@upx-us/shield 0.3.16 → 0.4.36

package/dist/src/updater.js

@@ -0,0 +1,477 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseSemVer = parseSemVer;
+exports.isNewerVersion = isNewerVersion;
+exports.classifyUpdate = classifyUpdate;
+exports.loadUpdateState = loadUpdateState;
+exports.saveUpdateState = saveUpdateState;
+exports.checkNpmVersion = checkNpmVersion;
+exports.checkForUpdate = checkForUpdate;
+exports.backupCurrentVersion = backupCurrentVersion;
+exports.restoreFromBackup = restoreFromBackup;
+exports.downloadAndInstall = downloadAndInstall;
+exports.performAutoUpdate = performAutoUpdate;
+exports.requestGatewayRestart = requestGatewayRestart;
+const child_process_1 = require("child_process");
+const fs_1 = require("fs");
+const safe_io_1 = require("./safe-io");
+const path_1 = require("path");
+const os_1 = require("os");
+const crypto_1 = require("crypto");
+const log = __importStar(require("./log"));
+const version_1 = require("./version");
+const PACKAGE_NAME = '@upx-us/shield';
+const CHECK_INTERVAL_MS = 6 * 60 * 60 * 1000;
+const MIN_CHECK_INTERVAL_MS = 60 * 1000;
+const PLUGIN_DIR = (0, path_1.join)((0, os_1.homedir)(), '.openclaw', 'extensions', 'shield');
+const BACKUP_DIR = (0, path_1.join)((0, os_1.homedir)(), '.openclaw', 'shield', 'data', 'backup');
+const UPDATE_STATE_FILE = (0, path_1.join)((0, os_1.homedir)(), '.openclaw', 'shield', 'data', 'update-state.json');
+const MAX_BACKUPS = 2;
+function parseSemVer(version) {
+    const match = version.match(/^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/);
+    if (!match)
+        return null;
+    return {
+        major: parseInt(match[1], 10),
+        minor: parseInt(match[2], 10),
+        patch: parseInt(match[3], 10),
+        prerelease: match[4] || null,
+    };
+}
+function isNewerVersion(current, candidate) {
+    const cur = parseSemVer(current);
+    const cand = parseSemVer(candidate);
+    if (!cur || !cand)
+        return false;
+    if (cand.major !== cur.major)
+        return cand.major > cur.major;
+    if (cand.minor !== cur.minor)
+        return cand.minor > cur.minor;
+    if (cand.patch !== cur.patch)
+        return cand.patch > cur.patch;
+    if (cur.prerelease && !cand.prerelease)
+        return true;
+    return false;
+}
+function classifyUpdate(current, candidate) {
+    const cur = parseSemVer(current);
+    const cand = parseSemVer(candidate);
+    if (!cur || !cand)
+        return { isPatch: false, isMinor: false, isMajor: false };
+    return {
+        isMajor: cand.major > cur.major,
+        isMinor: cand.major === cur.major && cand.minor > cur.minor,
+        isPatch: cand.major === cur.major && cand.minor === cur.minor && cand.patch > cur.patch,
+    };
+}
+function ensureDir(dir) {
+    if (!(0, fs_1.existsSync)(dir))
+        (0, fs_1.mkdirSync)(dir, { recursive: true });
+}
+function loadUpdateState() {
+    const defaults = {
+        lastCheckAt: 0,
+        lastUpdateAt: 0,
+        currentVersion: version_1.VERSION,
+        latestVersion: null,
+        updateAvailable: false,
+        lastError: null,
+        rollbackVersion: null,
+        consecutiveFailures: 0,
+    };
+    if (!(0, fs_1.existsSync)(UPDATE_STATE_FILE))
+        return defaults;
+    const loaded = (0, safe_io_1.readJsonSafe)(UPDATE_STATE_FILE, {}, 'update-state');
+    return { ...defaults, ...loaded };
+}
+function saveUpdateState(state) {
+    ensureDir((0, path_1.dirname)(UPDATE_STATE_FILE));
+    (0, safe_io_1.writeJsonSafe)(UPDATE_STATE_FILE, state);
+}
+function checkNpmVersion() {
+    try {
+        const result = (0, child_process_1.execSync)(`npm view ${PACKAGE_NAME} version`, {
+            encoding: 'utf-8',
+            timeout: 15_000,
+            stdio: ['pipe', 'pipe', 'pipe'],
+        }).trim();
+        if (!parseSemVer(result)) {
+            log.warn('updater', `npm returned invalid version: ${result}`);
