@axonflow/openclaw 1.1.0 → 1.2.0

package/CHANGELOG.md

@@ -1,5 +1,21 @@
 # Changelog
 
+## [1.2.0] - 2026-04-09
+
+### Changed
+
+- **Smart error classification in governance hooks (issue #1545 Direction 3).** `before_tool_call` now distinguishes network/transport errors (timeouts, DNS failures, connection refused, HTTP 5xx) from auth/config errors (HTTP 401/403, invalid credentials, invalid tokens). **Network errors always fail-open** regardless of `config.onError` — transient infrastructure issues should never block legitimate dev workflows. **Auth errors respect `config.onError`** which defaults to `block` so misconfigured credentials are caught at the first tool call. This replaces the previous all-or-nothing `onError` behavior.
+
+### Added
+
+- **`isAxonFlowAuthError(err)` exported helper** classifies thrown errors from the AxonFlow client. Applications can use it to implement their own fail-open / fail-closed logic outside the built-in hook.
+- 11 new unit tests cover the auth-vs-network classification on the governance hook path and the standalone classifier.
+
+### Security
+
+- Pinned all GitHub Actions in test and publish workflows to immutable commit SHAs to prevent supply chain attacks.
+- Added Dependabot configuration for weekly GitHub Actions updates.
+
 ## [1.1.0] - 2026-04-06
 
 ### Added

package/README.md

@@ -58,10 +58,22 @@ See [Getting Started](https://docs.getaxonflow.com/docs/getting-started/) for fu
 
 ## Install
 
+Available on [ClawHub](https://clawhub.ai/plugins/%40axonflow%2Fopenclaw) and [npm](https://www.npmjs.com/package/@axonflow/openclaw).
+
 ```bash
 openclaw plugins install @axonflow/openclaw
 ```
 
+Or via the ClawHub install path:
+
+```bash
+openclaw plugins install clawhub:@axonflow/openclaw
+```
+
+Either install path works; the ClawHub form is included for users browsing plugins there.
+
+For the full integration walkthrough (architecture, hook coverage, policy examples, troubleshooting), see the [OpenClaw Integration Guide](https://docs.getaxonflow.com/docs/integration/openclaw/).
+
 ## Configure
 
 In your OpenClaw config:

package/dist/governance.d.ts

@@ -21,6 +21,20 @@ export interface BeforeToolCallResult {
 }
 /** Derive connector_type from tool name for AxonFlow policy evaluation. */
 export declare function deriveConnectorType(toolName: string): string;
+/**
+ * Classify an error thrown by the AxonFlow client as an auth/config error
+ * vs a transient network / server-side error.
+ *
+ * Auth/config errors: HTTP 401, 403, or error messages containing "auth",
+ * "unauthorized", "forbidden", "credentials", or "token invalid".
+ *
+ * Network/server errors: everything else (timeouts, DNS failures, 5xx,
+ * connection refused, aborts).
+ *
+ * Used by the fail-open / fail-closed decision in the before_tool_call
+ * hook handler (issue #1545 Direction 3).
+ */
+export declare function isAxonFlowAuthError(err: unknown): boolean;
 /**
  * Create the before_tool_call hook handler.
  *

package/dist/governance.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"governance.d.ts","sourceRoot":"","sources":["../src/governance.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAUxD,sEAAsE;AACtE,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE;QAChB,KAAK,EAAE,MAAM,CAAC;QACd,WAAW,EAAE,MAAM,CAAC;QACpB,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,GAAG,UAAU,CAAC;QAC3C,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,eAAe,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;KACpC,CAAC;CACH;AAED,2EAA2E;AAC3E,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAE5D;AAED;;;;;;;;;GASG;AACH,wBAAgB,2BAA2B,CACzC,MAAM,EAAE,cAAc,EACtB,MAAM,EAAE,oBAAoB,IAEd,OAAO;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,KAAG,OAAO,CAAC,oBAAoB,GAAG,SAAS,CAAC,CAyD9C"}
+{"version":3,"file":"governance.d.ts","sourceRoot":"","sources":["../src/governance.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAUxD,sEAAsE;AACtE,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE;QAChB,KAAK,EAAE,MAAM,CAAC;QACd,WAAW,EAAE,MAAM,CAAC;QACpB,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,GAAG,UAAU,CAAC;QAC3C,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,eAAe,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;KACpC,CAAC;CACH;AAED,2EAA2E;AAC3E,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAE5D;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAuBzD;AAED;;;;;;;;;GASG;AACH,wBAAgB,2BAA2B,CACzC,MAAM,EAAE,cAAc,EACtB,MAAM,EAAE,oBAAoB,IAEd,OAAO;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,KAAG,OAAO,CAAC,oBAAoB,GAAG,SAAS,CAAC,CAwE9C"}

