securityclaw 0.0.1 → 0.0.2

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## [0.0.2] - 2026-03-17
+
+### Changed
+- Simplified the README install section to focus on product overview plus remote install and uninstall flows.
+- Clarified that published npm releases ship with a prebuilt admin frontend bundle.
+- Prevented admin build tooling from being shipped as runtime npm dependencies.
+- Avoided auto-opening the dashboard from short-lived gateway service commands before the persistent admin backend is ready.
+
 ## [0.1.0] - 2026-03-15
 
 ### 架构重构

package/README.md

@@ -6,112 +6,59 @@ SecurityClaw is a runtime security plugin for [OpenClaw](https://github.com/open
 
 ## Why SecurityClaw
 
-LLM agents can execute powerful tools. SecurityClaw provides a policy guardrail layer so risky operations are either blocked, challenged for approval, or allowed with warning and traceability.
+LLM agents can execute powerful tools. SecurityClaw adds a rule-first guardrail layer so risky operations are blocked, challenged for approval, or allowed with warning and traceability.
 
 ## Core Capabilities
 
 - Runtime policy enforcement for OpenClaw hooks (`before_tool_call`, `after_tool_call`, etc.)
 - Rule-first security model (`allow`, `warn`, `challenge`, `block`)
 - Challenge approval workflow with command-based admin handling
-- Dynamic sensitive-path registry that maps paths to asset labels before rule evaluation
-- Sensitive data scanning and sanitization (DLP)
-- Admin dashboard for strategy and account policy operations
-- Decision events for audit and observability
-- Built-in internationalization (`en` and `zh-CN`) for runtime/admin text
+- Dynamic sensitive-path registry and DLP sanitization
+- Admin dashboard for strategy, account policy, and runtime status
+- Built-in internationalization (`en` and `zh-CN`) for runtime and admin text
 
-## Architecture
+## Install
 
-SecurityClaw follows a layered architecture:
-
-- `domain`: policy, approval, context inference, formatting
-- `domain/services/sensitive_path_registry.ts`: built-in + runtime-overridden sensitive path mappings
-- `engine`: rule matching, decisioning, DLP scanning
-- `config`: base YAML + SQLite runtime override
-- `admin`: dashboard backend + frontend
-- `monitoring`: runtime status and decision snapshots
-
-See [Architecture](./docs/ARCHITECTURE.md) and [Technical Solution](./docs/TECHNICAL_SOLUTION.md).
-
-## Quick Start
-
-### 1. Install dependencies
+Install the latest published release:
 
 ```bash
-npm install
+npx securityclaw install
 ```
 
-### 2. Install into OpenClaw
+Or install through the remote script:
 
 ```bash
-npm run openclaw:install
+curl -fsSL https://raw.githubusercontent.com/znary/securityclaw/main/install.sh | bash
 ```
 
-Alternative install paths for end users:
+Install a specific published version:
 
 ```bash
-npx securityclaw install
-curl -fsSL https://raw.githubusercontent.com/znary/securityclaw/main/install.sh | bash
+SECURITYCLAW_VERSION=0.0.2 curl -fsSL https://raw.githubusercontent.com/znary/securityclaw/main/install.sh | bash
 ```
 
-### 3. Run verification
+Published npm releases already include the prebuilt admin frontend bundle, so end-user installs do not rebuild the dashboard during plugin installation.
 
-```bash
-npm test
-```
+## Uninstall
 
-### 4. Start admin dashboard (standalone)
+Remove the installed plugin from OpenClaw:
 
 ```bash
-npm run admin
+openclaw plugins uninstall securityclaw
 ```
 
-Default dashboard URL: `http://127.0.0.1:4780`
-
-## OpenClaw Integration
-
-Preferred local install:
+If you want to preview the removal first:
 
 ```bash
-npm run openclaw:install
+openclaw plugins uninstall securityclaw --dry-run
 ```
 
-This creates a versioned plugin archive, installs it through `openclaw plugins install`, restarts the gateway, and verifies gateway health.
-See [OpenClaw Install Guide](./docs/OPENCLAW_INSTALL.md) for details.
-
-## Approval Commands
-
-After setting one account policy with `is_admin=true`, the admin can run:
+After install or uninstall, restart or verify the gateway if needed:
 
-- `/securityclaw-approve <approval_id>`
-- `/securityclaw-approve <approval_id> long`
-- `/securityclaw-reject <approval_id>`
-- `/securityclaw-pending`
-
-## Admin Dashboard
-
-Dashboard supports English and Chinese UI switching and stores language preference in local storage.
-By default, it follows the host system language.
-
-Main panels:
-
-- Overview: posture and trend signals, plus a skill-risk snapshot for high-priority installed skills
-- Decisions: recent decision events and reasons
-- Policies: grouped rule strategy controls plus sensitive-path registry management
-- Skill Interception: installed skill inventory, risk scoring, undeclared-change detection, rescan/quarantine/trust override actions, and interception policy matrix
-- Accounts: admin approver account selection and mode settings
-
-Sensitive path registry behavior:
-
-- Built-in path patterns cover credentials, personal content, download staging, browser profiles, browser secret stores, and communication stores.
-- Registry entries are persisted in SQLite runtime strategy overrides together with rule decisions.
-- Built-in entries can be disabled from the dashboard, and custom path rules can be added without editing the base YAML.
-
-Skill interception behavior:
-
-- Dashboard discovers installed skills from local OpenClaw / Codex skill roots and stores scan results in SQLite.
-- A skill can be flagged when its content changes without a matching version update.
-- Overview surfaces the most important skill signals directly so admins can see high-risk items without switching tabs.
-- The dedicated Skill Interception panel supports rescan, quarantine, temporary trust override, and risk-matrix editing.
+```bash
+openclaw gateway restart
+openclaw gateway status
+```
 
 ## Documentation
 
@@ -121,15 +68,6 @@ Skill interception behavior:
 - [Runbook](./docs/RUNBOOK.md)
 - [Integration Guide](./docs/INTEGRATION_GUIDE.md)
 
-## Development
-
-```bash
-npm run typecheck
-npm run test:unit
-npm test
-npm run admin:build
-```
-
 ## License
 
 MIT. See [LICENSE](./LICENSE).

package/README.zh-CN.md

@@ -6,112 +6,59 @@ SecurityClaw 是面向 [OpenClaw](https://github.com/openclaw/openclaw) 的运
 
 ## SecurityClaw 解决什么问题
 
-LLM Agent 具备高权限工具调用能力。SecurityClaw 在运行时提供策略护栏，将高风险操作按规则执行为拦截、审批确认、提醒或放行，并保留可追溯审计信息。
+LLM Agent 具备高权限工具调用能力。SecurityClaw 提供一层规则优先的安全护栏，让高风险操作被阻止、进入审批，或在留痕前提下放行。
 
 ## 核心能力
 
-- 基于 OpenClaw Hook 的运行时策略执行（`before_tool_call` 等）
+- 基于 OpenClaw Hook 的运行时策略执行（`before_tool_call`、`after_tool_call` 等）
 - 规则优先决策模型（`allow` / `warn` / `challenge` / `block`）
-- Challenge 审批流程与管理员命令处理
-- 动态敏感路径注册表，在规则判断前先把路径映射成资产标签
-- DLP 扫描与敏感输出净化
-- 管理后台（策略与账号策略配置）
-- 决策事件与状态观测
-- 中英文国际化（`en` / `zh-CN`）
+- 基于管理员命令的审批流程
+- 动态敏感路径注册表与 DLP 敏感信息净化
+- 用于策略、账号策略和运行状态的管理后台
+- 运行时与后台均支持中英文（`en` / `zh-CN`）
 
-## 架构说明
+## 安装
 
-分层结构如下：
-
-- `domain`：策略、审批、上下文推断、格式化
-- `domain/services/sensitive_path_registry.ts`：内置 + 运行时覆写的敏感路径映射
-- `engine`：规则匹配、决策引擎、DLP
-- `config`：YAML 基线配置 + SQLite 运行时覆盖
-- `admin`：管理后台前后端
-- `monitoring`：运行状态与决策快照
-
-详见 [架构文档](./docs/ARCHITECTURE.md) 与 [技术方案](./docs/TECHNICAL_SOLUTION.md)。
-
-## 快速开始
-
-### 1. 安装依赖
+安装最新发布版本：
 
 ```bash
-npm install
+npx securityclaw install
 ```
 
