fix(plugins): require host floor for new sdk subpaths #51982

Closed
vincentkoc wants to merge 2 commits into main from fix/plugin-host-peer-floor

Conversation

@vincentkoc (Member)

Summary

  • Problem: several installable channel plugins that now depend on new openclaw/plugin-sdk/* subpaths still marked the openclaw peer optional, and irc / twitch had no host peer floor at all.
  • Why it matters: the plugin install path runs npm install --omit=dev in the unpacked plugin directory, so optional-or-missing host peers let older OpenClaw releases accept the install and only fail later at runtime when the new subpaths cannot resolve.
  • What changed: removed peerDependenciesMeta.openclaw.optional from the affected installable channel plugins, added the missing mandatory openclaw >=2026.3.14 peer to irc and twitch, and added a guardrail test that locks this host-version gate in place.
  • What did NOT change (scope boundary): no runtime plugin behavior, no SDK surface changes, and no changes to private/non-installable plugin manifests outside this install-compatibility fix.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor required for the fix
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

User-visible / Behavior Changes

Older OpenClaw hosts now fail plugin installation earlier for the affected npm-installable channel plugins instead of accepting the package and failing later when the new plugin-sdk subpaths are loaded.

Security Impact (required)

  • New permissions/capabilities? (No)
  • Secrets/tokens handling changed? (No)
  • New/changed network calls? (No)
  • Command/tool execution surface changed? (No)
  • Data access scope changed? (No)
  • If any Yes, explain risk + mitigation:

Repro + Verification

Environment

  • OS: macOS
  • Runtime/container: Node 22, pnpm 10
  • Model/provider: n/a
  • Integration/channel (if any): plugin install manifests
  • Relevant config (redacted): none

Steps

  1. Inspect installable plugin manifests that now use new openclaw/plugin-sdk/* subpaths.
  2. Remove peerDependenciesMeta.openclaw.optional where present and add the missing mandatory openclaw >=2026.3.14 peer where absent.
  3. Re-run the manifest guardrail and install-path tests.

Expected

  • Affected installable plugins require a non-optional openclaw >=2026.3.14 host peer.
  • The install-path tests still pass.

Actual

  • Local validation is green, and a fresh pnpm install in the clean worktree fails on unpublished openclaw@>=2026.3.14, which is the intended early gate for older npm-host installs.

Evidence

Attach at least one:

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

  • Verified scenarios: ran pnpm test -- src/plugins/install-host-peer-guardrails.test.ts and pnpm test -- src/infra/install-package-dir.test.ts in the clean worktree.
  • Edge cases checked: confirmed the new host floor stays mandatory for every affected installable channel plugin, and confirmed irc / twitch now declare the peer explicitly.
  • What you did not verify: broader runtime behavior after installation on a released 2026.3.14 host, because that package is not published yet.

Review Conversations

  • I replied to or resolved every bot review conversation I addressed in this PR.
  • I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

  • Backward compatible? (No)
  • Config/env changes? (No)
  • Migration needed? (No)
  • If yes, exact upgrade steps:

Failure Recovery (if this breaks)

  • How to disable/revert this change quickly: revert commits cb0ef3f49f and f55ea62b7d if needed.
  • Files/config to restore: the touched extensions/*/package.json manifests and src/plugins/install-host-peer-guardrails.test.ts.
  • Known bad symptoms reviewers should watch for: plugin install failures on hosts that should satisfy >=2026.3.14, or guardrail-test drift if another installable plugin starts using new plugin-sdk subpaths without a mandatory host peer floor.

Risks and Mitigations

  • Risk: hosts that previously installed these plugins despite being too old will now fail at install time.
    • Mitigation: that is the intended behavior; it moves failure to the package-manager boundary instead of a later runtime crash.

AI-assisted: Yes. Tested locally.

vincentkoc self-assigned this Mar 22, 2026
openclaw-barnacle (Bot) added labels Mar 22, 2026: channel: bluebubbles, channel: discord, channel: googlechat, channel: line, channel: matrix, channel: mattermost, channel: msteams, channel: nextcloud-talk, channel: nostr, channel: tlon, channel: voice-call, channel: whatsapp-web, channel: zalo, channel: zalouser, channel: feishu, channel: twitch, channel: irc, size: S, maintainer (Maintainer-authored PR)
vincentkoc marked this pull request as ready for review March 22, 2026 01:35
greptile-apps Bot commented Mar 22, 2026

Greptile Summary

This PR moves the install-time failure gate earlier for 17 npm-installable channel plugins that depend on new openclaw/plugin-sdk/* subpaths, by removing peerDependenciesMeta.openclaw.optional from the 15 plugins that had it and adding the missing mandatory openclaw >=2026.3.14 peer to irc and twitch. A new guardrail test locks this in.

Key findings:

  • Coverage gap (synology-chat, memory-lancedb): Both plugins are npm-installable (they carry "install": { "npmSpec": ... }) and import from multiple openclaw/plugin-sdk/* subpaths, yet neither declares any peerDependencies for openclaw, and neither appears in the new guardrail test. They have the identical vulnerability this PR is fixing — an older host will accept the install and crash at runtime. Both need the mandatory peer added to their package.json and their IDs added to INSTALLABLE_PLUGIN_IDS_REQUIRING_HOST_FLOOR in the test.

  • Guardrail test uses exact string equality: expect(...).toBe(">=2026.3.14") will cause a false failure if any listed plugin legitimately raises its floor to a higher version in a future PR (e.g., ">=2026.4.0" is a stricter, still-correct gate). Switching to a presence + prefix check would make the test resilient to forward version bumps without weakening the guardrail.

Confidence Score: 3/5

  • Safe to merge for the 17 listed plugins, but the fix is incomplete — two installable plugins with the same vulnerability (synology-chat and memory-lancedb) are left unaddressed.
  • The manifest and test changes for the 17 listed plugins are mechanically correct and address the stated problem. However, synology-chat and memory-lancedb are both npm-installable and both import from openclaw/plugin-sdk/* subpaths, yet are absent from both the manifests and the guardrail test. This is the same bug the PR is fixing and leaves two install-path vectors that can still silently pass version gating and crash at runtime. Resolving those two omissions would bring this to a 4 or 5.
  • extensions/synology-chat/package.json and extensions/memory-lancedb/package.json — both are installable via npm, both import openclaw/plugin-sdk/* subpaths, and neither has an openclaw peer dependency declared.

Last reviewed commit: "Merge branch 'main' ..."

Comment on lines +6 to +24
const INSTALLABLE_PLUGIN_IDS_REQUIRING_HOST_FLOOR = [
"bluebubbles",
"discord",
"feishu",
"googlechat",
"irc",
"line",
"matrix",
"mattermost",
"msteams",
"nextcloud-talk",
"nostr",
"tlon",
"twitch",
"voice-call",
"whatsapp",
"zalo",
"zalouser",
] as const;
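Review bot: the gate is a hand-maintained allow-list of plugin ids, so any installable plugin that adopts new `openclaw/plugin-sdk/*` subpaths without being added here is silently unguarded; the synology-chat and memory-lancedb omissions raised in this thread are exactly that failure mode. Consider having the test derive the list by scanning `extensions/*/package.json` for manifests that carry an `install` block with `npmSpec`, and asserting the floor on every one of them, so a new installable plugin cannot skip the gate by omission. It is also worth confirming that the id `"whatsapp"` on line +20 resolves to the intended manifest, since the labels on this PR refer to the channel as `whatsapp-web`.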
P1 Installable plugins missing from guardrail

Two npm-installable plugins that also import from openclaw/plugin-sdk/* subpaths are absent from both this test's INSTALLABLE_PLUGIN_IDS_REQUIRING_HOST_FLOOR list and the manifest fixes in this PR:

  • extensions/synology-chat/package.json — has "install": { "npmSpec": "@openclaw/synology-chat", ... } and imports from over a dozen openclaw/plugin-sdk/* subpaths (/core, /webhook-ingress, /setup, /runtime-store, /channel-config-schema, etc.), yet declares no peerDependencies at all.
  • extensions/memory-lancedb/package.json — has "install": { "npmSpec": "@openclaw/memory-lancedb", ... } and imports from openclaw/plugin-sdk in api.ts, yet also declares no peerDependencies.

These two plugins share the exact same vulnerability the PR is fixing: an older OpenClaw host can successfully install them via npm (because there is no mandatory peer version gate) but will crash at runtime when the new SDK subpaths cannot resolve. They should be added to the INSTALLABLE_PLUGIN_IDS_REQUIRING_HOST_FLOOR array here, and "peerDependencies": { "openclaw": ">=2026.3.14" } should be added to both of their manifests.


Comment on lines +39 to +42
expect(
manifest.peerDependencies?.openclaw,
`${pluginId} should declare an openclaw peer`,
).toBe(MIN_HOST_VERSION);
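Review bot: exact equality on the version string means no listed plugin can legitimately raise its floor above `>=2026.3.14` without breaking this test, but the loosened alternative proposed in this thread, `toMatch(/^>=/)`, swings too far: it accepts any `>=` range, including one below the minimum, so the guardrail would no longer guarantee the floor it is named for. Parse the range and compare the floor numerically against `MIN_HOST_VERSION`, accepting greater-or-equal and rejecting lower. Separately, neither form of the assertion checks `peerDependenciesMeta.openclaw.optional`, which is the very field this PR removes from the manifests; an explicit `expect(manifest.peerDependenciesMeta?.openclaw?.optional).not.toBe(true)` would stop a future manifest from reintroducing the optional flag while still passing.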
P2 Strict equality check may produce false negatives for future version bumps

The assertion toBe(MIN_HOST_VERSION) checks that the peer version string is exactly ">=2026.3.14". If a plugin legitimately raises its floor to, say, ">=2026.4.0" (a stricter, still-valid requirement), the test will fail even though the plugin correctly gates on a host that includes the new SDK subpaths. Consider asserting only that a peer floor exists and is not optional, without pinning the exact semver string:

Suggested change:

```diff
-      expect(
-        manifest.peerDependencies?.openclaw,
-        `${pluginId} should declare an openclaw peer`,
-      ).toBe(MIN_HOST_VERSION);
+      expect(
+        manifest.peerDependencies?.openclaw,
+        `${pluginId} should declare an openclaw peer`,
+      ).toBeDefined();
+      expect(
+        manifest.peerDependencies?.openclaw,
+        `${pluginId} should declare an openclaw peer floor >= ${MIN_HOST_VERSION}`,
+      ).toMatch(/^>=/);
```

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e691dbe624


Comment on lines +9 to +10
"peerDependencies": {
"openclaw": ">=2026.3.14"
P1 Validate host OpenClaw version before requiring peer

Making openclaw a mandatory peer here does not actually enforce a host-version floor during plugin install: installPackageDir runs npm install --omit=dev (without --omit=peer) in an isolated staging directory, so npm resolves peers from the registry rather than checking the running host version (src/infra/install-package-dir.ts:188-195). That means once openclaw@>=2026.3.14 is published, older hosts can still install these plugins (peer is fetched into the plugin dir), so the intended early compatibility gate is bypassed and runtime failures on old hosts can still occur.

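A host-side version gate of the kind the Codex review says a mandatory peer cannot provide, together with the floor comparison the guardrail-test thread discusses (accept a later floor, reject a lower one, reject an optional peer), as an added TypeScript example; it is not code from this PR, from #52094 or from the openclaw code base. `PluginManifest`, `declaresHostFloor`, `hostSatisfiesPlugin` and the sample manifests are constructed for illustration.

```typescript
// Added example, not openclaw project code. Assumes dotted numeric versions
// ("2026.3.14") and ">=" ranges only; other ranges count as "no usable floor".
type PluginManifest = {
  name?: string;
  peerDependencies?: Record<string, string>;
  peerDependenciesMeta?: Record<string, { optional?: boolean }>;
};

// "2026.3.14" -> [2026, 3, 14]; null for anything non-numeric.
function parseVersion(v: string): number[] | null {
  const parts = v.trim().split(".");
  return parts.some((p) => !/^\d+$/.test(p)) ? null : parts.map(Number);
}

// Component-wise numeric compare: 2026.10.1 > 2026.3.14 (string compare gets this wrong).
function compareVersions(a: number[], b: number[]): number {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const d = (a[i] ?? 0) - (b[i] ?? 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Floor of a ">=X.Y.Z" range; null if the range is missing or not a plain floor.
function parseHostFloor(range: string | undefined): number[] | null {
  const m = range ? /^>=\s*(\d+(?:\.\d+)*)$/.exec(range.trim()) : null;
  return m ? parseVersion(m[1] ?? "") : null;
}

// Guardrail-test check: a mandatory openclaw peer whose floor is >= minFloor.
// Accepts a later bump such as ">=2026.4.0" (exact equality would not) and
// rejects a floor below the minimum (a bare /^>=/ match would not).
function declaresHostFloor(manifest: PluginManifest, minFloor: string): boolean {
  if (manifest.peerDependenciesMeta?.openclaw?.optional === true) return false;
  const floor = parseHostFloor(manifest.peerDependencies?.openclaw);
  const min = parseVersion(minFloor);
  return floor !== null && min !== null && compareVersions(floor, min) >= 0;
}

// Host-side gate evaluated by the running host, so it does not depend on how npm
// resolves the peer inside the staged plugin directory. Refusing manifests with
// no usable floor (fail-closed) is this example's assumption, not the page's.
function hostSatisfiesPlugin(hostVersion: string, manifest: PluginManifest): { ok: boolean; reason: string } {
  const host = parseVersion(hostVersion);
  if (!host) return { ok: false, reason: `unparseable host version "${hostVersion}"` };
  const name = manifest.name ?? "plugin";
  const range = manifest.peerDependencies?.openclaw;
  const floor = parseHostFloor(range);
  if (!floor) return { ok: false, reason: `${name}: no usable openclaw floor (${range ?? "none"})` };
  if (compareVersions(host, floor) < 0) {
    return { ok: false, reason: `${name}: host ${hostVersion} is below required ${range}` };
  }
  return { ok: true, reason: `${name}: host ${hostVersion} satisfies ${range}` };
}

// Constructed sample manifests mirroring the cases discussed in this review.
const MIN_HOST_VERSION = "2026.3.14";
const gatedManifest: PluginManifest = { name: "irc", peerDependencies: { openclaw: ">=2026.3.14" } };
const optionalPeerManifest: PluginManifest = { ...gatedManifest, name: "discord", peerDependenciesMeta: { openclaw: { optional: true } } };
const noPeerManifest: PluginManifest = { name: "synology-chat" };
```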

@vincentkoc (Member, Author)

Superseded by #52094. The peer-dependency approach was not a reliable host-version gate because plugin install resolves peers inside the staged package directory. The replacement PR adds explicit host-side enforcement via \ during install and manifest loading instead.

@vincentkoc vincentkoc closed this Mar 22, 2026