@axonflow/openclaw 1.2.2 → 1.2.4

package/CHANGELOG.md

@@ -1,5 +1,22 @@
 # Changelog
 
+## [1.2.4] - 2026-04-14
+
+### Documentation
+
+- **README now reflects the verified-working install on OpenClaw 2026.4.14+.** v1.2.3 verified end-to-end that `openclaw plugins install @axonflow/openclaw` (and the `clawhub:@axonflow/openclaw` form) both work cleanly, but the README shipped with v1.2.3 still led with a "try this, might fail" framing and buried the primary command under a known-issue warning. Since README is the ClawHub listing page content, users saw instructions that contradicted actual behavior. v1.2.4 is a docs-only release that corrects the framing: primary command is shown unconditionally for 2026.4.14+, the older-CLI `npm pack` workaround is preserved inside a collapsed `<details>` block with affected-version context and an upgrade pointer.
+
+No code changes.
+
+## [1.2.3] - 2026-04-14
+
+### Fixed
+
+- **`openclaw plugins install @axonflow/openclaw` now works end-to-end on OpenClaw 2026.4.14+.** Two separate upstream bugs had been blocking this install path:
+  1. OpenClaw CLI prior to 2026.4.14 wrote the downloaded archive to `<tempdir>/@scope/name.zip` without creating the `@scope/` subdirectory, which made every scoped npm package on ClawHub fail with `ENOENT`. Fixed upstream in OpenClaw 2026.4.14 ([openclaw/openclaw#66618](https://github.com/openclaw/openclaw/issues/66618)).
+  2. OpenClaw 2026.4.14 also upgraded its install-time static scanner from **warn** to **block** on files that co-locate `process.env.X` reads with `fetch()` calls. Our telemetry opt-out unit tests (`tests/telemetry.test.ts`) legitimately mock both and were flagged as "possible credential harvesting", which blocked installation of v1.2.2. Filed upstream: [openclaw/openclaw#66840](https://github.com/openclaw/openclaw/issues/66840).
+- **Fix in this release:** new `.clawhubignore` excludes test files, TypeScript sources, CI config, and internal scripts from the ClawHub-published archive. Only runtime artifacts (`dist/`, `openclaw.plugin.json`, `policies/`, `package.json`, `README.md`, `CHANGELOG.md`, `LICENSE`) ship to ClawHub. The npm-published tgz was already minimal via the `files` field in `package.json`; this brings the ClawHub archive in line.
+
 ## [1.2.2] - 2026-04-14
 
 ### Fixed

package/README.md

@@ -60,19 +60,31 @@ See [Getting Started](https://docs.getaxonflow.com/docs/getting-started/) for fu
 
 Available on [ClawHub](https://clawhub.ai/plugins/%40axonflow%2Fopenclaw) and [npm](https://www.npmjs.com/package/@axonflow/openclaw).
 
+**Recommended:**
+
 ```bash
 openclaw plugins install @axonflow/openclaw
 ```
 
-> ⚠️ **Known issue with scoped packages on OpenClaw CLI**
->
-> If the command above fails with `ENOENT: no such file or directory, open '...openclaw-clawhub-package-XXXXXX/@axonflow/openclaw.zip'`, this is an upstream OpenClaw CLI bug ([openclaw/openclaw#66618](https://github.com/openclaw/openclaw/issues/66618)) affecting all scoped npm packages (any name with `@scope/`). The CLI writes the downloaded zip to a path containing the scope as a subdirectory but never creates that subdirectory. Workaround — install from npm directly:
->
-> ```bash
-> # Captures the exact tgz filename so a stale tgz in CWD doesn't get picked up
-> TGZ=$(npm pack @axonflow/openclaw 2>/dev/null | tail -1)
-> openclaw plugins install "./$TGZ"
-> ```
+The `clawhub:@axonflow/openclaw` form also works if you prefer to be explicit about the source:
+
+```bash
+openclaw plugins install clawhub:@axonflow/openclaw
+```
+
+Requires OpenClaw **2026.4.14 or later**. If you are not on the latest, upgrade with `npm install -g openclaw@latest`.
+
+<details>
+<summary>On an older OpenClaw CLI? The old workaround is still needed.</summary>
+
+OpenClaw versions before 2026.4.14 had a bug ([openclaw/openclaw#66618](https://github.com/openclaw/openclaw/issues/66618)) that made scoped packages fail with `ENOENT .../openclaw-clawhub-package-XXXXXX/@axonflow/openclaw.zip` — both forms of the install command hit it. The fix shipped in 2026.4.14. If you cannot upgrade, install from npm directly:
+
+```bash
+# Captures the exact tgz filename so a stale tgz in CWD doesn't get picked up
+TGZ=$(npm pack @axonflow/openclaw 2>/dev/null | tail -1)
+openclaw plugins install "./$TGZ"
+```
+</details>
 
 For the full integration walkthrough (architecture, hook coverage, policy examples, troubleshooting), see the [OpenClaw Integration Guide](https://docs.getaxonflow.com/docs/integration/openclaw/).
 

package/dist/index.d.ts

@@ -31,7 +31,7 @@
  * for async hook support.
  */
 /** Plugin version — update before each release. */
-export declare const VERSION = "1.2.2";
+export declare const VERSION = "1.2.4";
 export { AxonFlowClient } from "./axonflow-client.js";
 export type { AxonFlowPluginConfig } from "./config.js";
 export { resolveConfig, shouldGovernTool } from "./config.js";

package/dist/index.js

@@ -39,7 +39,7 @@ import { createLlmInputHandler, createLlmOutputHandler } from "./llm-audit.js";
 import { sendTelemetryPing } from "./telemetry.js";
 import { resetMetrics } from "./metrics.js";
 /** Plugin version — update before each release. */
-export const VERSION = "1.2.2";
+export const VERSION = "1.2.4";
 // Re-export for external consumers
 export { AxonFlowClient } from "./axonflow-client.js";
 export { resolveConfig, shouldGovernTool } from "./config.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@axonflow/openclaw",
-  "version": "1.2.2",
+  "version": "1.2.4",
   "description": "Policy enforcement, approval gates, and audit trails for OpenClaw — govern tool inputs before execution, scan outbound messages for PII/secrets, and record agent activity for review and compliance",
   "type": "module",
   "main": "dist/index.js",