fix(channel): harden local setup trust #92175

Merged: clawsweeper[bot] merged 14 commits into main from clawsweeper/automerge-openclaw-openclaw-89456 on Jun 11, 2026
clawsweeper Bot (Contributor) commented Jun 11, 2026

Makes #89456 merge-ready for the ClawSweeper automerge loop.
The edit pass should inspect the live PR diff, review comments, and failing checks; rebase if needed; keep the contributor branch credited; and stop only when validation is green or an external blocker is proven.
Known failing checks:

ClawSweeper 🐠 replacement reef notes:

  • Repair fallback: GitHub rejected the repair branch push because it updates workflow files and the ClawSweeper app token does not have workflows permission

Co-author credit kept:

fish notes: reasoning high; reviewed against bf86d9f.

clawsweeper Bot added the labels scripts (Repository scripts), commands (Command implementations), docker (Docker and sandbox tooling), maintainer (Maintainer-authored PR), and clawsweeper:automerge (Maintainer opted this PR into bounded ClawSweeper-reviewed automerge) Jun 11, 2026
clawsweeper Bot added the clawsweeper (Tracked by ClawSweeper automation) label Jun 11, 2026
clawsweeper Bot mentioned this pull request Jun 11, 2026 (13 tasks)

clawsweeper Bot (Contributor, Author) commented Jun 11, 2026

Codex review: passed. Reviewed June 11, 2026, 9:44 AM ET / 13:44 UTC.

Summary
The PR extends channel setup trust enforcement and trusted catalog fallback from workspace-origin plugins to config/global local origins, threads configured load paths into catalog discovery, and adds focused regression plus Docker/package proof coverage.

PR surface: Source +190, Tests +892, Other +324. Total +1406 across 13 files.

Reproducibility: yes. The source PR provides a concrete clean-main Docker/package path where an explicitly trusted plugins.load.paths channel remains unresolved, while the patched package resolves it and still blocks untrusted module and setup execution.

Review metrics: 1 noteworthy metric.

  • Local trust coverage: 2 additional origins gated. Config and global channel plugins now follow the workspace setup trust boundary, which is the central compatibility and security decision before merge.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • none.

Risk before merge

  • [P1] Existing config/global local channel plugins that relied on setup-only execution without plugins.allow or plugins.entries.<id>.enabled: true will now fail closed until operators explicitly trust them.
  • [P1] This changes a plugin code-execution boundary; future edits must keep catalog filtering and loader enforcement aligned or setup may either hide trusted plugins or import untrusted code.

Maintainer options:

  1. Land the explicit trust boundary (recommended)
    Accept the intentional upgrade behavior and merge once the exact-head checks finish, preserving both catalog and loader enforcement plus the package proof.
  2. Pause for compatibility policy
    Pause only if maintainers want existing config/global local plugins to retain implicit setup execution, which requires an explicit alternative trust or migration policy.

Next step before merge

  • [P2] No repair lane is needed; this open automerge implementation has no concrete patch finding, and final handling is exact-head check completion plus maintainer acceptance of the documented trust compatibility change.

Security
Cleared: No concrete security or supply-chain regression was found; the patch tightens local plugin execution trust, adds no dependency source, workflow permission, secret access, or downloaded executable path, and keeps enforcement at both selection and import boundaries.

Review details

Best possible solution:

Land one canonical local-plugin trust rule across catalog selection and scoped loader imports, preserving explicit trusted setup and origin-aware safe fallback while clearly accepting the fail-closed upgrade behavior.

Do we have a high-confidence way to reproduce the issue?

Yes. The source PR provides a concrete clean-main Docker/package path where an explicitly trusted plugins.load.paths channel remains unresolved, while the patched package resolves it and still blocks untrusted module and setup execution.

Is this the best way to solve the issue?

Yes. The patch uses the existing manifest-owner policy at both catalog and loader owner boundaries, threads the existing load-path configuration into discovery, and narrows fallback exclusion to the rejected origin/plugin pair instead of adding a competing trust mechanism.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 047785eb30c0.

Label changes

Label justifications:

  • P2: This fixes a bounded channel setup regression and local-plugin trust inconsistency with limited affected scope.
  • merge-risk: 🚨 compatibility: Existing implicitly trusted config/global local channel plugins can stop loading during setup after merge.
  • merge-risk: 🚨 security-boundary: The patch changes whether locally discovered plugin modules may execute in setup-only flows.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
  • status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Sufficient (logs): The linked source contribution includes after-fix Docker/package and black-box marker evidence for trusted and untrusted load-path behavior, and this replacement head retains that runtime proof while exact-head validation reports the focused checks passing.
  • proof: sufficient: Contributor real behavior proof is sufficient. The linked source contribution includes after-fix Docker/package and black-box marker evidence for trusted and untrusted load-path behavior, and this replacement head retains that runtime proof while exact-head validation reports the focused checks passing.

Evidence reviewed

PR surface:

Source +190, Tests +892, Other +324. Total +1406 across 13 files.

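PR surface stats:

| Area      | Files | Added | Removed | Net   |
|-----------|-------|-------|---------|-------|
| Source    | 4     | 217   | 27      | +190  |
| Tests     | 8     | 1055  | 163     | +892  |
| Docs      | 0     | 0     | 0       | 0     |
| Config    | 0     | 0     | 0       | 0     |
| Generated | 0     | 0     | 0       | 0     |
| Other     | 1     | 324   | 0       | +324  |
| Total     | 13    | 1596  | 190     | +1406 |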

What I checked:

  • Current-main gap: Current main's trusted catalog logic recognizes only workspace-origin local entries and falls back by excluding the entire workspace origin, so explicitly trusted plugins.load.paths channels are not covered by the same resolution path. (src/commands/channel-setup/trusted-catalog.ts:49, 047785eb30c0)
  • Unified trust decision: The PR classifies workspace, config, and global as local origins, applies existing manifest-owner base policy and explicit-trust helpers, and permits the existing workspace auto-enable exception without inventing a parallel trust source. (src/commands/channel-setup/trusted-catalog.ts:49, eabee04d5459)
  • Origin-aware fallback: Rejected local candidates are excluded by {pluginId, origin} and retried through the catalog, allowing a safe bundled copy with the same id to remain eligible instead of suppressing all copies. (src/commands/channel-setup/trusted-catalog.ts:85, eabee04d5459)
  • Loader enforcement: Scoped setup-only loads reapply the same base-policy and explicit-trust checks before importing non-bundled channel plugin code, closing the execution path rather than relying only on catalog filtering. (src/plugins/loader.ts:2074, eabee04d5459)
  • Real behavior proof: The source contribution records a clean-main Docker/package failure for an explicitly trusted load-path channel and an after-fix pass for trusted and untrusted cases; this head retains a package-installed Docker script that asserts module import and setup registration marker behavior. (scripts/e2e/channel-plugin-trust-docker.sh:215, eabee04d5459)
  • Exact-head checks: GitHub reported 93 successful checks, five skipped, one neutral, and only an unrelated in-progress control-plane shard at inspection time; the previously failing core-runtime and core-models shards succeeded on the exact head. (eabee04d5459)

Likely related people:

  • hxy91819: Introduced the merged workspace setup-only trust boundary in PR fix(plugins): block untrusted workspace setup-only channel loads #86953 and authored the original config/global follow-up branch and proof. (role: feature owner; confidence: high; commits: 004835f4c7f4, d797c403b24f, 0f3964cf9f19; files: src/plugins/loader.ts, src/commands/channel-setup/trusted-catalog.ts, scripts/e2e/channel-plugin-trust-docker.sh)
  • steipete: Recent history shows repeated ownership of plugin loader behavior, diagnostics, lazy runtime surfaces, and plugin edge-case hardening around the affected loader path. (role: recent adjacent contributor; confidence: medium; commits: 5b79e8156962, ccb50f89dacf, fe91ada73017; files: src/plugins/loader.ts)
  • brokemac79: Recently changed trusted installed-plugin policy contracts in the same loader and manifest-owner policy area, making them relevant to trust-policy consistency review. (role: recent adjacent owner; confidence: medium; commits: de4b8d8ebf73; files: src/plugins/loader.ts, src/plugins/manifest-owner-policy.ts)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
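
The trust rule described in the review above (one decision shared by catalog selection and scoped loader imports, with rejected local copies excluded per {pluginId, origin} so a bundled copy stays eligible), sketched as an added TypeScript example. It is not code from the openclaw repository: every type and function name is hypothetical, first-match catalog ordering is an assumption, and the workspace auto-enable exception is not modelled.

```typescript
// Added illustration: all names are hypothetical, not the openclaw API.
type PluginOrigin = "workspace" | "config" | "global" | "bundled";
interface Candidate { pluginId: string; origin: PluginOrigin; }
interface TrustConfig {
  allow: string[];                                  // models plugins.allow
  entries: { [id: string]: { enabled?: boolean } }; // models plugins.entries.<id>.enabled
}

const LOCAL_ORIGINS: PluginOrigin[] = ["workspace", "config", "global"];

// Explicit trust: id listed in allow, or entries.<id>.enabled === true.
function isExplicitlyTrusted(id: string, cfg: TrustConfig): boolean {
  const entry = cfg.entries[id];
  return cfg.allow.indexOf(id) !== -1 || (entry !== undefined && entry.enabled === true);
}

// Single decision shared by catalog and loader: local-origin code needs explicit trust.
function mayRunSetup(c: Candidate, cfg: TrustConfig): boolean {
  return LOCAL_ORIGINS.indexOf(c.origin) === -1 || isExplicitlyTrusted(c.pluginId, cfg);
}

function copyKey(c: Candidate): string { return c.pluginId + "@" + c.origin; }

// Catalog side: exclude the rejected {pluginId, origin} pair and retry, so a
// bundled copy with the same id is still eligible (assumes first match wins).
function resolveChannel(id: string, catalog: Candidate[], cfg: TrustConfig): Candidate | undefined {
  const excluded: string[] = [];
  for (;;) {
    const pick = catalog.filter(c => c.pluginId === id && excluded.indexOf(copyKey(c)) === -1)[0];
    if (pick === undefined || mayRunSetup(pick, cfg)) return pick;
    excluded.push(copyKey(pick)); // fail closed for this copy only, then retry
  }
}

// Loader side: re-apply the same rule before importing, so a caller that
// bypasses catalog filtering still cannot execute untrusted local code.
function loadForSetup(c: Candidate, cfg: TrustConfig, importModule: (c: Candidate) => string): string {
  if (!mayRunSetup(c, cfg)) throw new Error("untrusted local channel plugin: " + copyKey(c));
  return importModule(c);
}

// Constructed sample catalog: a config-origin copy shadows a bundled copy of "chat".
const SAMPLE_CATALOG: Candidate[] = [
  { pluginId: "chat", origin: "config" },
  { pluginId: "chat", origin: "bundled" },
  { pluginId: "pager", origin: "global" },
];
```

Keeping `mayRunSetup` as the only trust predicate is what prevents the drift the review warns about, where the catalog hides a trusted plugin or the loader imports an untrusted one.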

clawsweeper Bot (Contributor, Author) commented Jun 11, 2026

🦞✅
ClawSweeper merged this PR after the passing review.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=eabee04d54596790a16a70d56b97b51eddd87791)
Merge status: merged by ClawSweeper automerge
Merged at: 2026-06-11T13:48:42Z
Merge commit: 2bec2caf0c69

What merged:

  • The PR extends channel setup trust enforcement and trusted catalog fallback from workspace-origin plugins to ... nfigured load paths into catalog discovery, and adds focused regression plus Docker/package proof coverage.
  • PR surface: Source +190, Tests +892, Other +324. Total +1406 across 13 files.
  • Reproducibility: yes. The source PR provides a concrete clean-main Docker/package path where an explicitly t ... ns unresolved, while the patched package resolves it and still blocks untrusted module and setup execution.

Automerge notes:

  • PR branch already contained follow-up commit before automerge: fix(channel): stabilize trusted catalog dts typing
  • PR branch already contained follow-up commit before automerge: fix(channel): repair trusted catalog exclusions typing
  • PR branch already contained follow-up commit before automerge: test(channel): cover local channel plugin trust
  • PR branch already contained follow-up commit before automerge: chore(deps): refresh plugin shrinkwraps
  • PR branch already contained follow-up commit before automerge: test(channel): route trust regression in command shard
  • PR branch already contained follow-up commit before automerge: test(channel): remove e2e-named trust regression

The automerge loop is complete.

Automerge progress:

  • 2026-06-11 12:59:13 UTC review queued bf86d9f5c035 (queued)
  • 2026-06-11 13:10:21 UTC review passed bf86d9f5c035 (structured ClawSweeper verdict: pass (sha=bf86d9f5c035dac859a73ccc4f023174e1dc7...)
  • 2026-06-11 13:38:30 UTC review queued eabee04d5459 (after repair)
  • 2026-06-11 13:45:00 UTC review passed eabee04d5459 (structured ClawSweeper verdict: pass (sha=eabee04d54596790a16a70d56b97b51eddd87...)
  • 2026-06-11 13:48:45 UTC merged eabee04d5459 (merged by ClawSweeper automerge)

clawsweeper Bot added the following labels Jun 11, 2026:
  • proof: sufficient (ClawSweeper judged the real behavior proof convincing.)
  • rating: 🐚 platinum hermit (Good normal PR readiness with ordinary maintainer review expected.)
  • status: 🚀 automerge armed (This PR is in ClawSweeper's automerge lane.)
  • P2 (Normal backlog priority with limited blast radius.)
  • merge-risk: 🚨 compatibility (🚨 May break existing users, config, migrations, defaults, or upgrade paths.)
  • merge-risk: 🚨 security-boundary (🚨 May affect sandboxing, authorization, credentials, or sensitive data.)
clawsweeper Bot force-pushed the clawsweeper/automerge-openclaw-openclaw-89456 branch from bf86d9f to eabee04 June 11, 2026 13:38
clawsweeper Bot merged commit 2bec2ca into main Jun 11, 2026
160 checks passed
clawsweeper Bot deleted the clawsweeper/automerge-openclaw-openclaw-89456 branch June 11, 2026 13:48
wangmiao0668000666 pushed a commit to wangmiao0668000666/openclaw that referenced this pull request Jun 12, 2026
Summary:
- The PR extends channel setup trust enforcement and trusted catalog fallback from workspace-origin plugins to ... nfigured load paths into catalog discovery, and adds focused regression plus Docker/package proof coverage.
- PR surface: Source +190, Tests +892, Other +324. Total +1406 across 13 files.
- Reproducibility: yes. The source PR provides a concrete clean-main Docker/package path where an explicitly t ... ns unresolved, while the patched package resolves it and still blocks untrusted module and setup execution.

Automerge notes:
- PR branch already contained follow-up commit before automerge: fix(channel): stabilize trusted catalog dts typing
- PR branch already contained follow-up commit before automerge: fix(channel): repair trusted catalog exclusions typing
- PR branch already contained follow-up commit before automerge: test(channel): cover local channel plugin trust
- PR branch already contained follow-up commit before automerge: chore(deps): refresh plugin shrinkwraps
- PR branch already contained follow-up commit before automerge: test(channel): route trust regression in command shard
- PR branch already contained follow-up commit before automerge: test(channel): remove e2e-named trust regression

Validation:
- ClawSweeper review passed for head eabee04.
- Required merge gates passed before the squash merge.

Prepared head SHA: eabee04
Review: openclaw#92175 (comment)

Co-authored-by: Mason Huang <masonxhuang@tencent.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
Co-authored-by: clawsweeper[bot] <274271284+clawsweeper[bot]@users.noreply.github.com>
Approved-by: hxy91819
Co-authored-by: hxy91819 <8814856+hxy91819@users.noreply.github.com>

Labels

  • clawsweeper:automerge: Maintainer opted this PR into bounded ClawSweeper-reviewed automerge
  • clawsweeper: Tracked by ClawSweeper automation
  • commands: Command implementations
  • docker: Docker and sandbox tooling
  • maintainer: Maintainer-authored PR
  • merge-risk: 🚨 compatibility: 🚨 May break existing users, config, migrations, defaults, or upgrade paths.
  • merge-risk: 🚨 security-boundary: 🚨 May affect sandboxing, authorization, credentials, or sensitive data.
  • P2: Normal backlog priority with limited blast radius.
  • proof: sufficient: ClawSweeper judged the real behavior proof convincing.
  • rating: 🐚 platinum hermit: Good normal PR readiness with ordinary maintainer review expected.
  • scripts: Repository scripts
  • size: XL
  • status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane.