npm - @darkelogix/openclaw-trusted-mode - Versions diffs - 1.0.1 → 1.0.3 - Mend

@darkelogix/openclaw-trusted-mode 1.0.1 → 1.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +13 -9
package/README.md +195 -196
package/SELF_SERVICE_FAQ.md +149 -149
package/attestation/trusted_mode_attest_v1.json +21 -0
package/attestation/trusted_mode_attest_v1.sig +1 -0
package/dist/cli.js +8 -0
package/dist/constraints.js +1 -53
package/package.json +4 -2

package/CHANGELOG.md CHANGED Viewed

@@ -9,8 +9,16 @@ Terminology and acronyms: [`GLOSSARY.md`](./GLOSSARY.md).
 - `CLI`: Command Line Interface
 - `CI`: Continuous Integration
-## Unreleased
-- Add governed release artifacts (`SECURITY.md`, `RELEASE_v1.0.0.md`, compatibility matrix).
+## Unreleased
+- Add gateway/environment fields to the published Trusted Mode Check PDP requests so live Guard Pro runtime validation works against quota-aware runtime bundles.
+## v1.0.3
+- Include the signed attestation pack files in the public npm package so Trusted Mode Check can verify local attestation out of the box.
+## v1.0.2
+- Publish the gateway/environment-aware Trusted Mode Check flow so governed runtime validation uses the same tenant, gateway, and environment context as the customer runtime.
+- Add governed release artifacts (`SECURITY.md`, `RELEASE_v1.0.0.md`, compatibility matrix).
 - Add Trusted Mode Check attestation status contract (`ENFORCED_OK`, `LOCKDOWN_ONLY`, `UNSAFE`) with JSON output.
 - Add CI gates for release artifact and changelog version discipline.
 - Add runtime certification gating (`CERTIFIED_ENFORCED` vs `LOCKDOWN_ONLY`/`UNSUPPORTED`) in plugin.
@@ -25,13 +33,9 @@ Terminology and acronyms: [`GLOSSARY.md`](./GLOSSARY.md).
 - Add generated `SECURITY_RELEASE_INDEX.md` artifact and workflow integration for release evidence traceability.
 - Add enterprise hardening options in plugin config (`toolPolicyMode`, `allowedTools`, `requireTenantId`, `allowedTenantIds`) with fail-closed validation behavior.
 - Add plugin schema/runtime contract check (`verify-plugin-schema-contract`) and CI enforcement.
-- Add consolidated release evidence bundling command (`bundle-release-evidence`) and release workflow artifact publication.
-- Add enterprise TCTP/EVTP validation matrix runner (`npm run test-pack-matrix`) against live PDP.
-- Add release documentation for deterministic certification proof (`decision_proof`) vs timestamped operational `outcome_event`.
-## v1.0.1
-- normalize constrained paths before prefix enforcement so `/tmp-evil`, traversal segments, and Windows path-prefix collisions do not bypass policy
-- add regression coverage for path normalization and descendant-boundary checks
+- Add consolidated release evidence bundling command (`bundle-release-evidence`) and release workflow artifact publication.
+- Add enterprise TCTP/EVTP validation matrix runner (`npm run test-pack-matrix`) against live PDP.
+- Add release documentation for deterministic certification proof (`decision_proof`) vs timestamped operational `outcome_event`.
 ## v1.0.0
 - Add Trusted Mode Check CLI (Node) with mock PDP for CI.

