Fix Docker store seed target packages#91547

Merged
sallyom merged 1 commit into openclaw:main from sallyom:codex/docker-store-seed-targets on Jun 9, 2026
Conversation

@sallyom sallyom commented Jun 9, 2026

Summary

Fixes #91035.

The Docker runtime-assets store seed now follows the current build target instead of adding every lockfile package. This keeps platform optional packages, such as @zed-industries/codex-acp-*, limited to the architecture Docker is actually building for.

Root Cause

pnpm install was already configured with Docker target architecture filters, but the later offline prune store seed used scripts/list-prod-store-packages.mjs to add every package from pnpm-lock.yaml. That explicitly reintroduced non-target optional packages before pnpm store add, including Darwin/Windows and the wrong Linux architecture ACP packages.

Changes

  • Filter pnpm list --prod and lockfile snapshot closure through os/cpu/libc selectors for the current process target.
  • Keep snapshot dependency closure, including target-matching optional dependencies, so the offline prune store still has the packages it needs.
  • Handle pnpm peer-resolved snapshot keys when walking snapshot dependencies.
  • Add focused tests for target platform optional dependencies and peer-resolved snapshot closures.

Verification

  • pnpm lint --threads=8
  • node scripts/run-vitest.mjs test/scripts/list-prod-store-packages.test.ts
  • git diff --check
  • .agents/skills/autoreview/scripts/autoreview --mode local
  • Local Docker target probe, OPENCLAW_EXTENSIONS=acpx, native linux/arm64: verified the store seed includes @zed-industries/codex-acp-linux-arm64@0.15.0, excludes Darwin/Windows/Linux x64 ACP packages, and pnpm store add succeeds.
  • Local Docker target probe, OPENCLAW_EXTENSIONS=acpx, --platform=linux/amd64: verified process.arch is x64, the store seed includes @zed-industries/codex-acp-linux-x64@0.15.0, excludes Darwin/Windows/Linux arm64 ACP packages, and pnpm store add succeeds.
  • Testbox-through-Crabbox full Docker build: provider blacksmith-testbox, id tbx_01ktn3vp481ggkcwhh0wfnt8t6, Actions run https://github.com/openclaw/openclaw/actions/runs/27180308958, command docker build --progress=plain --target runtime-assets --build-arg OPENCLAW_EXTENSIONS=acpx -t openclaw:pr91547-runtime-assets -f Dockerfile ., HEAD ec9f55e742ee428f631c8f6e591c9eaab265ffee, exit 0. The runtime-assets stage completed pnpm list | scripts/list-prod-store-packages.mjs | pnpm store add, offline pnpm prune --prod, plugin dist prune, postinstall, and package dist import checks, then exported image sha256:dcb33fbedf7480f2c7b559468875f53c3f63243ddd3d1b44872d475e4a5d4a00.

Real behavior proof

Behavior addressed: Docker builds with ACPX no longer seed non-target optional platform packages from the pnpm lockfile into the offline production store. The runtime-assets stage now keeps the target Linux architecture package and avoids Darwin, Windows, and wrong-Linux-architecture ACP packages.

Real environment tested: Blacksmith Testbox through Crabbox on Linux amd64 Docker Engine 28.0.4, provider blacksmith-testbox, id tbx_01ktn3vp481ggkcwhh0wfnt8t6, Actions run https://github.com/openclaw/openclaw/actions/runs/27180308958, PR commit ec9f55e742ee428f631c8f6e591c9eaab265ffee.

Exact steps or command run after this patch: docker build --progress=plain --target runtime-assets --build-arg OPENCLAW_EXTENSIONS=acpx -t openclaw:pr91547-runtime-assets -f Dockerfile .

Evidence after fix: The Testbox run exited 0. Docker completed the runtime-assets stage, including pnpm list --prod --depth Infinity --json | node scripts/list-prod-store-packages.mjs | xargs -r pnpm store add, offline pnpm prune --prod, plugin dist prune, postinstall, package dist import checks, and image export.

Observed result after fix: The runtime-assets build succeeded and exported image sha256:dcb33fbedf7480f2c7b559468875f53c3f63243ddd3d1b44872d475e4a5d4a00. The store seed step completed without trying to fetch incompatible ACP platform tarballs.

What was not tested: A full final runtime image smoke was not run here; this proof targeted the failing Docker runtime-assets store/prune path from #91035. Local Docker Desktop full build was attempted before Testbox proof but hit an out-of-memory SIGKILL during pnpm build:docker, before the patched runtime-assets step.

Notes

The temporary openclaw/openclaw:codex/docker-store-seed-targets branch was used only because Blacksmith workflow dispatch requires a base-repository ref. It was deleted after the passing Testbox run; the PR head remains sallyom:codex/docker-store-seed-targets.
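As an added illustration of the target filter and snapshot closure the PR body describes (example code, not the project's scripts/list-prod-store-packages.mjs): it walks a constructed, simplified lockfile fragment, always keeps regular dependencies, keeps optional dependencies only when their os/cpu/libc selectors match the target, and strips the peer-resolution suffix from snapshot keys before looking up package selectors. Package names, the lockfile shape and the `target` object (in practice derived from process.platform, process.arch and libc detection) are assumptions.

```javascript
// Added example (not the project's script): seed list for one build target, walking
// lockfile snapshots and dropping optional deps whose os/cpu/libc selectors miss.
const SAMPLE_LOCK = { // constructed, simplified pnpm-lock.yaml stand-in
  packages: { // selectors live here, keyed without any peer suffix
    "acp@0.15.0": {}, "runner@3.0.0": {}, "peer@2.0.0": {},
    "acp-linux-arm64@0.15.0": { os: ["linux"], cpu: ["arm64"], libc: ["glibc"] },
    "acp-linux-x64@0.15.0": { os: ["linux"], cpu: ["x64"], libc: ["glibc"] },
    "acp-darwin-arm64@0.15.0": { os: ["darwin"], cpu: ["arm64"] },
  },
  snapshots: { // dependency graph; a key may carry a peer-resolution suffix
    "acp@0.15.0": {
      dependencies: { runner: "3.0.0(peer@2.0.0)" },
      optionalDependencies: { "acp-linux-arm64": "0.15.0", "acp-linux-x64": "0.15.0", "acp-darwin-arm64": "0.15.0" },
    },
    "runner@3.0.0(peer@2.0.0)": { dependencies: { peer: "2.0.0" } },
    "peer@2.0.0": {},
  },
};
// npm-style selector: empty list matches all, "!x" excludes x, plain entries allow.
function selectorMatches(list, value) {
  if (!Array.isArray(list) || list.length === 0) return true;
  let allowed = list.every((e) => e.startsWith("!")); // negation-only lists default to allow
  for (const e of list) {
    if (e === `!${value}`) return false;
    if (e === value) allowed = true;
  }
  return allowed;
}
function packageMatchesTarget(pkg, target) {
  return ["os", "cpu", "libc"].every((k) => selectorMatches(pkg[k], target[k]));
}
// "runner@3.0.0(peer@2.0.0)" -> "runner@3.0.0": the packages map has no peer suffix.
function packageKeyFromSnapshotKey(key) {
  const i = key.indexOf("(");
  return i === -1 ? key : key.slice(0, i);
}
function targetStorePackages(lock, rootKeys, target) {
  const seen = new Set(), stack = [...rootKeys];
  while (stack.length > 0) {
    const key = stack.pop();
    if (seen.has(key)) continue;
    seen.add(key);
    const snap = lock.snapshots[key] ?? {};
    for (const [n, r] of Object.entries(snap.dependencies ?? {})) stack.push(`${n}@${r}`); // always kept
    for (const [n, r] of Object.entries(snap.optionalDependencies ?? {})) {
      const pkg = lock.packages[packageKeyFromSnapshotKey(`${n}@${r}`)] ?? {};
      if (packageMatchesTarget(pkg, target)) stack.push(`${n}@${r}`); // target-matching optionals only
    }
  }
  return [...new Set([...seen].map(packageKeyFromSnapshotKey))].sort();
}
```

Feeding the returned keys to pnpm store add is the step the Dockerfile performs; the list above is what changes per target, while the non-optional closure stays identical.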

@openclaw-barnacle openclaw-barnacle Bot added scripts Repository scripts size: M maintainer Maintainer-authored PR labels Jun 9, 2026
clawsweeper Bot commented Jun 9, 2026

Codex review: needs maintainer review before merge. Reviewed June 8, 2026, 10:45 PM ET / 02:45 UTC.

Summary
The PR updates scripts/list-prod-store-packages.mjs and its tests so Docker runtime-assets store seeding keeps only target-matching production packages and target optional snapshot dependencies.

PR surface: Tests +121, Other +52. Total +173 across 2 files.

Reproducibility: yes. Source inspection on current main shows Docker runtime-assets feeds pnpm store add from a script that also adds every lockfile package, while the lockfile records non-target @zed-industries/codex-acp optional packages matching the linked failure logs.

Review metrics: 1 noteworthy metric.

  • Proof/head delta: 1 helper-only loop rewrite after Docker proof. The real Docker proof ran before the final force-push, so maintainers should notice the small current-head delta before relying on that proof.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster ✨ media proof bonus
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

  • [P1] The store seed feeds Docker offline prune; if the target filter or snapshot closure misses a real production dependency, users would see it as a Docker runtime-assets build failure.
  • [P1] The strongest Docker proof ran on 90349eef56d3, while current head ec9f55e742ee only rewrites dependency iteration; maintainers may still want exact-head Docker proof or a final runtime image smoke before merge.

Maintainer options:

  1. Accept Targeted Runtime-Assets Proof (recommended)
    Maintainers can land after exact-head CI and mergeability if they accept the Testbox runtime-assets build plus the small post-proof helper-only delta as covering the reported ACPX store/prune failure.
  2. Require Exact-Head Final Image Smoke
    Ask for a fresh Docker proof on ec9f55e742ee or a full final runtime image smoke if maintainers want assurance beyond the patched runtime-assets stage.

Next step before merge

  • No automated repair is queued because no concrete patch defect remains; the remaining action is maintainer acceptance of targeted runtime-assets proof for a protected, availability-sensitive Docker build path.

Security
Cleared: The diff changes a local package-listing script and tests only; it does not add dependencies, workflow permissions, secrets handling, action refs, or new executable supply-chain sources.

Review details

Best possible solution:

Merge the target-aware store seed after maintainers accept the targeted Testbox runtime-assets proof and exact-head CI; run a final runtime image smoke only if broader container assurance is required.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection on current main shows Docker runtime-assets feeds pnpm store add from a script that also adds every lockfile package, while the lockfile records non-target @zed-industries/codex-acp optional packages matching the linked failure logs.

Is this the best way to solve the issue?

Yes. Filtering the existing store-seed closure by lockfile os/cpu/libc selectors is the narrow maintainable fix and avoids ACPX-specific package hardcoding.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 329fa44d23f4.

Label changes

Label justifications:

  • P2: This is a focused fix for a Docker build regression with limited blast radius to container runtime-assets package seeding.
  • merge-risk: 🚨 availability: The PR changes which packages are seeded before Docker offline prune, so a missed target or closure case could make container builds fail.
  • rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (linked_artifact): Sufficient linked-artifact proof is present: the PR body reports a Testbox-through-Crabbox Docker runtime-assets build exit 0, and the current-head change after that proof is a small dependency-iteration refactor with the same behavior.
  • proof: sufficient: Contributor real behavior proof is sufficient. Sufficient linked-artifact proof is present: the PR body reports a Testbox-through-Crabbox Docker runtime-assets build exit 0, and the current-head change after that proof is a small dependency-iteration refactor with the same behavior.

Evidence reviewed

PR surface:

Tests +121, Other +52. Total +173 across 2 files.

Area       Files  Added  Removed   Net
Source         0      0        0     0
Tests          1    123        2  +121
Docs           0      0        0     0
Config         0      0        0     0
Generated      0      0        0     0
Other          1     77       25   +52
Total          2    200       27  +173

What I checked:

  • Repository policy read: Root AGENTS.md plus scoped scripts/test/extension policy were read; the review applied the deep PR review, dependency-contract, protected-label, and script-wrapper guidance. (AGENTS.md:9, 329fa44d23f4)
  • Current Docker entry point: Current main pipes pnpm list --prod --depth Infinity --json through scripts/list-prod-store-packages.mjs into pnpm store add before offline pnpm prune --prod with Linux target selectors. (Dockerfile:132, 329fa44d23f4)
  • Current main failure surface: Current main's list script still adds every package key from pnpm-lock.yaml, so non-target optional platform packages can be fed to pnpm store add. (scripts/list-prod-store-packages.mjs:55, 329fa44d23f4)
  • Shipped behavior check: The latest release tag v2026.6.1 contains the same runtime-assets store-seed path and old add-all-lockfile-package script shape, so the PR is not obsolete on the latest release. (scripts/list-prod-store-packages.mjs:55, 2e08f0f4221f)
  • ACP optional package shape: The workspace lockfile records @zed-industries/codex-acp plus Darwin, Linux, and Windows optional platform packages, and the snapshot closure lists them as optional dependencies. (pnpm-lock.yaml:4274, 329fa44d23f4)
  • PR implementation: The PR reads target os/cpu/libc, filters package specs through lockfile selectors, resolves peer-decorated snapshot keys, and includes both normal and optional snapshot dependency closure. (scripts/list-prod-store-packages.mjs:9, ec9f55e742ee)

Likely related people:

  • @vincentkoc: Blame shows 4b55a0e04d41 introduced the current scripts/list-prod-store-packages.mjs and Docker runtime-assets seed path; recent history also ties Vincent Koc to release and runtime packaging work. (role: introduced current script path and recent release/runtime contributor; confidence: high; commits: 4b55a0e04d41, 2e08f0f4221f, 6d5e142b9312; files: scripts/list-prod-store-packages.mjs, Dockerfile, pnpm-lock.yaml)
  • @steipete: Recent history shows Docker live-lane, bundled plugin dependency, and runtime image work near the same runtime-assets and plugin dependency surfaces. (role: recent Docker and bundled plugin dependency contributor; confidence: medium; commits: ae3b10c15c64, 8e0ab35b0ed0, 17085ec1a4b5; files: Dockerfile, scripts/docker/setup.sh, extensions/acpx/package.json)
  • @sallyom: Sally O'Malley has prior merged Docker work around image size and OPENCLAW_EXTENSIONS, so this PR is not only a drive-by proposal even though she is also the PR author. (role: prior Docker feature contributor and current patch author with adjacent history; confidence: medium; commits: 57f19f0d5c10, 499c1ee6e32d, ec9f55e742ee; files: Dockerfile, scripts/docker/setup.sh, scripts/list-prod-store-packages.mjs)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P2 Normal backlog priority with limited blast radius. merge-risk: 🚨 availability 🚨 May cause crashes, hangs, restart loops, stalls, or process outages. labels Jun 9, 2026
@sallyom sallyom marked this pull request as ready for review June 9, 2026 02:02
@clawsweeper clawsweeper Bot added rating: 🦞 diamond lobster Very strong PR readiness with only minor maintainer review expected. and removed rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. labels Jun 9, 2026
@sallyom sallyom force-pushed the codex/docker-store-seed-targets branch from 90349ee to ec9f55e Compare June 9, 2026 02:36
@sallyom sallyom merged commit c8a8152 into openclaw:main Jun 9, 2026
148 of 149 checks passed
vincentkoc pushed a commit that referenced this pull request Jun 9, 2026
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request Jun 9, 2026
Development

Successfully merging this pull request may close these issues.

[Bug]: Build fails on v2026.6.1