PR #60701: fix(plugins): workspace scanner treats non-plugin .js files as broken plugin candidates

• Repository: openclaw/openclaw
• Author: Scelex
• State: closed | merged: False
• Link: https://github.com/openclaw/openclaw/pull/60701

Description (problem / solution / changelog)

Summary

Fixes #60686. After 2026.4.3, workspaces containing Python virtual environments or non-plugin script files cause the gateway to fail with Config invalid errors because the workspace discovery scanner treats all .js/.ts files as plugin candidates.

Two changes:

• discovery.ts: Add .venv and venv to SCANNED_DIRECTORY_IGNORE_NAMES so Python virtual environments (which contain many .js files in emscripten/webpack dirs) are skipped during workspace scanning
• manifest-registry.ts: Downgrade "plugin manifest not found" diagnostic from error to warn specifically for workspace-origin candidates, since workspace discovery is opportunistic and a missing manifest just means the file is not a plugin. Other manifest errors (parse failures, unsafe paths) remain at error level for all origins.

Test plan

• Added test: workspace-origin candidates with missing manifests produce warn (not error) diagnostics
• Added test: non-workspace origins (global, config) with missing manifests still produce error diagnostics
• pnpm test src/plugins/manifest-registry.test.ts -- 27/27 passing
• Reviewed by GPT-5.4 (Codex) -- addressed both findings (scoped downgrade to missing-manifest only, dropped overly generic env directory name)

Changed files

• .agents/maintainers.md (added, +1/-0)
• .agents/skills/openclaw-ghsa-maintainer/SKILL.md (added, +87/-0)
• .agents/skills/openclaw-parallels-smoke/SKILL.md (added, +97/-0)
• .agents/skills/openclaw-pr-maintainer/SKILL.md (added, +75/-0)
• .agents/skills/openclaw-release-maintainer/SKILL.md (added, +267/-0)
• .agents/skills/openclaw-test-heap-leaks/SKILL.md (added, +75/-0)
• .agents/skills/openclaw-test-heap-leaks/agents/openai.yaml (added, +4/-0)
• .agents/skills/openclaw-test-heap-leaks/scripts/heapsnapshot-delta.mjs (added, +553/-0)
• .agents/skills/parallels-discord-roundtrip/SKILL.md (added, +62/-0)
• .agents/skills/security-triage/SKILL.md (added, +108/-0)
• .codex (added, +0/-0)
• .detect-secrets.cfg (added, +45/-0)
• .dockerignore (added, +72/-0)
• .env.example (added, +80/-0)
• .gitattributes (added, +3/-0)
• .github/CODEOWNERS (added, +54/-0)
• .github/ISSUE_TEMPLATE/bug_report.yml (added, +148/-0)
• .github/ISSUE_TEMPLATE/config.yml (added, +8/-0)
• .github/ISSUE_TEMPLATE/feature_request.yml (added, +70/-0)
• .github/actionlint.yaml (added, +23/-0)
• .github/actions/detect-docs-changes/action.yml (added, +53/-0)
• .github/actions/ensure-base-commit/action.yml (added, +61/-0)
• .github/actions/setup-node-env/action.yml (added, +99/-0)
• .github/actions/setup-pnpm-store-cache/action.yml (added, +76/-0)
• .github/codeql/codeql-javascript-typescript.yml (added, +18/-0)
• .github/dependabot.yml (added, +127/-0)
• .github/instructions/copilot.instructions.md (added, +64/-0)
• .github/labeler.yml (added, +340/-0)
• .github/pull_request_template.md (added, +147/-0)
• .github/workflows/auto-response.yml (added, +530/-0)
• .github/workflows/ci.yml (added, +1207/-0)
• .github/workflows/codeql.yml (added, +137/-0)
• .github/workflows/docker-release.yml (added, +389/-0)
• .github/workflows/install-smoke.yml (added, +207/-0)
• .github/workflows/labeler.yml (added, +877/-0)
• .github/workflows/macos-release.yml (added, +93/-0)
• .github/workflows/openclaw-npm-release.yml (added, +424/-0)
• .github/workflows/plugin-clawhub-release.yml (added, +276/-0)
• .github/workflows/plugin-npm-release.yml (added, +217/-0)
• .github/workflows/sandbox-common-smoke.yml (added, +64/-0)
• .github/workflows/stale.yml (added, +217/-0)
• .github/workflows/workflow-sanity.yml (added, +98/-0)
• .gitignore (added, +145/-0)
• .jscpd.json (added, +16/-0)
• .mailmap (added, +13/-0)
• .markdownlint-cli2.jsonc (added, +55/-0)
• .npmignore (added, +3/-0)
• .npmrc (added, +4/-0)
• .oxfmtrc.jsonc (added, +26/-0)
• .oxlintrc.json (added, +39/-0)
• .pi/extensions/diff.ts (added, +117/-0)
• .pi/extensions/files.ts (added, +134/-0)
• .pi/extensions/prompt-url-widget.ts (added, +190/-0)
• .pi/extensions/redraws.ts (added, +26/-0)
• .pi/extensions/ui/paged-select.ts (added, +82/-0)
• .pi/git/.gitignore (added, +2/-0)
• .pi/prompts/cl.md (added, +58/-0)
• .pi/prompts/is.md (added, +22/-0)
• .pi/prompts/landpr.md (added, +73/-0)
• .pi/prompts/reviewpr.md (added, +134/-0)
• .pre-commit-config.yaml (added, +157/-0)
• .prettierignore (added, +1/-0)
• .secrets.baseline (added, +13017/-0)
• .shellcheckrc (added, +25/-0)
• .swiftformat (added, +51/-0)
• .swiftlint.yml (added, +150/-0)
• .vscode/extensions.json (added, +3/-0)
• .vscode/settings.json (added, +22/-0)
• AGENTS.md (added, +304/-0)
• CHANGELOG.md (added, +5420/-0)
• CLAUDE.md (added, +1/-0)
• CONTRIBUTING.md (added, +211/-0)
• Dockerfile (added, +264/-0)
• Dockerfile.sandbox (added, +24/-0)
• Dockerfile.sandbox-browser (added, +36/-0)
• Dockerfile.sandbox-common (added, +48/-0)
• LICENSE (added, +21/-0)
• Makefile (added, +4/-0)
• README.md (added, +614/-0)
• SECURITY.md (added, +322/-0)
• Swabble/.github/workflows/ci.yml (added, +54/-0)
• Swabble/.gitignore (added, +33/-0)
• Swabble/.swiftformat (added, +8/-0)
• Swabble/.swiftlint.yml (added, +43/-0)
• Swabble/CHANGELOG.md (added, +11/-0)
• Swabble/LICENSE (added, +21/-0)
• Swabble/Package.resolved (added, +69/-0)
• Swabble/Package.swift (added, +55/-0)
• Swabble/README.md (added, +111/-0)
• Swabble/Sources/SwabbleCore/Config/Config.swift (added, +77/-0)
• Swabble/Sources/SwabbleCore/Hooks/HookExecutor.swift (added, +75/-0)
• Swabble/Sources/SwabbleCore/Speech/BufferConverter.swift (added, +50/-0)
• Swabble/Sources/SwabbleCore/Speech/SpeechPipeline.swift (added, +114/-0)
• Swabble/Sources/SwabbleCore/Support/AttributedString+Sentences.swift (added, +62/-0)
• Swabble/Sources/SwabbleCore/Support/Logging.swift (added, +41/-0)
• Swabble/Sources/SwabbleCore/Support/OutputFormat.swift (added, +45/-0)
• Swabble/Sources/SwabbleCore/Support/TranscriptsStore.swift (added, +45/-0)
• Swabble/Sources/SwabbleKit/WakeWordGate.swift (added, +191/-0)
• Swabble/Sources/swabble/CLI/CLIRegistry.swift (added, +71/-0)
• Swabble/Sources/swabble/Commands/DoctorCommand.swift (added, +37/-0)

PR #60680: fix(plugins): require manifest guard before promoting bare files as plugin candidates

• Repository: openclaw/openclaw
• Author: GitZhangChi
• State: closed | merged: False
• Link: https://github.com/openclaw/openclaw/pull/60680

Description (problem / solution / changelog)

Summary

• Problem: recursive workspace discovery promoted ordinary helper scripts under workspace scripts/ trees into plugin candidates.
• Why it matters: gateway startup could fail with plugin manifest not found errors for normal workspace and skill-local script directories.
• What changed: recursive discovery now requires openclaw.plugin.json presence in a directory before treating bare extension files as plugin candidates.
• Scope boundary: explicit plugin load paths and manifest/package-based discovery behavior are unchanged.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #60686
• This PR fixes a bug or regression

Root Cause (if applicable)

• Root cause: recursive scanning from the workspace root reused bare extension-file candidate rules that are only safe in dedicated extension directories.
• Missing detection / guardrail: recursive discovery accepted bare extension files without first requiring manifest presence in the containing directory.
• Contributing context (if known): ordinary workspaces commonly have helper scripts under workspace/scripts and workspace/skills/**/scripts.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/plugins/discovery.test.ts
• Scenario the test should lock in: recursive workspace discovery must not promote plain workspace/scripts/*.js or workspace/skills/**/scripts/*.js files into plugin candidates.
• Why this is the smallest reliable guardrail: the bug lives in candidate selection inside discovery, before runtime/plugin init.
• Existing test that already covers this (if any): None found.
• If no new test is added, why not: N/A

User-visible / Behavior Changes

• Gateway startup no longer fails on ordinary workspace script files during recursive workspace discovery.

