fastgrc-openclaw 1.0.20 → 1.0.24

package/dist/bin.js

@@ -38,12 +38,12 @@ async function evaluate(payload) {
     agentId,
     agentType,
     agentName,
-    apiKey: apiKey2,
-    policyId: policyId2,
-    baseUrl: baseUrl2 = DEFAULT_BASE_URL,
+    apiKey,
+    policyId,
+    baseUrl = DEFAULT_BASE_URL,
     timeoutMs = DEFAULT_TIMEOUT_MS
   } = payload;
-  const evalUrl = `${baseUrl2.replace(/\/$/, "")}/api/v1/policy-router/evaluate`;
+  const evalUrl = `${baseUrl.replace(/\/$/, "")}/api/v1/policy-router/evaluate`;
   const content = `tool_name: ${toolName}
 args: ${JSON.stringify(args)}`;
   try {
@@ -52,7 +52,7 @@ args: ${JSON.stringify(args)}`;
     const res = await fetch(evalUrl, {
       method: "POST",
       headers: {
-        "Authorization": `Bearer ${apiKey2}`,
+        "Authorization": `Bearer ${apiKey}`,
         "Content-Type": "application/json"
       },
       body: JSON.stringify({
@@ -62,7 +62,7 @@ args: ${JSON.stringify(args)}`;
         agentId,
         agentType,
         agentName,
-        ...policyId2 ? { policyId: policyId2 } : {}
+        ...policyId ? { policyId } : {}
       }),
       signal: controller.signal
     });
@@ -91,6 +91,101 @@ function readConfig() {
 function writeConfig(data) {
   fs.writeFileSync(CONFIG_PATH, JSON.stringify(data, null, 2), { mode: 384 });
 }
+function computeHandler() {
+  const binPath = process.argv[1];
+  const homeDir = os.homedir();
+  return { binPath, homeDir, handlerStr: `HOME=${homeDir} node ${binPath}` };
+}
+function printTestSnippet(handlerStr) {
+  process.stdout.write(
+    `
+Test it directly (bypasses OpenClaw):
+  echo '{"tool_name":"Bash","tool_input":{"command":"rm -rf /production"},"session_id":"t1"}' \\
+    | ${handlerStr}
+  # exit 2 = blocked, exit 0 = allowed
+`
+  );
+}
+function doInstallHook(targetDir) {
+  const hookMdPath = path.join(targetDir, "HOOK.md");
+  const { handlerStr } = computeHandler();
+  const HOOK_ENTRY = `  - matcher: PreToolUse
+    handler: "${handlerStr}"
+`;
+  const HOOK_BLOCK = "---\nname: FastGRC Policy Check\ndescription: Evaluate every tool call against your FastGRC compliance policy\nhooks:\n" + HOOK_ENTRY + "---\n";
+  const hasKey = !!(readConfig().apiKey || process.env.FASTGRC_API_KEY);
+  if (!hasKey) {
+    process.stdout.write("\u26A0  No API key set yet. Run: fastgrc-hook set-key fgrc_k1_your_key\n\n");
+  }
+  if (!fs.existsSync(hookMdPath)) {
+    fs.writeFileSync(hookMdPath, HOOK_BLOCK, "utf8");
+    process.stdout.write(`\u2713 Created ${hookMdPath}
+   Handler: ${handlerStr}
+
+Restart OpenClaw \u2014 FastGRC will evaluate every tool call.
+`);
+    printTestSnippet(handlerStr);
+    return;
+  }
+  const existing = fs.readFileSync(hookMdPath, "utf8");
+  if (existing.includes(handlerStr)) {
+    process.stdout.write(`\u2713 FastGRC hook already up to date in ${hookMdPath}
+   Handler: ${handlerStr}
+`);
+    printTestSnippet(handlerStr);
+    return;
+  }
+  if (existing.includes("fastgrc-hook") || existing.includes("fastgrc-openclaw")) {
+    const patched = existing.replace(
+      /handler:\s*"[^"]*(?:fastgrc-hook|fastgrc-openclaw)[^"]*"/,
+      `handler: "${handlerStr}"`
+    );
+    fs.writeFileSync(hookMdPath, patched, "utf8");
+    process.stdout.write(`\u2713 Updated handler in ${hookMdPath} \u2014 now uses absolute path.
+   Handler: ${handlerStr}
+
+Restart OpenClaw to activate.
+`);
+    printTestSnippet(handlerStr);
+    return;
+  }
+  const fmEnd = existing.indexOf("\n---", 3);
+  let updated;
+  if (fmEnd !== -1) {
+    const hasHooksKey = existing.lastIndexOf("hooks:", fmEnd) !== -1;
+    const insertText = hasHooksKey ? HOOK_ENTRY : `hooks:
+${HOOK_ENTRY}`;
+    updated = existing.slice(0, fmEnd) + "\n" + insertText + existing.slice(fmEnd);
+  } else {
+    updated = HOOK_BLOCK + "\n" + existing;
+  }
+  fs.writeFileSync(hookMdPath, updated, "utf8");
+  process.stdout.write(`\u2713 Updated ${hookMdPath} \u2014 FastGRC hook added.
