natureco-cli 5.18.2 → 5.19.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/skills/airunway-aks-setup/SKILL.md +73 -0
- package/skills/algorithmic-art/SKILL.md +405 -0
- package/skills/appinsights-instrumentation/SKILL.md +76 -0
- package/skills/azure-ai/SKILL.md +71 -0
- package/skills/azure-aigateway/SKILL.md +129 -0
- package/skills/azure-cloud-migrate/SKILL.md +52 -0
- package/skills/azure-compliance/SKILL.md +108 -0
- package/skills/azure-compute/SKILL.md +46 -0
- package/skills/azure-cost/SKILL.md +45 -0
- package/skills/azure-deploy/SKILL.md +97 -0
- package/skills/azure-diagnostics/SKILL.md +151 -0
- package/skills/azure-enterprise-infra-planner/SKILL.md +54 -0
- package/skills/azure-hosted-copilot-sdk/SKILL.md +89 -0
- package/skills/azure-kubernetes/SKILL.md +153 -0
- package/skills/azure-kusto/SKILL.md +231 -0
- package/skills/azure-messaging/SKILL.md +57 -0
- package/skills/azure-prepare/SKILL.md +165 -0
- package/skills/azure-quotas/SKILL.md +276 -0
- package/skills/azure-rbac/SKILL.md +17 -0
- package/skills/azure-reliability/SKILL.md +387 -0
- package/skills/azure-resource-lookup/SKILL.md +108 -0
- package/skills/azure-resource-visualizer/SKILL.md +183 -0
- package/skills/azure-storage/SKILL.md +100 -0
- package/skills/azure-upgrade/SKILL.md +91 -0
- package/skills/azure-validate/SKILL.md +72 -0
- package/skills/brainstorming/SKILL.md +159 -0
- package/skills/brand-guidelines/SKILL.md +73 -0
- package/skills/brandkit/SKILL.md +798 -0
- package/skills/brutalist-skill/SKILL.md +92 -0
- package/skills/canvas-design/SKILL.md +130 -0
- package/skills/cavecrew/SKILL.md +82 -0
- package/skills/caveman-commit/SKILL.md +65 -0
- package/skills/caveman-help/SKILL.md +63 -0
- package/skills/caveman-review/SKILL.md +55 -0
- package/skills/caveman-stats/SKILL.md +10 -0
- package/skills/claude-api/SKILL.md +356 -0
- package/skills/composition-patterns/SKILL.md +89 -0
- package/skills/decision-mapping/SKILL.md +84 -0
- package/skills/deploy-to-vercel/SKILL.md +296 -0
- package/skills/design-an-interface/SKILL.md +94 -0
- package/skills/design-doc-mermaid/SKILL.md +498 -0
- package/skills/develop-userscripts/SKILL.md +84 -0
- package/skills/doc-coauthoring/SKILL.md +375 -0
- package/skills/documentation/SKILL.md +109 -0
- package/skills/docx/SKILL.md +590 -0
- package/skills/edit-article/SKILL.md +15 -0
- package/skills/entra-agent-id/SKILL.md +356 -0
- package/skills/entra-app-registration/SKILL.md +191 -0
- package/skills/faceless-explainer/SKILL.md +202 -0
- package/skills/fastify/SKILL.md +75 -0
- package/skills/general-video/SKILL.md +143 -0
- package/skills/git-guardrails-claude-code/SKILL.md +95 -0
- package/skills/github-actions-docs/SKILL.md +98 -0
- package/skills/gpt-tasteskill/SKILL.md +74 -0
- package/skills/grill-me/SKILL.md +7 -0
- package/skills/grilling/SKILL.md +10 -0
- package/skills/handoff/SKILL.md +16 -0
- package/skills/hyperframes/SKILL.md +152 -0
- package/skills/hyperframes-animation/SKILL.md +82 -0
- package/skills/hyperframes-cli/SKILL.md +109 -0
- package/skills/hyperframes-core/SKILL.md +78 -0
- package/skills/hyperframes-creative/SKILL.md +68 -0
- package/skills/hyperframes-media/SKILL.md +97 -0
- package/skills/image-to-code-skill/SKILL.md +1228 -0
- package/skills/imagegen-frontend-mobile/SKILL.md +1465 -0
- package/skills/imagegen-frontend-web/SKILL.md +987 -0
- package/skills/implement/SKILL.md +15 -0
- package/skills/init/SKILL.md +91 -0
- package/skills/internal-comms/SKILL.md +32 -0
- package/skills/lark-approval/SKILL.md +56 -0
- package/skills/lark-base/SKILL.md +157 -0
- package/skills/lark-doc/SKILL.md +81 -0
- package/skills/lark-shared/SKILL.md +168 -0
- package/skills/lark-workflow-meeting-summary/SKILL.md +122 -0
- package/skills/linting-neostandard-eslint9/SKILL.md +64 -0
- package/skills/loop-me/SKILL.md +32 -0
- package/skills/microsoft-foundry/SKILL.md +262 -0
- package/skills/migrate-to-shoehorn/SKILL.md +118 -0
- package/skills/minimalist-skill/SKILL.md +85 -0
- package/skills/motion-graphics/SKILL.md +170 -0
- package/skills/music-to-video/SKILL.md +197 -0
- package/skills/node/SKILL.md +94 -0
- package/skills/nodejs-core/SKILL.md +156 -0
- package/skills/oauth/SKILL.md +186 -0
- package/skills/obsidian-vault/SKILL.md +59 -0
- package/skills/octocat/SKILL.md +93 -0
- package/skills/openclaw-secure-linux-cloud/SKILL.md +157 -0
- package/skills/opensource-guide-coach/SKILL.md +218 -0
- package/skills/output-skill/SKILL.md +49 -0
- package/skills/pdf/SKILL.md +314 -0
- package/skills/pptx/SKILL.md +232 -0
- package/skills/pr-to-video/SKILL.md +235 -0
- package/skills/product-launch-video/SKILL.md +205 -0
- package/skills/python-appservice-deploy/SKILL.md +36 -0
- package/skills/qa/SKILL.md +130 -0
- package/skills/react-best-practices/SKILL.md +149 -0
- package/skills/react-native-skills/SKILL.md +121 -0
- package/skills/react-view-transitions/SKILL.md +320 -0
- package/skills/readme-i18n/SKILL.md +176 -0
- package/skills/redesign-skill/SKILL.md +178 -0
- package/skills/remotion/SKILL.md +364 -0
- package/skills/request-refactor-plan/SKILL.md +68 -0
- package/skills/resolving-merge-conflicts/SKILL.md +14 -0
- package/skills/running-claude-code-via-litellm-copilot/SKILL.md +263 -0
- package/skills/scaffold-exercises/SKILL.md +106 -0
- package/skills/secure-linux-web-hosting/SKILL.md +162 -0
- package/skills/setup-pre-commit/SKILL.md +91 -0
- package/skills/shadcn/SKILL.md +267 -0
- package/skills/simple/SKILL.md +52 -0
- package/skills/skill-creator/SKILL.md +485 -0
- package/skills/skill-optimizer/SKILL.md +47 -0
- package/skills/skills-cli/SKILL.md +281 -0
- package/skills/slack-gif-creator/SKILL.md +254 -0
- package/skills/snipgrapher/SKILL.md +58 -0
- package/skills/soft-skill/SKILL.md +98 -0
- package/skills/stitch-skill/SKILL.md +184 -0
- package/skills/supabase/SKILL.md +135 -0
- package/skills/supabase-postgres-best-practices/SKILL.md +64 -0
- package/skills/systematic-debugging/SKILL.md +296 -0
- package/skills/talking-head-recut/SKILL.md +1191 -0
- package/skills/taste-skill/SKILL.md +1206 -0
- package/skills/taste-skill-v1/SKILL.md +226 -0
- package/skills/tdd/SKILL.md +108 -0
- package/skills/teach/SKILL.md +140 -0
- package/skills/test-driven-development/SKILL.md +371 -0
- package/skills/theme-factory/SKILL.md +59 -0
- package/skills/to-prd/SKILL.md +75 -0
- package/skills/typescript-magician/SKILL.md +117 -0
- package/skills/tzst/SKILL.md +68 -0
- package/skills/ubiquitous-language/SKILL.md +93 -0
- package/skills/use-my-browser/SKILL.md +110 -0
- package/skills/using-superpowers/SKILL.md +121 -0
- package/skills/vercel-cli-with-tokens/SKILL.md +353 -0
- package/skills/vercel-optimize/SKILL.md +322 -0
- package/skills/viral-instagram-reels/SKILL.md +180 -0
- package/skills/viral-short-form/SKILL.md +147 -0
- package/skills/viral-short-form-ideas/SKILL.md +184 -0
- package/skills/viral-tiktok-content/SKILL.md +180 -0
- package/skills/web-artifacts-builder/SKILL.md +74 -0
- package/skills/web-design-guidelines/SKILL.md +39 -0
- package/skills/webapp-testing/SKILL.md +96 -0
- package/skills/website-to-video/SKILL.md +145 -0
- package/skills/writing-beats/SKILL.md +67 -0
- package/skills/writing-fragments/SKILL.md +79 -0
- package/skills/writing-great-skills/SKILL.md +82 -0
- package/skills/writing-guidelines/SKILL.md +39 -0
- package/skills/writing-plans/SKILL.md +174 -0
- package/skills/writing-shape/SKILL.md +79 -0
- package/skills/xdrop/SKILL.md +78 -0
- package/skills/xget/SKILL.md +87 -0
- package/skills/xlsx/SKILL.md +292 -0
- package/src/tools/browser_use.js +2 -1
- package/src/tools/skills_download.js +217 -0
- package/src/utils/tools.js +2 -2
|
@@ -0,0 +1,156 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: nodejs-core
|
|
3
|
+
description: Debugs native module crashes, optimizes V8 performance, configures node-gyp builds, writes N-API/node-addon-api bindings, and diagnoses libuv event loop issues in Node.js. Use when working with C++ addons, native modules, binding.gyp, node-gyp errors, segfaults, memory leaks in native code, V8 optimization/deoptimization, libuv thread pool tuning, N-API or NAN bindings, build system failures, or any Node.js internals below the JavaScript layer.
|
|
4
|
+
metadata:
|
|
5
|
+
tags: nodejs, v8, libuv, cpp, native-addons, performance, debugging, internals
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## When to use
|
|
9
|
+
|
|
10
|
+
Use this skill when you need deep Node.js internals expertise, including:
|
|
11
|
+
- C++ addon development
|
|
12
|
+
- V8 engine debugging
|
|
13
|
+
- libuv event loop issues
|
|
14
|
+
- Build system problems
|
|
15
|
+
- Compilation failures
|
|
16
|
+
- Performance optimization at the engine level
|
|
17
|
+
- Understanding Node.js core architecture
|
|
18
|
+
|
|
19
|
+
## How to use
|
|
20
|
+
|
|
21
|
+
Read individual rule files for detailed explanations and code examples:
|
|
22
|
+
|
|
23
|
+
### V8 Engine
|
|
24
|
+
|
|
25
|
+
- [rules/v8-garbage-collection.md](rules/v8-garbage-collection.md) - Scavenger, Mark-Sweep, Mark-Compact, generational GC
|
|
26
|
+
- [rules/v8-hidden-classes.md](rules/v8-hidden-classes.md) - Hidden classes, inline caching, optimization
|
|
27
|
+
- [rules/v8-jit-compilation.md](rules/v8-jit-compilation.md) - TurboFan, optimization/deoptimization patterns
|
|
28
|
+
|
|
29
|
+
### libuv
|
|
30
|
+
|
|
31
|
+
- [rules/libuv-event-loop.md](rules/libuv-event-loop.md) - Event loop phases, timers, I/O, idle, check, close
|
|
32
|
+
- [rules/libuv-thread-pool.md](rules/libuv-thread-pool.md) - Thread pool size, blocking operations, UV_THREADPOOL_SIZE
|
|
33
|
+
- [rules/libuv-async-io.md](rules/libuv-async-io.md) - Async I/O patterns, handles, requests
|
|
34
|
+
|
|
35
|
+
### Native Addons
|
|
36
|
+
|
|
37
|
+
- [rules/napi.md](rules/napi.md) - N-API development, ABI stability, async workers
|
|
38
|
+
- [rules/node-addon-api.md](rules/node-addon-api.md) - C++ wrapper patterns, best practices
|
|
39
|
+
- [rules/native-memory.md](rules/native-memory.md) - Buffer handling, external memory, prevent leaks
|
|
40
|
+
|
|
41
|
+
### Core Modules Internals
|
|
42
|
+
|
|
43
|
+
- [rules/streams-internals.md](rules/streams-internals.md) - How Node.js streams work at C++ level
|
|
44
|
+
- [rules/net-internals.md](rules/net-internals.md) - TCP/UDP implementation, socket handling
|
|
45
|
+
- [rules/fs-internals.md](rules/fs-internals.md) - libuv fs operations, sync vs async
|
|
46
|
+
- [rules/crypto-internals.md](rules/crypto-internals.md) - OpenSSL integration, performance considerations
|
|
47
|
+
- [rules/child-process-internals.md](rules/child-process-internals.md) - IPC, spawn, fork implementation
|
|
48
|
+
- [rules/worker-threads-internals.md](rules/worker-threads-internals.md) - SharedArrayBuffer, Atomics, MessageChannel
|
|
49
|
+
|
|
50
|
+
### JavaScript Internals
|
|
51
|
+
|
|
52
|
+
- [rules/primordials.md](rules/primordials.md) - **Using primordials to prevent prototype pollution (required for `lib/internal/`)**
|
|
53
|
+
|
|
54
|
+
### Build & Contributing
|
|
55
|
+
|
|
56
|
+
- [rules/build-and-test-workflow.md](rules/build-and-test-workflow.md) - **The edit-build-lint-test cycle (start here)**
|
|
57
|
+
- [rules/configure.md](rules/configure.md) - `./configure` flags for debug builds, ASan, Ninja, etc.
