@clawdstrike/openclaw 0.1.1 → 0.1.2

package/dist/hooks/agent-bootstrap/handler.js

@@ -3,17 +3,17 @@
  *
  * Injects a SECURITY.md file into the agent bootstrap context.
  */
-import { PolicyEngine } from '../../policy/engine.js';
+import { initializeEngine, getSharedEngine } from '../../engine-holder.js';
 import { generateSecurityPrompt } from '../../security-prompt.js';
-let engine = null;
+/**
+ * Initialize the hook with configuration.
+ * Delegates to the shared engine holder so all hooks share one PolicyEngine.
+ */
 export function initialize(config) {
-    engine = new PolicyEngine(config);
+    initializeEngine(config);
 }
 function getEngine(config) {
-    if (!engine) {
-        engine = new PolicyEngine(config ?? {});
-    }
-    return engine;
+    return getSharedEngine(config);
 }
 const handler = async (event) => {
     if (event.type !== 'agent:bootstrap')

package/dist/hooks/agent-bootstrap/handler.js.map

@@ -1 +1 @@
-{"version":3,"file":"handler.js","sourceRoot":"","sources":["../../../src/hooks/agent-bootstrap/handler.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAElE,IAAI,MAAM,GAAwB,IAAI,CAAC;AAEvC,MAAM,UAAU,UAAU,CAAC,MAAyB;IAClD,MAAM,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,SAAS,CAAC,MAA0B;IAC3C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,GAAG,IAAI,YAAY,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,OAAO,GAAgB,KAAK,EAAE,KAAgB,EAAiB,EAAE;IACrE,IAAI,KAAK,CAAC,IAAI,KAAK,iBAAiB;QAAE,OAAO;IAE7C,MAAM,SAAS,GAAG,KAA4B,CAAC;IAC/C,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC;IAClC,MAAM,YAAY,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;IAEpC,MAAM,MAAM,GAAG,YAAY,CAAC,SAAS,EAAE,CAAC;IACxC,MAAM,aAAa,GAAG,YAAY,CAAC,aAAa,EAAE,CAAC;IAEnD,MAAM,cAAc,GAClB,sBAAsB,CAAC,MAAM,CAAC;QAC9B,yBAAyB;QACzB,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEhD,SAAS,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC;QACpC,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,cAAc;KACxB,CAAC,CAAC;AACL,CAAC,CAAC;AAEF,eAAe,OAAO,CAAC"}
+{"version":3,"file":"handler.js","sourceRoot":"","sources":["../../../src/hooks/agent-bootstrap/handler.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAC3E,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAElE;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,MAAyB;IAClD,gBAAgB,CAAC,MAAM,CAAC,CAAC;AAC3B,CAAC;AAED,SAAS,SAAS,CAAC,MAA0B;IAC3C,OAAO,eAAe,CAAC,MAAM,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,OAAO,GAAgB,KAAK,EAAE,KAAgB,EAAiB,EAAE;IACrE,IAAI,KAAK,CAAC,IAAI,KAAK,iBAAiB;QAAE,OAAO;IAE7C,MAAM,SAAS,GAAG,KAA4B,CAAC;IAC/C,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC;IAClC,MAAM,YAAY,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;IAEpC,MAAM,MAAM,GAAG,YAAY,CAAC,SAAS,EAAE,CAAC;IACxC,MAAM,aAAa,GAAG,YAAY,CAAC,aAAa,EAAE,CAAC;IAEnD,MAAM,cAAc,GAClB,sBAAsB,CAAC,MAAM,CAAC;QAC9B,yBAAyB;QACzB,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEhD,SAAS,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC;QACpC,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,cAAc;KACxB,CAAC,CAAC;AACL,CAAC,CAAC;AAEF,eAAe,OAAO,CAAC"}

package/dist/hooks/approval-state.d.ts

@@ -0,0 +1,31 @@
+/**
+ * @clawdstrike/openclaw - Shared Approval State
+ *
+ * Tracks user approval decisions from preflight so post-exec can honor them.
+ *
+ * Notes:
+ * - In-memory only (process lifetime). Not persisted to disk.
+ * - Keys are hashed to avoid embedding potentially sensitive resource strings.
+ * - TTL + LRU eviction prevents unbounded growth.
+ */
+export type ApprovalResolutionType = 'allow-once' | 'allow-session' | 'allow-always';
+export interface ApprovalRecord {
+    resolution: ApprovalResolutionType;
+    createdAt: number;
+    lastUsedAt: number;
+    expiresAt: number;
+}
+export declare function recordApproval(sessionId: string, toolName: string, resource: string, resolution: ApprovalResolutionType): void;
+/**
+ * Check if an approval exists for this (session, tool, resource) without consuming it.
+ * Only returns session/always approvals (allow-once is intentionally ignored here).
+ */
+export declare function peekApproval(sessionId: string, toolName: string, resource: string): ApprovalRecord | null;
+/**
+ * Check and consume an approval for this (session, tool, resource).
+ * Consumes allow-once; keeps allow-session/allow-always.
+ */
+export declare function checkAndConsumeApproval(sessionId: string, toolName: string, resource: string): ApprovalRecord | null;
+export declare function clearSessionApprovals(sessionId: string): void;
+export declare function clearAllApprovals(): void;
+//# sourceMappingURL=approval-state.d.ts.map

