fix(release): preserve shipped channel surfaces in npm tar

[ngutman]

Summary

Describe the problem and fix in 2–5 bullets:

• Problem: 2026.3.22 stripped previously shipped optional bundled extension metadata and dist/control-ui from the npm tarball, which left upgraded packaged installs with missing channel discovery and missing UI assets.
• Why it matters: upgraded users could hit Unknown channel: whatsapp, lose auto-install discovery for install-on-demand channels, and end up with missing Control UI assets after upgrade.
• What changed: ship the official channel catalog fallback, keep previously shipped optional bundled upgrade surfaces in npm release artifacts by default, require dist/control-ui/index.html plus optional bundled extension manifests in release-check, and make release:check build Control UI before validating the pack.
• What did NOT change (scope boundary): this does not publish @openclaw/whatsapp, does not change plugin install semantics beyond restoring discovery and shipped upgrade surfaces, and does not force optional bundles for lanes that explicitly opt out with OPENCLAW_INCLUDE_OPTIONAL_BUNDLED=0.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related [Bug]: WhatsApp (and other optional bundled plugins) silently broken after upgrade to 2026.3.22 #52838

User-visible / Behavior Changes

• Packaged installs keep dist/control-ui and the previously shipped optional bundled extension metadata needed for upgrade continuity.
• Official install-on-demand channels remain discoverable in packaged installs even when their runtime is not bundled.
• No operator-facing config changes are required for the normal release lane.

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) No
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: macOS
• Runtime/container: local build + clean npm pack install
• Model/provider: n/a
• Integration/channel (if any): WhatsApp / Control UI
• Relevant config (redacted): clean OPENCLAW_STATE_DIR for packaged-install repro

Steps

1. Install openclaw@2026.3.22 into a clean temporary directory.
2. Run openclaw channels add --channel whatsapp or inspect the packaged tarball contents.
3. Observe that WhatsApp metadata and dist/control-ui are missing from the shipped artifact.

Expected

• Previously shipped upgrade surfaces remain present in the npm tarball, and official install-on-demand channels stay discoverable.

Actual

• Clean packaged installs lost WhatsApp discoverability and the tarball omitted Control UI assets.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios:
  • pnpm check
  • pnpm build
  • pnpm test -- test/official-channel-catalog.test.ts
  • pnpm test -- src/channels/plugins/plugins-core.test.ts
  • pnpm test -- src/plugins/copy-bundled-plugin-metadata.test.ts
  • pnpm test -- test/release-check.test.ts
  • node scripts/stage-bundled-plugin-runtime-deps.mjs
  • pnpm ui:build
  • node --import tsx scripts/release-check.ts
  • npm pack --dry-run --json --ignore-scripts includes dist/channel-catalog.json, dist/control-ui/index.html, and the optional bundled extension manifests for acpx, diagnostics-otel, diffs, googlechat, matrix, memory-lancedb, msteams, nostr, tlon, twitch, whatsapp, and zalouser
• Edge cases checked:
  • shipped official catalog entries load when bundled metadata is absent
  • bundled metadata-backed channel entries still preserve pluginId
  • default packaging now keeps the prior shipped optional-bundle upgrade surface
  • explicit OPENCLAW_INCLUDE_OPTIONAL_BUNDLED=0 still disables optional bundles for size-sensitive lanes
  • release-check fails when required shipped paths are missing
• What you did not verify:
  • publishing/installing the actual @openclaw/whatsapp package
  • the full top-level pnpm release:check wrapper is still blocked earlier by existing config baseline drift on current main; the pack-validation portion was run directly and passed

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: revert 2f1f4100ec, or set OPENCLAW_INCLUDE_OPTIONAL_BUNDLED=0 on a size-sensitive packaging lane that must opt out explicitly
• Files/config to restore: scripts/lib/optional-bundled-clusters.mjs, scripts/release-check.ts, package.json
• Known bad symptoms reviewers should watch for: packaged installs missing dist/control-ui/index.html, missing optional bundled extension manifests, or pack size growing materially beyond the new 176 MiB budget

Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write None.

• Risk: restoring the shipped upgrade surface increases npm pack size.
  • Mitigation: the budget is raised only to 176 MiB, while remaining well below the 2026.3.12 213.6 MiB regression guardrail, and release-check still enforces the budget.
• Risk: some size-sensitive packaging lanes may still want the old stripped behavior.
  • Mitigation: those lanes can opt out explicitly with OPENCLAW_INCLUDE_OPTIONAL_BUNDLED=0.

