limits-openclaw 0.0.11 → 0.0.13

package/README.md

@@ -1,10 +1,10 @@
-# limits-openclaw 
+# limits-openclaw
 
-[![npm version](https://img.shields.io/npm/v/limits-openclaw .svg?style=flat-square)](https://www.npmjs.com/package/limits-openclaw )
+[![npm version](https://img.shields.io/npm/v/limits-openclaw.svg?style=flat-square)](https://www.npmjs.com/package/limits-openclaw)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?style=flat-square)](https://opensource.org/licenses/MIT)
 [![TypeScript](https://img.shields.io/badge/TypeScript-5.x-3178C6?style=flat-square&logo=typescript&logoColor=white)](https://www.typescriptlang.org/)
 [![Node.js](https://img.shields.io/badge/Node.js-18%2B-339933?style=flat-square&logo=node.js&logoColor=white)](https://nodejs.org/)
-[![GitHub](https://img.shields.io/badge/GitHub-limitsdev%2Flimits--openclaw-181717?style=flat-square&logo=github)](https://github.com/limitsdev/limits-openclaw )
+[![GitHub](https://img.shields.io/badge/GitHub-limitsdev%2Flimits--openclaw-181717?style=flat-square&logo=github)](https://github.com/limitsdev/limits-openclaw)
 
 **Official** OpenClaw plugin for the [Limits](https://limits.dev) platform. Delegates policy enforcement via HTTP. Every decision is made by calling `POST {baseUrl}/openclaw/enforce` before and after each tool call. Optional policy-generator tools let the agent create and update policies from natural language.
 
@@ -31,23 +31,43 @@
 ## Installation
 
 ```bash
-npm install limits-openclaw 
+npm install limits-openclaw
 ```
 
 ```bash
-yarn add limits-openclaw 
+yarn add limits-openclaw
 ```
 
 ```bash
-pnpm add limits-openclaw 
+pnpm add limits-openclaw
 ```
 
 Then register the plugin with OpenClaw:
 
 ```bash
-openclaw plugins install ./node_modules/limits-openclaw 
+openclaw plugins install ./node_modules/limits-openclaw
 openclaw gateway restart
-openclaw plugins enable "limits-openclaw "
+```
+
+**Add `limits-openclaw` to the Plugin Allowlist** (required before enabling):
+
+**Option A — Dashboard:**
+
+1. Open the OpenClaw dashboard and go to **Config → Plugins → Plugin Allowlist**.
+2. Click **Add** and type `limits-openclaw`, then save and apply.
+
+**Option B — CLI:**
+
+```bash
+current=$(openclaw config get plugins.allow 2>/dev/null | grep -v '^\[.\+\] ')
+updated=$(echo "${current:-[]}" | jq -c '(. // []) + ["limits-openclaw"] | unique')
+openclaw config set plugins.allow "$updated" --json
+```
+
+Then enable the plugin:
+
+```bash
+openclaw plugins enable "limits-openclaw"
 ```
 
 ---
@@ -64,7 +84,7 @@ openclaw limits configure
 If you see **`error: unknown command 'limits'`**, the OpenClaw CLI may not load plugin commands in your environment. Run the configure script directly (from a directory where the package is installed):
 
 ```bash
-node node_modules/limits-openclaw /scripts/configure.js
+node node_modules/limits-openclaw/scripts/configure.js
 ```
 
 Or set config manually:
@@ -73,7 +93,7 @@ Or set config manually:
 {
   "plugins": {
     "entries": {
-      "limits-openclaw ": {
+      "limits-openclaw": {
         "enabled": true,
         "config": {
           "apiToken": "sk_your_organization_api_key"
@@ -92,7 +112,7 @@ Or set config manually:
     "list": [
       {
         "id": "main",
-        "tools": { "allow": ["limits-openclaw "] }
+        "tools": { "allow": ["limits-openclaw"] }
       }
     ]
   }
@@ -127,7 +147,7 @@ flowchart LR
 1. **Before each tool call** (`before_tool_call`): the plugin POSTs `phase: "pre"` with tool name and args. Limits returns `ALLOW`, `BLOCK`, or `REWRITE` (with `rewriteArgs`). The plugin blocks the call, allows it, or replaces the tool arguments accordingly.
 2. **After each tool call** (`after_tool_call`): the plugin POSTs `phase: "post"` with tool name, args, and result. Limits returns `ALLOW`, `BLOCK`, `REDACT`, or `REWRITE` (with `redactedResult` or `rewrittenResult`). The plugin leaves the result unchanged, replaces it with a safe blocked response, or replaces it with the redacted/rewritten value.
 
