test(e2e): harden beta preflight failures

scripts/e2e/parallels-linux-smoke.sh

@@ -403,6 +403,12 @@ guest_exec() {
   prlctl exec "$VM_NAME" /usr/bin/env HOME=/root "$@"
 }
 
+guest_bash_script() {
+  local encoded
+  encoded="$(base64 | tr -d '\n')"
+  guest_exec bash -lc "printf '%s' '$encoded' | base64 -d | bash"
+}
+
 wait_for_vm_status() {
   local expected="$1"
   local deadline status
@@ -625,7 +631,7 @@ run_ref_onboard() {
 }
 
 inject_bad_plugin_fixture() {
-  guest_exec bash -lc "$(cat <<'EOF'
+  guest_bash_script <<'EOF'
 set -euo pipefail
 plugin_dir=/root/.openclaw/test-bad-plugin
 mkdir -p "$plugin_dir"
@@ -684,7 +690,6 @@ if isinstance(allow, list) and "test-bad-plugin" not in allow:
 config_path.write_text(json.dumps(config, indent=2) + "\n")
 PY
 EOF
-)"
 }
 
 verify_bad_plugin_diagnostic() {

src/commands/doctor-config-flow.test.ts

@@ -1708,14 +1708,16 @@ describe("doctor config flow", () => {
     const cfg = result.cfg as unknown as {
       channels: { discord: { dm: { allowFrom: string[] }; allowFrom?: string[] } };
     };
-    // When dmPolicy is set at top level but allowFrom only exists nested in dm,
-    // the repair adds "*" to dm.allowFrom
-    if (cfg.channels.discord.dm) {
+    // Top-level allowFrom is canonical for Discord; nested dm.allowFrom is
+    // preserved when it already carried sender ids.
+    if (cfg.channels.discord.allowFrom) {
+      expect(cfg.channels.discord.allowFrom).toContain("*");
+      expect(cfg.channels.discord.dm?.allowFrom).toContain("123");
+    } else if (cfg.channels.discord.dm) {
       expect(cfg.channels.discord.dm.allowFrom).toContain("*");
       expect(cfg.channels.discord.dm.allowFrom).toContain("123");
     } else {
-      // If doctor flattened the config, allowFrom should be at top level
-      expect(cfg.channels.discord.allowFrom).toContain("*");
+      expect.unreachable("expected Discord repair to preserve a DM allowFrom location");
     }
   });