vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-06 14:20:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(plugins): warn on install source package drift

Browse Source 
Warn when provider or channel catalog package identity drifts from openclaw.install.npmSpec while keeping compatible catalogs non-fatal.
This commit is contained in:
Vincent Koc
2026-04-24 09:31:40 -07:00
committed by GitHub
parent 90877e0d42
commit 4d1ee3a73e
9 changed files with 162 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
docs/plugins/architecture-internals.md
View File

@@ -888,12 +888,14 @@ Generated channel catalog entries and provider install catalog entries expose
normalized install-source facts next to the raw `openclaw.install` block. The
normalized facts identify whether the npm spec is an exact version or floating
selector, whether expected integrity metadata is present, and whether a local
source path is also available. They also warn when `defaultChoice` is invalid
or points at a source that is not available, and when npm integrity metadata is
present without a valid npm source. Consumers should treat `installSource` as
an additive optional field so older hand-built entries and compatibility shims
do not have to synthesize it. This lets onboarding and diagnostics explain
source-plane state without importing plugin runtime.
source path is also available. When the catalog/package identity is known, the
normalized facts warn if the parsed npm package name drifts from that identity.
They also warn when `defaultChoice` is invalid or points at a source that is
not available, and when npm integrity metadata is present without a valid npm
source. Consumers should treat `installSource` as an additive optional field so
older hand-built entries and compatibility shims do not have to synthesize it.
This lets onboarding and diagnostics explain source-plane state without
importing plugin runtime.
Official external npm entries should prefer an exact `npmSpec` plus
`expectedIntegrity`. Bare package names and dist-tags still work for

7
docs/plugins/manifest.md
View File

@@ -596,9 +596,10 @@ entries should pair exact specs with `expectedIntegrity` so update flows fail
closed if the fetched npm artifact no longer matches the pinned release.
Interactive onboarding still offers trusted registry npm specs, including bare
package names and dist-tags, for compatibility. Catalog diagnostics can
distinguish exact, floating, integrity-pinned, missing-integrity, and invalid
default-choice sources. They also warn when `expectedIntegrity` is present but
there is no valid npm source it can pin. When `expectedIntegrity` is present,
distinguish exact, floating, integrity-pinned, missing-integrity, package-name
mismatch, and invalid default-choice sources. They also warn when
`expectedIntegrity` is present but there is no valid npm source it can pin.
When `expectedIntegrity` is present,
install/update flows enforce it; when it is omitted, the registry resolution is
recorded without an integrity pin.