@stanchat/clawguard 2.1.0

package/hooks/clawguard/HOOK.md

@@ -0,0 +1,53 @@
+---
+name: clawguard
+description: "AI safety guardrails - monitors actions, blocks dangerous commands, requires approval for risky operations"
+homepage: https://github.com/averecion/clawguard
+metadata:
+  {
+    "clawdbot":
+      {
+        "emoji": "🛡️",
+        "events": ["command"],
+        "install": [{ "id": "community", "kind": "community", "label": "Community Hook" }],
+      },
+  }
+---
+
+# Clawguard
+
+AI Safety for OpenClaw - monitors actions, blocks dangers, requires approval for risky operations.
+
+## What It Does
+
+- **Prompt Injection Detection**: Blocks attempts to hijack your agent via malicious prompts
+- **Dangerous Command Blocking**: Prevents rm -rf, fork bombs, curl|bash, and other destructive operations
+- **Approval Workflow**: Risky actions require your explicit approval via CLI or dashboard
+- **Activity Logging**: Full audit trail at `~/.clawguard/logs/`
+
+## Protection Levels
+
+- **Relaxed**: Minimal blocking, auto-approves most actions
+- **Balanced**: Asks before risky actions (recommended)
+- **Strict**: Requires approval for everything
+
+## Dashboard
+
+Visual monitoring at `http://localhost:4321/clawguard`
+
+## CLI Commands
+
+```bash
+clawdbot clawguard status    # Protection status
+clawdbot clawguard pending   # Pending approvals
+clawdbot clawguard approve   # Approve an action
+clawdbot clawguard deny      # Deny an action
+clawdbot clawguard dashboard # Open visual dashboard
+```
+
+## First Run
+
+On first use, Clawguard runs in **Show Mode** - observing 10 actions without blocking to demonstrate how it works. After Show Mode completes, full protection activates.
+
+## Configuration
+
+Config stored at `~/.clawguard/config.json`

package/hooks/clawguard/handler.d.ts

@@ -0,0 +1,17 @@
+interface ToolEvent {
+    type: string;
+    action?: string;
+    tool: string;
+    args: Record<string, unknown>;
+    sessionKey?: string;
+    sessionId?: string;
+    timestamp: Date;
+    messages: string[];
+    context: Record<string, unknown>;
+}
+declare const clawguardHandler: (event: ToolEvent) => Promise<{
+    allowed: boolean;
+    reason: string;
+} | void>;
+export default clawguardHandler;
+//# sourceMappingURL=handler.d.ts.map

package/hooks/clawguard/handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["handler.ts"],"names":[],"mappings":"AAkBA,UAAU,SAAS;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,IAAI,CAAC;IAChB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAuJD,QAAA,MAAM,gBAAgB,UAAiB,SAAS,KAAG,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAgHrG,CAAC;AAEF,eAAe,gBAAgB,CAAC"}

package/hooks/clawguard/handler.js

@@ -0,0 +1,271 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const CLAWGUARD_DIR = path.join(os.homedir(), ".clawguard");
+const CONFIG_FILE = path.join(CLAWGUARD_DIR, "config.json");
+const LOG_DIR = path.join(CLAWGUARD_DIR, "logs");
+const PENDING_DIR = path.join(CLAWGUARD_DIR, "pending");
+const POLICY_FILE = path.join(CLAWGUARD_DIR, "policy.json");
+const DEFAULT_POLICY = [
+    { tool: "shell.exec", decision: "review", reason: "Terminal commands can modify your system" },
+    { tool: "exec", decision: "review", reason: "Terminal commands can modify your system" },
+    { tool: "fs.write", decision: "review", reason: "File writes can overwrite important data" },
+    { tool: "fs.delete", decision: "blocked", reason: "File deletion is high-risk" },
+    { tool: "fs.unlink", decision: "blocked", reason: "File deletion is high-risk" },
+    { tool: "http.request", decision: "approved", reason: "Network requests allowed by default" },
+    { tool: "env.read", decision: "blocked", reason: "Credential access is restricted" },
+    { tool: "env.get", decision: "blocked", reason: "Credential access is restricted" },
+    { tool: "process", decision: "review", reason: "Process management requires review" }
+];
+const DANGEROUS_PATTERNS = [
+    /rm\s+(-rf?|--recursive|--force)\s+[\/~]/i,
+    /rm\s+-[rf]{2}\s+/i,
+    /mkfs\./i,
+    /dd\s+if=.*of=\/dev/i,
+    />\s*\/dev\/sd[a-z]/i,
