npm - airlock-bot - Versions diffs - 0.2.24 → 0.2.26 - Mend

airlock-bot 0.2.24 → 0.2.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (34) hide show

package/dist/config/schema.d.ts +26 -0
package/dist/config/schema.d.ts.map +1 -1
package/dist/config/schema.js +2 -0
package/dist/config/schema.js.map +1 -1
package/dist/gateway.d.ts.map +1 -1
package/dist/gateway.js +5 -0
package/dist/gateway.js.map +1 -1
package/dist/index.js +15 -0
package/dist/index.js.map +1 -1
package/dist/pool/http-client.d.ts +3 -1
package/dist/pool/http-client.d.ts.map +1 -1
package/dist/pool/http-client.js +6 -2
package/dist/pool/http-client.js.map +1 -1
package/dist/pool/oauth-provider.d.ts +3 -1
package/dist/pool/oauth-provider.d.ts.map +1 -1
package/dist/pool/oauth-provider.js +17 -2
package/dist/pool/oauth-provider.js.map +1 -1
package/dist/pool/pool.d.ts.map +1 -1
package/dist/pool/pool.js +1 -1
package/dist/pool/pool.js.map +1 -1
package/dist/setup-openclaw/cli.d.ts +9 -0
package/dist/setup-openclaw/cli.d.ts.map +1 -0
package/dist/setup-openclaw/cli.js +49 -0
package/dist/setup-openclaw/cli.js.map +1 -0
package/dist/tools/api.d.ts +8 -0
package/dist/tools/api.d.ts.map +1 -0
package/dist/tools/api.js +103 -0
package/dist/tools/api.js.map +1 -0
package/extensions/openclaw/index.ts +125 -0
package/extensions/openclaw/openclaw.plugin.json +38 -0
package/extensions/openclaw/package-lock.json +8548 -0
package/extensions/openclaw/package.json +12 -0
package/package.json +3 -1
package/schema.json +6 -0

package/dist/setup-openclaw/cli.js ADDED Viewed

@@ -0,0 +1,49 @@
+/**
+ * `airlock setup openclaw` — one-command setup for the airlock-bridge plugin.
+ *
+ * Creates a symlink from ~/.openclaw/extensions/airlock-bridge to the bundled
+ * plugin in this package. The symlink means updates to airlock automatically
+ * update the plugin — no need to rerun this command after upgrading.
+ */
+import { mkdirSync, symlinkSync, existsSync, lstatSync, unlinkSync } from 'fs';
+import { homedir } from 'os';
+import { join, dirname } from 'path';
+import { fileURLToPath } from 'url';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+export function runSetupOpenclaw(_argv) {
+    // Locate the bundled plugin source relative to this file.
+    // In the source tree: src/setup-openclaw/cli.ts → ../../extensions/openclaw
+    // In the dist tree:   dist/setup-openclaw/cli.js → ../../extensions/openclaw
+    const pluginSrc = join(__dirname, '..', '..', 'extensions', 'openclaw');
+    if (!existsSync(pluginSrc)) {
+        throw new Error(`Plugin source not found at ${pluginSrc}`);
+    }
+    const extensionsDir = join(homedir(), '.openclaw', 'extensions');
+    const dest = join(extensionsDir, 'airlock-bridge');
+    mkdirSync(extensionsDir, { recursive: true });
+    // Remove an existing symlink or warn about a real directory.
+    if (existsSync(dest) || lstatSync(dest, { throwIfNoEntry: false })) {
+        const stat = lstatSync(dest);
+        if (stat.isSymbolicLink()) {
+            unlinkSync(dest);
+        }
+        else {
+            throw new Error(`${dest} already exists and is not a symlink.\nRemove it manually to continue.`);
+        }
+    }
+    symlinkSync(pluginSrc, dest, 'dir');
+    console.log(`✓ airlock-bridge → ${pluginSrc}
+Restart the OpenClaw gateway to load it:
+  openclaw restart
+The plugin connects to http://localhost:4111 as agent "openclaw" by default.
+Override with environment variables if needed:
+  export AIRLOCK_URL=http://localhost:4111
+  export AIRLOCK_AGENT=openclaw
+  export AIRLOCK_SECRET=your-api-secret
+`);
+}
+//# sourceMappingURL=cli.js.map

