PredicateSystems · rcholic · Feb 27, 2026 · Feb 27, 2026 · Feb 27, 2026 · Feb 27, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -4,6 +4,7 @@ on:
   push:
     branches: [main]
   pull_request:
+    branches: [main] # Skip heavy CI on secureclaw branch PRs (use secureclaw-ci.yml instead)
 
 concurrency:
   group: ci-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

diff --git a/.github/workflows/install-smoke.yml b/.github/workflows/install-smoke.yml
@@ -4,6 +4,7 @@ on:
   push:
     branches: [main]
   pull_request:
+    branches: [main] # Skip on secureclaw branch PRs
   workflow_dispatch:
 
 concurrency:

diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -1,8 +1,10 @@
 name: Labeler
 
+# Skip on SecureClaw fork - only runs on upstream openclaw/openclaw
 on:
   pull_request_target:
     types: [opened, synchronize, reopened]
+    branches: [main]
   issues:
     types: [opened]
   workflow_dispatch:

diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml
@@ -0,0 +1,76 @@
+# Publish SecureClaw to NPM on version tags
+#
+# Workflow:
+#   1. Bump version in package.json (line 3)
+#   2. Commit and push: git add package.json && git commit -m "release: v1.0.1"
+#   3. Tag and push: git tag v1.0.1 && git push origin secureclaw --tags
+#
+# Required secrets:
+#   NPM_TOKEN - NPM access token with publish permissions
+#   Create at: https://www.npmjs.com/settings/<username>/tokens
+
+name: NPM Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+concurrency:
+  group: npm-release-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10.23.0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          registry-url: "https://registry.npmjs.org"
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build
+        run: pnpm build
+
+      - name: Verify version matches tag
+        run: |
+          TAG_VERSION="${GITHUB_REF#refs/tags/v}"
+          PKG_VERSION=$(node -p "require('./package.json').version")
+          if [[ "$TAG_VERSION" != "$PKG_VERSION" ]]; then
+            echo "::error::Tag version ($TAG_VERSION) does not match package.json version ($PKG_VERSION)"
+            exit 1
+          fi
+          echo "Version verified: $PKG_VERSION"
+
+      - name: Publish to NPM
+        run: pnpm publish --access public --no-git-checks
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Create release summary
+        run: |
+          VERSION="${GITHUB_REF#refs/tags/v}"
+          echo "## NPM Release Complete" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "Published **secureclaw@${VERSION}** to NPM" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "Install with:" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
+          echo "npm install secureclaw@${VERSION}" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/secureclaw-ci.yml b/.github/workflows/secureclaw-ci.yml
@@ -0,0 +1,98 @@
+# Lightweight CI for SecureClaw branch
+# Runs faster checks, skips Windows/macOS/Android native builds
+#
+# The full upstream CI runs on main branch syncs.
+# This workflow runs only essential checks for SecureClaw PRs.
+
+name: SecureClaw CI
+
+on:
+  push:
+    branches: [secureclaw, phase2]
+  pull_request:
+    branches: [secureclaw, phase2]
+
+concurrency:
+  group: secureclaw-ci-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    name: "lint & typecheck"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10.23.0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Typecheck and lint
+        run: pnpm check
+
+  test:
+    name: "secureclaw tests"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10.23.0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build
+        run: pnpm build
+
+      - name: Run SecureClaw tests
+        run: pnpm exec vitest run --config vitest.unit.config.ts src/plugins/secureclaw/
+
+  build:
+    name: "build"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10.23.0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build
+        run: pnpm build
+
+      - name: Verify dist
+        run: |
+          test -s dist/index.js
+          test -s dist/plugin-sdk/index.js
diff --git a/.github/workflows/sync-upstream.yml b/.github/workflows/sync-upstream.yml
@@ -6,7 +6,7 @@ name: Sync Upstream
 on:
   schedule:
     # Run daily at 6 AM UTC
-    - cron: '0 6 * * *'
+    - cron: "0 6 * * *"
   workflow_dispatch:
     # Allow manual triggering
 
@@ -51,4 +51,4 @@ jobs:
           echo "git fetch origin" >> $GITHUB_STEP_SUMMARY
           echo "git checkout secureclaw" >> $GITHUB_STEP_SUMMARY
           echo "git rebase origin/main" >> $GITHUB_STEP_SUMMARY
-          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/workflow-sanity.yml b/.github/workflows/workflow-sanity.yml
@@ -2,6 +2,7 @@ name: Workflow Sanity
 
 on:
   pull_request:
+    branches: [main] # Skip on secureclaw branch PRs
   push:
     branches: [main]
 

diff --git a/README.md b/README.md
@@ -1,20 +1,20 @@
-# 🦞 OpenClaw — Personal AI Assistant
+# SecureClaw — Zero-Trust Security for AI Agents
 
 <p align="center">
     <picture>
-        <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/openclaw/openclaw/main/docs/assets/openclaw-logo-text-dark.png">
-        <img src="https://raw.githubusercontent.com/openclaw/openclaw/main/docs/assets/openclaw-logo-text.png" alt="OpenClaw" width="500">
+        <source media="(prefers-color-scheme: light)" srcset="docs/assets/secureclaw-logo-text-dark.png">
+        <img src="docs/assets/secureclaw-logo-text-dark.png" alt="SecureClaw" width="500">
     </picture>
 </p>
 
 <p align="center">
-  <strong>EXFOLIATE! EXFOLIATE!</strong>
+  <strong>Pre-authorization. Post-verification. Zero-trust AI agent security.</strong>
 </p>
 
 <p align="center">
-  <a href="https://github.com/openclaw/openclaw/actions/workflows/ci.yml?branch=main"><img src="https://img.shields.io/github/actions/workflow/status/openclaw/openclaw/ci.yml?branch=main&style=for-the-badge" alt="CI status"></a>
-  <a href="https://github.com/openclaw/openclaw/releases"><img src="https://img.shields.io/github/v/release/openclaw/openclaw?include_prereleases&style=for-the-badge" alt="GitHub release"></a>
-  <a href="https://discord.gg/clawd"><img src="https://img.shields.io/discord/1456350064065904867?label=Discord&logo=discord&logoColor=white&color=5865F2&style=for-the-badge" alt="Discord"></a>
+  <a href="https://github.com/predicatesystems/secureclaw/actions/workflows/secureclaw-ci.yml"><img src="https://img.shields.io/github/actions/workflow/status/predicatesystems/secureclaw/secureclaw-ci.yml?branch=secureclaw&style=for-the-badge" alt="CI status"></a>
+  <a href="https://github.com/predicatesystems/secureclaw/releases"><img src="https://img.shields.io/github/v/release/predicatesystems/secureclaw?include_prereleases&style=for-the-badge" alt="GitHub release"></a>
+  <a href="https://www.npmjs.com/package/secureclaw"><img src="https://img.shields.io/npm/v/secureclaw?style=for-the-badge" alt="npm version"></a>
   <a href="LICENSE"><img src="https://img.shields.io/badge/License-MIT-blue.svg?style=for-the-badge" alt="MIT License"></a>
 </p>
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,6 +2,7 @@ name: Workflow Sanity @@
     on:
       pull_request:
+        branches: [main] # Skip on secureclaw branch PRs
       push:
         branches: [main]
@@ Expand Down @@