+    /chmod\s+777\s+\//i,
+    /curl.*\|\s*(ba)?sh/i,
+    /wget.*\|\s*(ba)?sh/i,
+    /eval\s*\(/i,
+    /:(){.*}:/i,
+    /fork\s*bomb/i
+];
+const INJECTION_PATTERNS = [
+    /ignore\s+(previous|all|prior)\s+(instructions?|prompts?)/i,
+    /disregard\s+(your|the|all)\s+(instructions?|rules?|guidelines?)/i,
+    /you\s+are\s+now\s+(a|in|acting)/i,
+    /new\s+instructions?:/i,
+    /system\s*:\s*you/i,
+    /\[INST\]/i,
+    /<\|im_start\|>/i,
+    /jailbreak/i,
+    /bypass\s+(security|filter|restriction)/i
+];
+function ensureDir(dir) {
+    if (!fs.existsSync(dir))
+        fs.mkdirSync(dir, { recursive: true });
+}
+function loadConfig() {
+    ensureDir(CLAWGUARD_DIR);
+    try {
+        if (fs.existsSync(CONFIG_FILE)) {
+            return JSON.parse(fs.readFileSync(CONFIG_FILE, "utf-8"));
+        }
+    }
+    catch { }
+    return { enabled: false, consented: false, showMode: false, showModeActionsRemaining: 10, protectionLevel: "balanced" };
+}
+function saveConfig(config) {
+    ensureDir(CLAWGUARD_DIR);
+    fs.writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2));
+}
+function loadPolicy() {
+    try {
+        if (fs.existsSync(POLICY_FILE)) {
+            return JSON.parse(fs.readFileSync(POLICY_FILE, "utf-8"));
+        }
+    }
+    catch { }
+    return DEFAULT_POLICY;
+}
+function classifyTool(tool) {
+    const policy = loadPolicy();
+    return policy.find(r => tool.startsWith(r.tool) || tool === r.tool) || null;
+}
+function checkDangerousCommand(args) {
+    const argsStr = JSON.stringify(args);
+    for (const pattern of DANGEROUS_PATTERNS) {
+        if (pattern.test(argsStr)) {
+            return `Dangerous command pattern detected`;
+        }
+    }
+    return null;
+}
+function checkInjection(args) {
+    const argsStr = JSON.stringify(args);
+    for (const pattern of INJECTION_PATTERNS) {
+        if (pattern.test(argsStr)) {
+            return `Possible prompt injection detected`;
+        }
+    }
+    return null;
+}
+function logAction(tool, args, allowed, reason) {
+    ensureDir(LOG_DIR);
+    const logEntry = {
+        ts: new Date().toISOString(),
+        tool,
+        args,
+        allowed,
+        reason
+    };
+    const logFile = path.join(LOG_DIR, `${new Date().toISOString().split("T")[0]}.jsonl`);
+    fs.appendFileSync(logFile, JSON.stringify(logEntry) + "\n");
+}
+function generateApprovalId() {
+    return `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+}
+async function waitForApproval(id, timeoutMs = 30000) {
+    const filePath = path.join(PENDING_DIR, `${id}.json`);
+    const startTime = Date.now();
+    const pollInterval = 500;
+    while (Date.now() - startTime < timeoutMs) {
+        try {
+            if (fs.existsSync(filePath)) {
+                const approval = JSON.parse(fs.readFileSync(filePath, "utf-8"));
+                if (approval.status !== "pending") {
+                    return approval.status === "approved";
+                }
+            }
+        }
+        catch { }
+        await new Promise(resolve => setTimeout(resolve, pollInterval));
+    }
+    return false;
+}
+function createPendingApproval(tool, args, reason) {
+    ensureDir(PENDING_DIR);
+    const id = generateApprovalId();
+    const approval = {
+        id,
+        tool,
+        args,
+        reason,
+        createdAt: new Date().toISOString(),
+        status: "pending"
+    };
+    fs.writeFileSync(path.join(PENDING_DIR, `${id}.json`), JSON.stringify(approval, null, 2));
+    return id;
+}
+const clawguardHandler = async (event) => {
+    const config = loadConfig();
+    if (!config.enabled || !config.consented) {
+        return { allowed: true, reason: "Clawguard not enabled" };
+    }
+    const tool = event.tool;
+    const args = event.args || {};
+    const injection = checkInjection(args);
+    if (injection) {
+        if (config.showMode) {
+            event.messages.push(`🛡️ [SHOW MODE] Would block: ${injection}`);
+            config.showModeActionsRemaining--;
+            if (config.showModeActionsRemaining <= 0)
+                config.showMode = false;
