feat: hourly rule updates from GitHub registry, Settings tab, macOS restart banner

leos565 · leos565 · commit e318ed57add3 · 2026-02-27T15:23:00.000+02:00
Made-with: Cursor
diff --git a/README.md b/README.md
@@ -270,6 +270,8 @@ Open [http://localhost:8477](http://localhost:8477) in your browser.
 - **Platform filtering** — Auto-detects OS and shows only relevant rules. Pill bar to switch between This Mac / All Platforms / macOS / Linux.
 - **Search** — Filter rules by Rule ID, value, or category.
 - **Sessions dropdown** — Shows active OpenClaw instances being monitored.
+- **Settings tab** — Toggle auto-check for rule updates (hourly). Manual "Check for updates now" button.
+- **Rule updates** — Agents query the GitHub registry hourly for updated threat signatures. On **Linux**, new rules are downloaded and enforced automatically (monitor hot-reloads). On **macOS**, a banner shows the number of changes and prompts to restart OpenClaw to enforce.
 
 ### API Endpoints
 
@@ -285,6 +287,10 @@ Open [http://localhost:8477](http://localhost:8477) in your browser.
 | `PUT` | `/api/custom-rules/{id}` | Update a custom rule's value or platform |
 | `DELETE` | `/api/custom-rules/{id}` | Delete a custom rule |
 | `GET` | `/api/sessions` | Active OpenClaw sessions |
+| `GET` | `/api/settings` | Dashboard settings (auto-update toggle) |
+| `POST` | `/api/settings` | Update settings |
+| `GET` | `/api/updates` | Check for rule updates from registry |
+| `POST` | `/api/updates/apply` | Download and apply updates |
 
 ## User Rules
 
diff --git a/deploy/dashboard/app.py b/deploy/dashboard/app.py
@@ -35,12 +35,17 @@
     load_user_rules, save_user_rules, USER_RULES_PATH,
     add_custom_rule, update_custom_rule, delete_custom_rule,
     get_custom_rules, get_custom_rule_metadata, CUSTOM_RULE_TYPES,
+    load_settings, save_settings,
 )
+from shared.rule_updater import check_for_updates, download_and_apply
 
 logger = logging.getLogger("clawedr.dashboard")
 
 app = FastAPI(title="ClawEDR Dashboard", version="1.0.0")
 
+# Cached result from background update check (macOS banner)
+_pending_updates: dict | None = None
+
 POLICY_PATH = os.environ.get(
     "CLAWEDR_POLICY_PATH", "/usr/local/share/clawedr/compiled_policy.json"
 )
@@ -517,6 +522,64 @@ async def get_status():
     return JSONResponse(status)
 
 
+# ---------------------------------------------------------------------------
+# Settings & Rule Updates
+# ---------------------------------------------------------------------------
+
+@app.get("/api/settings")
+async def get_settings():
+    """Return dashboard settings (auto-update toggle, etc.)."""
+    return JSONResponse(load_settings())
+
+
+@app.post("/api/settings")
+async def post_settings(request: Request):
+    """Update dashboard settings."""
+    try:
+        body = await request.json()
+        settings = load_settings()
+        if "auto_update_rules" in body:
+            settings["auto_update_rules"] = bool(body["auto_update_rules"])
+        save_settings(settings)
+        return JSONResponse({"status": "ok", "settings": settings})
+    except Exception as exc:
+        return JSONResponse({"error": str(exc)}, status_code=400)
+
+
+@app.get("/api/updates")
+async def get_updates():
+    """Check for rule updates from the registry. Returns has_updates, change_count, etc."""
+    global _pending_updates
+    result = check_for_updates()
+    if result.get("has_updates"):
+        _pending_updates = result
+    else:
+        _pending_updates = None
+    return JSONResponse(result)
+
+
+@app.get("/api/updates/cached")
+async def get_updates_cached():
+    """Return cached update result from background check (for lightweight polling)."""
+    return JSONResponse(_pending_updates or {"has_updates": False})
+
+
+@app.post("/api/updates/apply")
+async def apply_updates():
+    """Download and apply rule updates. Linux: hot-reload. macOS: replace files, user must restart."""
+    ok, msg = download_and_apply()
+    if ok:
+        global _pending_updates
+        _pending_updates = None
+        # Update last_check timestamp
+        settings = load_settings()
+        from datetime import datetime
+        settings["last_update_check"] = datetime.utcnow().isoformat() + "Z"
+        save_settings(settings)
+        return JSONResponse({"status": "ok", "message": msg})
+    return JSONResponse({"error": msg}, status_code=500)
+
+
 @app.get("/api/sessions")
 async def get_sessions():
     """Return active OpenClaw sessions."""
@@ -574,8 +637,47 @@ async def dashboard():
     return HTMLResponse("<h1>ClawEDR Dashboard</h1><p>Template not found.</p>")
 
