[plugin sdk] Allow declared installed trusted hooks #90004

Merged: jesse-merhi merged 9 commits into openclaw:main from brokemac79:fix/issue-87735-installed-plugin-opt-in, Jun 10, 2026

@brokemac79 brokemac79 commented Jun 3, 2026

Contributor

Summary

  • Allow installed plugins to register api.registerAgentToolResultMiddleware(...) when their manifest declares the targeted runtimes in contracts.agentToolResultMiddleware.
  • Add contracts.trustedToolPolicies[] so installed plugins can opt into named trusted pre-tool policies while undeclared policy ids still fail closed.
  • Preserve bundled trusted-policy priority ahead of installed trusted policies and prevent installed trusted-policy id shadowing of bundled guards.
  • Document the manifest, inspect, and audit contract, and keep contracts.trustedToolPolicies through official external catalog contract merges.

Closes #87735.

Current-Main Source Evidence

Current main still has the bundled-only gates that the canonical issue reports:

  • src/plugins/registry.ts rejects installed/non-bundled api.registerAgentToolResultMiddleware(...) registrations with "only bundled plugins can register agent tool result middleware".
  • src/plugins/registry.ts rejects installed/non-bundled api.registerTrustedToolPolicy(...) registrations with "only bundled plugins can register trusted tool policies".
  • src/plugins/agent-tool-result-middleware-loader.ts skips every manifest record where record.origin !== "bundled", so installed plugins declaring contracts.agentToolResultMiddleware cannot be lazy-loaded as middleware owners.
  • FRD: installed-plugin opt-in for registerTrustedToolPolicy + registerAgentToolResultMiddleware #87735 includes concrete first-party Tokenjuice external-install evidence on OpenClaw 2026.5.28 showing this bundled-only middleware gate is exposed as a broken official-plugin install flow.

Security / Trust Posture

  • This is not a blanket external-plugin trust grant: installed plugins must declare exact runtime ids or trusted policy ids in openclaw.plugin.json before registration is accepted.
  • Bundled trusted policies keep the existing path and are ordered before installed trusted policies.
  • Installed plugins cannot shadow bundled trusted-policy ids: installed duplicates are rejected, and if a bundled policy later registers an id already claimed by an installed plugin, the bundled registration replaces the installed one while emitting a warning diagnostic/log.
  • Author-side code/proof work is complete as far as we can tell; the remaining decision is maintainer/security review of the manifest-gated installed-plugin trust boundary.

Real Behavior Proof

  • Behavior addressed: Installed/official plugins that declare host-trusted contracts can now register tool-result middleware and named trusted pre-tool policies instead of being rejected solely because their origin is not bundled.
  • Real environment tested: Local Windows source checkout on this PR branch with isolated OpenClaw homes/configs, plus a Blacksmith Testbox changed-gate run on a warmed Linux Testbox. No production OpenClaw state, VPS state, or user secrets were touched.
  • Exact steps or command run after this patch: Ran isolated installed-plugin runtime inspect, NPM Tokenjuice install + runtime inspect, ClawHub Tokenjuice install + runtime inspect, the focused plugin/host-hook/Codex middleware regression suites, lint/type/diff gates, and the repository changed gate on Blacksmith Testbox tbx_01ktm4xc6e4yqawy9wck02f46n using env OPENCLAW_CHECK_CHANGED_REMOTE_CHILD=1 OPENCLAW_CHANGED_LANES_RAW_SYNC=1 CI=1 corepack pnpm check:changed.
  • Evidence after fix: Terminal output from the real node --import tsx src/entry.ts plugins inspect ... --runtime --json runs showed installed/official Tokenjuice loaded from both npm and ClawHub with enabled: true, imported: true, trustedOfficialInstall: true, diagnostics: [], and contracts.agentToolResultMiddleware: ["openclaw", "codex"]. The isolated installed-plugin proof also retained contracts.trustedToolPolicies: ["issue-87735-proof-policy"] with diagnostics: []. The Blacksmith Testbox changed gate completed on tbx_01ktm4xc6e4yqawy9wck02f46n with TESTBOX_EXIT=0; warmup Actions run: https://github.com/openclaw/openclaw/actions/runs/27155636123. PR head f990ec4fcf3d390740dd48b30adbb767dc94d9bc is a no-op CI requeue commit on the same tree as the tested 53cfddad43c7a16cd461289588af86b5c5c4507b head.
  • Observed result after fix: Installed official/declared plugins can register the intended host-trusted contracts, undeclared trusted policy ids still fail closed, bundled trusted policies stay ahead of installed trusted policies, and installed plugins can no longer shadow bundled trusted policy ids by registering first.
  • What was not tested: A production Gateway/VPS Tokenjuice turn was not rerun on this PR branch; full pnpm check was not run. The final review used focused runtime/plugin/Codex middleware gates, Blacksmith Testbox check:changed, ClawSweeper review, and manual diff review.

Isolated installed-plugin command:

$env:OPENCLAW_HOME = "C:\oc-work\oc-87735\.artifacts\issue-87735-proof\home"
$env:OPENCLAW_CONFIG_PATH = "C:\oc-work\oc-87735\.artifacts\issue-87735-proof\home\.openclaw\openclaw.json"
$env:OPENCLAW_BUNDLED_PLUGINS_DIR = "C:\oc-work\oc-87735\.artifacts\issue-87735-proof\no-bundled-plugins"
$env:OPENCLAW_DISABLE_BUNDLED_PLUGINS = "1"
node --import tsx src/entry.ts plugins inspect issue-87735-installed-proof --runtime --json

The isolated installed-plugin inspect command reported the installed plugin as loaded/imported with no diagnostics and retained the trusted-surface contracts:

{
  "contracts": {
    "agentToolResultMiddleware": ["codex"],
    "trustedToolPolicies": ["issue-87735-proof-policy"]
  },
  "diagnostics": []
}

NPM Tokenjuice package command:

$env:OPENCLAW_HOME = "C:\oc-work\oc-87735\.artifacts\tokenjuice-packaged-proof\home"
$env:OPENCLAW_CONFIG_PATH = "C:\oc-work\oc-87735\.artifacts\tokenjuice-packaged-proof\home\.openclaw\openclaw.json"
$env:OPENCLAW_BUNDLED_PLUGINS_DIR = "C:\oc-work\oc-87735\.artifacts\tokenjuice-packaged-proof\no-bundled-plugins"
node --import tsx src/entry.ts plugins install npm:@openclaw/tokenjuice@2026.6.1 --pin
node --import tsx src/entry.ts plugins inspect tokenjuice --runtime --json

NPM Tokenjuice runtime inspect reported install.source: "npm", trustedOfficialInstall: true, enabled: true, explicitlyEnabled: true, status: "loaded", imported: true, diagnostics: [], and contracts.agentToolResultMiddleware: ["openclaw", "codex"].

ClawHub Tokenjuice package command:

$env:OPENCLAW_HOME = "C:\oc-work\oc-87735\.artifacts\tokenjuice-clawhub-proof\home"
$env:OPENCLAW_CONFIG_PATH = "C:\oc-work\oc-87735\.artifacts\tokenjuice-clawhub-proof\home\.openclaw\openclaw.json"
$env:OPENCLAW_BUNDLED_PLUGINS_DIR = "C:\oc-work\oc-87735\.artifacts\tokenjuice-clawhub-proof\no-bundled-plugins"
node --import tsx src/entry.ts plugins search tokenjuice
node --import tsx src/entry.ts plugins install clawhub:@openclaw/tokenjuice@2026.6.1 --pin
node --import tsx src/entry.ts plugins inspect tokenjuice --runtime --json

ClawHub Tokenjuice runtime inspect reported install.source: "clawhub", clawhubChannel: "official", trustedOfficialInstall: true, enabled: true, explicitlyEnabled: true, status: "loaded", imported: true, diagnostics: [], and contracts.agentToolResultMiddleware: ["openclaw", "codex"].

Maintainer-review follow-up: after maintainer review pointed out that an installed plugin could register a built-in trusted policy id before the bundled policy and win the duplicate check, PR head b2677eef2c removed the earlier installed registration when the later registration is bundled, logs/records a warning for the displaced plugin, and keeps the bundled policy as the only active policy for that id. The focused regression "lets bundled trusted policies replace declared external policies with the same id" proves the installed fake policy is displaced and the bundled policy blocks the tool call.

Verification

Original PR validation:

  • NODE_OPTIONS=--max-old-space-size=8192 node scripts/run-vitest.mjs src/agents/codex-app-server.extensions.test.ts src/plugins/contracts/host-hooks.contract.test.ts src/plugins/manifest-registry.test.ts
  • corepack pnpm build:plugin-sdk:strict-smoke
  • corepack pnpm tsgo:prod
  • corepack pnpm check:test-types
  • corepack pnpm lint --threads=8
  • corepack pnpm exec oxfmt --check src/plugins/manifest.ts src/plugins/registry.ts src/plugins/agent-tool-result-middleware-loader.ts src/plugins/types.ts src/plugins/registry-types.ts src/agents/codex-app-server.extensions.test.ts src/plugins/contracts/host-hooks.contract.test.ts src/plugins/manifest-registry.test.ts
  • corepack pnpm exec oxfmt --check docs/plugins/sdk-overview.md docs/plugins/sdk-agent-harness.md docs/plugins/hooks.md docs/plugins/manifest.md docs/plugins/building-plugins.md docs/cli/plugins.md
  • corepack pnpm docs:check-mdx
  • corepack pnpm docs:check-i18n-glossary
  • corepack pnpm docs:check-links
  • git diff --check
  • Rebased onto current origin/main and reran the focused ClawSweeper acceptance set on PR head 6ea717e3572ba4a9f0ab370202ae4c8835cadb5a.

Maintainer-review follow-up validation on PR head b2677eef2c:

  • node scripts/run-vitest.mjs run --config test/vitest/vitest.contracts-plugin.config.ts src/plugins/contracts/host-hooks.contract.test.ts -t "lets bundled trusted"
  • node scripts/run-vitest.mjs run --config test/vitest/vitest.contracts-plugin.config.ts src/plugins/contracts/host-hooks.contract.test.ts
  • NODE_OPTIONS=--max-old-space-size=8192 pnpm tsgo:core
  • pnpm exec oxlint src/plugins/registry.ts src/plugins/contracts/host-hooks.contract.test.ts
  • git diff --check

Additional follow-up validation on PR head 53cfddad43c7a16cd461289588af86b5c5c4507b:

  • node scripts/run-vitest.mjs src/plugins/loader.test.ts -t "rolls back trusted policies when plugin register fails"
  • node scripts/run-vitest.mjs test/scripts/kitchen-sink-plugin-assertions.test.ts -t "accepts" --reporter=verbose
  • node scripts/run-vitest.mjs src/plugins/loader.test.ts src/plugins/contracts/host-hooks.contract.test.ts src/agents/codex-app-server.extensions.test.ts
  • node scripts/run-vitest.mjs src/agents/codex-app-server.extensions.test.ts -t "loads missing installed middleware" --reporter=verbose
  • pnpm exec oxlint on focused plugin, loader, host-hook, Codex middleware, and kitchen-sink files
  • NODE_OPTIONS=--max-old-space-size=8192 pnpm tsgo:core
  • git diff --check
  • codex-review --mode branch through the local codex-review helper: clean; no accepted/actionable findings.

Blacksmith/Testbox changed gate:

env OPENCLAW_CHECK_CHANGED_REMOTE_CHILD=1 OPENCLAW_CHANGED_LANES_RAW_SYNC=1 CI=1 corepack pnpm check:changed

Result: passed with TESTBOX_EXIT=0.

@openclaw-barnacle openclaw-barnacle Bot added docs Improvements or additions to documentation agents Agent runtime and tooling size: M triage: mock-only-proof Candidate: PR proof only shows tests, mocks, snapshots, lint, typecheck, or CI. labels Jun 3, 2026
@clawsweeper

clawsweeper Bot commented Jun 3, 2026

Contributor

Codex review: needs maintainer review before merge. Reviewed June 10, 2026, 1:24 AM ET / 05:24 UTC.

Summary
The branch adds manifest-declared, explicitly enabled installed-plugin access to trusted tool policies and agent tool-result middleware, plus lazy/startup loading, inspect/docs, and regression coverage.

PR surface: Source +222, Tests +797, Docs +31, Other +1. Total +1051 across 28 files.

Reproducibility: yes. Current main source directly rejects non-bundled registrations on both requested paths, and the linked Tokenjuice issue provides concrete external-install evidence; I did not run a live repro in this read-only review.

Review metrics: 1 noteworthy metric.

  • Host-trusted plugin contract surface: 1 new manifest contract, 1 existing contract widened. contracts.trustedToolPolicies is added and contracts.agentToolResultMiddleware changes from bundled-only to explicitly enabled installed plugins, so maintainers should review the API and upgrade implications before merge.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P2] Get explicit maintainer/security acceptance for the installed-plugin trusted-hook boundary before merge.

Risk before merge

  • [P1] This intentionally expands host-trusted pre-tool policy and model-visible tool-result rewriting from bundled-only code to explicitly enabled installed plugins, so maintainer/security acceptance is still required.
  • [P1] The PR changes plugin manifest/API contract semantics and trusted-policy id handling, which is compatibility-sensitive even though the code keeps bundled policies ahead of installed policies.

Maintainer options:

  1. Approve the new trusted-hook boundary (recommended)
    A maintainer/security owner can accept manifest declarations plus explicit plugin enablement as the supported contract before merge.
  2. Require stronger production proof first
    Maintainers can ask for a production Gateway or VPS Tokenjuice turn if inspect/Testbox proof is not enough for this trust-boundary change.
  3. Pause if installed plugins should not own this tier
    If the long-term trust model remains bundled-only, close or redesign this PR around external docs/install guidance instead of merging the new API surface.

Next step before merge

  • [P2] The remaining action is maintainer/security judgment on the new installed-plugin trusted-hook contract, not an automated code repair.

Security
Needs attention: No malicious or supply-chain concern was found, but the diff intentionally changes a host-trusted plugin security boundary that needs maintainer/security acceptance.

Review details

Best possible solution:

Accept or reject the manifest-gated installed trusted-hook boundary explicitly; if accepted, keep the explicit enablement, bundled-first ordering, inspect/docs visibility, and regression coverage together.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main source directly rejects non-bundled registrations on both requested paths, and the linked Tokenjuice issue provides concrete external-install evidence; I did not run a live repro in this read-only review.

Is this the best way to solve the issue?

Unclear until maintainers accept the trust model. Given that decision, the PR's manifest declaration plus explicit enablement is the narrowest implementation shape I found for the existing plugin-contract architecture.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 69a73b6278b5.

Label changes:

  • add status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (terminal): The PR body includes after-fix terminal proof for isolated installed plugins, npm and ClawHub Tokenjuice inspect flows, focused regression commands, and a passing Blacksmith Testbox changed gate.
  • remove status: 👀 ready for maintainer look: Current PR status label is status: ⏳ waiting on author.

Label justifications:

  • P2: This is a normal-priority plugin SDK improvement with clear downstream impact but no current core outage or data-loss emergency.
  • merge-risk: 🚨 compatibility: The PR changes plugin manifest/API contract semantics and startup/loading behavior for installed plugins.
  • merge-risk: 🚨 security-boundary: The PR expands host-trusted pre-tool policy and model-visible tool-result rewriting to installed plugins when declared and explicitly enabled.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (terminal): The PR body includes after-fix terminal proof for isolated installed plugins, npm and ClawHub Tokenjuice inspect flows, focused regression commands, and a passing Blacksmith Testbox changed gate.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix terminal proof for isolated installed plugins, npm and ClawHub Tokenjuice inspect flows, focused regression commands, and a passing Blacksmith Testbox changed gate.

Evidence reviewed

PR surface:

Source +222, Tests +797, Docs +31, Other +1. Total +1051 across 28 files.

| Area | Files | Added | Removed | Net |
|---|---|---|---|---|
| Source | 10 | 264 | 42 | +222 |
| Tests | 9 | 811 | 14 | +797 |
| Docs | 8 | 74 | 43 | +31 |
| Config | 0 | 0 | 0 | 0 |
| Generated | 0 | 0 | 0 | 0 |
| Other | 1 | 4 | 3 | +1 |
| Total | 28 | 1153 | 102 | +1051 |

Security concerns:

  • [medium] Accept the installed-plugin trusted-hook boundary — src/plugins/registry.ts:2052
    The registry now permits explicitly enabled installed plugins to register trusted pre-tool policies and tool-result middleware when declared in the manifest, which can affect tool authorization and model-visible tool output.
    Confidence: 0.86

What I checked:

  • Repository policy read and applied: Root AGENTS.md and scoped docs/extensions/scripts/src/agents/src/plugins/test guides were read fully; plugin SDK compatibility, manifest-first behavior, and security-boundary guidance affected this review. (AGENTS.md:1, 69a73b6278b5)
  • Current main still has bundled-only gates: Current main rejects non-bundled agent tool-result middleware and trusted tool policies before installed plugins can use declared contracts. (src/plugins/registry.ts:528, 69a73b6278b5)
  • PR registry gate uses manifest plus explicit enablement: The PR removes the origin-only middleware block and requires declared runtimes plus explicit enablement for installed middleware registrations. (src/plugins/registry.ts:528, 431e4e377470)
  • PR trusted policy gate is declared and ordered: Installed trusted policies must declare the policy id and be explicitly enabled; bundled policy registrations are inserted before installed registrations. (src/plugins/registry.ts:2052, 431e4e377470)
  • Lazy middleware loading covers installed owners: The PR's middleware loader considers enabled, explicitly opted-in installed owners and loads only missing middleware owners while preserving already active handlers. (src/plugins/agent-tool-result-middleware-loader.ts:73, 431e4e377470)
  • Regression coverage exercises the trust boundary: Tests cover installed middleware opt-in, lazy installed middleware, active bundled plus missing installed middleware, trusted-policy explicit opt-in, duplicate owner scoping, bundled-before-installed order, and rollback on register failure. (src/plugins/contracts/host-hooks.contract.test.ts:194, 431e4e377470)

Likely related people:

  • vincentkoc: History shows this contributor introduced and hardened tool-result middleware and recently failed-closed trusted policy errors around the same host-hook surfaces. (role: feature owner / adjacent trusted-surface contributor; confidence: high; commits: 47f6a98909b5, 7bd74758c5f5, be967545c500; files: src/agents/harness/tool-result-middleware.ts, src/plugins/trusted-tool-policy.ts, src/plugins/registry.ts)
  • shakkernerd: The installed/bundled middleware lazy-loading path traces to this contributor's lazy tool-result middleware plugin work. (role: adjacent loader contributor; confidence: medium; commits: 08cc44b57d3f; files: src/plugins/agent-tool-result-middleware-loader.ts, src/agents/harness/tool-result-middleware.ts)
  • steipete: Recent main history shows repeated plugin registry, discovery helper, docs, and agent runtime refactors touching the same plugin SDK boundary. (role: recent area contributor; confidence: medium; commits: a77f20a6d67f, f6049db20fe4, bb46b79d3c14; files: src/plugins/registry.ts, src/plugins/agent-tool-result-middleware-loader.ts, src/agents/harness/tool-result-middleware.ts)
  • 100yenadmin: GitHub history links the generic plugin host-hook contract introduction to this contributor, with review by jalehman noted in the merge metadata. (role: original host-hook contract contributor; confidence: medium; commits: 1adaa28dc86b; files: src/plugins/trusted-tool-policy.ts, src/plugins/contracts/host-hooks.contract.test.ts, docs/plugins/hooks.md)

What the crustacean ranks mean

  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal backlog priority with limited blast radius. merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. merge-risk: 🚨 security-boundary 🚨 May affect sandboxing, authorization, credentials, or sensitive data. labels Jun 3, 2026
@brokemac79 brokemac79 force-pushed the fix/issue-87735-installed-plugin-opt-in branch from d6d393b to 90707e6 Compare June 3, 2026 21:12
@openclaw-barnacle openclaw-barnacle Bot added proof: supplied External PR includes structured after-fix real behavior proof. and removed triage: mock-only-proof Candidate: PR proof only shows tests, mocks, snapshots, lint, typecheck, or CI. labels Jun 3, 2026
@brokemac79 brokemac79 force-pushed the fix/issue-87735-installed-plugin-opt-in branch from 90707e6 to b274fb8 Compare June 3, 2026 21:20
@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. and removed rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jun 3, 2026
@brokemac79 brokemac79 force-pushed the fix/issue-87735-installed-plugin-opt-in branch from b274fb8 to 532ac36 Compare June 3, 2026 21:35
@openclaw-barnacle openclaw-barnacle Bot removed the proof: sufficient ClawSweeper judged the real behavior proof convincing. label Jun 3, 2026
@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. and removed rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. labels Jun 3, 2026
@brokemac79

Contributor Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jun 3, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. and removed rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. merge-risk: 🚨 security-boundary 🚨 May affect sandboxing, authorization, credentials, or sensitive data. labels Jun 3, 2026
@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. and removed rating: 🌊 off-meta tidepool PR readiness rating does not apply to this item. labels Jun 8, 2026
@openclaw-barnacle openclaw-barnacle Bot added the scripts Repository scripts label Jun 8, 2026
@brokemac79

Contributor Author

Addressed the latest ClawSweeper rank-up items in commit 0f1b93d:

  • Added trustedToolPolicies to the plugin registry snapshot/restore rollback path so a failed register() cannot leave a trusted policy behind.
  • Added a focused regression test for failed trusted-policy registration rollback.
  • Updated the kitchen-sink trusted-policy diagnostic canaries to match the manifest-contract gate, and made the fixture use its isolated OPENCLAW_STATE_DIR so the canary test is not affected by ambient test env.

Validation run locally:

  • node scripts/run-vitest.mjs src/plugins/loader.test.ts -t "rolls back trusted policies when plugin register fails"
  • node scripts/run-vitest.mjs test/scripts/kitchen-sink-plugin-assertions.test.ts -t "accepts" --reporter=verbose
  • node scripts/run-vitest.mjs src/plugins/loader.test.ts src/plugins/contracts/host-hooks.contract.test.ts src/agents/codex-app-server.extensions.test.ts
  • pnpm exec oxlint src/plugins/registry.ts src/plugins/loader.ts src/plugins/contracts/host-hooks.contract.test.ts src/plugins/loader.test.ts scripts/e2e/lib/kitchen-sink-plugin/assertions.mjs test/scripts/kitchen-sink-plugin-assertions.test.ts
  • NODE_OPTIONS=--max-old-space-size=8192 pnpm tsgo:core
  • git diff --check

I did not trigger a manual ClawSweeper re-review.

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. labels Jun 8, 2026
@openclaw-barnacle openclaw-barnacle Bot removed the proof: sufficient ClawSweeper judged the real behavior proof convincing. label Jun 8, 2026
@brokemac79

Contributor Author

Follow-up after Codex review: commit 53cfdda fixes the remaining middleware-loader gap.

Codex review found that installed tool-result middleware could still be skipped when bundled middleware was already active for the same runtime. I accepted that finding and fixed the loader to load only missing manifest owners, then return active handlers plus newly loaded missing handlers. Added a regression covering active bundled middleware plus lazy installed middleware, proving both handlers run.

Additional validation after the fix:

  • node scripts/run-vitest.mjs src/agents/codex-app-server.extensions.test.ts -t "loads missing installed middleware" --reporter=verbose
  • node scripts/run-vitest.mjs src/plugins/loader.test.ts src/plugins/contracts/host-hooks.contract.test.ts src/agents/codex-app-server.extensions.test.ts
  • node scripts/run-vitest.mjs test/scripts/kitchen-sink-plugin-assertions.test.ts -t "accepts" --reporter=verbose
  • pnpm exec oxlint focused files
  • NODE_OPTIONS=--max-old-space-size=8192 pnpm tsgo:core
  • git diff --check
  • C:\Users\marti.codex\skills\codex-review\scripts\codex-review --mode branch, rerun via MSYS Bash: clean; no accepted/actionable findings.

No manual ClawSweeper re-review was triggered.
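
The loader gap described in the comment above, as an added sketch that is not the project's loader code: `resolveBeforeFix` models the skip with an assumed early return when any handler is already active, and `resolveAfterFix` loads only the missing manifest owners and returns active plus newly loaded handlers. All type and function names, plugin ids and the rule that bundled owners need no explicit enablement are assumptions made for illustration.

```typescript
// Added illustration; ManifestOwner, ActiveHandler and the resolve* functions are hypothetical names.
type Handler = (toolResult: string) => string;

interface ManifestOwner {
  pluginId: string;
  origin: "bundled" | "installed";
  explicitlyEnabled: boolean;
  runtimes: string[]; // models contracts.agentToolResultMiddleware in the manifest
}

interface ActiveHandler {
  pluginId: string;
  runtime: string;
  handler: Handler;
}

type LoadOwner = (owner: ManifestOwner) => Handler;

// Owners that may run for this runtime: the runtime must be declared, and an
// installed owner must also be explicitly enabled (assumption: bundled owners always qualify).
function eligibleOwners(runtime: string, owners: ManifestOwner[]): ManifestOwner[] {
  return owners.filter(
    (o) => o.runtimes.includes(runtime) && (o.origin === "bundled" || o.explicitlyEnabled),
  );
}

// "Before" shape: any active handler for the runtime short-circuits lazy loading,
// so a declared installed owner is silently skipped.
function resolveBeforeFix(
  runtime: string,
  owners: ManifestOwner[],
  active: ActiveHandler[],
  load: LoadOwner,
): ActiveHandler[] {
  const current = active.filter((a) => a.runtime === runtime);
  if (current.length > 0) return current;
  return eligibleOwners(runtime, owners).map((o) => ({
    pluginId: o.pluginId,
    runtime,
    handler: load(o),
  }));
}

// "After" shape: keep active handlers, load only owners that are not active yet.
function resolveAfterFix(
  runtime: string,
  owners: ManifestOwner[],
  active: ActiveHandler[],
  load: LoadOwner,
): ActiveHandler[] {
  const current = active.filter((a) => a.runtime === runtime);
  const activeIds = new Set(current.map((a) => a.pluginId));
  const loaded = eligibleOwners(runtime, owners)
    .filter((o) => !activeIds.has(o.pluginId))
    .map((o) => ({ pluginId: o.pluginId, runtime, handler: load(o) }));
  return [...current, ...loaded];
}

// Runs every handler in order over one tool result.
function applyAll(handlers: ActiveHandler[], toolResult: string): string {
  return handlers.reduce((out, h) => h.handler(out), toolResult);
}

// Constructed sample owners; none of these are real plugins.
function middlewareDemo() {
  const loads: string[] = [];
  const owners: ManifestOwner[] = [
    { pluginId: "bundled-mw", origin: "bundled", explicitlyEnabled: false, runtimes: ["codex"] },
    { pluginId: "installed-mw", origin: "installed", explicitlyEnabled: true, runtimes: ["openclaw", "codex"] },
    { pluginId: "dormant-mw", origin: "installed", explicitlyEnabled: false, runtimes: ["codex"] },
  ];
  const active: ActiveHandler[] = [
    { pluginId: "bundled-mw", runtime: "codex", handler: (r) => `${r}|bundled-mw` },
  ];
  const load: LoadOwner = (o) => {
    loads.push(o.pluginId); // records which owners were actually imported
    return (r) => `${r}|${o.pluginId}`;
  };
  const before = applyAll(resolveBeforeFix("codex", owners, active, load), "out");
  const after = applyAll(resolveAfterFix("codex", owners, active, load), "out");
  return { before, after, loads };
}
```
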

@clawsweeper clawsweeper Bot added the proof: sufficient ClawSweeper judged the real behavior proof convincing. label Jun 8, 2026

Contributor Author

Additional Testbox / changed-gate proof for the rank-up request:

  • PR head tested: 53cfddad43c7a16cd461289588af86b5c5c4507b.
  • Blacksmith Testbox: tbx_01ktm4xc6e4yqawy9wck02f46n.
  • Warmup Actions run: https://github.com/openclaw/openclaw/actions/runs/27155636123.
  • Testbox checkout was reset to origin/main, then fetched and checked out brokemac79:fix/issue-87735-installed-plugin-opt-in.
  • Command run on the Testbox:
env OPENCLAW_CHECK_CHANGED_REMOTE_CHILD=1 OPENCLAW_CHANGED_LANES_RAW_SYNC=1 CI=1 corepack pnpm check:changed

Result: passed with TESTBOX_EXIT=0.

Note: the local Windows Crabbox/Blacksmith wrapper path hit worktree/key-permission issues, so I ran the same approved changed gate directly on the warmed Blacksmith Testbox over SSH. No production/VPS OpenClaw state or user secrets were touched.

@openclaw-barnacle openclaw-barnacle Bot removed proof: supplied External PR includes structured after-fix real behavior proof. proof: sufficient ClawSweeper judged the real behavior proof convincing. labels Jun 8, 2026
@brokemac79

Contributor Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jun 8, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@amknight amknight left a comment

Member

Overall LGTM after fixing the prior issue. Given plugin SDK changes it would still be good to get @vincentkoc @steipete approval.

@clawsweeper

clawsweeper Bot commented Jun 9, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@jesse-merhi

Member

/clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jun 10, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@jesse-merhi

Member

/clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jun 10, 2026

Contributor

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

@jesse-merhi

Member

Land-ready proof checked before merge.

Local proof already run on this branch:

node scripts/run-vitest.mjs src/plugins/contracts/host-hooks.contract.test.ts
node scripts/run-vitest.mjs src/agents/codex-app-server.extensions.test.ts src/agents/runtime-plugins.test.ts src/plugins/loader.test.ts src/plugins/manifest-registry.test.ts src/plugins/channel-plugin-ids.test.ts
node scripts/run-vitest.mjs extensions/qa-lab/src/scenario-catalog.test.ts test/scripts/kitchen-sink-plugin-assertions.test.ts
node scripts/run-vitest.mjs src/plugins/status.registry-snapshot.test.ts
pnpm tsgo:core
pnpm tsgo:test:src
pnpm build
pnpm lint --threads=8
git diff --check
.agents/skills/autoreview/scripts/autoreview --mode local

Additional runtime proof:

Blacksmith Testbox through Crabbox: tbx_01ktr1nq0rhq47fjkwrepm7fd3
Result: exit 0

That proof loaded temporary installed plugins through the real loader and verified:

enabled + declared trustedToolPolicies contract -> policy registered and blocked exec
enabled + missing manifest contract -> rejected
declared contract + discovered but not explicitly enabled -> rejected

Live PR state before merge:

head: 431e4e3774707287f125efb25585eae0731bf80b
mergeStateStatus: CLEAN
mergeable: MERGEABLE
reviewDecision: APPROVED
CI/checks: passing

Known proof gap: Clawsweeper-until-clean did not complete because repeated Clawsweeper/Codex execution runs failed before producing a code finding. No actionable Clawsweeper code finding was observed.
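
The trusted-policy rules from the PR description's "Security / Trust Posture" section, the rollback fix from commit 0f1b93d and the three loader cases listed in the comment above, as an added model that is not the project's registry code. `PolicyRegistry`, `PluginRecord`, `loadPlugin`, the reason strings and the plugin and policy ids are hypothetical; rejecting a bundled duplicate of another bundled id is an assumption.

```typescript
// Added illustration: a simplified model of the manifest-gated trust boundary.
// PolicyRegistry, PluginRecord and loadPlugin are hypothetical names, not OpenClaw's API.
type Origin = "bundled" | "installed";

interface PluginRecord {
  id: string;
  origin: Origin;
  explicitlyEnabled: boolean;
  declaredPolicies: string[]; // models contracts.trustedToolPolicies[] in the manifest
}

interface PolicyEntry {
  policyId: string;
  pluginId: string;
  origin: Origin;
}

type Result = { ok: boolean; reason: string };

class PolicyRegistry {
  private entries: PolicyEntry[] = [];
  readonly warnings: string[] = [];

  register(plugin: PluginRecord, policyId: string): Result {
    // Installed plugins fail closed unless enabled AND the exact id is declared.
    if (plugin.origin === "installed") {
      if (!plugin.explicitlyEnabled) return { ok: false, reason: "not-explicitly-enabled" };
      if (!plugin.declaredPolicies.includes(policyId)) {
        return { ok: false, reason: "undeclared-policy-id" };
      }
    }
    const existing = this.entries.find((e) => e.policyId === policyId);
    if (existing) {
      const bundledOverInstalled = plugin.origin === "bundled" && existing.origin === "installed";
      // Assumption: every other duplicate (including bundled over bundled) is rejected.
      if (!bundledOverInstalled) return { ok: false, reason: "duplicate-policy-id" };
      // A later bundled registration displaces the installed claim and records a warning.
      this.entries = this.entries.filter((e) => e !== existing);
      this.warnings.push(`bundled "${policyId}" displaced installed plugin "${existing.pluginId}"`);
    }
    const entry: PolicyEntry = { policyId, pluginId: plugin.id, origin: plugin.origin };
    const firstInstalled = this.entries.findIndex((e) => e.origin === "installed");
    if (plugin.origin === "bundled" && firstInstalled !== -1) {
      this.entries.splice(firstInstalled, 0, entry); // bundled policies stay ahead of installed
    } else {
      this.entries.push(entry);
    }
    return { ok: true, reason: "registered" };
  }

  order(): string[] {
    return this.entries.map((e) => `${e.origin}:${e.policyId}`);
  }
  snapshot(): PolicyEntry[] {
    return [...this.entries];
  }
  restore(saved: PolicyEntry[]): void {
    this.entries = [...saved];
  }
}

// Runs a plugin's register() callback; if it throws, the registry is restored
// so a half-registered plugin cannot leave a trusted policy behind.
function loadPlugin(
  registry: PolicyRegistry,
  plugin: PluginRecord,
  registerFn: (register: (policyId: string) => Result) => void,
): boolean {
  const saved = registry.snapshot();
  try {
    registerFn((policyId) => registry.register(plugin, policyId));
    return true;
  } catch {
    registry.restore(saved);
    return false;
  }
}

// Constructed sample plugins and policy ids; none of these are real OpenClaw plugins.
function policyDemo() {
  const registry = new PolicyRegistry();
  const ext: PluginRecord = {
    id: "ext-plugin", origin: "installed", explicitlyEnabled: true,
    declaredPolicies: ["ext-policy", "exec-guard"],
  };
  const core: PluginRecord = { id: "core-plugin", origin: "bundled", explicitlyEnabled: true, declaredPolicies: [] };
  const results = {
    declared: registry.register(ext, "ext-policy").reason,
    undeclared: registry.register(ext, "other-policy").reason,
    notEnabled: registry.register({ ...ext, id: "ext-2", explicitlyEnabled: false }, "ext-policy").reason,
    claimedFirst: registry.register(ext, "exec-guard").reason, // installed registers a built-in id first
    bundledLater: registry.register(core, "exec-guard").reason, // bundled arrives later and replaces it
  };
  const failing: PluginRecord = { ...ext, id: "ext-3", declaredPolicies: ["tmp-policy"] };
  const rolledBack = !loadPlugin(registry, failing, (register) => {
    register("tmp-policy");
    throw new Error("register() failed after registering a policy");
  });
  return { results, order: registry.order(), warnings: registry.warnings, rolledBack };
}
```
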
