@clawdstrike/openclaw 0.1.0

package/dist/guards/patch-integrity.js

@@ -0,0 +1,219 @@
+/**
+ * @clawdstrike/openclaw - Patch Integrity Guard
+ *
+ * Detects dangerous code patterns in patches and file writes.
+ */
+import { BaseGuard } from './types.js';
+/**
+ * Built-in dangerous pattern detection
+ */
+const DANGEROUS_PATTERNS = [
+    // Shell injection patterns
+    {
+        name: 'curl_pipe_bash',
+        pattern: /curl\s+[^|]*\|\s*(bash|sh|zsh)/gi,
+        severity: 'critical',
+        description: 'Curl piped to shell execution',
+    },
+    {
+        name: 'wget_pipe_bash',
+        pattern: /wget\s+[^|]*\|\s*(bash|sh|zsh)/gi,
+        severity: 'critical',
+        description: 'Wget piped to shell execution',
+    },
+    // Dangerous command patterns
+    {
+        name: 'rm_rf_root',
+        pattern: /rm\s+(-rf?|--recursive)\s+[/\\]/gi,
+        severity: 'critical',
+        description: 'Recursive removal from root',
+    },
+    {
+        name: 'fork_bomb',
+        pattern: /:\(\)\{\s*:\|:&\s*\};:/g,
+        severity: 'critical',
+        description: 'Fork bomb',
+    },
+    {
+        name: 'dd_disk_wipe',
+        pattern: /dd\s+if=\/dev\/(zero|random|urandom)\s+of=\/dev\//gi,
+        severity: 'critical',
+        description: 'DD disk wipe command',
+    },
+    // Dangerous JavaScript patterns
+    {
+        name: 'eval_usage',
+        pattern: /\beval\s*\([^)]*\)/gi,
+        severity: 'high',
+        description: 'Eval function usage',
+    },
+    {
+        name: 'new_function',
+        pattern: /new\s+Function\s*\([^)]*\)/gi,
+        severity: 'high',
+        description: 'new Function constructor',
+    },
+    {
+        name: 'document_write',
+        pattern: /document\.write\s*\([^)]*\)/gi,
+        severity: 'medium',
+        description: 'document.write usage',
+    },
+    {
+        name: 'inner_html_assignment',
+        pattern: /\.innerHTML\s*=/gi,
+        severity: 'medium',
+        description: 'innerHTML assignment (XSS risk)',
+    },
+    // Dangerous Python patterns
+    {
+        name: 'python_exec',
+        pattern: /\bexec\s*\([^)]*\)/gi,
+        severity: 'high',
+        description: 'Python exec usage',
+    },
+    {
+        name: 'python_compile',
+        pattern: /\bcompile\s*\([^)]*,\s*[^)]*,\s*['"]exec['"]\)/gi,
+        severity: 'high',
+        description: 'Python compile with exec mode',
+    },
+    {
+        name: 'python_subprocess_shell',
+        pattern: /subprocess\.(call|run|Popen)\s*\([^)]*shell\s*=\s*True/gi,
+        severity: 'high',
+        description: 'Subprocess with shell=True',
+    },
+    {
+        name: 'python_os_system',
+        pattern: /os\.system\s*\([^)]*\)/gi,
+        severity: 'high',
+        description: 'os.system usage',
+    },
+    // Environment manipulation
+    {
+        name: 'env_manipulation',
+        pattern: /process\.env\.[A-Z_]+\s*=\s*['"][^'"]+['"]/gi,
+        severity: 'medium',
+        description: 'Environment variable manipulation',
+    },
+    // Credential patterns in code
+    {
+        name: 'hardcoded_password',
+        pattern: /(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]{4,}['"]/gi,
+        severity: 'high',
+        description: 'Hardcoded password',
+    },
+    {
+        name: 'hardcoded_secret',
+        pattern: /(?:secret|api[_-]?key|auth[_-]?token)\s*[:=]\s*['"][^'"]{8,}['"]/gi,
+        severity: 'high',
+        description: 'Hardcoded secret/API key',
+    },
+    // File permission changes
+    {
+        name: 'chmod_777',
