fix(plugins): keep derived metadata snapshots fresh

[vincentkoc]

Summary

• Problem: fix(plugins): keep plugin metadata memo fresh #81064 broadened plugin metadata memoization enough that derived discovery could stay stale when a new plugin was added under an existing load path.
• Solution: keep the existing persisted/provided metadata memo, but mark metadata snapshots with their registry source and refuse process-local reuse for derived snapshots.
• What changed: direct metadata snapshot memoization skips derived registries, and the runtime/current snapshot handoff clears instead of retaining derived metadata.
• What did NOT change (scope boundary): persisted/provided registry snapshots still use the existing process memo path.

Motivation

• Follow-up to fix(plugins): keep plugin metadata memo fresh #81064 review feedback: newly added source/workspace plugins should be discoverable in the same process when OpenClaw is using derived discovery because the persisted registry is missing, disabled, or stale.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Related fix(plugins): keep plugin metadata memo fresh #81064
• This PR fixes a bug or regression

Real behavior proof (required for external PRs)

• Behavior addressed: derived plugin metadata snapshots are no longer reused from process-local caches, so newly added plugins under configured discovery paths are not hidden until restart.
• Real environment tested: Blacksmith Testbox using .github/workflows/ci-check-testbox.yml.
• Exact steps or command run after this patch: node scripts/run-vitest.mjs src/plugins/plugin-metadata-snapshot.memo.test.ts src/plugins/current-plugin-metadata-snapshot.test.ts src/plugins/runtime/load-context.test.ts; pnpm check:changed; post-rebase git diff --check HEAD~1..HEAD.
• Evidence after fix: Testbox tbx_01ks5w6e7694ny1q42r85wmyyh passed targeted Vitest, 3 files / 39 tests, and pnpm check:changed; local post-rebase diff check passed.
• Observed result after fix: persisted/provided snapshots still memoize, while derived snapshots are reloaded and not retained by the runtime current-snapshot cache.
• What was not tested: a second post-rebase Testbox run on tbx_01ks6tcphf6yqqv3yjj5t9h96z failed during rsync file sync before commands ran; local Vitest was not usable because local dependencies were missing a native rolldown binding.
• Before evidence (optional but encouraged): review finding on fix(plugins): keep plugin metadata memo fresh #81064 identified stale derived discovery when adding plugins under an existing load path in the same process.

Root Cause (if applicable)

• Root cause: the metadata memo and runtime current-snapshot handoff treated derived registry snapshots as reusable even though their freshness set only covered plugins already present in the snapshot.
• Missing detection / guardrail: memo tests covered changed files for known plugins, but not newly added plugins under derived discovery or the runtime current-snapshot cache path.
• Contributing context (if known): fix(plugins): keep plugin metadata memo fresh #81064 optimized metadata snapshot reuse without carrying the registry source into the runtime cache decision.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/plugins/plugin-metadata-snapshot.memo.test.ts, src/plugins/current-plugin-metadata-snapshot.test.ts, src/plugins/runtime/load-context.test.ts.
• Scenario the test should lock in: derived registry snapshots are not memoized or installed as the reusable runtime current snapshot.
• Why this is the smallest reliable guardrail: the bug lived in process-local metadata reuse decisions, not plugin runtime execution.
• Existing test that already covers this (if any): persisted snapshot memo reuse remains covered by the existing memo test.
• If no new test is added, why not: N/A.

User-visible / Behavior Changes

Newly added plugins under derived discovery paths can be found without restarting the OpenClaw process.

Diagram (if applicable)

Before:
derived discovery -> metadata snapshot -> process cache/current snapshot -> later loads miss newly added plugins

After:
derived discovery -> metadata snapshot -> no process reuse -> later loads rescan discovery paths

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) No
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

• OS: Linux Testbox; local macOS diff sanity
• Runtime/container: OpenClaw repo Testbox check environment
• Model/provider: N/A
• Integration/channel (if any): plugin metadata discovery
• Relevant config (redacted): derived discovery path, persisted registry unavailable/stale/disabled

Steps

1. Load plugin metadata from a derived registry snapshot.
2. Add a new plugin under an existing configured load path.
3. Load plugin metadata again in the same process.

Expected

• The second load does not reuse the old derived metadata snapshot.

