fastgrc-openclaw 1.0.28 → 1.0.29

package/dist/bin.js

@@ -24,9 +24,9 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 ));
 
 // src/bin.ts
-var fs2 = __toESM(require("fs"));
-var os2 = __toESM(require("os"));
-var path2 = __toESM(require("path"));
+var fs3 = __toESM(require("fs"));
+var os3 = __toESM(require("os"));
+var path3 = __toESM(require("path"));
 
 // src/index.ts
 var fs = __toESM(require("fs"));
@@ -93,21 +93,100 @@ args: ${JSON.stringify(args)}`;
   }
 }
 
+// src/plugin.ts
+var net = __toESM(require("net"));
+var crypto = __toESM(require("crypto"));
+var fs2 = __toESM(require("fs"));
+var os2 = __toESM(require("os"));
+var path2 = __toESM(require("path"));
+function sign(payload, token) {
+  const nonce = crypto.randomBytes(16).toString("hex");
+  const ts = Math.floor(Date.now() / 1e3).toString();
+  const body = JSON.stringify(payload);
+  const mac = crypto.createHmac("sha256", Buffer.from(token, "base64")).update(`${nonce}:${ts}:${body}`).digest("hex");
+  return { ...payload, nonce, timestamp: ts, hmac: mac };
+}
+function verifyHmac(req, token) {
+  try {
+    const { nonce, timestamp, hmac, ...rest } = req;
+    const expected = crypto.createHmac("sha256", Buffer.from(token, "base64")).update(`${nonce}:${timestamp}:${JSON.stringify(rest)}`).digest("hex");
+    return hmac === expected;
+  } catch {
+    return false;
+  }
+}
+function readExecApprovalsConfig() {
+  const cfgPath = path2.join(os2.homedir(), ".openclaw", "exec-approvals.json");
+  try {
+    return JSON.parse(fs2.readFileSync(cfgPath, "utf8"));
+  } catch {
+    return null;
+  }
+}
+function startExecApprovalsClient(apiKey, policyId, baseUrl) {
+  const cfg = readExecApprovalsConfig();
+  if (!cfg?.socket?.path || !cfg?.socket?.token) return;
+  const { path: sockPath, token } = cfg.socket;
+  function connect() {
+    const client = net.createConnection(sockPath);
+    let buffer = "";
+    client.on("connect", () => {
+      console.log("[fastgrc] exec-approvals socket connected");
+    });
+    client.on("data", async (buf) => {
+      buffer += buf.toString();
+      let req;
+      try {
+        req = JSON.parse(buffer);
+      } catch {
+        return;
+      }
+      buffer = "";
+      if (!verifyHmac(req, token)) {
+        console.warn("[fastgrc] exec-approvals: HMAC verification failed \u2014 ignoring request");
+        return;
+      }
+      let decision = "allow-once";
+      try {
+        const result = await evaluate({
+          toolName: "Exec",
+          args: { command: req.command, rawCommand: req.rawCommand, cwd: req.cwd },
+          agentId: req.agentId,
+          apiKey,
+          policyId,
+          baseUrl
+        });
+        if (result && (result.decision === "block" || result.decision === "require_approval")) {
+          decision = "deny";
+          const msg = result.policyContext?.matchedRule ? `[fastgrc] exec blocked: [${result.policyContext.matchedRule}] ${result.reasoning}` : `[fastgrc] exec blocked: ${result.reasoning}`;
+          console.warn(msg);
+        }
+      } catch {
+      }
+      const response = sign({ approvalId: req.approvalId, decision }, token);
+      client.write(JSON.stringify(response));
+    });
+    client.on("error", () => setTimeout(connect, 5e3));
+    client.on("close", () => setTimeout(connect, 5e3));
+  }
+  connect();
+}
+
 // src/bin.ts
-var CONFIG_PATH = path2.join(os2.homedir(), ".fastgrc.json");
+var CONFIG_PATH = path3.join(os3.homedir(), ".fastgrc.json");
 function readConfig() {
   try {
-    return JSON.parse(fs2.readFileSync(CONFIG_PATH, "utf8"));
+    return JSON.parse(fs3.readFileSync(CONFIG_PATH, "utf8"));
   } catch {
     return {};
   }
 }
 function writeConfig(data) {
-  fs2.writeFileSync(CONFIG_PATH, JSON.stringify(data, null, 2), { mode: 384 });
+  fs3.writeFileSync(CONFIG_PATH, JSON.stringify(data, null, 2), { mode: 384 });
 }
 function computeHandler() {
   const binPath = process.argv[1];
-  const homeDir = os2.homedir();
+  const homeDir = os3.homedir();
   return { binPath, homeDir, handlerStr: `HOME=${homeDir} node ${binPath}` };
 }
 function printTestSnippet(handlerStr) {
@@ -121,7 +200,7 @@ Test it directly (bypasses OpenClaw):
   );
 }
 function doInstallHook(targetDir) {
-  const hookMdPath = path2.join(targetDir, "HOOK.md");
+  const hookMdPath = path3.join(targetDir, "HOOK.md");
   const { handlerStr } = computeHandler();
   const HOOK_ENTRY = `  - matcher: PreToolUse
     handler: "${handlerStr}"
@@ -131,8 +210,8 @@ function doInstallHook(targetDir) {
   if (!hasKey) {
     process.stdout.write("\u26A0  No API key set yet. Run: fastgrc-hook set-key fgrc_k1_your_key\n\n");
   }
-  if (!fs2.existsSync(hookMdPath)) {
-    fs2.writeFileSync(hookMdPath, HOOK_BLOCK, "utf8");
+  if (!fs3.existsSync(hookMdPath)) {
+    fs3.writeFileSync(hookMdPath, HOOK_BLOCK, "utf8");
     process.stdout.write(`\u2713 Created ${hookMdPath}
    Handler: ${handlerStr}
 
