Issue Station
Sign In
Tools hereToolbox

openclaw - ✅(Solved) Fix [Bug] 2026.3.22 npm install: ACPX metadata present, ACPX plugin missing, and install resolves to skill [4 pull requests, 6 comments, 6 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#52831Fetched 2026-04-08 01:18:44
View on GitHub
Comments
6
Participants
6
Timeline
13
Reactions
3
Author
evmlionelevmlionel
Participants
arsabooarsaboodefmthddefmthdevmlionelevmlionelHollychou924Hollychou924sercadasercadavincentkocvincentkoc
Timeline (top)
commented ×6subscribed ×3closed ×2locked ×1

After upgrading a global npm install from 2026.3.14 to 2026.3.22, an existing ACP setup using acpx could no longer be configured cleanly.

In this environment, the installed 2026.3.22 package still contains ACPX manifest metadata, but ACPX is not discoverable as a plugin and is not installable through either the bare or scoped plugin install paths. Existing config that references acpx then fails validation.

This looks like a mismatch between the published package contents and the ACPX plugin/install surface, not just local config drift.

Error Message

npm i -g openclaw@latest --no-fund --no-audit --loglevel=error 3. If the ACPX install or naming changed, the config error points to the correct migration path.

Root Cause

After upgrading a global npm install from 2026.3.14 to 2026.3.22, an existing ACP setup using acpx could no longer be configured cleanly.

In this environment, the installed 2026.3.22 package still contains ACPX manifest metadata, but ACPX is not discoverable as a plugin and is not installable through either the bare or scoped plugin install paths. Existing config that references acpx then fails validation.

This looks like a mismatch between the published package contents and the ACPX plugin/install surface, not just local config drift.

Fix Action

Fix / Workaround

Current workaround

PR fix notes

PR #52404: ACP: fully rename acpx plugin

Description (problem / solution / changelog)

Summary

  • Problem: ACP used acpx for the runtime CLI, plugin id, docs, and package naming in a way that mixed runtime identity with plugin identity.
  • Why it matters: contributors and operators were conflating the acpx CLI with the OpenClaw plugin package and config key.
  • What changed: fully aligned the plugin to acpx-plugin across package name, plugin id, backend id, config/docs/examples, tests, and the extension directory name.
  • What did NOT change (scope boundary): the underlying runtime command remains acpx.

Change Type (select all)

  • Refactor required for the fix
  • Docs

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX

Linked Issue/PR

  • Closes #
  • Related #

User-visible / Behavior Changes

  • The ACP runtime plugin is now @openclaw/acpx-plugin.
  • The plugin/backend/config id is now acpx-plugin.
  • Local source installs now use extensions/acpx-plugin.
  • The underlying acpx CLI/binary name is unchanged.

Security Impact (required)

  • New permissions/capabilities? (Yes/No) No
  • Secrets/tokens handling changed? (Yes/No) No
  • New/changed network calls? (Yes/No) No
  • Command/tool execution surface changed? (Yes/No) No
  • Data access scope changed? (Yes/No) No
  • If any Yes, explain risk + mitigation:

Repro + Verification

Environment

  • OS: macOS
  • Runtime/container: Node 22 + pnpm
  • Model/provider: n/a
  • Integration/channel (if any): ACP runtime plugin
  • Relevant config (redacted): ACP enabled with acpx-plugin backend

Steps

  1. Rename the ACP plugin package, plugin id, backend id, docs, and extension path from acpx to acpx-plugin.
  2. Update ACP/runtime/config/install resolution and test fixtures to match the new id.
  3. Build and run focused ACP/plugin verification.

Expected

  • ACP/plugin discovery, auto-enable, session metadata, install hints, and docs consistently use acpx-plugin.
  • The runtime still invokes the acpx CLI.

Actual

  • Matches expected after the rename.

Evidence

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

  • Verified scenarios: focused ACP/plugin tests passed; final branch tip passed pnpm build.
  • Edge cases checked: install hints for local path vs scoped package, session/backend identifier text, bundled metadata copy paths, runtime/backend registry lookups.
  • What you did not verify: live ACP runtime against a real external harness.

Review Conversations

  • I replied to or resolved every bot review conversation I addressed in this PR.
  • I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

  • Backward compatible? (Yes/No) No
  • Config/env changes? (Yes/No) Yes
  • Migration needed? (Yes/No) Yes
  • If yes, exact upgrade steps:
    • Rename ACP backend/config references from acpx to acpx-plugin.
    • Rename plugin entry keys from plugins.entries.acpx to plugins.entries.acpx-plugin.
    • Use @openclaw/acpx-plugin or ./extensions/acpx-plugin for installs.

