shellward 0.3.3 → 0.4.0

package/README.md

@@ -1,6 +1,6 @@
 # ShellWard
 
-**First bilingual (EN/ZH) security plugin for OpenClaw** — prompt injection detection, dangerous operation blocking, PII/secret redaction, audit logging.
+**First bilingual (EN/ZH) security plugin for OpenClaw** — the only plugin with Chinese prompt injection detection & Chinese PII redaction (ID card, phone, bank card). 8 defense layers, zero dependencies.
 
 [中文说明](#中文说明) | [English](#english)
 
@@ -30,7 +30,7 @@ ShellWard protects your OpenClaw agent with 8 defense layers:
 - **Bilingual** — all messages, rules, and prompts in English and Chinese
 - **Chinese PII detection** — ID card (with checksum validation), phone number, bank card (Luhn)
 - **Global PII detection** — API keys, JWT, passwords, US SSN, credit cards, emails
-- **25 injection rules** — 13 Chinese + 12 English patterns with risk scoring
+- **26 injection rules** — 14 Chinese + 12 English patterns with risk scoring
 - **15 dangerous command rules** — fork bombs, reverse shells, disk formatting, etc. (all case-insensitive)
 - **12 protected path rules** — .env, .ssh, private keys, cloud credentials
 - **Dual mode** — `enforce` (block + log) or `audit` (log only)
@@ -230,7 +230,7 @@ ShellWard 通过 8 层防御保护你的 OpenClaw 智能体：
 - **中英双语** — 所有消息、规则、提示均支持中英文
 - **中国 PII 检测** — 身份证号（含校验位验证）、手机号、银行卡号（Luhn 校验）
 - **国际 PII 检测** — API Key、JWT、密码、美国 SSN、信用卡、邮箱
-- **25 条注入规则** — 13 条中文 + 12 条英文，带风险评分
+- **26 条注入规则** — 14 条中文 + 12 条英文，带风险评分
 - **双模式** — `enforce`（拦截+记录）或 `audit`（仅记录）
 - **JSONL 审计日志** — 零依赖、支持 grep/jq 查询、100MB 自动轮转
 

package/openclaw.plugin.json

@@ -2,7 +2,7 @@
   "id": "shellward",
   "name": "ShellWard",
   "description": "First bilingual (EN/ZH) security plugin for OpenClaw — injection detection, dangerous operation blocking, PII/secret redaction (incl. Chinese ID card, phone, bank card), audit logging",
-  "version": "0.3.3",
+  "version": "0.4.0",
   "skills": ["./skills"],
   "configSchema": {
     "type": "object",

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "shellward",
-  "version": "0.3.3",
-  "description": "First bilingual (EN/ZH) security plugin for OpenClaw — injection detection, dangerous operation blocking, PII/secret redaction, audit logging",
+  "version": "0.4.0",
+  "description": "First bilingual (EN/ZH) security plugin for OpenClaw — Chinese PII detection (ID card/phone/bank card), prompt injection detection (13 ZH + 12 EN rules), dangerous command blocking, audit logging. Zero dependencies.",
   "keywords": [
     "shellward",
     "openclaw",
@@ -31,6 +31,7 @@
     "src/",
     "skills/",
     "openclaw.plugin.json",
+    "vuln-db.json",
     "install.sh",
     "install.ps1",
     "LICENSE",

package/src/commands/check-updates.ts

@@ -1,34 +1,35 @@
-// src/commands/check-updates.ts — /check-updates: check OpenClaw version and known vulnerabilities
+// src/commands/check-updates.ts — /check-updates: check versions + remote vulnerability DB
 
 import { execSync } from 'child_process'
 import { existsSync, readFileSync } from 'fs'
 import { join } from 'path'
 import type { ShellWardConfig } from '../types'
 import { resolveLocale } from '../types'
+import { checkForUpdate, fetchVulnDB, compareVersions } from '../update-check'
 
