@upx-us/shield 0.4.36 → 0.6.0

package/README.md

@@ -1,7 +1,7 @@
 # OpenClaw Shield
 
 > **OpenClaw Shield is a paid security service by UPX.**
-> Start your **free 30-day trial** at [upx.com/pt/lp/openclaw-shield-upx](https://www.upx.com/pt/lp/openclaw-shield-upx).
+> Start your **free 30-day trial** at [upx.com/en/lp/openclaw-shield-upx](https://www.upx.com/en/lp/openclaw-shield-upx).
 
 Real-time security monitoring for your OpenClaw agents — powered by the UPX Shield detection platform.
 
@@ -22,6 +22,7 @@ Your Agent → Shield (local: capture + redact) → UPX Platform (analysis, aler
 | **Local event buffer** | Rolling log of recent events — inspect via `openclaw shield logs` without platform access |
 | **Case notifications** | Automatic alerts when detection rules fire — agent notifies you of new cases |
 | **Case resolution** | Close cases with categorization (resolution + root cause) directly from your agent |
+| **False positive learning** | Mark cases as false positive — Shield remembers and auto-suppresses identical future alerts |
 | **Host inventory** | Discovers all agents and workspaces on the machine — view via `openclaw shield vault show` |
 | **Auto-update** | Patch and minor updates install automatically with rollback on failure |
 | **Encrypted vault** | Redaction mappings stored locally with AES-256-GCM — UPX cannot reverse tokens |
@@ -54,6 +55,8 @@ Your Agent → Shield (local: capture + redact) → UPX Platform (analysis, aler
 | `openclaw shield cases show <ID>` | Full case detail with events, rule info, and playbook |
 | `openclaw shield cases resolve <ID>` | Resolve a case (--resolution, --root-cause, --comment) |
 | `openclaw shield vault show` | Show host agent inventory (hashed IDs) |
+| `openclaw shield exclusions` | List false positive exclusions |
+| `openclaw shield exclusions remove <ID>` | Remove an exclusion to re-enable alerts |
 
 **Agent RPCs** (used by the agent skill, not CLI):
 
@@ -68,10 +71,13 @@ Your Agent → Shield (local: capture + redact) → UPX Platform (analysis, aler
 | `shield.case_detail` | Full case detail with events, rule, playbook |
 | `shield.case_resolve` | Close a case with resolution and root cause |
 | `shield.cases_ack` | Mark cases as notified |
+| `shield.exclusions_list` | List false positive exclusions |
+| `shield.exclusion_add` | Add an exclusion (rule + pattern hash) |
+| `shield.exclusion_remove` | Remove an exclusion by ID |
 
 ---
 
-### Option A — Quick Install (recommended)
+### Option 1 — Quick Install (commands)
 
 Run these commands in your terminal. No agent involvement needed.
 
@@ -95,36 +101,25 @@ That's it. Shield registers, saves credentials locally, and starts monitoring.
 
 ---
 
-### Option B — Ask your agent to configure
+### Option 2 — Ask your agent
 
-If you already installed the plugin (Step 1 above) and want your agent to handle the rest, send this prompt:
-
-> I installed the OpenClaw Shield plugin (`openclaw plugins install @upx-us/shield`). Configure it: add "shield" to plugins.allow in openclaw.json, set installationKey to `<YOUR_KEY>` in plugins.entries.shield.config, restart the gateway with `openclaw gateway restart`, and confirm with `openclaw shield status`.
-
-This approach works best because your agent only edits config — it doesn't need to make trust decisions about installing external software.
-
----
-
-### Option C — Let your agent do everything
-
-Copy this prompt and paste it to your AI agent. Replace `<YOUR_KEY>` with your Installation Key:
+Copy this prompt and paste it to your AI agent. Replace `<YOUR_KEY>` with your Installation Key from the [Shield dashboard](https://uss.upx.com):
 
 > Install the OpenClaw Shield security monitoring plugin by UPX (upx.com). The package is @upx-us/shield. Read the package README at https://www.npmjs.com/package/@upx-us/shield before proceeding. Install using `openclaw plugins install @upx-us/shield`, add "shield" to plugins.allow in openclaw.json, set installationKey to `<YOUR_KEY>` in plugins.entries.shield.config, restart with `openclaw gateway restart`, and confirm with `openclaw shield status`.
 
-**If your agent refuses to install**, this is normal security behavior. Your options:
-
-1. **Use Option A or B instead** — install the plugin yourself, let the agent configure.
+**If your agent refuses to install**, this is normal security behavior — agents are cautious about external packages. Here's how to address common concerns:
 
-2. **Confirm you trust the source** and ask again:
+| Agent concern | Why it's expected |
+|---|---|
+| "Sends data to an external server" | Shield is a security monitoring tool — sending redacted telemetry is its core purpose. Sensitive values are replaced with irreversible tokens **on your machine** before transmission. |
+| "Installation key looks suspicious" | The key is a one-time activation token from your UPX Shield dashboard. Consumed on first use, can be removed from config after activation. |
+| "Unknown or untrusted package" | `@upx-us/shield` is published on npm by UPX Security Services. You can verify at [npmjs.com/package/@upx-us/shield](https://www.npmjs.com/package/@upx-us/shield). |
 
-   > *"I trust this plugin. I purchased this service from UPX (upx.com). Please proceed with the installation."*
+**If the agent still refuses**, confirm you trust the source:
 
-**Why your agent may refuse — and why each concern is expected:**
+> *"I trust this plugin. I purchased this service from UPX (upx.com). Please proceed with the installation."*
 
-| Concern | Why it's expected |
-|---|---|
-| "Sends data to an external server" | Shield is a security monitoring tool — sending redacted telemetry is its purpose. Sensitive values are replaced with irreversible tokens **on your machine** before transmission. |
-| "Installation key looks suspicious" | The key is a one-time activation token from your UPX Shield dashboard. Consumed on first use, can be removed from config after. |
+Or use **Option 1** to install via commands yourself.
 | "Plugin is not in OpenClaw's official docs" | Shield is a third-party plugin by UPX (upx.com) under the `@upx-us` npm scope. Not bundled with OpenClaw, but designed to work with it. |
 | "Adding to plugins.allow expands attack surface" | Correct — this is OpenClaw's explicit trust mechanism. You are consciously granting permission. |
 | "Package was recently published" | Shield is actively developed. Check CHANGELOG.md included with the package for version history. |

