openclaw
diff --git a/‎apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift‎
Lines changed: 4 additions & 4 deletions b/‎apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎package.json‎
Lines changed: 1 addition & 1 deletion b/‎package.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎scripts/pr‎
Lines changed: 25 additions & 0 deletions b/‎scripts/pr‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎scripts/release-check.ts‎
Lines changed: 98 additions & 5 deletions b/‎scripts/release-check.ts‎
Lines changed: 98 additions & 5 deletions
diff --git a/‎src/agents/models-config.fills-missing-provider-apikey-from-env-var.test.ts‎
Lines changed: 15 additions & 0 deletions b/‎src/agents/models-config.fills-missing-provider-apikey-from-env-var.test.ts‎
Lines changed: 15 additions & 0 deletions
@@ -22,7 +22,7 @@ enum HostEnvSecurityPolicy {
         "PS4",
         "GCONV_PATH",
         "IFS",
-        "SSLKEYLOGFILE",
+        "SSLKEYLOGFILE"
     ]
 
     static let blockedOverrideKeys: Set<String> = [
@@ -50,17 +50,17 @@ enum HostEnvSecurityPolicy {
         "OPENSSL_ENGINES",
         "PYTHONSTARTUP",
         "WGETRC",
-        "CURL_HOME",
+        "CURL_HOME"
     ]
 
     static let blockedOverridePrefixes: [String] = [
         "GIT_CONFIG_",
-        "NPM_CONFIG_",
+        "NPM_CONFIG_"
     ]
 
     static let blockedPrefixes: [String] = [
         "DYLD_",
         "LD_",
-        "BASH_FUNC_",
+        "BASH_FUNC_"
     ]
 }
@@ -227,7 +227,7 @@
     "build:plugin-sdk:dts": "tsc -p tsconfig.plugin-sdk.dts.json",
     "build:strict-smoke": "pnpm canvas:a2ui:bundle && node scripts/tsdown-build.mjs && node scripts/copy-plugin-sdk-root-alias.mjs && pnpm build:plugin-sdk:dts",
     "canvas:a2ui:bundle": "bash scripts/bundle-a2ui.sh",
-    "check": "pnpm format:check && pnpm tsgo && pnpm lint && pnpm lint:tmp:no-random-messaging && pnpm lint:tmp:channel-agnostic-boundaries && pnpm lint:tmp:no-raw-channel-fetch && pnpm lint:agent:ingress-owner && pnpm lint:plugins:no-register-http-handler && pnpm lint:plugins:no-monolithic-plugin-sdk-entry-imports && pnpm lint:webhook:no-low-level-body-read && pnpm lint:auth:no-pairing-store-group && pnpm lint:auth:pairing-account-scope && pnpm check:host-env-policy:swift",
+    "check": "pnpm check:host-env-policy:swift && pnpm format:check && pnpm tsgo && pnpm lint && pnpm lint:tmp:no-random-messaging && pnpm lint:tmp:channel-agnostic-boundaries && pnpm lint:tmp:no-raw-channel-fetch && pnpm lint:agent:ingress-owner && pnpm lint:plugins:no-register-http-handler && pnpm lint:plugins:no-monolithic-plugin-sdk-entry-imports && pnpm lint:webhook:no-low-level-body-read && pnpm lint:auth:no-pairing-store-group && pnpm lint:auth:pairing-account-scope",
     "check:docs": "pnpm format:docs:check && pnpm lint:docs && pnpm docs:check-links",
     "check:host-env-policy:swift": "node scripts/generate-host-env-security-policy-swift.mjs --check",
     "check:loc": "node --import tsx scripts/check-ts-max-loc.ts --max 500",
 
