fix: fail closed on sandbox media mapping errors

src/auto-reply/reply/reply-media-paths.test.ts

@@ -162,6 +162,28 @@ describe("createReplyMediaPathNormalizer", () => {
     expect(resolveOutboundAttachmentFromUrl).not.toHaveBeenCalled();
   });
 
+  it("drops absolute host-local media paths when sandbox mapping fails", async () => {
+    ensureSandboxWorkspaceForSession.mockResolvedValue({
+      workspaceDir: "/tmp/sandboxes/session-1",
+      containerWorkdir: "/workspace",
+    });
+    const normalize = createReplyMediaPathNormalizer({
+      cfg: { tools: { fs: { workspaceOnly: false } } },
+      sessionKey: "session-key",
+      workspaceDir: "/tmp/agent-workspace",
+    });
+
+    const result = await normalize({
+      mediaUrls: ["/Users/peter/Documents/report.pdf"],
+    });
+
+    expect(result).toMatchObject({
+      mediaUrl: undefined,
+      mediaUrls: undefined,
+    });
+    expect(resolveOutboundAttachmentFromUrl).not.toHaveBeenCalled();
+  });
+
   it("stages absolute workspace media paths so the PR scenario now works", async () => {
     const absolutePath = "/Users/peter/.openclaw/workspace/exports/images/chart.png";
     const normalize = createReplyMediaPathNormalizer({

src/auto-reply/reply/reply-media-paths.ts

@@ -187,19 +187,13 @@ export function createReplyMediaPathNormalizer(params: {
           sandboxRoot,
         });
       } catch (err) {
-        if (!isLikelyLocalMediaSource(media)) {
-          throw err;
-        }
         if (FILE_URL_RE.test(media)) {
           throw new Error(
             "Host-local MEDIA file URLs are blocked in normal replies. Use a safe path or the message tool.",
             { cause: err },
           );
         }
-        if (isRelativeLocalMedia) {
-          return await persistLocalReplyMedia(resolveWorkspaceRelativeMedia(media));
-        }
-        return await persistLocalReplyMedia(media);
+        throw err;
       }
       return await persistLocalReplyMedia(sandboxResolvedMedia);
     }