[Fix] Avoid registry import in media trust path

[samzong]

Summary

• Problem: agent media trust pulled the plugin contract registry into the embedded subscribe path just to decide whether local MEDIA: paths were trusted.
• Solution: replace that hot-path registry import with a static bundled-plugin media allowlist, then gate local media passthrough on the exact active core or bundled plugin tool names for the current run.
• What changed: media filtering now blocks MCP/external provenance, unvetted registered plugin names, and non-bundled overrides of bundled or core tool names while preserving trusted core and active bundled plugin media output.
• What did NOT change (scope boundary): no channel behavior, provider behavior, plugin loading policy, config schema, or public protocol shape changed.

Motivation

• This addresses the local startup/import-fanout-investigation backlog item by removing an avoidable registry/generated-metadata import from the agent subscribe/media trust path while keeping local media trust fail-closed for untrusted tool origins.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• N/A - local startup backlog item only.
• This PR fixes a bug or regression

Real behavior proof (required for external PRs)

• Behavior addressed: The real Gateway media route still saves/generated media, while the agent subscribe trust gate only preserves local MEDIA: paths for active trusted core or bundled plugin tool origins and strips MCP/external or untrusted plugin collisions.
• Real environment tested: Local macOS 26.4.1 shell, Node v25.9.0, pnpm 11.1.0. QA suite host runner with a real Gateway child (dist/index.js gateway run --port 51535 --bind loopback --allow-unconfigured), qa-channel + qa-lab bus, mock-openai/gpt-5.5 provider; plus a production subscribeEmbeddedPiSession event-stream probe. The startup benchmark also used built Gateway processes and probed /healthz + /readyz.
• Exact steps or command run after this patch:
  • OPENCLAW_QA_KEEP_TEMP=1 pnpm openclaw qa suite --provider-mode mock-openai --runner host --scenario native-image-generation --output-dir .artifacts/qa-media-trust-refactor-proof
  • ls -l /tmp/openclaw/openclaw-qa-suite-RFNTjs/state/media/tool-image-generation/qa-lighthouse---89531b3b-7c57-4953-a338-a2799cd36030.png && file /tmp/openclaw/openclaw-qa-suite-RFNTjs/state/media/tool-image-generation/qa-lighthouse---89531b3b-7c57-4953-a338-a2799cd36030.png && shasum -a 256 /tmp/openclaw/openclaw-qa-suite-RFNTjs/state/media/tool-image-generation/qa-lighthouse---89531b3b-7c57-4953-a338-a2799cd36030.png
  • node --import tsx --input-type=module <<'EOF' ... EOF with an inline script that imports ./src/agents/pi-embedded-subscribe.ts, feeds tool_execution_end + agent_end events, passes trustedLocalMediaToolNames, and reads subscription.getPendingToolMediaReply().
  • node --import tsx scripts/bench-gateway-startup.ts --case skipChannels --case fiftyStartupLazyPlugins --runs 2 --warmup 1 --cpu-prof-dir .artifacts/startup-import-fanout/real-proof-cpu --output .artifacts/startup-import-fanout/real-proof.json
• Evidence after fix (screenshot, recording, terminal capture, console output, redacted runtime log, linked artifact, or copied live output):
  • QA suite report:

    # OpenClaw QA Scenario Suite
    - Started: 2026-05-20T03:42:24.382Z
    - Finished: 2026-05-20T03:42:59.138Z
    - Duration ms: 34756
    - Passed: 1
    - Failed: 0
    
    ### Native image generation
    - Status: pass
    - Steps:
      - [x] enables image_generate and saves a real media artifact
    Protocol note: I reviewed the requested material. Evidence snippet: Background task started for image generation (d66f2a36-6682-4f6f-8b80-931d61d7ca46).
    IMAGE_PATH:/tmp/openclaw/openclaw-qa-suite-RFNTjs/state/media/tool-image-generation/qa-lighthouse---89531b3b-7c57-4953-a338-a2799cd36030.png
    Notes: Runs against qa-channel + qa-lab bus + real gateway child + mock-openai provider.
    

