vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 12:40:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(plugins): require provenance for official npm trust

Browse Source 
Require OpenClaw-owned install provenance before granting official npm plugin scanner trust. Direct npm package names now scan normally; catalog, onboarding, and doctor paths pass explicit provenance.\n\nValidation:\n- pnpm test:serial src/plugins/install.npm-spec.test.ts src/cli/plugins-cli.install.test.ts src/commands/onboarding-plugin-install.test.ts src/commands/doctor/shared/missing-configured-plugin-install.test.ts src/channels/plugins/contracts/channel-catalog.contract.test.ts src/commands/auth-choice.apply.plugin-provider.test.ts\n- pnpm test:serial src/plugins/install.test.ts src/plugins/provider-auth-choices.test.ts src/plugins/provider-install-catalog.test.ts src/commands/channel-setup/plugin-install.test.ts\n- pnpm exec oxfmt --check --threads=1 ...\n- node scripts/run-oxlint.mjs ...\n- Crabbox cbx_6157440c9bbe / run_cbd813956eed: pnpm check:changed passed\n\nThanks @fede-kamel and @vincentkoc.
This commit is contained in:
Vincent Koc
2026-05-02 23:30:45 -07:00
committed by GitHub
parent f249b1c6df
commit 2a22eb68aa
13 changed files with 122 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/cli/plugins-cli.install.test.ts
View File

@@ -675,6 +675,7 @@ describe("plugins cli install", () => {
expect.objectContaining({
spec: "@openclaw/brave-plugin",
expectedPluginId: "brave",
trustedSourceLinkedOfficialInstall: true,
}),
);
expect(writePersistedInstalledPluginIndexInstallRecords).toHaveBeenCalledWith({
@@ -708,6 +709,7 @@ describe("plugins cli install", () => {
expectedPluginId: "wecom",
expectedIntegrity:
"sha512-bnzfdIEEu1/LFvcdyjaTkyxt27w6c7dqhkPezU62OWaqmcdFsUGR3T55USK/O9pIKsNcnL1Tnu1pqKYCWHFgWQ==",
trustedSourceLinkedOfficialInstall: true,
}),
);
});
@@ -728,6 +730,11 @@ describe("plugins cli install", () => {
await expect(runPluginsCommand(["plugins", "install", "wecom"])).rejects.toThrow("__exit__:1");
expect(installPluginFromNpmSpec).toHaveBeenCalledWith(
expect.objectContaining({
trustedSourceLinkedOfficialInstall: true,
}),
);
expect(installHooksFromNpmSpec).toHaveBeenCalledWith(
expect.objectContaining({
spec: "@wecom/wecom-openclaw-plugin@2026.4.23",
@@ -845,6 +852,11 @@ describe("plugins cli install", () => {
expectedPluginId: "brave",
}),
);
expect(installPluginFromNpmSpec).toHaveBeenCalledWith(
expect.not.objectContaining({
trustedSourceLinkedOfficialInstall: true,
}),
);
expect(installPluginFromClawHub).not.toHaveBeenCalled();
});