Failure Recovery (if this breaks)

  • How to disable/revert this change quickly: revert this PR or restore the prior acpx plugin id/package/path set.
  • Files/config to restore: ACP plugin metadata under extensions/acpx-plugin, ACP config/backend references, install hints/docs.
  • Known bad symptoms reviewers should watch for: ACP backend not found, auto-enable missing the plugin, docs/install commands referencing the old id.

Risks and Mitigations

  • Risk: some config or tests may still assume the old acpx plugin id or extension path.
    • Mitigation: updated ACP/plugin tests, docs, install hints, auto-enable logic, bundled metadata tests, and verified with pnpm build.

Changed files

  • AGENTS.md (modified, +1/-0)
  • docs/tools/acp-agents.md (modified, +2/-2)
  • extensions/acpx/package.json (modified, +1/-1)
  • extensions/acpx/skills/acp-router/SKILL.md (modified, +1/-1)
  • src/auto-reply/reply/commands-acp/install-hints.test.ts (modified, +8/-4)
  • src/auto-reply/reply/commands-acp/install-hints.ts (modified, +1/-1)
  • src/plugins/bundled-plugin-naming.test.ts (added, +143/-0)
  • src/plugins/copy-bundled-plugin-metadata.test.ts (modified, +1/-1)

PR #52456: ACP: revert acpx-plugin package naming

Description (problem / solution / changelog)

Summary

  • Problem: the bundled ACP runtime plugin package was renamed to @openclaw/acpx-plugin, which reintroduced the naming split we had decided not to carry forward.
  • Why it matters: docs, install hints, and bundled metadata started telling users to install @openclaw/acpx-plugin even though the stable plugin/backend identity remains acpx.
  • What changed: reverted the bundled package name to @openclaw/acpx, switched ACP install hints back to openclaw plugins install acpx, and updated the bundled metadata/doc references to match.
  • What did NOT change (scope boundary): plugin id/backend id/config keys remain acpx; no ACP runtime behavior changed.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor required for the fix
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

  • Closes #
  • Related #

User-visible / Behavior Changes

  • ACP install guidance now points back to openclaw plugins install acpx.
  • Bundled plugin metadata names the package as @openclaw/acpx again.

Security Impact (required)

  • New permissions/capabilities? (Yes/No) No
  • Secrets/tokens handling changed? (Yes/No) No
  • New/changed network calls? (Yes/No) No
  • Command/tool execution surface changed? (Yes/No) No
  • Data access scope changed? (Yes/No) No
  • If any Yes, explain risk + mitigation:

Repro + Verification

Environment

  • OS: macOS
  • Runtime/container: local dev checkout
  • Model/provider: N/A
  • Integration/channel (if any): ACP install hints / bundled plugin metadata
  • Relevant config (redacted): default local checkout

Steps

  1. Search the repo for @openclaw/acpx-plugin / acpx-plugin references in the bundled ACP plugin surface.
  2. Revert the bundled package name and install/doc hint strings back to acpx.
  3. Run focused ACP install-hint and bundled-metadata tests.

Expected

  • Bundled ACP package metadata, docs, and install hints all consistently use acpx again.

Actual

  • Verified locally after the revert.

Evidence

Attach at least one:

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

  • Verified scenarios: pnpm test -- src/auto-reply/reply/commands-acp/install-hints.test.ts src/plugins/copy-bundled-plugin-metadata.test.ts
  • Edge cases checked: local extensions/acpx hint path and generic install-command override path still pass.
  • What you did not verify: full end-to-end plugin install from a release build.

Review Conversations

  • I replied to or resolved every bot review conversation I addressed in this PR.
  • I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

  • Backward compatible? (Yes/No) Yes
  • Config/env changes? (Yes/No) No
  • Migration needed? (Yes/No) No
  • If yes, exact upgrade steps:

Failure Recovery (if this breaks)

  • How to disable/revert this change quickly: revert this PR; it is string/metadata-only.
  • Files/config to restore: extensions/acpx/package.json, src/auto-reply/reply/commands-acp/install-hints.ts, docs/tools/acp-agents.md
  • Known bad symptoms reviewers should watch for: docs or hints still mentioning @openclaw/acpx-plugin.

Risks and Mitigations

  • Risk: a remaining repo reference still points to acpx-plugin and creates mixed guidance.
    • Mitigation: repo search after the patch only left an unrelated temp-dir test string; focused ACP hint/metadata tests passed.

