@agenthifive/agenthifive
v0.4.7
Published
OpenClaw plugin for [AgentHiFive](https://agenthifive.com) vault integration. Gives AI agents secure, policy-governed access to user accounts through vault-managed credentials and a brokered API proxy.
Maintainers
Readme
@agenthifive/agenthifive
OpenClaw plugin for AgentHiFive vault integration. Gives AI agents secure, policy-governed access to user accounts through vault-managed credentials and a brokered API proxy.
What It Does
- 7 agent tools for executing API calls, managing connections, approvals, and downloads through the vault
- Native channel plugins for Telegram and Slack
- Step-up approval flow for sensitive actions (user approves via dashboard)
- Prompt injection with chunked API reference docs for connected services
- ES256 JWT auth with automatic background token refresh
- Setup wizard (
ah5-setup) for bootstrapping agent auth
Quick Start
1. Install the plugin
openclaw plugins install @agenthifive/[email protected]2. Install the setup CLI
npm install -g @agenthifive/[email protected]3. Run setup
Run the setup wizard to bootstrap agent auth, discover connected services, write config, and apply the temporary credential proxying patch used until native OpenClaw support lands:
ah5-setupOr non-interactively:
ah5-setup --base-url https://app.agenthifive.com --bootstrap-secret ah5b_...The wizard automatically:
- Writes canonical AgentHiFive config to
~/.openclaw/openclaw.json - Applies the temporary credential proxying patch to your OpenClaw installation
After setup:
- Changing models from the OpenClaw TUI
/modelspicker is fine - Avoid re-running OpenClaw
onboardormodels authfor vault-managed providers, because those flows expect local provider keys/tokens
Additional flags:
--config-path <path>— explicit config file path--openclaw-dir <path>— explicit OpenClaw installation directory--mode remove— removechannels.agenthifivecleanly, then uninstall the plugin
4. Connect Services
Add OAuth connections (Google, Microsoft, Slack, Telegram, etc.) and configure policies in the AgentHiFive dashboard.
Tools
| Tool | Description |
|------|-------------|
| vault_execute | Execute an HTTP request through the vault proxy (Model B) |
| request_permission | Request permission for a sensitive action |
| request_capability | Request access to a new service/capability |
| vault_await_approval | Wait for a step-up approval to be resolved |
| vault_connections_list | List available connections and their status |
| vault_connection_revoke | Revoke a connection immediately |
| vault_download | Download binary files through the vault to disk |
Configuration
Canonical config lives under channels.agenthifive in your openclaw.json.
Minimal example:
{
"channels": {
"agenthifive": {
"accounts": {
"default": {
"enabled": true,
"baseUrl": "https://app.agenthifive.com",
"auth": {
"mode": "agent",
"agentId": "agent_...",
"privateKey": "base64-encoded-jwk"
},
"providers": {
"telegram": {
"enabled": true,
"dmPolicy": "balanced",
"allowFrom": []
},
"slack": {
"enabled": true
}
}
}
}
}
},
"plugins": {
"enabled": true,
"allow": ["agenthifive"],
"entries": {
"agenthifive": {
"enabled": true
}
}
}
}AgentHiFive's generic plugin layer derives its runtime config from that channel section, so plugins.entries.agenthifive remains intentionally minimal.
Important keys under channels.agenthifive.accounts.<id>:
| Key | Type | Description |
|-----|------|-------------|
| baseUrl | string | AgentHiFive API base URL |
| auth.mode | "agent" | "bearer" | Authentication mode |
| auth.agentId | string | Agent ID (agent mode) |
| auth.privateKey | string | Base64-encoded ES256 JWK (agent mode) |
| auth.token | string | Bearer token (bearer mode) |
| auth.tokenAudience | string | Token audience override (optional) |
| pollTimeoutMs | number | Approval poll timeout (default: 300000) |
| pollIntervalMs | number | Approval poll interval (default: 3000) |
| providers.telegram.* | object | Telegram channel settings |
| providers.slack.* | object | Slack channel settings |
LLM Credential Proxying
The setup wizard automatically patches OpenClaw's resolveApiKeyForProvider() to route LLM API calls through the vault, so agents don't need local API keys.
This patch-based flow is the officially supported path today for vault-managed LLM calls. It is a temporary compatibility layer while the upstream OpenClaw contribution for native support is being processed.
The patch is applied during ah5-setup and:
- Works with both npm installs (
dist/chunks) and source installs (src/) - Creates a
.bakbackup of the patched file - Is idempotent (safe to run multiple times)
- Uses the shared
globalThis.__ah5_runtimebridge, so it is a no-op when the plugin is not installed
To re-apply manually (for example after an OpenClaw upgrade), re-run the setup wizard or see patches/README.md.
Removing AgentHiFive
Use the setup CLI rather than uninstalling the plugin first:
ah5-setup --mode removeThat removes channels.agenthifive from config and then uninstalls the plugin cleanly.
Programmatic Usage
The package also exports classes for use outside the plugin system:
import { VaultClient, VaultTokenManager, VaultActionProxy } from "@agenthifive/agenthifive";
// Direct API client
const client = new VaultClient({
baseUrl: "https://app.agenthifive.com",
auth: { mode: "bearer", token: "ah5t_..." },
});
// ES256 JWT token management
const tokenManager = new VaultTokenManager({
baseUrl: "https://app.agenthifive.com",
agentId: "agent_...",
privateKey: jwk,
});
await tokenManager.init();License
MIT
