APort Open Agent Protocol (OAP) for OpenClaw
Pre-action authorization for AI agents. Enforces YAML capability manifests before tool calls via the Open Agent Protocol (OAP).
This plugin gives your OpenClaw agent two tools:
| Tool | Description |
|---|---|
aport_check |
Validate a planned tool call against your OAP capability manifest before executing it |
aport_passport |
Read or generate an agent-passport.yaml for the current session |
Optional enforcement mode: set mode: "enforce" to register a before_tool_call hook that automatically blocks any tool call not in your policy — the agent cannot bypass it.
openclaw plugins install @aporthq/openclaw-plugin-aport-oapSee docs/quick-start.md for the full guide.
TL;DR:
- Install the plugin
- Ask your agent: "Generate an agent passport for this session."
- Edit
./agent-passport.yamlto list exactly what tools this agent may call - The agent will use
aport_checkbefore executing sensitive operations
Agent plans a tool call
↓
aport_check({ tool_name: "exec", params: {...} })
↓
Policy evaluator reads agent-passport.yaml
↓
{ allowed: true/false, reason: "...", policy_applied: "local-yaml", decision_id: "..." }
↓
Agent proceeds (or stops if not allowed)
In enforce mode, the before_tool_call hook does this automatically — no explicit aport_check call needed.
{
"plugins": {
"entries": {
"aport-oap": {
"mode": "audit",
"policyFile": "./agent-passport.yaml"
}
}
}
}| Key | Values | Default |
|---|---|---|
mode |
audit | enforce |
audit |
policyFile |
path | ./agent-passport.yaml |
passportId |
APort passport ID | — |
apiUrl |
URL | https://api.aport.io |
apiKey |
string | $APORT_API_KEY |
auditLog |
JSONL path | — |
- aport-agent-guardrails — Core OAP library with
before_tool_callenforcement, bash evaluator, and framework adapters - OAP Spec — DOI: 10.5281/zenodo.18901596
- aport.io — Hosted passports, Global Suspend, dashboard
Apache 2.0 — see LICENSE