fix: satisfy plugin init scaffold CI guards

feat: scaffold provider plugins from init
2026-06-26 01:01:58 +08:00 · 2026-06-17 19:05:23 -07:00 · 2026-06-17 18:54:22 -07:00
2920 changed files with 47458 additions and 109444 deletions
--- a/.agents/skills/channel-message-flows/SKILL.md
+++ b/.agents/skills/channel-message-flows/SKILL.md
@@ -1,34 +1,44 @@
 ---
 name: channel-message-flows
-description: "Use when running QA Lab channel message flow evidence."
+description: "Use when previewing local channel message flow fixtures."
 ---

 # Channel Message Flows

-Use this from the OpenClaw repo root to run the QA Lab evidence for Telegram
-draft/final delivery sequencing. This skill no longer launches a standalone
-script; the behavior is owned by the QA scenario and its Vitest-backed e2e test.
+Use this from the OpenClaw repo root to send canned channel preview flows while iterating on message UX. These are real sends/edits/deletes against the configured channel target.

-## QA Scenario
+## Telegram

-Run the scenario through QA Lab:
+Native Telegram `sendMessageDraft` tool progress, then a final answer:

 ```bash
-pnpm openclaw qa suite --scenario channel-message-flows
+node --import tsx scripts/dev/channel-message-flows.ts \
+  --channel telegram \
+  --target <telegram-chat-id> \
+  --flow working-final \
+  --duration-ms 20000
 ```

-Run the focused e2e test directly in a Codex worktree:
+Thinking preview, then a final answer:

 ```bash
-node scripts/run-vitest.mjs extensions/telegram/src/channel-message-flows.qa.e2e.test.ts
+node --import tsx scripts/dev/channel-message-flows.ts \
+  --channel telegram \
+  --target <telegram-chat-id> \
+  --flow thinking-final
 ```

-## References
+## Options

- `qa/scenarios/channels/channel-message-flows.yaml`
- `extensions/telegram/src/channel-message-flows.qa.e2e.test.ts`
- `extensions/telegram/src/test-support/channel-message-flows.ts`
+- `--account <accountId>`: Telegram account id when not using the default.
+- `--thread-id <id>`: Telegram forum topic/message thread id.
+- `--delay-ms <ms>`: Override preview update cadence.
+- `--duration-ms <ms>`: Simulated working duration for `working-final`.
+- `--final-text <text>`: Override the durable final message.

-The scenario covers `channels.streaming` as primary evidence and records
-secondary coverage for thread preservation, delivery ordering, and reasoning
-preview visibility.
+## Notes
+
+- `--target` is the numeric Telegram chat id.
+- `working-final` exercises native Telegram `sendMessageDraft` with static `Working` status and sample tool progress.
+- `thinking-final` exercises formatted `Thinking` reasoning preview clearing before the final answer.
+- Only `--channel telegram` is implemented for now.
--- a/.agents/skills/claw-score/SKILL.md
+++ b/.agents/skills/claw-score/SKILL.md
@@ -16,8 +16,11 @@ This skill owns the operational workflow for:

 - `taxonomy.yaml`
 - `docs/maturity-scores.yaml`
- `docs/concepts/qa-e2e-automation.md`
- `qa/scenarios/index.yaml`
+- `docs/maturity-scorecard.md`
+- `docs/taxonomy.md`
+- `docs/taxonomy-outline.md`
+- `scripts/render-maturity-docs.mjs`
+- `.github/workflows/maturity-scorecard.yml`

 Keep person-specific, maintainer-private, Discord archive, and discrawl facts
 out of this repo. If a score needs private evidence, use the redacted
@@ -28,21 +31,12 @@ out of this repo. If a score needs private evidence, use the redacted
 - `taxonomy.yaml` is the hand-edited source of truth for surfaces, levels,
  QA profiles, categories, feature coverage IDs, docs refs, LTS overrides, and
  completeness-instruction paths.
- Feature `coverageIds` are ANDed proof targets, not aliases. A feature may
-  list multiple IDs when each ID proves part of one capability.
- Coverage IDs use dotted `namespace.behavior` form, with lowercase
-  alphanumeric/dash segments. Profile, surface, and category IDs may remain
-  dashed or dotted.
- Keep categories and feature names unique, product-shaped, and broader than raw
-  coverage IDs. Do not promote generic IDs into standalone feature names.
- Avoid duplicate coverage-ID bundles under different feature names in one
-  category.
 - `docs/maturity-scores.yaml` is the aggregate score source committed in this
  repo. It is the only committed score data; do not add generated inventory
  directories.
- There is no committed maturity-doc renderer or `pnpm maturity:*` script in
-  this repo. Do not invent generated scorecard files; update the source YAML
-  and current docs directly.
+- `docs/maturity-scorecard.md`, `docs/taxonomy.md`, and
+  `docs/taxonomy-outline.md` are deterministic docs generated from the root
+  taxonomy and aggregate score source.
 - `qa-evidence.json` artifacts provide per-run QA scorecard evidence. They can
  enrich generated artifact docs, but they are not committed as inventory.

@@ -50,28 +44,22 @@ out of this repo. If a score needs private evidence, use the redacted

 Run from the openclaw repo root.

-Validate YAML structure after source edits:
+Render committed docs:

 ```bash
-node <<'NODE'
-const fs = require("node:fs");
-const YAML = require("yaml");
-for (const file of ["taxonomy.yaml", "docs/maturity-scores.yaml", "qa/scenarios/index.yaml"]) {
-  YAML.parse(fs.readFileSync(file, "utf8"));
-}
-NODE
+pnpm maturity:render
 ```

-Check docs when touching docs prose:
+Check generated docs are current:

 ```bash
-pnpm check:docs
+pnpm maturity:check
 ```

-Run focused QA/profile checks when changing coverage IDs or profile membership:
+Render an evidence-enriched docs artifact from downloaded QA artifacts:

 ```bash
-pnpm openclaw qa coverage --json
+pnpm maturity:render -- --evidence-dir .artifacts/maturity-evidence --output-dir .artifacts/maturity-docs
 ```

 ## Scoring Workflow
@@ -87,13 +75,13 @@ When asked to score or refresh a surface:
   discrawl or unredacted private archives.
 5. Update `docs/maturity-scores.yaml` only when the score change is backed by
   public or redacted artifact evidence.
-6. Run the YAML validation command from this skill.
-7. Run `pnpm check:docs` if docs prose changed, and focused QA coverage checks
-   if coverage IDs or profile membership changed.
+6. Run `pnpm maturity:render`.
+7. Run `pnpm maturity:check`.

 For subjective score changes, make the smallest defensible edit and leave the
-evidence path in the PR or task summary. Keep manual prose in current docs and
-keep score data in `docs/maturity-scores.yaml`.
+evidence path in the PR or task summary. The deterministic renderer owns
+Markdown structure; manual prose tweaks belong in taxonomy, score source, or
+the renderer rather than in generated docs.

 ## Default Completeness Process

@@ -170,9 +158,13 @@ Bands:
 - `Alpha`: 50-70
 - `Experimental`: 0-50

-## Artifacts
+## GitHub Action
+
+The `Maturity scorecard` workflow verifies committed generated docs on PRs and
+pushes. Manual dispatch can also download QA artifacts from another workflow run
+with `source_run_id` and `artifact_pattern`, render evidence-enriched docs into
+`.artifacts/maturity-docs`, and upload them as a GitHub artifact.

 Do not add the maintainer repo's `docs/kevinslin/maturity-scorecard/inventory/`
-tree to openclaw. Evidence-enriched scorecard outputs belong in short-lived
-artifacts, not committed generated docs, unless this repo adds an explicit
-renderer/check workflow first.
+tree to openclaw. Those generated reports are intentionally replaced here by
+short-lived artifact docs and the committed aggregate scorecard pages.
--- a/.agents/skills/openclaw-changelog-update/SKILL.md
+++ b/.agents/skills/openclaw-changelog-update/SKILL.md
@@ -12,10 +12,10 @@ content, ordering, grouping, and attribution discipline.

 ## Goal

-Rebuild the target `CHANGELOG.md` version section from a complete, generated
-history manifest, not stale draft notes. Produce grouped user-facing release
-notes sorted by user interest while preserving every relevant issue/PR ref and
-every human `Thanks @...` attribution.
+Rewrite the target `CHANGELOG.md` version section from history, not from stale
+draft notes. Produce grouped user-facing release notes sorted by user interest
+while preserving every relevant issue/PR ref and every human `Thanks @...`
+attribution.

 ## Inputs

@@ -34,37 +34,8 @@ every human `Thanks @...` attribution.
   - `git log --first-parent --date=iso-strict --pretty=format:'%h%x09%ad%x09%s' <base-tag>..<target-ref>`
   - `git log --first-parent --grep='(#' --date=short --pretty=format:'%h%x09%ad%x09%s' <base-tag>..<target-ref>`
   - also inspect `--since='24 hours ago'` when main moved during the release.
-3. Generate the complete contribution record and editorial manifest before
-   writing grouped prose:
-
-   ```bash
-   node .agents/skills/openclaw-changelog-update/scripts/verify-release-notes.mjs \
-     --base <base-tag> \
-     --target <target-ref> \
-     --version <YYYY.M.PATCH> \
-     --manifest /tmp/openclaw-release-<YYYY.M.PATCH>.json \
-     --write-ledger
-   ```
-
-   - the manifest is the required input to the rewrite, not an after-the-fact
-     audit; it contains every referenced PR, eligible contributor credit,
-     inline issue context, every direct commit, and an editorial-eligibility
-     classification for PRs and direct commits
-   - for a historical backfill, add `--seed-ref <pre-backfill-ref>` once so
-     contribution records from the prior changelog are retained even when an
-     older merged commit omitted its PR number; the verifier excludes records
-     for work reverted after the base tag, including beta work reverted before
-     the stable release
-   - source PR discovery combines merged GitHub commit associations with merged
-     PR references explicitly present in active commit subjects/bodies so
-     cherry-picks and squash commits remain accounted for. Resolve every
-     association page and exclude PRs merged after the target release commit
-   - read the manifest before editing `### Highlights`, `### Changes`, or
-     `### Fixes`; do not carry old grouped prose forward without re-auditing it
-   - inspect linked PRs/issues or diffs for ambiguous commits. Direct commits
-     are editorial input, not public ledger rows; infer material user outcomes
-     from subject, body, touched files, tests, and nearby commits
-
+3. Read linked PRs/issues or diffs for ambiguous commits. Direct commits matter;
+   infer notes from subject, body, touched files, tests, and nearby commits.
 4. Rewrite one stable-base section only:
   - use `## YYYY.M.PATCH`
   - do not create beta-specific headings
@@ -73,21 +44,10 @@ every human `Thanks @...` attribution.
     section instead of deleting them
 5. Section shape:
   - `### Highlights`: 5-8 bullets, broad user wins first
-     - include only a clear user-visible capability or workflow unlock, a
-       material reliability/safety fix, a broad cross-surface improvement, or
-       a release-defining integration/compatibility milestone
-     - every highlight must say what changed for a user in one sentence; use
-       one user story per bullet and group its supporting PRs
-     - exclude tests, CI, refactors, docs, catalog churn, and implementation
-       detail unless the outcome is a material install/update, data-safety, or
-       widely visible user improvement
   - `### Changes`: new capabilities and behavior changes
   - `### Fixes`: user-facing fixes first, grouped by impact and surface
   - group related changes/fixes by surface and user impact; avoid one bullet
     per tiny commit when several commits tell one user-facing story
-   - `### Complete contribution record`: generated PR-first record after the
-     grouped prose; it is the exhaustive accounting surface, not a second
-     release summary
 6. Preserve attribution:
   - keep `#issue`, `(#PR)`, `Fixes #...`, and `Thanks @...`
   - every human-authored merged PR represented by a user-facing entry needs
@@ -102,35 +62,17 @@ every human `Thanks @...` attribution.
   - multiple `Thanks @...` handles in one bullet are expected; do not drop or
     collapse contributor credit just because the note is grouped
   - if one grouped bullet covers both direct commits and PRs, keep all PR refs
-     and thanks, plus any issue refs and human credit from the direct work
-   - issues remain normal inline `#NNN` references. Do not add a separate
-     linked-issues inventory. The generated PR record keeps source issues
-     inline as `Related #NNN` on the PR that shipped them
-   - when backfilling an older linked-issues inventory, preserve reporter
-     credit inline for every GitHub-confirmed closing PR relationship. Do not
-     infer a PR relationship from a generic cross-reference event, invent an
-     unrelated PR link for a standalone report, or recreate the retired
-     inventory
-   - the complete contribution record lists every merged source PR exactly once
-     as `**PR #NNN**`; source PRs include GitHub commit associations and merged
-     PR references explicitly present in active commit subjects/bodies. It
-     preserves author/co-author credit and any issue references in the original
-     title
-   - direct commits remain in the manifest with GitHub-resolved author,
-     co-author, issue, and editorial-eligibility data. They inform grouped
-     prose but are never rendered as a public `#### Direct commits` dump. Add
-     direct-commit credit to a grouped bullet only when it shares an explicit
-     closing issue reference or at least two distinctive subject terms
-   - the verifier rejects `docs`, `test`, `refactor`, `ci`, `build`, `chore`,
-     and `style` PRs in Highlights, Changes, or Fixes. Keep those internal
-     contributions in the complete PR record, but do not give them editorial
-     release-note space
-   - classify internal-only work from conventional prefixes and clear title
-     signals such as `QA`, `test`, `docs`, `refactor`, `lint`, or `CI`; an
-     untyped title is not automatically editorial
+     and thanks, plus any issue refs from the direct commits
+   - before finalizing, audit the final release-note body:
+     - extract all `#NNN` refs from the notes
+     - resolve which refs are PRs and collect human PR authors
+     - resolve issue refs used as bug/report refs and collect human reporters
+     - scan represented commits for `Co-authored-by`
+     - compare those handles to the final `Thanks @...` set
+     - fix every missing human credit or explicitly record why it is omitted
   - do not add GHSA references, advisory IDs, or security advisory slugs to
     changelog entries or GitHub release-note text unless explicitly requested
-   - never thank bots, `@claude`, `@openclaw`, `@clawsweeper`, or `@steipete`
+   - never thank bots, `@openclaw`, `@clawsweeper`, or `@steipete`
   - do not use GitHub's release contributor count as the source of truth; the
     changelog must carry the complete human credit set itself
 7. Sorting preference:
@@ -149,50 +91,36 @@ every human `Thanks @...` attribution.
   - if any compatibility `removeAfter` is on/before release date, resolve it
     or explicitly record the blocker before shipping
 10. Validate and ship:
-
- after the manifest-driven rewrite, regenerate and verify the complete
-  contribution record before committing:
-  ```bash
-  node .agents/skills/openclaw-changelog-update/scripts/verify-release-notes.mjs \
-    --base <base-tag> \
-    --target <target-ref> \
-    --version <YYYY.M.PATCH> \
-    --manifest /tmp/openclaw-release-<YYYY.M.PATCH>.json \
-    --write-ledger
-  ```
- the command fails when any `#NNN` reference in release history or the
-  rendered release section cannot resolve, when reverted work is presented
-  as shipped, when a source PR is absent from the contribution record, when
-  direct commits are rendered as a public record dump, when non-editorial
-  PRs appear in grouped prose, or when an eligible PR author or known
-  co-author is missing from that PR's `Thanks @...` credit
- when grouped prose names a PR, that same bullet must retain every
-  contributor and linked-reporter credit from its generated PR record
- unqualified `#NNN` references resolve against `openclaw/openclaw`;
-  cross-repository references such as `openclaw/imsg#141` remain literal
-  text and must not be rewritten as local issue links
- after the GitHub release or prerelease is published, verify every matching
-  release page against the same source section:
-  ```bash
-  node .agents/skills/openclaw-changelog-update/scripts/verify-release-notes.mjs \
-    --base <base-tag> \
-    --target <target-ref> \
-    --version <YYYY.M.PATCH> \
-    --release-tag v<YYYY.M.PATCH> \
-    --check-github
-  ```
- add one `--release-tag` for every beta and stable page in the train; a
-  `### Release verification` tail is permitted, but any other body drift
-  fails the check; the GitHub body must begin with the complete
-  `## YYYY.M.PATCH` changelog section, including its heading
- GitHub release bodies are limited to 125,000 characters. If the complete
-  source section plus an existing verification tail exceeds that limit, keep
-  the source section intact and omit the tail; never truncate the
-  contribution record
- `git diff --check`
- for docs/changelog-only changes, no broad tests are required
- commit with `scripts/committer "docs(changelog): refresh YYYY.M.PATCH notes" CHANGELOG.md`
- push, pull/rebase if needed, then branch/rebase release from latest `main`
+   - generate and verify the complete contribution ledger before committing:
+     ```bash
+     node .agents/skills/openclaw-changelog-update/scripts/verify-release-notes.mjs \
+       --base <base-tag> \
+       --target <target-ref> \
+       --version <YYYY.M.PATCH> \
+       --write-ledger
+     ```
+   - the command fails when any `#NNN` reference in release history or the
+     rendered release section is absent from the ledger, when reverted work is
+     presented as shipped, or when an eligible PR author, issue reporter, or
+     known co-author is missing from that entry's `Thanks @...` credit
+   - after the GitHub release or prerelease is published, verify every matching
+     release page against the same source section:
+     ```bash
+     node .agents/skills/openclaw-changelog-update/scripts/verify-release-notes.mjs \
+       --base <base-tag> \
+       --target <target-ref> \
+       --version <YYYY.M.PATCH> \
+       --release-tag v<YYYY.M.PATCH> \
+       --check-github
+     ```
+   - add one `--release-tag` for every beta and stable page in the train; a
+     `### Release verification` tail is permitted, but any other body drift
+     fails the check; the GitHub body must begin with the complete
+     `## YYYY.M.PATCH` changelog section, including its heading
+   - `git diff --check`
+   - for docs/changelog-only changes, no broad tests are required
+   - commit with `scripts/committer "docs(changelog): refresh YYYY.M.PATCH notes" CHANGELOG.md`
+   - push, pull/rebase if needed, then branch/rebase release from latest `main`

 ## Quota / API Outage Rule

--- a/.agents/skills/openclaw-changelog-update/scripts/verify-release-notes.mjs
+++ b/.agents/skills/openclaw-changelog-update/scripts/verify-release-notes.mjs
--- a/.agents/skills/openclaw-landable-bug-sweep/SKILL.md
+++ b/.agents/skills/openclaw-landable-bug-sweep/SKILL.md
@@ -107,9 +107,16 @@ Reject:

 ## PR Body Proof

-Use the repo PR template. Include authored `## What Problem This Solves` and
-`## Evidence` sections. Keep the body focused on intent and the most useful
-validation evidence; inspect the code, tests, and CI before judging correctness.
+Use the repo PR template. Include these exact labels:
+
+```text
+Behavior addressed:
+Real environment tested:
+Exact steps or command run after this patch:
+Evidence after fix:
+Observed result after fix:
+What was not tested:
+```

 ## Existing PR Rules

--- a/.agents/skills/release-openclaw-maintainer/SKILL.md
+++ b/.agents/skills/release-openclaw-maintainer/SKILL.md
@@ -249,20 +249,12 @@ Stable publication is not complete until `main` carries the actual shipped relea
  section from history, not existing notes. Use the last reachable stable or
  beta release tag as the base, then inspect every commit through the target
  release SHA.
- Generate `$openclaw-changelog-update`'s full contribution manifest before
-  the editorial rewrite. It is the required source for `### Highlights`,
-  `### Changes`, and `### Fixes`; do not preserve old grouped prose without
-  comparing it to the manifest's PRs, contributors, direct commits, and
-  unlinked commits.
 - The changelog rewrite is not optional for beta reruns: any `beta.N` after a
  rebase or backport must refresh the same stable-base `## YYYY.M.PATCH` section
  before the new version/tag commit.
 - Include both merged PR commits and direct commits on `main`. Direct commits
  matter: infer notes from their subject, body, touched files, linked issues,
  tests, and nearby code when no PR body exists.
- Keep direct commits in the generated manifest and use them to shape grouped
-  user outcomes, but never dump them into `CHANGELOG.md` or GitHub release
-  bodies. The public complete record is PR-first and exhaustive for PRs.
 - Prefer PR bodies, issue links, review proof, and commit bodies over commit
  subjects alone. If a commit fixed an issue directly, the commit body should
  name the user-visible behavior, affected surface, issue ref, and credited
@@ -278,31 +270,11 @@ Stable publication is not complete until `main` carries the actual shipped relea
  `#issue`, `(#PR)`, `Fixes #...`, and every human `Thanks @...` handle.
  Multiple thanks in one bullet are expected when multiple contributor PRs are
  grouped.
- Highlights earn their place only when they are a visible capability/workflow
-  unlock, a material reliability or safety repair, a broad user-facing
-  improvement, or a release-defining integration/compatibility change. Keep
-  five to eight user-outcome bullets; omit tests, CI, refactors, docs, and
-  implementation trivia unless their outcome materially affects users.
- Do not give `docs`, `test`, `refactor`, `ci`, `build`, `chore`, or `style`
-  PRs/direct commits their own Highlights, Changes, or Fixes entry. They remain
-  accounted for in the PR record or manifest, but are not product release
-  content. Treat explicit internal title signals such as `QA`, `lint`, or
-  `testing` the same way even when the PR has no conventional prefix.
- Use the generated `### Complete contribution record` as PR-first accounting:
-  every merged source PR appears once with author/co-author credit, including
-  PRs identified only by an explicit active-commit `#NNN` reference after a
-  cherry-pick or squash. Keep issues inline as `#NNN` in titles and grouped
-  prose; do not create a linked-issues inventory or a direct-commit listing.
-  When grouped prose names a PR, keep every contributor and linked-reporter
-  credit from that PR's record on the same bullet.
 - Changelog entries should be user-facing, not internal release-process notes.
 - GitHub release and prerelease bodies must use the full matching
  `CHANGELOG.md` version section, not highlights or an excerpt. When creating
  or editing a release, extract from `## YYYY.M.PATCH` through the line before the
  next level-2 heading and use that complete block as the release notes.
- GitHub limits release bodies to 125,000 characters. If a historical
-  `### Release verification` tail would exceed that cap, omit the tail and keep
-  the complete changelog section; do not truncate the contribution record.
 - Before publishing or closing a release, run
  `$openclaw-changelog-update`'s `verify-release-notes.mjs` with every stable
  and beta release tag in the train. Do not publish or leave a page live when
--- a/.github/codeql/codeql-network-ssrf-boundary-critical-security.yml
+++ b/.github/codeql/codeql-network-ssrf-boundary-critical-security.yml
@@ -20,7 +20,7 @@ paths:
  - src/agents/tools/web-shared.ts
  - src/plugin-sdk/ssrf-policy.ts
  - src/web-fetch
-  - packages/web-content-core/src/provider-runtime-shared.ts
+  - src/web/provider-runtime-shared.ts
  - packages/memory-host-sdk/src/host/ssrf-policy.ts
  - packages/net-policy/src

--- a/.github/codeql/codeql-web-media-runtime-boundary-critical-quality.yml
+++ b/.github/codeql/codeql-web-media-runtime-boundary-critical-quality.yml
@@ -16,7 +16,7 @@ query-filters:
 paths:
  - src/web-fetch
  - src/web-search
-  - packages/web-content-core/src/provider-runtime-shared.ts
+  - src/web/provider-runtime-shared.ts
  - src/media
  - src/media-understanding
  - src/image-generation
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -171,10 +171,6 @@
      - any-glob-to-any-file:
          - "extensions/zalo/**"
          - "docs/channels/zalo.md"
-"channel: zaloclawbot":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "docs/channels/zaloclawbot.md"
 "channel: zalouser":
  - changed-files:
      - any-glob-to-any-file:
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,57 +1,118 @@
-<!--
-Optional linked context:
-Add a visible `Closes #<issue-number>` or `Related: #<issue-number>` line
-below this comment.
+## Summary

-Required PR title:
-type: user-facing description
-Use a parenthesized scope only when it adds clarity:
-fix(auth): login redirect loops when session cookie is expired
+What problem does this PR solve?

-Types: feat, fix, improve, refactor, docs, chore.
-For fixes, describe the user-visible symptom and trigger:
-fix: task list fails to load when user has no environments
-Avoid implementation details such as:
-fix: add null check to task query
-->
+Why does this matter now?

-## What Problem This Solves
+What is the intended outcome?

-<!--
-Describe the concrete user, product, or operational problem.
-For fixes, begin with:
-"Fixes an issue where users <do X> would <experience Y> when <condition>."
-or:
-"Resolves a problem where..."
+What is intentionally out of scope?

-Name the affected UI surface or workflow. Do not describe the code-level cause here.
-->
+What does success look like?

-## Why This Change Was Made
+What should reviewers focus on?

-<!--
-In one or two sentences, explain the complete shipped solution, key design
-decisions, and relevant boundaries or non-goals. Include implementation detail
-only when it helps reviewers understand user-visible behavior or risk.
-Avoid file-by-file narration.
-->
+<details>
+<summary>Summary guidance</summary>

-## User Impact
+This PR description is the contributor's durable explanation of the change. Write it for human maintainers first; ClawSweeper and Barnacle use the same text to understand intent, proof, risk, and current review state.

-<!--
-State what users, operators, or developers can now do or expect. Lead with the
-concrete benefit and use user-facing language. If there is no user-visible
-impact, say so plainly.
-->
+Describe the intent and outcome in 2-5 bullets. Avoid restating the diff; reviewers and bots can read the changed files.

-## Evidence
+If this PR fixes a plugin beta-release blocker, title it `fix(<plugin-id>): beta blocker - <summary>` and link the matching `Beta blocker: <plugin-name> - <summary>` issue labeled `beta-blocker`. Contributors cannot label PRs, so the title is the PR-side signal for maintainers and automation.