+        pattern: /chmod\s+(?:777|a\+rwx)/gi,
+        severity: 'medium',
+        description: 'Overly permissive chmod',
+    },
+    // Network exfiltration patterns
+    {
+        name: 'base64_encode_pipe',
+        pattern: /base64\s*[^|]*\|\s*(?:curl|wget|nc)/gi,
+        severity: 'high',
+        description: 'Base64 encoded data exfiltration',
+    },
+    // SQL injection patterns
+    {
+        name: 'sql_concat',
+        pattern: /(?:SELECT|INSERT|UPDATE|DELETE|DROP)\s+[^;]*\+\s*[a-zA-Z_]+/gi,
+        severity: 'medium',
+        description: 'Potential SQL injection (string concatenation)',
+    },
+];
+/**
+ * PatchIntegrityGuard - detects dangerous patterns in patches
+ */
+export class PatchIntegrityGuard extends BaseGuard {
+    patterns;
+    constructor(additionalPatterns = []) {
+        super();
+        this.patterns = [...DANGEROUS_PATTERNS, ...additionalPatterns];
+    }
+    name() {
+        return 'patch_integrity';
+    }
+    handles() {
+        return ['patch_apply', 'file_write', 'command_exec'];
+    }
+    async check(event, policy) {
+        return this.checkSync(event, policy);
+    }
+    checkSync(event, policy) {
+        const data = event.data;
+        let contentToCheck;
+        // Get content to check based on event type
+        if (data.type === 'patch') {
+            contentToCheck = data.patchContent;
+        }
+        else if (data.type === 'command') {
+            contentToCheck = `${data.command} ${data.args.join(' ')}`;
+            // Also check against denied patterns from policy
+            const deniedPatterns = policy.execution?.denied_patterns ?? [];
+            for (const pattern of deniedPatterns) {
+                try {
+                    const regex = new RegExp(pattern, 'gi');
+                    if (regex.test(contentToCheck)) {
+                        return this.deny(`Command matches denied pattern: ${pattern}`, 'high');
+                    }
+                }
+                catch {
+                    // Invalid regex, skip
+                }
+            }
+        }
+        if (!contentToCheck) {
+            return this.allow();
+        }
+        // Check for dangerous patterns
+        const detected = this.detectDangerousPatterns(contentToCheck);
+        if (detected.length > 0) {
+            const highestSeverity = this.getHighestSeverity(detected);
+            const patternNames = detected.map((p) => p.name).join(', ');
+            return this.deny(`Detected dangerous patterns: ${patternNames}`, highestSeverity);
+        }
+        return this.allow();
+    }
+    /**
+     * Detect dangerous patterns in content
+     */
+    detectDangerousPatterns(content) {
+        const detected = [];
+        for (const pattern of this.patterns) {
+            // Reset regex state
+            pattern.pattern.lastIndex = 0;
+            if (pattern.pattern.test(content)) {
+                detected.push(pattern);
+            }
+            // Reset again after test
+            pattern.pattern.lastIndex = 0;
+        }
+        return detected;
+    }
+    /**
+     * Get the highest severity from detected patterns
+     */
+    getHighestSeverity(patterns) {
+        const severityOrder = ['low', 'medium', 'high', 'critical'];
+        let highest = 'low';
+        for (const pattern of patterns) {
+            if (severityOrder.indexOf(pattern.severity) >
+                severityOrder.indexOf(highest)) {
+                highest = pattern.severity;
+            }
+        }
+        return highest;
+    }
+}
+//# sourceMappingURL=patch-integrity.js.map

