GitShow/denoland/clawpatrol
denoland

clawpatrol

Security firewall for agents

by denoland
Star on GitHubForkWebsite

Go

903 stars41 forks12 contributorsActive · 19h agoSince 2026v0.5.3MIT

Meet the team

See all 12 on GitHub →
littledivy
littledivy134 contributions
piscisaureus
piscisaureus120 contributions
ry
ry99 contributions
arnauorriols
arnauorriols65 contributions
magurotuna
magurotuna61 contributions
josh-collinsworth
josh-collinsworth29 contributions
divybot
divybot17 contributions
crowlKats
crowlKats3 contributions

Languages

View on GitHub →
Go87.4%
TypeScript9.8%
Swift1.7%
CSS0.5%
Shell0.3%
HTML0.2%

Commit activity

Last 12 weeks · 536 commits

Full graph →

Community health

2 of 6 standards met

Community profile →
37
✓README✓License○Contributing○Code of Conduct○Issue Template○PR Template

Recent PRs & issues

Active · Last activity 19h ago
See all on GitHub →
magurotuna
oauth: add remote MCP credential flowOpenPR

Summary add a credential plugin bound to exactly one endpoint discover protected-resource and authorization-server metadata, perform dynamic client registration, and start PKCE OAuth with the MCP resource indicator persist discovered non-secret OAuth metadata in while keeping tokens in the existing OAuth credential store inject refreshed bearer tokens through the existing credential runtime path and fail closed on issuer/metadata ambiguity or endpoint substitution Testing Notes stacked on #752 () because it uses the new endpoint and MCP facet foundation this intentionally implements the strict generic OAuth path only; provider-specific compatibility shims such as Grain issuer-mismatch handling remain a follow-up

magurotuna · 18h ago
dhruvkelawala
macOS clawpatrol run: VIP-intercepted endpoints unreachable (NXDOMAIN) while upstream-forwarded hosts work; Linux clients unaffectedOpenIssue

Summary On macOS, (per-process NE / tsnet exit-node path) can only reach upstream-forwarded hosts. Endpoints that the gateway intercepts via a dnsvip VIP (e.g. Notion, Jira, Slack, Customer.io, Amplitude, Metabase, Figma) fail to resolve/route and time out, while hosts that fall through to upstream forwarding (e.g. , ) work fine. The identical gateway config + profile works completely on Linux (, netns path) — so this is specific to the macOS NE/tsnet DNS path, not the config. Environment clawpatrol v0.5.3 () on both client and gateway Client: macOS (Apple Silicon, arm64), NE installed + system extension , joined in Tailscale (tsnet) mode with a per-process profile Gateway: Linux (Ubuntu 24.04, EC2), tsnet mode; advertised exit routes Observed behavior From the macOS client, inside : (and the other intercepted endpoints) resolve fine outside (system DNS → 208.103.161.x), but return NXDOMAIN/empty inside the tunnel. The same profile/config works for all endpoints on a Linux client (, netns) against the same gateway. Gateway-side: is logged for / (they reach the gateway and succeed), but the intercepted hosts never produce a connection (no SNI), so the client never connects. Diagnosis Tracing → /: Non-intercepted hosts → → real IP → the NE routes the connection via the exit node () → gateway SNI-peeks → endpoint match → works. (github/chatgpt path.) Intercepted endpoints → gateway returns a VIP in the configured CIDR ( / ), but the macOS client gets an empty/unroutable answer and never connects. Additional facts: table is empty (no persisted VIPs), no "dropping persisted entry — VIP outside configured CIDRs" logs. Persisted across: gateway restart, fresh NE session ( + reconnect), and macOS DNS cache flush. Device→profile mapping is correct (verified in the gateway DB); the profile's compiled endpoint set is identical to the working Linux profile. This points at the macOS NE not handling the gateway's advertised VIP subnet route ( / ) — it appears to honor the exit-node default route (so real-IP/forwarded hosts work) but not the VIP CIDR, so VIP-intercepted endpoints are unreachable, and the dnsvip answer the client sees for those names is effectively empty. Expected behavior on macOS should reach all endpoints granted by the device's profile (matching Linux behavior), including the VIP-intercepted ones. Repro 1. Gateway with several endpoints + credentials (e.g. github, notion, jira, slack) and a profile granting them. 2. macOS client: , install . 3. → 200 4. → 000 (times out / NXDOMAIN inside tunnel) 5. Same commands from a Linux client on the same gateway/profile → both succeed.

