openclaw-guardian 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 fatcatMaoFei
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,279 @@
+# openclaw-guardian
+
+> **The missing safety layer for AI agents.**
+
+## Why This Exists
+
+OpenClaw is powerful — it gives AI agents direct access to shell commands, file operations, email, browser automation, and more. That power is exactly what makes it useful, but it's also what makes people nervous.
+
+The community has been vocal: *"security nightmare"*, *"what if the AI deletes my files?"*, *"I don't trust it with my credentials"*. OpenClaw's existing safety (sandbox + allowlist + manual confirmation) only covers `exec`, and it's all-or-nothing — either you trust the agent completely, or you block everything.
+
+**openclaw-guardian** fills that gap. It sits between the AI's decision and the actual execution, using a two-tier blacklist to catch dangerous operations and LLM-based intent verification to confirm the user actually asked for them. Think of it as a security checkpoint that only stops you when you're carrying something dangerous — and even then, it just checks your ID before letting you through.
+
+The key insight: **99% of what an AI agent does is harmless** (reading files, fetching URLs, writing notes). Only ~1% is potentially dangerous (deleting files, running destructive commands, accessing secrets). Guardian only intervenes on that 1%, so you get safety without sacrificing speed.
+
+## How It Works
+
+```
+AI Agent wants to run a tool (e.g., exec "rm -rf /tmp/data")
+                    ↓
+        ┌───────────────────────┐
+        │   Blacklist Matcher   │  ← Keyword rules, 0ms, no model call
+        │   critical / warning  │
+        └───────────┬───────────┘
+                    ↓
+    ┌───────────────┼───────────────┐
+    ↓               ↓               ↓
+ No match        warning          critical
+ (just go)     (1 LLM vote)    (3 LLM votes)
+    ↓               ↓               ↓
+ Execute       1 vote check     3 parallel votes
+  0ms          ~1-2s            ~2-4s
+                    ↓               ↓
+              confirmed? →     ALL 3 confirmed?
+              yes: execute     yes: execute
+              no: block        no: block
+```
+
+### Two-Tier Blacklist
+
+| Tier | LLM Votes | Threshold | Latency | When |
+|------|-----------|-----------|---------|------|
+| No match | 0 | — | 0ms | Reading files, fetching URLs, normal operations |
+| Warning | 1 | 1/1 | ~1-2s | `sudo`, `rm -r`, `chmod 777`, writing to `.env` |
+| Critical | 3 | 3/3 | ~2-4s | `rm -rf /`, `mkfs`, `dd of=/dev/`, writing to `/etc/passwd` |
+
+### What Gets Flagged
+
+**Critical** (irreversible destruction or system compromise — needs 3/3 unanimous LLM confirmation):
+
+| Pattern | Why |
+|---------|-----|
+| `rm -rf` on system paths | Filesystem destruction |
+| `mkfs`, `dd of=/dev/` | Disk-level destruction |
+| Write to `/etc/passwd`, `/etc/shadow`, `/etc/sudoers` | System auth compromise |
+| `shutdown`, `reboot` | System availability |
+| `curl \| bash`, `base64 -d \| sh` | Remote code execution |
+| `xargs rm`, `find -delete` | Indirect bulk deletion |
+
+**Warning** (risky but possibly intentional — needs 1/1 LLM confirmation):
+
+| Pattern | Why |
+|---------|-----|
+| `sudo` | Privilege escalation |
+| `rm -r` (non-system paths) | Recursive deletion |
+| `chmod 777`, `chmod -R`, `chown -R` | Dangerous permissions |
+| `kill -9`, `killall`, `pkill` | Force kill processes |
+| `systemctl stop/disable` | Service disruption |
+| `eval` | Arbitrary code execution (review before running) |
+| Write to `.env`, `.ssh/`, `openclaw.json` | Sensitive file modification |
+
+### LLM Intent Verification
+
+When a blacklist rule matches, Guardian doesn't just block — it reads the recent conversation context and asks a lightweight LLM: **"Did the user explicitly request this operation?"**
+
+- Uses the cheapest/fastest model available from your existing OpenClaw config (prefers Haiku, GPT-4o-mini, Gemini Flash)
+- No separate API key needed — piggybacks on whatever you already have configured
+- If LLM is unavailable: critical → block (fail-safe), warning → ask user
+
+### Whitelist (Always Allowed)
+
+These commands are considered safe and will never be flagged, even if they appear inside a broader command:
+
+| Pattern | Why |
+|---------|-----|
+| `mkdir` | Creating directories is non-destructive |
+| `touch` | Creating empty files is non-destructive |
+| `tar`, `unzip`, `gzip`, `gunzip`, `bzip2`, `xz` | Archive extraction/compression — normal dev workflow |
+| `openclaw` (CLI) | OpenClaw's own CLI commands (e.g., `openclaw gateway status`) |
+
+Whitelist rules are checked **before** the blacklist. If a command matches a whitelist pattern, it passes through immediately with zero overhead.
+
+### Tool-Level Blacklist
+
+Guardian doesn't just inspect `exec`, `write`, and `edit` — it also scans tool calls for **any** tool (e.g., `message`, `browser`, database clients, email plugins). To avoid false positives on normal payloads, it only checks action-oriented fields: `action`, `method`, `command`, and `operation` — not the entire parameter object.
+
+**Critical** (3/3 unanimous LLM confirmation):
+
+| Pattern | Why |
+|---------|-----|
+| `batchDelete`, `expunge`, `emptyTrash`, `purge` | Bulk email deletion — irreversible mailbox destruction |
+| `DROP DATABASE`, `DROP TABLE`, `TRUNCATE`, `DELETE FROM` | Database destruction — irreversible data loss |
+
+**Warning** (1/1 LLM confirmation):
+
+| Pattern | Why |
+|---------|-----|
+| `delete`, `trash` | Single-item deletion — usually intentional but worth confirming |
+
+Everyday operations like `send`, `get`, `web_fetch`, `cron`, `snapshot`, etc. are completely unaffected — they never match any blacklist pattern.
+
+### Dual Protection Protocol (双重防护)
+
+Guardian provides two layers of protection that work together:
+
+**Layer 1 — Guardian Plugin (automatic):** Regex pattern matching + LLM intent verification. When a dangerous operation is detected, Guardian blocks the tool call and returns a rejection message to the agent.
+
+**Layer 2 — Agent Self-Discipline (behavioral):** When an agent receives a Guardian block notification, it **must immediately stop**, report the blocked command and reason to the human user, and **wait for explicit confirmation** before proceeding. The agent must not attempt to bypass, retry, or find alternative ways to execute the blocked operation.
+
+**The protection chain:**
+
+```
+Tool call → Regex match → Guardian blocks → Agent stops → Reports to human → Human decides → Continue or abort
+```
+
+This dual approach ensures that even if an agent is determined to perform a dangerous action, it cannot silently retry or work around the block. The human always stays in the loop for any operation Guardian considers risky.
+
+#### Recommended AGENTS.md Rule
+
+To activate Layer 2, add this rule to your `AGENTS.md` (or equivalent agent instructions file):
+
+```markdown
+### Guardian 双重防护协议（硬规则）
+1. **第一层（Guardian 插件）**：regex 初筛 + LLM 意图确认，自动拦截危险操作
+2. **第二层（Agent 自觉）**：当 Guardian 拦截命令时，agent 收到拦截通知后**必须立刻停下**，向用户报告被拦截的命令和原因，等待确认后才能继续。禁止自行绕过、重试或换方式执行被拦截的操作。
+3. **防护链**：regex 初筛 → Guardian 拦截 → agent 停下 → 人类确认 → 继续/放弃
+```
+
+This ensures the agent treats Guardian blocks as hard stops rather than soft suggestions.
+
+### Why Not Just Use LLMs for Everything?
+
+Guardian's blacklist uses **zero-cost keyword rules** — no model calls for pattern matching. Regex like `rm -rf /` → critical, `sudo` → warning is instant and deterministic. LLM verification is only triggered for the ~1% of operations that actually hit the blacklist, and its only job is confirming user intent — not scoring risk.
+
+## Quick Start (One Command)
+
+### 1. Clone into your OpenClaw workspace
+
+```bash
+cd ~/.openclaw/workspace
+git clone https://github.com/fatcatMaoFei/openclaw-guardian.git
+```
+
+### 2. Register the plugin
+
+Add to your `openclaw.json`:
+
+```json
+{
+  "plugins": {
+    "load": {
+      "paths": ["./openclaw-guardian"]
+    },
+    "entries": {
+      "openclaw-guardian": {
+        "enabled": true
+      }
+    }
+  }
+}
+```
+
+### 3. Restart
+
+```bash
+openclaw gateway restart
+```
+
+That's it. Guardian is now active. Every tool call goes through blacklist checking automatically.
+
+## Customization
+
+### Enable / Disable
+
+Edit `default-policies.json`:
+
+```json
+{
+  "enabled": true
+}
+```
+
+Set to `false` to disable Guardian entirely without uninstalling.
+
+### Blacklist Rules
+
+The blacklist is defined in `src/blacklist.ts` with two levels of rules:
+
+- **`CRITICAL_EXEC` / `CRITICAL_PATH`** — patterns that trigger 3-vote unanimous LLM verification
+- **`WARNING_EXEC` / `WARNING_PATH`** — patterns that trigger 1-vote LLM verification
+- **`SAFE_EXEC`** — whitelisted commands that skip blacklist entirely (e.g., `ls`, `cat`, `git status`)
+
+To add your own rules, add a regex + reason to the appropriate array. For example:
+
+```typescript
+// Add to WARNING_EXEC to flag any docker commands
+{ pattern: /\bdocker\s+(?:rm|rmi|system\s+prune)\b/, reason: "docker resource removal" },
+```
+
+### LLM Model Selection
+
+Guardian automatically picks the cheapest available model from your OpenClaw config. Preference order:
+
+1. `claude-haiku-4-5` (Anthropic)
+2. `gpt-4o-mini` (OpenAI)
+3. `gemini-2.0-flash` (Google)
+4. First available model (fallback)
+
+No extra configuration needed.
+
+## Audit Trail
+
+Every blacklist-matched operation is logged to `~/.openclaw/guardian-audit.jsonl` with SHA-256 hash chaining:
+
+```json
+{
+  "timestamp": "2026-02-24T09:30:00.000Z",
+  "toolName": "exec",
+  "blacklistLevel": "critical",
+  "blacklistReason": "rm -rf on root-level system path",
+  "pattern": "rm\\s+(-[a-zA-Z]*r[a-zA-Z]*\\s+|--recursive\\s+)\\/",
+  "userConfirmed": false,
+  "finalReason": "Only 1/3 confirmed (need 3)",
+  "hash": "a1b2c3...",
+  "prevHash": "d4e5f6..."
+}
+```
+
+Tamper-evident: each entry's hash includes the previous entry's hash. Break one link and the whole chain fails verification.
+
+## Architecture
+
+```
+openclaw-guardian/
+├── openclaw.plugin.json    # Plugin manifest (v2.0.0)
+├── index.ts                # Entry — registers before_tool_call hook, routes blacklist hits to LLM
+├── src/
+│   ├── blacklist.ts        # Two-tier keyword rules (critical/warning), 0ms, no model calls
+│   ├── llm-voter.ts        # LLM intent verification (single vote or 3-vote unanimous)
+│   └── audit-log.ts        # SHA-256 hash-chain audit logger
+├── default-policies.json   # Enable/disable toggle
+├── package.json
+└── tsconfig.json
+```
+
+### How It Hooks Into OpenClaw
+
+OpenClaw's agent loop: `Model → tool_call → Tool Executor → result → Model`
+
+Guardian registers a `before_tool_call` plugin hook. This hook fires **after** the model decides to call a tool but **before** the tool actually executes. If Guardian returns `{ block: true }`, the tool is stopped and the model receives a rejection message instead.
+
+This is the same hook interface OpenClaw uses internally for loop detection — battle-tested, async-safe, and zero modifications to core code.
+
+## Token Cost
+
+| Tier | % of Operations | Extra Cost |
+|------|----------------|------------|
+| No match (pass) | ~99% | 0 (no model call) |
+| Warning (1 vote) | ~0.5-1% | ~500 tokens per review |
+| Critical (3 votes) | <0.5% | ~1500 tokens per review |
+
+**Average overhead: near zero.** The vast majority of operations never hit the blacklist. When they do, Guardian uses the cheapest model available.
+
+## Status
+
+🚧 Under active development — contributions welcome.
+
+## License
+
+MIT

