Description
Here's the updated feature request template:
🎯 The Goal / Use Case
PicoClaw needs comprehensive security features to protect against common vulnerabilities when handling sensitive data like API keys, tokens, and user credentials. As an AI agent that interacts with external services and processes user input, it must defend against:
- SSRF attacks via web tools
- Data leakage through logs containing sensitive information
- Prompt injection attacks that could manipulate agent behavior
- Credential exposure from plain-text storage
- Abuse through unbounded API/tool usage
💡 Proposed Solution
Implement a three-phase security framework:
Phase 1: Critical Security
- SSRF Protection with IP blocklists, metadata endpoint blocking, and DNS rebinding defense
- Privacy Redaction for API keys, tokens, passwords, and PII in logs
- Unified Security Configuration Schema
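How the three SSRF defenses in this phase fit together in Go, as an added example written for this issue and not code from PicoClaw's pkg/ssrf/guard.go: the `Guard`, `CheckHost`, `CheckURL` and `NewClient` names, the metadata host list, the extra blocklisted prefixes, and the sample URLs are all constructed here. The two points a plain "is it a private IP?" check misses are that every DNS answer must be checked (not just the first), and that the connection must then be made to the checked address rather than re-resolving the name, which is the window a DNS rebinding attack uses.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"strings"
	"time"
)

var ErrBlocked = errors.New("ssrf guard: destination blocked")

// Constructed blocklists for this example: metadata endpoints by name, plus IPv4
// ranges netip's predicates miss (0/8, CGNAT, IETF assignments, benchmarking, reserved).
var metadataHosts = map[string]bool{"169.254.169.254": true, "metadata.google.internal": true, "fd00:ec2::254": true}
var extraBlocked = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"), netip.MustParsePrefix("100.64.0.0/10"), netip.MustParsePrefix("192.0.0.0/24"),
	netip.MustParsePrefix("198.18.0.0/15"), netip.MustParsePrefix("240.0.0.0/4"),
}

// Guard is the policy; Resolve is a field so tests can inject DNS answers offline.
type Guard struct {
	Resolve func(ctx context.Context, host string) ([]netip.Addr, error)
}

func NewGuard() *Guard {
	return &Guard{Resolve: func(ctx context.Context, host string) ([]netip.Addr, error) {
		return net.DefaultResolver.LookupNetIP(ctx, "ip", host)
	}}
}

// ipAllowed rejects loopback, RFC 1918, link-local (which covers 169.254.169.254),
// ULA IPv6, multicast, unspecified and extraBlocked. IPv4-mapped IPv6 such as
// ::ffff:10.0.0.1 is unmapped first so the mapped form cannot slip past the checks.
func ipAllowed(a netip.Addr) bool {
	a = a.Unmap()
	if a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() || a.IsMulticast() ||
		a.IsLinkLocalMulticast() || a.IsInterfaceLocalMulticast() || a.IsUnspecified() {
		return false
	}
	for _, p := range extraBlocked {
		if p.Contains(a) {
			return false
		}
	}
	return true
}

// CheckHost resolves host (or parses a literal IP) and rejects it if ANY answer is
// disallowed: a mixed public/private answer set must not get through on whichever
// address the dialer happens to pick first.
func (g *Guard) CheckHost(ctx context.Context, host string) ([]netip.Addr, error) {
	h := strings.ToLower(strings.TrimSuffix(host, "."))
	if h == "" || metadataHosts[h] {
		return nil, fmt.Errorf("%w: host %q", ErrBlocked, host)
	}
	var addrs []netip.Addr
	if a, err := netip.ParseAddr(h); err == nil {
		addrs = []netip.Addr{a} // literal IP: no DNS involved
	} else if addrs, err = g.Resolve(ctx, h); err != nil {
		return nil, err
	}
	if len(addrs) == 0 {
		return nil, fmt.Errorf("%w: %q resolved to nothing", ErrBlocked, host)
	}
	for _, a := range addrs {
		if !ipAllowed(a) {
			return nil, fmt.Errorf("%w: %s resolves to %s", ErrBlocked, host, a)
		}
	}
	return addrs, nil
}

// CheckURL is the pre-flight check on a tool argument before any network I/O.
func (g *Guard) CheckURL(ctx context.Context, raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.User != nil {
		return fmt.Errorf("%w: bad scheme %q or embedded credentials", ErrBlocked, u.Scheme)
	}
	_, err = g.CheckHost(ctx, u.Hostname())
	return err
}

// NewClient validates every connection the client opens (redirect hops included,
// since they go through the same dialer) and then dials the CHECKED address rather
// than re-resolving the name: re-resolution at dial time is the window a DNS
// rebinding attack exploits. TLS still verifies the original hostname because
// http.Transport takes ServerName from the request URL, not from the dial address.
func (g *Guard) NewClient() *http.Client {
	d := &net.Dialer{Timeout: 10 * time.Second}
	return &http.Client{Timeout: 30 * time.Second, Transport: &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			addrs, err := g.CheckHost(ctx, host)
			if err != nil {
				return nil, err
			}
			return d.DialContext(ctx, network, net.JoinHostPort(addrs[0].Unmap().String(), port))
		},
	}}
}

func main() {
	g := NewGuard()
	for _, raw := range []string{"http://169.254.169.254/latest/meta-data/", "http://[::ffff:127.0.0.1]:8080/admin", "https://93.184.216.34/"} {
		fmt.Printf("%-45s -> %v\n", raw, g.CheckURL(context.Background(), raw))
	}
}
```

`CheckURL` alone is not enough: it only vets the URL the agent was handed, while the server at that URL can answer with a redirect or a DNS record that points somewhere else. That is why the client from `NewClient` re-checks inside `DialContext`, where the decision is bound to the address actually connected to. `http.Client` stops after 10 redirects by default; add a `CheckRedirect` if a tighter cap is wanted.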
Phase 2: Core Security
- Audit Logging with tamper-evident HMAC hash chains
- Rate Limiting using token bucket algorithm
- Prompt Injection Defense with 40+ detection patterns
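What "tamper-evident HMAC hash chain" means in practice, as an added example for this issue rather than code from PicoClaw's pkg/audit/audit.go: the `Event` fields, the `Chain`/`Verify` API, the `genesis` constant and the sample records are all constructed here. Each record carries the MAC of its predecessor and its own MAC covers that link, so changing, deleting or reordering a record breaks every link after it. The one thing the chain cannot detect by itself is truncation at the tail, so `Verify` takes an externally stored head MAC for that.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

const genesis = "genesis" // PrevMAC of the first record (constructed constant)

// Event is one audit record. PrevMAC links it to its predecessor and MAC covers
// the whole record including PrevMAC, so altering, deleting or reordering any
// record invalidates the link of every record after it.
type Event struct {
	Seq     uint64 `json:"seq"`
	Time    string `json:"time"`
	Actor   string `json:"actor"`
	Action  string `json:"action"`
	Detail  string `json:"detail"`
	PrevMAC string `json:"prev_mac"`
	MAC     string `json:"mac"`
}

// Chain appends records under one HMAC key. The key must live outside the log
// (keychain, KMS): whoever holds it can rewrite the chain, so this is tamper
// EVIDENT against an attacker with write access to the log file only.
type Chain struct {
	key    []byte
	events []Event
	head   string
}

func NewChain(key []byte) *Chain { return &Chain{key: key, head: genesis} }

// mac is HMAC-SHA256 over the canonical JSON form with the MAC field blanked.
func mac(key []byte, e Event) string {
	e.MAC = ""
	b, _ := json.Marshal(e) // plain strings and integers cannot fail to marshal
	m := hmac.New(sha256.New, key)
	m.Write(b)
	return hex.EncodeToString(m.Sum(nil))
}

func (c *Chain) Append(actor, action, detail string) Event {
	e := Event{Seq: uint64(len(c.events)) + 1, Time: time.Now().UTC().Format(time.RFC3339Nano),
		Actor: actor, Action: action, Detail: detail, PrevMAC: c.head}
	e.MAC = mac(c.key, e)
	c.events = append(c.events, e)
	c.head = e.MAC
	return e
}

// Head is the MAC of the latest record. Persist it somewhere the log writer
// cannot reach (or emit it to a separate channel) to detect tail truncation.
func (c *Chain) Head() string    { return c.head }
func (c *Chain) Events() []Event { return append([]Event(nil), c.events...) }

// Verify re-walks events and returns the index of the first bad record, or -1.
// A chain cut short at the end is internally consistent, so truncation is only
// caught when the caller supplies the externally stored head.
func Verify(key []byte, events []Event, expectedHead string) (int, error) {
	prev := genesis
	for i, e := range events {
		switch {
		case e.Seq != uint64(i)+1:
			return i, fmt.Errorf("record %d: sequence gap (got seq %d)", i, e.Seq)
		case e.PrevMAC != prev:
			return i, fmt.Errorf("record %d: broken link to previous record", i)
		case !hmac.Equal([]byte(mac(key, e)), []byte(e.MAC)):
			return i, fmt.Errorf("record %d: MAC mismatch (content altered or wrong key)", i)
		}
		prev = e.MAC
	}
	if expectedHead != "" && prev != expectedHead {
		return len(events), fmt.Errorf("head mismatch: log truncated after record %d", len(events))
	}
	return -1, nil
}

func main() {
	key := []byte("constructed-demo-key-do-not-use-in-production")
	c := NewChain(key)
	c.Append("agent", "tool.web_fetch", "https://example.com/")
	c.Append("agent", "tool.shell", "ls -la")
	evs := c.Events()
	fmt.Println(Verify(key, evs, c.Head())) // -1 <nil>
	evs[0].Detail = "https://attacker.example/"
	fmt.Println(Verify(key, evs, c.Head())) // 0 record 0: MAC mismatch (content altered or wrong key)
}
```

The verifier needs the key, so verification happens on a separate host or under a separate identity from the agent that writes the log; if the agent process can read the HMAC key, a compromise of that process can also forge the chain. The `retention_days` setting in the configuration below then has to be applied by whole chain segments, each anchored by its stored head, or deleting the oldest records reads as tampering.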
Phase 3: Credential Security
- Credential Encryption using OS keychain (Windows/macOS/Linux) with ChaCha20-Poly1305/AES-256-GCM
🛠 Potential Implementation (Optional)
| Component | File | Description |
|---|---|---|
| SSRF Guard | pkg/ssrf/guard.go | Private IP blocking, metadata endpoint protection, DNS rebinding defense |
| Privacy Redaction | pkg/redaction/redaction.go | Auto-redact API keys, tokens, passwords, emails, phone numbers |
| Security Config | pkg/config/config.go | SecurityConfig struct with all security settings |
| Audit Logging | pkg/audit/audit.go | HMAC hash chain for tamper-evident security event logs |
| Rate Limiting | pkg/ratelimit/limiter.go | Token bucket with global/per-user limits |
| Injection Defense | pkg/injection/defender.go | Pattern detection, input sanitization, boundary wrapping |
| Credential Encryption | pkg/auth/encryption.go, pkg/auth/keychain.go, pkg/auth/secure_store.go | OS keychain integration with encrypted file fallback |
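A token bucket with the global/per-user split the table describes, as an added example written for this issue and not code from PicoClaw's pkg/ratelimit/limiter.go: the `Limiter` API, the rate and burst parameters, the injectable `Now` clock and the user names are all constructed here. The parts worth copying are that both buckets are refilled and checked before either is charged (a denial never costs a token), and that idle per-user buckets are swept, because a limiter keyed on attacker-controlled user IDs is otherwise its own memory-exhaustion vector.

```go
package main

import (
	"fmt"
	"math"
	"sync"
	"time"
)

// bucket is a token bucket refilled lazily: the tokens owed since the last
// access are credited on each call and capped at burst, so no ticker goroutine
// is needed per user.
type bucket struct {
	tokens float64
	burst  float64
	rate   float64 // tokens per second
	last   time.Time
}

func (b *bucket) refill(now time.Time) {
	if b.last.IsZero() {
		b.last = now
		return
	}
	if elapsed := now.Sub(b.last).Seconds(); elapsed > 0 {
		b.tokens = math.Min(b.burst, b.tokens+elapsed*b.rate)
		b.last = now
	}
}

// Limiter enforces a global budget and an independent budget per user, so one
// caller cannot burn the whole global allowance for everyone else.
type Limiter struct {
	mu        sync.Mutex
	Now       func() time.Time // injectable clock; tests substitute a fake one
	global    bucket
	users     map[string]*bucket
	userRate  float64
	userBurst float64
}

// NewLimiter takes rates in tokens per second and burst sizes in tokens.
func NewLimiter(globalRate, globalBurst, userRate, userBurst float64) *Limiter {
	return &Limiter{
		Now:       time.Now,
		global:    bucket{tokens: globalBurst, burst: globalBurst, rate: globalRate},
		users:     map[string]*bucket{},
		userRate:  userRate,
		userBurst: userBurst,
	}
}

// Allow reports whether user may make one request now. Both buckets are refilled
// and checked before either is charged, so a denial never costs a token.
func (l *Limiter) Allow(user string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.Now()
	ub, ok := l.users[user]
	if !ok {
		ub = &bucket{tokens: l.userBurst, burst: l.userBurst, rate: l.userRate}
		l.users[user] = ub
	}
	ub.refill(now)
	l.global.refill(now)
	if ub.tokens < 1 || l.global.tokens < 1 {
		return false
	}
	ub.tokens--
	l.global.tokens--
	return true
}

// Sweep drops buckets idle longer than idle, so a flood of distinct user IDs
// cannot grow the map without bound.
func (l *Limiter) Sweep(idle time.Duration) {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.Now()
	for u, b := range l.users {
		if now.Sub(b.last) > idle {
			delete(l.users, u)
		}
	}
}

func (l *Limiter) TrackedUsers() int { l.mu.Lock(); defer l.mu.Unlock(); return len(l.users) }

func main() {
	l := NewLimiter(4, 20, 1, 5) // global 4 req/s, burst 20; per user 1 req/s, burst 5
	allowed := 0
	for i := 0; i < 10; i++ {
		if l.Allow("alice") {
			allowed++
		}
	}
	fmt.Printf("alice: %d of 10 requests allowed (burst 5)\n", allowed)
}
```

A `requests_per_minute` setting like the one in the configuration below maps onto this as rate = N/60 tokens per second with burst chosen separately; making burst equal to N lets a single user fire all N requests in one second, which is rarely what the setting is meant to allow.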
Configuration Example:

```json
{
  "security": {
    "ssrf": { "enabled": true, "block_private_ips": true },
    "audit_logging": { "enabled": true, "retention_days": 30 },
    "rate_limiting": { "enabled": true, "requests_per_minute": 60 },
    "credential_encryption": { "enabled": true, "use_keychain": true },
    "prompt_injection": { "enabled": true, "sanitize_user_input": true }
  }
}
```

🚦 Impact & Roadmap Alignment
- This is a Core Feature
- This is a Nice-to-Have / Enhancement
- This aligns with the current Roadmap
Security is foundational for any AI agent handling sensitive data and external communications. This implementation ensures PicoClaw can be safely deployed in production environments.
🔄 Alternatives Considered
- External security middleware - Rejected; security should be built-in, not optional layers
- Third-party security libraries - Evaluated; a custom implementation gives tighter integration and a smaller footprint (the AEAD primitives themselves should still come from Go's standard `crypto` packages and `golang.org/x/crypto`, not be reimplemented)
- Encryption-only approach - Insufficient; defense-in-depth requires multiple security layers
💬 Additional Context
All modules include comprehensive unit tests. The implementation is backward compatible—existing functionality remains unchanged, and all security features can be disabled via configuration if needed.
References:
- OWASP Top 10 security risks
- CWE-918 (SSRF)
- OWASP Prompt Injection guidelines