fastgrc-openclaw 1.0.5 → 1.0.7

package/dist/bin.js

@@ -120,13 +120,82 @@ if (cmd === "unset-key") {
   process.stdout.write("FastGRC API key removed.\n");
   process.exit(0);
 }
+if (cmd === "set-policy") {
+  if (!arg) {
+    process.stderr.write("Usage: fastgrc-hook set-policy <policy-id>\n");
+    process.exit(1);
+  }
+  writeConfig({ ...readConfig(), policyId: arg });
+  process.stdout.write(`\u2713 FastGRC policy ID saved to ${CONFIG_PATH}
+`);
+  process.stdout.write('  Run "fastgrc-hook get-policy" to verify.\n');
+  process.exit(0);
+}
+if (cmd === "get-policy") {
+  const id = readConfig().policyId;
+  if (!id) {
+    process.stdout.write("No policy ID stored \u2014 org-wide default will be used.\n");
+    process.stdout.write("Run: fastgrc-hook set-policy <policy-id>\n");
+  } else {
+    process.stdout.write(`${id}
+`);
+  }
+  process.exit(0);
+}
+if (cmd === "unset-policy") {
+  const cfg = readConfig();
+  delete cfg.policyId;
+  writeConfig(cfg);
+  process.stdout.write("FastGRC policy ID removed \u2014 org-wide default will be used.\n");
+  process.exit(0);
+}
+if (cmd === "install-hook") {
+  const targetDir = arg || process.cwd();
+  const hookMdPath = path.join(targetDir, "HOOK.md");
+  const HOOK_ENTRY = '  - matcher: PreToolUse\n    handler: "fastgrc-hook"\n';
+  const HOOK_BLOCK = "---\nname: FastGRC Policy Check\ndescription: Evaluate every tool call against your FastGRC compliance policy\nhooks:\n" + HOOK_ENTRY + "---\n";
+  const hasKey = !!(readConfig().apiKey || process.env.FASTGRC_API_KEY);
+  if (!hasKey) {
+    process.stdout.write("\u26A0  No API key set yet. Run: fastgrc-hook set-key fgrc_k1_your_key\n\n");
+  }
+  if (!fs.existsSync(hookMdPath)) {
+    fs.writeFileSync(hookMdPath, HOOK_BLOCK, "utf8");
+    process.stdout.write(`\u2713 Created ${hookMdPath}
+
+Restart OpenClaw \u2014 FastGRC will evaluate every tool call.
+`);
+    process.exit(0);
+  }
+  const existing = fs.readFileSync(hookMdPath, "utf8");
+  if (existing.includes("fastgrc-hook")) {
+    process.stdout.write(`\u2713 FastGRC hook already present in ${hookMdPath}
+`);
+    process.exit(0);
+  }
+  const fmEnd = existing.indexOf("\n---", 3);
+  let updated;
+  if (fmEnd !== -1) {
+    const hasHooksKey = existing.lastIndexOf("hooks:", fmEnd) !== -1;
+    const insertText = hasHooksKey ? HOOK_ENTRY : `hooks:
+${HOOK_ENTRY}`;
+    updated = existing.slice(0, fmEnd) + "\n" + insertText + existing.slice(fmEnd);
+  } else {
+    updated = HOOK_BLOCK + "\n" + existing;
+  }
+  fs.writeFileSync(hookMdPath, updated, "utf8");
+  process.stdout.write(`\u2713 Updated ${hookMdPath} \u2014 FastGRC hook added.
+
+Restart OpenClaw to activate.
+`);
+  process.exit(0);
+}
 var apiKey = process.env.FASTGRC_API_KEY ?? readConfig().apiKey;
 if (!apiKey) {
   process.stderr.write("[fastgrc-hook] No API key configured \u2014 run: fastgrc-hook set-key fgrc_k1_...\n");
   process.exit(0);
 }
 var baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
-var policyId = process.env.FASTGRC_POLICY_ID;
+var policyId = process.env.FASTGRC_POLICY_ID ?? readConfig().policyId;
 async function main() {
   const chunks = [];
   for await (const chunk of process.stdin) chunks.push(chunk);

