openclaw-safeclaw-plugin 0.9.2 → 1.1.0

package/index.ts

@@ -8,35 +8,54 @@
  */
 
 import { loadConfig, configHash } from './tui/config.js';
+import crypto from 'crypto';
+import { createRequire } from 'module';
+
+const require = createRequire(import.meta.url);
+const { version: PLUGIN_VERSION } = require('./package.json') as { version: string };
 
 // --- Configuration ---
 
-const config = loadConfig();
+const CONFIG_RELOAD_INTERVAL_MS = 60_000; // Reload config every 60 seconds
+
+let config = loadConfig();
+let configLoadedAt = Date.now();
+
+function getConfig(): typeof config {
+  const now = Date.now();
+  if (now - configLoadedAt >= CONFIG_RELOAD_INTERVAL_MS) {
+    config = loadConfig();
+    configLoadedAt = now;
+  }
+  return config;
+}
 
 // --- HTTP Client ---
 
 async function post(path: string, body: Record<string, unknown>): Promise<Record<string, unknown> | null> {
-  if (!config.enabled) return null;
+  const cfg = getConfig();
+  if (!cfg.enabled) return null;
 
   const headers: Record<string, string> = { 'Content-Type': 'application/json' };
-  if (config.apiKey) {
-    headers['Authorization'] = `Bearer ${config.apiKey}`;
+  if (cfg.apiKey) {
+    headers['Authorization'] = `Bearer ${cfg.apiKey}`;
   }
 
-  const agentFields = config.agentId ? { agentId: config.agentId, agentToken: config.agentToken } : {};
+  const agentFields = cfg.agentId ? { agentId: cfg.agentId, agentToken: cfg.agentToken } : {};
 
   try {
-    const res = await fetch(`${config.serviceUrl}${path}`, {
+    const res = await fetch(`${cfg.serviceUrl}${path}`, {
       method: 'POST',
       headers,
       body: JSON.stringify({ ...body, ...agentFields }),
-      signal: AbortSignal.timeout(config.timeoutMs),
+      signal: AbortSignal.timeout(cfg.timeoutMs),
     });
     if (!res.ok) {
       // Try to parse structured error body from service
       try {
         const errBody = await res.json() as Record<string, unknown>;
-        const detail = errBody.detail ?? `HTTP ${res.status}`;
+        const rawDetail = errBody.detail ?? `HTTP ${res.status}`;
+        const detail = typeof rawDetail === 'string' ? rawDetail : JSON.stringify(rawDetail);
         const hint = errBody.hint ? ` (${errBody.hint})` : '';
         console.warn(`[SafeClaw] ${path}: ${detail}${hint}`);
       } catch {
@@ -47,11 +66,11 @@ async function post(path: string, body: Record<string, unknown>): Promise<Record
     return await res.json() as Record<string, unknown>;
   } catch (e) {
     if (e instanceof DOMException && e.name === 'TimeoutError') {
-      console.warn(`[SafeClaw] Timeout after ${config.timeoutMs}ms on ${path} (${config.serviceUrl})`);
+      console.warn(`[SafeClaw] Timeout after ${cfg.timeoutMs}ms on ${path} (${cfg.serviceUrl})`);
     } else if (e instanceof TypeError && (e.message.includes('fetch') || e.message.includes('ECONNREFUSED'))) {
-      console.warn(`[SafeClaw] Connection refused: ${config.serviceUrl}${path} — is the service running?`);
+      console.warn(`[SafeClaw] Connection refused: ${cfg.serviceUrl}${path} — is the service running?`);
     } else {
-      console.warn(`[SafeClaw] Service unavailable: ${config.serviceUrl}${path}`);
+      console.warn(`[SafeClaw] Service unavailable: ${cfg.serviceUrl}${path}`);
     }
     return null;  // Caller checks failMode
   }
@@ -82,14 +101,15 @@ interface PluginApi {
 let handshakeCompleted = false;
 
 async function performHandshake(): Promise<boolean> {
-  if (!config.apiKey) {
+  const cfg = getConfig();
+  if (!cfg.apiKey) {
     console.warn('[SafeClaw] No API key configured — skipping handshake');
     return false;
   }
 
