RBAC & Security

Agent identity, role-based access control, network policy enforcement, and the immutable audit trail.

Agent Identity

Every agent in ClawPilot has a cryptographic identity. No action can be attributed to an anonymous actor — every log entry, task mutation, and API call is signed with the originating agent's identity.

interface AgentIdentity {
  id: string;            // "openclaw" | "claude-code" | "dombot" | custom
  displayName: string;
  role: "owner" | "agent" | "viewer";
  apiKeyHash: string;    // SHA-256 of the agent's API key
  registeredAt: string;  // ISO 8601
}

Roles

| Role | Who | Permissions |
|---|---|---|
| Owner | Ldom (human) | Full access: create/delete tasks, read/write logs, modify config, veto any agent action, manage agents. |
| Agent | Claude Code, OpenClaw, Gemini | Execute tasks, append logs, update task status. Cannot delete tasks, cannot modify other agents' entries. |
| Viewer | Read-only dashboards, monitoring | Read logs, read task list. No write access whatsoever. |

Network Policy

ClawPilot enforces network-level access control between services. Three modes:

Unrestricted (development only)

All services can reach all other services and the public internet. Do not use in production.

NETWORK_POLICY=unrestricted

Restricted (recommended)

Services can only call services they are explicitly allowed to reach. Agents cannot call each other directly — all coordination goes through the Hub.

NETWORK_POLICY=restricted

# Explicit allowlist per service (in network-policy.yml)
openclaw:
  allowed_outbound:
    - hub          # submit results
    - logger       # append logs
    # NOT kanban — openclaw doesn't modify tasks directly

claude-code:
  allowed_outbound:
    - hub
    - logger
    - kanban       # can update task status
    - api.anthropic.com

Allowlist (enterprise)

Full IP/domain allowlist with egress filtering. Useful for compliance environments where agents must not reach arbitrary external endpoints.

Immutable Audit Trail

The audit log is append-only. Once a log entry is written, it cannot be modified or deleted — not even by the Owner role. This is enforced at the storage layer (append-only file + hash chain).

Each entry contains a chain hash: SHA-256(previous_entry_hash + entry_content). Any tampering with historical entries breaks the chain and is immediately detectable.

{
  "id": "log-8823",
  "ts": "2026-03-17T08:14:32Z",
  "agent": "claude-code",
  "agent_role": "agent",
  "action": "EXECUTE",
  "confidence": 0.91,
  "message": "Optimization applied",
  "task_id": "task-001",
  "chain_hash": "sha256:a3f8c2..."  // links to previous entry
}
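
A minimal verifier for the hash chain described above, added here as an example and not ClawPilot's own code. The page specifies only SHA-256(previous_entry_hash + entry_content); the canonical-JSON serialization, the all-zero genesis value, the `trusted_head` check and all function names are assumptions.

```python
import hashlib
import json

GENESIS = "sha256:" + "0" * 64  # assumption: predecessor value for the first entry


def chain_hash(prev_hash, entry):
    # SHA-256(previous_entry_hash + entry_content); canonical JSON is an assumption.
    content = {k: v for k, v in entry.items() if k != "chain_hash"}
    canonical = json.dumps(content, sort_keys=True, separators=(",", ":"))
    return "sha256:" + hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


def append_entry(log, entry):
    # Link the new entry to the current tail (or to GENESIS for an empty log).
    prev = log[-1]["chain_hash"] if log else GENESIS
    log.append({**entry, "chain_hash": chain_hash(prev, entry)})


def verify_chain(log, trusted_head=None):
    """Return (ok, first_bad_index).

    first_bad_index is None when every link verifies; ok is still False if the
    tail hash differs from trusted_head, a value kept outside the log store so
    that a wholesale rewrite or a truncated tail does not pass unnoticed.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("chain_hash") != chain_hash(prev, entry):
            return False, i
        prev = entry["chain_hash"]
    return (trusted_head is None or prev == trusted_head), None


def build_sample_log():
    # Constructed sample entries using field names from the page's log example.
    log = []
    rows = [("EXECUTE", "Optimization applied"), ("SKIP", "Vetoed by owner"),
            ("EXECUTE", "Tests passed")]
    for n, (action, message) in enumerate(rows):
        append_entry(log, {"id": f"log-{n}", "agent": "claude-code",
                           "agent_role": "agent", "action": action,
                           "message": message, "task_id": "task-001"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["chain_hash"]                  # record this outside the log store
    log[1]["message"] = "edited after the fact"   # simulated tampering
    print(verify_chain(log, head))                # (False, 1)
```

Link checks alone only prove internal consistency, so the verifier also compares the tail against a head hash recorded somewhere the log writer cannot change.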

Human Veto

The Owner role can veto any agent action before it is executed. The Hub surfaces all pending high-risk actions (confidence < 0.5) for human review. Vetoed actions are logged as SKIP with reason: human_veto — never silently dropped.

Secret Management

API keys are never stored in plaintext. ClawPilot uses a local secrets store (backed by the OS keyring or a local Vault instance):

# Store a secret
labos secrets set CLAUDE_API_KEY sk-ant-...

# Reference it in config (never in .env for production)
agent:
  claude-code:
    api_key: ${{ secrets.CLAUDE_API_KEY }}

Security Checklist