plugins: Allow trusted plugin keyed state

[bek91]

Summary

Fixes #83762.

This PR allows runtime.state.openKeyedStore() for trusted official plugin installs in addition to bundled plugins. That keeps untrusted global/workspace plugins blocked while letting official externalized channel plugins such as Slack, Discord, Matrix, and MS Teams use their existing host-backed persistent state when installed globally.

Root Cause

The plugin runtime proxy only allowed keyed state for records with origin === "bundled". Official channel plugins can now be loaded as trusted global installs, so their persistent state paths caught the runtime error and degraded to in-memory state.

Changes

• Permit keyed state when record.trustedOfficialInstall === true.
• Update the runtime error wording from bundled-only to trusted-plugin access.
• Add coverage for trusted global access and untrusted global/workspace rejection.

Validation

• pnpm exec vitest run src/plugin-state/plugin-state-store.runtime.test.ts extensions/slack/src/sent-thread-cache.test.ts extensions/discord/src/components.test.ts extensions/matrix/src/approval-reactions.test.ts extensions/msteams/src/sent-message-cache.test.ts
• pnpm test:contracts:plugins
• pnpm test:contracts:channels
• pnpm check
• codex review --base origin/main (no findings)

AI Assistance

This PR was prepared with Codex assistance. I reviewed the diff and validation results before submission.

[clawsweeper]

Codex review: needs real behavior proof before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
This PR lets runtime.state.openKeyedStore() accept trusted official plugin installs in addition to bundled plugins, with focused runtime tests for trusted and untrusted origins.

Reproducibility: yes. from source inspection: current main rejects non-bundled openKeyedStore() calls, while the Slack thread participation cache calls that API and official external installs can be global. I did not run a live Slack reproduction in this read-only review.

PR rating
Overall: 🧂 unranked krab
Proof: 🧂 unranked krab
Patch quality: 🐚 platinum hermit
Summary: The code change is small and well-targeted, but missing real behavior proof keeps the PR below merge-ready quality.

Rank-up moves:

• Add real Slack or trusted global-plugin proof showing keyed state persists after the patch, with private IDs, tokens, phone numbers, endpoints, and workspace details redacted.
• Update the SDK runtime docs warning from bundled-only to the new trusted-plugin access rule.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

PR egg
🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature, rarity, or ASCII portrait is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.

Real behavior proof
Needs real behavior proof before merge: The PR body provides test/check commands but no after-fix real Slack or trusted global-plugin proof; add redacted live output, logs, terminal screenshot, screenshot/video, or linked artifact, then update the PR body to trigger review.

Mantis proof suggestion
A real Slack thread follow-up after a trusted global plugin install would materially prove the user-visible fix better than unit tests alone. A maintainer can ask Mantis to capture proof by posting a new PR comment that starts with the OpenClaw Mantis account mention, followed by:

slack desktop smoke: verify a trusted global Slack plugin records thread participation after an explicit mention and later unmentioned thread replies are eligible for response.

Risk before merge
Why this matters: - The PR body lists tests and checks only; it does not include a real Slack/global-plugin run, terminal output, redacted logs, screenshot, recording, or artifact showing persistent thread participation works after the patch.

• The SDK runtime docs still describe keyed stores as bundled-only, which would be inaccurate once trusted official external installs are allowed.

Maintainer options:

1. Decide the mitigation before merge
   Land the runtime gate after aligning the public SDK wording and adding real Slack or trusted global-plugin proof that persistence works while untrusted plugins remain blocked.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge
This needs contributor-supplied real behavior proof and protected-label maintainer handling, not an automated repair lane.

Security
Cleared: No concrete security regression found: access is widened only for the existing trusted official install flag, and the PR keeps untrusted global/workspace rejection coverage.

Review findings

• [P3] Update the keyed-state access contract docs — src/plugins/registry.ts:2424-2426

Review details

Best possible solution:

Land the runtime gate after aligning the public SDK wording and adding real Slack or trusted global-plugin proof that persistence works while untrusted plugins remain blocked.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection: current main rejects non-bundled openKeyedStore() calls, while the Slack thread participation cache calls that API and official external installs can be global. I did not run a live Slack reproduction in this read-only review.

Is this the best way to solve the issue?

Mostly yes: using the existing trustedOfficialInstall contract is the narrow owner-boundary fix, but the public SDK docs and real behavior proof need to catch up before merge.

Label justifications:

• P1: The linked regression breaks a real Slack channel workflow by losing persistent thread participation for official external global installs.

Full review comments:

• [P3] Update the keyed-state access contract docs — src/plugins/registry.ts:2424-2426
  This widens openKeyedStore() from bundled-only to trusted official installs, but docs/plugins/sdk-runtime.md still tells plugin authors it is "Bundled plugins only in this release." Please update that public SDK warning so the docs match the new trusted-plugin contract.
  Confidence: 0.84

Overall correctness: patch is correct
Overall confidence: 0.86

What I checked:

• Current main gate: Current main only allows keyed plugin state when the runtime record origin is bundled, which matches the linked report's root-cause path for official external plugins loaded as global. (src/plugins/registry.ts:2424, d124c5aa2005)
• PR implementation: The PR changes the runtime check to allow records where trustedOfficialInstall === true while preserving the existing throw path for other non-bundled records. (src/plugins/registry.ts:2424, df4a8a854c00)
• Trust contract source: trustedOfficialInstall is derived from global/config candidates that match recorded installs and the official external plugin catalog, not from plugin manifest self-assertion. (src/plugins/manifest-registry.ts:779, d124c5aa2005)
• Regression coverage in PR: The PR adds coverage for a trusted global plugin successfully registering and looking up keyed state, plus continued rejection for untrusted workspace and global plugins. (src/plugin-state/plugin-state-store.runtime.test.ts:95, df4a8a854c00)
• Affected Slack path: Slack thread participation persistence opens a keyed store, so current main's bundled-only gate explains the reported global-plugin fallback to in-memory state. (extensions/slack/src/sent-thread-cache.ts:74, 1912be8619fb)
• Docs mismatch: The public SDK runtime documentation still says keyed stores are bundled-plugin-only, which becomes stale after this PR's trusted official install behavior. Public docs: docs/plugins/sdk-runtime.md. (docs/plugins/sdk-runtime.md:527, d124c5aa2005)

Likely related people:

• Krzysztof Probola: Blame on the current plugin runtime state proxy and isTrustedOfficialPluginInstall helper points to commit 1912be8619fbd874e27c67b1e967161b273cff18. (role: introduced current runtime/trust plumbing in local history; confidence: medium; commits: 1912be8619fb; files: src/plugins/registry.ts, src/plugins/manifest-registry.ts)
• Peter Steinberger: Recent history around the affected Slack cache and official/trusted plugin install area includes release and trusted catalog/externalization work by this author. (role: recent adjacent contributor; confidence: medium; commits: 50a2481652b6, a86c43e1fd88, e1da91791abf; files: extensions/slack/src/sent-thread-cache.ts, src/commands/channel-setup/trusted-catalog.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against d124c5aa2005.

[bek91]

Screenshot with post fix proof. First image is before fix, second image is after (gateway was restarted between user and agent msg to show its not a in session store)