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 3 potential security issue(s) in this PR:

#	Severity	Title
1	🟡 Medium	Untrusted official channel-catalog.json search paths allow catalog spoofing and arbitrary npmSpec suggestions
2	🔵 Low	Potential DoS via unbounded synchronous loading/parsing of plugin catalog JSON from configurable paths
3	🔵 Low	Prototype pollution via untrusted channel IDs used as object keys in UI catalog builders

---

1. 🟡 Untrusted official channel-catalog.json search paths allow catalog spoofing and arbitrary npmSpec suggestions

Property	Value
Severity	Medium
CWE	CWE-494
Location	src/channels/plugins/catalog.ts:138-156

Description

listChannelPluginCatalogEntries() now loads an “official” channel catalog from multiple implicit filesystem locations (derived from process.cwd(), import.meta.url package roots, and especially path.dirname(process.execPath)), without integrity/authenticity checks.

Impact:

• If an attacker can drop or modify a channel-catalog.json in any searched location (e.g., a writable portable install directory / the executable directory, or a manipulated working directory/package root), they can inject/override catalog entries.
• Catalog entries carry an install.npmSpec value that is later displayed to users and used as the install spec when installing channel plugins (via installPluginFromNpmSpec({ spec: entry.install.npmSpec })).
• This enables supply-chain style plugin spoofing: the UI/CLI may present attacker-controlled plugins as “official” and install attacker-chosen packages if the user proceeds, potentially leading to code execution via plugin installation.

Vulnerable code (new behavior):

const execDir = path.dirname(process.execPath);
candidates.push(path.join(execDir, OFFICIAL_CHANNEL_CATALOG_RELATIVE_PATH));
candidates.push(path.join(execDir, "channel-catalog.json"));
...
for (const entry of loadOfficialCatalogEntries(options)) {
  const priority = ORIGIN_PRIORITY.bundled ?? 99;
  ... resolved.set(entry.id, { entry, priority });
}

Why this is risky:

• The exec directory and/or cwd-derived package roots are not guaranteed to be read-only.
• The code treats loaded entries with bundled priority, so they can override other sources for the same id.
• No signature, hash, or trusted-only path policy is enforced for “official” data.

Recommendation

Restrict “official” catalog loading to trusted, immutable locations and/or verify authenticity.

Recommended fixes (pick one or combine):

1. Only load the official catalog from the application’s own installed resources (e.g., a path resolved relative to the currently executing module/package), and do not consult process.cwd() or process.execPath.

2. Cryptographically verify the catalog before use (signature validation), and ignore any unsigned/invalid file.

3. If you must keep multiple fallback paths, enforce a trust policy:

• Only accept catalogs under a known app-owned directory with correct ownership/permissions
• Do not assign bundled priority to filesystem-discovered catalogs; treat them as external (lowest priority)

Example: only load from package root resolved from import.meta.url, and demote priority:

function resolveOfficialCatalogPaths(): string[] {
  const root = resolveOpenClawPackageRootSync({ moduleUrl: import.meta.url });
  return root ? [path.join(root, OFFICIAL_CHANNEL_CATALOG_RELATIVE_PATH)] : [];
}

​// When merging, do NOT treat as bundled
const priority = 98; // lower trust than bundled

---

2. 🔵 Potential DoS via unbounded synchronous loading/parsing of plugin catalog JSON from configurable paths

Property	Value
Severity	Low
CWE	CWE-400
Location	src/channels/plugins/catalog.ts:122-131

Description

loadCatalogEntriesFromPaths() synchronously reads entire catalog files into memory and parses them with JSON.parse() for each configured/existing catalog path (including env-resolved paths and multiple “official” fallback locations).

Impact:

• A very large JSON file (or many files) can cause high CPU/memory usage and block the Node.js event loop (startup/CLI hang).
• Catalog paths can be influenced via environment variables (OPENCLAW_PLUGIN_CATALOG_PATHS / OPENCLAW_MPM_CATALOG_PATHS) or via officialCatalogPaths option. If an attacker can control these inputs in a service context, they can trigger a denial of service.

Vulnerable code:

const payload = JSON.parse(fs.readFileSync(resolvedPath, "utf-8")) as unknown;

Recommendation

Add hard limits and safer loading when ingesting catalog files:

• Enforce a maximum catalog file size before reading (e.g., 1–5MB).
• Optionally enforce a maximum number of catalog paths processed.
• Prefer async I/O to avoid blocking, or perform parsing in a worker thread if this is on a latency-sensitive path.