-### 2. 安装到 OpenClaw
+或者通过远程脚本安装：
 
 ```bash
-npm run openclaw:install
+curl -fsSL https://raw.githubusercontent.com/znary/securityclaw/main/install.sh | bash
 ```
 
-终端用户也可以直接使用：
+安装指定发布版本：
 
 ```bash
-npx securityclaw install
-curl -fsSL https://raw.githubusercontent.com/znary/securityclaw/main/install.sh | bash
+SECURITYCLAW_VERSION=0.0.2 curl -fsSL https://raw.githubusercontent.com/znary/securityclaw/main/install.sh | bash
 ```
 
-### 3. 执行验证
+发布到 npm 的版本会直接带上预构建好的管理后台前端，因此终端用户安装插件时不需要现场再构建后台资源。
 
-```bash
-npm test
-```
+## 卸载
 
-### 4. 启动管理后台（独立模式）
+从 OpenClaw 中卸载已安装插件：
 
 ```bash
-npm run admin
+openclaw plugins uninstall securityclaw
 ```
 
-默认地址：`http://127.0.0.1:4780`
-
-## OpenClaw 集成
-
-推荐本地安装方式：
+如果想先预览会删除什么：
 
 ```bash
-npm run openclaw:install
+openclaw plugins uninstall securityclaw --dry-run
 ```
 
-这条命令会生成带版本号的插件压缩包，通过 `openclaw plugins install` 安装，随后自动重启 gateway 并校验状态。
-详情见 [OpenClaw 安装指南](./docs/OPENCLAW_INSTALL.md)。
-
-## 审批命令
-
-当账号策略中配置 `is_admin=true` 后，管理员可在聊天渠道执行：
+安装或卸载后，如有需要可重启并校验 gateway：
 
-- `/securityclaw-approve <approval_id>`
-- `/securityclaw-approve <approval_id> long`
-- `/securityclaw-reject <approval_id>`
-- `/securityclaw-pending`
-
-## 管理后台
-
-管理后台支持中英文切换，并将语言偏好保存在本地存储。
-默认跟随系统语言。
-
-核心模块：
-
-- 概览：总体态势、趋势，以及高优先级已安装 skill 的风险快照
-- 决策记录：最近决策事件与原因
-- 规则策略：按分组编辑规则动作，并维护敏感路径注册表
-- Skill 拦截：已安装 skill 清单、风险打分、未声明变更检测、重扫 / 隔离 / 受信覆盖操作，以及拦截策略矩阵
-- 账号策略：管理员审批账号与模式配置
-
-敏感路径注册表说明：
-
-- 内置覆盖凭据目录、个人内容目录、下载暂存区、浏览器资料目录、浏览器密钥库和通信存储。
-- 路径注册表与规则动作一起持久化到 SQLite 运行时策略覆盖中。
-- 可在后台删除内置项，也可直接添加自定义路径，无需手改基线 YAML。
-
-Skill 拦截说明：
-
-- 后台会从本地 OpenClaw / Codex skill 目录自动发现已安装 skills，并把扫描结果持久化到 SQLite。
-- 当 skill 内容发生变化、但版本号没有同步更新时，会被标记为“内容变了但版本没变”。
-- 概览页会直接展示最值得优先处理的 skill 风险信号，不需要先切到 Skill 页签。
-- `Skill 拦截` 面板支持重扫、隔离、临时受信覆盖，以及风险矩阵配置。
+```bash
+openclaw gateway restart
+openclaw gateway status
+```
 
 ## 文档导航
 
@@ -121,15 +68,6 @@ Skill 拦截说明：
 - [运行手册](./docs/RUNBOOK.md)
 - [集成指南](./docs/INTEGRATION_GUIDE.md)
 
-## 开发命令
-
-```bash
-npm run typecheck
-npm run test:unit
-npm test
-npm run admin:build
-```
-
 ## 许可证
 