package/dist/setup-openclaw/cli.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"cli.js","sourceRoot":"","sources":["../../src/setup-openclaw/cli.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AAC/E,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAC7B,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,KAAK,CAAC;AAEpC,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAE1D,MAAM,UAAU,gBAAgB,CAAC,KAAe;IAC9C,0DAA0D;IAC1D,4EAA4E;IAC5E,6EAA6E;IAC7E,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,CAAC,CAAC;IAExE,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,8BAA8B,SAAS,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC;IACjE,MAAM,IAAI,GAAG,IAAI,CAAC,aAAa,EAAE,gBAAgB,CAAC,CAAC;IAEnD,SAAS,CAAC,aAAa,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE9C,6DAA6D;IAC7D,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC,IAAI,EAAE,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;QACnE,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;QAC7B,IAAI,IAAI,CAAC,cAAc,EAAE,EAAE,CAAC;YAC1B,UAAU,CAAC,IAAI,CAAC,CAAC;QACnB,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CACb,GAAG,IAAI,wEAAwE,CAChF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,WAAW,CAAC,SAAS,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IAEpC,OAAO,CAAC,GAAG,CAAC,sBAAsB,SAAS;;;;;;;;;;;;CAY5C,CAAC,CAAC;AACH,CAAC"}

package/dist/tools/api.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import type { FastifyInstance } from 'fastify';
+import type { AgentServerDeps } from '../transport/agent-server.js';
+export interface ToolsApiOpts {
+    getDeps: (agentId: string) => AgentServerDeps | undefined;
+    secret?: string;
+}
+export declare function toolsApiPlugin(app: FastifyInstance, opts: ToolsApiOpts): Promise<void>;
+//# sourceMappingURL=api.d.ts.map

package/dist/tools/api.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"api.d.ts","sourceRoot":"","sources":["../../src/tools/api.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAC/C,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAepE,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,eAAe,GAAG,SAAS,CAAC;IAC1D,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAGD,wBAAsB,cAAc,CAAC,GAAG,EAAE,eAAe,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAkG5F"}

