openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 2 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎docs/plugins/dependency-resolution.md‎
Lines changed: 8 additions & 0 deletions b/‎docs/plugins/dependency-resolution.md‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎src/infra/npm-install-env.ts‎
Lines changed: 2 additions & 0 deletions b/‎src/infra/npm-install-env.ts‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/infra/npm-managed-root.test.ts‎
Lines changed: 135 additions & 1 deletion b/‎src/infra/npm-managed-root.test.ts‎
Lines changed: 135 additions & 1 deletion
diff --git a/‎src/infra/npm-managed-root.ts‎
Lines changed: 176 additions & 0 deletions b/‎src/infra/npm-managed-root.ts‎
Lines changed: 176 additions & 0 deletions
@@ -59,6 +59,8 @@ Docs: https://docs.openclaw.ai
 - Plugins/update: treat official externalized bundled npm migrations and ClawHub-to-npm fallbacks as trusted source-linked installs, so prerelease-only official plugin packages can migrate from bundled builds without being rejected as unsafe prerelease resolutions. Thanks @vincentkoc.
 - Plugins/update: move ClawHub-preferred externalized plugin installs back to ClawHub after an earlier npm fallback once the ClawHub package becomes available. Thanks @vincentkoc.
 - Plugins/update: clean stale bundled load paths for already-externalized pinned npm and ClawHub plugin installs, so release-channel sync does not leave removed bundled paths ahead of the installed external package. Thanks @vincentkoc.
+- Plugins/update: repair stale managed npm-root `openclaw` peer packages before plugin installs, so beta-channel official plugin updates are not downgraded by old core package-lock state. Thanks @vincentkoc.
+- Plugins/install: reassert managed npm plugin `openclaw` peer links after shared-root npm installs, updates, and uninstalls, so mutating one plugin does not leave previously installed SDK-using plugins unable to resolve `openclaw/plugin-sdk/*`.
 - Plugins/update: make package upgrades swap pnpm/npm-prefix installs cleanly, keep legacy plugin install runtime chunks working, and on the beta channel fall back default-line npm plugins to default/latest when plugin beta releases are missing or fail install validation. Thanks @vincentkoc and @joshavant.
 - Plugins/active-memory: skip session-store channel entries that contain `:` when resolving the recall subagent's channel, so QQ c2c agent IDs (e.g. `c2c:10D4F7C2…`) and other scoped conversation IDs do not reach bundled-plugin `dirName` validation and crash the recall run. The same guard already applied to explicit `channelId` params (#76704); this extends it to store-derived channels. (#77396) Thanks @hclsys.
 - Sandbox/Windows: accept drive-absolute Docker bind sources while keeping sandbox blocked-path and allowed-root policy comparisons Windows-case-insensitive. (#42174) Thanks @6607changchun.
 
@@ -51,6 +51,14 @@ the plugin package. OpenClaw scans the managed npm root before trusting the
 install and uses npm to remove npm-managed packages during uninstall, so hoisted
 runtime dependencies stay inside the managed cleanup boundary.
 
+Plugins that import `openclaw/plugin-sdk/*` declare `openclaw` as a peer
+dependency. OpenClaw does not let npm install a separate registry copy of the
+host package into the managed root, because stale host packages can affect npm
+peer resolution during later plugin installs. Instead, after npm finishes
+mutating the shared root during install, update, or uninstall, OpenClaw reasserts
+plugin-local `node_modules/openclaw` links for installed packages that declare
+the host peer.
