diff --git a/docs/plans/2026-02-16-clawhub-registry-checklist.md b/docs/plans/2026-02-16-clawhub-registry-checklist.md
new file mode 100644
index 0000000..b921b94
--- /dev/null
+++ b/docs/plans/2026-02-16-clawhub-registry-checklist.md
@@ -0,0 +1,123 @@
+# ClawHub Registry — Scoped Implementation Checklist
+
+**Date:** 2026-02-16
+
+**Parent roadmap:** `docs/plans/2026-02-15-openclaw-gap-roadmap.md`
+
+**Goal:** Close the gap item "ClawHub / community skill registry" with a safe, incremental registry flow that supports discovery and installation without weakening current skill safety controls.
+
+## Scope
+
+### In scope
+
+- Add a read-only skill registry source for discovery.
+- Add CLI registry listing/details and install-by-id flow.
+- Reuse existing skill safety scanner and install policy gates.
+- Add docs and tests for end-to-end registry flow.
+
+### Out of scope (this milestone)
+
+- Arbitrary third-party repository execution without safety checks.
+- Auto-update/auto-upgrade daemons for installed skills.
+- Full signed-package ecosystem (can be follow-up phase).
+
+## Phase Plan
+
+### Phase 1: Registry Source + Types
+
+Checklist:
+
+- [ ] Add registry types + parser module (`src/skills/registrySource.ts` or equivalent).
+- [ ] Support one source shape:
+ - [ ] local JSON file path (for deterministic tests and offline use)
+ - [ ] optional HTTPS URL source (fetch + timeout + parse)
+- [ ] Validate required fields for each skill entry:
+ - [ ] `id`, `name`, `version`, `source`, `summary`
+ - [ ] optional trust metadata (`publisher`, `homepage`, `sha256`)
+- [ ] Reject malformed registry entries with actionable errors.
+
+Acceptance:
+
+- `flynn skills` internals can load a normalized registry catalog.
+
+Tests:
+
+- [ ] Unit tests for parser/validation edge cases.
+
+---
+
+### Phase 2: CLI Discovery UX
+
+Checklist:
+
+- [ ] Add `flynn skills registry list` command (table/text + `--json`).
+- [ ] Add `flynn skills registry show ` command (entry detail + source fields).
+- [ ] Add filtering options:
+ - [ ] `--search `
+ - [ ] `--publisher `
+- [ ] Ensure output clearly marks trust metadata as declared/unverified.
+
+Acceptance:
+
+- Operators can discover candidate skills without leaving Flynn tooling.
+
+Tests:
+
+- [ ] Command tests for text + JSON output paths.
+
+---
+
+### Phase 3: Install by Registry ID
+
+Checklist:
+
+- [ ] Add `flynn skills install --registry-id ` resolution path.
+- [ ] Support source forms:
+ - [ ] git URL
+ - [ ] archive URL
+ - [ ] local path
+- [ ] Route resolved sources through existing installer + scanner pipeline.
+- [ ] Require explicit confirmation flag for non-local sources (for example `--confirm`).
+- [ ] Emit audit events for registry-driven installs (id + source + outcome).
+
+Acceptance:
+
+- Install-by-id works and unsafe skills still fail scanner checks.
+
+Tests:
+
+- [ ] Installer tests for registry-id resolution and scan failures.
+- [ ] CLI tests for confirmation and error paths.
+
+---
+
+### Phase 4: Docs + Runtime Visibility
+
+Checklist:
+
+- [ ] Update `README.md` skills section with registry usage.
+- [ ] Update `docs/security/SAFE_PERSONAL_AGENT.md` with registry trust model.
+- [ ] Add doctor diagnostics:
+ - [ ] registry source reachable/parsible
+ - [ ] clear warning when registry disabled/unconfigured
+
+Acceptance:
+
+- Operator docs explain safe usage and tradeoffs.
+
+Tests:
+
+- [ ] Doctor tests for registry health reporting.
+
+## Security Guardrails
+
+- [ ] Registry metadata is never treated as trusted code.
+- [ ] Skill scanner remains mandatory before skill becomes available.
+- [ ] Prompt injection and symlink/binary checks still gate registry-installed skills.
+- [ ] Secrets are never accepted from registry metadata.
+
+## Final Validation
+
+- [ ] `pnpm typecheck`
+- [ ] `pnpm test:run`
+- [ ] Update `docs/plans/state.json` to `completed` with summary + test status once all phases land.
diff --git a/docs/plans/state.json b/docs/plans/state.json
index 3e0dacc..71fc5c6 100644
--- a/docs/plans/state.json
+++ b/docs/plans/state.json
@@ -211,6 +211,13 @@
 "updated": "2026-02-16",
 "summary": "Completed roadmap closure for the six prioritized OpenClaw gaps: per-tier credential system v2 (API + OAuth/token), Vercel AI Gateway provider, skill safety scanner, elevated mode, Matrix adapter, and deployment targets (Nix + PaaS)."
 },
+ "clawhub-registry": {
+ "file": "2026-02-16-clawhub-registry-checklist.md",
+ "status": "planned",
+ "date": "2026-02-16",
+ "updated": "2026-02-16",
+ "summary": "Scoped the next OpenClaw-gap milestone as a phased ClawHub-style registry implementation: catalog source + validation, CLI discovery, install-by-id via existing scanner pipeline, and docs/doctor visibility."
+ },
 "credential-system-v2-api-and-oauth": {
 "file": "2026-02-15-credential-system-v2-api-and-oauth-checklist.md",
 "status": "completed",
@@ -2750,7 +2757,7 @@
 "gmail_auth_cli": "flynn gmail-auth command implemented with OAuth2 flow, doctor check, config routed to Telegram",
 "native_audio_support": "completed — smart routing for native audio (Gemini/OpenAI/GitHub) vs Whisper transcription fallback",
 "remaining_phases_completion": "Phase 1: 3/3 (100%) — context levels, command registry, memory structure. Phase 2: 3/3 (100%) — component registry, confidence routing, history index. Phase 3: 2/2 (100%) — adaptive memory/compaction, truthfulness/autonomy hardening",
- "next_up": "Pick the next OpenClaw gap milestone and create a scoped checklist (candidates: ClawHub registry, Bonjour/mDNS discovery, synthetic provider)"
+ "next_up": "Implement ClawHub registry milestone checklist (Phase 1: registry source/types and validation)"
 },
 "soul_md_and_cron_create": {
 "date": "2026-02-11",