fix(plugins): preserve host package during peer repair

[vincentkoc]

Summary

• preserve linked active openclaw host packages while scrubbing stale managed-root package/lock/bin ownership metadata
• add a stable plugins/hook-runner-global dist entry plus the hook-runner-global-B8rMIo8I.js legacy alias for package-swap shutdown compatibility
• guard Telegram reconnect delivery drains when a test/minimal bot starts without a runtime config, fixing the current extension typecheck blocker exposed by the changed gate
• add changelog credit for [Bug]: 2026.5.7 @openclaw/codex missing openclaw peer link plus stale NODE_PATH causes hook stalls and password_missing #79462 and [Bug]: Unable to resolve bundled plugin public surface speech-core/runtime-api.js #81819 reporters

Verification

• OPENCLAW_VITEST_FS_MODULE_CACHE_PATH="$PWD/.vitest-cache-package-atomicity" node scripts/run-vitest.mjs src/infra/npm-managed-root.test.ts test/scripts/runtime-postbuild.test.ts src/infra/tsdown-config.test.ts extensions/telegram/src/polling-session.test.ts (4 files, 77 tests passed)
• git diff --check origin/main...HEAD
• Crabbox fresh PR checkout run_9d948db51781 on cbx_24f1a9cbc577: pnpm check:changed passed, then pnpm build passed on the pre-rebase code head; final head only rebased the changelog over newer main, and GitHub CI is running on e1d8093eda30db4caec148670080dbe31cb68e7e

Behavior addressed: managed plugin installs no longer let npm uninstall or replace a linked npm-global openclaw host package; running gateways can resolve the shutdown hook-runner chunk after package swaps.
Real environment tested: fresh Linux PR checkout via Crabbox on cbx_24f1a9cbc577.
Exact steps or command run after this patch: env CI=1 NODE_OPTIONS=--max-old-space-size=4096 OPENCLAW_TEST_PROJECTS_PARALLEL=6 OPENCLAW_VITEST_MAX_WORKERS=1 OPENCLAW_VITEST_NO_OUTPUT_TIMEOUT_MS=900000 pnpm check:changed; pnpm build.
Evidence after fix: Crabbox run run_9d948db51781 completed with exit code 0; command phases: check_changed 3m12s, build 54s.
Observed result after fix: linked active host packages are preserved while stale managed metadata is removed; runtime postbuild writes the legacy hook-runner alias to the new stable plugin entry; changed gate and build pass from a full fresh PR checkout.
What was not tested: live npm-global package upgrade against a real user home directory; covered here by unit-level filesystem reproduction plus package/build gates.

Fixes #79462.
Fixes #81819.

[clawsweeper]

Codex review: needs maintainer review before merge.

Summary
The PR preserves linked active openclaw host packages during managed peer repair, adds a stable hook-runner dist entry and legacy alias, guards a Telegram reconnect drain without config, and updates focused tests/changelog.

Reproducibility: yes. at source level: current main returns before scrubbing stale managed-root openclaw metadata when the active host is present as a symlink, and current main lacks the stable hook-runner dist entry plus beta.8 legacy alias. I did not perform a live npm-global package-swap reproduction in this read-only review.

Real behavior proof
Not applicable: The external contributor proof gate does not apply to this member-authored, maintainer-labeled PR; the body nevertheless reports Crabbox fresh-checkout check:changed and build proof.

Next step before merge
No ClawSweeper repair lane is needed: this active protected PR has no actionable review finding for automation, so normal CI and maintainer merge handling are the next steps.

Security
Cleared: No concrete security or supply-chain regression was found; the diff adds no dependencies, workflow permissions, secret handling, or downloaded code execution.

Review details

Best possible solution:

Land this PR after required CI and maintainer approval, keeping the fix scoped to managed-root metadata cleanup, stable runtime aliasing, and the narrow Telegram no-config guard.

Do we have a high-confidence way to reproduce the issue?

Yes at source level: current main returns before scrubbing stale managed-root openclaw metadata when the active host is present as a symlink, and current main lacks the stable hook-runner dist entry plus beta.8 legacy alias. I did not perform a live npm-global package-swap reproduction in this read-only review.

Is this the best way to solve the issue?

Yes: the PR uses the existing scrub path but adds a narrow preserve-package-dir mode for linked active hosts, and the hook-runner alias follows the established stable-runtime compatibility pattern. I found no safer narrower fix in the inspected code path.

