fastgrc-openclaw 1.0.20 → 1.0.23

package/dist/bin.js

@@ -38,12 +38,12 @@ async function evaluate(payload) {
     agentId,
     agentType,
     agentName,
-    apiKey: apiKey2,
-    policyId: policyId2,
-    baseUrl: baseUrl2 = DEFAULT_BASE_URL,
+    apiKey,
+    policyId,
+    baseUrl = DEFAULT_BASE_URL,
     timeoutMs = DEFAULT_TIMEOUT_MS
   } = payload;
-  const evalUrl = `${baseUrl2.replace(/\/$/, "")}/api/v1/policy-router/evaluate`;
+  const evalUrl = `${baseUrl.replace(/\/$/, "")}/api/v1/policy-router/evaluate`;
   const content = `tool_name: ${toolName}
 args: ${JSON.stringify(args)}`;
   try {
@@ -52,7 +52,7 @@ args: ${JSON.stringify(args)}`;
     const res = await fetch(evalUrl, {
       method: "POST",
       headers: {
-        "Authorization": `Bearer ${apiKey2}`,
+        "Authorization": `Bearer ${apiKey}`,
         "Content-Type": "application/json"
       },
       body: JSON.stringify({
@@ -62,7 +62,7 @@ args: ${JSON.stringify(args)}`;
         agentId,
         agentType,
         agentName,
-        ...policyId2 ? { policyId: policyId2 } : {}
+        ...policyId ? { policyId } : {}
       }),
       signal: controller.signal
     });
@@ -149,12 +149,47 @@ if (cmd === "unset-policy") {
   process.stdout.write("FastGRC policy ID removed \u2014 org-wide default will be used.\n");
   process.exit(0);
 }
+function computeHandler() {
+  const binPath = process.argv[1];
+  const homeDir = os.homedir();
+  return { binPath, homeDir, handlerStr: `HOME=${homeDir} node ${binPath}` };
+}
+function printTestSnippet(handlerStr) {
+  process.stdout.write(
+    `
+Test it directly (bypasses OpenClaw):
+  echo '{"tool_name":"Bash","tool_input":{"command":"rm -rf /production"},"session_id":"t1"}' \\
+    | ${handlerStr}
+  # exit 2 = blocked, exit 0 = allowed
+`
+  );
+}
+if (cmd === "restart-openclaw") {
+  const { spawn, execSync } = require("child_process");
+  try {
+    execSync("pkill -x openclaw", { stdio: "ignore" });
+    process.stdout.write("Stopped existing openclaw process(es).\n");
+  } catch {
+    process.stdout.write("No openclaw process was running.\n");
+  }
+  const logPath = process.env.OPENCLAW_LOG ?? "/tmp/openclaw.log";
+  const workDir = arg || process.cwd();
+  const out = fs.openSync(logPath, "a");
+  const child = spawn("openclaw", [], {
+    detached: true,
+    stdio: ["ignore", out, out],
+    cwd: workDir
+  });
+  child.unref();
+  process.stdout.write(`\u2713 OpenClaw started (PID: ${child.pid}, cwd: ${workDir})
+   Logs: tail -f ${logPath}
+`);
+  process.exit(0);
+}
 if (cmd === "install-hook") {
   const targetDir = arg || process.cwd();
   const hookMdPath = path.join(targetDir, "HOOK.md");
-  const binPath = process.argv[1];
-  const homeDir = os.homedir();
-  const handlerStr = `HOME=${homeDir} node ${binPath}`;
+  const { handlerStr } = computeHandler();
   const HOOK_ENTRY = `  - matcher: PreToolUse
     handler: "${handlerStr}"
 `;
@@ -166,15 +201,19 @@ if (cmd === "install-hook") {
   if (!fs.existsSync(hookMdPath)) {
     fs.writeFileSync(hookMdPath, HOOK_BLOCK, "utf8");
     process.stdout.write(`\u2713 Created ${hookMdPath}
+   Handler: ${handlerStr}
 
 Restart OpenClaw \u2014 FastGRC will evaluate every tool call.
 `);
+    printTestSnippet(handlerStr);
     process.exit(0);
   }
   const existing = fs.readFileSync(hookMdPath, "utf8");
   if (existing.includes(handlerStr)) {
     process.stdout.write(`\u2713 FastGRC hook already up to date in ${hookMdPath}
+   Handler: ${handlerStr}
 `);
+    printTestSnippet(handlerStr);
     process.exit(0);
   }
   if (existing.includes("fastgrc-hook") || existing.includes("fastgrc-openclaw")) {
@@ -184,9 +223,11 @@ Restart OpenClaw \u2014 FastGRC will evaluate every tool call.
