plugin-sdk: keep command-auth status compatibility path light

[hxy91819]

Summary

• Problem: plugins that import openclaw/plugin-sdk/command-auth only need auth helpers, but the module also re-exported status/help text builders from src/auto-reply/status.ts. That static re-export dragged in status.ts → context.ts, a heavyweight chain that can trigger loadConfig() at import-time — causing recursive config loading during plugin load.
• Why it matters: latest main already stopped the original stack-overflow via Weixin-side lazy loading and core loader/provider reentry guards. But the SDK boundary itself was still too broad: command-auth was wired to modules it has no business depending on.
• Why not just remove the old exports (scheme A): these three builders are synchronous functions. In ESM there is no way to keep the same sync signature while lazily loading the implementation (await import() would change them to async — a worse breaking change). The project's own AGENTS.md states "Breaking removals or renames are major-version work, not drive-by cleanup", and src/plugin-sdk/compat.ts already demonstrates the deprecated-compatibility pattern. Since main is already stable, there is no urgency to break third-party plugins.
• What changed (scheme E): extract the three sync builders into a new lightweight module (command-status-builders.ts) that does not import status.ts or context.ts. Both command-auth (deprecated compat) and the new command-status subpath now point to this lightweight module. The heavy command-auth → status.ts → context.ts edge is removed.
• Outcome: zero breaking change for third-party plugins, the old heavy import edge is gone, and the new command-status boundary is covered by explicit contract tests.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related #
• This PR fixes a bug or regression

Root Cause (if applicable)

• Root cause: the plugin-facing auth SDK surface (command-auth) had a static dependency on heavyweight status rendering code (status.ts), which in turn imported context warmup logic (context.ts). This module boundary violation meant that any plugin importing command-auth during loadConfig() could re-enter config loading.
• Missing guardrail: command-auth lacked a module-boundary constraint preventing it from depending on status.ts. There was also no contract-level test proving that importing command-auth stays free of config-load side effects under CLI/plugin-load conditions.
• Contributing context: the original production-style stack overflow no longer reproduces on latest main because Weixin 2.1.7 lazy-imported the hot path and core added plugin/provider reentry guards. This PR hardens the SDK boundary itself so the fix does not rely solely on those deeper runtime guards.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target tests/files:
  • src/agents/context.eager-warmup.test.ts
  • src/plugin-sdk/command-auth.test.ts
  • src/plugins/contracts/plugin-sdk-subpaths.test.ts
• Scenarios locked in:
  • importing ../plugin-sdk/command-auth.js under CLI-style argv for onboard, pairing approve, and channels login must not trigger loadConfig()
  • deprecated sync builder exports on command-auth must still work for compatibility
  • the explicit command-status subpath must export the three builders, while command-auth must no longer import ../auto-reply/status.js
• Why this is the smallest reliable guardrail:
  • it directly exercises the offending import boundary
  • it proves the compatibility layer is intentional rather than accidental
  • it makes the new command-status boundary visible in public-contract coverage
• Existing test that already covers this (if any): none before this change
• If no new test is added, why not: N/A

User-visible / Behavior Changes

• New Plugin SDK import path: openclaw/plugin-sdk/command-status
• command-status is not a new CLI command; it is only a new Plugin SDK subpath for status/help rendering helpers
• command-auth still exports the legacy sync builders for compatibility, but those exports are now deprecated
• New code should import buildCommandsMessage, buildCommandsMessagePaginated, and buildHelpMessage from openclaw/plugin-sdk/command-status

Diagram (if applicable)

Before:
  command-auth ──┬── auth helpers (lightweight) ✅
                 └── re-export from status.ts (heavyweight) ⚠️
                      └── status.ts → context.ts → loadConfig() → recursive 💥

After (scheme E):
  command-auth ──┬── auth helpers (unchanged) ✅
                 └── @deprecated builders → command-status-builders.ts (lightweight) ✅
                      └── does NOT import status.ts or context.ts

  command-status ────→ command-status-builders.ts (lightweight) ✅

  status.ts and context.ts are no longer on command-auth's import chain.

