fix(gateway): pin plugin webhook route registry

[steipete]

Summary

• fix plugin HTTP route desynchronization by pinning a dedicated HTTP-route registry for the gateway lifetime
• route runtime webhook registration through that pinned registry instead of the later active plugin registry pointer
• make plugin auth preflight and plugin request dispatch resolve routes from the same live HTTP-route registry
• add regression coverage for active-registry churn, explicit-registry fallback, and pinned-route registration

Change Type

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Fixes [Bug]: Regression: all plugin HTTP routes return 404 — plugin registry mismatch (BlueBubbles webhook never reachable) #46924
• Fixes [Bug]: Plugin HTTP routes invisible to gateway — registry desynchronization in createGatewayPluginRequestHandler #47041
• Related BlueBubbles webhook route invisible to gateway handler (registry object mismatch) #45598
• Related [Bug]: BlueBubbles webhook appears to be listening, but POST /bluebubbles-webhook returns 404 in OpenClaw 2026.3.12 #45620
• Related BlueBubbles webhook returns 404 despite plugin logging 'listening on /bluebubbles-webhook' #47468
• Supersedes fix(plugins): preserve channel webhook routes across registry replacements #47676

User-visible / Behavior Changes

• channel webhooks that register routes at runtime (for example BlueBubbles) remain reachable after plugin-registry churn instead of falling through to 404
• plugin HTTP auth preflight and dispatch now agree on the route registry they inspect

Security Impact

• New permissions/capabilities? No
• Secrets/tokens handling changed? No
• New/changed network calls? No
• Command/tool execution surface changed? No
• Data access scope changed? No

Repro + Verification

Steps

1. Start the gateway with a channel that registers a webhook route at runtime.
2. Replace the active plugin registry during later plugin-loader activity.
3. POST to the webhook path.

Before

• runtime route can be registered into a different registry object than the one the gateway auth/dispatch path reads
• webhook request falls through to 404 or mismatched auth behavior

After

• runtime route stays in the pinned gateway route registry
• auth preflight and dispatch resolve the same route set

Evidence

• pnpm test -- src/plugins/runtime.test.ts src/plugins/http-registry.test.ts src/gateway/server/plugins-http.test.ts src/gateway/config-reload.test.ts
• pnpm tsgo
• pnpm build
• pnpm check

Human Verification

• verified the exact registry-churn failure mode with dedicated regression tests
• verified explicit-registry callers still work when the pinned route registry is empty
• verified route registration cleanup on shutdown/release path

[cursor]

PR Summary

Medium Risk
Changes how plugin HTTP routes are registered and resolved for gateway auth/dispatch, which can affect webhook reachability and authorization behavior. Risk is moderate due to central request-routing changes, but scope is contained and covered by new regression tests.

Overview
Fixes plugin webhook route desynchronization by pinning a dedicated plugin HTTP-route registry at gateway startup and using it consistently for both auth preflight and request dispatch, even if the active plugin registry pointer later changes.

Adds lifecycle management to release the pinned registry on shutdown (including error paths), and updates registerPluginHttpRoute to target the pinned HTTP-route registry by default. Expands tests to cover registry churn, pinned-vs-explicit fallback behavior, and late route registration into the startup registry.

^{Written by Cursor Bugbot for commit c336a20. This will update automatically on new commits. Configure here.}

[greptile-apps]

Greptile Summary

This PR fixes a plugin HTTP route desynchronization bug where runtime-registered webhook routes (e.g. BlueBubbles) could end up in a different PluginRegistry object than the one the gateway's auth-preflight and dispatch paths were inspecting — causing 404s or auth mismatches after plugin-registry churn. The fix pins a dedicated httpRouteRegistry in global state at gateway startup, routes all registerPluginHttpRoute calls to that pinned registry, and makes both the auth-preflight (shouldEnforceGatewayAuthForPluginPath) and the dispatch handler (createGatewayPluginRequestHandler) resolve routes from the same live registry on every request.

Key changes:

• src/plugins/runtime.ts: introduces pinActivePluginHttpRouteRegistry, releasePinnedPluginHttpRouteRegistry, and resolveActivePluginHttpRouteRegistry alongside the two existing get/requireActive helpers.
• src/plugins/http-registry.ts: registerPluginHttpRoute now targets requireActivePluginHttpRouteRegistry() instead of requireActivePluginRegistry(), so runtime registrations land in the pinned registry even after the active registry pointer is replaced.
• src/gateway/server-runtime-state.ts: calls pinActivePluginHttpRouteRegistry at the start of setup and releases it on both success (via returned releasePluginRouteRegistry) and failure (catch block).
• src/gateway/server-close.ts: wraps the shutdown sequence in try/finally to guarantee releasePluginRouteRegistry is always called.
• Tests comprehensively cover registry-churn regression, explicit-registry fallback, and cleanup paths.