Example (size guard):

const MAX_BYTES = 5 * 1024 * 1024;

const stat = fs.statSync(resolvedPath);
if (!stat.isFile() || stat.size > MAX_BYTES) {
  continue; // or log/throw
}

const text = fs.readFileSync(resolvedPath, "utf-8");
const payload = JSON.parse(text) as unknown;

---

3. 🔵 Prototype pollution via untrusted channel IDs used as object keys in UI catalog builders

Property	Value
Severity	Low
CWE	CWE-1321
Location	src/channels/plugins/catalog.ts:359-370

Description

buildChannelUiCatalog builds several plain object maps (labels, detailLabels, systemImages, byId) and indexes them with entry.id.

• entry.id ultimately comes from plugin manifests / external catalog JSON (manifest.channel.id).
• External catalog paths can be user-controlled via environment variables (e.g., OPENCLAW_PLUGIN_CATALOG_PATHS, OPENCLAW_MPM_CATALOG_PATHS).
• If an attacker can supply a catalog entry with id set to "__proto__", "prototype", or "constructor", assignments like byId[entry.id] = entry can mutate object prototypes in JavaScript, leading to prototype pollution and potentially unexpected behavior/security bypasses wherever these maps are later used.

Vulnerable code:

labels[entry.id] = entry.label;
detailLabels[entry.id] = entry.detailLabel;
...
byId[entry.id] = entry;

Recommendation

Prevent prototype pollution by ensuring these dictionaries cannot have their prototype mutated and/or by rejecting dangerous keys.

Option A (preferred): create null-prototype maps

const labels: Record<string, string> = Object.create(null);
const detailLabels: Record<string, string> = Object.create(null);
const systemImages: Record<string, string> = Object.create(null);
const byId: Record<string, ChannelUiMetaEntry> = Object.create(null);

Option B: validate IDs before using them as keys

function isSafeKey(key: string): boolean {
  return key !== "__proto__" && key !== "prototype" && key !== "constructor";
}
...
if (!isSafeKey(entry.id)) continue;
byId[entry.id] = entry;

Doing both is even safer. Also consider validating manifest.channel.id at ingestion time (when building catalog entries from external JSON).

---

Analyzed PR: #52913 at commit 7bd8d7d

_{Last updated on: 2026-03-23T15:53:09Z}

[greptile-apps]

Greptile Summary

This PR fixes the 2026.3.22 regression where optional bundled extension metadata and dist/control-ui were inadvertently stripped from the npm tarball. It restores the previously shipped upgrade surface by flipping shouldIncludeOptionalBundledClusters from opt-in (=== "1") to opt-out (!== "0"), adds a new write-official-channel-catalog.mjs build step that emits a dist/channel-catalog.json fallback for install-on-demand discovery, and strengthens release-check to validate that these artifacts are present in every release pack.

Key changes:

• optional-bundled-clusters.mjs: default behavior is now "include unless explicitly disabled", preserving the shipped upgrade surface without requiring callers to set OPENCLAW_INCLUDE_OPTIONAL_BUNDLED=1.
• write-official-channel-catalog.mjs (new): walks extensions/*/package.json and emits a sorted dist/channel-catalog.json from entries with openclaw.release.publishToNpm === true. Called in runRuntimePostBuild so it runs automatically as part of the runtime build.
• catalog.ts: loadOfficialCatalogEntries injects shipped catalog entries at ORIGIN_PRIORITY.bundled priority before external catalog entries, ensuring official channels like WhatsApp remain discoverable even when bundled plugin metadata is absent.
• release-check.ts: extracts collectMissingPackPaths as an exported, tested function; adds dist/channel-catalog.json, dist/control-ui/index.html, and all non-ui optional-bundled extension manifests to required pack paths; raises size budget from 160 MiB to 176 MiB.
• package.json: release:check now runs pnpm ui:build before the pack validation so dist/control-ui/index.html is guaranteed present.
• Tests updated throughout to reflect the new opt-out default and to cover the new catalog generation and release-check validation paths.

