v2026.2.26: bundled plugin manifests rejected as 'unsafe plugin manifest path' with pnpm global install

[seraphimarchangel147]

Description

After upgrading from v2026.2.25 to v2026.2.26 via pnpm add -g openclaw@latest, the gateway refuses to start with config validation errors for every bundled extension plugin:

plugins: plugin: unsafe plugin manifest path: /home/yvy/.local/share/pnpm/global/5/.pnpm/openclaw@2026.2.26_.../node_modules/openclaw/extensions/acpx/openclaw.plugin.json (validation)
plugins: plugin: unsafe plugin manifest path: /home/yvy/.local/share/pnpm/global/5/.pnpm/openclaw@2026.2.26_.../node_modules/openclaw/extensions/telegram/openclaw.plugin.json (validation)
... (35+ bundled extensions, all rejected)

openclaw doctor --fix cannot resolve it. Downgrading to v2026.2.25 resolves the issue immediately.

Root Cause

v2026.2.26 introduced several security hardening changes for path resolution:

• Security/Sandbox path alias guard — reject broken symlink targets by resolving through existing ancestors
• Security/Workspace FS boundary aliases — harden canonical boundary resolution for non-existent-leaf symlink aliases
• Security/Config includes — harden $include file loading with verified-open reads, reject hardlinked include aliases

pnpm's global store uses a content-addressable symlink layout:

~/.local/share/pnpm/global/5/node_modules/openclaw
  -> ../.pnpm/openclaw@2026.2.26_.../node_modules/openclaw

The new path validation appears to resolve plugin manifest paths through these symlinks and then reject them as "unsafe" because the resolved path falls outside the expected boundary.

Steps to Reproduce

1. Install openclaw globally via pnpm: pnpm add -g openclaw@2026.2.26
2. Run openclaw gateway
3. All bundled extension openclaw.plugin.json manifests are rejected as unsafe

Expected Behavior

Bundled plugin manifests shipped inside the openclaw package should be trusted regardless of the symlink layout used by the package manager (pnpm, npm, yarn, etc.).

Workaround

Downgrade to v2026.2.25: pnpm add -g openclaw@2026.2.25

Environment

• openclaw: v2026.2.26 (bc50708)
• Package manager: pnpm v10.29.1
• Node: v25.6.0 (via nvm)
• OS: Linux (WSL2) 6.6.87.2-microsoft-standard-WSL2

[lucasconnellm]

FWIW npm install does work. I just switched mine from pnpm -> npm temporarily and it's fine. Not a great workaround, but an option if you don't want to downgrade.

[Classical1030]

I'm also experiencing this issue after upgrading to v2026.2.26 using pnpm (v10.29.1) on Windows.

• Symptoms: Although I'm running the gateway, Webchat page returns 404 Not Found (http://127.0.0.1:18789), with the same unsafe plugin manifest path warnings for every bundled extension.
• Downgrade works: After reverting to v2026.2.25 (pnpm add -g openclaw@2026.2.25), the webchat loads correctly and plugin validation passes, no more similar warnings emerge.
  This confirms the regression is specific to v2026.2.26 and likely related to the new symlink/path security checks interacting poorly with pnpm's global store layout. Hopefully a fix can be prioritized. Thanks!

[Vagex]

had same issue

[newcodebook]

Confirmed: with pnpm add -g, OpenClaw ends up running from pnpm’s symlinked global store, and 2026.2.26’s tightened boundary checks reject bundled plugin manifests as “unsafe plugin manifest path”.

Practical workarounds (today)

1. Use npm for the global install (keeps the same OpenClaw version, avoids pnpm’s global symlink layout):

npm i -g openclaw@2026.2.26

2. Downgrade until a fix lands:

pnpm add -g openclaw@2026.2.25

After switching, restart the gateway and re-open http://127.0.0.1:18789/.

Recommended reading:

• https://coclaw.com/getting-started/
• https://coclaw.com/troubleshooting/

[Sid-Qin]

Submitted a fix in PR #28897.

The root cause is the rejectHardlinks check (defaulting to true) in openBoundaryFileSync — pnpm's content-addressable store makes all files hardlinks (nlink > 1), which triggers rejection for every plugin manifest and entry point.

The fix detects package manager store paths (node_modules/.pnpm/) in the resolved canonical path and skips the hardlink check only for those trusted paths. User-writable plugin directories still have full hardlink-escape protection. All existing security tests pass unchanged.

If you need an immediate workaround before the fix is merged, you can either:

1. Break existing hardlinks: find /path/to/openclaw/extensions -type f -links +1 -exec sh -c 'cp "$1" "$1.tmp" && mv "$1.tmp" "$1"' _ {} \;
2. Switch pnpm to copy mode: pnpm config set package-import-method copy
3. Downgrade to v2026.2.25