Actual

• Covered by regression tests: derived metadata snapshots are not memoized and are not stored as reusable current runtime snapshots.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: targeted metadata/runtime cache tests and pnpm check:changed on Testbox; post-rebase diff sanity locally.
• Edge cases checked: persisted memo reuse is preserved; derived snapshots from stale/missing/disabled/preferPersisted=false paths are not memoized.
• What you did not verify: full local Vitest due local dependency state; post-rebase Testbox rerun due rsync failure before command execution.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: derived discovery paths do more repeated metadata work than the broadened fix(plugins): keep plugin metadata memo fresh #81064 memo path.
  • Mitigation: persisted/provided snapshots still use the existing memo, and derived discovery is the correctness-sensitive fallback path.

[clawsweeper]

Codex review: needs maintainer review before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR marks plugin metadata snapshots with their registry source and stops reusing derived registry metadata through the process memo or runtime current-snapshot handoff, while keeping persisted/provided snapshot reuse.

Reproducibility: yes. source inspection gives a high-confidence reproduction path: current main can memoize policy-stale derived metadata and can retain metadata through the runtime current-snapshot handoff. I did not run tests because this review is read-only.

PR rating
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Summary: Solid small bug-fix PR with targeted proof and no blocking findings, with only normal maintainer landing gates remaining.

Rank-up moves:

• none

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (logs): The PR body includes after-fix Testbox proof for targeted metadata/runtime cache tests and changed checks; no contributor action is needed for this maintainer-authored PR.

Risk before merge

• Derived-discovery fallback paths will rescan more often; the PR preserves persisted/provided memoization, but there is no full performance proof in the available body.
• The PR body reports one successful Testbox run and a later post-rebase sync failure before commands ran, so maintainer landing should rely on the usual fresh gates before merge.

Maintainer options:

1. Decide the mitigation before merge
   Land this narrow cache-correctness fix after maintainer review, undrafting, and normal gates, keeping persisted/provided snapshots memoized while treating derived discovery as freshness-sensitive.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge
This is a maintainer-labeled draft with no discrete automation repair; maintainer review, fresh gates, and undrafting are the remaining actions.

Security
Cleared: The diff is limited to TypeScript plugin cache logic, focused tests, and a changelog line; it adds no dependency, workflow, secret, network, or execution-surface change.

Review details

Best possible solution:

Land this narrow cache-correctness fix after maintainer review, undrafting, and normal gates, keeping persisted/provided snapshots memoized while treating derived discovery as freshness-sensitive.

Do we have a high-confidence way to reproduce the issue?

Yes, source inspection gives a high-confidence reproduction path: current main can memoize policy-stale derived metadata and can retain metadata through the runtime current-snapshot handoff. I did not run tests because this review is read-only.

Is this the best way to solve the issue?

Yes. Carrying registrySource forward and refusing process-local reuse for derived snapshots is the narrow maintainable fix because it removes the stale freshness set while preserving persisted/provided memo paths.

Label changes:

• add P2: The PR fixes a bounded plugin discovery freshness regression without touching auth, messaging delivery, or core availability paths.
• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix Testbox proof for targeted metadata/runtime cache tests and changed checks; no contributor action is needed for this maintainer-authored PR.
• add rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🐚 platinum hermit, patch quality is 🐚 platinum hermit, and Solid small bug-fix PR with targeted proof and no blocking findings, with only normal maintainer landing gates remaining.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (logs): The PR body includes after-fix Testbox proof for targeted metadata/runtime cache tests and changed checks; no contributor action is needed for this maintainer-authored PR.

Label justifications:

• P2: The PR fixes a bounded plugin discovery freshness regression without touching auth, messaging delivery, or core availability paths.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🐚 platinum hermit, patch quality is 🐚 platinum hermit, and Solid small bug-fix PR with targeted proof and no blocking findings, with only normal maintainer landing gates remaining.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (logs): The PR body includes after-fix Testbox proof for targeted metadata/runtime cache tests and changed checks; no contributor action is needed for this maintainer-authored PR.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix Testbox proof for targeted metadata/runtime cache tests and changed checks; no contributor action is needed for this maintainer-authored PR.

