@axonflow/openclaw 1.3.1 → 1.3.2

package/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## [1.3.2] - 2026-04-22
+
+### Deprecated
+
+- `DO_NOT_TRACK=1` as an AxonFlow telemetry opt-out — scheduled for removal after 2026-05-05 in the next major release. Use `AXONFLOW_TELEMETRY=off` instead. The plugin emits a one-time `console.warn` when `DO_NOT_TRACK=1` is the active control and `AXONFLOW_TELEMETRY=off` is not also set.
+
 ## [1.3.1] - 2026-04-19
 
 Patch release. Fixes a v1.3.0 gap surfaced by install-and-use E2E

package/README.md

@@ -1,81 +1,121 @@
 # @axonflow/openclaw
 
-**Policy enforcement, approval gates, and audit trails for [OpenClaw](https://github.com/openclaw/openclaw).**
+**Governance for OpenClaw agents: block dangerous tool calls, require human approval on high-risk actions, redact PII from outbound messages, and keep a compliance-grade audit trail — without changing a single line of your agent code.**
 
-## Why
+[![npm](https://img.shields.io/npm/v/%40axonflow%2Fopenclaw?color=%2300A36C)](https://www.npmjs.com/package/@axonflow/openclaw)
+[![ClawHub](https://img.shields.io/badge/ClawHub-listed-00A36C)](https://clawhub.ai/plugins/%40axonflow%2Fopenclaw)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](./LICENSE)
 
-OpenClaw is widely deployed with [13+ CVEs disclosed in 2026](https://github.com/jgamblin/OpenClawCVEs/) (multiple CVSS 9.8+), [135,000+ publicly exposed instances](https://www.bitsight.com/blog/openclaw-ai-security-risks-exposed-instances), and [1,184 malicious skills](https://cyberpress.org/clawhavoc-poisons-openclaws-clawhub-with-1184-malicious-skills/) poisoned in ClawHub via the ClawHavoc supply chain attack. OpenClaw provides agent runtime and tool execution but no centralized policy enforcement, no PII scanning, and no compliance-grade audit trails.
+> **→ Full integration walkthrough:** **[docs.getaxonflow.com/docs/integration/openclaw](https://docs.getaxonflow.com/docs/integration/openclaw/)** — architecture, hook coverage, policy examples, and troubleshooting.
 
-This plugin adds the governance layer. AxonFlow governs, OpenClaw orchestrates. No LLM provider keys needed — OpenClaw handles all LLM calls, AxonFlow only enforces policies and records audit trails. Your data stays on your infrastructure.
+---
 
-This plugin is useful when you want to:
-- block dangerous tool calls (reverse shells, SSRF, destructive commands) before they run
-- detect and redact PII and secrets in outbound messages before delivery
-- require human approval for high-risk tools (exec, web_fetch, message)
-- keep a compliance-grade audit trail of every tool call and LLM interaction
-- gain visibility into token usage and LLM activity across agents via audit trails
+## Why this plugin exists
 
-## What It Does
+OpenClaw is a strong agent runtime. It is also a serious production security problem the moment you take it past a prototype:
 
-| Hook | Purpose |
-|------|---------|
-| `before_tool_call` | Evaluate tool inputs against AxonFlow policies before execution |
-| `after_tool_call` | Record tool execution in AxonFlow audit trail |
-| `message_sending` | Scan outbound messages for PII/secrets before delivery |
-| `llm_input` | Record prompt, model, and provider for audit |
-| `llm_output` | Record response summary, token usage, and latency for audit |
+- **[135,000+ publicly exposed instances](https://www.bitsight.com/blog/openclaw-ai-security-risks-exposed-instances)** deployed without central policy enforcement
+- **[13+ CVEs disclosed in 2026](https://github.com/jgamblin/OpenClawCVEs/)**, several at CVSS 9.8+
+- **[1,184 malicious skills](https://cyberpress.org/clawhavoc-poisons-openclaws-clawhub-with-1184-malicious-skills/)** poisoned in ClawHub via the ClawHavoc supply-chain attack
+- **No native PII/secrets scanning**, no SQL-injection defense, no compliance-grade audit trail, no org-wide tool policy, no approval workflow
 
-The plugin also:
-- **Verifies AxonFlow connectivity** on startup and logs a warning if unreachable
-- **Tracks governance metrics** in-process (tool calls blocked/allowed, messages redacted, etc.) accessible via `getMetrics()`
+OpenClaw handles agent runtime, MCP connectivity, channels, and tool execution. It was never intended to be the place you enforce governance. This plugin adds the governance layer on top, so OpenClaw keeps doing what it does well and AxonFlow takes over the "is this allowed, should this redact, who approved, where is the audit record" questions.
 
-## Current Limitation
+**AxonFlow governs. OpenClaw orchestrates. Your data stays on your infrastructure.** No LLM provider keys leave your machine — OpenClaw still makes every LLM call; AxonFlow only evaluates policies and records audit trails.
 
