test: broaden plugin install update coverage

2026-05-06 18:40:44 +00:00 · 2026-05-02 02:57:00 +01:00
parent 62b20e7fa2
commit 7ed73f5383
12 changed files with 416 additions and 11 deletions
--- a/docs/help/testing-updates-plugins.md
+++ b/docs/help/testing-updates-plugins.md
@@ -33,8 +33,8 @@ Update and plugin tests protect these contracts:
 - Plugin npm dependencies are installed in the managed npm root, scanned before
  trust, and removed through npm during uninstall so hoisted dependencies do not
  linger.
- Plugin update is stable when nothing changed: install records, resolved source,
-  and enabled state stay intact.
+- Plugin update is stable when nothing changed: install records, resolved
+  source, installed dependency layout, and enabled state stay intact.

 ## Local proof during development

@@ -83,9 +83,11 @@ pnpm test:docker:update-migration
 Important lanes:

 - `test:docker:plugins` validates plugin install smoke, local folder installs,
-  local folders with preinstalled dependencies, git installs with package
-  dependencies, npm package dependency installs, local ClawHub fixture installs,
-  marketplace update behavior, and Claude-bundle enable/inspect. Set
+  local folder update skip behavior, local folders with preinstalled
+  dependencies, `file:` package installs, git installs with CLI execution, git
+  moving-ref updates, npm registry installs with hoisted transitive
+  dependencies, npm update no-ops, local ClawHub fixture installs and update
+  no-ops, marketplace update behavior, and Claude-bundle enable/inspect. Set
  `OPENCLAW_PLUGINS_E2E_CLAWHUB=0` to keep the ClawHub block hermetic/offline.
 - `test:docker:plugin-update` validates that an unchanged installed plugin does
  not reinstall or lose install metadata during `openclaw plugins update`.
@@ -234,6 +236,10 @@ can fail for the right reason:
 - Published-release migration behavior: `published-upgrade-survivor` scenario.
 - Registry/package source behavior: `test:docker:plugins` fixture or ClawHub
  fixture server.
+- Dependency layout or cleanup behavior: assert both runtime execution and the
+  filesystem boundary. npm dependencies may be hoisted under the managed npm
+  root, so tests should prove the root is scanned/cleaned instead of assuming a
+  package-local `node_modules` tree.

 Keep new Docker fixtures hermetic by default. Use local fixture registries and
 fake packages unless the point of the test is live registry behavior.
--- a/docs/help/testing.md
+++ b/docs/help/testing.md
@@ -632,11 +632,11 @@ The live-model Docker runners also bind-mount only the needed CLI auth homes (or
 - MCP channel bridge (seeded Gateway + stdio bridge + raw Claude notification-frame smoke): `pnpm test:docker:mcp-channels` (script: `scripts/e2e/mcp-channels-docker.sh`)
 - Pi bundle MCP tools (real stdio MCP server + embedded Pi profile allow/deny smoke): `pnpm test:docker:pi-bundle-mcp-tools` (script: `scripts/e2e/pi-bundle-mcp-tools-docker.sh`)
 - Cron/subagent MCP cleanup (real Gateway + stdio MCP child teardown after isolated cron and one-shot subagent runs): `pnpm test:docker:cron-mcp-cleanup` (script: `scripts/e2e/cron-mcp-cleanup-docker.sh`)
- Plugins (install smoke, ClawHub kitchen-sink install/uninstall, marketplace updates, and Claude-bundle enable/inspect): `pnpm test:docker:plugins` (script: `scripts/e2e/plugins-docker.sh`)
+- Plugins (install/update smoke for local path, `file:`, npm registry with hoisted dependencies, git moving refs, ClawHub kitchen-sink, marketplace updates, and Claude-bundle enable/inspect): `pnpm test:docker:plugins` (script: `scripts/e2e/plugins-docker.sh`)
  Set `OPENCLAW_PLUGINS_E2E_CLAWHUB=0` to skip the ClawHub block, or override the default kitchen-sink package/runtime pair with `OPENCLAW_PLUGINS_E2E_CLAWHUB_SPEC` and `OPENCLAW_PLUGINS_E2E_CLAWHUB_ID`. Without `OPENCLAW_CLAWHUB_URL`/`CLAWHUB_URL`, the test uses a hermetic local ClawHub fixture server.
 - Plugin update unchanged smoke: `pnpm test:docker:plugin-update` (script: `scripts/e2e/plugin-update-unchanged-docker.sh`)
 - Config reload metadata smoke: `pnpm test:docker:config-reload` (script: `scripts/e2e/config-reload-source-docker.sh`)
- Plugins: `pnpm test:docker:plugins` covers install smoke, local ClawHub fixture installs, marketplace updates, npm package dependency installs, and Claude-bundle enable/inspect. `pnpm test:docker:plugin-update` covers unchanged update behavior for installed plugins.
+- Plugins: `pnpm test:docker:plugins` covers install/update smoke for local path, `file:`, npm registry with hoisted dependencies, git moving refs, ClawHub fixtures, marketplace updates, and Claude-bundle enable/inspect. `pnpm test:docker:plugin-update` covers unchanged update behavior for installed plugins.

