Remove bundled channel contract fallbacks

[obviyus]

Summary

• Remove bundled channel doctor/secret fallback loading through broad contract-api sidecars.
• Move remaining test/session-binding contracts to named sidecars and delete fallback-only barrels.
• Add regression coverage so missing canonical artifacts do not probe contract-api, and dedicated exports stay out of broad sidecars.

Verification

• node scripts/run-vitest.mjs src/secrets/runtime-external-channel-audit.test.ts src/channels/plugins/doctor-contract-api.fast-path.test.ts src/secrets/channel-contract-api.fast-path.test.ts test/scripts/bundled-plugin-build-entries.test.ts src/channels/plugins/contracts/session-binding.registry-backed.contract.test.ts
• OPENCLAW_LOCAL_CHECK_MODE=throttled node scripts/run-tsgo.mjs -p tsconfig.core.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core.tsbuildinfo
• OPENCLAW_LOCAL_CHECK_MODE=throttled node scripts/run-tsgo.mjs -p tsconfig.extensions.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/extensions.tsbuildinfo
• Telegram mock SUT E2E: driver message 29583, SUT reply 29584, text OPENCLAW_E2E_OK, mock requests 1
• .agents/skills/autoreview/scripts/autoreview --mode local: clean after fixing the externalized-channel audit expectation

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 10, 2026, 3:15 AM ET / 07:15 UTC.

Summary
The PR removes bundled contract-api fallback loading for channel doctor and secret contracts, moves session-binding exports to dedicated sidecars, and adds regression tests for dedicated sidecar usage.

PR surface: Source -109, Tests +78. Total -31 across 29 files.

Reproducibility: not applicable. this is a refactor PR, not a bug report with a current-main failure to reproduce. Source review can verify the loader behavior, but the remaining gate is package/upgrade proof after the cutover.

Review metrics: 1 noteworthy metric.

• Bundled fallback loaders: 2 removed. Doctor and secret bundled loaders stop probing broad contract-api.js, which is the compatibility-sensitive behavior maintainers need to approve before merge.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🐚 platinum hermit
Result: blocked until real behavior proof from a real setup is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P1] Add redacted real behavior proof from a packaged or upgrade-style run that exercises the new doctor and secret sidecar loading.
• [P2] Include the exact command/output or artifact showing at least one affected bundled channel no longer needs broad contract-api.js fallback.

Proof guidance:

• [P1] Needs real behavior proof before merge: The PR body lists targeted tests, tsgo, autoreview, and a Telegram mock SUT E2E, but no after-fix real packaged or upgrade run of the loader, doctor, or secret path. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

• [P2] Removing broad bundled fallback loading can break upgrade or packaged layouts if any affected bundled channel is missing its canonical doctor-contract-api.js, secret-contract-api.js, or new session-binding sidecar in the built artifact.
• [P2] The PR body lists tests and a mock Telegram SUT run, but it does not show a real packaged/fresh-install or upgrade path proving the new sidecars resolve after the fallback is removed.

Maintainer options:

1. Prove the sidecar cutover before merge (recommended)
   Run a packaged or upgrade-style proof that exercises doctor and secret contract loading for representative affected bundled channels after the broad fallback is gone.
2. Keep the fallback for one more release
   If upgrade proof is not available, preserve contract-api fallback loading while keeping the new dedicated sidecars and duplicate-export guards.
3. Accept the compatibility cutover
   Maintainers can intentionally remove the shipped fallback now, but should own the risk that older or incomplete bundled artifacts stop resolving these contracts.

Next step before merge

• [P2] Protected maintainer labeling plus intentional fallback removal make this a human compatibility/proof decision rather than a safe automated repair lane.

Security
Cleared: No concrete security or supply-chain regression was found in the diff; the remaining concern is compatibility proof for secret and doctor sidecar loading.

Review details

Best possible solution:

Land only after maintainers accept the fallback cutover and there is real package or upgrade proof that the affected bundled channels resolve their canonical sidecars; otherwise keep the shipped fallback until a deprecation path is explicit.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a refactor PR, not a bug report with a current-main failure to reproduce. Source review can verify the loader behavior, but the remaining gate is package/upgrade proof after the cutover.

Is this the best way to solve the issue?

Unclear as merge-ready until upgrade proof exists: the source shape is cleaner and keeps external plugin fallback discovery intact, but removing the shipped bundled fallback is a maintainer compatibility decision.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against a3d5e5bc7247.