-Tool results written into the OpenClaw session transcript are not yet scanned by this plugin. OpenClaw's `tool_result_persist` hook is synchronous today, so it cannot call AxonFlow's HTTP policy APIs.
+---
 
-What is protected today:
-- tool inputs before execution
-- outbound messages before delivery
-- tool and LLM audit trails
+## What you get
 
-What is not protected yet:
-- tool results entering the LLM context through the session transcript
+| Capability | What it means in practice |
+|---|---|
+| **Pre-execution policy check** | Every tool call is scored against 80+ built-in policies (reverse shells, SSRF, credential access, SQLi, prompt injection, path traversal, PII in arguments) before it runs |
+| **Approval gates** | Any tool in `highRiskTools` pauses execution and posts a native OpenClaw approval request with policy severity surfaced as approval priority |
+| **Outbound message scanning** | Every message to Telegram/Discord/Slack/webhook is scanned for PII and secrets before delivery — redacted, blocked, or passed through per policy |
+| **Compliance-grade audit trail** | Every tool call and LLM interaction records the input, output summary, matched policies, decision, and duration |
+| **Decision explainability** | Blocked calls return a `decision_id` the agent can pass to `explainDecision()` to see exactly which policy family triggered and why |
+| **Session overrides** | Operators can request a time-bounded, audit-logged exception when policy allows it — without leaving the agent |
+| **Per-user identity** | `config.userEmail` threads the actual human operator through to every explain/override call, so shared chat agents still produce attributable audits |
 
-If OpenClaw adds async support for `tool_result_persist`, AxonFlow can add transcript/result scanning immediately. Upstream issue: [openclaw/openclaw#58558](https://github.com/openclaw/openclaw/issues/58558).
+---
 
-## Prerequisites
+## How it plugs in
 
-This plugin connects to [AxonFlow](https://github.com/getaxonflow/axonflow), a self-hosted governance platform, for policy evaluation and audit logging. AxonFlow must be running before you use the plugin. Your data stays on your infrastructure.
-
-```bash
-# Start AxonFlow (Docker — runs entirely on your machine)
-git clone https://github.com/getaxonflow/axonflow.git
-cd axonflow
-docker compose up -d
+```
+┌──────────────────────────────────────────────────────────────┐
+│                        OpenClaw Agent                        │
+│                                                              │
+│  User Message → LLM Call → Tool Execution → Response → User  │
+│        │           │             │                       │   │
+│        ▼           ▼             ▼                       ▼   │
+│  ┌────────────────────────────────────────────────────────┐  │
+│  │            @axonflow/openclaw                          │  │
+│  │                                                        │  │
+│  │  GOVERNANCE (can block / modify):                      │  │
+│  │  before_tool_call   (priority 10) → check_input        │  │
+│  │  message_sending    (priority 10) → check_output       │  │
+│  │                                                        │  │
+│  │  AUDIT (observe-only, non-blocking):                   │  │
+│  │  after_tool_call    (priority 90) → audit_tool_call    │  │
+│  │  llm_input          (priority 90) → record prompt      │  │
+│  │  llm_output         (priority 90) → record response    │  │
+│  └────────────────────────┬───────────────────────────────┘  │
+└───────────────────────────┼──────────────────────────────────┘
+                            │
+                            ▼
+                    ┌───────────────────┐
+                    │     AxonFlow      │
+                    │  ┌─────┐ ┌─────┐  │
+                    │  │Policy│ │Audit│  │
+                    │  │Engine│ │Trail│  │
+                    │  └─────┘ └─────┘  │
+                    │  ┌─────┐          │
+                    │  │ PII │          │
+                    │  │Scan │          │
+                    │  └─────┘          │
+                    └───────────────────┘
 ```
 
-See [Getting Started](https://docs.getaxonflow.com/docs/getting-started/) for full setup options.
+**What stays the same:** your OpenClaw agent config, ClawHub skills, MCP connectors, and channel integrations are unchanged. The plugin only adds lifecycle hooks.
 
-## Install
+---
 
-Available on [ClawHub](https://clawhub.ai/plugins/%40axonflow%2Fopenclaw) and [npm](https://www.npmjs.com/package/@axonflow/openclaw).
+## The production problems this solves
 
-**Recommended:**
+These are the three questions that reliably surface the moment an OpenClaw agent hits real users or regulators.
 
-```bash
-openclaw plugins install @axonflow/openclaw
-```
+### 1. "The tool that phones home"
+
+A `web_fetch` skill is installed from ClawHub. An agent uses it to look up product docs. Then a user asks, *"Summarize my customer list"* — the agent calls `web_fetch` with customer emails in the URL. The data leaves your infrastructure. OpenClaw executed the tool correctly; nobody checked what it was sending.
+
+**What the plugin does:** `check_input` fires before `web_fetch` runs, scans the URL arguments against PII and exfiltration policies, and blocks the call with a decision ID.
+
+### 2. "The MCP response full of PII"
+
+An MCP connector queries your CRM for "recent support tickets." The MCP server returns 50 rows with names, emails, phone numbers. All of it flows into the LLM context. OpenClaw managed the connection; SecretRef protected the credentials; the *data itself* was never inspected.
+
+**What the plugin does:** `check_output` fires on `message_sending` before anything reaches the user channel, and scans every outbound message for SSN, credit card, API key, and other 80+ policy matches — redacting or blocking per policy.
+
+### 3. "The compliance question nobody can answer"
+
+Six months later, a regulator asks: *"For this interaction on March 14, which tools were called, what data did they access, which policies were in effect, and why was the response allowed?"* OpenClaw's execution logs show a tool was called and succeeded. The *decision context* does not exist.
+
+**What the plugin does:** every governed call emits a structured audit record with tool, input, output summary, matched policies, decision, and duration. Search via `searchAuditEvents()` or the Customer Portal.
+
+---
+
+## Install
 
-The `clawhub:@axonflow/openclaw` form also works if you prefer to be explicit about the source:
+Requires OpenClaw **2026.4.14 or later**. Upgrade with `npm install -g openclaw@latest` if needed.
 
