openclaw-observability 1.0.0 → 1.0.2

package/README.md

@@ -0,0 +1,189 @@
+# openclaw-observability
+
+Full-stack observability plugin for [OpenClaw](https://openclaw.ai) — automatically records every LLM call, tool invocation, and agent lifecycle event into a local DuckDB or remote MySQL database, with a built-in web dashboard for tracing, analytics, and security auditing.
+
+## ✨ Features
+
+- **Full-Chain Tracing** — Captures 20 OpenClaw hooks covering LLM calls, tool invocations, agent lifecycle, session management, context compaction, and gateway events
+- **Token Usage Tracking** — Automatically injects `stream_options` via fetch interception to capture prompt/completion tokens from any OpenAI-compatible API
+- **Dual Storage Backend** — Local mode (embedded DuckDB, zero config) or Remote mode (MySQL/RDS)
+- **Built-in Web Dashboard** — Session list, waterfall trace view, analytics charts, and security alerts — all served from the plugin with no external dependencies
+- **Security Scanning** — Two-layer detection engine:
+  - **L1 Rule Engine** — Regex-based real-time scanning for secrets, dangerous commands, prompt injection, and sensitive file access
+  - **L2 Chain Detector** — Cross-action behavioral analysis (e.g., read credentials → exfiltrate data)
+- **Automatic Redaction** — Masks API keys, passwords, tokens, and other sensitive fields before storage
+- **Async Batch Buffer** — Configurable batch size and flush interval with overflow protection
+
+## 📦 Installation
+
+```bash
+openclaw plugins install openclaw-observability
+```
+
+That's it. The plugin starts in **Local mode** by default — zero configuration required.
+
+## 🚀 Quick Start
+
+1. Install the plugin (see above)
+2. Restart the gateway:
+   ```bash
+   openclaw gateway restart
+   ```
+3. Open the dashboard:
+   ```
+   http://localhost:18789/plugins/observability/
+   ```
+
+## 🖥️ Dashboard
+
+The built-in web UI provides four tabs:
+
+### Dashboard (Traces)
+- Summary stats: total sessions, actions, tokens, average latency, success rate
+- Full-text search across sessions, actions, and content
+- Time range filtering (30 min → all time)
+- Click any session to open the **waterfall trace view** with nested action timeline and detailed input/output inspector
+
+### Analytics
+- Overview KPIs: sessions, tokens (input/output), latency, active models, security alerts
+- Activity over time chart (auto-switches between hourly and daily granularity)
+- Token usage by model breakdown
+- Action type distribution
+- Top agents by session/token count
+
+### Security
+- Alert statistics by severity (Critical / Warning / Info)
+- Filterable alert list with full-text search
+- Alert lifecycle management: Acknowledge → Resolve → False Positive
+- Direct link from alert to the offending action in the trace view
+
+## ⚙️ Configuration
+
+### Storage Modes
+
+| Mode | Backend | Config Required |
+|------|---------|----------------|
+| `local` (default) | Embedded DuckDB | None |
+| `remote` | MySQL 5.7+ / 8.x / RDS | Connection info |
+
+### Remote Mode (MySQL)
+
+Configure via OpenClaw Dashboard (Settings → Plugins → openclaw-observability Config) or edit `~/.openclaw/openclaw.json`:
+
+```json
+{
+  "plugins": {
+    "entries": {
+      "openclaw-observability": {
+        "enabled": true,
+        "config": {
+          "mode": "remote",
+          "mysql": {
+            "host": "your-mysql-host.com",
+            "port": 3306,
+            "user": "username",
+            "password": "password",
+            "database": "openclaw_observability"
+          }
+        }
+      }
+    }
+  }
+}
+```
+
+### All Options
+
+| Parameter | Default | Description |
+|-----------|---------|-------------|
+| `mode` | `local` | Storage mode: `local` (DuckDB) or `remote` (MySQL) |
+| `duckdb.path` | `~/.openclaw/observability.duckdb` | DuckDB database file path (local mode only) |
+| `mysql.host` | `localhost` | MySQL host address |
+| `mysql.port` | `3306` | MySQL port |
+| `mysql.user` | `root` | MySQL username |
+| `mysql.password` | `""` | MySQL password |
+| `mysql.database` | `openclaw_observability` | MySQL database name (auto-created) |
+| `buffer.batchSize` | `50` | Records to accumulate before batch write |
+| `buffer.flushIntervalMs` | `5000` | Auto-flush interval in ms |
+| `redaction.enabled` | `true` | Automatically redact sensitive fields |
+| `redaction.patterns` | `[api_key, password, ...]` | Field name patterns to redact (case-insensitive regex) |