What I checked:

• Protected PR state: The provided GitHub context marks the author association as MEMBER, and live PR metadata shows the PR is open, mergeable, and labeled maintainer, scripts, channel: telegram, and size: M; this cleanup workflow should not close it. (fcbca2d3fac5)
• Current-main managed-root behavior: Current main treats any managed node_modules/openclaw realpath matching the active package root as the active host and returns before metadata scrub, which also covers a symlinked active host. (src/infra/npm-managed-root.ts:761, 3064d6181d18)
• Current-main scrub behavior: The existing scrub helper removes manifest/lock ownership and then deletes node_modules/openclaw, so using it unchanged on a linked active host would remove the host link. (src/infra/npm-managed-root.ts:946, 3064d6181d18)
• PR managed-root fix: The PR distinguishes managed-active-host from linked-active-host, preserves the linked package directory, and scrubs only stale managed-root ownership metadata for linked hosts. (src/infra/npm-managed-root.ts:761, fcbca2d3fac5)
• PR regression coverage: The PR adds a filesystem regression test that creates a symlinked active host plus stale manifest, lockfile, hidden lock, and bin ownership metadata, then asserts the symlink survives while stale metadata is removed and npm is not invoked. (src/infra/npm-managed-root.test.ts:919, fcbca2d3fac5)
• Current-main runtime compatibility gap: Current main has legacy root runtime aliases for earlier shutdown chunks and a stable server-close.runtime entry, but no stable plugins/hook-runner-global dist entry or beta.8 hook-runner alias. (scripts/runtime-postbuild.mjs:26, 3064d6181d18)

Likely related people:

• steipete: Recent current-main history shows work on managed npm peer repair, legacy lazy runtime aliases, and the Telegram reconnect drain code path touched here. (role: recent area contributor; confidence: high; commits: d9ff8cfb012e, 88943e14f92e, 7270bb95b70e; files: src/infra/npm-managed-root.ts, scripts/runtime-postbuild.mjs, extensions/telegram/src/polling-session.ts)
• shakkernerd: GitHub file history shows several recent commits in the managed npm root peer preservation and repair path. (role: recent managed npm peer repair contributor; confidence: high; commits: 402b0df3b675, f4cb20300f6b, 6e5042cd62e7; files: src/infra/npm-managed-root.ts)
• vincentkoc: Current-main history includes prior managed npm and dist graph work, and this PR head owns the proposed package repair and runtime alias changes. (role: adjacent area contributor and current PR author; confidence: high; commits: 3ba2ce6694d2, 5d557171b3cd, 1b7755311584; files: src/infra/npm-managed-root.ts, tsdown.config.ts, scripts/runtime-postbuild.mjs)

Remaining risk / open question:

• I did not run tests or build commands because this review is read-only; the PR body reports focused Vitest coverage, git diff --check, Crabbox pnpm check:changed, and pnpm build proof.
• The PR body notes that a live npm-global package upgrade against a real user home directory was not tested.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 3064d6181d18.

[vincentkoc]

Verification before merge:

• Final PR head: 127bde8
• Exact-head GitHub checks: 114/114 completed, 0 failures, merge state CLEAN
• Focused local Vitest: OPENCLAW_VITEST_FS_MODULE_CACHE_PATH=.vitest-cache-package-atomicity-final node scripts/run-vitest.mjs src/infra/npm-managed-root.test.ts test/scripts/runtime-postbuild.test.ts src/infra/tsdown-config.test.ts extensions/telegram/src/polling-session.test.ts src/image-generation/image-assets.test.ts extensions/openrouter/image-generation-provider.test.ts -> 6 files, 95 tests passed
• Focused lint/type repair proof: node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.core.json src/image-generation/image-assets.ts; node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.extensions.json extensions/openrouter/image-generation-provider.ts; node scripts/run-tsgo.mjs -p tsconfig.core.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core-package-atomicity.tsbuildinfo; node scripts/run-tsgo.mjs -p tsconfig.extensions.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/extensions-package-atomicity.tsbuildinfo
• Package/runtime proof before the final clean rebase: Crabbox run_db90bd167907 passed tarball/global/plugin-pin smoke for the managed peer symlink path; run_73d79c2f5e3d passed root-managed-vps-upgrade; run_36d2ad06254e passed update_restart_auth

Known proof note: the Crabbox package/runtime proof was on the same code line before the final clean rebase; the final head also has exact-head GitHub CI green.