Skip to content

Docs(osa) slash compat and release recovery note#10

Merged
St0rmz1 merged 6 commits intomainfrom
docs/slash-compat-and-release-recovery-note
Apr 20, 2026
Merged

Docs(osa) slash compat and release recovery note#10
St0rmz1 merged 6 commits intomainfrom
docs/slash-compat-and-release-recovery-note

Conversation

@St0rmz1
Copy link
Copy Markdown
Collaborator

@St0rmz1 St0rmz1 commented Apr 19, 2026
edited
Loading

Summary

Docs-only PR covering three related areas the last two releases exposed as gaps:

  • Slash-command channel compatibility. Documents that /security-checkup works in the OpenClaw native control UI chat and Telegram, but not in Kilo Chat or Slack (those channels don't route OpenClaw slash commands). Kilo Chat / Slack users should invoke the plugin via natural language so the agent calls the kilocode_security_advisor tool directly. The tool description now tells the agent not to suggest /security-checkup in those channels.

  • Path-agnostic update reminder. Security checkup reports now occasionally append a "stay current" footer with npm view @kilocode/openclaw-security-advisor version and the upgrade commands. The footer is applied in doCheckup at the markdown layer, so it surfaces on both the LLM-driven kilocode_security_advisor tool path and the LLM-bypassing /security-checkup slash command path — fixing an earlier approach that lived only in the tool description and would never have reached slash-command users. Cadence is roughly 1-in-5 successful reports. README has a new Staying up to date section documenting the commands.

  • Release recovery banner. Documents the current partial-publish failure mode (github-actions[bot] not on the main ruleset's bypass list → every stable publish fails at the post-publish push step with GH013). Gives a clean 3-step recovery:

    1. Check what landed on origin.
    2. Common case (tag landed, only the release is missing): one gh release create --verify-tag command.
    3. Rare case (tag also missing): follow Scenario 4.

    --verify-tag is critical — without it, gh release create silently mints a missing tag at current main HEAD, pointing the release at code that was never published to npm. RELEASING.md's Branch protection section now also lists the two durable fixes (add the bot to the bypass list, or refactor stable publishes to never touch main).

Test plan

  • bun run typecheck — passes
  • bun run format:check — passes
  • bun test — 44 pass / 0 fail

🤖 Generated with Claude Code

St0rmz1 added 2 commits April 17, 2026 11:02
@St0rmz1
Update release directions
29f2638 
Update docs and agent hints that slash commands don't work with all channels, such as Slack
@St0rmz1
docs(update-reminder): prompt users to keep plugin current
f1b3411
kilo-code-bot[bot]
kilo-code-bot Bot reviewed Apr 19, 2026
View reviewed changes
Comment thread README.md Outdated
Comment thread RELEASING.md
@kilo-code-bot
Copy link
Copy Markdown

kilo-code-bot Bot commented Apr 19, 2026
edited
Loading

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (2 files)
  • CHANGELOG.md
  • RELEASING.md

Reviewed by gpt-5.4-2026-03-05 · 611,304 tokens

kilo-code-bot[bot]
kilo-code-bot Bot reviewed Apr 19, 2026
View reviewed changes
Comment thread RELEASING.md Outdated
kilo-code-bot[bot]
kilo-code-bot Bot reviewed Apr 19, 2026
View reviewed changes
Comment thread RELEASING.md Outdated
@St0rmz1
The previous revision wrongly told operators to run git tag vX.Y.Z <r…
a8be870 
…unner-sha> && git push origin vX.Y.Z.

  That doesn't work because:
  - The commit was built inside the runner by publish.yml:185 (git commit -m "release: $TAG")
  - When the push was rejected, that commit object lives only in the (now-destroyed) runner; the operator's
  local clone has no way to fetch it
  - git tag <sha> fails with "unknown revision" on any SHA git doesn't know

  Corrected: when the tag is missing, point readers at Scenario 4 (which already documents the correct
  reconstruct-and-tag flow — bump package.json locally to the published version, commit, tag, push). Also noted
   that the workflow's Print recovery instructions on partial failure step prints this same sequence inline in
  the failed run's logs.
kilo-code-bot[bot]
kilo-code-bot Bot reviewed Apr 19, 2026
View reviewed changes
Comment thread RELEASING.md Outdated
@St0rmz1 St0rmz1 enabled auto-merge April 19, 2026 23:09
@St0rmz1 St0rmz1 merged commit acd6a9a into main Apr 20, 2026
7 checks passed
@St0rmz1 St0rmz1 deleted the docs/slash-compat-and-release-recovery-note branch April 20, 2026 10:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jeanduplessis jeanduplessis jeanduplessis approved these changes

+1 more reviewer

@kilo-code-bot kilo-code-bot[bot] kilo-code-bot[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@St0rmz1 @jeanduplessis