@@ -141,7 +220,7 @@ Restart OpenClaw \u2014 FastGRC will evaluate every tool call.
     printTestSnippet(handlerStr);
     return;
   }
-  const existing = fs2.readFileSync(hookMdPath, "utf8");
+  const existing = fs3.readFileSync(hookMdPath, "utf8");
   if (existing.includes(handlerStr)) {
     process.stdout.write(`\u2713 FastGRC hook already up to date in ${hookMdPath}
    Handler: ${handlerStr}
@@ -154,7 +233,7 @@ Restart OpenClaw \u2014 FastGRC will evaluate every tool call.
       /handler:\s*"[^"]*(?:fastgrc-hook|fastgrc-openclaw)[^"]*"/,
       `handler: "${handlerStr}"`
     );
-    fs2.writeFileSync(hookMdPath, patched, "utf8");
+    fs3.writeFileSync(hookMdPath, patched, "utf8");
     process.stdout.write(`\u2713 Updated handler in ${hookMdPath} \u2014 now uses absolute path.
    Handler: ${handlerStr}
 
@@ -173,7 +252,7 @@ ${HOOK_ENTRY}`;
   } else {
     updated = HOOK_BLOCK + "\n" + existing;
   }
-  fs2.writeFileSync(hookMdPath, updated, "utf8");
+  fs3.writeFileSync(hookMdPath, updated, "utf8");
   process.stdout.write(`\u2713 Updated ${hookMdPath} \u2014 FastGRC hook added.
    Handler: ${handlerStr}
 
