fix(plugins): warn on orphan install integrity (#71163)

This commit is contained in:
Vincent Koc
2026-04-24 09:01:15 -07:00
committed by GitHub
parent 5dfc1b90e1
commit bbe0234720
5 changed files with 40 additions and 8 deletions


@@ -889,10 +889,11 @@ normalized install-source facts next to the raw `openclaw.install` block. The
normalized facts identify whether the npm spec is an exact version or floating
selector, whether expected integrity metadata is present, and whether a local
source path is also available. They also warn when `defaultChoice` is invalid
or points at a source that is not available. Consumers should treat
`installSource` as an additive optional field so older hand-built entries and
compatibility shims do not have to synthesize it. This lets onboarding and
diagnostics explain source-plane state without importing plugin runtime.
or points at a source that is not available, and when npm integrity metadata is
present without a valid npm source. Consumers should treat `installSource` as
an additive optional field so older hand-built entries and compatibility shims
do not have to synthesize it. This lets onboarding and diagnostics explain
source-plane state without importing plugin runtime.
Official external npm entries should prefer an exact `npmSpec` plus
`expectedIntegrity`. Bare package names and dist-tags still work for
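Review bot: The added clause "and when npm integrity metadata is present without a valid npm source" does not define what makes an npm source valid, and it does not say how a consumer should read the existing "expected integrity metadata is present" fact once this warning is raised. A consumer that keys only on integrity being present could report an entry as pinned when there is nothing for the hash to pin. Suggest stating the condition explicitly (for example, whether it covers a missing `npmSpec`, an unparseable one, or both) and adding a sentence that an entry carrying this warning must not be treated as integrity-pinned.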


@@ -597,9 +597,10 @@ closed if the fetched npm artifact no longer matches the pinned release.
Interactive onboarding still offers trusted registry npm specs, including bare
package names and dist-tags, for compatibility. Catalog diagnostics can
distinguish exact, floating, integrity-pinned, missing-integrity, and invalid
default-choice sources. When `expectedIntegrity` is present, install/update
flows enforce it; when it is omitted, the registry resolution is recorded
without an integrity pin.
default-choice sources. They also warn when `expectedIntegrity` is present but
there is no valid npm source it can pin. When `expectedIntegrity` is present,
install/update flows enforce it; when it is omitted, the registry resolution is
recorded without an integrity pin.
Channel plugins should provide `openclaw.setupEntry` when status, channel list,
or SecretRef scans need to identify configured accounts without loading the full
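Review bot: The new sentence about `expectedIntegrity` being present with "no valid npm source it can pin" is followed directly by the unchanged statement "When `expectedIntegrity` is present, install/update flows enforce it", and the two read as conflicting for the orphan case, since there is no npm artifact to check the hash against. Suggest qualifying the second sentence to "When `expectedIntegrity` is present alongside a valid npm source" and documenting what install/update does with an orphan value (ignored with a warning, or rejected). The list of diagnostic states ("exact, floating, integrity-pinned, missing-integrity, and invalid default-choice") would also be clearer if the new state were named in it rather than described in a separate sentence.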