Smart Updater
Principle: 宁可不升,不可升坏。
Execution Contract
A final report is invalid unless ALL of the following are true:
- -
inventory.json exists (Phase 1 complete) - INLINECODE1� exists (Phase 2 complete)
- Every update candidate has a changelog summary or explicit "unavailable" note (Phase 3 complete)
- Every update candidate has a risk level (Phase 4 complete)
If any condition is not met, do NOT generate the report. Output BLOCKED with the missing items instead.
Never Do This
- - Never generate the report before changelog fetch
- Never infer or invent changelog contents — fetch them
- Never present updates to the user without changelog evidence
- Never skip an update candidate in the report because its changelog was hard to find
Quick Commands
Inventory only
bash ~/.openclaw/workspace/skills/smart-updater/scripts/inventory.sh
Scans all installed assets → �INLINECODE3
Scan only
bash ~/.openclaw/workspace/skills/smart-updater/scripts/scan.sh
Checks each trackable asset for updates → �INLINECODE4
Full Check (most common)
Execute Phases 1–5 below in order.
Workflow
Phase 1 — Inventory
Action: Run
inventory.sh
Output:
~/.openclaw/inventory.json
Exit criteria: File exists and contains
assets array
Asset types: core/npm, extension/npm, extension/local, extension/github, skill/clawhub, skill/github, skill/local, �INLINECODE15
Do not continue until Phase 1 exit criteria are met.
Phase 2 — Scan
Action: Run
scan.sh
Output:
~/.openclaw/scan-result.json
Exit criteria: File exists and contains
updates array
Do not continue until Phase 2 exit criteria are met.
If updates is empty → report "all up to date" and stop. No further phases needed.
Phase 3 — Changelog Fetch
Action: For EACH update in
scan-result.json, fetch changelog/release notes.
Output: Changelog summary per update candidate.
| Source | How to fetch |
|---|
| ClawHub | INLINECODE21 |
| npm |
npm info <pkg> --json → check
repository, then
web_fetch GitHub releases |
|
GitHub |
cd <dir> && git log --oneline HEAD..origin/main or
changelogUrl from scan-result |
Note: scan-result.json may already contain a changelog array for ClawHub skills. Use it if present, but verify/supplement if sparse.
For each update, record:
- - One-line summary of what changed
- Source URL or command used
- Breaking changes (if any)
- "unavailable" with reason (if fetch failed)
Exit criteria: Every update candidate has EITHER:
- - a changelog summary with source, OR
- an explicit "changelog unavailable" note with the source attempted
⛔ Do not continue to Phase 4 until Phase 3 exit criteria are met.
Phase 4 — Risk Assessment
Action: Assign risk level to each update using this matrix:
| Condition | Risk | Action |
|---|
| patch + bugfix | 🟢 Low | Recommend |
| minor + feature |
🟡 Medium | Suggest |
| major + breaking | 🔴 High | Require confirmation |
| extension type | 🟡+ | Always full Gate 2 flow |
| changelog unavailable | 🟠 Unknown | Flag for manual review |
| new executable scripts | 🟠+ | Suggest skill-vetter |
| name conflict | 🔴 | Block upgrade (Gate 1) |
Exit criteria: Every update candidate has a risk level assigned.
Gate — Pre-Report Verification
Before generating the report, verify:
- - [ ] Every update has changelog summary or "unavailable" note
- [ ] Every update has risk level
- [ ] Every update has changelog source (URL or command)
If ANY checkbox fails → output BLOCKED: <missing items>. Do NOT proceed.
Phase 5 — Report
Only now read
references/report-format.md and generate the report using that template.
The report MUST include changelog summaries from Phase 3. If Phase 3 data is absent, return to Phase 3.
Phase 6 — Wait for User
Present the report and wait. Do NOT auto-upgrade. Do NOT proceed without explicit user selection.
