@axonflow/openclaw 0.1.0

package/dist/governance.js

@@ -0,0 +1,64 @@
+/**
+ * before_tool_call hook — input governance.
+ *
+ * Evaluates tool arguments against AxonFlow policies before execution.
+ * Can block the call, require human approval, or allow through.
+ */
+import { shouldGovernTool } from "./config.js";
+/** Derive connector_type from tool name for AxonFlow policy evaluation. */
+export function deriveConnectorType(toolName) {
+    return `openclaw.${toolName}`;
+}
+/**
+ * Create the before_tool_call hook handler.
+ *
+ * Decision logic:
+ * 1. If tool is excluded from governance: allow through (no check)
+ * 2. Call mcp_check_input with tool args serialized as JSON
+ * 3. If blocked by policy: return { block: true, blockReason }
+ * 4. If tool is in highRiskTools AND allowed: return { requireApproval }
+ * 5. Otherwise: allow through
+ */
+export function createBeforeToolCallHandler(client, config) {
+    return async (event) => {
+        if (!shouldGovernTool(event.toolName, config)) {
+            return undefined;
+        }
+        const connectorType = deriveConnectorType(event.toolName);
+        const statement = JSON.stringify(event.params);
+        let check;
+        try {
+            check = await client.mcpCheckInput(connectorType, statement, config.defaultOperation ?? "execute");
+        }
+        catch (err) {
+            if (config.onError === "allow") {
+                return undefined; // Fail-open: allow tool execution
+            }
+            return {
+                block: true,
+                blockReason: `AxonFlow unreachable: ${err instanceof Error ? err.message : "unknown error"}`,
+            };
+        }
+        if (!check.allowed) {
+            return {
+                block: true,
+                blockReason: check.block_reason ?? "Blocked by AxonFlow policy",
+            };
+        }
+        // High-risk tools get approval even when policy allows
+        if (config.highRiskTools &&
+            config.highRiskTools.includes(event.toolName)) {
+            return {
+                requireApproval: {
+                    title: `AxonFlow: ${event.toolName} requires approval`,
+                    description: `Tool call governed by AxonFlow. ${check.policies_evaluated} policies evaluated.`,
+                    severity: "warning",
+                    timeoutMs: 60_000,
+                    timeoutBehavior: "deny",
+                },
+            };
+        }
+        return undefined;
+    };
+}
+//# sourceMappingURL=governance.js.map

