@upx-us/shield 0.6.1 → 0.6.3

package/CHANGELOG.md

@@ -4,6 +4,25 @@ All notable changes to this project will be documented in this file.
 
 ---
 
+## [0.6.3] — 2026-03-09
+
+### Fixed
+- **Version normalization** — `resolveOpenClawVersion()` now normalizes messy version strings from `openclaw --version` output and the `lastTouchedVersion` config field (e.g. `"OpenClaw 2026.3.8 (3caab92)"` → `"2026.3.8"`). Previously these strings caused false "out of date" alerts on the Shield dashboard.
+- **Missing Network info** — `PUT /v1/instance` now always includes `public_ip` in the machine payload, even when the IP hasn't been resolved yet (sends `""` instead of omitting the field). This ensures the platform can attempt server-side geo-enrichment (Provider/Location) instead of silently skipping it.
+
+### Added
+- `normalizeSoftwareVersion(v: string): string` — exported helper that applies the full version normalization pipeline (strip `"OpenClaw "` prefix, parenthetical hash, leading `"v"`). Used internally by `resolveOpenClawVersion()` for all auto-detected version paths.
+- `isPrivateIp(ip: string): boolean` — exported helper that detects RFC-1918/loopback addresses. Used by the ingest service to identify when an agent behind NAT (macOS, home/office Linux) self-reports a LAN IP and override it with the authoritative request IP. Ensures correct Network info (Provider, Location) on the Shield dashboard for all platforms.
+
+---
+
+## [0.6.2] — 2026-03-09
+
+### Fixed
+- **ANSI field prefix bug** — `ansi_content_detected` and `ansi_sequences` were emitted without the `openclaw.` namespace prefix in `tool-result/enrich.ts`. YARAL rules reference them as `additional.fields["openclaw.ansi_content_detected"]` and `additional.fields["openclaw.ansi_sequences"]`. Fields now correctly namespaced. Unblocks `openclaw_ansi_injection` detection rule.
+
+---
+
 ## [0.6.1] — 2026-03-09
 
 ### Fixed

package/dist/src/events/tool-result/enrich.js

@@ -17,8 +17,8 @@ function buildToolResult(raw, ctx) {
     };
     const ansiMatches = resultText.match(/\x1b\[[0-9;]*[a-zA-Z]|\x1b\]|\x07|\x1b\(B/g);
     if (ansiMatches && ansiMatches.length > 0) {
-        meta['ansi_content_detected'] = 'true';
-        meta['ansi_sequences'] = ansiMatches.slice(0, 10).map((s) => s.replace(/\x1b/g, 'ESC')).join(', ');
+        meta['openclaw.ansi_content_detected'] = 'true';
+        meta['openclaw.ansi_sequences'] = ansiMatches.slice(0, 10).map((s) => s.replace(/\x1b/g, 'ESC')).join(', ');
     }
     const event = {
         timestamp: ctx.timestamp,

package/dist/src/index.js

@@ -104,7 +104,7 @@ async function poll() {
                         os: process.platform,
                         arch: process.arch,
                         node_version: process.version,
-                        public_ip: (0, transformer_1.getCachedPublicIp)() ?? undefined,
+                        public_ip: (0, transformer_1.getCachedPublicIp)() ?? '',
                     },
                     software: {
                         plugin_version: version_1.VERSION,
@@ -118,6 +118,9 @@ async function poll() {
                         }),
                     },
                 };
+                if (!(0, transformer_1.getCachedPublicIp)()) {
+                    log.warn('bridge', 'Public IP not yet resolved — sending empty public_ip so platform can enrich server-side');
+                }
                 const result = await (0, sender_1.reportInstance)(instancePayload, config.credentials);
                 log.info('bridge', `Instance report → Platform: success=${result.ok}`);
                 if (result.ok) {

package/dist/src/transformer.d.ts

@@ -8,10 +8,12 @@ export interface EnvelopeEvent {
 export interface IngestPayload {
     entries: EnvelopeEvent[];
 }
+export declare function normalizeSoftwareVersion(v: string): string;
 export declare function resolveOpenClawVersion(): string;
 export declare function _resetCachedOpenClawVersion(): void;
 export declare function resolveAgentLabel(agentId: string): string;
 export declare function getCachedPublicIp(): string | null;
+export declare function isPrivateIp(ip: string): boolean;
 export declare function resolveOutboundIp(): Promise<string | null>;
 export declare function transformEntries(entries: RawEntry[]): EnvelopeEvent[];
 export declare function generateHostTelemetry(): EnvelopeEvent | null;

