Merge pull request #248 from peg/staging

fix: bundle OpenClaw plugin in binary + remaining v0.9.12 fixes

Author: peg

cmd/rampart/cli/mcp.go

@@ -255,8 +255,8 @@ func newMCPProxyCmd(opts *rootOptions, deps *mcpDeps) *cobra.Command {
 	cmd.Flags().StringVar(&mode, "mode", "enforce", "Mode: enforce | monitor")
 	cmd.Flags().StringVar(&auditDir, "audit-dir", "", "Directory for audit logs (default: ~/.rampart/audit)")
 	cmd.Flags().BoolVar(&filterTools, "filter-tools", false, "Filter denied tools from tools/list responses")
-	cmd.Flags().StringVar(&agentID, "agent-id", "", "Agent identity for policy evaluation and audit (default: mcp-client)")
-	cmd.Flags().StringVar(&sessionID, "session-id", "", "Session identity for policy evaluation and audit (default: mcp-proxy)")
+	cmd.Flags().StringVar(&agentID, "agent-id", "", "Agent identity for policy evaluation and audit (default: mcp-client). Advisory only — not verified by Rampart. Do not use as a security boundary.")
+	cmd.Flags().StringVar(&sessionID, "session-id", "", "Session identity for policy evaluation and audit (default: mcp-proxy). Advisory only — not verified by Rampart.")
 
 	return cmd
 }

cmd/rampart/cli/setup_openclaw_plugin.go

@@ -25,6 +25,7 @@ import (
 	"strings"
 	"time"
 
+	ocplugin "github.com/peg/rampart/internal/plugin/openclaw"
 	"github.com/peg/rampart/policies"
 )
 
@@ -36,9 +37,8 @@ const openclawPluginDir = "extensions/rampart"
 // before_tool_call hook used by the Rampart plugin.
 const openclawMinVersion = "2026.3.28"
 
-// TODO: bundle the plugin inside the rampart binary and extract to a temp dir.
-// For now, point at the development checkout path.
-const openclawPluginDevPath = "/home/clap/.openclaw/workspace/rampart-openclaw-plugin"
+// The plugin is bundled inside the binary via //go:embed and extracted to a
+// temp directory during setup. No external checkout or npm install required.
 
 // runSetupOpenClawPlugin installs the Rampart native plugin into OpenClaw.
 //
@@ -81,18 +81,23 @@ func runSetupOpenClawPlugin(w io.Writer, errW io.Writer) error {
 		fmt.Fprintf(w, "✓ OpenClaw version: %s (>= %s required)\n", version, openclawMinVersion)
 	}
 
-	// 3. Install the plugin.
-	pluginPath := openclawPluginDevPath
-	if _, err := os.Stat(pluginPath); os.IsNotExist(err) {
-		return fmt.Errorf("Rampart OpenClaw plugin not found at %s\n  Build it first: cd %s && npm install && npm run build", pluginPath, pluginPath)
+	// 3. Extract the bundled plugin to a temp dir and install it.
+	pluginDir, err := os.MkdirTemp("", "rampart-openclaw-plugin-*")
+	if err != nil {
+		return fmt.Errorf("failed to create temp dir for plugin: %w", err)
+	}
+	defer os.RemoveAll(pluginDir)
+
+	if err := ocplugin.Extract(pluginDir); err != nil {
+		return fmt.Errorf("failed to extract bundled plugin: %w", err)
 	}
-	fmt.Fprintf(w, "Installing plugin from: %s\n", pluginPath)
+	fmt.Fprintf(w, "Installing bundled plugin (v%s)...\n", ocplugin.Version())
 
-	installCmd := osexec.Command(openclawBin, "plugins", "install", pluginPath)
+	installCmd := osexec.Command(openclawBin, "plugins", "install", pluginDir)
 	installCmd.Stdout = w
 	installCmd.Stderr = errW
 	if err := installCmd.Run(); err != nil {
-		return fmt.Errorf("openclaw plugins install failed: %w\n  Try running manually: openclaw plugins install %s", err, pluginPath)
+		return fmt.Errorf("openclaw plugins install failed: %w\n  Try running manually: openclaw plugins install <extracted-plugin-path>", err)
 	}
 	fmt.Fprintln(w, "✓ Rampart plugin installed into OpenClaw")
 

