fix(line): precheck outbound LINE media size

[masatohoshino]

Summary

Outbound LINE media (image / video / audio / preview) currently returns
success from pushMessage / replyMessage even when the URL body is
larger than the LINE platform cap; LINE rejects the URL asynchronously
after our call returns, so the caller sees no failure but the recipient
never receives the message.

This PR adds a local size precheck on every outbound LINE media call
site. Hosts that don't expose Content-Length continue to work
unchanged (soft-fail, pass through).

Behavior change

• Add LINE_OUTBOUND_MEDIA_MAX_BYTES per role (caps documented at the
  LINE Messaging API reference,
  verified 2026-05-20) and precheckLineOutboundMediaSize in
  extensions/line/src/outbound-media.ts. The helper issues a HEAD via
  the existing fetchWithSsrFGuard (5 s, requireHttps, mode: "strict", LINE_OUTBOUND_MEDIA_SSRF_POLICY —
  allowPrivateNetwork: false).
• Hard-fail only on HTTP 200 or 206 with Content-Length > cap.
  All other statuses (2xx without a usable body length, 3xx, 4xx,
  5xx, network error) take the soft-fail branch and pass through;
  the size contract is only enforceable when the host advertises a
  concrete Content-Length alongside a 200/206 response.
• Wire the precheck next to every existing validateLineMediaUrl site:
  resolveLineOutboundMedia, the video / audio / image branches of
  sendMessageLine, and pushImageMessage. previewImageUrl is
  always checked against the stricter 1 MiB preview cap.
• Implicit-preview image path: in the image branch, both
  resolveLineOutboundMedia and pushImageMessage default
  previewImageUrl to originalContentUrl. An image between 1 MiB and
  10 MiB therefore passed the local image cap but was rejected later by
  LINE's preview cap. After this PR the implicit case binds against
  the preview cap first.
• Dedupe: when previewImageUrl === mediaUrl (explicit or via the
  implicit fallback), the helper issues a single HEAD probe and
  evaluates it against the stricter preview cap.

Files

LINE-channel-local; no shared SDK, core, or cross-channel surface is
touched.

extensions/line/src/outbound-media.ts       (+114 / -2)   production
extensions/line/src/send.ts                 (+25  / -2)   production
extensions/line/src/outbound-media.test.ts  (+308)        unit tests
extensions/line/src/send.test.ts            (+165)        unit tests

Production change is approximately +139 LOC; the remaining
+471 LOC is unit tests covering cap math (per role, inclusive
boundary), soft-fail branches (probe error, non-2xx, missing /
malformed / negative Content-Length), equal-URL dedupe, and the
implicit-preview fallback in both resolveLineOutboundMedia and
pushImageMessage. The overall diff size therefore reflects test
coverage rather than production surface area, and the production
change is confined to extensions/line/src/**.

Non-Scope

• No changes to src/media/** or src/plugin-sdk/**. Independent of
  fix(media): add shared media MIME validation helpers #76566 (MIME helpers — no file overlap).
• No new account-level config knob.
• Format / dimensions / duration validation. Only size is gated.
• The adapter (extensions/line/src/outbound.ts, untouched) chains
  resolveLineOutboundMedia → sendMessageLine. Both layers precheck,
  so the kind-aware adapter path issues two HEAD probes per media URL.
  This matches the existing topology used by validateLineMediaUrl
  (same call sites, same duplication), and collapsing it requires
  touching outbound.ts which is out of scope for this size-cap PR.
• Quick-reply inline media: the generic quick-reply inline image
  branch in extensions/line/src/outbound.ts (the path that pushes an
  image object directly when no LINE-specific media options are
  present) is intentionally not covered by this precheck. Scope
  here is restricted to outbound image / video / audio / preview URL
  precheck reachable through sendMessageLine, pushImageMessage,
  and resolveLineOutboundMedia. A follow-up PR can extend the
  precheck to the quick-reply inline branch if maintainers want full
  outbound coverage.

Verification

Gate	Result
vitest extensions/line/src/outbound-media.test.ts	39 / 39 passed
vitest extensions/line/src/send.test.ts	19 / 19 passed
node scripts/test-projects.mjs --changed upstream/main	exit 0 (typecheck, oxlint, runtime import cycles, all guards)

Real behavior proof

Behavior addressed: outbound LINE media (image / video / audio /
preview) URLs whose body exceeds the LINE platform cap previously
returned success from pushMessage / replyMessage while LINE
rejected the URL asynchronously, so the recipient never received the
message. The new precheck makes this fail locally with a descriptive
error before the LINE API call is issued.

