From 5db30ab47d87e0e045e109351f04e8bcc1a60b84 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 17 May 2026 03:44:24 +0800
Subject: [PATCH] fix(extensions): satisfy runtime boundary checks

---
 extensions/clickclack/src/gateway.ts    |  6 +++---
 extensions/qa-lab/src/runtime-parity.ts | 18 ++++++++++++++----
 extensions/xai/onboard.test.ts          |  6 +++++-
 3 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/extensions/clickclack/src/gateway.ts b/extensions/clickclack/src/gateway.ts
index b5da8d505f0..235ace8294f 100644
--- a/extensions/clickclack/src/gateway.ts
+++ b/extensions/clickclack/src/gateway.ts
@@ -100,7 +100,7 @@ export async function startClickClackGatewayAccount(
   ctx: ChannelGatewayContext<ResolvedClickClackAccount>,
 ) {
   const configuredAccount = resolveClickClackAccount({
-    cfg: ctx.cfg as CoreConfig,
+    cfg: ctx.cfg,
     accountId: ctx.account.accountId,
   });
   if (!configuredAccount.configured) {
@@ -138,7 +138,7 @@ export async function startClickClackGatewayAccount(
         afterCursor = event.cursor || afterCursor;
         await processEvent({
           account,
-          config: ctx.cfg as CoreConfig,
+          config: ctx.cfg,
           client,
           event,
           botUserId: account.botUserId,
@@ -162,7 +162,7 @@ export async function startClickClackGatewayAccount(
           afterCursor = event.cursor || afterCursor;
           await processEvent({
             account,
-            config: ctx.cfg as CoreConfig,
+            config: ctx.cfg,
             client,
             event,
             botUserId: account.botUserId ?? "",
diff --git a/extensions/qa-lab/src/runtime-parity.ts b/extensions/qa-lab/src/runtime-parity.ts
index fc66f755355..175cd0f8e7f 100644
--- a/extensions/qa-lab/src/runtime-parity.ts
+++ b/extensions/qa-lab/src/runtime-parity.ts
@@ -1,6 +1,7 @@
 import { createHash } from "node:crypto";
 import fs from "node:fs/promises";
 import path from "node:path";
+import { fetchWithSsrFGuard } from "openclaw/plugin-sdk/ssrf-runtime";
 
 export type RuntimeId = "pi" | "codex";
 
@@ -851,11 +852,20 @@ async function loadRuntimeParityMockToolCalls(
     return null;
   }
   try {
-    const response = await fetch(`${normalizedBaseUrl}/debug/requests`);
-    if (!response.ok) {
-      return null;
+    const { response, release } = await fetchWithSsrFGuard({
+      url: `${normalizedBaseUrl}/debug/requests`,
+      policy: { allowPrivateNetwork: true },
+      auditContext: "qa-lab-runtime-parity-mock-tool-calls",
+    });
+    let payload: unknown;
+    try {
+      if (!response.ok) {
+        return null;
+      }
+      payload = await response.json();
+    } finally {
+      await release();
     }
-    const payload = (await response.json()) as unknown;
     if (!Array.isArray(payload)) {
       return null;
     }
diff --git a/extensions/xai/onboard.test.ts b/extensions/xai/onboard.test.ts
index 20684565683..e3b4906d7f4 100644
--- a/extensions/xai/onboard.test.ts
+++ b/extensions/xai/onboard.test.ts
@@ -25,7 +25,11 @@ describe("xai onboard", () => {
       modelId: "custom-model",
       modelName: "Custom",
     });
-    legacy.models!.providers!.xai!.models.push(
+    const xaiProvider = legacy.models?.providers?.xai;
+    if (!xaiProvider) {
+      throw new Error("expected xAI provider fixture");
+    }
+    xaiProvider.models.push(
       {
         id: "grok-3",
         name: "Grok 3",