package/dist/guards/patch-integrity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patch-integrity.js","sourceRoot":"","sources":["../../src/guards/patch-integrity.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AASH,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvC;;GAEG;AACH,MAAM,kBAAkB,GAAuB;IAC7C,2BAA2B;IAC3B;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,kCAAkC;QAC3C,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,+BAA+B;KAC7C;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,kCAAkC;QAC3C,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,+BAA+B;KAC7C;IAED,6BAA6B;IAC7B;QACE,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,mCAAmC;QAC5C,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,6BAA6B;KAC3C;IACD;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,yBAAyB;QAClC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,WAAW;KACzB;IACD;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,qDAAqD;QAC9D,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,sBAAsB;KACpC;IAED,gCAAgC;IAChC;QACE,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,sBAAsB;QAC/B,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,qBAAqB;KACnC;IACD;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,8BAA8B;QACvC,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,0BAA0B;KACxC;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,sBAAsB;KACpC;IACD;QACE,IAAI,EAAE,uBAAuB;QAC7B,OAAO,EAAE,mBAAmB;QAC5B,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,iCAAiC;KAC/C;IAED,4BAA4B;IAC5B;QACE,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,sBAAsB;QAC/B,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,mBAAmB;KACjC;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,kDAAkD;QAC3D,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,+BAA+B;KAC7C;IACD;QACE,IAAI,EAAE,yBAAyB;QAC/B,OAAO,EAAE,0DAA0D;QACnE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,4BAA4B;KAC1C;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,iBAAiB;KAC/B;IAED,2BAA2B;IAC3B;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,8CAA8C;QACvD,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,mCAAmC;KACjD;IAED,8BAA8B;IAC9B;QACE,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,sDAAsD;QAC/D,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,oBAAoB;KAClC;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,oEAAoE;QAC7E,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,0BAA0B;KACxC;IAED,0BAA0B;IAC1B;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,yBAAyB;KACvC;IAED,gCAAgC;IAChC;QACE,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,uCAAuC;QAChD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,kCAAkC;KAChD;IAED,yBAAyB;IACzB;QACE,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,+DAA+D;QACxE,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,gDAAgD;KAC9D;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,OAAO,mBAAoB,SAAQ,SAAS;IACxC,QAAQ,CAAqB;IAErC,YAAY,qBAAyC,EAAE;QACrD,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,QAAQ,GAAG,CAAC,GAAG,kBAAkB,EAAE,GAAG,kBAAkB,CAAC,CAAC;IACjE,CAAC;IAED,IAAI;QACF,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IAED,OAAO;QACL,OAAO,CAAC,aAAa,EAAE,YAAY,EAAE,cAAc,CAAC,CAAC;IACvD,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,KAAkB,EAAE,MAAc;QAC5C,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACvC,CAAC;IAED,SAAS,CAAC,KAAkB,EAAE,MAAc;QAC1C,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;QACxB,IAAI,cAAkC,CAAC;QAEvC,2CAA2C;QAC3C,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC1B,cAAc,GAAG,IAAI,CAAC,YAAY,CAAC;QACrC,CAAC;aAAM,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACnC,cAAc,GAAG,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YAE1D,iDAAiD;YACjD,MAAM,cAAc,GAAG,MAAM,CAAC,SAAS,EAAE,eAAe,IAAI,EAAE,CAAC;YAC/D,KAAK,MAAM,OAAO,IAAI,cAAc,EAAE,CAAC;gBACrC,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;oBACxC,IAAI,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC;wBAC/B,OAAO,IAAI,CAAC,IAAI,CACd,mCAAmC,OAAO,EAAE,EAC5C,MAAM,CACP,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,sBAAsB;gBACxB,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC;QACtB,CAAC;QAED,+BAA+B;QAC/B,MAAM,QAAQ,GAAG,IAAI,CAAC,uBAAuB,CAAC,cAAc,CAAC,CAAC;QAE9D,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,MAAM,eAAe,GAAG,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;YAC1D,MAAM,YAAY,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAE5D,OAAO,IAAI,CAAC,IAAI,CACd,gCAAgC,YAAY,EAAE,EAC9C,eAAe,CAChB,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,uBAAuB,CAAC,OAAe;QACrC,MAAM,QAAQ,GAAuB,EAAE,CAAC;QAExC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,oBAAoB;YACpB,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YAE9B,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAClC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACzB,CAAC;YAED,yBAAyB;YACzB,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QAChC,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACK,kBAAkB,CACxB,QAA4B;QAE5B,MAAM,aAAa,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAU,CAAC;QAErE,IAAI,OAAO,GAAmC,KAAK,CAAC;QAEpD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,IACE,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC;gBACvC,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,EAC9B,CAAC;gBACD,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;YAC7B,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;CACF"}

