
Pin official npm plugin install records#88585

Merged: steipete merged 28 commits into openclaw:main from zhuisDEV:codex/pin-official-npm-install-records on Jun 4, 2026

Conversation

zhuisDEV (Contributor) commented May 31, 2026

Summary

  • Persist exact npm registry resolvedSpec values into managed official plugin install records instead of rewriting them back to bare catalog specs after successful installs/updates.
  • Keep third-party moving npm specs unchanged so the trust audit still warns on user-authored unpinned records.
  • Let openclaw plugins update resolve official plugins through the official catalog, so exact-pinned official records can still update.
  • Treat equivalent legacy bare-vs-exact official npm install records as the same resolved artifact during state migration, while still warning on truly conflicting resolved versions.

Real behavior proof

Behavior addressed: openclaw update / managed official plugin update paths can rewrite official npm plugin records such as acpx, codex, and discord back to bare specs like @openclaw/codex, causing openclaw status --deep to report WARN Plugin index includes unpinned npm specs even though the installed npm payload and lockfile are versioned.

Real environment tested: reporter's macOS global install at /opt/homebrew/bin/openclaw with Node v25.8.1. I applied this PR behavior as a local patch to the unpacked global package, then ran the official plugin update path for acpx, codex, and discord.

Exact steps or command run after this patch:

/opt/homebrew/bin/openclaw plugins update acpx
/opt/homebrew/bin/openclaw plugins update codex
/opt/homebrew/bin/openclaw plugins update discord
/opt/homebrew/bin/openclaw status --deep

Evidence after fix:

Before applying the PR behavior, openclaw status --deep shows the false-positive plugin warning for bare official npm specs:

Before applying PR patch: unpinned official npm plugin warning

After the patched writer rewrote the official records to exact specs, openclaw status --deep no longer reports WARN Plugin index includes unpinned npm specs:

After applying PR patch: plugin warning gone

Observed result after fix: the patched managed official plugin update path rewrote ~/.openclaw/plugins/installs.json to exact official specs @openclaw/acpx@2026.5.28, @openclaw/codex@2026.5.28, and @openclaw/discord@2026.5.28. The follow-up openclaw status --deep security audit summary changed from 0 critical · 4 warn · 1 info with WARN Plugin index includes unpinned npm specs to 0 critical · 3 warn · 1 info with that plugin warning gone.

What was not tested: I did not publish a release package from this branch. The after screenshot comes from patching the reporter's existing global install in place to exercise the same managed official plugin writer paths before release.

Verification

  • node scripts/run-vitest.mjs src/plugins/installs.test.ts src/plugins/update.test.ts src/commands/doctor/shared/missing-configured-plugin-install.test.ts src/commands/onboarding-plugin-install.test.ts
  • node scripts/run-vitest.mjs src/commands/doctor-state-migrations.test.ts
  • node scripts/run-vitest.mjs src/plugins/installs.test.ts src/plugins/update.test.ts src/commands/doctor/shared/missing-configured-plugin-install.test.ts src/commands/onboarding-plugin-install.test.ts src/commands/doctor-state-migrations.test.ts
  • pnpm exec oxfmt --check --threads=1 src/infra/state-migrations.ts src/commands/doctor-state-migrations.test.ts
  • node scripts/run-oxlint.mjs src/infra/state-migrations.ts src/commands/doctor-state-migrations.test.ts
  • scoped pnpm format:check and scoped node scripts/run-oxlint.mjs for the original install/update patch files
  • git diff --check

@openclaw-barnacle openclaw-barnacle Bot added cli CLI command changes commands Command implementations size: M proof: supplied External PR includes structured after-fix real behavior proof. labels May 31, 2026
clawsweeper Bot (Contributor) commented May 31, 2026

Codex review: needs maintainer review before merge. Reviewed June 3, 2026, 8:43 PM ET / 00:43 UTC.

Summary
The PR changes official npm plugin install/update, onboarding, and doctor repair paths so managed official npm plugin records persist exact resolved specs while manual pins and third-party moving specs remain unchanged.

PR surface: Source +292, Tests +692. Total +984 across 10 files.

Reproducibility: yes, with high confidence from source and supplied CLI proof, though I did not run the CLI locally. Current main can persist bare official npm specs that the security audit reports as unpinned, and the PR proof shows the warning disappearing after exact records are written.

Review metrics: 2 noteworthy metrics.

  • Install-record writer policy: 3 writer paths changed. Update, onboarding, and doctor repair now decide when managed official npm records persist exact resolved specs, which is the compatibility-sensitive behavior under review.
  • Npm fallback metadata lookup: 1 registry versions query added. Fallback integrity decisions now use npm view <package> versions --json, so maintainers should notice the added external metadata read before merge.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster ✨ media proof bonus
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P2] Refresh GitHub mergeability and required checks at the latest head before landing.
  • Optionally run one live official plugin update smoke on the latest head if maintainers want release-package confidence.

Risk before merge

  • [P1] This changes persisted machine-managed plugin install records across update, onboarding, and doctor repair paths, so upgrade behavior for existing SQLite and legacy install records remains compatibility-sensitive even with focused tests.
  • [P2] The patch changes official-plugin trust and integrity fallback decisions and adds an npm versions metadata lookup; no bypass was found, but this is still a security-boundary merge surface.
  • [P1] The provided GitHub context reports dirty mergeability while local merge-tree proof was clean, so maintainers should refresh GitHub mergeability or rebase if the platform still blocks merge.

Maintainer options:

  1. Land with existing focused proof (recommended)
    Maintainers can accept the compatibility and trust-boundary risk because the PR has targeted regression tests, before/after CLI proof, CI proof in discussion, and no blocking code findings.
  2. Run one live update smoke first
    If maintainers want extra confidence, run a real official plugin update plus openclaw status --deep against the latest head or release package before merge.
  3. Pause for install-record policy review
    Pause only if maintainers want to reconsider whether managed official records should be auto-pinned instead of leaving the current audit warning behavior.

Next step before merge

  • No automated repair is needed; the remaining action is maintainer landing judgment for a compatibility- and security-sensitive plugin install metadata change.

Security
Cleared: The diff touches supply-chain-sensitive plugin install metadata and integrity paths, but I found no concrete security regression or new third-party code execution surface.

Review details

Best possible solution:

Land this PR after a final mergeability and CI refresh, keeping the exact-spec record writer behavior rather than weakening the security audit to ignore managed official bare specs.

Do we have a high-confidence way to reproduce the issue?

Yes, with high confidence from source and supplied CLI proof, though I did not run the CLI locally. Current main can persist bare official npm specs that the security audit reports as unpinned, and the PR proof shows the warning disappearing after exact records are written.

Is this the best way to solve the issue?

Yes, this is the right layer: the managed record writers caused the warning, and fixing them preserves the audit for third-party moving specs. The weaker alternative would be audit-side special casing, which would hide an unpinned record instead of making the managed state exact.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against f6aa2c02d1c7.

Label changes:

  • add proof: sufficient: Contributor real behavior proof is sufficient. The PR supplies before/after CLI screenshots and exact commands showing the user-visible status --deep warning removed after patched official plugin updates; the remaining gap is only no release-package smoke for latest head.
  • add proof: 📸 screenshot: Contributor real behavior proof includes screenshot evidence. The PR supplies before/after CLI screenshots and exact commands showing the user-visible status --deep warning removed after patched official plugin updates; the remaining gap is only no release-package smoke for latest head.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (screenshot): The PR supplies before/after CLI screenshots and exact commands showing the user-visible status --deep warning removed after patched official plugin updates; the remaining gap is only no release-package smoke for latest head.
  • remove rating: 🌊 off-meta tidepool: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.

Label justifications:

  • P2: The PR fixes a normal-priority plugin install/update correctness issue with limited blast radius but meaningful security-audit impact.
  • merge-risk: 🚨 compatibility: Persisted plugin install records and upgrade/migration behavior can affect existing users after update.
  • merge-risk: 🚨 security-boundary: The diff changes trusted official npm install provenance, exact pinning, and integrity drift decision paths.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (screenshot): The PR supplies before/after CLI screenshots and exact commands showing the user-visible status --deep warning removed after patched official plugin updates; the remaining gap is only no release-package smoke for latest head.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR supplies before/after CLI screenshots and exact commands showing the user-visible status --deep warning removed after patched official plugin updates; the remaining gap is only no release-package smoke for latest head.
  • proof: 📸 screenshot: Contributor real behavior proof includes screenshot evidence. The PR supplies before/after CLI screenshots and exact commands showing the user-visible status --deep warning removed after patched official plugin updates; the remaining gap is only no release-package smoke for latest head.

Evidence reviewed

PR surface:

Source +292, Tests +692. Total +984 across 10 files.

PR surface stats:

Area       Files  Added  Removed   Net
Source         4    315       23  +292
Tests          6    708       16  +692
Docs           0      0        0     0
Config         0      0        0     0
Generated      0      0        0     0
Other          0      0        0     0
Total         10   1023       39  +984

What I checked:

  • Repository policy applied: Root AGENTS.md and the scoped plugin/SDK policies were read; plugin install records, migrations, and trust handling are compatibility-sensitive review surfaces under this policy. (AGENTS.md:14, f6aa2c02d1c7)
  • Current main still rewrites official records to moving specs: On current main, npm update records write spec from recordSpec, which comes from the official catalog bare spec during official sync, so the managed record can remain unpinned even after a resolved exact artifact is known. (src/plugins/update.ts:1794, f6aa2c02d1c7)
  • PR pins only caller-owned managed official records: The PR routes npm update record writes through resolveNpmInstallRecordSpec, pinning to the exact resolved registry spec only when official sync or an official fallback owns the managed pinning decision. (src/plugins/update.ts:2032, 36048e8d8768)
  • Pinning helper rejects tags and non-registry resolutions: The new helper returns the resolved spec only when pinResolvedRegistrySpec is true and the resolved spec parses as an exact registry npm version; otherwise it preserves the requested spec. (src/plugins/installs.ts:22, 36048e8d8768)
  • Regression tests cover the main pinning and preservation paths: The PR adds coverage for official sync pinning, unchanged official record rewrites, third-party moving specs, manual exact pins without official sync, and reinstalling missing exact official pins. (src/plugins/update.test.ts:602, 36048e8d8768)
  • Security audit explains the user-visible warning: The plugin trust audit warns when npm install records have a string spec that is not an exact pinned registry spec, which matches the reported Plugin index includes unpinned npm specs warning. (src/security/audit-plugins-trust.ts:455, f6aa2c02d1c7)

Likely related people:

  • steipete: Authored the latest branch repair commits, supplied land-ready proof, and is the assignee/commenter for the current review state. (role: recent PR repair owner and reviewer; confidence: high; commits: 49b7000a814f, 36048e8d8768; files: src/plugins/update.ts, src/plugins/update.test.ts)
  • B.K.: Recent current-main history on src/plugins/update.ts changed plugin channel fallback behavior that this PR builds on. (role: recent area contributor; confidence: medium; commits: c96a12d3c887; files: src/plugins/update.ts)
  • vincentkoc: The shallow current-main blame for the reviewed plugin update, migration, and audit files points through the current main snapshot commit; this is a weak routing signal because the checkout is shallow. (role: recent current-main contributor; confidence: low; commits: 8fe67e4b7073; files: src/plugins/update.ts, src/infra/state-migrations.ts, src/security/audit-plugins-trust.ts)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
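The pinning policy this PR describes (exact resolved registry specs persisted only for managed official records, third-party moving specs and manual pins left untouched, and the trust audit flagging any npm record whose spec is not an exact registry version), modelled as an added TypeScript example. This is not OpenClaw's code: the record shape, the names `parseExactRegistrySpec`, `decideRecordSpec`, `findUnpinnedNpmRecords`, `applyUpdateWriter` and `demoBeforeAfter`, and the sample records are assumptions. The review above names the real helper `resolveNpmInstallRecordSpec` in src/plugins/installs.ts and its `pinResolvedRegistrySpec` flag; only that flag name is reused here.

```typescript
// Added example modelling the pinning policy described in this PR.
// Not OpenClaw's code: record shape, function names and sample data are assumed.

type NpmInstallRecord = {
  source: "npm";
  spec: string;          // spec persisted in the install record (bare, tag, range or exact)
  resolvedSpec?: string; // exact spec the registry resolved during the last install/update
};

// An exact registry spec is "[@scope/]name@x.y.z" with a full semver version
// (prerelease/build suffixes allowed). Dist-tags such as "latest" or "beta",
// ranges such as "^1.2.3", bare names and non-registry sources never match.
const EXACT_REGISTRY_SPEC =
  /^(?:@[a-z0-9][\w.-]*\/)?[a-z0-9][\w.-]*@(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?)$/;

function parseExactRegistrySpec(spec: string): { name: string; version: string } | null {
  const match = EXACT_REGISTRY_SPEC.exec(spec);
  const version = match?.[1];
  if (version === undefined) return null;
  // The last "@" separates name from version; a scope's leading "@" is at index 0.
  return { name: spec.slice(0, spec.lastIndexOf("@")), version };
}

type PinDecision = { spec: string; pinned: boolean; reason: string };

// Decide which spec the record writer persists. The resolved spec is taken only
// when the caller owns the managed pinning decision (official sync / official
// fallback) AND the resolved spec is an exact registry version; in every other
// case the requested spec is kept, so third-party moving specs and manual pins
// are never rewritten by the writer.
function decideRecordSpec(opts: {
  requestedSpec: string;
  resolvedSpec?: string;
  pinResolvedRegistrySpec: boolean; // flag name taken from the review notes above
}): PinDecision {
  const { requestedSpec, resolvedSpec, pinResolvedRegistrySpec } = opts;
  const requestedIsExact = parseExactRegistrySpec(requestedSpec) !== null;
  if (!pinResolvedRegistrySpec) {
    return { spec: requestedSpec, pinned: requestedIsExact, reason: "caller does not own the pinning decision" };
  }
  if (resolvedSpec === undefined || parseExactRegistrySpec(resolvedSpec) === null) {
    return { spec: requestedSpec, pinned: requestedIsExact, reason: "resolved spec is not an exact registry version" };
  }
  return { spec: resolvedSpec, pinned: true, reason: "pinned to the exact resolved registry version" };
}

// The trust-audit check the review cites: every npm record whose persisted spec
// is not an exact registry spec is reported as unpinned.
function findUnpinnedNpmRecords(records: Record<string, NpmInstallRecord>): string[] {
  return Object.entries(records)
    .filter(([, record]) => record.source === "npm" && parseExactRegistrySpec(record.spec) === null)
    .map(([id]) => id)
    .sort();
}

// Run the writer over every record; `isOfficial` stands in for the official
// catalog lookup that decides who owns the pinning decision.
function applyUpdateWriter(
  records: Record<string, NpmInstallRecord>,
  isOfficial: (id: string) => boolean,
): Record<string, NpmInstallRecord> {
  const out: Record<string, NpmInstallRecord> = {};
  for (const [id, record] of Object.entries(records)) {
    const decision = decideRecordSpec({
      requestedSpec: record.spec,
      resolvedSpec: record.resolvedSpec,
      pinResolvedRegistrySpec: isOfficial(id),
    });
    out[id] = { ...record, spec: decision.spec };
  }
  return out;
}

// Constructed sample resembling the pre-fix state in the PR description: official
// records rewritten to bare specs, plus one third-party record on a dist-tag.
const SAMPLE_RECORDS: Record<string, NpmInstallRecord> = {
  acpx: { source: "npm", spec: "@openclaw/acpx", resolvedSpec: "@openclaw/acpx@2026.5.28" },
  codex: { source: "npm", spec: "@openclaw/codex", resolvedSpec: "@openclaw/codex@2026.5.28" },
  discord: { source: "npm", spec: "@openclaw/discord", resolvedSpec: "@openclaw/discord@2026.5.28" },
  "example-third-party": {
    source: "npm",
    spec: "example-third-party-plugin@latest",
    resolvedSpec: "example-third-party-plugin@1.4.2",
  },
};
const OFFICIAL_IDS = new Set(["acpx", "codex", "discord"]);

// Audit before and after one managed update pass: the official records become
// exact and drop out of the warning, the third-party dist-tag record stays flagged.
function demoBeforeAfter(): { before: string[]; after: string[] } {
  const after = applyUpdateWriter(SAMPLE_RECORDS, (id) => OFFICIAL_IDS.has(id));
  return { before: findUnpinnedNpmRecords(SAMPLE_RECORDS), after: findUnpinnedNpmRecords(after) };
}
```

`demoBeforeAfter()` reproduces the behaviour in the PR proof: all four sample records are reported before the update, only the third-party record afterwards. Passing `pinResolvedRegistrySpec: false` with an exact requested spec keeps that spec even when the registry resolved a newer version, which is the manual-pin preservation the follow-up comments describe.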

zhuisDEV (Contributor Author):

Behavior proof screenshot for this PR:

PR-behaviour-proof.png

The purple markup highlights the openclaw status --deep warning after update rewrote official npm plugin records back to bare specs.

@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal backlog priority with limited blast radius. merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. labels May 31, 2026
@clawsweeper clawsweeper Bot added the proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. label May 31, 2026
@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. merge-risk: 🚨 security-boundary 🚨 May affect sandboxing, authorization, credentials, or sensitive data. and removed rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. labels Jun 1, 2026
zhuisDEV (Contributor Author) commented Jun 1, 2026

Follow-up for the legacy state migration warning reported after testing PR head 47967b0 on OpenClaw 2026.5.31.

Root cause: the migration compared legacy plugins/installs.json records and shared SQLite install records with raw JSON equality, so a stale bare official npm spec like @openclaw/codex conflicted with the new exact official spec like @openclaw/codex@2026.5.31 even when both records resolved to the same npm artifact.

Added commit 9f63e5820e to compare npm install records by artifact identity for this migration: npm source, package name, resolved version, and shared artifact fields must agree. Different resolved versions still keep the warning and leave the legacy file in place.

Verification:

  • node scripts/run-vitest.mjs src/commands/doctor-state-migrations.test.ts
  • pnpm exec oxfmt --check --threads=1 src/infra/state-migrations.ts src/commands/doctor-state-migrations.test.ts
  • node scripts/run-oxlint.mjs src/infra/state-migrations.ts src/commands/doctor-state-migrations.test.ts
  • git diff --check
  • node scripts/run-vitest.mjs src/plugins/installs.test.ts src/plugins/update.test.ts src/commands/doctor/shared/missing-configured-plugin-install.test.ts src/commands/onboarding-plugin-install.test.ts src/commands/doctor-state-migrations.test.ts
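The artifact-identity comparison this follow-up describes (npm source, package name, resolved version and shared artifact fields must agree; differing resolved versions still conflict and keep the legacy file), as an added TypeScript example that is not OpenClaw's migration code. The record fields, the names `splitSpec`, `artifactIdentity`, `sameArtifact` and `migrateLegacyInstalls`, and the sample legacy/shared records are assumptions.

```typescript
// Added example modelling the migration comparison described in this comment.
// Not OpenClaw's code: record fields, function names and sample data are assumed.

type InstallRecord = {
  source: "npm" | "path" | "archive";
  spec: string;          // persisted spec: bare "@scope/name" or exact "@scope/name@x.y.z"
  resolvedSpec?: string; // exact spec the registry resolved, when recorded
  version?: string;      // installed version written at install time, when recorded
  integrity?: string;    // registry integrity hash (a shared artifact field)
  installPath?: string;  // unpacked package directory (a shared artifact field)
};

type ArtifactIdentity = { name: string; version: string; integrity?: string; installPath?: string };

// Split "@scope/name@1.2.3" into name and version. The last "@" is the separator;
// a scope's leading "@" sits at index 0, so a bare "@scope/name" has no version.
function splitSpec(spec: string): { name: string; version?: string } {
  const at = spec.lastIndexOf("@");
  return at > 0 ? { name: spec.slice(0, at), version: spec.slice(at + 1) } : { name: spec };
}

// Identity of the npm artifact a record points at: package name, resolved
// version and the shared artifact fields. Null when the version is unknown,
// because equivalence cannot be proven for such a record.
function artifactIdentity(record: InstallRecord): ArtifactIdentity | null {
  if (record.source !== "npm") return null;
  const requested = splitSpec(record.spec);
  const resolved = record.resolvedSpec !== undefined ? splitSpec(record.resolvedSpec) : undefined;
  const version = resolved?.version ?? requested.version ?? record.version;
  if (version === undefined) return null;
  return {
    name: resolved?.name ?? requested.name,
    version,
    integrity: record.integrity,
    installPath: record.installPath,
  };
}

// Two records are the same artifact when every identity field agrees. Records
// whose identity is unknown fall back to raw JSON equality, which is the
// pre-fix comparison and errs on the side of reporting a conflict.
function sameArtifact(a: InstallRecord, b: InstallRecord): boolean {
  const ia = artifactIdentity(a);
  const ib = artifactIdentity(b);
  if (ia === null || ib === null) return JSON.stringify(a) === JSON.stringify(b);
  return (
    ia.name === ib.name &&
    ia.version === ib.version &&
    ia.integrity === ib.integrity &&
    ia.installPath === ib.installPath
  );
}

type MigrationResult = {
  merged: Record<string, InstallRecord>; // records the shared store ends up with
  conflicts: string[];                   // ids whose legacy and shared records truly differ
  keepLegacyFile: boolean;               // legacy file stays in place while conflicts remain
};

function migrateLegacyInstalls(
  legacy: Record<string, InstallRecord>,
  shared: Record<string, InstallRecord>,
): MigrationResult {
  const merged: Record<string, InstallRecord> = { ...shared };
  const conflicts: string[] = [];
  for (const [id, legacyRecord] of Object.entries(legacy)) {
    const sharedRecord = shared[id];
    if (sharedRecord === undefined) {
      merged[id] = legacyRecord; // only the legacy file knows this plugin: carry it over
    } else if (!sameArtifact(legacyRecord, sharedRecord)) {
      conflicts.push(id); // different resolved artifact: warn and keep the shared record
    }
    // equivalent records: the shared (exact) record already wins, nothing to do
  }
  return { merged, conflicts: conflicts.sort(), keepLegacyFile: conflicts.length > 0 };
}

// Constructed sample: a stale bare legacy record that resolves to the same
// artifact as the exact shared record (codex), a genuine version conflict
// (discord), and a plugin only the legacy file knows about (acpx).
const LEGACY_INSTALLS: Record<string, InstallRecord> = {
  codex: { source: "npm", spec: "@openclaw/codex", version: "2026.5.31", integrity: "sha512-EXAMPLEAAA" },
  discord: { source: "npm", spec: "@openclaw/discord", version: "2026.5.28", integrity: "sha512-EXAMPLEBBB" },
  acpx: { source: "npm", spec: "@openclaw/acpx", version: "2026.5.31" },
};
const SHARED_INSTALLS: Record<string, InstallRecord> = {
  codex: { source: "npm", spec: "@openclaw/codex@2026.5.31", resolvedSpec: "@openclaw/codex@2026.5.31", integrity: "sha512-EXAMPLEAAA" },
  discord: { source: "npm", spec: "@openclaw/discord@2026.5.31", resolvedSpec: "@openclaw/discord@2026.5.31", integrity: "sha512-EXAMPLECCC" },
};
```

Running `migrateLegacyInstalls(LEGACY_INSTALLS, SHARED_INSTALLS)` treats the bare `@openclaw/codex` legacy record and the exact `@openclaw/codex@2026.5.31` shared record as one artifact, reports `discord` as a conflict because the resolved versions differ, and carries `acpx` over; the legacy file is kept only because a conflict remains.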

@openclaw-barnacle openclaw-barnacle Bot added triage: needs-real-behavior-proof Candidate: external PR needs after-fix proof from a real setup. proof: supplied External PR includes structured after-fix real behavior proof. and removed proof: supplied External PR includes structured after-fix real behavior proof. triage: needs-real-behavior-proof Candidate: external PR needs after-fix proof from a real setup. labels Jun 1, 2026
zhuisDEV (Contributor Author) commented Jun 1, 2026

Manual plugin update follow-up pushed in e0773e18de.

This addresses the ClawSweeper P1 concern about explicit manual plugin updates:

  • openclaw plugins update <id> no longer passes syncOfficialPluginInstalls: true, so a user exact pin like @openclaw/codex@2026.5.28 is preserved instead of being silently rewritten back to the official moving catalog spec.
  • Automatic OpenClaw/core update repair still keeps official install sync enabled, so managed official records can still be repaired/pinned during app updates.
  • Added CLI coverage proving manual plugin update leaves syncOfficialPluginInstalls unset.
  • Added updater coverage proving exact official npm pins stay exact when official sync is not requested, including the edge case where the recorded installed package directory has been deleted and the updater must reinstall from the exact recorded spec.

Verification:

  • node scripts/run-vitest.mjs src/cli/plugins-cli.update.test.ts src/plugins/update.test.ts
  • node scripts/run-vitest.mjs src/plugins/installs.test.ts src/plugins/update.test.ts src/commands/doctor/shared/missing-configured-plugin-install.test.ts src/commands/onboarding-plugin-install.test.ts src/commands/doctor-state-migrations.test.ts src/cli/plugins-cli.update.test.ts
  • pnpm exec oxfmt --check --threads=1 src/cli/plugins-update-command.ts src/cli/plugins-cli.update.test.ts src/plugins/update.test.ts
  • node scripts/run-oxlint.mjs src/cli/plugins-update-command.ts src/cli/plugins-cli.update.test.ts src/plugins/update.test.ts
  • git diff --check

@clawsweeper re-review

clawsweeper Bot (Contributor) commented Jun 1, 2026

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added the proof: sufficient ClawSweeper judged the real behavior proof convincing. label Jun 1, 2026
# Conflicts:
#	src/agents/embedded-agent-runner/run/preemptive-compaction.ts
#	src/infra/channel-runtime-context.ts
#	src/infra/home-dir.ts
#	src/media/audio.ts
@openclaw-barnacle openclaw-barnacle Bot removed the agents Agent runtime and tooling label Jun 3, 2026
steipete (Contributor) commented Jun 4, 2026

Land-ready proof for fb81858.

Local proof:

  • node scripts/run-vitest.mjs src/plugins/installs.test.ts src/plugins/update.test.ts src/commands/doctor/shared/missing-configured-plugin-install.test.ts src/commands/onboarding-plugin-install.test.ts src/commands/doctor-state-migrations.test.ts src/cli/plugins-cli.update.test.ts src/plugin-sdk/api-baseline.test.ts
  • node scripts/run-oxlint.mjs src/plugins/update.ts src/plugins/update.test.ts src/plugins/installs.ts src/commands/doctor/shared/missing-configured-plugin-install.ts src/commands/onboarding-plugin-install.ts src/plugin-sdk/api-baseline.test.ts
  • pnpm tsgo:prod
  • pnpm check:deprecated-jsdoc
  • git diff --check

Review:

  • .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
  • result: clean, no accepted/actionable findings

CI:

  • GitHub CI run 26920641930 passed, including checks-node-agentic-control-plane-startup-health-runtime.
  • CodeQL / Critical Quality / OpenGrep / Dependency Guard checks passed or skipped by path selection.
  • Real behavior proof check passed.

Known proof gaps: no live npm registry install/update was run; behavior is covered by focused update/install regression tests and CI.

@clawsweeper clawsweeper Bot added rating: 🌊 off-meta tidepool PR readiness rating does not apply to this item. and removed proof: sufficient ClawSweeper judged the real behavior proof convincing. proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. labels Jun 4, 2026
@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. and removed rating: 🌊 off-meta tidepool PR readiness rating does not apply to this item. labels Jun 4, 2026
@openclaw-barnacle openclaw-barnacle Bot added the scripts Repository scripts label Jun 4, 2026
steipete (Contributor) commented Jun 4, 2026

Land-ready proof for ad54022.

Local proof:

  • node scripts/run-vitest.mjs src/plugins/installs.test.ts src/plugins/update.test.ts src/commands/doctor/shared/missing-configured-plugin-install.test.ts src/commands/onboarding-plugin-install.test.ts src/commands/doctor-state-migrations.test.ts src/cli/plugins-cli.update.test.ts src/plugin-sdk/api-baseline.test.ts test/scripts/npm-onboard-channel-agent-assertions.test.ts
  • node scripts/run-oxlint.mjs scripts/e2e/lib/npm-onboard-channel-agent/assertions.mjs src/plugins/update.ts src/plugins/update.test.ts src/plugins/installs.ts src/commands/doctor/shared/missing-configured-plugin-install.ts src/commands/onboarding-plugin-install.ts src/plugin-sdk/api-baseline.test.ts
  • pnpm tsgo:prod
  • pnpm check:deprecated-jsdoc
  • git diff --check

Review:

  • .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
  • result: clean, no accepted/actionable findings

CI:

  • GitHub CI run 26922932707 passed, including build-artifacts, check-lint, check-prod-types, check-test-types, checks-node, and ci-timings-summary.
  • Security High run 26922932697 passed.
  • Critical Quality run 26922932686 passed selected plugin/plugin-sdk shards; other shards skipped by path selection.
  • Dependency Guard, OpenGrep, CodeQL, actionlint, no-tabs, and Real behavior proof passed or skipped by path selection.

Known proof gaps: no live npm registry install/update was run; behavior is covered by focused update/install regression tests and CI.

@steipete steipete merged commit 7b5f75e into openclaw:main Jun 4, 2026
165 of 167 checks passed
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request Jun 4, 2026
* fix(plugins): pin official npm install records

* fix(infra): tolerate equivalent plugin install migrations

* fix(plugins): preserve manual exact plugin pins

* fix(infra): remove stale migration imports

* chore: unblock ci guards

* fix: preserve official sync integrity checks

* fix: avoid prerelease integrity carryover

* fix: preserve manual official npm specs

* fix: preserve beta fallback integrity checks

* fix: preserve trusted prerelease fallback integrity

* fix: preserve prerelease-only integrity checks

* fix: pin unchanged official npm records

* fix: allow official compatible fallback updates

* fix: preserve fallback integrity after prerelease resolution

* fix: skip incompatible fallback integrity pins

* fix: preserve pin-only install provenance

* fix: check integrity when repairing missing official pins

---------

Co-authored-by: Lilac <lilac@Lilacs-iMac.local>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
SebTardif pushed a commit to SebTardif/openclaw that referenced this pull request Jun 4, 2026
Labels

cli CLI command changes commands Command implementations merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. merge-risk: 🚨 security-boundary 🚨 May affect sandboxing, authorization, credentials, or sensitive data. P2 Normal backlog priority with limited blast radius. proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. proof: sufficient ClawSweeper judged the real behavior proof convincing. proof: supplied External PR includes structured after-fix real behavior proof. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. scripts Repository scripts size: XL status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.