package/dist/governance.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"governance.js","sourceRoot":"","sources":["../src/governance.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAgB/C,2EAA2E;AAC3E,MAAM,UAAU,mBAAmB,CAAC,QAAgB;IAClD,OAAO,YAAY,QAAQ,EAAE,CAAC;AAChC,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,2BAA2B,CACzC,MAAsB,EACtB,MAA4B;IAE5B,OAAO,KAAK,EAAE,KAKb,EAA6C,EAAE;QAC9C,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC;YAC9C,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,aAAa,GAAG,mBAAmB,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAE/C,IAAI,KAAK,CAAC;QACV,IAAI,CAAC;YACH,KAAK,GAAG,MAAM,MAAM,CAAC,aAAa,CAChC,aAAa,EACb,SAAS,EACT,MAAM,CAAC,gBAAgB,IAAI,SAAS,CACrC,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,MAAM,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;gBAC/B,OAAO,SAAS,CAAC,CAAC,kCAAkC;YACtD,CAAC;YACD,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,WAAW,EAAE,yBAAyB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE;aAC7F,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACnB,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,WAAW,EAAE,KAAK,CAAC,YAAY,IAAI,4BAA4B;aAChE,CAAC;QACJ,CAAC;QAED,uDAAuD;QACvD,IACE,MAAM,CAAC,aAAa;YACpB,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,EAC7C,CAAC;YACD,OAAO;gBACL,eAAe,EAAE;oBACf,KAAK,EAAE,aAAa,KAAK,CAAC,QAAQ,oBAAoB;oBACtD,WAAW,EAAE,mCAAmC,KAAK,CAAC,kBAAkB,sBAAsB;oBAC9F,QAAQ,EAAE,SAAS;oBACnB,SAAS,EAAE,MAAM;oBACjB,eAAe,EAAE,MAAM;iBACxB;aACF,CAAC;QACJ,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,78 @@
+/**
+ * AxonFlow Governance Plugin for OpenClaw
+ *
+ * Adds centralized policy enforcement, PII detection, and audit trails
+ * to OpenClaw tool execution. Works with all OpenClaw tools: built-in,
+ * plugin-provided, and MCP-backed.
+ *
+ * Install:
+ *   openclaw plugins install @axonflow/openclaw
+ *
+ * Configure in your OpenClaw config:
+ *   plugins:
+ *     @axonflow/openclaw:
+ *       endpoint: http://localhost:8080
+ *       clientId: your-client-id
+ *       clientSecret: your-secret
+ *       highRiskTools:
+ *         - web_fetch
+ *         - message
+ *
+ * What this plugin does (5 hooks):
+ * 1. before_tool_call: evaluates tool arguments against AxonFlow policies
+ * 2. after_tool_call: logs tool execution to AxonFlow's audit trail
+ * 3. message_sending: scans outbound messages, cancels or redacts PII
+ * 4. llm_input: records prompt, model, provider to audit trail
+ * 5. llm_output: records response, token usage, latency to audit trail
+ *
+ * Note: tool_result_persist (output scanning) is not registered because
+ * OpenClaw's hook is sync-only and cannot make async HTTP calls to AxonFlow.
+ * Outbound messages ARE scanned via message_sending. See upstream issue
+ * for async hook support.
+ */
+export { AxonFlowClient } from "./axonflow-client.js";
+export type { AxonFlowPluginConfig } from "./config.js";
+export { resolveConfig, shouldGovernTool } from "./config.js";
+export { deriveConnectorType } from "./governance.js";
+/**
+ * Plugin registration function.
+ *
+ * Called by OpenClaw when the plugin is loaded. Reads configuration,
+ * creates the AxonFlow client, and registers five governance/audit hooks.
+ *
+ * Compatible with OpenClaw's `definePluginEntry` or direct registration:
+ *
+ *   // With definePluginEntry:
+ *   export default definePluginEntry({
+ *     id: "axonflow-governance",
+ *     register: registerAxonFlowGovernance,
+ *   });
+ *
+ *   // Or direct:
+ *   api.registerHook("before_tool_call", handler);
+ */
+export declare function registerAxonFlowGovernance(api: {
+    pluginConfig?: Record<string, unknown>;
+    logger: {
+        info: (msg: string) => void;
+        error: (msg: string) => void;
+    };
+    on: (hookName: string, handler: (...args: any[]) => any, opts?: {
+        priority?: number;
+    }) => void;
+}): void;
+/**
+ * Default export for OpenClaw plugin loader.
+ *
+ * OpenClaw expects extensions to export a default object with `id`, `name`,
+ * and `register` function. This is the entry point when installed via
+ * `openclaw plugins install @axonflow/openclaw`.
+ */
+declare const _default: {
+    id: string;
+    name: string;
+    description: string;
+    register: typeof registerAxonFlowGovernance;
+};
+export default _default;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAUH,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,YAAY,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC9D,OAAO,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAEtD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,0BAA0B,CAAC,GAAG,EAAE;IAC9C,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACvC,MAAM,EAAE;QAAE,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAAC,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;IACtE,EAAE,EAAE,CACF,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,EAChC,IAAI,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,KACzB,IAAI,CAAC;CACX,GAAG,IAAI,CA4BP;AAED;;;;;;GAMG;;;;;;;AACH,wBAKE"}