+   Handler: ${handlerStr}
+
+Restart OpenClaw to activate.
+`);
+  printTestSnippet(handlerStr);
+}
+function doUninstallHook(targetDir) {
+  const hookMdPath = path.join(targetDir, "HOOK.md");
+  if (!fs.existsSync(hookMdPath)) {
+    process.stdout.write("No HOOK.md found \u2014 nothing to remove.\n");
+    return;
+  }
+  const existing = fs.readFileSync(hookMdPath, "utf8");
+  const patched = existing.replace(
+    /[ \t]*-[ \t]*matcher:[ \t]*PreToolUse\n[ \t]*handler:[ \t]*"[^"]*(?:fastgrc-hook|fastgrc-openclaw)[^"]*"\n?/,
+    ""
+  );
+  if (patched === existing) {
+    process.stdout.write("FastGRC hook not found in HOOK.md \u2014 nothing to remove.\n");
+  } else {
+    fs.writeFileSync(hookMdPath, patched, "utf8");
+    process.stdout.write(`\u2713 FastGRC hook removed from ${hookMdPath}
+`);
+  }
+}
 var [, , cmd, arg] = process.argv;
 if (cmd === "set-key") {
   if (!arg) {
@@ -150,133 +245,184 @@ if (cmd === "unset-policy") {
   process.exit(0);
 }
 if (cmd === "install-hook") {
-  const targetDir = arg || process.cwd();
-  const hookMdPath = path.join(targetDir, "HOOK.md");
-  const binPath = process.argv[1];
-  const homeDir = os.homedir();
-  const handlerStr = `HOME=${homeDir} node ${binPath}`;
-  const HOOK_ENTRY = `  - matcher: PreToolUse
-    handler: "${handlerStr}"
-`;
-  const HOOK_BLOCK = "---\nname: FastGRC Policy Check\ndescription: Evaluate every tool call against your FastGRC compliance policy\nhooks:\n" + HOOK_ENTRY + "---\n";
-  const hasKey = !!(readConfig().apiKey || process.env.FASTGRC_API_KEY);
-  if (!hasKey) {
-    process.stdout.write("\u26A0  No API key set yet. Run: fastgrc-hook set-key fgrc_k1_your_key\n\n");
-  }
-  if (!fs.existsSync(hookMdPath)) {
-    fs.writeFileSync(hookMdPath, HOOK_BLOCK, "utf8");
-    process.stdout.write(`\u2713 Created ${hookMdPath}
-
-Restart OpenClaw \u2014 FastGRC will evaluate every tool call.
-`);
-    process.exit(0);
-  }
-  const existing = fs.readFileSync(hookMdPath, "utf8");
-  if (existing.includes(handlerStr)) {
-    process.stdout.write(`\u2713 FastGRC hook already up to date in ${hookMdPath}
-`);
-    process.exit(0);
+  doInstallHook(arg || process.cwd());
+  process.exit(0);
+}
+if (cmd === "uninstall-hook") {
+  doUninstallHook(arg || process.cwd());
+  process.exit(0);
+}
+if (cmd === "setup") {
+  const rest = process.argv.slice(3);
+  let apiKeyArg;
+  let policyIdArg;
+  for (let i = 0; i < rest.length; i++) {
+    if (rest[i] === "--api-key" && rest[i + 1]) {
+      apiKeyArg = rest[++i];
+    } else if (rest[i] === "--policy-id" && rest[i + 1]) {
+      policyIdArg = rest[++i];
+    } else if (!apiKeyArg && !rest[i].startsWith("--")) {
+      apiKeyArg = rest[i];
+    } else if (!policyIdArg && !rest[i].startsWith("--")) {
+      policyIdArg = rest[i];
+    }
   }
-  if (existing.includes("fastgrc-hook") || existing.includes("fastgrc-openclaw")) {
-    const patched = existing.replace(
-      /handler:\s*"[^"]*(?:fastgrc-hook|fastgrc-openclaw)[^"]*"/,
-      `handler: "${handlerStr}"`
-    );
-    fs.writeFileSync(hookMdPath, patched, "utf8");
-    process.stdout.write(`\u2713 Updated handler in ${hookMdPath} \u2014 now uses absolute path.
-
-Restart OpenClaw to activate.