 ```bash
-openclaw plugins install clawhub:@axonflow/openclaw
+openclaw plugins install @axonflow/openclaw
 ```
 
-Requires OpenClaw **2026.4.14 or later**. If you are not on the latest, upgrade with `npm install -g openclaw@latest`.
+Available on [ClawHub](https://clawhub.ai/plugins/%40axonflow%2Fopenclaw) and [npm](https://www.npmjs.com/package/@axonflow/openclaw). The `clawhub:@axonflow/openclaw` form works if you prefer to be explicit about the source.
 
 <details>
-<summary>On an older OpenClaw CLI? The old workaround is still needed.</summary>
+<summary>On an older OpenClaw CLI? The ENOENT workaround still applies.</summary>
 
 OpenClaw versions before 2026.4.14 had a bug ([openclaw/openclaw#66618](https://github.com/openclaw/openclaw/issues/66618)) that made scoped packages fail with `ENOENT .../openclaw-clawhub-package-XXXXXX/@axonflow/openclaw.zip` — both forms of the install command hit it. The fix shipped in 2026.4.14. If you cannot upgrade, install from npm directly:
 
@@ -86,111 +126,157 @@ openclaw plugins install "./$TGZ"
 ```
 </details>
 
-For the full integration walkthrough (architecture, hook coverage, policy examples, troubleshooting), see the [OpenClaw Integration Guide](https://docs.getaxonflow.com/docs/integration/openclaw/).
+### Start AxonFlow
+
+The plugin connects to AxonFlow, a self-hosted governance platform. AxonFlow must be running before the plugin loads. Everything stays on your infrastructure.
+
+```bash
+git clone https://github.com/getaxonflow/axonflow.git
+cd axonflow && docker compose up -d
+```
+
+See [Getting Started](https://docs.getaxonflow.com/docs/getting-started/) for production deployment options.
+
+---
 
 ## Configure
 
-In your OpenClaw config:
+Minimal configuration — community mode needs nothing beyond `endpoint`:
 
 ```yaml
+# openclaw.config.yaml
 plugins:
   @axonflow/openclaw:
     endpoint: http://localhost:8080
-    # In community mode, clientId defaults to "community"
-    # and clientSecret can be left unset.
-    # Set both only for evaluation/enterprise credentials.
-    # clientId: your-client-id
-    # clientSecret: your-client-secret
-    # requestTimeoutMs: 8000
     highRiskTools:
       - web_fetch
       - message
 ```
 
-### Configuration Options
+That's it. Every governed tool call now flows through AxonFlow policy enforcement. `clientId` defaults to `"community"` and `clientSecret` can be left unset — add them only for evaluation or enterprise credentials.
+
+### Full configuration reference
 
 | Option | Required | Default | Description |
 |--------|----------|---------|-------------|
 | `endpoint` | Yes | — | AxonFlow agent gateway URL |
 | `clientId` | No | `"community"` | Tenant identity for data isolation. Override for evaluation/enterprise. |
-| `clientSecret` | No | `""` | License key for evaluation/enterprise features. Requires `clientId` to be set. |
+| `clientSecret` | No | `""` | Basic-auth secret paired with `clientId`. Required for evaluation/enterprise tenants; leave unset in community mode. |
+| `userEmail` | No | — | Per-user identity forwarded on explain/override calls. Shared agents should set this from session context. |
 | `highRiskTools` | No | `[]` | Tools that require human approval even when policy allows |
 | `governedTools` | No | `[]` (all) | Tools to govern. Empty = all tools. |
-| `excludedTools` | No | `[]` | Tools to exclude from governance |
-| `defaultOperation` | No | `"execute"` | Operation type for mcp_check_input (`"execute"` or `"query"`) |
-| `onError` | No | `"block"` | Behavior when AxonFlow is unreachable: `"block"` (fail-closed) or `"allow"` (fail-open) |
-| `requestTimeoutMs` | No | `8000` | Timeout for policy checks, output scans, audit writes, and health checks. Increase for remote AxonFlow deployments. |
+| `excludedTools` | No | `[]` | Tools to exclude from governance. Takes precedence over `governedTools`. |
+| `defaultOperation` | No | `"execute"` | Operation type for `check_input` (`"execute"` or `"query"`) |
+| `onError` | No | `"block"` | Governs behavior on **auth/config errors only** (401/403). `"block"` denies the tool call with a message telling the operator to fix configuration; `"allow"` lets the call through ungoverned. Does not apply to network/transient errors — see Fail behavior below. |
+| `requestTimeoutMs` | No | `8000` | Timeout for policy checks, output scans, audit writes, and health checks |
+
+### Fail behavior
+
+The plugin classifies errors from the AxonFlow client into two buckets and applies different rules per hook.
+
+| Hook | Transient network error (timeout, DNS, connection refused, 5xx) | Auth/config error (401 / 403) |
+|---|---|---|
+| `before_tool_call` | **Always fail-open** — tool call proceeds regardless of `onError`. Transient infrastructure issues should not block legitimate dev workflows. |  Respects `onError`. With the default `"block"`, the tool call is denied with a message pointing at the misconfiguration. With `"allow"`, the call proceeds ungoverned. |
+| `message_sending` | Respects `onError`. With `"block"` (default), the outbound message is cancelled. With `"allow"`, it is delivered ungoverned. | Same as network error — respects `onError`. |
+| `after_tool_call`, `llm_input`, `llm_output` (audit) | Always silently caught. Governance was already enforced on the pre-execution hook. | Always silently caught. |
+
+If you need tool-execution itself to fail-closed during an AxonFlow outage (for example on a production infrastructure agent), pair the plugin with an OpenClaw-side health check or a front-door liveness gate — the plugin alone will not achieve that for `before_tool_call`.
 