package/default-policies.json

@@ -0,0 +1,3 @@
+{
+  "enabled": true
+}

package/dist/index.d.ts

@@ -0,0 +1,13 @@
+/**
+ * OpenClaw Guardian v2 — Blacklist + LLM Intent Verification
+ *
+ * Flow:
+ *   tool call → only check exec/write/edit
+ *     → blacklist match? no → pass (99%)
+ *     → yes, critical → 3 LLM votes (all must confirm user intent)
+ *     → yes, warning  → 1 LLM vote (confirm user intent)
+ *     → LLM down → critical: block, warning: ask user
+ */
+import type { OpenClawPluginApi } from "openclaw/plugin-sdk";
+export default function setup(api: OpenClawPluginApi): void;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AA0B7D,MAAM,CAAC,OAAO,UAAU,KAAK,CAAC,GAAG,EAAE,iBAAiB,GAAG,IAAI,CAsE1D"}

package/dist/index.js

@@ -0,0 +1,96 @@
+/**
+ * OpenClaw Guardian v2 — Blacklist + LLM Intent Verification
+ *
+ * Flow:
+ *   tool call → only check exec/write/edit
+ *     → blacklist match? no → pass (99%)
+ *     → yes, critical → 3 LLM votes (all must confirm user intent)
+ *     → yes, warning  → 1 LLM vote (confirm user intent)
+ *     → LLM down → critical: block, warning: ask user
+ */
+import { readFileSync } from "node:fs";
+import { join, dirname, resolve, normalize } from "node:path";
+import { fileURLToPath } from "node:url";
+function canonicalizePath(raw) {
+    if (!raw)
+        return raw;
+    // Expand ~ to home dir
+    if (raw.startsWith("~/"))
+        raw = raw.replace("~", process.env.HOME ?? "/root");
+    // Resolve to absolute + normalize (removes ../ etc)
+    return normalize(resolve(raw));
+}
+import { checkExecBlacklist, checkPathBlacklist, checkToolBlacklist } from "./src/blacklist.js";
+import { initLlm, singleVote, multiVote } from "./src/llm-voter.js";
+import { initAuditLog, writeAuditEntry } from "./src/audit-log.js";
+function loadEnabled() {
+    try {
+        const dir = dirname(fileURLToPath(import.meta.url));
+        const raw = readFileSync(join(dir, "default-policies.json"), "utf-8");
+        return JSON.parse(raw).enabled !== false;
+    }
+    catch {
+        return true; // default on if config missing
+    }
+}
+export default function setup(api) {
+    if (!loadEnabled()) {
+        api.logger.info("[guardian] Disabled by policy");
+        return;
+    }
+    initAuditLog();
+    initLlm(api.config);
+    const log = api.logger;
+    log.info("[guardian] v2 active — blacklist + LLM intent verification");
+    api.on("before_tool_call", async (event, ctx) => {
+        const { toolName, params } = event;
+        // Only check exec, write, edit — everything else passes instantly
+        let match = null;
+        if (toolName === "exec") {
+            match = checkExecBlacklist((params?.command ?? ""));
+        }
+        else if (toolName === "write" || toolName === "edit") {
+            const rawPath = (params?.file_path ?? params?.path ?? "");
+            const safePath = canonicalizePath(rawPath);
+            match = checkPathBlacklist(safePath);
+        }
+        if (!match) {
+            // Check tool-level blacklist (covers all other tools like email, message, etc.)
+            match = checkToolBlacklist(toolName, (params ?? {}));
+        }
+        if (!match)
+            return; // 99% of calls end here
+        const detail = toolName === "exec"
+            ? (params?.command ?? "").toString().slice(0, 120)
+            : (params?.file_path ?? params?.path ?? "").toString().slice(0, 120);
+        log.warn(`[guardian] ⚠️ Blacklist hit: ${match.level.toUpperCase()} | tool=${toolName} | ${detail} | rule=${match.reason}`);
+        // Blacklist hit — verify user intent via LLM
+        const sessionKey = ctx?.sessionKey;
+        if (match.level === "critical") {
+            const result = await multiVote(toolName, params ?? {}, sessionKey, 3, 3);
+            writeAuditEntry(toolName, params ?? {}, match, result.confirmed, result.reason);
+            if (!result.confirmed) {
+                log.error(`[guardian] 🛑 BLOCKED CRITICAL | tool=${toolName} | ${detail} | votes=${result.reason}`);
+                return {
+                    block: true,
+                    blockReason: `🛡️ Guardian: 危险操作被拦截 — ${match.reason}。${result.reason}`,
+                };
+            }
+            log.info(`[guardian] ✅ CRITICAL passed (3/3 confirmed) | tool=${toolName} | ${detail}`);
+            return;
+        }
+        // Warning level: 1 vote
+        const result = await singleVote(toolName, params ?? {}, sessionKey);
+        writeAuditEntry(toolName, params ?? {}, match, result.confirmed, result.reason);
+        if (!result.confirmed) {
+            log.warn(`[guardian] 🚫 BLOCKED WARNING | tool=${toolName} | ${detail} | reason=${result.reason}`);
+            return {
+                block: true,
+                blockReason: `🛡️ Guardian: 此操作需要用户确认 — ${match.reason}。请先询问用户是否要执行此操作。`,
+            };
+        }
+        log.info(`[guardian] ✅ WARNING passed (user confirmed) | tool=${toolName} | ${detail}`);
+        return;
+    });
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,SAAS,gBAAgB,CAAC,GAAW;IACnC,IAAI,CAAC,GAAG;QAAE,OAAO,GAAG,CAAC;IACrB,uBAAuB;IACvB,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,CAAC;IAC9E,oDAAoD;IACpD,OAAO,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;AACjC,CAAC;AACD,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAChG,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpE,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAEnE,SAAS,WAAW;IAClB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QACpD,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,EAAE,uBAAuB,CAAC,EAAE,OAAO,CAAC,CAAC;QACtE,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,OAAO,KAAK,KAAK,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,CAAC,+BAA+B;IAC9C,CAAC;AACH,CAAC;AAED,MAAM,CAAC,OAAO,UAAU,KAAK,CAAC,GAAsB;IAClD,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;QACnB,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QACjD,OAAO;IACT,CAAC;IAED,YAAY,EAAE,CAAC;IACf,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACpB,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;IACvB,GAAG,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAC;IAEvE,GAAG,CAAC,EAAE,CAAC,kBAAkB,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE;QAC9C,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,KAAK,CAAC;QAEnC,kEAAkE;QAClE,IAAI,KAAK,GAAG,IAAI,CAAC;QAEjB,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,KAAK,GAAG,kBAAkB,CAAC,CAAC,MAAM,EAAE,OAAO,IAAI,EAAE,CAAW,CAAC,CAAC;QAChE,CAAC;aAAM,IAAI,QAAQ,KAAK,OAAO,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACvD,MAAM,OAAO,GAAG,CAAC,MAAM,EAAE,SAAS,IAAI,MAAM,EAAE,IAAI,IAAI,EAAE,CAAW,CAAC;YACpE,MAAM,QAAQ,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;YAC3C,KAAK,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACvC,CAAC;QAED,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,gFAAgF;YAChF,KAAK,GAAG,kBAAkB,CAAC,QAAQ,EAAE,CAAC,MAAM,IAAI,EAAE,CAA4B,CAAC,CAAC;QAClF,CAAC;QAED,IAAI,CAAC,KAAK;YAAE,OAAO,CAAC,wBAAwB;QAE5C,MAAM,MAAM,GAAG,QAAQ,KAAK,MAAM;YAChC,CAAC,CAAC,CAAC,MAAM,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;YAClD,CAAC,CAAC,CAAC,MAAM,EAAE,SAAS,IAAI,MAAM,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAEvE,GAAG,CAAC,IAAI,CAAC,gCAAgC,KAAK,CAAC,KAAK,CAAC,WAAW,EAAE,WAAW,QAAQ,MAAM,MAAM,WAAW,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QAE5H,6CAA6C;QAC7C,MAAM,UAAU,GAAG,GAAG,EAAE,UAAgC,CAAC;QAEzD,IAAI,KAAK,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;YAC/B,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,QAAQ,EAAE,MAAM,IAAI,EAAE,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;YACzE,eAAe,CAAC,QAAQ,EAAE,MAAM,IAAI,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;YAEhF,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;gBACtB,GAAG,CAAC,KAAK,CAAC,yCAAyC,QAAQ,MAAM,MAAM,YAAY,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;gBACpG,OAAO;oBACL,KAAK,EAAE,IAAI;oBACX,WAAW,EAAE,2BAA2B,KAAK,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE;iBACxE,CAAC;YACJ,CAAC;YACD,GAAG,CAAC,IAAI,CAAC,uDAAuD,QAAQ,MAAM,MAAM,EAAE,CAAC,CAAC;YACxF,OAAO;QACT,CAAC;QAED,wBAAwB;QACxB,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,QAAQ,EAAE,MAAM,IAAI,EAAE,EAAE,UAAU,CAAC,CAAC;QACpE,eAAe,CAAC,QAAQ,EAAE,MAAM,IAAI,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;QAEhF,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACtB,GAAG,CAAC,IAAI,CAAC,wCAAwC,QAAQ,MAAM,MAAM,aAAa,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;YACnG,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,WAAW,EAAE,6BAA6B,KAAK,CAAC,MAAM,kBAAkB;aACzE,CAAC;QACJ,CAAC;QACD,GAAG,CAAC,IAAI,CAAC,uDAAuD,QAAQ,MAAM,MAAM,EAAE,CAAC,CAAC;QACxF,OAAO;IACT,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/src/audit-log.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Audit Log — SHA-256 hash-chain append-only trail.
+ * Only logs blacklist-matched operations (not every tool call).
+ */
+import type { BlacklistMatch } from "./blacklist.js";
+export type AuditEntry = {
+    timestamp: string;
+    toolName: string;
+    blacklistLevel: string;
+    blacklistReason: string;
+    pattern: string;
+    userConfirmed: boolean;
+    finalReason: string;
+    hash: string;
+    prevHash: string;
+};
+export declare function initAuditLog(): void;
+export declare function writeAuditEntry(toolName: string, params: Record<string, unknown>, match: BlacklistMatch, userConfirmed: boolean, reason: string): void;
+//# sourceMappingURL=audit-log.d.ts.map

