npm - squad-openclaw - Versions diffs - 2026.2.2001 → 2026.2.2002 - Mend

squad-openclaw 2026.2.2001 → 2026.2.2002

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -10,7 +10,7 @@ OpenClaw gateway plugin for [Squad](https://squad.ceo) — provides entity regis
 | `fs_read`, `fs_write`, `fs_list`, `fs_delete`, `fs_rename`, `fs_mkdir` | Remote filesystem access for browser clients (subject to security restrictions below) |
 | `sql_query` | Restricted SQLite query tool — `sqlite3` only, scoped to `~/.openclaw/squad-ceo-data/` |
 | `squad.version.check`, `squad.version.update` | Plugin version management and self-update |
-| `tools.invoke` | RPC-based tool invocation for relay mode (WebSocket) |
+| `tools.invoke` | RPC-based tool invocation for relay mode — **only invokes this plugin's own tools**, each with its own security restrictions (see below) |
 | Cloud relay client | **Disabled by default (opt-in).** Connects outbound to `relay.squad.ceo` for remote browser access |
 ## Security Model
@@ -112,13 +112,31 @@ Browser ──[connect request]──> relay.squad.ceo ──[relay.forward]─
 The relay server only sees the outer `relay.forward` envelope. It **never** receives the modified request containing the token. The token injection happens entirely within the relay-client process, and the modified message is sent over a **local loopback** connection to the gateway. A compromised relay server cannot intercept the operator token because it never traverses the relay — it only exists on the `localhost:18789` path.
+## Remote Tool Invocation (`tools.invoke`)
+The `tools.invoke` gateway method allows the browser to call plugin tools over WebSocket (used in relay mode where there is no HTTP path). This is **not** a generic RPC gateway — it is scoped exclusively to the tools registered by **this plugin**:
+| Tool | What it can access | Restrictions |
+|---|---|---|
+| `fs_read`, `fs_write`, `fs_list`, `fs_delete`, `fs_rename`, `fs_mkdir` | `~/.openclaw/` only | All 4 security layers apply (blocked dirs, blocked files, redaction, allowed roots, write protection) |
+| `sql_query` | `~/.openclaw/squad-ceo-data/*.db` only | sqlite3 only, no shell, no command injection (see below) |
+| `entity_list`, `entity_search`, `entity_sync` | In-memory entity index | Read-only metadata (names, types, paths) |
+| `squad.version.check`, `squad.version.update` | npm registry | Read-only check + controlled `npm install` |
+It **cannot** invoke gateway core tools (`exec`, `bash`, `read`, `write`, `web_fetch`, etc.) — only the tools this plugin registers via `api.registerTool()`. Every invoked tool enforces its own security restrictions independently — `tools.invoke` is just a transport layer, not a privilege escalation.
+**Authentication chain for relay access:** Browser JWT → relay claim token → operator-approved device pairing → operator auth token (localhost only). All four must be valid for a `tools.invoke` call to reach the gateway.
 ## SQL Query Tool
+> **`sql_query` can only access the plugin's own application data** in `~/.openclaw/squad-ceo-data/`. It cannot read or modify any other files on the system — not system databases, not user documents, not gateway configuration.
 The `sql_query` tool provides restricted SQLite access:
-- **Path restriction:** Database files must be within `~/.openclaw/squad-ceo-data/`
+- **Path restriction:** Database files must be within `~/.openclaw/squad-ceo-data/` — the plugin's own data directory containing entity registries and application state. Paths outside this directory are rejected before any query is executed.
 - **No shell:** Uses `execFile` (not `exec`) — arguments are passed as an argv array, preventing command injection
-- **No arbitrary commands:** Only `sqlite3` is executed
+- **No arbitrary commands:** Only `sqlite3` is executed — no other binary can be invoked through this tool
+- **Data scope:** The databases in `squad-ceo-data/` contain only Squad application data (entity metadata, search indexes, user preferences). No credentials, tokens, or gateway configuration is stored in these databases.
 ## Build Transparency

package/dist/index.js CHANGED Viewed

@@ -1918,6 +1918,49 @@ function squadAppPlugin(api) {
       }
     }
   );
+  api.registerGatewayMethod(
+    "tools.list",
+    async ({ respond }) => {
+      const coreTools = [
+        "exec",
+        "bash",
+        "process",
+        "read",
+        "write",
+        "edit",
+        "apply_patch",
+        "web_search",
+        "web_fetch",
+        "browser",
+        "canvas",
+        "nodes",
+        "image",
+        "message",
+        "cron",
+        "gateway",
+        "sessions_list",
+        "sessions_history",
+        "sessions_send",
+        "sessions_spawn",
+        "session_status",
+        "agents_list",
+        "memory_search"
+      ];
+      const groups = [
+        "group:fs",
+        "group:runtime",
+        "group:sessions",
+        "group:memory",
+        "group:web",
+        "group:ui",
+        "group:automation",
+        "group:messaging",
+        "group:nodes"
+      ];
+      const pluginTools = Array.from(toolExecutors.keys());
+      respond(true, { tools: [...coreTools, ...groups, ...pluginTools] });
+    }
+  );
   const relayEnabled = api.pluginConfig?.["relay.enabled"] ?? false;
   if (relayEnabled) {
     const relayUrl = api.pluginConfig?.["relay.url"] || "wss://relay.squad.ceo";

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "squad-openclaw",
-  "version": "2026.2.2001",
+  "version": "2026.2.2002",
   "description": "Entity registry, filesystem tools, and version management plugin for OpenClaw gateway",
   "type": "module",
   "main": "./dist/index.js",