package/dist/index.js

@@ -0,0 +1,94 @@
+/**
+ * AxonFlow Governance Plugin for OpenClaw
+ *
+ * Adds centralized policy enforcement, PII detection, and audit trails
+ * to OpenClaw tool execution. Works with all OpenClaw tools: built-in,
+ * plugin-provided, and MCP-backed.
+ *
+ * Install:
+ *   openclaw plugins install @axonflow/openclaw
+ *
+ * Configure in your OpenClaw config:
+ *   plugins:
+ *     @axonflow/openclaw:
+ *       endpoint: http://localhost:8080
+ *       clientId: your-client-id
+ *       clientSecret: your-secret
+ *       highRiskTools:
+ *         - web_fetch
+ *         - message
+ *
+ * What this plugin does (5 hooks):
+ * 1. before_tool_call: evaluates tool arguments against AxonFlow policies
+ * 2. after_tool_call: logs tool execution to AxonFlow's audit trail
+ * 3. message_sending: scans outbound messages, cancels or redacts PII
+ * 4. llm_input: records prompt, model, provider to audit trail
+ * 5. llm_output: records response, token usage, latency to audit trail
+ *
+ * Note: tool_result_persist (output scanning) is not registered because
+ * OpenClaw's hook is sync-only and cannot make async HTTP calls to AxonFlow.
+ * Outbound messages ARE scanned via message_sending. See upstream issue
+ * for async hook support.
+ */
+import { AxonFlowClient } from "./axonflow-client.js";
+import { resolveConfig } from "./config.js";
+import { createBeforeToolCallHandler } from "./governance.js";
+import { createAfterToolCallHandler } from "./audit.js";
+import { createMessageSendingHandler } from "./message-guard.js";
+import { createLlmInputHandler, createLlmOutputHandler } from "./llm-audit.js";
+// Re-export for external consumers
+export { AxonFlowClient } from "./axonflow-client.js";
+export { resolveConfig, shouldGovernTool } from "./config.js";
+export { deriveConnectorType } from "./governance.js";
+/**
+ * Plugin registration function.
+ *
+ * Called by OpenClaw when the plugin is loaded. Reads configuration,
+ * creates the AxonFlow client, and registers five governance/audit hooks.
+ *
+ * Compatible with OpenClaw's `definePluginEntry` or direct registration:
+ *
+ *   // With definePluginEntry:
+ *   export default definePluginEntry({
+ *     id: "axonflow-governance",
+ *     register: registerAxonFlowGovernance,
+ *   });
+ *
+ *   // Or direct:
+ *   api.registerHook("before_tool_call", handler);
+ */
+export function registerAxonFlowGovernance(api) {
+    const config = resolveConfig(api.pluginConfig);
+    const client = new AxonFlowClient(config);
+    api.logger.info(`AxonFlow governance active: endpoint=${config.endpoint}, ` +
+        `highRiskTools=[${(config.highRiskTools ?? []).join(",")}]`);
+    // Hook 1: Input governance (before tool execution)
+    const beforeToolCall = createBeforeToolCallHandler(client, config);
+    api.on("before_tool_call", beforeToolCall, { priority: 10 });
+    // Hook 2: Audit logging (after tool execution)
+    const afterToolCall = createAfterToolCallHandler(client, config);
+    api.on("after_tool_call", afterToolCall, { priority: 90 });
+    // Hook 3: Outbound message governance (before message reaches user)
+    const messageSending = createMessageSendingHandler(client, config);
+    api.on("message_sending", messageSending, { priority: 10 });
+    // Hook 4-5: LLM call audit (observe-only, cannot block/modify)
+    const llmCallState = new Map();
+    const llmInput = createLlmInputHandler(client, config, llmCallState);
+    api.on("llm_input", llmInput, { priority: 90 });
+    const llmOutput = createLlmOutputHandler(client, config, llmCallState);
+    api.on("llm_output", llmOutput, { priority: 90 });
+}
+/**
+ * Default export for OpenClaw plugin loader.
+ *
+ * OpenClaw expects extensions to export a default object with `id`, `name`,
+ * and `register` function. This is the entry point when installed via
+ * `openclaw plugins install @axonflow/openclaw`.
+ */
+export default {
+    id: "axonflow-governance",
+    name: "AxonFlow Governance",
+    description: "Policy enforcement for tool inputs, PII scanning on outbound messages, and audit trails for OpenClaw",
+    register: registerAxonFlowGovernance,
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,2BAA2B,EAAE,MAAM,iBAAiB,CAAC;AAC9D,OAAO,EAAE,0BAA0B,EAAE,MAAM,YAAY,CAAC;AACxD,OAAO,EAAE,2BAA2B,EAAE,MAAM,oBAAoB,CAAC;AACjE,OAAO,EAAE,qBAAqB,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AAE/E,mCAAmC;AACnC,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAEtD,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC9D,OAAO,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAEtD;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,0BAA0B,CAAC,GAQ1C;IACC,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAC/C,MAAM,MAAM,GAAG,IAAI,cAAc,CAAC,MAAM,CAAC,CAAC;IAE1C,GAAG,CAAC,MAAM,CAAC,IAAI,CACb,wCAAwC,MAAM,CAAC,QAAQ,IAAI;QACzD,kBAAkB,CAAC,MAAM,CAAC,aAAa,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAC9D,CAAC;IAEF,mDAAmD;IACnD,MAAM,cAAc,GAAG,2BAA2B,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnE,GAAG,CAAC,EAAE,CAAC,kBAAkB,EAAE,cAAc,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC;IAE7D,+CAA+C;IAC/C,MAAM,aAAa,GAAG,0BAA0B,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjE,GAAG,CAAC,EAAE,CAAC,iBAAiB,EAAE,aAAa,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC;IAE3D,oEAAoE;IACpE,MAAM,cAAc,GAAG,2BAA2B,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnE,GAAG,CAAC,EAAE,CAAC,iBAAiB,EAAE,cAAc,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC;IAE5D,+DAA+D;IAC/D,MAAM,YAAY,GAAG,IAAI,GAAG,EAAgF,CAAC;IAC7G,MAAM,QAAQ,GAAG,qBAAqB,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;IACrE,GAAG,CAAC,EAAE,CAAC,WAAW,EAAE,QAAQ,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC;IAEhD,MAAM,SAAS,GAAG,sBAAsB,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;IACvE,GAAG,CAAC,EAAE,CAAC,YAAY,EAAE,SAAS,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC;AACpD,CAAC;AAED;;;;;;GAMG;AACH,eAAe;IACb,EAAE,EAAE,qBAAqB;IACzB,IAAI,EAAE,qBAAqB;IAC3B,WAAW,EAAE,sGAAsG;IACnH,QAAQ,EAAE,0BAA0B;CACrC,CAAC"}

