@axonflow/openclaw 2.0.5 → 2.0.7
- package/CHANGELOG.md +48 -0
- package/dist/index.d.ts +1 -1
- package/dist/index.js +1 -1
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,53 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## [2.0.7] - 2026-05-02 — Pin ClawHub CLI to v0.12.0 + restore ClawPack publish + add ClawHub install smoke
|
|
4
|
+
|
|
5
|
+
v2.0.6 reverted to folder upload to escape v2.0.5's broken-install state but the install was **still broken** with a different error (`ClawHub archive contents do not match files[] metadata for "@axonflow/openclaw@2.0.6": missing "package.json"`). Both broken versions used `clawhub` CLI v0.12.1, which was published 2026-05-02 20:50 UTC — about two hours before our v2.0.5 ship.
|
|
6
|
+
|
|
7
|
+
v2.0.4 (last known-good install) was published 2026-04-30 with `clawhub` CLI v0.12.0 and still installs cleanly. The regression is in CLI v0.12.1's publish pipeline: regardless of whether you pass a folder or a tarball, the resulting artifact registers as `npm-pack (tgz)` with bytes that don't match the SHA-256 ClawHub records — breaking the install path.
|
|
8
|
+
|
|
9
|
+
### Changed
|
|
10
|
+
|
|
11
|
+
- **Pin `clawhub@0.12.0` in `.github/workflows/publish.yml`.** `npm install -g clawhub` (unpinned) was always pulling latest, which is why the regression hit on the next publish after v0.12.1 shipped. The pin holds until ClawHub fixes the upstream regression in v0.12.1+.
|
|
12
|
+
- **Restore ClawPack tarball publish path.** With CLI pinned to v0.12.0, `clawhub package publish ./<tarball>.tgz` returns to producing a publishable ClawPack artifact. Re-earns the ClawPack badge on the install page. If install still breaks despite the pin, v2.0.8 will revert to folder upload (Legacy ZIP).
|
|
13
|
+
|
|
14
|
+
### Added
|
|
15
|
+
|
|
16
|
+
- **`verify-clawhub-install` job in `publish.yml`.** Runs `openclaw plugins install clawhub:@axonflow/openclaw@<version>` against the just-published version and fails the workflow if install errors. v2.0.5 + v2.0.6 both shipped to ClawHub successfully and `verify-publish` (which only checks npm propagation) reported success — but adopters could not install. This job closes the gap so future regressions in the ClawHub install path surface in CI within ~3 minutes of tag rather than via adopter reports.
|
|
17
|
+
|
|
18
|
+
### Carried forward from v2.0.5/v2.0.6 (unchanged)
|
|
19
|
+
|
|
20
|
+
- `@anthropic-ai/sdk` `>=0.91.1` override remains in `package.json` (closes the moderate GHSA on insecure default file permissions).
|
|
21
|
+
- Explicit `permissions: contents: read` remains on the `Heartbeat Real-Stack E2E` workflow (CodeQL parity).
|
|
22
|
+
|
|
23
|
+
### Upgrade
|
|
24
|
+
|
|
25
|
+
`openclaw plugins install @axonflow/openclaw@latest`. If you were stuck on v2.0.5 or v2.0.6 with `ClawHub archive integrity mismatch` or `missing "package.json"` errors, retry — v2.0.7 should resolve cleanly via the pinned CLI's ClawPack path.
|
|
26
|
+
|
|
27
|
+
---
|
|
28
|
+
|
|
29
|
+
## [2.0.6] - 2026-05-02 — Revert ClawPack publish path (v2.0.5 was uninstallable via ClawHub)
|
|
30
|
+
|
|
31
|
+
v2.0.5 switched the ClawHub publish artifact from folder upload (Legacy ZIP) to the `npm-pack` tarball (ClawPack). That triggered two ClawHub-side regressions specific to the ClawPack handling path that left v2.0.5 unusable for adopters:
|
|
32
|
+
|
|
33
|
+
1. **Install integrity mismatch.** `openclaw plugins install clawhub:@axonflow/openclaw@2.0.5` failed with `ClawHub archive integrity mismatch: expected sha256-RJwSW6ANBH3JKUkP06oA++JY9r1XAx58NDWKCeD6hwQ=, got sha256-7gGhfvJM/LuF9HfTZG2EsbjkSoImPau6h2wt+nwlhKo=`. The expected hash matched the published tarball; the bytes ClawHub's install endpoint actually served did not. ClawHub's CLI download path (`clawhub package download`) returned the correct bytes — only the install resolution path was broken.
|
|
34
|
+
2. **LLM scanner hallucinated "missing implementation".** ClawScan flagged dimensions at `concern` claiming "the bundle contains only package.json and openclaw.plugin.json", "implementation code is absent", and "registry presents this as an instruction-only skill with no code" — all factually false. ClawHub's own package record correctly tagged the artifact as `family: "code-plugin"` with `npmFileCount: 70` and `unpackedSize: 280368`. Static Analysis (deterministic — reads actual bytes) returned Benign. Only the LLM scanner pipeline saw an incomplete prompt context.
|
|
35
|
+
|
|
36
|
+
### Changed
|
|
37
|
+
|
|
38
|
+
- **Revert ClawHub publish step to folder upload.** `.github/workflows/publish.yml` now runs `clawhub package publish .` (folder) instead of `clawhub package publish ./<tarball>.tgz`. This re-introduces the "Legacy ZIP — may have compatibility issues" badge on the ClawHub install page but restores `openclaw plugins install` for every adopter. Trade-off accepted until ClawHub fixes the ClawPack handling path.
|
|
39
|
+
|
|
40
|
+
### Carried forward from v2.0.5
|
|
41
|
+
|
|
42
|
+
- `@anthropic-ai/sdk` `>=0.91.1` override remains in `package.json` (closes the moderate GHSA on insecure default file permissions; `@anthropic-ai/sdk` is a transitive dev-only dependency through the `openclaw` peerDep).
|
|
43
|
+
- Explicit `permissions: contents: read` remains on the `Heartbeat Real-Stack E2E` workflow (CodeQL parity).
|
|
44
|
+
|
|
45
|
+
### Upgrade
|
|
46
|
+
|
|
47
|
+
`openclaw plugins install @axonflow/openclaw@latest`. No code or configuration changes on your side. If you tried to install v2.0.5 and hit `ClawHub archive integrity mismatch`, retry with v2.0.6 — install resolves cleanly via the Legacy ZIP path.
|
|
48
|
+
|
|
49
|
+
---
|
|
50
|
+
|
|
3
51
|
## [2.0.5] - 2026-05-02 — Publish as ClawPack + transitive security bump
|
|
4
52
|
|
|
5
53
|
ClawHub's install page on prior versions surfaced a "Legacy ZIP — may have compatibility issues" badge because the publish flow uploaded a folder rather than the npm-pack tarball. The plugin already declared the `openclaw.compat.pluginApi` and `openclaw.build.openclawVersion` metadata that ClawPack requires, so the only change needed was the publish artifact format itself.
|
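Review bot: The root cause stated in the new 2.0.7 section conflicts with the one left standing in the 2.0.6 section. 2.0.7 places the regression in `clawhub` CLI v0.12.1's publish pipeline (artifact bytes that do not match the SHA-256 ClawHub records), while item 1 under 2.0.6 says the expected hash matched the published tarball and only the install resolution path served different bytes. Mark the 2.0.6 diagnosis as superseded or reconcile the two, so a reader investigating the integrity mismatch is not left with two explanations. The entry should also say whether 2.0.5 and 2.0.6 were deprecated on the registry, and link the upstream issue that gates removal of the `clawhub@0.12.0` pin, since "until ClawHub fixes the upstream regression" gives nothing to track.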
package/dist/index.d.ts
CHANGED
|
@@ -25,7 +25,7 @@
|
|
|
25
25
|
* for async hook support.
|
|
26
26
|
*/
|
|
27
27
|
/** Plugin version — update before each release. */
|
|
28
|
-
export declare const VERSION = "2.0.
|
|
28
|
+
export declare const VERSION = "2.0.7";
|
|
29
29
|
export { AxonFlowClient } from "./axonflow-client.js";
|
|
30
30
|
export type { AxonFlowPluginConfig } from "./config.js";
|
|
31
31
|
export { resolveConfig, shouldGovernTool } from "./config.js";
|
package/dist/index.js
CHANGED
|
@@ -35,7 +35,7 @@ import { bootstrapCommunitySaas } from "./community-saas-bootstrap.js";
|
|
|
35
35
|
import { resetMetrics } from "./metrics.js";
|
|
36
36
|
import { runPluginVersionCheck } from "./plugin-version-check.js";
|
|
37
37
|
/** Plugin version — update before each release. */
|
|
38
|
-
export const VERSION = "2.0.
|
|
38
|
+
export const VERSION = "2.0.7";
|
|
39
39
|
// Re-export for external consumers
|
|
40
40
|
export { AxonFlowClient } from "./axonflow-client.js";
|
|
41
41
|
export { resolveConfig, shouldGovernTool } from "./config.js";
|
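Review bot: `VERSION` on line 38 is a hand-edited literal (the comment above it says "update before each release"), and the same string is bumped separately in `dist/index.d.ts` and `package.json` in this diff, so the three copies can drift apart. Consider generating the constant from `package.json` at build time, or add a CI check that fails the release when the values differ.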
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@axonflow/openclaw",
|
|
3
|
-
"version": "2.0.
|
|
3
|
+
"version": "2.0.7",
|
|
4
4
|
"description": "Policy enforcement, approval gates, and audit trails for OpenClaw — govern tool inputs before execution, scan outbound messages for PII/secrets, and record agent activity for review and compliance",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "dist/index.js",
|
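Review bot: The `version` field on line 3 is the only change in this hunk, and the `index.js` and `index.d.ts` hunks change only the `VERSION` string, so the shipped package content is otherwise identical to 2.0.5 as diffed here. The 2.0.7 Upgrade section in the changelog should state that explicitly, as the 2.0.6 section does with "No code or configuration changes on your side".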