Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.visiqlabs.com/llms.txt

Use this file to discover all available pages before exploring further.

@visiq/openclaw-plugin is an OpenClaw plugin that routes tool calls and LLM I/O through VisIQ’s ALLOW (action authorization), RECALL (context firewall), and RECORD (signed audit log) layers.

What it does

The plugin registers five OpenClaw hooks:
HookBehavior
before_tool_callFor retrieval tools (web_search, x_search, web_fetch, tool_search, tool_describe): runs ALLOW + RECALL. deny blocks the call; redact queues a redaction spec; escalate prompts a human approval.
tool_result_persistApplies any queued redaction spec to the tool’s output before it lands in the session transcript.
before_message_writeDefense-in-depth gate. If a redaction was queued but never applied, the message is dropped (fail-closed per G001).
llm_inputObserve-only telemetry sent to VisIQ /api/events.
llm_outputRECORD envelope sent to /api/events for Ed25519 + TSA signing.
Non-retrieval tools (writes, anything outside the retrieval set) are not gated by this plugin; their authorization is handled elsewhere in the broader VisIQ harness.

Interactive setup

For local development, install and configure the plugin interactively: 
openclaw plugins install @visiq/openclaw-plugin
openclaw plugins configure @visiq/openclaw-plugin
openclaw start
The configure step prompts for apiKey, agentId, and an optional baseUrl, then writes them to ~/.openclaw/openclaw.json under plugins.entries["@visiq/openclaw-plugin"].config.

Automated / CI setup

For pipelines, containers, and anywhere without an interactive TTY, supply credentials via environment variables: 
VISIQ_API_KEY=vk_live_... \
VISIQ_AGENT_ID=my-agent \
openclaw start
Optional: 
VISIQ_BASE_URL=https://api.visiqlabs.com
VISIQ_CONFIG_PATH=/etc/visiq/config.json   # alternate JSON file

Credential resolution precedence

The plugin resolves credentials in this order (highest priority first):
  1. Environment variables: VISIQ_API_KEY / VISIQ_AGENT_ID / VISIQ_BASE_URL
  2. JSON file at the path in VISIQ_CONFIG_PATH
  3. ~/.openclaw/openclaw.jsonplugins.entries["@visiq/openclaw-plugin"].config
  4. Interactive TTY prompt (only when stdout is a terminal)

Fail-open vs fail-closed

  • Unconfigured (missing credentials): every hook no-ops. A single structured warning is emitted to stderr explaining how to configure the plugin. This fail-open behavior is by design — the plugin should never break OpenClaw on first install before credentials are provisioned.
  • ALLOW or RECALL evaluation errors: fail-CLOSED per G001. The tool call is blocked with a clear [VisIQ ...] prefixed reason.
  • Telemetry errors: silently swallowed. Telemetry is best-effort and MUST NOT affect agent behavior.

Verifying the install

After openclaw start, trigger a web_search and confirm the call appears in the VisIQ dashboard’s Events view and Decision Receipts list.