
fix(plugin-sdk): bundle zod subpath artifact #78464

Closed
zeus1959 wants to merge 1 commit into openclaw:main from zeus1959:fix-plugin-sdk-zod-pnpm-global

fix(plugin-sdk): bundle zod subpath artifact#78464
zeus1959 wants to merge 1 commit into
openclaw:mainfrom
zeus1959:fix-plugin-sdk-zod-pnpm-global

Conversation

@zeus1959 zeus1959 commented May 6, 2026

Contributor

Summary

  • Problem: openclaw/plugin-sdk/zod shipped as dist/plugin-sdk/zod.js with a bare runtime export * from "zod", which can fail in pnpm global installs where zod is not resolvable from the OpenClaw package root.
  • Why it matters: bundled and third-party channel plugins import this public SDK subpath during registration, so a missing bare zod dependency can prevent plugins such as Feishu and BlueBubbles from registering.
  • What changed: force zod into the tsdown bundle graph so the published SDK subpath imports only package-local chunks.
  • Guardrail: extend the npm postpublish verifier with a package-artifact check that rejects dist/plugin-sdk/zod.js when it imports or re-exports bare zod.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor required for the fix
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

Root Cause (if applicable)

src/plugin-sdk/zod.ts re-exported from bare zod, and the build did not force that dependency to stay bundled for the public SDK subpath. Published artifacts could therefore contain export * from "zod", which relies on Node resolving zod from the installed OpenClaw package location. pnpm global installs can leave that dependency unavailable from that path.

Regression Test Plan (if applicable)

  • Coverage level that should have caught this:
    • Unit test
    • Package-artifact smoke
  • Target test or file:
    • test/openclaw-npm-postpublish-verify.test.ts
    • scripts/openclaw-npm-postpublish-verify.ts
  • Scenario the test locks in: installed dist/plugin-sdk/zod.js must be self-contained and must not import or re-export bare zod.

Security Impact (required)

  • New permissions/capabilities? (Yes/No) No
  • Secrets/tokens handling changed? (Yes/No) No
  • New/changed network calls? (Yes/No) No
  • Command/tool execution surface changed? (Yes/No) No
  • Data access scope changed? (Yes/No) No
  • If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

  • OS: Linux workspace
  • Runtime/container: Node v24.15.0, pnpm 10.33.2/10.33.3 via Corepack
  • Integration/channel: package artifact and plugin SDK zod subpath

Steps

  1. Build the package.
  2. Inspect dist/plugin-sdk/zod.js for bare zod imports/exports.
  3. Pack the candidate tarball.
  4. Install it into an isolated pnpm global root.
  5. Import openclaw/plugin-sdk/zod from the installed package.

Expected

The zod SDK subpath imports successfully and the installed artifact verifier reports no bare zod import/export.

Actual

After this patch, the installed pnpm global tarball import succeeded and the verifier returned [].

Evidence

$ pnpm build
OK: All 4 required plugin-sdk exports verified.
[build-all] write-cli-compat

$ rg -n 'from "zod"|from "zod/|export \* from "zod|import\("zod' dist/plugin-sdk/zod.js dist -g '*.js' | head -100
# no output

$ pnpm pack --pack-destination /tmp/openclaw-zod-smoke
Tarball Details
/tmp/openclaw-zod-smoke/openclaw-2026.5.6.tgz

$ PNPM_HOME=/tmp/openclaw-zod-smoke/pnpm-home HOME=/tmp/openclaw-zod-smoke/home PATH=/tmp/openclaw-zod-smoke/pnpm-home:$PATH pnpm install -g /tmp/openclaw-zod-smoke/openclaw-2026.5.6.tgz --global-dir /tmp/openclaw-zod-smoke/global --store-dir /tmp/openclaw-zod-smoke/store --no-lockfile --dangerously-allow-all-builds
/tmp/openclaw-zod-smoke/global/5:
+ openclaw 2026.5.6

$ node --input-type=module --eval "const mod = await import('openclaw/plugin-sdk/zod'); console.log(typeof mod.z.object, typeof mod.object);"
function function

$ node --import tsx --input-type=module --eval "import { collectInstalledPluginSdkZodArtifactErrors } from './scripts/openclaw-npm-postpublish-verify.ts'; const errors = collectInstalledPluginSdkZodArtifactErrors('/tmp/openclaw-zod-smoke/global/5/node_modules/openclaw'); console.log(JSON.stringify(errors));"
[]

Review Conversations

  • I replied to or resolved every bot review conversation I addressed in this PR.
  • I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

  • Backward compatible? (Yes/No) Yes
  • Config/env changes? (Yes/No) No
  • Migration needed? (Yes/No) No
  • If yes, exact upgrade steps: N/A

Risks and Mitigations

  • Risk: packaging more zod code into the OpenClaw runtime artifact could increase package size.
    • Mitigation: this only forces an existing root runtime dependency into the bundle graph for a public SDK subpath that must work from installed packages.
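The package-artifact guardrail this PR describes, as an added example that is not OpenClaw's own postpublish verifier: it walks the package-local import graph reachable from the built entry artifact and rejects any specifier that resolves to bare zod (or a zod/ subpath), plus any relative chunk that is missing. The file map, function name and sample chunk names are constructed for this example.

```typescript
// Added example (not OpenClaw's verifier): scan the chunks reachable from a built
// entry artifact for bare "zod" specifiers and missing package-local chunks.
// The package is an in-memory map (path -> source) constructed so this runs offline.
import { posix as path } from "node:path";

// Specifier position of: import x from "s"; export * from "s"; import "s"; import("s"); require("s").
const SPECIFIER_RE =
  /(?:\bfrom\s*|\bimport\s*\(\s*|\brequire\s*\(\s*|\bimport\s+)(['"])([^'"\n]+)\1/g;
// Bare "zod" or any "zod/..." subpath, but not "./zod.js" or "zod-like".
const BARE_ZOD_RE = /^zod(\/|$)/;

export type PackageFiles = Record<string, string>;

export function collectReachableZodArtifactErrors(files: PackageFiles, entry: string): string[] {
  const errors: string[] = [];
  const seen = new Set<string>();
  const queue: string[] = [entry];
  while (queue.length > 0) {
    const file = queue.shift() as string;
    if (seen.has(file)) continue;
    seen.add(file);
    const source = files[file];
    if (source === undefined) {
      errors.push(`${file}: missing package-local chunk`);
      continue;
    }
    const re = new RegExp(SPECIFIER_RE.source, "g");
    let match: RegExpExecArray | null;
    while ((match = re.exec(source)) !== null) {
      const specifier = match[2];
      if (BARE_ZOD_RE.test(specifier)) {
        errors.push(`${file}: bare zod specifier "${specifier}"`);
      } else if (specifier.startsWith(".")) {
        // Package-local chunk: resolve against the importing file and follow it.
        queue.push(path.join(path.dirname(file), specifier));
      }
      // Anything else (node: builtins, other deps) is outside this guard's scope.
    }
  }
  return errors;
}

// Constructed sample package: the entry references only local chunks, but a sibling
// chunk still leaks a bare zod re-export that an entry-file-only check would miss.
export const SAMPLE_FILES: PackageFiles = {
  "dist/plugin-sdk/zod.js": 'export * from "../chunk-zod.js";\nexport { z } from "../chunk-zod.js";\n',
  "dist/chunk-zod.js": 'import { ZodType } from "./chunk-core.js";\nexport * from "zod";\n',
  "dist/chunk-core.js": "export class ZodType {}\n",
};
```

Running it against an installed package would mean reading each reachable file from the package root instead of the in-memory map; the graph walk and specifier check stay the same.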

@openclaw-barnacle openclaw-barnacle Bot added scripts Repository scripts size: S triage: needs-real-behavior-proof Candidate: external PR needs after-fix proof from a real setup. labels May 6, 2026
clawsweeper Bot commented May 6, 2026

Contributor

Thanks for the context here. I swept through the related work, and this is now duplicate or superseded.

Close as superseded: #78515 already landed the same zod bundling fix with a stronger reachable-chunk artifact verifier, and that implementation is present in v2026.5.20.

Canonical path: Keep the shipped implementation from #78515 and close this duplicate PR rather than merging a stale parallel branch.

So I’m closing this here and keeping the remaining discussion on #78515.

Review details

Best possible solution:

Keep the shipped implementation from #78515 and close this duplicate PR rather than merging a stale parallel branch.

Do we have a high-confidence way to reproduce the issue?

Yes. The linked issue and PR body give a concrete pnpm global install path for the old artifact failure, and source inspection shows the public SDK subpath and package verifier path involved.

Is this the best way to solve the issue?

No for this PR as the landing vehicle. The build-side direction was right, but the already-merged implementation is the better solution because it also verifies reachable local chunks from the zod entry artifact.

Security review:

Security review cleared: The diff only changes bundling for an existing declared dependency plus package-artifact verification, tests, and changelog text; it adds no new dependency source, permissions, network calls, lifecycle hooks, or secret handling.

What I checked:

Likely related people:

  • ggzeng: Authored the detailed linked bug report and the merged superseding PR whose squash commit fixed the packaging issue and shipped in v2026.5.20. (role: canonical fix contributor; confidence: high; commits: ea72414e1c44; files: tsdown.config.ts, scripts/openclaw-npm-postpublish-verify.ts, test/openclaw-npm-postpublish-verify.test.ts)
  • obviyus: Commit 8b13710 added the public plugin-sdk/zod subpath and related package metadata that made this installed-package contract relevant. (role: introduced SDK surface; confidence: high; commits: 8b13710c0921; files: src/plugin-sdk/zod.ts, package.json, scripts/lib/plugin-sdk-entrypoints.json)
  • Takhoffman: Commit 7651a03 added the packed CLI smoke and postpublish verifier infrastructure that the zod artifact guard extends. (role: verifier feature contributor; confidence: medium; commits: 7651a03424fa; files: scripts/openclaw-npm-postpublish-verify.ts, test/openclaw-npm-postpublish-verify.test.ts)
  • altaywtf: The canonical squash commit records altaywtf as reviewer and co-author for the merged zod packaging fix. (role: reviewer and co-author of superseding fix; confidence: medium; commits: ea72414e1c44; files: tsdown.config.ts, scripts/openclaw-npm-postpublish-verify.ts, test/openclaw-npm-postpublish-verify.test.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 8961eae3f022; fix evidence: release v2026.5.20, commit ea72414e1c44.

@clawsweeper clawsweeper Bot added the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 6, 2026
@giodl73-repo giodl73-repo removed the triage: needs-real-behavior-proof Candidate: external PR needs after-fix proof from a real setup. label May 21, 2026
@openclaw-barnacle openclaw-barnacle Bot added the triage: needs-real-behavior-proof Candidate: external PR needs after-fix proof from a real setup. label May 21, 2026
@clawsweeper clawsweeper Bot added the rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. label May 21, 2026
@clawsweeper clawsweeper Bot added status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. P1 High-priority user-facing bug, regression, or broken workflow. merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. labels May 21, 2026
clawsweeper Bot commented May 21, 2026

Contributor

ClawSweeper applied the proposed close for this PR.

@clawsweeper clawsweeper Bot closed this May 21, 2026
Development

Successfully merging this pull request may close these issues.

fix(plugin-sdk): zod bare import fails to resolve in pnpm global installs