Add hard-coded OpenClaw official publishers

[jesse-merhi]

Summary

• Derive Official publisher status from the hard-coded openclaw org: the openclaw org publisher is Official, and current openclaw org members' personal publishers are Official while membership exists.
• Keep package publishing/channel decisions tied to that policy; trustedPublisher remains only an automated publish permission.
• Remove the overbuilt persisted Official state/sync/backfill path: no publishers.official, no skill badge source metadata, no official skill digest index, and no generic endpoint for arbitrary Official publishers.
• Render the blue Official badge in publisher/profile, skill, and plugin UI where the existing public data supports it.
• Document the narrowed policy.

Visual proof

Captured locally with origin/main on localhost:3101 and this PR on localhost:3100.

Surface	Mode	Before	After
Plugin detail, /plugins/@openclaw/codex	Dark
Plugin detail, /plugins/@openclaw/codex	Light
Member profile with OpenClaw org affiliation, /user/steipete	Dark
Member profile with OpenClaw org affiliation, /user/steipete	Light	n/a
OpenClaw org profile with member/published-item badges, /user/openclaw	Dark	n/a
OpenClaw org profile with member/published-item badges, /user/openclaw	Light	n/a
Skill detail title badge, /openclaw/official-agent-toolkit	Dark
Skill detail title badge, /openclaw/official-agent-toolkit	Light	n/a
Skill card tag row, /skills?q=official-agent-toolkit&view=grid	Dark
Skill card tag row, /skills?q=official-agent-toolkit&view=grid	Light	n/a
Runtime plugin detail, /plugins/@openclaw/runtime-tools	Dark
Runtime plugin detail, /plugins/@openclaw/runtime-tools	Light	n/a

DOM check

• /plugins/@openclaw/codex: before dark/light Official badge count 0; after dark/light Official badge count 1.
• /user/steipete: before dark Official badge count 0; after dark/light Official badge count 3.
• /user/openclaw: after dark/light Official badge count 6.
• /openclaw/official-agent-toolkit: before dark Official badge count 0 and Verified text count 1; after dark/light Official badge count 1 and Verified text count 0.
• /skills?q=official-agent-toolkit&view=grid: before dark Official badge count 0 and Verified text count 1; after dark/light Official badge count 1 and Verified text count 0.
• /plugins/@openclaw/runtime-tools: before dark Official badge count 0; after dark/light Official badge count 1.
• The only recurring console error in the screenshot run was the same dev-only theme hydration warning.

Prod data check

• Active Official packages in prod: 32.
• Official packages outside hard-coded OpenClaw ownership: 0.
• Trusted publishers/users outside hard-coded OpenClaw ownership: 0.
• One non-OpenClaw skill-level Official badge exists (x-search by Jaaneek), and this PR preserves skill-level Official badges.

Verification

• bun run test
• bun run test convex/lib/officialPublishers.test.ts convex/lib/public.test.ts convex/packages.public.test.ts convex/publishers.test.ts
• bun run test src/components/SkillHeader.test.tsx src/components/PublisherListItem.test.tsx src/components/PluginListItem.test.tsx src/components/SkillListItem.test.tsx src/components/UserBadge.test.tsx src/components/PublishedItemCard.test.tsx src/components/SkillCard.test.tsx src/__tests__/packages-route.test.tsx src/__tests__/package-detail-route.test.tsx
• bun run format:check
• bun run lint
• VITE_CONVEX_URL=https://example.invalid bunx tsc --noEmit
• bunx tsc -p packages/schema/tsconfig.json --noEmit
• bunx tsc -p packages/clawhub/tsconfig.json --noEmit

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clawhub	Ready	Preview, Comment	May 26, 2026 6:34am

[clawsweeper]

Codex review: found issues before merge. Reviewed May 26, 2026, 3:17 AM ET / 07:17 UTC.

Summary
The PR derives Official publisher/package status from hard-coded OpenClaw ownership and updates package channel policy, badge UI, docs, specs, and tests.

Reproducibility: yes. for the identified PR bug by source inspection: SkillHeader consumes owner.official, while the skill detail owner mapper still emits the old public publisher shape. I did not run the app because this review is read-only.

