Fix plugin tool discovery when a selected wildcard plugin set is resolved against a partial active registry.\n\nRequire scoped registries to cover every requested plugin owner, force cold-load incomplete tool discovery registries without replacing active plugin runtime state, and add regression coverage for the partial-registry path.\n\nFixes #76780.\nThanks @lilesjtu.
Preserve enabled-by-default metadata for manifest command aliases so missing CLI command diagnostics can point users at the parent bundled plugin and the `openclaw plugins enable <plugin>` repair path.
Also carries the current-main deadcode allowlist entry for the command-analysis barrel that blocked CI.
Verified:
- pnpm test src/cli/run-main.test.ts src/plugins/manifest-command-aliases.test.ts
- pnpm deadcode:unused-files
- pnpm exec oxfmt --check --threads=1 scripts/deadcode-unused-files.allowlist.mjs CHANGELOG.md src/cli/run-main-policy.ts src/cli/run-main.test.ts src/plugins/manifest-command-aliases.ts src/plugins/manifest-command-aliases.test.ts
- git diff --check
- PR CI on 6076ff2d52 green, ignoring cancelled auto-response per landing matrix
Keep externalized bundled npm bridge updates on the normal plugin security scanner path instead of granting source-linked official trust without artifact provenance.
Thanks @Lucenx9.
Fixes the session-list plugin metadata hot path by reusing the active workspace-scoped plugin metadata snapshot for manifest model-id normalization and setup CLI backend fallback. Also keeps model-pricing collection on its provided manifest registry and fixes the CI-only hoisted test mock failure.
Validated with targeted plugin/gateway/model-selection tests, CI-shaped gateway startup shard, Testbox `pnpm check:changed`, and green PR CI.
Thanks @rolandrscheel.
Summary:
- The PR adds `sensitive` support to wizard text prompts, routes sensitive Clack prompts through `password()`, ... preserves existing gateway secrets through masked-preview confirms, and adds tests plus a changelog entry.
- Reproducibility: yes. Source inspection shows current main routes onboarding credential entry through visibl ... y provides a concrete Windows PowerShell `openclaw onboard --install-daemon` reproduction with screenshots.
Automerge notes:
- No ClawSweeper repair was needed after automerge opt-in.
Validation:
- ClawSweeper review passed for head a3db64c265.
- Required merge gates passed before the squash merge.
Prepared head SHA: a3db64c265
Review: https://github.com/openclaw/openclaw/pull/76693#issuecomment-4366253531
Co-authored-by: anurag-bg-neu <bheemappagnanamurt.a@northeastern.edu>
External context-engine plugins (e.g. lossless-claw) register via
api.registerContextEngine at load time but ship without
activation.onStartup in their manifest. The gateway startup planner
only considered memory plugins and explicit sidecar plugins, so a
selected non-legacy context engine was omitted from the startup load
plan and never loaded before agent turns resolved the active engine,
producing the "Context engine X is not registered; falling back to
default engine legacy" warning.
Fix: add resolveContextEngineSlotStartupPluginId mirroring the memory
slot pattern; pass contextEngineSlotStartupPluginId into
shouldConsiderForGatewayStartup so the selected context-engine plugin
is included in pluginIds regardless of its manifest activation shape.
Tests: added four regression cases covering include, exclude, legacy
bypass, and id normalization. 82 tests pass.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
`resolvePluginTools` returned an empty tool list when no pre-warmed
channel/active registry was found after startup — the on-demand fallback
removed by PR #76004 was only added back for memory and capability-provider
surfaces, leaving path-based (origin "config") plugin tool factories silent.
Fix: when `resolvePluginToolRegistry` returns null, trigger a standalone
registry load via `ensureStandaloneRuntimePluginRegistryLoaded`, then retry.
Adds regression test asserting tools are resolved without pre-warming.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Run npm install from the managed npm-root manifest so sequential @openclaw/* plugin installs preserve siblings on disk.
Fixes#76571.
Thanks @byungskers and @crpol.
Summary:
- The PR makes `tools.profile: "full"` resolve to a wildcard allowlist, teaches plugin optional-tool allowlist checks to honor `*`, and updates regression tests, docs, and the changelog for browser tool availability.
- Reproducibility: yes. source-level reproduction is high confidence: current main makes `full` resolve to no ... plugin allowlist helpers do not accept `*`. I did not run a live browser session in this read-only review.
Automerge notes:
- PR branch already contained follow-up commit before automerge: docs: update full profile description and add changelog for #76507
Validation:
- ClawSweeper review passed for head b5329de33c.
- Required merge gates passed before the squash merge.
Prepared head SHA: b5329de33c
Review: https://github.com/openclaw/openclaw/pull/76557#issuecomment-4365736091
Co-authored-by: Alex Knight <aknight@atlassian.com>
