fix: allow installed plugins through allowlist

2026-05-06 07:00:43 +00:00 · 2026-04-23 14:25:59 +01:00
parent e6d1ce943c
commit d3dc890821
4 changed files with 87 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -44,6 +44,7 @@ Docs: https://docs.openclaw.ai

 - Thinking defaults/status: raise the implicit default thinking level for reasoning-capable models from legacy `off`/`low` fallback behavior to a safe provider-supported `medium` equivalent when no explicit config default is set, preserve configured-model reasoning metadata when runtime catalog loading is empty, and make `/status` report the same resolved default as runtime.
 - Gateway/model pricing: fetch OpenRouter and LiteLLM pricing asynchronously at startup and extend catalog fetch timeouts to 30 seconds, reducing noisy timeout warnings during slow upstream responses.
+- Plugins/install: add newly installed plugin ids to an existing `plugins.allow` list before enabling them, so allowlisted configs load installed plugins after restart.
 - Status: show `Fast` in `/status` when fast mode is enabled, including config/default-derived fast mode, and omit it when disabled.
 - OpenAI/image generation: detect Azure OpenAI-style image endpoints, use Azure `api-key` auth plus deployment-scoped image URLs, and honor `AZURE_OPENAI_API_VERSION` so image generation and edits work against Azure-hosted OpenAI resources. (#70570) Thanks @zhanggpcsu.
 - Models/auth: merge provider-owned default-model additions from `openclaw models auth login` instead of replacing `agents.defaults.models`, so re-authenticating an OAuth provider such as OpenAI Codex no longer wipes other providers' aliases and per-model params. Migrations that must rename keys (Anthropic -> Claude CLI) opt in with `replaceDefaultModels`. Fixes #69414. (#70435) Thanks @neeravmakwana.
--- a/docs/tools/plugin.md
+++ b/docs/tools/plugin.md
@@ -255,6 +255,10 @@ plugin). Other bundled plugins still need `openclaw plugins enable <id>`.
 plugins. It is not supported with `--link`, which reuses the source path instead
 of copying over a managed install target.

+When `plugins.allow` is already set, `openclaw plugins install` adds the
+installed plugin id to that allowlist before enabling it, so installs are
+immediately loadable after restart.
+
 `openclaw plugins update <id-or-npm-spec>` applies to tracked installs. Passing
 an npm package spec with a dist-tag or exact version resolves the package name
 back to the tracked plugin record and records the new spec for future updates.
--- a/src/cli/plugins-install-persist.test.ts
+++ b/src/cli/plugins-install-persist.test.ts
@@ -0,0 +1,64 @@
+import { beforeEach, describe, expect, it } from "vitest";
+import type { OpenClawConfig } from "../config/config.js";
+import {
+  enablePluginInConfig,
+  recordPluginInstall,
+  resetPluginsCliTestState,
+  writeConfigFile,
+} from "./plugins-cli-test-helpers.js";
+
+describe("persistPluginInstall", () => {
+  beforeEach(() => {
+    resetPluginsCliTestState();
+  });
+
+  it("adds installed plugins to restrictive allowlists before enabling", async () => {
+    const { persistPluginInstall } = await import("./plugins-install-persist.js");
+    const baseConfig = {
+      plugins: {
+        allow: ["memory-core"],
+      },
+    } as OpenClawConfig;
+    const enabledConfig = {
+      plugins: {
+        allow: ["alpha", "memory-core"],
+        entries: {
+          alpha: { enabled: true },
+        },
+      },
+    } as OpenClawConfig;
+    const persistedConfig = {
+      plugins: {
+        ...enabledConfig.plugins,
+        installs: {
+          alpha: {
+            source: "npm",
+            spec: "alpha@1.0.0",
+            installPath: "/tmp/alpha",
+          },
+        },
+      },
+    } as OpenClawConfig;
+
+    enablePluginInConfig.mockImplementation((...args: unknown[]) => {
+      const [cfg, pluginId] = args as [OpenClawConfig, string];
+      expect(pluginId).toBe("alpha");
+      expect(cfg.plugins?.allow).toEqual(["alpha", "memory-core"]);
+      return { config: enabledConfig };
+    });
+    recordPluginInstall.mockReturnValue(persistedConfig);
+
+    const next = await persistPluginInstall({
+      config: baseConfig,
+      pluginId: "alpha",
+      install: {
+        source: "npm",
+        spec: "alpha@1.0.0",
+        installPath: "/tmp/alpha",
+      },
+    });
+
+    expect(next).toBe(persistedConfig);
+    expect(writeConfigFile).toHaveBeenCalledWith(persistedConfig);
+  });
+});
--- a/src/cli/plugins-install-persist.ts
+++ b/src/cli/plugins-install-persist.ts
@@ -12,6 +12,20 @@ import {
  logSlotWarnings,
 } from "./plugins-command-helpers.js";

+function addInstalledPluginToAllowlist(cfg: OpenClawConfig, pluginId: string): OpenClawConfig {
+  const allow = cfg.plugins?.allow;
+  if (!Array.isArray(allow) || allow.length === 0 || allow.includes(pluginId)) {
+    return cfg;
+  }
+  return {
+    ...cfg,
+    plugins: {
+      ...cfg.plugins,
+      allow: [...allow, pluginId].toSorted(),
+    },
+  };
+}
+
 export async function persistPluginInstall(params: {
  config: OpenClawConfig;
  baseHash?: string;
@@ -20,7 +34,10 @@ export async function persistPluginInstall(params: {
  successMessage?: string;
  warningMessage?: string;
 }): Promise<OpenClawConfig> {
-  let next = enablePluginInConfig(params.config, params.pluginId).config;
+  let next = enablePluginInConfig(
+    addInstalledPluginToAllowlist(params.config, params.pluginId),
+    params.pluginId,
+  ).config;
  next = recordPluginInstall(next, {
    pluginId: params.pluginId,
    ...params.install,