  • Preserved media artifact verification:

    -rw-r--r--@ 1 x  wheel  68 May 20 11:42 /tmp/openclaw/openclaw-qa-suite-RFNTjs/state/media/tool-image-generation/qa-lighthouse---89531b3b-7c57-4953-a338-a2799cd36030.png
    PNG image data, 1 x 1, 8-bit gray+alpha, non-interlaced
    65deda782bef8ddd50b7e5d3d426fbcfafa4d9ac63bb0e56675b6b46893d51c9
    

  • Gateway/session trace showed the built Gateway invocation, image_generate tool call, async tool result, and inter-session completion carrying the saved image attachment:

    invocation: dist/index.js gateway run --port 51535 --bind loopback --allow-unconfigured
    plugin registry source: active-registry; importedRuntimePluginIds: acpx, memory-core, openai, qa-channel
    toolCall: image_generate filename=qa-lighthouse.png size=1024x1024
    toolResult: status=started taskId=d66f2a36-6682-4f6f-8b80-931d61d7ca46 runId=tool:image_generate:0ee6a0fb-f6db-4758-a68a-17846825130f
    completion attachment: type=image mimeType=image/png path=/tmp/openclaw/openclaw-qa-suite-RFNTjs/state/media/tool-image-generation/qa-lighthouse---89531b3b-7c57-4953-a338-a2799cd36030.png
    

  • Production subscribe event-stream probe output:

    {
      "trustedCoreExact": ["/tmp/openclaw-proof-core-browser.png"],
      "mcpExactNameLocal": [],
      "pluginOverrideLocal": [],
      "trustedBundledExact": ["/tmp/openclaw-proof-bundled-browser.png"],
      "mcpRemoteStillAllowed": ["https://example.test/proof.png"]
    }

  • Startup proof still reached readiness: skipChannels /readyz p50=4635.6ms; fiftyStartupLazyPlugins /readyz p50=3895.1ms; built agent subscribe/embedded chunks had no plugins/contracts/registry, pluginRegistrationContractRegistry, registry-Bus, or bundled-capability-metadata matches.
• Observed result after fix: The QA suite drove a real built Gateway child through native image generation and produced a saved PNG media artifact. The production subscribe event stream used the single trustedLocalMediaToolNames set, kept exact trusted core and bundled local media, stripped exact-name MCP local media, stripped untrusted plugin override local media, and still allowed remote MCP media URLs.
• What was not tested: Full CI, cross-OS/Testbox, live non-mock provider output, and a real external chat channel were not run.
• Before evidence: N/A - this PR validates the after-patch import and runtime media-trust behavior for the startup investigation path.

Performance accounting

• This PR does not claim a measured latency win. The proof shows the built Gateway still starts and reaches readiness after removing the registry import from the media trust path, and the built chunks no longer contain the removed registry/generated-metadata imports in the affected agent subscribe/embedded outputs.

Root Cause (if applicable)

• Root cause: media trust used pluginRegistrationContractRegistry to derive bundled plugin tool names, coupling a hot agent subscribe helper to the plugin contract registry and generated bundled capability metadata.
• Missing detection / guardrail: no source/import guard covered this helper, and no manifest-alignment test kept a lightweight allowlist honest.
• Contributing context (if known): local media passthrough has to distinguish trusted core/bundled tool origins from MCP/external tools and plugin name collisions.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/agents/pi-embedded-subscribe.tools.media.test.ts, src/agents/pi-embedded-subscribe.handlers.tools.media.test.ts.
• Scenario the test should lock in: registry-free media trust, static bundled allowlist alignment with manifests, MCP/external local media blocking, unvetted plugin local media blocking, and core/bundled exact-origin passthrough.
• Why this is the smallest reliable guardrail: the behavior is decided by the media trust helper and subscribe handler before any broader Gateway delivery path.
• Existing test that already covers this (if any): N/A.
• If no new test is added, why not: N/A - targeted tests were added/extended.

User-visible / Behavior Changes

None.

