fix: auto-repair missing plugins on startup (#293)

* fix: auto-repair missing plugins and graceful config fallback

Plugins whose directories are missing (failed update, migration, etc.)
now get automatically reinstalled from the store on startup. The config
endpoint no longer returns a hard 500 when a schema is unavailable —
it falls back to conservative key-name-based masking so the settings
page stays functional.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: handle ledmatrix- prefix in plugin updates and reconciliation

The store registry uses unprefixed IDs (e.g., 'weather') while older
installs used prefixed config keys (e.g., 'ledmatrix-weather'). Both
update_plugin() and auto-repair now try the unprefixed ID as a fallback
when the prefixed one isn't found in the registry.

Also filters system config keys (schedule, display, etc.) from
reconciliation to avoid false positives.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: address code review findings for plugin auto-repair

- Move backup-folder filter from _get_config_state to _get_disk_state
  where the artifact actually lives
- Run startup reconciliation in a background thread so requests aren't
  blocked by plugin reinstallation
- Set _reconciliation_done only after success so failures allow retries
- Replace print() with proper logger in reconciliation
- Wrap load_schema in try/except so exceptions fall through to
  conservative masking instead of 500
- Handle list values in _conservative_mask_config for nested secrets
- Remove duplicate import re

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: add thread-safe locking to PluginManager and fix reconciliation retry

PluginManager thread safety:
- Add RLock protecting plugin_manifests and plugin_directories
- Build scan results locally in _scan_directory_for_plugins, then update
  shared state under lock
- Protect reads in get_plugin_info, get_all_plugin_info,
  get_plugin_directory, get_plugin_display_modes, find_plugin_for_mode
- Protect manifest mutation in reload_plugin
- Prevents races between background reconciliation thread and request
  handlers reading plugin state

Reconciliation retry:
- Clear _reconciliation_started on exception so next request retries
- Check result.reconciliation_successful before marking done
- Reset _reconciliation_started on non-success results to allow retry

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

web_interface/app.py

@@ -651,12 +651,49 @@ def _initialize_health_monitor():
     
     _health_monitor_initialized = True
 
-# Initialize health monitor on first request (using before_request for compatibility)
+_reconciliation_done = False
+_reconciliation_started = False
+
+def _run_startup_reconciliation():
+    """Run state reconciliation in background to auto-repair missing plugins."""
+    global _reconciliation_done, _reconciliation_started
+    from src.logging_config import get_logger
+    _logger = get_logger('reconciliation')
+
+    try:
+        from src.plugin_system.state_reconciliation import StateReconciliation
+        reconciler = StateReconciliation(
+            state_manager=plugin_state_manager,
+            config_manager=config_manager,
+            plugin_manager=plugin_manager,
+            plugins_dir=plugins_dir,
+            store_manager=plugin_store_manager
+        )
+        result = reconciler.reconcile_state()
+        if result.inconsistencies_found:
+            _logger.info("[Reconciliation] %s", result.message)
+        if result.reconciliation_successful:
+            if result.inconsistencies_fixed:
+                plugin_manager.discover_plugins()
+            _reconciliation_done = True
+        else:
+            _logger.warning("[Reconciliation] Finished with unresolved issues, will retry")
+            _reconciliation_started = False
+    except Exception as e:
+        _logger.error("[Reconciliation] Error: %s", e, exc_info=True)
+        _reconciliation_started = False
+
+# Initialize health monitor and run reconciliation on first request
 @app.before_request
 def check_health_monitor():
-    """Ensure health monitor is initialized on first request."""
+    """Ensure health monitor is initialized; launch reconciliation in background."""
+    global _reconciliation_started
     if not _health_monitor_initialized:
         _initialize_health_monitor()
+    if not _reconciliation_started:
+        _reconciliation_started = True
+        import threading
+        threading.Thread(target=_run_startup_reconciliation, daemon=True).start()
 
 if __name__ == '__main__':
     app.run(host='0.0.0.0', port=5000, debug=True)

web_interface/blueprints/api_v3.py

@@ -33,6 +33,29 @@ from src.web_interface.secret_helpers import (
     separate_secrets,
 )
 
+_SECRET_KEY_PATTERN = re.compile(
+    r'(api_key|api_secret|password|secret|token|auth_key|credential)',
+    re.IGNORECASE,
+)
+
+def _conservative_mask_config(config, _parent_key=None):
+    """Mask string values whose keys look like secrets (no schema available)."""
+    if isinstance(config, list):
+        return [
+            _conservative_mask_config(item, _parent_key) if isinstance(item, (dict, list))
+            else ('' if isinstance(item, str) and item and _parent_key and _SECRET_KEY_PATTERN.search(_parent_key) else item)
+            for item in config
+        ]
+    result = dict(config)
+    for key, value in result.items():
+        if isinstance(value, dict):
+            result[key] = _conservative_mask_config(value)
+        elif isinstance(value, list):
+            result[key] = _conservative_mask_config(value, key)
+        elif isinstance(value, str) and value and _SECRET_KEY_PATTERN.search(key):
+            result[key] = ''
+    return result
+
 # Will be initialized when blueprint is registered
 config_manager = None
 plugin_manager = None
@@ -2505,24 +2528,19 @@ def get_plugin_config():
             }
 
         # Mask secret fields before returning to prevent exposing API keys
-        # Fail closed — if schema unavailable, refuse to return unmasked config
         schema_mgr = api_v3.schema_manager
-        if not schema_mgr:
-            return error_response(
-                ErrorCode.CONFIG_LOAD_FAILED,
-                f"Cannot safely return config for {plugin_id}: schema manager unavailable",
-                status_code=500
-            )
+        schema_for_mask = None
+        if schema_mgr:
+            try:
+                schema_for_mask = schema_mgr.load_schema(plugin_id, use_cache=True)
+            except Exception as e:
+                logger.error("[PluginConfig] Error loading schema for %s: %s", plugin_id, e, exc_info=True)
 
-        schema_for_mask = schema_mgr.load_schema(plugin_id, use_cache=True)
-        if not schema_for_mask or 'properties' not in schema_for_mask:
-            return error_response(
-                ErrorCode.CONFIG_LOAD_FAILED,
-                f"Cannot safely return config for {plugin_id}: schema unavailable for secret masking",
-                status_code=500
-            )
-
-        plugin_config = mask_secret_fields(plugin_config, schema_for_mask['properties'])
+        if schema_for_mask and 'properties' in schema_for_mask:
+            plugin_config = mask_secret_fields(plugin_config, schema_for_mask['properties'])
+        else:
+            logger.warning("[PluginConfig] Schema unavailable for %s, applying conservative masking", plugin_id)
+            plugin_config = _conservative_mask_config(plugin_config)
 
         return success_response(data=plugin_config)
     except Exception as e: