@lark-tns/openclaw-guardian-plugin 2026.4.15

package/README.md

@@ -0,0 +1,61 @@
+# OpenClaw Guardian Plugin
+
+This plugin uses the new OpenClaw SDK entry style and reports trust-layer payloads for the active hook points below:
+
+- logs the payload to the official plugin logger
+- pulls runtime toggles from `http://localhost:8001/open-apis/security_plugin/v1/openclaw_plugin/config`
+- forwards detect requests to `http://localhost:8001/open-apis/security_plugin/v1/openclaw_plugin/detect`
+
+- `llm_input`
+- `llm_output`
+- `before_tool_call`
+- `after_tool_call`
+
+The runtime config polling is managed by `api.registerService(...)`. The service initializes remote config on startup, keeps an in-memory snapshot for hook handlers, and disposes the refresh timer on shutdown.
+
+## Files
+
+- `openclaw.plugin.json`: native plugin manifest
+- `src/index.ts`: plugin entry registered with `definePluginEntry`, hook registration, and `api.registerService(...)` wiring
+- `src/runtime-config.ts`: remote config store plus polling service, typed against `OpenClawPluginApi` / `api.registerService(...)`
+- `src/hook-payloads.ts`: hook-specific payload builders required by the trust-layer API
+- `src/logger.ts`: safe payload formatter and logger helper
+- `src/http-client.ts`: request body builder and detect/config service client
+- `src/fetch-interceptor.ts`: optional `before_llm_fetch` / `after_llm_fetch` request-response interceptor, currently not enabled in `src/index.ts`
+- `src/tool-effects.ts`: effect parser and hook-specific deny/rewrite handling
+
+## Install
+
+Link-install the plugin from this directory:
+
+```bash
+openclaw plugins install -l .
+```
+
+Then enable it in your OpenClaw config if needed:
+
+```json5
+{
+  plugins: {
+    entries: {
+      "openclaw-guardian-plugin": {
+        enabled: true
+      }
+    }
+  }
+}
+```
+
+Restart the Gateway after config changes.
+
+## Notes
+
+- The plugin logs via `api.logger.info(...)`.
+- The plugin registers a background service via `api.registerService(...)`; the service typing is derived from `OpenClawPluginApi`, GETs remote runtime config on startup, retries up to 3 times, defaults to all hooks disabled on first-start failure, and refreshes the config every 60 seconds.
+- The plugin POSTs `{ hook_name, payload }` to `http://localhost:8001/open-apis/security_plugin/v1/openclaw_plugin/detect`.
+- Hook handlers read the latest in-memory runtime-config snapshot instead of fetching `/config` inline on every hook invocation.
+- Hook payloads are sent as the trust-layer contract requires, such as tool/session fields for tool hooks and `domain` / `path` / `origin_req` or `origin_resp` for LLM fetch hooks.
+- `llm_input` and `llm_output` are report-only hooks; deny/rewrite responses are logged but not applied.
+- `after_tool_call` is also observe-only in runtime; detect decisions are logged but do not rewrite the actual hook return value.
+- Payloads are serialized defensively so circular references and `Error` objects do not break logging.
+- `before_llm_fetch` / `after_llm_fetch` support remains in `src/fetch-interceptor.ts`, but those hooks are not active until `installFetchInterceptor(api, configStore)` is enabled in `src/index.ts`.

package/openclaw.plugin.json

@@ -0,0 +1,40 @@
+{
+  "id": "openclaw-guardian-plugin",
+  "name": "OpenClaw Guardian Plugin",
+  "description": "Reports OpenClaw hook payloads to security_plugin config and detect endpoints.",
+  "version": "2026.4.10",
+  "uiHints": {
+    "appId": {
+      "label": "Feishu App ID",
+      "placeholder": "cli_xxx"
+    },
+    "appSecret": {
+      "label": "Feishu App Secret",
+      "sensitive": true
+    }
+  },
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {
+      "env": {
+        "type": "string",
+        "enum": [
+          "online",
+          "pre",
+          "boe",
+          "dev"
+        ],
+        "default": "online"
+      },
+      "appId": {
+        "type": "string",
+        "minLength": 1
+      },
+      "appSecret": {
+        "type": "string",
+        "minLength": 1
+      }
+    }
+  }
+}

package/package.json

@@ -0,0 +1,38 @@
+{
+  "name": "@lark-tns/openclaw-guardian-plugin",
+  "version": "2026.4.15",
+  "type": "module",
+  "description": "OpenClaw plugin that reports hook payloads to the security_plugin detect service with remote hook toggles.",
+  "keywords": ["openclaw", "plugin", "security", "guardian"],
+  "files": [
+    "src/**/*.ts",
+    "openclaw.plugin.json",
+    "README.md"
+  ],
+  "scripts": {
+    "typecheck": "tsc --noEmit",
+    "pack": "npm pack",
+    "upload": "node scripts/uploadManifest.mjs"
+  },
+  "openclaw": {
+    "extensions": [
+      "./src/index.ts"
+    ],
+    "installDependencies": true
+  },
+  "devDependencies": {
+    "@types/yazl": "^3.3.0",
+    "typescript": "^5.8.3"
+  },
+  "dependencies": {
+    "yazl": "^3.3.1"
+  },
+  "peerDependencies": {
+    "openclaw": ">=2026.3.24"
+  },
+  "peerDependenciesMeta": {
+    "openclaw": {
+      "optional": false
+    }
+  }
+}

package/src/common-payload.ts

@@ -0,0 +1,27 @@
+import { getHostname } from './hostname';
+
+export type CommonPayloadFields = {
+  hostname: string;
+};
+
+export function buildCommonPayloadFields(): CommonPayloadFields {
+  return {
+    hostname: getHostname(),
+  };
+}
+
+export function mergeCommonPayloadFields(payload: unknown): unknown {
+  if (!payload || typeof payload !== 'object' || Array.isArray(payload)) {
+    return payload;
+  }
+
+  const record = payload as Record<string, unknown>;
+  if (Object.prototype.hasOwnProperty.call(record, 'hostname')) {
+    return payload;
+  }
+
+  return {
+    ...record,
+    ...buildCommonPayloadFields(),
+  };
+}

package/src/detect-service.ts

@@ -0,0 +1,16 @@
+import { DEFAULT_TIMEOUT_MS, fetchSecurityPluginApi, getDetectUrl, createDetectRequestBody } from './http-client';
+import { mergeCommonPayloadFields } from './common-payload';
+import type { OpenClawPluginApi } from 'openclaw/plugin-sdk';
+
+export async function detectHookPayload(api: OpenClawPluginApi, hookName: string, payload: unknown) {
+  const source = 'miaoda'; //TODO: Mock for now, should get from config later
+  const body = createDetectRequestBody(hookName, mergeCommonPayloadFields(payload), source);
+
+  return fetchSecurityPluginApi(api, hookName, getDetectUrl(api), {
+    method: 'POST',
+    headers: {
+      'content-type': 'application/json',
+    },
+    body: JSON.stringify(body),
+  }, DEFAULT_TIMEOUT_MS);
+}

package/src/hook-handler/index.ts

@@ -0,0 +1,269 @@
+import { basename, dirname } from 'node:path';
+import type {
+  PluginHookAfterToolCallEvent,
+  PluginHookAgentContext,
+  PluginHookBeforeToolCallEvent,
+  PluginHookBeforeToolCallResult,
+  PluginHookLlmInputEvent,
+  PluginHookLlmOutputEvent,
+  PluginHookToolContext,
+} from 'openclaw/plugin-sdk/plugin-runtime';
+import type { OpenClawPluginApi } from 'openclaw/plugin-sdk';
+import { detectHookPayload } from '../detect-service';
+import { buildHookPayload } from '../hook-payloads';
+import { logHookPayloadWithEnv, withLogPrefix } from '../logger';
+import { getPluginEnv } from '../plugin-env';
+import type { RuntimeConfigStore } from '../runtime-config';
+import { loadSkillState, resolveStoragePath } from '../skill-scan/skill-storage';
+
+type UnknownRecord = Record<string, unknown>;
+
+/**
+ * Returns the SKILL.md file path if this tool call is a skill read:
+ * tool_name === "read" and tool_args.path ends with "SKILL.md".
+ */
+function extractSkillFilePath(payload: UnknownRecord): string | null {
+  if (payload.tool_name !== 'read') return null;
+  const args = payload.tool_args;
+  if (!args || typeof args !== 'object' || Array.isArray(args)) return null;
+  const values = Object.values(args as UnknownRecord);
+  return (values.find((v): v is string => typeof v === 'string' && v.endsWith('SKILL.md')) ?? null);
+}
+
+async function resolveSkillMeta(
+  api: OpenClawPluginApi,
+  skillFilePath: string,
+  agentId?: string,
+): Promise<{ skill_name: string; skill_hash: string } | null> {
+  // dirName is the cache key in skill-detect-state.json
+  const dirName = basename(dirname(skillFilePath));
+  try {
+    let storagePath: string | undefined;
+    if (agentId) {
+      const workspaceDir = api.runtime.agent.resolveAgentWorkspaceDir(api.config, agentId);
+      storagePath = resolveStoragePath(workspaceDir);
+    }
+    const state = await loadSkillState(api, storagePath);
+    const entry = state[dirName];
+    if (!entry || !entry.zip_hash) return null;
+    return { skill_name: entry.skill_name, skill_hash: entry.zip_hash };
+  } catch {
+    return null;
+  }
+}
+
+type DetectResponseLike = {
+  effect?: unknown;
+  deny_output?: unknown;
+  rewrite_output?: unknown;
+};
+
+type DetectDecision = {
+  effect: string;
+  denyOutput: string;
+  rewriteOutput: string;
+};
+
+type ReportOnlyHookName = 'llm_input' | 'llm_output' | 'after_tool_call';
+
+type ReportOnlyHookEventMap = {
+  llm_input: PluginHookLlmInputEvent;
+  llm_output: PluginHookLlmOutputEvent;
+  after_tool_call: PluginHookAfterToolCallEvent;
+};
+
+type ReportOnlyHookContextMap = {
+  llm_input: PluginHookAgentContext;
+  llm_output: PluginHookAgentContext;
+  after_tool_call: PluginHookToolContext;
+};
+
+function firstString(...values: unknown[]): string {
+  return values.find((value) => typeof value === 'string') ?? '';
+}
+
+function normalizeEffect(effect: unknown): string {
+  if (typeof effect !== 'string') {
+    return 'PERMIT';
+  }
+
+  return effect.toUpperCase();
+}
+
+function parseRewriteParams(text: string): UnknownRecord | undefined {
+  if (typeof text !== 'string' || text.length === 0) {
+    return undefined;
+  }
+
+  try {
+    const parsed = JSON.parse(text);
+    return parsed && typeof parsed === 'object' && !Array.isArray(parsed)
+      ? (parsed as UnknownRecord)
+      : undefined;
+  } catch {
+    return undefined;
+  }
+}
+
+function parseDetectDecision(response: DetectResponseLike | null | undefined): DetectDecision {
+  return {
+    effect: normalizeEffect(response?.effect),
+    denyOutput: firstString(response?.deny_output),
+    rewriteOutput: firstString(response?.rewrite_output),
+  };
+}
+
+function applyBeforeToolCallDecision(decision: DetectDecision) {
+  const effect = normalizeEffect(decision.effect);
+
+  if (effect === 'DENY') {
+    if (!decision.denyOutput) {
+      return {
+        action: 'permit',
+        returnValue: undefined,
+      };
+    }
+
+    return {
+      action: 'deny',
+      output: decision.denyOutput,
+      returnValue: {
+        block: true,
+        blockReason: decision.denyOutput || 'Tool call blocked by detect service',
+      },
+    };
+  }
+
+  if (effect === 'REWRITE') {
+    if (!decision.rewriteOutput) {
+      return {
+        action: 'permit',
+        returnValue: undefined,
+      };
+    }
+
+    const rewrittenParams = parseRewriteParams(decision.rewriteOutput);
+    if (!rewrittenParams) {
+      return {
+        action: 'rewrite_invalid',
+        returnValue: undefined,
+      };
+    }
+
+    return {
+      action: 'rewrite',
+      returnValue: {
+        params: rewrittenParams,
+      },
+    };
+  }
+
+  return {
+    action: 'permit',
+    returnValue: undefined,
+  };
+}
+
+async function handleReportOnlyHook<K extends ReportOnlyHookName>(
+  api: OpenClawPluginApi,
+  configStore: RuntimeConfigStore,
+  hookName: K,
+  event: ReportOnlyHookEventMap[K],
+  ctx: ReportOnlyHookContextMap[K],
+): Promise<void> {
+  if (!(await configStore.isHookEnabled(hookName))) {
+    api.logger.info(withLogPrefix(`[${hookName}] detect skipped: hook disabled by runtime config`));
+    return;
+  }
+
+  const totalStart = Date.now();
+  const payload = buildHookPayload(hookName, event, ctx);
+  logHookPayloadWithEnv(api, hookName, payload, getPluginEnv(api));
+
+  try {
+    const detectResponse = await detectHookPayload(api, hookName, payload);
+    const decision = parseDetectDecision(detectResponse);
+    api.logger.info(
+      withLogPrefix(`[${hookName}] detect effect observed: effect=${decision.effect} (report-only hook)`),
+    );
+  } catch (error) {
+    api.logger.error(
+      withLogPrefix(
+        `[${hookName}] detect request failed: ${error instanceof Error ? error.message : String(error)}`,
+      ),
+    );
+  } finally {
+    const totalElapsed = Date.now() - totalStart;
+    api.logger.info(withLogPrefix(`[${hookName}] total_elapsed=${totalElapsed}ms`));
+  }
+}
+
+async function handleBeforeToolCall(
+  api: OpenClawPluginApi,
+  configStore: RuntimeConfigStore,
+  event: PluginHookBeforeToolCallEvent,
+  ctx: PluginHookToolContext,
+): Promise<PluginHookBeforeToolCallResult> {
+  const totalStart = Date.now();
+  if (!(await configStore.isHookEnabled('before_tool_call'))) {
+    api.logger.info(withLogPrefix('[before_tool_call] detect skipped: hook disabled by runtime config'));
+    return undefined;
+  }
+
+  const payload = buildHookPayload('before_tool_call', event, ctx);
+
+  // Enrich payload with skill metadata if this is a skill read
+  const skillFilePath = extractSkillFilePath(payload as UnknownRecord);
+  let enrichedPayload: UnknownRecord = payload as UnknownRecord;
+  if (skillFilePath) {
+    const skillMeta = await resolveSkillMeta(api, skillFilePath, ctx.agentId);
+    if (skillMeta) {
+      enrichedPayload = { ...enrichedPayload, ...skillMeta };
+      api.logger.info(
+        withLogPrefix(
+          `[before_tool_call] skill read detected: skill=${skillMeta.skill_name} hash=${skillMeta.skill_hash.slice(0, 12)}...`,
+        ),
+      );
+    }
+  }
+
+  logHookPayloadWithEnv(api, 'before_tool_call', enrichedPayload, getPluginEnv(api));
+
+  let hookReturnValue: PluginHookBeforeToolCallResult = undefined;
+
+  try {
+    const detectResponse = await detectHookPayload(api, 'before_tool_call', enrichedPayload);
+    const decision = parseDetectDecision(detectResponse);
+    const outcome = applyBeforeToolCallDecision(decision);
+    api.logger.info(withLogPrefix(`[before_tool_call] detect effect applied: ${JSON.stringify(outcome.returnValue)}`));
+    hookReturnValue = outcome.returnValue;
+  } catch (error) {
+    api.logger.error(
+      withLogPrefix(
+        `[before_tool_call] detect request failed: ${error instanceof Error ? error.message : String(error)}`,
+      ),
+    );
+  }
+
+  const totalElapsed = Date.now() - totalStart;
+  api.logger.info(withLogPrefix(`[before_tool_call] total_elapsed=${totalElapsed}ms`));
+  return hookReturnValue;
+}
+
+export function registerDetectHooks(api: OpenClawPluginApi, configStore: RuntimeConfigStore): void {
+  api.on('llm_input', async (event, ctx) => {
+    await handleReportOnlyHook(api, configStore, 'llm_input', event, ctx);
+  });
+
+  api.on('llm_output', async (event, ctx) => {
+    await handleReportOnlyHook(api, configStore, 'llm_output', event, ctx);
+  });
+
+  api.on('after_tool_call', async (event, ctx) => {
+    await handleReportOnlyHook(api, configStore, 'after_tool_call', event, ctx);
+  });
+
+  api.on('before_tool_call', async (event, ctx) => {
+    return handleBeforeToolCall(api, configStore, event, ctx);
+  });
+}

package/src/hook-payloads/index.ts

@@ -0,0 +1,45 @@
+import type { ContextLike, FetchMeta, LlmEventLike, ToolEventLike } from './shared';
+import { safeObject } from './shared';
+import { buildAfterLlmFetchPayload, buildBeforeLlmFetchPayload } from './llm-fetch-payloads';
+import { buildLlmInputPayload, buildLlmOutputPayload } from './llm-payloads';
+import { buildAfterToolCallPayload, buildBeforeToolCallPayload } from './tool-payloads';
+
+export type HookName =
+  | 'before_tool_call'
+  | 'after_tool_call'
+  | 'before_llm_fetch'
+  | 'after_llm_fetch'
+  | 'llm_input'
+  | 'llm_output';
+
+export { buildAfterLlmFetchPayload, buildBeforeLlmFetchPayload } from './llm-fetch-payloads';
+export { buildLlmInputPayload, buildLlmOutputPayload } from './llm-payloads';
+export { buildAfterToolCallPayload, buildBeforeToolCallPayload } from './tool-payloads';
+
+export function buildHookPayload(
+  hookName: HookName,
+  event: unknown,
+  ctx: unknown,
+  extra?: unknown,
+) {
+  const toolEvent = event as ToolEventLike | null | undefined;
+  const llmEvent = event as LlmEventLike | null | undefined;
+  const safeContext = ctx as ContextLike | null | undefined;
+
+  switch (hookName) {
+    case 'before_tool_call':
+      return buildBeforeToolCallPayload(toolEvent, safeContext);
+    case 'after_tool_call':
+      return buildAfterToolCallPayload(toolEvent, safeContext);
+    case 'before_llm_fetch':
+      return buildBeforeLlmFetchPayload(extra as FetchMeta | null | undefined);
+    case 'after_llm_fetch':
+      return buildAfterLlmFetchPayload(extra as FetchMeta | null | undefined);
+    case 'llm_input':
+      return buildLlmInputPayload(llmEvent, safeContext);
+    case 'llm_output':
+      return buildLlmOutputPayload(llmEvent, safeContext);
+    default:
+      return safeObject(extra);
+  }
+}

package/src/hook-payloads/llm-fetch-payloads.ts

@@ -0,0 +1,26 @@
+import type { FetchMeta } from './shared';
+import { firstDefined, parseUrlParts, safeArray, safeString } from './shared';
+
+export function buildBeforeLlmFetchPayload(meta: FetchMeta | null | undefined) {
+  const { domain, path } = parseUrlParts(safeString(meta?.url));
+
+  return {
+    request_id: safeString(meta?.request_id),
+    domain,
+    path,
+    origin_req: firstDefined(meta?.jsonBody, meta?.rawBody, ''),
+  };
+}
+
+export function buildAfterLlmFetchPayload(meta: FetchMeta | null | undefined) {
+  const { domain, path } = parseUrlParts(safeString(meta?.url));
+
+  return {
+    request_id: safeString(meta?.request_id),
+    domain,
+    path,
+    is_sse: meta?.isSse ? 'true' : 'false',
+    chunks: safeArray(meta?.chunks),
+    origin_resp: meta?.isSse ? '' : safeString(firstDefined(meta?.originResp, '')),
+  };
+}

package/src/hook-payloads/llm-payloads.ts

@@ -0,0 +1,33 @@
+import type { ContextLike, LlmEventLike } from './shared';
+import { safeArray, safeString } from './shared';
+
+function createLlmBasePayload(event: LlmEventLike | null | undefined, ctx: ContextLike | null | undefined) {
+  return {
+    agent_name: safeString(ctx?.agentId),
+    session_id: safeString(ctx?.sessionId),
+    session_key: safeString(ctx?.sessionKey),
+    channel_id: safeString(ctx?.channelId),
+    message_provider: safeString(ctx?.messageProvider),
+    trigger: safeString(ctx?.trigger),
+    model: safeString(event?.model),
+    provider: safeString(event?.provider),
+    run_id: safeString(event?.runId),
+  };
+}
+
+export function buildLlmInputPayload(event: LlmEventLike | null | undefined, ctx: ContextLike | null | undefined) {
+  return {
+    ...createLlmBasePayload(event, ctx),
+    prompt: safeString(event?.prompt),
+    system_prompt: safeString(event?.systemPrompt),
+    history_messages: safeArray(event?.historyMessages),
+  };
+}
+
+export function buildLlmOutputPayload(event: LlmEventLike | null | undefined, ctx: ContextLike | null | undefined) {
+  return {
+    ...createLlmBasePayload(event, ctx),
+    assistant_texts: safeArray(event?.assistantTexts),
+    last_assistant: safeString(JSON.stringify(event?.lastAssistant)),
+  };
+}