package/dist/bin.mjs

@@ -97,13 +97,82 @@ if (cmd === "unset-key") {
   process.stdout.write("FastGRC API key removed.\n");
   process.exit(0);
 }
+if (cmd === "set-policy") {
+  if (!arg) {
+    process.stderr.write("Usage: fastgrc-hook set-policy <policy-id>\n");
+    process.exit(1);
+  }
+  writeConfig({ ...readConfig(), policyId: arg });
+  process.stdout.write(`\u2713 FastGRC policy ID saved to ${CONFIG_PATH}
+`);
+  process.stdout.write('  Run "fastgrc-hook get-policy" to verify.\n');
+  process.exit(0);
+}
+if (cmd === "get-policy") {
+  const id = readConfig().policyId;
+  if (!id) {
+    process.stdout.write("No policy ID stored \u2014 org-wide default will be used.\n");
+    process.stdout.write("Run: fastgrc-hook set-policy <policy-id>\n");
+  } else {
+    process.stdout.write(`${id}
+`);
+  }
+  process.exit(0);
+}
+if (cmd === "unset-policy") {
+  const cfg = readConfig();
+  delete cfg.policyId;
+  writeConfig(cfg);
+  process.stdout.write("FastGRC policy ID removed \u2014 org-wide default will be used.\n");
+  process.exit(0);
+}
+if (cmd === "install-hook") {
+  const targetDir = arg || process.cwd();
+  const hookMdPath = path.join(targetDir, "HOOK.md");
+  const HOOK_ENTRY = '  - matcher: PreToolUse\n    handler: "fastgrc-hook"\n';
+  const HOOK_BLOCK = "---\nname: FastGRC Policy Check\ndescription: Evaluate every tool call against your FastGRC compliance policy\nhooks:\n" + HOOK_ENTRY + "---\n";
+  const hasKey = !!(readConfig().apiKey || process.env.FASTGRC_API_KEY);
+  if (!hasKey) {
+    process.stdout.write("\u26A0  No API key set yet. Run: fastgrc-hook set-key fgrc_k1_your_key\n\n");
+  }
+  if (!fs.existsSync(hookMdPath)) {
+    fs.writeFileSync(hookMdPath, HOOK_BLOCK, "utf8");
+    process.stdout.write(`\u2713 Created ${hookMdPath}
+
+Restart OpenClaw \u2014 FastGRC will evaluate every tool call.
+`);
+    process.exit(0);
+  }
+  const existing = fs.readFileSync(hookMdPath, "utf8");
+  if (existing.includes("fastgrc-hook")) {
+    process.stdout.write(`\u2713 FastGRC hook already present in ${hookMdPath}
+`);
+    process.exit(0);
+  }
+  const fmEnd = existing.indexOf("\n---", 3);
+  let updated;
+  if (fmEnd !== -1) {
+    const hasHooksKey = existing.lastIndexOf("hooks:", fmEnd) !== -1;
+    const insertText = hasHooksKey ? HOOK_ENTRY : `hooks:
+${HOOK_ENTRY}`;
+    updated = existing.slice(0, fmEnd) + "\n" + insertText + existing.slice(fmEnd);
+  } else {
+    updated = HOOK_BLOCK + "\n" + existing;
+  }
+  fs.writeFileSync(hookMdPath, updated, "utf8");
+  process.stdout.write(`\u2713 Updated ${hookMdPath} \u2014 FastGRC hook added.
+
+Restart OpenClaw to activate.
+`);
+  process.exit(0);
+}
 var apiKey = process.env.FASTGRC_API_KEY ?? readConfig().apiKey;
 if (!apiKey) {
   process.stderr.write("[fastgrc-hook] No API key configured \u2014 run: fastgrc-hook set-key fgrc_k1_...\n");
   process.exit(0);
 }
 var baseUrl = process.env.FASTGRC_BASE_URL ?? "https://app.fastgrc.ai";
-var policyId = process.env.FASTGRC_POLICY_ID;
+var policyId = process.env.FASTGRC_POLICY_ID ?? readConfig().policyId;
 async function main() {
   const chunks = [];
   for await (const chunk of process.stdin) chunks.push(chunk);

package/dist/index.d.mts

@@ -1,3 +1,4 @@
+declare function resolveApiKey(explicit?: string): string | undefined;
 interface FastGRCPluginOptions {
     /**
      * Your FastGRC API key (fgrc_k1_...).
@@ -75,4 +76,4 @@ declare function evaluate(payload: {
 }): Promise<EvaluateResponse | null>;
 declare function FastGRCPlugin(options: FastGRCPluginOptions): OpenClawPlugin;
 
