fix(security): harden discord proxy and bundled channel activation (#60455)

* fix(security): tighten discord proxy and mobile tls guards

* fix(plugins): enforce allowlists for bundled channels

* fix(types): align callers with removed legacy config aliases

* fix(security): preserve bundled channel opt-in and ipv6 proxies
Vincent Koc
2026-04-04 02:48:52 +09:00
committed by GitHub
parent 3ddf745f97
commit 50e1eb56d7
16 changed files with 266 additions and 44 deletions


@@ -731,7 +731,7 @@ describe("loadOpenClawPlugins", () => {
},
},
{
name: "loads bundled channel plugins when channels.<id>.enabled=true even if plugins.allow excludes them",
name: "keeps bundled channel plugins behind restrictive allowlists even when channels.<id>.enabled=true",
config: {
channels: {
telegram: {
@@ -743,7 +743,10 @@ describe("loadOpenClawPlugins", () => {
},
} satisfies PluginLoadConfig,
assert: (registry: ReturnType<typeof loadOpenClawPlugins>) => {
expectTelegramLoaded(registry);
const telegram = registry.plugins.find((entry) => entry.id === "telegram");
expect(telegram?.status).toBe("disabled");
expect(telegram?.error).toBe("not in allowlist");
expect(telegram?.explicitlyEnabled).toBe(true);
},
},
{
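Review bot: The rewritten `assert` callback in the second hunk checks only what the registry entry reports (`status`, `error`, `explicitlyEnabled`); nothing visible here confirms that the telegram channel was actually left unregistered, which is the behaviour the allowlist is meant to enforce. If the test file has a negative counterpart to `expectTelegramLoaded`, calling it here would pin enforcement rather than reporting; whether such a helper exists cannot be seen from this hunk. Adding `expect(telegram).toBeDefined();` before the three field checks would make a missing entry fail with a clear message instead of a `status` mismatch on `undefined`. A comment such as `// enabled=true records operator intent but must not bypass plugins.allow` would explain why `explicitlyEnabled` is true on a disabled entry. The test-case array continues outside the hunk.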