package/dist/src/audit-log.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-log.d.ts","sourceRoot":"","sources":["../../src/audit-log.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAMH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAErD,MAAM,MAAM,UAAU,GAAG;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,MAAM,CAAC;IACvB,eAAe,EAAE,MAAM,CAAC;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,EAAE,OAAO,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AA6BF,wBAAgB,YAAY,IAAI,IAAI,CAKnC;AAED,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,KAAK,EAAE,cAAc,EACrB,aAAa,EAAE,OAAO,EACtB,MAAM,EAAE,MAAM,GACb,IAAI,CAqBN"}

package/dist/src/audit-log.js

@@ -0,0 +1,64 @@
+/**
+ * Audit Log — SHA-256 hash-chain append-only trail.
+ * Only logs blacklist-matched operations (not every tool call).
+ */
+import { createHash } from "node:crypto";
+import { appendFileSync, readFileSync, mkdirSync, existsSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { homedir } from "node:os";
+let lastHash = "";
+let logPath = "";
+function getLogPath() {
+    if (logPath)
+        return logPath;
+    logPath = join(homedir(), ".openclaw", "guardian-audit.jsonl");
+    return logPath;
+}
+function computeHash(data) {
+    return createHash("sha256").update(data).digest("hex");
+}
+function recoverLastHash(path) {
+    try {
+        if (!existsSync(path))
+            return "";
+        const content = readFileSync(path, "utf-8").trim();
+        if (!content)
+            return "";
+        const lines = content.split("\n");
+        const lastLine = lines[lines.length - 1];
+        const entry = JSON.parse(lastLine);
+        return entry.hash ?? "";
+    }
+    catch {
+        return "";
+    }
+}
+export function initAuditLog() {
+    const path = getLogPath();
+    const dir = dirname(path);
+    if (!existsSync(dir))
+        mkdirSync(dir, { recursive: true });
+    lastHash = recoverLastHash(path);
+}
+export function writeAuditEntry(toolName, params, match, userConfirmed, reason) {
+    const entry = {
+        timestamp: new Date().toISOString(),
+        toolName,
+        blacklistLevel: match.level,
+        blacklistReason: match.reason,
+        pattern: match.pattern,
+        userConfirmed,
+        finalReason: reason,
+        prevHash: lastHash,
+    };
+    const hashInput = JSON.stringify(entry);
+    entry.hash = computeHash(hashInput);
+    lastHash = entry.hash;
+    try {
+        appendFileSync(getLogPath(), JSON.stringify(entry) + "\n", "utf-8");
+    }
+    catch (err) {
+        console.error(`[guardian] audit write failed: ${err}`);
+    }
+}
+//# sourceMappingURL=audit-log.js.map

package/dist/src/audit-log.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-log.js","sourceRoot":"","sources":["../../src/audit-log.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAC9E,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAelC,IAAI,QAAQ,GAAG,EAAE,CAAC;AAClB,IAAI,OAAO,GAAG,EAAE,CAAC;AAEjB,SAAS,UAAU;IACjB,IAAI,OAAO;QAAE,OAAO,OAAO,CAAC;IAC5B,OAAO,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,sBAAsB,CAAC,CAAC;IAC/D,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,WAAW,CAAC,IAAY;IAC/B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,eAAe,CAAC,IAAY;IACnC,IAAI,CAAC;QACH,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,OAAO,EAAE,CAAC;QACjC,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QACnD,IAAI,CAAC,OAAO;YAAE,OAAO,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAe,CAAC;QACjD,OAAO,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,UAAU,YAAY;IAC1B,MAAM,IAAI,GAAG,UAAU,EAAE,CAAC;IAC1B,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1D,QAAQ,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;AACnC,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,QAAgB,EAChB,MAA+B,EAC/B,KAAqB,EACrB,aAAsB,EACtB,MAAc;IAEd,MAAM,KAAK,GAAiD;QAC1D,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,QAAQ;QACR,cAAc,EAAE,KAAK,CAAC,KAAK;QAC3B,eAAe,EAAE,KAAK,CAAC,MAAM;QAC7B,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,aAAa;QACb,WAAW,EAAE,MAAM;QACnB,QAAQ,EAAE,QAAQ;KACnB,CAAC;IAEF,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACxC,KAAK,CAAC,IAAI,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IACpC,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC;IAEtB,IAAI,CAAC;QACH,cAAc,CAAC,UAAU,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;IACtE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,kCAAkC,GAAG,EAAE,CAAC,CAAC;IACzD,CAAC;AACH,CAAC"}

package/dist/src/blacklist.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Blacklist rules — pure pattern matching, no LLM involved.
+ * Two levels: "critical" (needs 3/3 LLM votes) and "warning" (needs 1/1).
+ *
+ * IMPORTANT: These patterns are checked against:
+ *   - exec: the command string
+ *   - write/edit: the file path
+ * The caller (index.ts) decides what text to pass in.
+ */
+export type BlacklistMatch = {
+    level: "critical" | "warning";
+    pattern: string;
+    reason: string;
+};
+/**
+ * Check a command (exec) against blacklist.
+ * Splits on shell operators and checks each segment.
+ * Returns null if no match (99% of calls).
+ */
+export declare function checkExecBlacklist(command: string): BlacklistMatch | null;
+/**
+ * Check a file path (write/edit) against blacklist.
+ * Returns null if no match.
+ */
+export declare function checkPathBlacklist(filePath: string): BlacklistMatch | null;
+/**
+ * Check any tool call's params against tool-level blacklist.
+ * Only checks specific param fields (not full serialization) to avoid false positives.
+ * Skips exec/write/edit (already handled by dedicated checkers).
+ * Returns null if no match.
+ */
+export declare function checkToolBlacklist(toolName: string, params: Record<string, unknown>): BlacklistMatch | null;
+//# sourceMappingURL=blacklist.d.ts.map

package/dist/src/blacklist.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"blacklist.d.ts","sourceRoot":"","sources":["../../src/blacklist.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,MAAM,cAAc,GAAG;IAC3B,KAAK,EAAE,UAAU,GAAG,SAAS,CAAC;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAiLF;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,cAAc,GAAG,IAAI,CA4BzE;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,cAAc,GAAG,IAAI,CAI1E;AAqBD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,cAAc,GAAG,IAAI,CAmB3G"}

