fix: detect and recover from incomplete bundled runtime deps staging

[scottgl9]

What bug this fixes

Closes #75309

When openclaw update times out during the post-install pnpm staging step (ETIMEDOUT), node_modules is left in a corrupt/incomplete state. Both gateway startup (prestageGatewayBundledRuntimeDeps) and openclaw doctor --repair (maybeRepairBundledPluginRuntimeDeps) have an early-return at missing.length === 0 that fires even when the install is corrupt, leaving channels crashing at runtime.

Relationship to upstream refactor

The upstream refactor of isRuntimeDepSatisfied (in bundled-runtime-deps-materialization.ts) now also checks hasInstalledRuntimeDepEntryFiles — verifying that the package's main entry file exists on disk. This catches the specific dotenv case from the original bug report. However, packages that do not declare a main field return true from hasInstalledRuntimeDepEntryFiles unconditionally, so a corrupt install of such a package still passes the sentinel check and missing.length === 0 returns early without repair.

Fix

This PR adds defense-in-depth using isRuntimeDepsPlanMaterialized — the same completeness check the repair function itself uses internally. It verifies both the generated install manifest (package.json with name: "openclaw-runtime-deps-install") and that all package entry files satisfy hasSatisfiedInstallSpecPackages, so corrupt stages are caught regardless of whether a package declares a main field.

hasPreviousIncompleteInstall(installRoot, installSpecs) combines the check:

1. node_modules exists → there was a previous install attempt
2. !isRuntimeDepsPlanMaterialized(installRoot, installSpecs) → the install isn't actually complete

At both early-return sites: if incomplete, treat all deps as missing to force a clean reinstall.

Is this the best fix?

Yes. isRuntimeDepsPlanMaterialized is the authoritative completeness check already used by the repair functions — using it to gate the early-return is the minimally invasive fix with the broadest coverage.

Evidence

• Confirmed root cause and fix on scottgl-aipc after v2026.4.29 upgrade with staging timeout
• All 7 gateway startup tests pass
• All 29 doctor repair tests pass
• New tests added for both code paths

[clawsweeper]

Codex review: needs changes before merge.

What this changes:

The PR adds a bundled runtime-deps completion marker, checks gateway startup and openclaw doctor --repair for node_modules without that marker, forces all detected deps through repair when incomplete state is detected, and adds regression tests plus a changelog entry.

Required change before merge:

There is a concrete P2 bug in the PR branch that an automated repair can address in the runtime-deps installer and focused tests; check whether #75183 has merged before starting to avoid duplicate work.

Security review:

Security review cleared: The diff is limited to runtime-deps repair/installer logic, tests, and changelog; it adds no dependencies, workflow permissions, package sources, secret handling, or new execution surface beyond the existing npm/pnpm staging path.

Review findings:

• [P2] Honor missing completion markers in the installer — src/plugins/bundled-runtime-deps-install.ts:346-350

Review details

Best possible solution:

Keep the bug tracked until the runtime-deps repair path treats a missing completion marker as non-converged all the way through the installer, with regression coverage for the generated-manifest plus no-main package sentinel case in gateway startup and doctor repair. If #75183 lands first, this PR can be closed as superseded by that merged implementation.

Do we have a high-confidence way to reproduce the issue?

Yes. A source-level reproduction can create an install root with node_modules/<dep>/package.json for a package without main, a generated openclaw-runtime-deps-install manifest, missing real package contents, and no .install-complete; the PR calls repair, but the default installer can still return before reinstalling or writing the marker.

Is this the best way to solve the issue?

No. Gateway startup and doctor repair are the right boundaries, and a post-success marker is viable, but the marker must be integrated with the installer/materialization fast path rather than checked only before calling repair.

