fix(config): migrate bundled private-network aliases

[vincentkoc]

Summary

• make bundled channel public config canonical on network.dangerouslyAllowPrivateNetwork
• keep allowPrivateNetwork as compat-only input via channel doctor normalization on load
• preserve existing private-network opt-in semantics; no posture change
• centralize shared alias handling in the plugin SDK SSRF helper and refresh generated config metadata

Channels

• Matrix
• Mattermost
• BlueBubbles
• Nextcloud Talk
• Tlon

Verification

• git diff --check
• pnpm plugin-sdk:api:gen
• pnpm config:channels:gen
• pnpm config:docs:gen
• pnpm plugin-sdk:api:check
• pnpm config:channels:check
• pnpm config:docs:check
• pnpm build
• direct node --import tsx smoke for helper + all five doctor adapters

Notes

• Vitest wrapper in this worktree remained unreliable under low-disk pressure, so I did not claim a green scoped test lane I could not observe finishing.
• Existing false / unset posture is preserved. Only explicit opt-in continues to emit private-network SSRF allowance.

[greptile-apps]

Greptile Summary

This PR centralizes private-network opt-in semantics across five bundled channel plugins (Matrix, BlueBubbles, Mattermost, Nextcloud Talk, Tlon) by making network.dangerouslyAllowPrivateNetwork the canonical public config key and keeping the legacy flat allowPrivateNetwork key as a compat-only input that is auto-migrated on load via channel doctor normalization.

Key changes:

• src/plugin-sdk/ssrf-policy.ts adds migrateLegacyFlatAllowPrivateNetworkAlias (migrates flat key → nested key using OR semantics to preserve the most permissive posture when both keys exist) and expands isPrivateNetworkOptInEnabled/PrivateNetworkOptInInput to recognize both key forms simultaneously.
• src/plugin-sdk/ssrf-runtime.ts exports the new migration helpers through the public SDK surface so extensions can import them via openclaw/plugin-sdk/ssrf-runtime.
• All five channel extensions receive new or updated ChannelDoctorAdapter.normalizeCompatibilityConfig implementations that call migrateLegacyFlatAllowPrivateNetworkAlias at both the top-level and per-account scopes.
• Type definitions (types.ts) and config schemas (config-schema.ts) for each extension now only declare network.dangerouslyAllowPrivateNetwork; the legacy key is handled at the doctor/compat layer, not the schema layer.
• extensions/matrix/src/matrix/config-update.ts — MatrixAccountPatch.allowPrivateNetwork retains the clean patch-API name but updateMatrixAccountConfig now writes to network.dangerouslyAllowPrivateNetwork under the hood.
• Four of the five channels (all except Mattermost) received new doctor.test.ts files verifying the migration produces the correct output for both the top-level and account-level scopes.
• The migration is backward-compatible: existing false/unset posture is preserved, and only an explicit true opt-in continues to emit private-network SSRF allowance at runtime.

Confidence Score: 4/5

Safe to merge — the migration is backward-compatible, preserves existing private-network opt-in semantics, and the core logic is well-tested.

The implementation is consistent across all five channel adapters, the OR-based migration logic handles all realistic config combinations correctly, and isPrivateNetworkOptInEnabled correctly handles both legacy and canonical keys during the transition window. Score docked one point because the Mattermost doctor's normalizeCompatibilityConfig function has no corresponding test while all other four channels do, and the PR author noted that the Vitest lane was unreliable during authoring.

extensions/mattermost/src/doctor.ts — the only changed doctor file without a corresponding test. src/plugin-sdk/ssrf-policy.test.ts — minor gap in the conflict-case test matrix.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: extensions/mattermost/src/doctor.ts
Line: 77-142

Comment:
**Missing doctor test for Mattermost**

All four other channels modified in this PR (Matrix, BlueBubbles, Nextcloud Talk, Tlon) received new or updated `doctor.test.ts` files covering the `normalizeCompatibilityConfig` migration. Mattermost's `normalizeMattermostCompatibilityConfig` function is new in this PR but has no corresponding test.

This isn't a correctness issue — the implementation mirrors the other four adapters — but it's a coverage gap that is inconsistent with the rest of the PR. A minimal smoke test like the ones added for the other channels would confirm the top-level and account-level migrations both produce the expected output (e.g., `allowPrivateNetwork: true` → `network.dangerouslyAllowPrivateNetwork: true`).

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: src/plugin-sdk/ssrf-policy.test.ts
Line: 134-153

Comment:
**Conflict case only tested in one direction**

The existing test covers `{ allowPrivateNetwork: true, network: { dangerouslyAllowPrivateNetwork: false } }` → `true` (legacy wins over new-key `false`). The symmetric case — `{ allowPrivateNetwork: false, network: { dangerouslyAllowPrivateNetwork: true } }` → `true` (new key wins over legacy `false`) — is not covered but is equally valid. Both branches exercise the same OR logic, and the omission is unlikely to hide a bug, but adding the reverse case would make the test table complete and the contract explicit.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "Merge branch 'main' into vk/allow-privat..." | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 393af03cc8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 92b01313d3

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Honor explicit false when migrating conflicting network keys

When both allowPrivateNetwork and network.dangerouslyAllowPrivateNetwork are present, this migration collapses them with a boolean OR, which can silently turn a disabled config into enabled private-network access. In mixed/stale configs (for example legacy allowPrivateNetwork: false plus a leftover/new network.dangerouslyAllowPrivateNetwork: true), upgrade now rewrites to true, widening SSRF scope unexpectedly. The conflict resolution should be deterministic (prefer one source key) rather than OR-merging.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: be33869ec7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".