-// Known vulnerability database (hardcoded, updated with plugin releases)
-// Format: { version_range, severity, cve, description_zh, description_en }
-const KNOWN_VULNS = [
+// Local fallback vulnerability database (used when remote fetch fails)
+// Contains only CVE-assigned vulnerabilities as minimum baseline
+const LOCAL_VULNS = [
   {
-    affectedBelow: '2026.3.6',
-    severity: 'HIGH',
-    id: 'CG-2026-001',
-    description_zh: 'tool_result_persist hook 可被绕过泄露敏感数据',
-    description_en: 'tool_result_persist hook bypass may leak sensitive data',
+    affectedBelow: '1.0.111',
+    severity: 'HIGH' as const,
+    id: 'CVE-2025-59536',
+    description_zh: '远程代码执行：恶意仓库通过 Hooks 和 MCP Server 在信任提示前执行任意命令 (CVSS 8.7)',
+    description_en: 'RCE via Hooks and MCP Server bypass — arbitrary shell execution before trust dialog (CVSS 8.7)',
   },
   {
-    affectedBelow: '2026.3.4',
-    severity: 'CRITICAL',
-    id: 'CG-2026-002',
-    description_zh: '插件系统缺少签名验证，可加载恶意插件',
-    description_en: 'Plugin system lacks signature verification, allows malicious plugins',
+    affectedBelow: '2.0.65',
+    severity: 'MEDIUM' as const,
+    id: 'CVE-2026-21852',
+    description_zh: 'API 密钥泄露：恶意仓库通过 settings.json 设置 ANTHROPIC_BASE_URL 窃取用户 API Key (CVSS 5.3)',
+    description_en: 'API key exfiltration via ANTHROPIC_BASE_URL in settings.json before trust prompt (CVSS 5.3)',
   },
   {
-    affectedBelow: '2026.3.2',
-    severity: 'HIGH',
-    id: 'CG-2026-003',
-    description_zh: 'Gateway 默认绑定 0.0.0.0，未认证即可远程执行',
-    description_en: 'Gateway binds 0.0.0.0 by default, allows unauthenticated remote execution',
+    affectedBelow: '2026.2.7',
+    severity: 'HIGH' as const,
+    id: 'GHSA-ff64-7w26-62rf',
+    description_zh: '沙箱逃逸：通过 settings.json 持久化配置注入',
+    description_en: 'Sandbox escape via persistent configuration injection in settings.json',
   },
 ]
 
@@ -38,10 +39,10 @@ export function registerCheckUpdatesCommand(api: any, config: ShellWardConfig) {
   api.registerCommand({
     name: 'check-updates',
     description: locale === 'zh'
-      ? '🔄 检查 OpenClaw 版本和已知漏洞'
-      : '🔄 Check OpenClaw version and known vulnerabilities',
+      ? '🔄 检查版本更新和已知漏洞（支持远程漏洞库）'
+      : '🔄 Check for updates and known vulnerabilities (remote vuln DB)',
     acceptsArgs: false,
-    handler: () => {
+    handler: async () => {
       const zh = locale === 'zh'
       const lines: string[] = []
 
@@ -49,20 +50,19 @@ export function registerCheckUpdatesCommand(api: any, config: ShellWardConfig) {
       lines.push('')
 
       // 1. Get OpenClaw version
-      let currentVersion = 'unknown'
+      let openclawVersion = 'unknown'
       try {
         const out = execSync('openclaw --version 2>&1', { timeout: 5000 }).toString().trim()
-        // Extract version like "2026.3.8"
         const match = out.match(/(\d{4}\.\d+\.\d+)/)
-        if (match) currentVersion = match[1]
+        if (match) openclawVersion = match[1]
       } catch { /* skip */ }
 
       lines.push(zh
-        ? `### OpenClaw 版本: ${currentVersion}`
-        : `### OpenClaw Version: ${currentVersion}`)
+        ? `### OpenClaw 版本: ${openclawVersion}`
+        : `### OpenClaw Version: ${openclawVersion}`)
       lines.push('')
 
-      // 2. Check ShellWard version
+      // 2. Check ShellWard version + available update
       let shellwardVersion = 'unknown'
       try {
         const pkgPath = join(__dirname, '../../package.json')
@@ -75,17 +75,45 @@ export function registerCheckUpdatesCommand(api: any, config: ShellWardConfig) {
       lines.push(zh
         ? `### ShellWard 版本: ${shellwardVersion}`
         : `### ShellWard Version: ${shellwardVersion}`)
+
+      // Check for ShellWard update from npm
+      try {
+        const updateInfo = await checkForUpdate(shellwardVersion)
+        if (updateInfo?.updateAvailable) {
+          lines.push(zh
+            ? `  🆕 **新版本 v${updateInfo.latest} 可用！** 运行 \`openclaw plugins update shellward\` 更新`
+            : `  🆕 **v${updateInfo.latest} available!** Run \`openclaw plugins update shellward\` to update`)
+        } else if (updateInfo) {
+          lines.push(zh ? '  ✅ 已是最新版本' : '  ✅ Up to date')
+        }
+      } catch { /* skip */ }
       lines.push('')
 
-      // 3. Check known vulnerabilities
+      // 3. Check known vulnerabilities (remote DB with local fallback)
       lines.push(zh ? '### 已知漏洞检查' : '### Known Vulnerability Check')
 