+| `security.enabled` | `true` | Enable real-time security scanning |
+| `security.rules.*` | `true` | Toggle individual rule categories |
+| `security.domainWhitelist` | `[]` | Domains excluded from external request alerts |
+
+## 🔒 Security Rules
+
+### L1 — Pattern-Based Detection
+
+| Rule | Detection | Severity |
+|------|-----------|----------|
+| S001 | Alibaba Cloud AccessKey leak | Critical |
+| S002 | AWS AccessKey leak | Critical |
+| S003 | Private key (RSA/EC/SSH) leak | Critical |
+| S004 | JWT token leak | Warning |
+| S005 | Database connection string leak | Warning |
+| S006 | Generic API key leak (OpenAI, GitHub PAT, etc.) | Warning |
+| S007 | GCP service account key | Critical |
+| S008 | Azure connection string leak | Critical |
+| H001 | Dangerous shell commands (`rm -rf`, `curl \| sh`, etc.) | Critical |
+| H002 | Sensitive file path access (`.ssh/`, `.env`, etc.) | Warning |
+| H003 | Abnormally large data output (>100KB) | Warning |
+| H004 | Bulk environment variable access | Warning |
+| H005 | Privilege escalation (`sudo`, `su -`, `pkexec`) | Critical |
+| T003 | External network request (non-whitelisted domain) | Warning |
+| T005 | Prompt injection attack patterns | Warning/Critical |
+
+### L2 — Behavioral Chain Detection
+
+| Chain | Pattern | Severity |
+|-------|---------|----------|
+| CHAIN-001 | Read sensitive file → outbound network request | Critical |
+| CHAIN-002 | Tool returns injection → executes sensitive operation | Critical |
+
+## 🗄️ Database Schema
+
+The plugin automatically creates three tables:
+
+- **`audit_actions`** — Every recorded action (LLM call, tool invocation, etc.)
+- **`audit_sessions`** — Aggregated session summaries (auto-updated)
+- **`audit_alerts`** — Security alert records
+
+Schema is identical between DuckDB and MySQL backends.
+
+## 🏗️ Architecture
+
+```
+OpenClaw Gateway
+  │
+  ├── Plugin Hooks (20 hooks)
+  │     ├── llm_input / llm_output
+  │     ├── before_tool_call / after_tool_call
+  │     ├── session_start / session_end
+  │     └── ... (agent, message, context, gateway)
+  │
+  ├── Fetch Interceptor
+  │     └── Injects stream_options → Parses SSE usage
+  │
+  ├── Security Scanner
+  │     ├── L1: Pattern rules (15 rules)
+  │     └── L2: Chain detector (2 chains)
+  │
+  ├── Async Batch Buffer
+  │     └── batchSize / flushIntervalMs / overflow protection
+  │
+  ├── Storage Writer
+  │     ├── DuckDBLocalWriter (local mode)
+  │     └── MySQLWriter (remote mode)
+  │
+  └── Web Dashboard
+        ├── GET /plugins/observability/          → SPA UI
+        ├── GET /plugins/observability/api/stats
+        ├── GET /plugins/observability/api/sessions
+        ├── GET /plugins/observability/api/actions
+        ├── GET /plugins/observability/api/alerts
+        └── GET /plugins/observability/api/analytics
+```
+
+## 📄 License
+
+MIT

package/dist/config.js

@@ -41,7 +41,7 @@ exports.resolveConfig = resolveConfig;
 const path = __importStar(require("path"));
 const os = __importStar(require("os"));
 /** Default DuckDB path */
-exports.DEFAULT_DUCKDB_PATH = path.join(os.homedir(), '.openclaw', 'audit.duckdb');
+exports.DEFAULT_DUCKDB_PATH = path.join(os.homedir(), '.openclaw', 'observability.duckdb');
 /** Default config */
 exports.DEFAULT_CONFIG = {
     mode: 'local', // default: local DuckDB, zero config
@@ -50,14 +50,14 @@ exports.DEFAULT_CONFIG = {
         port: 3306,
         user: 'root',
         password: '',
-        database: 'openclaw_audit',
+        database: 'openclaw_observability',
     },
     duckdb: {
         path: exports.DEFAULT_DUCKDB_PATH,
     },
     buffer: {
         batchSize: 50,
-        flushIntervalMs: 30000,
+        flushIntervalMs: 5000,
     },
     redaction: {
         enabled: true,

package/dist/config.js.map

@@ -1 +1 @@
-{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":";AAAA;;GAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgIH,sCAoCC;AAlKD,2CAA6B;AAC7B,uCAAyB;AA2DzB,0BAA0B;AACb,QAAA,mBAAmB,GAAG,IAAI,CAAC,IAAI,CAC1C,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,cAAc,CAC1C,CAAC;AAEF,qBAAqB;AACR,QAAA,cAAc,GAAsB;IAC/C,IAAI,EAAE,OAAO,EAAG,qCAAqC;IACrD,KAAK,EAAE;QACL,IAAI,EAAE,WAAW;QACjB,IAAI,EAAE,IAAI;QACV,IAAI,EAAE,MAAM;QACZ,QAAQ,EAAE,EAAE;QACZ,QAAQ,EAAE,gBAAgB;KAC3B;IACD,MAAM,EAAE;QACN,IAAI,EAAE,2BAAmB;KAC1B;IACD,MAAM,EAAE;QACN,SAAS,EAAE,EAAE;QACb,eAAe,EAAE,KAAK;KACvB;IACD,SAAS,EAAE;QACT,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE;YACR,SAAS;YACT,gBAAgB;YAChB,UAAU;YACV,QAAQ;YACR,cAAc;YACd,YAAY;YACZ,eAAe;YACf,cAAc;YACd,eAAe;YACf,YAAY;YACZ,YAAY;YACZ,eAAe;YACf,aAAa;YACb,YAAY;SACb;KACF;IACD,QAAQ,EAAE;QACR,OAAO,EAAE,IAAI;QACb,KAAK,EAAE;YACL,aAAa,EAAE,IAAI;YACnB,WAAW,EAAE,IAAI;YACjB,eAAe,EAAE,IAAI;YACrB,cAAc,EAAE,IAAI;SACrB;QACD,eAAe,EAAE,EAAE;KACpB;CACF,CAAC;AAEF;;;;;GAKG;AACH,SAAS,SAAS,CAAC,UAAsC;IACvD,IAAI,UAAU,CAAC,IAAI;QAAE,OAAO,UAAU,CAAC,IAAI,CAAC;IAC5C,MAAM,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC;IAC3B,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,KAAK,WAAW,IAAI,CAAC,CAAC,QAAQ;QAAE,OAAO,QAAQ,CAAC;IACzE,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAgB,aAAa,CAC3B,UAAkD;IAElD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,EAAE,GAAG,sBAAc,EAAE,CAAC;IAC/B,CAAC;IAED,OAAO;QACL,IAAI,EAAE,SAAS,CAAC,UAAU,CAAC;QAC3B,KAAK,EAAE;YACL,GAAG,sBAAc,CAAC,KAAK;YACvB,GAAG,UAAU,CAAC,KAAK;SACpB;QACD,MAAM,EAAE;YACN,GAAG,sBAAc,CAAC,MAAM;YACxB,GAAG,UAAU,CAAC,MAAM;SACrB;QACD,MAAM,EAAE;YACN,GAAG,sBAAc,CAAC,MAAM;YACxB,GAAG,UAAU,CAAC,MAAM;SACrB;QACD,SAAS,EAAE;YACT,GAAG,sBAAc,CAAC,SAAS;YAC3B,GAAG,UAAU,CAAC,SAAS;YACvB,QAAQ,EAAE,UAAU,CAAC,SAAS,EAAE,QAAQ,IAAI,sBAAc,CAAC,SAAS,CAAC,QAAQ;SAC9E;QACD,QAAQ,EAAE;YACR,GAAG,sBAAc,CAAC,QAAQ;YAC1B,GAAG,UAAU,CAAC,QAAQ;YACtB,KAAK,EAAE;gBACL,GAAG,sBAAc,CAAC,QAAQ,CAAC,KAAK;gBAChC,GAAG,CAAC,UAAU,CAAC,QAAQ,EAAE,KAAK,CAAC;aAChC;YACD,eAAe,EAAE,UAAU,CAAC,QAAQ,EAAE,eAAe,IAAI,sBAAc,CAAC,QAAQ,CAAC,eAAe;SACjG;KACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":";AAAA;;GAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgIH,sCAoCC;AAlKD,2CAA6B;AAC7B,uCAAyB;AA2DzB,0BAA0B;AACb,QAAA,mBAAmB,GAAG,IAAI,CAAC,IAAI,CAC1C,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,sBAAsB,CAClD,CAAC;AAEF,qBAAqB;AACR,QAAA,cAAc,GAAsB;IAC/C,IAAI,EAAE,OAAO,EAAG,qCAAqC;IACrD,KAAK,EAAE;QACL,IAAI,EAAE,WAAW;QACjB,IAAI,EAAE,IAAI;QACV,IAAI,EAAE,MAAM;QACZ,QAAQ,EAAE,EAAE;QACZ,QAAQ,EAAE,wBAAwB;KACnC;IACD,MAAM,EAAE;QACN,IAAI,EAAE,2BAAmB;KAC1B;IACD,MAAM,EAAE;QACN,SAAS,EAAE,EAAE;QACb,eAAe,EAAE,IAAI;KACtB;IACD,SAAS,EAAE;QACT,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE;YACR,SAAS;YACT,gBAAgB;YAChB,UAAU;YACV,QAAQ;YACR,cAAc;YACd,YAAY;YACZ,eAAe;YACf,cAAc;YACd,eAAe;YACf,YAAY;YACZ,YAAY;YACZ,eAAe;YACf,aAAa;YACb,YAAY;SACb;KACF;IACD,QAAQ,EAAE;QACR,OAAO,EAAE,IAAI;QACb,KAAK,EAAE;YACL,aAAa,EAAE,IAAI;YACnB,WAAW,EAAE,IAAI;YACjB,eAAe,EAAE,IAAI;YACrB,cAAc,EAAE,IAAI;SACrB;QACD,eAAe,EAAE,EAAE;KACpB;CACF,CAAC;AAEF;;;;;GAKG;AACH,SAAS,SAAS,CAAC,UAAsC;IACvD,IAAI,UAAU,CAAC,IAAI;QAAE,OAAO,UAAU,CAAC,IAAI,CAAC;IAC5C,MAAM,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC;IAC3B,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,KAAK,WAAW,IAAI,CAAC,CAAC,QAAQ;QAAE,OAAO,QAAQ,CAAC;IACzE,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAgB,aAAa,CAC3B,UAAkD;IAElD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,EAAE,GAAG,sBAAc,EAAE,CAAC;IAC/B,CAAC;IAED,OAAO;QACL,IAAI,EAAE,SAAS,CAAC,UAAU,CAAC;QAC3B,KAAK,EAAE;YACL,GAAG,sBAAc,CAAC,KAAK;YACvB,GAAG,UAAU,CAAC,KAAK;SACpB;QACD,MAAM,EAAE;YACN,GAAG,sBAAc,CAAC,MAAM;YACxB,GAAG,UAAU,CAAC,MAAM;SACrB;QACD,MAAM,EAAE;YACN,GAAG,sBAAc,CAAC,MAAM;YACxB,GAAG,UAAU,CAAC,MAAM;SACrB;QACD,SAAS,EAAE;YACT,GAAG,sBAAc,CAAC,SAAS;YAC3B,GAAG,UAAU,CAAC,SAAS;YACvB,QAAQ,EAAE,UAAU,CAAC,SAAS,EAAE,QAAQ,IAAI,sBAAc,CAAC,SAAS,CAAC,QAAQ;SAC9E;QACD,QAAQ,EAAE;YACR,GAAG,sBAAc,CAAC,QAAQ;YAC1B,GAAG,UAAU,CAAC,QAAQ;YACtB,KAAK,EAAE;gBACL,GAAG,sBAAc,CAAC,QAAQ,CAAC,KAAK;gBAChC,GAAG,CAAC,UAAU,CAAC,QAAQ,EAAE,KAAK,CAAC;aAChC;YACD,eAAe,EAAE,UAAU,CAAC,QAAQ,EAAE,eAAe,IAAI,sBAAc,CAAC,QAAQ,CAAC,eAAe;SACjG;KACF,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -1,5 +1,5 @@
 /**
- * OpenClaw audit plugin entry point
+ * OpenClaw observability plugin entry point
  * Registers all 24 Plugin Hooks, assembles capture -> buffer -> writer pipeline
  *
  * OpenClaw hooks:

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,iBAAiB,EAAiB,MAAM,UAAU,CAAC;AAe5D,UAAU,SAAS;IACjB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,YAAY,CAAC,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC;IAC1C,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,OAAO,GAAG,IAAI,CAAC;IACjE,iBAAiB,CAAC,EAAE,CAAC,MAAM,EAAE;QAC3B,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,CAAC,GAAG,EAAE,OAAO,WAAW,EAAE,eAAe,EAAE,GAAG,EAAE,OAAO,WAAW,EAAE,cAAc,KAAK,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,GAAG,OAAO,GAAG,IAAI,CAAC;QACzI,IAAI,EAAE,SAAS,GAAG,QAAQ,CAAC;QAC3B,KAAK,CAAC,EAAE,OAAO,GAAG,QAAQ,CAAC;QAC3B,eAAe,CAAC,EAAE,OAAO,CAAC;KAC3B,KAAK,IAAI,CAAC;IACX,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAmbD,iBAAS,QAAQ,CAAC,GAAG,EAAE,SAAS,GAAG;IAAE,UAAU,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;CAAE,CAs+BrE;AAED,OAAO,EAAE,QAAQ,EAAE,CAAC;AACpB,eAAe,QAAQ,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,iBAAiB,EAAiB,MAAM,UAAU,CAAC;AAe5D,UAAU,SAAS;IACjB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,YAAY,CAAC,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC;IAC1C,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,OAAO,GAAG,IAAI,CAAC;IACjE,iBAAiB,CAAC,EAAE,CAAC,MAAM,EAAE;QAC3B,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,CAAC,GAAG,EAAE,OAAO,WAAW,EAAE,eAAe,EAAE,GAAG,EAAE,OAAO,WAAW,EAAE,cAAc,KAAK,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,GAAG,OAAO,GAAG,IAAI,CAAC;QACzI,IAAI,EAAE,SAAS,GAAG,QAAQ,CAAC;QAC3B,KAAK,CAAC,EAAE,OAAO,GAAG,QAAQ,CAAC;QAC3B,eAAe,CAAC,EAAE,OAAO,CAAC;KAC3B,KAAK,IAAI,CAAC;IACX,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAmbD,iBAAS,QAAQ,CAAC,GAAG,EAAE,SAAS,GAAG;IAAE,UAAU,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;CAAE,CAu+BrE;AAED,OAAO,EAAE,QAAQ,EAAE,CAAC;AACpB,eAAe,QAAQ,CAAC"}

package/dist/index.js

@@ -1,6 +1,6 @@
 "use strict";
 /**
- * OpenClaw audit plugin entry point
+ * OpenClaw observability plugin entry point
  * Registers all 24 Plugin Hooks, assembles capture -> buffer -> writer pipeline
  *
  * OpenClaw hooks:
@@ -164,14 +164,14 @@ function installFetchInterceptor() {
         });
     };
     fetchInterceptorInstalled = true;
-    console.log('[audit-duckdb] Fetch interceptor installed for token usage tracking');
+    console.log('[openclaw-observability] Fetch interceptor installed for token usage tracking');
 }
 function uninstallFetchInterceptor() {
     if (originalFetch) {
         globalThis.fetch = originalFetch;
         originalFetch = null;
         fetchInterceptorInstalled = false;
-        console.log('[audit-duckdb] Fetch interceptor uninstalled');
+        console.log('[openclaw-observability] Fetch interceptor uninstalled');
     }
 }
 /**
@@ -351,7 +351,7 @@ function makeAction(sessionId, overrides) {
 function activate(api) {
     const rawConfig = (api.pluginConfig || api.config || {});
     const config = (0, config_1.resolveConfig)(rawConfig);
-    console.log(`[audit-duckdb] Config resolved: mode=${config.mode} ` +
+    console.log(`[openclaw-observability] Config resolved: mode=${config.mode} ` +
         (config.mode === 'remote'
             ? `mysql.host=${config.mysql.host} mysql.database=${config.mysql.database}`
             : `duckdb.path=${config.duckdb.path}`));
@@ -366,6 +366,7 @@ function activate(api) {
     }
     const buffer = new buffer_1.AsyncBatchBuffer(config.buffer, (entries) => writer.writeBatch(entries));
     // Install fetch interceptor for token usage tracking
+    // NOTE: Only install if not in a restart loop (check via env flag)
     installFetchInterceptor();
     // Security scanner
     const securityConfig = (0, scanner_1.resolveSecurityConfig)(config.security);
@@ -385,8 +386,8 @@ function activate(api) {
             .initialize()
             .then(() => {
             buffer.start();
-            // Start security alert flush timer (every 30s)
-            alertFlushTimer = setInterval(() => void flushAlerts(), 30000);
+            // Start security alert flush timer (same interval as buffer flush)
+            alertFlushTimer = setInterval(() => void flushAlerts(), config.buffer.flushIntervalMs);
             if (alertFlushTimer && typeof alertFlushTimer === 'object' && 'unref' in alertFlushTimer) {
                 alertFlushTimer.unref();
             }
@@ -395,22 +396,22 @@ function activate(api) {
             if (mapCleanupTimer && typeof mapCleanupTimer === 'object' && 'unref' in mapCleanupTimer) {
                 mapCleanupTimer.unref();
             }
-            console.log(`[audit-duckdb] Plugin activated (mode=${config.mode}, security scanner enabled)`);
+            console.log(`[openclaw-observability] Plugin activated (mode=${config.mode}, security scanner enabled)`);
         })
             .catch((error) => {
-            console.error('[audit-duckdb] Failed to initialize database:', error);
+            console.error('[openclaw-observability] Failed to initialize database:', error);
         });
     }
     else {
-        console.log('[audit-duckdb] MySQL not configured yet — skipping database connection. ' +
-            'Please configure via Dashboard (Settings → Plugins → audit-duckdb Config) then restart.');
