fix: v0.9.14 — OpenClaw 2026.4.1/4.2 compat + plugin install fix

[peg]

Summary

Fixes plugin install breakage introduced in OpenClaw 2026.4.1, plus two polish items caught during cold-start dogfooding.

Changes

Critical: package.json — remove openclaw.hooks field

OpenClaw 2026.4.1 added validateHookDir() which requires a HOOK.md file when the hook-pack install path is used. The openclaw.hooks field in package.json was triggering this path, causing:

Error: HOOK.md missing in /tmp/rampart-openclaw-plugin-XXXX/index.js

Removing openclaw.hooks routes the install through the plugin installer (openclaw.extensions path), which has no HOOK.md requirement. Plugin installs cleanly on 2026.4.1 and 2026.4.2.

status.go — show OpenClaw (plugin) in status summary

Previously showed OpenClaw (bridge) even when the native plugin was active. Now checks for ~/.openclaw/extensions/rampart first and shows OpenClaw (plugin) when present.

setup_openclaw_plugin.go — explain scanner false positive

OpenClaw's security scanner flags the plugin during install because it reads a local token file and makes authenticated requests. Added a note clarifying this is a false positive (localhost-only, no exfil).

Testing

• Cold start on OpenClaw 2026.4.2: install succeeds, no HOOK.md error
• rampart status shows OpenClaw (plugin)
• rampart doctor: 0 issues, 0 warnings
• before_tool_call enforcement verified: runBeforeToolCall is properly awaited in 2026.4.2 (closed bug: before_tool_call plugin hook is fire-and-forget in OpenClaw — BLOCK decisions not enforced #251)