package/dist/governance.js

@@ -10,6 +10,39 @@ import { recordToolCallEvaluated, recordToolCallBlocked, recordToolCallApprovalR
 export function deriveConnectorType(toolName) {
     return `openclaw.${toolName}`;
 }
+/**
+ * Classify an error thrown by the AxonFlow client as an auth/config error
+ * vs a transient network / server-side error.
+ *
+ * Auth/config errors: HTTP 401, 403, or error messages containing "auth",
+ * "unauthorized", "forbidden", "credentials", or "token invalid".
+ *
+ * Network/server errors: everything else (timeouts, DNS failures, 5xx,
+ * connection refused, aborts).
+ *
+ * Used by the fail-open / fail-closed decision in the before_tool_call
+ * hook handler (issue #1545 Direction 3).
+ */
+export function isAxonFlowAuthError(err) {
+    if (!err || typeof err !== "object")
+        return false;
+    // Error objects with HTTP status (if the SDK exposes one)
+    const maybeStatus = err.status ??
+        err.statusCode;
+    if (maybeStatus === 401 || maybeStatus === 403)
+        return true;
+    const message = err instanceof Error
+        ? err.message.toLowerCase()
+        : String(err).toLowerCase();
+    return (message.includes("401") ||
+        message.includes("403") ||
+        message.includes("unauthorized") ||
+        message.includes("forbidden") ||
+        message.includes("credentials") ||
+        (message.includes("auth") && !message.includes("auth server")) ||
+        message.includes("token invalid") ||
+        message.includes("invalid token"));
+}
 /**
  * Create the before_tool_call hook handler.
  *
@@ -34,14 +67,27 @@ export function createBeforeToolCallHandler(client, config) {
         }
         catch (err) {
             recordGovernanceError();
+            // Issue #1545 Direction 3: classify the error to decide fail-open vs
+            // fail-closed. Network errors (timeout, DNS failure, connection
+            // refused, 5xx) always fail OPEN regardless of config.onError —
+            // transient infrastructure issues should never block legitimate dev
+            // workflows. Auth errors (401/403) respect config.onError, defaulting
+            // to fail-closed because they indicate a misconfiguration the
+            // operator can and should fix.
+            const isAuthError = isAxonFlowAuthError(err);
+            if (!isAuthError) {
+                recordToolCallAllowed();
+                return undefined; // Fail-open: transient network issue
+            }
+            // Auth error — respect config.onError (which defaults to "block").
             if (config.onError === "allow") {
                 recordToolCallAllowed();
-                return undefined; // Fail-open: allow tool execution
+                return undefined;
             }
             recordToolCallBlocked();
             return {
                 block: true,
-                blockReason: `AxonFlow unreachable: ${err instanceof Error ? err.message : "unknown error"}`,
+                blockReason: `AxonFlow auth error: ${err instanceof Error ? err.message : "unknown error"}. Fix configuration to restore tool access.`,
             };
         }
         if (!check.allowed) {

