+The point is simple:
+
+- AI is getting much better at finding vulnerabilities
+- Attackers will get that capability too
+- Patching will stay slower than discovery
+- AI agents have the permissions needed to turn bugs into impact
+- Therefore the missing layer is **runtime containment**
+
+## Best ClawMoat message
+
+**They protect the model. ClawMoat protects the machine.**
+
+Variants:
+- **Bug discovery is accelerating. Containment needs to catch up.**
+- **When AI finds more bugs, agent runtime security stops being optional.**
+- **The patch queue is about to get longer. Your agent permissions should get tighter.**
+
+---
+
+## X post options
+
+### Option 1, sharpest
+
+WSJ called it “bugmageddon.”
+
+Anthropic’s Mythos reportedly found a 27-year-old bug plus thousands more high-severity flaws.
+
+That doesn’t just mean defenders get faster.
+It means exploit discovery gets cheaper.
+
+And AI agents already have shell, browser, file system, API key, and MCP access.
+
+The question is no longer just “can AI find bugs?”
+It’s “what stops your agent from turning them into damage?”
+
+That’s the layer ClawMoat is built for.
+
+Open-source agent firewall.
+https://clawmoat.com
+
+### Option 2, more founder-voice
+
+The WSJ bugmageddon piece got one thing very right:
+we’re heading into a world where AI finds vulnerabilities faster than most teams can fix them.
+
+That changes the job.
+
+Static scanning matters.
+Patching matters.
+But once agents have real permissions, you also need runtime controls.
+
+What can it read?
+What can it run?
+What can it send out?
+What gets blocked?
+What gets logged?
+
+That’s ClawMoat.
+https://clawmoat.com
+
+### Option 3, shortest
+
+Bugmageddon = AI finds bugs faster, attackers exploit faster, patches lag.
+
+Agents make that worse because they already have the keys.
+
+ClawMoat is the firewall between the agent and the machine.
+https://clawmoat.com
+
+---
+
+## X thread
+
+1. WSJ called it “bugmageddon.” Good term.
+
+If frontier models can find vulnerabilities humans missed for decades, the economics of attack just changed.
+
+2. The issue is not just more bugs found by defenders.
+
+It’s that exploit discovery gets cheaper, faster, and eventually available to anyone with a decent model stack.
+
+3. Most teams still think in old security terms:
+find bug → patch bug → move on.
+
+But patching is slow. Backlogs are real. And agents now sit on top of the blast radius.
+
+4. Your agent has shell access, browser control, file I/O, MCP tools, secrets, cloud creds, internal docs.
+
+So the question becomes:
+what happens when something gets through?
+
+5. Prompt filters are not enough.
+Static scans are not enough.
+You need runtime containment.
+
+What can the agent read?
+What can it execute?
+What can it exfiltrate?
+What gets blocked automatically?
+
+6. That’s the ClawMoat thesis.
+
+Not “make prompts safer.”
+Make agents safe to run on real machines.
+
+7. ClawMoat scans inbound content, outbound content, MCP configs, and tool use.
+Then it enforces policy at runtime.
+
+Because in the bugmageddon era, detection without containment is not enough.
+
+8. Open source.
+Agent firewall.
+Built for the moment the market is finally waking up.
+
+https://clawmoat.com
+https://github.com/darfaz/clawmoat
+
+---
+
+## Reddit post
+
+### Suggested subreddits
+- r/LocalLLaMA
+- r/ClaudeAI
+- r/OpenAI
+- r/artificial
+- r/cybersecurity
+- r/netsec (more technical, tone down the marketing)
+- r/mcp
+
+### Title option 1
+WSJ says AI is finding bugs humans missed for decades. I think the real issue is agent containment.
+
+### Title option 2
+If bug discovery gets automated, AI agent runtime security becomes mandatory
+
+### Body
+The WSJ bugmageddon article is getting attention because of the headline claim: frontier AI can now find serious vulnerabilities that sat undiscovered for years.
+
+That’s interesting, but I think the more important implication is downstream.
+
+If exploit discovery gets faster, while patching stays slow, then AI agents become a very uncomfortable part of the stack.
+
+They already have:
+- shell access
+- browser control
+- file system access
+- API keys and local secrets
+- MCP servers with broad permissions
+
+So the real question stops being “can AI find bugs?” and becomes “what stops an agent from turning a bug, prompt injection, or bad tool chain into a real compromise?”
+
+That’s why I’ve been building ClawMoat.
+It’s an open-source agent firewall that sits between the agent and the machine.
+
+It does a few concrete things:
+- scans inbound content for prompt injection and poisoned instructions
+- scans outbound content for secrets and exfiltration
+- audits MCP configs and risky permissions
+- enforces policy on shell, file, browser, and network actions
+
+I think this category is going to matter a lot more over the next 12 months.
