build: suppress rolldown-plugin-dts CommonJS dts warnings from bundled zod locales

[RomneyDa]

Why not the more invasive fixes

Up front, here's why this PR only filters the warning instead of changing the build:

• Setting dts: false on the tsdown node build would remove rolldown-plugin-dts from the JS bundle pass entirely (tsdown.config.ts:nodeBuildConfig). It plausibly works because build:plugin-sdk:dts (tsgo) is what actually emits the dts files we ship, but it changes a behavior that's been in place since the tsdown migration. Any downstream step or tooling quietly relying on the tsdown-side dts emission would silently break — and a clean pnpm build confirms tsdown is emitting ~2k *.d.ts files into dist/ today, several of which are not the plugin-sdk surface, so the blast radius isn't obviously empty.
• Externalizing zod for the dts pass only is what the warning literally suggests, but tsdown's deps.alwaysBundle / deps.neverBundle / inputOptions.external apply uniformly to JS and dts. The JS path needs zod inlined per fix(build): bundle zod inline to fix pnpm global install resolution #78515 (otherwise globally-installed openclaw fails to resolve zod/* subpaths). There's no per-pass externalization knob on rolldown-plugin-dts, so doing this cleanly would require splitting the build into two graphs.

The warning is purely informational from the bundler's perspective — the dts output is still valid; rolldown-plugin-dts is just hedging on edge cases for export = ... style declarations. Filtering it matches the existing onLog pattern in this file for PLUGIN_TIMINGS, scoped UNRESOLVED_IMPORT, and the bottleneck/protobufjs EVAL warnings.

When/why it started

Two upstream changes combined:

1. 0496063264 (2026-05-10) bumped rolldown-plugin-dts 0.23.2 → 0.25.0.
2. 94ac563399 (2026-05-20) bumped 0.25.0 → 0.25.1, which is the version that introduced the new CommonJS dts syntax warning in rolldown-plugin-dts:fake-js (see isCjsDtsInputSyntax — fires on export = ... and import x = require(...)).

Combined with ea72414e1c / #78515, which added zod and zod/* to shouldAlwaysBundleDependency so the dts pass walks src/plugin-sdk/zod.ts → zod/v4/classic/external.d.cts → ../locales/index.cjs → every per-locale *.d.cts (all of which use export = _default), every full build now emits one warning per locale file.

Summary

• Extend isSuppressedLog in tsdown.config.ts to drop PLUGIN_WARNING logs from rolldown-plugin-dts:fake-js whose message contains uses CommonJS dts syntax. Other warnings from the same plugin still pass through.
• Add plugin?: string to the log type and two tests in src/infra/tsdown-config.test.ts (one that suppresses the zod-locale message, one that forwards an unrelated warning to the default handler).
• Changelog entry under Unreleased / Fixes.

Verification

Both runs in a clean Codex worktree on the rebased branch (post pnpm install --frozen-lockfile, so rolldown-plugin-dts@0.25.1 is on disk):

• Behavior addressed: pnpm build spam of (rolldown-plugin-dts:fake-js plugin) /…/zod/v4/locales/*.d.cts uses CommonJS dts syntax. …
• Real environment tested: local macOS Codex worktree, Node 22.22.0, pnpm 11.1.0
• Exact steps or command run after this patch:
  • rm -rf dist dist-runtime && OPENCLAW_BUILD_VERBOSE=1 node scripts/tsdown-build.mjs 2>&1 | grep -c "CommonJS dts" (verbose mode bypasses our onLog patch — reproduces upstream warnings)
  • rm -rf dist dist-runtime && node scripts/tsdown-build.mjs 2>&1 | grep -c "CommonJS dts" (normal build — filter active)
  • node scripts/run-vitest.mjs src/infra/tsdown-config.test.ts
  • node scripts/run-tsgo.mjs -p tsconfig.core.json --noEmit
  • node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.core.test.json --noEmit
  • node scripts/run-oxlint.mjs tsdown.config.ts src/infra/tsdown-config.test.ts
• Evidence after fix:
  • Verbose run (bypasses filter): 52 CommonJS dts lines emitted, sample (rolldown-plugin-dts:fake-js plugin) /…/zod/v4/locales/be.d.cts uses CommonJS dts syntax. …
  • Filtered run: 0 CommonJS dts lines; 4931 files in dist/ — build still succeeds end-to-end
  • Vitest: 15 passed / 15 in src/infra/tsdown-config.test.ts (13 existing + 2 new)
  • tsgo core + core-test: exit 0
  • oxlint: 0 warnings / 0 errors
• Observed result after fix: warnings gone from non-verbose pnpm build; legitimate other warnings remain reachable through the same onLog path.
• What was not tested: full pnpm build end-to-end past the tsdown step (postbuild, plugin-sdk:dts, etc.) — only the tsdown step is touched and only the log path changes; broader CI gates can confirm.