   const r = await post('/handshake', {
-    pluginVersion: '0.1.3',
-    configHash: configHash(config),
+    pluginVersion: PLUGIN_VERSION,
+    configHash: configHash(cfg),
   });
 
   if (r === null) {
@@ -103,13 +123,14 @@ async function performHandshake(): Promise<boolean> {
 }
 
 async function checkConnection(): Promise<void> {
+  const cfg = getConfig();
   const label = `[SafeClaw]`;
-  console.log(`${label} Connecting to ${config.serviceUrl} ...`);
-  console.log(`${label} Mode: enforcement=${config.enforcement}, failMode=${config.failMode}`);
+  console.log(`${label} Connecting to ${cfg.serviceUrl} ...`);
+  console.log(`${label} Mode: enforcement=${cfg.enforcement}, failMode=${cfg.failMode}`);
 
   try {
-    const res = await fetch(`${config.serviceUrl}/health`, {
-      signal: AbortSignal.timeout(config.timeoutMs * 2),
+    const res = await fetch(`${cfg.serviceUrl}/health`, {
+      signal: AbortSignal.timeout(cfg.timeoutMs * 2),
     });
     if (res.ok) {
       const data = await res.json() as Record<string, unknown>;
@@ -118,8 +139,8 @@ async function checkConnection(): Promise<void> {
       console.warn(`${label} ✗ Service responded with HTTP ${res.status}`);
     }
   } catch {
-    console.warn(`${label} ✗ Cannot reach service at ${config.serviceUrl}`);
-    if (config.failMode === 'closed') {
+    console.warn(`${label} ✗ Cannot reach service at ${cfg.serviceUrl}`);
+    if (cfg.failMode === 'closed') {
       console.warn(`${label}   fail-mode=closed → tool calls will be BLOCKED until service is reachable`);
     } else {
       console.warn(`${label}   fail-mode=open → tool calls will be ALLOWED despite no connection`);
@@ -130,64 +151,64 @@ async function checkConnection(): Promise<void> {
 export default {
   id: 'safeclaw',
   name: 'SafeClaw Neurosymbolic Governance',
-  version: '0.1.3',
+  version: PLUGIN_VERSION,
 
   register(api: PluginApi) {
-    if (!config.enabled) {
+    if (!getConfig().enabled) {
       console.log('[SafeClaw] Plugin disabled');
       return;
     }
 
+    // Generate a unique instance ID for this plugin run (fallback when agentId is not configured)
+    const instanceId = getConfig().agentId || `instance-${crypto.randomUUID()}`;
+
     // Heartbeat watchdog — send config hash to service every 30s
     const sendHeartbeat = async () => {
       try {
-        await fetch(`${config.serviceUrl}/heartbeat`, {
-          method: 'POST',
-          headers: { 'Content-Type': 'application/json' },
-          body: JSON.stringify({
-            agentId: config.agentId || 'default',
-            configHash: configHash(config),
-            status: 'alive',
-          }),
-          signal: AbortSignal.timeout(config.timeoutMs),
+        await post('/heartbeat', {
+          agentId: instanceId,
+          configHash: configHash(getConfig()),
+          status: 'alive',
         });
       } catch {
         // Heartbeat failure is non-fatal
       }
     };
 
-    // Start heartbeat after connection check + handshake
+    // Start heartbeat only after connection check + handshake completes (#84)
+    let heartbeatInterval: ReturnType<typeof setInterval> | undefined;
     checkConnection()
       .then(() => performHandshake())
       .then((ok) => {
-        if (!ok && config.failMode === 'closed') {
-          console.warn('[SafeClaw] ⚠ Handshake failed with fail-mode=closed — tool calls will be BLOCKED');
+        if (!ok && getConfig().failMode === 'closed') {
+          console.warn('[SafeClaw] Handshake failed with fail-mode=closed — tool calls will be BLOCKED');
         }
+        heartbeatInterval = setInterval(sendHeartbeat, 30000);
         return sendHeartbeat();
       })
       .catch(() => {});
-    const heartbeatInterval = setInterval(sendHeartbeat, 30000);
 