-      if (currentVersion === 'unknown') {
+      let vulnDB = LOCAL_VULNS
+      let alerts: { id: string; severity: string; date: string; description_zh: string; description_en: string }[] = []
+      let dbSource = 'local'
+      try {
+        const remote = await fetchVulnDB()
+        if (remote.vulns.length > 0) {
+          vulnDB = remote.vulns
+          dbSource = 'remote'
+        }
+        alerts = remote.alerts || []
+      } catch { /* use local */ }
+
+      lines.push(zh
+        ? `  数据源: ${dbSource === 'remote' ? `远程漏洞库 (GitHub) — ${vulnDB.length} 条记录` : '本地内置数据库'}`
+        : `  Source: ${dbSource === 'remote' ? `Remote vuln DB (GitHub) — ${vulnDB.length} entries` : 'Local built-in database'}`)
+
+      if (openclawVersion === 'unknown') {
         lines.push(zh
           ? '  ⚠️ 无法确定 OpenClaw 版本，请手动检查'
           : '  ⚠️ Cannot determine OpenClaw version, please check manually')
       } else {
-        const affected = KNOWN_VULNS.filter(v => compareVersions(currentVersion, v.affectedBelow) < 0)
+        const affected = vulnDB.filter(v => compareVersions(openclawVersion, v.affectedBelow) < 0)
         if (affected.length === 0) {
           lines.push(zh
             ? '  ✅ 当前版本未发现已知漏洞'
@@ -96,11 +124,22 @@ export function registerCheckUpdatesCommand(api: any, config: ShellWardConfig) {
             const desc = zh ? vuln.description_zh : vuln.description_en
             lines.push(`  ${icon} **${vuln.id}** [${vuln.severity}]: ${desc}`)
             lines.push(zh
-              ? `     影响版本: < ${vuln.affectedBelow} — 请升级 OpenClaw`
-              : `     Affected: < ${vuln.affectedBelow} — please upgrade OpenClaw`)
+              ? `     影响版本: < ${vuln.affectedBelow} — 请升级`
+              : `     Affected: < ${vuln.affectedBelow} — please upgrade`)
           }
         }
       }
+
+      // Supply chain alerts
+      if (alerts.length > 0) {
+        lines.push('')
+        lines.push(zh ? '### 供应链安全警告' : '### Supply Chain Alerts')
+        for (const alert of alerts) {
+          const icon = alert.severity === 'CRITICAL' ? '🔴' : '🟡'
+          const desc = zh ? alert.description_zh : alert.description_en
+          lines.push(`  ${icon} **${alert.id}** [${alert.date}]: ${desc}`)
+        }
+      }
       lines.push('')
 
       // 4. Check Node.js version
@@ -135,17 +174,3 @@ export function registerCheckUpdatesCommand(api: any, config: ShellWardConfig) {
     },
   })
 }
-
-/**
- * Compare two version strings like "2026.3.8" vs "2026.3.6"
- * Returns: negative if a < b, 0 if equal, positive if a > b
- */
-function compareVersions(a: string, b: string): number {
-  const pa = a.split('.').map(Number)
-  const pb = b.split('.').map(Number)
-  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
-    const diff = (pa[i] || 0) - (pb[i] || 0)
-    if (diff !== 0) return diff
-  }
-  return 0
-}

package/src/commands/scan-plugins.ts

@@ -113,9 +113,9 @@ export function registerScanPluginsCommand(api: any, config: ShellWardConfig) {
           try {
             const content = readFileSync(file, 'utf-8')
             for (const rule of SUSPICIOUS_PATTERNS) {
-              if (rule.pattern.test(content)) {
-                // Reset lastIndex for global regexes
-                rule.pattern.lastIndex = 0
+              // Use fresh regex to avoid lastIndex state issues with global patterns
+              const regex = new RegExp(rule.pattern.source, rule.pattern.flags)
+              if (regex.test(content)) {
                 const relPath = file.replace(plugin.path + '/', '')
                 risks.push(zh
                   ? `⚠️ ${relPath}: ${rule.name} (${rule.risk})`

package/src/index.ts

@@ -1,4 +1,4 @@
-// src/index.ts — ShellWard plugin entry point (v0.3.1)
+// src/index.ts — ShellWard plugin entry point (v0.4.0)
 // 8 defense layers + 6 slash commands + 1 security skill
 
 import { AuditLog } from './audit-log'
@@ -12,8 +12,46 @@ import { setupDataFlowGuard } from './layers/data-flow-guard'
 import { setupSessionGuard } from './layers/session-guard'
 import { registerAllCommands } from './commands/index'
 import { DEFAULT_CONFIG, resolveLocale } from './types'
+import { checkForUpdate } from './update-check'
 import type { ShellWardConfig } from './types'
 
+const CURRENT_VERSION = '0.4.0'
+
+/**
+ * Wrap api.on so every hook handler gets try-catch protection.
+ * If a security hook throws, we log the error and fail-safe:
+ * - before_tool_call: block (deny on error, safer than allow)
+ * - other hooks: return undefined (don't break the chain)
+ */
+function createSafeApi(api: any, log: AuditLog): any {
+  return {
+    ...api,
+    on(hookName: string, handler: Function, opts?: any) {
+      const isBlockHook = hookName === 'before_tool_call'
+      const wrappedHandler = (event: any) => {
+        try {
+          return handler(event)
+        } catch (err: any) {
+          const msg = err?.message || String(err)
+          log.write({
+            level: 'CRITICAL',
+            layer: 'L0',
+            action: 'error',
+            detail: `Hook ${opts?.name || hookName} threw: ${msg.slice(0, 200)}`,
+          })
+          try { api.logger.warn(`[ShellWard] Hook error in ${opts?.name || hookName}: ${msg}`) } catch {}
+          // Fail-safe: block on security hooks, pass on others
+          if (isBlockHook) {
+            return { block: true, blockReason: `⚠️ [ShellWard] Internal error in security check — operation blocked for safety` }
+          }
+          return undefined
+        }
+      }
+      api.on(hookName, wrappedHandler, opts)
+    },
+  }
+}
+
 function mergeConfig(userConfig: Partial<ShellWardConfig> | undefined): ShellWardConfig {
   if (!userConfig) return { ...DEFAULT_CONFIG }
 
@@ -49,6 +87,7 @@ export default {
     const log = new AuditLog(config)
     const enforce = config.mode === 'enforce'
     const locale = resolveLocale(config)
+    const safe = createSafeApi(api, log)
 
     const modeLabel = locale === 'zh'
       ? `模式: ${config.mode}`
@@ -56,45 +95,46 @@ export default {
     api.logger.info(`[ShellWard] Security plugin started (${modeLabel})`)
 
     // === Defense Layers (L1-L8) ===
+    // All layers use `safe` wrapper — hooks get automatic try-catch + fail-safe
 
     // L1: Prompt Guard (before_prompt_build — prependSystemContext for caching)
     if (config.layers.promptGuard) {
-      setupPromptGuard(api, config, log)
+      setupPromptGuard(safe, config, log)
     }
 
     // L2: Output Scanner (tool_result_persist — redact PII in tool results)
     if (config.layers.outputScanner) {
-      setupOutputScanner(api, config, log, enforce)
+      setupOutputScanner(safe, config, log, enforce)
     }
 
     // L3: Tool Blocker (before_tool_call — block dangerous commands/paths)
     if (config.layers.toolBlocker) {
-      setupToolBlocker(api, config, log, enforce)
+      setupToolBlocker(safe, config, log, enforce)
     }
 
     // L4: Input Auditor (before_tool_call + message_received — injection detection)
     if (config.layers.inputAuditor) {
-      setupInputAuditor(api, config, log, enforce)
+      setupInputAuditor(safe, config, log, enforce)
     }
 
-    // L5: Security Gate (registerTool — defense in depth)
+    // L5: Security Gate (registerTool — defense in depth, uses raw api for registerTool)
     if (config.layers.securityGate) {
       setupSecurityGate(api, config, log, enforce)
     }
 
     // L6: Outbound Guard (message_sending — redact PII in LLM responses + canary detection)
     if (config.layers.outboundGuard) {
-      setupOutboundGuard(api, config, log, enforce)
+      setupOutboundGuard(safe, config, log, enforce)
     }
 
     // L7: Data Flow Guard (after_tool_call + before_tool_call — anti-exfiltration)
     if (config.layers.dataFlowGuard) {
-      setupDataFlowGuard(api, config, log, enforce)
+      setupDataFlowGuard(safe, config, log, enforce)
     }
 
     // L8: Session Guard (session_end + subagent_spawning — lifecycle security)
     if (config.layers.sessionGuard) {
-      setupSessionGuard(api, config, log, enforce)
+      setupSessionGuard(safe, config, log, enforce)
     }
 
     // === Slash Commands ===
@@ -113,7 +153,18 @@ export default {
       level: 'INFO',
       layer: 'L1',
       action: 'allow',
-      detail: `ShellWard v0.3.3 started with ${enabledCount} layers`,
+      detail: `ShellWard v${CURRENT_VERSION} started with ${enabledCount} layers`,
     })
+
+    // === Non-blocking update check (async, won't delay startup) ===
+    // Only notifies ONCE per new version — won't repeat after user has seen it
+    checkForUpdate(CURRENT_VERSION).then(result => {
+      if (result?.shouldNotify) {
+        const msg = locale === 'zh'
+          ? `[ShellWard] 新版本 v${result.latest} 可用 (当前 v${result.current})。运行 \`openclaw plugins update shellward\` 更新`
+          : `[ShellWard] Update available: v${result.latest} (current v${result.current}). Run \`openclaw plugins update shellward\` to update`
+        api.logger.warn(msg)
+      }
+    }).catch(() => { /* silently ignore network errors */ })
   },
 }

package/src/layers/data-flow-guard.ts

@@ -37,8 +37,8 @@ export function setupDataFlowGuard(
 
   // === Part 1: Track sensitive file reads via after_tool_call ===
   api.on('after_tool_call', (event: any) => {
-    const toolName = (event.toolName || '').toLowerCase()
-    const params = event.params || {}
+    const toolName = String(event.toolName || '').toLowerCase()
+    const params = (event.params && typeof event.params === 'object') ? event.params : {}
     const path = String(params.path || params.file_path || params.filename || '')
 
     if (!READ_TOOLS.has(toolName) || !path) return
@@ -79,8 +79,8 @@ export function setupDataFlowGuard(
 
   // === Part 2: Block network tool calls if sensitive data was recently read ===
   api.on('before_tool_call', (event: any) => {
-    const toolName = (event.toolName || '').toLowerCase()
-    const params = event.params || {}
+    const toolName = String(event.toolName || '').toLowerCase()
+    const params = (event.params && typeof event.params === 'object') ? event.params : {}
 
     // 2a. Block network tools if sensitive files were recently read
     if (NETWORK_TOOLS.has(toolName) && sensitiveReads.size > 0) {

package/src/layers/input-auditor.ts

@@ -43,7 +43,7 @@ export function setupInputAuditor(
 
   // Hook 1: Check tool call arguments for injection
   api.on('before_tool_call', (event: any) => {
-    const args: Record<string, any> = event.params || {}
+    const args: Record<string, any> = (event.params && typeof event.params === 'object') ? event.params : {}
     const texts = extractTexts(args)
     if (texts.length === 0) return
 

package/src/layers/prompt-guard.ts

@@ -48,7 +48,7 @@ export function setupPromptGuard(
   const locale = resolveLocale(config)
 
   // Generate canary token for system prompt exfiltration detection
-  canaryToken = 'CG-' + randomBytes(8).toString('hex')
+  canaryToken = 'SW-' + randomBytes(8).toString('hex')
 
   const basePrompt = locale === 'zh' ? SECURITY_PROMPT_ZH : SECURITY_PROMPT_EN
   const canaryRule = locale === 'zh'

package/src/layers/tool-blocker.ts

@@ -34,9 +34,9 @@ export function setupToolBlocker(
   const locale = resolveLocale(config)
 
   api.on('before_tool_call', (event: any) => {
-    const tool: string = event.toolName || ''
+    const tool: string = String(event.toolName || '')
     const toolLower = tool.toLowerCase()
-    const args: Record<string, any> = event.params || {}
+    const args: Record<string, any> = (event.params && typeof event.params === 'object') ? event.params : {}
 
     // 1. Always-blocked tools (case-insensitive)
     if (BLOCKED_TOOLS.has(toolLower)) {

package/src/rules/dangerous-commands.ts

@@ -71,7 +71,7 @@ export const DANGEROUS_COMMANDS: DangerousCommandRule[] = [
   },
   {
     id: 'fork_bomb',
-    pattern: /:\(\)\s*\{\s*:\|:&\s*\}\s*;|\.\/[a-z]+\s*&\s*\.\/[a-z]+/i,
+    pattern: /:\(\)\s*\{\s*:\|:&\s*\}\s*;?|\.\/[a-z]+\s*&\s*\.\/[a-z]+/i,
     description_zh: 'Fork 炸弹（耗尽系统资源）',
     description_en: 'Fork bomb (exhaust system resources)',
   },

package/src/rules/injection-zh.ts

@@ -13,7 +13,7 @@ export const INJECTION_RULES_ZH: InjectionRule[] = [
   {
     id: 'zh_new_role',
     name: '角色扮演攻击',
-    pattern: '(?:你现在是|你的新身份是|从现在起你是|假装你是|扮演|你是一个)(?:.*?)(?:助手|AI|机器人|黑客|专家)',
+    pattern: '(?:你现在是|你的新身份是|从现在起你是|假装你是|请?扮演|你是一个|充当)(?:.*?)(?:助手|AI|机器人|黑客|专家|没有限制)',
     riskScore: 35,
     category: 'role_hijack',
   },
@@ -34,7 +34,7 @@ export const INJECTION_RULES_ZH: InjectionRule[] = [
   {
     id: 'zh_no_restriction',
     name: '解除限制',
-    pattern: '(?:取消|移除|去掉|关闭|忽略|跳过|绕过)(?:所有|一切|你的)?(?:限制|约束|安全|过滤|审查|规则)',
+    pattern: '(?:取消|移除|去掉|关闭|忽略|跳过|绕过|忘记|丢弃)(?:之前|所有|一切|你的|以上|前面)*(?:的)?(?:限制|约束|安全|过滤|审查|规则|指令|设定)',
     riskScore: 40,
     category: 'override',
   },
@@ -96,4 +96,12 @@ export const INJECTION_RULES_ZH: InjectionRule[] = [
     riskScore: 30,
     category: 'injection',
   },
+  {
+    id: 'zh_mixed_lang_injection',
+    name: '中英混合注入',
+    pattern: '(?:please|pls|now)?\\s*(?:ignore|forget|disregard)\\s+.*(?:指令|规则|之前|以上)|(?:忽略|忘记|跳过).*(?:instruction|rule|prompt|previous)',
+    flags: 'i',
+    riskScore: 40,
+    category: 'override',
+  },
 ]

package/src/rules/sensitive-patterns.ts

@@ -59,7 +59,7 @@ export const SENSITIVE_PATTERNS: SensitivePattern[] = [
   {
     id: 'password',
     name: 'Password',
-    regex: /(?:password|passwd|pwd)\s*[=:]\s*['"]?\S{6,}['"]?/gi,
+    regex: /(?:password|passwd|pwd)\s*[=:]\s*['"]?\S{6,100}['"]?/gi,
     replacement: '[REDACTED:Password]',
   },
   {
@@ -95,7 +95,7 @@ export const SENSITIVE_PATTERNS: SensitivePattern[] = [
   {
     id: 'email',
     name: 'Email Address',
-    regex: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g,
+    regex: /[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}\.[A-Za-z]{2,10}/g,
     replacement: '[REDACTED:Email]',
   },
   {

package/src/types.ts

@@ -21,8 +21,8 @@ export type ResolvedLocale = 'zh' | 'en'
 export interface AuditEntry {
   ts: string
   level: 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW' | 'INFO'
-  layer: 'L1' | 'L2' | 'L3' | 'L4' | 'L5' | 'L6' | 'L7' | 'L8'
-  action: 'block' | 'redact' | 'detect' | 'allow' | 'inject'
+  layer: 'L0' | 'L1' | 'L2' | 'L3' | 'L4' | 'L5' | 'L6' | 'L7' | 'L8'
+  action: 'block' | 'redact' | 'detect' | 'allow' | 'inject' | 'error'
   detail: string
   tool?: string
   pattern?: string
@@ -88,6 +88,6 @@ export function resolveLocale(config: ShellWardConfig): ResolvedLocale {
   if (config.locale === 'zh') return 'zh'
   if (config.locale === 'en') return 'en'
   // auto detection
-  const lang = process.env.LANG || process.env.LANGUAGE || process.env.LC_ALL || ''
-  return /zh/i.test(lang) ? 'zh' : 'en'
+  const lang = process.env.LANG || process.env.LC_ALL || process.env.LC_MESSAGES || process.env.LANGUAGE || ''
+  return /\bzh[_-]|chinese/i.test(lang) ? 'zh' : 'en'
 }

package/src/update-check.ts

@@ -0,0 +1,184 @@
+// src/update-check.ts — Non-blocking version check + remote vulnerability DB
+// Uses only Node.js built-in https module (zero dependencies)
+//
+// Anti-annoyance design:
+// - Network check at most once per 24 hours
+// - Same version update only notified ONCE (dismissed = silenced until next version)
+// - Vuln DB cached 24h, /check-updates always shows latest cache
+// - All network failures are silent and cached to avoid repeated timeouts
+
+import { get } from 'https'
+import { readFileSync, writeFileSync } from 'fs'
+import { join } from 'path'
+
+const CACHE_DIR = join(process.env.HOME || '~', '.openclaw', 'shellward')
+const CACHE_FILE = join(CACHE_DIR, 'update-cache.json')
+const VULN_CACHE_FILE = join(CACHE_DIR, 'vuln-db-cache.json')
+const CHECK_INTERVAL_MS = 24 * 60 * 60 * 1000 // 24 hours
+
+// Remote sources
+const NPM_REGISTRY_URL = 'https://registry.npmjs.org/shellward/latest'
+const VULN_DB_URL = 'https://raw.githubusercontent.com/jnMetaCode/shellward/main/vuln-db.json'
+
+interface UpdateCache {
+  lastCheck: number
+  latestVersion: string | null
+  notifiedVersion: string | null  // version user was already notified about — won't repeat
+}
+
+export interface VulnEntry {
+  affectedBelow: string
+  severity: 'CRITICAL' | 'HIGH' | 'MEDIUM'
+  id: string
+  ghsa?: string
+  description_zh: string
+  description_en: string
+}
+
+export interface SupplyChainAlert {
+  id: string
+  severity: 'CRITICAL' | 'HIGH' | 'MEDIUM'
+  date: string
+  description_zh: string
+  description_en: string
+}
+
+/**
+ * Simple HTTPS GET with redirect support. Timeout: 5s.
+ */
+function httpsGet(url: string): Promise<string> {
+  return new Promise((resolve, reject) => {
+    const req = get(url, { timeout: 5000 }, (res) => {
+      if ((res.statusCode === 301 || res.statusCode === 302) && res.headers.location) {
+        get(res.headers.location, { timeout: 5000 }, (res2) => {
+          let data = ''
+          res2.on('data', (chunk: Buffer) => { data += chunk.toString() })
+          res2.on('end', () => resolve(data))
+          res2.on('error', reject)
+        }).on('error', reject)
+        return
+      }
+      if (res.statusCode !== 200) {
+        reject(new Error(`HTTP ${res.statusCode}`))
+        return
+      }
+      let data = ''
+      res.on('data', (chunk: Buffer) => { data += chunk.toString() })
+      res.on('end', () => resolve(data))
+      res.on('error', reject)
+    })
+    req.on('error', reject)
+    req.on('timeout', () => { req.destroy(); reject(new Error('timeout')) })
+  })
+}
+
+/**
+ * Check npm for latest version.
+ *
+ * Returns result with `shouldNotify`:
+ * - true = first time seeing this new version, show the message
+ * - false = already notified for this version, stay quiet
+ * Returns null if check skipped or failed.
+ */
+export async function checkForUpdate(currentVersion: string): Promise<{
+  current: string
+  latest: string
+  updateAvailable: boolean
+  shouldNotify: boolean
+} | null> {
+  try {
+    const cache = readCache<UpdateCache>(CACHE_FILE)
+
+    // Use cached version if within interval
+    let latest: string | null = null
+    if (cache && Date.now() - cache.lastCheck < CHECK_INTERVAL_MS && cache.latestVersion) {
+      latest = cache.latestVersion
+    } else {
+      // Fetch from npm
+      const body = await httpsGet(NPM_REGISTRY_URL)
+      const data = JSON.parse(body)
+      latest = data.version
+      if (!latest || typeof latest !== 'string') return null
+
+      // Save to cache (preserve notifiedVersion)
+      writeCache(CACHE_FILE, {
+        lastCheck: Date.now(),
+        latestVersion: latest,
+        notifiedVersion: cache?.notifiedVersion || null,
+      })
+    }
+
+    const updateAvailable = compareVersions(latest, currentVersion) > 0
+
+    // Determine if we should notify:
+    // Only notify if update available AND we haven't already notified for this exact version
+    const alreadyNotified = cache?.notifiedVersion === latest
+    const shouldNotify = updateAvailable && !alreadyNotified
+
+    // If we're going to notify, mark it so we don't repeat
+    if (shouldNotify) {
+      const freshCache = readCache<UpdateCache>(CACHE_FILE) || { lastCheck: Date.now(), latestVersion: latest, notifiedVersion: null }
+      freshCache.notifiedVersion = latest
+      writeCache(CACHE_FILE, freshCache)
+    }
+
+    return { current: currentVersion, latest, updateAvailable, shouldNotify }
+  } catch {
+    return null
+  }
+}
+
+/**
+ * Fetch remote vulnerability database. Cached 24h. Local fallback on failure.
+ */
+export async function fetchVulnDB(): Promise<{ vulns: VulnEntry[]; alerts: SupplyChainAlert[] }> {
+  try {
+    const cached = readCache<{ lastCheck: number; vulns: VulnEntry[]; alerts: SupplyChainAlert[] }>(VULN_CACHE_FILE)
+    if (cached && Date.now() - cached.lastCheck < CHECK_INTERVAL_MS && cached.vulns) {
+      return { vulns: cached.vulns, alerts: cached.alerts || [] }
+    }
+
+    const body = await httpsGet(VULN_DB_URL)
+    const data = JSON.parse(body)
+    const vulns: VulnEntry[] = Array.isArray(data.vulnerabilities) ? data.vulnerabilities : []
+    const alerts: SupplyChainAlert[] = Array.isArray(data.supplyChainAlerts) ? data.supplyChainAlerts : []
+
+    writeCache(VULN_CACHE_FILE, { lastCheck: Date.now(), vulns, alerts })
+    return { vulns, alerts }
+  } catch {
+    // Cache failure result to avoid repeated timeouts
+    const cached = readCache<{ vulns: VulnEntry[]; alerts: SupplyChainAlert[] }>(VULN_CACHE_FILE)
+    const fallback = { vulns: cached?.vulns || [], alerts: cached?.alerts || [] }
+    writeCache(VULN_CACHE_FILE, { lastCheck: Date.now(), ...fallback })
+    return fallback
+  }
+}
+
+/**
+ * Compare semver-like version strings. Positive if a > b, negative if a < b, 0 if equal.
+ */
+export function compareVersions(a: string, b: string): number {
+  const pa = a.split('.').map(Number)
+  const pb = b.split('.').map(Number)
+  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
+    const diff = (pa[i] || 0) - (pb[i] || 0)
+    if (diff !== 0) return diff
+  }
+  return 0
+}
+
+// ===== Cache helpers =====
+
+function readCache<T>(path: string): T | null {
+  try {
+    return JSON.parse(readFileSync(path, 'utf-8')) as T
+  } catch {
+    return null
+  }
+}
+
+function writeCache(path: string, data: unknown): void {
+  try {
+    writeFileSync(path, JSON.stringify(data), { mode: 0o600 })
+  } catch { /* ignore */ }
+}