+            return null;
+        }
+        return result;
+    }
+    catch (err) {
+        log.warn('updater', `Failed to check npm: ${err instanceof Error ? err.message : String(err)}`);
+        return null;
+    }
+}
+function checkForUpdate(overrideInterval) {
+    const state = loadUpdateState();
+    const now = Date.now();
+    const interval = overrideInterval ?? CHECK_INTERVAL_MS;
+    if (now - state.lastCheckAt < Math.max(interval, MIN_CHECK_INTERVAL_MS)) {
+        if (state.updateAvailable && state.latestVersion) {
+            const classification = classifyUpdate(version_1.VERSION, state.latestVersion);
+            return {
+                updateAvailable: true,
+                currentVersion: version_1.VERSION,
+                latestVersion: state.latestVersion,
+                ...classification,
+            };
+        }
+        return null;
+    }
+    log.info('updater', `Checking npm for updates (current: ${version_1.VERSION})...`);
+    const latestVersion = checkNpmVersion();
+    state.lastCheckAt = now;
+    state.currentVersion = version_1.VERSION;
+    if (!latestVersion) {
+        state.lastError = 'Failed to query npm registry';
+        saveUpdateState(state);
+        return null;
+    }
+    state.latestVersion = latestVersion;
+    if (isNewerVersion(version_1.VERSION, latestVersion)) {
+        state.updateAvailable = true;
+        state.lastError = null;
+        saveUpdateState(state);
+        const classification = classifyUpdate(version_1.VERSION, latestVersion);
+        log.info('updater', `Update available: ${version_1.VERSION} → ${latestVersion} (${classification.isPatch ? 'patch' : classification.isMinor ? 'minor' : 'major'})`);
+        return {
+            updateAvailable: true,
+            currentVersion: version_1.VERSION,
+            latestVersion,
+            ...classification,
+        };
+    }
+    state.updateAvailable = false;
+    state.lastError = null;
+    saveUpdateState(state);
+    return null;
+}
+function backupCurrentVersion() {
+    if (!(0, fs_1.existsSync)(PLUGIN_DIR))
+        return null;
+    ensureDir(BACKUP_DIR);
+    const backupName = `shield-${version_1.VERSION}-${Date.now()}`;
+    const backupPath = (0, path_1.join)(BACKUP_DIR, backupName);
+    try {
+        (0, fs_1.mkdirSync)(backupPath, { recursive: true });
+        const filesToBackup = ['package.json', 'openclaw.plugin.json', 'LICENSE', 'README.md'];
+        for (const f of filesToBackup) {
+            const src = (0, path_1.join)(PLUGIN_DIR, f);
+            if ((0, fs_1.existsSync)(src))
+                (0, fs_1.copyFileSync)(src, (0, path_1.join)(backupPath, f));
+        }
+        const distSrc = (0, path_1.join)(PLUGIN_DIR, 'dist');
+        if ((0, fs_1.existsSync)(distSrc)) {
+            copyRecursive(distSrc, (0, path_1.join)(backupPath, 'dist'));
+        }
+        const skillsSrc = (0, path_1.join)(PLUGIN_DIR, 'skills');
+        if ((0, fs_1.existsSync)(skillsSrc)) {
+            copyRecursive(skillsSrc, (0, path_1.join)(backupPath, 'skills'));
+        }
+        pruneBackups();
+        log.info('updater', `Backup created: ${backupName}`);
+        return backupPath;
+    }
+    catch (err) {
+        log.error('updater', `Backup failed: ${err instanceof Error ? err.message : String(err)}`);
+        return null;
+    }
+}
+function copyRecursive(src, dest) {
+    (0, fs_1.mkdirSync)(dest, { recursive: true });
+    for (const entry of (0, fs_1.readdirSync)(src, { withFileTypes: true })) {
+        const srcPath = (0, path_1.join)(src, entry.name);
+        const destPath = (0, path_1.join)(dest, entry.name);
+        if (entry.isDirectory()) {
+            copyRecursive(srcPath, destPath);
+        }
+        else {
+            (0, fs_1.copyFileSync)(srcPath, destPath);
+        }
+    }
+}
+function pruneBackups() {
+    if (!(0, fs_1.existsSync)(BACKUP_DIR))
