npm - @formthefog/stratus - Versions diffs - 2026.2.20 → 2026.2.24 - Mend

@formthefog/stratus 2026.2.20 → 2026.2.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/.github/workflows/publish.yml +28 -0
package/README.md +63 -0
package/SECURITY.md +74 -0
package/package.json +1 -1

package/.github/workflows/publish.yml ADDED Viewed

@@ -0,0 +1,28 @@
+name: Publish to npm
+on:
+  push:
+    tags:
+      - 'v*'
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    environment: npm-publish
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+      - run: npm install -g npm@latest
+      - run: npm ci
+      - run: npm publish --provenance --access public

package/README.md CHANGED Viewed

@@ -16,6 +16,8 @@ Integrate Stratus V3 (X1-AC), a state-of-the-art action-conditioned JEPA (Joint-
 - **Secure**: API key authentication with automatic validation
 - **Opt-in Tools**: Tools are optional and require explicit allowlisting
+> See [SECURITY.md](./SECURITY.md) for a full accounting of credentials accessed, network calls made, and files written.
 ## Support
 - **Documentation**: [https://stratus.run/docs](https://stratus.run/docs)
@@ -28,6 +30,19 @@ Integrate Stratus V3 (X1-AC), a state-of-the-art action-conditioned JEPA (Joint-
 > **Note:** This plugin does NOT have an automatic postinstall script. You must run setup manually.
+**Before you begin**, export your Stratus API key. Get one at [stratus.run](https://stratus.run).
+```bash
+export STRATUS_API_KEY=stratus_sk_your_key_here
+```
+To persist it across sessions, add it to your shell config:
+```bash
+echo 'export STRATUS_API_KEY=stratus_sk_your_key_here' >> ~/.zshrc
+source ~/.zshrc
+```
 ```bash
 # 1. Install the plugin
 openclaw plugins install @formthefog/stratus
@@ -52,6 +67,54 @@ openclaw plugins install @formthefog/stratus
 ---
+## Using the API directly
+Stratus is drop-in compatible with OpenAI and Anthropic SDKs. Just change the `baseURL` and use your `STRATUS_API_KEY`.
+**OpenAI SDK (TypeScript)**
+```typescript
+import OpenAI from 'openai';
+const client = new OpenAI({
+  baseURL: 'https://api.stratus.run/v1',
+  apiKey: process.env.STRATUS_API_KEY
+});
+const response = await client.chat.completions.create({
+  model: 'stratus-x1ac-base-claude-sonnet-4-5',
+  messages: [{ role: 'user', content: 'Plan a route through 20 cities' }]
+});
+```
+**Anthropic SDK (TypeScript)**
+```typescript
+import Anthropic from '@anthropic-ai/sdk';
+const client = new Anthropic({
+  baseURL: 'https://api.stratus.run/v1',
+  apiKey: process.env.STRATUS_API_KEY
+});
+const response = await client.messages.create({
+  model: 'stratus-x1ac-base-claude-sonnet-4-5',
+  max_tokens: 1024,
+  messages: [{ role: 'user', content: 'Plan a route through 20 cities' }]
+});
+```
+**cURL**
+```bash
+curl https://api.stratus.run/v1/chat/completions \
+  -H "Content-Type: application/json" \
+  -H "Authorization: Bearer $STRATUS_API_KEY" \
+  -d '{
+    "model": "stratus-x1ac-base-claude-sonnet-4-5",
+    "messages": [{ "role": "user", "content": "Plan a route through 20 cities" }]
+  }'
+```
+---
 ## Available Commands
 Use these slash commands in any OpenClaw chat (TUI, Telegram, Discord, etc.):

package/SECURITY.md ADDED Viewed

@@ -0,0 +1,74 @@
+# Security Policy
+## What This Plugin Does
+`@formthefog/stratus` is an OpenClaw plugin that integrates the Stratus X1 world model API. This document provides a transparent accounting of all security-relevant behavior.
+---
+## Credentials
+**What is accessed:**
+- `STRATUS_API_KEY` — read from environment or OpenClaw config (`plugins.stratus.apiKey`)
+**What is validated:**
+- Key must be present before any network call is made
+- Key must match the format `stratus_sk_*` — requests with malformed keys are rejected locally, no network call is made
+**What is written to disk:**
+- During setup, the API key is stored in `~/.openclaw/agents/main/agent/auth-profiles.json`
+- This is the standard OpenClaw credential store, equivalent in scope to `~/.aws/credentials` or `~/.npmrc`
+- A timestamped backup of any existing file is created before writing
+- The key is never logged, printed, or written anywhere else by this plugin
+**What is never accessed:**
+- `~/.ssh` or any SSH keys or known_hosts — nothing in this plugin reads or touches SSH paths
+- Other environment variables beyond `STRATUS_API_KEY`, `STRATUS_BASE_URL`, and `SHELL`
+- Browser storage, keychains, or system credential managers
+---
+## Network
+**Outbound endpoints:**
+| Endpoint | When | What is sent |
+|---|---|---|
+| `https://api.stratus.run/v1/embeddings` | `stratus_embeddings` tool call | `Authorization: Bearer <key>`, text input |
+| `https://api.stratus.run/v1/rollout` | `stratus_rollout` tool call | `Authorization: Bearer <key>`, goal + state |
+**What is never done:**
+- No calls to any endpoint other than `api.stratus.run`
+- No telemetry, analytics, or usage reporting
+- No data is sent to third parties
+- All connections are HTTPS-only
+Data handling is governed by the [Stratus privacy policy](https://stratus.run/privacy).
+---
+## File System
+**Files read during setup/verify:**
+- `~/.openclaw/openclaw.json` — OpenClaw's own config, to add the Stratus provider entry
+- `~/.openclaw/agents/main/agent/auth-profiles.json` — OpenClaw's own auth store, to add Stratus credentials
+- `~/Library/LaunchAgents/ai.openclaw.gateway.plist` — macOS only, if the user explicitly opts in during `install.sh`
+**Files written during setup:**
+- Same paths as above, plus timestamped `.backup-*` copies before any modification
+- Optionally appends `export STRATUS_API_KEY=...` to `~/.zshrc` / `~/.bashrc` / `~/.bash_profile` — only when the user explicitly answers `y` at the prompt
+**What is never touched:**
+- No files outside `~/.openclaw/`, the shell config the user selects, or the LaunchAgent plist
+- No `/etc/`, `/usr/`, `/Library/` (system paths)
+- No other dotfiles or home directory contents
+---
+## Reporting a Vulnerability
+If you discover a security issue, please report it privately:
+- Email: security@stratus.run
+- GitHub: [open a private security advisory](https://github.com/formthefog/openclaw-stratus-x1-plugin/security/advisories/new)
+Please do not open a public issue for security vulnerabilities. We aim to respond within 72 hours.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@formthefog/stratus",
-  "version": "2026.2.20",
+  "version": "2026.2.24",
   "description": "Stratus API integration for OpenClaw - action-conditioned JEPA for autonomous agent planning",
   "keywords": [
     "agent",