@oked/openclaw 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 OKed
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,98 @@
+# @oked/openclaw
+
+[![npm version](https://img.shields.io/npm/v/@oked/openclaw.svg)](https://www.npmjs.com/package/@oked/openclaw)
+[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](./LICENSE)
+[![Types: included](https://img.shields.io/npm/types/@oked/openclaw.svg)](./dist/index.d.ts)
+
+Zero-code integration for OpenClaw. Registers a `before_tool_call` hook that fires for **every** tool the OpenClaw agent calls (built-in or skill-registered), classifies it, and freezes the agent on dangerous actions until you approve from the OKed mobile app.
+
+## Why
+
+OpenClaw's built-in iOS approvals cover **shell commands** (`exec.approval.*`). They do **not** automatically cover the skill / plugin tools agents actually use to touch the real world (sending iMessages, making phone calls, deploying sites, charging cards). Skill authors have to opt in to `plugin.approval.request`, and most don't. This plugin closes that gap.
+
+## Install
+
+```bash
+npm install -g @oked/openclaw @oked/openclaw-cli
+oked-openclaw init
+```
+
+The CLI ([`@oked/openclaw-cli`](../openclaw-cli)) runs `openclaw plugins install --link` against this package, prompts for your API key + `minTier`, writes the entry into `~/.openclaw/openclaw.json`, and restarts the OpenClaw daemon.
+
+If you'd rather do it by hand:
+
+```bash
+openclaw plugins install --link <path-to-this-package>
+```
+
+Then in `~/.openclaw/openclaw.json`:
+
+```json
+{
+  "plugins": {
+    "allow": ["oked"],
+    "entries": {
+      "oked": {
+        "enabled": true,
+        "apiKey": "ok_...",
+        "backendUrl": "https://api.oked.ai",
+        "minTier": "review"
+      }
+    }
+  }
+}
+```
+
+Restart the OpenClaw gateway and you're done.
+
+## Configuration
+
+All keys go under `plugins.entries.oked`:
+
+| Key | Type | Default | Description |
+|---|---|---|---|
+| `apiKey` | `string` | `OKED_API_KEY` env | Your OKed API key. Required. |
+| `backendUrl` | `string` | `https://api.oked.ai` | Override the OKed backend URL. |
+| `minTier` | `"review" \| "high_stakes"` | `"review"` | Minimum risk tier that triggers approval. Set to `"high_stakes"` to only gate the most dangerous calls. `warning` is informational only and does not block. |
+| `alwaysApprove` | `string[]` | `[]` | Tool names to always require approval for, regardless of classifier. |
+| `alwaysAllow` | `string[]` | `[]` | Tool names to never gate. Use sparingly. |
+| `timeoutMs` | `number` | `300000` | Per-approval timeout in ms. |
+
+## What gets gated
+
+The classifier matches OpenClaw skill naming conventions:
+
+- **High stakes** (always approval): `*_send`, `*_post`, `*_publish`, `*_call`, `*_dial`, `*_charge`, `*_pay`, `*_delete`, `*_drop`, `*_deploy`, `*_release`, ...
+- **Review** (approval at default `minTier`): `*_create`, `*_update`, `*_write`, `*_edit`, `*_rename`, `*_modify`, and unknown tool names.
+- **Warning** (log / allow): lower-risk state changes from shared SDK classifiers.
+- **Safe** (never gated): `get_*`, `list_*`, `search_*`, `read_*`, `find_*`.
+- **Bash / shell / exec**: defers to the `@oked/sdk` shell classifier (`rm -rf`, `git push --force`, ...).
+
+For tool names the classifier doesn't recognize, the default tier is `review`, so they are gated by the default configuration.
+
+## Degraded-mode behavior
+
+Explicit denials, invalid API keys, missing API keys, and unexpected plugin errors deny sensitive tool calls. If the backend is unreachable, OKed denies `high_stakes` actions and, by default, allows lower tiers so a temporary outage does not stop every OpenClaw workflow. Set `OKED_STRICT_FAIL_CLOSED=1` to deny every sensitive action during backend outages.
+
+## Comparison to OpenClaw built-in approvals
+
+|  | OpenClaw `exec.approval.*` | `@oked/openclaw` |
+|---|---|---|
+| Shell commands | OK | OK (via classifier) |
+| Skill / plugin tools | Only if skill author opts in | OK all tools |
+| Mobile push | iOS app paired via `device-pairing` | OKed mobile app, unified across Claude Code + OpenClaw + future tools |
+| Audit log | Gateway-local | Centralized OKed dashboard |
+
+Use both. OpenClaw's exec approvals stay in place; this plugin layers on top to cover the skill surface.
+
+## Development
+
+```bash
+npm install
+npm run build
+npm test
+```
+
+## License
+
+[MIT](./LICENSE)

package/dist/classify-openclaw.d.ts

@@ -0,0 +1,6 @@
+import { type RiskTier } from "@oked/sdk";
+export interface ClassifyOptions {
+    alwaysApprove?: ReadonlyArray<string>;
+    alwaysAllow?: ReadonlyArray<string>;
+}
+export declare function classifyOpenClawTool(toolName: string, toolInput: Record<string, unknown>, opts?: ClassifyOptions): RiskTier;

package/dist/classify-openclaw.js

@@ -0,0 +1,84 @@
+import { classify as classifyClaude } from "@oked/sdk";
+/**
+ * OpenClaw-aware risk classifier.
+ *
+ * OpenClaw skills register tools with names like `imessage_send`, `phone_call`,
+ * `deploy_site`, `email_send`. Names that the @oked/sdk Claude-Code classifier
+ * doesn't recognize. We layer a suffix/prefix heuristic for OpenClaw skill
+ * conventions on top of the @oked/sdk classifier so well-known sensitive
+ * patterns (send, dial, deploy, charge, delete) trip approval automatically.
+ *
+ * Plugin users can override or extend behavior via plugin config:
+ *   {
+ *     "alwaysApprove": ["custom_tool_name", ...],
+ *     "alwaysAllow":   ["safe_tool_name",  ...]
+ *   }
+ */
+const SAFE_PATTERNS = [
+    /^get_/,
+    /^list_/,
+    /^search_/,
+    /^read_/,
+    /^find_/,
+    /^show_/,
+    /^check_/,
+    /^view_/,
+    /^describe_/,
+    /^inspect_/,
+    /_status$/,
+    /_info$/,
+    /_count$/,
+    /_exists$/,
+    /_version$/,
+    /_health$/,
+];
+const HIGH_STAKES_PATTERNS = [
+    // Communication that touches the real world
+    /(_|^)(send|reply|post|publish|broadcast|email|sms|imessage|whatsapp|slack|telegram|tweet|toot)$/,
+    /(_|^)(send|reply|post|publish|email|sms|imessage|whatsapp|slack|telegram|tweet)_/,
+    // Telephony
+    /(_|^)(call|dial|hangup|phone)$/,
+    /(_|^)(call|dial|hangup|phone)_/,
+    // Money / commerce
+    /(_|^)(charge|pay|transfer|refund|invoice|purchase|buy|sell)$/,
+    /(_|^)(charge|pay|transfer|refund|invoice|purchase|buy|sell)_/,
+    // Destructive
+    /(_|^)(delete|drop|destroy|wipe|truncate|remove)$/,
+    /(_|^)(delete|drop|destroy|wipe|truncate|remove)_/,
+    // Deploys / external publishing
+    /(_|^)(deploy|publish|release|launch|ship)$/,
+    /(_|^)(deploy|publish|release|launch|ship)_/,
+    // Account / identity changes
+    /(_|^)(rename|reset_password|revoke|grant|invite_user|remove_user)$/,
+    // Calendar / scheduling
+    /(_|^)(schedule_meeting|cancel_meeting|book|reschedule)$/,
+];
+const REVIEW_PATTERNS = [
+    /(_|^)(create|update|edit|write|modify|patch|set)$/,
+    /(_|^)(create|update|edit|write|modify|patch|set)_/,
+    /(_|^)(rename|move|copy)_/,
+];
+export function classifyOpenClawTool(toolName, toolInput, opts) {
+    const lower = toolName.toLowerCase();
+    if (opts?.alwaysAllow?.includes(toolName))
+        return "safe";
+    if (opts?.alwaysApprove?.includes(toolName))
+        return "high_stakes";
+    // Bash / shell / exec: defer to the SDK's bash classifier.
+    if (lower === "bash" || lower === "shell" || lower === "exec") {
+        return classifyClaude("Bash", toolInput);
+    }
+    for (const re of HIGH_STAKES_PATTERNS) {
+        if (re.test(lower))
+            return "high_stakes";
+    }
+    for (const re of SAFE_PATTERNS) {
+        if (re.test(lower))
+            return "safe";
+    }
+    for (const re of REVIEW_PATTERNS) {
+        if (re.test(lower))
+            return "review";
+    }
+    return "review";
+}

package/dist/index.d.ts

@@ -0,0 +1,96 @@
+/**
+ * @oked/openclaw. OKed plugin for OpenClaw.
+ *
+ * Registers a `before_tool_call` hook that runs for *every* tool the agent
+ * invokes (built-in or skill-registered). For tool calls classified as
+ * sensitive, the hook freezes the agent and asks for a human approval via
+ * the OKed backend (push to your phone). The agent only proceeds on Approve;
+ * any other outcome blocks the call.
+ *
+ * Failure semantics: fail safe always. If the OKed backend is unreachable,
+ * if the approval times out, or if the response is malformed, the tool call
+ * is denied. Never let an agent proceed when in doubt.
+ *
+ * Plugin config (set in openclaw.json under plugins.entries.oked):
+ * {
+ *   "apiKey": "ok_...",                  // OKed API key (or OKED_API_KEY env)
+ *   "backendUrl": "https://...",         // optional override
+ *   "alwaysApprove": ["custom_tool"],    // additional names to require approval for
+ *   "alwaysAllow":   ["safe_tool"],      // names to never gate
+ *   "minTier": "review"                  // minimum tier to require approval (default: "review")
+ * }
+ */
+import { type RiskTier } from "@oked/sdk";
+import { type ClassifyOptions } from "./classify-openclaw.js";
+interface OkedPluginConfig extends ClassifyOptions {
+    apiKey?: string;
+    backendUrl?: string;
+    minTier?: RiskTier;
+    /** Approval timeout in ms; defaults to OKed backend default. */
+    timeoutMs?: number;
+    /**
+     * When true, an unreachable backend hard-denies every sensitive tool call.
+     * When false (default), it degrades to allow for non-high-stakes tiers so a
+     * single outage does not mass-abort the agent. high_stakes always denies.
+     */
+    strictFailClosed?: boolean;
+}
+interface BeforeToolCallEvent {
+    toolName: string;
+    params: Record<string, unknown>;
+    runId?: string;
+    toolCallId?: string;
+}
+interface BeforeToolCallContext {
+    toolName: string;
+    agentId?: string;
+    sessionKey?: string;
+    sessionId?: string;
+    runId?: string;
+    toolCallId?: string;
+}
+interface BeforeToolCallResult {
+    block?: boolean;
+    blockReason?: string;
+    params?: Record<string, unknown>;
+}
+interface PluginLogger {
+    debug?: (msg: string) => void;
+    info?: (msg: string) => void;
+    warn?: (msg: string) => void;
+    error?: (msg: string) => void;
+}
+interface OpenClawPluginApi {
+    pluginConfig?: OkedPluginConfig;
+    logger?: PluginLogger;
+    on: (hookName: string, handler: (event: BeforeToolCallEvent, ctx: BeforeToolCallContext) => Promise<BeforeToolCallResult | void> | BeforeToolCallResult | void) => void;
+}
+/**
+ * Thrown to abort a tool call OKed denied.
+ *
+ * Why throw instead of only returning `{ block: true }`: a returned block
+ * directive is silently ignored unless the host recognizes that exact shape,
+ * which fails OPEN (observed in production: a denied `rm` still executed). A
+ * thrown exception from a pre-execution hook is the most universally honored
+ * "abort" signal across plugin/hook runtimes, so it is the safe default for a
+ * trust tool. `okedBlock`/`blockReason` are kept on the error so hosts that
+ * DO inspect a structured result still get one.
+ *
+ * Caveat: if the host fires `before_tool_call` without awaiting the async
+ * handler, neither a throw nor a return can stop the call - that is a host
+ * bug OKed cannot fix from the plugin side.
+ */
+export declare class OkedDeniedError extends Error {
+    readonly okedBlock: true;
+    readonly blockReason: string;
+    constructor(reason: string);
+}
+declare const plugin: {
+    id: string;
+    name: string;
+    description: string;
+    register(api: OpenClawPluginApi): void;
+};
+export default plugin;
+export { classifyOpenClawTool } from "./classify-openclaw.js";
+export type { OkedPluginConfig };

package/dist/index.js

@@ -0,0 +1,252 @@
+/**
+ * @oked/openclaw. OKed plugin for OpenClaw.
+ *
+ * Registers a `before_tool_call` hook that runs for *every* tool the agent
+ * invokes (built-in or skill-registered). For tool calls classified as
+ * sensitive, the hook freezes the agent and asks for a human approval via
+ * the OKed backend (push to your phone). The agent only proceeds on Approve;
+ * any other outcome blocks the call.
+ *
+ * Failure semantics: fail safe always. If the OKed backend is unreachable,
+ * if the approval times out, or if the response is malformed, the tool call
+ * is denied. Never let an agent proceed when in doubt.
+ *
+ * Plugin config (set in openclaw.json under plugins.entries.oked):
+ * {
+ *   "apiKey": "ok_...",                  // OKed API key (or OKED_API_KEY env)
+ *   "backendUrl": "https://...",         // optional override
+ *   "alwaysApprove": ["custom_tool"],    // additional names to require approval for
+ *   "alwaysAllow":   ["safe_tool"],      // names to never gate
+ *   "minTier": "review"                  // minimum tier to require approval (default: "review")
+ * }
+ */
+import * as fs from "node:fs";
+import * as os from "node:os";
+import * as path from "node:path";
+import { OKedClient, describe as describeAction, degradedDecision, OKedAuthError, OKedBackendUnreachableError, TIER_ORDER, } from "@oked/sdk";
+import { classifyOpenClawTool } from "./classify-openclaw.js";
+const MAX_SCRIPT_READ = 4096;
+function tryReadScriptFile(command) {
+    // Match: python3 script.py, node script.js, ruby script.rb, etc.
+    // Skip -c/-e flags (handled by findSqlInCommand inline path).
+    const m = command.trim().match(/\b(?:python\d?(?:\.\d+)?|node|ruby|perl|deno\s+run|bun\s+run)\s+(?:-[^\s]+\s+)*(['"]?)([^\s'"]+\.(?:py|js|mjs|ts|rb|pl))\1/);
+    if (!m)
+        return undefined;
+    let target = m[2];
+    if (target.startsWith("~/"))
+        target = path.join(os.homedir(), target.slice(2));
+    else if (!path.isAbsolute(target))
+        target = path.resolve(target);
+    try {
+        const fd = fs.openSync(target, "r");
+        const buf = Buffer.alloc(MAX_SCRIPT_READ);
+        const bytesRead = fs.readSync(fd, buf, 0, MAX_SCRIPT_READ, 0);
+        fs.closeSync(fd);
+        return buf.toString("utf8", 0, bytesRead);
+    }
+    catch {
+        return undefined;
+    }
+}
+function tryStatRmTarget(command) {
+    const m = command.trim().match(/\b(?:rm|trash|trash-put|rmdir)\s+(?:-[^\s]+\s+)*(['"]?)([^\s'"]+)\1/);
+    if (!m)
+        return undefined;
+    let target = m[2];
+    if (target.startsWith("~/"))
+        target = path.join(os.homedir(), target.slice(2));
+    try {
+        return fs.statSync(target).size;
+    }
+    catch {
+        return undefined;
+    }
+}
+const APPROVAL_TIERS = new Set(["review", "high_stakes"]);
+/**
+ * Thrown to abort a tool call OKed denied.
+ *
+ * Why throw instead of only returning `{ block: true }`: a returned block
+ * directive is silently ignored unless the host recognizes that exact shape,
+ * which fails OPEN (observed in production: a denied `rm` still executed). A
+ * thrown exception from a pre-execution hook is the most universally honored
+ * "abort" signal across plugin/hook runtimes, so it is the safe default for a
+ * trust tool. `okedBlock`/`blockReason` are kept on the error so hosts that
+ * DO inspect a structured result still get one.
+ *
+ * Caveat: if the host fires `before_tool_call` without awaiting the async
+ * handler, neither a throw nor a return can stop the call - that is a host
+ * bug OKed cannot fix from the plugin side.
+ */
+export class OkedDeniedError extends Error {
+    okedBlock = true;
+    blockReason;
+    constructor(reason) {
+        super(reason);
+        this.name = "OkedDeniedError";
+        this.blockReason = reason;
+    }
+}
+const PLUGIN_ID = "oked";
+const plugin = {
+    id: PLUGIN_ID,
+    name: "OKed Approvals",
+    description: "Freeze the agent before sensitive tool calls and ask for human approval via the OKed mobile app.",
+    register(api) {
+        const cfg = api.pluginConfig ?? {};
+        const log = api.logger;
+        const oked = new OKedClient({
+            apiKey: cfg.apiKey ?? process.env.OKED_API_KEY,
+            backendUrl: cfg.backendUrl ?? process.env.OKED_BACKEND_URL,
+            ...(cfg.timeoutMs ? { timeout: cfg.timeoutMs } : {}),
+            ...(cfg.strictFailClosed !== undefined
+                ? { strictFailClosed: cfg.strictFailClosed }
+                : {}),
+        });
+        if (!oked.apiKey) {
+            log?.warn?.(`[oked] no apiKey configured. Plugin will fail-safe DENY every sensitive tool call. ` +
+                `Set OKED_API_KEY env var or plugins.entries.oked.apiKey in openclaw.json.`);
+        }
+        // minTier resolution order: openclaw.json > OKED_MIN_TIER env var > default.
+        // (The env-var fallback exists because some OpenClaw versions reject
+        // unknown keys under plugins.entries.<id>, so cfg.minTier is unavailable.)
+        const envMinTier = process.env.OKED_MIN_TIER;
+        const resolvedMinTier = cfg.minTier ?? (envMinTier && envMinTier in TIER_ORDER ? envMinTier : undefined) ?? "review";
+        const minTier = resolvedMinTier;
+        const minTierLevel = TIER_ORDER[minTier];
+        api.on("before_tool_call", async (event, ctx) => {
+            const { toolName, params } = event;
+            // Presence ping (throttled to once/day on disk, never throws). Fired for
+            // every tool call, before the allow-fast-path below, so installs that
+            // only run low-tier tools still register for retention. Fire-and-forget:
+            // this is a long-lived process, so we never add latency to the call.
+            if (oked.apiKey)
+                void oked.heartbeat().catch(() => { });
+            // Why return `{ block: true, blockReason }` instead of throwing:
+            // OpenClaw's `runBeforeToolCallHook` wraps any thrown error - even our
+            // OkedDeniedError - into a generic `kind: "failure"` outcome and
+            // overwrites the reason with the hardcoded string
+            // "Tool call blocked because before_tool_call hook failed". That generic
+            // string is what reaches the LLM, which reads it as a transient
+            // tool-runtime error and retries the SAME denied action (observed in
+            // production: 17 retries of a denied DELETE).
+            //
+            // Returning `{ block: true, blockReason }` instead routes through the
+            // host's `kind: "veto"` path: the tool is NOT executed, AND our reason
+            // is surfaced verbatim to the agent via `buildBlockedToolResult`. So
+            // the LLM actually reads our "do NOT retry, ask the user" instruction.
+            //
+            // History: an earlier OpenClaw build did not honor a returned veto
+            // (the tool ran anyway), which is why this code originally threw. The
+            // current host (v2026.5.4+) correctly blocks on the return path - it
+            // builds a blocked tool result without ever calling `tool.execute`.
+            const deny = (reason) => {
+                log?.info?.(`[oked] X blocking ${toolName}: ${reason}`);
+                return { block: true, blockReason: reason };
+            };
+            let tier;
+            try {
+                tier = classifyOpenClawTool(toolName, params, {
+                    alwaysApprove: cfg.alwaysApprove,
+                    alwaysAllow: cfg.alwaysAllow,
+                });
+            }
+            catch (err) {
+                // Classifier should never throw, but if it does, fail safe.
+                log?.error?.(`[oked] classifier error on ${toolName}: ${String(err)}`);
+                return deny("OKed classifier error. Fail-safe deny.");
+            }
+            // Warning is informational only; only review/high_stakes can block.
+            if (TIER_ORDER[tier] < minTierLevel || !APPROVAL_TIERS.has(tier)) {
+                return; // void = allow
+            }
+            // Sensitive. Ask the human.
+            const description = describeAction(toolName, params);
+            log?.info?.(`[oked] requesting approval: tool=${toolName} tier=${tier} session=${ctx.sessionKey ?? ctx.sessionId ?? "?"}`);
+            // Enrich tool_input with file size for delete operations so the backend
+            // can display it in the approval card (same as Create file shows size).
+            let enrichedParams = params;
+            const lowerTool = toolName.toLowerCase();
+            if (lowerTool === "bash" || lowerTool === "shell" || lowerTool === "exec") {
+                const cmd = (params.command ?? params.cmd);
+                if (typeof cmd === "string") {
+                    const sizeBytes = tryStatRmTarget(cmd);
+                    if (sizeBytes !== undefined)
+                        enrichedParams = { ...params, _file_size_bytes: sizeBytes };
+                    const scriptBody = tryReadScriptFile(cmd);
+                    if (scriptBody !== undefined)
+                        enrichedParams = { ...enrichedParams, _script_body: scriptBody };
+                }
+            }
+            // Compute the outcome first; only throw/return AFTER the try/catch so a
+            // deny is never swallowed by this block's own catch.
+            let outcome;
+            try {
+                const result = await oked.approve({
+                    action: toolName,
+                    description,
+                    tier,
+                    tool_input: enrichedParams,
+                    ...(ctx.sessionId ? { session_id: ctx.sessionId } : {}),
+                    ...(ctx.sessionKey && !ctx.sessionId ? { session_id: ctx.sessionKey } : {}),
+                    cwd: process.cwd(),
+                });
+                if (result.approved) {
+                    outcome = "allow";
+                }
+                else {
+                    // Phrase the denial as an explicit instruction to the agent. A terse
+                    // "denied via OKed" message gets interpreted as a transient tool
+                    // error and the agent retries (observed: 17 retries of the same
+                    // DELETE before the agent gave up). Spell out that this is a final
+                    // human decision so the LLM stops looping.
+                    const verb = result.decision === "timeout" ? "did not respond to" : "DENIED";
+                    outcome =
+                        `USER ${verb} this action via OKed (approval ${result.approval_id}). ` +
+                            `This is a final human decision - do NOT retry the same action. ` +
+                            `Stop and ask the user what to do instead.`;
+                }
+            }
+            catch (err) {
+                if (err instanceof OKedAuthError) {
+                    // Auth misconfig is not an outage - always deny.
+                    log?.error?.(`[oked] invalid API key for ${toolName}.`);
+                    outcome =
+                        "OKed: invalid API key (configuration error, not a transient failure). " +
+                            "Do NOT retry. Stop and report this to the user.";
+                }
+                else if (err instanceof OKedBackendUnreachableError) {
+                    const decision = degradedDecision(tier, {
+                        strictFailClosed: oked.strictFailClosed,
+                    });
+                    if (decision === "allow") {
+                        // OpenClaw has no native "ask"; degraded non-high-stakes proceeds.