package/dist/llm-audit.d.ts

@@ -0,0 +1,55 @@
+/**
+ * llm_input and llm_output hooks — LLM call audit logging.
+ *
+ * Records what the LLM sees (prompt, model, provider) and produces
+ * (response, token usage) to AxonFlow's audit trail. These hooks are
+ * observe-only (cannot block or modify), so they provide audit
+ * evidence, not governance.
+ */
+import type { AxonFlowClient } from "./axonflow-client.js";
+import type { AxonFlowPluginConfig } from "./config.js";
+/** Shared state for correlating llm_input with llm_output. */
+interface LLMCallState {
+    provider: string;
+    model: string;
+    prompt: string;
+    startMs: number;
+}
+/**
+ * Create the llm_input hook handler.
+ *
+ * Records the prompt, model, and provider at the start of each LLM call.
+ * Stores state by runId for correlation with the llm_output handler.
+ */
+export declare function createLlmInputHandler(_client: AxonFlowClient, _config: AxonFlowPluginConfig, callState: Map<string, LLMCallState>): (event: {
+    runId: string;
+    sessionId: string;
+    provider: string;
+    model: string;
+    systemPrompt?: string;
+    prompt: string;
+    historyMessages: unknown[];
+    imagesCount: number;
+}) => void;
+/**
+ * Create the llm_output hook handler.
+ *
+ * Correlates with the stored llm_input state and sends a complete
+ * audit entry to AxonFlow (provider, model, prompt summary, response
+ * summary, token usage, latency).
+ */
+export declare function createLlmOutputHandler(client: AxonFlowClient, _config: AxonFlowPluginConfig, callState: Map<string, LLMCallState>): (event: {
+    runId: string;
+    sessionId: string;
+    provider: string;
+    model: string;
+    assistantTexts: string[];
+    lastAssistant?: unknown;
+    usage?: {
+        input?: number;
+        output?: number;
+        total?: number;
+    };
+}) => Promise<void>;
+export {};
+//# sourceMappingURL=llm-audit.d.ts.map

package/dist/llm-audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"llm-audit.d.ts","sourceRoot":"","sources":["../src/llm-audit.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAExD,8DAA8D;AAC9D,UAAU,YAAY;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,cAAc,EACvB,OAAO,EAAE,oBAAoB,EAC7B,SAAS,EAAE,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,IAE5B,OAAO;IACb,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,OAAO,EAAE,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;CACrB,KAAG,IAAI,CAmBT;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,cAAc,EACtB,OAAO,EAAE,oBAAoB,EAC7B,SAAS,EAAE,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,IAEtB,OAAO;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,KAAK,CAAC,EAAE;QACN,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;CACH,KAAG,OAAO,CAAC,IAAI,CAAC,CAwBlB"}