package/dist/tools/api.js ADDED Viewed

@@ -0,0 +1,103 @@
+import { timingSafeEqual } from 'crypto';
+import { buildMiddlewareChain } from '../middleware/chain-builder.js';
+import { generateId } from '../util/id.js';
+import { childLogger } from '../util/logger.js';
+const log = childLogger('tools-api');
+function constantTimeEqual(a, b) {
+    const bufA = Buffer.from(a);
+    const bufB = Buffer.from(b);
+    if (bufA.length !== bufB.length)
+        return false;
+    return timingSafeEqual(bufA, bufB);
+}
+// eslint-disable-next-line @typescript-eslint/require-await
+export async function toolsApiPlugin(app, opts) {
+    const { getDeps, secret } = opts;
+    app.addHook('preHandler', async (request, reply) => {
+        if (!secret)
+            return;
+        const auth = request.headers.authorization ?? '';
+        if (!constantTimeEqual(auth, `Bearer ${secret}`)) {
+            return reply.status(401).send({ error: 'Unauthorized' });
+        }
+    });
+    app.get('/agents/:agentId/tools', async (request, reply) => {
+        const { agentId } = request.params;
+        const deps = getDeps(agentId);
+        if (!deps) {
+            return reply.status(404).send({ error: `Unknown agent: ${agentId}` });
+        }
+        const tools = deps.registry.getFiltered(agentId);
+        return reply.send({ tools });
+    });
+    app.post('/agents/:agentId/tools/invoke', async (request, reply) => {
+        const { agentId } = request.params;
+        const body = request.body;
+        if (!body?.tool) {
+            return reply.status(400).send({ error: 'Missing required field: tool' });
+        }
+        const { tool, args = {} } = body;
+        const deps = getDeps(agentId);
+        if (!deps) {
+            return reply.status(404).send({ error: `Unknown agent: ${agentId}` });
+        }
+        const getConfig = deps.getAgentConfig ?? (() => deps.agentConfig);
+        const agentConfig = getConfig();
+        const chain = buildMiddlewareChain(agentConfig, {
+            registry: deps.registry,
+            allowlist: deps.allowlist,
+            hitlEngine: deps.hitlEngine,
+            hitlBatcher: deps.hitlBatcher,
+            auditLogger: deps.auditLogger,
+            securityConfig: deps.securityConfig ?? { blocked_hosts: [], allowed_local: [] },
+        });
+        const ctx = {
+            callId: generateId(),
+            agentId,
+            agentConfig,
+            toolName: tool,
+            args,
+            meta: {},
+            deps: {
+                registry: deps.registry,
+                allowlist: deps.allowlist,
+                hitlEngine: deps.hitlEngine,
+                hitlBatcher: deps.hitlBatcher,
+                auditLogger: deps.auditLogger,
+                securityConfig: deps.securityConfig ?? { blocked_hosts: [], allowed_local: [] },
+            },
+            startedAt: Date.now(),
+        };
+        try {
+            const response = await chain(ctx, () => {
+                throw new Error('Middleware chain did not terminate — missing execute middleware');
+            });
+            const duration_ms = Date.now() - ctx.startedAt;
+            // Middleware may return an MCP-style error response (e.g. HITL deny/timeout)
+            // with isError: true in the result — map that to success: false for the HTTP API.
+            const result = response.result;
+            if (result?.isError) {
+                return reply.send({
+                    success: false,
+                    error: response.text || 'Tool call failed',
+                    metadata: { duration_ms },
+                });
+            }
+            return reply.send({
+                success: true,
+                data: response.result,
+                metadata: { duration_ms, truncated: response.truncated ?? false },
+            });
+        }
+        catch (err) {
+            const duration_ms = Date.now() - ctx.startedAt;
+            log.warn({ err, agentId, tool }, 'Tool invocation failed');
+            return reply.send({
+                success: false,
+                error: err instanceof Error ? err.message : String(err),
+                metadata: { duration_ms },
+            });
+        }
+    });
+}
+//# sourceMappingURL=api.js.map

