fastgrc-openclaw 1.0.4 → 1.0.6

package/dist/bin.js

@@ -1,5 +1,32 @@
 #!/usr/bin/env node
 "use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// src/bin.ts
+var fs = __toESM(require("fs"));
+var os = __toESM(require("os"));
+var path = __toESM(require("path"));
 
 // src/index.ts
 var DEFAULT_BASE_URL = "https://app.fastgrc.ai";
@@ -53,9 +80,49 @@ args: ${JSON.stringify(args)}`;
 }
 
 // src/bin.ts
-var apiKey = process.env.FASTGRC_API_KEY;
+var CONFIG_PATH = path.join(os.homedir(), ".fastgrc.json");
+function readConfig() {
+  try {
+    return JSON.parse(fs.readFileSync(CONFIG_PATH, "utf8"));
+  } catch {
+    return {};
+  }
+}
+function writeConfig(data) {
+  fs.writeFileSync(CONFIG_PATH, JSON.stringify(data, null, 2), { mode: 384 });
+}
+var [, , cmd, arg] = process.argv;
+if (cmd === "set-key") {
+  if (!arg) {
+    process.stderr.write("Usage: fastgrc-hook set-key fgrc_k1_...\n");
+    process.exit(1);
+  }
+  writeConfig({ ...readConfig(), apiKey: arg });
+  process.stdout.write(`\u2713 FastGRC API key saved to ${CONFIG_PATH}
+`);
+  process.stdout.write('  Run "fastgrc-hook get-key" to verify.\n');
+  process.exit(0);
+}
+if (cmd === "get-key") {
+  const key = readConfig().apiKey;
+  if (!key) {
+    process.stdout.write("No key stored. Run: fastgrc-hook set-key fgrc_k1_...\n");
+  } else {
+    process.stdout.write(`${key.slice(0, 12)}${"*".repeat(Math.max(0, key.length - 12))}
+`);
+  }
+  process.exit(0);
+}
+if (cmd === "unset-key") {
+  const cfg = readConfig();
+  delete cfg.apiKey;
+  writeConfig(cfg);
+  process.stdout.write("FastGRC API key removed.\n");
+  process.exit(0);
+}
+var apiKey = process.env.FASTGRC_API_KEY ?? readConfig().apiKey;
 if (!apiKey) {
-  process.stderr.write("[fastgrc-hook] FASTGRC_API_KEY is not set \u2014 allowing tool call\n");
+  process.stderr.write("[fastgrc-hook] No API key configured \u2014 run: fastgrc-hook set-key fgrc_k1_...\n");
   process.exit(0);
 }
 var baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";

package/dist/bin.mjs

@@ -1,5 +1,10 @@
 #!/usr/bin/env node
 
+// src/bin.ts
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+
 // src/index.ts
 var DEFAULT_BASE_URL = "https://app.fastgrc.ai";
 var DEFAULT_TIMEOUT_MS = 3e3;
@@ -52,9 +57,49 @@ args: ${JSON.stringify(args)}`;
 }
 
 // src/bin.ts
-var apiKey = process.env.FASTGRC_API_KEY;
+var CONFIG_PATH = path.join(os.homedir(), ".fastgrc.json");
+function readConfig() {
+  try {
+    return JSON.parse(fs.readFileSync(CONFIG_PATH, "utf8"));
+  } catch {
+    return {};
+  }
+}
+function writeConfig(data) {
+  fs.writeFileSync(CONFIG_PATH, JSON.stringify(data, null, 2), { mode: 384 });
+}
+var [, , cmd, arg] = process.argv;
+if (cmd === "set-key") {
+  if (!arg) {
+    process.stderr.write("Usage: fastgrc-hook set-key fgrc_k1_...\n");
+    process.exit(1);
+  }
+  writeConfig({ ...readConfig(), apiKey: arg });
+  process.stdout.write(`\u2713 FastGRC API key saved to ${CONFIG_PATH}
+`);
+  process.stdout.write('  Run "fastgrc-hook get-key" to verify.\n');
+  process.exit(0);
+}
+if (cmd === "get-key") {
+  const key = readConfig().apiKey;
+  if (!key) {
+    process.stdout.write("No key stored. Run: fastgrc-hook set-key fgrc_k1_...\n");
+  } else {
+    process.stdout.write(`${key.slice(0, 12)}${"*".repeat(Math.max(0, key.length - 12))}
+`);
+  }
+  process.exit(0);
+}
+if (cmd === "unset-key") {
+  const cfg = readConfig();
+  delete cfg.apiKey;
+  writeConfig(cfg);
+  process.stdout.write("FastGRC API key removed.\n");
+  process.exit(0);
+}
+var apiKey = process.env.FASTGRC_API_KEY ?? readConfig().apiKey;
 if (!apiKey) {
-  process.stderr.write("[fastgrc-hook] FASTGRC_API_KEY is not set \u2014 allowing tool call\n");
+  process.stderr.write("[fastgrc-hook] No API key configured \u2014 run: fastgrc-hook set-key fgrc_k1_...\n");
   process.exit(0);
 }
 var baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";

