fix(whatsapp): force version-pinned OpenClaw messaging plugin installs

[ericksoa]

Summary

NemoClaw already derives external messaging plugin versions from OPENCLAW_VERSION, but it passed bare @openclaw/*@<version> specs to openclaw plugins install. On OpenClaw's official plugin install path that can still resolve through the official/ClawHub/default supply chain and drift to the current plugin release.

This change forces build-time messaging plugin activation through exact npm specs and pins the install record:

• install npm:@openclaw/<plugin>@${OPENCLAW_VERSION} instead of a bare @openclaw/<plugin>@${OPENCLAW_VERSION} spec
• pass --pin so the managed install remains tied to the runtime version
• add a regression check for OPENCLAW_VERSION=2026.5.18 so WhatsApp resolves to npm:@openclaw/whatsapp@2026.5.18, not latest

Version evidence

Live npm metadata currently shows:

• openclaw@latest: 2026.5.28
• @openclaw/whatsapp@latest: 2026.5.28
• @openclaw/whatsapp@2026.5.28 peers on openclaw >=2026.5.28
• @openclaw/whatsapp@2026.5.18 peers on openclaw >=2026.5.18

So any unpinned/default WhatsApp install into an OpenClaw 2026.5.18 sandbox can pick a plugin that is too new for the runtime.

Verification

• npm ci --include=dev --ignore-scripts
• python3 -m py_compile scripts/openclaw-build-messaging-plugins.py
• npx vitest run test/openclaw-build-messaging-plugins.test.ts
• git diff --check

Signed-off-by: Aaron Erickson aerickson@nvidia.com

Summary by CodeRabbit

• Chores
  • Enhanced messaging plugin installation reliability by enforcing strict version pinning, ensuring consistent plugin versions across deployments.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 01cc9d12-8a31-4592-beee-674aeec72313

📥 Commits

Reviewing files that changed from the base of the PR and between 4e89db9 and c7afa95.

📒 Files selected for processing (2)

• scripts/openclaw-build-messaging-plugins.py
• test/openclaw-build-messaging-plugins.test.ts

---

📝 Walkthrough

Walkthrough

The PR updates messaging plugin installation logic to enforce explicit, version-pinned npm installs for external channels. Plugin install specs are now formatted with an npm: prefix, and the --pin argument is explicitly passed during installation. Tests are updated to match the new spec format and validate pinning behavior.

Changes

Messaging Plugin Install Pinning

Layer / File(s)	Summary
Plugin install spec and pinning implementation scripts/openclaw-build-messaging-plugins.py	Docstring clarified to document explicit npm install pinning requirement. Plugin install specs now format as npm:<package>@<version> with the npm: prefix. Installation loop now explicitly passes --pin to each openclaw plugins install invocation.
Test expectations and coverage for new install format test/openclaw-build-messaging-plugins.test.ts	Existing test assertions updated to expect npm:-prefixed plugin specs and --pin arguments in traces and install calls. New test added validating WhatsApp is pinned to OPENCLAW_VERSION. Discord contract test updated to validate new npm:-prefixed spec format and --pin requirement.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• NVIDIA/NemoClaw#4340: WeChat E2E test assertions verify that the resulting plugin install metadata is pinned from npm, so test expectations are coupled to the same npm: spec and pinning behavior.

Suggested labels

Integration: OpenClaw, fix, dependencies

Suggested reviewers

• jyaunches
• cv

Poem

🐰 With npm: prefix and --pin so true,
External plugins now know what to do,
No drifting versions or pins left unclear,
Bundled stability reigns here!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: enforcing version-pinned OpenClaw messaging plugin installs, which is the core fix across both the main script and test updates.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/pin-openclaw-messaging-plugin-installs

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 2 worth checking, 0 nice ideas
Top item: Validate real OpenClaw handling of npm: plugin specs

Review findings

🛠️ Needs attention

• None.