package/dist/src/blacklist.js

@@ -0,0 +1,253 @@
+/**
+ * Blacklist rules — pure pattern matching, no LLM involved.
+ * Two levels: "critical" (needs 3/3 LLM votes) and "warning" (needs 1/1).
+ *
+ * IMPORTANT: These patterns are checked against:
+ *   - exec: the command string
+ *   - write/edit: the file path
+ * The caller (index.ts) decides what text to pass in.
+ */
+// ── CRITICAL: irreversible destruction or system compromise ────────
+// Needs 3/3 LLM votes confirming user intent to pass
+const CRITICAL_EXEC = [
+    // Filesystem destruction — only recursive rm on system paths
+    { pattern: /rm\s+(-[a-zA-Z]*r[a-zA-Z]*\s+|--recursive\s+)\/(?!tmp\/|home\/clawdbot\/)/, reason: "rm -rf on root-level system path" },
+    { pattern: /rm\s+(-[a-zA-Z]*r[a-zA-Z]*\s+|--recursive\s+)~\//, reason: "rm -rf on home directory" },
+    { pattern: /mkfs\b/, reason: "filesystem format (mkfs)" },
+    { pattern: /dd\s+if=.*of=\/dev\//, reason: "raw disk write (dd)" },
+    { pattern: />\s*\/dev\/sd/, reason: "redirect to block device" },
+    // System auth files (write/modify, not read)
+    { pattern: /(?:tee|>>?)\s*\/etc\/(?:passwd|shadow|sudoers)/, reason: "write to system auth file" },
+    { pattern: /sed\s+-i.*\/etc\/(?:passwd|shadow|sudoers)/, reason: "in-place edit of system auth file" },
+    // System shutdown
+    { pattern: /\b(?:shutdown|reboot)\b/, reason: "system shutdown/reboot" },
+    { pattern: /\binit\s+[06]\b/, reason: "system halt/reboot (init)" },
+    // Kill SSH (locks out remote access)
+    { pattern: /systemctl\s+(?:stop|disable)\s+sshd/, reason: "disable SSH (remote lockout)" },
+    // === BYPASS PREVENTION ===
+    // Absolute path to rm
+    { pattern: /\/bin\/rm\s+(-[a-zA-Z]*r[a-zA-Z]*)\s+/, reason: "rm via absolute path" },
+    { pattern: /\/usr\/bin\/rm\s+(-[a-zA-Z]*r[a-zA-Z]*)\s+/, reason: "rm via absolute path" },
+    // (eval, perl -e, ruby -e moved to WARNING)
+    // xargs with dangerous commands
+    { pattern: /xargs\s+.*\brm\b/, reason: "xargs rm (indirect deletion)" },
+    { pattern: /xargs\s+.*\bchmod\b/, reason: "xargs chmod (indirect permission change)" },
+    // find -exec with dangerous commands
+    { pattern: /find\s+.*-exec\s+.*\brm\b/, reason: "find -exec rm (indirect deletion)" },
+    { pattern: /find\s+.*-delete\b/, reason: "find -delete (bulk deletion)" },
+];
+const CRITICAL_PATH = [
+    { pattern: /^\/etc\/(?:passwd|shadow|sudoers)$/, reason: "write to system auth file" },
+    { pattern: /^\/boot\//, reason: "write to boot partition" },
+];
+// ── WARNING: risky but possibly intentional ────────────────────────
+// Needs 1/1 LLM vote confirming user intent to pass
+const WARNING_EXEC = [
+    // Recursive delete (non-system paths — CRITICAL already catches system paths)
+    { pattern: /rm\s+(-[a-zA-Z]*r[a-zA-Z]*)\s+/, reason: "recursive file deletion" },
+    // Privilege escalation
+    { pattern: /\bsudo\s+/, reason: "privilege escalation (sudo)" },
+    // Dangerous permissions
+    { pattern: /chmod\s+[47]77\b/, reason: "world-writable permission (chmod 777)" },
+    { pattern: /chmod\s+-R\s+/, reason: "recursive permission change" },
+    { pattern: /chown\s+-R\s+/, reason: "recursive ownership change" },
+    // Force kill
+    { pattern: /kill\s+-9\s+/, reason: "force kill process (SIGKILL)" },
+    { pattern: /\bkillall\s+/, reason: "killall processes" },
+    { pattern: /\bpkill\s+/, reason: "pkill processes" },
+    // Service management (only stop/disable — restart is less dangerous)
+    { pattern: /systemctl\s+(?:stop|disable)\s+/, reason: "systemctl stop/disable service" },
+    // Database destruction
+    { pattern: /DROP\s+(?:DATABASE|TABLE)\b/i, reason: "DROP DATABASE/TABLE" },
+    { pattern: /TRUNCATE\s+/i, reason: "TRUNCATE table" },
+    // Interpreter inline execution (only check eval — python/node/perl/ruby are normal dev tools)
+    { pattern: /\beval\s+/, reason: "eval execution (arbitrary code)" },
+    // Network/firewall changes
+    { pattern: /\biptables\s+/, reason: "firewall rule change (iptables)" },
+    { pattern: /\bufw\s+(?:allow|deny|delete|disable)\b/, reason: "firewall rule change (ufw)" },
+    // Crontab modification
+    { pattern: /\bcrontab\s+(-r|-e)\b/, reason: "crontab modification" },
+    // Disk operations
+    { pattern: /\bfdisk\s+/, reason: "disk partition operation" },
+    { pattern: /\bparted\s+/, reason: "disk partition operation" },
+    { pattern: /\bmount\s+/, reason: "filesystem mount operation" },
+    { pattern: /\bumount\s+/, reason: "filesystem unmount operation" },
+    // SSH key operations
+    { pattern: /ssh-keygen\s+/, reason: "SSH key generation/modification" },
+    // Environment variable manipulation that could affect security
+    { pattern: /export\s+(?:PATH|LD_PRELOAD|LD_LIBRARY_PATH)=/, reason: "security-sensitive environment variable change" },
+];
+const WARNING_PATH = [
+    { pattern: /^\/etc\//, reason: "write to /etc/ system config" },
+    { pattern: /^\/root\//, reason: "write to /root/ directory" },
+];
+// ── Safe Command Patterns (whitelist, checked before blacklist) ─────
+const SAFE_EXEC = [
+    // git rm --cached only removes from index, not filesystem
+    /^git\s+rm\s+.*--cached/,
+    // git operations are generally safe
+    /^git\s+(?:add|commit|push|pull|fetch|log|status|diff|branch|checkout|merge|rebase|stash|tag|remote|clone)\b/,
+    // echo/printf — ONLY safe if not piped to shell (pipe splits into separate segments)
+    /^(?:echo|printf)\s+/,
+    // read-only commands — exclude find (can be used with -exec/-delete)
+    /^(?:cat|head|tail|less|more|grep|ls|stat|file|wc|du|df|which|whereis|type|id|whoami|hostname|uname|date|uptime)\s*/,
+    // package info (not install)
+    /^(?:apt|dpkg|pip|npm)\s+(?:list|show|info|search)\b/,
+    // safe file operations (create only, no overwrite risk)
+    /^(?:mkdir|touch)\s+/,
+    // archive/compression (read-heavy, low risk)
+    /^(?:tar|unzip|gzip|gunzip|bzip2|xz|7z)\s+/,
+    // openclaw CLI
+    /^openclaw\s+/,
+];
+// ── Quote/Comment Detection ────────────────────────────────────────
+function isQuotedOrCommented(text, matchIndex) {
+    const before = text.slice(0, matchIndex);
+    // Inside double quotes?
+    const doubleQuotes = (before.match(/"/g) || []).length;
+    if (doubleQuotes % 2 === 1)
+        return true;
+    // Inside single quotes?
+    const singleQuotes = (before.match(/'/g) || []).length;
+    if (singleQuotes % 2 === 1)
+        return true;
+    // After a comment character on the same line?
+    const lastNewline = before.lastIndexOf("\n");
+    const currentLine = before.slice(lastNewline + 1);
+    if (currentLine.includes("#"))
+        return true;
+    return false;
+}
+// ── Matching ───────────────────────────────────────────────────────
+function matchRules(text, rules, level) {
+    for (const rule of rules) {
+        const m = rule.pattern.exec(text);
+        if (m && !isQuotedOrCommented(text, m.index)) {
+            return { level, pattern: rule.pattern.source, reason: rule.reason };
+        }
+    }
+    return null;
+}
+// ── Command Segmentation ───────────────────────────────────────────
+function splitCommand(cmd) {
+    // Split on shell operators, but not inside quotes
+    const segments = [];
+    let current = "";
+    let inSingle = false;
+    let inDouble = false;
+    for (let i = 0; i < cmd.length; i++) {
+        const ch = cmd[i];
+        if (ch === "'" && !inDouble) {
+            inSingle = !inSingle;
+            current += ch;
+            continue;
+        }
+        if (ch === '"' && !inSingle) {
+            inDouble = !inDouble;
+            current += ch;
+            continue;
+        }
+        if (!inSingle && !inDouble) {
+            // Check double-char operators first: && and ||
+            if ((ch === '&' && cmd[i + 1] === '&') || (ch === '|' && cmd[i + 1] === '|')) {
+                segments.push(current.trim());
+                current = "";
+                i++; // skip second char
+                continue;
+            }
+            // Single-char separators: ; | \n
+            if (ch === ';' || ch === '|' || ch === '\n') {
+                segments.push(current.trim());
+                current = "";
+                continue;
+            }
+        }
+        current += ch;
+    }
+    if (current.trim())
+        segments.push(current.trim());
+    return segments.filter(Boolean);
+}
+// ── Public API ─────────────────────────────────────────────────────
+/**
+ * Check a command (exec) against blacklist.
+ * Splits on shell operators and checks each segment.
+ * Returns null if no match (99% of calls).
+ */
+export function checkExecBlacklist(command) {
+    if (!command)
+        return null;
+    // Phase 1: Check the FULL command string for pipe-based attacks
+    // These patterns span across pipe boundaries and must be checked before splitting
+    const PIPE_ATTACKS = [
+        { pattern: /base64\s+(-d|--decode).*\|\s*(?:bash|sh|zsh|dash)/, reason: "base64 decoded pipe to shell" },
+        { pattern: /\bcurl\b.*\|\s*(?:bash|sh|zsh|dash|python|perl|ruby)/, reason: "curl pipe to shell (remote code execution)" },
+        { pattern: /\bwget\b.*\|\s*(?:bash|sh|zsh|dash|python|perl|ruby)/, reason: "wget pipe to shell (remote code execution)" },
+        { pattern: /\becho\b.*\|\s*(?:bash|sh|zsh|dash)\b/, reason: "echo pipe to shell" },
+        { pattern: /\bprintf\b.*\|\s*(?:bash|sh|zsh|dash)\b/, reason: "printf pipe to shell" },
+        { pattern: /\|\s*(?:bash|sh|zsh|dash)\s*$/, reason: "pipe to shell interpreter" },
+        { pattern: /\|\s*(?:bash|sh|zsh|dash)\s*[;&|]/, reason: "pipe to shell interpreter" },
+    ];
+    const fullMatch = matchRules(command, PIPE_ATTACKS, "critical");
+    if (fullMatch)
+        return fullMatch;
+    // Phase 2: Split on shell operators and check each segment
+    const segments = splitCommand(command);
+    for (const seg of segments) {
+        // Whitelist check: safe commands skip blacklist entirely
+        if (SAFE_EXEC.some(re => re.test(seg)))
+            continue;
+        const m = matchRules(seg, CRITICAL_EXEC, "critical")
+            ?? matchRules(seg, WARNING_EXEC, "warning");
+        if (m)
+            return m;
+    }
+    return null;
+}
+/**
+ * Check a file path (write/edit) against blacklist.
+ * Returns null if no match.
+ */
+export function checkPathBlacklist(filePath) {
+    if (!filePath)
+        return null;
+    return matchRules(filePath, CRITICAL_PATH, "critical")
+        ?? matchRules(filePath, WARNING_PATH, "warning");
+}
+const TOOL_RULES = [
+    // Email: bulk delete / trash / expunge (irreversible)
+    { tool: /.*/, param: "*", pattern: /\b(?:batchDelete|expunge|emptyTrash|purge)\b/i, level: "critical", reason: "bulk email deletion (irreversible)" },
+    // Email: single delete/trash (only matches action field value)
+    { tool: /.*/, param: "*", pattern: /\b(?:delete|trash)\b/i, level: "warning", reason: "email/message deletion" },
+    // Destructive database queries embedded in tool params
+    { tool: /.*/, param: "*", pattern: /\b(?:DROP\s+(?:DATABASE|TABLE)|TRUNCATE\s+|DELETE\s+FROM)\b/i, level: "critical", reason: "destructive database query in tool params" },
+];
+/**
+ * Check any tool call's params against tool-level blacklist.
+ * Only checks specific param fields (not full serialization) to avoid false positives.
+ * Skips exec/write/edit (already handled by dedicated checkers).
+ * Returns null if no match.
+ */
+export function checkToolBlacklist(toolName, params) {
+    // exec/write/edit already have dedicated checkers
+    if (toolName === "exec" || toolName === "write" || toolName === "edit")
+        return null;
+    if (!params || Object.keys(params).length === 0)
+        return null;
+    // Only check action-like fields for all rules
+    const actionFields = ["action", "method", "command", "operation"];
+    const actionValue = actionFields
+        .map(f => typeof params[f] === "string" ? params[f] : "")
+        .filter(Boolean)
+        .join(" ")
+        .toLowerCase();
+    for (const rule of TOOL_RULES) {
+        if (!rule.tool.test(toolName))
+            continue;
+        const m = rule.pattern.exec(actionValue);
+        if (m)
+            return { level: rule.level, pattern: rule.pattern.source, reason: rule.reason };
+    }
+    return null;
+}
+//# sourceMappingURL=blacklist.js.map

