@kilocode/openclaw-security-advisor
Advanced tools
+1
-0
@@ -12,2 +12,3 @@ # Changelog | ||
| - First-time device auth no longer triggers a brief gateway restart after the token is captured. The plugin now registers `reload.noopPrefixes` for `plugins.entries.openclaw-security-advisor.config.authToken`, so the SecretRef patch written to `openclaw.json` after device auth is classified as a noop by the gateway reload planner instead of falling through to the default `plugins.* → restart` rule. The security checkup report is returned in the same response with no connection interruption. Scope is intentionally limited to the `authToken` field — `apiBaseUrl` and other config changes still take effect via the normal restart path. | ||
| - Release workflow: consolidated post-publish git/GitHub operations into a single atomic step with retries, eliminating a race condition where the version bump commit and tag could be pushed separately. Registry verification is now informational-only and never blocks tag/release steps. | ||
@@ -14,0 +15,0 @@ - Release workflow: added a `Reconcile latest dist-tag` step that automatically repoints `npm dist-tags.latest` back to the highest stable version after a dev publish, preventing npm's first-publish auto-assign behavior from routing plain `npm install` users to a prerelease. |
+20
-0
@@ -297,2 +297,22 @@ import { definePluginEntry } from "openclaw/plugin-sdk/plugin-entry"; | ||
| "Run a security checkup of your OpenClaw instance and get an expert analysis report from KiloCode.", | ||
| // The gateway reload planner classifies any change under `plugins.*` | ||
| // as `kind: "restart"` by default. writeStoredToken() patches | ||
| // plugins.entries.openclaw-security-advisor.config.authToken with a | ||
| // SecretRef after device auth, which would force a full gateway | ||
| // restart on first-time token capture. Plugin-registered reload | ||
| // rules are evaluated before the base rules (first-match wins), so | ||
| // declaring just the authToken path as a noop shadows the base | ||
| // restart rule for that one field without affecting anything else. | ||
| // | ||
| // Scope is intentionally narrow — only `.config.authToken`, NOT the | ||
| // full `.config` subtree. `apiBaseUrl` is captured as a snapshot in | ||
| // register() (see `pluginConfig` below), so runtime updates to it | ||
| // still need to fall through to the base `plugins.* → restart` rule | ||
| // to take effect. The plugin reads the token directly from disk via | ||
| // readTokenFromFile() on every invocation, so authToken noop is safe. | ||
| reload: { | ||
| noopPrefixes: [ | ||
| "plugins.entries.openclaw-security-advisor.config.authToken", | ||
| ], | ||
| }, | ||
| // The SDK's OpenClawPluginApi type is large and internal. We narrow | ||
@@ -299,0 +319,0 @@ // to our own structural PluginApi (declared above) immediately on |
+1
-1
| { | ||
| "name": "@kilocode/openclaw-security-advisor", | ||
| "version": "0.1.0-dev.4", | ||
| "version": "0.1.0-dev.5", | ||
| "type": "module", | ||
@@ -5,0 +5,0 @@ "license": "MIT", |
+0
-5
@@ -128,7 +128,2 @@ # @kilocode/openclaw-security-advisor | ||
| > **Note:** after the token is saved, OpenClaw briefly reloads to apply | ||
| > the new credential. You'll see a short connection blip in the chat | ||
| > UI. This is expected and only happens on first auth. Subsequent | ||
| > checkups run instantly without any reload. | ||
| For every run after the first, no auth prompt appears. The saved token | ||
@@ -135,0 +130,0 @@ is reused automatically. |
@@ -56,5 +56,14 @@ import { mkdir, readFile, unlink, writeFile } from "node:fs/promises"; | ||
| * | ||
| * This triggers one gateway restart. On restart, OpenClaw resolves the | ||
| * SecretRef → api.pluginConfig.authToken = the token string, available | ||
| * in the plugin closure forever after. | ||
| * The config write does NOT trigger a gateway restart: the plugin | ||
| * declares `reload.noopPrefixes` for | ||
| * `plugins.entries.<id>.config.authToken` in index.ts, which shadows | ||
| * the gateway reload planner's default `plugins.* → restart` rule for | ||
| * just that one field. Other `.config.*` fields (e.g. `apiBaseUrl`) | ||
| * intentionally still hit the default restart rule so runtime edits | ||
| * take effect. The plugin reads the token directly from the secrets | ||
| * file via readTokenFromFile() on every invocation, so no hot-resolve | ||
| * of api.pluginConfig.authToken is needed — the SecretRef in | ||
| * openclaw.json exists for discoverability (so operators inspecting | ||
| * config can see where the token lives) and to align with openclaw's | ||
| * SecretRef direction. | ||
| */ | ||
@@ -61,0 +70,0 @@ export async function writeStoredToken( |
@@ -18,2 +18,16 @@ /** | ||
| /** | ||
| * Subset of the SDK's OpenClawPluginReloadRegistration. Entries here let a | ||
| * plugin override the gateway reload planner's default classification for | ||
| * specific config prefixes. First-match wins, and plugin-registered rules | ||
| * are evaluated before the base `plugins.* -> restart` rule, so declaring | ||
| * `plugins.entries.<id>.config` here overrides the base restart for our | ||
| * own config subtree. | ||
| */ | ||
| export type PluginReloadRegistration = { | ||
| restartPrefixes?: string[]; | ||
| hotPrefixes?: string[]; | ||
| noopPrefixes?: string[]; | ||
| }; | ||
| /** | ||
| * Register a plugin with the OpenClaw runtime. The `register` callback | ||
@@ -28,2 +42,3 @@ * receives a runtime-provided plugin API object. The SDK's concrete | ||
| description: string; | ||
| reload?: PluginReloadRegistration; | ||
| register: (api: any) => void; | ||
@@ -30,0 +45,0 @@ }): unknown; |
52164
5.35%1023
4.39%234
-2.09%