fix: simplify bundled runtime dependency repair

[steipete]

Summary

This PR unifies bundled plugin runtime-dependency repair around the package-level plan and lets npm/pnpm own dependency convergence once OpenClaw has decided a repair is required.

What changed:

• Build the active bundled plugin dependency plan before startup/runtime imports, then repair the selected package-level install root once instead of per-plugin ad hoc scans.
• Treat an existing node_modules tree without complete generated materialization as incomplete, even when package sentinels such as node_modules/<dep>/package.json exist.
• Force the package-manager repair once the planner has marked a tree incomplete, so writing the generated install manifest cannot accidentally turn the repair into a no-op.
• Keep post-install verification on requested packages and declared entry files, so package-manager success is not trusted until the staged tree is actually usable.
• Accept generated manifest supersets for narrower plugin loads so a complete package-level stage is reused rather than pruned/reinstalled.
• Preserve config/doctor/hot-reload behavior: config determines the plugin plan; doctor/config edits enter plan mode; startup only repairs when the plan or materialization requires it.

Fixes / related reports

Fixes #75309.

Supersedes the implementation approach in #75310 by keeping the same narrow idea but closing the reviewed hole where a generated manifest plus a no-main package sentinel could still look materialized.

Also hardens the recovery side of the already-addressed reports #75296 and #75304:

• [Bug] bundled-runtime-deps installer reports success after partial install on ETIMEDOUT, leaving channel modules unable to resolve json5 #75296: post-install verification already fails closed when npm/pnpm reports success but requested packages are missing; this PR additionally makes later doctor/startup repair recover from the leftover partial tree.
• [Bug]: OpenClaw 2026.4.29 — Telegram/Discord channels crash-loop due to missing ESM exports in bundled runtime deps #75304: mirrored root dependencies and manifest-superset reuse already address the json5/prune crash loop; this PR prevents interrupted runtime-deps stages from staying stuck behind false package sentinels.

Not claimed: #73520, #74948, #74963, #75071, and #75288 are nearby runtime-deps lifecycle issues with different root causes.

Verification

Local:

• pnpm docs:list
• pnpm exec oxfmt --check --threads=1 src/plugins/bundled-runtime-deps-install.ts src/plugins/bundled-runtime-deps.ts src/plugins/bundled-runtime-deps-materialization.ts src/plugins/bundled-runtime-deps.test.ts src/commands/doctor-bundled-plugin-runtime-deps.test.ts
• pnpm exec oxfmt --check --threads=1 CHANGELOG.md
• pnpm check:changelog-attributions
• git diff --check
• pnpm test src/plugins/bundled-runtime-deps.test.ts src/commands/doctor-bundled-plugin-runtime-deps.test.ts src/gateway/server-startup-plugins.test.ts src/gateway/server.reload.test.ts -- --reporter=verbose

Blacksmith/Testbox:

• tbx_01kqgsehj3tf33k2dmzy35ds7j: pnpm test src/plugins/bundled-runtime-deps.test.ts src/commands/doctor-bundled-plugin-runtime-deps.test.ts src/gateway/server-startup-plugins.test.ts src/gateway/server.reload.test.ts -- --reporter=verbose passed, 3 Vitest shards / 177 tests.

Broad pnpm check:changed was attempted on tbx_01kqgrw1phqcm20c9w06n1w4wx, but the Testbox full-sync omitted the tracked-but-gitignored pnpm-lock.yaml; the workaround polluted remote node_modules into the changed-file scan and tsgolint was later SIGKILLed. I do not count that polluted run as product signal.

[clawsweeper]

Codex review: needs maintainer review before merge.

What this changes:

This PR refactors bundled plugin runtime dependency planning and repair into a package-level flow, hardens materialization/lock/symlink recovery, adjusts Gateway startup and CLI plugin-load policy, and updates related tests, docs, and changelog entries.

Maintainer follow-up before merge:

No safe fix-PR candidate: this automerge-opted PR has no discrete review finding from this pass, and the remaining action is exact-head CI/merge gating rather than an autonomous repair.

Security review:

Security review cleared: Security review cleared: the diff touches package-manager repair paths but keeps lifecycle scripts disabled, disables workspace installs, avoids new secrets or permissions, and does not introduce a concrete supply-chain regression.

Review details

Best possible solution:

Keep the package-level runtime-deps repair direction, let the exact-head automerge/CI gates finish on the current head, and merge only after the pending checks and maintainer policy gates are satisfied.

Do we have a high-confidence way to reproduce the issue?

