@upx-us/shield 0.7.5 → 0.7.7

package/CHANGELOG.md

@@ -4,6 +4,22 @@ All notable changes to this project will be documented in this file.
 
 ---
 
+## [0.7.7] — 2026-03-16
+
+### Fixed
+
+- **Bug preventing the plugin from starting after an auto-update** (#177): In certain conditions following an auto-update, the plugin would crash on every boot before processing any events. A gateway restart is sufficient to recover affected instances.
+- **Bug causing incorrect plugin version to be reported in the dashboard** (#175): Some instances were reporting a stale version number in the platform dashboard instead of the currently installed version.
+
+---
+
+## [0.7.6] — 2026-03-13
+
+### Security
+- **URL enforcement switched to allowlist** — plugin traffic is restricted to the Shield ingest endpoint. Any other URL is rejected and replaced with the default. No infrastructure details are disclosed in source.
+
+---
+
 ## [0.7.5] — 2026-03-13
 
 ### Security

package/dist/src/config.js

@@ -139,18 +139,11 @@ function loadCredentials() {
     };
 }
 const CANONICAL_INGEST_URL = 'https://openclaw-shield.upx.com';
-const BLOCKED_HOST_PATTERNS = [
-    /^https?:\/\/uss\.upx\.com/i,
-    /^https?:\/\/[a-z0-9-]+\.replit\.app/i,
-    /^https?:\/\/egupx-/i,
-];
 function enforceIngestUrl(url) {
-    if (!url)
-        return CANONICAL_INGEST_URL;
-    const isBlocked = BLOCKED_HOST_PATTERNS.some(p => p.test(url));
-    if (isBlocked) {
-        log.warn('config', `SHIELD_API_URL points to a platform backend ("${url}") — this is not permitted. ` +
-            `Overriding with ${CANONICAL_INGEST_URL}. Remove SHIELD_API_URL from your config to fix this permanently.`);
+    if (!url || !url.startsWith(CANONICAL_INGEST_URL)) {
+        if (url && url !== CANONICAL_INGEST_URL) {
+            log.warn('config', `SHIELD_API_URL is not a permitted ingest endpoint — overriding with the default. Remove SHIELD_API_URL from your config to fix this permanently.`);
+        }
         return CANONICAL_INGEST_URL;
     }
     return url;

package/dist/src/index.js

@@ -85,7 +85,8 @@ async function poll() {
     const _rawEnvStartup = process.env.SHIELD_AUTO_UPDATE;
     const autoUpdateMode = _rawEnvStartup === 'false' ? false : _rawEnvStartup ?? true;
     log.info('updater', `Startup update check (autoUpdate=${autoUpdateMode}, current=${version_1.VERSION})`);
-    const startupUpdate = (0, updater_1.performAutoUpdate)(autoUpdateMode, 0);
+    const _bootState = (0, updater_1.loadUpdateState)();
+    const startupUpdate = (0, updater_1.performAutoUpdate)(autoUpdateMode, _bootState.pendingRestart ? undefined : 0);
     if (startupUpdate.action === "none") {
         log.info("updater", `Up to date (${version_1.VERSION})`);
     }
@@ -119,7 +120,7 @@ async function poll() {
                         public_ip: (0, transformer_1.getCachedPublicIp)() ?? '',
                     },
                     software: {
-                        plugin_version: version_1.VERSION,
+                        plugin_version: (0, version_1.getVersion)(),
                         openclaw_version: (0, transformer_1.resolveOpenClawVersion)(),
                         agent_label: (0, transformer_1.resolveAgentLabel)(agentId),
                         instance_name: (0, transformer_1.resolveAgentLabel)(agentId) || config.hostname,

package/dist/src/rpc/client.js

@@ -57,11 +57,10 @@ async function callPlatformApi(config, path, params, method) {
             error: 'Platform API not configured. This feature requires the Shield platform API which is not yet available for your instance. Check your Shield dashboard for updates.',
         };
     }
-    const BLOCKED = [/^https?:\/\/uss\.upx\.com/i, /^https?:\/\/[a-z0-9-]+\.replit\.app/i, /^https?:\/\/egupx-/i];
-    if (BLOCKED.some(p => p.test(config.apiUrl))) {
+    if (!config.apiUrl.startsWith('https://openclaw-shield.upx.com')) {
         return {
             ok: false,
-            error: 'Shield API URL points to a platform backend — direct access is not permitted. Reconfigure Shield to use the ingest endpoint.',
+            error: 'Shield API URL is not the permitted ingest endpoint. Reconfigure Shield or contact support.',
         };
     }
     const url = new URL(path, config.apiUrl);

package/dist/src/transformer.d.ts

@@ -11,6 +11,7 @@ export interface IngestPayload {
 export declare function normalizeSoftwareVersion(v: string): string;
 export declare function resolveOpenClawVersion(): string;
 export declare function _resetCachedOpenClawVersion(): void;
+export declare function _setVersionForTest(version: string, fromStaleFallback: boolean): void;
 export declare function resolveAgentLabel(agentId: string): string;
 export declare function getCachedPublicIp(): string | null;
 export declare function isPrivateIp(ip: string): boolean;

package/dist/src/transformer.js

@@ -36,6 +36,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.normalizeSoftwareVersion = normalizeSoftwareVersion;
 exports.resolveOpenClawVersion = resolveOpenClawVersion;
 exports._resetCachedOpenClawVersion = _resetCachedOpenClawVersion;
+exports._setVersionForTest = _setVersionForTest;
 exports.resolveAgentLabel = resolveAgentLabel;
 exports.getCachedPublicIp = getCachedPublicIp;
 exports.isPrivateIp = isPrivateIp;
@@ -54,6 +55,7 @@ const counters_1 = require("./counters");
 const inventory_1 = require("./inventory");
 const attributor_1 = require("./attributor");
 let _cachedOpenClawVersion = "";
+let _cachedFromStaleFallback = false;
 function normalizeSoftwareVersion(v) {
     return v
         .replace(/^openclaw\s+/i, '')
@@ -62,10 +64,11 @@ function normalizeSoftwareVersion(v) {
         .trim();
 }
 function resolveOpenClawVersion() {
-    if (_cachedOpenClawVersion !== "")
+    if (_cachedOpenClawVersion !== "" && !_cachedFromStaleFallback)
         return _cachedOpenClawVersion;
     if (process.env.OPENCLAW_VERSION) {
         _cachedOpenClawVersion = process.env.OPENCLAW_VERSION;
+        _cachedFromStaleFallback = false;
         return _cachedOpenClawVersion;
     }
     try {
@@ -73,6 +76,7 @@ function resolveOpenClawVersion() {
         const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
         if (pkg.version) {
             _cachedOpenClawVersion = normalizeSoftwareVersion(pkg.version);
+            _cachedFromStaleFallback = false;
             return _cachedOpenClawVersion;
         }
     }
@@ -88,6 +92,7 @@ function resolveOpenClawVersion() {
         const version = normalizeSoftwareVersion(raw);
         if (version && version !== 'unknown') {
             _cachedOpenClawVersion = version;
+            _cachedFromStaleFallback = false;
             return _cachedOpenClawVersion;
         }
     }
@@ -99,16 +104,23 @@ function resolveOpenClawVersion() {
             const normalized = normalizeSoftwareVersion(v);
             if (normalized) {
                 _cachedOpenClawVersion = normalized;
+                _cachedFromStaleFallback = true;
                 return _cachedOpenClawVersion;
             }
         }
     }
     catch { }
     _cachedOpenClawVersion = 'unknown';
+    _cachedFromStaleFallback = false;
     return _cachedOpenClawVersion;
 }
 function _resetCachedOpenClawVersion() {
     _cachedOpenClawVersion = "";
+    _cachedFromStaleFallback = false;
+}
+function _setVersionForTest(version, fromStaleFallback) {
+    _cachedOpenClawVersion = version;
+    _cachedFromStaleFallback = fromStaleFallback;
 }
 function resolveAgentLabel(agentId) {
     if (process.env.OPENCLAW_AGENT_LABEL)
@@ -217,28 +229,32 @@ function injectIp(ip) {
 }
 initOutboundIp();
 function getSourceInfo() {
-    if (_source)
-        return _source;
     const agentId = process.env.OPENCLAW_AGENT_ID || 'main';
-    _source = {
-        hostname: os.hostname(),
-        ip_addresses: Object.values(os.networkInterfaces())
-            .flat()
-            .filter((i) => i && i.family === 'IPv4' && !i.internal)
-            .map((i) => i.address),
-        os: {
-            type: os.type(),
-            platform: os.platform() === 'darwin' ? 'MAC' : os.platform() === 'linux' ? 'LINUX' : 'WINDOWS',
-            release: os.release(),
-            arch: os.arch(),
-        },
-        openclaw: {
-            version: resolveOpenClawVersion(),
-            agent_id: agentId,
-            agent_label: resolveAgentLabel(agentId),
-        },
-        plugin: { version: version_1.VERSION, transport: 'openclaw_plugin' },
-    };
+    if (!_source) {
+        _source = {
+            hostname: os.hostname(),
+            ip_addresses: Object.values(os.networkInterfaces())
+                .flat()
+                .filter((i) => i && i.family === 'IPv4' && !i.internal)
+                .map((i) => i.address),
+            os: {
+                type: os.type(),
+                platform: os.platform() === 'darwin' ? 'MAC' : os.platform() === 'linux' ? 'LINUX' : 'WINDOWS',
+                release: os.release(),
+                arch: os.arch(),
+            },
+            openclaw: {
+                version: resolveOpenClawVersion(),
+                agent_id: agentId,
+                agent_label: resolveAgentLabel(agentId),
+            },
+            plugin: { version: version_1.VERSION, transport: 'openclaw_plugin' },
+        };
+    }
+    else {
+        _source.openclaw.version = resolveOpenClawVersion();
+        _source.plugin.version = (0, version_1.getVersion)();
+    }
     return _source;
 }
 function isAdministrativeEvent(toolName, args, sessionId) {

