ci: add process exec codeql security shard

fix(agents): narrow sessions_send active-run fallback
Limit sessions_send active-run queue delivery to run-scoped targets, keep stranded cron-run fallback for valid cron run keys, and report unsafe queue rejections without rerouting through durable sessions. Fixes #91420.
2026-06-14 01:58:47 +08:00 · 2026-06-13 20:38:21 +08:00 · 2026-06-13 20:31:50 +08:00 · 2026-06-13 20:16:13 +08:00 · 2026-06-13 19:57:09 +08:00 · 2026-06-13 19:55:37 +08:00
951 changed files with 51160 additions and 7593 deletions
--- a/.agents/skills/openclaw-changelog-update/SKILL.md
+++ b/.agents/skills/openclaw-changelog-update/SKILL.md
@@ -19,7 +19,7 @@ attribution.

 ## Inputs

- Target base version: `YYYY.M.D`, without beta suffix.
+- Target base version: `YYYY.M.PATCH`, without beta suffix.
 - Base tag: last reachable shipped release tag, usually the previous stable or
  the previous beta train requested by the operator.
 - Target ref: exact branch/SHA being released.
@@ -37,7 +37,7 @@ attribution.
 3. Read linked PRs/issues or diffs for ambiguous commits. Direct commits matter;
   infer notes from subject, body, touched files, tests, and nearby commits.
 4. Rewrite one stable-base section only:
-   - use `## YYYY.M.D`
+   - use `## YYYY.M.PATCH`
   - do not create beta-specific headings
   - do not leave a stale `## Unreleased` section above the target release
   - if `Unreleased` contains release-bound notes, fold them into the target
@@ -93,7 +93,7 @@ attribution.
 10. Validate and ship:
   - `git diff --check`
   - for docs/changelog-only changes, no broad tests are required
-   - commit with `scripts/committer "docs(changelog): refresh YYYY.M.D notes" CHANGELOG.md`
+   - commit with `scripts/committer "docs(changelog): refresh YYYY.M.PATCH notes" CHANGELOG.md`
   - push, pull/rebase if needed, then branch/rebase release from latest `main`

 ## Quota / API Outage Rule
--- a/.agents/skills/release-openclaw-mac/SKILL.md
+++ b/.agents/skills/release-openclaw-mac/SKILL.md
@@ -36,8 +36,8 @@ Do not update these from mixed sources. All three ASC fields must come from the
 ## Workflow Shape

 - Public release branch may carry mac-only packaging fixes after the stable tag/npm are already live.
- Use `source_ref=release/YYYY.M.D` for private mac preflight/validation when building that branch variation.
- Keep `tag=vYYYY.M.D` pointing at the original stable release commit.
+- Use `source_ref=release/YYYY.M.PATCH` for private mac preflight/validation when building that branch variation.
+- Keep `tag=vYYYY.M.PATCH` pointing at the original stable release commit.
 - Real mac publish must reuse:
  - a successful private mac preflight run for the same tag/source SHA
  - a successful private mac validation run for the same tag/source SHA
@@ -56,37 +56,37 @@ Private preflight:

 ```bash
 gh workflow run openclaw-macos-publish.yml --repo openclaw/releases-private --ref main \
-  -f tag=vYYYY.M.D \
-  -f source_ref=release/YYYY.M.D \
+  -f tag=vYYYY.M.PATCH \
+  -f source_ref=release/YYYY.M.PATCH \
  -f preflight_only=true \
  -f smoke_test_only=false \
  -f allow_late_calver_recovery=false \
-  -f public_release_branch=release/YYYY.M.D
+  -f public_release_branch=release/YYYY.M.PATCH
 ```

 Private validation for a branch-variation preflight:

 ```bash
 gh workflow run openclaw-macos-validate.yml --repo openclaw/releases-private --ref main \
-  -f tag=vYYYY.M.D \
-  -f source_ref=release/YYYY.M.D
+  -f tag=vYYYY.M.PATCH \
+  -f source_ref=release/YYYY.M.PATCH
 ```

 Real publish:

 ```bash
 gh workflow run openclaw-macos-publish.yml --repo openclaw/releases-private --ref main \
-  -f tag=vYYYY.M.D \
+  -f tag=vYYYY.M.PATCH \
  -f preflight_only=false \
  -f smoke_test_only=false \
  -f preflight_run_id=<successful-preflight-run> \
  -f validate_run_id=<successful-validation-run> \
  -f allow_late_calver_recovery=false \
-  -f public_release_branch=release/YYYY.M.D
+  -f public_release_branch=release/YYYY.M.PATCH
 ```

 ## Verify

- `gh release view vYYYY.M.D --repo openclaw/openclaw` shows zip, dmg, dSYM zip, not draft, not prerelease.
- Public `main` `appcast.xml` points at `OpenClaw-YYYY.M.D.zip`.
+- `gh release view vYYYY.M.PATCH --repo openclaw/openclaw` shows zip, dmg, dSYM zip, not draft, not prerelease.
+- Public `main` `appcast.xml` points at `OpenClaw-YYYY.M.PATCH.zip`.
 - Appcast entry has `sparkle:version`, `sparkle:shortVersionString`, length, and `sparkle:edSignature`.
--- a/.agents/skills/release-openclaw-maintainer/SKILL.md
+++ b/.agents/skills/release-openclaw-maintainer/SKILL.md
@@ -10,12 +10,15 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
 ## Respect release guardrails

 - Do not change version numbers without explicit operator approval.
+- Versions use `YYYY.M.PATCH`, where `PATCH` is the sequential release-train number within the month, not the calendar day.
+- Choose a new beta train from stable and beta releases only. Alpha-only tags do not consume or advance the beta/stable patch number. Continue the highest existing unpublished/published beta train with the next `beta.N` when appropriate; otherwise increment the highest stable/beta patch by one and start at `beta.1`.
+- Example: after stable `2026.6.5`, the next new beta train is `2026.6.6-beta.1`, even if automated alpha-only tags such as `2026.6.10-alpha.1` exist.
 - Ask permission before any npm publish or release step.
 - This skill should be sufficient to drive the normal release flow end-to-end.
 - Use the private maintainer release docs for credentials, recovery steps, and mac signing/notary specifics, and use `docs/reference/RELEASING.md` for public policy.
 - Core `openclaw` publish is manual `workflow_dispatch`; creating or pushing a tag does not publish by itself.
 - Normal release work happens on a branch cut from `main`, not directly on
-  `main`. Use `release/YYYY.M.D` for the branch name.
+  `main`. Use `release/YYYY.M.PATCH` for the branch name.
 - If the operator asks for a release without saying stable/full, default to
  beta only. Continue from beta to stable only when the operator explicitly asks
  for the full release or an automated beta-and-stable train.
@@ -92,7 +95,7 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
 ## Keep release channel naming aligned

 - `stable`: tagged releases only, published to npm `beta` by default; operators may target npm `latest` explicitly or promote later
- `beta`: prerelease tags like `vYYYY.M.D-beta.N`, with npm dist-tag `beta`
+- `beta`: prerelease tags like `vYYYY.M.PATCH-beta.N`, with npm dist-tag `beta`
 - Prefer `-beta.N`; do not mint new `-1` or `-2` beta suffixes
 - `dev`: moving head on `main`
 - When using a beta Git tag, publish npm with the matching beta version suffix so the plain version is not consumed or blocked
@@ -108,7 +111,7 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
  - `docs/install/updating.md`
  - Peekaboo Xcode project and plist version fields
 - Before creating a release tag, make every version location above match the version encoded by that tag.
- For fallback correction tags like `vYYYY.M.D-N`, the repo version locations still stay at `YYYY.M.D`.
+- For fallback correction tags like `vYYYY.M.PATCH-N`, the repo version locations still stay at `YYYY.M.PATCH`.
 - “Bump version everywhere” means all version locations above except `appcast.xml`.
 - Release signing and notary credentials live outside the repo in the private maintainer docs.
 - Every stable OpenClaw release ships the npm package, macOS app, and signed
@@ -129,19 +132,19 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
  tagged commit when the delta is mac packaging, signing, workflow, or
  validation-only release machinery. If mac packaging needs release-branch-only
  fixes after the stable npm package or GitHub tag is already published, do not
-  create a `vYYYY.M.D-N` correction tag just to change the workflow source.
-  Dispatch the private mac workflows for the original `tag=vYYYY.M.D` with
-  `source_ref=release/YYYY.M.D` and `public_release_branch=release/YYYY.M.D`;
+  create a `vYYYY.M.PATCH-N` correction tag just to change the workflow source.
+  Dispatch the private mac workflows for the original `tag=vYYYY.M.PATCH` with
+  `source_ref=release/YYYY.M.PATCH` and `public_release_branch=release/YYYY.M.PATCH`;
  provenance checks must prove the source SHA descends from the tag and
-  validation/preflight use the same source. Reserve `vYYYY.M.D-N` correction
+  validation/preflight use the same source. Reserve `vYYYY.M.PATCH-N` correction
  tags for emergency hotfixes that must publish a new npm package/release
  identity, not for ordinary mac-only packaging recovery.
 - The production Sparkle feed lives at `https://raw.githubusercontent.com/openclaw/openclaw/main/appcast.xml`, and the canonical published file is `appcast.xml` on `main` in the `openclaw` repo.
 - That shared production Sparkle feed is stable-only. Beta mac releases may
  upload assets to the GitHub prerelease, but they must not replace the shared
  `appcast.xml` unless a separate beta feed exists.
- For fallback correction tags like `vYYYY.M.D-N`, the repo version still stays
-  at `YYYY.M.D`, but the mac release must use a strictly higher numeric
+- For fallback correction tags like `vYYYY.M.PATCH-N`, the repo version still stays
+  at `YYYY.M.PATCH`, but the mac release must use a strictly higher numeric
  `APP_BUILD` / Sparkle build than the original release so existing installs
  see it as newer.
 - Stable Windows Hub release closeout requires the signed
@@ -151,7 +154,7 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
  workflow after the matching `openclaw/openclaw-windows-node` release exists;
  it verifies Authenticode signatures on Windows before uploading assets.
 - Website Windows Hub download links should target exact canonical
-  `openclaw/openclaw/releases/download/vYYYY.M.D/...` assets for the current
+  `openclaw/openclaw/releases/download/vYYYY.M.PATCH/...` assets for the current
  stable release, or `releases/latest/download/...` only after verifying the
  redirect resolves to that same tag, so the installable signed Windows artifact
  is visible from both the GitHub release page and openclaw.ai.
@@ -165,7 +168,7 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
  beta release tag as the base, then inspect every commit through the target
  release SHA.
 - The changelog rewrite is not optional for beta reruns: any `beta.N` after a
-  rebase or backport must refresh the same stable-base `## YYYY.M.D` section
+  rebase or backport must refresh the same stable-base `## YYYY.M.PATCH` section
  before the new version/tag commit.
 - Include both merged PR commits and direct commits on `main`. Direct commits
  matter: infer notes from their subject, body, touched files, linked issues,
@@ -188,11 +191,11 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
 - Changelog entries should be user-facing, not internal release-process notes.
 - GitHub release and prerelease bodies must use the full matching
  `CHANGELOG.md` version section, not highlights or an excerpt. When creating
-  or editing a release, extract from `## YYYY.M.D` through the line before the
+  or editing a release, extract from `## YYYY.M.PATCH` through the line before the
  next level-2 heading and use that complete block as the release notes.
 - To update an existing GitHub Release body, resolve the numeric release id and
  patch that resource with the notes file as the `body` field:
-  `gh api repos/openclaw/openclaw/releases/tags/vYYYY.M.D --jq .id`, then
+  `gh api repos/openclaw/openclaw/releases/tags/vYYYY.M.PATCH --jq .id`, then
  `gh api -X PATCH repos/openclaw/openclaw/releases/<id> -F body=@/tmp/notes.md`.
  Do not trust `gh release edit --notes-file` or `--input` JSON if verification
  disagrees; verify with `gh api repos/openclaw/openclaw/releases/<id>` because
@@ -205,10 +208,10 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
  record's `docsPath` or `/plugins/compatibility` when no more specific
  deprecation page exists.
 - When cutting a mac release with a beta GitHub prerelease:
-  - tag `vYYYY.M.D-beta.N` from the release commit
-  - create a prerelease titled `openclaw YYYY.M.D-beta.N`
+  - tag `vYYYY.M.PATCH-beta.N` from the release commit
+  - create a prerelease titled `openclaw YYYY.M.PATCH-beta.N`
  - use release notes from the stable base `CHANGELOG.md` version section
-    (`## YYYY.M.D`), not a beta-specific heading
+    (`## YYYY.M.PATCH`), not a beta-specific heading
  - attach at least the zip and dSYM zip, plus dmg if available
 - Keep the top version entries in `CHANGELOG.md` sorted by impact:
  - `### Changes` first
@@ -218,10 +221,10 @@ Use this skill for release and publish-time workflow. Load `$release-private` if

 Use the OpenClaw account's existing release-post style:

- Format: `OpenClaw YYYY.M.D 🦞` or `🦞 OpenClaw YYYY.M.D is live`, blank line,
+- Format: `OpenClaw YYYY.M.PATCH 🦞` or `🦞 OpenClaw YYYY.M.PATCH is live`, blank line,
  then 3-4 emoji-led bullets, blank line, one short punchline, then the release
  link.
- For beta: say `OpenClaw YYYY.M.D-beta.N 🦞` or `OpenClaw YYYY.M.D beta N is
+- For beta: say `OpenClaw YYYY.M.PATCH-beta.N 🦞` or `OpenClaw YYYY.M.PATCH beta N is
 live`; keep it clearly beta and avoid implying stable promotion.
 - Lead with user-visible capabilities, then important integrations, then
  reliability/security/install fixes. Compress "lots of fixes" into one
@@ -314,6 +317,23 @@ pnpm release:check
 pnpm test:install:smoke
 ```

+- Before tagging, diff publishable plugin package manifests against the last
+  reachable stable/beta release tag. For every newly publishable package
+  (`openclaw.release.publishToNpm: true` or `publishToClawHub: true`) whose
+  package name did not exist in the base tag, verify the target registry package
+  already exists in npm/ClawHub or stop and help the owner mint/prepublish the
+  package first. Do not hide or disable release surfaces just to unblock a
+  train unless the owner explicitly decides the plugin should not ship in that
+  release; first-package registry ownership is release prep, not product
+  rollback. The mint/prepublish path must either be the real release publish
+  path for the auto-bumped beta version, or a deliberately non-consuming
+  registry-prep step that cannot occupy the next beta version/tag. Confirm
+  registry owner, npm scope/package-creation permission, provenance path, and
+  first-package publish plan before the full release publish continues. Useful
+  npm probe:
+  `npm view <package-name> version dist-tags --json --prefer-online`; a 404 for
+  a package newly added to the release is a release-prep blocker, not something
+  to discover from the publish job.
 - Use `pnpm qa:otel:smoke` when release validation needs telemetry coverage.
  It starts a local OTLP/HTTP trace receiver, runs QA-lab's
  `otel-trace-smoke`, and checks span names plus content/identifier redaction
@@ -332,8 +352,8 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
 ```

 - This verifies the published registry install path in a fresh temp prefix.
- For stable correction releases like `YYYY.M.D-N`, it also verifies the
-  upgrade path from `YYYY.M.D` to `YYYY.M.D-N` so a correction publish cannot
+- For stable correction releases like `YYYY.M.PATCH-N`, it also verifies the
+  upgrade path from `YYYY.M.PATCH` to `YYYY.M.PATCH-N` so a correction publish cannot
  silently leave existing global installs on the old base stable payload.
 - Treat install smoke as a pack-budget gate too. `pnpm test:install:smoke`
  now fails the candidate update tarball when npm reports an oversized
@@ -480,7 +500,7 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
    `npm login --auth-type=legacy`, then confirm `npm whoami` reports
    `steipete`.
  - Promote with a fresh OTP:
-    `npm dist-tag add openclaw@YYYY.M.D latest --otp "$OTP"`.
+    `npm dist-tag add openclaw@YYYY.M.PATCH latest --otp "$OTP"`.
  - Verify with a cache-bypassed registry read, for example:
    `npm view openclaw dist-tags --json --prefer-online --cache /tmp/openclaw-npm-cache-verify-$$`
    and `npm view openclaw@latest version dist.tarball --json --prefer-online`.
@@ -506,7 +526,7 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
  the npm version is already published.
 - npm validation-only preflight may still be dispatched from ordinary branches
  when testing workflow changes before merge. Release checks and real publish
-  use only `main` or `release/YYYY.M.D`.
+  use only `main` or `release/YYYY.M.PATCH`.
 - `.github/workflows/macos-release.yml` in `openclaw/openclaw` is now a
  public validation-only handoff. It validates the tag/release state and points
  operators to the private repo. It still rebuilds the JS outputs needed for
@@ -531,7 +551,7 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
  waives the full gate; mac beta validation is still only required when
  requested.
 - Real publish runs may be dispatched from `main` or from a
-  `release/YYYY.M.D` branch. For release-branch runs, the tag must be contained
+  `release/YYYY.M.PATCH` branch. For release-branch runs, the tag must be contained
  in that release branch, and the real publish must reuse a successful preflight
  from the same branch.
 - The release workflows stay tag-based; rely on the documented release sequence
@@ -559,7 +579,11 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
 - Use `NPM_TOKEN` only for explicit npm dist-tag management modes, because npm
  does not support trusted publishing for `npm dist-tag add`.
 - `@openclaw/*` plugin publishes use a separate maintainer-only flow.
- Only publish plugins that already exist on npm; bundled disk-tree-only plugins stay unpublished.
+- Publishable plugins that are new to npm require owner-led first-package
+  minting before the full release publish. Do not consume the next beta version
+  with an ad-hoc manual package publish; use the release-owned auto-bumped
+  version path, or a non-consuming registry setup/preflight step. Bundled
+  disk-tree-only plugins stay unpublished.

 ## Fallback local mac publish

@@ -599,8 +623,8 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
 4. Pull latest `main` and confirm current `main` CI is green.
 5. Run `/changelog` for the stable base target version on `main`, commit the
   changelog rewrite immediately, push, and pull/rebase. For beta releases,
-   keep the changelog heading as `## YYYY.M.D`, not `## YYYY.M.D-beta.N`.
-6. Create `release/YYYY.M.D` from that post-changelog `main` commit.
+   keep the changelog heading as `## YYYY.M.PATCH`, not `## YYYY.M.PATCH-beta.N`.
+6. Create `release/YYYY.M.PATCH` from that post-changelog `main` commit.
 7. Make every repo version location match the beta tag before creating it.
 8. Commit release preparation changes on the release branch and push the branch.
 9. Immediately dispatch Actions > `OpenClaw Performance` from `main` with
@@ -616,7 +640,9 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
    mac app, signing, notarization, and appcast path.
 12. Confirm the target npm version is not already published.
 13. Create and push the git tag from the release branch.
-14. Create or refresh the matching GitHub release.
+14. Do not create or publish the matching GitHub release page yet. The real
+    publish workflow creates or undrafts it only after postpublish verification
+    and release evidence upload pass.
 15. Dispatch Actions > `QA-Lab - All Lanes` against the release tag and wait
    for the mock parity, live Matrix, and live Telegram credentialed-channel
    lanes to pass.
@@ -639,20 +665,29 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
    with `preflight_only=true` and wait for it to pass. Save that run id because
    the real publish requires it to reuse the notarized mac artifacts.
 21. If any preflight or validation run fails, fix the issue on a new commit,
-    delete the tag and matching GitHub release, recreate them from the fixed
-    commit, and rerun all relevant preflights from scratch before continuing.
-    Never reuse old preflight results after the commit changes. For pushed or
-    published beta tags, do not delete/recreate; increment to the next beta tag.
-    For preflight-only failures where npm did not publish the beta version,
-    delete/recreate the same beta tag and prerelease at the fixed commit instead
-    of skipping a prerelease number.
+    delete the tag and any accidental draft/incomplete GitHub release, recreate
+    the tag from the fixed commit, and rerun all relevant preflights from
+    scratch before continuing. Never reuse old preflight results after the
+    commit changes. Once the npm version exists, do not rerun the publish
+    workflow for that same version; finalize the existing draft/evidence state
+    manually or cut a correction tag. For pushed or published beta tags, do not
+    delete/recreate; increment to the next beta tag. For preflight-only failures
+    where npm did not publish the beta version, delete/recreate the same beta
+    tag and any accidental draft/incomplete prerelease at the fixed commit
+    instead of skipping a prerelease number.
 22. Start `.github/workflows/openclaw-npm-release.yml` from the same branch with
    the same tag for the real publish, choose `npm_dist_tag` (`beta` default,
    `latest` only when you intentionally want direct stable publish), keep it
    the same as the preflight run, and pass the successful npm
    `preflight_run_id`.
 23. Wait for `npm-release` approval from `@openclaw/openclaw-release-managers`.
-24. Run postpublish verification:
+24. Wait for the real publish workflow to run postpublish verification,
+    create or update the GitHub release as a draft, upload dependency evidence,
+    append release verification proof, and only then undraft/publish it. If a
+    waited plugin publish fails after OpenClaw npm succeeds, the workflow keeps
+    the release draft with OpenClaw npm evidence and exits red; do not undraft
+    until the plugin publish gap is repaired. The standalone verifier command
+    remains the recovery probe:
    `node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>`.
 25. Run the post-published beta verification roster. First scan current `main`
    for critical fixes that landed after the release branch cut; backport only
--- a/.agents/skills/release-openclaw-nightly/SKILL.md
+++ b/.agents/skills/release-openclaw-nightly/SKILL.md
@@ -37,9 +37,11 @@ This is good for auditability if commits are clearly machine-authored and gated
 - Branch name: `tideclaw/alpha/YYYY-MM-DD-HHMMZ`
 - Base: current `origin/main` SHA at trigger time.
 - State file: resolve from `$release-private` on the Tideclaw host.
- Release tag: `vYYYY.M.D-alpha.N`
+- Release tag: `vYYYY.M.PATCH-alpha.N`
 - npm dist-tag: `alpha`

+`PATCH` is a sequential monthly release-train number, never the calendar day. Determine the alpha train from stable and beta releases; ignore alpha-only patch numbers when choosing the next train. Use one greater than the highest stable/beta patch for the month, then increment only `alpha.N` for repeated nightlies on that train. If a beta exists on that next patch, move alpha to the following train. Legacy alpha-only tags with inflated patch numbers do not advance beta/stable numbering.
+
 Do not reuse old alpha branches for a new run. If rerunning the same base SHA, create a new timestamped branch and record why.

 ## Start
@@ -98,7 +100,7 @@ Tideclaw may run beta releases from `#releases` or mentioned `#maintainers` comm
 Accepted shapes:

 ```text
-@Tideclaw beta release from vYYYY.M.D-alpha.N
+@Tideclaw beta release from vYYYY.M.PATCH-alpha.N
@Tideclaw beta release from tideclaw/alpha/YYYY-MM-DD-HHMMZ
@Tideclaw beta release from latest proven alpha
 ```
@@ -110,7 +112,7 @@ Rules:
 3. Verify the source alpha first: GitHub release, npm `alpha` package, release CI, recorded state file, and branch/tag SHA.
 4. Create a fresh beta branch `tideclaw/beta/YYYY-MM-DD-HHMMZ` from the proven alpha source, not directly from a moving `main`.
 5. Reuse/squash only stabilization fixes already proven on alpha. Do not import unrelated alpha release mechanics unless the beta release docs require them.
-6. Compute beta as `vYYYY.M.D-beta.N`, matching npm `--tag beta`.
+6. Compute beta as `vYYYY.M.PATCH-beta.N`, matching npm `--tag beta`. Ignore alpha-only patch numbers when selecting the beta train.
 7. Run beta release validation/preflight/full release CI and fix failures on the beta branch.
 8. Publish beta only after green beta gates. Use GitHub Actions/OIDC, never direct npm publish from the host.
 9. Final Discord summary must include source alpha, beta tag/version, branch, fix commits, workflow run IDs, npm/GitHub proof, and any skipped/blocked reason.
@@ -165,7 +167,7 @@ git push -u origin "$BRANCH"

 After local proof:

-1. Compute the next `vYYYY.M.D-alpha.N` from existing git tags, npm versions, and GitHub releases.
+1. Compute the next `vYYYY.M.PATCH-alpha.N` from existing git tags, npm versions, and GitHub releases. Select `PATCH` from stable/beta trains, not the date or the highest alpha-only patch. Reuse the same alpha train and increment `alpha.N` until that patch has a beta; after a beta exists, use the following patch for new alpha builds.
 2. Make the alpha branch package version and release metadata match that tag, commit it, and push the branch.
 3. Run release validation from the alpha branch, using GitHub CLI, not browser/fetch tools. On the Tideclaw host, bare `gh` is a read-only Codex sandbox wrapper; use `/usr/local/bin/gh-tideclaw-write` for write-capable commands such as `workflow run`, `run cancel`, and publish dispatch:

--- a/.github/codeql/codeql-process-exec-boundary-critical-security.yml
+++ b/.github/codeql/codeql-process-exec-boundary-critical-security.yml
@@ -0,0 +1,61 @@
+name: openclaw-codeql-process-exec-boundary-critical-security
+
+disable-default-queries: true
+
+queries:
+  - uses: security-extended
+
+query-filters:
+  - include:
+      precision:
+        - high
+        - very-high
+      tags contain: security
+      security-severity: /([7-9]|10)\.(\d)+/
+
+paths:
+  - src/process
+  - src/tui/tui-local-shell.ts
+  - src/tui/tui.ts
+  - src/plugin-sdk/windows-spawn.ts
+  - packages/agent-core/src/harness/env
+  - packages/memory-host-sdk/src/host
+  - extensions/acpx/src
+  - extensions/bonjour/src/advertiser.ts
+  - extensions/browser/src/browser/chrome-mcp.ts
+  - extensions/browser/src/browser/chrome.executables.ts
+  - extensions/browser/src/browser/chrome.ts
+  - extensions/codex/src/app-server/sandbox-exec-server
+  - extensions/codex/src/app-server/transport-stdio.ts
+  - extensions/codex/src/node-cli-sessions.ts
+  - extensions/codex-supervisor/src/json-rpc-client.ts
+  - extensions/file-transfer/src
+  - extensions/google-meet/src
+  - extensions/imessage/src
+  - extensions/memory-core/src/memory/qmd-manager.ts
+  - extensions/memory-wiki/src/obsidian.ts
+  - extensions/microsoft-foundry/cli.ts
+  - extensions/ollama/src/wsl2-crash-loop-check.ts
+  - extensions/qa-lab/src
+  - extensions/signal/src/daemon.ts
+  - extensions/tts-local-cli/speech-provider.ts
+  - extensions/voice-call/src
+  - scripts
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.spec.ts"
+  - "**/*.spec.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -17,7 +17,28 @@ on:
      - ".github/actions/**"
      - ".github/codeql/**"
      - ".github/workflows/**"
+      - "extensions/acpx/src/**"
+      - "extensions/bonjour/src/advertiser.ts"
+      - "extensions/browser/src/browser/chrome-mcp.ts"
+      - "extensions/browser/src/browser/chrome.executables.ts"
+      - "extensions/browser/src/browser/chrome.ts"
+      - "extensions/codex/src/app-server/sandbox-exec-server/**"
+      - "extensions/codex/src/app-server/transport-stdio.ts"
+      - "extensions/codex/src/node-cli-sessions.ts"
+      - "extensions/codex-supervisor/src/json-rpc-client.ts"
+      - "extensions/file-transfer/src/**"
+      - "extensions/google-meet/src/**"
+      - "extensions/imessage/src/**"
+      - "extensions/memory-core/src/memory/qmd-manager.ts"
+      - "extensions/memory-wiki/src/obsidian.ts"
+      - "extensions/microsoft-foundry/cli.ts"
+      - "extensions/ollama/src/wsl2-crash-loop-check.ts"
+      - "extensions/qa-lab/src/**"
+      - "extensions/signal/src/daemon.ts"
+      - "extensions/tts-local-cli/speech-provider.ts"
+      - "extensions/voice-call/src/**"
      - "packages/**"
+      - "scripts/**"
      - "src/**"
  push:
    branches:
@@ -26,7 +47,28 @@ on:
      - ".github/actions/**"
      - ".github/codeql/**"
      - ".github/workflows/**"
+      - "extensions/acpx/src/**"
+      - "extensions/bonjour/src/advertiser.ts"
+      - "extensions/browser/src/browser/chrome-mcp.ts"
+      - "extensions/browser/src/browser/chrome.executables.ts"
+      - "extensions/browser/src/browser/chrome.ts"
+      - "extensions/codex/src/app-server/sandbox-exec-server/**"
+      - "extensions/codex/src/app-server/transport-stdio.ts"
+      - "extensions/codex/src/node-cli-sessions.ts"
+      - "extensions/codex-supervisor/src/json-rpc-client.ts"
+      - "extensions/file-transfer/src/**"
+      - "extensions/google-meet/src/**"
+      - "extensions/imessage/src/**"
+      - "extensions/memory-core/src/memory/qmd-manager.ts"
+      - "extensions/memory-wiki/src/obsidian.ts"
+      - "extensions/microsoft-foundry/cli.ts"
+      - "extensions/ollama/src/wsl2-crash-loop-check.ts"
+      - "extensions/qa-lab/src/**"
+      - "extensions/signal/src/daemon.ts"
+      - "extensions/tts-local-cli/speech-provider.ts"
+      - "extensions/voice-call/src/**"
      - "packages/**"
+      - "scripts/**"
      - "src/**"
  schedule:
    - cron: "0 6 * * *"
@@ -73,6 +115,11 @@ jobs:
            runs_on: blacksmith-4vcpu-ubuntu-2404
            timeout_minutes: 25
            config_file: ./.github/codeql/codeql-mcp-process-tool-boundary-critical-security.yml
+          - language: javascript-typescript
+            category: process-exec-boundary
+            runs_on: blacksmith-4vcpu-ubuntu-2404
+            timeout_minutes: 25
+            config_file: ./.github/codeql/codeql-process-exec-boundary-critical-security.yml
          - language: javascript-typescript
            category: plugin-trust-boundary
            runs_on: blacksmith-4vcpu-ubuntu-2404
--- a/.github/workflows/mantis-discord-status-reactions.yml
+++ b/.github/workflows/mantis-discord-status-reactions.yml
@@ -437,8 +437,17 @@ jobs:
            echo "::warning::Could not generate motion-trimmed desktop previews; continuing with screenshots and full MP4 links."
          fi

-          baseline_status="$(jq -r '.scenarios[0].status' "$root/baseline/discord-qa-summary.json")"
-          candidate_status="$(jq -r '.scenarios[0].status' "$root/candidate/discord-qa-summary.json")"
+          read_discord_status_reaction_status() {
+            local lane="$1"
+            if [[ -f "$root/$lane/qa-evidence.json" ]]; then
+              jq -r '.entries[0].result.status' "$root/$lane/qa-evidence.json"
+              return
+            fi
+            jq -r '.scenarios[0].status' "$root/$lane/discord-qa-summary.json"
+          }
+
+          baseline_status="$(read_discord_status_reaction_status baseline)"
+          candidate_status="$(read_discord_status_reaction_status candidate)"

          jq -n \
            --arg baseline_status "$baseline_status" \
--- a/.github/workflows/mantis-discord-thread-attachment.yml
+++ b/.github/workflows/mantis-discord-thread-attachment.yml
@@ -451,8 +451,17 @@ jobs:

          capture_candidate_discord_web

-          baseline_status="$(jq -r '.scenarios[] | select(.id == "discord-thread-reply-filepath-attachment") | .status' "$root/baseline/discord-qa-summary.json")"
-          candidate_status="$(jq -r '.scenarios[] | select(.id == "discord-thread-reply-filepath-attachment") | .status' "$root/candidate/discord-qa-summary.json")"
+          read_discord_thread_attachment_status() {
+            local lane="$1"
+            if [[ -f "$root/$lane/qa-evidence.json" ]]; then
+              jq -r '.entries[] | select(.test.id == "discord-thread-reply-filepath-attachment") | .result.status' "$root/$lane/qa-evidence.json"
+              return
+            fi
+            jq -r '.scenarios[] | select(.id == "discord-thread-reply-filepath-attachment") | .status' "$root/$lane/discord-qa-summary.json"
+          }
+
+          baseline_status="$(read_discord_thread_attachment_status baseline)"
+          candidate_status="$(read_discord_thread_attachment_status candidate)"
          comparison_status="fail"
          if [[ "$baseline_status" == "fail" && "$candidate_status" == "pass" ]]; then
            comparison_status="pass"
--- a/.github/workflows/mantis-telegram-live.yml
+++ b/.github/workflows/mantis-telegram-live.yml
@@ -445,8 +445,8 @@ jobs:
          telegram_exit=$?
          set -e

-          if [[ ! -f "$root/telegram-qa-summary.json" ]]; then
-            echo "Telegram live QA did not produce a summary." >&2
+          if [[ ! -f "$root/qa-evidence.json" && ! -f "$root/telegram-qa-summary.json" ]]; then
+            echo "Telegram live QA did not produce an evidence summary." >&2
            exit "$telegram_exit"
          fi
          echo "telegram_exit=${telegram_exit}" >> "$GITHUB_OUTPUT"
--- a/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
+++ b/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
@@ -1748,6 +1748,7 @@ jobs:
            anthropic) require_any Anthropic ANTHROPIC_API_KEY ANTHROPIC_API_KEY_OLD ANTHROPIC_API_TOKEN ;;
            google) require_any Google GEMINI_API_KEY GOOGLE_API_KEY ;;
            minimax) require_any MiniMax MINIMAX_API_KEY ;;
+            moonshot) require_any Moonshot MOONSHOT_API_KEY KIMI_API_KEY ;;
            openai) require_any OpenAI OPENAI_API_KEY ;;
            opencode-go) require_any OpenCode OPENCODE_API_KEY OPENCODE_ZEN_API_KEY ;;
            openrouter) require_any OpenRouter OPENROUTER_API_KEY ;;
@@ -1836,7 +1837,7 @@ jobs:
        run: |
          set -euo pipefail

-          all_providers=(anthropic google minimax openai opencode-go openrouter xai zai fireworks)
+          all_providers=(anthropic google minimax moonshot openai opencode-go openrouter xai zai fireworks)

          normalize_provider() {
            local value="${1,,}"
@@ -1922,6 +1923,7 @@ jobs:
              anthropic) require_any Anthropic ANTHROPIC_API_KEY ANTHROPIC_API_KEY_OLD ANTHROPIC_API_TOKEN ;;
              google) require_any Google GEMINI_API_KEY GOOGLE_API_KEY ;;
              minimax) require_any MiniMax MINIMAX_API_KEY ;;
+              moonshot) require_any Moonshot MOONSHOT_API_KEY KIMI_API_KEY ;;
              openai) require_any OpenAI OPENAI_API_KEY ;;
              opencode-go) require_any OpenCode OPENCODE_API_KEY OPENCODE_ZEN_API_KEY ;;
              openrouter) require_any OpenRouter OPENROUTER_API_KEY ;;
--- a/.github/workflows/openclaw-performance.yml
+++ b/.github/workflows/openclaw-performance.yml
@@ -527,6 +527,13 @@ jobs:
          cleanup_gateway
          trap - EXIT

+          if node -e "const fs=require('node:fs'); const scripts=require('./package.json').scripts||{}; process.exit(scripts['test:sqlite:perf:smoke'] && fs.existsSync('scripts/bench-sqlite-state.ts') ? 0 : 1)"; then
+            pnpm test:sqlite:perf:smoke
+            cp .artifacts/sqlite-perf/smoke.json "$SOURCE_PERF_DIR/sqlite-perf-smoke.json"
+          else
+            echo "SQLite state smoke probe is not available in ${TESTED_REF}; continuing with the remaining source probes." >> "$GITHUB_STEP_SUMMARY"
+          fi
+
          summary_args=(node "$PERFORMANCE_HELPER_DIR/scripts/openclaw-performance-source-summary.mjs" \
            --source-dir "$SOURCE_PERF_DIR" \
            --output "$SOURCE_PERF_DIR/index.md")
@@ -604,7 +611,7 @@ jobs:

          ## Source probes

-          Additional gateway boot, memory, plugin pressure, mock hello-loop, and CLI startup numbers are in [source/index.md](source/index.md).
+          Additional gateway boot, memory, plugin pressure, mock hello-loop, CLI startup, and SQLite state smoke numbers are in [source/index.md](source/index.md).
          EOF
            fi
          fi
--- a/.github/workflows/openclaw-release-publish.yml
+++ b/.github/workflows/openclaw-release-publish.yml
@@ -387,7 +387,9 @@ jobs:
        run: |
          set -euo pipefail

-          dispatch_workflow() {
+          dispatch_workflow_at_ref() {
+            local workflow_ref="$1"
+            shift
            local workflow="$1"
            shift

@@ -397,7 +399,7 @@ jobs:
              -F per_page=100 \
              --jq '[.workflow_runs[].id]')"

-            dispatch_output="$(gh workflow run --repo "$GITHUB_REPOSITORY" "$workflow" --ref "$CHILD_WORKFLOW_REF" "$@" 2>&1)"
+            dispatch_output="$(gh workflow run --repo "$GITHUB_REPOSITORY" "$workflow" --ref "$workflow_ref" "$@" 2>&1)"
            printf '%s\n' "$dispatch_output" >&2
            run_id="$(
              printf '%s\n' "$dispatch_output" |
@@ -432,6 +434,10 @@ jobs:
            printf '%s\n' "${run_id}"
          }

+          dispatch_workflow() {
+            dispatch_workflow_at_ref "$CHILD_WORKFLOW_REF" "$@"
+          }
+
          print_pending_deployments() {
            local workflow="$1"
            local run_id="$2"
@@ -653,6 +659,128 @@ jobs:
            done
          }

