openclaw-safeclaw-plugin 0.7.0 → 0.7.2

package/README.md

@@ -1,38 +1,33 @@
 # openclaw-safeclaw-plugin
 
-Neurosymbolic governance plugin for OpenClaw AI agents. Validates every tool call, message, and action against OWL ontologies and SHACL constraints before execution.
+Neurosymbolic governance plugin for OpenClaw AI agents. Validates every tool call, message, and action against safety constraints before execution.
 
 ## Install
 
 ```bash
-openclaw plugins install openclaw-safeclaw-plugin
+npm install -g openclaw-safeclaw-plugin
 ```
 
 ## Quick Start
 
-Install and go — the plugin connects to SafeClaw's hosted service by default:
+1. Sign up at [safeclaw.eu](https://safeclaw.eu) and create an API key
+2. Install and connect:
 
 ```bash
-openclaw plugins install openclaw-safeclaw-plugin
+npm install -g openclaw-safeclaw-plugin
+safeclaw connect <your-api-key>
+safeclaw restart-openclaw
 ```
 
-No configuration needed. The default service URL is `https://api.safeclaw.eu/api/v1`.
+That's it. Every tool call your AI agent makes is now governed by SafeClaw.
 
-## Self-Hosted
+## Commands
 
-To run your own SafeClaw service, override the URL:
-
-```bash
-export SAFECLAW_URL="http://localhost:8420/api/v1"
-
-# Start the SafeClaw service
-git clone https://github.com/tendlyeu/SafeClaw.git
-cd SafeClaw/safeclaw-service
-python -m venv .venv && source .venv/bin/activate
-pip install -e ".[dev]"
-safeclaw init --user-id yourname
-safeclaw serve
-# Engine ready on http://localhost:8420
+```
+safeclaw connect <api-key>  Connect to SafeClaw and register with OpenClaw
+safeclaw setup              Register plugin with OpenClaw (no key needed)
+safeclaw tui                Open the interactive settings TUI
+safeclaw restart-openclaw   Restart the OpenClaw daemon
 ```
 
 ## What It Does
@@ -60,11 +55,11 @@ Set via environment variables or `~/.safeclaw/config.json`:
 | Variable | Default | Description |
 |----------|---------|-------------|
 | `SAFECLAW_URL` | `https://api.safeclaw.eu/api/v1` | SafeClaw service URL |
-| `SAFECLAW_API_KEY` | *(empty)* | API key for cloud mode |
+| `SAFECLAW_API_KEY` | *(empty)* | API key (set automatically by `safeclaw connect`) |
 | `SAFECLAW_TIMEOUT_MS` | `500` | Request timeout in ms |
 | `SAFECLAW_ENABLED` | `true` | Set `false` to disable |
 | `SAFECLAW_ENFORCEMENT` | `enforce` | `enforce`, `warn-only`, `audit-only`, or `disabled` |
-| `SAFECLAW_FAIL_MODE` | `closed` | `open` (allow on failure) or `closed` (block on failure) |
+| `SAFECLAW_FAIL_MODE` | `open` | `open` (allow on failure) or `closed` (block on failure) |
 
 ## Enforcement Modes
 

package/cli.tsx

@@ -2,81 +2,38 @@
 import React from 'react';
 import { render } from 'ink';
 import { execSync } from 'child_process';
-import { readFileSync, writeFileSync, mkdirSync, chmodSync, existsSync, symlinkSync, lstatSync, unlinkSync, realpathSync } from 'fs';
-import { join, dirname } from 'path';
+import { readFileSync, writeFileSync, mkdirSync, chmodSync, existsSync } from 'fs';
+import { join } from 'path';
 import { homedir } from 'os';
-import { fileURLToPath } from 'url';
 import App from './tui/App.js';
 
-const __dirname = dirname(fileURLToPath(import.meta.url));
-
-function readJson(path: string): Record<string, unknown> {
-  try {
-    return JSON.parse(readFileSync(path, 'utf-8'));
-  } catch {
-    return {};
-  }
-}
-
 function registerWithOpenClaw(): boolean {
-  // Plugin root is one level up from dist/
-  const pluginRoot = join(__dirname, '..');
-  const extensionsDir = join(homedir(), '.openclaw', 'extensions');
