@axonflow/openclaw 1.1.0 → 1.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +32 -0
- package/README.md +12 -0
- package/dist/axonflow-client.d.ts +17 -0
- package/dist/axonflow-client.d.ts.map +1 -1
- package/dist/axonflow-client.js +30 -2
- package/dist/axonflow-client.js.map +1 -1
- package/dist/governance.d.ts +18 -0
- package/dist/governance.d.ts.map +1 -1
- package/dist/governance.js +74 -2
- package/dist/governance.js.map +1 -1
- package/dist/index.d.ts +1 -1
- package/dist/index.js +1 -1
- package/package.json +2 -2
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,37 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## [1.2.1] - 2026-04-10
|
|
4
|
+
|
|
5
|
+
### Added
|
|
6
|
+
|
|
7
|
+
- **`AxonFlowHttpError` typed error class** exported from `src/axonflow-client.ts`. Carries `.status`, `.statusText`, and `.responseBody` as dedicated fields. The client now throws this on any non-403 HTTP failure from `mcpCheckInput` / `mcpCheckOutput`, so downstream consumers can reliably check the HTTP status without pattern-matching the error message string. Previous code path threw a plain `Error` with the status number embedded in the message text, which forced `isAxonFlowAuthError` in `governance.ts` to use fragile substring matching (fine in practice because the v1.2.0 message format happened to include the status digits, but one refactor away from a silent classifier regression).
|
|
8
|
+
|
|
9
|
+
### Changed
|
|
10
|
+
|
|
11
|
+
- **`isAxonFlowAuthError` tightened with word-boundary regex.** The v1.2.0 classifier used raw `String.includes()` checks, which matched "auth" inside "author" / "authority" / "authoritative". Now uses a single regex with `\b` word boundaries for `401`, `403`, `unauthorized`, `forbidden`, `credentials`, `auth(entication|orization)?`, and `(invalid|expired)[_ -]?token`. The previous special-case exclusion for `"auth server"` is no longer needed.
|
|
12
|
+
- Classifier checks the typed `.status` / `.statusCode` path first; the regex fallback is only used for errors that don't expose an HTTP status field (third-party fetch wrappers, legacy code).
|
|
13
|
+
|
|
14
|
+
### Tests
|
|
15
|
+
|
|
16
|
+
- New regression test in `tests/axonflow-client.test.ts` asserts that non-403 failures throw `AxonFlowHttpError` with `.status` populated (using `instanceof` + field check). This guards the "classifier must work via `.status`, not just message match" invariant.
|
|
17
|
+
- Existing throw-test assertions updated to use a regex matcher (`/check-input failed.*500/`) instead of exact substring, since the error message format now includes "HTTP \<status\>".
|
|
18
|
+
|
|
19
|
+
## [1.2.0] - 2026-04-08
|
|
20
|
+
|
|
21
|
+
### Changed
|
|
22
|
+
|
|
23
|
+
- **Smart error classification in governance hooks.** `before_tool_call` now distinguishes network/transport errors (timeouts, DNS failures, connection refused, HTTP 5xx) from auth/config errors (HTTP 401/403, invalid credentials, invalid tokens). **Network errors always fail-open** regardless of `config.onError` — transient infrastructure issues should never block legitimate dev workflows. **Auth errors respect `config.onError`** which defaults to `block` so misconfigured credentials are caught at the first tool call. This replaces the previous all-or-nothing `onError` behavior.
|
|
24
|
+
|
|
25
|
+
### Added
|
|
26
|
+
|
|
27
|
+
- **`isAxonFlowAuthError(err)` exported helper** classifies thrown errors from the AxonFlow client. Applications can use it to implement their own fail-open / fail-closed logic outside the built-in hook.
|
|
28
|
+
- 11 new unit tests cover the auth-vs-network classification on the governance hook path and the standalone classifier.
|
|
29
|
+
|
|
30
|
+
### Security
|
|
31
|
+
|
|
32
|
+
- Pinned all GitHub Actions in test and publish workflows to immutable commit SHAs to prevent supply chain attacks.
|
|
33
|
+
- Added Dependabot configuration for weekly GitHub Actions updates.
|
|
34
|
+
|
|
3
35
|
## [1.1.0] - 2026-04-06
|
|
4
36
|
|
|
5
37
|
### Added
|
package/README.md
CHANGED
|
@@ -58,10 +58,22 @@ See [Getting Started](https://docs.getaxonflow.com/docs/getting-started/) for fu
|
|
|
58
58
|
|
|
59
59
|
## Install
|
|
60
60
|
|
|
61
|
+
Available on [ClawHub](https://clawhub.ai/plugins/%40axonflow%2Fopenclaw) and [npm](https://www.npmjs.com/package/@axonflow/openclaw).
