doctor --fix removes allow-only externalized plugins (lobster) during v2026.5.2 one-time migration

[kmanan]

Summary

When upgrading from v2026.4.27 to v2026.5.2, openclaw doctor --fix triggers a one-time plugin externalization migration that silently removes lobster (and potentially other allow-only externalized plugins) from both plugins.allow and plugins.entries in openclaw.json. This breaks all cron jobs that depend on lobster pipelines (briefings, digests, etc.) with no warning or error message.

Steps to Reproduce

1. Running v2026.4.27 with lobster configured:
   • plugins.allow: ["bluebubbles", "lobster", ...]
   • plugins.entries.lobster: { "enabled": true, "config": {} }
   • Multiple cron jobs running lobster pipelines (ClawFlow briefings/digests)
2. Upgrade to v2026.5.2: npm install -g openclaw
3. Run openclaw doctor --fix
4. Check config: lobster is gone from both plugins.allow and plugins.entries

Expected Behavior

Doctor should detect that lobster is in plugins.allow, recognize it as an official external plugin (it's in the catalog as @openclaw/lobster), install it via npm, and preserve the allow/entries configuration.

Actual Behavior

• Doctor's one-time release step (collectReleaseConfiguredPluginIds) does NOT read plugins.allow to determine which plugins to install
• It only collects from: channels, providers, model refs, slots, agent harness runtimes, web search/fetch providers
• Lobster is a pure workflow runtime plugin — none of those categories
• The stale-entry cleanup then runs, sees lobster has no install record, and calls removePluginFromConfig which wipes it from allow + entries
• All lobster-dependent cron jobs silently fail on next fire

Impact

In our case this silently broke 6 cron jobs (4 briefing/digest pipelines + 2 health checks) that all use .lobster pipeline files. No error was surfaced — cron just produced nothing. We only caught it because we verified immediately after upgrade.

Root Cause (confirmed in source)

• release-configured-plugin-installs-CvfnGeYf.js lines 151-173: collectReleaseConfiguredPluginIds calls multiple collect* helpers but never reads config.plugins.allow
• missing-configured-plugin-install-A5tUUqKF.js lines 46-67: The non-release repair function (collectConfiguredPluginIds) DOES read plugins.allow, but the release step bypasses it — it calls repairMissingPluginInstallsForIds with its own narrower collection instead of repairMissingConfiguredPluginInstalls
• uninstall-TRIhnPr4.js lines 181-270: removePluginFromConfig wipes allow, entries, installs, and load.paths

Suggested Fix

In collectReleaseConfiguredPluginIds, add plugins.allow entries to the collection set. Specifically: for each ID in config.plugins.allow, if it appears in listOfficialExternalPluginCatalogEntries() (i.e., it was a bundled plugin that's now external), include it in the set passed to repairMissingPluginInstallsForIds.

Alternatively, the release step could call repairMissingConfiguredPluginInstalls (which already reads allow) instead of constructing its own narrower set.

Workaround

Manually install the external package before running doctor:

npm install -g @openclaw/lobster
openclaw doctor --fix

Or re-add lobster to the config after doctor removes it:

openclaw plugins install @openclaw/lobster
# Then manually re-add "lobster" to plugins.allow and plugins.entries in openclaw.json

Environment

• OpenClaw v2026.5.2
• macOS 15.5 (Darwin 25.0.0)
• lobster plugin configured as workflow runtime for ClawFlow/.lobster pipeline files
• Also affects v2026.5.3-beta.1 through beta.4 (checked — same code path)

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open: current main appears to protect material plugins.entries usage, but it still intentionally excludes allow-only plugin ids from the release install repair, and stale cleanup can remove those ids afterward.

Reproducibility: yes. by source inspection: current main tests and implementation show allow-only plugin ids are not passed to the missing-install repair, while stale cleanup removes missing allow and entry references. I did not live-run doctor because this was a read-only review.

Next step
This is a narrow doctor migration bug with clear source paths, tests to update, and no product/config decision needed.

Review details

Best possible solution:

Teach the one-time release repair to include plugins.allow ids that resolve to official external catalog entries, then install those before stale cleanup without changing normal arbitrary allowlist behavior.