|
|
58
|
+
- [rules/build-system.md](rules/build-system.md) - gyp, ninja, make, cross-platform compilation
|
|
59
|
+
- [rules/cli-options.md](rules/cli-options.md) - Adding CLI options and gating experimental modules
|
|
60
|
+
- [rules/contributing.md](rules/contributing.md) - How to contribute to Node.js core, the process
|
|
61
|
+
- [rules/commit-messages.md](rules/commit-messages.md) - Node.js-style commit message formatting and validation
|
|
62
|
+
- [rules/reviewing-prs.md](rules/reviewing-prs.md) - Reviewing PRs, quality signals, and spotting low-quality AI-generated contributions
|
|
63
|
+
|
|
64
|
+
### Documentation
|
|
65
|
+
|
|
66
|
+
- [rules/documentation.md](rules/documentation.md) - **Updating doc/api/*.md files: structure, link ordering, error docs, code example constraints**
|
|
67
|
+
|
|
68
|
+
### Debugging & Profiling
|
|
69
|
+
|
|
70
|
+
- [rules/debugging-native.md](rules/debugging-native.md) - gdb, lldb, debugging C++ addons
|
|
71
|
+
- [rules/profiling-v8.md](rules/profiling-v8.md) - --prof, --trace-opt, --trace-deopt, flame graphs
|
|
72
|
+
- [rules/memory-debugging.md](rules/memory-debugging.md) - Heap snapshots, memory leak detection
|
|
73
|
+
|
|
74
|
+
## Instructions
|
|
75
|
+
|
|
76
|
+
### MANDATORY: Rebuild before testing
|
|
77
|
+
|
|
78
|
+
Node.js embeds `lib/` JavaScript files into the binary at compile time via
|
|
79
|
+
`js2c`. **After ANY change to `src/` or `lib/`, you MUST rebuild before
|
|
80
|
+
running tests.** Without a rebuild, tests run against stale code and results
|
|
81
|
+
are meaningless.
|
|
82
|
+
|
|
83
|
+
```
|
|
84
|
+
edit src/ or lib/ → make -j$(nproc) → make lint → then test
|
|
85
|
+
```
|
|
86
|
+
|
|
87
|
+
Never skip the rebuild step. Never run `./node test/...` after editing
|
|
88
|
+
without building first.
|
|
89
|
+
|
|
90
|
+
Before starting work, **ask the user** about their build configuration
|
|
91
|
+
(Make vs Ninja, debug vs release, what configure flags they use). Do not
|
|
92
|
+
assume a specific setup. Most of the time, `./configure` has already been
|
|
93
|
+
run and only `make -j$(nproc)` is needed to rebuild.
|
|
94
|
+
|
|
95
|
+
See [rules/build-and-test-workflow.md](rules/build-and-test-workflow.md)
|
|
96
|
+
for the full workflow including configure flags, lint targets, and test
|
|
97
|
+
commands.
|
|
98
|
+
|
|
99
|
+
### Core knowledge domains
|
|
100
|
+
|
|
101
|
+
Apply deep knowledge of Node.js internals across these domains:
|
|
102
|
+
|
|
103
|
+
- **Core architecture**: Node.js core modules and their C++ implementations, V8 GC and JIT, libuv event loop mechanics, thread pool behavior, startup/module-loading lifecycle
|
|
104
|
+
- **Native development**: N-API, node-addon-api, and NAN addon development; V8 C++ API handle management; memory safety; native debugging with gdb/lldb
|
|
105
|
+
- **Build systems**: node-gyp, gyp, ninja, make; cross-platform compilation; linker errors; dependency issues; platform-specific considerations (Windows, macOS, Linux, embedded)
|
|
106
|
+
- **Performance & debugging**: Event loop profiling, memory leak detection in JS and native code, CPU flame graphs, V8 optimization/deoptimization tracing
|
|
107
|
+
|
|
108
|
+
### Quick-reference debugging commands
|
|
109
|
+
|
|
110
|
+
**V8 optimization tracing:**
|
|
111
|
+
```bash
|
|
112
|
+
node --trace-opt --trace-deopt script.js
|
|
113
|
+
# Checkpoint: confirm no unexpected deoptimization warnings before proceeding to profiling
|
|
114
|
+
node --prof script.js && node --prof-process isolate-*.log > processed.txt
|
|
115
|
+
```
|
|
116
|
+
|
|
117
|
+
**Event loop lag detection:**
|
|
118
|
+
```bash
|
|
119
|
+
node --trace-event-categories v8,node,node.async_hooks script.js
|
|
120
|
+
```
|
|
121
|
+
|
|
122
|
+
**Native addon debugging (gdb):**
|
|
123
|
+
```bash
|
|
124
|
+
gdb --args node --napi-modules ./build/Release/addon.node
|
|
125
|
+
# Inside gdb:
|
|
126
|
+
run
|
|
127
|
+
bt # backtrace on crash
|
|
128
|
+
# Checkpoint: verify backtrace shows the expected call site before applying a fix
|
|
129
|
+
```
|
|
130
|
+
|
|
131
|
+
**Heap snapshot for memory leaks:**
|
|
132
|
+
```bash
|
|
133
|
+
node --inspect script.js # then open chrome://inspect, take heap snapshot
|
|
134
|
+
# Checkpoint: compare two consecutive heap snapshots to confirm leak growth before and after the fix; run valgrind --leak-check=full node addon_test.js to confirm no native leaks remain
|
|
135
|
+
```
|
|
136
|
+
|
|
137
|
+
### Node.js-specific diagnostic decision trees
|
|
138
|
+
|
|
139
|
+
**Segfault / crash in native addon:**
|