|
|
62
|
+
|
|
61
63
|
```bash
|
|
62
64
|
openclaw plugins install @axonflow/openclaw
|
|
63
65
|
```
|
|
64
66
|
|
|
67
|
+
Or via the ClawHub install path:
|
|
68
|
+
|
|
69
|
+
```bash
|
|
70
|
+
openclaw plugins install clawhub:@axonflow/openclaw
|
|
71
|
+
```
|
|
72
|
+
|
|
73
|
+
Either install path works; the ClawHub form is included for users browsing plugins there.
|
|
74
|
+
|
|
75
|
+
For the full integration walkthrough (architecture, hook coverage, policy examples, troubleshooting), see the [OpenClaw Integration Guide](https://docs.getaxonflow.com/docs/integration/openclaw/).
|
|
76
|
+
|
|
65
77
|
## Configure
|
|
66
78
|
|
|
67
79
|
In your OpenClaw config:
|
|
@@ -5,6 +5,23 @@
|
|
|
5
5
|
* as a runtime dependency.
|
|
6
6
|
*/
|
|
7
7
|
import type { AxonFlowPluginConfig } from "./config.js";
|
|
8
|
+
/**
|
|
9
|
+
* Typed error thrown by the AxonFlow client on non-2xx HTTP responses
|
|
10
|
+
* (except 403, which is a policy block and handled separately).
|
|
11
|
+
*
|
|
12
|
+
* Exposes `.status` as a dedicated field so downstream consumers —
|
|
13
|
+
* specifically the `isAxonFlowAuthError` classifier in `governance.ts` —
|
|
14
|
+
* can reliably check the HTTP status instead of pattern-matching the
|
|
15
|
+
* error message string. Previously the client threw a plain `Error`
|
|
16
|
+
* with the status number embedded in the message, which forced the
|
|
17
|
+
* classifier to use fragile substring matching.
|
|
18
|
+
*/
|
|
19
|
+
export declare class AxonFlowHttpError extends Error {
|
|
20
|
+
readonly status: number;
|
|
21
|
+
readonly statusText: string;
|
|
22
|
+
readonly responseBody: Record<string, unknown>;
|
|
23
|
+
constructor(status: number, statusText: string, responseBody: Record<string, unknown>, context: string);
|
|
24
|
+
}
|
|
8
25
|
export interface MCPCheckInputResponse {
|
|
9
26
|
allowed: boolean;
|
|
10
27
|
block_reason?: string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"axonflow-client.d.ts","sourceRoot":"","sources":["../src/axonflow-client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAExD,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAyBD,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;gBAC9B,MAAM,EAAE,oBAAoB;IAYxC,OAAO,CAAC,WAAW;YASL,gBAAgB;IAiBxB,aAAa,CACjB,aAAa,EAAE,MAAM,EACrB,SAAS,EAAE,MAAM,EACjB,SAAS,GAAE,MAAkB,GAC5B,OAAO,CAAC,qBAAqB,CAAC;
|
|
1
|
+
{"version":3,"file":"axonflow-client.d.ts","sourceRoot":"","sources":["../src/axonflow-client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAExD;;;;;;;;;;GAUG;AACH,qBAAa,iBAAkB,SAAQ,KAAK;IAC1C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBAG7C,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACrC,OAAO,EAAE,MAAM;CAalB;AAED,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAyBD,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;gBAC9B,MAAM,EAAE,oBAAoB;IAYxC,OAAO,CAAC,WAAW;YASL,gBAAgB;IAiBxB,aAAa,CACjB,aAAa,EAAE,MAAM,EACrB,SAAS,EAAE,MAAM,EACjB,SAAS,GAAE,MAAkB,GAC5B,OAAO,CAAC,qBAAqB,CAAC;IA8C3B,cAAc,CAClB,aAAa,EAAE,MAAM,EACrB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,sBAAsB,CAAC;IA8ClC;;;OAGG;IACG,aAAa,CACjB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,MAAM,CAAC,EAAE,OAAO,EAChB,KAAK,CAAC,EAAE,MAAM,EACd,UAAU,CAAC,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC;IAqBhB;;;;;;;OAOG;IACG,YAAY,CAChB,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,EACb,eAAe,EAAE,MAAM,EACvB,UAAU,EAAE;QAAE,aAAa,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,EACtF,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,IAAI,CAAC;IAoBhB;;;;;OAKG;IACG,iBAAiB,CAAC,OAAO,CAAC,EAAE;QAChC,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,GAAG,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,EAAE,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IA2B5D,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;CAQtC"}
|
package/dist/axonflow-client.js
CHANGED
|
@@ -4,6 +4,34 @@
|
|
|
4
4
|
* Uses direct HTTP calls to avoid requiring the full @axonflow/sdk
|
|
5
5
|
* as a runtime dependency.
|
|
6
6
|
*/
|
|
7
|
+
/**
|
|
8
|
+
* Typed error thrown by the AxonFlow client on non-2xx HTTP responses
|
|
9
|
+
* (except 403, which is a policy block and handled separately).
|
|
10
|
+
*
|
|
11
|
+
* Exposes `.status` as a dedicated field so downstream consumers —
|
|
12
|
+
* specifically the `isAxonFlowAuthError` classifier in `governance.ts` —
|
|
13
|
+
* can reliably check the HTTP status instead of pattern-matching the
|
|
14
|
+
* error message string. Previously the client threw a plain `Error`
|
|
15
|
+
* with the status number embedded in the message, which forced the
|
|
16
|
+
* classifier to use fragile substring matching.
|
|
17
|
+
*/
|
|
18
|
+
export class AxonFlowHttpError extends Error {
|
|
19
|
+
status;
|
|
20
|
+
statusText;
|
|
21
|
+
responseBody;
|
|
22
|
+
constructor(status, statusText, responseBody, context) {
|
|
23
|
+
const serverError = typeof responseBody["error"] === "string"
|
|
24
|
+
? responseBody["error"]
|
|
25
|
+
: "";
|
|
26
|
+
super(`AxonFlow ${context} failed: HTTP ${status} ${statusText}${serverError ? " — " + serverError : ""}`);
|
|
27
|
+
this.name = "AxonFlowHttpError";
|
|
28
|
+
this.status = status;
|
|
29
|
+
this.statusText = statusText;
|
|
30
|
+
this.responseBody = responseBody;
|
|
31
|
+
// Preserve prototype chain for instanceof checks across module boundaries.
|
|
32
|
+
Object.setPrototypeOf(this, AxonFlowHttpError.prototype);
|
|
33
|
+
}
|
|
34
|
+
}
|
|
7
35
|
/**
|
|
8
36
|
* Extract policies_evaluated count from API response.
|
|
9
37
|
* The platform returns this as a top-level number on 403 responses,
|
|
@@ -85,7 +113,7 @@ export class AxonFlowClient {
|
|
|
85
113
|
};
|
|
86
114
|
}
|
|
87
115
|
if (!response.ok) {
|
|
88
|
-
throw new
|
|
116
|
+
throw new AxonFlowHttpError(response.status, response.statusText, data, "check-input");
|
|
89
117
|
}
|
|
90
118
|
return {
|
|
91
119
|
allowed: data["allowed"] === true,
|
|
@@ -118,7 +146,7 @@ export class AxonFlowClient {
|
|
|
118
146
|
};
|
|
119
147
|
}
|
|
120
148
|
if (!response.ok) {
|
|
121
|
-
throw new
|
|
149
|
+
throw new AxonFlowHttpError(response.status, response.statusText, data, "check-output");
|
|
122
150
|
}
|
|
123
151
|
return {
|
|
124
152
|
allowed: data["allowed"] === true,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"axonflow-client.js","sourceRoot":"","sources":["../src/axonflow-client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;
|
|
1
|
+
{"version":3,"file":"axonflow-client.js","sourceRoot":"","sources":["../src/axonflow-client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH;;;;;;;;;;GAUG;AACH,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IACjC,MAAM,CAAS;IACf,UAAU,CAAS;IACnB,YAAY,CAA0B;IAE/C,YACE,MAAc,EACd,UAAkB,EAClB,YAAqC,EACrC,OAAe;QAEf,MAAM,WAAW,GAAG,OAAO,YAAY,CAAC,OAAO,CAAC,KAAK,QAAQ;YAC3D,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC;YACvB,CAAC,CAAC,EAAE,CAAC;QACP,KAAK,CAAC,YAAY,OAAO,iBAAiB,MAAM,IAAI,UAAU,GAAG,WAAW,CAAC,CAAC,CAAC,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC3G,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;QAChC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;QACjC,2EAA2E;QAC3E,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAC3D,CAAC;CACF;AAeD;;;;;GAKG;AACH,SAAS,wBAAwB,CAAC,IAA6B;IAC7D,IAAI,OAAO,IAAI,CAAC,oBAAoB,CAAC,KAAK,QAAQ,EAAE,CAAC;QACnD,OAAO,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACpC,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC;IACvC,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;QAC1D,MAAM,EAAE,GAAG,UAAqC,CAAC;QACjD,IAAI,OAAO,EAAE,CAAC,oBAAoB,CAAC,KAAK,QAAQ,EAAE,CAAC;YACjD,OAAO,EAAE,CAAC,oBAAoB,CAAC,CAAC;QAClC,CAAC;QACD,IAAI,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,oBAAoB,CAAC,CAAC,EAAE,CAAC;YAC5C,OAAO,EAAE,CAAC,oBAAoB,CAAC,CAAC,MAAM,CAAC;QACzC,CAAC;IACH,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,MAAM,OAAO,cAAc;IACR,QAAQ,CAAS;IACjB,UAAU,CAAS;IACnB,gBAAgB,CAAS;IAC1C,YAAY,MAA4B;QACtC,6EAA6E;QAC7E,IAAI,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC;QACzB,OAAO,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC9C,IAAI,CAAC,QAAQ,GAAG,EAAE,CAAC;QACnB,IAAI,CAAC,gBAAgB,GAAG,MAAM,CAAC,gBAAgB,IAAI,IAAI,CAAC;QACxD,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAC7B,GAAG,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,YAAY,EAAE,CAC5C,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACrB,IAAI,CAAC,UAAU,GAAG,SAAS,WAAW,EAAE,CAAC;IAC3C,CAAC;IAEO,WAAW;QACjB,+EAA+E;QAC/E,wEAAwE;QACxE,OAAO;YACL,cAAc,EAAE,kBAAkB;YAClC,aAAa,EAAE,IAAI,CAAC,UAAU;SAC/B,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAC5B,GAAW,EACX,IAAkB;QAElB,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAE9E,IAAI,CAAC;YACH,OAAO,MAAM,KAAK,CAAC,GAAG,EAAE;gBACtB,GAAG,IAAI;gBACP,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;QACL,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,SAAS,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,aAAqB,EACrB,SAAiB,EACjB,YAAoB,SAAS;QAE7B,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,yBAAyB,CAAC;QACtD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,GAAG,EAAE;YAChD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI,CAAC,WAAW,EAAE;YAC3B,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,cAAc,EAAE,aAAa;gBAC7B,SAAS;gBACT,SAAS;aACV,CAAC;SACH,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;QAEhE,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,YAAY,EACV,OAAO,IAAI,CAAC,cAAc,CAAC,KAAK,QAAQ;oBACtC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC;oBACtB,CAAC,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,QAAQ;wBACjC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC;wBACf,CAAC,CAAC,mBAAmB;gBAC3B,kBAAkB,EAAE,wBAAwB,CAAC,IAAI,CAAC;aACnD,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,iBAAiB,CACzB,QAAQ,CAAC,MAAM,EACf,QAAQ,CAAC,UAAU,EACnB,IAAI,EACJ,aAAa,CACd,CAAC;QACJ,CAAC;QAED,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,IAAI;YACjC,YAAY,EACV,OAAO,IAAI,CAAC,cAAc,CAAC,KAAK,QAAQ;gBACtC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC;gBACtB,CAAC,CAAC,SAAS;YACf,kBAAkB,EAAE,wBAAwB,CAAC,IAAI,CAAC;SACnD,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,cAAc,CAClB,aAAqB,EACrB,OAAe;QAEf,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,0BAA0B,CAAC;QACvD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,GAAG,EAAE;YAChD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI,CAAC,WAAW,EAAE;YAC3B,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,cAAc,EAAE,aAAa;gBAC7B,OAAO;aACR,CAAC;SACH,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;QAEhE,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,YAAY,EACV,OAAO,IAAI,CAAC,cAAc,CAAC,KAAK,QAAQ;oBACtC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC;oBACtB,CAAC,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,QAAQ;wBACjC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC;wBACf,CAAC,CAAC,mBAAmB;gBAC3B,kBAAkB,EAAE,wBAAwB,CAAC,IAAI,CAAC;aACnD,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,iBAAiB,CACzB,QAAQ,CAAC,MAAM,EACf,QAAQ,CAAC,UAAU,EACnB,IAAI,EACJ,cAAc,CACf,CAAC;QACJ,CAAC;QAED,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,IAAI;YACjC,YAAY,EACV,OAAO,IAAI,CAAC,cAAc,CAAC,KAAK,QAAQ;gBACtC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC;gBACtB,CAAC,CAAC,SAAS;YACf,aAAa,EAAE,IAAI,CAAC,eAAe,CAAC,IAAI,SAAS;YACjD,kBAAkB,EAAE,wBAAwB,CAAC,IAAI,CAAC;SACnD,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,aAAa,CACjB,QAAgB,EAChB,MAA+B,EAC/B,MAAgB,EAChB,KAAc,EACd,UAAmB;QAEnB,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,yBAAyB,CAAC;QACtD,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,gBAAgB,CAAC,GAAG,EAAE;gBAC/B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,IAAI,CAAC,WAAW,EAAE;gBAC3B,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,SAAS,EAAE,QAAQ;oBACnB,SAAS,EAAE,UAAU;oBACrB,KAAK,EAAE,MAAM;oBACb,MAAM,EAAE,MAAM,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS;oBACrF,OAAO,EAAE,KAAK,IAAI,IAAI;oBACtB,aAAa,EAAE,KAAK;oBACpB,WAAW,EAAE,UAAU;iBACxB,CAAC;aACH,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,+BAA+B;QACjC,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,YAAY,CAChB,QAAgB,EAChB,KAAa,EACb,KAAa,EACb,eAAuB,EACvB,UAAsF,EACtF,SAAiB;QAEjB,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,yBAAyB,CAAC;QACtD,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,gBAAgB,CAAC,GAAG,EAAE;gBAC/B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,IAAI,CAAC,WAAW,EAAE;gBAC3B,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,SAAS,EAAE,GAAG,QAAQ,IAAI,KAAK,EAAE;oBACjC,SAAS,EAAE,UAAU;oBACrB,KAAK,EAAE,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;oBACrC,MAAM,EAAE,EAAE,gBAAgB,EAAE,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,WAAW,EAAE,UAAU,EAAE;oBACpF,OAAO,EAAE,IAAI;oBACb,WAAW,EAAE,SAAS;iBACvB,CAAC;aACH,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,+BAA+B;QACjC,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,iBAAiB,CAAC,OAKvB;QACC,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,sBAAsB,CAAC;QACnD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAE5D,MAAM,IAAI,GAAG;YACX,UAAU,EAAE,OAAO,EAAE,SAAS,IAAI,UAAU,CAAC,WAAW,EAAE;YAC1D,QAAQ,EAAE,OAAO,EAAE,OAAO,IAAI,GAAG,CAAC,WAAW,EAAE;YAC/C,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,IAAI,EAAE,EAAE,GAAG,CAAC;YAC1C,GAAG,CAAC,OAAO,EAAE,WAAW,IAAI,EAAE,YAAY,EAAE,OAAO,CAAC,WAAW,EAAE,CAAC;SACnE,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,GAAG,EAAE;gBAChD,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,IAAI,CAAC,WAAW,EAAE;gBAC3B,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;aAC3B,CAAC,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,QAAQ,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC;YACrE,CAAC;YACD,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA0C,CAAC;QAC1E,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CAAC;QAC5F,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW;QACf,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAAC,QAAQ,SAAS,CAAC,CAAC;YACxE,OAAO,QAAQ,CAAC,EAAE,CAAC;QACrB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF"}
|
package/dist/governance.d.ts
CHANGED
|
@@ -21,6 +21,24 @@ export interface BeforeToolCallResult {
|
|
|
21
21
|
}
|
|
22
22
|
/** Derive connector_type from tool name for AxonFlow policy evaluation. */
|
|
23
23
|
export declare function deriveConnectorType(toolName: string): string;
|
|
24
|
+
/**
|
|
25
|
+
* Classify an error thrown by the AxonFlow client as an auth/config error
|
|
26
|
+
* vs a transient network / server-side error.
|
|
27
|
+
*
|
|
28
|
+
* Decision order:
|
|
29
|
+
* 1. If the error exposes `.status` or `.statusCode` === 401/403 → auth.
|
|
30
|
+
* (v1.2.1 prefers this path — the AxonFlowHttpError class exported from
|
|
31
|
+
* `axonflow-client.ts` always exposes `.status`, so new code paths never
|
|
32
|
+
* need to fall through to message matching.)
|
|
33
|
+
* 2. Otherwise, regex-match the error message against AUTH_ERROR_PATTERN
|
|
34
|
+
* with word-boundary anchors. Still needed because thrown errors from
|
|
35
|
+
* third-party fetch wrappers and legacy code may not expose `.status`.
|
|
36
|
+
* 3. Everything else is a network/transient error — fail-open.
|
|
37
|
+
*
|
|
38
|
+
* Used by the fail-open / fail-closed decision in the before_tool_call
|
|
39
|
+
* hook handler.
|
|
40
|
+
*/
|
|
41
|
+
export declare function isAxonFlowAuthError(err: unknown): boolean;
|
|
24
42
|
/**
|
|
25
43
|
* Create the before_tool_call hook handler.
|
|
26
44
|
*
|
package/dist/governance.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"governance.d.ts","sourceRoot":"","sources":["../src/governance.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAUxD,sEAAsE;AACtE,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE;QAChB,KAAK,EAAE,MAAM,CAAC;QACd,WAAW,EAAE,MAAM,CAAC;QACpB,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,GAAG,UAAU,CAAC;QAC3C,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,eAAe,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;KACpC,CAAC;CACH;AAED,2EAA2E;AAC3E,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAE5D;AAED;;;;;;;;;GASG;AACH,wBAAgB,2BAA2B,CACzC,MAAM,EAAE,cAAc,EACtB,MAAM,EAAE,oBAAoB,IAEd,OAAO;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,KAAG,OAAO,CAAC,oBAAoB,GAAG,SAAS,CAAC,
|
|
1
|
+
{"version":3,"file":"governance.d.ts","sourceRoot":"","sources":["../src/governance.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAUxD,sEAAsE;AACtE,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE;QAChB,KAAK,EAAE,MAAM,CAAC;QACd,WAAW,EAAE,MAAM,CAAC;QACpB,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,GAAG,UAAU,CAAC;QAC3C,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,eAAe,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;KACpC,CAAC;CACH;AAED,2EAA2E;AAC3E,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAE5D;AAoCD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAazD;AAED;;;;;;;;;GASG;AACH,wBAAgB,2BAA2B,CACzC,MAAM,EAAE,cAAc,EACtB,MAAM,EAAE,oBAAoB,IAEd,OAAO;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,KAAG,OAAO,CAAC,oBAAoB,GAAG,SAAS,CAAC,CAwE9C"}
|
package/dist/governance.js
CHANGED
|
@@ -10,6 +10,65 @@ import { recordToolCallEvaluated, recordToolCallBlocked, recordToolCallApprovalR
|
|
|
10
10
|
export function deriveConnectorType(toolName) {
|
|
11
11
|
return `openclaw.${toolName}`;
|
|
12
12
|
}
|
|
13
|
+
/**
|
|
14
|
+
* Regex used by the auth-error classifier for message-based matching.
|
|
15
|
+
*
|
|
16
|
+
* v1.2.1 change: word-boundary anchors (`\b`) instead of raw substring
|
|
17
|
+
* matches. The previous version's `.includes("auth")` accidentally matched
|
|
18
|
+
* "author", "authority", "authoritative", etc. It also had a special-case
|
|
19
|
+
* exclusion for "auth server" to work around that. With word boundaries,
|
|
20
|
+
* the false positives go away and the special-case exclusion is no longer
|
|
21
|
+
* needed.
|
|
22
|
+
*
|
|
23
|
+
* The pattern matches any of:
|
|
24
|
+
* \b401\b — HTTP 401 as a standalone token
|
|
25
|
+
* \b403\b — HTTP 403 as a standalone token
|
|
26
|
+
* \bunauthorized\b
|
|
27
|
+
* \bforbidden\b
|
|
28
|
+
* \bcredentials?\b
|
|
29
|
+
* \bauth(?:entication|orization)?\b — "auth", "authentication", "authorization" but NOT "author" / "authoritative"
|
|
30
|
+
* \b(?:invalid|expired)[ _-]?token\b — "invalid token" / "expired token" / "invalid_token" / "expired-token"
|
|
31
|
+
* \btoken[ _-]?invalid\b — "token invalid" / "token_invalid"
|
|
32
|
+
*/
|
|
33
|
+
const AUTH_ERROR_PATTERN = new RegExp([
|
|
34
|
+
"\\b401\\b",
|
|
35
|
+
"\\b403\\b",
|
|
36
|
+
"\\bunauthorized\\b",
|
|
37
|
+
"\\bforbidden\\b",
|
|
38
|
+
"\\bcredentials?\\b",
|
|
39
|
+
"\\bauth(?:entication|orization)?\\b",
|
|
40
|
+
"\\b(?:invalid|expired)[ _-]?token\\b",
|
|
41
|
+
"\\btoken[ _-]?invalid\\b",
|
|
42
|
+
].join("|"), "i");
|
|
43
|
+
/**
|
|
44
|
+
* Classify an error thrown by the AxonFlow client as an auth/config error
|
|
45
|
+
* vs a transient network / server-side error.
|
|
46
|
+
*
|
|
47
|
+
* Decision order:
|
|
48
|
+
* 1. If the error exposes `.status` or `.statusCode` === 401/403 → auth.
|
|
49
|
+
* (v1.2.1 prefers this path — the AxonFlowHttpError class exported from
|
|
50
|
+
* `axonflow-client.ts` always exposes `.status`, so new code paths never
|
|
51
|
+
* need to fall through to message matching.)
|
|
52
|
+
* 2. Otherwise, regex-match the error message against AUTH_ERROR_PATTERN
|
|
53
|
+
* with word-boundary anchors. Still needed because thrown errors from
|
|
54
|
+
* third-party fetch wrappers and legacy code may not expose `.status`.
|
|
55
|
+
* 3. Everything else is a network/transient error — fail-open.
|
|
56
|
+
*
|
|
57
|
+
* Used by the fail-open / fail-closed decision in the before_tool_call
|
|
58
|
+
* hook handler.
|
|
59
|
+
*/
|
|
60
|
+
export function isAxonFlowAuthError(err) {
|
|
61
|
+
if (!err || typeof err !== "object")
|
|
62
|
+
return false;
|
|
63
|
+
// Preferred path: typed error with HTTP status.
|
|
64
|
+
const maybeStatus = err.status ??