+          guard_existing_public_release() {
+            local release_version asset_name release_json is_draft has_sha has_proof has_asset release_url
+
+            if [[ "${PUBLISH_OPENCLAW_NPM}" != "true" ]]; then
+              return 0
+            fi
+
+            if ! release_json="$(gh release view "${RELEASE_TAG}" --repo "$GITHUB_REPOSITORY" --json isDraft,assets,body,url 2>/dev/null)"; then
+              return 0
+            fi
+
+            is_draft="$(printf '%s' "${release_json}" | jq -r '.isDraft')"
+            if [[ "${is_draft}" == "true" ]]; then
+              return 0
+            fi
+
+            release_version="${RELEASE_TAG#v}"
+            asset_name="openclaw-${release_version}-dependency-evidence.zip"
+            has_sha="$(printf '%s' "${release_json}" | jq --arg sha "${TARGET_SHA}" -r '.body | contains($sha)')"
+            has_proof="$(printf '%s' "${release_json}" | jq -r '.body | contains("### Release verification")')"
+            has_asset="$(printf '%s' "${release_json}" | jq --arg name "${asset_name}" -r 'any(.assets[]?; .name == $name)')"
+            release_url="$(printf '%s' "${release_json}" | jq -r '.url')"
+
+            if [[ "${has_sha}" == "true" && "${has_proof}" == "true" && "${has_asset}" == "true" ]]; then
+              return 0
+            fi
+
+            {
+              echo "Release ${RELEASE_TAG} already has a public GitHub release page without complete postpublish evidence for ${TARGET_SHA}."
+              echo "Refusing to reuse a public prerelease tag after publication started: ${release_url}"
+              echo "Create a new beta tag or delete/draft the incomplete public release before retrying."
+            } >&2
+            exit 1
+          }
+
+          guard_openclaw_npm_not_already_published() {
+            local release_version release_url
+
+            if [[ "${PUBLISH_OPENCLAW_NPM}" != "true" ]]; then
+              return 0
+            fi
+
+            release_version="${RELEASE_TAG#v}"
+            if ! npm view "openclaw@${release_version}" version >/dev/null 2>&1; then
+              return 0
+            fi
+
+            release_url="https://github.com/${GITHUB_REPOSITORY}/releases/tag/${RELEASE_TAG}"
+            {
+              echo "openclaw@${release_version} is already published on npm."
+              echo "Refusing to dispatch publish child workflows for an already-published version."
+              echo "If this is recovery from a failed postpublish evidence or draft-release step, repair/finalize the existing draft or create a correction tag; do not rerun the publish workflow for the same npm version."
+              echo "Release page, if present: ${release_url}"
+            } >&2
+            exit 1
+          }
+
+          resolve_clawhub_release_plan() {
+            local -a plan_args
+
+            clawhub_plan_path="${RUNNER_TEMP}/openclaw-release-clawhub-plan.json"
+            plan_args=(
+              --release-tag "${RELEASE_TAG}"
+              --release-publish-branch "${CHILD_WORKFLOW_REF}"
+              --release-publish-run-id "${GITHUB_RUN_ID}"
+              --plugin-publish-scope "${PLUGIN_PUBLISH_SCOPE}"
+            )
+            if [[ -n "${PLUGINS// }" ]]; then
+              plan_args+=(--plugins "${PLUGINS}")
+            fi
+
+            CLAWHUB_REGISTRY="${CLAWHUB_REGISTRY:-https://clawhub.ai}" \
+              node --import tsx scripts/openclaw-release-clawhub-plan.ts "${plan_args[@]}" > "${clawhub_plan_path}"
+
+            echo "Resolved OpenClaw release ClawHub dispatch plan:"
+            cat "${clawhub_plan_path}"
+
+            clawhub_workflow_ref="$(jq -r '.clawHubWorkflowRef' "${clawhub_plan_path}")"
+            normal_plugins="$(jq -r '.summary.normalPlugins' "${clawhub_plan_path}")"
+            bootstrap_plugins="$(jq -r '.summary.bootstrapPlugins' "${clawhub_plan_path}")"
+            missing_trusted_plugins="$(jq -r '.summary.missingTrustedPlugins' "${clawhub_plan_path}")"
+            normal_plugin_count="$(jq -r '.summary.normalCount' "${clawhub_plan_path}")"
+            bootstrap_plugin_count="$(jq -r '.summary.bootstrapCount' "${clawhub_plan_path}")"
+            missing_trusted_plugin_count="$(jq -r '.summary.missingTrustedPublisherCount' "${clawhub_plan_path}")"
+
+            {
+              echo "### ClawHub release plan"
+              echo
+              echo "- Normal OIDC candidates: \`${normal_plugin_count}\`"
+              echo "- Bootstrap/repair candidates: \`${bootstrap_plugin_count}\`"
+              echo "- Existing-package trusted-publisher repairs: \`${missing_trusted_plugin_count}\`"
+              if [[ -n "${normal_plugins}" ]]; then
+                echo "- Normal plugins: \`${normal_plugins}\`"
+              fi
+              if [[ -n "${bootstrap_plugins}" ]]; then
+                echo "- Bootstrap/repair plugins: \`${bootstrap_plugins}\`"
+              fi
+              if [[ -n "${missing_trusted_plugins}" ]]; then
+                echo "- Trusted-publisher repair plugins: \`${missing_trusted_plugins}\`"
+              fi
+            } >> "$GITHUB_STEP_SUMMARY"
+          }
+
+          append_clawhub_dispatch_args() {
+            local target="$1"
+            while IFS=$'\t' read -r key value; do
+              clawhub_dispatch_args+=(-f "${key}=${value}")
+            done < <(jq -r --arg target "${target}" '.[$target].inputs | to_entries[] | [.key, .value] | @tsv' "${clawhub_plan_path}")
+          }
+
+          write_clawhub_runtime_state() {
+            local force_skip_clawhub="$1"
+            local output_path="$2"
+            node --import tsx scripts/openclaw-release-clawhub-runtime-state.ts \
+              --repository "${GITHUB_REPOSITORY}" \
+              --wait-for-clawhub "${WAIT_FOR_CLAWHUB}" \
+              --force-skip-clawhub "${force_skip_clawhub}" \
+              --normal-run-id "${plugin_clawhub_run_id:-}" \
+              --bootstrap-run-id "${plugin_clawhub_bootstrap_run_id:-}" \
+              --bootstrap-completed "${plugin_clawhub_bootstrap_completed:-false}" > "${output_path}"
+          }
+
          create_or_update_github_release() {
            local release_version notes_version title notes_file changelog_file latest_arg prerelease_args
            release_version="${RELEASE_TAG#v}"
@@ -698,11 +826,17 @@ jobs:
            else
              gh release create "${RELEASE_TAG}" --repo "$GITHUB_REPOSITORY" \
                --verify-tag \
+                --draft \
                --title "${title}" \
                --notes-file "${notes_file}" \
                "${prerelease_args[@]}" \
                "${latest_arg}"
            fi
+            echo "- GitHub release draft: https://github.com/${GITHUB_REPOSITORY}/releases/tag/${RELEASE_TAG}" >> "$GITHUB_STEP_SUMMARY"
+          }
+
+          publish_github_release() {
+            gh release edit "${RELEASE_TAG}" --repo "$GITHUB_REPOSITORY" --draft=false
            echo "- GitHub release: https://github.com/${GITHUB_REPOSITORY}/releases/tag/${RELEASE_TAG}" >> "$GITHUB_STEP_SUMMARY"
          }

@@ -735,9 +869,11 @@ jobs:
          }

          verify_published_release() {
-            local release_version evidence_path
+            local release_version evidence_path skip_clawhub clawhub_runtime_state_path
            local -a verify_args

+            skip_clawhub="${1:-false}"
+
            release_version="${RELEASE_TAG#v}"
            evidence_path="${POSTPUBLISH_EVIDENCE_DIR}/release-postpublish-evidence.json"
            mkdir -p "${POSTPUBLISH_EVIDENCE_DIR}"
@@ -750,16 +886,18 @@ jobs:
              --dist-tag "${RELEASE_NPM_DIST_TAG}"
              --repo "${GITHUB_REPOSITORY}"
              --workflow-ref "${CHILD_WORKFLOW_REF}"
+              --clawhub-workflow-ref "${clawhub_workflow_ref}"
              --full-release-validation-run "${FULL_RELEASE_VALIDATION_RUN_ID}"
              --plugin-npm-run "${plugin_npm_run_id}"
              --openclaw-npm-run "${openclaw_npm_run_id}"
              --evidence-out "${evidence_path}"
+              --skip-github-release
            )
-            if [[ "${WAIT_FOR_CLAWHUB}" == "true" ]]; then
-              verify_args+=(--plugin-clawhub-run "${plugin_clawhub_run_id}")
-            else
-              verify_args+=(--skip-clawhub)
-            fi
+            clawhub_runtime_state_path="${RUNNER_TEMP}/openclaw-release-clawhub-runtime-state-verify.json"
+            write_clawhub_runtime_state "${skip_clawhub}" "${clawhub_runtime_state_path}"
+            while IFS= read -r arg; do
+              verify_args+=("${arg}")
+            done < <(jq -r '.verifierArgs[]' "${clawhub_runtime_state_path}")
            if [[ -n "${PLUGINS// }" ]]; then
              verify_args+=(--plugins "${PLUGINS}")
            fi
@@ -775,7 +913,7 @@ jobs:
          }

          append_release_proof_to_github_release() {
-            local release_version body_file notes_file tarball integrity telegram_line clawhub_line
+            local release_version body_file notes_file tarball integrity telegram_line clawhub_line clawhub_bootstrap_line clawhub_runtime_state_path

            release_version="${RELEASE_TAG#v}"
            body_file="${RUNNER_TEMP}/release-body.md"
@@ -789,16 +927,16 @@ jobs:
            else
              telegram_line="- npm Telegram beta E2E: not supplied"
            fi
-            if [[ "${WAIT_FOR_CLAWHUB}" == "true" ]]; then
-              clawhub_line="- plugin ClawHub publish: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${plugin_clawhub_run_id}"
-            else
-              clawhub_line="- plugin ClawHub publish: dispatched separately, not awaited by this proof: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${plugin_clawhub_run_id}"
-            fi
+            clawhub_runtime_state_path="${RUNNER_TEMP}/openclaw-release-clawhub-runtime-state-proof.json"
+            write_clawhub_runtime_state false "${clawhub_runtime_state_path}"
+            clawhub_line="$(jq -r '.proofLines.normal' "${clawhub_runtime_state_path}")"
+            clawhub_bootstrap_line="$(jq -r '.proofLines.bootstrap' "${clawhub_runtime_state_path}")"

            RELEASE_BODY_FILE="${body_file}" \
              RELEASE_NOTES_FILE="${notes_file}" \
              RELEASE_VERSION="${release_version}" \
              RELEASE_TAG="${RELEASE_TAG}" \
+              RELEASE_SHA="${TARGET_SHA}" \
              RELEASE_REPO="${GITHUB_REPOSITORY}" \
              RELEASE_TARBALL="${tarball}" \
              RELEASE_INTEGRITY="${integrity}" \
@@ -808,6 +946,7 @@ jobs:
              PLUGIN_NPM_RUN_ID="${plugin_npm_run_id}" \
              OPENCLAW_NPM_RUN_ID="${openclaw_npm_run_id}" \
              CLAWHUB_LINE="${clawhub_line}" \
+              CLAWHUB_BOOTSTRAP_LINE="${clawhub_bootstrap_line}" \
              TELEGRAM_LINE="${telegram_line}" \
              node --input-type=module <<'NODE'
          import { readFileSync, writeFileSync } from "node:fs";
@@ -825,12 +964,14 @@ jobs:
            `- npm package: https://www.npmjs.com/package/openclaw/v/${process.env.RELEASE_VERSION}`,
            `- registry tarball: ${process.env.RELEASE_TARBALL}`,
            `- integrity: \`${process.env.RELEASE_INTEGRITY}\``,
+            `- release SHA: \`${process.env.RELEASE_SHA}\``,
            `- full release CI report: https://github.com/openclaw/releases/blob/main/evidence/${process.env.RELEASE_VERSION}/release-evidence.md`,
            `- release publish: https://github.com/${process.env.RELEASE_REPO}/actions/runs/${process.env.RELEASE_PUBLISH_RUN_ID}`,
            `- npm preflight: https://github.com/${process.env.RELEASE_REPO}/actions/runs/${process.env.PREFLIGHT_RUN_ID}`,
            `- full release validation: https://github.com/${process.env.RELEASE_REPO}/actions/runs/${process.env.FULL_RELEASE_VALIDATION_RUN_ID}`,
            `- plugin npm publish: https://github.com/${process.env.RELEASE_REPO}/actions/runs/${process.env.PLUGIN_NPM_RUN_ID}`,
            process.env.CLAWHUB_LINE,
+            process.env.CLAWHUB_BOOTSTRAP_LINE,
            `- OpenClaw npm publish: https://github.com/${process.env.RELEASE_REPO}/actions/runs/${process.env.OPENCLAW_NPM_RUN_ID}`,
            process.env.TELEGRAM_LINE,
          ].join("\n");
@@ -847,6 +988,7 @@ jobs:
            echo "### Publish sequence"
            echo
            echo "- Workflow ref: \`${CHILD_WORKFLOW_REF}\`"
+            echo "- ClawHub workflow ref: release tag \`${RELEASE_TAG}\`"
            echo "- Release tag: \`${RELEASE_TAG}\`"
            echo "- Release SHA: \`${TARGET_SHA}\`"
            echo "- Release approval: this workflow job"
@@ -863,26 +1005,68 @@ jobs:
            fi
          } >> "$GITHUB_STEP_SUMMARY"

+          guard_existing_public_release
+          guard_openclaw_npm_not_already_published
+          resolve_clawhub_release_plan
+
          npm_args=(-f publish_scope="${PLUGIN_PUBLISH_SCOPE}" -f ref="${TARGET_SHA}" -f release_publish_run_id="${GITHUB_RUN_ID}")
-          clawhub_args=(-f publish_scope="${PLUGIN_PUBLISH_SCOPE}" -f ref="${TARGET_SHA}" -f release_publish_run_id="${GITHUB_RUN_ID}")
          if [[ -n "${PLUGINS}" ]]; then
            npm_args+=(-f plugins="${PLUGINS}")
-            clawhub_args+=(-f plugins="${PLUGINS}")
          fi

          plugin_npm_run_id="$(dispatch_workflow plugin-npm-release.yml "${npm_args[@]}")"
-          plugin_clawhub_run_id="$(dispatch_workflow plugin-clawhub-release.yml "${clawhub_args[@]}")"
+          plugin_clawhub_run_id=""
+          if [[ "$(jq -r '.normal.shouldDispatch' "${clawhub_plan_path}")" == "true" ]]; then
+            clawhub_dispatch_args=()
+            append_clawhub_dispatch_args normal
+            plugin_clawhub_run_id="$(dispatch_workflow_at_ref \
+              "$(jq -r '.normal.ref' "${clawhub_plan_path}")" \
+              "$(jq -r '.normal.workflow' "${clawhub_plan_path}")" \
+              "${clawhub_dispatch_args[@]}")"
+          else
+            echo "- plugin-clawhub-release.yml: no normal OIDC candidates" >> "$GITHUB_STEP_SUMMARY"
+          fi
+          plugin_clawhub_bootstrap_run_id=""
+          plugin_clawhub_bootstrap_completed="false"
+          if [[ "$(jq -r '.bootstrap.shouldDispatch' "${clawhub_plan_path}")" == "true" ]]; then
+            clawhub_dispatch_args=()
+            append_clawhub_dispatch_args bootstrap
+            plugin_clawhub_bootstrap_run_id="$(dispatch_workflow_at_ref \
+              "$(jq -r '.bootstrap.ref' "${clawhub_plan_path}")" \
+              "$(jq -r '.bootstrap.workflow' "${clawhub_plan_path}")" \
+              "${clawhub_dispatch_args[@]}")"
+          else
+            echo "- plugin-clawhub-new.yml: no bootstrap candidates" >> "$GITHUB_STEP_SUMMARY"
+          fi
          {
            echo "- Plugin npm run ID: \`${plugin_npm_run_id}\`"
-            echo "- Plugin ClawHub run ID: \`${plugin_clawhub_run_id}\`"
+            echo "- Plugin ClawHub run ID: \`${plugin_clawhub_run_id:-none}\`"
+            echo "- Plugin ClawHub bootstrap run ID: \`${plugin_clawhub_bootstrap_run_id:-none}\`"
          } >> "$GITHUB_STEP_SUMMARY"

          if ! wait_for_run plugin-npm-release.yml "${plugin_npm_run_id}"; then
-            echo "Plugin npm publish failed; cancelling ClawHub publish child ${plugin_clawhub_run_id}." >&2
-            gh run cancel --repo "$GITHUB_REPOSITORY" "${plugin_clawhub_run_id}" >/dev/null 2>&1 || true
+            echo "Plugin npm publish failed; cancelling dispatched ClawHub child workflows." >&2
+            if [[ -n "${plugin_clawhub_run_id}" ]]; then
+              gh run cancel --repo "$GITHUB_REPOSITORY" "${plugin_clawhub_run_id}" >/dev/null 2>&1 || true
+            fi
+            if [[ -n "${plugin_clawhub_bootstrap_run_id}" ]]; then
+              gh run cancel --repo "$GITHUB_REPOSITORY" "${plugin_clawhub_bootstrap_run_id}" >/dev/null 2>&1 || true
+            fi
            exit 1
          fi

+          if [[ -n "${plugin_clawhub_bootstrap_run_id}" && "${WAIT_FOR_CLAWHUB}" == "true" ]]; then
+            echo "Waiting for plugin-clawhub-new.yml bootstrap to finish before continuing release publish."
+            if wait_for_run plugin-clawhub-new.yml "${plugin_clawhub_bootstrap_run_id}"; then
+              plugin_clawhub_bootstrap_completed="true"
+            else
+              if [[ -n "${plugin_clawhub_run_id}" ]]; then
+                gh run cancel --repo "$GITHUB_REPOSITORY" "${plugin_clawhub_run_id}" >/dev/null 2>&1 || true
+              fi
+              exit 1
+            fi
+          fi
+
          openclaw_npm_run_id=""
          if [[ "${PUBLISH_OPENCLAW_NPM}" == "true" ]]; then
            openclaw_npm_run_id="$(dispatch_workflow openclaw-npm-release.yml \
@@ -899,19 +1083,52 @@ jobs:

          clawhub_result=""
          clawhub_pid=""
+          clawhub_bootstrap_result=""
+          clawhub_bootstrap_pid=""
          if [[ "${WAIT_FOR_CLAWHUB}" == "true" ]]; then
-            clawhub_result="$RUNNER_TEMP/clawhub-result.txt"
-            wait_run_pid=""
-            wait_for_run_background plugin-clawhub-release.yml "${plugin_clawhub_run_id}" "${clawhub_result}"
-            clawhub_pid="${wait_run_pid}"
-          else
-            wait_for_job_success plugin-clawhub-release.yml "${plugin_clawhub_run_id}" "Validate release publish approval"
-            if approve_child_publish_environment plugin-clawhub-release.yml "${plugin_clawhub_run_id}"; then
-              :
-            else
-              echo "- plugin-clawhub-release.yml: child environment gate not ready; publish was left dispatched (${plugin_clawhub_run_id})" >> "$GITHUB_STEP_SUMMARY"
+            if [[ -n "${plugin_clawhub_run_id}" ]]; then
+              clawhub_result="$RUNNER_TEMP/clawhub-result.txt"
+              wait_run_pid=""
+              wait_for_run_background plugin-clawhub-release.yml "${plugin_clawhub_run_id}" "${clawhub_result}"
+              clawhub_pid="${wait_run_pid}"
+            fi
+            if [[ -n "${plugin_clawhub_bootstrap_run_id}" ]]; then
+              if [[ "${plugin_clawhub_bootstrap_completed}" == "true" ]]; then
+                echo "- plugin-clawhub-new.yml: bootstrap already completed before continuing" >> "$GITHUB_STEP_SUMMARY"
+              else
+                clawhub_bootstrap_result="$RUNNER_TEMP/clawhub-bootstrap-result.txt"
+                wait_run_pid=""
+                wait_for_run_background plugin-clawhub-new.yml "${plugin_clawhub_bootstrap_run_id}" "${clawhub_bootstrap_result}"
+                clawhub_bootstrap_pid="${wait_run_pid}"
+              fi
+            fi
+          else
+            if [[ -n "${plugin_clawhub_run_id}" ]]; then
+              wait_for_job_success plugin-clawhub-release.yml "${plugin_clawhub_run_id}" "Validate release publish approval"
+              if approve_child_publish_environment plugin-clawhub-release.yml "${plugin_clawhub_run_id}"; then
+                :
+              else
+                echo "- plugin-clawhub-release.yml: child environment gate not ready; publish was left dispatched (${plugin_clawhub_run_id})" >> "$GITHUB_STEP_SUMMARY"
+              fi
+              echo "- plugin-clawhub-release.yml: publish not awaited (${plugin_clawhub_run_id})" >> "$GITHUB_STEP_SUMMARY"
+            else
+              echo "- plugin-clawhub-release.yml: no normal OIDC publish to await" >> "$GITHUB_STEP_SUMMARY"
+            fi
+            if [[ -n "${plugin_clawhub_bootstrap_run_id}" ]]; then
+              if [[ "${plugin_clawhub_bootstrap_completed}" == "true" ]]; then
+                echo "- plugin-clawhub-new.yml: bootstrap already completed before continuing" >> "$GITHUB_STEP_SUMMARY"
+              else
+                wait_for_job_success plugin-clawhub-new.yml "${plugin_clawhub_bootstrap_run_id}" "Validate release publish approval"
+                if approve_child_publish_environment plugin-clawhub-new.yml "${plugin_clawhub_bootstrap_run_id}"; then
+                  :
+                else
+                  echo "- plugin-clawhub-new.yml: child environment gate not ready; bootstrap was left dispatched (${plugin_clawhub_bootstrap_run_id})" >> "$GITHUB_STEP_SUMMARY"
+                fi
+                echo "- plugin-clawhub-new.yml: bootstrap not awaited (${plugin_clawhub_bootstrap_run_id})" >> "$GITHUB_STEP_SUMMARY"
+              fi
+            else
+              echo "- plugin-clawhub-new.yml: no bootstrap publish to await" >> "$GITHUB_STEP_SUMMARY"
            fi
-            echo "- plugin-clawhub-release.yml: publish not awaited (${plugin_clawhub_run_id})" >> "$GITHUB_STEP_SUMMARY"
          fi

          openclaw_result=""
@@ -934,21 +1151,33 @@ jobs:
            openclaw_failed=1
          fi

-          if [[ -n "${openclaw_npm_run_id}" && "${openclaw_failed}" == "0" ]]; then
-            create_or_update_github_release
-            upload_dependency_evidence_release_asset
-          fi
-
          if [[ -n "${clawhub_pid}" ]] && ! wait "${clawhub_pid}"; then
            failed=1
          fi
          if [[ -f "${clawhub_result}" && "$(cat "${clawhub_result}")" != "success" ]]; then
            failed=1
          fi
+          if [[ -n "${clawhub_bootstrap_pid}" ]] && ! wait "${clawhub_bootstrap_pid}"; then
+            failed=1
+          fi
+          if [[ -f "${clawhub_bootstrap_result}" && "$(cat "${clawhub_bootstrap_result}")" != "success" ]]; then
+            failed=1
+          fi

-          if [[ "${failed}" == "0" && -n "${openclaw_npm_run_id}" ]]; then
-            verify_published_release
+          if [[ -n "${openclaw_npm_run_id}" && "${openclaw_failed}" == "0" ]]; then
+            if [[ "${failed}" == "0" ]]; then
+              verify_published_release
+            else
+              verify_published_release true
+            fi
+            create_or_update_github_release
+            upload_dependency_evidence_release_asset
            append_release_proof_to_github_release
+            if [[ "${failed}" == "0" ]]; then
+              publish_github_release
+            else
+              echo "- GitHub release: left as draft because a required publish child failed" >> "$GITHUB_STEP_SUMMARY"
+            fi
          fi
          if [[ "${failed}" != "0" ]]; then
            exit 1
--- a/.github/workflows/plugin-clawhub-new.yml
+++ b/.github/workflows/plugin-clawhub-new.yml
@@ -0,0 +1,504 @@
+name: Plugin ClawHub New
+
+on:
+  workflow_dispatch:
+    inputs:
+      plugins:
+        description: Comma-separated plugin package names to bootstrap on ClawHub
+        required: true
+        type: string
+      ref:
+        description: Commit SHA on main, a release branch, or the matching Tideclaw alpha branch to publish from; defaults to the workflow ref
+        required: false
+        default: ""
+        type: string
+      release_publish_run_id:
+        description: Approved OpenClaw Release Publish workflow run id
+        required: false
+        type: string
+      release_publish_branch:
+        description: Branch name of the approving OpenClaw Release Publish workflow run
+        required: false
+        type: string
+      dry_run:
+        description: Validate the token-gated ClawHub bootstrap handoff without publishing.
+        required: false
+        default: false
+        type: boolean
+
+concurrency:
+  group: plugin-clawhub-new-${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.sha }}
+  cancel-in-progress: false
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+  NODE_VERSION: "24.15.0"
+  CLAWHUB_REGISTRY: "https://clawhub.ai"
+  CLAWHUB_CLI_PACKAGE: "clawhub@0.21.0"
+
+jobs:
+  resolve_bootstrap_plan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      ref_revision: ${{ steps.ref.outputs.sha }}
+      has_bootstrap_candidates: ${{ steps.plan.outputs.has_bootstrap_candidates }}
+      bootstrap_candidate_count: ${{ steps.plan.outputs.bootstrap_candidate_count }}
+      matrix: ${{ steps.plan.outputs.matrix }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          ref: ${{ github.ref }}
+          fetch-depth: 0
+
+      - name: Resolve checked-out ref
+        id: ref
+        env:
+          TARGET_REF: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || '' }}
+        run: |
+          set -euo pipefail
+          git fetch --no-tags origin \
+            +refs/heads/main:refs/remotes/origin/main \
+            '+refs/heads/release/*:refs/remotes/origin/release/*'
+          if [[ -n "${TARGET_REF}" ]]; then
+            if git rev-parse --verify --quiet "${TARGET_REF}^{commit}" >/dev/null; then
+              target_sha="$(git rev-parse "${TARGET_REF}^{commit}")"
+            elif git rev-parse --verify --quiet "origin/${TARGET_REF}^{commit}" >/dev/null; then
+              target_sha="$(git rev-parse "origin/${TARGET_REF}^{commit}")"
+            else
+              echo "Unable to resolve requested publish ref: ${TARGET_REF}" >&2
+              exit 1
+            fi
+            git checkout --detach "${target_sha}"
+          fi
+          echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
+
+      - name: Validate ref is on a trusted publish branch
+        env:
+          TRUSTED_PUBLISH_BRANCH: ${{ inputs.release_publish_branch || github.ref_name }}
+        run: |
+          set -euo pipefail
+          if git merge-base --is-ancestor HEAD origin/main; then
+            exit 0
+          fi
+          while IFS= read -r release_ref; do
+            if git merge-base --is-ancestor HEAD "${release_ref}"; then
+              exit 0
+            fi
+          done < <(git for-each-ref --format='%(refname)' refs/remotes/origin/release)
+          if [[ "${TRUSTED_PUBLISH_BRANCH}" =~ ^tideclaw/alpha/[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{4}Z$ ]]; then
+            alpha_branch="${TRUSTED_PUBLISH_BRANCH}"
+            git fetch --no-tags origin "+refs/heads/${alpha_branch}:refs/remotes/origin/${alpha_branch}"
+            if git merge-base --is-ancestor HEAD "refs/remotes/origin/${alpha_branch}"; then
+              exit 0
+            fi
+          fi
+          echo "Plugin ClawHub bootstraps must target a commit reachable from main, release/*, or the matching Tideclaw alpha branch." >&2
+          exit 1
+
+      - name: Setup Node environment
+        uses: ./.github/actions/setup-node-env
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          install-bun: "false"
+
+      - name: Validate publishable plugin metadata
+        env:
+          RELEASE_PLUGINS: ${{ inputs.plugins }}
+        run: |
+          set -euo pipefail
+          if [[ -z "${RELEASE_PLUGINS// }" ]]; then
+            echo "Plugin ClawHub bootstrap requires at least one package name in plugins." >&2
+            exit 1
+          fi
+          pnpm release:plugins:clawhub:check -- --selection-mode selected --plugins "${RELEASE_PLUGINS}"
+
+      - name: Resolve plugin bootstrap plan
+        id: plan
+        env:
+          RELEASE_PLUGINS: ${{ inputs.plugins }}
+          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
+        run: |
+          set -euo pipefail
+          mkdir -p .local
+          node --import tsx scripts/plugin-clawhub-release-plan.ts \
+            --selection-mode selected \
+            --plugins "${RELEASE_PLUGINS}" > .local/plugin-clawhub-release-plan.json
+
+          cat .local/plugin-clawhub-release-plan.json
+
+          bootstrap_candidate_count="$(jq -r '(.bootstrapCandidates | length) + (.missingTrustedPublisher | length)' .local/plugin-clawhub-release-plan.json)"
+          selected_count="$(jq -r '.all | length' .local/plugin-clawhub-release-plan.json)"
+          matrix_json="$(
+            jq -c '
+              [
+                .bootstrapCandidates[]? + {
+                  bootstrapMode: "publish",
+                  requiresManualOverride: false
+                },
+                .missingTrustedPublisher[]? + {
+                  bootstrapMode: (if .alreadyPublished then "configure-only" else "publish" end),
+                  requiresManualOverride: true
+                }
+              ]
+            ' .local/plugin-clawhub-release-plan.json
+          )"
+          has_bootstrap_candidates="false"
+          if [[ "${bootstrap_candidate_count}" != "0" ]]; then
+            has_bootstrap_candidates="true"
+          fi
+
+          invalid_scope="$(
+            jq -r '
+              (.bootstrapCandidates[]?, .missingTrustedPublisher[]?)
+              | select(.packageName | startswith("@openclaw/") | not)
+              | "- \(.packageName)@\(.version)"
+            ' .local/plugin-clawhub-release-plan.json
+          )"
+          if [[ -n "${invalid_scope}" ]]; then
+            echo "Plugin ClawHub bootstrap only supports @openclaw/* packages." >&2
+            printf '%s\n' "${invalid_scope}" >&2
+            exit 1
+          fi
+
+          not_bootstrap="$(
+            jq -r '
+              (.bootstrapCandidates | map(.packageName)) as $bootstrapNames
+              | (.missingTrustedPublisher | map(.packageName)) as $repairNames
+              | .all[]?
+              | select(.packageName as $name | ($bootstrapNames + $repairNames | index($name) | not))
+              | "- \(.packageName)@\(.version)"
+            ' .local/plugin-clawhub-release-plan.json
+          )"
+          if [[ -n "${not_bootstrap}" ]]; then
+            echo "Selected packages must all be first-publish bootstrap candidates or trusted-publisher repair candidates." >&2
+            printf '%s\n' "${not_bootstrap}" >&2
+            exit 1
+          fi
+          if [[ "${selected_count}" == "0" || "${bootstrap_candidate_count}" == "0" ]]; then
+            echo "No selected packages require ClawHub bootstrap." >&2
+            exit 1
+          fi
+
+          {
+            echo "bootstrap_candidate_count=${bootstrap_candidate_count}"
+            echo "has_bootstrap_candidates=${has_bootstrap_candidates}"
+            echo "matrix=${matrix_json}"
+          } >> "$GITHUB_OUTPUT"
+
+          echo "ClawHub bootstrap candidates:"
+          jq -r '
+            .bootstrapCandidates[]? | "- \(.packageName)@\(.version) [\(.publishTag)] from \(.packageDir)"
+          ' .local/plugin-clawhub-release-plan.json
+          echo "ClawHub trusted-publisher repair candidates:"
+          jq -r '
+            .missingTrustedPublisher[]? | "- \(.packageName)@\(.version) [\(.publishTag)] from \(.packageDir), alreadyPublished=\(.alreadyPublished)"
+          ' .local/plugin-clawhub-release-plan.json
+
+      - name: Validate Tideclaw alpha plugin channels
+        env:
+          TRUSTED_PUBLISH_BRANCH: ${{ inputs.release_publish_branch || github.ref_name }}
+        run: |
+          set -euo pipefail
+          if [[ ! "${TRUSTED_PUBLISH_BRANCH}" =~ ^tideclaw/alpha/[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{4}Z$ ]]; then
+            exit 0
+          fi
+          invalid="$(
+            jq -r '
+              (.bootstrapCandidates[]?, .missingTrustedPublisher[]?)
+              | select(.publishTag != "alpha" or .channel != "alpha")
+              | "- \(.packageName)@\(.version) [\(.publishTag)]"
+            ' .local/plugin-clawhub-release-plan.json
+          )"
+          if [[ -n "${invalid}" ]]; then
+            echo "Tideclaw alpha ClawHub bootstraps may only publish alpha plugin versions." >&2
+            printf '%s\n' "${invalid}" >&2
+            exit 1
+          fi
+
+  validate_release_publish_approval:
+    name: Validate release publish approval
+    needs: resolve_bootstrap_plan
+    if: github.event_name == 'workflow_dispatch' && needs.resolve_bootstrap_plan.outputs.has_bootstrap_candidates == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - name: Validate release publish approval run
+        env:
+          GH_TOKEN: ${{ github.token }}
+          RELEASE_PUBLISH_RUN_ID: ${{ inputs.release_publish_run_id }}
+          EXPECTED_WORKFLOW_BRANCH: ${{ inputs.release_publish_branch || github.ref_name }}
+        run: |
+          set -euo pipefail
+          if [[ -z "${RELEASE_PUBLISH_RUN_ID// }" ]]; then
+            if [[ "${GITHUB_ACTOR}" == "github-actions[bot]" ]]; then
+              echo "Plugin ClawHub bootstrap dispatched by another workflow must include release_publish_run_id." >&2
+              exit 1
+            fi
+            echo "Direct Plugin ClawHub New dispatch; relying on this workflow's clawhub-plugin-bootstrap environment approval."
+            exit 0
+          fi
+          direct_recovery=false
+          if [[ "${GITHUB_ACTOR}" != "github-actions[bot]" ]]; then
+            direct_recovery=true
+            echo "Direct Plugin ClawHub New recovery with release_publish_run_id; relying on this workflow's clawhub-plugin-bootstrap environment approval."
+          fi
+          RUN_JSON="$(gh run view "$RELEASE_PUBLISH_RUN_ID" --repo "$GITHUB_REPOSITORY" --json workflowName,headBranch,event,status,conclusion,url)"
+          printf '%s' "$RUN_JSON" | DIRECT_RELEASE_RECOVERY="${direct_recovery}" node scripts/validate-release-publish-approval.mjs
+
+  validate_bootstrap_trusted_publisher_cli:
+    needs: [resolve_bootstrap_plan, validate_release_publish_approval]
+    if: always() && github.event_name == 'workflow_dispatch' && inputs.dry_run != true && needs.resolve_bootstrap_plan.outputs.has_bootstrap_candidates == 'true' && needs.validate_release_publish_approval.result == 'success'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Validate pinned ClawHub trusted publisher CLI support
+        env:
+          CLAWHUB_CLI_PACKAGE: ${{ env.CLAWHUB_CLI_PACKAGE }}
+        run: |
+          set -euo pipefail
+          help_output="$(
+            npm exec --yes --package "${CLAWHUB_CLI_PACKAGE}" -- \
+              clawhub package trusted-publisher set --help 2>&1 || true
+          )"
+          printf '%s\n' "${help_output}"
+          if ! grep -Fq "Usage: clawhub package trusted-publisher set" <<<"${help_output}"; then
+            echo "::error::CLAW-277 03 - Split OpenClaw plugin ClawHub publishing into OIDC release and token bootstrap workflows requires ${CLAWHUB_CLI_PACKAGE} to expose 'package trusted-publisher set' before token bootstrap publish can run. The pinned CLI returned parent help or no set command, so this workflow is stopping before creating a ClawHub package row."
+            exit 1
+          fi
+          for required_flag in --repository --workflow-filename; do
+            if ! grep -Fq -- "${required_flag}" <<<"${help_output}"; then
+              echo "::error::CLAW-277 03 - Split OpenClaw plugin ClawHub publishing into OIDC release and token bootstrap workflows requires ${CLAWHUB_CLI_PACKAGE} trusted-publisher set help to include ${required_flag}."
+              exit 1
+            fi
+          done
+
+  publish_bootstrap_plugins:
+    needs:
+      [
+        resolve_bootstrap_plan,
+        validate_release_publish_approval,
+        validate_bootstrap_trusted_publisher_cli,
+      ]
+    if: always() && github.event_name == 'workflow_dispatch' && needs.resolve_bootstrap_plan.outputs.has_bootstrap_candidates == 'true' && needs.validate_release_publish_approval.result == 'success' && (inputs.dry_run == true || needs.validate_bootstrap_trusted_publisher_cli.result == 'success')
+    runs-on: ubuntu-latest
+    environment: clawhub-plugin-bootstrap
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: false
+      max-parallel: 8
+      matrix:
+        plugin: ${{ fromJson(needs.resolve_bootstrap_plan.outputs.matrix) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          ref: ${{ github.ref }}
+          fetch-depth: 0
+
+      - name: Checkout target revision
+        env:
+          TARGET_SHA: ${{ needs.resolve_bootstrap_plan.outputs.ref_revision }}
+        run: |
+          set -euo pipefail
+          git fetch --no-tags origin \
+            +refs/heads/main:refs/remotes/origin/main \
+            '+refs/heads/release/*:refs/remotes/origin/release/*'
+          git checkout --detach "${TARGET_SHA}"
+
+      - name: Setup Node environment
+        uses: ./.github/actions/setup-node-env
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          install-bun: "true"
+          install-deps: "true"
+
+      - name: Verify package-local runtime build
+        run: node scripts/check-plugin-npm-runtime-builds.mjs --package "${{ matrix.plugin.packageDir }}"
+
+      - name: Install pinned ClawHub CLI wrapper
+        run: |
+          set -euo pipefail
+          cat > "${RUNNER_TEMP}/clawhub" <<'EOF'
+          #!/usr/bin/env bash
+          set -euo pipefail
+          exec npm exec --yes --package "${CLAWHUB_CLI_PACKAGE}" -- clawhub "$@"
+          EOF
+          chmod +x "${RUNNER_TEMP}/clawhub"
+          echo "${RUNNER_TEMP}" >> "${GITHUB_PATH}"
+
+      - name: Write ClawHub token config
+        if: inputs.dry_run != true
+        env:
+          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
+          CLAWHUB_TOKEN: ${{ secrets.CLAWHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          config_path="${RUNNER_TEMP}/clawhub-config.json"
+          CONFIG_PATH="${config_path}" node --input-type=module <<'NODE'
+          import { writeFileSync } from "node:fs";
+
+          const registry = process.env.CLAWHUB_REGISTRY?.trim();
+          const token = process.env.CLAWHUB_TOKEN?.trim();
+          const configPath = process.env.CONFIG_PATH;
+          if (!registry) {
+            throw new Error("CLAWHUB_REGISTRY is required for token-gated ClawHub bootstrap.");
+          }
+          if (!token) {
+            throw new Error("CLAWHUB_TOKEN is required for token-gated ClawHub bootstrap.");
+          }
+          if (!configPath) {
+            throw new Error("CONFIG_PATH is required.");
+          }
+
+          writeFileSync(configPath, `${JSON.stringify({ registry, token }, null, 2)}\n`, {
+            encoding: "utf8",
+            mode: 0o600,
+          });
+          NODE
+          echo "CLAWHUB_CONFIG_PATH=${config_path}" >> "${GITHUB_ENV}"
+
+      - name: Publish ClawHub bootstrap package
+        env:
+          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
+          SOURCE_REPO: ${{ github.repository }}
+          SOURCE_COMMIT: ${{ needs.resolve_bootstrap_plan.outputs.ref_revision }}
+          SOURCE_REF: ${{ github.ref }}
+          PACKAGE_TAG: ${{ matrix.plugin.publishTag }}
+          PACKAGE_DIR: ${{ matrix.plugin.packageDir }}
+          BOOTSTRAP_MODE: ${{ matrix.plugin.bootstrapMode }}
+          REQUIRES_MANUAL_OVERRIDE: ${{ matrix.plugin.requiresManualOverride && 'true' || 'false' }}
+          DRY_RUN: ${{ inputs.dry_run && 'true' || 'false' }}
+          OPENCLAW_PLUGIN_NPM_RUNTIME_BUILD: "0"
+        run: |
+          set -euo pipefail
+          if [[ "${BOOTSTRAP_MODE}" == "configure-only" ]]; then
+            echo "Skipping bootstrap publish because ${PACKAGE_DIR} version is already present on ClawHub; configuring trusted publisher only."
+          elif [[ "${DRY_RUN}" == "true" ]]; then
+            bash scripts/plugin-clawhub-publish.sh --dry-run "${PACKAGE_DIR}"
+          else
+            if [[ "${REQUIRES_MANUAL_OVERRIDE}" == "true" ]]; then
+              export OPENCLAW_CLAWHUB_MANUAL_OVERRIDE_REASON="GitHub Actions trusted publisher repair before OIDC migration"
+            fi
+            bash scripts/plugin-clawhub-publish.sh --publish "${PACKAGE_DIR}"
+          fi
+
+      - name: Configure trusted publisher for normal OIDC releases
+        if: inputs.dry_run != true
+        env:
+          CLAWHUB_CLI_PACKAGE: ${{ env.CLAWHUB_CLI_PACKAGE }}
+          PACKAGE_NAME: ${{ matrix.plugin.packageName }}
+        run: |
+          set -euo pipefail
+          npm exec --yes --package "${CLAWHUB_CLI_PACKAGE}" -- \
+            clawhub package trusted-publisher set "${PACKAGE_NAME}" \
+              --repository openclaw/openclaw \
+              --workflow-filename plugin-clawhub-release.yml
+
+  verify_bootstrap_clawhub_package:
+    needs: [resolve_bootstrap_plan, publish_bootstrap_plugins]
+    if: github.event_name == 'workflow_dispatch' && inputs.dry_run != true && needs.resolve_bootstrap_plan.outputs.has_bootstrap_candidates == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: false
+      max-parallel: 8
+      matrix:
+        plugin: ${{ fromJson(needs.resolve_bootstrap_plan.outputs.matrix) }}
+    steps:
+      - name: Verify bootstrap ClawHub package and trusted publisher
+        env:
+          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
+          PACKAGE_NAME: ${{ matrix.plugin.packageName }}
+          PACKAGE_VERSION: ${{ matrix.plugin.version }}
+          PACKAGE_TAG: ${{ matrix.plugin.publishTag }}
+        run: |
+          set -euo pipefail
+          node --input-type=module <<'EOF'
+          const registry = (process.env.CLAWHUB_REGISTRY ?? "https://clawhub.ai").replace(/\/+$/, "");
+          const packageName = process.env.PACKAGE_NAME;
+          const packageVersion = process.env.PACKAGE_VERSION;
+          const packageTag = process.env.PACKAGE_TAG;
+          if (!packageName || !packageVersion || !packageTag) {
+            throw new Error("Missing ClawHub bootstrap verification env.");
+          }
+          const encodedName = encodeURIComponent(packageName);
+          const encodedVersion = encodeURIComponent(packageVersion);
+          const detailUrl = `${registry}/api/v1/packages/${encodedName}`;
+          const trustedPublisherUrl = `${detailUrl}/trusted-publisher`;
+          const versionUrl = `${detailUrl}/versions/${encodedVersion}`;
+          const artifactUrl = `${versionUrl}/artifact/download`;
+
+          async function fetchWithRetry(url, options = {}) {
+            let lastStatus = "unknown";
+            for (let attempt = 1; attempt <= 12; attempt += 1) {
+              try {
+                const response = await fetch(url, { redirect: "manual", ...options });
+                lastStatus = response.status;
+                if (response.status !== 429 && response.status < 500) {
+                  return response;
+                }
+              } catch (error) {
+                lastStatus = error instanceof Error ? error.message : String(error);
+              }
+              await new Promise((resolve) => setTimeout(resolve, attempt * 5000));
+            }
+            throw new Error(`${url} did not stabilize; last status ${lastStatus}.`);
+          }
+
+          const detailResponse = await fetchWithRetry(detailUrl, {
+            headers: { accept: "application/json" },
+          });
+          if (!detailResponse.ok) {
+            throw new Error(`${detailUrl} returned HTTP ${detailResponse.status}.`);
+          }
+          const detail = await detailResponse.json();
+          const tags = detail?.package?.tags ?? {};
+          if (tags[packageTag] !== packageVersion) {
+            throw new Error(
+              `${packageName}: ClawHub tag ${packageTag} points to ${tags[packageTag] ?? "<missing>"}, expected ${packageVersion}.`,
+            );
+          }
+
+          const trustedPublisherResponse = await fetchWithRetry(trustedPublisherUrl, {
+            headers: { accept: "application/json" },
+          });
+          if (!trustedPublisherResponse.ok) {
+            throw new Error(`${trustedPublisherUrl} returned HTTP ${trustedPublisherResponse.status}.`);
+          }
+          const trustedPublisherDetail = await trustedPublisherResponse.json();
+          const trustedPublisher = trustedPublisherDetail?.trustedPublisher;
+          if (
+            trustedPublisher?.repository !== "openclaw/openclaw" ||
+            trustedPublisher?.workflowFilename !== "plugin-clawhub-release.yml" ||
+            trustedPublisher?.environment != null
+          ) {
+            throw new Error(
+              `${packageName}: trusted publisher config did not match openclaw/openclaw plugin-clawhub-release.yml without an environment pin.`,
+            );
+          }
+
+          const versionResponse = await fetchWithRetry(versionUrl);
+          if (!versionResponse.ok) {
+            throw new Error(`${versionUrl} returned HTTP ${versionResponse.status}.`);
+          }
+          const artifactResponse = await fetchWithRetry(artifactUrl, { method: "HEAD" });
+          if (artifactResponse.status < 200 || artifactResponse.status >= 400) {
+            throw new Error(`${artifactUrl} returned HTTP ${artifactResponse.status}.`);
+          }
+          console.log(`${packageName}@${packageVersion} bootstrap verified on ClawHub.`);
+          EOF
--- a/.github/workflows/plugin-clawhub-release.yml
+++ b/.github/workflows/plugin-clawhub-release.yml
@@ -16,7 +16,7 @@ on:
        required: false
        type: string
      ref:
-        description: Commit SHA on main, a release branch, or the matching Tideclaw alpha branch to publish from; defaults to the workflow ref
+        description: Dry-run target ref to validate; real OIDC publishes must dispatch the workflow with --ref set to the target release tag/ref
        required: false
        default: ""
        type: string
@@ -24,6 +24,10 @@ on:
        description: Approved OpenClaw Release Publish workflow run id
        required: false
        type: string
+      release_publish_branch:
+        description: Branch name of the approving OpenClaw Release Publish workflow run
+        required: false
+        type: string
      dry_run:
        description: Validate the full ClawHub artifact handoff without publishing.
        required: false
@@ -38,9 +42,7 @@ env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
  NODE_VERSION: "24.15.0"
  CLAWHUB_REGISTRY: "https://clawhub.ai"
-  CLAWHUB_REPOSITORY: "openclaw/clawhub"
-  # Pinned to a reviewed ClawHub commit so release behavior stays reproducible.
-  CLAWHUB_REF: "c9bb13023598dcc547fdf4a93b9d42512b8c8854"
+  CLAWHUB_CLI_PACKAGE: "clawhub@0.21.0"

 jobs:
  preview_plugins_clawhub:
@@ -50,9 +52,15 @@ jobs:
    outputs:
      ref_revision: ${{ steps.ref.outputs.sha }}
      has_candidates: ${{ steps.plan.outputs.has_candidates }}
+      has_bootstrap_candidates: ${{ steps.plan.outputs.has_bootstrap_candidates }}
+      has_missing_trusted_publisher: ${{ steps.plan.outputs.has_missing_trusted_publisher }}
      candidate_count: ${{ steps.plan.outputs.candidate_count }}
+      bootstrap_candidate_count: ${{ steps.plan.outputs.bootstrap_candidate_count }}
+      missing_trusted_publisher_count: ${{ steps.plan.outputs.missing_trusted_publisher_count }}
      skipped_published_count: ${{ steps.plan.outputs.skipped_published_count }}
      matrix: ${{ steps.plan.outputs.matrix }}
+      bootstrap_matrix: ${{ steps.plan.outputs.bootstrap_matrix }}
+      missing_trusted_publisher_matrix: ${{ steps.plan.outputs.missing_trusted_publisher_matrix }}
    steps:
      - name: Checkout
        uses: actions/checkout@v6
@@ -83,9 +91,27 @@ jobs:
          fi
          echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"

