refactor: simplify plugin dependency handling

Simplify plugin installation and runtime loading around package-manager-owned dependencies, with Jiti reserved for local/TS fallback paths.

Also scans npm plugin install roots so hoisted transitive dependencies are covered by dependency denylist and node_modules symlink checks.
This commit is contained in:
Peter Steinberger
2026-05-01 21:32:22 +01:00
committed by GitHub
parent 2e8e9cd6ca
commit ed8f50f240
294 changed files with 2562 additions and 25454 deletions


@@ -258,13 +258,12 @@ dual-format packages from being partially installed as bundles.
- Third-party compatible bundles do not get startup `npm install` repair. They
should be installed through `openclaw plugins install` and ship everything
they need in the installed plugin directory.
- OpenClaw-owned packaged bundled plugins have a narrow exception: when one is
enabled, Gateway startup can repair missing declared runtime dependencies
before import. Operators can inspect or repair that stage with
`openclaw plugins deps`.
- The release pipeline is still responsible for shipping a complete bundled
dependency payload when possible (see the postpublish verification rule in
[Releasing](/reference/RELEASING)).
- OpenClaw-owned bundled plugins are either shipped lightweight in core or
downloadable through the plugin installer. Gateway startup never runs a
package manager for them.
- `openclaw doctor --fix` removes legacy staged dependency directories and can
install configured downloadable plugins that are missing from the local
plugin index.
## Security
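Review bot: The added bullet on `openclaw doctor --fix` says it "can install configured downloadable plugins that are missing from the local plugin index" but does not say whether those installs go through the same path and checks as `openclaw plugins install`, which the preceding bullet names as the supported install route. Since this section sits directly above "## Security", state explicitly that doctor-driven installs are subject to the same install-time scanning, or note where they differ. Two related gaps in the same hunk: the removed text pointed operators at `openclaw plugins deps`, and the replacement does not say whether that command still exists or what to use instead; and the new statement that "Gateway startup never runs a package manager for them" leaves out what startup does when an enabled OpenClaw-owned plugin is missing a runtime dependency. A sentence describing the failure behavior and directing the operator to `openclaw doctor --fix` would close that. The removed reference to the postpublish verification rule in Releasing also has no replacement here; if that rule still applies to the plugins shipped lightweight in core, keep the link.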