-**Compatibility:** This plugin requires an OpenClaw build where tool hooks are wired into the execution path. If you see **`[limits-openclaw ] before_tool_call observed`** in logs once after a tool runs, hooks are working. See [OpenClaw #6535](https://github.com/openclaw/openclaw/issues/6535) if hooks never fire.
+**Compatibility:** This plugin requires an OpenClaw build where tool hooks are wired into the execution path. If you see **`[limits-openclaw] before_tool_call observed`** in logs once after a tool runs, hooks are working. See [OpenClaw #6535](https://github.com/openclaw/openclaw/issues/6535) if hooks never fire.
 
 ---
 
@@ -150,16 +170,16 @@ Optionally, you can copy it manually. The example below is for Unix; on Windows
 
 ```bash
 mkdir -p ~/.openclaw/workspace/skills/limits-policy-generator
-cp -r ./node_modules/limits-openclaw /skills/limits-policy-generator/. ~/.openclaw/workspace/skills/limits-policy-generator/
+cp -r ./node_modules/limits-openclaw/skills/limits-policy-generator/. ~/.openclaw/workspace/skills/limits-policy-generator/
 ```
 
 ### Expose tools to the agent
 
-The plugin registers these tools as **optional**. Add the plugin to the agent's tool allowlist (see [Quick Start](#quick-start)) so the agent can call them. Use `"limits-openclaw "` to allow all tools from this plugin, or allow by name: `["limits_generate_create_policy", "limits_generate_update_policy"]`.
+The plugin registers these tools as **optional**. Add the plugin to the agent's tool allowlist (see [Quick Start](#quick-start)) so the agent can call them. Use `"limits-openclaw"` to allow all tools from this plugin, or allow by name: `["limits_generate_create_policy", "limits_generate_update_policy"]`.
 
 ### Sandboxed agents
 
-If the agent runs in a **sandbox**, add `"limits-openclaw "` (or the tool names) to `tools.sandbox.tools.allow` as well so the sandboxed agent can call the policy tools. Otherwise the agent can have the skill but cannot invoke the tools from inside the sandbox.
+If the agent runs in a **sandbox**, add `"limits-openclaw"` (or the tool names) to `tools.sandbox.tools.allow` as well so the sandboxed agent can call the policy tools. Otherwise the agent can have the skill but cannot invoke the tools from inside the sandbox.
 
 ---
 
@@ -190,7 +210,7 @@ If the agent runs in a **sandbox**, add `"limits-openclaw "` (or the tool names)
 {
   "plugins": {
     "entries": {
-      "limits-openclaw ": {
+      "limits-openclaw": {
         "enabled": true,
         "config": {
           "apiToken": "sk_your_organization_api_key",
@@ -253,12 +273,12 @@ Policies are scoped to OpenClaw tool calls using **tags** in the Limits dashboar
 |---------|-------------|
 | `openclaw plugins install <path>` | Install plugin from path. |
 | `openclaw plugins install -l <path>` | Link plugin (no copy, for development). |
-| `openclaw plugins enable "limits-openclaw "` | Enable the plugin. |
+| `openclaw plugins enable "limits-openclaw"` | Enable the plugin. |
 | `openclaw plugins list` | List installed plugins. |
 | `openclaw plugins doctor` | Check plugin health. |
 | `openclaw limits configure` | Interactive wizard to set API token and sandbox allowlist. |
-| `openclaw config get 'plugins.entries["limits-openclaw "]'` | Show plugin config. |
-| `openclaw config set 'plugins.entries["limits-openclaw "].config.apiToken' "sk_..."` | Set apiToken manually. |
+| `openclaw config get 'plugins.entries["limits-openclaw"]'` | Show plugin config. |
+| `openclaw config set 'plugins.entries["limits-openclaw"].config.apiToken' "sk_..."` | Set apiToken manually. |
 
