fastgrc-openclaw 1.0.0

package/README.md

@@ -0,0 +1,83 @@
+# fastgrc-openclaw
+
+FastGRC compliance plugin for [OpenClaw](https://openclaw.ai). Evaluates every agent tool call against your policy before it executes — blocking, flagging, or logging violations in real time.
+
+## Install
+
+```bash
+npm install fastgrc-openclaw
+```
+
+## Setup (2 lines)
+
+```typescript
+// openclaw.config.ts
+import { FastGRCPlugin } from 'fastgrc-openclaw';
+
+export default {
+  plugins: [
+    FastGRCPlugin({
+      apiKey: process.env.FASTGRC_API_KEY,  // fgrc_k1_...
+    }),
+  ],
+};
+```
+
+Set your environment variable:
+
+```bash
+FASTGRC_API_KEY=fgrc_k1_your_key_here
+```
+
+Get your API key at [fastgrc.ai/connect?source=openclaw](https://fastgrc.ai/connect?source=openclaw) — free, no credit card.
+
+## Options
+
+```typescript
+FastGRCPlugin({
+  apiKey: string;           // Required. Your FastGRC API key.
+  policyId?: string;        // Optional. Target a specific policy. Omit for org-wide default.
+  onBlock?: 'throw'         // (default) Throw FastGRCBlockedError — OpenClaw surfaces it as an agent error
+           | 'warn'         // console.warn and allow through
+           | 'silent';      // Allow through silently
+  timeoutMs?: number;       // Max ms to wait for FastGRC API. Default: 3000. Fail-open on timeout.
+  baseUrl?: string;         // Override FastGRC base URL. Default: https://app.fastgrc.ai
+})
+```
+
+## How it works
+
+The plugin registers a `before_tool_call` hook. For every tool invocation:
+
+1. Calls `POST /api/v1/policy-router/evaluate` with the tool name and arguments
+2. On `decision: block` → throws `FastGRCBlockedError` (OpenClaw surfaces this as an agent error with explanation)
+3. On `decision: require_approval` → throws `FastGRCApprovalRequiredError` with a link to your dashboard
+4. On `decision: allow | uncertain` → passes through silently
+5. On timeout or network error → **fail-open** (allows through, logs a warning) — FastGRC never breaks your agent due to infra issues
+
+## Error types
+
+```typescript
+import { FastGRCBlockedError, FastGRCApprovalRequiredError } from 'fastgrc-openclaw';
+
+// Catch in your agent error handler:
+if (err instanceof FastGRCBlockedError) {
+  console.log(err.matchedRule);  // Which policy rule triggered
+  console.log(err.reasoning);    // Human-readable explanation
+  console.log(err.policyId);     // Policy that made the decision
+}
+
+if (err instanceof FastGRCApprovalRequiredError) {
+  console.log(err.dashboardUrl); // Link to approve in FastGRC dashboard
+}
+```
+
+## Policy modes
+
+Policies start in **Observability Mode** — violations are logged but never blocked. Switch to enforcement from your [FastGRC dashboard](https://app.fastgrc.ai/dashboard/agent-policies) when ready.
+
+## Links
+
+- [FastGRC docs](https://docs.fastgrc.ai/integrations/openclaw)
+- [Get your API key](https://fastgrc.ai/connect?source=openclaw)
+- [Dashboard](https://app.fastgrc.ai)