 
+def _run_update_check():
+    """Background task: hourly check for rule updates."""
+    import platform
+    import time
+    global _pending_updates
+    CHECK_INTERVAL = 3600  # 1 hour
+    time.sleep(60)  # Defer first check to avoid startup load
+    while True:
+        try:
+            settings = load_settings()
+            if not settings.get("auto_update_rules", True):
+                continue
+            result = check_for_updates()
+            if result.get("error"):
+                continue
+            if not result.get("has_updates"):
+                _pending_updates = None
+                continue
+            if platform.system() == "Linux":
+                ok, msg = download_and_apply()
+                if ok:
+                    logger.info("Auto-applied rule update: %s", msg)
+                    _pending_updates = None
+                    settings = load_settings()
+                    from datetime import datetime
+                    settings["last_update_check"] = datetime.utcnow().isoformat() + "Z"
+                    save_settings(settings)
+            else:
+                # macOS: cache for banner, user must restart
+                _pending_updates = result
+                logger.info("Rule updates available (%d changes). Restart OpenClaw to enforce.", result.get("change_count", 0))
+        except Exception as e:
+            logger.exception("Update check failed: %s", e)
+        time.sleep(CHECK_INTERVAL)
+
+
 def main():
+    import threading
     import uvicorn
+    t = threading.Thread(target=_run_update_check, daemon=True)
+    t.start()
     port = int(os.environ.get("CLAWEDR_DASHBOARD_PORT", "8477"))
     logger.info("Starting ClawEDR Dashboard on http://localhost:%d", port)
     uvicorn.run(app, host="127.0.0.1", port=port, log_level="info")
diff --git a/deploy/dashboard/templates/index.html b/deploy/dashboard/templates/index.html
@@ -1208,6 +1208,35 @@
             padding: 0;
             display: flex;
         }
+
+        /* Update banner (macOS: new rules available) */
+        .update-banner {
+            position: fixed;
+            top: 0;
+            left: 0;
+            right: 0;
+            background: linear-gradient(135deg, var(--warning) 0%, #f59e0b 100%);
+            color: #1a1a1a;
+            padding: 12px 24px;
+            z-index: 500;
+            box-shadow: 0 4px 12px rgba(0, 0, 0, 0.15);
+        }
+        .update-banner-content {
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            gap: 16px;
+            flex-wrap: wrap;
+        }
+        .update-banner-content .btn-primary {
+            background: #1a1a1a;
+            color: white;
+            border-color: #1a1a1a;
+        }
+        .update-banner-content .btn-primary:hover {
+            background: #333;
+            color: white;
+        }
     </style>
 </head>
 
@@ -1251,6 +1280,15 @@ <h1>ClawEDR <span>Dashboard</span></h1>
                     </svg>
                     Policy Rules
                 </button>
+                <button class="tab sidebar-link" data-tab="settings"
+                    style="text-align: left; display: flex; align-items: center; gap: 12px; padding: 10px 16px;">
+                    <svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"
+                        stroke-linecap="round" stroke-linejoin="round">
+                        <circle cx="12" cy="12" r="3"></circle>
+                        <path d="M19.4 15a1.65 1.65 0 0 0 .33 1.82l.06.06a2 2 0 0 1 0 2.83 2 2 0 0 1-2.83 0l-.06-.06a1.65 1.65 0 0 0-1.82-.33 1.65 1.65 0 0 0-1 1.51V21a2 2 0 0 1-2 2 2 2 0 0 1-2-2v-.09A1.65 1.65 0 0 0 9 19.4a1.65 1.65 0 0 0-1.82.33l-.06.06a2 2 0 0 1-2.83 0 2 2 0 0 1 0-2.83l.06-.06a1.65 1.65 0 0 0 .33-1.82 1.65 1.65 0 0 0-1.51-1H3a2 2 0 0 1-2-2 2 2 0 0 1 2-2h.09A1.65 1.65 0 0 0 4.6 9a1.65 1.65 0 0 0-.33-1.82l-.06-.06a2 2 0 0 1 0-2.83 2 2 0 0 1 2.83 0l.06.06a1.65 1.65 0 0 0 1.82.33H9a1.65 1.65 0 0 0 1-1.51V3a2 2 0 0 1 2-2 2 2 0 0 1 2 2v.09a1.65 1.65 0 0 0 1 1.51 1.65 1.65 0 0 0 1.82-.33l.06-.06a2 2 0 0 1 2.83 0 2 2 0 0 1 0 2.83l-.06.06a1.65 1.65 0 0 0-.33 1.82V9a1.65 1.65 0 0 0 1.51 1H21a2 2 0 0 1 2 2 2 2 0 0 1-2 2h-.09a1.65 1.65 0 0 0-1.51 1z"></path>
+                    </svg>
+                    Settings
+                </button>
             </nav>
 