-`);
-    process.exit(0);
+  if (!apiKeyArg) {
+    process.stderr.write("Usage: fastgrc-hook setup --api-key <key> [--policy-id <id>]\n");
+    process.exit(1);
   }
-  const fmEnd = existing.indexOf("\n---", 3);
-  let updated;
-  if (fmEnd !== -1) {
-    const hasHooksKey = existing.lastIndexOf("hooks:", fmEnd) !== -1;
-    const insertText = hasHooksKey ? HOOK_ENTRY : `hooks:
-${HOOK_ENTRY}`;
-    updated = existing.slice(0, fmEnd) + "\n" + insertText + existing.slice(fmEnd);
+  writeConfig({ ...readConfig(), apiKey: apiKeyArg });
+  process.stdout.write("\u2713 API key saved to ~/.fastgrc.json\n");
+  if (policyIdArg) {
+    writeConfig({ ...readConfig(), policyId: policyIdArg });
+    process.stdout.write("\u2713 Policy ID saved to ~/.fastgrc.json\n");
   } else {
-    updated = HOOK_BLOCK + "\n" + existing;
+    process.stdout.write("  (no policy ID \u2014 org-wide default will be used)\n");
   }
-  fs.writeFileSync(hookMdPath, updated, "utf8");
-  process.stdout.write(`\u2713 Updated ${hookMdPath} \u2014 FastGRC hook added.
-
-Restart OpenClaw to activate.
-`);
+  doInstallHook(process.cwd());
+  process.stdout.write("\n\u2713 Config and HOOK.md done.\n");
+  process.stdout.write('Run "fastgrc-hook test" to verify the hook.\n');
   process.exit(0);
 }
-var apiKey = process.env.FASTGRC_API_KEY ?? readConfig().apiKey;
-if (!apiKey) {
-  process.stderr.write("[fastgrc-hook] No API key configured \u2014 run: fastgrc-hook set-key fgrc_k1_...\n");
+if (cmd === "uninstall") {
+  const targetDir = arg || process.cwd();
+  const cfg = readConfig();
+  delete cfg.apiKey;
+  delete cfg.policyId;
+  writeConfig(cfg);
+  process.stdout.write("\u2713 API key and policy ID removed from ~/.fastgrc.json\n");
+  doUninstallHook(targetDir);
+  process.stdout.write(
+    "\n\u2713 Config and HOOK.md cleaned up.\nComplete removal \u2014 run these two commands:\n  sudo openclaw plugins remove fastgrc-openclaw\n  npm uninstall -g fastgrc-openclaw\n"
+  );
   process.exit(0);
 }
-var baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
-var policyId = process.env.FASTGRC_POLICY_ID ?? readConfig().policyId;
-async function main() {
-  const chunks = [];
-  for await (const chunk of process.stdin) chunks.push(chunk);
-  const raw = Buffer.concat(chunks).toString("utf8").trim();
-  const toolName = process.env.HOOK_TOOL_NAME ?? "";
-  const toolInputRaw = process.env.HOOK_TOOL_INPUT ?? "{}";
-  let args = {};
-  let agentId;
-  if (raw) {
-    try {
-      const ctx = JSON.parse(raw);
-      args = ctx.tool_input ?? ctx.input ?? ctx.args ?? {};
-      agentId = ctx.agent_id ?? ctx.agentId ?? ctx.session_id;
-    } catch {
-    }
-  }
-  if (!toolName && !raw) {
-    process.exit(0);
-  }
-  const resolvedToolName = toolName || (raw ? JSON.parse(raw)?.tool_name ?? "unknown" : "unknown");
-  if (!args || Object.keys(args).length === 0) {
-    try {
-      args = JSON.parse(toolInputRaw);
-    } catch {
-      args = {};
-    }
+if (cmd === "test") {
+  const testCommand = arg || "rm -rf /production-db";
+  const payload = JSON.stringify({
+    tool_name: "Bash",
+    tool_input: { command: testCommand },
+    session_id: "fastgrc-hook-test"
+  });
+  const { handlerStr } = computeHandler();
+  process.stdout.write(`Testing handler: ${handlerStr}
+`);
+  process.stdout.write(`Payload: ${payload}
+
+`);
+  const apiKey = process.env.FASTGRC_API_KEY ?? readConfig().apiKey;
+  if (!apiKey) {
+    process.stderr.write("No API key configured. Run: fastgrc-hook set-key fgrc_k1_...\n");
+    process.exit(1);
   }
-  const result = await evaluate({
-    toolName: resolvedToolName,
-    args,
-    agentId,
+  const baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