package/dist/bin.d.mts

@@ -0,0 +1 @@
+#!/usr/bin/env node

package/dist/bin.d.ts

@@ -0,0 +1 @@
+#!/usr/bin/env node

package/dist/bin.js

@@ -0,0 +1,124 @@
+#!/usr/bin/env node
+"use strict";
+
+// src/index.ts
+var DEFAULT_BASE_URL = "https://app.fastgrc.ai";
+var DEFAULT_TIMEOUT_MS = 3e3;
+async function evaluate(payload) {
+  const {
+    toolName,
+    args,
+    agentId,
+    agentType,
+    agentName,
+    apiKey: apiKey2,
+    policyId: policyId2,
+    baseUrl: baseUrl2 = DEFAULT_BASE_URL,
+    timeoutMs = DEFAULT_TIMEOUT_MS
+  } = payload;
+  const evalUrl = `${baseUrl2.replace(/\/$/, "")}/api/v1/policy-router/evaluate`;
+  const content = `tool_name: ${toolName}
+args: ${JSON.stringify(args)}`;
+  try {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    const res = await fetch(evalUrl, {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${apiKey2}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        subjectContent: content,
+        subjectType: "tool_argument",
+        direction: "ingress",
+        agentId,
+        agentType,
+        agentName,
+        ...policyId2 ? { policyId: policyId2 } : {}
+      }),
+      signal: controller.signal
+    });
+    clearTimeout(timer);
+    if (!res.ok) {
+      console.warn(`[fastgrc] Evaluate returned ${res.status} \u2014 failing open`);
+      return null;
+    }
+    return await res.json();
+  } catch (err) {
+    const reason = err instanceof Error && err.name === "AbortError" ? "timeout" : String(err);
+    console.warn(`[fastgrc] Evaluate failed (${reason}) \u2014 failing open`);
+    return null;
+  }
+}
+
+// src/bin.ts
+var apiKey = process.env.FASTGRC_API_KEY;
+if (!apiKey) {
+  process.stderr.write("[fastgrc-hook] FASTGRC_API_KEY is not set \u2014 allowing tool call\n");
+  process.exit(0);
+}
+var baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
+var policyId = process.env.FASTGRC_POLICY_ID;
+async function main() {
+  const chunks = [];
+  for await (const chunk of process.stdin) chunks.push(chunk);
+  const raw = Buffer.concat(chunks).toString("utf8").trim();
+  const toolName = process.env.HOOK_TOOL_NAME ?? "";
+  const toolInputRaw = process.env.HOOK_TOOL_INPUT ?? "{}";
+  let args = {};
+  let agentId;
+  if (raw) {
+    try {
+      const ctx = JSON.parse(raw);
+      args = ctx.tool_input ?? ctx.input ?? ctx.args ?? {};
+      agentId = ctx.agent_id ?? ctx.agentId ?? ctx.session_id;
+    } catch {
+    }
+  }
+  if (!toolName && !raw) {
+    process.exit(0);
+  }
+  const resolvedToolName = toolName || (raw ? JSON.parse(raw)?.tool_name ?? "unknown" : "unknown");
+  if (!args || Object.keys(args).length === 0) {
+    try {
+      args = JSON.parse(toolInputRaw);
+    } catch {
+      args = {};
+    }
+  }
+  const result = await evaluate({
+    toolName: resolvedToolName,
+    args,
+    agentId,
+    apiKey,
+    // narrowed at module level via early-exit guard above
+    policyId,
+    baseUrl
+  });
+  if (!result) {
+    process.exit(0);
+  }
+  const { decision, reasoning, policyContext } = result;
+  const matchedRule = policyContext?.matchedRule;
+  if (decision === "block") {
+    const msg = matchedRule ? `FastGRC blocked: [${matchedRule}] ${reasoning}` : `FastGRC blocked: ${reasoning}`;
+    process.stderr.write(msg + "\n");
+    process.exit(2);
+  }
+  if (decision === "require_approval") {
+    process.stderr.write(
+      `FastGRC requires approval before this action.
+${reasoning}
+Review at: ${baseUrl}/dashboard/agent-policies
+`
+    );
+    process.exit(2);
+  }
+  process.exit(0);
+}
+main().catch((err) => {
+  process.stderr.write(`[fastgrc-hook] Unexpected error: ${err}
+`);
+  process.exit(0);
+});

package/dist/bin.mjs

@@ -0,0 +1,123 @@
+#!/usr/bin/env node
+
+// src/index.ts
+var DEFAULT_BASE_URL = "https://app.fastgrc.ai";
+var DEFAULT_TIMEOUT_MS = 3e3;
+async function evaluate(payload) {
+  const {
+    toolName,
+    args,
+    agentId,
+    agentType,
+    agentName,
+    apiKey: apiKey2,
+    policyId: policyId2,
+    baseUrl: baseUrl2 = DEFAULT_BASE_URL,
+    timeoutMs = DEFAULT_TIMEOUT_MS
+  } = payload;
+  const evalUrl = `${baseUrl2.replace(/\/$/, "")}/api/v1/policy-router/evaluate`;
+  const content = `tool_name: ${toolName}
+args: ${JSON.stringify(args)}`;
+  try {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    const res = await fetch(evalUrl, {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${apiKey2}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        subjectContent: content,
+        subjectType: "tool_argument",
+        direction: "ingress",
+        agentId,
+        agentType,
+        agentName,
+        ...policyId2 ? { policyId: policyId2 } : {}
+      }),
+      signal: controller.signal
+    });
+    clearTimeout(timer);
+    if (!res.ok) {
+      console.warn(`[fastgrc] Evaluate returned ${res.status} \u2014 failing open`);
+      return null;
+    }
+    return await res.json();
+  } catch (err) {
+    const reason = err instanceof Error && err.name === "AbortError" ? "timeout" : String(err);
+    console.warn(`[fastgrc] Evaluate failed (${reason}) \u2014 failing open`);
+    return null;
+  }
+}
+
+// src/bin.ts
+var apiKey = process.env.FASTGRC_API_KEY;
+if (!apiKey) {
+  process.stderr.write("[fastgrc-hook] FASTGRC_API_KEY is not set \u2014 allowing tool call\n");
+  process.exit(0);
+}
+var baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
+var policyId = process.env.FASTGRC_POLICY_ID;
+async function main() {
+  const chunks = [];
+  for await (const chunk of process.stdin) chunks.push(chunk);
+  const raw = Buffer.concat(chunks).toString("utf8").trim();
+  const toolName = process.env.HOOK_TOOL_NAME ?? "";
+  const toolInputRaw = process.env.HOOK_TOOL_INPUT ?? "{}";
+  let args = {};
+  let agentId;
+  if (raw) {
+    try {
+      const ctx = JSON.parse(raw);
+      args = ctx.tool_input ?? ctx.input ?? ctx.args ?? {};
+      agentId = ctx.agent_id ?? ctx.agentId ?? ctx.session_id;
+    } catch {
+    }
+  }
+  if (!toolName && !raw) {
+    process.exit(0);
+  }
+  const resolvedToolName = toolName || (raw ? JSON.parse(raw)?.tool_name ?? "unknown" : "unknown");
+  if (!args || Object.keys(args).length === 0) {
+    try {
+      args = JSON.parse(toolInputRaw);
+    } catch {
+      args = {};
+    }
+  }
+  const result = await evaluate({
+    toolName: resolvedToolName,
+    args,
+    agentId,
+    apiKey,
+    // narrowed at module level via early-exit guard above
+    policyId,
+    baseUrl
+  });
+  if (!result) {
+    process.exit(0);
+  }
+  const { decision, reasoning, policyContext } = result;
+  const matchedRule = policyContext?.matchedRule;
+  if (decision === "block") {
+    const msg = matchedRule ? `FastGRC blocked: [${matchedRule}] ${reasoning}` : `FastGRC blocked: ${reasoning}`;
+    process.stderr.write(msg + "\n");
+    process.exit(2);
+  }
+  if (decision === "require_approval") {
+    process.stderr.write(
+      `FastGRC requires approval before this action.
+${reasoning}
+Review at: ${baseUrl}/dashboard/agent-policies
+`
+    );
+    process.exit(2);
+  }
+  process.exit(0);
+}
+main().catch((err) => {
+  process.stderr.write(`[fastgrc-hook] Unexpected error: ${err}
+`);
+  process.exit(0);
+});

package/dist/index.d.mts

@@ -0,0 +1,74 @@
+interface FastGRCPluginOptions {
+    /** Your FastGRC API key (fgrc_k1_...) */
+    apiKey: string;
+    /** Specific policy ID to evaluate against. Omit to use the org-wide default. */
+    policyId?: string;
+    /**
+     * What to do on a block decision when used outside the plugin hook (e.g. manual invocation).
+     * The plugin hook always returns { block: true } per OpenClaw's hook protocol.
+     * - 'throw'  (default) — throw FastGRCBlockedError
+     * - 'warn'   — console.warn and allow through
+     * - 'silent' — allow through silently
+     */
+    onBlock?: 'throw' | 'warn' | 'silent';
+    /** Max ms to wait for the FastGRC API. Fail-open on timeout. Default: 3000 */
+    timeoutMs?: number;
+    /** Override the FastGRC base URL. Default: https://app.fastgrc.ai */
+    baseUrl?: string;
+}
+/** Thrown when FastGRC's policy blocks a tool call (onBlock: 'throw', outside plugin hook) */
+declare class FastGRCBlockedError extends Error {
+    readonly matchedRule: string;
+    readonly reasoning: string;
+    readonly policyId?: string;
+    constructor(matchedRule: string, reasoning: string, policyId?: string);
+}
+/** Thrown when FastGRC requires human approval (outside plugin hook) */
+declare class FastGRCApprovalRequiredError extends Error {
+    readonly dashboardUrl: string;
+    constructor(dashboardUrl: string, reasoning: string);
+}
+type HookDecision = {
+    block: true;
+    reason?: string;
+} | {
+    block: false;
+} | {
+    requireApproval: true;
+    reason?: string;
+} | undefined;
+interface AgentContext {
+    id?: string;
+    name?: string;
+    type?: string;
+    [key: string]: unknown;
+}
+interface OpenClawPlugin {
+    name: string;
+    hooks: {
+        before_tool_call?: (toolName: string, args: unknown, context: AgentContext) => Promise<HookDecision> | HookDecision;
+    };
+}
+interface EvaluateResponse {
+    decision: 'allow' | 'block' | 'verify' | 'uncertain' | 'require_approval';
+    confidence: number;
+    reasoning: string;
+    policyContext?: {
+        policyId?: string;
+        matchedRule?: string;
+    };
+}
+declare function evaluate(payload: {
+    toolName: string;
+    args: unknown;
+    agentId?: string;
+    agentType?: string;
+    agentName?: string;
+    apiKey: string;
+    policyId?: string;
+    baseUrl?: string;
+    timeoutMs?: number;
+}): Promise<EvaluateResponse | null>;
+declare function FastGRCPlugin(options: FastGRCPluginOptions): OpenClawPlugin;
+
+export { FastGRCApprovalRequiredError, FastGRCBlockedError, FastGRCPlugin, type FastGRCPluginOptions, evaluate };

package/dist/index.d.ts

@@ -0,0 +1,74 @@
+interface FastGRCPluginOptions {
+    /** Your FastGRC API key (fgrc_k1_...) */
+    apiKey: string;
+    /** Specific policy ID to evaluate against. Omit to use the org-wide default. */
+    policyId?: string;
+    /**
+     * What to do on a block decision when used outside the plugin hook (e.g. manual invocation).
+     * The plugin hook always returns { block: true } per OpenClaw's hook protocol.
+     * - 'throw'  (default) — throw FastGRCBlockedError
+     * - 'warn'   — console.warn and allow through
+     * - 'silent' — allow through silently
+     */
+    onBlock?: 'throw' | 'warn' | 'silent';
+    /** Max ms to wait for the FastGRC API. Fail-open on timeout. Default: 3000 */
+    timeoutMs?: number;
+    /** Override the FastGRC base URL. Default: https://app.fastgrc.ai */
+    baseUrl?: string;
+}
+/** Thrown when FastGRC's policy blocks a tool call (onBlock: 'throw', outside plugin hook) */
+declare class FastGRCBlockedError extends Error {
+    readonly matchedRule: string;
+    readonly reasoning: string;
+    readonly policyId?: string;
+    constructor(matchedRule: string, reasoning: string, policyId?: string);
+}
+/** Thrown when FastGRC requires human approval (outside plugin hook) */
+declare class FastGRCApprovalRequiredError extends Error {
+    readonly dashboardUrl: string;
+    constructor(dashboardUrl: string, reasoning: string);
+}
+type HookDecision = {
+    block: true;
+    reason?: string;
+} | {
+    block: false;
+} | {
+    requireApproval: true;
+    reason?: string;
+} | undefined;
+interface AgentContext {
+    id?: string;
+    name?: string;
+    type?: string;
+    [key: string]: unknown;
+}
+interface OpenClawPlugin {
+    name: string;
+    hooks: {
+        before_tool_call?: (toolName: string, args: unknown, context: AgentContext) => Promise<HookDecision> | HookDecision;
+    };
+}
+interface EvaluateResponse {
+    decision: 'allow' | 'block' | 'verify' | 'uncertain' | 'require_approval';
+    confidence: number;
+    reasoning: string;
+    policyContext?: {
+        policyId?: string;
+        matchedRule?: string;
+    };
+}
+declare function evaluate(payload: {
+    toolName: string;
+    args: unknown;
+    agentId?: string;
+    agentType?: string;
+    agentName?: string;
+    apiKey: string;
+    policyId?: string;
+    baseUrl?: string;
+    timeoutMs?: number;
+}): Promise<EvaluateResponse | null>;
+declare function FastGRCPlugin(options: FastGRCPluginOptions): OpenClawPlugin;
+
+export { FastGRCApprovalRequiredError, FastGRCBlockedError, FastGRCPlugin, type FastGRCPluginOptions, evaluate };

package/dist/index.js

@@ -0,0 +1,148 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  FastGRCApprovalRequiredError: () => FastGRCApprovalRequiredError,
+  FastGRCBlockedError: () => FastGRCBlockedError,
+  FastGRCPlugin: () => FastGRCPlugin,
+  evaluate: () => evaluate
+});
+module.exports = __toCommonJS(index_exports);
+var DEFAULT_BASE_URL = "https://app.fastgrc.ai";
+var DEFAULT_TIMEOUT_MS = 3e3;
+var FastGRCBlockedError = class extends Error {
+  constructor(matchedRule, reasoning, policyId) {
+    super(
+      `FastGRC policy blocked this action.
+Rule: ${matchedRule}
+Reason: ${reasoning}`
+    );
+    this.name = "FastGRCBlockedError";
+    this.matchedRule = matchedRule;
+    this.reasoning = reasoning;
+    this.policyId = policyId;
+  }
+};
+var FastGRCApprovalRequiredError = class extends Error {
+  constructor(dashboardUrl, reasoning) {
+    super(
+      `FastGRC requires human approval before this action.
+Reason: ${reasoning}
+Review at: ${dashboardUrl}`
+    );
+    this.name = "FastGRCApprovalRequiredError";
+    this.dashboardUrl = dashboardUrl;
+  }
+};
+async function evaluate(payload) {
+  const {
+    toolName,
+    args,
+    agentId,
+    agentType,
+    agentName,
+    apiKey,
+    policyId,
+    baseUrl = DEFAULT_BASE_URL,
+    timeoutMs = DEFAULT_TIMEOUT_MS
+  } = payload;
+  const evalUrl = `${baseUrl.replace(/\/$/, "")}/api/v1/policy-router/evaluate`;
+  const content = `tool_name: ${toolName}
+args: ${JSON.stringify(args)}`;
+  try {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    const res = await fetch(evalUrl, {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${apiKey}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        subjectContent: content,
+        subjectType: "tool_argument",
+        direction: "ingress",
+        agentId,
+        agentType,
+        agentName,
+        ...policyId ? { policyId } : {}
+      }),
+      signal: controller.signal
+    });
+    clearTimeout(timer);
+    if (!res.ok) {
+      console.warn(`[fastgrc] Evaluate returned ${res.status} \u2014 failing open`);
+      return null;
+    }
+    return await res.json();
+  } catch (err) {
+    const reason = err instanceof Error && err.name === "AbortError" ? "timeout" : String(err);
+    console.warn(`[fastgrc] Evaluate failed (${reason}) \u2014 failing open`);
+    return null;
+  }
+}
+function FastGRCPlugin(options) {
+  const {
+    apiKey,
+    policyId,
+    timeoutMs = DEFAULT_TIMEOUT_MS,
+    baseUrl = DEFAULT_BASE_URL
+  } = options;
+  const dashboardUrl = `${baseUrl.replace(/\/$/, "")}/dashboard/agent-policies`;
+  return {
+    name: "fastgrc",
+    hooks: {
+      async before_tool_call(toolName, args, context) {
+        const result = await evaluate({
+          toolName,
+          args,
+          agentId: context.id,
+          agentType: context.type,
+          agentName: context.name,
+          apiKey,
+          policyId,
+          baseUrl,
+          timeoutMs
+        });
+        if (!result) return { block: false };
+        const { decision, reasoning, policyContext } = result;
+        const matchedRule = policyContext?.matchedRule ?? "policy rule";
+        if (decision === "block") {
+          return { block: true, reason: `[${matchedRule}] ${reasoning}` };
+        }
+        if (decision === "require_approval") {
+          return {
+            requireApproval: true,
+            reason: `${reasoning} \u2014 review at ${dashboardUrl}`
+          };
+        }
+        return { block: false };
+      }
+    }
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  FastGRCApprovalRequiredError,
+  FastGRCBlockedError,
+  FastGRCPlugin,
+  evaluate
+});

