@cernion/openclaw-energy-tools-sidecar 0.1.0

package/CHANGELOG.md

@@ -0,0 +1,12 @@
+# Changelog
+
+All notable changes to the Cernion Energy Tools Sidecar for OpenClaw are documented here.
+
+## 0.1.0 - Unreleased
+
+- Initial dedicated Cernion Energy Tools Sidecar package for OpenClaw.
+- Exposes Cernion descriptor, tool-list, provider tool calls, Knowledge RAG, OSM grid context, Evidence Router, process-intake, capability/operation resolution, read-only REST plan execution, and direct read-only Cernion API requests.
+- Keeps read-only evidence and process-intake tokens separated.
+- Blocks admin/auth/token/HITL-resolve/provider-tool recursion paths in read-only REST execution.
+- Adds asset-list pagination and CSV/XLS export guidance for `/api/assets...` GET requests.
+- Includes Docker demo workspace and smoke test.

package/CONTRIBUTING.md

@@ -0,0 +1,31 @@
+# Contributing
+
+This repository contains the dedicated Cernion Energy Tools Sidecar for OpenClaw.
+
+## Development
+
+```bash
+npm ci
+npm run build
+npm test
+npm run plugin:validate
+```
+
+## Design Rules
+
+- Keep Cernion Energy Tools as the provider and policy owner.
+- Do not hard-code new domain routing in the Sidecar when Cernion can expose it through `cernion.ask`, the Evidence Router, capabilities, or operation manifests.
+- Keep read-only evidence and process-intake boundaries separate.
+- Never add admin, auth, token, secret, HITL-resolve, provider-tool recursion, or mutation paths to read-only REST execution.
+- Scrub bearer tokens from all returned payloads and errors.
+- Update README, tests, and `dist/` for user-visible tool or package changes.
+
+## Release Checklist
+
+- `npm ci`
+- `npm run build`
+- `npm test`
+- `npm run plugin:validate`
+- `npm pack --dry-run`
+- update `CHANGELOG.md`
+- tag the release