|
140
|
+
1. Is the crash reproducible with `node --napi-modules`? → Run `gdb`, capture `bt`
|
|
141
|
+
2. Does `bt` point to a V8 handle scope issue? → Check `HandleScope` / `EscapableHandleScope` usage in the addon
|
|
142
|
+
3. Does it point to a libuv callback? → Inspect async handle lifetime and `uv_close()` sequencing
|
|
143
|
+
4. No clear C++ frame? → Check for JS-side type mismatches passed into the native binding
|
|
144
|
+
|
|
145
|
+
**V8 deoptimization / performance regression:**
|
|
146
|
+
1. Run `--trace-opt --trace-deopt` → identify the deoptimized function and reason (e.g., "not a Smi", "wrong map")
|
|
147
|
+
2. Checkpoint: confirm the same function deoptimizes consistently across runs
|
|
148
|
+
3. Inspect hidden class transitions (`--trace-ic`) and fix property addition order or type inconsistencies
|
|
149
|
+
4. Re-run `--trace-opt` to confirm the function is now optimized
|
|
150
|
+
|
|
151
|
+
**Build failure (node-gyp / binding.gyp):**
|
|
152
|
+
1. Is it a missing header? → Verify `include_dirs` in `binding.gyp` and Node.js header installation
|
|
153
|
+
2. Is it a linker error? → Check `libraries` and `link_settings` entries; confirm ABI compatibility
|
|
154
|
+
3. Is it platform-specific? → Consult `rules/build-system.md` for Windows/macOS/Linux differences
|
|
155
|
+
|
|
156
|
+
Always consider both JavaScript-level and native-level causes, explain performance implications and trade-offs, and indicate the stability status of any experimental features discussed. Code examples should demonstrate Node.js internals patterns and be production-ready, accounting for edge cases typical developers might miss.
|
|
@@ -0,0 +1,186 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: oauth
|
|
3
|
+
description: Implements OAuth 2.0/2.1 authorization flows in Fastify applications — configures authorization code with PKCE, client credentials, device flow, refresh token rotation, JWT validation, and token introspection/revocation endpoints. Use when setting up authentication, authorization, login flows, access tokens, API security, or securing Fastify routes with OAuth; also applies when troubleshooting token validation errors, mismatched redirect URIs, CSRF issues, scope problems, or RFC 6749/6750/7636/8252/8628 compliance questions.
|
|
4
|
+
metadata:
|
|
5
|
+
tags: oauth, oauth2, security, authentication, authorization, jwt, fastify
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## When to use
|
|
9
|
+
|
|
10
|
+
Use this skill when you need to:
|
|
11
|
+
- Implement or debug an OAuth 2.0/2.1 flow in a Fastify application
|
|
12
|
+
- Validate tokens, configure PKCE, or set up refresh token rotation
|
|
13
|
+
- Secure Fastify routes and plugins with access-control middleware
|
|
14
|
+
- Resolve RFC compliance questions or identify security anti-patterns
|
|
15
|
+
|
|
16
|
+
---
|
|
17
|
+
|
|
18
|
+
## Step-by-step: Authorization Code + PKCE in Fastify
|
|
19
|
+
|
|
20
|
+
### 1. Install dependencies
|
|
21
|
+
|
|
22
|
+
```bash
|
|
23
|
+
npm install @fastify/oauth2 @fastify/cookie @fastify/session fastify-plugin
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
### 2. Register the OAuth plugin
|
|
27
|
+
|
|
28
|
+
```typescript
|
|
29
|
+
// plugins/oauth.ts
|
|
30
|
+
import fp from 'fastify-plugin'
|
|
31
|
+
import oauth2, { OAuth2Namespace } from '@fastify/oauth2'
|
|
32
|
+
import { FastifyInstance } from 'fastify'
|
|
33
|
+
|
|
34
|
+
export default fp(async function (fastify: FastifyInstance) {
|
|
35
|
+
fastify.register(oauth2, {
|
|
36
|
+
name: 'oauth2',
|
|
37
|
+
scope: ['openid', 'profile', 'email'],
|
|
38
|
+
credentials: {
|
|
39
|
+
client: {
|
|
40
|
+
id: process.env.CLIENT_ID!,
|
|
41
|
+
secret: process.env.CLIENT_SECRET!,
|
|
42
|
+
},
|
|
43
|
+
auth: {
|
|
44
|
+
authorizeHost: process.env.AUTH_SERVER!,
|
|
45
|
+
authorizePath: '/authorize',
|
|
46
|
+
tokenHost: process.env.AUTH_SERVER!,
|
|
47
|
+
tokenPath: '/token',
|
|
48
|
+
},
|
|
49
|
+
},
|
|
50
|
+
startRedirectPath: '/login',
|
|
51
|
+
callbackUri: process.env.CALLBACK_URI!,
|
|
52
|
+
pkce: 'S256', // RFC 7636 — always use for public clients
|
|
53
|
+
generateStateFunction: (req) => req.session.state = crypto.randomUUID(),
|
|
54
|
+
checkStateFunction: (req, callback) =>
|
|
55
|
+
req.query.state === req.session.state ? callback() : callback(new Error('State mismatch')),
|
|
56
|
+
})
|
|
57
|
+
})
|
|
58
|
+
```
|
|
59
|
+
|
|
60
|
+
**Validation checkpoint:** Confirm `callbackUri` exactly matches a registered redirect URI at the authorization server before proceeding (RFC 6749 §3.1.2).