Diagram (if applicable)

Before:
[tool result MEDIA:] -> [media trust helper] -> [plugin contract registry import] -> [local path decision]

After:
[tool result MEDIA:] -> [media trust helper] -> [single active trustedLocalMediaToolNames set + static allowlist] -> [local path decision]

Security Impact (required)

• New permissions/capabilities? (Yes/No): No.
• Secrets/tokens handling changed? (Yes/No): No.
• New/changed network calls? (Yes/No): No.
• Command/tool execution surface changed? (Yes/No): Yes.
• Data access scope changed? (Yes/No): Yes.
• If any Yes, explain risk + mitigation: local MEDIA: path passthrough is narrowed. The mitigation is exact active-tool origin gating plus explicit MCP/external blocking, with tests for non-bundled overrides and name collisions.

Repro + Verification

Environment

• OS: macOS 26.4.1 (25E253)
• Runtime/container: local shell, Node v25.9.0, pnpm 11.1.0
• Model/provider: mock-openai/gpt-5.5 for QA media proof; N/A for import grep and startup benchmark
• Integration/channel (if any): qa-channel + qa-lab bus for QA media proof
• Relevant config (redacted): QA-suite and benchmark-managed temporary Gateway state

Steps

1. Build the repository with pnpm build.
2. Verify affected built chunks do not import the removed registry/generated metadata with rg "plugins/contracts/registry|pluginRegistrationContractRegistry|registry-Bus|bundled-capability-metadata" dist/attempt.tool-run-context-*.js dist/*subscribe*.js dist/*embedded*.js.
3. Run the QA suite native image generation proof listed in the Real behavior proof section.
4. Verify the preserved generated media artifact with ls, file, and shasum.
5. Run the production subscribe event-stream media trust probe listed in the Real behavior proof section.
6. Run the startup proof command listed in the Real behavior proof section.

Expected

• The Gateway reaches /healthz and /readyz in both benchmark scenarios.
• The affected built chunks do not include the plugin contract registry or bundled capability metadata import.
• The QA suite drives the built Gateway child through native image generation and saves a media artifact.
• Local MEDIA: paths are retained only for trusted active core or bundled plugin tool origins.

Actual

• The Gateway reached /healthz and /readyz in both scenarios.
• The built chunk import grep returned no matches.
• The QA suite passed native-image-generation, produced qa-lighthouse---89531b3b-7c57-4953-a338-a2799cd36030.png, and the preserved PNG verified as sha256 65deda782bef8ddd50b7e5d3d426fbcfafa4d9ac63bb0e56675b6b46893d51c9.
• The production subscribe event-stream probe returned {"trustedCoreExact":["/tmp/openclaw-proof-core-browser.png"],"mcpExactNameLocal":[],"pluginOverrideLocal":[],"trustedBundledExact":["/tmp/openclaw-proof-bundled-browser.png"],"mcpRemoteStillAllowed":["https://example.test/proof.png"]}.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What I personally verified:

• Verified scenarios: targeted media trust tests, production subscribe event-stream media trust probe, build, built-chunk import grep, changed-lane discovery, QA suite native-image-generation with a real built Gateway child, preserved media artifact verification, and built Gateway startup proof for skipChannels and fiftyStartupLazyPlugins.
• Edge cases checked: MCP provenance using a trusted name, plugin override of an overlapping core/bundled name, exact active core passthrough, exact active bundled passthrough, remote MCP media passthrough, and manifest alignment for bundled tool names.
• What I did not verify: full CI, cross-OS/Testbox, live non-mock provider output, and real external chat channel delivery.

AI-assisted: yes, Codex assisted with implementation and verification; I reviewed the diff and ran the proof commands locally.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

No existing PR review conversations were present for this branch before PR creation.

Compatibility / Migration

• Backward compatible? (Yes/No): Yes.
• Config/env changes? (Yes/No): No.
• Migration needed? (Yes/No): No.
• If yes, exact upgrade steps: N/A.

Risks and Mitigations

• Risk: the static bundled tool allowlist could drift from bundled plugin manifests.
  • Mitigation: src/agents/pi-embedded-subscribe.tools.media.test.ts reads bundled manifests and asserts the allowlist trusts every declared bundled contract tool name.
• Risk: bundled plugin local media could be too narrow if a run lacks plugin metadata origin information.
  • Mitigation: plugin local media fails closed when exact active bundled origin cannot be proven; core local media remains separately gated by the exact active core tool set.