package/dist/hooks/approval-state.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval-state.d.ts","sourceRoot":"","sources":["../../src/hooks/approval-state.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,MAAM,MAAM,sBAAsB,GAAG,YAAY,GAAG,eAAe,GAAG,cAAc,CAAC;AAErF,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,sBAAsB,CAAC;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AA2CD,wBAAgB,cAAc,CAC5B,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,sBAAsB,GACjC,IAAI,CAuBN;AAsED;;;GAGG;AACH,wBAAgB,YAAY,CAC1B,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,GACf,cAAc,GAAG,IAAI,CAkBvB;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,GACf,cAAc,GAAG,IAAI,CAwBvB;AAED,wBAAgB,qBAAqB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAE7D;AAED,wBAAgB,iBAAiB,IAAI,IAAI,CAGxC"}

package/dist/hooks/approval-state.js

@@ -0,0 +1,189 @@
+/**
+ * @clawdstrike/openclaw - Shared Approval State
+ *
+ * Tracks user approval decisions from preflight so post-exec can honor them.
+ *
+ * Notes:
+ * - In-memory only (process lifetime). Not persisted to disk.
+ * - Keys are hashed to avoid embedding potentially sensitive resource strings.
+ * - TTL + LRU eviction prevents unbounded growth.
+ */
+import { createHash } from 'node:crypto';
+const MAX_SESSION_APPROVALS = 256;
+const MAX_ALWAYS_APPROVALS = 256;
+const TTL_ALLOW_ONCE_MS = 10 * 60 * 1000; // 10 minutes (covers slow tool runs)
+const TTL_ALLOW_SESSION_MS = 6 * 60 * 60 * 1000; // 6 hours
+const TTL_ALLOW_ALWAYS_MS = 7 * 24 * 60 * 60 * 1000; // 7 days (still memory-only)
+/** Session-scoped approvals: sessionId -> (hashedKey -> record) */
+const sessionApprovals = new Map();
+/** Global approvals for "allow-always": hashedKey -> record */
+const alwaysApprovals = new Map();
+function normalizeToolName(toolName) {
+    return toolName.trim().toLowerCase();
+}
+function normalizeResource(resource) {
+    return resource.trim();
+}
+function hashKey(toolName, resource) {
+    // Avoid embedding raw resource strings in keys (resource may contain secrets).
+    // Include a separator that cannot appear in JS strings.
+    return createHash('sha256')
+        .update(normalizeToolName(toolName))
+        .update('\0')
+        .update(normalizeResource(resource))
+        .digest('hex');
+}
+function ttlFor(resolution) {
+    switch (resolution) {
+        case 'allow-once':
+            return TTL_ALLOW_ONCE_MS;
+        case 'allow-session':
+            return TTL_ALLOW_SESSION_MS;
+        case 'allow-always':
+            return TTL_ALLOW_ALWAYS_MS;
+    }
+}
+export function recordApproval(sessionId, toolName, resource, resolution) {
+    const now = Date.now();
+    cleanupExpired(now);
+    const key = hashKey(toolName, resource);
+    const record = {
+        resolution,
+        createdAt: now,
+        lastUsedAt: now,
+        expiresAt: now + ttlFor(resolution),
+    };
+    if (resolution === 'allow-always') {
+        setLru(alwaysApprovals, key, record, MAX_ALWAYS_APPROVALS);
+        return;
+    }
+    let m = sessionApprovals.get(sessionId);
+    if (!m) {
+        m = new Map();
+        sessionApprovals.set(sessionId, m);
+    }
+    setLru(m, key, record, MAX_SESSION_APPROVALS);
+}
+function cleanupExpired(now) {
+    for (const [key, rec] of alwaysApprovals.entries()) {
+        if (now > rec.expiresAt)
+            alwaysApprovals.delete(key);
+    }
+    for (const [sid, m] of sessionApprovals.entries()) {
+        for (const [key, rec] of m.entries()) {
