@plusplus7/clawclamp 0.1.0

package/assets/index.html

@@ -0,0 +1,125 @@
+<!doctype html>
+<html lang="zh-CN">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>OpenClaw Clawclamp 审计控制台</title>
+    <link rel="stylesheet" href="/plugins/clawclamp/assets/styles.css" />
+  </head>
+  <body>
+    <div class="page">
+      <header class="header">
+        <div>
+          <p class="eyebrow">OpenClaw - Clawclamp</p>
+          <h1>工具授权与审计</h1>
+          <p class="subhead">
+            基于 Cedar 的策略决策，支持短期授权与灰度放行。
+          </p>
+        </div>
+        <div class="header-actions">
+          <button id="refresh" class="btn ghost">刷新</button>
+        </div>
+      </header>
+
+      <section class="card policy-shell">
+        <div class="policy-head">
+          <div>
+            <h2>Cedar 策略</h2>
+            <div class="note">查看与维护当前策略集（policyStoreUri 配置时为只读）。</div>
+          </div>
+          <div class="policy-badge">Policy Lab</div>
+        </div>
+        <div class="policy-grid">
+          <div class="policy-list-wrap">
+            <div class="label">策略列表</div>
+            <div class="policy-list" id="policy-list"></div>
+          </div>
+          <div class="policy-editor">
+            <div class="policy-form">
+              <label>
+                Policy ID
+                <input id="policy-id" placeholder="policy-id" />
+              </label>
+              <label>
+                Policy 内容
+                <textarea id="policy-content" rows="12" placeholder="permit(principal, action, resource) when { ... }"></textarea>
+              </label>
+              <div class="policy-actions">
+                <button id="policy-create" class="btn primary">新增</button>
+                <button id="policy-update" class="btn">保存</button>
+                <button id="policy-delete" class="btn warn">删除</button>
+              </div>
+              <div id="policy-status" class="note"></div>
+            </div>
+          </div>
+        </div>
+      </section>
+
+      <section class="grid">
+        <div class="card">
+          <h2>模式</h2>
+          <div class="mode-row">
+            <div>
+              <div class="label">当前模式</div>
+              <div id="mode" class="value">加载中...</div>
+              <div id="mode-note" class="note"></div>
+            </div>
+            <div class="mode-actions">
+              <button id="mode-enforce" class="btn">强制</button>
+              <button id="mode-gray" class="btn warn">灰度</button>
+            </div>
+          </div>
+        </div>
+
+        <div class="card">
+          <h2>短期授权</h2>
+          <form id="grant-form" class="grant-form">
+            <label>
+              工具名称
+              <input id="grant-tool" placeholder="exec（或 *）" required />
+            </label>
+            <label>
+              TTL（秒）
+              <input id="grant-ttl" type="number" min="60" step="60" />
+            </label>
+            <label>
+              备注
+              <input id="grant-note" placeholder="原因 / 工单" />
+            </label>
+            <button class="btn primary" type="submit">创建授权</button>
+            <div id="grant-hint" class="note"></div>
+          </form>
+        </div>
+
+        <div class="card">
+          <h2>当前授权</h2>
+          <div id="grants" class="list"></div>
+        </div>
+      </section>
+
+      <section class="card">
+        <h2>审计日志</h2>
+        <div class="note">最近的工具调用记录（允许、拒绝、灰度放行）。</div>
+        <div class="toolbar">
+          <label class="toolbar-item">
+            每页
+            <select id="audit-page-size">
+              <option value="20">20</option>
+              <option value="50" selected>50</option>
+              <option value="100">100</option>
+              <option value="200">200</option>
+            </select>
+          </label>
+          <div class="toolbar-item pagination">
+            <button id="audit-prev" class="btn">上一页</button>
+            <span id="audit-page-info" class="note">第 1 页</span>
+            <button id="audit-next" class="btn">下一页</button>
+          </div>
+        </div>
+        <div class="table" id="audit"></div>
+      </section>
+    </div>
+
+    <script type="module" src="/plugins/clawclamp/assets/app.js"></script>
+  </body>
+</html>