     // Clean shutdown: send shutdown heartbeat and clear interval
-    const shutdown = () => {
-      clearInterval(heartbeatInterval);
-      fetch(`${config.serviceUrl}/heartbeat`, {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({
-          agentId: config.agentId || 'default',
-          configHash: configHash(config),
+    // Use async shutdown for SIGINT/SIGTERM where async is supported (#55)
+    const shutdown = async () => {
+      if (heartbeatInterval) clearInterval(heartbeatInterval);
+      try {
+        await post('/heartbeat', {
+          agentId: instanceId,
+          configHash: configHash(getConfig()),
           status: 'shutdown',
-        }),
-      }).catch(() => {});
+        });
+      } catch {
+        // Best-effort shutdown notification
+      }
     };
-    process.on('exit', shutdown);
-    process.on('SIGINT', () => { shutdown(); process.exit(0); });
-    process.on('SIGTERM', () => { shutdown(); process.exit(0); });
+    process.on('SIGINT', async () => { await shutdown(); process.exit(0); });
+    process.on('SIGTERM', async () => { await shutdown(); process.exit(0); });
 
     // THE GATE — constraint checking on every tool call
     api.on('before_tool_call', async (event: PluginEvent, ctx: PluginContext) => {
-      if (!handshakeCompleted && config.failMode === 'closed' && config.enforcement === 'enforce') {
+      const cfg = getConfig();
+      if (!handshakeCompleted && cfg.failMode === 'closed' && cfg.enforcement === 'enforce') {
         return { block: true, blockReason: 'SafeClaw handshake not completed (fail-closed)' };
       }
 
@@ -199,19 +220,20 @@ export default {
         sessionHistory: event.sessionHistory ?? [],
       });
 
-      if (r === null && config.failMode === 'closed' && config.enforcement === 'enforce') {
-        return { block: true, blockReason: `SafeClaw service unavailable at ${config.serviceUrl} (fail-closed)` };
-      } else if (r === null && config.failMode === 'closed' && config.enforcement === 'warn-only') {
-        console.warn(`[SafeClaw] Service unavailable at ${config.serviceUrl} (fail-closed mode, warn-only)`);
-      } else if (r === null && config.failMode === 'closed' && config.enforcement === 'audit-only') {
-        console.warn(`[SafeClaw] Service unavailable at ${config.serviceUrl} (fail-closed mode, audit-only)`);
+      if (r === null && cfg.failMode === 'closed' && cfg.enforcement === 'enforce') {
+        return { block: true, blockReason: `SafeClaw service unavailable at ${cfg.serviceUrl} (fail-closed)` };
+      } else if (r === null && cfg.failMode === 'closed' && cfg.enforcement === 'warn-only') {
+        console.warn(`[SafeClaw] Service unavailable at ${cfg.serviceUrl} (fail-closed mode, warn-only)`);
+      } else if (r === null && cfg.failMode === 'closed' && cfg.enforcement === 'audit-only') {
+        console.warn(`[SafeClaw] Service unavailable at ${cfg.serviceUrl} (fail-closed mode, audit-only)`);
       }
       if (r?.block) {
-        if (config.enforcement === 'enforce') {
-          return { block: true, blockReason: r.reason as string };
+        const blockReason = (r.reason as string) || 'Blocked by SafeClaw (no reason provided)';
+        if (cfg.enforcement === 'enforce') {
+          return { block: true, blockReason };
         }
-        if (config.enforcement === 'warn-only') {
-          console.warn(`[SafeClaw] Warning: ${r.reason}`);
+        if (cfg.enforcement === 'warn-only') {
+          console.warn(`[SafeClaw] Warning: ${blockReason}`);
         }
         // audit-only: logged server-side, no action here
       }
@@ -231,6 +253,7 @@ export default {
 