package/README.md CHANGED Viewed

@@ -1,202 +1,201 @@
-# @darkelogix/openclaw-trusted-mode
-Terminology and acronyms: [`GLOSSARY.md`](./GLOSSARY.md).
-## Acronym Expansions
-- `SDE`: Strategic Decision Engine
-- `PDP`: Policy Decision Point
-- `WSL`: Windows Subsystem for Linux
-- `CI`: Continuous Integration
-OpenClaw plugin that enforces Trusted Mode policy checks on `before_tool_call`.
-Documentation index (by audience and task): [`docs/README.md`](./docs/README.md).
-## npm Package
-Install the public MIT adapter/plugin package with:
-```bash
-npm install @darkelogix/openclaw-trusted-mode
-```
-## What `npm install` gives you
-`npm install @darkelogix/openclaw-trusted-mode` gives you the MIT adapter/plugin layer and standalone hardening flow only. It does not grant access to the proprietary SDE runtime, enterprise deployment packs, or governed tenant entitlements.
-## Need governed mode?
-If you want SDE-backed governed mode, obtain your licensed SDE runtime and deployment instructions from the Darkelogix customer console. Use the public npm package for adapter installation, then connect it to your licensed SDE environment for governed authorization, evidence, and rollout controls.
-The npm package contains the MIT plugin files and standalone hardening logic only.
-It does not include the proprietary `sde-enterprise` runtime.
-## Licensing
-`openclaw-trusted-mode` is licensed under the MIT License.
-`sde-enterprise`, including the SDE PDP runtime and related enterprise deployment assets, is proprietary software and is not covered by the plugin's MIT license. Use, copying, modification, distribution, or deployment of the SDE runtime requires a separate commercial license or written permission from Darkelogix.
-First-time setup (download/install/configure/test/run): [`START_HERE.md`](./START_HERE.md).
-Troubleshooting decision tree: [`SELF_SERVICE_FAQ.md`](./SELF_SERVICE_FAQ.md).
-Org defaults and support metadata: `<org-values-file>`.
-One-command setup: `powershell -ExecutionPolicy Bypass -File <bootstrap-self-service-script-path>`.
-For full install/reinstall/uninstall/startup/config/troubleshooting guidance across both plugin and SDE-PDP, see [`OPERATIONS_GUIDE.md`](./OPERATIONS_GUIDE.md).
-For a simpler operator runbook, see [`RUNBOOK_NON_TECHNICAL.md`](./RUNBOOK_NON_TECHNICAL.md).
-For go-live gating, use [`PRODUCTION_READINESS_CHECKLIST.md`](./PRODUCTION_READINESS_CHECKLIST.md).
-For a pre-filled starting point, use [`PRODUCTION_READINESS_CHECKLIST_EXAMPLE.md`](./PRODUCTION_READINESS_CHECKLIST_EXAMPLE.md).
-For alternate port deployments, use [`PRODUCTION_READINESS_CHECKLIST_EXAMPLE_ALT_PORTS.md`](./PRODUCTION_READINESS_CHECKLIST_EXAMPLE_ALT_PORTS.md).
-For public launch readiness, use [`PUBLIC_RELEASE_READINESS_CHECKLIST.md`](./PUBLIC_RELEASE_READINESS_CHECKLIST.md).
-For end-to-end public release execution steps (what/where/how), use [`PUBLIC_RELEASE_PROCESS_RUNBOOK.md`](./PUBLIC_RELEASE_PROCESS_RUNBOOK.md).
-For certified runtime support status, see [`COMPATIBILITY_MATRIX.md`](./COMPATIBILITY_MATRIX.md).
-For vulnerability reporting and security posture, see [`SECURITY.md`](./SECURITY.md).
-For release hardening process, see [`RELEASE_OPERATIONS.md`](./RELEASE_OPERATIONS.md).
-For security evidence indexing, see [`SECURITY_EVIDENCE_BUNDLE.md`](./SECURITY_EVIDENCE_BUNDLE.md).
-For performance baseline evidence, see [`PERFORMANCE_BASELINE.md`](./PERFORMANCE_BASELINE.md).
-For governed release declaration, see [`RELEASE_v1.0.0.md`](./RELEASE_v1.0.0.md).
-## What it does
+# @darkelogix/openclaw-trusted-mode
+Terminology and acronyms: [`GLOSSARY.md`](./GLOSSARY.md).
+## Acronym Expansions
+- `SDE`: Strategic Decision Engine
+- `PDP`: Policy Decision Point
+- `WSL`: Windows Subsystem for Linux
+- `CI`: Continuous Integration
+OpenClaw plugin that enforces Trusted Mode policy checks on `before_tool_call`.
+Documentation index (by audience and task): [`docs/README.md`](./docs/README.md).
+## npm Package
+Install the public MIT adapter/plugin package with:
+```bash
+npm install @darkelogix/openclaw-trusted-mode
+```
+## What `npm install` gives you
+`npm install @darkelogix/openclaw-trusted-mode` gives you the MIT adapter/plugin layer and standalone hardening flow only. It does not grant access to the proprietary SDE runtime, enterprise deployment packs, or governed tenant entitlements.
+## Need governed mode?
+If you want SDE-backed governed mode, obtain your licensed SDE runtime and deployment instructions from the Darkelogix customer console. Use the public npm package for adapter installation, then connect it to your licensed SDE environment for governed authorization, evidence, and rollout controls.