-export { FastGRCApprovalRequiredError, FastGRCBlockedError, FastGRCPlugin, type FastGRCPluginOptions, evaluate };
+export { FastGRCApprovalRequiredError, FastGRCBlockedError, FastGRCPlugin, type FastGRCPluginOptions, evaluate, resolveApiKey };

package/dist/index.d.ts

@@ -1,3 +1,4 @@
+declare function resolveApiKey(explicit?: string): string | undefined;
 interface FastGRCPluginOptions {
     /**
      * Your FastGRC API key (fgrc_k1_...).
@@ -75,4 +76,4 @@ declare function evaluate(payload: {
 }): Promise<EvaluateResponse | null>;
 declare function FastGRCPlugin(options: FastGRCPluginOptions): OpenClawPlugin;
 
-export { FastGRCApprovalRequiredError, FastGRCBlockedError, FastGRCPlugin, type FastGRCPluginOptions, evaluate };
+export { FastGRCApprovalRequiredError, FastGRCBlockedError, FastGRCPlugin, type FastGRCPluginOptions, evaluate, resolveApiKey };

package/dist/index.js

@@ -33,7 +33,8 @@ __export(index_exports, {
   FastGRCApprovalRequiredError: () => FastGRCApprovalRequiredError,
   FastGRCBlockedError: () => FastGRCBlockedError,
   FastGRCPlugin: () => FastGRCPlugin,
-  evaluate: () => evaluate
+  evaluate: () => evaluate,
+  resolveApiKey: () => resolveApiKey
 });
 module.exports = __toCommonJS(index_exports);
 var fs = __toESM(require("fs"));
@@ -177,5 +178,6 @@ function FastGRCPlugin(options) {
   FastGRCApprovalRequiredError,
   FastGRCBlockedError,
   FastGRCPlugin,
-  evaluate
+  evaluate,
+  resolveApiKey
 });

package/dist/index.mjs

@@ -139,5 +139,6 @@ export {
   FastGRCApprovalRequiredError,
   FastGRCBlockedError,
   FastGRCPlugin,
-  evaluate
+  evaluate,
+  resolveApiKey
 };

package/dist/plugin.d.mts

@@ -0,0 +1,22 @@
+interface AgentContext {
+    id?: string;
+    name?: string;
+    type?: string;
+    [key: string]: unknown;
+}
+type BeforeToolCallResult = {
+    block: true;
+    blockReason: string;
+} | {
+    requireApproval: {
+        timeoutBehavior: 'allow' | 'deny';
+    };
+} | undefined;
+declare const plugin: {
+    name: string;
+    hooks: {
+        before_tool_call(toolName: string, args: unknown, context: AgentContext): Promise<BeforeToolCallResult>;
+    };
+};
+
+export { plugin as default };

package/dist/plugin.d.ts

@@ -0,0 +1,22 @@
+interface AgentContext {
+    id?: string;
+    name?: string;
+    type?: string;
+    [key: string]: unknown;
+}
+type BeforeToolCallResult = {
+    block: true;
+    blockReason: string;
+} | {
+    requireApproval: {
+        timeoutBehavior: 'allow' | 'deny';
+    };
+} | undefined;
+declare const plugin: {
+    name: string;
+    hooks: {
+        before_tool_call(toolName: string, args: unknown, context: AgentContext): Promise<BeforeToolCallResult>;
+    };
+};
+
+export { plugin as default };