|
|
65
|
+
err.statusCode;
|
|
66
|
+
if (maybeStatus === 401 || maybeStatus === 403)
|
|
67
|
+
return true;
|
|
68
|
+
// Fallback: message-based pattern match with word boundaries.
|
|
69
|
+
const message = err instanceof Error ? err.message : String(err);
|
|
70
|
+
return AUTH_ERROR_PATTERN.test(message);
|
|
71
|
+
}
|
|
13
72
|
/**
|
|
14
73
|
* Create the before_tool_call hook handler.
|
|
15
74
|
*
|
|
@@ -34,14 +93,27 @@ export function createBeforeToolCallHandler(client, config) {
|
|
|
34
93
|
}
|
|
35
94
|
catch (err) {
|
|
36
95
|
recordGovernanceError();
|
|
96
|
+
// Issue #1545 Direction 3: classify the error to decide fail-open vs
|
|
97
|
+
// fail-closed. Network errors (timeout, DNS failure, connection
|
|
98
|
+
// refused, 5xx) always fail OPEN regardless of config.onError —
|
|
99
|
+
// transient infrastructure issues should never block legitimate dev
|
|
100
|
+
// workflows. Auth errors (401/403) respect config.onError, defaulting
|
|
101
|
+
// to fail-closed because they indicate a misconfiguration the
|
|
102
|
+
// operator can and should fix.
|
|
103
|
+
const isAuthError = isAxonFlowAuthError(err);
|
|
104
|
+
if (!isAuthError) {
|
|
105
|
+
recordToolCallAllowed();
|
|
106
|
+
return undefined; // Fail-open: transient network issue
|
|
107
|
+
}
|
|
108
|
+
// Auth error — respect config.onError (which defaults to "block").
|
|
37
109
|
if (config.onError === "allow") {
|
|
38
110
|
recordToolCallAllowed();
|
|
39
|
-
return undefined;
|
|
111
|
+
return undefined;
|
|
40
112
|
}
|
|
41
113
|
recordToolCallBlocked();
|
|
42
114
|
return {
|
|
43
115
|
block: true,
|
|
44
|
-
blockReason: `AxonFlow
|
|
116
|
+
blockReason: `AxonFlow auth error: ${err instanceof Error ? err.message : "unknown error"}. Fix configuration to restore tool access.`,
|
|
45
117
|
};
|
|
46
118
|
}
|
|
47
119
|
if (!check.allowed) {
|
package/dist/governance.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"governance.js","sourceRoot":"","sources":["../src/governance.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EACL,uBAAuB,EACvB,qBAAqB,EACrB,8BAA8B,EAC9B,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,cAAc,CAAC;AAgBtB,2EAA2E;AAC3E,MAAM,UAAU,mBAAmB,CAAC,QAAgB;IAClD,OAAO,YAAY,QAAQ,EAAE,CAAC;AAChC,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,2BAA2B,CACzC,MAAsB,EACtB,MAA4B;IAE5B,OAAO,KAAK,EAAE,KAKb,EAA6C,EAAE;QAC9C,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC;YAC9C,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,uBAAuB,EAAE,CAAC;QAC1B,MAAM,aAAa,GAAG,mBAAmB,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAE/C,IAAI,KAAK,CAAC;QACV,IAAI,CAAC;YACH,KAAK,GAAG,MAAM,MAAM,CAAC,aAAa,CAChC,aAAa,EACb,SAAS,EACT,MAAM,CAAC,gBAAgB,IAAI,SAAS,CACrC,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,qBAAqB,EAAE,CAAC;
|
|
1
|
+
{"version":3,"file":"governance.js","sourceRoot":"","sources":["../src/governance.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EACL,uBAAuB,EACvB,qBAAqB,EACrB,8BAA8B,EAC9B,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,cAAc,CAAC;AAgBtB,2EAA2E;AAC3E,MAAM,UAAU,mBAAmB,CAAC,QAAgB;IAClD,OAAO,YAAY,QAAQ,EAAE,CAAC;AAChC,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,kBAAkB,GAAG,IAAI,MAAM,CACnC;IACE,WAAW;IACX,WAAW;IACX,oBAAoB;IACpB,iBAAiB;IACjB,oBAAoB;IACpB,qCAAqC;IACrC,sCAAsC;IACtC,0BAA0B;CAC3B,CAAC,IAAI,CAAC,GAAG,CAAC,EACX,GAAG,CACJ,CAAC;AAEF;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAY;IAC9C,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAElD,gDAAgD;IAChD,MAAM,WAAW,GACd,GAAgD,CAAC,MAAM;QACvD,GAAgD,CAAC,UAAU,CAAC;IAC/D,IAAI,WAAW,KAAK,GAAG,IAAI,WAAW,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAE5D,8DAA8D;IAC9