-<!--
-Show the most useful proof that this change works. Screenshots, screencasts,
-terminal output, focused tests, CI results, live observations, redacted logs,
-and artifact links are all useful. Include before/after evidence for visual
-changes when it clarifies the result.
+</details>

-Reviewers will inspect the code, tests, and CI. Use this section to make the
-validation easy to understand, not to restate the diff.
-->
+## Linked context
+
+Which issue does this close?
+
+Closes #
+
+Which issues, PRs, or discussions are related?
+
+Related #
+
+Was this requested by a maintainer or owner?
+
+<details>
+<summary>Linked context guidance</summary>
+
+Link the issue, PR, discussion, maintainer request, or owner request that explains why this PR should exist. Maintainer context helps reviewers and automation distinguish intended work from drive-by churn.
+
+</details>
+
+## Real behavior proof (required for external PRs)
+
+- Behavior or issue addressed:
+- Real environment tested:
+- Exact steps or command run after this patch:
+- Evidence after fix (screenshot, recording, terminal capture, console output, redacted runtime log, linked artifact, or copied live output):
+- Observed result after fix:
+- What was not tested:
+- Proof limitations or environment constraints:
+- Before evidence (optional but encouraged):
+
+<details>
+<summary>Real behavior proof guidance</summary>
+
+External contributors must show after-fix evidence from a real OpenClaw setup. Unit tests, mocks, lint, typechecks, snapshots, and CI are supplemental only.
+
+Screenshots are encouraged even for CLI, console, text, or log changes. Terminal screenshots, copied live output, redacted runtime logs, recordings, and linked artifacts count.
+
+If your environment cannot produce the ideal proof, explain that under `Proof limitations or environment constraints` so reviewers and ClawSweeper can direct the next step properly.
+
+Be mindful of private information like IP addresses, API keys, phone numbers, non-public endpoints, or other private details when providing evidence.
+
+</details>
+
+## Tests and validation
+
+Which commands did you run?
+
+What regression coverage was added or updated?
+
+What failed before this fix, if known?
+
+If no test was added, why not?
+
+<details>
+<summary>Testing guidance</summary>
+
+List focused commands, not every incidental check. CI is useful support, but external PRs still need real behavior proof above when behavior changes.
+
+</details>
+
+## Risk checklist
+
+Did user-visible behavior change? (`Yes/No`)
+
+Did config, environment, or migration behavior change? (`Yes/No`)
+
+Did security, auth, secrets, network, or tool execution behavior change? (`Yes/No`)
+
+What is the highest-risk area?
+
+How is that risk mitigated?
+
+<details>
+<summary>Risk guidance</summary>
+
+Use this for author judgment that is not obvious from the diff. ClawSweeper can see touched files, but it cannot know which behavior you think is risky, why the risk is acceptable, or what mitigation reviewers should verify.
+
+</details>
+
+## Current review state
+
+What is the next action?
+
+What is still waiting on author, maintainer, CI, or external proof?
+
+Which bot or reviewer comments were addressed?
+
+<details>
+<summary>Review state guidance</summary>
+
+Keep this as the durable state for review progress. If useful information appears in comments, fold the current next action or blocker back here so maintainers and ClawSweeper do not need to reconstruct state from comment history.
+
+</details>
--- a/.github/workflows/ci-build-artifacts-testbox.yml
+++ b/.github/workflows/ci-build-artifacts-testbox.yml
@@ -14,10 +14,6 @@ on:
 permissions:
  contents: read

-concurrency:
-  group: ${{ github.event_name == 'pull_request' && format('{0}-pr-v1-{1}', github.workflow, github.event.pull_request.number) || format('{0}-manual-v1-{1}', github.workflow, github.run_id) }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-
 env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

@@ -214,49 +210,24 @@ jobs:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          ANTHROPIC_API_KEY_OLD: ${{ secrets.ANTHROPIC_API_KEY_OLD }}
          ANTHROPIC_API_TOKEN: ${{ secrets.ANTHROPIC_API_TOKEN }}
-          BYTEPLUS_API_KEY: ${{ secrets.BYTEPLUS_API_KEY }}
          CEREBRAS_API_KEY: ${{ secrets.CEREBRAS_API_KEY }}
          DEEPINFRA_API_KEY: ${{ secrets.DEEPINFRA_API_KEY }}
-          DASHSCOPE_API_KEY: ${{ secrets.DASHSCOPE_API_KEY }}
-          FACTORY_API_KEY: ${{ secrets.FACTORY_API_KEY }}
          FIREWORKS_API_KEY: ${{ secrets.FIREWORKS_API_KEY }}
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
          GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
          GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }}
          KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }}
          MINIMAX_API_KEY: ${{ secrets.MINIMAX_API_KEY }}
-          MODELSTUDIO_API_KEY: ${{ secrets.MODELSTUDIO_API_KEY }}
          MISTRAL_API_KEY: ${{ secrets.MISTRAL_API_KEY }}
          MOONSHOT_API_KEY: ${{ secrets.MOONSHOT_API_KEY }}
-          OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
-          OPENCODE_ZEN_API_KEY: ${{ secrets.OPENCODE_ZEN_API_KEY }}
-          OPENCLAW_LIVE_BROWSER_CDP_URL: ${{ secrets.OPENCLAW_LIVE_BROWSER_CDP_URL }}
-          OPENCLAW_LIVE_SETUP_TOKEN: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN }}
-          OPENCLAW_LIVE_SETUP_TOKEN_MODEL: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN_MODEL }}
-          OPENCLAW_LIVE_SETUP_TOKEN_PROFILE: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN_PROFILE }}
-          OPENCLAW_LIVE_SETUP_TOKEN_VALUE: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN_VALUE }}
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
          OPENAI_BASE_URL: ${{ secrets.OPENAI_BASE_URL }}
          OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
          QWEN_API_KEY: ${{ secrets.QWEN_API_KEY }}
-          FAL_KEY: ${{ secrets.FAL_KEY }}
-          RUNWAY_API_KEY: ${{ secrets.RUNWAY_API_KEY }}
-          DEEPGRAM_API_KEY: ${{ secrets.DEEPGRAM_API_KEY }}
          TOGETHER_API_KEY: ${{ secrets.TOGETHER_API_KEY }}
-          VYDRA_API_KEY: ${{ secrets.VYDRA_API_KEY }}
          XAI_API_KEY: ${{ secrets.XAI_API_KEY }}
          ZAI_API_KEY: ${{ secrets.ZAI_API_KEY }}
          Z_AI_API_KEY: ${{ secrets.Z_AI_API_KEY }}
-          BYTEPLUS_ACCESS_KEY_ID: ${{ secrets.BYTEPLUS_ACCESS_KEY_ID }}
-          BYTEPLUS_SECRET_ACCESS_KEY: ${{ secrets.BYTEPLUS_SECRET_ACCESS_KEY }}
-          CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          OPENCLAW_CODEX_AUTH_JSON: ${{ secrets.OPENCLAW_CODEX_AUTH_JSON }}
-          OPENCLAW_CODEX_CONFIG_TOML: ${{ secrets.OPENCLAW_CODEX_CONFIG_TOML }}
-          OPENCLAW_CLAUDE_JSON: ${{ secrets.OPENCLAW_CLAUDE_JSON }}
-          OPENCLAW_CLAUDE_CREDENTIALS_JSON: ${{ secrets.OPENCLAW_CLAUDE_CREDENTIALS_JSON }}
-          OPENCLAW_CLAUDE_SETTINGS_JSON: ${{ secrets.OPENCLAW_CLAUDE_SETTINGS_JSON }}
-          OPENCLAW_CLAUDE_SETTINGS_LOCAL_JSON: ${{ secrets.OPENCLAW_CLAUDE_SETTINGS_LOCAL_JSON }}
-          OPENCLAW_GEMINI_SETTINGS_JSON: ${{ secrets.OPENCLAW_GEMINI_SETTINGS_JSON }}
        run: bash scripts/ci-hydrate-testbox-env.sh

      - name: Run Testbox
--- a/.github/workflows/ci-check-arm-testbox.yml
+++ b/.github/workflows/ci-check-arm-testbox.yml
@@ -13,10 +13,6 @@ on:
 permissions:
  contents: read

-concurrency:
-  group: ${{ github.event_name == 'pull_request' && format('{0}-pr-v1-{1}', github.workflow, github.event.pull_request.number) || format('{0}-manual-v1-{1}', github.workflow, github.run_id) }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-
 env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
  PNPM_CONFIG_STORE_DIR: "/tmp/openclaw-pnpm-store"
@@ -132,10 +128,8 @@ jobs:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          ANTHROPIC_API_KEY_OLD: ${{ secrets.ANTHROPIC_API_KEY_OLD }}
          ANTHROPIC_API_TOKEN: ${{ secrets.ANTHROPIC_API_TOKEN }}
-          BYTEPLUS_API_KEY: ${{ secrets.BYTEPLUS_API_KEY }}
          CEREBRAS_API_KEY: ${{ secrets.CEREBRAS_API_KEY }}
          DEEPINFRA_API_KEY: ${{ secrets.DEEPINFRA_API_KEY }}
-          DASHSCOPE_API_KEY: ${{ secrets.DASHSCOPE_API_KEY }}
          FACTORY_API_KEY: ${{ secrets.FACTORY_API_KEY }}
          FIREWORKS_API_KEY: ${{ secrets.FIREWORKS_API_KEY }}
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
@@ -143,38 +137,16 @@ jobs:
          GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }}
          KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }}
          MINIMAX_API_KEY: ${{ secrets.MINIMAX_API_KEY }}
-          MODELSTUDIO_API_KEY: ${{ secrets.MODELSTUDIO_API_KEY }}
          MISTRAL_API_KEY: ${{ secrets.MISTRAL_API_KEY }}
          MOONSHOT_API_KEY: ${{ secrets.MOONSHOT_API_KEY }}
-          OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
-          OPENCODE_ZEN_API_KEY: ${{ secrets.OPENCODE_ZEN_API_KEY }}
-          OPENCLAW_LIVE_BROWSER_CDP_URL: ${{ secrets.OPENCLAW_LIVE_BROWSER_CDP_URL }}
-          OPENCLAW_LIVE_SETUP_TOKEN: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN }}
-          OPENCLAW_LIVE_SETUP_TOKEN_MODEL: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN_MODEL }}
-          OPENCLAW_LIVE_SETUP_TOKEN_PROFILE: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN_PROFILE }}
-          OPENCLAW_LIVE_SETUP_TOKEN_VALUE: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN_VALUE }}
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
          OPENAI_BASE_URL: ${{ secrets.OPENAI_BASE_URL }}
          OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
          QWEN_API_KEY: ${{ secrets.QWEN_API_KEY }}
-          FAL_KEY: ${{ secrets.FAL_KEY }}
-          RUNWAY_API_KEY: ${{ secrets.RUNWAY_API_KEY }}
-          DEEPGRAM_API_KEY: ${{ secrets.DEEPGRAM_API_KEY }}
          TOGETHER_API_KEY: ${{ secrets.TOGETHER_API_KEY }}
-          VYDRA_API_KEY: ${{ secrets.VYDRA_API_KEY }}
          XAI_API_KEY: ${{ secrets.XAI_API_KEY }}
          ZAI_API_KEY: ${{ secrets.ZAI_API_KEY }}
          Z_AI_API_KEY: ${{ secrets.Z_AI_API_KEY }}
-          BYTEPLUS_ACCESS_KEY_ID: ${{ secrets.BYTEPLUS_ACCESS_KEY_ID }}
-          BYTEPLUS_SECRET_ACCESS_KEY: ${{ secrets.BYTEPLUS_SECRET_ACCESS_KEY }}
-          CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          OPENCLAW_CODEX_AUTH_JSON: ${{ secrets.OPENCLAW_CODEX_AUTH_JSON }}
-          OPENCLAW_CODEX_CONFIG_TOML: ${{ secrets.OPENCLAW_CODEX_CONFIG_TOML }}
-          OPENCLAW_CLAUDE_JSON: ${{ secrets.OPENCLAW_CLAUDE_JSON }}
-          OPENCLAW_CLAUDE_CREDENTIALS_JSON: ${{ secrets.OPENCLAW_CLAUDE_CREDENTIALS_JSON }}
-          OPENCLAW_CLAUDE_SETTINGS_JSON: ${{ secrets.OPENCLAW_CLAUDE_SETTINGS_JSON }}
-          OPENCLAW_CLAUDE_SETTINGS_LOCAL_JSON: ${{ secrets.OPENCLAW_CLAUDE_SETTINGS_LOCAL_JSON }}
-          OPENCLAW_GEMINI_SETTINGS_JSON: ${{ secrets.OPENCLAW_GEMINI_SETTINGS_JSON }}
        run: bash scripts/ci-hydrate-testbox-env.sh

      - name: Run Testbox
--- a/.github/workflows/ci-check-testbox.yml
+++ b/.github/workflows/ci-check-testbox.yml
@@ -17,10 +17,6 @@ on:
 permissions:
  contents: read

-concurrency:
-  group: ${{ github.event_name == 'pull_request' && format('{0}-pr-v1-{1}', github.workflow, github.event.pull_request.number) || format('{0}-manual-v1-{1}', github.workflow, github.run_id) }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-
 env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
  PNPM_CONFIG_STORE_DIR: "/tmp/openclaw-pnpm-store"
@@ -121,10 +117,8 @@ jobs:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          ANTHROPIC_API_KEY_OLD: ${{ secrets.ANTHROPIC_API_KEY_OLD }}
          ANTHROPIC_API_TOKEN: ${{ secrets.ANTHROPIC_API_TOKEN }}
-          BYTEPLUS_API_KEY: ${{ secrets.BYTEPLUS_API_KEY }}
          CEREBRAS_API_KEY: ${{ secrets.CEREBRAS_API_KEY }}
          DEEPINFRA_API_KEY: ${{ secrets.DEEPINFRA_API_KEY }}
-          DASHSCOPE_API_KEY: ${{ secrets.DASHSCOPE_API_KEY }}
          FACTORY_API_KEY: ${{ secrets.FACTORY_API_KEY }}
          FIREWORKS_API_KEY: ${{ secrets.FIREWORKS_API_KEY }}
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
@@ -132,38 +126,16 @@ jobs:
          GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }}
          KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }}
          MINIMAX_API_KEY: ${{ secrets.MINIMAX_API_KEY }}
-          MODELSTUDIO_API_KEY: ${{ secrets.MODELSTUDIO_API_KEY }}
          MISTRAL_API_KEY: ${{ secrets.MISTRAL_API_KEY }}
          MOONSHOT_API_KEY: ${{ secrets.MOONSHOT_API_KEY }}
-          OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
-          OPENCODE_ZEN_API_KEY: ${{ secrets.OPENCODE_ZEN_API_KEY }}
-          OPENCLAW_LIVE_BROWSER_CDP_URL: ${{ secrets.OPENCLAW_LIVE_BROWSER_CDP_URL }}
-          OPENCLAW_LIVE_SETUP_TOKEN: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN }}
-          OPENCLAW_LIVE_SETUP_TOKEN_MODEL: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN_MODEL }}
-          OPENCLAW_LIVE_SETUP_TOKEN_PROFILE: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN_PROFILE }}
-          OPENCLAW_LIVE_SETUP_TOKEN_VALUE: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN_VALUE }}
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
          OPENAI_BASE_URL: ${{ secrets.OPENAI_BASE_URL }}
          OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
          QWEN_API_KEY: ${{ secrets.QWEN_API_KEY }}
-          FAL_KEY: ${{ secrets.FAL_KEY }}
-          RUNWAY_API_KEY: ${{ secrets.RUNWAY_API_KEY }}
-          DEEPGRAM_API_KEY: ${{ secrets.DEEPGRAM_API_KEY }}
          TOGETHER_API_KEY: ${{ secrets.TOGETHER_API_KEY }}
-          VYDRA_API_KEY: ${{ secrets.VYDRA_API_KEY }}
          XAI_API_KEY: ${{ secrets.XAI_API_KEY }}
          ZAI_API_KEY: ${{ secrets.ZAI_API_KEY }}
          Z_AI_API_KEY: ${{ secrets.Z_AI_API_KEY }}
-          BYTEPLUS_ACCESS_KEY_ID: ${{ secrets.BYTEPLUS_ACCESS_KEY_ID }}
-          BYTEPLUS_SECRET_ACCESS_KEY: ${{ secrets.BYTEPLUS_SECRET_ACCESS_KEY }}
-          CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          OPENCLAW_CODEX_AUTH_JSON: ${{ secrets.OPENCLAW_CODEX_AUTH_JSON }}
-          OPENCLAW_CODEX_CONFIG_TOML: ${{ secrets.OPENCLAW_CODEX_CONFIG_TOML }}
-          OPENCLAW_CLAUDE_JSON: ${{ secrets.OPENCLAW_CLAUDE_JSON }}
-          OPENCLAW_CLAUDE_CREDENTIALS_JSON: ${{ secrets.OPENCLAW_CLAUDE_CREDENTIALS_JSON }}
-          OPENCLAW_CLAUDE_SETTINGS_JSON: ${{ secrets.OPENCLAW_CLAUDE_SETTINGS_JSON }}
-          OPENCLAW_CLAUDE_SETTINGS_LOCAL_JSON: ${{ secrets.OPENCLAW_CLAUDE_SETTINGS_LOCAL_JSON }}
-          OPENCLAW_GEMINI_SETTINGS_JSON: ${{ secrets.OPENCLAW_GEMINI_SETTINGS_JSON }}
        run: bash scripts/ci-hydrate-testbox-env.sh

      - name: Run Testbox
--- a/.github/workflows/clawsweeper-dispatch.yml
+++ b/.github/workflows/clawsweeper-dispatch.yml
@@ -18,16 +18,15 @@ permissions:
  contents: read

 concurrency:
-  group: ${{ github.event_name == 'push' && format('clawsweeper-dispatch-{0}-{1}', github.repository, github.ref) || format('clawsweeper-dispatch-{0}-{1}', github.repository, github.event.issue.number || github.event.pull_request.number || github.run_id) }}
-  cancel-in-progress: ${{ github.event_name == 'push' || github.event.action == 'edited' || github.event.action == 'synchronize' || github.event.action == 'ready_for_review' }}
+  group: clawsweeper-dispatch-${{ github.repository }}-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: ${{ github.event.action == 'edited' || github.event.action == 'synchronize' || github.event.action == 'ready_for_review' }}

 jobs:
  dispatch:
    runs-on: ubuntu-latest
    if: >-
      ${{
-        (github.event_name != 'issue_comment' ||
-          (github.actor != 'clawsweeper[bot]' && github.actor != 'openclaw-clawsweeper[bot]')) &&
+        github.event_name == 'issue_comment' ||
        !(
          endsWith(github.actor, '[bot]') &&
          (github.event.action == 'labeled' || github.event.action == 'unlabeled')
@@ -42,34 +41,6 @@ jobs:
        if: ${{ github.event.action == 'labeled' || github.event.action == 'unlabeled' }}
        run: sleep 20

-      - name: Debounce main push dispatch
-        if: ${{ github.event_name == 'push' }}
-        run: sleep 45
-
-      - name: Install GitHub API backoff helper
-        run: |
-          cat > "$RUNNER_TEMP/github-api-backoff.sh" <<'BASH'
-          gh_api_with_retry() {
-            local attempt output status lower_output
-            for attempt in 1 2 3 4 5; do
-              if output="$(gh api "$@" 2>&1)"; then
-                printf '%s\n' "$output"
-                return 0
-              fi
-              status=$?
-              lower_output="${output,,}"
-              if [[ "$lower_output" != *"rate limit"* && "$output" != *"HTTP 429"* ]]; then
-                printf '%s\n' "$output" >&2
-                return "$status"
-              fi
-              echo "::warning::GitHub API throttled ClawSweeper dispatch on attempt ${attempt}; retrying after backoff." >&2
-              sleep $((attempt * attempt * 5))
-            done
-            printf '%s\n' "$output" >&2
-            return "$status"
-          }
-          BASH
-
      - name: Create ClawSweeper dispatch token
        id: token
        if: ${{ env.HAS_CLAWSWEEPER_APP_PRIVATE_KEY == 'true' }}
@@ -81,27 +52,9 @@ jobs:
          repositories: clawsweeper
          permission-contents: write

-      - name: Pre-filter ClawSweeper comment
-        id: comment_filter
-        if: ${{ github.event_name == 'issue_comment' }}
-        env:
-          COMMENT_BODY: ${{ github.event.comment.body }}
-        run: |
-          set -euo pipefail
-          if grep -Eiq '(^|[[:space:]])@(clawsweeper|openclaw-clawsweeper)\b(\[bot\])?|(^|[[:space:]])/(clawsweeper|review|autoclose|auto([[:space:]]+|-)?merge)\b' <<< "$COMMENT_BODY"; then
-            echo "is_command=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "is_command=false" >> "$GITHUB_OUTPUT"
-          fi
-
      - name: Create target comment token
        id: target_token
-        if: >-
-          ${{
-            github.event_name == 'issue_comment' &&
-            steps.comment_filter.outputs.is_command == 'true' &&
-            env.HAS_CLAWSWEEPER_APP_PRIVATE_KEY == 'true'
-          }}
+        if: ${{ github.event_name == 'issue_comment' && env.HAS_CLAWSWEEPER_APP_PRIVATE_KEY == 'true' }}
        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        with:
          client-id: ${{ env.CLAWSWEEPER_APP_CLIENT_ID }}
@@ -124,7 +77,6 @@ jobs:
            echo "::notice::Skipping GitHub activity dispatch because no ClawSweeper app token is configured."
            exit 0
          fi
-          . "$RUNNER_TEMP/github-api-backoff.sh"
          activity="$(jq -c \
            --arg target_repo "$TARGET_REPO" \
            --arg event_name "$SOURCE_EVENT" \
@@ -191,7 +143,7 @@ jobs:
            ' "$GITHUB_EVENT_PATH")"
          payload="$(jq -nc --argjson activity "$activity" \
            '{event_type:"github_activity",client_payload:{activity:$activity}}')"
-          if gh_api_with_retry repos/openclaw/clawsweeper/dispatches \
+          if gh api repos/openclaw/clawsweeper/dispatches \
            --method POST \
            --input - <<< "$payload"; then
            echo "Dispatched GitHub activity to ClawSweeper."
@@ -213,7 +165,6 @@ jobs:
            echo "::notice::Skipping ClawSweeper dispatch because no ClawSweeper app token is configured. Not falling back to a maintainer token."
            exit 0
          fi
-          . "$RUNNER_TEMP/github-api-backoff.sh"
          payload="$(jq -nc \
            --arg target_repo "$TARGET_REPO" \
            --argjson item_number "$ITEM_NUMBER" \
@@ -222,7 +173,7 @@ jobs:
            --arg source_action "$SOURCE_ACTION" \
            --argjson supersedes_in_progress "$SUPERSEDES_IN_PROGRESS" \
            '{event_type:"clawsweeper_item",client_payload:{target_repo:$target_repo,item_number:$item_number,item_kind:$item_kind,source_event:$source_event,source_action:$source_action,supersedes_in_progress:$supersedes_in_progress}}')"
-          if gh_api_with_retry repos/openclaw/clawsweeper/dispatches \
+          if gh api repos/openclaw/clawsweeper/dispatches \
            --method POST \
            --input - <<< "$payload"; then
            echo "Dispatched ClawSweeper review."
@@ -231,11 +182,7 @@ jobs:
          fi

      - name: Acknowledge and dispatch ClawSweeper comment
-        if: >-
-          ${{
-            github.event_name == 'issue_comment' &&
-            steps.comment_filter.outputs.is_command == 'true'
-          }}
+        if: ${{ github.event_name == 'issue_comment' }}
        env:
          DISPATCH_TOKEN: ${{ steps.token.outputs.token }}
          TARGET_TOKEN: ${{ steps.target_token.outputs.token }}
@@ -251,12 +198,15 @@ jobs:
            echo "::notice::Skipping ClawSweeper comment dispatch because no ClawSweeper app token is configured."
            exit 0
          fi
-          . "$RUNNER_TEMP/github-api-backoff.sh"
          body_file="$RUNNER_TEMP/clawsweeper-comment-body.txt"
          printf '%s\n' "$COMMENT_BODY" > "$body_file"
+          if ! grep -Eiq '(^|[[:space:]])@(clawsweeper|openclaw-clawsweeper)\b(\[bot\])?|(^|[[:space:]])/(clawsweeper|review|automerge|autoclose)\b' "$body_file"; then
+            echo "No ClawSweeper command found in comment."
+            exit 0
+          fi
          if [ -n "$TARGET_TOKEN" ]; then
            err="$(mktemp)"
-            if GH_TOKEN="$TARGET_TOKEN" gh_api_with_retry -X POST \
+            if GH_TOKEN="$TARGET_TOKEN" gh api -X POST \
              -H "Accept: application/vnd.github+json" \
              "repos/$TARGET_REPO/issues/comments/$COMMENT_ID/reactions" \
              -f content="eyes" 2>"$err" >/dev/null; then
@@ -283,7 +233,7 @@ jobs:
                  "Command router queued. I will update this comment with the next step.")"
                status_payload="$(jq -nc --arg body "$status_body" '{body:$body}')"
                status_err="$(mktemp)"
-                if status_response="$(GH_TOKEN="$TARGET_TOKEN" gh_api_with_retry \
+                if status_response="$(GH_TOKEN="$TARGET_TOKEN" gh api \
                  "repos/$TARGET_REPO/issues/$ITEM_NUMBER/comments" \
                  --method POST \
                  --input - <<< "$status_payload" 2>"$status_err")"; then
@@ -304,7 +254,7 @@ jobs:
            --arg source_event "issue_comment" \
            --arg source_action "$SOURCE_ACTION" \
            '{event_type:"clawsweeper_comment",client_payload:({target_repo:$target_repo,item_number:$item_number,comment_id:$comment_id,source_event:$source_event,source_action:$source_action,max_comments:"1"} + (if $status_comment_id != "" then {status_comment_id:($status_comment_id|tonumber)} else {} end))}')"
-          if GH_TOKEN="$DISPATCH_TOKEN" gh_api_with_retry repos/openclaw/clawsweeper/dispatches \
+          if GH_TOKEN="$DISPATCH_TOKEN" gh api repos/openclaw/clawsweeper/dispatches \
            --method POST \
            --input - <<< "$payload"; then
            echo "Dispatched ClawSweeper comment router."
@@ -326,7 +276,6 @@ jobs:
            echo "::notice::Skipping ClawSweeper commit dispatch because no ClawSweeper app token is configured. Not falling back to a maintainer token."
            exit 0
          fi
-          . "$RUNNER_TEMP/github-api-backoff.sh"
          case "$CREATE_CHECKS" in
            true|TRUE|1|yes|YES|on|ON) create_checks=true ;;
            *) create_checks=false ;;
@@ -338,7 +287,7 @@ jobs:
            --arg ref "$SOURCE_REF" \
            --argjson create_checks "$create_checks" \
            '{event_type:"clawsweeper_commit_review",client_payload:{target_repo:$target_repo,before_sha:$before_sha,after_sha:$after_sha,ref:$ref,enabled:true,create_checks:$create_checks}}')"
-          if gh_api_with_retry repos/openclaw/clawsweeper/dispatches \
+          if gh api repos/openclaw/clawsweeper/dispatches \
            --method POST \
            --input - <<< "$payload"; then
            echo "Dispatched ClawSweeper commit review."
--- a/.github/workflows/codeql-android-critical-security.yml
+++ b/.github/workflows/codeql-android-critical-security.yml
@@ -6,7 +6,7 @@ on:
    - cron: "0 7 * * *"

 concurrency:
-  group: codeql-android-critical-security-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && format('manual-{0}', github.run_id) || format('ref-{0}', github.ref) }}
+  group: codeql-android-critical-security-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.sha }}
  cancel-in-progress: false

 env:
--- a/.github/workflows/codeql-critical-quality.yml
+++ b/.github/workflows/codeql-critical-quality.yml
@@ -136,7 +136,7 @@ on:
    - cron: "30 6 * * *"

 concurrency:
-  group: codeql-critical-quality-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && format('manual-{0}', github.run_id) || github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number) || format('ref-{0}', github.ref) }}
+  group: codeql-critical-quality-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.event_name == 'pull_request' && github.event.pull_request.number || github.sha }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

 env:
--- a/.github/workflows/codeql-macos-critical-security.yml
+++ b/.github/workflows/codeql-macos-critical-security.yml
@@ -6,7 +6,7 @@ on:
    - cron: "0 8 * * 1"

 concurrency:
-  group: codeql-macos-critical-security-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && format('manual-{0}', github.run_id) || format('ref-{0}', github.ref) }}
+  group: codeql-macos-critical-security-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.sha }}
  cancel-in-progress: false

 env:
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -32,8 +32,8 @@ on:
    - cron: "0 6 * * *"

 concurrency:
-  group: codeql-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && format('manual-{0}', github.run_id) || github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number) || format('ref-{0}', github.ref) }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
+  group: codeql-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.event_name == 'pull_request' && github.event.pull_request.number || github.sha }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

 env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
--- a/.github/workflows/control-ui-locale-refresh.yml
+++ b/.github/workflows/control-ui-locale-refresh.yml
@@ -23,8 +23,8 @@ permissions:
  contents: write

 concurrency:
-  group: control-ui-locale-refresh-${{ github.event_name == 'push' && github.ref || github.event_name == 'workflow_dispatch' && format('manual-{0}', github.run_id) || github.event_name == 'release' && format('release-{0}', github.event.release.tag_name) || format('{0}-{1}', github.event_name, github.run_id) }}
-  cancel-in-progress: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+  group: control-ui-locale-refresh
+  cancel-in-progress: false

 jobs:
  plan:
--- a/.github/workflows/crabbox-hydrate.yml
+++ b/.github/workflows/crabbox-hydrate.yml
@@ -663,10 +663,8 @@ jobs:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          ANTHROPIC_API_KEY_OLD: ${{ secrets.ANTHROPIC_API_KEY_OLD }}
          ANTHROPIC_API_TOKEN: ${{ secrets.ANTHROPIC_API_TOKEN }}
-          BYTEPLUS_API_KEY: ${{ secrets.BYTEPLUS_API_KEY }}
          CEREBRAS_API_KEY: ${{ secrets.CEREBRAS_API_KEY }}
          DEEPINFRA_API_KEY: ${{ secrets.DEEPINFRA_API_KEY }}
-          DASHSCOPE_API_KEY: ${{ secrets.DASHSCOPE_API_KEY }}
          FACTORY_API_KEY: ${{ secrets.FACTORY_API_KEY }}
          FIREWORKS_API_KEY: ${{ secrets.FIREWORKS_API_KEY }}
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
@@ -674,38 +672,16 @@ jobs:
          GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }}
          KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }}
          MINIMAX_API_KEY: ${{ secrets.MINIMAX_API_KEY }}
-          MODELSTUDIO_API_KEY: ${{ secrets.MODELSTUDIO_API_KEY }}
          MISTRAL_API_KEY: ${{ secrets.MISTRAL_API_KEY }}
          MOONSHOT_API_KEY: ${{ secrets.MOONSHOT_API_KEY }}
-          OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
-          OPENCODE_ZEN_API_KEY: ${{ secrets.OPENCODE_ZEN_API_KEY }}
-          OPENCLAW_LIVE_BROWSER_CDP_URL: ${{ secrets.OPENCLAW_LIVE_BROWSER_CDP_URL }}
-          OPENCLAW_LIVE_SETUP_TOKEN: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN }}
-          OPENCLAW_LIVE_SETUP_TOKEN_MODEL: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN_MODEL }}
-          OPENCLAW_LIVE_SETUP_TOKEN_PROFILE: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN_PROFILE }}
-          OPENCLAW_LIVE_SETUP_TOKEN_VALUE: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN_VALUE }}
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
          OPENAI_BASE_URL: ${{ secrets.OPENAI_BASE_URL }}
          OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
          QWEN_API_KEY: ${{ secrets.QWEN_API_KEY }}
-          FAL_KEY: ${{ secrets.FAL_KEY }}
-          RUNWAY_API_KEY: ${{ secrets.RUNWAY_API_KEY }}
-          DEEPGRAM_API_KEY: ${{ secrets.DEEPGRAM_API_KEY }}
          TOGETHER_API_KEY: ${{ secrets.TOGETHER_API_KEY }}
-          VYDRA_API_KEY: ${{ secrets.VYDRA_API_KEY }}
          XAI_API_KEY: ${{ secrets.XAI_API_KEY }}
          ZAI_API_KEY: ${{ secrets.ZAI_API_KEY }}
          Z_AI_API_KEY: ${{ secrets.Z_AI_API_KEY }}
-          BYTEPLUS_ACCESS_KEY_ID: ${{ secrets.BYTEPLUS_ACCESS_KEY_ID }}
-          BYTEPLUS_SECRET_ACCESS_KEY: ${{ secrets.BYTEPLUS_SECRET_ACCESS_KEY }}
-          CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          OPENCLAW_CODEX_AUTH_JSON: ${{ secrets.OPENCLAW_CODEX_AUTH_JSON }}
-          OPENCLAW_CODEX_CONFIG_TOML: ${{ secrets.OPENCLAW_CODEX_CONFIG_TOML }}
-          OPENCLAW_CLAUDE_JSON: ${{ secrets.OPENCLAW_CLAUDE_JSON }}
-          OPENCLAW_CLAUDE_CREDENTIALS_JSON: ${{ secrets.OPENCLAW_CLAUDE_CREDENTIALS_JSON }}
-          OPENCLAW_CLAUDE_SETTINGS_JSON: ${{ secrets.OPENCLAW_CLAUDE_SETTINGS_JSON }}
-          OPENCLAW_CLAUDE_SETTINGS_LOCAL_JSON: ${{ secrets.OPENCLAW_CLAUDE_SETTINGS_LOCAL_JSON }}
-          OPENCLAW_GEMINI_SETTINGS_JSON: ${{ secrets.OPENCLAW_GEMINI_SETTINGS_JSON }}
        run: bash scripts/ci-hydrate-testbox-env.sh

      - name: Mark Crabbox ready
--- a/.github/workflows/docs-sync-publish.yml
+++ b/.github/workflows/docs-sync-publish.yml
@@ -13,10 +13,6 @@ on:
 permissions:
  contents: read

-concurrency:
-  group: docs-sync-publish-${{ github.event_name == 'workflow_dispatch' && format('manual-{0}', github.run_id) || github.ref }}
-  cancel-in-progress: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
-
 jobs:
  sync-publish-repo:
    runs-on: ubuntu-latest
--- a/.github/workflows/full-release-validation.yml
+++ b/.github/workflows/full-release-validation.yml
@@ -70,7 +70,7 @@ on:
        default: ""
        type: string
      npm_telegram_package_spec:
-        description: Optional published package spec for the focused package Telegram E2E rerun
+        description: Optional published package spec for the package Telegram E2E lane
        required: false
        default: ""
        type: string
@@ -95,7 +95,7 @@ on:
        default: ""
        type: string
      npm_telegram_provider_mode:
-        description: Provider mode for the focused package Telegram E2E rerun
+        description: Provider mode for the package Telegram E2E lane
        required: false
        default: mock-openai
        type: choice
@@ -103,7 +103,7 @@ on:
          - mock-openai
          - live-frontier
      npm_telegram_scenario:
-        description: Optional comma-separated Telegram scenario ids for the focused package Telegram E2E rerun
+        description: Optional comma-separated Telegram scenario ids for the package Telegram lane
        required: false
        default: ""
        type: string
@@ -200,16 +200,14 @@ jobs:
            if [[ -n "${RELEASE_PACKAGE_SPEC// }" ]]; then
              echo "- Published release package: \`${RELEASE_PACKAGE_SPEC}\`"
            fi
-            if [[ "$RERUN_GROUP" == "npm-telegram" && -n "${NPM_TELEGRAM_PACKAGE_SPEC// }" ]]; then
+            if [[ -n "${NPM_TELEGRAM_PACKAGE_SPEC// }" ]]; then
              echo "- Published-package Telegram E2E: \`${NPM_TELEGRAM_PACKAGE_SPEC}\`"
-            elif [[ "$RERUN_GROUP" == "npm-telegram" && -n "${RELEASE_PACKAGE_SPEC// }" ]]; then
+            elif [[ -n "${RELEASE_PACKAGE_SPEC// }" ]]; then
              echo "- Published-package Telegram E2E: \`${RELEASE_PACKAGE_SPEC}\`"
-            elif [[ "$RERUN_GROUP" == "npm-telegram" ]]; then
-              echo "- Package Telegram E2E: focused rerun requires \`release_package_spec\` or \`npm_telegram_package_spec\`"
-            elif [[ "$RERUN_GROUP" == "all" || "$RERUN_GROUP" == "release-checks" || "$RERUN_GROUP" == "package" ]]; then
-              echo "- Package Telegram E2E: OpenClaw Release Checks Package Acceptance"
+            elif [[ "$RERUN_GROUP" == "all" && "$RELEASE_PROFILE" == "full" ]]; then
+              echo "- Package Telegram E2E: parent \`release-package-under-test\` artifact"
            else
-              echo "- Package Telegram E2E: skipped by rerun group"
+              echo "- Package Telegram E2E: skipped unless \`release_profile=full\`, \`release_package_spec\`, or \`npm_telegram_package_spec\` is provided"
            fi
            if [[ -n "${EVIDENCE_PACKAGE_SPEC// }" ]]; then
              echo "- Private evidence package proof: \`${EVIDENCE_PACKAGE_SPEC}\`"
@@ -766,13 +764,83 @@ jobs:

          dispatch_and_wait openclaw-release-checks.yml "${args[@]}"

+  prepare_release_package:
+    name: Prepare release package artifact
+    needs: [resolve_target, docker_runtime_assets_preflight]
+    if: ${{ always() && needs.resolve_target.result == 'success' && inputs.npm_telegram_package_spec == '' && inputs.release_package_spec == '' && inputs.rerun_group == 'all' && inputs.release_profile == 'full' && needs.docker_runtime_assets_preflight.result == 'success' }}
+    runs-on: ubuntu-24.04
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      packages: write
+    outputs:
+      artifact_name: ${{ steps.artifact.outputs.name }}
+      package_sha256: ${{ steps.package.outputs.sha256 }}
+      package_version: ${{ steps.package.outputs.package_version }}
+      source_sha: ${{ steps.package.outputs.source_sha }}
+    steps:
+      - name: Checkout trusted workflow ref
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: true
+          ref: ${{ github.ref_name }}
+          fetch-depth: 0
+
+      - name: Set artifact metadata
+        id: artifact
+        run: echo "name=release-package-under-test" >> "$GITHUB_OUTPUT"
+
+      - name: Setup Node environment
+        uses: ./.github/actions/setup-node-env
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          install-bun: "true"
+          install-deps: "false"
+
+      - name: Resolve release package artifact
+        id: package
+        shell: bash
+        env:
+          PACKAGE_REF: ${{ needs.resolve_target.outputs.sha }}
+        run: |
+          set -euo pipefail
+          node scripts/resolve-openclaw-package-candidate.mjs \
+            --source ref \
+            --package-ref "$PACKAGE_REF" \
+            --output-dir .artifacts/docker-e2e-package \
+            --output-name openclaw-current.tgz \
+            --metadata .artifacts/docker-e2e-package/package-candidate.json \
+            --github-output "$GITHUB_OUTPUT"
+          digest="$(node -p "JSON.parse(require('fs').readFileSync('.artifacts/docker-e2e-package/package-candidate.json', 'utf8')).sha256")"
+          version="$(node -p "JSON.parse(require('fs').readFileSync('.artifacts/docker-e2e-package/package-candidate.json', 'utf8')).version")"
+          source_sha="$(node -p "JSON.parse(require('fs').readFileSync('.artifacts/docker-e2e-package/package-candidate.json', 'utf8')).packageSourceSha")"
+          echo "source_sha=$source_sha" >> "$GITHUB_OUTPUT"
+          {
+            echo "## Release package artifact"
+            echo
+            echo "- Artifact: \`release-package-under-test\`"
+            echo "- Package ref: \`$PACKAGE_REF\`"
+            echo "- SHA-256: \`$digest\`"
+            echo "- Version: \`$version\`"
+            echo "- Source SHA: \`$source_sha\`"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Upload release package artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        with:
+          name: release-package-under-test
+          path: |
+            .artifacts/docker-e2e-package/openclaw-current.tgz
+            .artifacts/docker-e2e-package/package-candidate.json
+          if-no-files-found: error
+
  npm_telegram:
    name: Run package Telegram E2E
-    needs: [resolve_target]
-    if: ${{ always() && needs.resolve_target.result == 'success' && inputs.rerun_group == 'npm-telegram' && (inputs.npm_telegram_package_spec != '' || inputs.release_package_spec != '') }}
+    needs: [resolve_target, prepare_release_package]
+    if: ${{ always() && contains(fromJSON('["all","npm-telegram"]'), inputs.rerun_group) && (inputs.npm_telegram_package_spec != '' || inputs.release_package_spec != '' || (inputs.rerun_group == 'all' && inputs.release_profile == 'full')) }}
    continue-on-error: ${{ startsWith(github.ref, 'refs/heads/tideclaw/alpha/') }}
    runs-on: ubuntu-24.04
-    timeout-minutes: ${{ inputs.release_profile == 'full' && 360 || 60 }}
+    timeout-minutes: ${{ inputs.release_profile == 'full' && 120 || 60 }}
    outputs:
      run_id: ${{ steps.dispatch.outputs.run_id }}
      url: ${{ steps.dispatch.outputs.url }}
@@ -785,6 +853,8 @@ jobs:
          CHILD_WORKFLOW_REF: ${{ github.ref_name }}
          TARGET_SHA: ${{ needs.resolve_target.outputs.sha }}
          PACKAGE_SPEC: ${{ inputs.npm_telegram_package_spec || inputs.release_package_spec }}
+          PACKAGE_ARTIFACT_NAME: ${{ needs.prepare_release_package.outputs.artifact_name }}
+          PREPARE_PACKAGE_RESULT: ${{ needs.prepare_release_package.result }}
          PROVIDER_MODE: ${{ inputs.npm_telegram_provider_mode }}
          SCENARIO: ${{ inputs.npm_telegram_scenario }}
        run: |
@@ -813,7 +883,18 @@ jobs:
            return "$status"
          }

-          args=(-f package_spec="$PACKAGE_SPEC" -f harness_ref="$TARGET_SHA" -f provider_mode="$PROVIDER_MODE")
+          args=(-f package_spec="${PACKAGE_SPEC:-openclaw@beta}" -f harness_ref="$TARGET_SHA" -f provider_mode="$PROVIDER_MODE")
+          if [[ -z "${PACKAGE_SPEC// }" ]]; then
+            if [[ "$PREPARE_PACKAGE_RESULT" != "success" || -z "${PACKAGE_ARTIFACT_NAME// }" ]]; then
+              echo "Full release Telegram requires either npm_telegram_package_spec or a prepared release-package-under-test artifact." >&2
+              exit 1
+            fi
+            args+=(
+              -f package_artifact_name="$PACKAGE_ARTIFACT_NAME"
+              -f package_artifact_run_id="${GITHUB_RUN_ID}"
+              -f package_label="full-release-${TARGET_SHA:0:12}"
+            )
+          fi
          if [[ -n "${SCENARIO// }" ]]; then
            args+=(-f scenario="$SCENARIO")
          fi
@@ -890,7 +971,7 @@ jobs:
    needs: [resolve_target, docker_runtime_assets_preflight]
    if: ${{ always() && needs.resolve_target.result == 'success' && contains(fromJSON('["all","performance"]'), inputs.rerun_group) && (inputs.rerun_group != 'all' || needs.docker_runtime_assets_preflight.result == 'success') }}
    runs-on: ubuntu-24.04
-    timeout-minutes: ${{ inputs.release_profile == 'full' && 360 || 120 }}
+    timeout-minutes: 120
    outputs:
      run_id: ${{ steps.dispatch.outputs.run_id }}
      url: ${{ steps.dispatch.outputs.url }}
--- a/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
+++ b/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
@@ -1686,8 +1686,7 @@ jobs:
      FIREWORKS_API_KEY: ${{ secrets.FIREWORKS_API_KEY }}
      OPENCLAW_LIVE_PROVIDERS: ${{ matrix.providers }}
      OPENCLAW_LIVE_IMAGE: ${{ needs.prepare_live_test_image.outputs.live_image }}
-      OPENCLAW_LIVE_MODELS: ${{ matrix.models || 'modern' }}
-      OPENCLAW_LIVE_MAX_MODELS: ${{ matrix.max_models || '6' }}
+      OPENCLAW_LIVE_MAX_MODELS: "6"
      OPENCLAW_LIVE_MODEL_TIMEOUT_MS: "45000"
      OPENCLAW_SKIP_DOCKER_BUILD: "1"
      OPENCLAW_VITEST_MAX_WORKERS: "2"
@@ -2001,7 +2000,7 @@ jobs:
            profiles: stable full
          - suite_id: native-live-src-gateway-profiles-minimax
            label: Native live gateway profiles MiniMax
-            command: OPENCLAW_LIVE_GATEWAY_PROVIDERS=minimax,minimax-portal OPENCLAW_LIVE_GATEWAY_MODELS=minimax/MiniMax-M2.7,minimax-portal/MiniMax-M2.7 OPENCLAW_LIVE_GATEWAY_MAX_MODELS=2 node .release-harness/scripts/test-live-shard.mjs native-live-src-gateway-profiles
+            command: OPENCLAW_LIVE_GATEWAY_PROVIDERS=minimax,minimax-portal OPENCLAW_LIVE_GATEWAY_MODELS=minimax/MiniMax-M3,minimax-portal/MiniMax-M3 OPENCLAW_LIVE_GATEWAY_MAX_MODELS=2 node .release-harness/scripts/test-live-shard.mjs native-live-src-gateway-profiles
            timeout_minutes: 60
            profile_env_only: false
            profiles: stable full
@@ -2304,7 +2303,7 @@ jobs:
            profiles: stable full
          - suite_id: live-gateway-minimax-docker
            label: Docker live gateway MiniMax
-            command: OPENCLAW_LIVE_GATEWAY_PROVIDERS=minimax,minimax-portal OPENCLAW_LIVE_GATEWAY_MODELS=minimax/MiniMax-M2.7,minimax-portal/MiniMax-M2.7 OPENCLAW_LIVE_GATEWAY_MAX_MODELS=2 OPENCLAW_LIVE_GATEWAY_STEP_TIMEOUT_MS=90000 OPENCLAW_LIVE_GATEWAY_MODEL_TIMEOUT_MS=180000 OPENCLAW_LIVE_DOCKER_REPO_ROOT="$GITHUB_WORKSPACE" timeout --foreground --kill-after=30s 35m bash .release-harness/scripts/test-live-gateway-models-docker.sh
+            command: OPENCLAW_LIVE_GATEWAY_PROVIDERS=minimax,minimax-portal OPENCLAW_LIVE_GATEWAY_MODELS=minimax/MiniMax-M3,minimax-portal/MiniMax-M3 OPENCLAW_LIVE_GATEWAY_MAX_MODELS=1 OPENCLAW_LIVE_GATEWAY_STEP_TIMEOUT_MS=90000 OPENCLAW_LIVE_GATEWAY_MODEL_TIMEOUT_MS=180000 OPENCLAW_LIVE_DOCKER_REPO_ROOT="$GITHUB_WORKSPACE" timeout --foreground --kill-after=30s 35m bash .release-harness/scripts/test-live-gateway-models-docker.sh
            timeout_minutes: 40
            profile_env_only: false
            profiles: stable full
--- a/.github/workflows/openclaw-performance.yml
+++ b/.github/workflows/openclaw-performance.yml
@@ -45,7 +45,7 @@ on:
      kova_ref:
        description: openclaw/Kova Git ref to install
        required: false
-        default: 4f146016583018bad9e24f8e64a6af5f963bb7ee
+        default: b63b6f9e20efb23641df00487e982230d81a90ac
        type: string
      dispatch_id:
        description: Optional parent workflow dispatch identifier
@@ -66,7 +66,6 @@ env:
  OCM_LINUX_X64_SHA256: b849b8de5d77e97e0df9319703254ae95e29d7f26a7552ea79bf173ff110ea0a
  KOVA_REPOSITORY: openclaw/Kova
  PERFORMANCE_MODEL_ID: gpt-5.5
-  KOVA_SCENARIO_TIMEOUT_MS: "300000"

 jobs:
  kova:
@@ -99,7 +98,7 @@ jobs:
            live: "true"
            include_filters: "scenario:agent-cold-warm-message"
    env:
-      KOVA_REF: ${{ inputs.kova_ref || '4f146016583018bad9e24f8e64a6af5f963bb7ee' }}
+      KOVA_REF: ${{ inputs.kova_ref || 'b63b6f9e20efb23641df00487e982230d81a90ac' }}
      KOVA_HOME: ${{ github.workspace }}/.artifacts/kova/home/${{ matrix.lane }}
      PERFORMANCE_HELPER_DIR: ${{ github.workspace }}/.artifacts/performance-workflow
      REPORT_DIR: ${{ github.workspace }}/.artifacts/kova/reports/${{ matrix.lane }}
@@ -292,7 +291,6 @@ jobs:
            --auth "$AUTH_MODE"
            --parallel 1
            --repeat "$repeat"
-            --timeout-ms "$KOVA_SCENARIO_TIMEOUT_MS"
            --report-dir "$REPORT_DIR"
            --execute
            --json
@@ -363,7 +361,6 @@ jobs:
          - Kova repository: ${KOVA_REPOSITORY}
          - Kova ref: ${KOVA_REF}
          - Kova profile: ${PROFILE}
-          - Kova scenario timeout: ${KOVA_SCENARIO_TIMEOUT_MS}ms
          - Lane auth: ${AUTH_MODE}
          - Lane model: ${PERFORMANCE_MODEL_ID}
          - Lane repeat: ${repeat}
--- a/.github/workflows/openclaw-release-checks.yml
+++ b/.github/workflows/openclaw-release-checks.yml
@@ -717,6 +717,7 @@ jobs:
      published_upgrade_survivor_baselines: ${{ needs.resolve_target.outputs.run_release_soak == 'true' && 'last-stable-4 2026.4.23 2026.5.2 2026.4.15' || '' }}
      published_upgrade_survivor_scenarios: ${{ needs.resolve_target.outputs.run_release_soak == 'true' && 'reported-issues' || '' }}
      telegram_mode: mock-openai
+      telegram_scenarios: telegram-help-command,telegram-commands-command,telegram-tools-compact-command,telegram-whoami-command,telegram-status-command,telegram-other-bot-command-gating,telegram-context-command,telegram-mentioned-message-reply,telegram-long-final-reuses-preview,telegram-mention-gating
    secrets:
      OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
      OPENAI_BASE_URL: ${{ secrets.OPENAI_BASE_URL }}
--- a/.github/workflows/openclaw-release-publish.yml
+++ b/.github/workflows/openclaw-release-publish.yml
@@ -519,7 +519,12 @@ jobs:
            local workflow="$1"
            shift

-            local dispatch_output run_id
+            local before_json dispatch_output run_id
+            before_json="$(gh api -X GET "repos/${GITHUB_REPOSITORY}/actions/workflows/${workflow}/runs" \
+              -F event=workflow_dispatch \
+              -F per_page=100 \
+              --jq '[.workflow_runs[].id]')"
+
            dispatch_output="$(gh workflow run --repo "$GITHUB_REPOSITORY" "$workflow" --ref "$workflow_ref" "$@" 2>&1)"
            printf '%s\n' "$dispatch_output" >&2
            run_id="$(
@@ -529,7 +534,22 @@ jobs:
            )"

            if [[ -z "$run_id" ]]; then
-              echo "gh workflow run ${workflow} did not return an Actions run URL; refusing to guess from recent workflow_dispatch runs." >&2
+              for _ in $(seq 1 60); do
+                run_id="$(
+                  BEFORE_IDS="$before_json" gh api -X GET "repos/${GITHUB_REPOSITORY}/actions/workflows/${workflow}/runs" \
+                    -F event=workflow_dispatch \
+                    -F per_page=50 \
+                    --jq '.workflow_runs | map({databaseId:.id, createdAt:.created_at}) | map(select(.databaseId as $id | (env.BEFORE_IDS | fromjson | index($id) | not))) | sort_by(.createdAt) | reverse | .[0].databaseId // empty'
+                )"
+                if [[ -n "$run_id" ]]; then
+                  break
+                fi
+                sleep 5
+              done
+            fi
+
+            if [[ -z "${run_id:-}" ]]; then
+              echo "Could not find dispatched run for ${workflow}." >&2
              exit 1
            fi