+            saveConfig(config);
+            logAction(tool, args, true, `showMode:${injection}`);
+            return { allowed: true, reason: `Show mode: ${injection}` };
+        }
+        logAction(tool, args, false, injection);
+        event.messages.push(`🛡️ Blocked: ${injection}`);
+        return { allowed: false, reason: injection };
+    }
+    const dangerous = checkDangerousCommand(args);
+    if (dangerous) {
+        if (config.showMode) {
+            event.messages.push(`🛡️ [SHOW MODE] Would block: ${dangerous}`);
+            config.showModeActionsRemaining--;
+            if (config.showModeActionsRemaining <= 0)
+                config.showMode = false;
+            saveConfig(config);
+            logAction(tool, args, true, `showMode:${dangerous}`);
+            return { allowed: true, reason: `Show mode: ${dangerous}` };
+        }
+        logAction(tool, args, false, dangerous);
+        event.messages.push(`🛡️ Blocked: ${dangerous}`);
+        return { allowed: false, reason: dangerous };
+    }
+    const rule = classifyTool(tool);
+    if (!rule) {
+        logAction(tool, args, true, "No policy match");
+        if (config.showMode) {
+            config.showModeActionsRemaining--;
+            if (config.showModeActionsRemaining <= 0)
+                config.showMode = false;
+            saveConfig(config);
+        }
+        return { allowed: true, reason: "No policy match" };
+    }
+    if (rule.decision === "approved") {
+        logAction(tool, args, true, rule.reason);
+        if (config.showMode) {
+            config.showModeActionsRemaining--;
+            if (config.showModeActionsRemaining <= 0)
+                config.showMode = false;
+            saveConfig(config);
+        }
+        return { allowed: true, reason: rule.reason };
+    }
+    if (rule.decision === "blocked") {
+        if (config.showMode) {
+            event.messages.push(`🛡️ [SHOW MODE] Would block: ${tool} - ${rule.reason}`);
+            config.showModeActionsRemaining--;
+            if (config.showModeActionsRemaining <= 0)
+                config.showMode = false;
+            saveConfig(config);
+            logAction(tool, args, true, `showMode:blocked`);
+            return { allowed: true, reason: `Show mode: ${rule.reason}` };
+        }
+        logAction(tool, args, false, rule.reason);
+        event.messages.push(`🛡️ Blocked: ${rule.reason}`);
+        return { allowed: false, reason: rule.reason };
+    }
+    if (rule.decision === "review") {
+        if (config.protectionLevel === "relaxed") {
+            logAction(tool, args, true, "Relaxed mode - auto-approved");
+            if (config.showMode) {
+                config.showModeActionsRemaining--;
+                if (config.showModeActionsRemaining <= 0)
+                    config.showMode = false;
+                saveConfig(config);
+            }
+            return { allowed: true, reason: "Relaxed mode - auto-approved" };
+        }
+        if (config.showMode) {
+            event.messages.push(`🛡️ [SHOW MODE] Would require approval: ${tool}`);
+            config.showModeActionsRemaining--;
+            if (config.showModeActionsRemaining <= 0)
+                config.showMode = false;
+            saveConfig(config);
+            logAction(tool, args, true, `showMode:review`);
+            return { allowed: true, reason: `Show mode: would require approval` };
+        }
+        const approvalId = createPendingApproval(tool, args, rule.reason);
+        event.messages.push(`🛡️ Approval required: ${tool} - ${rule.reason}`);
+        event.messages.push(`   Run: clawdbot clawguard approve ${approvalId}`);
+        const approved = await waitForApproval(approvalId);
+        logAction(tool, args, approved, approved ? "manualApproval" : "denied/timeout");
+        if (!approved) {
+            event.messages.push(`🛡️ Action denied or timed out`);
+        }
+        return { allowed: approved, reason: approved ? "Manually approved" : "Denied or timed out" };
+    }
+    logAction(tool, args, true, "Default allow");
