From 93c799eb169c13e9416c4e190f140c8a0aa28c0e Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Thu, 14 May 2026 23:21:35 +0100
Subject: [PATCH] test(release): tolerate generated Slack scan artifact

---
 .../npm-install-security-scan.release.test.ts  | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/plugins/npm-install-security-scan.release.test.ts b/src/plugins/npm-install-security-scan.release.test.ts
index ae834dfe7c4..bd027ce0c6f 100644
--- a/src/plugins/npm-install-security-scan.release.test.ts
+++ b/src/plugins/npm-install-security-scan.release.test.ts
@@ -30,7 +30,6 @@ const REQUIRED_REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS = new Set([
   "@openclaw/google-meet:dangerous-exec:src/node-host.ts",
   "@openclaw/google-meet:dangerous-exec:src/realtime.ts",
   "@openclaw/matrix:dangerous-exec:src/matrix/deps.ts",
-  "@openclaw/slack:dynamic-code-execution:dist/outbound-payload.test-harness-<hash>.js",
   "@openclaw/voice-call:dangerous-exec:src/tunnel.ts",
   "@openclaw/voice-call:dangerous-exec:src/webhook/tailscale.ts",
 ]);
@@ -40,6 +39,7 @@ const OPTIONAL_REVIEWED_PUBLISHABLE_DIST_CRITICAL_FINDINGS = new Set([
   "@openclaw/acpx:dangerous-exec:dist/service-<hash>.js",
   "@openclaw/codex:dangerous-exec:dist/client-<hash>.js",
   "@openclaw/google-meet:dangerous-exec:dist/index.js",
+  "@openclaw/slack:dynamic-code-execution:dist/outbound-payload.test-harness-<hash>.js",
   "@openclaw/voice-call:dangerous-exec:dist/runtime-entry-<hash>.js",
 ]);
 
@@ -99,6 +99,16 @@ function normalizePackedFindingPath(packedPath: string): string {
   return packedPath;
 }
 
+function expectedOptionalReviewedFindingsForPackedPath(
+  packageName: string,
+  packedPath: string,
+): string[] {
+  const normalizedPath = normalizePackedFindingPath(packedPath);
+  return [...OPTIONAL_REVIEWED_PUBLISHABLE_DIST_CRITICAL_FINDINGS].filter(
+    (key) => key.startsWith(`${packageName}:`) && key.endsWith(`:${normalizedPath}`),
+  );
+}
+
 function stageScannerRelevantPackedFiles(
   packageDir: string,
   packedFiles: readonly string[],
@@ -182,8 +192,10 @@ async function scanPublishablePluginPackage(plugin: PublishablePluginPackage): P
   const unexpectedCriticalFindings: string[] = [];
   const packedFiles = await collectNpmPackedFiles(plugin.packageDir, plugin.packageName);
   for (const packedFile of packedFiles) {
-    const key = `${plugin.packageName}:dangerous-exec:${normalizePackedFindingPath(packedFile)}`;
-    if (OPTIONAL_REVIEWED_PUBLISHABLE_DIST_CRITICAL_FINDINGS.has(key)) {
+    for (const key of expectedOptionalReviewedFindingsForPackedPath(
+      plugin.packageName,
+      packedFile,
+    )) {
       expectedReviewedCriticalFindings.push(key);
     }
   }