#17456: fix(test): stabilize media root guard test against tmpdir HOME overlap

## fix(test): stabilize media root guard test ### Problem The test `rejects default OpenClaw state per-agent workspace-* roots without explicit local roots` in `src/web/media.test.ts` **fails on every CI run** (bun + node), including on `main`. ### Root Cause The test harness sets `HOME` to a temp directory under `os.tmpdir()`: ``` HOME=/tmp/openclaw-test-home-xC06Jb ``` Since `os.tmpdir()` (`/tmp`) is a default allowed media root, **all paths** under the test's `HOME` directory match the tmpdir root: ``` testPath: /tmp/openclaw-test-home-xC06Jb/.openclaw-guard-reject-test/workspace-clawdy/tmp/render.bin root /tmp → MATCH (startsWith /tmp/) ``` The test expects a rejection but gets a successful resolve because the path is "allowed" via tmpdir. ### Fix Pin `OPENCLAW_STATE_DIR` to `/var/openclaw-guard-reject-test` (outside `/tmp`) for the duration of the test. This is the same pattern used in `be9b5cefb` for the `web media loading` describe block, which was missing from the separate `local media root guard` describe block. ### Changed Files | File | Change | |------|--------| | `src/web/media.test.ts` | Pin OPENCLAW_STATE_DIR in the failing test | ### Testing - All 22 media tests pass (previously 21 pass / 1 fail) - This fixes the CI failure visible on `main` and all open PRs <!-- greptile_comment --> <h3>Greptile Summary</h3> Fixed a flaky test that was failing in CI by preventing `HOME` directory overlap with `os.tmpdir()`. The test `rejects default OpenClaw state per-agent workspace-* roots without explicit local roots` was incorrectly passing because the test harness sets `HOME` under `/tmp`, which is a default allowed media root. The fix pins `OPENCLAW_STATE_DIR` to `/var/openclaw-guard-reject-test` (outside `/tmp`) for the duration of the test, ensuring the path doesn't match any default allowed roots. This follows the same pattern used in the `web media loading` describe block and properly restores the environment variable in the finally block. <h3>Confidence Score: 5/5</h3> - This PR is safe to merge with no identified risks - The change is a focused test stabilization fix that properly isolates the test environment. It uses the correct cleanup pattern with try-finally to restore the environment variable, follows the existing pattern from another test block in the same file, and addresses a real CI failure without changing any production code. - No files require special attention _{Last reviewed commit: ebbcfe6} <!-- greptile_other_comments_section --> <!-- /greptile_comment -->