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (No)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

• OS: macOS
• Runtime/container: local Node/tsx CLI run
• Model/provider: N/A
• Relevant config (redacted): workspace with plain script trees under workspace/scripts and workspace/skills/**/scripts

Steps

1. Use a workspace containing plain helper scripts under workspace/scripts and skill-local scripts/ directories.
2. Start openclaw gateway --verbose on the regressed main path.
3. Observe manifest lookup against .../scripts/openclaw.plugin.json for non-plugin directories.

Expected

• Ordinary workspace helper scripts should not be treated as plugin candidates.
• Gateway should continue startup.

Actual

• Startup fails with plugin manifest not found errors for normal scripts/ directories.

Evidence

• Failing test/log before + passing after
• Screenshot/recording
• Perf numbers (if relevant)

Example failing log before the fix:

Invalid config at ~/.openclaw/openclaw.json:
- plugins: plugin: plugin manifest not found: .../workspace/scripts/openclaw.plugin.json
- plugins: plugin: plugin manifest not found: .../workspace/skills/user/.../scripts/openclaw.plugin.json

Human Verification (required)

• Verified scenarios:
  • Reproduced startup failure on an affected local config against the regressed main path.
  • Verified the patched path no longer fails immediately on the same workspace layout.
  • Added a discovery regression test covering bare JS files under workspace script trees.
  • Addressed all bot review P2 items: env isolation via buildDiscoveryEnv, removed extra blank line, added positive no-error assertion.
• Edge cases checked:
  • Explicit plugin load paths were not modified.
  • Dedicated extension roots were not modified.
• What you did not verify:
  • Full CI matrix.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: recursive discovery may skip a bare file plugin placed in a recursively scanned directory without a manifest.
  • Mitigation: manifest-backed discovery and explicit load paths remain intact, and plugin startup already assumes manifest presence.

Changed files

• src/plugins/discovery.test.ts (modified, +28/-0)
• src/plugins/discovery.ts (modified, +4/-0)
• src/ui-app-settings.agents-files-refresh.test.ts (modified, +4/-0)
• ui/src/ui/app-settings.test.ts (modified, +8/-0)

PR #60875: fix(plugins): downgrade workspace manifest-not-found diagnostic to warn via typed failure reason

• Repository: openclaw/openclaw
• Author: Scelex
• State: open | merged: False
• Link: https://github.com/openclaw/openclaw/pull/60875

Description (problem / solution / changelog)

Summary

Addresses the narrower variant of #60686: loose top-level files or directories with an index.js under .openclaw/extensions are treated as workspace plugin candidates and fail with "plugin manifest not found" at error level, which can block gateway startup.

This PR does not add venv directory ignores (the original issue's example paths are not reachable through current workspace discovery, which is scoped to .openclaw/extensions).

Changes

src/plugins/manifest.ts:

• Export ManifestLoadFailureReason union type: "not-found" | "unsafe-path" | "parse-error" | "invalid"
• Add reason field to the failure branch of PluginManifestLoadResult
• Tag each failure return in loadPluginManifest with the appropriate reason

src/plugins/bundle-manifest.ts:

• Add reason field to BundleManifestLoadResult and BundleManifestFileLoadResult failure branches
• Tag each failure return in loadBundleManifestFile with the appropriate reason

src/plugins/manifest-registry.ts:

• Use manifestRes.reason === "not-found" instead of string matching on manifestRes.error
• Downgrade to warn only for workspace-origin candidates with not-found reason; all other failure reasons remain error for all origins

Test plan

• pnpm test src/plugins/manifest-registry.test.ts -- 27/27 passing
• pnpm test src/plugins/discovery.test.ts -- 28/28 passing
• pnpm tsgo -- clean (only pre-existing extensions/matrix/src/doctor.ts error on main)
• Test: workspace-origin candidates with missing manifests produce warn not error
• Test: non-workspace origins with missing manifests still produce error

Supersedes #60701, which was closed for review feedback (now addressed).

Changed files

• src/plugins/bundle-manifest.ts (modified, +22/-6)
• src/plugins/manifest-registry.test.ts (modified, +27/-0)
• src/plugins/manifest-registry.ts (modified, +3/-1)
• src/plugins/manifest.ts (modified, +21/-6)