Best possible solution:

Keep the SQLite migration, preserve install-ledger reads when only persisted snapshots are bypassed, rebuild or mark stale records-only legacy rows, rethrow state DB compatibility errors, and require redacted real migration proof before merge.

Do we have a high-confidence way to reproduce the issue?

Yes. The blocking PR findings are source-reproducible from the live head: preferPersisted: false disables ledger reads, records-only legacy rows persist with empty plugins, and SQLite open errors are caught broadly.

Is this the best way to solve the issue?

No. Moving the index to SQLite matches repository direction, but the current patch is not the best merge shape until it preserves existing registry semantics, handles legacy rows safely, and proves a real upgrade path.

Full review comments:

• [P1] Keep install records when bypassing persisted registry — src/plugins/plugin-registry-snapshot.ts:448
  At this line, preferPersisted: false also disables reading the install ledger, so the derived path below receives {} records. Provider-scoped discovery uses this option to bypass snapshots, not installed records, so installed external plugins can disappear from provider/model/auth metadata.
  Confidence: 0.9
• [P2] Rebuild records-only legacy indexes before persisting — src/infra/state-migrations.ts:314-323
  Records-only legacy JSON is converted into a persisted index with legacy policy fields, no diagnostics, and an empty plugins array. No-config registry reads can accept that row as persisted, so migration should rebuild from the records or make the synthetic row unambiguously stale.
  Confidence: 0.84
• [P2] Do not hide unsupported state DB errors — src/plugins/installed-plugin-index-store.ts:323-324
  This broad catch also catches openOpenClawStateDatabase compatibility errors such as a newer user_version. That makes an unsupported state DB look like a missing plugin index and can silently hide installed plugins instead of surfacing the hard compatibility error.
  Confidence: 0.86

Overall correctness: patch is incorrect
Overall confidence: 0.9

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 82d24b26ea93.

Label justifications:

• P2: This is a normal-priority persistence migration with concrete compatibility blockers but limited blast radius before merge.
• merge-risk: 🚨 compatibility: The PR changes durable plugin install state, migration behavior, fallback reads, and downgrade/error semantics for existing state directories.
• merge-risk: 🚨 auth-provider: The install-record read regression can remove installed external provider/auth metadata from model discovery and SecretRef-related paths.
• rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🧂 unranked krab and patch quality is 🧂 unranked krab.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body lists tests and checks only; it needs redacted terminal or log proof of a real legacy install-index migration with installed plugins visible afterward. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

PR surface:

Source +466, Tests +490, Docs 0, Other +181. Total +1137 across 56 files.

What I checked:

• Repository policy applied: Root and scoped plugin policy were read; plugin state belongs in SQLite, but plugin registry, config loading, migrations, provider routing, and fallback behavior are compatibility-sensitive review surfaces. (AGENTS.md:30, 82d24b26ea93)
• Current main still uses JSON install index: Current main resolves the installed plugin index to plugins/installs.json, so the central SQLite persistence change is not already implemented on main. (src/plugins/installed-plugin-index-store-path.ts:4, 82d24b26ea93)
• PR drops install-record reads with preferPersisted: false: On the live PR head, persistedInstallRecordReadsEnabled is tied to persistedReadsEnabled, so caller-level snapshot bypass also bypasses the install ledger. (src/plugins/plugin-registry-snapshot.ts:448, a67273881c5a)
• Current main preserves install-record reads: Current main keeps installed-plugin record reads enabled unless the environment break-glass disables persisted registry reads, which preserves provider/model/auth metadata for installed external plugins. (src/plugins/plugin-registry-snapshot.ts:444, 82d24b26ea93)
• Legacy records-only migration can persist an empty plugin list: The PR synthesizes a legacy index with plugins: [] and no diagnostics for records-only JSON, which can be accepted as a persisted registry before discovery rebuilds the plugin records. (src/infra/state-migrations.ts:314, a67273881c5a)
• Unsupported state DB errors are currently hard failures: The shared state DB opener throws when the database user_version is newer than this build supports; the PR's installed-index read catch can turn that into a missing-index result. (src/state/openclaw-state-db.ts:83, 82d24b26ea93)

Likely related people:

• vincentkoc: Current main blame for the plugin registry snapshot, installed-index path/store, and state migration files points to recent work under Vincent Koc on the central surfaces this PR changes. (role: recent area contributor; confidence: medium; commits: 7c315252d68b, 015c6b40aeac; files: src/plugins/plugin-registry-snapshot.ts, src/plugins/installed-plugin-index-store-path.ts, src/plugins/installed-plugin-index-store.ts)
• steipete: The live PR branch is authored by steipete and he also appears in recent current-main history, so he is a likely follow-up owner for branch repair and proof even though current-main blame for the central plugin files is shared. (role: PR branch owner and adjacent contributor; confidence: medium; commits: a7e7bcaef17d, cc4375fa62ee, e93216080aa1; files: src/plugins/installed-plugin-index-store.ts, src/plugins/plugin-registry-snapshot.ts, src/infra/state-migrations.ts)

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.