@upx-us/shield 0.2.12-beta

package/dist/src/sender.js

@@ -0,0 +1,186 @@
+"use strict";
+/**
+ * sender.ts — Shield ingest API sender
+ *
+ * Posts events to the Shield ingest API via HMAC-SHA256 authentication.
+ * Events are batched and sent to the configured Shield endpoint only —
+ * no cloud provider details are exposed in this module.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.REQUEST_TIMEOUT_MS = void 0;
+exports._signRequestWithSecret = _signRequestWithSecret;
+exports.sendEvents = sendEvents;
+exports.reportInstance = reportInstance;
+const crypto_1 = require("crypto");
+const log = __importStar(require("./log"));
+const version_1 = require("./version");
+const BATCH_SIZE = 100;
+exports.REQUEST_TIMEOUT_MS = 30_000;
+function errMsg(err) {
+    return err instanceof Error ? err.message : String(err);
+}
+function envHeaders(shieldEnv) {
+    return shieldEnv ? { 'X-Shield-Env': shieldEnv } : {};
+}
+function generateNonce() {
+    return `${Date.now()}-${Math.random().toString(36).slice(2, 10)}`;
+}
+function signRequest(instanceId, nonce, secret) {
+    const message = `${instanceId}:${nonce}`;
+    return (0, crypto_1.createHmac)('sha256', secret).update(message).digest('hex');
+}
+/** Exported for testing only — computes HMAC with an explicit secret */
+function _signRequestWithSecret(secret, instanceId, nonce) {
+    const message = `${instanceId}:${nonce}`;
+    return (0, crypto_1.createHmac)('sha256', secret).update(message).digest('hex');
+}
+async function fetchWithTimeout(url, init, timeoutMs = exports.REQUEST_TIMEOUT_MS) {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    try {
+        return await fetch(url, { ...init, signal: controller.signal });
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+async function sendEvents(events, config) {
+    if (events.length === 0)
+        return [];
+    if (config.dryRun) {
+        log.info('sender', `DRY RUN — ${events.length} events in ${Math.ceil(events.length / BATCH_SIZE)} batch(es) (not sent)`);
+        for (let i = 0; i < events.length; i += BATCH_SIZE) {
+            const batch = events.slice(i, i + BATCH_SIZE);
+            const toolNames = batch.map((e) => e.event?.tool_name || 'unknown').join(', ');
+            log.info('sender', `Batch ${Math.floor(i / BATCH_SIZE) + 1}: ${batch.length} events [${toolNames}]`);
+            log.debug('sender', `Dry-run batch detail`, { entries: batch });
+        }
+        return [{ success: true, statusCode: 200, body: 'dry-run', eventCount: events.length }];
+    }
+    const { apiUrl, instanceId, hmacSecret, shieldEnv } = config.credentials;
+    if (!apiUrl || !instanceId || !hmacSecret) {
+        log.error('sender', 'Missing credentials (apiUrl, instanceId, or hmacSecret). Run: npx shield-setup');
+        return [{ success: false, statusCode: 0, body: 'missing credentials', eventCount: events.length }];
+    }
+    const results = [];
+    for (let i = 0; i < events.length; i += BATCH_SIZE) {
+        const batch = events.slice(i, i + BATCH_SIZE);
+        const batchNum = Math.floor(i / BATCH_SIZE) + 1;
+        const payload = JSON.stringify({ entries: batch });
+        const nonce = generateNonce();
+        const signature = signRequest(instanceId, nonce, hmacSecret);
+        log.debug('sender', `Batch ${batchNum}: ${batch.length} events → ${apiUrl}/v1/ingest [env=${shieldEnv || 'dev'}]`);
+        for (let attempt = 0; attempt < 2; attempt++) {
+            try {
+                const res = await fetchWithTimeout(`${apiUrl}/v1/ingest`, {
+                    method: 'POST',
+                    headers: {
+                        'Content-Type': 'application/json',
+                        'X-Shield-Instance-Id': instanceId,
+                        'X-Shield-Nonce': nonce,
+                        'X-Shield-Signature': signature,
+                        'X-Shield-Version': version_1.VERSION,
+                        ...envHeaders(shieldEnv),
+                    },
+                    body: payload,
+                });
+                const data = await res.text();
+                log.info('sender', `Batch ${batchNum}: ${batch.length} events (HTTP ${res.status})`);
+                if (res.ok) {
+                    results.push({ success: true, statusCode: res.status, body: data, eventCount: batch.length });
+                    break;
+                }
+                if (res.status >= 500 && attempt === 0) {
+                    log.warn('sender', `Batch ${batchNum} attempt ${attempt + 1} — HTTP ${res.status}, retrying...`);
+                    continue;
+                }
+                log.error('sender', `Batch ${batchNum} — HTTP ${res.status}: ${data}`);
+                results.push({ success: false, statusCode: res.status, body: data, eventCount: batch.length });
+                break;
+            }
+            catch (err) {
+                log.error('sender', `Batch ${batchNum} attempt ${attempt + 1} — ${errMsg(err)}`);
+                if (attempt === 1) {
+                    results.push({ success: false, statusCode: 0, body: errMsg(err), eventCount: batch.length });
+                }
+            }
+        }
+    }
+    return results;
+}
+/**
+ * reportInstance — PUT /v1/instance
+ *
+ * Reports machine + software metadata to the Shield platform for score
+ * calculation and dashboard display. This is NOT a security event and does
+ * NOT go to Chronicle — it goes directly to the platform API via Cloud Run.
+ *
+ * Called periodically (default: every 5 minutes) by the bridge/plugin loop.
+ */
+async function reportInstance(payload, credentials) {
+    const { apiUrl, instanceId, hmacSecret, shieldEnv } = credentials;
+    if (!apiUrl || !instanceId || !hmacSecret) {
+        log.warn('sender', 'reportInstance: missing credentials, skipping');
+        return false;
+    }
+    const nonce = generateNonce();
+    const signature = signRequest(instanceId, nonce, hmacSecret);
+    log.debug('sender', `reportInstance → ${apiUrl}/v1/instance [env=${shieldEnv || 'dev'}]`, payload);
+    try {
+        const res = await fetchWithTimeout(`${apiUrl}/v1/instance`, {
+            method: 'PUT',
+            headers: {
+                'Content-Type': 'application/json',
+                'X-Shield-Instance-Id': instanceId,
+                'X-Shield-Nonce': nonce,
+                'X-Shield-Signature': signature,
+                'X-Shield-Version': version_1.VERSION,
+                ...envHeaders(shieldEnv),
+            },
+            body: JSON.stringify(payload),
+        });
+        if (!res.ok) {
+            const body = await res.text();
+            log.warn('sender', `reportInstance HTTP ${res.status}: ${body.slice(0, 100)}`);
+            return false;
+        }
+        return true;
+    }
+    catch (err) {
+        log.warn('sender', `reportInstance error: ${errMsg(err)}`);
+        return false;
+    }
+}

package/dist/src/setup.d.ts

@@ -0,0 +1,10 @@
+#!/usr/bin/env node
+/**
+ * setup.ts — Interactive configuration wizard for Shield
+ *
+ * Two-stage credential flow:
+ *   1. User provides a registration key from the Shield portal
+ *   2. POST /v1/register exchanges it for an HMAC signing secret
+ *   3. The returned HMAC secret + generated instance ID are saved to config.env
+ */
+export {};

package/dist/src/setup.js

@@ -0,0 +1,222 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * setup.ts — Interactive configuration wizard for Shield
+ *
+ * Two-stage credential flow:
+ *   1. User provides a registration key from the Shield portal
+ *   2. POST /v1/register exchanges it for an HMAC signing secret
+ *   3. The returned HMAC secret + generated instance ID are saved to config.env
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const readline = __importStar(require("readline"));
+const fs_1 = require("fs");
+const path_1 = require("path");
+const os_1 = require("os");
+const config_1 = require("./config");
+const crypto_1 = require("crypto");
+const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout
+});
+function prompt(question) {
+    return new Promise((resolve) => {
+        rl.question(question, (answer) => resolve(answer.trim()));
+    });
+}
+function generateInstanceId() {
+    const data = `${(0, os_1.hostname)()}-${(0, os_1.userInfo)().username}-${Date.now()}`;
+    return (0, crypto_1.createHash)('sha256').update(data).digest('hex');
+}
+async function testConnection(apiUrl) {
+    try {
+        process.stdout.write('Connecting... ');
+        const response = await fetch(`${apiUrl}/`, {
+            method: 'GET',
+            headers: {
+                'User-Agent': 'OpenClaw-Shield-Setup/1.0'
+            }
+        });
+        if (response.ok) {
+            console.log('ok');
+            return true;
+        }
+        else {
+            console.log(`failed (HTTP ${response.status})`);
+            return false;
+        }
+    }
+    catch (error) {
+        console.log(`failed (${error instanceof Error ? error.message : String(error)})`);
+        return false;
+    }
+}
+async function registerInstance(config) {
+    try {
+        process.stdout.write('Registering instance... ');
+        // Cloud Run /v1/register expects: installation_code + fingerprint
+        const payload = {
+            installation_code: config.registrationKey,
+            fingerprint: config.instanceId,
+            machine: {
+                hostname: (0, os_1.hostname)(),
+                user: (0, os_1.userInfo)().username,
+                os: process.platform,
+                arch: process.arch,
+                node_version: process.version,
+            },
+            software: {
+                plugin_version: '0.2.8-beta',
+                instance_name: config.instanceName,
+            },
+        };
+        const response = await fetch(`${config.apiUrl}/v1/register`, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'User-Agent': 'OpenClaw-Shield-Setup/0.2',
+            },
+            body: JSON.stringify(payload),
+            signal: AbortSignal.timeout(10_000),
+        });
+        if (response.ok) {
+            const data = await response.json();
+            const hmacSecret = data.hmacSecret;
+            if (!hmacSecret) {
+                console.log('failed (no credentials returned — contact your Shield administrator)');
+                return null;
+            }
+            console.log('ok');
+            return hmacSecret;
+        }
+        else {
+            const body = await response.text();
+            let msg = `HTTP ${response.status}`;
+            try {
+                const parsed = JSON.parse(body);
+                msg = parsed.message || parsed.error || msg;
+            }
+            catch { /* raw */ }
+            console.log(`failed — ${msg}`);
+            return null;
+        }
+    }
+    catch (error) {
+        console.log(`failed — ${error instanceof Error ? error.message : String(error)}`);
+        return null;
+    }
+}
+function saveConfig(config) {
+    const configDir = (0, path_1.join)(config_1.SHIELD_CONFIG_PATH, '..');
+    if (!(0, fs_1.existsSync)(configDir)) {
+        (0, fs_1.mkdirSync)(configDir, { recursive: true });
+    }
+    const envContent = `# Shield API Configuration
+# Generated by shield-setup on ${new Date().toISOString()}
+# Location: ${config_1.SHIELD_CONFIG_PATH}
+
+SHIELD_API_URL=${config.apiUrl}
+SHIELD_INSTANCE_ID=${config.instanceId}
+SHIELD_HMAC_SECRET=${config.hmacSecret}
+INSTANCE_NAME=${config.instanceName}
+
+# Optional overrides (uncomment to use)
+# POLL_INTERVAL_MS=30000
+# DRY_RUN=true
+# REDACTION_ENABLED=true
+# SESSION_DIR=/path/to/custom/sessions
+`;
+    (0, fs_1.writeFileSync)(config_1.SHIELD_CONFIG_PATH, envContent, { encoding: 'utf-8', mode: 0o600 });
+    console.log(`✅ Configuration saved to ${config_1.SHIELD_CONFIG_PATH}`);
+}
+const SHIELD_API_URL = 'https://openclaw-shield.upx.com';
+async function main() {
+    console.log('🛡️  OpenClaw Shield Setup');
+    console.log('==========================\n');
+    try {
+        const registrationKey = await prompt('Installation Key (from Shield portal): ');
+        if (!registrationKey) {
+            console.log('❌ Installation key is required');
+            process.exit(1);
+        }
+        const instanceName = `openclaw-${(0, os_1.hostname)()}`;
+        const instanceId = generateInstanceId();
+        const config = {
+            apiUrl: SHIELD_API_URL,
+            registrationKey,
+            instanceName,
+            instanceId,
+            hmacSecret: '',
+        };
+        // Warn if credentials already exist
+        if ((0, fs_1.existsSync)(config_1.SHIELD_CONFIG_PATH)) {
+            const overwrite = await prompt('⚠️  Shield is already configured. Overwrite? (y/N): ');
+            if (overwrite.toLowerCase() !== 'y' && overwrite.toLowerCase() !== 'yes') {
+                console.log('Setup cancelled. Existing configuration preserved.');
+                process.exit(0);
+            }
+        }
+        const connectionOk = await testConnection(SHIELD_API_URL);
+        if (!connectionOk) {
+            console.log('❌ Cannot reach the Shield API. Check your internet connection and try again.');
+            process.exit(1);
+        }
+        const exchangedSecret = await registerInstance(config);
+        if (!exchangedSecret) {
+            console.log('❌ Registration failed. Please verify your installation key and try again.');
+            process.exit(1);
+        }
+        config.hmacSecret = exchangedSecret;
+        saveConfig(config);
+        console.log('\n✅ Shield activated!');
+        console.log('   Restart your OpenClaw Gateway to start monitoring.');
+    }
+    catch (error) {
+        console.error('❌ Setup failed:', error instanceof Error ? error.message : String(error));
+        process.exit(1);
+    }
+    finally {
+        rl.close();
+    }
+}
+process.on('SIGINT', () => {
+    console.log('\n\nSetup cancelled by user.');
+    rl.close();
+    process.exit(0);
+});
+if (require.main === module) {
+    main();
+}

package/dist/src/transformer.d.ts

@@ -0,0 +1,26 @@
+/**
+ * transformer.ts — Thin orchestration layer
+ *
+ * Iterates raw JSONL entries, routes each tool call to the matching schema,
+ * and wraps the resulting ShieldEvent in an EnvelopeEvent for transmission.
+ *
+ * All enrichment logic lives in src/events/{type}/enrich.ts.
+ */
+import { RawEntry } from './fetcher';
+import type { ShieldEvent, SourceInfo } from './events';
+export type { SourceInfo };
+export interface EnvelopeEvent {
+    source: SourceInfo;
+    event: ShieldEvent;
+}
+/** Top-level request body for POST /v1/ingest — used for JSON Schema generation */
+export interface IngestPayload {
+    entries: EnvelopeEvent[];
+}
+/** Resolve the installed OpenClaw version from known package.json paths. */
+export declare function resolveOpenClawVersion(): string;
+/** Resolve agent_label from IDENTITY.md in the configured workspace. */
+export declare function resolveAgentLabel(agentId: string): string;
+export declare function transformEntries(entries: RawEntry[]): EnvelopeEvent[];
+/** Generate a HOST_TELEMETRY envelope with version + config info for security rules */
+export declare function generateHostTelemetry(): EnvelopeEvent | null;