docs(changelog): note beta plugin update channel fix

Summary:
- The branch moves configured-channel plugin registry loading for `openclaw message` into `runCommandWithRuntime`, adds regression coverage for preload failure exit handling, and adds a changelog fix entry for #76168.
- Reproducibility: yes. for the exit-path bug: current main calls plugin registry preload before `runCommandWi ...  the high-CPU child process in this read-only review, but the missing exit boundary is source-reproducible.

Automerge notes:
- No ClawSweeper repair was needed after automerge opt-in.

Validation:
- ClawSweeper review passed for head 95b67ea9ba.
- Required merge gates passed before the squash merge.

Prepared head SHA: 95b67ea9ba
Review: https://github.com/openclaw/openclaw/pull/76846#issuecomment-4366747104

Co-authored-by: Peter Steinberger <steipete@gmail.com>

.agents/skills/blacksmith-testbox/SKILL.md

@@ -1,391 +0,0 @@
----
-name: blacksmith-testbox
-description: Run Blacksmith Testbox for CI-parity checks, secrets, hosted services, migrations, or builds local cannot reproduce.
----
-
-# Blacksmith Testbox
-
-## Scope
-
-Use Testbox when you need remote CI parity, injected secrets, hosted services,
-or an OS/runtime image that your local machine cannot provide cheaply.
-
-Do not default to Testbox for every local test/build loop. If the repo has
-documented local commands for normal iteration, use those first so you keep
-warm caches, local build state, and fast feedback.
-
-Testbox is the expensive path. Reach for it deliberately.
-
-OpenClaw maintainers can opt into Testbox-first validation by setting
-`OPENCLAW_TESTBOX=1` in their environment or standing agent rules. This mode is
-maintainers-only and requires Blacksmith access.
-
-When `OPENCLAW_TESTBOX=1` is set in OpenClaw:
-
-- Pre-warm a Testbox early for longer, wider, or uncertain work.
-- Prefer Testbox for `pnpm` gates, e2e, package-like proof, and broad suites.
-- Reuse the same Testbox ID for every run command in the same task/session.
-- Use local commands only when the task explicitly sets
-  `OPENCLAW_LOCAL_CHECK_MODE=throttled|full`, or when the user asks for local
-  proof.
-
-## Install the CLI
-
-If `blacksmith` is not installed, install it:
-
-    curl -fsSL https://get.blacksmith.sh | sh
-
-For the canary channel (bleeding-edge):
-
-    BLACKSMITH_CHANNEL=canary sh -c 'curl -fsSL https://get.blacksmith.sh | sh'
-
-Then authenticate:
-
-    blacksmith auth login
-
-## Agent-triggered browser auth (non-interactive)
-
-When an agent needs to ensure the user is authenticated before running testbox
-commands (e.g. warmup, run), use browser-based auth with non-interactive mode.
-This opens the browser for the user to sign in; the agent does not interact with
-the browser. The org selector in the dashboard is skipped, so the user only sees
-the sign-in flow.
-
-**Required command** (`--organization` is required with `--non-interactive`):
-
-    blacksmith auth login --non-interactive --organization <org-slug>
-
-The org slug can come from `BLACKSMITH_ORG` env var or the `--org` global flag.
-If neither is set, the agent should use the project's known org (e.g. from repo
-config or user context). Example:
-
-    blacksmith auth login --non-interactive --organization acme-corp
-    blacksmith --org acme-corp auth login --non-interactive --organization acme-corp
-
-**Flow**: The CLI starts a local callback server, opens the browser to the
-dashboard auth page, and blocks for up to 2 minutes. The user completes sign-in
-and authorization in the browser. The dashboard redirects to localhost with the
-token; the CLI saves credentials and exits. The agent then proceeds.
-
-**Do not use** `--api-token` for this flow — that is for headless/token-based
-auth. This skill focuses on browser-based auth when the user prefers signing in
-via the web UI.
-
-Optional flags:
-
-- `--dashboard-url <url>` — Override dashboard URL (e.g. for staging)
-
-## Decide first: local or Testbox
-
-Before warming anything up, check the repo's own instructions.
-
-Prefer local commands when:
-
-- the repo documents a supported local test/build workflow
-- you are iterating on unit tests, lint, typecheck, formatting, or other
-  local-only validation
-- the value comes from warm local caches and fast repeat runs
-- the command does not need remote secrets, hosted services, or CI-only images
-
-Prefer Testbox when:
-
-- the repo explicitly requires CI-parity or remote validation
-- the command needs secrets, service containers, or provisioned infra
-- you are reproducing CI-only failures
-- you need the exact workflow image/job environment from GitHub Actions
-
-For OpenClaw specifically, normal local iteration stays local unless maintainer
-Testbox mode is enabled with `OPENCLAW_TESTBOX=1`:
-
-- `pnpm check:changed`
-- `pnpm test:changed`
-- `pnpm test <path-or-filter>`
-- `pnpm test:serial`
-- `pnpm build`
-
-If `OPENCLAW_TESTBOX=1` is enabled, run those same repo commands inside the
-warm Testbox. If the user wants laptop-friendly local proof for one command, use
-the explicit escape hatch `OPENCLAW_LOCAL_CHECK_MODE=throttled`.
-
-For installable-package product proof, prefer the GitHub `Package Acceptance`
-workflow over an ad hoc Testbox command. It resolves one package candidate
-(`source=npm`, `source=ref`, `source=url`, or `source=artifact`), uploads it as
-`package-under-test`, and runs the reusable Docker E2E lanes against that exact
-tarball on GitHub/Blacksmith runners. Use `workflow_ref` for the trusted
-workflow/harness code and `package_ref` for the source ref to pack when testing
-an older trusted branch, tag, or SHA.
-
-## Setup: Warmup before coding
-
-If you decided Testbox is warranted, warm one up early. This returns an ID
-instantly and boots the CI environment in the background while you work:
-
-    blacksmith testbox warmup ci-check-testbox.yml
-    # → tbx_01jkz5b3t9...
-
-Save this ID. You need it for every `run` command.
-
-For OpenClaw maintainer Testbox mode, pre-warm at the start of longer or wider
-tasks:
-
-    blacksmith testbox warmup ci-check-testbox.yml --ref main --idle-timeout 90
-
-Use the build-artifact warmup when e2e/package/build proof benefits from seeded
-`dist/`, `dist-runtime/`, and build-all caches:
-
-    blacksmith testbox warmup ci-build-artifacts-testbox.yml --ref main --idle-timeout 90
-
-Warmup dispatches a GitHub Actions workflow that provisions a VM with the
-full CI environment: dependencies installed, services started, secrets
-injected, and a clean checkout of the repo at the default branch.
-
-In OpenClaw, raw commit SHAs are not reliable dispatch refs for `warmup --ref`;
-use a branch or tag. The build-artifact workflow resolves `openclaw@beta` and
-`openclaw@latest` to SHA cache keys internally.
-
-Options:
-
-    --ref <branch|tag>     Git ref to dispatch against (default: repo's default branch)
-    --job <name>           Specific job within the workflow (if it has multiple)
-    --idle-timeout <min>   Idle timeout in minutes (default: 30)
-
-## CRITICAL: Always run from the repo root
-
-ALWAYS invoke `blacksmith testbox` commands from the **root of the git
-repository**. The CLI syncs the current working directory to the testbox
-using rsync with `--delete`. If you run from a subdirectory (e.g.
-`cd backend && blacksmith testbox run ...`), rsync will mirror only that
-subdirectory and **delete everything else** on the testbox — wiping other
-directories like `dashboard/`, `cli/`, etc.
-
-    # CORRECT — run from repo root, use paths in the command
-    blacksmith testbox run --id <ID> "cd backend && php artisan test"
-    blacksmith testbox run --id <ID> "cd dashboard && npm test"
-
-    # WRONG — do NOT cd into a subdirectory before invoking the CLI
-    cd backend && blacksmith testbox run --id <ID> "php artisan test"
-
-If your shell is in a subdirectory, `cd` back to the repo root first:
-
-    cd "$(git rev-parse --show-toplevel)"
-    blacksmith testbox run --id <ID> "cd backend && php artisan test"
-
-## Running commands
-
-    blacksmith testbox run --id <ID> "<command>"
-
-The `run` command automatically waits for the testbox to become ready if
-it is still booting, so you can call `run` immediately after warmup without
-needing to check status first.
-
-## Downloading files from a testbox
-
-Use the `download` command to retrieve files or directories from a running
-testbox to your local machine. This is useful for fetching build artifacts,
-test results, coverage reports, or any output generated on the testbox.
-
-    blacksmith testbox download --id <ID> <remote-path> [local-path]
-
-The remote path is relative to the testbox working directory (same as `run`).
-If no local path is specified, the file is saved to the current directory
-using the same base name.
-
-To download a directory, append a trailing `/` to the remote path — this
-triggers recursive mode:
-
-    # Download a single file
-    blacksmith testbox download --id <ID> coverage/report.html
-
-    # Download a file to a specific local path
-    blacksmith testbox download --id <ID> build/output.tar.gz ./output.tar.gz
-
-    # Download an entire directory
-    blacksmith testbox download --id <ID> test-results/ ./results/
-
-Options:
-
-    --ssh-private-key <path>   Path to SSH private key (if warmup used --ssh-public-key)
-
-## How file sync works
-
-Understanding this model is critical for using Testbox correctly.
-
-When you call `run`, the CLI performs a **delta sync** of your local changes
-to the remote testbox before executing your command:
-
-1. The testbox VM starts from a clean `actions/checkout` at the warmup ref.
-   The workflow's setup steps (e.g. `npm install`, `pip install`, `composer install`)
-   run during warmup and populate dependency directories on the remote VM.
-
-2. On each `run`, the CLI uses **git** to detect which files changed locally
-   since the last sync. It syncs ONLY tracked files and untracked non-ignored
-   files (i.e. files that `git ls-files` reports).
-
-3. **`.gitignore`'d directories are never synced.** This means directories
-   like `node_modules/`, `vendor/`, `.venv/`, `build/`, `dist/`, etc. are
-   NOT transferred from your local machine. The testbox uses its own copies
-   of those directories, populated during the warmup workflow steps.
-
-4. If nothing has changed since the last sync (same git commit and working
-   tree state), the sync is skipped entirely for speed.
-
-### Why this matters
-
-- **Changing dependencies**: If you modify `package.json`, `requirements.txt`,
-  `composer.json`, `go.mod`, or similar dependency manifests, the lock/manifest
-  file will be synced but the actual dependency directory will NOT. You must
-  re-run the install command on the testbox:
-
-      blacksmith testbox run --id <ID> "npm install && npm test"
-      blacksmith testbox run --id <ID> "pip install -r requirements.txt && pytest"
-      blacksmith testbox run --id <ID> "composer install && phpunit"
-
-- **Generated/build artifacts**: If your tests depend on a build step (e.g.
-  `npm run build`, `make`), and you changed source files that affect the build
-  output, re-run the build on the testbox before testing.
-
-- **New untracked files**: New files you create locally ARE synced (as long as
-  they are not gitignored). You do not need to `git add` them first.
-
-- **Deleted files**: Files you delete locally are also deleted on the remote
-  testbox. The sync model keeps the remote in lockstep with your local managed
-  file set.
-
-## CRITICAL: Do not ban local tests
-
-Do not assume local validation is forbidden. Many repos intentionally invest in
-fast, warm local loops, and forcing every run through Testbox destroys that
-advantage.
-
-Use Testbox for the checks that actually need it: remote parity, secrets,
-services, CI-only runners, or reproducibility against the workflow image.
-
-If the repo says local tests/builds are the normal path, follow the repo.
-
-OpenClaw maintainer exception: if `OPENCLAW_TESTBOX=1` is set by the user or
-agent environment, treat Testbox as the normal validation path for this repo.
-Use `OPENCLAW_LOCAL_CHECK_MODE=throttled|full` as the explicit local escape
-hatch.
-
-## When to use
-
-Use Testbox when:
-
-- running database migrations or destructive environment checks
-- running commands that depend on secrets or environment variables not present locally
-- reproducing CI-only failures or validating against the workflow image
-- validating behavior that needs provisioned services or remote runners
-- doing a final parity check before commit/push when the repo or user wants that
-
-Trim that list based on repo guidance. If the repo documents supported local
-tests/builds, prefer local for routine iteration and keep Testbox for the
-checks that need parity or remote state.
-
-## Workflow
-
-1. Decide whether the repo's local loop is the right default. For OpenClaw,
-   `OPENCLAW_TESTBOX=1` makes Testbox the maintainer default.
-2. If Testbox is warranted, warm up early:
-   `blacksmith testbox warmup ci-check-testbox.yml --ref main --idle-timeout 90` → save the ID
-3. Write code while the testbox boots in the background.
-4. Run the remote command when needed:
-   `blacksmith testbox run --id <ID> "pnpm check:changed"`
-5. If tests fail, fix code and re-run against the same warm box.
-6. If you changed dependency manifests (package.json, etc.), prepend
-   the install command: `blacksmith testbox run --id <ID> "npm install && npm test"`
-7. If a narrow PR reports a full sync or the box was reused/expired, sanity
-   check the remote copy before a slow gate:
-   `blacksmith testbox run --id <ID> "pnpm testbox:sanity"`.
-   If it reports missing root files or mass tracked deletions, stop the box and
-   warm a fresh one. Use `OPENCLAW_TESTBOX_ALLOW_MASS_DELETIONS=1` only for an
-   intentional large deletion PR.
-8. If you need artifacts (coverage reports, build outputs, etc.), download them:
-   `blacksmith testbox download --id <ID> coverage/ ./coverage/`
-9. Once green, commit and push.
-
-## OpenClaw full test suite
-
-For OpenClaw, use the repo package manager and the measured stable full-suite
-profile below. It keeps six Vitest project shards active while limiting each
-shard to one worker to avoid worker OOMs on Testbox:
-
-    blacksmith testbox run --id <ID> "env NODE_OPTIONS=--max-old-space-size=4096 OPENCLAW_TEST_PROJECTS_PARALLEL=6 OPENCLAW_VITEST_MAX_WORKERS=1 pnpm test"
-
-Observed full-suite time on Blacksmith Testbox is about 3-4 minutes:
-
-- 173-180s on a warmed box
-- 219s on a fresh 32-vCPU box
-
-When validating before commit/push in maintainer Testbox mode, run
-`pnpm check:changed` inside the warmed box first when appropriate, then the full
-suite with the profile above if broad confidence is needed.
-
-Run `pnpm testbox:sanity` inside the warmed box before the broad command when
-the sync looks suspicious. It checks that root files such as `pnpm-lock.yaml`
-still exist and fails on 200 or more tracked deletions. That catches stale or
-corrupted rsync state before dependency install or Vitest failures hide the real
-problem.
-
-## Examples
-
-    blacksmith testbox warmup ci-check-testbox.yml
-    # → tbx_01jkz5b3t9...
-
-    # Run tests
-    blacksmith testbox run --id <ID> "npm test -- --testPathPattern=handler.test"
-    blacksmith testbox run --id <ID> "go test ./pkg/api/... -run TestHandler -v"
-    blacksmith testbox run --id <ID> "python -m pytest tests/test_api.py -k test_auth"
-
-    # Re-install deps after changing package.json, then test
-    blacksmith testbox run --id <ID> "npm install && npm test"
-
-    # Build and test
-    blacksmith testbox run --id <ID> "npm run build && npm test"
-
-    # Download artifacts from the testbox
-    blacksmith testbox download --id <ID> coverage/lcov-report/ ./coverage/
-    blacksmith testbox download --id <ID> build/output.tar.gz
-
-## Waiting for the testbox to be ready
-
-The `run` command automatically waits for the testbox, so explicit waiting is
-usually unnecessary. If you do need to check readiness separately (e.g. before
-a series of runs), use the `--wait` flag. Do NOT use a sleep-and-recheck loop.
-
-Correct: block until ready with a timeout:
-
-    blacksmith testbox status --id <ID> --wait [--wait-timeout 5m]
-
-Wrong: never use sleep + status in a loop:
-
-    # BAD — do not do this
-    sleep 30 && blacksmith testbox status --id <ID>
-    while ! blacksmith testbox status --id <ID> | grep ready; do sleep 5; done
-
-`--wait` polls the status and exits as soon as the testbox is ready (or when the
-timeout is reached). Default timeout is 5m; use `--wait-timeout` for longer
-(e.g. `10m`, `1h`).
-
-## Managing testboxes
-
-    # Check status of a specific testbox
-    blacksmith testbox status --id <ID>
-
-    # List all active testboxes for the current repo
-    blacksmith testbox list
-
-    # Stop a testbox when you're done (frees resources)
-    blacksmith testbox stop --id <ID>
-
-Testboxes automatically shut down after being idle (default: 30 minutes).
-If you need a longer session, increase the timeout at warmup time. For OpenClaw
-maintainer work, use 90 minutes for long-running sessions:
-
-    blacksmith testbox warmup ci-check-testbox.yml --idle-timeout 90
-    blacksmith testbox warmup ci-build-artifacts-testbox.yml --idle-timeout 90
-
-## With options
-
-    blacksmith testbox warmup ci-check-testbox.yml --ref main
-    blacksmith testbox warmup ci-check-testbox.yml --idle-timeout 90
-    blacksmith testbox run --id <ID> "go test ./..."

.agents/skills/clawsweeper/SKILL.md

@@ -0,0 +1,339 @@
+---
+name: clawsweeper
+description: "Use for all ClawSweeper work: OpenClaw issue/PR sweep reports, commit-review reports, repair jobs, cloud fix PRs, @clawsweeper maintainer mention commands, trusted ClawSweeper-reviewed autofix/automerge, GitHub Actions monitoring, permissions, gates, and manual backfills."
+---
+
+# ClawSweeper
+
+ClawSweeper lives at `~/Projects/clawsweeper`. It is the one OpenClaw
+maintenance bot for sweeping, commit review, repair jobs, and guarded fix PRs.
+Use this skill whenever Peter asks about reports, findings, dispatch health,
+repair/cloud PR creation, comment commands, automerge, permissions, or gates.
+
+## Start
+
+```bash
+cd ~/Projects/clawsweeper
+git status --short --branch
+git pull --ff-only
+pnpm run build:all
+```
+
+Do not overwrite unrelated edits. If the tree is dirty, inspect first and keep
+read-only report work read-only unless Peter asked to commit.
+
+## One Bot, One App
+
+Use the ClawSweeper repo and the `clawsweeper` GitHub App. Use only
+`CLAWSWEEPER_*` configuration for this automation. Do not use legacy apps,
+variables, labels, or skills.
+
+Required app setup:
+
+- `CLAWSWEEPER_APP_CLIENT_ID`: public app client ID for `clawsweeper`.
+- `CLAWSWEEPER_APP_PRIVATE_KEY`: private key used only inside
+  `actions/create-github-app-token` steps.
+- Target app permissions: read target scan context; write issues and pull
+  requests; contents write for report commits, repair branches, and workflow
+  inputs; Actions write on `openclaw/clawsweeper` for comment-router
+  re-review dispatch, workflow dispatch, run cancellation, and self-heal;
+  optional Checks write for commit Check Runs.
+
+Token boundary:
+
+- Codex workers do not get mutation credentials.
+- Review workers run with stripped secret/token env.
+- Deterministic scripts own comments, labels, branch pushes, PR creation,
+  closes, and merges through short-lived GitHub App tokens.
+- Merge and write gates default closed.
+
+## Commit Reports
+
+Canonical commit reports:
+
+```text
+records/<repo-slug>/commits/<40-char-sha>.md
+```
+
+Use the lister:
+
+```bash
+pnpm commit-reports -- --since 6h
+pnpm commit-reports -- --since "24 hours ago" --findings
+pnpm commit-reports -- --since 7d --non-clean
+pnpm commit-reports -- --repo openclaw/openclaw --author steipete --since 7d
+pnpm commit-reports -- --since 24h --json
+```
+
+Results: `nothing_found`, `findings`, `inconclusive`, `failed`,
+`skipped_non_code`. One report per SHA; reruns overwrite the SHA-named report.
+
+Manual rerun/backfill:
+
+```bash
+gh workflow run commit-review.yml --repo openclaw/clawsweeper \
+  -f target_repo=openclaw/openclaw \
+  -f commit_sha=<end-sha> \
+  -f before_sha=<start-or-parent-sha> \
+  -f create_checks=false \
+  -f enabled=true
+```
+
+Use `create_checks=true` only when Peter explicitly wants target commit Check
+Runs. Add `-f additional_prompt="..."` for focused one-off review instructions.
+
+## Sweep Reports
+
+Issue/PR reports live at:
+
+```text
+records/<repo-slug>/items/<number>.md
+records/<repo-slug>/closed/<number>.md
+```
+
+Lead with counts, concrete findings, and report links. Do not post unsolicited
+GitHub comments from report-reading work. Public surfaces are markdown reports,
+durable ClawSweeper review comments, and optional checks.
+
+PR reports include Codex `/review`-style `reviewFindings` with priority,
+confidence, repository-relative file, and line range. Public PR comments show a
+short `Review findings:` list when findings exist; full review comments,
+evidence links, likely owners, and runtime details stay inside the collapsed
+`Review details` block.
+
+Useful commands:
+
+```bash
+pnpm run status
+pnpm run audit
+pnpm run reconcile
+pnpm run apply-decisions -- --dry-run
+```
+
+## Create One Repair Job
+
+Create a job from issue/PR refs and a maintainer prompt:
+
+```bash
+pnpm run repair:create-job -- \
+  --repo openclaw/openclaw \
+  --refs 123,456 \
+  --prompt-file /tmp/clawsweeper-prompt.md
+```
+
+Create from an existing ClawSweeper report:
+
+```bash
+pnpm run repair:create-job -- \
+  --from-report ../clawsweeper/records/openclaw-openclaw/items/123.md
+```
+
+The job creator checks for an existing open PR, body match, or remote
+`clawsweeper/<cluster-id>` branch before writing another job. Use `--dry-run`
+to inspect. Use `--force` only after deciding the duplicate guard is stale.
+
+Validate, commit, then dispatch:
+
+```bash
+pnpm run repair:validate-job -- jobs/openclaw/inbox/clawsweeper-openclaw-openclaw-123.md
+pnpm run repair:dispatch -- jobs/openclaw/inbox/clawsweeper-openclaw-openclaw-123.md \
+  --mode autonomous \
+  --runner blacksmith-4vcpu-ubuntu-2404 \
+  --execution-runner blacksmith-16vcpu-ubuntu-2404 \
+  --model gpt-5.5
+```
+
+Do not dispatch a just-created job before the job file is committed and pushed;
+the workflow reads the job path from GitHub.
+
+## Replacement PRs
+
+For a useful but uneditable/stale/unsafe source PR, make the maintainer prompt
+explicit:
+
+```md
+Treat #123 as useful source work. If the source branch cannot be safely updated
+because it is uneditable, stale, draft-only, unmergeable, or unsafe, create a
+narrow ClawSweeper replacement PR instead of waiting. Preserve the source PR
+author as co-author, credit the source PR in the replacement PR body, and close
+only that source PR after the replacement PR is opened.
+```
+
+The worker should emit `repair_strategy=replace_uneditable_branch` and list the
+source PR URL in `source_prs`. The deterministic executor opens or updates
+`clawsweeper/<cluster-id>`, adds non-bot source authors as `Co-authored-by`
+trailers, and closes superseded source PRs only after replacement exists.
+
+## Gates
+
+Open execution windows intentionally and close them after the run:
+
+```bash
+gh variable set CLAWSWEEPER_ALLOW_EXECUTE --repo openclaw/clawsweeper --body 1
+gh variable set CLAWSWEEPER_ALLOW_FIX_PR --repo openclaw/clawsweeper --body 1
+gh variable set CLAWSWEEPER_ALLOW_MERGE --repo openclaw/clawsweeper --body 1
+gh variable set CLAWSWEEPER_ALLOW_AUTOMERGE --repo openclaw/clawsweeper --body 1
+```
+
+Reset gates only when Peter asks; the active maintainer window may intentionally
+leave them at `1`.
+
+Important gates:
+
+- `CLAWSWEEPER_ALLOW_EXECUTE`: allows deterministic write lanes.
+- `CLAWSWEEPER_ALLOW_FIX_PR`: allows branch repair/replacement PRs.
+- `CLAWSWEEPER_ALLOW_MERGE`: allows merge-capable applicators.
+- `CLAWSWEEPER_ALLOW_AUTOMERGE`: allows comment-router automerge.
+- `CLAWSWEEPER_COMMENT_ROUTER_EXECUTE`: lets scheduled comment routing
+  post replies and dispatch repair.
+
+## Maintainer Mentions
+
+Prefer `@clawsweeper` comments for all maintainer-facing control. Slash
+commands still parse as compatibility aliases, but examples and live guidance
+should use mentions.
+
+```text
+@clawsweeper status
+@clawsweeper re-review
+@clawsweeper review
+@clawsweeper fix ci
+@clawsweeper address review
+@clawsweeper rebase
+@clawsweeper autofix
+@clawsweeper automerge
+@clawsweeper approve
+@clawsweeper explain
+@clawsweeper stop
+@clawsweeper <question or safe action request>
+@clawsweeper[bot] re-review
+@openclaw-clawsweeper fix ci
+@openclaw-clawsweeper[bot] fix ci
+```
+
+Accepted aliases: `review`, `re-review`, `rereview`, `review again`,
+`rerun review`, and `run review`. `review` and `re-review` dispatch a fresh
+ClawSweeper issue/PR review without starting repair. `fix ci`,
+`address review`, and `rebase` dispatch the
+repair worker only for ClawSweeper PRs or PRs opted into
+`clawsweeper:autofix` or `clawsweeper:automerge`. `autofix` runs the bounded
+review/fix loop without merging. `automerge` runs the bounded review/fix/merge
+loop, but draft PRs stay fix-only until GitHub marks them ready for review.
+
+Freeform maintainer mentions such as `@clawsweeper why did automerge stop?`
+or `@clawsweeper: can you explain this failure?` dispatch a read-only assist
+review with the mention text as one-off instructions. The answer lands in the
+next public ClawSweeper review comment. Action-looking prose does not directly
+mutate GitHub; it must map to existing structured recommendations and pass the
+normal deterministic gates.
+
+Default accepted maintainers: `OWNER`, `MEMBER`, `COLLABORATOR`; fallback
+repository permission accepts `admin`, `maintain`, or `write`. Contributor
+comments are ignored without a reply.
+
+Run router manually:
+
+```bash
+pnpm run repair:comment-router -- --repo openclaw/openclaw --lookback-minutes 180
+pnpm run repair:comment-router -- --repo openclaw/openclaw --execute --wait-for-capacity
+```
+
+Scheduled routing stays dry unless
+`CLAWSWEEPER_COMMENT_ROUTER_EXECUTE=1`.
+
+## Trusted Autofix And Automerge
+
+`@clawsweeper autofix` opts an existing PR into the bounded review/fix loop.
+`@clawsweeper automerge` opts an existing PR into the bounded review/fix/merge
+loop. The router:
+
+- verifies maintainer authorization;
+- labels the PR `clawsweeper:autofix` or `clawsweeper:automerge`;
+- dispatches ClawSweeper review for the current head SHA;
+- creates or reuses a durable adopted job;
+- repairs at most the configured caps;
+- never merges autofix PRs or draft PRs;
+- merges automerge PRs only when ClawSweeper passed the exact current head,
+  checks are green, GitHub says mergeable, no human-review label is present,
+  the PR is not draft, required user-facing OpenClaw changelog entries are
+  present, and both merge gates are open.
+
+If ClawSweeper passes while merge gates are closed, it labels
+`clawsweeper:merge-ready` and comments instead of merging. `@clawsweeper stop`
+adds `clawsweeper:human-review`.
+
+When Peter asks Codex to create a PR and enable ClawSweeper automerge, do not
+leave his local OpenClaw checkout on the PR branch. After the PR is created,
+pushed, and the `@clawsweeper automerge` request is posted or otherwise
+confirmed, return the local checkout to `main` and fast-forward it when the
+working tree is clean:
+
+```bash
+git switch main
+git pull --ff-only
+```
+
+If unrelated local edits or an in-progress rebase prevent switching, report the
+blocker instead of stashing, deleting, or overwriting work.
+
+Repair caps:
+
+```bash
+CLAWSWEEPER_MAX_REPAIRS_PER_PR=10
+CLAWSWEEPER_MAX_REPAIRS_PER_HEAD=1
+```
+
+## Security Boundary
+
+Do not stage unapproved security-sensitive work for ClawSweeper Repair. Route
+vulnerability reports, CVE/GHSA/advisory work, leaked secrets/tokens/keys,
+plaintext secret storage, SSRF, XSS, CSRF, RCE, auth bypass, privilege
+escalation, and sensitive data exposure to central OpenClaw security handling.
+
+For PRs explicitly opted into `clawsweeper:autofix` or
+`clawsweeper:automerge`, security-sensitive review findings may dispatch
+bounded repair, but merge remains blocked until a later exact-head review is
+clean and the normal merge gates pass. Trust deterministic ClawSweeper security
+markers, labels, and job frontmatter; do not infer security handling from vague
+prose.
+
+## Monitoring
+
+Receiver workflows:
+
+```bash
+gh run list --repo openclaw/clawsweeper --workflow "ClawSweeper Commit Review" \
+  --limit 12 --json databaseId,displayTitle,event,status,conclusion,createdAt,updatedAt,url
+gh run list --repo openclaw/clawsweeper --workflow "repair cluster worker" \
+  --limit 12 --json databaseId,displayTitle,event,status,conclusion,createdAt,updatedAt,url
+gh run list --repo openclaw/clawsweeper --workflow "repair comment router" \
+  --limit 12 --json databaseId,displayTitle,event,status,conclusion,createdAt,updatedAt,url
+```
+
+Target dispatcher:
+
+```bash
+gh run list --repo openclaw/openclaw --workflow "ClawSweeper Dispatch" \
+  --event push --limit 8 --json databaseId,displayTitle,event,status,conclusion,headSha,url
+```
+
+Target commit check:
+
+```bash
+gh api "repos/openclaw/openclaw/commits/<sha>/check-runs?per_page=100" \
+  --jq '.check_runs[] | select(.name=="ClawSweeper Commit Review") | [.status,.conclusion,.details_url] | @tsv'
+```
+
+## Reading Output
+
+For findings or failures, summarize:
+
+- target repo, item/PR/commit, run, report path
+- result, confidence, severity, and exact blocker
+- affected files or cluster refs
+- validation commands and whether they passed
+- whether mutation gates were open or closed
+- next deterministic action
+
+Keep the broom small: one cluster, one branch, one PR, narrow proof, clear
+owner-visible evidence.

.agents/skills/clawsweeper/agents/openai.yaml

@@ -0,0 +1,4 @@
+interface:
+  display_name: "ClawSweeper"
+  short_description: "Inspect ClawSweeper commit review reports and Actions runs."
+  default_prompt: "Review recent ClawSweeper commit reports and summarize findings."

.agents/skills/crabbox/SKILL.md

@@ -0,0 +1,283 @@
+---
+name: crabbox
+description: Use Crabbox for OpenClaw remote Linux validation. Default to Blacksmith Testbox; includes direct Blacksmith and owned AWS/Hetzner fallback notes when Crabbox fails.
+---
+
+# Crabbox
+
+Use Crabbox when OpenClaw needs remote Linux proof for broad tests, CI-parity
+checks, secrets, hosted services, Docker/E2E/package lanes, warmed reusable
+boxes, sync timing, logs/results, cache inspection, or lease cleanup.
+
+Default backend: `blacksmith-testbox`. The separate `blacksmith-testbox` skill
+has been removed; this skill owns both the normal Crabbox path and the direct
+Blacksmith fallback playbook.
+
+## First Checks
+
+- Run from the repo root. Crabbox sync mirrors the current checkout.
+- Check the wrapper and providers before remote work:
+
+```sh
+command -v crabbox
+../crabbox/bin/crabbox --version
+pnpm crabbox:run -- --help | sed -n '1,120p'
+```
+
+- OpenClaw scripts prefer `../crabbox/bin/crabbox` when present. The user PATH
+  shim can be stale.
+- Check `.crabbox.yaml` for repo defaults, but override provider explicitly.
+  Even if config still says AWS, maintainer validation should normally pass
+  `--provider blacksmith-testbox`.
+- Prefer local targeted tests for tight edit loops. Broad gates belong remote.
+
+## Default Blacksmith Backend
+
+Use this for `pnpm check`, `pnpm check:changed`, `pnpm test`,
+`pnpm test:changed`, Docker/E2E/live/package gates, or anything likely to fan
+out across many Vitest projects.
+
+Changed gate:
+
+```sh
+pnpm crabbox:run -- --provider blacksmith-testbox \
+  --blacksmith-org openclaw \
+  --blacksmith-workflow .github/workflows/ci-check-testbox.yml \
+  --blacksmith-job check \
+  --blacksmith-ref main \
+  --idle-timeout 90m \
+  --ttl 240m \
+  --timing-json \
+  --shell -- \
+  "env CI=1 NODE_OPTIONS=--max-old-space-size=4096 OPENCLAW_TEST_PROJECTS_PARALLEL=6 OPENCLAW_VITEST_MAX_WORKERS=1 OPENCLAW_VITEST_NO_OUTPUT_TIMEOUT_MS=900000 pnpm test:changed"
+```
+
+Full suite:
+
+```sh
+pnpm crabbox:run -- --provider blacksmith-testbox \
+  --blacksmith-org openclaw \
+  --blacksmith-workflow .github/workflows/ci-check-testbox.yml \
+  --blacksmith-job check \
+  --blacksmith-ref main \
+  --idle-timeout 90m \
+  --ttl 240m \
+  --timing-json \
+  --shell -- \
+  "env CI=1 NODE_OPTIONS=--max-old-space-size=4096 OPENCLAW_TEST_PROJECTS_PARALLEL=6 OPENCLAW_VITEST_MAX_WORKERS=1 OPENCLAW_VITEST_NO_OUTPUT_TIMEOUT_MS=900000 pnpm test"
+```
+
+Focused rerun:
+
+```sh
+pnpm crabbox:run -- --provider blacksmith-testbox \
+  --blacksmith-org openclaw \
+  --blacksmith-workflow .github/workflows/ci-check-testbox.yml \
+  --blacksmith-job check \
+  --blacksmith-ref main \
+  --idle-timeout 90m \
+  --ttl 240m \
+  --timing-json \
+  --shell -- \
+  "env CI=1 NODE_OPTIONS=--max-old-space-size=4096 OPENCLAW_VITEST_MAX_WORKERS=1 OPENCLAW_VITEST_NO_OUTPUT_TIMEOUT_MS=900000 pnpm test <path-or-filter>"
+```
+
+Read the JSON summary. Useful fields:
+
+- `provider`: should be `blacksmith-testbox`
+- `leaseId`: `tbx_...`
+- `syncDelegated`: should be `true`
+- `commandMs` / `totalMs`
+- `exitCode`
+
+Crabbox should stop one-shot Blacksmith Testboxes automatically after the run.
+Verify cleanup when a run fails, is interrupted, or the command output is
+unclear:
+
+```sh
+blacksmith testbox list
+```
+
+## Reuse And Keepalive
+
+For most Blacksmith-backed Crabbox calls, one-shot is enough. Use reuse only
+when you need multiple manual commands on the same hydrated box.
+
+If Crabbox returns a reusable id or you intentionally keep a lease:
+
+```sh
+pnpm crabbox:run -- --provider blacksmith-testbox --id <tbx_id> --no-sync --timing-json --shell -- "pnpm test <path>"
+```
+
+Stop boxes you created before handoff:
+
+```sh
+pnpm crabbox:stop -- <id-or-slug>
+blacksmith testbox stop --id <tbx_id>
+```
+
+## If Crabbox Fails
+
+Keep the fallback narrow. First decide whether the failure is Crabbox itself,
+Blacksmith/Testbox, repo hydration, sync, or the test command.
+
+Fast checks:
+
+```sh
+command -v crabbox
+../crabbox/bin/crabbox --version
+crabbox run --provider blacksmith-testbox --help | sed -n '1,140p'
+command -v blacksmith
+blacksmith --version
+blacksmith testbox list
+```
+
+Common Crabbox-only failures:
+
+- Provider missing or old CLI: use `../crabbox/bin/crabbox` from the sibling
+  repo, or update/install Crabbox before retrying.
+- Bad local config: pass `--provider blacksmith-testbox` plus explicit
+  `--blacksmith-*` flags instead of relying on `.crabbox.yaml`.
+- Slug/claim confusion: use the raw `tbx_...` id, or run one-shot without
+  `--id`.
+- Sync/timing bug: add `--debug --timing-json`; capture the final JSON and the
+  printed Actions URL.
+- Cleanup uncertainty: run `blacksmith testbox list` and stop only boxes you
+  created.
+
+If Crabbox cannot dispatch, sync, attach, or stop but Blacksmith itself works,
+use direct Blacksmith from the repo root:
+
+```sh
+blacksmith testbox warmup ci-check-testbox.yml --ref main --idle-timeout 90
+blacksmith testbox run --id <tbx_id> "env CI=1 NODE_OPTIONS=--max-old-space-size=4096 OPENCLAW_TEST_PROJECTS_PARALLEL=6 OPENCLAW_VITEST_MAX_WORKERS=1 OPENCLAW_VITEST_NO_OUTPUT_TIMEOUT_MS=900000 pnpm test:changed"
+blacksmith testbox stop --id <tbx_id>
+```
+
+Direct full suite:
+
+```sh
+blacksmith testbox run --id <tbx_id> "env CI=1 NODE_OPTIONS=--max-old-space-size=4096 OPENCLAW_TEST_PROJECTS_PARALLEL=6 OPENCLAW_VITEST_MAX_WORKERS=1 OPENCLAW_VITEST_NO_OUTPUT_TIMEOUT_MS=900000 pnpm test"
+```
+
+Auth fallback, only when `blacksmith` says auth is missing:
+
+```sh
+blacksmith auth login --non-interactive --organization openclaw
+```
+
+Raw Blacksmith footguns:
+
+- Run from repo root. The CLI syncs the current directory.
+- Save the returned `tbx_...` id in the session.
+- Reuse that id for focused reruns; stop it before handoff.
+- Raw commit SHAs are not reliable `warmup --ref` refs; use a branch or tag.
+- Treat `blacksmith testbox list` as cleanup diagnostics, not a shared reusable
+  queue.
+
+Escalate to owned AWS/Hetzner only when Blacksmith is down, quota-limited,
+missing the needed environment, or owned capacity is the explicit goal. Use the
+Owned Cloud Fallback section below.
+
+## Blacksmith Backend Notes
+
+Crabbox Blacksmith backend delegates setup to:
+
+- org: `openclaw`
+- workflow: `.github/workflows/ci-check-testbox.yml`
+- job: `check`
+- ref: `main` unless testing a branch/tag intentionally
+
+The hydration workflow owns checkout, Node/pnpm setup, dependency install,
+secrets, ready marker, and keepalive. Crabbox owns dispatch, sync, SSH command
+execution, timing, logs/results, and cleanup.
+
+Minimal direct Blacksmith fallback, from repo root:
+
+```sh
+blacksmith testbox warmup ci-check-testbox.yml --ref main --idle-timeout 90
+blacksmith testbox run --id <tbx_id> "env CI=1 NODE_OPTIONS=--max-old-space-size=4096 OPENCLAW_TEST_PROJECTS_PARALLEL=6 OPENCLAW_VITEST_MAX_WORKERS=1 pnpm test:changed"
+blacksmith testbox stop --id <tbx_id>
+```
+
+Use direct Blacksmith only when Crabbox is the broken layer and Blacksmith
+itself still works. Prefer direct `blacksmith testbox list` for cleanup
+diagnostics, not as a reusable work queue.
+
+Important Blacksmith footguns:
+
+- Always run from repo root. The CLI syncs the current directory.
+- Raw commit SHAs are not reliable `warmup --ref` refs; use a branch or tag.
+- If auth is missing and browser auth is acceptable:
+
+```sh
+blacksmith auth login --non-interactive --organization openclaw
+```
+
+## Owned Cloud Fallback
+
+Use AWS/Hetzner only when Blacksmith is down, quota-limited, missing the needed
+environment, or owned capacity is explicitly the goal.
+
+```sh
+pnpm crabbox:warmup -- --provider aws --class beast --market on-demand --idle-timeout 90m
+pnpm crabbox:hydrate -- --id <cbx_id-or-slug>
+pnpm crabbox:run -- --id <cbx_id-or-slug> --timing-json --shell -- "env NODE_OPTIONS=--max-old-space-size=4096 OPENCLAW_TEST_PROJECTS_PARALLEL=6 OPENCLAW_VITEST_MAX_WORKERS=1 OPENCLAW_VITEST_NO_OUTPUT_TIMEOUT_MS=900000 pnpm test:changed"
+pnpm crabbox:stop -- <cbx_id-or-slug>
+```
+
+Install/auth for owned Crabbox if needed:
+
+```sh
+brew install openclaw/tap/crabbox
+printf '%s' "$CRABBOX_COORDINATOR_TOKEN" | crabbox login --url https://crabbox.openclaw.ai --provider aws --token-stdin
+```
+
+macOS config lives at:
+
+```text
+~/Library/Application Support/crabbox/config.yaml
+```
+
+It should include `broker.url`, `broker.token`, and usually `provider: aws`
+for owned-cloud lanes. Do not let that config override the OpenClaw default
+when Blacksmith proof is requested; pass `--provider blacksmith-testbox`.
+
+## Diagnostics
+
+```sh
+crabbox status --id <id-or-slug> --wait
+crabbox inspect --id <id-or-slug> --json
+crabbox sync-plan
+crabbox history --lease <id-or-slug>
+crabbox logs <run_id>
+crabbox results <run_id>
+crabbox cache stats --id <id-or-slug>
+crabbox ssh --id <id-or-slug>
+blacksmith testbox list
+```
+
+Use `--debug` on `run` when measuring sync timing.
+Use `--timing-json` on warmup, hydrate, and run when comparing backends.
+Use `--market spot|on-demand` only on AWS warmup/one-shot runs.
+
+## Failure Triage
+
+- Crabbox cannot find provider: verify `../crabbox/bin/crabbox --help` lists
+  `blacksmith-testbox`; update Crabbox before falling back.
+- Hydration stuck or failed: open the printed GitHub Actions run URL and inspect
+  the hydration step.
+- Sync failed: rerun with `--debug`; check changed-file count and whether the
+  checkout is dirty.
+- Command failed: rerun only the failing shard/file first. Do not rerun a full
+  suite until the focused failure is understood.
+- Cleanup uncertain: `blacksmith testbox list`; stop owned `tbx_...` leases you
+  created.
+- Crabbox broken but Blacksmith works: use the direct Blacksmith fallback above,
+  then file/fix the Crabbox issue.
+
+## Boundary
+
+Do not add OpenClaw-specific setup to Crabbox itself. Put repo setup in the
+hydration workflow and keep Crabbox generic around lease, sync, command
+execution, logs/results, timing, and cleanup.

.agents/skills/openclaw-pr-maintainer/SKILL.md

@@ -41,6 +41,34 @@ gitcrawl cluster-detail openclaw/openclaw --id <cluster-id> --member-limit 20 --
   - `invalid`
   - `dirty` for PRs only
 
+## Select small high-confidence triage candidates
+
+When asked for `X` issues or PRs to triage, `X` means qualified candidates, not sampled threads.
+
+Triage is read/prove/patch-local by default. Do not commit unless Peter writes
+`commit` in the current instruction for the exact diff being handled. Do not
+treat earlier messages, inferred intent, "next", sweep momentum, or bundled
+publish language as commit permission. If Peter asks for follow-up work without
+saying `commit`, keep the files dirty after local fixes and proof.
+
+Only list candidates that pass all gates:
+
+- small owner/surface, with a likely narrow fix and focused regression test
+- symptom is reproducible or provable with logs, failing test, live command, dependency contract, or current-main behavior
+- root cause is traceable to code with file/line and the proposed fix touches that path
+- no strong smell that a broader refactor, ownership rethink, migration, or product decision is the better fix
+- dependency-backed behavior checked against upstream docs/source/types; live or web proof used when local proof is insufficient
+
+Loop:
+
+1. Use `gitcrawl` / `gh` to gather candidate clusters.
+2. Read issue/PR body, comments, current code, adjacent tests, and dependency contracts.
+3. Try focused repro or proof.
+4. Reject unclear, stale, speculative, broad-refactor, or owner-ambiguous items.
+5. Continue until `X` qualified candidates or the bounded search is exhausted.
+
+Output only qualifying candidates, with: ref, surface, proof, cause, fix sketch, why small, expected test/gate. If none qualify, say so; do not pad.
+
 ## Enforce the bug-fix evidence bar
 
 - Never merge a bug-fix PR based only on issue text, PR text, or AI rationale.