--- a/.github/workflows/openclaw-stable-main-closeout.yml
+++ b/.github/workflows/openclaw-stable-main-closeout.yml
@@ -23,8 +23,8 @@ permissions:
  contents: write

 concurrency:
-  group: openclaw-stable-main-closeout-${{ github.event_name == 'workflow_dispatch' && (inputs.tag || github.run_id) || github.ref }}
-  cancel-in-progress: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+  group: openclaw-stable-main-closeout
+  cancel-in-progress: false

 jobs:
  resolve:
@@ -43,30 +43,6 @@ jobs:
      should_closeout: ${{ steps.inputs.outputs.should_closeout }}
      tag: ${{ steps.inputs.outputs.tag }}
    steps:
-      - name: Install GitHub API backoff helper
-        run: |
-          cat > "$RUNNER_TEMP/github-api-backoff.sh" <<'BASH'
-          gh_with_retry() {
-            local attempt output status lower_output
-            for attempt in 1 2 3 4 5; do
-              if output="$(gh "$@" 2>&1)"; then
-                printf '%s\n' "$output"
-                return 0
-              fi
-              status=$?
-              lower_output="${output,,}"
-              if [[ "$lower_output" != *"rate limit"* && "$output" != *"HTTP 429"* ]]; then
-                printf '%s\n' "$output" >&2
-                return "$status"
-              fi
-              echo "::warning::GitHub API throttled stable closeout on attempt ${attempt}; retrying after backoff." >&2
-              sleep $((attempt * attempt * 5))
-            done
-            printf '%s\n' "$output" >&2
-            return "$status"
-          }
-          BASH
-
      - name: Checkout pushed main
        if: ${{ github.event_name == 'push' }}
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
@@ -86,13 +62,9 @@ jobs:
          TRIGGER_SHA: ${{ github.sha }}
        run: |
          set -euo pipefail
-          if [[ "$EVENT_NAME" == "push" ]]; then
-            sleep 45
-          fi
-          . "$RUNNER_TEMP/github-api-backoff.sh"
          if [[ "$EVENT_NAME" == "push" ]]; then
            main_ref="$TRIGGER_SHA"
-            tag="$(gh_with_retry release list --repo "$GITHUB_REPOSITORY" --exclude-drafts --limit 100 \
+            tag="$(gh release list --repo "$GITHUB_REPOSITORY" --exclude-drafts --limit 100 \
              --json tagName,isPrerelease,publishedAt \
              --jq '[.[] | select(.isPrerelease | not) | select(.tagName | test("^v[0-9]{4}\\.[0-9]+\\.[0-9]+(-[0-9]+)?$"))] | sort_by(.publishedAt) | last | .tagName // empty')"
            if [[ -z "$tag" ]]; then
@@ -116,27 +88,8 @@ jobs:
          if [[ "$release_package_version" =~ ^(.+)-[0-9]+$ ]]; then
            fallback_package_version="${BASH_REMATCH[1]}"
          fi
-          tag_package_content="$RUNNER_TEMP/tag-package-content.b64"
-          tag_package_read=false
-          for attempt in 1 2 3; do
-            if gh_with_retry api "repos/$GITHUB_REPOSITORY/contents/package.json?ref=$tag" \
-              --jq '.content' > "$tag_package_content"; then
-              tag_package_read=true
-              break
-            fi
-            if [[ "$attempt" != "3" ]]; then
-              sleep $((attempt * 5))
-            fi
-          done
-          if [[ "$tag_package_read" != "true" ]]; then
-            echo "Stable closeout could not read package.json for $tag from GitHub API." >&2
-            exit 1
-          fi
-          if ! tag_package_json="$(tr -d '\n' < "$tag_package_content" | base64 --decode)"; then
-            echo "Stable closeout package.json content for $tag was not valid base64." >&2
-            exit 1
-          fi
-          tag_package_version="$(jq -r '.version // empty' <<<"$tag_package_json")"
+          tag_package_version="$(gh api "repos/$GITHUB_REPOSITORY/contents/package.json?ref=$tag" \
+            --jq '.content' | tr -d '\n' | base64 --decode | jq -r '.version // empty')"
          fallback_correction=false
          evidence_source_tag="$tag"
          if [[ "$release_package_version" != "$fallback_package_version" &&
@@ -154,7 +107,7 @@ jobs:
          closeout_checksum_asset="${closeout_asset}.sha256"
          closeout_dir="$RUNNER_TEMP/release-closeout-evidence"
          mkdir -p "$closeout_dir"
-          gh_with_retry release download "$tag" --repo "$GITHUB_REPOSITORY" \
+          gh release download "$tag" --repo "$GITHUB_REPOSITORY" \
            --pattern "$closeout_asset" --pattern "$closeout_checksum_asset" --dir "$closeout_dir" || true
          closeout_json_path="$closeout_dir/$closeout_asset"
          closeout_checksum_path="$closeout_dir/$closeout_checksum_asset"
@@ -210,11 +163,8 @@ jobs:
          fi
          evidence_dir="$RUNNER_TEMP/release-postpublish-evidence"
          mkdir -p "$evidence_dir"
-          gh_with_retry release download "$evidence_source_tag" --repo "$GITHUB_REPOSITORY" \
-            --pattern "$evidence_asset" --pattern "$evidence_checksum_asset" --dir "$evidence_dir" || true
-          evidence_path="$evidence_dir/$evidence_asset"
-          evidence_checksum_path="$evidence_dir/$evidence_checksum_asset"
-          if [[ ! -f "$evidence_path" || ! -f "$evidence_checksum_path" ]]; then
+          if ! gh release download "$evidence_source_tag" --repo "$GITHUB_REPOSITORY" \
+            --pattern "$evidence_asset" --pattern "$evidence_checksum_asset" --dir "$evidence_dir"; then
            if [[ "$EVENT_NAME" == "push" ]]; then
              echo "Stable closeout skipped: $evidence_source_tag predates immutable postpublish evidence." >&2
              echo "should_closeout=false" >> "$GITHUB_OUTPUT"
@@ -223,6 +173,7 @@ jobs:
            echo "Stable closeout is required for $tag, but immutable postpublish evidence from $evidence_source_tag is missing." >&2
            exit 1
          fi
+          evidence_path="$evidence_dir/$evidence_asset"
          if ! (
            cd "$evidence_dir"
            sha256sum --strict --status -c "$evidence_checksum_asset"
@@ -302,30 +253,6 @@ jobs:
            exit 1
          fi

-      - name: Install GitHub API backoff helper
-        run: |
-          cat > "$RUNNER_TEMP/github-api-backoff.sh" <<'BASH'
-          gh_with_retry() {
-            local attempt output status lower_output
-            for attempt in 1 2 3 4 5; do
-              if output="$(gh "$@" 2>&1)"; then
-                printf '%s\n' "$output"
-                return 0
-              fi
-              status=$?
-              lower_output="${output,,}"
-              if [[ "$lower_output" != *"rate limit"* && "$output" != *"HTTP 429"* ]]; then
-                printf '%s\n' "$output" >&2
-                return "$status"
-              fi
-              echo "::warning::GitHub API throttled stable closeout on attempt ${attempt}; retrying after backoff." >&2
-              sleep $((attempt * attempt * 5))
-            done
-            printf '%s\n' "$output" >&2
-            return "$status"
-          }
-          BASH
-
      - name: Verify release workflow evidence
        env:
          GH_TOKEN: ${{ github.token }}
@@ -333,8 +260,7 @@ jobs:
          RELEASE_PUBLISH_RUN_ID: ${{ needs.resolve.outputs.release_publish_run_id }}
        run: |
          set -euo pipefail
-          . "$RUNNER_TEMP/github-api-backoff.sh"
-          gh_with_retry run view "$FULL_RELEASE_VALIDATION_RUN_ID" --repo "$GITHUB_REPOSITORY" \
+          gh run view "$FULL_RELEASE_VALIDATION_RUN_ID" --repo "$GITHUB_REPOSITORY" \
            --json workflowName,event,status,conclusion \
            > "$RUNNER_TEMP/full-release-validation-run.json"
          node --input-type=module - "$RUNNER_TEMP/full-release-validation-run.json" <<'NODE'
@@ -351,7 +277,7 @@ jobs:
            }
          }
          NODE
-          gh_with_retry run view "$RELEASE_PUBLISH_RUN_ID" --repo "$GITHUB_REPOSITORY" \
+          gh run view "$RELEASE_PUBLISH_RUN_ID" --repo "$GITHUB_REPOSITORY" \
            --json workflowName,event,status,conclusion \
            > "$RUNNER_TEMP/release-publish-run.json"
          node --input-type=module - "$RUNNER_TEMP/release-publish-run.json" <<'NODE'
@@ -372,7 +298,7 @@ jobs:
          manifest_dir="$RUNNER_TEMP/full-release-validation-manifest"
          rm -rf "$manifest_dir"
          mkdir -p "$manifest_dir"
-          gh_with_retry run download "$FULL_RELEASE_VALIDATION_RUN_ID" --repo "$GITHUB_REPOSITORY" \
+          gh run download "$FULL_RELEASE_VALIDATION_RUN_ID" --repo "$GITHUB_REPOSITORY" \
            --name "full-release-validation-${FULL_RELEASE_VALIDATION_RUN_ID}" \
            --dir "$manifest_dir"
          tag_sha="$(git -C "$GITHUB_WORKSPACE/release-tag" rev-parse HEAD)"
@@ -401,8 +327,7 @@ jobs:
        run: |
          set -euo pipefail
          mkdir -p "$CLOSEOUT_DIR"
-          . "$RUNNER_TEMP/github-api-backoff.sh"
-          gh_with_retry release view "$RELEASE_TAG" --repo "$GITHUB_REPOSITORY" \
+          gh release view "$RELEASE_TAG" --repo "$GITHUB_REPOSITORY" \
            --json tagName,isDraft,isPrerelease,assets \
            > "$CLOSEOUT_DIR/github-release.json"
          node scripts/verify-stable-main-closeout.mjs \
@@ -428,23 +353,21 @@ jobs:
          CLOSEOUT_DIR: ${{ runner.temp }}/openclaw-stable-main-closeout
        run: |
          set -euo pipefail
-          . "$RUNNER_TEMP/github-api-backoff.sh"
          release_version="${RELEASE_TAG#v}"
          attach_or_verify() {
            local source_path="$1"
            local asset_name="$2"
            local existing_dir="$CLOSEOUT_DIR/existing-${asset_name}"
            mkdir -p "$existing_dir"
-            gh_with_retry release download "$RELEASE_TAG" --repo "$GITHUB_REPOSITORY" \
-              --pattern "$asset_name" --dir "$existing_dir" || true
-            if [[ -f "$existing_dir/$asset_name" ]]; then
+            if gh release download "$RELEASE_TAG" --repo "$GITHUB_REPOSITORY" \
+              --pattern "$asset_name" --dir "$existing_dir"; then
              cmp --silent "$source_path" "$existing_dir/$asset_name" || {
                echo "Existing release asset $asset_name differs from closeout evidence." >&2
                exit 1
              }
              return
            fi
-            gh_with_retry release upload "$RELEASE_TAG" "$source_path#$asset_name" --repo "$GITHUB_REPOSITORY"
+            gh release upload "$RELEASE_TAG" "$source_path#$asset_name" --repo "$GITHUB_REPOSITORY"
          }
          attach_or_verify \
            "$CLOSEOUT_DIR/stable-main-closeout.json" \
--- a/.github/workflows/plugin-init-scaffold-validation.yml
+++ b/.github/workflows/plugin-init-scaffold-validation.yml
@@ -0,0 +1,51 @@
+name: Plugin Init Scaffold Validation
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [main]
+    paths:
+      - ".github/workflows/plugin-init-scaffold-validation.yml"
+      - "package.json"
+      - "pnpm-lock.yaml"
+      - "scripts/validate-plugin-init-provider-scaffold.ts"
+      - "src/cli/plugins-authoring-command.ts"
+      - "src/cli/plugins-authoring-command.test.ts"
+      - "src/cli/plugins-cli.ts"
+      - "src/plugin-sdk/**"
+  pull_request:
+    types: [opened, reopened, synchronize, ready_for_review]
+    paths:
+      - ".github/workflows/plugin-init-scaffold-validation.yml"
+      - "package.json"
+      - "pnpm-lock.yaml"
+      - "scripts/validate-plugin-init-provider-scaffold.ts"
+      - "src/cli/plugins-authoring-command.ts"
+      - "src/cli/plugins-authoring-command.test.ts"
+      - "src/cli/plugins-cli.ts"
+      - "src/plugin-sdk/**"
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  validate-provider-scaffold:
+    name: Validate provider scaffold
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    runs-on: ${{ github.repository == 'openclaw/openclaw' && 'blacksmith-4vcpu-ubuntu-2404' || 'ubuntu-24.04' }}
+    timeout-minutes: 30
+    steps:
+      - name: Checkout
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+
+      - name: Setup Node environment
+        uses: ./.github/actions/setup-node-env
+        with:
+          install-bun: "false"
+
+      - name: Generate and validate provider scaffold
+        run: pnpm test:plugins:init-provider-scaffold
--- a/.github/workflows/plugin-npm-release.yml
+++ b/.github/workflows/plugin-npm-release.yml
@@ -38,8 +38,8 @@ on:
        type: string

 concurrency:
-  group: plugin-npm-release-${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }}
-  cancel-in-progress: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+  group: plugin-npm-release-${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.sha }}
+  cancel-in-progress: false

 env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
--- a/.github/workflows/qa-live-transports-convex.yml
+++ b/.github/workflows/qa-live-transports-convex.yml
@@ -532,7 +532,6 @@ jobs:
          OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
          OPENCLAW_QA_CREDENTIAL_ACQUIRE_TIMEOUT_MS: "1800000"
          OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
-          OPENCLAW_QA_TRANSPORT_READY_TIMEOUT_MS: "180000"
          INPUT_SCENARIO: ${{ github.event_name == 'workflow_dispatch' && inputs.scenario || '' }}
        run: |
          set -euo pipefail
@@ -625,7 +624,6 @@ jobs:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
          OPENCLAW_QA_CONVEX_SITE_URL: ${{ secrets.OPENCLAW_QA_CONVEX_SITE_URL }}
          OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
-          OPENCLAW_QA_CREDENTIAL_ACQUIRE_TIMEOUT_MS: "1800000"
          OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
          OPENCLAW_QA_DISCORD_CAPTURE_CONTENT: "1"
          INPUT_SCENARIO: ${{ github.event_name == 'workflow_dispatch' && inputs.discord_scenario || '' }}
@@ -723,7 +721,6 @@ jobs:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
          OPENCLAW_QA_CONVEX_SITE_URL: ${{ secrets.OPENCLAW_QA_CONVEX_SITE_URL }}
          OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
-          OPENCLAW_QA_CREDENTIAL_ACQUIRE_TIMEOUT_MS: "1800000"
          OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
          OPENCLAW_QA_WHATSAPP_CAPTURE_CONTENT: "1"
          INPUT_SCENARIO: ${{ github.event_name == 'workflow_dispatch' && inputs.whatsapp_scenario || '' }}
@@ -818,7 +815,6 @@ jobs:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
          OPENCLAW_QA_CONVEX_SITE_URL: ${{ secrets.OPENCLAW_QA_CONVEX_SITE_URL }}
          OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
-          OPENCLAW_QA_CREDENTIAL_ACQUIRE_TIMEOUT_MS: "1800000"
          OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
          OPENCLAW_QA_SLACK_CAPTURE_CONTENT: "1"
          OPENCLAW_QA_TRANSPORT_READY_TIMEOUT_MS: "180000"
--- a/.github/workflows/sandbox-common-smoke.yml
+++ b/.github/workflows/sandbox-common-smoke.yml
@@ -19,7 +19,7 @@ permissions:

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

 env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
--- a/.github/workflows/windows-blacksmith-testbox.yml
+++ b/.github/workflows/windows-blacksmith-testbox.yml
@@ -57,10 +57,6 @@ jobs:
            echo "could not read required Blacksmith metadata" >&2
            exit 1
          fi
-          if ! jq -e 'type == "number"' <<<"$installation_model_id" >/dev/null; then
-            echo "invalid Blacksmith installation model id: ${installation_model_id}" >&2
-            exit 1
-          fi

          if [ -n "${BLACKSMITH_HOSTNAME:-}" ]; then
            runner_host="$BLACKSMITH_HOSTNAME"
@@ -69,32 +65,21 @@ jobs:
          fi
          runner_ssh_port="${BLACKSMITH_SSH_PORT:-22}"

-          hydrating_body="$RUNNER_TEMP/testbox-hydrating.json"
          hydrating_response="$RUNNER_TEMP/testbox-hydrating.response"
-          jq -n \
-            --arg testbox_id "$TESTBOX_ID" \
-            --argjson installation_model_id "$installation_model_id" \
-            --arg status "hydrating" \
-            --arg ip_address "$runner_host" \
-            --arg ssh_port "$runner_ssh_port" \
-            --arg working_directory "$GITHUB_WORKSPACE" \
-            --arg adopted_run_id "$GITHUB_RUN_ID" \
-            '{
-              testbox_id: $testbox_id,
-              installation_model_id: $installation_model_id,
-              status: $status,
-              ip_address: $ip_address,
-              ssh_port: $ssh_port,
-              working_directory: $working_directory,
-              adopted_run_id: $adopted_run_id,
-              metadata: {}
-            }' > "$hydrating_body"
-
          hydrating_http_code="$(curl -sS -L --post302 --post303 -o "$hydrating_response" -w '%{http_code}' \
            -X POST "${api_url}/api/testbox/phone-home" \
            -H "Content-Type: application/json" \
            -H "Authorization: Bearer ${auth_token}" \
-            --data-binary @"$hydrating_body" || true)"
+            -d "{
+              \"testbox_id\": \"${TESTBOX_ID}\",
+              \"installation_model_id\": ${installation_model_id},
+              \"status\": \"hydrating\",
+              \"ip_address\": \"${runner_host}\",
+              \"ssh_port\": \"${runner_ssh_port}\",
+              \"working_directory\": \"${GITHUB_WORKSPACE}\",
+              \"adopted_run_id\": \"${GITHUB_RUN_ID}\",
+              \"metadata\": {}
+            }" || true)"

          echo "phone_home_hydrating_http=${hydrating_http_code}"
          if [[ ! "$hydrating_http_code" =~ ^2 ]]; then
@@ -167,30 +152,20 @@ jobs:
          runner_ssh_port="$(cat "$state/runner_ssh_port")"
          working_directory="$(cat "$state/working_directory")"
          adopted_run_id="$(cat "$state/adopted_run_id")"
-          if ! jq -e 'type == "number"' <<<"$installation_model_id" >/dev/null; then
-            echo "invalid Blacksmith installation model id: ${installation_model_id}" >&2
-            exit 1
-          fi

          ready_body="$RUNNER_TEMP/testbox-ready.json"
-          jq -n \
-            --arg testbox_id "$testbox_id" \
-            --argjson installation_model_id "$installation_model_id" \
-            --arg status "ready" \
-            --arg ip_address "$runner_host" \
-            --arg ssh_port "$runner_ssh_port" \
-            --arg working_directory "$working_directory" \
-            --arg adopted_run_id "$adopted_run_id" \
-            '{
-              testbox_id: $testbox_id,
-              installation_model_id: $installation_model_id,
-              status: $status,
-              ip_address: $ip_address,
-              ssh_port: $ssh_port,
-              working_directory: $working_directory,
-              adopted_run_id: $adopted_run_id,
-              metadata: {}
-            }' > "$ready_body"
+          cat > "$ready_body" <<JSON
+          {
+            "testbox_id": "${testbox_id}",
+            "installation_model_id": ${installation_model_id},
+            "status": "ready",
+            "ip_address": "${runner_host}",
+            "ssh_port": "${runner_ssh_port}",
+            "working_directory": "${working_directory}",
+            "adopted_run_id": "${adopted_run_id}",
+            "metadata": {}
+          }
+          JSON

          http_code="$(curl -sS -L --post302 --post303 -o "$RUNNER_TEMP/testbox-ready.response" -w '%{http_code}' \
            -X POST "${api_url}/api/testbox/phone-home" \
--- a/.github/workflows/windows-testbox-probe.yml
+++ b/.github/workflows/windows-testbox-probe.yml
@@ -37,11 +37,6 @@ on:
        required: false
        default: false
        type: boolean
-      run_windows_ci:
-        description: "Run the focused Windows-native CI test shard after probing"
-        required: false
-        default: false
-        type: boolean

 permissions:
  contents: read
@@ -85,21 +80,10 @@ jobs:
        env:
          ENABLE_WSL2_FEATURES: ${{ inputs.enable_wsl2_features }}
          IMPORT_UBUNTU_WSL2: ${{ inputs.import_ubuntu_wsl2 }}
+          UBUNTU_WSL_ROOTFS_URL: https://cloud-images.ubuntu.com/wsl/releases/24.04/current/ubuntu-noble-wsl-amd64-wsl.rootfs.tar.gz
        run: |
          $ErrorActionPreference = "Continue"
          $ok = $false
-          $restartRequired = $false
-
-          function Resolve-UbuntuWslRootfsUrl {
-            $osArch = ([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture).ToString().ToLowerInvariant()
-            switch ($osArch) {
-              "x64" { $wslArch = "amd64" }
-              "arm64" { $wslArch = "arm64" }
-              default { throw "Unsupported Windows architecture for Ubuntu WSL rootfs: $osArch" }
-            }
-            Write-Host "ubuntu_wsl_rootfs_arch=$wslArch"
-            "https://cloud-images.ubuntu.com/wsl/releases/24.04/current/ubuntu-noble-wsl-$wslArch-wsl.rootfs.tar.gz"
-          }

          function Invoke-WslText {
            param([string[]] $Arguments)
@@ -128,15 +112,9 @@ jobs:
            Write-Host "wsl.exe=$($wsl.Source)"
            if ($env:ENABLE_WSL2_FEATURES -eq "true") {
              Write-Host "enable_wsl2_features=true"
-              foreach ($feature in @("Microsoft-Windows-Subsystem-Linux", "VirtualMachinePlatform", "HypervisorPlatform")) {
+              foreach ($feature in @("Microsoft-Windows-Subsystem-Linux", "VirtualMachinePlatform", "HypervisorPlatform", "Microsoft-Hyper-V-All")) {
                dism.exe /online /enable-feature /featurename:$feature /all /norestart
                Write-Host "enable_feature_${feature}_exit=$LASTEXITCODE"
-                if ($LASTEXITCODE -eq 3010) {
-                  $restartRequired = $true
-                }
-              }
-              if ($restartRequired) {
-                Write-Warning "wsl2_restart_required=true; Windows optional feature changes require a runner reboot before WSL2 can be imported."
              }
            }

@@ -149,13 +127,12 @@ jobs:
            Write-Host "wsl_list_exit=$($list.Code)"

            $distros = @(Get-WslDistros)
-            if ($distros.Count -eq 0 -and $env:IMPORT_UBUNTU_WSL2 -eq "true" -and -not $restartRequired) {
+            if ($distros.Count -eq 0 -and $env:IMPORT_UBUNTU_WSL2 -eq "true") {
              Write-Host "import_ubuntu_wsl2=true"
              $wslRoot = "C:\wsl\UbuntuProbe"
              $rootfs = "C:\wsl\ubuntu-noble-wsl.rootfs.tar.gz"
-              $rootfsUrl = Resolve-UbuntuWslRootfsUrl
              New-Item -ItemType Directory -Force -Path @((Split-Path -Parent $rootfs), $wslRoot) | Out-Null
-              Invoke-WebRequest -Uri $rootfsUrl -OutFile $rootfs -UseBasicParsing
+              Invoke-WebRequest -Uri $env:UBUNTU_WSL_ROOTFS_URL -OutFile $rootfs -UseBasicParsing
              $import = Invoke-WslText -Arguments @("--import", "UbuntuProbe", $wslRoot, $rootfs, "--version", "2")
              Write-Host $import.Text
              Write-Host "wsl_import_exit=$($import.Code)"
@@ -163,16 +140,12 @@ jobs:
              Write-Host $list.Text
              Write-Host "wsl_list_after_import_exit=$($list.Code)"
              $distros = @(Get-WslDistros)
-            } elseif ($distros.Count -eq 0 -and $env:IMPORT_UBUNTU_WSL2 -eq "true" -and $restartRequired) {
-              Write-Warning "import_ubuntu_wsl2=skipped_restart_required"
            }

            if ($distros.Count -gt 0) {
              $distro = $distros[0]
              Write-Host "wsl_probe_distro=$distro"
              $exec = Invoke-WslText -Arguments @("-d", $distro, "--exec", "bash", "-lc", 'set -euo pipefail; uname -a; if [ -f /etc/os-release ]; then sed -n "1,8p" /etc/os-release; fi')
-            } elseif ($restartRequired) {
-              $exec = [pscustomobject]@{ Code = 1; Text = "wsl_exec_skipped=restart_required" }
            } else {
              $exec = Invoke-WslText -Arguments @("--exec", "bash", "-lc", 'set -euo pipefail; uname -a; if [ -f /etc/os-release ]; then sed -n "1,8p" /etc/os-release; fi')
            }
@@ -185,99 +158,17 @@ jobs:

          if ($ok) {
            "wsl2_ok=true" >> $env:GITHUB_OUTPUT
-            "wsl2_restart_required=false" >> $env:GITHUB_OUTPUT
            "OPENCLAW_WSL2_PROBE_OK=true" >> $env:GITHUB_ENV
-            "OPENCLAW_WSL2_RESTART_REQUIRED=false" >> $env:GITHUB_ENV
            Write-Host "wsl2_ok=true"
          } else {
            "wsl2_ok=false" >> $env:GITHUB_OUTPUT
-            "wsl2_restart_required=$($restartRequired.ToString().ToLowerInvariant())" >> $env:GITHUB_OUTPUT
            "OPENCLAW_WSL2_PROBE_OK=false" >> $env:GITHUB_ENV
-            "OPENCLAW_WSL2_RESTART_REQUIRED=$($restartRequired.ToString().ToLowerInvariant())" >> $env:GITHUB_ENV
            Write-Warning "wsl2_ok=false"
          }

          exit 0

-      - name: Try to exclude workspace from Windows Defender (best-effort)
-        if: ${{ inputs.run_windows_ci }}
-        shell: pwsh
-        run: |
-          $cmd = Get-Command Add-MpPreference -ErrorAction SilentlyContinue
-          if (-not $cmd) {
-            Write-Host "Add-MpPreference not available, skipping Defender exclusions."
-            exit 0
-          }
-
-          try {
-            Add-MpPreference -ExclusionPath "$env:GITHUB_WORKSPACE" -ErrorAction Stop
-            Add-MpPreference -ExclusionProcess "node.exe" -ErrorAction Stop
-            Write-Host "Defender exclusions applied."
-          } catch {
-            Write-Warning "Failed to apply Defender exclusions, continuing. $($_.Exception.Message)"
-          }
-
-      - name: Setup Node.js
-        if: ${{ inputs.run_windows_ci }}
-        shell: bash
-        env:
-          REQUESTED_NODE_VERSION: "22.x"
-        run: |
-          set -euo pipefail
-          source .github/actions/setup-pnpm-store-cache/ensure-node.sh
-          openclaw_ensure_node "$REQUESTED_NODE_VERSION"
-
-      - name: Setup pnpm
-        if: ${{ inputs.run_windows_ci }}
-        uses: ./.github/actions/setup-pnpm-store-cache
-        with:
-          node-version: 22.x
-
-      - name: Runtime versions
-        if: ${{ inputs.run_windows_ci }}
-        shell: bash
-        run: |
-          node -v
-          npm -v
-          pnpm -v
-
-      - name: Capture node path
-        if: ${{ inputs.run_windows_ci }}
-        shell: bash
-        run: |
-          node_bin="$(dirname "$(node -p 'process.execPath')")"
-          if command -v cygpath >/dev/null 2>&1; then
-            node_bin="$(cygpath -u "$node_bin")"
-          fi
-          echo "NODE_BIN=$node_bin" >> "$GITHUB_ENV"
-
-      - name: Install dependencies
-        if: ${{ inputs.run_windows_ci }}
-        shell: bash
-        env:
-          CI: true
-        run: |
-          export PATH="$NODE_BIN:$PATH"
-          which node
-          node -v
-          pnpm -v
-          pnpm install --frozen-lockfile --prefer-offline --ignore-scripts=false --config.engine-strict=false --config.enable-pre-post-scripts=true --config.side-effects-cache=true || pnpm install --frozen-lockfile --prefer-offline --ignore-scripts=false --config.engine-strict=false --config.enable-pre-post-scripts=true --config.side-effects-cache=true
-
-      - name: Run Windows CI tests
-        if: ${{ inputs.run_windows_ci }}
-        shell: bash
-        env:
-          CI: true
-          NODE_OPTIONS: --max-old-space-size=8192
-          OPENCLAW_TEST_SKIP_FULL_EXTENSIONS_SHARD: 1
-          OPENCLAW_VITEST_MAX_WORKERS: 1
-        run: |
-          set -euo pipefail
-          export PATH="$NODE_BIN:$PATH"
-          pnpm test:windows:ci
-
      - name: Keep runner alive for SSH inspection
-        if: ${{ always() && !cancelled() }}
        env:
          KEEPALIVE_MINUTES: ${{ inputs.keepalive_minutes }}
        run: |
@@ -294,7 +185,7 @@ jobs:
          }