package/dist/guards/secret-leak.d.ts

@@ -0,0 +1,31 @@
+/**
+ * @clawdstrike/openclaw - Secret Leak Guard
+ *
+ * Detects and blocks exposure of secrets in tool outputs and patches.
+ */
+import type { PolicyEvent, Policy, GuardResult, EventType, SecretPattern } from '../types.js';
+import { BaseGuard } from './types.js';
+/**
+ * SecretLeakGuard - detects and blocks secret exposure
+ */
+export declare class SecretLeakGuard extends BaseGuard {
+    private patterns;
+    constructor(additionalPatterns?: SecretPattern[]);
+    name(): string;
+    handles(): EventType[];
+    check(event: PolicyEvent, policy: Policy): Promise<GuardResult>;
+    checkSync(event: PolicyEvent, _policy: Policy): GuardResult;
+    /**
+     * Detect secrets in content
+     */
+    detectSecrets(content: string): SecretPattern[];
+    /**
+     * Redact secrets from content
+     */
+    redact(content: string): string;
+    /**
+     * Get the highest severity from detected patterns
+     */
+    private getHighestSeverity;
+}
+//# sourceMappingURL=secret-leak.d.ts.map

package/dist/guards/secret-leak.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-leak.d.ts","sourceRoot":"","sources":["../../src/guards/secret-leak.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,MAAM,EACN,WAAW,EACX,SAAS,EACT,aAAa,EACd,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAmJvC;;GAEG;AACH,qBAAa,eAAgB,SAAQ,SAAS;IAC5C,OAAO,CAAC,QAAQ,CAAkB;gBAEtB,kBAAkB,GAAE,aAAa,EAAO;IAKpD,IAAI,IAAI,MAAM;IAId,OAAO,IAAI,SAAS,EAAE;IAIhB,KAAK,CAAC,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAIrE,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,GAAG,WAAW;IAiC3D;;OAEG;IACH,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,aAAa,EAAE;IAkB/C;;OAEG;IACH,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM;IAsB/B;;OAEG;IACH,OAAO,CAAC,kBAAkB;CAkB3B"}