package/dist/src/transformer.js

@@ -33,10 +33,12 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.normalizeSoftwareVersion = normalizeSoftwareVersion;
 exports.resolveOpenClawVersion = resolveOpenClawVersion;
 exports._resetCachedOpenClawVersion = _resetCachedOpenClawVersion;
 exports.resolveAgentLabel = resolveAgentLabel;
 exports.getCachedPublicIp = getCachedPublicIp;
+exports.isPrivateIp = isPrivateIp;
 exports.resolveOutboundIp = resolveOutboundIp;
 exports.transformEntries = transformEntries;
 exports.generateHostTelemetry = generateHostTelemetry;
@@ -51,6 +53,13 @@ const version_1 = require("./version");
 const counters_1 = require("./counters");
 const inventory_1 = require("./inventory");
 let _cachedOpenClawVersion = "";
+function normalizeSoftwareVersion(v) {
+    return v
+        .replace(/^openclaw\s+/i, '')
+        .replace(/\s*\([^)]*\)/g, '')
+        .replace(/^v/, '')
+        .trim();
+}
 function resolveOpenClawVersion() {
     if (_cachedOpenClawVersion !== "")
         return _cachedOpenClawVersion;
@@ -62,7 +71,7 @@ function resolveOpenClawVersion() {
         const pkgPath = require.resolve('openclaw/package.json');
         const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
         if (pkg.version) {
-            _cachedOpenClawVersion = pkg.version;
+            _cachedOpenClawVersion = normalizeSoftwareVersion(pkg.version);
             return _cachedOpenClawVersion;
         }
     }
@@ -74,7 +83,8 @@ function resolveOpenClawVersion() {
             stdio: ['ignore', 'pipe', 'ignore'],
             encoding: 'utf8',
         }).trim();
-        const version = output.includes('/') ? output.split('/').pop() : output;
+        const raw = output.includes('/') ? output.split('/').pop() : output;
+        const version = normalizeSoftwareVersion(raw);
         if (version && version !== 'unknown') {
             _cachedOpenClawVersion = version;
             return _cachedOpenClawVersion;
@@ -85,8 +95,11 @@ function resolveOpenClawVersion() {
         const cfg = JSON.parse(fs.readFileSync(path.join(os.homedir(), '.openclaw/openclaw.json'), 'utf8'));
         const v = cfg?.meta?.lastTouchedVersion;
         if (v) {
-            _cachedOpenClawVersion = v;
-            return _cachedOpenClawVersion;
+            const normalized = normalizeSoftwareVersion(v);
+            if (normalized) {
+                _cachedOpenClawVersion = normalized;
+                return _cachedOpenClawVersion;
+            }
         }
     }
     catch { }
@@ -141,7 +154,15 @@ function writeIpCache(ip) {
     catch { }
 }
 function getCachedPublicIp() {
-    return readIpCache()?.ip ?? (_source?.ip_addresses[0] ?? null);
+    return readIpCache()?.ip ?? null;
+}
+function isPrivateIp(ip) {
+    return /^10\./.test(ip) ||
+        /^172\.(1[6-9]|2[0-9]|3[01])\./.test(ip) ||
+        /^192\.168\./.test(ip) ||
+        /^127\./.test(ip) ||
+        /^::1$/.test(ip) ||
+        /^fd/i.test(ip);
 }
 function resolveOutboundIp() {
     return new Promise((resolve) => {

package/openclaw.plugin.json

@@ -1,8 +1,8 @@
 {
   "id": "shield",
   "name": "OpenClaw Shield",
-  "description": "Real-time security monitoring — streams enriched, redacted security events to the Shield detection platform.",
-  "version": "0.6.1",
+  "description": "Real-time security monitoring \u2014 streams enriched, redacted security events to the Shield detection platform.",
+  "version": "0.6.3",
   "skills": [
     "./skills"
   ],
@@ -81,4 +81,4 @@
     "skillVersion": "1.0.2",
     "note": "ClawHub auto-increments on publish. Update this after each clawhub submission."
   }
-}
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@upx-us/shield",
-  "version": "0.6.1",
+  "version": "0.6.3",
   "description": "Security monitoring plugin for OpenClaw agents — streams enriched security events to the Shield detection platform",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",