     );
     fs.writeFileSync(hookMdPath, patched, "utf8");
     process.stdout.write(`\u2713 Updated handler in ${hookMdPath} \u2014 now uses absolute path.
+   Handler: ${handlerStr}
 
 Restart OpenClaw to activate.
 `);
+    printTestSnippet(handlerStr);
     process.exit(0);
   }
   const fmEnd = existing.indexOf("\n---", 3);
@@ -201,82 +242,228 @@ ${HOOK_ENTRY}`;
   }
   fs.writeFileSync(hookMdPath, updated, "utf8");
   process.stdout.write(`\u2713 Updated ${hookMdPath} \u2014 FastGRC hook added.
+   Handler: ${handlerStr}
 
 Restart OpenClaw to activate.
 `);
+  printTestSnippet(handlerStr);
   process.exit(0);
 }
-var apiKey = process.env.FASTGRC_API_KEY ?? readConfig().apiKey;
-if (!apiKey) {
-  process.stderr.write("[fastgrc-hook] No API key configured \u2014 run: fastgrc-hook set-key fgrc_k1_...\n");
-  process.exit(0);
-}
-var baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
-var policyId = process.env.FASTGRC_POLICY_ID ?? readConfig().policyId;
-async function main() {
-  const chunks = [];
-  for await (const chunk of process.stdin) chunks.push(chunk);
-  const raw = Buffer.concat(chunks).toString("utf8").trim();
-  const toolName = process.env.HOOK_TOOL_NAME ?? "";
-  const toolInputRaw = process.env.HOOK_TOOL_INPUT ?? "{}";
-  let args = {};
-  let agentId;
-  if (raw) {
-    try {
-      const ctx = JSON.parse(raw);
-      args = ctx.tool_input ?? ctx.input ?? ctx.args ?? {};
-      agentId = ctx.agent_id ?? ctx.agentId ?? ctx.session_id;
-    } catch {
+if (cmd === "setup") {
+  const { execSync } = require("child_process");
+  const rest = process.argv.slice(3);
+  let apiKeyArg;
+  let policyIdArg;
+  for (let i = 0; i < rest.length; i++) {
+    if (rest[i] === "--api-key" && rest[i + 1]) {
+      apiKeyArg = rest[++i];
+    } else if (rest[i] === "--policy-id" && rest[i + 1]) {
+      policyIdArg = rest[++i];
+    } else if (!apiKeyArg && !rest[i].startsWith("--")) {
+      apiKeyArg = rest[i];
+    } else if (!policyIdArg && !rest[i].startsWith("--")) {
+      policyIdArg = rest[i];
     }
   }
-  if (!toolName && !raw) {
+  if (!apiKeyArg) {
+    process.stderr.write("Usage: fastgrc-hook setup --api-key <key> [--policy-id <id>]\n");
+    process.exit(1);
+  }
+  const selfBin = process.argv[1];
+  process.stdout.write("Step 1/4: Installing OpenClaw plugin as root...\n");
+  try {
+    execSync("sudo openclaw plugins remove fastgrc-openclaw", { stdio: "ignore" });
+  } catch {
+  }
+  execSync("sudo openclaw plugins install fastgrc-openclaw", { stdio: "inherit" });
+  writeConfig({ ...readConfig(), apiKey: apiKeyArg });
+  process.stdout.write("Step 2/4: API key saved to ~/.fastgrc.json\n");
+  if (policyIdArg) {
+    writeConfig({ ...readConfig(), policyId: policyIdArg });
+    process.stdout.write("Step 3/4: Policy ID saved to ~/.fastgrc.json\n");
+  } else {
+    process.stdout.write("Step 3/4: No policy ID provided \u2014 org-wide default will be used.\n");
+  }
+  process.stdout.write("Step 4/4: Wiring up HOOK.md and restarting OpenClaw...\n");
+  execSync(`node "${selfBin}" install-hook`, { stdio: "inherit" });
+  execSync(`node "${selfBin}" restart-openclaw`, { stdio: "inherit" });
+  process.stdout.write('\n\u2713 FastGRC setup complete. Run "fastgrc-hook test" to verify.\n');
+  process.exit(0);
+}
+if (cmd === "uninstall-hook") {
+  const targetDir = arg || process.cwd();
+  const hookMdPath = path.join(targetDir, "HOOK.md");
+  if (!fs.existsSync(hookMdPath)) {
+    process.stdout.write("No HOOK.md found \u2014 nothing to remove.\n");
     process.exit(0);
   }
-  const resolvedToolName = toolName || (raw ? JSON.parse(raw)?.tool_name ?? "unknown" : "unknown");
-  if (!args || Object.keys(args).length === 0) {
-    try {
-      args = JSON.parse(toolInputRaw);
-    } catch {
-      args = {};
-    }
+  const existing = fs.readFileSync(hookMdPath, "utf8");
+  const patched = existing.replace(
+    /[ \t]*-[ \t]*matcher:[ \t]*PreToolUse\n[ \t]*handler:[ \t]*"[^"]*(?:fastgrc-hook|fastgrc-openclaw)[^"]*"\n?/,
+    ""
+  );
+  if (patched === existing) {
+    process.stdout.write("FastGRC hook not found in HOOK.md \u2014 nothing to remove.\n");
+  } else {
+    fs.writeFileSync(hookMdPath, patched, "utf8");
+    process.stdout.write(`\u2713 FastGRC hook removed from ${hookMdPath}
+`);
   }
-  const result = await evaluate({
-    toolName: resolvedToolName,
-    args,
-    agentId,
+  process.exit(0);
+}
+if (cmd === "uninstall") {
+  const { execSync } = require("child_process");
+  const selfBin = process.argv[1];
+  const targetDir = arg || process.cwd();
+  process.stdout.write("Removing FastGRC from this OpenClaw deployment...\n\n");
+  process.stdout.write("1. Removing OpenClaw plugin...\n");
+  try {
+    execSync("sudo openclaw plugins remove fastgrc-openclaw", { stdio: "inherit" });
+  } catch {
+    process.stdout.write("   (plugin was not installed \u2014 skipped)\n");
+  }
+  process.stdout.write("2. Clearing config...\n");
+  const cfg = readConfig();
+  delete cfg.apiKey;
+  delete cfg.policyId;
+  writeConfig(cfg);
+  process.stdout.write("   API key and policy ID removed from ~/.fastgrc.json\n");
+  process.stdout.write("3. Removing hook from HOOK.md...\n");
+  execSync(`node "${selfBin}" uninstall-hook "${targetDir}"`, { stdio: "inherit" });
+  process.stdout.write("4. Restarting OpenClaw...\n");
+  execSync(`node "${selfBin}" restart-openclaw`, { stdio: "inherit" });
+  process.stdout.write(
+    "\n\u2713 FastGRC removed.\nTo fully remove the CLI: npm uninstall -g fastgrc-openclaw\n"
+  );
+  process.exit(0);
+}
+if (cmd === "test") {
+  const testCommand = arg || "rm -rf /production-db";
+  const payload = JSON.stringify({
+    tool_name: "Bash",
+    tool_input: { command: testCommand },
+    session_id: "fastgrc-hook-test"
+  });
+  const { handlerStr } = computeHandler();
+  process.stdout.write(`Testing handler: ${handlerStr}
+`);
+  process.stdout.write(`Payload: ${payload}
+
+`);
+  const apiKey = process.env.FASTGRC_API_KEY ?? readConfig().apiKey;
+  if (!apiKey) {
+    process.stderr.write("No API key configured. Run: fastgrc-hook set-key fgrc_k1_...\n");
+    process.exit(1);
+  }
+  const baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
+  const policyId = process.env.FASTGRC_POLICY_ID ?? readConfig().policyId;
+  const ctx = JSON.parse(payload);
+  evaluate({
+    toolName: ctx.tool_name,
+    args: ctx.tool_input,
+    agentId: ctx.session_id,
     apiKey,
-    // narrowed at module level via early-exit guard above
     policyId,
     baseUrl
+  }).then((result) => {
+    if (!result) {
+      process.stdout.write("Evaluate returned null (fail-open) \u2014 network error or timeout.\n");
+      process.exit(0);
+    }
+    process.stdout.write(`Decision: ${result.decision}
+`);
+    if (result.reasoning) process.stdout.write(`Reason: ${result.reasoning}
+`);
+    if (result.policyContext?.matchedRule) process.stdout.write(`Matched rule: ${result.policyContext.matchedRule}
+`);
+    process.exit(result.decision === "block" || result.decision === "require_approval" ? 2 : 0);
+  }).catch((err) => {
+    process.stderr.write(`Test failed: ${err}
+`);
+    process.exit(1);
   });
-  if (!result) {
+} else if (cmd === "where" || cmd === "which-hook") {
+  const { handlerStr, binPath } = computeHandler();
+  process.stdout.write(`Binary: ${binPath}
+`);
+  process.stdout.write(`Handler: ${handlerStr}
+`);
+  process.exit(0);
+}
+if (cmd === "test" || cmd === "where" || cmd === "which-hook" || cmd === "restart-openclaw" || cmd === "setup" || cmd === "uninstall" || cmd === "uninstall-hook") {
+} else {
+  const apiKey = process.env.FASTGRC_API_KEY ?? readConfig().apiKey;
+  if (!apiKey) {
+    process.stderr.write("[fastgrc-hook] No API key configured \u2014 run: fastgrc-hook set-key fgrc_k1_...\n");
     process.exit(0);
   }
-  const { decision, reasoning, policyContext, reasonTags } = result;
-  const matchedRule = policyContext?.matchedRule;
-  if (decision === "block") {
-    const msg = matchedRule ? `FastGRC blocked: [${matchedRule}] ${reasoning}` : `FastGRC blocked: ${reasoning}`;
-    process.stderr.write(msg + "\n");
-    process.exit(2);
-  }
-  if (decision === "require_approval") {
-    process.stderr.write(
-      `FastGRC requires approval before this action.
