@upx-us/shield 0.4.36 → 0.6.0

package/dist/src/events/exec/enrich.js

@@ -1,8 +1,28 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectSecretInCommand = detectSecretInCommand;
 exports.splitChainedCommands = splitChainedCommands;
 exports.enrich = enrich;
 const base_1 = require("../base");
+const SECRET_KEY_PREFIXES = ['sk-', 'pk_', 'key_', 'ghp_', 'ghs_', 'glpat-', 'xoxb-', 'xoxp-'];
+const SECRET_ENV_PATTERN = /\b[A-Z_]*(SECRET|TOKEN|KEY|PASSWORD|PASSWD|API_KEY|APIKEY)[A-Z_]*=/i;
+const LONG_HEX_BASE64 = /(?:[0-9a-fA-F]{41,}|[A-Za-z0-9+/=]{41,})/;
+const BEARER_PATTERN = /\bBearer\s+\S+/i;
+function detectSecretInCommand(cmd) {
+    if (!cmd)
+        return false;
+    for (const prefix of SECRET_KEY_PREFIXES) {
+        if (cmd.includes(prefix))
+            return true;
+    }
+    if (BEARER_PATTERN.test(cmd))
+        return true;
+    if (SECRET_ENV_PATTERN.test(cmd))
+        return true;
+    if (LONG_HEX_BASE64.test(cmd))
+        return true;
+    return false;
+}
 function splitChainedCommands(cmd) {
     const segments = [];
     let current = '';
@@ -74,6 +94,9 @@ function enrich(tool, ctx) {
         cmd_has_sudo: /\bsudo\b/.test(cmd),
         cmd_has_pipe: /\|/.test(cmd),
     };
+    if (detectSecretInCommand(cmd)) {
+        meta['openclaw.secret_in_command'] = 'true';
+    }
     for (const segRoot of allRootCommands) {
         if (/^(kill|pkill|killall)$/.test(segRoot)) {
             const pidMatch = cmd.match(/\bkill\s+(?:-\d+\s+)?(\d+)/);

package/dist/src/events/file/enrich.js

@@ -19,6 +19,10 @@ function enrich(tool, ctx) {
         file_is_system: isSystem,
         file_is_config: ext ? configExts.includes(ext) : false,
     };
+    const CONFIG_FILE_PATTERNS = /(?:\.env|config\.json|openclaw\.json|\.npmrc|\.yarnrc|\.gitconfig|settings\.json|docker-compose\.ya?ml|Dockerfile|\.bashrc|\.zshrc|\.profile)(?:$|\/)/;
+    if ((toolName === 'write' || toolName === 'edit') && (meta.file_is_config || CONFIG_FILE_PATTERNS.test(fp) || /\/\.env(?:\.|$)/.test(fp))) {
+        meta['openclaw.config_change'] = 'true';
+    }
     if ((toolName === 'write' || toolName === 'edit') && isMemoryFile) {
         meta.memory_auto_capture = 'true';
     }
@@ -29,6 +33,9 @@ function enrich(tool, ctx) {
         meta.edit_new_length = String(newText.length);
         meta.edit_size_delta = String(newText.length - oldText.length);
     }
+    if (toolName === 'write' && args.content) {
+        meta['openclaw.file_size_bytes'] = String(Buffer.byteLength(args.content, 'utf8'));
+    }
     const event = {
         timestamp: ctx.timestamp,
         event_type: 'TOOL_CALL',