package/assets/styles.css

@@ -0,0 +1,432 @@
+:root {
+  color-scheme: light;
+  --bg: #f2f3f5;
+  --panel: #ffffff;
+  --ink: #0f1115;
+  --muted: #5f6774;
+  --accent: #00a3ff;
+  --accent-2: #7c8cff;
+  --warn: #ff5b4d;
+  --border: #d7dbe2;
+  --shadow: 0 10px 30px rgba(4, 8, 16, 0.08);
+  --radius: 10px;
+  --mono: "JetBrains Mono", "IBM Plex Mono", "SFMono-Regular", "Menlo", "Consolas", monospace;
+  --sans: "Space Grotesk", "IBM Plex Sans", "Segoe UI", sans-serif;
+}
+
+* {
+  box-sizing: border-box;
+}
+
+body {
+  margin: 0;
+  font-family: var(--mono);
+  background: radial-gradient(circle at top, #ffffff 0%, var(--bg) 45%, #e7eaef 100%);
+  color: var(--ink);
+}
+
+.page {
+  max-width: 1120px;
+  margin: 0 auto;
+  padding: 20px 18px 32px;
+}
+
+.header {
+  display: flex;
+  align-items: flex-start;
+  justify-content: space-between;
+  gap: 16px;
+  padding: 16px 18px;
+  background: var(--panel);
+  border-radius: var(--radius);
+  box-shadow: var(--shadow);
+  border: 1px solid var(--border);
+  margin-bottom: 16px;
+}
+
+.eyebrow {
+  margin: 0 0 8px;
+  text-transform: uppercase;
+  letter-spacing: 0.2em;
+  font-size: 0.7rem;
+  color: var(--muted);
+}
+
+h1 {
+  margin: 0 0 4px;
+  font-size: 1.6rem;
+  letter-spacing: 0.02em;
+}
+
+.subhead {
+  margin: 0;
+  color: var(--muted);
+}
+
+.header-actions {
+  display: flex;
+  align-items: center;
+  gap: 12px;
+}
+
+.grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(240px, 1fr));
+  gap: 12px;
+  margin-bottom: 16px;
+}
+
+.card {
+  background: var(--panel);
+  border-radius: var(--radius);
+  padding: 14px;
+  border: 1px solid var(--border);
+  box-shadow: var(--shadow);
+}
+
+.policy-shell {
+  margin-bottom: 16px;
+  background:
+    linear-gradient(135deg, rgba(0, 163, 255, 0.1), rgba(124, 140, 255, 0.06)),
+    var(--panel);
+  border-color: #b9d7ea;
+}
+
+.policy-head {
+  display: flex;
+  justify-content: space-between;
+  align-items: flex-start;
+  gap: 12px;
+  margin-bottom: 12px;
+}
+
+.policy-badge {
+  padding: 6px 10px;
+  border: 1px solid #a7d7ff;
+  border-radius: 999px;
+  font-size: 0.72rem;
+  letter-spacing: 0.08em;
+  text-transform: uppercase;
+  color: #03527d;
+  background: rgba(255, 255, 255, 0.8);
+}
+
+h2 {
+  margin: 0 0 8px;
+  font-size: 1rem;
+  letter-spacing: 0.02em;
+}
+
+.mode-row {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  gap: 12px;
+}
+
+.mode-actions {
+  display: flex;
+  flex-direction: column;
+  gap: 6px;
+}
+
+.label {
+  font-size: 0.8rem;
+  color: var(--muted);
+}
+
+.value {
+  font-size: 1.1rem;
+  font-weight: 600;
+}
+
+.note {
+  font-size: 0.85rem;
+  color: var(--muted);
+  margin-top: 6px;
+}
+
+.toolbar {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  gap: 10px;
+  margin-top: 10px;
+  flex-wrap: wrap;
+}
+
+.toolbar-item {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  font-size: 0.82rem;
+  color: var(--muted);
+}
+
+.toolbar-item select {
+  min-width: 76px;
+}
+
+.pagination {
+  margin-left: auto;
+}
+
+.btn {
+  padding: 8px 12px;
+  border-radius: 8px;
+  border: 1px solid var(--border);
+  background: #fff;
+  cursor: pointer;
+  font-weight: 600;
+  font-family: var(--mono);
+  font-size: 0.82rem;
+}
+
+.btn.primary {
+  background: var(--accent);
+  color: #fff;
+  border-color: var(--accent);
+}
+
+.btn.warn {
+  background: var(--warn);
+  color: #fff;
+  border-color: var(--warn);
+}
+
+.btn.mini {
+  padding: 6px 8px;
+  border-radius: 6px;
+  font-size: 0.75rem;
+}
+
+.btn.ghost {
+  background: transparent;
+}
+
+.btn:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+}
+
+.grant-form {
+  display: flex;
+  flex-direction: column;
+  gap: 12px;
+}
+
+.grant-form label {
+  display: flex;
+  flex-direction: column;
+  gap: 6px;
+  font-size: 0.85rem;