+    return { allowed: true, reason: "Default allow" };
+};
+exports.default = clawguardHandler;
+//# sourceMappingURL=handler.js.map

package/hooks/clawguard/handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.js","sourceRoot":"","sources":["handler.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AAEzB,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,YAAY,CAAC,CAAC;AAC5D,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;AAC5D,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;AACjD,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;AACxD,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;AA4B5D,MAAM,cAAc,GAAiB;IACnC,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,0CAA0C,EAAE;IAC9F,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,0CAA0C,EAAE;IACxF,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,0CAA0C,EAAE;IAC5F,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,4BAA4B,EAAE;IAChF,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,4BAA4B,EAAE;IAChF,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,qCAAqC,EAAE;IAC7F,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,iCAAiC,EAAE;IACpF,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,iCAAiC,EAAE;IACnF,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,oCAAoC,EAAE;CACtF,CAAC;AAEF,MAAM,kBAAkB,GAAG;IACzB,0CAA0C;IAC1C,mBAAmB;IACnB,SAAS;IACT,qBAAqB;IACrB,qBAAqB;IACrB,mBAAmB;IACnB,qBAAqB;IACrB,qBAAqB;IACrB,YAAY;IACZ,WAAW;IACX,cAAc;CACf,CAAC;AAEF,MAAM,kBAAkB,GAAG;IACzB,2DAA2D;IAC3D,kEAAkE;IAClE,kCAAkC;IAClC,uBAAuB;IACvB,mBAAmB;IACnB,WAAW;IACX,iBAAiB;IACjB,YAAY;IACZ,yCAAyC;CAC1C,CAAC;AAEF,SAAS,SAAS,CAAC,GAAW;IAC5B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;AAClE,CAAC;AAED,SAAS,UAAU;IACjB,SAAS,CAAC,aAAa,CAAC,CAAC;IACzB,IAAI,CAAC;QACH,IAAI,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,wBAAwB,EAAE,EAAE,EAAE,eAAe,EAAE,UAAU,EAAE,CAAC;AAC1H,CAAC;AAED,SAAS,UAAU,CAAC,MAAuB;IACzC,SAAS,CAAC,aAAa,CAAC,CAAC;IACzB,EAAE,CAAC,aAAa,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AACjE,CAAC;AAED,SAAS,UAAU;IACjB,IAAI,CAAC;QACH,IAAI,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,SAAS,YAAY,CAAC,IAAY;IAChC,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAC5B,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,IAAI,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC;AAC9E,CAAC;AAED,SAAS,qBAAqB,CAAC,IAA6B;IAC1D,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IACrC,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,OAAO,oCAAoC,CAAC;QAC9C,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,cAAc,CAAC,IAA6B;IACnD,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IACrC,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,OAAO,oCAAoC,CAAC;QAC9C,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,SAAS,CAAC,IAAY,EAAE,IAA6B,EAAE,OAAgB,EAAE,MAAc;IAC9F,SAAS,CAAC,OAAO,CAAC,CAAC;IACnB,MAAM,QAAQ,GAAG;QACf,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAC5B,IAAI;QACJ,IAAI;QACJ,OAAO;QACP,MAAM;KACP,CAAC;IACF,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IACtF,EAAE,CAAC,cAAc,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,CAAC;AAC9D,CAAC;AAED,SAAS,kBAAkB;IACzB,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;AACnE,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,EAAU,EAAE,SAAS,GAAG,KAAK;IAC1D,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;IACtD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,YAAY,GAAG,GAAG,CAAC;IAEzB,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,SAAS,EAAE,CAAC;QAC1C,IAAI,CAAC;YACH,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;gBAChE,IAAI,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;oBAClC,OAAO,QAAQ,CAAC,MAAM,KAAK,UAAU,CAAC;gBACxC,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;QACV,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC;IAClE,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,qBAAqB,CAAC,IAAY,EAAE,IAA6B,EAAE,MAAc;IACxF,SAAS,CAAC,WAAW,CAAC,CAAC;IACvB,MAAM,EAAE,GAAG,kBAAkB,EAAE,CAAC;IAChC,MAAM,QAAQ,GAAG;QACf,EAAE;QACF,IAAI;QACJ,IAAI;QACJ,MAAM;QACN,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,MAAM,EAAE,SAAS;KAClB,CAAC;IACF,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,EAAE,OAAO,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC1F,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,MAAM,gBAAgB,GAAG,KAAK,EAAE,KAAgB,EAAwD,EAAE;IACxG,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAE5B,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QACzC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,uBAAuB,EAAE,CAAC;IAC5D,CAAC;IAED,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;IACxB,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;IAE9B,MAAM,SAAS,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;IACvC,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpB,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,gCAAgC,SAAS,EAAE,CAAC,CAAC;YACjE,MAAM,CAAC,wBAAwB,EAAE,CAAC;YAClC,IAAI,MAAM,CAAC,wBAAwB,IAAI,CAAC;gBAAE,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAC;YAClE,UAAU,CAAC,MAAM,CAAC,CAAC;YACnB,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,SAAS,EAAE,CAAC,CAAC;YACrD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,cAAc,SAAS,EAAE,EAAE,CAAC;QAC9D,CAAC;QACD,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;QACxC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,gBAAgB,SAAS,EAAE,CAAC,CAAC;QACjD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAC/C,CAAC;IAED,MAAM,SAAS,GAAG,qBAAqB,CAAC,IAAI,CAAC,CAAC;IAC9C,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpB,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,gCAAgC,SAAS,EAAE,CAAC,CAAC;YACjE,MAAM,CAAC,wBAAwB,EAAE,CAAC;YAClC,IAAI,MAAM,CAAC,wBAAwB,IAAI,CAAC;gBAAE,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAC;YAClE,UAAU,CAAC,MAAM,CAAC,CAAC;YACnB,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,SAAS,EAAE,CAAC,CAAC;YACrD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,cAAc,SAAS,EAAE,EAAE,CAAC;QAC9D,CAAC;QACD,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;QACxC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,gBAAgB,SAAS,EAAE,CAAC,CAAC;QACjD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAC/C,CAAC;IAED,MAAM,IAAI,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IAEhC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,iBAAiB,CAAC,CAAC;QAC/C,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpB,MAAM,CAAC,wBAAwB,EAAE,CAAC;YAClC,IAAI,MAAM,CAAC,wBAAwB,IAAI,CAAC;gBAAE,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAC;YAClE,UAAU,CAAC,MAAM,CAAC,CAAC;QACrB,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IACtD,CAAC;IAED,IAAI,IAAI,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;QACjC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QACzC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpB,MAAM,CAAC,wBAAwB,EAAE,CAAC;YAClC,IAAI,MAAM,CAAC,wBAAwB,IAAI,CAAC;gBAAE,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAC;YAClE,UAAU,CAAC,MAAM,CAAC,CAAC;QACrB,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC;IAChD,CAAC;IAED,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;QAChC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpB,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,gCAAgC,IAAI,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;YAC7E,MAAM,CAAC,wBAAwB,EAAE,CAAC;YAClC,IAAI,MAAM,CAAC,wBAAwB,IAAI,CAAC;gBAAE,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAC;YAClE,UAAU,CAAC,MAAM,CAAC,CAAC;YACnB,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,kBAAkB,CAAC,CAAC;YAChD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,cAAc,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAChE,CAAC;QACD,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAC1C,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,gBAAgB,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QACnD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC;IACjD,CAAC;IAED,IAAI,IAAI,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC/B,IAAI,MAAM,CAAC,eAAe,KAAK,SAAS,EAAE,CAAC;YACzC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,8BAA8B,CAAC,CAAC;YAC5D,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACpB,MAAM,CAAC,wBAAwB,EAAE,CAAC;gBAClC,IAAI,MAAM,CAAC,wBAAwB,IAAI,CAAC;oBAAE,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAC;gBAClE,UAAU,CAAC,MAAM,CAAC,CAAC;YACrB,CAAC;YACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAC;QACnE,CAAC;QAED,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpB,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,2CAA2C,IAAI,EAAE,CAAC,CAAC;YACvE,MAAM,CAAC,wBAAwB,EAAE,CAAC;YAClC,IAAI,MAAM,CAAC,wBAAwB,IAAI,CAAC;gBAAE,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAC;YAClE,UAAU,CAAC,MAAM,CAAC,CAAC;YACnB,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,iBAAiB,CAAC,CAAC;YAC/C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,mCAAmC,EAAE,CAAC;QACxE,CAAC;QAED,MAAM,UAAU,GAAG,qBAAqB,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAClE,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,0BAA0B,IAAI,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QACvE,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,sCAAsC,UAAU,EAAE,CAAC,CAAC;QAExE,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,UAAU,CAAC,CAAC;QACnD,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC;QAEhF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;QACxD,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,qBAAqB,EAAE,CAAC;IAC/F,CAAC;IAED,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,eAAe,CAAC,CAAC;IAC7C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;AACpD,CAAC,CAAC;AAEF,kBAAe,gBAAgB,CAAC"}

package/hooks/clawguard/handler.ts

@@ -0,0 +1,326 @@
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+
+const CLAWGUARD_DIR = path.join(os.homedir(), ".clawguard");
+const CONFIG_FILE = path.join(CLAWGUARD_DIR, "config.json");
+const LOG_DIR = path.join(CLAWGUARD_DIR, "logs");
+const PENDING_DIR = path.join(CLAWGUARD_DIR, "pending");
+const POLICY_FILE = path.join(CLAWGUARD_DIR, "policy.json");
+
+interface ClawguardConfig {
+  enabled: boolean;
+  consented: boolean;
+  showMode: boolean;
+  showModeActionsRemaining: number;
+  protectionLevel: "relaxed" | "balanced" | "strict";
+}
+
+interface ToolEvent {
+  type: string;
+  action?: string;
+  tool: string;
+  args: Record<string, unknown>;
+  sessionKey?: string;
+  sessionId?: string;
+  timestamp: Date;
+  messages: string[];
+  context: Record<string, unknown>;
+}
+
+interface CommandEvent {
+  action: string;
+  sessionKey?: string;
+  senderId?: string;
+  source?: string;
+  timestamp?: Date;
+}
+
+interface PolicyRule {
+  tool: string;
+  decision: "approved" | "blocked" | "review";
+  reason: string;
+}
+
+const DEFAULT_POLICY: PolicyRule[] = [
+  { tool: "shell.exec", decision: "review", reason: "Terminal commands can modify your system" },
+  { tool: "exec", decision: "review", reason: "Terminal commands can modify your system" },
+  { tool: "fs.write", decision: "review", reason: "File writes can overwrite important data" },
+  { tool: "fs.delete", decision: "blocked", reason: "File deletion is high-risk" },
+  { tool: "fs.unlink", decision: "blocked", reason: "File deletion is high-risk" },
+  { tool: "http.request", decision: "approved", reason: "Network requests allowed by default" },
+  { tool: "env.read", decision: "blocked", reason: "Credential access is restricted" },
+  { tool: "env.get", decision: "blocked", reason: "Credential access is restricted" },
+  { tool: "process", decision: "review", reason: "Process management requires review" }
+];
+
+const DANGEROUS_PATTERNS = [
+  /rm\s+(-rf?|--recursive|--force)\s+[\/~]/i,
+  /rm\s+-[rf]{2}\s+/i,
+  /mkfs\./i,
+  /dd\s+if=.*of=\/dev/i,
+  />\s*\/dev\/sd[a-z]/i,
+  /chmod\s+777\s+\//i,
+  /curl.*\|\s*(ba)?sh/i,
+  /wget.*\|\s*(ba)?sh/i,
+  /eval\s*\(/i,
+  /:(){.*}:/i,
+  /fork\s*bomb/i
+];
+
+const INJECTION_PATTERNS = [
+  /ignore\s+(previous|all|prior)\s+(instructions?|prompts?)/i,
+  /disregard\s+(your|the|all)\s+(instructions?|rules?|guidelines?)/i,
+  /you\s+are\s+now\s+(a|in|acting)/i,
+  /new\s+instructions?:/i,
+  /system\s*:\s*you/i,
+  /\[INST\]/i,
+  /<\|im_start\|>/i,
+  /jailbreak/i,
+  /bypass\s+(security|filter|restriction)/i
+];
+
+function ensureDir(dir: string): void {
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+}
+
+function loadConfig(): ClawguardConfig {
