fix(deps): pin to published versions of tsx and claude-agent-acp

[trumpyla]

Summary

acpx@0.9.0 declared two dependency versions that are not (or were not) published to npm, leaving fresh installs broken:

Package	Declared	Actual npm latest	Symptom
tsx	^4.22.0	4.21.0 (at the time of 0.9.0's release)	pnpm i / npm i fails with ETARGET No matching version
@agentclientprotocol/claude-agent-acp	^0.36.1 (in src/agent-registry.ts)	0.33.1	acpx claude cannot spawn the adapter — npx -y …@0.36.1 404s

Both pins lowered to the newest versions actually on the registry.

Changes

• package.json — tsx: ^4.22.0 → ^4.21.0
• src/agent-registry.ts — claude: ^0.36.1 → ^0.33.1
• pnpm-lock.yaml — refreshed to match

tsx 4.22.x has since been republished (4.22.3), but ^4.21.0 is a safer floor and resolves to the same 4.22.3 on a fresh install, so keeping it as the minimum protects against another transient republish.

Verification

• pnpm install then pnpm run build succeed on a clean clone.
• npm install -g . produces a working global acpx (acpx --version → 0.9.0).
• The built dist/ no longer carries the broken @0.36.1 reference (grep returns nothing); acpx claude spawns claude-agent-acp@0.33.1 cleanly.

[clawsweeper]

Codex review: needs real behavior proof before merge.

Latest ClawSweeper review: 2026-05-23 22:05 UTC / May 23, 2026, 6:05 PM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The branch lowers the tsx dependency specifier, lowers the built-in Claude ACP adapter range, and refreshes the lockfile specifier.

Reproducibility: no. Current npm registry metadata now publishes both tsx@4.22.x and @agentclientprotocol/claude-agent-acp@0.36.1, so the reported ETARGET and adapter 404 path is not reproducible from the dependency source of truth.

PR rating
Overall: 🧂 unranked krab
Proof: 🦪 silver shellfish
Patch quality: 🧂 unranked krab
Summary: The branch has a concrete compatibility blocker and lacks real behavior proof, so it is not quality-ready for merge.

Rank-up moves:

• Restore or intentionally advance the Claude adapter range instead of downgrading it.
• Add redacted terminal output or logs showing clean install and acpx claude behavior after revision.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Needs real behavior proof before merge: The PR body lists verification steps, but it does not include terminal output, logs, screenshots, recordings, or linked artifacts proving a clean install and acpx claude launch after the change. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

• Merging as-is would downgrade the built-in Claude adapter from the current ^0.36.1 range to ^0.33.1, which can remove fixes or behavior that existing acpx claude users now receive from the published adapter range.
• The PR body states install and launch verification but does not include terminal output, logs, screenshots, recordings, or linked artifacts showing the after-change behavior in a real setup.

Maintainer options:

1. Preserve the Claude adapter contract (recommended)
   Revise the branch so the built-in Claude adapter range stays at ^0.36.1 or advances intentionally to a currently published compatible range, with focused validation for acpx claude.
2. Close and replace the stale dependency fix
   If maintainers consider the unpublished-version incident transient, close this branch and ask for a new narrow PR only for any remaining dependency-floor policy change.

Copy recommended automerge instruction

@clawsweeper automerge

Special instructions:
Preserve or intentionally advance the Claude adapter range instead of downgrading it, refresh the lockfile only if necessary, and add focused validation evidence for `acpx claude`.

Next step before merge
Human review is needed because the remaining decision is whether to preserve, advance, or otherwise policy-adjust the Claude adapter range after the registry state changed.

Security
Cleared: The diff changes dependency ranges but does not add new package sources, lifecycle hooks, workflow permissions, secrets access, or release behavior.

Review findings

• [P1] Restore the current Claude adapter range — src/agent-registry.ts:8

Review details

Best possible solution:

Keep the Claude adapter on a currently published non-downgrade range and only adjust dependency floors when current registry evidence and install proof show that a lower floor is still needed.

Do we have a high-confidence way to reproduce the issue?

No. Current npm registry metadata now publishes both tsx@4.22.x and @agentclientprotocol/claude-agent-acp@0.36.1, so the reported ETARGET and adapter 404 path is not reproducible from the dependency source of truth.

