plugins registry --refresh (refreshReason: policy-changed) drops path/npm-origin plugins from plugins[]

[cjagwani]

Summary

When OpenClaw's plugin registry regenerates with refreshReason: "policy-changed" (which happens on the first sandbox run after a runtime policy mutation), the rebuild of plugins[] excludes any plugin whose installRecords[id].source is "path" or "npm". Only bundled extensions (origin: "bundled") survive the regen.

Impact

• openclaw plugins inspect <id> → Plugin not found
• openclaw config set plugins.allow ... silently strips the entry because the validator only consults plugins[], not installRecords
• TUI slash command not registered for the affected plugin
• Plugin's own subcommand (e.g. openclaw <plugin-id>) unreachable until someone re-runs openclaw plugins registry --refresh manually

Reproduced on:

• DGX Spark + Ubuntu 24.04 aarch64 + OpenClaw 2026.5.22 + OpenShell 0.0.44
• Brev T4 (n1-highcpu-4:nvidia-tesla-t4:1) + Ubuntu 22.04 + same OpenClaw/OpenShell

Common factor: sandbox onboard with GPU enabled, which mutates policy between build and first runtime. No-GPU onboard does not trigger the regen and the bug does not manifest.

Evidence

Right after first sandbox run on fresh image:

{
  "refreshReason": "policy-changed",
  "installRecords": {
    "nemoclaw":        {"source": "path", "installPath": "/sandbox/.openclaw/extensions/nemoclaw"},
    "openclaw-weixin": {"source": "npm",  "spec": "@tencent-weixin/openclaw-weixin@2.4.3"}
  },
  "plugins": [ /* 93 entries — all origin: "bundled" — nemoclaw + weixin missing */ ]
}

installRecords is preserved (file is on disk, installer ran). plugins[] is rebuilt from bundled discovery only, so the runtime view forgets both entries.

Reproducer

# Any host with GPU. Tested on Brev T4 + DGX Spark.
curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash -s -- --yes-i-accept-third-party-software
nemoclaw onboard --non-interactive --yes --name my-assistant \
  --agent openclaw --gpu --sandbox-gpu --fresh

SBX=$(docker ps --format '{{.Names}}' | grep '^openshell-my-assistant' | head -1)
docker exec "$SBX" cat /sandbox/.openclaw/plugins/installs.json | \
  jq '[.plugins[] | select(.id == "nemoclaw")] | length'
# → 0 (expected: 1)

Workaround

openclaw plugins registry --refresh (as the sandbox user, HOME=/sandbox) restores both plugins to the runtime registry. This works as a manual recovery but should not be required after onboard. NemoClaw is shipping a temporary post-gateway-start refresh call in their sandbox entrypoint (see related issue below); intent is to remove that workaround once this issue is fixed upstream.

Suggested fix

Either of these closes the issue:

1. Registry regen rebuilds plugins[] from installRecords ∪ bundled discovery — not bundled only. Path/npm-origin plugins survive policy-changed regen.
2. plugins.allow validator consults installRecords as a fallback when an id isn't in plugins[] — so users can pin plugins.allow even if the regen view is stale.

Option (1) is the cleaner fix because it removes the source-of-truth split between installRecords and plugins[].

Related

• [All Platform] /nemoclaw slash command not working in sandbox OpenClaw TUI NVIDIA/NemoClaw#2021 — downstream user-facing report (slash command broken in TUI)

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 2, 2026, 4:32 PM ET / 20:32 UTC.

Summary
Current main still has a source-reproducible path where a policy refresh persists a registry built from bundled discovery plus existing installRecords without resolving path/npm installs back into plugins[], so the reported external plugin disappearance remains actionable.

Reproducibility: yes. from source inspection: the policy-refresh path calls the registry refresh code, and that refresh currently discovers from search roots while only carrying installRecords along as metadata. I did not run the GPU sandbox repro, so this is source-reproducible rather than locally reproduced.

Next step
This is a concrete source-reproducible registry bug with clear likely files and no product decision blocker.

Review details

Best possible solution:

Keep this open and fix policy refresh so the canonical registry rebuild includes installed path/npm plugin records, with regression coverage for allow-list validation and CLI/plugin visibility after refresh.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection: the policy-refresh path calls the registry refresh code, and that refresh currently discovers from search roots while only carrying installRecords along as metadata. I did not run the GPU sandbox repro, so this is source-reproducible rather than locally reproduced.

Is this the best way to solve the issue?

Yes, the issue's option to rebuild plugins[] from bundled discovery plus installRecords is the best maintainable direction because it restores one canonical runtime view instead of adding a validator-only fallback.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 6af047c7f6d8.

Label changes

Label changes:

• add P2: This is a normal priority plugin-registry bug with concrete user impact for external path/npm plugins after policy refresh, but it is not a core crash or security emergency.
• add impact:other: The issue affects plugin discovery, CLI commands, and slash-command registration, which is maintainer-visible but outside the more specific owned impact labels.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:queueable-fix: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.

Label justifications:

• P2: This is a normal priority plugin-registry bug with concrete user impact for external path/npm plugins after policy refresh, but it is not a core crash or security emergency.
• impact:other: The issue affects plugin discovery, CLI commands, and slash-command registration, which is maintainer-visible but outside the more specific owned impact labels.

Evidence reviewed

Acceptance criteria:

• node scripts/run-vitest.mjs src/plugins/plugin-registry-refresh.test.ts src/plugins/plugin-config-validation.test.ts
• rg -n "policy-changed|installRecords|validatePluginAllowIds" src/plugins

What I checked:

• Policy refresh entry point: refreshPluginRegistryForPolicyChange calls refreshPluginRegistry with refreshReason: "policy-changed", so the reported first-runtime policy mutation path uses the same registry refresh machinery as the issue describes. (src/plugins/plugin-policy-refresh.ts:17, 6af047c7f6d8)
• Refresh source list: refreshPluginRegistry discovers plugins only from getPluginSearchRoots and then writes the refreshed registry with the prior installRecords object, which matches the reported split between preserved installRecords and a rebuilt plugins[] list. (src/plugins/plugin-registry-refresh.ts:47, 6af047c7f6d8)
• Install records are not converted back to plugin roots: The refresh helper threads existing.installRecords into savePluginRegistry but its discoverPluginRecords call does not use those records as plugin roots, so npm/path installs can remain known only in installRecords after policy refresh. (src/plugins/plugin-registry-refresh.ts:52, 6af047c7f6d8)
• Registry validator uses plugins[]: validatePluginAllowIds compares requested allow ids against registry.plugins and ignores installRecords, so a plugin missing from plugins[] is rejected even when its install record is still present. (src/plugins/plugin-config-validation.ts:20, 6af047c7f6d8)
• Tests cover staleness but not path/npm preservation: Existing plugin registry refresh tests cover refresh persistence and stale diagnostics, but no test asserts that policy refresh reconstructs path or npm install records into plugins[]. (src/plugins/plugin-registry-refresh.test.ts:78, 6af047c7f6d8)
• Related issue search: The only close related OpenClaw issue found is [Bug]: 2026.5.27 Refresh still says stale #87730, which tracks stale-source warnings after manual refresh rather than path/npm entries being dropped during policy refresh, so it is not a canonical duplicate.

Likely related people:

• Jakob Homan: Git history shows commit e7622dceee28fe49b7dd9c4933b8283a66938e85 introduced src/plugins/plugin-registry-refresh.ts and related plugin refresh plumbing. (role: introduced registry refresh behavior; confidence: medium; commits: e7622dceee28; files: src/plugins/plugin-registry-refresh.ts, src/plugins/plugin-policy-refresh.ts)
• OpenClaw devs: Recent registry staleness and plugin catalog commits including 159daf633dc7f140d664fbbfcb228ac12ec33a07 touched the same refresh/registry surface; available local metadata did not expose a more precise GitHub handle without email. (role: recent adjacent owner; confidence: low; commits: 159daf633dc7; files: src/plugins/plugin-registry-refresh.ts, src/plugins/plugin-registry-refresh.test.ts, src/plugins/plugin-runtime-registry.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.