@axonflow/openclaw 2.0.6 → 2.0.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +26 -0
- package/dist/index.d.ts +1 -1
- package/dist/index.js +1 -1
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,31 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## [2.0.7] - 2026-05-02 — Pin ClawHub CLI to v0.12.0 + restore ClawPack publish + add ClawHub install smoke
|
|
4
|
+
|
|
5
|
+
v2.0.6 reverted to folder upload to escape v2.0.5's broken-install state but the install was **still broken** with a different error (`ClawHub archive contents do not match files[] metadata for "@axonflow/openclaw@2.0.6": missing "package.json"`). Both broken versions used `clawhub` CLI v0.12.1, which was published 2026-05-02 20:50 UTC — about two hours before our v2.0.5 ship.
|
|
6
|
+
|
|
7
|
+
v2.0.4 (last known-good install) was published 2026-04-30 with `clawhub` CLI v0.12.0 and still installs cleanly. The regression is in CLI v0.12.1's publish pipeline: regardless of whether you pass a folder or a tarball, the resulting artifact registers as `npm-pack (tgz)` with bytes that don't match the SHA-256 ClawHub records — breaking the install path.
|
|
8
|
+
|
|
9
|
+
### Changed
|
|
10
|
+
|
|
11
|
+
- **Pin `clawhub@0.12.0` in `.github/workflows/publish.yml`.** `npm install -g clawhub` (unpinned) was always pulling latest, which is why the regression hit on the next publish after v0.12.1 shipped. The pin holds until ClawHub fixes the upstream regression in v0.12.1+.
|
|
12
|
+
- **Restore ClawPack tarball publish path.** With CLI pinned to v0.12.0, `clawhub package publish ./<tarball>.tgz` returns to producing a publishable ClawPack artifact. Re-earns the ClawPack badge on the install page. If install still breaks despite the pin, v2.0.8 will revert to folder upload (Legacy ZIP).
|
|
13
|
+
|
|
14
|
+
### Added
|
|
15
|
+
|
|
16
|
+
- **`verify-clawhub-install` job in `publish.yml`.** Runs `openclaw plugins install clawhub:@axonflow/openclaw@<version>` against the just-published version and fails the workflow if install errors. v2.0.5 + v2.0.6 both shipped to ClawHub successfully and `verify-publish` (which only checks npm propagation) reported success — but adopters could not install. This job closes the gap so future regressions in the ClawHub install path surface in CI within ~3 minutes of tag rather than via adopter reports.
|
|
17
|
+
|
|
18
|
+
### Carried forward from v2.0.5/v2.0.6 (unchanged)
|
|
19
|
+
|
|
20
|
+
- `@anthropic-ai/sdk` `>=0.91.1` override remains in `package.json` (closes the moderate GHSA on insecure default file permissions).
|
|
21
|
+
- Explicit `permissions: contents: read` remains on the `Heartbeat Real-Stack E2E` workflow (CodeQL parity).
|
|
22
|
+
|
|
23
|
+
### Upgrade
|
|
24
|
+
|
|
25
|
+
`openclaw plugins install @axonflow/openclaw@latest`. If you were stuck on v2.0.5 or v2.0.6 with `ClawHub archive integrity mismatch` or `missing "package.json"` errors, retry — v2.0.7 should resolve cleanly via the pinned CLI's ClawPack path.
|
|
26
|
+
|
|
27
|
+
---
|
|
28
|
+
|
|
3
29
|
## [2.0.6] - 2026-05-02 — Revert ClawPack publish path (v2.0.5 was uninstallable via ClawHub)
|
|
4
30
|
|
|
5
31
|
v2.0.5 switched the ClawHub publish artifact from folder upload (Legacy ZIP) to the `npm-pack` tarball (ClawPack). That triggered two ClawHub-side regressions specific to the ClawPack handling path that left v2.0.5 unusable for adopters:
|
package/dist/index.d.ts
CHANGED
|
@@ -25,7 +25,7 @@
|
|
|
25
25
|
* for async hook support.
|
|
26
26
|
*/
|
|
27
27
|
/** Plugin version — update before each release. */
|
|
28
|
-
export declare const VERSION = "2.0.
|
|
28
|
+
export declare const VERSION = "2.0.7";
|
|
29
29
|
export { AxonFlowClient } from "./axonflow-client.js";
|
|
30
30
|
export type { AxonFlowPluginConfig } from "./config.js";
|
|
31
31
|
export { resolveConfig, shouldGovernTool } from "./config.js";
|
package/dist/index.js
CHANGED
|
@@ -35,7 +35,7 @@ import { bootstrapCommunitySaas } from "./community-saas-bootstrap.js";
|
|
|
35
35
|
import { resetMetrics } from "./metrics.js";
|
|
36
36
|
import { runPluginVersionCheck } from "./plugin-version-check.js";
|
|
37
37
|
/** Plugin version — update before each release. */
|
|
38
|
-
export const VERSION = "2.0.
|
|
38
|
+
export const VERSION = "2.0.7";
|
|
39
39
|
// Re-export for external consumers
|
|
40
40
|
export { AxonFlowClient } from "./axonflow-client.js";
|
|
41
41
|
export { resolveConfig, shouldGovernTool } from "./config.js";
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@axonflow/openclaw",
|
|
3
|
-
"version": "2.0.
|
|
3
|
+
"version": "2.0.7",
|
|
4
4
|
"description": "Policy enforcement, approval gates, and audit trails for OpenClaw — govern tool inputs before execution, scan outbound messages for PII/secrets, and record agent activity for review and compliance",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "dist/index.js",
|