|
|
61
|
+
|
|
62
|
+
### 3. Handle the callback and exchange the code
|
|
63
|
+
|
|
64
|
+
```typescript
|
|
65
|
+
// routes/auth.ts
|
|
66
|
+
import { FastifyInstance } from 'fastify'
|
|
67
|
+
|
|
68
|
+
export default async function authRoutes(fastify: FastifyInstance) {
|
|
69
|
+
fastify.get('/login/callback', async (request, reply) => {
|
|
70
|
+
// @fastify/oauth2 verifies state and exchanges code automatically
|
|
71
|
+
const tokenResponse = await fastify.oauth2.getAccessTokenFromAuthorizationCodeFlow(request)
|
|
72
|
+
|
|
73
|
+
// Store only what you need; never log the raw token
|
|
74
|
+
request.session.set('accessToken', tokenResponse.token.access_token)
|
|
75
|
+
request.session.set('refreshToken', tokenResponse.token.refresh_token)
|
|
76
|
+
|
|
77
|
+
return reply.redirect('/')
|
|
78
|
+
})
|
|
79
|
+
|
|
80
|
+
fastify.get('/logout', async (request, reply) => {
|
|
81
|
+
await request.session.destroy()
|
|
82
|
+
return reply.redirect('/')
|
|
83
|
+
})
|
|
84
|
+
}
|
|
85
|
+
```
|
|
86
|
+
|
|
87
|
+
### 4. JWT validation middleware (token introspection hook)
|
|
88
|
+
|
|
89
|
+
```typescript
|
|
90
|
+
// hooks/verifyToken.ts
|
|
91
|
+
import { FastifyRequest, FastifyReply } from 'fastify'
|
|
92
|
+
import jwt from '@fastify/jwt'
|
|
93
|
+
|
|
94
|
+
export async function verifyToken(request: FastifyRequest, reply: FastifyReply) {
|
|
95
|
+
try {
|
|
96
|
+
await request.jwtVerify()
|
|
97
|
+
// Validate required claims (RFC 7519)
|
|
98
|
+
const payload = request.user as Record<string, unknown>
|
|
99
|
+
const now = Math.floor(Date.now() / 1000)
|
|
100
|
+
|
|
101
|
+
if (typeof payload.exp === 'number' && payload.exp < now)
|
|
102
|
+
return reply.code(401).send({ error: 'token_expired' })
|
|
103
|
+
|
|
104
|
+
if (payload.iss !== process.env.EXPECTED_ISSUER)
|
|
105
|
+
return reply.code(401).send({ error: 'invalid_issuer' })
|
|
106
|
+
|
|
107
|
+
if (payload.aud !== process.env.EXPECTED_AUDIENCE)
|
|
108
|
+
return reply.code(401).send({ error: 'invalid_audience' })
|
|
109
|
+
|
|
110
|
+
} catch (err) {
|
|
111
|
+
return reply.code(401).send({ error: 'invalid_token', error_description: (err as Error).message })
|
|
112
|
+
}
|
|
113
|
+
}
|
|
114
|
+
```
|
|
115
|
+
|
|
116
|
+
**Validation checkpoints:**
|
|
117
|
+
- Verify `exp`, `iss`, `aud`, and `sub` on every request — never skip (RFC 7519 §4)
|
|
118
|
+
- Use `fastify.jwt.verify` (asymmetric RS256/ES256) rather than HS256 for tokens issued by a third-party server
|
|
119
|
+
|
|
120
|
+
### 5. Protecting routes
|
|
121
|
+
|
|
122
|
+
```typescript
|
|
123
|
+
// routes/api.ts
|
|
124
|
+
import { FastifyInstance } from 'fastify'
|
|
125
|
+
import { verifyToken } from '../hooks/verifyToken'
|
|
126
|
+
|
|
127
|
+
export default async function apiRoutes(fastify: FastifyInstance) {
|
|
128
|
+
fastify.addHook('onRequest', verifyToken) // applies to all routes in this scope
|
|
129
|
+
|
|
130
|
+
fastify.get('/me', {
|
|
131
|
+
schema: {
|
|
132
|
+
response: { 200: { type: 'object', properties: { sub: { type: 'string' } } } },
|
|
133
|
+
},
|
|
134
|
+
}, async (request) => {
|
|
135
|
+
const user = request.user as { sub: string }
|
|
136
|
+
return { sub: user.sub }
|
|
137
|
+
})
|
|
138
|
+
}
|
|
139
|
+
```
|
|
140
|
+
|
|
141
|
+
### 6. Refresh token rotation
|
|
142
|
+
|
|
143
|
+
```typescript
|
|
144
|
+
async function refreshAccessToken(fastify: FastifyInstance, refreshToken: string) {
|
|
145
|
+
const newToken = await fastify.oauth2.getNewAccessTokenUsingRefreshTokenFlow({ refresh_token: refreshToken })
|
|
146
|
+
|
|
147
|
+
// Always replace the stored refresh token if rotation is in use (RFC 6749 §10.4)
|
|
148
|
+
return {
|
|
149
|
+
accessToken: newToken.token.access_token,
|
|
150
|
+
refreshToken: newToken.token.refresh_token ?? refreshToken,
|
|
151
|
+
}
|
|
152
|
+
}
|
|
153
|
+
```
|
|
154
|
+
|
|
155
|
+
---
|
|
156
|
+
|
|
157
|
+
## Security checklist
|
|
158
|
+
|
|
159
|
+
| Requirement | RFC reference |
|
|
160
|
+
|---|---|
|
|
161
|
+
| Validate redirect URI against allowlist | RFC 6749 §3.1.2 |
|
|
162
|
+
| PKCE (S256) for all public clients | RFC 7636 §4.2 |
|
|
163
|
+
| Validate `state` to prevent CSRF | RFC 6749 §10.12 |
|
|
164
|
+
| Validate `iss`, `aud`, `exp` on every JWT | RFC 7519 §4 |
|
|
165
|
+
| Rotate refresh tokens on every use | RFC 6749 §10.4 |
|
|
166
|
+
| Use HTTPS everywhere; reject HTTP redirect URIs | RFC 6749 §3.1.2.1 |
|
|
167
|
+
| Rate-limit token endpoints | OAuth 2.1 §7 |
|
|
168
|
+
|
|
169
|
+
---
|
|
170
|
+
|
|
171
|
+
## Common anti-patterns
|
|
172
|
+
|
|
173
|
+
- **Storing tokens in localStorage** — use `HttpOnly`, `Secure`, `SameSite=Strict` cookies instead
|
|
174
|
+
- **Skipping audience validation** — allows token reuse across services
|
|
175
|
+
- **Using implicit flow** — deprecated in OAuth 2.1; use authorization code + PKCE
|
|
176
|
+
- **Accepting `response_type=token` in browser apps** — tokens in URL fragments leak in logs/referrers
|
|
177
|
+
- **Symmetric signing (HS256) for third-party tokens** — use RS256/ES256 with JWKS endpoint
|
|
178
|
+
|
|
179
|
+
---
|
|
180
|
+
|
|
181
|
+
## Further implementation references
|
|
182
|
+
|
|
183
|
+
- See `DEVICE_FLOW.md` for device authorization flow (RFC 8628) implementation
|
|
184
|
+
- See `TOKEN_VALIDATION.md` for JWKS rotation, caching strategies, and opaque token introspection
|
|
185
|
+
- See `CLIENT_CREDENTIALS.md` for machine-to-machine service authentication patterns
|
|
186
|
+
- See `MOBILE_OAUTH.md` for native/mobile app flows (RFC 8252) and custom URI schemes
|
|
@@ -0,0 +1,59 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: obsidian-vault
|
|
3
|
+
description: Search, create, and manage notes in the Obsidian vault with wikilinks and index notes. Use when user wants to find, create, or organize notes in Obsidian.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# Obsidian Vault
|
|
7
|
+
|
|
8
|
+
## Vault location
|
|
9
|
+
|
|
10
|
+
`/mnt/d/Obsidian Vault/AI Research/`
|
|
11
|
+
|
|
12
|
+
Mostly flat at root level.