Label changes

Label changes:

• add P2: This is a normal-priority cleanup with broad channel/plugin-loader reach and compatibility-sensitive fallback removal, but no urgent user-facing regression is proven.
• add merge-risk: 🚨 compatibility: Merging removes shipped bundled fallback paths and several broad sidecar exports, so existing package or upgrade layouts could fail if canonical sidecars are not present.
• add rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• add status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body lists targeted tests, tsgo, autoreview, and a Telegram mock SUT E2E, but no after-fix real packaged or upgrade run of the loader, doctor, or secret path. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Label justifications:

• P2: This is a normal-priority cleanup with broad channel/plugin-loader reach and compatibility-sensitive fallback removal, but no urgent user-facing regression is proven.
• merge-risk: 🚨 compatibility: Merging removes shipped bundled fallback paths and several broad sidecar exports, so existing package or upgrade layouts could fail if canonical sidecars are not present.
• rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body lists targeted tests, tsgo, autoreview, and a Telegram mock SUT E2E, but no after-fix real packaged or upgrade run of the loader, doctor, or secret path. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Evidence reviewed

PR surface:

Source -109, Tests +78. Total -31 across 29 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	25	52	161	-109
Tests	4	89	11	+78
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	29	141	172	-31

What I checked:

• Repository policy applied: Root policy treats plugin APIs, fallback behavior, startup/setup, config loading, and upgrade-sensitive paths as merge risks that need explicit review rather than routine cleanup. (AGENTS.md:30, a3d5e5bc7247)
• Doctor fallback removed: On the PR head, bundled channel doctor loading calls only doctor-contract-api.js, returns undefined only for missing public artifacts, and throws other loader errors. (src/channels/plugins/doctor-contract-api.ts:34, 48cf443ff2c6)
• Secret fallback narrowed for bundled channels: On the PR head, bundled channel secret loading calls only secret-contract-api.js, while external plugin discovery still searches secret-contract-api before contract-api. (src/secrets/channel-contract-api.ts:72, 48cf443ff2c6)
• Session-binding test seam moved: The registry-backed session binding helper now imports session-binding-contract-api instead of the broad contract-api artifact. (src/channels/plugins/contracts/test-helpers/registry-session-binding.ts:59, 48cf443ff2c6)
• Regression coverage added: The PR adds fast-path assertions that missing doctor and secret sidecars do not probe broad contract-api.js, plus a build-entry guard against duplicate dedicated exports in broad sidecars. (test/scripts/bundled-plugin-build-entries.test.ts:223, 48cf443ff2c6)
• History provenance: Current-main blame and log tie the existing broad fallback loaders to commit 440284f, which is the central code path this PR refactors. (src/secrets/channel-contract-api.ts:46, 440284f87955)

Likely related people:

• shakkernerd: Current-main blame and file history show commit 440284f carrying the bundled doctor and secret fallback loaders that this PR changes. (role: recent area contributor; confidence: medium; commits: 440284f87955; files: src/channels/plugins/doctor-contract-api.ts, src/secrets/channel-contract-api.ts, extensions/telegram/contract-api.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[obviyus]

Land-ready proof:

• Rebased onto current origin/main; head 94b0e564563ef358879040ab5c2d1936e8aff19b.
• Local scoped tests: node scripts/run-vitest.mjs src/secrets/runtime-external-channel-audit.test.ts src/channels/plugins/doctor-contract-api.fast-path.test.ts src/secrets/channel-contract-api.fast-path.test.ts test/scripts/bundled-plugin-build-entries.test.ts src/channels/plugins/contracts/session-binding.registry-backed.contract.test.ts.
• Local type probes: OPENCLAW_LOCAL_CHECK_MODE=throttled node scripts/run-tsgo.mjs -p tsconfig.core.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core.tsbuildinfo and OPENCLAW_LOCAL_CHECK_MODE=throttled node scripts/run-tsgo.mjs -p tsconfig.extensions.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/extensions.tsbuildinfo.
• Whitespace proof: git diff --check origin/main..HEAD.
• Telegram proof: node ~/.codex/skills/custom/telegram-e2e-bot-to-bot/scripts/run-mock-sut-e2e.mjs --text '@{sut} Please answer with OPENCLAW_E2E_OK only.' --expect OPENCLAW_E2E_OK; reply OPENCLAW_E2E_OK, mockRequests=1, RTT 2928ms.
• GitHub checks: all reported checks passed for this head, including Real behavior proof, build-artifacts, check-prod-types, check-test-types, check-lint, channel/runtime/security boundary checks, and targeted node shards.

Known gaps: none.

[obviyus]

Landed via rebase merge.

Final commits on main:

• 7f9f687d82 refactor(channels): remove bundled contract fallbacks
• 05a0dfdd08 refactor(extensions): split channel contract sidecars
• 3407402b2c test(plugins): guard dedicated channel sidecars

Proof before merge: scoped Vitest, core/extensions tsgo probes, git diff --check, Telegram mock-SUT E2E, and full reported GitHub checks green.