fastgrc-openclaw 1.0.30 → 1.0.33

package/dist/bin.js

@@ -112,7 +112,7 @@ function startExecApprovalsServer(apiKey, policyId, baseUrl) {
     console.warn("[fastgrc] exec-approvals: no socket config found \u2014 webchat execs will not be evaluated");
     return;
   }
-  const { path: sockPath, token: configToken } = cfg.socket;
+  const { path: sockPath } = cfg.socket;
   try {
     fs2.unlinkSync(sockPath);
   } catch {
@@ -126,18 +126,25 @@ function startExecApprovalsServer(apiKey, policyId, baseUrl) {
       const line = buffer.slice(0, idx).trim();
       buffer = "";
       if (!line) {
-        conn.destroy();
+        conn.end();
         return;
       }
       let msg;
       try {
         msg = JSON.parse(line);
       } catch {
-        conn.destroy();
+        conn.end();
         return;
       }
-      if (msg.type !== "request" || msg.token !== configToken) {
-        conn.destroy();
+      if (msg.type !== "request") {
+        conn.end();
+        return;
+      }
+      const liveCfg = readExecApprovalsConfig();
+      const expectedToken = liveCfg?.socket?.token;
+      if (!expectedToken || msg.token !== expectedToken) {
+        console.warn("[fastgrc] exec-approvals: token mismatch \u2014 failing open. Restart fastgrc-approvals service if this persists.");
+        conn.end(JSON.stringify({ type: "decision", decision: "allow-once" }) + "\n");
         return;
       }
       const req = msg.request ?? {};
@@ -157,11 +164,9 @@ function startExecApprovalsServer(apiKey, policyId, baseUrl) {
           const rule = result.policyContext?.matchedRule;
           console.warn(rule ? `[fastgrc] exec blocked: [${rule}] ${result.reasoning}` : `[fastgrc] exec blocked: ${result.reasoning}`);
         }
-        conn.write(JSON.stringify({ type: "decision", decision }) + "\n");
-        conn.destroy();
+        conn.end(JSON.stringify({ type: "decision", decision }) + "\n");
       }).catch(() => {
-        conn.write(JSON.stringify({ type: "decision", decision: "allow-once" }) + "\n");
-        conn.destroy();
+        conn.end(JSON.stringify({ type: "decision", decision: "allow-once" }) + "\n");
       });
     });
     conn.on("error", () => {
@@ -169,7 +174,7 @@ function startExecApprovalsServer(apiKey, policyId, baseUrl) {
   });
   server.listen(sockPath, () => {
     try {
-      fs2.chmodSync(sockPath, 384);
+      fs2.chmodSync(sockPath, 432);
     } catch {
     }
     console.log(`[fastgrc] exec-approvals server listening on ${sockPath}`);
@@ -286,6 +291,24 @@ function doUninstallHook(targetDir) {
 `);
   }
 }
+async function validatePolicy(apiKey, policyId, baseUrl = "https://app.fastgrc.ai") {
+  try {
+    const controller = new AbortController();
+    setTimeout(() => controller.abort(), 5e3);
+    const res = await fetch(`${baseUrl.replace(/\/$/, "")}/api/v1/policy-router/policies/${encodeURIComponent(policyId)}`, {
+      headers: { "Authorization": `Bearer ${apiKey}` },
+      signal: controller.signal
+    });
+    if (res.status === 404) return { valid: false, error: "Policy not found \u2014 check the ID belongs to your account." };
+    if (res.status === 401) return { valid: false, error: "Invalid API key." };
+    if (!res.ok) return { valid: false, error: `API returned ${res.status}` };
+    const policy = await res.json();
+    return { valid: true, name: policy.name };
+  } catch (err) {
+    const reason = err instanceof Error && err.name === "AbortError" ? "timeout" : String(err);
+    return { valid: false, error: `Could not reach FastGRC API (${reason}) \u2014 skipping validation.` };
+  }
+}
 function doConfigureExecApprovals() {
