#22356: test(web): fix media test fixture local root handling

## What changed - Updated `src/web/media.test.ts` to pass explicit `localRoots` for local fixture files created in `/tmp`. - Kept production path restrictions unchanged while making unit tests robust to tightened default allowed-root behavior. ## Why this fixes issue #22191 - The failing tests create fixture media files under `/tmp/openclaw-media-test-*`, which are no longer allowed by default hardened media root policy. - Explicitly scoping fixture reads to `localRoots: [fixtureRoot]` lets the same fixture paths pass validation deterministically without relaxing security logic in `loadWebMedia`. ## Tests run - `pnpm vitest run src/web/media.test.ts` - `pnpm test:fast src/web/media.test.ts` ## Edge cases / notes - No production behavior changes were made. - If broader acceptance for `/tmp` fixtures is required outside tests, provide explicit roots at call sites instead of widening defaults. <!-- greptile_comment --> <h3>Greptile Summary</h3> Updated `media.test.ts` to explicitly pass `localRoots: [fixtureRoot]` when calling `loadWebMedia()` for test fixture files created in `/tmp/openclaw-media-test-*`. The tests were failing after hardened default media root restrictions were introduced. The test fixtures are created under `/tmp`, which is no longer in the default allowed roots. By explicitly scoping fixture reads to `localRoots: [fixtureRoot]`, the tests pass validation deterministically without relaxing security logic in production code. - Updated 8 test cases to use the options object format with explicit `localRoots` - No production behavior changes - Maintains security boundaries while allowing test fixtures to work <h3>Confidence Score: 5/5</h3> - This PR is safe to merge with minimal risk - The changes are test-only updates that explicitly scope fixture file access to match hardened security defaults. No production code was modified, and the fix correctly addresses the failing tests by providing explicit `localRoots` for `/tmp` fixtures rather than weakening the security policy. - No files require special attention _{Last reviewed commit: d0e6a18} <!-- greptile_other_comments_section --> <!-- /greptile_comment -->