.agents/skills/openclaw-pre-release-plugin-testing/SKILL.md

@@ -0,0 +1,234 @@
+---
+name: openclaw-pre-release-plugin-testing
+description: Plan and run pre-release OpenClaw plugin validation across bundled plugins, package artifacts, lifecycle commands, doctor/fix, config round-trip, gateway startup, SDK compatibility, Docker E2E, Package Acceptance, and Testbox proof.
+---
+
+# OpenClaw Pre-Release Plugin Testing
+
+Use this skill when the user asks for plugin release confidence, plugin lifecycle
+sweeps, package-artifact plugin proof, or "what else should we test before
+release?" It complements `openclaw-testing`; use that skill too when choosing
+the cheapest safe runner or debugging a failing lane.
+
+## Goal
+
+Prove the plugin system as a product surface, not just as source tests:
+
+- bundled plugin lifecycle: install, inspect, enable, disable, uninstall
+- package artifact behavior from a clean `HOME`
+- doctor/fix/config validation and idempotence
+- config discovery and config round-trip
+- status/log visibility and diagnostics
+- gateway startup/bootstrap with plugin metadata snapshots
+- public SDK compatibility for real external plugins
+- live-ish provider/channel probes only when safe credentials exist
+
+## First Checks
+
+From the OpenClaw repo root:
+
+```bash
+pnpm docs:list
+git status --short --branch
+readlink node_modules
+pnpm changed:lanes --json
+```
+
+In Codex worktrees under `.codex/worktrees`, `node_modules` must be a symlink to
+the main OpenClaw checkout. Do not run `pnpm install` there. For broad or
+package-heavy proof, use Blacksmith Testbox or GitHub Actions.
+
+## Runner Choice
+
+Prefer this order:
+
+1. **GitHub Package Acceptance** for installable-package product proof.
+2. **`ci-build-artifacts-testbox.yml` Testbox** when Docker/package lanes need
+   seeded `dist`, `dist-runtime`, and package caches.
+3. **`ci-check-testbox.yml` Testbox** for source checks, targeted Vitest,
+   package-boundary checks, or focused Docker lanes.
+4. **Local targeted commands only** for small format/static/unit probes.
+
+Avoid long package Docker runs from a stale sparse worktree. If Testbox sync
+reports hundreds of changed files or starts deleting package inputs, stop and
+warm a fresh box from current `main`, or switch to Package Acceptance.
+
+## Existing Baseline
+
+Run or verify these before inventing new coverage:
+
+```bash
+OPENCLAW_TESTBOX=1 pnpm check:changed
+pnpm run test:extensions:package-boundary:canary
+pnpm run test:extensions:package-boundary:compile
+pnpm test:docker:plugins
+OPENCLAW_PLUGINS_E2E_CLAWHUB=0 pnpm test:docker:plugins
+pnpm test:docker:plugin-update
+pnpm test:docker:bundled-channel-deps:fast
+```
+
+For full bundled install/uninstall proof, shard the packaged sweep:
+
+```bash
+OPENCLAW_BUNDLED_PLUGIN_SWEEP_TOTAL=8 \
+OPENCLAW_BUNDLED_PLUGIN_SWEEP_INDEX=<0-7> \
+pnpm test:docker:bundled-plugin-install-uninstall
+```
+
+Expected current packaged scope: 116 public bundled plugins over shards `0-7`.
+Private QA plugins are source-mode only unless a package explicitly includes
+them.
+
+## Confidence Matrix
+
+Use this matrix for pre-release signoff. Record pass/fail, run URL/Testbox ID,
+package SHA/version, and skipped-live reason.
+
+| Surface | Proof | Preferred runner |
+| --- | --- | --- |
+| Package artifact | Package Acceptance `suite_profile=package` or custom lanes | GitHub Actions |
+| Bundled lifecycle | 8-shard `test:docker:bundled-plugin-install-uninstall` | Testbox or release Docker |
+| External plugins | `test:docker:plugins` and `plugins-offline` | Testbox/package acceptance |
+| Update no-op | `test:docker:plugin-update` | Testbox/package acceptance |
+| Channel runtime deps | `test:docker:bundled-channel-deps:fast` plus key channels | Testbox/package acceptance |
+| Doctor/fix | seeded bad configs + `doctor --fix --non-interactive` | new Docker/Testbox harness |
+| Config round-trip | `config set/get`, inspect, doctor, reload, diff hash | new Docker/Testbox harness |
+| Gateway bootstrap | clean `HOME`, plugin groups enabled/disabled, status JSON | new Docker/Testbox harness |
+| SDK compatibility | directory, tgz, and `file:` external plugins using SDK subpaths | `test:docker:plugins` plus new smoke |
+| Live-ish | redacted provider/channel probes only for present env | Testbox live lanes |
+
+## Package Acceptance Plan
+
+Use this when validating a release branch, beta, or candidate package:
+
+```bash
+gh workflow run package-acceptance.yml \
+  --repo openclaw/openclaw \
+  --ref main \
+  -f workflow_ref=main \
+  -f source=ref \
+  -f package_ref=<branch-or-sha> \
+  -f suite_profile=custom \
+  -f docker_lanes='plugins-offline plugin-update bundled-channel-deps-compat doctor-switch update-channel-switch config-reload mcp-channels npm-onboard-channel-agent' \
+  -f telegram_mode=mock-openai
+```
+
+Use `source=npm -f package_spec=openclaw@beta` for published beta proof. Keep
+`workflow_ref` as trusted current harness code unless the release process says
+otherwise.
+
+## New Testbox Harness Plan
+
+If more certainty is needed, add or run a `plugin-lifecycle-matrix` Docker lane
+that uses one package tarball and sharded plugin lists. Per plugin:
+
+1. Start with a clean `HOME`.
+2. Capture `plugins list --json`.
+3. `plugins install <id>`.
+4. `plugins inspect <id> --json`.
+5. `plugins disable <id>`, then assert disabled visibility.
+6. `plugins enable <id>`, except config-required plugins without config.
+7. `plugins registry --refresh`.
+8. `doctor --non-interactive`.
+9. `plugins uninstall <id> --force`.
+10. Assert no config entry, allow/deny residue, install record, managed dir, or
+    bundled `dist/extensions/...` load path remains.
+11. Assert diagnostics contain no `level: "error"` and output redacts
+    secret-looking values.
+
+Keep `memory-lancedb` special: it is config-required. First assert install does
+not enable it without embedding config, then run a second configured case.
+
+## Doctor/Fix Matrix
+
+Seed bad states and require `doctor --fix --non-interactive` to repair them,
+then run doctor again and require idempotence:
+
+- stale `plugins.allow`
+- stale `plugins.entries`
+- stale channel config for missing channel plugin
+- invalid `plugins.entries.<id>.config`
+- packaged bundled path in `plugins.load.paths`
+- legacy `plugins.installs`
+- disabled channel/plugin config that must not stage runtime deps
+- root-owned global package tree that must remain unmodified
+
+## Gateway Bootstrap Matrix
+
+Start packaged OpenClaw in Docker with clean state:
+
+- provider plugins enabled, no credentials: ready with warnings, no crash
+- channel plugins configured disabled: no runtime deps staged
+- startup-activation plugins enabled: ready and reflected in status
+- invalid single plugin config: bad plugin skipped/quarantined, others remain
+
+Assert:
+
+- gateway reaches ready
+- `openclaw status --json` includes plugin diagnostics
+- `openclaw plugins inspect --all --json` is parseable
+- package tree is not mutated
+- logs contain no raw tokens
+
+## Config Round-Trip Representatives
+
+Use representative plugin families instead of every plugin for deep config
+round-trip:
+
+- providers: `openai`, `anthropic`, `mistral`, `openrouter`
+- channels: `telegram`, `discord`, `slack`, `whatsapp`
+- memory: `memory-lancedb`
+- feature/runtime: `browser`, `acpx`, `tokenjuice`
+
+For each representative:
+
+1. Write config through CLI when possible.
+2. Read it back through `config get` or JSON.
+3. Run `plugins inspect`.
+4. Run `doctor --non-interactive`.
+5. Trigger gateway config reload if applicable.
+6. Compare config hash before/after no-op commands.
+
+## External SDK Smoke
+
+In a package Docker lane, create tiny external plugins and install them from:
+
+- local directory
+- `.tgz`
+- `file:` npm spec
+
+Cover CJS and ESM shapes, plus at least one plugin importing focused
+`openclaw/plugin-sdk/*` subpaths. Assert `plugins inspect` sees its tool,
+gateway method, CLI command, or service.
+
+## Live-Ish Probe Rules
+
+Before live-ish work, source allowed env in Testbox and generate a redacted
+availability matrix: present/missing only, never values.
+
+Only run probes for credentials that exist. Prefer auth/catalog/status probes
+over sending user-visible messages. If a probe might contact an external user,
+channel, or workspace, stop and ask the user.
+
+## Reporting
+
+Report in this shape:
+
+```text
+package/ref:
+tbx ids / run urls:
+matrix:
+  bundled lifecycle:
+  package acceptance:
+  doctor/fix:
+  gateway bootstrap:
+  config round-trip:
+  sdk external:
+  live-ish:
+failures:
+skips:
+next highest-value gap:
+```
+
+Say clearly when a failure is Testbox sync/env damage rather than product
+behavior, and prove that with a clean rerun or current-main comparison.

.agents/skills/openclaw-pre-release-plugin-testing/agents/openai.yaml

@@ -0,0 +1,4 @@
+interface:
+  display_name: "OpenClaw Plugin Pre-Release Testing"
+  short_description: "Plan plugin release validation"
+  default_prompt: "Use $openclaw-pre-release-plugin-testing to plan or run pre-release OpenClaw plugin validation across package, lifecycle, doctor, gateway, SDK, and live-ish proof."

.agents/skills/openclaw-release-maintainer/SKILL.md

@@ -41,9 +41,11 @@ Use this skill for release and publish-time workflow. Keep ordinary development
   recommended replacement can shift as plugin ownership, externalization, and
   config footprint move, so do not blindly copy stale replacement annotations
   into release notes.
-- Do not delete or rewrite beta tags after they leave the machine. If a
-  published or pushed beta needs a fix, commit the fix on the release branch and
-  increment to the next `-beta.N`.
+- Do not delete or rewrite beta tags after their matching npm package has been
+  published. If a pushed beta tag fails preflight before npm publish, delete and
+  recreate the tag and prerelease at the fixed commit so npm prerelease versions
+  stay contiguous. If a published beta needs a fix, commit the fix on the
+  release branch and increment to the next `-beta.N`.
 - For a beta release train, run the fast local preflight first, publish the
   beta to npm `beta`, then run the expensive published-package roster focused
   on install/update/Docker/Parallels/NPM Telegram. If anything fails, fix it on
@@ -367,8 +369,10 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
 - Any fix after preflight means a new commit. Delete and recreate the tag and
   matching GitHub release from the fixed commit, then rerun preflight from
   scratch before publishing.
-  Exception: never delete or recreate a beta tag that has already been pushed or
-  published; increment to the next beta number instead.
+  Exception: never delete or recreate a beta tag whose matching npm package has
+  already been published; increment to the next beta number instead. If only the
+  pushed tag/prerelease exists and npm publish has not happened, recreate that
+  same beta tag at the fixed commit.
 - For stable mac releases, generate the signed `appcast.xml` before uploading
   public release assets so the updater feed cannot lag the published binaries.
 - Serialize stable appcast-producing runs across tags so two releases do not
@@ -561,6 +565,9 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
     commit, and rerun all relevant preflights from scratch before continuing.
     Never reuse old preflight results after the commit changes. For pushed or
     published beta tags, do not delete/recreate; increment to the next beta tag.
+    For preflight-only failures where npm did not publish the beta version,
+    delete/recreate the same beta tag and prerelease at the fixed commit instead
+    of skipping a prerelease number.
 20. Start `.github/workflows/openclaw-npm-release.yml` from the same branch with
     the same tag for the real publish, choose `npm_dist_tag` (`beta` default,
     `latest` only when you intentionally want direct stable publish), keep it
@@ -573,9 +580,9 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
     for critical fixes that landed after the release branch cut; backport only
     important low-risk fixes before starting expensive lanes, or increment to
     the next beta if the fix must change the already-published package. If any
-    lane fails after the beta tag/package is pushed or published, fix,
-    commit/push/pull, increment to the next beta tag, and rerun the affected
-    beta evidence. Once the beta is live, start remote/manual rosters where they
+    lane fails after the beta package is published, fix, commit/push/pull,
+    increment to the next beta tag, and rerun the affected beta evidence. Once
+    the beta is live, start remote/manual rosters where they
     can overlap safely, but keep local Docker and Parallels load controlled.
     Ensure the full expensive roster has passed at least once before
     stable/latest promotion. The roster includes the manual Actions >

.agents/skills/openclaw-small-bugfix-sweep/SKILL.md

@@ -0,0 +1,74 @@
+---
+name: openclaw-small-bugfix-sweep
+description: Fix only small, high-certainty OpenClaw bugs from a pasted issue/PR list after deep code review.
+---
+
+# OpenClaw Small Bugfix Sweep
+
+Batch workflow for pasted OpenClaw issue/PR refs.
+Execute, do not summarize.
+Triage does not commit, push, create PRs, comment, close, label, land, or merge.
+
+## Peter Review Gate
+
+Peter always wants to review code before commits.
+After local fixes and proof, stop with the diff summary, touched files, and test/gate output.
+Do not commit unless Peter writes `commit` in the current instruction for the exact diff being handled.
+Do not treat earlier messages, inferred intent, "next", sweep momentum, or bundled publish language as commit permission.
+If Peter asks for follow-up work without saying `commit`, keep the files dirty after local fixes and proof.
+Do not push, comment, close, label, land, merge, or otherwise publish until Peter explicitly asks for that exact action after the code has been reviewed.
+If Peter asks for a bundled action like `commit push close`, first confirm the code has already been reviewed in chat; if not, stop with the dirty diff and ask for review/approval.
+
+## Companion Skills
+
+Use `$gitcrawl` first, `$openclaw-pr-maintainer` for live GitHub hygiene, `$github-deep-review` posture for source tracing, and `$openclaw-testing` for proof.
+
+## Loop
+
+For each ref:
+
+1. Read live target with `gh`.
+2. Check `gitcrawl` for related, duplicate, closed, or already-fixed threads.
+3. Read body, comments, linked refs, changed files, current code, adjacent tests, and dependency contracts when relevant.
+4. Trace the real runtime path.
+5. For issues: fix locally only if this is a bug, current code proves root cause, the implicated path is clear, and a narrow patch is cleaner than refactor.
+6. For PRs: decide `ready-to-merge`, `needs-fixup`, or `skip`; do not alter PR branches unless explicitly asked.
+7. Add focused regression proof when practical for local issue fixes or PR readiness checks.
+8. Run the smallest meaningful gate.
+9. Continue until every pasted ref is fixed or classified.
+
+No subagents unless explicitly requested.
+
+## Skip If
+
+- not a bug
+- config/docs/workflow/release/support/dependency/product work
+- repro or root cause is uncertain
+- larger refactor or owner-boundary change is cleaner
+- already fixed on current `main`
+- dependency behavior is guessed
+- no focused proof is feasible
+
+Skip with terse reason. Do not pad with low-confidence fixes.
+
+## Fix Rules
+
+- owner module first; generic seam only when required
+- existing patterns/helpers/types
+- no drive-by refactors
+- tests near failing surface
+- docs only for changed public behavior
+- no commit unless Peter writes `commit` in the current instruction
+- no push/create PR/comment/close/label/land/merge unless explicitly asked for that exact action after review
+
+## PR Rules
+
+- `ready-to-merge`: code is good, current head checked, required proof is green or clearly pending only external CI; list for maintainer merge or `@clawsweeper automerge`
+- `needs-fixup`: small bug is clear, but PR branch needs changes; list exact files/tests and wait for explicit fix/push/automerge instruction
+- `skip`: broad, stale, speculative, config/product/security/release, owner-boundary, or refactor-sized
+- if source PR is untrusted/uneditable, do not create a replacement PR during sweep
+
+## Output Shape
+
+Ledger: `fixed-local`, `ready-to-merge`, `needs-fixup`, `skipped`, `needs-human`.
+Final: issue files left on disk, PRs ready for merge/automerge, tests/gates, skip reasons.

.agents/skills/openclaw-test-heap-leaks/SKILL.md

@@ -7,6 +7,8 @@ description: Investigate OpenClaw pnpm test memory growth, Vitest OOMs, RSS spik
 
 Use this skill for test-memory investigations. Do not guess from RSS alone when heap snapshots are available. Treat snapshot-name deltas as triage evidence, not proof, until retainers or dominators support the call.
 
+For **runtime fixes** (e.g., closure leaks in long-running services like the gateway), see [Validating runtime fixes](#validating-runtime-fixes-not-test-memory) below — that uses a dedicated harness, not the test-parallel snapshot machinery.
+
 ## Workflow
 
 1. Reproduce the failing shape first.
@@ -63,6 +65,38 @@ Use this skill for test-memory investigations. Do not guess from RSS alone when
 
 Read the top positive deltas first. Large positive growth in module-transform artifacts suggests lane isolation; large positive growth in runtime objects suggests a real leak. If the names alone do not settle it, open the same snapshot pair in DevTools and inspect retainers/dominators for the top rows before declaring root cause.
 
+## Validating runtime fixes (not test-memory)
+
+The workflow above is for diagnosing Vitest worker memory growth. For
+validating that a runtime/closure fix actually releases captured state, use the
+dedicated harness:
+
+- `pnpm leak:embedded-run` — runs `scripts/embedded-run-abort-leak.ts`. Loops N
+  aborted runs in a function-shaped scope mimicking `runEmbeddedAttempt`,
+  writes heap snapshots, and reports a PASS/FAIL verdict on retention growth
+  using `FinalizationRegistry` for tracked-instance counting plus RSS delta.
+
+Modes:
+
+- `closure-extracted` (default) — production fix shape (helper at module scope).
+- `closure-inline` — pre-fix shape (closure inside the runner scope). Use as a
+  sensitivity check: if it passes you've broken the harness, not fixed a bug.
+- `synthetic-leak` — deliberately retains via a module-level bucket. Use to
+  confirm the harness can detect leaks before trusting a PASS on a real fix.
+
+Snapshots land in `.tmp/embedded-run-abort-leak/`. Diff with the same script
+as above:
+
+```
+node .agents/skills/openclaw-test-heap-leaks/scripts/heapsnapshot-delta.mjs \
+  .tmp/embedded-run-abort-leak/baseline-*.heapsnapshot \
+  .tmp/embedded-run-abort-leak/batch-N-*.heapsnapshot --top 30
+```
+
+When fixing a different runtime leak, add a new harness alongside this one
+rather than retrofitting it. The fixture function should mimic the lexical
+scope of the function where the leak lives, not be a generic abort-loop.
+
 ## Output Expectations
 
 When using this skill, report:

.agents/skills/openclaw-test-performance/SKILL.md

@@ -1,12 +1,13 @@
 ---
 name: openclaw-test-performance
-description: Benchmark, diagnose, and optimize OpenClaw test runtime, import hotspots, CPU/RSS, and slow coverage paths.
+description: Benchmark, diagnose, and optimize OpenClaw test and plugin-suite runtime, import hotspots, CPU/RSS, heap growth, and slow coverage paths.
 ---
 
 # OpenClaw Test Performance
 
-Use evidence first. The goal is real `pnpm test` speed/RSS improvement with
-coverage intact, not runner tuning by guesswork.
+Use evidence first. The goal is real `pnpm test`, plugin-suite, and
+plugin-inspector speed/RSS improvement with coverage intact, not runner tuning by
+guesswork.
 
 ## Workflow
 
@@ -21,6 +22,9 @@ coverage intact, not runner tuning by guesswork.
 2. Establish a baseline before changing code:
    - Prefer `pnpm test:perf:groups --full-suite --allow-failures --output <file>`
      for full-suite ranking.
+   - For bundled plugin breadth, run the smallest relevant `pnpm
+test:extensions:batch <plugin[,plugin...]>` or plugin-inspector command
+     before jumping to the full extension sweep.
    - For a scoped hotspot use:
      `/usr/bin/time -l pnpm test <file-or-files> --maxWorkers=1 --reporter=verbose`
    - For import-heavy suspicion add:
@@ -33,6 +37,8 @@ coverage intact, not runner tuning by guesswork.
      passed, capture that as harness/noise and verify the suspect file directly.
 4. Pick the next attack by return and risk:
    - High return: one file/test dominates seconds or RSS and has a clear root.
+   - High leverage: one plugin or SDK barrel causes every plugin-inspector or
+     extension-batch run to load broad runtime.
    - Lower risk: static descriptors, target parsing, routing, auth bypass,
      setup hints, registry fixtures, or test server lifecycle.
    - Higher risk: real memory/runtime behavior, live providers, protocol
@@ -44,6 +50,8 @@ coverage intact, not runner tuning by guesswork.
      and pure helpers over broad mocks.
    - Reuse suite-level servers/clients when a fresh handshake is irrelevant.
    - Keep schedulers/background loops off unless the test proves scheduling.
+   - In plugin paths, move static metadata into manifest/lightweight artifacts
+     and keep runtime plugin loads behind explicit execution boundaries.
 6. Preserve coverage shape:
    - Do not delete a slow integration proof unless the exact production
      composition is extracted into a named helper and tested.
@@ -57,6 +65,90 @@ coverage intact, not runner tuning by guesswork.
 9. Commit with `scripts/committer "<message>" <paths...>` and push when the
    user asked for commits/pushes. Stage only files touched for this attack.
 
+## Plugin-Suite Workflow
+
+Use this section when perf work involves bundled plugins, plugin-inspector, SDK
+barrels, package-boundary tests, or extension suites.
+
+1. Map the suite shape first:
+   - source tests: `pnpm test extensions/<id>` or `pnpm test:extensions:batch <id>`
+   - package boundaries: `pnpm run test:extensions:package-boundary:canary` and
+     `pnpm run test:extensions:package-boundary:compile`
+   - all bundled source tests: `pnpm test:extensions`
+   - plugin import memory: `pnpm test:extensions:memory -- --json .artifacts/test-perf/extensions-memory.json`
+   - plugin-inspector/report work: keep report primitives in `plugin-inspector`;
+     keep wrappers thin and collect peak RSS when the command supports it.
+2. Start narrow, then widen:
+   - one plugin changed: run that plugin's tests and plugin-inspector slice.
+   - SDK/public barrel changed: add representative provider, channel, memory,
+     and feature plugins.
+   - loader/runtime mirror changed: add package-boundary checks and build/package
+     proof as needed.
+   - unknown shared plugin behavior: run `test:extensions:batch` groups before
+     `pnpm test:extensions`.
+3. Treat plugin-inspector failures as product signals:
+   - JSON must parse.
+   - warnings/errors must be classified, not hidden.
+   - runtime capture should be quiet and config-tolerant.
+   - command output should include wall time, exit code, and peak RSS when
+     available.
+4. For broad or package-heavy plugin proof, use Blacksmith Testbox by default on
+   maintainer machines. Warm once and reuse the same box:
+   - `blacksmith testbox warmup ci-check-testbox.yml --ref main --idle-timeout 90`
+   - `blacksmith testbox run --id <ID> "OPENCLAW_TESTBOX=1 pnpm test:extensions:batch <ids>"`
+   - stop the box when done.
+5. If plugin performance is package-artifact sensitive, switch to
+   `openclaw-pre-release-plugin-testing` and Package Acceptance rather than
+   trusting source-only timing.
+
+## Metric Collection
+
+Collect at least one stable metric before and after. Prefer the same machine and
+same command. For Testbox comparisons, use the same `tbx_...` id when possible.
+
+| Metric          | Use for                            | Preferred source                                                            |
+| --------------- | ---------------------------------- | --------------------------------------------------------------------------- |
+| wall time       | user-visible suite cost            | `/usr/bin/time -l`, test wrapper duration, Testbox run time                 |
+| Vitest duration | test body/import cost              | Vitest output per file/shard                                                |
+| import duration | broad barrel/runtime loads         | `OPENCLAW_VITEST_IMPORT_DURATIONS=1`                                        |
+| max RSS         | memory pressure and OOM risk       | `/usr/bin/time -l`, `pnpm test:extensions:memory`, wrapper memory summaries |
+| CPU/user/sys    | CPU-bound vs wait-bound split      | `/usr/bin/time -l` locally, Testbox job timing when local CPU is noisy      |
+| heap snapshots  | real leak vs retained module graph | `openclaw-test-heap-leaks` workflow                                         |
+
+Local scoped command with CPU/RSS:
+
+```bash
+timeout 240 /usr/bin/time -l pnpm test <file> --maxWorkers=1 --reporter=verbose
+```
+
+Plugin import memory profile:
+
+```bash
+pnpm build
+pnpm test:extensions:memory -- --top 20 --json .artifacts/test-perf/extensions-memory.json
+```
+
+Targeted plugin import memory:
+
+```bash
+pnpm test:extensions:memory -- --extension discord --extension telegram --skip-combined
+```
+
+Heap/RSS escalation:
+
+```bash
+OPENCLAW_TEST_MEMORY_TRACE=1 \
+OPENCLAW_TEST_HEAPSNAPSHOT_INTERVAL_MS=60000 \
+OPENCLAW_TEST_HEAPSNAPSHOT_DIR=.tmp/heapsnap \
+OPENCLAW_TEST_WORKERS=2 \
+OPENCLAW_TEST_MAX_OLD_SPACE_SIZE_MB=6144 \
+pnpm test
+```
+
+Use `openclaw-test-heap-leaks` when RSS keeps growing across intervals, workers
+OOM, or the suspect command has app-object retention. Do not call RSS growth a
+leak until snapshots or retainers support it.
+
 ## Common Root Causes
 
 - Full bundled channel/plugin runtime loaded for static data.
@@ -64,6 +156,12 @@ coverage intact, not runner tuning by guesswork.
   parser would suffice.
 - Broad `api.ts`, `runtime-api.ts`, `test-api.ts`, or plugin-sdk barrels pulled
   into hot tests.
+- SDK root aliases or package barrels pulling focused subpaths back into a broad
+  plugin graph.
+- Plugin-inspector loading runtime code just to render metadata, reports, or CI
+  policy scores.
+- Bundled plugin capture reusing real config/home state instead of synthetic,
+  redacted, isolated state.
 - Partial-real mocks using `importActual()` around broad modules.
 - `vi.resetModules()` plus fresh imports in per-test loops.
 - Test plugin registry seeded in `beforeAll` while runtime state resets in
@@ -72,6 +170,10 @@ coverage intact, not runner tuning by guesswork.
 - Runtime/default model/auth selection paid by idle snapshots or fixtures.
 - Plugin-owned media/action discovery triggered before checking whether args
   contain plugin-owned fields.
+- Timings missing from `test/fixtures/test-timings.unit.json`, causing hotspot
+  files to stay in shared workers.
+- Parallel Vitest runs sharing `node_modules/.experimental-vitest-cache` without
+  distinct `OPENCLAW_VITEST_FS_MODULE_CACHE_PATH` values.
 
 ## Benchmark Commands
 
@@ -97,6 +199,25 @@ pnpm test:perf:groups --full-suite --allow-failures \
   --output .artifacts/test-perf/<name>.json
 ```
 
+Extension batch:
+
+```bash
+pnpm test:extensions:batch <plugin[,plugin...]> -- --reporter=verbose
+```
+
+All extension tests:
+
+```bash
+pnpm test:extensions
+```
+
+Package-boundary plugin checks:
+
+```bash
+pnpm run test:extensions:package-boundary:canary
+pnpm run test:extensions:package-boundary:compile
+```
+
 Reuse an existing Vitest JSON report:
 
 ```bash
@@ -107,19 +228,26 @@ pnpm test:perf:groups --report <vitest-json> \
 ## Verification
 
 - Always run the targeted test surface that proves the change.
-- Run `pnpm check` before commit unless the change is docs-only and the hook
-  handles it.
+- For source changes, run `pnpm check:changed` before push; in maintainer
+  Testbox mode run it in the warmed Testbox.
+- For test-only changes, run `pnpm test:changed` or the exact edited tests.
 - Run `pnpm build` when touching lazy-loading, bundled artifacts, package
   boundaries, dynamic imports, build output, or public surfaces.
+- For plugin SDK/barrel/runtime changes, add `pnpm plugin-sdk:api:check` or
+  `pnpm plugin-sdk:api:gen` when the API surface may drift.
+- For plugin-suite perf fixes, verify at least one representative plugin batch
+  plus the changed gate; use Package Acceptance if the bug only exists in a
+  packed artifact.
 - If deps are missing/stale, run `pnpm install` and retry the exact failed
   command once.
 - Use the report format:
 
 ```markdown
-| Metric         | Before | After |          Gain |
-| -------------- | -----: | ----: | ------------: |
-| File wall time |   `Xs` |  `Ys` |  `-Zs` (`P%`) |
-| Max RSS        |  `XMB` | `YMB` | `-ZMB` (`P%`) |
+| Metric         | Before |  After |          Gain |
+| -------------- | -----: | -----: | ------------: |
+| File wall time |   `Xs` |   `Ys` |  `-Zs` (`P%`) |
+| Max RSS        |  `XMB` |  `YMB` | `-ZMB` (`P%`) |
+| CPU user/sys   | `X/Ys` | `A/Bs` |       explain |
 ```
 
 ## Handoff
@@ -127,8 +255,12 @@ pnpm test:perf:groups --report <vitest-json> \
 Keep the final concise:
 
 - Root cause.
+- Suite/plugin scope.
 - Files changed.
-- Before/after numbers.
+- Before/after wall, Vitest/import, CPU, and RSS numbers where available.
+- Leak classification if memory was involved: real leak, retained module graph,
+  or inconclusive.
 - Coverage retained.
 - Verification commands.
+- Testbox ID or workflow URL for remote proof.
 - Commit hash and push status.

.agents/skills/openclaw-test-performance/agents/openai.yaml

@@ -1,6 +1,6 @@
 interface:
   display_name: "OpenClaw Test Performance"
-  short_description: "Benchmark and fix slow OpenClaw tests"
-  default_prompt: "Use $openclaw-test-performance to reassess the OpenClaw test benchmark, identify the next real hotspot, fix it without losing coverage, update the report, and commit scoped changes."
+  short_description: "Benchmark tests, plugin suites, CPU, RSS, and heap growth"
+  default_prompt: "Use $openclaw-test-performance to reassess OpenClaw test and plugin-suite performance, collect wall/import/CPU/RSS metrics, investigate memory growth when needed, fix the next real hotspot without losing coverage, update the report, and commit scoped changes."
 policy:
   allow_implicit_invocation: false

.agents/skills/openclaw-testing/SKILL.md

@@ -36,6 +36,14 @@ Prove the touched surface first. Do not reflexively run the whole suite.
 - Prefer GitHub Actions for release/Docker proof when the workflow already has the prepared image and secrets.
 - Use `scripts/committer "<msg>" <paths...>` when committing; stage only your files.
 - If deps are missing, run `pnpm install`, retry once, then report the first actionable error.
+- For Blacksmith Testbox proof, reuse only an id warmed and claimed in this
+  operator session. `blacksmith testbox list` is diagnostics only; a listed id
+  can have a local key and still carry stale rsync state from another lane.
+  After warmup, run `pnpm testbox:claim --id <id>`, then prefer
+  `pnpm testbox:run --id <id> -- "<command>"` for OpenClaw gates so stale
+  org-visible ids fail fast before syncing. Claims older than 12 hours are
+  stale unless `OPENCLAW_TESTBOX_CLAIM_TTL_MINUTES` is explicitly set for long
+  work.
 
 ## Local Test Shortcuts
 
@@ -111,7 +119,10 @@ rerun after a focused patch.
 the manual "everything before release" umbrella. It resolves a target ref, then
 dispatches:
 
-- manual `CI` for the full normal CI graph
+- manual `CI` for the full normal CI graph, with Android enabled via
+  `include_android=true`
+- `Plugin Prerelease` for release-only plugin static checks, extension shards,
+  the release-only `agentic-plugins` shard, and plugin product Docker lanes
 - `OpenClaw Release Checks` for install smoke, cross-OS release checks, live and
   E2E checks, Docker release-path suites, OpenWebUI, QA Lab, fast Matrix, and
   Telegram release lanes
@@ -138,13 +149,19 @@ Use `release_profile=minimum|stable|full` to control live/provider breadth:
 `minimum` keeps the fastest OpenAI/core release-critical set, `stable` adds the
 stable provider/backend set, and `full` adds the broad advisory provider/media
 matrix. Do not make `full` faster by silently dropping suites; optimize setup,
-artifact reuse, and sharding instead. The parent verifier job appends
-slowest-job tables for child runs; rerun only that verifier after a child rerun
-turns green.
+artifact reuse, and sharding instead. The parent verifier job appends a child
+overview plus slowest-job tables for child runs; rerun only that verifier after
+a child rerun turns green.
+
+Standalone manual `CI` dispatches do not run the plugin prerelease suite, the
+extension batch sweep, or the release-only `agentic-plugins` Vitest shard. Those
+lanes are intentionally reserved for the separate `Plugin Prerelease` child so
+PRs, main pushes, and ad hoc broad CI checks do not spend Docker/package time or
+all-plugin runtime time on release-only product coverage.
 
 If a full run is already active on a newer `origin/main`, prefer watching that
-run over dispatching a duplicate. If you accidentally dispatch a stale duplicate,
-cancel it and monitor the current run.
+run over dispatching a duplicate. Do not cancel release, release-check, or child
+workflow runs unless Peter explicitly asks for cancellation.
 
 The child-dispatch jobs record the child run ids. The final
 `Verify full validation` job re-queries those child runs and is the canonical
@@ -153,9 +170,15 @@ only the failed parent verifier job; do not dispatch a new full umbrella unless
 the release evidence is stale.
 
 For bounded recovery after a focused fix, pass `-f rerun_group=<group>`.
-Supported umbrella groups are `all`, `ci`, `release-checks`, `install-smoke`,
-`cross-os`, `live-e2e`, `package`, `qa`, `qa-parity`, `qa-live`, and
-`npm-telegram`. Use the narrowest group that covers the failed box.
+Supported umbrella groups are `all`, `ci`, `plugin-prerelease`,
+`release-checks`, `install-smoke`, `cross-os`, `live-e2e`, `package`, `qa`,
+`qa-parity`, `qa-live`, and `npm-telegram`. Use the narrowest group that covers
+the failed box. After a targeted release-check fix, do not restart the full
+umbrella by habit: dispatch the matching `rerun_group` and rerun only the parent
+verifier/evidence step after the child is green unless the release evidence is
+stale. For a single failed live/E2E shard, use
+`-f rerun_group=live-e2e -f live_suite_filter=<suite_id>` so the Blacksmith
+workflow only spends setup and queue time on that suite.
 
 ### Release Evidence
 
@@ -222,6 +245,20 @@ When `Full Release Validation` dispatches release checks, it passes the requeste
 branch/tag plus an `expected_sha` so branch/tag refs resolve through the fast
 remote-ref path while the package and QA jobs still validate the exact SHA.
 
+The full install-smoke child is split on purpose: one job prepares or reuses the
+target-SHA GHCR root Dockerfile smoke image, QR package install runs in its own
+job, root Dockerfile/gateway smokes pull the prepared image, and installer/Bun
+smokes pull the same image while building only their small installer images.
+If install-smoke gets slow again, first check whether the root image was reused
+or rebuilt before adding/removing coverage.
+
+The full-profile native live media shards use the prebuilt
+`ghcr.io/openclaw/openclaw-live-media-runner:ubuntu-24.04` container so
+`ffmpeg`/`ffprobe` are already present. If those jobs suddenly spend minutes in
+dependency setup again, first check the `Live Media Runner Image` workflow and
+the `Verify preinstalled live media dependencies` step before assuming the media
+tests themselves slowed down.
+
 The release Docker path intentionally shards the plugin/runtime tail. The
 workflow uses `plugins-runtime-plugins`, `plugins-runtime-services`, and
 `plugins-runtime-install-a` through `plugins-runtime-install-d`; aggregate

.crabbox.yaml

@@ -0,0 +1,41 @@
+profile: openclaw-check
+provider: aws
+class: beast
+capacity:
+  market: spot
+  strategy: most-available
+  fallback: on-demand-after-120s
+  regions:
+    - eu-west-1
+actions:
+  workflow: .github/workflows/crabbox-hydrate.yml
+  job: hydrate
+  ref: main
+  runnerLabels:
+    - crabbox
+    - openclaw
+  runnerVersion: latest
+  ephemeral: true
+aws:
+  region: eu-west-1
+  rootGB: 400
+sync:
+  delete: true
+  checksum: false
+  gitSeed: true
+  fingerprint: true
+  baseRef: main
+  exclude:
+    - .artifacts
+    - .codex
+    - .DS_Store
+    - playwright-report
+    - test-results
+env:
+  allow:
+    - CI
+    - NODE_OPTIONS
+    - OPENCLAW_*
+ssh:
+  user: crabbox
+  port: "2222"

.detect-secrets.cfg

@@ -1,45 +0,0 @@
-# detect-secrets exclusion patterns (regex)
-#
-# Note: detect-secrets does not read this file by default. If you want these
-# applied, wire them into your scan command (e.g. translate to --exclude-files
-# / --exclude-lines) or into a baseline's filters_used.
-
-[exclude-files]
-# pnpm lockfiles contain lots of high-entropy package integrity blobs.
-pattern = (^|/)pnpm-lock\.yaml$
-
-[exclude-lines]
-# Fastlane checks for private key marker; not a real key.
-pattern = key_content\.include\?\("BEGIN PRIVATE KEY"\)
-# UI label string for Anthropic auth mode.
-pattern = case \.apiKeyEnv: "API key \(env var\)"
-# CodingKeys mapping uses apiKey literal.
-pattern = case apikey = "apiKey"
-# Schema labels referencing password fields (not actual secrets).
-pattern = "gateway\.remote\.password"
-pattern = "gateway\.auth\.password"
-# Schema label for talk API key (label text only).
-pattern = "talk\.apiKey"
-# checking for typeof is not something we care about.
-pattern = === "string"
-# specific optional-chaining password check that didn't match the line above.
-pattern = typeof remote\?\.password === "string"
-# Docker apt signing key fingerprint constant; not a secret.
-pattern = OPENCLAW_DOCKER_GPG_FINGERPRINT=
-# Credential matrix metadata field in docs JSON; not a secret value.
-pattern = "secretShape": "(secret_input|sibling_ref)"
-# Docs line describing API key rotation knobs; not a credential.
-pattern = API key rotation \(provider-specific\): set `\*_API_KEYS`
-# Docs line describing remote password precedence; not a credential.
-pattern = passw[o]rd: `OPENCLAW_GATEWAY_PASSW[O]RD` -> `gateway\.auth\.passw[o]rd` -> `gateway\.remote\.passw[o]rd`
-pattern = passw[o]rd: `OPENCLAW_GATEWAY_PASSW[O]RD` -> `gateway\.remote\.passw[o]rd` -> `gateway\.auth\.passw[o]rd`
-# Test fixture starts a multiline fake private key; detector should ignore the header line.
-pattern = const key = `-----BEGIN PRIVATE KEY-----
-# Docs examples: literal placeholder API key snippets and shell heredoc helper.
-pattern = export CUSTOM_API_K[E]Y="your-key"
-pattern = grep -q 'N[O]DE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache' ~/.bashrc \|\| cat >> ~/.bashrc <<'EOF'
-pattern = env: \{ MISTRAL_API_K[E]Y: "sk-\.\.\." \},
-pattern = "ap[i]Key": "xxxxx",
-pattern = ap[i]Key: "A[I]za\.\.\.",
-# Sparkle appcast signatures are release metadata, not credentials.
-pattern = sparkle:edSignature="[A-Za-z0-9+/=]+"

.dockerignore

@@ -59,11 +59,6 @@ apps/ios/build
 
 # large app trees not needed for CLI build
 apps/
-assets/
-Peekaboo/
-Swabble/
-Core/
-Users/
 vendor/
 
 # Needed for building the Canvas A2UI bundle during Docker image builds.

.env.example

@@ -29,6 +29,12 @@ OPENCLAW_GATEWAY_TOKEN=
 # OPENCLAW_CONFIG_PATH=~/.openclaw/openclaw.json
 # OPENCLAW_HOME=~
 
+# Allowlist of extra directories that `$include` directives in openclaw.json may
+# resolve files from. Path-list separated (':' on POSIX, ';' on Windows). Each
+# entry is tilde-expanded. Without this, `$include` is confined to the directory
+# containing openclaw.json.
+# OPENCLAW_INCLUDE_ROOTS=/etc/openclaw/shared:~/.openclaw/shared
+
 # Optional: import missing keys from your login shell profile.
 # OPENCLAW_LOAD_SHELL_ENV=1
 # OPENCLAW_SHELL_ENV_TIMEOUT_MS=15000

.github/CODEOWNERS

@@ -2,50 +2,51 @@
 /.github/CODEOWNERS @steipete
 
 # WARNING: GitHub CODEOWNERS uses last-match-wins semantics.
-# If you add overlapping rules below the secops block, include @openclaw/secops
+# If you add overlapping rules below the secops block, include @openclaw/openclaw-secops
 # on those entries too or you can silently remove required secops review.
 # Security-sensitive code, config, and docs require secops review.
-/SECURITY.md @openclaw/secops
-/.github/dependabot.yml @openclaw/secops
-/.github/codeql/ @openclaw/secops
-/.github/workflows/codeql.yml @openclaw/secops
-/.github/workflows/codeql-critical-quality.yml @openclaw/secops
-/src/security/ @openclaw/secops
-/src/secrets/ @openclaw/secops
-/src/config/*secret*.ts @openclaw/secops
-/src/config/**/*secret*.ts @openclaw/secops
-/src/gateway/*auth*.ts @openclaw/secops
-/src/gateway/**/*auth*.ts @openclaw/secops
-/src/gateway/*secret*.ts @openclaw/secops
-/src/gateway/**/*secret*.ts @openclaw/secops
-/src/gateway/security-path*.ts @openclaw/secops
-/src/gateway/resolve-configured-secret-input-string*.ts @openclaw/secops
-/src/gateway/protocol/**/*secret*.ts @openclaw/secops
-/src/gateway/server-methods/secrets*.ts @openclaw/secops
-/src/agents/*auth*.ts @openclaw/secops
-/src/agents/**/*auth*.ts @openclaw/secops
-/src/agents/auth-profiles*.ts @openclaw/secops
-/src/agents/auth-health*.ts @openclaw/secops
-/src/agents/auth-profiles/ @openclaw/secops
-/src/agents/sandbox.ts @openclaw/secops
-/src/agents/sandbox-*.ts @openclaw/secops
-/src/agents/sandbox/ @openclaw/secops
-/src/infra/secret-file*.ts @openclaw/secops
-/src/cron/stagger.ts @openclaw/secops
-/src/cron/service/jobs.ts @openclaw/secops
-/docs/security/ @openclaw/secops
-/docs/gateway/authentication.md @openclaw/secops
-/docs/gateway/sandbox-vs-tool-policy-vs-elevated.md @openclaw/secops
-/docs/gateway/sandboxing.md @openclaw/secops
-/docs/gateway/secrets-plan-contract.md @openclaw/secops
-/docs/gateway/secrets.md @openclaw/secops
-/docs/gateway/security/ @openclaw/secops
-/docs/cli/approvals.md @openclaw/secops
-/docs/cli/sandbox.md @openclaw/secops
-/docs/cli/security.md @openclaw/secops
-/docs/cli/secrets.md @openclaw/secops
-/docs/reference/secretref-credential-surface.md @openclaw/secops
-/docs/reference/secretref-user-supplied-credentials-matrix.json @openclaw/secops
+/SECURITY.md @openclaw/openclaw-secops
+/.github/dependabot.yml @openclaw/openclaw-secops
+/.github/codeql/ @openclaw/openclaw-secops
+/.github/workflows/codeql.yml @openclaw/openclaw-secops
+/.github/workflows/codeql-android-critical-security.yml @openclaw/openclaw-secops
+/.github/workflows/codeql-critical-quality.yml @openclaw/openclaw-secops
+/src/security/ @openclaw/openclaw-secops
+/src/secrets/ @openclaw/openclaw-secops
+/src/config/*secret*.ts @openclaw/openclaw-secops
+/src/config/**/*secret*.ts @openclaw/openclaw-secops
+/src/gateway/*auth*.ts @openclaw/openclaw-secops
+/src/gateway/**/*auth*.ts @openclaw/openclaw-secops
+/src/gateway/*secret*.ts @openclaw/openclaw-secops
+/src/gateway/**/*secret*.ts @openclaw/openclaw-secops
+/src/gateway/security-path*.ts @openclaw/openclaw-secops
+/src/gateway/resolve-configured-secret-input-string*.ts @openclaw/openclaw-secops
+/src/gateway/protocol/**/*secret*.ts @openclaw/openclaw-secops
+/src/gateway/server-methods/secrets*.ts @openclaw/openclaw-secops
+/src/agents/*auth*.ts @openclaw/openclaw-secops
+/src/agents/**/*auth*.ts @openclaw/openclaw-secops
+/src/agents/auth-profiles*.ts @openclaw/openclaw-secops
+/src/agents/auth-health*.ts @openclaw/openclaw-secops
+/src/agents/auth-profiles/ @openclaw/openclaw-secops
+/src/agents/sandbox.ts @openclaw/openclaw-secops
+/src/agents/sandbox-*.ts @openclaw/openclaw-secops
+/src/agents/sandbox/ @openclaw/openclaw-secops
+/src/infra/secret-file*.ts @openclaw/openclaw-secops
+/src/cron/stagger.ts @openclaw/openclaw-secops
+/src/cron/service/jobs.ts @openclaw/openclaw-secops
+/docs/security/ @openclaw/openclaw-secops
+/docs/gateway/authentication.md @openclaw/openclaw-secops
+/docs/gateway/sandbox-vs-tool-policy-vs-elevated.md @openclaw/openclaw-secops
+/docs/gateway/sandboxing.md @openclaw/openclaw-secops
+/docs/gateway/secrets-plan-contract.md @openclaw/openclaw-secops
+/docs/gateway/secrets.md @openclaw/openclaw-secops
+/docs/gateway/security/ @openclaw/openclaw-secops
+/docs/cli/approvals.md @openclaw/openclaw-secops
+/docs/cli/sandbox.md @openclaw/openclaw-secops
+/docs/cli/security.md @openclaw/openclaw-secops
+/docs/cli/secrets.md @openclaw/openclaw-secops
+/docs/reference/secretref-credential-surface.md @openclaw/openclaw-secops
+/docs/reference/secretref-user-supplied-credentials-matrix.json @openclaw/openclaw-secops
 
 # Release workflow and its supporting release-path checks.
 /.github/workflows/openclaw-npm-release.yml @openclaw/openclaw-release-managers

.github/actionlint.yaml

@@ -4,6 +4,7 @@
 self-hosted-runner:
   labels:
     # Blacksmith CI runners
+    - blacksmith-4vcpu-ubuntu-2404
     - blacksmith-8vcpu-ubuntu-2404
     - blacksmith-8vcpu-windows-2025
     - blacksmith-16vcpu-ubuntu-2404

.github/actions/docker-e2e-plan/action.yml

@@ -94,6 +94,9 @@ runs:
               echo "lanes input is required for Docker E2E targeted planning." >&2
               exit 1
             fi
+            if [[ "$INCLUDE_RELEASE_PATH_SUITES" == "true" ]]; then
+              export OPENCLAW_DOCKER_ALL_PROFILE=release-path
+            fi
             export OPENCLAW_DOCKER_ALL_LANES="$LANES"
             plan_path=".artifacts/docker-tests/targeted-plan.json"
             ;;

.github/actions/setup-node-env/action.yml

@@ -47,7 +47,7 @@ runs:
       if: inputs.install-bun == 'true'
       uses: oven-sh/setup-bun@v2.2.0
       with:
-        bun-version: "1.3.9"
+        bun-version: "1.3.13"
 
     - name: Runtime versions
       shell: bash
@@ -90,9 +90,11 @@ runs:
 
         install_args=(
           install
+          --prefer-offline
           --ignore-scripts=false
           --config.engine-strict=false
           --config.enable-pre-post-scripts=true
+          --config.side-effects-cache=true
         )
         if [ -n "$LOCKFILE_FLAG" ]; then
           install_args+=("$LOCKFILE_FLAG")

.github/codeql/codeql-actions-critical-security.yml

@@ -1,5 +1,18 @@
 name: openclaw-codeql-actions-critical-security
 
+disable-default-queries: true
+
+queries:
+  - uses: security-extended
+
+query-filters:
+  - include:
+      precision:
+        - high
+        - very-high
+      tags contain: security
+      security-severity: /([7-9]|10)\.(\d)+/
+
 paths:
   - .github/actions
   - .github/workflows

.github/codeql/codeql-agent-runtime-boundary-critical-quality.yml

@@ -0,0 +1,53 @@
+name: openclaw-codeql-agent-runtime-boundary-critical-quality
+
+disable-default-queries: true
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - include:
+      problem.severity:
+        - error
+  - exclude:
+      tags:
+        - security
+
+paths:
+  - src/acp/control-plane
+  - src/agents/command
+  - src/agents/cli-runner
+  - src/agents/pi-embedded-runner
+  - src/agents/tools
+  - src/agents/*completion*.ts
+  - src/agents/*transport*.ts
+  - src/agents/model-*.ts
+  - src/agents/openclaw-tools*.ts
+  - src/agents/provider-*.ts
+  - src/agents/session*.ts
+  - src/agents/tool-call*.ts
+  - src/auto-reply/reply/agent-runner*.ts
+  - src/auto-reply/reply/commands*.ts
+  - src/auto-reply/reply/directive-handling*.ts
+  - src/auto-reply/reply/dispatch-*.ts
+  - src/auto-reply/reply/get-reply-run*.ts
+  - src/auto-reply/reply/provider-dispatcher*.ts
+  - src/auto-reply/reply/queue*.ts
+  - src/auto-reply/reply/reply-run-registry*.ts
+  - src/auto-reply/reply/session*.ts
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/codeql/codeql-channel-runtime-boundary-critical-quality.yml

@@ -0,0 +1,56 @@
+name: openclaw-codeql-channel-runtime-boundary-critical-quality
+
+disable-default-queries: true
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - include:
+      problem.severity:
+        - error
+  - exclude:
+      tags:
+        - security
+
+paths:
+  - extensions/bluebubbles/src
+  - extensions/discord/src
+  - extensions/feishu/src
+  - extensions/googlechat/src
+  - extensions/imessage/src
+  - extensions/irc/src
+  - extensions/line/src
+  - extensions/matrix/src
+  - extensions/mattermost/src
+  - extensions/msteams/src
+  - extensions/nextcloud-talk/src
+  - extensions/nostr/src
+  - extensions/qa-channel/src
+  - extensions/qqbot/src
+  - extensions/signal/src
+  - extensions/slack/src
+  - extensions/synology-chat/src
+  - extensions/telegram/src
+  - extensions/tlon/src
+  - extensions/twitch/src
+  - extensions/whatsapp/src
+  - extensions/zalo/src
+  - extensions/zalouser/src
+  - src/channels
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/codeql/codeql-channel-runtime-boundary-critical-security.yml

@@ -0,0 +1,48 @@
+name: openclaw-codeql-channel-runtime-boundary-critical-security
+
+disable-default-queries: true
+
+queries:
+  - uses: security-extended
+
+query-filters:
+  - include:
+      precision:
+        - high
+        - very-high
+      tags contain: security
+      security-severity: /([7-9]|10)\.(\d)+/
+
+paths:
+  - src/channels
+  - src/config/channel-*.ts
+  - src/config/types.channel*.ts
+  - src/gateway/server-channel*.ts
+  - src/gateway/server-methods/channels.ts
+  - src/gateway/protocol/schema/channels.ts
+  - src/infra/channel-*.ts
+  - src/infra/exec-approval-channel-runtime.ts
+  - src/infra/outbound/channel-*.ts
+  - src/plugin-sdk/channel-*.ts
+  - src/plugins/channel-*.ts
+  - src/plugins/bundled-channel-*.ts
+  - src/plugins/runtime/*channel*.ts
+  - src/secrets/channel-*.ts
+  - src/secrets/runtime-config-collectors-channels.ts
+  - src/security/audit-channel*.ts
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/codeql/codeql-config-boundary-critical-quality.yml

@@ -0,0 +1,33 @@
+name: openclaw-codeql-config-boundary-critical-quality
+
+disable-default-queries: true
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - include:
+      problem.severity:
+        - error
+  - exclude:
+      tags:
+        - security
+
+paths:
+  - src/config
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/codeql/codeql-core-auth-secrets-critical-quality.yml

