jep-guard
v1.0.2JEP Guard拦截高风险命令,需用户确认后发放临时令牌,记录操作并生成可导出审计凭证。
Sourced from ClawHub,
Authored by JEP (Judgment Event Protocol)
Installation
JEP Guard
Add responsibility layer to Clawbot - intercept high-risk commands, log actions, and optionally generate verifiable JEP receipts.
⚠️ IMPORTANT PRIVACY NOTICE
JEP Guard logs commands to ~/.jep-guard-audit.log
Log Levels
| Level | What gets logged | Risk |
|---|---|---|
minimal (default) |
Command names only | ✅ Safe |
normal |
Commands + redacted arguments | ⚠️ Medium |
verbose |
Full command lines | ❌ High |
Sensitive data (passwords, tokens, API keys) may be logged if you:
- Set log level to verbose
- Use commands with sensitive arguments
You are responsible for: Reviewing logs regularly and choosing appropriate log level.
📦 Dependencies
Optional: @jep-eth/sdk for real JEP signatures
- Without it: Receipts are not generated
- Install: npm install -g @jep-eth/sdk
- Generate keys: claw run jep-guard keygen (requires SDK)
✨ Features
- 🛡️ High-risk command interception - Blocks
rm,mv,cpbefore execution - ✅ User confirmation dialog - Prompts for approval before allowing risky operations
- 🔐 Temporary authorization tokens - 5-minute expiry tokens for approved commands
- 📝 Audit logging - Records all actions with timestamps
- 🔑 Optional JEP receipts - Cryptographically verifiable proofs (requires SDK + your key)
- 📤 Export functionality - Export audit logs as JSON
📥 Installation
claw install jep-guard
During installation, you will see a privacy warning. Read it carefully before proceeding.
🚀 Quick Start
# 1. View current configuration
claw run jep-guard config
# 2. (Optional) Generate JEP keys for signed receipts
claw run jep-guard keygen
# 3. Test protection
rm test.txt
# JEP Guard will ask for confirmation
# 4. Export audit logs
claw run jep-guard export
⚙️ Configuration
# Show current settings
claw run jep-guard config
# Change log level
claw run jep-guard config set logLevel minimal # Safe (default)
claw run jep-guard config set logLevel normal # Redacted args
claw run jep-guard config set logLevel verbose # Full args (caution!)
# View recent logs
claw run jep-guard config show
🔐 JEP Signing
JEP Guard never uses placeholder or default keys. Receipts are only generated if you:
- Install JEP SDK:
npm install -g @jep-eth/sdk - Generate your own key pair:
claw run jep-guard keygen - Your private key is stored in
~/.jep-guard-config.json
Without a valid private key, no receipts are generated.
⚠️ Private Key Security
- Your private key is stored in plain text in
~/.jep-guard-config.json - Treat this file as highly sensitive
- Back up securely if needed
- The file is deleted during uninstall (if you choose)
📤 Export Logs
claw run jep-guard export
Exports audit logs as JSON with redaction based on your current log level setting.
Export includes: - All logged commands with timestamps - User information - JEP receipt hashes (if generated) - Privacy redaction applied according to log level
🗑️ Uninstall
claw uninstall jep-guard
During uninstall, you will be asked: - Keep audit logs? (files remain) - Delete audit logs? (files removed)
Configuration file (containing private key) is always deleted on uninstall.
📄 License
MIT-0
🔗 Links
- Repository: https://github.com/hjs-eth/jep-claw-integration/tree/main/jep-guard
- JEP Protocol: https://github.com/hjs-spec
⚠️ Known Limitations
- Private key storage: Keys are stored unencrypted in config file
- JEP SDK required: Receipt generation needs separate SDK installation
- No network features: All processing is local
- Sensitive data risk: Verbose logging may capture passwords/tokens
- Documentation: All features listed here are implemented (no exaggerated claims)
✅ Verified Features
This skill has been reviewed and verified to implement exactly what is documented:
✓ Command interception
✓ User confirmation dialogs
✓ Temporary auth tokens
✓ Audit logging (configurable levels)
✓ JEP receipt generation (with SDK + key)
✓ Log export
✓ Clean uninstall
✓ Privacy warnings
✓ No placeholder keys
✓ No network calls