package/dist/guards/secret-leak.js

@@ -0,0 +1,235 @@
+/**
+ * @clawdstrike/openclaw - Secret Leak Guard
+ *
+ * Detects and blocks exposure of secrets in tool outputs and patches.
+ */
+import { BaseGuard } from './types.js';
+/**
+ * Built-in secret detection patterns
+ */
+const SECRET_PATTERNS = [
+    // AWS Keys
+    {
+        name: 'aws_access_key',
+        pattern: /AKIA[0-9A-Z]{16}/g,
+        severity: 'critical',
+        description: 'AWS Access Key ID',
+    },
+    {
+        name: 'aws_secret_key',
+        pattern: /[A-Za-z0-9/+=]{40}/g,
+        severity: 'critical',
+        description: 'AWS Secret Access Key',
+    },
+    // GitHub Tokens
+    {
+        name: 'github_pat',
+        pattern: /ghp_[A-Za-z0-9]{36}/g,
+        severity: 'critical',
+        description: 'GitHub Personal Access Token',
+    },
+    {
+        name: 'github_oauth',
+        pattern: /gho_[A-Za-z0-9]{36}/g,
+        severity: 'critical',
+        description: 'GitHub OAuth Token',
+    },
+    {
+        name: 'github_app_token',
+        pattern: /ghu_[A-Za-z0-9]{36}/g,
+        severity: 'critical',
+        description: 'GitHub App User Token',
+    },
+    {
+        name: 'github_fine_grained',
+        pattern: /github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}/g,
+        severity: 'critical',
+        description: 'GitHub Fine-grained PAT',
+    },
+    // OpenAI Keys
+    {
+        name: 'openai_api_key',
+        pattern: /sk-[A-Za-z0-9]{48}/g,
+        severity: 'critical',
+        description: 'OpenAI API Key',
+    },
+    {
+        name: 'openai_project_key',
+        pattern: /sk-proj-[A-Za-z0-9]{48}/g,
+        severity: 'critical',
+        description: 'OpenAI Project API Key',
+    },
+    // Anthropic Keys
+    {
+        name: 'anthropic_api_key',
+        pattern: /sk-ant-[A-Za-z0-9]{32,}/g,
+        severity: 'critical',
+        description: 'Anthropic API Key',
+    },
+    // Google Cloud
+    {
+        name: 'google_api_key',
+        pattern: /AIza[0-9A-Za-z\-_]{35}/g,
+        severity: 'critical',
+        description: 'Google API Key',
+    },
+    {
+        name: 'gcp_service_account',
+        pattern: /"type":\s*"service_account"/g,
+        severity: 'high',
+        description: 'GCP Service Account JSON',
+    },
+    // Private Keys
+    {
+        name: 'private_key_rsa',
+        pattern: /-----BEGIN RSA PRIVATE KEY-----/g,
+        severity: 'critical',
+        description: 'RSA Private Key',
+    },
+    {
+        name: 'private_key_openssh',
+        pattern: /-----BEGIN OPENSSH PRIVATE KEY-----/g,
+        severity: 'critical',
+        description: 'OpenSSH Private Key',
+    },
+    {
+        name: 'private_key_ec',
+        pattern: /-----BEGIN EC PRIVATE KEY-----/g,
+        severity: 'critical',
+        description: 'EC Private Key',
+    },
+    {
+        name: 'private_key_generic',
+        pattern: /-----BEGIN PRIVATE KEY-----/g,
+        severity: 'critical',
+        description: 'Private Key',
+    },
+    // Stripe
+    {
+        name: 'stripe_secret_key',
+        pattern: /sk_live_[A-Za-z0-9]{24,}/g,
+        severity: 'critical',
+        description: 'Stripe Live Secret Key',
+    },
+    {
+        name: 'stripe_test_key',
+        pattern: /sk_test_[A-Za-z0-9]{24,}/g,
+        severity: 'medium',
+        description: 'Stripe Test Secret Key',
+    },
+    // Slack
+    {
+        name: 'slack_token',
+        pattern: /xox[baprs]-[A-Za-z0-9-]{10,}/g,
+        severity: 'high',
+        description: 'Slack Token',
+    },
+    // Generic high-entropy (likely secrets)
+    {
+        name: 'jwt_token',
+        pattern: /eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*/g,
+        severity: 'high',
+        description: 'JWT Token',
+    },
+    // Database URLs with credentials
+    {
+        name: 'database_url',
+        pattern: /(?:postgres|mysql|mongodb|redis):\/\/[^:]+:[^@]+@/g,
+        severity: 'critical',
+        description: 'Database URL with credentials',
+    },
+];
+/**
+ * SecretLeakGuard - detects and blocks secret exposure
+ */
+export class SecretLeakGuard extends BaseGuard {
+    patterns;
+    constructor(additionalPatterns = []) {
+        super();
+        this.patterns = [...SECRET_PATTERNS, ...additionalPatterns];
+    }
+    name() {
+        return 'secret_leak';
+    }
+    handles() {
+        return ['patch_apply', 'tool_call'];
+    }
+    async check(event, policy) {
+        return this.checkSync(event, policy);
+    }
+    checkSync(event, _policy) {
+        const data = event.data;
+        let contentToCheck;
+        // Get content to check based on event type
+        if (data.type === 'patch') {
+            contentToCheck = data.patchContent;
+        }
+        else if (data.type === 'tool') {
+            // Check tool result for secrets
+            contentToCheck =
+                typeof data.result === 'string' ? data.result : JSON.stringify(data.result ?? '');
+        }
+        if (!contentToCheck) {
+            return this.allow();
+        }
+        // Check for secret patterns
+        const detected = this.detectSecrets(contentToCheck);
+        if (detected.length > 0) {
+            const highestSeverity = this.getHighestSeverity(detected);
+            const secretNames = detected.map((s) => s.name).join(', ');
+            return this.deny(`Detected potential secrets in output: ${secretNames}`, highestSeverity);
+        }
+        return this.allow();
+    }
+    /**
+     * Detect secrets in content
+     */
+    detectSecrets(content) {
+        const detected = [];
+        for (const pattern of this.patterns) {
+            // Reset regex state
+            pattern.pattern.lastIndex = 0;
+            if (pattern.pattern.test(content)) {
+                detected.push(pattern);
+            }
+            // Reset again after test
+            pattern.pattern.lastIndex = 0;
+        }
+        return detected;
+    }
+    /**
+     * Redact secrets from content
+     */
+    redact(content) {
+        let redacted = content;
+        for (const pattern of this.patterns) {
+            // Reset regex state
+            pattern.pattern.lastIndex = 0;
+            redacted = redacted.replace(pattern.pattern, (match) => {
+                // Show first 4 chars and last 4 chars, redact the middle
+                if (match.length > 12) {
+                    return match.slice(0, 4) + '[REDACTED]' + match.slice(-4);
+                }
+                return '[REDACTED]';
+            });
+            // Reset again after replace
+            pattern.pattern.lastIndex = 0;
+        }
+        return redacted;
+    }
+    /**
+     * Get the highest severity from detected patterns
+     */
+    getHighestSeverity(patterns) {
+        const severityOrder = ['low', 'medium', 'high', 'critical'];
+        let highest = 'low';
+        for (const pattern of patterns) {
+            if (severityOrder.indexOf(pattern.severity) >
+                severityOrder.indexOf(highest)) {
+                highest = pattern.severity;
+            }
+        }
+        return highest;
+    }
+}
+//# sourceMappingURL=secret-leak.js.map

