Harden channel auth, file safety, and update integrity #44

Open

coreyone wants to merge 2 commits into TinyAGI:main from coreyone:coreyone/security-hardening

Conversation


@coreyone coreyone commented Feb 13, 2026

Summary

This PR fixes the full security/code-review audit set by hardening chat ingress, agent invocation, outbound file handling, and bundle update/install integrity.

What changed

  • Enforce sender allowlists (default-on) across Telegram, Discord, WhatsApp, and queue processing.
  • Restrict outbound [send_file: ...] paths to .tinyclaw/files by default (realpath checks + defense in depth).
  • Gate dangerous CLI flags behind explicit config/env opt-in (allow_dangerous_agent_flags, TINYCLAW_ALLOW_DANGEROUS_FLAGS).
  • Add attachment download guards (size limits, timeouts, redirects, status checks).
  • Add SHA-256 checksum verification to update/install flows and publish checksum in release workflow.
  • Fix stale build detection by checking all TypeScript sources via a build stamp.
  • Rework setup JSON generation to use jq safely (no raw interpolation) and add security prompts/defaults.
  • Reduce sensitive persistence in events/logging and make full team chat persistence opt-in.

Validation

  • bash -n passed for modified shell scripts.
  • npm run build passed.

Notes

  • Default behavior now requires allowlisted sender IDs in settings; unknown senders are denied until configured.

jlia0 (Collaborator) commented Feb 13, 2026

Thanks for the great PR.

Sender allowlist with pairing approach implemented in #43

Will review the rest.

@jlia0 jlia0 requested review from jlia0 and mczabca-boop February 13, 2026 20:35
mczabca-boop (Collaborator) commented Feb 14, 2026

Thanks for the security-focused improvements in this PR. I ran local verification and found a few important issues.

Findings

1. Blocking: update path fails for existing releases without checksum asset

Area: lib/update.sh, scripts/remote-install.sh
Issue: Update now requires downloading tinyclaw-bundle.sha256. For existing releases that do not publish this asset (e.g. v0.0.3), update fails hard with 404 and aborts.

Observed behavior (local):

  • Run: ./tinyclaw.sh update
  • Download step succeeds
  • Verify step fails:
    • curl: (22) The requested URL returned error: 404
    • Error: Could not download checksum file

Why this matters: This breaks upgrade compatibility for users on older release assets.

Suggestion: Add backward-compatible fallback behavior (e.g. prompt user to continue without checksum), or ensure all target releases include checksum assets.


2. Non-blocking (important): config behavior mismatch for outbound file path override

Area: queue processor vs channel clients

  • Queue side supports security.allow_outbound_file_paths_outside_files_dir=true
  • Channel clients still enforce FILES_DIR only

Issue: The config implies outside-files-dir outbound paths can be allowed, but Telegram client still blocks them.

Repro (local, Telegram):

  1. files: ["/home/user/.tinyclaw/files/a.txt"] -> file sent successfully.
  2. files: ["/tmp/a.txt"] with default config -> blocked (expected), log:
    • Blocked unsafe outbound file path: /tmp/a.txt
  3. Set:
    • security.allow_outbound_file_paths_outside_files_dir=true
  4. Send files: ["/tmp/a.txt"] again -> still blocked, same log.

Why this matters: Runtime behavior does not match config semantics.

Suggestion: Align policy across layers (apply override in channel clients too, or remove/clarify the setting).


3. Non-blocking: setup now hard-requires jq

Area: lib/setup-wizard.sh
Issue: setup exits immediately if jq is missing.

Why this matters: Minimal environments can no longer run setup out-of-the-box.

Suggestion: Document jq as a hard prerequisite (installer/docs), or provide fallback for a basic setup path.


Additional Notes

  • Sender allowlist behavior is confirmed working after adding sender ID to allowlist.
  • However, users with older configs lacking security block may see unexpected Access denied until configured.

Summary

The security direction is good, but I recommend addressing the update compatibility blocker before merge, and aligning the outbound path override behavior to avoid config/runtime mismatch.
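Finding 2 above comes down to one policy being implemented separately in the queue processor and in each channel client. As an added shell example (not TinyClaw's own code; the function names, the FILES_DIR argument and the allow_outside flag standing in for security.allow_outbound_file_paths_outside_files_dir are assumptions), this is the shape of a single containment check that resolves symlinks and ".." before comparing, so that every sending layer calls the same function and the override means the same thing everywhere:

```shell
#!/bin/sh
# Added example: one outbound-path containment check for every sending layer.
# Not TinyClaw's code; function names and the FILES_DIR/allow_outside
# arguments are assumptions standing in for the project's config plumbing.

# canonical_path PATH -> fully resolved absolute path of an existing PATH.
# Symlinks and ".." are resolved before any comparison; a string-prefix test
# on the raw path would let files/../secret or files/link-to-etc slip through.
canonical_path() {
    [ -e "$1" ] || return 1
    if command -v realpath >/dev/null 2>&1; then
        realpath "$1"
    else
        readlink -f "$1"
    fi
}

# is_safe_outbound_path FILES_DIR CANDIDATE ALLOW_OUTSIDE
# ALLOW_OUTSIDE is "true" or "false" and stands in for
# security.allow_outbound_file_paths_outside_files_dir. Because queue and
# channel code would call this same function, the override cannot be honoured
# in one layer and ignored in another.
is_safe_outbound_path() {
    files_dir="$1"; candidate="$2"; allow_outside="${3:-false}"
    base=$(canonical_path "$files_dir") || { echo "Blocked: files dir missing: $files_dir" >&2; return 1; }
    resolved=$(canonical_path "$candidate") || { echo "Blocked: no such file: $candidate" >&2; return 1; }
    # Defence in depth: only regular files are ever sent, override or not.
    [ -f "$resolved" ] || { echo "Blocked: not a regular file: $candidate" >&2; return 1; }
    # The trailing slash keeps /x/files2/c.txt from matching base /x/files.
    case "$resolved" in
        "$base"/*) return 0 ;;
    esac
    if [ "$allow_outside" = "true" ]; then
        echo "Warning: override enabled, sending file outside files dir: $resolved" >&2
        return 0
    fi
    echo "Blocked unsafe outbound file path: $candidate" >&2
    return 1
}

# Stand-alone demo on a constructed directory tree.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/files" "$root/files2"
    printf 'inside\n'  > "$root/files/a.txt"
    printf 'outside\n' > "$root/outside.txt"
    printf 'sibling\n' > "$root/files2/c.txt"
    ln -s "$root/outside.txt" "$root/files/link.txt"   # symlink escaping the files dir
    for p in "$root/files/a.txt" "$root/outside.txt" "$root/files/link.txt" \
             "$root/files/../outside.txt" "$root/files2/c.txt"; do
        for override in false true; do
            if is_safe_outbound_path "$root/files" "$p" "$override" 2>/dev/null; then
                verdict=allowed
            else
                verdict=blocked
            fi
            echo "override=$override ${p#"$root"/}: $verdict"
        done
    done
    rm -rf "$root"
}
demo
```

With the override off, only the plain file inside the files dir is allowed; the symlink, the ".." path and the look-alike sibling directory are all blocked after resolution. With the override on, the same calls allow files outside the directory, which is exactly the runtime behaviour the config setting promises.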

coreyone (Author) commented

Thanks for the review — I’ve pushed follow-up fixes in 570b463.

Addressed items:

  1. Update compatibility blocker: now supports legacy releases without checksum assets by prompting to continue unverified (or via ). Checksum mismatch still hard-fails.
  2. Outbound path override mismatch: Telegram/Discord/WhatsApp clients now honor , aligned with queue behavior.
  3. jq prerequisite clarity: Added as an explicit dependency in installer checks and docs (
╔════════════════════════════════════════╗
║ TinyClaw Remote Installer ║
╚════════════════════════════════════════╝

[1/6] Checking dependencies...
✓ All dependencies found

[2/6] Choosing installation directory...
Installing to: /Users/coreyoneal/.tinyclaw

[3/6] Selecting installation method...
Warning: Checksum asset not found for v0.0.3 (legacy release).
Proceeding without checksum verification.
⚠ Bundle checksum missing; falling back to source install

[4/6] Downloading TinyClaw...
Cloning repository...
✓ Repository cloned

[5/6] Installing dependencies...
Running npm install (this may take a few minutes)...
Building TypeScript...
Pruning development dependencies...
✓ Dependencies installed

[6/6] Installing CLI command...
TinyClaw CLI Installer

Installing to: ~/.local/bin (user)

Creating symlink...
✓ TinyClaw CLI installed successfully!

You can now run 'tinyclaw' from any directory:

tinyclaw start - Start TinyClaw
tinyclaw status - Check status
tinyclaw --help - Show all commands

✓ 'tinyclaw' command is available

To uninstall, run:
./uninstall.sh

╔════════════════════════════════════════╗
║ TinyClaw Installed Successfully! ║
╚════════════════════════════════════════╝

Installation directory: /Users/coreyoneal/.tinyclaw

Next steps:

1. Start TinyClaw:
tinyclaw start

2. Check status:
tinyclaw status

3. View all commands:
tinyclaw --help

Documentation: https://github.com/jlia0/tinyclaw, , ).

If you want, I can also split the insecure-bundle fallback in remote installer behind a stricter opt-in only policy.

coreyone (Author) commented

Follow-up is pushed in 570b463.

Addressed:

  1. Update compatibility blocker: lib/update.sh now supports legacy releases with no checksum asset (404) by prompting to continue unverified, or via TINYCLAW_ALLOW_INSECURE_UPDATE=1. Checksum mismatch still hard-fails.
  2. Outbound path policy mismatch: Telegram/Discord/WhatsApp clients now honor security.allow_outbound_file_paths_outside_files_dir=true, aligned with queue behavior.
  3. jq prerequisite clarity: added jq to installer dependency checks and docs (scripts/remote-install.sh, README.md, docs/INSTALL.md).

mczabca-boop (Collaborator) commented

Re-checked follow-up commit 570b463 on a clean worktree. The previously raised items are addressed:

  1. Update compatibility blocker
  • lib/update.sh now handles checksum 404 (legacy releases) with explicit confirmation (Continue without checksum verification?) and TINYCLAW_ALLOW_INSECURE_UPDATE=1.
  • Non-404 checksum download failures still fail.
  • Checksum mismatch still hard-fails.
  2. Outbound path policy mismatch
  • security.allow_outbound_file_paths_outside_files_dir is now read in:
    • src/queue-processor.ts
    • src/channels/telegram-client.ts
    • src/channels/discord-client.ts
    • src/channels/whatsapp-client.ts
  • Queue/channel behavior is now aligned.
  3. jq prerequisite clarity
  • jq is now part of remote installer dependency checks and docs:
    • scripts/remote-install.sh
    • README.md
    • docs/INSTALL.md

Thanks for the follow-up; this resolves my previous review findings.
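As an added example that is not TinyClaw's lib/update.sh (the function names and the checksum-file format "digest  filename", as sha256sum writes it, are assumptions; the TINYCLAW_ALLOW_INSECURE_UPDATE=1 opt-in is the one named in the review above), this shell shows the verification policy the thread converged on: a 404 for the checksum asset may be downgraded to an unverified install only with explicit opt-in, any other fetch failure aborts, and a digest mismatch always aborts. The download itself is replaced by a simulated HTTP status so the example runs offline:

```shell
#!/bin/sh
# Added example: SHA-256 bundle verification with a legacy-release fallback.
# Not TinyClaw's lib/update.sh; function names are assumptions.

# Print the SHA-256 hex digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_bundle_checksum BUNDLE CHECKSUM_FILE
# CHECKSUM_FILE holds "<hex digest>  <filename>" as sha256sum writes it.
# Returns 0 on match, 1 otherwise. A mismatch is never downgraded to a
# warning: it is the one signal that the artifact was altered in transit
# or on the release host.
verify_bundle_checksum() {
    bundle="$1"; sumfile="$2"
    [ -r "$bundle" ] && [ -r "$sumfile" ] || return 1
    expected=$(awk 'NR==1 {print $1}' "$sumfile")
    # Reject an empty or truncated digest so a damaged checksum file
    # cannot accidentally compare equal to anything.
    printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{64}$' || return 1
    actual=$(sha256_of "$bundle")
    [ "$expected" = "$actual" ]
}

# checksum_policy HTTP_STATUS
# Decide what to do after trying to fetch the checksum asset.
#   200 -> "verify":     run verify_bundle_checksum on the bundle
#   404 -> "unverified": legacy release; only with TINYCLAW_ALLOW_INSECURE_UPDATE=1
#                        (an interactive prompt would go here; non-interactive = deny)
#   any other status -> "abort": a transient or network failure is not a
#                        legacy release and must not silently skip verification
checksum_policy() {
    case "$1" in
        200) echo verify ;;
        404)
            if [ "${TINYCLAW_ALLOW_INSECURE_UPDATE:-0}" = "1" ]; then
                echo "Warning: checksum asset not found (legacy release); continuing unverified" >&2
                echo unverified
            else
                echo "Error: checksum asset not found; set TINYCLAW_ALLOW_INSECURE_UPDATE=1 to continue unverified" >&2
                echo abort
            fi ;;
        *)
            echo "Error: checksum download failed with HTTP $1" >&2
            echo abort ;;
    esac
}

# Stand-alone demo with a constructed bundle; simulated HTTP statuses
# stand in for the real download step.
demo() {
    work=$(mktemp -d)
    printf 'constructed bundle contents\n' > "$work/tinyclaw-bundle.tar.gz"
    printf '%s  tinyclaw-bundle.tar.gz\n' "$(sha256_of "$work/tinyclaw-bundle.tar.gz")" \
        > "$work/tinyclaw-bundle.sha256"
    if verify_bundle_checksum "$work/tinyclaw-bundle.tar.gz" "$work/tinyclaw-bundle.sha256"; then
        echo "intact bundle: verified"
    fi
    printf 'tampered\n' >> "$work/tinyclaw-bundle.tar.gz"
    if ! verify_bundle_checksum "$work/tinyclaw-bundle.tar.gz" "$work/tinyclaw-bundle.sha256"; then
        echo "tampered bundle: rejected"
    fi
    for status in 200 404 500; do
        echo "checksum fetch HTTP $status -> $(checksum_policy "$status" 2>/dev/null)"
    done
    rm -rf "$work"
}
demo
```

The distinction between 404 and every other failure is the point: only a missing asset is evidence of a legacy release, while a timeout or a 5xx says nothing about whether a checksum exists, so treating those as "legacy" would let a flaky mirror turn every update into an unverified one.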