+  color: var(--muted);
+}
+
+input,
+select {
+  border: 1px solid var(--border);
+  border-radius: 8px;
+  padding: 8px 10px;
+  font-size: 0.85rem;
+  font-family: var(--mono);
+}
+
+.list {
+  display: grid;
+  gap: 10px;
+}
+
+.list-item {
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+  padding: 10px;
+  border-radius: 8px;
+  border: 1px solid var(--border);
+  background: #f6f7f9;
+  font-size: 0.8rem;
+}
+
+.list-item strong {
+  font-family: var(--mono);
+}
+
+.table {
+  display: grid;
+  gap: 6px;
+  margin-top: 10px;
+}
+
+.table-row {
+  display: grid;
+  grid-template-columns: 110px 110px 90px 70px 1fr 120px;
+  gap: 10px;
+  align-items: center;
+  padding: 8px 10px;
+  border-radius: 8px;
+  border: 1px solid var(--border);
+  background: #fdfdfd;
+  font-size: 0.78rem;
+}
+
+.table-row.header {
+  background: #eef2f7;
+  font-weight: 700;
+}
+
+.table-row .mono {
+  font-family: var(--mono);
+}
+
+.actions {
+  display: flex;
+  gap: 6px;
+  flex-wrap: wrap;
+}
+
+.audit-detail {
+  grid-column: 1 / -1;
+  border-top: 1px dashed var(--border);
+  margin-top: 6px;
+  padding-top: 6px;
+  font-size: 0.72rem;
+  color: var(--muted);
+}
+
+.audit-detail pre {
+  margin: 6px 0 0;
+  padding: 8px;
+  border-radius: 6px;
+  border: 1px solid var(--border);
+  background: #f3f5f9;
+  font-size: 0.72rem;
+  line-height: 1.35;
+  overflow: auto;
+}
+
+.policy-grid {
+  display: grid;
+  grid-template-columns: 260px 1fr;
+  gap: 12px;
+  margin-top: 10px;
+}
+
+.policy-list-wrap {
+  display: grid;
+  gap: 8px;
+}
+
+.policy-list {
+  display: grid;
+  gap: 6px;
+  align-content: start;
+  max-height: 420px;
+  overflow: auto;
+  padding: 8px;
+  border: 1px solid var(--border);
+  border-radius: 10px;
+  background: rgba(255, 255, 255, 0.7);
+  box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.8);
+}
+
+.policy-item {
+  padding: 8px 10px;
+  border-radius: 8px;
+  border: 1px solid #d6e3f0;
+  background: linear-gradient(180deg, #ffffff, #f5f9fd);
+  font-family: var(--mono);
+  font-size: 0.75rem;
+  text-align: left;
+  cursor: pointer;
+  transition: transform 120ms ease, border-color 120ms ease, background 120ms ease;
+}
+
+.policy-item:hover {
+  transform: translateY(-1px);
+  border-color: #8ecdf6;
+  background: linear-gradient(180deg, #ffffff, #eef8ff);
+}
+
+.policy-editor {
+  display: block;
+}
+
+.policy-form {
+  display: grid;
+  gap: 10px;
+  padding: 12px;
+  border: 1px solid #d6e3f0;
+  border-radius: 12px;
+  background: rgba(255, 255, 255, 0.86);
+}
+
+.policy-form label {
+  display: grid;
+  gap: 6px;
+  font-size: 0.8rem;
+  color: var(--muted);
+}
+
+.policy-form textarea {
+  border: 1px solid var(--border);
+  border-radius: 8px;
+  padding: 8px 10px;
+  font-size: 0.8rem;
+  font-family: var(--mono);
+  min-height: 260px;
+  resize: vertical;
+  background: #fbfdff;
+}
+
+.policy-actions {
+  display: flex;
+  gap: 6px;
+  flex-wrap: wrap;
+}
+
+@media (max-width: 900px) {
+  .policy-grid {
+    grid-template-columns: 1fr;
+  }
+  .policy-editor {
+    grid-template-columns: 1fr;
+  }
+}
+
+.badge {
+  padding: 3px 6px;
+  border-radius: 999px;
+  font-size: 0.68rem;
+  text-transform: uppercase;
+  font-weight: 700;
+  justify-self: start;
+}
+
+.badge.allow {
+  background: rgba(0, 163, 255, 0.15);
+  color: #0086cc;
+}
+
+.badge.deny {
+  background: rgba(255, 91, 77, 0.15);
+  color: #d9392c;
+}
+
+.badge.gray {
+  background: rgba(124, 140, 255, 0.2);
+  color: #4f5bff;
+}
+
+@media (max-width: 900px) {
+  .table-row {
+    grid-template-columns: 100px 1fr;
+    grid-template-rows: auto auto auto;
+  }
+  .table-row > :nth-child(3),
+  .table-row > :nth-child(4),
+  .table-row > :nth-child(5),
+  .table-row > :nth-child(6) {
+    grid-column: 1 / -1;
+  }
+}

