openclaw-safeclaw-plugin 1.2.0 → 1.3.0

package/cli.tsx

@@ -490,8 +490,8 @@ if (!command || command === '--help' || command === '-h' || command === 'help')
   console.log('  restart-openclaw     Restart the OpenClaw daemon to pick up plugin changes');
   console.log('');
   console.log('Diagnostics:');
-  console.log('  status               Run 8 checks: config, API key, service health, evaluate endpoint,');
-  console.log('                       handshake, OpenClaw binary, plugin files, OpenClaw config');
+  console.log('  status               Run 9 checks: config, API key, service health, evaluate endpoint,');
+  console.log('                       handshake, OpenClaw binary, plugin files, OpenClaw config, NemoClaw');
   console.log('');
   console.log('Configuration:');
   console.log('  config show          Show current enforcement, failMode, enabled, serviceUrl, apiKey');

package/dist/cli.js

@@ -501,8 +501,8 @@ else {
     console.log('  restart-openclaw     Restart the OpenClaw daemon to pick up plugin changes');
     console.log('');
     console.log('Diagnostics:');
-    console.log('  status               Run 8 checks: config, API key, service health, evaluate endpoint,');
-    console.log('                       handshake, OpenClaw binary, plugin files, OpenClaw config');
+    console.log('  status               Run 9 checks: config, API key, service health, evaluate endpoint,');
+    console.log('                       handshake, OpenClaw binary, plugin files, OpenClaw config, NemoClaw');
     console.log('');
     console.log('Configuration:');
     console.log('  config show          Show current enforcement, failMode, enabled, serviceUrl, apiKey');

package/dist/index.js

@@ -34,7 +34,7 @@ function getConfig() {
 // --- HTTP Client ---
 async function post(path, body) {
     const cfg = getConfig();
-    if (!cfg.enabled)
+    if (!cfg.enabled || cfg.enforcement === 'disabled')
         return null;
     const headers = { 'Content-Type': 'application/json' };
     if (cfg.apiKey) {
@@ -79,7 +79,7 @@ async function post(path, body) {
 }
 async function get(path) {
     const cfg = getConfig();
-    if (!cfg.enabled)
+    if (!cfg.enabled || cfg.enforcement === 'disabled')
         return null;
     const headers = {};
     if (cfg.apiKey)
@@ -333,6 +333,16 @@ export default {
                 childConfig: event.childConfig ?? {},
                 reason: event.reason ?? '',
             });
+            // Fail-closed handling (matches before_tool_call / message_sending pattern)
+            if (r === null && cfg.failMode === 'closed' && cfg.enforcement === 'enforce') {
+                throw new Error('SafeClaw service unavailable (fail-closed mode)');
+            }
+            else if (r === null && cfg.failMode === 'closed' && cfg.enforcement === 'warn-only') {
+                log.warn('[SafeClaw] Service unavailable (fail-closed mode, warn-only)');
+            }
+            else if (r === null && cfg.failMode === 'closed' && cfg.enforcement === 'audit-only') {
+                log.warn('[SafeClaw] Service unavailable (fail-closed mode, audit-only)');
+            }
             if (r?.block && cfg.enforcement === 'enforce') {
                 throw new Error(r.reason || 'Blocked by SafeClaw: delegation bypass detected');
             }

package/dist/tui/Settings.js

@@ -15,10 +15,17 @@ export default function Settings({ config, onConfigChange }) {
     const [selected, setSelected] = useState(0);
     const [editing, setEditing] = useState(false);
     const [editBuffer, setEditBuffer] = useState('');
+    const [saveError, setSaveError] = useState(null);
     const updateConfig = (patch) => {
         const updated = { ...config, ...patch };
-        saveConfig(updated);
-        onConfigChange(updated);
+        try {
+            saveConfig(updated);
+            setSaveError(null);
+            onConfigChange(updated);
+        }
+        catch (e) {
+            setSaveError(e instanceof Error ? e.message : String(e));
+        }
     };
     useInput((input, key) => {
         if (editing) {
@@ -28,13 +35,7 @@ export default function Settings({ config, onConfigChange }) {
                     // Reject invalid API keys — must start with sc_
                     return;
                 }
-                try {
-                    updateConfig({ [editingKey]: editBuffer });
-                }
-                catch {
-                    // saveConfig may throw on invalid URL — stay in edit mode
-                    return;
-                }
+                updateConfig({ [editingKey]: editBuffer });
                 setEditing(false);
             }
             else if (key.escape) {
@@ -99,5 +100,5 @@ export default function Settings({ config, onConfigChange }) {
                         ? SETTINGS[selected].key === 'apiKey' && editBuffer && !editBuffer.startsWith('sc_')
                             ? '  API key must start with sc_ · esc to cancel'
                             : '  type to edit · enter to save · esc to cancel'
-                        : '  ↑↓ navigate · ←→/enter cycle/toggle · enter to edit text fields · q quit' }) }), _jsx(Box, { marginTop: 1, children: _jsx(Text, { dimColor: true, children: '  Enforcement: enforce=block violations, warn-only=log only, audit-only=record only, disabled=off' }) }), _jsx(Box, { children: _jsx(Text, { dimColor: true, children: '  Fail Mode:   open=allow if service unreachable, closed=block if service unreachable' }) }), _jsx(Box, { marginTop: 1, children: _jsx(Text, { dimColor: true, children: '  All changes save to ~/.safeclaw/config.json immediately.' }) })] }));
+                        : '  ↑↓ navigate · ←→/enter cycle/toggle · enter to edit text fields · q quit' }) }), _jsx(Box, { marginTop: 1, children: _jsx(Text, { dimColor: true, children: '  Enforcement: enforce=block violations, warn-only=log only, audit-only=record only, disabled=off' }) }), _jsx(Box, { children: _jsx(Text, { dimColor: true, children: '  Fail Mode:   open=allow if service unreachable, closed=block if service unreachable' }) }), saveError && (_jsx(Box, { marginTop: 1, children: _jsxs(Text, { color: "red", children: ['  Error saving config: ', saveError] }) })), _jsx(Box, { marginTop: 1, children: _jsx(Text, { dimColor: true, children: '  All changes save to ~/.safeclaw/config.json immediately.' }) })] }));
 }

package/dist/tui/config.js

@@ -67,10 +67,14 @@ export function loadConfig() {
     }
     if (process.env.SAFECLAW_ENABLED === 'false')
         defaults.enabled = false;
-    if (process.env.SAFECLAW_ENFORCEMENT)
-        defaults.enforcement = process.env.SAFECLAW_ENFORCEMENT;
-    if (process.env.SAFECLAW_FAIL_MODE)
-        defaults.failMode = process.env.SAFECLAW_FAIL_MODE;
+    const enforcement = process.env.SAFECLAW_ENFORCEMENT;
+    if (enforcement && ['enforce', 'warn-only', 'audit-only', 'disabled'].includes(enforcement)) {
+        defaults.enforcement = enforcement;
+    }
+    const failMode = process.env.SAFECLAW_FAIL_MODE;
+    if (failMode && ['open', 'closed'].includes(failMode)) {
+        defaults.failMode = failMode;
+    }
     if (process.env.SAFECLAW_AGENT_ID)
         defaults.agentId = process.env.SAFECLAW_AGENT_ID;
     if (process.env.SAFECLAW_AGENT_TOKEN)
@@ -139,6 +143,9 @@ export function saveConfig(config) {
     if (config.apiKey) {
         existing.remote.apiKey = config.apiKey;
     }
+    else {
+        delete existing.remote.apiKey;
+    }
     if (!existing.enforcement || typeof existing.enforcement !== 'object') {
         existing.enforcement = {};
     }

package/index.ts

@@ -45,7 +45,7 @@ function getConfig(): typeof config {
 
 async function post(path: string, body: Record<string, unknown>): Promise<Record<string, unknown> | null> {
   const cfg = getConfig();
-  if (!cfg.enabled) return null;
+  if (!cfg.enabled || cfg.enforcement === 'disabled') return null;
 
   const headers: Record<string, string> = { 'Content-Type': 'application/json' };
   if (cfg.apiKey) {
@@ -89,7 +89,7 @@ async function post(path: string, body: Record<string, unknown>): Promise<Record
 
 async function get(path: string): Promise<Record<string, unknown> | null> {
   const cfg = getConfig();
-  if (!cfg.enabled) return null;
+  if (!cfg.enabled || cfg.enforcement === 'disabled') return null;
   const headers: Record<string, string> = {};
   if (cfg.apiKey) headers['Authorization'] = `Bearer ${cfg.apiKey}`;
   try {
@@ -357,6 +357,15 @@ export default {
         reason: event.reason ?? '',
       });
 
+      // Fail-closed handling (matches before_tool_call / message_sending pattern)
+      if (r === null && cfg.failMode === 'closed' && cfg.enforcement === 'enforce') {
+        throw new Error('SafeClaw service unavailable (fail-closed mode)');
+      } else if (r === null && cfg.failMode === 'closed' && cfg.enforcement === 'warn-only') {
+        log.warn('[SafeClaw] Service unavailable (fail-closed mode, warn-only)');
+      } else if (r === null && cfg.failMode === 'closed' && cfg.enforcement === 'audit-only') {
+        log.warn('[SafeClaw] Service unavailable (fail-closed mode, audit-only)');
+      }
+
       if (r?.block && cfg.enforcement === 'enforce') {
         throw new Error((r.reason as string) || 'Blocked by SafeClaw: delegation bypass detected');
       }

package/openclaw.plugin.json

@@ -2,7 +2,7 @@
   "id": "safeclaw",
   "name": "SafeClaw Neurosymbolic Governance",
   "description": "Validates AI agent actions against OWL ontologies and SHACL constraints before execution",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "author": "Tendly EU",
   "license": "MIT",
   "homepage": "https://safeclaw.eu",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openclaw-safeclaw-plugin",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "SafeClaw Neurosymbolic Governance plugin for OpenClaw — validates AI agent actions against OWL ontologies and SHACL constraints",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -20,6 +20,7 @@
   },
   "files": [
     "dist/",
+    "types/",
     "openclaw.plugin.json",
     "index.ts",
     "cli.tsx",

package/tui/Settings.tsx

@@ -29,11 +29,17 @@ export default function Settings({ config, onConfigChange }: SettingsProps) {
   const [selected, setSelected] = useState(0);
   const [editing, setEditing] = useState(false);
   const [editBuffer, setEditBuffer] = useState('');
+  const [saveError, setSaveError] = useState<string | null>(null);
 
   const updateConfig = (patch: Partial<SafeClawConfig>) => {
     const updated = { ...config, ...patch };
-    saveConfig(updated);
-    onConfigChange(updated);
+    try {
+      saveConfig(updated);
+      setSaveError(null);
+      onConfigChange(updated);
+    } catch (e) {
+      setSaveError(e instanceof Error ? e.message : String(e));
+    }
   };
 
   useInput((input, key) => {
@@ -44,12 +50,7 @@ export default function Settings({ config, onConfigChange }: SettingsProps) {
           // Reject invalid API keys — must start with sc_
           return;
         }
-        try {
-          updateConfig({ [editingKey]: editBuffer } as Partial<SafeClawConfig>);
-        } catch {
-          // saveConfig may throw on invalid URL — stay in edit mode
-          return;
-        }
+        updateConfig({ [editingKey]: editBuffer } as Partial<SafeClawConfig>);
         setEditing(false);
       } else if (key.escape) {
         setEditing(false);
@@ -146,6 +147,12 @@ export default function Settings({ config, onConfigChange }: SettingsProps) {
         <Text dimColor>{'  Fail Mode:   open=allow if service unreachable, closed=block if service unreachable'}</Text>
       </Box>
 
+      {saveError && (
+        <Box marginTop={1}>
+          <Text color="red">{'  Error saving config: '}{saveError}</Text>
+        </Box>
+      )}
+
       <Box marginTop={1}>
         <Text dimColor>{'  All changes save to ~/.safeclaw/config.json immediately.'}</Text>
       </Box>

package/tui/config.ts

@@ -73,8 +73,14 @@ export function loadConfig(): SafeClawConfig {
     }
   }
   if (process.env.SAFECLAW_ENABLED === 'false') defaults.enabled = false;
-  if (process.env.SAFECLAW_ENFORCEMENT) defaults.enforcement = process.env.SAFECLAW_ENFORCEMENT as SafeClawConfig['enforcement'];
-  if (process.env.SAFECLAW_FAIL_MODE) defaults.failMode = process.env.SAFECLAW_FAIL_MODE as SafeClawConfig['failMode'];
+  const enforcement = process.env.SAFECLAW_ENFORCEMENT;
+  if (enforcement && ['enforce', 'warn-only', 'audit-only', 'disabled'].includes(enforcement)) {
+    defaults.enforcement = enforcement as SafeClawConfig['enforcement'];
+  }
+  const failMode = process.env.SAFECLAW_FAIL_MODE;
+  if (failMode && ['open', 'closed'].includes(failMode)) {
+    defaults.failMode = failMode as SafeClawConfig['failMode'];
+  }
   if (process.env.SAFECLAW_AGENT_ID) defaults.agentId = process.env.SAFECLAW_AGENT_ID;
   if (process.env.SAFECLAW_AGENT_TOKEN) defaults.agentToken = process.env.SAFECLAW_AGENT_TOKEN;
 
@@ -148,6 +154,8 @@ export function saveConfig(config: SafeClawConfig): void {
   (existing.remote as Record<string, unknown>).serviceUrl = config.serviceUrl;
   if (config.apiKey) {
     (existing.remote as Record<string, unknown>).apiKey = config.apiKey;
+  } else {
+    delete (existing.remote as Record<string, unknown>).apiKey;
   }
 
   if (!existing.enforcement || typeof existing.enforcement !== 'object') {

package/types/openclaw-sdk.d.ts

@@ -0,0 +1,89 @@
+/**
+ * Ambient type declarations for OpenClaw Plugin SDK.
+ * These match the types exported by openclaw/plugin-sdk as of v2026.3.
+ * When installed inside OpenClaw, the real SDK types take precedence.
+ */
+
+declare module 'openclaw/plugin-sdk/core' {
+  export interface OpenClawPluginApi {
+    on(
+      hookName: string,
+      handler: (event: OpenClawPluginEvent, ctx: OpenClawPluginContext) => Promise<Record<string, unknown> | void> | void,
+      options?: { priority?: number },
+    ): void;
+    registerService?(service: OpenClawPluginService): void;
+    registerCli?(registrar: (ctx: { program: unknown; config: unknown }) => void, opts?: { commands: string[] }): void;
+    registerTool?(tool: OpenClawPluginTool): void;
+    registerCommand?(def: { name: string; description: string; execute: (ctx: unknown) => Promise<string | void> }): void;
+    pluginConfig?: Record<string, unknown>;
+    logger?: OpenClawPluginLogger;
+  }
+
+  export interface OpenClawPluginEvent {
+    sessionId?: string;
+    toolName?: string;
+    params?: Record<string, unknown>;
+    to?: string;
+    content?: string;
+    result?: unknown;
+    error?: string;
+    durationMs?: number;
+    prompt?: string;
+    provider?: string;
+    model?: string;
+    lastAssistant?: string;
+    usage?: Record<string, unknown>;
+    parentAgentId?: string;
+    childConfig?: Record<string, unknown>;
+    reason?: string;
+    metadata?: Record<string, unknown>;
+    channel?: string;
+    sender?: string;
+    [key: string]: unknown;
+  }
+
+  export interface OpenClawPluginContext {
+    sessionId?: string;
+    agentId?: string;
+    runId?: string;
+    conversationId?: string;
+    accountId?: string;
+    channelId?: string;
+    workspaceDir?: string;
+    [key: string]: unknown;
+  }
+
+  export interface OpenClawPluginService {
+    id: string;
+    start: () => void | Promise<void>;
+    stop?: () => void | Promise<void>;
+  }
+
+  export interface OpenClawPluginTool {
+    name: string;
+    description: string;
+    parameters: Record<string, unknown>;
+    execute: (params: Record<string, unknown>, ctx: Record<string, unknown>) => Promise<unknown>;
+  }
+
+  export interface OpenClawPluginLogger {
+    info: (...args: unknown[]) => void;
+    warn: (...args: unknown[]) => void;
+    error: (...args: unknown[]) => void;
+  }
+}
+
+declare module 'openclaw/plugin-sdk/plugin-entry' {
+  import type { OpenClawPluginApi } from 'openclaw/plugin-sdk/core';
+
+  export interface PluginDefinition {
+    id: string;
+    name: string;
+    description?: string;
+    version?: string;
+    configSchema?: Record<string, unknown>;
+    register?: (api: OpenClawPluginApi) => void | Promise<void>;
+  }
+
+  export function definePluginEntry(def: PluginDefinition): PluginDefinition;
+}