+            if (now > rec.expiresAt)
+                m.delete(key);
+        }
+        if (m.size === 0)
+            sessionApprovals.delete(sid);
+    }
+}
+function touch(m, key, rec, now) {
+    // LRU: delete+set moves to most-recently-used.
+    m.delete(key);
+    rec.lastUsedAt = now;
+    // Sliding expiration for session/always approvals.
+    if (rec.resolution === 'allow-session' || rec.resolution === 'allow-always') {
+        rec.expiresAt = now + ttlFor(rec.resolution);
+    }
+    m.set(key, rec);
+}
+function setLru(m, key, rec, maxSize) {
+    if (m.has(key))
+        m.delete(key);
+    m.set(key, rec);
+    while (m.size > maxSize) {
+        const oldest = m.keys().next().value;
+        if (oldest === undefined)
+            break;
+        m.delete(oldest);
+    }
+}
+function getRecord(sessionId, toolName, resource, now) {
+    const key = hashKey(toolName, resource);
+    const m = sessionApprovals.get(sessionId);
+    if (m) {
+        const rec = m.get(key);
+        if (rec) {
+            if (now > rec.expiresAt) {
+                m.delete(key);
+            }
+            else {
+                return { scope: 'session', key, record: rec };
+            }
+        }
+        if (m.size === 0)
+            sessionApprovals.delete(sessionId);
+    }
+    const rec = alwaysApprovals.get(key);
+    if (rec) {
+        if (now > rec.expiresAt) {
+            alwaysApprovals.delete(key);
+        }
+        else {
+            return { scope: 'always', key, record: rec };
+        }
+    }
+    return null;
+}
+/**
+ * Check if an approval exists for this (session, tool, resource) without consuming it.
+ * Only returns session/always approvals (allow-once is intentionally ignored here).
+ */
+export function peekApproval(sessionId, toolName, resource) {
+    const now = Date.now();
+    cleanupExpired(now);
+    const found = getRecord(sessionId, toolName, resource, now);
+    if (!found)
+        return null;
+    const { scope, key, record } = found;
+    if (record.resolution === 'allow-once')
+        return null;
+    if (scope === 'session') {
+        const m = sessionApprovals.get(sessionId);
+        if (m)
+            touch(m, key, record, now);
+    }
+    else {
+        touch(alwaysApprovals, key, record, now);
+    }
+    return record;
+}
+/**
+ * Check and consume an approval for this (session, tool, resource).
+ * Consumes allow-once; keeps allow-session/allow-always.
+ */
+export function checkAndConsumeApproval(sessionId, toolName, resource) {
+    const now = Date.now();
+    cleanupExpired(now);
+    const found = getRecord(sessionId, toolName, resource, now);
+    if (!found)
+        return null;
+    const { scope, key, record } = found;
+    if (scope === 'session') {
+        const m = sessionApprovals.get(sessionId);
+        if (m) {
+            if (record.resolution === 'allow-once') {
+                m.delete(key);
+            }
+            else {
+                touch(m, key, record, now);
+            }
+            if (m.size === 0)
+                sessionApprovals.delete(sessionId);
+        }
+    }
+    else {
+        // allow-always only
+        touch(alwaysApprovals, key, record, now);
+    }
+    return record;
+}
+export function clearSessionApprovals(sessionId) {
+    sessionApprovals.delete(sessionId);
+}
+export function clearAllApprovals() {
+    sessionApprovals.clear();
+    alwaysApprovals.clear();
+}
+//# sourceMappingURL=approval-state.js.map

