@goplus/agentguard 1.1.18 → 1.1.26

package/dist/cli.js

@@ -10,6 +10,7 @@ const client_js_1 = require("./cloud/client.js");
 const config_js_1 = require("./config.js");
 const index_js_1 = require("./scanner/index.js");
 const protect_js_1 = require("./runtime/protect.js");
+const approvals_js_1 = require("./runtime/approvals.js");
 const policy_js_1 = require("./runtime/policy.js");
 const installers_js_1 = require("./installers.js");
 const version_js_1 = require("./version.js");
@@ -101,10 +102,11 @@ async function main() {
         .action(async (options) => {
         const apiKey = options.key || options.apiKey || process.env.AGENTGUARD_API_KEY;
         if (!apiKey) {
-            const config = (0, config_js_1.ensureConfig)();
+            let config = (0, config_js_1.ensureConfig)();
             if (!isOpenClawAgentConfigured(config)) {
-                throw new Error('Missing API key. Pass --key, --api-key, set AGENTGUARD_API_KEY, or run `agentguard init --agent openclaw` before using Agent JWT registration.');
+                throw new Error('AgentGuard Cloud connect supports API-key auth or OpenClaw Agent JWT registration. No API key was provided, and OpenClaw has not been initialized. Run `agentguard init --agent openclaw`, then rerun `agentguard connect`; or pass --key, --api-key, or AGENTGUARD_API_KEY for API-key auth.');
             }
+            config = withDetectedOpenClawAgentHost(config);
             const cloudUrl = (0, config_js_1.normalizeCloudUrl)(options.cloud || options.url || config.cloudUrl || 'https://agentguard.gopluslabs.io');
             if (config.agentId && config.agentJwt) {
                 const existingConfig = { ...config, cloudUrl };
@@ -117,10 +119,11 @@ async function main() {
                         agentRegisterUrl: config.agentRegisterUrl,
                         cloudUrl,
                     });
-                    (0, policy_js_1.saveCachedPolicy)(savedConfig.policyCachePath, policy);
-                    console.log(`Connected to AgentGuard Cloud (${savedConfig.cloudUrl}).`);
-                    console.log(`Agent JWT is active for local agent ${savedConfig.agentId}.`);
-                    console.log(`Cached policy ${policy.policyVersion} at ${savedConfig.policyCachePath}.`);
+                    const activeConfig = (0, config_js_1.clearAgentRegisterUrl)(savedConfig);
+                    (0, policy_js_1.saveCachedPolicy)(activeConfig.policyCachePath, policy);
+                    console.log(`Connected to AgentGuard Cloud (${activeConfig.cloudUrl}).`);
+                    console.log(`Agent JWT is active for local agent ${activeConfig.agentId}.`);
+                    console.log(`Cached policy ${policy.policyVersion} at ${activeConfig.policyCachePath}.`);
                     return;
                 }
                 catch (err) {
@@ -131,14 +134,20 @@ async function main() {
                     }
                 }
             }
-            const registration = await registerAgentCredential({
-                cloudUrl,
-                reason: 'connect',
-                notifyOpenClaw: true,
-                resetExistingJwt: true,
-            });
+            let registration;
+            try {
+                registration = await registerAgentCredential({
+                    cloudUrl,
+                    reason: 'connect',
+                    notifyOpenClaw: false,
+                    resetExistingJwt: true,
+                });
+            }
+            catch (err) {
+                throw new Error(`Could not register AgentGuard agent: ${err instanceof Error ? err.message : String(err)}`);
+            }
             console.log(`Registered local AgentGuard agent (${registration.config.agentId}).`);
-            console.log('Open this link to bind AgentGuard Cloud to your email:');
+            console.log('Open this link to bind this agent to your account:');
             console.log(registration.registerUrl);
             if (registration.openClawNotification.notified) {
                 console.log('Sent the activation link to the last OpenClaw channel.');
@@ -164,25 +173,30 @@ async function main() {
     program
         .command('disconnect')
         .description('Disconnect local AgentGuard from AgentGuard Cloud')
-        .action(() => {
+        .action(async () => {
+        const currentConfig = (0, config_js_1.ensureConfig)();
+        const cronRemoval = await (0, cron_js_1.removeThreatFeedCron)({