             <div class="sidebar-footer" style="margin-top: 24px; display: flex; flex-direction: column; gap: 12px;">
@@ -1419,6 +1457,40 @@ <h3 style="font-size: 15px; font-weight: 600;">Alert Details</h3>
                 </div>
             </div>
 
+            <!-- Settings Tab -->
+            <div class="tab-panel" id="tab-settings">
+                <div class="card">
+                    <div class="card-header">
+                        <span class="card-title">Rule Updates</span>
+                    </div>
+                    <p style="color:var(--text-muted);font-size:12px;margin-bottom:16px;">
+                        ClawEDR checks the GitHub registry every hour for updated threat signatures/rules.
+                        When enabled, updates are applied automatically on Linux. On macOS, you'll see a banner
+                        and must restart OpenClaw to enforce new rules.
+                    </p>
+                    <div class="form-group">
+                        <label class="form-label" style="display:flex;align-items:center;gap:12px;cursor:pointer;">
+                            <input type="checkbox" id="autoUpdateToggle" checked onchange="toggleAutoUpdate(this.checked)">
+                            <span>Auto-check for rule updates (hourly)</span>
+                        </label>
+                    </div>
+                    <div style="display:flex;gap:12px;margin-top:16px;">
+                        <button class="btn btn-primary" onclick="checkForUpdates()" id="checkUpdatesBtn">
+                            Check for updates now
+                        </button>
+                        <span id="lastCheckLabel" style="font-size:12px;color:var(--text-muted);align-self:center;"></span>
+                    </div>
+                </div>
+            </div>
+
+            <!-- Update banner (macOS: when updates available, show count + restart message) -->
+            <div class="update-banner" id="updateBanner" style="display:none;">
+                <div class="update-banner-content">
+                    <span id="updateBannerText"></span>
+                    <button class="btn btn-primary btn-sm" onclick="applyUpdates()" id="applyUpdatesBtn">Download & apply</button>
+                </div>
+            </div>
+
             <div class="footer">ClawEDR v2.0 — Kernel-level endpoint detection for AI agents</div>
         </main>
     </div>
@@ -2071,11 +2143,100 @@ <h2 id="modalTitle">Add Custom Rule</h2>
             renderAlerts(activeDisplayedAlerts);
         }
 
+        // ── Settings & Updates ──
+        async function loadSettings() {
+            try {
+                const s = await fetchJSON('/api/settings');
+                document.getElementById('autoUpdateToggle').checked = s.auto_update_rules !== false;
+                const last = s.last_update_check;
+                document.getElementById('lastCheckLabel').textContent = last
+                    ? 'Last check: ' + new Date(last).toLocaleString()
+                    : '';
+            } catch (_) {}
+        }
+        async function toggleAutoUpdate(on) {
+            try {
+                await fetch('/api/settings', {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({ auto_update_rules: on })
+                });
+                showToast(on ? 'Auto-update enabled' : 'Auto-update disabled', 'info');
+            } catch (e) { showToast('Failed to save', 'danger'); }
+        }
+        async function checkForUpdates() {
+            const btn = document.getElementById('checkUpdatesBtn');
+            btn.disabled = true;
+            btn.textContent = 'Checking...';
+            try {
+                const r = await fetchJSON('/api/updates');
+                if (r.error) {
+                    showToast(r.error, 'danger');
+                } else if (r.has_updates) {
+                    const n = r.change_count || 0;
+                    showToast(`${n} rule change(s) available`, 'warning');
+                    showUpdateBanner(r);
+                } else {
+                    showToast('Rules are up to date', 'success');
+                    hideUpdateBanner();
+                }
+            } catch (e) {
+                showToast('Check failed: ' + e.message, 'danger');
+            }
+            btn.disabled = false;
+            btn.textContent = 'Check for updates now';
+            loadSettings();
+        }
+        function showUpdateBanner(r) {
+            const n = r.change_count || 0;
+            const isMac = detectedOS === 'Darwin';
+            const el = document.getElementById('updateBanner');
+            const text = document.getElementById('updateBannerText');
+            text.textContent = isMac
+                ? `${n} new rule change(s) available. Restart OpenClaw to enforce.`
+                : `${n} new rule change(s) available.`;
+            el.style.display = 'block';
+        }
+        function hideUpdateBanner() {
+            document.getElementById('updateBanner').style.display = 'none';
+        }
+        async function applyUpdates() {
+            const btn = document.getElementById('applyUpdatesBtn');
+            btn.disabled = true;
+            btn.textContent = 'Applying...';
+            try {
+                const res = await fetch('/api/updates/apply', { method: 'POST' });
+                const data = await res.json();
+                if (data.error) {
+                    showToast(data.error, 'danger');
+                } else {
+                    showToast(data.message || 'Updates applied', 'success');
+                    hideUpdateBanner();
+                    if (detectedOS === 'Linux') loadRules();
+                }
+            } catch (e) {
+                showToast('Apply failed: ' + e.message, 'danger');
+            }
+            btn.disabled = false;
+            btn.textContent = 'Download & apply';
+            loadSettings();
+        }
+
         // ── Init ──
-        loadStatus().then(() => loadRules().then(() => loadUserRules()));
+        loadStatus().then(() => {
+            loadRules().then(() => loadUserRules());
+            loadSettings();
+            checkForUpdates().then(() => {}); // Initial check for banner
+        });
         loadSessions(); loadAlerts(); loadCustomRules();
         setInterval(loadAlerts, 30000);
         setInterval(loadSessions, 15000);
+        setInterval(async () => {
+            try {
+                const r = await fetchJSON('/api/updates/cached');
+                if (r.has_updates) showUpdateBanner(r);
+            } catch (_) {}
+        }, 120000); // Poll for cached updates every 2 min (from background hourly check)
     </script>
 </body>
 