+
 git installs clone or refresh the repository, then run:
 
 ```bash
 
@@ -9,7 +9,9 @@ const NPM_CONFIG_KEYS_TO_RESET = new Set([
   "npm_config_include_workspace_root",
   "npm_config_ignore_scripts",
   "npm_config_location",
+  "npm_config_legacy_peer_deps",
   "npm_config_prefix",
+  "npm_config_strict_peer_deps",
   "npm_config_workspace",
   "npm_config_workspaces",
 ]);
 
@@ -1,8 +1,9 @@
 import fs from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
-import { afterEach, describe, expect, it } from "vitest";
+import { afterEach, describe, expect, it, vi } from "vitest";
 import {
+  repairManagedNpmRootOpenClawPeer,
   removeManagedNpmRootDependency,
   readManagedNpmRootInstalledDependency,
   resolveManagedNpmRootDependencySpec,
@@ -11,6 +12,15 @@ import {
 
 const tempDirs: string[] = [];
 
+const successfulSpawn = {
+  code: 0,
+  stdout: "",
+  stderr: "",
+  signal: null,
+  killed: false,
+  termination: "exit" as const,
+};
+
 async function makeTempRoot(): Promise<string> {
   const dir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-npm-managed-root-"));
   tempDirs.push(dir);
@@ -183,4 +193,128 @@ describe("managed npm root", () => {
       },
     });
   });
+
+  it("repairs stale managed openclaw peer state without dropping plugin packages", async () => {
+    const npmRoot = await makeTempRoot();
+    await fs.mkdir(path.join(npmRoot, "node_modules", "openclaw"), { recursive: true });
+    await fs.writeFile(
+      path.join(npmRoot, "package.json"),
+      `${JSON.stringify(
+        {
+          private: true,
+          dependencies: {
+            openclaw: "2026.5.4",
+            "@openclaw/discord": "2026.5.4",
+          },
+        },
+        null,
+        2,
+      )}\n`,
+    );
+    await fs.writeFile(
+      path.join(npmRoot, "package-lock.json"),
+      `${JSON.stringify(
+        {
+          lockfileVersion: 3,
+          packages: {
+            "": {
+              dependencies: {
+                openclaw: "2026.5.4",
+                "@openclaw/discord": "2026.5.4",
+              },
+            },
+            "node_modules/openclaw": {
+              version: "2026.5.4",
+            },
+            "node_modules/@openclaw/discord": {
+              version: "2026.5.4",
+            },
+          },
+          dependencies: {
+            openclaw: {
+              version: "2026.5.4",
+            },
+          },
+        },
+        null,
+        2,
+      )}\n`,
+    );
+    await fs.writeFile(
+      path.join(npmRoot, "node_modules", "openclaw", "package.json"),
+      `${JSON.stringify({ name: "openclaw", version: "2026.5.4" })}\n`,
+    );
+    await fs.mkdir(path.join(npmRoot, "node_modules", ".bin"), { recursive: true });
+    await fs.writeFile(path.join(npmRoot, "node_modules", ".bin", "openclaw"), "shim");
+    await fs.writeFile(path.join(npmRoot, "node_modules", ".bin", "openclaw.cmd"), "cmd shim");
+    await fs.writeFile(path.join(npmRoot, "node_modules", ".bin", "openclaw.ps1"), "ps1 shim");
+    await fs.writeFile(
+      path.join(npmRoot, "node_modules", ".package-lock.json"),
+      `${JSON.stringify(
+        {
+          lockfileVersion: 3,
+          packages: {
+            "node_modules/openclaw": {
+              version: "2026.5.4",
+            },
+          },
+        },
+        null,
+        2,
+      )}\n`,
+    );
+
+    const runCommand = vi.fn().mockResolvedValue(successfulSpawn);
+    await expect(repairManagedNpmRootOpenClawPeer({ npmRoot, runCommand })).resolves.toBe(true);
+    expect(runCommand).toHaveBeenCalledWith(
+      [
+        "npm",
+        "uninstall",
+        "--loglevel=error",
+        "--ignore-scripts",
+        "--no-audit",
+        "--no-fund",
+        "--prefix",
+        ".",
+        "openclaw",
+      ],
+      expect.objectContaining({
+        cwd: npmRoot,
+      }),
+    );
+
+    const manifest = JSON.parse(await fs.readFile(path.join(npmRoot, "package.json"), "utf8")) as {
+      dependencies?: Record<string, string>;
+    };
+    expect(manifest.dependencies).toEqual({
+      "@openclaw/discord": "2026.5.4",
+    });
+    const lockfile = JSON.parse(
+      await fs.readFile(path.join(npmRoot, "package-lock.json"), "utf8"),
+    ) as {
+      packages?: Record<string, { dependencies?: Record<string, string>; version?: string }>;
+      dependencies?: Record<string, unknown>;
+    };
+    expect(lockfile.packages?.[""]?.dependencies).toEqual({
+      "@openclaw/discord": "2026.5.4",
+    });
+    expect(lockfile.packages?.["node_modules/openclaw"]).toBeUndefined();
+    expect(lockfile.packages?.["node_modules/@openclaw/discord"]?.version).toBe("2026.5.4");
+    expect(lockfile.dependencies?.openclaw).toBeUndefined();
+    await expect(fs.lstat(path.join(npmRoot, "node_modules", "openclaw"))).rejects.toMatchObject({
+      code: "ENOENT",
+    });
+    for (const binName of ["openclaw", "openclaw.cmd", "openclaw.ps1"]) {
+      await expect(
+        fs.lstat(path.join(npmRoot, "node_modules", ".bin", binName)),
+      ).rejects.toMatchObject({
+        code: "ENOENT",
+      });
+    }
+    await expect(
+      fs.lstat(path.join(npmRoot, "node_modules", ".package-lock.json")),
+    ).rejects.toMatchObject({
+      code: "ENOENT",
+    });
+  });
 });
@@ -1,8 +1,10 @@
 import fs from "node:fs/promises";
 import path from "node:path";
+import { runCommandWithTimeout } from "../process/exec.js";
 import type { NpmSpecResolution } from "./install-source-utils.js";
 import { readJson, readJsonIfExists, writeJson } from "./json-files.js";
 import type { ParsedRegistryNpmSpec } from "./npm-registry-spec.js";
+import { createSafeNpmInstallEnv } from "./safe-package-install.js";
 
 type ManagedNpmRootManifest = {
   private?: boolean;
@@ -16,6 +18,18 @@ export type ManagedNpmRootInstalledDependency = {
   resolved?: string;
 };
 
+type ManagedNpmRootLockfile = {
+  packages?: Record<string, unknown>;
+  dependencies?: Record<string, unknown>;
+  [key: string]: unknown;
+};
+
+type ManagedNpmRootLogger = {
+  warn?: (message: string) => void;
+};
+
+type ManagedNpmRootRunCommand = typeof runCommandWithTimeout;
+
 function isRecord(value: unknown): value is Record<string, unknown> {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
@@ -69,6 +83,168 @@ export async function upsertManagedNpmRootDependency(params: {
   await writeJson(manifestPath, next, { trailingNewline: true });
 }
 
+export async function repairManagedNpmRootOpenClawPeer(params: {
+  npmRoot: string;
+  timeoutMs?: number;
+  logger?: ManagedNpmRootLogger;
+  runCommand?: ManagedNpmRootRunCommand;
+}): Promise<boolean> {
+  await fs.mkdir(params.npmRoot, { recursive: true });
+
+  const manifestPath = path.join(params.npmRoot, "package.json");
+  const manifest = await readManagedNpmRootManifest(manifestPath);
+  const dependencies = readDependencyRecord(manifest.dependencies);
+  const hasManifestDependency = "openclaw" in dependencies;
+  const hasLockDependency = await managedNpmRootLockfileHasOpenClawPeer(params.npmRoot);
+  const hasPackageDir = await pathExists(path.join(params.npmRoot, "node_modules", "openclaw"));
+  if (!hasManifestDependency && !hasLockDependency && !hasPackageDir) {
+    return false;
+  }
+
+  const command = params.runCommand ?? runCommandWithTimeout;
+  const npmArgs = hasManifestDependency
+    ? [
+        "npm",
+        "uninstall",
+        "--loglevel=error",
+        "--ignore-scripts",
+        "--no-audit",
+        "--no-fund",
+        "--prefix",
+        ".",
+        "openclaw",
+      ]
+    : [
+        "npm",
+        "prune",
+        "--loglevel=error",
+        "--ignore-scripts",
+        "--no-audit",
+        "--no-fund",
+        "--prefix",
+        ".",
+      ];
+  try {
+    const result = await command(npmArgs, {
+      cwd: params.npmRoot,
+      timeoutMs: Math.max(params.timeoutMs ?? 300_000, 300_000),
+      env: createSafeNpmInstallEnv(process.env, { packageLock: true, quiet: true }),
+    });
+    if (result.code !== 0) {
+      params.logger?.warn?.(