internal/bridge/openclaw.go

@@ -636,8 +636,28 @@ func (b *OpenClawBridge) writeAllowAlwaysRule(command string) {
 		b.logger.Error("bridge: allow-always: create policies dir", "error", err)
 		return
 	}
-	if err := os.WriteFile(overridesPath, []byte(existing+rule), 0o600); err != nil {
-		b.logger.Error("bridge: allow-always: write user-overrides.yaml", "error", err)
+	// Atomic write: write to temp file then rename to avoid partial reads.
+	dir := filepath.Dir(overridesPath)
+	tmp, err := os.CreateTemp(dir, ".rampart-user-overrides-*.yaml.tmp")
+	if err != nil {
+		b.logger.Error("bridge: allow-always: create temp file", "error", err)
+		return
+	}
+	tmpPath := tmp.Name()
+	if _, werr := tmp.WriteString(existing + rule); werr != nil {
+		tmp.Close()
+		os.Remove(tmpPath)
+		b.logger.Error("bridge: allow-always: write temp file", "error", werr)
+		return
+	}
+	if cerr := tmp.Close(); cerr != nil {
+		os.Remove(tmpPath)
+		b.logger.Error("bridge: allow-always: close temp file", "error", cerr)
+		return
+	}
+	if rerr := os.Rename(tmpPath, overridesPath); rerr != nil {
+		os.Remove(tmpPath)
+		b.logger.Error("bridge: allow-always: rename to final path", "error", rerr)
 		return
 	}
 

internal/plugin/openclaw/README.md

@@ -0,0 +1,154 @@
+# rampart-openclaw-plugin
+
+**Rampart AI agent firewall — native OpenClaw plugin (v1.0)**
+
+This OpenClaw plugin integrates [Rampart](https://github.com/peg/rampart) using the native `before_tool_call` hook API (OpenClaw ≥ 2026.3.28). It is the primary integration path, replacing the legacy dist-file patching approach.
+
+---
+
+## Quick start
+
+```bash
+# 1. Install Rampart
+go install github.com/peg/rampart@latest
+
+# 2. Start Rampart policy server (defaults to :9090)
+rampart serve
+
+# 3. Install this plugin
+openclaw plugins install /path/to/rampart-openclaw-plugin
+```
+
+That's it. Every tool call is now checked against your Rampart policies.
+
+---
+
+## What happens on each decision
+
+Every time the OpenClaw agent calls a tool (`exec`, `read`, `write`, `web_fetch`, `message`, etc.), this plugin intercepts the call **before it executes** and checks it against the running Rampart policy engine (`rampart serve`).
+
+| Decision | What happens |
+|----------|-------------|
+| `allow`  | Tool call proceeds normally |
+| `deny`   | Tool call is blocked; agent sees a `blockReason` message |
+| `ask`    | OpenClaw pauses and prompts you for approval (120 s timeout → auto-deny) |
+
+### The always-allow flow
+
+When Rampart returns `ask` and you click **Allow Always** in the OpenClaw approval UI:
+
+1. The plugin calls `POST /v1/approvals/{id}/resolve` with `persist: true`
+2. Rampart writes a rule to `~/.rampart/policies/auto-allowed.yaml`
+3. Future calls matching the same tool + pattern are automatically allowed — you are never asked again
+
+### Fail-open behavior
+
+If `rampart serve` is not running or unreachable, the plugin **fails open** (allows the call) and logs at debug level. This matches Rampart's existing default behavior and keeps OpenClaw functional when Rampart is down.
+
+If `rampart serve` is reachable but returns a 5xx error, the plugin also fails open but logs a warning.
+
+---
+
+## Configuration
+
+Plugin config lives in your OpenClaw config file under `plugins.rampart`:
+
+```yaml
+plugins:
+  rampart:
+    serveUrl: "http://localhost:9090"   # default
+    enabled: true                        # default
+    timeoutMs: 3000                      # ms to wait for Rampart before failing open
+    approvalTimeoutMs: 120000            # ms before unanswered approval auto-denies
+```
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `serveUrl` | string | `http://localhost:9090` | Rampart serve endpoint |
+| `enabled` | boolean | `true` | Disable the plugin without uninstalling |
+| `timeoutMs` | number | `3000` | Max ms to wait for Rampart before failing open |
+| `approvalTimeoutMs` | number | `120000` | Ms before an unanswered approval auto-denies |
+
+---
+
+## Authentication
+
+The plugin reads your Rampart token from (in order):
+
+1. `RAMPART_TOKEN` environment variable
+2. `~/.rampart/token` file
+
+This matches the standard Rampart CLI token resolution.
+
+---
+
+## Security note
+
+The plugin only makes network calls to **localhost** (or whatever `serveUrl` is configured to). It reads a single token file from `~/.rampart/token`. It does not phone home, send telemetry, or make any external network requests.
+
+---
+
+## Rampart API contract
+
+The plugin calls:
+
+```
+POST http://localhost:9090/v1/tool/{toolName}
+Content-Type: application/json
+Authorization: Bearer <token>
+
+{
+  "agent":   "main",
+  "session": "...",
+  "run_id":  "...",
+  "params":  { "command": "ls -la" }
+}
+```
+
+Expected response shapes:
+
+```json
+{ "allowed": true,  "decision": "allow", "message": "..." }
+{ "allowed": false, "decision": "deny",  "message": "blocked by policy X", "policy": "no-rm-rf" }
+{ "allowed": false, "decision": "ask",   "message": "shell command requires approval", "severity": "warning", "approval_id": "abc123" }
+```
+
+When `decision` is `ask`, the plugin uses `approval_id` to call back into Rampart's approval API when the user resolves the prompt:
+
+```
+POST http://localhost:9090/v1/approvals/{approval_id}/resolve
+{ "approved": true, "resolved_by": "openclaw", "persist": true }
+```
+
+The plugin also posts to `POST /v1/audit` after each tool call (best-effort, fire-and-forget).
+
+---
+
+## Replacing the dist-patching approach
+
+Previously, Rampart intercepted OpenClaw tool calls by patching JavaScript files inside OpenClaw's bundled `dist/` directory:
+
+```bash
+sudo rampart setup openclaw --patch-tools --force
+```
+
+This was fragile — every `openclaw upgrade` would overwrite the patches.
+
+With this plugin installed, you can remove the dist patches:
+
+```bash
+# Re-install OpenClaw without the patches (or let an upgrade overwrite them)
+# The plugin handles interception through the stable hook API instead.
+```
+
+---
+
+## Development
+
+```bash
+# Verify no syntax errors (ESM import test)
+node -e "import('./index.js').then(() => console.log('ok')).catch(e => console.error(e))"
+
+# Verify manifest JSON
+cat openclaw.plugin.json | node -e "process.stdin.resume(); let d=''; process.stdin.on('data',c=>d+=c); process.stdin.on('end',()=>{JSON.parse(d); console.log('valid json')})"
+```