Changed files

  • docs/tools/acp-agents.md (modified, +2/-2)
  • extensions/acpx/package.json (modified, +1/-1)
  • extensions/acpx/skills/acp-router/SKILL.md (modified, +1/-1)
  • src/auto-reply/reply/commands-acp/install-hints.test.ts (modified, +3/-7)
  • src/auto-reply/reply/commands-acp/install-hints.ts (modified, +1/-1)
  • src/plugins/copy-bundled-plugin-metadata.test.ts (modified, +1/-1)

PR #52491: fix(plugins): distinguish missing entry file from path-escape security violation

Description (problem / solution / changelog)

lobster-biscuit

Closes #52445

Problem

Gateway enters a fatal crash loop during startup when any extension entry point file is missing. The error message says "extension entry escapes package directory" but the file is simply not found (ENOENT) — not a security violation.

This affects AUR/Arch Linux builds and any environment where built-in extensions may be partially installed.

Root cause

src/plugins/discovery.ts:478resolvePackageEntrySource() checks !opened.ok but never inspects opened.reason. openBoundaryFileSync returns SafeOpenSyncResult with reason: "path" for ENOENT and reason: "validation" for actual path-escape violations (safe-open-sync.ts:4).

All failures were treated as security violations, aborting the gateway.

User impact

Gateway cannot start at all. Crash loop on every startup attempt. No workaround except manually creating missing entry files.

Fix

Only emit the security diagnostic when opened.reason === "validation". For "path" (ENOENT) or "io" errors, return null to skip the entry silently.

1 file, +4 lines.

How to verify

  1. Remove or rename an extension entry point file (e.g. extensions/acpx/index.js)
  2. Start gateway
  3. Before: crash loop with "escapes package directory". After: extension skipped, gateway starts.

Tests

The SafeOpenSyncResult type and openBoundaryFileSync are covered by existing tests in safe-open-sync.test.ts. This change is a call-site guard — the function behavior is unchanged.

🤖 Generated with Claude Code

Changed files

  • src/plugins/discovery.ts (modified, +13/-0)

PR #52730: ACPX: align pinned runtime version

Description (problem / solution / changelog)

Summary

  • Problem: extensions/acpx already installs [email protected], but the runtime default pin still enforced 0.1.16.
  • Why it matters: plugin-local install/version checks could report a mismatch against the bundled dependency, and the surfaced config help text advertised an outdated version example.
  • What changed: updated ACPX_PINNED_VERSION to 0.3.1, updated the ACPX manifest help text example, and regenerated bundled plugin metadata.
  • What did NOT change (scope boundary): no ACPX permission model, command resolution, or dependency graph changes beyond aligning the existing pin with the already-installed package.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor required for the fix
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

  • Closes #
  • Related #

User-visible / Behavior Changes

The ACPX plugin now defaults to enforcing [email protected], which matches the bundled dependency already declared in extensions/acpx/package.json. The config UI/help text example now shows 0.3.1 instead of 0.1.16.

Security Impact (required)

  • New permissions/capabilities? (No)
  • Secrets/tokens handling changed? (No)
  • New/changed network calls? (No)
  • Command/tool execution surface changed? (No)
  • Data access scope changed? (No)
  • If any Yes, explain risk + mitigation:

Repro + Verification

Environment

  • OS: macOS
  • Runtime/container: local repo checkout
  • Model/provider: N/A
  • Integration/channel (if any): ACPX runtime plugin
  • Relevant config (redacted): default bundled ACPX config

Steps

  1. Verify the published latest acpx version from npm and compare it with the repo pin points.
  2. Update the stale runtime pin and ACPX manifest example text.
  3. Regenerate bundled plugin metadata and run targeted ACPX tests plus a full build.

Expected

  • Default ACPX version enforcement matches the bundled acpx dependency.
  • Generated metadata stays in sync with the manifest.
  • ACPX plugin tests and build pass.

Actual

  • npm view acpx version dist-tags.latest time --json reports latest 0.3.1.
  • Repo runtime pin now matches 0.3.1, metadata is regenerated, targeted tests pass, and pnpm build passes.

Evidence

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

  • Verified scenarios: confirmed npm registry latest is 0.3.1; confirmed extensions/acpx/package.json was already pinned to 0.3.1; updated the runtime pin and surfaced manifest example; regenerated src/plugins/bundled-plugin-metadata.generated.ts; ran targeted ACPX tests and pnpm build successfully.
  • Edge cases checked: bundled plugin metadata remained in sync via pnpm check:bundled-plugin-metadata.
  • What you did not verify: a live ACPX-backed OpenClaw session against a real external acpx binary.

