squad-openclaw 2026.2.1903 → 2026.2.1905

package/dist/index.d.ts

@@ -3,9 +3,34 @@
  *
  * Provides:
  *   - In-memory entity registry with filesystem watching (entity_list, entity_search, entity_sync)
- *   - Filesystem tools for remote clients (fs_read, fs_write, fs_list, fs_delete)
+ *   - Filesystem tools for remote clients (fs_read, fs_write, fs_list, fs_delete, fs_rename)
+ *   - Restricted SQL query tool (sql_query) — sqlite3 only, squad-ceo-data/ only
  *   - Version check and self-update gateway methods (squad.version.*)
  *   - Cloud relay client for remote browser access (relay-client)
+ *
+ * ┌──────────────────────────────────────────────────────────────────────────┐
+ * │  SECURITY POLICY — Credential Protection                                │
+ * │                                                                         │
+ * │  This plugin enforces hard-coded security rules in filesystem.ts:       │
+ * │                                                                         │
+ * │  BLOCKED directories (no read, write, list, delete, or rename):         │
+ * │    • ~/.openclaw/credentials/                                           │
+ * │    • ~/.openclaw/devices/                                               │
+ * │    • ~/.openclaw/identity/                                              │
+ * │                                                                         │
+ * │  REDACTED on read (sensitive fields replaced with "[REDACTED]"):       │
+ * │    • ~/.openclaw/openclaw.json → channel.*.botToken                    │
+ * │    • ~/.openclaw/openclaw.json → gateway.auth.*                        │
+ * │    • squad-ceo-data/squad-relay.json → deviceKeys.privateKeyPem        │
+ * │                                                                         │
+ * │  WRITE-PROTECTED (no writes, deletes, or renames):                      │
+ * │    • ~/.openclaw/openclaw.json                                          │
+ * │    • squad-ceo-data/squad-relay.json                                    │
+ * │    • All blocked directories above                                      │
+ * │                                                                         │
+ * │  The bundle is NOT minified to allow security auditing of the           │
+ * │  distributed code. See tsup.config.ts for build configuration.          │
+ * └──────────────────────────────────────────────────────────────────────────┘
  */
 declare function squadAppPlugin(api: any): void;
 

