npm - openclaw-airlock - Versions diffs - 0.4.7 - Mend

openclaw-airlock 0.4.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

package/README.md +406 -0
package/dist/cli/register.d.ts +22 -0
package/dist/cli/register.d.ts.map +1 -0
package/dist/cli/register.js +229 -0
package/dist/cli/register.js.map +1 -0
package/dist/client.d.ts +136 -0
package/dist/client.d.ts.map +1 -0
package/dist/client.js +474 -0
package/dist/client.js.map +1 -0
package/dist/commands/airlockStatus.d.ts +20 -0
package/dist/commands/airlockStatus.d.ts.map +1 -0
package/dist/commands/airlockStatus.js +48 -0
package/dist/commands/airlockStatus.js.map +1 -0
package/dist/config.d.ts +48 -0
package/dist/config.d.ts.map +1 -0
package/dist/config.js +104 -0
package/dist/config.js.map +1 -0
package/dist/crypto.d.ts +41 -0
package/dist/crypto.d.ts.map +1 -0
package/dist/crypto.js +112 -0
package/dist/crypto.js.map +1 -0
package/dist/hooks/beforeTool.d.ts +46 -0
package/dist/hooks/beforeTool.d.ts.map +1 -0
package/dist/hooks/beforeTool.js +112 -0
package/dist/hooks/beforeTool.js.map +1 -0
package/dist/index.d.ts +50 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +88 -0
package/dist/index.js.map +1 -0
package/dist/state.d.ts +44 -0
package/dist/state.d.ts.map +1 -0
package/dist/state.js +79 -0
package/dist/state.js.map +1 -0
package/dist/tools/checkStatus.d.ts +42 -0
package/dist/tools/checkStatus.d.ts.map +1 -0
package/dist/tools/checkStatus.js +67 -0
package/dist/tools/checkStatus.js.map +1 -0
package/dist/tools/requestApproval.d.ts +63 -0
package/dist/tools/requestApproval.d.ts.map +1 -0
package/dist/tools/requestApproval.js +85 -0
package/dist/tools/requestApproval.js.map +1 -0
package/openclaw.plugin.json +69 -0
package/package.json +61 -0

package/dist/commands/airlockStatus.js ADDED Viewed

@@ -0,0 +1,48 @@
+/**
+ * Command: airlock-status — Diagnostic slash command.
+ *
+ * Shows the current Airlock configuration, gateway connectivity,
+ * pairing status, and enforcement settings.
+ */
+import { loadPairingState } from "../state.js";
+/** Command definition for OpenClaw registration. */
+export const airlockStatusCommandDef = {
+    name: "airlock-status",
+    description: "Show Airlock security gateway status and configuration",
+};
+/**
+ * Register the /airlock-status command with the OpenClaw plugin API.
+ */
+export function registerAirlockStatusCommand(api, client, config) {
+    api.registerCommand(airlockStatusCommandDef, async () => {
+        const health = await client.checkHealth();
+        const persistedState = await loadPairingState();
+        const lines = [
+            "═══ Airlock Status ═══",
+            "",
+            `Gateway URL:     ${config.gatewayUrl}`,
+            `Connectivity:    ${health.connected ? "✓ Connected" : `✗ Unreachable (${health.error ?? "unknown"})`}`,
+            health.serverTime ? `Server Time:     ${health.serverTime}` : "",
+            "",
+            `Enforcer ID:     ${config.enforcerId}`,
+            `Workspace:       ${config.workspaceName}`,
+            `Execution Mode:  ${config.executionMode}`,
+            `Fail Mode:       ${config.failMode}`,
+            `Timeout:         ${config.timeoutMs / 1000}s`,
+            `Poll Interval:   ${config.pollIntervalMs}ms`,
+            "",
+            `Auth (PAT):      ${config.pat ? "✓ Configured" : "✗ Not set"}`,
+            `Auth (Client):   ${config.clientId ? `✓ ${config.clientId}` : "✗ Not set"}`,
+            "",
+            `Pairing:         ${config.routingToken ? "✓ Paired" : "✗ Not paired"}`,
+            `Encryption Key:  ${config.encryptionKey ? "✓ Available" : "✗ Not available"}`,
+            `State File:      ${persistedState ? `✓ Persisted (${persistedState.pairedAt})` : "✗ No state on disk"}`,
+            "",
+            `Protected Tools: ${config.protectedTools.length > 0
+                ? config.protectedTools.join(", ")
+                : "(none — use requestApproval tool for explicit control)"}`,
+        ];
+        return lines.filter((l) => l !== undefined).join("\n");
+    });
+}
+//# sourceMappingURL=airlockStatus.js.map

