
fix: mirror bundled extension deps in root package.json (#48189) #48447

Closed
pragun-ananda wants to merge 4 commits into openclaw:main from pragun-ananda:claude/fix-issue-48189-PzNRa


@pragun-ananda


Extension-only dependencies (google-auth-library, zca-js, nostr-tools, @microsoft/agents-hosting, @matrix-org/matrix-sdk-crypto-nodejs, @vector-im/matrix-bot-sdk, music-metadata, @tloncorp/api, @tloncorp/tlon-skill, @urbit/aura) were not in root package.json, causing "Cannot find package" errors at runtime in Docker and npm global installs.

Add all to root dependencies and remove the now-unnecessary rootDependencyMirrorAllowlist entries from each extension.

Summary

Describe the problem and fix in 2–5 bullets:

  • Problem: Extension-only dependencies were not in root package.json, causing "Cannot find package" errors at runtime in Docker and npm global installs.
  • Why it matters: Breaks the onboarding flow using Docker
  • What changed: package.json - Added extension-only dependencies there

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

User-visible / Behavior Changes

List user-visible changes (including defaults/config).
If none, write None.

None

Security Impact (required)

  • New permissions/capabilities? (No)
  • Secrets/tokens handling changed? (No)
  • New/changed network calls? (No)
  • Command/tool execution surface changed? (No)
  • Data access scope changed? (No)
  • If any Yes, explain risk + mitigation:

Repro + Verification

Environment

  • OS: macOS
  • Runtime/container: Docker (via ./docker-setup.sh)
  • Model/provider: N/A
  • Integration/channel (if any):
  • Relevant config (redacted):

Steps

  1. Run ./docker-setup.sh
  2. Reach "Gateway Token stage" and click enter

Expected

  • Proceed to the Channel setup step.

Actual

  • Error [ERR_MODULE_NOT_FOUND]: Cannot find package 'google-auth-library' imported from /app/dist/api-0XGYdJRK.js

Evidence

Attach at least one:

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)
[Screenshot: openclaw-onboarding-success]

Human Verification (required)

What you personally verified (not just CI), and how:

  • Verified scenarios: Went through the onboarding flow on the branch with this commit.
  • Edge cases checked:
  • What you did not verify:

Review Conversations

  • I replied to or resolved every bot review conversation I addressed in this PR.
  • I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

  • Backward compatible? (No)
  • Config/env changes? (Yes)
  • Migration needed? (No)
  • If yes, exact upgrade steps:

Failure Recovery (if this breaks)

  • Files/config to restore: package.json

Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write None.

  • Risk: Onboarding flow stays broken
    • Mitigation: Revert this PR

Extension-only dependencies (google-auth-library, zca-js, nostr-tools,
@microsoft/agents-hosting, @matrix-org/matrix-sdk-crypto-nodejs,
@vector-im/matrix-bot-sdk, music-metadata, @tloncorp/api,
@tloncorp/tlon-skill, @urbit/aura) were not in root package.json, causing
"Cannot find package" errors at runtime in Docker and npm global installs.

Add all to root dependencies and remove the now-unnecessary
rootDependencyMirrorAllowlist entries from each extension.

https://claude.ai/code/session_01Lr4en2wqoPyrJfnyV8YxNh
@openclaw-barnacle (bot) added labels on Mar 16, 2026: channel: googlechat, channel: matrix, channel: msteams, channel: nostr, channel: tlon, channel: zalouser, size: XS
@greptile-apps

greptile-apps Bot commented Mar 16, 2026

Contributor

Greptile Summary

This PR fixes a runtime "Cannot find package" error in Docker and npm global installs by mirroring 10 extension-only dependencies (google-auth-library, zca-js, nostr-tools, @microsoft/agents-hosting, @matrix-org/matrix-sdk-crypto-nodejs, @vector-im/matrix-bot-sdk, music-metadata, @tloncorp/api, @tloncorp/tlon-skill, @urbit/aura) into the root package.json, and removes the now-redundant releaseChecks.rootDependencyMirrorAllowlist entries from each affected extension manifest.

  • All 10 added root dependency version specifiers exactly match those declared in their respective extension package.json files — no version drift introduced.
  • The releaseChecks.rootDependencyMirrorAllowlist removal is safe: bundled-extension-manifest.ts defaults to an empty array when the field is absent, and release-check.ts will now correctly pass because missing (deps not in root) and allowlisted (now []) both evaluate to [] for each affected extension.
  • Future enforcement is preserved and actually tightened: any new extension dependency not in root will trigger a "new gaps" CI failure without requiring a developer to explicitly add an allowlist entry first.
  • The pnpm-lock.yaml is updated consistently with all new root-level resolutions.

Confidence Score: 5/5

  • This PR is safe to merge — it adds missing runtime dependencies to root without introducing any version drift or breaking changes to existing checks.
  • All added version specifiers exactly match the extension-level declarations, the release-check CI mechanism continues to work correctly (and is arguably stricter post-PR), the lock file is updated consistently, and the fix has been manually verified through the Docker onboarding flow. No logic changes were made — only dependency manifest updates.
  • No files require special attention.

Last reviewed commit: 09d3014

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 98b864e293

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread package.json Outdated
@steipete

Contributor

Closing this as implemented after Codex review.

Close. Current main already addresses the Docker/global-install bundled-runtime-dependency problem with a different design: bundled plugin runtime deps stay plugin-local, are staged into an external writable runtime directory for read-only/root-owned installs, and Docker E2E coverage now guards against the original Cannot find package failure path. This PR's root-package.json mirroring approach is obsolete on current main and would conflict with the new package-manifest contract.

What I checked:

  • Current contract keeps these deps plugin-local: src/plugins/contracts/package-manifest.contract.test.ts:30-32,54-63,73-81,86-88 marks google-auth-library, Matrix crypto deps, music-metadata, nostr-tools, and Teams runtime deps as pluginLocalRuntimeDeps, not root-mirrored. (src/plugins/contracts/package-manifest.contract.test.ts:30, 48b9452c0795)
  • Helper enforces plugin-local deps must be absent from root package.json: test/helpers/plugins/package-manifest-contract.ts:35-49 asserts plugin-local runtime deps exist in the plugin manifest and are undefined in the root manifest; root mirroring is only allowed for explicit mirroredRootRuntimeDeps entries at :53-67. (test/helpers/plugins/package-manifest-contract.ts:35, 48b9452c0795)
  • Google Chat and Matrix manifests now opt into staged runtime deps: extensions/googlechat/package.json:7-10,24-27 and extensions/matrix/package.json:6-14 keep those dependencies inside each plugin, with openclaw.bundle.stageRuntimeDependencies: true on Google Chat. (extensions/googlechat/package.json:7, 4013c658537e)
  • Root package no longer mirrors the PR's dependency list: package.json:1580-1615 shows root dependencies like express, markdown-it, and https-proxy-agent, but not google-auth-library, nostr-tools, Matrix crypto deps, music-metadata, or zca-js; current main intentionally does not mirror them. (package.json:1580, 4013c658537e)
  • Main has a dedicated guard for root-owned/global installs: scripts/e2e/bundled-channel-runtime-deps-docker.sh:535-557 fails if the packaged tree is mutated, requires dependency sentinels under OPENCLAW_PLUGIN_STAGE_DIR, and explicitly errors on failed to install bundled runtime deps / Cannot find package 'openclaw' / Cannot find module 'openclaw/plugin-sdk'. docs/install/updating.md:57-72 documents the same read-only install staging model. (scripts/e2e/bundled-channel-runtime-deps-docker.sh:535, 48b9452c0795)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against 4013c658537e; fix evidence: commit 48b9452c0795.

@steipete steipete closed this Apr 25, 2026
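
The manifest contract described in the closing comment above (plugin-local runtime deps declared in the plugin manifest and absent from root, root mirroring only for explicit entries), sketched as an added JavaScript example. It is not OpenClaw's code: `checkManifestContract`, its argument shape, the sample manifests and the same-specifier rule for mirrored entries are assumptions.

```javascript
// Added example, not OpenClaw code: checkManifestContract and its argument shape are hypothetical.
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function checkManifestContract({ root, plugin, pluginLocalRuntimeDeps = [], mirroredRootRuntimeDeps = [] }) {
  const rootDeps = root.dependencies ?? {};
  const pluginDeps = plugin.dependencies ?? {};
  const mirrored = new Set(mirroredRootRuntimeDeps);
  const violations = [];

  // Plugin-local deps: declared by the plugin, absent from the root manifest.
  for (const dep of pluginLocalRuntimeDeps) {
    if (!own(pluginDeps, dep)) violations.push(`${dep}: not declared in ${plugin.name}`);
    if (own(rootDeps, dep)) violations.push(`${dep}: plugin-local but present in root`);
  }
  // Explicitly mirrored deps: declared in both, with the same specifier (assumed rule).
  for (const dep of mirrored) {
    if (!own(pluginDeps, dep) || !own(rootDeps, dep)) {
      violations.push(`${dep}: mirrored dep must be declared in plugin and root`);
    } else if (pluginDeps[dep] !== rootDeps[dep]) {
      violations.push(`${dep}: specifier drift (${pluginDeps[dep]} vs ${rootDeps[dep]})`);
    }
  }
  // Anything else the plugin shares with root is a mirror nobody approved.
  for (const dep of Object.keys(pluginDeps)) {
    if (own(rootDeps, dep) && !mirrored.has(dep) && !pluginLocalRuntimeDeps.includes(dep)) {
      violations.push(`${dep}: mirrored in root without an explicit entry`);
    }
  }
  return violations;
}

// Constructed manifests; names other than google-auth-library and express,
// and all version specifiers, are placeholders.
const plugin = {
  name: "example-channel",
  dependencies: { "google-auth-library": "^1.0.0", "example-shared": "^2.0.0" },
};
const contract = {
  plugin,
  pluginLocalRuntimeDeps: ["google-auth-library"],
  mirroredRootRuntimeDeps: ["example-shared"],
};
const stagedRoot = { dependencies: { express: "^1.0.0", "example-shared": "^2.0.0" } };
const mirroredRoot = { dependencies: { ...stagedRoot.dependencies, "google-auth-library": "^1.0.0" } };
const driftedRoot = { dependencies: { express: "^1.0.0", "example-shared": "^2.1.0" } };

console.log(checkManifestContract({ ...contract, root: stagedRoot }));
console.log(checkManifestContract({ ...contract, root: mirroredRoot }));
console.log(checkManifestContract({ ...contract, root: driftedRoot }));
```

The second call models the root-mirroring approach this PR proposed and is the one the contract rejects.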

Development

Successfully merging this pull request may close these issues.

[Bug]: Installation/Onboarding Issue

3 participants