   const cfgPath = path3.join(os3.homedir(), ".openclaw", "exec-approvals.json");
   if (!fs3.existsSync(cfgPath)) {
@@ -301,9 +324,9 @@ function doConfigureExecApprovals() {
   const updated = {
     ...existing,
     defaults: {
-      security: "deny",
+      security: "ask",
       ask: "always",
-      askFallback: "deny",
+      askFallback: "allow",
       autoAllowSkills: false
     }
   };
@@ -345,11 +368,29 @@ if (cmd === "set-policy") {
     process.stderr.write("Usage: fastgrc-hook set-policy <policy-id>\n");
     process.exit(1);
   }
-  writeConfig({ ...readConfig(), policyId: arg });
-  process.stdout.write(`\u2713 FastGRC policy ID saved to ${CONFIG_PATH}
+  (async () => {
+    const apiKey = readConfig().apiKey ?? process.env.FASTGRC_API_KEY;
+    const baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
+    if (apiKey) {
+      process.stdout.write(`Verifying policy ${arg}\u2026
 `);
-  process.stdout.write('  Run "fastgrc-hook get-policy" to verify.\n');
-  process.exit(0);
+      const check = await validatePolicy(apiKey, arg, baseUrl);
+      if (!check.valid) {
+        process.stderr.write(`\u2717 ${check.error}
+`);
+        process.exit(1);
+      }
+      process.stdout.write(`\u2713 Policy verified: ${check.name}
+`);
+    } else {
+      process.stdout.write("\u26A0  No API key set \u2014 skipping policy verification.\n");
+    }
+    writeConfig({ ...readConfig(), policyId: arg });
+    process.stdout.write(`\u2713 FastGRC policy ID saved to ${CONFIG_PATH}
+`);
+    process.stdout.write('  Run "fastgrc-hook get-policy" to verify.\n');
+    process.exit(0);
+  })();
 }
 if (cmd === "get-policy") {
   const id = readConfig().policyId;
@@ -396,19 +437,33 @@ if (cmd === "setup") {
     process.stderr.write("Usage: fastgrc-hook setup --api-key <key> [--policy-id <id>]\n");
     process.exit(1);
   }
-  writeConfig({ ...readConfig(), apiKey: apiKeyArg });
-  process.stdout.write("\u2713 API key saved to ~/.fastgrc.json\n");
-  if (policyIdArg) {
-    writeConfig({ ...readConfig(), policyId: policyIdArg });
-    process.stdout.write("\u2713 Policy ID saved to ~/.fastgrc.json\n");
-  } else {
-    process.stdout.write("  (no policy ID \u2014 org-wide default will be used)\n");
-  }
-  doInstallHook(process.cwd());
-  doConfigureExecApprovals();
-  process.stdout.write("\n\u2713 Config, HOOK.md, and exec-approvals done.\n");
-  process.stdout.write('Restart OpenClaw, then run "fastgrc-hook test" to verify.\n');
-  process.exit(0);
+  (async () => {
+    const baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
+    writeConfig({ ...readConfig(), apiKey: apiKeyArg });
+    process.stdout.write("\u2713 API key saved to ~/.fastgrc.json\n");
+    if (policyIdArg) {
+      process.stdout.write(`Verifying policy ${policyIdArg}\u2026
+`);
+      const check = await validatePolicy(apiKeyArg, policyIdArg, baseUrl);
+      if (!check.valid) {
+        process.stderr.write(`\u2717 Policy not found: ${check.error}
+`);
+        process.stderr.write("  Pass a valid policy ID from your dashboard, or omit --policy-id to use the org default.\n");
+        process.exit(1);
+      }
+      process.stdout.write(`\u2713 Policy verified: ${check.name}
+`);
+      writeConfig({ ...readConfig(), policyId: policyIdArg });
+      process.stdout.write("\u2713 Policy ID saved to ~/.fastgrc.json\n");
+    } else {
+      process.stdout.write("  (no policy ID \u2014 org-wide default will be used)\n");
+    }
+    doInstallHook(process.cwd());
+    doConfigureExecApprovals();
+    process.stdout.write("\n\u2713 Config, HOOK.md, and exec-approvals done.\n");