Two minor style observations are noted inline in runtime.ts: the resolveActivePluginHttpRouteRegistry heuristic should be documented to make the "pinned wins when non-empty" invariant explicit, and the getActivePluginHttpRouteRegistry return type could drop | null since the registry is always initialized.

Confidence Score: 4/5

• This PR is safe to merge; it is a targeted, well-tested bug fix with no security surface changes.
• The core logic is correct and directly mirrors the described failure mode. Both resolveActivePluginHttpRouteRegistry call-sites pass the same startup pluginRegistry as the fallback, so the implicit route-count heuristic is safe in production. The try/finally refactor in server-close.ts preserves original exception behaviour while adding the registry-release guarantee. New tests cover all three branches (churn, empty-pinned fallback, pinned-preference). Score of 4 rather than 5 reflects the two minor style gaps flagged inline (undocumented heuristic and spurious | null in the return type).
• src/plugins/runtime.ts — the resolveActivePluginHttpRouteRegistry heuristic and getActivePluginHttpRouteRegistry return type are worth a second look before future callers are added.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: src/plugins/runtime.ts
Line: 80-91

Comment:
**Implicit route-count heuristic silently drops fallback routes**

`resolveActivePluginHttpRouteRegistry` returns the pinned registry whenever it has **any** routes (`routeCount > 0`), completely ignoring routes that may exist in `fallback`. In the current production call-sites both arguments point to the same `pluginRegistry` object, so this is harmless. However, if a future caller passes a distinct `fallback` that has routes the pinned registry doesn't own, those routes will be silently unreachable once the pinned registry accumulates even a single entry.

Adding a brief doc comment explaining the intended tie-breaking rule (pinned wins when non-empty, fallback wins only when pinned is empty) would make the invariant explicit and easier to verify:

```suggestion
/**
 * Returns the pinned HTTP-route registry when it owns at least one route;
 * otherwise falls back to the provided registry.  Both the auth-preflight
 * and the dispatch path must pass the same `fallback` object so that the
 * two code paths always agree on which registry to consult.
 */
export function resolveActivePluginHttpRouteRegistry(fallback: PluginRegistry): PluginRegistry {
  const routeRegistry = getActivePluginHttpRouteRegistry();
  if (!routeRegistry) {
    return fallback;
  }
  const routeCount = routeRegistry.httpRoutes?.length ?? 0;
  const fallbackRouteCount = fallback.httpRoutes?.length ?? 0;
  if (routeCount === 0 && fallbackRouteCount > 0) {
    return fallback;
  }
  return routeRegistry;
}
```

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: src/plugins/runtime.ts
Line: 66-68

Comment:
**Dead `!routeRegistry` branch in `getActivePluginHttpRouteRegistry`**

`state.httpRouteRegistry ?? state.registry` can only return `null` when both fields are `null`. `state.registry` is always initialized to `createEmptyPluginRegistry()` at module load and `setActivePluginRegistry` only accepts a non-nullable `PluginRegistry`, so this function will never return `null`. The callers that check `if (!routeRegistry)` (e.g. `resolveActivePluginHttpRouteRegistry` line 82) therefore have unreachable branches. This is minor, but updating the return type to `PluginRegistry` (dropping `| null`) would make the guarantee explicit and let TypeScript remove those dead checks upstream.

How can I resolve this? If you propose a fix, please make it concise.

_{Last reviewed commit: c336a20}

[greptile-apps]

Implicit route-count heuristic silently drops fallback routes

resolveActivePluginHttpRouteRegistry returns the pinned registry whenever it has any routes (routeCount > 0), completely ignoring routes that may exist in fallback. In the current production call-sites both arguments point to the same pluginRegistry object, so this is harmless. However, if a future caller passes a distinct fallback that has routes the pinned registry doesn't own, those routes will be silently unreachable once the pinned registry accumulates even a single entry.

