fix(doctor): include allow-only official plugin ids in release repair set

[hclsys]

Summary

Fixes #77155 — doctor --fix silently removes plugins that appear in plugins.allow but not in plugins.entries (allow-only).

Root Cause

collectReleaseConfiguredPluginIds collected plugin ids from plugins.entries (material entries), slots, channels, providers, and runtimes — but not from plugins.allow. Allow-only entries (e.g. lobster in plugins.allow with no plugins.entries.lobster) were never passed to repairMissingPluginInstallsForIds, so they weren't installed during the one-time 2026.5.2 release repair. Stale-config cleanup then removed them from plugins.allow because they weren't in the installed plugin registry — silently breaking cron jobs that depend on those plugins.

Fix

Added collectAllowOnlyOfficialPluginIds which reads plugins.allow, filters out ids already covered by a material plugins.entries entry, and gates each remaining id against getOfficialExternalPluginCatalogEntry. Only official external catalog entries are included — arbitrary allow-list ids for unofficial/workspace plugins are intentionally excluded to avoid installing unknown packages during doctor --fix.

Changes

• src/commands/doctor/shared/release-configured-plugin-installs.ts: added collectAllowOnlyOfficialPluginIds + call in collectReleaseConfiguredPluginIds
• src/commands/doctor/shared/release-configured-plugin-installs.test.ts: 2 new regression tests
• CHANGELOG.md: entry under Fixes

Test plan

• pnpm exec vitest run src/commands/doctor/shared/release-configured-plugin-installs.test.ts — 12/12 pass
• pnpm exec oxlint src/commands/doctor/shared/release-configured-plugin-installs.ts src/commands/doctor/shared/release-configured-plugin-installs.test.ts — 0 warnings, 0 errors
• New test: allow-only official plugin (lobster) → included in repair set
• New test: allow-only unofficial plugin → excluded from repair set
• New test: allow-only id already covered by material entry → not double-added, catalog not queried for it

🤖 Generated with Claude Code

[clawsweeper]

Codex review: needs changes before merge.

Summary
The PR adds official-catalog-gated collection of plugins.allow-only IDs to doctor’s release configured-plugin install repair, with regression tests and a changelog entry.

Reproducibility: yes. Source inspection shows current main’s release collector does not iterate plugins.allow, while stale plugin repair removes missing allow entries when discovery is healthy; I did not live-run doctor --fix.

Next step before merge
The only actionable blocker I found is the dirty merge state; an automated repair lane can rebase/resolve the conflict without redesigning the functional doctor fix.

Security
Cleared: The diff changes doctor’s install-repair candidate selection only for explicit config IDs that resolve through the official external plugin catalog, with no dependency, CI, secret, or package-source changes.

Review details

Best possible solution:

Resolve the current merge conflict, keep the official-catalog gate and regression tests intact, then land the doctor repair with the changelog entry on current main.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows current main’s release collector does not iterate plugins.allow, while stale plugin repair removes missing allow entries when discovery is healthy; I did not live-run doctor --fix.

Is this the best way to solve the issue?

Yes, functionally. Gating allow-only repair installs through the official external plugin catalog is the narrow maintainable fix; the remaining issue is mechanical conflict resolution and revalidation before merge.

Acceptance criteria:

• git diff --check
• pnpm exec oxfmt --check --threads=1 CHANGELOG.md src/commands/doctor/shared/release-configured-plugin-installs.ts src/commands/doctor/shared/release-configured-plugin-installs.test.ts
• pnpm test src/commands/doctor/shared/release-configured-plugin-installs.test.ts

What I checked:

• Current collector omits allow-only IDs: Current main’s collectReleaseConfiguredPluginIds collects auto-enable candidates, material entries, slots, providers, runtimes, web search, ACP, and channels, but has no pass over plugins.allow. (src/commands/doctor/shared/release-configured-plugin-installs.ts:277, ef0dbcf49d85)
• Stale cleanup removes missing allow entries: When plugin discovery is healthy, stale plugin repair removes hit IDs from plugins.allow, matching the reported failure mode if the release repair never installs the allow-only plugin first. (src/commands/doctor/shared/stale-plugin-config.ts:323, ef0dbcf49d85)
• Lobster is official external catalog data: The official external plugin catalog maps lobster to @openclaw/lobster, making it eligible for an official-catalog-gated repair path. (scripts/lib/official-external-plugin-catalog.json:123, ef0dbcf49d85)
• PR implements the narrow gate: The PR adds collectAllowOnlyOfficialPluginIds, skips IDs already covered by material entries, gates the rest through getOfficialExternalPluginCatalogEntry, and feeds them into the existing eligible repair set. (src/commands/doctor/shared/release-configured-plugin-installs.ts:253, eda2f563b689)
• PR adds targeted regression coverage: The PR tests that allow-only official IDs are included, unofficial IDs are excluded, and material-entry IDs are not redundantly catalog-queried. (src/commands/doctor/shared/release-configured-plugin-installs.test.ts:386, eda2f563b689)
• Changelog entry is present on PR head: The latest PR head includes a Doctor/plugins Fixes entry for the allow-only official plugin repair and credits the contributor. (CHANGELOG.md:51, eda2f563b689)

Likely related people:

• steipete: GitHub file history shows Peter introduced the 2026.5.2 configured-plugin doctor repair path and multiple follow-up repairs around update-time plugin install behavior. (role: introduced and recent maintainer; confidence: high; commits: b63d098e8cee, 47375fd6dc98, 04c724bb0ce9; files: src/commands/doctor/shared/release-configured-plugin-installs.ts, src/commands/doctor/shared/missing-configured-plugin-install.ts)
• vincentkoc: Vincent’s recent commits maintain the official external plugin catalog and adjacent external-plugin install paths that this PR uses as its safety gate. (role: adjacent owner; confidence: high; commits: d4268b1b2b74, 46d4238425ca, b5affa64b3bb; files: src/plugins/official-external-plugin-catalog.ts, scripts/lib/official-external-plugin-catalog.json, src/commands/doctor/shared/stale-plugin-config.ts)
• sallyom: The stale plugin allowlist and entry pruning behavior appears to originate in the merged stale-plugin cleanup work, which is part of the failure interaction here. (role: introduced related cleanup behavior; confidence: medium; commits: ae336d16023e; files: src/commands/doctor/shared/stale-plugin-config.ts)

Remaining risk / open question:

• The PR branch is currently dirty against current main, so merge conflict resolution may shift the changelog context before landing.
• I did not run the targeted test suite in this read-only review; the functional verdict is based on source inspection, PR diff inspection, and the author-reported targeted test result.

Codex review notes: model gpt-5.5, reasoning high; reviewed against ef0dbcf49d85.