package/dist/index.js

@@ -618,9 +618,78 @@ function registerEntityTools(api, onFsChange) {
 // src/filesystem.ts
 import fs3 from "fs";
 import path3 from "path";
+var HOME_DIR = process.env.HOME ?? "/root";
+var OPENCLAW_DIR = path3.join(HOME_DIR, ".openclaw");
+var SENSITIVE_BLOCKED_DIRS = [
+  path3.join(OPENCLAW_DIR, "credentials"),
+  path3.join(OPENCLAW_DIR, "devices"),
+  path3.join(OPENCLAW_DIR, "identity")
+];
+var SENSITIVE_BLOCKED_FILES = [
+  path3.join(OPENCLAW_DIR, "squad-ceo-data", "squad-relay.json")
+];
+function isSensitivePath(resolvedPath) {
+  for (const blocked of SENSITIVE_BLOCKED_DIRS) {
+    if (resolvedPath === blocked || resolvedPath.startsWith(blocked + path3.sep)) {
+      return true;
+    }
+  }
+  for (const blocked of SENSITIVE_BLOCKED_FILES) {
+    if (resolvedPath === blocked) {
+      return true;
+    }
+  }
+  return false;
+}
+var OPENCLAW_JSON_FILENAME = "openclaw.json";
+function redactOpenclawJson(rawContent) {
+  let config;
+  try {
+    config = JSON.parse(rawContent);
+  } catch {
+    return rawContent;
+  }
+  let redactedCount = 0;
+  const channels = config.channels;
+  if (channels && typeof channels === "object") {
+    for (const channelKey of Object.keys(channels)) {
+      const channel = channels[channelKey];
+      if (channel && typeof channel === "object" && "botToken" in channel) {
+        channel.botToken = "[REDACTED]";
+        redactedCount++;
+      }
+    }
+  }
+  const gateway = config.gateway;
+  if (gateway && typeof gateway === "object") {
+    if (gateway.auth && typeof gateway.auth === "object") {
+      const auth = gateway.auth;
+      for (const key of Object.keys(auth)) {
+        auth[key] = "[REDACTED]";
+        redactedCount++;
+      }
+    }
+    if ("token" in gateway) {
+      gateway.token = "[REDACTED]";
+      redactedCount++;
+    }
+    const remote = gateway.remote;
+    if (remote && typeof remote === "object" && "token" in remote) {
+      remote.token = "[REDACTED]";
+      redactedCount++;
+    }
+  }
+  if (redactedCount > 0) {
+    console.log(`[security] Redacted ${redactedCount} sensitive field(s) from openclaw.json before returning to client`);
+  }
+  return JSON.stringify(config, null, 2);
+}
+function isOpenclawJson(resolvedPath) {
+  return path3.basename(resolvedPath) === OPENCLAW_JSON_FILENAME && resolvedPath.startsWith(OPENCLAW_DIR);
+}
 function expandHome(p) {
   if (p.startsWith("~/") || p === "~") {
-    return path3.join(process.env.HOME ?? "/root", p.slice(1));
+    return path3.join(HOME_DIR, p.slice(1));
   }
   return p;
 }
@@ -636,6 +705,24 @@ function validatePath(p, allowedRoots) {
   }
   return resolved;
 }
+function validateAndBlockSensitive(p, allowedRoots) {
+  const resolved = validatePath(p, allowedRoots);
+  if (isSensitivePath(resolved)) {
+    throw new Error(
+      `Access denied: path "${p}" is inside a protected directory (credentials/devices/identity)`
+    );
+  }
+  return resolved;
+}
+function validateWritePath(p, allowedRoots) {
+  const resolved = validateAndBlockSensitive(p, allowedRoots);
+  if (isOpenclawJson(resolved)) {
+    throw new Error(
+      `Write denied: "${p}" is a protected configuration file (openclaw.json)`
+    );
+  }
+  return resolved;
+}
 function ok(data) {
   return {
     content: [{ type: "text", text: JSON.stringify(data) }]
@@ -674,12 +761,20 @@ function listDir(dirPath, opts) {
   }
   return results;
 }
+function filterSensitiveEntries(entries) {
+  return entries.filter((entry) => !isSensitivePath(entry.path)).map((entry) => {
+    if (entry.children) {
+      return { ...entry, children: filterSensitiveEntries(entry.children) };
+    }
+    return entry;
+  });
+}
 function registerFilesystemTools(api) {
   const allowedRoots = api.pluginConfig?.["fs.allowedRoots"] ?? [];
   api.registerTool({
     name: "fs_read",
     label: "Read File",
-    description: "Read a file from the server filesystem. Returns the file contents as text. Supports ~ for home directory expansion.",
+    description: "Read a file from the server filesystem. Returns the file contents as text. Supports ~ for home directory expansion. Sensitive directories (credentials, devices, identity) are blocked. Config files are returned with auth tokens redacted.",
     parameters: {
       type: "object",
       properties: {
@@ -697,10 +792,13 @@ function registerFilesystemTools(api) {
     },
     async execute(_id, params) {
       try {
-        const filePath = validatePath(params.path, allowedRoots);
+        const filePath = validateAndBlockSensitive(params.path, allowedRoots);
         const encoding = params.encoding ?? "utf-8";
-        const content = fs3.readFileSync(filePath, encoding);
+        let content = fs3.readFileSync(filePath, encoding);
         const stat = fs3.statSync(filePath);
+        if (isOpenclawJson(filePath) && encoding === "utf-8") {
+          content = redactOpenclawJson(content);
+        }
         return ok({
           path: filePath,
           content,
@@ -716,7 +814,7 @@ function registerFilesystemTools(api) {
   api.registerTool({
     name: "fs_write",
     label: "Write File",
-    description: "Write content to a file on the server filesystem. Creates parent directories if they don't exist. Supports ~ for home directory expansion.",
+    description: "Write content to a file on the server filesystem. Creates parent directories if they don't exist. Supports ~ for home directory expansion. Writes to protected directories (credentials, devices, identity) and config files (openclaw.json) are denied.",
     parameters: {
       type: "object",
       properties: {
@@ -742,7 +840,7 @@ function registerFilesystemTools(api) {
     },
     async execute(_id, params) {
       try {
-        const filePath = validatePath(params.path, allowedRoots);
+        const filePath = validateWritePath(params.path, allowedRoots);
         const content = params.content;
         const encoding = params.encoding ?? "utf-8";
         const mkdir = params.mkdir !== false;
@@ -765,7 +863,7 @@ function registerFilesystemTools(api) {
   api.registerTool({
     name: "fs_list",
     label: "List Directory",
-    description: "List contents of a directory on the server filesystem. Returns file metadata including name, type, size, and modification time. Supports ~ for home directory expansion.",
+    description: "List contents of a directory on the server filesystem. Returns file metadata including name, type, size, and modification time. Supports ~ for home directory expansion. Protected directories (credentials, devices, identity) are excluded from results.",
     parameters: {
       type: "object",
       properties: {
@@ -786,10 +884,11 @@ function registerFilesystemTools(api) {
     },
     async execute(_id, params) {
       try {
-        const dirPath = validatePath(params.path, allowedRoots);
+        const dirPath = validateAndBlockSensitive(params.path, allowedRoots);
         const recursive = params.recursive === true;
         const includeHidden = params.includeHidden === true;
-        const entries = listDir(dirPath, { recursive, includeHidden, depth: 0, maxDepth: 3 });
+        let entries = listDir(dirPath, { recursive, includeHidden, depth: 0, maxDepth: 3 });
+        entries = filterSensitiveEntries(entries);
         return ok({
           path: dirPath,
           count: entries.length,
@@ -804,7 +903,7 @@ function registerFilesystemTools(api) {
   api.registerTool({
     name: "fs_mkdir",
     label: "Create Directory",
-    description: "Create a directory on the server filesystem. Creates parent directories as needed. Supports ~ for home directory expansion.",
+    description: "Create a directory on the server filesystem. Creates parent directories as needed. Supports ~ for home directory expansion. Cannot create directories inside protected paths (credentials, devices, identity).",
     parameters: {
       type: "object",
       properties: {
@@ -817,7 +916,7 @@ function registerFilesystemTools(api) {
     },
     async execute(_id, params) {
       try {
-        const targetPath = validatePath(params.path, allowedRoots);
+        const targetPath = validateWritePath(params.path, allowedRoots);
         fs3.mkdirSync(targetPath, { recursive: true });
         return ok({
           path: targetPath,
@@ -829,10 +928,44 @@ function registerFilesystemTools(api) {
       }
     }
   });
+  api.registerTool({
+    name: "fs_rename",
+    label: "Rename / Move",
+    description: "Rename or move a file or directory on the server filesystem. Supports ~ for home directory expansion. Cannot move files into or out of protected directories.",
+    parameters: {
+      type: "object",
+      properties: {
+        oldPath: {
+          type: "string",
+          description: "Current absolute or ~-prefixed path"
+        },
+        newPath: {
+          type: "string",
+          description: "New absolute or ~-prefixed path"
+        }
+      },
+      required: ["oldPath", "newPath"]
+    },
+    async execute(_id, params) {
+      try {
+        const resolvedOld = validateWritePath(params.oldPath, allowedRoots);
+        const resolvedNew = validateWritePath(params.newPath, allowedRoots);
+        fs3.renameSync(resolvedOld, resolvedNew);
+        return ok({
+          oldPath: resolvedOld,
+          newPath: resolvedNew,
+          renamed: true
+        });
+      } catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        return err(`fs_rename failed: ${msg}`);
+      }
+    }
+  });
   api.registerTool({
     name: "fs_delete",
     label: "Delete File or Directory",
-    description: "Delete a file or directory from the server filesystem. For directories, removes recursively. Supports ~ for home directory expansion.",
+    description: "Delete a file or directory from the server filesystem. For directories, removes recursively. Supports ~ for home directory expansion. Cannot delete protected directories or config files.",
     parameters: {
       type: "object",
       properties: {
@@ -845,7 +978,7 @@ function registerFilesystemTools(api) {
     },
     async execute(_id, params) {
       try {
-        const targetPath = validatePath(params.path, allowedRoots);
+        const targetPath = validateWritePath(params.path, allowedRoots);
         const stat = fs3.statSync(targetPath);
         const wasDirectory = stat.isDirectory();
         if (wasDirectory) {
@@ -866,17 +999,101 @@ function registerFilesystemTools(api) {
   });
 }
 
