Sarge started as a Linux-only NIST 800-53 gap analysis tool for OpenClaw deployments. Three months and thirteen releases later, it runs on three platforms, backs up your config before touching anything, and can tell you when your baseline drifts. Here's what shipped between v0.3 and v0.6.
Windows Hardening Support
This was the big one. Sarge now has breadth-first detection and recommendations across all six NIST 800-53 control families on Windows. That's Access Control, Audit, Configuration Management, Identification & Authentication, System & Communications Protection, and System & Information Integrity.
The Windows assessment runs as a read-only PowerShell script. It probes your enterprise context automatically. Domain-joined or AAD-joined? Intune-enrolled or standalone? AppLocker, WDAC, Defender status? Sarge captures all of it and maps findings to specific 800-53 controls with concrete remediation steps.
If you pass --inspect-policy, Sarge goes deeper. On AAD-joined hosts, it queries Intune MDM CSP to see what's actually enforced by your management platform. On AD-joined hosts, it checks GPO via gpresult. Controls that your MDM or GPO already enforce get marked as ENFORCED-EXTERNALLY instead of FAIL. That matters because a FAIL on a domain-joined machine that's already covered by Group Policy is noise, not signal.
# Run the Windows assessment
pwsh assessment/assess.ps1
# Include managed-policy overlay
pwsh assessment/assess.ps1 --inspect-policy
Every finding on a domain-joined host that could be overridden by GPO says so. No false alarms.
Cross-Platform Backup and Rollback
Before Sarge hardens anything, it now captures a snapshot so you can undo the changes. This landed for all three platforms.
Ubuntu gets the deepest support. Sarge probes for Btrfs/ZFS snapshots, timeshift, and LVM thin snapshots in that order. Regardless of which block-level tool is available, it also captures a file-level backup of every /etc/ path that hardening touches, plus UFW state, audit rules, enabled services, and installed packages. A generated rollback.sh script reverses everything.
macOS captures an APFS local snapshot via tmutil, with optional Time Machine backup. File-level captures cover /etc/pam.d/, SSH config, sudoers, firewall state, and security policy status. The APFS snapshot is your heavy-lift fallback if granular rollback doesn't fully restore things.
Windows creates a System Restore checkpoint and exports registry policy hives, local security policy via secedit, audit policy via auditpol, service states, and scheduled tasks. If System Protection is disabled, Sarge fails loud. It will not silently proceed without a safety net.
The principle is simple: a misapplied security control should never leave a host in an unrecoverable state.
Host-Only Mode
Sarge was built for hosts running AI agents. But sometimes you want a clean NIST 800-53 baseline without the agent-runtime findings. Maybe you're scanning a workstation that runs an OpenClaw agent but you only care about the OS posture right now. Maybe you're evaluating a server that doesn't run agents at all.
Pass --host-only and Sarge excludes all agent-scoped findings. Not SKIP. Excluded entirely. The report header tells you which mode was used.
# Linux/macOS
./assessment/assess.sh --host-only
# Windows
pwsh assessment/assess.ps1 --host-only
This makes Sarge useful as a standalone baseline tool, not just an agent-safety check.
Drift Detection
Hardening is a point-in-time activity. What happens a week later when someone changes a firewall rule? Or a package update overwrites an SSH config?
Sarge's drift detection answers that. Run snapshot.sh to capture your current security baseline after hardening. Later, run compare.sh to diff the current state against that snapshot. Any changes are flagged as drift. You can automate this on a schedule with drift-cron.sh, which runs the comparison and notifies you through your configured OpenClaw channel when something moves.
# Capture your baseline
./drift/snapshot.sh
# Check for drift later
./drift/compare.sh
# Or automate it
# (add drift-cron.sh to your crontab)
Drift detection runs on Ubuntu and macOS today. It's read-only. No sudo required.
Integration Tests You Can Run
We ship tests. Not just our CI tests. Tests you can run in your environment to verify Sarge works correctly on your system.
On Windows, the Pester test suite covers the assessment and backup/rollback flows with mocked cmdlets. Run them locally:
Invoke-Pester -Path tests/Pester
On Linux, integration smoke tests validate the backup and rollback round-trip:
bash tests/integration/backup-ubuntu-smoke.sh
If a test fails in your environment, that's a finding we want to know about. Open an issue.
What's Next
Windows hardening scripts (Phase 2) are the next milestone. They're gated on the backup work that just shipped. Now that every platform has a pre-hardening safety net, we can start writing the scripts that actually change Windows configuration with confidence that you can undo them.
macOS hardening modules for firewall and SSH already landed. Native logging policy and additional modules are tracked in GitHub issues.
The goal hasn't changed: if you run an AI agent, you should be able to verify the host it runs on meets a documented security baseline. And if hardening changes something you didn't expect, you should be able to roll it back.
Focus Forward. We've Got Your Six.
Explore Sarge on GitHub. Clone it, run it, open issues.