fix(package): accept uppercase artifact digests

scripts/resolve-openclaw-package-candidate.mjs

@@ -376,7 +376,7 @@ async function sha256(file) {
 }
 
 function assertSha256(value) {
-  if (!/^[a-f0-9]{64}$/u.test(value)) {
+  if (!/^[a-f0-9]{64}$/iu.test(value)) {
     throw new Error(`package_sha256 must be a lowercase or uppercase 64-character SHA-256 digest`);
   }
 }
@@ -393,6 +393,8 @@ async function assertExpectedSha256(file, expected) {
   return actual;
 }
 
+export const assertExpectedSha256ForTest = assertExpectedSha256;
+
 async function findSingleTarball(dir) {
   const root = path.resolve(ROOT_DIR, dir);
   const pending = [root];

test/scripts/resolve-openclaw-package-candidate.test.ts

@@ -8,6 +8,7 @@ import { pathToFileURL } from "node:url";
 import { afterEach, describe, expect, it } from "vitest";
 import {
   ARTIFACT_TARBALL_SCAN_MAX_ENTRIES,
+  assertExpectedSha256ForTest,
   cleanupPackageSourceWorktreeForTest,
   cleanPackedOpenClawTarballsForTest,
   downloadUrl,
@@ -1020,6 +1021,16 @@ describe("resolve-openclaw-package-candidate", () => {
     });
   });
 
+  it("accepts uppercase package artifact SHA-256 metadata", async () => {
+    const dir = await mkdtemp(path.join(tmpdir(), "openclaw-package-sha-"));
+    tempDirs.push(dir);
+    const file = path.join(dir, "openclaw.tgz");
+    await writeFile(file, "openclaw package bytes");
+    const digest = "ae0b98d18c80dbf9447fa48560a139195595db2d337ad33421ca2183b0dd3e99";
+
+    await expect(assertExpectedSha256ForTest(file, digest.toUpperCase())).resolves.toBe(digest);
+  });
+
   it("rejects source artifact scans that exceed the filesystem entry limit", async () => {
     const dir = await mkdtemp(path.join(tmpdir(), "openclaw-package-artifact-scan-"));
     tempDirs.push(dir);