@@ -229,6 +229,30 @@ checkout_prep_branch() {
   git checkout "$prep_branch"
 }
 
+verify_prep_branch_matches_prepared_head() {
+  local pr="$1"
+  local prepared_head_sha="$2"
+
+  require_artifact .local/prep-context.env
+  checkout_prep_branch "$pr"
+
+  local prep_branch_head_sha
+  prep_branch_head_sha=$(git rev-parse HEAD)
+  if [ "$prep_branch_head_sha" = "$prepared_head_sha" ]; then
+    return 0
+  fi
+
+  echo "Local prep branch moved after prepare-push (expected $prepared_head_sha, got $prep_branch_head_sha)."
+  if git merge-base --is-ancestor "$prepared_head_sha" "$prep_branch_head_sha" 2>/dev/null; then
+    echo "Unpushed local commits on prep branch:"
+    git log --oneline "${prepared_head_sha}..${prep_branch_head_sha}" | sed 's/^/  /' || true
+    echo "Run scripts/pr prepare-sync-head $pr to push them before merge."
+  else
+    echo "Prep branch no longer contains the prepared head. Re-run prepare-init."
+  fi
+  exit 1
+}
+
 resolve_head_push_url() {
   # shellcheck disable=SC1091
   source .local/pr-meta.env
@@ -1667,6 +1691,7 @@ merge_verify() {
   require_artifact .local/prep.env
   # shellcheck disable=SC1091
   source .local/prep.env
+  verify_prep_branch_matches_prepared_head "$pr" "$PREP_HEAD_SHA"
 
   local json
   json=$(pr_meta_json "$pr")
 
@@ -8,6 +8,17 @@ import { sparkleBuildFloorsFromShortVersion, type SparkleBuildFloors } from "./s
 
 type PackFile = { path: string };
 type PackResult = { files?: PackFile[] };
+type PackageJson = {
+  name?: string;
+  version?: string;
+  dependencies?: Record<string, string>;
+  optionalDependencies?: Record<string, string>;
+  openclaw?: {
+    install?: {
+      npmSpec?: string;
+    };
+  };
+};
 
 const requiredPathGroups = [
   ["dist/index.js", "dist/index.mjs"],
@@ -108,11 +119,6 @@ const appcastPath = resolve("appcast.xml");
 const laneBuildMin = 1_000_000_000;
 const laneFloorAdoptionDateKey = 20260227;
 
-type PackageJson = {
-  name?: string;
-  version?: string;
-};
-
 function normalizePluginSyncVersion(version: string): string {
   const normalized = version.trim().replace(/^v/, "");
   const base = /^([0-9]+\.[0-9]+\.[0-9]+)/.exec(normalized)?.[1];
@@ -122,6 +128,92 @@ function normalizePluginSyncVersion(version: string): string {
   return normalized.replace(/[-+].*$/, "");
 }
 
+const ALLOWLISTED_BUNDLED_EXTENSION_ROOT_DEP_GAPS: Record<string, string[]> = {
+  googlechat: ["google-auth-library"],
+  matrix: ["@matrix-org/matrix-sdk-crypto-nodejs", "@vector-im/matrix-bot-sdk", "music-metadata"],
+  msteams: ["@microsoft/agents-hosting"],
+  nostr: ["nostr-tools"],
+  tlon: ["@tloncorp/api", "@tloncorp/tlon-skill", "@urbit/aura"],
+  zalouser: ["zca-js"],
+};
+
+export function collectBundledExtensionRootDependencyGapErrors(params: {
+  rootPackage: PackageJson;
+  extensions: Array<{ id: string; packageJson: PackageJson }>;
+}): string[] {
+  const rootDeps = {
+    ...params.rootPackage.dependencies,
+    ...params.rootPackage.optionalDependencies,
+  };
+  const errors: string[] = [];
+
+  for (const extension of params.extensions) {
+    if (!extension.packageJson.openclaw?.install?.npmSpec) {
+      continue;
+    }
+
+    const missing = Object.keys(extension.packageJson.dependencies ?? {})
+      .filter((dep) => dep !== "openclaw" && !rootDeps[dep])
+      .toSorted();
+    const allowlisted = [
+      ...(ALLOWLISTED_BUNDLED_EXTENSION_ROOT_DEP_GAPS[extension.id] ?? []),
+    ].toSorted();
+    if (missing.join("\n") !== allowlisted.join("\n")) {
+      const unexpected = missing.filter((dep) => !allowlisted.includes(dep));
+      const resolved = allowlisted.filter((dep) => !missing.includes(dep));
+      const parts = [
+        `bundled extension '${extension.id}' root dependency mirror drift`,
+        `missing in root package: ${missing.length > 0 ? missing.join(", ") : "(none)"}`,
+      ];
+      if (unexpected.length > 0) {
+        parts.push(`new gaps: ${unexpected.join(", ")}`);
+      }
+      if (resolved.length > 0) {
+        parts.push(`remove stale allowlist entries: ${resolved.join(", ")}`);
+      }
+      errors.push(parts.join(" | "));
+    }
+  }
+
+  return errors;
+}
+
+function collectBundledExtensions(): Array<{ id: string; packageJson: PackageJson }> {
+  const extensionsDir = resolve("extensions");
+  const entries = readdirSync(extensionsDir, { withFileTypes: true }).filter((entry) =>
+    entry.isDirectory(),
+  );
+
+  return entries.flatMap((entry) => {
+    const packagePath = join(extensionsDir, entry.name, "package.json");
+    try {
+      return [
+        {
+          id: entry.name,
+          packageJson: JSON.parse(readFileSync(packagePath, "utf8")) as PackageJson,
+        },
+      ];
+    } catch {
+      return [];
+    }
+  });
+}
+
+function checkBundledExtensionRootDependencyMirrors() {
+  const rootPackage = JSON.parse(readFileSync(resolve("package.json"), "utf8")) as PackageJson;
+  const errors = collectBundledExtensionRootDependencyGapErrors({
+    rootPackage,
+    extensions: collectBundledExtensions(),
+  });
+  if (errors.length > 0) {
+    console.error("release-check: bundled extension root dependency mirror validation failed:");
+    for (const error of errors) {
+      console.error(`  - ${error}`);
+    }
+    process.exit(1);
+  }
+}
+
 function runPackDry(): PackResult[] {
   const raw = execSync("npm pack --dry-run --json --ignore-scripts", {
     encoding: "utf8",
@@ -321,6 +413,7 @@ function main() {
   checkPluginVersions();
   checkAppcastSparkleVersions();
   checkPluginSdkExports();
+  checkBundledExtensionRootDependencyMirrors();
 