      - name: Enforce WSL2 requirement
-        if: ${{ always() && !cancelled() && inputs.require_wsl2 }}
+        if: ${{ inputs.require_wsl2 }}
        run: |
          if ($env:OPENCLAW_WSL2_PROBE_OK -ne "true") {
            Write-Error "WSL2 probe failed or WSL2 is unavailable on this Windows runner."
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -35,7 +35,7 @@ Skills own workflows; root owns hard policy and routing.
 - One-sided fixes need sibling-surface proof, an explanation for why siblings are unaffected, or explicit follow-up work.
 - Changelog findings: see Docs / Changelog.
 - Public ClawSweeper comments prefer `https://docs.openclaw.ai/...` when a public docs page exists; structured evidence still cites repo files, lines, SHAs.
- Findings need current source, shipped/current behavior, tests/CI evidence, and dependency contract proof when dependency-backed behavior is involved. Validation is judged against touched and sibling surfaces plus this file's commands; clear evidence matters for user-visible changes, with Telegram/Desktop proof for Telegram-visible behavior when feasible.
+- Findings need current source, shipped/current behavior, tests/CI evidence, and dependency contract proof when dependency-backed behavior is involved. Validation is judged against touched and sibling surfaces plus this file's commands; real behavior proof matters for user-visible changes, with Telegram/Desktop proof for Telegram-visible behavior when feasible.
 - Prefer findings for concrete behavior regressions, missing changed-surface proof, owner-boundary violations, security/API contract issues, or docs/config mismatches.
 - Do not file findings for repo policy preference when changed code follows the relevant scoped guide and no user-visible, runtime, security, or maintainer-risk impact is shown.

@@ -165,12 +165,13 @@ Skills own workflows; root owns hard policy and routing.
 - Representing user: if user already has a comment/thread for the point, update/reply there when possible; avoid duplicate PR/issue comments.
 - No surprise GH writes: chat must mention every posted/updated public comment with URL.
 - GH comments with backticks, `$`, or shell snippets: use heredoc/body file, not inline double-quoted `--body`.
- PR create: real body required. Use the current template: `What Problem This Solves`, `Why This Change Was Made`, `User Impact`, and `Evidence`; include visible refs, behavior, and validation.
+- PR create: real body required. Include Summary + Verification; mention refs, behavior, and proof.
 - PR create/refresh: keep PR branches takeover-ready. Use a branch maintainers can push to, or for fork PRs ensure `maintainer_can_modify` / GitHub's `Allow edits by maintainers` is enabled unless explicitly told otherwise or GitHub's Actions/secrets warning makes that unsafe.
 - GitHub issue/PR create: read `$agent-transcript`; ask about sanitized transcript logs when available.
- Contributor PRs: parsed context requires authored `What Problem This Solves` and `Evidence` sections. Do not require field-level proof forms; reviewers inspect code, tests, and CI for correctness.
+- Contributor PRs: parsed `Real behavior proof` uses exact `field: value` labels: `Behavior addressed`, `Real environment tested`, `Exact steps or command run after this patch`, `Evidence after fix`, `Observed result after fix`, `What was not tested`.
 - PR artifacts/screenshots: attach to PR/comment/external artifact store. Never push screenshots, videos, proof images, or proof assets to OpenClaw or any product repo branch, including temp artifact branches. Use Crabbox artifact publishing plus the manifest URL. Do not commit `.github/pr-assets`.
 - CI polling: exact SHA, relevant checks only, minimal fields. Skip routine noise (`Auto response`, `Labeler`, docs agents, performance/stale). Logs only after failure/completion or concrete need.
+- OpenClaw write-access maintainers may skip `Real behavior proof` when local tests or Crabbox verified behavior; record proof in PR verification.
 - Agent PR landing to `main`: use only the repo-native `scripts/pr` wrapper: run `scripts/pr review-init <PR>`, follow its emitted checkout/guard guidance, initialize and complete review artifacts with `scripts/pr review-artifacts-init <PR>`, validate them with `scripts/pr review-validate-artifacts <PR>`, then run `scripts/pr prepare-run <PR>` and `scripts/pr merge-run <PR>`; do not idle on `auto-response` or `check-docs`.

 ## Code
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -106,8 +106,7 @@ For coordinated change sets that genuinely need more than 20 PRs, join the **#cl
 ## Before You PR

 - Test locally with your OpenClaw instance
- External PRs must describe the user, product, or operational problem in **What Problem This Solves** and include useful validation in **Evidence**. Focused tests, CI results, screenshots, recordings, terminal output, live observations, redacted logs, and artifact links all count. Reviewers will inspect the code, tests, and CI; use the PR body to explain intent and make validation easy to understand.
- When ClawSweeper, Codex, Barnacle, or a maintainer asks for more context or evidence, edit the PR description instead of only replying in a new comment. Keep **What Problem This Solves**, **Why This Change Was Made**, **User Impact**, and **Evidence** current; a short comment can point reviewers to the update, but the PR body should remain the durable explanation for maintainers and bots.
+- External PRs must include a filled **Real behavior proof** section in the PR body. Show the real setup you tested, the exact command or steps you ran after the patch, after-fix evidence, the observed result, and anything you did not test. Screenshots, recordings, terminal screenshots, console output, copied live output, linked artifacts, and redacted runtime logs all count. Unit tests, mocks, snapshots, lint, typechecks, and CI are useful but do not satisfy this requirement by themselves. Maintainers may apply `proof: override` only when the proof gate should not apply.
 - Keep PRs takeover-ready: open them from a branch maintainers can push to. For fork PRs, leave GitHub's **Allow edits by maintainers** option enabled so maintainers can finish urgent fixes, changelog entries, or merge prep when needed. If GitHub shows **Allow edits and access to secrets by maintainers**, enable it only when that workflow/secrets access is acceptable and say so in the PR.
 - Do not edit `CHANGELOG.md` in contributor PRs. Maintainers or ClawSweeper add the changelog entry when landing user-facing changes.
 - Run tests: `pnpm build && pnpm check && pnpm test`
@@ -170,7 +169,7 @@ Built with Codex, Claude, or other AI tools? **Awesome - just mark it!**
 Please include in your PR:

 - [ ] Mark as AI-assisted in the PR title or description
- [ ] Include a concise **Evidence** section with the most useful validation. Reviewers will inspect the code, tests, and CI rather than relying on the PR body alone.
+- [ ] Include human-run real behavior proof from your own setup. AI-generated tests, mocks, lint, typechecks, and CI output are supplemental only; they do not prove the fix works for users.
 - [ ] Include prompts or session logs if possible (super helpful!)
 - [ ] Confirm you understand what the code does
 - [ ] If you have access to Codex, run `codex review --base origin/main` locally and address the findings before asking for review
--- a/apps/android/Config/Version.properties
+++ b/apps/android/Config/Version.properties
@@ -2,5 +2,5 @@
 # Source of truth: apps/android/version.json
 # Generated by scripts/android-sync-versioning.ts.

-OPENCLAW_ANDROID_VERSION_NAME=2026.6.9
-OPENCLAW_ANDROID_VERSION_CODE=2026060901
+OPENCLAW_ANDROID_VERSION_NAME=2026.6.2
+OPENCLAW_ANDROID_VERSION_CODE=2026060201
--- a/apps/android/README.md
+++ b/apps/android/README.md
@@ -69,17 +69,6 @@ Generate raw Google Play screenshots:
 pnpm android:screenshots
 ```

-To make screenshot capture own emulator startup, pass a named AVD:
-
-```bash
-ANDROID_SCREENSHOT_AVD=OpenClaw_QA_API35 pnpm android:screenshots
-```
-
-The screenshot script uses one connected ADB device when available. If none is
-connected and `ANDROID_SCREENSHOT_AVD` is set, it boots that emulator
-headlessly, waits for Android to finish booting, disables animations, captures
-the screenshots, then shuts down the emulator it started.
-
 `pnpm android:release:archive` builds signed release artifacts into `apps/android/build/release-artifacts/` and writes `.sha256` checksum files:

 - Play build: `openclaw-<version>-play-release.aab`
--- a/apps/android/VERSIONING.md
+++ b/apps/android/VERSIONING.md
@@ -49,7 +49,7 @@ Recommended workflow:
 3. Update `apps/android/CHANGELOG.md`, then run `pnpm android:version:sync` again if needed.
 4. Run `MATCH_PASSWORD=<signing repo password> pnpm android:release:signing:sync:pull` to materialize encrypted Android signing assets from `apps-signing`.
 5. Run `pnpm android:release:preflight` to validate Play auth, signing, synced versioning, and release notes.
-6. Run `ANDROID_SCREENSHOT_AVD=<avd-name> pnpm android:screenshots` to refresh raw Google Play screenshots with a script-managed emulator, or run `pnpm android:screenshots` when exactly one ADB device is already connected.
+6. Run `pnpm android:screenshots` to refresh raw Google Play screenshots.
 7. Run `pnpm android:release:archive` to produce the signed Play AAB and third-party APK.
 8. Run `pnpm android:release:upload` to upload metadata, screenshots, and the Play AAB to Google Play internal testing.
 9. Promote to production manually in Google Play Console.
--- a/apps/android/app/src/main/java/ai/openclaw/app/NodeForegroundService.kt
+++ b/apps/android/app/src/main/java/ai/openclaw/app/NodeForegroundService.kt
@@ -223,11 +223,10 @@ class NodeForegroundService : Service() {

 internal fun foregroundServiceTypesForVoiceMode(mode: VoiceCaptureMode): Int {
  val base = ServiceInfo.FOREGROUND_SERVICE_TYPE_CONNECTED_DEVICE
-  return when (mode) {
-    VoiceCaptureMode.Off -> base
-    VoiceCaptureMode.ManualMic,
-    VoiceCaptureMode.TalkMode,
-    -> base or ServiceInfo.FOREGROUND_SERVICE_TYPE_MICROPHONE
+  return if (mode == VoiceCaptureMode.TalkMode) {
+    base or ServiceInfo.FOREGROUND_SERVICE_TYPE_MICROPHONE
+  } else {
+    base
  }
 }

--- a/apps/android/app/src/main/java/ai/openclaw/app/NodeRuntime.kt
+++ b/apps/android/app/src/main/java/ai/openclaw/app/NodeRuntime.kt
@@ -1396,9 +1396,8 @@ class NodeRuntime(
    mode: VoiceCaptureMode,
    persistManualMic: Boolean = true,
  ) {
-    if (mode.requiresMicrophonePermission && !hasRecordAudioPermission()) {
+    if (mode == VoiceCaptureMode.TalkMode && !hasRecordAudioPermission()) {
      _voiceCaptureMode.value = VoiceCaptureMode.Off
-      prefs.setVoiceMicEnabled(false)
      externalAudioCaptureActive.value = false
      return
    }
@@ -1469,9 +1468,6 @@ class NodeRuntime(
    }
  }

-  private val VoiceCaptureMode.requiresMicrophonePermission: Boolean
-    get() = this == VoiceCaptureMode.ManualMic || this == VoiceCaptureMode.TalkMode
-
  fun refreshGatewayConnection() {
    val endpoint = connectedEndpoint
    if (endpoint == null) {
--- a/apps/android/app/src/main/java/ai/openclaw/app/ui/AndroidScreenshotModeScreen.kt
+++ b/apps/android/app/src/main/java/ai/openclaw/app/ui/AndroidScreenshotModeScreen.kt
@@ -114,12 +114,16 @@ private fun ConnectScene() {

@Composable
 private fun ChatScene() {
-  ChatBubble(label = "You", text = "Hi Molty, are you there?")
+  ChatBubble(label = "You", text = "Summarize the launch checklist before I start the release.")
  ChatBubble(
-    label = "Molty",
-    text = "Always. Lurking in the shadows, exfoliating.",
+    label = "OpenClaw",
+    text = "Android archive, Play metadata, and internal testing upload are ready. Screenshots are being refreshed now.",
    raised = true,
  )
+  CompactList(
+    title = "Working set",
+    rows = listOf("Release notes", "Play bundle", "Device screenshots"),
+  )
 }

@Composable
--- a/apps/android/app/src/main/java/ai/openclaw/app/ui/ShellScreen.kt
+++ b/apps/android/app/src/main/java/ai/openclaw/app/ui/ShellScreen.kt
@@ -898,38 +898,32 @@ private fun SettingsShellScreen(
        ProfilePanel(displayName = displayName.ifBlank { "OpenClaw" }, onClick = { onRouteChange(SettingsRoute.Profile) })
      }

-      val settingsRows =
-        listOf(
-          SettingsRow("Gateway", gatewaySummary(statusText, isConnected), Icons.Default.Cloud, status = isConnected, route = SettingsRoute.Gateway),
-          SettingsRow("Nodes & Devices", nodesDevicesSummaryText(nodesDevicesSummary), Icons.Default.Cloud, status = nodesDevicesStatus(nodesDevicesSummary), route = SettingsRoute.NodesDevices),
-          SettingsRow("Channels", channelsSummaryText(channelsSummary), Icons.Default.Notifications, status = channelsStatus(channelsSummary), route = SettingsRoute.Channels),
-          SettingsRow("Agents", if (agents.isEmpty()) "Load from gateway" else "${agents.size} available", Icons.Default.Person, status = agents.isNotEmpty(), route = SettingsRoute.Agents),
-          SettingsRow("Approvals", approvalsSummary(pendingToolCalls.size), Icons.Default.Lock, status = approvalsStatus(pendingToolCalls.size), route = SettingsRoute.Approvals),
-          SettingsRow("Cron Jobs", cronJobsSummary(cronStatus.jobs), Icons.Outlined.AccessTime, status = if (cronStatus.jobs > 0) cronStatus.enabled else null, route = SettingsRoute.CronJobs),
-          SettingsRow("Usage", usageSummaryText(usageSummary.providers.size), Icons.Default.Storage, status = if (usageSummary.providers.isNotEmpty()) true else null, route = SettingsRoute.Usage),
-          SettingsRow("Skills", skillsSummaryText(skillsSummary.skills), Icons.Default.Settings, status = skillsStatus(skillsSummary.skills), route = SettingsRoute.Skills),
-          SettingsRow("Dreaming", dreamingSummaryText(dreamingSummary), Icons.Default.Storage, status = dreamingStatus(dreamingSummary), route = SettingsRoute.Dreaming),
-          SettingsRow("Voice", if (speakerEnabled) "Speaker on" else "Speaker muted", Icons.Default.Mic, route = SettingsRoute.Voice),
-          SettingsRow("Canvas", "Screen surface", Icons.AutoMirrored.Filled.ScreenShare, status = isConnected, route = SettingsRoute.Canvas),
-          SettingsRow("Notifications", if (notificationForwardingEnabled) "Smart delivery" else "Off", Icons.Default.Notifications, route = SettingsRoute.Notifications),
-          SettingsRow("Phone Capabilities", if (cameraEnabled) "Camera enabled" else "Locked", Icons.Default.Lock, status = !cameraEnabled, route = SettingsRoute.PhoneCapabilities),
-          SettingsRow("Appearance", appearanceThemeSummary(appearanceThemeMode), Icons.Default.Palette, route = SettingsRoute.Appearance),
-          SettingsRow("About", "Version and update", Icons.Default.Storage, route = SettingsRoute.About),
-          SettingsRow("Health", "Diagnostics", Icons.Default.Settings, status = isConnected, route = SettingsRoute.Health),
-        )
-
-      settingsSections(settingsRows).forEach { section ->
-        item {
-          SettingsSectionTitle(section.title)
-        }
-        item {
-          SettingsGroup(rows = section.rows, onOpen = onRouteChange)
-        }
-      }
-
      item {
-        SettingsSectionTitle("Account")
+        SettingsGroup(
+          rows =
+            listOf(
+              SettingsRow("Profile", displayName.ifBlank { "Local device" }, Icons.Default.Person, route = SettingsRoute.Profile),
+              SettingsRow("Voice", if (speakerEnabled) "Speaker on" else "Speaker muted", Icons.Default.Mic, route = SettingsRoute.Voice),
+              SettingsRow("Agents", if (agents.isEmpty()) "Load from gateway" else "${agents.size} available", Icons.Default.Person, status = agents.isNotEmpty(), route = SettingsRoute.Agents),
+              SettingsRow("Approvals", approvalsSummary(pendingToolCalls.size), Icons.Default.Lock, status = approvalsStatus(pendingToolCalls.size), route = SettingsRoute.Approvals),
+              SettingsRow("Cron Jobs", cronJobsSummary(cronStatus.jobs), Icons.Outlined.AccessTime, status = if (cronStatus.jobs > 0) cronStatus.enabled else null, route = SettingsRoute.CronJobs),
+              SettingsRow("Usage", usageSummaryText(usageSummary.providers.size), Icons.Default.Storage, status = if (usageSummary.providers.isNotEmpty()) true else null, route = SettingsRoute.Usage),
+              SettingsRow("Skills", skillsSummaryText(skillsSummary.skills), Icons.Default.Settings, status = skillsStatus(skillsSummary.skills), route = SettingsRoute.Skills),
+              SettingsRow("Nodes & Devices", nodesDevicesSummaryText(nodesDevicesSummary), Icons.Default.Cloud, status = nodesDevicesStatus(nodesDevicesSummary), route = SettingsRoute.NodesDevices),
+              SettingsRow("Channels", channelsSummaryText(channelsSummary), Icons.Default.Notifications, status = channelsStatus(channelsSummary), route = SettingsRoute.Channels),
+              SettingsRow("Dreaming", dreamingSummaryText(dreamingSummary), Icons.Default.Storage, status = dreamingStatus(dreamingSummary), route = SettingsRoute.Dreaming),
+              SettingsRow("Canvas", "Screen surface", Icons.AutoMirrored.Filled.ScreenShare, status = isConnected, route = SettingsRoute.Canvas),
+              SettingsRow("Notifications", if (notificationForwardingEnabled) "Smart delivery" else "Off", Icons.Default.Notifications, route = SettingsRoute.Notifications),
+              SettingsRow("Phone Capabilities", if (cameraEnabled) "Camera enabled" else "Locked", Icons.Default.Lock, status = !cameraEnabled, route = SettingsRoute.PhoneCapabilities),
+              SettingsRow("Gateway", gatewaySummary(statusText, isConnected), Icons.Default.Cloud, status = isConnected, route = SettingsRoute.Gateway),
+              SettingsRow("Appearance", appearanceThemeSummary(appearanceThemeMode), Icons.Default.Palette, route = SettingsRoute.Appearance),
+              SettingsRow("Health", "Diagnostics", Icons.Default.Settings, status = isConnected, route = SettingsRoute.Health),
+              SettingsRow("About", "Version and update", Icons.Default.Storage, route = SettingsRoute.About),
+            ),
+          onOpen = onRouteChange,
+        )
      }
+
      item {
        SettingsGroup(
          rows = listOf(SettingsRow("Sign Out", "Disconnect", Icons.AutoMirrored.Filled.ExitToApp)),
@@ -1063,7 +1057,7 @@ private fun dreamingStatus(summary: GatewayDreamingSummary): Boolean? =
    else -> null
  }

-internal data class SettingsRow(
+private data class SettingsRow(
  val title: String,
  val value: String,
  val icon: ImageVector,
@@ -1071,65 +1065,6 @@ internal data class SettingsRow(
  val route: SettingsRoute? = null,
 )

-internal data class SettingsSection(
-  val title: String,
-  val rows: List<SettingsRow>,
-)
-
-internal fun settingsSections(rows: List<SettingsRow>): List<SettingsSection> =
-  settingsSectionOrder.mapNotNull { title ->
-    val sectionRows = rows.filter { row -> row.route?.let(::settingsSectionTitleForRoute) == title }
-    if (sectionRows.isEmpty()) null else SettingsSection(title = title, rows = sectionRows)
-  }
-
-private val settingsSectionOrder =
-  listOf(
-    "Connection",
-    "Agents & automation",
-    "Phone context & privacy",
-    "Profile & device",
-    "Diagnostics",
-  )
-
-internal fun settingsSectionTitleForRoute(route: SettingsRoute): String =
-  when (route) {
-    SettingsRoute.Gateway,
-    SettingsRoute.NodesDevices,
-    SettingsRoute.Channels,
-    -> "Connection"
-
-    SettingsRoute.Agents,
-    SettingsRoute.Approvals,
-    SettingsRoute.CronJobs,
-    SettingsRoute.Usage,
-    SettingsRoute.Skills,
-    SettingsRoute.Dreaming,
-    -> "Agents & automation"
-
-    SettingsRoute.Voice,
-    SettingsRoute.Canvas,
-    SettingsRoute.Notifications,
-    SettingsRoute.PhoneCapabilities,
-    -> "Phone context & privacy"
-
-    SettingsRoute.Profile,
-    SettingsRoute.Appearance,
-    SettingsRoute.About,
-    -> "Profile & device"
-
-    SettingsRoute.Health -> "Diagnostics"
-    SettingsRoute.Home -> "Diagnostics"
-  }
-
-@Composable
-private fun SettingsSectionTitle(title: String) {
-  Text(
-    text = title.uppercase(),
-    style = ClawTheme.type.caption.copy(fontSize = 12.sp, lineHeight = 16.sp),
-    color = ClawTheme.colors.textMuted,
-  )
-}
-
@Composable
 private fun ProfilePanel(
  displayName: String,
--- a/apps/android/app/src/test/java/ai/openclaw/app/GatewayBootstrapAuthTest.kt
+++ b/apps/android/app/src/test/java/ai/openclaw/app/GatewayBootstrapAuthTest.kt
@@ -376,25 +376,6 @@ class GatewayBootstrapAuthTest {
    assertNull(authStore.loadToken(deviceId, "operator"))
  }

-  @Test
-  fun restoredManualMicWithoutRecordAudioClearsStalePreference() {
-    val app = RuntimeEnvironment.getApplication()
-    shadowOf(app).denyPermissions(Manifest.permission.RECORD_AUDIO)
-    val securePrefs =
-      app.getSharedPreferences(
-        "openclaw.node.secure.test.${UUID.randomUUID()}",
-        android.content.Context.MODE_PRIVATE,
-      )
-    val prefs = SecurePrefs(app, securePrefsOverride = securePrefs)
-    prefs.setVoiceMicEnabled(true)
-
-    val runtime = NodeRuntime(app, prefs)
-
-    assertEquals(VoiceCaptureMode.Off, runtime.voiceCaptureMode.value)
-    assertFalse(prefs.voiceMicEnabled.value)
-    assertFalse(readField<MutableStateFlow<Boolean>>(runtime, "externalAudioCaptureActive").value)
-  }
-
  @Test
  fun talkPttStart_cleansPreparedCaptureWhenBeginFails() =
    runBlocking {
--- a/apps/android/app/src/test/java/ai/openclaw/app/NodeForegroundServiceTest.kt
+++ b/apps/android/app/src/test/java/ai/openclaw/app/NodeForegroundServiceTest.kt
@@ -32,13 +32,13 @@ class NodeForegroundServiceTest {
  }

  @Test
-  fun foregroundServiceTypesForVoiceMode_addsMicrophoneForActiveCaptureModes() {
+  fun foregroundServiceTypesForVoiceMode_addsMicrophoneOnlyForTalkMode() {
    assertEquals(
      ServiceInfo.FOREGROUND_SERVICE_TYPE_CONNECTED_DEVICE,
      foregroundServiceTypesForVoiceMode(VoiceCaptureMode.Off),
    )
    assertEquals(
-      ServiceInfo.FOREGROUND_SERVICE_TYPE_CONNECTED_DEVICE or ServiceInfo.FOREGROUND_SERVICE_TYPE_MICROPHONE,
+      ServiceInfo.FOREGROUND_SERVICE_TYPE_CONNECTED_DEVICE,
      foregroundServiceTypesForVoiceMode(VoiceCaptureMode.ManualMic),
    )
    assertEquals(
--- a/apps/android/app/src/test/java/ai/openclaw/app/ui/ShellScreenLogicTest.kt
+++ b/apps/android/app/src/test/java/ai/openclaw/app/ui/ShellScreenLogicTest.kt
@@ -7,8 +7,6 @@ import ai.openclaw.app.GatewayNodeApprovalState
 import ai.openclaw.app.GatewayNodeSummary
 import ai.openclaw.app.GatewayNodesDevicesSummary
 import ai.openclaw.app.GatewayPendingDeviceSummary
-import androidx.compose.material.icons.Icons
-import androidx.compose.material.icons.filled.Settings
 import org.junit.Assert.assertEquals
 import org.junit.Assert.assertFalse
 import org.junit.Assert.assertTrue
@@ -157,46 +155,7 @@ class ShellScreenLogicTest {
    assertEquals("Node approval pending", rows.single().subtitle)
  }

-  @Test
-  fun settingsSectionTitlesGroupPowerSettingsByMeaning() {
-    assertEquals("Connection", settingsSectionTitleForRoute(SettingsRoute.Gateway))
-    assertEquals("Connection", settingsSectionTitleForRoute(SettingsRoute.NodesDevices))
-    assertEquals("Agents & automation", settingsSectionTitleForRoute(SettingsRoute.Approvals))
-    assertEquals("Agents & automation", settingsSectionTitleForRoute(SettingsRoute.CronJobs))
-    assertEquals("Phone context & privacy", settingsSectionTitleForRoute(SettingsRoute.PhoneCapabilities))
-    assertEquals("Phone context & privacy", settingsSectionTitleForRoute(SettingsRoute.Notifications))
-    assertEquals("Profile & device", settingsSectionTitleForRoute(SettingsRoute.Appearance))
-    assertEquals("Diagnostics", settingsSectionTitleForRoute(SettingsRoute.Health))
-  }
-
-  @Test
-  fun settingsSectionsPreserveMeaningfulOrder() {
-    val sections =
-      settingsSections(
-        listOf(
-          settingsRow(SettingsRoute.Voice),
-          settingsRow(SettingsRoute.Agents),
-          settingsRow(SettingsRoute.Gateway),
-          settingsRow(SettingsRoute.Appearance),
-          settingsRow(SettingsRoute.Health),
-        ),
-      )
-
-    assertEquals(
-      listOf(
-        "Connection",
-        "Agents & automation",
-        "Phone context & privacy",
-        "Profile & device",
-        "Diagnostics",
-      ),
-      sections.map { it.title },
-    )
-  }
-
  private fun emptyChannels(): GatewayChannelsSummary = GatewayChannelsSummary(channels = emptyList())

  private fun emptyNodesDevices(): GatewayNodesDevicesSummary = GatewayNodesDevicesSummary(nodes = emptyList(), pendingDevices = emptyList(), pairedDevices = emptyList())
-
-  private fun settingsRow(route: SettingsRoute): SettingsRow = SettingsRow(route.name, "Value", Icons.Default.Settings, route = route)
 }
--- a/apps/android/fastlane/Fastfile
+++ b/apps/android/fastlane/Fastfile
@@ -6,7 +6,6 @@ require "supply/client"

 default_platform(:android)

-ANDROID_FASTLANE_ROOT = File.expand_path(__dir__, Dir.pwd)
 DEFAULT_PLAY_PACKAGE_NAME = "ai.openclaw.app"
 DEFAULT_PLAY_TRACK = "internal"
 DEFAULT_PLAY_RELEASE_STATUS = "completed"
@@ -36,7 +35,7 @@ def env_present?(value)
 end

 def android_root
-  File.expand_path("..", ANDROID_FASTLANE_ROOT)
+  File.expand_path("..", __dir__)
 end

 def repo_root
@@ -148,7 +147,7 @@ def sync_android_versioning!
 end

 def android_release_notes_path
-  File.join(ANDROID_FASTLANE_ROOT, "metadata", "android", "en-US", "release_notes.txt")
+  File.join(__dir__, "metadata", "android", "en-US", "release_notes.txt")
 end

 def validate_android_release_notes!
@@ -158,7 +157,7 @@ def validate_android_release_notes!
 end

 def android_changelog_path(version_code)
-  File.join(ANDROID_FASTLANE_ROOT, "metadata", "android", "en-US", "changelogs", "#{version_code}.txt")
+  File.join(__dir__, "metadata", "android", "en-US", "changelogs", "#{version_code}.txt")
 end

 def sync_android_changelog!(version_code)
@@ -171,7 +170,7 @@ def sync_android_changelog!(version_code)
 end

 def play_metadata_path
-  File.join(ANDROID_FASTLANE_ROOT, "metadata", "android")
+  File.join(__dir__, "metadata", "android")
 end

 def play_screenshot_paths
@@ -304,7 +303,7 @@ def upload_play_store_build!(version_metadata, upload_metadata: false, upload_im
  )
 end

-load_env_file(File.join(ANDROID_FASTLANE_ROOT, ".env"))
+load_env_file(File.join(__dir__, ".env"))

 platform :android do
  desc "Validate Google Play API credentials"
--- a/apps/android/fastlane/SETUP.md
+++ b/apps/android/fastlane/SETUP.md
@@ -65,14 +65,9 @@ pnpm android:release:archive
 Generate deterministic Google Play screenshots:

