chore(deps): bump plugins/a2a-gateway from a335e59 to 1a03a74

[dependabot]

Bumps plugins/a2a-gateway from a335e59 to 1a03a74.

Commits

• 1a03a74 fix: raise A2A JSON body limit to allow inline file transfers (#69)
• 6044306 fix: restore OpenClaw 2026.5.x compatibility (gateway methods + startup activ...
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[clawsweeper]

Codex review: needs changes before merge.

Latest ClawSweeper review: 2026-05-24 01:35 UTC / May 23, 2026, 9:35 PM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR updates the plugins/a2a-gateway submodule pointer from a335e59 to 1a03a74, pulling upstream fixes for OpenClaw 2026.5.x startup compatibility and larger inline A2A JSON file transfers.

Reproducibility: not applicable. this is a dependency submodule bump, not a bug report with a current-main reproduction path. The review path is source/diff inspection, upstream commit inspection, and CI metadata.

PR rating
Overall: 🦐 gold shrimp
Proof: 🌊 off-meta tidepool
Patch quality: 🦐 gold shrimp
Summary: The update is useful and small, but the patch is incomplete until generated Crabpot artifacts are refreshed with the new fixture revision.

Rank-up moves:

• Regenerate and commit the affected Crabpot report/README artifacts for the a2a-gateway submodule pin.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: This is a Dependabot bot PR, so the contributor real-behavior-proof gate does not apply; upstream commit messages include runtime verification and Crabpot CI checks passed.

Risk before merge

• Merging only the gitlink can leave Crabpot's committed reports, README dashboard, and line-based probe surfaces out of sync with the pinned a2a-gateway source.

Maintainer options:

1. Regenerate Fixture Artifacts (recommended)
   Update the branch so the a2a-gateway gitlink and all generated Crabpot report/README artifacts reflect the same pinned fixture revision before merge.
2. Accept A Follow-Up Refresh
   Maintainers could merge the gitlink alone only if they intentionally accept a temporary mismatch and have a follow-up dashboard/report refresh ready.

Copy recommended automerge instruction

@clawsweeper automerge

Special instructions:
Keep `plugins/a2a-gateway` pinned at `1a03a747ec3f871e4dbd1ff97da8be8498a099a6`, materialize that submodule, regenerate the Crabpot reports and README/dashboard artifacts for the changed fixture, and run `npm test` plus `npm run check`; do not change unrelated fixture refs or vendor external plugin source.

Next step before merge
A repair lane can mechanically regenerate the Crabpot reports and README/dashboard for this exact submodule pin without a product decision.

Security
Cleared: The inspected upstream diff changes only index.ts and openclaw.plugin.json, adds no new dependencies or lifecycle scripts, and keeps the larger JSON body limit bounded by existing config.

Review findings

• [P2] Regenerate the Crabpot reports for this fixture bump — plugins/a2a-gateway:1

Review details

Best possible solution:

Land the submodule update together with regenerated Crabpot report and README/dashboard artifacts for the changed a2a-gateway fixture, preserving the external code as a submodule.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a dependency submodule bump, not a bug report with a current-main reproduction path. The review path is source/diff inspection, upstream commit inspection, and CI metadata.

Is this the best way to solve the issue?

No as submitted: the gitlink update is the right minimal source change, but Crabpot's generated reports should be refreshed with it before merge.

Label changes:

• add P2: This is a bounded dependency/fixture update with real compatibility value, but it needs generated artifact refresh before normal merge confidence.
• add merge-risk: 🚨 automation: The PR can leave committed Crabpot report and dashboard artifacts stale relative to the new submodule pin.
• add rating: 🦐 gold shrimp: Current PR rating is 🦐 gold shrimp because proof is 🌊 off-meta tidepool, patch quality is 🦐 gold shrimp, and The update is useful and small, but the patch is incomplete until generated Crabpot artifacts are refreshed with the new fixture revision.
• add status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: This is a Dependabot bot PR, so the contributor real-behavior-proof gate does not apply; upstream commit messages include runtime verification and Crabpot CI checks passed.