What I checked:

• Current main still memoizes a derived stale-policy snapshot: On current main, canMemoizePluginMetadataSnapshotResult returns true for derived snapshots when all diagnostics are persisted-registry-stale-policy, which matches the stale derived-discovery path described by the PR. (src/plugins/plugin-metadata-snapshot.ts:767, ae4806ed9adf)
• Current main runtime handoff stores any metadata snapshot: resolvePluginRuntimeLoadContext stores metadataSnapshot through setCurrentPluginMetadataSnapshot without knowing whether it came from a derived registry source. (src/plugins/runtime/load-context.ts:97, ae4806ed9adf)
• Patch excludes derived snapshots from reuse: The PR adds isReusableCurrentPluginMetadataSnapshot, clears instead of storing derived snapshots, records registrySource on produced metadata snapshots, and changes canMemoizePluginMetadataSnapshotResult to require a non-derived source. (src/plugins/plugin-metadata-snapshot.ts:771, 36bca54a61a9)
• Patch covers the direct memo and runtime current-snapshot paths: The added tests assert policy-stale derived snapshots call the registry loader twice, derived snapshots are not retained as current snapshots, and runtime load context clears rather than stores derived metadata. (src/plugins/plugin-metadata-snapshot.memo.test.ts:257, 36bca54a61a9)
• Related regression provenance: The related merged change expanded plugin metadata snapshot memoization in commit 5734193, and this PR is a follow-up to that memoization behavior. (src/plugins/plugin-metadata-snapshot.ts:701, 5734193fdf00)
• Protected workflow state: The provided GitHub context marks this PR as authorAssociation MEMBER with the maintainer label and draft state, so conservative cleanup should not close it even if the patch looks correct.

Likely related people:

• Kaspre: Authored the merged plugin metadata memo freshness PR that this follow-up explicitly narrows for derived snapshots. (role: related regression source contributor; confidence: high; commits: 5734193fdf00; files: src/plugins/plugin-metadata-snapshot.ts, src/plugins/plugin-metadata-snapshot.memo.test.ts)
• Peter Steinberger: Git history shows multiple plugin metadata and plugin seam refactors in the same area before the memoization changes. (role: plugin metadata area contributor; confidence: medium; commits: 171b24c5c5b6, 471d056e2f0d, 8cb85ff85f29; files: src/plugins/plugin-metadata-snapshot.ts, src/plugins/plugin-metadata-snapshot.types.ts)
• Dallin Romney: Recently touched the runtime load-context path that now participates in the current metadata snapshot handoff. (role: recent adjacent contributor; confidence: medium; commits: dca9cecaeed9; files: src/plugins/runtime/load-context.ts, src/plugins/runtime/load-context.test.ts)
• Vincent Koc: Authored this focused follow-up and also appears in plugin metadata history through prior bundled metadata refresh work, so he is a reasonable routing candidate without relying solely on PR authorship. (role: current follow-up owner and adjacent plugin metadata contributor; confidence: medium; commits: 36bca54a61a9, 6fde26304611; files: src/plugins/plugin-metadata-snapshot.ts, src/plugins/current-plugin-metadata-snapshot.ts, src/plugins/runtime/load-context.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against ae4806ed9adf.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Sunspot Merge Sprite

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: hums during re-review.
Image traits: location status garden; accessory commit compass; palette seafoam, black, and opal; mood watchful; pose standing beside its cracked shell; shell paper lantern shell; lighting soft studio lighting; background small green status lights.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Sunspot Merge Sprite in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[vincentkoc]

Verification before merge:

• Testbox tbx_01ks5w6e7694ny1q42r85wmyyh: node scripts/run-vitest.mjs src/plugins/plugin-metadata-snapshot.memo.test.ts src/plugins/current-plugin-metadata-snapshot.test.ts src/plugins/runtime/load-context.test.ts passed, 3 files / 39 tests.
• Testbox tbx_01ks5w6e7694ny1q42r85wmyyh: pnpm check:changed passed.
• Local after rebase: git diff --check HEAD~1..HEAD passed.

Known proof gap:

• Post-rebase Testbox rerun on tbx_01ks6tcphf6yqqv3yjj5t9h96z failed during rsync sync before commands ran.
• Local Vitest was blocked by missing local rolldown native binding in shared node_modules.