package/dist/hooks/approval-state.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval-state.js","sourceRoot":"","sources":["../../src/hooks/approval-state.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAWzC,MAAM,qBAAqB,GAAG,GAAG,CAAC;AAClC,MAAM,oBAAoB,GAAG,GAAG,CAAC;AAEjC,MAAM,iBAAiB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,qCAAqC;AAC/E,MAAM,oBAAoB,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,UAAU;AAC3D,MAAM,mBAAmB,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,6BAA6B;AAElF,mEAAmE;AACnE,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAuC,CAAC;AACxE,+DAA+D;AAC/D,MAAM,eAAe,GAAG,IAAI,GAAG,EAA0B,CAAC;AAE1D,SAAS,iBAAiB,CAAC,QAAgB;IACzC,OAAO,QAAQ,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;AACvC,CAAC;AAED,SAAS,iBAAiB,CAAC,QAAgB;IACzC,OAAO,QAAQ,CAAC,IAAI,EAAE,CAAC;AACzB,CAAC;AAED,SAAS,OAAO,CAAC,QAAgB,EAAE,QAAgB;IACjD,+EAA+E;IAC/E,wDAAwD;IACxD,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;SACnC,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;SACnC,MAAM,CAAC,KAAK,CAAC,CAAC;AACnB,CAAC;AAED,SAAS,MAAM,CAAC,UAAkC;IAChD,QAAQ,UAAU,EAAE,CAAC;QACnB,KAAK,YAAY;YACf,OAAO,iBAAiB,CAAC;QAC3B,KAAK,eAAe;YAClB,OAAO,oBAAoB,CAAC;QAC9B,KAAK,cAAc;YACjB,OAAO,mBAAmB,CAAC;IAC/B,CAAC;AACH,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,SAAiB,EACjB,QAAgB,EAChB,QAAgB,EAChB,UAAkC;IAElC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,cAAc,CAAC,GAAG,CAAC,CAAC;IAEpB,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IACxC,MAAM,MAAM,GAAmB;QAC7B,UAAU;QACV,SAAS,EAAE,GAAG;QACd,UAAU,EAAE,GAAG;QACf,SAAS,EAAE,GAAG,GAAG,MAAM,CAAC,UAAU,CAAC;KACpC,CAAC;IAEF,IAAI,UAAU,KAAK,cAAc,EAAE,CAAC;QAClC,MAAM,CAAC,eAAe,EAAE,GAAG,EAAE,MAAM,EAAE,oBAAoB,CAAC,CAAC;QAC3D,OAAO;IACT,CAAC;IAED,IAAI,CAAC,GAAG,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACxC,IAAI,CAAC,CAAC,EAAE,CAAC;QACP,CAAC,GAAG,IAAI,GAAG,EAA0B,CAAC;QACtC,gBAAgB,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;IACrC,CAAC;IACD,MAAM,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,qBAAqB,CAAC,CAAC;AAChD,CAAC;AAED,SAAS,cAAc,CAAC,GAAW;IACjC,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,eAAe,CAAC,OAAO,EAAE,EAAE,CAAC;QACnD,IAAI,GAAG,GAAG,GAAG,CAAC,SAAS;YAAE,eAAe,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACvD,CAAC;IAED,KAAK,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,gBAAgB,CAAC,OAAO,EAAE,EAAE,CAAC;QAClD,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC;YACrC,IAAI,GAAG,GAAG,GAAG,CAAC,SAAS;gBAAE,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACzC,CAAC;QACD,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC;YAAE,gBAAgB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACjD,CAAC;AACH,CAAC;AAED,SAAS,KAAK,CAAC,CAA8B,EAAE,GAAW,EAAE,GAAmB,EAAE,GAAW;IAC1F,+CAA+C;IAC/C,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACd,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;IAErB,mDAAmD;IACnD,IAAI,GAAG,CAAC,UAAU,KAAK,eAAe,IAAI,GAAG,CAAC,UAAU,KAAK,cAAc,EAAE,CAAC;QAC5E,GAAG,CAAC,SAAS,GAAG,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC/C,CAAC;IACD,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;AAClB,CAAC;AAED,SAAS,MAAM,CAAC,CAA8B,EAAE,GAAW,EAAE,GAAmB,EAAE,OAAe;IAC/F,IAAI,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC9B,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAChB,OAAO,CAAC,CAAC,IAAI,GAAG,OAAO,EAAE,CAAC;QACxB,MAAM,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;QACrC,IAAI,MAAM,KAAK,SAAS;YAAE,MAAM;QAChC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,SAAS,CAChB,SAAiB,EACjB,QAAgB,EAChB,QAAgB,EAChB,GAAW;IAEX,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAExC,MAAM,CAAC,GAAG,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC1C,IAAI,CAAC,EAAE,CAAC;QACN,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACvB,IAAI,GAAG,EAAE,CAAC;YACR,IAAI,GAAG,GAAG,GAAG,CAAC,SAAS,EAAE,CAAC;gBACxB,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAChB,CAAC;iBAAM,CAAC;gBACN,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;YAChD,CAAC;QACH,CAAC;QACD,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC;YAAE,gBAAgB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACvD,CAAC;IAED,MAAM,GAAG,GAAG,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACrC,IAAI,GAAG,EAAE,CAAC;QACR,IAAI,GAAG,GAAG,GAAG,CAAC,SAAS,EAAE,CAAC;YACxB,eAAe,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC9B,CAAC;aAAM,CAAC;YACN,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QAC/C,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAC1B,SAAiB,EACjB,QAAgB,EAChB,QAAgB;IAEhB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,cAAc,CAAC,GAAG,CAAC,CAAC;IAEpB,MAAM,KAAK,GAAG,SAAS,CAAC,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,CAAC,CAAC;IAC5D,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,KAAK,CAAC;IACrC,IAAI,MAAM,CAAC,UAAU,KAAK,YAAY;QAAE,OAAO,IAAI,CAAC;IAEpD,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,MAAM,CAAC,GAAG,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC1C,IAAI,CAAC;YAAE,KAAK,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC;IACpC,CAAC;SAAM,CAAC;QACN,KAAK,CAAC,eAAe,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC;IAC3C,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CACrC,SAAiB,EACjB,QAAgB,EAChB,QAAgB;IAEhB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,cAAc,CAAC,GAAG,CAAC,CAAC;IAEpB,MAAM,KAAK,GAAG,SAAS,CAAC,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,CAAC,CAAC;IAC5D,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,KAAK,CAAC;IACrC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,MAAM,CAAC,GAAG,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC1C,IAAI,CAAC,EAAE,CAAC;YACN,IAAI,MAAM,CAAC,UAAU,KAAK,YAAY,EAAE,CAAC;gBACvC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAChB,CAAC;iBAAM,CAAC;gBACN,KAAK,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC;YAC7B,CAAC;YACD,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC;gBAAE,gBAAgB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;SAAM,CAAC;QACN,oBAAoB;QACpB,KAAK,CAAC,eAAe,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC;IAC3C,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,SAAiB;IACrD,gBAAgB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AACrC,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,gBAAgB,CAAC,KAAK,EAAE,CAAC;IACzB,eAAe,CAAC,KAAK,EAAE,CAAC;AAC1B,CAAC"}