Label justifications:

• P2: This is a bounded dependency/fixture update with real compatibility value, but it needs generated artifact refresh before normal merge confidence.
• merge-risk: 🚨 automation: The PR can leave committed Crabpot report and dashboard artifacts stale relative to the new submodule pin.
• rating: 🦐 gold shrimp: Current PR rating is 🦐 gold shrimp because proof is 🌊 off-meta tidepool, patch quality is 🦐 gold shrimp, and The update is useful and small, but the patch is incomplete until generated Crabpot artifacts are refreshed with the new fixture revision.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: This is a Dependabot bot PR, so the contributor real-behavior-proof gate does not apply; upstream commit messages include runtime verification and Crabpot CI checks passed.

Full review comments:

• [P2] Regenerate the Crabpot reports for this fixture bump — plugins/a2a-gateway:1
  The gitlink moves a2a-gateway to upstream commits that add manifest contracts and shift index.ts registration locations, but the branch leaves committed report artifacts at the old fixture state, for example reports/crabpot-capture.md still points at plugins/a2a-gateway/index.ts:616. Crabpot keeps these generated report surfaces with dependency-update commits, so merging only the gitlink leaves the dashboard/report contract stale.
  Confidence: 0.86

Overall correctness: patch is incorrect
Overall confidence: 0.86

Acceptance criteria:

• npm test
• npm run check

What I checked:

• Current main still uses old submodule pin: HEAD 124ebfff0e2a49da55d682c978d21748e6e7caef points plugins/a2a-gateway at a335e59e926f7e1a8913e6cd7b1cbf2d44c33cb7, so the PR's central update is not already implemented on main. (plugins/a2a-gateway:1, 124ebfff0e2a)
• Latest release also uses old submodule pin: Release tag v0.1.4 / ca97245e907d799e592e4f9095728fa7c1bb8415 also points plugins/a2a-gateway at a335e59e926f7e1a8913e6cd7b1cbf2d44c33cb7. (plugins/a2a-gateway:1, ca97245e907d)
• PR diff only changes the gitlink: GitHub PR metadata shows one changed file, plugins/a2a-gateway, replacing a335e59e926f7e1a8913e6cd7b1cbf2d44c33cb7 with 1a03a747ec3f871e4dbd1ff97da8be8498a099a6. (plugins/a2a-gateway:1, 9bdc8f9db4da)
• Upstream change is substantive fixture behavior: The external compare is two commits ahead and modifies index.ts plus openclaw.plugin.json, adding OpenClaw 2026.5.x activation/contracts compatibility and a bounded A2A JSON body parser for inline file transfers. (plugins/a2a-gateway:1, 1a03a747ec3f)
• Generated reports remain at old fixture locations: Committed report artifacts still reference old a2a-gateway registration locations such as plugins/a2a-gateway/index.ts:616, while the upstream compare shifts the registration area by adding new code before it. (reports/crabpot-capture.md:31, 124ebfff0e2a)
• Prior submodule bump pattern includes generated artifacts: A recent merged submodule bump updated the gitlink together with README and many reports/* artifacts, matching Crabpot's generated-report workflow. (README.md:13, c54e26c6f671)

Likely related people:

• AliceLJY: GitHub commit metadata shows this person authored both external openclaw-a2a-gateway commits included by the submodule bump, covering the startup compatibility and JSON body limit changes. (role: upstream plugin fix author; confidence: high; commits: 604430675836, 1a03a747ec3f; files: plugins/a2a-gateway/index.ts, plugins/a2a-gateway/openclaw.plugin.json)
• Vincent Koc: Repository history shows this person initialized the Crabpot compat testbed and added the workspace/report generation surfaces that need refreshing when fixture refs move. (role: Crabpot fixture and report area contributor; confidence: medium; commits: fbb02499809f, 1ab208b3ea26, 2e2e0dafdb78; files: crabpot.config.json, reports/crabpot-workspace-plan.json, scripts/workspace-plan.mjs)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 124ebfff0e2a.

[clawsweeper]

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[dependabot]

Superseded by #108.