Real environment tested: live LINE Messaging API channel against a
1:1 chat target, using extensions/line/src/runtime-api.ts exported
helpers from the rebuilt worktree (dist/extensions/line/runtime-api.js).
Media fixtures were hosted on a short-lived Cloudflare quick-tunnel,
which was torn down after the proof window. The fixture host only
served three deterministic byte-length files (small valid, mid
between 1 MiB and 10 MiB, and over 10 MiB).

Exact steps or command run after this patch:

1. Build the worktree (pnpm build).
2. Start the fixture host: python3 -m http.server 18890 --bind 127.0.0.1.
3. Open the public URL via cloudflared tunnel --url http://127.0.0.1:18890.
4. Source runtime/secrets/.env to populate LINE_CHANNEL_ACCESS_TOKEN / LINE_CHANNEL_SECRET.
5. Run a driver that imports dist/extensions/line/runtime-api.js and calls sendMessageLine / pushImageMessage with each of cases A / B / C / D below.

Evidence after fix: cases B, C, D fail locally with the redacted
runtime log output captured below (terminal output from
node driver.mjs against the rebuilt worktree's
dist/extensions/line/runtime-api.js); client.pushMessage is not
invoked in those cases. Case A succeeds end-to-end with the LINE app
receiving the message. The fixture-host access log tail confirms
exactly 1 HEAD per distinct URL, and 0 HEADs on the rejected payload
for soft-fail.

$ node driver.mjs B
Error: LINE image media must be ≤10485760 bytes (got 14545753 bytes from <FIXTURE_HOST>/image-overcap.png)

$ node driver.mjs C
Error: LINE preview media must be ≤1048576 bytes (got 1489176 bytes from <FIXTURE_HOST>/mid-preview-overcap.jpg)

$ node driver.mjs D
Error: LINE preview media must be ≤1048576 bytes (got 1489176 bytes from <FIXTURE_HOST>/mid-preview-overcap.jpg)

Observed result after fix:

• Case A — sendMessageLine image, previewImageUrl === mediaUrl, file = 3 116 B → LINE app received the message. Origin log: 1 HEAD (equal-URL dedupe) followed by LINE-side GET.
• Case B — sendMessageLine image, originalContentUrl 14 545 753 B (> 10 MiB) + valid small preview → local image-cap error; client.pushMessage not called. Origin log: 1 HEAD on the over-cap original, no preview HEAD, no LINE-side GET.
• Case C — sendMessageLine image, valid small originalContentUrl + previewImageUrl 1 489 176 B (between 1 MiB and 10 MiB) → local preview-cap error; client.pushMessage not called.
• Case D — sendMessageLine image, previewImageUrl === mediaUrl, shared file 1 489 176 B → local preview-cap error; exactly 1 HEAD for the shared URL (dedupe preserved, stricter cap applied).

What was not tested:

• Live > 200 MB video send (same code path as image; the cap math is locked by outbound-media.test.ts with a synthetic Content-Length: 209715201 HEAD response).
• Live extensions/line/src/outbound.ts adapter path; the precheck behavior is identical to the direct sendMessageLine path proven above.
• Group / room targets live; the precheck is target-agnostic.
• Live re-capture against the implicit-preview commit; that commit only widens the existing preview-cap call site to the implicit fallback path and is covered by new unit asserts in both outbound-media.test.ts and send.test.ts.
• pushImageMessage (previewImageUrl === originalContentUrl shared-file case) live capture is not included in the redacted fenced block above; its preview-cap rejection is covered by unit test send.test.ts pushImageMessage preview-cap rejection, which asserts the same shape as the live sendMessageLine Case D above.
• Quick-reply inline media path (see Non-Scope); this PR does not exercise that branch in either unit or live testing.