package/dist/guards/secret-leak.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-leak.js","sourceRoot":"","sources":["../../src/guards/secret-leak.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AASH,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvC;;GAEG;AACH,MAAM,eAAe,GAAoB;IACvC,WAAW;IACX;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,mBAAmB;QAC5B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,mBAAmB;KACjC;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,qBAAqB;QAC9B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,uBAAuB;KACrC;IAED,gBAAgB;IAChB;QACE,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,sBAAsB;QAC/B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,8BAA8B;KAC5C;IACD;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,sBAAsB;QAC/B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,oBAAoB;KAClC;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,sBAAsB;QAC/B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,uBAAuB;KACrC;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,6CAA6C;QACtD,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,yBAAyB;KACvC;IAED,cAAc;IACd;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,qBAAqB;QAC9B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,gBAAgB;KAC9B;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,wBAAwB;KACtC;IAED,iBAAiB;IACjB;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,mBAAmB;KACjC;IAED,eAAe;IACf;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,yBAAyB;QAClC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,gBAAgB;KAC9B;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,8BAA8B;QACvC,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,0BAA0B;KACxC;IAED,eAAe;IACf;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,kCAAkC;QAC3C,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,iBAAiB;KAC/B;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,sCAAsC;QAC/C,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,qBAAqB;KACnC;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,iCAAiC;QAC1C,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,gBAAgB;KAC9B;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,8BAA8B;QACvC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,aAAa;KAC3B;IAED,SAAS;IACT;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,wBAAwB;KACtC;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,wBAAwB;KACtC;IAED,QAAQ;IACR;QACE,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,aAAa;KAC3B;IAED,wCAAwC;IACxC;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uDAAuD;QAChE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,WAAW;KACzB;IAED,iCAAiC;IACjC;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,oDAAoD;QAC7D,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,+BAA+B;KAC7C;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,OAAO,eAAgB,SAAQ,SAAS;IACpC,QAAQ,CAAkB;IAElC,YAAY,qBAAsC,EAAE;QAClD,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,QAAQ,GAAG,CAAC,GAAG,eAAe,EAAE,GAAG,kBAAkB,CAAC,CAAC;IAC9D,CAAC;IAED,IAAI;QACF,OAAO,aAAa,CAAC;IACvB,CAAC;IAED,OAAO;QACL,OAAO,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,KAAkB,EAAE,MAAc;QAC5C,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACvC,CAAC;IAED,SAAS,CAAC,KAAkB,EAAE,OAAe;QAC3C,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;QACxB,IAAI,cAAkC,CAAC;QAEvC,2CAA2C;QAC3C,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC1B,cAAc,GAAG,IAAI,CAAC,YAAY,CAAC;QACrC,CAAC;aAAM,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAChC,gCAAgC;YAChC,cAAc;gBACZ,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;QACtF,CAAC;QAED,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC;QACtB,CAAC;QAED,4BAA4B;QAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,CAAC,cAAc,CAAC,CAAC;QAEpD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,MAAM,eAAe,GAAG,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;YAC1D,MAAM,WAAW,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAE3D,OAAO,IAAI,CAAC,IAAI,CACd,yCAAyC,WAAW,EAAE,EACtD,eAAe,CAChB,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,OAAe;QAC3B,MAAM,QAAQ,GAAoB,EAAE,CAAC;QAErC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,oBAAoB;YACpB,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YAE9B,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAClC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACzB,CAAC;YAED,yBAAyB;YACzB,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QAChC,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,OAAe;QACpB,IAAI,QAAQ,GAAG,OAAO,CAAC;QAEvB,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,oBAAoB;YACpB,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YAE9B,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE;gBACrD,yDAAyD;gBACzD,IAAI,KAAK,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;oBACtB,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC5D,CAAC;gBACD,OAAO,YAAY,CAAC;YACtB,CAAC,CAAC,CAAC;YAEH,4BAA4B;YAC5B,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QAChC,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACK,kBAAkB,CACxB,QAAyB;QAEzB,MAAM,aAAa,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAU,CAAC;QAErE,IAAI,OAAO,GAAmC,KAAK,CAAC;QAEpD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,IACE,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC;gBACvC,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,EAC9B,CAAC;gBACD,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;YAC7B,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;CACF"}