Test plan

• node scripts/run-vitest.mjs src/infra/tsdown-config.test.ts — passes
• Verbose vs filtered tsdown comparison shows 52 → 0
• tsgo core + core-test typecheck clean
• oxlint clean
• CI green

[clawsweeper]

Codex review: needs changes before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR adds a tsdown onLog filter for rolldown-plugin-dts:fake-js CommonJS-dts warnings, focused config tests, and a changelog entry.

Reproducibility: yes. with high confidence from source and contributor terminal proof. Current main bundles zod/*, the lockfile pins rolldown-plugin-dts@0.25.1, upstream warns on CommonJS declaration syntax, and the PR body reports a 52-to-0 warning comparison after the patch.

PR rating
Overall: 🦐 gold shrimp
Proof: 🦞 diamond lobster
Patch quality: 🦐 gold shrimp
Summary: The behavior proof is strong for the noisy build output, but patch confidence is capped by the overly broad warning suppression.

Rank-up moves:

• Restrict the suppression to normalized zod/v4/locales/*.d.cts warning paths.
• Add a regression test showing the same CommonJS-dts warning from a non-zod path is forwarded.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (terminal): The PR body provides terminal before/after tsdown warning counts plus focused test, typecheck, and lint results after the patch.

Risk before merge

• Normal build and CI logs would hide future non-zod CommonJS declaration warnings from rolldown-plugin-dts:fake-js, because the filter does not inspect the warning path.

Maintainer options:

1. Narrow the suppression before merge (recommended)
   Require the predicate to match the known zod locale declaration path and add a regression test proving a non-zod CommonJS-dts warning is forwarded.
2. Accept the broader warning class suppression
   Maintainers can intentionally hide every rolldown-plugin-dts:fake-js CommonJS-dts warning if they decide that whole warning class is non-actionable for this build graph.

Copy recommended automerge instruction

@clawsweeper automerge

Special instructions:
Restrict the rolldown-plugin-dts CommonJS-dts suppression to messages whose normalized path is under `zod/v4/locales/` and ends with `.d.cts`; add a regression test showing the same warning text from a non-zod path is forwarded.

Next step before merge
A focused repair can narrow the suppression predicate and add one regression test without a product decision.

Security
Cleared: The diff only changes build log filtering, focused tests, and changelog text; no concrete security or supply-chain regression was found.

Review findings

• [P2] Scope the dts warning filter to zod locales — tsdown.config.ts:92-96

Review details

Best possible solution:

Keep zod inlined, but suppress only normalized warning paths under zod/v4/locales/*.d.cts and keep same-message non-zod warnings visible.

Do we have a high-confidence way to reproduce the issue?

Yes, with high confidence from source and contributor terminal proof. Current main bundles zod/*, the lockfile pins rolldown-plugin-dts@0.25.1, upstream warns on CommonJS declaration syntax, and the PR body reports a 52-to-0 warning comparison after the patch.

Is this the best way to solve the issue?

No, not as written. Suppressing this known zod-locale warning is a reasonable direction, but the predicate should verify the declaration path so unrelated CommonJS-dts warnings remain visible.