Review metrics: 1 noteworthy metric.

• PR surface: 39 files changed. The patch spans Convex policy, public types, UI rendering, docs, specs, and tests, so compatibility and trust-boundary review matter before merge.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🦞 diamond lobster ✨ media proof bonus
Patch quality: 🦐 gold shrimp
Result: needs maintainer review before merge.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Get maintainer confirmation of the Official source of truth before merge.
• Hydrate or remove the skill-detail owner.official path so tests prove real Convex payload behavior.

Mantis proof suggestion
A browser visual proof pass would help confirm the Official badge across the changed ClawHub UI surfaces after the data-flow fix. A maintainer can ask Mantis to capture proof by posting a new PR comment that starts with the OpenClaw Mantis account mention, followed by:

visual task: verify Official badges on plugin detail, publisher profile, skill detail, and skill/plugin cards for OpenClaw-owned content after the PR changes.

Risk before merge

• Merging changes official-channel eligibility away from trustedPublisher, so existing admin or automation assumptions around trusted publishers may stop granting official package status.
• Official trust would derive from the openclaw publisher handle and current org membership; that is security-sensitive and needs explicit maintainer acceptance before merge.
• The UI currently has a broken owner-based skill detail badge path because the backend does not populate owner.official there.

Maintainer options:

1. Confirm boundary and repair data flow (recommended)
   Before merge, maintainers should confirm the authoritative Official source of truth and the branch should then hydrate or remove the owner.official skill detail path to match that decision.
2. Use an admin-controlled proof signal
   If handle-only Official is too broad, bind Official to an admin-controlled source such as a reserved-handle owner, configured publisher id, or explicit approved publisher state while preserving current UI proof expectations.
3. Pause the policy change
   If the Official trust model is not settled, pause this PR and keep trustedPublisher behavior unchanged until the policy is specified.

Next step before merge
Maintainers need to decide the Official identity boundary; after that, the author or a repair lane can make the skill detail badge data flow match the decision.

Security
Needs attention: The diff introduces a trust-boundary change by deriving Official from the OpenClaw handle and org membership, which needs explicit maintainer acceptance before merge.

Review findings

• [P1] Require ownership proof before granting Official — convex/lib/officialPublishers.ts:33-34
• [P2] Hydrate owner.official before rendering it — src/components/SkillHeader.tsx:151

Review details

Best possible solution:

Land the narrowed Official policy only after maintainers accept the OpenClaw identity boundary and the skill detail owner data path is made consistent with the intended badge behavior.

Do we have a high-confidence way to reproduce the issue?

Yes for the identified PR bug by source inspection: SkillHeader consumes owner.official, while the skill detail owner mapper still emits the old public publisher shape. I did not run the app because this review is read-only.

Is this the best way to solve the issue?

No, not yet; the implementation should either hydrate Official publisher status into skill detail owners or remove the owner-based title badge path, and maintainers still need to accept the trust boundary.

Full review comments:

• [P1] Require ownership proof before granting Official — convex/lib/officialPublishers.ts:33-34
isOfficialPublisher currently makes any active org publisher with normalized handle openclaw Official. Since self-serve org creation only blocks that handle when an active reserved-handle row exists for another user, a fresh or misconfigured deployment can mint Official trust by handle alone; bind this to an admin-controlled proof signal before using it for badges and official package eligibility.
  Confidence: 0.82
• [P2] Hydrate owner.official before rendering it — src/components/SkillHeader.tsx:151
SkillHeader now treats owner.official as enough to render the title Official tag, but the skill detail queries still build owners with toPublicPublisher(...) in convex/skills.ts, so normal skill detail payloads never include that field. OpenClaw-owned skills without a skill-level badges.official entry will still miss the new badge even though the component test injects owner.official directly.
  Confidence: 0.89

Overall correctness: patch is incorrect
Overall confidence: 0.86

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 8a2c0c06fd17.

Label changes

Label changes:

• add rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🦞 diamond lobster and patch quality is 🦐 gold shrimp.
• remove rating: 🧂 unranked krab: Current PR rating is rating: 🦐 gold shrimp, so this older rating label is no longer current.