package/dist/hooks/approval-utils.d.ts

@@ -0,0 +1,5 @@
+import type { PolicyEngine } from '../policy/engine.js';
+export declare function extractPath(params: Record<string, unknown>): string | undefined;
+export declare function extractNetworkTarget(params: Record<string, unknown>): string | undefined;
+export declare function normalizeApprovalResource(policyEngine: PolicyEngine, toolName: string, params: Record<string, unknown>): string;
+//# sourceMappingURL=approval-utils.d.ts.map

package/dist/hooks/approval-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval-utils.d.ts","sourceRoot":"","sources":["../../src/hooks/approval-utils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAExD,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,GAAG,SAAS,CAiB/E;AAiBD,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,GAAG,SAAS,CAmCxF;AAED,wBAAgB,yBAAyB,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAU/H"}

package/dist/hooks/approval-utils.js

@@ -0,0 +1,77 @@
+export function extractPath(params) {
+    const pathKeys = ['path', 'file', 'file_path', 'filepath', 'filename', 'target'];
+    for (const key of pathKeys) {
+        const value = params[key];
+        if (typeof value === 'string') {
+            return value;
+        }
+    }
+    // Best-effort extraction from a command string (e.g., "cat /path/to/file").
+    const cmdLine = typeof params.command === 'string' ? params.command : typeof params.cmd === 'string' ? params.cmd : undefined;
+    if (cmdLine) {
+        const match = cmdLine.match(/(?:cat|head|tail|less|more|vim|nano|read)\s+([^\s|><]+)/);
+        if (match)
+            return match[1];
+    }
+    return undefined;
+}
+function formatHostPort(hostRaw, port) {
+    const trimmed = hostRaw.trim();
+    if (!trimmed)
+        return '';
+    // If the host already looks like `host:port`, prefer leaving it as-is to avoid
+    // producing invalid forms like `[example.com:8080]:443`.
+    const unbracketed = trimmed.replace(/^\[|\]$/g, '');
+    const colonCount = (unbracketed.match(/:/g) ?? []).length;
+    if (colonCount === 1 && !trimmed.startsWith('[')) {
+        return trimmed;
+    }
+    return colonCount >= 2 ? `[${unbracketed}]:${port}` : `${unbracketed}:${port}`;
+}
+export function extractNetworkTarget(params) {
+    const url = typeof params.url === 'string' ? params.url
+        : typeof params.endpoint === 'string' ? params.endpoint
+            : typeof params.href === 'string' ? params.href
+                : undefined;
+    if (url) {
+        try {
+            const parsed = new URL(url);
+            const host = parsed.hostname;
+            if (host) {
+                const port = parsed.port
+                    ? parseInt(parsed.port, 10)
+                    : parsed.protocol === 'https:' ? 443 : parsed.protocol === 'http:' ? 80 : undefined;
+                if (typeof port === 'number' && Number.isFinite(port)) {
+                    return formatHostPort(host, port);
+                }
+                return host;
+            }
+        }
+        catch {
+            // Not a valid URL; fall through to host/port keys.
+        }
+    }
+    const host = typeof params.host === 'string' ? params.host
+        : typeof params.hostname === 'string' ? params.hostname
+            : undefined;
+    if (!host || !host.trim())
+        return undefined;
+    const portRaw = params.port;
+    const port = typeof portRaw === 'number' ? portRaw : typeof portRaw === 'string' ? parseInt(portRaw, 10) : undefined;
+    if (typeof port === 'number' && Number.isFinite(port)) {
+        return formatHostPort(host, port);
+    }
+    return host.trim();
+}
+export function normalizeApprovalResource(policyEngine, toolName, params) {
+    const raw = extractPath(params)
+        ?? extractNetworkTarget(params)
+        ?? (typeof params.command === 'string' ? params.command : typeof params.cmd === 'string' ? params.cmd : undefined)
+        ?? toolName;
+    const redacted = policyEngine.redactSecrets(raw).trim();
+    const maxChars = 1024;
+    if (redacted.length <= maxChars)
+        return redacted;
+    return redacted.slice(0, maxChars) + '...[truncated]';
+}
+//# sourceMappingURL=approval-utils.js.map