+    process.stdout.write('Restart OpenClaw, then run "fastgrc-hook test" to verify.\n');
+    process.exit(0);
+  })();
 }
 if (cmd === "serve-approvals") {
   const apiKey = resolveApiKey();
@@ -423,6 +478,17 @@ if (cmd === "serve-approvals") {
     );
     process.exit(1);
   }
+  try {
+    const cfgPath = path3.join(os3.homedir(), ".openclaw", "exec-approvals.json");
+    const raw = JSON.parse(fs3.readFileSync(cfgPath, "utf8"));
+    const defaults = raw.defaults ?? {};
+    if (defaults.security !== "ask" || defaults.askFallback !== "allow") {
+      raw.defaults = { ...defaults, security: "ask", askFallback: "allow" };
+      fs3.writeFileSync(cfgPath, JSON.stringify(raw, null, 2), "utf8");
+      process.stdout.write("[fastgrc] exec-approvals defaults patched: security=ask, askFallback=allow\n");
+    }
+  } catch {
+  }
   const policyId = process.env.FASTGRC_POLICY_ID ?? readConfig().policyId;
   const baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
   process.stdout.write(`[fastgrc] serve-approvals running \u2014 listening on ${cfg.socket.path}

package/dist/bin.mjs

@@ -89,7 +89,7 @@ function startExecApprovalsServer(apiKey, policyId, baseUrl) {
     console.warn("[fastgrc] exec-approvals: no socket config found \u2014 webchat execs will not be evaluated");
     return;
   }
-  const { path: sockPath, token: configToken } = cfg.socket;
+  const { path: sockPath } = cfg.socket;
   try {
     fs2.unlinkSync(sockPath);
   } catch {
@@ -103,18 +103,25 @@ function startExecApprovalsServer(apiKey, policyId, baseUrl) {
       const line = buffer.slice(0, idx).trim();
       buffer = "";
       if (!line) {
-        conn.destroy();
+        conn.end();
         return;
       }
       let msg;
       try {
         msg = JSON.parse(line);
       } catch {
-        conn.destroy();
+        conn.end();
         return;
       }
-      if (msg.type !== "request" || msg.token !== configToken) {
-        conn.destroy();
+      if (msg.type !== "request") {
+        conn.end();
+        return;
+      }
+      const liveCfg = readExecApprovalsConfig();
+      const expectedToken = liveCfg?.socket?.token;
+      if (!expectedToken || msg.token !== expectedToken) {
+        console.warn("[fastgrc] exec-approvals: token mismatch \u2014 failing open. Restart fastgrc-approvals service if this persists.");
+        conn.end(JSON.stringify({ type: "decision", decision: "allow-once" }) + "\n");
         return;
       }
       const req = msg.request ?? {};
@@ -134,11 +141,9 @@ function startExecApprovalsServer(apiKey, policyId, baseUrl) {
           const rule = result.policyContext?.matchedRule;
           console.warn(rule ? `[fastgrc] exec blocked: [${rule}] ${result.reasoning}` : `[fastgrc] exec blocked: ${result.reasoning}`);
         }
-        conn.write(JSON.stringify({ type: "decision", decision }) + "\n");
-        conn.destroy();
+        conn.end(JSON.stringify({ type: "decision", decision }) + "\n");
       }).catch(() => {
-        conn.write(JSON.stringify({ type: "decision", decision: "allow-once" }) + "\n");
-        conn.destroy();
+        conn.end(JSON.stringify({ type: "decision", decision: "allow-once" }) + "\n");
       });
     });
     conn.on("error", () => {
@@ -146,7 +151,7 @@ function startExecApprovalsServer(apiKey, policyId, baseUrl) {
   });
   server.listen(sockPath, () => {
     try {
-      fs2.chmodSync(sockPath, 384);
+      fs2.chmodSync(sockPath, 432);
     } catch {
     }
     console.log(`[fastgrc] exec-approvals server listening on ${sockPath}`);
@@ -263,6 +268,24 @@ function doUninstallHook(targetDir) {
 `);
   }
 }
+async function validatePolicy(apiKey, policyId, baseUrl = "https://app.fastgrc.ai") {
