
#15744: fix: allow cross-agent session path validation

by scottgl9 open 2026-02-13 20:26
stale size: XS
Fixes validation error when Discord bound channels create sessions in their agent's directory but are validated against main agent's sessions directory.

## Problem

When a Discord message arrives on a channel bound to a non-main agent (e.g., `#general` → `general-agent`), the session file is created in `agents/general-agent/sessions/` but validated against `agents/main/sessions/`. The relative path starts with `'..'` and fails the security check, causing all bound Discord channels to fail with:

```
[discord] handler failed: Error: Session file path must be within sessions directory
```

**Debug output:**

```
sessionsDir=/home/user/.openclaw/agents/main/sessions
candidate=/home/user/.openclaw/agents/general-agent/sessions/abc.jsonl
relative=../../general-agent/sessions/abc.jsonl
```

## Solution

Widen the security boundary from `agents/<agentId>/sessions/` to `agents/**/sessions/` while still preventing path traversal outside the agents directory. When the first validation fails, check against the wider agents root boundary.

## Security

Still validates that session files are within the agents root directory (`~/.openclaw/agents/`), preventing path traversal attacks to system files.

## Testing

Tested with 11 bound Discord channels - all now working correctly without handler failures.

## Greptile Overview

### Greptile Summary

This PR updates session transcript path validation so that if a session file path isn’t within the current agent’s `sessionsDir`, it falls back to allowing any path under the broader `~/.openclaw/agents/` root (to support Discord channels bound to non-main agents).

The intent matches the reported failure mode (cross-agent sessions being validated against the main agent’s sessions directory), but the new fallback check currently widens the boundary beyond `agents/**/sessions/**` to *any* path under `agentsRoot`, which changes the security/behavioral contract of `resolveSessionFilePath` and will also invalidate existing expectations in `paths.test.ts`.

### Confidence Score: 3/5

- This PR is close, but the fallback path validation currently widens file access more than intended.
- The change likely fixes the Discord cross-agent session issue, but the fallback allows any file under the agents root (not just sessions directories) and breaks an existing test expectation; this needs tightening/adjustment before merge.
- src/config/sessions/paths.ts

Last reviewed commit: c51ddfc
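
The boundary difference raised in the review, as an added example in plain Node.js JavaScript (not the PR's code; `src/config/sessions/paths.ts` is not shown on this page). The function names, the `config.json` and `outside.jsonl` sample paths, and the rule that an agent id is exactly one path segment are assumptions.

```javascript
const path = require("node:path");

// Constructed sample root, taken from the debug output in the PR description.
const AGENTS_ROOT = "/home/user/.openclaw/agents";

// Path of `candidate` relative to `root`, or null when it is the root itself
// or escapes it. Purely lexical: symlinks are not resolved.
function relativeInside(root, candidate) {
  const rel = path.relative(path.resolve(root), path.resolve(candidate));
  if (rel === "" || path.isAbsolute(rel)) return null;
  if (rel === ".." || rel.startsWith(".." + path.sep)) return null;
  return rel;
}

// Wide fallback described in the review: anything under the agents root passes.
function underAgentsRoot(candidate, agentsRoot = AGENTS_ROOT) {
  return relativeInside(agentsRoot, candidate) !== null;
}

// Scoped fallback: only <agentsRoot>/<agentId>/sessions/<something> passes.
// Assumption: an agent id is exactly one path segment.
function underAnyAgentSessions(candidate, agentsRoot = AGENTS_ROOT) {
  const rel = relativeInside(agentsRoot, candidate);
  if (rel === null) return false;
  const parts = rel.split(path.sep);
  return parts.length >= 3 && parts[1] === "sessions";
}

// Constructed sample paths; only the first appears on the page.
const samples = [
  "/home/user/.openclaw/agents/general-agent/sessions/abc.jsonl",
  "/home/user/.openclaw/agents/general-agent/config.json",
  "/home/user/.openclaw/agents/general-agent/sessions",
  "/home/user/.openclaw/agents/main/sessions/../../../outside.jsonl",
];

// Runs both checks over each path so the two boundaries can be compared.
function compare(paths = samples) {
  return paths.map((p) => ({
    path: p,
    wide: underAgentsRoot(p),
    scoped: underAnyAgentSessions(p),
  }));
}

console.table(compare());
```

Both checks are lexical; where symlinks can exist under the agents root, resolve the real path (for example with `fs.realpathSync`) before comparing.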