 ```bash
-ANDROID_SCREENSHOT_AVD=OpenClaw_QA_API35 pnpm android:screenshots
+pnpm android:screenshots
 ```

-If exactly one ADB device is already connected, `pnpm android:screenshots`
-uses it. With `ANDROID_SCREENSHOT_AVD` or `--avd <name>`, the script can boot a
-headless emulator, wait for boot completion, stabilize animation settings,
-capture screenshots, and shut down only the emulator it started.
-
 Upload metadata, release notes, and the Play AAB to the internal testing track:

 ```bash
--- a/apps/android/fastlane/metadata/android/en-US/release_notes.txt
+++ b/apps/android/fastlane/metadata/android/en-US/release_notes.txt
@@ -1 +1,3 @@
-Maintenance update for the current OpenClaw Android release.
+OpenClaw is now available on Android.
+
+Connect to your OpenClaw Gateway to chat with your assistant, use realtime Talk mode, review approvals, and bring Android device capabilities like camera, location, screen, and notifications into your private automation workflows.
--- a/apps/android/version.json
+++ b/apps/android/version.json
@@ -1,4 +1,4 @@
 {
-  "version": "2026.6.9",
-  "versionCode": 2026060901
+  "version": "2026.6.2",
+  "versionCode": 2026060201
 }
--- a/apps/ios/.periphery.yml
+++ b/apps/ios/.periphery.yml
@@ -12,7 +12,7 @@ report_include:
  - Sources/**
  - ShareExtension/**
  - ActivityWidget/**
-  - WatchApp/Sources/**
+  - WatchExtension/Sources/**
 build_arguments:
  - -destination
  - generic/platform=iOS Simulator
--- a/apps/ios/CHANGELOG.md
+++ b/apps/ios/CHANGELOG.md
@@ -1,13 +1,5 @@
 # OpenClaw iOS Changelog

-## 2026.6.9 - 2026-06-20
-
-Maintenance update for the current OpenClaw release.
-
- Added Apple Watch controls for common agent actions.
- Improved Gateway setup, notification settings, and share-extension identity handling.
- Updated the Watch app integration for current Xcode compatibility.
-
 ## 2026.6.2 - 2026-06-02

 OpenClaw is now available on iPhone.
--- a/apps/ios/Config/AppStoreSigning.json
+++ b/apps/ios/Config/AppStoreSigning.json
@@ -3,7 +3,6 @@
  "signingRepo": "git@github.com:openclaw/apps-signing.git",
  "signingBranch": "main",
  "profileType": "appstore",
-  "appGroupId": "group.ai.openclawfoundation.app.shared",
  "targets": [
    {
      "target": "OpenClaw",
@@ -12,8 +11,7 @@
      "platform": "IOS",
      "profileKey": "OPENCLAW_APP_PROFILE",
      "profileName": "OpenClaw App Store ai.openclawfoundation.app",
-      "capabilities": ["PUSH_NOTIFICATIONS", "APP_GROUPS"],
-      "appGroups": ["group.ai.openclawfoundation.app.shared"]
+      "capabilities": ["PUSH_NOTIFICATIONS"]
    },
    {
      "target": "OpenClawShareExtension",
@@ -22,8 +20,7 @@
      "platform": "IOS",
      "profileKey": "OPENCLAW_SHARE_PROFILE",
      "profileName": "OpenClaw App Store ai.openclawfoundation.app.share",
-      "capabilities": ["APP_GROUPS"],
-      "appGroups": ["group.ai.openclawfoundation.app.shared"]
+      "capabilities": []
    },
    {
      "target": "OpenClawActivityWidget",
@@ -42,6 +39,15 @@
      "profileKey": "OPENCLAW_WATCH_APP_PROFILE",
      "profileName": "OpenClaw App Store ai.openclawfoundation.app.watchkitapp",
      "capabilities": []
+    },
+    {
+      "target": "OpenClawWatchExtension",
+      "displayName": "OpenClaw Watch Extension",
+      "bundleId": "ai.openclawfoundation.app.watchkitapp.extension",
+      "platform": "IOS",
+      "profileKey": "OPENCLAW_WATCH_EXTENSION_PROFILE",
+      "profileName": "OpenClaw App Store ai.openclawfoundation.app.watchkitapp.extension",
+      "capabilities": []
    }
  ]
 }
--- a/apps/ios/Config/Signing.xcconfig
+++ b/apps/ios/Config/Signing.xcconfig
@@ -7,11 +7,12 @@ OPENCLAW_DEVELOPMENT_TEAM = $(OPENCLAW_IOS_SELECTED_TEAM)
 OPENCLAW_CODE_SIGN_STYLE = Automatic
 OPENCLAW_CODE_SIGN_IDENTITY = Apple Development
 OPENCLAW_APP_BUNDLE_ID = ai.openclawfoundation.app
-OPENCLAW_APP_GROUP_ID = group.ai.openclawfoundation.app.shared
 OPENCLAW_WATCH_APP_BUNDLE_ID = ai.openclawfoundation.app.watchkitapp
+OPENCLAW_WATCH_EXTENSION_BUNDLE_ID = ai.openclawfoundation.app.watchkitapp.extension
 OPENCLAW_ACTIVITY_WIDGET_BUNDLE_ID = ai.openclawfoundation.app.activitywidget
 OPENCLAW_ACTIVITY_WIDGET_PROFILE =
 OPENCLAW_WATCH_APP_PROFILE =
+OPENCLAW_WATCH_EXTENSION_PROFILE =

 // Local contributors can override this by running scripts/ios-configure-signing.sh.
 // Keep include after defaults: xcconfig is evaluated top-to-bottom.
--- a/apps/ios/Config/Version.xcconfig
+++ b/apps/ios/Config/Version.xcconfig
@@ -2,8 +2,8 @@
 // Source of truth: apps/ios/version.json
 // Generated by scripts/ios-sync-versioning.ts.

-OPENCLAW_IOS_VERSION = 2026.6.9
-OPENCLAW_MARKETING_VERSION = 2026.6.9
+OPENCLAW_IOS_VERSION = 2026.6.2
+OPENCLAW_MARKETING_VERSION = 2026.6.2
 OPENCLAW_BUILD_VERSION = 1

 #include? "../build/Version.xcconfig"
--- a/apps/ios/LocalSigning.xcconfig.example
+++ b/apps/ios/LocalSigning.xcconfig.example
@@ -7,12 +7,13 @@ OPENCLAW_DEVELOPMENT_TEAM = YOUR_TEAM_ID

 OPENCLAW_APP_BUNDLE_ID = ai.openclawfoundation.app
 OPENCLAW_SHARE_BUNDLE_ID = ai.openclawfoundation.app.share
-OPENCLAW_APP_GROUP_ID = group.ai.openclawfoundation.app.shared
 OPENCLAW_ACTIVITY_WIDGET_BUNDLE_ID = ai.openclawfoundation.app.activitywidget
 OPENCLAW_WATCH_APP_BUNDLE_ID = ai.openclawfoundation.app.watchkitapp
+OPENCLAW_WATCH_EXTENSION_BUNDLE_ID = ai.openclawfoundation.app.watchkitapp.extension

 // Leave empty with automatic signing.
 OPENCLAW_APP_PROFILE =
 OPENCLAW_SHARE_PROFILE =
 OPENCLAW_ACTIVITY_WIDGET_PROFILE =
 OPENCLAW_WATCH_APP_PROFILE =
+OPENCLAW_WATCH_EXTENSION_PROFILE =
--- a/apps/ios/README.md
+++ b/apps/ios/README.md
@@ -101,7 +101,6 @@ Release-owner secrets:

 - App Store Connect API auth uses Keychain for private key material plus non-secret `apps/ios/fastlane/.env` variables.
 - The encrypted signing repo password lives outside this repo in the release-owner vault and is exposed locally as `MATCH_PASSWORD`.
- The share sheet requires the Apple Developer App Group in `apps/ios/Config/AppStoreSigning.json` to be associated with both the app and share-extension bundle IDs before App Store profiles are regenerated.
 - Apple Distribution private keys, certificates, provisioning profiles, and decrypted signing sync output stay under `apps/ios/build/` or Keychain and are gitignored.
 - Rotating release signing means refreshing Fastlane `match` assets and pushing a fresh encrypted sync state.

@@ -156,8 +155,7 @@ This should create `apps/ios/fastlane/.env` with non-secret App Store Connect va
   - `ai.openclawfoundation.app.share`
   - `ai.openclawfoundation.app.activitywidget`
   - `ai.openclawfoundation.app.watchkitapp`
-
-   The main app and share extension must both be associated with the App Group pinned in `apps/ios/Config/AppStoreSigning.json`.
+   - `ai.openclawfoundation.app.watchkitapp.extension`

   Use `pnpm ios:release:signing:setup` for the initial portal setup, then `MATCH_PASSWORD=... pnpm ios:release:signing:sync:push` to publish encrypted Fastlane match assets to the shared private repo.

--- a/apps/ios/ShareExtension/Info.plist
+++ b/apps/ios/ShareExtension/Info.plist
@@ -41,7 +41,5 @@
 		<key>NSExtensionPrincipalClass</key>
 		<string>$(PRODUCT_MODULE_NAME).ShareViewController</string>
 	</dict>
-	<key>OpenClawAppGroupIdentifier</key>
-	<string>$(OPENCLAW_APP_GROUP_ID)</string>
 </dict>
 </plist>
--- a/apps/ios/ShareExtension/OpenClawShareExtension.entitlements
+++ b/apps/ios/ShareExtension/OpenClawShareExtension.entitlements
@@ -1,10 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-	<key>com.apple.security.application-groups</key>
-	<array>
-		<string>$(OPENCLAW_APP_GROUP_ID)</string>
-	</array>
-</dict>
-</plist>
--- a/apps/ios/ShareExtension/ShareViewController.swift
+++ b/apps/ios/ShareExtension/ShareViewController.swift
@@ -184,8 +184,7 @@ final class ShareViewController: UIViewController {
                clientId: clientId,
                clientMode: "node",
                clientDisplayName: "OpenClaw Share",
-                deviceIdentityProfile: .shareExtension,
-                includeDeviceIdentity: true)
+                includeDeviceIdentity: false)
        }

        do {
--- a/apps/ios/Signing.xcconfig
+++ b/apps/ios/Signing.xcconfig
@@ -10,8 +10,8 @@ OPENCLAW_DEVELOPMENT_TEAM = FWJYW4S8P8

 OPENCLAW_APP_BUNDLE_ID = ai.openclawfoundation.app
 OPENCLAW_SHARE_BUNDLE_ID = ai.openclawfoundation.app.share
-OPENCLAW_APP_GROUP_ID = group.ai.openclawfoundation.app.shared
 OPENCLAW_WATCH_APP_BUNDLE_ID = ai.openclawfoundation.app.watchkitapp
+OPENCLAW_WATCH_EXTENSION_BUNDLE_ID = ai.openclawfoundation.app.watchkitapp.extension
 OPENCLAW_ACTIVITY_WIDGET_BUNDLE_ID = ai.openclawfoundation.app.activitywidget
 OPENCLAW_APNS_ENTITLEMENT_ENVIRONMENT = development

@@ -19,6 +19,7 @@ OPENCLAW_APP_PROFILE = ai.openclawfoundation.app Development
 OPENCLAW_SHARE_PROFILE = ai.openclawfoundation.app.share Development
 OPENCLAW_ACTIVITY_WIDGET_PROFILE =
 OPENCLAW_WATCH_APP_PROFILE =
+OPENCLAW_WATCH_EXTENSION_PROFILE =

 // Keep local includes after defaults: xcconfig is evaluated top-to-bottom,
 // so later assignments in local files override the defaults above.
--- a/apps/ios/Sources/Design/SettingsProTab.swift
+++ b/apps/ios/Sources/Design/SettingsProTab.swift
@@ -53,7 +53,8 @@ struct SettingsProTab: View {
    @State var suppressCredentialPersist = false
    @State var locationStatusText: String?
    @State var previousLocationModeRaw: String = OpenClawLocationMode.off.rawValue
-    @State var notificationStatus: SettingsNotificationStatus = .checking
+    @State var notificationStatusText = "Checking"
+    @State var notificationActionText = "Request Access"
    @State var diagnosticsLastRunText = "Not run"
    @State var diagnosticsIssueCount: Int?
    @State var showTalkIssueDetails = false
--- a/apps/ios/Sources/Design/SettingsProTabActions.swift
+++ b/apps/ios/Sources/Design/SettingsProTabActions.swift
@@ -65,7 +65,7 @@ extension SettingsProTab {
                    title: "Notifications",
                    detail: "Approval and event alert channel",
                    value: self.notificationStatusText,
-                    color: self.notificationStatus.color)
+                    color: self.notificationStatusText == "Allowed" ? OpenClawBrand.ok : .secondary)
                Divider().padding(.leading, 60)
                self.diagnosticCheckRow(
                    icon: "rectangle.on.rectangle",
@@ -157,7 +157,7 @@ extension SettingsProTab {
            gatewayConnected: self.gatewayDiagnosticConnected,
            discoveredGatewayCount: self.gatewayController.gateways.count,
            talkConfigLoaded: self.gatewayDiagnosticTalkConfigLoaded,
-            notificationsAllowed: self.notificationStatus == .allowed)
+            notificationStatusText: self.notificationStatusText)
        self.diagnosticsIssueCount = issueCount
        self.diagnosticsLastRunText = SettingsDiagnostics.timestamp(Date())
    }
@@ -422,8 +422,8 @@ extension SettingsProTab {
    }

    func handleNotificationAction() {
-        if self.notificationStatus.shouldOpenNotificationSettings {
-            self.openNotificationSettings()
+        if self.notificationStatusText == "Allowed" || self.notificationStatusText == "Not Allowed" {
+            self.openSystemSettings()
            return
        }

@@ -434,14 +434,28 @@ extension SettingsProTab {
                .sound,
            ])) ?? false
            await MainActor.run {
-                self.notificationStatus = granted ? .allowed : .notAllowed
+                self.notificationStatusText = granted ? "Allowed" : "Not Allowed"
+                self.notificationActionText = granted ? "Open System Settings" : "Open System Settings"
            }
        }
    }

    @MainActor
    func applyNotificationStatus(_ status: UNAuthorizationStatus) {
-        self.notificationStatus = SettingsNotificationStatus(status)
+        switch status {
+        case .authorized, .provisional, .ephemeral:
+            self.notificationStatusText = "Allowed"
+            self.notificationActionText = "Open System Settings"
+        case .denied:
+            self.notificationStatusText = "Not Allowed"
+            self.notificationActionText = "Open System Settings"
+        case .notDetermined:
+            self.notificationStatusText = "Not Set"
+            self.notificationActionText = "Request Access"
+        @unknown default:
+            self.notificationStatusText = "Unknown"
+            self.notificationActionText = "Open System Settings"
+        }
    }

    func persistGatewayToken(_ value: String) {
@@ -462,8 +476,8 @@ extension SettingsProTab {
            instanceId: instanceId)
    }

-    func openNotificationSettings() {
-        guard let url = URL(string: UIApplication.openNotificationSettingsURLString) else { return }
+    func openSystemSettings() {
+        guard let url = URL(string: UIApplication.openSettingsURLString) else { return }
        UIApplication.shared.open(url)
    }

@@ -763,12 +777,4 @@ extension SettingsProTab {
        case .always: "Always"
        }
    }
-
-    var notificationStatusText: String {
-        self.notificationStatus.text
-    }
-
-    var notificationActionText: String {
-        self.notificationStatus.actionTitle
-    }
 }
--- a/apps/ios/Sources/Design/SettingsProTabSections.swift
+++ b/apps/ios/Sources/Design/SettingsProTabSections.swift
@@ -492,7 +492,7 @@ extension SettingsProTab {
                title: "Notifications",
                detail: "Approvals and event alerts from OpenClaw.",
                value: self.notificationStatusText,
-                color: self.notificationStatus.color)
+                color: self.notificationStatusText == "Allowed" ? OpenClawBrand.ok : .secondary)

            ProCard(radius: SettingsLayout.cardRadius) {
                VStack(alignment: .leading, spacing: 12) {
@@ -501,7 +501,7 @@ extension SettingsProTab {
                    } label: {
                        Label(
                            self.notificationActionText,
-                            systemImage: self.notificationStatus.actionIcon)
+                            systemImage: self.notificationStatusText == "Allowed" ? "gear" : "bell.badge")
                            .frame(maxWidth: .infinity)
                    }
                    .buttonStyle(.borderedProminent)
--- a/apps/ios/Sources/Design/SettingsProTabSupport.swift
+++ b/apps/ios/Sources/Design/SettingsProTabSupport.swift
@@ -1,7 +1,6 @@
 import Darwin
 import OpenClawKit
 import SwiftUI
-import UserNotifications

 enum SettingsRoute: Hashable {
    case gateway
@@ -66,63 +65,6 @@ struct SettingsApprovalRow: View {
    }
 }

-enum SettingsNotificationStatus: Equatable {
-    case checking
-    case allowed
-    case notAllowed
-    case notSet
-    case unknown
-
-    init(_ status: UNAuthorizationStatus) {
-        switch status {
-        case .authorized, .provisional, .ephemeral:
-            self = .allowed
-        case .denied:
-            self = .notAllowed
-        case .notDetermined:
-            self = .notSet
-        @unknown default:
-            self = .unknown
-        }
-    }
-
-    var text: String {
-        switch self {
-        case .checking: "Checking"
-        case .allowed: "Allowed"
-        case .notAllowed: "Not Allowed"
-        case .notSet: "Not Set"
-        case .unknown: "Unknown"
-        }
-    }
-
-    var actionTitle: String {
-        switch self {
-        case .notSet, .checking:
-            "Request Access"
-        case .allowed, .notAllowed, .unknown:
-            "Open System Settings"
-        }
-    }
-
-    var actionIcon: String {
-        self == .allowed ? "gear" : "bell.badge"
-    }
-
-    var color: Color {
-        self == .allowed ? OpenClawBrand.ok : .secondary
-    }
-
-    var shouldOpenNotificationSettings: Bool {
-        switch self {
-        case .allowed, .notAllowed, .unknown:
-            true
-        case .checking, .notSet:
-            false
-        }
-    }
-}
-
 enum SettingsDiagnosticIssue: String, Equatable, CaseIterable {
    case gatewayOffline
    case discoveryUnavailable
@@ -135,13 +77,13 @@ enum SettingsDiagnostics {
        gatewayConnected: Bool,
        discoveredGatewayCount: Int,
        talkConfigLoaded: Bool,
-        notificationsAllowed: Bool) -> [SettingsDiagnosticIssue]
+        notificationStatusText: String) -> [SettingsDiagnosticIssue]
    {
        var issues: [SettingsDiagnosticIssue] = []
        if !gatewayConnected { issues.append(.gatewayOffline) }
        if discoveredGatewayCount == 0 { issues.append(.discoveryUnavailable) }
        if gatewayConnected, !talkConfigLoaded { issues.append(.talkConfigMissing) }
-        if !notificationsAllowed { issues.append(.notificationsUnavailable) }
+        if notificationStatusText != "Allowed" { issues.append(.notificationsUnavailable) }
        return issues
    }

@@ -149,13 +91,13 @@ enum SettingsDiagnostics {
        gatewayConnected: Bool,
        discoveredGatewayCount: Int,
        talkConfigLoaded: Bool,
-        notificationsAllowed: Bool) -> Int
+        notificationStatusText: String) -> Int
    {
        self.issues(
            gatewayConnected: gatewayConnected,
            discoveredGatewayCount: discoveredGatewayCount,
            talkConfigLoaded: talkConfigLoaded,
-            notificationsAllowed: notificationsAllowed).count
+            notificationStatusText: notificationStatusText).count
    }

    static func timestamp(_ date: Date) -> String {
--- a/apps/ios/Sources/Gateway/GatewayConnectConfig.swift
+++ b/apps/ios/Sources/Gateway/GatewayConnectConfig.swift
@@ -62,7 +62,6 @@ struct GatewayConnectConfig {
            lhs.clientId == rhs.clientId &&
            lhs.clientMode == rhs.clientMode &&
            lhs.clientDisplayName == rhs.clientDisplayName &&
-            lhs.deviceIdentityProfile == rhs.deviceIdentityProfile &&
            lhs.includeDeviceIdentity == rhs.includeDeviceIdentity &&
            lhsScopes == rhsScopes &&
            lhsCaps == rhsCaps &&
--- a/apps/ios/Sources/Info.plist
+++ b/apps/ios/Sources/Info.plist
@@ -78,8 +78,6 @@
 	<string>OpenClaw uses on-device speech recognition for talk mode and voice wake.</string>
 	<key>NSSupportsLiveActivities</key>
 	<true/>
-	<key>OpenClawAppGroupIdentifier</key>
-	<string>$(OPENCLAW_APP_GROUP_ID)</string>
 	<key>OpenClawCanonicalVersion</key>
 	<string>$(OPENCLAW_IOS_VERSION)</string>
 	<key>OpenClawPushAPNsEnvironment</key>
--- a/apps/ios/Sources/Model/NodeAppModel.swift
+++ b/apps/ios/Sources/Model/NodeAppModel.swift
@@ -23,10 +23,6 @@ private struct WatchChatPreview {
    var statusText: String?
 }

-private struct ExecApprovalGatewayEventPayload: Decodable {
-    var id: String
-}
-
 /// Ensures notification requests return promptly even if the system prompt blocks.
 private final class NotificationInvokeLatch<T: Sendable>: @unchecked Sendable {
    private let lock = NSLock()
@@ -899,49 +895,26 @@ final class NodeAppModel {
            for await evt in stream {
                if Task.isCancelled { return }
                guard let payload = evt.payload else { continue }
-                await self.handleOperatorGatewayServerEvent(evt)
+                switch evt.event {
+                case "voicewake.changed":
+                    struct Payload: Decodable { var triggers: [String] }
+                    guard let decoded = try? GatewayPayloadDecoding.decode(payload, as: Payload.self) else { continue }
+                    let triggers = VoiceWakePreferences.sanitizeTriggerWords(decoded.triggers)
+                    VoiceWakePreferences.saveTriggerWords(triggers)
+                case "talk.mode":
+                    struct Payload: Decodable {
+                        var enabled: Bool
+                        var phase: String?
+                    }
+                    guard let decoded = try? GatewayPayloadDecoding.decode(payload, as: Payload.self) else { continue }
+                    self.applyTalkModeSync(enabled: decoded.enabled, phase: decoded.phase)
+                default:
+                    continue
+                }
            }
        }
    }

-    private func handleOperatorGatewayServerEvent(_ evt: EventFrame) async {
-        guard let payload = evt.payload else { return }
-        switch evt.event {
-        case "voicewake.changed":
-            struct Payload: Decodable { var triggers: [String] }
-            guard let decoded = try? GatewayPayloadDecoding.decode(payload, as: Payload.self) else { return }
-            let triggers = VoiceWakePreferences.sanitizeTriggerWords(decoded.triggers)
-            VoiceWakePreferences.saveTriggerWords(triggers)
-        case "talk.mode":
-            struct Payload: Decodable {
-                var enabled: Bool
-                var phase: String?
-            }
-            guard let decoded = try? GatewayPayloadDecoding.decode(payload, as: Payload.self) else { return }
-            self.applyTalkModeSync(enabled: decoded.enabled, phase: decoded.phase)
-        case ExecApprovalNotificationBridge.requestedKind:
-            guard let approvalId = Self.execApprovalEventID(from: payload) else { return }
-            await self.presentExecApprovalNotificationPrompt(
-                ExecApprovalNotificationPrompt(approvalId: approvalId))
-        case ExecApprovalNotificationBridge.resolvedKind:
-            guard let approvalId = Self.execApprovalEventID(from: payload) else { return }
-            await self.handleExecApprovalResolvedRemotePush(approvalId: approvalId)
-        default:
-            return
-        }
-    }
-
-    private nonisolated static func execApprovalEventID(from payload: AnyCodable) -> String? {
-        guard let decoded = try? GatewayPayloadDecoding.decode(
-            payload,
-            as: ExecApprovalGatewayEventPayload.self)
-        else {
-            return nil
-        }
-        let approvalId = decoded.id.trimmingCharacters(in: .whitespacesAndNewlines)
-        return approvalId.isEmpty ? nil : approvalId
-    }
-
    private func applyTalkModeSync(enabled: Bool, phase: String?) {
        _ = phase
        guard self.talkMode.isEnabled != enabled else { return }
@@ -5166,14 +5139,6 @@ extension NodeAppModel {
            isBackgrounded: isBackgrounded)
    }

-    nonisolated static func _test_execApprovalEventID(from payload: AnyCodable) -> String? {
-        self.execApprovalEventID(from: payload)
-    }
-
-    func _test_handleOperatorGatewayServerEvent(_ event: EventFrame) async {
-        await self.handleOperatorGatewayServerEvent(event)
-    }
-
    nonisolated static func _test_watchExecApprovalIDsNeedingFetch(
        candidateIDs: [String],
        cachedApprovalIDs: [String]) -> [String]
--- a/apps/ios/Sources/Onboarding/GatewayOnboardingReset.swift
+++ b/apps/ios/Sources/Onboarding/GatewayOnboardingReset.swift
@@ -18,7 +18,6 @@ enum GatewayOnboardingReset {
        let deviceId = DeviceIdentityStore.loadOrCreate().deviceId
        DeviceAuthStore.clearToken(deviceId: deviceId, role: "node")
        DeviceAuthStore.clearToken(deviceId: deviceId, role: "operator")
-        DeviceAuthStore.clearAll(profile: .shareExtension)

        GatewaySettingsStore.clearLastGatewayConnection(defaults: defaults)
        GatewaySettingsStore.clearPreferredGatewayStableID(defaults: defaults)
--- a/apps/ios/Sources/OpenClaw.entitlements
+++ b/apps/ios/Sources/OpenClaw.entitlements
@@ -4,9 +4,5 @@
 <dict>
 	<key>aps-environment</key>
 	<string>$(OPENCLAW_APNS_ENTITLEMENT_ENVIRONMENT)</string>
-	<key>com.apple.security.application-groups</key>
-	<array>
-		<string>$(OPENCLAW_APP_GROUP_ID)</string>
-	</array>
 </dict>
 </plist>
--- a/apps/ios/SwiftSources.input.xcfilelist
+++ b/apps/ios/SwiftSources.input.xcfilelist
@@ -109,10 +109,10 @@ Sources/Voice/VoiceWakePreferences.swift
 ShareExtension/ShareViewController.swift
 ActivityWidget/OpenClawActivityWidgetBundle.swift
 ActivityWidget/OpenClawLiveActivity.swift
-WatchApp/Sources/OpenClawWatchApp.swift
-WatchApp/Sources/WatchConnectivityReceiver.swift
-WatchApp/Sources/WatchInboxStore.swift
-WatchApp/Sources/WatchInboxView.swift
+WatchExtension/Sources/OpenClawWatchApp.swift
+WatchExtension/Sources/WatchConnectivityReceiver.swift
+WatchExtension/Sources/WatchInboxStore.swift
+WatchExtension/Sources/WatchInboxView.swift
 ../shared/OpenClawKit/Sources/OpenClawChatUI/ChatComposer.swift
 ../shared/OpenClawKit/Sources/OpenClawChatUI/ChatMarkdownRenderer.swift
 ../shared/OpenClawKit/Sources/OpenClawChatUI/ChatMarkdownPreprocessor.swift
--- a/apps/ios/Tests/NodeAppModelInvokeTests.swift
+++ b/apps/ios/Tests/NodeAppModelInvokeTests.swift
@@ -1160,35 +1160,6 @@ private final class MockBootstrapNotificationCenter: NotificationCentering, @unc
                isBackgrounded: false))
    }

-    @Test func execApprovalEventIDDecodesGatewayPayload() {
-        #expect(NodeAppModel._test_execApprovalEventID(from: AnyCodable(["id": " approval-1 "])) == "approval-1")
-        #expect(NodeAppModel._test_execApprovalEventID(from: AnyCodable(["id": "   "])) == nil)
-        #expect(NodeAppModel._test_execApprovalEventID(from: AnyCodable(["other": "approval-1"])) == nil)
-    }
-
-    @Test @MainActor func operatorGatewayResolvedEventClearsPendingApprovalPrompt() async throws {
-        let appModel = NodeAppModel()
-        try appModel._test_presentExecApprovalPrompt(
-            #require(
-                NodeAppModel._test_makeExecApprovalPrompt(
-                    id: "approval-event-resolved",
-                    commandText: "echo clear",
-                    allowedDecisions: ["allow-once", "deny"],
-                    host: "gateway",
-                    nodeId: nil,
-                    agentId: nil,
-                    expiresAtMs: Int(Date().timeIntervalSince1970 * 1000) + 60000)))
-
-        await appModel._test_handleOperatorGatewayServerEvent(EventFrame(
-            type: "event",
-            event: ExecApprovalNotificationBridge.resolvedKind,
-            payload: AnyCodable(["id": "approval-event-resolved"]),
-            seq: nil,
-            stateversion: nil))
-
-        #expect(appModel._test_pendingExecApprovalPrompt() == nil)
-    }
-
    @Test func watchExecApprovalHydrateFetchesOnlyMissingIDs() {
        let idsToFetch = NodeAppModel._test_watchExecApprovalIDsNeedingFetch(
            candidateIDs: ["cached", "pending", "cached", "other", "", "  pending  "],
--- a/apps/ios/Tests/SettingsNetworkingHelpersTests.swift
+++ b/apps/ios/Tests/SettingsNetworkingHelpersTests.swift
@@ -8,7 +8,7 @@ import Testing
                gatewayConnected: false,
                discoveredGatewayCount: 0,
                talkConfigLoaded: false,
-                notificationsAllowed: false) == [
+                notificationStatusText: "Not Set") == [
                    .gatewayOffline,
                    .discoveryUnavailable,
                    .notificationsUnavailable,
@@ -21,12 +21,12 @@ import Testing
                gatewayConnected: true,
                discoveredGatewayCount: 1,
                talkConfigLoaded: false,
-                notificationsAllowed: true) == [.talkConfigMissing])
+                notificationStatusText: "Allowed") == [.talkConfigMissing])
        #expect(
            SettingsDiagnostics.issueCount(
                gatewayConnected: true,
                discoveredGatewayCount: 1,
                talkConfigLoaded: true,
-                notificationsAllowed: true) == 0)
+                notificationStatusText: "Allowed") == 0)
    }
 }
--- a/apps/ios/Tests/ShareToAgentDeepLinkTests.swift
+++ b/apps/ios/Tests/ShareToAgentDeepLinkTests.swift
@@ -3,10 +3,6 @@ import OpenClawKit
 import Testing

@Suite struct ShareToAgentDeepLinkTests {
-    @Test func appGroupIdentifierUsesCanonicalOpenClawGroup() {
-        #expect(OpenClawAppGroup.canonicalIdentifier == "group.ai.openclawfoundation.app.shared")
-    }
-
    @Test func buildMessageIncludesSharedFields() {
        let payload = SharedContentPayload(
            title: "Article",
--- a/apps/ios/WatchApp/Info.plist
+++ b/apps/ios/WatchApp/Info.plist
@@ -20,9 +20,9 @@
 	<string>$(OPENCLAW_MARKETING_VERSION)</string>
 	<key>CFBundleVersion</key>
 	<string>$(OPENCLAW_BUILD_VERSION)</string>
-	<key>WKApplication</key>
-	<true/>
 	<key>WKCompanionAppBundleIdentifier</key>
 	<string>$(OPENCLAW_APP_BUNDLE_ID)</string>
+	<key>WKWatchKitApp</key>
+	<true/>
 </dict>
 </plist>
--- a/apps/ios/WatchExtension/Assets.xcassets/Contents.json
+++ b/apps/ios/WatchExtension/Assets.xcassets/Contents.json
@@ -0,0 +1,6 @@
+{
+  "info": {
+    "author": "xcode",
+    "version": 1
+  }
+}
--- a/apps/ios/WatchExtension/Assets.xcassets/OpenClawIcon.imageset/Contents.json
+++ b/apps/ios/WatchExtension/Assets.xcassets/OpenClawIcon.imageset/Contents.json
--- a/apps/ios/WatchExtension/Assets.xcassets/OpenClawIcon.imageset/openclaw-icon.png
+++ b/apps/ios/WatchExtension/Assets.xcassets/OpenClawIcon.imageset/openclaw-icon.png
--- a/apps/ios/WatchExtension/Info.plist
+++ b/apps/ios/WatchExtension/Info.plist
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>$(DEVELOPMENT_LANGUAGE)</string>
+	<key>CFBundleDisplayName</key>
+	<string>OpenClaw</string>
+	<key>CFBundleExecutable</key>
+	<string>$(EXECUTABLE_NAME)</string>
+	<key>CFBundleIdentifier</key>
+	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundleName</key>
+	<string>$(PRODUCT_NAME)</string>
+	<key>CFBundleShortVersionString</key>
+	<string>$(OPENCLAW_MARKETING_VERSION)</string>
+	<key>CFBundleVersion</key>
+	<string>$(OPENCLAW_BUILD_VERSION)</string>
+	<key>NSExtension</key>
+	<dict>
+		<key>NSExtensionAttributes</key>
+		<dict>
+			<key>WKAppBundleIdentifier</key>
+			<string>$(OPENCLAW_WATCH_APP_BUNDLE_ID)</string>
+		</dict>
+		<key>NSExtensionPointIdentifier</key>
+		<string>com.apple.watchkit</string>
+	</dict>
+</dict>
+</plist>
--- a/apps/ios/WatchExtension/Sources/OpenClawWatchApp.swift
+++ b/apps/ios/WatchExtension/Sources/OpenClawWatchApp.swift
--- a/apps/ios/WatchExtension/Sources/WatchConnectivityReceiver.swift
+++ b/apps/ios/WatchExtension/Sources/WatchConnectivityReceiver.swift
--- a/apps/ios/WatchExtension/Sources/WatchInboxStore.swift
+++ b/apps/ios/WatchExtension/Sources/WatchInboxStore.swift
--- a/apps/ios/WatchExtension/Sources/WatchInboxView.swift
+++ b/apps/ios/WatchExtension/Sources/WatchInboxView.swift
@@ -1146,7 +1146,7 @@ private enum WatchNativeTextInput {
        suggestions: [String],
        onSubmit: @escaping (String) -> Void)
    {
-        WKApplication.shared().visibleInterfaceController?.presentTextInputController(
+        WKExtension.shared().visibleInterfaceController?.presentTextInputController(
            withSuggestions: suggestions,
            allowedInputMode: .allowEmoji)
        { results in
--- a/apps/ios/fastlane/Fastfile
+++ b/apps/ios/fastlane/Fastfile
@@ -293,8 +293,6 @@ def capture_watch_screenshot
  Dir[File.join(output_dir, "Apple Watch*-*.png")].each { |path| FileUtils.rm_f(path) }
  FileUtils.rm_rf(derived_data_path)

-  # Single-target watch apps only expose generic simulator build destinations in Xcode.
-  # Keep the selected UDID for install/launch/screenshot below.
  sh(
    xcodebuild_shell_join([
      "xcodebuild",
@@ -305,7 +303,7 @@ def capture_watch_screenshot
      "-configuration",
      "Debug",
      "-destination",
-      "generic/platform=watchOS Simulator",
+      "platform=watchOS Simulator,id=#{udid}",
      "-derivedDataPath",
      derived_data_path,
      "build",
@@ -313,8 +311,10 @@ def capture_watch_screenshot
  )

  UI.user_error!("Watch screenshot build did not produce #{app_path}.") unless File.exist?(app_path)
+  extension_path = File.join(app_path, "PlugIns", "OpenClawWatchExtension.appex")
  watch_app_identifier = bundle_identifier_for_product(app_path)
-  screenshot_mode_bundle_identifiers = [watch_app_identifier]
+  watch_extension_identifier = bundle_identifier_for_product(extension_path)
+  screenshot_mode_bundle_identifiers = [watch_app_identifier, watch_extension_identifier]

  sh("#{shell_join(["xcrun", "simctl", "boot", udid])} >/dev/null 2>&1 || true")
  sh(shell_join(["xcrun", "simctl", "bootstatus", udid, "-b"]))
@@ -492,9 +492,6 @@ def produce_services_for_target(target)
  if target.fetch("capabilities").include?("PUSH_NOTIFICATIONS")
    services[:push_notification] = "on"
  end
-  if target.fetch("capabilities").include?("APP_GROUPS")
-    services[:app_group] = "on"
-  end
  services
 end

@@ -570,15 +567,6 @@ def profile_plist_value(profile_path, key_path)
  end
 end

-def profile_plist_array_values(profile_path, key_path)
-  raw = profile_plist_value(profile_path, key_path)
-  return [] unless raw
-
-  raw.lines.map(&:strip).reject do |line|
-    line.empty? || line == "Array {" || line == "}"
-  end
-end
-
 def validate_match_profile_capabilities!(target)
  capabilities = target.fetch("capabilities")
  return if capabilities.empty?
@@ -594,17 +582,6 @@ def validate_match_profile_capabilities!(target)
      )
    end
  end
-
-  if capabilities.include?("APP_GROUPS")
-    expected_app_groups = target.fetch("appGroups")
-    actual_app_groups = profile_plist_array_values(profile_path, "Entitlements:com.apple.security.application-groups")
-    missing = expected_app_groups - actual_app_groups
-    unless missing.empty?
-      UI.user_error!(
-        "Provisioning profile #{target.fetch("profileName")} for #{target.fetch("bundleId")} is missing App Groups #{missing.join(", ")}; actual groups: #{actual_app_groups.empty? ? "missing" : actual_app_groups.join(", ")}."
-      )
-    end
-  end
 end

