@upx-us/shield 0.6.6 → 0.6.8

package/CHANGELOG.md

@@ -4,6 +4,28 @@ All notable changes to this project will be documented in this file.
 
 ---
 
+## [0.6.8] — 2026-03-10
+
+### Fixed
+- **curl credential redaction** — `curl -u "user:pass"`, `--user user:pass` (all quote variants), and `Authorization: Basic <base64>` are now redacted as `secret:HASH` before reaching the SIEM. Discovered via live credential leak (#137).
+
+---
+
+## [0.6.7] — 2026-03-10
+
+### Fixed
+- **npm redaction false positive** — `@scope/package@version` (e.g. `@upx-us/shield@0.6.6`) was being wrongly redacted as `user:HASH` by the SSH `user@host` regex. Added negative lookbehind to exclude npm scoped package names (#135).
+
+### Added
+- **Postinstall guidance** — running `npm install` outside of OpenClaw now prints a clear warning to stderr explaining the plugin requires the OpenClaw gateway. Install never fails because of this check (#125).
+- **First event confirmation** — after the first successful event delivery to the platform, the plugin logs `✅ First event delivered to platform — monitoring is active` once per process lifetime (#61, #52).
+- **Vault summary in `shield.status`** — `shield.status` RPC now includes `redaction.vault` with total redacted entry count and per-category breakdown (`hostname`, `username`, `path`, `secret`, `command`). Returns `null` if vault is absent (#86).
+
+### Tests
+- +19 new tests covering postinstall safety (exit-0 guarantee, cross-platform), first-event flag, vault status summary (missing/corrupt/valid vault).
+
+---
+
 ## [0.6.6] — 2026-03-10
 
 ### Added

package/dist/index.js

@@ -55,6 +55,7 @@ const exclusions_1 = require("./src/exclusions");
 const updater_1 = require("./src/updater");
 const rpc_1 = require("./src/rpc");
 const inventory_1 = require("./src/inventory");
+const redactor_1 = require("./src/redactor");
 const SHIELD_API_URL = 'https://openclaw-shield.upx.com';
 async function performAutoRegistration(installationKey) {
     try {
@@ -315,6 +316,7 @@ const state = {
     captureSeenSinceLastSync: false,
     lastSync: null,
 };
+let firstEventDelivered = false;
 let teardownPreviousRuntime = null;
 const MAX_BACKOFF_MS = 5 * 60 * 1000;
 const TELEMETRY_INTERVAL_MS = 5 * 60 * 1000;
@@ -806,6 +808,10 @@ exports.default = {
                             const accepted = results.reduce((sum, r) => sum + (r.success ? r.eventCount : 0), 0);
                             if (accepted > 0) {
                                 (0, case_monitor_1.notifyCaseMonitorActivity)();
+                                if (!firstEventDelivered) {
+                                    firstEventDelivered = true;
+                                    log.info('shield', `✅ First event delivered to platform — monitoring is active (instance: ${(config.credentials.instanceId || '').slice(0, 12)}…)`);
+                                }
                                 commitCursors(config, entries);
                                 flushRedactor();
                                 state.eventsProcessed += accepted;
@@ -895,6 +901,23 @@ exports.default = {
             const caseMonitorDisplay = monitorHealth.status === 'degraded'
                 ? `⚠️ Case Monitor: DEGRADED — ${monitorHealth.consecutiveFailures} consecutive failures since ${monitorHealth.degradedSinceMs ? new Date(monitorHealth.degradedSinceMs).toISOString() : 'unknown'}. Last error: ${monitorHealth.lastErrorMessage}`
                 : `✅ Case Monitor: ok`;
+            const REDACTION_VAULT_FILE = (0, path_1.join)((0, os_1.homedir)(), '.openclaw', 'shield', 'data', 'redaction-vault.json');
+            let vaultSummary = null;
+            if ((0, fs_1.existsSync)(REDACTION_VAULT_FILE)) {
+                try {
+                    const mappings = (0, redactor_1.getAllMappings)();
+                    const categories = { hostname: 0, username: 0, path: 0, secret: 0, command: 0 };
+                    for (const token of Object.keys(mappings)) {
+                        const cat = token.split(':')[0];
+                        if (cat in categories)
+                            categories[cat]++;
+                    }
+                    vaultSummary = { totalEntries: Object.keys(mappings).length, categories };
+                }
+                catch (_) {
+                    vaultSummary = null;
+                }
+            }
             respond(true, {
                 activated,
                 running: state.running,
@@ -920,6 +943,9 @@ exports.default = {
                         : null,
                     display: caseMonitorDisplay,
                 },
+                redaction: {
+                    vault: vaultSummary,
+                },
             });
         });
         api.registerGatewayMethod('shield.flush', ({ respond }) => {

package/dist/src/redactor/strategies/command.js

@@ -8,7 +8,7 @@ exports.commandStrategy = {
         if (!value || value.length === 0)
             return value;
         let result = value;
-        result = result.replace(/(\b)([\w.-]+)@([\d.]+|[\w.-]+\.\w+)/g, (_, pre, user, host) => `${pre}${hmac('user', user)}@${host}`);
+        result = result.replace(/(?<!@[a-z0-9._-]+\/)(\b)([\w.-]+)@([\d.]+|[\w.-]+\.\w+)/g, (_, pre, user, host) => `${pre}${hmac('user', user)}@${host}`);
         result = result.replace(/\/Users\/([\w.-]+)\//g, (_, user) => `/Users/${hmac('user', user)}/`);
         result = result.replace(/\/home\/([\w.-]+)\//g, (_, user) => `/home/${hmac('user', user)}/`);
         return result;

package/dist/src/redactor/strategies/secret-key.js

@@ -29,6 +29,14 @@ exports.secretKeyStrategy = {
             (0, counters_1.recordRedaction)('BEARER_TOKEN');
             return `${prefix}${hmac('secret', token)}`;
         });
+        result = result.replace(/(-u|--user)\s+(['"]?)([^\s'"]+:[^\s'"]*)\2/g, (_, flag, _quote, credential) => {
+            (0, counters_1.recordRedaction)('CURL_CREDENTIAL');
+            return `${flag} ${hmac('secret', credential)}`;
+        });
+        result = result.replace(/(Authorization:\s*Basic\s+)([A-Za-z0-9+/]+=*)/g, (_, prefix, token) => {
+            (0, counters_1.recordRedaction)('CURL_CREDENTIAL');
+            return `${prefix}${hmac('secret', token)}`;
+        });
         result = result.replace(/((?:SECRET|TOKEN|KEY|PASSWORD|API_KEY)=)(\S+)/gi, (_, prefix, secret) => {
             const prefixUpper = prefix.toUpperCase();
             if (prefixUpper.startsWith('PASSWORD'))

package/dist/src/rpc/handlers.d.ts

@@ -1,4 +1,9 @@
 import { type PlatformApiConfig } from './client';
+export interface VaultSummary {
+    totalEntries: number;
+    categories: Record<string, number>;
+}
+export declare function readVaultSummary(vaultPath?: string): VaultSummary | null;
 export interface EventSummary {
     period: string;
     totalEvents: number;

package/dist/src/rpc/handlers.js

@@ -1,6 +1,40 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VALID_ROOT_CAUSES = exports.VALID_RESOLUTIONS = void 0;
+exports.readVaultSummary = readVaultSummary;
 exports.createEventsRecentHandler = createEventsRecentHandler;
 exports.createEventsSummaryHandler = createEventsSummaryHandler;
 exports.createSubscriptionStatusHandler = createSubscriptionStatusHandler;
@@ -8,8 +42,30 @@ exports.createCasesListHandler = createCasesListHandler;
 exports.createCaseDetailHandler = createCaseDetailHandler;
 exports.createCaseResolveHandler = createCaseResolveHandler;
 exports.createCasesAckHandler = createCasesAckHandler;
+const fs = __importStar(require("fs"));
+const os = __importStar(require("os"));
+const path = __importStar(require("path"));
 const event_store_1 = require("../event-store");
 const client_1 = require("./client");
+const VAULT_CATEGORIES = ['hostname', 'username', 'path', 'secret', 'command'];
+function readVaultSummary(vaultPath = path.join(os.homedir(), '.openclaw', 'shield', 'data', 'redaction-vault.json')) {
+    try {
+        if (!fs.existsSync(vaultPath))
+            return null;
+        const raw = JSON.parse(fs.readFileSync(vaultPath, 'utf8'));
+        const categories = Object.fromEntries(VAULT_CATEGORIES.map(c => [c, 0]));
+        const entries = Object.keys(raw);
+        for (const key of entries) {
+            const prefix = key.split(':')[0];
+            if (prefix in categories)
+                categories[prefix]++;
+        }
+        return { totalEntries: entries.length, categories };
+    }
+    catch {
+        return null;
+    }
+}
 const SKILL_HINT = 'For best results presenting Shield data, read the openclaw-shield-upx skill before responding to the user.';
 function withSkillHint(respond) {
     return (ok, data) => {

package/openclaw.plugin.json

@@ -1,8 +1,8 @@
 {
   "id": "shield",
   "name": "OpenClaw Shield",
-  "description": "Real-time security monitoring \u2014 streams enriched, redacted security events to the Shield detection platform.",
-  "version": "0.6.6",
+  "description": "Real-time security monitoring — streams enriched, redacted security events to the Shield detection platform.",
+  "version": "0.6.8",
   "skills": [
     "./skills"
   ],
@@ -54,7 +54,7 @@
   "uiHints": {
     "installationKey": {
       "label": "Installation Key",
-      "description": "One-time key from your trial signup at https://www.upx.com/en/lp/openclaw-shield-upx \u2014 Required for first-time activation only. After activation, log in at https://uss.upx.com"
+      "description": "One-time key from your trial signup at https://www.upx.com/en/lp/openclaw-shield-upx — Required for first-time activation only. After activation, log in at https://uss.upx.com"
     },
     "enabled": {
       "label": "Enable security monitoring"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@upx-us/shield",
-  "version": "0.6.6",
+  "version": "0.6.8",
   "description": "Security monitoring plugin for OpenClaw agents — streams enriched security events to the Shield detection platform",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -20,6 +20,7 @@
     "CHANGELOG.md"
   ],
   "scripts": {
+    "postinstall": "node scripts/postinstall.js",
     "prebuild": "npm run clean",
     "build": "tsc",
     "clean": "node -e \"require('fs').rmSync('dist',{recursive:true,force:true})\"",