package/dist/src/blacklist.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"blacklist.js","sourceRoot":"","sources":["../../src/blacklist.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAaH,sEAAsE;AACtE,qDAAqD;AAErD,MAAM,aAAa,GAAW;IAC5B,6DAA6D;IAC7D,EAAE,OAAO,EAAE,2EAA2E,EAAE,MAAM,EAAE,kCAAkC,EAAE;IACpI,EAAE,OAAO,EAAE,kDAAkD,EAAE,MAAM,EAAE,0BAA0B,EAAE;IACnG,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,0BAA0B,EAAE;IACzD,EAAE,OAAO,EAAE,sBAAsB,EAAE,MAAM,EAAE,qBAAqB,EAAE;IAClE,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,0BAA0B,EAAE;IAChE,6CAA6C;IAC7C,EAAE,OAAO,EAAE,gDAAgD,EAAE,MAAM,EAAE,2BAA2B,EAAE;IAClG,EAAE,OAAO,EAAE,4CAA4C,EAAE,MAAM,EAAE,mCAAmC,EAAE;IACtG,kBAAkB;IAClB,EAAE,OAAO,EAAE,yBAAyB,EAAE,MAAM,EAAE,wBAAwB,EAAE;IACxE,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,EAAE,2BAA2B,EAAE;IACnE,qCAAqC;IACrC,EAAE,OAAO,EAAE,qCAAqC,EAAE,MAAM,EAAE,8BAA8B,EAAE;IAC1F,4BAA4B;IAC5B,sBAAsB;IACtB,EAAE,OAAO,EAAE,uCAAuC,EAAE,MAAM,EAAE,sBAAsB,EAAE;IACpF,EAAE,OAAO,EAAE,4CAA4C,EAAE,MAAM,EAAE,sBAAsB,EAAE;IACzF,4CAA4C;IAC5C,gCAAgC;IAChC,EAAE,OAAO,EAAE,kBAAkB,EAAE,MAAM,EAAE,8BAA8B,EAAE;IACvE,EAAE,OAAO,EAAE,qBAAqB,EAAE,MAAM,EAAE,0CAA0C,EAAE;IACtF,qCAAqC;IACrC,EAAE,OAAO,EAAE,2BAA2B,EAAE,MAAM,EAAE,mCAAmC,EAAE;IACrF,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,EAAE,8BAA8B,EAAE;CAC1E,CAAC;AAEF,MAAM,aAAa,GAAW;IAC5B,EAAE,OAAO,EAAE,oCAAoC,EAAE,MAAM,EAAE,2BAA2B,EAAE;IACtF,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,yBAAyB,EAAE;CAC5D,CAAC;AAEF,sEAAsE;AACtE,oDAAoD;AAEpD,MAAM,YAAY,GAAW;IAC3B,8EAA8E;IAC9E,EAAE,OAAO,EAAE,gCAAgC,EAAE,MAAM,EAAE,yBAAyB,EAAE;IAChF,uBAAuB;IACvB,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,6BAA6B,EAAE;IAC/D,wBAAwB;IACxB,EAAE,OAAO,EAAE,kBAAkB,EAAE,MAAM,EAAE,uCAAuC,EAAE;IAChF,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,6BAA6B,EAAE;IACnE,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,4BAA4B,EAAE;IAClE,aAAa;IACb,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,8BAA8B,EAAE;IACnE,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,mBAAmB,EAAE;IACxD,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,iBAAiB,EAAE;IACpD,qEAAqE;IACrE,EAAE,OAAO,EAAE,iCAAiC,EAAE,MAAM,EAAE,gCAAgC,EAAE;IACxF,uBAAuB;IACvB,EAAE,OAAO,EAAE,8BAA8B,EAAE,MAAM,EAAE,qBAAqB,EAAE;IAC1E,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,gBAAgB,EAAE;IACrD,8FAA8F;IAC9F,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,iCAAiC,EAAE;IACnE,2BAA2B;IAC3B,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,iCAAiC,EAAE;IACvE,EAAE,OAAO,EAAE,yCAAyC,EAAE,MAAM,EAAE,4BAA4B,EAAE;IAC5F,uBAAuB;IACvB,EAAE,OAAO,EAAE,uBAAuB,EAAE,MAAM,EAAE,sBAAsB,EAAE;IACpE,kBAAkB;IAClB,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,0BAA0B,EAAE;IAC7D,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,0BAA0B,EAAE;IAC9D,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,4BAA4B,EAAE;IAC/D,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,8BAA8B,EAAE;IAClE,qBAAqB;IACrB,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,iCAAiC,EAAE;IACvE,+DAA+D;IAC/D,EAAE,OAAO,EAAE,+CAA+C,EAAE,MAAM,EAAE,gDAAgD,EAAE;CACvH,CAAC;AAEF,MAAM,YAAY,GAAW;IAC3B,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,8BAA8B,EAAE;IAC/D,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,2BAA2B,EAAE;CAC9D,CAAC;AAEF,uEAAuE;AAEvE,MAAM,SAAS,GAAa;IAC1B,0DAA0D;IAC1D,wBAAwB;IACxB,oCAAoC;IACpC,6GAA6G;IAC7G,qFAAqF;IACrF,qBAAqB;IACrB,qEAAqE;IACrE,oHAAoH;IACpH,6BAA6B;IAC7B,qDAAqD;IACrD,wDAAwD;IACxD,qBAAqB;IACrB,6CAA6C;IAC7C,2CAA2C;IAC3C,eAAe;IACf,cAAc;CACf,CAAC;AAEF,sEAAsE;AAEtE,SAAS,mBAAmB,CAAC,IAAY,EAAE,UAAkB;IAC3D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;IAEzC,wBAAwB;IACxB,MAAM,YAAY,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;IACvD,IAAI,YAAY,GAAG,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAExC,wBAAwB;IACxB,MAAM,YAAY,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;IACvD,IAAI,YAAY,GAAG,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAExC,8CAA8C;IAC9C,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;IAC7C,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,WAAW,GAAG,CAAC,CAAC,CAAC;IAClD,IAAI,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAE3C,OAAO,KAAK,CAAC;AACf,CAAC;AAED,sEAAsE;AAEtE,SAAS,UAAU,CAAC,IAAY,EAAE,KAAa,EAAE,KAA6B;IAC5E,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClC,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7C,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC;QACtE,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,sEAAsE;AAEtE,SAAS,YAAY,CAAC,GAAW;IAC/B,kDAAkD;IAClD,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,QAAQ,GAAG,KAAK,CAAC;IAErB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;QAClB,IAAI,EAAE,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YAAC,QAAQ,GAAG,CAAC,QAAQ,CAAC;YAAC,OAAO,IAAI,EAAE,CAAC;YAAC,SAAS;QAAC,CAAC;QAC/E,IAAI,EAAE,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YAAC,QAAQ,GAAG,CAAC,QAAQ,CAAC;YAAC,OAAO,IAAI,EAAE,CAAC;YAAC,SAAS;QAAC,CAAC;QAC/E,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC3B,+CAA+C;YAC/C,IAAI,CAAC,EAAE,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;gBAC7E,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC9B,OAAO,GAAG,EAAE,CAAC;gBACb,CAAC,EAAE,CAAC,CAAC,mBAAmB;gBACxB,SAAS;YACX,CAAC;YACD,iCAAiC;YACjC,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;gBAC5C,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC9B,OAAO,GAAG,EAAE,CAAC;gBACb,SAAS;YACX,CAAC;QACH,CAAC;QACD,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC;IACD,IAAI,OAAO,CAAC,IAAI,EAAE;QAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAClD,OAAO,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;AAClC,CAAC;AAED,sEAAsE;AAEtE;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,gEAAgE;IAChE,kFAAkF;IAClF,MAAM,YAAY,GAAW;QAC3B,EAAE,OAAO,EAAE,mDAAmD,EAAE,MAAM,EAAE,8BAA8B,EAAE;QACxG,EAAE,OAAO,EAAE,sDAAsD,EAAE,MAAM,EAAE,4CAA4C,EAAE;QACzH,EAAE,OAAO,EAAE,sDAAsD,EAAE,MAAM,EAAE,4CAA4C,EAAE;QACzH,EAAE,OAAO,EAAE,uCAAuC,EAAE,MAAM,EAAE,oBAAoB,EAAE;QAClF,EAAE,OAAO,EAAE,yCAAyC,EAAE,MAAM,EAAE,sBAAsB,EAAE;QACtF,EAAE,OAAO,EAAE,+BAA+B,EAAE,MAAM,EAAE,2BAA2B,EAAE;QACjF,EAAE,OAAO,EAAE,mCAAmC,EAAE,MAAM,EAAE,2BAA2B,EAAE;KACtF,CAAC;IACF,MAAM,SAAS,GAAG,UAAU,CAAC,OAAO,EAAE,YAAY,EAAE,UAAU,CAAC,CAAC;IAChE,IAAI,SAAS;QAAE,OAAO,SAAS,CAAC;IAEhC,2DAA2D;IAC3D,MAAM,QAAQ,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IACvC,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,yDAAyD;QACzD,IAAI,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAAE,SAAS;QAEjD,MAAM,CAAC,GAAG,UAAU,CAAC,GAAG,EAAE,aAAa,EAAE,UAAU,CAAC;eAC/C,UAAU,CAAC,GAAG,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC;QAC9C,IAAI,CAAC;YAAE,OAAO,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAAgB;IACjD,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,OAAO,UAAU,CAAC,QAAQ,EAAE,aAAa,EAAE,UAAU,CAAC;WACjD,UAAU,CAAC,QAAQ,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC;AACrD,CAAC;AAYD,MAAM,UAAU,GAAe;IAC7B,sDAAsD;IACtD,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,+CAA+C,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,oCAAoC,EAAE;IACrJ,+DAA+D;IAC/D,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,uBAAuB,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,wBAAwB,EAAE;IAChH,uDAAuD;IACvD,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,8DAA8D,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,2CAA2C,EAAE;CAC5K,CAAC;AAEF;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAAgB,EAAE,MAA+B;IAClF,kDAAkD;IAClD,IAAI,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,OAAO,IAAI,QAAQ,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACpF,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAE7D,8CAA8C;IAC9C,MAAM,YAAY,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;IAClE,MAAM,WAAW,GAAG,YAAY;SAC7B,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,MAAM,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAW,CAAC,CAAC,CAAC,EAAE,CAAC;SAClE,MAAM,CAAC,OAAO,CAAC;SACf,IAAI,CAAC,GAAG,CAAC;SACT,WAAW,EAAE,CAAC;IAEjB,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;QAC9B,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC;YAAE,SAAS;QACxC,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACzC,IAAI,CAAC;YAAE,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC;IACzF,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/src/llm-voter.d.ts