@@ -182,12 +261,12 @@ Restart OpenClaw to activate.
   printTestSnippet(handlerStr);
 }
 function doUninstallHook(targetDir) {
-  const hookMdPath = path2.join(targetDir, "HOOK.md");
-  if (!fs2.existsSync(hookMdPath)) {
+  const hookMdPath = path3.join(targetDir, "HOOK.md");
+  if (!fs3.existsSync(hookMdPath)) {
     process.stdout.write("No HOOK.md found \u2014 nothing to remove.\n");
     return;
   }
-  const existing = fs2.readFileSync(hookMdPath, "utf8");
+  const existing = fs3.readFileSync(hookMdPath, "utf8");
   const patched = existing.replace(
     /[ \t]*-[ \t]*matcher:[ \t]*PreToolUse\n[ \t]*handler:[ \t]*"[^"]*(?:fastgrc-hook|fastgrc-openclaw)[^"]*"\n?/,
     ""
@@ -195,11 +274,36 @@ function doUninstallHook(targetDir) {
   if (patched === existing) {
     process.stdout.write("FastGRC hook not found in HOOK.md \u2014 nothing to remove.\n");
   } else {
-    fs2.writeFileSync(hookMdPath, patched, "utf8");
+    fs3.writeFileSync(hookMdPath, patched, "utf8");
     process.stdout.write(`\u2713 FastGRC hook removed from ${hookMdPath}
 `);
   }
 }
+function doConfigureExecApprovals() {
+  const cfgPath = path3.join(os3.homedir(), ".openclaw", "exec-approvals.json");
+  if (!fs3.existsSync(cfgPath)) {
+    process.stdout.write(`\u26A0  ${cfgPath} not found \u2014 skipping exec-approvals config (OpenClaw may not be installed here).
+`);
+    return;
+  }
+  let existing = {};
+  try {
+    existing = JSON.parse(fs3.readFileSync(cfgPath, "utf8"));
+  } catch {
+  }
+  const updated = {
+    ...existing,
+    defaults: {
+      security: "deny",
+      ask: "always",
+      askFallback: "deny",
+      autoAllowSkills: false
+    }
+  };
+  fs3.writeFileSync(cfgPath, JSON.stringify(updated, null, 2), "utf8");
+  process.stdout.write(`\u2713 exec-approvals.json configured \u2014 all webchat execs routed through FastGRC.
+`);
+}
 var [, , cmd, arg] = process.argv;
 if (cmd === "set-key") {
   if (!arg) {
@@ -294,10 +398,30 @@ if (cmd === "setup") {
     process.stdout.write("  (no policy ID \u2014 org-wide default will be used)\n");
   }
   doInstallHook(process.cwd());
-  process.stdout.write("\n\u2713 Config and HOOK.md done.\n");
-  process.stdout.write('Run "fastgrc-hook test" to verify the hook.\n');
+  doConfigureExecApprovals();
+  process.stdout.write("\n\u2713 Config, HOOK.md, and exec-approvals done.\n");
+  process.stdout.write('Restart OpenClaw, then run "fastgrc-hook test" to verify.\n');
   process.exit(0);
 }
+if (cmd === "serve-approvals") {
+  const apiKey = resolveApiKey();
+  if (!apiKey) {
+    process.stderr.write("No API key configured. Run: fastgrc-hook set-key fgrc_k1_...\n");
+    process.exit(1);
+  }
+  const cfg = readExecApprovalsConfig();
+  if (!cfg?.socket?.path || !cfg?.socket?.token) {
+    process.stderr.write(
+      'No exec-approvals socket configured.\nRun "fastgrc-hook setup" to configure OpenClaw exec-approvals, then restart OpenClaw.\n'
+    );
+    process.exit(1);
+  }
+  const policyId = process.env.FASTGRC_POLICY_ID ?? readConfig().policyId;
+  const baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
+  process.stdout.write(`[fastgrc] serve-approvals running \u2014 listening on ${cfg.socket.path}
+`);
+  startExecApprovalsClient(apiKey, policyId, baseUrl);
+}
 if (cmd === "uninstall") {
   const targetDir = arg || process.cwd();
   const cfg = readConfig();
@@ -364,7 +488,7 @@ if (cmd === "test") {
 `);
   process.exit(0);
 }
-if (cmd === "test" || cmd === "where" || cmd === "which-hook" || cmd === "setup" || cmd === "uninstall" || cmd === "install-hook" || cmd === "uninstall-hook") {
+if (cmd === "test" || cmd === "where" || cmd === "which-hook" || cmd === "setup" || cmd === "uninstall" || cmd === "install-hook" || cmd === "uninstall-hook" || cmd === "serve-approvals") {
 } else {
   const apiKey = resolveApiKey();
   if (!apiKey) {

package/dist/bin.mjs

@@ -1,9 +1,9 @@
 #!/usr/bin/env node
 
 // src/bin.ts
-import * as fs2 from "fs";
-import * as os2 from "os";
-import * as path2 from "path";
+import * as fs3 from "fs";
+import * as os3 from "os";
+import * as path3 from "path";
 
 // src/index.ts
 import * as fs from "fs";
@@ -70,21 +70,100 @@ args: ${JSON.stringify(args)}`;
   }
 }
 