+  const baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
+  const policyId = process.env.FASTGRC_POLICY_ID ?? readConfig().policyId;
+  async function main() {
+    const chunks = [];
+    for await (const chunk of process.stdin) chunks.push(chunk);
+    const raw = Buffer.concat(chunks).toString("utf8").trim();
+    const toolName = process.env.HOOK_TOOL_NAME ?? "";
+    const toolInputRaw = process.env.HOOK_TOOL_INPUT ?? "{}";
+    let args = {};
+    let agentId;
+    if (raw) {
+      try {
+        const ctx = JSON.parse(raw);
+        args = ctx.tool_input ?? ctx.input ?? ctx.args ?? {};
+        agentId = ctx.agent_id ?? ctx.agentId ?? ctx.session_id;
+      } catch {
+      }
+    }
+    if (!toolName && !raw) {
+      process.exit(0);
+    }
+    const resolvedToolName = toolName || (raw ? JSON.parse(raw)?.tool_name ?? "unknown" : "unknown");
+    if (!args || Object.keys(args).length === 0) {
+      try {
+        args = JSON.parse(toolInputRaw);
+      } catch {
+        args = {};
+      }
+    }
+    const result = await evaluate({
+      toolName: resolvedToolName,
+      args,
+      agentId,
+      apiKey,
+      // narrowed at module level via early-exit guard above
+      policyId,
+      baseUrl
+    });
+    if (!result) {
+      process.exit(0);
+    }
+    const { decision, reasoning, policyContext, reasonTags } = result;
+    const matchedRule = policyContext?.matchedRule;
+    if (decision === "block") {
+      const msg = matchedRule ? `FastGRC blocked: [${matchedRule}] ${reasoning}` : `FastGRC blocked: ${reasoning}`;
+      process.stderr.write(msg + "\n");
+      process.exit(2);
+    }
+    if (decision === "require_approval") {
+      process.stderr.write(
+        `FastGRC requires approval before this action.
 ${reasoning}
 Review at: ${baseUrl}/dashboard/agent-policies
 `
-    );
-    process.exit(2);
-  }
-  if (Array.isArray(reasonTags) && reasonTags.includes("override_block_active")) {
-    const msg = matchedRule ? `[FastGRC] Observability mode \u2014 would have blocked: [${matchedRule}] ${reasoning}` : `[FastGRC] Observability mode \u2014 would have blocked: ${reasoning}`;
-    process.stderr.write(msg + "\n");
+      );
+      process.exit(2);
+    }
+    if (Array.isArray(reasonTags) && reasonTags.includes("override_block_active")) {
+      const msg = matchedRule ? `[FastGRC] Observability mode \u2014 would have blocked: [${matchedRule}] ${reasoning}` : `[FastGRC] Observability mode \u2014 would have blocked: ${reasoning}`;
+      process.stderr.write(msg + "\n");
+    }
+    process.exit(0);
   }
-  process.exit(0);
-}
-main().catch((err) => {
-  process.stderr.write(`[fastgrc-hook] Unexpected error: ${err}
+  main().catch((err) => {
+    process.stderr.write(`[fastgrc-hook] Unexpected error: ${err}
 `);
-  process.exit(0);
-});
+    process.exit(0);
+  });
+}
 module.exports = module.exports.default ?? module.exports;

package/dist/bin.mjs

@@ -1,4 +1,10 @@
 #!/usr/bin/env node
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
 
 // src/bin.ts
 import * as fs from "fs";
@@ -15,12 +21,12 @@ async function evaluate(payload) {
     agentId,
     agentType,
     agentName,
-    apiKey: apiKey2,
-    policyId: policyId2,
-    baseUrl: baseUrl2 = DEFAULT_BASE_URL,
+    apiKey,
+    policyId,
+    baseUrl = DEFAULT_BASE_URL,
     timeoutMs = DEFAULT_TIMEOUT_MS
   } = payload;