+The npm package contains the MIT plugin files and standalone hardening logic only.
+It does not include the proprietary `sde-enterprise` runtime.
+## Licensing
+`openclaw-trusted-mode` is licensed under the MIT License.
+`sde-enterprise`, including the SDE PDP runtime and related enterprise deployment assets, is proprietary software and is not covered by the plugin's MIT license. Use, copying, modification, distribution, or deployment of the SDE runtime requires a separate commercial license or written permission from Darkelogix.
+First-time setup (download/install/configure/test/run): [`START_HERE.md`](./START_HERE.md).
+Troubleshooting decision tree: [`SELF_SERVICE_FAQ.md`](./SELF_SERVICE_FAQ.md).
+Org defaults and support metadata: `<org-values-file>`.
+One-command setup: `powershell -ExecutionPolicy Bypass -File <bootstrap-self-service-script-path>`.
+For full install/reinstall/uninstall/startup/config/troubleshooting guidance across both plugin and SDE-PDP, see [`OPERATIONS_GUIDE.md`](./OPERATIONS_GUIDE.md).
+For a simpler operator runbook, see [`RUNBOOK_NON_TECHNICAL.md`](./RUNBOOK_NON_TECHNICAL.md).
+For go-live gating, use [`PRODUCTION_READINESS_CHECKLIST.md`](./PRODUCTION_READINESS_CHECKLIST.md).
+For a pre-filled starting point, use [`PRODUCTION_READINESS_CHECKLIST_EXAMPLE.md`](./PRODUCTION_READINESS_CHECKLIST_EXAMPLE.md).
+For alternate port deployments, use [`PRODUCTION_READINESS_CHECKLIST_EXAMPLE_ALT_PORTS.md`](./PRODUCTION_READINESS_CHECKLIST_EXAMPLE_ALT_PORTS.md).
+For public launch readiness, use [`PUBLIC_RELEASE_READINESS_CHECKLIST.md`](./PUBLIC_RELEASE_READINESS_CHECKLIST.md).
+For end-to-end public release execution steps (what/where/how), use [`PUBLIC_RELEASE_PROCESS_RUNBOOK.md`](./PUBLIC_RELEASE_PROCESS_RUNBOOK.md).
+For certified runtime support status, see [`COMPATIBILITY_MATRIX.md`](./COMPATIBILITY_MATRIX.md).
+For vulnerability reporting and security posture, see [`SECURITY.md`](./SECURITY.md).
+For release hardening process, see [`RELEASE_OPERATIONS.md`](./RELEASE_OPERATIONS.md).
+For security evidence indexing, see [`SECURITY_EVIDENCE_BUNDLE.md`](./SECURITY_EVIDENCE_BUNDLE.md).
+For performance baseline evidence, see [`PERFORMANCE_BASELINE.md`](./PERFORMANCE_BASELINE.md).
+For governed release declaration, see [`RELEASE_v1.0.0.md`](./RELEASE_v1.0.0.md).
+## What it does
 - Free standalone mode defaults to local hardening with a minimal allowlist:
   - `read_file`
   - `list_files`
   - `search_files`
 - Blocks high-risk tools such as `exec`, file writes/edits, and deletes unless you deliberately widen the policy.
-- Normalizes constrained paths before enforcing allowed prefixes so traversal and lookalike prefixes do not slip through.
 - Sends tool call context to a Policy Decision Point (PDP) endpoint.
-- Denies execution when PDP returns a deny decision.
-- Optionally enforces returned constraints.
-- Supports fail-closed (default) or fail-open behavior.
-## Free vs Paid
-The product boundary should be explicit at install time:
-- `npm install` gets you the adapter/plugin and standalone hardening path
-- governed mode requires a separately licensed SDE deployment
-- the customer console is the supported way to obtain governed runtime artifacts and deployment instructions
-- Free standalone use:
-  - useful as a local hardening layer
-  - works without `sde-enterprise`
-  - best for "read/search only" OpenClaw sessions
-- Paid / enterprise use:
-  - PDP-backed authorization and deny decisions
-  - signed policy packs
-  - tenant entitlements and governed rollout
-  - release attestation and compatibility certification
-## Build and test
-```powershell
-npm run build
-npm test
-npm run adversarial-check
-npm run performance-benchmark
-npm run test-pack-matrix
-```
-## Trusted Mode Check
-```bash
-npm run trusted-mode-check
-npm run trusted-mode-check -- --json
-```
-`trusted-mode-check` is a PDP-backed validation path. It is useful for SDE-integrated deployments, not for standalone free-mode validation.
-JSON output status values:
-- `ENFORCED_OK`
-- `LOCKDOWN_ONLY`
-- `UNSAFE`
-Attestation pack inputs:
-- `attestation/trusted_mode_attest_v1.json`
-- `attestation/trusted_mode_attest_v1.sig`
-Runtime/certification env vars:
-- `CERTIFICATION_STATUS` (`CERTIFIED_ENFORCED` | `LOCKDOWN_ONLY` | `UNSUPPORTED`)
-- `OPENCLAW_VERSION`
-- `EXPECTED_STATUS` (optional CI assertion override)
-## Local install in OpenClaw (WSL)
-```bash
-openclaw plugins install /mnt/c/path/to/openclaw-trusted-mode
-openclaw plugins info openclaw-trusted-mode
-```
-For a standalone free-mode config, start from [`openclaw.user-config.entry.example.json`](./openclaw.user-config.entry.example.json).
