Commit Graph

6 Commits

Author SHA1 Message Date
Justin
35b1441397 fix: update remaining clawdbot references to openclaw
- Update LICENSE copyright from Clawdbot to OpenClaw Contributors
- Change CLAWDBOT_DEV_DIR to OPENCLAW_DEV_DIR in docs and upgrade notes
- Update security.md overview text
- Update UPGRADE_NOTES.md section heading

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-13 14:15:22 -06:00
Justin
aa084466b7 fix: use canonical authorized_key FQCN and update remaining clawdbot refs
- Add ansible.posix collection to requirements.yml (>=1.5.0)
- Change ansible.builtin.authorized_key to ansible.posix.authorized_key
- Update documentation references from clawdbot to openclaw
- Fix Jinja2 template lstrip_blocks to use boolean instead of string

Addresses PR #16 maintainer feedback for clawdbot → openclaw rename.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-13 14:11:11 -06:00
Andy Lauppe
1f60554617 Merge main into rename PR with security improvements
Resolves conflicts between OpenClaw rename and security hardening:
- Applied scoped sudo permissions with openclaw naming
- Added dynamic UID to service template
- Merged security features (fail2ban, unattended-upgrades)
- Added ansible.posix collection and fixed authorized_key FQCN
- Updated comments to reference OpenClaw instead of Clawdbot

Co-Authored-By: olsonale <olsonale@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-10 08:46:53 -05:00
Alec Olson
dd50f73d85 docs: update documentation for OpenClaw rename
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 21:33:04 -07:00
Andrew Lauppe
a7d6c9b89d fix(security): harden installation with scoped sudo, fail2ban, and auto-updates
Security improvements:

1. CRITICAL: Scope sudo access for clawdbot user
   - Changed from 'ALL=(ALL) NOPASSWD: ALL' to specific commands only
   - Now limited to: systemctl for clawdbot service, tailscale, journalctl
   - Prevents full root compromise if application is exploited

2. CRITICAL: Fix hardcoded UID in systemd template
   - Changed XDG_RUNTIME_DIR from /run/user/1000 to dynamic
   - Uses clawdbot_uid_value variable with fallback

3. Add fail2ban for SSH brute-force protection
   - 5 failed attempts = 1 hour ban
   - Protects against automated attacks on exposed SSH

4. Add unattended-upgrades for automatic security updates
   - Security-only updates enabled by default
   - Automatic reboots disabled (manual control)

5. Update documentation
   - security.md: Document all 8 security layers
   - README.md: Add security features to list
   - AGENTS.md: Document security rationale and known limitations

Known limitations documented:
- macOS support incomplete (no launchd/pf)
- IPv6 disabled in Docker
- curl|bash pattern inherent risks

Signed-off-by: Andrew Lauppe <andy@t5tele.com>
2026-01-31 19:29:45 -05:00
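The hardening items this commit describes (scoped sudo, a UID that is looked up rather than hard-coded, a fail2ban sshd jail and security-only unattended upgrades), written out as an added Ansible playbook. This is an illustration, not code from the OpenClaw installer or from the commit itself. It assumes a service account and systemd unit both named openclaw, a Debian/Ubuntu target, and the binary paths shown; the exact subcommands the service needs under sudo are a guess and should be adjusted to what the installer actually invokes.

```yaml
# Added example, not the installer's own code. Assumptions: service account and
# unit are both "openclaw", binaries live at the paths shown, Debian/Ubuntu target.
- hosts: all
  become: true
  tasks:
    - name: Scoped sudo for the openclaw account (replaces 'ALL=(ALL) NOPASSWD: ALL')
      ansible.builtin.copy:
        dest: /etc/sudoers.d/openclaw
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s   # never install a file visudo rejects
        content: |
          # systemctl status and journalctl spawn a pager; under sudo that pager runs
          # as root and less lets the caller run !sh, so --no-pager is pinned.
          Cmnd_Alias OPENCLAW_SVC = /usr/bin/systemctl start openclaw, \
                                    /usr/bin/systemctl stop openclaw, \
                                    /usr/bin/systemctl restart openclaw, \
                                    /usr/bin/systemctl --no-pager status openclaw
          Cmnd_Alias OPENCLAW_LOG = /usr/bin/journalctl --no-pager -u openclaw, \
                                    /usr/bin/journalctl --no-pager -u openclaw -f
          # Only the tailscale subcommands the service needs (assumed here); the bare
          # binary would also allow 'tailscale up --ssh' or 'tailscale serve'.
          Cmnd_Alias OPENCLAW_NET = /usr/bin/tailscale status, /usr/bin/tailscale ip
          openclaw ALL=(root) NOPASSWD: OPENCLAW_SVC, OPENCLAW_LOG, OPENCLAW_NET

    - name: Look up the account's UID instead of hard-coding /run/user/1000
      ansible.builtin.getent:
        database: passwd
        key: openclaw

    - name: Drop-in directory for the unit
      ansible.builtin.file:
        path: /etc/systemd/system/openclaw.service.d
        state: directory
        mode: "0755"

    - name: Derive XDG_RUNTIME_DIR from the real UID
      ansible.builtin.copy:
        dest: /etc/systemd/system/openclaw.service.d/runtime-dir.conf
        mode: "0644"
        content: |
          [Service]
          Environment=XDG_RUNTIME_DIR=/run/user/{{ getent_passwd['openclaw'][1] }}
      notify: reload systemd

    - name: Install fail2ban and unattended-upgrades
      ansible.builtin.apt:
        name: [fail2ban, unattended-upgrades]
        state: present
        update_cache: true

    - name: fail2ban sshd jail, 5 failures inside findtime -> 1 hour ban
      ansible.builtin.copy:
        dest: /etc/fail2ban/jail.d/sshd.local
        mode: "0644"
        content: |
          [sshd]
          enabled  = true
          maxretry = 5
          findtime = 10m
          bantime  = 1h
      notify: restart fail2ban

    - name: Security-origin-only unattended upgrades, no automatic reboot
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/52openclaw-unattended
        mode: "0644"
        content: |
          // Sorts after the stock 50unattended-upgrades; #clear drops its origin list
          // so only the security pocket remains.
          #clear Unattended-Upgrade::Allowed-Origins;
          Unattended-Upgrade::Allowed-Origins {
              "${distro_id}:${distro_codename}-security";
          };
          Unattended-Upgrade::Automatic-Reboot "false";
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";

  handlers:
    - name: reload systemd
      ansible.builtin.systemd:
        daemon_reload: true
    - name: restart fail2ban
      ansible.builtin.service:
        name: fail2ban
        state: restarted
```

Two details worth checking when adapting this: sudoers matches the argument list literally, and its `*` wildcard also matches whitespace, so a rule like `journalctl -u openclaw *` would accept extra flags such as `--file`; the aliases above therefore enumerate exact argument lists instead. And `/run/user/<uid>` is created by systemd-logind only while the account has a session or lingering enabled (`loginctl enable-linger openclaw`), so a unit that relies on XDG_RUNTIME_DIR needs that set up as well.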
sheeek
476829c8a5 Initial commit: Hardened Clawdbot installer with Tailscale + UFW + Docker isolation
2026-01-08 17:44:49 +01:00