package/dist/hooks/approval-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval-utils.js","sourceRoot":"","sources":["../../src/hooks/approval-utils.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,WAAW,CAAC,MAA+B;IACzD,MAAM,QAAQ,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,UAAU,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;IACjF,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QAC1B,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,4EAA4E;IAC5E,MAAM,OAAO,GAAG,OAAO,MAAM,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;IAC9H,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,yDAAyD,CAAC,CAAC;QACvF,IAAI,KAAK;YAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,cAAc,CAAC,OAAe,EAAE,IAAY;IACnD,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAC/B,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,CAAC;IAExB,+EAA+E;IAC/E,yDAAyD;IACzD,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IACpD,MAAM,UAAU,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;IAC1D,IAAI,UAAU,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACjD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,OAAO,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC,GAAG,WAAW,IAAI,IAAI,EAAE,CAAC;AACjF,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,MAA+B;IAClE,MAAM,GAAG,GAAG,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG;QACrD,CAAC,CAAC,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ;YACvD,CAAC,CAAC,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI;gBAC/C,CAAC,CAAC,SAAS,CAAC;IAEd,IAAI,GAAG,EAAE,CAAC;QACR,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YAC5B,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC;YAC7B,IAAI,IAAI,EAAE,CAAC;gBACT,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI;oBACtB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;oBAC3B,CAAC,CAAC,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;gBACtF,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;oBACtD,OAAO,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;gBACpC,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,mDAAmD;QACrD,CAAC;IACH,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI;QACxD,CAAC,CAAC,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ;YACvD,CAAC,CAAC,SAAS,CAAC;IACd,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;QAAE,OAAO,SAAS,CAAC;IAE5C,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC;IAC5B,MAAM,IAAI,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IACrH,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACtD,OAAO,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACpC,CAAC;IACD,OAAO,IAAI,CAAC,IAAI,EAAE,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,YAA0B,EAAE,QAAgB,EAAE,MAA+B;IACrH,MAAM,GAAG,GAAG,WAAW,CAAC,MAAM,CAAC;WAC1B,oBAAoB,CAAC,MAAM,CAAC;WAC5B,CAAC,OAAO,MAAM,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;WAC/G,QAAQ,CAAC;IACd,MAAM,QAAQ,GAAG,YAAY,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IAExD,MAAM,QAAQ,GAAG,IAAI,CAAC;IACtB,IAAI,QAAQ,CAAC,MAAM,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IACjD,OAAO,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,GAAG,gBAAgB,CAAC;AACxD,CAAC"}

package/dist/hooks/audit-logger/handler.d.ts

@@ -2,6 +2,10 @@
  * @clawdstrike/openclaw - Audit Logger Hook Handler
  *
  * Logs security events for audit and compliance.
+ *
+ * NOTE: Not currently registered in plugin.ts. The audit logger needs to be
+ * redesigned to capture structured policy decisions (not just console output)
+ * before it can be connected end-to-end. See docs/audits/2026-02-25-openclaw-correctness-findings.md#C6.
  */
 import type { HookHandler, ClawdstrikeConfig } from '../../types.js';
 /**

package/dist/hooks/audit-logger/handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../../src/hooks/audit-logger/handler.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,WAAW,EAGX,iBAAiB,EAElB,MAAM,gBAAgB,CAAC;AAMxB;;GAEG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,iBAAiB,GAAG,IAAI,CAG1D;AAED;;GAEG;AACH,QAAA,MAAM,OAAO,EAAE,WAyBd,CAAC;AAyBF,eAAe,OAAO,CAAC"}
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../../src/hooks/audit-logger/handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EACV,WAAW,EAGX,iBAAiB,EAElB,MAAM,gBAAgB,CAAC;AAMxB;;GAEG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,iBAAiB,GAAG,IAAI,CAG1D;AAED;;GAEG;AACH,QAAA,MAAM,OAAO,EAAE,WAyBd,CAAC;AAyBF,eAAe,OAAO,CAAC"}

package/dist/hooks/audit-logger/handler.js

@@ -2,6 +2,10 @@
  * @clawdstrike/openclaw - Audit Logger Hook Handler
  *
  * Logs security events for audit and compliance.
+ *
+ * NOTE: Not currently registered in plugin.ts. The audit logger needs to be
+ * redesigned to capture structured policy decisions (not just console output)
+ * before it can be connected end-to-end. See docs/audits/2026-02-25-openclaw-correctness-findings.md#C6.
  */
 import { mergeConfig } from '../../config.js';
 /** Logger instance */