package/dist/commands/airlockStatus.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"airlockStatus.js","sourceRoot":"","sources":["../../src/commands/airlockStatus.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE/C,oDAAoD;AACpD,MAAM,CAAC,MAAM,uBAAuB,GAAG;IACrC,IAAI,EAAE,gBAAgB;IACtB,WAAW,EAAE,wDAAwD;CACtE,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,4BAA4B,CAC1C,GAAgF,EAChF,MAAqB,EACrB,MAAqB;IAErB,GAAG,CAAC,eAAe,CAAC,uBAAuB,EAAE,KAAK,IAAI,EAAE;QACtD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,WAAW,EAAE,CAAC;QAC1C,MAAM,cAAc,GAAG,MAAM,gBAAgB,EAAE,CAAC;QAEhD,MAAM,KAAK,GAAa;YACtB,wBAAwB;YACxB,EAAE;YACF,oBAAoB,MAAM,CAAC,UAAU,EAAE;YACvC,oBAAoB,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,kBAAkB,MAAM,CAAC,KAAK,IAAI,SAAS,GAAG,EAAE;YACvG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,oBAAoB,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE;YAChE,EAAE;YACF,oBAAoB,MAAM,CAAC,UAAU,EAAE;YACvC,oBAAoB,MAAM,CAAC,aAAa,EAAE;YAC1C,oBAAoB,MAAM,CAAC,aAAa,EAAE;YAC1C,oBAAoB,MAAM,CAAC,QAAQ,EAAE;YACrC,oBAAoB,MAAM,CAAC,SAAS,GAAG,IAAI,GAAG;YAC9C,oBAAoB,MAAM,CAAC,cAAc,IAAI;YAC7C,EAAE;YACF,oBAAoB,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,WAAW,EAAE;YAC/D,oBAAoB,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE;YAC5E,EAAE;YACF,oBAAoB,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,cAAc,EAAE;YACvE,oBAAoB,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,iBAAiB,EAAE;YAC9E,oBAAoB,cAAc,CAAC,CAAC,CAAC,gBAAgB,cAAc,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,oBAAoB,EAAE;YACxG,EAAE;YACF,oBAAoB,MAAM,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC;gBAClD,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC;gBAClC,CAAC,CAAC,wDAAwD,EAAE;SAC/D,CAAC;QAEF,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/config.d.ts ADDED Viewed

@@ -0,0 +1,48 @@
+/**
+ * Airlock Plugin Config — parse, validate, and apply defaults.
+ *
+ * Config comes from OpenClaw's plugin config mechanism (openclaw.plugin.json schema).
+ * Auth: PAT + ClientId/ClientSecret. Pairing: pre-generated device code.
+ */
+/** Strongly-typed config for the Airlock OpenClaw plugin. */
+export interface AirlockConfig {
+    /** Airlock Gateway base URL (e.g. "https://gw.airlocks.io"). */
+    gatewayUrl: string;
+    /** Unique identifier for this enforcer instance. */
+    enforcerId: string;
+    /** Personal Access Token for user authentication. */
+    pat?: string;
+    /** Enforcer App Client ID. */
+    clientId?: string;
+    /** Enforcer App Client Secret. */
+    clientSecret?: string;
+    /** Pre-generated device pairing code. */
+    pairingCode?: string;
+    /** Human-readable workspace name. */
+    workspaceName: string;
+    /** Approval timeout in milliseconds (default: 300000 = 5 min). */
+    timeoutMs: number;
+    /** Decision poll interval in milliseconds (default: 3000). */
+    pollIntervalMs: number;
+    /** Behavior on timeout/error: "open" = allow, "closed" = block. */
+    failMode: "open" | "closed";
+    /** Tool names requiring approval (empty = none protected, opt-in). */
+    protectedTools: string[];
+    /** How to wait for decisions: "poll" (default) or "webhook" (future). */
+    executionMode: "poll" | "webhook";
+    /** Routing token from completed pairing. */
+    routingToken?: string;
+    /** AES-256-GCM encryption key (base64url) derived via X25519 ECDH. */
+    encryptionKey?: string;
+}
+/**
+ * Parse raw config from OpenClaw plugin context, validate required fields,
+ * and apply defaults.
+ *
+ * @throws Error if required fields are missing or values are invalid.
+ */
+export declare function loadAndValidateConfig(raw: Record<string, unknown>): AirlockConfig;
+export declare class ConfigError extends Error {
+    constructor(message: string);
+}
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,6DAA6D;AAC7D,MAAM,WAAW,aAAa;IAC5B,gEAAgE;IAChE,UAAU,EAAE,MAAM,CAAC;IACnB,oDAAoD;IACpD,UAAU,EAAE,MAAM,CAAC;IACnB,qDAAqD;IACrD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,8BAA8B;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kCAAkC;IAClC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,yCAAyC;IACzC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,qCAAqC;IACrC,aAAa,EAAE,MAAM,CAAC;IACtB,kEAAkE;IAClE,SAAS,EAAE,MAAM,CAAC;IAClB,8DAA8D;IAC9D,cAAc,EAAE,MAAM,CAAC;IACvB,mEAAmE;IACnE,QAAQ,EAAE,MAAM,GAAG,QAAQ,CAAC;IAC5B,sEAAsE;IACtE,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,yEAAyE;IACzE,aAAa,EAAE,MAAM,GAAG,SAAS,CAAC;IAGlC,4CAA4C;IAC5C,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,sEAAsE;IACtE,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,aAAa,CAwEjF;AAID,qBAAa,WAAY,SAAQ,KAAK;gBACxB,OAAO,EAAE,MAAM;CAI5B"}