🔎 Worth checking

• Source-of-truth review needed: Build-time OpenClaw messaging plugin installation: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: scripts/openclaw-build-messaging-plugins.py changes the install spec and flag; test/openclaw-build-messaging-plugins.test.ts asserts the new argv against fake openclaw binaries.
• Real OpenClaw install contract for npm: specs is unverified (scripts/openclaw-build-messaging-plugins.py:141): This PR changes a build-time supply-chain control from bare @openclaw package specs to npm:@openclaw/<plugin>@<OPENCLAW_VERSION> plus --pin. The package names are allowlisted and subprocess invocation is argv-based, which is good, but the changed behavior depends on how the real OpenClaw CLI parses, resolves, and records npm: plugin specs. The updated tests use fake openclaw binaries that assert NemoClaw passed the desired argv; they do not prove that the real installer accepts this form or that --pin records the exact runtime-compatible plugin version.
  • Recommendation: Add or identify a targeted runtime/contract validation for `openclaw plugins install npm:@openclaw/<plugin>@<version> --pin` that confirms the real OpenClaw CLI installs/records the exact requested plugin version, or document/link the OpenClaw CLI contract in the script/tests so this supply-chain assumption is reviewable.
  • Evidence: scripts/openclaw-build-messaging-plugins.py now calls `run_command(["openclaw", "plugins", "install", spec, "--pin"])`; test/openclaw-build-messaging-plugins.test.ts uses fake openclaw scripts that only check argv such as `args[2] !== "npm:@openclaw/discord@2026.5.22"` and `args[3] !== "--pin"`.

🌱 Nice ideas

• None.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[github-actions]

E2E Advisor Recommendation

Required E2E: messaging-providers-e2e
Optional E2E: ubuntu-repo-cloud-openclaw-discord, ubuntu-repo-cloud-openclaw-slack, openclaw-discord-pairing-e2e, openclaw-slack-pairing-e2e

Dispatch hint: messaging-providers-e2e

Auto-dispatched E2E: messaging-providers-e2e via nightly-e2e.yaml at c7afa95c455d4faac985c50cbd8a6b62953f7122 — nightly run

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• messaging-providers-e2e (high): Best existing end-to-end coverage for this change: builds/onboards an OpenClaw sandbox with token-backed messaging channels and validates provider attachment, placeholder rewrite, sanitized credentials, OpenClaw channel/plugin activation, and WhatsApp QR-only policy/config behavior. This directly exercises the build-time messaging plugin installer changed in this PR.

Optional E2E

• ubuntu-repo-cloud-openclaw-discord (medium): Typed scenario coverage for the OpenClaw Discord onboarding path; useful if maintainers want an additional scenario-registry validation of external plugin activation beyond the broader messaging-providers job.
• ubuntu-repo-cloud-openclaw-slack (medium): Typed scenario coverage for the OpenClaw Slack onboarding path; useful adjacent confidence for the npm: install spec and --pin behavior on another external messaging package.
• openclaw-discord-pairing-e2e (high): Hermetic Discord pairing flow that depends on a working Discord OpenClaw plugin install and shared OpenClaw state; good regression confidence if the install CLI syntax is suspected to affect runtime plugin state.
• openclaw-slack-pairing-e2e (high): Hermetic Slack Socket Mode pairing flow that depends on a working Slack OpenClaw plugin install; useful adjacent validation for the same external plugin install path.

New E2E recommendations

• None.

Dispatch hint

• Workflow: nightly-e2e.yaml
• jobs input: messaging-providers-e2e

[github-actions]

E2E Scenario Advisor Recommendation

Required scenario E2E: ubuntu-repo-cloud-openclaw-discord, ubuntu-repo-cloud-openclaw-slack
Optional scenario E2E: None

Dispatch required scenario E2E:

• gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw-discord
• gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw-slack

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

• ubuntu-repo-cloud-openclaw-discord: Changed OpenClaw messaging plugin build/install helper; Discord is an external OpenClaw messaging plugin path affected by npm: spec formatting and --pin install behavior.
  • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw-discord
• ubuntu-repo-cloud-openclaw-slack: Changed OpenClaw messaging plugin build/install helper; Slack is an external OpenClaw messaging plugin path affected by npm: spec formatting and --pin install behavior.
  • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw-slack

Optional scenario E2E

• None.

Relevant changed files

• scripts/openclaw-build-messaging-plugins.py

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 26731308849
Target ref: c7afa95c455d4faac985c50cbd8a6b62953f7122
Workflow ref: main
Requested jobs: all (no filter)
Summary: 8 passed, 1 failed, 2 skipped