Label justifications:

• P3: This is low-risk build-output cleanup with no runtime behavior change, though the log filter still needs a focused merge fix.
• merge-risk: 🚨 automation: The PR changes build-log filtering in a way that could hide future declaration-bundling warnings from normal build and CI output.
• rating: 🦐 gold shrimp: Current PR rating is 🦐 gold shrimp because proof is 🦞 diamond lobster, patch quality is 🦐 gold shrimp, and The behavior proof is strong for the noisy build output, but patch confidence is capped by the overly broad warning suppression.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (terminal): The PR body provides terminal before/after tsdown warning counts plus focused test, typecheck, and lint results after the patch.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body provides terminal before/after tsdown warning counts plus focused test, typecheck, and lint results after the patch.

Full review comments:

• [P2] Scope the dts warning filter to zod locales — tsdown.config.ts:92-96
  The predicate only checks the plugin name and warning text, so the same CommonJS-dts warning from any other declaration input would be hidden in normal builds. Since this PR is targeting zod locale noise, include the normalized zod/v4/locales/*.d.cts path in the check and add a non-zod same-message forwarding test.
  Confidence: 0.91

Overall correctness: patch is incorrect
Overall confidence: 0.9

Acceptance criteria:

• node scripts/run-vitest.mjs src/infra/tsdown-config.test.ts
• node scripts/run-tsgo.mjs -p tsconfig.core.json --noEmit
• node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.core.test.json --noEmit
• node scripts/run-oxlint.mjs tsdown.config.ts src/infra/tsdown-config.test.ts

What I checked:

• Current zod bundling contract: Current main intentionally bundles zod and zod/*, which is the build path that makes the zod locale declarations visible to the dts bundler. (tsdown.config.ts:185, 5c4c6a42071c)
• PR suppression predicate: The PR head suppresses based on PLUGIN_WARNING, plugin name, and message text only; it does not check whether the warning path is under zod/v4/locales/*.d.cts. (tsdown.config.ts:92, 476ac0f5562d)
• Focused tests miss same-message non-zod forwarding: The PR adds a zod-locale suppression test and a different-message forwarding test, but no regression test proving the same CommonJS-dts warning from a non-zod path remains visible. (src/infra/tsdown-config.test.ts:275, 476ac0f5562d)
• Upstream warning source: rolldown-plugin-dts@0.25.1 emits this warning from rolldown-plugin-dts:fake-js for any declaration input containing TSExportAssignment or external TSImportEqualsDeclaration; the upstream condition is not zod-specific.
• Zod locale declaration shape: zod@4.4.3 locale declarations such as v4/locales/ur.d.cts use export = _default, matching the upstream CommonJS-dts warning trigger.
• Relevant history: Commit ea72414e1c447bf65febd8c74cbb20857f1a057d added the intentional zod inline bundling, while 94ac563399b3ccca6984c90b71ec8bf7da380517 updated dependencies to the warning-emitting rolldown-plugin-dts@0.25.1. (tsdown.config.ts:185, ea72414e1c44)

Likely related people:

• ggzeng: Merged PR history shows commit ea72414e1c447bf65febd8c74cbb20857f1a057d added the intentional zod and zod/* inline bundling contract that this warning suppression must preserve. (role: zod bundling feature owner; confidence: high; commits: ea72414e1c44; files: tsdown.config.ts, src/infra/tsdown-config.test.ts, scripts/openclaw-npm-postpublish-verify.ts)
• steipete: The bounded history shows dependency refresh commits 049606326438a3f385180be3f90f2bb8d768235a and 94ac563399b3ccca6984c90b71ec8bf7da380517, including the rolldown-plugin-dts update that made the warning visible. (role: dependency update author; confidence: high; commits: 049606326438, 94ac563399b3; files: package.json, pnpm-lock.yaml)
• Ayaan Zaidi: Current-line blame in this checkout attributes the buildInputOptions and isSuppressedLog structure, plus the current tsdown config test file, to bbcac0019b11ce14c9b0a976549fae7c9827aa07. (role: recent area contributor; confidence: medium; commits: bbcac0019b11; files: tsdown.config.ts, src/infra/tsdown-config.test.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5c4c6a42071c.

[clawsweeper]

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.