-**Valid configurations:**
-- Both omitted → community mode (`clientId` defaults to `"community"`)
-- `clientId` only → community mode with custom tenant identity
-- Both set → licensed mode (evaluation/enterprise)
-- `clientSecret` only → **error** (licensed mode requires explicit tenant identity to prevent data going to the wrong tenant)
+---
+
+## Use-case recipes
+
+### DevOps / coding agent — heavy exec usage
+
+```yaml
+plugins:
+  @axonflow/openclaw:
+    endpoint: http://localhost:8080
+    highRiskTools: [exec, process]
+    excludedTools: [get_current_time, list_models]
+    onError: block
+```
 
-## How It Works
+### Customer support agent — Slack/Discord/Telegram
 
+```yaml
+plugins:
+  @axonflow/openclaw:
+    endpoint: http://localhost:8080
+    highRiskTools: [message, execute_sql, send_email]
+    onError: block
 ```
-User sends message → OpenClaw receives
-    │
-    ▼
-┌─────────────────────────────────────────────┐
-│ llm_input (audit)                           │
-│ → Record prompt, model, provider            │
-└─────────────────────────────────────────────┘
-    │
-    ▼
-LLM generates response (may include tool calls)
-    │
-    ▼
-┌─────────────────────────────────────────────┐
-│ llm_output (audit)                          │
-│ → Record response, tokens, latency          │
-└─────────────────────────────────────────────┘
-    │
-    ▼  (if tool calls in response)
-┌─────────────────────────────────────────────┐
-│ before_tool_call (governance)               │
-│ → mcp_check_input(openclaw.{tool}, args)    │
-│ → BLOCK / REQUIRE APPROVAL / ALLOW          │
-└─────────────────────────────────────────────┘
-    │
-    ▼
-Tool executes (web_fetch, message, MCP, etc.)
-    │
-    ▼
-Tool result persisted to session transcript
-(not scanned — pending async hook support)
-    │
-    ▼
-┌─────────────────────────────────────────────┐
-│ after_tool_call (audit)                     │
-│ → audit_tool_call(tool, params, result)     │
-└─────────────────────────────────────────────┘
-    │
-    ▼
-┌─────────────────────────────────────────────┐
-│ message_sending (governance)                │
-│ → mcp_check_output(openclaw.message_sending) │
-│ → CANCEL / REDACT / ALLOW                   │
-└─────────────────────────────────────────────┘
-    │
-    ▼
-Message delivered to user channel
+
+### Self-healing infrastructure agent — highest risk
+
+```yaml
+plugins:
+  @axonflow/openclaw:
+    endpoint: http://localhost:8080
+    highRiskTools: [exec, process, web_fetch]
+    onError: block  # auth-error path and message_sending fail-closed; see Fail behavior above
 ```
 
-## Telemetry
+More examples — content/social agents, data analysts, RAG pipelines — in the [integration guide](https://docs.getaxonflow.com/docs/integration/openclaw/#use-case-configuration-examples).
+
+---
+
+## MCP tools available to your agent
+
+Beyond the lifecycle hooks, OpenClaw agents can call **10 MCP tools** via the agent's MCP server at `/api/v1/mcp-server`. These are served by the platform (not the plugin), so new tools become available to every plugin without a code change.
 
-This plugin sends an anonymous telemetry ping on initialization to help us understand usage patterns, including local and self-hosted evaluations. The ping includes: plugin version, platform info (OS, architecture, Node.js version), AxonFlow platform version, and hook configuration (count, onError mode). No PII, no tool arguments, no policy data.
+**Governance (6):** `check_policy`, `check_output`, `audit_tool_call`, `list_policies`, `get_policy_stats`, `search_audit_events`
 
-Opt out:
-- `DO_NOT_TRACK=1` (standard)
-- `AXONFLOW_TELEMETRY=off`
+**Explainability & overrides (4):** `explain_decision`, `create_override`, `delete_override`, `list_overrides`
 
-The startup ping is enabled by default for local, self-hosted, and remote deployments. Opt-out controls always win.
+When a tool call is blocked, the agent can surface the `decision_id` to the operator, call `explain_decision` to reveal the triggering policy family, and — if the decision is overridable — call `create_override` with mandatory justification for a short-lived, audit-logged exception. Operators never leave the OpenClaw session.
 
-## Starter Policies
+See [Decision Explainability](https://docs.getaxonflow.com/docs/governance/explainability/) and [Session Overrides](https://docs.getaxonflow.com/docs/governance/overrides/).
 