+// src/plugin.ts
+import * as net from "net";
+import * as crypto from "crypto";
+import * as fs2 from "fs";
+import * as os2 from "os";
+import * as path2 from "path";
+function sign(payload, token) {
+  const nonce = crypto.randomBytes(16).toString("hex");
+  const ts = Math.floor(Date.now() / 1e3).toString();
+  const body = JSON.stringify(payload);
+  const mac = crypto.createHmac("sha256", Buffer.from(token, "base64")).update(`${nonce}:${ts}:${body}`).digest("hex");
+  return { ...payload, nonce, timestamp: ts, hmac: mac };
+}
+function verifyHmac(req, token) {
+  try {
+    const { nonce, timestamp, hmac, ...rest } = req;
+    const expected = crypto.createHmac("sha256", Buffer.from(token, "base64")).update(`${nonce}:${timestamp}:${JSON.stringify(rest)}`).digest("hex");
+    return hmac === expected;
+  } catch {
+    return false;
+  }
+}
+function readExecApprovalsConfig() {
+  const cfgPath = path2.join(os2.homedir(), ".openclaw", "exec-approvals.json");
+  try {
+    return JSON.parse(fs2.readFileSync(cfgPath, "utf8"));
+  } catch {
+    return null;
+  }
+}
+function startExecApprovalsClient(apiKey, policyId, baseUrl) {
+  const cfg = readExecApprovalsConfig();
+  if (!cfg?.socket?.path || !cfg?.socket?.token) return;
+  const { path: sockPath, token } = cfg.socket;
+  function connect() {
+    const client = net.createConnection(sockPath);
+    let buffer = "";
+    client.on("connect", () => {
+      console.log("[fastgrc] exec-approvals socket connected");
+    });
+    client.on("data", async (buf) => {
+      buffer += buf.toString();
+      let req;
+      try {
+        req = JSON.parse(buffer);
+      } catch {
+        return;
+      }
+      buffer = "";
+      if (!verifyHmac(req, token)) {
+        console.warn("[fastgrc] exec-approvals: HMAC verification failed \u2014 ignoring request");
+        return;
+      }
+      let decision = "allow-once";
+      try {
+        const result = await evaluate({
+          toolName: "Exec",
+          args: { command: req.command, rawCommand: req.rawCommand, cwd: req.cwd },
+          agentId: req.agentId,
+          apiKey,
+          policyId,
+          baseUrl
+        });
+        if (result && (result.decision === "block" || result.decision === "require_approval")) {
+          decision = "deny";
+          const msg = result.policyContext?.matchedRule ? `[fastgrc] exec blocked: [${result.policyContext.matchedRule}] ${result.reasoning}` : `[fastgrc] exec blocked: ${result.reasoning}`;
+          console.warn(msg);
+        }
+      } catch {
+      }
+      const response = sign({ approvalId: req.approvalId, decision }, token);
+      client.write(JSON.stringify(response));
+    });
+    client.on("error", () => setTimeout(connect, 5e3));
+    client.on("close", () => setTimeout(connect, 5e3));
+  }
+  connect();
+}
+
 // src/bin.ts
-var CONFIG_PATH = path2.join(os2.homedir(), ".fastgrc.json");
+var CONFIG_PATH = path3.join(os3.homedir(), ".fastgrc.json");
 function readConfig() {
   try {
-    return JSON.parse(fs2.readFileSync(CONFIG_PATH, "utf8"));
+    return JSON.parse(fs3.readFileSync(CONFIG_PATH, "utf8"));
   } catch {
     return {};
   }
 }
 function writeConfig(data) {
-  fs2.writeFileSync(CONFIG_PATH, JSON.stringify(data, null, 2), { mode: 384 });
+  fs3.writeFileSync(CONFIG_PATH, JSON.stringify(data, null, 2), { mode: 384 });
 }
 function computeHandler() {
   const binPath = process.argv[1];
-  const homeDir = os2.homedir();
+  const homeDir = os3.homedir();
   return { binPath, homeDir, handlerStr: `HOME=${homeDir} node ${binPath}` };
 }
 function printTestSnippet(handlerStr) {
@@ -98,7 +177,7 @@ Test it directly (bypasses OpenClaw):
   );
 }
 function doInstallHook(targetDir) {
-  const hookMdPath = path2.join(targetDir, "HOOK.md");
+  const hookMdPath = path3.join(targetDir, "HOOK.md");
   const { handlerStr } = computeHandler();
   const HOOK_ENTRY = `  - matcher: PreToolUse
     handler: "${handlerStr}"
@@ -108,8 +187,8 @@ function doInstallHook(targetDir) {
   if (!hasKey) {
     process.stdout.write("\u26A0  No API key set yet. Run: fastgrc-hook set-key fgrc_k1_your_key\n\n");
   }
-  if (!fs2.existsSync(hookMdPath)) {
-    fs2.writeFileSync(hookMdPath, HOOK_BLOCK, "utf8");
+  if (!fs3.existsSync(hookMdPath)) {
+    fs3.writeFileSync(hookMdPath, HOOK_BLOCK, "utf8");
     process.stdout.write(`\u2713 Created ${hookMdPath}
    Handler: ${handlerStr}
 