 def sync_app_store_signing!(readonly:)
--- a/apps/ios/fastlane/SETUP.md
+++ b/apps/ios/fastlane/SETUP.md
@@ -65,7 +65,7 @@ pnpm ios:release:signing:check
 pnpm ios:release:signing:setup
 ```

-`signing:setup` uses Fastlane `produce` and `modify_services` to create Developer Portal bundle IDs and enable required services before running `match`. The main app and share extension also require the shared App Group from `apps/ios/Config/AppStoreSigning.json`; associate that group with both bundle IDs in the Apple Developer Portal before regenerating profiles. If Fastlane does not already have a valid Apple Developer Portal session, run `fastlane spaceauth` for a release-owner Apple ID and export the resulting `FASTLANE_SESSION`.
+`signing:setup` uses Fastlane `produce` and `modify_services` to create Developer Portal bundle IDs and enable required services before running `match`. If Fastlane does not already have a valid Apple Developer Portal session, run `fastlane spaceauth` for a release-owner Apple ID and export the resulting `FASTLANE_SESSION`.

 Shared encrypted signing storage:

--- a/apps/ios/fastlane/metadata/en-US/release_notes.txt
+++ b/apps/ios/fastlane/metadata/en-US/release_notes.txt
@@ -1,5 +1,3 @@
-Maintenance update for the current OpenClaw release.
+OpenClaw is now available on iPhone.

- Added Apple Watch controls for common agent actions.
- Improved Gateway setup, notification settings, and share-extension identity handling.
- Updated the Watch app integration for current Xcode compatibility.
+Connect to your OpenClaw Gateway to chat with your assistant, use realtime Talk mode, review approvals, share content from iOS, and bring device capabilities like camera, location, screen, and notifications into your private automation workflows.
--- a/apps/ios/project.yml
+++ b/apps/ios/project.yml
@@ -65,8 +65,6 @@ targets:
        embed: true
      - target: OpenClawActivityWidget
        embed: true
-      # A companion watch application belongs in the standard Watch bundle location.
-      # PlugIns is for extension products and breaks paired watch installation.
      - target: OpenClawWatchApp
      - package: OpenClawKit
      - package: OpenClawKit
@@ -90,7 +88,7 @@ targets:
            exit 1
          fi
          swiftformat --lint --config "$SRCROOT/../../config/swiftformat" \
-            --unexclude "$SRCROOT/Sources,$SRCROOT/ShareExtension,$SRCROOT/ActivityWidget,$SRCROOT/WatchApp,$SRCROOT/../shared/OpenClawKit,$SRCROOT/../swabble" \
+            --unexclude "$SRCROOT/Sources,$SRCROOT/ShareExtension,$SRCROOT/ActivityWidget,$SRCROOT/WatchExtension,$SRCROOT/../shared/OpenClawKit,$SRCROOT/../swabble" \
            --filelist "$SRCROOT/SwiftSources.input.xcfilelist"
      - name: SwiftLint
        basedOnDependencyAnalysis: false
@@ -142,7 +140,6 @@ targets:
              - openclaw
        CFBundleShortVersionString: "$(OPENCLAW_MARKETING_VERSION)"
        OpenClawCanonicalVersion: "$(OPENCLAW_IOS_VERSION)"
-        OpenClawAppGroupIdentifier: "$(OPENCLAW_APP_GROUP_ID)"
        CFBundleVersion: "$(OPENCLAW_BUILD_VERSION)"
        UILaunchScreen: {}
        UIApplicationSceneManifest:
@@ -195,7 +192,6 @@ targets:
    settings:
      base:
        CODE_SIGN_IDENTITY: "$(OPENCLAW_CODE_SIGN_IDENTITY)"
-        CODE_SIGN_ENTITLEMENTS: ShareExtension/OpenClawShareExtension.entitlements
        CODE_SIGN_STYLE: "$(OPENCLAW_CODE_SIGN_STYLE)"
        DEVELOPMENT_TEAM: "$(OPENCLAW_DEVELOPMENT_TEAM)"
        ENABLE_APPINTENTS_METADATA: NO
@@ -210,7 +206,6 @@ targets:
      properties:
        CFBundleDisplayName: OpenClaw Share
        CFBundleShortVersionString: "$(OPENCLAW_MARKETING_VERSION)"
-        OpenClawAppGroupIdentifier: "$(OPENCLAW_APP_GROUP_ID)"
        CFBundleVersion: "$(OPENCLAW_BUILD_VERSION)"
        NSExtension:
          NSExtensionPointIdentifier: com.apple.share-services
@@ -256,17 +251,13 @@ targets:
          NSExtensionPointIdentifier: com.apple.widgetkit-extension

  OpenClawWatchApp:
-    type: application
+    type: application.watchapp2
    platform: watchOS
    deploymentTarget: "11.0"
    sources:
      - path: WatchApp
-        excludes:
-          - Info.plist
    dependencies:
-      - sdk: AppIntents.framework
-      - sdk: WatchConnectivity.framework
-      - sdk: UserNotifications.framework
+      - target: OpenClawWatchExtension
    configFiles:
      Debug: Config/Signing.xcconfig
      Release: Config/Signing.xcconfig
@@ -283,8 +274,6 @@ targets:
        ENABLE_APP_INTENTS_METADATA_GENERATION: NO
        PRODUCT_BUNDLE_IDENTIFIER: "$(OPENCLAW_WATCH_APP_BUNDLE_ID)"
        PROVISIONING_PROFILE_SPECIFIER: "$(OPENCLAW_WATCH_APP_PROFILE)"
-        SWIFT_STRICT_CONCURRENCY: complete
-        SWIFT_VERSION: "6.0"
    info:
      path: WatchApp/Info.plist
      properties:
@@ -292,7 +281,42 @@ targets:
        CFBundleShortVersionString: "$(OPENCLAW_MARKETING_VERSION)"
        CFBundleVersion: "$(OPENCLAW_BUILD_VERSION)"
        WKCompanionAppBundleIdentifier: "$(OPENCLAW_APP_BUNDLE_ID)"
-        WKApplication: true
+        WKWatchKitApp: true
+
+  OpenClawWatchExtension:
+    type: watchkit2-extension
+    platform: watchOS
+    deploymentTarget: "11.0"
+    sources:
+      - path: WatchExtension/Sources
+      - path: WatchExtension/Assets.xcassets
+    dependencies:
+      - sdk: AppIntents.framework
+      - sdk: WatchConnectivity.framework
+      - sdk: UserNotifications.framework
+    configFiles:
+      Debug: Config/Signing.xcconfig
+      Release: Config/Signing.xcconfig
+    attributes:
+      DevelopmentTeam: "$(OPENCLAW_DEVELOPMENT_TEAM)"
+      ProvisioningStyle: "$(OPENCLAW_CODE_SIGN_STYLE)"
+    settings:
+      base:
+        CODE_SIGN_IDENTITY: "$(OPENCLAW_CODE_SIGN_IDENTITY)"
+        CODE_SIGN_STYLE: "$(OPENCLAW_CODE_SIGN_STYLE)"
+        DEVELOPMENT_TEAM: "$(OPENCLAW_DEVELOPMENT_TEAM)"
+        PRODUCT_BUNDLE_IDENTIFIER: "$(OPENCLAW_WATCH_EXTENSION_BUNDLE_ID)"
+        PROVISIONING_PROFILE_SPECIFIER: "$(OPENCLAW_WATCH_EXTENSION_PROFILE)"
+    info:
+      path: WatchExtension/Info.plist
+      properties:
+        CFBundleDisplayName: OpenClaw
+        CFBundleShortVersionString: "$(OPENCLAW_MARKETING_VERSION)"
+        CFBundleVersion: "$(OPENCLAW_BUILD_VERSION)"
+        NSExtension:
+          NSExtensionAttributes:
+            WKAppBundleIdentifier: "$(OPENCLAW_WATCH_APP_BUNDLE_ID)"
+          NSExtensionPointIdentifier: com.apple.watchkit

  OpenClawTests:
    type: bundle.unit-test
--- a/apps/ios/version.json
+++ b/apps/ios/version.json
@@ -1,3 +1,3 @@
 {
-  "version": "2026.6.9"
+  "version": "2026.6.2"
 }
--- a/apps/macos/Sources/OpenClaw/CanvasWindowController+UIDelegate.swift
+++ b/apps/macos/Sources/OpenClaw/CanvasWindowController+UIDelegate.swift
@@ -1,32 +0,0 @@
-import AppKit
-import WebKit
-
-extension CanvasWindowController {
-    // MARK: - WKUIDelegate
-
-    /// Bridges `<input type="file">` clicks in canvas HTML to a native `NSOpenPanel`.
-    /// Without a `WKUIDelegate`, WebKit silently drops the request and file-picker
-    /// buttons in canvas pages do nothing.
-    @MainActor
-    func webView(
-        _ webView: WKWebView,
-        runOpenPanelWith parameters: WKOpenPanelParameters,
-        initiatedByFrame frame: WKFrameInfo,
-        completionHandler: @escaping @MainActor @Sendable ([URL]?) -> Void)
-    {
-        let panel = NSOpenPanel()
-        panel.canChooseFiles = true
-        panel.canChooseDirectories = parameters.allowsDirectories
-        panel.allowsMultipleSelection = parameters.allowsMultipleSelection
-        panel.resolvesAliases = true
-        if let window = self.window {
-            panel.beginSheetModal(for: window) { response in
-                completionHandler(response == .OK ? panel.urls : nil)
-            }
-            return
-        }
-        panel.begin { response in
-            completionHandler(response == .OK ? panel.urls : nil)
-        }
-    }
-}
--- a/apps/macos/Sources/OpenClaw/CanvasWindowController.swift
+++ b/apps/macos/Sources/OpenClaw/CanvasWindowController.swift
@@ -5,7 +5,7 @@ import OpenClawKit
 import WebKit

@MainActor
-final class CanvasWindowController: NSWindowController, WKNavigationDelegate, WKUIDelegate, NSWindowDelegate {
+final class CanvasWindowController: NSWindowController, WKNavigationDelegate, NSWindowDelegate {
    let sessionKey: String
    private let root: URL
    private let sessionDir: URL
@@ -159,7 +159,6 @@ final class CanvasWindowController: NSWindowController, WKNavigationDelegate, WK
        }

        self.webView.navigationDelegate = self
-        self.webView.uiDelegate = self
        self.window?.delegate = self
        self.container.onClose = { [weak self] in
            self?.hideCanvas()
--- a/apps/macos/Sources/OpenClaw/DashboardWindowController.swift
+++ b/apps/macos/Sources/OpenClaw/DashboardWindowController.swift
@@ -19,7 +19,7 @@ private final class DashboardWindowDragRegionView: NSView {
 }

@MainActor
-final class DashboardWindowController: NSWindowController, WKNavigationDelegate, WKUIDelegate, NSWindowDelegate {
+final class DashboardWindowController: NSWindowController, WKNavigationDelegate, NSWindowDelegate {
    private let webView: WKWebView
    private var currentURL: URL
    private var auth: DashboardWindowAuth
@@ -44,37 +44,9 @@ final class DashboardWindowController: NSWindowController, WKNavigationDelegate,
        super.init(window: window)

        self.webView.navigationDelegate = self
-        self.webView.uiDelegate = self
        self.window?.delegate = self
    }

-    // MARK: - WKUIDelegate
-
-    /// Bridges `<input type="file">` clicks in the embedded Control UI to a native
-    /// `NSOpenPanel`; without a `WKUIDelegate`, WebKit silently drops the request
-    /// and "Choose image" / file-picker buttons do nothing.
-    func webView(
-        _ webView: WKWebView,
-        runOpenPanelWith parameters: WKOpenPanelParameters,
-        initiatedByFrame frame: WKFrameInfo,
-        completionHandler: @escaping @MainActor @Sendable ([URL]?) -> Void)
-    {
-        let panel = NSOpenPanel()
-        panel.canChooseFiles = true
-        panel.canChooseDirectories = parameters.allowsDirectories
-        panel.allowsMultipleSelection = parameters.allowsMultipleSelection
-        panel.resolvesAliases = true
-        if let window = self.window {
-            panel.beginSheetModal(for: window) { response in
-                completionHandler(response == .OK ? panel.urls : nil)
-            }
-            return
-        }
-        panel.begin { response in
-            completionHandler(response == .OK ? panel.urls : nil)
-        }
-    }
-
    @available(*, unavailable)
    required init?(coder: NSCoder) {
        fatalError("init(coder:) is not supported")
--- a/apps/macos/Sources/OpenClaw/Resources/Info.plist
+++ b/apps/macos/Sources/OpenClaw/Resources/Info.plist
@@ -15,9 +15,9 @@
    <key>CFBundlePackageType</key>
    <string>APPL</string>
    <key>CFBundleShortVersionString</key>
-    <string>2026.6.9</string>
+    <string>2026.6.2</string>
    <key>CFBundleVersion</key>
-    <string>2026060900</string>
+    <string>2026060200</string>
    <key>CFBundleIconFile</key>
    <string>OpenClaw</string>
    <key>CFBundleURLTypes</key>
--- a/apps/shared/OpenClawKit/Sources/OpenClawKit/DeviceAuthStore.swift
+++ b/apps/shared/OpenClawKit/Sources/OpenClawKit/DeviceAuthStore.swift
@@ -21,12 +21,10 @@ private struct DeviceAuthStoreFile: Codable {
 }

 public enum DeviceAuthStore {
-    public static func loadToken(
-        deviceId: String,
-        role: String,
-        profile: GatewayDeviceIdentityProfile = .primary) -> DeviceAuthEntry?
-    {
-        guard let store = readStore(profile: profile), store.deviceId == deviceId else { return nil }
+    private static let fileName = "device-auth.json"
+
+    public static func loadToken(deviceId: String, role: String) -> DeviceAuthEntry? {
+        guard let store = readStore(), store.deviceId == deviceId else { return nil }
        let role = self.normalizeRole(role)
        return store.tokens[role]
    }
@@ -35,11 +33,10 @@ public enum DeviceAuthStore {
        deviceId: String,
        role: String,
        token: String,
-        scopes: [String] = [],
-        profile: GatewayDeviceIdentityProfile = .primary) -> DeviceAuthEntry
+        scopes: [String] = []) -> DeviceAuthEntry
    {
        let normalizedRole = self.normalizeRole(role)
-        var next = self.readStore(profile: profile)
+        var next = self.readStore()
        if next?.deviceId != deviceId {
            next = DeviceAuthStoreFile(version: 1, deviceId: deviceId, tokens: [:])
        }
@@ -53,25 +50,17 @@ public enum DeviceAuthStore {
        }
        next?.tokens[normalizedRole] = entry
        if let store = next {
-            self.writeStore(store, profile: profile)
+            self.writeStore(store)
        }
        return entry
    }

-    public static func clearToken(
-        deviceId: String,
-        role: String,
-        profile: GatewayDeviceIdentityProfile = .primary)
-    {
-        guard var store = readStore(profile: profile), store.deviceId == deviceId else { return }
+    public static func clearToken(deviceId: String, role: String) {
+        guard var store = readStore(), store.deviceId == deviceId else { return }
        let normalizedRole = self.normalizeRole(role)
        guard store.tokens[normalizedRole] != nil else { return }
        store.tokens.removeValue(forKey: normalizedRole)
-        self.writeStore(store, profile: profile)
-    }
-
-    public static func clearAll(profile: GatewayDeviceIdentityProfile = .primary) {
-        try? FileManager.default.removeItem(at: self.fileURL(profile: profile))
+        self.writeStore(store)
    }

    private static func normalizeRole(_ role: String) -> String {
@@ -85,14 +74,14 @@ public enum DeviceAuthStore {
        return Array(Set(trimmed)).sorted()
    }

-    private static func fileURL(profile: GatewayDeviceIdentityProfile) -> URL {
+    private static func fileURL() -> URL {
        DeviceIdentityPaths.stateDirURL()
            .appendingPathComponent("identity", isDirectory: true)
-            .appendingPathComponent(profile.authFileName, isDirectory: false)
+            .appendingPathComponent(self.fileName, isDirectory: false)
    }

-    private static func readStore(profile: GatewayDeviceIdentityProfile) -> DeviceAuthStoreFile? {
-        let url = self.fileURL(profile: profile)
+    private static func readStore() -> DeviceAuthStoreFile? {
+        let url = self.fileURL()
        guard let data = try? Data(contentsOf: url) else { return nil }
        guard let decoded = try? JSONDecoder().decode(DeviceAuthStoreFile.self, from: data) else {
            return nil
@@ -101,8 +90,8 @@ public enum DeviceAuthStore {
        return decoded
    }

-    private static func writeStore(_ store: DeviceAuthStoreFile, profile: GatewayDeviceIdentityProfile) {
-        let url = self.fileURL(profile: profile)
+    private static func writeStore(_ store: DeviceAuthStoreFile) {
+        let url = self.fileURL()
        do {
            try FileManager.default.createDirectory(
                at: url.deletingLastPathComponent(),
--- a/apps/shared/OpenClawKit/Sources/OpenClawKit/DeviceIdentity.swift
+++ b/apps/shared/OpenClawKit/Sources/OpenClawKit/DeviceIdentity.swift
@@ -1,29 +1,6 @@
 import CryptoKit
 import Foundation

-public enum GatewayDeviceIdentityProfile: String, Sendable {
-    case primary
-    case shareExtension
-
-    var identityFileName: String {
-        switch self {
-        case .primary:
-            "device.json"
-        case .shareExtension:
-            "share-device.json"
-        }
-    }
-
-    var authFileName: String {
-        switch self {
-        case .primary:
-            "device-auth.json"
-        case .shareExtension:
-            "share-device-auth.json"
-        }
-    }
-}
-
 public struct DeviceIdentity: Codable, Sendable {
    public var deviceId: String
    public var publicKey: String
@@ -42,32 +19,6 @@ enum DeviceIdentityPaths {
    private static let stateDirEnv = ["OPENCLAW_STATE_DIR"]

    static func stateDirURL() -> URL {
-        self.stateDirURL(
-            overrideURL: self.stateDirOverrideURL(),
-            legacyStateDirURL: self.legacyStateDirURL(),
-            appGroupStateDirURL: self.appGroupStateDirURL(),
-            temporaryDirectory: FileManager.default.temporaryDirectory)
-    }
-
-    static func stateDirURL(
-        overrideURL: URL?,
-        legacyStateDirURL: URL?,
-        appGroupStateDirURL: URL?,
-        temporaryDirectory: URL) -> URL
-    {
-        if let overrideURL {
-            return overrideURL
-        }
-        if let appGroupStateDirURL {
-            return appGroupStateDirURL
-        }
-        if let legacyStateDirURL {
-            return legacyStateDirURL
-        }
-        return temporaryDirectory.appendingPathComponent("openclaw", isDirectory: true)
-    }
-
-    private static func stateDirOverrideURL() -> URL? {
        for key in self.stateDirEnv {
            if let raw = getenv(key) {
                let value = String(cString: raw).trimmingCharacters(in: .whitespacesAndNewlines)
@@ -76,49 +27,34 @@ enum DeviceIdentityPaths {
                }
            }
        }
-        return nil
-    }

-    private static func legacyStateDirURL() -> URL? {
        if let appSupport = FileManager.default.urls(for: .applicationSupportDirectory, in: .userDomainMask).first {
            return appSupport.appendingPathComponent("OpenClaw", isDirectory: true)
        }
-        return nil
-    }

-    private static func appGroupStateDirURL() -> URL? {
-        guard
-            let containerURL = FileManager.default
-                .containerURL(forSecurityApplicationGroupIdentifier: OpenClawAppGroup.identifier)
-        else {
-            return nil
-        }
-        return containerURL.appendingPathComponent("OpenClaw", isDirectory: true)
+        return FileManager.default.temporaryDirectory.appendingPathComponent("openclaw", isDirectory: true)
    }
 }

 public enum DeviceIdentityStore {
+    private static let fileName = "device.json"
    private static let ed25519SPKIPrefix = Data([
-        0x30, 0x2A, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65,
+        0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
        0x70, 0x03, 0x21, 0x00,
    ])
    private static let ed25519PKCS8PrivatePrefix = Data([
-        0x30, 0x2E, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06,
-        0x03, 0x2B, 0x65, 0x70, 0x04, 0x22, 0x04, 0x20,
+        0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06,
+        0x03, 0x2b, 0x65, 0x70, 0x04, 0x22, 0x04, 0x20,
    ])

    public static func loadOrCreate() -> DeviceIdentity {
-        self.loadOrCreate(profile: .primary)
-    }
-
-    public static func loadOrCreate(profile: GatewayDeviceIdentityProfile) -> DeviceIdentity {
-        self.loadOrCreate(fileURL: self.fileURL(profile: profile))
+        self.loadOrCreate(fileURL: self.fileURL())
    }

    static func loadOrCreate(fileURL url: URL) -> DeviceIdentity {
        if let data = try? Data(contentsOf: url) {
            switch self.decodeStoredIdentity(data) {
-            case let .identity(decoded):
+            case .identity(let decoded):
                return decoded
            case .recognizedInvalid:
                return self.generate()
@@ -207,7 +143,7 @@ public enum DeviceIdentityStore {
              let privateKeyData = Data(base64Encoded: identity.privateKey)
        else { return nil }

-        guard publicKeyData.count == 32, privateKeyData.count == 32,
+        guard publicKeyData.count == 32 && privateKeyData.count == 32,
              self.keyPairMatches(publicKeyData: publicKeyData, privateKeyData: privateKeyData)
        else { return nil }
        return DeviceIdentity(
@@ -275,11 +211,11 @@ public enum DeviceIdentityStore {
        }
    }

-    private static func fileURL(profile: GatewayDeviceIdentityProfile) -> URL {
+    private static func fileURL() -> URL {
        let base = DeviceIdentityPaths.stateDirURL()
        return base
            .appendingPathComponent("identity", isDirectory: true)
-            .appendingPathComponent(profile.identityFileName, isDirectory: false)
+            .appendingPathComponent(self.fileName, isDirectory: false)
    }
 }

--- a/apps/shared/OpenClawKit/Sources/OpenClawKit/GatewayChannel.swift
+++ b/apps/shared/OpenClawKit/Sources/OpenClawKit/GatewayChannel.swift
@@ -107,7 +107,6 @@ public struct GatewayConnectOptions: Sendable {
    public var clientId: String
    public var clientMode: String
    public var clientDisplayName: String?
-    public var deviceIdentityProfile: GatewayDeviceIdentityProfile
    /// When false, the connection omits the signed device identity payload and cannot use
    /// device-scoped auth (role/scope upgrades will require pairing). Keep this true for
    /// role/scoped sessions such as operator UI clients.
@@ -123,7 +122,6 @@ public struct GatewayConnectOptions: Sendable {
        clientId: String,
        clientMode: String,
        clientDisplayName: String?,
-        deviceIdentityProfile: GatewayDeviceIdentityProfile = .primary,
        includeDeviceIdentity: Bool = true)
    {
        self.role = role
@@ -135,7 +133,6 @@ public struct GatewayConnectOptions: Sendable {
        self.clientId = clientId
        self.clientMode = clientMode
        self.clientDisplayName = clientDisplayName
-        self.deviceIdentityProfile = deviceIdentityProfile
        self.includeDeviceIdentity = includeDeviceIdentity
    }
 }
@@ -439,15 +436,13 @@ public actor GatewayChannelActor {
        let clientId = options.clientId
        let clientMode = options.clientMode
        let role = options.role
-        let deviceIdentityProfile = options.deviceIdentityProfile
        let requestedScopes = options.scopes
        let scopesAreExplicit = options.scopesAreExplicit
        let includeDeviceIdentity = options.includeDeviceIdentity
-        let identity = includeDeviceIdentity ? DeviceIdentityStore.loadOrCreate(profile: deviceIdentityProfile) : nil
+        let identity = includeDeviceIdentity ? DeviceIdentityStore.loadOrCreate() : nil
        let selectedAuth = self.selectConnectAuth(
            role: role,
            includeDeviceIdentity: includeDeviceIdentity,
-            deviceIdentityProfile: deviceIdentityProfile,
            deviceId: identity?.deviceId,
            requestedScopes: requestedScopes)
        let scopes = self.resolveConnectScopes(
@@ -537,11 +532,7 @@ public actor GatewayChannelActor {
        try await self.task?.send(.data(data))
        do {
            let response = try await self.waitForConnectResponse(reqId: reqId)
-            try await self.handleConnectResponse(
-                response,
-                identity: identity,
-                role: role,
-                deviceIdentityProfile: deviceIdentityProfile)
+            try await self.handleConnectResponse(response, identity: identity, role: role)
            self.pendingDeviceTokenRetry = false
            self.deviceTokenRetryBudgetUsed = false
        } catch {
@@ -559,10 +550,7 @@ public actor GatewayChannelActor {
                      self.shouldClearStoredDeviceTokenAfterRetry(error)
            {
                // Retry failed with an explicit device-token mismatch; clear stale local token.
-                DeviceAuthStore.clearToken(
-                    deviceId: identity.deviceId,
-                    role: role,
-                    profile: deviceIdentityProfile)
+                DeviceAuthStore.clearToken(deviceId: identity.deviceId, role: role)
            }
            throw error
        }
@@ -571,7 +559,6 @@ public actor GatewayChannelActor {
    private func selectConnectAuth(
        role: String,
        includeDeviceIdentity: Bool,
-        deviceIdentityProfile: GatewayDeviceIdentityProfile,
        deviceId: String?,
        requestedScopes: [String]) -> SelectedConnectAuth
    {
@@ -581,7 +568,7 @@ public actor GatewayChannelActor {
        let explicitPassword = self.password?.trimmingCharacters(in: .whitespacesAndNewlines).nilIfEmpty
        let storedEntry =
            (includeDeviceIdentity && deviceId != nil)
-            ? DeviceAuthStore.loadToken(deviceId: deviceId!, role: role, profile: deviceIdentityProfile)
+            ? DeviceAuthStore.loadToken(deviceId: deviceId!, role: role)
            : nil
        let storedToken = storedEntry?.token
        let storedScopes = storedEntry?.scopes ?? []
@@ -769,8 +756,7 @@ public actor GatewayChannelActor {
        deviceId: String,
        role: String,
        token: String,
-        scopes: [String],
-        deviceIdentityProfile: GatewayDeviceIdentityProfile)
+        scopes: [String])
    {
        guard let filteredScopes = self.filteredBootstrapHandoffScopes(role: role, scopes: scopes) else {
            return
@@ -779,8 +765,7 @@ public actor GatewayChannelActor {
            deviceId: deviceId,
            role: role,
            token: token,
-            scopes: filteredScopes,
-            profile: deviceIdentityProfile)
+            scopes: filteredScopes)
    }

    private func persistIssuedDeviceToken(
@@ -788,8 +773,7 @@ public actor GatewayChannelActor {
        deviceId: String,
        role: String,
        token: String,
-        scopes: [String],
-        deviceIdentityProfile: GatewayDeviceIdentityProfile)
+        scopes: [String])
    {
        if authSource == .bootstrapToken {
            guard self.shouldPersistBootstrapHandoffTokens() else {
@@ -799,23 +783,20 @@ public actor GatewayChannelActor {
                deviceId: deviceId,
                role: role,
                token: token,
-                scopes: scopes,
-                deviceIdentityProfile: deviceIdentityProfile)
+                scopes: scopes)
            return
        }
        _ = DeviceAuthStore.storeToken(
            deviceId: deviceId,
            role: role,
            token: token,
-            scopes: scopes,
-            profile: deviceIdentityProfile)
+            scopes: scopes)
    }

    private func handleConnectResponse(
        _ res: ResponseFrame,
        identity: DeviceIdentity?,
-        role: String,
-        deviceIdentityProfile: GatewayDeviceIdentityProfile) async throws
+        role: String) async throws
    {
        if res.ok == false {
            let error = res.error
@@ -874,8 +855,7 @@ public actor GatewayChannelActor {
                    deviceId: identity.deviceId,
                    role: authRole,
                    token: deviceToken,
-                    scopes: scopes,
-                    deviceIdentityProfile: deviceIdentityProfile)
+                    scopes: scopes)
            }
            if self.shouldPersistBootstrapHandoffTokens(),
               let tokenEntries = auth["deviceTokens"]?.value as? [ProtoAnyCodable]
@@ -893,8 +873,7 @@ public actor GatewayChannelActor {
                        deviceId: identity.deviceId,
                        role: authRole,
                        token: deviceToken,
-                        scopes: scopes,
-                        deviceIdentityProfile: deviceIdentityProfile)
+                        scopes: scopes)
                }
            }
        }
--- a/apps/shared/OpenClawKit/Sources/OpenClawKit/GatewayNodeSession.swift
+++ b/apps/shared/OpenClawKit/Sources/OpenClawKit/GatewayNodeSession.swift
@@ -162,7 +162,6 @@ public actor GatewayNodeSession {
        let clientId = options.clientId.trimmingCharacters(in: .whitespacesAndNewlines)
        let clientMode = options.clientMode.trimmingCharacters(in: .whitespacesAndNewlines)
        let clientDisplayName = (options.clientDisplayName ?? "").trimmingCharacters(in: .whitespacesAndNewlines)
-        let deviceIdentityProfile = options.deviceIdentityProfile.rawValue
        let includeDeviceIdentity = options.includeDeviceIdentity ? "1" : "0"
        let permissions = options.permissions
            .map { key, value in
@@ -180,7 +179,6 @@ public actor GatewayNodeSession {
            clientId,
            clientMode,
            clientDisplayName,
-            deviceIdentityProfile,
            includeDeviceIdentity,
            permissions,
        ].joined(separator: "|")
--- a/apps/shared/OpenClawKit/Sources/OpenClawKit/OpenClawAppGroup.swift
+++ b/apps/shared/OpenClawKit/Sources/OpenClawKit/OpenClawAppGroup.swift
@@ -1,11 +0,0 @@
-import Foundation
-
-public enum OpenClawAppGroup {
-    public static let canonicalIdentifier = "group.ai.openclawfoundation.app.shared"
-
-    public static var identifier: String {
-        let raw = Bundle.main.object(forInfoDictionaryKey: "OpenClawAppGroupIdentifier") as? String
-        let trimmed = raw?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
-        return trimmed.isEmpty ? self.canonicalIdentifier : trimmed
-    }
-}
--- a/apps/shared/OpenClawKit/Sources/OpenClawKit/ShareGatewayRelaySettings.swift
+++ b/apps/shared/OpenClawKit/Sources/OpenClawKit/ShareGatewayRelaySettings.swift
@@ -26,7 +26,7 @@ public struct ShareGatewayRelayConfig: Codable, Sendable, Equatable {
 }

 public enum ShareGatewayRelaySettings {
-    private static var suiteName: String { OpenClawAppGroup.identifier }
+    private static let suiteName = "group.ai.openclaw.shared"
    private static let relayConfigKey = "share.gatewayRelay.config.v1"
    private static let lastEventKey = "share.gatewayRelay.event.v1"

--- a/apps/shared/OpenClawKit/Sources/OpenClawKit/ShareToAgentSettings.swift
+++ b/apps/shared/OpenClawKit/Sources/OpenClawKit/ShareToAgentSettings.swift
@@ -1,7 +1,7 @@
 import Foundation

 public enum ShareToAgentSettings {
-    private static var suiteName: String { OpenClawAppGroup.identifier }
+    private static let suiteName = "group.ai.openclaw.shared"
    private static let defaultInstructionKey = "share.defaultInstruction"

    private static var defaults: UserDefaults {
--- a/apps/shared/OpenClawKit/Sources/OpenClawProtocol/GatewayModels.swift
+++ b/apps/shared/OpenClawKit/Sources/OpenClawProtocol/GatewayModels.swift
@@ -548,7 +548,6 @@ public struct MessageActionParams: Codable, Sendable {
    public let action: String
    public let params: [String: AnyCodable]
    public let accountid: String?
-    public let requesteraccountid: String?
    public let requestersenderid: String?
    public let senderisowner: Bool?
    public let sessionkey: String?
@@ -563,7 +562,6 @@ public struct MessageActionParams: Codable, Sendable {
        action: String,
        params: [String: AnyCodable],
        accountid: String?,
-        requesteraccountid: String? = nil,
        requestersenderid: String?,
        senderisowner: Bool?,
        sessionkey: String?,
@@ -577,7 +575,6 @@ public struct MessageActionParams: Codable, Sendable {
        self.action = action
        self.params = params
        self.accountid = accountid
-        self.requesteraccountid = requesteraccountid
        self.requestersenderid = requestersenderid
        self.senderisowner = senderisowner
        self.sessionkey = sessionkey
@@ -593,7 +590,6 @@ public struct MessageActionParams: Codable, Sendable {
        case action
        case params
        case accountid = "accountId"
-        case requesteraccountid = "requesterAccountId"
        case requestersenderid = "requesterSenderId"
        case senderisowner = "senderIsOwner"
        case sessionkey = "sessionKey"
@@ -6592,7 +6588,6 @@ public struct ExecApprovalRequestParams: Codable, Sendable {
    public let turnsourceto: AnyCodable?
    public let turnsourceaccountid: AnyCodable?
    public let turnsourcethreadid: AnyCodable?
-    public let approvalreviewerdeviceids: [String]?
    public let requiredeliveryroute: Bool?
    public let suppressdelivery: Bool?
    public let timeoutms: Int?
@@ -6619,7 +6614,6 @@ public struct ExecApprovalRequestParams: Codable, Sendable {
        turnsourceto: AnyCodable?,
        turnsourceaccountid: AnyCodable?,
        turnsourcethreadid: AnyCodable?,
-        approvalreviewerdeviceids: [String]?,
        requiredeliveryroute: Bool? = nil,
        suppressdelivery: Bool? = nil,
        timeoutms: Int?,
@@ -6645,7 +6639,6 @@ public struct ExecApprovalRequestParams: Codable, Sendable {
        self.turnsourceto = turnsourceto
        self.turnsourceaccountid = turnsourceaccountid
        self.turnsourcethreadid = turnsourcethreadid
-        self.approvalreviewerdeviceids = approvalreviewerdeviceids
        self.requiredeliveryroute = requiredeliveryroute
        self.suppressdelivery = suppressdelivery
        self.timeoutms = timeoutms
@@ -6673,7 +6666,6 @@ public struct ExecApprovalRequestParams: Codable, Sendable {
        case turnsourceto = "turnSourceTo"
        case turnsourceaccountid = "turnSourceAccountId"
        case turnsourcethreadid = "turnSourceThreadId"
-        case approvalreviewerdeviceids = "approvalReviewerDeviceIds"
        case requiredeliveryroute = "requireDeliveryRoute"
        case suppressdelivery = "suppressDelivery"
        case timeoutms = "timeoutMs"
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Patrick Erichsen	f69743907e	fix: satisfy plugin init scaffold CI guards	2026-06-17 19:05:23 -07:00
Patrick Erichsen	e1eb57cb56	feat: scaffold provider plugins from init	2026-06-17 18:54:22 -07:00