-  const evalUrl = `${baseUrl2.replace(/\/$/, "")}/api/v1/policy-router/evaluate`;
+  const evalUrl = `${baseUrl.replace(/\/$/, "")}/api/v1/policy-router/evaluate`;
   const content = `tool_name: ${toolName}
 args: ${JSON.stringify(args)}`;
   try {
@@ -29,7 +35,7 @@ args: ${JSON.stringify(args)}`;
     const res = await fetch(evalUrl, {
       method: "POST",
       headers: {
-        "Authorization": `Bearer ${apiKey2}`,
+        "Authorization": `Bearer ${apiKey}`,
         "Content-Type": "application/json"
       },
       body: JSON.stringify({
@@ -39,7 +45,7 @@ args: ${JSON.stringify(args)}`;
         agentId,
         agentType,
         agentName,
-        ...policyId2 ? { policyId: policyId2 } : {}
+        ...policyId ? { policyId } : {}
       }),
       signal: controller.signal
     });
@@ -126,12 +132,47 @@ if (cmd === "unset-policy") {
   process.stdout.write("FastGRC policy ID removed \u2014 org-wide default will be used.\n");
   process.exit(0);
 }
+function computeHandler() {
+  const binPath = process.argv[1];
+  const homeDir = os.homedir();
+  return { binPath, homeDir, handlerStr: `HOME=${homeDir} node ${binPath}` };
+}
+function printTestSnippet(handlerStr) {
+  process.stdout.write(
+    `
+Test it directly (bypasses OpenClaw):
+  echo '{"tool_name":"Bash","tool_input":{"command":"rm -rf /production"},"session_id":"t1"}' \\
+    | ${handlerStr}
+  # exit 2 = blocked, exit 0 = allowed
+`
+  );
+}
+if (cmd === "restart-openclaw") {
+  const { spawn, execSync } = __require("child_process");
+  try {
+    execSync("pkill -x openclaw", { stdio: "ignore" });
+    process.stdout.write("Stopped existing openclaw process(es).\n");
+  } catch {
+    process.stdout.write("No openclaw process was running.\n");
+  }
+  const logPath = process.env.OPENCLAW_LOG ?? "/tmp/openclaw.log";
+  const workDir = arg || process.cwd();
+  const out = fs.openSync(logPath, "a");
+  const child = spawn("openclaw", [], {
+    detached: true,
+    stdio: ["ignore", out, out],
+    cwd: workDir
+  });
+  child.unref();
+  process.stdout.write(`\u2713 OpenClaw started (PID: ${child.pid}, cwd: ${workDir})
+   Logs: tail -f ${logPath}
+`);
+  process.exit(0);
+}
 if (cmd === "install-hook") {
   const targetDir = arg || process.cwd();
   const hookMdPath = path.join(targetDir, "HOOK.md");
-  const binPath = process.argv[1];
-  const homeDir = os.homedir();
-  const handlerStr = `HOME=${homeDir} node ${binPath}`;
+  const { handlerStr } = computeHandler();
   const HOOK_ENTRY = `  - matcher: PreToolUse
     handler: "${handlerStr}"
 `;
@@ -143,15 +184,19 @@ if (cmd === "install-hook") {
   if (!fs.existsSync(hookMdPath)) {
     fs.writeFileSync(hookMdPath, HOOK_BLOCK, "utf8");
     process.stdout.write(`\u2713 Created ${hookMdPath}
+   Handler: ${handlerStr}
 
 Restart OpenClaw \u2014 FastGRC will evaluate every tool call.
 `);
+    printTestSnippet(handlerStr);
     process.exit(0);
   }
   const existing = fs.readFileSync(hookMdPath, "utf8");
   if (existing.includes(handlerStr)) {
     process.stdout.write(`\u2713 FastGRC hook already up to date in ${hookMdPath}
+   Handler: ${handlerStr}
 `);
+    printTestSnippet(handlerStr);
     process.exit(0);
   }
   if (existing.includes("fastgrc-hook") || existing.includes("fastgrc-openclaw")) {
@@ -161,9 +206,11 @@ Restart OpenClaw \u2014 FastGRC will evaluate every tool call.