package/dist/config.js ADDED Viewed

@@ -0,0 +1,104 @@
+/**
+ * Airlock Plugin Config — parse, validate, and apply defaults.
+ *
+ * Config comes from OpenClaw's plugin config mechanism (openclaw.plugin.json schema).
+ * Auth: PAT + ClientId/ClientSecret. Pairing: pre-generated device code.
+ */
+/**
+ * Parse raw config from OpenClaw plugin context, validate required fields,
+ * and apply defaults.
+ *
+ * @throws Error if required fields are missing or values are invalid.
+ */
+export function loadAndValidateConfig(raw) {
+    // ── Required fields ──
+    const gatewayUrl = requireString(raw, "gatewayUrl", "Gateway URL is required");
+    if (!/^https?:\/\//i.test(gatewayUrl)) {
+        throw new ConfigError("gatewayUrl must start with http:// or https://");
+    }
+    const enforcerId = requireString(raw, "enforcerId", "Enforcer ID is required");
+    // ── Auth: at least PAT or clientId+clientSecret ──
+    const pat = optionalString(raw, "pat");
+    const clientId = optionalString(raw, "clientId");
+    const clientSecret = optionalString(raw, "clientSecret");
+    if (!pat && !clientId) {
+        throw new ConfigError("Authentication required: provide either 'pat' (Personal Access Token) " +
+            "or 'clientId' + 'clientSecret' (Enforcer App credentials)");
+    }
+    if (clientId && !clientSecret) {
+        throw new ConfigError("'clientSecret' is required when 'clientId' is provided");
+    }
+    // ── Optional fields with defaults ──
+    const pairingCode = optionalString(raw, "pairingCode");
+    const workspaceName = optionalString(raw, "workspaceName") ?? "OpenClaw Workspace";
+    const timeoutMs = optionalNumber(raw, "timeoutMs") ?? 300_000;
+    const pollIntervalMs = Math.max(1000, optionalNumber(raw, "pollIntervalMs") ?? 3000);
+    const rawFailMode = optionalString(raw, "failMode") ?? "closed";
+    if (rawFailMode !== "open" && rawFailMode !== "closed") {
+        throw new ConfigError(`failMode must be "open" or "closed", got "${rawFailMode}"`);
+    }
+    const rawExecMode = optionalString(raw, "executionMode") ?? "poll";
+    if (rawExecMode !== "poll" && rawExecMode !== "webhook") {
+        throw new ConfigError(`executionMode must be "poll" or "webhook", got "${rawExecMode}"`);
+    }
+    if (rawExecMode === "webhook") {
+        throw new ConfigError("Webhook mode is not implemented yet (planned for Sprint 26+). Use 'poll'.");
+    }
+    const rawProtectedTools = raw["protectedTools"];
+    let protectedTools = [];
+    if (Array.isArray(rawProtectedTools)) {
+        protectedTools = rawProtectedTools
+            .map((t) => String(t).trim())
+            .filter((t) => t.length > 0);
+    }
+    // ── Pairing state (may come from config or be restored from disk at runtime) ──
+    const routingToken = optionalString(raw, "routingToken");
+    const encryptionKey = optionalString(raw, "encryptionKey");
+    return {
+        gatewayUrl: gatewayUrl.replace(/\/$/, ""),
+        enforcerId,
+        pat,
+        clientId,
+        clientSecret,
+        pairingCode,
+        workspaceName,
+        timeoutMs,
+        pollIntervalMs,
+        failMode: rawFailMode,
+        protectedTools,
+        executionMode: rawExecMode,
+        routingToken,
+        encryptionKey,
+    };
+}
+// ── Helpers ──────────────────────────────────────────────────────
+export class ConfigError extends Error {
+    constructor(message) {
+        super(`[Airlock Config] ${message}`);
+        this.name = "ConfigError";
+    }
+}
+function requireString(raw, key, errorMsg) {
+    const value = raw[key];
+    if (typeof value !== "string" || value.trim().length === 0) {
+        throw new ConfigError(errorMsg);
+    }
+    return value.trim();
+}
+function optionalString(raw, key) {
+    const value = raw[key];
+    if (value === undefined || value === null)
+        return undefined;
+    if (typeof value !== "string")
+        return undefined;
+    const trimmed = value.trim();
+    return trimmed.length > 0 ? trimmed : undefined;
+}
+function optionalNumber(raw, key) {
+    const value = raw[key];
+    if (value === undefined || value === null)
+        return undefined;
+    const num = Number(value);
+    return Number.isFinite(num) ? num : undefined;
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAoCH;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB,CAAC,GAA4B;IAChE,wBAAwB;IACxB,MAAM,UAAU,GAAG,aAAa,CAAC,GAAG,EAAE,YAAY,EAAE,yBAAyB,CAAC,CAAC;IAC/E,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,WAAW,CAAC,gDAAgD,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,UAAU,GAAG,aAAa,CAAC,GAAG,EAAE,YAAY,EAAE,yBAAyB,CAAC,CAAC;IAE/E,oDAAoD;IACpD,MAAM,GAAG,GAAG,cAAc,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACvC,MAAM,QAAQ,GAAG,cAAc,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IACjD,MAAM,YAAY,GAAG,cAAc,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;IAEzD,IAAI,CAAC,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QACtB,MAAM,IAAI,WAAW,CACnB,wEAAwE;YACxE,2DAA2D,CAC5D,CAAC;IACJ,CAAC;IAED,IAAI,QAAQ,IAAI,CAAC,YAAY,EAAE,CAAC;QAC9B,MAAM,IAAI,WAAW,CAAC,wDAAwD,CAAC,CAAC;IAClF,CAAC;IAED,sCAAsC;IACtC,MAAM,WAAW,GAAG,cAAc,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IACvD,MAAM,aAAa,GAAG,cAAc,CAAC,GAAG,EAAE,eAAe,CAAC,IAAI,oBAAoB,CAAC;IACnF,MAAM,SAAS,GAAG,cAAc,CAAC,GAAG,EAAE,WAAW,CAAC,IAAI,OAAO,CAAC;IAC9D,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,cAAc,CAAC,GAAG,EAAE,gBAAgB,CAAC,IAAI,IAAI,CAAC,CAAC;IAErF,MAAM,WAAW,GAAG,cAAc,CAAC,GAAG,EAAE,UAAU,CAAC,IAAI,QAAQ,CAAC;IAChE,IAAI,WAAW,KAAK,MAAM,IAAI,WAAW,KAAK,QAAQ,EAAE,CAAC;QACvD,MAAM,IAAI,WAAW,CAAC,6CAA6C,WAAW,GAAG,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,WAAW,GAAG,cAAc,CAAC,GAAG,EAAE,eAAe,CAAC,IAAI,MAAM,CAAC;IACnE,IAAI,WAAW,KAAK,MAAM,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;QACxD,MAAM,IAAI,WAAW,CAAC,mDAAmD,WAAW,GAAG,CAAC,CAAC;IAC3F,CAAC;IACD,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;QAC9B,MAAM,IAAI,WAAW,CAAC,2EAA2E,CAAC,CAAC;IACrG,CAAC;IAED,MAAM,iBAAiB,GAAG,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAChD,IAAI,cAAc,GAAa,EAAE,CAAC;IAClC,IAAI,KAAK,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,CAAC;QACrC,cAAc,GAAG,iBAAiB;aAC/B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aAC5B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACjC,CAAC;IAED,iFAAiF;IACjF,MAAM,YAAY,GAAG,cAAc,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;IACzD,MAAM,aAAa,GAAG,cAAc,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;IAE3D,OAAO;QACL,UAAU,EAAE,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;QACzC,UAAU;QACV,GAAG;QACH,QAAQ;QACR,YAAY;QACZ,WAAW;QACX,aAAa;QACb,SAAS;QACT,cAAc;QACd,QAAQ,EAAE,WAAW;QACrB,cAAc;QACd,aAAa,EAAE,WAAW;QAC1B,YAAY;QACZ,aAAa;KACd,CAAC;AACJ,CAAC;AAED,oEAAoE;AAEpE,MAAM,OAAO,WAAY,SAAQ,KAAK;IACpC,YAAY,OAAe;QACzB,KAAK,CAAC,oBAAoB,OAAO,EAAE,CAAC,CAAC;QACrC,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;IAC5B,CAAC;CACF;AAED,SAAS,aAAa,CAAC,GAA4B,EAAE,GAAW,EAAE,QAAgB;IAChF,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3D,MAAM,IAAI,WAAW,CAAC,QAAQ,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;AACtB,CAAC;AAED,SAAS,cAAc,CAAC,GAA4B,EAAE,GAAW;IAC/D,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IACvB,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5D,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,SAAS,CAAC;IAChD,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC7B,OAAO,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;AAClD,CAAC;AAED,SAAS,cAAc,CAAC,GAA4B,EAAE,GAAW;IAC/D,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IACvB,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5D,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAC1B,OAAO,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;AAChD,CAAC"}