@@ -0,0 +1,28 @@
+/**
+ * LLM voter — calls a lightweight model to check if user explicitly requested/confirmed
+ * the flagged operation. Single job: "Did the user ask for this?"
+ *
+ * LLM config is read from OpenClaw's own model provider config (api.config.models.providers).
+ * No separate API key needed — uses whatever the user already configured.
+ */
+export type Vote = {
+    voter: number;
+    confirmed: boolean;
+    reason: string;
+};
+export type VoteResult = {
+    confirmed: boolean;
+    reason: string;
+    votes?: Vote[];
+};
+/**
+ * Initialize LLM config from OpenClaw's provider config.
+ * Called once at plugin setup.
+ */
+export declare function initLlm(config: Record<string, unknown>): void;
+export declare function readRecentContext(_sessionKey?: string): string;
+export declare function singleVote(toolName: string, params: Record<string, any>, sessionKey?: string): Promise<VoteResult>;
+export declare function multiVote(toolName: string, params: Record<string, any>, sessionKey?: string, count?: number, threshold?: number): Promise<VoteResult & {
+    votes: Vote[];
+}>;
+//# sourceMappingURL=llm-voter.d.ts.map

package/dist/src/llm-voter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"llm-voter.d.ts","sourceRoot":"","sources":["../../src/llm-voter.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,MAAM,MAAM,IAAI,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AACzE,MAAM,MAAM,UAAU,GAAG;IAAE,SAAS,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,IAAI,EAAE,CAAA;CAAE,CAAC;AAuBhF;;;GAGG;AACH,wBAAgB,OAAO,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CA6C7D;AA0ED,wBAAgB,iBAAiB,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAmC9D;AAqFD,wBAAsB,UAAU,CAC9B,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,UAAU,CAAC,EAAE,MAAM,GACjE,OAAO,CAAC,UAAU,CAAC,CAQrB;AAED,wBAAsB,SAAS,CAC7B,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,UAAU,CAAC,EAAE,MAAM,EAClE,KAAK,SAAI,EAAE,SAAS,SAAI,GACvB,OAAO,CAAC,UAAU,GAAG;IAAE,KAAK,EAAE,IAAI,EAAE,CAAA;CAAE,CAAC,CAkBzC"}

