Baseline Kit

Generate profile-based OpenClaw configuration JSON and audit an existing config before rollout.

When to use

• You need a starting profile for development, team, enterprise, or airgapped.
• You want an offline audit for gateway.bind, auth rate limits, allowed skill sources, audit logging, backups, or secret-like values.
• You need a reviewable JSON artifact without contacting external services.

Commands

node {baseDir}/bin/baseline-kit.js generate --profile enterprise --out ./openclaw.secure.json
node {baseDir}/bin/baseline-kit.js generate --profile development --out ./openclaw.dev.json
node {baseDir}/bin/baseline-kit.js audit --config ~/.openclaw/openclaw.json --format table
node {baseDir}/bin/baseline-kit.js audit --config ./openclaw.secure.json --format json

Profiles

Profile	Focus
development	Faster local iteration with lighter rate limits and shorter retention
team	Shared team defaults with moderate auth protection and audit logging
enterprise	Tighter auth windows, longer retention, and recovery guidance
airgapped	Loopback-only and local-mirror oriented settings

Audit checks

• NET_EXPOSURE: whether gateway.bind is loopback-only
• AUTH_RATE_LIMIT: whether auth rate limiting is configured completely
• SOURCE_RESTRICTION: whether allowed skill sources are too broad
• AUDIT_LOGGING: whether audit logging is enabled
• BACKUP_HINT: whether backup settings are present
• SECRET_HYGIENE: whether the config tree contains plaintext secret-like values

Output

• Each finding includes a severity, evidence path, recommendation, and compliance tag set.
• Compliance tags currently map to SOC2, ISO27001, and NIST CSF.

Boundaries

• This tool audits JSON structure only. It does not enforce runtime policy.
• Generated profiles are safer defaults, not a complete configuration management system.