Confidence Score: 5/5

• This PR is safe to merge — it is a focused regression fix with comprehensive test coverage and no breaking interface changes.
• The changes are well-scoped and directly address the documented regression. The opt-out default for optional bundled clusters is clearly intentional and documented in both code and PR description. The new catalog generation script has thorough defensive parsing. Priority logic in catalog.ts is consistent with the existing loadBundledMetadataCatalogEntries pattern. Release-check validation is strengthened, not weakened. The one inline comment is a P2 style observation about dead code in resolveOfficialCatalogPaths that has no runtime impact. Prior PR concerns are addressed or explicitly tracked.
• No files require special attention beyond the minor try/catch dead-code note in src/channels/plugins/catalog.ts.

Comments Outside Diff (1)

1. src/channels/plugins/catalog.ts, line 351-357 (link)

   Unreachable try/catch block around path.dirname/path.join

   Neither path.dirname(process.execPath) nor the subsequent path.join calls can throw — process.execPath is always a string in Node, and both path.dirname and path.join are purely synchronous string operations. The try/catch here is dead code and could mislead future readers into thinking this block has a known failure mode.

   Consider removing the try/catch wrapper, or — if the intent is to guard against exotic environments where process.execPath could be absent — narrow the guard to just if (process.execPath) instead.

   Prompt To Fix With AI

   This is a comment left during a code review.
   Path: src/channels/plugins/catalog.ts
   Line: 351-357
   
   Comment:
   **Unreachable `try/catch` block around `path.dirname`/`path.join`**
   
   Neither `path.dirname(process.execPath)` nor the subsequent `path.join` calls can throw — `process.execPath` is always a string in Node, and both `path.dirname` and `path.join` are purely synchronous string operations. The `try/catch` here is dead code and could mislead future readers into thinking this block has a known failure mode.
   
   Consider removing the `try/catch` wrapper, or — if the intent is to guard against exotic environments where `process.execPath` could be absent — narrow the guard to just `if (process.execPath)` instead.
   
   
   
   How can I resolve this? If you propose a fix, please make it concise.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: src/channels/plugins/catalog.ts
Line: 351-357

Comment:
**Unreachable `try/catch` block around `path.dirname`/`path.join`**

Neither `path.dirname(process.execPath)` nor the subsequent `path.join` calls can throw — `process.execPath` is always a string in Node, and both `path.dirname` and `path.join` are purely synchronous string operations. The `try/catch` here is dead code and could mislead future readers into thinking this block has a known failure mode.

Consider removing the `try/catch` wrapper, or — if the intent is to guard against exotic environments where `process.execPath` could be absent — narrow the guard to just `if (process.execPath)` instead.

```suggestion
  const execDir = path.dirname(process.execPath);
  candidates.push(path.join(execDir, OFFICIAL_CHANNEL_CATALOG_RELATIVE_PATH));
  candidates.push(path.join(execDir, "channel-catalog.json"));
```

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (2): Last reviewed commit: "fix(release): keep shipped bundles in np..." | Re-trigger Greptile}

[greptile-apps]

Official catalog silently overrides user external-catalog customizations

Official catalog entries are inserted with ORIGIN_PRIORITY.bundled (= 3), and external catalog entries are only appended via if (!resolved.has(entry.id)) (line 415). This means that once a channel ID appears in the official catalog, any user-defined external catalog entry for the same channel ID (set via OPENCLAW_PLUGIN_CATALOG_PATHS or the default config-dir catalog) is silently ignored.

Before this PR, in a packaged install where bundled metadata was absent, external catalog entries for official channels (e.g. a user pointing at a self-hosted @openclaw/whatsapp fork) would still be respected. After this PR they are not, because the official catalog entry takes the slot first.

If this is intentional (official channels should not be user-overridable via external catalogs), it's worth a short in-code comment so the next reader doesn't mistake the skip for a bug. If users should be able to override, the official catalog priority should be set higher (e.g. ORIGIN_PRIORITY.bundled + 1 or a dedicated official origin) so that external entries can replace it:

// current – official cannot be overridden by external catalog
const priority = ORIGIN_PRIORITY.bundled ?? 99;   // 3

// alternative – give official a lower-priority slot
const priority = (ORIGIN_PRIORITY.bundled ?? 3) + 1;   // 4, so external-catalog wins

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/channels/plugins/catalog.ts
Line: 403-409

Comment:
**Official catalog silently overrides user external-catalog customizations**

Official catalog entries are inserted with `ORIGIN_PRIORITY.bundled` (= 3), and external catalog entries are only appended via `if (!resolved.has(entry.id))` (line 415). This means that once a channel ID appears in the official catalog, any user-defined external catalog entry for the same channel ID (set via `OPENCLAW_PLUGIN_CATALOG_PATHS` or the default config-dir catalog) is silently ignored.