     // Message governance — check outbound messages
     api.on('message_sending', async (event: PluginEvent, ctx: PluginContext) => {
+      const cfg = getConfig();
       const r = await post('/evaluate/message', {
         sessionId: ctx.sessionId ?? event.sessionId,
         userId: ctx.userId ?? event.userId,
@@ -238,17 +261,20 @@ export default {
         content: event.content,
       });
 
-      if (r === null && config.failMode === 'closed' && config.enforcement === 'enforce') {
-        return { cancel: true };
-      } else if (r === null && config.failMode === 'closed' && config.enforcement === 'warn-only') {
+      if (r === null && cfg.failMode === 'closed' && cfg.enforcement === 'enforce') {
+        return { cancel: true, cancelReason: 'SafeClaw service unavailable (fail-closed mode)' };
+      } else if (r === null && cfg.failMode === 'closed' && cfg.enforcement === 'warn-only') {
         console.warn('[SafeClaw] Service unavailable (fail-closed mode, warn-only)');
+      } else if (r === null && cfg.failMode === 'closed' && cfg.enforcement === 'audit-only') {
+        console.info('[SafeClaw] audit-only: service unreachable, allowing message (fail-closed)');
       }
       if (r?.block) {
-        if (config.enforcement === 'enforce') {
-          return { cancel: true };
+        const blockReason = (r.reason as string) || 'Blocked by SafeClaw (no reason provided)';
+        if (cfg.enforcement === 'enforce') {
+          return { cancel: true, cancelReason: blockReason };
         }
-        if (config.enforcement === 'warn-only') {
-          console.warn(`[SafeClaw] Warning: ${r.reason}`);
+        if (cfg.enforcement === 'warn-only') {
+          console.warn(`[SafeClaw] Warning: ${blockReason}`);
         }
         // audit-only: logged server-side, no action here
       }

package/package.json

@@ -1,12 +1,12 @@
 {
   "name": "openclaw-safeclaw-plugin",
-  "version": "0.9.2",
+  "version": "1.1.0",
   "description": "SafeClaw Neurosymbolic Governance plugin for OpenClaw — validates AI agent actions against OWL ontologies and SHACL constraints",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "type": "module",
   "bin": {
-    "safeclaw": "dist/cli.js"
+    "safeclaw-plugin": "dist/cli.js"
   },
   "scripts": {
     "build": "tsc",

package/tui/About.tsx

@@ -5,11 +5,28 @@ export default function About() {
   return (
     <Box flexDirection="column" paddingX={1}>
       <Box marginBottom={1}>
-        <Text bold>About</Text>
+        <Text bold>About SafeClaw</Text>
       </Box>
-      <Text>  SafeClaw Neurosymbolic Governance</Text>
-      <Text dimColor>  Validates AI agent actions against OWL</Text>
-      <Text dimColor>  ontologies and SHACL constraints.</Text>
+      <Text>  Neurosymbolic governance for AI agents.</Text>
+      <Text dimColor>  Validates tool calls, messages, and actions against</Text>
+      <Text dimColor>  OWL ontologies and SHACL constraints before execution.</Text>
+
+      <Box marginTop={1} marginBottom={1}>
+        <Text bold>  Features</Text>
+      </Box>
+      <Text dimColor>  - 9-step constraint pipeline (SHACL, policies, preferences, dependencies)</Text>
+      <Text dimColor>  - Role-based access control with per-user preferences</Text>
+      <Text dimColor>  - Multi-agent governance with delegation detection</Text>
+      <Text dimColor>  - Append-only audit trail with compliance reporting</Text>
+      <Text dimColor>  - Passive LLM security reviewer and classification observer</Text>
+      <Text dimColor>  - Natural language policy compilation</Text>
+
+      <Box marginTop={1} marginBottom={1}>
+        <Text bold>  CLI commands</Text>
+      </Box>
+      <Text dimColor>  safeclaw-plugin  This plugin CLI (connect, status, config, tui)</Text>
+      <Text dimColor>  safeclaw         Service CLI (serve, audit, policy, pref, status)</Text>
+
       <Box marginTop={1}>
         <Text>  Web:  </Text>
         <Text color="cyan">https://safeclaw.eu</Text>

package/tui/App.tsx

@@ -55,7 +55,7 @@ export default function App() {
             {`${i + 1}:${t}`}
           </Text>
         ))}
-        <Text dimColor> tab/1-3 to switch</Text>
+        <Text dimColor> tab/1-3 switch  q quit</Text>
       </Box>
 