package/dist/llm-audit.js

@@ -0,0 +1,60 @@
+/**
+ * llm_input and llm_output hooks — LLM call audit logging.
+ *
+ * Records what the LLM sees (prompt, model, provider) and produces
+ * (response, token usage) to AxonFlow's audit trail. These hooks are
+ * observe-only (cannot block or modify), so they provide audit
+ * evidence, not governance.
+ */
+/**
+ * Create the llm_input hook handler.
+ *
+ * Records the prompt, model, and provider at the start of each LLM call.
+ * Stores state by runId for correlation with the llm_output handler.
+ */
+export function createLlmInputHandler(_client, _config, callState) {
+    return (event) => {
+        callState.set(event.runId, {
+            provider: event.provider,
+            model: event.model,
+            prompt: event.prompt.slice(0, 500),
+            startMs: Date.now(),
+        });
+        // Prevent unbounded growth: evict entries older than 5 minutes.
+        // Handles cases where llm_input fires without a matching llm_output
+        // (LLM errors, timeouts, network failures).
+        const MAX_AGE_MS = 5 * 60 * 1000;
+        const now = Date.now();
+        for (const [key, val] of callState) {
+            if (now - val.startMs > MAX_AGE_MS) {
+                callState.delete(key);
+            }
+        }
+    };
+}
+/**
+ * Create the llm_output hook handler.
+ *
+ * Correlates with the stored llm_input state and sends a complete
+ * audit entry to AxonFlow (provider, model, prompt summary, response
+ * summary, token usage, latency).
+ */
+export function createLlmOutputHandler(client, _config, callState) {
+    return async (event) => {
+        const inputState = callState.get(event.runId);
+        callState.delete(event.runId);
+        const responseSummary = event.assistantTexts.join(" ").slice(0, 200);
+        const latencyMs = inputState ? Date.now() - inputState.startMs : 0;
+        try {
+            await client.auditLLMCall(inputState?.provider ?? event.provider, inputState?.model ?? event.model, inputState?.prompt ?? "", responseSummary, {
+                prompt_tokens: event.usage?.input ?? 0,
+                completion_tokens: event.usage?.output ?? 0,
+                total_tokens: event.usage?.total ?? 0,
+            }, latencyMs);
+        }
+        catch {
+            // Audit failures are non-fatal
+        }
+    };
+}
+//# sourceMappingURL=llm-audit.js.map

package/dist/llm-audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"llm-audit.js","sourceRoot":"","sources":["../src/llm-audit.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAaH;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB,CACnC,OAAuB,EACvB,OAA6B,EAC7B,SAAoC;IAEpC,OAAO,CAAC,KASP,EAAQ,EAAE;QACT,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,EAAE;YACzB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;YAClC,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE;SACpB,CAAC,CAAC;QAEH,gEAAgE;QAChE,oEAAoE;QACpE,4CAA4C;QAC5C,MAAM,UAAU,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;QACjC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,SAAS,EAAE,CAAC;YACnC,IAAI,GAAG,GAAG,GAAG,CAAC,OAAO,GAAG,UAAU,EAAE,CAAC;gBACnC,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB,CACpC,MAAsB,EACtB,OAA6B,EAC7B,SAAoC;IAEpC,OAAO,KAAK,EAAE,KAYb,EAAiB,EAAE;QAClB,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC9C,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAE9B,MAAM,eAAe,GAAG,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QACrE,MAAM,SAAS,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;QAEnE,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,YAAY,CACvB,UAAU,EAAE,QAAQ,IAAI,KAAK,CAAC,QAAQ,EACtC,UAAU,EAAE,KAAK,IAAI,KAAK,CAAC,KAAK,EAChC,UAAU,EAAE,MAAM,IAAI,EAAE,EACxB,eAAe,EACf;gBACE,aAAa,EAAE,KAAK,CAAC,KAAK,EAAE,KAAK,IAAI,CAAC;gBACtC,iBAAiB,EAAE,KAAK,CAAC,KAAK,EAAE,MAAM,IAAI,CAAC;gBAC3C,YAAY,EAAE,KAAK,CAAC,KAAK,EAAE,KAAK,IAAI,CAAC;aACtC,EACD,SAAS,CACV,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,+BAA+B;QACjC,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/message-guard.d.ts

