From e1a73d380db7cea0e960b5463041bc5c644e54aa Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Sat, 2 May 2026 16:59:24 -0700
Subject: [PATCH] test(plugins): require reviewed npm critical findings

---
 .../npm-install-security-scan.release.test.ts | 37 +++++++++++++------
 1 file changed, 25 insertions(+), 12 deletions(-)

diff --git a/src/plugins/npm-install-security-scan.release.test.ts b/src/plugins/npm-install-security-scan.release.test.ts
index 6b7811a7d6f..2d8bac8ad8c 100644
--- a/src/plugins/npm-install-security-scan.release.test.ts
+++ b/src/plugins/npm-install-security-scan.release.test.ts
@@ -18,6 +18,16 @@ type PublishablePluginPackage = {
   packageName: string;
 };
 
+const REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS = new Set([
+  "@openclaw/acpx:dangerous-exec:src/codex-auth-bridge.ts",
+  "@openclaw/acpx:dangerous-exec:src/runtime-internals/mcp-proxy.mjs",
+  "@openclaw/codex:dangerous-exec:src/app-server/transport-stdio.ts",
+  "@openclaw/google-meet:dangerous-exec:src/node-host.ts",
+  "@openclaw/google-meet:dangerous-exec:src/realtime.ts",
+  "@openclaw/voice-call:dangerous-exec:src/tunnel.ts",
+  "@openclaw/voice-call:dangerous-exec:src/webhook/tailscale.ts",
+]);
+
 const tempDirs: string[] = [];
 
 afterEach(() => {
@@ -115,8 +125,9 @@ function collectPublishablePluginPackages(): PublishablePluginPackage[] {
 }
 
 describe("publishable plugin npm package install security scan", () => {
-  it("keeps npm-published plugin files clear of env-harvesting hits", async () => {
-    const failures: string[] = [];
+  it("keeps npm-published plugin files clear of unexpected critical hits", async () => {
+    const unexpectedCriticalFindings: string[] = [];
+    const reviewedCriticalFindings = new Set();
 
     for (const plugin of collectPublishablePluginPackages()) {
       const packedFiles = collectNpmPackedFiles(plugin.packageDir, plugin.packageName);
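Review bot: The entries added to REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS pin a package, rule id and packed path but nothing about the file's content, so a later edit to any of these seven files can introduce new dangerous-exec call sites that this test keeps accepting silently (the key is built the same way in the third hunk). That makes each entry a point-in-time review whose scope and provenance are not recorded anywhere in the file. I would add a header comment above the set, e.g. `// Critical scanner findings reviewed as intentional. Key format: "<package>:<ruleId>:<packed path>".` / `// An entry covers the whole file, so re-review it (and update the reference) whenever that file changes; stale entries fail the scan test.`, and a trailing `// reviewed: <review reference>` comment on each entry. If the scanner's evidence string is stable across unrelated edits, folding it into the key would narrow each allowlist entry to the specific reviewed call site instead of the whole file.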
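Review bot: `const reviewedCriticalFindings = new Set();` carries no element type, so under strict settings it infers Set<unknown> and the later `.has(key)` and spread-and-sort comparison operate on unknown rather than string; if the rendering stripped a `<string>` type argument here, disregard this. Otherwise I would write `const reviewedCriticalFindings = new Set<string>();`, matching the explicit `string[]` on the sibling accumulator one line above. The `it` callback continues past the end of this hunk.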
@@ -127,20 +138,22 @@ describe("publishable plugin npm package install security scan", () => {
       });
 
       for (const finding of summary.findings) {
-        if (finding.ruleId !== "env-harvesting" || finding.severity !== "critical") {
+        if (finding.severity !== "critical") {
           continue;
         }
-        failures.push(
-          [
-            plugin.packageName,
-            relative(stageDir, finding.file).split(sep).join("/"),
-            `${finding.line}`,
-            finding.evidence,
-          ].join(":"),
-        );
+        const packedPath = relative(stageDir, finding.file).split(sep).join("/");
+        const key = `${plugin.packageName}:${finding.ruleId}:${packedPath}`;
+        if (REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS.has(key)) {
+          reviewedCriticalFindings.add(key);
+          continue;
+        }
+        unexpectedCriticalFindings.push([key, `${finding.line}`, finding.evidence].join(":"));
       }
     }
 
-    expect(failures).toEqual([]);
+    expect(unexpectedCriticalFindings).toEqual([]);
+    expect([...reviewedCriticalFindings].toSorted()).toEqual(
+      [...REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS].toSorted(),
+    );
   });
 });
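Review bot: The closing assertion `expect([...reviewedCriticalFindings].toSorted()).toEqual([...REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS].toSorted())` reports a stale allowlist entry as a mismatch between two full sorted arrays, which a maintainer has to eyeball to find the one key that no longer fires. Because keys only reach reviewedCriticalFindings after passing the `.has(key)` guard, that set can never contain anything outside the constant, so the equality check is exactly "no stale entries" and can be stated that way: `const staleReviewedFindings = [...REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS].filter((key) => !reviewedCriticalFindings.has(key));` followed by `expect(staleReviewedFindings).toEqual([]);`, which lists the entries to delete directly. A short comment on that assertion, e.g. `// Every allowlisted finding must still fire, so entries are pruned once the code is fixed.`, would also make the purpose of the second expect obvious to the next reader. The `it` callback this hunk closes begins in the previous hunk.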