     );
     fs.writeFileSync(hookMdPath, patched, "utf8");
     process.stdout.write(`\u2713 Updated handler in ${hookMdPath} \u2014 now uses absolute path.
+   Handler: ${handlerStr}
 
 Restart OpenClaw to activate.
 `);
+    printTestSnippet(handlerStr);
     process.exit(0);
   }
   const fmEnd = existing.indexOf("\n---", 3);
@@ -178,81 +225,227 @@ ${HOOK_ENTRY}`;
   }
   fs.writeFileSync(hookMdPath, updated, "utf8");
   process.stdout.write(`\u2713 Updated ${hookMdPath} \u2014 FastGRC hook added.
+   Handler: ${handlerStr}
 
 Restart OpenClaw to activate.
 `);
+  printTestSnippet(handlerStr);
   process.exit(0);
 }
-var apiKey = process.env.FASTGRC_API_KEY ?? readConfig().apiKey;
-if (!apiKey) {
-  process.stderr.write("[fastgrc-hook] No API key configured \u2014 run: fastgrc-hook set-key fgrc_k1_...\n");
-  process.exit(0);
-}
-var baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
-var policyId = process.env.FASTGRC_POLICY_ID ?? readConfig().policyId;
-async function main() {
-  const chunks = [];
-  for await (const chunk of process.stdin) chunks.push(chunk);
-  const raw = Buffer.concat(chunks).toString("utf8").trim();
-  const toolName = process.env.HOOK_TOOL_NAME ?? "";
-  const toolInputRaw = process.env.HOOK_TOOL_INPUT ?? "{}";
-  let args = {};
-  let agentId;
-  if (raw) {
-    try {
-      const ctx = JSON.parse(raw);
-      args = ctx.tool_input ?? ctx.input ?? ctx.args ?? {};
-      agentId = ctx.agent_id ?? ctx.agentId ?? ctx.session_id;
-    } catch {
+if (cmd === "setup") {
+  const { execSync } = __require("child_process");
+  const rest = process.argv.slice(3);
+  let apiKeyArg;
+  let policyIdArg;
+  for (let i = 0; i < rest.length; i++) {
+    if (rest[i] === "--api-key" && rest[i + 1]) {
+      apiKeyArg = rest[++i];
+    } else if (rest[i] === "--policy-id" && rest[i + 1]) {
+      policyIdArg = rest[++i];
+    } else if (!apiKeyArg && !rest[i].startsWith("--")) {
+      apiKeyArg = rest[i];
+    } else if (!policyIdArg && !rest[i].startsWith("--")) {
+      policyIdArg = rest[i];
     }
   }
-  if (!toolName && !raw) {
+  if (!apiKeyArg) {
+    process.stderr.write("Usage: fastgrc-hook setup --api-key <key> [--policy-id <id>]\n");
+    process.exit(1);
+  }
+  const selfBin = process.argv[1];
+  process.stdout.write("Step 1/4: Installing OpenClaw plugin as root...\n");
+  try {
+    execSync("sudo openclaw plugins remove fastgrc-openclaw", { stdio: "ignore" });
+  } catch {
+  }
+  execSync("sudo openclaw plugins install fastgrc-openclaw", { stdio: "inherit" });
+  writeConfig({ ...readConfig(), apiKey: apiKeyArg });
+  process.stdout.write("Step 2/4: API key saved to ~/.fastgrc.json\n");
+  if (policyIdArg) {
+    writeConfig({ ...readConfig(), policyId: policyIdArg });
+    process.stdout.write("Step 3/4: Policy ID saved to ~/.fastgrc.json\n");
+  } else {
+    process.stdout.write("Step 3/4: No policy ID provided \u2014 org-wide default will be used.\n");
+  }
+  process.stdout.write("Step 4/4: Wiring up HOOK.md and restarting OpenClaw...\n");
+  execSync(`node "${selfBin}" install-hook`, { stdio: "inherit" });
+  execSync(`node "${selfBin}" restart-openclaw`, { stdio: "inherit" });
+  process.stdout.write('\n\u2713 FastGRC setup complete. Run "fastgrc-hook test" to verify.\n');
+  process.exit(0);
+}
+if (cmd === "uninstall-hook") {
+  const targetDir = arg || process.cwd();
+  const hookMdPath = path.join(targetDir, "HOOK.md");
+  if (!fs.existsSync(hookMdPath)) {
+    process.stdout.write("No HOOK.md found \u2014 nothing to remove.\n");
     process.exit(0);
   }
-  const resolvedToolName = toolName || (raw ? JSON.parse(raw)?.tool_name ?? "unknown" : "unknown");
-  if (!args || Object.keys(args).length === 0) {
-    try {
-      args = JSON.parse(toolInputRaw);
-    } catch {
-      args = {};
-    }
+  const existing = fs.readFileSync(hookMdPath, "utf8");
+  const patched = existing.replace(
+    /[ \t]*-[ \t]*matcher:[ \t]*PreToolUse\n[ \t]*handler:[ \t]*"[^"]*(?:fastgrc-hook|fastgrc-openclaw)[^"]*"\n?/,
+    ""
+  );
+  if (patched === existing) {
+    process.stdout.write("FastGRC hook not found in HOOK.md \u2014 nothing to remove.\n");