Yes. The linked corrupt staged-tree scenario is reproducible by leaving a generated install manifest plus partial node_modules materialization, and the PR adds focused regression coverage for incomplete materialization, forced repair, doctor repair, and Gateway/startup fallback paths.

Is this the best way to solve the issue?

Yes. The PR’s direction is the narrow maintainable fix: OpenClaw computes the active package-level dependency plan, npm/pnpm converges the install root with scripts/workspaces disabled, and OpenClaw verifies runtime entries before import instead of relying on package sentinels alone.

What I checked:

• Current main baseline: The checkout is on main at 9d21df2, and current main still has the older install short-circuit path that returns when isRuntimeDepsPlanMaterialized is true without the PR's forced repair path. (src/plugins/bundled-runtime-deps-install.ts:293, 9d21df251e50)
• Package-level repair diff: The PR adds createBundledRuntimeDepsPackagePlan, marks a previous incomplete node_modules tree as missing, attempts safe sibling reuse only when materialized, and forces package-manager repair after the planner has already determined repair is required. (src/plugins/bundled-runtime-deps.ts:579, 04dc566534f2)
• Materialization verification diff: The PR makes generated/package manifest supersets acceptable only when requested dependency packages also satisfy version and reachable runtime entry/export checks, and adds a controlled removal path for legacy node_modules symlinks. (src/plugins/bundled-runtime-deps-materialization.ts:260, 04dc566534f2)
• Prior review finding addressed: The current PR diff scopes installBundledRuntimeDeps: false to read-only/status paths while operational channels commands use the configured-channel registry policy without the no-repair override, addressing the earlier P1 review comment about disabling repair for all channel commands. (src/cli/command-catalog.ts:63, 04dc566534f2)
• Exact-head PR state: The public GitHub API reports PR head 04dc566, labels include maintainer and clawsweeper:automerge, mergeable is true with mergeable_state unstable, and exact-head checks were still pending at review time with many completed successes. (04dc566534f2)
• Feature history: GitHub path history shows recent bundled runtime-deps and runtime-root work led by steipete, with adjacent Gateway startup plugin metadata/runtime work by shakkernerd and channel/CLI plugin-load trimming by NianJiuZst/gumadeiras. (9d21df251e50)

Likely related people:

• steipete: Recent main history for bundled runtime-deps planning, materialization, runtime-root staging, and CLI startup policy repeatedly points to Peter Steinberger, including the central runtime-deps simplification and later planner/materialization refactors. (role: primary runtime-deps and startup-path maintainer; confidence: high; commits: 8cf724a381a3, c160bec3d62a, 9ae7db556289; files: src/plugins/bundled-runtime-deps.ts, src/plugins/bundled-runtime-deps-materialization.ts, src/plugins/bundled-runtime-root.ts)
• shakkernerd: Recent main history on server-startup-plugins.ts shows Shakker carrying plugin lookup-table, startup metadata reuse, and diagnostics timeline work that this PR now composes with deferred startup plugin runtime loading. (role: adjacent Gateway startup metadata owner; confidence: medium; commits: 3f38d3af887d, 9de2bc6ffcc4, 197c83138e30; files: src/gateway/server-startup-plugins.ts, src/gateway/server.impl.ts)
• NianJiuZst: Recent merged CLI text-command hang work changed plugin preload behavior in command-catalog.ts, which is the same startup-policy surface this PR narrows for channel commands. (role: adjacent CLI startup maintainer; confidence: medium; commits: 43ca7399e5ba; files: src/cli/command-catalog.ts)
• gumadeiras: Prior merged work specifically kept channel status checks off plugin runtimes in command-catalog.ts, making it relevant to the read-only channel no-repair policy adjusted here. (role: adjacent channel CLI policy contributor; confidence: medium; commits: 24db09a19bde; files: src/cli/command-catalog.ts)

Remaining risk / open question:

• Exact-head CI was not fully complete at review time; merge should remain gated on the final check set for head 04dc566.
• The diff is broad across plugin runtime-deps, Gateway startup, CLI policy, docs, and tests, so maintainer review should focus on final startup behavior and check results even though no discrete code-review finding was identified.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 9d21df251e50.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8d4a7b17ed

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[steipete]

@clawsweeper automerge

[clawsweeper]

🦞🦞
ClawSweeper is pausing this repair loop for human review.

Source: clawsweeper[bot]
Reason: structured ClawSweeper verdict: needs-human (sha=04dc566534f232984370c9cba2c96099eb34c9ef)

I added clawsweeper:human-review and left the final call with a maintainer.

[steipete]

@clawsweeper approve automerge