@agenshield/integrations 0.7.0

package/homebrew.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Agent User Homebrew Installation
+ *
+ * Installs a user-local Homebrew in the agent's $HOME/homebrew directory.
+ * This gives the sandboxed agent access to brew without relying on the
+ * host system's Homebrew installation.
+ */
+export interface HomebrewInstallResult {
+    success: boolean;
+    brewPath: string;
+    message: string;
+    error?: Error;
+}
+/**
+ * Install a user-local Homebrew for the agent user.
+ *
+ * Creates $HOME/homebrew and downloads the Homebrew tarball into it.
+ * Runs as the agent user via `sudo -u`.
+ */
+export declare function installAgentHomebrew(options: {
+    agentHome: string;
+    agentUsername: string;
+    socketGroupName: string;
+    verbose?: boolean;
+    onLog?: (msg: string) => void;
+}): Promise<HomebrewInstallResult>;
+/**
+ * Check if agent-local Homebrew is installed.
+ */
+export declare function isAgentHomebrewInstalled(agentHome: string): Promise<boolean>;
+//# sourceMappingURL=homebrew.d.ts.map

package/homebrew.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"homebrew.d.ts","sourceRoot":"","sources":["../src/homebrew.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAkFH,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,KAAK,CAAC;CACf;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CAAC,OAAO,EAAE;IAClD,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,MAAM,CAAC;IACxB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAyDjC;AAED;;GAEG;AACH,wBAAsB,wBAAwB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAOlF"}

package/index.d.ts

@@ -0,0 +1,13 @@
+/**
+ * AgenShield Integrations
+ *
+ * OpenClaw and third-party integration utilities.
+ * Extracted from @agenshield/sandbox to break circular dependency
+ * with @agenshield/broker.
+ *
+ * @packageDocumentation
+ */
+export { installAgentHomebrew, isAgentHomebrewInstalled, type HomebrewInstallResult, } from './homebrew';
+export { detectHostOpenClawVersion, installAgentOpenClaw, copyOpenClawConfig, stopHostOpenClaw, getOriginalUser, getHostOpenClawConfigPath, onboardAgentOpenClaw, startAgentOpenClawGateway, startAgentOpenClawDashboard, type OpenClawInstallResult, type OpenClawConfigCopyResult, type StopHostOpenClawResult, } from './openclaw-install';
+export { generateOpenClawGatewayPlist, installOpenClawLauncher, installOpenClawLaunchDaemons, startOpenClawServices, stopOpenClawServices, restartOpenClawServices, getOpenClawStatus, getOpenClawStatusSync, getOpenClawDashboardUrl, isOpenClawInstalled, uninstallOpenClawLaunchDaemons, OPENCLAW_GATEWAY_LABEL, OPENCLAW_DAEMON_PLIST, OPENCLAW_GATEWAY_PLIST, OPENCLAW_LAUNCHER_PATH, type OpenClawLaunchConfig, type OpenClawProcessStatus, type OpenClawStatus, type OpenClawDaemonResult, } from './openclaw-launchdaemon';
+//# sourceMappingURL=index.d.ts.map

package/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EACL,oBAAoB,EACpB,wBAAwB,EACxB,KAAK,qBAAqB,GAC3B,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,yBAAyB,EACzB,oBAAoB,EACpB,kBAAkB,EAClB,gBAAgB,EAChB,eAAe,EACf,yBAAyB,EACzB,oBAAoB,EACpB,yBAAyB,EACzB,2BAA2B,EAC3B,KAAK,qBAAqB,EAC1B,KAAK,wBAAwB,EAC7B,KAAK,sBAAsB,GAC5B,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,4BAA4B,EAC5B,uBAAuB,EACvB,4BAA4B,EAC5B,qBAAqB,EACrB,oBAAoB,EACpB,uBAAuB,EACvB,iBAAiB,EACjB,qBAAqB,EACrB,uBAAuB,EACvB,mBAAmB,EACnB,8BAA8B,EAC9B,sBAAsB,EACtB,qBAAqB,EACrB,sBAAsB,EACtB,sBAAsB,EACtB,KAAK,oBAAoB,EACzB,KAAK,qBAAqB,EAC1B,KAAK,cAAc,EACnB,KAAK,oBAAoB,GAC1B,MAAM,yBAAyB,CAAC"}