+  try {
+    const controller = new AbortController();
+    setTimeout(() => controller.abort(), 5e3);
+    const res = await fetch(`${baseUrl.replace(/\/$/, "")}/api/v1/policy-router/policies/${encodeURIComponent(policyId)}`, {
+      headers: { "Authorization": `Bearer ${apiKey}` },
+      signal: controller.signal
+    });
+    if (res.status === 404) return { valid: false, error: "Policy not found \u2014 check the ID belongs to your account." };
+    if (res.status === 401) return { valid: false, error: "Invalid API key." };
+    if (!res.ok) return { valid: false, error: `API returned ${res.status}` };
+    const policy = await res.json();
+    return { valid: true, name: policy.name };
+  } catch (err) {
+    const reason = err instanceof Error && err.name === "AbortError" ? "timeout" : String(err);
+    return { valid: false, error: `Could not reach FastGRC API (${reason}) \u2014 skipping validation.` };
+  }
+}
 function doConfigureExecApprovals() {
   const cfgPath = path3.join(os3.homedir(), ".openclaw", "exec-approvals.json");
   if (!fs3.existsSync(cfgPath)) {
@@ -278,9 +301,9 @@ function doConfigureExecApprovals() {
   const updated = {
     ...existing,
     defaults: {
-      security: "deny",
+      security: "ask",
       ask: "always",
-      askFallback: "deny",
+      askFallback: "allow",
       autoAllowSkills: false
     }
   };
@@ -322,11 +345,29 @@ if (cmd === "set-policy") {
     process.stderr.write("Usage: fastgrc-hook set-policy <policy-id>\n");
     process.exit(1);
   }
-  writeConfig({ ...readConfig(), policyId: arg });
-  process.stdout.write(`\u2713 FastGRC policy ID saved to ${CONFIG_PATH}
+  (async () => {
+    const apiKey = readConfig().apiKey ?? process.env.FASTGRC_API_KEY;
+    const baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
+    if (apiKey) {
+      process.stdout.write(`Verifying policy ${arg}\u2026
 `);
-  process.stdout.write('  Run "fastgrc-hook get-policy" to verify.\n');
-  process.exit(0);
+      const check = await validatePolicy(apiKey, arg, baseUrl);
+      if (!check.valid) {
+        process.stderr.write(`\u2717 ${check.error}
+`);
+        process.exit(1);
+      }
+      process.stdout.write(`\u2713 Policy verified: ${check.name}
+`);
+    } else {
+      process.stdout.write("\u26A0  No API key set \u2014 skipping policy verification.\n");
+    }
+    writeConfig({ ...readConfig(), policyId: arg });
+    process.stdout.write(`\u2713 FastGRC policy ID saved to ${CONFIG_PATH}
+`);
+    process.stdout.write('  Run "fastgrc-hook get-policy" to verify.\n');
+    process.exit(0);
+  })();
 }
 if (cmd === "get-policy") {
   const id = readConfig().policyId;
@@ -373,19 +414,33 @@ if (cmd === "setup") {
     process.stderr.write("Usage: fastgrc-hook setup --api-key <key> [--policy-id <id>]\n");
     process.exit(1);
   }
-  writeConfig({ ...readConfig(), apiKey: apiKeyArg });
-  process.stdout.write("\u2713 API key saved to ~/.fastgrc.json\n");
-  if (policyIdArg) {
-    writeConfig({ ...readConfig(), policyId: policyIdArg });
-    process.stdout.write("\u2713 Policy ID saved to ~/.fastgrc.json\n");
-  } else {
-    process.stdout.write("  (no policy ID \u2014 org-wide default will be used)\n");
-  }
-  doInstallHook(process.cwd());
-  doConfigureExecApprovals();
-  process.stdout.write("\n\u2713 Config, HOOK.md, and exec-approvals done.\n");
-  process.stdout.write('Restart OpenClaw, then run "fastgrc-hook test" to verify.\n');
-  process.exit(0);
+  (async () => {
+    const baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
+    writeConfig({ ...readConfig(), apiKey: apiKeyArg });