|
|
13
|
+
|
|
14
|
+
## Naming conventions
|
|
15
|
+
|
|
16
|
+
- **Index notes**: aggregate related topics (e.g., `Ralph Wiggum Index.md`, `Skills Index.md`, `RAG Index.md`)
|
|
17
|
+
- **Title case** for all note names
|
|
18
|
+
- No folders for organization - use links and index notes instead
|
|
19
|
+
|
|
20
|
+
## Linking
|
|
21
|
+
|
|
22
|
+
- Use Obsidian `[[wikilinks]]` syntax: `[[Note Title]]`
|
|
23
|
+
- Notes link to dependencies/related notes at the bottom
|
|
24
|
+
- Index notes are just lists of `[[wikilinks]]`
|
|
25
|
+
|
|
26
|
+
## Workflows
|
|
27
|
+
|
|
28
|
+
### Search for notes
|
|
29
|
+
|
|
30
|
+
```bash
|
|
31
|
+
# Search by filename
|
|
32
|
+
find "/mnt/d/Obsidian Vault/AI Research/" -name "*.md" | grep -i "keyword"
|
|
33
|
+
|
|
34
|
+
# Search by content
|
|
35
|
+
grep -rl "keyword" "/mnt/d/Obsidian Vault/AI Research/" --include="*.md"
|
|
36
|
+
```
|
|
37
|
+
|
|
38
|
+
Or use Grep/Glob tools directly on the vault path.
|
|
39
|
+
|
|
40
|
+
### Create a new note
|
|
41
|
+
|
|
42
|
+
1. Use **Title Case** for filename
|
|
43
|
+
2. Write content as a unit of learning (per vault rules)
|
|
44
|
+
3. Add `[[wikilinks]]` to related notes at the bottom
|
|
45
|
+
4. If part of a numbered sequence, use the hierarchical numbering scheme
|
|
46
|
+
|
|
47
|
+
### Find related notes
|
|
48
|
+
|
|
49
|
+
Search for `[[Note Title]]` across the vault to find backlinks:
|
|
50
|
+
|
|
51
|
+
```bash
|
|
52
|
+
grep -rl "\\[\\[Note Title\\]\\]" "/mnt/d/Obsidian Vault/AI Research/"
|
|
53
|
+
```
|
|
54
|
+
|
|
55
|
+
### Find index notes
|
|
56
|
+
|
|
57
|
+
```bash
|
|
58
|
+
find "/mnt/d/Obsidian Vault/AI Research/" -name "*Index*"
|
|
59
|
+
```
|
|
@@ -0,0 +1,93 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: octocat
|
|
3
|
+
description: Use this skill whenever the prompt contains any `github.com` URL, even if the user only pastes a link and gives no GitHub-specific keywords. Handles git and GitHub operations using the gh CLI. Triggers include any GitHub link to an issue, pull request, commit, compare page, Actions run, release, discussion, or repository. Covers creating and reviewing PRs, watching CI checks, interactive rebasing, branch cleanup, submodule management, and repository archaeology with git log/blame/bisect.
|
|
4
|
+
metadata:
|
|
5
|
+
tags: git, github, gh-cli, version-control, merge-conflicts, pull-requests
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## When to use
|
|
9
|
+
|
|
10
|
+
Use this skill for:
|
|
11
|
+
- Any prompt containing a pasted `github.com` URL, even without words like "GitHub", "issue", "PR", or "repo"
|
|
12
|
+
- Any GitHub link to an issue, pull request, commit, compare page, Actions run, release, discussion, or repository
|
|
13
|
+
- "Fix https://github.com/owner/repo/issues/123" style tasks
|
|
14
|
+
- Creating, reviewing, and managing pull requests and GitHub issues
|
|
15
|
+
- Merge conflict resolution and history rewriting
|
|
16
|
+
- Pre-commit hook debugging and fixes
|
|
17
|
+
- Branch management and cleanup
|
|
18
|
+
- GitHub Actions workflow optimization
|
|
19
|
+
- Any git command or GitHub workflow question
|
|
20
|
+
|
|
21
|
+
## Instructions
|
|
22
|
+
|
|
23
|
+
When invoked:
|
|
24
|
+
1. If the prompt includes a GitHub URL, treat that URL alone as sufficient reason to invoke this skill and inspect it with `gh`/`git` first
|
|
25
|
+
2. Assess the git/GitHub situation immediately
|
|
26
|
+
3. If the prompt includes a `github.com` URL, activate this skill immediately and translate that URL into the relevant `gh`/`git` workflow
|
|
27
|
+
4. Use gh CLI for all GitHub operations (never suggest the web interface)
|
|
28
|
+
5. Handle complex git operations with surgical precision
|
|
29
|
+
6. Fix pre-commit hook issues or delegate to typescript-magician for TypeScript linting
|
|
30
|
+
7. Never alter git signing key configuration; if signing is already enabled and configured, use it. Otherwise, proceed without signing
|
|
31
|
+
8. NEVER include "Co-Authored-By: Claude" or similar AI attribution
|
|
32
|
+
|
|
33
|
+
## Activation examples
|
|
34
|
+
|
|
35
|
+
- `Fix https://github.com/mercurius-js/mercurius/issues/1227`
|
|
36
|
+
- `Review https://github.com/nodejs/node/pull/12345`
|
|
37
|
+
- `What changed in https://github.com/org/repo/compare/v1.0.0...v1.1.0?`
|
|
38
|
+
- `Check https://github.com/org/repo/actions/runs/123456789`
|
|
39
|
+
- `Investigate https://github.com/org/repo/commit/abcdef1234567890`
|
|
40
|
+
|
|
41
|
+
## Capabilities
|
|
42
|
+
|
|
43
|
+
**Advanced git operations:**
|
|
44
|
+
- Interactive rebasing for clean history (commit splitting, squashing)
|
|
45
|
+
- Cherry-pick, bisect, worktrees
|
|
46
|
+
- Advanced merge strategies
|
|
47
|
+
- Submodule and subtree management
|
|
48
|
+
- Git hooks setup and maintenance
|
|
49
|
+
- Repository archaeology with git log/blame/show
|
|
50
|
+
|
|
51
|
+
**GitHub operations via gh CLI:**
|
|
52
|
+
- Create/manage PRs with proper templates
|
|
53
|
+
- Open PRs with explicit base/head and clear concise content, e.g. `gh pr create --base main --head <branch> --title "<title>" --body-file <file>`
|
|
54
|
+
- After opening a PR, wait for CI with `gh pr checks <num> --watch 2>&1` and proactively fix failures
|
|
55
|
+
- Validate unfamiliar gh commands first with `gh help <command>` before using them in guidance
|
|
56
|
+
- Handle issues and project boards
|
|
57
|
+
- Manage releases and artifacts
|
|
58
|
+
- Configure repository settings
|
|
59
|
+
- Automate workflows and notifications
|
|
60
|
+
|
|
61
|
+
## PR Body Formatting
|
|
62
|
+
|
|
63
|
+
When creating PRs with `gh pr create`, use `--body-file` to avoid newline escaping issues with the `--body` flag.
