refactor: trim infra env exports

src/infra/exec-approval-session-target.ts

@@ -10,12 +10,6 @@ import type { ExecApprovalRequest } from "./exec-approvals.js";
 import { resolveSessionDeliveryTarget } from "./outbound/targets.js";
 import type { PluginApprovalRequest } from "./plugin-approvals.js";
 
-export {
-  doesApprovalRequestMatchChannelAccount,
-  resolveApprovalRequestAccountId,
-  resolveApprovalRequestChannelAccountId,
-} from "./approval-request-account-binding.js";
-
 export type ExecApprovalSessionTarget = {
   channel?: string;
   to: string;

src/infra/exec-safe-bin-policy-profiles.ts

@@ -295,7 +295,7 @@ export function resolveSafeBinProfiles(
   };
 }
 
-export function resolveSafeBinDeniedFlags(
+function resolveSafeBinDeniedFlags(
   fixtures: Readonly<Record<string, SafeBinProfileFixture>> = SAFE_BIN_PROFILE_FIXTURES,
 ): Record<string, string[]> {
   const out: Record<string, string[]> = {};

src/infra/fs-pinned-write-helper.ts

@@ -7,7 +7,7 @@ import type { Readable } from "node:stream";
 import { pipeline } from "node:stream/promises";
 import type { FileIdentityStat } from "./file-identity.js";
 
-export type PinnedWriteInput =
+type PinnedWriteInput =
   | { kind: "buffer"; data: string | Buffer; encoding?: BufferEncoding }
   | { kind: "stream"; stream: Readable };
 

src/infra/gateway-discovery-targets.ts

@@ -5,7 +5,7 @@ import {
   type GatewayDiscoveryResolvedEndpoint,
 } from "./bonjour-discovery.js";
 
-export type GatewayDiscoveryTarget = {
+type GatewayDiscoveryTarget = {
   title: string;
   domain: string;
   endpoint: GatewayDiscoveryResolvedEndpoint | null;

src/infra/gateway-lock.ts

@@ -29,7 +29,7 @@ const LockPayloadSchema = z.object({
   startTime: z.number().optional(),
 }) as z.ZodType<LockPayload>;
 
-export type GatewayLockHandle = {
+type GatewayLockHandle = {
   lockPath: string;
   configPath: string;
   release: () => Promise<void>;

src/infra/git-root.ts

@@ -1,7 +1,7 @@
 import fs from "node:fs";
 import path from "node:path";
 
-export const DEFAULT_GIT_DISCOVERY_MAX_DEPTH = 12;
+const DEFAULT_GIT_DISCOVERY_MAX_DEPTH = 12;
 
 function walkUpFrom<T>(
   startDir: string,

src/infra/heartbeat-reason.ts

@@ -1,6 +1,6 @@
 import { normalizeOptionalString } from "../shared/string-coerce.js";
 
-export type HeartbeatReasonKind =
+type HeartbeatReasonKind =
   | "retry"
   | "interval"
   | "manual"

src/infra/heartbeat-typing.ts

@@ -8,7 +8,7 @@ type HeartbeatTypingLogger = {
   debug?: (message: string, meta?: Record<string, unknown>) => void;
 };
 
-export type HeartbeatTypingTarget = {
+type HeartbeatTypingTarget = {
   channel: string;
   to?: string;
   accountId?: string | null;

src/infra/host-env-security.ts

@@ -4,25 +4,25 @@ import { markOpenClawExecEnv } from "./openclaw-exec-env.js";
 const PORTABLE_ENV_VAR_KEY = /^[A-Za-z_][A-Za-z0-9_]*$/;
 const WINDOWS_COMPAT_OVERRIDE_ENV_VAR_KEY = /^[A-Za-z_][A-Za-z0-9_()]*$/;
 
