All repair warnings treated as fatal convergence errors even when non-blocking

[davinci282828]

Severity: low / Confidence: medium / Category: api-contract
Triage: contract-mismatch
Detected against: openclaw v2026.5.18 (latest stable at time of scan, 2026-05-18)
Tooling: clawpatch 0.3.0 + acpx/claude-sonnet-4-5 via Brad Mills protocol

Evidence

• src/cli/update-cli/post-core-plugin-convergence.ts:60-85 (runPostCorePluginConvergence)

const warnings: PostCoreConvergenceWarning[] = repair.warnings.map((message) => ({
    reason: message,
    message,
    guidance: [REPAIR_GUIDANCE],
  }));
  ...
  return {
    changes: repair.changes,
    warnings,
    errored: warnings.length > 0,
    smokeFailures: smoke.failures,
    installRecords: records,
  };

Reasoning

repairMissingConfiguredPluginInstalls can emit informational warnings (e.g. a plugin that was already up-to-date, a no-op repair). All such messages are appended to warnings before the smoke failures, and errored: warnings.length > 0 fires on ANY non-empty warning list. This means a purely informational repair observation blocks the gateway restart. The downstream convergenceWarningsToOutcomes propagates errored to set the plugin update status: 'error', which the outer caller uses for exit 1. The confidence is medium because the contract of repair.warnings from repairMissingConfiguredPluginInstalls cannot be fully verified from these files alone — if repair.warnings are always actionable, this is correct.

Reproduction

Trigger a repair run that emits a warning that is not a hard failure (e.g. a plugin repair that partially succeeds with a note). The update will refuse to restart.

Recommendation

Distinguish fatal convergence failures from soft repair observations. Either: (a) have repairMissingConfiguredPluginInstalls return a structured result with errors vs warnings, or (b) set errored: smoke.failures.length > 0 || repair.errors?.length > 0 rather than keying off total warning count. Document in PostCoreConvergenceResult whether errored is set only on hard failures.

Why existing tests miss this

No tests exist for runPostCorePluginConvergence.

Suggested regression test

it('errored is false when only soft repair warnings exist and smoke passes', async () => { /* mock repairMissingConfiguredPluginInstalls to return warnings:['note'] and runPluginPayloadSmokeCheck to return no failures */ const result = await runPostCorePluginConvergence(...); expect(result.errored).toBe(false); });

Minimum fix scope

Clarify the contract of repair.warnings and key errored only on genuine hard failures (smoke failures + repair errors), not soft warnings.

---

Standardized clawpatch finding. Persistent in v2026.5.18 (not resolved by upgrading from v2026.5.12). Finding ID: fnd_sig-feat-cli-command-0e1f16a0ce-_3cbd805bec.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: current main still makes post-core convergence fatal for any repair warning, while the repair/update producer can emit documented soft fallback warnings after a successful plugin update.

Reproducibility: yes. from source inspection: make repairMissingConfiguredPluginInstalls return only a soft warning while runPluginPayloadSmokeCheck returns no failures, and current convergence still returns errored: true. Existing update tests show successful fallback warnings are a real producer contract, though I did not execute tests in this read-only sweep.

Next step
This is a focused repair candidate because the affected convergence contract, producer signal, and regression tests are localized.

Review details

Best possible solution:

Keep mandatory convergence fatal for failed repair installs and smoke-check failures, but let successful repair/update warnings surface as postUpdate.plugins.status: "warning" without blocking restart.

Do we have a high-confidence way to reproduce the issue?

Yes, from source inspection: make repairMissingConfiguredPluginInstalls return only a soft warning while runPluginPayloadSmokeCheck returns no failures, and current convergence still returns errored: true. Existing update tests show successful fallback warnings are a real producer contract, though I did not execute tests in this read-only sweep.

Is this the best way to solve the issue?

No, the current implementation is not the best fix because it uses warning count as the fatality signal. The safer repair is to key errored on repair.failedPluginIds and smoke.failures, while preserving warning output for operator visibility.

Label justifications:

• P2: This is a normal-priority update/plugin repair bug with a clear source path and limited blast radius.
• impact:crash-loop: The reported failure can block the post-update Gateway restart path even when plugin repair only produced a nonfatal warning.

Acceptance criteria:

• node scripts/run-vitest.mjs src/cli/update-cli/post-core-plugin-convergence.test.ts
• node scripts/run-vitest.mjs src/commands/doctor/shared/missing-configured-plugin-install.test.ts src/plugins/update.test.ts

What I checked:

• Current convergence fatal flag: runPostCorePluginConvergence maps every repair.warnings entry into convergence warnings, then returns errored: warnings.length > 0, so a soft repair warning is indistinguishable from a hard convergence failure. (src/cli/update-cli/post-core-plugin-convergence.ts:102, e9989f3a92e5)
• Downstream update failure path: runPostCorePluginUpdate returns status: "error" when convergence errored, and the outer update result then becomes status: "error" with an exit 1 path. (src/cli/update-cli/update-command.ts:1691, e9989f3a92e5)
• Repair producer has separate failure signal: The repair path captures updateNpmInstalledPlugins logger warnings into warnings, but only outcome.status === "error" adds a failed plugin id, which suggests warnings are not all fatal by contract. (src/commands/doctor/shared/missing-configured-plugin-install.ts:1143, e9989f3a92e5)
• Soft warning source: updateNpmInstalledPlugins emits beta/ClawHub fallback warnings that explicitly say the core update can still complete, and tests assert those warnings alongside successful updated outcomes. (src/plugins/update.ts:1577, e9989f3a92e5)
• Documented nonfatal warning behavior: The shipped update docs and appcast describe plugin fallback warnings as warnings that should keep update/Gateway reachability from looking failed, which conflicts with convergence keying fatality only on warning count. Public docs: docs/cli/update.md. (docs/cli/update.md:220, e9989f3a92e5)
• History/provenance: The shallow checkout’s blame attributes the current convergence fatal flag and related repair/update warning paths to commit c92ebd6; the changelog also credits the post-core convergence feature to fix(update): mandatory post-core plugin convergence before gateway restart #79143. (src/cli/update-cli/post-core-plugin-convergence.ts:102, c92ebd6a4104)

Likely related people:

• @BKF-Gitty: The changelog credits the mandatory post-core convergence feature to this contributor via fix(update): mandatory post-core plugin convergence before gateway restart #79143, which is the affected behavior boundary. (role: feature contributor; confidence: medium; files: src/cli/update-cli/post-core-plugin-convergence.ts, src/commands/doctor/shared/missing-configured-plugin-install.ts)
• Tak Hoffman: Local blame in the shallow checkout attributes the current convergence and repair/update warning lines to commit c92ebd6, though the shallow boundary limits finer provenance. (role: recent area contributor; confidence: low; commits: c92ebd6a4104; files: src/cli/update-cli/post-core-plugin-convergence.ts, src/commands/doctor/shared/missing-configured-plugin-install.ts, src/plugins/update.ts)

Remaining risk / open question:

• I did not run a live update flow; the reproduction confidence comes from source and existing unit-test contracts showing successful plugin fallback warnings can be emitted through the same warning channel.

Codex review notes: model gpt-5.5, reasoning high; reviewed against e9989f3a92e5.