   const results = runPackDry();
   const files = results.flatMap((entry) => entry.files ?? []);
 
@@ -246,6 +246,21 @@ describe("models-config", () => {
     });
   });
 
+  it("replaces stale merged baseUrl when the provider api changes", async () => {
+    await withTempHome(async () => {
+      const parsed = await runCustomProviderMergeTest({
+        seedProvider: {
+          baseUrl: "https://agent.example/v1",
+          apiKey: "AGENT_KEY", // pragma: allowlist secret
+          api: "openai-completions",
+          models: [{ id: "agent-model", name: "Agent model", input: ["text"] }],
+        },
+      });
+      expect(parsed.providers.custom?.apiKey).toBe("AGENT_KEY");
+      expect(parsed.providers.custom?.baseUrl).toBe("https://config.example/v1");
+    });
+  });
+
   it("replaces stale merged apiKey when provider is SecretRef-managed in current config", async () => {
     await withTempHome(async () => {
       await writeAgentModelsJson({
Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ enum HostEnvSecurityPolicy {`
`22`	`22`	`"PS4",`
`23`	`23`	`"GCONV_PATH",`
`24`	`24`	`"IFS",`
`25`		`- "SSLKEYLOGFILE",`
	`25`	`+ "SSLKEYLOGFILE"`
`26`	`26`	`]`
`27`	`27`
`28`	`28`	`static let blockedOverrideKeys: Set<String> = [`
`@@ -50,17 +50,17 @@ enum HostEnvSecurityPolicy {`
`50`	`50`	`"OPENSSL_ENGINES",`
`51`	`51`	`"PYTHONSTARTUP",`
`52`	`52`	`"WGETRC",`
`53`		`- "CURL_HOME",`
	`53`	`+ "CURL_HOME"`
`54`	`54`	`]`
`55`	`55`
`56`	`56`	`static let blockedOverridePrefixes: [String] = [`
`57`	`57`	`"GIT_CONFIG_",`
`58`		`- "NPM_CONFIG_",`
	`58`	`+ "NPM_CONFIG_"`
`59`	`59`	`]`
`60`	`60`
`61`	`61`	`static let blockedPrefixes: [String] = [`
`62`	`62`	`"DYLD_",`
`63`	`63`	`"LD_",`
`64`		`- "BASH_FUNC_",`
	`64`	`+ "BASH_FUNC_"`
`65`	`65`	`]`
`66`	`66`	`}`