 ---
 
@@ -283,29 +303,29 @@ If you were using the plugin under the old name **limits-enforcer**, update your
 
 | Before | After |
 |--------|-------|
-| Plugin ID / allowlist: `"limits-enforcer"` | `"limits-openclaw "` |
-| Config path: `plugins.entries.limits-enforcer` | `plugins.entries["limits-openclaw "]` |
+| Plugin ID / allowlist: `"limits-enforcer"` | `"limits-openclaw"` |
+| Config path: `plugins.entries.limits-enforcer` | `plugins.entries["limits-openclaw"]` |
 | CLI command: `openclaw limits-enforcer configure` | `openclaw limits configure` |
-| Log prefix: `[limits-enforcer]` | `[limits-openclaw ]` |
+| Log prefix: `[limits-enforcer]` | `[limits-openclaw]` |
 
-After renaming, reinstall the plugin and enable `"limits-openclaw "`.
+After renaming, reinstall the plugin and enable `"limits-openclaw"`.
 
 ---
 
 ## Troubleshooting
 
-- **Config warning "plugin id mismatch (manifest uses 'limits-openclaw ', entry hints 'openclaw')"**  
-  Some OpenClaw gateways install scoped packages under `extensions/openclaw` instead of `extensions/limits-openclaw `. The gateway then infers the plugin id from the folder name (`openclaw`), which does not match the manifest id `limits-openclaw `, so the plugin may not load and `openclaw limits configure` shows **unknown command 'limits'**.
+- **Config warning "plugin id mismatch (manifest uses 'limits-openclaw', entry hints 'openclaw')"**  
+  Some OpenClaw gateways install scoped packages under `extensions/openclaw` instead of `extensions/limits-openclaw`. The gateway then infers the plugin id from the folder name (`openclaw`), which does not match the manifest id `limits-openclaw`, so the plugin may not load and `openclaw limits configure` shows **unknown command 'limits'**.
 
   **Workaround — install under the scoped path so the gateway matches the config entry:**
   ```bash
   # Create the scope directory and install the package there (adjust if you use npm -g or another path)
   mkdir -p ~/.openclaw/extensions/@limits
-  cp -r ./node_modules/limits-openclaw  ~/.openclaw/extensions/@limits/
+  cp -r ./node_modules/limits-openclaw ~/.openclaw/extensions/@limits/
 
   # Tell OpenClaw to load the plugin from that path
-  openclaw plugins install ~/.openclaw/extensions/limits-openclaw 
-  openclaw plugins enable "limits-openclaw "
+  openclaw plugins install ~/.openclaw/extensions/limits-openclaw
+  openclaw plugins enable "limits-openclaw"
   openclaw gateway restart
   ```
   Then run `openclaw limits configure`.
@@ -313,7 +333,7 @@ After renaming, reinstall the plugin and enable `"limits-openclaw "`.
 - **`error: unknown command 'limits'`**  
   The plugin did not load (often due to the id mismatch above). Use the workaround above, or run the configure wizard without the OpenClaw CLI:
   ```bash
-  node node_modules/limits-openclaw /scripts/configure.js
+  node node_modules/limits-openclaw/scripts/configure.js
   ```
   Or from the plugin repo: `npm run configure`.
 
@@ -322,4 +342,4 @@ After renaming, reinstall the plugin and enable `"limits-openclaw "`.
 