package/dist/crypto.d.ts ADDED Viewed

@@ -0,0 +1,41 @@
+/**
+ * Cryptographic utilities for Airlock plugin.
+ *
+ * - X25519 key pair generation and ECDH shared key derivation
+ * - Ed25519 decision signature verification
+ *
+ * These mirror the Claude Code enforcer's crypto.js and pairing.js patterns.
+ */
+export interface X25519KeyPair {
+    /** Base64url-encoded SPKI DER public key. */
+    publicKey: string;
+    /** Base64url-encoded PKCS8 DER private key. */
+    privateKey: string;
+}
+/** Generate an X25519 key pair for ECDH key exchange. */
+export declare function generateX25519KeyPair(): X25519KeyPair;
+/**
+ * Derive a shared AES-256-GCM key from local X25519 private key and remote X25519 public key.
+ *
+ * Uses ECDH + HKDF-SHA256 with info "HARP-E2E-AES256GCM" (matching all other Airlock SDKs).
+ *
+ * @param localPrivateKeyBase64Url PKCS8 DER private key (base64url).
+ * @param remotePublicKeyBase64Url SPKI DER or raw 32-byte public key (base64url).
+ * @returns AES-256-GCM key as base64url string.
+ */
+export declare function deriveSharedKey(localPrivateKeyBase64Url: string, remotePublicKeyBase64Url: string): string;
+export interface PairedKeyEntry {
+    /** Base64 public key (DER or raw Ed25519). */
+    publicKey: string;
+    /** Device identifier. */
+    deviceId: string;
+}
+/**
+ * Verify an Ed25519 decision signature.
+ *
+ * Canonical format: `${artifactHash}|${decision}|${nonce}`
+ *
+ * @returns True if the signature is valid, false otherwise.
+ */
+export declare function verifyDecisionSignature(pairedKeys: Record<string, PairedKeyEntry>, artifactHash: string, decision: string, nonce: string, signatureBase64Url: string, signerKeyId: string): boolean;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/crypto.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAwBH,MAAM,WAAW,aAAa;IAC5B,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;IAClB,+CAA+C;IAC/C,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,yDAAyD;AACzD,wBAAgB,qBAAqB,IAAI,aAAa,CAUrD;AAED;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAC7B,wBAAwB,EAAE,MAAM,EAChC,wBAAwB,EAAE,MAAM,GAC/B,MAAM,CAiCR;AAID,MAAM,WAAW,cAAc;IAC7B,8CAA8C;IAC9C,SAAS,EAAE,MAAM,CAAC;IAClB,yBAAyB;IACzB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CACrC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,EAC1C,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,EACb,kBAAkB,EAAE,MAAM,EAC1B,WAAW,EAAE,MAAM,GAClB,OAAO,CAoDT"}

