clawdstrike/rulesets/remote-desktop.yaml at main · backbay-labs/clawdstrike · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
# Remote Desktop Agent Ruleset
# Moderate CUA security policy for remote desktop AI agents
# HushSpec equivalent: https://github.com/backbay-labs/hush/blob/main/rulesets/remote-desktop.yaml
version: "1.2.0"
name: Remote Desktop Agent
description: Security rules for AI agents operating via remote desktop (CUA)
extends: ai-agent

guards:
  computer_use:
    enabled: true
    mode: guardrail
    allowed_actions:
      - "remote.session.connect"
      - "remote.session.disconnect"
      - "remote.session.reconnect"
      - "input.inject"
      - "remote.clipboard"
      - "remote.file_transfer"
      - "remote.audio"
      - "remote.drive_mapping"
      - "remote.printing"
      - "remote.session_share"

  remote_desktop_side_channel:
    # Matrix-aligned defaults for tier=dev, mode=guardrail.
    clipboard_enabled: false
    file_transfer_enabled: false
    audio_enabled: true
    drive_mapping_enabled: false
    printing_enabled: false
    session_share_enabled: false
    max_transfer_size_bytes: 104857600  # 100MB

  input_injection_capability:
    allowed_input_types:
      - "keyboard"
      - "mouse"
    require_postcondition_probe: false

settings:
  fail_fast: false
  verbose_logging: false
  session_timeout_secs: 7200  # 2 hours