Adding a brief doc comment explaining the intended tie-breaking rule (pinned wins when non-empty, fallback wins only when pinned is empty) would make the invariant explicit and easier to verify:

Suggested change

	export function resolveActivePluginHttpRouteRegistry(fallback: PluginRegistry): PluginRegistry {
	const routeRegistry = getActivePluginHttpRouteRegistry();
	if (!routeRegistry) {
	return fallback;
	}
	const routeCount = routeRegistry.httpRoutes?.length ?? 0;
	const fallbackRouteCount = fallback.httpRoutes?.length ?? 0;
	if (routeCount === 0 && fallbackRouteCount > 0) {
	return fallback;
	}
	return routeRegistry;
	}
	/**
	* Returns the pinned HTTP-route registry when it owns at least one route;
	* otherwise falls back to the provided registry. Both the auth-preflight
	* and the dispatch path must pass the same `fallback` object so that the
	* two code paths always agree on which registry to consult.
	*/
	export function resolveActivePluginHttpRouteRegistry(fallback: PluginRegistry): PluginRegistry {
	const routeRegistry = getActivePluginHttpRouteRegistry();
	if (!routeRegistry) {
	return fallback;
	}
	const routeCount = routeRegistry.httpRoutes?.length ?? 0;
	const fallbackRouteCount = fallback.httpRoutes?.length ?? 0;
	if (routeCount === 0 && fallbackRouteCount > 0) {
	return fallback;
	}
	return routeRegistry;
	}

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/plugins/runtime.ts
Line: 80-91

Comment:
**Implicit route-count heuristic silently drops fallback routes**

`resolveActivePluginHttpRouteRegistry` returns the pinned registry whenever it has **any** routes (`routeCount > 0`), completely ignoring routes that may exist in `fallback`. In the current production call-sites both arguments point to the same `pluginRegistry` object, so this is harmless. However, if a future caller passes a distinct `fallback` that has routes the pinned registry doesn't own, those routes will be silently unreachable once the pinned registry accumulates even a single entry.

Adding a brief doc comment explaining the intended tie-breaking rule (pinned wins when non-empty, fallback wins only when pinned is empty) would make the invariant explicit and easier to verify:

```suggestion
/**
 * Returns the pinned HTTP-route registry when it owns at least one route;
 * otherwise falls back to the provided registry.  Both the auth-preflight
 * and the dispatch path must pass the same `fallback` object so that the
 * two code paths always agree on which registry to consult.
 */
export function resolveActivePluginHttpRouteRegistry(fallback: PluginRegistry): PluginRegistry {
  const routeRegistry = getActivePluginHttpRouteRegistry();
  if (!routeRegistry) {
    return fallback;
  }
  const routeCount = routeRegistry.httpRoutes?.length ?? 0;
  const fallbackRouteCount = fallback.httpRoutes?.length ?? 0;
  if (routeCount === 0 && fallbackRouteCount > 0) {
    return fallback;
  }
  return routeRegistry;
}
```

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

Dead !routeRegistry branch in getActivePluginHttpRouteRegistry

state.httpRouteRegistry ?? state.registry can only return null when both fields are null. state.registry is always initialized to createEmptyPluginRegistry() at module load and setActivePluginRegistry only accepts a non-nullable PluginRegistry, so this function will never return null. The callers that check if (!routeRegistry) (e.g. resolveActivePluginHttpRouteRegistry line 82) therefore have unreachable branches. This is minor, but updating the return type to PluginRegistry (dropping | null) would make the guarantee explicit and let TypeScript remove those dead checks upstream.

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/plugins/runtime.ts
Line: 66-68

Comment:
**Dead `!routeRegistry` branch in `getActivePluginHttpRouteRegistry`**

`state.httpRouteRegistry ?? state.registry` can only return `null` when both fields are `null`. `state.registry` is always initialized to `createEmptyPluginRegistry()` at module load and `setActivePluginRegistry` only accepts a non-nullable `PluginRegistry`, so this function will never return `null`. The callers that check `if (!routeRegistry)` (e.g. `resolveActivePluginHttpRouteRegistry` line 82) therefore have unreachable branches. This is minor, but updating the return type to `PluginRegistry` (dropping `| null`) would make the guarantee explicit and let TypeScript remove those dead checks upstream.

How can I resolve this? If you propose a fix, please make it concise.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c336a20564

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Release pinned route registry on startup failure

createGatewayRuntimeState now pins the process-global HTTP route registry, but releasePluginRouteRegistry is only wired into the later shutdown path. If any awaited startup step after this point fails (for example sidecar/bootstrap work), startGatewayServer rejects before the close handler exists, so the pin is never released and later registerPluginHttpRoute calls in the same process can write to an orphaned registry object.

Useful? React with 👍 / 👎.