+// src/sql.ts
+import { execFile } from "child_process";
+import path4 from "path";
+import fs4 from "fs";
+import { Type as T2 } from "@sinclair/typebox";
+var HOME_DIR2 = process.env.HOME ?? "/root";
+var ALLOWED_DATA_DIR = path4.join(HOME_DIR2, ".openclaw", "squad-ceo-data");
+function validateDbPath(dbPath) {
+  let expanded = dbPath;
+  if (expanded.startsWith("~/") || expanded === "~") {
+    expanded = path4.join(HOME_DIR2, expanded.slice(1));
+  }
+  const resolved = path4.resolve(expanded);
+  if (resolved !== ALLOWED_DATA_DIR && !resolved.startsWith(ALLOWED_DATA_DIR + path4.sep)) {
+    throw new Error(
+      `Access denied: database path must be within ~/.openclaw/squad-ceo-data/`
+    );
+  }
+  try {
+    const stat = fs4.statSync(resolved);
+    if (!stat.isFile()) {
+      throw new Error(`Not a file: ${dbPath}`);
+    }
+  } catch (e) {
+    if (e.code === "ENOENT") {
+      throw new Error(`Database file not found: ${dbPath}`);
+    }
+    throw e;
+  }
+  return resolved;
+}
+function runSqlite3(dbPath, args) {
+  return new Promise((resolve, reject) => {
+    execFile(
+      "sqlite3",
+      [dbPath, ...args],
+      { timeout: 3e4, maxBuffer: 10 * 1024 * 1024 },
+      (error, stdout, stderr) => {
+        if (error) {
+          reject(new Error(stderr || error.message));
+          return;
+        }
+        resolve(stdout);
+      }
+    );
+  });
+}
+function registerSqlTools(api) {
+  api.registerTool({
+    name: "sql_query",
+    label: "SQL Query",
+    description: "Execute a sqlite3 query on a database file within ~/.openclaw/squad-ceo-data/. Only sqlite3 is allowed \u2014 no arbitrary shell commands. Use jsonOutput: true for structured JSON results.",
+    parameters: T2.Object({
+      dbPath: T2.String({
+        description: "Path to the SQLite database file (must be within ~/.openclaw/squad-ceo-data/)"
+      }),
+      query: T2.String({ description: "SQL query to execute" }),
+      jsonOutput: T2.Optional(
+        T2.Boolean({
+          description: "Return results as JSON (sqlite3 -json flag)"
+        })
+      )
+    }),
+    async execute(_id, params) {
+      try {
+        const resolvedDb = validateDbPath(params.dbPath);
+        const args = [];
+        if (params.jsonOutput) args.push("-json");
+        args.push(params.query);
+        const output = await runSqlite3(resolvedDb, args);
+        return {
+          content: [{ type: "text", text: output }]
+        };
+      } catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        return {
+          content: [{ type: "text", text: JSON.stringify({ error: msg }) }],
+          isError: true
+        };
+      }
+    }
+  });
+}
+
 // src/version.ts
 import { execSync } from "child_process";
-import fs4 from "fs";
-import path4 from "path";
+import fs5 from "fs";
+import path5 from "path";
 import { fileURLToPath } from "url";
 var PACKAGE_NAME = "squad-openclaw";
 function getCurrentVersion() {
   const thisFile = fileURLToPath(import.meta.url);
-  const pkgPath = path4.resolve(path4.dirname(thisFile), "..", "package.json");
+  const pkgPath = path5.resolve(path5.dirname(thisFile), "..", "package.json");
   try {
-    const pkg = JSON.parse(fs4.readFileSync(pkgPath, "utf-8"));
+    const pkg = JSON.parse(fs5.readFileSync(pkgPath, "utf-8"));
     return pkg.version ?? "0.0.0";
   } catch {
     return "0.0.0";
@@ -974,8 +1191,8 @@ function registerVersionMethods(api) {
 // src/relay-client.ts
 import { WebSocket as NodeWebSocket } from "ws";
 import crypto2 from "crypto";
-import fs5 from "fs";
-import path5 from "path";
+import fs6 from "fs";
+import path6 from "path";
 import os from "os";
 