package/dist/src/updater.js

@@ -459,6 +459,15 @@ function downloadAndInstall(targetVersion) {
 }
 function performAutoUpdate(mode, checkIntervalMs) {
     const noOp = { action: 'none', fromVersion: version_1.VERSION, toVersion: null, message: '', requiresRestart: false };
+    {
+        const st = loadUpdateState();
+        if (st.pendingRestart && st.currentVersion === version_1.VERSION) {
+            log.info('updater', `Clearing stale pendingRestart — running version matches stored currentVersion (${version_1.VERSION})`);
+            st.pendingRestart = false;
+            st.restartAttempts = 0;
+            saveUpdateState(st);
+        }
+    }
     if (mode === false)
         return noOp;
     {

package/dist/src/version.d.ts

@@ -1 +1,2 @@
 export declare const VERSION: string;
+export declare function getVersion(): string;

package/dist/src/version.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VERSION = void 0;
+exports.getVersion = getVersion;
 const fs_1 = require("fs");
 const path_1 = require("path");
 function loadVersion() {
@@ -16,3 +17,15 @@ function loadVersion() {
     return '0.0.0';
 }
 exports.VERSION = loadVersion();
+function getVersion() {
+    for (const rel of ['../package.json', '../../package.json']) {
+        const p = (0, path_1.join)(__dirname, rel);
+        if ((0, fs_1.existsSync)(p)) {
+            try {
+                return JSON.parse((0, fs_1.readFileSync)(p, 'utf-8')).version ?? '0.0.0';
+            }
+            catch { }
+        }
+    }
+    return '0.0.0';
+}

package/openclaw.plugin.json

@@ -1,8 +1,8 @@
 {
   "id": "shield",
   "name": "OpenClaw Shield",
-  "description": "Real-time security monitoring \u2014 streams enriched, redacted security events to the Shield detection platform.",
-  "version": "0.7.5",
+  "description": "Real-time security monitoring — streams enriched, redacted security events to the Shield detection platform.",
+  "version": "0.7.7",
   "skills": [
     "./skills"
   ],
@@ -54,7 +54,7 @@
   "uiHints": {
     "installationKey": {
       "label": "Installation Key",
-      "description": "One-time key from your trial signup at https://www.upx.com/en/lp/openclaw-shield-upx \u2014 Required for first-time activation only. After activation, log in at https://uss.upx.com"
+      "description": "One-time key from your trial signup at https://www.upx.com/en/lp/openclaw-shield-upx — Required for first-time activation only. After activation, log in at https://uss.upx.com"
     },
     "enabled": {
       "label": "Enable security monitoring"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@upx-us/shield",
-  "version": "0.7.5",
+  "version": "0.7.7",
   "description": "Security monitoring plugin for OpenClaw agents — streams enriched security events to the Shield detection platform",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",