fix(channel): harden local setup trust

[hxy91819]

Summary

• follow up on fix(plugins): block untrusted workspace setup-only channel loads #86953's workspace-only setup trust fix by extending the same trusted-catalog fallback logic to local config / global channel plugins discovered through plugins.load.paths or linked installs
• prove the regression on current code with the blackbox plugin-trust harness: clean main blocks trusted plugins.load.paths setup because the catalog never sees that channel, while this branch reaches the loader and passes all four trust cases
• keep the setup trust rule origin-aware: reject untrusted local shadows by { pluginId, origin }, then fall back to a safe bundled/non-local copy instead of suppressing all copies of the same plugin id
• fix the .dts build break in src/commands/channel-setup/trusted-catalog.ts, which was failing fresh pnpm build:plugin-sdk:dts / Docker image builds even when local incremental caches hid it
• add main-repo L4 coverage plus a focused Docker/package L6 manual proof script for the local channel plugin trust boundary

Change Type

• Bug fix
• Feature
• Refactor required for the fix
• Docs / PR context
• Security hardening
• Chore / infra

Scope

• Integrations
• API / contracts
• UI / DX
• CI / infra
• Gateway / orchestration
• Auth / tokens
• Memory / storage

Linked Issue / PR

• Follow-up to merged fix(plugins): block untrusted workspace setup-only channel loads #86953 (fix(plugins): block untrusted workspace setup-only channel loads)
• Context and autoreview notes: my_docs/my_docs/04-cases/2026-04-10-channel-workspace-shadow-case/pr-86953-autoreview-follow-up.zh.md
• This PR exists because fix(plugins): block untrusted workspace setup-only channel loads #86953 fixed the workspace trust boundary, but the same local-code trust question still applied to plugins.load.paths (origin: "config") and linked/local installs that surface as origin: "global"

Problem Statement

#86953 established the product rule that untrusted local channel plugins should not get imported during setup-only channel flows. That landed for workspace-origin plugins.

The remaining gap was the broader local-origin surface:

• plugins.load.paths channel plugins appear as origin: "config"
• linked / managed local installs can appear as origin: "global"

Those are still local code from the operator's point of view. If setup hardening only keys on origin === "workspace", the trust boundary is inconsistent: one class of local plugin is blocked before import, while other local shadows can still win channel catalog resolution or suppress a safe bundled fallback.

This branch also had a separate concrete defect in fresh builds: src/commands/channel-setup/trusted-catalog.ts failed declaration generation, so Docker image builds died in build:plugin-sdk:dts even though local incremental caches could mask the problem.

The fresh-build failure was:

src/commands/channel-setup/trusted-catalog.ts(82,3): error TS2344:
Type '"excludeOrigins" | "excludePluginRefs"' does not satisfy the constraint 'never'.
src/commands/channel-setup/trusted-catalog.ts(97,3): error TS2322:
Type '{ excludeOrigins?: (PluginOrigin | undefined)[] | undefined; ... }'
is not assignable to type 'Pick<CatalogOptions | undefined, "excludeOrigins" | "excludePluginRefs">'.
src/commands/channel-setup/trusted-catalog.ts(113,61): error TS2345:
Argument of type '{ ... excludeOrigins: unknown; excludePluginRefs: unknown; }'
is not assignable to parameter of type 'CatalogOptions'.

Blackbox Proof

Harness:

• e2e repo: sibling openclaw-e2e-go
• spec: specs/plugintrust/local_origin_followup_test.go
• probe: scripts/docker/test-plugintrust-local-origin.sh
• fixtures: scripts/fixtures/plugintrust/{workspace-shadow,load-paths-shadow}/
• command: OPENCLAW_E2E_TARGET_REPO=<openclaw checkout> go test ./specs/plugintrust -v

The harness bakes a fresh OpenClaw image from source, then asserts only on marker files written by fixture plugins:

• PLUGINTRUST_SETUP_IMPORT_MARKER: module top-level import happened
• PLUGINTRUST_SETUP_REGISTER_MARKER: setup hook actually ran

Clean main (a4196a44454f) behavior:

• Case 1 workspace + untrusted: PASS, trust gate blocks the untrusted workspace plugin
• Case 2 workspace + plugins.allow: PASS, trusted workspace plugin loads
• Case 3 load-paths + untrusted: PASS as probe-only, marker absent because catalog rejects Unknown channel e2e-load-paths before loader
• Case 4 load-paths + plugins.allow: FAIL, same Unknown channel e2e-load-paths; trusted load-path plugin is still invisible to the catalog on main

This branch behavior from the previously built fresh image:

• Case 1: PASS, untrusted workspace shadow not loaded
• Case 2: PASS, trusted workspace shadow loaded
• Case 3: PASS, load-path probe reached and recorded
• Case 4: PASS, trusted load-path plugin loaded

That is the direct before/after proof for the regression this PR fixes: on main, trusted plugins.load.paths channels never reach setup because the catalog cannot resolve them; on this branch, the same scenario resolves and loads correctly while the untrusted cases still stay blocked.

What Changed

1. Thread extraPaths through channel catalog resolution so trusted channel setup/add flows can actually see channel plugins discovered from plugins.load.paths.
2. Make fallback exclusion origin-aware with excludePluginRefs: [{ pluginId, origin }], so rejecting an untrusted local shadow only skips that exact local candidate and still allows a bundled copy of the same channel/plugin id to win.
3. Keep setup discovery lenient for display-only cases: if an untrusted local entry has no trusted fallback, it stays visible in the setup discovery bucket rather than disappearing from the UI.
4. Fix the TypeScript declaration-build typing in trusted-catalog.ts by replacing the unstable Pick<Parameters<...>[1], ...> shape with an explicit local exclusions type and explicit local-origin narrowing.
5. Add src/commands/channels.add.trust.e2e.test.ts as a main-repo L4 E2E regression for the real channels add CLI path.
6. Add bash scripts/e2e/channel-plugin-trust-docker.sh as a focused Docker/package L6 manual proof script for the plugins.load.paths trust boundary.

Why This Is The Right Follow-up To #86953

#86953 already proved the core trust model: local untrusted channel plugin code must not execute in setup-only flows. This PR does not redefine that model; it applies the same invariant consistently to the remaining local origins the earlier PR intentionally left as a follow-up hardening item.

The pr-86953-autoreview-follow-up.zh.md note called out exactly this direction: stop hardcoding one origin name and move the loader/catalog gate toward a unified local trust decision. This PR stays within that scope and keeps the current product behavior for trusted plugins:

• explicitly trusted / allowlisted local plugins still resolve
• bundled entries still act as the safe fallback when a local shadow is not trusted
• discovery UI can still show installable local-only candidates without treating them as executable

Verification

• pnpm build:plugin-sdk:dts
• pnpm test src/commands/channel-setup/trusted-catalog.test.ts -- --reporter=verbose
• pnpm build
• pnpm test src/commands/channels.add.trust.e2e.test.ts -- --reporter=verbose
• bash scripts/e2e/channel-plugin-trust-docker.sh
• git diff --check
• env npm_config_registry=https://registry.npmjs.org/ node scripts/generate-npm-shrinkwrap.mjs --check
• Blackbox harness context above from sibling openclaw-e2e-go

Evidence

• Fresh pnpm build:plugin-sdk:dts now passes after the trusted-catalog.ts type fix; this was the blocker for Docker image rebuilds.
• Focused Vitest passed: 10/10 in src/commands/channel-setup/trusted-catalog.test.ts.
• pnpm build passes after the declaration-build fix.
• Main-repo L4 E2E passed: src/commands/channels.add.trust.e2e.test.ts covers workspace/load-paths x trusted/untrusted, 4/4 passing through the real openclaw channels add CLI path.
• New L6 Docker/package manual proof passed locally: bash scripts/e2e/channel-plugin-trust-docker.sh built the package artifacts, packed/checked the OpenClaw tarball, installed it into the functional Docker image, then verified plugins.load.paths untrusted blocks setup entry execution and plugins.allow permits setup entry execution.
• Root npm-shrinkwrap.json was regenerated/check-verified with https://registry.npmjs.org/; no local mirror URLs are present.
• pnpm check:changed could not complete locally because the installed Crabbox binary is 0.15.0 while current Testbox delegation requires Crabbox >=0.22.0. Running the child command directly reached existing shrinkwrap guard behavior for changed plugin packages; no test/lint/type failure was observed before that guard.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 11, 2026, 3:32 AM ET / 07:32 UTC.

Summary
Review failed before ClawSweeper could summarize the requested change.

PR surface: Source +160, Tests +788, Other +324. Total +1272 across 13 files.

Reproducibility: unclear. The review failed before ClawSweeper could establish a reproduction path.

Review metrics: none identified.

Merge readiness
Overall: 🌊 off-meta tidepool
Proof: 🌊 off-meta tidepool
Patch quality: 🌊 off-meta tidepool
Result: rating does not apply to this item.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

• [P1] No close action taken because the review did not complete.

Maintainer options:

1. Decide the mitigation before merge
   Retry the Codex review after fixing the execution failure.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

• Review did not complete, so no work-lane recommendation was made.

Review details

Best possible solution:

Retry the Codex review after fixing the execution failure.

Do we have a high-confidence way to reproduce the issue?

Unclear. The review failed before ClawSweeper could establish a reproduction path.

Is this the best way to solve the issue?