Before this PR, in a packaged install where bundled metadata was absent, external catalog entries for official channels (e.g. a user pointing at a self-hosted `@openclaw/whatsapp` fork) would still be respected. After this PR they are not, because the official catalog entry takes the slot first.

If this is intentional (official channels should not be user-overridable via external catalogs), it's worth a short in-code comment so the next reader doesn't mistake the skip for a bug. If users should be able to override, the official catalog priority should be set higher (e.g. `ORIGIN_PRIORITY.bundled + 1` or a dedicated `official` origin) so that external entries can replace it:

```typescript
// current – official cannot be overridden by external catalog
const priority = ORIGIN_PRIORITY.bundled ?? 99;   // 3

// alternative – give official a lower-priority slot
const priority = (ORIGIN_PRIORITY.bundled ?? 3) + 1;   // 4, so external-catalog wins
```

How can I resolve this? If you propose a fix, please make it concise.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8bee5a73a3

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve external catalog precedence for official channels

When OPENCLAW_PLUGIN_CATALOG_PATHS / OPENCLAW_MPM_CATALOG_PATHS contains an entry for an official channel ID (for example to point whatsapp at a private mirror or fork), this new loop inserts the shipped catalog entry first with bundled priority. The later external-catalog pass only adds entries that are not already present (src/channels/plugins/catalog.ts:411-417), so the custom install.npmSpec is ignored and channel setup will install the hard-coded @openclaw/* package instead (src/commands/channel-setup/plugin-install.ts:185-203). Before this commit, those external entries were the only source for missing official channels, so this is a regression for catalog-driven installs.

Useful? React with 👍 / 👎.

[ngutman]

@greptile-apps please re-review this PR.

New work since the last Greptile review:

• 2f1f4100ec fix(release): keep shipped bundles in npm tar (#52838)
• PR body updated to cover the release-packaging follow-up and verification
• packaged tar now keeps dist/control-ui/index.html and the previously shipped optional bundled extension manifests

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2f1f4100ec

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Keep optional bundled clusters opt-in for default builds

With OPENCLAW_INCLUDE_OPTIONAL_BUNDLED unset (the normal pnpm build / CI path), this now returns true, and both tsdown.config.ts:87-93 and scripts/copy-bundled-plugin-metadata.mjs:192-194 start treating every optional cluster as bundled. That means the release build now compiles and ships the full dist/extensions/whatsapp, matrix, etc. trees again, instead of only adding the new catalog metadata. Besides the pack-size jump already reflected in this PR, that broadens the bundled runtime surface for every stable/beta install and undermines the “discoverability only” fix described here.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Respect explicit optional-bundle opt-out in release-check

This new required-path list is unconditional, so pnpm release:check now fails whenever a build intentionally sets OPENCLAW_INCLUDE_OPTIONAL_BUNDLED=0. That opt-out is still advertised in shouldIncludeOptionalBundledClusters(), and scripts/copy-bundled-plugin-metadata.mjs:192-194 will remove those dist/extensions/* directories in that mode, but collectMissingPackPaths() now always requires them. As written, any size-sensitive lane that disables optional bundles can no longer pass release verification.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7bd8d7d7d7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Keep release-check from rebuilding Control UI assets

In .github/workflows/ci.yml, the release-check job downloads the dist/ artifact from build-artifacts and then runs pnpm release:check. Adding pnpm ui:build here means the validator regenerates dist/control-ui locally before npm pack --dry-run, so this guard no longer verifies the artifact that was actually built and uploaded. If build-artifacts ever omits or ships stale Control UI files again, release-check will repair them in place and still pass, which defeats the regression check this PR is trying to add.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Derive official catalog paths from the selected bundle tree

listChannelPluginCatalogEntries() already threads options.env through plugin discovery and external catalog loading, but this helper ignores that env and always anchors the official fallback to the current checkout / executable. In flows that point OPENCLAW_BUNDLED_PLUGINS_DIR at a different install tree, channel-setup callers like src/commands/channels/add.ts and src/commands/onboard-channels.ts will still merge official entries from the wrong build (or miss the catalog next to the chosen bundle), so discovery can advertise channels that do not belong to the selected runtime.

Useful? React with 👍 / 👎.