test(secret-file): cover NickServ + account-level symlinks, narrow inspect catch

[RomneyDa]

Summary

Followup to #84711 picking up the three reviewer nits that didn't block the original merge:

1. Narrow the new inspectTokenFile catch in extensions/telegram/src/account-inspect.ts to FsSafeError so only fs-safe validation throws map to configured_unavailable; any other throw (programmer error, unexpected I/O) re-raises instead of being silently swallowed.
2. Add a regression test for the IRC NickServ password file symlink path (extensions/irc/src/accounts.ts:118), paralleling the existing top-level passwordFile symlink test.
3. Add a regression test for the Telegram account-level tokenFile symlink path (extensions/telegram/src/token.ts:149), paralleling the existing channel-level tokenFile symlink test.

Behavior was already correct after #84711; this just locks coverage on the two latent paths and tightens the catch.

Verification

• node scripts/run-vitest.mjs extensions/telegram/src/account-inspect.test.ts extensions/telegram/src/token.test.ts extensions/irc/src/accounts.test.ts → 3 files, 40 tests passing.

ref #84711

[clawsweeper]

Codex review: needs maintainer review before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
This PR narrows Telegram account token-file inspection to catch only FsSafeError and adds IRC NickServ plus Telegram account-level symlink regression tests.

Reproducibility: yes. source inspection gives a high-confidence path: current main has rejectSymlink: true on both account-level Telegram token files and IRC NickServ password files, and the PR adds the missing regression assertions. I did not execute the tests in this read-only review.

PR rating
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Summary: Focused patch with clear source fit and reported targeted tests; no blocking defects found, with local test execution intentionally skipped for read-only review.

Rank-up moves:

• none

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: Real behavior proof is not required here because this is a maintainer-labeled MEMBER PR; the PR body provides targeted test verification.

Risk before merge

• I did not rerun the targeted Vitest command because this review was read-only; the PR body reports node scripts/run-vitest.mjs extensions/telegram/src/account-inspect.test.ts extensions/telegram/src/token.test.ts extensions/irc/src/accounts.test.ts passing 40 tests.
• The narrowed catch intentionally lets unexpected non-FsSafeError failures propagate from Telegram account inspection instead of returning configured_unavailable.

Maintainer options:

1. Decide the mitigation before merge
   Land this focused hardening through the maintainer PR workflow after the normal targeted checks confirm the secret-file contract remains intact.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge
No automated repair is needed; this protected maintainer PR should proceed through normal maintainer review and merge handling.

Security
Cleared: No security or supply-chain regression found; the diff tightens credential-file error handling and adds symlink rejection coverage without new dependencies or workflow changes.

Review details

Best possible solution:

Land this focused hardening through the maintainer PR workflow after the normal targeted checks confirm the secret-file contract remains intact.

Do we have a high-confidence way to reproduce the issue?

Yes, source inspection gives a high-confidence path: current main has rejectSymlink: true on both account-level Telegram token files and IRC NickServ password files, and the PR adds the missing regression assertions. I did not execute the tests in this read-only review.

Is this the best way to solve the issue?

Yes. Catching only FsSafeError at the Telegram status boundary and adding platform-gated symlink tests is a narrow, maintainable follow-up to the merged secret-file fix.

Label changes:

• add P2: The PR is a normal-priority credential-file hardening and regression-coverage follow-up with limited surface area.
• add rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🌊 off-meta tidepool, patch quality is 🐚 platinum hermit, and Focused patch with clear source fit and reported targeted tests; no blocking defects found, with local test execution intentionally skipped for read-only review.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Real behavior proof is not required here because this is a maintainer-labeled MEMBER PR; the PR body provides targeted test verification.

Label justifications:

• P2: The PR is a normal-priority credential-file hardening and regression-coverage follow-up with limited surface area.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🌊 off-meta tidepool, patch quality is 🐚 platinum hermit, and Focused patch with clear source fit and reported targeted tests; no blocking defects found, with local test execution intentionally skipped for read-only review.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Real behavior proof is not required here because this is a maintainer-labeled MEMBER PR; the PR body provides targeted test verification.

Acceptance criteria:

• node scripts/run-vitest.mjs extensions/telegram/src/account-inspect.test.ts extensions/telegram/src/token.test.ts extensions/irc/src/accounts.test.ts

What I checked:

• Protected PR context: The provided live PR context shows author association MEMBER and label maintainer, which are protected keep-open signals for this cleanup workflow.
• Patch scope: The PR head only changes three files: one Telegram inspection catch and two focused symlink regression tests. (extensions/telegram/src/account-inspect.ts:47, e2a4814329d2)
• Current Telegram account path: Current main already reads account-level tokenFile through tryReadSecretFileSync(..., { rejectSymlink: true }), so the added test covers a real existing path. (extensions/telegram/src/token.ts:149, 90fd26b602b0)
• Current IRC NickServ path: Current main reads NickServ passwordFile through tryReadSecretFileSync(..., { rejectSymlink: true }), so the added test covers the latent NickServ path. (extensions/irc/src/accounts.ts:118, 90fd26b602b0)
• Current broad catch: Current main maps every thrown error from Telegram token-file inspection to configured_unavailable; the PR narrows that to the public fs-safe error type. (extensions/telegram/src/account-inspect.ts:46, 90fd26b602b0)
• Dependency contract pin: The repository pins @openclaw/fs-safe to 0.2.7, matching the related merged PR's stated fail-closed secret-file contract. (package.json:1783, 90fd26b602b0)

Likely related people:

• RomneyDa: Authored the current-main merge commit that restored fail-closed secret-file symlink behavior and adjusted the same Telegram/IRC tests this PR follows up on. (role: recent fix owner; confidence: high; commits: 90fd26b602b0; files: src/infra/secret-file.ts, extensions/telegram/src/account-inspect.ts, extensions/telegram/src/token.test.ts)
• Ayaan Zaidi: Current-line blame attributes the existing Telegram account token-file resolver and IRC NickServ secret-file resolver paths to this author, although the shallow/grafted history makes the older feature trail thin. (role: adjacent area contributor; confidence: low; commits: c289e3ea8730; files: extensions/telegram/src/token.ts, extensions/irc/src/accounts.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 90fd26b602b0.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 💎 rare Neon Proofling

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 💎 rare.
Trait: stacks clean commits.
Image traits: location workflow harbor; accessory rollback rope; palette pearl, teal, and neon green; mood watchful; pose pointing at a small proof artifact; shell frosted glass shell; lighting cool dashboard glow; background smooth stones and checkmarks.
Share on X: post this hatch
Copy: My PR egg hatched a 💎 rare Neon Proofling in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.