@@ -0,0 +1,25 @@
+/**
+ * message_sending hook — outbound message governance.
+ *
+ * Scans messages before they reach the user's channel (Telegram,
+ * Discord, Slack, WhatsApp). Can cancel messages containing PII/secrets
+ * or redact sensitive content.
+ */
+import type { AxonFlowClient } from "./axonflow-client.js";
+import type { AxonFlowPluginConfig } from "./config.js";
+/**
+ * Create the message_sending hook handler.
+ *
+ * Evaluates outbound message content against AxonFlow output policies.
+ * Can cancel (prevent sending) or redact (modify content) before delivery.
+ * Respects config.onError for fail-open/fail-closed behavior.
+ */
+export declare function createMessageSendingHandler(client: AxonFlowClient, config: AxonFlowPluginConfig): (event: {
+    to: string;
+    content: string;
+    metadata?: Record<string, unknown>;
+}) => Promise<{
+    content?: string;
+    cancel?: boolean;
+} | undefined>;
+//# sourceMappingURL=message-guard.d.ts.map

package/dist/message-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"message-guard.d.ts","sourceRoot":"","sources":["../src/message-guard.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAExD;;;;;;GAMG;AACH,wBAAgB,2BAA2B,CACzC,MAAM,EAAE,cAAc,EACtB,MAAM,EAAE,oBAAoB,IAEd,OAAO;IACnB,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC,KAAG,OAAO,CAAC;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,OAAO,CAAA;CAAE,GAAG,SAAS,CAAC,CAoChE"}

package/dist/message-guard.js

@@ -0,0 +1,46 @@
+/**
+ * message_sending hook — outbound message governance.
+ *
+ * Scans messages before they reach the user's channel (Telegram,
+ * Discord, Slack, WhatsApp). Can cancel messages containing PII/secrets
+ * or redact sensitive content.
+ */
+/**
+ * Create the message_sending hook handler.
+ *
+ * Evaluates outbound message content against AxonFlow output policies.
+ * Can cancel (prevent sending) or redact (modify content) before delivery.
+ * Respects config.onError for fail-open/fail-closed behavior.
+ */
+export function createMessageSendingHandler(client, config) {
+    return async (event) => {
+        if (!event.content) {
+            return undefined;
+        }
+        let check;
+        try {
+            check = await client.mcpCheckOutput("openclaw.message_sending", event.content);
+        }
+        catch {
+            if (config.onError === "allow") {
+                return undefined; // Fail-open: allow message through ungoverned
+            }
+            // Fail-closed: cancel the message rather than send ungoverned
+            return { cancel: true };
+        }
+        if (!check.allowed) {
+            return {
+                cancel: true,
+            };
+        }
+        if (check.redacted_data != null) {
+            return {
+                content: typeof check.redacted_data === "string"
+                    ? check.redacted_data
+                    : JSON.stringify(check.redacted_data),
+            };
+        }
+        return undefined;
+    };
+}
+//# sourceMappingURL=message-guard.js.map

package/dist/message-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"message-guard.js","sourceRoot":"","sources":["../src/message-guard.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH;;;;;;GAMG;AACH,MAAM,UAAU,2BAA2B,CACzC,MAAsB,EACtB,MAA4B;IAE5B,OAAO,KAAK,EAAE,KAIb,EAA+D,EAAE;QAChE,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACnB,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,KAAK,CAAC;QACV,IAAI,CAAC;YACH,KAAK,GAAG,MAAM,MAAM,CAAC,cAAc,CACjC,0BAA0B,EAC1B,KAAK,CAAC,OAAO,CACd,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,MAAM,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;gBAC/B,OAAO,SAAS,CAAC,CAAC,8CAA8C;YAClE,CAAC;YACD,8DAA8D;YAC9D,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;QAC1B,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACnB,OAAO;gBACL,MAAM,EAAE,IAAI;aACb,CAAC;QACJ,CAAC;QAED,IAAI,KAAK,CAAC,aAAa,IAAI,IAAI,EAAE,CAAC;YAChC,OAAO;gBACL,OAAO,EACL,OAAO,KAAK,CAAC,aAAa,KAAK,QAAQ;oBACrC,CAAC,CAAC,KAAK,CAAC,aAAa;oBACrB,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,aAAa,CAAC;aAC1C,CAAC;QACJ,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC;AACJ,CAAC"}