+    process.stdout.write("\u2713 API key saved to ~/.fastgrc.json\n");
+    if (policyIdArg) {
+      process.stdout.write(`Verifying policy ${policyIdArg}\u2026
+`);
+      const check = await validatePolicy(apiKeyArg, policyIdArg, baseUrl);
+      if (!check.valid) {
+        process.stderr.write(`\u2717 Policy not found: ${check.error}
+`);
+        process.stderr.write("  Pass a valid policy ID from your dashboard, or omit --policy-id to use the org default.\n");
+        process.exit(1);
+      }
+      process.stdout.write(`\u2713 Policy verified: ${check.name}
+`);
+      writeConfig({ ...readConfig(), policyId: policyIdArg });
+      process.stdout.write("\u2713 Policy ID saved to ~/.fastgrc.json\n");
+    } else {
+      process.stdout.write("  (no policy ID \u2014 org-wide default will be used)\n");
+    }
+    doInstallHook(process.cwd());
+    doConfigureExecApprovals();
+    process.stdout.write("\n\u2713 Config, HOOK.md, and exec-approvals done.\n");
+    process.stdout.write('Restart OpenClaw, then run "fastgrc-hook test" to verify.\n');
+    process.exit(0);
+  })();
 }
 if (cmd === "serve-approvals") {
   const apiKey = resolveApiKey();
@@ -400,6 +455,17 @@ if (cmd === "serve-approvals") {
     );
     process.exit(1);
   }
+  try {
+    const cfgPath = path3.join(os3.homedir(), ".openclaw", "exec-approvals.json");
+    const raw = JSON.parse(fs3.readFileSync(cfgPath, "utf8"));
+    const defaults = raw.defaults ?? {};
+    if (defaults.security !== "ask" || defaults.askFallback !== "allow") {
+      raw.defaults = { ...defaults, security: "ask", askFallback: "allow" };
+      fs3.writeFileSync(cfgPath, JSON.stringify(raw, null, 2), "utf8");
+      process.stdout.write("[fastgrc] exec-approvals defaults patched: security=ask, askFallback=allow\n");
+    }
+  } catch {
+  }
   const policyId = process.env.FASTGRC_POLICY_ID ?? readConfig().policyId;
   const baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
   process.stdout.write(`[fastgrc] serve-approvals running \u2014 listening on ${cfg.socket.path}

package/dist/plugin.js

@@ -134,7 +134,7 @@ function startExecApprovalsServer(apiKey, policyId, baseUrl) {
     console.warn("[fastgrc] exec-approvals: no socket config found \u2014 webchat execs will not be evaluated");
     return;
   }
-  const { path: sockPath, token: configToken } = cfg.socket;
+  const { path: sockPath } = cfg.socket;
   try {
     fs2.unlinkSync(sockPath);
   } catch {
@@ -148,18 +148,25 @@ function startExecApprovalsServer(apiKey, policyId, baseUrl) {
       const line = buffer.slice(0, idx).trim();
       buffer = "";
       if (!line) {
-        conn.destroy();
+        conn.end();
         return;
       }
       let msg;
       try {
         msg = JSON.parse(line);
       } catch {
-        conn.destroy();
+        conn.end();
         return;
       }
-      if (msg.type !== "request" || msg.token !== configToken) {
-        conn.destroy();
+      if (msg.type !== "request") {
+        conn.end();
+        return;
+      }
+      const liveCfg = readExecApprovalsConfig();
+      const expectedToken = liveCfg?.socket?.token;
+      if (!expectedToken || msg.token !== expectedToken) {
+        console.warn("[fastgrc] exec-approvals: token mismatch \u2014 failing open. Restart fastgrc-approvals service if this persists.");
+        conn.end(JSON.stringify({ type: "decision", decision: "allow-once" }) + "\n");
         return;
       }
       const req = msg.request ?? {};
@@ -179,11 +186,9 @@ function startExecApprovalsServer(apiKey, policyId, baseUrl) {
           const rule = result.policyContext?.matchedRule;