+  const policyId = process.env.FASTGRC_POLICY_ID ?? readConfig().policyId;
+  const ctx = JSON.parse(payload);
+  evaluate({
+    toolName: ctx.tool_name,
+    args: ctx.tool_input,
+    agentId: ctx.session_id,
     apiKey,
-    // narrowed at module level via early-exit guard above
     policyId,
     baseUrl
+  }).then((result) => {
+    if (!result) {
+      process.stdout.write("Evaluate returned null (fail-open) \u2014 network error or timeout.\n");
+      process.exit(0);
+    }
+    process.stdout.write(`Decision: ${result.decision}
+`);
+    if (result.reasoning) process.stdout.write(`Reason: ${result.reasoning}
+`);
+    if (result.policyContext?.matchedRule) process.stdout.write(`Matched rule: ${result.policyContext.matchedRule}
+`);
+    process.exit(result.decision === "block" || result.decision === "require_approval" ? 2 : 0);
+  }).catch((err) => {
+    process.stderr.write(`Test failed: ${err}
+`);
+    process.exit(1);
   });
-  if (!result) {
+} else if (cmd === "where" || cmd === "which-hook") {
+  const { handlerStr, binPath } = computeHandler();
+  process.stdout.write(`Binary: ${binPath}
+`);
+  process.stdout.write(`Handler: ${handlerStr}
+`);
+  process.exit(0);
+}
+if (cmd === "test" || cmd === "where" || cmd === "which-hook" || cmd === "setup" || cmd === "uninstall" || cmd === "install-hook" || cmd === "uninstall-hook") {
+} else {
+  const apiKey = process.env.FASTGRC_API_KEY ?? readConfig().apiKey;
+  if (!apiKey) {
+    process.stderr.write("[fastgrc-hook] No API key configured \u2014 run: fastgrc-hook set-key fgrc_k1_...\n");
     process.exit(0);
   }
-  const { decision, reasoning, policyContext, reasonTags } = result;
-  const matchedRule = policyContext?.matchedRule;
-  if (decision === "block") {
-    const msg = matchedRule ? `FastGRC blocked: [${matchedRule}] ${reasoning}` : `FastGRC blocked: ${reasoning}`;
-    process.stderr.write(msg + "\n");
-    process.exit(2);
-  }
-  if (decision === "require_approval") {
-    process.stderr.write(
-      `FastGRC requires approval before this action.
+  const baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
+  const policyId = process.env.FASTGRC_POLICY_ID ?? readConfig().policyId;
+  async function main() {
+    const chunks = [];
+    for await (const chunk of process.stdin) chunks.push(chunk);
+    const raw = Buffer.concat(chunks).toString("utf8").trim();
+    const toolName = process.env.HOOK_TOOL_NAME ?? "";
+    const toolInputRaw = process.env.HOOK_TOOL_INPUT ?? "{}";
+    let args = {};
+    let agentId;
+    if (raw) {
+      try {
+        const ctx = JSON.parse(raw);
+        args = ctx.tool_input ?? ctx.input ?? ctx.args ?? {};
+        agentId = ctx.agent_id ?? ctx.agentId ?? ctx.session_id;
+      } catch {
+      }
+    }
+    if (!toolName && !raw) {
+      process.exit(0);
+    }
+    const resolvedToolName = toolName || (raw ? JSON.parse(raw)?.tool_name ?? "unknown" : "unknown");
+    if (!args || Object.keys(args).length === 0) {
+      try {
+        args = JSON.parse(toolInputRaw);
+      } catch {
+        args = {};
+      }
+    }
+    const result = await evaluate({
+      toolName: resolvedToolName,
+      args,
+      agentId,
+      apiKey,
+      policyId,
+      baseUrl
+    });
+    if (!result) {
+      process.exit(0);
+    }
+    const { decision, reasoning, policyContext, reasonTags } = result;
+    const matchedRule = policyContext?.matchedRule;
+    if (decision === "block") {
+      const msg = matchedRule ? `FastGRC blocked: [${matchedRule}] ${reasoning}` : `FastGRC blocked: ${reasoning}`;
+      process.stderr.write(msg + "\n");
+      process.exit(2);
+    }
+    if (decision === "require_approval") {
+      process.stderr.write(
+        `FastGRC requires approval before this action.
