@axonflow/openclaw 2.0.6 → 2.0.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +62 -0
- package/dist/index.d.ts +1 -1
- package/dist/index.js +1 -1
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,67 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## [2.0.8] - 2026-05-02 — Drop tarball arg; v0.12.0 only supports folder upload
|
|
4
|
+
|
|
5
|
+
v2.0.7 attempted CLI pin v0.12.0 + tarball arg and got `Error: Path must be a folder` from the publisher — tarball-arg support is a v0.12.1+ feature. The publish-clawhub job failed; v2.0.7 is on npm but never registered on ClawHub.
|
|
6
|
+
|
|
7
|
+
Falling back to the v2.0.4 baseline: CLI v0.12.0 + folder upload (Legacy ZIP). This is the only proven-working combination on ClawHub right now. Re-introduces the "Legacy ZIP" badge on the install page; install path works.
|
|
8
|
+
|
|
9
|
+
### Changed
|
|
10
|
+
|
|
11
|
+
- **`.github/workflows/publish.yml` `publish-clawhub` step uses folder upload** (`clawhub package publish .`). Identical to the v2.0.4 publish step; CLI pin from v2.0.7 retained.
|
|
12
|
+
|
|
13
|
+
### Carried forward (unchanged from v2.0.7)
|
|
14
|
+
|
|
15
|
+
- `clawhub@0.12.0` pin in `Install ClawHub CLI` step
|
|
16
|
+
- `verify-clawhub-install` CI smoke job
|
|
17
|
+
- `@anthropic-ai/sdk` `>=0.91.1` override
|
|
18
|
+
- `permissions: contents: read` on heartbeat-real-stack workflow
|
|
19
|
+
|
|
20
|
+
### Upstream regression and follow-up
|
|
21
|
+
|
|
22
|
+
The underlying issue is in `clawhub` CLI v0.12.1+: published artifacts register as `npm-pack (tgz)` with bytes that don't match the recorded SHA-256, which breaks `openclaw plugins install` regardless of whether you upload a folder or a tarball. We've reproduced the failure across both upload modes on v0.12.1 and confirmed v0.12.0 still works for folder uploads. Once ClawHub addresses the v0.12.1+ regression upstream, we'll revisit the ClawPack tarball publish path and drop the Legacy ZIP badge.
|
|
23
|
+
|
|
24
|
+
### Registry-state asymmetry
|
|
25
|
+
|
|
26
|
+
The release train this afternoon left npm and ClawHub in slightly different states:
|
|
27
|
+
|
|
28
|
+
- **npm** has `2.0.5`, `2.0.6`, `2.0.7`, `2.0.8` (each version's `publish` job succeeded; npm publish is independent of ClawHub publish).
|
|
29
|
+
- **ClawHub** has `2.0.5`, `2.0.6`, `2.0.8` (v2.0.7's `publish-clawhub` job failed mid-workflow with `Error: Path must be a folder`, so v2.0.7 was never registered on ClawHub).
|
|
30
|
+
|
|
31
|
+
For most users on `@latest` this is invisible — both registries point at v2.0.8. Anyone explicitly pinning `clawhub:@axonflow/openclaw@2.0.7` will hit "version not found"; in that case, either pin to `2.0.8` or drop the version pin entirely.
|
|
32
|
+
|
|
33
|
+
### Upgrade
|
|
34
|
+
|
|
35
|
+
`openclaw plugins install @axonflow/openclaw@latest`. If you tried v2.0.5, v2.0.6, or v2.0.7 and hit any install error, retry — v2.0.8 should resolve cleanly.
|
|
36
|
+
|
|
37
|
+
---
|
|
38
|
+
|
|
39
|
+
## [2.0.7] - 2026-05-02 — Pin ClawHub CLI to v0.12.0 + restore ClawPack publish + add ClawHub install smoke
|
|
40
|
+
|
|
41
|
+
v2.0.6 reverted to folder upload to escape v2.0.5's broken-install state but the install was **still broken** with a different error (`ClawHub archive contents do not match files[] metadata for "@axonflow/openclaw@2.0.6": missing "package.json"`). Both broken versions used `clawhub` CLI v0.12.1, which was published 2026-05-02 20:50 UTC — about two hours before our v2.0.5 ship.
|
|
42
|
+
|
|
43
|
+
v2.0.4 (last known-good install) was published 2026-04-30 with `clawhub` CLI v0.12.0 and still installs cleanly. The regression is in CLI v0.12.1's publish pipeline: regardless of whether you pass a folder or a tarball, the resulting artifact registers as `npm-pack (tgz)` with bytes that don't match the SHA-256 ClawHub records — breaking the install path.
