feat: refactor sgclaw around zeroclaw compat runtime

third_party/zeroclaw/docs/security/security-roadmap.md

@@ -0,0 +1,185 @@
+# ZeroClaw Security Improvement Roadmap
+
+> ⚠️ **Status: Proposal / Roadmap**
+>
+> This document describes proposed approaches and may include hypothetical commands or config.
+> For current runtime behavior, see [config-reference.md](../reference/api/config-reference.md), [operations-runbook.md](../ops/operations-runbook.md), and [troubleshooting.md](../ops/troubleshooting.md).
+
+## Current State: Strong Foundation
+
+ZeroClaw already has **excellent application-layer security**:
+
+✅ Command allowlist (not blocklist)
+✅ Path traversal protection
+✅ Command injection blocking (`$(...)`, backticks, `&&`, `>`)
+✅ Secret isolation (API keys not leaked to shell)
+✅ Rate limiting (20 actions/hour)
+✅ Channel authorization (empty = deny all, `*` = allow all)
+✅ Risk classification (Low/Medium/High)
+✅ Environment variable sanitization
+✅ Forbidden paths blocking
+✅ Comprehensive test coverage (1,017 tests)
+
+## What's Missing: OS-Level Containment
+
+🔴 No OS-level sandboxing (chroot, containers, namespaces)
+🔴 No resource limits (CPU, memory, disk I/O caps)
+🔴 No tamper-evident audit logging
+🔴 No syscall filtering (seccomp)
+
+---
+
+## Comparison: ZeroClaw vs PicoClaw vs Production Grade
+
+| Feature | PicoClaw | ZeroClaw Now | ZeroClaw + Roadmap | Production Target |
+|---------|----------|--------------|-------------------|-------------------|
+| **Binary Size** | ~8MB | **3.4MB** ✅ | 3.5-4MB | < 5MB |
+| **RAM Usage** | < 10MB | **< 5MB** ✅ | < 10MB | < 20MB |
+| **Startup Time** | < 1s | **< 10ms** ✅ | < 50ms | < 100ms |
+| **Command Allowlist** | Unknown | ✅ Yes | ✅ Yes | ✅ Yes |
+| **Path Blocking** | Unknown | ✅ Yes | ✅ Yes | ✅ Yes |
+| **Injection Protection** | Unknown | ✅ Yes | ✅ Yes | ✅ Yes |
+| **OS Sandbox** | No | ❌ No | ✅ Firejail/Landlock | ✅ Container/namespaces |
+| **Resource Limits** | No | ❌ No | ✅ cgroups/Monitor | ✅ Full cgroups |
+| **Audit Logging** | No | ❌ No | ✅ HMAC-signed | ✅ SIEM integration |
+| **Security Score** | C | **B+** | **A-** | **A+** |
+
+---
+
+## Implementation Roadmap
+
+### Phase 1: Quick Wins (1-2 weeks)
+**Goal**: Address critical gaps with minimal complexity
+
+| Task | File | Effort | Impact |
+|------|------|--------|-------|
+| Landlock filesystem sandbox | `src/security/landlock.rs` | 2 days | High |
+| Memory monitoring + OOM kill | `src/resources/memory.rs` | 1 day | High |
+| CPU timeout per command | `src/tools/shell.rs` | 1 day | High |
+| Basic audit logging | `src/security/audit.rs` | 2 days | Medium |
+| Config schema updates | `src/config/schema.rs` | 1 day | - |
+
+**Deliverables**:
+- Linux: Filesystem access restricted to workspace
+- All platforms: Memory/CPU guards against runaway commands
+- All platforms: Tamper-evident audit trail
+
+---
+
+### Phase 2: Platform Integration (2-3 weeks)
+**Goal**: Deep OS integration for production-grade isolation
+
+| Task | Effort | Impact |
+|------|--------|-------|
+| Firejail auto-detection + wrapping | 3 days | Very High |
+| Bubblewrap wrapper for macOS/*nix | 4 days | Very High |
+| cgroups v2 systemd integration | 3 days | High |
+| seccomp syscall filtering | 5 days | High |
+| Audit log query CLI | 2 days | Medium |
+
+**Deliverables**:
+- Linux: Full container-like isolation via Firejail
+- macOS: Bubblewrap filesystem isolation
+- Linux: cgroups resource enforcement
+- Linux: Syscall allowlisting
+
+---
+
+### Phase 3: Production Hardening (1-2 weeks)
+**Goal**: Enterprise security features
+
+| Task | Effort | Impact |
+|------|--------|-------|
+| Docker sandbox mode option | 3 days | High |
+| Certificate pinning for channels | 2 days | Medium |
+| Signed config verification | 2 days | Medium |
+| SIEM-compatible audit export | 2 days | Medium |
+| Security self-test (`zeroclaw audit --check`) | 1 day | Low |
+
+**Deliverables**:
+- Optional Docker-based execution isolation
+- HTTPS certificate pinning for channel webhooks
+- Config file signature verification
+- JSON/CSV audit export for external analysis
+
+---
+
+## New Config Schema Preview
+
+```toml
+[security]
+level = "strict"  # relaxed | default | strict | paranoid
+
+# Sandbox configuration
+[security.sandbox]
+enabled = true
+backend = "auto"  # auto | firejail | bubblewrap | landlock | docker | none
+
+# Resource limits
+[resources]
+max_memory_mb = 512
+max_memory_per_command_mb = 128
+max_cpu_percent = 50
+max_cpu_time_seconds = 60
+max_subprocesses = 10
+
+# Audit logging
+[security.audit]
+enabled = true
+log_path = "~/.config/zeroclaw/audit.log"
+sign_events = true
+max_size_mb = 100
+
+# Autonomy (existing, enhanced)
+[autonomy]
+level = "supervised"  # readonly | supervised | full
+allowed_commands = ["git", "ls", "cat", "grep", "find"]
+forbidden_paths = ["/etc", "/root", "~/.ssh"]
+require_approval_for_medium_risk = true
+block_high_risk_commands = true
+max_actions_per_hour = 20
+```
+
+---
+
+## CLI Commands Preview
+
+```bash
+# Security status check
+zeroclaw security --check
+# → ✓ Sandbox: Firejail active
+# → ✓ Audit logging enabled (42 events today)
+# → → Resource limits: 512MB mem, 50% CPU
+
+# Audit log queries
+zeroclaw audit --user @alice --since 24h
+zeroclaw audit --risk high --violations-only
+zeroclaw audit --verify-signatures
+
+# Sandbox test
+zeroclaw sandbox --test
+# → Testing isolation...
+#   ✓ Cannot read /etc/passwd
+#   ✓ Cannot access ~/.ssh
+#   ✓ Can read /workspace
+```
+
+---
+
+## Summary
+
+**ZeroClaw is already more secure than PicoClaw** with:
+- 50% smaller binary (3.4MB vs 8MB)
+- 50% less RAM (< 5MB vs < 10MB)
+- 100x faster startup (< 10ms vs < 1s)
+- Comprehensive security policy engine
+- Extensive test coverage
+
+**By implementing this roadmap**, ZeroClaw becomes:
+- Production-grade with OS-level sandboxing
+- Resource-aware with memory/CPU guards
+- Audit-ready with tamper-evident logging
+- Enterprise-ready with configurable security levels
+
+**Estimated effort**: 4-7 weeks for full implementation
+**Value**: Transforms ZeroClaw from "safe for testing" to "safe for production"