 ${reasoning}
 Review at: ${baseUrl}/dashboard/agent-policies
 `
-    );
-    process.exit(2);
-  }
-  if (Array.isArray(reasonTags) && reasonTags.includes("override_block_active")) {
-    const msg = matchedRule ? `[FastGRC] Observability mode \u2014 would have blocked: [${matchedRule}] ${reasoning}` : `[FastGRC] Observability mode \u2014 would have blocked: ${reasoning}`;
-    process.stderr.write(msg + "\n");
+      );
+      process.exit(2);
+    }
+    if (Array.isArray(reasonTags) && reasonTags.includes("override_block_active")) {
+      const msg = matchedRule ? `[FastGRC] Observability mode \u2014 would have blocked: [${matchedRule}] ${reasoning}` : `[FastGRC] Observability mode \u2014 would have blocked: ${reasoning}`;
+      process.stderr.write(msg + "\n");
+    }
+    process.exit(0);
   }
-  process.exit(0);
-}
-main().catch((err) => {
-  process.stderr.write(`[fastgrc-hook] Unexpected error: ${err}
+  main().catch((err) => {
+    process.stderr.write(`[fastgrc-hook] Unexpected error: ${err}
 `);
-  process.exit(0);
-});
+    process.exit(0);
+  });
+}
 module.exports = module.exports.default ?? module.exports;

package/dist/bin.mjs

@@ -15,12 +15,12 @@ async function evaluate(payload) {
     agentId,
     agentType,
     agentName,
-    apiKey: apiKey2,
-    policyId: policyId2,
-    baseUrl: baseUrl2 = DEFAULT_BASE_URL,
+    apiKey,
+    policyId,
+    baseUrl = DEFAULT_BASE_URL,
     timeoutMs = DEFAULT_TIMEOUT_MS
   } = payload;
-  const evalUrl = `${baseUrl2.replace(/\/$/, "")}/api/v1/policy-router/evaluate`;
+  const evalUrl = `${baseUrl.replace(/\/$/, "")}/api/v1/policy-router/evaluate`;
   const content = `tool_name: ${toolName}
 args: ${JSON.stringify(args)}`;
   try {
@@ -29,7 +29,7 @@ args: ${JSON.stringify(args)}`;
     const res = await fetch(evalUrl, {
       method: "POST",
       headers: {
-        "Authorization": `Bearer ${apiKey2}`,
+        "Authorization": `Bearer ${apiKey}`,
         "Content-Type": "application/json"
       },
       body: JSON.stringify({
@@ -39,7 +39,7 @@ args: ${JSON.stringify(args)}`;
         agentId,
         agentType,
         agentName,
-        ...policyId2 ? { policyId: policyId2 } : {}
+        ...policyId ? { policyId } : {}
       }),
       signal: controller.signal
     });
@@ -68,6 +68,101 @@ function readConfig() {
 function writeConfig(data) {
   fs.writeFileSync(CONFIG_PATH, JSON.stringify(data, null, 2), { mode: 384 });
 }
+function computeHandler() {
+  const binPath = process.argv[1];
+  const homeDir = os.homedir();
+  return { binPath, homeDir, handlerStr: `HOME=${homeDir} node ${binPath}` };
+}
+function printTestSnippet(handlerStr) {
+  process.stdout.write(
+    `
+Test it directly (bypasses OpenClaw):
+  echo '{"tool_name":"Bash","tool_input":{"command":"rm -rf /production"},"session_id":"t1"}' \\
+    | ${handlerStr}
+  # exit 2 = blocked, exit 0 = allowed
+`
+  );
+}
+function doInstallHook(targetDir) {
+  const hookMdPath = path.join(targetDir, "HOOK.md");
+  const { handlerStr } = computeHandler();
+  const HOOK_ENTRY = `  - matcher: PreToolUse
+    handler: "${handlerStr}"
+`;
+  const HOOK_BLOCK = "---\nname: FastGRC Policy Check\ndescription: Evaluate every tool call against your FastGRC compliance policy\nhooks:\n" + HOOK_ENTRY + "---\n";
+  const hasKey = !!(readConfig().apiKey || process.env.FASTGRC_API_KEY);
+  if (!hasKey) {
+    process.stdout.write("\u26A0  No API key set yet. Run: fastgrc-hook set-key fgrc_k1_your_key\n\n");
+  }
+  if (!fs.existsSync(hookMdPath)) {
+    fs.writeFileSync(hookMdPath, HOOK_BLOCK, "utf8");
+    process.stdout.write(`\u2713 Created ${hookMdPath}
+   Handler: ${handlerStr}
+
+Restart OpenClaw \u2014 FastGRC will evaluate every tool call.
+`);
+    printTestSnippet(handlerStr);
+    return;
+  }
+  const existing = fs.readFileSync(hookMdPath, "utf8");
+  if (existing.includes(handlerStr)) {
+    process.stdout.write(`\u2713 FastGRC hook already up to date in ${hookMdPath}
+   Handler: ${handlerStr}
+`);
+    printTestSnippet(handlerStr);
+    return;
+  }
+  if (existing.includes("fastgrc-hook") || existing.includes("fastgrc-openclaw")) {
+    const patched = existing.replace(
+      /handler:\s*"[^"]*(?:fastgrc-hook|fastgrc-openclaw)[^"]*"/,
+      `handler: "${handlerStr}"`
+    );
+    fs.writeFileSync(hookMdPath, patched, "utf8");
+    process.stdout.write(`\u2713 Updated handler in ${hookMdPath} \u2014 now uses absolute path.
+   Handler: ${handlerStr}
+
+Restart OpenClaw to activate.
+`);
+    printTestSnippet(handlerStr);
+    return;
+  }
+  const fmEnd = existing.indexOf("\n---", 3);
+  let updated;
+  if (fmEnd !== -1) {
+    const hasHooksKey = existing.lastIndexOf("hooks:", fmEnd) !== -1;
+    const insertText = hasHooksKey ? HOOK_ENTRY : `hooks:
+${HOOK_ENTRY}`;
+    updated = existing.slice(0, fmEnd) + "\n" + insertText + existing.slice(fmEnd);
+  } else {
+    updated = HOOK_BLOCK + "\n" + existing;
+  }
+  fs.writeFileSync(hookMdPath, updated, "utf8");
+  process.stdout.write(`\u2713 Updated ${hookMdPath} \u2014 FastGRC hook added.