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) No
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: Linux
• Runtime/container: Node 22 / pnpm
• Model/provider: N/A
• Integration/channel (if any): Weixin plugin import path, Telegram in-repo consumer
• Relevant config (redacted): isolated temp state dirs plus plugin load paths

Steps

1. Import ../plugin-sdk/command-auth.js under CLI-style argv for commands that previously hit the bad path.
2. Verify loadConfig() is not called from that import path.
3. Verify deprecated command-auth compatibility exports still work synchronously.
4. Verify the explicit command-status SDK contract is present and command-auth no longer imports status.ts.
5. Build and run targeted SDK/export checks.
6. Re-run the archived Weixin 2.1.6 smoke manually outside this PR branch if needed; that repro harness is now kept as case material rather than repo code because latest main no longer reproduces the original outage.

Expected

• command-auth import stays lightweight and does not trigger config-load side effects.
• Legacy sync builder exports from command-auth still exist for third-party compatibility.
• Status/help rendering remains available through the explicit command-status SDK subpath.
• Neither latest main nor this branch should emit the original stack-overflow signature with archived Weixin 2.1.6.

Actual

• Regression tests pass and the compatibility exports remain available from command-auth without routing through status.ts.
• Explicit contract assertions now cover the command-status public surface and the compatibility-layer boundary.
• Latest main no longer reproduces the original recursion failure.
• This branch also avoids the stack-overflow signature while removing the heavy SDK edge.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Concrete evidence used for this PR:

• Targeted checks run:
  • pnpm test src/agents/context.eager-warmup.test.ts
  • pnpm test src/plugin-sdk/command-auth.test.ts
  • pnpm plugin-sdk:check-exports
  • pnpm build
• Contract coverage added in:
  • src/plugins/contracts/plugin-sdk-subpaths.test.ts
• Manual archived-plugin verification notes are kept in the case materials, not in the repo tree, because that harness is currently investigative-only.

Human Verification (required)

• Verified scenarios:
  • pnpm test src/agents/context.eager-warmup.test.ts
  • pnpm test src/plugin-sdk/command-auth.test.ts
  • pnpm plugin-sdk:check-exports
  • pnpm build
• Edge cases checked in targeted tests:
  • openclaw onboard
  • openclaw pairing approve feishu BAH8YVB3
  • openclaw channels login --channel openclaw-weixin
• What was not verified:
  • full repo test suite
  • third-party plugins outside the known import pattern
  • a repo-committed end-to-end repro harness, since that script is intentionally not part of this PR

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) Yes
• Exact upgrade steps:
  • existing third-party plugins can keep importing the three sync builders from command-auth with no code changes
  • new code should import them from openclaw/plugin-sdk/command-status instead
  • the deprecated compatibility exports will only be removed after an explicit deprecation window in a future major version

Additional Notes

• this PR intentionally chooses scheme E, a non-breaking deprecation path, instead of the earlier breaking split
• command-status is an import-only SDK subpath, not a new user-facing CLI command
• if maintainers want a stronger migration signal, we can add release-note or deprecation guidance later

Risks and Mitigations

• Risk: third-party plugins may keep using the deprecated command-auth exports indefinitely.
  • Mitigation: the compatibility path is now lightweight, so it no longer reintroduces the original heavy import edge; new docs and PR notes point people to command-status.
• Risk: reviewers may miss that compatibility was preserved and assume this is still the earlier breaking split.
  • Mitigation: the PR body, case docs, reviewer guide, and explicit contract tests all now call out the scheme E design.
• Risk: latest main already masks the original outage via loader/runtime guards, so reviewers may question whether this PR still matters.
  • Mitigation: this PR explicitly positions itself as SDK boundary hardening that removes an unnecessary heavy import from a plugin-facing surface.