Is this the best way to solve the issue?

No. The Claude adapter downgrade is no longer the narrowest safe fix; the safer solution is to keep a published non-downgrade range and require fresh install plus launch proof for any dependency-floor change.

Label changes:

• add P2: This is a normal dependency and built-in adapter compatibility PR with limited blast radius, not an urgent runtime outage on current registry state.
• add merge-risk: 🚨 compatibility: The PR downgrades a built-in adapter range that current users may rely on for published fixes and behavior.
• add merge-risk: 🚨 auth-provider: The changed range controls the Claude provider adapter launched by acpx claude, so merging could alter provider startup behavior.

Label justifications:

• P2: This is a normal dependency and built-in adapter compatibility PR with limited blast radius, not an urgent runtime outage on current registry state.
• merge-risk: 🚨 compatibility: The PR downgrades a built-in adapter range that current users may rely on for published fixes and behavior.
• merge-risk: 🚨 auth-provider: The changed range controls the Claude provider adapter launched by acpx claude, so merging could alter provider startup behavior.
• rating: 🧂 unranked krab: Current PR rating is 🧂 unranked krab because proof is 🦪 silver shellfish, patch quality is 🧂 unranked krab, and The branch has a concrete compatibility blocker and lacks real behavior proof, so it is not quality-ready for merge.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body lists verification steps, but it does not include terminal output, logs, screenshots, recordings, or linked artifacts proving a clean install and acpx claude launch after the change. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Full review comments:

• [P1] Restore the current Claude adapter range — src/agent-registry.ts:8
  The registry now publishes @agentclientprotocol/claude-agent-acp@0.36.1 and newer, so lowering the built-in claude adapter range to ^0.33.1 would downgrade existing users and can drop fixes or behavior they currently receive. Keep the current ^0.36.1 range, or intentionally advance it with maintainer-visible compatibility proof, instead of pinning back to an older floor.
  Confidence: 0.93

Overall correctness: patch is incorrect
Overall confidence: 0.93

Acceptance criteria:

• pnpm run check
• npm view tsx versions --json
• npm view @agentclientprotocol/claude-agent-acp versions --json
• pnpm run dev -- claude status

What I checked:

• Current Claude range on main: Current main keeps the built-in Claude adapter range at ^0.36.1, so the PR would downgrade the built-in adapter command used by acpx claude. (src/agent-registry.ts:8, aa61f9e8ba07)
• Current tsx dependency on main: Current main declares tsx as ^4.22.0, while the lockfile resolves it to 4.22.3; the PR only lowers the minimum specifier to ^4.21.0 without changing the resolved package version. (package.json:76, aa61f9e8ba07)
• PR diff changes dependency floors: The provided PR diff changes package.json, pnpm-lock.yaml, and src/agent-registry.ts by one specifier each: tsx from ^4.22.0 to ^4.21.0, and Claude adapter from ^0.36.1 to ^0.33.1. (src/agent-registry.ts:8, ff4a7724844f)
• Registry state no longer matches downgrade premise: Live npm metadata shows tsx has 4.22.3 published and @agentclientprotocol/claude-agent-acp has 0.36.1 and newer 0.37.0 published, so the reported unpublished-version failure is no longer reproducible from registry metadata.
• Claude adapter range provenance: Commit 8eaac40927702ce5ff9886c31097f4b1904e00db introduced the ^0.36.1 Claude adapter range during dependency and release updates, and commit aa61f9e8ba074a7bf79664ffb682e58a45002526 later maintained the same range while adding the built-in agents list. (src/agent-registry.ts:8, 8eaac4092770)

Likely related people:

• steipete: Recent current-main commits touched src/agent-registry.ts, dependency metadata, docs, and tests around built-in agents, including maintaining the current Claude adapter range in the built-in agent list commit. (role: recent area contributor; confidence: high; commits: aa61f9e8ba07, 8eaac4092770; files: src/agent-registry.ts, package.json, pnpm-lock.yaml)
• openclaw: Earlier commits in the current file history introduced and iterated on the built-in agent registry surface that this PR modifies. (role: feature history contributor; confidence: medium; commits: 073e7266f7ab, a7474f384262; files: src/agent-registry.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against aa61f9e8ba07.

[clawsweeper]

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature or rarity is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.