fix(plugins): invalidate runtime deps cache on package upgrade

[sahilsatralkar]

Summary

Describe the problem and fix in 2–5 bullets:

If this PR fixes a plugin beta-release blocker, title it fix(<plugin-id>): beta blocker - <summary> and link the matching Beta blocker: <plugin-name> - <summary> issue labeled beta-blocker. Contributors cannot label PRs, so the title is the PR-side signal for maintainers and automation.

• Problem: Bundled plugin runtime-deps cache could be reused after an in-place OpenClaw package upgrade at the same
  filesystem path.
• Why it matters: A packaged upgrade such as 2026.4.26 -> 2026.4.27 could keep loading stale staged runtime
  dependencies for bundled plugins.
• What changed: The plugin loader cache key now includes bundled package identity/version metadata, and a regression
  test locks the upgrade scenario.
• What did NOT change (scope boundary): No runtime dependency install policy, plugin manifest format, gateway
  behavior, docs, or user-facing config changed.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Bug]: Browser plugin broken after 4.26→4.27 upgrade — ERR_MODULE_NOT_FOUND for old plugin-runtime-deps path (persists after doctor --repair) #75045
• Related #
• This PR fixes a bug or regression

Root Cause (if applicable)

For bug fixes or regressions, explain why this happened, not just what changed. Otherwise write N/A. If the cause is unclear, write Unknown.

• Root cause: The plugin registry cache key included bundled plugin root paths and config inputs, but did not
  include the owning packaged OpenClaw version/package identity. When a packaged install was upgraded in place, the
  path stayed stable and the stale cached registry/runtime-deps staging could be reused.
• Missing detection / guardrail: There was no regression test covering a same-path packaged upgrade where the root
  package version changes while bundled plugin runtime-deps should be restaged.
• Contributing context (if known): The issue was observed with stale openclaw-2026.4.26-* browser runtime-deps
  paths after upgrading to a newer packaged build.

Regression Test Plan (if applicable)

For bug fixes or regressions, name the smallest reliable test coverage that should catch this. Otherwise write N/A.

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
  • Target test or file: src/plugins/loader.test.ts
  • Scenario the test should lock in: Loading a bundled plugin from the same package root before and after changing
    the root OpenClaw package version must not reuse the old cached registry/runtime-deps stage.
  • Why this is the smallest reliable guardrail: The bug lives at the plugin loader cache/staging seam, so the test
    exercises loadOpenClawPlugins with a temp bundled package and fake runtime-deps install without requiring a full
    packaged app install.
  • Existing test that already covers this (if any): None.
  • If no new test is added, why not: N/A.

User-visible / Behavior Changes

Packaged OpenClaw upgrades should no longer keep using stale bundled plugin runtime-deps staging from the previous
package version.

Diagram (if applicable)

For UI changes or non-trivial logic flows, include a small ASCII diagram reviewers can scan quickly. Otherwise write N/A.

  Before:
  [upgrade package in place] -> [same bundled plugin path] -> [old loader cache key] -> [stale runtime deps reused]

  After:
  [upgrade package in place] -> [package version identity changes] -> [new loader cache key] -> [fresh runtime deps
  staging]

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) No
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

• OS: macOS
• Runtime/container: Node 22 / pnpm workspace
• Model/provider: N/A
• Integration/channel (if any): Bundled plugin runtime-deps loader
• Relevant config (redacted): OPENCLAW_BUNDLED_PLUGINS_DIR, OPENCLAW_PLUGIN_STAGE_DIR,
  OPENCLAW_TEST_TRUST_BUNDLED_PLUGINS_DIR=1

Steps

1. Load a bundled plugin from a packaged root with root package version 2026.4.26.
2. Mutate the same package root to version 2026.4.27 and update the bundled plugin runtime entry.
3. Load the same bundled plugin again.

Expected

• The second load computes a distinct cache key and uses fresh runtime-deps staging for the upgraded package
  version.

Actual

• Before this fix, the second load could reuse the first cached plugin registry/runtime-deps staging because the
  package version was not part of the cache identity.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios:
  • New regression failed before the implementation change and passed after it.
  • Targeted plugin loader/runtime-deps tests passed.
  • Targeted doctor/gateway runtime-deps tests passed.
  • Targeted formatter check passed.
  • pnpm build passed.
  • codex review --base origin/main completed with no findings.
• Edge cases checked:
  • Same package path with changed root package version.
  • Runtime-deps install root changes after upgrade.
  • Existing bundled runtime-deps/stage-root/persisted manifest coverage remains green.
• What you did not verify:
  • Broad Blacksmith/Testbox changed-gate was not run.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write None.

• Risk: Cache invalidation becomes slightly broader for packaged bundled plugin roots when package metadata changes.
  • Mitigation: The cache identity is scoped to the bundled package root/package.json metadata and does not change
    runtime dependency install policy or plugin contracts.

[clawsweeper]

Codex review: needs changes before merge.

What this changes:

The PR adds bundled package package.json identity/version metadata to the plugin loader cache key and adds a regression test for same-path packaged upgrades re-staging bundled runtime deps.

Required change before merge:

An automated worker can safely add the missing changelog entry without changing loader behavior; maintainer review is still needed afterward for the full packaged-upgrade validation and merge decision.

Security review:

Security review cleared: The diff only reads local bundled package metadata for cache identity and adds tests; it does not add dependencies, workflow changes, permissions, network calls, secret handling, or new execution surfaces.