package/index.js

@@ -0,0 +1,917 @@
+// libs/shield-integrations/src/homebrew.ts
+import { exec, spawn } from "node:child_process";
+import { promisify } from "node:util";
+import * as fs from "node:fs/promises";
+var execAsync = promisify(exec);
+function isNoiseLine(line) {
+  if (/^\s*%\s+Total/.test(line)) return true;
+  if (/^\s*Dload\s+Upload/.test(line)) return true;
+  if (/^[\d\s.kMG:\-/|]+$/.test(line)) return true;
+  if (/^=>?\s*$/.test(line)) return true;
+  return false;
+}
+async function execWithProgress(command, log, opts) {
+  return new Promise((resolve, reject) => {
+    const child = spawn("/bin/bash", ["-c", command], {
+      cwd: opts?.cwd || "/",
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    let timer;
+    if (opts?.timeout) {
+      timer = setTimeout(() => {
+        child.kill("SIGTERM");
+        reject(new Error(`Command timed out after ${opts.timeout}ms`));
+      }, opts.timeout);
+    }
+    child.stdout?.on("data", (data) => {
+      const text = data.toString();
+      stdout += text;
+      for (const line of text.split("\n")) {
+        const trimmed = line.trim();
+        if (trimmed && !isNoiseLine(trimmed)) log(trimmed);
+      }
+    });
+    child.stderr?.on("data", (data) => {
+      const text = data.toString();
+      stderr += text;
+      for (const line of text.split("\n")) {
+        const trimmed = line.trim();
+        if (trimmed && !isNoiseLine(trimmed)) log(trimmed);
+      }
+    });
+    child.on("close", (code) => {
+      if (timer) clearTimeout(timer);
+      if (code === 0) {
+        resolve({ stdout, stderr });
+      } else {
+        const err = new Error(`Command failed with exit code ${code}: ${stderr.slice(0, 500)}`);
+        err.stdout = stdout;
+        err.stderr = stderr;
+        reject(err);
+      }
+    });
+    child.on("error", (err) => {
+      if (timer) clearTimeout(timer);
+      reject(err);
+    });
+  });
+}
+var HOMEBREW_TARBALL_URL = "https://github.com/Homebrew/brew/tarball/master";
+async function installAgentHomebrew(options) {
+  const { agentHome, agentUsername, socketGroupName, verbose, onLog } = options;
+  const brewDir = `${agentHome}/homebrew`;
+  const brewPath = `${brewDir}/bin/brew`;
+  const log = onLog || ((msg) => verbose && process.stderr.write(`[SETUP] ${msg}
+`));
+  try {
+    log(`Creating homebrew directory at ${brewDir}`);
+    await execAsync(`sudo mkdir -p "${brewDir}"`);
+    await execAsync(`sudo chown ${agentUsername}:${socketGroupName} "${brewDir}"`);
+    log("Downloading and extracting Homebrew");
+    const installCmd = [
+      `export HOME="${agentHome}"`,
+      `/usr/bin/curl -fsSL "${HOMEBREW_TARBALL_URL}" | /usr/bin/tar xz --strip 1 -C homebrew`
+    ].join(" && ");
+    await execWithProgress(
+      `sudo -H -u ${agentUsername} /bin/bash --norc --noprofile -c '${installCmd}'`,
+      log,
+      { cwd: agentHome, timeout: 12e4 }
+    );
+    try {
+      await fs.access(brewPath);
+    } catch {
+      return {
+        success: false,
+        brewPath,
+        message: "Homebrew downloaded but brew binary not found"
+      };
+    }
+    log("Setting ownership for homebrew directory");
+    await execAsync(`sudo chown -R ${agentUsername}:${socketGroupName} "${brewDir}"`);
+    log(`Homebrew installed at ${brewDir}`);
+    return {
+      success: true,
+      brewPath,
+      message: `Homebrew installed at ${brewDir}`
+    };
+  } catch (error) {
+    return {
+      success: false,
+      brewPath,
+      message: `Homebrew installation failed: ${error.message}`,
+      error
+    };
+  }
+}
+async function isAgentHomebrewInstalled(agentHome) {
+  try {
+    await fs.access(`${agentHome}/homebrew/bin/brew`);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// libs/shield-integrations/src/openclaw-install.ts
+import * as fs2 from "node:fs";
+import * as os from "node:os";
+import * as path from "node:path";
+import { exec as exec2, execSync, spawn as spawn2 } from "node:child_process";
+import { promisify as promisify2 } from "node:util";
+var execAsync2 = promisify2(exec2);
+function isNoiseLine2(line) {
+  if (/^\s*%\s+Total/.test(line)) return true;
+  if (/^\s*Dload\s+Upload/.test(line)) return true;
+  if (/^[\d\s.kMG:\-/|]+$/.test(line)) return true;
+  if (/^=>?\s*$/.test(line)) return true;
+  return false;
+}
+async function execWithProgress2(command, log, opts) {
+  return new Promise((resolve, reject) => {
+    const child = spawn2("/bin/bash", ["-c", command], {
+      cwd: opts?.cwd || "/",
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    let timer;
+    if (opts?.timeout) {
+      timer = setTimeout(() => {
+        child.kill("SIGTERM");
+        reject(new Error(`Command timed out after ${opts.timeout}ms`));
+      }, opts.timeout);
+    }
+    child.stdout?.on("data", (data) => {
+      const text = data.toString();
+      stdout += text;
+      for (const line of text.split("\n")) {
+        const trimmed = line.trim();
+        if (trimmed && !isNoiseLine2(trimmed)) log(trimmed);
+      }
+    });
+    child.stderr?.on("data", (data) => {
+      const text = data.toString();
+      stderr += text;
+      for (const line of text.split("\n")) {
+        const trimmed = line.trim();
+        if (trimmed && !isNoiseLine2(trimmed)) log(trimmed);
+      }
+    });
+    child.on("close", (code) => {
+      if (timer) clearTimeout(timer);
+      if (code === 0) {
+        resolve({ stdout, stderr });
+      } else {
+        const err = new Error(`Command failed with exit code ${code}: ${stderr.slice(0, 500)}`);
+        err.stdout = stdout;
+        err.stderr = stderr;
+        reject(err);
+      }
+    });
+    child.on("error", (err) => {
+      if (timer) clearTimeout(timer);
+      reject(err);
+    });
+  });
+}
+function sudoExec(cmd) {
+  try {
+    const output = execSync(`sudo ${cmd}`, { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] });
+    return { success: true, output: output.trim() };
+  } catch (err) {
+    const error = err;
+    return { success: false, error: error.stderr || error.message || "Unknown error" };
+  }
+}
+function detectHostOpenClawVersion() {
+  try {
+    const output = execSync("openclaw --version", { encoding: "utf-8", stdio: "pipe" }).trim();
