@f4bioo/berry-shield 2026.3.17 → 2026.3.20

package/docs/wiki/deploy/installation.md

@@ -14,7 +14,7 @@ This guide defines two installation tracks and when each one should be used.
 
 ## Prerequisites
 
-- Node.js 20 or newer.
+- Node.js 22.16.0 or newer.
 - OpenClaw runtime available in environment.
 - Git available in environment.
 

package/docs/wiki/operation/cli/README.md

@@ -76,14 +76,23 @@ openclaw bshield rules list
 Expected: CLI shows baseline and custom IDs, including `[ENABLED]` and `[DISABLED]` status.
 
 ### 6) Disable one baseline rule
-Use this to disable one baseline rule by stable ID.
+Use this to disable baseline rules by stable ID. This applies to both internal `berry:` patterns and `gitleaks:` community rules.
+
+Example (Berry Shield):
 ```bash
-openclaw bshield rules disable baseline secret:openai-key
+openclaw bshield rules disable baseline berry:secret:openai-key
+```
+
+Example (Gitleaks Community):
+```bash
+openclaw bshield rules disable baseline gitleaks:secret:aws-access-token
 ```
 Expected: CLI marks the target baseline rule as disabled.
 
 ### 7) Disable one custom rule
 Use this to keep a custom rule stored but inactive.
+
+Example (User custom):
 ```bash
 openclaw bshield rules disable custom secret:my-token-rule
 ```

package/docs/wiki/operation/cli/add.md

@@ -97,7 +97,7 @@ If cancel is selected, the wizard exits without persisting data.
 ### Step 2: Preset or custom pattern
 After choosing type, the wizard offers:
 - custom pattern
-- built-in presets for the selected type
+- baseline presets for the selected type
 - cancel
 
 If a preset is selected, name/pattern/placeholder values are prefilled from that preset.

package/docs/wiki/operation/cli/remove.md

@@ -40,6 +40,8 @@ Positional arguments:
 
 ### Remove an existing custom rule
 Use this when the exact custom rule id is known.
+
+Example (User custom):
 ```bash
 openclaw bshield rules remove custom secret:MyToken
 ```
@@ -47,6 +49,8 @@ Result: CLI confirms custom rule removal.
 
 ### Remove a custom file rule
 Use this when a file-pattern custom rule must be removed.
+
+Example (User custom):
 ```bash
 openclaw bshield rules remove custom file:team-key
 ```
@@ -61,8 +65,15 @@ Result: Removed custom rule no longer appears in custom entries.
 
 ### Disable a baseline rule (separate command)
 Use this when the target is a baseline ID.
+
+Example (Berry Shield):
+```bash
+openclaw bshield rules disable baseline berry:secret:openai-key
+```
+
+Example (Gitleaks Community):
 ```bash
-openclaw bshield rules disable baseline secret:openai-key
+openclaw bshield rules disable baseline gitleaks:secret:aws-access-token
 ```
 Result: Baseline rule is marked disabled in rules inventory.
 
@@ -70,13 +81,24 @@ Result: Baseline rule is marked disabled in rules inventory.
 
 ### Wrong target
 Use this to validate explicit target semantics.
+
+Example (Berry Shield):
 ```bash
-openclaw bshield rules remove baseline secret:openai-key
+# openclaw bshield rules remove baseline <id>
+openclaw bshield rules remove baseline berry:secret:openai-key
+```
+
+Example (Gitleaks Community):
+```bash
+# openclaw bshield rules remove baseline <id>
+openclaw bshield rules remove baseline gitleaks:secret:aws-access-key
 ```
 Expected: CLI returns usage error because remove supports only custom target.
 
 ### Rule not found
 Use this to verify missing-rule behavior.
+
+Example (User custom):
 ```bash
 openclaw bshield rules remove custom secret:UnknownRule
 ```

package/docs/wiki/operation/cli/rules.md

@@ -46,30 +46,54 @@ openclaw bshield rules remove custom <id>
 Expected: Removes one custom rule by typed id (`secret:<name> | file:<name> | command:<name>`).
 
 ### Disable one baseline rule
-Use this to disable a single baseline rule when you need a controlled exception.
+Use this to disable baseline rules by stable ID. This applies to both internal `berry:` patterns and `gitleaks:` community rules.
+
+Example (Berry Shield):
+```bash
+# openclaw bshield rules disable baseline <id>
+openclaw bshield rules disable baseline berry:secret:openai-key
+```
+
+Example (Gitleaks Community):
 ```bash
-openclaw bshield rules disable baseline <id>
+# openclaw bshield rules disable baseline <id>
+openclaw bshield rules disable baseline gitleaks:secret:aws-access-token
 ```
 Expected: Marks one baseline rule as disabled.
 
 ### Disable one custom rule
 Use this to disable one custom rule without deleting it.
+
+Example (User custom):
 ```bash
-openclaw bshield rules disable custom <id>
+# openclaw bshield rules disable custom <id>
+openclaw bshield rules disable custom secret:my-token-rule
 ```
 Expected: Marks one custom rule as disabled and keeps it in inventory.
 