package/dist/index.mjs

@@ -0,0 +1,120 @@
+// src/index.ts
+var DEFAULT_BASE_URL = "https://app.fastgrc.ai";
+var DEFAULT_TIMEOUT_MS = 3e3;
+var FastGRCBlockedError = class extends Error {
+  constructor(matchedRule, reasoning, policyId) {
+    super(
+      `FastGRC policy blocked this action.
+Rule: ${matchedRule}
+Reason: ${reasoning}`
+    );
+    this.name = "FastGRCBlockedError";
+    this.matchedRule = matchedRule;
+    this.reasoning = reasoning;
+    this.policyId = policyId;
+  }
+};
+var FastGRCApprovalRequiredError = class extends Error {
+  constructor(dashboardUrl, reasoning) {
+    super(
+      `FastGRC requires human approval before this action.
+Reason: ${reasoning}
+Review at: ${dashboardUrl}`
+    );
+    this.name = "FastGRCApprovalRequiredError";
+    this.dashboardUrl = dashboardUrl;
+  }
+};
+async function evaluate(payload) {
+  const {
+    toolName,
+    args,
+    agentId,
+    agentType,
+    agentName,
+    apiKey,
+    policyId,
+    baseUrl = DEFAULT_BASE_URL,
+    timeoutMs = DEFAULT_TIMEOUT_MS
+  } = payload;
+  const evalUrl = `${baseUrl.replace(/\/$/, "")}/api/v1/policy-router/evaluate`;
+  const content = `tool_name: ${toolName}
+args: ${JSON.stringify(args)}`;
+  try {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    const res = await fetch(evalUrl, {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${apiKey}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        subjectContent: content,
+        subjectType: "tool_argument",
+        direction: "ingress",
+        agentId,
+        agentType,
+        agentName,
+        ...policyId ? { policyId } : {}
+      }),
+      signal: controller.signal
+    });
+    clearTimeout(timer);
+    if (!res.ok) {
+      console.warn(`[fastgrc] Evaluate returned ${res.status} \u2014 failing open`);
+      return null;
+    }
+    return await res.json();
+  } catch (err) {
+    const reason = err instanceof Error && err.name === "AbortError" ? "timeout" : String(err);
+    console.warn(`[fastgrc] Evaluate failed (${reason}) \u2014 failing open`);
+    return null;
+  }
+}
+function FastGRCPlugin(options) {
+  const {
+    apiKey,
+    policyId,
+    timeoutMs = DEFAULT_TIMEOUT_MS,
+    baseUrl = DEFAULT_BASE_URL
+  } = options;
+  const dashboardUrl = `${baseUrl.replace(/\/$/, "")}/dashboard/agent-policies`;
+  return {
+    name: "fastgrc",
+    hooks: {
+      async before_tool_call(toolName, args, context) {
+        const result = await evaluate({
+          toolName,
+          args,
+          agentId: context.id,
+          agentType: context.type,
+          agentName: context.name,
+          apiKey,
+          policyId,
+          baseUrl,
+          timeoutMs
+        });
+        if (!result) return { block: false };
+        const { decision, reasoning, policyContext } = result;
+        const matchedRule = policyContext?.matchedRule ?? "policy rule";
+        if (decision === "block") {
+          return { block: true, reason: `[${matchedRule}] ${reasoning}` };
+        }
+        if (decision === "require_approval") {
+          return {
+            requireApproval: true,
+            reason: `${reasoning} \u2014 review at ${dashboardUrl}`
+          };
+        }
+        return { block: false };
+      }
+    }
+  };
+}
+export {
+  FastGRCApprovalRequiredError,
+  FastGRCBlockedError,
+  FastGRCPlugin,
+  evaluate
+};

package/package.json

@@ -0,0 +1,32 @@
+{
+  "name": "fastgrc-openclaw",
+  "version": "1.0.0",
+  "description": "FastGRC agent compliance plugin for OpenClaw — evaluates every tool call against your policy before it executes",
+  "main": "./dist/index.js",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    }
+  },
+  "bin": {
+    "fastgrc-hook": "./dist/bin.js"
+  },
+  "files": ["dist", "README.md"],
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "typecheck": "tsc --noEmit"
+  },
+  "keywords": ["fastgrc", "openclaw", "ai-agent", "compliance", "policy", "security"],
+  "author": "FastGRC <support@fastgrc.ai>",
+  "license": "MIT",
+  "devDependencies": {
+    "tsup": "^8.0.0",
+    "typescript": "^5.0.0"
+  },
+  "engines": { "node": ">=18" }
+}