+    const match = output.match(/(\d+\.\d+\.\d+(?:-[a-zA-Z0-9.]+)?)/);
+    return match ? match[1] : output;
+  } catch {
+    return null;
+  }
+}
+async function installAgentOpenClaw(options) {
+  const { agentHome, agentUsername, socketGroupName, verbose, onLog } = options;
+  const targetVersion = options.targetVersion || "latest";
+  const nvmDir = `${agentHome}/.nvm`;
+  const log = onLog || ((msg) => verbose && process.stderr.write(`[SETUP] ${msg}
+`));
+  const empty = {
+    success: false,
+    version: "",
+    binaryPath: "",
+    message: ""
+  };
+  try {
+    const versionSpec = targetVersion === "latest" ? "openclaw" : `openclaw@${targetVersion}`;
+    log(`Installing ${versionSpec} for agent user via NVM npm`);
+    const installCmd = [
+      `export HOME="${agentHome}"`,
+      `export NVM_DIR="${nvmDir}"`,
+      `source "${nvmDir}/nvm.sh"`,
+      `npm install -g ${versionSpec}`
+    ].join(" && ");
+    await execWithProgress2(
+      `sudo -H -u ${agentUsername} /bin/bash --norc --noprofile -c '${installCmd}'`,
+      log,
+      { cwd: "/", timeout: 18e4 }
+    );
+    log("Resolving installed openclaw binary path");
+    const whichCmd = [
+      `export HOME="${agentHome}"`,
+      `export NVM_DIR="${nvmDir}"`,
+      `source "${nvmDir}/nvm.sh"`,
+      `which openclaw`
+    ].join(" && ");
+    const { stdout: binaryPath } = await execAsync2(
+      `sudo -H -u ${agentUsername} /bin/bash --norc --noprofile -c '${whichCmd}'`,
+      { cwd: "/" }
+    );
+    const resolvedPath = binaryPath.trim();
+    if (!resolvedPath) {
+      return { ...empty, message: "OpenClaw installed but binary path could not be resolved" };
+    }
+    log("Verifying OpenClaw installation");
+    const verifyCmd = [
+      `export HOME="${agentHome}"`,
+      `export NVM_DIR="${nvmDir}"`,
+      `source "${nvmDir}/nvm.sh"`,
+      `openclaw --version`
+    ].join(" && ");
+    const { stdout: versionOut } = await execAsync2(
+      `sudo -H -u ${agentUsername} /bin/bash --norc --noprofile -c '${verifyCmd}'`,
+      { cwd: "/" }
+    );
+    const installedVersion = versionOut.trim();
+    log(`OpenClaw ${installedVersion} installed at ${resolvedPath}`);
+    return {
+      success: true,
+      version: installedVersion,
+      binaryPath: resolvedPath,
+      message: `OpenClaw ${installedVersion} installed at ${resolvedPath}`
+    };
+  } catch (error) {
+    return {
+      ...empty,
+      message: `OpenClaw installation failed: ${error.message}`,
+      error
+    };
+  }
+}
+function copyOpenClawConfig(options) {
+  const { sourceConfigPath, agentHome, agentUsername, socketGroup, verbose, onLog } = options;
+  const targetConfigDir = path.join(agentHome, ".openclaw");
+  const log = onLog || ((msg) => verbose && process.stderr.write(`[SETUP] ${msg}
+`));
+  try {
+    if (!fs2.existsSync(sourceConfigPath)) {
+      log("Source config path does not exist, creating empty .openclaw");
+      sudoExec(`mkdir -p "${path.join(targetConfigDir, "skills")}" "${path.join(targetConfigDir, "canvas")}"`);
+      sudoExec(`chown -R ${agentUsername}:${socketGroup} "${targetConfigDir}"`);
+      sudoExec(`chmod 2775 "${targetConfigDir}"`);
+      return {
+        success: true,
+        configDir: targetConfigDir,
+        sanitized: false,
+        message: "Created empty .openclaw directory (source not found)"
+      };
+    }
+    if (fs2.existsSync(targetConfigDir)) {
+      sudoExec(`rm -rf "${targetConfigDir}"`);
+    }
+    log(`Copying ${sourceConfigPath} \u2192 ${targetConfigDir}`);
+    const cpResult = sudoExec(`cp -a "${sourceConfigPath}" "${targetConfigDir}"`);
+    if (!cpResult.success) {
+      return {
+        success: false,
+        configDir: targetConfigDir,
+        sanitized: false,
+        message: `cp -a failed: ${cpResult.error}`
+      };
+    }
+    log(`Setting ownership: ${agentUsername}:${socketGroup}`);
+    sudoExec(`chown -R ${agentUsername}:${socketGroup} "${targetConfigDir}"`);
+    const originalHome = path.dirname(sourceConfigPath);
+    if (originalHome !== agentHome) {
+      log(`Rewriting paths: ${originalHome} \u2192 ${agentHome}`);
+      sudoExec(
+        `find "${targetConfigDir}" -type f -exec sed -i '' "s|${originalHome}|${agentHome}|g" {} +`
+      );
+    }
+    sudoExec(`mkdir -p "${path.join(targetConfigDir, "skills")}"`);
+    sudoExec(`chmod 2775 "${path.join(targetConfigDir, "skills")}"`);
+    sudoExec(`mkdir -p "${path.join(targetConfigDir, "canvas")}"`);
+    sudoExec(`chmod 2775 "${path.join(targetConfigDir, "canvas")}"`);
+    sudoExec(`chown ${agentUsername}:${socketGroup} "${path.join(targetConfigDir, "canvas")}"`);
+    sudoExec(`chmod 2775 "${targetConfigDir}"`);
+    return {
+      success: true,
+      configDir: targetConfigDir,
+      sanitized: originalHome !== agentHome,
+      message: `Copied .openclaw config to ${targetConfigDir}${originalHome !== agentHome ? " (paths rewritten)" : ""}`
+    };
+  } catch (error) {
+    return {
+      success: false,
+      configDir: targetConfigDir,
+      sanitized: false,
+      message: `Failed to copy OpenClaw config: ${error.message}`,
+      error
+    };
+  }
+}
+function findOpenClawProcesses(username) {
+  const result = { daemon: [], gateway: [], other: [] };
+  try {
+    const { output } = sudoExec(`ps -u ${username} -o pid,command`);
+    if (!output) return result;
+    for (const line of output.split("\n")) {
+      if (!line.includes("openclaw")) continue;
+      const pidMatch = line.match(/^\s*(\d+)/);
+      if (!pidMatch) continue;
+      const pid = parseInt(pidMatch[1], 10);
+      if (line.includes("daemon")) {
+        result.daemon.push(pid);
+      } else if (line.includes("gateway")) {
+        result.gateway.push(pid);
+      } else {
+        result.other.push(pid);
+      }
+    }
+  } catch {
+  }
+  return result;
+}
+async function stopHostOpenClaw(options) {
+  const { originalUser, verbose, onLog } = options;
+  const log = onLog || ((msg) => verbose && process.stderr.write(`[SETUP] ${msg}
+`));
+  let daemonStopped = false;
+  let gatewayStopped = false;
+  const procs = findOpenClawProcesses(originalUser);
+  const totalProcs = procs.daemon.length + procs.gateway.length + procs.other.length;