+   Handler: ${handlerStr}
+
+Restart OpenClaw to activate.
+`);
+  printTestSnippet(handlerStr);
+}
+function doUninstallHook(targetDir) {
+  const hookMdPath = path.join(targetDir, "HOOK.md");
+  if (!fs.existsSync(hookMdPath)) {
+    process.stdout.write("No HOOK.md found \u2014 nothing to remove.\n");
+    return;
+  }
+  const existing = fs.readFileSync(hookMdPath, "utf8");
+  const patched = existing.replace(
+    /[ \t]*-[ \t]*matcher:[ \t]*PreToolUse\n[ \t]*handler:[ \t]*"[^"]*(?:fastgrc-hook|fastgrc-openclaw)[^"]*"\n?/,
+    ""
+  );
+  if (patched === existing) {
+    process.stdout.write("FastGRC hook not found in HOOK.md \u2014 nothing to remove.\n");
+  } else {
+    fs.writeFileSync(hookMdPath, patched, "utf8");
+    process.stdout.write(`\u2713 FastGRC hook removed from ${hookMdPath}
+`);
+  }
+}
 var [, , cmd, arg] = process.argv;
 if (cmd === "set-key") {
   if (!arg) {
@@ -127,132 +222,183 @@ if (cmd === "unset-policy") {
   process.exit(0);
 }
 if (cmd === "install-hook") {
-  const targetDir = arg || process.cwd();
-  const hookMdPath = path.join(targetDir, "HOOK.md");
-  const binPath = process.argv[1];
-  const homeDir = os.homedir();
-  const handlerStr = `HOME=${homeDir} node ${binPath}`;
-  const HOOK_ENTRY = `  - matcher: PreToolUse
-    handler: "${handlerStr}"
-`;
-  const HOOK_BLOCK = "---\nname: FastGRC Policy Check\ndescription: Evaluate every tool call against your FastGRC compliance policy\nhooks:\n" + HOOK_ENTRY + "---\n";
-  const hasKey = !!(readConfig().apiKey || process.env.FASTGRC_API_KEY);
-  if (!hasKey) {
-    process.stdout.write("\u26A0  No API key set yet. Run: fastgrc-hook set-key fgrc_k1_your_key\n\n");
-  }
-  if (!fs.existsSync(hookMdPath)) {
-    fs.writeFileSync(hookMdPath, HOOK_BLOCK, "utf8");
-    process.stdout.write(`\u2713 Created ${hookMdPath}
-
-Restart OpenClaw \u2014 FastGRC will evaluate every tool call.
-`);
-    process.exit(0);
-  }
-  const existing = fs.readFileSync(hookMdPath, "utf8");
-  if (existing.includes(handlerStr)) {
-    process.stdout.write(`\u2713 FastGRC hook already up to date in ${hookMdPath}
-`);
-    process.exit(0);
+  doInstallHook(arg || process.cwd());
+  process.exit(0);
+}
+if (cmd === "uninstall-hook") {
+  doUninstallHook(arg || process.cwd());
+  process.exit(0);
+}
+if (cmd === "setup") {
+  const rest = process.argv.slice(3);
+  let apiKeyArg;
+  let policyIdArg;
+  for (let i = 0; i < rest.length; i++) {
+    if (rest[i] === "--api-key" && rest[i + 1]) {
+      apiKeyArg = rest[++i];
+    } else if (rest[i] === "--policy-id" && rest[i + 1]) {
+      policyIdArg = rest[++i];
+    } else if (!apiKeyArg && !rest[i].startsWith("--")) {
+      apiKeyArg = rest[i];
+    } else if (!policyIdArg && !rest[i].startsWith("--")) {
+      policyIdArg = rest[i];
+    }
   }
-  if (existing.includes("fastgrc-hook") || existing.includes("fastgrc-openclaw")) {
-    const patched = existing.replace(
-      /handler:\s*"[^"]*(?:fastgrc-hook|fastgrc-openclaw)[^"]*"/,
-      `handler: "${handlerStr}"`
-    );
-    fs.writeFileSync(hookMdPath, patched, "utf8");
-    process.stdout.write(`\u2713 Updated handler in ${hookMdPath} \u2014 now uses absolute path.
-
-Restart OpenClaw to activate.