 // src/e2e-crypto.ts
@@ -1057,31 +1274,31 @@ var E2ECrypto = class {
 
 // src/relay-client.ts
 function readOperatorToken() {
-  const stateDir = process.env.OPENCLAW_STATE_DIR || path5.join(os.homedir(), ".openclaw");
-  const configPath = path5.join(stateDir, "openclaw.json");
+  const stateDir = process.env.OPENCLAW_STATE_DIR || path6.join(os.homedir(), ".openclaw");
+  const configPath = path6.join(stateDir, "openclaw.json");
   try {
-    const raw = fs5.readFileSync(configPath, "utf-8");
+    const raw = fs6.readFileSync(configPath, "utf-8");
     const config = JSON.parse(raw);
     return config?.gateway?.auth?.token ?? config?.gateway?.remote?.token ?? config?.gateway?.token ?? null;
   } catch {
     return null;
   }
 }
-var RELAY_DATA_DIR = path5.join(os.homedir(), ".openclaw", "squad-ceo-data");
-var RELAY_STATE_PATH = path5.join(RELAY_DATA_DIR, "squad-relay.json");
+var RELAY_DATA_DIR = path6.join(os.homedir(), ".openclaw", "squad-ceo-data");
+var RELAY_STATE_PATH = path6.join(RELAY_DATA_DIR, "squad-relay.json");
 function readRelayState() {
   try {
-    const raw = fs5.readFileSync(RELAY_STATE_PATH, "utf-8");
+    const raw = fs6.readFileSync(RELAY_STATE_PATH, "utf-8");
     return JSON.parse(raw);
   } catch {
     return {};
   }
 }
 function writeRelayState(state) {
-  if (!fs5.existsSync(RELAY_DATA_DIR)) {
-    fs5.mkdirSync(RELAY_DATA_DIR, { recursive: true });
+  if (!fs6.existsSync(RELAY_DATA_DIR)) {
+    fs6.mkdirSync(RELAY_DATA_DIR, { recursive: true });
   }
-  fs5.writeFileSync(RELAY_STATE_PATH, JSON.stringify(state, null, 2), { mode: 384 });
+  fs6.writeFileSync(RELAY_STATE_PATH, JSON.stringify(state, null, 2), { mode: 384 });
 }
 function toBase64Url(buf) {
   return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
@@ -1103,11 +1320,11 @@ function loadOrCreateRelayDeviceKeys() {
   return keys;
 }
 function ensureDevicePaired(keys, operatorToken) {
-  const stateDir = process.env.OPENCLAW_STATE_DIR || path5.join(os.homedir(), ".openclaw");
-  const pairedPath = path5.join(stateDir, "devices", "paired.json");
+  const stateDir = process.env.OPENCLAW_STATE_DIR || path6.join(os.homedir(), ".openclaw");
+  const pairedPath = path6.join(stateDir, "devices", "paired.json");
   let paired = {};
   try {
-    paired = JSON.parse(fs5.readFileSync(pairedPath, "utf-8"));
+    paired = JSON.parse(fs6.readFileSync(pairedPath, "utf-8"));
   } catch {
   }
   if (paired[keys.deviceId]) return false;
@@ -1129,9 +1346,9 @@ function ensureDevicePaired(keys, operatorToken) {
     approvedAtMs: now,
     displayName: "squad-relay"
   };
-  const dir = path5.dirname(pairedPath);
-  if (!fs5.existsSync(dir)) fs5.mkdirSync(dir, { recursive: true });
-  fs5.writeFileSync(pairedPath, JSON.stringify(paired, null, 2), { mode: 384 });
+  const dir = path6.dirname(pairedPath);
+  if (!fs6.existsSync(dir)) fs6.mkdirSync(dir, { recursive: true });
+  fs6.writeFileSync(pairedPath, JSON.stringify(paired, null, 2), { mode: 384 });
   console.log(`[relay-client] Device pairing entry created in paired.json`);
   return true;
 }
@@ -1645,6 +1862,7 @@ function squadAppPlugin(api) {
   const onFsChange = (evt) => broadcastToUsers("fs.change", evt);
   registerEntityTools(api, onFsChange);
   registerFilesystemTools(api);
+  registerSqlTools(api);
   registerVersionMethods(api);
   api.registerGatewayMethod(
     "tools.invoke",

package/openclaw.plugin.json

@@ -9,7 +9,7 @@
       "fs.allowedRoots": {
         "type": "array",
         "items": { "type": "string" },
-        "description": "Restrict fs_read/fs_write/fs_list/fs_delete to these directories. Empty or omitted = allow all."
+        "description": "Restrict fs_read/fs_write/fs_list/fs_delete/fs_rename to these directories. Empty or omitted = allow all."
       },
       "relay.enabled": {
         "type": "boolean",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "squad-openclaw",
-  "version": "2026.2.1903",
+  "version": "2026.2.1905",
   "description": "Entity registry, filesystem tools, and version management plugin for OpenClaw gateway",
   "type": "module",
   "main": "./dist/index.js",
@@ -35,12 +35,12 @@
     "squad"
   ],
   "dependencies": {
-    "@sinclair/typebox": "^0.31.0",
-    "chokidar": "^4.0.0",
-    "ws": "^8.18.0"
+    "@sinclair/typebox": "0.31.28",
+    "chokidar": "4.0.3",
+    "ws": "8.18.3"
   },
   "devDependencies": {
-    "tsup": "^8.0.0",
-    "typescript": "^5.0.0"
+    "tsup": "8.5.1",
+    "typescript": "5.9.3"
   }
 }