Purpose
This timer enforces mandatory webhook endpoint governance by auditing the delta between the live webhook paths and the approved paths listed in FUNNEL-REGISTRY.md. It flags unregistered endpoints, signature failure spikes, endpoints that received zero events, and stale Cloudflare WAF rules (rules that still reference paths no longer served), so that the exposed surface does not drift away from what was approved. Mandated by the Webhook Endpoint Governance section of CLAUDE.md.
Schedule
OnCalendar=Mon *-*-* 06:00:00 America/Los_Angeles
Runs every Monday at 06:00 Pacific time. Because the OnCalendar line carries an explicit time zone, DST is handled by systemd; no manual adjustment is needed. RandomizedDelaySec=1800s adds up to 30 minutes of jitter so this timer does not fire at the same instant as other weekly timers. Note that this is a user timer: it only fires while the opsadmin user manager is running, so on a host without a persistent login session lingering must be enabled for that user (loginctl enable-linger opsadmin).
Service
Runs security-audit-funnel.service, which executes the following Node.js script:
/usr/bin/node /home/opsadmin/.openclaw/workspace/scripts/security-audit-funnel.js
Can also be run manually with --dry-run flag for non-destructive audits.
Failure behavior
The service is Type=oneshot. Failures are logged to the opsadmin user journal under the security-audit-funnel unit. Findings and critical failures are pushed as alerts to the #ops Discord channel. Whether a Monday run missed because the host was down is caught up at the next boot depends on Persistent=true being set in the timer unit; if it is not, the run is simply skipped until the following Monday.
Health signal
Verification can be performed via:
- Systemd status: systemctl --user status security-audit-funnel.timer (systemctl --user list-timers security-audit-funnel.timer shows the last and next scheduled run)
- Logs: journalctl --user -u security-audit-funnel
- Notifications: presence of the weekly audit report in the #ops Discord channel each Monday.
Related
- cron-timer-registry — Central registry of all systemd timers.
- funnel-registry — The source of truth for approved webhook paths.
- cloudflare — WAF and tunnel configuration managed by this audit.