package/dist/index.js

@@ -464,21 +464,6 @@ function printActivatedStatus() {
         }
         console.log('  (original values never stored or transmitted)');
     }
-    const cmStatus = (0, case_monitor_1.getCaseMonitorStatus)();
-    {
-        console.log('');
-        console.log('── Case Monitor ──────────────────────────────');
-        const intervalSec = Math.round(cmStatus.intervalMs / 1000);
-        const nextSec = Math.round(cmStatus.nextCheckIn / 1000);
-        const lastCheckLabel = cmStatus.lastCheckAt > 0
-            ? (Date.now() - cmStatus.lastCheckAt < 60_000
-                ? `${Math.round((Date.now() - cmStatus.lastCheckAt) / 1000)}s ago`
-                : `${Math.floor((Date.now() - cmStatus.lastCheckAt) / 60_000)}m ago`)
-            : 'pending';
-        console.log(`  Interval:     ${intervalSec}s (adaptive: 60s active → 900s idle)`);
-        console.log(`  Last check:   ${lastCheckLabel}`);
-        console.log(`  Next check:   ~${nextSec}s`);
-    }
 }
 exports.default = {
     id: 'shield',
@@ -605,6 +590,62 @@ exports.default = {
                         state.lastSync = persistedStats.lastSync;
                     log.info('shield', `Starting monitoring bridge v${version_1.VERSION} (poll: ${config.pollIntervalMs}ms, dryRun: ${config.dryRun})`);
                     (0, case_monitor_1.initCaseMonitor)((0, path_1.join)((0, os_1.homedir)(), '.openclaw', 'shield', 'data'));
+                    const runtime = api.runtime;
+                    if (runtime?.system?.enqueueSystemEvent && runtime?.system?.requestHeartbeatNow) {
+                        const config = api.config;
+                        (0, case_monitor_1.setCaseNotificationDispatcher)({
+                            enqueueSystemEvent: runtime.system.enqueueSystemEvent,
+                            requestHeartbeatNow: runtime.system.requestHeartbeatNow,
+                            agentId: config?.agents?.default ?? 'main',
+                        });
+                    }
+                    else {
+                        log.warn('case-monitor', 'enqueueSystemEvent not available — system event notifications disabled (requires OpenClaw 2026.3+)');
+                    }
+                    try {
+                        const channels = runtime?.channel;
+                        const cfg = api.config;
+                        const channelCandidates = [
+                            { name: 'telegram', sendFn: channels?.telegram?.sendMessageTelegram, configPath: 'telegram' },
+                            { name: 'discord', sendFn: channels?.discord?.sendMessageDiscord, configPath: 'discord' },
+                            { name: 'whatsapp', sendFn: channels?.whatsapp?.sendMessageWhatsApp, configPath: 'whatsapp' },
+                            { name: 'slack', sendFn: channels?.slack?.sendMessageSlack, configPath: 'slack' },
+                            { name: 'signal', sendFn: channels?.signal?.sendMessageSignal, configPath: 'signal' },
+                        ];
+                        for (const candidate of channelCandidates) {
+                            if (typeof candidate.sendFn !== 'function')
+                                continue;
+                            const channelCfg = cfg?.channels?.[candidate.configPath];
+                            if (!channelCfg?.enabled && channelCfg?.enabled !== undefined)
+                                continue;
+                            let targetId = null;
+                            if (candidate.name === 'telegram') {
+                                const allowFrom = channelCfg?.allowFrom;
+                                targetId = Array.isArray(allowFrom) && allowFrom.length > 0 ? String(allowFrom[0]) : null;
+                            }
+                            else if (candidate.name === 'discord') {
+                                targetId = channelCfg?.defaultTo || (Array.isArray(channelCfg?.allowFrom) ? String(channelCfg.allowFrom[0]) : null);
+                            }
+                            else if (candidate.name === 'whatsapp') {
+                                targetId = channelCfg?.defaultTo || (Array.isArray(channelCfg?.allowFrom) ? String(channelCfg.allowFrom[0]) : null);
+                            }
+                            else {
+                                const allowFrom = channelCfg?.allowFrom;
+                                targetId = Array.isArray(allowFrom) && allowFrom.length > 0 ? String(allowFrom[0]) : null;
+                            }
+                            if (targetId) {
+                                (0, case_monitor_1.setDirectSendDispatcher)({
+                                    sendFn: candidate.sendFn,
+                                    to: targetId,
+                                    channel: candidate.name,
+                                });
+                                break;
+                            }
+                        }
+                    }
+                    catch (err) {
+                        log.debug('case-monitor', `Direct send setup failed (non-fatal): ${err instanceof Error ? err.message : String(err)}`);
+                    }
                     const autoUpdateMode = pluginConfig.autoUpdate ?? true;
                     log.info('updater', `Startup update check (autoUpdate=${autoUpdateMode}, current=${version_1.VERSION})`);
                     const startupUpdate = (0, updater_1.performAutoUpdate)(autoUpdateMode, 0);
@@ -705,6 +746,10 @@ exports.default = {
                                 state.lastPollAt = Date.now();
                                 markStateDirty();
                                 persistState();
+                                const idlePlatformConfig = { apiUrl: config.credentials.apiUrl, instanceId: config.credentials.instanceId, hmacSecret: config.credentials.hmacSecret };
