Security

Security Model

This repository does not expose a public runtime API. Its security model is centered on protecting:

  • target-host access
  • OpenClaw configuration files
  • plugin source and patch state
  • optional provider credentials
  • LocalAI and Qdrant endpoints where deployments are hardened

Auth Model

Repository-local commands

  • scripts/export-fabric-metadata.py and scripts/fabric-selfcheck.sh require no credentials

Host mutation flows

  • install, reapply, rollback, and config patch flows require operator-level access to the target host filesystem and process environment

Runtime endpoints

  • LocalAI and Qdrant may run unauthenticated in a trusted network or behind deployment-specific auth
  • optional Mem0 LLM providers may require bearer tokens or API keys
  • host runtime snapshots require operator SSH access and remain read-only

OAuth Decision Table

Scenario | OAuth required | OAuth not required | Reason
--- | --- | --- | ---
External user access to a runtime surface | yes | no | External user identity and delegated access become relevant.
Multi-tenant access across trust boundaries | yes | no | Tenant separation and delegated authorization need a stronger auth model.
Access outside the trusted platform network | yes | no | Network trust alone is no longer sufficient.
Internal Fabric metadata reads without user context | no | yes | No end-user identity is involved.
Internal service-to-service operation inside a trusted platform network | no | yes | Simpler internal auth or network controls are sufficient.
Operator-run local scripts from a trusted repo checkout | no | yes | The security boundary is operator host access, not OAuth.

Sensitive Data Types

  • optional API keys for OpenAI-compatible LLM providers
  • host-specific filesystem paths
  • target runtime .env values
  • any deployment-specific LocalAI or Qdrant credentials
  • support-case recall summaries (tenant-scoped, approval-bound)

Secret Handling

  • secrets must not be committed to this repository
  • example env files may document variable names, but not live values
  • operator credentials remain outside the repository and outside CI
  • machine-readable secret rules are defined in fabric-manifest.json under auth.secretsContract

Standalone vs Integrated Credential Contract

Mode | Allowed sources | Ownership | Rotation boundary | Transfer / fallback
--- | --- | --- | --- | ---
standalone | operator-managed env files, operator shell env, host secret store | operator | operator-controlled | adopt existing credentials into integrated mode only when compatible; otherwise explicit operator rebind
integrated | fabric-managed secret references, operator-provisioned runtime secrets, shared-service injected credentials | fabric-or-operator-by-contract | shared contract with explicit operator override | fail-closed unless operator explicitly allows degraded local mode

Interfaces That Must Be Protected

  • target host SSH access
  • OpenClaw config directories and .env files
  • Qdrant write access
  • LocalAI/Qdrant management surfaces where exposed beyond <internal-runtime-redacted> or a trusted LAN
  • host runtime snapshot artifacts if they include sensitive path/network context
  • any future support-summary feed into recall evaluation must be tenant-scoped and approval-scoped

Support Recall Guardrails

  • approved summaries only; non-approved or revoked summaries are denied
  • raw support ticket payload fields are prohibited in recall summary objects
  • tenant mismatch is a hard deny
  • retention/legal-hold policy is enforced:
    • expired summaries deny unless legal hold is active
    • legal hold can preserve summary eligibility while raw source data is removed
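The guardrails above reduce to one fail-closed decision per summary object. The following is an added illustration, not code from the OpenClaw/Fabric repository: the field names (tenant_id, approval_state, expires_at, legal_hold), the set of prohibited raw-ticket fields, and the rule that a summary with no recorded expiry is denied are assumptions, not the project's schema.

```python
from datetime import datetime, timezone

# Assumed raw support-ticket payload fields that must never reach a recall summary.
PROHIBITED_RAW_FIELDS = frozenset({"ticket_body", "requester_email", "attachments"})


def recall_decision(summary: dict, tenant_id: str, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason) for one summary object. Every failed check is a
    hard deny, and missing fields deny rather than allow (fail-closed)."""
    # Tenant mismatch is checked first so a cross-tenant request learns nothing
    # about the summary's approval or retention state.
    if summary.get("tenant_id") != tenant_id:
        return False, "tenant mismatch"
    # Approved summaries only: pending, revoked or unknown states are denied.
    if summary.get("approval_state") != "approved":
        return False, f"approval state {summary.get('approval_state')!r} is not approved"
    # Raw ticket payload fields are prohibited in the summary object itself.
    leaked = PROHIBITED_RAW_FIELDS.intersection(summary)
    if leaked:
        return False, f"raw ticket fields present: {sorted(leaked)}"
    # Retention: an expired summary is denied unless a legal hold is active.
    # A legal hold keeps the summary eligible even after raw source data is removed.
    expires = summary.get("expires_at")
    if expires is None:
        return False, "no retention expiry recorded"
    if datetime.fromisoformat(expires) <= now and not summary.get("legal_hold", False):
        return False, "retention period expired"
    return True, "approved, tenant-scoped, within retention or under legal hold"


# Constructed sample data; not real support-case content.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
APPROVED = {"tenant_id": "t-1", "approval_state": "approved",
            "expires_at": "2026-01-01T00:00:00+00:00", "text": "customer asked about SSO"}
REVOKED = {**APPROVED, "approval_state": "revoked"}
LEAKY = {**APPROVED, "ticket_body": "full raw transcript"}
EXPIRED = {**APPROVED, "expires_at": "2024-01-01T00:00:00+00:00"}
HELD = {**EXPIRED, "legal_hold": True}

if __name__ == "__main__":
    cases = [("approved", APPROVED, "t-1"), ("cross-tenant", APPROVED, "t-2"),
             ("revoked", REVOKED, "t-1"), ("leaky", LEAKY, "t-1"),
             ("expired", EXPIRED, "t-1"), ("legal hold", HELD, "t-1")]
    for name, summary, tenant in cases:
        print(f"{name:13} -> {recall_decision(summary, tenant, NOW)}")
```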

Inputs That Must Never Be Left Open

  • unrestricted remote execution of installer or reapply scripts
  • unprotected write access to openclaw.json
  • destructive Qdrant cleanup or reconfiguration paths without operator intent
  • any implied Fabric control channel into host mutation scripts

Actions That Must Not Be Uncontrolled

  • full installation on a live host
  • reapply after update
  • rollback to memory-core
  • destructive cleanup against Qdrant payloads or collections

These actions must remain operator-driven. Fabric should not directly trigger them.

Minimum Hardening Checklist

  • keep host management access restricted to explicit operators
  • keep secrets out of repo and CI logs
  • apply network controls or auth for LocalAI/Qdrant when outside trusted LAN scope
  • keep Fabric surfaces read-only (manifest, metadata export, status bundle)
  • validate runtime snapshot outputs before sharing outside operator scope

Main Risks

  • patch drift against the community plugin fork
  • incorrect host path configuration
  • misrouted model credentials
  • weakly protected Qdrant or LocalAI endpoints in exposed deployments
  • false confidence from repo-local checks when the live host differs

AGPLv3. See ../LICENSE.

Learn more at helpifyr.com.