
Fix OpenClaw runtime protection and plugin config integration#70

Merged
Mr-Lucky merged 3 commits into main from fix/openclaw-cloud-protect on May 15, 2026

Conversation

@Mr-Lucky
Contributor

Summary

This PR fixes AgentGuard's OpenClaw integration so OpenClaw tool calls are routed through runtime/cloud protection and plugin configuration is respected correctly.

Changes

  • Route OpenClaw before_tool_call events through protectAction()
  • Allow normal non-whitelisted OpenClaw exec commands to reach AgentGuard policy instead of being blocked at the plugin layer
  • Read OpenClaw's actual plugin registry state for auto-scan:
    • channel.registry
    • activeRegistry
    • legacy registry fallback
  • Respect api.pluginConfig.level from OpenClaw plugin config
  • Remove hardcoded level: 'balanced' from the generated OpenClaw plugin template
  • Harden local audit write failures so runtime decisions are still returned
  • Add integration and installer tests for OpenClaw runtime protection, auto-scan, and config level handling

All tests pass: 201 passed.

Type

  • [✅] Bug fix
  • New feature / detection rule
  • Refactoring
  • Documentation

Testing

  • [✅] npm run build passes
  • [✅] npm test passes (32 tests)
  • Manually tested the change

Related Issues

@github-actions

github-actions Bot commented May 15, 2026

AgentGuard PR Review

  1. severity: high. File: src/adapters/openclaw-plugin.ts, hunk around runtimeProtectionEnabled / catch (err)
    The new default behavior is to fail open for security-sensitive tool calls when protectAction throws, because runtimeFailureMode defaults to block but the implementation only blocks when isSecuritySensitiveRuntimeAction(runtimeActionType) returns true. mapOpenClawToolToRuntimeAction() now returns 'other' for any unrecognized tool, and the code then falls back to the local hook policy instead of blocking. A malicious or renamed tool can evade runtime protection just by avoiding the heuristic names.
    Fix: Treat any tool call with unclassified action as security-sensitive by default, or block on runtime protection failure unless the tool is explicitly known to be safe.

  2. severity: medium. File: src/adapters/openclaw-plugin.ts, mapOpenClawToolToRuntimeAction(...): RuntimeActionType
    The new classifier returns 'other' for tools it cannot recognize, but then classifies many actions as 'shell' based on weak heuristics like includes('command'), includes('request'), or inspecting params.command. This can misclassify benign file/network actions as shell and cause unnecessary blocking, and more importantly may still miss dangerous tools whose payload is nested differently.
    Fix: Require OpenClaw to provide an explicit tool/action mapping, or validate against a trusted allowlist of known tool schemas instead of free-form string heuristics.

  3. severity: medium. File: src/adapters/openclaw-plugin.ts, hunk adding pluginConfig and readOpenClawConfigLevel()
    The plugin now reads api.pluginConfig.level and overrides runtime config, but there is no validation that this config originates from a trusted source. If an attacker can influence plugin config, they can downgrade protection to permissive or balanced.
    Fix: Only accept level overrides from signed/trusted installer-generated config, or ignore external plugin config for security policy selection.

  4. severity: low. File: src/tests/runtime-cloud.test.ts, new test using cloudUrl: 'https://127.0.0.1:9'
    The test depends on a non-routable port and on audit write failure semantics, but protectAction now swallows audit write errors. If writeAuditLog behavior changes or filesystem permissions differ, the test may become flaky because it does not assert the audit failure path explicitly.
    Fix: Mock writeAuditLog/filesystem failure directly in the unit test rather than relying on environment behavior.
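The fail-open path described in finding 1, shown next to the fail-closed variant the finding recommends, as an added example that is not AgentGuard's code: the names protectAction, isSecuritySensitiveRuntimeAction and the 'other' action type mirror the review comment, but the signatures, the toy classifier and the known-safe list are assumptions constructed for this illustration.

```typescript
// Added example, not AgentGuard's implementation. Signatures are assumed.
type RuntimeActionType = 'shell' | 'file' | 'network' | 'other';
type Decision = 'allow' | 'block';

// Constructed classifier: unrecognized tools map to 'other', as in the review.
function mapOpenClawToolToRuntimeAction(tool: string): RuntimeActionType {
  const t = tool.toLowerCase();
  if (t === 'exec' || t === 'shell') return 'shell';
  if (t === 'read_file' || t === 'write_file') return 'file';
  if (t === 'http_request') return 'network';
  return 'other';
}

function isSecuritySensitiveRuntimeAction(a: RuntimeActionType): boolean {
  return a === 'shell' || a === 'file' || a === 'network';
}

// Stand-in for the runtime/cloud protectAction() call; `available=false`
// simulates the call throwing (network outage, misconfiguration).
function protectAction(available: boolean): Decision {
  if (!available) throw new Error('cloud protection unreachable (simulated)');
  return 'allow';
}

// Pattern flagged in finding 1: on failure, only actions classified as
// sensitive are blocked; an 'other' tool falls through to the local policy,
// so a tool that avoids the heuristic names is never held to the block mode.
function decideFailOpen(tool: string, available: boolean, localPolicy: Decision): Decision {
  const action = mapOpenClawToolToRuntimeAction(tool);
  try {
    return protectAction(available);
  } catch {
    return isSecuritySensitiveRuntimeAction(action) ? 'block' : localPolicy;
  }
}

// Suggested fix: unclassified actions are sensitive by default, so a runtime
// protection failure blocks unless the tool is on an explicit known-safe list.
const KNOWN_SAFE_TOOLS: ReadonlySet<string> = new Set(['get_time']); // assumed list
function decideFailClosed(tool: string, available: boolean, localPolicy: Decision): Decision {
  try {
    return protectAction(available);
  } catch {
    return KNOWN_SAFE_TOOLS.has(tool) ? localPolicy : 'block';
  }
}
```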

@Mr-Lucky Mr-Lucky merged commit 6bca1a8 into main May 15, 2026
4 checks passed