 To prebuild and reuse the shared functional image manually:

--- a/docs/plugins/dependency-resolution.md
+++ b/docs/plugins/dependency-resolution.md
@@ -46,6 +46,11 @@ npm installs run in the npm root with:
 npm install --prefix ~/.openclaw/npm <spec> --omit=dev --ignore-scripts --no-audit --no-fund
 ```

+npm may hoist transitive dependencies to `~/.openclaw/npm/node_modules` beside
+the plugin package. OpenClaw scans the managed npm root before trusting the
+install and uses npm to remove npm-managed packages during uninstall, so hoisted
+runtime dependencies stay inside the managed cleanup boundary.
+
 git installs clone or refresh the repository, then run:

 ```bash
@@ -53,7 +58,8 @@ npm install --omit=dev --ignore-scripts --no-audit --no-fund
 ```

 The installed plugin then loads from that package directory, so package-local
-`node_modules` resolution works the same way it does for a normal Node package.
+and parent `node_modules` resolution works the same way it does for a normal
+Node package.

 ## Local plugins

--- a/docs/reference/test.md
+++ b/docs/reference/test.md
@@ -46,6 +46,7 @@ title: "Tests"
 - `pnpm test:docker:upgrade-survivor`: Installs the packed OpenClaw tarball over a dirty old-user fixture, runs package update plus non-interactive doctor without live provider or channel keys, then starts a loopback Gateway and checks that agents, channel config, plugin allowlists, workspace/session files, stale legacy plugin dependency state, startup, and RPC status survive.
 - `pnpm test:docker:published-upgrade-survivor`: Installs `openclaw@latest` by default, seeds realistic existing-user files without live provider or channel keys, configures that baseline with a baked `openclaw config set` command recipe, updates that published install to the packed OpenClaw tarball, runs non-interactive doctor, writes `.artifacts/upgrade-survivor/summary.json`, then starts a loopback Gateway and checks that configured intents, workspace/session files, stale plugin config and legacy dependency state, startup, `/healthz`, `/readyz`, and RPC status survive or repair cleanly. Override one baseline with `OPENCLAW_UPGRADE_SURVIVOR_BASELINE_SPEC`, expand an exact matrix with `OPENCLAW_UPGRADE_SURVIVOR_BASELINE_SPECS`, or add scenario fixtures with `OPENCLAW_UPGRADE_SURVIVOR_SCENARIOS=reported-issues`; Package Acceptance exposes those as `published_upgrade_survivor_baseline`, `published_upgrade_survivor_baselines`, and `published_upgrade_survivor_scenarios`.
 - `pnpm test:docker:update-migration`: Runs the published-upgrade survivor harness in the cleanup-heavy `plugin-deps-cleanup` scenario, starting at `openclaw@2026.4.23` by default. The separate `Update Migration` workflow expands this lane with `baselines=all-since-2026.4.23` so every stable published package from `.23` onward updates to the candidate and proves configured-plugin dependency cleanup outside Full Release CI.
+- `pnpm test:docker:plugins`: Runs install/update smoke for local path, `file:`, npm registry packages with hoisted dependencies, git moving refs, ClawHub fixtures, marketplace updates, and Claude-bundle enable/inspect.

 ## Local PR gate

--- a/docs/tools/plugin.md
+++ b/docs/tools/plugin.md
@@ -100,9 +100,10 @@ Plugin dependency installation happens only during explicit install/update or
 doctor repair flows. Gateway startup, config reload, and runtime inspection do
 not run package managers or repair dependency trees. Local plugins must already
 have their dependencies installed, while npm, git, and ClawHub plugins are
-installed under OpenClaw's managed plugin roots with package-local
-dependencies. External plugins and custom load paths must still be installed
-through `openclaw plugins install`.
+installed under OpenClaw's managed plugin roots. npm dependencies may be hoisted
+within OpenClaw's managed npm root; install/update scans that managed root before
+trust and uninstall removes npm-managed packages through npm. External plugins
+and custom load paths must still be installed through `openclaw plugins install`.
 See [Plugin dependency resolution](/plugins/dependency-resolution) for the
 install-time lifecycle.