package/dist/index.d.mts

@@ -1,6 +1,10 @@
+declare function resolveApiKey(explicit?: string): string | undefined;
 interface FastGRCPluginOptions {
-    /** Your FastGRC API key (fgrc_k1_...) */
-    apiKey: string;
+    /**
+     * Your FastGRC API key (fgrc_k1_...).
+     * Optional — falls back to FASTGRC_API_KEY env var, then ~/.fastgrc.json (set via `fastgrc-hook set-key`).
+     */
+    apiKey?: string;
     /** Specific policy ID to evaluate against. Omit to use the org-wide default. */
     policyId?: string;
     /**
@@ -72,4 +76,4 @@ declare function evaluate(payload: {
 }): Promise<EvaluateResponse | null>;
 declare function FastGRCPlugin(options: FastGRCPluginOptions): OpenClawPlugin;
 
-export { FastGRCApprovalRequiredError, FastGRCBlockedError, FastGRCPlugin, type FastGRCPluginOptions, evaluate };
+export { FastGRCApprovalRequiredError, FastGRCBlockedError, FastGRCPlugin, type FastGRCPluginOptions, evaluate, resolveApiKey };

package/dist/index.d.ts

@@ -1,6 +1,10 @@
+declare function resolveApiKey(explicit?: string): string | undefined;
 interface FastGRCPluginOptions {
-    /** Your FastGRC API key (fgrc_k1_...) */
-    apiKey: string;
+    /**
+     * Your FastGRC API key (fgrc_k1_...).
+     * Optional — falls back to FASTGRC_API_KEY env var, then ~/.fastgrc.json (set via `fastgrc-hook set-key`).
+     */
+    apiKey?: string;
     /** Specific policy ID to evaluate against. Omit to use the org-wide default. */
     policyId?: string;
     /**
@@ -72,4 +76,4 @@ declare function evaluate(payload: {
 }): Promise<EvaluateResponse | null>;
 declare function FastGRCPlugin(options: FastGRCPluginOptions): OpenClawPlugin;
 
-export { FastGRCApprovalRequiredError, FastGRCBlockedError, FastGRCPlugin, type FastGRCPluginOptions, evaluate };
+export { FastGRCApprovalRequiredError, FastGRCBlockedError, FastGRCPlugin, type FastGRCPluginOptions, evaluate, resolveApiKey };

