Kansodata Glue Plugin
OpenClaw plugin and companion skill for controlled AWS Glue orchestration writes and ETL catalog diagnostics.
Install
$
openclaw plugins install clawhub:@kansodata/kansodata-glue-plugin@kansodata/kansodata-glue-plugin
OpenClaw plugin runtime + companion skill for AWS Glue operations with controlled V1 write scope and ETL diagnostics focused on Glue Catalog partition behavior.
V1 Scope
Included
- Controlled writes:
glue_create_workflowglue_update_workflowglue_create_triggerglue_update_trigger
- Operational reads:
glue_list_workflowsglue_get_workflowglue_list_triggersglue_get_triggerglue_get_catalog_tableglue_list_catalog_tablesglue_get_catalog_partitions_sampleglue_explain_partitioning
Explicitly excluded in V1
- Create/update/delete for Glue Jobs.
- Create/update/delete for Glue Crawlers.
- Destructive default actions.
- Unsafe auto-apply flows.
Architecture
- Native OpenClaw plugin entrypoint:
src/openclawEntry.ts(definePluginEntry+api.registerTool). src/runtime: plugin runtime orchestration and tool dispatch.src/config: strict configuration loading and validation.src/client: AWS Glue client creation.src/services: Glue service adapter with output shaping and safe updates.src/tools: V1 tool implementations by domain (workflows,triggers,catalog).src/guards: write guards (allowlist, secret detection, read-before-write).src/errors: typed error hierarchy.skills/kansodata-glue-operator: companion operator skill.docs: architecture, threat model, rollback, roadmap, usage.
Installation
npm install
npm run build
Configuration
Effective config keys (OpenClaw pluginConfig + env fallback):
regionprofileendpointOverrideallowedNamePrefixesenforcePrefixAllowlistdryRunByDefaultmaxPartitionSampleSize
Precedence order:
- OpenClaw plugin config (
api.pluginConfig) - Environment variables
- Safe defaults already defined in schema (
allowedNamePrefixes,enforcePrefixAllowlist,dryRunByDefault,maxPartitionSampleSize)
Optional:
AWS_PROFILEKANSODATA_GLUE_ENDPOINT_OVERRIDEKANSODATA_GLUE_ALLOWED_PREFIXES(comma separated)KANSODATA_GLUE_ENFORCE_PREFIX_ALLOWLIST(defaulttrue)KANSODATA_GLUE_DRY_RUN_BY_DEFAULT(defaulttrue)KANSODATA_GLUE_MAX_PARTITION_SAMPLE_SIZE(default10, max25)
Fail-closed behavior:
- Missing region across OpenClaw config + env fails.
- Allowlist enforcement with empty prefix list fails.
- Write operations outside allowed prefixes fail when enforcement is active.
- Potential secret-like payloads are rejected.
Security and Hardening
- Strict TypeScript + strong input validation (
zod). - Error sanitization and explicit error taxonomy.
- No raw AWS payloads exposed by tools.
glue_update_triggeraccepts only fields that AWSUpdateTriggercan really apply (schedule,description,actions,predicate).- Update tools use controlled fields only, with read-before-write discipline.
- Dry-run defaults to
true.
Usage (runtime helpers)
import { createPluginRuntime } from "@kansodata/kansodata-glue-plugin";
const runtime = createPluginRuntime();
const result = await runtime.executeTool("glue_list_workflows", { limit: 10 });
console.log(result.summary, result.data);
See docs/usage.md for more examples.
OpenClaw Wiring
openclaw.plugin.jsondeclares plugin id, contracts, config schema, and companion skills ("./skills").package.jsondeclares OpenClaw runtime extension entrypoint ("./dist/openclawEntry.js").src/openclawEntry.tsis the canonical plugin entry and registers tool contracts via the official OpenClaw SDK.
Plugin/Skill Relationship
- Plugin executes controlled AWS Glue operations.
- Skill governs operational sequence:
read -> plan -> validate -> apply -> verify. - Skill does not replace plugin guardrails; it enforces higher-level operator discipline.
Validation Commands
npm run lint
npm run typecheck
npm run build
npm test