@@ -1,4 +1,4 @@
-name: openclaw-codeql-javascript-typescript-critical-quality
+name: openclaw-codeql-core-auth-secrets-critical-quality
 
 disable-default-queries: true
 
@@ -22,7 +22,6 @@ paths:
   - src/agents/sandbox
   - src/agents/sandbox.ts
   - src/agents/sandbox-*.ts
-  - src/config
   - src/cron/service/jobs.ts
   - src/cron/stagger.ts
   - src/gateway/*auth*.ts

.github/codeql/codeql-core-auth-secrets-critical-security.yml

@@ -1,4 +1,4 @@
-name: openclaw-codeql-javascript-typescript-critical-security
+name: openclaw-codeql-core-auth-secrets-critical-security
 
 disable-default-queries: true
 
@@ -10,10 +10,8 @@ query-filters:
       precision:
         - high
         - very-high
-  - exclude:
-      problem.severity:
-        - recommendation
-        - warning
+      tags contain: security
+      security-severity: /([7-9]|10)\.(\d)+/
 
 paths:
   - src/agents/*auth*.ts

.github/codeql/codeql-gateway-runtime-boundary-critical-quality.yml

@@ -0,0 +1,37 @@
+name: openclaw-codeql-gateway-runtime-boundary-critical-quality
+
+disable-default-queries: true
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - include:
+      problem.severity:
+        - error
+  - exclude:
+      tags:
+        - security
+
+paths:
+  - src/gateway/method-scopes.ts
+  - src/gateway/protocol
+  - src/gateway/server-methods
+  - src/gateway/server-methods.ts
+  - src/gateway/server-methods-list.ts
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/codeql/codeql-mcp-process-runtime-boundary-critical-quality.yml

@@ -0,0 +1,35 @@
+name: openclaw-codeql-mcp-process-runtime-boundary-critical-quality
+
+disable-default-queries: true
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - include:
+      problem.severity:
+        - error
+  - exclude:
+      tags:
+        - security
+
+paths:
+  - src/mcp
+  - src/process
+  - src/infra/outbound
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/codeql/codeql-mcp-process-tool-boundary-critical-security.yml

@@ -0,0 +1,56 @@
+name: openclaw-codeql-mcp-process-tool-boundary-critical-security
+
+disable-default-queries: true
+
+queries:
+  - uses: security-extended
+
+query-filters:
+  - include:
+      precision:
+        - high
+        - very-high
+      tags contain: security
+      security-severity: /([7-9]|10)\.(\d)+/
+
+paths:
+  - src/mcp
+  - src/process
+  - src/infra/outbound
+  - src/agents/bash-tools.exec*.ts
+  - src/agents/bash-tools.process*.ts
+  - src/agents/exec-*.ts
+  - src/agents/execution-contract.ts
+  - src/agents/openclaw-plugin-tools.ts
+  - src/agents/openclaw-tools.runtime.ts
+  - src/agents/openclaw-tools.registration.ts
+  - src/agents/pi-tool-definition-adapter.ts
+  - src/agents/pi-tools.abort.ts
+  - src/agents/pi-tools.before-tool-call*.ts
+  - src/agents/pi-tools.host-edit.ts
+  - src/agents/pi-tools-parameter-schema.ts
+  - src/agents/pi-embedded-runner/effective-tool-policy.ts
+  - src/agents/pi-embedded-runner/tool-name-allowlist.ts
+  - src/agents/pi-embedded-runner/tool-schema-runtime.ts
+  - src/agents/tools/gateway-tool.ts
+  - src/agents/tools/message-tool.ts
+  - src/agents/tools/sessions-send-tool.ts
+  - src/agents/tools/sessions-spawn-tool.ts
+  - src/agents/tools/subagents-tool.ts
+  - src/agents/tools/tool-runtime.helpers.ts
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/codeql/codeql-memory-runtime-boundary-critical-quality.yml

@@ -0,0 +1,41 @@
+name: openclaw-codeql-memory-runtime-boundary-critical-quality
+
+disable-default-queries: true
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - include:
+      problem.severity:
+        - error
+  - exclude:
+      tags:
+        - security
+
+paths:
+  - packages/memory-host-sdk/src
+  - src/memory
+  - src/memory-host-sdk
+  - src/plugin-sdk/memory-*.ts
+  - src/plugin-sdk/memory-core-host-*.ts
+  - src/plugins/memory-*.ts
+  - src/gateway/server-startup-memory.ts
+  - src/commands/doctor-memory-search.ts
+  - src/commands/doctor-cron-dreaming-payload-migration.ts
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/codeql/codeql-network-ssrf-boundary-critical-security.yml

@@ -0,0 +1,41 @@
+name: openclaw-codeql-network-ssrf-boundary-critical-security
+
+disable-default-queries: true
+
+queries:
+  - uses: security-extended
+
+query-filters:
+  - include:
+      precision:
+        - high
+        - very-high
+      tags contain: security
+      security-severity: /([7-9]|10)\.(\d)+/
+
+paths:
+  - src/infra/net
+  - src/shared/net
+  - src/agents/tools/web-fetch.ts
+  - src/agents/tools/web-guarded-fetch.ts
+  - src/agents/tools/web-shared.ts
+  - src/plugin-sdk/ssrf-policy.ts
+  - src/web-fetch
+  - src/web/provider-runtime-shared.ts
+  - packages/memory-host-sdk/src/host/ssrf-policy.ts
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/codeql/codeql-plugin-boundary-critical-quality.yml

@@ -0,0 +1,75 @@
+name: openclaw-codeql-plugin-boundary-critical-quality
+
+disable-default-queries: true
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - include:
+      problem.severity:
+        - error
+  - exclude:
+      tags:
+        - security
+
+paths:
+  - src/plugins/activation-planner.ts
+  - src/plugins/api-builder.ts
+  - src/plugins/bundled-compat.ts
+  - src/plugins/bundled-dir.ts
+  - src/plugins/bundled-plugin-metadata.ts
+  - src/plugins/bundled-public-surface-runtime-root.ts
+  - src/plugins/plugin-sdk-dist-alias.ts
+  - src/plugins/captured-registration.ts
+  - src/plugins/config-activation-shared.ts
+  - src/plugins/config-contracts.ts
+  - src/plugins/config-normalization-shared.ts
+  - src/plugins/config-policy.ts
+  - src/plugins/config-schema.ts
+  - src/plugins/config-state.ts
+  - src/plugins/discovery.ts
+  - src/plugins/effective-plugin-ids.ts
+  - src/plugins/externalized-bundled-plugins.ts
+  - src/plugins/installed-plugin-index*.ts
+  - src/plugins/loader*.ts
+  - src/plugins/manifest*.ts
+  - src/plugins/module-export.ts
+  - src/plugins/package-entrypoints.ts
+  - src/plugins/plugin-registry*.ts
+  - src/plugins/provider-contract-public-artifacts.ts
+  - src/plugins/provider-public-artifacts.ts
+  - src/plugins/public-surface*.ts
+  - src/plugins/registry.ts
+  - src/plugins/registry-types.ts
+  - src/plugins/runtime
+  - src/plugins/runtime-state.ts
+  - src/plugins/runtime.ts
+  - src/plugins/sdk-alias.ts
+  - src/plugins/source-loader.ts
+  - src/plugins/types.ts
+  - src/plugins/validation-diagnostics.ts
+  - src/plugins/web-provider-public-artifacts*.ts
+  - src/plugin-sdk/*entry*.ts
+  - src/plugin-sdk/*facade*.ts
+  - src/plugin-sdk/api-baseline.ts
+  - src/plugin-sdk/config-schema.ts
+  - src/plugin-sdk/config-types.ts
+  - src/plugin-sdk/core.ts
+  - src/plugin-sdk/extension-shared.ts
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/codeql/codeql-plugin-sdk-package-contract-critical-quality.yml

@@ -0,0 +1,36 @@
+name: openclaw-codeql-plugin-sdk-package-contract-critical-quality
+
+disable-default-queries: true
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - include:
+      problem.severity:
+        - error
+  - exclude:
+      tags:
+        - security
+
+paths:
+  - packages/plugin-sdk/src
+  - packages/plugin-package-contract/src
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.spec.ts"
+  - "**/*.spec.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/codeql/codeql-plugin-sdk-reply-runtime-critical-quality.yml

@@ -0,0 +1,44 @@
+name: openclaw-codeql-plugin-sdk-reply-runtime-critical-quality
+
+disable-default-queries: true
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - include:
+      problem.severity:
+        - error
+  - exclude:
+      tags:
+        - security
+
+paths:
+  - src/plugin-sdk/inbound-envelope.ts
+  - src/plugin-sdk/inbound-reply-dispatch.ts
+  - src/plugin-sdk/reply-*.ts
+  - src/plugin-sdk/channel-reply-*.ts
+  - src/plugin-sdk/delivery-queue-runtime.ts
+  - src/plugin-sdk/outbound-runtime.ts
+  - src/plugin-sdk/outbound-send-deps.ts
+  - src/plugin-sdk/model-session-runtime.ts
+  - src/plugin-sdk/session-*.ts
+  - src/plugin-sdk/thread-bindings-runtime.ts
+  - src/plugin-sdk/thread-bindings-session-runtime.ts
+  - src/plugin-sdk/conversation-binding-runtime.ts
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/codeql/codeql-plugin-trust-boundary-critical-security.yml

@@ -0,0 +1,86 @@
+name: openclaw-codeql-plugin-trust-boundary-critical-security
+
+disable-default-queries: true
+
+queries:
+  - uses: security-extended
+
+query-filters:
+  - include:
+      precision:
+        - high
+        - very-high
+      tags contain: security
+      security-severity: /([7-9]|10)\.(\d)+/
+
+paths:
+  - src/cli/plugin-install-config-policy.ts
+  - src/cli/plugin-registry-loader.ts
+  - src/cli/plugins-command-helpers.ts
+  - src/cli/plugins-install-command.ts
+  - src/cli/plugins-install-record-commit.ts
+  - src/plugins/activation-planner.ts
+  - src/plugins/bundle-manifest.ts
+  - src/plugins/bundled-compat.ts
+  - src/plugins/bundled-dir.ts
+  - src/plugins/bundled-plugin-metadata.ts
+  - src/plugins/bundled-plugin-scan.ts
+  - src/plugins/plugin-sdk-dist-alias.ts
+  - src/plugins/cli-registry-loader.ts
+  - src/plugins/config-activation-shared.ts
+  - src/plugins/config-contracts.ts
+  - src/plugins/config-policy.ts
+  - src/plugins/config-schema.ts
+  - src/plugins/dependency-denylist.ts
+  - src/plugins/discovery.ts
+  - src/plugins/effective-plugin-ids.ts
+  - src/plugins/externalized-bundled-plugins.ts
+  - src/plugins/install.runtime.ts
+  - src/plugins/install-source-info.ts
+  - src/plugins/installed-plugin-index*.ts
+  - src/plugins/loader*.ts
+  - src/plugins/manifest*.ts
+  - src/plugins/marketplace.ts
+  - src/plugins/module-export.ts
+  - src/plugins/package-entrypoints.ts
+  - src/plugins/plugin-config-trust.ts
+  - src/plugins/plugin-origin.types.ts
+  - src/plugins/plugin-registry*.ts
+  - src/plugins/public-surface*.ts
+  - src/plugins/registry*.ts
+  - src/plugins/runtime
+  - src/plugins/runtime-state.ts
+  - src/plugins/runtime.ts
+  - src/plugins/source-loader.ts
+  - src/plugins/update.ts
+  - src/plugins/validation-diagnostics.ts
+  - src/plugin-sdk/*entry*.ts
+  - src/plugin-sdk/*facade*.ts
+  - src/plugin-sdk/api-baseline.ts
+  - src/plugin-sdk/config-schema.ts
+  - src/plugin-sdk/config-types.ts
+  - src/plugin-sdk/core.ts
+  - src/plugin-sdk/extension-shared.ts
+  - packages/plugin-package-contract/src
+  - packages/plugin-sdk/src/plugin-entry.ts
+  - packages/plugin-sdk/src/plugin-runtime.ts
+  - packages/plugin-sdk/src/runtime-env.ts
+  - packages/plugin-sdk/src/security-runtime.ts
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.spec.ts"
+  - "**/*.spec.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/codeql/codeql-provider-runtime-boundary-critical-quality.yml

@@ -0,0 +1,44 @@
+name: openclaw-codeql-provider-runtime-boundary-critical-quality
+
+disable-default-queries: true
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - include:
+      problem.severity:
+        - error
+  - exclude:
+      tags:
+        - security
+
+paths:
+  - src/model-catalog
+  - src/plugins/provider-*.ts
+  - src/plugins/providers*.ts
+  - src/plugins/*provider*.ts
+  - src/plugins/capability-provider-runtime.ts
+  - src/plugins/compaction-provider.ts
+  - src/plugins/memory-embedding-provider*.ts
+  - src/plugins/memory-embedding-providers*.ts
+  - src/plugins/migration-provider-runtime.ts
+  - src/plugins/synthetic-auth.runtime.ts
+  - src/plugins/web-fetch-providers*.ts
+  - src/plugins/web-search-providers*.ts
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/codeql/codeql-session-diagnostics-boundary-critical-quality.yml

@@ -0,0 +1,48 @@
+name: openclaw-codeql-session-diagnostics-boundary-critical-quality
+
+disable-default-queries: true
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - include:
+      problem.severity:
+        - error
+  - exclude:
+      tags:
+        - security
+
+paths:
+  - src/auto-reply/reply/queue
+  - src/auto-reply/reply/post-compaction-context.ts
+  - src/auto-reply/reply/startup-context.ts
+  - src/infra/diagnostic-*.ts
+  - src/infra/diagnostics-timeline.ts
+  - src/infra/session-delivery-queue*.ts
+  - src/infra/outbound/base-session-key.ts
+  - src/infra/outbound/delivery-queue*.ts
+  - src/infra/outbound/outbound-session.ts
+  - src/infra/outbound/session-binding*.ts
+  - src/infra/outbound/session-context.ts
+  - src/infra/outbound/targets-session.ts
+  - src/logging/diagnostic*.ts
+  - src/commands/doctor-session-*.ts
+  - src/commands/session-store-targets.ts
+  - src/commands/sessions*.ts
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/codeql/codeql-ui-control-plane-critical-quality.yml

@@ -0,0 +1,36 @@
+name: openclaw-codeql-ui-control-plane-critical-quality
+
+disable-default-queries: true
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - include:
+      problem.severity:
+        - error
+  - exclude:
+      tags:
+        - security
+
+paths:
+  - ui/src/main.ts
+  - ui/src/local-storage.ts
+  - ui/src/ui
+  - src/tasks/task-registry-control*.ts
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/codeql/codeql-web-media-runtime-boundary-critical-quality.yml

@@ -0,0 +1,39 @@
+name: openclaw-codeql-web-media-runtime-boundary-critical-quality
+
+disable-default-queries: true
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - include:
+      problem.severity:
+        - error
+  - exclude:
+      tags:
+        - security
+
+paths:
+  - src/web-fetch
+  - src/web-search
+  - src/web/provider-runtime-shared.ts
+  - src/media
+  - src/media-understanding
+  - src/image-generation
+  - src/media-generation
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/dependabot.yml

@@ -29,7 +29,7 @@ updates:
         update-types:
           - minor
           - patch
-    open-pull-requests-limit: 10
+    open-pull-requests-limit: 20
     registries:
       - npm-npmjs
 
@@ -83,7 +83,7 @@ updates:
 
   # Swift Package Manager - Swabble
   - package-ecosystem: swift
-    directory: /Swabble
+    directory: /apps/swabble
     schedule:
       interval: daily
     cooldown:

.github/images/live-media-runner/Dockerfile

@@ -0,0 +1,16 @@
+FROM ubuntu:24.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends \
+    bash \
+    ca-certificates \
+    curl \
+    ffmpeg \
+    git \
+    openssh-client \
+    unzip \
+    xz-utils \
+    zstd \
+  && rm -rf /var/lib/apt/lists/*

.github/labeler.yml

@@ -9,6 +9,12 @@
           - "extensions/azure-speech/**"
           - "docs/providers/azure-speech.md"
           - "docs/tools/tts.md"
+"plugin: file-transfer":
+  - changed-files:
+      - any-glob-to-any-file:
+          - "extensions/file-transfer/**"
+          - "docs/nodes/index.md"
+          - "docs/plugins/sdk-runtime.md"
 "channel: discord":
   - changed-files:
       - any-glob-to-any-file:
@@ -189,7 +195,6 @@
   - changed-files:
       - any-glob-to-any-file:
           - "docs/**"
-          - "docs.acp.md"
 
 "cli":
   - changed-files:
@@ -212,10 +217,10 @@
           - "Dockerfile"
           - "Dockerfile.*"
           - "docker-compose.yml"
-          - "docker-setup.sh"
-          - "setup-podman.sh"
           - ".dockerignore"
+          - "deploy/fly.private.toml"
           - "scripts/docker/setup.sh"
+          - "scripts/docker/sandbox/Dockerfile*"
           - "scripts/podman/setup.sh"
           - "scripts/**/*docker*"
           - "scripts/**/Dockerfile*"
@@ -238,8 +243,11 @@
 "security":
   - changed-files:
       - any-glob-to-any-file:
+          - ".github/workflows/opengrep-*.yml"
+          - ".semgrepignore"
           - "docs/cli/security.md"
           - "docs/gateway/security.md"
+          - "security/**"
 
 "extensions: copilot-proxy":
   - changed-files:

.github/workflows/ci-build-artifacts-testbox.yml

@@ -26,7 +26,7 @@ jobs:
     timeout-minutes: 35
     steps:
       - name: Begin Testbox
-        uses: useblacksmith/begin-testbox@v2
+        uses: useblacksmith/begin-testbox@d0e04585c26905fdd92c94a09c159544c7ee1b67
         with:
           testbox_id: ${{ inputs.testbox_id }}
 
@@ -218,7 +218,7 @@ jobs:
         run: bash scripts/ci-hydrate-testbox-env.sh
 
       - name: Run Testbox
-        uses: useblacksmith/run-testbox@v2
+        uses: useblacksmith/run-testbox@5ca05834db1d3813554d1dd109e5f2087a8d7cbc
         if: always()
         env:
           FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

.github/workflows/ci-check-testbox.yml

@@ -25,7 +25,7 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Begin Testbox
-        uses: useblacksmith/begin-testbox@v2
+        uses: useblacksmith/begin-testbox@d0e04585c26905fdd92c94a09c159544c7ee1b67
         with:
           testbox_id: ${{ inputs.testbox_id }}
       - name: Checkout
@@ -121,7 +121,7 @@ jobs:
         run: bash scripts/ci-hydrate-testbox-env.sh
 
       - name: Run Testbox
-        uses: useblacksmith/run-testbox@v2
+        uses: useblacksmith/run-testbox@5ca05834db1d3813554d1dd109e5f2087a8d7cbc
         if: always()
         env:
           FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

.github/workflows/ci.yml

@@ -8,6 +8,11 @@ on:
         required: false
         default: ""
         type: string
+      include_android:
+        description: Run Android lanes for this manual CI dispatch.
+        required: false
+        default: false
+        type: boolean
   push:
     branches: [main]
     paths-ignore:
@@ -36,7 +41,7 @@ jobs:
     runs-on: ubuntu-24.04
     timeout-minutes: 20
     outputs:
-      checkout_sha: ${{ steps.checkout_ref.outputs.sha }}
+      checkout_revision: ${{ steps.checkout_ref.outputs.sha }}
       docs_only: ${{ steps.manifest.outputs.docs_only }}
       docs_changed: ${{ steps.manifest.outputs.docs_changed }}
       run_node: ${{ steps.manifest.outputs.run_node }}
@@ -49,8 +54,9 @@ jobs:
       run_checks_fast_core: ${{ steps.manifest.outputs.run_checks_fast_core }}
       run_checks_fast: ${{ steps.manifest.outputs.run_checks_fast }}
       checks_fast_core_matrix: ${{ steps.manifest.outputs.checks_fast_core_matrix }}
+      run_plugin_contracts_shards: ${{ steps.manifest.outputs.run_plugin_contracts_shards }}
+      plugin_contracts_matrix: ${{ steps.manifest.outputs.plugin_contracts_matrix }}
       channel_contracts_matrix: ${{ steps.manifest.outputs.channel_contracts_matrix }}
-      checks_node_extensions_matrix: ${{ steps.manifest.outputs.checks_node_extensions_matrix }}
       run_checks: ${{ steps.manifest.outputs.run_checks }}
       checks_matrix: ${{ steps.manifest.outputs.checks_matrix }}
       run_checks_node_core_nondist: ${{ steps.manifest.outputs.run_checks_node_core_nondist }}
@@ -117,13 +123,14 @@ jobs:
           OPENCLAW_CI_DOCS_CHANGED: ${{ github.event_name == 'workflow_dispatch' && 'true' || steps.docs_scope.outputs.docs_changed }}
           OPENCLAW_CI_RUN_NODE: ${{ github.event_name == 'workflow_dispatch' && 'true' || steps.changed_scope.outputs.run_node || 'false' }}
           OPENCLAW_CI_RUN_MACOS: ${{ github.event_name == 'workflow_dispatch' && 'true' || steps.changed_scope.outputs.run_macos || 'false' }}
-          OPENCLAW_CI_RUN_ANDROID: ${{ github.event_name == 'workflow_dispatch' && 'true' || steps.changed_scope.outputs.run_android || 'false' }}
+          OPENCLAW_CI_RUN_ANDROID: ${{ github.event_name == 'workflow_dispatch' && inputs.include_android && 'true' || steps.changed_scope.outputs.run_android || 'false' }}
           OPENCLAW_CI_RUN_WINDOWS: ${{ github.event_name == 'workflow_dispatch' && 'true' || steps.changed_scope.outputs.run_windows || 'false' }}
           OPENCLAW_CI_RUN_NODE_FAST_ONLY: ${{ github.event_name == 'workflow_dispatch' && 'false' || steps.changed_scope.outputs.run_node_fast_only || 'false' }}
           OPENCLAW_CI_RUN_NODE_FAST_PLUGIN_CONTRACTS: ${{ github.event_name == 'workflow_dispatch' && 'false' || steps.changed_scope.outputs.run_node_fast_plugin_contracts || 'false' }}
           OPENCLAW_CI_RUN_NODE_FAST_CI_ROUTING: ${{ github.event_name == 'workflow_dispatch' && 'false' || steps.changed_scope.outputs.run_node_fast_ci_routing || 'false' }}
           OPENCLAW_CI_RUN_SKILLS_PYTHON: ${{ github.event_name == 'workflow_dispatch' && 'true' || steps.changed_scope.outputs.run_skills_python || 'false' }}
           OPENCLAW_CI_RUN_CONTROL_UI_I18N: ${{ github.event_name == 'workflow_dispatch' && 'true' || steps.changed_scope.outputs.run_control_ui_i18n || 'false' }}
+          OPENCLAW_CI_CHECKOUT_REVISION: ${{ steps.checkout_ref.outputs.sha }}
           OPENCLAW_CI_REPOSITORY: ${{ github.repository }}
         run: |
           node --input-type=module <<'EOF'
@@ -134,10 +141,6 @@ jobs:
           import {
             createChannelContractTestShards,
           } from "./scripts/lib/channel-contract-test-plan.mjs";
-          import {
-            createExtensionTestShards,
-            DEFAULT_EXTENSION_TEST_SHARD_COUNT,
-          } from "./scripts/lib/extension-test-plan.mjs";
 
           const parseBoolean = (value, fallback = false) => {
             if (value === undefined) return fallback;
@@ -147,6 +150,24 @@ jobs:
             return fallback;
           };
 
+          const { createPluginContractTestShards } = await import(
+            "./scripts/lib/plugin-contract-test-plan.mjs"
+          ).catch((error) => {
+            if (error?.code !== "ERR_MODULE_NOT_FOUND") {
+              throw error;
+            }
+            return {
+              createPluginContractTestShards: () => [
+                {
+                  checkName: "checks-fast-contracts-plugins-legacy",
+                  includePatterns: ["src/plugins/contracts/**/*.test.ts"],
+                  runtime: "node",
+                  task: "contracts-plugins",
+                },
+              ],
+            };
+          });
+
           const createMatrix = (include) => ({ include });
           const outputPath = process.env.GITHUB_OUTPUT;
           const isCanonicalRepository = process.env.OPENCLAW_CI_REPOSITORY === "openclaw/openclaw";
@@ -160,7 +181,7 @@ jobs:
             runNode && parseBoolean(process.env.OPENCLAW_CI_RUN_NODE_FAST_PLUGIN_CONTRACTS);
           const runNodeFastCiRouting =
             runNode && parseBoolean(process.env.OPENCLAW_CI_RUN_NODE_FAST_CI_ROUTING);
-          const runChecksFastCore = runNodeFull || runNodeFastPluginContracts || runNodeFastCiRouting;
+          const runPluginContractShards = runNodeFull || runNodeFastPluginContracts;
           const runMacos =
             parseBoolean(process.env.OPENCLAW_CI_RUN_MACOS) && !docsOnly && isCanonicalRepository;
           const runAndroid =
@@ -173,44 +194,13 @@ jobs:
           const runSkillsPython = parseBoolean(process.env.OPENCLAW_CI_RUN_SKILLS_PYTHON) && !docsOnly;
           const runControlUiI18n =
             parseBoolean(process.env.OPENCLAW_CI_RUN_CONTROL_UI_I18N) && !docsOnly;
-          const extensionTestShardCount = isCanonicalRepository
-            ? DEFAULT_EXTENSION_TEST_SHARD_COUNT
-            : Math.max(DEFAULT_EXTENSION_TEST_SHARD_COUNT, 36);
-          const extensionShardMatrix = createMatrix(
-            runNodeFull
-              ? createExtensionTestShards({
-                  shardCount: extensionTestShardCount,
-                }).map((shard) => ({
-                  check_name: shard.checkName,
-                  extensions_csv: shard.extensionIds.join(","),
-                  runner: isCanonicalRepository && [0, 3, 4].includes(shard.index)
-                    ? "blacksmith-8vcpu-ubuntu-2404"
-                    : isCanonicalRepository
-                      ? "blacksmith-4vcpu-ubuntu-2404"
-                      : "ubuntu-24.04",
-                  shard_index: shard.index + 1,
-                  task: "extensions-batch",
-                }))
-              : [],
-          );
           const checksFastCoreTasks = [];
           if (runNodeFull) {
             checksFastCoreTasks.push(
               { check_name: "checks-fast-bundled", runtime: "node", task: "bundled" },
-              {
-                check_name: "checks-fast-contracts-plugins",
-                runtime: "node",
-                task: "contracts-plugins",
-              },
             );
           } else {
-            if (runNodeFastPluginContracts) {
-              checksFastCoreTasks.push({
-                check_name: "checks-fast-contracts-plugins",
-                runtime: "node",
-                task: runNodeFastCiRouting ? "contracts-plugins-ci-routing" : "contracts-plugins",
-              });
-            } else if (runNodeFastCiRouting) {
+            if (runNodeFastCiRouting) {
               checksFastCoreTasks.push({
                 check_name: "checks-fast-ci-routing",
                 runtime: "node",
@@ -220,7 +210,9 @@ jobs:
           }
 
           const nodeTestShards = runNodeFull
-            ? createNodeTestShards().map((shard) => ({
+            ? createNodeTestShards({
+                includeReleaseOnlyPluginShards: false,
+              }).map((shard) => ({
                 check_name: shard.checkName,
                 runtime: "node",
                 task: "test-shard",
@@ -243,13 +235,16 @@ jobs:
             run_skills_python: runSkillsPython,
             run_windows: runWindows,
             run_build_artifacts: runNodeFull,
-            run_checks_fast_core: runChecksFastCore,
+            run_checks_fast_core: checksFastCoreTasks.length > 0,
             run_checks_fast: runNodeFull,
             checks_fast_core_matrix: createMatrix(checksFastCoreTasks),
+            run_plugin_contracts_shards: runPluginContractShards,
+            plugin_contracts_matrix: createMatrix(
+              runPluginContractShards ? createPluginContractTestShards() : [],
+            ),
             channel_contracts_matrix: createMatrix(
               runNodeFull ? createChannelContractTestShards() : [],
             ),
-            checks_node_extensions_matrix: extensionShardMatrix,
             run_checks: runNodeFull,
             checks_matrix: createMatrix(
               runNodeFull
@@ -468,7 +463,7 @@ jobs:
         shell: bash
         env:
           CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }}
+          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
           CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
@@ -540,7 +535,7 @@ jobs:
           path: |
             dist/
             dist-runtime/
-          key: ${{ runner.os }}-dist-build-${{ needs.preflight.outputs.checkout_sha }}
+          key: ${{ runner.os }}-dist-build-${{ needs.preflight.outputs.checkout_revision }}
 
       - name: Pack built runtime artifacts
         run: tar --posix -cf dist-runtime-build.tar.zst --use-compress-program zstdmt dist dist-runtime
@@ -569,9 +564,6 @@ jobs:
       - name: Smoke test built bundled plugin singleton
         run: pnpm test:build:singleton
 
-      - name: Smoke test built bundled runtime deps
-        run: pnpm test:build:bundled-runtime-deps
-
       - name: Check CLI startup memory
         run: pnpm test:startup:memory
 
@@ -669,7 +661,7 @@ jobs:
         shell: bash
         env:
           CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }}
+          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
           CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
@@ -748,6 +740,112 @@ jobs:
               ;;
           esac
 
+  checks-fast-plugin-contracts-shard:
+    permissions:
+      contents: read
+    name: ${{ matrix.checkName }}
+    needs: [preflight]
+    if: needs.preflight.outputs.run_plugin_contracts_shards == 'true'
+    runs-on: ${{ github.repository == 'openclaw/openclaw' && 'blacksmith-4vcpu-ubuntu-2404' || 'ubuntu-24.04' }}
+    timeout-minutes: 60
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.preflight.outputs.plugin_contracts_matrix) }}
+    steps:
+      - name: Checkout
+        shell: bash
+        env:
+          CHECKOUT_REPO: ${{ github.repository }}
+          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
+          CHECKOUT_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+
+          workdir="$GITHUB_WORKSPACE"
+          auth_header="$(printf 'x-access-token:%s' "$CHECKOUT_TOKEN" | base64 | tr -d '\n')"
+
+          reset_checkout_dir() {
+            mkdir -p "$workdir"
+            find "$workdir" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
+          }
+
+          checkout_attempt() {
+            local attempt="$1"
+
+            reset_checkout_dir
+            git init "$workdir" >/dev/null
+            git config --global --add safe.directory "$workdir"
+            git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}"
+            git -C "$workdir" config gc.auto 0
+
+            timeout --signal=TERM 30s git -C "$workdir" \
+              -c protocol.version=2 \
+              -c "http.https://github.com/.extraheader=AUTHORIZATION: basic ${auth_header}" \
+              fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
+              "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
+
+            git -C "$workdir" checkout --force --detach "$CHECKOUT_SHA" || return 1
+            test -f "$workdir/.github/actions/setup-node-env/action.yml" || return 1
+            echo "checkout attempt ${attempt}/5 succeeded"
+          }
+
+          for attempt in 1 2 3 4 5; do
+            if checkout_attempt "$attempt"; then
+              exit 0
+            fi
+            echo "checkout attempt ${attempt}/5 failed"
+            sleep $((attempt * 5))
+          done
+
+          echo "checkout failed after 5 attempts" >&2
+          exit 1
+
+      - name: Setup Node environment
+        uses: ./.github/actions/setup-node-env
+        with:
+          install-bun: "false"
+
+      - name: Run plugin contract shard
+        env:
+          OPENCLAW_CONTRACT_INCLUDE_PATTERNS_JSON: ${{ toJson(matrix.includePatterns) }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          include_file="$RUNNER_TEMP/plugin-contract-include.json"
+          INCLUDE_FILE="$include_file" node --input-type=module <<'EOF'
+          import { writeFileSync } from "node:fs";
+
+          const includePatterns = JSON.parse(process.env.OPENCLAW_CONTRACT_INCLUDE_PATTERNS_JSON ?? "[]");
+          if (!Array.isArray(includePatterns) || includePatterns.length === 0) {
+            console.error("Missing plugin contract include patterns");
+            process.exit(1);
+          }
+          writeFileSync(process.env.INCLUDE_FILE, JSON.stringify(includePatterns), "utf8");
+          EOF
+          OPENCLAW_VITEST_INCLUDE_FILE="$include_file" pnpm test:contracts:plugins
+
+  checks-fast-plugin-contracts:
+    permissions:
+      contents: read
+    name: checks-fast-contracts-plugins
+    needs: [preflight, checks-fast-plugin-contracts-shard]
+    if: ${{ !cancelled() && always() && needs.preflight.outputs.run_plugin_contracts_shards == 'true' }}
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    steps:
+      - name: Verify plugin contract shards
+        env:
+          SHARD_RESULT: ${{ needs.checks-fast-plugin-contracts-shard.result }}
+        run: |
+          if [ "$SHARD_RESULT" = "cancelled" ]; then
+            echo "Plugin contract shards were cancelled, usually because a newer commit superseded this run." >&2
+            exit 1
+          fi
+          if [ "$SHARD_RESULT" != "success" ]; then
+            echo "Plugin contract shards failed: $SHARD_RESULT" >&2
+            exit 1
+          fi
+
   checks-fast-channel-contracts-shard:
     permissions:
       contents: read
@@ -764,7 +862,7 @@ jobs:
         shell: bash
         env:
           CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }}
+          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
           CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
@@ -867,7 +965,7 @@ jobs:
         shell: bash
         env:
           CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }}
+          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
           CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
@@ -919,97 +1017,6 @@ jobs:
       - name: Run protocol check
         run: pnpm protocol:check
 
-  checks-node-extensions-shard:
-    permissions:
-      contents: read
-    name: ${{ matrix.check_name }}
-    needs: [preflight]
-    if: needs.preflight.outputs.run_checks_fast == 'true'
-    runs-on: ${{ matrix.runner }}
-    timeout-minutes: 60
-    strategy:
-      fail-fast: false
-      matrix: ${{ fromJson(needs.preflight.outputs.checks_node_extensions_matrix) }}
-    steps:
-      - name: Checkout
-        shell: bash
-        env:
-          CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }}
-          CHECKOUT_TOKEN: ${{ github.token }}
-        run: |
-          set -euo pipefail
-
-          workdir="$GITHUB_WORKSPACE"
-          auth_header="$(printf 'x-access-token:%s' "$CHECKOUT_TOKEN" | base64 | tr -d '\n')"
-
-          reset_checkout_dir() {
-            mkdir -p "$workdir"
-            find "$workdir" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
-          }
-
-          checkout_attempt() {
-            local attempt="$1"
-
-            reset_checkout_dir
-            git init "$workdir" >/dev/null
-            git config --global --add safe.directory "$workdir"
-            git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}"
-            git -C "$workdir" config gc.auto 0
-
-            timeout --signal=TERM 30s git -C "$workdir" \
-              -c protocol.version=2 \
-              -c "http.https://github.com/.extraheader=AUTHORIZATION: basic ${auth_header}" \
-              fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
-              "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
-
-            git -C "$workdir" checkout --force --detach "$CHECKOUT_SHA" || return 1
-            test -f "$workdir/.github/actions/setup-node-env/action.yml" || return 1
-            echo "checkout attempt ${attempt}/5 succeeded"
-          }
-
-          for attempt in 1 2 3 4 5; do
-            if checkout_attempt "$attempt"; then
-              exit 0
-            fi
-            echo "checkout attempt ${attempt}/5 failed"
-            sleep $((attempt * 5))
-          done
-
-          echo "checkout failed after 5 attempts" >&2
-          exit 1
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          install-bun: "false"
-
-      - name: Run extension shard
-        env:
-          NODE_OPTIONS: --max-old-space-size=6144
-          OPENCLAW_EXTENSION_BATCH_PARALLEL: 2
-          OPENCLAW_VITEST_MAX_WORKERS: 1
-          OPENCLAW_EXTENSION_BATCH: ${{ matrix.extensions_csv }}
-        run: pnpm test:extensions:batch -- "$OPENCLAW_EXTENSION_BATCH"
-
-  checks-node-extensions:
-    permissions:
-      contents: read
-    name: checks-node-extensions
-    needs: [preflight, checks-node-extensions-shard]
-    if: ${{ !cancelled() && always() && needs.preflight.outputs.run_checks_fast == 'true' }}
-    runs-on: ubuntu-24.04
-    timeout-minutes: 5
-    steps:
-      - name: Verify extension shards
-        env:
-          SHARD_RESULT: ${{ needs.checks-node-extensions-shard.result }}
-        run: |
-          if [ "$SHARD_RESULT" != "success" ]; then
-            echo "Extension shard checks failed: $SHARD_RESULT" >&2
-            exit 1
-          fi
-
   checks:
     permissions:
       contents: read
@@ -1055,7 +1062,7 @@ jobs:
         shell: bash
         env:
           CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }}
+          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
           CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
@@ -1135,7 +1142,7 @@ jobs:
         shell: bash
         env:
           CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }}
+          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
           CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
@@ -1308,6 +1315,9 @@ jobs:
           - check_name: check-lint
             task: lint
             runner: blacksmith-16vcpu-ubuntu-2404
+          - check_name: check-dependencies
+            task: dependencies
+            runner: ubuntu-24.04
           - check_name: check-policy-guards
             task: policy-guards
             runner: ubuntu-24.04
@@ -1322,7 +1332,7 @@ jobs:
         shell: bash
         env:
           CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }}
+          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
           CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
@@ -1383,6 +1393,7 @@ jobs:
               pnpm check:no-conflict-markers
               pnpm tool-display:check
               pnpm check:host-env-policy:swift
+              pnpm dup:check:coverage
               ;;
             prod-types)
               pnpm tsgo:prod
@@ -1390,6 +1401,15 @@ jobs:
             lint)
               pnpm lint --threads=8
               ;;
+            dependencies)
+              if pnpm run --silent 2>/dev/null | grep -q '^  deadcode:dependencies$'; then
+                pnpm deadcode:dependencies
+                pnpm deadcode:unused-files
+                pnpm deadcode:report:ci:ts-unused
+              else
+                pnpm deadcode:ci
+              fi
+              ;;
             policy-guards)
               pnpm lint:webhook:no-low-level-body-read
               pnpm lint:auth:no-pairing-store-group
@@ -1409,6 +1429,14 @@ jobs:
               ;;
           esac
 
+      - name: Upload deadcode reports
+        if: ${{ always() && matrix.task == 'dependencies' }}
+        uses: actions/upload-artifact@v7
+        with:
+          name: deadcode-reports
+          path: .artifacts/deadcode
+          if-no-files-found: ignore
+
   check:
     permissions:
       contents: read
@@ -1439,8 +1467,18 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - check_name: check-additional-boundaries
+          - check_name: check-additional-boundaries-a
             group: boundaries
+            boundary_shard: 1/4
+          - check_name: check-additional-boundaries-b
+            group: boundaries
+            boundary_shard: 2/4
+          - check_name: check-additional-boundaries-c
+            group: boundaries
+            boundary_shard: 3/4
+          - check_name: check-additional-boundaries-d
+            group: boundaries
+            boundary_shard: 4/4
           - check_name: check-additional-extension-channels
             group: extension-channels
           - check_name: check-additional-extension-bundled
@@ -1454,7 +1492,7 @@ jobs:
         shell: bash
         env:
           CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }}
+          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
           CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
@@ -1545,6 +1583,7 @@ jobs:
       - name: Run additional check shard
         env:
           ADDITIONAL_CHECK_GROUP: ${{ matrix.group }}
+          OPENCLAW_ADDITIONAL_BOUNDARY_SHARD: ${{ matrix.boundary_shard || '' }}
           RUN_CONTROL_UI_I18N: ${{ needs.preflight.outputs.run_control_ui_i18n }}
           OPENCLAW_ADDITIONAL_BOUNDARY_CONCURRENCY: 4
           OPENCLAW_EXTENSION_BOUNDARY_CONCURRENCY: 6
@@ -1652,7 +1691,7 @@ jobs:
         shell: bash
         env:
           CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }}
+          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
           CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
@@ -1715,7 +1754,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.preflight.outputs.checkout_sha }}
+          ref: ${{ needs.preflight.outputs.checkout_revision }}
           persist-credentials: false
           submodules: false
 
@@ -1730,10 +1769,10 @@ jobs:
           python -m pip install pytest ruff pyyaml
 
       - name: Lint Python skill scripts
-        run: python -m ruff check skills
+        run: python -m ruff check --config skills/pyproject.toml skills
 
       - name: Test skill Python scripts
-        run: python -m pytest -q skills
+        run: python -m pytest -q -c skills/pyproject.toml skills
 
   checks-windows:
     permissions:
@@ -1758,7 +1797,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.preflight.outputs.checkout_sha }}
+          ref: ${{ needs.preflight.outputs.checkout_revision }}
           persist-credentials: false
           submodules: false
 
@@ -1863,7 +1902,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.preflight.outputs.checkout_sha }}
+          ref: ${{ needs.preflight.outputs.checkout_revision }}
           persist-credentials: false
           submodules: false
 
@@ -1904,7 +1943,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.preflight.outputs.checkout_sha }}
+          ref: ${{ needs.preflight.outputs.checkout_revision }}
           persist-credentials: false
           submodules: false
 
@@ -1933,7 +1972,7 @@ jobs:
         uses: actions/cache@v5
         with:
           path: apps/macos/.build
-          key: ${{ runner.os }}-swift-build-v2-${{ steps.swift-toolchain.outputs.key }}-${{ hashFiles('apps/macos/Package.swift', 'apps/macos/Package.resolved', 'apps/macos/Sources/**', 'apps/macos/Tests/**', 'apps/shared/OpenClawKit/Package.swift', 'apps/shared/OpenClawKit/Sources/**', 'Swabble/Package.swift', 'Swabble/Sources/**') }}
+          key: ${{ runner.os }}-swift-build-v2-${{ steps.swift-toolchain.outputs.key }}-${{ hashFiles('apps/macos/Package.swift', 'apps/macos/Package.resolved', 'apps/macos/Sources/**', 'apps/macos/Tests/**', 'apps/shared/OpenClawKit/Package.swift', 'apps/shared/OpenClawKit/Sources/**', 'apps/swabble/Package.swift', 'apps/swabble/Sources/**') }}
           restore-keys: |
             ${{ runner.os }}-swift-build-v2-${{ steps.swift-toolchain.outputs.key }}-
 
@@ -1943,13 +1982,13 @@ jobs:
           set -euo pipefail
           # Exact source-hash cache hits already match these inputs; checkout
           # mtimes are the only reason SwiftPM rebuilds cached products.
-          find apps/macos/Sources apps/macos/Tests apps/shared/OpenClawKit/Sources Swabble/Sources apps/macos/.build/checkouts \
+          find apps/macos/Sources apps/macos/Tests apps/shared/OpenClawKit/Sources apps/swabble/Sources apps/macos/.build/checkouts \
             -type f -exec touch -t 200001010000 {} +
           touch -t 200001010000 \
             apps/macos/Package.swift \
             apps/macos/Package.resolved \
             apps/shared/OpenClawKit/Package.swift \
-            Swabble/Package.swift
+            apps/swabble/Package.swift
 
       - name: Show toolchain
         run: |
@@ -1959,8 +1998,8 @@ jobs:
 
       - name: Swift lint
         run: |
-          swiftlint --config .swiftlint.yml
-          swiftformat --lint apps/macos/Sources --config .swiftformat
+          swiftlint lint --config config/swiftlint.yml
+          swiftformat --lint apps/macos/Sources --config config/swiftformat --exclude '**/OpenClawProtocol,**/HostEnvSecurityPolicy.generated.swift'
 
       - name: Swift build (release)
         run: |
@@ -2005,7 +2044,7 @@ jobs:
         shell: bash
         env:
           CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }}
+          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
           CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
@@ -2061,6 +2100,14 @@ jobs:
             apps/android/**/gradle-wrapper.properties
             apps/android/gradle/libs.versions.toml
 
+      - name: Cache Android SDK
+        uses: actions/cache@v5
+        with:
+          path: ~/.android-sdk
+          key: ${{ runner.os }}-android-sdk-v1-cmdline-12266719-platform-36-build-tools-36.0.0
+          restore-keys: |
+            ${{ runner.os }}-android-sdk-v1-
+
       - name: Setup Android SDK cmdline-tools
         run: |
           set -euo pipefail
@@ -2069,11 +2116,13 @@ jobs:
           ARCHIVE="commandlinetools-linux-${CMDLINE_TOOLS_VERSION}_latest.zip"
           URL="https://dl.google.com/android/repository/${ARCHIVE}"
 
-          mkdir -p "$ANDROID_SDK_ROOT/cmdline-tools"
-          curl -fsSL "$URL" -o "/tmp/${ARCHIVE}"
-          rm -rf "$ANDROID_SDK_ROOT/cmdline-tools/latest"
-          unzip -q "/tmp/${ARCHIVE}" -d "$ANDROID_SDK_ROOT/cmdline-tools"
-          mv "$ANDROID_SDK_ROOT/cmdline-tools/cmdline-tools" "$ANDROID_SDK_ROOT/cmdline-tools/latest"
+          if [ ! -x "$ANDROID_SDK_ROOT/cmdline-tools/latest/bin/sdkmanager" ]; then
+            mkdir -p "$ANDROID_SDK_ROOT/cmdline-tools"
+            curl -fsSL "$URL" -o "/tmp/${ARCHIVE}"
+            rm -rf "$ANDROID_SDK_ROOT/cmdline-tools/latest"
+            unzip -q "/tmp/${ARCHIVE}" -d "$ANDROID_SDK_ROOT/cmdline-tools"
+            mv "$ANDROID_SDK_ROOT/cmdline-tools/cmdline-tools" "$ANDROID_SDK_ROOT/cmdline-tools/latest"
+          fi
 
           echo "ANDROID_SDK_ROOT=$ANDROID_SDK_ROOT" >> "$GITHUB_ENV"
           echo "ANDROID_HOME=$ANDROID_SDK_ROOT" >> "$GITHUB_ENV"

.github/workflows/clawsweeper-dispatch.yml

@@ -3,44 +3,169 @@ name: ClawSweeper Dispatch
 on:
   issues:
     types: [opened, reopened, edited, labeled, unlabeled]
+  issue_comment:
+    types: [created, edited]
+  push:
+    branches: [main]
   pull_request_target: # zizmor: ignore[dangerous-triggers] maintainer-owned external dispatch; no checkout or untrusted PR code execution
     types: [opened, reopened, synchronize, ready_for_review, edited, labeled, unlabeled]
+  pull_request_review:
+    types: [submitted, edited, dismissed]
+  pull_request_review_comment:
+    types: [created, edited]
 
 permissions:
   contents: read
 
+concurrency:
+  group: clawsweeper-dispatch-${{ github.repository }}-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: ${{ github.event.action == 'edited' || github.event.action == 'synchronize' || github.event.action == 'ready_for_review' }}
+
 jobs:
   dispatch:
     runs-on: ubuntu-latest
+    if: ${{ github.event_name == 'issue_comment' || !(endsWith(github.actor, '[bot]') && (github.event.action == 'labeled' || github.event.action == 'unlabeled')) }}
     env:
       HAS_CLAWSWEEPER_APP_PRIVATE_KEY: ${{ secrets.CLAWSWEEPER_APP_PRIVATE_KEY != '' }}
+      CLAWSWEEPER_APP_CLIENT_ID: Iv23liOECG0slfuhz093
+      SUPERSEDES_IN_PROGRESS: ${{ (github.event.action == 'edited' || github.event.action == 'synchronize' || github.event.action == 'ready_for_review') && 'true' || 'false' }}
     steps:
+      - name: Debounce bursty metadata events
+        if: ${{ github.event.action == 'labeled' || github.event.action == 'unlabeled' }}
+        run: sleep 20
+
       - name: Create ClawSweeper dispatch token
         id: token
         if: ${{ env.HAS_CLAWSWEEPER_APP_PRIVATE_KEY == 'true' }}
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
-          app-id: 3306130
+          client-id: ${{ env.CLAWSWEEPER_APP_CLIENT_ID }}
           private-key: ${{ secrets.CLAWSWEEPER_APP_PRIVATE_KEY }}
           owner: openclaw
           repositories: clawsweeper
+          permission-contents: write
+
+      - name: Create target comment token
+        id: target_token
+        if: ${{ github.event_name == 'issue_comment' && env.HAS_CLAWSWEEPER_APP_PRIVATE_KEY == 'true' }}
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        with:
+          client-id: ${{ env.CLAWSWEEPER_APP_CLIENT_ID }}
+          private-key: ${{ secrets.CLAWSWEEPER_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: ${{ github.event.repository.name }}
+          permission-issues: write
+          permission-pull-requests: read
+
+      - name: Dispatch GitHub activity to ClawSweeper
+        env:
+          GH_TOKEN: ${{ steps.token.outputs.token }}
+          TARGET_REPO: ${{ github.repository }}
+          SOURCE_EVENT: ${{ github.event_name }}
+          SOURCE_ACTION: ${{ github.event.action }}
+          ACTOR: ${{ github.actor }}
+        run: |
+          set -euo pipefail
+          if [ -z "$GH_TOKEN" ]; then
+            echo "::notice::Skipping GitHub activity dispatch because no ClawSweeper app token is configured."
+            exit 0
+          fi
+          activity="$(jq -c \
+            --arg target_repo "$TARGET_REPO" \
+            --arg event_name "$SOURCE_EVENT" \
+            --arg source_action "$SOURCE_ACTION" \
+            --arg actor "$ACTOR" \
+            '
+            def body_excerpt(value):
+              if (value // "" | type) == "string" then
+                ((value // "") | gsub("\\s+"; " ") | .[0:1200])
+              else null end;
+            {
+              type: $event_name,
+              repo: $target_repo,
+              action: $source_action,
+              actor: $actor,
+              subject: (
+                if .pull_request then {
+                  kind: "pull_request",
+                  number: .pull_request.number,
+                  title: .pull_request.title,
+                  url: .pull_request.html_url,
+                  state: (if .pull_request.merged == true then "merged" else .pull_request.state end)
+                } elif .issue then {
+                  kind: (if .issue.pull_request then "pull_request" else "issue" end),
+                  number: .issue.number,
+                  title: .issue.title,
+                  url: .issue.html_url,
+                  state: .issue.state
+                } elif $event_name == "push" then {
+                  kind: "push",
+                  title: (.head_commit.message // .after // "push"),
+                  url: (.head_commit.url // .compare),
+                  state: .ref
+                } else {
+                  kind: $event_name
+                } end),
+              comment: (if .comment then {
+                id: .comment.id,
+                url: .comment.html_url,
+                body_excerpt: body_excerpt(.comment.body)
+              } else null end),
+              review: (if .review then {
+                id: .review.id,
+                state: .review.state,
+                url: .review.html_url,
+                body_excerpt: body_excerpt(.review.body)
+              } else null end),
+              review_comment: (if .comment and $event_name == "pull_request_review_comment" then {
+                id: .comment.id,
+                path: .comment.path,
+                line: (.comment.line // .comment.original_line),
+                url: .comment.html_url,
+                body_excerpt: body_excerpt(.comment.body)
+              } else null end),
+              push: (if $event_name == "push" then {
+                before: .before,
+                after: .after,
+                ref: .ref,
+                compare: .compare,
+                head_commit: .head_commit.id
+              } else null end),
+              delivery_id: (.comment.id // .review.id // .pull_request.head.sha // .issue.updated_at // .after // env.GITHUB_RUN_ID)
+            } | del(.. | nulls)
+            ' "$GITHUB_EVENT_PATH")"
+          payload="$(jq -nc --argjson activity "$activity" \
+            '{event_type:"github_activity",client_payload:{activity:$activity}}')"
+          if gh api repos/openclaw/clawsweeper/dispatches \
+            --method POST \
+            --input - <<< "$payload"; then
+            echo "Dispatched GitHub activity to ClawSweeper."
+          else
+            echo "::warning::Skipping GitHub activity dispatch because the configured credential could not dispatch to openclaw/clawsweeper."
+          fi
 
       - name: Dispatch exact ClawSweeper review
+        if: ${{ github.event_name == 'issues' || github.event_name == 'pull_request_target' }}
         env:
-          GH_TOKEN: ${{ steps.token.outputs.token || secrets.OPENCLAW_GH_TOKEN }}
+          GH_TOKEN: ${{ steps.token.outputs.token }}
           TARGET_REPO: ${{ github.repository }}
           ITEM_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}
           ITEM_KIND: ${{ github.event_name == 'pull_request_target' && 'pull_request' || 'issue' }}
+          SOURCE_EVENT: ${{ github.event_name }}
+          SOURCE_ACTION: ${{ github.event.action }}
         run: |
           if [ -z "$GH_TOKEN" ]; then
-            echo "::notice::Skipping ClawSweeper dispatch because no dispatch credential is configured."
+            echo "::notice::Skipping ClawSweeper dispatch because no ClawSweeper app token is configured. Not falling back to a maintainer token."
             exit 0
           fi
           payload="$(jq -nc \
             --arg target_repo "$TARGET_REPO" \
             --argjson item_number "$ITEM_NUMBER" \
             --arg item_kind "$ITEM_KIND" \
-            '{event_type:"clawsweeper_item",client_payload:{target_repo:$target_repo,item_number:$item_number,item_kind:$item_kind}}')"
+            --arg source_event "$SOURCE_EVENT" \
+            --arg source_action "$SOURCE_ACTION" \
+            --argjson supersedes_in_progress "$SUPERSEDES_IN_PROGRESS" \
+            '{event_type:"clawsweeper_item",client_payload:{target_repo:$target_repo,item_number:$item_number,item_kind:$item_kind,source_event:$source_event,source_action:$source_action,supersedes_in_progress:$supersedes_in_progress}}')"
           if gh api repos/openclaw/clawsweeper/dispatches \
             --method POST \
             --input - <<< "$payload"; then
@@ -48,3 +173,90 @@ jobs:
           else
             echo "::warning::Skipping ClawSweeper dispatch because the configured credential could not dispatch to openclaw/clawsweeper."
           fi
+
+      - name: Acknowledge and dispatch ClawSweeper comment
+        if: ${{ github.event_name == 'issue_comment' }}
+        env:
+          DISPATCH_TOKEN: ${{ steps.token.outputs.token }}
+          TARGET_TOKEN: ${{ steps.target_token.outputs.token }}
+          TARGET_REPO: ${{ github.repository }}
+          ITEM_NUMBER: ${{ github.event.issue.number }}
+          COMMENT_ID: ${{ github.event.comment.id }}
+          COMMENT_BODY: ${{ github.event.comment.body }}
+          SOURCE_ACTION: ${{ github.event.action }}
+        run: |
+          set -euo pipefail
+          if [ -z "$DISPATCH_TOKEN" ]; then
+            echo "::notice::Skipping ClawSweeper comment dispatch because no ClawSweeper app token is configured."
+            exit 0
+          fi
+          body_file="$RUNNER_TEMP/clawsweeper-comment-body.txt"
+          printf '%s\n' "$COMMENT_BODY" > "$body_file"
+          if ! grep -Eiq '(^|[[:space:]])@(clawsweeper|openclaw-clawsweeper)\b(\[bot\])?|(^|[[:space:]])/(clawsweeper|review|automerge|autoclose)\b' "$body_file"; then
+            echo "No ClawSweeper command found in comment."
+            exit 0
+          fi
+          if [ -n "$TARGET_TOKEN" ]; then
+            err="$(mktemp)"
+            if GH_TOKEN="$TARGET_TOKEN" gh api -X POST \
+              -H "Accept: application/vnd.github+json" \
+              "repos/$TARGET_REPO/issues/comments/$COMMENT_ID/reactions" \
+              -f content="eyes" 2>"$err" >/dev/null; then
+              echo "Acknowledged ClawSweeper command comment."
+            elif grep -qi "HTTP 422\\|already exists" "$err"; then
+              echo "ClawSweeper command comment already acknowledged."
+            else
+              cat "$err" >&2
+              echo "::warning::Could not acknowledge ClawSweeper command comment."
+            fi
+            rm -f "$err"
+          else
+            echo "::notice::Skipping ClawSweeper comment acknowledgement because no target token is configured."
+          fi
+          payload="$(jq -nc \
+            --arg target_repo "$TARGET_REPO" \
+            --argjson item_number "$ITEM_NUMBER" \
+            --argjson comment_id "$COMMENT_ID" \
+            --arg source_event "issue_comment" \
+            --arg source_action "$SOURCE_ACTION" \
+            '{event_type:"clawsweeper_comment",client_payload:{target_repo:$target_repo,item_number:$item_number,comment_id:$comment_id,source_event:$source_event,source_action:$source_action}}')"
+          if GH_TOKEN="$DISPATCH_TOKEN" gh api repos/openclaw/clawsweeper/dispatches \
+            --method POST \
+            --input - <<< "$payload"; then
+            echo "Dispatched ClawSweeper comment router."
+          else
+            echo "::warning::Skipping ClawSweeper comment dispatch because the configured credential could not dispatch to openclaw/clawsweeper."
+          fi
+
+      - name: Dispatch ClawSweeper commit review
+        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && github.event.deleted != true }}
+        env:
+          GH_TOKEN: ${{ steps.token.outputs.token }}
+          TARGET_REPO: ${{ github.repository }}
+          BEFORE_SHA: ${{ github.event.before }}
+          AFTER_SHA: ${{ github.sha }}
+          SOURCE_REF: ${{ github.ref }}
+          CREATE_CHECKS: ${{ vars.CLAWSWEEPER_COMMIT_REVIEW_CREATE_CHECKS || 'false' }}
+        run: |
+          if [ -z "$GH_TOKEN" ]; then
+            echo "::notice::Skipping ClawSweeper commit dispatch because no ClawSweeper app token is configured. Not falling back to a maintainer token."
+            exit 0
+          fi
+          case "$CREATE_CHECKS" in
+            true|TRUE|1|yes|YES|on|ON) create_checks=true ;;
+            *) create_checks=false ;;
+          esac
+          payload="$(jq -nc \
+            --arg target_repo "$TARGET_REPO" \
+            --arg before_sha "$BEFORE_SHA" \
+            --arg after_sha "$AFTER_SHA" \
+            --arg ref "$SOURCE_REF" \
+            --argjson create_checks "$create_checks" \
+            '{event_type:"clawsweeper_commit_review",client_payload:{target_repo:$target_repo,before_sha:$before_sha,after_sha:$after_sha,ref:$ref,enabled:true,create_checks:$create_checks}}')"
+          if gh api repos/openclaw/clawsweeper/dispatches \
+            --method POST \
+            --input - <<< "$payload"; then
+            echo "Dispatched ClawSweeper commit review."
+          else
+            echo "::warning::Skipping ClawSweeper commit dispatch because the configured credential could not dispatch to openclaw/clawsweeper."
+          fi

.github/workflows/codeql-android-critical-security.yml

@@ -0,0 +1,51 @@
+name: CodeQL Android Critical Security
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 7 * * *"
+
+concurrency:
+  group: codeql-android-critical-security-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.sha }}
+  cancel-in-progress: false
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  android:
+    name: Critical Security (android)
+    runs-on: blacksmith-8vcpu-ubuntu-2404
+    timeout-minutes: 45
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Setup Java
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+        with:
+          distribution: temurin
+          java-version: "21"
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: java-kotlin
+          build-mode: manual
+          config-file: ./.github/codeql/codeql-android-critical-security.yml
+
+      - name: Build Android for CodeQL
+        working-directory: apps/android
+        run: ./gradlew --no-daemon :app:assemblePlayDebug
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-security/android"

.github/workflows/codeql-critical-quality.yml

@@ -2,12 +2,135 @@ name: CodeQL Critical Quality
 
 on:
   workflow_dispatch:
+    inputs:
+      profile:
+        description: CodeQL quality profile to run
+        required: false
+        default: all
+        type: choice
+        options:
+          - all
+          - agent-runtime-boundary
+          - config-boundary
+          - core-auth-secrets
+          - channel-runtime-boundary
+          - gateway-runtime-boundary
+          - memory-runtime-boundary
+          - mcp-process-runtime-boundary
+          - plugin-boundary
+          - plugin-sdk-package-contract
+          - plugin-sdk-reply-runtime
+          - provider-runtime-boundary
+          - session-diagnostics-boundary
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    paths:
+      - ".github/codeql/**"
+      - ".github/workflows/codeql-critical-quality.yml"
+      - "packages/plugin-package-contract/**"
+      - "packages/plugin-sdk/**"
+      - "packages/memory-host-sdk/**"
+      - "src/config/**"
+      - "extensions/bluebubbles/src/**"
+      - "extensions/discord/src/**"
+      - "extensions/feishu/src/**"
+      - "extensions/googlechat/src/**"
+      - "extensions/imessage/src/**"
+      - "extensions/irc/src/**"
+      - "extensions/line/src/**"
+      - "extensions/matrix/src/**"
+      - "extensions/mattermost/src/**"
+      - "extensions/msteams/src/**"
+      - "extensions/nextcloud-talk/src/**"
+      - "extensions/nostr/src/**"
+      - "extensions/qa-channel/src/**"
+      - "extensions/qqbot/src/**"
+      - "extensions/signal/src/**"
+      - "extensions/slack/src/**"
+      - "extensions/synology-chat/src/**"
+      - "extensions/telegram/src/**"
+      - "extensions/tlon/src/**"
+      - "extensions/twitch/src/**"
+      - "extensions/whatsapp/src/**"
+      - "extensions/zalo/src/**"
+      - "extensions/zalouser/src/**"
+      - "src/agents/*auth*.ts"
+      - "src/agents/**/*auth*.ts"
+      - "src/agents/auth-health*.ts"
+      - "src/agents/auth-profiles"
+      - "src/agents/auth-profiles/**"
+      - "src/agents/bash-tools.exec-host-shared.ts"
+      - "src/agents/sandbox"
+      - "src/agents/sandbox/**"
+      - "src/agents/sandbox.ts"
+      - "src/agents/sandbox-*.ts"
+      - "src/acp/control-plane/**"
+      - "src/agents/cli-runner/**"
+      - "src/agents/command/**"
+      - "src/agents/pi-embedded-runner/**"
+      - "src/agents/tools/**"
+      - "src/agents/*completion*.ts"
+      - "src/agents/*transport*.ts"
+      - "src/agents/model-*.ts"
+      - "src/agents/openclaw-tools*.ts"
+      - "src/agents/provider-*.ts"
+      - "src/agents/session*.ts"
+      - "src/agents/tool-call*.ts"
+      - "src/auto-reply/reply/agent-runner*.ts"
+      - "src/auto-reply/reply/commands*.ts"
+      - "src/auto-reply/reply/directive-handling*.ts"
+      - "src/auto-reply/reply/dispatch-*.ts"
+      - "src/auto-reply/reply/get-reply-run*.ts"
+      - "src/auto-reply/reply/provider-dispatcher*.ts"
+      - "src/auto-reply/reply/queue*.ts"
+      - "src/auto-reply/reply/reply-run-registry*.ts"
+      - "src/auto-reply/reply/session*.ts"
+      - "src/channels/**"
+      - "src/auto-reply/reply/post-compaction-context.ts"
+      - "src/auto-reply/reply/queue/**"
+      - "src/auto-reply/reply/startup-context.ts"
+      - "src/commands/doctor-cron-dreaming-payload-migration.ts"
+      - "src/commands/doctor-memory-search.ts"
+      - "src/commands/doctor-session-*.ts"
+      - "src/commands/session-store-targets.ts"
+      - "src/commands/sessions*.ts"
+      - "src/cron/service/jobs.ts"
+      - "src/cron/stagger.ts"
+      - "src/gateway/*auth*.ts"
+      - "src/gateway/**/*auth*.ts"
+      - "src/gateway/*secret*.ts"
+      - "src/gateway/**/*secret*.ts"
+      - "src/gateway/protocol/**/*secret*.ts"
+      - "src/gateway/resolve-configured-secret-input-string*.ts"
+      - "src/gateway/security-path*.ts"
+      - "src/gateway/server-methods/secrets*.ts"
+      - "src/gateway/server-startup-memory.ts"
+      - "src/gateway/method-scopes.ts"
+      - "src/gateway/protocol/**"
+      - "src/gateway/server-methods/**"
+      - "src/gateway/server-methods.ts"
+      - "src/gateway/server-methods-list.ts"
+      - "src/infra/diagnostic-*.ts"
+      - "src/infra/diagnostics-timeline.ts"
+      - "src/infra/outbound/**"
+      - "src/infra/secret-file*.ts"
+      - "src/infra/session-delivery-queue*.ts"
+      - "src/logging/diagnostic*.ts"
+      - "src/memory/**"
+      - "src/memory-host-sdk/**"
+      - "src/mcp/**"
+      - "src/model-catalog/**"
+      - "src/plugin-sdk/**"
+      - "src/plugins/**"
+      - "src/process/**"
+      - "src/secrets/**"
+      - "src/security/**"
   schedule:
     - cron: "30 6 * * *"
 
 concurrency:
-  group: codeql-critical-quality-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.sha }}
-  cancel-in-progress: false
+  group: codeql-critical-quality-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.event_name == 'pull_request' && github.event.pull_request.number || github.sha }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
@@ -15,12 +138,171 @@ env:
 permissions:
   actions: read
   contents: read
+  pull-requests: read
   security-events: write
 
 jobs:
-  javascript-typescript:
-    name: Critical Quality (javascript-typescript)
-    runs-on: blacksmith-8vcpu-ubuntu-2404
+  quality-shards:
+    name: Select Critical Quality shards
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    timeout-minutes: 5
+    outputs:
+      agent: ${{ steps.detect.outputs.agent }}
+      channel: ${{ steps.detect.outputs.channel }}
+      config: ${{ steps.detect.outputs.config }}
+      core_auth_secrets: ${{ steps.detect.outputs.core_auth_secrets }}
+      gateway: ${{ steps.detect.outputs.gateway }}
+      memory: ${{ steps.detect.outputs.memory }}
+      mcp_process: ${{ steps.detect.outputs.mcp_process }}
+      plugin: ${{ steps.detect.outputs.plugin }}
+      plugin_sdk_package: ${{ steps.detect.outputs.plugin_sdk_package }}
+      plugin_sdk_reply: ${{ steps.detect.outputs.plugin_sdk_reply }}
+      provider: ${{ steps.detect.outputs.provider }}
+      session_diagnostics: ${{ steps.detect.outputs.session_diagnostics }}
+    steps:
+      - name: Detect PR shard paths
+        id: detect
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          GH_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          REPOSITORY: ${{ github.repository }}
+        run: |
+          set -euo pipefail
+
+          agent=false
+          channel=false
+          config=false
+          core_auth_secrets=false
+          gateway=false
+          memory=false
+          mcp_process=false
+          plugin=false
+          plugin_sdk_package=false
+          plugin_sdk_reply=false
+          provider=false
+          session_diagnostics=false
+
+          if [[ "${EVENT_NAME}" != "pull_request" ]]; then
+            agent=true
+            channel=true
+            config=true
+            core_auth_secrets=true
+            gateway=true
+            memory=true
+            mcp_process=true
+            plugin=true
+            plugin_sdk_package=true
+            plugin_sdk_reply=true
+            provider=true
+            session_diagnostics=true
+          else
+            while IFS= read -r file; do
+              case "${file}" in
+                .github/codeql/*|.github/workflows/codeql-critical-quality.yml)
+                  agent=true
+                  channel=true
+                  config=true
+                  core_auth_secrets=true
+                  gateway=true
+                  memory=true
+                  mcp_process=true
+                  plugin=true
+                  plugin_sdk_package=true
+                  plugin_sdk_reply=true
+                  provider=true
+                  session_diagnostics=true
+                  ;;
+                src/acp/control-plane/*|src/agents/cli-runner/*|src/agents/command/*|src/agents/pi-embedded-runner/*|src/agents/tools/*|src/agents/*completion*.ts|src/agents/*transport*.ts|src/agents/model-*.ts|src/agents/openclaw-tools*.ts|src/agents/provider-*.ts|src/agents/session*.ts|src/agents/tool-call*.ts|src/auto-reply/reply/agent-runner*.ts|src/auto-reply/reply/commands*.ts|src/auto-reply/reply/directive-handling*.ts|src/auto-reply/reply/dispatch-*.ts|src/auto-reply/reply/get-reply-run*.ts|src/auto-reply/reply/provider-dispatcher*.ts|src/auto-reply/reply/queue*.ts|src/auto-reply/reply/reply-run-registry*.ts|src/auto-reply/reply/session*.ts)
+                  agent=true
+                  ;;
+                src/auto-reply/reply/post-compaction-context.ts|src/auto-reply/reply/queue/*|src/auto-reply/reply/startup-context.ts|src/commands/doctor-session-*.ts|src/commands/session-store-targets.ts|src/commands/sessions*.ts|src/infra/diagnostic-*.ts|src/infra/diagnostics-timeline.ts|src/infra/session-delivery-queue*.ts|src/logging/diagnostic*.ts)
+                  session_diagnostics=true
+                  ;;
+                extensions/bluebubbles/src/*|extensions/discord/src/*|extensions/feishu/src/*|extensions/googlechat/src/*|extensions/imessage/src/*|extensions/irc/src/*|extensions/line/src/*|extensions/matrix/src/*|extensions/mattermost/src/*|extensions/msteams/src/*|extensions/nextcloud-talk/src/*|extensions/nostr/src/*|extensions/qa-channel/src/*|extensions/qqbot/src/*|extensions/signal/src/*|extensions/slack/src/*|extensions/synology-chat/src/*|extensions/telegram/src/*|extensions/tlon/src/*|extensions/twitch/src/*|extensions/whatsapp/src/*|extensions/zalo/src/*|extensions/zalouser/src/*|src/channels/*)
+                  channel=true
+                  ;;
+                src/config/*)
+                  config=true
+                  ;;
+                src/gateway/protocol/*secret*.ts|src/gateway/server-methods/secrets*.ts)
+                  core_auth_secrets=true
+                  gateway=true
+                  ;;
+                src/agents/*auth*.ts|src/agents/auth-health*.ts|src/agents/auth-profiles|src/agents/auth-profiles/*|src/agents/bash-tools.exec-host-shared.ts|src/agents/sandbox|src/agents/sandbox.ts|src/agents/sandbox-*.ts|src/agents/sandbox/*|src/cron/service/jobs.ts|src/cron/stagger.ts|src/gateway/*auth*.ts|src/gateway/*secret*.ts|src/gateway/resolve-configured-secret-input-string*.ts|src/gateway/security-path*.ts|src/infra/secret-file*.ts|src/secrets/*|src/security/*)
+                  core_auth_secrets=true
+                  ;;
+                src/gateway/method-scopes.ts|src/gateway/protocol/*|src/gateway/server-methods/*|src/gateway/server-methods.ts|src/gateway/server-methods-list.ts)
+                  gateway=true
+                  ;;
+                packages/memory-host-sdk/*|src/commands/doctor-cron-dreaming-payload-migration.ts|src/commands/doctor-memory-search.ts|src/gateway/server-startup-memory.ts|src/memory/*|src/memory-host-sdk/*)
+                  memory=true
+                  ;;
+                src/infra/outbound/base-session-key.ts|src/infra/outbound/delivery-queue*.ts|src/infra/outbound/outbound-session.ts|src/infra/outbound/session-binding*.ts|src/infra/outbound/session-context.ts|src/infra/outbound/targets-session.ts)
+                  mcp_process=true
+                  session_diagnostics=true
+                  ;;
+                src/infra/outbound/*|src/mcp/*|src/process/*)
+                  mcp_process=true
+                  ;;
+                src/plugin-sdk/inbound-envelope.ts|src/plugin-sdk/inbound-reply-dispatch.ts|src/plugin-sdk/reply-*.ts|src/plugin-sdk/channel-reply-*.ts|src/plugin-sdk/delivery-queue-runtime.ts|src/plugin-sdk/outbound-runtime.ts|src/plugin-sdk/outbound-send-deps.ts|src/plugin-sdk/model-session-runtime.ts|src/plugin-sdk/session-*.ts|src/plugin-sdk/thread-bindings-runtime.ts|src/plugin-sdk/thread-bindings-session-runtime.ts|src/plugin-sdk/conversation-binding-runtime.ts)
+                  plugin=true
+                  plugin_sdk_package=true
+                  plugin_sdk_reply=true
+                  ;;
+                src/plugin-sdk/memory-*.ts|src/plugin-sdk/memory-core-host-*.ts)
+                  memory=true
+                  plugin=true
+                  plugin_sdk_package=true
+                  ;;
+                src/plugin-sdk/*)
+                  plugin=true
+                  plugin_sdk_package=true
+                  ;;
+                src/plugins/provider-contract-public-artifacts.ts|src/plugins/provider-public-artifacts.ts|src/plugins/web-provider-public-artifacts*.ts)
+                  plugin=true
+                  provider=true
+                  ;;
+                src/plugins/memory-embedding-provider*.ts|src/plugins/memory-embedding-providers*.ts)
+                  memory=true
+                  provider=true
+                  ;;
+                src/plugins/memory-*.ts)
+                  memory=true
+                  ;;
+                src/model-catalog/*|src/plugins/*provider*.ts|src/plugins/capability-provider-runtime.ts|src/plugins/compaction-provider.ts|src/plugins/memory-embedding-provider*.ts|src/plugins/memory-embedding-providers*.ts|src/plugins/migration-provider-runtime.ts|src/plugins/synthetic-auth.runtime.ts|src/plugins/web-fetch-providers*.ts|src/plugins/web-search-providers*.ts)
+                  provider=true
+                  ;;
+                src/plugins/activation-planner.ts|src/plugins/api-builder.ts|src/plugins/bundled-*.ts|src/plugins/captured-registration.ts|src/plugins/config-*.ts|src/plugins/discovery.ts|src/plugins/effective-plugin-ids.ts|src/plugins/externalized-bundled-plugins.ts|src/plugins/installed-plugin-index*.ts|src/plugins/loader*.ts|src/plugins/manifest*.ts|src/plugins/module-export.ts|src/plugins/package-entrypoints.ts|src/plugins/plugin-registry*.ts|src/plugins/public-surface*.ts|src/plugins/registry.ts|src/plugins/registry-types.ts|src/plugins/runtime|src/plugins/runtime/*|src/plugins/runtime-state.ts|src/plugins/runtime.ts|src/plugins/sdk-alias.ts|src/plugins/source-loader.ts|src/plugins/types.ts|src/plugins/validation-diagnostics.ts)
+                  plugin=true
+                  ;;
+                packages/plugin-package-contract/*|packages/plugin-sdk/*)
+                  plugin_sdk_package=true
+                  ;;
+              esac
+            done < <(gh api --paginate "repos/${REPOSITORY}/pulls/${PR_NUMBER}/files" --jq '.[].filename')
+          fi
+
+          {
+            echo "agent=${agent}"
+            echo "channel=${channel}"
+            echo "config=${config}"
+            echo "core_auth_secrets=${core_auth_secrets}"
+            echo "gateway=${gateway}"
+            echo "memory=${memory}"
+            echo "mcp_process=${mcp_process}"
+            echo "plugin=${plugin}"
+            echo "plugin_sdk_package=${plugin_sdk_package}"
+            echo "plugin_sdk_reply=${plugin_sdk_reply}"
+            echo "provider=${provider}"
+            echo "session_diagnostics=${session_diagnostics}"
+          } >> "${GITHUB_OUTPUT}"
+
+  core-auth-secrets:
+    name: Critical Quality (core-auth-secrets)
+    needs: quality-shards
+    if: ${{ needs.quality-shards.outputs.core_auth_secrets == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'core-auth-secrets') }}
+    runs-on: blacksmith-4vcpu-ubuntu-2404
     timeout-minutes: 25
     steps:
       - name: Checkout
@@ -32,9 +314,306 @@ jobs:
         uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
-          config-file: ./.github/codeql/codeql-javascript-typescript-critical-quality.yml
+          config-file: ./.github/codeql/codeql-core-auth-secrets-critical-quality.yml
 
       - name: Analyze
         uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
-          category: "/codeql-critical-quality/javascript-typescript"
+          category: "/codeql-critical-quality/core-auth-secrets"
+
+  config-boundary:
+    name: Critical Quality (config-boundary)
+    needs: quality-shards
+    if: ${{ needs.quality-shards.outputs.config == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'config-boundary') }}
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-config-boundary-critical-quality.yml
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-quality/config-boundary"
+
+  gateway-runtime-boundary:
+    name: Critical Quality (gateway-runtime-boundary)
+    needs: quality-shards
+    if: ${{ needs.quality-shards.outputs.gateway == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'gateway-runtime-boundary') }}
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-gateway-runtime-boundary-critical-quality.yml
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-quality/gateway-runtime-boundary"
+
+  channel-runtime-boundary:
+    name: Critical Quality (channel-runtime-boundary)
+    needs: quality-shards
+    if: ${{ needs.quality-shards.outputs.channel == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'channel-runtime-boundary') }}
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-channel-runtime-boundary-critical-quality.yml
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-quality/channel-runtime-boundary"
+
+  agent-runtime-boundary:
+    name: Critical Quality (agent-runtime-boundary)
+    needs: quality-shards
+    if: ${{ needs.quality-shards.outputs.agent == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'agent-runtime-boundary') }}
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-agent-runtime-boundary-critical-quality.yml
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-quality/agent-runtime-boundary"
+
+  mcp-process-runtime-boundary:
+    name: Critical Quality (mcp-process-runtime-boundary)
+    needs: quality-shards
+    if: ${{ needs.quality-shards.outputs.mcp_process == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'mcp-process-runtime-boundary') }}
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-mcp-process-runtime-boundary-critical-quality.yml
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-quality/mcp-process-runtime-boundary"
+
+  memory-runtime-boundary:
+    name: Critical Quality (memory-runtime-boundary)
+    needs: quality-shards
+    if: ${{ needs.quality-shards.outputs.memory == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'memory-runtime-boundary') }}
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-memory-runtime-boundary-critical-quality.yml
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-quality/memory-runtime-boundary"
+
+  session-diagnostics-boundary:
+    name: Critical Quality (session-diagnostics-boundary)
+    needs: quality-shards
+    if: ${{ needs.quality-shards.outputs.session_diagnostics == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'session-diagnostics-boundary') }}
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-session-diagnostics-boundary-critical-quality.yml
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-quality/session-diagnostics-boundary"
+
+  plugin-sdk-reply-runtime:
+    name: Critical Quality (plugin-sdk-reply-runtime)
+    needs: quality-shards
+    if: ${{ needs.quality-shards.outputs.plugin_sdk_reply == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'plugin-sdk-reply-runtime') }}
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-plugin-sdk-reply-runtime-critical-quality.yml
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-quality/plugin-sdk-reply-runtime"
+
+  provider-runtime-boundary:
+    name: Critical Quality (provider-runtime-boundary)
+    needs: quality-shards
+    if: ${{ needs.quality-shards.outputs.provider == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'provider-runtime-boundary') }}
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-provider-runtime-boundary-critical-quality.yml
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-quality/provider-runtime-boundary"
+
+  ui-control-plane:
+    name: Critical Quality (ui-control-plane)
+    if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-ui-control-plane-critical-quality.yml
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-quality/ui-control-plane"
+
+  web-media-runtime-boundary:
+    name: Critical Quality (web-media-runtime-boundary)
+    if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-web-media-runtime-boundary-critical-quality.yml
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-quality/web-media-runtime-boundary"
+
+  plugin-boundary:
+    name: Critical Quality (plugin-boundary)
+    needs: quality-shards
+    if: ${{ needs.quality-shards.outputs.plugin == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'plugin-boundary') }}
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-plugin-boundary-critical-quality.yml
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-quality/plugin-boundary"
+
+  plugin-sdk-package-contract:
+    name: Critical Quality (plugin-sdk-package-contract)
+    needs: quality-shards
+    if: ${{ needs.quality-shards.outputs.plugin_sdk_package == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'plugin-sdk-package-contract') }}
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-plugin-sdk-package-contract-critical-quality.yml
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-quality/plugin-sdk-package-contract"

.github/workflows/codeql-macos-critical-security.yml

@@ -0,0 +1,89 @@
+name: CodeQL macOS Critical Security
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 8 * * 1"
+
+concurrency:
+  group: codeql-macos-critical-security-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.sha }}
+  cancel-in-progress: false
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  macos:
+    name: Critical Security (macOS)
+    runs-on: blacksmith-6vcpu-macos-latest
+    timeout-minutes: 45
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Select Xcode
+        run: |
+          sudo xcode-select -s /Applications/Xcode_26.1.app
+          xcodebuild -version
+          swift --version
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: swift
+          build-mode: manual
+          config-file: ./.github/codeql/codeql-macos-critical-security.yml
+
+      - name: Build macOS for CodeQL
+        run: swift build --package-path apps/macos --product OpenClaw
+
+      - name: Analyze
+        id: analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          output: sarif-results
+          upload: failure-only
+          category: "/codeql-critical-security/macos"
+
+      - name: Remove dependency build results
+        env:
+          SARIF_OUTPUT: sarif-results
+        run: |
+          set -euo pipefail
+          shopt -s nullglob
+
+          if [ ! -d "$SARIF_OUTPUT" ]; then
+            echo "SARIF output directory not found: $SARIF_OUTPUT" >&2
+            exit 1
+          fi
+
+          mkdir -p sarif-results-filtered
+
+          files=("$SARIF_OUTPUT"/*.sarif)
+          if [ "${#files[@]}" -eq 0 ]; then
+            echo "No SARIF files found in $SARIF_OUTPUT" >&2
+            exit 1
+          fi
+
+          for file in "${files[@]}"; do
+            jq '
+              def in_dependency_build:
+                ((.locations // []) | length > 0)
+                and all(.locations[]; (.physicalLocation.artifactLocation.uri? // "") | test("^apps/macos/\\.build/"));
+
+              .runs |= map(.results = ((.results // []) | map(select(in_dependency_build | not))))
+            ' "$file" > "sarif-results-filtered/$(basename "$file")"
+          done
+
+      - name: Upload filtered SARIF
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          sarif_file: sarif-results-filtered
+          category: "/codeql-critical-security/macos"

.github/workflows/codeql.yml

@@ -11,14 +11,20 @@ on:
         options:
           - all
           - security
-          - android-security
-          - macos-security
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    paths:
+      - ".github/actions/**"
+      - ".github/codeql/**"
+      - ".github/workflows/**"
+      - "packages/**"
+      - "src/**"
   schedule:
     - cron: "0 6 * * *"
 
 concurrency:
-  group: codeql-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.sha }}
-  cancel-in-progress: false
+  group: codeql-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.event_name == 'pull_request' && github.event.pull_request.number || github.sha }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
@@ -29,9 +35,9 @@ permissions:
   security-events: write
 
 jobs:
-  critical-security:
-    name: Critical Security (${{ matrix.language }})
-    if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'security' }}
+  security-high:
+    name: Security High (${{ matrix.category }})
+    if: ${{ (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'security') }}
     runs-on: ${{ matrix.runs_on }}
     timeout-minutes: ${{ matrix.timeout_minutes }}
     strategy:
@@ -39,10 +45,32 @@ jobs:
       matrix:
         include:
           - language: javascript-typescript
+            category: core-auth-secrets
             runs_on: blacksmith-8vcpu-ubuntu-2404
             timeout_minutes: 25
-            config_file: ./.github/codeql/codeql-javascript-typescript-critical-security.yml
+            config_file: ./.github/codeql/codeql-core-auth-secrets-critical-security.yml
+          - language: javascript-typescript
+            category: channel-runtime-boundary
+            runs_on: blacksmith-8vcpu-ubuntu-2404
+            timeout_minutes: 25
+            config_file: ./.github/codeql/codeql-channel-runtime-boundary-critical-security.yml
+          - language: javascript-typescript
+            category: network-ssrf-boundary
+            runs_on: blacksmith-4vcpu-ubuntu-2404
+            timeout_minutes: 25
+            config_file: ./.github/codeql/codeql-network-ssrf-boundary-critical-security.yml
+          - language: javascript-typescript
+            category: mcp-process-tool-boundary
+            runs_on: blacksmith-4vcpu-ubuntu-2404
+            timeout_minutes: 25
+            config_file: ./.github/codeql/codeql-mcp-process-tool-boundary-critical-security.yml
+          - language: javascript-typescript
+            category: plugin-trust-boundary
+            runs_on: blacksmith-4vcpu-ubuntu-2404
+            timeout_minutes: 25
+            config_file: ./.github/codeql/codeql-plugin-trust-boundary-critical-security.yml
           - language: actions
+            category: actions
             runs_on: blacksmith-8vcpu-ubuntu-2404
             timeout_minutes: 10
             config_file: ./.github/codeql/codeql-actions-critical-security.yml
@@ -61,108 +89,4 @@ jobs:
       - name: Analyze
         uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
-          category: "/codeql-critical-security/${{ matrix.language }}"
-
-  android-security:
-    name: Critical Security (android)
-    if: ${{ github.event_name == 'workflow_dispatch' && inputs.profile == 'android-security' }}
-    runs-on: blacksmith-8vcpu-ubuntu-2404
-    timeout-minutes: 45
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
-        with:
-          distribution: temurin
-          java-version: "21"
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          languages: java-kotlin
-          build-mode: manual
-          config-file: ./.github/codeql/codeql-android-critical-security.yml
-
-      - name: Build Android for CodeQL
-        working-directory: apps/android
-        run: ./gradlew --no-daemon :app:assemblePlayDebug
-
-      - name: Analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          category: "/codeql-critical-security/android"
-
-  macos-security:
-    name: Critical Security (macOS)
-    if: ${{ github.event_name == 'workflow_dispatch' && inputs.profile == 'macos-security' }}
-    runs-on: blacksmith-6vcpu-macos-latest
-    timeout-minutes: 45
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Select Xcode
-        run: |
-          sudo xcode-select -s /Applications/Xcode_26.1.app
-          xcodebuild -version
-          swift --version
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          languages: swift
-          build-mode: manual
-          config-file: ./.github/codeql/codeql-macos-critical-security.yml
-
-      - name: Build macOS for CodeQL
-        run: swift build --package-path apps/macos --product OpenClaw
-
-      - name: Analyze
-        id: analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          output: sarif-results
-          upload: failure-only
-          category: "/codeql-critical-security/macos"
-
-      - name: Remove dependency build results
-        env:
-          SARIF_OUTPUT: sarif-results
-        run: |
-          set -euo pipefail
-          shopt -s nullglob
-
-          if [ ! -d "$SARIF_OUTPUT" ]; then
-            echo "SARIF output directory not found: $SARIF_OUTPUT" >&2
-            exit 1
-          fi
-
-          mkdir -p sarif-results-filtered
-
-          files=("$SARIF_OUTPUT"/*.sarif)
-          if [ "${#files[@]}" -eq 0 ]; then
-            echo "No SARIF files found in $SARIF_OUTPUT" >&2
-            exit 1
-          fi
-
-          for file in "${files[@]}"; do
-            jq '
-              def in_dependency_build:
-                ((.locations // []) | length > 0)
-                and all(.locations[]; (.physicalLocation.artifactLocation.uri? // "") | test("^apps/macos/\\.build/"));
-
-              .runs |= map(.results = ((.results // []) | map(select(in_dependency_build | not))))
-            ' "$file" > "sarif-results-filtered/$(basename "$file")"
-          done
-
-      - name: Upload filtered SARIF
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          sarif_file: sarif-results-filtered
-          category: "/codeql-critical-security/macos"
+          category: "/codeql-security-high/${{ matrix.category }}"

.github/workflows/control-ui-locale-refresh.yml

@@ -49,7 +49,7 @@ jobs:
         run: |
           set -euo pipefail
 
-          all_locales_json='["zh-CN","zh-TW","pt-BR","de","es","ja-JP","ko","fr","tr","uk","id","pl","th"]'
+          all_locales_json='["zh-CN","zh-TW","pt-BR","de","es","ja-JP","ko","fr","ar","it","tr","uk","id","pl","th","vi","nl","fa"]'
 
           if [ "$EVENT_NAME" != "push" ]; then
             echo "has_locales=true" >> "$GITHUB_OUTPUT"

.github/workflows/crabbox-hydrate.yml

@@ -0,0 +1,183 @@
+name: Crabbox Hydrate
+
+on:
+  workflow_dispatch:
+    inputs:
+      crabbox_id:
+        description: "Crabbox lease ID"
+        required: true
+        type: string
+      ref:
+        description: "Git ref to hydrate"
+        required: false
+        type: string
+      crabbox_runner_label:
+        description: "Dynamic Crabbox runner label"
+        required: true
+        type: string
+      crabbox_job:
+        description: "Hydration job identifier expected by Crabbox"
+        required: false
+        default: "hydrate"
+        type: string
+      crabbox_keep_alive_minutes:
+        description: "Minutes to keep the hydrated job alive"
+        required: false
+        default: "90"
+        type: string
+
+permissions:
+  contents: read
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+
+jobs:
+  hydrate:
+    name: hydrate
+    runs-on: [self-hosted, "${{ inputs.crabbox_runner_label }}"]
+    timeout-minutes: 120
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ inputs.ref || github.ref }}
+
+      - name: Setup Node environment
+        uses: ./.github/actions/setup-node-env
+        with:
+          install-bun: "false"
+
+      - name: Prepare Crabbox shell
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          git fetch --no-tags --depth=50 origin "+refs/heads/main:refs/remotes/origin/main"
+
+          node_bin="$(dirname "$(node -p 'process.execPath')")"
+          pnpm_bin="$(command -v pnpm)"
+          sudo ln -sf "$node_bin/node" /usr/local/bin/node
+          sudo ln -sf "$node_bin/npm" /usr/local/bin/npm
+          sudo ln -sf "$node_bin/npx" /usr/local/bin/npx
+          sudo ln -sf "$node_bin/corepack" /usr/local/bin/corepack
+          sudo ln -sf "$pnpm_bin" /usr/local/bin/pnpm
+
+      - name: Ensure Docker is available
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          if ! command -v docker >/dev/null 2>&1; then
+            curl -fsSL https://get.docker.com | sudo sh
+          fi
+
+          if command -v systemctl >/dev/null 2>&1; then
+            sudo systemctl start docker
+          fi
+
+          if [ -S /var/run/docker.sock ]; then
+            sudo usermod -aG docker "$USER" || true
+            # The runner process keeps its original groups; grant this
+            # ephemeral runner session access without requiring a relogin.
+            sudo chmod 666 /var/run/docker.sock
+          fi
+
+      - name: Hydrate provider env helper
+        shell: bash
+        env:
+          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+          ANTHROPIC_API_KEY_OLD: ${{ secrets.ANTHROPIC_API_KEY_OLD }}
+          ANTHROPIC_API_TOKEN: ${{ secrets.ANTHROPIC_API_TOKEN }}
+          CEREBRAS_API_KEY: ${{ secrets.CEREBRAS_API_KEY }}
+          DEEPINFRA_API_KEY: ${{ secrets.DEEPINFRA_API_KEY }}
+          FIREWORKS_API_KEY: ${{ secrets.FIREWORKS_API_KEY }}
+          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
+          GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
+          GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }}
+          KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }}
+          MINIMAX_API_KEY: ${{ secrets.MINIMAX_API_KEY }}
+          MISTRAL_API_KEY: ${{ secrets.MISTRAL_API_KEY }}
+          MOONSHOT_API_KEY: ${{ secrets.MOONSHOT_API_KEY }}
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+          OPENAI_BASE_URL: ${{ secrets.OPENAI_BASE_URL }}
+          OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
+          QWEN_API_KEY: ${{ secrets.QWEN_API_KEY }}
+          TOGETHER_API_KEY: ${{ secrets.TOGETHER_API_KEY }}
+          XAI_API_KEY: ${{ secrets.XAI_API_KEY }}
+          ZAI_API_KEY: ${{ secrets.ZAI_API_KEY }}
+          Z_AI_API_KEY: ${{ secrets.Z_AI_API_KEY }}
+        run: bash scripts/ci-hydrate-testbox-env.sh
+
+      - name: Mark Crabbox ready
+        shell: bash
+        env:
+          CRABBOX_ID: ${{ inputs.crabbox_id }}
+          CRABBOX_JOB: ${{ inputs.crabbox_job }}
+        run: |
+          set -euo pipefail
+          job="${CRABBOX_JOB}"
+          if [ -z "$job" ]; then job=hydrate; fi
+          case "$CRABBOX_ID" in
+            ''|*[!A-Za-z0-9._-]*)
+              echo "Invalid crabbox_id" >&2
+              exit 2
+              ;;
+          esac
+          mkdir -p "$HOME/.crabbox/actions"
+          state="$HOME/.crabbox/actions/${CRABBOX_ID}.env"
+          env_file="$HOME/.crabbox/actions/${CRABBOX_ID}.env.sh"
+          services_file="$HOME/.crabbox/actions/${CRABBOX_ID}.services"
+          write_export() {
+            key="$1"
+            value="${!key-}"
+            if [ -n "$value" ]; then
+              printf 'export %s=%q\n' "$key" "$value"
+            fi
+          }
+          {
+            for key in CI GITHUB_ACTIONS GITHUB_WORKSPACE GITHUB_REPOSITORY GITHUB_RUN_ID GITHUB_RUN_NUMBER GITHUB_RUN_ATTEMPT GITHUB_REF GITHUB_REF_NAME GITHUB_SHA GITHUB_EVENT_NAME GITHUB_ACTOR RUNNER_OS RUNNER_ARCH RUNNER_TEMP RUNNER_TOOL_CACHE; do
+              write_export "$key"
+            done
+          } > "${env_file}.tmp"
+          mv "${env_file}.tmp" "$env_file"
+          {
+            echo "# Docker containers visible from the hydrated runner"
+            docker ps --format '{{.Names}}\t{{.Image}}\t{{.Ports}}' 2>/dev/null || true
+          } > "${services_file}.tmp"
+          mv "${services_file}.tmp" "$services_file"
+          tmp="${state}.tmp"
+          {
+            echo "WORKSPACE=${GITHUB_WORKSPACE}"
+            echo "RUN_ID=${GITHUB_RUN_ID}"
+            echo "JOB=${job}"
+            echo "ENV_FILE=${env_file}"
+            echo "SERVICES_FILE=${services_file}"
+            echo "READY_AT=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+          } > "$tmp"
+          mv "$tmp" "$state"
+
+      - name: Keep Crabbox job alive
+        shell: bash
+        env:
+          CRABBOX_ID: ${{ inputs.crabbox_id }}
+          CRABBOX_KEEP_ALIVE_MINUTES: ${{ inputs.crabbox_keep_alive_minutes }}
+        run: |
+          set -euo pipefail
+          case "$CRABBOX_ID" in
+            ''|*[!A-Za-z0-9._-]*)
+              echo "Invalid crabbox_id" >&2
+              exit 2
+              ;;
+          esac
+          minutes="${CRABBOX_KEEP_ALIVE_MINUTES}"
+          case "$minutes" in
+            ''|*[!0-9]*) minutes=90 ;;
+          esac
+          stop="$HOME/.crabbox/actions/${CRABBOX_ID}.stop"
+          deadline=$(( $(date +%s) + minutes * 60 ))
+          while [ "$(date +%s)" -lt "$deadline" ]; do
+            if [ -f "$stop" ]; then
+              exit 0
+            fi
+            sleep 15
+          done

.github/workflows/docker-release.yml

@@ -38,7 +38,7 @@ jobs:
           RELEASE_TAG: ${{ inputs.tag }}
         run: |
           set -euo pipefail
-          if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*(-beta\.[1-9][0-9]*)?$ ]]; then
+          if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*(-(alpha|beta)\.[1-9][0-9]*)?$ ]]; then
             echo "Invalid release tag: ${RELEASE_TAG}"
             exit 1
           fi

.github/workflows/docs-agent.yml

@@ -149,7 +149,7 @@ jobs:
 
       - name: Run Codex docs agent
         if: steps.gate.outputs.run_agent == 'true'
-        uses: openai/codex-action@v1
+        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02
         env:
           DOCS_AGENT_BASE_SHA: ${{ steps.gate.outputs.review_base_sha }}
           DOCS_AGENT_HEAD_SHA: ${{ steps.gate.outputs.review_head_sha }}

.github/workflows/docs-translate-trigger-release.yml

@@ -20,6 +20,7 @@ jobs:
           set -euo pipefail
           for event_type in \
             translate-zh-cn-release \
+            translate-zh-tw-release \
             translate-ja-jp-release \
             translate-es-release \
             translate-pt-br-release \
@@ -28,6 +29,9 @@ jobs:
             translate-fr-release \
             translate-ar-release \
             translate-it-release \
+            translate-vi-release \
+            translate-nl-release \
+            translate-fa-release \
             translate-tr-release \
             translate-uk-release \
             translate-id-release \