D,MAAM,OAAO,GACX,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACnD,OAAO,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC1C,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,2BAA2B,CACzC,MAAsB,EACtB,MAA4B;IAE5B,OAAO,KAAK,EAAE,KAKb,EAA6C,EAAE;QAC9C,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC;YAC9C,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,uBAAuB,EAAE,CAAC;QAC1B,MAAM,aAAa,GAAG,mBAAmB,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAE/C,IAAI,KAAK,CAAC;QACV,IAAI,CAAC;YACH,KAAK,GAAG,MAAM,MAAM,CAAC,aAAa,CAChC,aAAa,EACb,SAAS,EACT,MAAM,CAAC,gBAAgB,IAAI,SAAS,CACrC,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,qBAAqB,EAAE,CAAC;YAExB,qEAAqE;YACrE,gEAAgE;YAChE,gEAAgE;YAChE,oEAAoE;YACpE,sEAAsE;YACtE,8DAA8D;YAC9D,+BAA+B;YAC/B,MAAM,WAAW,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;YAC7C,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,qBAAqB,EAAE,CAAC;gBACxB,OAAO,SAAS,CAAC,CAAC,qCAAqC;YACzD,CAAC;YAED,mEAAmE;YACnE,IAAI,MAAM,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;gBAC/B,qBAAqB,EAAE,CAAC;gBACxB,OAAO,SAAS,CAAC;YACnB,CAAC;YACD,qBAAqB,EAAE,CAAC;YACxB,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,WAAW,EAAE,wBAAwB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,6CAA6C;aACvI,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACnB,qBAAqB,EAAE,CAAC;YACxB,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,WAAW,EAAE,KAAK,CAAC,YAAY,IAAI,4BAA4B;aAChE,CAAC;QACJ,CAAC;QAED,uDAAuD;QACvD,IACE,MAAM,CAAC,aAAa;YACpB,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,EAC7C,CAAC;YACD,8BAA8B,EAAE,CAAC;YACjC,OAAO;gBACL,eAAe,EAAE;oBACf,KAAK,EAAE,aAAa,KAAK,CAAC,QAAQ,oBAAoB;oBACtD,WAAW,EAAE,mCAAmC,KAAK,CAAC,kBAAkB,sBAAsB;oBAC9F,QAAQ,EAAE,SAAS;oBACnB,SAAS,EAAE,MAAM;oBACjB,eAAe,EAAE,MAAM;iBACxB;aACF,CAAC;QACJ,CAAC;QAED,qBAAqB,EAAE,CAAC;QACxB,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC;AACJ,CAAC"}
|
package/dist/index.d.ts
CHANGED
|
@@ -31,7 +31,7 @@
|
|
|
31
31
|
* for async hook support.
|
|
32
32
|
*/
|
|
33
33
|
/** Plugin version — update before each release. */
|
|
34
|
-
export declare const VERSION = "1.1
|
|
34
|
+
export declare const VERSION = "1.2.1";
|
|
35
35
|
export { AxonFlowClient } from "./axonflow-client.js";
|
|
36
36
|
export type { AxonFlowPluginConfig } from "./config.js";
|
|
37
37
|
export { resolveConfig, shouldGovernTool } from "./config.js";
|
package/dist/index.js
CHANGED
|
@@ -39,7 +39,7 @@ import { createLlmInputHandler, createLlmOutputHandler } from "./llm-audit.js";
|
|
|
39
39
|
import { sendTelemetryPing } from "./telemetry.js";
|
|
40
40
|
import { resetMetrics } from "./metrics.js";
|
|
41
41
|
/** Plugin version — update before each release. */
|
|
42
|
-
export const VERSION = "1.1
|
|
42
|
+
export const VERSION = "1.2.1";
|
|
43
43
|
// Re-export for external consumers
|
|
44
44
|
export { AxonFlowClient } from "./axonflow-client.js";
|
|
45
45
|
export { resolveConfig, shouldGovernTool } from "./config.js";
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@axonflow/openclaw",
|
|
3
|
-
"version": "1.1
|
|
3
|
+
"version": "1.2.1",
|
|
4
4
|
"description": "Policy enforcement, approval gates, and audit trails for OpenClaw — govern tool inputs before execution, scan outbound messages for PII/secrets, and record agent activity for review and compliance",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "dist/index.js",
|
|
@@ -50,7 +50,7 @@
|
|
|
50
50
|
"compliance",
|
|
51
51
|
"ssrf-protection"
|
|
52
52
|
],
|
|
53
|
-
"author": "AxonFlow Team <
|
|
53
|
+
"author": "AxonFlow Team <hello@getaxonflow.com>",
|
|
54
54
|
"license": "MIT",
|
|
55
55
|
"repository": {
|
|
56
56
|
"type": "git",
|