Job	Result
bedrock-runtime-compatible-anthropic-e2e	✅ success
brave-search-e2e	✅ success
channels-add-remove-e2e	❌ failure
channels-stop-start-e2e	⚠️ cancelled
cloud-e2e	⚠️ cancelled
cloud-inference-e2e	⚠️ cancelled
cloud-onboard-e2e	⚠️ cancelled
credential-migration-e2e	⚠️ cancelled
credential-sanitization-e2e	⚠️ cancelled
device-auth-health-e2e	⚠️ cancelled
diagnostics-e2e	⚠️ cancelled
docs-validation-e2e	⚠️ cancelled
double-onboard-e2e	⚠️ cancelled
gpu-double-onboard-e2e	⏭️ skipped
gpu-e2e	⏭️ skipped
hermes-dashboard-e2e	⚠️ cancelled
hermes-discord-e2e	✅ success
hermes-e2e	⚠️ cancelled
hermes-inference-switch-e2e	⚠️ cancelled
hermes-onboard-security-posture-e2e	⚠️ cancelled
hermes-root-entrypoint-smoke-e2e	✅ success
hermes-slack-e2e	⚠️ cancelled
inference-routing-e2e	⚠️ cancelled
issue-2478-crash-loop-recovery-e2e	⚠️ cancelled
issue-3600-gpu-proof-optional-e2e	✅ success
issue-4462-gateway-pinned-approval-characterization-e2e	⚠️ cancelled
issue-4462-scope-upgrade-approval-e2e	⚠️ cancelled
kimi-inference-compat-e2e	✅ success
launchable-smoke-e2e	⚠️ cancelled
messaging-compatible-endpoint-e2e	⚠️ cancelled
messaging-providers-e2e	⚠️ cancelled
network-policy-e2e	⚠️ cancelled
onboard-negative-paths-e2e	⚠️ cancelled
onboard-repair-e2e	⚠️ cancelled
onboard-resume-e2e	⚠️ cancelled
openclaw-discord-pairing-e2e	⚠️ cancelled
openclaw-inference-switch-e2e	⚠️ cancelled
openclaw-onboard-security-posture-e2e	⚠️ cancelled
openclaw-slack-pairing-e2e	⚠️ cancelled
openclaw-tui-chat-correlation-e2e	⚠️ cancelled
openshell-gateway-upgrade-e2e	⚠️ cancelled
overlayfs-autofix-e2e	✅ success
rebuild-hermes-e2e	⚠️ cancelled
rebuild-hermes-stale-base-e2e	⚠️ cancelled
rebuild-openclaw-e2e	⚠️ cancelled
runtime-overrides-e2e	⚠️ cancelled
sandbox-operations-e2e	⚠️ cancelled
sandbox-survival-e2e	⚠️ cancelled
shields-config-e2e	⚠️ cancelled
skill-agent-e2e	⚠️ cancelled
snapshot-commands-e2e	⚠️ cancelled
state-backup-restore-e2e	⚠️ cancelled
telegram-injection-e2e	⚠️ cancelled
token-rotation-e2e	⚠️ cancelled
tunnel-lifecycle-e2e	⚠️ cancelled
upgrade-stale-sandbox-e2e	⚠️ cancelled
vm-driver-privileged-exec-routing-e2e	✅ success

Failed jobs: channels-add-remove-e2e. Check run artifacts for logs.

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26731416721
Target ref: c7afa95c455d4faac985c50cbd8a6b62953f7122
Workflow ref: main
Requested jobs: messaging-providers-e2e
Summary: 0 passed, 0 failed, 0 skipped

Job	Result
messaging-providers-e2e	⚠️ cancelled

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 26731308849
Target ref: c7afa95c455d4faac985c50cbd8a6b62953f7122
Workflow ref: main
Requested jobs: all (no filter)
Summary: 54 passed, 1 failed, 2 skipped

