Fix bundled channel dist-runtime setup roots

[giodl73-repo]

Summary

• Resolve bundled generated entries from dist-runtime/extensions before falling back to source paths when packaged dist artifacts are absent.
• Use the matched dist-runtime bundled channel root as the setup-entry module boundary root instead of falling back to source extensions.
• Preserve the existing openRootFileSync containment/alias check and add regressions for packaged setup-entry loading.
• Repair current-main session-store validation test fixtures that now require persisted entries to carry valid sessionId metadata.

Fixes #77805.

Tests

• CI=1 node scripts/run-vitest.mjs src/plugins/bundled-plugin-metadata.test.ts src/channels/plugins/bundled.shape-guard.test.ts src/channels/plugins/read-only.test.ts src/channels/plugins/bundled-root-caches.test.ts
• CI=1 node scripts/run-vitest.mjs src/gateway/server.sessions.create.test.ts src/commands/doctor-heartbeat-session-target.test.ts src/auto-reply/reply/session.test.ts -t "replaces a dead main entry|uses runtime session canonicalization|scoped WhatsApp group entry only contains activation state"
• CI=1 node scripts/run-vitest.mjs src/plugins/bundled-plugin-metadata.test.ts src/channels/plugins/bundled.shape-guard.test.ts src/channels/plugins/read-only.test.ts src/channels/plugins/bundled-root-caches.test.ts src/gateway/server.sessions.create.test.ts src/commands/doctor-heartbeat-session-target.test.ts src/auto-reply/reply/session.test.ts -t "dist-runtime|replaces a dead main entry|uses runtime session canonicalization|scoped WhatsApp group entry only contains activation state"
• pnpm exec oxfmt --check --threads=1 src/plugins/bundled-plugin-metadata.ts src/plugins/bundled-plugin-metadata.test.ts src/channels/plugins/bundled.ts src/channels/plugins/bundled.shape-guard.test.ts src/gateway/server.sessions.create.test.ts src/commands/doctor-heartbeat-session-target.test.ts src/auto-reply/reply/session.test.ts
• git diff --check
• pnpm check:changed

Real behavior proof

Behavior or issue addressed:
Packaged bundled channel setup entries can resolve to dist-runtime/extensions/<channel>/setup-entry.js, but the bundled channel loader only recognized override and dist/extensions roots before falling back to source extensions/<channel>. That made the unchanged fs-safe module open check reject the setup entry as outside the selected plugin root, producing plugin module path escapes plugin root or fails alias checks.

Real environment tested:
Ubuntu 24.04 WSL source checkout at /root/src/openclaw-branches/base on branch fix-telegram-setup-windows-77805, using focused source-level regressions that exercise the real bundled generated path resolver and the real bundled setup-entry load path with a temporary packaged dist-runtime/extensions/alpha/setup-entry.js module.

Exact steps or command run after this patch:

1. Reverted only the production resolver changes locally while keeping the new regressions, then ran CI=1 node scripts/run-vitest.mjs src/plugins/bundled-plugin-metadata.test.ts src/channels/plugins/bundled.shape-guard.test.ts -t "dist-runtime".
2. Re-applied this patch and ran the same command.
3. Ran the focused bundled channel/plugin tests, current-main session fixture repair tests, and changed-file gate listed above.

Evidence after fix:
Before the production fix, the new regressions failed:

before_status=1
bundled.shape-guard.test.ts > uses dist-runtime as the boundary root for packaged setup entries
AssertionError: expected undefined to be 'Setup dist-runtime'

bundled-plugin-metadata.test.ts > uses dist-runtime generated paths before source fallback when packaged dist is absent
AssertionError: expected .../extensions/plugin/index.ts to be .../dist-runtime/extensions/plugin/index.js

After this patch, the same regressions passed:

after_status=0
Test Files  2 passed (2)
Tests  2 passed | 51 skipped (53)

Observed result after fix:
The generated setup-entry path resolves from dist-runtime/extensions, and the bundled channel setup loader checks that module against the matching dist-runtime/extensions/<channel> boundary root. The existing fs-safe openRootFileSync containment/alias validation remains the final enforcement point.

What was not tested:
No native Windows host was available in this run. AWS Crabbox proof was attempted but blocked by Crabbox infrastructure before command execution: one script transport exited 127, one lease never bootstrapped SSH, and one lease lost SSH after sync. The source proof targets the reported packaged-root mismatch without relaxing the security boundary.

[clawsweeper]

Codex review: needs real behavior proof before merge.

Summary
The PR adds dist-runtime/extensions generated-entry lookup and boundary-root selection for bundled channel setup modules, plus regression tests and current-main fixture repairs.

Reproducibility: Do we have a high-confidence way to reproduce the issue? No live current-main doctor run was performed in this read-only pass. Source inspection reaches the missing dist-runtime root path, and the linked issue provides concrete Windows and Ubuntu installed-release logs.

Real behavior proof
Needs real behavior proof before merge: The PR body shows before/after focused Vitest output only; before merge it still needs redacted packaged openclaw doctor or equivalent runtime proof, and updating the PR body should trigger re-review or a maintainer can comment @clawsweeper re-review. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, ask a maintainer to comment @clawsweeper re-review.

Next step before merge
The protected maintainer label and missing real packaged behavior proof require maintainer/contributor follow-up rather than an automated repair job.

Security
Cleared: The diff recognizes an additional packaged bundled-root case while preserving the existing fs-safe containment gate, and I found no concrete security or supply-chain regression.

Review details

Best possible solution:

Land the narrow resolver and boundary-root fix after maintainer review and real packaged doctor proof, then close the linked issue with the regression evidence.

Do we have a high-confidence way to reproduce the issue?

Do we have a high-confidence way to reproduce the issue? No live current-main doctor run was performed in this read-only pass. Source inspection reaches the missing dist-runtime root path, and the linked issue provides concrete Windows and Ubuntu installed-release logs.

Is this the best way to solve the issue?

Is this the best way to solve the issue? Yes, based on source review: recognizing the missing packaged runtime root while preserving openRootFileSync containment is narrower and safer than relaxing the boundary check.

What I checked:

• Live PR metadata blocks cleanup close: Live GitHub API data shows this PR is open, contributor-authored, head 7a717251d25f858e81ccb910f08e0030f8d73c75, and labeled maintainer; protected labels require explicit maintainer handling rather than cleanup closure. (7a717251d25f)
• Current main lacks the dist-runtime generated-entry fallback: On current main, listBundledPluginEntryBaseDirs checks scan dir, dist/extensions, then source extensions; it does not include dist-runtime/extensions before source fallback. (src/plugins/bundled-plugin-metadata.ts:231, df0d061c7a9c)
• Current main lacks dist-runtime boundary-root selection: On current main, bundled channel setup module boundary selection recognizes override roots and dist/extensions, then falls back to source extensions/<channel>, so a dist-runtime setup entry can be checked against the wrong root. (src/channels/plugins/bundled.ts:157, df0d061c7a9c)
• Containment remains the final loader gate: loadChannelPluginModule still opens generated modules through openRootFileSync and throws the reported plugin module path escapes plugin root or fails alias checks error on containment or alias failure. (src/channels/plugins/module-loader.ts:103, df0d061c7a9c)
• PR diff targets the implicated root mismatch: The PR adds dist-runtime/extensions to generated-entry base dirs and adds a matching dist-runtime/extensions/<channel> boundary root while still using the fs-safe module-open check. (src/channels/plugins/bundled.ts:161, 7a717251d25f)
• Linked issue has multi-platform reproduction context: The linked issue reports the Windows doctor setup-entry failure and a later Ubuntu 24.04 installed-release comment with the same boundary error for additional bundled channels.

Likely related people:

• @steipete: GitHub path history shows repeated recent work on bundled channel/plugin runtime files and the fs-safe extraction used by the final module-open boundary. (role: historical bundled-plugin runtime and fs-safe area contributor; confidence: high; commits: 538605ff44d2, b85b1c68d175, 9efa9419a9f6; files: src/channels/plugins/bundled.ts, src/channels/plugins/module-loader.ts, src/plugins/bundled-plugin-metadata.ts)
• @gumadeiras: Merged bundled setup runtime stabilization and doctor/plugin-path laziness work touched the same setup-entry and bundled runtime area. (role: bundled setup/runtime contributor; confidence: high; commits: 78ac1184274e, 66add9fcd96a; files: src/channels/plugins/bundled.ts, src/channels/plugins/bundled-root.ts, src/channels/plugins/module-loader.ts)
• @vincentkoc: Local blame on the reviewed checkout points the exact bundled resolver/root lines to a recent plugin cleanup commit, making this a useful routing signal even though deeper remote history is shared. (role: recent current-main line contributor; confidence: medium; commits: 0eef4c49f650, 6b2d418973bb; files: src/channels/plugins/bundled.ts, src/plugins/bundled-plugin-metadata.ts, src/channels/plugins/module-loader.ts)

Remaining risk / open question:

• No packaged Windows or Linux openclaw doctor proof is attached after the patch; the current proof is source-level Vitest output.
• The PR includes unrelated fixture repairs, so maintainer review should confirm the branch still rebases cleanly onto current main before landing.

Codex review notes: model gpt-5.5, reasoning high; reviewed against df0d061c7a9c.