fix: derive plugin media trust from metadata

[steipete]

Summary

• Remove the subscription-time import of the full plugin registration contract registry.
• Mark bundled manifest-contract plugin tools with trusted local-media metadata when plugin tools are materialized.
• Carry the per-run trusted local-media tool set through direct media delivery and duplicate suppression, with regression coverage for bundled plugin local media.

Refs #84409.

Verification

• node scripts/run-vitest.mjs src/agents/pi-embedded-subscribe.tools.media.test.ts src/agents/pi-embedded-subscribe.handlers.tools.media.test.ts src/agents/pi-embedded-subscribe.subscribe-embedded-pi-session.subscribeembeddedpisession.test.ts src/plugins/tools.optional.test.ts
• env -u OPENCLAW_TESTBOX -u OPENCLAW_TESTBOX_REMOTE_RUN pnpm check:changed
• /Users/steipete/Projects/agent-scripts/skills/autoreview/scripts/autoreview --mode branch --base origin/main

Real behavior proof

Behavior addressed: bundled plugin local MEDIA: paths no longer require importing the full plugin registry on subscription paths, and plugin trust is derived from plugin tool materialization metadata plus the actual run tool surface.
Real environment tested: local source checkout on macOS, Node/Pnpm repo tooling.
Exact steps or command run after this patch: focused Vitest command above, changed-file gate above, and autoreview branch closeout.
Evidence after fix: focused tests passed 6 files / 247 tests; changed gate exited 0; final autoreview reported no accepted/actionable findings.
Observed result after fix: core media tools retain exact-name local media gating, bundled manifest-contract plugin tools such as meeting_notes can pass local media only when included in the trusted run-local set, and duplicate suppression sees the same trusted set.
What was not tested: packaged gateway end-to-end media delivery; this patch is covered by unit/subscription behavior tests plus type/lint/import-cycle gates.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed May 25, 2026, 9:12 AM ET / 13:12 UTC.

Summary
The PR removes the subscribe-time plugin registry media allowlist, tags bundled manifest-contract plugin tools with trusted local-media metadata, threads a per-run trusted tool-name set through subscribe media filtering and duplicate suppression, and updates tests plus changelog.

PR surface: Source +90, Tests +41, Docs +1. Total +132 across 13 files.

Reproducibility: yes. Source inspection shows current main imports pluginRegistrationContractRegistry in the subscribe media helper, and the PR removes that path while adding focused media trust tests; I did not run a live gateway scenario in this read-only review.

Review metrics: 2 noteworthy metrics.

• Local-media filtering call sites: 3 changed. Direct media filtering, structured media output, and verbose duplicate suppression now depend on the new trustedLocalMediaToolNames set.
• PR surface: 13 files, +179/-47. The change crosses agent runner, subscribe handlers, plugin tool metadata, tests, and changelog, so maintainers should review it as a boundary change rather than a single helper tweak.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🧂 unranked krab
Patch quality: 🐚 platinum hermit
Result: blocked until real behavior proof from a real setup is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Add redacted real behavior proof for this exact head, preferably a gateway media run or production subscribe probe showing trusted bundled media passes and untrusted local media is stripped.
• Get the failed build-artifacts check green or document why it is unrelated before merge.

Proof guidance:
Needs real behavior proof before merge: The proof section lists tests, changed checks, and autoreview only; add redacted current-head runtime proof such as terminal output, logs, a subscribe probe, or a linked artifact, then update the PR body to trigger re-review or ask a maintainer to comment @clawsweeper re-review.

Risk before merge

• The current PR body supplies only focused tests/checks/autoreview, so reviewers still lack current-head runtime proof that bundled local media passes while MCP/external/non-bundled local paths are stripped.
• This local-media trust source is compatibility-sensitive because a mismatch between materialized plugin metadata and the actual run tool surface could silently strip expected media attachments.
• The current head has a failed build-artifacts check and two in-progress checks, so merge readiness is not fully proven by CI yet.

Maintainer options:

1. Require current-head media proof (recommended)
   Ask for a redacted gateway media run, production subscribe probe, or equivalent runtime log showing trusted bundled media survives and untrusted local media is stripped on this exact head.
2. Maintainer override with owned proof
   A maintainer can accept the proof gate only if they run and record equivalent local or Testbox proof before landing.
3. Pause until CI settles
   Hold the PR if the build-artifacts failure or in-progress checks turn out to be related to the changed media or plugin-loading surface.

Next step before merge
Human handling is needed because the PR has a protected maintainer label, changes a local-media trust boundary, lacks current-head real behavior proof, and has unsettled CI state rather than a narrow code defect for automation to repair.

Security
Cleared: The diff changes a local file media trust boundary, but I found no concrete overtrust, credential, dependency, workflow, or supply-chain regression in the current patch.