 MIT，详见 [LICENSE](./LICENSE)。

package/index.ts

@@ -30,7 +30,6 @@ import {
 } from "./src/infrastructure/config/plugin_config_parser.ts";
 import { RuntimeStatusStore } from "./src/monitoring/status_store.ts";
 import { startAdminServer } from "./admin/server.ts";
-import { ensureAdminAssetsBuilt } from "./src/admin/build.ts";
 import { announceAdminConsole, shouldAnnounceAdminConsoleForArgv } from "./src/admin/console_notice.ts";
 import { shouldAutoStartAdminServer } from "./src/admin/runtime_guard.ts";
 import { AccountPolicyEngine } from "./src/domain/services/account_policy_engine.ts";
@@ -1991,69 +1990,67 @@ const plugin = {
       return runtime;
     }
 
-    statusStore.markBoot(toStatusConfig(runtime.config, runtime.overrideLoaded, resolved));
-    const adminBuildPromise = ensureAdminAssetsBuilt({
-      logger: {
-        info: (message: string) => api.logger.info?.(`securityclaw: ${message}`)
+    function startManagedAdminConsole(): void {
+      if (!adminAutoStart) {
+        api.logger.info?.("securityclaw: admin auto-start disabled by config");
+        return;
       }
-    }).catch((error) => {
-      api.logger.warn?.(`securityclaw: failed to refresh admin bundle (${String(error)})`);
-    });
-    if (adminAutoStart) {
+
       const autoStartDecision = shouldAutoStartAdminServer(process.env);
-      if (autoStartDecision.enabled) {
-        const adminServerOptions = {
-          configPath: resolved.configPath,
-          legacyOverridePath: resolved.legacyOverridePath,
-          statusPath,
-          dbPath,
-          unrefOnStart: true,
-          logger: {
-            info: (message: string) => api.logger.info?.(`securityclaw: ${message}`),
-            warn: (message: string) => api.logger.warn?.(`securityclaw: ${message}`)
-          },
-          ...(pluginConfig.adminPort !== undefined ? { port: pluginConfig.adminPort } : {})
-        };
-        void adminBuildPromise
-          .then(() => startAdminServer(adminServerOptions))
-          .then((result) => {
-            announceAdminConsole({
-              locale: runtimeLocale,
-              logger: {
-                info: (message: string) => api.logger.info?.(`securityclaw: ${message}`),
-                warn: (message: string) => api.logger.warn?.(`securityclaw: ${message}`),
-              },
-              stateDir,
-              state: result.state,
-              url: `http://127.0.0.1:${result.runtime.port}`,
-            });
-          })
-          .catch((error) => {
-            api.logger.warn?.(`securityclaw: failed to auto-start admin dashboard (${String(error)})`);
+      if (!autoStartDecision.enabled) {
+        if (shouldAnnounceAdminConsoleForArgv(process.argv)) {
+          announceAdminConsole({
+            locale: runtimeLocale,
+            logger: {
+              info: (message: string) => api.logger.info?.(`securityclaw: ${message}`),
+              warn: (message: string) => api.logger.warn?.(`securityclaw: ${message}`),
+            },
+            stateDir,
+            state: "service-command",
+            url: adminConsoleUrl,
+          });
+          api.logger.info?.("securityclaw: admin dashboard is hosted by the background OpenClaw gateway service");
+        } else {
+          api.logger.info?.(
+            `securityclaw: admin auto-start skipped in ${autoStartDecision.reason}; use npm run admin for standalone dashboard`,
+          );
+        }
+        return;
+      }
+
+      const adminServerOptions = {
+        configPath: resolved.configPath,
+        legacyOverridePath: resolved.legacyOverridePath,
+        statusPath,
+        dbPath,
+        unrefOnStart: true,
+        logger: {
+          info: (message: string) => api.logger.info?.(`securityclaw: ${message}`),
+          warn: (message: string) => api.logger.warn?.(`securityclaw: ${message}`),
+        },
+        ...(pluginConfig.adminPort !== undefined ? { port: pluginConfig.adminPort } : {}),
+      };
+
+      void startAdminServer(adminServerOptions)
+        .then((result) => {
+          announceAdminConsole({
+            locale: runtimeLocale,
+            logger: {
+              info: (message: string) => api.logger.info?.(`securityclaw: ${message}`),
+              warn: (message: string) => api.logger.warn?.(`securityclaw: ${message}`),
+            },
+            stateDir,
+            state: result.state,
+            url: `http://127.0.0.1:${result.runtime.port}`,
           });
-	      } else {
-	        if (shouldAnnounceAdminConsoleForArgv(process.argv)) {
-	          announceAdminConsole({
-	            locale: runtimeLocale,
-	            logger: {
-	              info: (message: string) => api.logger.info?.(`securityclaw: ${message}`),
-	              warn: (message: string) => api.logger.warn?.(`securityclaw: ${message}`),
-	            },
-	            stateDir,
-	            state: "service-command",
-	            url: adminConsoleUrl,
-	          });
-	          api.logger.info?.("securityclaw: admin dashboard is hosted by the background OpenClaw gateway service");
-	        } else {
-	          api.logger.info?.(
-	            `securityclaw: admin auto-start skipped in ${autoStartDecision.reason}; use npm run admin for standalone dashboard`,
-	          );
-	        }
-	      }
-	    } else {
-      api.logger.info?.("securityclaw: admin auto-start disabled by config");
+        })
+        .catch((error) => {
+          api.logger.warn?.(`securityclaw: failed to auto-start admin dashboard (${String(error)})`);
+        });
     }
 