 ### Enable one baseline rule
-Use this to re-enable a previously disabled baseline rule by ID.
+Use this to re-enable baseline rules by stable ID. This applies to both internal `berry:` patterns and `gitleaks:` community rules.
+
+Example (Berry Shield):
+```bash
+# openclaw bshield rules enable baseline <id>
+openclaw bshield rules enable baseline berry:secret:openai-key
+```
+
+Example (Gitleaks Community):
 ```bash
-openclaw bshield rules enable baseline <id>
+# openclaw bshield rules enable baseline <id>
+openclaw bshield rules enable baseline gitleaks:secret:aws-access-token
 ```
 Expected: Marks one baseline rule as enabled.
 
 ### Enable one custom rule
 Use this to re-enable one custom rule by ID.
+
+Example (User custom):
 ```bash
-openclaw bshield rules enable custom <id>
+# openclaw bshield rules enable custom <id>
+openclaw bshield rules enable custom secret:my-token-rule
 ```
 Expected: Marks one custom rule as enabled.
 
@@ -128,21 +152,36 @@ Expected: Applies enable to full rule scope (`baseline + custom`).
 
 ### Wrong target for remove
 Use this check to validate that remove only accepts the custom target.
+
+Example (Berry Shield):
+```bash
+# openclaw bshield rules remove baseline <id>
+openclaw bshield rules remove baseline berry:secret:openai-key
+```
+
+Example (Gitleaks Community):
 ```bash
-openclaw bshield rules remove baseline secret:openai-key
+# openclaw bshield rules remove baseline <id>
+openclaw bshield rules remove baseline gitleaks:secret:aws-access-token
 ```
 Expected: Usage failure (remove supports only custom target).
 
 ### Unknown baseline ID
 Use this check to validate error handling when an ID does not exist in baseline catalog.
+
+Example (Berry Shield):
 ```bash
-openclaw bshield rules disable baseline secret:does-not-exist
+# openclaw bshield rules disable baseline <id>
+openclaw bshield rules disable baseline berry:secret:does-not-exist
 ```
 Expected: Operation failure (`Unknown baseline rule id`).
 
 ### Unknown custom ID
 Use this check to validate error handling when a custom rule is not found.
+
+Example (User custom):
 ```bash
+# openclaw bshield rules disable custom <id>
 openclaw bshield rules disable custom secret:does-not-exist
 ```
 Expected: Operation failure (`Unknown custom rule id`).

package/docs/wiki/operation/cli/test.md

@@ -1,17 +1,17 @@
 ---
 summary: "CLI reference for `openclaw bshield test` (test one input against active match patterns)"
 read_when:
-  - You need to verify if a string matches built-in or custom patterns
+  - You need to verify if a string matches baseline or custom patterns
   - You are validating custom regex behavior before production use
 title: "test"
 ---
 
 # `openclaw bshield test`
 
-Test one input string against active built-in and custom match patterns.
+Test one input string against active baseline and custom match patterns.
 
 ## What it does
-- Loads built-in secret/PII patterns and custom secret rules.
+- Loads baseline secret/PII patterns and custom secret rules.
 - Evaluates the provided input against active patterns.
 - Prints either no-match output or match details with rule source and redaction placeholder.
 
@@ -45,7 +45,7 @@ Expected: CLI reports no matches or prints one or more matching rule entries.
 
 ## Options
 Positional argument:
-- `<input>`: string to test against active built-in and custom patterns.
+- `<input>`: string to test against active baseline and custom patterns.
 
 ## Examples
 
@@ -78,9 +78,24 @@ openclaw bshield test "SMOKE_WEB_CMD"
 Expected: `No matches found` because this command does not evaluate custom command/file rules.
 
 ### Typed ID input is not a payload value
-Use this when input is a rule ID format.
+Use this when input is a rule ID format to confirm it is not used as a test literal.
+
+Example (Berry Shield):
+```bash
+# openclaw bshield test "<input>"
+openclaw bshield test "berry:command:smoke-web-cmd"
+```
+
+Example (Gitleaks Community):
+```bash
+# openclaw bshield test "<input>"
+openclaw bshield test "gitleaks:secret:aws-access-token"
+```
+
+Example (User custom):
 ```bash
-openclaw bshield test "command:smoke-web-cmd"
+# openclaw bshield test "<input>"
+openclaw bshield test "secret:my-token"
 ```
 Expected: no matches and guidance that typed IDs are rule identifiers, not payload values for this command.
 

package/docs/wiki/tutorials/incident-triage-report.md

@@ -1,4 +1,4 @@
----
+---
 summary: "Use report output for incident triage and policy follow-up"
 read_when:
   - You need to investigate suspicious activity patterns

package/openclaw.plugin.json

@@ -2,7 +2,7 @@
     "id": "berry-shield",
     "name": "Berry Shield",
     "description": "Security plugin that helps to block destructive commands, redact secrets and PII",
-    "version": "2026.3.17",
+    "version": "2026.3.20",
     "configSchema": {
         "type": "object",
         "additionalProperties": false,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@f4bioo/berry-shield",
-  "version": "2026.3.17",
+  "version": "2026.3.20",
   "description": "OpenClaw plugin for policy checks, command/file blocking, and sensitive-data redaction.",
   "keywords": [
     "openclaw",