Security & Enterprise

Password protection, compliance, and audit logging.

Security & Password Protection

Password Protection

Set GITCLAW_PASSWORD to require authentication for the web UI:

GITCLAW_PASSWORD=mysecret gitclaw --voice --dir ~/assistant

When set:

  • All HTTP routes show a login page instead of the UI
  • WebSocket connections are rejected unless they carry a valid auth cookie
  • The /health endpoint remains open (for load balancers)
  • Cookie attributes: HttpOnly, SameSite=Strict, 24-hour expiry
  • The cookie token is a SHA-256 hash; the password itself is never stored in the cookie
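To make the cookie rules above concrete, the following Python module is an added example of the login and request-gating logic, not gitclaw's own code. The cookie name, the per-process salt and the exact token derivation are assumptions: the docs only state that the token is a SHA-256 hash and that the password never lands in the cookie.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed names/values for this example (not from the gitclaw docs):
COOKIE_NAME = "gitclaw_auth"          # assumed cookie name
MAX_AGE_SECONDS = 24 * 60 * 60        # 24-hour expiry, as documented
# A per-process random salt so the cookie token is not a bare hash of the
# password that would stay valid across restarts. How gitclaw itself derives
# the token is an assumption; the page only says it is a SHA-256 hash.
_SALT = secrets.token_bytes(16)


def auth_token(password: str) -> str:
    """Derive the cookie token: SHA-256 over salt + password, never the password itself."""
    return hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()


def login(submitted: str, configured: str) -> Optional[str]:
    """Handle a login-form POST against the configured GITCLAW_PASSWORD.

    Returns the Set-Cookie header to send on success, or None on a wrong
    password. compare_digest keeps the check constant-time so response
    timing does not leak how much of the password matched.
    """
    if not hmac.compare_digest(submitted.encode("utf-8"), configured.encode("utf-8")):
        return None
    return (
        f"{COOKIE_NAME}={auth_token(configured)}; "
        f"HttpOnly; SameSite=Strict; Max-Age={MAX_AGE_SECONDS}; Path=/"
    )


def route_decision(path: str, cookie_token: Optional[str], configured: str,
                   websocket: bool = False) -> str:
    """Gate a request once GITCLAW_PASSWORD is set.

    Returns "allow", "login_page" (HTTP route without a valid cookie) or
    "reject" (WebSocket upgrade without a valid cookie).
    """
    if path == "/health":
        return "allow"                # stays open for load balancers
    expected = auth_token(configured)
    valid = cookie_token is not None and hmac.compare_digest(
        cookie_token.encode("utf-8"), expected.encode("utf-8")
    )
    if valid:
        return "allow"
    return "reject" if websocket else "login_page"
```

Behind the HTTPS termination recommended below, the cookie should additionally carry the Secure attribute so a browser never sends it over plain HTTP.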

Best Practices

  • Use HTTPS in production (via nginx, Caddy, or Cloudflare Tunnel)
  • Set GITCLAW_PASSWORD when exposing to a network
  • Use OpenShell for kernel-level sandboxing in enterprise deployments
  • Enable audit logging for compliance (compliance.recordkeeping.audit_logging: true)

Compliance & Audit

Compliance Configuration

In agent.yaml:

compliance:
  risk_level: critical          # low | medium | high | critical
  human_in_the_loop: true
  data_classification: "PCI-DSS"
  regulatory_frameworks: [SOX, GLBA, OCC]
  recordkeeping:
    audit_logging: true
    retention_days: 2555        # 7 years for banking
  review:
    required_approvers: 2
    auto_review: false

Validation Rules

Rule                      Condition                                       Severity
high_risk_hitl            High/critical risk without human_in_the_loop    warning
critical_audit            Critical risk without audit_logging             error (blocks startup)
regulatory_recordkeeping  Regulatory frameworks without recordkeeping     warning
high_risk_review          High/critical risk without review config        warning
audit_retention           Audit logging without retention_days            warning
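The rules in the table can be checked before the agent starts. The Python validator below is an added example, not gitclaw's own implementation: it applies the five rules to the compliance block as a parsed dictionary (the agent.yaml sample above is reproduced inline as a dict so it runs without a YAML parser), the second config and the message strings are constructed for the example.

```python
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (rule name, severity, message)

# The agent.yaml sample from the docs, as the dict a YAML parser would yield.
COMPLIANT_CONFIG: Dict[str, Any] = {
    "risk_level": "critical",
    "human_in_the_loop": True,
    "data_classification": "PCI-DSS",
    "regulatory_frameworks": ["SOX", "GLBA", "OCC"],
    "recordkeeping": {"audit_logging": True, "retention_days": 2555},
    "review": {"required_approvers": 2, "auto_review": False},
}

# Constructed weak config: critical risk with almost nothing else set.
WEAK_CONFIG: Dict[str, Any] = {
    "risk_level": "critical",
    "regulatory_frameworks": ["SOX"],
}


def validate_compliance(compliance: Dict[str, Any]) -> List[Finding]:
    """Apply the five documented rules; each finding is (rule, severity, message)."""
    findings: List[Finding] = []
    risk = str(compliance.get("risk_level", "low")).lower()
    high_or_critical = risk in ("high", "critical")
    recordkeeping = compliance.get("recordkeeping") or {}
    audit_logging = bool(recordkeeping.get("audit_logging", False))
    frameworks = compliance.get("regulatory_frameworks") or []

    # high_risk_hitl: high/critical risk must keep a human in the loop
    if high_or_critical and not compliance.get("human_in_the_loop", False):
        findings.append(("high_risk_hitl", "warning",
                         f"risk_level {risk} without human_in_the_loop"))
    # critical_audit: the only rule severe enough to block startup
    if risk == "critical" and not audit_logging:
        findings.append(("critical_audit", "error",
                         "risk_level critical without recordkeeping.audit_logging"))
    # regulatory_recordkeeping: naming a framework implies recordkeeping
    if frameworks and not recordkeeping:
        findings.append(("regulatory_recordkeeping", "warning",
                         f"regulatory_frameworks {frameworks} without recordkeeping"))
    # high_risk_review: high/critical risk needs a review section
    if high_or_critical and not compliance.get("review"):
        findings.append(("high_risk_review", "warning",
                         f"risk_level {risk} without review config"))
    # audit_retention: logging without a retention period is incomplete
    if audit_logging and "retention_days" not in recordkeeping:
        findings.append(("audit_retention", "warning",
                         "audit_logging enabled without retention_days"))
    return findings


def blocks_startup(findings: List[Finding]) -> bool:
    """Only error-severity findings stop the agent from starting."""
    return any(severity == "error" for _, severity, _ in findings)
```

Running the validator on WEAK_CONFIG yields four findings, one of them the startup-blocking critical_audit error, while the documented sample passes clean.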

Audit Log

When audit_logging: true, all actions are logged to .gitagent/audit.jsonl:

{"timestamp":"2026-01-15T14:23:45Z","session_id":"uuid","event":"session_start"}
{"timestamp":"2026-01-15T14:23:46Z","session_id":"uuid","event":"tool_use","tool":"cli","args":{"command":"ls"}}
{"timestamp":"2026-01-15T14:23:47Z","session_id":"uuid","event":"tool_result","tool":"cli","result":"file.txt"}
{"timestamp":"2026-01-15T14:23:48Z","session_id":"uuid","event":"response"}
{"timestamp":"2026-01-15T14:23:49Z","session_id":"uuid","event":"session_end"}
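Because the log is one JSON object per line, it can be processed with the standard library alone. The following is an added example, not part of gitclaw: it parses audit.jsonl strictly (a malformed line is an error, not something to skip silently), lists the shell commands run per session for review, flags sessions that never logged session_end, and applies the retention_days window from the compliance config. The sample records are constructed to mirror the format above, with made-up session ids.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample mirroring the documented format (made-up session ids).
SAMPLE_AUDIT_JSONL = """\
{"timestamp":"2026-01-15T14:23:45Z","session_id":"s1","event":"session_start"}
{"timestamp":"2026-01-15T14:23:46Z","session_id":"s1","event":"tool_use","tool":"cli","args":{"command":"ls"}}
{"timestamp":"2026-01-15T14:23:47Z","session_id":"s1","event":"tool_result","tool":"cli","result":"file.txt"}
{"timestamp":"2026-01-15T14:23:48Z","session_id":"s1","event":"response"}
{"timestamp":"2026-01-15T14:23:49Z","session_id":"s1","event":"session_end"}
{"timestamp":"2018-03-01T09:00:00Z","session_id":"s0","event":"session_start"}
{"timestamp":"2018-03-01T09:00:05Z","session_id":"s0","event":"tool_use","tool":"cli","args":{"command":"cat notes.txt"}}
"""

REQUIRED_KEYS = ("timestamp", "session_id", "event")


def parse_ts(value: str) -> datetime:
    """Parse the log's UTC timestamps; older fromisoformat versions reject a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_audit_log(text: str) -> List[dict]:
    """Parse JSONL records, refusing malformed or incomplete lines rather than skipping them."""
    events: List[dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"audit line {lineno} is not valid JSON") from exc
        missing = [k for k in REQUIRED_KEYS if k not in record]
        if missing:
            raise ValueError(f"audit line {lineno} lacks {missing}")
        record["_ts"] = parse_ts(record["timestamp"])
        events.append(record)
    return events


def cli_commands_by_session(events: List[dict]) -> Dict[str, List[str]]:
    """Collect the shell commands the agent ran, keyed by session, for review."""
    commands: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        if ev["event"] == "tool_use" and ev.get("tool") == "cli":
            commands[ev["session_id"]].append(ev.get("args", {}).get("command", ""))
    return dict(commands)


def incomplete_sessions(events: List[dict]) -> List[str]:
    """Sessions with a session_start but no session_end (crash, kill, or truncated log)."""
    started, ended = set(), set()
    for ev in events:
        if ev["event"] == "session_start":
            started.add(ev["session_id"])
        elif ev["event"] == "session_end":
            ended.add(ev["session_id"])
    return sorted(started - ended)


def within_retention(events: List[dict], retention_days: int, as_of: str) -> List[dict]:
    """Keep only records inside the retention window ending at as_of (same format as the log)."""
    cutoff = parse_ts(as_of) - timedelta(days=retention_days)
    return [ev for ev in events if ev["_ts"] >= cutoff]
```

With retention_days 2555 and a reference date of 2026-01-16, the 2018 session falls outside the window and is the one that would be pruned; it is also the session that never logged a session_end.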