-export const HOST_DANGEROUS_ENV_KEY_VALUES: readonly string[] = Object.freeze([
+const HOST_DANGEROUS_ENV_KEY_VALUES: readonly string[] = Object.freeze([
   ...HOST_ENV_SECURITY_POLICY.blockedKeys,
 ]);
-export const HOST_DANGEROUS_ENV_PREFIXES: readonly string[] = Object.freeze([
+const HOST_DANGEROUS_ENV_PREFIXES: readonly string[] = Object.freeze([
   ...HOST_ENV_SECURITY_POLICY.blockedPrefixes,
 ]);
-export const HOST_DANGEROUS_INHERITED_ENV_KEY_VALUES: readonly string[] = Object.freeze([
+const HOST_DANGEROUS_INHERITED_ENV_KEY_VALUES: readonly string[] = Object.freeze([
   ...HOST_ENV_SECURITY_POLICY.blockedInheritedKeys,
 ]);
-export const HOST_DANGEROUS_INHERITED_ENV_PREFIXES: readonly string[] = Object.freeze([
+const HOST_DANGEROUS_INHERITED_ENV_PREFIXES: readonly string[] = Object.freeze([
   ...HOST_ENV_SECURITY_POLICY.blockedInheritedPrefixes,
 ]);
-export const HOST_DANGEROUS_OVERRIDE_ENV_KEY_VALUES: readonly string[] = Object.freeze([
+const HOST_DANGEROUS_OVERRIDE_ENV_KEY_VALUES: readonly string[] = Object.freeze([
   ...HOST_ENV_SECURITY_POLICY.blockedOverrideKeys,
 ]);
-export const HOST_DANGEROUS_OVERRIDE_ENV_PREFIXES: readonly string[] = Object.freeze([
+const HOST_DANGEROUS_OVERRIDE_ENV_PREFIXES: readonly string[] = Object.freeze([
   ...HOST_ENV_SECURITY_POLICY.blockedOverridePrefixes,
 ]);
-export const HOST_SHELL_WRAPPER_ALLOWED_OVERRIDE_ENV_KEY_VALUES: readonly string[] = Object.freeze([
+const HOST_SHELL_WRAPPER_ALLOWED_OVERRIDE_ENV_KEY_VALUES: readonly string[] = Object.freeze([
   "TERM",
   "LANG",
   "LC_ALL",
@@ -32,16 +32,13 @@ export const HOST_SHELL_WRAPPER_ALLOWED_OVERRIDE_ENV_KEY_VALUES: readonly string
   "NO_COLOR",
   "FORCE_COLOR",
 ]);
-export const HOST_SHELL_WRAPPER_ALLOWED_OVERRIDE_ENV_PREFIX_VALUES: readonly string[] =
-  Object.freeze(["LC_"]);
-export const HOST_DANGEROUS_ENV_KEYS = new Set<string>(HOST_DANGEROUS_ENV_KEY_VALUES);
-export const HOST_DANGEROUS_INHERITED_ENV_KEYS = new Set<string>(
-  HOST_DANGEROUS_INHERITED_ENV_KEY_VALUES,
-);
-export const HOST_DANGEROUS_OVERRIDE_ENV_KEYS = new Set<string>(
-  HOST_DANGEROUS_OVERRIDE_ENV_KEY_VALUES,
-);
-export const HOST_SHELL_WRAPPER_ALLOWED_OVERRIDE_ENV_KEYS = new Set<string>(
+const HOST_SHELL_WRAPPER_ALLOWED_OVERRIDE_ENV_PREFIX_VALUES: readonly string[] = Object.freeze([
+  "LC_",
+]);
+const HOST_DANGEROUS_ENV_KEYS = new Set<string>(HOST_DANGEROUS_ENV_KEY_VALUES);
+const HOST_DANGEROUS_INHERITED_ENV_KEYS = new Set<string>(HOST_DANGEROUS_INHERITED_ENV_KEY_VALUES);
+const HOST_DANGEROUS_OVERRIDE_ENV_KEYS = new Set<string>(HOST_DANGEROUS_OVERRIDE_ENV_KEY_VALUES);
+const HOST_SHELL_WRAPPER_ALLOWED_OVERRIDE_ENV_KEYS = new Set<string>(
   HOST_SHELL_WRAPPER_ALLOWED_OVERRIDE_ENV_KEY_VALUES,
 );
 
@@ -59,13 +56,13 @@ function isShellWrapperAllowedOverrideEnvVarName(rawKey: string): boolean {
   );
 }
 
-export type HostExecEnvSanitizationResult = {
+type HostExecEnvSanitizationResult = {
   env: Record<string, string>;
   rejectedOverrideBlockedKeys: string[];
   rejectedOverrideInvalidKeys: string[];
 };
 
-export type HostExecEnvOverrideDiagnostics = {
+type HostExecEnvOverrideDiagnostics = {
   rejectedOverrideBlockedKeys: string[];
   rejectedOverrideInvalidKeys: string[];
 };