package/index.ts

@@ -0,0 +1,45 @@
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import type { OpenClawPluginApi } from "openclaw/plugin-sdk";
+import { resolveClawClampConfig, clawClampConfigSchema } from "./src/config.js";
+import { createClawClampHttpHandler } from "./src/http.js";
+import { createClawClampService } from "./src/guard.js";
+
+const plugin = {
+  id: "clawclamp",
+  name: "Clawclamp",
+  description: "Cedar-based authorization guard with tool audit logging.",
+  configSchema: clawClampConfigSchema,
+  register(api: OpenClawPluginApi) {
+    const config = resolveClawClampConfig(api.pluginConfig);
+    const stateDir = api.runtime.state.resolveStateDir();
+    const service = createClawClampService({ api, config, stateDir });
+
+    api.on(
+      "before_tool_call",
+      async (event, ctx) => service.handleBeforeToolCall(event, ctx),
+      { priority: -10 },
+    );
+    api.on("after_tool_call", async (event, ctx) => service.handleAfterToolCall(event, ctx));
+
+    const assetsDir = path.join(path.dirname(fileURLToPath(import.meta.url)), "assets");
+    const gatewayToken =
+      typeof api.config.gateway?.auth?.token === "string" ? api.config.gateway.auth.token : undefined;
+    api.registerHttpRoute({
+      path: "/plugins/clawclamp",
+      auth: "plugin",
+      match: "prefix",
+      handler: createClawClampHttpHandler({
+        stateDir,
+        config,
+        assetsDir,
+        gatewayToken,
+        onPolicyUpdate: async () => {
+          await service.resetCedarling();
+        },
+      }),
+    });
+  },
+};
+
+export default plugin;

package/openclaw.plugin.json

@@ -0,0 +1,10 @@
+{
+  "id": "clawclamp",
+  "name": "Clawclamp",
+  "description": "Cedar-based authorization guard with tool audit logging and gray-mode override.",
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {}
+  }
+}

package/package.json

@@ -0,0 +1,17 @@
+{
+  "name": "@plusplus7/clawclamp",
+  "version": "0.1.0",
+  "description": "OpenClaw Cedar authorization guard with audit UI",
+  "type": "module",
+  "dependencies": {
+    "@janssenproject/cedarling_wasm": "1.7.0"
+  },
+  "openclaw": {
+    "extensions": [
+      "./index.ts"
+    ]
+  },
+  "devDependencies": {
+    "vitest": "^4.0.18"
+  }
+}