Job	Result
bedrock-runtime-compatible-anthropic-e2e	✅ success
brave-search-e2e	✅ success
channels-add-remove-e2e	✅ success
channels-stop-start-e2e	✅ success
cloud-e2e	✅ success
cloud-inference-e2e	✅ success
cloud-onboard-e2e	✅ success
credential-migration-e2e	✅ success
credential-sanitization-e2e	✅ success
device-auth-health-e2e	✅ success
diagnostics-e2e	✅ success
docs-validation-e2e	✅ success
double-onboard-e2e	✅ success
gpu-double-onboard-e2e	⏭️ skipped
gpu-e2e	⏭️ skipped
hermes-dashboard-e2e	✅ success
hermes-discord-e2e	✅ success
hermes-e2e	✅ success
hermes-inference-switch-e2e	✅ success
hermes-onboard-security-posture-e2e	✅ success
hermes-root-entrypoint-smoke-e2e	✅ success
hermes-slack-e2e	✅ success
inference-routing-e2e	✅ success
issue-2478-crash-loop-recovery-e2e	✅ success
issue-3600-gpu-proof-optional-e2e	✅ success
issue-4462-gateway-pinned-approval-characterization-e2e	✅ success
issue-4462-scope-upgrade-approval-e2e	✅ success
kimi-inference-compat-e2e	✅ success
launchable-smoke-e2e	✅ success
messaging-compatible-endpoint-e2e	✅ success
messaging-providers-e2e	✅ success
network-policy-e2e	✅ success
onboard-negative-paths-e2e	✅ success
onboard-repair-e2e	✅ success
onboard-resume-e2e	✅ success
openclaw-discord-pairing-e2e	✅ success
openclaw-inference-switch-e2e	✅ success
openclaw-onboard-security-posture-e2e	✅ success
openclaw-slack-pairing-e2e	✅ success
openclaw-tui-chat-correlation-e2e	✅ success
openshell-gateway-upgrade-e2e	❌ failure
overlayfs-autofix-e2e	✅ success
rebuild-hermes-e2e	✅ success
rebuild-hermes-stale-base-e2e	✅ success
rebuild-openclaw-e2e	✅ success
runtime-overrides-e2e	✅ success
sandbox-operations-e2e	✅ success
sandbox-survival-e2e	✅ success
shields-config-e2e	✅ success
skill-agent-e2e	✅ success
snapshot-commands-e2e	✅ success
state-backup-restore-e2e	✅ success
telegram-injection-e2e	✅ success
token-rotation-e2e	✅ success
tunnel-lifecycle-e2e	✅ success
upgrade-stale-sandbox-e2e	✅ success
vm-driver-privileged-exec-routing-e2e	✅ success

Failed jobs: openshell-gateway-upgrade-e2e. Check run artifacts for logs.

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26731308849
Target ref: c7afa95c455d4faac985c50cbd8a6b62953f7122
Workflow ref: main
Requested jobs: all (no filter)
Summary: 55 passed, 0 failed, 2 skipped

Job	Result
bedrock-runtime-compatible-anthropic-e2e	✅ success
brave-search-e2e	✅ success
channels-add-remove-e2e	✅ success
channels-stop-start-e2e	✅ success
cloud-e2e	✅ success
cloud-inference-e2e	✅ success
cloud-onboard-e2e	✅ success
credential-migration-e2e	✅ success
credential-sanitization-e2e	✅ success
device-auth-health-e2e	✅ success
diagnostics-e2e	✅ success
docs-validation-e2e	✅ success
double-onboard-e2e	✅ success
gpu-double-onboard-e2e	⏭️ skipped
gpu-e2e	⏭️ skipped
hermes-dashboard-e2e	✅ success
hermes-discord-e2e	✅ success
hermes-e2e	✅ success
hermes-inference-switch-e2e	✅ success
hermes-onboard-security-posture-e2e	✅ success
hermes-root-entrypoint-smoke-e2e	✅ success
hermes-slack-e2e	✅ success
inference-routing-e2e	✅ success
issue-2478-crash-loop-recovery-e2e	✅ success
issue-3600-gpu-proof-optional-e2e	✅ success
issue-4462-gateway-pinned-approval-characterization-e2e	✅ success
issue-4462-scope-upgrade-approval-e2e	✅ success
kimi-inference-compat-e2e	✅ success
launchable-smoke-e2e	✅ success
messaging-compatible-endpoint-e2e	✅ success
messaging-providers-e2e	✅ success
network-policy-e2e	✅ success
onboard-negative-paths-e2e	✅ success
onboard-repair-e2e	✅ success
onboard-resume-e2e	✅ success
openclaw-discord-pairing-e2e	✅ success
openclaw-inference-switch-e2e	✅ success
openclaw-onboard-security-posture-e2e	✅ success
openclaw-slack-pairing-e2e	✅ success
openclaw-tui-chat-correlation-e2e	✅ success
openshell-gateway-upgrade-e2e	✅ success
overlayfs-autofix-e2e	✅ success
rebuild-hermes-e2e	✅ success
rebuild-hermes-stale-base-e2e	✅ success
rebuild-openclaw-e2e	✅ success
runtime-overrides-e2e	✅ success
sandbox-operations-e2e	✅ success
sandbox-survival-e2e	✅ success
shields-config-e2e	✅ success
skill-agent-e2e	✅ success
snapshot-commands-e2e	✅ success
state-backup-restore-e2e	✅ success
telegram-injection-e2e	✅ success
token-rotation-e2e	✅ success
tunnel-lifecycle-e2e	✅ success
upgrade-stale-sandbox-e2e	✅ success
vm-driver-privileged-exec-routing-e2e	✅ success