fix(plugins): honor allowlist for bundled provider discovery

[steipete]

Summary

• replace PR fix(plugins): allowlist bundled provider discovery #77194 with one squashed commit on current main
• add plugins.bundledDiscovery so bundled provider discovery defaults to plugins.allow
• keep a documented compat mode plus doctor/config migration help for legacy configs
• preserve alias handling for allowlisted provider plugins and globally-disabled plugin configs

Verification

• pnpm test src/agents/models-config.providers.plugin-allowlist-compat.test.ts src/plugins/providers.test.ts src/plugins/web-provider-public-artifacts.fallback.test.ts src/commands/doctor-state-integrity.test.ts
• exact CI doctor shard: OPENCLAW_VITEST_SHARD_NAME=agentic-commands-doctor ... pnpm exec node scripts/test-projects.mjs test/vitest/vitest.commands.config.ts
• pnpm lint
• pnpm config:schema:check
• pnpm exec oxfmt --check --threads=1 src/commands/doctor-state-integrity.test.ts
• git diff --check origin/main...HEAD

Replaces #77194.
Closes #75575.

[steipete]

Closing this replacement: #77194 was already merged while I was trying to rewrite its detached head ref. This branch is based on the older pre-merge main, so keeping it open would only create a stale duplicate.

Canonical merged PR: #77194 (d3628792825956702be7a6253061b96d976c623d).

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f5e2ef4562

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Honor disabled bundled web-provider entries

When a bundled web-search/fetch plugin is still present in plugins.allow but the operator disables it with plugins.entries.<id>.enabled=false or blocks it with plugins.deny, this public-artifact fast path still returns the plugin because it filters only against the allowlist. Since callers return these artifact providers before invoking the normal loader/manifest policy, an explicitly disabled or denied bundled web provider can still be discovered at runtime in the new allowlist mode; the filter needs to apply the same base policy as provider discovery, not just plugins.allow.

Useful? React with 👍 / 👎.