Appendix: caps, test additions

Cap values (verified at the LINE Messaging API reference linked above
on 2026-05-20):

Role	Cap (bytes)
image originalContentUrl	10 485 760 (10 MiB)
video originalContentUrl	209 715 200 (200 MiB)
audio originalContentUrl	209 715 200 (200 MiB)
previewImageUrl (image / video)	1 048 576 (1 MiB)

Test additions:

• Preview-cap commit: 4 asserts in outbound-media.test.ts (explicit-preview rejection in resolveLineOutboundMedia, equal-URL shared-file rejection, kind=preview unit-level rejection, kind=preview inclusive boundary); 2 asserts in send.test.ts (sendMessageLine image branch preview-cap rejection, pushImageMessage preview-cap rejection).
• Implicit-preview commit: 1 assert in outbound-media.test.ts (implicit previewImageUrl = mediaUrl fallback in resolveLineOutboundMedia); 1 assert in send.test.ts (pushImageMessage implicit fallback).

Secrets and the recipient userId were redacted in any captured
artifact via driver-side substitution; no credentials are committed.

[clawsweeper]

Codex review: needs maintainer review before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR adds LINE-local Content-Length HEAD prechecks for outbound image, video, audio, and preview URLs plus regression tests in the LINE send and outbound-media helpers.

Reproducibility: yes. from source inspection and the LINE platform contract. Current main validates outbound LINE media URLs but does not precheck Content-Length before push/reply calls, so over-cap media can still be handed to LINE and fail outside OpenClaw's returned result.

PR rating
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Summary: Good normal PR: the implementation is focused and well covered, with strong live proof for the main flow and merge-risk tradeoffs left for maintainers.

Rank-up moves:

• none

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (live_output): The PR body includes redacted live LINE Messaging API output for under-cap delivery and over-cap local rejection, with unit coverage for the latest implicit-preview edge.

Risk before merge

• Each new guarded HEAD probe can add up to 5 seconds per checked media URL; the LINE-specific adapter path can still probe in both resolveLineOutboundMedia and sendMessageLine.
• Known over-cap Content-Length responses, and inaccurate over-cap headers, now fail locally instead of attempting the LINE send that current OpenClaw would hand off.
• The gateway now performs a public HTTPS HEAD request before LINE fetches the media URL; the SSRF guard mitigates private-network targets, but maintainers should accept the extra outbound egress behavior.
• Generic quick-reply inline image media without LINE-specific options remains outside this PR, so full outbound LINE coverage would need a follow-up.

Maintainer options:

1. Accept the guarded precheck tradeoff (recommended)
   Maintainers can merge the current fail-closed-on-known-over-cap behavior because it turns known asynchronous LINE media drops into local errors.
2. Deduplicate adapter probes before merge
   If the extra latency is too high for LINE-specific adapter sends, carry the prepared size-check result across resolveLineOutboundMedia and sendMessageLine first.
3. Split full quick-reply coverage
   If generic quick-reply inline media needs the same guard, open or link a narrow follow-up instead of widening this PR late.

Next step before merge
The remaining action is maintainer review and explicit risk acceptance, not a narrow automated repair.

Security
Cleared: The diff adds guarded HTTPS-only HEAD probes through the existing SSRF fetch guard and does not change dependencies, workflows, credentials, or package resolution.

Review details

Best possible solution:

Land the LINE-local guarded precheck if maintainers accept the compatibility, egress, and latency tradeoffs, and track generic quick-reply inline coverage separately if full outbound coverage is required.

Do we have a high-confidence way to reproduce the issue?

Yes, from source inspection and the LINE platform contract. Current main validates outbound LINE media URLs but does not precheck Content-Length before push/reply calls, so over-cap media can still be handed to LINE and fail outside OpenClaw's returned result.

Is this the best way to solve the issue?

Mostly yes. A plugin-local guarded HEAD precheck uses the existing SSRF guard and keeps the fix near the LINE send paths; the only maintainer choice is accepting the local fail-closed and latency tradeoffs or asking for adapter probe deduping first.

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes redacted live LINE Messaging API output for under-cap delivery and over-cap local rejection, with unit coverage for the latest implicit-preview edge.

Label justifications:

• P2: This is a normal-priority LINE-channel delivery bug fix with a limited plugin-local blast radius.
• merge-risk: 🚨 compatibility: The new known-over-cap branch can make callers receive local errors for URLs current OpenClaw would still attempt to send.
• merge-risk: 🚨 message-delivery: The change intentionally suppresses sends that appear over LINE caps, while one generic quick-reply inline media path remains uncovered.
• merge-risk: 🚨 availability: The added HEAD probes can add up to 5 seconds per checked media URL and may be duplicated on the LINE-specific adapter path.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🦞 diamond lobster, patch quality is 🐚 platinum hermit, and Good normal PR: the implementation is focused and well covered, with strong live proof for the main flow and merge-risk tradeoffs left for maintainers.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes redacted live LINE Messaging API output for under-cap delivery and over-cap local rejection, with unit coverage for the latest implicit-preview edge.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes redacted live LINE Messaging API output for under-cap delivery and over-cap local rejection, with unit coverage for the latest implicit-preview edge.