package/vuln-db.json

@@ -0,0 +1,137 @@
+{
+  "version": 2,
+  "lastUpdated": "2026-03-12T00:00:00Z",
+  "source": "ShellWard Security Team — aggregated from NVD, GitHub Advisories, security research",
+  "vulnerabilities": [
+    {
+      "affectedBelow": "1.0.111",
+      "severity": "HIGH",
+      "id": "CVE-2025-59536",
+      "ghsa": "GHSA-ph6w-f82w-28w6",
+      "description_zh": "远程代码执行：恶意仓库通过 Hooks 和 MCP Server 在信任提示前执行任意命令 (CVSS 8.7)",
+      "description_en": "RCE via Hooks and MCP Server bypass — arbitrary shell execution before trust dialog (CVSS 8.7)"
+    },
+    {
+      "affectedBelow": "2.0.65",
+      "severity": "MEDIUM",
+      "id": "CVE-2026-21852",
+      "ghsa": "GHSA-jh7p-qr78-84p7",
+      "description_zh": "API 密钥泄露：恶意仓库通过 settings.json 设置 ANTHROPIC_BASE_URL 窃取用户 API Key (CVSS 5.3)",
+      "description_en": "API key exfiltration via ANTHROPIC_BASE_URL in settings.json before trust prompt (CVSS 5.3)"
+    },
+    {
+      "affectedBelow": "2026.2.7",
+      "severity": "HIGH",
+      "id": "GHSA-66q4-vfjg-2qhh",
+      "description_zh": "命令注入：通过目录切换绕过文件写入保护",
+      "description_en": "Command injection via directory change bypasses write protection"
+    },
+    {
+      "affectedBelow": "2026.2.7",
+      "severity": "HIGH",
+      "id": "GHSA-mhg7-666j-cqg4",
+      "description_zh": "命令注入：通过管道 sed 命令绕过文件写入限制",
+      "description_en": "Command injection via piped sed command bypasses file write restrictions"
+    },
+    {
+      "affectedBelow": "2026.2.7",
+      "severity": "HIGH",
+      "id": "GHSA-ff64-7w26-62rf",
+      "description_zh": "沙箱逃逸：通过 settings.json 持久化配置注入",
+      "description_en": "Sandbox escape via persistent configuration injection in settings.json"
+    },
+    {
+      "affectedBelow": "2026.2.4",
+      "severity": "HIGH",
+      "id": "GHSA-qgqw-h4xq-7w8w",
+      "description_zh": "命令注入：find 命令绕过用户审批提示",
+      "description_en": "Command injection in find command bypasses user approval prompt"
+    },
+    {
+      "affectedBelow": "2026.2.4",
+      "severity": "HIGH",
+      "id": "GHSA-q728-gf8j-w49r",
+      "description_zh": "路径绕过：通过 ZSH clobber 实现任意文件写入",
+      "description_en": "Path restriction bypass via ZSH clobber allows arbitrary file writes"
+    },
+    {
+      "affectedBelow": "2026.2.4",
+      "severity": "HIGH",
+      "id": "GHSA-vhw5-3g5m-8ggf",
+      "description_zh": "域名验证绕过：自动向攻击者控制的域名发送请求",
+      "description_en": "Domain validation bypass allows automatic requests to attacker-controlled domains"
+    },
+    {
+      "affectedBelow": "1.0.131",
+      "severity": "HIGH",
+      "id": "GHSA-xq4m-mc3c-vvg3",
+      "description_zh": "命令验证绕过：允许执行任意代码",
+      "description_en": "Command validation bypass allows arbitrary code execution"
+    },
+    {
+      "affectedBelow": "1.0.120",
+      "severity": "HIGH",
+      "id": "GHSA-5hhx-v7f6-x7gv",
+      "description_zh": "信任提示前执行命令：启动时即执行恶意代码",
+      "description_en": "Command execution prior to startup trust dialog"
+    },
+    {
+      "affectedBelow": "1.0.120",
+      "severity": "HIGH",
+      "id": "GHSA-7mv8-j34q-vp7q",
+      "description_zh": "sed 命令验证绕过：实现任意文件写入",
+      "description_en": "Sed command validation bypass allows arbitrary file writes"
+    },
+    {
+      "affectedBelow": "1.0.111",
+      "severity": "HIGH",
+      "id": "GHSA-2jjv-qf24-vfm4",
+      "description_zh": "特定 Yarn 版本下插件自动加载导致任意代码执行",
+      "description_en": "Arbitrary code execution via plugin autoloading with specific Yarn versions"
+    },
+    {
+      "affectedBelow": "1.0.102",
+      "severity": "HIGH",
+      "id": "GHSA-j4h9-wv2m-wrf7",
+      "description_zh": "恶意 git email 配置导致任意代码执行",
+      "description_en": "Arbitrary code execution caused by maliciously configured git email"
+    },
+    {
+      "affectedBelow": "1.0.102",
+      "severity": "HIGH",
+      "id": "GHSA-qxfv-fcpc-w36x",
+      "description_zh": "rg 命令注入绕过用户审批提示",
+      "description_en": "Command injection in rg command bypassed user approval prompt"
+    },
+    {
+      "affectedBelow": "1.0.87",
+      "severity": "HIGH",
+      "id": "GHSA-x5gv-jw7f-j6xj",
+      "description_zh": "默认允许列表过于宽松：未授权文件读取和网络外泄",
+      "description_en": "Permissive default allowlist enables unauthorized file read and network exfiltration"
+    },
+    {
+      "affectedBelow": "1.0.82",
+      "severity": "HIGH",
+      "id": "GHSA-x56v-x2h6-7j34",
+      "description_zh": "echo 命令注入绕过用户审批提示",
+      "description_en": "Command injection in echo command bypassed user approval prompt"
+    },
+    {
+      "affectedBelow": "1.0.3",
+      "severity": "HIGH",
+      "id": "GHSA-9f65-56v6-gxw7",
+      "description_zh": "IDE 扩展 WebSocket 接受任意来源连接",
+      "description_en": "IDE extensions allow websocket connections from arbitrary origins"
+    }
+  ],
+  "supplyChainAlerts": [
+    {
+      "id": "SW-ALERT-2026-001",
+      "severity": "HIGH",
+      "date": "2026-02-15",
+      "description_zh": "SANDWORM_MODE 供应链攻击：19 个恶意 npm 包伪装为 Claude Code 等 AI 工具，植入恶意 MCP Server 窃取 SSH 密钥和凭证",
+      "description_en": "SANDWORM_MODE supply chain attack: 19 malicious npm packages impersonating Claude Code and AI tools, deploying rogue MCP servers to exfiltrate SSH keys and credentials"
+    }
+  ]
+}