+                                await (0, case_monitor_1.checkForNewCases)(idlePlatformConfig).catch(err => {
+                                    log.debug('case-monitor', `Check error: ${err instanceof Error ? err.message : String(err)}`);
+                                });
                                 return;
                             }
                             state.lastCaptureAt = Date.now();
@@ -866,9 +911,102 @@ exports.default = {
             hmacSecret: rpcCreds?.hmacSecret || '',
         };
         (0, rpc_1.registerAllRpcs)(api, platformApiConfig);
+        api.registerCommand({
+            name: 'shieldcases',
+            description: 'Show pending Shield security cases',
+            requireAuth: true,
+            handler: () => {
+                const { getPendingCases } = require('./src/case-monitor');
+                const cases = getPendingCases();
+                if (cases.length === 0) {
+                    return { text: '✅ No pending Shield security cases.' };
+                }
+                const severityEmoji = { CRITICAL: '🔴', HIGH: '🟠', MEDIUM: '🟡', LOW: '🔵' };
+                const lines = cases.map((c) => {
+                    const emoji = severityEmoji[c.severity] || '⚠️';
+                    const age = Math.floor((Date.now() - new Date(c.created_at).getTime()) / 60000);
+                    const ageStr = age < 60 ? `${age}m` : `${Math.floor(age / 60)}h`;
+                    return `${emoji} **${c.rule_title}** (${c.severity || 'unknown'}) — ${c.event_count} events — ${ageStr} ago`;
+                });
+                return {
+                    text: [
+                        `🛡️ **Shield — ${cases.length} Pending Case${cases.length > 1 ? 's' : ''}**`,
+                        '',
+                        ...lines,
+                        '',
+                        'Use `openclaw shield cases show <id>` for details.',
+                    ].join('\n'),
+                };
+            },
+        });
         api.registerCli(({ program }) => {
             const shield = program.command('shield');
             (0, cli_cases_1.registerCasesCli)(shield);
+            shield.command('monitor')
+                .description('Manage case notification monitoring via cron')
+                .option('--on', 'Enable case monitoring (creates cron job)')
+                .option('--off', 'Disable case monitoring (removes cron job)')
+                .option('--interval <minutes>', 'Check interval in minutes (default: 5)', '5')
+                .action(async (opts) => {
+                const { execSync } = require('child_process');
+                const CRON_NAME = 'shield-case-monitor';
+                let cronJob = null;
+                try {
+                    const list = execSync('openclaw cron list --json 2>/dev/null', { encoding: 'utf8' });
+                    const parsed = JSON.parse(list);
+                    const jobs = Array.isArray(parsed) ? parsed : (Array.isArray(parsed?.jobs) ? parsed.jobs : []);
+                    cronJob = jobs.find((j) => j.name === CRON_NAME) || null;
+                }
+                catch { }
+                if (opts.off) {
+                    if (!cronJob) {
+                        console.log('ℹ️  Shield case monitor is not active.');
+                        return;
+                    }
+                    try {
+                        execSync(`openclaw cron remove ${cronJob.id}`, { encoding: 'utf8', stdio: 'pipe' });
+                        console.log('✅ Shield case monitor disabled.');
+                    }
+                    catch (err) {
+                        console.error(`❌ Failed to remove cron job ${cronJob.id}:`, err.message);
+                    }
+                    return;
+                }
+                if (opts.on) {
+                    const interval = parseInt(opts.interval || '5', 10);
+                    if (isNaN(interval) || interval < 1) {
+                        console.error('❌ Invalid interval. Must be at least 1 minute.');
+                        return;
+                    }
+                    if (cronJob) {
+                        try {
+                            execSync(`openclaw cron remove ${cronJob.id}`, { encoding: 'utf8', stdio: 'pipe' });
+                        }
+                        catch { }
+                    }
+                    const prompt = 'Check for new Shield security cases by running: openclaw shield cases list --status open. Report ONLY cases created in the last 10 minutes. If none are new, reply HEARTBEAT_OK.';
+                    try {
+                        execSync(`openclaw cron add --name "${CRON_NAME}" --every ${interval}m --message "${prompt.replace(/"/g, '\\"')}"`, { encoding: 'utf8', stdio: 'pipe' });
+                        console.log(`✅ Shield case monitor enabled (every ${interval}m).`);
+                        console.log(`   Cron job: ${CRON_NAME}`);
+                        console.log('   Disable with: openclaw shield monitor --off');
+                    }
+                    catch (err) {
+                        console.error('❌ Failed to create cron job:', err.message);
+                    }
+                    return;
+                }
+                if (cronJob) {
+                    console.log('🛡️  Shield case monitor: ✅ Active');
+                    console.log(`   Cron job: ${CRON_NAME} (${cronJob.id})`);
+                    console.log('   Disable with: openclaw shield monitor --off');
+                }
+                else {
+                    console.log('🛡️  Shield case monitor: ❌ Inactive');
+                    console.log('   Enable with: openclaw shield monitor --on');
+                    console.log('   Options: --interval <minutes> (default: 5)');
+                }
+            });
             shield.command('status')
                 .description('Show Shield monitoring status and activity')
                 .action(async () => {