-  const linkPath = join(extensionsDir, 'safeclaw');
-
-  // 1. Create symlink in ~/.openclaw/extensions/safeclaw -> plugin root
+  // Use OpenClaw's native plugin install mechanism
   try {
-    mkdirSync(extensionsDir, { recursive: true });
-
-    // Remove existing symlink/dir if it points elsewhere
-    if (existsSync(linkPath)) {
-      const stat = lstatSync(linkPath);
-      if (stat.isSymbolicLink()) {
-        const target = realpathSync(linkPath);
-        if (target === realpathSync(pluginRoot)) {
-          // Already linked correctly
-        } else {
-          unlinkSync(linkPath);
-          symlinkSync(pluginRoot, linkPath);
-        }
+    execSync('openclaw plugins install openclaw-safeclaw-plugin', {
+      encoding: 'utf-8',
+      timeout: 30000,
+      stdio: 'pipe',
+    });
+    return true;
+  } catch {
+    // Fallback: try linking from the global npm install location
+    try {
+      const globalRoot = execSync('npm root -g', { encoding: 'utf-8', timeout: 5000 }).trim();
+      const pluginPath = join(globalRoot, 'openclaw-safeclaw-plugin');
+      if (existsSync(pluginPath)) {
+        execSync(`openclaw plugins install --link "${pluginPath}"`, {
+          encoding: 'utf-8',
+          timeout: 15000,
+          stdio: 'pipe',
+        });
+        return true;
       }
-      // If it's a real directory (from openclaw plugins install), leave it
-    } else {
-      symlinkSync(pluginRoot, linkPath);
+    } catch {
+      // Both methods failed
     }
-  } catch (e) {
-    console.warn(`Warning: Could not create extension symlink: ${e instanceof Error ? e.message : e}`);
-    return false;
-  }
-
-  // 2. Enable plugin in ~/.openclaw/openclaw.json
-  const openclawConfigPath = join(homedir(), '.openclaw', 'openclaw.json');
-  const ocConfig = readJson(openclawConfigPath);
-
-  if (!ocConfig.plugins || typeof ocConfig.plugins !== 'object') {
-    ocConfig.plugins = {};
   }
-  const plugins = ocConfig.plugins as Record<string, unknown>;
-  if (!plugins.entries || typeof plugins.entries !== 'object') {
-    plugins.entries = {};
-  }
-  const entries = plugins.entries as Record<string, unknown>;
-
-  // Only add/update if not already configured
-  if (!entries.safeclaw || typeof entries.safeclaw !== 'object') {
-    entries.safeclaw = { enabled: true };
-  } else {
-    (entries.safeclaw as Record<string, unknown>).enabled = true;
-  }
-
-  try {
-    writeFileSync(openclawConfigPath, JSON.stringify(ocConfig, null, 2) + '\n');
-  } catch (e) {
-    console.warn(`Warning: Could not update OpenClaw config: ${e instanceof Error ? e.message : e}`);
-    return false;
-  }
-
-  return true;
+  return false;
 }
 
 const args = process.argv.slice(2);
@@ -94,6 +51,12 @@ if (command === 'connect') {
     process.exit(1);
   }
 
+  if (!apiKey.startsWith('sc_')) {
+    console.error('Error: Invalid API key. Keys start with "sc_".');
+    console.error('Get your key at https://safeclaw.eu/dashboard');
+    process.exit(1);
+  }
+
   const configDir = join(homedir(), '.safeclaw');
   const configPath = join(configDir, 'config.json');
 
@@ -122,18 +85,18 @@ if (command === 'connect') {
   console.log(`Connected! API key saved to ${configPath}`);
 
   // Register with OpenClaw
+  console.log('Registering SafeClaw plugin with OpenClaw...');
   const registered = registerWithOpenClaw();
   if (registered) {
     console.log('SafeClaw plugin registered with OpenClaw.');
     console.log('');
     console.log('Restart OpenClaw to activate:');
     console.log('  safeclaw restart-openclaw');
-    console.log('  — or —');
-    console.log('  openclaw daemon restart');
   } else {
     console.log('');
     console.log('Could not auto-register with OpenClaw.');
-    console.log('Register manually: openclaw plugins install openclaw-safeclaw-plugin');
+    console.log('Register manually:');
+    console.log('  openclaw plugins install openclaw-safeclaw-plugin');
   }
 } else if (command === 'tui') {
   render(React.createElement(App));
@@ -148,7 +111,7 @@ if (command === 'connect') {
     process.exit(1);
   }
 } else if (command === 'setup') {
-  // Just register with OpenClaw (no API key needed)
+  console.log('Registering SafeClaw plugin with OpenClaw...');
   const registered = registerWithOpenClaw();
   if (registered) {
     console.log('SafeClaw plugin registered with OpenClaw.');
@@ -158,7 +121,93 @@ if (command === 'connect') {
     console.log('  2. Run: safeclaw connect <your-api-key>');
     console.log('  3. Run: safeclaw restart-openclaw');
   } else {
-    console.log('Could not auto-register. Try: openclaw plugins install openclaw-safeclaw-plugin');
+    console.log('Could not auto-register.');
+    console.log('Try: openclaw plugins install openclaw-safeclaw-plugin');
+  }
+} else if (command === 'status') {
+  const configPath = join(homedir(), '.safeclaw', 'config.json');
+  let allOk = true;
+
+  // 1. Config file
+  if (existsSync(configPath)) {
+    console.log('[ok] Config file: ' + configPath);
+  } else {
+    console.log('[!!] Config file not found. Run: safeclaw connect <api-key>');
+    allOk = false;
+  }
+
+  // 2. API key
+  let apiKey = '';
+  let serviceUrl = 'https://api.safeclaw.eu/api/v1';
+  if (existsSync(configPath)) {
+    try {
+      const cfg = JSON.parse(readFileSync(configPath, 'utf-8'));
+      const remote = cfg.remote as Record<string, string> | undefined;
+      apiKey = remote?.apiKey ?? '';
+      serviceUrl = remote?.serviceUrl ?? serviceUrl;
+    } catch { /* ignore */ }
+  }
+
+  if (apiKey && apiKey.startsWith('sc_')) {
+    console.log('[ok] API key: configured (sc_...)');
+  } else if (apiKey) {
+    console.log('[!!] API key: invalid (must start with sc_)');
+    allOk = false;
+  } else {
+    console.log('[!!] API key: not set. Run: safeclaw connect <api-key>');
+    allOk = false;
+  }
+
+  // 3. SafeClaw service reachable
+  try {
+    const res = await fetch(`${serviceUrl}/health`, {
+      signal: AbortSignal.timeout(5000),
+      headers: apiKey ? { 'Authorization': `Bearer ${apiKey}` } : {},
+    });
+    if (res.ok) {
+      const data = await res.json() as Record<string, unknown>;
+      console.log(`[ok] SafeClaw service: ${data.status ?? 'ok'} (${serviceUrl})`);
+    } else {
+      console.log(`[!!] SafeClaw service: HTTP ${res.status} (${serviceUrl})`);
+      allOk = false;
+    }
+  } catch {
+    console.log(`[!!] SafeClaw service: unreachable (${serviceUrl})`);
+    allOk = false;
+  }
+
+  // 4. OpenClaw installed
+  try {
+    execSync('which openclaw', { encoding: 'utf-8', stdio: 'pipe' });
+    console.log('[ok] OpenClaw: installed');
+  } catch {
+    console.log('[!!] OpenClaw: not found in PATH');
+    allOk = false;
+  }
+
+  // 5. Plugin registered with OpenClaw
+  try {
+    const pluginList = execSync('openclaw plugins list', {
+      encoding: 'utf-8',
+      timeout: 10000,
+      stdio: 'pipe',
+    });
+    if (pluginList.includes('safeclaw')) {
+      console.log('[ok] Plugin: registered with OpenClaw');
+    } else {
+      console.log('[!!] Plugin: not registered with OpenClaw. Run: safeclaw setup');
+      allOk = false;
+    }
+  } catch {