+  } else {
+    fs.writeFileSync(hookMdPath, patched, "utf8");
+    process.stdout.write(`\u2713 FastGRC hook removed from ${hookMdPath}
+`);
   }
-  const result = await evaluate({
-    toolName: resolvedToolName,
-    args,
-    agentId,
+  process.exit(0);
+}
+if (cmd === "uninstall") {
+  const { execSync } = __require("child_process");
+  const selfBin = process.argv[1];
+  const targetDir = arg || process.cwd();
+  process.stdout.write("Removing FastGRC from this OpenClaw deployment...\n\n");
+  process.stdout.write("1. Removing OpenClaw plugin...\n");
+  try {
+    execSync("sudo openclaw plugins remove fastgrc-openclaw", { stdio: "inherit" });
+  } catch {
+    process.stdout.write("   (plugin was not installed \u2014 skipped)\n");
+  }
+  process.stdout.write("2. Clearing config...\n");
+  const cfg = readConfig();
+  delete cfg.apiKey;
+  delete cfg.policyId;
+  writeConfig(cfg);
+  process.stdout.write("   API key and policy ID removed from ~/.fastgrc.json\n");
+  process.stdout.write("3. Removing hook from HOOK.md...\n");
+  execSync(`node "${selfBin}" uninstall-hook "${targetDir}"`, { stdio: "inherit" });
+  process.stdout.write("4. Restarting OpenClaw...\n");
+  execSync(`node "${selfBin}" restart-openclaw`, { stdio: "inherit" });
+  process.stdout.write(
+    "\n\u2713 FastGRC removed.\nTo fully remove the CLI: npm uninstall -g fastgrc-openclaw\n"
+  );
+  process.exit(0);
+}
+if (cmd === "test") {
+  const testCommand = arg || "rm -rf /production-db";
+  const payload = JSON.stringify({
+    tool_name: "Bash",
+    tool_input: { command: testCommand },
+    session_id: "fastgrc-hook-test"
+  });
+  const { handlerStr } = computeHandler();
+  process.stdout.write(`Testing handler: ${handlerStr}
+`);
+  process.stdout.write(`Payload: ${payload}
+
+`);
+  const apiKey = process.env.FASTGRC_API_KEY ?? readConfig().apiKey;
+  if (!apiKey) {
+    process.stderr.write("No API key configured. Run: fastgrc-hook set-key fgrc_k1_...\n");
+    process.exit(1);
+  }
+  const baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
+  const policyId = process.env.FASTGRC_POLICY_ID ?? readConfig().policyId;
+  const ctx = JSON.parse(payload);
+  evaluate({
+    toolName: ctx.tool_name,
+    args: ctx.tool_input,
+    agentId: ctx.session_id,
     apiKey,
-    // narrowed at module level via early-exit guard above
     policyId,
     baseUrl
+  }).then((result) => {
+    if (!result) {
+      process.stdout.write("Evaluate returned null (fail-open) \u2014 network error or timeout.\n");
+      process.exit(0);
+    }
+    process.stdout.write(`Decision: ${result.decision}
+`);
+    if (result.reasoning) process.stdout.write(`Reason: ${result.reasoning}
+`);
+    if (result.policyContext?.matchedRule) process.stdout.write(`Matched rule: ${result.policyContext.matchedRule}
+`);
+    process.exit(result.decision === "block" || result.decision === "require_approval" ? 2 : 0);
+  }).catch((err) => {
+    process.stderr.write(`Test failed: ${err}
+`);
+    process.exit(1);
   });
-  if (!result) {
+} else if (cmd === "where" || cmd === "which-hook") {
+  const { handlerStr, binPath } = computeHandler();
+  process.stdout.write(`Binary: ${binPath}
+`);
+  process.stdout.write(`Handler: ${handlerStr}
+`);
+  process.exit(0);
+}
+if (cmd === "test" || cmd === "where" || cmd === "which-hook" || cmd === "restart-openclaw" || cmd === "setup" || cmd === "uninstall" || cmd === "uninstall-hook") {
+} else {
+  const apiKey = process.env.FASTGRC_API_KEY ?? readConfig().apiKey;
+  if (!apiKey) {
+    process.stderr.write("[fastgrc-hook] No API key configured \u2014 run: fastgrc-hook set-key fgrc_k1_...\n");
     process.exit(0);
   }
-  const { decision, reasoning, policyContext, reasonTags } = result;
-  const matchedRule = policyContext?.matchedRule;
-  if (decision === "block") {
-    const msg = matchedRule ? `FastGRC blocked: [${matchedRule}] ${reasoning}` : `FastGRC blocked: ${reasoning}`;
-    process.stderr.write(msg + "\n");
-    process.exit(2);
-  }
-  if (decision === "require_approval") {
-    process.stderr.write(
-      `FastGRC requires approval before this action.