@@ -118,7 +197,7 @@ Restart OpenClaw \u2014 FastGRC will evaluate every tool call.
     printTestSnippet(handlerStr);
     return;
   }
-  const existing = fs2.readFileSync(hookMdPath, "utf8");
+  const existing = fs3.readFileSync(hookMdPath, "utf8");
   if (existing.includes(handlerStr)) {
     process.stdout.write(`\u2713 FastGRC hook already up to date in ${hookMdPath}
    Handler: ${handlerStr}
@@ -131,7 +210,7 @@ Restart OpenClaw \u2014 FastGRC will evaluate every tool call.
       /handler:\s*"[^"]*(?:fastgrc-hook|fastgrc-openclaw)[^"]*"/,
       `handler: "${handlerStr}"`
     );
-    fs2.writeFileSync(hookMdPath, patched, "utf8");
+    fs3.writeFileSync(hookMdPath, patched, "utf8");
     process.stdout.write(`\u2713 Updated handler in ${hookMdPath} \u2014 now uses absolute path.
    Handler: ${handlerStr}
 
@@ -150,7 +229,7 @@ ${HOOK_ENTRY}`;
   } else {
     updated = HOOK_BLOCK + "\n" + existing;
   }
-  fs2.writeFileSync(hookMdPath, updated, "utf8");
+  fs3.writeFileSync(hookMdPath, updated, "utf8");
   process.stdout.write(`\u2713 Updated ${hookMdPath} \u2014 FastGRC hook added.
    Handler: ${handlerStr}
 
@@ -159,12 +238,12 @@ Restart OpenClaw to activate.
   printTestSnippet(handlerStr);
 }
 function doUninstallHook(targetDir) {
-  const hookMdPath = path2.join(targetDir, "HOOK.md");
-  if (!fs2.existsSync(hookMdPath)) {
+  const hookMdPath = path3.join(targetDir, "HOOK.md");
+  if (!fs3.existsSync(hookMdPath)) {
     process.stdout.write("No HOOK.md found \u2014 nothing to remove.\n");
     return;
   }
-  const existing = fs2.readFileSync(hookMdPath, "utf8");
+  const existing = fs3.readFileSync(hookMdPath, "utf8");
   const patched = existing.replace(
     /[ \t]*-[ \t]*matcher:[ \t]*PreToolUse\n[ \t]*handler:[ \t]*"[^"]*(?:fastgrc-hook|fastgrc-openclaw)[^"]*"\n?/,
     ""
@@ -172,11 +251,36 @@ function doUninstallHook(targetDir) {
   if (patched === existing) {
     process.stdout.write("FastGRC hook not found in HOOK.md \u2014 nothing to remove.\n");
   } else {
-    fs2.writeFileSync(hookMdPath, patched, "utf8");
+    fs3.writeFileSync(hookMdPath, patched, "utf8");
     process.stdout.write(`\u2713 FastGRC hook removed from ${hookMdPath}
 `);
   }
 }
+function doConfigureExecApprovals() {
+  const cfgPath = path3.join(os3.homedir(), ".openclaw", "exec-approvals.json");
+  if (!fs3.existsSync(cfgPath)) {
+    process.stdout.write(`\u26A0  ${cfgPath} not found \u2014 skipping exec-approvals config (OpenClaw may not be installed here).
+`);
+    return;
+  }
+  let existing = {};
+  try {
+    existing = JSON.parse(fs3.readFileSync(cfgPath, "utf8"));
+  } catch {
+  }
+  const updated = {
+    ...existing,
+    defaults: {
+      security: "deny",
+      ask: "always",
+      askFallback: "deny",
+      autoAllowSkills: false
+    }
+  };
+  fs3.writeFileSync(cfgPath, JSON.stringify(updated, null, 2), "utf8");
+  process.stdout.write(`\u2713 exec-approvals.json configured \u2014 all webchat execs routed through FastGRC.
+`);
+}
 var [, , cmd, arg] = process.argv;
 if (cmd === "set-key") {
   if (!arg) {
@@ -271,10 +375,30 @@ if (cmd === "setup") {
     process.stdout.write("  (no policy ID \u2014 org-wide default will be used)\n");
   }
   doInstallHook(process.cwd());
-  process.stdout.write("\n\u2713 Config and HOOK.md done.\n");
-  process.stdout.write('Run "fastgrc-hook test" to verify the hook.\n');
+  doConfigureExecApprovals();
+  process.stdout.write("\n\u2713 Config, HOOK.md, and exec-approvals done.\n");
+  process.stdout.write('Restart OpenClaw, then run "fastgrc-hook test" to verify.\n');
   process.exit(0);
 }
+if (cmd === "serve-approvals") {
+  const apiKey = resolveApiKey();
+  if (!apiKey) {
+    process.stderr.write("No API key configured. Run: fastgrc-hook set-key fgrc_k1_...\n");
+    process.exit(1);
+  }
+  const cfg = readExecApprovalsConfig();
+  if (!cfg?.socket?.path || !cfg?.socket?.token) {
+    process.stderr.write(
+      'No exec-approvals socket configured.\nRun "fastgrc-hook setup" to configure OpenClaw exec-approvals, then restart OpenClaw.\n'
+    );
+    process.exit(1);
+  }
+  const policyId = process.env.FASTGRC_POLICY_ID ?? readConfig().policyId;
+  const baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
+  process.stdout.write(`[fastgrc] serve-approvals running \u2014 listening on ${cfg.socket.path}
+`);
+  startExecApprovalsClient(apiKey, policyId, baseUrl);
+}
 if (cmd === "uninstall") {
   const targetDir = arg || process.cwd();
   const cfg = readConfig();
@@ -341,7 +465,7 @@ if (cmd === "test") {
 `);
   process.exit(0);
 }
-if (cmd === "test" || cmd === "where" || cmd === "which-hook" || cmd === "setup" || cmd === "uninstall" || cmd === "install-hook" || cmd === "uninstall-hook") {
+if (cmd === "test" || cmd === "where" || cmd === "which-hook" || cmd === "setup" || cmd === "uninstall" || cmd === "install-hook" || cmd === "uninstall-hook" || cmd === "serve-approvals") {
 } else {
   const apiKey = resolveApiKey();
   if (!apiKey) {