+
+Curious if people here agree with the core thesis:
+**as bug discovery gets automated, runtime containment becomes more important than prompt-level safety alone.**
+
+Repo: https://github.com/darfaz/clawmoat
+Site: https://clawmoat.com
+
+---
+
+## Hacker News post draft
+
+### Title
+Show HN: ClawMoat, an open-source agent firewall for the bugmageddon era
+
+### Text
+WSJ just popularized “bugmageddon” as shorthand for AI finding vulnerabilities faster than humans can fix them.
+
+I think that creates a second-order problem for agent builders.
+
+Even if you patch aggressively, agents now have shell, browser, filesystem, and MCP access. So once a prompt injection, poisoned dependency, risky plugin, or newly discovered vuln gets through, the real question is what the agent is still allowed to do.
+
+ClawMoat is my attempt at that layer.
+
+It’s an open-source agent firewall that:
+- scans inbound content
+- scans outbound content
+- audits MCP configs
+- enforces policies on tool use
+- logs everything for audit
+
+I’d love technical feedback, especially from people running local agents on real machines.
+
+https://github.com/darfaz/clawmoat
+
+---
+
+## LinkedIn post
+
+The WSJ “bugmageddon” framing is worth paying attention to.
+
+If frontier AI can find vulnerabilities humans missed for decades, then security teams are about to face a new asymmetry:
+
+bug discovery speeds up<br>
+weaponization speeds up<br>
+patching does not
+
+That matters even more in the age of AI agents.
+
+Agents are not chatbots. They sit on top of shell access, browsers, files, API keys, MCP servers, and internal systems.
+
+So the new question is not just whether AI can find more bugs.
+The question is whether your runtime controls are strong enough when something gets through.
+
+That is exactly why I built ClawMoat.
+
+ClawMoat is an open-source agent firewall that scans content, audits MCP setups, and enforces policy between the agent and the machine.
+
+I think this layer becomes much more important over the next year.
+
+If you’re building or deploying AI agents, I’d love to compare notes.
+
+https://clawmoat.com
+https://github.com/darfaz/clawmoat
+
+---
+
+## Dev.to article draft
+
+### Title
+Bugmageddon Is Coming. AI Agent Runtime Security Just Became Mandatory.
+
+### Subtitle
+If AI can find bugs faster than teams can patch them, the missing layer is containment.
+
+### Outline
+
+1. Open with WSJ framing and the 27-year-old bug claim
+2. Explain the shift in attack economics
+3. Explain why patching remains the limiting factor
+4. Explain why agents amplify blast radius
+5. Distinguish prompt safety from runtime security
+6. Walk through what a practical containment layer does
+7. Position ClawMoat as open-source agent firewall
+8. End with concrete checklist + repo link
+
+### Strong opener
+The scary part of the WSJ bugmageddon article is not that AI can find vulnerabilities.
+
+The scary part is that once exploit discovery gets cheap, every over-permissioned AI agent becomes part of the attack surface.
+
+---
+
+## Homepage / hero update suggestions
+
+Current category is good. Tighten it.
+
+### Hero copy test A
+**The open-source agent firewall**<br>
+AI is finding bugs faster. Stop agents from turning them into breaches.
+
+### Hero copy test B
+**They protect the model. ClawMoat protects the machine.**<br>
+Runtime security for AI agents with shell, browser, file system, and MCP access.
+
+### Hero copy test C
+**Built for bugmageddon.**<br>
+Contain what AI agents can do when vulnerabilities are inevitable.
+
+### Subhead inserts
+- Scan prompts, outputs, MCP configs, and tool calls
+- Enforce policy before the command runs
+- Audit everything after
+
+---
+
+## CTA ideas
+
+- **Run a free agent exposure scan**
+- **Audit your MCP setup**
+- **See what your agent can actually reach**
+- **Install the firewall between your agent and your machine**
+
+---
+
+## Good discussion hooks
+
+Use these to get replies instead of just impressions:
+
+- “What’s the bigger risk: automated bug discovery or over-permissioned agents?”
+- “Do you think prompt-level safety is enough once agents have shell access?”
+- “If your coding agent gets exploited tomorrow, what actually stops data exfiltration?”
+- “How many teams have real runtime policy around MCP today?”
+
+---
+
+## Recommended execution order
+
+1. Publish the blog post on ClawMoat site
+2. Post the short X post manually if API credits are still dead
+3. Post the Reddit piece in r/LocalLLaMA or r/cybersecurity
+4. Turn the blog into a Dev.to article the same day
+5. Update homepage hero with bugmageddon-era framing
+6. Reply to any comments with the same thesis: **detection matters, containment is the missing layer**
+
+---
+
+## Notes on source discipline
+
+Use “reportedly” when referencing the 27-year-old bug and thousands-of-flaws claims unless citing Anthropic directly.
+
+Good safe framing:
+- “reported by WSJ / follow-on coverage”
+- “Anthropic says”
+- “the broader trend is what matters”
+
+Avoid overstating details we cannot independently verify.