           console.warn(rule ? `[fastgrc] exec blocked: [${rule}] ${result.reasoning}` : `[fastgrc] exec blocked: ${result.reasoning}`);
         }
-        conn.write(JSON.stringify({ type: "decision", decision }) + "\n");
-        conn.destroy();
+        conn.end(JSON.stringify({ type: "decision", decision }) + "\n");
       }).catch(() => {
-        conn.write(JSON.stringify({ type: "decision", decision: "allow-once" }) + "\n");
-        conn.destroy();
+        conn.end(JSON.stringify({ type: "decision", decision: "allow-once" }) + "\n");
       });
     });
     conn.on("error", () => {
@@ -191,7 +196,7 @@ function startExecApprovalsServer(apiKey, policyId, baseUrl) {
   });
   server.listen(sockPath, () => {
     try {
-      fs2.chmodSync(sockPath, 384);
+      fs2.chmodSync(sockPath, 432);
     } catch {
     }
     console.log(`[fastgrc] exec-approvals server listening on ${sockPath}`);

package/dist/plugin.mjs

@@ -98,7 +98,7 @@ function startExecApprovalsServer(apiKey, policyId, baseUrl) {
     console.warn("[fastgrc] exec-approvals: no socket config found \u2014 webchat execs will not be evaluated");
     return;
   }
-  const { path: sockPath, token: configToken } = cfg.socket;
+  const { path: sockPath } = cfg.socket;
   try {
     fs2.unlinkSync(sockPath);
   } catch {
@@ -112,18 +112,25 @@ function startExecApprovalsServer(apiKey, policyId, baseUrl) {
       const line = buffer.slice(0, idx).trim();
       buffer = "";
       if (!line) {
-        conn.destroy();
+        conn.end();
         return;
       }
       let msg;
       try {
         msg = JSON.parse(line);
       } catch {
-        conn.destroy();
+        conn.end();
         return;
       }
-      if (msg.type !== "request" || msg.token !== configToken) {
-        conn.destroy();
+      if (msg.type !== "request") {
+        conn.end();
+        return;
+      }
+      const liveCfg = readExecApprovalsConfig();
+      const expectedToken = liveCfg?.socket?.token;
+      if (!expectedToken || msg.token !== expectedToken) {
+        console.warn("[fastgrc] exec-approvals: token mismatch \u2014 failing open. Restart fastgrc-approvals service if this persists.");
+        conn.end(JSON.stringify({ type: "decision", decision: "allow-once" }) + "\n");
         return;
       }
       const req = msg.request ?? {};
@@ -143,11 +150,9 @@ function startExecApprovalsServer(apiKey, policyId, baseUrl) {
           const rule = result.policyContext?.matchedRule;
           console.warn(rule ? `[fastgrc] exec blocked: [${rule}] ${result.reasoning}` : `[fastgrc] exec blocked: ${result.reasoning}`);
         }
-        conn.write(JSON.stringify({ type: "decision", decision }) + "\n");
-        conn.destroy();
+        conn.end(JSON.stringify({ type: "decision", decision }) + "\n");
       }).catch(() => {
-        conn.write(JSON.stringify({ type: "decision", decision: "allow-once" }) + "\n");
-        conn.destroy();
+        conn.end(JSON.stringify({ type: "decision", decision: "allow-once" }) + "\n");
       });
     });
     conn.on("error", () => {
@@ -155,7 +160,7 @@ function startExecApprovalsServer(apiKey, policyId, baseUrl) {
   });
   server.listen(sockPath, () => {
     try {
-      fs2.chmodSync(sockPath, 384);
+      fs2.chmodSync(sockPath, 432);
     } catch {
     }
     console.log(`[fastgrc] exec-approvals server listening on ${sockPath}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fastgrc-openclaw",
-  "version": "1.0.30",
+  "version": "1.0.33",
   "description": "FastGRC agent compliance plugin for OpenClaw — evaluates every tool call against your policy before it executes",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",