Review Conversations

  • I replied to or resolved every bot review conversation I addressed in this PR.
  • I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

  • Backward compatible? (Yes)
  • Config/env changes? (No)
  • Migration needed? (No)
  • If yes, exact upgrade steps:

Failure Recovery (if this breaks)

  • How to disable/revert this change quickly: revert this PR or explicitly set plugins.entries.acpx.expectedVersion to the desired override.
  • Files/config to restore: extensions/acpx/src/config.ts, extensions/acpx/openclaw.plugin.json, and regenerated src/plugins/bundled-plugin-metadata.generated.ts.
  • Known bad symptoms reviewers should watch for: ACPX startup/version-check failures if 0.3.1 proves incompatible with a live runtime environment.

Risks and Mitigations

  • Risk: latest acpx may behave differently than older runtime assumptions in untested live environments.
    • Mitigation: the repo already bundles [email protected]; this change only aligns the runtime pin with that existing dependency, and targeted ACPX tests plus pnpm build passed.

Changed files

Code Example

openclaw update --yes --json

---

npm i -g openclaw@latest --no-fund --no-audit --loglevel=error

---

{
  "acp": {
    "enabled": true,
    "backend": "acpx",
    "defaultAgent": "codex"
  },
  "plugins": {
    "entries": {
      "acpx": {
        "enabled": true
      }
    },
    "allow": ["acpx"]
  }
}

---

openclaw plugins list
openclaw plugins inspect acpx
openclaw plugins install acpx
openclaw plugins install @openclaw/acpx
openclaw status

---

Plugin not found: acpx

---

Resolving clawhub:acpx…
   "acpx" is a skill. Use "openclaw skills install acpx" instead.

---

Resolving clawhub:@openclaw/acpx…
   Downloading @openclaw/acpx…
   Package not found on npm: @openclaw/acpx. See https://docs.openclaw.ai/tools/plugin for installable plugins.
   Also not a valid hook pack: Package not found on npm: @openclaw/acpx. See https://docs.openclaw.ai/tools/plugin for installable plugins.

---

Invalid config at ~/.openclaw/openclaw.json:
   - plugins.allow: plugin not found: acpx

---

node -e 'const fs=require("fs"); const p="<OPENCLAW_ROOT>/dist/manifest-registry-D5E7Gxgl.js"; const s=fs.readFileSync(p,"utf8"); console.log(/packageName: "@openclaw\\/acpx"/.test(s), /dirName: "acpx"/.test(s));'

---

true true

---

node -e 'const fs=require("fs"); const path=require("path"); const root="<OPENCLAW_ROOT>/dist/extensions"; console.log(fs.existsSync(path.join(root,"acpx")), fs.readdirSync(root).includes("acpx"));'

---

false false
RAW_BUFFERClick to expand / collapse

Bug type

Regression (worked before, now fails)

Summary

After upgrading a global npm install from 2026.3.14 to 2026.3.22, an existing ACP setup using acpx could no longer be configured cleanly.

In this environment, the installed 2026.3.22 package still contains ACPX manifest metadata, but ACPX is not discoverable as a plugin and is not installable through either the bare or scoped plugin install paths. Existing config that references acpx then fails validation.

This looks like a mismatch between the published package contents and the ACPX plugin/install surface, not just local config drift.

Environment

  • OpenClaw: 2026.3.22
  • Previous version: 2026.3.14
  • OS: Ubuntu 25.10
  • Node: 24.14.0
  • Install method: global npm install
  • Upgrade path used: 
    openclaw update --yes --json
    which ran: 
    npm i -g openclaw@latest --no-fund --no-audit --loglevel=error

Existing config before upgrade

This ACP config was accepted on 2026.3.14:

{
  "acp": {
    "enabled": true,
    "backend": "acpx",
    "defaultAgent": "codex"
  },
  "plugins": {
    "entries": {
      "acpx": {
        "enabled": true
      }
    },
    "allow": ["acpx"]
  }
}

Repro

After upgrading to 2026.3.22, run:

openclaw plugins list
openclaw plugins inspect acpx
openclaw plugins install acpx
openclaw plugins install @openclaw/acpx
openclaw status

Expected

One of these should work cleanly:

  1. acpx is still bundled or discoverable, and the old config continues to work.
  2. acpx is no longer bundled, but there is a supported install path that succeeds.
  3. If the ACPX install or naming changed, the config error points to the correct migration path.

Actual

  1. acpx does not appear in openclaw plugins list.

  2. openclaw plugins inspect acpx says:

    Plugin not found: acpx

  3. openclaw plugins install acpx resolves to a skill instead of a plugin:

    Resolving clawhub:acpx…
"acpx" is a skill. Use "openclaw skills install acpx" instead.