+        console.log('[openclaw-observability] MySQL not configured yet — skipping database connection. ' +
+            'Please configure via Dashboard (Settings → Plugins → openclaw-observability Config) then restart.');
     }
-    // Register audit panel Web UI (mounted on Gateway HTTP server)
+    // Register observability panel Web UI (mounted on Gateway HTTP server)
     if (typeof api.registerHttpRoute === 'function') {
         (0, routes_1.registerAuditRoutes)(api.registerHttpRoute.bind(api), writer);
     }
     else {
-        console.warn('[audit-duckdb] registerHttpRoute not available — audit UI disabled');
+        console.warn('[openclaw-observability] registerHttpRoute not available — observability UI disabled');
     }
     // ====================== Helper functions ======================
     /** Record action, update session stats, and run security scan */
@@ -427,12 +428,12 @@ function activate(api) {
                     if (alertBuffer.length + alerts.length > MAX_ALERT_BUFFER) {
                         const overflow = alertBuffer.length + alerts.length - MAX_ALERT_BUFFER;
                         alertBuffer.splice(0, overflow);
-                        console.warn(`[audit-security] Alert buffer overflow, dropped ${overflow} oldest alerts`);
+                        console.warn(`[openclaw-observability-security] Alert buffer overflow, dropped ${overflow} oldest alerts`);
                     }
                     alertBuffer.push(...alerts);
                     for (const alert of alerts) {
                         const icon = alert.severity === 'critical' ? '🔴' : alert.severity === 'warn' ? '🟡' : 'ℹ️';
-                        console.log(`[audit-security] ${icon} ${alert.severity.toUpperCase()} ${alert.ruleId}: ${alert.ruleName} — ${alert.finding} (session=${alert.sessionId})`);
+                        console.log(`[openclaw-observability-security] ${icon} ${alert.severity.toUpperCase()} ${alert.ruleId}: ${alert.ruleName} — ${alert.finding} (session=${alert.sessionId})`);
                     }
                     // Flush immediately on CRITICAL alerts
                     if (alerts.some(a => a.severity === 'critical')) {
@@ -441,7 +442,7 @@ function activate(api) {
                 }
             }
             catch (err) {
-                console.error('[audit-security] Scan error:', err);
+                console.error('[openclaw-observability-security] Scan error:', err);
             }
         }
     }
@@ -454,7 +455,7 @@ function activate(api) {
             await writer.writeAlerts(batch);
         }
         catch (err) {
-            console.error('[audit-security] Failed to write alerts:', err);
+            console.error('[openclaw-observability-security] Failed to write alerts:', err);
             // Put back into buffer
             alertBuffer.unshift(...batch);
         }
@@ -491,10 +492,10 @@ function activate(api) {
                 userId: c?.agentId,
                 inputParams: redactor.redact({ prompt: truncate(e.prompt) }),
             }));
-            console.log(`[audit-duckdb] before_model_resolve: session=${sid}`);
+            console.log(`[openclaw-observability] before_model_resolve: session=${sid}`);
         }
         catch (err) {
-            console.error('[audit-duckdb] Error in before_model_resolve:', err);
+            console.error('[openclaw-observability] Error in before_model_resolve:', err);
         }
     });
     // before_prompt_build: before prompt construction
@@ -512,10 +513,10 @@ function activate(api) {
                     messageCount: Array.isArray(e.messages) ? e.messages.length : 0,
                 }),
             }));
-            console.log(`[audit-duckdb] before_prompt_build: session=${sid} msgs=${Array.isArray(e.messages) ? e.messages.length : '?'}`);
+            console.log(`[openclaw-observability] before_prompt_build: session=${sid} msgs=${Array.isArray(e.messages) ? e.messages.length : '?'}`);
         }
         catch (err) {
-            console.error('[audit-duckdb] Error in before_prompt_build:', err);
+            console.error('[openclaw-observability] Error in before_prompt_build:', err);
         }
     });
     // before_agent_start: skipped — legacy hook that fires twice
@@ -537,10 +538,10 @@ function activate(api) {
                 }),
                 durationMs: e.durationMs ?? null,
             }));
-            console.log(`[audit-duckdb] agent_end: session=${sid} success=${e.success} duration=${e.durationMs}ms`);