package/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -0,0 +1,202 @@
+# Cernion Energy Tools Sidecar for OpenClaw
+
+Dedicated OpenClaw tool plugin for Cernion Energy Tools.
+
+Cernion Energy Tools is a Swiss Army Knife for energy questions: it combines
+asset inventories, MaStR evidence, grid context, regulatory/procedural
+knowledge, process intake, and read-only operational APIs into one fachliche
+evidence layer. The Sidecar makes that layer available inside OpenClaw so an
+energy-domain assistant can answer with Cernion-backed facts instead of generic
+model memory.
+
+The plugin is the ideal fachliche companion for people working in the energy
+sector: grid planning, asset-MDM, Redispatch, Zielnetzplanung, §14a/§14d,
+market communication, storage/PV/load siting, and operational readiness checks.
+
+The plugin consumes the Cernion Sidecar contract implemented by Cernion Energy Tools:
+
+- `GET /api/agent-sidecar/descriptor`
+- `GET /api/agent-sidecar/mcp/tools`
+- `POST /api/agent-sidecar/mcp/tools/:name/call`
+- `POST /api/agent-sidecar/mcp/tools/cernion.ask/call`
+- `POST /api/knowledge-rag/query`
+- `POST /api/evidence-router/route`
+- `POST /api/copilot-process/intents`
+- `GET /api/_agent/capabilities[?domain=]`
+- `GET /api/_agent/capabilities/:name`
+- `GET /api/_agent/operations[?domain=]`
+
+The Cernion provider remains the policy owner. This plugin stores host-side configuration, discovers tools, and forwards calls through separated provider boundaries:
+
+- read-only evidence lookup/execution, using the read-only Cernion token
+- read-only regulatory and procedural knowledge lookup through Cernion Knowledge RAG
+- process intake, using a separate process token and creating only `pending_confirmation` receipts
+
+It does not implement Cernion domain logic and must not expose admin/token/HITL-resolve actions. Cernion Energy Tools remains the source of truth for capabilities, policies, evidence semantics, and executable read-only REST plans.
+
+`cernion.ask` is the generic learning/compile boundary for OpenClaw. It may return a direct read-only REST execution plan that was selected by Cernion's Blueprint/Capability runtime. OpenClaw can then ask this plugin to proxy that plan against the configured Cernion `baseUrl` without learning tokens or hard-coding domain routing in the Sidecar.
+
+## Tools
+
+- `cernion_sidecar_descriptor` loads the Cernion Energy Tools Sidecar descriptor.
+- `cernion_sidecar_tools` loads the MCP/OpenClaw-like tool list.
+- `cernion_sidecar_call` calls one curated Cernion provider tool through the provider policy gate.
+- `cernion_query_domain_knowledge` queries Cernion Knowledge RAG for regulatory, procedural, and fachliche evidence such as laws, BNetzA guidance, Verfahrensanweisungen, roles, obligations, definitions, and job-help context. It starts the async Knowledge RAG job, waits briefly for the result, and returns an `evidenceAssessment`. This assessment describes primary-source support for hard legal/procedural claims, not the value of Cernion domain knowledge itself. If `evidenceAdequacy` is `low`, OpenClaw should say that Cernion returned useful domain/strategy knowledge but not enough primary-source support for hard obligations.
+- `cernion_query_grid_context` queries Cernion OSM Geo for visible grid infrastructure context such as substations, transformers, voltage-level hints, lines, and topology metrics. Use it for ZNP, Netzanschluss, data-center/PV/BESS/HPC siting, fNAV, and likely critical voltage-level hypotheses. For broad county or region searches, query substations first and enable full topology only for candidate-place drill-down. Treat the result as OSM-based hypothesis evidence, not as a capacity proof or complete grid-operator asset model. For data centers and other large loads, explicit grid-connection availability maps, published capacity, and operator-confirmed Anschlusskapazität outrank generic grid-expansion or OSM proximity evidence.
