[Feature] Hooks extensions for security plugins (and more)

[zeroaltitude]

Summary

Add hook surfaces needed for trust-aware security/provenance plugins (identity context, loop observability, LLM/tool/response interception, and session-memory controls).

Problem to solve

Security/provenance plugins need intervention points, not just observation. Today it’s hard (or impossible) for a plugin to reliably:

• determine who triggered a run (owner vs non-owner, group vs DM, provenance chain) in a consistent hook context
• observe iteration/loop behavior for guardrails and debugging
• filter/block tool calls based on trust/taint policies as a batch after the LLM responds
• redact/block the final response/tools before used or emitted and persisted
• prevent/quarantine/redact session-memory persistence for sensitive conversations

Without these, policy plugins either can’t enforce controls or must rely on brittle workarounds.

Proposed solution

A small series of additive PRs that expand the hook surface and session-memory policy controls while keeping each change reviewable and low-risk. Exact event/result shapes and detailed semantics live in the PRs; this issue is intended to provide the motive and rationale behind developed, proposed solutions to these problems.

Proposed merge order:

1. Identity context plumbing: feat(hooks): add sender identity and session context to plugin hook agent context [claude, human developer oversight] #33914
2. Loop observability hooks (void/parallel): feat(hooks): add context_assembled, loop_iteration_start/end observability hooks [claude, human developer oversight] #33915
3. Session-memory policy controls (block/quarantine/override content): feat(hooks): add session memory policy controls (blockSessionSave, redirectPath) [claude, human developer oversight] #35567
4. New content/tool-mutating interception hooks (largest): feat(hooks): add before_llm_call, after_llm_call, before_response_emit tool/content mutating hooks [claude, human developer oversight] #33916

Alternatives considered

• Bake security/provenance into core instead of as a plug-in: heavier architectural commitment; less flexible than providing hook primitives; genuinely believe in plugin power as an alternative to a massive openclaw core
• Rely only on existing void hooks (llm_input/llm_output) + before_tool_call: still missing early LLM input filtering, batch tool-call gating, and response emission gating.

My belief at the moment is that something of this shape is necessary for the kind of plugin that can address prompt injection risks in a deterministic way.

Impact

• Enables a new class of security/provenance plugins to implement trust-aware controls without invasive core changes.

Evidence/examples

• I’ve been running my openclaw-provenance and openclaw-vestige plugins locally for ~1 month: https://github.com/zeroaltitude/openclaw-plugins/,
• openclaw-provenance: demonstrates trust/taint tracking that can dynamically gate tooling during an agent run (e.g. content fetched from an untrusted URL taints context and blocks subsequent exec). Screenshot below shows a live example while building a PhaserJS OpenClaw dashboard,
• Hooks used: after_llm_call (batch tool-call filtering/blocking), before_response_emit (optional output gating), identity/loop hooks for provenance context,
• openclaw-vestige: deterministically injects salient memories into the prompt by modifying context right before the LLM call,
• Hooks used: before_llm_call (inject/remove content). Measured overhead: ~50ms pre-staging per call in my setup (DeBERTa-based scoring)

Additional information

In local production for ~1mo. Developer working with well-groomed agents.

[bmendonca3]

Thanks for laying this out as a split series. I went back through the linked PRs after cleaning up my own placeholder/intake branches so review stays on the implementation threads.

My read after looking at the current branches is:

• #33914 and #33915 look like the strongest merge candidates as separate additive pieces.
• #35567 feels split-worthy: blockSessionSave / sessionSaveContent are much easier to review than sessionSaveRedirectPath, which widens file-write policy and pulls in most of the canonicalization / symlink complexity.
• #33916 looks like the main reviewer-burden problem. The after_llm_call gate bridge is clever, but the current implementation is explicitly best-effort async, so it doesn't seem strong enough for the deterministic security / policy-gating story this issue is aiming at. If that piece moves forward, I think it likely wants either a synchronous integration point or a split so before_llm_call / before_response_emit can be reviewed separately from after_llm_call.

If I pick something up in this area later, I'll do it as a narrow follow-up or superseding code PR in one of those scopes rather than another umbrella thread.

[zeroaltitude]

Excellent @bmendonca3 ! This morning, I'm

• Tidying up 33914 and 33915
  • Done!
• Splitting 35567 along the lines you suggest
  • feat(hooks): postHookActions mechanism, blockSessionSave/sessionSaveContent, and slug-generation hardening #38161
  • feat(hooks): add sessionSaveRedirectPath to session memory handler [claude, human developer oversight] #38162
  • Done!
  • Improved hook architecture with a new feature: postHookActions (38161)
  • Improved slug security with disableTools: true (38161)
• Splitting 33916 along the lines you suggest
  • feat(hooks): add before_llm_call + after_llm_call plugin hooks [claude, human developer oversight] #39206 [before_llm_call, after_llm_call]
    • Added a strong guarantee, instead of best effort, for after_llm_call synchronization!
  • feat(hooks): add before_response_emit hook for output policies [claude, human developer oversight] #39207 [before_response_emit hook]

There will still be a couple of big ones in the stack, but this will be easier and cleaner! Thanks for the suggestions!

@bmendonca3: NB, the splits have taken place! @darfaz issue for the broader series of PRs, FYSA

[constansino]

I just published a concrete plugin in this area:

• Repo: https://github.com/constansino/openclaw-chat-only-trigger
• Release: https://github.com/constansino/openclaw-chat-only-trigger/releases/tag/v0.1.0

The plugin is basically a runtime least-privilege layer for public chats / groups:

• message_received captures sender + channel metadata
• before_model_resolve switches the turn onto a fixed chat model
• before_prompt_build injects a no-tools / no-actions system rule
• before_tool_call hard-blocks tools
• subagent_spawning hard-blocks subagents / ACP

One practical takeaway from implementing it: current hooks are already enough to ship useful guardrails, but missing sender identity on PluginHookAgentContext forces a workaround. I currently cache inbound sender metadata from message_received and map it back later via session / conversation keys.

So the hook-surface direction in this issue feels very practical from a real plugin-author perspective, not theoretical.