+  log(`Found ${totalProcs} OpenClaw process(es) for ${originalUser} (daemon: ${procs.daemon.length}, gateway: ${procs.gateway.length}, other: ${procs.other.length})`);
+  if (totalProcs === 0) {
+    log("No OpenClaw processes running \u2014 nothing to stop");
+    return {
+      success: true,
+      daemonStopped: true,
+      gatewayStopped: true,
+      message: "No OpenClaw processes were running"
+    };
+  }
+  if (procs.gateway.length > 0) {
+    log(`Stopping OpenClaw gateway for user: ${originalUser}`);
+    try {
+      await execAsync2(
+        `sudo -H -u ${originalUser} openclaw gateway stop`,
+        { cwd: "/", timeout: 15e3 }
+      );
+      gatewayStopped = true;
+      log("OpenClaw gateway stopped gracefully");
+    } catch {
+      log("OpenClaw gateway stop command failed, will try kill");
+    }
+  } else {
+    gatewayStopped = true;
+  }
+  if (procs.daemon.length > 0) {
+    log(`Stopping OpenClaw daemon for user: ${originalUser}`);
+    try {
+      await execAsync2(
+        `sudo -H -u ${originalUser} openclaw daemon stop`,
+        { cwd: "/", timeout: 15e3 }
+      );
+      daemonStopped = true;
+      log("OpenClaw daemon stopped gracefully");
+    } catch {
+      log("OpenClaw daemon stop command failed, will try kill");
+    }
+  } else {
+    daemonStopped = true;
+  }
+  const remaining = findOpenClawProcesses(originalUser);
+  const allPids = [...remaining.daemon, ...remaining.gateway, ...remaining.other];
+  if (allPids.length > 0) {
+    log(`${allPids.length} OpenClaw process(es) still running, sending SIGTERM`);
+    for (const pid of allPids) {
+      try {
+        sudoExec(`kill ${pid}`);
+      } catch {
+      }
+    }
+    await new Promise((resolve) => setTimeout(resolve, 2e3));
+    const stubborn = findOpenClawProcesses(originalUser);
+    const stubbornPids = [...stubborn.daemon, ...stubborn.gateway, ...stubborn.other];
+    if (stubbornPids.length > 0) {
+      log(`${stubbornPids.length} process(es) survived SIGTERM, sending SIGKILL`);
+      for (const pid of stubbornPids) {
+        try {
+          sudoExec(`kill -9 ${pid}`);
+        } catch {
+        }
+      }
+    }
+    daemonStopped = true;
+    gatewayStopped = true;
+  }
+  return {
+    success: true,
+    daemonStopped,
+    gatewayStopped,
+    message: `Daemon: stopped, Gateway: stopped`
+  };
+}
+function getOriginalUser() {
+  return process.env["SUDO_USER"] || os.userInfo().username;
+}
+function getHostOpenClawConfigPath(username) {
+  const user = username || getOriginalUser();
+  const configPath = `/Users/${user}/.openclaw`;
+  if (fs2.existsSync(configPath)) {
+    return configPath;
+  }
+  return null;
+}
+async function onboardAgentOpenClaw(options) {
+  const { agentHome, agentUsername, verbose, onLog } = options;
+  const nvmDir = `${agentHome}/.nvm`;
+  const log = onLog || ((msg) => verbose && process.stderr.write(`[SETUP] ${msg}
+`));
+  const onboardCmd = [
+    `export HOME="${agentHome}"`,
+    `export NVM_DIR="${nvmDir}"`,
+    `source "${nvmDir}/nvm.sh"`,
+    `openclaw onboard --non-interactive --accept-risk --flow quickstart --mode local --no-install-daemon --daemon-runtime node --skip-channels --skip-skills --skip-health --skip-ui --node-manager npm`
+  ].join(" && ");
+  log("Running openclaw onboard as agent user");
+  try {
+    await execWithProgress2(
+      `sudo -H -u ${agentUsername} /bin/bash --norc --noprofile -c '${onboardCmd}'`,
+      log,
+      { cwd: "/", timeout: 12e4 }
+    );
+    log("OpenClaw onboard completed");
+    return { success: true, message: "OpenClaw onboard completed" };
+  } catch (err) {
+    const msg = err.message;
+    log(`OpenClaw onboard failed (non-fatal): ${msg}`);
+    return { success: false, message: `OpenClaw onboard failed: ${msg}` };
+  }
+}
+async function startAgentOpenClawGateway(options) {
+  const { agentHome, agentUsername, socketGroupName, verbose } = options;
+  const nvmDir = `${agentHome}/.nvm`;
+  const log = (msg) => verbose && process.stderr.write(`[SETUP] ${msg}
+`);
+  const gatewayCmd = [
+    `export HOME="${agentHome}"`,
+    `export NVM_DIR="${nvmDir}"`,
+    `source "${nvmDir}/nvm.sh"`,
+    `exec openclaw gateway run`
+  ].join(" && ");
+  log("Starting openclaw gateway run in background");
+  try {
+    sudoExec("mkdir -p /var/log/agenshield");
+    sudoExec(`touch /var/log/agenshield/openclaw-gateway.log /var/log/agenshield/openclaw-gateway.error.log`);
+    sudoExec(`chown ${agentUsername}:${socketGroupName} /var/log/agenshield/openclaw-gateway.log /var/log/agenshield/openclaw-gateway.error.log`);
+    sudoExec(`chmod 666 /var/log/agenshield/openclaw-gateway.log /var/log/agenshield/openclaw-gateway.error.log`);
+    const outLog = fs2.openSync("/var/log/agenshield/openclaw-gateway.log", "a");
+    const errLog = fs2.openSync("/var/log/agenshield/openclaw-gateway.error.log", "a");
+    const child = spawn2(
+      "sudo",
+      ["-H", "-u", agentUsername, "/bin/bash", "--norc", "--noprofile", "-c", gatewayCmd],
+      {
+        cwd: "/",
+        detached: true,
+        stdio: ["ignore", outLog, errLog]
+      }
+    );
+    const pid = child.pid;
+    child.unref();
+    fs2.closeSync(outLog);
+    fs2.closeSync(errLog);
+    if (!pid) {
+      return { success: false, message: "Failed to spawn openclaw gateway \u2014 no PID returned" };
+    }
+    await new Promise((resolve) => setTimeout(resolve, 1500));
+    try {
+      process.kill(pid, 0);
+      log(`OpenClaw gateway started (PID: ${pid})`);
+      return { success: true, pid, message: `OpenClaw gateway running (PID: ${pid})` };
+    } catch {
+      log("OpenClaw gateway process exited immediately \u2014 check logs");
+      return { success: false, message: "OpenClaw gateway exited immediately. Check /var/log/agenshield/openclaw-gateway.error.log" };
+    }
+  } catch (err) {
+    const msg = err.message;
+    log(`Failed to start openclaw gateway: ${msg}`);
+    return { success: false, message: `Failed to start openclaw gateway: ${msg}` };
+  }
+}
+async function startAgentOpenClawDashboard(options) {
+  const { agentHome, agentUsername, socketGroupName, verbose } = options;
+  const nvmDir = `${agentHome}/.nvm`;
+  const log = (msg) => verbose && process.stderr.write(`[SETUP] ${msg}
+`);
+  const dashboardCmd = [
+    `export HOME="${agentHome}"`,