+- `cernion_route_evidence` calls Cernion's backend Evidence Router and returns read-only endpoint recommendations plus result semantics.
+- `cernion_execute_evidence_endpoint` executes one GET or POST read-only endpoint recommended by `cernion_route_evidence`, requiring `policy.readOnly=true` and `sideEffects=none`. For `/api/assets...` GETs, the Sidecar sets an explicit default `limit=500` when no limit is supplied and adds `_sidecar` pagination/export guidance when the returned rows exhaust the requested limit.
+- `cernion_prepare_process_intent` calls Cernion's separate Process Intake boundary and creates only a `pending_confirmation` receipt. It uses a separate process token.
+- `cernion_ask` calls the generic `cernion.ask` provider tool and returns structured answers, evidence, capability/blueprint hints, and optional read-only REST execution plans.
+- `cernion_resolve_capabilities` resolves llm.txt capability cluster heads to full capability details, optionally filtered by `domain`.
+- `cernion_resolve_capability` resolves a single capability id to full detail.
+- `cernion_resolve_operations` resolves manifest operation clusters to deduplicated operation details, optionally filtered by `domain`.
+- `cernion_execute_rest_plan` proxies one GET-only REST execution plan emitted by Cernion. It validates that the plan is a relative `/api/` path and blocks admin/auth/token/HITL-resolve/provider-tool recursion paths. Asset-list GETs receive explicit limit and pagination/export guidance.
+- `cernion_api_request` performs an authenticated read-only GET against Cernion for fallback resolution or domain data queries. Asset-list GETs receive explicit limit and pagination/export guidance.
+
+`cernion_resolve_operations` uses the provider's canonicalized operation list: duplicate `operationId` entries that appear under trailing-slash or service-prefix aliases are returned once with a canonical path and an `aliases` list.
+
+The provider tool names currently exposed by Cernion are:
+
+- `cernion.ask`
+- `cernion.answer_dossier`
+- `cernion.recommend_capability`
+- `cernion.list_readonly_capabilities`
+- `cernion.get_evidence_status`
+
+## Configuration
+
+Configure through OpenClaw plugin settings or environment variables:
+
+- `baseUrl` or `CERNION_BASE_URL`: Cernion base URL, for example `https://cernion.example`.
+- `bearerToken` or `CERNION_READONLY_TOKEN`: read-only Cernion Sidecar token.
+- `bearerTokenEnv`: optional alternate token environment variable name.
+- `bearerTokenFile` or `CERNION_READONLY_TOKEN_FILE`: optional path to a local file containing the read-only token.
+- `processBearerToken` or `CERNION_PROCESS_TOKEN`: separate Cernion token for `cernion_prepare_process_intent`.
+- `processBearerTokenEnv`: optional alternate process-token environment variable name.
+- `processBearerTokenFile` or `CERNION_PROCESS_TOKEN_FILE`: optional path to a local file containing the process token.
+- `allowRestProxy` or `CERNION_ALLOW_REST_PROXY`: optional switch for `cernion_execute_rest_plan`, default enabled. Set to `false`, `0`, `no`, or `off` to disable.
+- `timeoutMs`: optional HTTP timeout, default `15000`.
+
+Store the token as an OpenClaw secret. The token is sent only as an `Authorization: Bearer ...` header and is scrubbed from returned payloads if a provider accidentally echoes it.
+
+## Asset Lists, Pagination, and Exports
+
+Cernion asset endpoints can return large MaStR-backed lists. The Sidecar does
+not let those lists silently fall back to the provider default limit:
+
+- for `/api/assets...` GET requests without `limit`, it sends `limit=500`;
