Skip to content

fix: derive CLI version from package.json (v1.3.2)#4

Merged
chenliuyun merged 1 commit intomainfrom
fix/version-drift
Apr 19, 2026
Merged

fix: derive CLI version from package.json (v1.3.2)#4
chenliuyun merged 1 commit intomainfrom
fix/version-drift

Conversation

@chenliuyun
Copy link
Copy Markdown
Collaborator

@chenliuyun chenliuyun commented Apr 19, 2026

Summary

  • Root cause: src/index.ts:24 hardcoded .version('2.1.0'), decoupled from package.json. Every release required two manual edits; v1.3.1 shipped with switchbot --version reporting 2.1.0 while package.json said 1.3.1.
  • Three-layer fix:
    • C (eliminate at source): src/index.ts now reads version via createRequire('../package.json') — single source of truth.
    • A (local test guard): tests/version.test.ts spawns node dist/index.js --version and compares against package.json. vitest globalSetup runs npm run build once per test run.
    • B (CI guard): .github/workflows/ci.yml runs the compiled CLI post-build and diffs its output against package.json, failing the PR on drift.
  • Bump package.json1.3.2, package-lock.json resynced.

Test plan

  • npm run build clean
  • npm test — 659/659 pass across 37 files (658 existing + 1 new drift guard)
  • node dist/index.js --version prints 1.3.2
  • CI smoke step fires on this PR (observe the "CLI --version matches package.json" step)

fix: derive CLI version from package.json (v1.3.2)
3c27f87 
Root cause: src/index.ts hardcoded `.version('2.1.0')`, decoupled from
package.json, so every release required two manual edits and one was
bound to drift. v1.3.1 shipped with `switchbot --version` reporting
`2.1.0` while package.json said `1.3.1`.

Fix (three layers):
- C: src/index.ts reads version via createRequire('../package.json') —
  single source of truth. Version strings can no longer be hardcoded.
- A: tests/version.test.ts spawns `node dist/index.js --version` and
  compares with package.json. vitest globalSetup runs `npm run build`
  once per test run so the compiled CLI is always fresh.
- B: ci.yml adds a post-build step that runs the CLI and diffs its
  output against package.json, failing the PR on drift.

Side changes:
- tests/commands/capabilities.test.ts fixture: '2.1.0' -> '0.0.0-test'
  so grep for the stale version leaves no ghosts.
- package.json 1.3.1 -> 1.3.2, package-lock.json resynced.

Tests: 659/659 pass (658 existing + 1 new version drift guard).
@chenliuyun chenliuyun merged commit 569d445 into main Apr 19, 2026
3 checks passed
@chenliuyun chenliuyun deleted the fix/version-drift branch April 19, 2026 03:00
chenliuyun pushed a commit that referenced this pull request Apr 20, 2026
@claude
fix(mcp): strict schemas + dryRun support on mutating tools (security…
4db24da 
… fix for bug #4)

Convert all 10 plain-object inputSchemas to z.object({...}).strict() so unknown
keys are rejected with JSON-RPC -32602, closing the silent-passthrough hole that
allowed dryRun:true (or any unknown key) to reach the Smart Lock / Garage Door
live API calls. Add dryRun:boolean?.optional() to send_command and run_scene;
when true, returns { ok:true, dryRun:true, wouldSend:{...} } without any API call.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
chenliuyun pushed a commit that referenced this pull request Apr 20, 2026
@claude
docs(changelog): describe 2.5.0 bug fixes from v2.4.0 report
04419fb 
Document every fix landed in this branch beyond the history-aggregate
feature: bugs #1, #4, #5, #6, #8, #9, #10, #11, #12, #13, #14, #15,
#16, #17, #18 from the OpenClaw v2.4.0 smoke-test report. Call out
the deferred items (#2, #7) explicitly so readers don't assume they
were overlooked.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@chenliuyun chenliuyun mentioned this pull request Apr 20, 2026
Merged
4 tasks
chenliuyun pushed a commit that referenced this pull request Apr 20, 2026
fix(mcp): strict schemas + dryRun support on mutating tools (security…
618e506 
… fix for bug #4)

Convert all 10 plain-object inputSchemas to z.object({...}).strict() so unknown
keys are rejected with JSON-RPC -32602, closing the silent-passthrough hole that
allowed dryRun:true (or any unknown key) to reach the Smart Lock / Garage Door
live API calls. Add dryRun:boolean?.optional() to send_command and run_scene;
when true, returns { ok:true, dryRun:true, wouldSend:{...} } without any API call.
chenliuyun pushed a commit that referenced this pull request Apr 20, 2026
docs(changelog): describe 2.5.0 bug fixes from v2.4.0 report
90f07be 
Document every fix landed in this branch beyond the history-aggregate
feature: bugs #1, #4, #5, #6, #8, #9, #10, #11, #12, #13, #14, #15,
#16, #17, #18 from the OpenClaw v2.4.0 smoke-test report. Call out
the deferred items (#2, #7) explicitly so readers don't assume they
were overlooked.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@chenliuyun