+            name: currentConfig.threatFeedCronName || 'agentguard-threat-feed',
+            backend: 'auto',
+            agentHost: resolveCronAgentHost(currentConfig),
+            agentGuardHome: (0, config_js_1.getAgentGuardPaths)().home,
+        });
         const config = (0, config_js_1.disconnectCloud)();
         console.log('Disconnected from AgentGuard Cloud.');
         console.log('Removed local Cloud API key, Agent JWT, connection timestamp, pending event spool, and cached Cloud policy.');
+        printCronRemovalSummary(cronRemoval);
         console.log(`Local protection remains active using the built-in policy. Audit log: ${config.auditPath}`);
     });
     program
         .command('status')
         .description('Show local and Cloud connection status')
-        .action(() => {
-        const config = (0, config_js_1.ensureConfig)();
+        .action(async () => {
+        const config = await refreshAgentAccountBinding((0, config_js_1.ensureConfig)());
         const paths = (0, config_js_1.getAgentGuardPaths)();
         console.log(`Config: ${paths.configPath}`);
         console.log(`Protection level: ${config.level}`);
         console.log(`Cloud URL: ${config.cloudUrl || 'not configured'}`);
-        console.log(`API key: ${(0, config_js_1.maskApiKey)(config.apiKey)}`);
-        console.log(`Agent ID: ${config.agentId || 'not configured'}`);
-        console.log(`Agent JWT: ${config.agentJwt ? 'configured' : 'not configured'}`);
-        console.log(`Agent activation URL: ${config.agentRegisterUrl || 'not configured'}`);
+        printCloudAuthStatus(config);
         console.log(`Agent host: ${config.agentHost || 'not configured'}`);
         console.log(`Agent hosts: ${config.agentHosts?.join(', ') || 'not configured'}`);
         console.log(`Policy cache: ${config.policyCachePath}`);
@@ -324,6 +338,55 @@ async function main() {
         }
         process.exitCode = result.risk_level === 'critical' ? 2 : 0;
     });
+    program
+        .command('approve')
+        .description('Approve one pending runtime action')
+        .option('--action-id <id>', 'Pending action id returned by agentguard protect')
+        .option('--last', 'Approve the most recent unambiguous pending action')
+        .option('--once', 'Approve only the next matching retry')
+        .option('--json', 'Print JSON output')
+        .action((options) => {
+        if (!options.once) {
+            throw new Error('Approvals must be scoped with --once.');
+        }
+        const config = (0, config_js_1.ensureConfig)();
+        const approved = (0, approvals_js_1.approvePendingApproval)(config.approvalStorePath, {
+            actionId: options.actionId,
+            last: Boolean(options.last),
+            once: true,
+            sessionId: process.env.AGENTGUARD_SESSION_ID,
+        });
+        if (options.json) {
+            console.log(JSON.stringify({ success: true, approval: approved }, null, 2));
+        }
+        else {
+            console.log(`Approved once: ${approved.actionId}`);
+            console.log(`Expires: ${approved.expiresAt}`);
+        }
+    });
+    const approvals = program
+        .command('approvals')
+        .description('Inspect pending runtime approvals');
+    approvals
+        .command('list')
+        .description('List unexpired pending approvals')
+        .option('--json', 'Print JSON output')
+        .action((options) => {
+        const config = (0, config_js_1.ensureConfig)();
+        const pending = (0, approvals_js_1.listPendingApprovals)(config.approvalStorePath);
+        if (options.json) {
+            console.log(JSON.stringify({ success: true, approvals: pending }, null, 2));
+        }
+        else if (pending.length === 0) {
+            console.log('No pending approvals.');
+        }
+        else {
+            for (const approval of pending) {
+                console.log(`${approval.actionId} ${approval.actionType} ${approval.toolName} expires=${approval.expiresAt}`);
+                console.log(`  ${approval.inputPreview}`);
+            }
+        }
+    });
     program
         .command('protect')
         .description('Evaluate one runtime action from stdin or hook environment')
@@ -370,6 +433,7 @@ async function main() {
         const since = options.since;
         const quiet = Boolean(options.quiet);
         const cronNotifyRun = Boolean(options.cronNotifyRun);
+        const cronInternalRun = Boolean(options.cronRun || options.cronNotifyRun);
         const cronTarget = validateCronTarget(options.cronTarget);
         const cronRunSendsToOpenClaw = Boolean(options.cronRun) && cronAgentHost === 'openclaw';
         const cronExpression = options.cron && !options.cronRun
@@ -411,47 +475,39 @@ async function main() {
                 return;
             }
         }
-        try {
-            await client.subscribeFeed();
-        }
-        catch (err) {
-            if (err instanceof client_js_2.CloudRequestError && err.status === 401) {
-                if (!isOpenClawAgentConfigured(config)) {
-                    console.error('! AgentGuard Cloud credential was rejected. Run `agentguard connect --key <key>` again.');
-                    process.exitCode = 1;
-                    return;
-                }
-                try {
-                    registration = await registerAgentCredential({
-                        cloudUrl: config.cloudUrl,
-                        reason: 'subscribe',
-                        notifyOpenClaw: resolveCronAgentHost(config) === 'openclaw',
-                        resetExistingJwt: true,
-                    });
-                    config = registration.config;
-                    client = registration.client;
-                    await client.subscribeFeed();
-                }
-                catch (retryErr) {
-                    if (cronNotifyRun) {
-                        console.log('NO_REPLY');
-                        process.exitCode = 0;
+        if (!cronInternalRun) {
+            try {
+                await client.subscribeFeed();
+            }
+            catch (err) {
+                if (err instanceof client_js_2.CloudRequestError && err.status === 401) {
+                    if (!isOpenClawAgentConfigured(config)) {
+                        console.error('! AgentGuard Cloud credential was rejected. Run `agentguard connect --key <key>` again.');
+                        process.exitCode = 1;
+                        return;
+                    }
+                    try {
+                        registration = await registerAgentCredential({
+                            cloudUrl: config.cloudUrl,
+                            reason: 'subscribe',
+                            notifyOpenClaw: resolveCronAgentHost(config) === 'openclaw',
+                            resetExistingJwt: true,
+                        });
+                        config = registration.config;
+                        client = registration.client;
+                        await client.subscribeFeed();
+                    }
+                    catch (retryErr) {
+                        printAgentActivationRequired(registration, retryErr);
+                        process.exitCode = 1;
                         return;
                     }
-                    printAgentActivationRequired(registration, retryErr);
-                    process.exitCode = 1;
-                    return;
                 }
-            }
-            else {
-                if (cronNotifyRun) {
-                    console.log('NO_REPLY');
-                    process.exitCode = 0;
+                else {
+                    console.error(`! Could not subscribe to AgentGuard Cloud feed: ${err.message}`);
+                    process.exitCode = 1;
                     return;
                 }
-                console.error(`! Could not subscribe to AgentGuard Cloud feed: ${err.message}`);
-                process.exitCode = 1;
-                return;
             }
         }
         if (registration && !cronNotifyRun && !quiet && !options.json) {
@@ -463,6 +519,11 @@ async function main() {
         }
         catch (err) {
             if (err instanceof client_js_2.CloudRequestError && err.status === 401) {
+                if (cronInternalRun) {
+                    await printSubscribeConnectRequired(options, cronRunSendsToOpenClaw);
+                    process.exitCode = 1;
+                    return;
+                }
                 if (!isOpenClawAgentConfigured(config)) {
                     console.error('! AgentGuard Cloud credential was rejected. Run `agentguard connect --key <key>` again.');
                     process.exitCode = 1;
@@ -545,22 +606,35 @@ async function main() {
                     // match, we must NOT mark the advisory seen, otherwise a
                     // transient network blip silently buries a real hit.
                     try {
-                        const reportResult = await runCloudRequestWithAgentJwtReauth({
-                            config,
-                            client,
-                            reason: 'reauth',
-                            notifyOpenClaw: resolveCronAgentHost(config) === 'openclaw',
-                            operation: (activeClient) => activeClient.reportSelfCheck(advisory.id, result.matchedArtifacts, {
+                        if (cronInternalRun) {
+                            await client.reportSelfCheck(advisory.id, result.matchedArtifacts, {
                                 elapsedMs: result.elapsedMs,
                                 warnings: result.warnings,
-                            }),
-                        });
-                        config = reportResult.config;
-                        client = reportResult.client;
-                        if (reportResult.registration)
-                            registration = reportResult.registration;
+                            });
+                        }
+                        else {
+                            const reportResult = await runCloudRequestWithAgentJwtReauth({
+                                config,
+                                client,
+                                reason: 'reauth',
+                                notifyOpenClaw: resolveCronAgentHost(config) === 'openclaw',
+                                operation: (activeClient) => activeClient.reportSelfCheck(advisory.id, result.matchedArtifacts, {
+                                    elapsedMs: result.elapsedMs,
+                                    warnings: result.warnings,
+                                }),
+                            });
+                            config = reportResult.config;
+                            client = reportResult.client;
+                            if (reportResult.registration)
+                                registration = reportResult.registration;
+                        }
                     }
                     catch (err) {
+                        if (cronInternalRun && err instanceof client_js_2.CloudRequestError && err.status === 401) {
+                            await printSubscribeConnectRequired(options, cronRunSendsToOpenClaw);
+                            process.exitCode = 1;
+                            return;
+                        }
                         console.error(`! Failed to report self-check for ${advisory.id}: ${err.message}`);
                         processed = false;
                         hardFailures += 1;
@@ -611,6 +685,13 @@ async function main() {
                     backend: cronTarget,
                     agentHost: resolveCronAgentHost(config),
                     agentGuardHome: (0, config_js_1.getAgentGuardPaths)().home,
+                }, {
+                    gateway: resolveOpenClawGatewayOptionsFromEnv(),
+                });
+                (0, config_js_1.saveConfig)({
+                    ...config,
+                    threatFeedCronName: summary.cron.result.name,
+                    threatFeedCronInstalledAt: new Date().toISOString(),
                 });
                 summary.cron.installed = true;
             }
@@ -663,8 +744,8 @@ async function main() {
         if (!quiet && fresh.length > 0) {
             console.log(summary.notification?.body ?? formatNewAdvisoryNotification(fresh));
         }
-        else if (quiet && fresh.length > 0) {
-            console.log(`Self-check found ${totalMatches} match(es) across the new advisories.`);
+        else if (quiet && (fresh.length > 0 || summary.cron.result)) {
+            console.log(`Self-check found ${totalMatches} match(es) across ${fresh.length} new advisory record(s).`);
             for (const r of results) {
                 if (r.matchedArtifacts.length === 0)
                     continue;
@@ -844,6 +925,85 @@ function printInitGuidanceIfNeeded(config) {
     console.log('Required next step:');
     console.log(`  ${REQUIRED_INIT_COMMAND}`);
 }
+function printCloudAuthStatus(config) {
+    if (config.agentJwt) {
+        console.log('Cloud auth: connected via Agent JWT');
+        console.log('API key: not used for this connection');
+        console.log(`Agent ID: ${config.agentId || 'configured'}`);
+        console.log('Agent JWT: configured');
+        if (config.agentRegisterUrl) {
+            console.log('Agent account: not bound (activation required)');
+            console.log(`Agent activation URL: ${config.agentRegisterUrl}`);
+        }
+        else {
+            console.log('Agent account: bound');
+            console.log('Agent activation URL: not required');
+        }
+        return;
+    }
+    if (config.apiKey) {
+        console.log('Cloud auth: connected via API key');
+        console.log(`API key: ${(0, config_js_1.maskApiKey)(config.apiKey)}`);
+        console.log('Agent JWT: not used for this connection');