package/dist/plugin.d.mts

@@ -1,3 +1,11 @@
+interface ExecApprovalsConfig {
+    socket?: {
+        path?: string;
+        token?: string;
+    };
+}
+declare function readExecApprovalsConfig(): ExecApprovalsConfig | null;
+declare function startExecApprovalsClient(apiKey: string, policyId?: string, baseUrl?: string): void;
 declare const pluginEntry: {
     id: string;
     name: string;
@@ -5,4 +13,4 @@ declare const pluginEntry: {
     register(api: any): void;
 };
 
-export { pluginEntry as default };
+export { pluginEntry as default, readExecApprovalsConfig, startExecApprovalsClient };

package/dist/plugin.d.ts

@@ -1,3 +1,11 @@
+interface ExecApprovalsConfig {
+    socket?: {
+        path?: string;
+        token?: string;
+    };
+}
+declare function readExecApprovalsConfig(): ExecApprovalsConfig | null;
+declare function startExecApprovalsClient(apiKey: string, policyId?: string, baseUrl?: string): void;
 declare const pluginEntry: {
     id: string;
     name: string;
@@ -5,4 +13,4 @@ declare const pluginEntry: {
     register(api: any): void;
 };
 
-export { pluginEntry as default };
+export { pluginEntry as default, readExecApprovalsConfig, startExecApprovalsClient };

package/dist/plugin.js

@@ -30,9 +30,16 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/plugin.ts
 var plugin_exports = {};
 __export(plugin_exports, {
-  default: () => plugin_default
+  default: () => plugin_default,
+  readExecApprovalsConfig: () => readExecApprovalsConfig,
+  startExecApprovalsClient: () => startExecApprovalsClient
 });
 module.exports = __toCommonJS(plugin_exports);
+var net = __toESM(require("net"));
+var crypto = __toESM(require("crypto"));
+var fs2 = __toESM(require("fs"));
+var os2 = __toESM(require("os"));
+var path2 = __toESM(require("path"));
 