package/openclaw.plugin.json

@@ -0,0 +1,96 @@
+{
+  "id": "axonflow-governance",
+  "uiHints": {
+    "endpoint": {
+      "label": "AxonFlow Endpoint",
+      "placeholder": "http://localhost:8080",
+      "help": "URL of your AxonFlow agent gateway"
+    },
+    "clientId": {
+      "label": "Client ID",
+      "placeholder": "your-client-id",
+      "help": "AxonFlow authentication client ID"
+    },
+    "clientSecret": {
+      "label": "Client Secret",
+      "sensitive": true,
+      "placeholder": "your-secret",
+      "help": "AxonFlow authentication client secret"
+    },
+    "highRiskTools": {
+      "label": "High-Risk Tools",
+      "placeholder": "web_fetch, message",
+      "help": "Comma-separated tool names requiring human approval even when policy allows"
+    },
+    "governedTools": {
+      "label": "Governed Tools",
+      "placeholder": "(empty = all tools)",
+      "help": "Only govern these tools. Empty means all tools are governed.",
+      "advanced": true
+    },
+    "excludedTools": {
+      "label": "Excluded Tools",
+      "placeholder": "(empty = none excluded)",
+      "help": "Exclude these tools from governance. Takes precedence over governedTools.",
+      "advanced": true
+    },
+    "defaultOperation": {
+      "label": "Default Operation",
+      "placeholder": "execute",
+      "help": "Operation type for mcp_check_input: 'execute' (default) or 'query' for read-only tools",
+      "advanced": true
+    }
+  },
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {
+      "endpoint": {
+        "type": "string"
+      },
+      "clientId": {
+        "type": "string"
+      },
+      "clientSecret": {
+        "type": "string"
+      },
+      "highRiskTools": {
+        "type": "array",
+        "items": {
+          "type": "string"
+        }
+      },
+      "governedTools": {
+        "type": "array",
+        "items": {
+          "type": "string"
+        }
+      },
+      "excludedTools": {
+        "type": "array",
+        "items": {
+          "type": "string"
+        }
+      },
+      "defaultOperation": {
+        "type": "string",
+        "enum": [
+          "execute",
+          "query"
+        ]
+      },
+      "onError": {
+        "type": "string",
+        "enum": [
+          "block",
+          "allow"
+        ]
+      }
+    },
+    "required": [
+      "endpoint",
+      "clientId",
+      "clientSecret"
+    ]
+  }
+}

package/package.json

@@ -0,0 +1,93 @@
+{
+  "name": "@axonflow/openclaw",
+  "version": "0.1.0",
+  "description": "Policy enforcement, approval gates, and audit trails for OpenClaw — govern tool inputs before execution, scan outbound messages for PII/secrets, and record agent activity for review and compliance",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "policies",
+    "README.md",
+    "CHANGELOG.md",
+    "LICENSE",
+    "openclaw.plugin.json"
+  ],
+  "scripts": {
+    "clean": "rm -rf dist",
+    "prebuild": "npm run clean",
+    "build": "tsc",
+    "lint": "eslint src/ tests/",
+    "test": "jest",
+    "test:coverage": "jest --coverage",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "axonflow",
+    "openclaw",
+    "openclaw-security",
+    "openclaw-plugin",
+    "ai-agent-security",
+    "ai-safety",
+    "governance",
+    "policy-enforcement",
+    "pii-detection",
+    "pii-redaction",
+    "data-exfiltration",
+    "prompt-injection",
+    "reverse-shell",
+    "credential-detection",
+    "audit-logging",
+    "audit-trail",
+    "tool-governance",
+    "supply-chain-security",
+    "compliance",
+    "ssrf-protection"
+  ],
+  "author": "AxonFlow Team <team@getaxonflow.com>",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/getaxonflow/axonflow-openclaw-plugin.git"
+  },
+  "homepage": "https://docs.getaxonflow.com/docs/integration/openclaw/",
+  "bugs": {
+    "url": "https://github.com/getaxonflow/axonflow-openclaw-plugin/issues"
+  },
+  "peerDependencies": {
+    "@axonflow/sdk": ">=4.3.0",
+    "openclaw": ">=1.0.0"
+  },
+  "devDependencies": {
+    "@types/jest": "^29.5.0",
+    "@types/node": "^20.0.0",
+    "eslint": "^9.0.0",
+    "jest": "^29.7.0",
+    "ts-jest": "^29.1.0",
+    "typescript": "^5.4.0",
+    "typescript-eslint": "^8.58.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "peerDependenciesMeta": {
+    "@axonflow/sdk": {
+      "optional": true
+    }
+  },
+  "openclaw": {
+    "extensions": [
+      "./dist/index.js"
+    ],
+    "compat": {
+      "pluginApi": ">=2026.3.22",
+      "minGatewayVersion": "2026.3.22"
+    }
+  }
+}