fix(core): unify session-key normalization and plugin boundary checks

2026-05-10 13:05:01 +00:00 · 2026-02-26 12:40:57 +00:00
parent e3385a6578
commit 4b71de384c
13 changed files with 182 additions and 34 deletions
--- a/src/plugins/loader.ts
+++ b/src/plugins/loader.ts
@@ -530,6 +530,10 @@ export function loadOpenClawPlugins(options: PluginLoadOptions = {}): PluginRegi
      absolutePath: candidate.source,
      rootPath: pluginRoot,
      boundaryLabel: "plugin root",
+      // Discovery stores rootDir as realpath but source may still be a lexical alias
+      // (e.g. /var/... vs /private/var/... on macOS). Canonical boundary checks
+      // still enforce containment; skip lexical pre-check to avoid false escapes.
+      skipLexicalRootCheck: true,
    });
    if (!opened.ok) {
      record.status = "error";