Upgrade Execution
When the user selects updates to apply:
Execute upgrades one at a time, sequentially. Each must pass Three Gates:
CODEBLOCK2
- - Gate 1: Source tracked, no name conflict, gateway healthy (extensions), local/github extensions blocked
- Gate 2: Backup isolated, jiti cleared (extensions), config preserved (core), upgrade executed
- Gate 3: Version verified, file count checked, provenance validated, rollback on failure
For detailed gate definitions and rollback procedures: Read �INLINECODE30
For each upgrade: Announce → Gate 1 → Gate 2 (backup+execute) → Gate 3 (verify) → Report result
Files
| File | Purpose |
|---|
| INLINECODE31 | Asset inventory (Phase 1) |
| INLINECODE32 |
Scan results with changelog data (Phase 2) |
|
references/report-format.md | Report template (Phase 5 only) |
|
references/three-gates.md | Detailed gate definitions |
|
~/.openclaw/skill-backups/ | Skill backup directory |
|
~/.openclaw/extensions-backup/ | Extension backup directory |
|
~/.openclaw/plist-backup/ | Gateway plist backup (core upgrades) |
智能更新器
原则:宁可不升,不可升坏。
执行合约
最终报告无效,除非满足以下所有条件:
- - inventory.json 存在(第一阶段完成)
- scan-result.json 存在(第二阶段完成)
- 每个更新候选对象都有变更日志摘要或明确的不可用说明(第三阶段完成)
- 每个更新候选对象都有风险等级(第四阶段完成)
如果任何条件未满足,则不要生成报告。输出 BLOCKED 并附上缺失项。
禁止事项
- - 在获取变更日志之前,切勿生成报告
- 切勿推断或编造变更日志内容——请获取它们
- 切勿在没有变更日志证据的情况下向用户呈现更新
- 切勿因为某个更新候选对象的变更日志难以查找而跳过它
快速命令
仅清单
bash
bash ~/.openclaw/workspace/skills/smart-updater/scripts/inventory.sh
扫描所有已安装资源 → ~/.openclaw/inventory.json
仅扫描
bash
bash ~/.openclaw/workspace/skills/smart-updater/scripts/scan.sh
检查每个可追踪资源的更新 → ~/.openclaw/scan-result.json
完整检查(最常见)
按顺序执行以下第一至第五阶段。
工作流程
第一阶段 — 清单
操作:运行 inventory.sh
输出:~/.openclaw/inventory.json
退出条件:文件存在且包含 assets 数组
资源类型:core/npm、extension/npm、extension/local、extension/github、skill/clawhub、skill/github、skill/local、builtin/bundled
在第一阶段退出条件满足之前,请勿继续。
第二阶段 — 扫描
操作:运行 scan.sh
输出:~/.openclaw/scan-result.json
退出条件:文件存在且包含 updates 数组
在第二阶段退出条件满足之前,请勿继续。
如果 updates 为空 → 报告全部为最新并停止。无需后续阶段。
第三阶段 — 获取变更日志
操作:针对 scan-result.json 中的
每个更新,获取变更日志/发布说明。
输出:每个更新候选对象的变更日志摘要。
| 来源 | 获取方式 |
|---|
| ClawHub | clawhub inspect <slug> --versions --limit 5 |
| npm |
npm info
--json → 检查 repository,然后 web_fetch GitHub 发布 |
| GitHub | cd && git log --oneline HEAD..origin/main 或来自 scan-result 的 changelogUrl |
注意:scan-result.json 可能已包含 ClawHub 技能的 changelog 数组。如果存在则使用,但如果内容稀疏则需验证/补充。
对于每个更新,记录:
- - 变更的一行摘要
- 来源 URL 或使用的命令
- 破坏性变更(如有)
- 如果获取失败,则记录不可用及原因
退出条件:每个更新候选对象要么:
- - 有包含来源的变更日志摘要,要么
- 有明确的变更日志不可用说明及尝试过的来源
⛔ 在第三阶段退出条件满足之前,请勿继续到第四阶段。
第四阶段 — 风险评估
操作:使用以下矩阵为每个更新分配风险等级:
| 条件 | 风险 | 操作 |
|---|
| 补丁 + 错误修复 | 🟢 低 | 推荐 |
| 次要 + 功能 |
🟡 中 | 建议 |
| 主要 + 破坏性 | 🔴 高 | 需要确认 |
| 扩展类型 | 🟡+ | 始终执行完整的第二道门流程 |
| 变更日志不可用 | 🟠 未知 | 标记为人工审查 |
| 新增可执行脚本 | 🟠+ | 建议使用技能审查器 |
| 名称冲突 | 🔴 | 阻止升级(第一道门) |
退出条件:每个更新候选对象都已分配风险等级。
门控 — 报告前验证
在生成报告之前,验证:
- - [ ] 每个更新都有变更日志摘要或不可用说明
- [ ] 每个更新都有风险等级
- [ ] 每个更新都有变更日志来源(URL 或命令)
如果任何复选框未通过 → 输出 BLOCKED: <缺失项>。请勿继续。
第五阶段 — 报告
现在才读取 references/report-format.md 并使用该模板生成报告。
报告必须包含第三阶段的变更日志摘要。如果第三阶段数据缺失,则返回第三阶段。
第六阶段 — 等待用户
呈现报告并等待。请勿自动升级。在用户明确选择之前,请勿继续。
升级执行
当用户选择要应用的更新时:
一次一个,按顺序执行升级。 每个必须通过三道门:
第一道门:预检 → 第二道门:隔离 → 第三道门:后检 → ✅
失败↓ 失败↓ 失败↓
阻止升级 中止+回滚 回滚+通知
- - 第一道门:来源可追踪,无名称冲突,网关健康(扩展),本地/GitHub 扩展被阻止
- 第二道门:备份隔离,jiti 清除(扩展),配置保留(核心),执行升级
- 第三道门:版本验证,文件计数检查,来源验证,失败时回滚
有关详细的门控定义和回滚流程:阅读 references/three-gates.md
对于每次升级:宣布 → 第一道门 → 第二道门(备份+执行) → 第三道门(验证) → 报告结果
文件
| 文件 | 用途 |
|---|
| ~/.openclaw/inventory.json | 资源清单(第一阶段) |
| ~/.openclaw/scan-result.json |
带有变更日志数据的扫描结果(第二阶段) |
| references/report-format.md | 报告模板(仅第五阶段) |
| references/three-gates.md | 详细的门控定义 |
| ~/.openclaw/skill-backups/ | 技能备份目录 |
| ~/.openclaw/extensions-backup/ | 扩展备份目录 |
| ~/.openclaw/plist-backup/ | 网关 plist 备份(核心升级) |
