fix(plugins): require provenance for official npm trust

Require OpenClaw-owned install provenance before granting official npm plugin scanner trust. Direct npm package names now scan normally; catalog, onboarding, and doctor paths pass explicit provenance.

Validation:
- pnpm test:serial src/plugins/install.npm-spec.test.ts src/cli/plugins-cli.install.test.ts src/commands/onboarding-plugin-install.test.ts src/commands/doctor/shared/missing-configured-plugin-install.test.ts src/channels/plugins/contracts/channel-catalog.contract.test.ts src/commands/auth-choice.apply.plugin-provider.test.ts
- pnpm test:serial src/plugins/install.test.ts src/plugins/provider-auth-choices.test.ts src/plugins/provider-install-catalog.test.ts src/commands/channel-setup/plugin-install.test.ts
- pnpm exec oxfmt --check --threads=1 ...
- node scripts/run-oxlint.mjs ...
- Crabbox cbx_6157440c9bbe / run_cbd813956eed: pnpm check:changed passed

Thanks @fede-kamel and @vincentkoc.
This commit is contained in:
Vincent Koc
2026-05-02 23:30:45 -07:00
committed by GitHub
parent f249b1c6df
commit 2a22eb68aa
13 changed files with 122 additions and 39 deletions


@@ -279,6 +279,7 @@ async function tryInstallPluginOrHookPackFromNpmSpec(params: {
extensionsDir: string;
expectedPluginId?: string;
expectedIntegrity?: string;
trustedSourceLinkedOfficialInstall?: boolean;
runtime?: RuntimeEnv;
}): Promise<{ ok: true } | { ok: false }> {
const result = await installPluginFromNpmSpec({
@@ -287,6 +288,9 @@ async function tryInstallPluginOrHookPackFromNpmSpec(params: {
spec: params.spec,
...(params.expectedPluginId ? { expectedPluginId: params.expectedPluginId } : {}),
...(params.expectedIntegrity ? { expectedIntegrity: params.expectedIntegrity } : {}),
...(params.trustedSourceLinkedOfficialInstall
? { trustedSourceLinkedOfficialInstall: true }
: {}),
extensionsDir: params.extensionsDir,
logger: createPluginInstallLogger(params.runtime),
});
@@ -787,6 +791,7 @@ export async function runPluginInstallCommand(params: {
extensionsDir,
expectedPluginId: officialExternalPlan.pluginId,
expectedIntegrity: officialExternalPlan.expectedIntegrity,
trustedSourceLinkedOfficialInstall: true,
runtime,
});
if (!npmResult.ok) {
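Review bot: The new `trustedSourceLinkedOfficialInstall?: boolean` parameter in the first hunk (`tryInstallPluginOrHookPackFromNpmSpec`, at `@@ -279,6 +279,7`) is a trust-granting flag with no doc comment, so a future caller cannot tell what it attests or who is allowed to set it. I would add above it: `/** Caller attests that `spec` was resolved from an OpenClaw-owned plan/catalog rather than from user input; setting it grants official-npm scanner trust, so only pass it from provenance-checked paths. */`. In the third hunk the flag is set to `true` next to `expectedIntegrity: officialExternalPlan.expectedIntegrity`; if that plan field can be undefined (not visible here), consider whether trust should still be granted without an integrity pin. Both the parameter object and `runPluginInstallCommand` start and end outside the shown hunks.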