Harden HTTP/network surfaces, add CI profiles, and polish dashboard controls #36

Open
shuv1337 wants to merge 6 commits into mojomast:main from shuv1337:cleanup/upstream-replay-1

@shuv1337
Collaborator

Summary

Replay of fork changes on top of current upstream/main with a clean 5-commit stack:

  • feat(ui): keyboard sidebar toggle and scheduler delete confirmation
  • feat(http): harden request handling and add health plus run filters
  • feat(security): tighten setup validation and network egress policy
  • chore(ci): add quick/security/race profiles and fmt-check gate
  • docs: refresh API contracts and security guidance

What changed

Dashboard/UI

  • Added keyboard sidebar toggle behavior.
  • Added scheduler delete confirmation flow.
  • Added accessibility/e2e coverage for these paths.

HTTP API hardening

  • Strict JSON decoding (DisallowUnknownFields) on POST /v1/runs and POST /v1/chat/messages.
  • Request body size limits with structured 413 responses.
  • Defensive HTTP server timeouts (ReadHeaderTimeout, ReadTimeout, WriteTimeout, IdleTimeout).
  • Constant-time bearer token comparison.
  • Added unauthenticated GET|HEAD /v1/healthz.
  • Extended GET /v1/runs with agent_id filter and sort=created_desc|created_asc.

Security/network policy

  • Setup flow validation improvements (flag parsing, provider/model checks).
  • Self-signed cert generation now includes loopback IP SANs (127.0.0.1, ::1).
  • Added network.allow_private_networks config flag.
  • Added DNS-resolved IP safety checks for http.request transport:
    • blocks loopback unless allow_localhosts=true
    • blocks private/link-local unless allow_private_networks=true
    • blocks unspecified/multicast
  • Updated config tools and tests for the new network setting.

CI

  • Added Make targets:
    • ci-quick
    • ci-security
    • ci-race
    • plus fmt-check
  • GitHub workflow now runs those profiles directly.

Docs

  • Updated contracts/usage/config/threat model/tool catalog to match behavior above.

Porting note

Upstream no longer has internal/tools/network_safe.go. The DNS/IP safety logic from fork commit 323e811 was ported into the active network path in internal/tools/network_tools.go.

Validation

Executed on this branch:

  • go test ./...
  • go test -race ./...
  • make ci-quick
  • make ci-security
  • make ci-race
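
An added example, not code from this PR or the project: a Go handler that combines the strict JSON decoding and the body cap with a structured 413 listed under "HTTP API hardening" above. The runRequest fields, the 1 KiB limit and the error codes are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const maxBodyBytes = 1 << 10 // assumed cap; the PR does not state its limit

type runRequest struct { // hypothetical payload, not the project's schema
	AgentID string `json:"agent_id"`
	Message string `json:"message"`
}

func writeError(w http.ResponseWriter, status int, code string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	json.NewEncoder(w).Encode(map[string]string{"error": code})
}

func handleRun(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes) // cap before decoding
	dec := json.NewDecoder(r.Body)
	dec.DisallowUnknownFields() // unknown keys fail instead of being dropped
	var req runRequest
	if err := dec.Decode(&req); err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			writeError(w, http.StatusRequestEntityTooLarge, "body_too_large")
			return
		}
		writeError(w, http.StatusBadRequest, "invalid_json")
		return
	}
	w.WriteHeader(http.StatusAccepted)
}

// statusFor posts a constructed body to the handler in-process (no network).
func statusFor(body string) int {
	rec := httptest.NewRecorder()
	handleRun(rec, httptest.NewRequest(http.MethodPost, "/v1/runs", strings.NewReader(body)))
	return rec.Code
}

func main() { fmt.Println(statusFor(`{"agent_id":"a","admin":true}`)) }
```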

Copilot AI left a comment

Pull request overview

This PR replays a fork’s hardening work on top of upstream/main, focusing on tightening HTTP request handling, strengthening network egress controls for the http.request tool, adding CI “profile” targets, and polishing dashboard UX/testing.

Changes:

  • Hardened HTTP server behavior (strict JSON decoding, body caps, defensive timeouts), added /v1/healthz, and extended run listing filters/sort.
  • Added private-network blocking controls for http.request via DNS-resolved IP safety checks plus config plumbing/tests.
  • Introduced CI profile Make targets and updated GitHub Actions to run them; updated UI behavior and docs accordingly.

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| internal/tools/tools_test.go | Updates config.set safe-update test to include new network flag. |
| internal/tools/network_tools.go | Adds DNS/IP-based egress restrictions via custom HTTP transport for http.request. |
| internal/tools/network_safe_test.go | Unit tests for IP restriction helper logic. |
| internal/tools/config_tools.go | Enables config.get/config.set support for network.allow_private_networks. |
| internal/config/config.go | Extends NetworkConfig with allow_private_networks. |
| internal/config/config_test.go | Verifies default config disables private-network HTTP by default. |
| internal/channels/http/server.go | Adds /v1/healthz, strict JSON decoding + size limits, list filters/sort, defensive server timeouts, constant-time-ish token compare. |
| internal/channels/http/server_test.go | Adds coverage for new HTTP behaviors (healthz, sort/filter, strict JSON, caps, timeouts). |
| internal/channels/dashboard/ui/tests/e2e/qa_scripts.spec.js | Updates scheduler delete flow assertions for confirmation step. |
| internal/channels/dashboard/ui/tests/e2e/accessibility.spec.js | Adds e2e coverage for keyboard sidebar toggle behavior. |
| internal/channels/dashboard/ui/src/ui/layout.js | Adds Enter-key toggle behavior for pane resizers. |
| internal/channels/dashboard/ui/src/pages/scheduler.js | Adds delete confirmation UX for scheduler jobs. |
| docs/specs/CONTRACTS.md | Updates API contracts for strict JSON/caps, run filters/sort, and /v1/healthz. |
| docs/specs/CONFIG.md | Documents new network flags and HTTP hardening behavior. |
| docs/security/THREAT_MODEL.md | Updates threat model invariants and test expectations. |
| docs/USAGE.md | Refreshes HTTP API usage and filter/sort documentation. |
| docs/TOOL_CATALOG.md | Updates http.request notes to include private-network/DNS checks. |
| cmd/openclawssy/main.go | Tightens setup validation and adds loopback IP SANs to self-signed certs. |
| cmd/openclawssy/main_test.go | Adds tests for setup arg parsing and cert SANs. |
| Makefile | Adds CI profile targets and fmt-check gate; adds focused security test target. |
| .github/workflows/ci.yml | Switches CI to run Makefile CI profiles. |

Comment thread internal/tools/network_tools.go Outdated
Comment thread internal/tools/network_tools.go Outdated
Comment thread internal/tools/network_tools.go Outdated
Comment thread internal/channels/http/server.go Outdated
Comment thread internal/tools/network_safe_test.go
Comment thread Makefile Outdated
shuv1337 added a commit to shuv1337/openshuvussy that referenced this pull request Feb 23, 2026
@shuv1337
Collaborator Author

Follow-up to Copilot review is complete in commit 60549cd.

Applied updates:

  • Disabled environment proxy usage for http.request transport so destination IP validation is always direct.
  • Changed DNS/IP handling to filter restricted IPs and attempt connections across remaining allowed IPs.
  • Tightened IP restriction logic to block non-global-unicast edge cases (unspecified, multicast, broadcast), while preserving explicit localhost/private overrides where intended.
  • Reworked secureTokenEquals to avoid early return on length mismatch.
  • Expanded network safety test coverage (unspecified/multicast/broadcast, allowed/blocked IP filtering, proxy-disabled transport).
  • Expanded test-security target regex so strict JSON/body/timeout/restricted-IP tests are included.

No Copilot items were skipped.
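
An added example, not the code from commit 60549cd: one way to express the egress checks listed above in Go, filtering restricted IPs out of the resolved set, trying the remaining ones, and using a proxy-free transport. The egressPolicy type, its method names and the error text are hypothetical; only the two flag names come from the PR.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
)

type egressPolicy struct{ AllowLocalhosts, AllowPrivateNetworks bool } // hypothetical type

func (p egressPolicy) restricted(ip net.IP) bool {
	switch {
	case ip.IsLoopback():
		return !p.AllowLocalhosts
	case ip.IsPrivate(), ip.IsLinkLocalUnicast():
		return !p.AllowPrivateNetworks
	}
	return !ip.IsGlobalUnicast() // unspecified, multicast, IPv4 broadcast
}

// dial resolves once, skips restricted IPs and dials the vetted IP literals in order.
func (p egressPolicy) dial(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	lastErr := fmt.Errorf("egress blocked: no allowed IP for %q", host)
	for _, a := range addrs {
		if !p.restricted(a.IP) {
			c, err := (&net.Dialer{}).DialContext(ctx, network, net.JoinHostPort(a.IP.String(), port))
			if err == nil {
				return c, nil
			}
			lastErr = err
		}
	}
	return nil, lastErr
}

// transport sets Proxy nil: via HTTP(S)_PROXY the checked IP is not the real peer.
func (p egressPolicy) transport() *http.Transport {
	return &http.Transport{Proxy: nil, DialContext: p.dial}
}

func main() { fmt.Println(egressPolicy{}.dial(context.Background(), "tcp", "127.0.0.1:80")) }
```

Dialing the IP literal that passed the check, rather than the hostname, keeps a second DNS answer from replacing the address between validation and connect.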

@shuv1337 shuv1337 requested a review from mojomast February 23, 2026 00:40
- Add Enter key support for sidebar resizers to toggle collapse/expand
- Add two-step confirmation for scheduler job deletion
- Add E2E accessibility test for keyboard navigation
- Update scheduler E2E test for delete confirmation flow

Implements PR #15 and PR #12 with clean branches.

(cherry picked from commit bcd9cc1)
@shuv1337 shuv1337 force-pushed the cleanup/upstream-replay-1 branch from 60549cd to d37f68d Compare February 24, 2026 07:27