package/dist/governance.js.map

@@ -1 +1 @@
-{"version":3,"file":"governance.js","sourceRoot":"","sources":["../src/governance.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EACL,uBAAuB,EACvB,qBAAqB,EACrB,8BAA8B,EAC9B,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,cAAc,CAAC;AAgBtB,2EAA2E;AAC3E,MAAM,UAAU,mBAAmB,CAAC,QAAgB;IAClD,OAAO,YAAY,QAAQ,EAAE,CAAC;AAChC,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,2BAA2B,CACzC,MAAsB,EACtB,MAA4B;IAE5B,OAAO,KAAK,EAAE,KAKb,EAA6C,EAAE;QAC9C,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC;YAC9C,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,uBAAuB,EAAE,CAAC;QAC1B,MAAM,aAAa,GAAG,mBAAmB,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAE/C,IAAI,KAAK,CAAC;QACV,IAAI,CAAC;YACH,KAAK,GAAG,MAAM,MAAM,CAAC,aAAa,CAChC,aAAa,EACb,SAAS,EACT,MAAM,CAAC,gBAAgB,IAAI,SAAS,CACrC,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,qBAAqB,EAAE,CAAC;YACxB,IAAI,MAAM,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;gBAC/B,qBAAqB,EAAE,CAAC;gBACxB,OAAO,SAAS,CAAC,CAAC,kCAAkC;YACtD,CAAC;YACD,qBAAqB,EAAE,CAAC;YACxB,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,WAAW,EAAE,yBAAyB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE;aAC7F,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACnB,qBAAqB,EAAE,CAAC;YACxB,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,WAAW,EAAE,KAAK,CAAC,YAAY,IAAI,4BAA4B;aAChE,CAAC;QACJ,CAAC;QAED,uDAAuD;QACvD,IACE,MAAM,CAAC,aAAa;YACpB,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,EAC7C,CAAC;YACD,8BAA8B,EAAE,CAAC;YACjC,OAAO;gBACL,eAAe,EAAE;oBACf,KAAK,EAAE,aAAa,KAAK,CAAC,QAAQ,oBAAoB;oBACtD,WAAW,EAAE,mCAAmC,KAAK,CAAC,kBAAkB,sBAAsB;oBAC9F,QAAQ,EAAE,SAAS;oBACnB,SAAS,EAAE,MAAM;oBACjB,eAAe,EAAE,MAAM;iBACxB;aACF,CAAC;QACJ,CAAC;QAED,qBAAqB,EAAE,CAAC;QACxB,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC;AACJ,CAAC"}
+{"version":3,"file":"governance.js","sourceRoot":"","sources":["../src/governance.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EACL,uBAAuB,EACvB,qBAAqB,EACrB,8BAA8B,EAC9B,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,cAAc,CAAC;AAgBtB,2EAA2E;AAC3E,MAAM,UAAU,mBAAmB,CAAC,QAAgB;IAClD,OAAO,YAAY,QAAQ,EAAE,CAAC;AAChC,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAY;IAC9C,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAElD,0DAA0D;IAC1D,MAAM,WAAW,GACd,GAAgD,CAAC,MAAM;QACvD,GAAgD,CAAC,UAAU,CAAC;IAC/D,IAAI,WAAW,KAAK,GAAG,IAAI,WAAW,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAE5D,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;QAClB,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE;QAC3B,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;IAChC,OAAO,CACL,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC;QACvB,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC;QACvB,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;QAChC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC7B,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC;QAC/B,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC9D,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC;QACjC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,CAClC,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,2BAA2B,CACzC,MAAsB,EACtB,MAA4B;IAE5B,OAAO,KAAK,EAAE,KAKb,EAA6C,EAAE;QAC9C,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC;YAC9C,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,uBAAuB,EAAE,CAAC;QAC1B,MAAM,aAAa,GAAG,mBAAmB,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAE/C,IAAI,KAAK,CAAC;QACV,IAAI,CAAC;YACH,KAAK,GAAG,MAAM,MAAM,CAAC,aAAa,CAChC,aAAa,EACb,SAAS,EACT,MAAM,CAAC,gBAAgB,IAAI,SAAS,CACrC,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,qBAAqB,EAAE,CAAC;YAExB,qEAAqE;YACrE,gEAAgE;YAChE,gEAAgE;YAChE,oEAAoE;YACpE,sEAAsE;YACtE,8DAA8D;YAC9D,+BAA+B;YAC/B,MAAM,WAAW,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;YAC7C,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,qBAAqB,EAAE,CAAC;gBACxB,OAAO,SAAS,CAAC,CAAC,qCAAqC;YACzD,CAAC;YAED,mEAAmE;YACnE,IAAI,MAAM,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;gBAC/B,qBAAqB,EAAE,CAAC;gBACxB,OAAO,SAAS,CAAC;YACnB,CAAC;YACD,qBAAqB,EAAE,CAAC;YACxB,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,WAAW,EAAE,wBAAwB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,6CAA6C;aACvI,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACnB,qBAAqB,EAAE,CAAC;YACxB,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,WAAW,EAAE,KAAK,CAAC,YAAY,IAAI,4BAA4B;aAChE,CAAC;QACJ,CAAC;QAED,uDAAuD;QACvD,IACE,MAAM,CAAC,aAAa;YACpB,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,EAC7C,CAAC;YACD,8BAA8B,EAAE,CAAC;YACjC,OAAO;gBACL,eAAe,EAAE;oBACf,KAAK,EAAE,aAAa,KAAK,CAAC,QAAQ,oBAAoB;oBACtD,WAAW,EAAE,mCAAmC,KAAK,CAAC,kBAAkB,sBAAsB;oBAC9F,QAAQ,EAAE,SAAS;oBACnB,SAAS,EAAE,MAAM;oBACjB,eAAe,EAAE,MAAM;iBACxB;aACF,CAAC;QACJ,CAAC;QAED,qBAAqB,EAAE,CAAC;QACxB,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -31,7 +31,7 @@
  * for async hook support.
  */
 /** Plugin version — update before each release. */
-export declare const VERSION = "1.1.0";
+export declare const VERSION = "1.2.0";
 export { AxonFlowClient } from "./axonflow-client.js";
 export type { AxonFlowPluginConfig } from "./config.js";
 export { resolveConfig, shouldGovernTool } from "./config.js";

package/dist/index.js

@@ -39,7 +39,7 @@ import { createLlmInputHandler, createLlmOutputHandler } from "./llm-audit.js";
 import { sendTelemetryPing } from "./telemetry.js";
 import { resetMetrics } from "./metrics.js";
 /** Plugin version — update before each release. */
-export const VERSION = "1.1.0";
+export const VERSION = "1.2.0";
 // Re-export for external consumers
 export { AxonFlowClient } from "./axonflow-client.js";
 export { resolveConfig, shouldGovernTool } from "./config.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@axonflow/openclaw",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Policy enforcement, approval gates, and audit trails for OpenClaw — govern tool inputs before execution, scan outbound messages for PII/secrets, and record agent activity for review and compliance",
   "type": "module",
   "main": "dist/index.js",
@@ -50,7 +50,7 @@
     "compliance",
     "ssrf-protection"
   ],
-  "author": "AxonFlow Team <team@getaxonflow.com>",
+  "author": "AxonFlow Team <hello@getaxonflow.com>",
   "license": "MIT",
   "repository": {
     "type": "git",