@kilocode/openclaw-security-advisor - npm Package Compare versions

Comparing version 0.1.0-dev.4 to 0.1.0-dev.5

CHANGELOG.md (+1 -0)

@@ -12,2 +12,3 @@ # Changelog

- First-time device auth no longer triggers a brief gateway restart after the token is captured. The plugin now registers `reload.noopPrefixes` for `plugins.entries.openclaw-security-advisor.config.authToken`, so the SecretRef patch written to `openclaw.json` after device auth is classified as a noop by the gateway reload planner instead of falling through to the default `plugins.* → restart` rule. The security checkup report is returned in the same response with no connection interruption. Scope is intentionally limited to the `authToken` field — `apiBaseUrl` and other config changes still take effect via the normal restart path.
- Release workflow: consolidated post-publish git/GitHub operations into a single atomic step with retries, eliminating a race condition where the version bump commit and tag could be pushed separately. Registry verification is now informational-only and never blocks tag/release steps.
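Review bot: the second added bullet makes registry verification "informational-only and never blocks tag/release steps", but does not say how a mismatch between what the registry actually serves and the tag being cut is surfaced. From a supply-chain standpoint a tag and GitHub release that do not correspond to a published artifact is exactly the state an operator needs to notice, so the entry should name the signal (a workflow warning, a failed-but-continued step, an annotation on the release) and why non-blocking was preferred over retrying the verification. Separately, the first bullet could state in one clause that `api.pluginConfig.authToken` is not refreshed in the running gateway after the noop-classified patch, since readers may otherwise assume the config value is live.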

@@ -14,0 +15,0 @@ - Release workflow: added a `Reconcile latest dist-tag` step that automatically repoints `npm dist-tags.latest` back to the highest stable version after a dev publish, preventing npm's first-publish auto-assign behavior from routing plain `npm install` users to a prerelease.
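Review bot: the `Reconcile latest dist-tag` step repoints `latest` after the dev publish has already happened, so there is a window between the publish and the reconcile in which plain `npm install` resolves to the prerelease. Publishing prereleases with `npm publish --tag dev` (or another non-`latest` tag) avoids assigning `latest` in the first place and turns the reconcile step into a backstop rather than the primary control; the changelog could note which of the two the workflow relies on.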

@@ -297,2 +297,22 @@ import { definePluginEntry } from "openclaw/plugin-sdk/plugin-entry";

"Run a security checkup of your OpenClaw instance and get an expert analysis report from KiloCode.",
// The gateway reload planner classifies any change under `plugins.*`
// as `kind: "restart"` by default. writeStoredToken() patches
// plugins.entries.openclaw-security-advisor.config.authToken with a
// SecretRef after device auth, which would force a full gateway
// restart on first-time token capture. Plugin-registered reload
// rules are evaluated before the base rules (first-match wins), so
// declaring just the authToken path as a noop shadows the base
// restart rule for that one field without affecting anything else.
//
// Scope is intentionally narrow — only `.config.authToken`, NOT the
// full `.config` subtree. `apiBaseUrl` is captured as a snapshot in
// register() (see `pluginConfig` below), so runtime updates to it
// still need to fall through to the base `plugins.* → restart` rule
// to take effect. The plugin reads the token directly from disk via
// readTokenFromFile() on every invocation, so authToken noop is safe.
reload: {
noopPrefixes: [
"plugins.entries.openclaw-security-advisor.config.authToken",
],
},
// The SDK's OpenClawPluginApi type is large and internal. We narrow
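Review bot: the noop prefix at `"plugins.entries.openclaw-security-advisor.config.authToken"` is a hardcoded string that embeds the plugin id; if the id the gateway registers the entry under ever differs from this literal (rename, scoped id, typo) the rule silently fails to match and the base `plugins.* → restart` rule comes back with nothing failing loudly. Build the prefix from the same id constant used for registration, and add a test that feeds that exact path to the reload planner and asserts `noop`, which also pins the two assumptions the comment relies on (plugin rules are evaluated before base rules, first match wins) rather than leaving them as prose. The safety argument in the comment ("the plugin reads the token directly from disk via readTokenFromFile() on every invocation") deserves the same treatment: a test that the checkup path never reads `api.pluginConfig.authToken` would keep a future refactor from reintroducing a stale in-memory token.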

@@ -299,0 +319,0 @@ // to our own structural PluginApi (declared above) immediately on

+1
-1
{
"name": "@kilocode/openclaw-security-advisor",
"version": "0.1.0-dev.4",
"version": "0.1.0-dev.5",
"type": "module",

@@ -5,0 +5,0 @@ "license": "MIT",

@@ -128,7 +128,2 @@ # @kilocode/openclaw-security-advisor

> **Note:** after the token is saved, OpenClaw briefly reloads to apply
> the new credential. You'll see a short connection blip in the chat
> UI. This is expected and only happens on first auth. Subsequent
> checkups run instantly without any reload.
For every run after the first, no auth prompt appears. The saved token
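Review bot: removing the "short connection blip" note is correct for first-time auth, but the README now says nothing about the case the CHANGELOG explicitly keeps on the restart path: editing other plugin config fields such as `apiBaseUrl` still restarts the gateway. One sentence after "The saved token is reused automatically." along the lines of "Changing other plugin settings (for example `apiBaseUrl`) still triggers a gateway restart." would stop operators from filing the restart they will see as a regression of this fix.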

@@ -135,0 +130,0 @@ is reused automatically.

@@ -56,5 +56,14 @@ import { mkdir, readFile, unlink, writeFile } from "node:fs/promises";

*
* This triggers one gateway restart. On restart, OpenClaw resolves the
* SecretRef → api.pluginConfig.authToken = the token string, available
* in the plugin closure forever after.
* The config write does NOT trigger a gateway restart: the plugin
* declares `reload.noopPrefixes` for
* `plugins.entries.<id>.config.authToken` in index.ts, which shadows
* the gateway reload planner's default `plugins.* → restart` rule for
* just that one field. Other `.config.*` fields (e.g. `apiBaseUrl`)
* intentionally still hit the default restart rule so runtime edits
* take effect. The plugin reads the token directly from the secrets
* file via readTokenFromFile() on every invocation, so no hot-resolve
* of api.pluginConfig.authToken is needed — the SecretRef in
* openclaw.json exists for discoverability (so operators inspecting
* config can see where the token lives) and to align with openclaw's
* SecretRef direction.
*/
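Review bot: the new comment establishes that the SecretRef in `openclaw.json` is discoverability-only and that `readTokenFromFile()` is the real source on every invocation, but it does not spell out the consequence: an operator who rotates or revokes the credential by editing that SecretRef (the very path the noop rule now covers) changes nothing the plugin uses, and the two can drift apart with no restart and no warning. State plainly that the secrets file written by `writeStoredToken()` is the single source of truth, and document what `readTokenFromFile()` does when that file is missing or unreadable (re-prompt for device auth, or fail the checkup), since the removed text's "available in the plugin closure forever after" guarantee no longer applies and the per-invocation read is now the only failure point.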

@@ -61,0 +70,0 @@ export async function writeStoredToken(

@@ -18,2 +18,16 @@ /**

/**
* Subset of the SDK's OpenClawPluginReloadRegistration. Entries here let a
* plugin override the gateway reload planner's default classification for
* specific config prefixes. First-match wins, and plugin-registered rules
* are evaluated before the base `plugins.* -> restart` rule, so declaring
* `plugins.entries.<id>.config` here overrides the base restart for our
* own config subtree.
*/
export type PluginReloadRegistration = {
restartPrefixes?: string[];
hotPrefixes?: string[];
noopPrefixes?: string[];
};
/**
* Register a plugin with the OpenClaw runtime. The `register` callback
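Review bot: the doc comment's example, "declaring `plugins.entries.<id>.config` here overrides the base restart for our own config subtree", describes the opposite of what index.ts in this same change does; the registration there deliberately lists only `plugins.entries.<id>.config.authToken` and leaves the rest of `.config` on the restart path so `apiBaseUrl` edits still take effect. Someone reading only this type will reasonably widen the prefix to `.config` and silently turn `apiBaseUrl` changes into noops. Reword to the `.config.authToken` example, or say explicitly that subtree-wide overrides are possible but this plugin intentionally scopes to the one field.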

@@ -28,2 +42,3 @@ * receives a runtime-provided plugin API object. The SDK's concrete

description: string;
reload?: PluginReloadRegistration;
register: (api: any) => void;

@@ -30,0 +45,0 @@ }): unknown;