 ## License
 
-MIT — [Limits](https://limits.dev) — [GitHub](https://github.com/limitsdev/limits-openclaw )
+MIT — [Limits](https://limits.dev) — [GitHub](https://github.com/limitsdev/limits-openclaw)

package/dist/config.js

@@ -10,7 +10,7 @@ const DEFAULTS = {
     redactLogs: true,
 };
 export function loadConfig(api) {
-    const raw = api.config?.plugins?.entries?.["limits-openclaw "]?.config ?? {};
+    const raw = api.config?.plugins?.entries?.["limits-openclaw"]?.config ?? {};
     // baseUrl defaults to static; not in wizard or schema so users don't edit it (config override only for tests/advanced)
     const baseUrl = raw.baseUrl ?? DEFAULTS.baseUrl;
     const timeoutMs = typeof process.env.LIMITS_ENFORCER_TIMEOUT_MS === "string"

package/dist/configure-wizard.js

@@ -1,10 +1,9 @@
 import { createInterface } from "node:readline";
-import { spawn } from "node:child_process";
 import { dirname, join } from "node:path";
 import { fileURLToPath } from "node:url";
 import fs from "node:fs";
 import os from "node:os";
-const CONFIG_PREFIX = 'plugins.entries["limits-openclaw "].config';
+const CONFIG_PREFIX = 'plugins.entries["limits-openclaw"].config';
 const SKILL_NAME = "limits-policy-generator";
 function getPluginRoot() {
     const currentDir = dirname(fileURLToPath(import.meta.url));
@@ -31,6 +30,71 @@ function copySkillToWorkspace() {
         console.error("\nFailed to copy skill:", err instanceof Error ? err.message : String(err));
     }
 }
+function getConfigFilePath() {
+    return process.env.OPENCLAW_CONFIG || join(os.homedir(), ".openclaw", "openclaw.json");
+}
+function readConfigFile() {
+    try {
+        return JSON.parse(fs.readFileSync(getConfigFilePath(), "utf8"));
+    }
+    catch {
+        return {};
+    }
+}
+function writeConfigFile(cfg) {
+    fs.writeFileSync(getConfigFilePath(), JSON.stringify(cfg, null, 2) + "\n", "utf8");
+}
+function parseConfigPath(path) {
+    const segments = [];
+    const re = /\[["']([^"']+)["']\]|\.?([^.[\]]+)/g;
+    let m;
+    while ((m = re.exec(path)) !== null) {
+        const seg = m[1] ?? m[2];
+        if (seg)
+            segments.push(seg);
+    }
+    return segments;
+}
+function configGet(cfg, path) {
+    let cur = cfg;
+    for (const seg of parseConfigPath(path)) {
+        if (cur == null || typeof cur !== "object")
+            return undefined;
+        cur = cur[seg];
+    }
+    return cur;
+}
+function configSet(cfg, path, value) {
+    const segments = parseConfigPath(path);
+    let cur = cfg;
+    for (let i = 0; i < segments.length - 1; i++) {
+        const seg = segments[i];
+        if (cur[seg] == null || typeof cur[seg] !== "object")
+            cur[seg] = {};
+        cur = cur[seg];
+    }
+    cur[segments[segments.length - 1]] = value;
+}
+function runConfigSet(key, jsonValue) {
+    const fullKey = `${CONFIG_PREFIX}.${key}`;
+    const cfg = readConfigFile();
+    configSet(cfg, fullKey, JSON.parse(jsonValue));
+    writeConfigFile(cfg);
+    console.log(`Updated ${fullKey}.`);
+    return Promise.resolve();
+}
+function runConfigGet(fullKey) {
+    const cfg = readConfigFile();
+    const val = configGet(cfg, fullKey);
+    return Promise.resolve(val !== undefined ? JSON.stringify(val) : "");
+}
+function runConfigSetFull(fullKey, jsonValue) {
+    const cfg = readConfigFile();
+    configSet(cfg, fullKey, JSON.parse(jsonValue));
+    writeConfigFile(cfg);
+    console.log(`Updated ${fullKey}.`);
+    return Promise.resolve();
+}
 export function ask(rl, question, defaultValue = "") {
     const prompt = defaultValue ? `${question} [${defaultValue}]: ` : `${question}: `;
     return new Promise((resolve) => {
