Summary

• Problem: explicit providerRefs setup/runtime loads still relied on older manifest ownership helpers, so descriptor-first provider activation hints were not actually narrowing those paths.
• Why it matters: provider-targeted setup/runtime flows could still over-load plugins, and explicit owner ids discovered from manifest activation/setup metadata could get dropped by the legacy providers.length > 0 filter.
• What changed: provider runtime/setup loading now plans explicit provider owners from manifest activation metadata first, keeps legacy provider/CLI-backend ownership as fallback, and preserves explicit owner ids through the final load options.
• What did NOT change (scope boundary): no new global activation snapshot model, no broad registry rewrite, no repo-wide manifest backfill.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related #
• This PR fixes a bug or regression

Root Cause (if applicable)

• Root cause: explicit provider targeting on setup/runtime paths still routed through legacy manifest ownership helpers instead of the new activation-planner seam.
• Missing detection / guardrail: there was no focused test proving activation.onProviders or setup.providers owners survived all the way into provider load options.
• Contributing context (if known): the CLI planning slice landed first, so provider-specific paths were still on the older ownership logic.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/plugins/providers.test.ts
• Scenario the test should lock in: explicit provider-targeted setup/runtime loads keep activation/setup-descriptor owners, while legacy CLI-backend ownership still works as fallback.
• Why this is the smallest reliable guardrail: the regression lives in provider load planning before runtime execution, so a focused providers-runtime unit test catches it without booting the full plugin graph.
• Existing test that already covers this (if any): none before this change.
• If no new test is added, why not: N/A

User-visible / Behavior Changes

None.

Diagram (if applicable)

Before:
[providerRefs] -> [legacy ownership helper] -> [enabled/discovered provider filter] -> [activation/setup-only owner can be dropped]

After:
[providerRefs] -> [manifest activation planner] -> [legacy fallback if needed] -> [explicit owner ids preserved into load options]

Security Impact (required)

• New permissions/capabilities? (Yes/No): No
• Secrets/tokens handling changed? (Yes/No): No
• New/changed network calls? (Yes/No): No
• Command/tool execution surface changed? (Yes/No): No
• Data access scope changed? (Yes/No): No
• If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

• OS: macOS
• Runtime/container: local Node/pnpm worktree
• Model/provider: N/A
• Integration/channel (if any): plugin/provider load path
• Relevant config (redacted): default local dev config

Steps

1. Add a plugin manifest owner that declares activation.onProviders or setup.providers for an explicit provider id without the older providers[] static metadata.
2. Resolve plugin providers with providerRefs on runtime or setup paths.
3. Inspect the final onlyPluginIds / activated config used for provider loading.

Expected

• Explicit provider owners resolved from manifest metadata stay in the provider load options.
• Legacy CLI-backend ownership still resolves when activation metadata is absent.

Actual

• Fixed by this PR.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

• Verified scenarios: explicit runtime provider ownership via activation.onProviders; explicit setup provider ownership via setup.providers; legacy CLI-backend fallback via claude-cli; existing provider runtime tests still green.
• Edge cases checked: explicit owner ids survive the legacy provider filter; setup and runtime paths both covered.
• What you did not verify: full repo pnpm check; broad end-to-end plugin flows.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes/No): Yes
• Config/env changes? (Yes/No): No
• Migration needed? (Yes/No): No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: manifest activation metadata could over-target a plugin if its provider ownership is declared incorrectly.
  • Mitigation: legacy fallback remains in place, and new focused tests lock the explicit-owner load behavior.