#21039: Fix npm-spec plugin installs when npm pack output is empty

# Fix npm-spec plugin installs when npm pack output is empty ## Summary This patch makes npm-spec plugin and hook installs resilient when `npm pack` does not print a tarball name on stdout. It keeps the existing fast path, but now falls back to detecting generated `.tgz` files in the temporary pack directory. ## Problem - Expected: `openclaw plugins install <npm-spec>` resolves an archive path and installs successfully. - Actual: install fails with `npm pack produced no archive` when stdout is empty (or does not include a `.tgz` token). - Impact: High - npm-spec installs are blocked for affected environments/users. ## Reproduction 1. Run `openclaw plugins install openclaw-mcp-client` (or another npm spec). 2. In environments where `npm pack` exits 0 but emits no archive filename on stdout, observe the failure. - Expected result: plugin install proceeds after archive resolution. - Actual result: install exits with `npm pack produced no archive`. ## Issues Found Severity: high Confidence: high Status: fixed | ID | Severity | Confidence | Area | Summary | Evidence | Status | | --- | --- | --- | --- | --- | --- | --- | | PR-21039-BUG-01 | high | high | src/infra/install-source-utils.ts | npm-spec install depends on stdout-only archive detection and fails when stdout omits tarball name | open issue #21028 and `packNpmSpecToArchive` stdout-only parsing | fixed | ## Fix Approach - Parse `.tgz` tokens from `npm pack` stdout instead of relying on the final line only. - If stdout has no usable archive token, scan the temp pack directory for generated `.tgz` files and pick the newest candidate. - Verify parsed archive existence and fall back to directory detection if needed. - Add regression tests for empty/non-tgz stdout fallback behavior. ## Testing - `pnpm exec vitest run --config vitest.unit.config.ts src/infra/install-source-utils.test.ts` (pass) - `pnpm exec oxfmt --check src/infra/install-source-utils.ts src/infra/install-source-utils.test.ts` (pass) - `pnpm tsgo && pnpm lint && pnpm build` (pass) - `pnpm check` (fails: pre-existing untracked file `__openclaw_vitest__/cron/runs-one-shot/case-0/cron/jobs.json` triggers format check outside this change) ## Risk / Notes - Scope is limited to archive path resolution for npm-spec installs (`plugins` and `hooks` share this path). - Existing behavior is preserved when stdout already includes a valid tarball name. - Refs #21028 <!-- greptile_comment --> <h3>Greptile Summary</h3> Fixed npm-spec plugin installs failing when `npm pack` stdout is empty. The implementation adds a robust fallback that parses `.tgz` filenames from stdout (instead of relying on final line), verifies archive existence, and scans the temp directory for generated `.tgz` files when stdout parsing fails. The fix maintains backward compatibility with existing behavior while resolving install failures in environments where `npm pack` succeeds but produces no filename output. <h3>Confidence Score: 4/5</h3> - This PR is safe to merge with low risk - it fixes a high-impact bug with a well-tested fallback mechanism - The fix is well-implemented with proper fallback logic, comprehensive test coverage for the new behavior, and maintains backward compatibility. The implementation correctly handles edge cases (empty stdout, no .tgz in stdout, multiple archives). Minor deduction for the double fallback pattern in lines 112-121 which adds complexity, though it provides additional safety - No files require special attention _{Last reviewed commit: 9dab96a} <!-- greptile_other_comments_section --> <!-- /greptile_comment -->