+  const baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
+  const policyId = process.env.FASTGRC_POLICY_ID ?? readConfig().policyId;
+  async function main() {
+    const chunks = [];
+    for await (const chunk of process.stdin) chunks.push(chunk);
+    const raw = Buffer.concat(chunks).toString("utf8").trim();
+    const toolName = process.env.HOOK_TOOL_NAME ?? "";
+    const toolInputRaw = process.env.HOOK_TOOL_INPUT ?? "{}";
+    let args = {};
+    let agentId;
+    if (raw) {
+      try {
+        const ctx = JSON.parse(raw);
+        args = ctx.tool_input ?? ctx.input ?? ctx.args ?? {};
+        agentId = ctx.agent_id ?? ctx.agentId ?? ctx.session_id;
+      } catch {
+      }
+    }
+    if (!toolName && !raw) {
+      process.exit(0);
+    }
+    const resolvedToolName = toolName || (raw ? JSON.parse(raw)?.tool_name ?? "unknown" : "unknown");
+    if (!args || Object.keys(args).length === 0) {
+      try {
+        args = JSON.parse(toolInputRaw);
+      } catch {
+        args = {};
+      }
+    }
+    const result = await evaluate({
+      toolName: resolvedToolName,
+      args,
+      agentId,
+      apiKey,
+      // narrowed at module level via early-exit guard above
+      policyId,
+      baseUrl
+    });
+    if (!result) {
+      process.exit(0);
+    }
+    const { decision, reasoning, policyContext, reasonTags } = result;
+    const matchedRule = policyContext?.matchedRule;
+    if (decision === "block") {
+      const msg = matchedRule ? `FastGRC blocked: [${matchedRule}] ${reasoning}` : `FastGRC blocked: ${reasoning}`;
+      process.stderr.write(msg + "\n");
+      process.exit(2);
+    }
+    if (decision === "require_approval") {
+      process.stderr.write(
+        `FastGRC requires approval before this action.
 ${reasoning}
 Review at: ${baseUrl}/dashboard/agent-policies
 `
-    );
-    process.exit(2);
-  }
-  if (Array.isArray(reasonTags) && reasonTags.includes("override_block_active")) {
-    const msg = matchedRule ? `[FastGRC] Observability mode \u2014 would have blocked: [${matchedRule}] ${reasoning}` : `[FastGRC] Observability mode \u2014 would have blocked: ${reasoning}`;
-    process.stderr.write(msg + "\n");
+      );
+      process.exit(2);
+    }
+    if (Array.isArray(reasonTags) && reasonTags.includes("override_block_active")) {
+      const msg = matchedRule ? `[FastGRC] Observability mode \u2014 would have blocked: [${matchedRule}] ${reasoning}` : `[FastGRC] Observability mode \u2014 would have blocked: ${reasoning}`;
+      process.stderr.write(msg + "\n");
+    }
+    process.exit(0);
   }
-  process.exit(0);
-}
-main().catch((err) => {
-  process.stderr.write(`[fastgrc-hook] Unexpected error: ${err}
+  main().catch((err) => {
+    process.stderr.write(`[fastgrc-hook] Unexpected error: ${err}
 `);
-  process.exit(0);
-});
+    process.exit(0);
+  });
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fastgrc-openclaw",
-  "version": "1.0.20",
+  "version": "1.0.23",
   "description": "FastGRC agent compliance plugin for OpenClaw — evaluates every tool call against your policy before it executes",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",