# Baseline Kit

Generate profile-based OpenClaw configuration JSON and audit an existing config before rollout.

## When to use

- You need a starting profile for development, team, enterprise, or airgapped.
- You want an offline audit for `gateway.bind`, auth rate limits, allowed skill sources, audit logging, backups, or secret-like values.
- You need a reviewable JSON artifact without contacting external services.

## Commands

```bash
node {baseDir}/bin/baseline-kit.js generate --profile enterprise --out ./openclaw.secure.json
node {baseDir}/bin/baseline-kit.js generate --profile development --out ./openclaw.dev.json
node {baseDir}/bin/baseline-kit.js audit --config ~/.openclaw/openclaw.json --format table
node {baseDir}/bin/baseline-kit.js audit --config ./openclaw.secure.json --format json
```

## Profiles

| Profile | Focus |
|---|---|
| `development` | Faster local iteration with lighter rate limits and shorter retention |
| `team` | Shared team defaults with moderate auth protection and audit logging |
| `enterprise` | Tighter auth windows, longer retention, and recovery guidance |
| `airgapped` | Loopback-only and local-mirror oriented settings |

## Audit checks

- `NET_EXPOSURE`: whether `gateway.bind` is loopback-only
- `AUTH_RATE_LIMIT`: whether auth rate limiting is configured completely
- `SOURCE_RESTRICTION`: whether allowed skill sources are too broad
- `AUDIT_LOGGING`: whether audit logging is enabled
- `BACKUP_HINT`: whether backup settings are present
- `SECRET_HYGIENE`: whether the config tree contains plaintext secret-like values

## Output

- Each finding includes a severity, evidence path, recommendation, and compliance tag set.
- Compliance tags currently map to SOC2, ISO27001, and NIST CSF.
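The six audit checks and the finding shape described under Output, worked through as an added example rather than Baseline Kit's own code: a Node.js script that audits a constructed config tree offline and renders the findings as a table. Only `gateway.bind` is taken from the page; the other key names (`auth.rateLimit.*`, `skills.allowedSources`, `audit.enabled`, `backup`), the severities, the secret patterns and the compliance tag mapping are assumptions for illustration.

```javascript
// Added example, not Baseline Kit's own implementation: an offline structural
// audit that mirrors the six check IDs and returns findings in the shape the
// Output section describes. Only `gateway.bind` comes from the page; every
// other key name, threshold, severity and pattern below is an assumption.

const LOOPBACK_HOSTS = new Set(["127.0.0.1", "localhost", "::1"]);
const ALL_FRAMEWORKS = ["SOC2", "ISO27001", "NIST CSF"]; // illustrative tag set
const SECRET_KEY_RE = /(token|secret|password|passwd|api[_-]?key|private[_-]?key)/i;
const SECRET_VALUE_RE = /^-----BEGIN [A-Z ]*PRIVATE KEY-----/;
const ENV_REF_RE = /^\$\{[A-Z0-9_]+\}$/; // "${NAME}" is an indirection, not a plaintext secret

// Resolve a dotted path such as "auth.rateLimit.windowSeconds" against the config tree.
function getPath(obj, path) {
  return path.split(".").reduce(
    (node, key) => (node !== null && typeof node === "object" ? node[key] : undefined),
    obj,
  );
}

// Accept "127.0.0.1", "127.0.0.1:18789", "localhost", "::1" or "[::1]:18789".
function isLoopback(bind) {
  if (typeof bind !== "string") return false;
  const host = bind.replace(/^\[(.*)\]:\d+$/, "$1").replace(/^([^:]+):\d+$/, "$1");
  return LOOPBACK_HOSTS.has(host);
}

function finding(id, severity, evidence, recommendation) {
  return { id, severity, evidence, recommendation, compliance: [...ALL_FRAMEWORKS] };
}

// Yield the dotted path of every string leaf whose key or value looks like a
// plaintext secret, skipping "${ENV_VAR}" references.
function* secretPaths(node, prefix = "") {
  if (node === null || typeof node !== "object") return;
  for (const [key, value] of Object.entries(node)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (typeof value === "string") {
      const looksSecret = SECRET_KEY_RE.test(key) || SECRET_VALUE_RE.test(value);
      if (looksSecret && !ENV_REF_RE.test(value)) yield path;
    } else {
      yield* secretPaths(value, path);
    }
  }
}

function auditConfig(cfg) {
  const findings = [];

  if (!isLoopback(getPath(cfg, "gateway.bind"))) {
    findings.push(finding("NET_EXPOSURE", "high", "gateway.bind",
      "Bind the gateway to 127.0.0.1 or ::1; put a proxy in front if remote access is needed"));
  }

  // "Configured completely" is taken to mean all three assumed fields are positive numbers.
  for (const field of ["maxAttempts", "windowSeconds", "lockoutSeconds"]) {
    const path = `auth.rateLimit.${field}`;
    const value = getPath(cfg, path);
    if (!(Number.isFinite(value) && value > 0)) {
      findings.push(finding("AUTH_RATE_LIMIT", "medium", path,
        `Set ${path} to a positive number so failed logins are throttled`));
      break; // one finding per check: report the first gap
    }
  }

  const sources = getPath(cfg, "skills.allowedSources");
  if (!Array.isArray(sources) || sources.some((s) => String(s).includes("*"))) {
    findings.push(finding("SOURCE_RESTRICTION", "high", "skills.allowedSources",
      "List explicit trusted skill sources and remove wildcard entries"));
  }

  if (getPath(cfg, "audit.enabled") !== true) {
    findings.push(finding("AUDIT_LOGGING", "medium", "audit.enabled",
      "Enable audit logging so configuration and auth events are recorded"));
  }

  const backup = getPath(cfg, "backup");
  if (backup === null || typeof backup !== "object") {
    findings.push(finding("BACKUP_HINT", "low", "backup",
      "Add a backup section so config and state can be restored after an incident"));
  }

  for (const path of secretPaths(cfg)) {
    findings.push(finding("SECRET_HYGIENE", "high", path,
      "Move this value to an environment variable or secret store and reference it by name"));
  }
  return findings;
}

// Fixed-width rendering in the spirit of the tool's `--format table`.
function formatTable(findings) {
  const row = (a, b, c, d) => `${a.padEnd(19)}${b.padEnd(9)}${c.padEnd(32)}${d}`;
  const rows = findings.map((f) => row(f.id, f.severity, f.evidence, f.recommendation));
  return [row("CHECK", "SEVERITY", "EVIDENCE", "RECOMMENDATION"), ...rows].join("\n");
}

// Constructed sample configs (not real OpenClaw configs): one that trips every
// check and a hardened counterpart that passes cleanly.
const WEAK_CONFIG = {
  gateway: { bind: "0.0.0.0:18789" },
  auth: { rateLimit: { maxAttempts: 5, windowSeconds: 60 } }, // lockoutSeconds missing
  skills: { allowedSources: ["*"] },
  audit: { enabled: false },
  integrations: { chat: { token: "constructed-plaintext-token-value" } },
};
const HARDENED_CONFIG = {
  gateway: { bind: "127.0.0.1:18789" },
  auth: { rateLimit: { maxAttempts: 5, windowSeconds: 60, lockoutSeconds: 300 } },
  skills: { allowedSources: ["https://skills.example.internal"] },
  audit: { enabled: true },
  backup: { path: "/var/backups/openclaw" },
  integrations: { chat: { token: "${CHAT_BOT_TOKEN}" } },
};

console.log(formatTable(auditConfig(WEAK_CONFIG)));
console.log(`hardened config findings: ${auditConfig(HARDENED_CONFIG).length}`);
```

Run with `node`; the weak config yields one finding per check and the hardened one yields none. The `${ENV_VAR}` exemption in the secret walk is the design choice worth keeping: a config that references a secret by name passes, while the same key holding a literal value is flagged with its full evidence path.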
## Boundaries

- This tool audits JSON structure only. It does not enforce runtime policy.
- Generated profiles are safer defaults, not a complete configuration management system.