package/dist/index.js

@@ -1,7 +1,9 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -15,6 +17,14 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
@@ -23,11 +33,25 @@ __export(index_exports, {
   FastGRCApprovalRequiredError: () => FastGRCApprovalRequiredError,
   FastGRCBlockedError: () => FastGRCBlockedError,
   FastGRCPlugin: () => FastGRCPlugin,
-  evaluate: () => evaluate
+  evaluate: () => evaluate,
+  resolveApiKey: () => resolveApiKey
 });
 module.exports = __toCommonJS(index_exports);
+var fs = __toESM(require("fs"));
+var os = __toESM(require("os"));
+var path = __toESM(require("path"));
 var DEFAULT_BASE_URL = "https://app.fastgrc.ai";
 var DEFAULT_TIMEOUT_MS = 3e3;
+function resolveApiKey(explicit) {
+  if (explicit) return explicit;
+  if (process.env.FASTGRC_API_KEY) return process.env.FASTGRC_API_KEY;
+  try {
+    const cfg = JSON.parse(fs.readFileSync(path.join(os.homedir(), ".fastgrc.json"), "utf8"));
+    if (cfg.apiKey) return cfg.apiKey;
+  } catch {
+  }
+  return void 0;
+}
 var FastGRCBlockedError = class extends Error {
   constructor(matchedRule, reasoning, policyId) {
     super(
@@ -101,14 +125,14 @@ args: ${JSON.stringify(args)}`;
 }
 function FastGRCPlugin(options) {
   const {
-    apiKey,
     policyId,
     timeoutMs = DEFAULT_TIMEOUT_MS,
     baseUrl = DEFAULT_BASE_URL
   } = options;
-  if (!apiKey) {
+  const resolvedKey = resolveApiKey(options.apiKey);
+  if (!resolvedKey) {
     console.warn(
-      '[fastgrc] FastGRCPlugin: apiKey is not set \u2014 all tool calls will proceed unchecked.\n\n  Get a free API key at: https://app.fastgrc.ai/connect\n\n  Then set it in openclaw.config.ts:\n    FastGRCPlugin({ apiKey: "fgrc_k1_your_key_here" })\n\n  To rotate your key: replace the value in openclaw.config.ts and restart OpenClaw.\n  Manage keys at: https://app.fastgrc.ai/dashboard/settings'
+      "[fastgrc] No API key found \u2014 all tool calls will proceed unchecked.\n\n  Quick setup (install + set key in one command):\n    npm install -g fastgrc-openclaw && fastgrc-hook set-key fgrc_k1_your_key\n\n  Already installed? Just run:\n    fastgrc-hook set-key fgrc_k1_your_key\n\n  Get a key at: https://app.fastgrc.ai/connect\n  Manage keys at: https://app.fastgrc.ai/dashboard/settings"
     );
   }
   const dashboardUrl = `${baseUrl.replace(/\/$/, "")}/dashboard/agent-policies`;
@@ -116,13 +140,14 @@ function FastGRCPlugin(options) {
     name: "fastgrc",
     hooks: {
       async before_tool_call(toolName, args, context) {
+        if (!resolvedKey) return { block: false };
         const result = await evaluate({
           toolName,
           args,
           agentId: context.id,
           agentType: context.type,
           agentName: context.name,
-          apiKey,
+          apiKey: resolvedKey,
           policyId,
           baseUrl,
           timeoutMs
@@ -153,5 +178,6 @@ function FastGRCPlugin(options) {
   FastGRCApprovalRequiredError,
   FastGRCBlockedError,
   FastGRCPlugin,
-  evaluate
+  evaluate,
+  resolveApiKey
 });