+                        log?.warn?.(`[oked] backend unreachable - ${toolName} (${tier}) allowed (degraded; non-high-stakes)`);
+                        outcome = "allow";
+                    }
+                    else {
+                        const why = oked.strictFailClosed ? "strict fail-closed" : "high-stakes";
+                        log?.error?.(`[oked] backend unreachable - ${toolName} (${tier}) denied (${why}, fail-safe)`);
+                        outcome =
+                            `OKed backend unreachable - this ${tier} action is denied (${why}, fail-safe). ` +
+                                `Do NOT retry. Stop and ask the user how to proceed.`;
+                    }
+                }
+                else {
+                    const msg = err instanceof Error ? err.message : String(err);
+                    log?.error?.(`[oked] approval request failed for ${toolName}: ${msg}.`);
+                    outcome =
+                        `OKed backend error, fail-safe deny: ${msg}. ` +
+                            `Do NOT retry. Stop and ask the user how to proceed.`;
+                }
+            }
+            if (outcome === "allow") {
+                log?.info?.(`[oked] OK ${toolName} allowed`);
+                return; // allow
+            }
+            return deny(outcome); // throws OkedDeniedError - strongest abort signal
+        });
+    },
+};
+export default plugin;
+export { classifyOpenClawTool } from "./classify-openclaw.js";

package/openclaw.plugin.json

@@ -0,0 +1,73 @@
+{
+  "id": "oked",
+  "name": "OKed",
+  "description": "Human approval layer for AI agents - freezes the agent before sensitive tool calls and asks for human approval via Telegram or the OKed dashboard.",
+  "activation": {
+    "onStartup": true
+  },
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {
+      "enabled": {
+        "type": "boolean"
+      },
+      "apiKey": {
+        "type": "string"
+      },
+      "backendUrl": {
+        "type": "string"
+      },
+      "minTier": {
+        "type": "string",
+        "enum": ["safe", "warning", "review", "high_stakes"],
+        "default": "review"
+      },
+      "alwaysApprove": {
+        "type": "array",
+        "items": { "type": "string" }
+      },
+      "alwaysAllow": {
+        "type": "array",
+        "items": { "type": "string" }
+      },
+      "timeoutMs": {
+        "type": "integer",
+        "minimum": 1000,
+        "maximum": 600000
+      }
+    }
+  },
+  "uiHints": {
+    "enabled": {
+      "label": "OKed Approvals",
+      "help": "Globally enable or pause the OKed approval gate."
+    },
+    "apiKey": {
+      "label": "OKed API Key",
+      "placeholder": "ok_...",
+      "help": "Your OKed API key from https://app.oked.ai/dashboard."
+    },
+    "backendUrl": {
+      "label": "Backend URL",
+      "placeholder": "https://api.oked.ai",
+      "help": "Override the OKed backend URL. Default is the hosted backend."
+    },
+    "minTier": {
+      "label": "Minimum Approval Tier",
+      "help": "Lowest risk tier that requires human approval. Use 'review' to gate everything except clearly safe reads, 'warning' for state-changing actions only, or 'high_stakes' for the most dangerous calls only."
+    },
+    "alwaysApprove": {
+      "label": "Always Require Approval",
+      "help": "Tool names that should always require approval, regardless of the classifier."
+    },
+    "alwaysAllow": {
+      "label": "Always Allow",
+      "help": "Tool names to never gate. Use sparingly."
+    },
+    "timeoutMs": {
+      "label": "Approval Timeout (ms)",
+      "help": "How long to wait for a human decision before the action is denied. Defaults to the SDK's value."
+    }
+  }
+}

package/package.json

@@ -0,0 +1,70 @@
+{
+  "name": "@oked/openclaw",
+  "version": "0.1.0",
+  "description": "OKed plugin for OpenClaw. Gates skill and tool calls behind a human approval push to your phone.",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "openclaw.plugin.json",
+    "README.md"
+  ],
+  "scripts": {
+    "prebuild": "npm run build --workspace=@oked/sdk",
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "test": "npm run build && node src/smoke.test.mjs",
+    "prepublishOnly": "npm run build"
+  },
+  "openclaw": {
+    "extensions": [
+      "./dist/index.js"
+    ]
+  },
+  "peerDependencies": {
+    "openclaw": ">=2026.4.20"
+  },
+  "peerDependenciesMeta": {
+    "openclaw": {
+      "optional": true
+    }
+  },
+  "dependencies": {
+    "@oked/sdk": "^0.1.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.13.10",
+    "typescript": "^5.6.0"
+  },
+  "keywords": [
+    "openclaw",
+    "openclaw-plugin",
+    "approval",
+    "agents",
+    "ai",
+    "human-in-the-loop",
+    "oked"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/oked-ai/oked-sdk.git"
+  },
+  "bugs": {
+    "url": "https://github.com/oked-ai/oked-sdk/issues"
+  },
+  "homepage": "https://github.com/oked-ai/oked-sdk/tree/main/packages/openclaw#readme",
+  "license": "MIT",
+  "engines": {
+    "node": ">=18"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}