openclaw - 💡(How to fix) Fix SecOps authorization: clean up extension boundary test imports


@openclaw/secops please authorize editing the restricted test files below to clear the remaining test/extension-test-boundary.test.ts offenders.

Context: the current targeted boundary failure is only in tests under src/secrets/ and src/security/, both protected by CODEOWNERS. These tests currently deep-import bundled extension src/** internals, which violates the repository rule that plugin-owned behavior suites should live under the bundled plugin tree or consume public/contract surfaces.

Scope constraints:

  • Do not change runtime behavior.
  • Do not change SecretRef or secret resolution semantics.
  • Do not change security audit implementation.
  • Do not change restricted production files.
  • Do not expand tenant lifecycle.
  • Do not add snapshot/read-surfaces.
  • Do not modify boundary inventory/ignore/expected-failure files.
  • Only move tests, change test imports to public/contract seams, or replace an unrelated extension import with a core generic stub.

Requested authorization for restricted files and minimum action:

  1. src/secrets/runtime-channel-inactive-variants.test.ts

    • Split plugin-specific IRC, Slack, and Google Chat cases into owning extension tests, or keep only a core generic stub for prepareSecretsRuntimeSnapshot channel secret hook behavior.
    • IRC now has extensions/irc/contract-api.ts available for a narrow contract surface.
  2. src/secrets/runtime-discord-surface.test.ts

    • Move Discord token, PluralKit, and voice TTS active/inactive coverage to Discord owning extension tests.
  3. src/secrets/runtime-inactive-telegram-surfaces.test.ts

    • Move inactive Telegram refs and diagnostics coverage to Telegram owning extension tests.
  4. src/secrets/runtime-legacy-x-search.test.ts

    • Keep the core legacy tools.web.x_search.apiKey assertion in core, but remove the unrelated Telegram private import by using a core generic/no-op bootstrap stub.
  5. src/secrets/runtime-matrix-shadowing.test.ts

    • Move Matrix password/accessToken shadowing coverage to Matrix owning extension tests.
  6. src/secrets/runtime-matrix-top-level.test.ts

    • Move Matrix top-level accessToken SecretRef coverage to Matrix owning extension tests.
  7. src/secrets/runtime-nextcloud-talk-file-precedence.test.ts

    • Move or import via public contract seam for Nextcloud Talk botSecret / apiPassword file-precedence coverage.
    • Nextcloud Talk now has extensions/nextcloud-talk/contract-api.ts available for a narrow contract surface.
  8. src/secrets/runtime-telegram-token-inheritance.test.ts

    • Move Telegram botToken/webhookSecret inheritance, blank, tokenFile, and missing env coverage to Telegram owning extension tests.
  9. src/secrets/runtime-zalo-token-activity.test.ts

    • Move Zalo botToken/tokenFile active-surface coverage to Zalo owning extension tests.
  10. src/security/audit-channel-slack-command-findings.test.ts

    • Change imports to Slack public/contract surface instead of extensions/slack/src/accounts.js and extensions/slack/src/security-audit.js, or move plugin-owned audit coverage to Slack tests.
  11. src/security/audit-feishu-doc-risk.test.ts

    • Change imports to Feishu public/contract surface instead of extensions/feishu/src/security-audit.js, or move plugin-owned audit coverage to Feishu tests.
    • Feishu now exports collectFeishuSecurityAuditFindings from extensions/feishu/contract-api.ts.

Review checklist:

  • src/secrets/** and src/security/** diffs are limited to test migration/import/stub cleanup.
  • No changes to src/secrets/runtime.ts, src/security/*.ts production implementation, or security-sensitive runtime behavior.
  • Existing SecretRef, credential precedence, and security audit assertions remain covered in the appropriate owner test suite.
  • New or used extension contract seams are narrow re-exports with no heavy runtime side effects.
  • Boundary offender list reaches zero.

Targeted validation plan after authorization:

  • OPENCLAW_VITEST_MAX_WORKERS=1 pnpm test test/extension-test-boundary.test.ts -t "keeps plugin-owned behavior suites under the bundled plugin tree"
  • pnpm test for the migrated extension secret/audit suites.
  • pnpm test src/security/audit-channel-slack-command-findings.test.ts src/security/audit-feishu-doc-risk.test.ts if those files stay in src/security/.
  • pnpm build if public/contract imports or module boundaries change.
  • pnpm check before commit.
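
The boundary rule this request refers to (core tests must not deep-import `extensions/<name>/src/**`, while `contract-api.ts` seams and an extension's own suites are fine) can be sketched as a standalone check. This is an added example, not part of the issue and not the project's `test/extension-test-boundary.test.ts`; the function names, the regex-based import scan, and the sample file contents are assumptions made for illustration.

```typescript
// Added sketch; not the project's test/extension-test-boundary.test.ts.
type TestSource = { path: string; source: string };
type BoundaryOffender = { file: string; specifier: string; extension: string };

// Static imports/re-exports, side-effect imports, dynamic import(), vi.mock().
const SPECIFIER_RE =
  /(?:\bfrom\s*|\bimport\s*\(?\s*|\bvi\.mock\s*\(\s*)(["'])([^"']+)\1/g;

// Resolve a relative specifier against the importing file (repo-relative,
// "/"-separated). Bare package names return null (assumption: no path aliases).
function resolveSpecifier(fromFile: string, specifier: string): string | null {
  if (specifier.charAt(0) !== ".") return null;
  const parts = fromFile.split("/").slice(0, -1);
  for (const seg of specifier.split("/")) {
    if (seg === "..") parts.pop();
    else if (seg !== "." && seg !== "") parts.push(seg);
  }
  return parts.join("/");
}

function findBoundaryOffenders(files: TestSource[]): BoundaryOffender[] {
  const offenders: BoundaryOffender[] = [];
  for (const file of files) {
    const re = new RegExp(SPECIFIER_RE.source, "g");
    let m: RegExpExecArray | null;
    while ((m = re.exec(file.source)) !== null) {
      const resolved = resolveSpecifier(file.path, m[2]);
      const hit = resolved === null ? null : /^extensions\/([^/]+)\/src\//.exec(resolved);
      if (hit === null) continue; // contract-api.ts and core imports pass
      // A suite living under extensions/<name>/ may import its own internals.
      if (file.path.indexOf("extensions/" + hit[1] + "/") === 0) continue;
      offenders.push({ file: file.path, specifier: m[2], extension: hit[1] });
    }
  }
  return offenders;
}

// Constructed inputs: paths follow the issue text, file contents are invented.
const SAMPLE: TestSource[] = [
  { path: "src/security/audit-feishu-doc-risk.test.ts",
    source: 'import * as audit from "../../extensions/feishu/src/security-audit.js";' },
  { path: "src/security/audit-feishu-doc-risk.fixed.test.ts",
    source: 'import * as audit from "../../extensions/feishu/contract-api.js";' },
  { path: "extensions/slack/src/security-audit.test.ts",
    source: 'import "./security-audit.js";\nvi.mock("./accounts.js");' },
];

console.log(findBoundaryOffenders(SAMPLE));
```

Only the first sample file is reported; the contract-seam import and the extension-owned suite pass, which is the end state the review checklist describes as the offender list reaching zero.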