  4. openclaw plugins install @openclaw/acpx also fails:

    Resolving clawhub:@openclaw/acpx…
Downloading @openclaw/acpx…
Package not found on npm: @openclaw/acpx. See https://docs.openclaw.ai/tools/plugin for installable plugins.
Also not a valid hook pack: Package not found on npm: @openclaw/acpx. See https://docs.openclaw.ai/tools/plugin for installable plugins.

  5. If the old ACPX config is left in place, config validation fails:

    Invalid config at ~/.openclaw/openclaw.json:
- plugins.allow: plugin not found: acpx

Evidence

The installed package still appears to know about ACPX in metadata:

node -e 'const fs=require("fs"); const p="<OPENCLAW_ROOT>/dist/manifest-registry-D5E7Gxgl.js"; const s=fs.readFileSync(p,"utf8"); console.log(/packageName: "@openclaw\\/acpx"/.test(s), /dirName: "acpx"/.test(s));'

Output:

true true

But the ACPX extension directory is missing from the installed package:

node -e 'const fs=require("fs"); const path=require("path"); const root="<OPENCLAW_ROOT>/dist/extensions"; console.log(fs.existsSync(path.join(root,"acpx")), fs.readdirSync(root).includes("acpx"));'

Output:

false false

So in this environment the package looks internally inconsistent:

  • ACPX metadata present
  • ACPX extension files absent
  • ACPX not discoverable via openclaw plugins list
  • ACPX not installable via openclaw plugins install acpx
  • ACPX not installable via openclaw plugins install @openclaw/acpx

Why this looks release-related

I checked the v2026.3.22 release notes and recent ACPX PRs:

Given that #52456 reverted the naming change before the 2026.3.22 release commit, this does not look like a normal acpx -> acpx-plugin migration case.

Possibly related packaging regressions in the same release line:

Current workaround

To restore a clean running setup locally, I had to:

  • disable ACP
  • remove stale plugins.entries.acpx config
  • remove "acpx" from plugins.allow

That restores a healthy gateway, but ACP/Codex is unavailable.

Questions

  1. Is ACPX supposed to be bundled or discoverable in the published 2026.3.22 npm package?
  2. If yes, is the published package missing the ACPX extension files?
  3. If no, what is the supported install path for ACPX on 2026.3.22?
  4. Why does openclaw plugins install acpx resolve to a skill instead of the ACP plugin?
  5. Should existing config that references:
    • acp.backend = "acpx"
    • plugins.entries.acpx
    • plugins.allow: ["acpx"] fail with a clearer migration or install hint?

Impact

  • Breaks existing ACP setups on upgrade
  • Prevents clean ACP/Codex setup after upgrade
  • Can invalidate config if old ACPX references remain
  • Forces users onto non-ACP fallbacks even when ACP previously worked

extent analysis

Fix Plan

To resolve the issue with ACPX not being discoverable or installable after upgrading to 2026.3.22, follow these steps:

  1. Check the ACPX plugin installation:

    • Verify if the ACPX plugin is correctly installed and configured.
    • If not, try installing it using the correct installation path.

  2. Update the configuration:

    • Remove the stale plugins.entries.acpx config.
    • Remove "acpx" from plugins.allow.
    • Update acp.backend to use the correct plugin name if it has changed.

  3. Verify the ACPX extension files:

    • Check if the ACPX extension files are present in the installed package.
    • If not, try reinstalling the package or checking for any packaging regressions.

Example configuration updates:

{
  "acp": {
    "enabled": true,
    "backend": "acpx-plugin", // Update the backend to the correct plugin name
    "defaultAgent": "codex"
  },
  "plugins": {
    "entries": {
      // Remove the stale acpx config
      // "acpx": {
      //   "enabled": true
      // }
    },
    "allow": [
      // Remove "acpx" from the allow list
      // "acpx"
    ]
  }
}

Verification

To verify that the fix worked:

  1. Run openclaw plugins list to check if the ACPX plugin is discoverable.
  2. Run openclaw plugins inspect acpx to check if the ACPX plugin is correctly installed.
  3. Run openclaw status to check if the configuration is valid and the ACPX plugin is enabled.

Extra Tips

  • Always check the release notes and recent PRs for any changes or regressions that may affect the ACPX plugin.
  • Verify the packaging and installation of the ACPX plugin to ensure it is correctly installed and configured.
  • Update the configuration to use the correct plugin name and remove any stale config references.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#dependency error#configuration error#environment variable#network issue#logging issue

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING