fix(openclaw): use exported memory SDK subpath

[vincentkoc]

Why

I maintain OpenClaw core and am working through visible plugin compatibility issues from Crabpot so plugins keep loading cleanly as the public SDK surface narrows.

Crabpot beta flagged Honcho because index.ts imports openclaw/plugin-sdk/memory-core, but current OpenClaw package exports no longer expose that broad memory-core SDK alias.

Immutable Crabpot evidence: https://github.com/openclaw/crabpot/blob/28bc58ae049933afdf6eed8466d1e6db0778f3e8/reports/crabpot-issues.md#L63-L67

What changed

• Import MemoryPromptSectionBuilder from openclaw/plugin-sdk/memory-core-host-runtime-core, which is the exported SDK subpath OpenClaw uses for this memory prompt-section contract.
• Raise the declared OpenClaw compatibility floor to >=2026.4.10, the first OpenClaw tag that exports memory-core-host-runtime-core.
• Add openclaw@2026.4.10 as a dev dependency so local builds validate against the minimum supported host instead of floating to latest.
• Harden memory-passthrough tool params from unknown to plain records so TypeScript passes against current OpenClaw tool API types.

Validation

• pnpm install --lockfile-only --ignore-scripts
• pnpm install --frozen-lockfile --ignore-scripts
• pnpm build
• pnpm exec tsc --noEmit
• pnpm exec vitest run - 35 tests passed
• npx --yes @openclaw/plugin-inspector@latest check --plugin-root . --openclaw /Users/USER/openclaw --json

Plugin Inspector now reports: all observed plugin SDK imports exist in target OpenClaw package exports for openclaw/plugin-sdk, openclaw/plugin-sdk/memory-core-host-runtime-core, and openclaw/plugin-sdk/plugin-entry.

Remaining inspector findings

This PR removes the sdk-export-missing P1. The remaining P1 is conversation-access-hook, which is an OpenClaw/plugin-inspector privacy-boundary probe coverage item for agent_end hooks, not an upstream Honcho code fix.

Summary by CodeRabbit

• Bug Fixes

  • Fixed OpenClaw SDK import compatibility for OpenClaw 2026.4.10+
  • Improved parameter handling robustness for memory tool operations

• Documentation

  • Updated known issues section with verified working version information

• Chores

  • Updated minimum OpenClaw version requirement to 2026.4.10

[coderabbitai]

Warning

Rate limit exceeded

@vincentkoc has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 28 minutes and 7 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 94df1dc2-8dff-430e-a42e-384d9c84df7c

📥 Commits

Reviewing files that changed from the base of the PR and between 49713ce and e12d2fb.

📒 Files selected for processing (4)

• CHANGELOG.md
• README.md
• test/memory-passthrough.test.ts
• tools/memory-passthrough.ts

Walkthrough

This PR upgrades OpenClaw SDK compatibility from 2026.3.22 to 2026.4.10 with coordinated version and import path updates across configuration and code, and introduces defensive parameter normalization to protect memory tool implementations from malformed inputs.

Changes

OpenClaw compatibility and tool robustness

Layer / File(s)	Summary
OpenClaw 2026.4.10 version and import alignment package.json, index.ts, CHANGELOG.md, README.md	Dev dependencies, peer dependencies, and build version requirements are bumped to 2026.4.10. The MemoryPromptSectionBuilder type import is switched to openclaw/plugin-sdk/memory-core-host-runtime-core to match the new SDK module structure. Changelog and known issues documentation are updated to reflect the new version requirement.
Tool parameter defensive normalization tools/memory-passthrough.ts	A requireToolParams(params) helper coerces unknown tool-call inputs into plain objects (or {}), and memory_search and memory_get now read parameters from this normalized input to prevent non-object parameter access issues.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A version dance, from three to four,
SDK paths we did restore,
Tool inputs now play safe and sound,
Defensive guards protect all 'round!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and specifically describes the main change: importing MemoryPromptSectionBuilder from the exported OpenClaw SDK subpath (openclaw/plugin-sdk/memory-core-host-runtime-core) instead of the unavailable path.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[vincentkoc]

@ajspig @VVoruganti this is ready for review. It is a narrow OpenClaw SDK import compatibility fix from the Crabpot beta report; build, tests, and plugin-inspector are in the PR body.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@README.md`:
- Line 314: Update the README section so the two version notes are explicit and
not contradictory: change the line that currently reads "Fix: 2026.4.6 or
later." to say something like "Upstream hook bug fixed in OpenClaw 2026.4.6+
(this fix is upstream)" and change or augment the line that reads "Verified
working: OpenClaw 2026.4.10+." to say "Plugin requires OpenClaw 2026.4.10+
(tested/verified on 2026.4.10+)" so both the upstream fix and the plugin
requirement are shown together in the same paragraph.

In `@tools/memory-passthrough.ts`:
- Around line 104-109: The code currently lets validation errors from
requireToolParams/readStringParam/readNumberParam be swallowed by the provider
try/catch and reported as provider outages; instead, perform all input
validation up front (call requireToolParams, readStringParam, readNumberParam
and buildSessionKey) outside the provider try/catch and if those functions throw
return or throw a validation-style error payload, then only wrap the actual
provider interaction in the try/catch that maps to provider-unavailable errors;
apply the same separation for the other block referenced (lines 146-149) so
parameter validation never gets classified as provider failure.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9c1f885d-e7e1-4c1b-8895-5382d308da9a

📥 Commits

Reviewing files that changed from the base of the PR and between e9f0145 and 49713ce.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (5)

• CHANGELOG.md
• README.md
• index.ts
• package.json
• tools/memory-passthrough.ts

[ajspig]

@vincentkoc Thanks for this.

BTW the clawhub is currently broken in a way I can't publish this package there any more. :( I posted about it in discord. https://discord.com/channels/1456350064065904867/1504936568073486597

I'm hitting a scope mismatch publishing openclaw-honcho v1.5.0: my package.json uses @honcho-ai/openclaw-honcho but @honcho-aiis not an org on ClawHub, and overriding with --owner or --name fails because they don't match. Since ClawHub only supports GitHub sign-in and our GitHub org is plastic-labs (not honcho-ai), the cleanest fix seems to be creating a honcho-ai GitHub account to claim the scope — but I'd love to know if there's a better way to map a ClawHub scope to a differently-named GitHub org without losing my existing publish history under ajspig.

[Patrick-Erichsen]

@ajspig followed up with you on your other issue here: openclaw/openclaw#82322 (comment)

Thanks for bringing these issues up to us!