.github/workflows/full-release-validation.yml

@@ -29,7 +29,7 @@ on:
       release_profile:
         description: Release coverage profile for live/Docker/provider breadth
         required: false
-        default: full
+        default: stable
         type: choice
         options:
           - minimum
@@ -43,6 +43,7 @@ on:
         options:
           - all
           - ci
+          - plugin-prerelease
           - release-checks
           - install-smoke
           - cross-os
@@ -52,8 +53,13 @@ on:
           - qa-parity
           - qa-live
           - npm-telegram
+      live_suite_filter:
+        description: Optional exact live suite id for focused live/E2E reruns; blank runs all selected live suites
+        required: false
+        default: ""
+        type: string
       npm_telegram_package_spec:
-        description: Optional published package spec for the post-publish Telegram E2E lane
+        description: Optional published package spec for the package Telegram E2E lane
         required: false
         default: ""
         type: string
@@ -62,8 +68,13 @@ on:
         required: false
         default: ""
         type: string
+      package_acceptance_package_spec:
+        description: Optional published package spec for Package Acceptance; blank uses the SHA-built release artifact
+        required: false
+        default: ""
+        type: string
       npm_telegram_provider_mode:
-        description: Provider mode for the optional post-publish Telegram E2E lane
+        description: Provider mode for the package Telegram E2E lane
         required: false
         default: mock-openai
         type: choice
@@ -71,7 +82,7 @@ on:
           - mock-openai
           - live-frontier
       npm_telegram_scenario:
-        description: Optional comma-separated Telegram scenario ids for the post-publish lane
+        description: Optional comma-separated Telegram scenario ids for the package Telegram lane
         required: false
         default: ""
         type: string
@@ -81,12 +92,14 @@ permissions:
   contents: read
 
 concurrency:
-  group: full-release-validation-${{ inputs.ref }}
-  cancel-in-progress: false
+  group: full-release-validation-${{ inputs.ref }}-${{ inputs.rerun_group }}
+  cancel-in-progress: ${{ inputs.ref == 'main' && inputs.rerun_group == 'all' }}
 
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
   GH_REPO: ${{ github.repository }}
+  NODE_VERSION: "24.x"
+  PNPM_VERSION: "10.32.1"
 
 jobs:
   resolve_target:
@@ -121,7 +134,10 @@ jobs:
           CHILD_WORKFLOW_REF: ${{ github.ref_name }}
           NPM_TELEGRAM_PACKAGE_SPEC: ${{ inputs.npm_telegram_package_spec }}
           EVIDENCE_PACKAGE_SPEC: ${{ inputs.evidence_package_spec }}
+          PACKAGE_ACCEPTANCE_PACKAGE_SPEC: ${{ inputs.package_acceptance_package_spec }}
+          RELEASE_PROFILE: ${{ inputs.release_profile }}
           RERUN_GROUP: ${{ inputs.rerun_group }}
+          LIVE_SUITE_FILTER: ${{ inputs.live_suite_filter }}
         run: |
           {
             echo "## Full release validation"
@@ -130,24 +146,39 @@ jobs:
             echo "- Target SHA: \`${TARGET_SHA}\`"
             echo "- Child workflow ref: \`${CHILD_WORKFLOW_REF}\`"
             echo "- Rerun group: \`${RERUN_GROUP}\`"
+            if [[ -n "${LIVE_SUITE_FILTER// }" ]]; then
+              echo "- Live suite filter: \`${LIVE_SUITE_FILTER}\`"
+            fi
             if [[ "$RERUN_GROUP" == "all" || "$RERUN_GROUP" == "ci" ]]; then
               echo "- Normal CI: \`CI\` with \`target_ref=${TARGET_SHA}\`"
             else
               echo "- Normal CI: skipped by rerun group"
             fi
-            if [[ "$RERUN_GROUP" != "ci" && "$RERUN_GROUP" != "npm-telegram" ]]; then
+            if [[ "$RERUN_GROUP" == "all" || "$RERUN_GROUP" == "plugin-prerelease" ]]; then
+              echo "- Plugin prerelease: \`Plugin Prerelease\` with \`target_ref=${TARGET_SHA}\`"
+            else
+              echo "- Plugin prerelease: skipped by rerun group"
+            fi
+            if [[ "$RERUN_GROUP" == "all" || "$RERUN_GROUP" == "release-checks" || "$RERUN_GROUP" == "install-smoke" || "$RERUN_GROUP" == "cross-os" || "$RERUN_GROUP" == "live-e2e" || "$RERUN_GROUP" == "package" || "$RERUN_GROUP" == "qa" || "$RERUN_GROUP" == "qa-parity" || "$RERUN_GROUP" == "qa-live" ]]; then
               echo "- Release/live/Docker/package/QA: \`OpenClaw Release Checks\`"
             else
               echo "- Release/live/Docker/package/QA: skipped by rerun group"
             fi
             if [[ -n "${NPM_TELEGRAM_PACKAGE_SPEC// }" ]]; then
-              echo "- Post-publish Telegram E2E: \`${NPM_TELEGRAM_PACKAGE_SPEC}\`"
+              echo "- Published-package Telegram E2E: \`${NPM_TELEGRAM_PACKAGE_SPEC}\`"
+            elif [[ "$RERUN_GROUP" == "all" && "$RELEASE_PROFILE" == "full" ]]; then
+              echo "- Package Telegram E2E: parent \`release-package-under-test\` artifact"
             else
-              echo "- Post-publish Telegram E2E: skipped because no published package spec was provided"
+              echo "- Package Telegram E2E: skipped unless \`release_profile=full\` or \`npm_telegram_package_spec\` is provided"
             fi
             if [[ -n "${EVIDENCE_PACKAGE_SPEC// }" ]]; then
               echo "- Private evidence package proof: \`${EVIDENCE_PACKAGE_SPEC}\`"
             fi
+            if [[ -n "${PACKAGE_ACCEPTANCE_PACKAGE_SPEC// }" ]]; then
+              echo "- Package Acceptance package spec: \`${PACKAGE_ACCEPTANCE_PACKAGE_SPEC}\`"
+            else
+              echo "- Package Acceptance package spec: SHA-built release artifact"
+            fi
           } >> "$GITHUB_STEP_SUMMARY"
 
   normal_ci:
@@ -207,6 +238,14 @@ jobs:
             echo "Dispatched ${workflow}: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${run_id}"
             echo "run_id=${run_id}" >> "$GITHUB_OUTPUT"
 
+            cancel_child() {
+              if [[ -n "${run_id:-}" ]]; then
+                echo "Cancelling child workflow ${workflow}: ${run_id}" >&2
+                gh run cancel "$run_id" >/dev/null 2>&1 || true
+              fi
+            }
+            trap cancel_child EXIT INT TERM
+
             while true; do
               status="$(gh run view "$run_id" --json status --jq '.status')"
               if [[ "$status" == "completed" ]]; then
@@ -214,6 +253,7 @@ jobs:
               fi
               sleep 30
             done
+            trap - EXIT INT TERM
 
             conclusion="$(gh run view "$run_id" --json conclusion --jq '.conclusion')"
             url="$(gh run view "$run_id" --json url --jq '.url')"
@@ -232,30 +272,26 @@ jobs:
             echo "- Target SHA: \`${TARGET_SHA}\`"
           } >> "$GITHUB_STEP_SUMMARY"
 
-          dispatch_and_wait ci.yml -f target_ref="$TARGET_SHA"
+          dispatch_and_wait ci.yml -f target_ref="$TARGET_SHA" -f include_android=true
 
-  release_checks:
-    name: Run release/live/Docker/QA validation
+  plugin_prerelease:
+    name: Run plugin prerelease validation
     needs: [resolve_target]
-    if: contains(fromJSON('["all","release-checks","install-smoke","cross-os","live-e2e","package","qa","qa-parity","qa-live"]'), inputs.rerun_group)
+    if: contains(fromJSON('["all","plugin-prerelease"]'), inputs.rerun_group)
     runs-on: ubuntu-24.04
-    timeout-minutes: 720
+    timeout-minutes: 300
     outputs:
       run_id: ${{ steps.dispatch.outputs.run_id }}
       url: ${{ steps.dispatch.outputs.url }}
       conclusion: ${{ steps.dispatch.outputs.conclusion }}
     steps:
-      - name: Dispatch and monitor release checks
+      - name: Dispatch and monitor plugin prerelease
         id: dispatch
         env:
           GH_TOKEN: ${{ github.token }}
           TARGET_REF: ${{ inputs.ref }}
           TARGET_SHA: ${{ needs.resolve_target.outputs.sha }}
           CHILD_WORKFLOW_REF: ${{ github.ref_name }}
-          PROVIDER: ${{ inputs.provider }}
-          MODE: ${{ inputs.mode }}
-          RELEASE_PROFILE: ${{ inputs.release_profile }}
-          RERUN_GROUP: ${{ inputs.rerun_group }}
         run: |
           set -euo pipefail
 
@@ -295,6 +331,14 @@ jobs:
             echo "Dispatched ${workflow}: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${run_id}"
             echo "run_id=${run_id}" >> "$GITHUB_OUTPUT"
 
+            cancel_child() {
+              if [[ -n "${run_id:-}" ]]; then
+                echo "Cancelling child workflow ${workflow}: ${run_id}" >&2
+                gh run cancel "$run_id" >/dev/null 2>&1 || true
+              fi
+            }
+            trap cancel_child EXIT INT TERM
+
             while true; do
               status="$(gh run view "$run_id" --json status --jq '.status')"
               if [[ "$status" == "completed" ]]; then
@@ -302,6 +346,106 @@ jobs:
               fi
               sleep 30
             done
+            trap - EXIT INT TERM
+
+            conclusion="$(gh run view "$run_id" --json conclusion --jq '.conclusion')"
+            url="$(gh run view "$run_id" --json url --jq '.url')"
+            echo "${workflow} finished with ${conclusion}: ${url}"
+            echo "url=${url}" >> "$GITHUB_OUTPUT"
+            echo "conclusion=${conclusion}" >> "$GITHUB_OUTPUT"
+            if [[ "$conclusion" != "success" ]]; then
+              gh run view "$run_id" --json jobs --jq '.jobs[] | select(.conclusion != "success" and .conclusion != "skipped") | {name, conclusion, url}' || true
+            fi
+          }
+
+          {
+            echo "### Plugin prerelease"
+            echo
+            echo "- Target ref: \`${TARGET_REF}\`"
+            echo "- Target SHA: \`${TARGET_SHA}\`"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          dispatch_and_wait plugin-prerelease.yml -f target_ref="$TARGET_SHA" -f expected_sha="$TARGET_SHA" -f full_release_validation=true
+
+  release_checks:
+    name: Run release/live/Docker/QA validation
+    needs: [resolve_target]
+    if: contains(fromJSON('["all","release-checks","install-smoke","cross-os","live-e2e","package","qa","qa-parity","qa-live"]'), inputs.rerun_group)
+    runs-on: ubuntu-24.04
+    timeout-minutes: 720
+    outputs:
+      run_id: ${{ steps.dispatch.outputs.run_id }}
+      url: ${{ steps.dispatch.outputs.url }}
+      conclusion: ${{ steps.dispatch.outputs.conclusion }}
+    steps:
+      - name: Dispatch and monitor release checks
+        id: dispatch
+        env:
+          GH_TOKEN: ${{ github.token }}
+          TARGET_REF: ${{ inputs.ref }}
+          TARGET_SHA: ${{ needs.resolve_target.outputs.sha }}
+          CHILD_WORKFLOW_REF: ${{ github.ref_name }}
+          PROVIDER: ${{ inputs.provider }}
+          MODE: ${{ inputs.mode }}
+          RELEASE_PROFILE: ${{ inputs.release_profile }}
+          RERUN_GROUP: ${{ inputs.rerun_group }}
+          LIVE_SUITE_FILTER: ${{ inputs.live_suite_filter }}
+          PACKAGE_ACCEPTANCE_PACKAGE_SPEC: ${{ inputs.package_acceptance_package_spec }}
+        run: |
+          set -euo pipefail
+
+          dispatch_and_wait() {
+            local workflow="$1"
+            shift
+
+            local before_json dispatch_output run_id status conclusion url
+            before_json="$(gh run list --workflow "$workflow" --event workflow_dispatch --limit 100 --json databaseId --jq '[.[].databaseId]')"
+
+            dispatch_output="$(gh workflow run "$workflow" --ref "$CHILD_WORKFLOW_REF" "$@" 2>&1)"
+            printf '%s\n' "$dispatch_output"
+            run_id="$(
+              printf '%s\n' "$dispatch_output" |
+                sed -nE 's#.*actions/runs/([0-9]+).*#\1#p' |
+                tail -n 1
+            )"
+
+            if [[ -z "$run_id" ]]; then
+              for _ in $(seq 1 60); do
+                run_id="$(
+                  BEFORE_IDS="$before_json" gh run list --workflow "$workflow" --event workflow_dispatch --limit 50 --json databaseId,createdAt \
+                    --jq 'map(select(.databaseId as $id | (env.BEFORE_IDS | fromjson | index($id) | not))) | sort_by(.createdAt) | reverse | .[0].databaseId // empty'
+                )"
+                if [[ -n "$run_id" ]]; then
+                  break
+                fi
+                sleep 5
+              done
+            fi
+
+            if [[ -z "${run_id:-}" ]]; then
+              echo "Could not find dispatched run for ${workflow}." >&2
+              exit 1
+            fi
+
+            echo "Dispatched ${workflow}: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${run_id}"
+            echo "run_id=${run_id}" >> "$GITHUB_OUTPUT"
+
+            cancel_child() {
+              if [[ -n "${run_id:-}" ]]; then
+                echo "Cancelling child workflow ${workflow}: ${run_id}" >&2
+                gh run cancel "$run_id" >/dev/null 2>&1 || true
+              fi
+            }
+            trap cancel_child EXIT INT TERM
+
+            while true; do
+              status="$(gh run view "$run_id" --json status --jq '.status')"
+              if [[ "$status" == "completed" ]]; then
+                break
+              fi
+              sleep 30
+            done
+            trap - EXIT INT TERM
 
             conclusion="$(gh run view "$run_id" --json conclusion --jq '.conclusion')"
             url="$(gh run view "$run_id" --json url --jq '.url')"
@@ -322,6 +466,12 @@ jobs:
             echo "- Cross-OS mode: \`${MODE}\`"
             echo "- Release profile: \`${RELEASE_PROFILE}\`"
             echo "- Rerun group: \`${RERUN_GROUP}\`"
+            if [[ -n "${LIVE_SUITE_FILTER// }" ]]; then
+              echo "- Live suite filter: \`${LIVE_SUITE_FILTER}\`"
+            fi
+            if [[ -n "${PACKAGE_ACCEPTANCE_PACKAGE_SPEC// }" ]]; then
+              echo "- Package Acceptance package spec: \`${PACKAGE_ACCEPTANCE_PACKAGE_SPEC}\`"
+            fi
           } >> "$GITHUB_STEP_SUMMARY"
 
           child_rerun_group="$RERUN_GROUP"
@@ -329,18 +479,98 @@ jobs:
             child_rerun_group=all
           fi
 
-          dispatch_and_wait openclaw-release-checks.yml \
-            -f ref="$TARGET_REF" \
-            -f expected_sha="$TARGET_SHA" \
-            -f provider="$PROVIDER" \
-            -f mode="$MODE" \
-            -f release_profile="$RELEASE_PROFILE" \
+          args=(
+            -f ref="$TARGET_SHA"
+            -f expected_sha="$TARGET_SHA"
+            -f provider="$PROVIDER"
+            -f mode="$MODE"
+            -f release_profile="$RELEASE_PROFILE"
             -f rerun_group="$child_rerun_group"
+          )
+          if [[ -n "${LIVE_SUITE_FILTER// }" ]]; then
+            args+=(-f live_suite_filter="$LIVE_SUITE_FILTER")
+          fi
+          if [[ -n "${PACKAGE_ACCEPTANCE_PACKAGE_SPEC// }" ]]; then
+            args+=(-f package_acceptance_package_spec="$PACKAGE_ACCEPTANCE_PACKAGE_SPEC")
+          fi
+
+          dispatch_and_wait openclaw-release-checks.yml "${args[@]}"
+
+  prepare_release_package:
+    name: Prepare release package artifact
+    needs: [resolve_target]
+    if: ${{ inputs.npm_telegram_package_spec == '' && inputs.rerun_group == 'all' && inputs.release_profile == 'full' }}
+    runs-on: ubuntu-24.04
+    timeout-minutes: 60
+    permissions:
+      contents: read
+      packages: write
+    outputs:
+      artifact_name: ${{ steps.artifact.outputs.name }}
+      package_sha256: ${{ steps.package.outputs.sha256 }}
+      package_version: ${{ steps.package.outputs.package_version }}
+      source_sha: ${{ steps.package.outputs.source_sha }}
+    steps:
+      - name: Checkout trusted workflow ref
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          ref: ${{ github.ref_name }}
+          fetch-depth: 0
+
+      - name: Set artifact metadata
+        id: artifact
+        run: echo "name=release-package-under-test" >> "$GITHUB_OUTPUT"
+
+      - name: Setup Node environment
+        uses: ./.github/actions/setup-node-env
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          pnpm-version: ${{ env.PNPM_VERSION }}
+          install-bun: "true"
+          install-deps: "false"
+
+      - name: Resolve release package artifact
+        id: package
+        shell: bash
+        env:
+          PACKAGE_REF: ${{ needs.resolve_target.outputs.sha }}
+        run: |
+          set -euo pipefail
+          node scripts/resolve-openclaw-package-candidate.mjs \
+            --source ref \
+            --package-ref "$PACKAGE_REF" \
+            --output-dir .artifacts/docker-e2e-package \
+            --output-name openclaw-current.tgz \
+            --metadata .artifacts/docker-e2e-package/package-candidate.json \
+            --github-output "$GITHUB_OUTPUT"
+          digest="$(node -p "JSON.parse(require('fs').readFileSync('.artifacts/docker-e2e-package/package-candidate.json', 'utf8')).sha256")"
+          version="$(node -p "JSON.parse(require('fs').readFileSync('.artifacts/docker-e2e-package/package-candidate.json', 'utf8')).version")"
+          source_sha="$(node -p "JSON.parse(require('fs').readFileSync('.artifacts/docker-e2e-package/package-candidate.json', 'utf8')).packageSourceSha")"
+          echo "source_sha=$source_sha" >> "$GITHUB_OUTPUT"
+          {
+            echo "## Release package artifact"
+            echo
+            echo "- Artifact: \`release-package-under-test\`"
+            echo "- Package ref: \`$PACKAGE_REF\`"
+            echo "- SHA-256: \`$digest\`"
+            echo "- Version: \`$version\`"
+            echo "- Source SHA: \`$source_sha\`"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Upload release package artifact
+        uses: actions/upload-artifact@v7
+        with:
+          name: release-package-under-test
+          path: |
+            .artifacts/docker-e2e-package/openclaw-current.tgz
+            .artifacts/docker-e2e-package/package-candidate.json
+          if-no-files-found: error
 
   npm_telegram:
-    name: Run post-publish Telegram E2E
-    needs: [resolve_target]
-    if: inputs.npm_telegram_package_spec != '' && contains(fromJSON('["all","npm-telegram"]'), inputs.rerun_group)
+    name: Run package Telegram E2E
+    needs: [resolve_target, prepare_release_package]
+    if: ${{ always() && contains(fromJSON('["all","npm-telegram"]'), inputs.rerun_group) && (inputs.npm_telegram_package_spec != '' || (inputs.rerun_group == 'all' && inputs.release_profile == 'full')) }}
     runs-on: ubuntu-24.04
     timeout-minutes: 120
     outputs:
@@ -355,6 +585,8 @@ jobs:
           CHILD_WORKFLOW_REF: ${{ github.ref_name }}
           TARGET_SHA: ${{ needs.resolve_target.outputs.sha }}
           PACKAGE_SPEC: ${{ inputs.npm_telegram_package_spec }}
+          PACKAGE_ARTIFACT_NAME: ${{ needs.prepare_release_package.outputs.artifact_name }}
+          PREPARE_PACKAGE_RESULT: ${{ needs.prepare_release_package.result }}
           PROVIDER_MODE: ${{ inputs.npm_telegram_provider_mode }}
           SCENARIO: ${{ inputs.npm_telegram_scenario }}
         run: |
@@ -362,7 +594,18 @@ jobs:
 
           before_json="$(gh run list --workflow npm-telegram-beta-e2e.yml --event workflow_dispatch --limit 100 --json databaseId --jq '[.[].databaseId]')"
 
-          args=(-f package_spec="$PACKAGE_SPEC" -f harness_ref="$TARGET_SHA" -f provider_mode="$PROVIDER_MODE")
+          args=(-f package_spec="${PACKAGE_SPEC:-openclaw@beta}" -f harness_ref="$TARGET_SHA" -f provider_mode="$PROVIDER_MODE")
+          if [[ -z "${PACKAGE_SPEC// }" ]]; then
+            if [[ "$PREPARE_PACKAGE_RESULT" != "success" || -z "${PACKAGE_ARTIFACT_NAME// }" ]]; then
+              echo "Full release Telegram requires either npm_telegram_package_spec or a prepared release-package-under-test artifact." >&2
+              exit 1
+            fi
+            args+=(
+              -f package_artifact_name="$PACKAGE_ARTIFACT_NAME"
+              -f package_artifact_run_id="${GITHUB_RUN_ID}"
+              -f package_label="full-release-${TARGET_SHA:0:12}"
+            )
+          fi
           if [[ -n "${SCENARIO// }" ]]; then
             args+=(-f scenario="$SCENARIO")
           fi
@@ -389,6 +632,14 @@ jobs:
           echo "Dispatched npm-telegram-beta-e2e.yml: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${run_id}"
           echo "run_id=${run_id}" >> "$GITHUB_OUTPUT"
 
+          cancel_child() {
+            if [[ -n "${run_id:-}" ]]; then
+              echo "Cancelling child workflow npm-telegram-beta-e2e.yml: ${run_id}" >&2
+              gh run cancel "$run_id" >/dev/null 2>&1 || true
+            fi
+          }
+          trap cancel_child EXIT INT TERM
+
           while true; do
             status="$(gh run view "$run_id" --json status --jq '.status')"
             if [[ "$status" == "completed" ]]; then
@@ -396,6 +647,7 @@ jobs:
             fi
             sleep 30
           done
+          trap - EXIT INT TERM
 
           conclusion="$(gh run view "$run_id" --json conclusion --jq '.conclusion')"
           url="$(gh run view "$run_id" --json url --jq '.url')"
@@ -408,7 +660,7 @@ jobs:
 
   summary:
     name: Verify full validation
-    needs: [normal_ci, release_checks, npm_telegram]
+    needs: [resolve_target, normal_ci, plugin_prerelease, release_checks, npm_telegram]
     if: always()
     runs-on: ubuntu-24.04
     timeout-minutes: 5
@@ -473,11 +725,14 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
           NORMAL_CI_RUN_ID: ${{ needs.normal_ci.outputs.run_id }}
+          PLUGIN_PRERELEASE_RUN_ID: ${{ needs.plugin_prerelease.outputs.run_id }}
           RELEASE_CHECKS_RUN_ID: ${{ needs.release_checks.outputs.run_id }}
           NPM_TELEGRAM_RUN_ID: ${{ needs.npm_telegram.outputs.run_id }}
           NORMAL_CI_RESULT: ${{ needs.normal_ci.result }}
+          PLUGIN_PRERELEASE_RESULT: ${{ needs.plugin_prerelease.result }}
           RELEASE_CHECKS_RESULT: ${{ needs.release_checks.result }}
           NPM_TELEGRAM_RESULT: ${{ needs.npm_telegram.result }}
+          TARGET_SHA: ${{ needs.resolve_target.outputs.sha }}
         run: |
           set -euo pipefail
 
@@ -495,20 +750,71 @@ jobs:
               return 1
             fi
 
-            local status conclusion url attempt
-            status="$(gh run view "$run_id" --json status --jq '.status')"
-            conclusion="$(gh run view "$run_id" --json conclusion --jq '.conclusion')"
-            url="$(gh run view "$run_id" --json url --jq '.url')"
-            attempt="$(gh run view "$run_id" --json attempt --jq '.attempt')"
-            echo "${label}: ${status}/${conclusion} attempt ${attempt}: ${url}"
+            local run_json status conclusion url attempt head_sha
+            run_json="$(gh run view "$run_id" --json status,conclusion,url,attempt,headSha,jobs)"
+            status="$(jq -r '.status' <<< "$run_json")"
+            conclusion="$(jq -r '.conclusion' <<< "$run_json")"
+            url="$(jq -r '.url' <<< "$run_json")"
+            attempt="$(jq -r '.attempt' <<< "$run_json")"
+            head_sha="$(jq -r '.headSha // ""' <<< "$run_json")"
+            echo "${label}: ${status}/${conclusion} attempt ${attempt} head ${head_sha}: ${url}"
+
+            if [[ -n "${TARGET_SHA// }" && "$head_sha" != "$TARGET_SHA" ]]; then
+              echo "::error::${label} child run used ${head_sha}, expected ${TARGET_SHA}. Dispatch Full Release Validation from a ref pinned to the target SHA, not a moving branch."
+              return 1
+            fi
 
             if [[ "$status" != "completed" || "$conclusion" != "success" ]]; then
               echo "::error::${label} child run ended with ${status}/${conclusion}: ${url}"
-              gh run view "$run_id" --json jobs --jq '.jobs[] | select(.conclusion != "success" and .conclusion != "skipped") | {name, status, conclusion, url}' || true
+              jq '.jobs[] | select(.conclusion != "success" and .conclusion != "skipped") | {name, status, conclusion, url}' <<< "$run_json" || true
               return 1
             fi
           }
 
+          append_child_overview() {
+            {
+              echo
+              echo "### Child workflow overview"
+              echo
+              echo "| Child | Result | Minutes | Head SHA | Run |"
+              echo "| --- | --- | ---: | --- | --- |"
+            } >> "$GITHUB_STEP_SUMMARY"
+
+            append_child_row() {
+              local label="$1"
+              local run_id="$2"
+              local result="$3"
+
+              if [[ -z "${run_id// }" ]]; then
+                echo "| \`${label}\` | \`${result}\` |  | skipped |" >> "$GITHUB_STEP_SUMMARY"
+                return 0
+              fi
+
+              local run_json row
+              run_json="$(gh run view "$run_id" --json status,conclusion,url,createdAt,updatedAt,headSha)"
+              row="$(
+                jq -r --arg label "$label" '
+                  def ts: fromdateiso8601;
+                  . as $run |
+                  ($run.createdAt // "") as $created |
+                  ($run.updatedAt // "") as $updated |
+                  (if ($created | length) > 0 and ($updated | length) > 0
+                    then (((($updated | ts) - ($created | ts)) / 60) * 10 | round / 10 | tostring)
+                    else ""
+                  end) as $minutes |
+                  ($run.headSha // "") as $head |
+                  "| `" + $label + "` | `" + ($run.status // "") + "/" + ($run.conclusion // "") + "` | " + $minutes + " | `" + $head + "` | [run](" + ($run.url // "") + ") |"
+                ' <<< "$run_json"
+              )"
+              echo "$row" >> "$GITHUB_STEP_SUMMARY"
+            }
+
+            append_child_row "normal_ci" "$NORMAL_CI_RUN_ID" "$NORMAL_CI_RESULT"
+            append_child_row "plugin_prerelease" "$PLUGIN_PRERELEASE_RUN_ID" "$PLUGIN_PRERELEASE_RESULT"
+            append_child_row "release_checks" "$RELEASE_CHECKS_RUN_ID" "$RELEASE_CHECKS_RESULT"
+            append_child_row "npm_telegram" "$NPM_TELEGRAM_RUN_ID" "$NPM_TELEGRAM_RESULT"
+          }
+
           summarize_child_timing() {
             local label="$1"
             local run_id="$2"
@@ -534,17 +840,46 @@ jobs:
                   | map("| `" + (.name | gsub("\\|"; "\\|")) + "` | `" + ((.conclusion // "") | tostring) + "` | " + (.durationMin | tostring) + " |")
                   | .[])
               ' || echo "_Unable to summarize jobs for run ${run_id}._"
+              echo
+              echo "### Longest queues: ${label}"
+              echo
+              gh api --paginate "repos/${GITHUB_REPOSITORY}/actions/runs/${run_id}/jobs?per_page=100" --jq ".jobs[] | @json" | jq -sr '
+                def ts: fromdateiso8601;
+                "| Job | Result | Queue minutes | Run minutes |",
+                "| --- | --- | ---: | ---: |",
+                ([.[]
+                  | select(.created_at != null and .started_at != null)
+                  | . + {
+                      queueMin: ((((.started_at | ts) - (.created_at | ts)) / 60) * 10 | round / 10),
+                      durationMin: (if .completed_at == null then null else ((((.completed_at | ts) - (.started_at | ts)) / 60) * 10 | round / 10) end)
+                    }
+                  | select(.queueMin > 0)
+                  | {name, conclusion, queueMin, durationMin}]
+                  | sort_by(.queueMin)
+                  | reverse
+                  | .[0:10]
+                  | map("| `" + (.name | gsub("\\|"; "\\|")) + "` | `" + ((.conclusion // "") | tostring) + "` | " + (.queueMin | tostring) + " | " + ((.durationMin // "") | tostring) + " |")
+                  | .[])
+              ' || echo "_Unable to summarize queue times for run ${run_id}._"
             } >> "$GITHUB_STEP_SUMMARY"
           }
 
           failed=0
 
+          append_child_overview
+
           if [[ "$NORMAL_CI_RESULT" == "skipped" && -z "${NORMAL_CI_RUN_ID// }" ]]; then
             check_child "normal_ci" "" 0 || failed=1
           else
             check_child "normal_ci" "$NORMAL_CI_RUN_ID" 1 || failed=1
           fi
 
+          if [[ "$PLUGIN_PRERELEASE_RESULT" == "skipped" && -z "${PLUGIN_PRERELEASE_RUN_ID// }" ]]; then
+            check_child "plugin_prerelease" "" 0 || failed=1
+          else
+            check_child "plugin_prerelease" "$PLUGIN_PRERELEASE_RUN_ID" 1 || failed=1
+          fi
+
           if [[ "$RELEASE_CHECKS_RESULT" == "skipped" && -z "${RELEASE_CHECKS_RUN_ID// }" ]]; then
             check_child "release_checks" "" 0 || failed=1
           else
@@ -558,6 +893,7 @@ jobs:
           fi
 
           summarize_child_timing "normal_ci" "$NORMAL_CI_RUN_ID"
+          summarize_child_timing "plugin_prerelease" "$PLUGIN_PRERELEASE_RUN_ID"
           summarize_child_timing "release_checks" "$RELEASE_CHECKS_RUN_ID"
           summarize_child_timing "npm_telegram" "$NPM_TELEGRAM_RUN_ID"
 

.github/workflows/install-smoke.yml

@@ -34,10 +34,11 @@ on:
 
 permissions:
   contents: read
+  packages: write
 
 concurrency:
-  group: ${{ github.event_name == 'workflow_dispatch' && format('{0}-manual-{1}', github.workflow, github.run_id) || format('{0}-{1}', github.workflow, github.ref) }}
-  cancel-in-progress: true
+  group: ${{ (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call') && format('{0}-{1}-{2}', github.workflow, github.event_name, github.run_id) || format('{0}-{1}', github.workflow, github.ref) }}
+  cancel-in-progress: ${{ github.event_name != 'workflow_call' }}
 
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
@@ -51,6 +52,8 @@ jobs:
       run_fast_install_smoke: ${{ steps.manifest.outputs.run_fast_install_smoke }}
       run_full_install_smoke: ${{ steps.manifest.outputs.run_full_install_smoke }}
       run_bun_global_install_smoke: ${{ steps.manifest.outputs.run_bun_global_install_smoke }}
+      target_sha: ${{ steps.manifest.outputs.target_sha }}
+      dockerfile_image: ${{ steps.manifest.outputs.dockerfile_image }}
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -74,6 +77,9 @@ jobs:
           run_full_install_smoke=true
           run_bun_global_install_smoke=false
           run_install_smoke=true
+          target_sha="$(git rev-parse HEAD)"
+          owner="$(printf '%s' "${GITHUB_REPOSITORY_OWNER:-openclaw}" | tr '[:upper:]' '[:lower:]')"
+          dockerfile_image="ghcr.io/${owner}/openclaw-dockerfile-smoke:${target_sha}"
           if [ "$event_name" = "schedule" ]; then
             run_bun_global_install_smoke=true
           elif [ "$event_name" = "workflow_dispatch" ] || [ "$event_name" = "workflow_call" ]; then
@@ -87,6 +93,8 @@ jobs:
             echo "run_fast_install_smoke=$run_fast_install_smoke"
             echo "run_full_install_smoke=$run_full_install_smoke"
             echo "run_bun_global_install_smoke=$run_bun_global_install_smoke"
+            echo "target_sha=$target_sha"
+            echo "dockerfile_image=$dockerfile_image"
           } >> "$GITHUB_OUTPUT"
 
   install-smoke-fast:
@@ -103,23 +111,23 @@ jobs:
           ref: ${{ inputs.ref || github.ref }}
 
       - name: Set up Blacksmith Docker Builder
-        uses: useblacksmith/setup-docker-builder@ac083cc84672d01c60d5e8561d0a939b697de542 # v1
-
-      # Blacksmith's builder owns the Docker layer cache; keep smoke builds off
-      # explicit gha cache directives so local tags still load cleanly.
-      - name: Build root Dockerfile smoke image
-        uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2
+        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
         with:
-          context: .
-          file: ./Dockerfile
-          build-args: |
-            OPENCLAW_EXTENSIONS=matrix
-          tags: |
-            openclaw-dockerfile-smoke:local
-            openclaw-ext-smoke:local
-          load: true
-          push: false
-          provenance: false
+          max-cache-size-mb: 800000
+
+      # Keep release smoke builds bounded and log-producing. The Blacksmith
+      # build action can leave jobs in-progress without step logs when a remote
+      # builder stalls; an explicit buildx invocation fails closed instead.
+      - name: Build root Dockerfile smoke image
+        run: |
+          timeout 45m docker buildx build \
+            --progress=plain \
+            --load \
+            --build-arg OPENCLAW_EXTENSIONS=matrix \
+            -t openclaw-dockerfile-smoke:local \
+            -t openclaw-ext-smoke:local \
+            -f ./Dockerfile \
+            .
 
       - name: Run root Dockerfile CLI smoke
         run: |
@@ -196,10 +204,12 @@ jobs:
             "
           '
 
-  install-smoke:
+  root_dockerfile_image:
     needs: [preflight]
     if: needs.preflight.outputs.run_full_install_smoke == 'true'
     runs-on: blacksmith-16vcpu-ubuntu-2404
+    outputs:
+      image_ref: ${{ steps.image.outputs.image_ref }}
     env:
       DOCKER_BUILD_SUMMARY: "false"
       DOCKER_BUILD_RECORD_UPLOAD: "false"
@@ -209,51 +219,127 @@ jobs:
         with:
           ref: ${{ inputs.ref || github.ref }}
 
-      - name: Set up Blacksmith Docker Builder
-        uses: useblacksmith/setup-docker-builder@ac083cc84672d01c60d5e8561d0a939b697de542 # v1
+      - name: Log in to GHCR
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - name: Check for existing root Dockerfile smoke image
+        id: existing
+        env:
+          IMAGE_REF: ${{ needs.preflight.outputs.dockerfile_image }}
+        run: |
+          set -euo pipefail
+          if timeout 180s docker pull "$IMAGE_REF"; then
+            echo "exists=true" >> "$GITHUB_OUTPUT"
+            echo "Using existing root Dockerfile smoke image: \`$IMAGE_REF\`" >> "$GITHUB_STEP_SUMMARY"
+          else
+            echo "exists=false" >> "$GITHUB_OUTPUT"
+            echo "No existing root Dockerfile smoke image found for \`$IMAGE_REF\`; building it." >> "$GITHUB_STEP_SUMMARY"
+          fi
+
+      - name: Set up Blacksmith Docker Builder
+        if: steps.existing.outputs.exists != 'true'
+        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
+        with:
+          max-cache-size-mb: 800000
+
+      # Build once with the matrix extension and publish by target SHA. Use a
+      # direct buildx command so release jobs emit Docker progress and time out.
+      - name: Build and push root Dockerfile smoke image
+        if: steps.existing.outputs.exists != 'true'
+        env:
+          IMAGE_REF: ${{ needs.preflight.outputs.dockerfile_image }}
+        run: |
+          timeout 45m docker buildx build \
+            --progress=plain \
+            --push \
+            --build-arg OPENCLAW_EXTENSIONS=matrix \
+            -t "$IMAGE_REF" \
+            -f ./Dockerfile \
+            .
+
+      - name: Record root image output
+        id: image
+        env:
+          IMAGE_REF: ${{ needs.preflight.outputs.dockerfile_image }}
+        run: echo "image_ref=$IMAGE_REF" >> "$GITHUB_OUTPUT"
+
+      - name: Summarize root image
+        env:
+          IMAGE_REF: ${{ needs.preflight.outputs.dockerfile_image }}
+          TARGET_SHA: ${{ needs.preflight.outputs.target_sha }}
+        run: |
+          {
+            echo "## Root Dockerfile smoke image"
+            echo
+            echo "- Target SHA: \`${TARGET_SHA}\`"
+            echo "- Image: \`${IMAGE_REF}\`"
+            echo "- Reused existing image: \`${{ steps.existing.outputs.exists }}\`"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+  qr_package_install_smoke:
+    needs: [preflight]
+    if: needs.preflight.outputs.run_full_install_smoke == 'true'
+    runs-on: blacksmith-16vcpu-ubuntu-2404
+    steps:
+      - name: Checkout CLI
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ inputs.ref || github.ref }}
 
-      # Blacksmith's builder owns the Docker layer cache; keep smoke builds off
-      # explicit gha cache directives so local tags still load cleanly.
       - name: Run QR package install smoke
         env:
           OPENCLAW_QR_SMOKE_FORCE_INSTALL: "1"
         run: bash scripts/e2e/qr-import-docker.sh
 
-      # Build once with the matrix extension and tag both smoke names. This
-      # keeps the build-arg coverage without a second Blacksmith build action.
-      - name: Build root Dockerfile smoke image
-        uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2
+  root_dockerfile_smokes:
+    needs: [preflight, root_dockerfile_image]
+    if: needs.preflight.outputs.run_full_install_smoke == 'true'
+    runs-on: blacksmith-16vcpu-ubuntu-2404
+    steps:
+      - name: Checkout CLI
+        uses: actions/checkout@v6
         with:
-          context: .
-          file: ./Dockerfile
-          build-args: |
-            OPENCLAW_EXTENSIONS=matrix
-          tags: |
-            openclaw-dockerfile-smoke:local
-            openclaw-ext-smoke:local
-          load: true
-          push: false
-          provenance: false
+          ref: ${{ inputs.ref || github.ref }}
+
+      - name: Log in to GHCR
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - name: Pull root Dockerfile smoke image
+        env:
+          IMAGE_REF: ${{ needs.root_dockerfile_image.outputs.image_ref }}
+        run: timeout 600s docker pull "$IMAGE_REF"
 
       - name: Run root Dockerfile CLI smoke
+        env:
+          IMAGE_REF: ${{ needs.root_dockerfile_image.outputs.image_ref }}
         run: |
-          docker run --rm --entrypoint sh openclaw-dockerfile-smoke:local -lc 'which openclaw && openclaw --version'
+          docker run --rm --entrypoint sh "$IMAGE_REF" -lc 'which openclaw && openclaw --version'
 
       - name: Run agents delete shared workspace Docker CLI smoke
         env:
-          OPENCLAW_AGENTS_DELETE_SHARED_WORKSPACE_E2E_IMAGE: openclaw-dockerfile-smoke:local
+          OPENCLAW_AGENTS_DELETE_SHARED_WORKSPACE_E2E_IMAGE: ${{ needs.root_dockerfile_image.outputs.image_ref }}
           OPENCLAW_AGENTS_DELETE_SHARED_WORKSPACE_E2E_SKIP_BUILD: "1"
         run: bash scripts/e2e/agents-delete-shared-workspace-docker.sh
 
       - name: Run Docker gateway network e2e
         env:
-          OPENCLAW_GATEWAY_NETWORK_E2E_IMAGE: openclaw-dockerfile-smoke:local
+          OPENCLAW_GATEWAY_NETWORK_E2E_IMAGE: ${{ needs.root_dockerfile_image.outputs.image_ref }}
           OPENCLAW_GATEWAY_NETWORK_E2E_SKIP_BUILD: "1"
         run: bash scripts/e2e/gateway-network-docker.sh
 
       - name: Smoke test Dockerfile with matrix extension build arg
+        env:
+          IMAGE_REF: ${{ needs.root_dockerfile_image.outputs.image_ref }}
         run: |
-          docker run --rm --entrypoint sh openclaw-ext-smoke:local -lc '
+          docker run --rm --entrypoint sh "$IMAGE_REF" -lc '
             which openclaw &&
             openclaw --version &&
             node -e "
@@ -296,39 +382,60 @@ jobs:
             "
           '
 
-      - name: Build installer smoke image
-        uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2
+  installer_smoke:
+    needs: [preflight, root_dockerfile_image]
+    if: needs.preflight.outputs.run_full_install_smoke == 'true'
+    runs-on: blacksmith-16vcpu-ubuntu-2404
+    env:
+      DOCKER_BUILD_SUMMARY: "false"
+      DOCKER_BUILD_RECORD_UPLOAD: "false"
+    steps:
+      - name: Checkout CLI
+        uses: actions/checkout@v6
         with:
-          context: ./scripts/docker
-          file: ./scripts/docker/install-sh-smoke/Dockerfile
-          tags: openclaw-install-smoke:local
-          load: true
-          push: false
-          provenance: false
+          ref: ${{ inputs.ref || github.ref }}
+
+      - name: Log in to GHCR
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - name: Pull root Dockerfile smoke image
+        env:
+          IMAGE_REF: ${{ needs.root_dockerfile_image.outputs.image_ref }}
+        run: timeout 600s docker pull "$IMAGE_REF"
+
+      - name: Set up Blacksmith Docker Builder
+        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
+        with:
+          max-cache-size-mb: 800000
+
+      - name: Build installer smoke image
+        run: |
+          timeout 20m docker buildx build \
+            --progress=plain \
+            --load \
+            -t openclaw-install-smoke:local \
+            -f ./scripts/docker/install-sh-smoke/Dockerfile \
+            ./scripts/docker
 
       - name: Build installer non-root image
-        uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2
-        with:
-          context: ./scripts/docker
-          file: ./scripts/docker/install-sh-nonroot/Dockerfile
-          tags: openclaw-install-nonroot:local
-          load: true
-          push: false
-          provenance: false
+        run: |
+          timeout 20m docker buildx build \
+            --progress=plain \
+            --load \
+            -t openclaw-install-nonroot:local \
+            -f ./scripts/docker/install-sh-nonroot/Dockerfile \
+            ./scripts/docker
 
       - name: Setup Node environment for installer smoke
         uses: ./.github/actions/setup-node-env
         with:
-          install-bun: ${{ needs.preflight.outputs.run_bun_global_install_smoke }}
+          install-bun: "false"
           install-deps: "true"
 
-      - name: Run Bun global install image-provider smoke
-        if: needs.preflight.outputs.run_bun_global_install_smoke == 'true'
-        env:
-          OPENCLAW_BUN_GLOBAL_SMOKE_DIST_IMAGE: openclaw-dockerfile-smoke:local
-          OPENCLAW_BUN_GLOBAL_SMOKE_HOST_BUILD: "0"
-        run: bash scripts/e2e/bun-global-install-smoke.sh
-
       - name: Run installer docker tests
         env:
           OPENCLAW_INSTALL_URL: https://openclaw.ai/install.sh
@@ -341,15 +448,49 @@ jobs:
           OPENCLAW_INSTALL_SMOKE_SKIP_NPM_GLOBAL: "1"
           OPENCLAW_INSTALL_SMOKE_SKIP_PREVIOUS: "1"
           OPENCLAW_INSTALL_SMOKE_UPDATE_BASELINE: ${{ inputs.update_baseline_version || 'latest' }}
-          OPENCLAW_INSTALL_SMOKE_UPDATE_DIST_IMAGE: openclaw-dockerfile-smoke:local
+          OPENCLAW_INSTALL_SMOKE_UPDATE_DIST_IMAGE: ${{ needs.root_dockerfile_image.outputs.image_ref }}
           OPENCLAW_INSTALL_SMOKE_UPDATE_SKIP_LOCAL_BUILD: "1"
         run: bash scripts/test-install-sh-docker.sh
 
+  bun_global_install_smoke:
+    needs: [preflight, root_dockerfile_image]
+    if: needs.preflight.outputs.run_full_install_smoke == 'true' && needs.preflight.outputs.run_bun_global_install_smoke == 'true'
+    runs-on: blacksmith-16vcpu-ubuntu-2404
+    steps:
+      - name: Checkout CLI
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ inputs.ref || github.ref }}
+
+      - name: Log in to GHCR
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - name: Pull root Dockerfile smoke image
+        env:
+          IMAGE_REF: ${{ needs.root_dockerfile_image.outputs.image_ref }}
+        run: timeout 600s docker pull "$IMAGE_REF"
+
+      - name: Setup Node environment for Bun smoke
+        uses: ./.github/actions/setup-node-env
+        with:
+          install-bun: "true"
+          install-deps: "true"
+
+      - name: Run Bun global install image-provider smoke
+        env:
+          OPENCLAW_BUN_GLOBAL_SMOKE_DIST_IMAGE: ${{ needs.root_dockerfile_image.outputs.image_ref }}
+          OPENCLAW_BUN_GLOBAL_SMOKE_HOST_BUILD: "0"
+        run: bash scripts/e2e/bun-global-install-smoke.sh
+
   docker-e2e-fast:
     needs: [preflight]
     if: needs.preflight.outputs.run_fast_install_smoke == 'true' || needs.preflight.outputs.run_full_install_smoke == 'true'
     runs-on: blacksmith-16vcpu-ubuntu-2404
-    timeout-minutes: 8
+    timeout-minutes: 12
     env:
       DOCKER_BUILD_SUMMARY: "false"
       DOCKER_BUILD_RECORD_UPLOAD: "false"
@@ -360,16 +501,12 @@ jobs:
           ref: ${{ inputs.ref || github.ref }}
 
       - name: Set up Blacksmith Docker Builder
-        uses: useblacksmith/setup-docker-builder@ac083cc84672d01c60d5e8561d0a939b697de542 # v1
+        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
+        with:
+          max-cache-size-mb: 800000
 
       - name: Setup Node environment for package smoke
         uses: ./.github/actions/setup-node-env
         with:
           install-bun: "false"
           install-deps: "true"
-
-      - name: Run fast bundled plugin Docker E2E
-        env:
-          OPENCLAW_BUNDLED_CHANNEL_DEPS_E2E_IMAGE: openclaw-bundled-channel-fast:local
-          OPENCLAW_BUNDLED_CHANNEL_DOCKER_RUN_TIMEOUT: 90s
-        run: timeout 240s pnpm test:docker:bundled-channel-deps:fast

.github/workflows/labeler.yml

@@ -92,7 +92,7 @@ jobs:
             const excludedLockfiles = new Set(["pnpm-lock.yaml", "package-lock.json", "yarn.lock", "bun.lockb"]);
             const totalChangedLines = files.reduce((total, file) => {
               const path = file.filename ?? "";
-              if (path === "docs.acp.md" || path.startsWith("docs/") || excludedLockfiles.has(path)) {
+              if (path.startsWith("docs/") || excludedLockfiles.has(path)) {
                 return total;
               }
               return total + (file.additions ?? 0) + (file.deletions ?? 0);
@@ -278,6 +278,7 @@ jobs:
             const labelColor = "B60205";
             const labelDescription = `Author has more than ${activePrLimit} active PRs in this repo`;
             const authorLogin = pullRequest.user?.login;
+            const headRefName = pullRequest.head?.ref ?? "";
             if (!authorLogin) {
               return;
             }
@@ -295,6 +296,25 @@ jobs:
                 .filter((name) => typeof name === "string"),
             );
 
+            if (pullRequest.user?.type === "Bot" || /\[bot\]$/i.test(authorLogin) || authorLogin.startsWith("app/")) {
+              if (labelNames.has(activePrLimitLabel)) {
+                try {
+                  await github.rest.issues.removeLabel({
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    issue_number: pullRequest.number,
+                    name: activePrLimitLabel,
+                  });
+                } catch (error) {
+                  if (error?.status !== 404) {
+                    throw error;
+                  }
+                }
+              }
+              core.info(`Skipping active PR limit for GitHub App author ${authorLogin}.`);
+              return;
+            }
+
             if (labelNames.has(activePrLimitOverrideLabel)) {
               if (labelNames.has(activePrLimitLabel)) {
                 try {
@@ -374,7 +394,12 @@ jobs:
               return false;
             };
 
-            if (await isPrivilegedAuthor()) {
+            const automationPrHeadPrefixes = ["clawsweeper/", "clownfish/"];
+            const isAutomationPullRequest =
+              typeof headRefName === "string" &&
+              automationPrHeadPrefixes.some((prefix) => headRefName.startsWith(prefix));
+
+            if ((await isPrivilegedAuthor()) || isAutomationPullRequest) {
               if (labelNames.has(activePrLimitLabel)) {
                 try {
                   await github.rest.issues.removeLabel({
@@ -581,7 +606,7 @@ jobs:
               const excludedLockfiles = new Set(["pnpm-lock.yaml", "package-lock.json", "yarn.lock", "bun.lockb"]);
               const totalChangedLines = files.reduce((total, file) => {
                 const path = file.filename ?? "";
-                if (path === "docs.acp.md" || path.startsWith("docs/") || excludedLockfiles.has(path)) {
+                if (path.startsWith("docs/") || excludedLockfiles.has(path)) {
                   return total;
                 }
                 return total + (file.additions ?? 0) + (file.deletions ?? 0);

.github/workflows/live-media-runner-image.yml

@@ -0,0 +1,54 @@
+name: Live Media Runner Image
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [main]
+    paths:
+      - ".github/images/live-media-runner/Dockerfile"
+      - ".github/workflows/live-media-runner-image.yml"
+
+permissions:
+  contents: read
+  packages: write
+
+concurrency:
+  group: live-media-runner-image-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+
+jobs:
+  build:
+    name: Build live media runner image
+    runs-on: blacksmith-8vcpu-ubuntu-2404
+    timeout-minutes: 30
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Login to GHCR
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - name: Set up Blacksmith Docker Builder
+        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
+        with:
+          max-cache-size-mb: 800000
+
+      - name: Build and push live media runner image
+        uses: useblacksmith/build-push-action@fb9e3e6a9299c78462bfadd0d93352c316adc9b8 # v2
+        with:
+          context: .github/images/live-media-runner
+          file: .github/images/live-media-runner/Dockerfile
+          platforms: linux/amd64
+          tags: |
+            ghcr.io/openclaw/openclaw-live-media-runner:ubuntu-24.04
+            ghcr.io/openclaw/openclaw-live-media-runner:${{ github.sha }}
+          sbom: true
+          provenance: mode=max
+          push: true

.github/workflows/macos-release.yml

@@ -4,7 +4,7 @@ on:
   workflow_dispatch:
     inputs:
       tag:
-        description: Existing release tag to validate for macOS release handoff (for example v2026.3.22 or v2026.3.22-beta.1)
+        description: Existing release tag to validate for macOS release handoff (for example v2026.3.22, v2026.3.22-alpha.1, or v2026.3.22-beta.1)
         required: true
         type: string
       preflight_only:
@@ -12,6 +12,11 @@ on:
         required: true
         default: true
         type: boolean
+      public_release_branch:
+        description: Public branch that contains the release tag commit, usually main or release/YYYY.M.D
+        required: false
+        default: main
+        type: string
 
 concurrency:
   group: macos-release-${{ inputs.tag }}
@@ -33,7 +38,7 @@ jobs:
           RELEASE_TAG: ${{ inputs.tag }}
         run: |
           set -euo pipefail
-          if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-beta\.[1-9][0-9]*)|(-[1-9][0-9]*))?$ ]]; then
+          if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-(alpha|beta)\.[1-9][0-9]*)|(-[1-9][0-9]*))?$ ]]; then
             echo "Invalid release tag format: ${RELEASE_TAG}"
             exit 1
           fi
@@ -66,13 +71,17 @@ jobs:
       - name: Validate release tag and package metadata
         env:
           RELEASE_TAG: ${{ inputs.tag }}
-          WORKFLOW_REF_NAME: ${{ github.ref_name }}
+          PUBLIC_RELEASE_BRANCH: ${{ inputs.public_release_branch }}
         run: |
           set -euo pipefail
+          if [[ "${PUBLIC_RELEASE_BRANCH}" != "main" && ! "${PUBLIC_RELEASE_BRANCH}" =~ ^release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$ ]]; then
+            echo "public_release_branch must be main or release/YYYY.M.D, got ${PUBLIC_RELEASE_BRANCH}." >&2
+            exit 1
+          fi
           RELEASE_SHA=$(git rev-parse HEAD)
-          RELEASE_MAIN_REF="refs/remotes/origin/${WORKFLOW_REF_NAME}"
+          RELEASE_MAIN_REF="refs/remotes/origin/${PUBLIC_RELEASE_BRANCH}"
           export RELEASE_SHA RELEASE_TAG RELEASE_MAIN_REF
-          git fetch --no-tags origin "+refs/heads/${WORKFLOW_REF_NAME}:refs/remotes/origin/${WORKFLOW_REF_NAME}"
+          git fetch --no-tags origin "+refs/heads/${PUBLIC_RELEASE_BRANCH}:refs/remotes/origin/${PUBLIC_RELEASE_BRANCH}"
           pnpm release:openclaw:npm:check
 
       - name: Summarize next step

.github/workflows/maintainer-command-reactions.yml

@@ -0,0 +1,99 @@
+name: Maintainer Command Reactions
+
+on:
+  issue_comment:
+    types: [created, edited]
+
+permissions: {}
+
+concurrency:
+  group: maintainer-command-reactions-${{ github.event.comment.id }}
+  cancel-in-progress: true
+
+jobs:
+  react:
+    if: ${{ !endsWith(github.actor, '[bot]') }}
+    runs-on: ubuntu-24.04
+    permissions:
+      issues: write
+      pull-requests: write
+    env:
+      MAINTAINER_COMMAND_REACTIONS: ${{ vars.MAINTAINER_COMMAND_REACTIONS || '/autoclose,/clawsweeper autoclose,/clawsweeper automerge,/merge,/land,/landpr' }}
+    steps:
+      - name: React to maintainer slash command
+        uses: actions/github-script@v9
+        with:
+          script: |
+            const comment = context.payload.comment;
+            const issue = context.payload.issue;
+
+            const commands = (process.env.MAINTAINER_COMMAND_REACTIONS || "")
+              .split(",")
+              .map((command) => command.trim())
+              .filter(Boolean);
+            const commandLine = String(comment.body || "")
+              .split(/\r?\n/)
+              .map((line) => line.trim())
+              .find((line) => commands.some((command) => line === command || line.startsWith(`${command} `)));
+
+            if (!commandLine) {
+              core.info(`Skipping comment ${comment.id}; no tracked maintainer command found.`);
+              return;
+            }
+
+            const isAutocloseCommand =
+              commandLine === "/autoclose" ||
+              commandLine.startsWith("/autoclose ") ||
+              commandLine === "/clawsweeper autoclose" ||
+              commandLine.startsWith("/clawsweeper autoclose ");
+            if (!issue.pull_request && !isAutocloseCommand) {
+              core.info("Skipping non-autoclose command reaction because the comment is not on a pull request.");
+              return;
+            }
+
+            const maintainerPermissions = new Set(["admin", "maintain", "write"]);
+            let permission = "none";
+            try {
+              const result = await github.rest.repos.getCollaboratorPermissionLevel({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                username: comment.user.login,
+              });
+              permission = String(result.data.permission || "none").toLowerCase();
+            } catch (error) {
+              if (error.status !== 404) {
+                core.info(`Could not resolve repository permission for ${comment.user.login}: ${error.message}`);
+              }
+            }
+
+            if (!maintainerPermissions.has(permission)) {
+              core.info(
+                `Skipping non-maintainer command reaction for ${comment.user.login}; repository permission is ${permission}.`,
+              );
+              return;
+            }
+
+            async function react(content) {
+              try {
+                await github.rest.reactions.createForIssueComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  comment_id: comment.id,
+                  content,
+                });
+                core.info(`Added ${content} reaction to comment ${comment.id}.`);
+              } catch (error) {
+                if (error.status === 422 && /already exists/i.test(String(error.message))) {
+                  core.info(`${content} reaction already exists on comment ${comment.id}.`);
+                  return;
+                }
+                if (error.status === 403 && /resource not accessible by integration/i.test(String(error.message))) {
+                  core.warning(`${content} reaction could not be added with this token: ${error.message}`);
+                  return;
+                }
+                throw error;
+              }
+            }
+
+            await react("eyes");
+            core.info(`Maintainer command observed on ${issue.pull_request ? "PR" : "issue"} #${issue.number}: ${commandLine}`);

.github/workflows/mantis-discord-smoke.yml

@@ -0,0 +1,169 @@
+name: Mantis Discord Smoke
+
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: Ref, tag, or SHA to run
+        required: true
+        default: main
+        type: string
+      post_message:
+        description: Post a smoke message and reaction to the configured Discord channel
+        required: true
+        default: true
+        type: boolean
+
+permissions:
+  contents: read
+  pull-requests: read
+
+concurrency:
+  group: mantis-discord-smoke-${{ inputs.ref }}-${{ github.run_attempt }}
+  cancel-in-progress: false
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+  NODE_VERSION: "24.x"
+  PNPM_VERSION: "10.33.0"
+  OPENCLAW_BUILD_PRIVATE_QA: "1"
+  OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
+
+jobs:
+  authorize_actor:
+    name: Authorize workflow actor
+    runs-on: blacksmith-8vcpu-ubuntu-2404
+    steps:
+      - name: Require maintainer-level repository access
+        uses: actions/github-script@v8
+        with:
+          script: |
+            const allowed = new Set(["admin", "maintain", "write"]);
+            const { owner, repo } = context.repo;
+            const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
+              owner,
+              repo,
+              username: context.actor,
+            });
+            const permission = data.permission;
+            core.info(`Actor ${context.actor} permission: ${permission}`);
+            if (!allowed.has(permission)) {
+              core.setFailed(
+                `Workflow requires write/maintain/admin access. Actor "${context.actor}" has "${permission}".`,
+              );
+            }
+
+  validate_selected_ref:
+    name: Validate selected ref
+    needs: authorize_actor
+    runs-on: blacksmith-8vcpu-ubuntu-2404
+    outputs:
+      selected_revision: ${{ steps.validate.outputs.selected_revision }}
+      trusted_reason: ${{ steps.validate.outputs.trusted_reason }}
+    steps:
+      - name: Checkout selected ref
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          ref: ${{ inputs.ref }}
+          fetch-depth: 0
+
+      - name: Validate selected ref
+        id: validate
+        env:
+          GH_TOKEN: ${{ github.token }}
+          INPUT_REF: ${{ inputs.ref }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          selected_revision="$(git rev-parse HEAD)"
+          trusted_reason=""
+
+          git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
+
+          if git merge-base --is-ancestor "$selected_revision" refs/remotes/origin/main; then
+            trusted_reason="main-ancestor"
+          elif git tag --points-at "$selected_revision" | grep -Eq '^v'; then
+            trusted_reason="release-tag"
+          elif [[ "$INPUT_REF" =~ ^release/[0-9]{4}\.[0-9]+\.[0-9]+$ ]]; then
+            git fetch --no-tags origin "+refs/heads/${INPUT_REF}:refs/remotes/origin/${INPUT_REF}"
+            release_branch_sha="$(git rev-parse "refs/remotes/origin/${INPUT_REF}")"
+            if [[ "$selected_revision" == "$release_branch_sha" ]]; then
+              trusted_reason="release-branch-head"
+            fi
+          else
+            pr_head_count="$(
+              gh api \
+                -H "Accept: application/vnd.github+json" \
+                "repos/${GITHUB_REPOSITORY}/commits/${selected_revision}/pulls" \
+                --jq '[.[] | select(.state == "open" and .head.repo.full_name == "'"${GITHUB_REPOSITORY}"'" and .head.sha == "'"${selected_revision}"'")] | length'
+            )"
+            if [[ "$pr_head_count" != "0" ]]; then
+              trusted_reason="open-pr-head"
+            fi
+          fi
+
+          if [[ -z "$trusted_reason" ]]; then
+            echo "Ref '${INPUT_REF}' resolved to $selected_revision, which is not trusted for this secret-bearing Mantis run." >&2
+            echo "Allowed refs must be on main, point to a release tag, match a release branch head, or match an open PR head in ${GITHUB_REPOSITORY}." >&2
+            exit 1
+          fi
+
+          echo "selected_revision=$selected_revision" >> "$GITHUB_OUTPUT"
+          echo "trusted_reason=$trusted_reason" >> "$GITHUB_OUTPUT"
+          {
+            echo "Validated ref: \`${INPUT_REF}\`"
+            echo "Resolved SHA: \`$selected_revision\`"
+            echo "Trust reason: \`$trusted_reason\`"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+  run_discord_smoke:
+    name: Run Mantis Discord smoke
+    needs: validate_selected_ref
+    runs-on: blacksmith-8vcpu-ubuntu-2404
+    timeout-minutes: 20
+    environment: qa-live-shared
+    steps:
+      - name: Checkout selected ref
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          ref: ${{ needs.validate_selected_ref.outputs.selected_revision }}
+          fetch-depth: 1
+
+      - name: Setup Node environment
+        uses: ./.github/actions/setup-node-env
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          pnpm-version: ${{ env.PNPM_VERSION }}
+          install-bun: "true"
+
+      - name: Build private QA runtime
+        run: pnpm build
+
+      - name: Run Mantis Discord smoke
+        shell: bash
+        env:
+          OPENCLAW_QA_DISCORD_MANTIS_BOT_TOKEN: ${{ secrets.OPENCLAW_QA_DISCORD_MANTIS_BOT_TOKEN }}
+          OPENCLAW_QA_DISCORD_GUILD_ID: ${{ secrets.OPENCLAW_QA_DISCORD_GUILD_ID }}
+          OPENCLAW_QA_DISCORD_CHANNEL_ID: ${{ secrets.OPENCLAW_QA_DISCORD_CHANNEL_ID }}
+          OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
+        run: |
+          set -euo pipefail
+          args=()
+          if [[ "${{ inputs.post_message }}" != "true" ]]; then
+            args+=(--skip-post)
+          fi
+          pnpm openclaw qa mantis discord-smoke \
+            --repo-root . \
+            --output-dir .artifacts/qa-e2e/mantis/discord-smoke \
+            "${args[@]}"
+
+      - name: Upload Mantis artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: mantis-discord-smoke-${{ github.run_id }}-${{ github.run_attempt }}
+          path: .artifacts/qa-e2e/mantis/
+          retention-days: 14
+          if-no-files-found: warn

.github/workflows/mantis-discord-status-reactions.yml

@@ -0,0 +1,386 @@
+name: Mantis Discord Status Reactions
+
+on:
+  workflow_dispatch:
+    inputs:
+      baseline_ref:
+        description: Ref, tag, or SHA expected to reproduce queued-only behavior
+        required: true
+        default: 0bf06e953fdda290799fc9fb9244a8f67fdae593
+        type: string
+      candidate_ref:
+        description: Ref, tag, or SHA expected to show queued -> thinking -> done
+        required: true
+        default: main
+        type: string
+      pr_number:
+        description: Optional bug or fix PR number to receive the QA evidence comment
+        required: false
+        type: string
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+
+concurrency:
+  group: mantis-discord-status-reactions-${{ inputs.baseline_ref }}-${{ inputs.candidate_ref }}-${{ github.run_attempt }}
+  cancel-in-progress: false
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+  NODE_VERSION: "24.x"
+  PNPM_VERSION: "10.33.0"
+  OPENCLAW_BUILD_PRIVATE_QA: "1"
+  OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
+
+jobs:
+  authorize_actor:
+    name: Authorize workflow actor
+    runs-on: blacksmith-8vcpu-ubuntu-2404
+    steps:
+      - name: Require maintainer-level repository access
+        uses: actions/github-script@v8
+        with:
+          script: |
+            const allowed = new Set(["admin", "maintain", "write"]);
+            const { owner, repo } = context.repo;
+            const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
+              owner,
+              repo,
+              username: context.actor,
+            });
+            const permission = data.permission;
+            core.info(`Actor ${context.actor} permission: ${permission}`);
+            if (!allowed.has(permission)) {
+              core.setFailed(
+                `Workflow requires write/maintain/admin access. Actor "${context.actor}" has "${permission}".`,
+              );
+            }
+
+  validate_refs:
+    name: Validate selected refs
+    needs: authorize_actor
+    runs-on: blacksmith-8vcpu-ubuntu-2404
+    outputs:
+      baseline_revision: ${{ steps.validate.outputs.baseline_revision }}
+      candidate_revision: ${{ steps.validate.outputs.candidate_revision }}
+    steps:
+      - name: Checkout harness ref
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Validate refs are trusted
+        id: validate
+        env:
+          GH_TOKEN: ${{ github.token }}
+          BASELINE_REF: ${{ inputs.baseline_ref }}
+          CANDIDATE_REF: ${{ inputs.candidate_ref }}
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
+
+          validate_ref() {
+            local label="$1"
+            local input_ref="$2"
+            local revision=""
+            local reason=""
+
+            revision="$(git rev-parse "${input_ref}^{commit}")"
+            if git merge-base --is-ancestor "$revision" refs/remotes/origin/main; then
+              reason="main-ancestor"
+            elif git tag --points-at "$revision" | grep -Eq '^v'; then
+              reason="release-tag"
+            else
+              local pr_head_count
+              pr_head_count="$(
+                gh api \
+                  -H "Accept: application/vnd.github+json" \
+                  "repos/${GITHUB_REPOSITORY}/commits/${revision}/pulls" \
+                  --jq '[.[] | select(.state == "open" and .head.repo.full_name == "'"${GITHUB_REPOSITORY}"'" and .head.sha == "'"${revision}"'")] | length'
+              )"
+              if [[ "$pr_head_count" != "0" ]]; then
+                reason="open-pr-head"
+              fi
+            fi
+
+            if [[ -z "$reason" ]]; then
+              echo "${label} ref '${input_ref}' resolved to ${revision}, which is not trusted for this secret-bearing Mantis run." >&2
+              exit 1
+            fi
+
+            echo "${label}_revision=${revision}" >> "$GITHUB_OUTPUT"
+            {
+              echo "${label}: \`${input_ref}\`"
+              echo "${label} SHA: \`${revision}\`"
+              echo "${label} trust reason: \`${reason}\`"
+            } >> "$GITHUB_STEP_SUMMARY"
+          }
+
+          validate_ref baseline "$BASELINE_REF"
+          validate_ref candidate "$CANDIDATE_REF"
+
+  run_status_reactions:
+    name: Run Discord status reaction before/after
+    needs: validate_refs
+    runs-on: blacksmith-8vcpu-ubuntu-2404
+    timeout-minutes: 180
+    environment: qa-live-shared
+    steps:
+      - name: Checkout harness ref
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Setup Node environment
+        uses: ./.github/actions/setup-node-env
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          pnpm-version: ${{ env.PNPM_VERSION }}
+          install-bun: "true"
+
+      - name: Build Mantis harness
+        run: pnpm build
+
+      - name: Prepare baseline and candidate worktrees
+        shell: bash
+        env:
+          BASELINE_SHA: ${{ needs.validate_refs.outputs.baseline_revision }}
+          CANDIDATE_SHA: ${{ needs.validate_refs.outputs.candidate_revision }}
+        run: |
+          set -euo pipefail
+
+          worktree_root=".artifacts/qa-e2e/mantis/discord-status-reactions-worktrees"
+          mkdir -p "$worktree_root"
+          git worktree add --detach "$worktree_root/baseline" "$BASELINE_SHA"
+          git worktree add --detach "$worktree_root/candidate" "$CANDIDATE_SHA"
+
+          for lane in baseline candidate; do
+            lane_dir="$worktree_root/${lane}"
+            echo "Installing ${lane} worktree dependencies"
+            pnpm --dir "$lane_dir" install --frozen-lockfile
+            echo "Building ${lane} worktree"
+            pnpm --dir "$lane_dir" build
+          done
+
+      - name: Run baseline and candidate
+        id: run_mantis
+        shell: bash
+        env:
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+          OPENCLAW_QA_CONVEX_SITE_URL: ${{ secrets.OPENCLAW_QA_CONVEX_SITE_URL }}
+          OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
+          OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
+          OPENCLAW_QA_DISCORD_CAPTURE_CONTENT: "1"
+        run: |
+          set -euo pipefail
+
+          require_var() {
+            local key="$1"
+            if [[ -z "${!key:-}" ]]; then
+              echo "Missing required ${key}." >&2
+              exit 1
+            fi
+          }
+
+          require_var OPENAI_API_KEY
+          require_var OPENCLAW_QA_CONVEX_SITE_URL
+          require_var OPENCLAW_QA_CONVEX_SECRET_CI
+
+          root=".artifacts/qa-e2e/mantis/discord-status-reactions"
+          worktree_root=".artifacts/qa-e2e/mantis/discord-status-reactions-worktrees"
+          mkdir -p "$root"
+          echo "output_dir=${root}" >> "$GITHUB_OUTPUT"
+
+          run_lane() {
+            local lane="$1"
+            local repo_root="$worktree_root/$lane"
+            local output_dir=".artifacts/qa-e2e/mantis/discord-status-reactions/$lane"
+            pnpm openclaw qa discord \
+              --repo-root "$repo_root" \
+              --output-dir "$output_dir" \
+              --provider-mode live-frontier \
+              --model openai/gpt-5.4 \
+              --alt-model openai/gpt-5.4 \
+              --fast \
+              --credential-source convex \
+              --credential-role ci \
+              --scenario discord-status-reactions-tool-only \
+              --allow-failures
+            rm -rf "$root/$lane"
+            mkdir -p "$root/$lane"
+            cp -a "$repo_root/$output_dir/." "$root/$lane/"
+          }
+
+          run_lane baseline
+          run_lane candidate
+
+          baseline_status="$(jq -r '.scenarios[0].status' "$root/baseline/discord-qa-summary.json")"
+          candidate_status="$(jq -r '.scenarios[0].status' "$root/candidate/discord-qa-summary.json")"
+
+          jq -n \
+            --arg baseline_status "$baseline_status" \
+            --arg candidate_status "$candidate_status" \
+            --arg baseline_sha "${{ needs.validate_refs.outputs.baseline_revision }}" \
+            --arg candidate_sha "${{ needs.validate_refs.outputs.candidate_revision }}" \
+            '{
+              scenario: "discord-status-reactions-tool-only",
+              baseline: { sha: $baseline_sha, expected: "queued-only", status: $baseline_status, reproduced: ($baseline_status == "fail") },
+              candidate: { sha: $candidate_sha, expected: "queued -> thinking -> done", status: $candidate_status, fixed: ($candidate_status == "pass") },
+              pass: (($baseline_status == "fail") and ($candidate_status == "pass"))
+            }' > "$root/comparison.json"
+
+          {
+            echo "# Mantis Discord Status Reactions"
+            echo
+            echo "- Scenario: \`discord-status-reactions-tool-only\`"
+            echo "- Baseline status: \`${baseline_status}\`"
+            echo "- Candidate status: \`${candidate_status}\`"
+            echo "- Baseline screenshot: \`baseline/discord-status-reactions-tool-only-timeline.png\`"
+            echo "- Candidate screenshot: \`candidate/discord-status-reactions-tool-only-timeline.png\`"
+          } > "$root/mantis-report.md"
+
+          cat "$root/mantis-report.md" >> "$GITHUB_STEP_SUMMARY"
+
+          if [[ "$baseline_status" != "fail" ]]; then
+            echo "Baseline did not reproduce queued-only behavior." >&2
+            exit 1
+          fi
+          if [[ "$candidate_status" != "pass" ]]; then
+            echo "Candidate did not show queued -> thinking -> done." >&2
+            exit 1
+          fi
+
+      - name: Upload Mantis status reaction artifacts
+        id: upload_artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: mantis-discord-status-reactions-${{ github.run_id }}-${{ github.run_attempt }}
+          path: ${{ steps.run_mantis.outputs.output_dir }}
+          retention-days: 14
+          if-no-files-found: warn
+
+      - name: Create Mantis GitHub App token
+        id: mantis_app_token
+        if: ${{ always() && inputs.pr_number != '' }}
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ secrets.MANTIS_GITHUB_APP_ID }}
+          private-key: ${{ secrets.MANTIS_GITHUB_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: ${{ github.event.repository.name }}
+          permission-contents: write
+          permission-issues: write
+          permission-pull-requests: write
+
+      - name: Comment PR with inline QA screenshots
+        if: ${{ always() && inputs.pr_number != '' && steps.run_mantis.outputs.output_dir != '' }}
+        env:
+          GH_TOKEN: ${{ steps.mantis_app_token.outputs.token }}
+          TARGET_PR: ${{ inputs.pr_number }}
+          ARTIFACT_URL: ${{ steps.upload_artifact.outputs.artifact-url }}
+          BASELINE_SHA: ${{ needs.validate_refs.outputs.baseline_revision }}
+          CANDIDATE_SHA: ${{ needs.validate_refs.outputs.candidate_revision }}
+          MANTIS_COMMENT_BOT_LOGIN: ${{ vars.MANTIS_GITHUB_APP_BOT_LOGIN || 'openclaw-mantis-qa[bot]' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          if [[ ! "$TARGET_PR" =~ ^[0-9]+$ ]]; then
+            echo "pr_number must be numeric, got '${TARGET_PR}'." >&2
+            exit 1
+          fi
+
+          root=".artifacts/qa-e2e/mantis/discord-status-reactions"
+          for required in \
+            "$root/comparison.json" \
+            "$root/baseline/discord-status-reactions-tool-only-timeline.png" \
+            "$root/candidate/discord-status-reactions-tool-only-timeline.png"
+          do
+            if [[ ! -f "$required" ]]; then
+              echo "Missing required QA evidence file: $required" >&2
+              exit 1
+            fi
+          done
+
+          gh api "repos/${GITHUB_REPOSITORY}/pulls/${TARGET_PR}" --jq '.number' >/dev/null
+
+          artifact_root="mantis/discord-status-reactions/pr-${TARGET_PR}/run-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}"
+          artifacts_worktree="$(mktemp -d)"
+          git init --quiet "$artifacts_worktree"
+          git -C "$artifacts_worktree" config user.name "github-actions[bot]"
+          git -C "$artifacts_worktree" config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git -C "$artifacts_worktree" remote add origin "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
+
+          if git -C "$artifacts_worktree" fetch --quiet origin qa-artifacts; then
+            git -C "$artifacts_worktree" checkout --quiet -B qa-artifacts FETCH_HEAD
+          else
+            git -C "$artifacts_worktree" checkout --quiet --orphan qa-artifacts
+          fi
+
+          mkdir -p "$artifacts_worktree/$artifact_root"
+          cp "$root/baseline/discord-status-reactions-tool-only-timeline.png" "$artifacts_worktree/$artifact_root/baseline.png"
+          cp "$root/candidate/discord-status-reactions-tool-only-timeline.png" "$artifacts_worktree/$artifact_root/candidate.png"
+          cp "$root/comparison.json" "$artifacts_worktree/$artifact_root/comparison.json"
+          cp "$root/mantis-report.md" "$artifacts_worktree/$artifact_root/mantis-report.md"
+
+          git -C "$artifacts_worktree" add "$artifact_root"
+          if git -C "$artifacts_worktree" diff --cached --quiet; then
+            echo "No QA screenshot artifact changes to publish."
+          else
+            git -C "$artifacts_worktree" commit --quiet -m "qa: publish Mantis Discord screenshots for PR ${TARGET_PR}"
+            git -C "$artifacts_worktree" push --quiet origin HEAD:qa-artifacts
+          fi
+
+          encoded_artifact_root="${artifact_root// /%20}"
+          raw_base="https://raw.githubusercontent.com/${GITHUB_REPOSITORY}/qa-artifacts/${encoded_artifact_root}"
+          baseline_status="$(jq -r '.baseline.status' "$root/comparison.json")"
+          candidate_status="$(jq -r '.candidate.status' "$root/comparison.json")"
+          pass="$(jq -r '.pass' "$root/comparison.json")"
+          comment_file="$(mktemp)"
+          cat > "$comment_file" <<EOF
+          <!-- mantis-discord-status-reactions -->
+          ## Mantis Discord Status Reactions QA
+
+          Summary: Mantis reran Discord status reactions against the known queued-only baseline and the candidate ref. The baseline reproduced the bug, while the candidate showed the expected queued -> thinking -> done reaction sequence.
+
+          - Scenario: \`discord-status-reactions-tool-only\`
+          - Run: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}
+          - Artifact: ${ARTIFACT_URL}
+          - Baseline: \`${baseline_status}\` at \`${BASELINE_SHA}\`
+          - Candidate: \`${candidate_status}\` at \`${CANDIDATE_SHA}\`
+          - Overall: \`${pass}\`
+
+          | Baseline queued-only | Candidate queued -> thinking -> done |
+          | --- | --- |
+          | <img src="${raw_base}/baseline.png" width="420" alt="Baseline Discord status reaction timeline"> | <img src="${raw_base}/candidate.png" width="420" alt="Candidate Discord status reaction timeline"> |
+
+          Raw QA files: https://github.com/${GITHUB_REPOSITORY}/tree/qa-artifacts/${artifact_root}
+          EOF
+
+          comment_id="$(
+            gh api --paginate "repos/${GITHUB_REPOSITORY}/issues/${TARGET_PR}/comments" \
+              --jq ".[] | select(.body | contains(\"<!-- mantis-discord-status-reactions -->\")) | select(.user.login == \"${MANTIS_COMMENT_BOT_LOGIN}\") | .id" \
+              | tail -n 1
+          )"
+
+          if [[ -n "$comment_id" ]]; then
+            comment_payload="$(mktemp)"
+            jq -n --rawfile body "$comment_file" '{ body: $body }' > "$comment_payload"
+            if gh api --method PATCH "repos/${GITHUB_REPOSITORY}/issues/comments/${comment_id}" --input "$comment_payload" >/dev/null; then
+              echo "Updated Mantis QA screenshot comment on PR #${TARGET_PR}."
+            else
+              echo "::warning::Could not update existing Mantis QA screenshot comment ${comment_id}; creating a new one."
+              gh pr comment "$TARGET_PR" --body-file "$comment_file"
+              echo "Created Mantis QA screenshot comment on PR #${TARGET_PR}."
+            fi
+          else
+            gh pr comment "$TARGET_PR" --body-file "$comment_file"
+            echo "Created Mantis QA screenshot comment on PR #${TARGET_PR}."
+          fi

.github/workflows/npm-telegram-beta-e2e.yml

@@ -18,6 +18,11 @@ on:
         required: false
         default: ""
         type: string
+      package_artifact_run_id:
+        description: Advanced run id containing package_artifact_name; blank downloads from this run
+        required: false
+        default: ""
+        type: string
       harness_ref:
         description: Source ref for the private QA harness; defaults to the dispatched workflow ref
         required: false
@@ -42,7 +47,12 @@ on:
         required: true
         type: string
       package_artifact_name:
-        description: Optional package-under-test artifact from the current workflow run
+        description: Optional package-under-test artifact from the current or specified workflow run
+        required: false
+        default: ""
+        type: string
+      package_artifact_run_id:
+        description: Optional run id containing package_artifact_name
         required: false
         default: ""
         type: string
@@ -93,6 +103,7 @@ jobs:
     timeout-minutes: 60
     environment: qa-live-shared
     permissions:
+      actions: read
       contents: read
     env:
       DOCKER_BUILD_SUMMARY: "false"
@@ -105,12 +116,12 @@ jobs:
           fetch-depth: 1
 
       - name: Set up Blacksmith Docker Builder
-        uses: useblacksmith/setup-docker-builder@ac083cc84672d01c60d5e8561d0a939b697de542 # v1
+        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
         with:
           max-cache-size-mb: 800000
 
       - name: Build Docker E2E image
-        uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2
+        uses: useblacksmith/build-push-action@fb9e3e6a9299c78462bfadd0d93352c316adc9b8 # v2
         with:
           context: .
           file: ./scripts/e2e/Dockerfile
@@ -141,8 +152,8 @@ jobs:
           set -euo pipefail
 
           if [[ -z "${PACKAGE_ARTIFACT_NAME// }" ]]; then
-            if [[ ! "${PACKAGE_SPEC}" =~ ^openclaw@(beta|latest|[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*(-[1-9][0-9]*|-beta\.[1-9][0-9]*)?)$ ]]; then
-              echo "package_spec must be openclaw@beta, openclaw@latest, or an exact OpenClaw release version; got: ${PACKAGE_SPEC}" >&2
+            if [[ ! "${PACKAGE_SPEC}" =~ ^openclaw@(alpha|beta|latest|[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*(-[1-9][0-9]*|-(alpha|beta)\.[1-9][0-9]*)?)$ ]]; then
+              echo "package_spec must be openclaw@alpha, openclaw@beta, openclaw@latest, or an exact OpenClaw release version; got: ${PACKAGE_SPEC}" >&2
               exit 1
             fi
           fi
@@ -169,12 +180,21 @@ jobs:
           fi
 
       - name: Download package-under-test artifact
-        if: inputs.package_artifact_name != ''
+        if: inputs.package_artifact_name != '' && inputs.package_artifact_run_id == ''
         uses: actions/download-artifact@v8
         with:
           name: ${{ inputs.package_artifact_name }}
           path: .artifacts/telegram-package-under-test
 
+      - name: Download package-under-test artifact from release run
+        if: inputs.package_artifact_name != '' && inputs.package_artifact_run_id != ''
+        uses: actions/download-artifact@v8
+        with:
+          name: ${{ inputs.package_artifact_name }}
+          path: .artifacts/telegram-package-under-test
+          run-id: ${{ inputs.package_artifact_run_id }}
+          github-token: ${{ github.token }}
+
       - name: Run package Telegram E2E
         id: run_lane
         shell: bash

.github/workflows/openclaw-cross-os-release-checks-reusable.yml

@@ -76,6 +76,11 @@ on:
         required: false
         default: ""
         type: string
+      openai_model:
+        description: OpenAI model for release cross-OS agent-turn smoke
+        required: false
+        default: ""
+        type: string
   workflow_call:
     inputs:
       ref:
@@ -140,6 +145,11 @@ on:
         required: false
         default: ""
         type: string
+      openai_model:
+        description: OpenAI model for release cross-OS agent-turn smoke
+        required: false
+        default: ""
+        type: string
     secrets:
       OPENAI_API_KEY:
         required: false
@@ -158,7 +168,7 @@ permissions: read-all
 
 concurrency:
   group: openclaw-cross-os-release-checks-${{ inputs.ref }}-${{ inputs.provider }}-${{ inputs.mode }}
-  cancel-in-progress: false
+  cancel-in-progress: ${{ inputs.ref == 'main' }}
 
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
@@ -166,10 +176,11 @@ env:
   PNPM_VERSION: "10.32.1"
   OPENCLAW_REPOSITORY: openclaw/openclaw
   TSX_VERSION: "4.21.0"
+  OPENCLAW_CROSS_OS_OPENAI_MODEL: ${{ inputs.openai_model || vars.OPENCLAW_CROSS_OS_OPENAI_MODEL || 'openai/gpt-5.4' }}
 
 jobs:
   prepare:
-    runs-on: blacksmith-8vcpu-ubuntu-2404
+    runs-on: ubuntu-24.04
     outputs:
       baseline_file_name: ${{ steps.baseline_metadata.outputs.file_name }}
       baseline_spec: ${{ steps.baseline.outputs.value }}
@@ -321,7 +332,7 @@ jobs:
           submodules: recursive
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1
         with:
           version: ${{ env.PNPM_VERSION }}
           run_install: false
@@ -333,6 +344,9 @@ jobs:
           cache: pnpm
           cache-dependency-path: ${{ inputs.candidate_artifact_name == '' && 'source/pnpm-lock.yaml' || 'workflow/pnpm-lock.yaml' }}
 
+      - name: Ensure pnpm store cache directory exists
+        run: mkdir -p "$(pnpm store path --silent)"
+
       - name: Build candidate artifact once
         if: inputs.candidate_artifact_name == ''
         env:
@@ -343,12 +357,19 @@ jobs:
             --source-dir source \
             --output-dir "${OUTPUT_DIR}"
 
-      - name: Download provided candidate artifact
-        if: inputs.candidate_artifact_name != ''
+      - name: Download current-run candidate artifact
+        if: inputs.candidate_artifact_name != '' && inputs.candidate_artifact_run_id == ''
         uses: actions/download-artifact@v8
         with:
           name: ${{ inputs.candidate_artifact_name }}
-          run-id: ${{ inputs.candidate_artifact_run_id || github.run_id }}
+          path: ${{ runner.temp }}/openclaw-cross-os-release-checks/prepare/package
+
+      - name: Download previous-run candidate artifact
+        if: inputs.candidate_artifact_name != '' && inputs.candidate_artifact_run_id != ''
+        uses: actions/download-artifact@v8
+        with:
+          name: ${{ inputs.candidate_artifact_name }}
+          run-id: ${{ inputs.candidate_artifact_run_id }}
           github-token: ${{ github.token }}
           path: ${{ runner.temp }}/openclaw-cross-os-release-checks/prepare/package
 
@@ -496,7 +517,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1
         with:
           version: ${{ env.PNPM_VERSION }}
           run_install: false

.github/workflows/openclaw-npm-release.yml

@@ -17,11 +17,12 @@ on:
         required: false
         type: string
       npm_dist_tag:
-        description: npm dist-tag to publish to for stable releases
+        description: npm dist-tag to publish to
         required: true
         default: beta
         type: choice
         options:
+          - alpha
           - beta
           - latest
 
@@ -54,7 +55,7 @@ jobs:
           RELEASE_NPM_DIST_TAG: ${{ inputs.npm_dist_tag }}
         run: |
           set -euo pipefail
-          if [[ ! "${RELEASE_REF}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-beta\.[1-9][0-9]*)|(-[1-9][0-9]*))?$ ]] && [[ ! "${RELEASE_REF}" =~ ^[0-9a-fA-F]{40}$ ]]; then
+          if [[ ! "${RELEASE_REF}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-(alpha|beta)\.[1-9][0-9]*)|(-[1-9][0-9]*))?$ ]] && [[ ! "${RELEASE_REF}" =~ ^[0-9a-fA-F]{40}$ ]]; then
             echo "Invalid release ref format: ${RELEASE_REF}"
             exit 1
           fi
@@ -62,6 +63,10 @@ jobs:
             echo "Full commit SHA input is only supported for validation-only preflight runs."
             exit 1
           fi
+          if [[ "${RELEASE_REF}" == *"-alpha."* && "${RELEASE_NPM_DIST_TAG}" != "alpha" ]]; then
+            echo "Alpha prerelease tags must publish to npm dist-tag alpha."
+            exit 1
+          fi
           if [[ "${RELEASE_REF}" == *"-beta."* && "${RELEASE_NPM_DIST_TAG}" != "beta" ]]; then
             echo "Beta prerelease tags must publish to npm dist-tag beta."
             exit 1
@@ -294,10 +299,14 @@ jobs:
           RELEASE_NPM_DIST_TAG: ${{ inputs.npm_dist_tag }}
         run: |
           set -euo pipefail
-          if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-beta\.[1-9][0-9]*)|(-[1-9][0-9]*))?$ ]]; then
+          if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-(alpha|beta)\.[1-9][0-9]*)|(-[1-9][0-9]*))?$ ]]; then
             echo "Invalid release tag format: ${RELEASE_TAG}"
             exit 1
           fi
+          if [[ "${RELEASE_TAG}" == *"-alpha."* && "${RELEASE_NPM_DIST_TAG}" != "alpha" ]]; then
+            echo "Alpha prerelease tags must publish to npm dist-tag alpha."
+            exit 1
+          fi
           if [[ "${RELEASE_TAG}" == *"-beta."* && "${RELEASE_NPM_DIST_TAG}" != "beta" ]]; then
             echo "Beta prerelease tags must publish to npm dist-tag beta."
             exit 1

.github/workflows/openclaw-performance.yml

@@ -0,0 +1,568 @@
+name: OpenClaw Performance
+
+on:
+  schedule:
+    - cron: "11 5 * * *"
+  workflow_dispatch:
+    inputs:
+      target_ref:
+        description: OpenClaw ref to benchmark; defaults to the workflow ref
+        required: false
+        default: ""
+        type: string
+      profile:
+        description: Kova profile to run
+        required: false
+        default: diagnostic
+        type: choice
+        options:
+          - smoke
+          - diagnostic
+          - soak
+          - release
+      repeat:
+        description: Repeat count for non-profiled Kova runs
+        required: false
+        default: "3"
+        type: string
+      deep_profile:
+        description: Run the deep-profile lane with CPU/heap/trace artifacts
+        required: false
+        default: false
+        type: boolean
+      live_gpt54:
+        description: Run the live OpenAI GPT 5.4 agent-turn lane
+        required: false
+        default: false
+        type: boolean
+      fail_on_regression:
+        description: Fail the workflow when Kova exits non-zero
+        required: false
+        default: false
+        type: boolean
+      kova_ref:
+        description: openclaw/Kova Git ref to install
+        required: false
+        default: b63b6f9e20efb23641df00487e982230d81a90ac
+        type: string
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.event_name == 'workflow_dispatch' && format('{0}-{1}', github.workflow, github.run_id) || format('{0}-{1}', github.workflow, github.ref) }}
+  cancel-in-progress: false
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+  OCM_VERSION: v0.2.15
+  KOVA_REPOSITORY: openclaw/Kova
+  PERFORMANCE_MODEL_ID: gpt-5.4
+
+jobs:
+  kova:
+    name: ${{ matrix.title }}
+    runs-on: blacksmith-16vcpu-ubuntu-2404
+    timeout-minutes: 240
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - lane: mock-provider
+            title: Kova mock provider performance
+            auth: mock
+            repeat: input
+            deep_profile: "false"
+            live: "false"
+            include_filters: "scenario:fresh-install scenario:gateway-performance scenario:bundled-plugin-startup scenario:bundled-runtime-deps scenario:agent-cold-warm-message"
+          - lane: mock-deep-profile
+            title: Kova mock provider deep profile
+            auth: mock
+            repeat: "1"
+            deep_profile: "true"
+            live: "false"
+            include_filters: "scenario:fresh-install scenario:gateway-performance scenario:agent-cold-warm-message"
+          - lane: live-gpt54
+            title: Kova live OpenAI GPT 5.4 agent turn
+            auth: live
+            repeat: "1"
+            deep_profile: "false"
+            live: "true"
+            include_filters: "scenario:agent-cold-warm-message"
+    env:
+      KOVA_REF: ${{ inputs.kova_ref || 'b63b6f9e20efb23641df00487e982230d81a90ac' }}
+      KOVA_HOME: ${{ github.workspace }}/.artifacts/kova/home/${{ matrix.lane }}
+      PERFORMANCE_HELPER_DIR: ${{ github.workspace }}/.artifacts/performance-workflow
+      REPORT_DIR: ${{ github.workspace }}/.artifacts/kova/reports/${{ matrix.lane }}
+      BUNDLE_DIR: ${{ github.workspace }}/.artifacts/kova/bundles/${{ matrix.lane }}
+      SUMMARY_DIR: ${{ github.workspace }}/.artifacts/kova/summaries
+      SOURCE_PERF_DIR: ${{ github.workspace }}/.artifacts/openclaw-performance/source/${{ matrix.lane }}
+      LANE_ID: ${{ matrix.lane }}
+      TARGET_REF: ${{ inputs.target_ref || github.ref_name }}
+      PROFILE: ${{ inputs.profile || 'diagnostic' }}
+      REQUESTED_REPEAT: ${{ inputs.repeat || '3' }}
+      FAIL_ON_REGRESSION: ${{ inputs.fail_on_regression || 'false' }}
+      INCLUDE_FILTERS: ${{ matrix.include_filters }}
+      AUTH_MODE: ${{ matrix.auth }}
+      MATRIX_REPEAT: ${{ matrix.repeat }}
+      MATRIX_DEEP_PROFILE: ${{ matrix.deep_profile }}
+      MATRIX_LIVE: ${{ matrix.live }}
+    steps:
+      - name: Decide lane
+        id: lane
+        shell: bash
+        run: |
+          set -euo pipefail
+          run_lane=true
+          reason=""
+          if [[ "$LANE_ID" == "mock-deep-profile" && "${{ github.event_name }}" != "schedule" && "${{ inputs.deep_profile || 'false' }}" != "true" ]]; then
+            run_lane=false
+            reason="deep_profile input is false"
+          fi
+          if [[ "$LANE_ID" == "live-gpt54" && "${{ github.event_name }}" != "schedule" && "${{ inputs.live_gpt54 || 'false' }}" != "true" ]]; then
+            run_lane=false
+            reason="live_gpt54 input is false"
+          fi
+          echo "run=$run_lane" >> "$GITHUB_OUTPUT"
+          if [[ "$run_lane" != "true" ]]; then
+            echo "Skipping ${LANE_ID}: ${reason}" >> "$GITHUB_STEP_SUMMARY"
+          fi
+
+      - name: Detect clawgrit report token
+        id: clawgrit
+        if: steps.lane.outputs.run == 'true'
+        env:
+          CLAWGRIT_REPORTS_TOKEN: ${{ secrets.CLAWGRIT_REPORTS_TOKEN }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          if [[ -n "${CLAWGRIT_REPORTS_TOKEN:-}" ]]; then
+            echo "present=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "present=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Checkout OpenClaw
+        if: steps.lane.outputs.run == 'true'
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ inputs.target_ref || github.ref }}
+          fetch-depth: 1
+          persist-credentials: false
+
+      - name: Checkout performance workflow helpers
+        if: steps.lane.outputs.run == 'true'
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ github.sha }}
+          path: .artifacts/performance-workflow
+          fetch-depth: 1
+          persist-credentials: false
+
+      - name: Record tested revision
+        if: steps.lane.outputs.run == 'true'
+        shell: bash
+        run: |
+          set -euo pipefail
+          tested_sha="$(git rev-parse HEAD)"
+          echo "TESTED_REF=${TARGET_REF}" >> "$GITHUB_ENV"
+          echo "TESTED_SHA=${tested_sha}" >> "$GITHUB_ENV"
+          {
+            echo "Tested ref: ${TARGET_REF}"
+            echo "Tested SHA: ${tested_sha}"
+            echo "Workflow ref: ${GITHUB_REF_NAME}"
+            echo "Workflow SHA: ${GITHUB_SHA}"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Set up Node environment
+        if: steps.lane.outputs.run == 'true'
+        uses: ./.github/actions/setup-node-env
+        with:
+          install-bun: "false"
+
+      - name: Install OCM and Kova
+        if: steps.lane.outputs.run == 'true'
+        shell: bash
+        run: |
+          set -euo pipefail
+          KOVA_SRC="${RUNNER_TEMP}/kova-src"
+          echo "KOVA_SRC=$KOVA_SRC" >> "$GITHUB_ENV"
+          mkdir -p "$HOME/.local/bin" "$(dirname "$KOVA_SRC")"
+          curl -fsSL https://raw.githubusercontent.com/shakkernerd/ocm/main/install.sh \
+            | bash -s -- --version "$OCM_VERSION" --prefix "$HOME/.local" --force
+          git clone --filter=blob:none "https://github.com/${KOVA_REPOSITORY}.git" "$KOVA_SRC"
+          git -C "$KOVA_SRC" checkout "$KOVA_REF"
+          cat > "$HOME/.local/bin/kova" <<EOF
+          #!/usr/bin/env bash
+          export KOVA_HOME="${KOVA_HOME}"
+          exec node "${KOVA_SRC}/bin/kova.mjs" "\$@"
+          EOF
+          chmod 0755 "$HOME/.local/bin/kova"
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+
+      - name: Pin Kova OpenAI model to GPT 5.4
+        if: steps.lane.outputs.run == 'true'
+        shell: bash
+        run: |
+          set -euo pipefail
+          node - <<'NODE'
+          const fs = require("node:fs");
+          const path = require("node:path");
+          const root = process.env.KOVA_SRC;
+          const files = [
+            "support/configure-openclaw-mock-auth.mjs",
+            "support/configure-openclaw-live-auth.mjs",
+            "support/mock-openai-server.mjs",
+            "states/mock-openai-provider.json"
+          ];
+          for (const rel of files) {
+            const file = path.join(root, rel);
+            const before = fs.readFileSync(file, "utf8");
+            const after = before.replaceAll("gpt-5.5", process.env.PERFORMANCE_MODEL_ID);
+            fs.writeFileSync(file, after, "utf8");
+          }
+          NODE
+
+      - name: Kova version and plan sanity
+        if: steps.lane.outputs.run == 'true'
+        shell: bash
+        run: |
+          set -euo pipefail
+          kova version --json
+          kova matrix plan \
+            --profile "$PROFILE" \
+            --target "local-build:${GITHUB_WORKSPACE}" \
+            --include scenario:fresh-install \
+            --json >/tmp/kova-plan.json
+
+      - name: Configure live OpenAI auth
+        if: ${{ steps.lane.outputs.run == 'true' && matrix.live == 'true' }}
+        env:
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+          OPENAI_BASE_URL: ${{ secrets.OPENAI_BASE_URL }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          if [[ -z "${OPENAI_API_KEY:-}" ]]; then
+            echo "OPENAI_API_KEY is not configured; live GPT 5.4 lane will be skipped." >> "$GITHUB_STEP_SUMMARY"
+            exit 0
+          fi
+          kova setup --ci --json
+          kova setup --non-interactive --auth env-only --provider openai --env-var OPENAI_API_KEY --json
+
+      - name: Run Kova
+        id: kova
+        if: steps.lane.outputs.run == 'true'
+        env:
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+          OPENAI_BASE_URL: ${{ secrets.OPENAI_BASE_URL }}
+          CLAWGRIT_REPORTS_TOKEN_PRESENT: ${{ steps.clawgrit.outputs.present || 'false' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          mkdir -p "$REPORT_DIR" "$BUNDLE_DIR" "$SUMMARY_DIR"
+
+          if [[ "$MATRIX_LIVE" == "true" && -z "${OPENAI_API_KEY:-}" ]]; then
+            echo "skipped=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          repeat="$REQUESTED_REPEAT"
+          if [[ "$MATRIX_REPEAT" != "input" ]]; then
+            repeat="$MATRIX_REPEAT"
+          fi
+
+          args=(
+            matrix run
+            --profile "$PROFILE"
+            --target "local-build:${GITHUB_WORKSPACE}"
+            --auth "$AUTH_MODE"
+            --parallel 1
+            --repeat "$repeat"
+            --report-dir "$REPORT_DIR"
+            --execute
+            --json
+          )
+
+          for filter in $INCLUDE_FILTERS; do
+            args+=(--include "$filter")
+          done
+
+          if [[ "$MATRIX_DEEP_PROFILE" == "true" ]]; then
+            args+=(--deep-profile)
+          fi
+          if [[ "$FAIL_ON_REGRESSION" == "true" ]]; then
+            args+=(--gate)
+          fi
+
+          log_path="$REPORT_DIR/${LANE_ID}.log"
+          set +e
+          kova "${args[@]}" 2>&1 | tee "$log_path"
+          status=${PIPESTATUS[0]}
+          set -e
+
+          report_json="$(find "$REPORT_DIR" -maxdepth 1 -type f -name '*.json' -print | sort | tail -n 1)"
+          if [[ -z "$report_json" ]]; then
+            echo "Kova did not write a JSON report." >&2
+            exit 1
+          fi
+          report_md="${report_json%.json}.md"
+          echo "status=$status" >> "$GITHUB_OUTPUT"
+          echo "report_json=$report_json" >> "$GITHUB_OUTPUT"
+          echo "report_md=$report_md" >> "$GITHUB_OUTPUT"
+
+          kova report bundle "$report_json" --output-dir "$BUNDLE_DIR" --json | tee "$BUNDLE_DIR/bundle.json"
+
+          ref_slug="$(printf '%s' "${TESTED_REF}" | tr -c 'A-Za-z0-9._-' '-')"
+          run_slug="${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}"
+          report_url=""
+          if [[ "${CLAWGRIT_REPORTS_TOKEN_PRESENT:-false}" == "true" ]]; then
+            report_url="https://github.com/openclaw/clawgrit-reports/tree/main/openclaw-performance/${ref_slug}/${run_slug}/${LANE_ID}"
+          fi
+          summary_path="$SUMMARY_DIR/${LANE_ID}.md"
+          summary_args=(node "$PERFORMANCE_HELPER_DIR/scripts/kova-ci-summary.mjs" --report "$report_json" --output "$summary_path" --lane "$LANE_ID")
+          if [[ -n "$report_url" ]]; then
+            summary_args+=(--report-url "$report_url")
+          fi
+          "${summary_args[@]}"
+          cat >> "$summary_path" <<EOF
+
+          ## Test scope
+
+          - Repository: ${GITHUB_REPOSITORY}
+          - Tested ref: ${TESTED_REF}
+          - Tested SHA: ${TESTED_SHA}
+          - Workflow ref: ${GITHUB_REF_NAME}
+          - Workflow SHA: ${GITHUB_SHA}
+          - Kova repository: ${KOVA_REPOSITORY}
+          - Kova ref: ${KOVA_REF}
+          - Kova profile: ${PROFILE}
+          - Lane auth: ${AUTH_MODE}
+          - Lane model: ${PERFORMANCE_MODEL_ID}
+          - Lane repeat: ${repeat}
+          - Include filters: ${INCLUDE_FILTERS}
+          EOF
+          cat "$summary_path" >> "$GITHUB_STEP_SUMMARY"
+
+          if [[ "$FAIL_ON_REGRESSION" == "true" && "$status" != "0" ]]; then
+            exit "$status"
+          fi
+
+      - name: Run OpenClaw source performance probes
+        if: ${{ steps.lane.outputs.run == 'true' && matrix.lane == 'mock-provider' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          source_runs="$REQUESTED_REPEAT"
+          if ! [[ "$source_runs" =~ ^[0-9]+$ ]] || [[ "$source_runs" -lt 1 ]]; then
+            source_runs=3
+          fi
+
+          mkdir -p "$SOURCE_PERF_DIR/mock-hello"
+          if ! node -e "const fs=require('node:fs'); const scripts=require('./package.json').scripts||{}; process.exit(scripts['test:gateway:cpu-scenarios'] && scripts.openclaw && fs.existsSync('scripts/bench-cli-startup.ts') ? 0 : 1)"; then
+            cat > "$SOURCE_PERF_DIR/index.md" <<EOF
+          # OpenClaw Source Performance
+
+          Generated: $(date -u +%Y-%m-%dT%H:%M:%SZ)
+
+          Source probes skipped for this tested ref because one or more probe entry points are not present in the checked-out source tree.
+
+          ## Test scope
+
+          - Tested ref: ${TESTED_REF}
+          - Tested SHA: ${TESTED_SHA}
+          - Required scripts: test:gateway:cpu-scenarios, openclaw, scripts/bench-cli-startup.ts
+          EOF
+            cat "$SOURCE_PERF_DIR/index.md" >> "$GITHUB_STEP_SUMMARY"
+            exit 0
+          fi
+
+          pnpm build
+
+          pnpm test:gateway:cpu-scenarios \
+            --output-dir "$SOURCE_PERF_DIR/gateway-cpu" \
+            --runs "$source_runs" \
+            --warmup 1 \
+            --skip-qa \
+            --startup-case default \
+            --startup-case skipChannels \
+            --startup-case oneInternalHook \
+            --startup-case allInternalHooks \
+            --startup-case fiftyPlugins \
+            --startup-case fiftyStartupLazyPlugins
+
+          for run_index in $(seq 1 "$source_runs"); do
+            run_dir="$SOURCE_PERF_DIR/mock-hello/run-$(printf '%03d' "$run_index")"
+            pnpm openclaw qa suite \
+              --provider-mode mock-openai \
+              --model "mock-openai/${PERFORMANCE_MODEL_ID}" \
+              --concurrency 1 \
+              --output-dir "$(realpath --relative-to="$GITHUB_WORKSPACE" "$run_dir")" \
+              --scenario channel-chat-baseline
+          done
+
+          gateway_home="$(mktemp -d)"
+          gateway_port="$(node -e "const net=require('node:net'); const s=net.createServer(); s.listen(0,'127.0.0.1',()=>{ console.log(s.address().port); s.close(); });")"
+          gateway_state="$gateway_home/.openclaw"
+          gateway_config="$gateway_state/openclaw.json"
+          gateway_log="$SOURCE_PERF_DIR/cli-gateway.log"
+          gateway_pid=""
+          mkdir -p "$gateway_state"
+          cat > "$gateway_config" <<EOF
+          {
+            "browser": { "enabled": false },
+            "gateway": {
+              "mode": "local",
+              "port": ${gateway_port},
+              "bind": "loopback",
+              "auth": { "mode": "none" },
+              "controlUi": { "enabled": false },
+              "tailscale": { "mode": "off" }
+            },
+            "plugins": {
+              "enabled": true,
+              "entries": { "browser": { "enabled": false } }
+            }
+          }
+          EOF
+          cleanup_gateway() {
+            if [[ -n "${gateway_pid:-}" ]] && kill -0 "$gateway_pid" 2>/dev/null; then
+              kill "$gateway_pid" 2>/dev/null || true
+              wait "$gateway_pid" 2>/dev/null || true
+            fi
+            rm -rf "$gateway_home"
+          }
+          trap cleanup_gateway EXIT
+          OPENCLAW_HOME="$gateway_home" OPENCLAW_STATE_DIR="$gateway_state" OPENCLAW_CONFIG_PATH="$gateway_config" OPENCLAW_GATEWAY_PORT="$gateway_port" OPENCLAW_SKIP_CHANNELS=1 \
+            node dist/entry.js gateway run --bind loopback --port "$gateway_port" --auth none --allow-unconfigured --force \
+            >"$gateway_log" 2>&1 &
+          gateway_pid="$!"
+
+          for _ in $(seq 1 120); do
+            if curl -fsS "http://127.0.0.1:${gateway_port}/healthz" >/dev/null; then
+              break
+            fi
+            if ! kill -0 "$gateway_pid" 2>/dev/null; then
+              cat "$gateway_log" >&2
+              exit 1
+            fi
+            sleep 1
+          done
+          curl -fsS "http://127.0.0.1:${gateway_port}/healthz" >/dev/null
+
+          OPENCLAW_HOME="$gateway_home" OPENCLAW_STATE_DIR="$gateway_state" OPENCLAW_CONFIG_PATH="$gateway_config" OPENCLAW_GATEWAY_PORT="$gateway_port" \
+            node --import tsx scripts/bench-cli-startup.ts \
+            --case gatewayHealthJson \
+            --case configGetGatewayPort \
+            --runs "$source_runs" \
+            --warmup 1 \
+            --output "$SOURCE_PERF_DIR/cli-startup.json"
+          cleanup_gateway
+          trap - EXIT
+
+          node "$PERFORMANCE_HELPER_DIR/scripts/openclaw-performance-source-summary.mjs" \
+            --source-dir "$SOURCE_PERF_DIR" \
+            --output "$SOURCE_PERF_DIR/index.md"
+
+          cat "$SOURCE_PERF_DIR/index.md" >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Upload Kova artifacts
+        if: ${{ always() && steps.lane.outputs.run == 'true' }}
+        uses: actions/upload-artifact@v5
+        with:
+          name: openclaw-performance-${{ matrix.lane }}-${{ github.run_id }}-${{ github.run_attempt }}
+          path: |
+            .artifacts/kova/reports/${{ matrix.lane }}
+            .artifacts/kova/bundles/${{ matrix.lane }}
+            .artifacts/kova/summaries/${{ matrix.lane }}.md
+            .artifacts/openclaw-performance/source/${{ matrix.lane }}
+          if-no-files-found: ignore
+          retention-days: ${{ matrix.deep_profile == 'true' && 14 || 30 }}
+
+      - name: Prepare clawgrit reports checkout
+        if: ${{ steps.kova.outputs.report_json != '' && steps.clawgrit.outputs.present == 'true' }}
+        env:
+          CLAWGRIT_REPORTS_TOKEN: ${{ secrets.CLAWGRIT_REPORTS_TOKEN }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          reports_root=".artifacts/clawgrit-reports"
+          mkdir -p "$reports_root"
+          git -C "$reports_root" init -b main
+          git -C "$reports_root" remote add origin https://github.com/openclaw/clawgrit-reports.git
+          auth_header="$(printf 'x-access-token:%s' "$CLAWGRIT_REPORTS_TOKEN" | base64 -w0)"
+          git -C "$reports_root" config http.https://github.com/.extraheader "AUTHORIZATION: basic ${auth_header}"
+          if git -C "$reports_root" ls-remote --exit-code --heads origin main >/dev/null 2>&1; then
+            git -C "$reports_root" fetch --depth=1 origin main
+            git -C "$reports_root" checkout -B main FETCH_HEAD
+          else
+            git -C "$reports_root" checkout -B main
+          fi
+
+      - name: Publish to clawgrit reports
+        if: ${{ steps.kova.outputs.report_json != '' && steps.clawgrit.outputs.present == 'true' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          reports_root=".artifacts/clawgrit-reports"
+          ref_slug="$(printf '%s' "${TESTED_REF}" | tr -c 'A-Za-z0-9._-' '-')"
+          run_slug="${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}"
+          dest="${reports_root}/openclaw-performance/${ref_slug}/${run_slug}/${LANE_ID}"
+          mkdir -p "$dest"
+          cp "${{ steps.kova.outputs.report_json }}" "$dest/report.json"
+          if [[ -f "${{ steps.kova.outputs.report_md }}" ]]; then
+            cp "${{ steps.kova.outputs.report_md }}" "$dest/report.md"
+          fi
+          cp "$SUMMARY_DIR/${LANE_ID}.md" "$dest/index.md"
+          if [[ -d "$BUNDLE_DIR" ]]; then
+            mkdir -p "$dest/bundles"
+            cp -R "$BUNDLE_DIR"/. "$dest/bundles/"
+          fi
+          if [[ -d "$SOURCE_PERF_DIR" ]]; then
+            mkdir -p "$dest/source"
+            cp -R "$SOURCE_PERF_DIR"/. "$dest/source/"
+            if [[ -f "$SOURCE_PERF_DIR/index.md" ]]; then
+              cat >> "$dest/index.md" <<'EOF'
+
+          ## Source probes
+
+          Additional gateway boot, memory, plugin pressure, mock hello-loop, and CLI startup numbers are in [source/index.md](source/index.md).
+          EOF
+            fi
+          fi
+          cat > "${reports_root}/openclaw-performance/${ref_slug}/latest-${LANE_ID}.json" <<EOF
+          {
+            "repository": "${GITHUB_REPOSITORY}",
+            "ref": "${TESTED_REF}",
+            "sha": "${TESTED_SHA}",
+            "tested_ref": "${TESTED_REF}",
+            "tested_sha": "${TESTED_SHA}",
+            "workflow_ref": "${GITHUB_REF_NAME}",
+            "workflow_sha": "${GITHUB_SHA}",
+            "workflow": "${GITHUB_WORKFLOW}",
+            "run_id": "${GITHUB_RUN_ID}",
+            "run_attempt": "${GITHUB_RUN_ATTEMPT}",
+            "lane": "${LANE_ID}",
+            "path": "openclaw-performance/${ref_slug}/${run_slug}/${LANE_ID}"
+          }
+          EOF
+
+          git -C "$reports_root" config user.name "openclaw-performance[bot]"
+          git -C "$reports_root" config user.email "openclaw-performance[bot]@users.noreply.github.com"
+          git -C "$reports_root" add openclaw-performance
+          if git -C "$reports_root" diff --cached --quiet; then
+            echo "No clawgrit report changes to publish."
+            exit 0
+          fi
+          git -C "$reports_root" commit -m "perf: add OpenClaw ${LANE_ID} report ${TESTED_SHA::12}"
+          for attempt in 1 2 3 4 5; do
+            if git -C "$reports_root" push origin HEAD:main; then
+              exit 0
+            fi
+            if [[ "$attempt" == "5" ]]; then
+              exit 1
+            fi
+            sleep $((attempt * 2))
+            git -C "$reports_root" fetch --depth=1 origin main
+            git -C "$reports_root" rebase FETCH_HEAD
+          done

.github/workflows/openclaw-release-checks.yml

@@ -33,7 +33,7 @@ on:
       release_profile:
         description: Release coverage profile for live/Docker/provider breadth
         required: false
-        default: full
+        default: stable
         type: choice
         options:
           - minimum
@@ -53,38 +53,50 @@ on:
           - qa
           - qa-parity
           - qa-live
+      live_suite_filter:
+        description: Optional exact live suite id for focused live/E2E reruns; blank runs all selected live suites
+        required: false
+        default: ""
+        type: string
+      package_acceptance_package_spec:
+        description: Optional published package spec for Package Acceptance; blank uses the prepared release artifact
+        required: false
+        default: ""
+        type: string
 
 concurrency:
-  group: openclaw-release-checks-${{ inputs.ref }}
+  group: openclaw-release-checks-${{ inputs.expected_sha || inputs.ref }}-${{ inputs.rerun_group }}
   cancel-in-progress: false
 
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
   NODE_VERSION: "24.x"
   PNPM_VERSION: "10.33.0"
-  OPENCLAW_CI_OPENAI_MODEL: ${{ vars.OPENCLAW_CI_OPENAI_MODEL }}
+  OPENCLAW_CI_OPENAI_MODEL: ${{ vars.OPENCLAW_CI_OPENAI_MODEL || 'openai/gpt-5.5' }}
 
 jobs:
   resolve_target:
-    runs-on: blacksmith-32vcpu-ubuntu-2404
+    runs-on: ubuntu-24.04
     timeout-minutes: 30
     permissions:
       contents: read
     outputs:
       ref: ${{ steps.inputs.outputs.ref }}
-      sha: ${{ steps.ref.outputs.sha }}
+      revision: ${{ steps.ref.outputs.sha }}
       provider: ${{ steps.inputs.outputs.provider }}
       mode: ${{ steps.inputs.outputs.mode }}
       release_profile: ${{ steps.inputs.outputs.release_profile }}
       rerun_group: ${{ steps.inputs.outputs.rerun_group }}
+      live_suite_filter: ${{ steps.inputs.outputs.live_suite_filter }}
+      package_acceptance_package_spec: ${{ steps.inputs.outputs.package_acceptance_package_spec }}
     steps:
       - name: Require main or release workflow ref for release checks
         env:
           WORKFLOW_REF: ${{ github.ref }}
         run: |
           set -euo pipefail
-          if [[ "${WORKFLOW_REF}" != "refs/heads/main" ]] && [[ ! "${WORKFLOW_REF}" =~ ^refs/heads/release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$ ]]; then
-            echo "Release checks must be dispatched from main or release/YYYY.M.D so workflow logic and secrets stay controlled." >&2
+          if [[ "${WORKFLOW_REF}" != "refs/heads/main" ]] && [[ ! "${WORKFLOW_REF}" =~ ^refs/heads/release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$ ]] && [[ ! "${WORKFLOW_REF}" =~ ^refs/heads/release-ci/[0-9a-f]{12}-[0-9]+$ ]]; then
+            echo "Release checks must be dispatched from main, release/YYYY.M.D, or a Full Release Validation release-ci/<sha>-<timestamp> ref so workflow logic and secrets stay controlled." >&2
             exit 1
           fi
 
@@ -106,6 +118,7 @@ jobs:
       - name: Checkout trusted workflow helper
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           ref: ${{ github.ref_name }}
           path: workflow
           fetch-depth: 1
@@ -126,6 +139,7 @@ jobs:
         if: steps.fast_ref.outputs.fallback == 'true'
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           ref: ${{ inputs.ref }}
           path: source
           fetch-depth: 0
@@ -190,6 +204,8 @@ jobs:
           RELEASE_MODE_INPUT: ${{ inputs.mode }}
           RELEASE_PROFILE_INPUT: ${{ inputs.release_profile }}
           RELEASE_RERUN_GROUP_INPUT: ${{ inputs.rerun_group }}
+          RELEASE_LIVE_SUITE_FILTER_INPUT: ${{ inputs.live_suite_filter }}
+          RELEASE_PACKAGE_ACCEPTANCE_PACKAGE_SPEC_INPUT: ${{ inputs.package_acceptance_package_spec }}
         run: |
           set -euo pipefail
           {
@@ -198,6 +214,8 @@ jobs:
             printf 'mode=%s\n' "$RELEASE_MODE_INPUT"
             printf 'release_profile=%s\n' "$RELEASE_PROFILE_INPUT"
             printf 'rerun_group=%s\n' "$RELEASE_RERUN_GROUP_INPUT"
+            printf 'live_suite_filter=%s\n' "$RELEASE_LIVE_SUITE_FILTER_INPUT"
+            printf 'package_acceptance_package_spec=%s\n' "$RELEASE_PACKAGE_ACCEPTANCE_PACKAGE_SPEC_INPUT"
           } >> "$GITHUB_OUTPUT"
 
       - name: Summarize validated ref
@@ -209,6 +227,8 @@ jobs:
           RELEASE_MODE: ${{ inputs.mode }}
           RELEASE_PROFILE: ${{ inputs.release_profile }}
           RELEASE_RERUN_GROUP: ${{ inputs.rerun_group }}
+          RELEASE_LIVE_SUITE_FILTER: ${{ inputs.live_suite_filter }}
+          PACKAGE_ACCEPTANCE_PACKAGE_SPEC: ${{ inputs.package_acceptance_package_spec }}
         run: |
           {
             echo "## Release checks"
@@ -220,17 +240,26 @@ jobs:
             echo "- Cross-OS mode: \`${RELEASE_MODE}\`"
             echo "- Release profile: \`${RELEASE_PROFILE}\`"
             echo "- Rerun group: \`${RELEASE_RERUN_GROUP}\`"
+            if [[ -n "${RELEASE_LIVE_SUITE_FILTER// }" ]]; then
+              echo "- Live suite filter: \`${RELEASE_LIVE_SUITE_FILTER}\`"
+            fi
+            if [[ -n "${PACKAGE_ACCEPTANCE_PACKAGE_SPEC// }" ]]; then
+              echo "- Package Acceptance package spec: \`${PACKAGE_ACCEPTANCE_PACKAGE_SPEC}\`"
+            else
+              echo "- Package Acceptance package spec: prepared release artifact"
+            fi
             echo "- This run will execute cross-OS release validation, install smoke, QA Lab parity, Matrix, and Telegram lanes, and the non-Parallels Docker/live/openwebui coverage from the CI migration plan."
           } >> "$GITHUB_STEP_SUMMARY"
 
   prepare_release_package:
     name: Prepare release package artifact
     needs: [resolve_target]
-    if: contains(fromJSON('["all","cross-os","live-e2e","package"]'), needs.resolve_target.outputs.rerun_group)
-    runs-on: blacksmith-32vcpu-ubuntu-2404
+    if: contains(fromJSON('["all","cross-os","package"]'), needs.resolve_target.outputs.rerun_group) || (needs.resolve_target.outputs.rerun_group == 'live-e2e' && needs.resolve_target.outputs.live_suite_filter == '')
+    runs-on: ubuntu-24.04
     timeout-minutes: 60
     permissions:
       contents: read
+      packages: write
     outputs:
       artifact_name: ${{ steps.artifact.outputs.name }}
       package_sha256: ${{ steps.package.outputs.sha256 }}
@@ -240,6 +269,7 @@ jobs:
       - name: Checkout trusted workflow ref
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           ref: ${{ github.ref_name }}
           fetch-depth: 0
 
@@ -259,7 +289,7 @@ jobs:
         id: package
         shell: bash
         env:
-          PACKAGE_REF: ${{ needs.resolve_target.outputs.sha }}
+          PACKAGE_REF: ${{ needs.resolve_target.outputs.revision }}
         run: |
           set -euo pipefail
           node scripts/resolve-openclaw-package-candidate.mjs \
@@ -287,7 +317,9 @@ jobs:
         uses: actions/upload-artifact@v7
         with:
           name: release-package-under-test
-          path: .artifacts/docker-e2e-package/openclaw-current.tgz
+          path: |
+            .artifacts/docker-e2e-package/openclaw-current.tgz
+            .artifacts/docker-e2e-package/package-candidate.json
           retention-days: 14
           if-no-files-found: error
 
@@ -296,9 +328,10 @@ jobs:
     if: contains(fromJSON('["all","install-smoke"]'), needs.resolve_target.outputs.rerun_group)
     permissions:
       contents: read
+      packages: write
     uses: ./.github/workflows/install-smoke.yml
     with:
-      ref: ${{ needs.resolve_target.outputs.sha }}
+      ref: ${{ needs.resolve_target.outputs.revision }}
       run_bun_global_install_smoke: true
 
   cross_os_release_checks:
@@ -307,14 +340,14 @@ jobs:
     permissions: read-all
     uses: ./.github/workflows/openclaw-cross-os-release-checks-reusable.yml
     with:
-      ref: ${{ needs.resolve_target.outputs.ref }}
+      ref: ${{ needs.resolve_target.outputs.revision }}
       provider: ${{ needs.resolve_target.outputs.provider }}
       mode: ${{ needs.resolve_target.outputs.mode }}
       candidate_artifact_name: ${{ needs.prepare_release_package.outputs.artifact_name }}
-      candidate_artifact_run_id: ${{ github.run_id }}
       candidate_file_name: openclaw-current.tgz
       candidate_version: ${{ needs.prepare_release_package.outputs.package_version }}
       candidate_source_sha: ${{ needs.prepare_release_package.outputs.source_sha }}
+      openai_model: openai/gpt-5.4
     secrets:
       OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
       ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
@@ -323,8 +356,9 @@ jobs:
       OPENCLAW_DISCORD_SMOKE_GUILD_ID: ${{ secrets.OPENCLAW_DISCORD_SMOKE_GUILD_ID }}
       OPENCLAW_DISCORD_SMOKE_CHANNEL_ID: ${{ secrets.OPENCLAW_DISCORD_SMOKE_CHANNEL_ID }}
 
-  live_and_e2e_release_checks:
-    needs: [resolve_target, prepare_release_package]
+  live_repo_e2e_release_checks:
+    name: Run repo/live E2E validation
+    needs: [resolve_target]
     if: contains(fromJSON('["all","live-e2e"]'), needs.resolve_target.outputs.rerun_group)
     permissions:
       actions: read
@@ -333,15 +367,14 @@ jobs:
       pull-requests: read
     uses: ./.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
     with:
-      ref: ${{ needs.resolve_target.outputs.sha }}
+      ref: ${{ needs.resolve_target.outputs.revision }}
       include_repo_e2e: true
-      include_release_path_suites: true
-      include_openwebui: ${{ needs.resolve_target.outputs.release_profile != 'minimum' }}
+      include_release_path_suites: false
+      include_openwebui: false
       include_live_suites: true
       release_test_profile: ${{ needs.resolve_target.outputs.release_profile }}
-      package_artifact_name: ${{ needs.prepare_release_package.outputs.artifact_name }}
-      package_artifact_run_id: ${{ github.run_id }}
-    secrets:
+      live_suite_filter: ${{ needs.resolve_target.outputs.live_suite_filter }}
+    secrets: &live_e2e_release_secrets
       OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
       OPENAI_BASE_URL: ${{ secrets.OPENAI_BASE_URL }}
       ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
@@ -388,6 +421,26 @@ jobs:
       OPENCLAW_GEMINI_SETTINGS_JSON: ${{ secrets.OPENCLAW_GEMINI_SETTINGS_JSON }}
       FIREWORKS_API_KEY: ${{ secrets.FIREWORKS_API_KEY }}
 
+  docker_e2e_release_checks:
+    name: Run Docker release-path validation
+    needs: [resolve_target, prepare_release_package]
+    if: contains(fromJSON('["all","live-e2e"]'), needs.resolve_target.outputs.rerun_group) && needs.resolve_target.outputs.live_suite_filter == ''
+    permissions:
+      actions: read
+      contents: read
+      packages: write
+      pull-requests: read
+    uses: ./.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
+    with:
+      ref: ${{ needs.resolve_target.outputs.revision }}
+      include_repo_e2e: false
+      include_release_path_suites: true
+      include_openwebui: ${{ needs.resolve_target.outputs.release_profile != 'minimum' }}
+      include_live_suites: false
+      release_test_profile: ${{ needs.resolve_target.outputs.release_profile }}
+      package_artifact_name: ${{ needs.prepare_release_package.outputs.artifact_name }}
+    secrets: *live_e2e_release_secrets
+
   package_acceptance_release_checks:
     name: Run package acceptance
     needs: [resolve_target, prepare_release_package]
@@ -400,12 +453,14 @@ jobs:
     uses: ./.github/workflows/package-acceptance.yml
     with:
       workflow_ref: ${{ github.ref_name }}
-      source: artifact
-      artifact_run_id: ${{ github.run_id }}
+      source: ${{ needs.resolve_target.outputs.package_acceptance_package_spec != '' && 'npm' || 'artifact' }}
+      package_spec: ${{ needs.resolve_target.outputs.package_acceptance_package_spec || 'openclaw@beta' }}
       artifact_name: ${{ needs.prepare_release_package.outputs.artifact_name }}
       package_sha256: ${{ needs.prepare_release_package.outputs.package_sha256 }}
       suite_profile: custom
-      docker_lanes: bundled-channel-deps-compat plugins-offline
+      docker_lanes: doctor-switch update-channel-switch upgrade-survivor published-upgrade-survivor plugins-offline plugin-update
+      published_upgrade_survivor_baselines: all-since-2026.4.23
+      published_upgrade_survivor_scenarios: reported-issues
       telegram_mode: mock-openai
       telegram_scenarios: telegram-help-command,telegram-commands-command,telegram-tools-compact-command,telegram-whoami-command,telegram-context-command,telegram-mention-gating
     secrets:
@@ -461,7 +516,7 @@ jobs:
     name: Run QA Lab parity lane (${{ matrix.lane }})
     needs: [resolve_target]
     if: contains(fromJSON('["all","qa","qa-parity"]'), needs.resolve_target.outputs.rerun_group)
-    runs-on: blacksmith-32vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 30
     permissions:
       contents: read
@@ -488,7 +543,8 @@ jobs:
       - name: Checkout selected ref
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.resolve_target.outputs.sha }}
+          persist-credentials: false
+          ref: ${{ needs.resolve_target.outputs.revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -535,7 +591,7 @@ jobs:
         if: always()
         uses: actions/upload-artifact@v4
         with:
-          name: release-qa-parity-${{ matrix.lane }}-${{ needs.resolve_target.outputs.sha }}
+          name: release-qa-parity-${{ matrix.lane }}-${{ needs.resolve_target.outputs.revision }}
           path: .artifacts/qa-e2e/
           retention-days: 14
           if-no-files-found: warn
@@ -544,7 +600,7 @@ jobs:
     name: Run QA Lab parity report
     needs: [resolve_target, qa_lab_parity_lane_release_checks]
     if: contains(fromJSON('["all","qa","qa-parity"]'), needs.resolve_target.outputs.rerun_group)
-    runs-on: blacksmith-32vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 20
     permissions:
       contents: read
@@ -556,7 +612,8 @@ jobs:
       - name: Checkout selected ref
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.resolve_target.outputs.sha }}
+          persist-credentials: false
+          ref: ${{ needs.resolve_target.outputs.revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -569,7 +626,7 @@ jobs:
       - name: Download parity lane artifacts
         uses: actions/download-artifact@v4
         with:
-          pattern: release-qa-parity-*-${{ needs.resolve_target.outputs.sha }}
+          pattern: release-qa-parity-*-${{ needs.resolve_target.outputs.revision }}
           path: .artifacts/qa-e2e/
           merge-multiple: true
 
@@ -590,7 +647,7 @@ jobs:
         if: always()
         uses: actions/upload-artifact@v4
         with:
-          name: release-qa-parity-${{ needs.resolve_target.outputs.sha }}
+          name: release-qa-parity-${{ needs.resolve_target.outputs.revision }}
           path: .artifacts/qa-e2e/
           retention-days: 14
           if-no-files-found: warn
@@ -599,7 +656,7 @@ jobs:
     name: Run QA Lab live Matrix lane
     needs: [resolve_target]
     if: contains(fromJSON('["all","qa","qa-live"]'), needs.resolve_target.outputs.rerun_group)
-    runs-on: blacksmith-32vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 60
     permissions:
       contents: read
@@ -612,7 +669,8 @@ jobs:
       - name: Checkout selected ref
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.resolve_target.outputs.sha }}
+          persist-credentials: false
+          ref: ${{ needs.resolve_target.outputs.revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -622,18 +680,6 @@ jobs:
           pnpm-version: ${{ env.PNPM_VERSION }}
           install-bun: "true"
 
-      - name: Validate required QA credential env
-        env:
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          if [[ -z "${OPENAI_API_KEY:-}" ]]; then
-            echo "Missing required OPENAI_API_KEY." >&2
-            exit 1
-          fi
-
       - name: Build private QA runtime
         run: pnpm build
 
@@ -641,8 +687,8 @@ jobs:
         id: run_lane
         shell: bash
         env:
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
           OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
+          OPENCLAW_QA_MATRIX_CANARY_TIMEOUT_MS: "90000"
           OPENCLAW_QA_MATRIX_NO_REPLY_WINDOW_MS: "3000"
         run: |
           set -euo pipefail
@@ -652,10 +698,9 @@ jobs:
 
           matrix_args=(
             --repo-root . \
-            --output-dir "${output_dir}" \
-            --provider-mode live-frontier \
-            --model "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --alt-model "${OPENCLAW_CI_OPENAI_MODEL}" \
+            --provider-mode mock-openai \
+            --model mock-openai/gpt-5.5 \
+            --alt-model mock-openai/gpt-5.5-alt \
             --profile fast \
             --fast
           )
@@ -663,13 +708,23 @@ jobs:
             matrix_args+=(--fail-fast)
           fi
 
-          pnpm openclaw qa matrix "${matrix_args[@]}"
+          for attempt in 1 2; do
+            attempt_output_dir="${output_dir}/attempt-${attempt}"
+            if pnpm openclaw qa matrix --output-dir "${attempt_output_dir}" "${matrix_args[@]}"; then
+              exit 0
+            fi
+            if [[ "${attempt}" == "2" ]]; then
+              exit 1
+            fi
+            echo "Matrix live lane failed on attempt ${attempt}; retrying once..." >&2
+            sleep 10
+          done
 
       - name: Upload Matrix QA artifacts
         if: always()
         uses: actions/upload-artifact@v4
         with:
-          name: release-qa-live-matrix-${{ needs.resolve_target.outputs.sha }}
+          name: release-qa-live-matrix-${{ needs.resolve_target.outputs.revision }}
           path: .artifacts/qa-e2e/
           retention-days: 14
           if-no-files-found: warn
@@ -678,7 +733,7 @@ jobs:
     name: Run QA Lab live Telegram lane
     needs: [resolve_target]
     if: contains(fromJSON('["all","qa","qa-live"]'), needs.resolve_target.outputs.rerun_group)
-    runs-on: blacksmith-32vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 60
     permissions:
       contents: read
@@ -691,7 +746,8 @@ jobs:
       - name: Checkout selected ref
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.resolve_target.outputs.sha }}
+          persist-credentials: false
+          ref: ${{ needs.resolve_target.outputs.revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -703,7 +759,6 @@ jobs:
 
       - name: Validate required QA credential env
         env:
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
           OPENCLAW_QA_CONVEX_SITE_URL: ${{ secrets.OPENCLAW_QA_CONVEX_SITE_URL }}
           OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
         shell: bash
@@ -718,7 +773,6 @@ jobs:
             fi
           }
 
-          require_var OPENAI_API_KEY
           require_var OPENCLAW_QA_CONVEX_SITE_URL
           require_var OPENCLAW_QA_CONVEX_SECRET_CI
 
@@ -729,7 +783,6 @@ jobs:
         id: run_lane
         shell: bash
         env:
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
           OPENCLAW_QA_CONVEX_SITE_URL: ${{ secrets.OPENCLAW_QA_CONVEX_SITE_URL }}
           OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
           OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
@@ -740,21 +793,31 @@ jobs:
           output_dir=".artifacts/qa-e2e/telegram-live-release-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}"
           echo "output_dir=${output_dir}" >> "$GITHUB_OUTPUT"
 
-          pnpm openclaw qa telegram \
-            --repo-root . \
-            --output-dir "${output_dir}" \
-            --provider-mode live-frontier \
-            --model "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --alt-model "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --fast \
-            --credential-source convex \
-            --credential-role ci
+          for attempt in 1 2; do
+            attempt_output_dir="${output_dir}/attempt-${attempt}"
+            if pnpm openclaw qa telegram \
+              --repo-root . \
+              --output-dir "${attempt_output_dir}" \
+              --provider-mode mock-openai \
+              --model mock-openai/gpt-5.5 \
+              --alt-model mock-openai/gpt-5.5-alt \
+              --fast \
+              --credential-source convex \
+              --credential-role ci; then
+              exit 0
+            fi
+            if [[ "${attempt}" == "2" ]]; then
+              exit 1
+            fi
+            echo "Telegram live lane failed on attempt ${attempt}; retrying once..." >&2
+            sleep 10
+          done
 
       - name: Upload Telegram QA artifacts
         if: always()
         uses: actions/upload-artifact@v4
         with:
-          name: release-qa-live-telegram-${{ needs.resolve_target.outputs.sha }}
+          name: release-qa-live-telegram-${{ needs.resolve_target.outputs.revision }}
           path: .artifacts/qa-e2e/
           retention-days: 14
           if-no-files-found: warn
@@ -765,7 +828,8 @@ jobs:
       - prepare_release_package
       - install_smoke_release_checks
       - cross_os_release_checks
-      - live_and_e2e_release_checks
+      - live_repo_e2e_release_checks
+      - docker_e2e_release_checks
       - package_acceptance_release_checks
       - qa_lab_parity_lane_release_checks
       - qa_lab_parity_report_release_checks
@@ -785,7 +849,8 @@ jobs:
             "prepare_release_package=${{ needs.prepare_release_package.result }}" \
             "install_smoke_release_checks=${{ needs.install_smoke_release_checks.result }}" \
             "cross_os_release_checks=${{ needs.cross_os_release_checks.result }}" \
-            "live_and_e2e_release_checks=${{ needs.live_and_e2e_release_checks.result }}" \
+            "live_repo_e2e_release_checks=${{ needs.live_repo_e2e_release_checks.result }}" \
+            "docker_e2e_release_checks=${{ needs.docker_e2e_release_checks.result }}" \
             "package_acceptance_release_checks=${{ needs.package_acceptance_release_checks.result }}" \
             "qa_lab_parity_lane_release_checks=${{ needs.qa_lab_parity_lane_release_checks.result }}" \
             "qa_lab_parity_report_release_checks=${{ needs.qa_lab_parity_report_release_checks.result }}" \

.github/workflows/openclaw-release-publish.yml

@@ -0,0 +1,262 @@
+name: OpenClaw Release Publish
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: Release tag to publish, for example v2026.5.1-alpha.1 or v2026.5.1-beta.1
+        required: true
+        type: string
+      preflight_run_id:
+        description: Successful OpenClaw NPM Release preflight run id, required when publish_openclaw_npm=true
+        required: false
+        type: string
+      npm_dist_tag:
+        description: npm dist-tag for the OpenClaw package
+        required: true
+        default: beta
+        type: choice
+        options:
+          - alpha
+          - beta
+          - latest
+      plugin_publish_scope:
+        description: Plugin publish scope to run before OpenClaw publish
+        required: true
+        default: all-publishable
+        type: choice
+        options:
+          - selected
+          - all-publishable
+      plugins:
+        description: Comma-separated plugin package names when plugin_publish_scope=selected
+        required: false
+        type: string
+      publish_openclaw_npm:
+        description: Publish the OpenClaw npm package after plugin npm and ClawHub publish complete
+        required: true
+        default: true
+        type: boolean
+
+permissions:
+  actions: write
+  contents: read
+
+concurrency:
+  group: openclaw-release-publish-${{ inputs.tag }}
+  cancel-in-progress: false
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+  NODE_VERSION: "24.x"
+  PNPM_VERSION: "10.32.1"
+
+jobs:
+  resolve_release_target:
+    name: Resolve release target
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    outputs:
+      sha: ${{ steps.ref.outputs.sha }}
+    steps:
+      - name: Validate inputs
+        env:
+          RELEASE_TAG: ${{ inputs.tag }}
+          PREFLIGHT_RUN_ID: ${{ inputs.preflight_run_id }}
+          PUBLISH_OPENCLAW_NPM: ${{ inputs.publish_openclaw_npm && 'true' || 'false' }}
+          PLUGIN_PUBLISH_SCOPE: ${{ inputs.plugin_publish_scope }}
+          PLUGINS: ${{ inputs.plugins }}
+          RELEASE_NPM_DIST_TAG: ${{ inputs.npm_dist_tag }}
+          WORKFLOW_REF: ${{ github.ref }}
+        run: |
+          set -euo pipefail
+          if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-(alpha|beta)\.[1-9][0-9]*)|(-[1-9][0-9]*))?$ ]]; then
+            echo "Invalid release tag: ${RELEASE_TAG}" >&2
+            exit 1
+          fi
+          if [[ "${RELEASE_TAG}" == *"-alpha."* && "${RELEASE_NPM_DIST_TAG}" != "alpha" ]]; then
+            echo "Alpha prerelease tags must publish OpenClaw to npm dist-tag alpha." >&2
+            exit 1
+          fi
+          if [[ "${RELEASE_TAG}" == *"-beta."* && "${RELEASE_NPM_DIST_TAG}" != "beta" ]]; then
+            echo "Beta prerelease tags must publish OpenClaw to npm dist-tag beta." >&2
+            exit 1
+          fi
+          if [[ "${PUBLISH_OPENCLAW_NPM}" == "true" && -z "${PREFLIGHT_RUN_ID}" ]]; then
+            echo "publish_openclaw_npm=true requires preflight_run_id." >&2
+            exit 1
+          fi
+          if [[ "${PUBLISH_OPENCLAW_NPM}" == "true" && "${WORKFLOW_REF}" != "refs/heads/main" && ! "${WORKFLOW_REF}" =~ ^refs/heads/release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$ ]]; then
+            echo "publish_openclaw_npm=true requires dispatching this workflow from main or release/YYYY.M.D." >&2
+            exit 1
+          fi
+          if [[ "${PLUGIN_PUBLISH_SCOPE}" == "selected" && -z "${PLUGINS}" ]]; then
+            echo "plugin_publish_scope=selected requires plugins." >&2
+            exit 1
+          fi
+          if [[ "${PLUGIN_PUBLISH_SCOPE}" == "all-publishable" && -n "${PLUGINS}" ]]; then
+            echo "plugin_publish_scope=all-publishable must not include plugins." >&2
+            exit 1
+          fi
+
+      - name: Checkout release tag
+        uses: actions/checkout@v6
+        with:
+          ref: refs/tags/${{ inputs.tag }}
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Setup Node environment
+        uses: ./.github/actions/setup-node-env
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          pnpm-version: ${{ env.PNPM_VERSION }}
+          install-bun: "false"
+
+      - name: Resolve checked-out release ref
+        id: ref
+        run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
+
+      - name: Validate release tag is reachable from main or release branch
+        run: |
+          set -euo pipefail
+          git fetch --no-tags origin \
+            +refs/heads/main:refs/remotes/origin/main \
+            '+refs/heads/release/*:refs/remotes/origin/release/*'
+          if git merge-base --is-ancestor HEAD origin/main; then
+            exit 0
+          fi
+          while IFS= read -r release_ref; do
+            if git merge-base --is-ancestor HEAD "${release_ref}"; then
+              exit 0
+            fi
+          done < <(git for-each-ref --format='%(refname)' refs/remotes/origin/release)
+          echo "Release tag must point to a commit reachable from main or release/*." >&2
+          exit 1
+
+      - name: Verify plugin versions were synced for this release
+        run: pnpm plugins:sync:check
+
+      - name: Summarize release target
+        env:
+          RELEASE_TAG: ${{ inputs.tag }}
+          TARGET_SHA: ${{ steps.ref.outputs.sha }}
+        run: |
+          {
+            echo "### Release target"
+            echo
+            echo "- Tag: \`${RELEASE_TAG}\`"
+            echo "- SHA: \`${TARGET_SHA}\`"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+  publish:
+    name: Publish plugins, then OpenClaw
+    needs: [resolve_release_target]
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+    steps:
+      - name: Dispatch publish workflows
+        env:
+          GH_TOKEN: ${{ github.token }}
+          TARGET_SHA: ${{ needs.resolve_release_target.outputs.sha }}
+          CHILD_WORKFLOW_REF: ${{ github.ref_name }}
+          RELEASE_TAG: ${{ inputs.tag }}
+          PREFLIGHT_RUN_ID: ${{ inputs.preflight_run_id }}
+          RELEASE_NPM_DIST_TAG: ${{ inputs.npm_dist_tag }}
+          PLUGIN_PUBLISH_SCOPE: ${{ inputs.plugin_publish_scope }}
+          PLUGINS: ${{ inputs.plugins }}
+          PUBLISH_OPENCLAW_NPM: ${{ inputs.publish_openclaw_npm && 'true' || 'false' }}
+        run: |
+          set -euo pipefail
+
+          dispatch_and_wait() {
+            local workflow="$1"
+            shift
+
+            local before_json dispatch_output run_id status conclusion url
+            before_json="$(gh run list --repo "$GITHUB_REPOSITORY" --workflow "$workflow" --event workflow_dispatch --limit 100 --json databaseId --jq '[.[].databaseId]')"
+
+            dispatch_output="$(gh workflow run --repo "$GITHUB_REPOSITORY" "$workflow" --ref "$CHILD_WORKFLOW_REF" "$@" 2>&1)"
+            printf '%s\n' "$dispatch_output"
+            run_id="$(
+              printf '%s\n' "$dispatch_output" |
+                sed -nE 's#.*actions/runs/([0-9]+).*#\1#p' |
+                tail -n 1
+            )"
+
+            if [[ -z "$run_id" ]]; then
+              for _ in $(seq 1 60); do
+                run_id="$(
+                  BEFORE_IDS="$before_json" gh run list --repo "$GITHUB_REPOSITORY" --workflow "$workflow" --event workflow_dispatch --limit 50 --json databaseId,createdAt \
+                    --jq 'map(select(.databaseId as $id | (env.BEFORE_IDS | fromjson | index($id) | not))) | sort_by(.createdAt) | reverse | .[0].databaseId // empty'
+                )"
+                if [[ -n "$run_id" ]]; then
+                  break
+                fi
+                sleep 5
+              done
+            fi
+
+            if [[ -z "${run_id:-}" ]]; then
+              echo "Could not find dispatched run for ${workflow}." >&2
+              exit 1
+            fi
+
+            echo "Dispatched ${workflow}: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${run_id}"
+
+            cancel_child() {
+              if [[ -n "${run_id:-}" ]]; then
+                echo "Cancelling child workflow ${workflow}: ${run_id}" >&2
+                gh run cancel --repo "$GITHUB_REPOSITORY" "$run_id" >/dev/null 2>&1 || true
+              fi
+            }
+            trap cancel_child EXIT INT TERM
+
+            while true; do
+              status="$(gh run view --repo "$GITHUB_REPOSITORY" "$run_id" --json status --jq '.status')"
+              if [[ "$status" == "completed" ]]; then
+                break
+              fi
+              sleep 30
+            done
+            trap - EXIT INT TERM
+
+            conclusion="$(gh run view --repo "$GITHUB_REPOSITORY" "$run_id" --json conclusion --jq '.conclusion')"
+            url="$(gh run view --repo "$GITHUB_REPOSITORY" "$run_id" --json url --jq '.url')"
+            echo "${workflow} finished with ${conclusion}: ${url}"
+            {
+              echo "- ${workflow}: ${conclusion} (${url})"
+            } >> "$GITHUB_STEP_SUMMARY"
+            if [[ "$conclusion" != "success" ]]; then
+              gh run view --repo "$GITHUB_REPOSITORY" "$run_id" --json jobs --jq '.jobs[] | select(.conclusion != "success" and .conclusion != "skipped") | {name, conclusion, url}' || true
+              exit 1
+            fi
+          }
+
+          {
+            echo "### Publish sequence"
+            echo
+            echo "- Workflow ref: \`${CHILD_WORKFLOW_REF}\`"
+            echo "- Release tag: \`${RELEASE_TAG}\`"
+            echo "- Release SHA: \`${TARGET_SHA}\`"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          npm_args=(-f publish_scope="${PLUGIN_PUBLISH_SCOPE}" -f ref="${TARGET_SHA}")
+          clawhub_args=(-f publish_scope="${PLUGIN_PUBLISH_SCOPE}" -f ref="${TARGET_SHA}")
+          if [[ -n "${PLUGINS}" ]]; then
+            npm_args+=(-f plugins="${PLUGINS}")
+            clawhub_args+=(-f plugins="${PLUGINS}")
+          fi
+
+          dispatch_and_wait plugin-npm-release.yml "${npm_args[@]}"
+          dispatch_and_wait plugin-clawhub-release.yml "${clawhub_args[@]}"
+
+          if [[ "${PUBLISH_OPENCLAW_NPM}" == "true" ]]; then
+            dispatch_and_wait openclaw-npm-release.yml \
+              -f tag="${RELEASE_TAG}" \
+              -f preflight_only=false \
+              -f preflight_run_id="${PREFLIGHT_RUN_ID}" \
+              -f npm_dist_tag="${RELEASE_NPM_DIST_TAG}"
+          else
+            echo "- OpenClaw npm publish: skipped by input" >> "$GITHUB_STEP_SUMMARY"
+          fi