Unclear. Retry the review first so ClawSweeper can evaluate the actual issue and fix direction.

AGENTS.md: unclear because the file could not be read completely.

Codex review notes: model internal, reasoning high; reviewed against 418d7e1e83c5.

Label changes

Label changes:

• remove P2: Current review triage priority is none.
• remove merge-risk: 🚨 compatibility: Current PR review selected no merge-risk labels.
• remove merge-risk: 🚨 security-boundary: Current PR review selected no merge-risk labels.

Label justifications:

• rating: 🌊 off-meta tidepool: Overall readiness is 🌊 off-meta tidepool; proof is 🌊 off-meta tidepool and patch quality is 🌊 off-meta tidepool.

Evidence reviewed

PR surface:

Source +160, Tests +788, Other +324. Total +1272 across 13 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	4	184	24	+160
Tests	8	953	165	+788
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	1	324	0	+324
Total	13	1461	189	+1272

What I checked:

• failure reason: codex execution failed.
• codex failure detail: Codex review failed for this PR with exit 1.
• codex stdout: Per-item Codex failure; continuing with the rest of the shard.

Likely related people:

• unknown: Codex failed before it could trace repository history. (role: review did not complete; confidence: low)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[byungskers]

I like the origin-aware fallback here — excluding { pluginId, origin } instead of suppressing every copy of the same id feels like the right shape. One thing I wondered about: resolveTrustedCatalogEntry() is now recursive across rejected candidates. In the normal catalog flow that should terminate quickly, but would it be worth adding a tiny guard against repeatedly resurfacing the same local candidate set (for example a malformed discovery result that keeps producing an entry without a stable pluginId)? Probably not a blocker, just checking whether you thought about a recursion cap / seen-set here.

[github-actions]

Dependency graph guard cleared

This PR no longer has blocked dependency graph changes. A future dependency graph change requires a fresh /allow-dependencies-change comment after the guard blocks that new head SHA.

• Current SHA: c99d3b1f4271dba6effed8a484eecc988dca1ada

[hxy91819]

@clawsweeper automerge

[clawsweeper]

🦞🔧
ClawSweeper automerge is enabled.

• Head: c99d3b1f4271
• Label: clawsweeper:automerge
• Action: repair worker queued. Run: https://github.com/openclaw/clawsweeper/actions/runs/27347129382
• Flow: review this head, repair/rebase only if needed, then re-review the exact repaired head before merge.

Draft PRs stay fix-only until GitHub marks them ready for review. Pause with /clawsweeper stop.

Automerge progress:

• 2026-06-11 12:34:09 UTC review queued c99d3b1f4271 (queued)

• 2026-06-11 12:35:14 UTC repair queued c99d3b1f4271 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/27347129382

• 2026-06-11 12:37:17 UTC repair started (running) in 1s Run: https://github.com/openclaw/clawsweeper/actions/runs/27347129382 automerge-openclaw-openclaw-89456

• 2026-06-11 12:37:40 UTC validation plan (passed) in 24s Run: https://github.com/openclaw/clawsweeper/actions/runs/27347129382 pnpm check:changed; pnpm lint; pnpm check:test-types

• 2026-06-11 12:37:53 UTC Codex write preflight (passed) in 37s Run: https://github.com/openclaw/clawsweeper/actions/runs/27347129382 danger-full-access

• 2026-06-11 12:47:33 UTC Codex edit 1 56a26f9db6ee (complete) in 10m 17s Run: https://github.com/openclaw/clawsweeper/actions/runs/27347129382 exit 0

• 2026-06-11 12:55:45 UTC validation and review 1 bf86d9f5c035 (base moved) in 18m 29s Run: https://github.com/openclaw/clawsweeper/actions/runs/27347129382 rebased

• 2026-06-11 12:56:24 UTC repair finished bf86d9f5c035 (opened) in 19m 8s Run: https://github.com/openclaw/clawsweeper/actions/runs/27347129382 open_fix_pr

[clawsweeper]

ClawSweeper 🐠 reef update

Thanks for the work on this. ClawSweeper opened a replacement PR only because the source branch was not writable from the available bot permissions. branch tides, not contributor blame.

Why replacement: ClawSweeper could not update the source PR branch directly; GitHub did not grant sufficient push rights to the bot for that branch.
Replacement PR: #92175
Why close: this run explicitly closes the superseded source PR after the credited replacement PR is open, so review continues in one place.
Closing this source PR only because source-PR closing was explicitly enabled for this run.
Credit follows the fix over to the replacement PR. no sneaky treasure grab.
Co-author credit kept:

• @hxy91819: Co-authored-by: Mason Huang 8814856+hxy91819@users.noreply.github.com

fish notes: reasoning high; reviewed against bf86d9f.