diff --git a/deploy/install.sh b/deploy/install.sh
@@ -198,6 +198,7 @@ install_macos() {
     # Shared modules
     fetch "$CLAWEDR_BASE_URL/shared/user_rules.py"           "$tmpdir/user_rules.py"
     fetch "$CLAWEDR_BASE_URL/shared/alert_dispatcher.py"     "$tmpdir/alert_dispatcher.py"
+    fetch "$CLAWEDR_BASE_URL/shared/rule_updater.py"         "$tmpdir/rule_updater.py"
     # Dashboard
     fetch "$CLAWEDR_BASE_URL/dashboard/app.py"               "$tmpdir/dashboard_app.py"
     fetch "$CLAWEDR_BASE_URL/dashboard/templates/index.html" "$tmpdir/dashboard_index.html"
@@ -217,6 +218,7 @@ install_macos() {
     cp "$tmpdir/compiled_policy.json"    "$CLAWEDR_DIR/"
     cp "$tmpdir/user_rules.py"           "$CLAWEDR_DIR/shared/"
     cp "$tmpdir/alert_dispatcher.py"     "$CLAWEDR_DIR/shared/"
+    cp "$tmpdir/rule_updater.py"         "$CLAWEDR_DIR/shared/"
     cp "$tmpdir/dashboard_app.py"        "$CLAWEDR_DIR/dashboard/app.py"
     cp "$tmpdir/dashboard_index.html"    "$CLAWEDR_DIR/dashboard/templates/index.html"
     touch "$CLAWEDR_DIR/shared/__init__.py"
@@ -261,6 +263,7 @@ install_linux() {
     # Shared modules
     fetch "$CLAWEDR_BASE_URL/shared/user_rules.py"           "$tmpdir/user_rules.py"
     fetch "$CLAWEDR_BASE_URL/shared/alert_dispatcher.py"     "$tmpdir/alert_dispatcher.py"
+    fetch "$CLAWEDR_BASE_URL/shared/rule_updater.py"         "$tmpdir/rule_updater.py"
     # Dashboard
     fetch "$CLAWEDR_BASE_URL/dashboard/app.py"               "$tmpdir/dashboard_app.py"
     fetch "$CLAWEDR_BASE_URL/dashboard/templates/index.html" "$tmpdir/dashboard_index.html"
@@ -279,6 +282,7 @@ install_linux() {
     cp "$tmpdir/monitor.py"          "$CLAWEDR_DIR/"
     cp "$tmpdir/user_rules.py"       "$CLAWEDR_DIR/shared/"
     cp "$tmpdir/alert_dispatcher.py" "$CLAWEDR_DIR/shared/"
+    cp "$tmpdir/rule_updater.py"     "$CLAWEDR_DIR/shared/"
     cp "$tmpdir/dashboard_app.py"    "$CLAWEDR_DIR/dashboard/app.py"
     cp "$tmpdir/dashboard_index.html" "$CLAWEDR_DIR/dashboard/templates/index.html"
     touch "$CLAWEDR_DIR/shared/__init__.py"
diff --git a/deploy/shared/rule_updater.py b/deploy/shared/rule_updater.py
diff --git a/deploy/shared/user_rules.py b/deploy/shared/user_rules.py