package/dist/crypto.js ADDED Viewed

@@ -0,0 +1,112 @@
+/**
+ * Cryptographic utilities for Airlock plugin.
+ *
+ * - X25519 key pair generation and ECDH shared key derivation
+ * - Ed25519 decision signature verification
+ *
+ * These mirror the Claude Code enforcer's crypto.js and pairing.js patterns.
+ */
+import { generateKeyPairSync, createPrivateKey, createPublicKey, diffieHellman, hkdfSync, verify, } from "node:crypto";
+// ── Constants ───────────────────────────────────────────────────
+const AES_KEY_BYTES = 32;
+const HKDF_INFO = "HARP-E2E-AES256GCM";
+/** ASN.1 DER prefix for X25519 SPKI encoding (raw 32-byte key → DER). */
+const X25519_SPKI_HEADER = Buffer.from("302a300506032b656e032100", "hex");
+/** ASN.1 DER prefix for Ed25519 SPKI encoding (raw 32-byte key → DER). */
+const ED25519_SPKI_HEADER = Buffer.from("302a300506032b6570032100", "hex");
+/** Generate an X25519 key pair for ECDH key exchange. */
+export function generateX25519KeyPair() {
+    const { publicKey, privateKey } = generateKeyPairSync("x25519");
+    return {
+        publicKey: publicKey
+            .export({ type: "spki", format: "der" })
+            .toString("base64url"),
+        privateKey: privateKey
+            .export({ type: "pkcs8", format: "der" })
+            .toString("base64url"),
+    };
+}
+/**
+ * Derive a shared AES-256-GCM key from local X25519 private key and remote X25519 public key.
+ *
+ * Uses ECDH + HKDF-SHA256 with info "HARP-E2E-AES256GCM" (matching all other Airlock SDKs).
+ *
+ * @param localPrivateKeyBase64Url PKCS8 DER private key (base64url).
+ * @param remotePublicKeyBase64Url SPKI DER or raw 32-byte public key (base64url).
+ * @returns AES-256-GCM key as base64url string.
+ */
+export function deriveSharedKey(localPrivateKeyBase64Url, remotePublicKeyBase64Url) {
+    const privKey = createPrivateKey({
+        key: Buffer.from(localPrivateKeyBase64Url, "base64url"),
+        format: "der",
+        type: "pkcs8",
+    });
+    // Handle both raw 32-byte and full SPKI DER formats
+    let remotePubBuf = Buffer.from(remotePublicKeyBase64Url, "base64url");
+    if (remotePubBuf.length === 32) {
+        remotePubBuf = Buffer.concat([X25519_SPKI_HEADER, remotePubBuf]);
+    }
+    const pubKey = createPublicKey({
+        key: remotePubBuf,
+        format: "der",
+        type: "spki",
+    });
+    const sharedSecret = diffieHellman({
+        publicKey: pubKey,
+        privateKey: privKey,
+    });
+    const derivedKey = hkdfSync("sha256", sharedSecret, Buffer.alloc(0), // no salt
+    Buffer.from(HKDF_INFO, "utf-8"), // info
+    AES_KEY_BYTES);
+    return Buffer.from(derivedKey).toString("base64url");
+}
+/**
+ * Verify an Ed25519 decision signature.
+ *
+ * Canonical format: `${artifactHash}|${decision}|${nonce}`
+ *
+ * @returns True if the signature is valid, false otherwise.
+ */
+export function verifyDecisionSignature(pairedKeys, artifactHash, decision, nonce, signatureBase64Url, signerKeyId) {
+    // Look up the signer's public key (try multiple key ID variants)
+    const keyEntry = pairedKeys[signerKeyId] ??
+        pairedKeys[signerKeyId.replace(/^key-/, "")] ??
+        pairedKeys[`key-${signerKeyId}`];
+    if (!keyEntry) {
+        return false;
+    }
+    // Decode the signature from base64url → standard base64
+    let sigB64 = signatureBase64Url.replace(/-/g, "+").replace(/_/g, "/");
+    while (sigB64.length % 4 !== 0)
+        sigB64 += "=";
+    const signatureBytes = Buffer.from(sigB64, "base64");
+    // Build canonical message
+    const canonical = `${artifactHash}|${decision}|${nonce}`;
+    const message = Buffer.from(canonical, "utf-8");
+    const publicKeyBytes = Buffer.from(keyEntry.publicKey, "base64");
+    // Try verification with full DER SPKI first
+    try {
+        if (verify(null, message, { key: publicKeyBytes, format: "der", type: "spki" }, signatureBytes)) {
+            return true;
+        }
+    }
+    catch {
+        // Might be raw key, try wrapping with Ed25519 header
+    }
+    // Try with raw 32-byte key wrapped in Ed25519 SPKI header
+    try {
+        const keyObj = createPublicKey({
+            key: Buffer.concat([ED25519_SPKI_HEADER, publicKeyBytes]),
+            format: "der",
+            type: "spki",
+        });
+        if (verify(null, message, keyObj, signatureBytes)) {
+            return true;
+        }
+    }
+    catch {
+        // Verification failed
+    }
+    return false;
+}
+//# sourceMappingURL=crypto.js.map

package/dist/crypto.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"crypto.js","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,mBAAmB,EACnB,gBAAgB,EAChB,eAAe,EACf,aAAa,EACb,QAAQ,EACR,MAAM,GACP,MAAM,aAAa,CAAC;AAErB,mEAAmE;AAEnE,MAAM,aAAa,GAAG,EAAE,CAAC;AACzB,MAAM,SAAS,GAAG,oBAAoB,CAAC;AAEvC,yEAAyE;AACzE,MAAM,kBAAkB,GAAG,MAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE,KAAK,CAAC,CAAC;AAE1E,0EAA0E;AAC1E,MAAM,mBAAmB,GAAG,MAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE,KAAK,CAAC,CAAC;AAW3E,yDAAyD;AACzD,MAAM,UAAU,qBAAqB;IACnC,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IAChE,OAAO;QACL,SAAS,EAAE,SAAS;aACjB,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;aACvC,QAAQ,CAAC,WAAW,CAAC;QACxB,UAAU,EAAE,UAAU;aACnB,MAAM,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;aACxC,QAAQ,CAAC,WAAW,CAAC;KACzB,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,eAAe,CAC7B,wBAAgC,EAChC,wBAAgC;IAEhC,MAAM,OAAO,GAAG,gBAAgB,CAAC;QAC/B,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,wBAAwB,EAAE,WAAW,CAAC;QACvD,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,OAAO;KACd,CAAC,CAAC;IAEH,oDAAoD;IACpD,IAAI,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,wBAAwB,EAAE,WAAW,CAAC,CAAC;IACtE,IAAI,YAAY,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC/B,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,kBAAkB,EAAE,YAAY,CAAC,CAAC,CAAC;IACnE,CAAC;IAED,MAAM,MAAM,GAAG,eAAe,CAAC;QAC7B,GAAG,EAAE,YAAY;QACjB,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,MAAM;KACb,CAAC,CAAC;IAEH,MAAM,YAAY,GAAG,aAAa,CAAC;QACjC,SAAS,EAAE,MAAM;QACjB,UAAU,EAAE,OAAO;KACpB,CAAC,CAAC;IAEH,MAAM,UAAU,GAAG,QAAQ,CACzB,QAAQ,EACR,YAAY,EACZ,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAY,UAAU;IACrC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE,OAAO;IACxC,aAAa,CACd,CAAC;IAEF,OAAO,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACvD,CAAC;AAWD;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CACrC,UAA0C,EAC1C,YAAoB,EACpB,QAAgB,EAChB,KAAa,EACb,kBAA0B,EAC1B,WAAmB;IAEnB,iEAAiE;IACjE,MAAM,QAAQ,GACZ,UAAU,CAAC,WAAW,CAAC;QACvB,UAAU,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAC5C,UAAU,CAAC,OAAO,WAAW,EAAE,CAAC,CAAC;IAEnC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,KAAK,CAAC;IACf,CAAC;IAED,wDAAwD;IACxD,IAAI,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACtE,OAAO,MAAM,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC;QAAE,MAAM,IAAI,GAAG,CAAC;IAC9C,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAErD,0BAA0B;IAC1B,MAAM,SAAS,GAAG,GAAG,YAAY,IAAI,QAAQ,IAAI,KAAK,EAAE,CAAC;IACzD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IAChD,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAEjE,4CAA4C;IAC5C,IAAI,CAAC;QACH,IACE,MAAM,CACJ,IAAI,EACJ,OAAO,EACP,EAAE,GAAG,EAAE,cAAc,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,EACpD,cAAc,CACf,EACD,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,qDAAqD;IACvD,CAAC;IAED,0DAA0D;IAC1D,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,eAAe,CAAC;YAC7B,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,mBAAmB,EAAE,cAAc,CAAC,CAAC;YACzD,MAAM,EAAE,KAAK;YACb,IAAI,EAAE,MAAM;SACb,CAAC,CAAC;QACH,IAAI,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,cAAc,CAAC,EAAE,CAAC;YAClD,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,sBAAsB;IACxB,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/hooks/beforeTool.d.ts ADDED Viewed

@@ -0,0 +1,46 @@
+/**
+ * Hook: before_tool_call — automatic interception of protected tool executions.
+ *
+ * Uses OpenClaw's `before_tool_call` plugin hook event to intercept tools
+ * and require approval from the Airlock mobile approver.
+ *
+ * If `protectedTools` is empty, no tools are automatically protected
+ * (opt-in model). Use the requestApproval tool for explicit control.
+ *
+ * Checks DND (Do Not Disturb) policies before requesting approval —
+ * if a matching DND policy is active, the tool is auto-approved.
+ *
+ * Returns `{ block: true, blockReason }` to block, or `undefined` to allow.
+ */
+import type { AirlockClient } from "../client.js";
+import type { AirlockConfig } from "../config.js";
+/** Context passed to the before_tool_call hook by OpenClaw. */
+export interface BeforeToolContext {
+    /** The name of the tool being executed. */
+    toolName: string;
+    /** The tool's input parameters. */
+    params?: Record<string, unknown>;
+    /** The tool's input arguments (legacy compat). */
+    toolInput?: unknown;
+    /** Optional metadata about the tool call. */
+    metadata?: Record<string, unknown>;
+}
+/** Return value for before_tool_call — OpenClaw checks these fields. */
+export interface BeforeToolResult {
+    block?: boolean;
+    blockReason?: string;
+    params?: Record<string, unknown>;
+}
+/**
+ * Register the before_tool_call hook with the OpenClaw plugin API.
+ *
+ * @param api OpenClaw plugin API (api.registerHook)
+ * @param client AirlockClient instance
+ * @param config Validated AirlockConfig
+ */
+export declare function registerBeforeToolHook(api: {
+    on: (hookName: string, handler: (event: unknown, ctx?: unknown) => unknown, opts?: {
+        priority?: number;
+    }) => void;
+}, client: AirlockClient, config: AirlockConfig): void;
+//# sourceMappingURL=beforeTool.d.ts.map

package/dist/hooks/beforeTool.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"beforeTool.d.ts","sourceRoot":"","sources":["../../src/hooks/beforeTool.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAElD,+DAA+D;AAC/D,MAAM,WAAW,iBAAiB;IAChC,2CAA2C;IAC3C,QAAQ,EAAE,MAAM,CAAC;IACjB,mCAAmC;IACnC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,kDAAkD;IAClD,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,6CAA6C;IAC7C,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED,wEAAwE;AACxE,MAAM,WAAW,gBAAgB;IAC/B,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CACpC,GAAG,EAAE;IAAE,EAAE,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,GAAG,CAAC,EAAE,OAAO,KAAK,OAAO,EAAE,IAAI,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAA;CAAE,EAC1H,MAAM,EAAE,aAAa,EACrB,MAAM,EAAE,aAAa,GACpB,IAAI,CAsFN"}

package/dist/hooks/beforeTool.js ADDED Viewed

@@ -0,0 +1,112 @@
+/**
+ * Hook: before_tool_call — automatic interception of protected tool executions.
+ *
+ * Uses OpenClaw's `before_tool_call` plugin hook event to intercept tools
+ * and require approval from the Airlock mobile approver.
+ *
+ * If `protectedTools` is empty, no tools are automatically protected
+ * (opt-in model). Use the requestApproval tool for explicit control.
+ *
+ * Checks DND (Do Not Disturb) policies before requesting approval —
+ * if a matching DND policy is active, the tool is auto-approved.
+ *
+ * Returns `{ block: true, blockReason }` to block, or `undefined` to allow.
+ */
+/**
+ * Register the before_tool_call hook with the OpenClaw plugin API.
+ *
+ * @param api OpenClaw plugin API (api.registerHook)
+ * @param client AirlockClient instance
+ * @param config Validated AirlockConfig
+ */
+export function registerBeforeToolHook(api, client, config) {
+    // OpenClaw API: api.on(hookName, handler) → registerTypedHook → registry.typedHooks (callable)
+    // NOTE: api.registerHook() only adds to registry.hooks (metadata), never invoked by the hook runner.
+    api.on("before_tool_call", async (rawContext) => {
+        const context = rawContext;
+        const toolName = context.toolName;
+        console.log(`[Airlock] tool:before_call fired — tool=${toolName}`);
+        // ── Opt-in model: if protectedTools is empty, do nothing ──
+        if (config.protectedTools.length === 0) {
+            return {};
+        }
+        // ── Check if this tool is in the protected list ──
+        const isProtected = config.protectedTools.some((pattern) => matchToolName(toolName, pattern));
+        if (!isProtected) {
+            console.log(`[Airlock] Tool ${toolName} not protected — allowing`);
+            return {};
+        }
+        console.info(`[Airlock] Tool ${toolName} is PROTECTED — requesting approval`);
+        // ── Check DND (Do Not Disturb) policies ──
+        const dndActive = await client.isDndActive();
+        if (dndActive) {
+            console.info(`[Airlock] DND active — auto-approving tool ${toolName}`);
+            return {};
+        }
+        // ── Build a readable command text from tool input ──
+        const toolInput = context.params ?? context.toolInput;
+        let commandText;
+        try {
+            commandText = typeof toolInput === "string"
+                ? toolInput
+                : JSON.stringify(toolInput, null, 2);
+        }
+        catch {
+            commandText = String(toolInput);
+        }
+        // Truncate very long inputs
+        const maxLen = 2000;
+        if (commandText.length > maxLen) {
+            commandText = commandText.slice(0, maxLen) + "\n... (truncated)";
+        }
+        // ── Request approval from Airlock Gateway ──
+        const decision = await client.requestApproval({
+            actionType: toolName,
+            commandText,
+            description: `Tool: ${toolName}`,
+        });
+        // ── Apply decision using OpenClaw's { block, blockReason } response ──
+        if (decision.decision === "approved") {
+            console.info(`[Airlock] Tool ${toolName} APPROVED`);
+            return {};
+        }
+        if (decision.decision === "rejected") {
+            const reason = decision.reason ?? "no reason provided";
+            console.warn(`[Airlock] Tool ${toolName} DENIED — ${reason}`);
+            return {
+                block: true,
+                blockReason: `Airlock: Action denied by approver — ${reason}. Do NOT retry this action automatically.`,
+            };
+        }
+        // Timeout — apply failMode
+        if (config.failMode === "closed") {
+            console.warn(`[Airlock] Tool ${toolName} TIMEOUT — blocking (fail-closed)`);
+            return {
+                block: true,
+                blockReason: "Airlock: Approval timed out — blocking (fail-closed). Do NOT retry this action automatically.",
+            };
+        }
+        // failMode === "open" — allow silently
+        console.warn(`[Airlock] Tool ${toolName} TIMEOUT — allowing (fail-open)`);
+        return {};
+    });
+}
+/**
+ * Match a tool name against a pattern.
+ * Supports exact match and glob-like wildcards (*).
+ */
+function matchToolName(toolName, pattern) {
+    // Exact match
+    if (toolName === pattern)
+        return true;
+    // Simple wildcard: "shell.*" matches "shell.exec", "shell.run", etc.
+    if (pattern.includes("*")) {
+        const regex = new RegExp("^" + pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*") + "$");
+        return regex.test(toolName);
+    }
+    // Case-insensitive match
+    if (toolName.toLowerCase() === pattern.toLowerCase())
+        return true;
+    return false;
+}
+//# sourceMappingURL=beforeTool.js.map

package/dist/hooks/beforeTool.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"beforeTool.js","sourceRoot":"","sources":["../../src/hooks/beforeTool.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAwBH;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB,CACpC,GAA0H,EAC1H,MAAqB,EACrB,MAAqB;IAErB,+FAA+F;IAC/F,qGAAqG;IACrG,GAAG,CAAC,EAAE,CAAC,kBAAkB,EAAE,KAAK,EAAE,UAAmB,EAAE,EAAE;QACvD,MAAM,OAAO,GAAG,UAA+B,CAAC;QAChD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QAElC,OAAO,CAAC,GAAG,CAAC,2CAA2C,QAAQ,EAAE,CAAC,CAAC;QAEnE,6DAA6D;QAC7D,IAAI,MAAM,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvC,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,oDAAoD;QACpD,MAAM,WAAW,GAAG,MAAM,CAAC,cAAc,CAAC,IAAI,CAC5C,CAAC,OAAO,EAAE,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,OAAO,CAAC,CAC9C,CAAC;QAEF,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,kBAAkB,QAAQ,2BAA2B,CAAC,CAAC;YACnE,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,kBAAkB,QAAQ,qCAAqC,CAAC,CAAC;QAE9E,4CAA4C;QAC5C,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,WAAW,EAAE,CAAC;QAE7C,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,CAAC,IAAI,CAAC,8CAA8C,QAAQ,EAAE,CAAC,CAAC;YACvE,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,sDAAsD;QACtD,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,SAAS,CAAC;QACtD,IAAI,WAAmB,CAAC;QACxB,IAAI,CAAC;YACH,WAAW,GAAG,OAAO,SAAS,KAAK,QAAQ;gBACzC,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,WAAW,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;QAClC,CAAC;QAED,4BAA4B;QAC5B,MAAM,MAAM,GAAG,IAAI,CAAC;QACpB,IAAI,WAAW,CAAC,MAAM,GAAG,MAAM,EAAE,CAAC;YAChC,WAAW,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,GAAG,mBAAmB,CAAC;QACnE,CAAC;QAED,8CAA8C;QAC9C,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC;YAC5C,UAAU,EAAE,QAAQ;YACpB,WAAW;YACX,WAAW,EAAE,SAAS,QAAQ,EAAE;SACjC,CAAC,CAAC;QAEH,wEAAwE;QACxE,IAAI,QAAQ,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;YACrC,OAAO,CAAC,IAAI,CAAC,kBAAkB,QAAQ,WAAW,CAAC,CAAC;YACpD,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,IAAI,QAAQ,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;YACrC,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,IAAI,oBAAoB,CAAC;YACvD,OAAO,CAAC,IAAI,CAAC,kBAAkB,QAAQ,aAAa,MAAM,EAAE,CAAC,CAAC;YAC9D,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,WAAW,EAAE,wCAAwC,MAAM,2CAA2C;aACvG,CAAC;QACJ,CAAC;QAED,2BAA2B;QAC3B,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACjC,OAAO,CAAC,IAAI,CAAC,kBAAkB,QAAQ,mCAAmC,CAAC,CAAC;YAC5E,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,WAAW,EAAE,+FAA+F;aAC7G,CAAC;QACJ,CAAC;QAED,uCAAuC;QACvC,OAAO,CAAC,IAAI,CAAC,kBAAkB,QAAQ,iCAAiC,CAAC,CAAC;QAC1E,OAAO,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,SAAS,aAAa,CAAC,QAAgB,EAAE,OAAe;IACtD,cAAc;IACd,IAAI,QAAQ,KAAK,OAAO;QAAE,OAAO,IAAI,CAAC;IAEtC,qEAAqE;IACrE,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,KAAK,GAAG,IAAI,MAAM,CACtB,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,GAAG,CAC/E,CAAC;QACF,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC9B,CAAC;IAED,yBAAyB;IACzB,IAAI,QAAQ,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC,WAAW,EAAE;QAAE,OAAO,IAAI,CAAC;IAElE,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,50 @@
+/**
+ * Airlock Plugin for OpenClaw — Entry Point
+ *
+ * Registers all Airlock capabilities with the OpenClaw plugin system:
+ * - Config validation
+ * - Pairing state restoration from disk
+ * - Presence heartbeat
+ * - requestApproval tool (AI-callable)
+ * - checkStatus tool (AI-callable)
+ * - beforeTool hook (automatic enforcement with DND check)
+ * - /airlock-status command (diagnostics)
+ * - airlock setup CLI command
+ * - airlock pair CLI command
+ */
+interface OpenClawPluginAPI {
+    getConfig(): Record<string, unknown>;
+    registerTool(def: unknown, handler: (input: unknown) => Promise<unknown>): void;
+    registerHook(event: string, handler: (context: unknown) => Promise<unknown>, options?: {
+        name?: string;
+        description?: string;
+    }): void;
+    registerCommand(def: unknown, handler: () => Promise<string>): void;
+    registerCli(registrar: (ctx: {
+        program: unknown;
+        config: unknown;
+        workspaceDir: string;
+        logger: unknown;
+    }) => void | Promise<void>, opts?: {
+        commands?: string[];
+    }): void;
+    on(hookName: string, handler: (event: unknown, ctx?: unknown) => unknown, opts?: {
+        priority?: number;
+    }): void;
+}
+interface OpenClawPluginAPICompat extends Partial<OpenClawPluginAPI> {
+    pluginConfig?: Record<string, unknown>;
+}
+interface PluginEntryDefinition {
+    id: string;
+    name: string;
+    description: string;
+    register(api: OpenClawPluginAPICompat): void;
+}
+declare const _default: PluginEntryDefinition;
+export default _default;
+export type { AirlockConfig } from "./config.js";
+export type { AirlockClient, Decision, ApprovalPayload, HealthResult, ConsentResult, ConsentStatus } from "./client.js";
+export { loadAndValidateConfig, ConfigError } from "./config.js";
+export { createAirlockClient } from "./client.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAcH,UAAU,iBAAiB;IACzB,SAAS,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,YAAY,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC;IAChF,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IACtI,eAAe,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;IACpE,WAAW,CACT,SAAS,EAAE,CAAC,GAAG,EAAE;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,OAAO,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,OAAO,CAAA;KAAE,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,EACtH,IAAI,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,GAC7B,IAAI,CAAC;IACR,EAAE,CACA,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,GAAG,CAAC,EAAE,OAAO,KAAK,OAAO,EACnD,IAAI,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,GAC3B,IAAI,CAAC;CACT;AAED,UAAU,uBAAwB,SAAQ,OAAO,CAAC,iBAAiB,CAAC;IAClE,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACxC;AAED,UAAU,qBAAqB;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,GAAG,EAAE,uBAAuB,GAAG,IAAI,CAAC;CAC9C;;AAaD,wBAsEG;AAGH,YAAY,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AACjD,YAAY,EAAE,aAAa,EAAE,QAAQ,EAAE,eAAe,EAAE,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AACxH,OAAO,EAAE,qBAAqB,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AACjE,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC"}