What I checked:

• Current main only validates media URL shape and hostname: On current main, validateLineMediaUrl checks URL parsing, HTTPS, 2000-character length, and the original hostname through the LINE SSRF policy, but it does not inspect remote Content-Length before LINE delivery. (extensions/line/src/outbound-media.ts:25, 6ccca4ae9529)
• Current main sends media after URL validation: sendMessageLine currently validates mediaUrl/previewImageUrl and then builds LINE image/video/audio messages without a size precheck before push/reply delivery. (extensions/line/src/send.ts:287, 6ccca4ae9529)
• PR diff adds guarded size prechecks: The PR adds LINE_OUTBOUND_MEDIA_MAX_BYTES and precheckLineOutboundMediaSize, calls fetchWithSsrFGuard with HEAD, strict mode, HTTPS required, 5s timeout, and applies the preview cap when previewImageUrl shares the original image URL. (extensions/line/src/outbound-media.ts:33, ca3b45744e1c)
• LINE platform contract supports the cap values: The LINE Messaging API reference lists image originalContentUrl at 10 MB, image/video previewImageUrl at 1 MB, and video/audio originalContentUrl at 200 MB, matching the PR's cap constants. (developers.line.biz)
• SSRF guard contract reviewed: fetchWithSsrFGuard enforces HTTPS when requireHttps is true, resolves and pins hostnames under the caller policy, handles redirects manually, and returns a release callback for dispatcher cleanup. (src/infra/net/fetch-guard.ts:345, 6ccca4ae9529)
• Existing quick-reply inline branch remains outside scope: The generic quick-reply inline media path still constructs image objects directly when no LINE-specific media options exist, matching the PR body's stated non-scope for full outbound coverage. (extensions/line/src/outbound.ts:272, 6ccca4ae9529)

Likely related people:

• masatohoshino: The earlier merged outbound LINE media support commit added the central send/outbound-media paths now being patched, and this account also authored the current focused follow-up. (role: introduced outbound media support and domain contributor; confidence: high; commits: 9449e54f4ffc; files: extensions/line/src/outbound-media.ts, extensions/line/src/send.ts, extensions/line/src/outbound.ts)
• Takhoffman: The outbound media introduction commit records Tak Hoffman as a co-author, so this is a reasonable routing candidate for the original LINE media behavior. (role: co-author of outbound media support; confidence: medium; commits: 9449e54f4ffc; files: extensions/line/src/outbound-media.ts, extensions/line/src/send.ts, extensions/line/src/outbound.ts)
• vincentkoc: Recent LINE plugin history includes runtime seam and webhook work by Vincent Koc around the same plugin boundary, useful for adjacent review. (role: recent LINE plugin runtime contributor; confidence: medium; commits: f881f086bb75, f5352b5611b4, 2687a4957572; files: extensions/line)
• steipete: Recent LINE/plugin commits by Peter Steinberger cover tests, channel helper refactors, and release work touching the same plugin area. (role: recent area contributor and release integrator; confidence: medium; commits: ba68537d9d59, 96724e5a4b8d, 57a3744f16e0; files: extensions/line)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 6ccca4ae9529.

[masatohoshino]

Updated current-head real behavior proof for 3642d23, including previewImageUrl 1 MiB cap rejection and refreshed under-cap delivery / over-cap rejection evidence.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Moonlit Review Wisp

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: guards the happy path.
Image traits: location status garden; accessory little merge flag; palette seafoam, black, and opal; mood patient; pose peeking out from the egg shell; shell translucent glimmer shell; lighting clean product lighting; background quiet workflow signs.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Moonlit Review Wisp in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[masatohoshino]

Closing this for now — it's a larger change that has drifted (conflicting/stale base) and no longer fits the small, correctness-focused PRs I'm prioritizing. The proof still stands if it's wanted later and I'm happy to refresh and reopen. Thanks!