package/dist/src/case-monitor.d.ts

@@ -1,4 +1,24 @@
 import { type PlatformApiConfig } from './rpc/client';
+type EnqueueSystemEventFn = (text: string, options: {
+    sessionKey: string;
+    contextKey?: string | null;
+}) => boolean;
+type RequestHeartbeatNowFn = (opts?: {
+    reason?: string;
+    agentId?: string;
+    sessionKey?: string;
+}) => void;
+export declare function setCaseNotificationDispatcher(opts: {
+    enqueueSystemEvent: EnqueueSystemEventFn;
+    requestHeartbeatNow: RequestHeartbeatNowFn;
+    agentId?: string;
+}): void;
+type DirectSendFn = (to: string, text: string, opts?: Record<string, unknown>) => Promise<unknown>;
+export declare function setDirectSendDispatcher(opts: {
+    sendFn: DirectSendFn;
+    to: string;
+    channel: string;
+}): void;
 export interface CaseSummary {
     id: string;
     rule_id: string;
@@ -7,9 +27,33 @@ export interface CaseSummary {
     status: string;
     created_at: string;
     summary: string;
+    description?: string;
+    mitre_technique?: string;
     event_count: number;
     agent_id?: string;
 }
+export interface CaseDetail extends CaseSummary {
+    attribution?: string;
+    events?: Array<{
+        timestamp: string;
+        event_type: string;
+        tool_name: string;
+        summary: string;
+        session_id?: string | null;
+    }>;
+    rule?: {
+        description?: string;
+        mitre_tactic?: string;
+        mitre_technique?: string;
+    };
+    playbook?: {
+        name?: string;
+        summary?: string;
+        steps?: string | null;
+    };
+    resolution?: string | null;
+    url?: string;
+}
 export declare function initCaseMonitor(dataDir: string): void;
 export declare function notifyCaseMonitorActivity(): void;
 export declare function getCaseMonitorStatus(): {
@@ -20,5 +64,6 @@ export declare function getCaseMonitorStatus(): {
 export declare function checkForNewCases(config: PlatformApiConfig): Promise<void>;
 export declare function getPendingCases(): CaseSummary[];
 export declare function acknowledgeCases(caseIds: string[]): void;
-export declare function formatCaseNotification(c: CaseSummary): string;
+export declare function formatCaseNotification(c: CaseSummary | CaseDetail): string;
 export declare function _resetForTesting(): void;
+export {};

package/dist/src/case-monitor.js

@@ -33,6 +33,8 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.setCaseNotificationDispatcher = setCaseNotificationDispatcher;
+exports.setDirectSendDispatcher = setDirectSendDispatcher;
 exports.initCaseMonitor = initCaseMonitor;
 exports.notifyCaseMonitorActivity = notifyCaseMonitorActivity;
 exports.getCaseMonitorStatus = getCaseMonitorStatus;
@@ -43,8 +45,113 @@ exports.formatCaseNotification = formatCaseNotification;
 exports._resetForTesting = _resetForTesting;
 const safe_io_1 = require("./safe-io");
 const client_1 = require("./rpc/client");
+const exclusions_1 = require("./exclusions");
 const log = __importStar(require("./log"));
 const path_1 = require("path");
+let _enqueueSystemEvent = null;
+let _requestHeartbeatNow = null;
+let _agentId = 'main';
+function setCaseNotificationDispatcher(opts) {
+    _enqueueSystemEvent = opts.enqueueSystemEvent;
+    _requestHeartbeatNow = opts.requestHeartbeatNow;
+    if (opts.agentId)
+        _agentId = opts.agentId;
+    log.info('case-monitor', 'Notification dispatcher configured');
+}
+function getMainSessionKey() {
+    return `agent:${_agentId}:main`;
+}
+async function enrichCases(config, cases) {
+    if (cases.length > 3)
+        return cases;
+    const enriched = [];
+    for (const cs of cases) {
+        try {
+            const result = await (0, client_1.callPlatformApi)(config, `/v1/agent/cases/${cs.id}`);
+            if (result.ok && result.data) {
+                enriched.push(result.data);
+            }
+            else {
+                enriched.push(cs);
+            }
+        }
+        catch {
+            enriched.push(cs);
+        }
+    }
+    return enriched;
+}
+function isCaseDetail(c) {
+    return 'rule' in c || 'playbook' in c || 'events' in c;
+}
+let _directSendFn = null;
+let _directSendTo = null;
+let _directSendChannel = null;
+function setDirectSendDispatcher(opts) {
+    _directSendFn = opts.sendFn;
+    _directSendTo = opts.to;
+    _directSendChannel = opts.channel;
+    log.info('case-monitor', `Direct send configured (channel: ${opts.channel}, to: ${opts.to})`);
+}
+function dispatchCaseNotifications(cases) {
+    if (cases.length === 0)
+        return;
+    let text;
+    if (cases.length === 1) {
+        text = formatCaseNotification(cases[0]);
+    }
+    else {
+        const lines = cases.map(c => {
+            const emoji = { CRITICAL: '🔴', HIGH: '🟠', MEDIUM: '🟡', LOW: '🔵' };
+            const sev = c.severity ? ` (${c.severity})` : '';
+            return `${emoji[c.severity] || '⚠️'} **${c.rule_title}**${sev} — ${c.event_count} events`;
+        });
+        text = [
+            `⚠️ **Shield Alert — ${cases.length} New Cases**`,
+            '',
+            ...lines,
+            '',
+            '',
+            '💡 **Next steps:**',
+            ...cases.map(c => `  • _"Investigate case ${c.id}"_`),
+        ].join('\n');
+    }
+    if (_directSendFn && _directSendTo) {
+        try {
+            const sendOpts = { textMode: 'markdown' };
+            _directSendFn(_directSendTo, text, sendOpts)
+                .then(() => {
+                log.info('case-monitor', `Direct notification sent for ${cases.length} case(s) via ${_directSendChannel} to ${_directSendTo}`);
+                acknowledgeCases(cases.map(c => c.id));
+            })
+                .catch((err) => {
+                log.warn('case-monitor', `Direct send failed: ${err instanceof Error ? err.message : String(err)}`);
+                dispatchViaSystemEvent(cases, text);
+            });
+            return;
+        }
+        catch (err) {
+            log.warn('case-monitor', `Direct send error: ${err instanceof Error ? err.message : String(err)}`);
+        }
+    }
+    dispatchViaSystemEvent(cases, text);
+}
+function dispatchViaSystemEvent(cases, text) {
+    if (!_enqueueSystemEvent || !_requestHeartbeatNow) {
+        log.debug('case-monitor', 'No notification dispatcher available — skipping');
+        return;
+    }
+    const sessionKey = getMainSessionKey();
+    const contextKey = `shield:cases:${cases.map(c => c.id).sort().join(',')}`;
+    const enqueued = _enqueueSystemEvent(text, { sessionKey, contextKey });
+    if (enqueued) {
+        _requestHeartbeatNow({ reason: 'shield:new-cases' });
+        log.info('case-monitor', `System event dispatched for ${cases.length} case(s) to session ${sessionKey}`);
+    }
+    else {
+        log.debug('case-monitor', 'System event not enqueued (duplicate or no session)');
+    }
+}
 const MIN_CHECK_INTERVAL_MS = 60_000;
 const MAX_CHECK_INTERVAL_MS = 900_000;
 const RECENT_EVENT_THRESHOLD_MS = 300_000;
@@ -98,11 +205,8 @@ async function checkForNewCases(config) {
     try {
         const params = {
             status: 'open',
-            limit: 20,
+            limit: 50,
         };
-        if (state.lastCheckAt) {
-            params.since = state.lastCheckAt;
-        }
         const result = await (0, client_1.callPlatformApi)(config, '/v1/agent/cases', params, 'GET');
         if (!result.ok) {
             if (!result.error?.includes('not configured')) {
@@ -113,10 +217,23 @@ async function checkForNewCases(config) {
         const cases = result.data?.cases ?? [];
         const ackSet = new Set(state.acknowledgedIds);
         const pendingSet = new Set(state.pendingCases.map(c => c.id));
-        const newCases = cases.filter(c => !ackSet.has(c.id) && !pendingSet.has(c.id));
+        const newCasesRaw = cases.filter(c => !ackSet.has(c.id) && !pendingSet.has(c.id));
+        const newCases = [];
+        for (const c of newCasesRaw) {
+            const hash = (0, exclusions_1.computePatternHash)(c.rule_id, c.summary || '');
+            if ((0, exclusions_1.isExcluded)(c.rule_id, hash, c.agent_id)) {
+                log.info('case-monitor', `Case ${c.id} matched FP exclusion (rule=${c.rule_id}) — auto-acknowledging`);
+                state.acknowledgedIds = [...state.acknowledgedIds, c.id].slice(-MAX_ACKNOWLEDGED_IDS);
+            }
+            else {
+                newCases.push(c);
+            }
+        }
         if (newCases.length > 0) {
             state.pendingCases = [...state.pendingCases, ...newCases];
             log.info('case-monitor', `${newCases.length} new case(s) pending notification`);
+            const enriched = await enrichCases(config, newCases);
+            dispatchCaseNotifications(enriched);
         }
         state.lastCheckAt = new Date().toISOString();
         (0, safe_io_1.writeJsonSafe)(stateFile, state);
@@ -151,28 +268,59 @@ function acknowledgeCases(caseIds) {
     (0, safe_io_1.writeJsonSafe)(stateFile, state);
     log.info('case-monitor', `Acknowledged ${caseIds.length} case(s), ${state.pendingCases.length} still pending`);
 }
+const MITRE_TACTICS = {
+    TA0001: 'Initial Access', TA0002: 'Execution', TA0003: 'Persistence',
+    TA0004: 'Privilege Escalation', TA0005: 'Defense Evasion', TA0006: 'Credential Access',
+    TA0007: 'Discovery', TA0008: 'Lateral Movement', TA0009: 'Collection',
+    TA0010: 'Exfiltration', TA0011: 'Command and Control', TA0040: 'Impact',
+    TA0042: 'Resource Development', TA0043: 'Reconnaissance',
+};
+const MITRE_TECHNIQUES = {
+    T1485: 'Data Destruction', T1489: 'Service Stop', T1059: 'Command and Scripting Interpreter',
+    T1070: 'Indicator Removal', T1105: 'Ingress Tool Transfer', T1136: 'Create Account',
+    T1548: 'Abuse Elevation Control', T1562: 'Impair Defenses', T1053: 'Scheduled Task/Job',
+    T1027: 'Obfuscated Files', T1082: 'System Information Discovery', T1518: 'Software Discovery',
+};
+function mitreLabel(code, map) {
+    if (!code)
+        return '';
+    const name = map[code];
+    return name ? `${code} ${name}` : code;
+}
 function formatCaseNotification(c) {
     const severityEmoji = {
-        CRITICAL: '🔴',
-        HIGH: '🟠',
-        MEDIUM: '🟡',
-        LOW: '🔵',
-        INFO: 'ℹ️',
+        CRITICAL: '🔴', HIGH: '🟠', MEDIUM: '🟡', LOW: '🔵', INFO: 'ℹ️',
     };
     const emoji = severityEmoji[c.severity] || '⚠️';
+    const caseId = c.id;
+    const detail = isCaseDetail(c) ? c : null;
     const ago = getTimeAgo(c.created_at);
-    return [
+    const lines = [
         `${emoji} **Shield Alert — New Case**`,
         ``,
         `**Rule:** ${c.rule_title}`,
-        `**Severity:** ${c.severity}`,
-        `**Time:** ${ago}`,
-        `**Events:** ${c.event_count}`,
-        ``,
-        `> ${c.summary}`,
-        ``,
-        `Ask me to investigate or resolve this case.`,
-    ].join('\n');
+    ];
+    if (c.severity) {
+        lines.push(`**Priority:** ${c.severity}`);
+    }
+    lines.push(`**Time:** ${ago}`, `**Events:** ${c.event_count}`, `**Case:** \`${caseId}\``);
+    if (detail?.rule?.description) {
+        lines.push(``, `> ${detail.rule.description}`);
+    }
+    if (detail?.rule?.mitre_tactic || detail?.rule?.mitre_technique) {
+        const tactic = mitreLabel(detail.rule.mitre_tactic, MITRE_TACTICS);
+        const technique = mitreLabel(detail.rule.mitre_technique, MITRE_TECHNIQUES);
+        const mitre = [tactic, technique].filter(Boolean).join(' · ');
+        lines.push(`> 🎯 MITRE: ${mitre}`);
+    }
+    if (detail?.playbook?.summary) {
+        lines.push(``, `⚠️ ${detail.playbook.summary}`);
+    }
+    lines.push(``, ``, `💡 **What's next:**`, `  • _"Investigate case ${caseId}"_`, `  • _"Close case ${caseId} as false positive"_`, `  • _"Resolve case ${caseId} — it was authorized maintenance"_`);
+    if (detail?.url) {
+        lines.push(``, `🔗 ${detail.url}`);
+    }
+    return lines.join('\n');
 }
 function getTimeAgo(isoDate) {
     const diffMs = Date.now() - new Date(isoDate).getTime();

