perf: speed up secrets and nodes help startup

[frankekn]

Summary

• add launcher, entry, and run-main precomputed help fast paths for secrets --help and nodes --help
• generate secrets/nodes parent help in startup metadata while preserving plugin-sensitive nodes help fallback
• lazy-load secrets action runtime modules behind action handlers

Root Cause

Parent help was taking the normal command-registration path, which eagerly loaded action/runtime-heavy secrets and nodes modules even though parent help only needs static command metadata.

Startup Bench

• secrets --help: 800.6ms / 337.6MB RSS -> 23.8ms / 46.8MB RSS
• nodes --help: 923.5ms / 344.7MB RSS -> 28.3ms / 46.7MB RSS

Verification

• OPENCLAW_HEAVY_CHECK_LOCK_SCOPE=worktree pnpm test src/entry.test.ts src/cli/run-main.test.ts src/cli/run-main.exit.test.ts src/cli/help-cold-imports.test.ts test/scripts/write-cli-startup-metadata.test.ts src/cli/secrets-cli.test.ts src/cli/nodes-cli.coverage.test.ts src/cli/program/register.subclis.test.ts test/openclaw-launcher.e2e.test.ts -- --reporter=default
• OPENCLAW_HEAVY_CHECK_LOCK_SCOPE=worktree pnpm build
• OPENCLAW_HEAVY_CHECK_LOCK_SCOPE=worktree pnpm tsgo
• OPENCLAW_HEAVY_CHECK_LOCK_SCOPE=worktree pnpm test:startup:bench -- --case secretsHelp --case nodesHelp --runs 3 --warmup 1 --json --output .artifacts/perf-secrets-nodes-help-after.json

Review

• gstack Codex review found 2 P2 issues in the first pass; both were fixed
• rerun review was clean

[clawsweeper]

Codex review: needs maintainer review before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The branch adds precomputed secrets --help and nodes --help fast paths across the launcher, entry, run-main, startup metadata generation, and secrets runtime imports, with focused CLI tests and a changelog entry.

Reproducibility: not applicable. this is a performance PR, not a bug report with a failing current-main reproduction. The PR body provides before/after benchmark commands, and source inspection confirms the affected help path is startup/metadata routing.

PR rating
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Summary: The patch is a focused, normally mergeable CLI performance change after maintainer conflict resolution and exact-head validation.

Rank-up moves:

• Resolve the CHANGELOG.md conflict against current main.
• Rerun the listed exact-head build, tsgo, focused CLI tests, and startup benchmark after the conflict resolution.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: This maintainer-member PR is not gated on external contributor real behavior proof; the PR body lists benchmark and verification commands, but this read-only review did not execute them.

Risk before merge

• Current main and the PR head conflict in CHANGELOG.md, so the branch is not directly mergeable until rebased or the changelog entry is resolved.
• This changes launcher, entry, run-main, and generated CLI startup metadata behavior; merge should stay tied to exact-head build, type, focused CLI tests, and startup-benchmark proof so packaged help output cannot drift silently.

Maintainer options:

1. Resolve conflict and merge with exact-head proof (recommended)
   Resolve the current CHANGELOG.md conflict, rerun build, tsgo, focused CLI tests, and the startup benchmark on the final head, then merge if those checks stay green.
2. Pause if metadata proof is unavailable
   If the final head cannot exercise metadata generation and launcher/entry fast paths, pause merge until a maintainer can inspect CI artifacts or rerun the listed validation.

Next step before merge
No ClawSweeper repair lane is needed; the remaining work is maintainer-owned conflict resolution and exact-head merge validation.

Security
Cleared: The diff lazy-loads existing secrets runtime modules and changes CLI help metadata paths without adding dependencies, broadening credential access, or changing secret execution policy.

Review details

Best possible solution:

Resolve the current changelog conflict, then land the fast path after exact-head validation confirms metadata generation, launcher bypass, entry fallback, and plugin-sensitive nodes help behavior.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a performance PR, not a bug report with a failing current-main reproduction. The PR body provides before/after benchmark commands, and source inspection confirms the affected help path is startup/metadata routing.

Is this the best way to solve the issue?

Yes: reusing the existing precomputed help metadata architecture is the right fit, and the nodes path preserves the plugin-sensitive fallback. The remaining issue is merge readiness, not a different implementation approach.

Label justifications:

• P2: This is a normal-priority CLI performance improvement with limited blast radius but user-visible startup behavior.
• merge-risk: 🚨 automation: The PR changes generated startup metadata and launcher/entry fast paths, where stale or unvalidated artifacts can break packaged CLI help outside normal unit coverage.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🌊 off-meta tidepool, patch quality is 🐚 platinum hermit, and The patch is a focused, normally mergeable CLI performance change after maintainer conflict resolution and exact-head validation.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This maintainer-member PR is not gated on external contributor real behavior proof; the PR body lists benchmark and verification commands, but this read-only review did not execute them.

What I checked:

• Protected maintainer routing: The provided GitHub context shows author association MEMBER and the protected maintainer label, so this PR should stay open for explicit maintainer handling rather than cleanup close.
• Entry fast path implementation: The PR adds tryHandlePrecomputedCommandHelpFastPath, limits it to parent browser, secrets, and nodes help, respects the kill switch/container target, and defers nodes when live plugin-sensitive help is required. (src/entry.ts:226, 99302535a2ba)
• Run-main fallback path: The runtime path now outputs precomputed secrets help directly and checks plugin-sensitive live options before using precomputed nodes help, then falls through to normal program construction if metadata is unavailable. (src/cli/run-main.ts:563, 99302535a2ba)
• Metadata generation coverage: The PR adds source signatures for secrets and nodes help, includes canvas/plugin command sources for nodes invalidation, and renders command help with the startup fast path disabled. (scripts/write-cli-startup-metadata.ts:106, 99302535a2ba)
• Launcher regression coverage: The PR adds launcher tests proving browser/secrets/nodes precomputed help can bypass the runtime entry and that nodes help defers when plugin config can affect command metadata. (test/openclaw-launcher.e2e.test.ts:224, 99302535a2ba)
• Current-main merge state: A read-only merge-tree simulation against current main reports a CHANGELOG.md conflict, while the code files merge cleanly. (CHANGELOG.md:17, 4a360ac1cc18)

Likely related people:

• frankekn: The adjacent merged CLI help startup fast path for setup/onboard/configure was authored by Frank Yang and this PR extends the same run-main policy shape. (role: recent area contributor; confidence: high; commits: 2c0c9c92f485; files: src/cli/run-main.ts, src/cli/run-main-policy.ts)
• steipete: Blame in this checkout attributes the base launcher, run-main policy, and startup metadata script surface to commit 2e389b6a46, making Peter a useful routing candidate for architecture review. (role: introduced current startup/help surface in checked-out history; confidence: medium; commits: 2e389b6a46a0; files: openclaw.mjs, src/entry.ts, src/cli/run-main.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 4a360ac1cc18.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Clockwork Review Wisp

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: collects tiny proofs.
Image traits: location artifact grotto; accessory proof snapshot camera; palette amber, ink, and glacier blue; mood focused; pose pointing at a small proof artifact; shell starlit enamel shell; lighting soft underwater shimmer; background quiet workflow signs.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Clockwork Review Wisp in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[frankekn]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26211578027
• Updated: 2026-05-21T07:27:59.802Z

[frankekn]

Merged via squash.

• Prepared head SHA: d65ae1bd58c6dbe0b872102b9e6b81337f17c072
• Merge commit: 233765b361050c4edb4c6e53d4f1ae122c5390bd

Thanks @frankekn!