-`);
-    process.exit(0);
+  if (!apiKeyArg) {
+    process.stderr.write("Usage: fastgrc-hook setup --api-key <key> [--policy-id <id>]\n");
+    process.exit(1);
   }
-  const fmEnd = existing.indexOf("\n---", 3);
-  let updated;
-  if (fmEnd !== -1) {
-    const hasHooksKey = existing.lastIndexOf("hooks:", fmEnd) !== -1;
-    const insertText = hasHooksKey ? HOOK_ENTRY : `hooks:
-${HOOK_ENTRY}`;
-    updated = existing.slice(0, fmEnd) + "\n" + insertText + existing.slice(fmEnd);
+  writeConfig({ ...readConfig(), apiKey: apiKeyArg });
+  process.stdout.write("\u2713 API key saved to ~/.fastgrc.json\n");
+  if (policyIdArg) {
+    writeConfig({ ...readConfig(), policyId: policyIdArg });
+    process.stdout.write("\u2713 Policy ID saved to ~/.fastgrc.json\n");
   } else {
-    updated = HOOK_BLOCK + "\n" + existing;
+    process.stdout.write("  (no policy ID \u2014 org-wide default will be used)\n");
   }
-  fs.writeFileSync(hookMdPath, updated, "utf8");
-  process.stdout.write(`\u2713 Updated ${hookMdPath} \u2014 FastGRC hook added.
-
-Restart OpenClaw to activate.
-`);
+  doInstallHook(process.cwd());
+  process.stdout.write("\n\u2713 Config and HOOK.md done.\n");
+  process.stdout.write('Run "fastgrc-hook test" to verify the hook.\n');
   process.exit(0);
 }
-var apiKey = process.env.FASTGRC_API_KEY ?? readConfig().apiKey;
-if (!apiKey) {
-  process.stderr.write("[fastgrc-hook] No API key configured \u2014 run: fastgrc-hook set-key fgrc_k1_...\n");
+if (cmd === "uninstall") {
+  const targetDir = arg || process.cwd();
+  const cfg = readConfig();
+  delete cfg.apiKey;
+  delete cfg.policyId;
+  writeConfig(cfg);
+  process.stdout.write("\u2713 API key and policy ID removed from ~/.fastgrc.json\n");
+  doUninstallHook(targetDir);
+  process.stdout.write(
+    "\n\u2713 Config and HOOK.md cleaned up.\nComplete removal \u2014 run these two commands:\n  sudo openclaw plugins remove fastgrc-openclaw\n  npm uninstall -g fastgrc-openclaw\n"
+  );
   process.exit(0);
 }
-var baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
-var policyId = process.env.FASTGRC_POLICY_ID ?? readConfig().policyId;
-async function main() {
-  const chunks = [];
-  for await (const chunk of process.stdin) chunks.push(chunk);
-  const raw = Buffer.concat(chunks).toString("utf8").trim();
-  const toolName = process.env.HOOK_TOOL_NAME ?? "";
-  const toolInputRaw = process.env.HOOK_TOOL_INPUT ?? "{}";
-  let args = {};
-  let agentId;
-  if (raw) {
-    try {
-      const ctx = JSON.parse(raw);
-      args = ctx.tool_input ?? ctx.input ?? ctx.args ?? {};
-      agentId = ctx.agent_id ?? ctx.agentId ?? ctx.session_id;
-    } catch {
-    }
-  }
-  if (!toolName && !raw) {
-    process.exit(0);
-  }
-  const resolvedToolName = toolName || (raw ? JSON.parse(raw)?.tool_name ?? "unknown" : "unknown");
-  if (!args || Object.keys(args).length === 0) {
-    try {
-      args = JSON.parse(toolInputRaw);
-    } catch {
-      args = {};
-    }
+if (cmd === "test") {
+  const testCommand = arg || "rm -rf /production-db";
+  const payload = JSON.stringify({
+    tool_name: "Bash",
+    tool_input: { command: testCommand },
+    session_id: "fastgrc-hook-test"
+  });
+  const { handlerStr } = computeHandler();
+  process.stdout.write(`Testing handler: ${handlerStr}
+`);
+  process.stdout.write(`Payload: ${payload}
+
+`);
+  const apiKey = process.env.FASTGRC_API_KEY ?? readConfig().apiKey;
+  if (!apiKey) {
+    process.stderr.write("No API key configured. Run: fastgrc-hook set-key fgrc_k1_...\n");
+    process.exit(1);
   }
-  const result = await evaluate({
-    toolName: resolvedToolName,
-    args,
-    agentId,
+  const baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
+  const policyId = process.env.FASTGRC_POLICY_ID ?? readConfig().policyId;
+  const ctx = JSON.parse(payload);
+  evaluate({
+    toolName: ctx.tool_name,
+    args: ctx.tool_input,
+    agentId: ctx.session_id,
     apiKey,
-    // narrowed at module level via early-exit guard above
     policyId,
     baseUrl
+  }).then((result) => {
+    if (!result) {
+      process.stdout.write("Evaluate returned null (fail-open) \u2014 network error or timeout.\n");
+      process.exit(0);
+    }
+    process.stdout.write(`Decision: ${result.decision}
+`);
+    if (result.reasoning) process.stdout.write(`Reason: ${result.reasoning}
+`);
+    if (result.policyContext?.matchedRule) process.stdout.write(`Matched rule: ${result.policyContext.matchedRule}