package/dist/hooks/audit-logger/handler.js.map

@@ -1 +1 @@
-{"version":3,"file":"handler.js","sourceRoot":"","sources":["../../../src/hooks/audit-logger/handler.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AASH,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAE9C,sBAAsB;AACtB,IAAI,MAAM,GAAkB,IAAI,CAAC;AAEjC;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,MAAyB;IAClD,MAAM,YAAY,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IACzC,MAAM,GAAG,iBAAiB,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;AACpD,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,GAAgB,KAAK,EAAE,KAAgB,EAAiB,EAAE;IACrE,IAAI,KAAK,CAAC,IAAI,KAAK,qBAAqB,EAAE,CAAC;QACzC,OAAO;IACT,CAAC;IAED,MAAM,SAAS,GAAG,KAA+B,CAAC;IAClD,MAAM,GAAG,GAAG,MAAM,IAAI,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAEhD,MAAM,UAAU,GAAG;QACjB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,SAAS,EAAE,qBAAqB;QAChC,SAAS,EAAE,SAAS,CAAC,OAAO,CAAC,SAAS;QACtC,QAAQ,EAAE,SAAS,CAAC,OAAO,CAAC,UAAU,CAAC,QAAQ;QAC/C,QAAQ,EAAE,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK;QAC9C,YAAY,EAAE,SAAS,CAAC,QAAQ,CAAC,MAAM;KACxC,CAAC;IAEF,uBAAuB;IACvB,IAAI,SAAS,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;QACvC,GAAG,CAAC,IAAI,CAAC,sBAAsB,EAAE,UAAU,CAAC,CAAC;IAC/C,CAAC;SAAM,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;QACjE,GAAG,CAAC,IAAI,CAAC,qCAAqC,EAAE,UAAU,CAAC,CAAC;IAC9D,CAAC;SAAM,CAAC;QACN,GAAG,CAAC,KAAK,CAAC,uBAAuB,EAAE,UAAU,CAAC,CAAC;IACjD,CAAC;AACH,CAAC,CAAC;AAEF;;GAEG;AACH,SAAS,iBAAiB,CAAC,KAAa;IACtC,MAAM,MAAM,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IAClD,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAEvC,OAAO;QACL,KAAK,EAAE,CAAC,GAAG,IAAI,EAAE,EAAE;YACjB,IAAI,QAAQ,IAAI,CAAC;gBAAE,OAAO,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,CAAC;QAC5C,CAAC;QACD,IAAI,EAAE,CAAC,GAAG,IAAI,EAAE,EAAE;YAChB,IAAI,QAAQ,IAAI,CAAC;gBAAE,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC;QAC3C,CAAC;QACD,IAAI,EAAE,CAAC,GAAG,IAAI,EAAE,EAAE;YAChB,IAAI,QAAQ,IAAI,CAAC;gBAAE,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC;QAC3C,CAAC;QACD,KAAK,EAAE,CAAC,GAAG,IAAI,EAAE,EAAE;YACjB,IAAI,QAAQ,IAAI,CAAC;gBAAE,OAAO,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,CAAC;QAC5C,CAAC;KACF,CAAC;AACJ,CAAC;AAED,eAAe,OAAO,CAAC"}
+{"version":3,"file":"handler.js","sourceRoot":"","sources":["../../../src/hooks/audit-logger/handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AASH,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAE9C,sBAAsB;AACtB,IAAI,MAAM,GAAkB,IAAI,CAAC;AAEjC;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,MAAyB;IAClD,MAAM,YAAY,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IACzC,MAAM,GAAG,iBAAiB,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;AACpD,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,GAAgB,KAAK,EAAE,KAAgB,EAAiB,EAAE;IACrE,IAAI,KAAK,CAAC,IAAI,KAAK,qBAAqB,EAAE,CAAC;QACzC,OAAO;IACT,CAAC;IAED,MAAM,SAAS,GAAG,KAA+B,CAAC;IAClD,MAAM,GAAG,GAAG,MAAM,IAAI,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAEhD,MAAM,UAAU,GAAG;QACjB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,SAAS,EAAE,qBAAqB;QAChC,SAAS,EAAE,SAAS,CAAC,OAAO,CAAC,SAAS;QACtC,QAAQ,EAAE,SAAS,CAAC,OAAO,CAAC,UAAU,CAAC,QAAQ;QAC/C,QAAQ,EAAE,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK;QAC9C,YAAY,EAAE,SAAS,CAAC,QAAQ,CAAC,MAAM;KACxC,CAAC;IAEF,uBAAuB;IACvB,IAAI,SAAS,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;QACvC,GAAG,CAAC,IAAI,CAAC,sBAAsB,EAAE,UAAU,CAAC,CAAC;IAC/C,CAAC;SAAM,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;QACjE,GAAG,CAAC,IAAI,CAAC,qCAAqC,EAAE,UAAU,CAAC,CAAC;IAC9D,CAAC;SAAM,CAAC;QACN,GAAG,CAAC,KAAK,CAAC,uBAAuB,EAAE,UAAU,CAAC,CAAC;IACjD,CAAC;AACH,CAAC,CAAC;AAEF;;GAEG;AACH,SAAS,iBAAiB,CAAC,KAAa;IACtC,MAAM,MAAM,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IAClD,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAEvC,OAAO;QACL,KAAK,EAAE,CAAC,GAAG,IAAI,EAAE,EAAE;YACjB,IAAI,QAAQ,IAAI,CAAC;gBAAE,OAAO,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,CAAC;QAC5C,CAAC;QACD,IAAI,EAAE,CAAC,GAAG,IAAI,EAAE,EAAE;YAChB,IAAI,QAAQ,IAAI,CAAC;gBAAE,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC;QAC3C,CAAC;QACD,IAAI,EAAE,CAAC,GAAG,IAAI,EAAE,EAAE;YAChB,IAAI,QAAQ,IAAI,CAAC;gBAAE,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC;QAC3C,CAAC;QACD,KAAK,EAAE,CAAC,GAAG,IAAI,EAAE,EAAE;YACjB,IAAI,QAAQ,IAAI,CAAC;gBAAE,OAAO,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,CAAC;QAC5C,CAAC;KACF,CAAC;AACJ,CAAC;AAED,eAAe,OAAO,CAAC"}

