fix(media): decode remote URL fallback filenames

[clawsweeper]

Makes #84052 merge-ready for the ClawSweeper automerge loop.
The edit pass should inspect the live PR diff, review comments, and failing checks; rebase if needed; keep the contributor branch credited; and stop only when validation is green or an external blocker is proven.
Known failing checks:

• Failing check: label:FAILURE (https://github.com/openclaw/openclaw/actions/runs/26088148444/job/76706501073)

ClawSweeper 🐠 replacement reef notes:

• Cluster: automerge-openclaw-openclaw-84052
• Source PRs: fix(media): decode remote URL fallback filenames #84052
• Credit: Source PR: fix(media): decode remote URL fallback filenames #84052
• Validation: pnpm check:changed
• Replacement reason: ClawSweeper could not update the source PR branch directly, so it opened a writable replacement PR instead.
• Automerge requested by: @Takhoffman

• Repair fallback: GitHub rejected the repair branch push because it updates workflow files and the ClawSweeper app token does not have workflows permission

Inherited issue-closing references from the source PR:
Fixes #84050

Co-author credit kept:

• @jbetala7: Co-authored-by: Jayesh Betala 55358314+jbetala7@users.noreply.github.com

fish notes: model gpt-5.5, reasoning high; reviewed against 8cbac43.

[clawsweeper]

Codex review: passed.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
This replacement PR decodes valid percent escapes in remote media URL fallback basenames, replaces decoded slash separators with underscores, preserves malformed escapes, adds saveRemoteMedia regression coverage, and updates the changelog.

Reproducibility: yes. Source inspection plus a Node check on current main show the URL path basename remains My%20Report.pdf, and the linked source PR supplies after-fix runtime proof through saveRemoteMedia.

PR rating
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Summary: Small, focused bug fix with convincing runtime proof, targeted regression tests, and no blocking correctness or security findings.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

PR egg
✨ Hatched: 🥚 common Clockwork Proofling

        /\     /\            
      _/  \___/  \_          
     /  ( o   o )  \         
    |      \_/      |        
    |   /\  ===  /\ |        
     \_/  \_____/  \_/       
        _/|_| |_|\_          
       /__| | | |__\         
          ' ' ' '            
         /_/     \_\         
       .-----------.         
      '-------------'        

Rarity: 🥚 common.
Trait: polishes edge cases.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Clockwork Proofling in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• How to hatch it: reach status: 👀 ready for maintainer look or status: 🚀 automerge armed; that usually means sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

Real behavior proof
Sufficient (terminal): The source PR includes after-fix terminal output from a local HTTP server using the real saveRemoteMedia runtime path and showing the decoded filename result.

Next step before merge
No repair lane is needed; this automerge replacement PR has no blocking code findings, so normal exact-head checks and mergeability should decide it.

Security
Cleared: The diff adds no dependencies, workflow changes, or credential handling, and decoded path separators are neutralized before the value is exposed as a filename.

Review details

Best possible solution:

Land the narrow fallback-filename decode fix with its regression coverage once the exact PR head passes the normal automerge checks.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection plus a Node check on current main show the URL path basename remains My%20Report.pdf, and the linked source PR supplies after-fix runtime proof through saveRemoteMedia.

Is this the best way to solve the issue?

Yes. Decoding only the selected fallback basename preserves existing filename precedence, avoids treating decoded separators as path traversal, and keeps malformed escape handling non-throwing.

Label justifications:

• P2: The PR fixes a visible but limited remote media filename bug in a shared media utility.

What I checked:

• Current main behavior: Current main still derives the URL fallback filename with basenameFromAnyPath(parsed.pathname), so URL.pathname percent escapes are not decoded before the filename is returned. (src/media/fetch.ts:298, e2c8e7c8ae65)
• Source reproduction check: A Node check against the same URL/pathname primitives printed /files/My%20Report.pdf and My%20Report.pdf, matching the reported current-main fallback behavior.
• Patch implementation: The PR adds basenameFromUrlPathname, decodes only the selected URL basename, replaces decoded / and \ with _, and wires it into resolveRemoteFileName. (src/media/fetch.ts:132, 8cbac43f9bbd)
• Regression coverage: The PR covers decoded spaces, malformed percent escapes, and decoded slash/backslash separators in the saveRemoteMedia path. (src/media/fetch.test.ts:586, 8cbac43f9bbd)
• Formatting sanity: The patch diff has no git diff --check whitespace errors. (8cbac43f9bbd)
• Real behavior proof: The source PR body reports a local HTTP server exercising the real saveRemoteMedia source-runtime path and copied console output showing fileName: "My Report.pdf", contentType: "application/pdf", and storedBytesMatch: true. (f93dca627a82)

Likely related people:

• steipete: Peter Steinberger introduced src/media/fetch.ts in 4075895c4ca491753cd13eeffbb833f091514daa and later carried several central media fetch refactors and fixes through this file. (role: introduced behavior and recurring area contributor; confidence: high; commits: 4075895c4ca4, 81c68f582d4a, b289441e6feb; files: src/media/fetch.ts, src/media/fetch.test.ts)
• vincentkoc: Vincent Koc recently changed the same remote media fetch path and tests for explicit proxy DNS handling, so he is a useful adjacent reviewer for media transport behavior. (role: recent adjacent contributor; confidence: medium; commits: e58d50b7a848; files: src/media/fetch.ts, src/media/fetch.test.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against e2c8e7c8ae65.

[clawsweeper]

🦞✅
ClawSweeper merged this PR after the passing review.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=8cbac43f9bbd38ebf072c48ee5376d9cbec6e0e8)
Merge status: merged by ClawSweeper automerge
Merged at: 2026-05-19T11:42:17Z
Merge commit: 4e60ad721209

What merged:

• This replacement PR decodes valid percent escapes in remote media URL fallback basenames, replaces decoded s ... scores, preserves malformed escapes, adds saveRemoteMedia regression coverage, and updates the changelog.
• Reproducibility: yes. Source inspection plus a Node check on current main show the URL path basename remains My%20Report.pdf, and the linked source PR supplies after-fix runtime proof through saveRemoteMedia.

Automerge notes:

• PR branch already contained follow-up commit before automerge: fix(media): decode remote URL fallback filenames

The automerge loop is complete.

Automerge progress:

• 2026-05-19 11:42:05 UTC review passed 8cbac43f9bbd (structured ClawSweeper verdict: pass (sha=8cbac43f9bbd38ebf072c48ee5376d9cbec6e...)

• 2026-05-19 11:42:20 UTC merged 8cbac43f9bbd (merged by ClawSweeper automerge)