+        return;
+    const backups = (0, fs_1.readdirSync)(BACKUP_DIR)
+        .filter(d => d.startsWith('shield-'))
+        .map(d => ({ name: d, path: (0, path_1.join)(BACKUP_DIR, d), stat: (0, fs_1.statSync)((0, path_1.join)(BACKUP_DIR, d)) }))
+        .sort((a, b) => b.stat.mtimeMs - a.stat.mtimeMs);
+    for (const old of backups.slice(MAX_BACKUPS)) {
+        try {
+            (0, fs_1.rmSync)(old.path, { recursive: true, force: true });
+            log.info('updater', `Pruned old backup: ${old.name}`);
+        }
+        catch { }
+    }
+}
+function restoreFromBackup(backupPath) {
+    if (!(0, fs_1.existsSync)(backupPath)) {
+        log.error('updater', `Backup not found: ${backupPath}`);
+        return false;
+    }
+    try {
+        const backupPkg = (0, path_1.join)(backupPath, 'package.json');
+        if (!(0, fs_1.existsSync)(backupPkg)) {
+            log.error('updater', 'Backup is corrupt — no package.json');
+            return false;
+        }
+        for (const entry of (0, fs_1.readdirSync)(PLUGIN_DIR)) {
+            if (entry === 'node_modules')
+                continue;
+            const fullPath = (0, path_1.join)(PLUGIN_DIR, entry);
+            (0, fs_1.rmSync)(fullPath, { recursive: true, force: true });
+        }
+        copyRecursive(backupPath, PLUGIN_DIR);
+        const restoredVersion = JSON.parse((0, fs_1.readFileSync)(backupPkg, 'utf-8')).version;
+        log.info('updater', `Restored from backup: ${restoredVersion}`);
+        return true;
+    }
+    catch (err) {
+        log.error('updater', `Restore failed: ${err instanceof Error ? err.message : String(err)}`);
+        return false;
+    }
+}
+function updateOpenClawPluginMetadata(newVersion, shasum) {
+    const configPath = (0, path_1.join)((0, os_1.homedir)(), '.openclaw', 'openclaw.json');
+    try {
+        if (!(0, fs_1.existsSync)(configPath))
+            return;
+        const config = JSON.parse((0, fs_1.readFileSync)(configPath, 'utf-8'));
+        if (!config.plugins?.installs?.shield)
+            return;
+        const install = config.plugins.installs.shield;
+        install.spec = `${PACKAGE_NAME}@${newVersion}`;
+        install.version = newVersion;
+        install.resolvedVersion = newVersion;
+        install.resolvedSpec = `${PACKAGE_NAME}@${newVersion}`;
+        delete install.integrity;
+        if (shasum) {
+            install.shasum = shasum;
+        }
+        else {
+            delete install.shasum;
+        }
+        install.installedAt = new Date().toISOString();
+        (0, safe_io_1.writeJsonSafe)(configPath, config);
+        log.info('updater', `Updated openclaw.json plugin metadata → ${newVersion}`);
+    }
+    catch (err) {
+        log.warn('updater', `Failed to update openclaw.json metadata: ${err instanceof Error ? err.message : String(err)}`);
+    }
+}
+function downloadAndInstall(targetVersion) {
+    const tmpDir = (0, path_1.join)((0, os_1.homedir)(), '.openclaw', 'shield', 'data', 'tmp-update');
+    try {
+        if ((0, fs_1.existsSync)(tmpDir))
+            (0, fs_1.rmSync)(tmpDir, { recursive: true, force: true });
+        (0, fs_1.mkdirSync)(tmpDir, { recursive: true });
+        log.info('updater', `Downloading ${PACKAGE_NAME}@${targetVersion}...`);
+        (0, child_process_1.execSync)(`npm pack ${PACKAGE_NAME}@${targetVersion}`, {
+            cwd: tmpDir,
+            encoding: 'utf-8',
+            timeout: 60_000,
+            stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        const tarballs = (0, fs_1.readdirSync)(tmpDir).filter(f => f.endsWith('.tgz'));
+        if (tarballs.length === 0) {
+            log.error('updater', 'npm pack produced no tarball');
+            return false;
+        }
+        const tarball = (0, path_1.join)(tmpDir, tarballs[0]);
+        const tarballShasum = (0, crypto_1.createHash)('sha1').update((0, fs_1.readFileSync)(tarball)).digest('hex');
+        const stagingDir = (0, path_1.join)(tmpDir, 'staging');
+        (0, fs_1.mkdirSync)(stagingDir, { recursive: true });
+        (0, child_process_1.execSync)(`tar xzf "${tarball}" -C "${stagingDir}" --strip-components=1`, {
+            timeout: 30_000,
+            stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        const pkgPath = (0, path_1.join)(stagingDir, 'package.json');
+        if (!(0, fs_1.existsSync)(pkgPath)) {
+            log.error('updater', 'Downloaded package has no package.json');
+            return false;
+        }
+        const pkg = JSON.parse((0, fs_1.readFileSync)(pkgPath, 'utf-8'));
+        if (pkg.version !== targetVersion) {
+            log.error('updater', `Version mismatch: expected ${targetVersion}, got ${pkg.version}`);
+            return false;
+        }
+        const pluginJsonPath = (0, path_1.join)(stagingDir, 'openclaw.plugin.json');
+        if ((0, fs_1.existsSync)(pluginJsonPath)) {
+            const pluginJson = JSON.parse((0, fs_1.readFileSync)(pluginJsonPath, 'utf-8'));
+            if (pluginJson.version !== targetVersion) {
+                log.error('updater', `Plugin manifest version mismatch: expected ${targetVersion}, got ${pluginJson.version}`);
+                return false;
+            }
+        }
+        if (!(0, fs_1.existsSync)((0, path_1.join)(stagingDir, 'dist', 'index.js'))) {
+            log.error('updater', 'Downloaded package missing dist/index.js');
+            return false;
+        }
+        for (const entry of (0, fs_1.readdirSync)(PLUGIN_DIR)) {
+            if (entry === 'node_modules')
+                continue;
+            (0, fs_1.rmSync)((0, path_1.join)(PLUGIN_DIR, entry), { recursive: true, force: true });
+        }
+        copyRecursive(stagingDir, PLUGIN_DIR);
+        updateOpenClawPluginMetadata(targetVersion, tarballShasum);
+        log.info('updater', `Installed ${PACKAGE_NAME}@${targetVersion} successfully`);
+        return true;
+    }
+    catch (err) {
+        log.error('updater', `Download/install failed: ${err instanceof Error ? err.message : String(err)}`);
+        return false;
+    }
+    finally {
+        try {
+            (0, fs_1.rmSync)(tmpDir, { recursive: true, force: true });
+        }
+        catch { }
+    }
+}
+function performAutoUpdate(mode, checkIntervalMs) {
+    const noOp = { action: 'none', fromVersion: version_1.VERSION, toVersion: null, message: '', requiresRestart: false };
+    if (mode === false)
+        return noOp;
+    const check = checkForUpdate(checkIntervalMs);
+    if (!check || !check.updateAvailable)
+        return noOp;
+    if (mode === 'notify-only') {
+        const kind = check.isPatch ? 'patch' : check.isMinor ? 'minor' : 'major';
+        return {
+            action: 'notify',
+            fromVersion: version_1.VERSION,
+            toVersion: check.latestVersion,
+            message: `Shield update available: ${version_1.VERSION} → ${check.latestVersion} (${kind}). Set autoUpdate: true to enable automatic updates.`,
+            requiresRestart: false,
+        };
+    }
+    if (check.isMajor) {
+        return {
+            action: 'notify',
+            fromVersion: version_1.VERSION,
+            toVersion: check.latestVersion,
+            message: `Shield major update available: ${version_1.VERSION} → ${check.latestVersion}. Major updates require manual installation. Run: openclaw plugins update shield`,
+            requiresRestart: false,
+        };
+    }
+    const state = loadUpdateState();
+    log.info('updater', `Auto-updating: ${version_1.VERSION} → ${check.latestVersion}`);
+    const backupPath = backupCurrentVersion();
+    if (!backupPath) {
+        state.consecutiveFailures++;
+        state.lastError = 'Backup failed — update aborted';
+        saveUpdateState(state);
+        return {
+            action: 'error',
+            fromVersion: version_1.VERSION,
+            toVersion: check.latestVersion,
+            message: 'Auto-update aborted: failed to backup current version',
+            requiresRestart: false,
+        };
+    }
+    const installed = downloadAndInstall(check.latestVersion);
+    if (!installed) {
+        log.warn('updater', 'Install failed — rolling back...');
+        const restored = restoreFromBackup(backupPath);
+        state.consecutiveFailures++;
+        state.lastError = 'Install failed — rolled back';
+        saveUpdateState(state);
+        return {
+            action: restored ? 'rollback' : 'error',
+            fromVersion: version_1.VERSION,
+            toVersion: check.latestVersion,
+            message: restored
+                ? `Auto-update to ${check.latestVersion} failed — rolled back to ${version_1.VERSION}`
+                : `Auto-update to ${check.latestVersion} failed and rollback failed! Manual intervention needed.`,
+            requiresRestart: !restored,
+        };
+    }
+    try {
+        const newPkg = JSON.parse((0, fs_1.readFileSync)((0, path_1.join)(PLUGIN_DIR, 'package.json'), 'utf-8'));
+        if (newPkg.version !== check.latestVersion) {
+            throw new Error(`Post-install version mismatch: ${newPkg.version} !== ${check.latestVersion}`);
+        }
+    }
+    catch (err) {
+        log.error('updater', `Post-install validation failed: ${err instanceof Error ? err.message : String(err)}`);
+        log.warn('updater', 'Rolling back...');
+        restoreFromBackup(backupPath);
+        state.consecutiveFailures++;
+        state.lastError = 'Post-install validation failed — rolled back';
+        saveUpdateState(state);
+        return {
+            action: 'rollback',
+            fromVersion: version_1.VERSION,
+            toVersion: check.latestVersion,
+            message: `Auto-update to ${check.latestVersion} failed validation — rolled back to ${version_1.VERSION}`,
+            requiresRestart: false,
+        };
+    }
+    state.lastUpdateAt = Date.now();
+    state.updateAvailable = false;
+    state.rollbackVersion = version_1.VERSION;
+    state.currentVersion = check.latestVersion;
+    state.consecutiveFailures = 0;
+    state.lastError = null;
+    saveUpdateState(state);
+    log.info('updater', `✅ Auto-updated: ${version_1.VERSION} → ${check.latestVersion}. Gateway restart required to load new version.`);
+    return {
+        action: 'updated',
+        fromVersion: version_1.VERSION,
+        toVersion: check.latestVersion,
+        message: `Shield auto-updated: ${version_1.VERSION} → ${check.latestVersion}. Gateway restart required.`,
+        requiresRestart: true,
+    };
+}
+function requestGatewayRestart() {
+    try {
+        (0, child_process_1.execSync)('openclaw gateway restart', {
+            timeout: 30_000,
+            stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        log.info('updater', 'Gateway restart requested');
+        return true;
+    }
+    catch (err) {
+        log.warn('updater', `Gateway restart failed: ${err instanceof Error ? err.message : String(err)}`);
+        return false;
+    }
+}

package/openclaw.plugin.json

@@ -1,60 +1,84 @@
 {
-    "id": "shield",
-    "name": "OpenClaw Shield",
-    "description": "Real-time security monitoring — streams enriched, redacted security events to the Shield detection platform.",
-    "version": "0.3.16",
-    "skills": [
-        "./skills"
-    ],
-    "configSchema": {
-        "type": "object",
-        "additionalProperties": false,
-        "properties": {
-            "installationKey": {
-                "type": "string",
-                "description": "One-time installation key from the Shield portal. The plugin uses this to register the instance and obtain credentials automatically. Can be removed from config after first activation."
-            },
-            "enabled": {
-                "type": "boolean",
-                "default": true
-            },
-            "dryRun": {
-                "type": "boolean",
-                "default": false
-            },
-            "redactionEnabled": {
-                "type": "boolean",
-                "default": true
-            },
-            "pollIntervalMs": {
-                "type": "number",
-                "default": 30000
-            },
-            "collectHostMetrics": {
-                "type": "boolean",
-                "default": false
-            }
-        }
+  "id": "shield",
+  "name": "OpenClaw Shield",
+  "description": "Real-time security monitoring \u2014 streams enriched, redacted security events to the Shield detection platform.",
+  "version": "0.4.36",
+  "skills": [
+    "./skills"
+  ],
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {
+      "installationKey": {
+        "type": "string",
+        "description": "One-time installation key from the Shield portal. The plugin uses this to register the instance and obtain credentials automatically. Can be removed from config after first activation."
+      },
+      "enabled": {
+        "type": "boolean",
+        "default": true
+      },
+      "dryRun": {
+        "type": "boolean",
+        "default": false
+      },
+      "redactionEnabled": {
+        "type": "boolean",
+        "default": true
+      },
+      "pollIntervalMs": {
+        "type": "number",
+        "default": 30000
+      },
+      "collectHostMetrics": {
+        "type": "boolean",
+        "default": false
+      },
+      "autoUpdate": {
+        "oneOf": [
+          {
+            "type": "boolean"
+          },
+          {
+            "type": "string",
+            "enum": [
+              "notify-only"
+            ]
+          }
+        ],
+        "default": true,
+        "description": "Auto-update mode: true (auto-update patch versions), false (disabled), or 'notify-only' (log available updates without installing)."
+      }
+    }
+  },
+  "uiHints": {
+    "installationKey": {
+      "label": "Installation Key",
+      "description": "One-time key from the Shield portal (https://uss.upx.com). Required for first-time activation only."
+    },
+    "enabled": {
+      "label": "Enable security monitoring"
+    },
+    "dryRun": {
+      "label": "Dry run (log events locally, do not transmit)"
+    },
+    "redactionEnabled": {
+      "label": "Redact sensitive values before transmitting"
+    },
+    "pollIntervalMs": {
+      "label": "Polling interval (milliseconds)"
+    },
+    "collectHostMetrics": {
+      "label": "Collect host telemetry metrics"
     },
-    "uiHints": {
-        "installationKey": {
-            "label": "Installation Key",
-            "description": "One-time key from the Shield portal (https://uss.upx.com). Required for first-time activation only."
-        },
-        "enabled": {
-            "label": "Enable security monitoring"
-        },
-        "dryRun": {
-            "label": "Dry run (log events locally, do not transmit)"
-        },
-        "redactionEnabled": {
-            "label": "Redact sensitive values before transmitting"
-        },
-        "pollIntervalMs": {
-            "label": "Polling interval (milliseconds)"
-        },
-        "collectHostMetrics": {
-            "label": "Collect host telemetry metrics"
-        }
+    "autoUpdate": {
+      "label": "Auto-update mode",
+      "description": "true = auto-install patch updates, 'notify-only' = log only, false = disabled"
     }
-}
+  },
+  "clawhub": {
+    "slug": "openclaw-shield-upx",
+    "skillVersion": "1.0.2",
+    "note": "ClawHub auto-increments on publish. Update this after each clawhub submission."
+  }
+}