|
|
44
|
+
|
|
45
|
+
### Changed
|
|
46
|
+
|
|
47
|
+
- **Pin `clawhub@0.12.0` in `.github/workflows/publish.yml`.** `npm install -g clawhub` (unpinned) was always pulling latest, which is why the regression hit on the next publish after v0.12.1 shipped. The pin holds until ClawHub fixes the upstream regression in v0.12.1+.
|
|
48
|
+
- **Restore ClawPack tarball publish path.** With CLI pinned to v0.12.0, `clawhub package publish ./<tarball>.tgz` returns to producing a publishable ClawPack artifact. Re-earns the ClawPack badge on the install page. If install still breaks despite the pin, v2.0.8 will revert to folder upload (Legacy ZIP).
|
|
49
|
+
|
|
50
|
+
### Added
|
|
51
|
+
|
|
52
|
+
- **`verify-clawhub-install` job in `publish.yml`.** Runs `openclaw plugins install clawhub:@axonflow/openclaw@<version>` against the just-published version and fails the workflow if install errors. v2.0.5 + v2.0.6 both shipped to ClawHub successfully and `verify-publish` (which only checks npm propagation) reported success — but adopters could not install. This job closes the gap so future regressions in the ClawHub install path surface in CI within ~3 minutes of tag rather than via adopter reports.
|
|
53
|
+
|
|
54
|
+
### Carried forward from v2.0.5/v2.0.6 (unchanged)
|
|
55
|
+
|
|
56
|
+
- `@anthropic-ai/sdk` `>=0.91.1` override remains in `package.json` (closes the moderate GHSA on insecure default file permissions).
|
|
57
|
+
- Explicit `permissions: contents: read` remains on the `Heartbeat Real-Stack E2E` workflow (CodeQL parity).
|
|
58
|
+
|
|
59
|
+
### Upgrade
|
|
60
|
+
|
|
61
|
+
`openclaw plugins install @axonflow/openclaw@latest`. If you were stuck on v2.0.5 or v2.0.6 with `ClawHub archive integrity mismatch` or `missing "package.json"` errors, retry — v2.0.7 should resolve cleanly via the pinned CLI's ClawPack path.
|
|
62
|
+
|
|
63
|
+
---
|
|
64
|
+
|
|
3
65
|
## [2.0.6] - 2026-05-02 — Revert ClawPack publish path (v2.0.5 was uninstallable via ClawHub)
|
|
4
66
|
|
|
5
67
|
v2.0.5 switched the ClawHub publish artifact from folder upload (Legacy ZIP) to the `npm-pack` tarball (ClawPack). That triggered two ClawHub-side regressions specific to the ClawPack handling path that left v2.0.5 unusable for adopters:
|
package/dist/index.d.ts
CHANGED
|
@@ -25,7 +25,7 @@
|
|
|
25
25
|
* for async hook support.
|
|
26
26
|
*/
|
|
27
27
|
/** Plugin version — update before each release. */
|
|
28
|
-
export declare const VERSION = "2.0.
|
|
28
|
+
export declare const VERSION = "2.0.8";
|
|
29
29
|
export { AxonFlowClient } from "./axonflow-client.js";
|
|
30
30
|
export type { AxonFlowPluginConfig } from "./config.js";
|
|
31
31
|
export { resolveConfig, shouldGovernTool } from "./config.js";
|
package/dist/index.js
CHANGED
|
@@ -35,7 +35,7 @@ import { bootstrapCommunitySaas } from "./community-saas-bootstrap.js";
|
|
|
35
35
|
import { resetMetrics } from "./metrics.js";
|
|
36
36
|
import { runPluginVersionCheck } from "./plugin-version-check.js";
|
|
37
37
|
/** Plugin version — update before each release. */
|
|
38
|
-
export const VERSION = "2.0.
|
|
38
|
+
export const VERSION = "2.0.8";
|
|
39
39
|
// Re-export for external consumers
|
|
40
40
|
export { AxonFlowClient } from "./axonflow-client.js";
|
|
41
41
|
export { resolveConfig, shouldGovernTool } from "./config.js";
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@axonflow/openclaw",
|
|
3
|
-
"version": "2.0.
|
|
3
|
+
"version": "2.0.8",
|
|
4
4
|
"description": "Policy enforcement, approval gates, and audit trails for OpenClaw — govern tool inputs before execution, scan outbound messages for PII/secrets, and record agent activity for review and compliance",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "dist/index.js",
|