+  ensureDir(CLAWGUARD_DIR);
+  try {
+    if (fs.existsSync(CONFIG_FILE)) {
+      return JSON.parse(fs.readFileSync(CONFIG_FILE, "utf-8"));
+    }
+  } catch {}
+  return { enabled: false, consented: false, showMode: false, showModeActionsRemaining: 10, protectionLevel: "balanced" };
+}
+
+function saveConfig(config: ClawguardConfig): void {
+  ensureDir(CLAWGUARD_DIR);
+  fs.writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2));
+}
+
+function loadPolicy(): PolicyRule[] {
+  try {
+    if (fs.existsSync(POLICY_FILE)) {
+      return JSON.parse(fs.readFileSync(POLICY_FILE, "utf-8"));
+    }
+  } catch {}
+  return DEFAULT_POLICY;
+}
+
+function classifyTool(tool: string): PolicyRule | null {
+  const policy = loadPolicy();
+  return policy.find(r => tool.startsWith(r.tool) || tool === r.tool) || null;
+}
+
+function checkDangerousCommand(args: Record<string, unknown>): string | null {
+  const argsStr = JSON.stringify(args);
+  for (const pattern of DANGEROUS_PATTERNS) {
+    if (pattern.test(argsStr)) {
+      return `Dangerous command pattern detected`;
+    }
+  }
+  return null;
+}
+
+function checkInjection(args: Record<string, unknown>): string | null {
+  const argsStr = JSON.stringify(args);
+  for (const pattern of INJECTION_PATTERNS) {
+    if (pattern.test(argsStr)) {
+      return `Possible prompt injection detected`;
+    }
+  }
+  return null;
+}
+
+function logAction(tool: string, args: Record<string, unknown>, allowed: boolean, reason: string): void {
+  ensureDir(LOG_DIR);
+  const logEntry = {
+    ts: new Date().toISOString(),
+    tool,
+    args,
+    allowed,
+    reason
+  };
+  const logFile = path.join(LOG_DIR, `${new Date().toISOString().split("T")[0]}.jsonl`);
+  fs.appendFileSync(logFile, JSON.stringify(logEntry) + "\n");
+}
+
+function generateApprovalId(): string {
+  return `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+}
+
+async function waitForApproval(id: string, timeoutMs = 30000): Promise<boolean> {
+  const filePath = path.join(PENDING_DIR, `${id}.json`);
+  const startTime = Date.now();
+  const pollInterval = 500;
+  
+  while (Date.now() - startTime < timeoutMs) {
+    try {
+      if (fs.existsSync(filePath)) {
+        const approval = JSON.parse(fs.readFileSync(filePath, "utf-8"));
+        if (approval.status !== "pending") {
+          return approval.status === "approved";
+        }
+      }
+    } catch {}
+    await new Promise(resolve => setTimeout(resolve, pollInterval));
+  }
+  
+  return false;
+}
+
+function createPendingApproval(tool: string, args: Record<string, unknown>, reason: string): string {
+  ensureDir(PENDING_DIR);
+  const id = generateApprovalId();
+  const approval = {
+    id,
+    tool,
+    args,
+    reason,
+    createdAt: new Date().toISOString(),
+    status: "pending"
+  };
+  fs.writeFileSync(path.join(PENDING_DIR, `${id}.json`), JSON.stringify(approval, null, 2));
+  return id;
+}
+
+function logCommand(event: CommandEvent): void {
+  ensureDir(LOG_DIR);
+  const logEntry = {
+    ts: new Date().toISOString(),
+    type: "command",
+    action: event.action,
+    sessionKey: event.sessionKey,
+    senderId: event.senderId,
+    source: event.source
+  };
+  const logFile = path.join(LOG_DIR, `${new Date().toISOString().split("T")[0]}.jsonl`);
+  fs.appendFileSync(logFile, JSON.stringify(logEntry) + "\n");
+  console.log(`🛡️ Clawguard: logged command event - ${event.action}`);
+}
+
+const clawguardHandler = async (event: ToolEvent | CommandEvent): Promise<{ allowed: boolean; reason: string } | void> => {
+  const config = loadConfig();
+  
+  // Handle command events (slash commands like /new, /stop)
+  if (!("tool" in event) && "action" in event) {
+    const cmdEvent = event as CommandEvent;
+    console.log(`🛡️ Clawguard: received command event - ${cmdEvent.action}`);
+    logCommand(cmdEvent);
+    return; // Command events don't need blocking, just logging
+  }
+
+  if (!config.enabled || !config.consented) {
+    return { allowed: true, reason: "Clawguard not enabled" };
+  }
+
+  const toolEvent = event as ToolEvent;
+  const tool = toolEvent.tool;