+    statusStore.markBoot(toStatusConfig(runtime.config, runtime.overrideLoaded, resolved));
+
     api.logger.info?.(
       `securityclaw: boot env=${runtime.config.environment} policy_version=${runtime.config.policy_version} dlp_mode=${runtime.config.dlp.on_dlp_hit} rules=${runtime.config.policies.length}`,
     );
@@ -2655,6 +2652,7 @@ const plugin = {
       { priority: 100 },
     );
 
+    startManagedAdminConsole();
     api.logger.info?.(`securityclaw: loaded policy_version=${runtime.config.policy_version}`);
   }
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securityclaw",
-  "version": "0.0.1",
+  "version": "0.0.2",
   "description": "SecurityClaw security plugin for OpenClaw-compatible hooks.",
   "license": "MIT",
   "type": "module",
@@ -42,7 +42,7 @@
     "test:unit": "node --test --experimental-strip-types",
     "test": "npm run typecheck && npm run test:unit",
     "check": "npm test",
-    "admin": "node --experimental-strip-types ./admin/server.ts",
+    "admin": "npm run admin:build && node --experimental-strip-types ./admin/server.ts",
     "admin:build": "node ./scripts/build-admin.mjs",
     "prepack": "npm test && npm run admin:build",
     "pack:plugin": "node ./scripts/pack-plugin.mjs",
@@ -50,17 +50,15 @@
     "release:check": "node ./scripts/release-preflight.mjs",
     "release:dry-run": "npm run release:check && npm publish --dry-run --access public"
   },
-  "dependencies": {
-    "esbuild": "^0.27.4",
-    "react": "^19.2.4",
-    "react-dom": "^19.2.4",
-    "recharts": "^3.8.0"
-  },
   "devDependencies": {
     "@types/node": "^25.5.0",
     "@types/react": "^19.2.14",
     "@types/react-dom": "^19.2.3",
+    "esbuild": "^0.27.4",
     "openclaw": "^2026.3.13",
+    "react": "^19.2.4",
+    "react-dom": "^19.2.4",
+    "recharts": "^3.8.0",
     "typescript": "^5.9.3"
   },
   "peerDependencies": {

package/src/admin/console_notice.ts

@@ -168,9 +168,10 @@ export function announceAdminConsole(options: AnnounceAdminConsoleOptions): Anno
   const { locale, logger, url, state, stateDir, opener = openAdminConsoleInBrowser } = options;
   const markerPath = stateDir ? resolveAdminConsoleMarkerPath(stateDir) : undefined;
   const firstRun = markerPath !== undefined && !existsSync(markerPath);
+  const shouldAutoOpen = firstRun && state !== "service-command";
 
   let openedAutomatically = false;
-  if (firstRun) {
+  if (shouldAutoOpen) {
     const result = opener(url);
     if (result.ok) {
       openedAutomatically = true;