package/dist/index.mjs

@@ -1,6 +1,19 @@
 // src/index.ts
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
 var DEFAULT_BASE_URL = "https://app.fastgrc.ai";
 var DEFAULT_TIMEOUT_MS = 3e3;
+function resolveApiKey(explicit) {
+  if (explicit) return explicit;
+  if (process.env.FASTGRC_API_KEY) return process.env.FASTGRC_API_KEY;
+  try {
+    const cfg = JSON.parse(fs.readFileSync(path.join(os.homedir(), ".fastgrc.json"), "utf8"));
+    if (cfg.apiKey) return cfg.apiKey;
+  } catch {
+  }
+  return void 0;
+}
 var FastGRCBlockedError = class extends Error {
   constructor(matchedRule, reasoning, policyId) {
     super(
@@ -74,14 +87,14 @@ args: ${JSON.stringify(args)}`;
 }
 function FastGRCPlugin(options) {
   const {
-    apiKey,
     policyId,
     timeoutMs = DEFAULT_TIMEOUT_MS,
     baseUrl = DEFAULT_BASE_URL
   } = options;
-  if (!apiKey) {
+  const resolvedKey = resolveApiKey(options.apiKey);
+  if (!resolvedKey) {
     console.warn(
-      '[fastgrc] FastGRCPlugin: apiKey is not set \u2014 all tool calls will proceed unchecked.\n\n  Get a free API key at: https://app.fastgrc.ai/connect\n\n  Then set it in openclaw.config.ts:\n    FastGRCPlugin({ apiKey: "fgrc_k1_your_key_here" })\n\n  To rotate your key: replace the value in openclaw.config.ts and restart OpenClaw.\n  Manage keys at: https://app.fastgrc.ai/dashboard/settings'
+      "[fastgrc] No API key found \u2014 all tool calls will proceed unchecked.\n\n  Quick setup (install + set key in one command):\n    npm install -g fastgrc-openclaw && fastgrc-hook set-key fgrc_k1_your_key\n\n  Already installed? Just run:\n    fastgrc-hook set-key fgrc_k1_your_key\n\n  Get a key at: https://app.fastgrc.ai/connect\n  Manage keys at: https://app.fastgrc.ai/dashboard/settings"
     );
   }
   const dashboardUrl = `${baseUrl.replace(/\/$/, "")}/dashboard/agent-policies`;
@@ -89,13 +102,14 @@ function FastGRCPlugin(options) {
     name: "fastgrc",
     hooks: {
       async before_tool_call(toolName, args, context) {
+        if (!resolvedKey) return { block: false };
         const result = await evaluate({
           toolName,
           args,
           agentId: context.id,
           agentType: context.type,
           agentName: context.name,
-          apiKey,
+          apiKey: resolvedKey,
           policyId,
           baseUrl,
           timeoutMs
@@ -125,5 +139,6 @@ export {
   FastGRCApprovalRequiredError,
   FastGRCBlockedError,
   FastGRCPlugin,
-  evaluate
+  evaluate,
+  resolveApiKey
 };

package/dist/plugin.d.mts

@@ -0,0 +1,22 @@
+interface AgentContext {
+    id?: string;
+    name?: string;
+    type?: string;
+    [key: string]: unknown;
+}
+type BeforeToolCallResult = {
+    block: true;
+    blockReason: string;
+} | {
+    requireApproval: {
+        timeoutBehavior: 'allow' | 'deny';
+    };
+} | undefined;
+declare const plugin: {
+    name: string;
+    hooks: {
+        before_tool_call(toolName: string, args: unknown, context: AgentContext): Promise<BeforeToolCallResult>;
+    };
+};
+
+export { plugin as default };

package/dist/plugin.d.ts

@@ -0,0 +1,22 @@
+interface AgentContext {
+    id?: string;
+    name?: string;
+    type?: string;
+    [key: string]: unknown;
+}
+type BeforeToolCallResult = {
+    block: true;
+    blockReason: string;
+} | {
+    requireApproval: {
+        timeoutBehavior: 'allow' | 'deny';
+    };
+} | undefined;
+declare const plugin: {
+    name: string;
+    hooks: {
+        before_tool_call(toolName: string, args: unknown, context: AgentContext): Promise<BeforeToolCallResult>;
+    };
+};
+
+export { plugin as default };

