diff --git a/CHANGELOG.md b/CHANGELOG.md index 7d5e9c9..38c469b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,9 +15,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Documentation -- README install section now leads with the `@dev` install command and explains why the plain install will fail until the first stable release ships. +- README install section leads with the plain install command (no `@dev` suffix) now that a stable release is shipping. The dev channel is documented as a prerelease option under `Channels`. +- README `Contributing` links to `AGENTS.md`, `RELEASING.md`, and `CHANGELOG.md` are now absolute GitHub URLs, so they resolve correctly on the npm package page (those docs were never shipped in the tarball). +- README now documents `KILO_API_KEY` as an alias for `KILOCODE_API_KEY` (both have always been accepted by the code). +- Removed the stale "The gateway restarts after device auth" troubleshooting entry. The restart no longer happens after the `reload.noopPrefixes` fix above. +- Exact-version install example updated from `0.1.0-dev.1` to `0.1.0`. - RELEASING.md documents the first-publish `latest` dist-tag quirk, the workflow's reconciliation step, and what its expected `::warning::` output means. +### Packaging + +- Added npm `keywords` to `package.json` (`openclaw`, `kiloclaw`, `kilocode`, `security`) for registry discoverability. + ## [0.1.0-dev.1] - 2026-04-15 Initial dev release. diff --git a/README.md b/README.md index 1cf21cd..b361cdc 100644 --- a/README.md +++ b/README.md 
@@ -14,20 +14,11 @@ concrete remediation guidance, displayed directly in your chat. ## Install ```bash -openclaw plugins install @kilocode/openclaw-security-advisor@dev +openclaw plugins install @kilocode/openclaw-security-advisor openclaw plugins enable openclaw-security-advisor openclaw gateway restart ``` -> **Why `@dev`?** No stable release has shipped yet — only dev snapshots -> (`0.1.0-dev.N`). The `@dev` tag is currently the only working install -> path. Plain `openclaw plugins install @kilocode/openclaw-security-advisor` -> (without `@dev`) **will fail today** with a prerelease-guard error, -> because npm's `latest` dist-tag still points at a dev version on -> pre-stable packages. Once the first stable release (`X.Y.Z`) ships, -> you'll be able to drop the `@dev` suffix and use the plain command. -> See [Channels](#channels) below. - On first use, the plugin will walk you through a one-time device auth flow to connect your KiloCode account. @@ -35,10 +26,10 @@ flow to connect your KiloCode account. The plugin ships on two npm dist-tags: -- **`latest`** — public stable releases (`X.Y.Z`). Default for plain - `npm install` / `openclaw plugins install`. Will exist once the first - stable release ships. -- **`dev`** — internal dogfood snapshots (`X.Y.Z-dev.N`). Install with: +- **`latest`** — stable releases (`X.Y.Z`). Default for plain + `npm install` / `openclaw plugins install`. +- **`dev`** — prerelease snapshots (`X.Y.Z-dev.N`) published ahead of + stable cuts for early testing. Install with: ```bash openclaw plugins install @kilocode/openclaw-security-advisor@dev 
@@ -48,13 +39,11 @@ The plugin ships on two npm dist-tags: Dev releases are real npm publishes with the same provenance attestation as stable releases (verify with `npm audit signatures`). - They're "internal" only by social convention and by being on a - non-default dist-tag — there's nothing technically restricting access. You can also install an exact version directly: ```bash -openclaw plugins install @kilocode/openclaw-security-advisor@0.1.0-dev.1 +openclaw plugins install @kilocode/openclaw-security-advisor@0.1.0 ``` --- @@ -175,9 +164,10 @@ openclaw config set plugins.entries.openclaw-security-advisor.config.apiBaseUrl The plugin also respects these environment variables, useful for non-interactive setups (CI, containerized deployments): -- `KILOCODE_API_KEY`: if set, the plugin uses this as the auth token - and skips the device auth flow entirely. Intended for environments - where an operator has already injected the key at boot. +- `KILOCODE_API_KEY` (alias: `KILO_API_KEY`): if set, the plugin uses + this as the auth token and skips the device auth flow entirely. + Intended for environments where an operator has already injected the + key at boot. - `KILO_API_URL` or `KILOCODE_API_BASE_URL`: override the API base URL without touching the plugin config. 
@@ -213,18 +203,13 @@ openclaw gateway restart The plugin itself works without this setting. It's only needed if you want the `/plugins list` chat command to show installed plugins. -**The gateway restarts after device auth** -This is expected on first auth: the plugin writes your token to the -OpenClaw config, which triggers a one-time gateway reload. Subsequent -checkups don't reload. - --- ## Contributing -- [`AGENTS.md`](./AGENTS.md) — build, test, lint, code layout, and contribution rules. -- [`RELEASING.md`](./RELEASING.md) — how to cut a release. -- [`CHANGELOG.md`](./CHANGELOG.md) — release history. +- [`AGENTS.md`](https://github.com/Kilo-Org/openclaw-security-advisor/blob/main/AGENTS.md) — build, test, lint, code layout, and contribution rules. +- [`RELEASING.md`](https://github.com/Kilo-Org/openclaw-security-advisor/blob/main/RELEASING.md) — how to cut a release. +- [`CHANGELOG.md`](https://github.com/Kilo-Org/openclaw-security-advisor/blob/main/CHANGELOG.md) — release history. --- diff --git a/package.json b/package.json index e5bf46e..c89ea95 100644 --- a/package.json +++ b/package.json @@ -4,6 +4,12 @@ "type": "module", "license": "MIT", "description": "Security analysis plugin for OpenClaw instances, powered by KiloCode", + "keywords": [ + "openclaw", + "kiloclaw", + "kilocode", + "security" + ], "//": "private: true is intentional — safety net against accidental `npm publish`. The publish script (script/publish.ts) strips this flag before packing and restores it after. Do NOT remove this without also having the publish pipeline in place.", "private": true, "main": "index.ts",
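Review bot: In the README.md `## Install` hunk, the plain `openclaw plugins install @kilocode/openclaw-security-advisor` command only works once npm's `latest` dist-tag points at a stable version. The note removed here says the plain install fails with a prerelease-guard error while `latest` still points at a dev version. Merge this only after the stable publish and the `latest` dist-tag reconciliation mentioned in the CHANGELOG entry for RELEASING.md have been confirmed, or keep a one-line pointer to the `@dev` command until then.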
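Review bot: In the README.md `Channels` hunks, the only verification hint, `npm audit signatures`, sits under the `dev` bullet, even though the same sentence says stable releases carry the same provenance attestation. Now that the install section leads with the stable command, move or repeat that hint next to the `latest` bullet or the install block so that users installing the stable release see it too.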
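Review bot: In the README.md environment-variable hunk, the new `KILOCODE_API_KEY` (alias: `KILO_API_KEY`) bullet does not say which value wins when both are set, and the unchanged `KILO_API_URL` or `KILOCODE_API_BASE_URL` bullet below it has the same gap. Because a set key skips the device auth flow entirely, state the precedence so that an operator who rotates one variable knows whether a stale value in the other can still be picked up.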
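Review bot: In the README.md `Contributing` hunk, all three links point at `blob/main`, so a reader on the npm page for a given published version gets whatever is on `main` at click time rather than the docs as of that release. That is reasonable for `AGENTS.md`, but for `CHANGELOG.md` and `RELEASING.md` either say so in the text or link to the release tag. In the same hunk, the removed "The gateway restarts after device auth" entry still describes what users on a version without the `reload.noopPrefixes` fix will see; consider keeping one line that says which release removed the restart.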