Review findings:

• [P2] Add the required changelog entry — src/plugins/loader.ts:635

Review details

Best possible solution:

Land this generic cache-identity fix after adding the required changelog entry, rebasing or validating against current main, and confirming the linked browser upgrade path no longer references the previous versioned runtime-deps root.

Do we have a high-confidence way to reproduce the issue?

Yes. The linked bug gives a concrete 2026.4.26 to 2026.4.27 packaged upgrade path with a stale openclaw-2026.4.26 runtime-deps import, and the PR adds a focused loader regression test for the same package-root version change.

Is this the best way to solve the issue?

Mostly yes. Adding bundled package identity to the generic plugin loader cache key is narrower and more maintainable than browser-specific cleanup, but the PR is not complete until the changelog is added and the full doctor/gateway upgrade route is validated.

Full review comments:

• [P2] Add the required changelog entry — src/plugins/loader.ts:635
  This is a user-facing packaged-upgrade bug fix, but the PR only touches loader code and tests. OpenClaw requires user-facing fixes to add an Unreleased CHANGELOG.md entry with contributor credit, so this should be added before merge.
  Confidence: 0.91

Overall correctness: patch is incorrect
Overall confidence: 0.86

Acceptance criteria:

• pnpm exec oxfmt --check --threads=1 CHANGELOG.md
• pnpm check:changelog-attributions
• git diff --check
• pnpm test src/plugins/loader.test.ts -- --reporter=verbose
• Testbox/default before merge: pnpm check:changed

What I checked:

• Current main cache key lacks package identity: buildCacheKey on current main serializes plugin roots, config, installs, scope, setup/runtime mode, SDK resolution, gateway methods, and activation mode, but has no bundled package package.json version or package-root identity input. (src/plugins/loader.ts:549, f2d97df262e5)
• Current main reuses cached registries: loadOpenClawPlugins returns a cached registry when the computed cache key matches, so missing package identity can preserve stale staged runtime module paths inside a running process. (src/plugins/loader.ts:1117, f2d97df262e5)
• Runtime-deps install roots are package-versioned: Current main computes external bundled runtime-deps install roots as openclaw--, making stale cached registries observable after an in-place package upgrade changes the versioned stage root. (src/plugins/bundled-runtime-deps-roots.ts:211, f2d97df262e5)
• PR adds cache identity and regression coverage: The PR diff adds bundled package root/package.json/version/stat identity to the loader cache key and adds a loader test that changes one package root from 2026.4.26 to 2026.4.27 and expects a fresh runtime-deps install root. (src/plugins/loader.ts:635, 56a788982ba3)
• Required changelog entry is missing: The PR file list contains only src/plugins/loader.ts and src/plugins/loader.test.ts, while the PR body describes a user-visible packaged-upgrade bug fix; OpenClaw policy requires a CHANGELOG.md entry for user-facing fixes. (CHANGELOG.md:14, 56a788982ba3)
• Related runtime-deps PR does not supersede this PR: Open PR fix: simplify bundled runtime dependency repair #75183 is broader, maintainer-labeled runtime-deps repair work, but its body explicitly lists this PR among nearby issues it does not claim, so it is not a canonical replacement for this narrow cache-key fix. (3f7de3500fd5)

Likely related people:

• steipete: Current blame for the central loader cache key points to Peter-authored main materialization, and recent GitHub commit history shows substantial bundled runtime-deps staging, planner, doctor, and startup repair work around this surface. (role: major runtime-deps and plugin-cache history owner; confidence: high; commits: 231e5c618f8a, 8cf724a381a3, 3c4851037b6c; files: src/plugins/loader.ts, src/plugins/bundled-runtime-deps.ts, src/plugins/bundled-runtime-deps-roots.ts)
• openperf: Recent merged work directly changed bundled runtime-deps packageRoot canonicalization and stage-key behavior in the same install-root computation path affected by this regression. (role: adjacent runtime-deps stage-key contributor; confidence: medium; commits: 4b98f0952934; files: src/plugins/bundled-runtime-deps-roots.ts, CHANGELOG.md)
• galiniliev: Recent main history includes bundled plugin native loading and loader-path changes in src/plugins/loader.ts, adjacent to the cache and module-loading behavior this PR changes. (role: recent bundled plugin loader maintainer; confidence: medium; commits: c4a4c189f11e; files: src/plugins/loader.ts, src/plugins/jiti-loader-cache.ts, src/plugins/sdk-alias.ts)

Remaining risk / open question:

• The focused regression test covers same-process in-place package mutation, while the linked report also includes doctor repair and systemd gateway restarts; the full packaged upgrade route still needs maintainer validation before merge.
• The PR branch is based on 58a0b07 while the current checkout is f2d97df, and runtime-deps files have continued changing on main; rebase or changed-gate validation may reveal drift.

Codex review notes: model gpt-5.5, reasoning high; reviewed against f2d97df262e5.

[steipete]

Closing as superseded by 931e607 on main.

[steipete]

Thanks @sahilsatralkar. This fix is now already on main via 931e607, with the changelog entry and the same regression coverage included.

I rechecked current origin/main:

• src/plugins/loader.ts includes bundled package identity/version in the loader cache key.
• src/plugins/loader.test.ts includes the same-path package-version upgrade regression test.
• CHANGELOG.md credits this fix with Thanks @sahilsatralkar.

Focused proof passed on current main:

pnpm test src/plugins/loader.test.ts -t "does not reuse cached bundled runtime deps after an in-place package version upgrade"

Closing this PR as superseded by the landed main commit. The underlying issue #75045 should be handled by that commit.