Review details

Best possible solution:

Land the metadata-derived trust design only after current-head real gateway or subscribe-path proof verifies trusted core and bundled media delivery, untrusted local-media blocking, and a green or known-unrelated CI state.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows current main imports pluginRegistrationContractRegistry in the subscribe media helper, and the PR removes that path while adding focused media trust tests; I did not run a live gateway scenario in this read-only review.

Is this the best way to solve the issue?

Yes, with proof. Deriving trust from bundled plugin tool metadata and the actual run tool surface is the maintainable direction, but the current PR still needs real runtime proof before merge because the touched path controls local attachment delivery.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 8fe4f34af224.

Label changes

Label justifications:

• P1: The PR touches agent local-media trust and delivery, where a regression can drop expected media attachments from real agent replies.
• merge-risk: 🚨 compatibility: The PR replaces a registry-derived bundled plugin media allowlist with per-run metadata-derived trust, which can affect existing bundled plugin media behavior on upgrade.
• merge-risk: 🚨 message-delivery: If the trusted tool-name set is incomplete or mismatched, local MEDIA paths can be stripped before direct delivery or duplicate suppression.
• rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🧂 unranked krab and patch quality is 🐚 platinum hermit.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The proof section lists tests, changed checks, and autoreview only; add redacted current-head runtime proof such as terminal output, logs, a subscribe probe, or a linked artifact, then update the PR body to trigger re-review or ask a maintainer to comment @clawsweeper re-review.

Evidence reviewed

PR surface:

Source +90, Tests +41, Docs +1. Total +132 across 13 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	8	127	37	+90
Tests	4	51	10	+41
Docs	1	1	0	+1
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	13	179	47	+132

What I checked:

• Repository policy applied: Root and scoped AGENTS guidance treats agent hot-path plugin lookups, plugin metadata, and local media delivery as compatibility, laziness, and security-sensitive review surfaces. (AGENTS.md:15, 8fe4f34af224)
• Current main registry-backed behavior: Current main builds trusted bundled plugin media names from pluginRegistrationContractRegistry inside the subscribe media helper, which is the hot-path import this PR removes. (src/agents/pi-embedded-subscribe.tools.ts:313, 8fe4f34af224)
• PR derives trust from materialized tool metadata: Current PR head collects trusted plugin local-media tool names from getPluginToolMeta over toolsRaw and filtered bundled tools, not from the current metadata snapshot directly. (src/agents/pi-embedded-runner/run/attempt.ts:1759, 24e584b9ce64)
• PR carries trusted set into subscription: The PR builds trustedLocalMediaToolNames from core trusted names and trusted plugin tool names, then passes that set into subscribeEmbeddedPiSession. (src/agents/pi-embedded-runner/run/attempt.ts:2339, 24e584b9ce64)
• Plugin metadata marking: The PR marks plugin tools as trustedLocalMedia when their manifest origin is bundled and contracts.tools declares the tool name, including cached descriptor tools. (src/plugins/tools.ts:1212, 24e584b9ce64)
• Prior review context: The earlier inline review warned about deriving trust from getCurrentPluginMetadataSnapshot; current head changed that trust derivation, but the old unresolved review comment remains attached to the PR. (src/agents/pi-embedded-runner/run/attempt.ts:1684, 24e584b9ce64)

Likely related people:

• FullerStackDev: git blame attributes the current main media trust helper and plugin tool metadata lines to this author in f036bac. (role: introduced current baseline; confidence: medium; commits: f036bac14423; files: src/agents/pi-embedded-subscribe.tools.ts, src/plugins/tools.ts)
• Jason (Json): Commit 35dcd42 recently touched async media handling in the embedded runner and subscribe tool handler paths adjacent to this PR. (role: recent adjacent media contributor; confidence: medium; commits: 35dcd42c9da5; files: src/agents/pi-embedded-runner/run/attempt.ts, src/agents/pi-embedded-subscribe.handlers.tools.ts)
• steipete: The current PR is assigned to steipete, and local history shows the current baseline commit was committed by Peter Steinberger, so routing follow-up there is plausible without treating PR authorship alone as ownership. (role: recent committer and assigned follow-up owner; confidence: medium; commits: f036bac14423, 24e584b9ce64; files: src/agents/pi-embedded-runner/run/attempt.ts, src/plugins/tools.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 07368f6ef9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Fall back when current metadata snapshot is unavailable

Deriving trustedPluginLocalMediaToolNames from getCurrentPluginMetadataSnapshot(...) here makes bundled-plugin local media trust depend on the global “current” snapshot, but that snapshot is intentionally cleared whenever plugin metadata is loaded from a derived source (see src/plugins/runtime/load-context.ts, which clears current state for derived snapshots). In that common startup path (e.g., no reusable persisted registry yet), this call returns undefined, collectTrustedPluginLocalMediaToolNames produces an empty set, and bundled plugin MEDIA: paths are stripped even though those tools were actually loaded for the run. This is a user-visible regression from the prior behavior where bundled plugin media remained deliverable.

Useful? React with 👍 / 👎.

[clawsweeper]

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature or rarity is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.