fix(update): skip disabled plugins during post-update sync

[openclaw-clownfish]

Fixes #73880.

This PR updates post-update plugin sync so tracked installs that are explicitly disabled in config are resolved before any ClawHub/npm/marketplace update request and are reported as skipped or non-fatal. Enabled plugin update failures, integrity drift, and real install/update errors remain fail-closed.

Preserve disabled install metadata and package-id migration behavior; do not delete disabled installs or lose config. Keep docs unchanged unless the existing CLI update text must explicitly mention disabled tracked plugins.

Credit: report by @islandpreneur007 in #73880.

Validation plan:

• pnpm test:serial src/plugins/update.test.ts
• pnpm check:changed

ProjectClownfish replacement details:

• Cluster: clawsweeper-openclaw-openclaw-73880
• Source PRs: none
• Credit: Issue reported by @islandpreneur007 in openclaw update exits code 1 on disabled-plugin ClawHub 429 even though core update succeeded; should treat disabled plugins as no-op for sync #73880; credit the report in the PR body and changelog if repo convention supports attribution.; No contributor source PR was hydrated, so no PR branch credit is required.
• Validation: pnpm test:serial src/plugins/update.test.ts; pnpm check:changed

[greptile-apps]

Greptile Summary

This PR adds skipDisabledPlugins: true to the post-update plugin sync path so that tracked installs explicitly disabled in config are skipped before any npm/ClawHub/marketplace network call, while enabled plugin failures remain fatal. The change is small, well-tested across all three install sources, and correctly preserves install records and config entries for disabled plugins.

Confidence Score: 5/5

This PR is safe to merge; the change is narrow, fail-safe, and comprehensively tested.

Only a new optional flag is introduced; the default path (flag omitted/false) is entirely unchanged, and the new code path is covered by parameterized tests for all three install sources plus a regression test confirming enabled-plugin failures remain fatal.

No files require special attention.

_{Reviews (2): Last reviewed commit: "fix(update): skip disabled plugins durin..." | Re-trigger Greptile}

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep this PR open. Current main still lacks the disabled-plugin skip during post-update plugin sync, and the proposed change is a focused implementation candidate for #73880 rather than obsolete work.

Best possible solution:

Keep this PR open and review/validate it as the focused fix for #73880. The best path is to land a narrow change that skips explicitly disabled tracked installs only during post-update sync, preserves disabled install metadata and package-id migration behavior, and keeps enabled plugin failures and integrity drift fail-closed.

What I checked:

• Current post-update sync call lacks disabled-plugin skip: The post-core update path calls updateNpmInstalledPlugins with config, timeout, skipIds, logger, and integrity handling, but current main does not pass any option to skip disabled plugins. (src/cli/update-cli/update-command.ts:741, 28ff82dcdae7)
• Current updater checks install records before any enabled-state check: updateNpmInstalledPlugins iterates tracked install records and skips missing/unsupported/malformed records, but it does not resolve plugins.entries..enabled before proceeding toward update checks. (src/plugins/update.ts:485, 28ff82dcdae7)
• Current updater can still call ClawHub/npm/marketplace for tracked installs: After record validation, current main proceeds to npm metadata checks and npm/ClawHub/marketplace install/update calls without a disabled-plugin gate. (src/plugins/update.ts:570, 28ff82dcdae7)
• Existing tests confirm disabled entries can still be updated in current behavior: The current package-id migration test keeps plugins.entries.voice-call.enabled false but still expects installPluginFromNpmSpec to be called, which shows disabled entries are not globally skipped by updateNpmInstalledPlugins today. (src/plugins/update.test.ts:880, 28ff82dcdae7)
• Docs match the reporter's failure mode: The CLI update docs say post-update plugin sync failures fail the update result and stop restart follow-up work, matching the linked report's disabled ClawHub 429 symptom. Public docs: docs/cli/update.md. (docs/cli/update.md:152, 28ff82dcdae7)
• Proposed diff is focused and includes regression coverage: The provided PR context shows the proposed branch adds skipDisabledPlugins to updateNpmInstalledPlugins, passes it from post-update sync, adds disabled npm/ClawHub/marketplace tests, and adds a changelog entry; it does not touch workflows, dependencies, lockfiles, publishing metadata, or secret handling. (src/plugins/update.ts:469, ff1e82875820)

Likely related people:

• Peter Steinberger steipete@gmail.com: Local blame and path history show the current post-update plugin sync, updateNpmInstalledPlugins implementation, and relevant tests in the central files were introduced or recently carried by Peter, including e583db6 and release-adjacent changelog work in be8c246. (role: recent maintainer / feature-history owner; confidence: medium; commits: e583db63c602, be8c24633aaa; files: src/plugins/update.ts, src/cli/update-cli/update-command.ts, src/plugins/update.test.ts)

Remaining risk / open question:

• The PR changes an install/update path, so review should verify enabled plugin update failures and integrity drift still fail closed while only explicitly disabled tracked installs are skipped during post-update sync.
• Skipping disabled tracked installs means disabled plugins may remain stale until explicitly updated or re-enabled; that appears consistent with the linked report, but maintainers should confirm this is the intended product behavior.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 28ff82dcdae7.

[openclaw-barnacle]

Closing this PR because the author has more than 10 active PRs in this repo. Please reduce the active PR queue and reopen or resubmit once it is back under the limit. You can close your own PRs to get back under the limit.

[openclaw-barnacle]

Closing this PR because the author has more than 10 active PRs in this repo. Please reduce the active PR queue and reopen or resubmit once it is back under the limit. You can close your own PRs to get back under the limit.

[vincentkoc]

Reopening now that Barnacle no longer applies active-PR-limit closure to clownfish PRs. L3.1 still owns the actual PR closeout.

[vincentkoc]

Thanks for the focused fix. GitHub kept this PR pinned to the stale head after the queue-limit close, so I rebuilt the same narrow patch on current main and landed it through #73970.

Merged commit: 43da089

[vincentkoc]

Barnacle mainline fix landed: active-PR-limit closure no longer applies to clownfish PRs. I tried to reopen this PR, but GitHub rejects reopen because the clownfish/clawsweeper-openclaw-openclaw-73880 branch was force-pushed or recreated after closure. L3.1 still owns the actual PR closeout.

[vincentkoc]

Barnacle now skips the active-PR-limit label/closure path for clownfish PRs. Reopening for L3.1 follow-up; not merging here.