+      - name: Validate OIDC source matches workflow ref
+        env:
+          TARGET_SHA: ${{ steps.ref.outputs.sha }}
+          WORKFLOW_SHA: ${{ github.sha }}
+          DRY_RUN: ${{ inputs.dry_run && 'true' || 'false' }}
+        run: |
+          set -euo pipefail
+          if [[ "${TARGET_SHA}" != "${WORKFLOW_SHA}" ]]; then
+            if [[ "${DRY_RUN}" == "true" ]]; then
+              echo "Dry-run publish target differs from workflow ref; allowing validation-only dispatch."
+              exit 0
+            fi
+            echo "Plugin ClawHub OIDC publishes must run from the same ref that is being published." >&2
+            echo "The ref input is only supported for dry_run=true." >&2
+            echo "For real publishes, dispatch this workflow with --ref pointing at the target release tag/ref and omit the ref input." >&2
+            exit 1
+          fi
+
      - name: Validate ref is on a trusted publish branch
        env:
-          WORKFLOW_REF: ${{ github.ref }}
+          TRUSTED_PUBLISH_BRANCH: ${{ inputs.release_publish_branch || github.ref_name }}
        run: |
          set -euo pipefail
          if git merge-base --is-ancestor HEAD origin/main; then
@@ -96,8 +122,8 @@ jobs:
              exit 0
            fi
          done < <(git for-each-ref --format='%(refname)' refs/remotes/origin/release)
-          if [[ "${WORKFLOW_REF}" =~ ^refs/heads/tideclaw/alpha/[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{4}Z$ ]]; then
-            alpha_branch="${WORKFLOW_REF#refs/heads/}"
+          if [[ "${TRUSTED_PUBLISH_BRANCH}" =~ ^tideclaw/alpha/[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{4}Z$ ]]; then
+            alpha_branch="${TRUSTED_PUBLISH_BRANCH}"
            git fetch --no-tags origin "+refs/heads/${alpha_branch}:refs/remotes/origin/${alpha_branch}"
            if git merge-base --is-ancestor HEAD "refs/remotes/origin/${alpha_branch}"; then
              exit 0
@@ -158,36 +184,78 @@ jobs:
          cat .local/plugin-clawhub-release-plan.json

          candidate_count="$(jq -r '.candidates | length' .local/plugin-clawhub-release-plan.json)"
+          bootstrap_candidate_count="$(jq -r '.bootstrapCandidates | length' .local/plugin-clawhub-release-plan.json)"
+          missing_trusted_publisher_count="$(jq -r '.missingTrustedPublisher | length' .local/plugin-clawhub-release-plan.json)"
          skipped_published_count="$(jq -r '.skippedPublished | length' .local/plugin-clawhub-release-plan.json)"
          has_candidates="false"
          if [[ "${candidate_count}" != "0" ]]; then
            has_candidates="true"
          fi
+          has_bootstrap_candidates="false"
+          if [[ "${bootstrap_candidate_count}" != "0" ]]; then
+            has_bootstrap_candidates="true"
+          fi
+          has_missing_trusted_publisher="false"
+          if [[ "${missing_trusted_publisher_count}" != "0" ]]; then
+            has_missing_trusted_publisher="true"
+          fi
          matrix_json="$(jq -c '.candidates' .local/plugin-clawhub-release-plan.json)"
+          bootstrap_matrix_json="$(jq -c '.bootstrapCandidates' .local/plugin-clawhub-release-plan.json)"
+          missing_trusted_publisher_matrix_json="$(jq -c '.missingTrustedPublisher' .local/plugin-clawhub-release-plan.json)"

          {
            echo "candidate_count=${candidate_count}"
+            echo "bootstrap_candidate_count=${bootstrap_candidate_count}"
+            echo "missing_trusted_publisher_count=${missing_trusted_publisher_count}"
            echo "skipped_published_count=${skipped_published_count}"
            echo "has_candidates=${has_candidates}"
+            echo "has_bootstrap_candidates=${has_bootstrap_candidates}"
+            echo "has_missing_trusted_publisher=${has_missing_trusted_publisher}"
            echo "matrix=${matrix_json}"
+            echo "bootstrap_matrix=${bootstrap_matrix_json}"
+            echo "missing_trusted_publisher_matrix=${missing_trusted_publisher_matrix_json}"
          } >> "$GITHUB_OUTPUT"

          echo "Plugin release candidates:"
          jq -r '.candidates[]? | "- \(.packageName)@\(.version) [\(.publishTag)] from \(.packageDir)"' .local/plugin-clawhub-release-plan.json

+          echo "Bootstrap candidates requiring token bootstrap:"
+          jq -r '.bootstrapCandidates[]? | "- \(.packageName)@\(.version) [\(.publishTag)] from \(.packageDir)"' .local/plugin-clawhub-release-plan.json
+
+          echo "Missing trusted publisher candidates:"
+          jq -r '.missingTrustedPublisher[]? | "- \(.packageName)@\(.version) [\(.publishTag)] from \(.packageDir)"' .local/plugin-clawhub-release-plan.json
+
          echo "Already published / skipped:"
          jq -r '.skippedPublished[]? | "- \(.packageName)@\(.version)"' .local/plugin-clawhub-release-plan.json

+      - name: Fail when trusted publisher is missing
+        if: steps.plan.outputs.missing_trusted_publisher_count != '0'
+        run: |
+          echo "::error::One or more ClawHub packages exist but do not have trusted publishing configured. Configure trusted publishing before running the normal OIDC publish workflow."
+          jq -r '.missingTrustedPublisher[]? | "::error::Missing trusted publisher: \(.packageName)@\(.version). Configure trusted publishing for openclaw/openclaw, workflow plugin-clawhub-release.yml."' .local/plugin-clawhub-release-plan.json
+          exit 1
+
+      - name: Fail normal publish when bootstrap is required
+        if: steps.plan.outputs.bootstrap_candidate_count != '0'
+        run: |
+          echo "::error::One or more ClawHub packages do not exist yet and require the token-gated Plugin ClawHub New bootstrap workflow before normal OIDC publish can run."
+          jq -r '.bootstrapCandidates[]? | "::error::Bootstrap required: \(.packageName)@\(.version). Dispatch plugin-clawhub-new.yml for this package, then rerun the normal release."' .local/plugin-clawhub-release-plan.json
+          exit 1
+
      - name: Fail manual publish when target versions already exist
-        if: github.event_name == 'workflow_dispatch' && inputs.publish_scope == 'selected' && steps.plan.outputs.skipped_published_count != '0'
+        if: github.event_name == 'workflow_dispatch' && inputs.dry_run != true && inputs.publish_scope == 'selected' && steps.plan.outputs.skipped_published_count != '0'
        run: |
          echo "::error::One or more selected plugin versions already exist on ClawHub. Bump the version before running a real publish."
          exit 1

      - name: Validate Tideclaw alpha plugin channels
-        if: startsWith(github.ref, 'refs/heads/tideclaw/alpha/')
+        env:
+          TRUSTED_PUBLISH_BRANCH: ${{ inputs.release_publish_branch || github.ref_name }}
        run: |
          set -euo pipefail
+          if [[ ! "${TRUSTED_PUBLISH_BRANCH}" =~ ^tideclaw/alpha/[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{4}Z$ ]]; then
+            exit 0
+          fi
          invalid="$(
            jq -r '.candidates[]? | select(.publishTag != "alpha" or .channel != "alpha") | "- \(.packageName)@\(.version) [\(.publishTag)]"' .local/plugin-clawhub-release-plan.json
          )"
@@ -197,12 +265,6 @@ jobs:
            exit 1
          fi

-      - name: Verify OpenClaw ClawHub package ownership
-        if: steps.plan.outputs.has_candidates == 'true'
-        env:
-          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
-        run: node --import tsx scripts/plugin-clawhub-owner-preflight.ts .local/plugin-clawhub-release-plan.json
-
  validate_release_publish_approval:
    name: Validate release publish approval
    needs: preview_plugins_clawhub
@@ -221,7 +283,7 @@ jobs:
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_PUBLISH_RUN_ID: ${{ inputs.release_publish_run_id }}
-          EXPECTED_WORKFLOW_BRANCH: ${{ github.ref_name }}
+          EXPECTED_WORKFLOW_BRANCH: ${{ inputs.release_publish_branch || github.ref_name }}
        run: |
          set -euo pipefail
          if [[ -z "${RELEASE_PUBLISH_RUN_ID// }" ]]; then
@@ -240,99 +302,8 @@ jobs:
          RUN_JSON="$(gh run view "$RELEASE_PUBLISH_RUN_ID" --repo "$GITHUB_REPOSITORY" --json workflowName,headBranch,event,status,conclusion,url)"
          printf '%s' "$RUN_JSON" | DIRECT_RELEASE_RECOVERY="${direct_recovery}" node scripts/validate-release-publish-approval.mjs

-  preview_plugin_pack:
-    needs: preview_plugins_clawhub
-    if: needs.preview_plugins_clawhub.outputs.has_candidates == 'true'
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    strategy:
-      fail-fast: false
-      max-parallel: 12
-      matrix:
-        plugin: ${{ fromJson(needs.preview_plugins_clawhub.outputs.matrix) }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          persist-credentials: false
-          ref: ${{ github.ref }}
-          fetch-depth: 0
-
-      - name: Checkout target revision
-        env:
-          TARGET_SHA: ${{ needs.preview_plugins_clawhub.outputs.ref_revision }}
-        run: |
-          set -euo pipefail
-          git fetch --no-tags origin \
-            +refs/heads/main:refs/remotes/origin/main \
-            '+refs/heads/release/*:refs/remotes/origin/release/*'
-          git checkout --detach "${TARGET_SHA}"
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          install-bun: "true"
-          install-deps: "true"
-
-      - name: Checkout ClawHub CLI source
-        uses: actions/checkout@v6
-        with:
-          persist-credentials: false
-          repository: ${{ env.CLAWHUB_REPOSITORY }}
-          ref: main
-          path: clawhub-source
-          fetch-depth: 0
-
-      - name: Checkout pinned ClawHub CLI revision
-        working-directory: clawhub-source
-        env:
-          CLAWHUB_REF: ${{ env.CLAWHUB_REF }}
-        run: git checkout --detach "${CLAWHUB_REF}"
-
-      - name: Install ClawHub CLI dependencies
-        working-directory: clawhub-source
-        run: |
-          set -euo pipefail
-          for attempt in 1 2 3; do
-            if bun install --frozen-lockfile; then
-              exit 0
-            fi
-            status="$?"
-            if [[ "${attempt}" == "3" ]]; then
-              exit "${status}"
-            fi
-            echo "bun install failed while preparing ClawHub CLI; retrying (${attempt}/3)."
-            rm -rf node_modules "${RUNNER_TEMP}/bun-install-cache" || true
-            sleep $((attempt * 15))
-          done
-
-      - name: Bootstrap ClawHub CLI
-        run: |
-          cat > "$RUNNER_TEMP/clawhub" <<'EOF'
-          #!/usr/bin/env bash
-          set -euo pipefail
-          exec bun "$GITHUB_WORKSPACE/clawhub-source/packages/clawhub/src/cli.ts" "$@"
-          EOF
-          chmod +x "$RUNNER_TEMP/clawhub"
-          echo "$RUNNER_TEMP" >> "$GITHUB_PATH"
-
-      - name: Verify package-local runtime build
-        run: node scripts/check-plugin-npm-runtime-builds.mjs --package "${{ matrix.plugin.packageDir }}"
-
-      - name: Preview publish command
-        env:
-          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
-          SOURCE_REPO: ${{ github.repository }}
-          SOURCE_COMMIT: ${{ needs.preview_plugins_clawhub.outputs.ref_revision }}
-          SOURCE_REF: ${{ github.ref }}
-          PACKAGE_TAG: ${{ matrix.plugin.publishTag }}
-          PACKAGE_DIR: ${{ matrix.plugin.packageDir }}
-        run: bash scripts/plugin-clawhub-publish.sh --dry-run "${PACKAGE_DIR}"
-
  pack_plugins_clawhub_artifacts:
-    needs: [preview_plugins_clawhub, preview_plugin_pack, validate_release_publish_approval]
+    needs: [preview_plugins_clawhub, validate_release_publish_approval]
    if: github.event_name == 'workflow_dispatch' && needs.preview_plugins_clawhub.outputs.has_candidates == 'true'
    runs-on: ubuntu-latest
    permissions:
@@ -367,47 +338,19 @@ jobs:
          install-bun: "true"
          install-deps: "true"

-      - name: Checkout ClawHub CLI source
-        uses: actions/checkout@v6
-        with:
-          persist-credentials: false
-          repository: ${{ env.CLAWHUB_REPOSITORY }}
-          ref: main
-          path: clawhub-source
-          fetch-depth: 0
+      - name: Verify package-local runtime build
+        run: node scripts/check-plugin-npm-runtime-builds.mjs --package "${{ matrix.plugin.packageDir }}"

-      - name: Checkout pinned ClawHub CLI revision
-        working-directory: clawhub-source
-        env:
-          CLAWHUB_REF: ${{ env.CLAWHUB_REF }}
-        run: git checkout --detach "${CLAWHUB_REF}"
-
-      - name: Install ClawHub CLI dependencies
-        working-directory: clawhub-source
+      - name: Install pinned ClawHub CLI wrapper
        run: |
          set -euo pipefail
-          for attempt in 1 2 3; do
-            if bun install --frozen-lockfile; then
-              exit 0
-            fi
-            status="$?"
-            if [[ "${attempt}" == "3" ]]; then
-              exit "${status}"
-            fi
-            echo "bun install failed while preparing ClawHub CLI; retrying (${attempt}/3)."
-            rm -rf node_modules "${RUNNER_TEMP}/bun-install-cache" || true
-            sleep $((attempt * 15))
-          done
-
-      - name: Bootstrap ClawHub CLI
-        run: |
-          cat > "$RUNNER_TEMP/clawhub" <<'EOF'
+          cat > "${RUNNER_TEMP}/clawhub" <<'EOF'
          #!/usr/bin/env bash
          set -euo pipefail
-          exec bun "$GITHUB_WORKSPACE/clawhub-source/packages/clawhub/src/cli.ts" "$@"
+          exec npm exec --yes --package "${CLAWHUB_CLI_PACKAGE}" -- clawhub "$@"
          EOF
-          chmod +x "$RUNNER_TEMP/clawhub"
-          echo "$RUNNER_TEMP" >> "$GITHUB_PATH"
+          chmod +x "${RUNNER_TEMP}/clawhub"
+          echo "${RUNNER_TEMP}" >> "${GITHUB_PATH}"

      - name: Pack ClawHub package artifact
        env:
@@ -428,19 +371,23 @@ jobs:
          if-no-files-found: error
          retention-days: 7

-  approve_plugin_clawhub_release:
+  approve_plugins_clawhub_release:
    needs: [preview_plugins_clawhub, pack_plugins_clawhub_artifacts]
-    if: github.event_name == 'workflow_dispatch' && inputs.dry_run != true && needs.preview_plugins_clawhub.outputs.has_candidates == 'true'
+    if: always() && github.event_name == 'workflow_dispatch' && inputs.dry_run != true && needs.preview_plugins_clawhub.outputs.has_candidates == 'true' && needs.pack_plugins_clawhub_artifacts.result == 'success'
    runs-on: ubuntu-latest
    environment: clawhub-plugin-release
-    permissions: {}
+    permissions:
+      contents: read
    steps:
-      - name: Approve ClawHub package publish
-        run: echo "ClawHub package publish approved."
+      - name: Approve Plugin ClawHub release publish
+        run: |
+          echo "Approved CLAW-277 03 - Split OpenClaw plugin ClawHub publishing into OIDC release and token bootstrap workflows release publish gate."

  publish_plugins_clawhub:
-    needs: [preview_plugins_clawhub, pack_plugins_clawhub_artifacts, approve_plugin_clawhub_release]
-    if: always() && github.event_name == 'workflow_dispatch' && needs.preview_plugins_clawhub.outputs.has_candidates == 'true' && needs.pack_plugins_clawhub_artifacts.result == 'success' && (inputs.dry_run == true || needs.approve_plugin_clawhub_release.result == 'success')
+    needs:
+      [preview_plugins_clawhub, pack_plugins_clawhub_artifacts, approve_plugins_clawhub_release]
+    if: always() && github.event_name == 'workflow_dispatch' && needs.preview_plugins_clawhub.outputs.has_candidates == 'true' && needs.pack_plugins_clawhub_artifacts.result == 'success' && (inputs.dry_run == true || needs.approve_plugins_clawhub_release.result == 'success')
+    uses: openclaw/clawhub/.github/workflows/package-publish.yml@9d49df109d4ad3dc8a6ecf05d26b39f46d294721
    permissions:
      actions: read
      contents: read
@@ -450,19 +397,18 @@ jobs:
      max-parallel: 32
      matrix:
        plugin: ${{ fromJson(needs.preview_plugins_clawhub.outputs.matrix) }}
-    uses: openclaw/clawhub/.github/workflows/package-publish.yml@c9bb13023598dcc547fdf4a93b9d42512b8c8854
    with:
-      dry_run: ${{ inputs.dry_run }}
-      json: true
      package_artifact_name: ${{ matrix.plugin.artifactName }}
+      dry_run: ${{ inputs.dry_run }}
      registry: https://clawhub.ai
      site: https://clawhub.ai
+      tags: ${{ matrix.plugin.publishTag }}
      source_repo: ${{ github.repository }}
      source_commit: ${{ needs.preview_plugins_clawhub.outputs.ref_revision }}
      source_ref: ${{ github.ref }}
-      tags: ${{ matrix.plugin.publishTag }}
-    secrets:
-      clawhub_token: ${{ secrets.CLAWHUB_TOKEN }}
+      source_path: ${{ matrix.plugin.packageDir }}
+      inspector_artifact_name: ${{ matrix.plugin.artifactName }}-inspector
+      publish_json_artifact_name: ${{ matrix.plugin.artifactName }}-publish-json

  verify_published_clawhub_package:
    needs: [preview_plugins_clawhub, publish_plugins_clawhub]
--- a/.github/workflows/plugin-npm-release.yml
+++ b/.github/workflows/plugin-npm-release.yml
@@ -288,6 +288,7 @@ jobs:
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          OPENCLAW_NPM_PUBLISH_AUTH_MODE: trusted-publisher
        run: bash scripts/plugin-npm-publish.sh --publish "${{ matrix.plugin.packageDir }}"

      - name: Verify published runtime
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -251,9 +251,11 @@ Skills own workflows; root owns hard policy and routing.
 - Lockfiles/shrinkwrap are security surface: review `pnpm-lock.yaml`, `npm-shrinkwrap.json`, `package-lock.json`; root/plugin npm packages ship shrinkwrap, not package-lock.
 - Carbon pins owner-only: do not change `@buape/carbon` unless Shadow (`@thewilloftheshadow`, verified by `gh`) asks.
 - Releases/publish/version bumps need explicit approval. Use `$release-openclaw-maintainer`.
+- Release versions use `YYYY.M.PATCH`, where `PATCH` is a sequential monthly release-train number, never the calendar day. Stable and beta tags determine the current train; alpha-only tags do not consume or advance the beta/stable patch number. After `2026.6.5`, the next beta train is `2026.6.6-beta.1` even if higher alpha-only tags exist.
+- Alpha/nightly versions use the next unreleased train plus an incrementing prerelease number. Repeated nightlies for the same train increment only `alpha.N`; they must not mint a new patch number from the date.
 - Backport means apply to newest open `release/` branch unless user names another target.
 - GHSA/advisories: `$openclaw-ghsa-maintainer` / `$security-triage`. Secret scanning: `$openclaw-secret-scanning-maintainer`.
- Beta tag/version match: `vYYYY.M.D-beta.N` -> npm `YYYY.M.D-beta.N --tag beta`.
+- Beta tag/version match: `vYYYY.M.PATCH-beta.N` -> npm `YYYY.M.PATCH-beta.N --tag beta`.

 ## Platform / Ops

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,39 @@

 Docs: https://docs.openclaw.ai

+## 2026.6.6
+
+### Highlights
+
+- Security boundaries are substantially tighter across transcripts, sandbox binds, host environment inheritance, MCP stdio, Codex HTTP access, native search policy, elevated sender checks, deleted-agent ACP bypasses, loopback tools, Discord moderation, and Teams group actions; exec approvals now fail closed on timeout. (#91529, #91618, #91615, #91619, #91741, #91745, #91746, #91748, #91749, #91750, #91751, #91752, #91763, #89938) Thanks @joshavant, @pgondhi987, @mmaps, @eleqtrizit, @shakkernerd, and @drobison00.
+- Telegram delivery is safer and more coherent: account-scoped topics route to the right agent, streamed text survives tool calls, `/compact` works on generic ingress, callback handling uses concrete APIs, draft chunking is shared, durable dispatch dedupe moved into the SDK, and unauthorized DM text stays out of cache and prompt context. (#91189, #88682, #89588, #90212, #91876, #91874, #91904, #91478, #91915) Thanks @codysai001, @alexzhu0, @joelnishanth, @snowzlm, @obviyus, and @sallyom.
+- iMessage recovery and delivery now cover always-on inbound restart, durable echo markers, block streaming, idle approval discovery, hardened outbound transport, and actionable inbound startup diagnostics. (#91335, #91449, #88969, #88530, #91783, #91785) Thanks @omarshahine, @jmissig, and @colmbrogan.
+- Browser and MCP connectivity gained existing-session CDP support, discovered WebSocket validation, default-profile `cdpUrl` handling, safer browser-output boundaries, Streamable HTTP loopback transport, corrected OAuth/SSE authorization handling, and broader schema compatibility. (#91422, #89851, #91736, #91747, #91451, #80143) Thanks @pgondhi987, @anagnorisis2peripeteia, @lifuyue, @eleqtrizit, @LiuwqGit, and @HemantSudarshan.
+- Control UI startup and first-reply latency are lower through cached model metadata, removal of the startup catalog wait, lazy slash-command loading, and first-event tracing with slow-reply diagnostics. (#91531, #91538, #91568, #91583, #91598)
+- Provider support expands with OpenRouter OAuth onboarding and Claude Fable 5 adaptive thinking, while Codex sessions keep correct compaction ownership, local models skip guardian review, dynamic tool progress normalizes cleanly, and Gemma 4 reasoning replay is preserved. (#91830, #91882, #91590, #88630, #88768, #91696) Thanks @Patrick-Erichsen, @joshavant, @bdjben, and @Coder-Wangyankun.
+
+### Changes
+
+- CLI progress: emit Claude CLI commentary progress events and bridge inter-tool commentary into channel progress without exposing internal protocol scaffolding. (#89834, #90883) Thanks @anagnorisis2peripeteia.
+- Observability: allow trusted diagnostics channels to capture tool input/output content, add first-assistant-event traces, and warn on slow initial replies. (#91256, #91568, #91583) Thanks @amknight.
+- Plugins/ClawHub: dogfood reusable package publishing, let dry runs skip publish approval, allow declared installed trusted hooks, report managed plugin version drift, and warn instead of failing on retired Skill Workshop configuration. (#91574, #91591, #90004, #90927, #90838) Thanks @Patrick-Erichsen, @brokemac79, and @lonexreb.
+- Memory/providers: move the local llama.cpp runtime into its provider plugin, batch embeddings across files, persist the agent model catalog cache, and keep QMD JSON search one-shot while filtering stale REM recall previews. (#91324, #89138, #90457, #91837, #91851) Thanks @osolmaz, @mushuiyu886, @ai-hpc, and @TurboTheTurtle.
+- Channels/mobile: add the QQBot group mention toggle, improve iPad and iPhone control surfaces, and expose the active connection host in the TUI footer. (#91423, #91557, #89909) Thanks @cxyhhhhh, @Solvely-Colin, and @baskduf.
+- Performance: prewarm TUI runtime plugins, deduplicate plugin auto-enable fanout, trim dense text-delta snapshots, and reuse prepared startup model metadata. (#90782, #89978, #91580, #91531) Thanks @RomneyDa and @ai-hpc.
+
+### Fixes
+
+- Agent/session recovery: drop stale approval follow-ups after session rebind, remove drained reply-queue items by identity, recover stale main and visible replies, preserve Codex context-engine compaction ownership, lower the default compaction timeout to 180 seconds while respecting explicit configuration, and keep provider-failure terminal lifecycle state correct. (#85679, #91450, #91566, #91840, #91590, #91361, #91895) Thanks @openperf, @yetval, @joshavant, @wangmiao0668000666, and @TurboTheTurtle.
+- User-visible content boundaries: suppress Codex/Harmony protocol artifacts, neutralize browser and LanceDB memory media directives, redact transcript images, and preserve native `/compact` replies through source suppression. (#89151, #91422, #91425, #91529, #90212) Thanks @joelnishanth, @pgondhi987, @joshavant, and @snowzlm.
+- Channel delivery: keep WhatsApp captured replies attached to the successor controller after restart, retry Feishu rate limits, preserve Mattermost thread replies, canonicalize LINE webhook paths, restore Discord reply hydration and runtime timeout exports, and show OpenAI Realtime WebRTC assistant transcripts. (#85823, #89659, #91684, #91649, #90263, #91686, #90426) Thanks @itsuzef, @ladygege, @jacobtomlinson, @fuller-stack-dev, and @shushushv.
+- Cron: cancel active task runs cleanly, preserve terminal timeout/cancel state, and recover no-deliver tool warnings instead of silently losing the outcome. (#90666, #90678) Thanks @ai-hpc.
+- Gateway/config/auth: share the approval runtime socket token, replace arrays explicitly in `config.patch`, skip the deleted-agent guard only for valid ACP harness sessions, surface headless LaunchAgent state, verify SQLite auth migration before cleanup, and arm QMD startup maintenance. (#87105, #91551, #91219, #91614, #91740, #91978) Thanks @fuller-stack-dev and @scotthuang.
+- Providers/Codex: clarify quota errors, restore the Codex synthetic usage line, canonicalize Codex protocol assets, require API-key auth for realtime voice, normalize ACP model refs, preserve Gemma 4 `reasoning_content`, and avoid guardian review for local models. (#91390, #91709, #91507, #91567, #88630, #91696) Thanks @hxy91819, @brokemac79, @RomneyDa, @joshavant, and @Coder-Wangyankun.
+- Updates/builds: recover package Gateway restarts after refresh failure, expose plugin convergence repair, fall back to Corepack in PATH-less pnpm environments, seed the correct Docker store packages, and keep ClawHub dry-run and publish paths reusable. (#91581, #91599, #91547, #91591) Thanks @fuller-stack-dev, @sallyom, and @Patrick-Erichsen.
+- UI: require explicit user intent before opening chat sessions and drain restored chat queues after session switches. (#91480) Thanks @TurboTheTurtle.
+- Android: avoid the `dataSync` foreground-service type for persistent nodes. (#80082) Thanks @davelutztx.
+- Native hooks: bound relay lifetimes so abandoned native hook connections cannot linger indefinitely. (#91550) Thanks @joshavant.
+
 ## 2026.6.5

 ### Highlights
@@ -31,6 +64,7 @@ Docs: https://docs.openclaw.ai

 ### Fixes

+- Agents: `sessions_send` now honors an explicit `sessionKey` when stale label metadata is also present, and denied session-id sends no longer echo the resolved canonical session key. Fixes #64699; refs #74009 and #41199. Thanks @Mintalix, @RevisitMoon, and @Mocha-s.
 - Channel content boundaries: QQBot now strips reasoning/thinking tags before sending, preserving final answers while hiding internal model narration from users. (#89913, #90132) Thanks @openperf.
 - Agents/MCP/providers: coerce non-text/image MCP tool-result blocks before they reach provider converters, preserving valid images and turning richer MCP content into text instead of malformed image blocks. (#90710, #90728) Thanks @RanSHammer and @849261680.
 - Anthropic/Codex/ACP/agent recovery: defer Anthropic stream start events until `message_start`, strip stale compaction thinking signatures before Anthropic replay, detect unsigned thinking-only stalls, refresh prompt fences after compaction writes, reject empty completion handoffs, preserve parent streaming-off overrides/shared progress commentary, forward heartbeat metadata to context-engine hooks, and cover Codex session/thread migration edge cases. (#90667, #90697, #90163, #90108, #89874, #89505, #90632, #89302, #90729, #90317, #90319) Thanks @openperf, @100yenadmin, and @ooiuuii.
--- a/12
+++ b/12
@@ -116,11 +116,19 @@ RUN pnpm_config_verify_deps_before_run=false pnpm canvas:a2ui:bundle || \
     echo "/* A2UI bundle unavailable in this build */" > extensions/canvas/src/host/a2ui/a2ui.bundle.js && \
     echo "stub" > extensions/canvas/src/host/a2ui/.bundle.hash && \
     rm -rf vendor/a2ui apps/shared/OpenClawKit/Tools/CanvasA2UI)
-RUN NODE_OPTIONS=--max-old-space-size=8192 pnpm_config_verify_deps_before_run=false pnpm build:docker
+RUN if printf '%s\n' "$OPENCLAW_EXTENSIONS" | tr ',' ' ' | tr ' ' '\n' | grep -qx 'qa-lab'; then \
+      export OPENCLAW_BUILD_PRIVATE_QA=1 OPENCLAW_ENABLE_PRIVATE_QA_CLI=1; \
+    fi && \
+    NODE_OPTIONS=--max-old-space-size=8192 pnpm_config_verify_deps_before_run=false pnpm build:docker
 # Force pnpm for UI build (Bun may fail on ARM/Synology architectures)
 ENV OPENCLAW_PREFER_PNPM=1
 RUN pnpm_config_verify_deps_before_run=false pnpm ui:build
-RUN pnpm_config_verify_deps_before_run=false pnpm qa:lab:build
+RUN if printf '%s\n' "$OPENCLAW_EXTENSIONS" | tr ',' ' ' | tr ' ' '\n' | grep -qx 'qa-lab'; then \
+      pnpm_config_verify_deps_before_run=false pnpm qa:lab:build && \
+      mkdir -p dist/extensions/qa-lab/web && \
+      rm -rf dist/extensions/qa-lab/web/dist && \
+      cp -R extensions/qa-lab/web/dist dist/extensions/qa-lab/web/dist; \
+    fi

 # Prune dev dependencies, omitted plugin runtime packages, and build-only
 # metadata before copying runtime assets into the final image.
--- a/apps/macos/Sources/OpenClaw/CronJobsStore.swift
+++ b/apps/macos/Sources/OpenClaw/CronJobsStore.swift
@@ -72,7 +72,7 @@ final class CronJobsStore {
        do {
            if let status = try? await GatewayConnection.shared.cronStatus() {
                self.schedulerEnabled = status.enabled
-                self.schedulerStorePath = status.storePath
+                self.schedulerStorePath = status.sqlitePath ?? status.storePath
                self.schedulerNextWakeAtMs = status.nextWakeAtMs
            }
            self.jobs = try await GatewayConnection.shared.cronList(includeDisabled: true)
--- a/apps/macos/Sources/OpenClaw/ExecApprovals.swift
+++ b/apps/macos/Sources/OpenClaw/ExecApprovals.swift
@@ -1,4 +1,5 @@
 import CryptoKit
+import Darwin
 import Foundation
 import OSLog
 import Security
@@ -229,6 +230,12 @@ enum ExecApprovalsStore {
    private static let secureStateDirPermissions = 0o700
    private static let fileLock = NSRecursiveLock()

+    private enum LegacyMigrationResult {
+        case notNeeded
+        case migrated
+        case blocked
+    }
+
    private static func withFileLock<T>(_ body: () throws -> T) rethrows -> T {
        self.fileLock.lock()
        defer { self.fileLock.unlock() }
@@ -243,6 +250,195 @@ enum ExecApprovalsStore {
        OpenClawPaths.stateDirURL.appendingPathComponent("exec-approvals.sock").path
    }

+    private static func legacyStateDirURLs() -> [URL] {
+        if let home = OpenClawEnv.path("OPENCLAW_HOME") {
+            var urls = [
+                URL(fileURLWithPath: home, isDirectory: true)
+                    .appendingPathComponent(".openclaw", isDirectory: true),
+            ]
+            let osHomeURL = FileManager().homeDirectoryForCurrentUser
+                .appendingPathComponent(".openclaw", isDirectory: true)
+            if !urls.contains(where: {
+                $0.standardizedFileURL.path == osHomeURL.standardizedFileURL.path
+            }) {
+                urls.append(osHomeURL)
+            }
+            return urls
+        }
+        return [
+            FileManager().homeDirectoryForCurrentUser
+                .appendingPathComponent(".openclaw", isDirectory: true),
+        ]
+    }
+
+    private static func legacyFileURLIfPending() -> URL? {
+        guard OpenClawEnv.path("OPENCLAW_STATE_DIR") != nil else { return nil }
+        let targetURL = self.fileURL()
+        for stateDirURL in self.legacyStateDirURLs() {
+            let legacyURL = stateDirURL
+                .appendingPathComponent("exec-approvals.json", isDirectory: false)
+            guard legacyURL.standardizedFileURL.path != targetURL.standardizedFileURL.path else {
+                continue
+            }
+            guard FileManager().fileExists(atPath: legacyURL.path) else { continue }
+            guard !FileManager().fileExists(atPath: targetURL.path) else { return nil }
+            return legacyURL
+        }
+        return nil
+    }
+
+    private static func unmigratedLegacyFallbackFile() -> ExecApprovalsFile {
+        ExecApprovalsFile(
+            version: 1,
+            socket: nil,
+            defaults: ExecApprovalsDefaults(
+                security: .deny,
+                ask: .always,
+                askFallback: .deny,
+                autoAllowSkills: nil),
+            agents: [:])
+    }
+
+    private static func isLegacyDefaultSocketPath(_ raw: String, legacyFileURL: URL) -> Bool {
+        let trimmed = raw.trimmingCharacters(in: .whitespacesAndNewlines)
+        if trimmed.isEmpty { return true }
+        let expanded = self.expandPath(trimmed)
+        let legacySocket = legacyFileURL.deletingLastPathComponent()
+            .appendingPathComponent("exec-approvals.sock", isDirectory: false)
+            .path
+        return URL(fileURLWithPath: expanded).standardizedFileURL.path
+            == URL(fileURLWithPath: legacySocket).standardizedFileURL.path
+    }
+
+    private static func hasSymlinkParent(_ url: URL) -> Bool {
+        var cursor = url.deletingLastPathComponent()
+        let manager = FileManager()
+        while true {
+            var isDirectory = ObjCBool(false)
+            if manager.fileExists(atPath: cursor.path, isDirectory: &isDirectory) {
+                if (try? manager.destinationOfSymbolicLink(atPath: cursor.path)) != nil {
+                    return true
+                }
+            }
+            let parent = cursor.deletingLastPathComponent()
+            if parent.path == cursor.path { return false }
+            cursor = parent
+        }
+    }
+
+    private static func archiveMigratedLegacyFile(_ legacyURL: URL) throws -> URL {
+        let manager = FileManager()
+        var archiveURL = URL(fileURLWithPath: "\(legacyURL.path).migrated")
+        if manager.fileExists(atPath: archiveURL.path) {
+            archiveURL = URL(fileURLWithPath: "\(archiveURL.path)-\(UUID().uuidString)")
+        }
+        try manager.moveItem(at: legacyURL, to: archiveURL)
+        return archiveURL
+    }
+
+    private static func writeMigratedFileExclusively(_ data: Data, to targetURL: URL) throws -> Bool {
+        let tempURL = targetURL.deletingLastPathComponent()
+            .appendingPathComponent(".exec-approvals.migration.\(UUID().uuidString)")
+        let fd = open(tempURL.path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR)
+        if fd == -1 {
+            throw POSIXError(POSIXErrorCode(rawValue: errno) ?? .EIO)
+        }
+        var closed = false
+        defer {
+            if !closed { close(fd) }
+        }
+        do {
+            try data.withUnsafeBytes { rawBuffer in
+                guard let base = rawBuffer.baseAddress else { return }
+                var offset = 0
+                while offset < rawBuffer.count {
+                    let written = Darwin.write(
+                        fd,
+                        base.advanced(by: offset),
+                        rawBuffer.count - offset)
+                    if written < 0 {
+                        throw POSIXError(POSIXErrorCode(rawValue: errno) ?? .EIO)
+                    }
+                    offset += written
+                }
+            }
+            close(fd)
+            closed = true
+            let copied = copyfile(
+                tempURL.path,
+                targetURL.path,
+                nil,
+                copyfile_flags_t(COPYFILE_EXCL))
+            if copied == -1 {
+                if errno == EEXIST {
+                    try? FileManager().removeItem(at: tempURL)
+                    return false
+                }
+                try? FileManager().removeItem(at: targetURL)
+                throw POSIXError(POSIXErrorCode(rawValue: errno) ?? .EIO)
+            }
+            try? FileManager().removeItem(at: tempURL)
+            return true
+        } catch {
+            try? FileManager().removeItem(at: tempURL)
+            throw error
+        }
+    }
+
+    private static func migrateLegacyFileIfNeeded() -> LegacyMigrationResult {
+        guard let legacyURL = self.legacyFileURLIfPending() else { return .notNeeded }
+        let targetURL = self.fileURL()
+        do {
+            if self.hasSymlinkParent(targetURL) {
+                throw NSError(domain: "ExecApprovals", code: 10, userInfo: [
+                    NSLocalizedDescriptionKey: "target path has a symlink parent",
+                ])
+            }
+            let data = try Data(contentsOf: legacyURL)
+            var file = try JSONDecoder().decode(ExecApprovalsFile.self, from: data)
+            guard file.version == 1 else {
+                throw NSError(domain: "ExecApprovals", code: 11, userInfo: [
+                    NSLocalizedDescriptionKey: "unsupported legacy approvals version",
+                ])
+            }
+            file = self.normalizeIncoming(file)
+            let rawSocketPath = file.socket?.path?
+                .trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
+            if self.isLegacyDefaultSocketPath(rawSocketPath, legacyFileURL: legacyURL) {
+                if file.socket == nil {
+                    file.socket = ExecApprovalsSocketConfig(path: nil, token: nil)
+                }
+                file.socket?.path = self.socketPath()
+            }
+            let encoder = JSONEncoder()
+            encoder.outputFormatting = [.prettyPrinted, .sortedKeys]
+            let migrated = try encoder.encode(file)
+            self.ensureSecureStateDirectory()
+            try FileManager().createDirectory(
+                at: targetURL.deletingLastPathComponent(),
+                withIntermediateDirectories: true)
+            if FileManager().fileExists(atPath: targetURL.path) { return .notNeeded }
+            let created = try self.writeMigratedFileExclusively(migrated, to: targetURL)
+            if !created { return .notNeeded }
+            try? FileManager().setAttributes(
+                [.posixPermissions: 0o600],
+                ofItemAtPath: targetURL.path)
+            do {
+                _ = try self.archiveMigratedLegacyFile(legacyURL)
+            } catch {
+                self.logger
+                    .warning(
+                        "exec approvals legacy archive failed: \(error.localizedDescription, privacy: .public)")
+            }
+            return .migrated
+        } catch {
+            self.logger
+                .error(
+                    "exec approvals legacy migration failed: \(error.localizedDescription, privacy: .public)")
+            return .blocked
+        }
+    }
+
    static func normalizeIncoming(_ file: ExecApprovalsFile) -> ExecApprovalsFile {
        let socketPath = file.socket?.path?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
        let token = file.socket?.token?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
@@ -278,6 +474,14 @@ enum ExecApprovalsStore {

    static func readSnapshot() -> ExecApprovalsSnapshot {
        self.withFileLock {
+            if self.legacyFileURLIfPending() != nil {
+                let file = self.unmigratedLegacyFallbackFile()
+                return ExecApprovalsSnapshot(
+                    path: self.fileURL().path,
+                    exists: false,
+                    hash: self.hashRaw(nil),
+                    file: file)
+            }
            let url = self.fileURL()
            guard FileManager().fileExists(atPath: url.path) else {
                return ExecApprovalsSnapshot(
@@ -322,6 +526,14 @@ enum ExecApprovalsStore {

    static func loadFile() -> ExecApprovalsFile {
        self.withFileLock {
+            if self.legacyFileURLIfPending() != nil {
+                switch self.migrateLegacyFileIfNeeded() {
+                case .migrated, .notNeeded:
+                    break
+                case .blocked:
+                    return self.unmigratedLegacyFallbackFile()
+                }
+            }
            let url = self.fileURL()
            guard FileManager().fileExists(atPath: url.path) else {
                return ExecApprovalsFile(version: 1, socket: nil, defaults: nil, agents: [:])
@@ -361,6 +573,14 @@ enum ExecApprovalsStore {

    static func ensureFile() -> ExecApprovalsFile {
        self.withFileLock {
+            if self.legacyFileURLIfPending() != nil {
+                switch self.migrateLegacyFileIfNeeded() {
+                case .migrated, .notNeeded:
+                    break
+                case .blocked:
+                    return self.unmigratedLegacyFallbackFile()
+                }
+            }
            self.ensureSecureStateDirectory()
            let url = self.fileURL()
            let existed = FileManager().fileExists(atPath: url.path)
--- a/apps/macos/Sources/OpenClaw/GatewayConnection.swift
+++ b/apps/macos/Sources/OpenClaw/GatewayConnection.swift
@@ -775,6 +775,7 @@ extension GatewayConnection {
    struct CronSchedulerStatus: Decodable {
        let enabled: Bool
        let storePath: String
+        let sqlitePath: String?
        let jobs: Int
        let nextWakeAtMs: Int?
    }
--- a/apps/macos/Sources/OpenClaw/HostEnvSanitizer.swift
+++ b/apps/macos/Sources/OpenClaw/HostEnvSanitizer.swift
@@ -27,6 +27,8 @@ enum HostEnvSanitizer {
    private static let gitAllowProtocolKey = "GIT_ALLOW_PROTOCOL"
    private static let gitProtocolFromUserKey = "GIT_PROTOCOL_FROM_USER"
    private static let gitProtocolFromUserDisabledValue = "0"
+    private static let cargoTargetExecutableOverridePattern =
+        #"^CARGO_TARGET_[A-Z0-9_]+_(LINKER|RUNNER)$"#
    private static let gitDefaultAlwaysAllowedProtocols: Set<String> = [
        "git",
        "http",
@@ -46,6 +48,12 @@ enum HostEnvSanitizer {

    private static func isBlockedOverride(_ upperKey: String) -> Bool {
        if self.blockedOverrideKeys.contains(upperKey) { return true }
+        if upperKey.range(
+            of: self.cargoTargetExecutableOverridePattern,
+            options: .regularExpression) != nil
+        {
+            return true
+        }
        return self.blockedOverridePrefixes.contains(where: { upperKey.hasPrefix($0) })
    }