Do we have a high-confidence way to reproduce the issue?

Yes, by source inspection: current main tests and implementation show allow-only plugin ids are not passed to the missing-install repair, while stale cleanup removes missing allow and entry references. I did not live-run doctor because this was a read-only review.

Is this the best way to solve the issue?

Yes, the narrowest maintainable fix is to add only official external catalog matches from plugins.allow to the release migration set, preserving the existing rule that arbitrary allow-only plugin ids are not installed by normal repair.

Acceptance criteria:

• pnpm test src/commands/doctor/shared/release-configured-plugin-installs.test.ts src/commands/doctor/shared/missing-configured-plugin-install.test.ts src/commands/doctor/shared/stale-plugin-config.test.ts
• pnpm exec oxfmt --check --threads=1 src/commands/doctor/shared/release-configured-plugin-installs.ts src/commands/doctor/shared/release-configured-plugin-installs.test.ts CHANGELOG.md
• pnpm check:changed

What I checked:

• Release collector omits allow-only ids: collectReleaseConfiguredPluginIds collects auto-enable candidates, material plugin entries, slots, providers, harness runtimes, web search, ACP, and channels, but has no pass over plugins.allow itself. (src/commands/doctor/shared/release-configured-plugin-installs.ts:277, fa689295c649)
• Existing test encodes allow-only exclusion: The release collector test is named collects used plugin ids without treating allow-only entries as usage and expects plugins.allow: ["allow-only"] not to appear in pluginIds. (src/commands/doctor/shared/release-configured-plugin-installs.test.ts:74, fa689295c649)
• Normal missing-install repair also excludes allow-only ids: repairMissingConfiguredPluginInstalls collects non-disabled plugins.entries and other configured surfaces, and its test asserts that a plugin merely listed in plugins.allow is not installed. (src/commands/doctor/shared/missing-configured-plugin-install.test.ts:942, fa689295c649)
• Stale cleanup removes missing allow and entry refs: scanStalePluginConfig flags unknown ids in plugins.allow and plugins.entries, and maybeRepairStalePluginConfig removes them when discovery is healthy. (src/commands/doctor/shared/stale-plugin-config.ts:103, fa689295c649)
• Lobster is in the official external plugin catalog: The catalog maps plugin id lobster to the npm package @openclaw/lobster, matching the issue’s proposed official-external-plugin boundary. (scripts/lib/official-external-plugin-catalog.json:123, fa689295c649)
• Doctor docs promise migration repair for configured downloadable plugins: The doctor docs say the 2026.5.2 pass automatically installs downloadable plugins an older config already uses and preserves configured plugin entries on install failure. Public docs: docs/cli/doctor.md. (docs/cli/doctor.md:48, fa689295c649)

Likely related people:

• Peter Steinberger: Current-main blame and local history for the release install repair, missing-install repair, stale cleanup, and doctor health contribution all point to this commit touching the relevant doctor/plugin repair flow. (role: recent maintainer; confidence: medium; commits: 7d26fb32a717; files: src/commands/doctor/shared/release-configured-plugin-installs.ts, src/commands/doctor/shared/missing-configured-plugin-install.ts, src/commands/doctor/shared/stale-plugin-config.ts)

Remaining risk / open question:

• The exact reported plugins.entries.lobster.enabled=true shape is now collected as a material entry on current main; the remaining high-confidence gap is official external plugins present only in plugins.allow.

Codex review notes: model gpt-5.5, reasoning high; reviewed against fa689295c649.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/25304726346
• Updated: 2026-05-04T06:44:13.113Z

[hclsys]

PR #77193 addresses this. Root cause: collectReleaseConfiguredPluginIds never included plugins.allow entries that lack a material plugins.entries record, so allow-only official plugins (e.g. lobster) were not passed to the release repair install step. Stale-config cleanup then removed them from plugins.allow.

Fix gates on getOfficialExternalPluginCatalogEntry so only official external catalog entries are added to the repair set — arbitrary unofficial allow-list ids remain excluded.