dhruvkelawala · 1d ago
magurotuna
onboard: add OIDC ephemeral enrollmentOpenPR

Summary add config grammar and compile/runtime matching for claim-constrained ephemeral profiles add OIDC ID token verification with issuer discovery, audience checks, expiry handling, and replay rejection add an OIDC ephemeral lease store plus for unattended GitHub Actions-style enrollment add flags for the CLI entry point Testing with Notes this is the OIDC ephemeral enrollment foundation; the CLI currently exposes the join flags but the end-to-end runner UX may still need follow-up hardening OIDC enrollment uses the gateway as the expected audience and requires target profiles to opt in with

magurotuna · 1d ago

Recent fixes

View closed PRs →
piscisaureus
spike: wireguard + socks tunnel plugins (live via-chaining PoC)MergedPR

Spike — not for merge.** Kept for reference: the proof-of-concept that drove the brokered transport-dial interface (#714) and the SOCKS example (#719), now rebased onto main. Two standalone external tunnel plugins, both , and an env-gated live e2e that exercised them end to end: — wireguard-go + gVisor netstack; a small carries WG's UDP over the gateway's brokered instead of a raw socket. — SOCKS5 (CONNECT + UDP ASSOCIATE), usable as a parent. (The landable version of this is in #719; this standalone copy is what the e2e builds.) — , gated by . / flags select the stacking. Validated live (userspace WireGuard server + SOCKS5 UDP proxy): all three stackings returned the target's response — wireguard direct, wireguard socks (WG handshake UDP over the SOCKS5 UDP relay), socks wireguard (SOCKS TCP transport over the WG tunnel). Known gap: the HCL attribute on a plugin tunnel block isn't peeled yet, so the e2e wires on the compiled tunnel directly.

piscisaureus · 1d ago
13pass
feat(credentials): add signal_cli HITL notifierMergedPR

Notification-only Signal notifier via signal-cli-rest-api (POST /v2/send). Implements HITLNotifier; configured through dashboard secret slots (api_url, number, auth) with the recipient set as the approver's channel. Signal has no interactive buttons, so the prompt carries an Open dashboard link. Includes unit tests and a config-reference entry.

13pass · 3d ago
magurotuna
codex: support codex CLI >=0.142MergedPR

Problem breaks on codex CLI 0.142.0+ with . Root cause (codex git diff , ) is as follows. codex ≤0.141 built the agent task-registration URL from the ChatGPT base, which we redirected onto a MITM'd host via . 0.142 removed that override** and hardcoded registration to (a new allowlist that s on non-OpenAI hosts). We don't MITM , so the synthetic reaches real OpenAI, thus 400. The registration path suffix is unchanged (); only the host moved. JWKS, JWT claims, and the response shape still work. Fix : auto-claims (works on upgrade with no HCL edit). stubs task-register scoped to our synthetic runtime id, matching both the ≤0.141 () and 0.142 () shapes. Real Agent Identities (different runtime id) and are forwarded untouched. : skips (case-insensitive) so forwarded / token-refresh keep their native auth instead of being clobbered with the ChatGPT bearer. Verification End-to-end with codex 0.142.2 through a patched gateway: task-register now served locally (/200, no ); a real model turn returns. Auto-claim confirmed (config listed only ). Regression: ≤0.141 legacy path still stubbed (covered by unit test).

magurotuna · 3d ago
Structured data for AI agents

Repository: denoland/clawpatrol. Description: Security firewall for agents Stars: 903, Forks: 41. Primary language: Go. Languages: Go (87.4%), TypeScript (9.8%), Swift (1.7%), CSS (0.5%), Shell (0.3%). License: MIT. Homepage: https://clawpatrol.dev Latest release: v0.5.3 (3d ago). Open PRs: 39, open issues: 44. Last activity: 19h ago. Community health: 37%. Top contributors: littledivy, piscisaureus, ry, arnauorriols, magurotuna, josh-collinsworth, divybot, crowlKats, rajiteh, avocet-bot and others.

·@ofershap

Replace github.com with gitshow.dev