package/dist/tools/api.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"api.js","sourceRoot":"","sources":["../../src/tools/api.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAC;AAIzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AACtE,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAEhD,MAAM,GAAG,GAAG,WAAW,CAAC,WAAW,CAAC,CAAC;AAErC,SAAS,iBAAiB,CAAC,CAAS,EAAE,CAAS;IAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC5B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC5B,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC9C,OAAO,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AACrC,CAAC;AAOD,4DAA4D;AAC5D,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,GAAoB,EAAE,IAAkB;IAC3E,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAEjC,GAAG,CAAC,OAAO,CAAC,YAAY,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE;QACjD,IAAI,CAAC,MAAM;YAAE,OAAO;QACpB,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,IAAI,EAAE,CAAC;QACjD,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,UAAU,MAAM,EAAE,CAAC,EAAE,CAAC;YACjD,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,wBAAwB,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE;QACzD,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,MAA6B,CAAC;QAC1D,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;QAC9B,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,kBAAkB,OAAO,EAAE,EAAE,CAAC,CAAC;QACxE,CAAC;QACD,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QACjD,OAAO,KAAK,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,IAAI,CAAC,+BAA+B,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE;QACjE,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,MAA6B,CAAC;QAC1D,MAAM,IAAI,GAAG,OAAO,CAAC,IAAqE,CAAC;QAE3F,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;YAChB,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,8BAA8B,EAAE,CAAC,CAAC;QAC3E,CAAC;QAED,MAAM,EAAE,IAAI,EAAE,IAAI,GAAG,EAAE,EAAE,GAAG,IAAI,CAAC;QAEjC,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;QAC9B,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,kBAAkB,OAAO,EAAE,EAAE,CAAC,CAAC;QACxE,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,cAAc,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAClE,MAAM,WAAW,GAAG,SAAS,EAAE,CAAC;QAEhC,MAAM,KAAK,GAAG,oBAAoB,CAAC,WAAW,EAAE;YAC9C,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,cAAc,EAAE,IAAI,CAAC,cAAc,IAAI,EAAE,aAAa,EAAE,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE;SAChF,CAAC,CAAC;QAEH,MAAM,GAAG,GAAoB;YAC3B,MAAM,EAAE,UAAU,EAAE;YACpB,OAAO;YACP,WAAW;YACX,QAAQ,EAAE,IAAI;YACd,IAAI;YACJ,IAAI,EAAE,EAAE;YACR,IAAI,EAAE;gBACJ,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,cAAc,EAAE,IAAI,CAAC,cAAc,IAAI,EAAE,aAAa,EAAE,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE;aAChF;YACD,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,GAAG,EAAE;gBACrC,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAC;YACrF,CAAC,CAAC,CAAC;YACH,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,SAAS,CAAC;YAE/C,6EAA6E;YAC7E,kFAAkF;YAClF,MAAM,MAAM,GAAG,QAAQ,CAAC,MAA6C,CAAC;YACtE,IAAI,MAAM,EAAE,OAAO,EAAE,CAAC;gBACpB,OAAO,KAAK,CAAC,IAAI,CAAC;oBAChB,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,QAAQ,CAAC,IAAI,IAAI,kBAAkB;oBAC1C,QAAQ,EAAE,EAAE,WAAW,EAAE;iBAC1B,CAAC,CAAC;YACL,CAAC;YAED,OAAO,KAAK,CAAC,IAAI,CAAC;gBAChB,OAAO,EAAE,IAAI;gBACb,IAAI,EAAE,QAAQ,CAAC,MAAM;gBACrB,QAAQ,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC,SAAS,IAAI,KAAK,EAAE;aAClE,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,SAAS,CAAC;YAC/C,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,wBAAwB,CAAC,CAAC;YAC3D,OAAO,KAAK,CAAC,IAAI,CAAC;gBAChB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;gBACvD,QAAQ,EAAE,EAAE,WAAW,EAAE;aAC1B,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC"}

package/extensions/openclaw/index.ts ADDED Viewed

@@ -0,0 +1,125 @@
+/**
+ * Airlock Bridge — OpenClaw plugin
+ *
+ * Fetches the tool list from Airlock at startup and registers each one as a
+ * native OpenClaw tool. Every tool call is forwarded to Airlock, which applies
+ * the agent's allowlist, HITL gate, sandbox, and audit logging before executing.
+ *
+ * Configuration (plugin config or environment variable fallbacks):
+ *   url    / AIRLOCK_URL     Base URL of the Airlock gateway  (default: http://localhost:4111)
+ *   agent  / AIRLOCK_AGENT   Agent profile to run as           (default: openclaw)
+ *   secret / AIRLOCK_SECRET  Bearer token / api_secret         (default: empty = no auth)
+ *
+ * Install:
+ *   mkdir -p ~/.openclaw/extensions/airlock-bridge
+ *   cp -r extensions/openclaw/* ~/.openclaw/extensions/airlock-bridge/
+ *   cd ~/.openclaw/extensions/airlock-bridge && npm install --omit=dev
+ */
+import { Type } from '@sinclair/typebox';
+import type { OpenClawPluginApi } from 'openclaw/plugin-sdk';
+interface AirlockTool {
+  name: string;
+  description?: string;
+  inputSchema: Record<string, unknown>;
+}
+interface AirlockInvokeResult {
+  success: boolean;
+  data?: unknown;
+  error?: string;
+  metadata?: { duration_ms: number; truncated: boolean };
+}
+// Convert an Airlock tool name (e.g. "github/list_prs") to a valid OpenClaw
+// tool identifier (e.g. "airlock_github_list_prs").
+function toOpenClawName(airlockName: string): string {
+  return 'airlock_' + airlockName.replace(/[^a-zA-Z0-9]/g, '_');
+}
+export default async function register(api: OpenClawPluginApi): Promise<void> {
+  const cfg = (api.pluginConfig ?? {}) as { url?: string; agent?: string; secret?: string };
+  const baseUrl = (process.env['AIRLOCK_URL'] ?? cfg.url ?? 'http://localhost:4111').replace(
+    /\/$/,
+    ''
+  );
+  const agentId = process.env['AIRLOCK_AGENT'] ?? cfg.agent ?? 'openclaw';
+  const secret = process.env['AIRLOCK_SECRET'] ?? cfg.secret ?? '';
+  const authHeaders: Record<string, string> = secret ? { Authorization: `Bearer ${secret}` } : {};
+  // Fetch tools and register them once the gateway is ready.
+  api.on('gateway_start', async () => {
+    let tools: AirlockTool[];
+    try {
+      const res = await fetch(`${baseUrl}/agents/${agentId}/tools`, {
+        headers: authHeaders,
+      });
+      if (!res.ok) {
+        api.logger.error(`[airlock-bridge] Failed to fetch tools: HTTP ${res.status}`);
+        return;
+      }
+      const body = (await res.json()) as { tools: AirlockTool[] };
+      tools = body.tools;
+    } catch (err) {
+      api.logger.error(`[airlock-bridge] Could not reach Airlock gateway: ${String(err)}`);
+      return;
+    }
+    api.logger.info(`[airlock-bridge] Registering ${tools.length} tools for agent "${agentId}"`);
+    for (const tool of tools) {
+      const openClawName = toOpenClawName(tool.name);
+      const airlockName = tool.name; // captured in closure
+      api.registerTool(
+        {
+          name: openClawName,
+          label: tool.name, // human-readable: preserves the original "namespace/tool" form
+          description: tool.description ?? openClawName,
+          // Wrap Airlock's JSON Schema as a typebox Unsafe type so OpenClaw's
+          // tool registry accepts it without modification.
+          parameters: Type.Unsafe<Record<string, unknown>>(tool.inputSchema),
+          async execute(_toolCallId: string, params: Record<string, unknown>) {
+            let result: AirlockInvokeResult;
+            try {
+              const res = await fetch(`${baseUrl}/agents/${agentId}/tools/invoke`, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json', ...authHeaders },
+                body: JSON.stringify({ tool: airlockName, args: params }),
+              });
+              result = (await res.json()) as AirlockInvokeResult;
+            } catch (err) {
+              return {
+                content: [{ type: 'text' as const, text: `Airlock unreachable: ${String(err)}` }],
+                details: {},
+              };
+            }
+            if (!result.success) {
+              return {
+                content: [
+                  { type: 'text' as const, text: `Error: ${result.error ?? 'unknown error'}` },
+                ],
+                details: result.metadata ?? {},
+              };
+            }
+            return {
+              content: [{ type: 'text' as const, text: JSON.stringify(result.data ?? null) }],
+              details: result.metadata ?? {},
+            };
+          },
+        },
+        { optional: true }
+      );
+    }
+  });
+}

package/extensions/openclaw/openclaw.plugin.json ADDED Viewed

@@ -0,0 +1,38 @@
+{
+  "id": "airlock-bridge",
+  "name": "Airlock Bridge",
+  "description": "Routes tool calls through Airlock for permission enforcement and human-in-the-loop approval",
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {
+      "url": {
+        "type": "string",
+        "description": "Airlock gateway base URL (overrides AIRLOCK_URL env var)"
+      },
+      "agent": {
+        "type": "string",
+        "description": "Airlock agent profile to run as (overrides AIRLOCK_AGENT env var)"
+      },
+      "secret": {
+        "type": "string",
+        "description": "Airlock API secret / Bearer token (overrides AIRLOCK_SECRET env var)"
+      }
+    }
+  },
+  "uiHints": {
+    "url": {
+      "label": "Gateway URL",
+      "placeholder": "http://localhost:4111"
+    },
+    "agent": {
+      "label": "Agent Profile",
+      "placeholder": "openclaw"
+    },
+    "secret": {
+      "label": "API Secret",
+      "sensitive": true,
+      "placeholder": "your-api-secret"
+    }
+  }
+}