       {/* Content */}

package/tui/Settings.tsx

@@ -22,6 +22,7 @@ const SETTINGS: SettingItem[] = [
   { key: 'enforcement', label: 'Enforcement', type: 'cycle', values: ENFORCEMENT_MODES },
   { key: 'failMode', label: 'Fail Mode', type: 'cycle', values: FAIL_MODES },
   { key: 'serviceUrl', label: 'Service URL', type: 'text' },
+  { key: 'apiKey', label: 'API Key', type: 'text' },
 ];
 
 export default function Settings({ config, onConfigChange }: SettingsProps) {
@@ -38,7 +39,17 @@ export default function Settings({ config, onConfigChange }: SettingsProps) {
   useInput((input, key) => {
     if (editing) {
       if (key.return) {
-        updateConfig({ serviceUrl: editBuffer });
+        const editingKey = SETTINGS[selected].key;
+        if (editingKey === 'apiKey' && editBuffer && !editBuffer.startsWith('sc_')) {
+          // Reject invalid API keys — must start with sc_
+          return;
+        }
+        try {
+          updateConfig({ [editingKey]: editBuffer } as Partial<SafeClawConfig>);
+        } catch {
+          // saveConfig may throw on invalid URL — stay in edit mode
+          return;
+        }
         setEditing(false);
       } else if (key.escape) {
         setEditing(false);
@@ -67,7 +78,7 @@ export default function Settings({ config, onConfigChange }: SettingsProps) {
         updateConfig({ [currentKey]: next });
       } else if (setting.type === 'text' && key.return) {
         setEditing(true);
-        setEditBuffer(config.serviceUrl);
+        setEditBuffer(String(config[setting.key as keyof SafeClawConfig] ?? ''));
       }
     }
   });
@@ -85,8 +96,12 @@ export default function Settings({ config, onConfigChange }: SettingsProps) {
 
         if (setting.key === 'enabled') {
           value = config.enabled ? 'ON' : 'OFF';
-        } else if (setting.key === 'serviceUrl' && editing && isSelected) {
-          value = editBuffer + '█';
+        } else if (setting.type === 'text' && editing && isSelected) {
+          value = (setting.key === 'apiKey' ? '*'.repeat(editBuffer.length) : editBuffer) + '█';
+        } else if (setting.key === 'apiKey') {
+          value = config.apiKey
+            ? `${config.apiKey.slice(0, 6)}..${config.apiKey.slice(-4)}`
+            : '(not set)';
         } else {
           value = String(config[setting.key as keyof SafeClawConfig]);
         }
@@ -117,13 +132,22 @@ export default function Settings({ config, onConfigChange }: SettingsProps) {
       <Box marginTop={1}>
         <Text dimColor>
           {editing
-            ? '  type to edit · enter to save · esc to cancel'
-            : '  ↑↓ navigate · ←→ change · enter to edit URL · q quit'}
+            ? SETTINGS[selected].key === 'apiKey' && editBuffer && !editBuffer.startsWith('sc_')
+              ? '  API key must start with sc_ · esc to cancel'
+              : '  type to edit · enter to save · esc to cancel'
+            : '  ↑↓ navigate · ←→/enter cycle/toggle · enter to edit text fields · q quit'}
         </Text>
       </Box>
 