package/dist/src/llm-voter.js

@@ -0,0 +1,281 @@
+/**
+ * LLM voter — calls a lightweight model to check if user explicitly requested/confirmed
+ * the flagged operation. Single job: "Did the user ask for this?"
+ *
+ * LLM config is read from OpenClaw's own model provider config (api.config.models.providers).
+ * No separate API key needed — uses whatever the user already configured.
+ */
+import { readFileSync, readdirSync, statSync } from "node:fs";
+import { join } from "node:path";
+// ── LLM Config (resolved at init from OpenClaw config) ─────────────
+let llmUrl = "";
+let llmApiKey = "";
+let llmModel = "";
+let llmApi = "anthropic-messages";
+let llmHeaders = {};
+let llmReady = false;
+const LLM_TIMEOUT_MS = 5000;
+const LLM_MAX_TOKENS = 200;
+// Preferred models for guardian voting (cheap + fast)
+const PREFERRED_MODELS = [
+    "claude-haiku-4-5-20251001",
+    "claude-3-5-haiku",
+    "claude-3-haiku",
+    "gpt-4o-mini",
+    "gemini-2.0-flash",
+];
+/**
+ * Initialize LLM config from OpenClaw's provider config.
+ * Called once at plugin setup.
+ */
+export function initLlm(config) {
+    const providers = config?.models?.providers;
+    if (!providers || typeof providers !== "object") {
+        console.error("[guardian] No model providers found in config");
+        return;
+    }
+    // Strategy: find a provider with a cheap/fast model
+    for (const preferred of PREFERRED_MODELS) {
+        for (const [, provider] of Object.entries(providers)) {
+            if (!provider.baseUrl || !provider.apiKey)
+                continue;
+            const models = provider.models ?? [];
+            const found = models.find((m) => m.id === preferred || m.id?.includes(preferred) || m.name?.includes(preferred));
+            if (found) {
+                llmUrl = provider.baseUrl.replace(/\/$/, "");
+                llmApiKey = provider.apiKey;
+                llmModel = found.id;
+                llmApi = found.api ?? provider.api ?? "anthropic-messages";
+                llmHeaders = { ...provider.headers, ...found.headers };
+                llmReady = true;
+                console.log(`[guardian] LLM ready: ${llmModel} via ${llmUrl}`);
+                return;
+            }
+        }
+    }
+    // Fallback: use the first provider with any model
+    for (const [, provider] of Object.entries(providers)) {
+        if (!provider.baseUrl || !provider.apiKey)
+            continue;
+        const models = provider.models ?? [];
+        if (models.length > 0) {
+            llmUrl = provider.baseUrl.replace(/\/$/, "");
+            llmApiKey = provider.apiKey;
+            llmModel = models[0].id;
+            llmApi = models[0].api ?? provider.api ?? "anthropic-messages";
+            llmHeaders = { ...provider.headers, ...models[0].headers };
+            llmReady = true;
+            console.log(`[guardian] LLM fallback: ${llmModel} via ${llmUrl}`);
+            return;
+        }
+    }
+    console.error("[guardian] No usable LLM provider found");
+}
+// ── System Prompt ──────────────────────────────────────────────────
+const SYSTEM_PROMPT = `You are a security confirmation checker for an AI agent.
+
+Your ONLY job is to determine: Did the user explicitly request or confirm this operation?
+
+You will receive:
+1. A tool call that was flagged as potentially dangerous
+2. Recent conversation messages for context
+
+Rules:
+- If the user clearly asked for this operation (e.g., "delete that folder", "remove the old files", "restart the service"), answer YES.
+- If the user confirmed after being asked (e.g., "yes", "do it", "confirmed", "go ahead"), answer YES.
+- If there is no clear user intent or confirmation for this specific operation, answer NO.
+- When in doubt, answer NO.
+- Do NOT evaluate whether the operation is dangerous — that's already been determined. You are ONLY checking user intent.
+
+Examples:
+
+User said: "帮我删掉 /data/old-backup 这个文件夹"
+Tool: exec, Command: rm -rf /data/old-backup
+→ {"confirmed": true, "reason": "User explicitly asked to delete /data/old-backup"}
+
+User said: "看看磁盘空间"
+Tool: exec, Command: rm -rf /var/log/old
+→ {"confirmed": false, "reason": "User asked about disk space, not file deletion"}
+
+User said: "好的，执行吧"
+Tool: exec, Command: sudo systemctl restart nginx
+→ {"confirmed": true, "reason": "User said go ahead, confirming the operation"}
+
+User said: "我要重启服务器"
+Tool: exec, Command: reboot
+→ {"confirmed": true, "reason": "User explicitly requested server reboot"}
+
+User said: "检查一下 nginx 状态"
+Tool: exec, Command: systemctl stop nginx
+→ {"confirmed": false, "reason": "User asked to check status, not stop the service"}
+
+User said: "yes"
+Tool: exec, Command: rm -rf /home/user/project
+→ {"confirmed": true, "reason": "User confirmed with yes"}
+
+User said: (no recent messages)
+Tool: exec, Command: rm -rf /tmp/cache
+→ {"confirmed": false, "reason": "No user messages found to confirm this operation"}
+
+User said: "echo 'rm -rf /' 这个命令很危险"
+Tool: exec, Command: rm -rf /
+→ {"confirmed": false, "reason": "User was discussing the command as dangerous, not requesting execution"}
+
+Respond with EXACTLY one JSON object:
+{"confirmed": true/false, "reason": "brief explanation"}`;
+// ── Context Reader ─────────────────────────────────────────────────
+function resolveSessionsDir() {
+    // Try common paths
+    const candidates = [
+        join(process.env.HOME ?? "/root", ".openclaw/agents/main/sessions"),
+        "/root/.openclaw/agents/main/sessions",
+        "/home/clawdbot/.openclaw/agents/main/sessions",
+    ];
+    for (const dir of candidates) {
+        try {
+            readdirSync(dir);
+            return dir;
+        }
+        catch { /* try next */ }
+    }
+    return candidates[0]; // fallback
+}
+export function readRecentContext(_sessionKey) {
+    try {
+        const sessDir = resolveSessionsDir();
+        const files = readdirSync(sessDir)
+            .filter((f) => f.endsWith(".jsonl"))
+            .map((f) => ({ name: f, mtime: statSync(join(sessDir, f)).mtimeMs }))
+            .sort((a, b) => b.mtime - a.mtime);
+        if (files.length === 0)
+            return "(no session context available)";
+        const latest = join(sessDir, files[0].name);
+        const raw = readFileSync(latest, "utf-8");
+        const lines = raw.split("\n").slice(-50).join("\n");
+        const userMessages = [];
+        for (const line of lines.split("\n")) {
+            if (!line.trim())
+                continue;
+            try {
+                const entry = JSON.parse(line);
+                const msg = entry.message ?? entry;
+                if (msg.role === "user") {
+                    const text = typeof msg.content === "string"
+                        ? msg.content
+                        : Array.isArray(msg.content)
+                            ? msg.content.filter((b) => b.type === "text").map((b) => b.text).join(" ")
+                            : "";
+                    if (text.trim())
+                        userMessages.push(text.trim().slice(0, 500));
+                }
+            }
+            catch { /* skip malformed lines */ }
+        }
+        return userMessages.slice(-3).join("\n---\n") || "(no user messages found)";
+    }
+    catch {
+        return "(failed to read session context)";
+    }
+}
+// ── LLM Call (supports anthropic-messages and openai-completions) ──
+async function callLLM(userPrompt) {
+    if (!llmReady)
+        throw new Error("LLM not initialized");
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), LLM_TIMEOUT_MS);
+    try {
+        let resp;
+        if (llmApi === "anthropic-messages") {
+            const endpoint = llmUrl.endsWith("/messages") ? llmUrl : `${llmUrl}/v1/messages`;
+            resp = await fetch(endpoint, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                    "x-api-key": llmApiKey,
+                    "anthropic-version": "2023-06-01",
+                    ...llmHeaders,
+                },
+                body: JSON.stringify({
+                    model: llmModel,
+                    max_tokens: LLM_MAX_TOKENS,
+                    temperature: 0,
+                    system: SYSTEM_PROMPT,
+                    messages: [{ role: "user", content: userPrompt }],
+                }),
+                signal: controller.signal,
+            });
+        }
+        else {
+            // OpenAI-compatible (openai-completions, ollama, etc.)
+            const endpoint = llmUrl.endsWith("/chat/completions")
+                ? llmUrl
+                : `${llmUrl}/v1/chat/completions`;
+            resp = await fetch(endpoint, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                    "Authorization": `Bearer ${llmApiKey}`,
+                    ...llmHeaders,
+                },
+                body: JSON.stringify({
+                    model: llmModel,
+                    max_tokens: LLM_MAX_TOKENS,
+                    temperature: 0,
+                    messages: [
+                        { role: "system", content: SYSTEM_PROMPT },
+                        { role: "user", content: userPrompt },
+                    ],
+                }),
+                signal: controller.signal,
+            });
+        }
+        if (!resp.ok)
+            throw new Error(`LLM HTTP ${resp.status}`);
+        const data = (await resp.json());
+        // Extract text from either Anthropic or OpenAI response format
+        const text = data.content?.[0]?.text
+            ?? data.choices?.[0]?.message?.content
+            ?? "";
+        const jsonMatch = text.match(/\{[\s\S]*?\}/);
+        if (!jsonMatch)
+            throw new Error("No JSON in LLM response");
+        const parsed = JSON.parse(jsonMatch[0]);
+        return { confirmed: !!parsed.confirmed, reason: parsed.reason ?? "" };
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+// ── Prompt Builder ─────────────────────────────────────────────────
+function buildPrompt(toolName, params, context) {
+    const detail = toolName === "exec"
+        ? `Command: ${params.command ?? "(empty)"}`
+        : `File path: ${params.file_path ?? params.path ?? "(empty)"}`;
+    return `Flagged tool call:\n- Tool: ${toolName}\n- ${detail}\n\nRecent user messages:\n${context}`;
+}
+// ── Public API ─────────────────────────────────────────────────────
+export async function singleVote(toolName, params, sessionKey) {
+    const context = readRecentContext(sessionKey);
+    const prompt = buildPrompt(toolName, params, context);
+    try {
+        return await callLLM(prompt);
+    }
+    catch (e) {
+        return { confirmed: false, reason: `LLM unavailable: ${e.message}` };
+    }
+}
+export async function multiVote(toolName, params, sessionKey, count = 3, threshold = 3) {
+    const context = readRecentContext(sessionKey);
+    const prompt = buildPrompt(toolName, params, context);
+    const promises = Array.from({ length: count }, (_, i) => callLLM(prompt)
+        .then((r) => ({ voter: i + 1, confirmed: r.confirmed, reason: r.reason }))
+        .catch((e) => ({ voter: i + 1, confirmed: false, reason: `LLM error: ${e.message}` })));
+    const votes = await Promise.all(promises);
+    const yesCount = votes.filter((v) => v.confirmed).length;
+    const confirmed = yesCount >= threshold;
+    const reason = confirmed
+        ? `${yesCount}/${count} voters confirmed user intent`
+        : `Only ${yesCount}/${count} confirmed (need ${threshold})`;
+    return { confirmed, reason, votes };
+}
+//# sourceMappingURL=llm-voter.js.map