+    console.log('[??] Plugin: could not check OpenClaw plugin list');
+  }
+
+  // Summary
+  console.log('');
+  if (allOk) {
+    console.log('All checks passed. SafeClaw is ready.');
+  } else {
+    console.log('Some checks failed. Fix the issues above.');
   }
 } else {
   console.log('Usage: safeclaw <command>');
@@ -166,6 +215,7 @@ if (command === 'connect') {
   console.log('Commands:');
   console.log('  connect <api-key>  Connect to SafeClaw and register with OpenClaw');
   console.log('  setup              Register SafeClaw plugin with OpenClaw (no key needed)');
+  console.log('  status             Check SafeClaw + OpenClaw connection status');
   console.log('  tui                Open the interactive SafeClaw settings TUI');
   console.log('  restart-openclaw   Restart the OpenClaw daemon');
   process.exit(0);

package/dist/cli.js

@@ -2,77 +2,39 @@
 import React from 'react';
 import { render } from 'ink';
 import { execSync } from 'child_process';
-import { readFileSync, writeFileSync, mkdirSync, chmodSync, existsSync, symlinkSync, lstatSync, unlinkSync, realpathSync } from 'fs';
-import { join, dirname } from 'path';
+import { readFileSync, writeFileSync, mkdirSync, chmodSync, existsSync } from 'fs';
+import { join } from 'path';
 import { homedir } from 'os';
-import { fileURLToPath } from 'url';
 import App from './tui/App.js';
-const __dirname = dirname(fileURLToPath(import.meta.url));
-function readJson(path) {
+function registerWithOpenClaw() {
+    // Use OpenClaw's native plugin install mechanism
     try {
-        return JSON.parse(readFileSync(path, 'utf-8'));
+        execSync('openclaw plugins install openclaw-safeclaw-plugin', {
+            encoding: 'utf-8',
+            timeout: 30000,
+            stdio: 'pipe',
+        });
+        return true;
     }
     catch {
-        return {};
-    }
-}
-function registerWithOpenClaw() {
-    // Plugin root is one level up from dist/
-    const pluginRoot = join(__dirname, '..');
-    const extensionsDir = join(homedir(), '.openclaw', 'extensions');
-    const linkPath = join(extensionsDir, 'safeclaw');
-    // 1. Create symlink in ~/.openclaw/extensions/safeclaw -> plugin root
-    try {
-        mkdirSync(extensionsDir, { recursive: true });
-        // Remove existing symlink/dir if it points elsewhere
-        if (existsSync(linkPath)) {
-            const stat = lstatSync(linkPath);
-            if (stat.isSymbolicLink()) {
-                const target = realpathSync(linkPath);
-                if (target === realpathSync(pluginRoot)) {
-                    // Already linked correctly
-                }
-                else {
-                    unlinkSync(linkPath);
-                    symlinkSync(pluginRoot, linkPath);
-                }
+        // Fallback: try linking from the global npm install location
+        try {
+            const globalRoot = execSync('npm root -g', { encoding: 'utf-8', timeout: 5000 }).trim();
+            const pluginPath = join(globalRoot, 'openclaw-safeclaw-plugin');
+            if (existsSync(pluginPath)) {
+                execSync(`openclaw plugins install --link "${pluginPath}"`, {
+                    encoding: 'utf-8',
+                    timeout: 15000,
+                    stdio: 'pipe',
+                });
+                return true;
             }
-            // If it's a real directory (from openclaw plugins install), leave it
         }
-        else {
-            symlinkSync(pluginRoot, linkPath);
+        catch {
+            // Both methods failed
         }
     }
-    catch (e) {
