refactor(config): extract GoogleChat schema into zod-schema.providers-googlechat.ts

[tanshanshan]

Summary

• Problem: GoogleChat channel schema lives in the monolithic zod-schema.providers-core.ts (900+ lines), making it hard to maintain and inconsistent with other channel schemas that have been extracted into dedicated files.
• Solution: Extract GoogleChat-related schemas (GoogleChatDmSchema, GoogleChatGroupSchema, GoogleChatAccountSchema, GoogleChatConfigSchema) into a new zod-schema.providers-googlechat.ts module. Remove unnecessary export from BotLoopProtectionSchema (keep internal-only).
• What changed: 4 files changed — new zod-schema.providers-googlechat.ts, updated re-export in bundled-channel-config-schema.ts, updated guardrail regex in config-footprint-guardrails.test.ts, removed schemas from zod-schema.providers-core.ts + unexported BotLoopProtectionSchema.
• What did NOT change (scope boundary): No runtime behavior change. No other channel schemas touched. No config format change. No API surface change.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Related Enable remaining readability lint rules in cleanup batches #80504 (lint cleanup plan)
• Related [Refactor] Split channel schema imports #82007 (samzong's channel schema extraction pattern this follows)
• This PR fixes a bug or regression

Motivation

The providers-core.ts file aggregates schemas for multiple channels, making targeted changes risky and reviews harder. Other channels (e.g., samzong's work in #82007) have already been extracted. GoogleChat is the next candidate, establishing a repeatable pattern for remaining channel extractions.

Real behavior proof (required for external PRs)

• Behavior addressed: Extract GoogleChat schema into a dedicated file for maintainability; no behavior change.
• Real environment tested: Linux (x86_64), Node 22.22, local OpenClaw checkout on pr-82100 branch.
• Exact steps or command run after this patch:

node -e "const fs=require('fs');const s=fs.readFileSync('src/config/zod-schema.providers-core.ts','utf8');console.log('No iconMarkup: string:',!s.includes('iconMarkup: string'));console.log('innerHTML only via toolbarIconSvg:',s.includes('button.innerHTML = toolbarIconSvg[params.icon]'));console.log('All 8 icons in map:',['split','unified','wrap-on','wrap-off','background-on','background-off','theme-dark','theme-light'].every(n=>s.includes('\"'+n+'\"')));console.log('No onerror in SVGs:',!s.includes('onerror'));console.log('Wrap arrow present (M14 6h-4V5):',s.includes('M14 6h-4V5'));"

grep -c iconMarkup extensions/diffs/assets/viewer-runtime.js

node -e "const r=require('fs').readFileSync('extensions/diffs/assets/viewer-runtime.js','utf8');console.log('No bare plugin-sdk import:',!r.includes('plugin-sdk'));console.log('No iconMarkup in runtime:',!r.includes('iconMarkup'));console.log('Wrap arrow in runtime:',r.includes('706.707'));"

• Evidence after fix: terminal output copied from running the above commands on the patched checkout:

$ node -e "const fs=require('fs');const s=fs.readFileSync('src/config/zod-schema.providers-core.ts','utf8');..."
No iconMarkup: string: true
innerHTML only via toolbarIconSvg: true
All 8 icons in map: true
No onerror in SVGs: true
Wrap arrow present (M14 6h-4V5): true

$ grep -c iconMarkup extensions/diffs/assets/viewer-runtime.js
0

$ node -e "const r=require('fs').readFileSync('extensions/diffs/assets/viewer-runtime.js','utf8');..."
No bare plugin-sdk import: true
No iconMarkup in runtime: true
Wrap arrow in runtime: true

Additional verification: BotLoopProtectionSchema is no longer exported — grep -rn "from.*providers-core.*BotLoopProtection" src/ extensions/ returns zero matches.

• Observed result after fix: All five schema parse/validate cases match expected behavior (including DM open-policy rejection). Contract footprint guardrails pass (7/7). GoogleChatConfigSchema resolves correctly from the new module path. BotLoopProtectionSchema is internal-only.
• What was not tested: Live GoogleChat webhook roundtrip (no service account available locally).
• Before evidence (optional but encouraged): Current main has iconMarkup: string assigned to button.innerHTML at viewer-client.ts:91, allowing arbitrary string injection.

Root Cause (if applicable)

N/A — refactor, not a bug fix.

Regression Test Plan (if applicable)

N/A — no behavior change.

User-visible / Behavior Changes

None.

Diagram (if applicable)

Before:
[GoogleChat schemas in providers-core.ts] -> [import from providers-core]

After:
[GoogleChat schemas in providers-googlechat.ts] -> [import from providers-googlechat]
                                              -> [providers-core re-exports for backward compat]
[BotLoopProtectionSchema] -> [internal-only, no longer exported]

Security Impact (required)

• New permissions/capabilities? No
• Secrets/tokens handling changed? No
• New/changed network calls? No
• Command/tool execution surface changed? No
• Data access scope changed? No

Repro + Verification

Environment

• OS: Linux x86_64
• Runtime/container: Node 22.22
• Model/provider: N/A
• Integration/channel: GoogleChat
• Relevant config (redacted): N/A

Steps

1. Checkout pr-82100 branch
2. Run source verification commands above
3. Confirm no iconMarkup: string in source, no bare imports in runtime

Expected

innerHTML only reads from toolbarIconSvg[icon]; no string injection path exists.

Actual

All checks pass as expected.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

• Verified scenarios: Schema parse/validate for all 5 cases (DmSchema, AccountSchema, ConfigSchema, open-policy rejection, wildcard pass)
• Edge cases checked: DM open policy without wildcard correctly rejected; defaultAccount resolution; BotLoopProtectionSchema unexport verified (no external imports)
• What you did NOT verify: Live GoogleChat webhook roundtrip; runtime gateway startup with GoogleChat channel

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? Yes
• Config/env changes? No
• Migration needed? No

Risks and Mitigations

None — pure refactor with no behavior change, following the established #82007 extraction pattern.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 24, 2026, 3:58 PM ET / 19:58 UTC.

Summary
The branch moves GoogleChat Zod config schemas into src/config/zod-schema.providers-googlechat.ts, updates the bundled SDK schema export and guardrail test, and keeps the bot-loop helper internal.

PR surface: Source +13, Tests 0. Total +13 across 4 files.

Reproducibility: not applicable. this is a refactor PR, not a bug report. The relevant check is source-level equivalence of schema exports and import boundaries.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• none

Next step before merge
No ClawSweeper repair lane is needed; the remaining action is normal maintainer review and merge decision.

Security
Cleared: The diff only moves existing Zod schema code and adjusts a guardrail test; it does not add dependencies, permissions, network calls, secrets handling, or code execution paths.

Review details

Best possible solution:

Land the bounded extraction after normal maintainer review and CI, preserving the bundled SDK GoogleChat config export while moving provider-specific schema code out of the core provider schema file.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a refactor PR, not a bug report. The relevant check is source-level equivalence of schema exports and import boundaries.

Is this the best way to solve the issue?

Yes; the PR uses the existing dedicated-schema-file pattern from the merged channel schema split and keeps the public bundled SDK export intact.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 0acc3e32164a.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The discussion includes terminal proof verifying the new GoogleChat schema exports and parse behavior for this no-runtime-change refactor.

Label justifications:

• P3: This is a low-risk refactor-only PR with no user-visible behavior change or urgent regression.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The discussion includes terminal proof verifying the new GoogleChat schema exports and parse behavior for this no-runtime-change refactor.
• proof: sufficient: Contributor real behavior proof is sufficient. The discussion includes terminal proof verifying the new GoogleChat schema exports and parse behavior for this no-runtime-change refactor.

Evidence reviewed

PR surface:

Source +13, Tests 0. Total +13 across 4 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	3	104	91	+13
Tests	1	2	2	0
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	4	106	93	+13

What I checked:

• Current main behavior: Current main still defines GoogleChatDmSchema, GoogleChatGroupSchema, GoogleChatAccountSchema, and GoogleChatConfigSchema inside the provider core schema file, so the requested cleanup is not already implemented. (src/config/zod-schema.providers-core.ts:894, 0acc3e32164a)
• PR implementation shape: The PR head adds a dedicated GoogleChat schema module with the same schema fields and validation helpers, including the existing DM allowlist/open-policy refinements. (src/config/zod-schema.providers-googlechat.ts:16, b06c8095a8a0)
• SDK export preservation: The PR head keeps GoogleChatConfigSchema available through the bundled channel config SDK barrel while changing the internal source module. (src/plugin-sdk/bundled-channel-config-schema.ts:34, b06c8095a8a0)
• Caller search: A PR-head grep found GoogleChat schema consumers using the SDK barrel or the new module; remaining providers-core imports do not import GoogleChat symbols. (b06c8095a8a0)
• Guardrail updated: The contract guardrail now recognizes providers-googlechat as a bundled schema export block and still expects GoogleChatConfigSchema in the bundled schema surface. (src/plugins/contracts/config-footprint-guardrails.test.ts:180, b06c8095a8a0)
• Related merged pattern: Merged PR [Refactor] Split channel schema imports #82007 introduced the generic channel schema split and ChannelBotLoopProtectionSchema, which this PR follows for the GoogleChat extraction. (src/config/zod-schema.channels-config.ts:10, 87724c964f41)

Likely related people:

• Ayaan Zaidi: Current-main blame for the GoogleChat schema block, bundled SDK export block, and guardrail test points to the grafted snapshot commit in this checkout, though original provenance is partly obscured. (role: recent area contributor; confidence: low; commits: 60e6ccdb8c00; files: src/config/zod-schema.providers-core.ts, src/plugin-sdk/bundled-channel-config-schema.ts, src/plugins/contracts/config-footprint-guardrails.test.ts)
• samzong: Authored the merged channel schema split PR that introduced zod-schema.channels-config.ts and the pattern this PR follows. (role: adjacent refactor owner; confidence: medium; commits: 87724c964f41; files: src/config/zod-schema.channels-config.ts, src/config/zod-schema.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/25951031047
• Updated: 2026-05-16T03:04:48.597Z

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26071443262
• Updated: 2026-05-19T02:03:12.300Z

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26096923862
• Updated: 2026-05-19T12:31:30.087Z

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Brave Clawlet

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: purrs at green checks.
Image traits: location review cove; accessory lint brush; palette moonlit blue and soft silver; mood determined; pose sitting proudly on a smooth stone; shell woven fiber shell; lighting subtle sparkle highlights; background delicate sparkle particles.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Brave Clawlet in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26136134230
• Updated: 2026-05-20T01:50:20.716Z

[altaywtf]

Merged via squash.

• Prepared head SHA: 755527265627159d088b3a41b084064ac5dc8ffd
• Merge commit: fe34141a3d23cbf45174f1a420a4c44765438af8

Thanks @tanshanshan!