@axonflow/openclaw 2.0.5 → 2.0.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +22 -0
- package/dist/index.d.ts +1 -1
- package/dist/index.js +1 -1
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,27 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## [2.0.6] - 2026-05-02 — Revert ClawPack publish path (v2.0.5 was uninstallable via ClawHub)
|
|
4
|
+
|
|
5
|
+
v2.0.5 switched the ClawHub publish artifact from folder upload (Legacy ZIP) to the `npm-pack` tarball (ClawPack). That triggered two ClawHub-side regressions specific to the ClawPack handling path that left v2.0.5 unusable for adopters:
|
|
6
|
+
|
|
7
|
+
1. **Install integrity mismatch.** `openclaw plugins install clawhub:@axonflow/openclaw@2.0.5` failed with `ClawHub archive integrity mismatch: expected sha256-RJwSW6ANBH3JKUkP06oA++JY9r1XAx58NDWKCeD6hwQ=, got sha256-7gGhfvJM/LuF9HfTZG2EsbjkSoImPau6h2wt+nwlhKo=`. The expected hash matched the published tarball; the bytes ClawHub's install endpoint actually served did not. ClawHub's CLI download path (`clawhub package download`) returned the correct bytes — only the install resolution path was broken.
|
|
8
|
+
2. **LLM scanner hallucinated "missing implementation".** ClawScan flagged dimensions at `concern` claiming "the bundle contains only package.json and openclaw.plugin.json", "implementation code is absent", and "registry presents this as an instruction-only skill with no code" — all factually false. ClawHub's own package record correctly tagged the artifact as `family: "code-plugin"` with `npmFileCount: 70` and `unpackedSize: 280368`. Static Analysis (deterministic — reads actual bytes) returned Benign. Only the LLM scanner pipeline saw an incomplete prompt context.
|
|
9
|
+
|
|
10
|
+
### Changed
|
|
11
|
+
|
|
12
|
+
- **Revert ClawHub publish step to folder upload.** `.github/workflows/publish.yml` now runs `clawhub package publish .` (folder) instead of `clawhub package publish ./<tarball>.tgz`. This re-introduces the "Legacy ZIP — may have compatibility issues" badge on the ClawHub install page but restores `openclaw plugins install` for every adopter. Trade-off accepted until ClawHub fixes the ClawPack handling path.
|
|
13
|
+
|
|
14
|
+
### Carried forward from v2.0.5
|
|
15
|
+
|
|
16
|
+
- `@anthropic-ai/sdk` `>=0.91.1` override remains in `package.json` (closes the moderate GHSA on insecure default file permissions; `@anthropic-ai/sdk` is a transitive dev-only dependency through the `openclaw` peerDep).
|
|
17
|
+
- Explicit `permissions: contents: read` remains on the `Heartbeat Real-Stack E2E` workflow (CodeQL parity).
|
|
18
|
+
|
|
19
|
+
### Upgrade
|
|
20
|
+
|
|
21
|
+
`openclaw plugins install @axonflow/openclaw@latest`. No code or configuration changes on your side. If you tried to install v2.0.5 and hit `ClawHub archive integrity mismatch`, retry with v2.0.6 — install resolves cleanly via the Legacy ZIP path.
|
|
22
|
+
|
|
23
|
+
---
|
|
24
|
+
|
|
3
25
|
## [2.0.5] - 2026-05-02 — Publish as ClawPack + transitive security bump
|
|
4
26
|
|
|
5
27
|
ClawHub's install page on prior versions surfaced a "Legacy ZIP — may have compatibility issues" badge because the publish flow uploaded a folder rather than the npm-pack tarball. The plugin already declared the `openclaw.compat.pluginApi` and `openclaw.build.openclawVersion` metadata that ClawPack requires, so the only change needed was the publish artifact format itself.
|
package/dist/index.d.ts
CHANGED
|
@@ -25,7 +25,7 @@
|
|
|
25
25
|
* for async hook support.
|
|
26
26
|
*/
|
|
27
27
|
/** Plugin version — update before each release. */
|
|
28
|
-
export declare const VERSION = "2.0.
|
|
28
|
+
export declare const VERSION = "2.0.6";
|
|
29
29
|
export { AxonFlowClient } from "./axonflow-client.js";
|
|
30
30
|
export type { AxonFlowPluginConfig } from "./config.js";
|
|
31
31
|
export { resolveConfig, shouldGovernTool } from "./config.js";
|
package/dist/index.js
CHANGED
|
@@ -35,7 +35,7 @@ import { bootstrapCommunitySaas } from "./community-saas-bootstrap.js";
|
|
|
35
35
|
import { resetMetrics } from "./metrics.js";
|
|
36
36
|
import { runPluginVersionCheck } from "./plugin-version-check.js";
|
|
37
37
|
/** Plugin version — update before each release. */
|
|
38
|
-
export const VERSION = "2.0.
|
|
38
|
+
export const VERSION = "2.0.6";
|
|
39
39
|
// Re-export for external consumers
|
|
40
40
|
export { AxonFlowClient } from "./axonflow-client.js";
|
|
41
41
|
export { resolveConfig, shouldGovernTool } from "./config.js";
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@axonflow/openclaw",
|
|
3
|
-
"version": "2.0.
|
|
3
|
+
"version": "2.0.6",
|
|
4
4
|
"description": "Policy enforcement, approval gates, and audit trails for OpenClaw — govern tool inputs before execution, scan outbound messages for PII/secrets, and record agent activity for review and compliance",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "dist/index.js",
|