+        return;
+    }
+    console.log('Cloud auth: not connected');
+    console.log('API key: not configured');
+    console.log('Agent JWT: not configured');
+}
+async function printSubscribeConnectRequired(options, notifyOpenClaw) {
+    const message = 'AgentGuard Cloud credential was rejected. Run `agentguard connect` again before the next subscribe cron run.';
+    if (notifyOpenClaw) {
+        const notification = await (0, openclaw_notify_js_1.notifyOpenClawMessage)(message, resolveOpenClawGatewayOptionsFromEnv(), {
+            idempotencyKeyPrefix: 'agentguard-subscribe-auth',
+        });
+        if (notification.notified) {
+            console.log('NO_REPLY');
+            return;
+        }
+        console.error(`! Could not send OpenClaw cron auth notification: ${notification.reason ?? 'Unknown error'}`);
+        return;
+    }
+    if (options.cronNotifyRun) {
+        console.log(message);
+    }
+    else if (options.json) {
+        console.log(JSON.stringify({ success: false, error: message }, null, 2));
+    }
+    else {
+        console.error(`! ${message}`);
+    }
+}
+async function refreshAgentAccountBinding(config) {
+    if (!config.agentJwt || !config.agentRegisterUrl)
+        return config;
+    const client = new client_js_1.AgentGuardCloudClient(config);
+    try {
+        const policy = await client.fetchEffectivePolicy();
+        const activeConfig = (0, config_js_1.clearAgentRegisterUrl)(config);
+        (0, policy_js_1.saveCachedPolicy)(activeConfig.policyCachePath, policy);
+        return activeConfig;
+    }
+    catch {
+        return config;
+    }
+}
+function printCronRemovalSummary(results) {
+    const removed = results.filter((result) => result.removed);
+    if (removed.length > 0) {
+        console.log(`Removed AgentGuard subscribe cron job "${removed[0].name}" from: ${removed.map((result) => result.backend).join(', ')}.`);
+        return;
+    }
+    const errors = results.filter((result) => result.error);
+    if (errors.length > 0) {
+        console.log('No AgentGuard subscribe cron job was removed; some cron backends were unavailable.');
+        for (const result of errors) {
+            console.error(`! ${result.backend}: ${result.error}`);
+        }
+        return;
+    }
+    console.log('No AgentGuard subscribe cron job was found.');
+}
 function resolveCronAgentHost(config) {
     return config.agentHost ?? config.agentHosts?.[0];
 }
@@ -1200,16 +1360,37 @@ function printAgentActivationRequired(registration, err) {
     console.error(`! AgentGuard Cloud authorization is not active yet. ${message}`);
     const registerUrl = registration?.registerUrl || (0, config_js_1.ensureConfig)().agentRegisterUrl;
     if (registerUrl) {
-        console.error('Open this link to bind this agent to your email, then rerun the command:');
+        console.error('Open this link to bind this agent to your account, then rerun the command:');
         console.error(registerUrl);
     }
 }
 function isOpenClawAgentConfigured(config) {
-    return config.agentHost === 'openclaw' || config.agentHosts?.includes('openclaw') === true;
+    return config.agentHost === 'openclaw' || config.agentHosts?.includes('openclaw') === true || detectOpenClawRuntime();
+}
+function withDetectedOpenClawAgentHost(config) {
+    if (hasSavedAgentHost(config) || !detectOpenClawRuntime())
+        return config;
+    const next = {
+        ...config,
+        agentHost: 'openclaw',
+        agentHosts: appendAgentHost(config.agentHosts, 'openclaw'),
+    };
+    (0, config_js_1.saveConfig)(next);
+    return next;
+}
+function detectOpenClawRuntime() {
+    const configPath = process.env.OPENCLAW_CONFIG_PATH?.trim();
+    if (configPath && (0, node_fs_1.existsSync)(configPath))
+        return true;
+    const stateDir = process.env.OPENCLAW_STATE_DIR?.trim();
+    if (stateDir && ((0, node_fs_1.existsSync)(stateDir) || (0, node_fs_1.existsSync)((0, node_path_1.join)(stateDir, 'openclaw.json'))))
+        return true;
+    return (0, node_fs_1.existsSync)((0, node_path_1.join)((0, node_os_1.homedir)(), '.openclaw', 'openclaw.json'));
 }
 function resolveOpenClawGatewayOptionsFromEnv() {
     const url = process.env.AGENTGUARD_OPENCLAW_GATEWAY_URL?.trim();
     const host = process.env.AGENTGUARD_OPENCLAW_GATEWAY_HOST?.trim();
+    const token = process.env.AGENTGUARD_OPENCLAW_GATEWAY_TOKEN?.trim();
     const portRaw = process.env.AGENTGUARD_OPENCLAW_GATEWAY_PORT?.trim();
     const timeoutRaw = process.env.AGENTGUARD_OPENCLAW_GATEWAY_TIMEOUT_MS?.trim();
     const port = portRaw ? Number(portRaw) : undefined;
@@ -1217,6 +1398,7 @@ function resolveOpenClawGatewayOptionsFromEnv() {
     return {
         ...(url ? { url } : {}),
         ...(host ? { host } : {}),
+        ...(token ? { token } : {}),
         ...(Number.isFinite(port) ? { port } : {}),
         ...(Number.isFinite(timeoutMs) ? { timeoutMs } : {}),
     };