update docs

CHANGELOG.md

@@ -15,9 +15,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Documentation
 
-- README install section now leads with the `@dev` install command and explains why the plain install will fail until the first stable release ships.
+- README install section leads with the plain install command (no `@dev` suffix) now that a stable release is shipping. The dev channel is documented as a prerelease option under `Channels`.
+- README `Contributing` links to `AGENTS.md`, `RELEASING.md`, and `CHANGELOG.md` are now absolute GitHub URLs, so they resolve correctly on the npm package page (those docs were never shipped in the tarball).
+- README now documents `KILO_API_KEY` as an alias for `KILOCODE_API_KEY` (both have always been accepted by the code).
+- Removed the stale "The gateway restarts after device auth" troubleshooting entry. The restart no longer happens after the `reload.noopPrefixes` fix above.
+- Exact-version install example updated from `0.1.0-dev.1` to `0.1.0`.
 - RELEASING.md documents the first-publish `latest` dist-tag quirk, the workflow's reconciliation step, and what its expected `::warning::` output means.
 
+### Packaging
+
+- Added npm `keywords` to `package.json` (`openclaw`, `kiloclaw`, `kilocode`, `security`) for registry discoverability.
+
 ## [0.1.0-dev.1] - 2026-04-15
 
 Initial dev release.

README.md

@@ -14,31 +14,22 @@ concrete remediation guidance, displayed directly in your chat.
 ## Install
 
 ```bash
-openclaw plugins install @kilocode/openclaw-security-advisor@dev
+openclaw plugins install @kilocode/openclaw-security-advisor
 openclaw plugins enable openclaw-security-advisor
 openclaw gateway restart
 ```
 
-> **Why `@dev`?** No stable release has shipped yet — only dev snapshots
-> (`0.1.0-dev.N`). The `@dev` tag is currently the only working install
-> path. Plain `openclaw plugins install @kilocode/openclaw-security-advisor`
-> (without `@dev`) **will fail today** with a prerelease-guard error,
-> because npm's `latest` dist-tag still points at a dev version on
-> pre-stable packages. Once the first stable release (`X.Y.Z`) ships,
-> you'll be able to drop the `@dev` suffix and use the plain command.
-> See [Channels](#channels) below.
-
 On first use, the plugin will walk you through a one-time device auth
 flow to connect your KiloCode account.
 
 ### Channels
 
 The plugin ships on two npm dist-tags:
 
-- **`latest`** — public stable releases (`X.Y.Z`). Default for plain
-  `npm install` / `openclaw plugins install`. Will exist once the first
-  stable release ships.
-- **`dev`** — internal dogfood snapshots (`X.Y.Z-dev.N`). Install with:
+- **`latest`** — stable releases (`X.Y.Z`). Default for plain
+  `npm install` / `openclaw plugins install`.
+- **`dev`** — prerelease snapshots (`X.Y.Z-dev.N`) published ahead of
+  stable cuts for early testing. Install with:
 
   ```bash
   openclaw plugins install @kilocode/openclaw-security-advisor@dev
@@ -48,13 +39,11 @@ The plugin ships on two npm dist-tags:
 
   Dev releases are real npm publishes with the same provenance
   attestation as stable releases (verify with `npm audit signatures`).
-  They're "internal" only by social convention and by being on a
-  non-default dist-tag — there's nothing technically restricting access.
 
 You can also install an exact version directly:
 
 ```bash
-openclaw plugins install @kilocode/openclaw-security-advisor@0.1.0-dev.1
+openclaw plugins install @kilocode/openclaw-security-advisor@0.1.0
 ```
 
 ---
@@ -175,9 +164,10 @@ openclaw config set plugins.entries.openclaw-security-advisor.config.apiBaseUrl
 The plugin also respects these environment variables, useful for
 non-interactive setups (CI, containerized deployments):
 
-- `KILOCODE_API_KEY`: if set, the plugin uses this as the auth token
-  and skips the device auth flow entirely. Intended for environments
-  where an operator has already injected the key at boot.
+- `KILOCODE_API_KEY` (alias: `KILO_API_KEY`): if set, the plugin uses
+  this as the auth token and skips the device auth flow entirely.
+  Intended for environments where an operator has already injected the
+  key at boot.
 - `KILO_API_URL` or `KILOCODE_API_BASE_URL`: override the API base URL
   without touching the plugin config.
 
@@ -213,18 +203,13 @@ openclaw gateway restart
 The plugin itself works without this setting. It's only needed if you
 want the `/plugins list` chat command to show installed plugins.
 
-**The gateway restarts after device auth**
-This is expected on first auth: the plugin writes your token to the
-OpenClaw config, which triggers a one-time gateway reload. Subsequent
-checkups don't reload.
-
 ---
 
 ## Contributing
 
-- [`AGENTS.md`](./AGENTS.md) — build, test, lint, code layout, and contribution rules.
-- [`RELEASING.md`](./RELEASING.md) — how to cut a release.
-- [`CHANGELOG.md`](./CHANGELOG.md) — release history.
+- [`AGENTS.md`](https://github.com/Kilo-Org/openclaw-security-advisor/blob/main/AGENTS.md) — build, test, lint, code layout, and contribution rules.
+- [`RELEASING.md`](https://github.com/Kilo-Org/openclaw-security-advisor/blob/main/RELEASING.md) — how to cut a release.
+- [`CHANGELOG.md`](https://github.com/Kilo-Org/openclaw-security-advisor/blob/main/CHANGELOG.md) — release history.
 
 ---
 

package.json

@@ -4,6 +4,12 @@
   "type": "module",
   "license": "MIT",
   "description": "Security analysis plugin for OpenClaw instances, powered by KiloCode",
+  "keywords": [
+    "openclaw",
+    "kiloclaw",
+    "kilocode",
+    "security"
+  ],
   "//": "private: true is intentional — safety net against accidental `npm publish`. The publish script (script/publish.ts) strips this flag before packing and restores it after. Do NOT remove this without also having the publish pipeline in place.",
   "private": true,
   "main": "index.ts",