v0.4.0 — Hook Error Handling, Update Notifications, Remote Vuln DB

jnMetaCode released this 12 Mar 14:41

What's New

Hook Error Handling (Fail-Safe)

  • createSafeApi() wrapper: every hook in all 8 defense layers is wrapped in an automatic try-catch
  • An exception in before_tool_call blocks the call (fail closed: an erroring gate must deny, never allow)
  • An exception in any other hook passes its input through unchanged (one failing layer does not break the chain)
  • Every caught error is logged at CRITICAL level
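The fail-safe policy above, written out as an added example (this is not shellward's own createSafeApi, and the hook names, the `{ allow, reason }` return shape for before_tool_call, and the logger are assumptions standing in for whatever the plugin host provides):

```javascript
// Added example, not shellward's code. Hook API shape and logger are hypothetical.
const CRITICAL = 'CRITICAL';

// Minimal logger stand-in that records entries so callers can inspect them.
function createLogger() {
  const entries = [];
  return {
    entries,
    log(level, msg, meta) { entries.push({ level, msg, ...meta }); },
  };
}

// Wrap every function on `api` so an exception inside a defense layer can
// neither crash the host nor silently turn into an allow.
function createSafeApi(api, logger) {
  const safe = {};
  for (const [name, hook] of Object.entries(api)) {
    if (typeof hook !== 'function') { safe[name] = hook; continue; }
    safe[name] = function (...args) {
      const onError = (err) => {
        const message = err && err.message ? err.message : String(err);
        logger.log(CRITICAL, `hook ${name} threw`, { hook: name, error: message });
        if (name === 'before_tool_call') {
          // Fail closed: the gate that decides whether a tool may run denies on error.
          return { allow: false, reason: `hook error: ${message}` };
        }
        // Fail open for every other hook: hand the first argument back unchanged
        // so the next layer in the chain still receives its input.
        return args[0];
      };
      try {
        const result = hook.apply(this, args);
        // Async hooks: route a rejected promise through the same policy.
        return result && typeof result.then === 'function' ? result.catch(onError) : result;
      } catch (err) {
        return onError(err);
      }
    };
  }
  return safe;
}

// Constructed hooks: a gate that crashes on an unexpected toolName type
// (the "non-string toolName" case) and a post-hook that always throws.
function demo() {
  const logger = createLogger();
  const api = createSafeApi({
    before_tool_call(call) {
      if (typeof call.toolName !== 'string') throw new TypeError('toolName must be a string');
      return { allow: true };
    },
    after_tool_call(result) { throw new Error('post-processing crashed'); },
    version: '0.4.0',
  }, logger);

  return {
    goodCall: api.before_tool_call({ toolName: 'ls' }),          // { allow: true }
    badCall: api.before_tool_call({ toolName: 42 }),             // { allow: false, reason: ... }
    passThrough: api.after_tool_call('tool output'),             // 'tool output'
    logged: logger.entries,
    version: api.version,
  };
}

module.exports = { createLogger, createSafeApi, demo };
```

The choice of fail-open for non-gating hooks is deliberate: a crashed logging or redaction layer should not stop the pipeline, but because the error is still logged at CRITICAL a silent degradation is visible in the logs rather than hidden.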

Non-Blocking Update Notifications

  • Checks the npm registry for a newer version at most once every 24h
  • Notification dedup: a given version is announced once; it is not repeated after the user has seen it
  • Silent on network failure; the failed check is cached so a flaky network does not cause repeated timeouts

Remote Vulnerability Database

  • 17 real CVEs/GHSAs from NVD and GitHub Security Advisories
  • 1 supply chain alert (SANDWORM_MODE campaign)
  • 24h cache, with graceful fallback to the local built-in DB when the remote fetch fails
  • /check-updates command shows which vuln DB source is in use and the entry details

Security Fixes

  • ReDoS fix: the email regex no longer backtracks catastrophically on large text; 333x speedup (14s → 43ms on a 200KB input)
  • Injection rule gaps: expanded Chinese rules and added cross-language injection detection (26 rules total)
  • Fork bomb regex: fixed a pattern that command splitting had broken
  • Defensive input handling: non-string toolName/params no longer crash the hook
  • Regex state pollution: fixed a global-flag state leak in /scan-plugins (a reused /g regex carrying its lastIndex from one scan into the next)
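The global-flag leak in the last bullet is easy to reproduce, and the fix is short. Added example, not shellward's code: the rule pattern below is a hypothetical stand-in for a plugin-scan rule, chosen only to show the behaviour.

```javascript
// Added example, not shellward's code. SHARED_RULE is a hypothetical scan rule.

// Buggy form: one module-level regex with the /g flag, reused via .test().
// With /g, a successful .test() stores where the match ended in lastIndex,
// and the NEXT call starts searching from there, even on a different string.
const SHARED_RULE = /eval\s*\(/g;
function scanLeaky(source) {
  return SHARED_RULE.test(source);
}

// Fixed form (1): no global flag, so .test() always starts at offset 0.
const RULE = /eval\s*\(/;
function scanFixed(source) {
  return RULE.test(source);
}

// Fixed form (2): when /g is required (matchAll demands it), reset lastIndex
// before each use. matchAll clones the regex together with its lastIndex, so a
// polluted value would otherwise skip matches at the start of the input.
function findAllSafe(source) {
  SHARED_RULE.lastIndex = 0;
  return [...source.matchAll(SHARED_RULE)].map((m) => m.index);
}

// Constructed inputs: two plugin sources that both contain the pattern.
// Scanning them back to back with the leaky scanner misses the second one.
function demonstrateLeak() {
  SHARED_RULE.lastIndex = 0;
  const first = scanLeaky('eval("x")');   // true, lastIndex is now 5
  const second = scanLeaky('eval("y")');  // false: search began at offset 5
  return { leaky: [first, second], fixed: [scanFixed('eval("x")'), scanFixed('eval("y")')] };
}

module.exports = { SHARED_RULE, scanLeaky, scanFixed, findAllSafe, demonstrateLeak };
```

The same leak applies to `RegExp#exec` and to the `/y` (sticky) flag; any regex object that is shared across calls and carries one of those flags needs either the flag removed or `lastIndex` reset before every use.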

Testing

  • 100 tests across 3 suites (37 integration + 42 edge cases + 21 update check)
  • Performance: 125,000 tool checks/sec; a 200KB PII scan completes in 55ms

Install: openclaw plugins install shellward