@@ -39,41 +103,8 @@ export function ask(rl, question, defaultValue = "") {
         });
     });
 }
-function runConfigSet(key, value) {
-    return new Promise((resolve, reject) => {
-        const fullKey = `${CONFIG_PREFIX}.${key}`;
-        const child = spawn("openclaw", ["config", "set", fullKey, value], {
-            stdio: "inherit",
-            shell: true,
-        });
-        child.on("close", (code) => code === 0 ? resolve() : reject(new Error(`openclaw config set exited ${code}`)));
-        child.on("error", reject);
-    });
-}
-function runConfigGet(fullKey) {
-    return new Promise((resolve) => {
-        const child = spawn("openclaw", ["config", "get", fullKey], {
-            stdio: ["inherit", "pipe", "inherit"],
-            shell: true,
-        });
-        let out = "";
-        child.stdout?.on("data", (d) => (out += d.toString()));
-        child.on("close", () => resolve(out.trim()));
-        child.on("error", () => resolve(""));
-    });
-}
-function runConfigSetFull(fullKey, value) {
-    return new Promise((resolve, reject) => {
-        const child = spawn("openclaw", ["config", "set", fullKey, value], {
-            stdio: "inherit",
-            shell: true,
-        });
-        child.on("close", (code) => code === 0 ? resolve() : reject(new Error(`openclaw config set exited ${code}`)));
-        child.on("error", reject);
-    });
-}
 /**
- * Run the configure wizard (interactive prompts, then openclaw config set).
+ * Run the configure wizard (interactive prompts, then direct config file write).
  * Call this when the user runs `openclaw limits configure` or after link.
  */
 export async function runConfigureWizard() {
@@ -82,7 +113,7 @@ export async function runConfigureWizard() {
     console.log("   Base URL is fixed. apiToken is used for /openclaw/enforce and policy-generator tools. Run after: openclaw plugins install -l <path>\n");
     const apiToken = await ask(rl, "Organization API key (apiToken) — required for enforce and policy-generator tools", process.env.LIMITS_ENFORCER_API_TOKEN ?? "");
     const sandboxAnswer = await ask(rl, "Do you run agents inside a sandbox?", "N");
-    const addSkillAnswer = await ask(rl, "Add limits-policy-generator skill to OpenClaw workspace?", "Y");
+    const addSkillAnswer = await ask(rl, "Add limits-policy-generator skill to OpenClaw workspace? (Recommended)", "Y");
     rl.close();
     if (apiToken)
         await runConfigSet("apiToken", JSON.stringify(apiToken));
@@ -100,18 +131,18 @@ export async function runConfigureWizard() {
                 allow = [];
             }
         }
-        if (allow.includes("limits-openclaw ")) {
-            console.log("\nlimits-openclaw  is already in tools.sandbox.tools.allow, skipping.");
+        if (allow.includes("limits-openclaw")) {
+            console.log("\nlimits-openclaw is already in tools.sandbox.tools.allow, skipping.");
         }
         else {
-            allow.push("limits-openclaw ");
+            allow.push("limits-openclaw");
             await runConfigSetFull(SANDBOX_ALLOW_KEY, JSON.stringify(allow));
-            console.log("\nAdded limits-openclaw  to tools.sandbox.tools.allow.");
+            console.log("\nAdded limits-openclaw to tools.sandbox.tools.allow.");
         }
     }
     const addSkillYes = /^y(es)?$/i.test(addSkillAnswer.trim());
     if (addSkillYes)
         copySkillToWorkspace();
     console.log("\nDone. Restart the gateway if it is running.");
-    console.log('Verify: openclaw config get plugins.entries["limits-openclaw "]\n');
+    console.log('Verify: openclaw config get plugins.entries["limits-openclaw"]\n');
 }