internal/plugin/openclaw/embed.go

@@ -0,0 +1,60 @@
+// Copyright 2026 The Rampart Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package openclaw provides the bundled Rampart OpenClaw plugin.
+// The plugin is embedded into the Rampart binary at build time and
+// extracted to a temp directory during `rampart setup openclaw --plugin`.
+package openclaw
+
+import (
+	"embed"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+)
+
+//go:embed index.js package.json openclaw.plugin.json README.md
+var PluginFS embed.FS
+
+// Version returns the bundled plugin version from package.json.
+func Version() string {
+	data, err := PluginFS.ReadFile("package.json")
+	if err != nil {
+		return "unknown"
+	}
+	var pkg struct {
+		Version string `json:"version"`
+	}
+	if err := json.Unmarshal(data, &pkg); err != nil {
+		return "unknown"
+	}
+	return pkg.Version
+}
+
+// Extract writes the embedded plugin files to dir and returns the path.
+// The caller is responsible for cleanup if the returned path is a temp dir.
+func Extract(dir string) error {
+	files := []string{"index.js", "package.json", "openclaw.plugin.json", "README.md"}
+	for _, name := range files {
+		data, err := PluginFS.ReadFile(name)
+		if err != nil {
+			return fmt.Errorf("read embedded plugin file %q: %w", name, err)
+		}
+		dest := filepath.Join(dir, name)
+		if err := os.WriteFile(dest, data, 0o644); err != nil {
+			return fmt.Errorf("write plugin file %q: %w", dest, err)
+		}
+	}
+	return nil
+}