Skip to content

Commit ec5bd71

Browse files
authored
fix: 0.4.0 revival — tool contract fix, allowlist hardening, dep refresh (#5)
* fix: harden allowlist patterns against ReDoS, enforce full-match semantics Port the datafog-python 4.7.0 allowlist hardening: reject quantified groups containing nested quantifiers at config time (catastrophic backtracking on attacker-influenced entity text), cap pattern length at 512 chars, anchor patterns so a partial match never suppresses a finding, and skip pattern matching for entities longer than 512 chars (fail-safe: the finding is kept). * fix: register tools with parameters/execute to match OpenClaw plugin contract All 6 tools were registered with schema:/handler:, which the OpenClaw runtime does not recognize — tool calls failed before reaching the model (verified against upstream docs/plugins/building-plugins.md; execute receives (toolCallId, params)). Ported from PR #3, which discovered the breakage during E2E testing in February. Also declares the six tools in the manifest contracts.tools block, now required for tool discovery, and bumps the manifest version to 0.4.0. * chore: fix npm audit vulnerabilities, bump sharp and vitest npm audit reported 10 vulnerabilities (2 critical). audit fix cleared the protobufjs/rollup/tar transitives; the rest were the vitest 2.x dev chain, cleared by vitest 4. sharp 0.34.5 -> 0.35.3. onnxruntime pins stay as-is: gliner 0.0.19 (still latest) expects onnxruntime 1.19.x internals, and the test suite mocks GLiNER so a runtime ABI break would not be caught here. Adds the openclaw.compat block and Node >=22.19 engine floor now required by the plugin runtime. Version to 0.4.0. * docs: changelog for 0.4.0
1 parent 6be36b2 commit ec5bd71

12 files changed

Lines changed: 1228 additions & 1161 deletions

CHANGELOG.md

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,29 @@
11
# Changelog
22

3+
## 0.4.0
4+
5+
### Fixed
6+
7+
- **Tool registration matches the OpenClaw plugin contract** — all 6 tools were registered with `schema:`/`handler:`, which the runtime does not recognize; tool calls failed before reaching the model. Tools now register with `parameters:` and `execute(toolCallId, params)`. Discovered in E2E testing (PR #3), verified against current upstream docs.
8+
- **Outbound redaction stays on the regex path** (#4, thanks @hanhuihanhui) — `message_sending` now uses regex-only scanning to keep reply delivery fast, consistent with the tool-result path. Also removes an undeclared direct import of `@xenova/transformers`.
9+
10+
### Added
11+
12+
- **SECRET and TOKEN detection** (#4) — assigned credentials (`client_secret=…`, `password: …`) and tokens (`api_key=…`, `Bearer …`) are now detected and redacted by the regex engine.
13+
- **`contracts.tools` manifest declaration** — the six FogClaw tools are declared in `openclaw.plugin.json`, required for tool discovery in current OpenClaw.
14+
- **`openclaw.compat` metadata** in `package.json` (`pluginApi >=2026.3.24-beta.2`); Node engine floor raised to 22.19.
15+
16+
### Security
17+
18+
- **Allowlist hardening** (ported from datafog-python 4.7.0) — patterns must match the full entity text, so a partial match never suppresses a finding; quantified groups containing nested quantifiers (e.g. `(a+)+`) are rejected at config time to prevent catastrophic backtracking on attacker-influenced entity text; patterns are capped at 512 chars; entities longer than 512 chars skip pattern matching fail-safe (the finding is kept).
19+
- **Dependency vulnerabilities cleared**`npm audit` reported 10 vulnerabilities (2 critical); now 0. protobufjs/rollup/tar transitives fixed, vitest 2→4, sharp 0.34.5→0.35.3.
20+
21+
### Known follow-ups
22+
23+
- `before_agent_start` is deprecated upstream (compatibility-only): migrate the inbound guardrail to `before_prompt_build`, and consider `before_agent_run` for hard blocks (requires users to set `hooks.allowConversationAccess`).
24+
- Consider registering `reply_payload_sending` for outbound coverage of media captions and normalized payloads.
25+
- onnxruntime pins unchanged: gliner 0.0.19 (latest) expects onnxruntime 1.19.x internals; revisit when gliner updates.
26+
327
## 0.3.0
428

529
### Added

openclaw.plugin.json

Lines changed: 12 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,18 @@
11
{
22
"id": "fogclaw",
33
"name": "FogClaw",
4-
"version": "0.3.0",
4+
"version": "0.4.0",
55
"description": "PII detection & custom entity redaction plugin powered by DataFog",
6+
"contracts": {
7+
"tools": [
8+
"fogclaw_scan",
9+
"fogclaw_preview",
10+
"fogclaw_redact",
11+
"fogclaw_request_access",
12+
"fogclaw_requests",
13+
"fogclaw_resolve"
14+
]
15+
},
616
"configSchema": {
717
"type": "object",
818
"properties": {
@@ -137,7 +147,7 @@
137147
},
138148
"allowlist": {
139149
"label": "Allowlist / Exemptions",
140-
"help": "Global and per-entity allowlist entries to exclude from enforcement. Supports exact values and regex patterns.",
150+
"help": "Global and per-entity allowlist entries to exclude from enforcement. Supports exact values and regex patterns; patterns must match the full entity text (a partial match never suppresses a finding).",
141151
"advanced": true
142152
},
143153
"auditEnabled": {

0 commit comments

Comments
 (0)