Label justifications:

• P2: This is a meaningful policy/UI feature with limited but real trust-signal and package-publishing blast radius.
• merge-risk: 🚨 compatibility: The PR changes official-channel eligibility away from trustedPublisher and renames visible/filter language from Verified to Official.
• merge-risk: 🚨 security-boundary: The PR turns the OpenClaw publisher handle and current org membership into the source of truth for Official trust signals and official package eligibility.
• rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🦞 diamond lobster and patch quality is 🦐 gold shrimp.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (screenshot): The PR body includes after-fix screenshots and DOM counts comparing local main and the PR branch across plugin detail, publisher profile, skill detail, and grid/list surfaces.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix screenshots and DOM counts comparing local main and the PR branch across plugin detail, publisher profile, skill detail, and grid/list surfaces.
• proof: 📸 screenshot: Contributor real behavior proof includes screenshot evidence. The PR body includes after-fix screenshots and DOM counts comparing local main and the PR branch across plugin detail, publisher profile, skill detail, and grid/list surfaces.

Evidence reviewed

Security concerns:

• [medium] Official trust derives from handle membership — convex/lib/officialPublishers.ts:33
isOfficialPublisher treats the openclaw org handle and all current members' personal publishers as Official. That is security-sensitive because it controls public trust badges and official package-channel eligibility.
  Confidence: 0.86

What I checked:

• Official helper grants by handle: The PR adds isOfficialPublisher, which treats any active org publisher whose normalized handle is openclaw as Official. (convex/lib/officialPublishers.ts:33, dbcd18a7903e)
• SkillHeader consumes owner.official: The PR adds an owner?.official condition for the skill detail title Official tag. (src/components/SkillHeader.tsx:151, dbcd18a7903e)
• Skill detail owner is not hydrated with official: The PR head still uses toPublicPublisher(ownerPublisher) in the skill detail query, so owner.official is not populated for normal skill detail payloads. (convex/skills.ts:2228, dbcd18a7903e)
• Self-serve org creation is reservation-dependent: Current main self-serve org creation blocks reserved handles only when an active reserved-handle row exists for another user; openclaw is not a hard-coded public-owner reservation in publicRouteReservations. (convex/publishers.ts:832, 8a2c0c06fd17)
• Contributor proof: The PR body includes before/after screenshots and DOM-count checks for plugin detail, publisher profile, skill detail, and card/list surfaces, plus targeted test and typecheck commands. (dbcd18a7903e)
• Feature history: Publisher ownership and package registry history traces through publisher org ownership, native package registry flows, trusted publishing, and recent self-serve publisher work. (0b888a2d1371)

Likely related people:

• Patrick Erichsen: Recent commits touched self-serve publisher creation, package/publisher behavior, and adjacent ClawHub security surfaces. (role: recent area contributor; confidence: high; commits: 0b888a2d1371, ffdd06a731aa, cc16d7fbd924; files: convex/publishers.ts, convex/packages.ts, convex/skills.ts)
• Peter Steinberger: Earlier history introduced the native package registry, publisher org ownership, and legacy publisher handle migration paths this PR builds on. (role: feature originator; confidence: high; commits: fc7d4dadca25, f6ce8f9e1efa, 22287558b9d3; files: convex/packages.ts, convex/publishers.ts, convex/schema.ts)
• Onur: Introduced package trusted publishing via GitHub OIDC, which is the current-main policy signal this PR separates from Official. (role: adjacent owner; confidence: medium; commits: 8592272720fe; files: convex/packages.ts, convex/publishers.ts, packages/clawhub/src/cli/commands/packages.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[Copilot]

Pull request overview

This PR introduces an admin-controlled “official publisher” policy flag and surfaces “Official” badges/labels across the product (UI), API schemas/docs, and CLI-installed skill origin metadata. It aligns prior “Verified” UI copy with the new “Official” terminology and connects publisher officialness to package channel/isOfficial behavior.