package/dist/index.js

@@ -1,5 +1,5 @@
 /**
- * limits-openclaw : register(api) entrypoint — wires before_tool_call and after_tool_call.
+ * limits-openclaw: register(api) entrypoint — wires before_tool_call and after_tool_call.
  */
 import { loadConfig } from "./config.js";
 import { callEnforce } from "./enforcer.js";
@@ -182,7 +182,7 @@ function registerPolicyTools(api) {
     log("policy-generator tools registered (limits_generate_create_policy, limits_generate_update_policy)");
 }
 export function register(api) {
-    log("limits-openclaw  loaded");
+    log("limits-openclaw loaded");
     if (typeof api.on !== "function") {
         log("api.on not available, hooks not registered");
         return;

package/dist/logger.js

@@ -1,7 +1,7 @@
 /**
- * Safe logger for limits-openclaw . Never logs apiToken, request body, or tool args.
+ * Safe logger for limits-openclaw. Never logs apiToken, request body, or tool args.
  */
-const PREFIX = "[limits-openclaw ]";
+const PREFIX = "[limits-openclaw]";
 export function log(message, ...safeArgs) {
     const safe = safeArgs.map((a) => typeof a === "string" || typeof a === "number" || typeof a === "boolean"
         ? a

package/package.json

@@ -1,6 +1,6 @@
 {
-  "name": "limits-openclaw ",
-  "version": "0.0.11",
+  "name": "limits-openclaw",
+  "version": "0.0.13",
   "description": "Delegates policy enforcement to the Limits platform before and after every tool call.",
   "keywords": [
     "openclaw",
@@ -18,6 +18,7 @@
   },
   "files": [
     "dist",
+    "skills",
     "openclaw.plugin.json",
     "README.md",
     "LICENSE",

package/skills/limits-policy-generator/SKILL.md

@@ -0,0 +1,110 @@
+---
+name: limits-policy-generator
+description: "Generate and create or update policy rules on the Limits SaaS from natural language. Use when the user asks to add, change, or create policy rules enforced by the Limits backend."
+metadata: {"openclaw": {"emoji": "📜", "requires": {"config": ["plugins.entries[\"limits-openclaw\"].config.apiToken"]}}}
+---
+
+# Limits Policy Generator
+
+You have two tools for creating and updating policies on the Limits SaaS from natural language. They call the Limits backend so the user's enforcement rules are created or updated there (and apply to tool-call enforcement via the limits-openclaw plugin).
+
+## When to use this skill
+
+Use these tools when the user says things like:
+
+- "Create a policy that blocks all payment tools"
+- "Add a rule: never run bash with rm -rf"
+- "Generate a policy from this: block transactions over 500"
+- "Update my policy to also block stripe_* tools"
+- "I want to add a guardrail that redacts emails from tool output"
+- "Change the payment limit to 700"
+
+## Tools available
+
+### `limits_generate_create_policy`
+
+Generate a new policy from natural language and create it on the Limits backend. Use when the user wants to **add** a new policy.
+
+```
+limits_generate_create_policy(
+  input="Block any tool whose name starts with stripe_ or payment_. Allow all other tools.",
+  mode="INSTRUCTIONS",
+  tools=["stripe_.*", "payment_.*"]
+)
+```
+
+- **input** (required): Natural-language description of the policy (what to block, allow, or require).
+- **mode** (optional): `"INSTRUCTIONS"` | `"CONDITIONS"` | `"GUARDRAIL"`. Default is INSTRUCTIONS. Use GUARDRAIL for rules that scan tool **output** (e.g. redact PII).
+- **tools** (required): Which tool calls this policy applies to. See "Where to apply" section below.
+
+### `limits_generate_update_policy`
+
+Generate updates from natural language and apply them to an **existing** policy. Use when the user wants to **change** a policy they already have.
+
+```
+limits_generate_update_policy(
+  policyId="uuid-of-existing-policy",
+  input="Also block transfer_money. Keep the existing amount limit.",
+  mode="INSTRUCTIONS"
+)
+```
+
+- **policyId** (required): The ID of the existing policy to update (UUID).
+- **input** (required): Natural-language description of the changes or additions.
+- **mode** (optional): Same as above.
+- **Note:** Update does **not** change which tools the policy applies to — scope is fixed at creation time. If the user wants to change scope, they should create a new policy.
+
+## Where to apply (tools parameter)
+
+The `tools` parameter on `limits_generate_create_policy` is **required** and controls which tool calls the policy is enforced on.
+
+### Values
+
+| Value | Meaning |
+|-------|---------|
+| `["*"]` | Apply to **all** tool calls / all requests |
+| `["<tool_name>"]` | Apply to the exact tool (use only names from the agent's actual tool list) |
+| `["<prefix>.*"]` | Apply to all tools whose name starts with that prefix (e.g. `payment_.*`) |
+
+Use `prefix.*` (dot-star) for prefix matching. The backend also accepts `prefix_*` and normalizes it to `prefix_.*`. **Use only tool names or prefixes that exist in the user's / agent's available tools** — do not invent names.
+
+### Ask-once logic (required)
+
+**Do not call `limits_generate_create_policy` until you know scope.** If the user did not say scope, ask once.
+
+- User says **"everywhere"**, **"all requests"**, **"globally"**, or **"all tools"** → use `["*"]` without asking.
+- User **explicitly names specific tools** (e.g. "for read_file", "payment tools", "stripe_*") → use those tools without asking.
+- User **does not say** "all" / "everywhere" / "globally" and **does not name any tools** (e.g. "create a policy if currency is JOD allow request", "create a policy that blocks payments") → you **must ask once** before calling the tool: _"Which tools should this policy apply to: all tool calls, or only specific tools? If specific, which tool names from your available tools?"_ Then call the tool with the user's answer.
+
+Do not assume scope. Do not call the create-policy tool immediately when the user only describes the rule (e.g. "if currency is JOD allow") without stating where it applies. Ask once, then call.
+
+### Tool names: use source of truth only
+
+When setting the `tools` parameter, use **only tool names from the agent's actual available tools** (the list of tools you have access to). Do not invent or assume tool names. If the user wants "specific tools", list the relevant tools from your real tool list and use those exact names (or prefix patterns like `name_.*` that match them). If you do not have a list of available tools, ask the user which tools should be in scope and use only names they confirm.
+
+## Recommended flow
+
+1. If the user wants a **new** policy:
+   - **First determine scope.** If the user did not say "all tools" / "everywhere" / "globally" and did not name specific tools, ask once: "Which tools should this apply to: all tool calls or specific tools? If specific, which ones?"
+   - Only then call `limits_generate_create_policy` with `input`, `tools` (from user or from their actual tool list), and optionally `mode`.
+   - Confirm what was created and **where it applies** (e.g. "This policy applies to all tools" or "This policy applies to [tool names]").
+2. If the user wants to **change** an existing policy:
+   - Use `limits_generate_update_policy` with the policy id and the change description. (You may need to list or find the policy id first if the user says "update my payment policy".)
+   - Remind the user that **scope (which tools the policy applies to) cannot be changed via update** — it stays as set when the policy was created.
+3. Policies on the Limits backend apply to tool-call enforcement (via limits-openclaw) for that organization.
+
+## Sandbox vs host
+
+**If you are running inside a sandbox:** The `limits_generate_create_policy` and `limits_generate_update_policy` tools are only available if the gateway config allows them in the sandbox (e.g. `tools.sandbox.tools.allow` includes `"limits-openclaw"`). If those tools are not in your tool list, you cannot invoke them from this environment.
+
+- **To run the policy tools from the sandbox:** The admin must add `limits-openclaw` to the agent allowlist and to `tools.sandbox.tools.allow` (see the limits-openclaw README). After that, you can call the tools from here.
+- **If the tools are still not available:** Tell the user to run the policy command on the **host** or an agent instance that has the Limits backend wired up and the tools allowed.
+
+## Configuration
+
+The plugin must be configured with:
+
+- **baseUrl**: Base URL of the Limits API (e.g. `https://api.limits.dev`). Used for enforce and policy-generator tools.
+- **apiToken**: Organization API key (Bearer) for the Limits backend. Used for enforce and policy-generator tools.
+
+Without these, the tools will not be available or will return an error asking the user to configure them.