+- when returned rows exhaust the requested limit, it adds `_sidecar.assetListPagination`;
+- the metadata includes `nextPage` parameters and CSV/XLS `exportOptions`;
+- assistants must not present the returned rows as complete when
+  `_sidecar.assetListPagination.limitExhausted=true` or `hasMore=true`.
+
+Example guidance for a user-facing answer:
+
+```text
+Cernion returned 500 rows for the current asset query, which exhausts the requested limit. I can continue with the next page or retrieve the complete list as CSV/XLS.
+```
+
+## Local Development
+
+```bash
+npm install
+npm run plugin:build
+npm run plugin:validate
+npm test
+```
+
+## Docker Demo Container
+
+The repository includes a Docker-based OpenClaw demo under `docker/`. It starts
+OpenClaw with this plugin installed and exposes the browser Control UI on
+`http://localhost:19101`.
+
+```bash
+cp docker/.env.example docker/.env
+# edit docker/.env: CERNION_BASE_URL, CERNION_TOKEN, OPENCLAW_MODEL, OPENCLAW_THINKING, and a model-provider key
+docker compose --env-file docker/.env -f docker/compose.yml up --build
+```
+
+The demo accepts `CERNION_BASE_URL`, `CERNION_TOKEN`,
+`CERNION_READONLY_TOKEN`, and `CERNION_PROCESS_TOKEN` through environment
+variables. No operator workspace, memory, transcripts, or personal OpenClaw
+state are mounted.
+
+See [docker/README.md](docker/README.md) for the full end-user walkthrough,
+including the Cernion demo workspace profile and the Meckesheim self-supply
+example prompt.
+
+## Local Install
+
+From this directory:
+
+```bash
+openclaw plugins install .
+```
+
+Or from GitHub:
+
+```bash
+openclaw plugins install https://github.com/SmartEnergySolutions/cernion-openclaw-sidecar
+```
+
+Or from npm after publication:
+
+```bash
+openclaw plugins install @cernion/openclaw-energy-tools-sidecar
+```
+
+Then configure:
+
+```bash
+export CERNION_BASE_URL="https://cernion.example"
+export CERNION_READONLY_TOKEN_FILE="$HOME/.config/cernion/readonly-token"
+```
+
+The token file should contain only the bearer token and should be readable only by the OpenClaw runtime user, for example mode `0600`.
+
+## Boundaries
+
+Allowed:
+
+- read-only/advisory tool discovery
+- calls to curated Cernion Sidecar tools
+- read-only Knowledge RAG queries for regulatory and procedural domain evidence
+- read-only OSM Geo grid-context queries for ZNP and Netzanschluss hypotheses
+- read-only Evidence Router calls and execution of router-recommended GET/POST evidence endpoints
+- Process Intake creation of `pending_confirmation` receipts through a separate process-token boundary
+- resolve calls to the Cernion agent manifest endpoints
+- generic `cernion.ask` calls where Cernion decides capabilities, blueprints, routing, policies, and evidence
+- GET-only proxy execution of Cernion-issued REST plans against the configured provider `baseUrl`
+- structured propagation of `sidecar_policy_blocked`
+
+Blocked:
+
+- Full Cernion OpenAPI export
+- admin/token/HITL-resolve actions
+- process execution or HITL resolution after Process Intake
+- Sidecar-owned domain routing such as hard-coded MaStR asset tools
+- arbitrary external URLs or non-`/api/` REST proxy paths
+- production mutation
+- secrets in descriptors, logs, or tool responses
+- OpenClaw workspace coupling inside Cernion
+
+## Publishing
+
+The package name is `@cernion/openclaw-energy-tools-sidecar`. Publishing under
+that scope requires:
+
+- access to the `@cernion` npm organization or user scope;
+- an npm automation token stored as `NPM_TOKEN` for GitHub Actions;
+- 2FA/provenance settings compatible with the selected npm release policy;
+- a release tag such as `v0.1.0`.
+
+Release checks should pass before publishing:
+
+```bash
+npm ci
+npm run build
+npm test
+npm run plugin:validate
+npm pack --dry-run
+```