--- a/apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift
+++ b/apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift
@@ -37,7 +37,9 @@ enum HostEnvSecurityPolicy {
        "BZR_PLUGIN_PATH",
        "BZR_SSH",
        "CARGO_BUILD_RUSTC",
+        "CARGO_BUILD_RUSTC_WORKSPACE_WRAPPER",
        "CARGO_BUILD_RUSTC_WRAPPER",
+        "CARGO_BUILD_RUSTDOC",
        "CARGO_HOME",
        "CATALINA_OPTS",
        "CC",
@@ -113,6 +115,8 @@ enum HostEnvSecurityPolicy {
        "GVIMINIT",
        "HELM_HOME",
        "HELM_PLUGINS",
+        "HGEDITOR",
+        "HGMERGE",
        "HGRCPATH",
        "HOSTALIASES",
        "IFS",
@@ -132,6 +136,7 @@ enum HostEnvSecurityPolicy {
        "LUA_INIT_5_3",
        "LUA_INIT_5_4",
        "LUA_PATH",
+        "MAKE",
        "MAKEFLAGS",
        "MAVEN_OPTS",
        "MFLAGS",
@@ -172,7 +177,10 @@ enum HostEnvSecurityPolicy {
        "RUBYLIB",
        "RUBYOPT",
        "RUBYSHELL",
+        "RUSTC",
+        "RUSTC_WORKSPACE_WRAPPER",
        "RUSTC_WRAPPER",
+        "RUSTDOC",
        "RUSTFLAGS",
        "R_ENVIRON",
        "R_ENVIRON_USER",
@@ -220,7 +228,9 @@ enum HostEnvSecurityPolicy {
        "BZR_PLUGIN_PATH",
        "BZR_SSH",
        "CARGO_BUILD_RUSTC",
+        "CARGO_BUILD_RUSTC_WORKSPACE_WRAPPER",
        "CARGO_BUILD_RUSTC_WRAPPER",
+        "CARGO_BUILD_RUSTDOC",
        "CATALINA_OPTS",
        "CC",
        "CMAKE_CXX_COMPILER",
@@ -263,6 +273,8 @@ enum HostEnvSecurityPolicy {
        "GRADLE_OPTS",
        "GVIMINIT",
        "HELM_PLUGINS",
+        "HGEDITOR",
+        "HGMERGE",
        "HGRCPATH",
        "HOSTALIASES",
        "IFS",
@@ -276,6 +288,7 @@ enum HostEnvSecurityPolicy {
        "LUA_INIT_5_2",
        "LUA_INIT_5_3",
        "LUA_INIT_5_4",
+        "MAKE",
        "MAKEFLAGS",
        "MAVEN_OPTS",
        "MFLAGS",
@@ -296,7 +309,10 @@ enum HostEnvSecurityPolicy {
        "RUBYLIB",
        "RUBYOPT",
        "RUBYSHELL",
+        "RUSTC",
+        "RUSTC_WORKSPACE_WRAPPER",
        "RUSTC_WRAPPER",
+        "RUSTDOC",
        "R_ENVIRON",
        "R_ENVIRON_USER",
        "R_PROFILE",
--- a/apps/macos/Sources/OpenClaw/VoiceWakeSettings.swift
+++ b/apps/macos/Sources/OpenClaw/VoiceWakeSettings.swift
@@ -47,19 +47,20 @@ struct VoiceWakeSettings: View {
    private var voiceSummaryPanel: some View {
        let enabled = voiceWakeSupported && self.state.swabbleEnabled
        let pushToTalk = voiceWakeSupported && self.state.voicePushToTalkEnabled
+        let statusColor: Color = !voiceWakeSupported ? .orange : enabled || pushToTalk ? .green : .secondary

        return HStack(alignment: .center, spacing: 14) {
            ZStack {
                Circle()
-                    .fill((enabled || pushToTalk ? Color.green : Color.secondary).opacity(0.18))
-                Image(systemName: enabled ? "waveform.badge.mic" : "mic.slash")
+                    .fill(statusColor.opacity(0.18))
+                Image(systemName: self.voiceSummaryIconName(enabled: enabled))
                    .font(.system(size: 18, weight: .semibold))
-                    .foregroundStyle(enabled || pushToTalk ? .green : .secondary)
+                    .foregroundStyle(statusColor)
            }
            .frame(width: 46, height: 46)

            VStack(alignment: .leading, spacing: 4) {
-                Text(enabled ? "Voice Wake active" : pushToTalk ? "Push-to-talk active" : "Voice controls idle")
+                Text(self.voiceSummaryTitle(enabled: enabled, pushToTalk: pushToTalk))
                    .font(.headline)
                Text(self.voiceSummarySubtitle)
                    .font(.footnote)
@@ -84,6 +85,26 @@ struct VoiceWakeSettings: View {
        }
    }

+    private func voiceSummaryIconName(enabled: Bool) -> String {
+        if !voiceWakeSupported {
+            return "exclamationmark.triangle.fill"
+        }
+        return enabled ? "waveform.badge.mic" : "mic.slash"
+    }
+
+    private func voiceSummaryTitle(enabled: Bool, pushToTalk: Bool) -> String {
+        if !voiceWakeSupported {
+            return "Voice Wake unavailable"
+        }
+        if enabled {
+            return "Voice Wake active"
+        }
+        if pushToTalk {
+            return "Push-to-talk active"
+        }
+        return "Voice controls idle"
+    }
+
    private var voiceSummarySubtitle: String {
        if !voiceWakeSupported {
            return "Voice Wake requires macOS 26 or newer."
@@ -98,16 +119,31 @@ struct VoiceWakeSettings: View {
    }

    private var unsupportedVoiceWakePanel: some View {
-        HStack(spacing: 10) {
+        HStack(alignment: .top, spacing: 12) {
            Image(systemName: "exclamationmark.triangle.fill")
-                .foregroundStyle(.yellow)
-            Text("Voice Wake requires macOS 26 or newer.")
-                .font(.callout.weight(.medium))
+                .font(.title3.weight(.semibold))
+                .foregroundStyle(.orange)
+                .frame(width: 28)
+                .padding(.top, 1)
+
+            VStack(alignment: .leading, spacing: 4) {
+                Text("Voice Wake requires macOS 26 or newer")
+                    .font(.callout.weight(.semibold))
+                Text("The Voice Wake and push-to-talk controls are hidden on older macOS versions.")
+                    .font(.footnote)
+                    .foregroundStyle(.secondary)
+                    .fixedSize(horizontal: false, vertical: true)
+            }
+
            Spacer()
        }
-        .padding(.horizontal, 14)
-        .padding(.vertical, 12)
-        .background(.yellow.opacity(0.12), in: RoundedRectangle(cornerRadius: 12, style: .continuous))
+        .padding(.horizontal, 16)
+        .padding(.vertical, 14)
+        .background(.orange.opacity(0.12), in: RoundedRectangle(cornerRadius: 12, style: .continuous))
+        .overlay {
+            RoundedRectangle(cornerRadius: 12, style: .continuous)
+                .strokeBorder(.orange.opacity(0.18))
+        }
    }

    var body: some View {
@@ -119,72 +155,68 @@ struct VoiceWakeSettings: View {

                self.voiceSummaryPanel

-                SettingsCardGroup("Activation") {
-                    SettingsCardToggleRow(
-                        title: "Enable Voice Wake",
-                        subtitle: "Listen for a wake phrase before running voice commands. Recognition runs fully on-device.",
-                        binding: self.voiceWakeBinding)
-                        .disabled(!voiceWakeSupported)
+                if voiceWakeSupported {
+                    SettingsCardGroup("Activation") {
+                        SettingsCardToggleRow(
+                            title: "Enable Voice Wake",
+                            subtitle: "Listen for a wake phrase before running voice commands. Recognition runs fully on-device.",
+                            binding: self.voiceWakeBinding)

-                    SettingsCardToggleRow(
-                        title: "Trigger Talk Mode",
-                        subtitle: "Start a full voice conversation when a wake phrase is detected.",
-                        binding: self.$state.voiceWakeTriggersTalkMode)
-                        .disabled(!self.state.swabbleEnabled)
+                        SettingsCardToggleRow(
+                            title: "Trigger Talk Mode",
+                            subtitle: "Start a full voice conversation when a wake phrase is detected.",
+                            binding: self.$state.voiceWakeTriggersTalkMode)
+                            .disabled(!self.state.swabbleEnabled)

-                    SettingsCardToggleRow(
-                        title: "Hold Right Option to talk",
-                        subtitle: "Start listening while you hold the key and show the preview overlay.",
-                        binding: self.$state.voicePushToTalkEnabled)
-                        .disabled(!voiceWakeSupported)
+                        SettingsCardToggleRow(
+                            title: "Hold Right Option to talk",
+                            subtitle: "Start listening while you hold the key and show the preview overlay.",
+                            binding: self.$state.voicePushToTalkEnabled)

-                    if self.state.voicePushToTalkEnabled, self.state.talkEnabled {
-                        SettingsCardRow(
-                            title: "Push-to-talk paused",
-                            subtitle: "Push-to-Talk resumes when Talk Mode is turned off.")
-                        {
-                            Image(systemName: "pause.circle.fill")
-                                .foregroundStyle(.orange)
+                        if self.state.voicePushToTalkEnabled, self.state.talkEnabled {
+                            SettingsCardRow(
+                                title: "Push-to-talk paused",
+                                subtitle: "Push-to-Talk resumes when Talk Mode is turned off.")
+                            {
+                                Image(systemName: "pause.circle.fill")
+                                    .foregroundStyle(.orange)
+                            }
                        }
+
+                        SettingsCardToggleRow(
+                            title: "Play phase-transition sounds",
+                            subtitle: "Play short sounds when Talk Mode switches between listening, thinking, and speaking.",
+                            binding: self.$state.talkPhaseSoundsEnabled)
+
+                        SettingsCardToggleRow(
+                            title: "Right Option stops speech",
+                            subtitle: "Tap Right Option to interrupt speech and return to listening.",
+                            binding: self.$state.talkShiftToStopEnabled,
+                            showsDivider: false)
                    }

-                    SettingsCardToggleRow(
-                        title: "Play phase-transition sounds",
-                        subtitle: "Play short sounds when Talk Mode switches between listening, thinking, and speaking.",
-                        binding: self.$state.talkPhaseSoundsEnabled)
-                        .disabled(!voiceWakeSupported)
+                    SettingsCardGroup("Recognition") {
+                        self.localePicker
+                        self.micPicker
+                        self.levelMeter
+                    }

-                    SettingsCardToggleRow(
-                        title: "Right Option stops speech",
-                        subtitle: "Tap Right Option to interrupt speech and return to listening.",
-                        binding: self.$state.talkShiftToStopEnabled,
-                        showsDivider: false)
-                        .disabled(!voiceWakeSupported)
-                }
+                    SettingsCardGroup("Test") {
+                        VoiceWakeTestCard(
+                            testState: self.$testState,
+                            isTesting: self.$isTesting,
+                            onToggle: self.toggleTest)
+                            .padding(.horizontal, 14)
+                            .padding(.vertical, 12)
+                    }

-                if !voiceWakeSupported {
+                    self.chimeSection
+
+                    self.triggerTable
+                } else {
                    self.unsupportedVoiceWakePanel
                }

-                SettingsCardGroup("Recognition") {
-                    self.localePicker
-                    self.micPicker
-                    self.levelMeter
-                }
-
-                SettingsCardGroup("Test") {
-                    VoiceWakeTestCard(
-                        testState: self.$testState,
-                        isTesting: self.$isTesting,
-                        onToggle: self.toggleTest)
-                        .padding(.horizontal, 14)
-                        .padding(.vertical, 12)
-                }
-
-                self.chimeSection
-
-                self.triggerTable
-
                Spacer(minLength: 8)
            }
            .settingsDetailContent()
@@ -217,9 +249,13 @@ struct VoiceWakeSettings: View {
    }

    private func activateLivePreview() {
+        self.loadTriggerEntries()
+        guard voiceWakeSupported else {
+            self.deactivateLivePreview()
+            return
+        }
        self.meterStartupTask?.cancel()
        self.startMicObserver()
-        self.loadTriggerEntries()
        self.meterStartupTask = Task { @MainActor in
            await self.loadMicsIfNeeded()
            guard !Task.isCancelled, self.isActive else { return }
@@ -244,6 +280,11 @@ struct VoiceWakeSettings: View {
    }

    private func scheduleMeterRestart() {
+        guard voiceWakeSupported else {
+            self.state.voiceWakeMeterActive = false
+            Task { await self.meter.stop() }
+            return
+        }
        self.meterStartupTask?.cancel()
        self.meterStartupTask = Task { @MainActor in
            guard !Task.isCancelled, self.isActive else { return }
@@ -662,7 +703,7 @@ struct VoiceWakeSettings: View {

    @MainActor
    private func scheduleMicRefresh() {
-        guard self.isActive else { return }
+        guard voiceWakeSupported, self.isActive else { return }
        MicRefreshSupport.schedule(refreshTask: &self.micRefreshTask) {
            await self.loadMicsIfNeeded(force: true)
            await self.restartMeter()
@@ -724,6 +765,11 @@ struct VoiceWakeSettings: View {

    @MainActor
    private func restartMeter() async {
+        guard voiceWakeSupported else {
+            self.state.voiceWakeMeterActive = false
+            await self.meter.stop()
+            return
+        }
        guard self.isActive else {
            self.state.voiceWakeMeterActive = false
            await self.meter.stop()
@@ -890,6 +936,7 @@ extension VoiceWakeSettings {
        _ = view.levelMeter
        _ = view.triggerTable
        _ = view.chimeSection
+        _ = view.unsupportedVoiceWakePanel

        view.addWord()
        if let entryId = view.triggerEntries.first?.id {
--- a/apps/macos/Tests/OpenClawIPCTests/ExecApprovalsStoreRefactorTests.swift
+++ b/apps/macos/Tests/OpenClawIPCTests/ExecApprovalsStoreRefactorTests.swift
@@ -16,6 +16,23 @@ struct ExecApprovalsStoreRefactorTests {
        }
    }

+    private func withTempHomeAndStateDir(
+        _ body: @escaping @Sendable (URL, URL) async throws -> Void) async throws
+    {
+        let root = FileManager().temporaryDirectory
+            .appendingPathComponent("openclaw-home-state-\(UUID().uuidString)", isDirectory: true)
+        let home = root.appendingPathComponent("home", isDirectory: true)
+        let stateDir = root.appendingPathComponent("state", isDirectory: true)
+        defer { try? FileManager().removeItem(at: root) }
+
+        try await TestIsolation.withEnvValues([
+            "OPENCLAW_HOME": home.path,
+            "OPENCLAW_STATE_DIR": stateDir.path,
+        ]) {
+            try await body(home, stateDir)
+        }
+    }
+
    @Test
    func `ensure file skips rewrite when unchanged`() async throws {
        try await self.withTempStateDir { _ in
@@ -30,6 +47,50 @@ struct ExecApprovalsStoreRefactorTests {
        }
    }

+    @Test
+    func `ensure file migrates default approvals into custom state dir`() async throws {
+        try await self.withTempHomeAndStateDir { home, stateDir in
+            let legacyDir = home.appendingPathComponent(".openclaw", isDirectory: true)
+            try FileManager().createDirectory(
+                at: legacyDir,
+                withIntermediateDirectories: true)
+            let legacySocket = legacyDir.appendingPathComponent("exec-approvals.sock").path
+            let legacyFile = legacyDir.appendingPathComponent("exec-approvals.json")
+            let legacyJson = """
+            {
+              "version": 1,
+              "socket": {
+                "path": "\(legacySocket)",
+                "token": "legacy-token"
+              },
+              "defaults": {
+                "security": "deny",
+                "ask": "always"
+              },
+              "agents": {
+                "main": {
+                  "allowlist": [{ "pattern": "git status" }]
+                }
+              }
+            }
+            """
+            try Data(legacyJson.utf8).write(to: legacyFile)
+
+            let file = ExecApprovalsStore.ensureFile()
+            let targetURL = ExecApprovalsStore.fileURL()
+
+            #expect(targetURL.path == stateDir.appendingPathComponent("exec-approvals.json").path)
+            #expect(FileManager().fileExists(atPath: targetURL.path))
+            #expect(file.socket?.path == stateDir.appendingPathComponent("exec-approvals.sock").path)
+            #expect(file.socket?.token == "legacy-token")
+            #expect(file.defaults?.security == .deny)
+            #expect(file.defaults?.ask == .always)
+            #expect(file.agents?["main"]?.allowlist?.map(\.pattern) == ["git status"])
+            #expect(!FileManager().fileExists(atPath: legacyFile.path))
+            #expect(FileManager().fileExists(atPath: "\(legacyFile.path).migrated"))
+        }
+    }
+
    @Test
    func `update allowlist accepts basename pattern`() async throws {
        try await self.withTempStateDir { _ in
--- a/apps/shared/OpenClawKit/Sources/OpenClawProtocol/GatewayModels.swift
+++ b/apps/shared/OpenClawKit/Sources/OpenClawProtocol/GatewayModels.swift
@@ -982,21 +982,25 @@ public struct WakeParams: Codable, Sendable {
    public let mode: AnyCodable
    public let text: String
    public let sessionkey: String?
+    public let agentid: String?

    public init(
        mode: AnyCodable,
        text: String,
-        sessionkey: String?)
+        sessionkey: String?,
+        agentid: String? = nil)
    {
        self.mode = mode
        self.text = text
        self.sessionkey = sessionkey
+        self.agentid = agentid
    }

    private enum CodingKeys: String, CodingKey {
        case mode
        case text
        case sessionkey = "sessionKey"
+        case agentid = "agentId"
    }
 }

--- a/docs/.generated/plugin-sdk-api-baseline.sha256
+++ b/docs/.generated/plugin-sdk-api-baseline.sha256
@@ -1,2 +1,2 @@
-8a2769df428906990ee0d1bf8b0423f2a099b053c64c816d092ff84d61e11633  plugin-sdk-api-baseline.json
-28b798973f3fb2a5b33ccbb6e3c1ac0453fa234a3a1c6cdc27935c27639bd104  plugin-sdk-api-baseline.jsonl
+2c783beea6b3cda3d79060739a923f9f39e7e8b5942123dd6b08a09143a587ca  plugin-sdk-api-baseline.json
+0b33af2cffb42abb46682fb71c8f214da220793f13d10a34d332e75ff99e8ce9  plugin-sdk-api-baseline.jsonl
--- a/docs/channels/clickclack.md
+++ b/docs/channels/clickclack.md
@@ -59,6 +59,14 @@ export CLICKCLACK_BOT_TOKEN="ccb_..."
 openclaw gateway
 ```

+If `plugins.allow` is a non-empty restrictive list, explicitly selecting
+ClickClack in channel setup or running `openclaw plugins enable clickclack`
+appends `clickclack` to that list. Onboarding installation uses the same
+explicit-selection behavior. These paths do not override `plugins.deny` or a
+global `plugins.enabled: false` setting. Direct `openclaw plugins install
+clickclack` follows the normal plugin-install policy and also records ClickClack
+in an existing allowlist.
+
 ## Multiple bots

 Each account opens its own ClickClack realtime connection and uses its own bot token.
--- a/docs/ci.md
+++ b/docs/ci.md
@@ -183,7 +183,7 @@ The workflow installs OCM from a pinned release and Kova from `openclaw/Kova` at
 - `mock-deep-profile`: CPU/heap/trace profiling for startup, gateway, and agent-turn hotspots.
 - `live-openai-candidate`: a real OpenAI `openai/gpt-5.5` agent turn, skipped when `OPENAI_API_KEY` is unavailable.

-The mock-provider lane also runs OpenClaw-native source probes after the Kova pass: gateway boot timing and memory across default, hook, and 50-plugin startup cases; bundled plugin import RSS, repeated mock-OpenAI `channel-chat-baseline` hello loops, and CLI startup commands against the booted gateway. When the previous published mock-provider source report is available for the tested ref, the source summary compares current RSS and heap values against that baseline and marks large RSS increases as `watch`. The source probe Markdown summary lives at `source/index.md` in the report bundle, with raw JSON beside it.
+The mock-provider lane also runs OpenClaw-native source probes after the Kova pass: gateway boot timing and memory across default, hook, and 50-plugin startup cases; bundled plugin import RSS, repeated mock-OpenAI `channel-chat-baseline` hello loops, CLI startup commands against the booted gateway, and the SQLite state smoke performance probe. When the previous published mock-provider source report is available for the tested ref, the source summary compares current RSS and heap values against that baseline and marks large RSS increases as `watch`. The source probe Markdown summary lives at `source/index.md` in the report bundle, with raw JSON beside it.

 Every lane uploads GitHub artifacts. When `CLAWGRIT_REPORTS_TOKEN` is configured, the workflow also commits `report.json`, `report.md`, bundles, `index.md`, and source-probe artifacts into `openclaw/clawgrit-reports` under `openclaw-performance/<tested-ref>/<run-id>-<attempt>/<lane>/`. The current tested-ref pointer is written as `openclaw-performance/<tested-ref>/latest-<lane>.json`.

@@ -452,7 +452,7 @@ For normal PRs, follow scoped CI/check evidence instead of treating parity as a

 The `CodeQL` workflow is intentionally a narrow first-pass security scanner, not the full repository sweep. Daily, manual, and non-draft pull request guard runs scan Actions workflow code plus the highest-risk JavaScript/TypeScript surfaces with high-confidence security queries filtered to high/critical `security-severity`.

-The pull request guard stays light: it only starts for changes under `.github/actions`, `.github/codeql`, `.github/workflows`, `packages`, or `src`, and it runs the same high-confidence security matrix as the scheduled workflow. Android and macOS CodeQL stay out of PR defaults.
+The pull request guard stays light: it only starts for changes under `.github/actions`, `.github/codeql`, `.github/workflows`, `packages`, `scripts`, `src`, or process-owning bundled plugin runtime paths, and it runs the same high-confidence security matrix as the scheduled workflow. Android and macOS CodeQL stay out of PR defaults.

 ### Security categories

@@ -462,6 +462,7 @@ The pull request guard stays light: it only starts for changes under `.github/ac
 | `/codeql-security-high/channel-runtime-boundary`  | Core channel implementation contracts plus the channel plugin runtime, gateway, Plugin SDK, secrets, audit touchpoints              |
 | `/codeql-security-high/network-ssrf-boundary`     | Core SSRF, IP parsing, network guard, web-fetch, and Plugin SDK SSRF policy surfaces                                                |
 | `/codeql-security-high/mcp-process-tool-boundary` | MCP servers, process execution helpers, outbound delivery, and agent tool-execution gates                                           |
+| `/codeql-security-high/process-exec-boundary`     | Local shell, process spawn helpers, subprocess-owning bundled plugin runtimes, and workflow script glue                             |
 | `/codeql-security-high/plugin-trust-boundary`     | Plugin install, loader, manifest, registry, package-manager install, source-loading, and Plugin SDK package contract trust surfaces |

 ### Platform-specific security shards
--- a/docs/cli/approvals.md
+++ b/docs/cli/approvals.md
@@ -27,7 +27,7 @@ Use it when you want to:

 - inspect the local requested policy, host approvals file, and effective merge
 - apply a local preset such as YOLO or deny-all
- synchronize local `tools.exec.*` and local `~/.openclaw/exec-approvals.json`
+- synchronize local `tools.exec.*` and the local host approvals file

 Examples:

@@ -183,7 +183,9 @@ Targeting notes:
 - `--node` uses the same resolver as `openclaw nodes` (id, name, ip, or id prefix).
 - `--agent` defaults to `"*"`, which applies to all agents.
 - The node host must advertise `system.execApprovals.get/set` (macOS app or headless node host).
- Approvals files are stored per host at `~/.openclaw/exec-approvals.json`.
+- Approvals files are stored per host in the OpenClaw state dir
+  (`$OPENCLAW_STATE_DIR/exec-approvals.json`, or
+  `~/.openclaw/exec-approvals.json` when the variable is unset).

 ## Related

--- a/docs/cli/node.md
+++ b/docs/cli/node.md
@@ -162,7 +162,8 @@ The node host stores its node id, token, display name, and gateway connection in

 `system.run` is gated by local exec approvals:

- `~/.openclaw/exec-approvals.json`
+- `$OPENCLAW_STATE_DIR/exec-approvals.json`, or
+  `~/.openclaw/exec-approvals.json` when the variable is unset
 - [Exec approvals](/tools/exec-approvals)
 - `openclaw approvals --node <id|name|ip>` (edit from the Gateway)

--- a/docs/cli/update.md
+++ b/docs/cli/update.md
@@ -130,12 +130,14 @@ install method aligned:
  missing or older than the current stable release.

 The Gateway core auto-updater (when enabled via config) launches the CLI update path
-outside the live Gateway request handler. Control-plane `update.run` package-manager
-updates also use a managed-service handoff instead of replacing the package tree
-inside the live Gateway process. The Gateway starts a detached helper, exits,
-and the helper runs the normal `openclaw update --yes --json` CLI path from
-outside the Gateway process tree. If that handoff is unavailable, `update.run`
-returns a structured response with the safe shell command to run manually.
+outside the live Gateway request handler. Control-plane `update.run`
+package-manager updates and supervised git-checkout updates also use a
+managed-service handoff instead of replacing the package tree or rebuilding
+`dist/` inside the live Gateway process. The Gateway starts a detached helper,
+exits, and the helper runs the normal `openclaw update --yes --json` CLI path
+from outside the Gateway process tree. If that handoff is unavailable,
+`update.run` returns a structured response with the safe shell command to run
+manually.

 For package-manager installs, `openclaw update` resolves the target package
 version before invoking the package manager. npm global installs use a staged
@@ -150,29 +152,33 @@ installed OpenClaw build while leaving full plugin-command completion rebuilds t
 explicit `openclaw completion --write-state` runs.

 When a local managed Gateway service is installed and restart is enabled,
-package-manager updates stop the running service before replacing the package
-tree, then refresh the service metadata from the updated install, restart the
-service, and verify the restarted Gateway reports the expected version before
-reporting `Gateway: restarted and verified.`. On macOS, the post-update check
-also verifies the LaunchAgent is loaded/running for the active profile and the
-configured loopback port is healthy. If the plist is installed but launchd is
-not supervising it, OpenClaw re-bootstraps the LaunchAgent automatically, then
-reruns the health/version/channel readiness checks. A fresh bootstrap loads the
-RunAtLoad job directly, so update recovery does not immediately `kickstart -k`
-the newly spawned Gateway. If the Gateway still does not become healthy, the
-command exits non-zero and prints the restart log path plus explicit restart,
-reinstall, and package rollback instructions. If restart cannot run, the command
-prints `Gateway: restart skipped (...)` or `Gateway: restart failed: ...` with a
-manual `openclaw gateway restart` hint. With `--no-restart`,
-package replacement still runs but the managed service is not stopped or
-restarted, so the running Gateway may keep old code until you restart it
-manually.
+package-manager and git-checkout updates stop the running service before
+replacing the package tree or mutating the checkout/build output. The updater
+then refreshes the service metadata from the updated install, restarts the
+service, and verifies the restarted Gateway before reporting
+`Gateway: restarted and verified.`. Package-manager updates additionally verify
+the restarted Gateway reports the expected package version; git-checkout updates
+verify gateway health and service readiness after the rebuild. On macOS, the
+post-update check also verifies the LaunchAgent is loaded/running for the active
+profile and the configured loopback port is healthy. If the plist is installed
+but launchd is not supervising it, OpenClaw re-bootstraps the LaunchAgent
+automatically, then reruns the health/version/channel readiness checks. A fresh
+bootstrap loads the RunAtLoad job directly, so update recovery does not
+immediately `kickstart -k` the newly spawned Gateway. If the Gateway still does
+not become healthy, the command exits non-zero and prints the restart log path
+plus explicit restart, reinstall, and package rollback instructions. If restart
+cannot run, the command prints `Gateway: restart skipped (...)` or
+`Gateway: restart failed: ...` with a manual `openclaw gateway restart` hint.
+With `--no-restart`, package replacement or git rebuild still runs but the
+managed service is not stopped or restarted, so the running Gateway may keep old
+code until you restart it manually.

 ### Control-plane response shape

 When `update.run` is invoked through the Gateway control plane on a
-package-manager install, the handler reports the handoff initiation separately
-from the CLI update that continues after the Gateway exits:
+package-manager install or supervised git checkout, the handler reports the
+handoff initiation separately from the CLI update that continues after the
+Gateway exits:

 - `ok: true`, `result.status: "skipped"`,
  `result.reason: "managed-service-handoff-started"`, and
@@ -181,8 +187,11 @@ from the CLI update that continues after the Gateway exits:
  `openclaw update --yes --json` outside the live service process.
 - `ok: false`, `result.reason: "managed-service-handoff-unavailable"`, and
  `handoff.status: "unavailable"` mean OpenClaw could not find a supervising
-  service boundary for a safe handoff. The response includes
-  `handoff.command`, the shell command to run from outside the Gateway.
+  service boundary and durable service identity for a safe handoff. For
+  example, systemd handoff requires the OpenClaw unit identity
+  (`OPENCLAW_SYSTEMD_UNIT`), not only ambient systemd process markers. The
+  response includes `handoff.command`, the shell command to run from outside the
+  Gateway.
 - `ok: false`, `result.reason: "managed-service-handoff-failed"` means the
  Gateway tried to create the handoff but could not spawn the detached helper.

@@ -193,8 +202,8 @@ health checks complete. During the handoff, the sentinel can carry
 restarted Gateway keeps polling it and only fires the continuation after the CLI
 has verified service health and rewritten the sentinel with the final `ok`
 result. `openclaw status` and `openclaw status --all` show an `Update restart`
-row while that sentinel is pending or failed, and `update.status` returns the
-latest cached sentinel.
+row while that sentinel is pending or failed, and `update.status` refreshes and
+returns the latest sentinel.

 ## Git checkout flow

--- a/docs/cli/wiki.md
+++ b/docs/cli/wiki.md
@@ -35,6 +35,7 @@ openclaw wiki status
 openclaw wiki doctor
 openclaw wiki init
 openclaw wiki ingest ./notes/alpha.md
+openclaw wiki okf import ./knowledge-catalog/okf/bundles/ga4
 openclaw wiki compile
 openclaw wiki lint
 openclaw wiki search "alpha"
@@ -104,6 +105,31 @@ Notes:
 - imported source pages keep provenance in frontmatter
 - auto-compile can run after ingest when enabled

+### `wiki okf import <path>`
+
+Import an unpacked Open Knowledge Format bundle into wiki concept pages.
+
+The importer reads every non-reserved `.md` concept document in the OKF
+directory tree, requires a non-empty `type` field, and treats unknown OKF
+`type` values as generic concepts. Reserved OKF `index.md` and `log.md` files
+are not imported as concepts.
+
+Imported pages are flattened under `concepts/` so existing wiki compile,
+search, get, digest, and dashboard flows see them immediately. The original OKF
+concept ID, `type`, `resource`, `tags`, timestamp, source path, and full
+frontmatter are preserved in the page frontmatter. Internal OKF markdown links
+are rewritten to the generated wiki pages; broken or external links are left
+unchanged.
+
+Examples:
+
+```bash
+openclaw wiki okf import ./bundles/ga4
+openclaw wiki okf import ./bundles/ga4 --json
+openclaw wiki search "BigQuery Table" --mode source-evidence --json
+openclaw wiki get <path-from-json-result>
+```
+
 ### `wiki compile`

 Rebuild indexes, related blocks, dashboards, and compiled digests.
@@ -233,6 +259,8 @@ These require the official `obsidian` CLI on `PATH` when
 - Use `wiki lint` before trusting contradictory or low-confidence content.
 - Use `wiki compile` after bulk imports or source changes when you want fresh
  dashboards and compiled digests immediately.
+- Use `wiki okf import` when a data catalog, documentation export, or agent
+  enrichment pipeline already emits OKF markdown bundles.
 - Use `wiki bridge import` when bridge mode depends on newly exported memory
  artifacts.

--- a/docs/concepts/model-providers.md
+++ b/docs/concepts/model-providers.md
@@ -368,6 +368,7 @@ Kimi K2 model IDs:
 [//]: # "moonshot-kimi-k2-model-refs:start"

 - `moonshot/kimi-k2.6`
+- `moonshot/kimi-k2.7-code`
 - `moonshot/kimi-k2.5`
 - `moonshot/kimi-k2-thinking`
 - `moonshot/kimi-k2-thinking-turbo`
--- a/docs/concepts/qa-e2e-automation.md
+++ b/docs/concepts/qa-e2e-automation.md
@@ -374,7 +374,7 @@ The implicit default set always covers canary, mention gating, native command re
 Output artifacts:

 - `telegram-qa-report.md`
- `telegram-qa-summary.json` - includes per-reply RTT (driver send → observed SUT reply) starting with the canary.
+- `qa-evidence.json` - evidence entries for the live transport checks, including profile, coverage, provider, channel, artifacts, result, and RTT fields.
 - `telegram-qa-observed-messages.json` - bodies redacted unless `OPENCLAW_QA_TELEGRAM_CAPTURE_CONTENT=1`.

 Package RTT comparison uses the same Telegram credential contract while keeping
@@ -447,7 +447,7 @@ pnpm openclaw qa discord \
 Output artifacts:

 - `discord-qa-report.md`
- `discord-qa-summary.json`
+- `qa-evidence.json` - evidence entries for the live transport checks.
 - `discord-qa-observed-messages.json` - bodies redacted unless `OPENCLAW_QA_DISCORD_CAPTURE_CONTENT=1`.
 - `discord-qa-reaction-timelines.json` and `discord-status-reactions-tool-only-timeline.png` when the status-reaction scenario runs.

@@ -495,7 +495,7 @@ Scenarios (`extensions/qa-lab/src/live-transports/slack/slack-live.runtime.ts`):
 Output artifacts:

 - `slack-qa-report.md`
- `slack-qa-summary.json`
+- `qa-evidence.json` - evidence entries for the live transport checks.
 - `slack-qa-observed-messages.json` - bodies redacted unless `OPENCLAW_QA_SLACK_CAPTURE_CONTENT=1`.
 - `approval-checkpoints/` - only when Mantis sets
  `OPENCLAW_QA_SLACK_APPROVAL_CHECKPOINT_DIR`; contains checkpoint JSON,
@@ -740,7 +740,7 @@ poll and upload-file coverage run through deterministic gateway `poll` and
 Output artifacts:

 - `whatsapp-qa-report.md`
- `whatsapp-qa-summary.json`
+- `qa-evidence.json` - evidence entries for the live transport checks.
 - `whatsapp-qa-observed-messages.json` - bodies redacted unless `OPENCLAW_QA_WHATSAPP_CAPTURE_CONTENT=1`.

 ### Convex credential pool
@@ -787,9 +787,10 @@ the source of truth for one test run and should define:
 - docs and code refs
 - optional plugin requirements
 - optional gateway config patch
- the executable `qa-flow`
+- an executable `qa-flow` block for flow scenarios, or `execution.kind`/`execution.path`
+  for Vitest and Playwright scenarios

-The reusable runtime surface that backs `qa-flow` is allowed to stay generic
+The reusable runtime surface that backs `qa-flow` blocks is allowed to stay generic
 and cross-cutting. For example, markdown scenarios can combine transport-side
 helpers with browser-side helpers that drive the embedded Control UI through the
 Gateway `browser.request` seam without adding a special-case runner.
@@ -915,6 +916,7 @@ The report should answer:
 For the inventory of available scenarios - useful when sizing follow-up work or wiring a new transport - run `pnpm openclaw qa coverage` (add `--json` for machine-readable output).
 When choosing focused proof for a touched behavior or file path, run `pnpm openclaw qa coverage --match <query>`.
 The match report searches scenario metadata, docs refs, code refs, coverage IDs, plugins, and provider requirements, then prints matching `qa suite --scenario ...` targets.
+Every `qa suite` scenario execution writes a `qa-evidence.json` artifact. Flow scenarios also write `qa-suite-summary.json` for existing suite/report tooling; scenarios that declare `execution.kind: vitest` or `execution.kind: playwright` run the matching test path and write `qa-vitest-report.md` or `qa-playwright-report.md` plus per-scenario logs.
 Treat it as a discovery aid, not a gate replacement; the selected scenario still needs the right provider mode, live transport, Multipass, Testbox, or release lane for the behavior under test.

 For character and style checks, run the same scenario across multiple live model
--- a/docs/concepts/usage-tracking.md
+++ b/docs/concepts/usage-tracking.md
@@ -30,6 +30,23 @@ title: "Usage tracking"
 - CLI: `openclaw channels list` prints the same usage snapshot alongside provider config (use `--no-usage` to skip).
 - macOS menu bar: "Usage" section under Context (only if available).

+## Custom `/usage full` footer
+
+Set `messages.usageTemplate` to customize the per-response `/usage full`
+footer. The value can be an inline template object or a JSON file path:
+
+```json
+{
+  "messages": {
+    "usageTemplate": "~/.openclaw/usage-footer.json"
+  }
+}
+```
+
+Templates read the `openclaw.usageLine.v1` contract and can use `scales`,
+`aliases`, and `output.surfaces` to render channel-specific footers. Missing,
+unreadable, invalid, or empty templates fall back to the built-in usage line.
+
 ## Providers + credentials

 - **Anthropic (Claude)**: OAuth tokens in auth profiles.
--- a/docs/docs.json
+++ b/docs/docs.json
@@ -1374,9 +1374,7 @@
                "pages": [
                  "clawhub/cli",
                  "clawhub/publishing",
-                  "clawhub/plugin-validation-fixes",
                  "clawhub/skill-format",
-                  "clawhub/soul-format",
                  "clawhub/auth",
                  "clawhub/telemetry",
                  "clawhub/troubleshooting"
--- a/docs/gateway/configuration-examples.md
+++ b/docs/gateway/configuration-examples.md
@@ -493,6 +493,8 @@ example `~/.agents/skills/manager -> ~/Projects/manager/skills`.
 - `extraDirs` scans the sibling repo as an explicit skill root.
 - `allowSymlinkTargets` lets symlinked skill folders resolve into that trusted
  real target root without allowing arbitrary symlink escapes.
+- To let Skill Workshop apply write through the same trusted symlink target,
+  set `skills.workshop.allowSymlinkTargetWrites: true`.

 ## Common patterns

--- a/docs/gateway/configuration-reference.md
+++ b/docs/gateway/configuration-reference.md
@@ -200,6 +200,9 @@ See [MCP](/cli/mcp#openclaw-as-an-mcp-client-registry) and
      nodeManager: "npm", // npm | pnpm | yarn | bun
      allowUploadedArchives: false,
    },
+    workshop: {
+      allowSymlinkTargetWrites: false,
+    },
    entries: {
      "image-lab": {
        apiKey: { source: "env", provider: "default", id: "GEMINI_API_KEY" }, // or plaintext string
@@ -216,6 +219,8 @@ See [MCP](/cli/mcp#openclaw-as-an-mcp-client-registry) and
 - `load.extraDirs`: extra shared skill roots (lowest precedence).
 - `load.allowSymlinkTargets`: trusted real target roots that skill symlinks may
  resolve into when the link lives outside its configured source root.
+- `workshop.allowSymlinkTargetWrites`: allows Skill Workshop apply to write
+  through already-trusted symlink targets (default: false).
 - `install.preferBrew`: when true, prefer Homebrew installers when `brew` is
  available before falling back to other installer kinds.
 - `install.nodeManager`: node installer preference for `metadata.openclaw.install`
--- a/docs/gateway/health.md
+++ b/docs/gateway/health.md
@@ -42,6 +42,21 @@ health commands above for live connectivity checks.
 - `channels.<provider>.accounts.<accountId>.healthMonitor.enabled`: multi-account override that wins over the channel-level setting.
 - These per-channel overrides apply to the built-in channel monitors that expose them today: Discord, Google Chat, iMessage, Microsoft Teams, Signal, Slack, Telegram, and WhatsApp.

+## Uptime monitoring
+
+External uptime monitoring services should use the dedicated `/health` endpoint, not `/v1/chat/completions`.
+
+- **DO use:** `GET /health` — instant response, no session created, no LLM call, returns `{"ok":true,"status":"live"}`
+- **DON'T use:** `/v1/chat/completions` for health checks — each request creates a full agent session with skill snapshot, context assembly, and LLM calls
+
+When no `x-openclaw-session-key` header or `user` field is provided, `/v1/chat/completions` generates a new random session for each request. Monitoring services that ping every 15 minutes create ~96 sessions/day, each consuming 4–22KB. Over time this causes session store bloat and can lead to context window overflow.
+
+### Monitoring service setup examples
+
+- **BetterStack:** Set health check URL to `https://<your-gateway-host>:<port>/health`
+- **UptimeRobot:** Add a new HTTP monitor with URL `https://<your-gateway-host>:<port>/health`
+- **Generic:** Any HTTP GET to `/health` returns 200 with `{"ok":true}` when the gateway is healthy
+
 ## When something fails

 - `logged out` or status 409–515 → relink with `openclaw channels logout` then `openclaw channels login`.
--- a/docs/gateway/openai-http-api.md
+++ b/docs/gateway/openai-http-api.md
@@ -75,6 +75,7 @@ Auth matrix:
  - honor `x-openclaw-scopes` when the header is present
  - fall back to the normal operator default scope set when the header is absent
  - only lose owner semantics when the caller explicitly narrows scopes and omits `operator.admin`
+  - require `operator.admin` for owner-level request controls such as `x-openclaw-model`

 See [Security](/gateway/security) and [Remote access](/gateway/remote).

@@ -96,7 +97,7 @@ OpenClaw treats the OpenAI `model` field as an **agent target**, not a raw provi

 Optional request headers:

- `x-openclaw-model: <provider/model-or-bare-id>` overrides the backend model for the selected agent.
+- `x-openclaw-model: <provider/model-or-bare-id>` overrides the backend model for the selected agent. Shared-secret bearer callers can use this header. Identity-bearing callers, such as trusted-proxy or private no-auth ingress requests with `x-openclaw-scopes`, need `operator.admin`; write-only callers get `403 missing scope: operator.admin`.
 - `x-openclaw-agent-id: <agentId>` remains supported as a compatibility override.
 - `x-openclaw-session-key: <sessionKey>` fully controls session routing.
 - `x-openclaw-message-channel: <channel>` sets the synthetic ingress channel context for channel-aware prompts and policies.
@@ -178,7 +179,7 @@ This is the highest-leverage compatibility set for self-hosted frontends and too

  </Accordion>
  <Accordion title="How do I override the backend model?">
-    Use `x-openclaw-model`.
+    Use `x-openclaw-model`. This is an owner-level override: it works with the Gateway shared-secret bearer token/password path, and it requires `operator.admin` on identity-bearing HTTP paths such as trusted proxy auth.

    Examples:
    `x-openclaw-model: openai/gpt-5.4`
@@ -191,7 +192,7 @@ This is the highest-leverage compatibility set for self-hosted frontends and too
    `/v1/embeddings` uses the same agent-target `model` ids.

    Use `model: "openclaw/default"` or `model: "openclaw/<agentId>"`.
-    When you need a specific embedding model, send it in `x-openclaw-model`.
+    When you need a specific embedding model, send it in `x-openclaw-model` from a shared-secret caller or an identity-bearing caller with `operator.admin`.
    Without that header, the request passes through to the selected agent's normal embedding setup.

  </Accordion>
@@ -285,7 +286,7 @@ Expected behavior:

 - `GET /v1/models` should list `openclaw/default`
 - Open WebUI should use `openclaw/default` as the chat model id
- If you want a specific backend provider/model for that agent, set the agent's normal default model or send `x-openclaw-model`
+- If you want a specific backend provider/model for that agent, set the agent's normal default model or send `x-openclaw-model` from a shared-secret caller or an identity-bearing caller with `operator.admin`

 Quick smoke:

@@ -370,7 +371,7 @@ Notes:

 - `/v1/models` returns OpenClaw agent targets, not raw provider catalogs.
 - `openclaw/default` is always present so one stable id works across environments.
- Backend provider/model overrides belong in `x-openclaw-model`, not the OpenAI `model` field.
+- Backend provider/model overrides belong in `x-openclaw-model`, not the OpenAI `model` field. On identity-bearing HTTP auth paths, this header requires `operator.admin`.
 - `/v1/embeddings` supports `input` as a string or array of strings.

 ## Related
--- a/docs/gateway/protocol.md
+++ b/docs/gateway/protocol.md
@@ -411,8 +411,8 @@ enumeration of `src/gateway/server-methods/*.ts`.
    - `config.apply` validates + replaces the full config payload.
    - `config.schema` returns the live config schema payload used by Control UI and CLI tooling: schema, `uiHints`, version, and generation metadata, including plugin + channel schema metadata when the runtime can load it. The schema includes field `title` / `description` metadata derived from the same labels and help text used by the UI, including nested object, wildcard, array-item, and `anyOf` / `oneOf` / `allOf` composition branches when matching field documentation exists.
    - `config.schema.lookup` returns a path-scoped lookup payload for one config path: normalized path, a shallow schema node, matched hint + `hintPath`, optional `reloadKind`, and immediate child summaries for UI/CLI drill-down. `reloadKind` is one of `restart`, `hot`, or `none` and mirrors the Gateway config reload planner for the requested path. Lookup schema nodes keep the user-facing docs and common validation fields (`title`, `description`, `type`, `enum`, `const`, `format`, `pattern`, numeric/string/array/object bounds, and flags like `additionalProperties`, `deprecated`, `readOnly`, `writeOnly`). Child summaries expose `key`, normalized `path`, `type`, `required`, `hasChildren`, optional `reloadKind`, plus the matched `hint` / `hintPath`.
-    - `update.run` runs the gateway update flow and schedules a restart only when the update itself succeeded; callers with a session can include `continuationMessage` so startup resumes one follow-up agent turn through the restart continuation queue. Package-manager updates from the control plane use a detached managed-service handoff instead of replacing the package tree inside the live Gateway. A started handoff returns `ok: true` with `result.reason: "managed-service-handoff-started"` and `handoff.status: "started"`; unavailable or failed handoffs return `ok: false` with `managed-service-handoff-unavailable` or `managed-service-handoff-failed`, plus `handoff.command` when a manual shell update is required. During a started handoff, the restart sentinel may briefly report `stats.reason: "restart-health-pending"`; the continuation is delayed until the CLI verifies the restarted Gateway and writes the final `ok` sentinel.
-    - `update.status` returns the latest cached update restart sentinel, including the post-restart running version when available.
+    - `update.run` runs the gateway update flow and schedules a restart only when the update itself succeeded; callers with a session can include `continuationMessage` so startup resumes one follow-up agent turn through the restart continuation queue. Package-manager updates and supervised git-checkout updates from the control plane use a detached managed-service handoff instead of replacing the package tree or mutating checkout/build output inside the live Gateway. A started handoff returns `ok: true` with `result.reason: "managed-service-handoff-started"` and `handoff.status: "started"`; unavailable or failed handoffs return `ok: false` with `managed-service-handoff-unavailable` or `managed-service-handoff-failed`, plus `handoff.command` when a manual shell update is required. An unavailable handoff means OpenClaw lacks a safe supervisor boundary or durable service identity, such as `OPENCLAW_SYSTEMD_UNIT` for systemd. During a started handoff, the restart sentinel may briefly report `stats.reason: "restart-health-pending"`; the continuation is delayed until the CLI verifies the restarted Gateway and writes the final `ok` sentinel.
+    - `update.status` refreshes and returns the latest update restart sentinel, including the post-restart running version when available.
    - `wizard.start`, `wizard.next`, `wizard.status`, and `wizard.cancel` expose the onboarding wizard over WS RPC.

  </Accordion>
--- a/docs/gateway/security/audit-checks.md
+++ b/docs/gateway/security/audit-checks.md
@@ -93,7 +93,7 @@ exhaustive):
 | `tools.exec.host_sandbox_no_sandbox_agents`                   | warn          | Per-agent `exec host=sandbox` fails closed when sandbox is off                       | `agents.list[].tools.exec.host`, `agents.list[].sandbox.mode`                                        | no       |
 | `tools.exec.security_full_configured`                         | warn/critical | Host exec is running with `security="full"`                                          | `tools.exec.security`, `agents.list[].tools.exec.security`                                           | no       |
 | `tools.exec.fs_tools_disabled_but_exec_enabled`               | warn          | Filesystem tool policy does not make shell execution read-only                       | `tools.deny`, `agents.list[].tools.deny`, `agents.*.sandbox.workspaceAccess`                         | no       |
-| `tools.exec.auto_allow_skills_enabled`                        | warn          | Exec approvals trust skill bins implicitly                                           | `~/.openclaw/exec-approvals.json`                                                                    | no       |
+| `tools.exec.auto_allow_skills_enabled`                        | warn          | Exec approvals trust skill bins implicitly                                           | host approvals file                                                                                  | no       |
 | `tools.exec.allowlist_interpreter_without_strict_inline_eval` | warn          | Interpreter allowlists permit inline eval without forced reapproval                  | `tools.exec.strictInlineEval`, `agents.list[].tools.exec.strictInlineEval`, exec approvals allowlist | no       |
 | `tools.exec.safe_bins_interpreter_unprofiled`                 | warn          | Interpreter/runtime bins in `safeBins` without explicit profiles broaden exec risk   | `tools.exec.safeBins`, `tools.exec.safeBinProfiles`, `agents.list[].tools.exec.*`                    | no       |
 | `tools.exec.safe_bins_broad_behavior`                         | warn          | Broad-behavior tools in `safeBins` weaken the low-risk stdin-filter trust model      | `tools.exec.safeBins`, `agents.list[].tools.exec.safeBins`                                           | no       |
--- a/docs/gateway/security/index.md
+++ b/docs/gateway/security/index.md
@@ -951,7 +951,7 @@ Important boundary note:
 - Treat credentials that can call `/v1/chat/completions`, `/v1/responses`, plugin routes such as `/api/v1/admin/rpc`, or `/api/channels/*` as full-access operator secrets for that gateway.
 - On the OpenAI-compatible HTTP surface, shared-secret bearer auth restores the full default operator scopes (`operator.admin`, `operator.approvals`, `operator.pairing`, `operator.read`, `operator.talk.secrets`, `operator.write`) and owner semantics for agent turns; narrower `x-openclaw-scopes` values do not reduce that shared-secret path.
 - Per-request scope semantics on HTTP only apply when the request comes from an identity-bearing mode such as trusted proxy auth, or from an explicitly no-auth private ingress.
- In those identity-bearing modes, omitting `x-openclaw-scopes` falls back to the normal operator default scope set; send the header explicitly when you want a narrower scope set.
+- In those identity-bearing modes, omitting `x-openclaw-scopes` falls back to the normal operator default scope set; send the header explicitly when you want a narrower scope set. Owner-level OpenAI-compatible headers such as `x-openclaw-model` require `operator.admin` when scopes are narrowed.
 - `/tools/invoke` and HTTP session history endpoints follow the same shared-secret rule: token/password bearer auth is treated as full operator access there too, while identity-bearing modes still honor declared scopes.
 - Do not share these credentials with untrusted callers; prefer separate gateways per trust boundary.

--- a/docs/gateway/troubleshooting.md
+++ b/docs/gateway/troubleshooting.md
@@ -154,6 +154,10 @@ Do not use broad targets such as `~`, `/`, or a whole synced project folder.
 Keep `allowSymlinkTargets` scoped to the real skill root that contains trusted
 `SKILL.md` directories.

+If Skill Workshop apply should also write through those trusted symlinked
+workspace skill paths, enable `skills.workshop.allowSymlinkTargetWrites`. Keep
+it disabled for read-only shared skill roots.
+
 Related:

 - [Skills config](/tools/skills-config#symlinked-sibling-repos)
--- a/docs/platforms/mac/voicewake.md
+++ b/docs/platforms/mac/voicewake.md
@@ -7,6 +7,12 @@ title: "Voice wake (macOS)"

 # Voice Wake & Push-to-Talk

+## Requirements
+
+Voice Wake and push-to-talk require macOS 26 or newer. On older macOS versions,
+the controls are hidden from the Voice settings page, which shows the macOS 26
+requirement.
+
 ## Modes

 - **Wake-word mode** (default): always-on Speech recognizer waits for trigger tokens (`swabbleTriggerWords`). On match it starts capture, shows the overlay with partial text, and auto-sends after silence.
@@ -47,7 +53,7 @@ Hardening:
 ## User-facing settings

 - **Voice Wake** toggle: enables wake-word runtime.
- **Hold Cmd+Fn to talk**: enables the push-to-talk monitor. Disabled on macOS < 26.
+- **Hold Right Option to talk**: enables the push-to-talk monitor.
 - Language & mic pickers, live level meter, trigger-word table, tester (local-only; does not forward).
 - Mic picker preserves the last selection if a device disconnects, shows a disconnected hint, and temporarily falls back to the system default until it returns.
 - **Sounds**: chimes on trigger detect and on send; defaults to the macOS "Glass" system sound. You can pick any `NSSound`-loadable file (e.g. MP3/WAV/AIFF) for each event or choose **No Sound**.
@@ -63,7 +69,7 @@ Hardening:

 ## Quick verification

- Toggle push-to-talk on, hold Cmd+Fn, speak, release: overlay should show partials then send.
+- Toggle push-to-talk on, hold Right Option, speak, release: overlay should show partials then send.
 - While holding, menu-bar ears should stay enlarged (uses `triggerVoiceEars(ttl:nil)`); they drop after release.

 ## Related
--- a/docs/platforms/windows.md
+++ b/docs/platforms/windows.md
@@ -18,11 +18,13 @@ most Linux-compatible Gateway runtime.
 Windows Hub is the native WinUI companion app for Windows 10 20H2+ and Windows 11. It installs without administrator privileges and is published with signed
 x64 and ARM64 installers on OpenClaw releases.

-Download the latest stable installer:
+Download the latest stable installer from the [OpenClaw releases page](https://github.com/openclaw/openclaw/releases):

- [OpenClawCompanion-Setup-x64.exe](https://github.com/openclaw/openclaw/releases/latest/download/OpenClawCompanion-Setup-x64.exe)
- [OpenClawCompanion-Setup-arm64.exe](https://github.com/openclaw/openclaw/releases/latest/download/OpenClawCompanion-Setup-arm64.exe)
- [Checksums](https://github.com/openclaw/openclaw/releases/latest/download/OpenClawCompanion-SHA256SUMS.txt)
+- [OpenClawCompanion-Setup-x64.exe](https://github.com/openclaw/openclaw/releases/download/v2026.6.5/OpenClawCompanion-Setup-x64.exe)
+- [OpenClawCompanion-Setup-arm64.exe](https://github.com/openclaw/openclaw/releases/download/v2026.6.5/OpenClawCompanion-Setup-arm64.exe)
+- [Checksums](https://github.com/openclaw/openclaw/releases/download/v2026.6.5/OpenClawCompanion-SHA256SUMS.txt)
+
+If a download link above returns a 404, visit the [releases page](https://github.com/openclaw/openclaw/releases) and look for the `OpenClawCompanion-Setup-*` assets on the latest release.

 After install, launch **OpenClaw Companion** from the Start menu or the system
 tray. The installer also adds shortcuts for Gateway Setup, Chat, Settings,
--- a/docs/plugins/compatibility.md
+++ b/docs/plugins/compatibility.md
@@ -128,6 +128,10 @@ Current compatibility records include:
 - legacy runtime aliases such as `api.runtime.taskFlow`,
  `api.runtime.subagent.getSession`, `api.runtime.stt`, and deprecated
  `api.runtime.config.loadConfig()` / `api.runtime.config.writeConfigFile(...)`
+- WhatsApp `WebInboundMessage` flat callback fields such as `body`, `chatId`,
+  `reply(...)`, and `mediaPath` while callback consumers migrate to the nested
+  `WebInboundCallbackMessage` `event`, `payload`, `quote`, `group`, and
+  `platform` contexts
 - legacy memory-plugin split registration while memory plugins move to
  `registerMemoryCapability`
 - legacy memory-specific embedding provider registration while embedding
@@ -160,6 +164,33 @@ New plugin code should prefer the replacement listed in the registry and in the
 specific migration guide. Existing plugins can keep using a compatibility path
 until the docs, diagnostics, and release notes announce a removal window.

+### WhatsApp Inbound Callback Flat Aliases
+
+WhatsApp runtime callbacks deliver `WebInboundMessage`: the canonical nested
+`event`, `payload`, `quote`, `group`, and `platform` contexts plus deprecated
+flat aliases for the shipped callback fields. New callback code should read the
+nested contexts. Code that constructs clean nested callback messages can use
+`WebInboundCallbackMessage`; compatibility listeners that still inject old flat
+test or plugin messages should use `LegacyFlatWebInboundMessage` or
+`WebInboundMessageInput`.
+
+The flat aliases remain available until **2026-08-30**. That removal window
+applies only to flat alias access; the nested callback shape is the canonical
+runtime contract. The TypeScript `@deprecated` annotations on each flat alias
+name its exact nested replacement. Common examples:
+
+- `id`, `timestamp`, and `isBatched` move under `event`.
+- `body`, `mediaPath`, `mediaType`, `mediaFileName`, `mediaUrl`, `location`, and
+  `untrustedStructuredContext` move under `payload`.
+- `to`, `chatId`, sender/self fields, `sendComposing`, `reply(...)`, and
+  `sendMedia(...)` move under `platform`.
+- `replyTo*` fields move under `quote`, and group subject/participant/mention
+  fields move under `group`.
+
+`payload.untrustedStructuredContext` is extracted from inbound provider payloads.
+Plugins should inspect the `label`, `source`, and `type` before treating its
+`payload` as authoritative.
+
 ## Release notes

 Release notes should include upcoming plugin deprecations with target dates and
--- a/docs/plugins/hooks.md
+++ b/docs/plugins/hooks.md
@@ -425,6 +425,10 @@ even when the channel payload has no visible text/caption. Rewriting that
 `content` updates the hook-visible transcript only; it is not rendered as a
 media caption.

+`reply_payload_sending` events may include `usageState`, a best-effort live
+per-turn model/usage/context snapshot. Durable delivery, recovered replay, and
+replies without exact run correlation omit it.
+
 Message hook contexts expose stable correlation fields when available:
 `ctx.sessionKey`, `ctx.runId`, `ctx.messageId`, `ctx.senderId`, `ctx.trace`,
 `ctx.traceId`, `ctx.spanId`, `ctx.parentSpanId`, and `ctx.callDepth`. Inbound
--- a/docs/plugins/memory-wiki.md
+++ b/docs/plugins/memory-wiki.md
@@ -25,6 +25,7 @@ less like a pile of Markdown files.
 - Page-level provenance, confidence, contradictions, and open questions
 - Compiled digests for agent/runtime consumers
 - Wiki-native search/get/apply/lint tools
+- Open Knowledge Format imports into compiled wiki concepts
 - Optional bridge mode that imports public artifacts from the active memory plugin
 - Optional Obsidian-friendly render mode and CLI integration

@@ -135,6 +136,34 @@ The main page groups are:
 - `syntheses/` for compiled summaries and maintained rollups
 - `reports/` for generated dashboards

+## Open Knowledge Format imports
+
+`memory-wiki` can import unpacked Open Knowledge Format bundles with:
+
+```bash
+openclaw wiki okf import ./bundles/ga4
+```
+
+This is the cleanest fit when a data catalog, documentation crawler, or
+enrichment agent already produces OKF: keep OKF as the portable exchange
+artifact, then let `memory-wiki` turn it into OpenClaw-native concept pages and
+compiled digests.
+
+The importer follows the OKF v0.1 shape:
+
+- non-reserved `.md` files are concept documents
+- each imported concept needs a non-empty `type` frontmatter field
+- unknown OKF `type` values are accepted
+- reserved `index.md` and `log.md` files are not imported as concepts
+- broken or external markdown links are preserved
+
+Imported concept pages are flattened under `concepts/` so the existing compile,
+search, get, dashboard, and prompt-digest paths see them without adding a second
+wiki tree. Each page keeps the original OKF concept ID, source path, `type`,
+`resource`, `tags`, timestamp, and full producer frontmatter. Internal OKF links
+are rewritten to the generated wiki concept pages and also emitted as structured
+`relationships` entries with `kind: okf-link`.
+
 ## Structured claims and evidence

 Pages can carry structured `claims` frontmatter, not just freeform text.
--- a/docs/plugins/plugin-inventory.md
+++ b/docs/plugins/plugin-inventory.md
@@ -137,7 +137,7 @@ Each entry lists the package, distribution route, and description.

 - **[mattermost](/plugins/reference/mattermost)** (`@openclaw/mattermost`) - included in OpenClaw. Adds the Mattermost channel surface for sending and receiving OpenClaw messages.

- **[memory-core](/plugins/reference/memory-core)** (`@openclaw/memory-core`) - included in OpenClaw. Adds file-backed memory search tools.
+- **[memory-core](/plugins/reference/memory-core)** (`@openclaw/memory-core`) - included in OpenClaw. Adds agent-callable tools.

 - **[memory-wiki](/plugins/reference/memory-wiki)** (`@openclaw/memory-wiki`) - included in OpenClaw. Persistent wiki compiler and Obsidian-friendly knowledge vault for OpenClaw.

@@ -267,10 +267,10 @@ Each entry lists the package, distribution route, and description.

 - **[googlechat](/plugins/reference/googlechat)** (`@openclaw/googlechat`) - npm; ClawHub. OpenClaw Google Chat channel plugin for spaces and direct messages.

- **[llama-cpp](/plugins/reference/llama-cpp)** (`@openclaw/llama-cpp-provider`) - npm; ClawHub. OpenClaw llama.cpp embedding provider plugin.
-
 - **[line](/plugins/reference/line)** (`@openclaw/line`) - npm; ClawHub. OpenClaw LINE channel plugin for LINE Bot API chats.

+- **[llama-cpp](/plugins/reference/llama-cpp)** (`@openclaw/llama-cpp-provider`) - npm; ClawHub. Local GGUF embeddings through node-llama-cpp.
+
 - **[lobster](/plugins/reference/lobster)** (`@openclaw/lobster`) - npm; ClawHub. Lobster workflow tool plugin for typed pipelines and resumable approvals.

 - **[matrix](/plugins/reference/matrix)** (`@openclaw/matrix`) - ClawHub: `clawhub:@openclaw/matrix`; npm. OpenClaw Matrix channel plugin for rooms and direct messages.
--- a/docs/plugins/reference/anthropic-vertex.md
+++ b/docs/plugins/reference/anthropic-vertex.md
@@ -18,8 +18,12 @@ OpenClaw Anthropic Vertex provider plugin for Claude models on Google Vertex AI.

 providers: anthropic-vertex

+<!-- openclaw-plugin-reference:manual-start -->
+
 ## Claude Fable 5

 Use `anthropic-vertex/claude-fable-5` where the model is available in your Google Cloud region.
 Fable 5 always uses adaptive thinking and defaults to `high` effort. `/think off` and
 `/think minimal` use `low` effort because the model does not support disabling thinking.
+
+<!-- openclaw-plugin-reference:manual-end -->
--- a/docs/plugins/reference/llama-cpp.md
+++ b/docs/plugins/reference/llama-cpp.md
@@ -1,13 +1,13 @@
 ---
-summary: "OpenClaw llama.cpp embedding provider plugin."
+summary: "Local GGUF embeddings through node-llama-cpp."
 read_when:
  - You are installing, configuring, or auditing the llama-cpp plugin
-title: "llama-cpp plugin"
+title: "Llama Cpp plugin"
 ---

-# llama-cpp plugin
+# Llama Cpp plugin

-OpenClaw llama.cpp embedding provider plugin.
+Local GGUF embeddings through node-llama-cpp.

 ## Distribution

@@ -20,4 +20,4 @@ contracts: embeddingProviders

 ## Related docs

- [llama.cpp Provider](/plugins/llama-cpp)
+- [llama-cpp](/plugins/llama-cpp)
--- a/docs/plugins/reference/memory-core.md
+++ b/docs/plugins/reference/memory-core.md
@@ -1,5 +1,5 @@
 ---
-summary: "Adds file-backed memory search tools."
+summary: "Adds agent-callable tools."
 read_when:
  - You are installing, configuring, or auditing the memory-core plugin
 title: "Memory Core plugin"
@@ -7,7 +7,7 @@ title: "Memory Core plugin"

 # Memory Core plugin

-Adds file-backed memory search tools.
+Adds agent-callable tools.

 ## Distribution

--- a/docs/plugins/reference/microsoft-foundry.md
+++ b/docs/plugins/reference/microsoft-foundry.md
@@ -1,5 +1,5 @@
 ---
-summary: "Use Microsoft Foundry chat and MAI image deployments from OpenClaw."
+summary: "Adds Microsoft Foundry model provider support to OpenClaw."
 read_when:
  - You are installing, configuring, or auditing the microsoft-foundry plugin
 title: "Microsoft Foundry plugin"
@@ -7,9 +7,7 @@ title: "Microsoft Foundry plugin"

 # Microsoft Foundry plugin

-Use Microsoft Foundry deployments from OpenClaw with API-key auth or Microsoft
-Entra ID through the Azure CLI. The plugin owns Microsoft Foundry model
-discovery, runtime token refresh, and MAI image generation.
+Adds Microsoft Foundry model provider support to OpenClaw.

 ## Distribution

@@ -18,7 +16,10 @@ discovery, runtime token refresh, and MAI image generation.

 ## Surface

- Model provider: `microsoft-foundry`
+providers: microsoft-foundry; contracts: imageGenerationProviders
+
+<!-- openclaw-plugin-reference:manual-start -->
+
 - Image-generation provider: `microsoft-foundry`

 ## Requirements
@@ -108,3 +109,5 @@ MAI image constraints:
  Foundry deployment through onboarding or add `models.providers.microsoft-foundry.baseUrl`.
 - `supports MAI image deployments only`: the selected image model points at a
  non-MAI deployment. Use a deployed MAI image model for `image_generate`.
+
+<!-- openclaw-plugin-reference:manual-end -->
--- a/docs/plugins/sdk-runtime.md
+++ b/docs/plugins/sdk-runtime.md
@@ -471,6 +471,13 @@ two-party event loops that do not go through the shared inbound reply runner.
    const hint = api.runtime.system.formatNativeDependencyHint(pkg);
    ```

+    `runCommandWithTimeout(...)` returns captured `stdout` and `stderr`, optional
+    truncation counts, `code`, `signal`, `killed`, `termination`, and
+    `noOutputTimedOut`. Timeout and no-output-timeout results report `code: 124`
+    when the child process does not provide a non-zero exit code. Non-timeout
+    signal exits can still return `code: null`, so use `termination` and
+    `noOutputTimedOut` to distinguish timeout reasons.
+
  </Accordion>
  <Accordion title="api.runtime.events">
    Event subscriptions.
--- a/docs/providers/bedrock-mantle.md
+++ b/docs/providers/bedrock-mantle.md
@@ -38,6 +38,19 @@ Choose your preferred auth method and follow the setup steps.
        export AWS_REGION="us-west-2"
        ```
      </Step>
+      <Step title="Opt in to provider data sharing for Claude Fable 5">
+        Claude Fable 5 and Claude Mythos-class Bedrock models require the Mantle Data Retention API mode `provider_data_share` before invocation. This opt-in allows Bedrock to share prompts and completions with Anthropic and retain them for up to 30 days for trust and safety review.
+
+        ```bash
+        AWS_REGION="${AWS_REGION:-us-east-1}"
+        curl -X PUT "https://bedrock-mantle.${AWS_REGION}.api.aws/v1/data_retention" \
+          -H "Authorization: Bearer $AWS_BEARER_TOKEN_BEDROCK" \
+          -H "Content-Type: application/json" \
+          -d '{ "mode": "provider_data_share" }'
+        ```
+
+        Use another Bedrock model in the config if you cannot accept that retention mode.
+      </Step>
      <Step title="Verify models are discovered">
        ```bash
        openclaw models list
--- a/docs/providers/moonshot.md
+++ b/docs/providers/moonshot.md
@@ -22,6 +22,7 @@ Moonshot and Kimi Coding are **separate providers**. Keys are not interchangeabl
 | Model ref                         | Name                   | Reasoning | Input       | Context | Max output |
 | --------------------------------- | ---------------------- | --------- | ----------- | ------- | ---------- |
 | `moonshot/kimi-k2.6`              | Kimi K2.6              | No        | text, image | 262,144 | 262,144    |
+| `moonshot/kimi-k2.7-code`         | Kimi K2.7 Code         | Always on | text, image | 262,144 | 262,144    |
 | `moonshot/kimi-k2.5`              | Kimi K2.5              | No        | text, image | 262,144 | 262,144    |
 | `moonshot/kimi-k2-thinking`       | Kimi K2 Thinking       | Yes       | text        | 262,144 | 262,144    |
 | `moonshot/kimi-k2-thinking-turbo` | Kimi K2 Thinking Turbo | Yes       | text        | 262,144 | 262,144    |
@@ -30,11 +31,18 @@ Moonshot and Kimi Coding are **separate providers**. Keys are not interchangeabl
 [//]: # "moonshot-kimi-k2-ids:end"

 Bundled cost estimates for current Moonshot-hosted K2 models use Moonshot's
-published pay-as-you-go rates: Kimi K2.6 is $0.16/MTok cache hit,
+published pay-as-you-go rates: Kimi K2.7 Code is $0.19/MTok cache hit,
+$0.95/MTok input, and $4.00/MTok output; Kimi K2.6 is $0.16/MTok cache hit,
 $0.95/MTok input, and $4.00/MTok output; Kimi K2.5 is $0.10/MTok cache hit,
 $0.60/MTok input, and $3.00/MTok output. Other legacy catalog entries keep
 zero-cost placeholders unless you override them in config.

+Kimi K2.7 Code always uses native thinking. OpenClaw exposes only the `on`
+thinking state for this model and omits outbound `thinking` and
+`reasoning_effort` controls, as required by Moonshot. OpenClaw also omits
+sampling overrides that K2.7 fixes to provider defaults. Kimi K2.6 remains the
+onboarding default.
+
 ## Getting started

 Choose your provider and follow the setup steps.
@@ -109,6 +117,7 @@ Choose your provider and follow the setup steps.
          models: {
            // moonshot-kimi-k2-aliases:start
            "moonshot/kimi-k2.6": { alias: "Kimi K2.6" },
+            "moonshot/kimi-k2.7-code": { alias: "Kimi K2.7 Code" },
            "moonshot/kimi-k2.5": { alias: "Kimi K2.5" },
            "moonshot/kimi-k2-thinking": { alias: "Kimi K2 Thinking" },
            "moonshot/kimi-k2-thinking-turbo": { alias: "Kimi K2 Thinking Turbo" },
@@ -135,6 +144,15 @@ Choose your provider and follow the setup steps.
                contextWindow: 262144,
                maxTokens: 262144,
              },
+              {
+                id: "kimi-k2.7-code",
+                name: "Kimi K2.7 Code",
+                reasoning: true,
+                input: ["text", "image"],
+                cost: { input: 0.95, output: 4, cacheRead: 0.19, cacheWrite: 0 },
+                contextWindow: 262144,
+                maxTokens: 262144,
+              },
              {
                id: "kimi-k2.5",
                name: "Kimi K2.5",
@@ -288,7 +306,13 @@ Config lives under `plugins.entries.moonshot.config.webSearch`:

 <AccordionGroup>
  <Accordion title="Native thinking mode">
-    Moonshot Kimi supports binary native thinking:
+    Kimi K2.7 Code always uses native thinking. Moonshot requires clients to
+    omit the `thinking` field for this model, so OpenClaw exposes only `on` and
+    ignores stale `off` settings. K2.7 also fixes `temperature`, `top_p`, `n`,
+    `presence_penalty`, and `frequency_penalty`; OpenClaw omits configured
+    overrides for those fields.
+
+    Other Moonshot Kimi models support binary native thinking:

    - `thinking: { type: "enabled" }`
    - `thinking: { type: "disabled" }`
@@ -311,7 +335,7 @@ Config lives under `plugins.entries.moonshot.config.webSearch`:
    }
    ```

-    OpenClaw also maps runtime `/think` levels for Moonshot:
+    OpenClaw maps runtime `/think` levels for those models:

    | `/think` level       | Moonshot behavior          |
    | -------------------- | -------------------------- |
@@ -319,14 +343,16 @@ Config lives under `plugins.entries.moonshot.config.webSearch`:
    | Any non-off level    | `thinking.type=enabled`    |

    <Warning>
-    When Moonshot thinking is enabled, `tool_choice` must be `auto` or `none`. OpenClaw normalizes incompatible `tool_choice` values to `auto` for compatibility.
+    When Moonshot thinking is enabled, `tool_choice` must be `auto` or `none`. OpenClaw normalizes incompatible values to `auto`. This includes Kimi K2.7 Code, whose thinking mode cannot be disabled to preserve a pinned tool choice.
    </Warning>

    Kimi K2.6 also accepts an optional `thinking.keep` field that controls
    multi-turn retention of `reasoning_content`. Set it to `"all"` to keep full
    reasoning across turns; omit it (or leave it `null`) to use the server
    default strategy. OpenClaw only forwards `thinking.keep` for
-    `moonshot/kimi-k2.6` and strips it from other models.
+    `moonshot/kimi-k2.6` and strips it from other models. Kimi K2.7 Code
+    preserves full reasoning history by default while OpenClaw omits the entire
+    `thinking` field.

    ```json5
    {
@@ -347,7 +373,7 @@ Config lives under `plugins.entries.moonshot.config.webSearch`:
  </Accordion>

  <Accordion title="Tool call id sanitization">
-    Moonshot Kimi serves tool_call ids shaped like `functions.<name>:<index>`. OpenClaw preserves them unchanged so multi-turn tool calls keep working.
+    Moonshot Kimi serves native tool_call ids shaped like `functions.<name>:<index>`. For the OpenAI-completions transport, OpenClaw preserves the first occurrence of each native Kimi id and rewrites later duplicates to deterministic OpenAI-style `call_*` ids. Matching tool results are remapped with the same id so replay remains unique without stripping Kimi's first native id.

    To force strict sanitization on a custom OpenAI-compatible provider, set `sanitizeToolCallIds: true`:

--- a/docs/reference/RELEASING.md
+++ b/docs/reference/RELEASING.md
@@ -23,16 +23,24 @@ OpenClaw has three public release lanes:
  - Git tag: `vYYYY.M.PATCH-beta.N`
 - Do not zero-pad month or patch
 - Starting with the June 2026 release process update, the third component is a
-  monthly patch counter, not a calendar day. Pre-update tags and npm versions
-  keep their existing names and remain valid; release automation continues to
+  sequential monthly release-train number, not a calendar day. Stable and beta
+  releases determine the current train; alpha-only tags do not consume or
+  advance the beta/stable patch number. Pre-update tags and npm versions keep
+  their existing names and remain valid; release automation continues to
  compare them by year, month, patch, channel, and prerelease or correction
  number.
+- Alpha/nightly builds use the next unreleased patch train and increment only
+  `alpha.N` for repeated builds. Once that patch has a beta, new alpha builds
+  move to the following patch. Ignore legacy alpha-only tags with higher patch
+  numbers when selecting a beta or stable train.
 - npm versions are immutable. If a beta tag has already been published, do not
  delete, republish, or reuse it; cut the next beta number or the next monthly
  patch instead. Because `2026.6.5-beta.1` was already published during the
  transition, June 2026 release trains must use patch `5` or higher. Do not
  publish new June 2026 stable or beta trains as `2026.6.2`, `2026.6.3`, or
  `2026.6.4`.
+- After stable `2026.6.5`, the next new beta train is `2026.6.6-beta.1`, even
+  if automated alpha-only tags with higher patch numbers already exist.
 - `latest` means the current promoted stable npm release
 - `beta` means the current beta install target
 - Stable and stable correction releases publish to npm `beta` by default; release operators can target `latest` explicitly, or promote a vetted beta build later
--- a/docs/tools/exec-approvals-advanced.md
+++ b/docs/tools/exec-approvals-advanced.md
@@ -115,7 +115,7 @@ Configuration location:
 - `safeBins` comes from config (`tools.exec.safeBins` or per-agent `agents.list[].tools.exec.safeBins`).
 - `safeBinTrustedDirs` comes from config (`tools.exec.safeBinTrustedDirs` or per-agent `agents.list[].tools.exec.safeBinTrustedDirs`).
 - `safeBinProfiles` comes from config (`tools.exec.safeBinProfiles` or per-agent `agents.list[].tools.exec.safeBinProfiles`). Per-agent profile keys override global keys.
- allowlist entries live in host-local `~/.openclaw/exec-approvals.json` under `agents.<id>.allowlist` (or via Control UI / `openclaw approvals allowlist ...`).
+- allowlist entries live in the host-local approvals file under `agents.<id>.allowlist` (or via Control UI / `openclaw approvals allowlist ...`).
 - `openclaw security audit` warns with `tools.exec.safe_bins_interpreter_unprofiled` when interpreter/runtime bins appear in `safeBins` without explicit profiles.
 - `openclaw doctor --fix` can scaffold missing custom `safeBinProfiles.<bin>` entries as `{}` (review and tighten afterward). Interpreter/runtime bins are not auto-scaffolded.

--- a/docs/tools/exec-approvals.md
+++ b/docs/tools/exec-approvals.md
@@ -23,7 +23,7 @@ Codex Guardian mapping, and ACPX harness permissions, see
 Effective policy is the **stricter** of `tools.exec.*` and approvals
 defaults; if an approvals field is omitted, the `tools.exec` value is
 used. Host exec also uses local approvals state on that machine - a
-host-local `ask: "always"` in `~/.openclaw/exec-approvals.json` keeps
+host-local `ask: "always"` in the execution host approvals file keeps
 prompting even if session or config defaults request `ask: "on-miss"`.
 </Note>

@@ -73,12 +73,20 @@ Exec approvals are enforced locally on the execution host:

 ## Settings and storage

-Approvals live in a local JSON file on the execution host:
+Approvals live in a local JSON file on the execution host. When
+`OPENCLAW_STATE_DIR` is set, the file follows that state directory;
+otherwise it uses the default OpenClaw state directory:

 ```text
+$OPENCLAW_STATE_DIR/exec-approvals.json
+# otherwise
 ~/.openclaw/exec-approvals.json
 ```

+The default approval socket follows the same root:
+`$OPENCLAW_STATE_DIR/exec-approvals.sock`, or
+`~/.openclaw/exec-approvals.sock` when the variable is unset.
+
 Example schema:

 ```json
@@ -210,7 +218,7 @@ agent under `agents.list[].tools.exec.commandHighlighting`.
 If you want host exec to run without approval prompts, you must open
 **both** policy layers - requested exec policy in OpenClaw config
 (`tools.exec.*`) **and** host-local approvals policy in
-`~/.openclaw/exec-approvals.json`.
+the execution host approvals file.

 OpenClaw defaults omitted `askFallback` to `deny`. Set host
 `askFallback` to `full` explicitly when a no-UI approval prompt should
@@ -281,8 +289,7 @@ openclaw exec-policy preset yolo
 That local shortcut updates both:

 - Local `tools.exec.host/security/ask`.
- Local `~/.openclaw/exec-approvals.json` defaults, including
-  `askFallback: "full"`.
+- Local approvals file defaults, including `askFallback: "full"`.

 It is intentionally local-only. To change gateway-host or node-host
 approvals remotely, use `openclaw approvals set --gateway` or
@@ -425,7 +432,7 @@ shows last-used metadata per pattern so you can keep the list tidy.
 The target selector chooses **Gateway** (local approvals) or a **Node**.
 Nodes must advertise `system.execApprovals.get/set` (macOS app or
 headless node host). If a node does not advertise exec approvals yet,
-edit its local `~/.openclaw/exec-approvals.json` directly.
+edit its local approvals file directly.

 CLI: `openclaw approvals` supports gateway or node editing - see
 [Approvals CLI](/cli/approvals).
--- a/docs/tools/exec.md
+++ b/docs/tools/exec.md
@@ -47,7 +47,7 @@ Where to execute. `auto` resolves to `sandbox` when a sandbox runtime is active

 <ParamField path="security" type="'deny' | 'allowlist' | 'full'">
 Ignored for normal tool calls. `gateway` / `node` security is controlled by
-`tools.exec.security` and `~/.openclaw/exec-approvals.json`; elevated mode can
+`tools.exec.security` and the host approvals file; elevated mode can
 force `security=full` only when the operator explicitly grants elevated access.
 </ParamField>

@@ -75,7 +75,7 @@ Notes:
 - `tools.exec.mode` is the normalized policy knob. Values are `deny`, `allowlist`, `ask`, `auto`, and `full`. `auto` runs deterministic allowlist/safe-bin matches directly and routes every remaining exec approval case through OpenClaw's native auto reviewer before asking a human. `ask` / `ask=always` still asks a human every time.
 - With no extra config, `host=auto` still "just works": no sandbox means it resolves to `gateway`; a live sandbox means it stays in the sandbox.
 - `elevated` escapes the sandbox onto the configured host path: `gateway` by default, or `node` when `tools.exec.host=node` (or the session default is `host=node`). It is only available when elevated access is enabled for the current session/provider.
- `gateway`/`node` approvals are controlled by `~/.openclaw/exec-approvals.json`.
+- `gateway`/`node` approvals are controlled by the host approvals file.
 - `node` requires a paired node (companion app or headless node host).
 - If multiple nodes are available, set `exec.node` or `tools.exec.node` to select one.
 - `exec host=node` is the only shell-execution path for nodes; the legacy `nodes.run` wrapper has been removed.
@@ -114,7 +114,7 @@ Notes:
 - `tools.exec.host` (default: `auto`; resolves to `sandbox` when sandbox runtime is active, `gateway` otherwise)
 - `tools.exec.security` (default: `deny` for sandbox, `full` for gateway + node when unset)
 - `tools.exec.ask` (default: `off`)
- No-approval host exec is the default for gateway + node. If you want approvals/allowlist behavior, tighten both `tools.exec.*` and the host `~/.openclaw/exec-approvals.json`; see [Exec approvals](/tools/exec-approvals#yolo-mode-no-approval).
+- No-approval host exec is the default for gateway + node. If you want approvals/allowlist behavior, tighten both `tools.exec.*` and the host approvals file; see [Exec approvals](/tools/exec-approvals#yolo-mode-no-approval).
 - YOLO comes from the host-policy defaults (`security=full`, `ask=off`), not from `host=auto`. If you want to force gateway or node routing, set `tools.exec.host` or use `/exec host=...`.
 - In `security=full` plus `ask=off` mode, host exec follows the configured policy directly; there is no extra heuristic command-obfuscation prefilter or script-preflight rejection layer.
 - `tools.exec.node` (default: unset)
--- a/docs/tools/skill-workshop.md
+++ b/docs/tools/skill-workshop.md
@@ -190,6 +190,7 @@ agent session or the CLI.
      autonomous: {
        enabled: false,
      },
+      allowSymlinkTargetWrites: false,
      approvalPolicy: "pending",
      maxPending: 50,
      maxSkillBytes: 40000,
@@ -200,6 +201,9 @@ agent session or the CLI.

 - `autonomous.enabled`: allows OpenClaw to create pending proposals from durable
  conversation signals after successful turns. Default: `false`.
+- `allowSymlinkTargetWrites`: allows apply to write through workspace skill
+  symlinks whose real target is listed in `skills.load.allowSymlinkTargets`.
+  Default: `false`.
 - `approvalPolicy: "pending"`: requires an approval prompt before
  agent-initiated `apply`, `reject`, or `quarantine`.
 - `approvalPolicy: "auto"`: skips that approval prompt. The agent must still
@@ -265,6 +269,7 @@ Default state directory: `~/.openclaw`.
 | `Skill proposal content is too large`          | Shorten the proposal body or raise `skills.workshop.maxSkillBytes`.                                                                                                                                         |
 | `Target skill changed after proposal creation` | Revise the proposal against the current target, or create a new proposal.                                                                                                                                   |
 | `Proposal scan failed`                         | Inspect scanner findings, then revise or quarantine the proposal.                                                                                                                                           |
+| `untrusted symlink target`                     | Configure `skills.load.allowSymlinkTargets` and enable `skills.workshop.allowSymlinkTargetWrites` only for intentional shared skill roots.                                                                  |
 | `Support file paths must be under one of...`   | Move support files under `assets/`, `examples/`, `references/`, `scripts/`, or `templates/`.                                                                                                                |
 | Proposal does not show in list                 | Check the selected `--agent` workspace and `OPENCLAW_STATE_DIR`.                                                                                                                                            |
 | Agent cannot call `skill_workshop`             | Check the active tool policy and run mode. `coding` includes the tool; restrictive `tools.allow` policies must list it explicitly, and sandboxed runs must use a normal host-side agent session or the CLI. |
--- a/docs/tools/skills-config.md
+++ b/docs/tools/skills-config.md
@@ -29,6 +29,7 @@ Most skills configuration lives under `skills` in
    },
    workshop: {
      autonomous: { enabled: false },
+      allowSymlinkTargetWrites: false,
      approvalPolicy: "pending",
      maxPending: 50,
      maxSkillBytes: 40000,
@@ -333,6 +334,13 @@ different visible skill set per agent.
  quarantine. `auto` allows those actions without approval.
 </ParamField>

+<ParamField path="skills.workshop.allowSymlinkTargetWrites" type="boolean" default="false">
+  Allow Skill Workshop apply to write through workspace skill symlinks whose
+  real target is already trusted by `skills.load.allowSymlinkTargets`. Keep this
+  disabled unless generated proposal applies should mutate that shared skill
+  root.
+</ParamField>
+
 <ParamField path="skills.workshop.maxPending" type="number" default="50">
  Maximum pending and quarantined proposals retained per workspace.
 </ParamField>
@@ -365,6 +373,23 @@ With this config, `<workspace>/skills/manager -> ~/Projects/manager/skills` is
 accepted after realpath resolution. `extraDirs` scans the sibling repo directly;
 `allowSymlinkTargets` preserves the symlinked path for existing layouts.

+Skill Workshop apply does not write through those symlinks by default. To let
+Workshop apply mutate skills under already-trusted symlink targets, opt in
+separately:
+
+```json5
+{
+  skills: {
+    load: {
+      allowSymlinkTargets: ["~/Projects/manager/skills"],
+    },
+    workshop: {
+      allowSymlinkTargetWrites: true,
+    },
+  },
+}
+```
+
 Managed `~/.openclaw/skills` and personal `~/.agents/skills` directories
 already accept skill-directory symlinks (per-skill `SKILL.md` containment still
 applies).
--- a/docs/tools/skills.md
+++ b/docs/tools/skills.md
@@ -204,6 +204,8 @@ publish and sync.
    Workspace, project-agent, and extra-dir skill discovery only accepts skill
    roots whose resolved realpath stays inside the configured root, unless
    `skills.load.allowSymlinkTargets` explicitly trusts a target root.
+    Skill Workshop writes through those trusted targets only when
+    `skills.workshop.allowSymlinkTargetWrites` is enabled.
    Managed `~/.openclaw/skills` and personal `~/.agents/skills` may contain
    symlinked skill folders, but every `SKILL.md` realpath must still stay
    inside its resolved skill directory.
@@ -533,6 +535,8 @@ aligned.
    Use `allowSymlinkTargets` for intentional symlinked layouts where a skill
    root symlink points outside the configured root, for example
    `<workspace>/skills/manager -> ~/Projects/manager/skills`.
+    Enable `skills.workshop.allowSymlinkTargetWrites` only when Skill Workshop
+    should also apply proposals through those trusted symlinked paths.

  </Accordion>
  <Accordion title="Remote macOS nodes (Linux gateway)">
--- a/docs/tools/thinking.md
+++ b/docs/tools/thinking.md
@@ -35,7 +35,7 @@ title: "Thinking levels"
  - Google Gemini maps `/think adaptive` to Gemini's provider-owned dynamic thinking. Gemini 3 requests omit a fixed `thinkingLevel`, while Gemini 2.5 requests send `thinkingBudget: -1`; fixed levels still map to the closest Gemini `thinkingLevel` or budget for that model family.
  - MiniMax M2.x (`minimax/MiniMax-M2*`) on the Anthropic-compatible streaming path defaults to `thinking: { type: "disabled" }` unless you explicitly set thinking in model params or request params. This avoids leaked `reasoning_content` deltas from M2.x's non-native Anthropic stream format. MiniMax-M3 (and M3.x) is exempt: M3 emits proper Anthropic thinking blocks and returns empty content when thinking is disabled, so OpenClaw keeps M3 on the provider's omitted/adaptive thinking path.
  - Z.AI (`zai/*`) only supports binary thinking (`on`/`off`). Any non-`off` level is treated as `on` (mapped to `low`).
-  - Moonshot (`moonshot/*`) maps `/think off` to `thinking: { type: "disabled" }` and any non-`off` level to `thinking: { type: "enabled" }`. When thinking is enabled, Moonshot only accepts `tool_choice` `auto|none`; OpenClaw normalizes incompatible values to `auto`.
+  - Moonshot Kimi K2.7 Code (`moonshot/kimi-k2.7-code`) always thinks. Its profile exposes only `on`, and OpenClaw omits the outbound `thinking` field as required by Moonshot. Other `moonshot/*` models map `/think off` to `thinking: { type: "disabled" }` and any non-`off` level to `thinking: { type: "enabled" }`. When thinking is enabled, Moonshot only accepts `tool_choice` `auto|none`; OpenClaw normalizes incompatible values to `auto`.

 ## Resolution order

--- a/docs/web/control-ui.md
+++ b/docs/web/control-ui.md
@@ -74,7 +74,7 @@ The same browser-local pattern applies to the assistant avatar override. Uploade

 ## Runtime config endpoint

-The Control UI fetches its runtime settings from `/__openclaw/control-ui-config.json`. That endpoint is gated by the same gateway auth as the rest of the HTTP surface: unauthenticated browsers cannot fetch it, and a successful fetch requires either an already valid gateway token/password, Tailscale Serve identity, or a trusted-proxy identity.
+The Control UI fetches its runtime settings from `/control-ui-config.json`, resolved relative to the gateway's Control UI base path (for example `/__openclaw__/control-ui-config.json` when the UI is served under `/__openclaw__/`). That endpoint is gated by the same gateway auth as the rest of the HTTP surface: unauthenticated browsers cannot fetch it, and a successful fetch requires either an already valid gateway token/password, Tailscale Serve identity, or a trusted-proxy identity.

 ## Language support

--- a/extensions/acpx/npm-shrinkwrap.json
+++ b/extensions/acpx/npm-shrinkwrap.json
@@ -224,9 +224,9 @@
      }
    },
    "node_modules/@esbuild/aix-ppc64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.28.0.tgz",
-      "integrity": "sha512-lhRUCeuOyJQURhTxl4WkpFTjIsbDayJHih5kZC1giwE+MhIzAb7mEsQMqMf18rHLsrb5qI1tafG20mLxEWcWlA==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.28.1.tgz",
+      "integrity": "sha512-Svl7tq8k/08+p6CXPpRjQ1fKX+1odH/BQbb48fV6fj3CWHhsoIOoY87w1oHXm0qEpkIK3ZfVgp0hed3XBXzXMQ==",
      "cpu": [
        "ppc64"
      ],
@@ -240,9 +240,9 @@
      }
    },
    "node_modules/@esbuild/android-arm": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.28.0.tgz",
-      "integrity": "sha512-wqh0ByljabXLKHeWXYLqoJ5jKC4XBaw6Hk08OfMrCRd2nP2ZQ5eleDZC41XHyCNgktBGYMbqnrJKq/K/lzPMSQ==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.28.1.tgz",
+      "integrity": "sha512-0k2F129Xdio1TdJfzJ8sy1Q47vUD2NnwdhiAf7drUN1EBTfPf4hsFCtmMgu/6m8JSzsBrlmVjudMBQqOfG8usQ==",
      "cpu": [
        "arm"
      ],
@@ -256,9 +256,9 @@
      }
    },
    "node_modules/@esbuild/android-arm64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.28.0.tgz",
-      "integrity": "sha512-+WzIXQOSaGs33tLEgYPYe/yQHf0WTU0X42Jca3y8NWMbUVhp7rUnw+vAsRC/QiDrdD31IszMrZy+qwPOPjd+rw==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.28.1.tgz",
+      "integrity": "sha512-34EGEbCIAgosYz6goLcopX6Mo7NyGv9tfwEM2/7Ce2VcVRk568iSvniGWcUXIy7wEDR1wzolcxcriFVrWYcwBg==",
      "cpu": [
        "arm64"
      ],
@@ -272,9 +272,9 @@
      }
    },
    "node_modules/@esbuild/android-x64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.28.0.tgz",
-      "integrity": "sha512-+VJggoaKhk2VNNqVL7f6S189UzShHC/mR9EE8rDdSkdpN0KflSwWY/gWjDrNxxisg8Fp1ZCD9jLMo4m0OUfeUA==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.28.1.tgz",
+      "integrity": "sha512-dbwY7ltSMDWsRatcRpCnES4F+im88OCUgGZjy52shC7GqHRE/cYlxNbB4Z4UpJswpcc4Qxd2oE/ufM0p61IKng==",
      "cpu": [
        "x64"
      ],
@@ -288,9 +288,9 @@
      }
    },
    "node_modules/@esbuild/darwin-arm64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.28.0.tgz",
-      "integrity": "sha512-0T+A9WZm+bZ84nZBtk1ckYsOvyA3x7e2Acj1KdVfV4/2tdG4fzUp91YHx+GArWLtwqp77pBXVCPn2We7Letr0Q==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.28.1.tgz",
+      "integrity": "sha512-TZbWkQY7kvTAXbXUT7uVACR5cMHsDiSz9z7ZKAX/RTq/WJEk3QyRr0wZpNhBDX+/0CtdqUIJlOiodQcta6tY3Q==",
      "cpu": [
        "arm64"
      ],
@@ -304,9 +304,9 @@
      }
    },
    "node_modules/@esbuild/darwin-x64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.28.0.tgz",
-      "integrity": "sha512-fyzLm/DLDl/84OCfp2f/XQ4flmORsjU7VKt8HLjvIXChJoFFOIL6pLJPH4Yhd1n1gGFF9mPwtlN5Wf82DZs+LQ==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.28.1.tgz",
+      "integrity": "sha512-zfdzgK9ACBNZLI/CyHTOx81SyNbM6YXn7rxSgX97VjyiPl9W1i4Ka4fgKECEoFCKGpvBj5qArWIGgQjOwkgskQ==",
      "cpu": [
        "x64"
      ],
@@ -320,9 +320,9 @@
      }
    },
    "node_modules/@esbuild/freebsd-arm64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.28.0.tgz",
-      "integrity": "sha512-l9GeW5UZBT9k9brBYI+0WDffcRxgHQD8ShN2Ur4xWq/NFzUKm3k5lsH4PdaRgb2w7mI9u61nr2gI2mLI27Nh3Q==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.28.1.tgz",
+      "integrity": "sha512-wG2EA8ENdEI0qhkSZMjfqrdY+ziCYCPMmtZjjIwOmXFjmyzEHn+UUxk5of+SYsjtfs3VpnlC7QLzSI5hY/rOAw==",
      "cpu": [
        "arm64"
      ],
@@ -336,9 +336,9 @@
      }
    },
    "node_modules/@esbuild/freebsd-x64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.28.0.tgz",
-      "integrity": "sha512-BXoQai/A0wPO6Es3yFJ7APCiKGc1tdAEOgeTNy3SsB491S3aHn4S4r3e976eUnPdU+NbdtmBuLncYir2tMU9Nw==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.28.1.tgz",
+      "integrity": "sha512-i7dZ9vQgnvSCzi/rYCXNgtF/U+eKZNJBzu3eTQbRgHnM7tNSizLOkRFAl3qzVc/Op/u5YkHHa4pf/3DOYHthLQ==",
      "cpu": [
        "x64"
      ],
@@ -352,9 +352,9 @@
      }
    },
    "node_modules/@esbuild/linux-arm": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.28.0.tgz",
-      "integrity": "sha512-CjaaREJagqJp7iTaNQjjidaNbCKYcd4IDkzbwwxtSvjI7NZm79qiHc8HqciMddQ6CKvJT6aBd8lO9kN/ZudLlw==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.28.1.tgz",
+      "integrity": "sha512-qVXBOHQS+d5Y722GwJzJUtOLlX7km3CraOaGormF1pDtPd2C/l1SHRPgjLunLGe51Sh5YYWKMFDyV4SxgMQYTQ==",
      "cpu": [
        "arm"
      ],
@@ -368,9 +368,9 @@
      }
    },
    "node_modules/@esbuild/linux-arm64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.28.0.tgz",
-      "integrity": "sha512-RVyzfb3FWsGA55n6WY0MEIEPURL1FcbhFE6BffZEMEekfCzCIMtB5yyDcFnVbTnwk+CLAgTujmV/Lgvih56W+A==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.28.1.tgz",
+      "integrity": "sha512-yHs+0uc8+nvEAfAfxrWQKK5peSNzBc4PegcMO0EJ2hT71uA7vB8Ihg2e77R2P7SG5uYjPbHlLLmve4LLLRCf0g==",
      "cpu": [
        "arm64"
      ],
@@ -384,9 +384,9 @@
      }
    },
    "node_modules/@esbuild/linux-ia32": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.28.0.tgz",
-      "integrity": "sha512-KBnSTt1kxl9x70q+ydterVdl+Cn0H18ngRMRCEQfrbqdUuntQQ0LoMZv47uB97NljZFzY6HcfqEZ2SAyIUTQBQ==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.28.1.tgz",
+      "integrity": "sha512-d1z4ZuP0ajrfz/FhGT4vv278rX8KnPPJx8i5+AtK7TYbx9Le9F1hyzurZpkEyjkGa9dUGhQow4C1NmeGvqxN2w==",
      "cpu": [
        "ia32"
      ],
@@ -400,9 +400,9 @@
      }
    },
    "node_modules/@esbuild/linux-loong64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.28.0.tgz",
-      "integrity": "sha512-zpSlUce1mnxzgBADvxKXX5sl8aYQHo2ezvMNI8I0lbblJtp8V4odlm3Yzlj7gPyt3T8ReksE6bK+pT3WD+aJRg==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.28.1.tgz",
+      "integrity": "sha512-M5sRjUVZrkm1OAPR3dlOYzNmN+loZKGVi1VUQGrwuqLcbR6qeAz+famMhjASeH3YVKvZz+zT1jlh/keC3Rj/lg==",
      "cpu": [
        "loong64"
      ],
@@ -416,9 +416,9 @@
      }
    },
    "node_modules/@esbuild/linux-mips64el": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.28.0.tgz",
-      "integrity": "sha512-2jIfP6mmjkdmeTlsX/9vmdmhBmKADrWqN7zcdtHIeNSCH1SqIoNI63cYsjQR8J+wGa4Y5izRcSHSm8K3QWmk3w==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.28.1.tgz",
+      "integrity": "sha512-mRObBZeHh2OxcBFPWE/FjylkRgZdYuiTR3vaTozquCGOH14iP9oN4x4Ge81CoIDYQrXmIxpFumJBu5MtZpnQJQ==",
      "cpu": [
        "mips64el"
      ],
@@ -432,9 +432,9 @@
      }
    },
    "node_modules/@esbuild/linux-ppc64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.28.0.tgz",
-      "integrity": "sha512-bc0FE9wWeC0WBm49IQMPSPILRocGTQt3j5KPCA8os6VprfuJ7KD+5PzESSrJ6GmPIPJK965ZJHTUlSA6GNYEhg==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.28.1.tgz",
+      "integrity": "sha512-slScBsMAb3GFDcdrCgLwZtPYRoH2H/youv10QiZyRjmsP48fznoveWytSgCI/R0ZcUgpc0ZhIUEx6LHts8yrfQ==",
      "cpu": [
        "ppc64"
      ],
@@ -448,9 +448,9 @@
      }
    },
    "node_modules/@esbuild/linux-riscv64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.28.0.tgz",
-      "integrity": "sha512-SQPZOwoTTT/HXFXQJG/vBX8sOFagGqvZyXcgLA3NhIqcBv1BJU1d46c0rGcrij2B56Z2rNiSLaZOYW5cUk7yLQ==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.28.1.tgz",
+      "integrity": "sha512-kw0owk1o0GFETUJyW0jc0G4Yzs0BHZn0JDZ8JRT088vjJYX777BAs1fDGxAC+q831qOs2DTC96mNsG2opdfyyQ==",
      "cpu": [
        "riscv64"
      ],
@@ -464,9 +464,9 @@
      }
    },
    "node_modules/@esbuild/linux-s390x": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.28.0.tgz",
-      "integrity": "sha512-SCfR0HN8CEEjnYnySJTd2cw0k9OHB/YFzt5zgJEwa+wL/T/raGWYMBqwDNAC6dqFKmJYZoQBRfHjgwLHGSrn3Q==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.28.1.tgz",
+      "integrity": "sha512-/lAIjX8aYFRByhh6L5rYtPEDRqa9de/4V/juOXcta5frjvzXO4/sqEtyytse0g3zZFuWu5cDN0MkLz2qRDD2Ag==",
      "cpu": [
        "s390x"
      ],
@@ -480,9 +480,9 @@
      }
    },
    "node_modules/@esbuild/linux-x64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.28.0.tgz",
-      "integrity": "sha512-us0dSb9iFxIi8srnpl931Nvs65it/Jd2a2K3qs7fz2WfGPHqzfzZTfec7oxZJRNPXPnNYZtanmRc4AL/JwVzHQ==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.28.1.tgz",
+      "integrity": "sha512-u/anNYF2mmVOEDwLtnQ1wOr3EZ9sTNGLWrsYGYwHWzGA3Si84IOkHXlbWTD1NB+9/1lcnweYKO54uhxZydNzfA==",
      "cpu": [
        "x64"
      ],
@@ -496,9 +496,9 @@
      }
    },
    "node_modules/@esbuild/netbsd-arm64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.28.0.tgz",
-      "integrity": "sha512-CR/RYotgtCKwtftMwJlUU7xCVNg3lMYZ0RzTmAHSfLCXw3NtZtNpswLEj/Kkf6kEL3Gw+BpOekRX0BYCtklhUw==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.28.1.tgz",
+      "integrity": "sha512-oks0DYbLwWMmaakTsCb+zL4E+aHRVLom9IJZOAthMQEPiQmydXHkziYEsGYRx0uNV/IjEKGAV941JzH02pflqw==",
      "cpu": [
        "arm64"
      ],
@@ -512,9 +512,9 @@
      }
    },
    "node_modules/@esbuild/netbsd-x64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.28.0.tgz",
-      "integrity": "sha512-nU1yhmYutL+fQ71Kxnhg8uEOdC0pwEW9entHykTgEbna2pw2dkbFSMeqjjyHZoCmt8SBkOSvV+yNmm94aUrrqw==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.28.1.tgz",
+      "integrity": "sha512-aeL6lAnN89Hz43Mlh1G8ARasbuoYvSITDEx0tHh5b7jJnHcssqgjy9Yx430GDpmCa6OyrKoS0aNRjKundRizGg==",
      "cpu": [
        "x64"
      ],
@@ -528,9 +528,9 @@
      }
    },
    "node_modules/@esbuild/openbsd-arm64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.28.0.tgz",
-      "integrity": "sha512-cXb5vApOsRsxsEl4mcZ1XY3D4DzcoMxR/nnc4IyqYs0rTI8ZKmW6kyyg+11Z8yvgMfAEldKzP7AdP64HnSC/6g==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.28.1.tgz",
+      "integrity": "sha512-MEFJe5C3R8pwXdZ5Y21oo6m7ePiS0d9pWucn99O/wvyJZChoIQKrQDxKrGeW8F5+T0okTHesAmDeiHDTIq0V/Q==",
      "cpu": [
        "arm64"
      ],
@@ -544,9 +544,9 @@
      }
    },
    "node_modules/@esbuild/openbsd-x64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.28.0.tgz",
-      "integrity": "sha512-8wZM2qqtv9UP3mzy7HiGYNH/zjTA355mpeuA+859TyR+e+Tc08IHYpLJuMsfpDJwoLo1ikIJI8jC3GFjnRClzA==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.28.1.tgz",
+      "integrity": "sha512-i/ZLIOafE0Z8cI/XANJAixoJL/uRAoS2xOA3rb0xN+KK0K177cMAsQYkzHtBrtMXAKuAc7HGgcWiZ/sRC1Nxgw==",
      "cpu": [
        "x64"
      ],
@@ -560,9 +560,9 @@
      }
    },
    "node_modules/@esbuild/openharmony-arm64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.28.0.tgz",
-      "integrity": "sha512-FLGfyizszcef5C3YtoyQDACyg95+dndv79i2EekILBofh5wpCa1KuBqOWKrEHZg3zrL3t5ouE5jgr94vA+Wb2w==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.28.1.tgz",
+      "integrity": "sha512-ge+Z7EXFNt2BO1oAMsVpiQ8EwndV9i1xXerAeTIK7AtPs3bKFXQM7nlRxDSIUIMeueR1CNXxqztLzdNeReKBJg==",
      "cpu": [
        "arm64"
      ],
@@ -576,9 +576,9 @@
      }
    },
    "node_modules/@esbuild/sunos-x64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.28.0.tgz",
-      "integrity": "sha512-1ZgjUoEdHZZl/YlV76TSCz9Hqj9h9YmMGAgAPYd+q4SicWNX3G5GCyx9uhQWSLcbvPW8Ni7lj4gDa1T40akdlw==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.28.1.tgz",
+      "integrity": "sha512-BEjgtECkL3vY+SaSQ6nzVfiALUeFxpawyp8Jmf5PtYhf1Ug40N1h/hxlhts+f1FvSvarEigdxS3BlSMI2PJLcQ==",
      "cpu": [
        "x64"
      ],
@@ -592,9 +592,9 @@
      }
    },
    "node_modules/@esbuild/win32-arm64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.28.0.tgz",
-      "integrity": "sha512-Q9StnDmQ/enxnpxCCLSg0oo4+34B9TdXpuyPeTedN/6+iXBJ4J+zwfQI28u/Jl40nOYAxGoNi7mFP40RUtkmUA==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.28.1.tgz",
+      "integrity": "sha512-lCv9eK/H6ZJWbE7bh2nw54CZ9M2nupBxJcTsdk/QQnWkdSjKGuxmmH8/GWrlT1eMmZfn4dGcCjRte397WqfQXA==",
      "cpu": [
        "arm64"
      ],
@@ -608,9 +608,9 @@
      }
    },
    "node_modules/@esbuild/win32-ia32": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.28.0.tgz",
-      "integrity": "sha512-zF3ag/gfiCe6U2iczcRzSYJKH1DCI+ByzSENHlM2FcDbEeo5Zd2C86Aq0tKUYAJJ1obRP84ymxIAksZUcdztHA==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.28.1.tgz",
+      "integrity": "sha512-zvb/mB2bSCoJOpoCBgYKKpX6YM6mJBlBUVUtVj41DlZJVEB6/0CKlRYxP5wWl1C1ILiCoAU5wZZ4q1P3qeS6Eg==",
      "cpu": [
        "ia32"
      ],
@@ -624,9 +624,9 @@
      }
    },
    "node_modules/@esbuild/win32-x64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.28.0.tgz",
-      "integrity": "sha512-pEl1bO9mfAmIC+tW5btTmrKaujg3zGtUmWNdCw/xs70FBjwAL3o9OEKNHvNmnyylD6ubxUERiEhdsL0xBQ9efw==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.28.1.tgz",
+      "integrity": "sha512-bm4Mowrv+GXMlpWX++EcXw/iLyd1o3+bJkC2DkWXYVvgZCqD/bSj9ctZeAMC3cIxgjRVR2Dufaiu4YPxr5gW1A==",
      "cpu": [
        "x64"
      ],
@@ -1208,9 +1208,9 @@
      }
    },
    "node_modules/esbuild": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.28.0.tgz",
-      "integrity": "sha512-sNR9MHpXSUV/XB4zmsFKN+QgVG82Cc7+/aaxJ8Adi8hyOac+EXptIp45QBPaVyX3N70664wRbTcLTOemCAnyqw==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.28.1.tgz",
+      "integrity": "sha512-HrJrvZv5ayxBzPfwphOoNzkzOIIlifzk0KJrGK2c8R4+LKpMtpYLQeUdjnwjWv/LZlkH2laZk+4w78pi99D4Vw==",
      "hasInstallScript": true,
      "license": "MIT",
      "bin": {
@@ -1220,32 +1220,32 @@
        "node": ">=18"
      },
      "optionalDependencies": {
-        "@esbuild/aix-ppc64": "0.28.0",
-        "@esbuild/android-arm": "0.28.0",
-        "@esbuild/android-arm64": "0.28.0",
-        "@esbuild/android-x64": "0.28.0",
-        "@esbuild/darwin-arm64": "0.28.0",
-        "@esbuild/darwin-x64": "0.28.0",
-        "@esbuild/freebsd-arm64": "0.28.0",
-        "@esbuild/freebsd-x64": "0.28.0",
-        "@esbuild/linux-arm": "0.28.0",
-        "@esbuild/linux-arm64": "0.28.0",
-        "@esbuild/linux-ia32": "0.28.0",
-        "@esbuild/linux-loong64": "0.28.0",
-        "@esbuild/linux-mips64el": "0.28.0",
-        "@esbuild/linux-ppc64": "0.28.0",
-        "@esbuild/linux-riscv64": "0.28.0",
-        "@esbuild/linux-s390x": "0.28.0",
-        "@esbuild/linux-x64": "0.28.0",
-        "@esbuild/netbsd-arm64": "0.28.0",
-        "@esbuild/netbsd-x64": "0.28.0",
-        "@esbuild/openbsd-arm64": "0.28.0",
-        "@esbuild/openbsd-x64": "0.28.0",
-        "@esbuild/openharmony-arm64": "0.28.0",
-        "@esbuild/sunos-x64": "0.28.0",
-        "@esbuild/win32-arm64": "0.28.0",
-        "@esbuild/win32-ia32": "0.28.0",
-        "@esbuild/win32-x64": "0.28.0"
+        "@esbuild/aix-ppc64": "0.28.1",
+        "@esbuild/android-arm": "0.28.1",
+        "@esbuild/android-arm64": "0.28.1",
+        "@esbuild/android-x64": "0.28.1",
+        "@esbuild/darwin-arm64": "0.28.1",
+        "@esbuild/darwin-x64": "0.28.1",
+        "@esbuild/freebsd-arm64": "0.28.1",
+        "@esbuild/freebsd-x64": "0.28.1",
+        "@esbuild/linux-arm": "0.28.1",
+        "@esbuild/linux-arm64": "0.28.1",
+        "@esbuild/linux-ia32": "0.28.1",
+        "@esbuild/linux-loong64": "0.28.1",
+        "@esbuild/linux-mips64el": "0.28.1",
+        "@esbuild/linux-ppc64": "0.28.1",
+        "@esbuild/linux-riscv64": "0.28.1",
+        "@esbuild/linux-s390x": "0.28.1",
+        "@esbuild/linux-x64": "0.28.1",
+        "@esbuild/netbsd-arm64": "0.28.1",
+        "@esbuild/netbsd-x64": "0.28.1",
+        "@esbuild/openbsd-arm64": "0.28.1",
+        "@esbuild/openbsd-x64": "0.28.1",
+        "@esbuild/openharmony-arm64": "0.28.1",
+        "@esbuild/sunos-x64": "0.28.1",
+        "@esbuild/win32-arm64": "0.28.1",
+        "@esbuild/win32-ia32": "0.28.1",
+        "@esbuild/win32-x64": "0.28.1"
      }
    },
    "node_modules/escape-html": {
--- a/extensions/amazon-bedrock-mantle/discovery.test.ts
+++ b/extensions/amazon-bedrock-mantle/discovery.test.ts
@@ -477,11 +477,21 @@ describe("bedrock mantle discovery", () => {
    expect(provider?.api).toBe("openai-completions");
    expect(provider?.auth).toBe("api-key");
    expect(provider?.apiKey).toBe("env:AWS_BEARER_TOKEN_BEDROCK");
-    expect(provider?.models).toHaveLength(2);
+    expect(provider?.models).toHaveLength(3);
    const opus = provider?.models?.find((model) => model.id === "anthropic.claude-opus-4-7");
    expect(opus?.api).toBe("anthropic-messages");
    expect(opus?.reasoning).toBe(false);
    expect(opus).not.toHaveProperty("baseUrl");
+    const mythos = provider?.models?.find(
+      (model) => model.id === "anthropic.claude-mythos-preview",
+    );
+    expect(mythos).toMatchObject({
+      api: "anthropic-messages",
+      reasoning: true,
+      params: { canonicalModelId: "claude-mythos-preview" },
+      contextWindow: 1_000_000,
+      maxTokens: 128_000,
+    });
  });

  it("returns null when no auth is available", async () => {
--- a/extensions/amazon-bedrock-mantle/discovery.ts
+++ b/extensions/amazon-bedrock-mantle/discovery.ts
@@ -404,6 +404,17 @@ export async function resolveImplicitMantleProvider(params: {
      contextWindow: 1_000_000,
      maxTokens: 128_000,
    },
+    {
+      id: "anthropic.claude-mythos-preview",
+      name: "Claude Mythos Preview",
+      api: "anthropic-messages" as const,
+      reasoning: true,
+      params: { canonicalModelId: "claude-mythos-preview" },
+      input: ["text", "image"],
+      cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+      contextWindow: 1_000_000,
+      maxTokens: 128_000,
+    },
  ];
  const allModels = [...models, ...claudeModels];

--- a/extensions/amazon-bedrock-mantle/mantle-anthropic.runtime.test.ts
+++ b/extensions/amazon-bedrock-mantle/mantle-anthropic.runtime.test.ts
@@ -6,7 +6,7 @@ import {
  resolveMantleAnthropicBaseUrl,
 } from "./mantle-anthropic.runtime.js";

-function createTestModel(): Model {
+function createTestModel(overrides: Partial<Model> = {}): Model {
  return {
    id: "anthropic.claude-opus-4-7",
    name: "Claude Opus 4.7",
@@ -21,6 +21,7 @@ function createTestModel(): Model {
    cost: { input: 5, output: 25, cacheRead: 0.5, cacheWrite: 6.25 },
    contextWindow: 1_000_000,
    maxTokens: 128_000,
+    ...overrides,
  } as Model;
 }

@@ -112,6 +113,69 @@ describe("createMantleAnthropicStreamFn", () => {
    expect(streamOptions.thinkingEnabled).toBe(false);
  });

+  it("defaults Mythos Preview to adaptive high effort", () => {
+    const model = createTestModel({
+      id: "anthropic.claude-mythos-preview",
+      name: "Claude Mythos Preview",
+      reasoning: true,
+      params: { canonicalModelId: "claude-mythos-preview" },
+    });
+    const context = { messages: [] };
+    const deps = createTestDeps();
+    deps.stream.mockReturnValue({ kind: "anthropic-stream" } as never);
+
+    void createMantleAnthropicStreamFn(deps)(model, context, {
+      apiKey: "bedrock-bearer-token",
+    });
+
+    expectFirstStreamCall(deps, model, context);
+    const streamOptions = firstStreamOptions(deps);
+    expect(streamOptions.thinkingEnabled).toBe(true);
+    expect(streamOptions.effort).toBe("high");
+  });
+
+  it("clamps unsupported Mythos Preview max effort to high", () => {
+    const model = createTestModel({
+      id: "anthropic.claude-mythos-preview",
+      name: "Claude Mythos Preview",
+      reasoning: true,
+      params: { canonicalModelId: "claude-mythos-preview" },
+    });
+    const context = { messages: [] };
+    const deps = createTestDeps();
+    deps.stream.mockReturnValue({ kind: "anthropic-stream" } as never);
+
+    void createMantleAnthropicStreamFn(deps)(model, context, {
+      apiKey: "bedrock-bearer-token",
+      reasoning: "max",
+    });
+
+    expectFirstStreamCall(deps, model, context);
+    const streamOptions = firstStreamOptions(deps);
+    expect(streamOptions.thinkingEnabled).toBe(true);
+    expect(streamOptions.effort).toBe("high");
+  });
+
+  it("maps Mythos Preview minimal reasoning to low effort", () => {
+    const model = createTestModel({
+      id: "anthropic.claude-mythos-preview",
+      name: "Claude Mythos Preview",
+      reasoning: true,
+      params: { canonicalModelId: "claude-mythos-preview" },
+    });
+    const deps = createTestDeps();
+    deps.stream.mockReturnValue({ kind: "anthropic-stream" } as never);
+
+    void createMantleAnthropicStreamFn(deps)(model, { messages: [] }, {
+      apiKey: "bedrock-bearer-token",
+      reasoning: "minimal",
+    });
+
+    const streamOptions = firstStreamOptions(deps);
+    expect(streamOptions.thinkingEnabled).toBe(true);
+    expect(streamOptions.effort).toBe("low");
+  });
+
  it("normalizes Mantle provider URLs to the Anthropic endpoint", () => {
    expect(resolveMantleAnthropicBaseUrl("https://bedrock-mantle.us-east-1.api.aws/v1")).toBe(
      "https://bedrock-mantle.us-east-1.api.aws/anthropic",
--- a/extensions/amazon-bedrock-mantle/mantle-anthropic.runtime.ts
+++ b/extensions/amazon-bedrock-mantle/mantle-anthropic.runtime.ts
@@ -27,6 +27,36 @@ function requiresDefaultSampling(modelId: string): boolean {
  return modelId.includes("claude-opus-4-7");
 }

+function isClaudeMythosPreviewModel(model: Model): boolean {
+  return [model.id, model.name, model.params?.canonicalModelId]
+    .filter((value): value is string => typeof value === "string")
+    .some((value) =>
+      /(?:^|-)claude-mythos-preview(?=$|[^a-z0-9])/.test(
+        value
+          .trim()
+          .toLowerCase()
+          .replace(/[\s_.:]+/g, "-"),
+      ),
+    );
+}
+
+function resolveMantleReasoning(
+  model: Model,
+  options: SimpleStreamOptions | undefined,
+): NonNullable<SimpleStreamOptions["reasoning"]> | undefined {
+  if (requiresDefaultSampling(model.id)) {
+    return undefined;
+  }
+  const reasoning = options?.reasoning ?? (isClaudeMythosPreviewModel(model) ? "high" : undefined);
+  if (!isClaudeMythosPreviewModel(model)) {
+    return reasoning;
+  }
+  if (reasoning === "minimal") {
+    return "low";
+  }
+  return reasoning === "xhigh" || reasoning === "max" ? "high" : reasoning;
+}
+
 function mergeHeaders(
  ...headerSources: Array<Record<string, string> | undefined>
 ): Record<string, string> {
@@ -109,7 +139,8 @@ export function createMantleAnthropicStreamFn(deps?: {
    // Plugin package deps can give this plugin a distinct physical SDK copy.
    // The client API is the same, but the SDK class private field makes types nominal.
    const streamClient = client as unknown as AnthropicStreamClient;
-    if (!options?.reasoning || requiresDefaultSampling(model.id)) {
+    const reasoning = resolveMantleReasoning(model, options);
+    if (!reasoning) {
      return streamFn(model as Model<"anthropic-messages">, context, {
        ...base,
        client: streamClient,
@@ -120,14 +151,15 @@ export function createMantleAnthropicStreamFn(deps?: {
    const adjusted = adjustMaxTokensForThinking(
      base.maxTokens || 0,
      model.maxTokens,
-      options.reasoning,
-      options.thinkingBudgets,
+      reasoning,
+      options?.thinkingBudgets,
    );
    return streamFn(model as Model<"anthropic-messages">, context, {
      ...base,
      client: streamClient,
      maxTokens: adjusted.maxTokens,
      thinkingEnabled: true,
+      ...(isClaudeMythosPreviewModel(model) ? { effort: reasoning } : {}),
      thinkingBudgetTokens: adjusted.thinkingBudget,
    });
  };
--- a/extensions/amazon-bedrock/discovery.test.ts
+++ b/extensions/amazon-bedrock/discovery.test.ts
@@ -166,6 +166,65 @@ describe("bedrock discovery", () => {
    });
  });

+  it("marks known Fable inference profile fallbacks as reasoning capable", async () => {
+    sendMock
+      .mockResolvedValueOnce({
+        modelSummaries: [],
+      })
+      .mockResolvedValueOnce({
+        inferenceProfileSummaries: [
+          {
+            inferenceProfileId: "us.anthropic.claude-fable-5",
+            inferenceProfileName: "US Claude Fable 5",
+            status: "ACTIVE",
+            type: "SYSTEM_DEFINED",
+            models: [
+              {
+                modelArn: "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-fable-5",
+              },
+            ],
+          },
+        ],
+      });
+
+    const models = await discoverBedrockModels({ region: "us-east-1", clientFactory });
+
+    expect(models).toHaveLength(1);
+    expectModelFields(models[0], {
+      id: "us.anthropic.claude-fable-5",
+      reasoning: true,
+      contextWindow: 1_000_000,
+      thinkingLevelMap: { off: "low", minimal: "low", xhigh: "xhigh", max: "max" },
+    });
+  });
+
+  it("skips Mythos Preview inference profiles because Mantle owns that route", async () => {
+    sendMock
+      .mockResolvedValueOnce({
+        modelSummaries: [],
+      })
+      .mockResolvedValueOnce({
+        inferenceProfileSummaries: [
+          {
+            inferenceProfileId: "us.anthropic.claude-mythos-preview",
+            inferenceProfileName: "US Claude Mythos Preview",
+            status: "ACTIVE",
+            type: "SYSTEM_DEFINED",
+            models: [
+              {
+                modelArn:
+                  "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-mythos-preview",
+              },
+            ],
+          },
+        ],
+      });
+
+    const models = await discoverBedrockModels({ region: "us-east-1", clientFactory });
+
+    expect(models).toEqual([]);
+  });
+
  it("normalizes region-prefixed versioned model ids when resolving context windows", async () => {
    sendMock
      .mockResolvedValueOnce({
--- a/extensions/amazon-bedrock/discovery.ts
+++ b/extensions/amazon-bedrock/discovery.ts
@@ -157,6 +157,13 @@ function resolveKnownContextWindow(modelId: string): number | undefined {
  return undefined;
 }

+function isKnownClaudeMythosPreviewModelId(modelId: string): boolean {
+  const stripped = modelId.replace(/^(?:us|eu|ap|apac|au|jp|global)\./, "");
+  return [modelId, stripped].some((candidate) =>
+    /(?:^|[/.:])anthropic\.claude-mythos-preview(?:$|[-.:/])/i.test(candidate),
+  );
+}
+
 function resolveKnownThinkingLevelMap(
  modelId: string,
 ): ModelDefinitionConfig["thinkingLevelMap"] | undefined {
@@ -322,6 +329,9 @@ function shouldIncludeSummary(summary: BedrockModelSummary, filter: string[]): b
  if (summary.responseStreamingSupported !== true) {
    return false;
  }
+  if (isKnownClaudeMythosPreviewModelId(summary.modelId)) {
+    return false;
+  }
  if (!includesTextModalities(summary.outputModalities)) {
    return false;
  }
@@ -454,6 +464,9 @@ function resolveInferenceProfiles(

    // Look up the underlying foundation model to inherit its capabilities.
    const baseModelId = resolveBaseModelId(profile);
+    if (isKnownClaudeMythosPreviewModelId(baseModelId ?? profile.inferenceProfileId)) {
+      continue;
+    }
    const baseModel = baseModelId
      ? foundationModels.get(normalizeLowercaseStringOrEmpty(baseModelId))
      : undefined;
--- a/extensions/amazon-bedrock/index.test.ts
+++ b/extensions/amazon-bedrock/index.test.ts
@@ -835,6 +835,44 @@ describe("amazon-bedrock provider plugin", () => {
    expect(payload.inferenceConfig).toEqual({});
  });

+  it("does not re-upgrade Mythos Preview max thinking in the final payload", async () => {
+    const provider = await registerSingleProviderPlugin(amazonBedrockPlugin);
+    const wrapped = provider.wrapStreamFn?.({
+      provider: "amazon-bedrock",
+      modelId: "us.anthropic.claude-mythos-preview",
+      streamFn: spyStreamFn,
+      thinkingLevel: "max",
+    } as never);
+
+    const result = wrapped?.(
+      {
+        api: "bedrock-converse-stream",
+        provider: "amazon-bedrock",
+        id: "us.anthropic.claude-mythos-preview",
+        name: "Claude Mythos Preview",
+        reasoning: true,
+      } as never,
+      { messages: [] } as never,
+      { reasoning: "max" } as never,
+    ) as Record<string, unknown> | undefined;
+
+    const payload = {
+      inferenceConfig: { temperature: 0.2 },
+      additionalModelRequestFields: {
+        thinking: { type: "adaptive" },
+        output_config: { effort: "high" },
+      },
+    };
+
+    await (result?.onPayload as ((p: Record<string, unknown>) => unknown) | undefined)?.(payload);
+
+    expect(payload.additionalModelRequestFields).toEqual({
+      thinking: { type: "adaptive" },
+      output_config: { effort: "high" },
+    });
+    expect(payload.inferenceConfig).toEqual({});
+  });
+
  it("classifies nested Bedrock deprecated-temperature validation as format failover", async () => {
    const provider = await registerSingleProviderPlugin(amazonBedrockPlugin);

--- a/extensions/amazon-bedrock/register.sync.runtime.ts
+++ b/extensions/amazon-bedrock/register.sync.runtime.ts
@@ -23,6 +23,7 @@ import { mergeImplicitBedrockProvider, resolveBedrockConfigApiKey } from "./disc
 import { bedrockMemoryEmbeddingProviderAdapter } from "./memory-embedding-adapter.js";
 import { streamBedrock, streamSimpleBedrock } from "./stream.runtime.js";
 import {
+  isLatestAdaptiveBedrockModelRef,
  isOpus47OrNewerBedrockModelRef,
  resolveBedrockNativeThinkingLevelMap,
  resolveBedrockClaudeThinkingProfile,
@@ -596,8 +597,10 @@ export function registerAmazonBedrockPlugin(api: OpenClawPluginApi): void {
        currentPluginConfig?.discovery?.region;
      const mayNeedCacheInjection =
        isBedrockAppInferenceProfile(modelId) && !sharedRuntimeWouldInjectCachePoints(modelId);
-      const shouldOmitTemperature = opus47OrNewer || fable5;
+      const shouldOmitTemperature =
+        opus47OrNewer || fable5 || isLatestAdaptiveBedrockModelRef(modelId, model?.params);
      const shouldPatchMaxThinking = supportsNativeMax && thinkingLevel === "max";
+      const shouldPatchPayload = shouldOmitTemperature || shouldPatchMaxThinking;

      // For known Anthropic models (heuristic match), enable injection immediately.
      // For opaque profile IDs, we'll resolve via GetInferenceProfile on first call.
@@ -627,13 +630,17 @@ export function registerAmazonBedrockPlugin(api: OpenClawPluginApi): void {
            context,
            withAwsCredentialRefreshOnPayload({
              ...merged,
-              ...(shouldPatchMaxThinking
+              ...(shouldPatchPayload
                ? {
                    onPayload: (payload: unknown, payloadModel: unknown) => {
                      if (payload && typeof payload === "object") {
                        const payloadRecord = payload as Record<string, unknown>;
-                        patchMaxThinkingEffort(payloadRecord);
-                        omitUnsupportedClaudePayloadTemperature(payloadRecord);
+                        if (shouldPatchMaxThinking) {
+                          patchMaxThinkingEffort(payloadRecord);
+                        }
+                        if (shouldOmitTemperature) {
+                          omitUnsupportedClaudePayloadTemperature(payloadRecord);
+                        }
                      }
                      return originalOnPayload?.(payload, payloadModel);
                    },
--- a/extensions/amazon-bedrock/stream.runtime.test.ts
+++ b/extensions/amazon-bedrock/stream.runtime.test.ts
@@ -167,7 +167,34 @@ describe("Bedrock profile endpoint resolution", () => {
 });

 describe("Bedrock thinking effort mapping", () => {
-  it("caps max effort at high for Claude Sonnet 4.6", () => {
+  it("does not force adaptive thinking for optional Claude models when callers omit reasoning", () => {
+    const model = bedrockModel({
+      id: "anthropic.claude-sonnet-4-6-v1:0",
+      name: "Claude Sonnet 4.6",
+      reasoning: true,
+    });
+    const options = testing.resolveSimpleBedrockOptions(model, {});
+
+    expect(options.reasoning).toBeUndefined();
+    expect(testing.buildAdditionalModelRequestFields(model, options)).toBeUndefined();
+  });
+
+  it("forces adaptive thinking for Bedrock Mythos Preview when callers omit reasoning", () => {
+    const model = bedrockModel({
+      id: "us.anthropic.claude-mythos-preview",
+      name: "US Claude Mythos Preview",
+      reasoning: true,
+    });
+    const options = testing.resolveSimpleBedrockOptions(model, {});
+
+    expect(options.reasoning).toBe("high");
+    expect(testing.buildAdditionalModelRequestFields(model, options)).toEqual({
+      thinking: { type: "adaptive", display: "summarized" },
+      output_config: { effort: "high" },
+    });
+  });
+
+  it("clamps max effort for Claude models without native max support", () => {
    expect(
      testing.mapThinkingLevelToEffort(
        bedrockModel({
--- a/extensions/amazon-bedrock/stream.runtime.ts
+++ b/extensions/amazon-bedrock/stream.runtime.ts
@@ -351,29 +351,38 @@ export const streamSimpleBedrock: StreamFunction<"bedrock-converse-stream", Simp
  model: Model<"bedrock-converse-stream">,
  context: Context,
  options?: SimpleStreamOptions,
-) => {
+) => streamBedrock(model, context, resolveSimpleBedrockOptions(model, options));
+
+function resolveSimpleBedrockOptions(
+  model: Model<"bedrock-converse-stream">,
+  options?: SimpleStreamOptions,
+): BedrockOptions {
  const base = buildBaseOptions(model, options, undefined);
  if (usesClaudeFable5BedrockContract(model)) {
-    return streamBedrock(model, context, {
+    return {
      ...base,
      reasoning: options?.reasoning ?? "high",
      thinkingBudgets: options?.thinkingBudgets,
-    } satisfies BedrockOptions);
+    } satisfies BedrockOptions;
  }
  if (!options?.reasoning) {
-    return streamBedrock(model, context, {
+    const reasoning =
+      isAnthropicClaudeModel(model) && requiresMandatoryAdaptiveThinking(model)
+        ? "high"
+        : undefined;
+    return {
      ...base,
-      reasoning: undefined,
-    } satisfies BedrockOptions);
+      reasoning,
+    } satisfies BedrockOptions;
  }

  if (isAnthropicClaudeModel(model)) {
    if (supportsAdaptiveThinking(model)) {
-      return streamBedrock(model, context, {
+      return {
        ...base,
        reasoning: options.reasoning,
        thinkingBudgets: options.thinkingBudgets,
-      } satisfies BedrockOptions);
+      } satisfies BedrockOptions;
    }

    // Undefined means the caller did not request an output cap; let the helper use the model cap.
@@ -385,7 +394,7 @@ export const streamSimpleBedrock: StreamFunction<"bedrock-converse-stream", Simp
      options.thinkingBudgets,
    );

-    return streamBedrock(model, context, {
+    return {
      ...base,
      maxTokens: adjusted.maxTokens,
      reasoning: options.reasoning,
@@ -393,15 +402,15 @@ export const streamSimpleBedrock: StreamFunction<"bedrock-converse-stream", Simp
        ...options.thinkingBudgets,
        [clampReasoning(options.reasoning)!]: adjusted.thinkingBudget,
      },
-    } satisfies BedrockOptions);
+    } satisfies BedrockOptions;
  }

-  return streamBedrock(model, context, {
+  return {
    ...base,
    reasoning: options.reasoning,
    thinkingBudgets: options.thinkingBudgets,
-  } satisfies BedrockOptions);
-};
+  } satisfies BedrockOptions;
+}

 function handleContentBlockStart(
  event: ContentBlockStartEvent,
@@ -553,15 +562,37 @@ function resolveClaudeProfileNameModelId(modelName?: string): string | undefined
  if (!normalized.includes("claude")) {
    return undefined;
  }
-  const family = /(?:fable-5|opus-4-(?:6|7|8)|sonnet-4-6)(?:$|-)/.exec(normalized)?.[0];
+  const family = /(?:fable-5|mythos-preview|opus-4-(?:6|7|8)|sonnet-4-6)(?:$|-)/.exec(
+    normalized,
+  )?.[0];
  return family ? `claude-${family.replace(/-$/, "")}` : undefined;
 }

+function isClaudeMythosPreviewModelId(modelId?: string): boolean {
+  return /(?:^|-)claude-mythos-preview(?=$|[^a-z0-9])/.test(
+    modelId
+      ?.trim()
+      .toLowerCase()
+      .replace(/[\s_.:]+/g, "-") ?? "",
+  );
+}
+
 /** Check canonical metadata and profile names for adaptive Claude support. */
 function supportsAdaptiveThinking(model: Model<"bedrock-converse-stream">): boolean {
  const profileModelId = resolveClaudeProfileNameModelId(model.name);
  return (
-    supportsClaudeAdaptiveThinking(model) || supportsClaudeAdaptiveThinking({ id: profileModelId })
+    supportsClaudeAdaptiveThinking(model) ||
+    supportsClaudeAdaptiveThinking({ id: profileModelId }) ||
+    isClaudeMythosPreviewModelId(resolveClaudeModelIdentity(model)) ||
+    isClaudeMythosPreviewModelId(profileModelId)
+  );
+}
+
+function requiresMandatoryAdaptiveThinking(model: Model<"bedrock-converse-stream">): boolean {
+  const profileModelId = resolveClaudeProfileNameModelId(model.name);
+  return (
+    isClaudeMythosPreviewModelId(resolveClaudeModelIdentity(model)) ||
+    isClaudeMythosPreviewModelId(profileModelId)
  );
 }

@@ -1071,9 +1102,11 @@ function createImageBlock(mimeType: string, data: string) {

 /** Test-only hooks for Bedrock runtime conversion and endpoint policy. */
 export const testing = {
+  buildAdditionalModelRequestFields,
  convertMessages,
  getConfiguredBedrockRegion,
  hasConfiguredBedrockProfile,
  mapThinkingLevelToEffort,
+  resolveSimpleBedrockOptions,
  shouldUseExplicitBedrockEndpoint,
 };
--- a/extensions/amazon-bedrock/thinking-policy.ts
+++ b/extensions/amazon-bedrock/thinking-policy.ts
@@ -43,6 +43,28 @@ export function isOpus47OrNewerBedrockModelRef(modelRef: string): boolean {
  return isOpus47BedrockModelRef(modelRef) || isOpus48BedrockModelRef(modelRef);
 }

+function isMythosPreviewBedrockModelRef(modelRef: string): boolean {
+  return /(?:^|[/.:])(?:(?:us|eu|ap|apac|au|jp|global)\.)?(?:anthropic\.)?claude-mythos-preview(?:$|[-.:/])/i.test(
+    modelRef,
+  );
+}
+
+/** Return whether a Bedrock Claude ref needs latest adaptive-thinking request shaping. */
+export function isLatestAdaptiveBedrockModelRef(
+  modelId: string,
+  params?: Record<string, unknown>,
+): boolean {
+  const modelRef = { id: modelId, params };
+  const canonicalModelId = resolveClaudeModelIdentity(modelRef);
+  return (
+    resolveClaudeFable5ModelIdentity(modelRef) !== undefined ||
+    [modelId, canonicalModelId].some(
+      (candidate) =>
+        isOpus47OrNewerBedrockModelRef(candidate) || isMythosPreviewBedrockModelRef(candidate),
+    )
+  );
+}
+
 /** Return whether a Bedrock Claude ref supports max effort. */
 export function supportsBedrockNativeMaxEffort(
  modelId: string,
@@ -109,6 +131,12 @@ export function resolveBedrockClaudeThinkingProfile(
      defaultLevel: "adaptive",
    };
  }
+  if (modelRefs.some(isMythosPreviewBedrockModelRef)) {
+    return {
+      levels: [...BASE_CLAUDE_THINKING_LEVELS, { id: "adaptive" }],
+      defaultLevel: "adaptive",
+    };
+  }
  if (modelRefs.some((modelRef) => /claude-sonnet-4(?:\.|-)6(?:$|[-.])/i.test(modelRef))) {
    return {
      levels: [...BASE_CLAUDE_THINKING_LEVELS, { id: "adaptive" }],
--- a/extensions/anthropic-vertex/stream-runtime.test.ts
+++ b/extensions/anthropic-vertex/stream-runtime.test.ts
@@ -3,8 +3,6 @@ import { createAssistantMessageEventStream, type Model } from "openclaw/plugin-s
 import { beforeAll, describe, expect, it, vi } from "vitest";
 import type { AnthropicVertexStreamDeps } from "./stream-runtime.js";

-const SYSTEM_PROMPT_CACHE_BOUNDARY = "\n<!-- OPENCLAW_CACHE_BOUNDARY -->\n";
-
 function createStreamDeps(): {
  deps: AnthropicVertexStreamDeps;
  streamAnthropicMock: ReturnType<typeof vi.fn>;
@@ -50,8 +48,6 @@ function makeModel(params: {
  } as Model<"anthropic-messages">;
 }

-const CACHE_BOUNDARY_PROMPT = `Stable prefix${SYSTEM_PROMPT_CACHE_BOUNDARY}Dynamic suffix`;
-
 type PayloadHook = (payload: unknown, payloadModel: unknown) => Promise<unknown>;

 function streamAnthropicCall(streamAnthropicMock: ReturnType<typeof vi.fn>): unknown[] {
@@ -72,8 +68,8 @@ function streamTransportOptions(
  return options as Record<string, unknown>;
 }

-function captureCacheBoundaryPayloadHook(
-  onPayload: PayloadHook,
+function captureTransportPayloadHook(
+  onPayload: PayloadHook | undefined,
  deps: AnthropicVertexStreamDeps,
  streamAnthropicMock: ReturnType<typeof vi.fn>,
 ) {
@@ -82,14 +78,8 @@ function captureCacheBoundaryPayloadHook(

  void streamFn(
    model,
-    {
-      systemPrompt: CACHE_BOUNDARY_PROMPT,
-      messages: [{ role: "user", content: "Hello" }],
-    } as never,
-    {
-      cacheRetention: "short",
-      onPayload,
-    } as never,
+    { messages: [{ role: "user", content: "Hello" }] } as never,
+    { cacheRetention: "short", ...(onPayload ? { onPayload } : {}) } as never,
  );

  const transportOptions = streamTransportOptions(streamAnthropicMock);
@@ -97,26 +87,30 @@ function captureCacheBoundaryPayloadHook(
  return { model, onPayload: transportOptions.onPayload as PayloadHook | undefined };
 }

-function buildExpectedCacheBoundaryPayload(messageText: string) {
+// Mirrors the shared anthropic-messages transport output: cache boundary already
+// split (uncached dynamic suffix) and all four cache_control markers allocated.
+function buildBudgetedTransportPayload() {
  return {
    system: [
-      {
-        type: "text",
-        text: "Stable prefix",
-        cache_control: { type: "ephemeral" },
-      },
-      {
-        type: "text",
-        text: "Dynamic suffix",
-      },
+      { type: "text", text: "Stable prefix", cache_control: { type: "ephemeral" } },
+      { type: "text", text: "Dynamic suffix" },
+    ],
+    tools: [
+      { name: "exec", input_schema: { type: "object" }, cache_control: { type: "ephemeral" } },
    ],
    messages: [
+      {
+        role: "user",
+        content: [{ type: "text", text: "Hello", cache_control: { type: "ephemeral" } }],
+      },
+      { role: "assistant", content: [{ type: "tool_use", id: "t1", name: "exec", input: {} }] },
      {
        role: "user",
        content: [
          {
-            type: "text",
-            text: messageText,
+            type: "tool_result",
+            tool_use_id: "t1",
+            content: [],
            cache_control: { type: "ephemeral" },
          },
        ],
@@ -125,6 +119,29 @@ function buildExpectedCacheBoundaryPayload(messageText: string) {
  };
 }

+function countCacheControlMarkers(payload: unknown): number {
+  let count = 0;
+  const visit = (value: unknown) => {
+    if (Array.isArray(value)) {
+      value.forEach(visit);
+      return;
+    }
+    if (!value || typeof value !== "object") {
+      return;
+    }
+    const record = value as Record<string, unknown>;
+    if (record.cache_control !== undefined) {
+      count += 1;
+    }
+    visit(record.content);
+  };
+  const record = payload as Record<string, unknown>;
+  visit(record.system);
+  visit(record.tools);
+  visit(record.messages);
+  return count;
+}
+
 describe("createAnthropicVertexStreamFn", () => {
  beforeAll(async () => {
    ({ createAnthropicVertexStreamFn, createAnthropicVertexStreamFnForModel } =
@@ -180,7 +197,7 @@ describe("createAnthropicVertexStreamFn", () => {
    expect(streamTransportOptions(streamAnthropicMock).maxTokens).toBe(128000);
  });

-  it.each(["claude-opus-4-8", "claude-opus-4-7"])(
+  it.each(["claude-opus-4-8", "claude-opus-4-7", "claude-fable-5", "claude-mythos-5"])(
    "omits unsupported temperature for %s",
    (modelId) => {
      const { deps, streamAnthropicMock } = createStreamDeps();
@@ -219,6 +236,21 @@ describe("createAnthropicVertexStreamFn", () => {
    expect(streamTransportOptions(streamAnthropicMock)).not.toHaveProperty("temperature");
  });

+  it("uses Mythos 5's mandatory adaptive Vertex contract by default", () => {
+    const { deps, streamAnthropicMock } = createStreamDeps();
+    const streamFn = createAnthropicVertexStreamFn("vertex-project", "us-east5", undefined, deps);
+    const model = makeModel({ id: "claude-mythos-5", maxTokens: 128000 });
+
+    void streamFn(model, { messages: [] }, { temperature: 0.7 });
+
+    expect(streamTransportOptions(streamAnthropicMock)).toMatchObject({
+      thinkingEnabled: true,
+      effort: "high",
+      maxTokens: 128000,
+    });
+    expect(streamTransportOptions(streamAnthropicMock)).not.toHaveProperty("temperature");
+  });
+
  it("uses canonical Claude policy for Vertex deployment aliases", () => {
    const { deps, streamAnthropicMock } = createStreamDeps();
    const streamFn = createAnthropicVertexStreamFn("vertex-project", "us-east5", undefined, deps);
@@ -328,63 +360,35 @@ describe("createAnthropicVertexStreamFn", () => {
    expect(transportOptions).not.toHaveProperty("temperature");
  });

-  it("applies Anthropic cache-boundary shaping before forwarding payload hooks", async () => {
+  it("keeps already-budgeted cache_control markers intact when forwarding payload hooks", async () => {
    const { deps, streamAnthropicMock } = createStreamDeps();
    const onPayload = vi.fn(async (payload: unknown) => payload);
-    const { model, onPayload: transportPayloadHook } = captureCacheBoundaryPayloadHook(
+    const { model, onPayload: transportPayloadHook } = captureTransportPayloadHook(
      onPayload,
      deps,
      streamAnthropicMock,
    );
-    const payload = {
-      system: [
-        {
-          type: "text",
-          text: CACHE_BOUNDARY_PROMPT,
-          cache_control: { type: "ephemeral" },
-        },
-      ],
-      messages: [{ role: "user", content: "Hello" }],
-    };
+    const payload = buildBudgetedTransportPayload();

    const nextPayload = await transportPayloadHook?.(payload, model);

-    const expectedPayload = buildExpectedCacheBoundaryPayload("Hello");
-    expect(onPayload).toHaveBeenCalledWith(expectedPayload, model);
-    expect(nextPayload).toEqual(expectedPayload);
+    expect(onPayload).toHaveBeenCalledWith(payload, model);
+    expect(countCacheControlMarkers(nextPayload)).toBe(4);
+    expect((nextPayload as ReturnType<typeof buildBudgetedTransportPayload>).system[1]).toEqual({
+      type: "text",
+      text: "Dynamic suffix",
+    });
  });

-  it("reapplies Anthropic cache-boundary shaping when payload hooks return a fresh payload", async () => {
+  it("omits the transport payload hook when the caller provides none", () => {
    const { deps, streamAnthropicMock } = createStreamDeps();
-    const onPayload = vi.fn(async () => ({
-      system: [
-        {
-          type: "text",
-          text: CACHE_BOUNDARY_PROMPT,
-        },
-      ],
-      messages: [{ role: "user", content: "Hello again" }],
-    }));
-    const { model, onPayload: transportPayloadHook } = captureCacheBoundaryPayloadHook(
-      onPayload,
+    const { onPayload: transportPayloadHook } = captureTransportPayloadHook(
+      undefined,
      deps,
      streamAnthropicMock,
    );

-    const nextPayload = await transportPayloadHook?.(
-      {
-        system: [
-          {
-            type: "text",
-            text: CACHE_BOUNDARY_PROMPT,
-          },
-        ],
-        messages: [{ role: "user", content: "Hello" }],
-      },
-      model,
-    );
-
-    expect(nextPayload).toEqual(buildExpectedCacheBoundaryPayload("Hello again"));
+    expect(transportPayloadHook).toBeUndefined();
  });

  it("omits maxTokens when neither the model nor request provide a finite limit", () => {
--- a/extensions/anthropic-vertex/stream-runtime.ts
+++ b/extensions/anthropic-vertex/stream-runtime.ts
@@ -1,6 +1,6 @@
 /**
 * Anthropic Vertex stream runtime. It constructs Vertex SDK clients and adapts
- * OpenClaw stream options into Anthropic Messages payload policy.
+ * OpenClaw stream options for the shared Anthropic Messages transport.
 */
 import { AnthropicVertex as AnthropicVertexSdk } from "@anthropic-ai/vertex-sdk";
 import type { StreamFn } from "openclaw/plugin-sdk/agent-core";
@@ -18,10 +18,6 @@ import {
  supportsClaudeNativeMaxEffort,
  supportsClaudeNativeXhighEffort,
 } from "openclaw/plugin-sdk/provider-model-shared";
-import {
-  applyAnthropicPayloadPolicyToParams,
-  resolveAnthropicPayloadPolicy,
-} from "openclaw/plugin-sdk/provider-stream-shared";
 import { resolveAnthropicVertexClientRegion, resolveAnthropicVertexProjectId } from "./region.js";

 type AnthropicVertexTransportOptions = ProviderStreamOptions & {
@@ -58,8 +54,12 @@ function isClaudeFable5Model(modelId: string): boolean {
  return resolveClaudeFable5ModelIdentity({ id: modelId }) !== undefined;
 }

+function isClaudeMythos5Model(modelId: string): boolean {
+  return /(?:^|-)claude-mythos-5(?=$|[^a-z0-9])/.test(resolveClaudeModelIdentity({ id: modelId }));
+}
+
 function supportsAdaptiveThinking(modelId: string): boolean {
-  return supportsClaudeAdaptiveThinking({ id: modelId });
+  return supportsClaudeAdaptiveThinking({ id: modelId }) || isClaudeMythos5Model(modelId);
 }

 function mapAnthropicAdaptiveEffort(
@@ -82,10 +82,13 @@ function mapAnthropicAdaptiveEffort(
    high: "high",
    xhigh: isClaudeFable5Model(modelId)
      ? "xhigh"
-      : isClaudeOpus47OrNewerModel(modelId)
+      : isClaudeOpus47OrNewerModel(modelId) || isClaudeMythos5Model(modelId)
        ? "xhigh"
        : "high",
-    max: supportsClaudeNativeMaxEffort({ id: modelId }) ? "max" : "high",
+    max:
+      supportsClaudeNativeMaxEffort({ id: modelId }) || isClaudeMythos5Model(modelId)
+        ? "max"
+        : "high",
  };
  return effortMap[resolvedReasoning] ?? "high";
 }
@@ -113,36 +116,6 @@ function resolveAnthropicVertexMaxTokens(params: {
  return requested ?? modelMax;
 }

-function createAnthropicVertexOnPayload(params: {
-  model: { api: string; baseUrl?: string; provider: string };
-  cacheRetention: ProviderStreamOptions["cacheRetention"] | undefined;
-  onPayload: ProviderStreamOptions["onPayload"] | undefined;
-}): NonNullable<ProviderStreamOptions["onPayload"]> {
-  const policy = resolveAnthropicPayloadPolicy({
-    provider: params.model.provider,
-    api: params.model.api,
-    baseUrl: params.model.baseUrl,
-    cacheRetention: params.cacheRetention,
-    enableCacheControl: true,
-  });
-
-  function applyPolicy(payload: unknown): unknown {
-    if (payload && typeof payload === "object" && !Array.isArray(payload)) {
-      applyAnthropicPayloadPolicyToParams(payload as Record<string, unknown>, policy);
-    }
-    return payload;
-  }
-
-  return async (payload, model) => {
-    const shapedPayload = applyPolicy(payload);
-    const nextPayload = await params.onPayload?.(shapedPayload, model);
-    if (nextPayload === undefined || nextPayload === shapedPayload) {
-      return shapedPayload;
-    }
-    return applyPolicy(nextPayload);
-  };
-}
-
 /**
 * Create a StreamFn that routes through OpenClaw's generic model stream with an
 * injected `AnthropicVertex` client.  All streaming, message conversion, and
@@ -173,11 +146,16 @@ export function createAnthropicVertexStreamFn(
    });
    const contractModelId = resolveClaudeModelIdentity(model);
    const fable5 = isClaudeFable5Model(contractModelId);
-    const reasoning = options?.reasoning as ModelThinkingLevel | undefined;
+    const mandatoryAdaptiveThinking = fable5 || isClaudeMythos5Model(contractModelId);
+    const reasoning =
+      (options?.reasoning as ModelThinkingLevel | undefined) ??
+      (mandatoryAdaptiveThinking ? "high" : undefined);
    const adaptiveThinking =
-      fable5 || Boolean(reasoning && supportsAdaptiveThinking(contractModelId));
+      mandatoryAdaptiveThinking || Boolean(reasoning && supportsAdaptiveThinking(contractModelId));
    const temperature =
-      adaptiveThinking || isClaudeOpus47OrNewerModel(contractModelId)
+      adaptiveThinking ||
+      isClaudeOpus47OrNewerModel(contractModelId) ||
+      isClaudeMythos5Model(contractModelId)
        ? undefined
        : options?.temperature;
    const opts: AnthropicVertexTransportOptions = {
@@ -188,11 +166,10 @@ export function createAnthropicVertexStreamFn(
      cacheRetention: options?.cacheRetention,
      sessionId: options?.sessionId,
      headers: options?.headers,
-      onPayload: createAnthropicVertexOnPayload({
-        model: transportModel,
-        cacheRetention: options?.cacheRetention,
-        onPayload: options?.onPayload,
-      }),
+      // The shared anthropic-messages transport already splits the system prompt
+      // cache boundary and budgets all cache_control markers; re-applying the
+      // payload policy here marked the uncached suffix and breached the 4-marker cap.
+      onPayload: options?.onPayload,
      maxRetryDelayMs: options?.maxRetryDelayMs,
      metadata: options?.metadata,
    };
--- a/extensions/anthropic/index.test.ts
+++ b/extensions/anthropic/index.test.ts
@@ -710,6 +710,28 @@ describe("anthropic provider replay hooks", () => {
    expect(resolved).toBeUndefined();
  });

+  it("normalizes Claude Mythos Preview with native max but no xhigh thinking map", async () => {
+    const provider = await registerSingleProviderPlugin(anthropicPlugin);
+
+    const normalized = provider.normalizeResolvedModel?.({
+      provider: "anthropic",
+      modelId: "claude-mythos-preview",
+      model: {
+        id: "claude-mythos-preview",
+        name: "Claude Mythos Preview",
+        provider: "anthropic",
+        api: "anthropic-messages",
+        reasoning: true,
+        input: ["text", "image"],
+        cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+        contextWindow: 200_000,
+        maxTokens: 64_000,
+      },
+    } as never);
+
+    expect(normalized?.thinkingLevelMap).toEqual({ max: "max" });
+  });
+
  it("normalizes stale text-only modern Claude vision rows to image-capable", async () => {
    const provider = await registerSingleProviderPlugin(anthropicPlugin);

--- a/extensions/anthropic/openclaw.plugin.json
+++ b/extensions/anthropic/openclaw.plugin.json
@@ -101,6 +101,28 @@
            "contextWindow": 200000,
            "maxTokens": 64000
          },
+          {
+            "id": "claude-haiku-4-5",
+            "name": "Claude Haiku 4.5",
+            "reasoning": true,
+            "input": ["text", "image"],
+            "mediaInput": {
+              "image": { "maxSidePx": 1568, "preferredSidePx": 1568, "tokenMode": "provider" }
+            },
+            "contextWindow": 200000,
+            "maxTokens": 64000
+          },
+          {
+            "id": "claude-haiku-4-5-20251001",
+            "name": "Claude Haiku 4.5",
+            "reasoning": true,
+            "input": ["text", "image"],
+            "mediaInput": {
+              "image": { "maxSidePx": 1568, "preferredSidePx": 1568, "tokenMode": "provider" }
+            },
+            "contextWindow": 200000,
+            "maxTokens": 64000
+          },
          {
            "id": "claude-sonnet-4-6",
            "name": "Claude Sonnet 4.6",
--- a/extensions/anthropic/openclaw.plugin.test.ts
+++ b/extensions/anthropic/openclaw.plugin.test.ts
@@ -0,0 +1,57 @@
+// Anthropic tests cover provider manifest model catalog behavior.
+import { readFileSync } from "node:fs";
+import { describe, expect, it } from "vitest";
+
+type AnthropicManifest = {
+  modelCatalog?: {
+    providers?: {
+      anthropic?: {
+        models?: Array<{
+          id?: string;
+          name?: string;
+          reasoning?: boolean;
+          input?: string[];
+          mediaInput?: {
+            image?: {
+              maxSidePx?: number;
+              preferredSidePx?: number;
+              tokenMode?: string;
+            };
+          };
+          contextWindow?: number;
+          maxTokens?: number;
+        }>;
+      };
+    };
+    discovery?: Record<string, string>;
+  };
+};
+
+const manifest = JSON.parse(
+  readFileSync(new URL("./openclaw.plugin.json", import.meta.url), "utf8"),
+) as AnthropicManifest;
+
+describe("Anthropic plugin manifest", () => {
+  it("resolves both official Claude Haiku 4.5 API identifiers from the static catalog", () => {
+    expect(manifest.modelCatalog?.discovery?.anthropic).toBe("static");
+
+    const models = manifest.modelCatalog?.providers?.anthropic?.models ?? [];
+    for (const id of ["claude-haiku-4-5", "claude-haiku-4-5-20251001"]) {
+      expect(models.find((model) => model.id === id)).toEqual({
+        id,
+        name: "Claude Haiku 4.5",
+        reasoning: true,
+        input: ["text", "image"],
+        mediaInput: {
+          image: {
+            maxSidePx: 1568,
+            preferredSidePx: 1568,
+            tokenMode: "provider",
+          },
+        },
+        contextWindow: 200000,
+        maxTokens: 64000,
+      });
+    }
+  });
+});
--- a/extensions/anthropic/register.runtime.ts
+++ b/extensions/anthropic/register.runtime.ts
@@ -34,6 +34,7 @@ import {
  resolveClaudeModelIdentity,
  resolveClaudeThinkingProfile,
  supportsClaudeAdaptiveThinking,
+  supportsClaudeNativeMaxEffort,
  supportsClaudeNativeXhighEffort,
 } from "openclaw/plugin-sdk/provider-model-shared";
 import { fetchClaudeUsage } from "openclaw/plugin-sdk/provider-usage";
@@ -292,6 +293,11 @@ function buildAnthropicForwardCompatModel(
    maxTokens: isAnthropic128kOutputModel(trimmedModelId)
      ? ANTHROPIC_MODERN_MAX_OUTPUT_TOKENS
      : 64_000,
+    ...(supportsClaudeNativeXhighEffort({ id: trimmedModelId })
+      ? { thinkingLevelMap: { xhigh: "xhigh", max: "max" } }
+      : supportsAnthropicNativeMaxEffort(trimmedModelId)
+        ? { thinkingLevelMap: { max: "max" } }
+        : {}),
  };
 }

@@ -361,6 +367,16 @@ function isAnthropicOpus47OrNewerModel(modelId: string): boolean {
  return supportsClaudeNativeXhighEffort({ id: modelId }) && !isAnthropicFable5Model(modelId);
 }

+function isAnthropicMythosPreviewModel(modelId: string): boolean {
+  return /(?:^|-)claude-mythos-preview(?=$|[^a-z0-9])/.test(
+    resolveClaudeModelIdentity({ id: modelId }),
+  );
+}
+
+function supportsAnthropicNativeMaxEffort(modelId: string): boolean {
+  return supportsClaudeNativeMaxEffort({ id: modelId }) || isAnthropicMythosPreviewModel(modelId);
+}
+
 function hasConfiguredModelContextOverride(
  config: ProviderNormalizeResolvedModelContext["config"],
  provider: string,
@@ -455,15 +471,17 @@ function applyAnthropicThinkingLevelMap(params: {
 }): ProviderRuntimeModel | undefined {
  const fable5 = isAnthropicFable5Model(params.modelId);
  const nativeXhigh = fable5 || isAnthropicOpus47OrNewerModel(params.modelId);
-  if (!matchesAnthropicModernModel(params.modelId)) {
+  if (!supportsAnthropicNativeMaxEffort(params.modelId)) {
    return undefined;
  }
  const current = params.model.thinkingLevelMap;
-  const nativeDefaults = {
-    ...(fable5 ? { off: "low" as const, minimal: "low" as const } : {}),
-    xhigh: nativeXhigh ? ("xhigh" as const) : null,
-    max: "max" as const,
-  };
+  const nativeDefaults = isAnthropicMythosPreviewModel(params.modelId)
+    ? { max: "max" as const }
+    : {
+        ...(fable5 ? { off: "low" as const, minimal: "low" as const } : {}),
+        xhigh: nativeXhigh ? ("xhigh" as const) : null,
+        max: "max" as const,
+      };
  const currentEfforts = current as Record<string, string | null | undefined> | undefined;
  if (Object.keys(nativeDefaults).every((level) => currentEfforts?.[level] !== undefined)) {
    return undefined;
@@ -478,7 +496,7 @@ function applyAnthropicThinkingLevelMap(params: {
 }

 function matchesAnthropicModernModel(modelId: string): boolean {
-  return supportsClaudeAdaptiveThinking({ id: modelId });
+  return supportsClaudeAdaptiveThinking({ id: modelId }) || isAnthropicMythosPreviewModel(modelId);
 }

 function hasImageInput(input: unknown): boolean {
--- a/extensions/browser/src/cli/browser-cli-manage.test.ts
+++ b/extensions/browser/src/cli/browser-cli-manage.test.ts
@@ -461,4 +461,24 @@ describe("browser manage output", () => {
    expect(output).toContain("OK gateway: browser control endpoint reachable");
    expect(output).toContain("OK tabs: 1 visible, use tab reference t1");
  });
+
+  it("prints a readable browser doctor failure when gateway auth SecretRefs are unavailable", async () => {
+    const error = Object.assign(new Error("gateway.auth.password unavailable"), {
+      code: "GATEWAY_SECRET_REF_UNAVAILABLE",
+      name: "GatewaySecretRefUnavailableError",
+    });
+    getBrowserManageCallBrowserRequestMock().mockRejectedValueOnce(error);
+
+    const program = createBrowserManageProgram();
+    await expect(program.parseAsync(["browser", "doctor"], { from: "user" })).rejects.toThrow(
+      "__exit__:1",
+    );
+
+    const output = lastRuntimeLog();
+    expect(output).toContain(
+      "FAIL gateway: Gateway auth SecretRef is unavailable in this command path",
+    );
+    expect(output).toContain("OPENCLAW_GATEWAY_TOKEN");
+    expect(output).not.toContain("GatewaySecretRefUnavailableError");
+  });
 });
--- a/extensions/browser/src/cli/browser-cli-manage.ts
+++ b/extensions/browser/src/cli/browser-cli-manage.ts
@@ -152,6 +152,24 @@ function formatDoctorLine(check: BrowserDoctorCheck): string {
  return `${check.ok ? "OK" : "FAIL"} ${check.name}${check.detail ? `: ${check.detail}` : ""}`;
 }