package/dist/plugin.js

@@ -0,0 +1,147 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/plugin.ts
+var plugin_exports = {};
+__export(plugin_exports, {
+  default: () => plugin_default
+});
+module.exports = __toCommonJS(plugin_exports);
+
+// src/index.ts
+var fs = __toESM(require("fs"));
+var os = __toESM(require("os"));
+var path = __toESM(require("path"));
+var DEFAULT_BASE_URL = "https://app.fastgrc.ai";
+var DEFAULT_TIMEOUT_MS = 3e3;
+function resolveApiKey(explicit) {
+  if (explicit) return explicit;
+  if (process.env.FASTGRC_API_KEY) return process.env.FASTGRC_API_KEY;
+  try {
+    const cfg = JSON.parse(fs.readFileSync(path.join(os.homedir(), ".fastgrc.json"), "utf8"));
+    if (cfg.apiKey) return cfg.apiKey;
+  } catch {
+  }
+  return void 0;
+}
+async function evaluate(payload) {
+  const {
+    toolName,
+    args,
+    agentId,
+    agentType,
+    agentName,
+    apiKey: apiKey2,
+    policyId,
+    baseUrl = DEFAULT_BASE_URL,
+    timeoutMs = DEFAULT_TIMEOUT_MS
+  } = payload;
+  const evalUrl = `${baseUrl.replace(/\/$/, "")}/api/v1/policy-router/evaluate`;
+  const content = `tool_name: ${toolName}
+args: ${JSON.stringify(args)}`;
+  try {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    const res = await fetch(evalUrl, {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${apiKey2}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        subjectContent: content,
+        subjectType: "tool_argument",
+        direction: "ingress",
+        agentId,
+        agentType,
+        agentName,
+        ...policyId ? { policyId } : {}
+      }),
+      signal: controller.signal
+    });
+    clearTimeout(timer);
+    if (!res.ok) {
+      console.warn(`[fastgrc] Evaluate returned ${res.status} \u2014 failing open`);
+      return null;
+    }
+    return await res.json();
+  } catch (err) {
+    const reason = err instanceof Error && err.name === "AbortError" ? "timeout" : String(err);
+    console.warn(`[fastgrc] Evaluate failed (${reason}) \u2014 failing open`);
+    return null;
+  }
+}
+
+// src/plugin.ts
+var DEFAULT_BASE_URL2 = "https://app.fastgrc.ai";
+var DEFAULT_TIMEOUT_MS2 = 3e3;
+var apiKey = resolveApiKey();
+if (!apiKey) {
+  console.warn(
+    "[fastgrc] No API key found \u2014 all tool calls will proceed unchecked.\n\n  Run once to connect:\n    fastgrc-hook set-key fgrc_k1_your_key_here\n\n  Get a key at: https://app.fastgrc.ai/connect\n  Manage keys at: https://app.fastgrc.ai/dashboard/settings"
+  );
+}
+var plugin = {
+  name: "fastgrc",
+  hooks: {
+    async before_tool_call(toolName, args, context) {
+      if (!apiKey) return void 0;
+      const result = await evaluate({
+        toolName,
+        args,
+        agentId: context.id,
+        agentType: context.type,
+        agentName: context.name,
+        apiKey,
+        baseUrl: DEFAULT_BASE_URL2,
+        timeoutMs: DEFAULT_TIMEOUT_MS2
+      });
+      if (!result) return void 0;
+      const { decision, reasoning, policyContext, reasonTags } = result;
+      const matchedRule = policyContext?.matchedRule ?? "policy rule";
+      if (decision === "block") {
+        return {
+          block: true,
+          blockReason: `[${matchedRule}] ${reasoning}`
+        };
+      }
+      if (decision === "require_approval") {
+        return {
+          requireApproval: { timeoutBehavior: "deny" }
+        };
+      }
+      if (Array.isArray(reasonTags) && reasonTags.includes("override_block_active")) {
+        const msg = policyContext?.matchedRule ? `[FastGRC] Observability mode \u2014 would have blocked: [${policyContext.matchedRule}] ${reasoning}` : `[FastGRC] Observability mode \u2014 would have blocked: ${reasoning}`;
+        console.warn(msg);
+      }
+      return void 0;
+    }
+  }
+};
+var plugin_default = plugin;