+        `npm ${hasManifestDependency ? "uninstall openclaw" : "prune"} failed while repairing managed npm root; falling back to direct cleanup: ${result.stderr.trim() || result.stdout.trim()}`,
+      );
+    }
+  } catch (error) {
+    params.logger?.warn?.(
+      `npm ${hasManifestDependency ? "uninstall openclaw" : "prune"} failed while repairing managed npm root; falling back to direct cleanup: ${String(error)}`,
+    );
+  }
+
+  await scrubManagedNpmRootOpenClawPeer({ npmRoot: params.npmRoot });
+  return true;
+}
+
+async function managedNpmRootLockfileHasOpenClawPeer(npmRoot: string): Promise<boolean> {
+  const lockPath = path.join(npmRoot, "package-lock.json");
+  try {
+    const parsed = JSON.parse(await fs.readFile(lockPath, "utf8")) as ManagedNpmRootLockfile;
+    if (isRecord(parsed.packages)) {
+      const rootPackage = parsed.packages[""];
+      if (
+        isRecord(rootPackage) &&
+        isRecord(rootPackage.dependencies) &&
+        "openclaw" in rootPackage.dependencies
+      ) {
+        return true;
+      }
+      if ("node_modules/openclaw" in parsed.packages) {
+        return true;
+      }
+    }
+    return isRecord(parsed.dependencies) && "openclaw" in parsed.dependencies;
+  } catch (err) {
+    if ((err as NodeJS.ErrnoException).code === "ENOENT") {
+      return false;
+    }
+    throw err;
+  }
+}
+
+async function pathExists(filePath: string): Promise<boolean> {
+  return await fs
+    .lstat(filePath)
+    .then(() => true)
+    .catch((err: NodeJS.ErrnoException) => {
+      if (err.code === "ENOENT") {
+        return false;
+      }
+      throw err;
+    });
+}
+
+async function scrubManagedNpmRootOpenClawPeer(params: { npmRoot: string }): Promise<void> {
+  const manifestPath = path.join(params.npmRoot, "package.json");
+  const manifest = await readManagedNpmRootManifest(manifestPath);
+  const dependencies = readDependencyRecord(manifest.dependencies);
+  if ("openclaw" in dependencies) {
+    const { openclaw: _removed, ...nextDependencies } = dependencies;
+    await fs.writeFile(
+      manifestPath,
+      `${JSON.stringify({ ...manifest, private: true, dependencies: nextDependencies }, null, 2)}\n`,
+      "utf8",
+    );
+  }
+
+  const lockPath = path.join(params.npmRoot, "package-lock.json");
+  try {
+    const parsed = JSON.parse(await fs.readFile(lockPath, "utf8")) as ManagedNpmRootLockfile;
+    let lockChanged = false;
+    if (isRecord(parsed.packages)) {
+      const rootPackage = parsed.packages[""];
+      if (isRecord(rootPackage) && isRecord(rootPackage.dependencies)) {
+        const dependencies = { ...rootPackage.dependencies };
+        if ("openclaw" in dependencies) {
+          delete dependencies.openclaw;
+          parsed.packages[""] = { ...rootPackage, dependencies };
+          lockChanged = true;
+        }
+      }
+      if ("node_modules/openclaw" in parsed.packages) {
+        delete parsed.packages["node_modules/openclaw"];
+        lockChanged = true;
+      }
+    }
+    if (isRecord(parsed.dependencies) && "openclaw" in parsed.dependencies) {
+      const dependencies = { ...parsed.dependencies };
+      delete dependencies.openclaw;
+      parsed.dependencies = dependencies;
+      lockChanged = true;
+    }
+    if (lockChanged) {
+      await fs.writeFile(lockPath, `${JSON.stringify(parsed, null, 2)}\n`, "utf8");
+    }
+  } catch (err) {
+    if ((err as NodeJS.ErrnoException).code !== "ENOENT") {
+      throw err;
+    }
+  }
+
+  const openclawPackageDir = path.join(params.npmRoot, "node_modules", "openclaw");
+  if (await pathExists(openclawPackageDir)) {
+    await fs.rm(openclawPackageDir, { recursive: true, force: true });
+  }
+  const binDir = path.join(params.npmRoot, "node_modules", ".bin");
+  await Promise.all(
+    ["openclaw", "openclaw.cmd", "openclaw.ps1"].map((binName) =>
+      fs.rm(path.join(binDir, binName), { force: true }),
+    ),
+  );
+  await fs.rm(path.join(params.npmRoot, "node_modules", ".package-lock.json"), {
+    force: true,
+  });
+}
+
 export async function readManagedNpmRootInstalledDependency(params: {
   npmRoot: string;
   packageName: string;