daniel-ai-permissions-openclaw 0.2.0

package/dist/approval-store.d.ts

@@ -0,0 +1,24 @@
+/**
+ * One-use approval store for REQUIRES_APPROVAL flow.
+ * UUIDs are consumed on first use; cannot be reused.
+ */
+export interface PendingApproval {
+    uuid: string;
+    toolName: string;
+    params: Record<string, unknown>;
+    status: 'pending' | 'approved' | 'denied';
+    reason: string;
+    createdAt: number;
+}
+export declare function createApprovalRequest(toolName: string, params: Record<string, unknown>, reason: string): string;
+export declare function resolveApproval(uuid: string, decision: 'APPROVE' | 'DENY'): boolean;
+/**
+ * Consume an approved approval for this tool call. One-use: deletes after use.
+ * Returns true if an approved matching approval was found and consumed.
+ */
+export declare function consumeApprovalIfExists(toolName: string, params: Record<string, unknown>): boolean;
+export declare function getApprovalStatus(uuid: string): 'pending' | 'approved' | 'denied' | 'unknown';
+export declare function parseApprovalFromMessage(content: string): {
+    uuid: string;
+    decision: 'APPROVE' | 'DENY';
+} | null;

package/dist/approval-store.js

@@ -0,0 +1,83 @@
+/**
+ * One-use approval store for REQUIRES_APPROVAL flow.
+ * UUIDs are consumed on first use; cannot be reused.
+ */
+import { randomUUID } from 'node:crypto';
+const APPROVAL_TTL_MS = 60 * 60 * 1000; // 1 hour
+function paramsKey(params) {
+    try {
+        return JSON.stringify(params, Object.keys(params).sort());
+    }
+    catch {
+        return String(params);
+    }
+}
+const store = new Map();
+const paramsToUuid = new Map(); // toolName:paramsKey -> uuid for lookup
+export function createApprovalRequest(toolName, params, reason) {
+    const uuid = randomUUID();
+    const key = `${toolName}:${paramsKey(params)}`;
+    const approval = {
+        uuid,
+        toolName,
+        params,
+        status: 'pending',
+        reason,
+        createdAt: Date.now(),
+    };
+    store.set(uuid, approval);
+    paramsToUuid.set(key, uuid);
+    return uuid;
+}
+export function resolveApproval(uuid, decision) {
+    const approval = store.get(uuid);
+    if (!approval || approval.status !== 'pending')
+        return false;
+    approval.status = decision === 'APPROVE' ? 'approved' : 'denied';
+    return true;
+}
+/**
+ * Consume an approved approval for this tool call. One-use: deletes after use.
+ * Returns true if an approved matching approval was found and consumed.
+ */
+export function consumeApprovalIfExists(toolName, params) {
+    const key = `${toolName}:${paramsKey(params)}`;
+    const uuid = paramsToUuid.get(key);
+    if (!uuid)
+        return false;
+    const approval = store.get(uuid);
+    if (!approval || approval.status !== 'approved')
+        return false;
+    // Consume: remove so it cannot be used again
+    store.delete(uuid);
+    paramsToUuid.delete(key);
+    return true;
+}
+export function getApprovalStatus(uuid) {
+    const approval = store.get(uuid);
+    if (!approval)
+        return 'unknown';
+    return approval.status;
+}
+function cleanupExpired() {
+    const now = Date.now();
+    for (const [uuid, approval] of store.entries()) {
+        if (approval.status === 'pending' && now - approval.createdAt > APPROVAL_TTL_MS) {
+            store.delete(uuid);
+            paramsToUuid.delete(`${approval.toolName}:${paramsKey(approval.params)}`);
+        }
+    }
+}
+const UUID_REGEX = '[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}';
+export function parseApprovalFromMessage(content) {
+    const trimmed = (content || '').trim();
+    const approveMatch = trimmed.match(new RegExp(`(?:^|\\s)(?:/approve\\s+)?approve\\s+(${UUID_REGEX})`, 'i'));
+    if (approveMatch)
+        return { uuid: approveMatch[1].toLowerCase(), decision: 'APPROVE' };
+    const denyMatch = trimmed.match(new RegExp(`(?:^|\\s)(?:/deny\\s+)?deny\\s+(${UUID_REGEX})`, 'i'));
+    if (denyMatch)
+        return { uuid: denyMatch[1].toLowerCase(), decision: 'DENY' };
+    return null;
+}
+// Run cleanup periodically
+setInterval(cleanupExpired, 5 * 60 * 1000); // every 5 min

package/dist/index.d.ts

@@ -0,0 +1,25 @@
+/**
+ * AI Permissions Layer - OpenClaw Plugin
+ *
+ * Intercepts tool calls via before_tool_call hook, applies user-defined rules,
+ * returns ALLOW | BLOCK | REQUIRES_APPROVAL. Zero-setup: uses OpenClaw's model config.
+ * REQUIRES_APPROVAL: generates one-use UUID, prompts user; APPROVE/DENY consumed via message_received.
+ */
+import { type DefaultWhenNoMatch } from 'daniel-ai-permissions-layer';
+interface PluginConfig {
+    rulesPath?: string;
+    defaultWhenNoMatch?: DefaultWhenNoMatch;
+    pathProtection?: {
+        enabled?: boolean;
+        dangerousTools?: string[];
+    };
+}
+export default function aiPermissionsPlugin(api: {
+    on: (hook: string, handler: (...args: unknown[]) => unknown) => void;
+    logger: {
+        info: (msg: string) => void;
+        warn: (msg: string) => void;
+    };
+    pluginConfig?: PluginConfig;
+}): void;
+export {};

package/dist/index.js

@@ -0,0 +1,175 @@
+/**
+ * AI Permissions Layer - OpenClaw Plugin
+ *
+ * Intercepts tool calls via before_tool_call hook, applies user-defined rules,
+ * returns ALLOW | BLOCK | REQUIRES_APPROVAL. Zero-setup: uses OpenClaw's model config.
+ * REQUIRES_APPROVAL: generates one-use UUID, prompts user; APPROVE/DENY consumed via message_received.
+ */
+import { match, compile, createOpenClawAdapter, isProtectedPathViolation, OPENCLAW_DANGEROUS_TOOLS, DEFAULT_PROTECTED_PATTERNS, } from 'daniel-ai-permissions-layer';
+import { readFileSync, writeFileSync, existsSync } from 'node:fs';
+import path from 'node:path';
+import os from 'node:os';
+import { createApprovalRequest, consumeApprovalIfExists, resolveApproval, parseApprovalFromMessage, } from './approval-store.js';
+function resolvePath(p) {
+    if (p.startsWith('~')) {
+        return path.join(os.homedir(), p.slice(1));
+    }
+    return path.resolve(p);
+}
+function extractCommand(args) {
+    for (const key of ['command', 'cmd', 'script', 'code', 'args']) {
+        const val = args[key];
+        if (typeof val === 'string' && val.length > 0)
+            return val;
+        if (Array.isArray(val))
+            return val.join(' ');
+    }
+    return null;
+}
+const DEFAULT_RULES_YAML = resolvePath('~/.openclaw/rules.yaml');
+const STARTER_RULES = `# AI Permissions - edit and run: openclaw ai-permissions compile
+- block gmail.delete and gmail.batchDelete - never auto-delete emails
+- require approval before exec, bash, or process - ask before running commands
+- require approval before write, edit, apply_patch - ask before file changes
+- allow read, search, list - safe read-only operations
+`;
+function loadRules(rulesPath) {
+    const resolved = resolvePath(rulesPath);
+    if (!existsSync(resolved)) {
+        return [];
+    }
+    try {
+        const raw = readFileSync(resolved, 'utf-8');
+        const parsed = JSON.parse(raw);
+        return parsed.rules ?? [];
+    }
+    catch {
+        return [];
+    }
+}
+export default function aiPermissionsPlugin(api) {
+    const logger = api.logger;
+    const config = {
+        rulesPath: '~/.openclaw/ai-permissions-rules.json',
+        defaultWhenNoMatch: 'require_approval',
+        pathProtection: { enabled: true },
+        ...api.pluginConfig,
+    };
+    const pathConfig = config.pathProtection?.enabled !== false
+        ? {
+            dangerousTools: config.pathProtection?.dangerousTools ?? OPENCLAW_DANGEROUS_TOOLS,
+            protectedPatterns: DEFAULT_PROTECTED_PATTERNS,
+        }
+        : null;
+    const INTERNAL_TOOL_PATTERNS = [
+        /^pairing$/i,
+        /^device[-_]?pair/i,
+        /^pair\b/i,
+        /internal/i,
+        /^openclaw\./i,
+    ];
+    const hookHandler = async (...args) => {
+        const event = args[0];
+        const toolName = event.toolName;
+        const params = (event.params ?? {});
+        if (INTERNAL_TOOL_PATTERNS.some((p) => p.test(toolName))) {
+            return undefined;
+        }
+        const toolCall = { toolName, args: params };
+        const intent = { text: '' };
+        if (pathConfig && isProtectedPathViolation(toolCall, pathConfig)) {
+            logger.warn(`[ai-permissions-openclaw] BLOCKED: Protected path - ${toolName}`);
+            return {
+                block: true,
+                blockReason: 'Protected path: rules cannot be modified by agent',
+            };
+        }
+        const rules = loadRules(config.rulesPath);
+        const result = match(toolCall, intent, rules, {
+            defaultWhenNoMatch: config.defaultWhenNoMatch,
+        });
+        if (result.decision === 'BLOCK') {
+            logger.warn(`[ai-permissions-openclaw] BLOCKED: ${result.reason ?? 'Rule matched'}`);
+            return {
+                block: true,
+                blockReason: result.reason ?? 'Blocked by permissions rule',
+            };
+        }
+        if (result.decision === 'REQUIRES_APPROVAL') {
+            if (consumeApprovalIfExists(toolName, params)) {
+                logger.info(`[ai-permissions-openclaw] ALLOWED: User approved (one-use consumed)`);
+                return undefined;
+            }
+            const cmd = extractCommand(params);
+            const cmdLine = cmd ? `\nCommand: ${cmd}` : '';
+            const uuid = createApprovalRequest(toolName, params, result.reason ?? 'No matching rule');
+            logger.warn(`[ai-permissions-openclaw] REQUIRES_APPROVAL: ${result.reason ?? 'No matching rule'} (uuid=${uuid})`);
+            return {
+                block: true,
+                blockReason: `[Approval required] ${result.reason ?? 'No matching rule'}${cmdLine}\n\n` +
+                    `Request ID: ${uuid}\n\n` +
+                    `Ask the user: Reply APPROVE ${uuid} to allow this action, or DENY ${uuid} to block it. ` +
+                    `This is a one-use approval; after APPROVE, retry the same action.`,
+            };
+        }
+        return undefined;
+    };
+    const messageReceivedHandler = (...args) => {
+        const event = args[0];
+        const parsed = parseApprovalFromMessage(event?.content ?? '');
+        if (!parsed)
+            return;
+        const ok = resolveApproval(parsed.uuid, parsed.decision);
+        if (ok) {
+            logger.info(`[ai-permissions-openclaw] User ${parsed.decision}d request ${parsed.uuid}`);
+        }
+    };
+    const apiAny = api;
+    if (typeof apiAny.on === 'function') {
+        apiAny.on('before_tool_call', hookHandler);
+        apiAny.on('message_received', messageReceivedHandler);
+    }
+    else if (typeof apiAny.registerHook === 'function') {
+        apiAny.registerHook('before_tool_call', hookHandler);
+        apiAny.registerHook('message_received', messageReceivedHandler);
+    }
+    else {
+        logger.warn('[ai-permissions-openclaw] No hook API found (api.on or api.registerHook)');
+    }
+    if (typeof apiAny.registerCli === 'function') {
+        const compileHandler = async (input, output) => {
+            const inputPath = input ? resolvePath(input) : DEFAULT_RULES_YAML;
+            const outputPath = output ? resolvePath(output) : resolvePath(config.rulesPath);
+            if (!existsSync(inputPath)) {
+                if (!input) {
+                    writeFileSync(DEFAULT_RULES_YAML, STARTER_RULES);
+                    console.log(`Created ${DEFAULT_RULES_YAML} with starter rules.`);
+                }
+                else {
+                    console.error(`Input file not found: ${inputPath}`);
+                    process.exit(1);
+                }
+            }
+            const llm = createOpenClawAdapter(process.env.OPENAI_API_KEY);
+            if (!llm) {
+                console.error('OpenClaw config not found or model unresolved. Run openclaw onboard first.');
+                process.exit(1);
+            }
+            const content = readFileSync(inputPath, 'utf-8');
+            const rules = content
+                .split('\n')
+                .filter((l) => l.trim().startsWith('-'))
+                .map((l) => l.replace(/^-\s*["']?|["']?$/g, '').trim());
+            const { rules: compiled } = await compile(rules, llm);
+            writeFileSync(outputPath, JSON.stringify({ rules: compiled }, null, 2));
+            console.log(`Compiled ${compiled.length} rules to ${outputPath}`);
+        };
+        apiAny.registerCli((opts) => {
+            const ap = opts.program.command('ai-permissions');
+            ap.command('compile [input] [output]').action((a, b) => {
+                void compileHandler(a, b);
+            });
+        }, { commands: ['ai-permissions'] });
+    }
+    logger.info('[ai-permissions-openclaw] Plugin loaded - tool call interception active');
+}

package/openclaw.plugin.json

@@ -0,0 +1,44 @@
+{
+  "id": "ai-permissions-openclaw",
+  "name": "AI Permissions Layer",
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {
+      "rulesPath": {
+        "type": "string",
+        "default": "~/.openclaw/ai-permissions-rules.json",
+        "description": "Path to compiled rules JSON file"
+      },
+      "defaultWhenNoMatch": {
+        "type": "string",
+        "enum": [
+          "allow",
+          "require_approval",
+          "block"
+        ],
+        "default": "require_approval",
+        "description": "Behavior when no rule matches: allow (permit), require_approval (ask), block (deny)"
+      },
+      "pathProtection": {
+        "type": "object",
+        "properties": {
+          "enabled": {
+            "type": "boolean",
+            "default": true
+          },
+          "dangerousTools": {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "description": "Tool names that can write files (default: write, edit, apply_patch)"
+          }
+        },
+        "default": {
+          "enabled": true
+        }
+      }
+    }
+  }
+}

package/package.json

@@ -0,0 +1,42 @@
+{
+  "name": "daniel-ai-permissions-openclaw",
+  "version": "0.2.0",
+  "description": "AI Permissions Layer plugin for OpenClaw. Intercepts tool calls, applies rules, approval flow via chat.",
+  "type": "module",
+  "main": "dist/index.js",
+  "openclaw": {
+    "extensions": [
+      "./dist/index.js"
+    ]
+  },
+  "scripts": {
+    "build": "tsc",
+    "prepublishOnly": "npm run build"
+  },
+  "files": [
+    "dist",
+    "openclaw.plugin.json"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/wei292224644/my-ai-permissions-layer.git",
+    "directory": "openclaw-plugin"
+  },
+  "keywords": [
+    "openclaw",
+    "ai",
+    "permissions",
+    "plugin"
+  ],
+  "license": "GPL-3.0-or-later",
+  "peerDependencies": {
+    "openclaw": ">=2026.1.0"
+  },
+  "dependencies": {
+    "daniel-ai-permissions-layer": "^0.2.1"
+  },
+  "devDependencies": {
+    "openclaw": "latest",
+    "typescript": "^5.9.3"
+  }
+}