 // src/index.ts
 var fs = __toESM(require("fs"));
@@ -114,6 +121,78 @@ args: ${JSON.stringify(args)}`;
 // src/plugin.ts
 var DEFAULT_BASE_URL2 = "https://app.fastgrc.ai";
 var DEFAULT_TIMEOUT_MS2 = 3e3;
+function sign(payload, token) {
+  const nonce = crypto.randomBytes(16).toString("hex");
+  const ts = Math.floor(Date.now() / 1e3).toString();
+  const body = JSON.stringify(payload);
+  const mac = crypto.createHmac("sha256", Buffer.from(token, "base64")).update(`${nonce}:${ts}:${body}`).digest("hex");
+  return { ...payload, nonce, timestamp: ts, hmac: mac };
+}
+function verifyHmac(req, token) {
+  try {
+    const { nonce, timestamp, hmac, ...rest } = req;
+    const expected = crypto.createHmac("sha256", Buffer.from(token, "base64")).update(`${nonce}:${timestamp}:${JSON.stringify(rest)}`).digest("hex");
+    return hmac === expected;
+  } catch {
+    return false;
+  }
+}
+function readExecApprovalsConfig() {
+  const cfgPath = path2.join(os2.homedir(), ".openclaw", "exec-approvals.json");
+  try {
+    return JSON.parse(fs2.readFileSync(cfgPath, "utf8"));
+  } catch {
+    return null;
+  }
+}
+function startExecApprovalsClient(apiKey, policyId, baseUrl) {
+  const cfg = readExecApprovalsConfig();
+  if (!cfg?.socket?.path || !cfg?.socket?.token) return;
+  const { path: sockPath, token } = cfg.socket;
+  function connect() {
+    const client = net.createConnection(sockPath);
+    let buffer = "";
+    client.on("connect", () => {
+      console.log("[fastgrc] exec-approvals socket connected");
+    });
+    client.on("data", async (buf) => {
+      buffer += buf.toString();
+      let req;
+      try {
+        req = JSON.parse(buffer);
+      } catch {
+        return;
+      }
+      buffer = "";
+      if (!verifyHmac(req, token)) {
+        console.warn("[fastgrc] exec-approvals: HMAC verification failed \u2014 ignoring request");
+        return;
+      }
+      let decision = "allow-once";
+      try {
+        const result = await evaluate({
+          toolName: "Exec",
+          args: { command: req.command, rawCommand: req.rawCommand, cwd: req.cwd },
+          agentId: req.agentId,
+          apiKey,
+          policyId,
+          baseUrl
+        });
+        if (result && (result.decision === "block" || result.decision === "require_approval")) {
+          decision = "deny";
+          const msg = result.policyContext?.matchedRule ? `[fastgrc] exec blocked: [${result.policyContext.matchedRule}] ${result.reasoning}` : `[fastgrc] exec blocked: ${result.reasoning}`;
+          console.warn(msg);
+        }
+      } catch {
+      }
+      const response = sign({ approvalId: req.approvalId, decision }, token);
+      client.write(JSON.stringify(response));
+    });
+    client.on("error", () => setTimeout(connect, 5e3));
+    client.on("close", () => setTimeout(connect, 5e3));
+  }
+  connect();
+}
 var pluginEntry = {
   id: "fastgrc",
   name: "FastGRC Policy Router",
@@ -128,31 +207,7 @@ var pluginEntry = {
       return;
     }
     console.log("[fastgrc] Plugin registered \u2014 before_tool_call hook active");
-    const probeEvents = [
-      "exec",
-      "before_exec",
-      "shell",
-      "before_shell",
-      "command",
-      "before_command",
-      "run",
-      "before_run",
-      "tool_call",
-      "before_tool",
-      "action",
-      "before_action",
-      "request",
-      "before_request",
-      "call",
-      "before_call"
-    ];
-    for (const evt of probeEvents) {
-      api.on(evt, (...args) => {
-        console.log(`[fastgrc:hit] ${evt}`, JSON.stringify(args[0])?.slice(0, 120));
-      });
-    }
     api.on("before_tool_call", async (event, ctx) => {
-      console.log(`[fastgrc] before_tool_call fired: ${event.toolName}`);
       const result = await evaluate({
         toolName: event.toolName,
         args: event.params,
@@ -182,7 +237,13 @@ var pluginEntry = {
       }
       return void 0;
     });
+    startExecApprovalsClient(apiKey, policyId, DEFAULT_BASE_URL2);
   }
 };
 var plugin_default = pluginEntry;
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  readExecApprovalsConfig,
+  startExecApprovalsClient
+});
 module.exports = module.exports.default ?? module.exports;