package/dist/plugin.js

@@ -0,0 +1,147 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/plugin.ts
+var plugin_exports = {};
+__export(plugin_exports, {
+  default: () => plugin_default
+});
+module.exports = __toCommonJS(plugin_exports);
+
+// src/index.ts
+var fs = __toESM(require("fs"));
+var os = __toESM(require("os"));
+var path = __toESM(require("path"));
+var DEFAULT_BASE_URL = "https://app.fastgrc.ai";
+var DEFAULT_TIMEOUT_MS = 3e3;
+function resolveApiKey(explicit) {
+  if (explicit) return explicit;
+  if (process.env.FASTGRC_API_KEY) return process.env.FASTGRC_API_KEY;
+  try {
+    const cfg = JSON.parse(fs.readFileSync(path.join(os.homedir(), ".fastgrc.json"), "utf8"));
+    if (cfg.apiKey) return cfg.apiKey;
+  } catch {
+  }
+  return void 0;
+}
+async function evaluate(payload) {
+  const {
+    toolName,
+    args,
+    agentId,
+    agentType,
+    agentName,
+    apiKey: apiKey2,
+    policyId,
+    baseUrl = DEFAULT_BASE_URL,
+    timeoutMs = DEFAULT_TIMEOUT_MS
+  } = payload;
+  const evalUrl = `${baseUrl.replace(/\/$/, "")}/api/v1/policy-router/evaluate`;
+  const content = `tool_name: ${toolName}
+args: ${JSON.stringify(args)}`;
+  try {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    const res = await fetch(evalUrl, {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${apiKey2}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        subjectContent: content,
+        subjectType: "tool_argument",
+        direction: "ingress",
+        agentId,
+        agentType,
+        agentName,
+        ...policyId ? { policyId } : {}
+      }),
+      signal: controller.signal
+    });
+    clearTimeout(timer);
+    if (!res.ok) {
+      console.warn(`[fastgrc] Evaluate returned ${res.status} \u2014 failing open`);
+      return null;
+    }
+    return await res.json();
+  } catch (err) {
+    const reason = err instanceof Error && err.name === "AbortError" ? "timeout" : String(err);
+    console.warn(`[fastgrc] Evaluate failed (${reason}) \u2014 failing open`);
+    return null;
+  }
+}
+
+// src/plugin.ts
+var DEFAULT_BASE_URL2 = "https://app.fastgrc.ai";
+var DEFAULT_TIMEOUT_MS2 = 3e3;
+var apiKey = resolveApiKey();
+if (!apiKey) {
+  console.warn(
+    "[fastgrc] No API key found \u2014 all tool calls will proceed unchecked.\n\n  Run once to connect:\n    fastgrc-hook set-key fgrc_k1_your_key_here\n\n  Get a key at: https://app.fastgrc.ai/connect\n  Manage keys at: https://app.fastgrc.ai/dashboard/settings"
+  );
+}
+var plugin = {
+  name: "fastgrc",
+  hooks: {
+    async before_tool_call(toolName, args, context) {
+      if (!apiKey) return void 0;
+      const result = await evaluate({
+        toolName,
+        args,
+        agentId: context.id,
+        agentType: context.type,
+        agentName: context.name,
+        apiKey,
+        baseUrl: DEFAULT_BASE_URL2,
+        timeoutMs: DEFAULT_TIMEOUT_MS2
+      });
+      if (!result) return void 0;
+      const { decision, reasoning, policyContext, reasonTags } = result;
+      const matchedRule = policyContext?.matchedRule ?? "policy rule";
+      if (decision === "block") {
+        return {
+          block: true,
+          blockReason: `[${matchedRule}] ${reasoning}`
+        };
+      }
+      if (decision === "require_approval") {
+        return {
+          requireApproval: { timeoutBehavior: "deny" }
+        };
+      }
+      if (Array.isArray(reasonTags) && reasonTags.includes("override_block_active")) {
+        const msg = policyContext?.matchedRule ? `[FastGRC] Observability mode \u2014 would have blocked: [${policyContext.matchedRule}] ${reasoning}` : `[FastGRC] Observability mode \u2014 would have blocked: ${reasoning}`;
+        console.warn(msg);
+      }
+      return void 0;
+    }
+  }
+};
+var plugin_default = plugin;

package/dist/plugin.mjs

@@ -0,0 +1,114 @@
+// src/index.ts
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+var DEFAULT_BASE_URL = "https://app.fastgrc.ai";
+var DEFAULT_TIMEOUT_MS = 3e3;
+function resolveApiKey(explicit) {
+  if (explicit) return explicit;
+  if (process.env.FASTGRC_API_KEY) return process.env.FASTGRC_API_KEY;
+  try {
+    const cfg = JSON.parse(fs.readFileSync(path.join(os.homedir(), ".fastgrc.json"), "utf8"));
+    if (cfg.apiKey) return cfg.apiKey;
+  } catch {
+  }
+  return void 0;
+}
+async function evaluate(payload) {
+  const {
+    toolName,
+    args,
+    agentId,
+    agentType,
+    agentName,
+    apiKey: apiKey2,
+    policyId,
+    baseUrl = DEFAULT_BASE_URL,
+    timeoutMs = DEFAULT_TIMEOUT_MS
+  } = payload;
+  const evalUrl = `${baseUrl.replace(/\/$/, "")}/api/v1/policy-router/evaluate`;
+  const content = `tool_name: ${toolName}
+args: ${JSON.stringify(args)}`;
+  try {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    const res = await fetch(evalUrl, {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${apiKey2}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        subjectContent: content,
+        subjectType: "tool_argument",
+        direction: "ingress",
+        agentId,
+        agentType,
+        agentName,
+        ...policyId ? { policyId } : {}
+      }),
+      signal: controller.signal
+    });
+    clearTimeout(timer);
+    if (!res.ok) {
+      console.warn(`[fastgrc] Evaluate returned ${res.status} \u2014 failing open`);
+      return null;
+    }
+    return await res.json();
+  } catch (err) {
+    const reason = err instanceof Error && err.name === "AbortError" ? "timeout" : String(err);
+    console.warn(`[fastgrc] Evaluate failed (${reason}) \u2014 failing open`);
+    return null;
+  }
+}
+
+// src/plugin.ts
+var DEFAULT_BASE_URL2 = "https://app.fastgrc.ai";
+var DEFAULT_TIMEOUT_MS2 = 3e3;
+var apiKey = resolveApiKey();
+if (!apiKey) {
+  console.warn(
+    "[fastgrc] No API key found \u2014 all tool calls will proceed unchecked.\n\n  Run once to connect:\n    fastgrc-hook set-key fgrc_k1_your_key_here\n\n  Get a key at: https://app.fastgrc.ai/connect\n  Manage keys at: https://app.fastgrc.ai/dashboard/settings"
+  );
+}
+var plugin = {
+  name: "fastgrc",
+  hooks: {
+    async before_tool_call(toolName, args, context) {
+      if (!apiKey) return void 0;
+      const result = await evaluate({
+        toolName,
+        args,
+        agentId: context.id,
+        agentType: context.type,
+        agentName: context.name,
+        apiKey,
+        baseUrl: DEFAULT_BASE_URL2,
+        timeoutMs: DEFAULT_TIMEOUT_MS2
+      });
+      if (!result) return void 0;
+      const { decision, reasoning, policyContext, reasonTags } = result;
+      const matchedRule = policyContext?.matchedRule ?? "policy rule";
+      if (decision === "block") {
+        return {
+          block: true,
+          blockReason: `[${matchedRule}] ${reasoning}`
+        };
+      }
+      if (decision === "require_approval") {
+        return {
+          requireApproval: { timeoutBehavior: "deny" }
+        };
+      }
+      if (Array.isArray(reasonTags) && reasonTags.includes("override_block_active")) {
+        const msg = policyContext?.matchedRule ? `[FastGRC] Observability mode \u2014 would have blocked: [${policyContext.matchedRule}] ${reasoning}` : `[FastGRC] Observability mode \u2014 would have blocked: ${reasoning}`;
+        console.warn(msg);
+      }
+      return void 0;
+    }
+  }
+};
+var plugin_default = plugin;
+export {
+  plugin_default as default
+};

package/openclaw.plugin.json

@@ -0,0 +1,6 @@
+{
+  "id": "fastgrc",
+  "name": "FastGRC Policy Router",
+  "description": "Evaluate every tool call against your FastGRC compliance policy before it executes. Blocks violations, flags drift, builds an audit trail.",
+  "extensions": ["./dist/plugin.js"]
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fastgrc-openclaw",
-  "version": "1.0.5",
+  "version": "1.0.7",
   "description": "FastGRC agent compliance plugin for OpenClaw — evaluates every tool call against your policy before it executes",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -10,14 +10,23 @@
       "types": "./dist/index.d.ts",
       "import": "./dist/index.mjs",
       "require": "./dist/index.js"
+    },
+    "./plugin": {
+      "types": "./dist/plugin.d.ts",
+      "import": "./dist/plugin.mjs",
+      "require": "./dist/plugin.js"
     }
   },
+  "openclaw": {
+    "extensions": ["./dist/plugin.js"]
+  },
   "bin": {
     "fastgrc-hook": "./dist/bin.js"
   },
   "files": [
     "dist",
-    "README.md"
+    "README.md",
+    "openclaw.plugin.json"
   ],
   "scripts": {
     "build": "tsup && node -e \"require('fs').chmodSync('dist/bin.js', '755')\"",