npm - openclaw-plugin-vt-sentinel - Versions diffs - 0.12.0 → 0.12.1 - Mend

openclaw-plugin-vt-sentinel 0.12.0 → 0.12.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md +24 -0
package/dist/compliance-snapshot.d.ts +13 -0
package/dist/compliance-snapshot.js +79 -0
package/dist/index.d.ts +27 -2
package/dist/index.js +24 -1
package/openclaw.plugin.json +1 -1
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,30 @@
 All notable changes to `openclaw-plugin-vt-sentinel`.
+## 0.12.1 — Security audit collector: dual-path wiring
+Fix for the collector introduced in 0.12.0. The in-gateway registration via
+`api.registerSecurityAuditCollector` was insufficient: `openclaw security audit
+--deep` runs in a fresh Node process that doesn't share state with the gateway
+and reads collectors from the plugin's **module-level** `securityAuditCollectors`
+field instead. Verified empirically on the production Linux VM (OpenClaw
+2026.4.12): 0.12.0 shipped with a runtime-only collector that emitted zero
+`vt-sentinel.*` findings under `openclaw security audit --deep --json`.
+### Fixed
+- **`securityAuditCollectors` declared at module level.** The default export
+  is now a plugin-definition object: `{ id, name, register, securityAuditCollectors }`.
+  The CLI audit picks up the collector from the object's field; the gateway
+  still registers it at runtime via `api.registerSecurityAuditCollector` for
+  any in-process audit surface that uses `getActivePluginRegistry()`. Both
+  paths now light up.
+- **`vtSentinelAuditCollector` is self-contained.** It rebuilds the
+  compliance snapshot exclusively from `ctx.config`, `ctx.stateDir`, and
+  `ctx.configPath` — no closure state, no shared-module variables. Usable
+  from a cold-loaded plugin metadata snapshot.
+- Runtime behavior (scanning, hooks, policies) unchanged.
 ## 0.12.0 — Transparency surface + log hygiene
 **Headline:** what VT Sentinel does at runtime is now auditable from two

package/dist/compliance-snapshot.d.ts CHANGED Viewed

@@ -103,3 +103,16 @@ export declare function collectLogModes(stateDir: string): LogModesInfo;
  * first and pass the result as `input.logModes`.
  */
 export declare function buildComplianceSnapshot(input: ComplianceSnapshotInput): ComplianceSnapshot;
+interface AuditCollectorCtx {
+    config: any;
+    sourceConfig: any;
+    env: NodeJS.ProcessEnv;
+    stateDir: string;
+    configPath: string;
+}
+/**
+ * Static security-audit collector. Pass this to OpenClaw via the plugin's
+ * module-level default export (`securityAuditCollectors: [vtSentinelAuditCollector]`).
+ */
+export declare function vtSentinelAuditCollector(ctx: AuditCollectorCtx): AuditFinding[];
+export {};

package/dist/compliance-snapshot.js CHANGED Viewed

@@ -53,8 +53,10 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.computePaths = computePaths;
 exports.collectLogModes = collectLogModes;
 exports.buildComplianceSnapshot = buildComplianceSnapshot;
+exports.vtSentinelAuditCollector = vtSentinelAuditCollector;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
+const config_manager_1 = require("./config-manager");
 // --- Core paths helper (pure) ---
 function computePaths(stateDir) {
     const auditDir = path.join(stateDir, 'vt-sentinel-audit');
@@ -301,3 +303,80 @@ function buildComplianceSnapshot(input) {
         risks,
     };
 }
+// --- Static (module-level) security audit collector ---
+//
+// The OpenClaw `security audit --deep` CLI runs in a fresh process that
+// does NOT share state with the gateway. It therefore reads
+// `securityAuditCollectors` from the plugin's module-level definition, NOT
+// from runtime `api.registerSecurityAuditCollector(...)` calls.
+//
+// This function is the canonical collector used by the CLI. It derives the
+// same snapshot as the gateway-side collector, but exclusively from the
+// audit context (ctx.config, ctx.stateDir, ctx.configPath) — no closure
+// state, no cross-module shared variables. Everything is reconstructable
+// from what the CLI hands us.
+//
+// Differences from the gateway-side invocation:
+//   - `watchDirs` only includes user-configured dirs (`cfg.watchDirs`); the
+//     auto-derived dirs (tmp, ~/Downloads, etc.) are a runtime concept.
+//   - `credentialMode` is inferred from (a) presence of `cfg.apiKey` and
+//     (b) presence of the persisted agent credentials file on disk.
+const PLUGIN_ID = 'openclaw-plugin-vt-sentinel';
+function extractPluginConfig(cfg) {
+    try {
+        return cfg?.plugins?.entries?.[PLUGIN_ID]?.config ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+function readAgentPublicHandle(stateDir) {
+    try {
+        const raw = fs.readFileSync(path.join(stateDir, 'vt-sentinel-agent.json'), 'utf-8');
+        const parsed = JSON.parse(raw);
+        return typeof parsed?.publicHandle === 'string' ? parsed.publicHandle : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+function credentialsFileExists(stateDir) {
+    try {
+        return fs.statSync(path.join(stateDir, 'vt-sentinel-agent.json')).isFile();
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Static security-audit collector. Pass this to OpenClaw via the plugin's
+ * module-level default export (`securityAuditCollectors: [vtSentinelAuditCollector]`).
+ */
+function vtSentinelAuditCollector(ctx) {
+    try {
+        const staticCfg = extractPluginConfig(ctx.config) ?? extractPluginConfig(ctx.sourceConfig);
+        const cm = new config_manager_1.ConfigManager(staticCfg);
+        const eff = cm.getEffective();
+        const hasUserKey = typeof staticCfg?.['apiKey'] === 'string' && staticCfg['apiKey'].trim().length > 0;
+        const hasCachedVtai = credentialsFileExists(ctx.stateDir);
+        const credentialMode = hasUserKey ? 'user_key' : (hasCachedVtai ? 'vtai' : 'none');
+        const watchDirs = Array.isArray(eff.watchDirs) ? [...eff.watchDirs] : [];
+        const snap = buildComplianceSnapshot({
+            config: eff,
+            stateDir: ctx.stateDir,
+            credentialMode,
+            watchDirs,
+            agentPublicHandle: readAgentPublicHandle(ctx.stateDir),
+            logModes: collectLogModes(ctx.stateDir),
+        });
+        return [...snap.baseline, ...snap.risks];
+    }
+    catch (err) {
+        return [{
+                checkId: 'vt-sentinel.audit-collector-error',
+                severity: 'warn',
+                title: 'VT Sentinel compliance snapshot failed to build',
+                detail: `Collector threw while assembling audit findings: ${err?.message || String(err)}`,
+            }];
+    }
+}

package/dist/index.d.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import { SensitiveFilePolicy } from './scanner';
 import { getCurrentVersion } from './version';
 import { generateUpdateCommands } from './update-commands';
+import { vtSentinelAuditCollector } from './compliance-snapshot';
 interface VTSentinelConfig {
     apiKey?: string;
     watchDirs?: string[];
@@ -77,10 +78,34 @@ declare function buildEnhancedBio(eff: {
     configPreset?: string;
     autoScan?: boolean;
 }): string;
-export default function vtSentinelPlugin(api: PluginApi): void;
+declare function vtSentinelPlugin(api: PluginApi): void;
 export declare const _generateUpdateCommands: typeof generateUpdateCommands;
 export declare const _fetchLatestVersion: typeof fetchLatestVersion;
 export declare const _getCurrentVersion: typeof getCurrentVersion;
 export declare const _generateAgentName: typeof generateAgentName;
 export declare const _buildEnhancedBio: typeof buildEnhancedBio;
-export {};
+/**
+ * Module-level plugin definition.
+ *
+ * `register(api)` runs inside the gateway — it's where the plugin wires up
+ * tools, hooks, the service, the runtime security-audit collector, and
+ * everything else that needs access to the live gateway API.
+ *
+ * `securityAuditCollectors` is read by `openclaw security audit --deep` in
+ * a FRESH Node process that does NOT share state with the gateway. That
+ * collector (`vtSentinelAuditCollector`) is self-contained: it rebuilds the
+ * compliance snapshot from ctx alone. Keeping it at module level is how
+ * plugin-declared findings land in `security audit` output.
+ *
+ * The dual-path wiring (runtime via `api.registerSecurityAuditCollector`
+ * inside `register`, static via `securityAuditCollectors` here) lets both
+ * the in-gateway audit flow and the out-of-process CLI flow surface the
+ * same data.
+ */
+declare const _default: {
+    id: string;
+    name: string;
+    register: typeof vtSentinelPlugin;
+    securityAuditCollectors: (typeof vtSentinelAuditCollector)[];
+};
+export default _default;

package/dist/index.js CHANGED Viewed

@@ -39,7 +39,6 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports._buildEnhancedBio = exports._generateAgentName = exports._getCurrentVersion = exports._fetchLatestVersion = exports._generateUpdateCommands = void 0;
 exports.isNewerVersion = isNewerVersion;
 exports.isSelfPath = isSelfPath;
-exports.default = vtSentinelPlugin;
 const axios_1 = __importDefault(require("axios"));
 const chokidar = __importStar(require("chokidar"));
 const fs = __importStar(require("fs"));
@@ -1612,3 +1611,27 @@ exports._fetchLatestVersion = fetchLatestVersion;
 exports._getCurrentVersion = version_1.getCurrentVersion;
 exports._generateAgentName = generateAgentName;
 exports._buildEnhancedBio = buildEnhancedBio;
+/**
+ * Module-level plugin definition.
+ *
+ * `register(api)` runs inside the gateway — it's where the plugin wires up
+ * tools, hooks, the service, the runtime security-audit collector, and
+ * everything else that needs access to the live gateway API.
+ *
+ * `securityAuditCollectors` is read by `openclaw security audit --deep` in
+ * a FRESH Node process that does NOT share state with the gateway. That
+ * collector (`vtSentinelAuditCollector`) is self-contained: it rebuilds the
+ * compliance snapshot from ctx alone. Keeping it at module level is how
+ * plugin-declared findings land in `security audit` output.
+ *
+ * The dual-path wiring (runtime via `api.registerSecurityAuditCollector`
+ * inside `register`, static via `securityAuditCollectors` here) lets both
+ * the in-gateway audit flow and the out-of-process CLI flow surface the
+ * same data.
+ */
+exports.default = {
+    id: 'openclaw-plugin-vt-sentinel',
+    name: 'VT Sentinel',
+    register: vtSentinelPlugin,
+    securityAuditCollectors: [compliance_snapshot_1.vtSentinelAuditCollector],
+};

package/openclaw.plugin.json CHANGED Viewed

@@ -2,7 +2,7 @@
   "id": "openclaw-plugin-vt-sentinel",
   "name": "VT Sentinel",
   "description": "VirusTotal Sentinel for OpenClaw — malware detection, active protection, and AI-powered code analysis.",
-  "version": "0.12.0",
+  "version": "0.12.1",
   "skills": ["./skills"],
   "contracts": {
     "tools": [

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "openclaw-plugin-vt-sentinel",
-  "version": "0.12.0",
+  "version": "0.12.1",
   "displayName": "VT Sentinel",
   "description": "VirusTotal Sentinel for OpenClaw - Malware detection and AI-powered code analysis",
   "main": "dist/index.js",