Full review comments:

• [P2] Honor missing completion markers in the installer — src/plugins/bundled-runtime-deps-install.ts:346-350
repairBundledRuntimeDepsInstallRootAsync writes the generated package.json before it calls installBundledRuntimeDepsAsync. For the corrupt no-main package state this PR is trying to recover from, that can make isRuntimeDepsPlanMaterialized(...) true, so the installer returns before reaching the new marker removal/reinstall code. The marker stays absent and the corrupt node_modules tree is reused; gate the materialized fast path on the completion marker or force install when the marker is missing.
  Confidence: 0.93

Overall correctness: patch is incorrect
Overall confidence: 0.9

Acceptance criteria:

• pnpm test src/plugins/bundled-runtime-deps.test.ts src/commands/doctor-bundled-plugin-runtime-deps.test.ts src/gateway/server-startup-plugins.test.ts
• pnpm exec oxfmt --check --threads=1 src/plugins/bundled-runtime-deps-install.ts src/plugins/bundled-runtime-deps.ts src/plugins/bundled-runtime-deps-materialization.ts src/plugins/bundled-runtime-deps.test.ts src/commands/doctor-bundled-plugin-runtime-deps.ts src/commands/doctor-bundled-plugin-runtime-deps.test.ts src/gateway/server-startup-plugins.ts src/gateway/server-startup-plugins.test.ts CHANGELOG.md

What I checked:

• Current main gateway early return: Gateway startup still returns when the scan reports missing.length === 0, before resolving the package-level install root or attempting repair. (src/gateway/server-startup-plugins.ts:106, 42d73fd955af)
• Current main doctor early return: Doctor bundled runtime-deps repair also returns when missing.length === 0, so a corrupt tree that passes the sentinel scan is not repaired on main. (src/commands/doctor-bundled-plugin-runtime-deps.ts:80, 42d73fd955af)
• No-main package materialization gap: hasInstalledRuntimeDepEntryFiles returns true when package.json has no non-empty main, and isRuntimeDepsPlanMaterialized then accepts generated manifest coverage plus satisfied package sentinels. (src/plugins/bundled-runtime-deps-materialization.ts:79, 42d73fd955af)
• Repair writes generated manifest before invoking install: The async repair path writes the generated install manifest before calling the installer, which can make the materialization fast path true for a no-main package sentinel before a real reinstall occurs. (src/plugins/bundled-runtime-deps-install.ts:431, 42d73fd955af)
• PR marker handling is after the fast path: The PR removes the new completion marker only after isRuntimeDepsPlanMaterialized has already had a chance to return, so a missing marker does not force the installer to run. (src/plugins/bundled-runtime-deps-install.ts:346, a7c5c7d2606c)
• PR tests bypass default installer: The added doctor regression test injects installDeps and only asserts that repair is requested, so it does not cover the default installer returning early after repair writes the generated manifest. (src/commands/doctor-bundled-plugin-runtime-deps.test.ts:661, a7c5c7d2606c)

Likely related people:

• steipete: Current-main blame for the central runtime-deps materialization, installer, gateway startup, and doctor repair paths points to Peter Steinberger, and the related open fix: simplify bundled runtime dependency repair #75183 by steipete is an active maintainer-side refactor for the same bundled runtime-deps repair behavior. (role: recent maintainer and adjacent owner; confidence: medium; commits: 4987482e4c54; files: src/plugins/bundled-runtime-deps.ts, src/plugins/bundled-runtime-deps-install.ts, src/plugins/bundled-runtime-deps-materialization.ts)

Remaining risk / open question:

• Open fix: simplify bundled runtime dependency repair #75183 overlaps this fix and may supersede this branch before an automated repair is useful.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 42d73fd955af.

[steipete]

Thanks for jumping on this. We ended up landing the broader runtime-deps repair in #75183, which closes #75309 and covers the partial pnpm tree recovery path from this PR, including the generated-manifest/no-main package hole noted in review. Since this branch is now conflicted and superseded by the merged fix, I’m closing it to keep the queue clean.

[scottgl9]

Thanks for jumping on this. We ended up landing the broader runtime-deps repair in #75183, which closes #75309 and covers the partial pnpm tree recovery path from this PR, including the generated-manifest/no-main package hole noted in review. Since this branch is now conflicted and superseded by the merged fix, I’m closing it to keep the queue clean.

Any ETA on when this will make it to the next release version of OpenClaw? I'm still encountering this issue.