-## Plugin config
-See [`openclaw.plugin.json`](./openclaw.plugin.json) for config schema and defaults, including:
-- `pdpUrl`
-- `policyVariant`
-- `pdpTimeoutMs`
-- `failClosed`
-- `tenantId`
-- `certificationStatus`
-- `openclawVersion`
-- `certifiedOpenClawVersions`
-- `highRiskTools`
-- `toolPolicyMode`
-- `allowedTools`
-- `requireTenantId`
-- `allowedTenantIds`
-- `contextCurator`
-Recommended standalone free-mode baseline:
-```json
-{
-  "toolPolicyMode": "ALLOWLIST_ONLY",
-  "allowedTools": ["read_file", "list_files", "search_files"],
-  "failClosed": true,
-  "certificationStatus": "LOCKDOWN_ONLY"
-}
-```
-Recommended paid / PDP-backed baseline:
-```json
-{
-  "toolPolicyMode": "PDP",
-  "pdpUrl": "http://localhost:8001/v1/authorize",
-  "tenantId": "trial-tenant",
-  "failClosed": true,
-  "certificationStatus": "LOCKDOWN_ONLY"
-}
-```
-## Compatibility Matrix Automation
-```bash
-npm run update-compatibility-matrix
-npm run verify-compatibility-matrix
-```
-## Security Gates
-```bash
-npm run collect-security-evidence
-npm run generate-security-release-index
-npm run verify-security-gates
-```
-## Schema Contract and Evidence Bundle
-```bash
-npm run verify-plugin-schema-contract
-npm run bundle-release-evidence
-```
-## Startup Health Verification
-```bash
-npm run startup-health-check -- --skip-plugin-check
-```
+- Denies execution when PDP returns a deny decision.
+- Optionally enforces returned constraints.
+- Supports fail-closed (default) or fail-open behavior.
+## Free vs Paid
+The product boundary should be explicit at install time:
+- `npm install` gets you the adapter/plugin and standalone hardening path
+- governed mode requires a separately licensed SDE deployment
+- the customer console is the supported way to obtain governed runtime artifacts and deployment instructions
+- Free standalone use:
+  - useful as a local hardening layer
+  - works without `sde-enterprise`
+  - best for "read/search only" OpenClaw sessions
+- Paid / enterprise use:
+  - PDP-backed authorization and deny decisions
+  - signed policy packs
+  - tenant entitlements and governed rollout
+  - release attestation and compatibility certification
+## Build and test
+```powershell
+npm run build
+npm test
+npm run adversarial-check
+npm run performance-benchmark
+npm run test-pack-matrix
+```
+## Trusted Mode Check
+```bash
+npm run trusted-mode-check
+npm run trusted-mode-check -- --json
+```
+`trusted-mode-check` is a PDP-backed validation path. It is useful for SDE-integrated deployments, not for standalone free-mode validation.
+JSON output status values:
+- `ENFORCED_OK`
+- `LOCKDOWN_ONLY`
+- `UNSAFE`
+Attestation pack inputs:
+- `attestation/trusted_mode_attest_v1.json`
+- `attestation/trusted_mode_attest_v1.sig`
+Runtime/certification env vars:
+- `CERTIFICATION_STATUS` (`CERTIFIED_ENFORCED` | `LOCKDOWN_ONLY` | `UNSUPPORTED`)
+- `OPENCLAW_VERSION`
+- `EXPECTED_STATUS` (optional CI assertion override)
+## Local install in OpenClaw (WSL)
+```bash
+openclaw plugins install /mnt/c/path/to/openclaw-trusted-mode
+openclaw plugins info openclaw-trusted-mode
+```
+For a standalone free-mode config, start from [`openclaw.user-config.entry.example.json`](./openclaw.user-config.entry.example.json).
+## Plugin config
+See [`openclaw.plugin.json`](./openclaw.plugin.json) for config schema and defaults, including:
+- `pdpUrl`
+- `policyVariant`
+- `pdpTimeoutMs`
+- `failClosed`
+- `tenantId`
+- `certificationStatus`
+- `openclawVersion`
+- `certifiedOpenClawVersions`
+- `highRiskTools`
+- `toolPolicyMode`
+- `allowedTools`
+- `requireTenantId`
+- `allowedTenantIds`
+- `contextCurator`
+Recommended standalone free-mode baseline:
+```json
+{
+  "toolPolicyMode": "ALLOWLIST_ONLY",
+  "allowedTools": ["read_file", "list_files", "search_files"],
+  "failClosed": true,
+  "certificationStatus": "LOCKDOWN_ONLY"
+}
+```
+Recommended paid / PDP-backed baseline:
+```json
+{
+  "toolPolicyMode": "PDP",
+  "pdpUrl": "http://localhost:8001/v1/authorize",
+  "tenantId": "trial-tenant",
+  "failClosed": true,
+  "certificationStatus": "LOCKDOWN_ONLY"
+}
+```
+## Compatibility Matrix Automation
+```bash
+npm run update-compatibility-matrix
+npm run verify-compatibility-matrix
+```
+## Security Gates
+```bash
+npm run collect-security-evidence
+npm run generate-security-release-index
+npm run verify-security-gates
+```
+## Schema Contract and Evidence Bundle
+```bash
+npm run verify-plugin-schema-contract
+npm run bundle-release-evidence
+```
+## Startup Health Verification
+```bash
+npm run startup-health-check -- --skip-plugin-check
+```