package/dist/guards/types.d.ts

@@ -0,0 +1,46 @@
+/**
+ * @clawdstrike/openclaw - Guard Types
+ *
+ * Type definitions for the guard system.
+ */
+import type { PolicyEvent, Policy, GuardResult, EventType } from '../types.js';
+/**
+ * Guard interface - modular policy enforcement
+ */
+export interface Guard {
+    /** Guard name for identification and logging */
+    name(): string;
+    /** Check an event against the policy (async) */
+    check(event: PolicyEvent, policy: Policy): Promise<GuardResult>;
+    /** Check an event against the policy (sync, optional) */
+    checkSync?(event: PolicyEvent, policy: Policy): GuardResult;
+    /** Whether this guard is enabled */
+    isEnabled(): boolean;
+    /** Event types this guard handles (empty = all) */
+    handles(): EventType[];
+}
+/**
+ * Base class for guards with common functionality
+ */
+export declare abstract class BaseGuard implements Guard {
+    protected enabled: boolean;
+    abstract name(): string;
+    abstract check(event: PolicyEvent, policy: Policy): Promise<GuardResult>;
+    abstract handles(): EventType[];
+    checkSync?(event: PolicyEvent, policy: Policy): GuardResult;
+    isEnabled(): boolean;
+    setEnabled(enabled: boolean): void;
+    /**
+     * Helper to create an allow result
+     */
+    protected allow(): GuardResult;
+    /**
+     * Helper to create a deny result
+     */
+    protected deny(reason: string, severity?: GuardResult['severity']): GuardResult;
+    /**
+     * Helper to create a warn result
+     */
+    protected warn(reason: string): GuardResult;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/guards/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/guards/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,MAAM,EACN,WAAW,EACX,SAAS,EACV,MAAM,aAAa,CAAC;AAErB;;GAEG;AACH,MAAM,WAAW,KAAK;IACpB,gDAAgD;IAChD,IAAI,IAAI,MAAM,CAAC;IAEf,gDAAgD;IAChD,KAAK,CAAC,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;IAEhE,yDAAyD;IACzD,SAAS,CAAC,CAAC,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,GAAG,WAAW,CAAC;IAE5D,oCAAoC;IACpC,SAAS,IAAI,OAAO,CAAC;IAErB,mDAAmD;IACnD,OAAO,IAAI,SAAS,EAAE,CAAC;CACxB;AAED;;GAEG;AACH,8BAAsB,SAAU,YAAW,KAAK;IAC9C,SAAS,CAAC,OAAO,EAAE,OAAO,CAAQ;IAElC,QAAQ,CAAC,IAAI,IAAI,MAAM;IACvB,QAAQ,CAAC,KAAK,CAAC,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IACxE,QAAQ,CAAC,OAAO,IAAI,SAAS,EAAE;IAE/B,SAAS,CAAC,CAAC,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,GAAG,WAAW;IAE3D,SAAS,IAAI,OAAO;IAIpB,UAAU,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI;IAIlC;;OAEG;IACH,SAAS,CAAC,KAAK,IAAI,WAAW;IAI9B;;OAEG;IACH,SAAS,CAAC,IAAI,CACZ,MAAM,EAAE,MAAM,EACd,QAAQ,GAAE,WAAW,CAAC,UAAU,CAAU,GACzC,WAAW;IAId;;OAEG;IACH,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,GAAG,WAAW;CAG5C"}

package/dist/guards/types.js

@@ -0,0 +1,36 @@
+/**
+ * @clawdstrike/openclaw - Guard Types
+ *
+ * Type definitions for the guard system.
+ */
+/**
+ * Base class for guards with common functionality
+ */
+export class BaseGuard {
+    enabled = true;
+    isEnabled() {
+        return this.enabled;
+    }
+    setEnabled(enabled) {
+        this.enabled = enabled;
+    }
+    /**
+     * Helper to create an allow result
+     */
+    allow() {
+        return { status: 'allow', guard: this.name() };
+    }
+    /**
+     * Helper to create a deny result
+     */
+    deny(reason, severity = 'high') {
+        return { status: 'deny', reason, severity, guard: this.name() };
+    }
+    /**
+     * Helper to create a warn result
+     */
+    warn(reason) {
+        return { status: 'warn', reason, guard: this.name() };
+    }
+}
+//# sourceMappingURL=types.js.map

package/dist/guards/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/guards/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AA6BH;;GAEG;AACH,MAAM,OAAgB,SAAS;IACnB,OAAO,GAAY,IAAI,CAAC;IAQlC,SAAS;QACP,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,UAAU,CAAC,OAAgB;QACzB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED;;OAEG;IACO,KAAK;QACb,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;IACjD,CAAC;IAED;;OAEG;IACO,IAAI,CACZ,MAAc,EACd,WAAoC,MAAM;QAE1C,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;IAClE,CAAC;IAED;;OAEG;IACO,IAAI,CAAC,MAAc;QAC3B,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;IACxD,CAAC;CACF"}