package/dist/hooks/cua-bridge/handler.d.ts

@@ -0,0 +1,57 @@
+/**
+ * @clawdstrike/openclaw - CUA Bridge Hook Handler
+ *
+ * Detects CUA (Computer Use Agent) actions from OpenClaw tool calls and emits
+ * canonical CUA policy events via PolicyEventFactory from adapter-core.
+ *
+ * CUA actions are identified by toolName prefix or explicit metadata. When
+ * detected, the bridge creates the appropriate canonical CUA event, evaluates
+ * it through the policy engine, and applies the decision (allow/warn/deny).
+ *
+ * Design: fail-closed on unknown CUA action types. Non-CUA tool calls are
+ * passed through unchanged (no regression on existing behavior).
+ */
+import { type PolicyEvent } from '@clawdstrike/adapter-core';
+import type { HookHandler, ClawdstrikeConfig } from '../../types.js';
+export declare const CUA_ERROR_CODES: {
+    readonly UNKNOWN_ACTION: "OCLAW_CUA_UNKNOWN_ACTION";
+    readonly MISSING_METADATA: "OCLAW_CUA_MISSING_METADATA";
+    readonly SESSION_MISSING: "OCLAW_CUA_SESSION_MISSING";
+};
+/** Maps recognized CUA action tokens to factory method selectors. */
+type CuaActionKind = 'connect' | 'disconnect' | 'reconnect' | 'input_inject' | 'clipboard_read' | 'clipboard_write' | 'file_upload' | 'file_download' | 'session_share' | 'audio' | 'drive_mapping' | 'printing';
+/**
+ * Initialize the hook with configuration.
+ * Delegates to the shared engine holder so all hooks share one PolicyEngine.
+ */
+export declare function initialize(config: ClawdstrikeConfig): void;
+/**
+ * Check if a tool call is a CUA action (by prefix or explicit cua metadata).
+ */
+export declare function isCuaToolCall(toolName: string, params: Record<string, unknown>): boolean;
+/**
+ * Extract the CUA action token from a tool name or params.
+ */
+declare function extractActionToken(toolName: string, params: Record<string, unknown>): string | null;
+/**
+ * Classify a CUA action token into a known CuaActionKind.
+ * Returns null for unknown actions (fail-closed).
+ */
+declare function classifyCuaAction(token: string): CuaActionKind | null;
+/**
+ * Build a canonical CUA PolicyEvent using the PolicyEventFactory.
+ */
+export declare function buildCuaEvent(sessionId: string, kind: CuaActionKind, params: Record<string, unknown>): PolicyEvent;
+/**
+ * CUA bridge hook handler for tool_call (pre-execution) events.
+ *
+ * Only activates for CUA tool calls. Non-CUA tools pass through untouched
+ * so existing preflight behavior is preserved.
+ *
+ * Fail-closed: unknown CUA action types are denied with stable error code.
+ * Missing session ID or CUA metadata also fail closed.
+ */
+declare const handler: HookHandler;
+export default handler;
+export { classifyCuaAction, extractActionToken, type CuaActionKind, };
+//# sourceMappingURL=handler.d.ts.map

package/dist/hooks/cua-bridge/handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../../src/hooks/cua-bridge/handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAKL,KAAK,WAAW,EACjB,MAAM,2BAA2B,CAAC;AACnC,OAAO,KAAK,EACV,WAAW,EAMX,iBAAiB,EAClB,MAAM,gBAAgB,CAAC;AAOxB,eAAO,MAAM,eAAe;;;;CAIlB,CAAC;AAWX,qEAAqE;AACrE,KAAK,aAAa,GACd,SAAS,GACT,YAAY,GACZ,WAAW,GACX,cAAc,GACd,gBAAgB,GAChB,iBAAiB,GACjB,aAAa,GACb,eAAe,GACf,eAAe,GACf,OAAO,GACP,eAAe,GACf,UAAU,CAAC;AAqBf;;;GAGG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,iBAAiB,GAAG,IAAI,CAE1D;AAeD;;GAEG;AACH,wBAAgB,aAAa,CAC3B,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,OAAO,CAYT;AAED;;GAEG;AACH,iBAAS,kBAAkB,CACzB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,MAAM,GAAG,IAAI,CAsBf;AAED;;;GAGG;AACH,iBAAS,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI,CAO9D;AAID;;GAEG;AACH,wBAAgB,aAAa,CAC3B,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,aAAa,EACnB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,WAAW,CAqDb;AAkBD;;;;;;;;GAQG;AACH,QAAA,MAAM,OAAO,EAAE,WA6Hd,CAAC;AAEF,eAAe,OAAO,CAAC;AAGvB,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,KAAK,aAAa,GACnB,CAAC"}