Treat soft plugin repair warnings as nonfatal

[TurboTheTurtle]

Summary

• keep post-core plugin convergence warnings visible without making every warning fatal
• only block restart when repair reports failed plugin ids or payload smoke checks fail
• add regression coverage for soft repair warnings and failed repair ids

Fixes #83889.

Real behavior proof

Behavior or issue addressed:
Post-core plugin convergence treated any repair warning as errored: true, so a soft repair warning such as a beta fallback note could make the post-core update path report error even when no plugin repair failed and payload smoke checks passed.

Real environment tested:
Local OpenClaw worktree on macOS, Node from the Codex bundled runtime (v24.14.0). The runtime proof uses a standalone convergence harness that executes this PR's runPostCorePluginConvergence implementation with controlled repair/smoke inputs, so it exercises the post-core convergence decision path outside the Vitest runner.

Exact steps or command run after this patch:

PATH=/Users/andy/.cache/codex-runtimes/codex-primary-runtime/dependencies/node/bin:$PATH node node_modules/tsx/dist/cli.mjs /private/tmp/openclaw-84431-proof/current/proof.ts
PATH=/Users/andy/.cache/codex-runtimes/codex-primary-runtime/dependencies/node/bin:$PATH node scripts/run-vitest.mjs src/cli/update-cli/post-core-plugin-convergence.test.ts
PATH=/Users/andy/.cache/codex-runtimes/codex-primary-runtime/dependencies/node/bin:$PATH node scripts/run-vitest.mjs src/commands/doctor/shared/missing-configured-plugin-install.test.ts src/plugins/update.test.ts
git diff --check

Evidence after fix:

scenario=soft
warnings=1
warning0=Plugin "demo" has no beta npm release for @openclaw/demo@beta; using @openclaw/demo instead. Core update can still complete.
smokeFailures=0
convergenceErrored=false
foldedErrored=false
wouldPostUpdateStatus=warning
---
scenario=hard
warnings=1
warning0=Failed to install missing configured plugin "demo" from @openclaw/demo: network unavailable.
smokeFailures=0
convergenceErrored=true
foldedErrored=true
wouldPostUpdateStatus=error
---

src/cli/update-cli/post-core-plugin-convergence.test.ts: Test Files 1 passed (1), Tests 15 passed (15)
src/commands/doctor/shared/missing-configured-plugin-install.test.ts src/plugins/update.test.ts: Test Files 2 passed (2), Tests 137 passed (137)
git diff --check: passed with no output

Observed result after fix:
A convergence run with only a nonfatal repair warning now preserves the warning but returns convergenceErrored=false, folds to foldedErrored=false, and would surface post-update plugin status as warning rather than error. A convergence run with failedPluginIds still returns convergenceErrored=true, folds to foldedErrored=true, and would surface status as error. Payload smoke-check failures remain fatal through the existing smoke-failure branch and tests.

What was not tested:
No live package-manager update, package swap, or gateway restart was performed; this proof verifies the post-core convergence decision behavior that controls whether warnings block the restart path.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 31, 2026, 4:16 PM ET / 20:16 UTC.

Summary
The PR changes post-core plugin convergence to keep repair warnings visible while only failed repair IDs or payload smoke failures make convergence errored, and adds focused tests.

PR surface: Source 0, Tests +23. Total +23 across 2 files.

Reproducibility: yes. Current main still keys convergence failure off warnings.length > 0, and a focused mocked convergence path with repair warnings but no failedPluginIds or smoke failures reproduces the bad error state from source.

Review metrics: none identified.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P2] Maintainers should either accept the convergence-only proof gap or request one live package-manager update plus gateway restart smoke before merge.

Risk before merge

• [P1] No live package-manager update plus gateway restart proof was supplied; the proof exercises the convergence decision path directly rather than the full upgrade path.
• [P1] After merge, repair warnings without failedPluginIds or payload smoke failures will no longer block restart, so maintainers should explicitly accept that those two hard-failure signals cover the unsafe restart cases.

Maintainer options:

1. Accept Targeted Convergence Proof (recommended)
   Merge after current-head required checks if maintainers accept that the supplied proof covers the convergence decision path rather than a live package swap and gateway restart.
2. Request Live Update Smoke
   Ask for one live package-manager update plus gateway restart proof showing a soft fallback warning reports warning status while failed repair IDs or smoke failures still block.

Next step before merge

• [P2] No repair lane is needed; the focused branch is reviewable and the remaining action is maintainer acceptance or additional live upgrade proof.

Security
Cleared: The diff only changes a convergence boolean and colocated tests; it does not touch dependencies, workflows, credentials, package resolution, or other security-sensitive surfaces.

Review details

Best possible solution:

Merge the scoped convergence gate and regression tests once maintainers are satisfied that soft fallback warnings remain warning-only and hard repair or payload failures still block restart.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main still keys convergence failure off warnings.length > 0, and a focused mocked convergence path with repair warnings but no failedPluginIds or smoke failures reproduces the bad error state from source.

Is this the best way to solve the issue?

Yes. The narrowest maintainable fix is to use the existing failedPluginIds repair contract plus payload smoke failures as the fatal signals, while leaving soft warnings visible to the caller.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 80b7f5660354.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body provides after-fix live output from a standalone convergence harness plus targeted test output for soft and hard scenarios; the remaining full upgrade/restart gap is tracked as merge risk, not missing proof.

Label justifications:

• P2: This is a normal-priority CLI/plugin update bugfix with limited blast radius but real post-update restart impact.
• merge-risk: 🚨 availability: The PR changes when post-core plugin convergence blocks restart, so a missed hard-failure classification could affect gateway availability after update.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body provides after-fix live output from a standalone convergence harness plus targeted test output for soft and hard scenarios; the remaining full upgrade/restart gap is tracked as merge risk, not missing proof.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body provides after-fix live output from a standalone convergence harness plus targeted test output for soft and hard scenarios; the remaining full upgrade/restart gap is tracked as merge risk, not missing proof.

Evidence reviewed

PR surface:

Source 0, Tests +23. Total +23 across 2 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	1	1	0
Tests	1	24	1	+23
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	2	25	2	+23

What I checked:

• Current main still has the reported behavior: At current main, runPostCorePluginConvergence returns errored based on warnings.length > 0, so a soft repair warning is still promoted to an error. (src/cli/update-cli/post-core-plugin-convergence.ts:158, 80b7f5660354)
• PR changes the fatality gate narrowly: The branch changes the errored expression to repair.failedPluginIds or smoke.failures, leaving warnings in the result without making every warning fatal. (src/cli/update-cli/post-core-plugin-convergence.ts:158, a8aee1b57617)
• Focused regression coverage added: The PR adds one soft-warning test expecting errored=false and one failedPluginIds test expecting errored=true, preserving the hard-failure path. (src/cli/update-cli/post-core-plugin-convergence.test.ts:278, a8aee1b57617)
• Repair contract distinguishes failed plugin IDs: repairMissingConfiguredPluginInstalls exposes failedPluginIds and populates it when update outcomes or install candidates fail, which gives the convergence layer a hard-failure signal separate from warnings. (src/commands/doctor/shared/missing-configured-plugin-install.ts:1140, 80b7f5660354)
• Caller maps convergence error to update status: update-command folds convergence warnings into user-visible warnings and uses convergenceFolded.errored as the post-core status error gate, so this one boolean controls whether warnings block the post-update restart path. (src/cli/update-cli/update-command.ts:1812, 80b7f5660354)
• Latest release still has the old gate: The latest release tag v2026.5.28 points at e932160 and still contains errored: warnings.length > 0, so this PR is not already shipped. (src/cli/update-cli/post-core-plugin-convergence.ts:158, e93216080aa1)

Likely related people:

• steipete: git blame and file history attribute the current post-core convergence implementation and failedPluginIds contract to Peter Steinberger's 3bac0bc commit. (role: introduced current convergence path; confidence: high; commits: 3bac0bcbfb20; files: src/cli/update-cli/post-core-plugin-convergence.ts, src/commands/doctor/shared/missing-configured-plugin-install.ts, src/cli/update-cli/update-command.ts)
• vincentkoc: Recent history for the update-cli surface includes Vincent Koc's a24af49 commit on post-update plugin refresh behavior, which is adjacent to this convergence gate. (role: recent adjacent update-cli contributor; confidence: medium; commits: a24af4910018; files: src/cli/update-cli/update-command.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 💎 rare Brave Shellbean

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 💎 rare.
Trait: sparkles near resolved comments.
Image traits: location review cove; accessory shell-shaped keyboard; palette amber, ink, and glacier blue; mood curious; pose peeking out from the egg shell; shell soft speckled shell; lighting soft studio lighting; background gentle dashboard dots.
Share on X: post this hatch
Copy: My PR egg hatched a 💎 rare Brave Shellbean in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[TurboTheTurtle]

Added a standalone convergence runtime proof to the PR body.

It runs this PR's runPostCorePluginConvergence implementation outside the Vitest runner and shows:

scenario=soft
warnings=1
smokeFailures=0
convergenceErrored=false
foldedErrored=false
wouldPostUpdateStatus=warning
---
scenario=hard
warnings=1
smokeFailures=0
convergenceErrored=true
foldedErrored=true
wouldPostUpdateStatus=error

So warning-only convergence stays visible as a warning without blocking, while failedPluginIds still blocks as an error.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26141347468
• Updated: 2026-05-20T04:36:43.803Z

[TurboTheTurtle]

Rebased this branch onto current upstream/main to resolve the merge conflict.\n\nConflict resolution: kept the upstream stale bundled-plugin shadow pruning coverage and preserved this PR's warning-only/nonfatal convergence behavior plus failedPluginIds hard-failure coverage.\n\nValidation:\n- npm run test -- src/cli/update-cli/post-core-plugin-convergence.test.ts\n- git diff --check\n\nAuthor check before push:\n\ntext\n2fee6bc2fd Andy Ye <35905412+TurboTheTurtle@users.noreply.github.com> Treat soft plugin repair warnings as nonfatal\n\n\nRaw Pulls API still reports maintainer_can_modify: true.\n\n@clawsweeper re-review

[RomneyDa]

Heads up: this PR needs to be updated against current main before the new required Dependency Guard check can pass.

[steipete]

Reviewed and reworked for current main.

Proof:

• Rebased onto current main and pushed exact head eb64f3c.
• Focused local test: node scripts/run-vitest.mjs src/cli/update-cli/post-core-plugin-convergence.test.ts src/commands/doctor/shared/missing-configured-plugin-install.test.ts
• Autoreview: /Users/steipete/Projects/agent-scripts/skills/autoreview/scripts/autoreview --mode auto --base origin/main; clean after fixing the accepted finding.
• GitHub CI on exact head: 131 passing checks including build-artifacts, check-prod-types, check-test-types, check-lint, check-shrinkwrap, plugin boundary lanes, CodeQL high-signal lanes, Real behavior proof, and dependency guard.

Best-fix verdict: best. The update path now treats repair warnings as nonfatal, but still blocks failures for active/effective/trusted plugin records that the gateway can actually load.