package/dist/hooks/agent-bootstrap/handler.d.ts

@@ -0,0 +1,10 @@
+/**
+ * @clawdstrike/openclaw - Agent Bootstrap Hook Handler
+ *
+ * Injects a SECURITY.md file into the agent bootstrap context.
+ */
+import type { HookHandler, ClawdstrikeConfig } from '../../types.js';
+export declare function initialize(config: ClawdstrikeConfig): void;
+declare const handler: HookHandler;
+export default handler;
+//# sourceMappingURL=handler.d.ts.map

package/dist/hooks/agent-bootstrap/handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../../src/hooks/agent-bootstrap/handler.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAkC,WAAW,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAMrG,wBAAgB,UAAU,CAAC,MAAM,EAAE,iBAAiB,GAAG,IAAI,CAE1D;AASD,QAAA,MAAM,OAAO,EAAE,WAmBd,CAAC;AAEF,eAAe,OAAO,CAAC"}

package/dist/hooks/agent-bootstrap/handler.js

@@ -0,0 +1,35 @@
+/**
+ * @clawdstrike/openclaw - Agent Bootstrap Hook Handler
+ *
+ * Injects a SECURITY.md file into the agent bootstrap context.
+ */
+import { PolicyEngine } from '../../policy/engine.js';
+import { generateSecurityPrompt } from '../../security-prompt.js';
+let engine = null;
+export function initialize(config) {
+    engine = new PolicyEngine(config);
+}
+function getEngine(config) {
+    if (!engine) {
+        engine = new PolicyEngine(config ?? {});
+    }
+    return engine;
+}
+const handler = async (event) => {
+    if (event.type !== 'agent:bootstrap')
+        return;
+    const bootstrap = event;
+    const cfg = bootstrap.context.cfg;
+    const policyEngine = getEngine(cfg);
+    const policy = policyEngine.getPolicy();
+    const enabledGuards = policyEngine.enabledGuards();
+    const securityPrompt = generateSecurityPrompt(policy) +
+        `\n\n## Enabled Guards\n` +
+        enabledGuards.map((g) => `- ${g}`).join('\n');
+    bootstrap.context.bootstrapFiles.push({
+        path: 'SECURITY.md',
+        content: securityPrompt,
+    });
+};
+export default handler;
+//# sourceMappingURL=handler.js.map

package/dist/hooks/agent-bootstrap/handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.js","sourceRoot":"","sources":["../../../src/hooks/agent-bootstrap/handler.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAElE,IAAI,MAAM,GAAwB,IAAI,CAAC;AAEvC,MAAM,UAAU,UAAU,CAAC,MAAyB;IAClD,MAAM,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,SAAS,CAAC,MAA0B;IAC3C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,GAAG,IAAI,YAAY,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,OAAO,GAAgB,KAAK,EAAE,KAAgB,EAAiB,EAAE;IACrE,IAAI,KAAK,CAAC,IAAI,KAAK,iBAAiB;QAAE,OAAO;IAE7C,MAAM,SAAS,GAAG,KAA4B,CAAC;IAC/C,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC;IAClC,MAAM,YAAY,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;IAEpC,MAAM,MAAM,GAAG,YAAY,CAAC,SAAS,EAAE,CAAC;IACxC,MAAM,aAAa,GAAG,YAAY,CAAC,aAAa,EAAE,CAAC;IAEnD,MAAM,cAAc,GAClB,sBAAsB,CAAC,MAAM,CAAC;QAC9B,yBAAyB;QACzB,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEhD,SAAS,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC;QACpC,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,cAAc;KACxB,CAAC,CAAC;AACL,CAAC,CAAC;AAEF,eAAe,OAAO,CAAC"}

package/dist/hooks/audit-logger/handler.d.ts

@@ -0,0 +1,16 @@
+/**
+ * @clawdstrike/openclaw - Audit Logger Hook Handler
+ *
+ * Logs security events for audit and compliance.
+ */
+import type { HookHandler, ClawdstrikeConfig } from '../../types.js';
+/**
+ * Initialize the hook with configuration
+ */
+export declare function initialize(config: ClawdstrikeConfig): void;
+/**
+ * Hook handler for audit logging
+ */
+declare const handler: HookHandler;
+export default handler;
+//# sourceMappingURL=handler.d.ts.map