-See [policies/README.md](./policies/README.md) for recommended policy setup for OpenClaw deployments, including protections against reverse shells, credential exfiltration, SSRF, path traversal, and agent config file poisoning.
+---
+
+## What's covered today, and what's not
+
+**Protected today:**
+- Tool inputs before execution
+- Outbound messages before delivery
+- Tool and LLM audit trails (including search & explainability)
+- Decision-level overrides with per-user attribution
+
+**Not protected yet:**
+- Tool results written into the session transcript (OpenClaw's `tool_result_persist` hook is synchronous and cannot call AxonFlow's HTTP APIs)
+
+PII in tool results is still caught by `message_sending` before it reaches the end user, but it is visible to the LLM. When OpenClaw adds async support for `tool_result_persist`, this plugin will add transcript scanning immediately. Upstream issue: [openclaw/openclaw#58558](https://github.com/openclaw/openclaw/issues/58558).
+
+---
+
+## Latency
+
+| Operation | Typical overhead |
+|-----------|-----------------|
+| Policy pre-check | 2–5 ms |
+| PII / secrets detection | 1–3 ms |
+| SQL-injection scan | 1–2 ms |
+| Audit write (async) | 0 ms (non-blocking) |
+| **Total per-tool overhead** | **3–10 ms** |
+
+Imperceptible for interactive agents.
+
+---
+
+## Starter policies
+
+The [policies directory](./policies) ships research-backed starter policies addressing the top 10 OpenClaw security risks — reverse shells, SSRF, credential exfiltration, path traversal, agent config poisoning, prompt injection, and more. Ready-to-use SQL INSERT statements and setup instructions included.
+
+---
+
+## Telemetry
+
+The plugin sends a one-time anonymous ping on initialization so AxonFlow can understand adoption and environment shape. Includes plugin version, OS/arch, Node.js version, AxonFlow platform version, hook configuration summary. **Never** includes message contents, tool arguments, or policy data.
+
+Opt out with `AXONFLOW_TELEMETRY=off` (canonical). `DO_NOT_TRACK=1` is still honored for backward compatibility but is **deprecated** and scheduled for removal after 2026-05-05 in the next major release — the plugin emits a one-time warning when `DO_NOT_TRACK=1` is the active control and `AXONFLOW_TELEMETRY=off` is not also set.
+
+---
 
 ## Testing
 
@@ -204,25 +290,27 @@ Smoke E2E (requires a live AxonFlow stack at `localhost:8080`):
 
 ```bash
 npm ci && npm run build
-# Start a stack via axonflow-enterprise (see its setup-e2e-testing.sh)
+# Start a local AxonFlow stack first — `docker compose up -d` in
+# the axonflow repo, or point AXONFLOW_ENDPOINT at an existing one.
 node tests/e2e/smoke-block-context.mjs
 ```
 
-The smoke scenario uses `AxonFlowClient.mcpCheckInput` to fire a
-SQLi-bearing statement against a running platform and asserts the
-response carries Plugin Batch 1 richer-context fields (`decision_id`,
-`risk_level`, `policy_matches`). Exits 0 with a `SKIP:` message if no
-stack is reachable. In CI, run manually via `workflow_dispatch` with a
-reachable endpoint (GitHub-hosted runners have no local stack).
+The smoke scenario uses `AxonFlowClient.mcpCheckInput` to fire a SQLi-bearing statement against a running platform and asserts the response carries richer-context fields (`decision_id`, `risk_level`, `policy_matches`). Exits 0 with a `SKIP:` message if no stack is reachable.
+
+For the broader validation story — explain-decision, override lifecycle, audit-filter parity, cache invalidation — see the [OpenClaw integration guide](https://docs.getaxonflow.com/docs/integration/openclaw/).
 
-Full install-and-use matrix (explain, override lifecycle, audit filter
-parity, cache invalidation) lives in `axonflow-enterprise/tests/e2e/plugin-batch-1/openclaw-install/`.
+---
 
 ## Links
 
+- **[OpenClaw Integration Guide](https://docs.getaxonflow.com/docs/integration/openclaw/)** — the full walkthrough (recommended starting point)
 - [AxonFlow Documentation](https://docs.getaxonflow.com)
-- [OpenClaw Integration Guide](https://docs.getaxonflow.com/docs/integration/openclaw/)
 - [Policy Enforcement](https://docs.getaxonflow.com/docs/mcp/policy-enforcement/)
+- [Decision Explainability](https://docs.getaxonflow.com/docs/governance/explainability/)
+- [Session Overrides](https://docs.getaxonflow.com/docs/governance/overrides/)
+- [PII Detection](https://docs.getaxonflow.com/docs/security/pii-detection/)
+- [Audit Logging](https://docs.getaxonflow.com/docs/governance/audit-logging/)
+- Sister plugins: [Claude Code](https://github.com/getaxonflow/axonflow-claude-plugin) · [Cursor](https://github.com/getaxonflow/axonflow-cursor-plugin) · [Codex](https://github.com/getaxonflow/axonflow-codex-plugin)
 
 ## License
 

package/dist/index.d.ts

@@ -31,7 +31,7 @@
  * for async hook support.
  */
 /** Plugin version — update before each release. */
-export declare const VERSION = "1.3.1";
+export declare const VERSION = "1.3.2";
 export { AxonFlowClient } from "./axonflow-client.js";
 export type { AxonFlowPluginConfig } from "./config.js";
 export { resolveConfig, shouldGovernTool } from "./config.js";

package/dist/index.js

@@ -39,7 +39,7 @@ import { createLlmInputHandler, createLlmOutputHandler } from "./llm-audit.js";
 import { sendTelemetryPing } from "./telemetry.js";
 import { resetMetrics } from "./metrics.js";
 /** Plugin version — update before each release. */
-export const VERSION = "1.3.1";
+export const VERSION = "1.3.2";
 // Re-export for external consumers
 export { AxonFlowClient } from "./axonflow-client.js";
 export { resolveConfig, shouldGovernTool } from "./config.js";

package/dist/telemetry-config.d.ts

@@ -6,7 +6,11 @@
  * does not co-locate environment reads and outbound HTTP in the same file.
  */
 export interface TelemetryConfig {
-    /** True if the user has opted out via DO_NOT_TRACK or AXONFLOW_TELEMETRY=off. */
+    /**
+     * True if the user has opted out via AXONFLOW_TELEMETRY=off (canonical) or
+     * DO_NOT_TRACK=1 (deprecated — scheduled for removal after 2026-05-05 in the
+     * next major release).
+     */
     optedOut: boolean;
     /** Endpoint that receives the anonymous ping. Configurable for self-hosted checkpoint deployments. */
     checkpointUrl: string;