+`);
+    process.exit(result.decision === "block" || result.decision === "require_approval" ? 2 : 0);
+  }).catch((err) => {
+    process.stderr.write(`Test failed: ${err}
+`);
+    process.exit(1);
   });
-  if (!result) {
+} else if (cmd === "where" || cmd === "which-hook") {
+  const { handlerStr, binPath } = computeHandler();
+  process.stdout.write(`Binary: ${binPath}
+`);
+  process.stdout.write(`Handler: ${handlerStr}
+`);
+  process.exit(0);
+}
+if (cmd === "test" || cmd === "where" || cmd === "which-hook" || cmd === "setup" || cmd === "uninstall" || cmd === "install-hook" || cmd === "uninstall-hook") {
+} else {
+  const apiKey = process.env.FASTGRC_API_KEY ?? readConfig().apiKey;
+  if (!apiKey) {
+    process.stderr.write("[fastgrc-hook] No API key configured \u2014 run: fastgrc-hook set-key fgrc_k1_...\n");
     process.exit(0);
   }
-  const { decision, reasoning, policyContext, reasonTags } = result;
-  const matchedRule = policyContext?.matchedRule;
-  if (decision === "block") {
-    const msg = matchedRule ? `FastGRC blocked: [${matchedRule}] ${reasoning}` : `FastGRC blocked: ${reasoning}`;
-    process.stderr.write(msg + "\n");
-    process.exit(2);
-  }
-  if (decision === "require_approval") {
-    process.stderr.write(
-      `FastGRC requires approval before this action.
+  const baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
+  const policyId = process.env.FASTGRC_POLICY_ID ?? readConfig().policyId;
+  async function main() {
+    const chunks = [];
+    for await (const chunk of process.stdin) chunks.push(chunk);
+    const raw = Buffer.concat(chunks).toString("utf8").trim();
+    const toolName = process.env.HOOK_TOOL_NAME ?? "";
+    const toolInputRaw = process.env.HOOK_TOOL_INPUT ?? "{}";
+    let args = {};
+    let agentId;
+    if (raw) {
+      try {
+        const ctx = JSON.parse(raw);
+        args = ctx.tool_input ?? ctx.input ?? ctx.args ?? {};
+        agentId = ctx.agent_id ?? ctx.agentId ?? ctx.session_id;
+      } catch {
+      }
+    }
+    if (!toolName && !raw) {
+      process.exit(0);
+    }
+    const resolvedToolName = toolName || (raw ? JSON.parse(raw)?.tool_name ?? "unknown" : "unknown");
+    if (!args || Object.keys(args).length === 0) {
+      try {
+        args = JSON.parse(toolInputRaw);
+      } catch {
+        args = {};
+      }
+    }
+    const result = await evaluate({
+      toolName: resolvedToolName,
+      args,
+      agentId,
+      apiKey,
+      policyId,
+      baseUrl
+    });
+    if (!result) {
+      process.exit(0);
+    }
+    const { decision, reasoning, policyContext, reasonTags } = result;
+    const matchedRule = policyContext?.matchedRule;
+    if (decision === "block") {
+      const msg = matchedRule ? `FastGRC blocked: [${matchedRule}] ${reasoning}` : `FastGRC blocked: ${reasoning}`;
+      process.stderr.write(msg + "\n");
+      process.exit(2);
+    }
+    if (decision === "require_approval") {
+      process.stderr.write(
+        `FastGRC requires approval before this action.
 ${reasoning}
 Review at: ${baseUrl}/dashboard/agent-policies
 `
-    );
-    process.exit(2);
-  }
-  if (Array.isArray(reasonTags) && reasonTags.includes("override_block_active")) {
-    const msg = matchedRule ? `[FastGRC] Observability mode \u2014 would have blocked: [${matchedRule}] ${reasoning}` : `[FastGRC] Observability mode \u2014 would have blocked: ${reasoning}`;
-    process.stderr.write(msg + "\n");
+      );
+      process.exit(2);
+    }
+    if (Array.isArray(reasonTags) && reasonTags.includes("override_block_active")) {
+      const msg = matchedRule ? `[FastGRC] Observability mode \u2014 would have blocked: [${matchedRule}] ${reasoning}` : `[FastGRC] Observability mode \u2014 would have blocked: ${reasoning}`;
+      process.stderr.write(msg + "\n");
+    }
+    process.exit(0);
   }
-  process.exit(0);
-}
-main().catch((err) => {
-  process.stderr.write(`[fastgrc-hook] Unexpected error: ${err}
+  main().catch((err) => {
+    process.stderr.write(`[fastgrc-hook] Unexpected error: ${err}
 `);
-  process.exit(0);
-});
+    process.exit(0);
+  });
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fastgrc-openclaw",
-  "version": "1.0.20",
+  "version": "1.0.24",
   "description": "FastGRC agent compliance plugin for OpenClaw — evaluates every tool call against your policy before it executes",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",