+  const args = toolEvent.args || {};
+
+  const injection = checkInjection(args);
+  if (injection) {
+    if (config.showMode) {
+      toolEvent.messages?.push(`🛡️ [SHOW MODE] Would block: ${injection}`);
+      config.showModeActionsRemaining--;
+      if (config.showModeActionsRemaining <= 0) config.showMode = false;
+      saveConfig(config);
+      logAction(tool, args, true, `showMode:${injection}`);
+      return { allowed: true, reason: `Show mode: ${injection}` };
+    }
+    logAction(tool, args, false, injection);
+    toolEvent.messages?.push(`🛡️ Blocked: ${injection}`);
+    return { allowed: false, reason: injection };
+  }
+
+  const dangerous = checkDangerousCommand(args);
+  if (dangerous) {
+    if (config.showMode) {
+      toolEvent.messages?.push(`🛡️ [SHOW MODE] Would block: ${dangerous}`);
+      config.showModeActionsRemaining--;
+      if (config.showModeActionsRemaining <= 0) config.showMode = false;
+      saveConfig(config);
+      logAction(tool, args, true, `showMode:${dangerous}`);
+      return { allowed: true, reason: `Show mode: ${dangerous}` };
+    }
+    logAction(tool, args, false, dangerous);
+    toolEvent.messages?.push(`🛡️ Blocked: ${dangerous}`);
+    return { allowed: false, reason: dangerous };
+  }
+
+  const rule = classifyTool(tool);
+  
+  if (!rule) {
+    logAction(tool, args, true, "No policy match");
+    if (config.showMode) {
+      config.showModeActionsRemaining--;
+      if (config.showModeActionsRemaining <= 0) config.showMode = false;
+      saveConfig(config);
+    }
+    return { allowed: true, reason: "No policy match" };
+  }
+
+  if (rule.decision === "approved") {
+    logAction(tool, args, true, rule.reason);
+    if (config.showMode) {
+      config.showModeActionsRemaining--;
+      if (config.showModeActionsRemaining <= 0) config.showMode = false;
+      saveConfig(config);
+    }
+    return { allowed: true, reason: rule.reason };
+  }
+
+  if (rule.decision === "blocked") {
+    if (config.showMode) {
+      toolEvent.messages?.push(`🛡️ [SHOW MODE] Would block: ${tool} - ${rule.reason}`);
+      config.showModeActionsRemaining--;
+      if (config.showModeActionsRemaining <= 0) config.showMode = false;
+      saveConfig(config);
+      logAction(tool, args, true, `showMode:blocked`);
+      return { allowed: true, reason: `Show mode: ${rule.reason}` };
+    }
+    logAction(tool, args, false, rule.reason);
+    toolEvent.messages?.push(`🛡️ Blocked: ${rule.reason}`);
+    return { allowed: false, reason: rule.reason };
+  }
+
+  if (rule.decision === "review") {
+    if (config.protectionLevel === "relaxed") {
+      logAction(tool, args, true, "Relaxed mode - auto-approved");
+      if (config.showMode) {
+        config.showModeActionsRemaining--;
+        if (config.showModeActionsRemaining <= 0) config.showMode = false;
+        saveConfig(config);
+      }
+      return { allowed: true, reason: "Relaxed mode - auto-approved" };
+    }
+
+    if (config.showMode) {
+      toolEvent.messages?.push(`🛡️ [SHOW MODE] Would require approval: ${tool}`);
+      config.showModeActionsRemaining--;
+      if (config.showModeActionsRemaining <= 0) config.showMode = false;
+      saveConfig(config);
+      logAction(tool, args, true, `showMode:review`);
+      return { allowed: true, reason: `Show mode: would require approval` };
+    }
+
+    const approvalId = createPendingApproval(tool, args, rule.reason);
+    toolEvent.messages?.push(`🛡️ Approval required: ${tool} - ${rule.reason}`);
+    toolEvent.messages?.push(`   Run: clawdbot clawguard approve ${approvalId}`);
+    
+    const approved = await waitForApproval(approvalId);
+    logAction(tool, args, approved, approved ? "manualApproval" : "denied/timeout");
+    
+    if (!approved) {
+      toolEvent.messages?.push(`🛡️ Action denied or timed out`);
+    }
+    
+    return { allowed: approved, reason: approved ? "Manually approved" : "Denied or timed out" };
+  }
+
+  logAction(tool, args, true, "Default allow");
+  return { allowed: true, reason: "Default allow" };
+};
+
+export default clawguardHandler;