Codex review: needs maintainer review before merge.

What this changes:

The PR branch adds a SQLite-backed keyed plugin state store exposed as api.runtime.state.openKeyedStore, wires gateway shutdown and maintenance cleanup, updates SDK docs/baselines/changelog, and adds plugin-state unit, E2E, and permission tests.

Maintainer follow-up before merge:

Keep this PR open for explicit maintainer and security/runtime-storage review. The best path is to decide whether the bundled-only keyed-store API is the right plugin boundary, resolve or consciously accept the SQLite event-loop and permission-hardening tradeoffs, verify generated SDK docs/baseline and CI proof, and keep consumer migrations in separate owner-scoped PRs.

Best possible solution:

Keep this PR open for explicit maintainer and security/runtime-storage review. The best path is to decide whether the bundled-only keyed-store API is the right plugin boundary, resolve or consciously accept the SQLite event-loop and permission-hardening tradeoffs, verify generated SDK docs/baseline and CI proof, and keep consumer migrations in separate owner-scoped PRs.

Acceptance criteria:

• pnpm test src/plugin-state/plugin-state-store.test.ts src/plugin-state/plugin-state-store.e2e.test.ts src/plugin-state/plugin-state-store.permissions.test.ts
• pnpm plugin-sdk:api:gen/check
• pnpm config:docs:gen/check
• pnpm check:changed in Testbox before merge

What I checked:

• Protected PR metadata: Provided GitHub context shows this PR is open, unmerged, ready for review, and labeled maintainer, docs, gateway, and size: XL; protected maintainer labeling requires explicit maintainer handling rather than auto-close. (1f320e3e0aa5)
• Current runtime type has no keyed store: Current PluginRuntimeCore.state exposes only resolveStateDir; there is no openKeyedStore member on main. (src/plugins/runtime/types-core.ts:228, 443ca4865d61)
• Current runtime factory only wires state dir resolution: createPluginRuntime currently constructs state: { resolveStateDir }, so main does not create the proposed runtime keyed-store API. (src/plugins/runtime/index.ts:229, 443ca4865d61)
• Current registry proxy has no state-store binding: The runtime proxy currently only special-cases subagent; it does not bind plugin ids or gate bundled-only access for state.openKeyedStore. (src/plugins/registry.ts:1955, 443ca4865d61)
• Current docs document only state directory resolution: The public SDK runtime docs describe api.runtime.state as state directory resolution and show only api.runtime.state.resolveStateDir(). Public docs: docs/plugins/sdk-runtime.md. (docs/plugins/sdk-runtime.md:396, 443ca4865d61)
• No plugin-state implementation on current main: Search found no openKeyedStore, PluginStateKeyedStore, PluginStateStore, plugin-state-store, sweepExpiredPluginStateEntries, closePluginStateSqliteStore, or src/plugin-state directory on current main. (443ca4865d61)

Likely related people:

• steipete: Prior ClawSweeper context for this same PR traced deeper current-main blame for PluginRuntimeCore.state, createPluginRuntime, the registry runtime proxy region, and SDK runtime docs to Peter Steinberger; local history also shows recent plugin-startup policy work by Peter near the affected plugin startup surface. (role: recent current-main maintainer and likely reviewer; confidence: medium; commits: 3b10b8cf74e3, 390a7598c952; files: src/plugins/runtime/types-core.ts, src/plugins/runtime/index.ts, src/plugins/registry.ts)
• vincentkoc: Prior ClawSweeper context linked Vincent Koc to recent adjacent work in src/plugins/registry.ts and gateway/plugin-loader paths; local recent history also shows plugin contract/auth-adjacent maintenance under this author. (role: recent adjacent registry and gateway maintainer; confidence: medium; commits: 1d61862adb0d, ad2516b1, 56d2749b; files: src/plugins/registry.ts, src/gateway/server-methods/agent.ts, src/plugins/loader.test.ts)

Remaining risk / open question:

• The PR adds a new SQLite-backed runtime storage surface with WAL behavior, file permission hardening, TTL eviction, plugin isolation, shutdown cleanup, and synchronous filesystem/database calls on gateway paths; that needs explicit runtime-storage and security review.
• The API is intentionally bundled-plugin-only, which intersects with the plugin boundary rule against private bundled-only backdoors unless maintainers deliberately accept that contract.
• The PR body lists several consumer migrations as follow-ups; merging or closing this PR should not accidentally settle Slack, Discord, MS Teams, Matrix, BlueBubbles, or Feishu owner-specific behavior.
• Current main does not implement the proposed API, so closing as implemented would be incorrect.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 443ca4865d61.

Validation blitz — plugin state store E2E results

Five standalone scripts exercised the plugin state store end-to-end against real SQLite on real filesystem. Every script used an isolated OPENCLAW_STATE_DIR temp directory. 109 checks total, 109 passed, 0 failed.

1. CRUD + Persistence — 25/25 ✅

2. TTL + Sweep — 18/18 ✅

Note: sweepExpiredPluginStateEntries() is global across all plugins/namespaces — leftover expired rows from earlier test phases are included in sweep counts. Isolation requires either fresh state dirs or draining stale rows first.

3. Isolation + Multi-plugin — 24/24 ✅

4. Limits + Eviction — 22/22 ✅

5. Stress + WAL — 10/10 ✅

Summary

No bugs found. The store is solid across all tested dimensions — correctness, isolation, limits, persistence, TTL semantics, eviction ordering, error handling, and stress.

Greptile Summary

This PR introduces a SQLite-backed keyed-state store for bundled plugins, exposed as api.runtime.state.openKeyedStore, with TTL expiry, per-namespace entry caps, a per-plugin hard cap of 1,000 live rows, JSON value validation, WAL maintenance, and gateway shutdown cleanup. The implementation is well-structured and the core transaction logic (BEGIN IMMEDIATE, rollback on error, namespace eviction before plugin-cap check) is correct.

Confidence Score: 4/5

Safe to merge; all findings are non-blocking style/consistency issues with no correctness impact.

Only P2-level findings: two write operations (delete, clear) silently skip the permission-hardening path that register/consume use, a redundant ensureSchema call in the probe function, and a minor allocation pattern in the Proxy state handler. No logic bugs or data-loss risks identified.

src/plugin-state/plugin-state-store.sqlite.ts — the pluginStateDelete and pluginStateClear functions should be reviewed for permission-hardening consistency.

This is a comment left during a code review.
Path: src/plugin-state/plugin-state-store.sqlite.ts
Line: 477-494

Comment:
**`delete` and `clear` skip permission hardening**

`pluginStateDelete` and `pluginStateClear` (line 518) call `openPluginStateDatabase` directly and issue writes without going through `runWriteTransaction`. This means they never call `ensurePluginStatePermissions`, which is the step that tightens file permissions on `0o600` after every write. `register` and `consume` always get permission hardening via `runWriteTransaction`; these two silently skip it. If a file ends up world-readable after an external process touches it, a `delete` or `clear` will leave it that way whereas a `register` would re-tighten it.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: src/plugin-state/plugin-state-store.sqlite.ts
Line: 596-600

Comment:
**Redundant `ensureSchema` call in probe**

`openPluginStateDatabase` already calls `ensureSchema` internally (line 319). Calling it again on line 599 inside `probePluginStateStore` is harmless because `CREATE TABLE IF NOT EXISTS` is idempotent, but it's dead work and may confuse readers into thinking the probe step does additional schema validation. Consider removing this second call or renaming the probe step to `"open-and-schema"` if you want a unified step name.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: src/plugins/registry.ts
Line: 1949-1975

Comment:
**`runtime.state` allocates a new object on every property access**

The Proxy's `get` trap for `"state"` spreads `baseState` and creates a fresh `openKeyedStore` closure each time `runtime.state` is accessed. The proxy itself is cached per `pluginId` in `pluginRuntimeById`, but the returned state object isn't. For plugins that access `runtime.state` in registration callbacks this is harmless, but it's easy to inadvertently call `openKeyedStore` in a hot path (e.g., inside a hook handler that accesses `api.runtime.state` on every event). Memoizing the state object inside the proxy closure — as is already done for `subagent` via `defineCachedValue` — would make this consistent with the rest of the runtime API.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "fix(plugins): keep committed state write..." | Re-trigger Greptile}

Validation blitz — round 2: robustness, contention, memory, and proxy path

Five additional standalone scripts targeting gaps identified after the first 109-check round. All run against real SQLite on real filesystem with isolated state dirs. 121 additional checks, 121 passed, 0 failed.

1. Multi-process contention — 8/8 ✅

6 child processes, each doing 250 mixed ops (1,500 total) against the same SQLite database file simultaneously.

WAL mode + busy_timeout=5000 handled all contention. No lock escapes under 6-process concurrent load.

2. Close during in-flight writes — 38/38 ✅

3. Database integrity + WAL checkpoint — 30/30 ✅

4. RSS memory growth — 2/2 ✅

No memory leak detected. RSS growth is modest and sublinear across 30,000 operations and 100 distinct store instances.

5. Runtime proxy path + bundled-only gate — 15/15 ✅

Combined totals (round 1 + round 2)

No bugs found across 236 checks covering correctness, isolation, limits, persistence, TTL, eviction, proxy binding, multi-process contention, close safety, database integrity, WAL checkpointing, memory growth, and stress.

Review feedback response

Addressed findings from Aisle, Greptile, and self-review. All changes are local — not yet pushed.

Fixed

Tests added for all three limit types (key bytes, namespace bytes, nesting depth). All 31 tests pass (17 unit + 13 e2e + 1 permissions).

Declined

Validation blitz — round 3: full gateway E2E lifecycle

Standalone script exercising the plugin state store through a real gateway process — start, write state, stop, verify persistence, restart, verify again. 21 checks, 21 passed, 0 failed.

What this proves that rounds 1–2 didn't

Rounds 1–2 (236 checks) exercised the store API directly and through the registry proxy with a mock runtime. This round starts the actual gateway binary (dist/index.js gateway --port N --bind loopback), uses the same OPENCLAW_STATE_DIR, and exercises the full lifecycle:

gateway start → plugin loader → registry → state dir initialized
→ store writes (concurrent with running gateway)
→ SIGTERM → graceful shutdown (closePluginStateSqliteStore + WAL checkpoint)
→ state dir persists on disk
→ gateway restart → state still readable

Results — 21/21 ✅

Key observations

• WAL checkpoint confirmed: WAL file size = 0 after gateway shutdown — the shutdownStep("plugin-state-store", () => closePluginStateSqliteStore()) in server-close.ts runs the TRUNCATE checkpoint.
• Multi-process SQLite access: The test process and the gateway process both had the database open simultaneously (WAL mode) with no lock conflicts.
• DB location: $OPENCLAW_STATE_DIR/plugins/state.sqlite — exactly where the path resolver puts it.

Combined totals (all 3 rounds)