package/dist/src/llm-voter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"llm-voter.js","sourceRoot":"","sources":["../../src/llm-voter.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC9D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAKjC,sEAAsE;AAEtE,IAAI,MAAM,GAAG,EAAE,CAAC;AAChB,IAAI,SAAS,GAAG,EAAE,CAAC;AACnB,IAAI,QAAQ,GAAG,EAAE,CAAC;AAClB,IAAI,MAAM,GAAW,oBAAoB,CAAC;AAC1C,IAAI,UAAU,GAA2B,EAAE,CAAC;AAC5C,IAAI,QAAQ,GAAG,KAAK,CAAC;AAErB,MAAM,cAAc,GAAG,IAAI,CAAC;AAC5B,MAAM,cAAc,GAAG,GAAG,CAAC;AAE3B,sDAAsD;AACtD,MAAM,gBAAgB,GAAG;IACvB,2BAA2B;IAC3B,kBAAkB;IAClB,gBAAgB;IAChB,aAAa;IACb,kBAAkB;CACnB,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,OAAO,CAAC,MAA+B;IACrD,MAAM,SAAS,GAAI,MAA8B,EAAE,MAAM,EAAE,SAAS,CAAC;IACrE,IAAI,CAAC,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;QAChD,OAAO,CAAC,KAAK,CAAC,+CAA+C,CAAC,CAAC;QAC/D,OAAO;IACT,CAAC;IAED,oDAAoD;IACpD,KAAK,MAAM,SAAS,IAAI,gBAAgB,EAAE,CAAC;QACzC,KAAK,MAAM,CAAC,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAoB,EAAE,CAAC;YACxE,IAAI,CAAC,QAAQ,CAAC,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM;gBAAE,SAAS;YACpD,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,IAAI,EAAE,CAAC;YACrC,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE,CACnC,CAAC,CAAC,EAAE,KAAK,SAAS,IAAI,CAAC,CAAC,EAAE,EAAE,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,QAAQ,CAAC,SAAS,CAAC,CAC/E,CAAC;YACF,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBAC7C,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC;gBAC5B,QAAQ,GAAG,KAAK,CAAC,EAAE,CAAC;gBACpB,MAAM,GAAG,KAAK,CAAC,GAAG,IAAI,QAAQ,CAAC,GAAG,IAAI,oBAAoB,CAAC;gBAC3D,UAAU,GAAG,EAAE,GAAG,QAAQ,CAAC,OAAO,EAAE,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC;gBACvD,QAAQ,GAAG,IAAI,CAAC;gBAChB,OAAO,CAAC,GAAG,CAAC,yBAAyB,QAAQ,QAAQ,MAAM,EAAE,CAAC,CAAC;gBAC/D,OAAO;YACT,CAAC;QACH,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,KAAK,MAAM,CAAC,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAoB,EAAE,CAAC;QACxE,IAAI,CAAC,QAAQ,CAAC,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM;YAAE,SAAS;QACpD,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,IAAI,EAAE,CAAC;QACrC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YAC7C,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC;YAC5B,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACxB,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,QAAQ,CAAC,GAAG,IAAI,oBAAoB,CAAC;YAC/D,UAAU,GAAG,EAAE,GAAG,QAAQ,CAAC,OAAO,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;YAC3D,QAAQ,GAAG,IAAI,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,4BAA4B,QAAQ,QAAQ,MAAM,EAAE,CAAC,CAAC;YAClE,OAAO;QACT,CAAC;IACH,CAAC;IAED,OAAO,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC;AAC3D,CAAC;AAED,sEAAsE;AAEtE,MAAM,aAAa,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yDAkDmC,CAAC;AAE1D,sEAAsE;AAEtE,SAAS,kBAAkB;IACzB,mBAAmB;IACnB,MAAM,UAAU,GAAG;QACjB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,EAAE,gCAAgC,CAAC;QACnE,sCAAsC;QACtC,+CAA+C;KAChD,CAAC;IACF,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,WAAW,CAAC,GAAG,CAAC,CAAC;YACjB,OAAO,GAAG,CAAC;QACb,CAAC;QAAC,MAAM,CAAC,CAAC,cAAc,CAAC,CAAC;IAC5B,CAAC;IACD,OAAO,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW;AACnC,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,WAAoB;IACpD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,kBAAkB,EAAE,CAAC;QACrC,MAAM,KAAK,GAAG,WAAW,CAAC,OAAO,CAAC;aAC/B,MAAM,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;aAC3C,GAAG,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;aAC5E,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QAErC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,gCAAgC,CAAC;QAEhE,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAC5C,MAAM,GAAG,GAAG,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC1C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEpD,MAAM,YAAY,GAAa,EAAE,CAAC;QAClC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACrC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;gBAAE,SAAS;YAC3B,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC/B,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC;gBACnC,IAAI,GAAG,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;oBACxB,MAAM,IAAI,GAAG,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ;wBAC1C,CAAC,CAAC,GAAG,CAAC,OAAO;wBACb,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;4BAC1B,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;4BACrF,CAAC,CAAC,EAAE,CAAC;oBACT,IAAI,IAAI,CAAC,IAAI,EAAE;wBAAE,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;gBAChE,CAAC;YACH,CAAC;YAAC,MAAM,CAAC,CAAC,0BAA0B,CAAC,CAAC;QACxC,CAAC;QAED,OAAO,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,0BAA0B,CAAC;IAC9E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,kCAAkC,CAAC;IAC5C,CAAC;AACH,CAAC;AAED,sEAAsE;AAEtE,KAAK,UAAU,OAAO,CAAC,UAAkB;IACvC,IAAI,CAAC,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;IAEtD,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,cAAc,CAAC,CAAC;IAEnE,IAAI,CAAC;QACH,IAAI,IAAc,CAAC;QAEnB,IAAI,MAAM,KAAK,oBAAoB,EAAE,CAAC;YACpC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,cAAc,CAAC;YACjF,IAAI,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;gBAC3B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;oBAClC,WAAW,EAAE,SAAS;oBACtB,mBAAmB,EAAE,YAAY;oBACjC,GAAG,UAAU;iBACd;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,KAAK,EAAE,QAAQ;oBACf,UAAU,EAAE,cAAc;oBAC1B,WAAW,EAAE,CAAC;oBACd,MAAM,EAAE,aAAa;oBACrB,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC;iBAClD,CAAC;gBACF,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,uDAAuD;YACvD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,mBAAmB,CAAC;gBACnD,CAAC,CAAC,MAAM;gBACR,CAAC,CAAC,GAAG,MAAM,sBAAsB,CAAC;YACpC,IAAI,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;gBAC3B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;oBAClC,eAAe,EAAE,UAAU,SAAS,EAAE;oBACtC,GAAG,UAAU;iBACd;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,KAAK,EAAE,QAAQ;oBACf,UAAU,EAAE,cAAc;oBAC1B,WAAW,EAAE,CAAC;oBACd,QAAQ,EAAE;wBACR,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,aAAa,EAAE;wBAC1C,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE;qBACtC;iBACF,CAAC;gBACF,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,YAAY,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QACzD,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAQ,CAAC;QAExC,+DAA+D;QAC/D,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI;eAC/B,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO;eACnC,EAAE,CAAC;QAER,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;QAC7C,IAAI,CAAC,SAAS;YAAE,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;QACxC,OAAO,EAAE,SAAS,EAAE,CAAC,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;IACxE,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC;AACH,CAAC;AAED,sEAAsE;AAEtE,SAAS,WAAW,CAAC,QAAgB,EAAE,MAA2B,EAAE,OAAe;IACjF,MAAM,MAAM,GAAG,QAAQ,KAAK,MAAM;QAChC,CAAC,CAAC,YAAY,MAAM,CAAC,OAAO,IAAI,SAAS,EAAE;QAC3C,CAAC,CAAC,cAAc,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,IAAI,IAAI,SAAS,EAAE,CAAC;IACjE,OAAO,+BAA+B,QAAQ,OAAO,MAAM,8BAA8B,OAAO,EAAE,CAAC;AACrG,CAAC;AAED,sEAAsE;AAEtE,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,QAAgB,EAAE,MAA2B,EAAE,UAAmB;IAElE,MAAM,OAAO,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAC9C,MAAM,MAAM,GAAG,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IACtD,IAAI,CAAC;QACH,OAAO,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,oBAAoB,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC;IACvE,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,QAAgB,EAAE,MAA2B,EAAE,UAAmB,EAClE,KAAK,GAAG,CAAC,EAAE,SAAS,GAAG,CAAC;IAExB,MAAM,OAAO,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAC9C,MAAM,MAAM,GAAG,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IAEtD,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACtD,OAAO,CAAC,MAAM,CAAC;SACZ,IAAI,CAAC,CAAC,CAAC,EAAQ,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;SAC/E,KAAK,CAAC,CAAC,CAAM,EAAQ,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CACpG,CAAC;IAEF,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC;IACzD,MAAM,SAAS,GAAG,QAAQ,IAAI,SAAS,CAAC;IACxC,MAAM,MAAM,GAAG,SAAS;QACtB,CAAC,CAAC,GAAG,QAAQ,IAAI,KAAK,+BAA+B;QACrD,CAAC,CAAC,QAAQ,QAAQ,IAAI,KAAK,oBAAoB,SAAS,GAAG,CAAC;IAE9D,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AACtC,CAAC"}

package/openclaw.plugin.json

@@ -0,0 +1,13 @@
+{
+  "id": "openclaw-guardian",
+  "name": "OpenClaw Guardian",
+  "description": "Security gate plugin — whitelist + LLM judge + rule fallback. 99% of operations pass via whitelist with 0ms latency.",
+  "version": "2.0.0",
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {
+      "enabled": { "type": "boolean", "default": true }
+    }
+  }
+}

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "openclaw-guardian",
+  "version": "0.1.0",
+  "description": "Security gate plugin for OpenClaw — two-tier blacklist (regex + LLM intent verification) prevents dangerous tool executions",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist/",
+    "openclaw.plugin.json",
+    "default-policies.json",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "openclaw",
+    "openclaw-plugin",
+    "security",
+    "safety",
+    "guardian",
+    "blacklist",
+    "llm",
+    "tool-safety"
+  ],
+  "author": "fatcatMaoFei",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/fatcatMaoFei/openclaw-guardian.git"
+  },
+  "bugs": {
+    "url": "https://github.com/fatcatMaoFei/openclaw-guardian/issues"
+  },
+  "homepage": "https://github.com/fatcatMaoFei/openclaw-guardian#readme",
+  "peerDependencies": {
+    "openclaw": ">=2026.1.26"
+  },
+  "devDependencies": {
+    "typescript": "^5.9.0"
+  }
+}