fix(cli): bundle MarkItDown in workspace installs + diagnose missing converter

[Jurij89]

Summary

• Workspace/dev pnpm install now stages the MarkItDown binary by default so PDF/DOCX/PPTX/XLSX/CSV/HTML/EPUB/XML extraction works out of the box, matching the published-install experience. Previously the postinstall silently skipped the release-asset download for source checkouts and PDFs returned extraction.status='skipped'.
• When the local package.json version is ahead of the latest published tag (the common pre-release case), the bundler falls back to the newest non-draft release and rewrites the meta sidecar with the local cliVersion (preserving the release tag in an effectiveTag field) so the daemon's converter check accepts the binary instead of rejecting it as a fingerprint mismatch.
• A missing converter is now visible to operators and agents: /api/status carries extractionPipelines: string[] + warnings: [{code, message, remediation?}], the live /.well-known/skill.md adds an Unavailable extraction pipelines line, the static SKILL.md template points agents at the dkg_status tool, and the daemon startup warning tells operators exactly which command to run and that a restart is required.
• Failure UX hardened: DKG_SKIP_MARKITDOWN_DOWNLOAD=1 opt-out, automatic silent skip in CI, per-OS install hint when python3-venv is missing from markitdown:build, and a release-time --verify-release-artifacts check in release.yml that fails the workflow if any matrix-built binary or sidecar is missing/mismatched before softprops/action-gh-release publishes.

Related

• Fixes MarkItDown converter is not available out of the box in workspace/dev node installs #467
• Follow-up to Fix local agent chat attachment delivery #446 / File attachments in OpenClaw agent chat are never delivered to the agent #256 — the manual PDF attachment validation that surfaced this gap
• Out of scope (documented in MarkItDown converter is not available out of the box in workspace/dev node installs #467 and worth a separate PR): extending the import-file skipped response with a structured reason field, and loosening the OpenClaw attachment-ref normalizer to allow non-completed statuses so agents see the skip reason

Files changed

File	What
packages/cli/scripts/bundle-markitdown-binaries.mjs	New bundleImplicitCurrentPlatform() workflow with workspace fallback to latest tag, fetchLatestReleaseTag() (uses /releases listing — /releases/latest returns 404 on prerelease-only repos), verifyReleaseArtifacts(), rewriteVenvError(), restart-hint logging, opt-out env vars. Removed the silent workspace-skip short-circuit.
packages/cli/src/daemon/routes/status.ts	extractionPipelines and warnings[] on /api/status; unavailablePipelines passed to buildSkillMd for the live skill manifest.
packages/cli/src/daemon/manifest.ts	buildSkillMd accepts unavailablePipelines, renders the diagnostic line, placeholder match updated in lockstep with the template wording.
packages/cli/src/daemon/lifecycle.ts	Startup warning now includes pnpm --filter @origintrail-official/dkg run markitdown:bundle + restart-the-daemon remediation.
packages/cli/skills/dkg-node/SKILL.md	§1 placeholder points agents at the dkg_status tool (matching the template's tool-first convention) instead of raw HTTP for the live pipeline list.
.github/workflows/release.yml	New verification step (--verify-release-artifacts) runs before softprops/action-gh-release and fails the workflow if any matrix-built binary or sidecar is missing/mismatched.
.gitignore + packages/cli/bin/.gitkeep	Defensive: keeps platform-specific MarkItDown binaries out of git while preserving the directory so the bundler can write into it.
packages/cli/test/markitdown-binaries.test.ts	14 new vitest cases covering workspace download, already-staged skip, version-ahead fallback, total-failure remediation, opt-out env vars, CI skip, venv error rewriter, and release-artifact verifier.

Test plan

• pnpm exec vitest run test/markitdown-binaries.test.ts test/extraction-markitdown.test.ts test/document-processor-e2e.test.ts → 50 passed, 4 skipped (the skipIf'd e2e cases need a real converter; follow-up could remove the guards now that the workspace flow actually stages one).
• pnpm exec tsc --noEmit in packages/cli/ → clean.
• Manual smoke (Windows worktree): fresh pnpm install stages markitdown-win32-x64.exe via fallback to v10.0.0-rc.4; bin/markitdown-win32-x64.exe.meta.json reports cliVersion: "10.0.0-rc.6", effectiveTag: "v10.0.0-rc.4"; extraction-markitdown.test.ts no longer logs the "Ignoring bundled binary with incompatible metadata sidecar" warning that fires before this PR.
• CI matrix run on Linux. Windows symlink-permission failures in slot-helpers, migration, rollback, blue-green-integration, auto-update, etc. on the dev machine are pre-existing and unrelated to these files.
• Operator manual: with binary present, curl /api/status | jq '.extractionPipelines, .warnings' returns the full pipeline list and []. With binary deleted and daemon restarted, returns just text/markdown and a single markitdown_unavailable warning with remediation.
• Operator manual: curl /.well-known/skill.md | grep -i 'extraction pipelines' shows the Available line when the binary is present, and BOTH an Available and an Unavailable line (listing the 9 MIME types) when it is missing.
• PDF round-trip: import a PDF via POST /api/assertion/test-pdf/import-file → response carries extraction.status: "completed", pipelineUsed: "application/pdf", tripleCount > 0, and an mdIntermediateHash.

🤖 Generated with Claude Code

[github-actions]

🔴 Bug: bundleImplicitCurrentPlatform() now turns download problems into { status: 'failed' } instead of throwing, but this caller drops the result. In --current-platform mode that means the script exits 0 even when staging failed, unless --best-effort happens to be set. Please check the returned status here and throw on failure/unexpected outcomes so explicit runs still fail fast.

[Jurij89]

Fixed in cc8ab93. main() now inspects bundleImplicitCurrentPlatform's return value and throws when status === 'failed' unless --best-effort is set, so explicit pnpm run markitdown:bundle (no --best-effort) exits 1. Verified locally with --release-repo this-org-does-not-exist/dkg-fake: remediation message printed, then the new wrapper error, exit code 1. Postinstall (which sets --best-effort) still exits 0 with the warning, unchanged.

[github-actions]

🔴 Bug: this remediation tells operators to run pnpm --filter @origintrail-official/dkg run markitdown:bundle, but packages/cli/package.json only defines markitdown:build today. Following the warning will hit a missing-script error and leave extraction unavailable. Either add a real markitdown:bundle script or change this and the matching log/skill text to a command that actually exists.

[Jurij89]

Fixed in cc8ab93. Added "markitdown:bundle": "node ./scripts/bundle-markitdown-binaries.mjs --current-platform --force" to packages/cli/package.json. pnpm --filter @origintrail-official/dkg run markitdown:bundle now resolves, downloads the binary (using the workspace fallback if the local version is ahead of the latest published tag), and exits non-zero on failure — verified locally.

[github-actions]

🟡 Issue: this test title/comment says the fallback binary is staged, but the assertions only verify the failure path (status === 'failed'). That leaves the new fallback-staged branch effectively untested and makes the coverage misleading. Either exercise the happy path here or rename the test/comments to match the behavior being asserted.

[Jurij89]

Fixed in cc8ab93. Added an injectable buildReleaseUrl(version, repo) parameter to bundleImplicitCurrentPlatform so tests can redirect BOTH the primary and fallback URLs to a local mock server (previously the fallback path called releaseBaseUrl directly and hit github.com). Removed the weak-assertion variant. The new test workspace + version-tag 404 + injected URL builder stages the fallback binary with rewritten meta exercises the full happy path: 404 on version tag → fetchLatestTag returns the latest → fallback downloads → status === 'fallback-staged', binary present on disk, and (critical for issue #467) meta sidecar reports cliVersion: LOCAL with effectiveTag: LATEST_TAG so the daemon's converter check accepts it.

[github-actions]

Codex review skipped: filtered diff is 6748 lines (cap: 5,000). Please consider splitting this into smaller PRs for reviewability.