package/SELF_SERVICE_FAQ.md CHANGED Viewed

@@ -1,151 +1,151 @@
-# Self-Service FAQ
-Terminology and acronyms: [`GLOSSARY.md`](./GLOSSARY.md).
-## Acronym Expansions
-- `SDE`: Strategic Decision Engine
-- `PDP`: Policy Decision Point
-- `CLI`: Command Line Interface
-- `FQDN`: Fully Qualified Domain Name
-- `SKU`: Stock Keeping Unit
-- `WSL`: Windows Subsystem for Linux
-## 1) `openclaw` command not found
-Install OpenClaw CLI and verify:
-```powershell
-openclaw --version
-```
-If still not found:
-1. Confirm CLI install location is on PATH.
-2. Open a new terminal and retry.
-## 2) PDP health check fails
-If you are using the free standalone plugin mode, you can ignore this section. PDP is required only for SDE-backed governed mode.
-1. Start/restart PDP:
-```powershell
-Set-Location <sde-enterprise-path>
-docker compose -f ops/docker-compose.pdp.yml up --build -d
-```
-2. Retry health:
-```powershell
-curl -s http://localhost:8001/healthz
-```
-Expected: `{"status":"ok"}`.
-If not:
-- Check container status: `docker ps`
-- Check PDP logs: `docker compose -f ops/docker-compose.pdp.yml logs`
-## 3) Plugin not loaded
-```powershell
-Set-Location <openclaw-trusted-mode-path>
-npm install
-npm run build
-openclaw plugins install <openclaw-trusted-mode-path> --no-color
-openclaw plugins info openclaw-trusted-mode --no-color
-```
-Expected: plugin status is `loaded`.
-If not loaded:
-1. Confirm plugin ID matches `openclaw-trusted-mode`.
-2. Reinstall plugin and restart OpenClaw gateway.
-## 4) Actions are allowed when they should be denied
-If you are using standalone free mode, check these first:
+# Self-Service FAQ
+Terminology and acronyms: [`GLOSSARY.md`](./GLOSSARY.md).
+## Acronym Expansions
+- `SDE`: Strategic Decision Engine
+- `PDP`: Policy Decision Point
+- `CLI`: Command Line Interface
+- `FQDN`: Fully Qualified Domain Name
+- `SKU`: Stock Keeping Unit
+- `WSL`: Windows Subsystem for Linux
+## 1) `openclaw` command not found
+Install OpenClaw CLI and verify:
+```powershell
+openclaw --version
+```
+If still not found:
+1. Confirm CLI install location is on PATH.
+2. Open a new terminal and retry.
+## 2) PDP health check fails
+If you are using the free standalone plugin mode, you can ignore this section. PDP is required only for SDE-backed governed mode.
+1. Start/restart PDP:
+```powershell
+Set-Location <sde-enterprise-path>
+docker compose -f ops/docker-compose.pdp.yml up --build -d
+```
+2. Retry health:
+```powershell
+curl -s http://localhost:8001/healthz
+```
+Expected: `{"status":"ok"}`.
+If not:
+- Check container status: `docker ps`
+- Check PDP logs: `docker compose -f ops/docker-compose.pdp.yml logs`
+## 3) Plugin not loaded
+```powershell
+Set-Location <openclaw-trusted-mode-path>
+npm install
+npm run build
+openclaw plugins install <openclaw-trusted-mode-path> --no-color
+openclaw plugins info openclaw-trusted-mode --no-color
+```
+Expected: plugin status is `loaded`.
+If not loaded:
+1. Confirm plugin ID matches `openclaw-trusted-mode`.
+2. Reinstall plugin and restart OpenClaw gateway.
+## 4) Actions are allowed when they should be denied
+If you are using standalone free mode, check these first:
 1. Confirm `toolPolicyMode` is `ALLOWLIST_ONLY`.
 2. Confirm the blocked tool is not present in `allowedTools`.
-3. For shell execution, the runtime commonly emits `exec`; current SDE governance canonicalizes `exec`, `execute_shell`, and `run_shell_command` to the same shell policy, but verifying the observed tool id is still useful for troubleshooting.
-Run SDE smoke test:
-```powershell
-Set-Location <sde-enterprise-path>
-powershell -ExecutionPolicy Bypass -File scripts\first_success_smoke.ps1
-```
-Then verify:
-1. Active policy pack includes exact runtime tool key.
-2. Tenant variant mapping points to intended variant.
-3. Entitlement and tenant ID are correct.
-## 5) `[Trusted Mode BLOCKED] fetch failed`
-Meaning: plugin cannot reach PDP.
-If you intended to use the free standalone plugin only, switch to:
-- `toolPolicyMode = ALLOWLIST_ONLY`
-- a non-empty `allowedTools` list
-That removes the PDP dependency.
-Check in order:
-1. PDP is running and healthy.
-2. Plugin `pdpUrl` points to reachable host/port.
-3. If using WSL, test `host.docker.internal` endpoint.
-4. Keep `failClosed=true` in production.
-## 6) License endpoint or support placeholders are unresolved
-Define and verify the values from `START_HERE.md` section "Remaining org-specific values to fill once":
-1. License server FQDN.
-2. Support contacts and escalation channel.
-3. Artifact/registry coordinates used by your deployment.
-After setting values:
-1. Re-run licensing/activation check (`sde-cli license status`).
-2. Re-run pilot or production readiness checklist.
-## 7) `ENTITLEMENT_DENIED` for expected active tenant
-1. Inspect `ops/entitlements.json` for exact tenant key and SKU.
-2. Confirm request `tenant_id` matches exactly.
-3. Restart PDP after file changes.
-4. Re-test with:
-```powershell
-Set-Location <sde-enterprise-path>
-python ops\pdp_admin_cli.py authorize-test --tenant-id <tenant_id> --tool-name read_file --gateway-id gw-1 --environment prod
-```
-## 8) Policy pack signature verification errors
-1. Confirm both files exist for active variant:
-- `<variant>.json`
-- `<variant>.sig`
-2. Validate with:
-```powershell
-Set-Location <sde-enterprise-path>
-python ops\pdp_admin_cli.py validate-policy-pack --variant <variant>
-```
-3. If validation fails, restore known-good signed pair and restart PDP.
-## 9) Where to go next
-- First-time setup: `START_HERE.md`
-- Detailed operations: `OPERATIONS_GUIDE.md`
-- Non-technical operations: `RUNBOOK_NON_TECHNICAL.md`
-- Governance controls: `<sde-enterprise-path>\docs\governance_control_plane.md`
+3. For shell execution, verify the runtime tool name is `exec`.
+Run SDE smoke test:
+```powershell
+Set-Location <sde-enterprise-path>
+powershell -ExecutionPolicy Bypass -File scripts\first_success_smoke.ps1
+```
+Then verify:
+1. Active policy pack includes exact runtime tool key.
+2. Tenant variant mapping points to intended variant.
+3. Entitlement and tenant ID are correct.
+## 5) `[Trusted Mode BLOCKED] fetch failed`
+Meaning: plugin cannot reach PDP.
+If you intended to use the free standalone plugin only, switch to:
+- `toolPolicyMode = ALLOWLIST_ONLY`
+- a non-empty `allowedTools` list
+That removes the PDP dependency.
+Check in order:
+1. PDP is running and healthy.
+2. Plugin `pdpUrl` points to reachable host/port.
+3. If using WSL, test `host.docker.internal` endpoint.
+4. Keep `failClosed=true` in production.
+## 6) License endpoint or support placeholders are unresolved
+Define and verify the values from `START_HERE.md` section "Remaining org-specific values to fill once":
+1. License server FQDN.
+2. Support contacts and escalation channel.
+3. Artifact/registry coordinates used by your deployment.
+After setting values:
+1. Re-run licensing/activation check (`sde-cli license status`).
+2. Re-run pilot or production readiness checklist.
+## 7) `ENTITLEMENT_DENIED` for expected active tenant
+1. Inspect `ops/entitlements.json` for exact tenant key and SKU.
+2. Confirm request `tenant_id` matches exactly.
+3. Restart PDP after file changes.
+4. Re-test with:
+```powershell
+Set-Location <sde-enterprise-path>
+python ops\pdp_admin_cli.py authorize-test --tenant-id <tenant_id> --tool-name read_file --gateway-id gw-1 --environment prod
+```
+## 8) Policy pack signature verification errors
+1. Confirm both files exist for active variant:
+- `<variant>.json`
+- `<variant>.sig`
+2. Validate with:
+```powershell
+Set-Location <sde-enterprise-path>
+python ops\pdp_admin_cli.py validate-policy-pack --variant <variant>
+```
+3. If validation fails, restore known-good signed pair and restart PDP.
+## 9) Where to go next
+- First-time setup: `START_HERE.md`
+- Detailed operations: `OPERATIONS_GUIDE.md`
+- Non-technical operations: `RUNBOOK_NON_TECHNICAL.md`
+- Governance controls: `<sde-enterprise-path>\docs\governance_control_plane.md`

package/attestation/trusted_mode_attest_v1.json ADDED Viewed

@@ -0,0 +1,21 @@
+{
+  "pack_id": "trusted_mode_attest",
+  "pack_version": "v1.0.0",
+  "schema_version": "2026-03-01",
+  "issued_at": "2026-03-01T00:00:00Z",
+  "checks": [
+    "attestation_pack_signature",
+    "deny_high_impact",
+    "allow_low_impact",
+    "signature_failure"
+  ],
+  "output_contract": {
+    "status_values": ["ENFORCED_OK", "LOCKDOWN_ONLY", "UNSAFE"],
+    "axis_scores": [
+      "interception_proof",
+      "fail_safe_posture",
+      "integrity",
+      "certified_compatibility"
+    ]
+  }
+}

package/attestation/trusted_mode_attest_v1.sig ADDED Viewed

	@@ -0,0 +1 @@
1	+ sha256:6d58bfc4a02e6efeb0607864951deeb03a5d71bd4790c1d3aea9524e71456e08

package/dist/cli.js CHANGED Viewed

@@ -9,6 +9,8 @@ const packageVersion_1 = require("./packageVersion");
 const PDP_URL = process.env.PDP_URL || 'http://localhost:8001/v1/authorize';
 const POLICY_VARIANT = process.env.POLICY_VARIANT || 'guard-pro.v2026.02';
 const TENANT_ID = process.env.TENANT_ID || 'trial-tenant';
+const GATEWAY_ID = process.env.GATEWAY_ID || process.env.OPENCLAW_GATEWAY_ID || 'gw-smoke-1';
+const ENVIRONMENT = process.env.ENVIRONMENT || process.env.OPENCLAW_ENVIRONMENT || 'prod';
 const OPENCLAW_VERSION = (0, packageVersion_1.resolveOpenClawVersion)();
 const RUNTIME_CERTIFICATION_STATUS = (0, runtimeCertification_1.normalizeRuntimeCertificationStatus)(process.env.CERTIFICATION_STATUS || 'CERTIFIED_ENFORCED');
 const JSON_MODE = process.argv.includes('--json');
@@ -35,6 +37,8 @@ async function testDenyHighImpact() {
         decision_sku: 'openclaw.trusted_mode.authorize.v1',
         policy_variant: POLICY_VARIANT,
         tenant_id: TENANT_ID,
+        gateway_id: GATEWAY_ID,
+        environment: ENVIRONMENT,
         inputs: { action_request: { tool_name: 'exec', params: {} } },
     };
     try {
@@ -58,6 +62,8 @@ async function testAllowLowImpact() {
         decision_sku: 'openclaw.trusted_mode.authorize.v1',
         policy_variant: POLICY_VARIANT,
         tenant_id: TENANT_ID,
+        gateway_id: GATEWAY_ID,
+        environment: ENVIRONMENT,
         inputs: { action_request: { tool_name: 'read_file', params: {} } },
     };
     try {
@@ -78,6 +84,8 @@ async function testSignatureFailure() {
         decision_sku: 'openclaw.trusted_mode.authorize.v1',
         policy_variant: 'invalid-pack',
         tenant_id: TENANT_ID,
+        gateway_id: GATEWAY_ID,
+        environment: ENVIRONMENT,
         inputs: { action_request: { tool_name: 'exec', params: {} } },
     };
     try {

package/dist/constraints.js CHANGED Viewed

@@ -1,58 +1,6 @@
 "use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.enforceConstraints = enforceConstraints;
-const node_path_1 = __importDefault(require("node:path"));
-function normalizePathValue(value) {
-    const trimmed = String(value || '').trim();
-    if (!trimmed)
-        return null;
-    const windows = /^[a-zA-Z]:[\\/]/.test(trimmed) || trimmed.includes('\\');
-    const pathApi = windows ? node_path_1.default.win32 : node_path_1.default.posix;
-    const separator = windows ? '\\' : '/';
-    const root = pathApi.parse(trimmed).root;
-    let normalized = pathApi.normalize(trimmed);
-    if (windows)
-        normalized = normalized.replace(/\//g, '\\');
-    while (normalized.length > root.length &&
-        (normalized.endsWith('/') || normalized.endsWith('\\'))) {
-        normalized = normalized.slice(0, -1);
-    }
-    return {
-        normalized: normalized || root || separator,
-        root,
-        separator,
-        windows,
-    };
-}
-function isPathWithinPrefix(value, prefix) {
-    const normalizedValue = normalizePathValue(value);
-    const normalizedPrefix = normalizePathValue(prefix);
-    if (!normalizedValue || !normalizedPrefix)
-        return false;
-    if (normalizedValue.windows !== normalizedPrefix.windows)
-        return false;
-    const left = normalizedValue.windows
-        ? normalizedValue.normalized.toLowerCase()
-        : normalizedValue.normalized;
-    const right = normalizedPrefix.windows
-        ? normalizedPrefix.normalized.toLowerCase()
-        : normalizedPrefix.normalized;
-    if (left === right)
-        return true;
-    if (right === normalizedPrefix.root) {
-        return left.startsWith(right);
-    }
-    return left.startsWith(`${right}${normalizedPrefix.separator}`);
-}
-function matchesAllowedPrefix(key, value, prefix) {
-    if (key.toLowerCase().includes('path')) {
-        return isPathWithinPrefix(value, prefix);
-    }
-    return value.startsWith(prefix);
-}
 function enforceConstraints(params, constraints) {
     if (!Array.isArray(constraints)) {
         throw new Error(`[Trusted Mode ERROR] Invalid constraints format`);
@@ -67,7 +15,7 @@ function enforceConstraints(params, constraints) {
         const value = params?.[key];
         if (typeof value !== 'string')
             continue;
-        const ok = allowedPrefixes.some((prefix) => typeof prefix === 'string' && matchesAllowedPrefix(key, value, prefix));
+        const ok = allowedPrefixes.some((prefix) => value.startsWith(prefix));
         if (!ok) {
             throw new Error(`[Trusted Mode BLOCKED] Constraint violation for "${key}" (allowed prefixes: ${allowedPrefixes.join(', ')})`);
         }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@darkelogix/openclaw-trusted-mode",
-  "version": "1.0.1",
+  "version": "1.0.3",
   "description": "MIT-licensed OpenClaw Trusted Mode plugin with standalone hardening and optional SDE-backed governance",
   "license": "MIT",
   "main": "dist/index.js",
@@ -50,7 +50,9 @@
     "START_HERE.md",
     "GLOSSARY.md",
     "SELF_SERVICE_FAQ.md",
-    "CHANGELOG.md"
+    "CHANGELOG.md",
+    "attestation/trusted_mode_attest_v1.json",
+    "attestation/trusted_mode_attest_v1.sig"
   ],
   "scripts": {
     "build": "tsc",