+            console.log(`[openclaw-observability] agent_end: session=${sid} success=${e.success} duration=${e.durationMs}ms`);
         }
         catch (err) {
-            console.error('[audit-duckdb] Error in agent_end:', err);
+            console.error('[openclaw-observability] Error in agent_end:', err);
         }
     });
     // =====================================================================
@@ -566,13 +567,13 @@ function activate(api) {
             if (c?.agentId)
                 sctx.userId = c.agentId;
             sctx.modelName = `${e.provider}/${e.model}`;
-            console.log(`[audit-duckdb] llm_input: session=${sid} model=${e.provider}/${e.model} runId=${e.runId} images=${e.imagesCount ?? 0} mediaParts=${media.length}`);
+            console.log(`[openclaw-observability] llm_input: session=${sid} model=${e.provider}/${e.model} runId=${e.runId} images=${e.imagesCount ?? 0} mediaParts=${media.length}`);
         }
         catch (err) {
-            console.error('[audit-duckdb] Error in llm_input:', err);
+            console.error('[openclaw-observability] Error in llm_input:', err);
         }
     });
-    // llm_output: after LLM call — primary audit record point
+    // llm_output: after LLM call — primary observability record point
     api.on('llm_output', (event, ctx) => {
         try {
             const e = event;
@@ -653,10 +654,10 @@ function activate(api) {
                 durationMs,
                 userId: c?.agentId,
             }), totalTokens);
-            console.log(`[audit-duckdb] llm_output: session=${e.sessionId} model=${e.model} duration=${durationMs}ms tokens=${promptTokens ?? '?'}/${completionTokens ?? '?'} cache_r=${cacheRead ?? '-'} cache_w=${cacheWrite ?? '-'}`);
+            console.log(`[openclaw-observability] llm_output: session=${e.sessionId} model=${e.model} duration=${durationMs}ms tokens=${promptTokens ?? '?'}/${completionTokens ?? '?'} cache_r=${cacheRead ?? '-'} cache_w=${cacheWrite ?? '-'}`);
         }
         catch (err) {
-            console.error('[audit-duckdb] Error in llm_output:', err);
+            console.error('[openclaw-observability] Error in llm_output:', err);
         }
     });
     // =====================================================================
@@ -678,10 +679,10 @@ function activate(api) {
                     tokenCount: e.tokenCount,
                 }),
             }));
-            console.log(`[audit-duckdb] before_compaction: session=${sid} msgs=${e.messageCount} tokens=${e.tokenCount}`);
+            console.log(`[openclaw-observability] before_compaction: session=${sid} msgs=${e.messageCount} tokens=${e.tokenCount}`);
         }
         catch (err) {
-            console.error('[audit-duckdb] Error in before_compaction:', err);
+            console.error('[openclaw-observability] Error in before_compaction:', err);
         }
     });
     // after_compaction: after context compaction
@@ -700,10 +701,10 @@ function activate(api) {
                     tokenCount: e.tokenCount,
                 }),
             }));
-            console.log(`[audit-duckdb] after_compaction: session=${sid} compacted=${e.compactedCount}`);
+            console.log(`[openclaw-observability] after_compaction: session=${sid} compacted=${e.compactedCount}`);
         }
         catch (err) {
-            console.error('[audit-duckdb] Error in after_compaction:', err);
+            console.error('[openclaw-observability] Error in after_compaction:', err);
         }
     });
     // before_reset: before session reset
@@ -721,10 +722,10 @@ function activate(api) {
                     messageCount: Array.isArray(e.messages) ? e.messages.length : 0,
                 }),
             }));
-            console.log(`[audit-duckdb] before_reset: session=${sid} reason=${e.reason}`);
+            console.log(`[openclaw-observability] before_reset: session=${sid} reason=${e.reason}`);
         }
         catch (err) {
-            console.error('[audit-duckdb] Error in before_reset:', err);
+            console.error('[openclaw-observability] Error in before_reset:', err);
         }
     });
     // =====================================================================
@@ -750,10 +751,10 @@ function activate(api) {
                 }),
                 createdAt: new Date(e.timestamp || Date.now()),
             }));
-            console.log(`[audit-duckdb] message_received: from=${e.from} channel=${c?.channelId} len=${e.content?.length}`);
+            console.log(`[openclaw-observability] message_received: from=${e.from} channel=${c?.channelId} len=${e.content?.length}`);
         }
         catch (err) {
-            console.error('[audit-duckdb] Error in message_received:', err);
+            console.error('[openclaw-observability] Error in message_received:', err);
         }
     });
     // message_sending: before message send (interceptable/modifiable)
@@ -774,10 +775,10 @@ function activate(api) {
                     channelId: c?.channelId,
                 }),
             }));
-            console.log(`[audit-duckdb] message_sending: to=${e.to} channel=${c?.channelId}`);
+            console.log(`[openclaw-observability] message_sending: to=${e.to} channel=${c?.channelId}`);
         }
         catch (err) {
-            console.error('[audit-duckdb] Error in message_sending:', err);
+            console.error('[openclaw-observability] Error in message_sending:', err);
         }
     });
     // message_sent: message sent
@@ -800,13 +801,13 @@ function activate(api) {
                     channelId: c?.channelId,
                 }),
             }));
-            console.log(`[audit-duckdb] message_sent: to=${e.to} success=${e.success} channel=${c?.channelId}`);
+            console.log(`[openclaw-observability] message_sent: to=${e.to} success=${e.success} channel=${c?.channelId}`);
         }
         catch (err) {
-            console.error('[audit-duckdb] Error in message_sent:', err);
+            console.error('[openclaw-observability] Error in message_sent:', err);
         }
     });
-    // before_message_write: skipped — message content already fully recorded in llm_input/llm_output, no additional audit value
+    // before_message_write: skipped — message content already fully recorded in llm_input/llm_output, no additional observability value
     // =====================================================================
     //  5. Tool calls
     // =====================================================================
@@ -825,13 +826,13 @@ function activate(api) {
             const sctx = getSessionCtx(sid);
             if (c?.agentId)
                 sctx.userId = c.agentId;
-            console.log(`[audit-duckdb] before_tool_call: tool=${e.toolName} session=${sid} callId=${callId}`);
+            console.log(`[openclaw-observability] before_tool_call: tool=${e.toolName} session=${sid} callId=${callId}`);
         }
         catch (err) {
-            console.error('[audit-duckdb] Error in before_tool_call:', err);
+            console.error('[openclaw-observability] Error in before_tool_call:', err);
         }
     });
-    // after_tool_call: after tool call — generate audit record
+    // after_tool_call: after tool call — generate observability record
     api.on('after_tool_call', (event, ctx) => {
         try {
             const e = event;
@@ -872,7 +873,7 @@ function activate(api) {
                         }
                     }
                     if (toolMedia.length > 0) {
-                        // Don't write full base64 to audit record, only record metadata
+                        // Don't write full base64 to observability record, only record metadata
                         const sanitized = { ...raw };
                         sanitized.content = resultContent.map((part) => {
                             if (part && typeof part === 'object' && part.type === 'image') {
@@ -906,10 +907,10 @@ function activate(api) {
                 durationMs,
                 userId: c?.agentId,
             }));
-            console.log(`[audit-duckdb] after_tool_call: tool=${toolName} session=${sessionId} duration=${durationMs}ms`);
+            console.log(`[openclaw-observability] after_tool_call: tool=${toolName} session=${sessionId} duration=${durationMs}ms`);
         }
         catch (err) {
-            console.error('[audit-duckdb] Error in after_tool_call:', err);
+            console.error('[openclaw-observability] Error in after_tool_call:', err);
         }
     });
     // tool_result_persist: tool result persistence (sync hook)
@@ -932,7 +933,7 @@ function activate(api) {
             }));
         }
         catch (err) {
-            console.error('[audit-duckdb] Error in tool_result_persist:', err);
+            console.error('[openclaw-observability] Error in tool_result_persist:', err);
         }
     });
     // =====================================================================
@@ -955,10 +956,10 @@ function activate(api) {
                     resumedFrom: e.resumedFrom,
                 }),
             }));
-            console.log(`[audit-duckdb] session_start: session=${sid} resumed=${e.resumedFrom}`);
+            console.log(`[openclaw-observability] session_start: session=${sid} resumed=${e.resumedFrom}`);
         }
         catch (err) {
-            console.error('[audit-duckdb] Error in session_start:', err);
+            console.error('[openclaw-observability] Error in session_start:', err);
         }
     });
     // session_end: session ended — force flush
@@ -980,10 +981,10 @@ function activate(api) {
             void buffer.flush();
             // Clean up session context
             sessionContextMap.delete(sid);
-            console.log(`[audit-duckdb] session_end: session=${sid} msgs=${e.messageCount} duration=${e.durationMs}ms`);
+            console.log(`[openclaw-observability] session_end: session=${sid} msgs=${e.messageCount} duration=${e.durationMs}ms`);
         }
         catch (err) {
-            console.error('[audit-duckdb] Error in session_end:', err);
+            console.error('[openclaw-observability] Error in session_end:', err);
         }
     });
     // =====================================================================
@@ -1010,10 +1011,10 @@ function activate(api) {
                     requesterSessionKey: c?.requesterSessionKey,
                 }),
             }));
-            console.log(`[audit-duckdb] subagent_spawned: agent=${e.agentId} child=${e.childSessionKey}`);
+            console.log(`[openclaw-observability] subagent_spawned: agent=${e.agentId} child=${e.childSessionKey}`);
         }
         catch (err) {
-            console.error('[audit-duckdb] Error in subagent_spawned:', err);
+            console.error('[openclaw-observability] Error in subagent_spawned:', err);
         }
     });
     // subagent_ended: sub-agent ended
@@ -1033,10 +1034,10 @@ function activate(api) {
                     error: e.error,
                 }),
             }));
-            console.log(`[audit-duckdb] subagent_ended: target=${e.targetSessionKey} outcome=${e.outcome}`);
+            console.log(`[openclaw-observability] subagent_ended: target=${e.targetSessionKey} outcome=${e.outcome}`);
         }
         catch (err) {
-            console.error('[audit-duckdb] Error in subagent_ended:', err);
+            console.error('[openclaw-observability] Error in subagent_ended:', err);
         }
     });
     // =====================================================================
@@ -1053,10 +1054,10 @@ function activate(api) {
                 userId: 'system',
                 inputParams: { port: e.port },
             }));
-            console.log(`[audit-duckdb] gateway_start: port=${e.port}`);
+            console.log(`[openclaw-observability] gateway_start: port=${e.port}`);
         }
         catch (err) {
-            console.error('[audit-duckdb] Error in gateway_start:', err);
+            console.error('[openclaw-observability] Error in gateway_start:', err);
         }
     });
     // gateway_stop: gateway stopped
@@ -1072,10 +1073,10 @@ function activate(api) {
             }));
             // Force flush on gateway stop
             void buffer.flush();
-            console.log(`[audit-duckdb] gateway_stop: reason=${e.reason}`);
+            console.log(`[openclaw-observability] gateway_stop: reason=${e.reason}`);
         }
         catch (err) {
-            console.error('[audit-duckdb] Error in gateway_stop:', err);
+            console.error('[openclaw-observability] Error in gateway_stop:', err);
         }
     });
     // =====================================================================
@@ -1083,7 +1084,7 @@ function activate(api) {
     // =====================================================================
     return {
         deactivate: async () => {
-            console.log('[audit-duckdb] Deactivating plugin...');
+            console.log('[openclaw-observability] Deactivating plugin...');
             // Stop timers
             if (alertFlushTimer) {
                 clearInterval(alertFlushTimer);
@@ -1106,7 +1107,7 @@ function activate(api) {
             sessionContextMap.clear();
             securityScanner.reset();
             lastFallbackSessionId = 'unknown';
-            console.log('[audit-duckdb] Plugin deactivated');
+            console.log('[openclaw-observability] Plugin deactivated');
         },
     };
 }