|
|
64
|
+
|
|
65
|
+
PR descriptions should stay simple:
|
|
66
|
+
- Write a short description of the change in plain prose
|
|
67
|
+
- Do not add subsections or headings such as `## Summary` or `## Testing`
|
|
68
|
+
- Do not include a testing section
|
|
69
|
+
- Architecture changes may need a slightly longer description if extra context is necessary
|
|
70
|
+
|
|
71
|
+
```bash
|
|
72
|
+
cat > /tmp/pr-body.md << 'EOF'
|
|
73
|
+
Refactor plugin loading so skills are discovered from the registry instead of being hardcoded.
|
|
74
|
+
EOF
|
|
75
|
+
gh pr create --body-file /tmp/pr-body.md
|
|
76
|
+
```
|
|
77
|
+
|
|
78
|
+
Using a temporary file is cleaner, more reliable, and easier to debug.
|
|
79
|
+
|
|
80
|
+
## Validation Checkpoints for Complex Operations
|
|
81
|
+
|
|
82
|
+
**Interactive rebase:** `git rebase -i <base>` → verify with `git log --oneline -n 10` → on conflict: resolve, `git add <file>`, `git rebase --continue` → abort anytime with `git rebase --abort`.
|
|
83
|
+
|
|
84
|
+
**Merge conflict resolution:** `git status` (find conflicts) → inspect with `git diff` or open file → resolve all markers → `git add <resolved-file>` → `git merge --continue` (or `git rebase --continue`) → confirm clean state with `git status`.
|
|
85
|
+
|
|
86
|
+
**Branch cleanup:** `git branch --merged main` → `git branch -d <branch>` → `git push origin --delete <branch>` → `git fetch --prune`.
|
|
87
|
+
|
|
88
|
+
## Commit Signing and Attribution Rules
|
|
89
|
+
|
|
90
|
+
- NEVER alter git signing key settings (`user.signingkey`) or signing mode in user/repo config
|
|
91
|
+
- If commit signing is already enabled and correctly configured, create signed commits using the existing setup
|
|
92
|
+
- If signing is not enabled/configured, do not force or configure signing; proceed without it
|
|
93
|
+
- NEVER add AI co-authorship attributions (e.g. "Co-Authored-By: Claude")
|
|
@@ -0,0 +1,157 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: openclaw-secure-linux-cloud
|
|
3
|
+
description: Use when self-hosting OpenClaw on a cloud server, hardening a remote OpenClaw gateway, choosing between SSH tunneling, Tailscale, or reverse-proxy exposure, or reviewing Podman, pairing, sandboxing, token auth, and tool-permission defaults for a secure personal deployment.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
## Overview
|
|
7
|
+
|
|
8
|
+
Use this skill for the conservative "deploy first, expose later" pattern for
|
|
9
|
+
OpenClaw on a cloud server.
|
|
10
|
+
|
|
11
|
+
Default to a private control plane:
|
|
12
|
+
|
|
13
|
+
- Harden the Linux host before exposing anything.
|
|
14
|
+
- Keep the gateway bound to `127.0.0.1`.
|
|
15
|
+
- Reach the Control UI through an SSH tunnel first.
|
|
16
|
+
- Keep token authentication, pairing, and sandboxing enabled.
|
|
17
|
+
- Start with a narrow tool profile and loosen only with an explicit need.
|
|
18
|
+
|
|
19
|
+
This skill is for secure Linux cloud hosting. If the user only wants the
|
|
20
|
+
fastest generic OpenClaw install on a local machine, prefer the official
|
|
21
|
+
OpenClaw onboarding docs instead of forcing this flow.
|
|
22
|
+
|
|
23
|
+
Open [`references/REFERENCE.md`](./references/REFERENCE.md) when you need the
|
|
24
|
+
command matrix, baseline config shape, checklist, or access-path comparison.
|
|
25
|
+
|
|
26
|
+
## When To Use
|
|
27
|
+
|
|
28
|
+
Use this skill when the user mentions any of the following:
|
|
29
|
+
|
|
30
|
+
- OpenClaw on a cloud server, VM, or other Linux host
|
|
31
|
+
- Secure self-hosting, hardening, or "run it privately"
|
|
32
|
+
- Podman, loopback binding, SSH tunneling, or remote Control UI access
|
|
33
|
+
- Tailscale vs reverse proxy for OpenClaw
|
|
34
|
+
- Pairing, sandboxing, token auth, or locked-down tool permissions
|
|
35
|
+
- Reviewing whether an existing OpenClaw host is too exposed
|
|
36
|
+
|
|
37
|
+
Do not use this skill for:
|
|
38
|
+
|
|
39
|
+
- General Linux hardening with no OpenClaw component
|
|
40
|
+
- Local single-machine onboarding where remote access is irrelevant
|
|
41
|
+
- Pure local onboarding with no remote-host hardening questions
|
|
42
|
+
- Non-Linux hosting unless the user explicitly wants this Linux-first pattern
|
|
43
|
+
adapted
|
|
44
|
+
|
|
45
|
+
## Workflow
|
|
46
|
+
|
|
47
|
+
### 1. Classify the request
|
|
48
|
+
|
|
49
|
+
Put the task in one of these buckets before giving detailed guidance:
|
|
50
|
+
|
|
51
|
+
1. **Fresh deploy**: the user wants to stand up OpenClaw securely on a Linux
|
|
52
|
+
cloud host from scratch.