package/dist/telemetry-config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"telemetry-config.d.ts","sourceRoot":"","sources":["../src/telemetry-config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,MAAM,WAAW,eAAe;IAC9B,iFAAiF;IACjF,QAAQ,EAAE,OAAO,CAAC;IAClB,sGAAsG;IACtG,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,wBAAgB,mBAAmB,IAAI,eAAe,CAcrD"}
+{"version":3,"file":"telemetry-config.d.ts","sourceRoot":"","sources":["../src/telemetry-config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,MAAM,WAAW,eAAe;IAC9B;;;;OAIG;IACH,QAAQ,EAAE,OAAO,CAAC;IAClB,sGAAsG;IACtG,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,wBAAgB,mBAAmB,IAAI,eAAe,CA0BrD"}

package/dist/telemetry-config.js

@@ -11,9 +11,22 @@ export function loadTelemetryConfig() {
         return { optedOut: false, checkpointUrl: DEFAULT_CHECKPOINT_URL };
     }
     const env = process.env;
-    const optedOut = env.DO_NOT_TRACK?.trim() === "1" ||
-        env.AXONFLOW_TELEMETRY?.trim().toLowerCase() === "off";
+    const dntActive = env.DO_NOT_TRACK?.trim() === "1";
+    const axonflowTelemetryOff = env.AXONFLOW_TELEMETRY?.trim().toLowerCase() === "off";
+    const optedOut = dntActive || axonflowTelemetryOff;
+    // Deprecation warning — fires only when DO_NOT_TRACK is the active control
+    // and AXONFLOW_TELEMETRY=off is NOT set. If both are set, the operator has
+    // already migrated to the canonical switch; no warning. Guarded to run at
+    // most once per plugin process via a module-level sentinel.
+    if (dntActive && !axonflowTelemetryOff && !doNotTrackDeprecationWarningShown) {
+        doNotTrackDeprecationWarningShown = true;
+        // eslint-disable-next-line no-console
+        console.warn("[AxonFlow] DO_NOT_TRACK=1 is deprecated as an AxonFlow telemetry opt-out and will be removed after 2026-05-05 in the next major release. Set AXONFLOW_TELEMETRY=off to opt out going forward. See https://docs.getaxonflow.com/docs/telemetry for details.");
+    }
     const checkpointUrl = env.AXONFLOW_CHECKPOINT_URL || DEFAULT_CHECKPOINT_URL;
     return { optedOut, checkpointUrl };
 }
+// Module-level sentinel keeps the deprecation warning to one emission per
+// process even if loadTelemetryConfig is called from multiple code paths.
+let doNotTrackDeprecationWarningShown = false;
 //# sourceMappingURL=telemetry-config.js.map

package/dist/telemetry-config.js.map

@@ -1 +1 @@
-{"version":3,"file":"telemetry-config.js","sourceRoot":"","sources":["../src/telemetry-config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,sBAAsB,GAAG,4CAA4C,CAAC;AAS5E,MAAM,UAAU,mBAAmB;IACjC,IAAI,OAAO,OAAO,KAAK,WAAW,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;QACnD,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,aAAa,EAAE,sBAAsB,EAAE,CAAC;IACpE,CAAC;IAED,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;IAExB,MAAM,QAAQ,GACZ,GAAG,CAAC,YAAY,EAAE,IAAI,EAAE,KAAK,GAAG;QAChC,GAAG,CAAC,kBAAkB,EAAE,IAAI,EAAE,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC;IAEzD,MAAM,aAAa,GAAG,GAAG,CAAC,uBAAuB,IAAI,sBAAsB,CAAC;IAE5E,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,CAAC;AACrC,CAAC"}
+{"version":3,"file":"telemetry-config.js","sourceRoot":"","sources":["../src/telemetry-config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,sBAAsB,GAAG,4CAA4C,CAAC;AAa5E,MAAM,UAAU,mBAAmB;IACjC,IAAI,OAAO,OAAO,KAAK,WAAW,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;QACnD,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,aAAa,EAAE,sBAAsB,EAAE,CAAC;IACpE,CAAC;IAED,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;IAExB,MAAM,SAAS,GAAG,GAAG,CAAC,YAAY,EAAE,IAAI,EAAE,KAAK,GAAG,CAAC;IACnD,MAAM,oBAAoB,GAAG,GAAG,CAAC,kBAAkB,EAAE,IAAI,EAAE,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC;IACpF,MAAM,QAAQ,GAAG,SAAS,IAAI,oBAAoB,CAAC;IAEnD,2EAA2E;IAC3E,2EAA2E;IAC3E,0EAA0E;IAC1E,4DAA4D;IAC5D,IAAI,SAAS,IAAI,CAAC,oBAAoB,IAAI,CAAC,iCAAiC,EAAE,CAAC;QAC7E,iCAAiC,GAAG,IAAI,CAAC;QACzC,sCAAsC;QACtC,OAAO,CAAC,IAAI,CACV,4PAA4P,CAC7P,CAAC;IACJ,CAAC;IAED,MAAM,aAAa,GAAG,GAAG,CAAC,uBAAuB,IAAI,sBAAsB,CAAC;IAE5E,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,CAAC;AACrC,CAAC;AAED,0EAA0E;AAC1E,0EAA0E;AAC1E,IAAI,iCAAiC,GAAG,KAAK,CAAC"}

package/dist/telemetry.d.ts

@@ -5,7 +5,10 @@
  * checkpoint.getaxonflow.com. Collects SDK version, platform info,
  * and OpenClaw version. No PII, no tool arguments, no policy data.
  *
- * Opt out: DO_NOT_TRACK=1 or AXONFLOW_TELEMETRY=off
+ * Opt out: AXONFLOW_TELEMETRY=off (canonical)
+ * Also honored for backward compatibility: DO_NOT_TRACK=1 (deprecated — removed
+ * after 2026-05-05 in the next major release; a one-time warning emits when
+ * it's the active opt-out so operators can migrate).
  *
  * Configuration resolution (opt-out flags and checkpoint URL) lives in
  * telemetry-config.ts so this file only handles the network-sending side.

package/dist/telemetry.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"telemetry.d.ts","sourceRoot":"","sources":["../src/telemetry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAwBH,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,EAAE,MAAM,CAAC;IACpB,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,eAAe,EAAE,MAAM,CAAC;IACxB,eAAe,EAAE,MAAM,CAAC;IACxB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB;AA2BD;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,OAAO,EAAE,MAAM,CAAC;CACjB,GAAG,IAAI,CA4DP"}
+{"version":3,"file":"telemetry.d.ts","sourceRoot":"","sources":["../src/telemetry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAwBH,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,EAAE,MAAM,CAAC;IACpB,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,eAAe,EAAE,MAAM,CAAC;IACxB,eAAe,EAAE,MAAM,CAAC;IACxB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB;AA2BD;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,OAAO,EAAE,MAAM,CAAC;CACjB,GAAG,IAAI,CA4DP"}

package/dist/telemetry.js

@@ -5,7 +5,10 @@
  * checkpoint.getaxonflow.com. Collects SDK version, platform info,
  * and OpenClaw version. No PII, no tool arguments, no policy data.
  *
- * Opt out: DO_NOT_TRACK=1 or AXONFLOW_TELEMETRY=off
+ * Opt out: AXONFLOW_TELEMETRY=off (canonical)
+ * Also honored for backward compatibility: DO_NOT_TRACK=1 (deprecated — removed
+ * after 2026-05-05 in the next major release; a one-time warning emits when
+ * it's the active opt-out so operators can migrate).
  *
  * Configuration resolution (opt-out flags and checkpoint URL) lives in
  * telemetry-config.ts so this file only handles the network-sending side.
@@ -64,7 +67,7 @@ export function sendTelemetryPing(options) {
         return;
     }
     if (typeof console !== "undefined") {
-        console.log("[AxonFlow] Anonymous telemetry enabled for local and self-hosted use. Opt out: DO_NOT_TRACK=1 or AXONFLOW_TELEMETRY=off | https://docs.getaxonflow.com/docs/telemetry");
+        console.log("[AxonFlow] Anonymous telemetry enabled for local and self-hosted use. Opt out: AXONFLOW_TELEMETRY=off | https://docs.getaxonflow.com/docs/telemetry");
     }
     // Runtime metadata (platform, arch, runtime version) for the payload.
     const proc = typeof process !== "undefined" ? process : null;

package/dist/telemetry.js.map

@@ -1 +1 @@
-{"version":3,"file":"telemetry.js","sourceRoot":"","sources":["../src/telemetry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAE5D,MAAM,oBAAoB,GAAG,IAAI,CAAC;AAElC,SAAS,kBAAkB;IACzB,IAAI,CAAC;QACH,IACE,OAAO,MAAM,KAAK,WAAW;YAC7B,OAAO,MAAM,CAAC,UAAU,KAAK,UAAU,EACvC,CAAC;YACD,OAAO,MAAM,CAAC,UAAU,EAAE,CAAC;QAC7B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,2BAA2B;IAC7B,CAAC;IACD,OAAO,sCAAsC,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;QACnE,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;QACnC,MAAM,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,GAAG,CAAC;QAC1C,OAAO,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IACxB,CAAC,CAAC,CAAC;AACL,CAAC;AAcD;;GAEG;AACH,KAAK,UAAU,qBAAqB,CAClC,QAAgB;IAEhB,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,CAAC;IAC7D,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,SAAS,EAAE;YAC7C,MAAM,EAAE,KAAK;YACb,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B,CAAC,CAAC;QACH,YAAY,CAAC,SAAS,CAAC,CAAC;QACxB,IAAI,CAAC,IAAI,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QAC1B,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAA4B,CAAC;QAC5D,OAAO,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO;YACrD,CAAC,CAAC,IAAI,CAAC,OAAO;YACd,CAAC,CAAC,IAAI,CAAC;IACX,CAAC;IAAC,MAAM,CAAC;QACP,YAAY,CAAC,SAAS,CAAC,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAMjC;IACC,MAAM,MAAM,GAAG,mBAAmB,EAAE,CAAC;IACrC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,OAAO;IACT,CAAC;IAED,IAAI,OAAO,OAAO,KAAK,WAAW,EAAE,CAAC;QACnC,OAAO,CAAC,GAAG,CACT,uKAAuK,CACxK,CAAC;IACJ,CAAC;IAED,sEAAsE;IACtE,MAAM,IAAI,GAAG,OAAO,OAAO,KAAK,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;IAE7D,MAAM,OAAO,GAAqB;QAChC,GAAG,EAAE,iBAAiB;QACtB,WAAW,EAAE,OAAO,CAAC,aAAa;QAClC,gBAAgB,EAAE,IAAI;QACtB,EAAE,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;QACpC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;QAClC,eAAe,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS;QAClE,eAAe,EAAE,OAAO,CAAC,OAAO,KAAK,OAAO,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,aAAa;QAC3E,QAAQ,EAAE;YACR,SAAS,OAAO,CAAC,SAAS,EAAE;YAC5B,mBAAmB,OAAO,CAAC,iBAAiB,EAAE;YAC9C,YAAY,OAAO,CAAC,OAAO,EAAE;SAC9B;QACD,WAAW,EAAE,kBAAkB,EAAE;KAClC,CAAC;IAEF,IAAI,CAAC;QACH,KAAK,CAAC,KAAK,IAAI,EAAE;YACf,IAAI,CAAC;gBACH,OAAO,CAAC,gBAAgB,GAAG,MAAM,qBAAqB,CACpD,OAAO,CAAC,QAAQ,CACjB,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,yCAAyC;YAC3C,CAAC;YAED,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,oBAAoB,CAAC,CAAC;YAE7E,IAAI,CAAC;gBACH,MAAM,KAAK,CAAC,MAAM,CAAC,aAAa,EAAE;oBAChC,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;oBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;oBAC7B,MAAM,EAAE,UAAU,CAAC,MAAM;iBAC1B,CAAC,CAAC;YACL,CAAC;oBAAS,CAAC;gBACT,YAAY,CAAC,SAAS,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE;YACd,iEAAiE;QACnE,CAAC,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,iBAAiB;IACnB,CAAC;AACH,CAAC"}
+{"version":3,"file":"telemetry.js","sourceRoot":"","sources":["../src/telemetry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAE5D,MAAM,oBAAoB,GAAG,IAAI,CAAC;AAElC,SAAS,kBAAkB;IACzB,IAAI,CAAC;QACH,IACE,OAAO,MAAM,KAAK,WAAW;YAC7B,OAAO,MAAM,CAAC,UAAU,KAAK,UAAU,EACvC,CAAC;YACD,OAAO,MAAM,CAAC,UAAU,EAAE,CAAC;QAC7B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,2BAA2B;IAC7B,CAAC;IACD,OAAO,sCAAsC,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;QACnE,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;QACnC,MAAM,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,GAAG,CAAC;QAC1C,OAAO,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IACxB,CAAC,CAAC,CAAC;AACL,CAAC;AAcD;;GAEG;AACH,KAAK,UAAU,qBAAqB,CAClC,QAAgB;IAEhB,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,CAAC;IAC7D,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,SAAS,EAAE;YAC7C,MAAM,EAAE,KAAK;YACb,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B,CAAC,CAAC;QACH,YAAY,CAAC,SAAS,CAAC,CAAC;QACxB,IAAI,CAAC,IAAI,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QAC1B,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAA4B,CAAC;QAC5D,OAAO,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO;YACrD,CAAC,CAAC,IAAI,CAAC,OAAO;YACd,CAAC,CAAC,IAAI,CAAC;IACX,CAAC;IAAC,MAAM,CAAC;QACP,YAAY,CAAC,SAAS,CAAC,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAMjC;IACC,MAAM,MAAM,GAAG,mBAAmB,EAAE,CAAC;IACrC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,OAAO;IACT,CAAC;IAED,IAAI,OAAO,OAAO,KAAK,WAAW,EAAE,CAAC;QACnC,OAAO,CAAC,GAAG,CACT,qJAAqJ,CACtJ,CAAC;IACJ,CAAC;IAED,sEAAsE;IACtE,MAAM,IAAI,GAAG,OAAO,OAAO,KAAK,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;IAE7D,MAAM,OAAO,GAAqB;QAChC,GAAG,EAAE,iBAAiB;QACtB,WAAW,EAAE,OAAO,CAAC,aAAa;QAClC,gBAAgB,EAAE,IAAI;QACtB,EAAE,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;QACpC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;QAClC,eAAe,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS;QAClE,eAAe,EAAE,OAAO,CAAC,OAAO,KAAK,OAAO,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,aAAa;QAC3E,QAAQ,EAAE;YACR,SAAS,OAAO,CAAC,SAAS,EAAE;YAC5B,mBAAmB,OAAO,CAAC,iBAAiB,EAAE;YAC9C,YAAY,OAAO,CAAC,OAAO,EAAE;SAC9B;QACD,WAAW,EAAE,kBAAkB,EAAE;KAClC,CAAC;IAEF,IAAI,CAAC;QACH,KAAK,CAAC,KAAK,IAAI,EAAE;YACf,IAAI,CAAC;gBACH,OAAO,CAAC,gBAAgB,GAAG,MAAM,qBAAqB,CACpD,OAAO,CAAC,QAAQ,CACjB,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,yCAAyC;YAC3C,CAAC;YAED,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,oBAAoB,CAAC,CAAC;YAE7E,IAAI,CAAC;gBACH,MAAM,KAAK,CAAC,MAAM,CAAC,aAAa,EAAE;oBAChC,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;oBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;oBAC7B,MAAM,EAAE,UAAU,CAAC,MAAM;iBAC1B,CAAC,CAAC;YACL,CAAC;oBAAS,CAAC;gBACT,YAAY,CAAC,SAAS,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE;YACd,iEAAiE;QACnE,CAAC,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,iBAAiB;IACnB,CAAC;AACH,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@axonflow/openclaw",
-  "version": "1.3.1",
+  "version": "1.3.2",
   "description": "Policy enforcement, approval gates, and audit trails for OpenClaw — govern tool inputs before execution, scan outbound messages for PII/secrets, and record agent activity for review and compliance",
   "type": "module",
   "main": "dist/index.js",