aarvion · guard for openclaw

changelog/

What shipped.

Straight from the repo history, including the fixes that came out of running the guard against a live OpenClaw. Full detail is in the commit log.

2026 · 07 · 10

fix

Telegram approvals give visible feedback on every tap

The approval message edits itself when you tap, win or lose the race with the console, so your phone never leaves you guessing.

fix

Live-caught: OpenClaw names its shell tool Bash

Found by governing a real agent turn, not a test rig. The normalizer now recognizes the capitalized tool and the command-in-map shape, with a regression test.

feat

Approvals gate the call end to end

The plugin holds a sensitive action while the guard waits for your tap on Telegram or in the console. No answer in 90 seconds means no.

feat

Console: packs board, learning panel, approvals inbox

The local console grew the three consumer views. Loopback only, token-gated, served by the guard itself.

feat

Learn mode: watch first, then make it policy

Every pack starts in observe. The guard records what each agent actually does; one click turns the profile into policy.

feat

Policy packs engine: seven packs, two compilers

One pack definition compiles to tighten-only local rules and to the signed cloud bundle. Local changes can never loosen policy.

feat

Semantic action normalizer

Tool calls classify by intent (twitter.post, file.delete, email.send) instead of by command substrings. Flag order and quoting tricks stop mattering.

feat

One-command onboard

aarvion-guard onboard pairs the machine, installs the plugin into a stock OpenClaw, wires the environment, and restarts.

2026 · 07 · 09

feat

Standalone OpenClaw plugin

Installable against an unmodified OpenClaw; every tool surface checks in with the guard before it runs.

feat

Kill switch and break-glass levers

A file-driven emergency stop, for the day something needs to halt right now.

feat

Egress allowlist with observe and enforce modes

Default-deny network egress, plus a learn-mode observer that proposes the allowlist from real traffic.

feat

Audit sinks: JSONL, Prometheus, deny webhook

Hash-chained decisions, exportable, with metrics and per-host rate limits alongside.