+function isGatewaySecretRefUnavailableErrorShape(error: unknown): boolean {
+  if (!(error instanceof Error)) {
+    return false;
+  }
+  const errorRecord = error as Error & { code?: unknown };
+  return (
+    errorRecord.name === "GatewaySecretRefUnavailableError" ||
+    errorRecord.code === "GATEWAY_SECRET_REF_UNAVAILABLE"
+  );
+}
+
+function formatBrowserDoctorGatewayError(error: unknown): string {
+  if (!isGatewaySecretRefUnavailableErrorShape(error)) {
+    return String(error);
+  }
+  return "Gateway auth SecretRef is unavailable in this command path; browser doctor cannot reach the admin-scoped browser.request endpoint. Set OPENCLAW_GATEWAY_TOKEN or OPENCLAW_GATEWAY_PASSWORD, then retry.";
+}
+
 async function runBrowserDoctor(parent: BrowserParentOpts, profile?: string, deep?: boolean) {
  const checks: BrowserDoctorCheck[] = [];
  let status: BrowserStatus | null;
@@ -167,7 +185,7 @@ async function runBrowserDoctor(parent: BrowserParentOpts, profile?: string, dee
    checks.push({
      name: "gateway",
      ok: false,
-      detail: String(err),
+      detail: formatBrowserDoctorGatewayError(err),
    });
    return { ok: false, checks };
  }
--- a/extensions/canvas/src/host/server.test.ts
+++ b/extensions/canvas/src/host/server.test.ts
@@ -120,6 +120,7 @@ describe("canvas host", () => {
  };
  let createCanvasHostHandler: typeof import("./server.js").createCanvasHostHandler;
  let startCanvasHost: typeof import("./server.js").startCanvasHost;
+  let canvasLiveReloadMaxInboundMessageBytes = 0;
  let WebSocketServerClass: typeof import("ws").WebSocketServer;
  let watcherState: ReturnType<typeof createMockWatcherState>;
  let fixtureRoot = "";
@@ -162,7 +163,10 @@ describe("canvas host", () => {
      };
    });
    vi.resetModules();
-    ({ createCanvasHostHandler, startCanvasHost } = await import("./server.js"));
+    const serverModule = await import("./server.js");
+    ({ createCanvasHostHandler, startCanvasHost } = serverModule);
+    canvasLiveReloadMaxInboundMessageBytes =
+      serverModule.CANVAS_LIVE_RELOAD_MAX_INBOUND_MESSAGE_BYTES;
    const wsModule = await vi.importActual<typeof import("ws")>("ws");
    WebSocketServerClass = wsModule.WebSocketServer;
    fixtureRoot = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-canvas-fixtures-"));
@@ -221,6 +225,54 @@ describe("canvas host", () => {
    }
  });

+  it("caps live reload WebSocket inbound payloads", async () => {
+    const dir = await createCaseDir();
+    const constructorOptions: unknown[] = [];
+    let connectionHandler: ((socket: TrackingWebSocket) => void) | undefined;
+    class CapturingWebSocketServer {
+      on(event: string, cb: (socket: TrackingWebSocket) => void) {
+        if (event === "connection") {
+          connectionHandler = cb;
+        }
+        return this;
+      }
+
+      close(cb?: () => void) {
+        cb?.();
+      }
+
+      constructor(options: unknown) {
+        constructorOptions.push(options);
+      }
+    }
+
+    const handler = await createTestCanvasHostHandler(dir, {
+      webSocketServerClass:
+        CapturingWebSocketServer as unknown as typeof import("ws").WebSocketServer,
+    });
+
+    try {
+      expect(constructorOptions[0]).toMatchObject({
+        noServer: true,
+        maxPayload: canvasLiveReloadMaxInboundMessageBytes,
+      });
+      const socketHandlers: string[] = [];
+      const socket: TrackingWebSocket = {
+        sent: [],
+        on: (event) => {
+          socketHandlers.push(event);
+          return socket;
+        },
+        send: vi.fn(),
+      };
+      expect(connectionHandler).toBeDefined();
+      connectionHandler?.(socket);
+      expect(socketHandlers).toEqual(expect.arrayContaining(["error", "close"]));
+    } finally {
+      await handler.close();
+    }
+  });
+
  it("falls back to the default mount when the configured base path is malformed", async () => {
    const dir = await createCaseDir();
    await fs.writeFile(path.join(dir, "index.html"), "<html><body>fallback</body></html>", "utf8");
--- a/extensions/canvas/src/host/server.ts
+++ b/extensions/canvas/src/host/server.ts
@@ -30,6 +30,8 @@ import {
 } from "./a2ui-shared.js";
 import { normalizeUrlPath, resolveFileWithinRoot } from "./file-resolver.js";

+export const CANVAS_LIVE_RELOAD_MAX_INBOUND_MESSAGE_BYTES = 64 * 1024;
+
 type ChokidarWatch = typeof import("chokidar").watch;

 /** Options for Canvas host creation. */
@@ -276,11 +278,22 @@ export async function createCanvasHostHandler(
  const writeStabilityThresholdMs = testMode ? 12 : 75;
  const writePollIntervalMs = testMode ? 5 : 10;
  const WebSocketServerClass = opts.webSocketServerClass ?? WebSocketServer;
-  const wss = liveReload ? new WebSocketServerClass({ noServer: true }) : null;
+  const wss = liveReload
+    ? new WebSocketServerClass({
+        noServer: true,
+        // Live reload clients never need to send application payloads; cap frames
+        // before ws buffers oversized input on this long-lived upgrade route.
+        maxPayload: CANVAS_LIVE_RELOAD_MAX_INBOUND_MESSAGE_BYTES,
+      })
+    : null;
  const sockets = new Set<WebSocket>();
  if (wss) {
    wss.on("connection", (ws) => {
      sockets.add(ws);
+      // ws emits error for maxPayload rejections; close handles final cleanup.
+      ws.on("error", () => {
+        sockets.delete(ws);
+      });
      ws.on("close", () => sockets.delete(ws));
    });
  }
--- a/extensions/codex/src/app-server/attempt-context.ts
+++ b/extensions/codex/src/app-server/attempt-context.ts
@@ -15,6 +15,7 @@ import {
  type EmbeddedRunAttemptResult,
 } from "openclaw/plugin-sdk/agent-harness-runtime";
 import { resolveAgentWorkspaceDir } from "openclaw/plugin-sdk/agent-runtime";
+import { buildMemorySystemPromptAddition } from "openclaw/plugin-sdk/core";
 import type { CodexDynamicToolSpec, JsonValue } from "./protocol.js";
 import { isJsonObject } from "./protocol.js";
 import type { CodexAppServerThreadBinding } from "./session-binding.js";
@@ -249,9 +250,11 @@ export async function buildCodexWorkspaceBootstrapContext(params: {
        turnScopedDeveloperInstructionFiles,
      ),
      memoryCollaborationInstructions: shouldInjectCodexOpenClawPromptContext(params.params)
-        ? renderCodexWorkspaceMemoryReference({
+        ? renderCodexWorkspaceMemoryCollaborationInstructions({
            files: memoryReferenceFiles,
            toolNames: params.memoryToolNames,
+            memoryToolRouted: memoryToolsAvailable,
+            citationsMode: params.params.config?.memory?.citations,
          })
        : undefined,
      heartbeatCollaborationInstructions:
@@ -805,6 +808,55 @@ export function renderCodexWorkspaceMemoryReference(params: {
  return lines.join("\n").trim();
 }

+function renderCodexWorkspaceMemoryCollaborationInstructions(params: {
+  files: EmbeddedContextFile[];
+  toolNames: readonly string[];
+  memoryToolRouted: boolean;
+  citationsMode?: Parameters<typeof buildMemorySystemPromptAddition>[0]["citationsMode"];
+}): string | undefined {
+  const memoryRecallInstructions = params.memoryToolRouted
+    ? renderCodexMemoryRecallInstructions({
+        toolNames: params.toolNames,
+        citationsMode: params.citationsMode,
+      })
+    : undefined;
+  const memoryReferenceInstructions = renderCodexWorkspaceMemoryReference({
+    files: params.files,
+    toolNames: params.toolNames,
+  });
+  const sections = [memoryRecallInstructions, memoryReferenceInstructions].filter(isNonEmptyString);
+  return sections.length > 0 ? sections.join("\n\n") : undefined;
+}
+
+function renderCodexMemoryRecallInstructions(params: {
+  toolNames: readonly string[];
+  citationsMode?: Parameters<typeof buildMemorySystemPromptAddition>[0]["citationsMode"];
+}): string | undefined {
+  const availableTools = new Set(params.toolNames);
+  const memoryPrompt = buildMemorySystemPromptAddition({
+    availableTools,
+    citationsMode: params.citationsMode,
+  });
+  if (!memoryPrompt) {
+    // Memory recall policy belongs to the active memory plugin.
+    // Codex-side fallback text can mask plugin lifecycle bugs or misdescribe third-party memory tools.
+    return undefined;
+  }
+  const toolSearchBridge = renderCodexMemoryToolSearchBridge(params.toolNames);
+  return [memoryPrompt, toolSearchBridge].filter(isNonEmptyString).join("\n").trim();
+}
+
+function renderCodexMemoryToolSearchBridge(toolNames: readonly string[]): string | undefined {
+  const memoryToolNames = toolNames
+    .map((name) => normalizeCodexDynamicToolName(name))
+    .filter((name) => CODEX_MEMORY_TOOL_NAMES.has(name))
+    .toSorted();
+  if (memoryToolNames.length === 0) {
+    return undefined;
+  }
+  return `Codex may expose ${memoryToolNames.join(" and ")} as deferred tools. When the memory guidance above calls for memory recall, use an already-loaded memory tool directly. If the needed memory tool is deferred and not currently callable, use \`tool_search\` to load it, then call that memory tool.`;
+}
+
 /** Returns whether the current dynamic tool list can serve workspace memory. */
 export function hasCodexWorkspaceMemoryTools(tools: readonly { name: string }[]): boolean {
  return getCodexWorkspaceMemoryToolNames(tools).length > 0;
--- a/extensions/codex/src/app-server/config.test.ts
+++ b/extensions/codex/src/app-server/config.test.ts
@@ -19,7 +19,6 @@ import {
  resolveOpenClawExecPolicyForCodexAppServer,
  resolveCodexPluginsPolicy,
  shouldAutoApproveCodexAppServerApprovals,
-  withMcpElicitationsApprovalPolicy,
 } from "./config.js";

 type RuntimeOptionsParams = NonNullable<Parameters<typeof resolveCodexAppServerRuntimeOptions>[0]>;
@@ -28,20 +27,6 @@ function resolveRuntimeForTest(params: RuntimeOptionsParams = {}) {
  return resolveCodexAppServerRuntimeOptions({ env: {}, requirementsToml: null, ...params });
 }

-describe("withMcpElicitationsApprovalPolicy", () => {
-  it("returns a complete granular policy for Codex", () => {
-    expect(withMcpElicitationsApprovalPolicy("never")).toEqual({
-      granular: {
-        mcp_elicitations: true,
-        request_permissions: false,
-        rules: false,
-        sandbox_approval: false,
-        skill_approval: false,
-      },
-    });
-  });
-});
-
 function requireRecord(value: unknown, label: string): Record<string, unknown> {
  if (!value || typeof value !== "object" || Array.isArray(value)) {
    throw new Error(`Expected ${label}`);
--- a/extensions/codex/src/app-server/config.ts
+++ b/extensions/codex/src/app-server/config.ts
@@ -59,8 +59,8 @@ export type CodexAppServerEffectiveApprovalPolicy =
        mcp_elicitations: boolean;
        rules: boolean;
        sandbox_approval: boolean;
-        request_permissions: boolean;
-        skill_approval: boolean;
+        request_permissions?: boolean;
+        skill_approval?: boolean;
      };
    };
 export type CodexAppServerSandboxMode = "read-only" | "workspace-write" | "danger-full-access";
@@ -814,8 +814,6 @@ export function withMcpElicitationsApprovalPolicy(
        mcp_elicitations: true,
        rules: false,
        sandbox_approval: false,
-        request_permissions: false,
-        skill_approval: false,
      },
    };
  }
@@ -824,8 +822,6 @@ export function withMcpElicitationsApprovalPolicy(
      mcp_elicitations: true,
      rules: true,
      sandbox_approval: true,
-      request_permissions: true,
-      skill_approval: true,
    },
  };
 }
--- a/extensions/codex/src/app-server/protocol.ts
+++ b/extensions/codex/src/app-server/protocol.ts
@@ -2,23 +2,6 @@
 export type JsonValue = null | boolean | number | string | JsonValue[] | JsonObject;
 export type JsonObject = { [key: string]: JsonValue };
 export type CodexServiceTier = string;
-export type CodexApprovalPolicy =
-  | "untrusted"
-  | "on-failure"
-  | "on-request"
-  | {
-      granular: {
-        sandbox_approval: boolean;
-        rules: boolean;
-        skill_approval: boolean;
-        request_permissions: boolean;
-        mcp_elicitations: boolean;
-      };
-    }
-  | "never";
-export type CodexApprovalsReviewer = "user" | "auto_review" | "guardian_subagent";
-export type CodexSandboxMode = "read-only" | "workspace-write" | "danger-full-access";
-export type CodexPersonality = "none" | "friendly" | "pragmatic";

 export type CodexAppServerRequestMethod = keyof CodexAppServerRequestResultMap | (string & {});
 export type CodexAppServerRequestParams<M extends CodexAppServerRequestMethod> =
@@ -67,16 +50,11 @@ export type CodexInitializeResponse = {
  userAgent?: string;
 };

-export type CodexTextElement = {
-  byteRange: { start: number; end: number };
-  placeholder: string | null;
-};
-
 export type CodexUserInput =
  | {
      type: "text";
      text: string;
-      text_elements: CodexTextElement[];
+      text_elements?: JsonValue[];
    }
  | {
      type: "image";
@@ -103,10 +81,10 @@ export type CodexThreadStartParams = JsonObject & {
  cwd?: string;
  model?: string;
  modelProvider?: string | null;
-  personality?: CodexPersonality | null;
-  approvalPolicy?: CodexApprovalPolicy | null;
-  approvalsReviewer?: CodexApprovalsReviewer | null;
-  sandbox?: CodexSandboxMode | null;
+  personality?: string | null;
+  approvalPolicy?: string | JsonObject;
+  approvalsReviewer?: string | null;
+  sandbox?: string;
  serviceTier?: CodexServiceTier | null;
  dynamicTools?: CodexDynamicToolSpec[] | null;
  developerInstructions?: string;
@@ -120,10 +98,10 @@ export type CodexThreadResumeParams = JsonObject & {
  threadId: string;
  model?: string;
  modelProvider?: string | null;
-  personality?: CodexPersonality | null;
-  approvalPolicy?: CodexApprovalPolicy | null;
-  approvalsReviewer?: CodexApprovalsReviewer | null;
-  sandbox?: CodexSandboxMode | null;
+  personality?: string | null;
+  approvalPolicy?: string | JsonObject;
+  approvalsReviewer?: string | null;
+  sandbox?: string;
  serviceTier?: CodexServiceTier | null;
  config?: JsonObject;
  developerInstructions?: string;
@@ -141,7 +119,7 @@ export type CodexThreadForkParams = CodexThreadStartParams & {
  threadId: string;
  baseInstructions?: string;
  ephemeral?: boolean;
-  threadSource?: "user" | "subagent" | "memory_consolidation" | null;
+  threadSource?: string | JsonObject;
  excludeTurns?: boolean;
 };

@@ -169,37 +147,25 @@ export type CodexTurnInterruptParams = JsonObject & {

 export type CodexTurnStartParams = JsonObject & {
  threadId: string;
-  input: CodexUserInput[];
+  input?: CodexUserInput[];
  cwd?: string;
  model?: string;
-  approvalPolicy?: CodexApprovalPolicy | null;
-  approvalsReviewer?: CodexApprovalsReviewer | null;
+  approvalPolicy?: string | JsonObject;
+  approvalsReviewer?: string | null;
  sandboxPolicy?: CodexSandboxPolicy;
  serviceTier?: CodexServiceTier | null;
  effort?: string | null;
-  personality?: CodexPersonality | null;
+  personality?: string | null;
  environments?: CodexTurnEnvironmentParams[] | null;
  collaborationMode?: {
-    mode: "plan" | "default";
-    settings: {
-      model: string;
-      reasoning_effort: string | null;
+    mode: string;
+    settings: JsonObject & {
      developer_instructions: string | null;
    };
  } | null;
 };

-export type CodexSandboxPolicy =
-  | { type: "dangerFullAccess" }
-  | { type: "readOnly"; networkAccess: boolean }
-  | { type: "externalSandbox"; networkAccess: "restricted" | "enabled" }
-  | {
-      type: "workspaceWrite";
-      writableRoots: string[];
-      networkAccess: boolean;
-      excludeTmpdirEnvVar: boolean;
-      excludeSlashTmp: boolean;
-    };
+export type CodexSandboxPolicy = string | JsonObject;

 export type CodexTurnStartResponse = {
  turn: CodexTurn;
@@ -207,11 +173,11 @@ export type CodexTurnStartResponse = {

 export type CodexTurn = {
  id: string;
-  threadId?: string;
+  threadId: string;
  status?: string;
-  error?: CodexErrorNotification["error"] | null;
-  startedAt?: number | null;
-  completedAt?: number | null;
+  error?: CodexErrorNotification["error"];
+  startedAt?: string | null;
+  completedAt?: string | null;
  durationMs?: number | null;
  items: CodexThreadItem[];
 };
@@ -332,7 +298,10 @@ export type CodexDynamicToolCallOutputContentItem =
 export type CodexErrorNotification = {
  error: {
    message?: string;
-    codexErrorInfo?: string | JsonObject | null;
+    codexErrorInfo?: {
+      message?: string;
+      [key: string]: unknown;
+    };
    [key: string]: unknown;
  };
  message?: string;
--- a/extensions/codex/src/app-server/run-attempt-test-harness.ts
+++ b/extensions/codex/src/app-server/run-attempt-test-harness.ts
@@ -10,6 +10,7 @@ import {
 } from "openclaw/plugin-sdk/agent-harness-runtime";
 import { resetDiagnosticEventsForTest } from "openclaw/plugin-sdk/diagnostic-runtime";
 import { clearInternalHooks, resetGlobalHookRunner } from "openclaw/plugin-sdk/hook-runtime";
+import { clearMemoryPluginState } from "openclaw/plugin-sdk/memory-core-host-runtime-core";
 import { clearPluginCommands } from "openclaw/plugin-sdk/plugin-runtime";
 import { resolvePreferredOpenClawTmpDir } from "openclaw/plugin-sdk/temp-path";
 import { afterEach, beforeEach, expect, vi } from "vitest";
@@ -495,6 +496,7 @@ export function setupRunAttemptTestHooks(): void {
  beforeEach(async () => {
    vi.useRealTimers();
    clearInternalHooks();
+    clearMemoryPluginState();
    resetAgentEventsForTest();
    resetDiagnosticEventsForTest();
    vi.stubEnv("OPENCLAW_TRAJECTORY", "0");
@@ -512,6 +514,7 @@ export function setupRunAttemptTestHooks(): void {
    testing.clearPendingCodexNativeHookRelayUnregistersForTests();
    resetCodexRateLimitCacheForTests();
    nativeHookRelayTesting.clearNativeHookRelaysForTests();
+    clearMemoryPluginState();
    clearPluginCommands();
    resetAgentEventsForTest();
    resetDiagnosticEventsForTest();
--- a/extensions/codex/src/app-server/run-attempt.test.ts
+++ b/extensions/codex/src/app-server/run-attempt.test.ts
@@ -12,6 +12,7 @@ import {
  type DiagnosticEventPayload,
 } from "openclaw/plugin-sdk/diagnostic-runtime";
 import { initializeGlobalHookRunner, registerInternalHook } from "openclaw/plugin-sdk/hook-runtime";
+import { registerMemoryCapability } from "openclaw/plugin-sdk/memory-core-host-runtime-core";
 import { registerPluginCommand } from "openclaw/plugin-sdk/plugin-runtime";
 import { createMockPluginRegistry } from "openclaw/plugin-sdk/plugin-test-runtime";
 import { describe, expect, it, vi } from "vitest";
@@ -397,6 +398,37 @@ function createRuntimeDynamicTool(name: string): RuntimeDynamicToolForTest {
  };
 }

+function registerMemoryPromptForTest() {
+  registerMemoryCapability("memory-core", {
+    promptBuilder({ availableTools }) {
+      const hasMemorySearch = availableTools.has("memory_search");
+      const hasMemoryGet = availableTools.has("memory_get");
+      if (hasMemorySearch && hasMemoryGet) {
+        return [
+          "## Memory Recall",
+          "Test recall: run memory_search on MEMORY.md + memory/*.md + indexed session transcripts; then use memory_get.",
+          "",
+        ];
+      }
+      if (hasMemorySearch) {
+        return [
+          "## Memory Recall",
+          "Test recall: run memory_search on MEMORY.md + memory/*.md + indexed session transcripts.",
+          "",
+        ];
+      }
+      if (hasMemoryGet) {
+        return [
+          "## Memory Recall",
+          "Test recall: run memory_get for a specific memory file or note.",
+          "",
+        ];
+      }
+      return [];
+    },
+  });
+}
+
 function buildEmptyCodexToolTelemetry(): CodexAppServerToolTelemetry {
  return {
    didSendViaMessagingTool: false,
@@ -2203,6 +2235,7 @@ describe("runCodexAppServerAttempt", () => {
    await fs.writeFile(path.join(workspaceDir, "TOOLS.md"), toolGuidance);
    await fs.writeFile(path.join(workspaceDir, "USER.md"), userProfile);
    await fs.writeFile(path.join(workspaceDir, "MEMORY.md"), memorySummary);
+    registerMemoryPromptForTest();
    testing.setOpenClawCodingToolsFactoryForTests(() => [
      createRuntimeDynamicTool("memory_search"),
      createRuntimeDynamicTool("memory_get"),
@@ -2236,12 +2269,20 @@ describe("runCodexAppServerAttempt", () => {
    expect(collaborationInstructions).toContain(identityGuidance);
    expect(collaborationInstructions).not.toContain(toolGuidance);
    expect(collaborationInstructions).toContain(userProfile);
+    expect(collaborationInstructions).toContain("## Memory Recall");
+    expect(collaborationInstructions).toContain("MEMORY.md + memory/*.md");
    expect(collaborationInstructions).toContain("OpenClaw Workspace Memory");
    expect(collaborationInstructions).toContain(
      "MEMORY.md exists in the active agent workspace as a memory file, not an instruction file",
    );
    expect(collaborationInstructions).toContain("memory_search");
    expect(collaborationInstructions).toContain("memory_get");
+    expect(collaborationInstructions).toContain(
+      "When the memory guidance above calls for memory recall, use an already-loaded memory tool directly.",
+    );
+    expect(collaborationInstructions).toContain(
+      "If the needed memory tool is deferred and not currently callable, use `tool_search` to load it, then call that memory tool.",
+    );
    expect(collaborationInstructions).not.toContain(memorySummary);
    expect(inputText).not.toContain("OpenClaw runtime context for this turn:");
    expect(inputText).not.toContain("does not override Codex system/developer instructions");
@@ -2297,6 +2338,65 @@ describe("runCodexAppServerAttempt", () => {
    });
  });

+  it("adds memory recall guidance when dated memory notes exist without root MEMORY.md", async () => {
+    const sessionFile = path.join(tempDir, "session.jsonl");
+    const workspaceDir = path.join(tempDir, "workspace");
+    const datedMemory = "User avoids Chase cards while over 5/24.";
+    await fs.mkdir(path.join(workspaceDir, "memory"), { recursive: true });
+    await fs.writeFile(path.join(workspaceDir, "memory/2026-06-09.md"), datedMemory);
+    registerMemoryPromptForTest();
+    testing.setOpenClawCodingToolsFactoryForTests(() => [
+      createRuntimeDynamicTool("memory_search"),
+      createRuntimeDynamicTool("memory_get"),
+    ]);
+    const params = createParams(sessionFile, workspaceDir);
+    params.disableTools = false;
+    params.runtimePlan = createCodexRuntimePlanFixture();
+    setAgentWorkspaceForTest(params, workspaceDir);
+
+    const { collaborationInstructions, inputText } = await buildCodexTurnContextForTest(
+      params,
+      workspaceDir,
+    );
+
+    expect(collaborationInstructions).toContain("## Memory Recall");
+    expect(collaborationInstructions).toContain("MEMORY.md + memory/*.md");
+    expect(collaborationInstructions).toContain("memory_search");
+    expect(collaborationInstructions).toContain("memory_get");
+    expect(collaborationInstructions).not.toContain("OpenClaw Workspace Memory");
+    expect(collaborationInstructions).not.toContain(datedMemory);
+    expect(inputText).toBe("hello");
+    expect(inputText).not.toContain(datedMemory);
+  });
+
+  it("does not synthesize memory recall guidance without a registered memory prompt builder", async () => {
+    const sessionFile = path.join(tempDir, "session.jsonl");
+    const workspaceDir = path.join(tempDir, "workspace");
+    const memorySummary = "User avoids Chase cards while over 5/24.";
+    await fs.mkdir(workspaceDir, { recursive: true });
+    await fs.writeFile(path.join(workspaceDir, "MEMORY.md"), memorySummary);
+    testing.setOpenClawCodingToolsFactoryForTests(() => [
+      createRuntimeDynamicTool("memory_search"),
+      createRuntimeDynamicTool("memory_get"),
+    ]);
+    const params = createParams(sessionFile, workspaceDir);
+    params.disableTools = false;
+    params.runtimePlan = createCodexRuntimePlanFixture();
+    setAgentWorkspaceForTest(params, workspaceDir);
+
+    const { collaborationInstructions, inputText } = await buildCodexTurnContextForTest(
+      params,
+      workspaceDir,
+    );
+
+    expect(collaborationInstructions).not.toContain("## Memory Recall");
+    expect(collaborationInstructions).toContain("OpenClaw Workspace Memory");
+    expect(collaborationInstructions).not.toContain("Use `tool_search` first");
+    expect(collaborationInstructions).not.toContain(memorySummary);
+    expect(inputText).toBe("hello");
+    expect(inputText).not.toContain(memorySummary);
+  });
+
  it("sends workspace bootstrap instructions through Codex app-server payloads", async () => {
    const sessionFile = path.join(tempDir, "session.jsonl");
    const workspaceDir = path.join(tempDir, "workspace");
@@ -2405,6 +2505,7 @@ describe("runCodexAppServerAttempt", () => {
    const memorySummary = "Memory summary goes here.";
    await fs.mkdir(workspaceDir, { recursive: true });
    await fs.writeFile(path.join(workspaceDir, "MEMORY.md"), memorySummary);
+    registerMemoryPromptForTest();
    testing.setOpenClawCodingToolsFactoryForTests(() => [createRuntimeDynamicTool("memory_get")]);
    const params = createParams(sessionFile, workspaceDir);
    params.disableTools = false;
@@ -2417,6 +2518,7 @@ describe("runCodexAppServerAttempt", () => {
    expect(inputText).not.toContain("memory_get");
    expect(inputText).not.toContain("memory_search");
    expect(inputText).not.toContain(memorySummary);
+    expect(collaborationInstructions).toContain("## Memory Recall");
    expect(collaborationInstructions).toContain("OpenClaw Workspace Memory");
    expect(collaborationInstructions).toContain("memory_get");
    expect(collaborationInstructions).not.toContain("memory_search");
@@ -2595,6 +2697,7 @@ describe("runCodexAppServerAttempt", () => {
    const memorySummary = "Memory summary goes here.";
    await fs.mkdir(workspaceDir, { recursive: true });
    await fs.writeFile(path.join(workspaceDir, "MEMORY.md"), memorySummary);
+    registerMemoryPromptForTest();
    testing.setOpenClawCodingToolsFactoryForTests(() => [
      createRuntimeDynamicTool("memory_search"),
      createRuntimeDynamicTool("memory_get"),
@@ -2604,10 +2707,10 @@ describe("runCodexAppServerAttempt", () => {
    params.runtimePlan = createCodexRuntimePlanFixture();
    setAgentWorkspaceForTest(params, path.join(tempDir, "memory-workspace"));

-    const { inputText, systemPromptReport } = await buildCodexTurnContextForTest(
-      params,
-      workspaceDir,
-    );
+    const { collaborationInstructions, inputText, systemPromptReport } =
+      await buildCodexTurnContextForTest(params, workspaceDir);
+    expect(collaborationInstructions).not.toContain("## Memory Recall");
+    expect(collaborationInstructions).not.toContain("OpenClaw Workspace Memory");
    expect(inputText).not.toContain("OpenClaw Workspace Memory");
    expect(inputText).toContain(memorySummary);

--- a/extensions/codex/src/app-server/sandbox-exec-server.test.ts
+++ b/extensions/codex/src/app-server/sandbox-exec-server.test.ts
@@ -1,6 +1,7 @@
 // Codex tests cover sandbox exec server plugin behavior.
 import { afterEach, describe, expect, it, vi } from "vitest";
 import {
+  CODEX_SANDBOX_EXEC_SERVER_MAX_INBOUND_MESSAGE_BYTES,
  closeCodexSandboxExecServersForTests,
  ensureCodexSandboxExecServerEnvironment,
  releaseCodexSandboxExecServerEnvironment,
@@ -191,6 +192,22 @@ describe("OpenClaw Codex sandbox exec-server", () => {
    socket.close();
  });

+  it("closes oversized sandbox exec-server frames before JSON-RPC parsing", async () => {
+    const sandbox = createSandboxContext({});
+    const client = createClient();
+
+    await ensureCodexSandboxExecServerEnvironment({
+      client: client as never,
+      sandbox,
+    });
+    const socket = await openSocket(execServerUrlFromClient(client));
+    const closed = waitForSocketClose(socket);
+
+    socket.send(Buffer.alloc(CODEX_SANDBOX_EXEC_SERVER_MAX_INBOUND_MESSAGE_BYTES + 1));
+
+    await expect(closed).resolves.toEqual({ code: 1009 });
+  });
+
  it("rejects unsupported arg0 overrides instead of dropping them", async () => {
    const buildExecSpec = vi.fn(async () => ({
      argv: [process.execPath, "-e", ""],
@@ -441,6 +458,26 @@ describe("OpenClaw Codex sandbox exec-server", () => {
    await expect(waitForSocketClose(socket)).resolves.toEqual({ code: 1008 });
  });

+  it("handles oversized frames from unauthorized WebSocket clients", async () => {
+    const sandbox = createSandboxContext({});
+    const client = createClient();
+    await ensureCodexSandboxExecServerEnvironment({
+      client: client as never,
+      sandbox,
+    });
+    const unauthorizedUrl = execServerUrlFromClient(client).replace(
+      /\/openclaw-[^/?#]+/u,
+      "/wrong",
+    );
+    const socket = await openSocket(unauthorizedUrl);
+    const closed = waitForSocketClose(socket);
+
+    socket.send(Buffer.alloc(CODEX_SANDBOX_EXEC_SERVER_MAX_INBOUND_MESSAGE_BYTES + 1));
+
+    const closeResult = await closed;
+    expect([1008, 1009]).toContain(closeResult.code);
+  });
+
  it("closes the exec-server when its sandbox environment is released", async () => {
    const sandbox = createSandboxContext({});
    const client = createClient();
--- a/extensions/codex/src/app-server/sandbox-exec-server.ts
+++ b/extensions/codex/src/app-server/sandbox-exec-server.ts
@@ -48,6 +48,7 @@ export type CodexSandboxExecEnvironment = {
 };

 const SANDBOX_EXEC_SERVERS = new Map<string, Promise<OpenClawExecServer>>();
+export const CODEX_SANDBOX_EXEC_SERVER_MAX_INBOUND_MESSAGE_BYTES = 100 * 1024 * 1024;

 /** Closes all cached sandbox exec-server instances for deterministic tests. */
 export async function closeCodexSandboxExecServersForTests(): Promise<void> {
@@ -193,7 +194,13 @@ function startAndRememberOpenClawExecServer(sandbox: SandboxContext): Promise<Op
 }

 async function startOpenClawExecServer(sandbox: SandboxContext): Promise<OpenClawExecServer> {
-  const server = new WebSocketServer({ host: "127.0.0.1", port: 0 });
+  const server = new WebSocketServer({
+    host: "127.0.0.1",
+    port: 0,
+    // Match ws' historical default: Codex fs/writeFile sends one base64 JSON-RPC
+    // frame, while the socket error handler below makes oversize frames nonfatal.
+    maxPayload: CODEX_SANDBOX_EXEC_SERVER_MAX_INBOUND_MESSAGE_BYTES,
+  });
  await once(server, "listening");
  const address = server.address();
  if (!address || typeof address === "string") {
@@ -212,6 +219,8 @@ async function startOpenClawExecServer(sandbox: SandboxContext): Promise<OpenCla
    server,
  };
  server.on("connection", (socket, request) => {
+    // ws emits error for maxPayload rejections before auth or JSON-RPC sees the frame.
+    socket.on("error", handleExecServerSocketError);
    if (!isAuthorizedExecServerRequest(execServer, request)) {
      socket.close(1008, "unauthorized");
      return;
@@ -286,6 +295,10 @@ function handleConnection(execServer: OpenClawExecServer, socket: WebSocket): vo
  });
 }

+function handleExecServerSocketError(error: unknown): void {
+  embeddedAgentLog.debug("codex sandbox exec-server websocket failed", { error });
+}
+
 async function handleMessage(
  execServer: OpenClawExecServer,
  processes: Map<string, ManagedProcess>,
--- a/extensions/diagnostics-otel/src/service.test.ts
+++ b/extensions/diagnostics-otel/src/service.test.ts
@@ -171,6 +171,7 @@ import {
  type DiagnosticEventPrivateData,
 } from "openclaw/plugin-sdk/diagnostic-runtime";
 import {
+  emitDiagnosticEventWithTrustedTraceContext,
  emitInternalDiagnosticEventForTest,
  logMessageDispatchStarted,
  logMessageProcessed,
@@ -362,7 +363,11 @@ function histogramCreateOptions(name: string) {

 async function emitAndCaptureLog(
  event: Omit<Extract<Parameters<typeof emitDiagnosticEvent>[0], { type: "log.record" }>, "type">,
-  options: { captureContent?: OtelContextFlags["captureContent"]; trusted?: boolean } = {},
+  options: {
+    captureContent?: OtelContextFlags["captureContent"];
+    trusted?: boolean;
+    trustedTraceContext?: boolean;
+  } = {},
 ) {
  const service = createDiagnosticsOtelService();
  const ctx = createOtelContext(OTEL_TEST_ENDPOINT, {
@@ -370,7 +375,11 @@ async function emitAndCaptureLog(
    ...(options.captureContent !== undefined ? { captureContent: options.captureContent } : {}),
  });
  await service.start(ctx);
-  const emit = options.trusted ? emitTrustedDiagnosticEvent : emitDiagnosticEvent;
+  const emit = options.trusted
+    ? emitTrustedDiagnosticEvent
+    : options.trustedTraceContext
+      ? emitDiagnosticEventWithTrustedTraceContext
+      : emitDiagnosticEvent;
  emit({
    type: "log.record",
    ...event,
@@ -1391,6 +1400,28 @@ describe("diagnostics-otel service", () => {
    expect(emitCall?.context).toBeUndefined();
  });

+  test("attaches trace-only trusted context to exported logs", async () => {
+    const emitCall = await emitAndCaptureLog(
+      {
+        level: "INFO",
+        message: "traceable log",
+        trace: {
+          traceId: TRACE_ID,
+          spanId: SPAN_ID,
+          traceFlags: "01",
+        },
+      },
+      { trustedTraceContext: true },
+    );
+
+    expect(emitCall?.body).toBe("log");
+    expect(telemetryState.tracer.setSpanContext).toHaveBeenCalledTimes(1);
+    const emitContext = emitCall?.context as { spanContext?: Record<string, unknown> } | undefined;
+    const emitSpanContext = emitContext?.spanContext;
+    expect(emitSpanContext?.traceId).toBe(TRACE_ID);
+    expect(emitSpanContext?.spanId).toBe(SPAN_ID);
+  });
+
  test("attaches trusted diagnostic trace context to exported logs", async () => {
    const emitCall = await emitAndCaptureLog(
      {
--- a/extensions/diagnostics-otel/src/service.ts
+++ b/extensions/diagnostics-otel/src/service.ts
@@ -1031,7 +1031,9 @@ function contextForTrustedTraceContext(
  evt: DiagnosticEventPayload,
  metadata: DiagnosticEventMetadata,
 ) {
-  return metadata.trusted ? contextForTraceContext(evt.trace) : undefined;
+  return metadata.trusted || metadata.trustedTraceContext === true
+    ? contextForTraceContext(evt.trace)
+    : undefined;
 }

 function addTraceAttributes(
@@ -1626,7 +1628,7 @@ export function createDiagnosticsOtelService(): OpenClawPluginService {
            if (evt.code?.functionName) {
              assignOtelLogAttribute(attributes, "code.function", evt.code.functionName);
            }
-            if (metadata.trusted) {
+            if (metadata.trusted || metadata.trustedTraceContext === true) {
              addTraceAttributes(attributes, evt.trace);
            }

--- a/extensions/discord/src/actions/runtime.messaging.send.ts
+++ b/extensions/discord/src/actions/runtime.messaging.send.ts
@@ -24,6 +24,75 @@ function hasDiscordComponentObjectKeys(value: unknown): value is Record<string,
  );
 }

+function readDiscordThreadArchiveTimestamp(thread: unknown): string | undefined {
+  if (!thread || typeof thread !== "object" || Array.isArray(thread)) {
+    return undefined;
+  }
+  const record = thread as Record<string, unknown>;
+  const metadata = record.thread_metadata;
+  if (metadata && typeof metadata === "object" && !Array.isArray(metadata)) {
+    const archiveTimestamp = (metadata as Record<string, unknown>).archive_timestamp;
+    if (typeof archiveTimestamp === "string" && archiveTimestamp.trim()) {
+      return archiveTimestamp;
+    }
+  }
+  return undefined;
+}
+
+type DiscordThreadListActionResult = {
+  ok: true;
+  threads: unknown;
+  complete: boolean;
+  hasMore: boolean;
+  returnedCount: number;
+  source: "discord.threadList.archived" | "discord.threadList.active";
+  query: {
+    guildId: string;
+    channelId?: string;
+    includeArchived: boolean;
+    before?: string;
+    limit?: number;
+  };
+  nextBefore?: string;
+};
+
+function normalizeDiscordThreadListActionResult(params: {
+  value: unknown;
+  includeArchived: boolean;
+  channelId?: string;
+  guildId: string;
+  limit?: number;
+  before?: string;
+}): DiscordThreadListActionResult {
+  const record =
+    params.value && typeof params.value === "object" && !Array.isArray(params.value)
+      ? (params.value as Record<string, unknown>)
+      : undefined;
+  const threadItems = Array.isArray(record?.threads) ? record.threads : [];
+  const hasMore = record?.has_more === true;
+  const nextBefore =
+    params.includeArchived && hasMore
+      ? readDiscordThreadArchiveTimestamp(threadItems[threadItems.length - 1])
+      : undefined;
+
+  return {
+    ok: true,
+    threads: params.value,
+    complete: !hasMore,
+    hasMore,
+    returnedCount: threadItems.length,
+    source: params.includeArchived ? "discord.threadList.archived" : "discord.threadList.active",
+    query: {
+      guildId: params.guildId,
+      ...(params.channelId ? { channelId: params.channelId } : {}),
+      includeArchived: params.includeArchived,
+      ...(params.before ? { before: params.before } : {}),
+      ...(params.limit !== undefined ? { limit: params.limit } : {}),
+    },
+    ...(nextBefore ? { nextBefore } : {}),
+  };
+}
+
 async function appendDiscordThreadRenameResult(
  ctx: DiscordMessagingActionContext,
  params: {
@@ -306,7 +375,16 @@ export async function handleDiscordMessageSendAction(ctx: DiscordMessagingAction
        },
        ctx.withOpts(),
      );
-      return jsonResult({ ok: true, threads });
+      return jsonResult(
+        normalizeDiscordThreadListActionResult({
+          value: threads,
+          guildId,
+          channelId,
+          includeArchived: includeArchived === true,
+          before,
+          limit,
+        }),
+      );
    }
    case "threadReply": {
      if (!ctx.isActionEnabled("threads")) {
--- a/Show More
+++ b/Show More