fix: preserve managed plugin peer dependencies #81435

Merged: shakkernerd merged 4 commits into main from fix/plugin-peer-deps on May 13, 2026

Conversation

@shakkernerd

Member

Summary

Fixes the beta update/plugin install path where npm install in the shared OpenClaw npm root could prune peer dependencies used by existing plugins.

The concrete reported failure was a custom plugin depending on @lancedb/lancedb; LanceDB declares apache-arrow as a peer dependency, and a later beta plugin install/update could remove apache-arrow, causing the custom plugin to fail loading.

This change:

  • discovers and preserves third-party peer dependencies in the managed npm root
  • tracks only peer dependencies OpenClaw actually owns
  • avoids marking existing root plugin dependencies as managed peers
  • scans repaired/materialized peer packages instead of silently trusting them
  • rolls back managed peer dependency mutations on failed installs
  • bounds peer discovery traversal to avoid symlink/cycle/unbounded scan issues

Verification

Post-rebase sanity:

git diff --check origin/main..HEAD

Live CLI checks were run against the same four-commit patch stack before the final clean rebase:

  • Built and installed a packed CLI from the patch stack: OpenClaw 2026.5.12-beta.1 (8aeb0b8).
  • Installed an existing root plugin, then attempted a plugin whose peers included that existing root plugin plus a dangerous peer.
    • install failed with the expected security scan block
    • existing root plugin stayed installed/listed
    • existing root plugin was not marked as a managed peer
    • blocked plugin and dangerous peer were not left in dependencies, on disk, or managed metadata
  • Installed a safe plugin with a missing peer.
    • missing peer was materialized
    • peer stayed tracked in managedPeerDependencies
  • Ran real plugins update against a local registry moving latest from 1.0.0 to 1.0.1.
    • target updated to 1.0.1
    • managed peer stayed installed/tracked
  • Reproduced the reported LanceDB shape live:
    • temp custom plugin depended on real @lancedb/lancedb@0.27.2
    • OpenClaw installed/tracked apache-arrow@18.1.0
    • installed real @openclaw/acpx@2026.5.12-beta.4
    • @lancedb/lancedb and apache-arrow both remained present
    • custom plugin and acpx both listed cleanly
    • no stale diagnostics from plugins list --json

openclaw-barnacle (bot) added the labels size: L and maintainer (Maintainer-authored PR) on May 13, 2026
@shakkernerd

Member Author

Landing with rebase merge per maintainer request.

Verification used for the merge decision:

git diff --check origin/main..HEAD

Live CLI proof from the same four-commit patch stack before the final clean rebase:

OpenClaw 2026.5.12-beta.1 (8aeb0b8)
install_existing   1491ms
install_blocked    1609ms
install_safe_host  1719ms
install_update_v1  1535ms
update_target      1412ms
list_json           693ms

Covered behavior:

  • blocked dangerous peer install failed with the expected security scan block
  • rollback left no blocked plugin or dangerous peer in dependencies, on disk, or managed peer metadata
  • existing root plugin stayed installed/listed and was not marked as a managed peer
  • safe missing peer was materialized and tracked as managedPeerDependencies
  • real plugins update moved a registry package from 1.0.0 to 1.0.1 without pruning the managed peer
  • reported LanceDB shape passed live: temp plugin using real @lancedb/lancedb@0.27.2, real apache-arrow@18.1.0, then real @openclaw/acpx@2026.5.12-beta.4; LanceDB and apache-arrow remained present and plugins listed cleanly

CI state at merge decision: PR head 7089af3a112bc6ca240ff12931420d16a1dfb908; broad GitHub CI was still pending/queued (mergeStateStatus=UNSTABLE), with no relevant completed failure observed. Known gap: not waiting for the full fanout to finish before landing.
