@agenthifive/openclaw

OpenClaw plugin for AgentHiFive vault integration. Gives AI agents secure, policy-governed access to user accounts through vault-managed credentials and a brokered API proxy.

What It Does

• 5 agent tools for executing API calls through the vault (Model B brokered proxy)
• Step-up approval flow for sensitive actions (user approves via dashboard)
• Prompt injection with chunked API reference docs for connected services
• ES256 JWT auth with automatic background token refresh
• Setup wizard (openclaw setup-vault) for bootstrapping agent auth

Quick Start

1. Install

openclaw plugins install @agenthifive/openclaw

Or add to your OpenClaw config manually:

{
  "plugins": {
    "load": { "paths": ["@agenthifive/openclaw"] },
    "entries": {
      "agenthifive": {
        "enabled": true,
        "hooks": { "allowPromptInjection": true },
        "config": { ... }
      }
    }
  }
}

2. Setup

Run the setup wizard to bootstrap agent auth, discover connected services, write config, and apply the credential proxying patch:

openclaw setup-vault

Or non-interactively:

openclaw setup-vault --base-url https://app.agenthifive.com --bootstrap-secret ah5b_...

The wizard automatically:

• Writes plugin config to ~/.openclaw/openclaw.json
• Applies the credential proxying patch to your OpenClaw installation

Additional flags:

• --config-path <path> — explicit config file path
• --openclaw-dir <path> — explicit OpenClaw installation directory

3. Connect Services

Add OAuth connections (Google, Microsoft, Slack, Telegram, etc.) and configure policies in the AgentHiFive dashboard.

Tools

| Tool | Description | |------|-------------| | agenthifive_execute | Execute an HTTP request through the vault proxy (Model B) | | agenthifive_approval_request | Create a step-up approval request for sensitive actions | | agenthifive_approval_commit | Wait for an approval to be resolved | | agenthifive_connections_list | List available connections and their status | | agenthifive_connection_revoke | Revoke a connection immediately |

Configuration

Plugin config goes in plugins.entries.agenthifive.config in your openclaw.json:

| Key | Type | Description | |-----|------|-------------| | baseUrl | string | AgentHiFive API base URL | | auth.mode | "agent" | "bearer" | Authentication mode | | auth.agentId | string | Agent ID (agent mode) | | auth.privateKey | string | Base64-encoded ES256 JWK (agent mode) | | auth.token | string | Bearer token (bearer mode) | | auth.tokenAudience | string | Token audience override (optional) | | connectedProviders | string[] | Provider names for prompt injection | | proxiedProviders | string[] | Providers using vault LLM proxy | | pollTimeoutMs | number | Approval poll timeout (default: 300000) | | pollIntervalMs | number | Approval poll interval (default: 3000) |

LLM Credential Proxying

The setup wizard automatically patches OpenClaw's resolveApiKeyForProvider() to route LLM API calls through the vault, so agents don't need local API keys.

The patch is applied during openclaw setup-vault and:

• Works with both npm installs (dist/ chunks) and source installs (src/)
• Creates a .bak backup of the patched file
• Is idempotent (safe to run multiple times)
• Uses dynamic imports — no-op when the plugin is not installed

To apply manually (e.g. after an OpenClaw upgrade), re-run the setup wizard or see patches/README.md.

Programmatic Usage

The package also exports classes for use outside the plugin system:

import { VaultClient, VaultTokenManager, VaultActionProxy } from "@agenthifive/openclaw";

// Direct API client
const client = new VaultClient({
  baseUrl: "https://app.agenthifive.com",
  auth: { mode: "bearer", token: "ah5t_..." },
});

// ES256 JWT token management
const tokenManager = new VaultTokenManager({
  baseUrl: "https://app.agenthifive.com",
  agentId: "agent_...",
  privateKey: jwk,
});
await tokenManager.init();

License

MIT