|
|
53
|
+
2. **Hardening review**: the user already has OpenClaw running and wants to
|
|
54
|
+
reduce exposure or audit risky defaults.
|
|
55
|
+
3. **Access-model decision**: the user is choosing between SSH tunneling,
|
|
56
|
+
Tailscale, or a reverse proxy.
|
|
57
|
+
|
|
58
|
+
### 2. Start from the secure baseline
|
|
59
|
+
|
|
60
|
+
Unless the user clearly asks for something else, recommend this baseline:
|
|
61
|
+
|
|
62
|
+
- Harden the Linux host first: updates, SSH keys, SSH lock-down, and a
|
|
63
|
+
default-deny inbound firewall matched to the distro.
|
|
64
|
+
- Run OpenClaw under rootless Podman rather than as a root-owned long-lived
|
|
65
|
+
process.
|
|
66
|
+
- Keep the gateway on loopback only.
|
|
67
|
+
- Keep the Control UI private and access it through an SSH tunnel.
|
|
68
|
+
- Require token authentication.
|
|
69
|
+
- Keep pairing enabled for inbound messaging channels.
|
|
70
|
+
- Start with a minimal tool set and sandbox sessions by default.
|
|
71
|
+
|
|
72
|
+
Treat these as explicit red flags:
|
|
73
|
+
|
|
74
|
+
- Binding the gateway to `0.0.0.0`
|
|
75
|
+
- Opening port `18789` to the public internet
|
|
76
|
+
- Turning on broad runtime, filesystem, automation, or browser access by
|
|
77
|
+
default
|
|
78
|
+
- Leaving `~/.openclaw` readable by other local users
|
|
79
|
+
|
|
80
|
+
### 3. Separate local and server actions
|
|
81
|
+
|
|
82
|
+
Always distinguish between:
|
|
83
|
+
|
|
84
|
+
- **Local machine actions**: SSH key generation, tunnel setup, browser access
|
|
85
|
+
- **Server actions**: Linux hardening, Podman install path, OpenClaw service
|
|
86
|
+
setup, config permissions, service restarts
|
|
87
|
+
|
|
88
|
+
Do not blur the two execution contexts together. The user should be able to
|
|
89
|
+
tell which commands run on their laptop and which run on the Linux host.
|
|
90
|
+
|
|
91
|
+
### 4. Ask only for blocking facts
|
|
92
|
+
|
|
93
|
+
Only stop for missing facts that change the safe path, such as:
|
|
94
|
+
|
|
95
|
+
- Linux distro and host access details when package-manager or firewall
|
|
96
|
+
commands matter
|
|
97
|
+
- Whether OpenClaw is already installed
|
|
98
|
+
- Whether the user truly needs repeated remote private access or public access
|
|
99
|
+
- Whether an existing deployment is already reachable from the internet
|
|
100
|
+
|
|
101
|
+
If a detail is not safety-critical, make the reasonable secure assumption and
|
|
102
|
+
state it.
|
|
103
|
+
|
|
104
|
+
### 5. Use the access escalation ladder
|
|
105
|
+
|
|
106
|
+
Recommend remote access in this order:
|
|
107
|
+
|
|
108
|
+
1. **SSH tunnel**: default for first deployment and personal use
|
|
109
|
+
2. **Tailscale**: next step when the user needs repeated private access across
|
|
110
|
+
trusted devices
|
|
111
|
+
3. **Reverse proxy**: only when the user explicitly needs public exposure and
|
|
112
|
+
accepts the extra hardening burden
|
|
113
|
+
|
|
114
|
+
If the user asks for Tailscale or reverse proxy, still explain why the loopback
|
|
115
|
+
binding and private-first model remain the baseline.
|
|
116
|
+
|
|
117
|
+
## Output Expectations
|
|
118
|
+
|
|
119
|
+
For a fresh deployment, provide:
|
|
120
|
+
|
|
121
|
+
- A short architecture summary
|
|
122
|
+
- Local-vs-server steps
|
|
123
|
+
- A conservative config baseline
|
|
124
|
+
- A pre-launch checklist
|
|
125
|
+
- A short "what not to expose" warning
|
|
126
|
+
|
|
127
|
+
For a hardening review, provide:
|
|
128
|
+
|
|
129
|
+
- The likely risks in the current setup
|
|
130
|
+
- A prioritized remediation sequence
|
|
131
|
+
- Any immediate exposure concerns to fix before anything else
|
|
132
|
+
|
|
133
|
+
For an access-path decision, provide:
|
|
134
|
+
|
|
135
|
+
- A recommendation
|
|
136
|
+
- Why it is the lowest-risk fit
|
|
137
|
+
- What extra safeguards are required if the user chooses a broader exposure
|
|
138
|
+
model
|
|
139
|
+
|
|
140
|
+
## Common Mistakes
|
|
141
|
+
|
|
142
|
+
- Treating OpenClaw like a normal public web app on day one
|
|
143
|
+
- Assuming auth alone replaces network boundaries
|
|
144
|
+
- Turning on more tool power before the user has a clear workflow that needs it
|
|
145
|
+
- Disabling pairing just to save time during early setup
|
|
146
|
+
- Skipping follow-up audits after changing config or sandbox settings
|
|
147
|
+
|
|
148
|
+
## Reference Usage
|
|
149
|
+
|
|
150
|
+
Use [`references/REFERENCE.md`](./references/REFERENCE.md) when you need:
|
|
151
|
+
|
|
152
|
+
- The cross-distro hardening flow and Debian/Ubuntu example commands
|
|
153
|
+
- The Podman-based OpenClaw setup outline
|
|
154
|
+
- The baseline config skeleton
|
|
155
|
+
- The pre-launch checklist
|
|
156
|
+
- The day-to-day audit commands
|
|
157
|
+
- The SSH tunnel vs Tailscale vs reverse-proxy comparison
|