package/dist/plugin.mjs

@@ -1,3 +1,10 @@
+// src/plugin.ts
+import * as net from "net";
+import * as crypto from "crypto";
+import * as fs2 from "fs";
+import * as os2 from "os";
+import * as path2 from "path";
+
 // src/index.ts
 import * as fs from "fs";
 import * as os from "os";
@@ -78,6 +85,78 @@ args: ${JSON.stringify(args)}`;
 // src/plugin.ts
 var DEFAULT_BASE_URL2 = "https://app.fastgrc.ai";
 var DEFAULT_TIMEOUT_MS2 = 3e3;
+function sign(payload, token) {
+  const nonce = crypto.randomBytes(16).toString("hex");
+  const ts = Math.floor(Date.now() / 1e3).toString();
+  const body = JSON.stringify(payload);
+  const mac = crypto.createHmac("sha256", Buffer.from(token, "base64")).update(`${nonce}:${ts}:${body}`).digest("hex");
+  return { ...payload, nonce, timestamp: ts, hmac: mac };
+}
+function verifyHmac(req, token) {
+  try {
+    const { nonce, timestamp, hmac, ...rest } = req;
+    const expected = crypto.createHmac("sha256", Buffer.from(token, "base64")).update(`${nonce}:${timestamp}:${JSON.stringify(rest)}`).digest("hex");
+    return hmac === expected;
+  } catch {
+    return false;
+  }
+}
+function readExecApprovalsConfig() {
+  const cfgPath = path2.join(os2.homedir(), ".openclaw", "exec-approvals.json");
+  try {
+    return JSON.parse(fs2.readFileSync(cfgPath, "utf8"));
+  } catch {
+    return null;
+  }
+}
+function startExecApprovalsClient(apiKey, policyId, baseUrl) {
+  const cfg = readExecApprovalsConfig();
+  if (!cfg?.socket?.path || !cfg?.socket?.token) return;
+  const { path: sockPath, token } = cfg.socket;
+  function connect() {
+    const client = net.createConnection(sockPath);
+    let buffer = "";
+    client.on("connect", () => {
+      console.log("[fastgrc] exec-approvals socket connected");
+    });
+    client.on("data", async (buf) => {
+      buffer += buf.toString();
+      let req;
+      try {
+        req = JSON.parse(buffer);
+      } catch {
+        return;
+      }
+      buffer = "";
+      if (!verifyHmac(req, token)) {
+        console.warn("[fastgrc] exec-approvals: HMAC verification failed \u2014 ignoring request");
+        return;
+      }
+      let decision = "allow-once";
+      try {
+        const result = await evaluate({
+          toolName: "Exec",
+          args: { command: req.command, rawCommand: req.rawCommand, cwd: req.cwd },
+          agentId: req.agentId,
+          apiKey,
+          policyId,
+          baseUrl
+        });
+        if (result && (result.decision === "block" || result.decision === "require_approval")) {
+          decision = "deny";
+          const msg = result.policyContext?.matchedRule ? `[fastgrc] exec blocked: [${result.policyContext.matchedRule}] ${result.reasoning}` : `[fastgrc] exec blocked: ${result.reasoning}`;
+          console.warn(msg);
+        }
+      } catch {
+      }
+      const response = sign({ approvalId: req.approvalId, decision }, token);
+      client.write(JSON.stringify(response));
+    });
+    client.on("error", () => setTimeout(connect, 5e3));
+    client.on("close", () => setTimeout(connect, 5e3));
+  }
+  connect();
+}
 var pluginEntry = {
   id: "fastgrc",
   name: "FastGRC Policy Router",
@@ -92,31 +171,7 @@ var pluginEntry = {
       return;
     }
     console.log("[fastgrc] Plugin registered \u2014 before_tool_call hook active");
-    const probeEvents = [
-      "exec",
-      "before_exec",
-      "shell",
-      "before_shell",
-      "command",
-      "before_command",
-      "run",
-      "before_run",
-      "tool_call",
-      "before_tool",
-      "action",
-      "before_action",
-      "request",
-      "before_request",
-      "call",
-      "before_call"
-    ];
-    for (const evt of probeEvents) {
-      api.on(evt, (...args) => {
-        console.log(`[fastgrc:hit] ${evt}`, JSON.stringify(args[0])?.slice(0, 120));
-      });
-    }
     api.on("before_tool_call", async (event, ctx) => {
-      console.log(`[fastgrc] before_tool_call fired: ${event.toolName}`);
       const result = await evaluate({
         toolName: event.toolName,
         args: event.params,
@@ -146,9 +201,12 @@ var pluginEntry = {
       }
       return void 0;
     });
+    startExecApprovalsClient(apiKey, policyId, DEFAULT_BASE_URL2);
   }
 };
 var plugin_default = pluginEntry;
 export {
-  plugin_default as default
+  plugin_default as default,
+  readExecApprovalsConfig,
+  startExecApprovalsClient
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fastgrc-openclaw",
-  "version": "1.0.28",
+  "version": "1.0.29",
   "description": "FastGRC agent compliance plugin for OpenClaw — evaluates every tool call against your policy before it executes",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",