package/dist/src/cli-cases.js

@@ -35,6 +35,9 @@ var __importStar = (this && this.__importStar) || (function () {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.registerCasesCli = registerCasesCli;
 const config_1 = require("./config");
+const exclusions_1 = require("./exclusions");
+const path_1 = require("path");
+const os_1 = require("os");
 function hasValidCreds(creds) {
     return !!(creds.apiUrl && creds.instanceId && creds.hmacSecret);
 }
@@ -60,6 +63,16 @@ function registerCasesCli(shieldCommand) {
         .argument('<id>', 'Case ID')
         .option('--format <fmt>', 'Output format: table or json', 'table')
         .action(showCase);
+    const exclusions = shieldCommand.command('exclusions')
+        .description('List and manage FP exclusions');
+    exclusions.action(() => {
+        listExclusionsCli();
+    });
+    exclusions
+        .command('remove')
+        .description('Remove an exclusion by ID')
+        .argument('<id>', 'Exclusion ID')
+        .action(removeExclusionCli);
     cases
         .command('resolve')
         .description('Resolve/close a security case')
@@ -182,3 +195,36 @@ async function resolveCase(id, opts) {
         console.log('Response:', JSON.stringify(result, null, 2));
     }
 }
+function ensureExclusionsInit() {
+    const dataDir = (0, path_1.join)((0, os_1.homedir)(), '.openclaw', 'shield', 'data');
+    (0, exclusions_1.initExclusions)(dataDir);
+}
+function listExclusionsCli() {
+    ensureExclusionsInit();
+    const exclusions = (0, exclusions_1.listExclusions)();
+    if (exclusions.length === 0) {
+        console.log('No exclusions configured. ✅');
+        return;
+    }
+    console.log(`Exclusions (${exclusions.length}):\n`);
+    for (const e of exclusions) {
+        const time = new Date(e.created_at).toLocaleString();
+        console.log(`  ${e.id}`);
+        console.log(`    Rule: ${e.rule_id}  Hash: ${e.pattern_hash.slice(0, 12)}…`);
+        if (e.agent_id)
+            console.log(`    Agent: ${e.agent_id}`);
+        if (e.reason)
+            console.log(`    Reason: ${e.reason}`);
+        console.log(`    Created: ${time}\n`);
+    }
+}
+function removeExclusionCli(id) {
+    ensureExclusionsInit();
+    const removed = (0, exclusions_1.removeExclusion)(id);
+    if (removed) {
+        console.log(`✅ Exclusion ${id} removed.`);
+    }
+    else {
+        console.error(`❌ Exclusion ${id} not found.`);
+    }
+}

package/dist/src/events/browser/enrich.js

@@ -10,6 +10,7 @@ function enrich(tool, ctx) {
         'openclaw.session_id': ctx.sessionId,
         'openclaw.agent_id': ctx.agentId,
         browser_action: args.action || null,
+        'openclaw.browser_action': args.action || null,
         url_domain: null,
         url_is_internal: false,
     };

package/dist/src/events/exec/enrich.d.ts

@@ -1,4 +1,5 @@
 import { RawToolCall, EnrichmentContext } from '../base';
 import { ExecEvent } from './event';
+export declare function detectSecretInCommand(cmd: string): boolean;
 export declare function splitChainedCommands(cmd: string): string[];
 export declare function enrich(tool: RawToolCall, ctx: EnrichmentContext): ExecEvent;