Current Main Status

Latest main appears to have already fixed the immediate outage in two ways:

• Plugin side: Weixin 2.1.7 moved monitorWeixinProvider behind a lazy import, so plugin registration no longer eagerly walks monitor -> process-message -> command-auth.
• Core side: main added loader/provider runtime reentry guards, including:
  • src/plugins/loader.ts: PluginLoadReentryError plus inFlightPluginRegistryLoads
  • src/plugins/loader.ts: resolveRuntimePluginRegistry() returns undefined when the same load is already in flight
  • src/plugins/provider-runtime.ts: resolveProviderPluginsForHooks() short-circuits to [] when provider plugin load is already in flight
  • src/plugins/providers.runtime.ts: isPluginProvidersLoadInFlight() centralizes that check

What main already solved:

• the original stack-overflow / recursive plugin-load outage is no longer reproducible in the same way
• plugin/provider runtime now fails closed instead of recursing indefinitely in this class of path

What this PR still improves structurally:

• openclaw/plugin-sdk/command-auth no longer reaches the old status.ts -> context.ts chain for the status/help builders
• the new command-status boundary is explicit and test-covered
• compatibility is preserved while the public SDK surface becomes semantically clearer

This PR should therefore be evaluated as boundary cleanup / architecture hardening with compatibility preserved, not as the only remaining live fix for the original outage.

[greptile-apps]

Greptile Summary

This PR extracts the three sync status/help builder functions (buildCommandsMessage, buildCommandsMessagePaginated, buildHelpMessage) from status.ts into a new lightweight command-status-builders.ts module, exposes them under a new openclaw/plugin-sdk/command-status SDK subpath, and replaces the old command-auth → status.ts → context.ts import chain with deprecated compatibility shims that point to the lighter module. The extensions/telegram consumer is already migrated to the new subpath. All SDK registration surfaces (package.json, plugin-sdk-entrypoints.json) and contract tests are updated in sync.

Confidence Score: 5/5

Safe to merge — clean boundary refactor with backward-compatible deprecated wrappers and no logic changes.

All remaining findings are P2 or lower. The core fix is correct, the new SDK subpath is properly wired, contract tests lock the boundary in both directions, and the model consumer (Telegram) is already migrated.

No files require special attention.

Vulnerabilities

No security concerns identified. The PR is a module boundary refactor with no changes to auth logic, secret handling, network calls, or access-control decisions.

_{Reviews (3): Last reviewed commit: "tests: document config mock choice for e..." | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 889e58bc0a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[hxy91819]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 889e58bc0a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[hxy91819]

Addressed the current bot feedback in three ways:

• The earlier P1 compatibility comments are now stale relative to the current branch state. command-auth again exports buildCommandsMessage, buildCommandsMessagePaginated, and buildHelpMessage as deprecated compatibility wrappers backed by command-status-builders.ts, and plugin-sdk-subpaths.test.ts now asserts that compatibility contract instead of omission.
• I also updated the PR description/case docs so reviewers see this is scheme E with compatibility preserved, not the earlier breaking split.
• For the remaining Greptile P2 point on context.eager-warmup.test.ts, I kept the partial-real mock and added a short comment explaining why: context.js and command-auth.js still read other config exports at import time, so a factory-only mock would be unsafe there.

I am resolving the two P1 review threads as outdated by the newer commits. The P2 note is addressed by the test comment in b6d5b7128e.

[hxy91819]

@codex review

[hxy91819]

@greptile-apps review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Can't wait for the next one!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[steipete]

Merged via maintainer rebase. Thanks @hxy91819.

Landed on main: 6e200f4

Maintainer follow-up:

• regenerated Plugin SDK API baseline
• added CHANGELOG entry

Local gate:

• pnpm plugin-sdk:api:check
• pnpm plugin-sdk:check-exports
• pnpm test src/agents/context.eager-warmup.test.ts src/plugin-sdk/command-auth.test.ts src/plugins/contracts/plugin-sdk-subpaths.test.ts
• pnpm check
• pnpm build