
fix(openclaw): enforce scan_directory sandbox to demo_projects only#120

Open · sanjaysaini383 wants to merge 1 commit into fetchai:main from sanjaysaini383:fix/openclaw-scan-directory-sandbox

Conversation


@sanjaysaini383 sanjaysaini383 commented May 21, 2026

Summary

Fixes a medium-severity information disclosure in the OpenClaw weekly report workflow: scan_directory could be steered (via LLM planning or prompt injection on ASI:One) to scan broad local paths such as ~/Documents or ~/projects, exposing git repo names and recent commit messages to cloud chat.

This PR enforces DEMO_PROJECTS_DIR only by default across four layers:

  1. Orchestrator policy — rejects dispatched plans with scan_directory paths outside the demo sandbox
  2. Connector policy — default allowlist is demo directory only (not ~/Documents, CWD, /tmp)
  3. Planner — normalizes scan_directory paths after LLM/keyword planning
  4. Executor — weekly_report.scan_directory() uses shared path normalization at runtime

Adds shared/paths.py for centralized sandbox helpers. Operators can opt into legacy broad paths for local dev with OPENCLAW_EXTENDED_PATHS=true.

CHANGELOG.md updated. 75/75 OpenClaw tests pass.

Type of Change

  • New agent example
  • Bug fix
  • Documentation update
  • Refactor / cleanup
  • Other

Checklist

  • I have starred this repository.
  • I ran ruff check ..
  • I ran ruff format ..
  • I added/updated README.md for changed example(s). (.env.example documents new flag; README behavior unchanged for default demo flow.)
  • I added .env.example if environment variables are required. (Documented OPENCLAW_EXTENDED_PATHS.)
  • I added demo image/GIF (if applicable). (N/A)
  • I added agent profile link (if applicable). (N/A)
  • I updated CHANGELOG.md (required for non-doc changes).
  • I verified paths/commands used in docs.

Related Issue

Closes #112

Notes for Reviewers

Problem (before)

| Layer | Documented intent | Previous behavior |
|---|---|---|
| Planner system prompt | Always ./demo_projects | Suggestion only |
| FetchPolicy | Policy before dispatch | No path checks |
| LocalPolicy | Path sandboxing | Allowed ~/Documents, ~/projects, /tmp, CWD |
| scan_directory() | Demo-only scans | Only rewrote ~ prefixes; absolute paths could still scan user folders |

Solution (after)

| Component | Enforcement |
|---|---|
| shared/paths.py | is_path_under_demo(), normalize_scan_directory_path(), default_allowed_scan_paths() |
| orchestrator/policy.py | check_scan_paths(), PATH_NOT_ALLOWED |
| connector/policy.py | Default allowed_paths = [demo_projects_dir()] only |
| orchestrator/planner.py | _enforce_scan_directory_paths() after planning |
| connector/workflows/weekly_report.py | Runtime normalization |

Opt-in extended mode (local dev only)

OPENCLAW_EXTENDED_PATHS=true

Co-authored-by: Cursor <cursoragent@cursor.com>
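The four-layer sandbox the PR describes comes down to one question asked in several places: does the fully resolved scan path lie inside DEMO_PROJECTS_DIR (or, with the opt-in flag, inside one of the legacy roots)? The block below is an added illustration written for this page, not the project's shared/paths.py or orchestrator/policy.py; it mirrors the helper names from the description (is_path_under_demo, normalize_scan_directory_path, default_allowed_scan_paths, check_scan_paths, PATH_NOT_ALLOWED) but the env-var name DEMO_PROJECTS_DIR, the default ./demo_projects, the fallback-to-demo behaviour of normalization and the {"steps": [{"tool", "args"}]} plan shape are all assumptions. It shows why resolving before comparing matters: the "before" row in the table only rewrote a leading ~, so an absolute path, a .. traversal or a symlink planted under the demo directory could still reach user folders.

```python
# Added example (hypothetical reimplementation, not the project's code).
# Assumed: env var DEMO_PROJECTS_DIR, default "./demo_projects", plan shape.
from __future__ import annotations

import os
from pathlib import Path
from typing import Optional

DEMO_DIR_ENV = "DEMO_PROJECTS_DIR"        # assumed env var name
EXTENDED_ENV = "OPENCLAW_EXTENDED_PATHS"  # opt-in flag named in the PR
PATH_NOT_ALLOWED = "PATH_NOT_ALLOWED"     # rejection code named in the PR


def _resolve(raw: str) -> Optional[Path]:
    """Expand ~, collapse '..', follow symlinks. None if it cannot be resolved."""
    try:
        return Path(raw).expanduser().resolve(strict=False)
    except (RuntimeError, OSError):  # e.g. HOME unset makes expanduser() fail
        return None


def demo_projects_dir(env=None) -> Path:
    env = os.environ if env is None else env
    return _resolve(env.get(DEMO_DIR_ENV, "./demo_projects")) or Path.cwd() / "demo_projects"


def extended_paths_enabled(env=None) -> bool:
    env = os.environ if env is None else env
    return env.get(EXTENDED_ENV, "").strip().lower() in {"1", "true", "yes"}


def default_allowed_scan_paths(env=None) -> list:
    """Demo directory only by default; the legacy broad roots only when opted in."""
    roots = [demo_projects_dir(env)]
    if extended_paths_enabled(env):
        for legacy in ("~/Documents", ".", "/tmp"):  # old defaults listed in the PR
            p = _resolve(legacy)
            if p is not None:
                roots.append(p)
    return roots


def is_path_under(candidate: str, root: Path) -> bool:
    """True only if the *resolved* candidate is inside root.

    Resolving first is the whole fix: '/home/u/Documents', 'demo_projects/../x'
    and a symlink inside the demo dir pointing elsewhere all collapse to their
    real location before the containment check, so a string-prefix rewrite of
    '~' can no longer be bypassed.
    """
    resolved = _resolve(candidate)
    if resolved is None:
        return False
    try:
        resolved.relative_to(root)
        return True
    except ValueError:
        return False


def is_path_under_demo(candidate: str, env=None) -> bool:
    return is_path_under(candidate, demo_projects_dir(env))


def is_allowed_scan_path(candidate: str, env=None) -> bool:
    return any(is_path_under(candidate, root) for root in default_allowed_scan_paths(env))


def normalize_scan_directory_path(requested: str, env=None) -> Path:
    """Planner/executor layer: allowed paths come back resolved; anything else
    falls back to the demo directory (assumed fallback behaviour)."""
    if is_allowed_scan_path(requested, env):
        return _resolve(requested)
    return demo_projects_dir(env)


def check_scan_paths(plan: dict, env=None) -> list:
    """Orchestrator layer: one (path, PATH_NOT_ALLOWED) tuple per scan_directory
    step outside the allowlist. An empty list means the plan may be dispatched."""
    violations = []
    for step in plan.get("steps", []):
        if step.get("tool") != "scan_directory":
            continue
        path = step.get("args", {}).get("path", "")
        if not is_allowed_scan_path(path, env):
            violations.append((path, PATH_NOT_ALLOWED))
    return violations


if __name__ == "__main__":
    import tempfile

    demo = tempfile.mkdtemp()  # constructed stand-in for ./demo_projects
    env = {DEMO_DIR_ENV: demo}
    # A plan steered (e.g. by prompt injection) towards a user folder is rejected.
    steered = {"steps": [{"tool": "scan_directory", "args": {"path": "~/Documents"}}]}
    print(check_scan_paths(steered, env))
    # A traversal out of the demo dir normalizes back to the demo dir.
    print(normalize_scan_directory_path(demo + "/../escape", env) == demo_projects_dir(env))
```

The orchestrator check and the executor normalization deliberately share one predicate: if the allowlist ever changes (the OPENCLAW_EXTENDED_PATHS opt-in, for example), both layers move together, which is the point of centralizing the helpers in one module as the PR does.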
@sanjaysaini383 (Author) commented

Hi @gautammanak1,
Before merging this PR, label it as gssoc26:approved and assign it to me.
Thanks

@Karanjot786 commented

Hey @sanjaysaini383! Saw your work on GSSoC 2026.

We are building TermUI, a TypeScript terminal UI framework with React-style hooks and JSX, rendered entirely in the terminal.

We have 67 unassigned GSSoC issues open. 19 are marked good first issue. Your TypeScript background transfers directly.

Karanjot, TermUI maintainer


Development

Successfully merging this pull request may close this issue: Bug: OpenClaw scan_directory allows LLM-steered paths outside demo sandbox