@darkelogix/openclaw-trusted-mode

v1.0.7

MIT-licensed OpenClaw Trusted Mode plugin with standalone hardening and optional SDE-backed governance

Terminology and acronyms: GLOSSARY.md.

Acronym Expansions

  • SDE: Strategic Decision Engine
  • PDP: Policy Decision Point
  • WSL: Windows Subsystem for Linux
  • CI: Continuous Integration

OpenClaw plugin that enforces Trusted Mode policy checks on before_tool_call. Documentation index (by audience and task): docs/README.md.

npm Package

Install the public MIT adapter/plugin package with:

npm install @darkelogix/openclaw-trusted-mode

What npm install gives you

npm install @darkelogix/openclaw-trusted-mode gives you the MIT adapter/plugin layer and standalone hardening flow only. It does not grant access to the proprietary SDE runtime, enterprise deployment packs, or governed tenant entitlements.

Need governed mode?

If you want SDE-backed governed mode, obtain your licensed SDE runtime and deployment instructions from the Darkelogix customer console. Use the public npm package for adapter installation, then connect it to your licensed SDE environment for governed authorization, evidence, and rollout controls.

The npm package contains the MIT plugin files and standalone hardening logic only. It does not include the proprietary sde-enterprise runtime.

Licensing

openclaw-trusted-mode is licensed under the MIT License.

sde-enterprise, including the SDE PDP runtime and related enterprise deployment assets, is proprietary software and is not covered by the plugin's MIT license. Use, copying, modification, distribution, or deployment of the SDE runtime requires a separate commercial license or written permission from Darkelogix.

  • First-time setup (download/install/configure/test/run): START_HERE.md.
  • Troubleshooting decision tree: SELF_SERVICE_FAQ.md.
  • Org defaults and support metadata: <org-values-file>.
  • One-command setup: powershell -ExecutionPolicy Bypass -File <bootstrap-self-service-script-path>.
  • For full install/reinstall/uninstall/startup/config/troubleshooting guidance across both plugin and SDE-PDP, see OPERATIONS_GUIDE.md.
  • For a simpler operator runbook, see RUNBOOK_NON_TECHNICAL.md.
  • For go-live gating, use PRODUCTION_READINESS_CHECKLIST.md.
  • For a pre-filled starting point, use PRODUCTION_READINESS_CHECKLIST_EXAMPLE.md.
  • For alternate port deployments, use PRODUCTION_READINESS_CHECKLIST_EXAMPLE_ALT_PORTS.md.
  • For public launch readiness, use PUBLIC_RELEASE_READINESS_CHECKLIST.md.
  • For end-to-end public release execution steps (what/where/how), use PUBLIC_RELEASE_PROCESS_RUNBOOK.md.
  • For certified runtime support status, see COMPATIBILITY_MATRIX.md.
  • For vulnerability reporting and security posture, see SECURITY.md.
  • For release hardening process, see RELEASE_OPERATIONS.md.
  • For security evidence indexing, see SECURITY_EVIDENCE_BUNDLE.md.
  • For performance baseline evidence, see PERFORMANCE_BASELINE.md.
  • For governed release declaration, see RELEASE_v1.0.0.md.

What it does

  • Free standalone mode defaults to local hardening with a minimal allowlist:
    • read_file
    • list_files
    • search_files
  • Blocks high-risk tools such as exec, file writes/edits, and deletes unless you deliberately widen the policy.
  • Sends tool call context to a Policy Decision Point (PDP) endpoint.
  • Denies execution when PDP returns a deny decision.
  • Optionally enforces returned constraints.
  • Supports fail-closed (default) or fail-open behavior.
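
The allowlist, PDP deny, and fail-closed/fail-open behaviours listed above, modelled as an added example; this is not the plugin's source code. The function name gateToolCall, the synchronous pdp callback, and the { decision } response shape are assumptions made for illustration, and the model treats any PDP response other than an explicit allow as a deny.

```javascript
// Added illustration of a before_tool_call policy gate; not the plugin's source.
// gateToolCall, the pdp callback and its { decision } response shape are assumptions.
function gateToolCall(toolName, cfg, pdp) {
  if (cfg.toolPolicyMode === "ALLOWLIST_ONLY") {
    const listed = Array.isArray(cfg.allowedTools) && cfg.allowedTools.includes(toolName);
    return listed
      ? { allow: true, reason: "allowlisted" }
      : { allow: false, reason: "not in allowedTools" };
  }
  if (cfg.toolPolicyMode === "PDP") {
    let res;
    try {
      // Modelled as synchronous; throws when the PDP times out or is unreachable.
      res = pdp({ tool: toolName, tenantId: cfg.tenantId });
    } catch (err) {
      // Outage path: failClosed decides whether the call is blocked or let through.
      return cfg.failClosed === false
        ? { allow: true, reason: "PDP unavailable, fail-open" }
        : { allow: false, reason: "PDP unavailable, fail-closed" };
    }
    // Assumption: anything other than an explicit allow is treated as a deny.
    return res && res.decision === "allow"
      ? { allow: true, reason: "PDP allow" }
      : { allow: false, reason: "PDP deny" };
  }
  return { allow: false, reason: "unknown toolPolicyMode" };
}

// Constructed sample inputs.
const standalone = {
  toolPolicyMode: "ALLOWLIST_ONLY",
  allowedTools: ["read_file", "list_files", "search_files"],
};
const governed = { toolPolicyMode: "PDP", tenantId: "trial-tenant", failClosed: true };
const pdpDown = () => { throw new Error("timeout"); };
const pdpDeny = () => ({ decision: "deny" });

function demo() {
  return [
    gateToolCall("read_file", standalone).reason,
    gateToolCall("exec", standalone).reason,
    gateToolCall("exec", governed, pdpDeny).reason,
    gateToolCall("read_file", governed, pdpDown).reason,
    gateToolCall("read_file", { ...governed, failClosed: false }, pdpDown).reason,
  ];
}
console.log(demo());
```

The last two results differ only in failClosed: with the PDP unreachable, the fail-open variant lets the call through without any policy decision having been made.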

Free vs Paid

The product boundary should be explicit at install time:

  • npm install gets you the adapter/plugin and standalone hardening path
  • governed mode requires a separately licensed SDE deployment
  • the customer console is the supported way to obtain governed runtime artifacts and deployment instructions

  • Free standalone use:
    • useful as a local hardening layer
    • works without sde-enterprise
    • best for "read/search only" OpenClaw sessions
  • Paid / enterprise use:
    • PDP-backed authorization and deny decisions
    • signed policy packs
    • tenant entitlements and governed rollout
    • release attestation and compatibility certification

Build and test

npm run build
npm test
npm run adversarial-check
npm run performance-benchmark
npm run test-pack-matrix

Trusted Mode Check

npm run trusted-mode-check
npm run trusted-mode-check -- --json

trusted-mode-check is a PDP-backed validation path. It is useful for SDE-integrated deployments, not for standalone free-mode validation.

JSON output status values:

  • ENFORCED_OK
  • LOCKDOWN_ONLY
  • UNSAFE

Attestation pack inputs:

  • attestation/trusted_mode_attest_v1.json
  • attestation/trusted_mode_attest_v1.sig

Runtime/certification env vars:

  • CERTIFICATION_STATUS (CERTIFIED_ENFORCED | LOCKDOWN_ONLY | UNSUPPORTED)
  • OPENCLAW_VERSION
  • EXPECTED_STATUS (optional CI assertion override)

Local install in OpenClaw (WSL)

openclaw plugins install /mnt/c/path/to/openclaw-trusted-mode
openclaw plugins info openclaw-trusted-mode

For a standalone free-mode config, start from openclaw.user-config.entry.example.json.

For governed mode, install/register the plugin first, then write the OpenClaw host config with:

openclaw-trusted-mode-configure \
  --tenantId darkelogix \
  --gatewayId gw-dev \
  --environment dev \
  --pdpUrl http://10.90.0.6:8001/v1/authorize \
  --certificationStatus LOCKDOWN_ONLY

This command updates ~/.openclaw/openclaw.json, adds openclaw-trusted-mode to plugins.allow, and writes the governed plugin settings under plugins.entries.openclaw-trusted-mode.

Plugin config

See openclaw.plugin.json for config schema and defaults, including:

  • pdpUrl
  • policyVariant
  • pdpTimeoutMs
  • failClosed
  • tenantId
  • certificationStatus
  • openclawVersion
  • certifiedOpenClawVersions
  • highRiskTools
  • toolPolicyMode
  • allowedTools
  • requireTenantId
  • allowedTenantIds
  • contextCurator

Recommended standalone free-mode baseline:

{
  "toolPolicyMode": "ALLOWLIST_ONLY",
  "allowedTools": ["read_file", "list_files", "search_files"],
  "failClosed": true,
  "certificationStatus": "LOCKDOWN_ONLY"
}

Recommended paid / PDP-backed baseline:

{
  "toolPolicyMode": "PDP",
  "pdpUrl": "http://localhost:8001/v1/authorize",
  "tenantId": "trial-tenant",
  "gatewayId": "gw-smoke-1",
  "environment": "prod",
  "failClosed": true,
  "certificationStatus": "LOCKDOWN_ONLY"
}
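
A small config lint that compares a plugin config against the two baselines above, as an added example; it is not part of the package, and its rules are this example's own checks rather than behaviour of the plugin. It flags fail-open settings, allowlists widened beyond the three baseline tools, and a pdpUrl that uses plain http to a non-loopback host; the widened and remotePdp inputs are constructed variants of the baselines.

```javascript
// Added illustration: lint a plugin config against the README's two baselines.
// The rules are this example's own checks, not behaviour of the plugin.
const BASELINE_TOOLS = ["read_file", "list_files", "search_files"];
const LOOPBACK = ["localhost", "127.0.0.1", "[::1]"];

function auditConfig(cfg) {
  const findings = [];
  if (cfg.failClosed !== true) findings.push("failClosed is not true (fail-open)");
  if (cfg.toolPolicyMode === "ALLOWLIST_ONLY") {
    const extra = (cfg.allowedTools || []).filter((t) => !BASELINE_TOOLS.includes(t));
    if (extra.length) findings.push("allowlist widened beyond baseline: " + extra.join(", "));
  } else if (cfg.toolPolicyMode === "PDP") {
    if (!cfg.tenantId) findings.push("tenantId missing in PDP mode");
    let url = null;
    try {
      url = new URL(cfg.pdpUrl);
    } catch (err) {
      findings.push("pdpUrl missing or not a valid URL");
    }
    // Plain http is only reasonable when the PDP is on the same host.
    if (url && url.protocol === "http:" && !LOOPBACK.includes(url.hostname)) {
      findings.push("pdpUrl is plain http to " + url.hostname);
    }
  } else {
    findings.push("unrecognized toolPolicyMode: " + String(cfg.toolPolicyMode));
  }
  return findings;
}

// The two baselines from the README, then two constructed variants.
const standaloneBaseline = {
  toolPolicyMode: "ALLOWLIST_ONLY",
  allowedTools: ["read_file", "list_files", "search_files"],
  failClosed: true, certificationStatus: "LOCKDOWN_ONLY",
};
const pdpBaseline = {
  toolPolicyMode: "PDP", pdpUrl: "http://localhost:8001/v1/authorize",
  tenantId: "trial-tenant", gatewayId: "gw-smoke-1", environment: "prod",
  failClosed: true, certificationStatus: "LOCKDOWN_ONLY",
};
const widened = { ...standaloneBaseline, allowedTools: ["read_file", "exec"], failClosed: false };
const remotePdp = { ...pdpBaseline, pdpUrl: "http://10.90.0.6:8001/v1/authorize" };

for (const [name, cfg] of Object.entries({ standaloneBaseline, pdpBaseline, widened, remotePdp })) {
  console.log(name, auditConfig(cfg));
}
```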

Compatibility Matrix Automation

npm run update-compatibility-matrix
npm run verify-compatibility-matrix

Security Gates

npm run collect-security-evidence
npm run generate-security-release-index
npm run verify-security-gates

Schema Contract and Evidence Bundle

npm run verify-plugin-schema-contract
npm run bundle-release-evidence

Startup Health Verification

npm run startup-health-check -- --skip-plugin-check