-        console.warn(`Warning: Could not create extension symlink: ${e instanceof Error ? e.message : e}`);
-        return false;
-    }
-    // 2. Enable plugin in ~/.openclaw/openclaw.json
-    const openclawConfigPath = join(homedir(), '.openclaw', 'openclaw.json');
-    const ocConfig = readJson(openclawConfigPath);
-    if (!ocConfig.plugins || typeof ocConfig.plugins !== 'object') {
-        ocConfig.plugins = {};
-    }
-    const plugins = ocConfig.plugins;
-    if (!plugins.entries || typeof plugins.entries !== 'object') {
-        plugins.entries = {};
-    }
-    const entries = plugins.entries;
-    // Only add/update if not already configured
-    if (!entries.safeclaw || typeof entries.safeclaw !== 'object') {
-        entries.safeclaw = { enabled: true };
-    }
-    else {
-        entries.safeclaw.enabled = true;
-    }
-    try {
-        writeFileSync(openclawConfigPath, JSON.stringify(ocConfig, null, 2) + '\n');
-    }
-    catch (e) {
-        console.warn(`Warning: Could not update OpenClaw config: ${e instanceof Error ? e.message : e}`);
-        return false;
-    }
-    return true;
+    return false;
 }
 const args = process.argv.slice(2);
 const command = args[0];
@@ -86,6 +48,11 @@ if (command === 'connect') {
         console.error('Usage: safeclaw connect <api-key> [--service-url <url>]');
         process.exit(1);
     }
+    if (!apiKey.startsWith('sc_')) {
+        console.error('Error: Invalid API key. Keys start with "sc_".');
+        console.error('Get your key at https://safeclaw.eu/dashboard');
+        process.exit(1);
+    }
     const configDir = join(homedir(), '.safeclaw');
     const configPath = join(configDir, 'config.json');
     // Load existing config or start fresh
@@ -110,19 +77,19 @@ if (command === 'connect') {
     chmodSync(configPath, 0o600);
     console.log(`Connected! API key saved to ${configPath}`);
     // Register with OpenClaw
+    console.log('Registering SafeClaw plugin with OpenClaw...');
     const registered = registerWithOpenClaw();
     if (registered) {
         console.log('SafeClaw plugin registered with OpenClaw.');
         console.log('');
         console.log('Restart OpenClaw to activate:');
         console.log('  safeclaw restart-openclaw');
-        console.log('  — or —');
-        console.log('  openclaw daemon restart');
     }
     else {
         console.log('');
         console.log('Could not auto-register with OpenClaw.');
-        console.log('Register manually: openclaw plugins install openclaw-safeclaw-plugin');
+        console.log('Register manually:');
+        console.log('  openclaw plugins install openclaw-safeclaw-plugin');
     }
 }
 else if (command === 'tui') {
@@ -141,7 +108,7 @@ else if (command === 'restart-openclaw') {
     }
 }
 else if (command === 'setup') {
-    // Just register with OpenClaw (no API key needed)
+    console.log('Registering SafeClaw plugin with OpenClaw...');
     const registered = registerWithOpenClaw();
     if (registered) {
         console.log('SafeClaw plugin registered with OpenClaw.');
@@ -152,7 +119,97 @@ else if (command === 'setup') {
         console.log('  3. Run: safeclaw restart-openclaw');
     }
     else {
-        console.log('Could not auto-register. Try: openclaw plugins install openclaw-safeclaw-plugin');
+        console.log('Could not auto-register.');
+        console.log('Try: openclaw plugins install openclaw-safeclaw-plugin');
+    }
+}
+else if (command === 'status') {
+    const configPath = join(homedir(), '.safeclaw', 'config.json');
+    let allOk = true;
+    // 1. Config file
+    if (existsSync(configPath)) {
+        console.log('[ok] Config file: ' + configPath);
+    }
+    else {
+        console.log('[!!] Config file not found. Run: safeclaw connect <api-key>');
+        allOk = false;
+    }
+    // 2. API key
+    let apiKey = '';
+    let serviceUrl = 'https://api.safeclaw.eu/api/v1';
+    if (existsSync(configPath)) {
+        try {
+            const cfg = JSON.parse(readFileSync(configPath, 'utf-8'));
+            const remote = cfg.remote;
+            apiKey = remote?.apiKey ?? '';
+            serviceUrl = remote?.serviceUrl ?? serviceUrl;
+        }
+        catch { /* ignore */ }
+    }
+    if (apiKey && apiKey.startsWith('sc_')) {
+        console.log('[ok] API key: configured (sc_...)');
+    }
+    else if (apiKey) {
+        console.log('[!!] API key: invalid (must start with sc_)');
+        allOk = false;
+    }
+    else {
+        console.log('[!!] API key: not set. Run: safeclaw connect <api-key>');
+        allOk = false;
+    }
+    // 3. SafeClaw service reachable
+    try {
+        const res = await fetch(`${serviceUrl}/health`, {
+            signal: AbortSignal.timeout(5000),
+            headers: apiKey ? { 'Authorization': `Bearer ${apiKey}` } : {},
+        });
+        if (res.ok) {
+            const data = await res.json();
+            console.log(`[ok] SafeClaw service: ${data.status ?? 'ok'} (${serviceUrl})`);
+        }
+        else {
+            console.log(`[!!] SafeClaw service: HTTP ${res.status} (${serviceUrl})`);
+            allOk = false;
+        }
+    }
+    catch {
+        console.log(`[!!] SafeClaw service: unreachable (${serviceUrl})`);
+        allOk = false;
+    }
+    // 4. OpenClaw installed
+    try {
+        execSync('which openclaw', { encoding: 'utf-8', stdio: 'pipe' });
+        console.log('[ok] OpenClaw: installed');
+    }
+    catch {
+        console.log('[!!] OpenClaw: not found in PATH');
+        allOk = false;
+    }
+    // 5. Plugin registered with OpenClaw
+    try {
+        const pluginList = execSync('openclaw plugins list', {
+            encoding: 'utf-8',
+            timeout: 10000,
+            stdio: 'pipe',
+        });
+        if (pluginList.includes('safeclaw')) {
+            console.log('[ok] Plugin: registered with OpenClaw');
+        }
+        else {
+            console.log('[!!] Plugin: not registered with OpenClaw. Run: safeclaw setup');
+            allOk = false;
+        }
+    }
+    catch {
+        console.log('[??] Plugin: could not check OpenClaw plugin list');
+    }
+    // Summary
+    console.log('');
+    if (allOk) {
+        console.log('All checks passed. SafeClaw is ready.');
+    }
+    else {
+        console.log('Some checks failed. Fix the issues above.');
     }
 }
 else {
@@ -161,6 +218,7 @@ else {
     console.log('Commands:');
     console.log('  connect <api-key>  Connect to SafeClaw and register with OpenClaw');
     console.log('  setup              Register SafeClaw plugin with OpenClaw (no key needed)');
+    console.log('  status             Check SafeClaw + OpenClaw connection status');
     console.log('  tui                Open the interactive SafeClaw settings TUI');
     console.log('  restart-openclaw   Restart the OpenClaw daemon');
     process.exit(0);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openclaw-safeclaw-plugin",
-  "version": "0.7.0",
+  "version": "0.7.2",
   "description": "SafeClaw Neurosymbolic Governance plugin for OpenClaw — validates AI agent actions against OWL ontologies and SHACL constraints",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",