[codex] harden clawhub plugin publishing and install#56870

Merged
odysseus0 merged 2 commits into main from codex/openclaw-plugin-publish-flow
Mar 29, 2026

@odysseus0
Contributor

Summary

  • fix ClawHub plugin installs for scoped package names by moving archive downloads onto a sanitized temp-download abstraction
  • add the canonical @openclaw/plugin-package-contract workspace package for external ClawHub-published plugins
  • align OpenClaw plugin docs and snippets with the actual required publish metadata and command flow
  • add docs/contract regression tests so plugin publishing docs cannot silently drift again

Root cause

The OpenClaw side of the plugin publish flow had two structural problems: archive downloads treated package names as filesystem-safe paths, which breaks for scoped packages, and the published plugin contract was not owned or tested as a single source of truth for docs and validation.

What changed

  • add src/infra/temp-download.ts and re-export from src/plugin-sdk/temp-path.ts
  • update ClawHub package and skill archive downloads to use cleanup-safe sanitized temp files
  • update ClawHub install paths to rely on archive cleanup instead of ad hoc temp-dir deletion
  • add packages/plugin-package-contract with canonical compatibility-field validation helpers for externally published code plugins
  • add canonical docs snippets under docs/snippets/plugin-publish/
  • update plugin docs and ClawHub docs to use clawhub package publish and include required openclaw.compat / openclaw.build metadata
  • add docs regression tests to keep snippets valid and forbid bare clawhub publish in plugin docs

Follow-up

The final cross-repo de-duplication step is intentionally deferred until the corresponding publishable package releases exist. For now this PR makes the contract explicit and tested without depending on npm publish rights.

Validation

  • pnpm exec vitest run packages/plugin-package-contract/src/index.test.ts src/infra/clawhub.test.ts src/plugins/clawhub.test.ts src/agents/skills-clawhub.test.ts src/docs/clawhub-plugin-docs.test.ts
  • node --max-old-space-size=8192 ./node_modules/typescript/bin/tsc -p tsconfig.json --noEmit

@openclaw-barnacle bot added the labels docs (Improvements or additions to documentation), agents (Agent runtime and tooling), size: L, and maintainer (Maintainer-authored PR) Mar 29, 2026
@odysseus0 marked this pull request as ready for review March 29, 2026 09:23
@greptile-apps
Contributor

greptile-apps bot commented Mar 29, 2026

Greptile Summary

This PR hardens ClawHub plugin publishing and install by fixing scoped package name handling in archive downloads, consolidating temp-file cleanup behind a cleanup() callback, and introducing a canonical @openclaw/plugin-package-contract workspace package for external plugin metadata validation.

  • Scoped package fix: downloadClawHubPackageArchive and downloadClawHubSkillArchive now use createTempDownloadTarget, which calls sanitizeTempFileName (via path.basename) instead of safeDirName. Scoped names like @myorg/plugin resolve safely to plugin.zip inside a unique mkdtemp-isolated directory.
  • Cleanup consolidation: Both src/plugins/clawhub.ts and src/agents/skills-clawhub.ts replace their two-step fs.rm(file) + fs.rm(dir) finally blocks with a single archive.cleanup() call. Semantically equivalent and centrally tested.
  • Contract package: packages/plugin-package-contract exports correct null-safe validation helpers with proper fallback chains (install.minHostVersion → compat.minGatewayVersion, package version → build.openclawVersion).
  • temp-path.ts consolidation: Reduced to a re-export barrel of temp-download.ts, removing ~80 lines of duplication.
  • Docs regression tests: clawhub-plugin-docs.test.ts locks canonical snippet files against the contract validator and guards against bare clawhub publish references drifting back into plugin docs.

Confidence Score: 5/5

Safe to merge — all changes are well-scoped refactors with matching test coverage and no regressions in the changed paths.

No P0 or P1 issues found. The scoped-package filename fix is correct (path.basename strips the scope, unique mkdtemp dir prevents collisions). Cleanup delegation is semantically equivalent to the previous two-step rm. The contract package logic is null-safe and fully tested. Docs regression tests anchor the snippets to the validator.

No files require special attention.

Important Files Changed

Filename | Overview
--- | ---
src/infra/temp-download.ts | New temp-download abstraction wrapping mkdtemp-based isolation with sanitized filenames and attached cleanup(). Moved from plugin-sdk/temp-path.ts with no logic changes.
src/infra/clawhub.ts | Downloads now use createTempDownloadTarget; path.basename inside sanitizeTempFileName strips scopes safely. ClawHubPackageCompatibility aliased to ExternalPluginCompatibility (additive: gains optional pluginSdkVersion).
src/plugins/clawhub.ts | Cleanup replaced from two ad-hoc fs.rm calls to a single archive.cleanup() delegation; semantically equivalent but cleaner.
src/agents/skills-clawhub.ts | Same cleanup consolidation as plugins/clawhub.ts; correctly delegates to archive.cleanup() in the finally block.
packages/plugin-package-contract/src/index.ts | Clean canonical validation helpers for external code plugins with correct null-safe field traversal and proper fallback logic.
src/docs/clawhub-plugin-docs.test.ts | Regression tests verify canonical snippet files pass contract validation and labelled JSON blocks in docs match the snippets.
src/plugin-sdk/temp-path.ts | Reduced to a pure re-export barrel of temp-download.ts; removes ~80 lines of duplicated code.

Reviews (1): Last reviewed commit: "fix: harden clawhub plugin publishing an..."
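
The scoped-name failure and the mkdtemp-plus-basename fix described in the PR summary and this review, as an added example that is not code from the PR or from OpenClaw. The helper names (safeFileName, makeTempTarget, naiveWriteWorks, download) are hypothetical and the archive bytes are constructed; the example also covers the degenerate name "..", which the page does not discuss.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Added example; helper names are hypothetical, not OpenClaw's own code.
interface TempTarget { dir: string; file: string; cleanup: () => void }

// Reduce an untrusted package name to a single safe file name.
function safeFileName(name: string, fallback = "download"): string {
  const base = path.posix.basename(name.replace(/\\/g, "/")); // drop scope/dirs
  const cleaned = base.replace(/[^A-Za-z0-9._-]/g, "_");
  return cleaned === "" || cleaned === "." || cleaned === ".." ? fallback : cleaned;
}

// "Before": the name is joined into the path as if it were filesystem-safe.
function naiveWriteWorks(name: string): boolean {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "naive-dl-"));
  try {
    fs.writeFileSync(path.join(root, `${name}.zip`), "constructed bytes");
    return true;
  } catch {
    return false; // ENOENT: "@myorg" is read as a directory that does not exist
  } finally {
    fs.rmSync(root, { recursive: true, force: true });
  }
}

// "After": unique mkdtemp directory, sanitized file name, one cleanup handle.
function makeTempTarget(name: string, ext = ".zip"): TempTarget {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "plugin-dl-"));
  const file = path.join(dir, safeFileName(name) + ext);
  return { dir, file, cleanup: () => fs.rmSync(dir, { recursive: true, force: true }) };
}

// Write a constructed archive, report where it landed, then clean up.
function download(name: string): { fileName: string; inDir: boolean; removed: boolean } {
  const t = makeTempTarget(name);
  let fileName = "";
  let inDir = false;
  try {
    fs.writeFileSync(t.file, "constructed bytes");
    fileName = path.basename(t.file);
    inDir = path.dirname(t.file) === t.dir;
  } finally {
    t.cleanup(); // runs on success and on failure alike
  }
  return { fileName, inDir, removed: !fs.existsSync(t.dir) };
}
```

Because every download gets its own mkdtemp directory, two packages whose names share a last segment cannot overwrite each other's archive, and removing that one directory is the whole cleanup.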

@odysseus0 force-pushed the codex/openclaw-plugin-publish-flow branch from 0bd38c3 to b028549 March 29, 2026 18:55
@odysseus0 merged commit e133924 into main Mar 29, 2026
21 of 36 checks passed
@odysseus0 deleted the codex/openclaw-plugin-publish-flow branch March 29, 2026 18:59
@aisle-research-bot

aisle-research-bot bot commented Mar 30, 2026

🤖 We're reviewing this PR with Aisle

We're running a security check on the changes in this PR now. This usually takes a few minutes. ⌛
We'll post the results here as soon as they're ready.

Progress:

  • Analysis
  • Finalization

Latest run failed. Keeping previous successful results. Trace ID: 019d3af3668dcb7ba822ad287bcda4b6.

Last updated on: 2026-03-30T09:47:26Z

pritchie pushed a commit to pritchie/openclaw that referenced this pull request Mar 30, 2026
* fix: harden clawhub plugin publishing and install

* fix(process): preserve windows shim exit success
alexjiang1 pushed a commit to alexjiang1/openclaw that referenced this pull request Mar 31, 2026
* fix: harden clawhub plugin publishing and install

* fix(process): preserve windows shim exit success
livingghost pushed a commit to livingghost/openclaw that referenced this pull request Mar 31, 2026
* fix: harden clawhub plugin publishing and install

* fix(process): preserve windows shim exit success
pgondhi987 pushed a commit to pgondhi987/openclaw that referenced this pull request Mar 31, 2026
* fix: harden clawhub plugin publishing and install

* fix(process): preserve windows shim exit success