+      <Box marginTop={1}>
+        <Text dimColor>{'  Enforcement: enforce=block violations, warn-only=log only, audit-only=record only, disabled=off'}</Text>
+      </Box>
       <Box>
-        <Text dimColor>{'  Saves to ~/.safeclaw/config.json'}</Text>
+        <Text dimColor>{'  Fail Mode:   open=allow if service unreachable, closed=block if service unreachable'}</Text>
+      </Box>
+
+      <Box marginTop={1}>
+        <Text dimColor>{'  All changes save to ~/.safeclaw/config.json immediately.'}</Text>
       </Box>
     </Box>
   );

package/tui/Status.tsx

@@ -1,8 +1,15 @@
 import React, { useState, useEffect } from 'react';
 import { Text, Box, useInput } from 'ink';
 import { exec } from 'child_process';
+import { existsSync, readFileSync } from 'fs';
+import { join, dirname } from 'path';
+import { homedir } from 'os';
+import { fileURLToPath } from 'url';
 import { type SafeClawConfig } from './config.js';
 
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const PKG_VERSION = JSON.parse(readFileSync(join(__dirname, '..', '..', 'package.json'), 'utf-8')).version as string;
+
 interface StatusProps {
   config: SafeClawConfig;
 }
@@ -13,6 +20,7 @@ interface HealthData {
   engine_ready?: boolean;
 }
 
+type CheckStatus = 'checking' | 'ok' | 'fail';
 type OpenClawStatus = 'checking' | 'running' | 'not running' | 'error';
 
 export default function Status({ config }: StatusProps) {
@@ -21,6 +29,9 @@ export default function Status({ config }: StatusProps) {
   const [lastCheck, setLastCheck] = useState<Date | null>(null);
   const [openclawStatus, setOpenclawStatus] = useState<OpenClawStatus>('checking');
   const [restartMsg, setRestartMsg] = useState<string | null>(null);
+  const [evaluateStatus, setEvaluateStatus] = useState<CheckStatus>('checking');
+  const [handshakeStatus, setHandshakeStatus] = useState<CheckStatus>('checking');
+  const [handshakeDetail, setHandshakeDetail] = useState('');
 
   const checkHealth = async () => {
     try {
@@ -31,17 +42,73 @@ export default function Status({ config }: StatusProps) {
         const data = await res.json() as HealthData;
         setHealth(data);
         setError(null);
+        // If healthy, run deeper checks
+        checkEvaluate();
+        if (config.apiKey) checkHandshake();
+        else {
+          setHandshakeStatus('fail');
+          setHandshakeDetail('No API key');
+        }
       } else {
         setHealth(null);
         setError(`HTTP ${res.status}`);
+        setEvaluateStatus('fail');
+        setHandshakeStatus('fail');
       }
     } catch {
       setHealth(null);
       setError('Cannot connect');
+      setEvaluateStatus('fail');
+      setHandshakeStatus('fail');
     }
     setLastCheck(new Date());
   };
 
+  const checkEvaluate = async () => {
+    try {
+      const res = await fetch(`${config.serviceUrl}/evaluate/tool-call`, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          ...(config.apiKey ? { 'Authorization': `Bearer ${config.apiKey}` } : {}),
+        },
+        body: JSON.stringify({
+          sessionId: 'tui-check', userId: 'tui-check',
+          toolName: 'echo', params: { message: 'tui-check' },
+        }),
+        signal: AbortSignal.timeout(config.timeoutMs),
+      });
+      setEvaluateStatus(res.ok || res.status === 422 || res.status === 401 || res.status === 403 ? 'ok' : 'fail');
+    } catch {
+      setEvaluateStatus('fail');
+    }
+  };
+
+  const checkHandshake = async () => {
+    try {
+      const res = await fetch(`${config.serviceUrl}/handshake`, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'Authorization': `Bearer ${config.apiKey}`,
+        },
+        body: JSON.stringify({ pluginVersion: PKG_VERSION, configHash: '' }),
+        signal: AbortSignal.timeout(config.timeoutMs),
+      });
+      if (res.ok) {
+        const data = await res.json() as Record<string, unknown>;
+        setHandshakeStatus('ok');
+        setHandshakeDetail(`org=${data.orgId ?? '?'}`);
+      } else {
+        setHandshakeStatus('fail');
+        setHandshakeDetail(`HTTP ${res.status}`);
+      }
+    } catch {
+      setHandshakeStatus('fail');
+      setHandshakeDetail('timeout');
+    }
+  };
+
   const checkOpenClaw = () => {
     exec('openclaw daemon status', { timeout: 10000 }, (err, stdout) => {
       if (err) {
@@ -82,6 +149,7 @@ export default function Status({ config }: StatusProps) {
     }
   });
 
+  // Derived display values
   const connected = health !== null;
   const dot = '●';
   const serviceDotColor = connected ? 'green' : 'red';
@@ -94,6 +162,31 @@ export default function Status({ config }: StatusProps) {
     : openclawStatus === 'running' ? 'Running'
     : 'Not running';
 
+  // Plugin file checks
+  const extensionDir = join(homedir(), '.openclaw', 'extensions', 'safeclaw');
+  const pluginInstalled = existsSync(join(extensionDir, 'openclaw.plugin.json'))
+    && existsSync(join(extensionDir, 'index.js'));
+
+  // Plugin enabled in OpenClaw config
+  let pluginEnabled = false;
+  const ocConfigPath = join(homedir(), '.openclaw', 'openclaw.json');
+  if (existsSync(ocConfigPath)) {
+    try {
+      const ocConfig = JSON.parse(readFileSync(ocConfigPath, 'utf-8'));
+      pluginEnabled = !!ocConfig?.plugins?.entries?.safeclaw?.enabled;
+    } catch { /* ignore */ }
+  }
+
+  const apiKeyMasked = config.apiKey
+    ? `${config.apiKey.slice(0, 6)}..${config.apiKey.slice(-4)}`
+    : '(not set)';
+
+  const statusDot = (status: CheckStatus | boolean) => {
+    if (status === 'checking') return <Text color="yellow">{dot} </Text>;
+    if (status === 'ok' || status === true) return <Text color="green">{dot} </Text>;
+    return <Text color="red">{dot} </Text>;
+  };
+
   return (
     <Box flexDirection="column" paddingX={1}>
       <Box marginBottom={1}>
@@ -101,18 +194,51 @@ export default function Status({ config }: StatusProps) {
       </Box>
 
       <Box>
-        <Text dimColor>{'  Service     '}</Text>
+        <Text dimColor>{'  Service      '}</Text>
         <Text color={serviceDotColor}>{dot} </Text>
         <Text>{serviceText}</Text>
       </Box>
 
+      {connected && (
+        <>
+          <Box>
+            <Text dimColor>{'    Evaluate   '}</Text>
+            {statusDot(evaluateStatus)}
+            <Text>{evaluateStatus === 'ok' ? 'Responding' : evaluateStatus === 'checking' ? 'Checking...' : 'Not responding'}</Text>
+          </Box>
+          <Box>
+            <Text dimColor>{'    Handshake  '}</Text>
+            {statusDot(handshakeStatus)}
+            <Text>{handshakeStatus === 'ok' ? handshakeDetail : handshakeStatus === 'checking' ? 'Checking...' : handshakeDetail}</Text>
+          </Box>
+        </>
+      )}
+
       <Box>
-        <Text dimColor>{'  OpenClaw    '}</Text>
+        <Text dimColor>{'  OpenClaw      '}</Text>
         <Text color={openclawDotColor}>{dot} </Text>
         <Text>{openclawText}</Text>
         {restartMsg && <Text dimColor>{`  (${restartMsg})`}</Text>}
       </Box>
 
+      <Box>
+        <Text dimColor>{'    Plugin     '}</Text>
+        {statusDot(pluginInstalled)}
+        <Text>{pluginInstalled ? 'Installed' : 'Not installed'}</Text>
+      </Box>
+
+      <Box>
+        <Text dimColor>{'    Config     '}</Text>
+        {statusDot(pluginEnabled)}
+        <Text>{pluginEnabled ? 'Enabled' : 'Not enabled'}</Text>
+      </Box>
+
+      <Box>
+        <Text dimColor>{'  API Key      '}</Text>
+        {statusDot(!!config.apiKey)}
+        <Text>{apiKeyMasked}</Text>
+      </Box>
+
       <Box>
         <Text dimColor>{'  Enforcement  '}</Text>
         <Text>{config.enforcement}</Text>