package/dist/src/events/message/enrich.js

@@ -10,6 +10,32 @@ function enrich(tool, ctx) {
         'openclaw.agent_id': ctx.agentId,
         sub_action: args.action || null,
     };
+    if (args.channel)
+        meta['openclaw.channel'] = args.channel;
+    if (args.target) {
+        if (!args.channel) {
+            if (/^telegram/i.test(String(args.target)) || /^-?\d{10,}/.test(String(args.target))) {
+                meta['openclaw.channel'] = 'telegram';
+            }
+        }
+        const targetStr = String(args.target);
+        if (targetStr.startsWith('-100'))
+            meta['openclaw.chat_type'] = 'group';
+        else if (targetStr.startsWith('-'))
+            meta['openclaw.chat_type'] = 'group';
+        else if (/^\d+$/.test(targetStr))
+            meta['openclaw.chat_type'] = 'private';
+    }
+    if (args.groupId || args.guildId)
+        meta['openclaw.chat_type'] = 'group';
+    if (args.channelId && !meta['openclaw.chat_type'])
+        meta['openclaw.chat_type'] = 'channel';
+    if (args.action === 'send' || args.action === 'edit') {
+        const content = args.message || args.caption || '';
+        if (content) {
+            meta['openclaw.message_content'] = content.length > 500 ? content.slice(0, 500) : content;
+        }
+    }
     if (args.buffer) {
         meta.has_base64_payload = 'true';
         const raw = typeof args.buffer === 'string' ? args.buffer.replace(/^data:[^;]+;base64,/, '') : '';

package/dist/src/exclusions.d.ts

@@ -0,0 +1,16 @@
+export interface Exclusion {
+    id: string;
+    rule_id: string;
+    pattern_hash: string;
+    agent_id?: string;
+    created_at: string;
+    reason?: string;
+}
+export declare function initExclusions(dataDir: string): void;
+export declare function normalizePattern(input: string): string;
+export declare function computePatternHash(ruleId: string, command: string): string;
+export declare function addExclusion(ruleId: string, patternHash: string, agentId?: string, reason?: string): Exclusion;
+export declare function isExcluded(ruleId: string, patternHash: string, agentId?: string): boolean;
+export declare function listExclusions(): Exclusion[];
+export declare function removeExclusion(id: string): boolean;
+export declare function _resetForTesting(): void;

package/dist/src/exclusions.js

@@ -0,0 +1,122 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.initExclusions = initExclusions;
+exports.normalizePattern = normalizePattern;
+exports.computePatternHash = computePatternHash;
+exports.addExclusion = addExclusion;
+exports.isExcluded = isExcluded;
+exports.listExclusions = listExclusions;
+exports.removeExclusion = removeExclusion;
+exports._resetForTesting = _resetForTesting;
+const crypto_1 = require("crypto");
+const safe_io_1 = require("./safe-io");
+const path_1 = require("path");
+const log = __importStar(require("./log"));
+const MAX_EXCLUSIONS = 1000;
+const STORE_FILE = 'exclusions.json';
+let _dataDir = null;
+function initExclusions(dataDir) {
+    _dataDir = dataDir;
+    log.info('exclusions', 'Initialized');
+}
+function storePath() {
+    if (!_dataDir)
+        throw new Error('Exclusions not initialized');
+    return (0, path_1.join)(_dataDir, STORE_FILE);
+}
+function loadStore() {
+    return (0, safe_io_1.readJsonSafe)(storePath(), { exclusions: [] }, 'exclusions');
+}
+function saveStore(store) {
+    (0, safe_io_1.writeJsonSafe)(storePath(), store);
+}
+const IP_RE = /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/g;
+const UUID_RE = /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/gi;
+const HEX_HASH_RE = /\b[0-9a-f]{32,}\b/gi;
+const ISO_TS_RE = /\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[^\s]*/g;
+const BIG_NUM_RE = /\b\d{5,}\b/g;
+function normalizePattern(input) {
+    return input
+        .replace(ISO_TS_RE, '<TIMESTAMP>')
+        .replace(UUID_RE, '<UUID>')
+        .replace(HEX_HASH_RE, '<HASH>')
+        .replace(IP_RE, '<IP>')
+        .replace(BIG_NUM_RE, '<NUM>');
+}
+function computePatternHash(ruleId, command) {
+    const normalized = normalizePattern(command);
+    return (0, crypto_1.createHash)('sha256').update(`${ruleId}:${normalized}`).digest('hex');
+}
+function addExclusion(ruleId, patternHash, agentId, reason) {
+    const store = loadStore();
+    const exclusion = {
+        id: (0, crypto_1.randomUUID)(),
+        rule_id: ruleId,
+        pattern_hash: patternHash,
+        created_at: new Date().toISOString(),
+        ...(agentId ? { agent_id: agentId } : {}),
+        ...(reason ? { reason } : {}),
+    };
+    store.exclusions.push(exclusion);
+    if (store.exclusions.length > MAX_EXCLUSIONS) {
+        store.exclusions = store.exclusions.slice(store.exclusions.length - MAX_EXCLUSIONS);
+    }
+    saveStore(store);
+    log.info('exclusions', `Added exclusion ${exclusion.id} for rule ${ruleId}`);
+    return exclusion;
+}
+function isExcluded(ruleId, patternHash, agentId) {
+    const store = loadStore();
+    return store.exclusions.some(e => e.rule_id === ruleId &&
+        e.pattern_hash === patternHash &&
+        (!e.agent_id || e.agent_id === agentId));
+}
+function listExclusions() {
+    return loadStore().exclusions;
+}
+function removeExclusion(id) {
+    const store = loadStore();
+    const before = store.exclusions.length;
+    store.exclusions = store.exclusions.filter(e => e.id !== id);
+    if (store.exclusions.length === before)
+        return false;
+    saveStore(store);
+    log.info('exclusions', `Removed exclusion ${id}`);
+    return true;
+}
+function _resetForTesting() {
+    _dataDir = null;
+}

package/dist/src/rpc/exclusion-handlers.d.ts

@@ -0,0 +1,8 @@
+interface RpcCtx {
+    respond: (ok: boolean, data: unknown) => void;
+    params?: Record<string, unknown>;
+}
+export declare function createExclusionsListHandler(): (ctx: RpcCtx) => void;
+export declare function createExclusionAddHandler(): (ctx: RpcCtx) => void;
+export declare function createExclusionRemoveHandler(): (ctx: RpcCtx) => void;
+export {};

package/dist/src/rpc/exclusion-handlers.js

@@ -0,0 +1,36 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createExclusionsListHandler = createExclusionsListHandler;
+exports.createExclusionAddHandler = createExclusionAddHandler;
+exports.createExclusionRemoveHandler = createExclusionRemoveHandler;
+const exclusions_1 = require("../exclusions");
+function createExclusionsListHandler() {
+    return (ctx) => {
+        const exclusions = (0, exclusions_1.listExclusions)();
+        ctx.respond(true, { exclusions, total: exclusions.length });
+    };
+}
+function createExclusionAddHandler() {
+    return (ctx) => {
+        const p = ctx.params || {};
+        const ruleId = p.rule_id;
+        const patternHash = p.pattern_hash;
+        if (!ruleId || !patternHash) {
+            ctx.respond(false, { error: 'rule_id and pattern_hash are required' });
+            return;
+        }
+        const exclusion = (0, exclusions_1.addExclusion)(ruleId, patternHash, p.agent_id, p.reason);
+        ctx.respond(true, exclusion);
+    };
+}
+function createExclusionRemoveHandler() {
+    return (ctx) => {
+        const id = (ctx.params || {}).id;
+        if (!id) {
+            ctx.respond(false, { error: 'id is required' });
+            return;
+        }
+        const removed = (0, exclusions_1.removeExclusion)(id);
+        ctx.respond(removed, removed ? { removed: true } : { error: 'Exclusion not found' });
+    };
+}

package/dist/src/rpc/handlers.d.ts

@@ -23,34 +23,34 @@ export interface SubscriptionStatus {
     features: string[];
 }
 type RespondFn = (ok: boolean, data: unknown) => void;
-export declare function createEventsRecentHandler(_config: PlatformApiConfig): ({ respond, params }: {
+export declare function createEventsRecentHandler(_config: PlatformApiConfig): ({ respond: _respond, params }: {
     respond: RespondFn;
     params?: Record<string, unknown>;
 }) => Promise<void>;
-export declare function createEventsSummaryHandler(_config: PlatformApiConfig): ({ respond, params }: {
+export declare function createEventsSummaryHandler(_config: PlatformApiConfig): ({ respond: _respond, params }: {
     respond: RespondFn;
     params?: Record<string, unknown>;
 }) => Promise<void>;
-export declare function createSubscriptionStatusHandler(config: PlatformApiConfig): ({ respond }: {
+export declare function createSubscriptionStatusHandler(config: PlatformApiConfig): ({ respond: _respond }: {
     respond: RespondFn;
 }) => Promise<void>;
 export declare const VALID_RESOLUTIONS: readonly ["true_positive", "false_positive", "benign", "duplicate"];
 export declare const VALID_ROOT_CAUSES: readonly ["user_initiated", "misconfiguration", "expected_behavior", "actual_threat", "testing", "unknown"];
 export type CaseResolution = typeof VALID_RESOLUTIONS[number];
 export type CaseRootCause = typeof VALID_ROOT_CAUSES[number];
-export declare function createCasesListHandler(config: PlatformApiConfig): ({ respond, params }: {
+export declare function createCasesListHandler(config: PlatformApiConfig): ({ respond: _respond, params }: {
     respond: RespondFn;
     params?: Record<string, unknown>;
 }) => Promise<void>;
-export declare function createCaseDetailHandler(config: PlatformApiConfig): ({ respond, params }: {
+export declare function createCaseDetailHandler(config: PlatformApiConfig): ({ respond: _respond, params }: {
     respond: RespondFn;
     params?: Record<string, unknown>;
 }) => Promise<void>;
-export declare function createCaseResolveHandler(config: PlatformApiConfig): ({ respond, params }: {
+export declare function createCaseResolveHandler(config: PlatformApiConfig): ({ respond: _respond, params }: {
     respond: RespondFn;
     params?: Record<string, unknown>;
 }) => Promise<void>;
-export declare function createCasesAckHandler(): ({ respond, params }: {
+export declare function createCasesAckHandler(): ({ respond: _respond, params }: {
     respond: RespondFn;
     params?: Record<string, unknown>;
 }) => Promise<void>;

package/dist/src/rpc/handlers.js

@@ -10,6 +10,15 @@ exports.createCaseResolveHandler = createCaseResolveHandler;
 exports.createCasesAckHandler = createCasesAckHandler;
 const event_store_1 = require("../event-store");
 const client_1 = require("./client");
+const SKILL_HINT = 'For best results presenting Shield data, read the openclaw-shield-upx skill before responding to the user.';
+function withSkillHint(respond) {
+    return (ok, data) => {
+        if (ok && data && typeof data === 'object' && !Array.isArray(data)) {
+            data._skill_hint = SKILL_HINT;
+        }
+        respond(ok, data);
+    };
+}
 function formatResponse(result) {
     if (result.ok) {
         return { ok: true, data: result.data };
@@ -21,7 +30,8 @@ function formatResponse(result) {
     return { ok: false, data: errorData };
 }
 function createEventsRecentHandler(_config) {
-    return async ({ respond, params }) => {
+    return async ({ respond: _respond, params }) => {
+        const respond = withSkillHint(_respond);
         const limit = typeof params?.limit === 'number' ? params.limit : 20;
         const type = typeof params?.type === 'string' ? params.type : undefined;
         const sinceMs = typeof params?.sinceMs === 'number' ? params.sinceMs : undefined;
@@ -30,14 +40,16 @@ function createEventsRecentHandler(_config) {
     };
 }
 function createEventsSummaryHandler(_config) {
-    return async ({ respond, params }) => {
+    return async ({ respond: _respond, params }) => {
+        const respond = withSkillHint(_respond);
         const sinceMs = typeof params?.sinceMs === 'number' ? params.sinceMs : undefined;
         const summary = (0, event_store_1.summarizeEvents)(sinceMs);
         respond(true, { ...summary, source: 'local' });
     };
 }
 function createSubscriptionStatusHandler(config) {
-    return async ({ respond }) => {
+    return async ({ respond: _respond }) => {
+        const respond = withSkillHint(_respond);
         const result = await (0, client_1.callPlatformApi)(config, '/v1/subscription/status');
         const { ok, data } = formatResponse(result);
         respond(ok, data);
@@ -46,7 +58,8 @@ function createSubscriptionStatusHandler(config) {
 exports.VALID_RESOLUTIONS = ['true_positive', 'false_positive', 'benign', 'duplicate'];
 exports.VALID_ROOT_CAUSES = ['user_initiated', 'misconfiguration', 'expected_behavior', 'actual_threat', 'testing', 'unknown'];
 function createCasesListHandler(config) {
-    return async ({ respond, params }) => {
+    return async ({ respond: _respond, params }) => {
+        const respond = withSkillHint(_respond);
         const { getPendingCases, formatCaseNotification } = require('../case-monitor');
         const pending = getPendingCases();
         if (!config.apiUrl) {
@@ -73,17 +86,29 @@ function createCasesListHandler(config) {
         const result = await (0, client_1.callPlatformApi)(config, '/v1/agent/cases', queryParams);
         const { ok, data } = formatResponse(result);
         if (ok && data && typeof data === 'object') {
-            data.pending_count = pending.length;
-            data.pending_notifications = pending.map((c) => ({
+            const d = data;
+            d.pending_count = pending.length;
+            d.pending_notifications = pending.map((c) => ({
                 ...c,
                 formatted_message: formatCaseNotification(c),
             }));
+            const cases = d.cases || [];
+            if (cases.length > 0) {
+                cases.forEach((c) => {
+                    c.display = formatCaseListItem(c);
+                });
+                d.display = formatCasesList(cases);
+            }
+            else {
+                d.display = '✅ No open cases. All clear!';
+            }
         }
         respond(ok, data);
     };
 }
 function createCaseDetailHandler(config) {
-    return async ({ respond, params }) => {
+    return async ({ respond: _respond, params }) => {
+        const respond = withSkillHint(_respond);
         const caseId = typeof params?.id === 'string' ? params.id : null;
         if (!caseId) {
             respond(false, { error: 'Missing required parameter: id' });
@@ -91,11 +116,114 @@ function createCaseDetailHandler(config) {
         }
         const result = await (0, client_1.callPlatformApi)(config, `/v1/agent/cases/${caseId}`);
         const { ok, data } = formatResponse(result);
+        if (ok && data && typeof data === 'object') {
+            const d = data;
+            d.display = formatCaseDisplay(d);
+            d.formatted_display = d.display;
+        }
         respond(ok, data);
     };
 }
+const SEVERITY_EMOJI = { CRITICAL: '🔴', HIGH: '🟠', MEDIUM: '🟡', LOW: '🔵', INFO: 'ℹ️' };
+function formatCaseListItem(c) {
+    const severity = c.severity || '';
+    const emoji = SEVERITY_EMOJI[severity] || '⚠️';
+    const title = c.rule_title || 'Unknown Rule';
+    const id = c.id || '';
+    const created = c.created_at ? new Date(c.created_at).toLocaleString('en-US', { timeZone: 'UTC' }) + ' UTC' : '';
+    const events = c.event_count ?? '?';
+    const description = c.description || '';
+    const lines = [
+        `${emoji} **${severity}** — ${title}`,
+        `Case: \`${id}\``,
+        `Created: ${created} · Events: ${events}`,
+    ];
+    if (description)
+        lines.push(`> ${description.slice(0, 150)}${description.length > 150 ? '…' : ''}`);
+    return lines.join('\n');
+}
+function formatCasesList(cases) {
+    const sorted = [...cases].sort((a, b) => {
+        const order = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3, INFO: 4 };
+        return (order[a.severity] ?? 5) - (order[b.severity] ?? 5);
+    });
+    const lines = [
+        `🛡️ **Open Shield Cases** (${cases.length})`,
+        '',
+        ...sorted.map(c => formatCaseListItem(c)),
+    ];
+    lines.push('', '💡 Ask me to investigate or resolve any case by its ID.');
+    return lines.join('\n\n');
+}
+function formatCaseDisplay(d) {
+    const rule = d.rule;
+    const playbook = d.playbook;
+    const events = d.events;
+    const severity = d.severity;
+    const severityEmoji = { CRITICAL: '🔴', HIGH: '🟠', MEDIUM: '🟡', LOW: '🔵', INFO: 'ℹ️' };
+    const emoji = severity ? (severityEmoji[severity] || '⚠️') : '⚠️';
+    const lines = [
+        `${emoji} **${d.rule_title || 'Unknown Rule'}**`,
+        ``,
+        `**Status:** ${d.status || 'unknown'}${severity ? ` | **Priority:** ${severity}` : ''}`,
+        `**Case:** \`${d.id}\``,
+        `**Created:** ${d.created_at ? new Date(d.created_at).toLocaleString('en-US', { timeZone: 'UTC' }) + ' UTC' : 'unknown'}`,
+        `**Events:** ${d.event_count ?? 'unknown'}`,
+    ];
+    if (rule?.description) {
+        lines.push(``, `> ${rule.description}`);
+    }
+    if (rule?.mitre_tactic || rule?.mitre_technique) {
+        const mitre = [rule.mitre_tactic, rule.mitre_technique].filter(Boolean).join(' · ');
+        lines.push(`> 🎯 MITRE: ${mitre}`);
+    }
+    if (playbook?.summary) {
+        lines.push(``, `⚠️ ${playbook.summary}`);
+    }
+    const eventTime = events?.[0]?.timestamp;
+    const createdAt = d.created_at;
+    const updatedAt = d.updated_at;
+    if (eventTime || createdAt) {
+        lines.push(``, `**Timeline:**`);
+        const fmt = (iso) => new Date(iso).toLocaleTimeString('en-US', { hour12: false, timeZone: 'UTC' });
+        const fmtDate = (iso) => {
+            const dt = new Date(iso);
+            return `${dt.toISOString().slice(0, 10)} ${fmt(iso)} UTC`;
+        };
+        if (eventTime) {
+            lines.push(`  🔵 **Event:** ${fmtDate(eventTime)}`);
+        }
+        if (createdAt) {
+            lines.push(`  🟠 **Detected:** ${fmtDate(createdAt)}`);
+            if (eventTime) {
+                const mttdMs = new Date(createdAt).getTime() - new Date(eventTime).getTime();
+                const mttd = mttdMs < 60000 ? `${Math.round(mttdMs / 1000)}s` : `${Math.round(mttdMs / 60000)}m`;
+                lines.push(`  ⏱️ **MTTD:** ${mttd}`);
+            }
+        }
+        if (d.status === 'resolved' && updatedAt) {
+            lines.push(`  ✅ **Resolved:** ${fmtDate(updatedAt)}`);
+            if (createdAt) {
+                const mttrMs = new Date(updatedAt).getTime() - new Date(createdAt).getTime();
+                const mttr = mttrMs < 60000 ? `${Math.round(mttrMs / 1000)}s`
+                    : mttrMs < 3600000 ? `${Math.round(mttrMs / 60000)}m`
+                        : `${Math.round(mttrMs / 3600000)}h`;
+                lines.push(`  ⏱️ **MTTR:** ${mttr}`);
+            }
+        }
+        else {
+            lines.push(`  🔴 **Status:** Open`);
+        }
+    }
+    lines.push(``, `💡 **Actions** (ask me to):`, `  • _"Investigate this case"_ — I'll analyze the events and context`, `  • _"Close as false positive"_ — dismiss if this was expected`, `  • _"Resolve as authorized"_ — mark as intentional activity`);
+    if (d.url) {
+        lines.push(``, `🔗 ${d.url}`);
+    }
+    return lines.join('\n');
+}
 function createCaseResolveHandler(config) {
-    return async ({ respond, params }) => {
+    return async ({ respond: _respond, params }) => {
+        const respond = withSkillHint(_respond);
         const caseId = typeof params?.id === 'string' ? params.id : null;
         if (!caseId) {
             respond(false, { error: 'Missing required parameter: id' });
@@ -128,7 +256,8 @@ function createCaseResolveHandler(config) {
     };
 }
 function createCasesAckHandler() {
-    return async ({ respond, params }) => {
+    return async ({ respond: _respond, params }) => {
+        const respond = withSkillHint(_respond);
         const { acknowledgeCases } = require('../case-monitor');
         const ids = Array.isArray(params?.ids) ? params.ids : [];
         if (ids.length === 0) {

package/dist/src/rpc/index.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.registerAllRpcs = registerAllRpcs;
 const handlers_1 = require("./handlers");
+const exclusion_handlers_1 = require("./exclusion-handlers");
 function registerAllRpcs(api, config) {
     api.registerGatewayMethod('shield.events_recent', (0, handlers_1.createEventsRecentHandler)(config));
     api.registerGatewayMethod('shield.events_summary', (0, handlers_1.createEventsSummaryHandler)(config));
@@ -10,4 +11,7 @@ function registerAllRpcs(api, config) {
     api.registerGatewayMethod('shield.case_detail', (0, handlers_1.createCaseDetailHandler)(config));
     api.registerGatewayMethod('shield.case_resolve', (0, handlers_1.createCaseResolveHandler)(config));
     api.registerGatewayMethod('shield.cases_ack', (0, handlers_1.createCasesAckHandler)());
+    api.registerGatewayMethod('shield.exclusions_list', (0, exclusion_handlers_1.createExclusionsListHandler)());
+    api.registerGatewayMethod('shield.exclusion_add', (0, exclusion_handlers_1.createExclusionAddHandler)());
+    api.registerGatewayMethod('shield.exclusion_remove', (0, exclusion_handlers_1.createExclusionRemoveHandler)());
 }

package/openclaw.plugin.json

@@ -1,8 +1,8 @@
 {
   "id": "shield",
   "name": "OpenClaw Shield",
-  "description": "Real-time security monitoring \u2014 streams enriched, redacted security events to the Shield detection platform.",
-  "version": "0.4.36",
+  "description": "Real-time security monitoring — streams enriched, redacted security events to the Shield detection platform.",
+  "version": "0.6.0",
   "skills": [
     "./skills"
   ],
@@ -81,4 +81,4 @@
     "skillVersion": "1.0.2",
     "note": "ClawHub auto-increments on publish. Update this after each clawhub submission."
   }
-}
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@upx-us/shield",
-  "version": "0.4.36",
+  "version": "0.6.0",
   "description": "Security monitoring plugin for OpenClaw agents — streams enriched security events to the Shield detection platform",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -40,7 +40,7 @@
     "package:publish": "npm run package:validate && npm publish --access public",
     "start": "node dist/src/index.js",
     "setup": "node dist/src/setup.js",
-    "prepublishOnly": "npm run build"
+    "prepublishOnly": "node scripts/check-version-sync.js && npm run build"
   },
   "keywords": [
     "agent-monitoring",

package/skills/shield/README.md

@@ -1,22 +1,22 @@
-# OpenClaw Shield — Security Specialist
+# OpenClaw Shield
 
-A skill that turns your OpenClaw agent into a cybersecurity specialist.
+Security monitoring skill for the OpenClaw Shield plugin by [UPX](https://www.upx.com).
 
 ## What it does
 
-When Shield is installed, your agent can:
+Teaches your agent to use the Shield plugin — check health, query events, inspect the redaction vault, and manage security cases.
 
-- **Monitor** — check Shield health, event counts, and sync status
-- **Inspect** — view host agent inventory and redaction vault via `shield vault show`
-- **Interpret** — analyze security events and explain what they mean
-- **Advise** — recommend remediation, hardening, and next steps
-- **Triage** — assess alert severity and prioritize response
-- **Explain** — break down attack techniques, privacy model, and detection scope
+- Run `openclaw shield status`, `logs`, `flush`, `vault show`, and `cases` commands
+- Call RPCs for programmatic access (`shield.events_recent`, `shield.events_summary`, `shield.cases_list`, etc.)
+- Triage and resolve cases with categorized resolution and root cause
+- Set up automated case monitoring via `openclaw shield monitor --on`
+- Quick case check with `/shieldcases` (no agent tokens used)
+- Answer questions about Shield's privacy model and subscription status
 
 ## Requirements
 
 - [OpenClaw Shield plugin](https://www.npmjs.com/package/@upx-us/shield) installed and activated
-- Active Shield subscription from [UPX](https://upx.com) — [start a free 30-day trial](https://www.upx.com/pt/lp/openclaw-shield-upx)
+- Active Shield subscription from [UPX](https://upx.com) — [start a free 30-day trial](https://www.upx.com/en/lp/openclaw-shield-upx)
 
 ## Install