@upx-us/shield 0.6.0 → 0.6.1

package/CHANGELOG.md

@@ -4,6 +4,37 @@ All notable changes to this project will be documented in this file.
 
 ---
 
+## [0.6.1] — 2026-03-09
+
+### Fixed
+- **Auto-update restart resilience** — `requestGatewayRestart()` failures no longer leave the plugin in a split-brain state. The updater now tracks `pendingRestart` in `update-state.json` and retries the gateway restart on every subsequent poll cycle. After 5 failed attempts (~2.5 min), automatically rolls back to the previous backup version. Closes #112.
+
+---
+
+## [0.6.0] — 2026-03-06
+
+### Added
+- **Transformer gap fields** — 7 new fields to unblock ~20 SIEM detection rules:
+  - `openclaw.secret_in_command` — detects API keys, bearer tokens, and secrets in commands (pre-redaction flag)
+  - `openclaw.channel` + `openclaw.chat_type` — messaging context for DLP rules
+  - `openclaw.message_content` — truncated outbound message content (500 chars) for DLP pattern matching
+  - `openclaw.browser_action` — browser tool action type (navigate, click, evaluate, etc.)
+  - `openclaw.config_change` — flags writes/edits to config files (.env, openclaw.json, etc.)
+  - `openclaw.file_size_bytes` — file size on write operations
+- **`_skill_hint` in RPC responses** — all successful Shield RPCs include a machine-readable hint nudging agents to read the SKILL.md before presenting data to users.
+
+### Changed
+- npm registry cleaned: removed 26 old 0.5.x versions (kept 0.5.38 as fallback)
+
+---
+
+## [0.5.38] — 2026-03-06
+
+### Added
+- `_skill_hint` field in all RPC responses (agent-facing, invisible to users)
+
+---
+
 ## [0.5.18] — 2026-03-06
 
 ### Added

package/dist/src/updater.d.ts

@@ -8,6 +8,8 @@ export interface UpdateState {
     lastError: string | null;
     rollbackVersion: string | null;
     consecutiveFailures: number;
+    pendingRestart: boolean;
+    restartAttempts: number;
 }
 export interface UpdateCheckResult {
     updateAvailable: boolean;

package/dist/src/updater.js

@@ -111,6 +111,8 @@ function loadUpdateState() {
         lastError: null,
         rollbackVersion: null,
         consecutiveFailures: 0,
+        pendingRestart: false,
+        restartAttempts: 0,
     };
     if (!(0, fs_1.existsSync)(UPDATE_STATE_FILE))
         return defaults;
@@ -242,6 +244,14 @@ function pruneBackups() {
         catch { }
     }
 }
+function listBackups() {
+    if (!(0, fs_1.existsSync)(BACKUP_DIR))
+        return [];
+    return (0, fs_1.readdirSync)(BACKUP_DIR)
+        .filter(d => d.startsWith('shield-'))
+        .map(d => (0, path_1.join)(BACKUP_DIR, d))
+        .sort((a, b) => (0, fs_1.statSync)(b).mtimeMs - (0, fs_1.statSync)(a).mtimeMs);
+}
 function restoreFromBackup(backupPath) {
     if (!(0, fs_1.existsSync)(backupPath)) {
         log.error('updater', `Backup not found: ${backupPath}`);
@@ -370,6 +380,36 @@ function performAutoUpdate(mode, checkIntervalMs) {
     const noOp = { action: 'none', fromVersion: version_1.VERSION, toVersion: null, message: '', requiresRestart: false };
     if (mode === false)
         return noOp;
+    {
+        const state = loadUpdateState();
+        if (state.pendingRestart && state.currentVersion && state.currentVersion !== version_1.VERSION) {
+            const MAX_RESTART_ATTEMPTS = 5;
+            if ((state.restartAttempts ?? 0) >= MAX_RESTART_ATTEMPTS) {
+                log.warn('updater', `Gateway restart failed ${MAX_RESTART_ATTEMPTS}x after update to ${state.currentVersion} — rolling back`);
+                const backups = listBackups();
+                if (backups.length > 0) {
+                    restoreFromBackup(backups[0]);
+                }
+                state.pendingRestart = false;
+                state.restartAttempts = 0;
+                saveUpdateState(state);
+            }
+            else {
+                log.info('updater', `Retrying gateway restart (attempt ${(state.restartAttempts ?? 0) + 1}/${MAX_RESTART_ATTEMPTS})...`);
+                const restarted = requestGatewayRestart();
+                if (restarted) {
+                    state.pendingRestart = false;
+                    state.restartAttempts = 0;
+                    saveUpdateState(state);
+                }
+                else {
+                    state.restartAttempts = (state.restartAttempts ?? 0) + 1;
+                    saveUpdateState(state);
+                }
+            }
+            return noOp;
+        }
+    }
     const check = checkForUpdate(checkIntervalMs);
     if (!check || !check.updateAvailable)
         return noOp;
@@ -445,6 +485,26 @@ function performAutoUpdate(mode, checkIntervalMs) {
             requiresRestart: false,
         };
     }
+    const restarted = requestGatewayRestart();
+    if (!restarted) {
+        state.pendingRestart = true;
+        state.restartAttempts = (state.restartAttempts ?? 0) + 1;
+        state.currentVersion = check.latestVersion;
+        state.lastUpdateAt = Date.now();
+        state.consecutiveFailures = 0;
+        state.lastError = null;
+        saveUpdateState(state);
+        log.warn('updater', `Gateway restart failed after update to ${check.latestVersion} — will retry on next poll cycle.`);
+        return {
+            action: 'updated',
+            fromVersion: version_1.VERSION,
+            toVersion: check.latestVersion,
+            message: `Shield updated to ${check.latestVersion} on disk. Gateway restart failed — will retry on next poll cycle.`,
+            requiresRestart: true,
+        };
+    }
+    state.pendingRestart = false;
+    state.restartAttempts = 0;
     state.lastUpdateAt = Date.now();
     state.updateAvailable = false;
     state.rollbackVersion = version_1.VERSION;
@@ -452,12 +512,12 @@ function performAutoUpdate(mode, checkIntervalMs) {
     state.consecutiveFailures = 0;
     state.lastError = null;
     saveUpdateState(state);
-    log.info('updater', `✅ Auto-updated: ${version_1.VERSION} → ${check.latestVersion}. Gateway restart required to load new version.`);
+    log.info('updater', `✅ Auto-updated: ${version_1.VERSION} → ${check.latestVersion}. Gateway restart initiated.`);
     return {
         action: 'updated',
         fromVersion: version_1.VERSION,
         toVersion: check.latestVersion,
-        message: `Shield auto-updated: ${version_1.VERSION} → ${check.latestVersion}. Gateway restart required.`,
+        message: `Shield auto-updated: ${version_1.VERSION} → ${check.latestVersion}. Gateway restart initiated.`,
         requiresRestart: true,
     };
 }

package/openclaw.plugin.json

@@ -2,7 +2,7 @@
   "id": "shield",
   "name": "OpenClaw Shield",
   "description": "Real-time security monitoring — streams enriched, redacted security events to the Shield detection platform.",
-  "version": "0.6.0",
+  "version": "0.6.1",
   "skills": [
     "./skills"
   ],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@upx-us/shield",
-  "version": "0.6.0",
+  "version": "0.6.1",
   "description": "Security monitoring plugin for OpenClaw agents — streams enriched security events to the Shield detection platform",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/skills/shield/LICENSE

@@ -0,0 +1,38 @@
+Copyright (c) 2026 UPX Technologies, Inc. All rights reserved.
+
+PROPRIETARY SOFTWARE LICENSE
+
+This software and associated documentation files (the "Software") are the
+proprietary and confidential property of UPX Technologies, Inc. ("UPX").
+
+GRANT OF USE
+Subject to the terms of a valid, active subscription agreement with UPX for
+the OpenClaw Shield service, UPX grants you a limited, non-exclusive,
+non-transferable, non-sublicensable license to install and use the Software
+solely for the purpose of connecting to the OpenClaw Shield platform as part
+of your subscription.
+
+RESTRICTIONS
+You may not, and you may not permit others to:
+  - Copy, modify, adapt, translate, or create derivative works of the Software
+  - Distribute, transfer, sublicense, lease, lend, or rent the Software
+  - Reverse engineer, disassemble, or decompile the Software
+  - Remove or alter any proprietary notices, labels, or marks on the Software
+  - Use the Software without an active OpenClaw Shield subscription
+
+TERMINATION
+This license is effective until terminated. It will terminate automatically
+if you breach any term of this agreement or your subscription expires. Upon
+termination, you must destroy all copies of the Software in your possession.
+
+DISCLAIMER
+THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. UPX DISCLAIMS
+ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
+
+IN NO EVENT SHALL UPX BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH
+THE SOFTWARE OR ITS USE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+For licensing inquiries: legal@upx.com
+For support: https://upx.com

package/skills/shield/SKILL.md

@@ -3,6 +3,7 @@ name: openclaw-shield-upx
 description: "Security monitoring for OpenClaw agents — check Shield health, review events, inspect vault. Use when: user asks about security status, Shield health, event logs, or redaction vault. NOT for: general OS hardening, firewall config, or network security."
 homepage: https://www.upx.com/en/lp/openclaw-shield-upx
 source: https://www.npmjs.com/package/@upx-us/shield
+license: "Proprietary — UPX Technologies, Inc. All rights reserved."
 metadata: {"openclaw": {"requires": {"config": ["plugins.entries.shield"]}, "homepage": "https://clawhub.ai/brunopradof/openclaw-shield-upx", "emoji": "🛡️"}}
 ---