[clawsweeper]

Codex review: needs maintainer review before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR replaces the agent subscribe media-trust registry lookup with a static bundled-tool allowlist, threads a trusted local-media tool-name set through embedded runs, and adds focused media-trust tests.

Reproducibility: yes. Source inspection of current main and v2026.5.18 shows the subscribe media helper imports the plugin contract registry and trusts bundled tool names through that registry path; I did not run tests because this review is read-only.

PR rating
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Summary: Strong proof and a clean focused patch make this normally mergeable after maintainer acceptance of the compatibility/security boundary.

Rank-up moves:

• Have a maintainer explicitly accept the fail-closed behavior for non-bundled or colliding plugin local media before merge.
• Let CI or a focused Testbox lane cover the touched media subscribe tests and build import boundary.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (live_output): The PR body supplies after-patch live output for a real Gateway media run, artifact verification, a subscribe trust probe, and startup readiness/import-grep proof.

Risk before merge

• The fail-closed behavior can suppress local attachments from external or workspace plugins that previously relied on names overlapping bundled or core tools, so maintainers need to accept that compatibility change.
• Because this is a local MEDIA trust boundary, a wrong allowlist or origin snapshot would either over-strip message media or over-trust local file paths.
• The supplied proof is strong for Gateway QA and subscribe probes, but full CI, cross-OS/Testbox, live non-mock provider output, and a real external chat channel were not run.

Maintainer options:

1. Accept fail-closed plugin media boundary (recommended)
   Merge after maintainer acceptance that non-bundled or colliding plugin local MEDIA paths are intentionally stripped and required checks are green.
2. Add an explicit plugin trust contract
   If external plugins should retain local media passthrough, add a documented opt-in origin or capability contract before landing this behavior.
3. Ask for real channel attachment proof
   If maintainers want more delivery confidence, request a real channel run showing generated media still arrives as an attachment after the trust change.

Next step before merge
No narrow automated repair remains; maintainers need to accept the fail-closed plugin media compatibility/security boundary and rely on merge gates for validation.

Security
Cleared: The diff narrows local MEDIA passthrough and keeps MCP/external blocking; I found no concrete new secret, permission, dependency, or supply-chain concern.

Review details

Best possible solution:

Merge the registry-free trust path only after maintainers accept the fail-closed plugin media policy and normal CI verifies the focused media/import tests; otherwise add a documented plugin media-trust contract first.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection of current main and v2026.5.18 shows the subscribe media helper imports the plugin contract registry and trusts bundled tool names through that registry path; I did not run tests because this review is read-only.

Is this the best way to solve the issue?

Yes, with a maintainer policy decision. The latest diff is a bounded fix that removes the registry import, preserves exact-name fallback gating for direct subscribers, and keeps MCP/external local media blocked; the remaining question is whether maintainers accept the fail-closed behavior for external plugin local media.

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body supplies after-patch live output for a real Gateway media run, artifact verification, a subscribe trust probe, and startup readiness/import-grep proof.
• add rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🦞 diamond lobster, patch quality is 🐚 platinum hermit, and Strong proof and a clean focused patch make this normally mergeable after maintainer acceptance of the compatibility/security boundary.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body supplies after-patch live output for a real Gateway media run, artifact verification, a subscribe trust probe, and startup readiness/import-grep proof.
• remove rating: 🧂 unranked krab: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
• remove status: ⏳ waiting on author: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

• P2: This is a normal-priority agent media trust and startup import improvement with limited but security-sensitive blast radius.
• merge-risk: 🚨 compatibility: The PR can intentionally stop non-bundled or colliding plugin local media passthrough that worked before by name overlap.
• merge-risk: 🚨 message-delivery: If the trusted tool set or allowlist is wrong, local media attachments can be stripped from channel replies.
• merge-risk: 🚨 security-boundary: The changed code decides when local filesystem paths from tool results may be trusted and forwarded.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🦞 diamond lobster, patch quality is 🐚 platinum hermit, and Strong proof and a clean focused patch make this normally mergeable after maintainer acceptance of the compatibility/security boundary.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body supplies after-patch live output for a real Gateway media run, artifact verification, a subscribe trust probe, and startup readiness/import-grep proof.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body supplies after-patch live output for a real Gateway media run, artifact verification, a subscribe trust probe, and startup readiness/import-grep proof.

What I checked:

• Current main imports the registry in the media trust path: Current main imports pluginRegistrationContractRegistry from pi-embedded-subscribe.tools.ts and derives TRUSTED_BUNDLED_PLUGIN_MEDIA_TOOLS from it, so the reported import fanout exists on main. (src/agents/pi-embedded-subscribe.tools.ts:5, 989e53c20d39)
• Registry source performs manifest-backed bundled contract loading: The registry resolves bundled manifest contracts through loadPluginManifestRegistry and bundled capability metadata, which is the import chain this PR is trying to keep out of subscribe/media trust. (src/plugins/contracts/registry.ts:89, 989e53c20d39)
• Shipped release has the same registry import behavior: v2026.5.18 still imports pluginRegistrationContractRegistry in pi-embedded-subscribe.tools.ts, so this is not already shipped fixed behavior. (src/agents/pi-embedded-subscribe.tools.ts:5, 50a2481652b6)
• PR computes a narrower trusted local-media set: The PR computes trustedLocalMediaToolNames from core tool names plus active bundled-origin plugin tools and passes that into subscribeEmbeddedPiSession. (src/agents/pi-embedded-runner/run/attempt.ts:2253, 0e02f7a3dd01)
• PR preserves direct subscribe fallback: After the force-push, subscribeEmbeddedPiSession falls back from trustedLocalMediaToolNames to builtinToolNames and adds a regression test for the case-variant Web_Search local MEDIA path. (src/agents/pi-embedded-subscribe.ts:124, 0e02f7a3dd01)
• PR proof includes real runtime media and import checks: The PR body supplies a real Gateway QA native image-generation run, saved PNG verification, a subscribe event-stream probe for trusted/core/MCP/plugin override cases, startup readiness, and built-chunk import grep output. (0e02f7a3dd01)

Likely related people:

• drobison00: Remote commit history shows this contributor tightened trusted tool media passthrough, widened raw tool-name gating, and added the collision coverage that this PR is modifying. (role: introduced trusted media gate behavior; confidence: high; commits: 52ef42302ead; files: src/agents/pi-embedded-subscribe.tools.ts, src/agents/pi-embedded-subscribe.ts, src/agents/pi-embedded-runner/run/attempt.ts)
• vincentkoc: Recent history includes a targeted fix to keep the trusted media guard out of unrelated performance churn in the same helper file. (role: recent area contributor; confidence: high; commits: f05f9f69d79a; files: src/agents/pi-embedded-subscribe.tools.ts)
• steipete: Recent commits in the subscribe/media path delivered generated media as structured attachments and adjusted attachment handling around this surface. (role: recent media delivery contributor; confidence: medium; commits: 55322d73012e, 63ad5b4f9749; files: src/agents/pi-embedded-subscribe.tools.ts, src/agents/pi-embedded-subscribe.ts)
• SebTardif: Recent plugin registry work threaded explicit discovery to avoid redundant filesystem walks in the registry path this PR removes from the hot media trust helper. (role: adjacent registry performance contributor; confidence: medium; commits: 28beea9e881c; files: src/plugins/contracts/registry.ts, src/plugins/bundled-capability-runtime.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 989e53c20d39.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: ✨ glimmer Moonlit Shellbean

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: ✨ glimmer.
Trait: stacks clean commits.
Image traits: location flaky test forest; accessory miniature diff map; palette moss green and polished brass; mood bright-eyed; pose waving from a small platform; shell smooth pearl shell; lighting subtle sparkle highlights; background tiny shells and proof notes.
Share on X: post this hatch
Copy: My PR egg hatched a ✨ glimmer Moonlit Shellbean in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[steipete]

Thanks for chasing this. The direction is right: subscription/media paths should not import the full plugin registration registry just to decide local MEDIA: trust.

I am closing this PR because the hardcoded bundled plugin tool-name list would drift from manifests. Latest main already has bundled manifest tools such as meeting_notes, and a static list would have missed them. I opened a replacement that keeps the same startup-import-fanout fix, but derives plugin local-media trust from the cached startup metadata snapshot and the actual tools prepared for the run, before provider normalization can clone tool objects.

Replacement PR: #86410