+    `export NVM_DIR="${nvmDir}"`,
+    `source "${nvmDir}/nvm.sh"`,
+    `exec openclaw dashboard`
+  ].join(" && ");
+  log("Starting openclaw dashboard in background");
+  try {
+    sudoExec(`touch /var/log/agenshield/openclaw-dashboard.log /var/log/agenshield/openclaw-dashboard.error.log`);
+    sudoExec(`chown ${agentUsername}:${socketGroupName} /var/log/agenshield/openclaw-dashboard.log /var/log/agenshield/openclaw-dashboard.error.log`);
+    sudoExec(`chmod 666 /var/log/agenshield/openclaw-dashboard.log /var/log/agenshield/openclaw-dashboard.error.log`);
+    const outLog = fs2.openSync("/var/log/agenshield/openclaw-dashboard.log", "a");
+    const errLog = fs2.openSync("/var/log/agenshield/openclaw-dashboard.error.log", "a");
+    const child = spawn2(
+      "sudo",
+      ["-H", "-u", agentUsername, "/bin/bash", "--norc", "--noprofile", "-c", dashboardCmd],
+      {
+        cwd: "/",
+        detached: true,
+        stdio: ["ignore", outLog, errLog]
+      }
+    );
+    const pid = child.pid;
+    child.unref();
+    fs2.closeSync(outLog);
+    fs2.closeSync(errLog);
+    if (!pid) {
+      return { success: false, message: "Failed to spawn openclaw dashboard \u2014 no PID returned" };
+    }
+    log(`OpenClaw dashboard started (PID: ${pid})`);
+    return { success: true, pid, message: `OpenClaw dashboard running (PID: ${pid})` };
+  } catch (err) {
+    const msg = err.message;
+    log(`Failed to start openclaw dashboard: ${msg}`);
+    return { success: false, message: `Failed to start openclaw dashboard: ${msg}` };
+  }
+}
+
+// libs/shield-integrations/src/openclaw-launchdaemon.ts
+import * as fs3 from "node:fs/promises";
+import * as path2 from "node:path";
+import { execSync as execSync2 } from "node:child_process";
+import { exec as exec3 } from "node:child_process";
+import { promisify as promisify3 } from "node:util";
+var execAsync3 = promisify3(exec3);
+var OPENCLAW_DAEMON_LABEL = "com.agenshield.openclaw.daemon";
+var OPENCLAW_GATEWAY_LABEL = "com.agenshield.openclaw.gateway";
+var OPENCLAW_DAEMON_PLIST = "/Library/LaunchDaemons/com.agenshield.openclaw.daemon.plist";
+var OPENCLAW_GATEWAY_PLIST = "/Library/LaunchDaemons/com.agenshield.openclaw.gateway.plist";
+var OPENCLAW_LAUNCHER_PATH = "/opt/agenshield/bin/openclaw-launcher.sh";
+var BROKER_LABEL = "com.agenshield.broker";
+function generateLauncherScript(config) {
+  const socketPath = config.socketPath || "/var/run/agenshield/agenshield.sock";
+  const interceptorPath = config.interceptorPath || "/opt/agenshield/lib/interceptor/register.cjs";
+  const httpPort = config.httpPort || 5201;
+  return `#!/bin/bash
+# OpenClaw Launcher \u2014 runs openclaw with AgenShield interceptor
+# Generated by AgenShield setup. Do not edit manually.
+
+export HOME="${config.agentHome}"
+export NVM_DIR="${config.agentHome}/.nvm"
+
+# Load NVM to get correct node/npm/openclaw in PATH
+if [ -s "$NVM_DIR/nvm.sh" ]; then
+  source "$NVM_DIR/nvm.sh"
+fi
+
+# Load interceptor via NODE_OPTIONS
+export NODE_OPTIONS="--require ${interceptorPath} \${NODE_OPTIONS:-}"
+
+# AgenShield environment
+export AGENSHIELD_SOCKET="${socketPath}"
+export AGENSHIELD_HTTP_PORT="${httpPort}"
+export AGENSHIELD_INTERCEPT_EXEC=true
+export AGENSHIELD_INTERCEPT_HTTP=true
+export AGENSHIELD_INTERCEPT_FETCH=true
+export AGENSHIELD_INTERCEPT_WS=true
+export AGENSHIELD_CONTEXT_TYPE=agent
+
+exec openclaw "$@"
+`;
+}
+function generateOpenClawGatewayPlist(config) {
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>Label</key>
+    <string>${OPENCLAW_GATEWAY_LABEL}</string>
+
+    <key>ProgramArguments</key>
+    <array>
+        <string>${OPENCLAW_LAUNCHER_PATH}</string>
+        <string>gateway</string>
+        <string>run</string>
+    </array>
+
+    <key>UserName</key>
+    <string>${config.agentUsername}</string>
+
+    <key>GroupName</key>
+    <string>${config.socketGroupName}</string>
+
+    <key>RunAtLoad</key>
+    <false/>
+
+    <key>KeepAlive</key>
+    <dict>
+        <key>OtherJobEnabled</key>
+        <dict>
+            <key>${BROKER_LABEL}</key>
+            <true/>
+        </dict>
+    </dict>
+
+    <key>ThrottleInterval</key>
+    <integer>10</integer>
+
+    <key>StandardOutPath</key>
+    <string>/var/log/agenshield/openclaw-gateway.log</string>
+
+    <key>StandardErrorPath</key>
+    <string>/var/log/agenshield/openclaw-gateway.error.log</string>
+
+    <key>WorkingDirectory</key>
+    <string>${config.agentHome}</string>
+
+    <key>SoftResourceLimits</key>
+    <dict>
+        <key>NumberOfFiles</key>
+        <integer>4096</integer>
+    </dict>
+</dict>
+</plist>
+`;
+}
+async function installOpenClawLauncher(config) {
+  try {
+    const content = generateLauncherScript(config);
+    await execAsync3(`sudo tee "${OPENCLAW_LAUNCHER_PATH}" > /dev/null << 'LAUNCHEREOF'
+${content}
+LAUNCHEREOF`);
+    await execAsync3(`sudo chmod 755 "${OPENCLAW_LAUNCHER_PATH}"`);
+    await execAsync3(`sudo chown root:wheel "${OPENCLAW_LAUNCHER_PATH}"`);
+    return {
+      success: true,
+      message: `Launcher script installed at ${OPENCLAW_LAUNCHER_PATH}`
+    };
+  } catch (error) {
+    return {
+      success: false,
+      message: `Failed to install launcher: ${error.message}`,
+      error
+    };
+  }
+}
+async function installOpenClawLaunchDaemons(config) {
+  try {
+    const launcherResult = await installOpenClawLauncher(config);
+    if (!launcherResult.success) {
+      return launcherResult;
+    }
+    const agentUsername = config.agentUsername;
+    const socketGroupName = config.socketGroupName;
+    await execAsync3(`sudo touch /var/log/agenshield/openclaw-gateway.log /var/log/agenshield/openclaw-gateway.error.log`);
+    await execAsync3(`sudo chown ${agentUsername}:${socketGroupName} /var/log/agenshield/openclaw-gateway.log /var/log/agenshield/openclaw-gateway.error.log`);
+    try {
+      await execAsync3(`sudo launchctl bootout system/${OPENCLAW_DAEMON_LABEL} 2>/dev/null`);
+    } catch {
+    }
+    try {
+      await execAsync3(`sudo launchctl bootout system/${OPENCLAW_GATEWAY_LABEL} 2>/dev/null`);
+    } catch {
+    }
+    const gatewayPlist = generateOpenClawGatewayPlist(config);
+    await execAsync3(`sudo tee "${OPENCLAW_GATEWAY_PLIST}" > /dev/null << 'PLISTEOF'
+${gatewayPlist}
+PLISTEOF`);
+    await execAsync3(`sudo chown root:wheel "${OPENCLAW_GATEWAY_PLIST}"`);
+    await execAsync3(`sudo chmod 644 "${OPENCLAW_GATEWAY_PLIST}"`);
+    await execAsync3(`sudo launchctl load -w "${OPENCLAW_GATEWAY_PLIST}"`);
+    return {
+      success: true,
+      message: "OpenClaw LaunchDaemons installed and loaded"
+    };
+  } catch (error) {
+    return {
+      success: false,
+      message: `Failed to install OpenClaw LaunchDaemons: ${error.message}`,
+      error
+    };
+  }
+}
+async function startOpenClawServices() {
+  try {
+    await execAsync3(`sudo launchctl kickstart system/${OPENCLAW_GATEWAY_LABEL}`);
+    return {
+      success: true,
+      message: "OpenClaw gateway started"
+    };
+  } catch (error) {
+    return {
+      success: false,
+      message: `Failed to start OpenClaw gateway: ${error.message}`,
+      error
+    };
+  }
+}
+async function stopOpenClawServices() {
+  try {
+    await execAsync3(`sudo launchctl kill SIGTERM system/${OPENCLAW_GATEWAY_LABEL}`);
+    return {
+      success: true,
+      message: "OpenClaw gateway stopped"
+    };
+  } catch (error) {
+    return {
+      success: false,
+      message: `Failed to stop OpenClaw gateway: ${error.message}`,
+      error
+    };
+  }
+}
+async function restartOpenClawServices() {
+  try {
+    await execAsync3(`sudo launchctl kickstart -k system/${OPENCLAW_GATEWAY_LABEL}`);
+    return {
+      success: true,
+      message: "OpenClaw gateway restarted"
+    };
+  } catch (error) {
+    return {
+      success: false,
+      message: `Failed to restart OpenClaw gateway: ${error.message}`,
+      error
+    };
+  }
+}
+function parseLaunchctlStatus(stdout) {
+  const status = { running: false };
+  const lines = stdout.split("\n");
+  for (const line of lines) {
+    if (line.includes('"PID"')) {
+      const match = line.match(/"PID"\s*=\s*(\d+)/);
+      if (match) {
+        status.pid = parseInt(match[1], 10);
+        status.running = true;
+      }
+    }
+    if (line.includes('"LastExitStatus"')) {
+      const match = line.match(/"LastExitStatus"\s*=\s*(\d+)/);
+      if (match) {
+        status.lastExitStatus = parseInt(match[1], 10);
+      }
+    }
+  }
+  if (!status.pid) {
+    for (const line of lines) {
+      if (line.includes("PID")) {
+        const match = line.match(/PID\s*=\s*(\d+)/);
+        if (match) {
+          status.pid = parseInt(match[1], 10);
+          status.running = true;
+        }
+      }
+      if (line.includes("LastExitStatus")) {
+        const match = line.match(/LastExitStatus\s*=\s*(\d+)/);
+        if (match) {
+          status.lastExitStatus = parseInt(match[1], 10);
+        }
+      }
+    }
+  }
+  return status;
+}
+async function getOpenClawStatus() {
+  const result = {
+    daemon: { running: false },
+    gateway: { running: false }
+  };
+  try {
+    const { stdout } = await execAsync3(`sudo launchctl list ${OPENCLAW_GATEWAY_LABEL} 2>/dev/null`);
+    result.gateway = parseLaunchctlStatus(stdout);
+    if (!result.gateway.running) {
+      result.gateway.running = false;
+    }
+  } catch {
+  }
+  return result;
+}
+function getOpenClawStatusSync() {
+  const result = {
+    daemon: { running: false },
+    gateway: { running: false }
+  };
+  try {
+    const stdout = execSync2(`sudo launchctl list ${OPENCLAW_GATEWAY_LABEL} 2>/dev/null`, {
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    result.gateway = parseLaunchctlStatus(stdout);
+  } catch {
+  }
+  return result;
+}
+async function getOpenClawDashboardUrl() {
+  try {
+    const agentHome = process.env["AGENSHIELD_AGENT_HOME"] || "/Users/ash_default_agent";
+    const configPath = path2.join(agentHome, ".openclaw", "openclaw.json");
+    let raw;
+    try {
+      raw = await fs3.readFile(configPath, "utf-8");
+    } catch (err) {
+      if (err.code === "EACCES") {
+        const agentUsername = path2.basename(agentHome);
+        const { stdout } = await execAsync3(
+          `sudo -H -u ${agentUsername} cat "${configPath}"`,
+          { cwd: "/" }
+        );
+        raw = stdout;
+      } else {
+        return { success: false, error: `Cannot read openclaw.json: ${err.message}` };
+      }
+    }
+    const config = JSON.parse(raw);
+    const port = config.gateway?.port;
+    const token = config.gateway?.auth?.token;
+    if (!port || !token) {
+      return { success: false, error: "Gateway port or auth token not found in openclaw.json" };
+    }
+    const url = `https://localhost:${port}/?token=${token}`;
+    return { success: true, url };
+  } catch (error) {
+    return { success: false, error: `Failed to get dashboard URL: ${error.message}` };
+  }
+}
+async function isOpenClawInstalled() {
+  try {
+    await fs3.access(OPENCLAW_GATEWAY_PLIST);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function uninstallOpenClawLaunchDaemons() {
+  try {
+    await stopOpenClawServices();
+    try {
+      await execAsync3(`sudo launchctl bootout system/${OPENCLAW_DAEMON_LABEL} 2>/dev/null`);
+    } catch {
+    }
+    try {
+      await execAsync3(`sudo launchctl bootout system/${OPENCLAW_GATEWAY_LABEL} 2>/dev/null`);
+    } catch {
+    }
+    await execAsync3(`sudo rm -f "${OPENCLAW_DAEMON_PLIST}" "${OPENCLAW_GATEWAY_PLIST}"`);
+    await execAsync3(`sudo rm -f "${OPENCLAW_LAUNCHER_PATH}"`);
+    return {
+      success: true,
+      message: "OpenClaw LaunchDaemons uninstalled"
+    };
+  } catch (error) {
+    return {
+      success: false,
+      message: `Failed to uninstall OpenClaw LaunchDaemons: ${error.message}`,
+      error
+    };
+  }
+}
+export {
+  OPENCLAW_DAEMON_PLIST,
+  OPENCLAW_GATEWAY_LABEL,
+  OPENCLAW_GATEWAY_PLIST,
+  OPENCLAW_LAUNCHER_PATH,
+  copyOpenClawConfig,
+  detectHostOpenClawVersion,
+  generateOpenClawGatewayPlist,
+  getHostOpenClawConfigPath,
+  getOpenClawDashboardUrl,
+  getOpenClawStatus,
+  getOpenClawStatusSync,
+  getOriginalUser,
+  installAgentHomebrew,
+  installAgentOpenClaw,
+  installOpenClawLaunchDaemons,
+  installOpenClawLauncher,
+  isAgentHomebrewInstalled,
+  isOpenClawInstalled,
+  onboardAgentOpenClaw,
+  restartOpenClawServices,
+  startAgentOpenClawDashboard,
+  startAgentOpenClawGateway,
+  startOpenClawServices,
+  stopHostOpenClaw,
+  stopOpenClawServices,
+  uninstallOpenClawLaunchDaemons
+};

package/openclaw-install.d.ts

@@ -0,0 +1,135 @@
+/**
+ * OpenClaw Installation for Agent User
+ *
+ * Handles installing OpenClaw via npm in the agent's sandboxed environment,
+ * copying and sanitizing the host user's .openclaw config, and stopping
+ * the host user's OpenClaw processes.
+ */
+export interface OpenClawInstallResult {
+    success: boolean;
+    version: string;
+    binaryPath: string;
+    message: string;
+    error?: Error;
+}
+export interface OpenClawConfigCopyResult {
+    success: boolean;
+    configDir: string;
+    sanitized: boolean;
+    message: string;
+    error?: Error;
+}
+export interface StopHostOpenClawResult {
+    success: boolean;
+    daemonStopped: boolean;
+    gatewayStopped: boolean;
+    message: string;
+}
+/**
+ * Detect the OpenClaw version installed on the host system.
+ * Returns the version string or null if not found.
+ */
+export declare function detectHostOpenClawVersion(): string | null;
+/**
+ * Install OpenClaw for the agent user via NVM's npm.
+ *
+ * Uses the agent's NVM environment to run `npm install -g openclaw@<version>`.
+ * Falls back to 'latest' if no version specified.
+ */
+export declare function installAgentOpenClaw(options: {
+    agentHome: string;
+    agentUsername: string;
+    socketGroupName: string;
+    /** Version to install (from host), or 'latest' */
+    targetVersion?: string;
+    verbose?: boolean;
+    onLog?: (msg: string) => void;
+}): Promise<OpenClawInstallResult>;
+/**
+ * Copy the host user's .openclaw config directory to the agent user.
+ *
+ * Does a full faithful copy using `cp -a` (archive mode) so the entire
+ * directory tree is preserved exactly as-is. Then sets ownership to the
+ * agent user. The host user's original .openclaw is never modified.
+ */
+export declare function copyOpenClawConfig(options: {
+    /** Path to the host user's .openclaw directory (e.g., /Users/david/.openclaw) */
+    sourceConfigPath: string;
+    /** Agent user's home directory */
+    agentHome: string;
+    /** Agent username (owns .openclaw and workspace) */
+    agentUsername: string;
+    /** Socket group name */
+    socketGroup: string;
+    verbose?: boolean;
+    onLog?: (msg: string) => void;
+}): OpenClawConfigCopyResult;
+/**
+ * Stop the host user's OpenClaw daemon and gateway processes.
+ *
+ * 1. Checks for running OpenClaw processes via `ps`
+ * 2. Tries graceful stop via `openclaw daemon/gateway stop`
+ * 3. Falls back to `kill` if processes are still alive
+ * 4. Never fails — all errors are caught and logged
+ */
+export declare function stopHostOpenClaw(options: {
+    /** The original user running OpenClaw (e.g., 'david') */
+    originalUser: string;
+    verbose?: boolean;
+    onLog?: (msg: string) => void;
+}): Promise<StopHostOpenClawResult>;
+/**
+ * Get the original (host) user who invoked the setup.
+ * Uses SUDO_USER env var or falls back to os.userInfo().
+ */
+export declare function getOriginalUser(): string;
+/**
+ * Get the host user's .openclaw config path.
+ */
+export declare function getHostOpenClawConfigPath(username?: string): string | null;
+/**
+ * Run `openclaw onboard --non-interactive ...` as the agent user to initialize
+ * OpenClaw's internal state (session files, local config). Must run after
+ * install-openclaw and copy-openclaw-config.
+ */
+export declare function onboardAgentOpenClaw(options: {
+    agentHome: string;
+    agentUsername: string;
+    verbose?: boolean;
+    onLog?: (msg: string) => void;
+}): Promise<{
+    success: boolean;
+    message: string;
+}>;
+/**
+ * Start `openclaw gateway` as the agent user in the background.
+ * Returns the PID of the spawned process.
+ *
+ * Uses `spawn` with `detached: true` so the gateway survives the parent
+ * process exiting. Logs go to /var/log/agenshield/openclaw-gateway.log.
+ */
+export declare function startAgentOpenClawGateway(options: {
+    agentHome: string;
+    agentUsername: string;
+    socketGroupName: string;
+    verbose?: boolean;
+}): Promise<{
+    success: boolean;
+    pid?: number;
+    message: string;
+}>;
+/**
+ * Start `openclaw dashboard` as the agent user in the background.
+ * Returns the PID of the spawned process.
+ */
+export declare function startAgentOpenClawDashboard(options: {
+    agentHome: string;
+    agentUsername: string;
+    socketGroupName: string;
+    verbose?: boolean;
+}): Promise<{
+    success: boolean;
+    pid?: number;
+    message: string;
+}>;
+//# sourceMappingURL=openclaw-install.d.ts.map

package/openclaw-install.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"openclaw-install.d.ts","sourceRoot":"","sources":["../src/openclaw-install.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAoFH,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,KAAK,CAAC;CACf;AAED,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,KAAK,CAAC;CACf;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,aAAa,EAAE,OAAO,CAAC;IACvB,cAAc,EAAE,OAAO,CAAC;IACxB,OAAO,EAAE,MAAM,CAAC;CACjB;AAgBD;;;GAGG;AACH,wBAAgB,yBAAyB,IAAI,MAAM,GAAG,IAAI,CASzD;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CAAC,OAAO,EAAE;IAClD,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,MAAM,CAAC;IACxB,kDAAkD;IAClD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,GAAG,OAAO,CAAC,qBAAqB,CAAC,CA+EjC;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE;IAC1C,iFAAiF;IACjF,gBAAgB,EAAE,MAAM,CAAC;IACzB,kCAAkC;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,oDAAoD;IACpD,aAAa,EAAE,MAAM,CAAC;IACtB,wBAAwB;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,GAAG,wBAAwB,CA8E3B;AAmCD;;;;;;;GAOG;AACH,wBAAsB,gBAAgB,CAAC,OAAO,EAAE;IAC9C,yDAAyD;IACzD,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,GAAG,OAAO,CAAC,sBAAsB,CAAC,CA6FlC;AAED;;;GAGG;AACH,wBAAgB,eAAe,IAAI,MAAM,CAExC;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAO1E;AAID;;;;GAIG;AACH,wBAAsB,oBAAoB,CAAC,OAAO,EAAE;IAClD,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CA0BjD;AAED;;;;;;GAMG;AACH,wBAAsB,yBAAyB,CAAC,OAAO,EAAE;IACvD,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,MAAM,CAAC;IACxB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CA2D/D;AAED;;;GAGG;AACH,wBAAsB,2BAA2B,CAAC,OAAO,EAAE;IACzD,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,MAAM,CAAC;IACxB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CA+C/D"}

package/openclaw-launchdaemon.d.ts

@@ -0,0 +1,91 @@
+/**
+ * OpenClaw LaunchDaemon Management
+ *
+ * Creates and manages macOS LaunchDaemons for OpenClaw daemon and gateway
+ * processes, running inside the AgenShield sandbox with intercepted Node.js.
+ *
+ * Both processes run as the agent user with NODE_OPTIONS set to load the
+ * interceptor, ensuring all network and exec operations are monitored.
+ */
+declare const OPENCLAW_GATEWAY_LABEL = "com.agenshield.openclaw.gateway";
+declare const OPENCLAW_DAEMON_PLIST = "/Library/LaunchDaemons/com.agenshield.openclaw.daemon.plist";
+declare const OPENCLAW_GATEWAY_PLIST = "/Library/LaunchDaemons/com.agenshield.openclaw.gateway.plist";
+declare const OPENCLAW_LAUNCHER_PATH = "/opt/agenshield/bin/openclaw-launcher.sh";
+export interface OpenClawLaunchConfig {
+    agentUsername: string;
+    socketGroupName: string;
+    agentHome: string;
+    socketPath?: string;
+    interceptorPath?: string;
+    httpPort?: number;
+}
+export interface OpenClawProcessStatus {
+    running: boolean;
+    pid?: number;
+    lastExitStatus?: number;
+}
+export interface OpenClawStatus {
+    daemon: OpenClawProcessStatus;
+    gateway: OpenClawProcessStatus;
+}
+export interface OpenClawDaemonResult {
+    success: boolean;
+    message: string;
+    error?: Error;
+}
+/**
+ * Generate LaunchDaemon plist for OpenClaw daemon process.
+ */
+export declare function generateOpenClawDaemonPlist(config: OpenClawLaunchConfig): string;
+/**
+ * Generate LaunchDaemon plist for OpenClaw gateway process.
+ */
+export declare function generateOpenClawGatewayPlist(config: OpenClawLaunchConfig): string;
+/**
+ * Install the openclaw-launcher.sh script to /opt/agenshield/bin/.
+ */
+export declare function installOpenClawLauncher(config: OpenClawLaunchConfig): Promise<OpenClawDaemonResult>;
+/**
+ * Install OpenClaw LaunchDaemon plists and launcher script.
+ */
+export declare function installOpenClawLaunchDaemons(config: OpenClawLaunchConfig): Promise<OpenClawDaemonResult>;
+/**
+ * Start OpenClaw daemon and gateway services via launchctl.
+ */
+export declare function startOpenClawServices(): Promise<OpenClawDaemonResult>;
+/**
+ * Stop OpenClaw daemon and gateway services via launchctl.
+ */
+export declare function stopOpenClawServices(): Promise<OpenClawDaemonResult>;
+/**
+ * Restart OpenClaw daemon and gateway services.
+ */
+export declare function restartOpenClawServices(): Promise<OpenClawDaemonResult>;
+/**
+ * Get OpenClaw process status (async).
+ */
+export declare function getOpenClawStatus(): Promise<OpenClawStatus>;
+/**
+ * Get OpenClaw process status (sync version for use in buildDaemonStatus).
+ */
+export declare function getOpenClawStatusSync(): OpenClawStatus;
+/**
+ * Get the OpenClaw dashboard URL by reading gateway config from openclaw.json.
+ *
+ * Constructs the URL from gateway.port and gateway.auth.token fields.
+ */
+export declare function getOpenClawDashboardUrl(): Promise<{
+    success: boolean;
+    url?: string;
+    error?: string;
+}>;
+/**
+ * Check if OpenClaw LaunchDaemon plists are installed.
+ */
+export declare function isOpenClawInstalled(): Promise<boolean>;
+/**
+ * Uninstall OpenClaw LaunchDaemons.
+ */
+export declare function uninstallOpenClawLaunchDaemons(): Promise<OpenClawDaemonResult>;
+export { OPENCLAW_GATEWAY_LABEL, OPENCLAW_DAEMON_PLIST, OPENCLAW_GATEWAY_PLIST, OPENCLAW_LAUNCHER_PATH, };
+//# sourceMappingURL=openclaw-launchdaemon.d.ts.map

package/openclaw-launchdaemon.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"openclaw-launchdaemon.d.ts","sourceRoot":"","sources":["../src/openclaw-launchdaemon.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAaH,QAAA,MAAM,sBAAsB,oCAAoC,CAAC;AACjE,QAAA,MAAM,qBAAqB,gEAAgE,CAAC;AAC5F,QAAA,MAAM,sBAAsB,iEAAiE,CAAC;AAC9F,QAAA,MAAM,sBAAsB,6CAA6C,CAAC;AAK1E,MAAM,WAAW,oBAAoB;IACnC,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,qBAAqB,CAAC;IAC9B,OAAO,EAAE,qBAAqB,CAAC;CAChC;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,KAAK,CAAC;CACf;AA6CD;;GAEG;AACH,wBAAgB,2BAA2B,CAAC,MAAM,EAAE,oBAAoB,GAAG,MAAM,CAqDhF;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,oBAAoB,GAAG,MAAM,CAqDjF;AAID;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,MAAM,EAAE,oBAAoB,GAC3B,OAAO,CAAC,oBAAoB,CAAC,CAqB/B;AAED;;GAEG;AACH,wBAAsB,4BAA4B,CAChD,MAAM,EAAE,oBAAoB,GAC3B,OAAO,CAAC,oBAAoB,CAAC,CA4C/B;AAID;;GAEG;AACH,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,oBAAoB,CAAC,CAc3E;AAED;;GAEG;AACH,wBAAsB,oBAAoB,IAAI,OAAO,CAAC,oBAAoB,CAAC,CAc1E;AAED;;GAEG;AACH,wBAAsB,uBAAuB,IAAI,OAAO,CAAC,oBAAoB,CAAC,CAc7E;AAiDD;;GAEG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,cAAc,CAAC,CAkBjE;AAED;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,cAAc,CAetD;AAED;;;;GAIG;AACH,wBAAsB,uBAAuB,IAAI,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAqC3G;AAED;;GAEG;AACH,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,OAAO,CAAC,CAO5D;AAED;;GAEG;AACH,wBAAsB,8BAA8B,IAAI,OAAO,CAAC,oBAAoB,CAAC,CA8BpF;AAGD,OAAO,EACL,sBAAsB,EACtB,qBAAqB,EACrB,sBAAsB,EACtB,sBAAsB,GACvB,CAAC"}

package/package.json

@@ -0,0 +1,21 @@
+{
+  "name": "@agenshield/integrations",
+  "version": "0.7.0",
+  "type": "module",
+  "description": "OpenClaw and third-party integration utilities for AgenShield",
+  "main": "./index.js",
+  "types": "./index.d.ts",
+  "exports": {
+    "./package.json": "./package.json",
+    ".": {
+      "types": "./index.d.ts",
+      "import": "./index.js",
+      "default": "./index.js"
+    }
+  },
+  "license": "MIT",
+  "devDependencies": {
+    "@types/node": "^24.0.0",
+    "typescript": "^5.9.3"
+  }
+}