Changes:

• Add publishers.official (admin-set) and expose it as official: boolean in public publisher shapes and HTTP API responses/schemas.
• Update UI to display “Official” badges for publishers and official packages (replacing “Verified” copy in multiple views).
• Extend CLI install/update to persist ownerHandle + official into installed skill origin metadata; add docs/spec updates for the new policy.

Reviewed changes

Copilot reviewed 36 out of 42 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
src/styles.css	Add styling for the “Official” user badge.
src/routes/plugins/index.tsx	Relabel “Verified only” filter to “Official only” in plugin browse UI.
src/routes/plugins/$name.tsx	Replace verified badge UI with an “Official” badge/icon for official packages.
src/routes/p/$handle.tsx	Show “Official” badge on publisher profile when publisher is official.
src/routes/management.tsx	Update management UI badge copy/styling for official plugins.
src/routes/index.tsx	Update home/trending UI label from “Verified” to “Official”.
src/lib/publicUser.ts	Extend PublicPublisher type to include official?: boolean.
src/components/UserBadge.tsx	Render “Official” badge in UserBadge when the passed user/publisher is official.
src/components/UserBadge.test.tsx	Add test coverage for “Official” badge rendering; mock Convex client.
src/components/PluginListItem.tsx	Update list/card tags to show “Official” instead of “Verified”.
src/tests/package-detail-route.test.tsx	Assert official packages are labeled “Official” (and not “Verified”).
specs/spec.md	Document publisher official policy signal and its UI effects.
specs/plans/plugins.md	Update channel policy wording to use publisher “Official” flag.
specs/orgs.md	Add official?: { byUserId, at } field to publisher/org spec.
specs/official-publishers.md	New spec doc defining “Official publishers” policy and constraints.
packages/schema/src/schemas.ts	Add official?: boolean to skill list/detail schemas and skill owner schema.
packages/schema/src/packages.ts	Add official?: boolean to package owner schema.
packages/schema/dist/schemas.js.map	Built artifact update for schema changes.
packages/schema/dist/schemas.js	Built artifact update for schema changes.
packages/schema/dist/schemas.d.ts	Built artifact update for schema changes.
packages/schema/dist/packages.js.map	Built artifact update for schema changes.
packages/schema/dist/packages.js	Built artifact update for schema changes.
packages/schema/dist/packages.d.ts	Built artifact update for schema changes.
packages/clawhub/src/skills.ts	Extend installed skill origin parsing to include ownerHandle + official.
packages/clawhub/src/skills.test.ts	Test roundtrip read/write of new origin metadata fields.
packages/clawhub/src/schema/schemas.ts	Mirror schema updates for the CLI package (skills schemas).
packages/clawhub/src/schema/packages.ts	Mirror schema updates for the CLI package (packages schemas).
packages/clawhub/src/cli/commands/skills.ts	Persist official/ownerHandle metadata into installed skill origin on install/update.
packages/clawhub/src/cli/commands/skills.test.ts	Test that install writes official publisher metadata into origin.
docs/publishing.md	Add documentation section describing “Official” policy and its meaning.
docs/http-api.md	Document official in skill responses and owner.official semantics; update policy text.
convex/skills.public.test.ts	Ensure public owner response includes official: false (sanitized publisher shape).
convex/schema.ts	Add publishers.official field to Convex schema.
convex/publishers.ts	Add admin mutation to set official publisher and sync package official/channel state.
convex/publishers.test.ts	Add tests for setting/unsetting official publisher and syncing packages + digests.
convex/packages.ts	Enforce “official channel” eligibility based on official publisher (not trustedPublisher).
convex/packages.public.test.ts	Update tests to use official publisher eligibility for official package operations.
convex/lib/public.ts	Expose official boolean in toPublicPublisher.
convex/lib/public.test.ts	Add unit test for public publisher official mapping.
convex/httpApiV1/skillsV1.ts	Expose skill.official and owner.official in skills HTTP API responses.
convex/httpApiV1/packagesV1.ts	Include owner.official in packages/skills-as-packages HTTP API responses.
convex/httpApiV1.handlers.test.ts	Update handler tests to include official badges/owner official signals.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[clawsweeper]

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.