package/SECURITY.md

@@ -0,0 +1,27 @@
+# Security Policy
+
+## Supported Versions
+
+Security fixes are currently prepared on `main` until the first public release is tagged.
+
+## Reporting a Vulnerability
+
+Do not open public issues for secrets, token exposure, authentication bypasses, policy-boundary bypasses, or unintended write/process execution.
+
+Report security concerns privately to the Cernion maintainers through the configured project security channel or by contacting the repository owner directly. Include:
+
+- affected Sidecar version or commit;
+- OpenClaw version;
+- Cernion Energy Tools base version if known;
+- minimal reproduction steps;
+- whether any token, tenant data, or process action was exposed.
+
+## Security Boundaries
+
+The Sidecar must preserve these boundaries:
+
+- read-only evidence calls use the read-only Cernion token;
+- process intake uses a separate process token and creates only pending-confirmation receipts;
+- admin, auth, token, secret, HITL-resolve, and provider-tool recursion paths are blocked from read-only REST execution;
+- bearer tokens must not be returned in tool payloads, logs, descriptors, or error envelopes;
+- Cernion Energy Tools remains the policy owner for capabilities, evidence semantics, and process execution.

package/dist/index.d.ts

@@ -0,0 +1,107 @@
+type PluginConfig = {
+    baseUrl?: string;
+    bearerToken?: string;
+    bearerTokenEnv?: string;
+    bearerTokenFile?: string;
+    processBearerToken?: string;
+    processBearerTokenEnv?: string;
+    processBearerTokenFile?: string;
+    allowRestProxy?: boolean;
+    timeoutMs?: number;
+};
+type RequestOptions = {
+    method?: "GET" | "POST";
+    body?: unknown;
+    signal?: AbortSignal;
+};
+type RestExecutionPlan = {
+    method?: string;
+    path: string;
+    params?: Record<string, unknown>;
+    query?: Record<string, unknown>;
+    policy?: Record<string, unknown>;
+};
+type EvidenceEndpointPlan = RestExecutionPlan & {
+    body?: Record<string, unknown>;
+    resultKind?: string;
+    purpose?: string;
+};
+type KnowledgeQueryType = "semantic" | "scroll" | "fetch" | "collection_info";
+type DomainKnowledgeQuery = {
+    queryType?: KnowledgeQueryType;
+    query?: string;
+    limit?: number;
+    scoreThreshold?: number;
+    ids?: Array<string | number>;
+    offset?: unknown;
+    filter?: Record<string, unknown>;
+    withPayload?: boolean;
+    withVectors?: boolean;
+    waitForResult?: boolean;
+    maxWaitMs?: number;
+};
+type DomainKnowledgeEvidenceAssessment = {
+    assessmentScope: "primary_source_support";
+    evidenceAdequacy: "low" | "medium" | "high";
+    strongEvidenceCount: number;
+    routingCardCount: number;
+    weakOrOffTopicCount: number;
+    topScore?: number;
+    reasons: string[];
+    answerGuidance: string;
+};
+type GridContextQuery = {
+    location?: string;
+    boundingBox?: Record<string, unknown>;
+    gridOperator?: string;
+    gridOperatorId?: string;
+    voltageLevel?: "NS" | "MS" | "HS" | "EHS";
+    includeSubstations?: boolean;
+    includeTopology?: boolean;
+    includeGeometry?: boolean;
+    includeGraphData?: boolean;
+    maxResults?: number;
+};
+declare function requireConfig(config: PluginConfig): {
+    baseUrl: string;
+    bearerToken: string;
+    timeoutMs: number;
+};
+declare function requireProcessConfig(config: PluginConfig): {
+    baseUrl: string;
+    bearerToken: string;
+    timeoutMs: number;
+};
+declare function buildUrl(baseUrl: string, path: string): string;
+declare function buildQueryPath(path: string, params?: Record<string, unknown>): string;
+declare function isRestProxyAllowed(config: PluginConfig): boolean;
+declare function validateRestExecutionPlan(plan: RestExecutionPlan): {
+    method: "GET";
+    path: string;
+    params: Record<string, unknown>;
+};
+declare function validateEvidenceEndpointPlan(plan: EvidenceEndpointPlan): {
+    method: "GET" | "POST";
+    path: string;
+    params: Record<string, unknown>;
+    body?: Record<string, unknown>;
+};
+declare function executeRestExecutionPlan(config: PluginConfig, plan: RestExecutionPlan, signal?: AbortSignal): Promise<unknown>;
+declare function routeEvidence(config: PluginConfig, request: {
+    question: string;
+    context?: Record<string, unknown>;
+}, signal?: AbortSignal): Promise<unknown>;
+declare function normalizeDomainKnowledgeQuery(request: DomainKnowledgeQuery): Record<string, unknown>;
+declare function assessDomainKnowledgeEvidence(query: unknown, result: unknown): DomainKnowledgeEvidenceAssessment;
+declare function normalizeGridContextQuery(request: GridContextQuery): Record<string, unknown>;
+declare function assessGridContextEvidence(substations: unknown, topology: unknown): Record<string, unknown>;
+declare function queryGridContext(config: PluginConfig, request: GridContextQuery, signal?: AbortSignal): Promise<Record<string, unknown>>;
+declare function pollCernionJobResult(config: PluginConfig, jobId: string, maxWaitMs: number, signal?: AbortSignal): Promise<unknown>;
+declare function queryDomainKnowledge(config: PluginConfig, request: DomainKnowledgeQuery, signal?: AbortSignal): Promise<unknown>;
+declare function executeEvidenceEndpointPlan(config: PluginConfig, plan: EvidenceEndpointPlan, signal?: AbortSignal): Promise<unknown>;
+declare function requestCernion(config: PluginConfig, path: string, options?: RequestOptions): Promise<unknown>;
+declare function requestCernionProcess(config: PluginConfig, path: string, options?: RequestOptions): Promise<unknown>;
+declare function scrubSecretValues(value: unknown, token?: string): unknown;
+declare const _default: import("openclaw/plugin-sdk/tool-plugin").DefinedToolPluginEntry;
+export default _default;
+export { buildQueryPath, buildUrl, executeEvidenceEndpointPlan, executeRestExecutionPlan, isRestProxyAllowed, normalizeDomainKnowledgeQuery, normalizeGridContextQuery, assessDomainKnowledgeEvidence, assessGridContextEvidence, pollCernionJobResult, queryGridContext, queryDomainKnowledge, requireConfig, requireProcessConfig, requestCernion, requestCernionProcess, routeEvidence, scrubSecretValues, validateEvidenceEndpointPlan, validateRestExecutionPlan, };