perf(qqbot): narrow tool discovery cold load

[RomneyDa]

Profile Evidence

Run	CPU profile	Submit -> first model request	Request -> visible response	QQBot tool-discovery/register	First-turn embedded duration
Before	.artifacts/tui-local-cpu/full-surface-1780700761191/openclaw-tui-99042-2026-06-05T23-06-02-328Z.cpuprofile	12,683ms	17ms	4,640.8ms	10,824ms
After	.artifacts/tui-local-cpu/full-surface-narrow-tools-1780700900305/openclaw-tui-17302-2026-06-05T23-08-29-149Z.cpuprofile	10,387ms	23ms	1,268.9ms	6,563ms

CPU profile summaries showed the first turn is cold module loading, not provider latency: top samples were dist/jiti.cjs, Babel transforms, package_json_reader, fs stat/open/read, and ESM compile. The mocked local Responses server returned in ~20ms; the delay happened before the request was sent.

Summary

• Route QQBot tool-discovery registration through the narrow tool registration module instead of the broad public api.ts barrel.
• Keep full QQBot registration on the channel-entry path for normal runtime registration.
• Lazy-load the QQ sender auth helper only when qqbot_channel_api executes, so tool registration does not import messaging sender/runtime code.

Verification

• node scripts/run-vitest.mjs extensions/qqbot/src/bridge/commands/framework-registration.test.ts extensions/qqbot/src/bridge/tools/remind.test.ts extensions/qqbot/src/engine/tools/remind-logic.test.ts src/plugin-sdk/channel-entry-contract.test.ts
• pnpm build
• git diff --check
• Profiled pnpm openclaw tui --local with an isolated config and mocked local Responses endpoint before and after the patch.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 7, 2026, 2:50 AM ET / 06:50 UTC.

Summary
The branch narrows QQBot tool-discovery loading, routes full QQBot registration through a top-level sidecar, lazy-loads the sender auth helper during tool execution, and updates QQBot package runtime build expectations.

PR surface: Source +15, Tests +2. Total +17 across 5 files.

Reproducibility: not applicable. as a bug reproduction. The PR's performance claim has before/after profiling evidence, and the source path that previously loaded the broad QQBot barrel is clear from current main and the PR diff.

Review metrics: 1 noteworthy metric.

• QQBot runtime sidecars: 2 added. QQBot is excluded from the root dist and published as its own package, so the added sidecars must be included in the package runtime build before merge.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Rerun current-head validation, especially the bundled-entry guard, QQBot focused tests, package runtime build planning, and build.

Risk before merge

• [P1] The latest visible Blacksmith failure comment was updated before the final force-push, so the current head still needs a fresh CI/build result before landing.

Maintainer options:

1. Decide the mitigation before merge
   Land the narrow-sidecar implementation after current-head validation confirms the packaged QQBot sidecars and bundled-entry guard remain green.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

• [P2] No repair job is needed because the latest head addresses the prior ./src/** sidecar issue; remaining work is validation and maintainer merge review.

Security
Cleared: No concrete security or supply-chain regression was found; the diff does not change dependencies, workflows, permissions, or secret handling semantics.

Review details

Best possible solution:

Land the narrow-sidecar implementation after current-head validation confirms the packaged QQBot sidecars and bundled-entry guard remain green.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a bug reproduction. The PR's performance claim has before/after profiling evidence, and the source path that previously loaded the broad QQBot barrel is clear from current main and the PR diff.

Is this the best way to solve the issue?

Yes, this is the best fit among the inspected options. A narrow top-level sidecar matches the extension boundary guidance and avoids the broad api.ts barrel without changing QQBot tool behavior or channel registration semantics.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 97d68b69027f.

Label changes

Label changes:

• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (logs): The PR body includes before/after CPU profile timings from a local TUI run showing QQBot tool-discovery/register time dropping from about 4.6s to about 1.3s on the measured path.
• remove rating: 🧂 unranked krab: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
• remove merge-risk: 🚨 compatibility: Current PR review selected no merge-risk labels.
• remove status: ⏳ waiting on author: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

• P2: This is a normal-priority QQBot performance improvement with limited channel-specific blast radius.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (logs): The PR body includes before/after CPU profile timings from a local TUI run showing QQBot tool-discovery/register time dropping from about 4.6s to about 1.3s on the measured path.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes before/after CPU profile timings from a local TUI run showing QQBot tool-discovery/register time dropping from about 4.6s to about 1.3s on the measured path.

Evidence reviewed

PR surface:

Source +15, Tests +2. Total +17 across 5 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	4	17	2	+15
Tests	1	2	0	+2
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	5	19	2	+17

What I checked:

• Tool-discovery path narrowed: At the PR head, registerQQBotFull branches on registrationMode === "tool-discovery" and loads ./tools-api.js; the normal registration path loads ./channel-entry-api.js instead of the broad ./api.js barrel. (extensions/qqbot/index.ts:8, f175f0792106)
• Sidecars keep packed entry loads top-level: The PR adds top-level QQBot sidecars that re-export only registerQQBotFull and registerQQBotTools, avoiding direct ./src/** entry specifiers from the bundled channel entry. (extensions/qqbot/channel-entry-api.ts:1, f175f0792106)
• Sender auth helper is deferred to execution: registerChannelTool no longer imports the sender module at module load; getAccessToken is dynamically imported inside qqbot_channel_api.execute, preserving the tool registration behavior while avoiding cold registration of messaging runtime code. (extensions/qqbot/src/bridge/tools/channel.ts:51, f175f0792106)
• Bundled channel contract supports this split: Current main's bundled channel entry contract calls registerFull for tool discovery without channel runtime hydration, while sidecar loading resolves top-level module refs through the guarded bundled-entry loader. (src/plugin-sdk/channel-entry-contract.ts:557, 97d68b69027f)
• Package runtime build coverage includes the new sidecars: The PR updates the QQBot package runtime build-plan assertion to include channel-entry-api.ts and tools-api.ts; current build planning collects top-level public surface entries into package runtime entries. (test/plugin-npm-runtime-build.test.ts:59, f175f0792106)
• Existing guard matches the prior review concern: The bundled-entry guard rejects specifier: "./src/..." in bundled channel entries, which is the contract the latest PR head now satisfies by using top-level QQBot sidecars. (test/scripts/bundled-plugin-build-entries.test.ts:223, 97d68b69027f)

Likely related people:

• steipete: Recent blame and history tie the current QQBot bundled entry and bridge split to commit a4236bd, with adjacent bundled-entry contract and sidecar work in 3126809, 08ae0e6, and 9334015. (role: recent area contributor; confidence: high; commits: a4236bd6faf6, 3126809cb06a, 08ae0e6d2992; files: extensions/qqbot/index.ts, extensions/qqbot/src/bridge/channel-entry.ts, extensions/qqbot/src/bridge/tools/channel.ts)
• Sliverp: Commit bf6f506 introduced the QQBot channel package, entrypoint, manifest, tools, and channel API surface that this PR now optimizes. (role: introduced behavior; confidence: medium; commits: bf6f506dfae6; files: extensions/qqbot/index.ts, extensions/qqbot/api.ts, extensions/qqbot/openclaw.plugin.json)
• vincentkoc: Commit 2e08f0f added the plugin runtime build planning tests and scripts that now need to include QQBot's new top-level sidecars. (role: adjacent build-plan contributor; confidence: medium; commits: 2e08f0f4221f; files: scripts/lib/plugin-npm-runtime-build.mjs, scripts/lib/bundled-plugin-build-entries.mjs, test/plugin-npm-runtime-build.test.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.