feat(plugins): expose install source facts

* feat(plugins): expose install source facts * fix(plugins): normalize install integrity facts * fix(plugins): guard install source string fields * fix(plugins): keep install source facts additive
2026-05-06 10:50:44 +00:00 · 2026-04-23 23:21:43 -07:00
parent b588b5a230
commit 37c37eecfb
8 changed files with 317 additions and 4 deletions
--- a/docs/plugins/architecture-internals.md
+++ b/docs/plugins/architecture-internals.md
@@ -884,6 +884,20 @@ Or point `OPENCLAW_PLUGIN_CATALOG_PATHS` (or `OPENCLAW_MPM_CATALOG_PATHS`) at
 one or more JSON files (comma/semicolon/`PATH`-delimited). Each file should
 contain `{ "entries": [ { "name": "@scope/pkg", "openclaw": { "channel": {...}, "install": {...} } } ] }`. The parser also accepts `"packages"` or `"plugins"` as legacy aliases for the `"entries"` key.

+Generated channel catalog entries and provider install catalog entries expose
+normalized install-source facts next to the raw `openclaw.install` block. The
+normalized facts identify whether the npm spec is an exact version or floating
+selector, whether expected integrity metadata is present, and whether a local
+source path is also available. Consumers should treat `installSource` as an
+additive optional field so older hand-built entries and compatibility shims do
+not have to synthesize it. This lets onboarding and diagnostics explain
+source-plane state without importing plugin runtime.
+
+Official external npm entries should prefer an exact `npmSpec` plus
+`expectedIntegrity`. Bare package names and dist-tags still work for
+compatibility, but they surface source-plane warnings so the catalog can move
+toward pinned, integrity-checked installs without breaking existing plugins.
+
 ## Context engine plugins

 Context engine plugins own session context orchestration for ingest, assembly,
--- a/docs/plugins/manifest.md
+++ b/docs/plugins/manifest.md
@@ -591,10 +591,12 @@ registry loading. Invalid values are rejected; newer-but-valid values skip the
 plugin on older hosts.

 Exact npm version pinning already lives in `npmSpec`, for example
-`"npmSpec": "@wecom/wecom-openclaw-plugin@1.2.3"`. Pair that with
-`expectedIntegrity` when you want update flows to fail closed if the fetched
-npm artifact no longer matches the pinned release. Interactive onboarding
-offers trusted registry npm specs, including bare package names and dist-tags.
+`"npmSpec": "@wecom/wecom-openclaw-plugin@1.2.3"`. Official external catalog
+entries should pair exact specs with `expectedIntegrity` so update flows fail
+closed if the fetched npm artifact no longer matches the pinned release.
+Interactive onboarding still offers trusted registry npm specs, including bare
+package names and dist-tags, for compatibility. Catalog diagnostics can
+distinguish exact, floating, integrity-pinned, and missing-integrity sources.
 When `expectedIntegrity` is present, install/update flows enforce it; when it
 is omitted, the registry resolution is recorded without an integrity pin.