package/src/hook-payloads/shared.ts

@@ -0,0 +1,78 @@
+export type UnknownRecord = Record<string, unknown>;
+
+export type ToolEventLike = UnknownRecord & {
+  toolCallId?: unknown;
+  toolName?: unknown;
+  params?: unknown;
+  runId?: unknown;
+  result?: unknown;
+  error?: unknown;
+  durationMs?: unknown;
+};
+
+export type LlmEventLike = UnknownRecord & {
+  model?: unknown;
+  provider?: unknown;
+  runId?: unknown;
+  prompt?: unknown;
+  systemPrompt?: unknown;
+  historyMessages?: unknown;
+  assistantTexts?: unknown;
+  lastAssistant?: unknown;
+};
+
+export type ContextLike = UnknownRecord & {
+  agentId?: unknown;
+  sessionId?: unknown;
+  sessionKey?: unknown;
+  channelId?: unknown;
+  messageProvider?: unknown;
+  trigger?: unknown;
+};
+
+export type FetchMeta = {
+  request_id?: unknown;
+  url?: unknown;
+  rawBody?: unknown;
+  jsonBody?: unknown;
+  isSse?: unknown;
+  chunks?: unknown;
+  originResp?: unknown;
+};
+
+export function firstDefined<T>(...values: Array<T | undefined | null>): T | undefined {
+  return values.find((value) => value !== undefined && value !== null);
+}
+
+export function safeString(value: unknown): string {
+  if (value === undefined || value === null) {
+    return '';
+  }
+
+  return typeof value === 'string' ? value : String(value);
+}
+
+export function safeObject(value: unknown): UnknownRecord {
+  return value && typeof value === 'object' && !Array.isArray(value)
+    ? (value as UnknownRecord)
+    : {};
+}
+
+export function safeArray(value: unknown): unknown[] {
+  return Array.isArray(value) ? value : [];
+}
+
+export function parseUrlParts(url: string): { domain: string; path: string } {
+  try {
+    const parsedUrl = new URL(url);
+    return {
+      domain: parsedUrl.host,
+      path: parsedUrl.pathname || '/',
+    };
+  } catch {
+    return {
+      domain: '',
+      path: '',
+    };
+  }
+}

package/src/hook-payloads/tool-payloads.ts

@@ -0,0 +1,33 @@
+import type { ContextLike, ToolEventLike } from './shared';
+import { firstDefined, safeString } from './shared';
+
+function createToolBasePayload(event: ToolEventLike | null | undefined, ctx: ContextLike | null | undefined) {
+  return {
+    agent_name: safeString(ctx?.agentId),
+    session_id: safeString(ctx?.sessionId),
+    session_key: safeString(ctx?.sessionKey),
+    tool_call_id: safeString(event?.toolCallId),
+    tool_name: safeString(event?.toolName),
+    tool_args: firstDefined(event?.params, {}),
+    run_id: safeString(event?.runId),
+  };
+}
+
+export function buildBeforeToolCallPayload(
+  event: ToolEventLike | null | undefined,
+  ctx: ContextLike | null | undefined,
+) {
+  return createToolBasePayload(event, ctx);
+}
+
+export function buildAfterToolCallPayload(
+  event: ToolEventLike | null | undefined,
+  ctx: ContextLike | null | undefined,
+) {
+  return {
+    ...createToolBasePayload(event, ctx),
+    tool_output: firstDefined(event?.result, ''),
+    tool_error: firstDefined(event?.error, ''),
+    tool_duration_ms: safeString(firstDefined(event?.durationMs, '')),
+  };
+}

package/src/hostname.ts

@@ -0,0 +1,10 @@
+import { hostname as osHostname } from 'node:os';
+
+let cachedHostname: string | null = null;
+
+export function getHostname(): string {
+  if (!cachedHostname) {
+    cachedHostname = osHostname();
+  }
+  return cachedHostname;
+}