package/dist/plugin.mjs

@@ -0,0 +1,114 @@
+// src/index.ts
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+var DEFAULT_BASE_URL = "https://app.fastgrc.ai";
+var DEFAULT_TIMEOUT_MS = 3e3;
+function resolveApiKey(explicit) {
+  if (explicit) return explicit;
+  if (process.env.FASTGRC_API_KEY) return process.env.FASTGRC_API_KEY;
+  try {
+    const cfg = JSON.parse(fs.readFileSync(path.join(os.homedir(), ".fastgrc.json"), "utf8"));
+    if (cfg.apiKey) return cfg.apiKey;
+  } catch {
+  }
+  return void 0;
+}
+async function evaluate(payload) {
+  const {
+    toolName,
+    args,
+    agentId,
+    agentType,
+    agentName,
+    apiKey: apiKey2,
+    policyId,
+    baseUrl = DEFAULT_BASE_URL,
+    timeoutMs = DEFAULT_TIMEOUT_MS
+  } = payload;
+  const evalUrl = `${baseUrl.replace(/\/$/, "")}/api/v1/policy-router/evaluate`;
+  const content = `tool_name: ${toolName}
+args: ${JSON.stringify(args)}`;
+  try {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    const res = await fetch(evalUrl, {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${apiKey2}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        subjectContent: content,
+        subjectType: "tool_argument",
+        direction: "ingress",
+        agentId,
+        agentType,
+        agentName,
+        ...policyId ? { policyId } : {}
+      }),
+      signal: controller.signal
+    });
+    clearTimeout(timer);
+    if (!res.ok) {
+      console.warn(`[fastgrc] Evaluate returned ${res.status} \u2014 failing open`);
+      return null;
+    }
+    return await res.json();
+  } catch (err) {
+    const reason = err instanceof Error && err.name === "AbortError" ? "timeout" : String(err);
+    console.warn(`[fastgrc] Evaluate failed (${reason}) \u2014 failing open`);
+    return null;
+  }
+}
+
+// src/plugin.ts
+var DEFAULT_BASE_URL2 = "https://app.fastgrc.ai";
+var DEFAULT_TIMEOUT_MS2 = 3e3;
+var apiKey = resolveApiKey();
+if (!apiKey) {
+  console.warn(
+    "[fastgrc] No API key found \u2014 all tool calls will proceed unchecked.\n\n  Run once to connect:\n    fastgrc-hook set-key fgrc_k1_your_key_here\n\n  Get a key at: https://app.fastgrc.ai/connect\n  Manage keys at: https://app.fastgrc.ai/dashboard/settings"
+  );
+}
+var plugin = {
+  name: "fastgrc",
+  hooks: {
+    async before_tool_call(toolName, args, context) {
+      if (!apiKey) return void 0;
+      const result = await evaluate({
+        toolName,
+        args,
+        agentId: context.id,
+        agentType: context.type,
+        agentName: context.name,
+        apiKey,
+        baseUrl: DEFAULT_BASE_URL2,
+        timeoutMs: DEFAULT_TIMEOUT_MS2
+      });
+      if (!result) return void 0;
+      const { decision, reasoning, policyContext, reasonTags } = result;
+      const matchedRule = policyContext?.matchedRule ?? "policy rule";
+      if (decision === "block") {
+        return {
+          block: true,
+          blockReason: `[${matchedRule}] ${reasoning}`
+        };
+      }
+      if (decision === "require_approval") {
+        return {
+          requireApproval: { timeoutBehavior: "deny" }
+        };
+      }
+      if (Array.isArray(reasonTags) && reasonTags.includes("override_block_active")) {
+        const msg = policyContext?.matchedRule ? `[FastGRC] Observability mode \u2014 would have blocked: [${policyContext.matchedRule}] ${reasoning}` : `[FastGRC] Observability mode \u2014 would have blocked: ${reasoning}`;
+        console.warn(msg);
+      }
+      return void 0;
+    }
+  }
+};
+var plugin_default = plugin;
+export {
+  plugin_default as default
+};

package/openclaw.plugin.json

@@ -0,0 +1,6 @@
+{
+  "id": "fastgrc",
+  "name": "FastGRC Policy Router",
+  "description": "Evaluate every tool call against your FastGRC compliance policy before it executes. Blocks violations, flags drift, builds an audit trail.",
+  "extensions": ["./dist/plugin.js"]
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fastgrc-openclaw",
-  "version": "1.0.4",
+  "version": "1.0.6",
   "description": "FastGRC agent compliance plugin for OpenClaw — evaluates every tool call against your policy before it executes",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -10,14 +10,23 @@
       "types": "./dist/index.d.ts",
       "import": "./dist/index.mjs",
       "require": "./dist/index.js"
+    },
+    "./plugin": {
+      "types": "./dist/plugin.d.ts",
+      "import": "./dist/plugin.mjs",
+      "require": "./dist/plugin.js"
     }
   },
+  "openclaw": {
+    "extensions": ["./dist/plugin.js"]
+  },
   "bin": {
     "fastgrc-hook": "./dist/bin.js"
   },
   "files": [
     "dist",
-    "README.md"
+    "README.md",
+    "openclaw.plugin.json"
   ],
   "scripts": {
     "build": "tsup && node -e \"require('fs').chmodSync('dist/bin.js', '755')\"",