.github/workflows/opengrep-precise-full.yml

@@ -0,0 +1,70 @@
+name: OpenGrep — Full
+
+# Manual repository-wide scan for the high-precision OpenGrep rule super-config.
+# This is intentionally separate from PR scanning so broad/backlog findings do
+# not block unrelated pull requests.
+
+on:
+  workflow_dispatch:
+
+concurrency:
+  group: opengrep-full-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  scan:
+    name: Scan full repository (precise)
+    runs-on: blacksmith-16vcpu-ubuntu-2404
+    timeout-minutes: 30
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - name: Install opengrep
+        env:
+          # Pin both the install script (by commit SHA) and the binary version.
+          # The script SHA must match the v1.19.0 release tag in opengrep/opengrep
+          # so a compromised or force-pushed `main` cannot RCE in our CI runner.
+          # Bump both together when upgrading.
+          OPENGREP_VERSION: v1.19.0
+          OPENGREP_INSTALL_SHA: 9a4c0a68220618441608cd2bad4ff2eddccf8113
+        run: |
+          curl -fsSL "https://raw.githubusercontent.com/opengrep/opengrep/${OPENGREP_INSTALL_SHA}/install.sh" \
+            | bash -s -- -v "$OPENGREP_VERSION"
+          echo "$HOME/.opengrep/cli/latest" >> "$GITHUB_PATH"
+
+      - name: Verify opengrep
+        run: opengrep --version
+
+      - name: Run full opengrep scan
+        # Manual full scans cover all first-party source paths so maintainers can
+        # audit the complete rulepack without making PRs inherit unrelated backlog.
+        run: |
+          mkdir -p .opengrep-out
+          scripts/run-opengrep.sh --sarif --error
+
+      - name: Upload SARIF to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v4
+        # Only upload if the scan actually produced a SARIF file.
+        if: always() && hashFiles('.opengrep-out/precise.sarif') != ''
+        with:
+          sarif_file: .opengrep-out/precise.sarif
+          category: opengrep-full
+
+      - name: Upload SARIF as workflow artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: opengrep-full-sarif
+          path: .opengrep-out/precise.sarif
+          if-no-files-found: warn
+          retention-days: 30

.github/workflows/opengrep-precise.yml

@@ -0,0 +1,100 @@
+name: OpenGrep — PR Diff
+
+# Runs the high-precision OpenGrep rule super-config against only first-party
+# source paths changed by a pull request. Keeping PR scans diff-scoped makes
+# findings attributable to the proposed change instead of surfacing unrelated
+# repository-wide backlog.
+#
+# For a repository-wide scan, use the manual OpenGrep — Full workflow.
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    paths:
+      - ".github/actions/ensure-base-commit/**"
+      - ".github/workflows/opengrep-precise.yml"
+      - ".github/workflows/opengrep-precise-full.yml"
+      - ".semgrepignore"
+      - "apps/**"
+      - "extensions/**"
+      - "packages/**"
+      - "scripts/**"
+      - "security/opengrep/**"
+      - "src/**"
+
+concurrency:
+  group: opengrep-pr-diff-${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  scan:
+    name: Scan changed paths (precise)
+    if: ${{ !github.event.pull_request.draft }}
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    timeout-minutes: 30
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ github.sha }}
+          fetch-depth: 1
+          fetch-tags: false
+          persist-credentials: false
+          submodules: false
+
+      - name: Ensure PR base commit
+        uses: ./.github/actions/ensure-base-commit
+        with:
+          base-sha: ${{ github.event.pull_request.base.sha }}
+          fetch-ref: ${{ github.event.pull_request.base.ref }}
+
+      - name: Install opengrep
+        env:
+          # Pin both the install script (by commit SHA) and the binary version.
+          # The script SHA must match the v1.19.0 release tag in opengrep/opengrep
+          # so a compromised or force-pushed `main` cannot RCE in our CI runner.
+          # Bump both together when upgrading.
+          OPENGREP_VERSION: v1.19.0
+          OPENGREP_INSTALL_SHA: 9a4c0a68220618441608cd2bad4ff2eddccf8113
+        run: |
+          curl -fsSL "https://raw.githubusercontent.com/opengrep/opengrep/${OPENGREP_INSTALL_SHA}/install.sh" \
+            | bash -s -- -v "$OPENGREP_VERSION"
+          echo "$HOME/.opengrep/cli/latest" >> "$GITHUB_PATH"
+
+      - name: Verify opengrep
+        run: opengrep --version
+
+      - name: Run opengrep on PR diff
+        env:
+          OPENCLAW_OPENGREP_BASE_REF: ${{ github.event.pull_request.base.sha }}...HEAD
+        # Findings from precise rules block this workflow. Pull requests scan
+        # changed first-party source paths only so findings stay attributable to
+        # the PR diff. Test/fixture/QA path exclusions live in `.semgrepignore`
+        # at the repo root and are picked up automatically.
+        run: |
+          mkdir -p .opengrep-out
+          scripts/run-opengrep.sh --changed --sarif --error
+
+      - name: Upload SARIF to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v4
+        # Only upload if the scan actually produced a SARIF file.
+        if: always() && hashFiles('.opengrep-out/precise.sarif') != ''
+        with:
+          sarif_file: .opengrep-out/precise.sarif
+          category: opengrep-pr-diff
+
+      - name: Upload SARIF as workflow artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: opengrep-pr-diff-sarif
+          path: .opengrep-out/precise.sarif
+          if-no-files-found: warn
+          retention-days: 30

.github/workflows/package-acceptance.yml

@@ -64,6 +64,21 @@ on:
         required: false
         default: ""
         type: string
+      published_upgrade_survivor_baseline:
+        description: Published OpenClaw package baseline for the published-upgrade-survivor Docker lane
+        required: false
+        default: openclaw@latest
+        type: string
+      published_upgrade_survivor_baselines:
+        description: Optional baseline list for published-upgrade-survivor/update-migration; use all-since-2026.4.23, release-history, or exact versions
+        required: false
+        default: ""
+        type: string
+      published_upgrade_survivor_scenarios:
+        description: Optional scenario list for published-upgrade-survivor/update-migration; use reported-issues for known upgrade failure shapes
+        required: false
+        default: ""
+        type: string
       telegram_mode:
         description: Optional Telegram QA lane for the resolved package candidate
         required: true
@@ -129,6 +144,21 @@ on:
         required: false
         default: ""
         type: string
+      published_upgrade_survivor_baseline:
+        description: Published OpenClaw package baseline for the published-upgrade-survivor Docker lane
+        required: false
+        default: openclaw@latest
+        type: string
+      published_upgrade_survivor_baselines:
+        description: Optional baseline list for published-upgrade-survivor/update-migration; use all-since-2026.4.23, release-history, or exact versions
+        required: false
+        default: ""
+        type: string
+      published_upgrade_survivor_scenarios:
+        description: Optional scenario list for published-upgrade-survivor/update-migration; use reported-issues for known upgrade failure shapes
+        required: false
+        default: ""
+        type: string
       telegram_mode:
         description: Optional Telegram QA lane for the resolved package candidate
         required: false
@@ -254,7 +284,7 @@ env:
 jobs:
   resolve_package:
     name: Resolve package candidate
-    runs-on: ubuntu-24.04
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 60
     outputs:
       docker_lanes: ${{ steps.profile.outputs.docker_lanes }}
@@ -262,8 +292,11 @@ jobs:
       include_openwebui: ${{ steps.profile.outputs.include_openwebui }}
       include_release_path_suites: ${{ steps.profile.outputs.include_release_path_suites }}
       package_artifact_name: ${{ steps.profile.outputs.package_artifact_name }}
+      package_source_sha: ${{ steps.resolve.outputs.package_source_sha }}
       package_sha256: ${{ steps.resolve.outputs.sha256 }}
       package_version: ${{ steps.resolve.outputs.package_version }}
+      published_upgrade_survivor_baselines: ${{ steps.upgrade_survivor_baselines.outputs.baselines }}
+      published_upgrade_survivor_scenarios: ${{ inputs.published_upgrade_survivor_scenarios }}
       telegram_enabled: ${{ steps.profile.outputs.telegram_enabled }}
       telegram_mode: ${{ steps.profile.outputs.telegram_mode }}
     steps:
@@ -281,8 +314,15 @@ jobs:
           install-bun: ${{ inputs.source == 'ref' && 'true' || 'false' }}
           install-deps: "false"
 
-      - name: Download package artifact input
-        if: inputs.source == 'artifact'
+      - name: Download current-run package artifact input
+        if: inputs.source == 'artifact' && inputs.artifact_run_id == ''
+        uses: actions/download-artifact@v8
+        with:
+          name: ${{ inputs.artifact_name }}
+          path: .artifacts/package-candidate-input
+
+      - name: Download previous-run package artifact input
+        if: inputs.source == 'artifact' && inputs.artifact_run_id != ''
         env:
           GH_TOKEN: ${{ github.token }}
           ARTIFACT_RUN_ID: ${{ inputs.artifact_run_id }}
@@ -290,10 +330,6 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
-          if [[ -z "${ARTIFACT_RUN_ID// }" ]]; then
-            echo "artifact_run_id is required when source=artifact." >&2
-            exit 1
-          fi
           if [[ -z "${ARTIFACT_NAME// }" ]]; then
             echo "artifact_name is required when source=artifact." >&2
             exit 1
@@ -350,10 +386,10 @@ jobs:
               docker_lanes="npm-onboard-channel-agent gateway-network config-reload"
               ;;
             package)
-              docker_lanes="npm-onboard-channel-agent doctor-switch update-channel-switch bundled-channel-deps-compat plugins-offline plugin-update"
+              docker_lanes="npm-onboard-channel-agent doctor-switch update-channel-switch upgrade-survivor published-upgrade-survivor plugins-offline plugin-update"
               ;;
             product)
-              docker_lanes="npm-onboard-channel-agent doctor-switch update-channel-switch bundled-channel-deps-compat plugins plugin-update mcp-channels cron-mcp-cleanup openai-web-search-minimal openwebui"
+              docker_lanes="npm-onboard-channel-agent doctor-switch update-channel-switch upgrade-survivor published-upgrade-survivor plugins plugin-update mcp-channels cron-mcp-cleanup openai-web-search-minimal openwebui"
               include_openwebui=true
               ;;
             full)
@@ -391,6 +427,44 @@ jobs:
             echo "package_artifact_name=${PACKAGE_ARTIFACT_NAME}"
           } >> "$GITHUB_OUTPUT"
 
+      - name: Resolve published upgrade survivor baselines
+        id: upgrade_survivor_baselines
+        env:
+          FALLBACK_BASELINE: ${{ inputs.published_upgrade_survivor_baseline }}
+          REQUESTED_BASELINES: ${{ inputs.published_upgrade_survivor_baselines }}
+          GH_TOKEN: ${{ github.token }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          if [[ -z "${REQUESTED_BASELINES// }" ]]; then
+            echo "baselines=" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          releases_json=""
+          npm_versions_json=""
+          if [[ "$REQUESTED_BASELINES" == *"release-history"* || "$REQUESTED_BASELINES" == *"all-since-"* ]]; then
+            releases_json=".artifacts/package-candidate-input/openclaw-releases.json"
+            npm_versions_json=".artifacts/package-candidate-input/openclaw-npm-versions.json"
+            mkdir -p "$(dirname "$releases_json")"
+            gh release list --repo "$GITHUB_REPOSITORY" --limit 100 --json tagName,publishedAt,isPrerelease > "$releases_json"
+            npm view openclaw versions --json > "$npm_versions_json"
+          fi
+          args=(
+            --requested "$REQUESTED_BASELINES"
+            --fallback "$FALLBACK_BASELINE"
+            --github-output "$GITHUB_OUTPUT"
+          )
+          if [[ -n "$releases_json" ]]; then
+            args+=(
+              --releases-json "$releases_json"
+              --npm-versions-json "$npm_versions_json"
+              --history-count 6
+              --include-version 2026.4.23
+              --pre-date 2026-03-15T00:00:00Z
+            )
+          fi
+          node scripts/resolve-upgrade-survivor-baselines.mjs "${args[@]}" >/dev/null
+
       - name: Upload package-under-test artifact
         uses: actions/upload-artifact@v7
         with:
@@ -409,6 +483,9 @@ jobs:
           SOURCE: ${{ inputs.source }}
           SUITE_PROFILE: ${{ inputs.suite_profile }}
           WORKFLOW_REF: ${{ inputs.workflow_ref }}
+          PUBLISHED_UPGRADE_SURVIVOR_BASELINE: ${{ inputs.published_upgrade_survivor_baseline }}
+          PUBLISHED_UPGRADE_SURVIVOR_BASELINES: ${{ steps.upgrade_survivor_baselines.outputs.baselines }}
+          PUBLISHED_UPGRADE_SURVIVOR_SCENARIOS: ${{ inputs.published_upgrade_survivor_scenarios }}
         shell: bash
         run: |
           {
@@ -422,6 +499,9 @@ jobs:
             echo "- Version: \`${PACKAGE_VERSION}\`"
             echo "- SHA-256: \`${PACKAGE_SHA256}\`"
             echo "- Profile: \`${SUITE_PROFILE}\`"
+            echo "- Published upgrade survivor baseline: \`${PUBLISHED_UPGRADE_SURVIVOR_BASELINE}\`"
+            echo "- Published upgrade survivor baselines: \`${PUBLISHED_UPGRADE_SURVIVOR_BASELINES}\`"
+            echo "- Published upgrade survivor scenarios: \`${PUBLISHED_UPGRADE_SURVIVOR_SCENARIOS}\`"
           } >> "$GITHUB_STEP_SUMMARY"
 
   docker_acceptance:
@@ -429,11 +509,14 @@ jobs:
     needs: resolve_package
     uses: ./.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
     with:
-      ref: ${{ inputs.workflow_ref }}
+      ref: ${{ needs.resolve_package.outputs.package_source_sha || inputs.workflow_ref }}
       include_repo_e2e: false
       include_release_path_suites: ${{ needs.resolve_package.outputs.include_release_path_suites == 'true' }}
       include_openwebui: ${{ needs.resolve_package.outputs.include_openwebui == 'true' }}
       docker_lanes: ${{ needs.resolve_package.outputs.docker_lanes }}
+      published_upgrade_survivor_baseline: ${{ inputs.published_upgrade_survivor_baseline }}
+      published_upgrade_survivor_baselines: ${{ needs.resolve_package.outputs.published_upgrade_survivor_baselines }}
+      published_upgrade_survivor_scenarios: ${{ needs.resolve_package.outputs.published_upgrade_survivor_scenarios }}
       package_artifact_name: ${{ needs.resolve_package.outputs.package_artifact_name }}
       include_live_suites: ${{ needs.resolve_package.outputs.include_live_suites == 'true' }}
       live_models_only: false
@@ -493,7 +576,7 @@ jobs:
       package_spec: ${{ inputs.package_spec }}
       package_artifact_name: ${{ needs.resolve_package.outputs.package_artifact_name }}
       package_label: openclaw@${{ needs.resolve_package.outputs.package_version }}
-      harness_ref: ${{ inputs.source == 'ref' && inputs.package_ref || inputs.workflow_ref }}
+      harness_ref: ${{ needs.resolve_package.outputs.package_source_sha || inputs.workflow_ref }}
       provider_mode: ${{ needs.resolve_package.outputs.telegram_mode }}
       scenario: ${{ inputs.telegram_scenarios }}
     secrets:
@@ -505,7 +588,7 @@ jobs:
     name: Verify package acceptance
     needs: [resolve_package, docker_acceptance, package_telegram]
     if: always()
-    runs-on: ubuntu-24.04
+    runs-on: blacksmith-4vcpu-ubuntu-2404
     timeout-minutes: 5
     steps:
       - name: Verify package acceptance results

.github/workflows/parity-gate.yml

@@ -1,116 +0,0 @@
-name: Parity gate
-
-on:
-  pull_request:
-    types: [opened, reopened, synchronize, ready_for_review]
-    paths:
-      - "extensions/qa-lab/**"
-      - "extensions/qa-channel/**"
-      - "extensions/openai/**"
-      - "qa/scenarios/**"
-      - "src/agents/**"
-      - "src/context-engine/**"
-      - "src/gateway/**"
-      - "src/media/**"
-      - ".github/workflows/parity-gate.yml"
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-concurrency:
-  group: parity-gate-${{ github.event.pull_request.number || github.sha }}
-  cancel-in-progress: true
-
-jobs:
-  parity-gate:
-    name: Run the OpenAI / Opus 4.6 parity gate against the qa-lab mock
-    if: ${{ github.event.pull_request.draft != true }}
-    runs-on: blacksmith-32vcpu-ubuntu-2404
-    timeout-minutes: 30
-    env:
-      # Fence the gate off from any real provider credentials. The qa-lab
-      # mock server + auth staging (PR N) should be enough to produce a
-      # meaningful verdict without touching a real API. If any of these
-      # leak into the job env, fail hard instead of silently running
-      # against a live provider and burning real budget.
-      #
-      # The parity pack has 11 isolated scenario workers. It exercises a real
-      # gateway child plus mock model turns and subagents, so keep it serial in
-      # CI even on the larger runner. Concurrent isolated gateway workers make
-      # the short strict-agentic scenarios flaky, especially the approval-turn
-      # followthrough gate that expects a fast post-approval read within a 30s
-      # agent.wait timeout.
-      QA_PARITY_CONCURRENCY: "1"
-      OPENCLAW_CI_OPENAI_MODEL: ${{ vars.OPENCLAW_CI_OPENAI_MODEL }}
-      OPENCLAW_QA_TRANSPORT_READY_TIMEOUT_MS: "180000"
-      OPENAI_API_KEY: ""
-      ANTHROPIC_API_KEY: ""
-      OPENCLAW_LIVE_OPENAI_KEY: ""
-      OPENCLAW_LIVE_ANTHROPIC_KEY: ""
-      OPENCLAW_LIVE_GEMINI_KEY: ""
-      OPENCLAW_LIVE_SETUP_TOKEN_VALUE: ""
-      # The parity suite is a private QA command. Build that exact runtime up
-      # front so CI never tests a public dist plus a later no-clean QA overlay.
-      OPENCLAW_BUILD_PRIVATE_QA: "1"
-      OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
-    steps:
-      - name: Checkout PR
-        uses: actions/checkout@v6
-
-      - name: Install pnpm
-        uses: pnpm/action-setup@v4
-
-      - name: Setup Node
-        uses: actions/setup-node@v6
-        with:
-          node-version: "22.18.0"
-          cache: "pnpm"
-
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
-
-      - name: Build private QA runtime
-        run: pnpm build
-
-      # The approval-turn sentinel still runs inside the full parity pack below.
-      # Keep the exact mock read-plan contract in deterministic unit tests instead
-      # of paying for a separate full-runtime preflight that has been flaky in CI.
-      - name: Run OpenAI candidate lane
-        run: |
-          pnpm openclaw qa suite \
-            --provider-mode mock-openai \
-            --parity-pack agentic \
-            --concurrency "${QA_PARITY_CONCURRENCY}" \
-            --model "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --alt-model openai/gpt-5.4-alt \
-            --output-dir .artifacts/qa-e2e/gpt54
-
-      - name: Run Opus 4.6 lane
-        run: |
-          pnpm openclaw qa suite \
-            --provider-mode mock-openai \
-            --parity-pack agentic \
-            --concurrency "${QA_PARITY_CONCURRENCY}" \
-            --model anthropic/claude-opus-4-6 \
-            --alt-model anthropic/claude-sonnet-4-6 \
-            --output-dir .artifacts/qa-e2e/opus46
-
-      - name: Generate parity report
-        run: |
-          pnpm openclaw qa parity-report \
-            --repo-root . \
-            --candidate-summary .artifacts/qa-e2e/gpt54/qa-suite-summary.json \
-            --baseline-summary .artifacts/qa-e2e/opus46/qa-suite-summary.json \
-            --candidate-label "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --baseline-label anthropic/claude-opus-4-6 \
-            --output-dir .artifacts/qa-e2e/parity
-
-      - name: Upload parity artifacts
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: parity-gate-${{ github.event.pull_request.number || github.sha }}
-          path: .artifacts/qa-e2e/
-          retention-days: 14
-          if-no-files-found: warn

.github/workflows/plugin-clawhub-release.yml

@@ -15,9 +15,14 @@ on:
         description: Comma-separated plugin package names to publish when publish_scope=selected
         required: false
         type: string
+      ref:
+        description: Commit SHA on main or a release branch to publish from; defaults to the workflow ref
+        required: false
+        default: ""
+        type: string
 
 concurrency:
-  group: plugin-clawhub-release-${{ github.sha }}
+  group: plugin-clawhub-release-${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.sha }}
   cancel-in-progress: false
 
 env:
@@ -27,7 +32,7 @@ env:
   CLAWHUB_REGISTRY: "https://clawhub.ai"
   CLAWHUB_REPOSITORY: "openclaw/clawhub"
   # Pinned to a reviewed ClawHub commit so release behavior stays reproducible.
-  CLAWHUB_REF: "4af2bd50a71465683dbf8aa269af764b9d39bdf5"
+  CLAWHUB_REF: "199e6a0cdf32471702e0503e9899e8d24f06a527"
 
 jobs:
   preview_plugins_clawhub:
@@ -35,7 +40,7 @@ jobs:
     permissions:
       contents: read
     outputs:
-      ref_sha: ${{ steps.ref.outputs.sha }}
+      ref_revision: ${{ steps.ref.outputs.sha }}
       has_candidates: ${{ steps.plan.outputs.has_candidates }}
       candidate_count: ${{ steps.plan.outputs.candidate_count }}
       skipped_published_count: ${{ steps.plan.outputs.skipped_published_count }}
@@ -44,7 +49,8 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
-          ref: ${{ github.sha }}
+          persist-credentials: false
+          ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.sha }}
           fetch-depth: 0
 
       - name: Setup Node environment
@@ -58,11 +64,22 @@ jobs:
         id: ref
         run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
 
-      - name: Validate ref is on main
+      - name: Validate ref is on main or a release branch
         run: |
           set -euo pipefail
-          git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
-          git merge-base --is-ancestor HEAD origin/main
+          git fetch --no-tags origin \
+            +refs/heads/main:refs/remotes/origin/main \
+            '+refs/heads/release/*:refs/remotes/origin/release/*'
+          if git merge-base --is-ancestor HEAD origin/main; then
+            exit 0
+          fi
+          while IFS= read -r release_ref; do
+            if git merge-base --is-ancestor HEAD "${release_ref}"; then
+              exit 0
+            fi
+          done < <(git for-each-ref --format='%(refname)' refs/remotes/origin/release)
+          echo "Plugin ClawHub publishes must target a commit reachable from main or release/*." >&2
+          exit 1
 
       - name: Validate publishable plugin metadata
         env:
@@ -144,13 +161,15 @@ jobs:
       contents: read
     strategy:
       fail-fast: false
+      max-parallel: 1
       matrix:
         plugin: ${{ fromJson(needs.preview_plugins_clawhub.outputs.matrix) }}
     steps:
       - name: Checkout
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.preview_plugins_clawhub.outputs.ref_sha }}
+          persist-credentials: false
+          ref: ${{ needs.preview_plugins_clawhub.outputs.ref_revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -159,11 +178,12 @@ jobs:
           node-version: ${{ env.NODE_VERSION }}
           pnpm-version: ${{ env.PNPM_VERSION }}
           install-bun: "true"
-          install-deps: "false"
+          install-deps: "true"
 
       - name: Checkout ClawHub CLI source
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           repository: ${{ env.CLAWHUB_REPOSITORY }}
           ref: ${{ env.CLAWHUB_REF }}
           path: clawhub-source
@@ -187,7 +207,7 @@ jobs:
         env:
           CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
           SOURCE_REPO: ${{ github.repository }}
-          SOURCE_COMMIT: ${{ needs.preview_plugins_clawhub.outputs.ref_sha }}
+          SOURCE_COMMIT: ${{ needs.preview_plugins_clawhub.outputs.ref_revision }}
           SOURCE_REF: ${{ github.ref }}
           PACKAGE_TAG: ${{ matrix.plugin.publishTag }}
           PACKAGE_DIR: ${{ matrix.plugin.packageDir }}
@@ -209,7 +229,8 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.preview_plugins_clawhub.outputs.ref_sha }}
+          persist-credentials: false
+          ref: ${{ needs.preview_plugins_clawhub.outputs.ref_revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -218,11 +239,12 @@ jobs:
           node-version: ${{ env.NODE_VERSION }}
           pnpm-version: ${{ env.PNPM_VERSION }}
           install-bun: "true"
-          install-deps: "false"
+          install-deps: "true"
 
       - name: Checkout ClawHub CLI source
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           repository: ${{ env.CLAWHUB_REPOSITORY }}
           ref: ${{ env.CLAWHUB_REF }}
           path: clawhub-source
@@ -242,6 +264,36 @@ jobs:
           chmod +x "$RUNNER_TEMP/clawhub"
           echo "$RUNNER_TEMP" >> "$GITHUB_PATH"
 
+      - name: Write ClawHub token config
+        env:
+          CLAWHUB_TOKEN: ${{ secrets.CLAWHUB_TOKEN }}
+          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
+        run: |
+          set -euo pipefail
+          if [[ -z "${CLAWHUB_TOKEN}" ]]; then
+            echo "No CLAWHUB_TOKEN secret configured; publish will rely on GitHub OIDC trusted publishing."
+            exit 0
+          fi
+          node --input-type=module <<'EOF'
+          import { writeFileSync } from "node:fs";
+          import { join } from "node:path";
+
+          const path = join(process.env.RUNNER_TEMP, "clawhub-config.json");
+          writeFileSync(
+            path,
+            `${JSON.stringify(
+              {
+                registry: process.env.CLAWHUB_REGISTRY,
+                token: process.env.CLAWHUB_TOKEN,
+              },
+              null,
+              2,
+            )}\n`,
+          );
+          console.log(path);
+          EOF
+          echo "CLAWHUB_CONFIG_PATH=${RUNNER_TEMP}/clawhub-config.json" >> "$GITHUB_ENV"
+
       - name: Ensure version is not already published
         env:
           PACKAGE_NAME: ${{ matrix.plugin.packageName }}
@@ -266,7 +318,7 @@ jobs:
         env:
           CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
           SOURCE_REPO: ${{ github.repository }}
-          SOURCE_COMMIT: ${{ needs.preview_plugins_clawhub.outputs.ref_sha }}
+          SOURCE_COMMIT: ${{ needs.preview_plugins_clawhub.outputs.ref_revision }}
           SOURCE_REF: ${{ github.ref }}
           PACKAGE_TAG: ${{ matrix.plugin.publishTag }}
           PACKAGE_DIR: ${{ matrix.plugin.packageDir }}

.github/workflows/plugin-npm-release.yml

@@ -8,10 +8,12 @@ on:
       - ".github/workflows/plugin-npm-release.yml"
       - "extensions/**"
       - "package.json"
+      - "scripts/lib/plugin-npm-package-manifest.mjs"
       - "scripts/lib/plugin-npm-release.ts"
       - "scripts/plugin-npm-publish.sh"
       - "scripts/plugin-npm-release-check.ts"
       - "scripts/plugin-npm-release-plan.ts"
+      - "scripts/verify-plugin-npm-published-runtime.mjs"
   workflow_dispatch:
     inputs:
       publish_scope:
@@ -23,7 +25,7 @@ on:
           - selected
           - all-publishable
       ref:
-        description: Commit SHA on main to publish from (copy from the preview run)
+        description: Commit SHA on main or a release branch to publish from (copy from the preview run)
         required: true
         type: string
       plugins:
@@ -46,7 +48,7 @@ jobs:
     permissions:
       contents: read
     outputs:
-      ref_sha: ${{ steps.ref.outputs.sha }}
+      ref_revision: ${{ steps.ref.outputs.sha }}
       has_candidates: ${{ steps.plan.outputs.has_candidates }}
       candidate_count: ${{ steps.plan.outputs.candidate_count }}
       matrix: ${{ steps.plan.outputs.matrix }}
@@ -54,6 +56,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.sha }}
           fetch-depth: 0
 
@@ -68,11 +71,22 @@ jobs:
         id: ref
         run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
 
-      - name: Validate ref is on main
+      - name: Validate ref is on main or a release branch
         run: |
           set -euo pipefail
-          git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
-          git merge-base --is-ancestor HEAD origin/main
+          git fetch --no-tags origin \
+            +refs/heads/main:refs/remotes/origin/main \
+            '+refs/heads/release/*:refs/remotes/origin/release/*'
+          if git merge-base --is-ancestor HEAD origin/main; then
+            exit 0
+          fi
+          while IFS= read -r release_ref; do
+            if git merge-base --is-ancestor HEAD "${release_ref}"; then
+              exit 0
+            fi
+          done < <(git for-each-ref --format='%(refname)' refs/remotes/origin/release)
+          echo "Plugin npm publishes must target a commit reachable from main or release/*." >&2
+          exit 1
 
       - name: Validate publishable plugin metadata
         env:
@@ -151,7 +165,8 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.preview_plugins_npm.outputs.ref_sha }}
+          persist-credentials: false
+          ref: ${{ needs.preview_plugins_npm.outputs.ref_revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -160,14 +175,12 @@ jobs:
           node-version: ${{ env.NODE_VERSION }}
           pnpm-version: ${{ env.PNPM_VERSION }}
           install-bun: "false"
-          install-deps: "false"
 
       - name: Preview publish command
         run: bash scripts/plugin-npm-publish.sh --dry-run "${{ matrix.plugin.packageDir }}"
 
       - name: Preview npm pack contents
-        working-directory: ${{ matrix.plugin.packageDir }}
-        run: npm pack --dry-run --json --ignore-scripts
+        run: bash scripts/plugin-npm-publish.sh --pack-dry-run "${{ matrix.plugin.packageDir }}"
 
   publish_plugins_npm:
     needs: [preview_plugins_npm, preview_plugin_pack]
@@ -185,7 +198,8 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.preview_plugins_npm.outputs.ref_sha }}
+          persist-credentials: false
+          ref: ${{ needs.preview_plugins_npm.outputs.ref_revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -194,7 +208,6 @@ jobs:
           node-version: ${{ env.NODE_VERSION }}
           pnpm-version: ${{ env.PNPM_VERSION }}
           install-bun: "false"
-          install-deps: "false"
 
       - name: Ensure version is not already published
         env:
@@ -212,3 +225,9 @@ jobs:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: bash scripts/plugin-npm-publish.sh --publish "${{ matrix.plugin.packageDir }}"
+
+      - name: Verify published runtime
+        env:
+          PACKAGE_NAME: ${{ matrix.plugin.packageName }}
+          PACKAGE_VERSION: ${{ matrix.plugin.version }}
+        run: node scripts/verify-plugin-npm-published-runtime.mjs "${PACKAGE_NAME}@${PACKAGE_VERSION}"

.github/workflows/plugin-prerelease.yml

@@ -0,0 +1,414 @@
+name: Plugin Prerelease
+
+on:
+  workflow_dispatch:
+    inputs:
+      target_ref:
+        description: Branch, tag, or full commit SHA to validate
+        required: false
+        default: main
+        type: string
+      expected_sha:
+        description: Optional full commit SHA that target_ref must resolve to
+        required: false
+        default: ""
+        type: string
+      full_release_validation:
+        description: Enable release-only Docker prerelease lanes from Full Release Validation
+        required: false
+        default: false
+        type: boolean
+
+permissions:
+  contents: read
+
+concurrency:
+  group: plugin-prerelease-${{ inputs.target_ref }}
+  cancel-in-progress: ${{ inputs.target_ref == 'main' }}
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+
+jobs:
+  preflight:
+    name: Build plugin prerelease plan
+    runs-on: ubuntu-24.04
+    timeout-minutes: 15
+    outputs:
+      checkout_revision: ${{ steps.manifest.outputs.checkout_revision }}
+      run_plugin_prerelease_suite: ${{ steps.manifest.outputs.run_plugin_prerelease_suite }}
+      run_plugin_prerelease_static: ${{ steps.manifest.outputs.run_plugin_prerelease_static }}
+      plugin_prerelease_static_matrix: ${{ steps.manifest.outputs.plugin_prerelease_static_matrix }}
+      run_plugin_prerelease_node: ${{ steps.manifest.outputs.run_plugin_prerelease_node }}
+      plugin_prerelease_node_matrix: ${{ steps.manifest.outputs.plugin_prerelease_node_matrix }}
+      run_plugin_prerelease_extensions: ${{ steps.manifest.outputs.run_plugin_prerelease_extensions }}
+      plugin_prerelease_extension_matrix: ${{ steps.manifest.outputs.plugin_prerelease_extension_matrix }}
+      run_plugin_prerelease_docker: ${{ steps.manifest.outputs.run_plugin_prerelease_docker }}
+      plugin_prerelease_docker_lanes: ${{ steps.manifest.outputs.plugin_prerelease_docker_lanes }}
+    steps:
+      - name: Checkout target
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ inputs.target_ref }}
+          fetch-depth: 1
+          fetch-tags: false
+          persist-credentials: false
+          submodules: false
+
+      - name: Build plugin prerelease manifest
+        id: manifest
+        env:
+          EXPECTED_SHA: ${{ inputs.expected_sha }}
+          FULL_RELEASE_VALIDATION: ${{ inputs.full_release_validation && 'true' || 'false' }}
+        run: |
+          node --input-type=module <<'EOF'
+          import { appendFileSync } from "node:fs";
+          import { execFileSync } from "node:child_process";
+
+          const createMatrix = (include) => ({ include });
+          const outputPath = process.env.GITHUB_OUTPUT;
+          const checkoutRevision = execFileSync("git", ["rev-parse", "HEAD"], {
+            encoding: "utf8",
+          }).trim();
+          const expectedSha = (process.env.EXPECTED_SHA ?? "").trim();
+          const fullReleaseValidation = process.env.FULL_RELEASE_VALIDATION === "true";
+          if (expectedSha && expectedSha !== checkoutRevision) {
+            console.error(
+              `target_ref resolved to ${checkoutRevision}, expected ${expectedSha}`,
+            );
+            process.exit(1);
+          }
+
+          let pluginPrereleasePlan = { staticChecks: [], dockerLanes: [] };
+          let extensionShards = [];
+          let nodeShards = [];
+
+          try {
+            const { assertPluginPrereleaseTestPlanComplete } = await import(
+              "./scripts/lib/plugin-prerelease-test-plan.mjs"
+            );
+            pluginPrereleasePlan = assertPluginPrereleaseTestPlanComplete();
+          } catch (error) {
+            const errorCode =
+              error && typeof error === "object" && "code" in error ? error.code : "";
+            const moduleUrl =
+              error && typeof error === "object" && "url" in error ? String(error.url) : "";
+            if (
+              errorCode === "ERR_MODULE_NOT_FOUND" &&
+              moduleUrl.endsWith("/scripts/lib/plugin-prerelease-test-plan.mjs")
+            ) {
+              console.warn(
+                "Plugin prerelease plan unavailable in target ref; skipping static and Docker plugin prerelease lanes.",
+              );
+            } else {
+              throw error;
+            }
+          }
+
+          try {
+            const { createExtensionTestShards, DEFAULT_EXTENSION_TEST_SHARD_COUNT } = await import(
+              "./scripts/lib/extension-test-plan.mjs"
+            );
+            extensionShards = createExtensionTestShards({
+              shardCount: DEFAULT_EXTENSION_TEST_SHARD_COUNT,
+            }).map((shard) => ({
+              check_name: shard.checkName,
+              extensions_csv: shard.extensionIds.join(","),
+              runner: [0, 1, 2, 3].includes(shard.index)
+                ? "blacksmith-8vcpu-ubuntu-2404"
+                : "blacksmith-4vcpu-ubuntu-2404",
+              shard_index: shard.index + 1,
+              task: "extensions-batch",
+            }));
+          } catch (error) {
+            const errorCode =
+              error && typeof error === "object" && "code" in error ? error.code : "";
+            const moduleUrl =
+              error && typeof error === "object" && "url" in error ? String(error.url) : "";
+            if (
+              errorCode === "ERR_MODULE_NOT_FOUND" &&
+              moduleUrl.endsWith("/scripts/lib/extension-test-plan.mjs")
+            ) {
+              console.warn(
+                "Extension test plan unavailable in target ref; skipping extension prerelease shards.",
+              );
+            } else {
+              throw error;
+            }
+          }
+
+          try {
+            const { createNodeTestShards } = await import("./scripts/lib/ci-node-test-plan.mjs");
+            nodeShards = createNodeTestShards({
+              includeReleaseOnlyPluginShards: true,
+            })
+              .filter((shard) => shard.shardName === "agentic-plugins")
+              .map((shard) => ({
+                check_name: shard.checkName,
+                runtime: "node",
+                task: "test-shard",
+                shard_name: shard.shardName,
+                configs: shard.configs,
+                includePatterns: shard.includePatterns,
+                runner: shard.runner,
+              }));
+          } catch (error) {
+            const errorCode =
+              error && typeof error === "object" && "code" in error ? error.code : "";
+            const moduleUrl =
+              error && typeof error === "object" && "url" in error ? String(error.url) : "";
+            if (
+              errorCode === "ERR_MODULE_NOT_FOUND" &&
+              moduleUrl.endsWith("/scripts/lib/ci-node-test-plan.mjs")
+            ) {
+              console.warn(
+                "Node test plan unavailable in target ref; skipping release-only plugin Node shard.",
+              );
+            } else {
+              throw error;
+            }
+          }
+
+          const staticChecks = pluginPrereleasePlan.staticChecks.map((check) => ({
+            check_name: check.checkName,
+            command: check.command,
+            task: check.check,
+          }));
+          const dockerLanes = pluginPrereleasePlan.dockerLanes;
+          const runStatic = staticChecks.length > 0;
+          const runNode = nodeShards.length > 0;
+          const runExtensions = extensionShards.length > 0;
+          const runDocker = fullReleaseValidation && dockerLanes.length > 0;
+          const runSuite = runStatic || runNode || runExtensions || runDocker;
+
+          const manifest = {
+            checkout_revision: checkoutRevision,
+            run_plugin_prerelease_suite: runSuite,
+            run_plugin_prerelease_static: runStatic,
+            plugin_prerelease_static_matrix: createMatrix(staticChecks),
+            run_plugin_prerelease_node: runNode,
+            plugin_prerelease_node_matrix: createMatrix(nodeShards),
+            run_plugin_prerelease_extensions: runExtensions,
+            plugin_prerelease_extension_matrix: createMatrix(extensionShards),
+            run_plugin_prerelease_docker: runDocker,
+            plugin_prerelease_docker_lanes: dockerLanes.join(" "),
+          };
+
+          for (const [key, value] of Object.entries(manifest)) {
+            appendFileSync(
+              outputPath,
+              `${key}=${typeof value === "string" ? value : JSON.stringify(value)}\n`,
+              "utf8",
+            );
+          }
+          EOF
+
+  plugin-prerelease-static-shard:
+    permissions:
+      contents: read
+    name: ${{ matrix.check_name }}
+    needs: [preflight]
+    if: needs.preflight.outputs.run_plugin_prerelease_static == 'true'
+    runs-on: blacksmith-8vcpu-ubuntu-2404
+    timeout-minutes: 45
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.preflight.outputs.plugin_prerelease_static_matrix) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ needs.preflight.outputs.checkout_revision }}
+          fetch-depth: 1
+          fetch-tags: false
+          persist-credentials: false
+          submodules: false
+
+      - name: Setup Node environment
+        uses: ./.github/actions/setup-node-env
+        with:
+          install-bun: "false"
+
+      - name: Run plugin prerelease static shard
+        env:
+          PLUGIN_PRERELEASE_COMMAND: ${{ matrix.command }}
+          PLUGIN_PRERELEASE_TASK: ${{ matrix.task }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          echo "Running ${PLUGIN_PRERELEASE_TASK}: ${PLUGIN_PRERELEASE_COMMAND}"
+          bash -c "$PLUGIN_PRERELEASE_COMMAND"
+
+  plugin-prerelease-node-shard:
+    permissions:
+      contents: read
+    name: ${{ matrix.check_name }}
+    needs: [preflight]
+    if: needs.preflight.outputs.run_plugin_prerelease_node == 'true'
+    runs-on: ${{ matrix.runner || 'ubuntu-24.04' }}
+    timeout-minutes: 60
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.preflight.outputs.plugin_prerelease_node_matrix) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ needs.preflight.outputs.checkout_revision }}
+          fetch-depth: 1
+          fetch-tags: false
+          persist-credentials: false
+          submodules: false
+
+      - name: Setup Node environment
+        uses: ./.github/actions/setup-node-env
+        with:
+          install-bun: "false"
+
+      - name: Configure Node test resources
+        run: echo "OPENCLAW_VITEST_MAX_WORKERS=2" >> "$GITHUB_ENV"
+
+      - name: Run release-only plugin Node shard
+        env:
+          NODE_OPTIONS: --max-old-space-size=6144
+          OPENCLAW_NODE_TEST_CONFIGS_JSON: ${{ toJson(matrix.configs) }}
+          OPENCLAW_NODE_TEST_INCLUDE_PATTERNS_JSON: ${{ toJson(matrix.includePatterns) }}
+          OPENCLAW_VITEST_SHARD_NAME: ${{ matrix.shard_name }}
+          OPENCLAW_TEST_PROJECTS_PARALLEL: "2"
+        shell: bash
+        run: |
+          set -euo pipefail
+          node --input-type=module <<'EOF'
+          import { spawnSync } from "node:child_process";
+          import { writeFileSync } from "node:fs";
+          import { join } from "node:path";
+
+          const configs = JSON.parse(process.env.OPENCLAW_NODE_TEST_CONFIGS_JSON ?? "[]");
+          if (!Array.isArray(configs) || configs.length === 0) {
+            console.error("Missing node test shard configs");
+            process.exit(1);
+          }
+          const includePatterns = JSON.parse(
+            process.env.OPENCLAW_NODE_TEST_INCLUDE_PATTERNS_JSON ?? "null",
+          );
+          const childEnv = { ...process.env };
+          if (Array.isArray(includePatterns) && includePatterns.length > 0) {
+            const includeFile = join(
+              process.env.RUNNER_TEMP ?? ".",
+              `node-test-include-${process.env.GITHUB_JOB ?? "local"}-${Date.now()}.json`,
+            );
+            writeFileSync(includeFile, JSON.stringify(includePatterns), "utf8");
+            childEnv.OPENCLAW_VITEST_INCLUDE_FILE = includeFile;
+          }
+
+          const result = spawnSync(
+            "pnpm",
+            ["exec", "node", "scripts/test-projects.mjs", ...configs],
+            {
+              env: childEnv,
+              stdio: "inherit",
+            },
+          );
+          process.exit(result.status ?? 1);
+          EOF
+
+  plugin-prerelease-extension-shard:
+    permissions:
+      contents: read
+    name: ${{ matrix.check_name }}
+    needs: [preflight]
+    if: needs.preflight.outputs.run_plugin_prerelease_extensions == 'true'
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 60
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.preflight.outputs.plugin_prerelease_extension_matrix) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ needs.preflight.outputs.checkout_revision }}
+          fetch-depth: 1
+          fetch-tags: false
+          persist-credentials: false
+          submodules: false
+
+      - name: Setup Node environment
+        uses: ./.github/actions/setup-node-env
+        with:
+          install-bun: "false"
+
+      - name: Run extension shard
+        env:
+          NODE_OPTIONS: --max-old-space-size=6144
+          OPENCLAW_EXTENSION_BATCH_PARALLEL: 2
+          OPENCLAW_VITEST_MAX_WORKERS: 1
+          OPENCLAW_EXTENSION_BATCH: ${{ matrix.extensions_csv }}
+        run: pnpm test:extensions:batch -- "$OPENCLAW_EXTENSION_BATCH"
+
+  plugin-prerelease-docker-suite:
+    name: plugin-prerelease-docker-suite
+    needs: [preflight]
+    if: ${{ inputs.full_release_validation && needs.preflight.outputs.run_plugin_prerelease_docker == 'true' }}
+    permissions:
+      actions: read
+      contents: read
+      packages: write
+      pull-requests: read
+    uses: ./.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
+    with:
+      ref: ${{ needs.preflight.outputs.checkout_revision }}
+      include_repo_e2e: false
+      include_release_path_suites: false
+      include_openwebui: false
+      docker_lanes: ${{ needs.preflight.outputs.plugin_prerelease_docker_lanes }}
+      targeted_docker_lane_group_size: 4
+      include_live_suites: false
+      live_models_only: false
+
+  plugin-prerelease-suite:
+    permissions:
+      contents: read
+    name: plugin-prerelease-suite
+    needs:
+      - preflight
+      - plugin-prerelease-static-shard
+      - plugin-prerelease-node-shard
+      - plugin-prerelease-extension-shard
+      - plugin-prerelease-docker-suite
+    if: ${{ !cancelled() && always() && needs.preflight.outputs.run_plugin_prerelease_suite == 'true' }}
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    steps:
+      - name: Verify plugin prerelease suite
+        env:
+          RUN_STATIC: ${{ needs.preflight.outputs.run_plugin_prerelease_static }}
+          RUN_NODE: ${{ needs.preflight.outputs.run_plugin_prerelease_node }}
+          RUN_EXTENSIONS: ${{ needs.preflight.outputs.run_plugin_prerelease_extensions }}
+          RUN_DOCKER: ${{ needs.preflight.outputs.run_plugin_prerelease_docker }}
+          STATIC_RESULT: ${{ needs.plugin-prerelease-static-shard.result }}
+          NODE_RESULT: ${{ needs.plugin-prerelease-node-shard.result }}
+          EXTENSIONS_RESULT: ${{ needs.plugin-prerelease-extension-shard.result }}
+          DOCKER_RESULT: ${{ needs.plugin-prerelease-docker-suite.result }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          failed=0
+          check_required() {
+            local name="$1"
+            local required="$2"
+            local status="$3"
+            if [ "$required" != "true" ]; then
+              return 0
+            fi
+            if [ "$status" != "success" ]; then
+              echo "::error::${name} ended with ${status}"
+              failed=1
+            fi
+          }
+
+          check_required "plugin-prerelease-static" "$RUN_STATIC" "$STATIC_RESULT"
+          check_required "plugin-prerelease-node" "$RUN_NODE" "$NODE_RESULT"
+          check_required "plugin-prerelease-extensions" "$RUN_EXTENSIONS" "$EXTENSIONS_RESULT"
+          check_required "plugin-prerelease-docker" "$RUN_DOCKER" "$DOCKER_RESULT"
+          exit "$failed"

.github/workflows/qa-live-transports-convex.yml

@@ -44,7 +44,7 @@ env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
   NODE_VERSION: "24.x"
   PNPM_VERSION: "10.33.0"
-  OPENCLAW_CI_OPENAI_MODEL: ${{ vars.OPENCLAW_CI_OPENAI_MODEL }}
+  OPENCLAW_CI_OPENAI_MODEL: ${{ vars.OPENCLAW_CI_OPENAI_MODEL || 'openai/gpt-5.5' }}
   OPENCLAW_BUILD_PRIVATE_QA: "1"
   OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
 
@@ -81,12 +81,13 @@ jobs:
     needs: authorize_actor
     runs-on: blacksmith-8vcpu-ubuntu-2404
     outputs:
-      selected_sha: ${{ steps.validate.outputs.selected_sha }}
+      selected_revision: ${{ steps.validate.outputs.selected_revision }}
       trusted_reason: ${{ steps.validate.outputs.trusted_reason }}
     steps:
       - name: Checkout selected ref
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.sha }}
           fetch-depth: 0
 
@@ -98,27 +99,27 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
-          selected_sha="$(git rev-parse HEAD)"
+          selected_revision="$(git rev-parse HEAD)"
           trusted_reason=""
 
           git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
 
-          if git merge-base --is-ancestor "$selected_sha" refs/remotes/origin/main; then
+          if git merge-base --is-ancestor "$selected_revision" refs/remotes/origin/main; then
             trusted_reason="main-ancestor"
-          elif git tag --points-at "$selected_sha" | grep -Eq '^v'; then
+          elif git tag --points-at "$selected_revision" | grep -Eq '^v'; then
             trusted_reason="release-tag"
           elif [[ "$INPUT_REF" =~ ^release/[0-9]{4}\.[0-9]+\.[0-9]+$ ]]; then
             git fetch --no-tags origin "+refs/heads/${INPUT_REF}:refs/remotes/origin/${INPUT_REF}"
             release_branch_sha="$(git rev-parse "refs/remotes/origin/${INPUT_REF}")"
-            if [[ "$selected_sha" == "$release_branch_sha" ]]; then
+            if [[ "$selected_revision" == "$release_branch_sha" ]]; then
               trusted_reason="release-branch-head"
             fi
           else
             pr_head_count="$(
               gh api \
                 -H "Accept: application/vnd.github+json" \
-                "repos/${GITHUB_REPOSITORY}/commits/${selected_sha}/pulls" \
-                --jq '[.[] | select(.state == "open" and .head.repo.full_name == "'"${GITHUB_REPOSITORY}"'" and .head.sha == "'"${selected_sha}"'")] | length'
+                "repos/${GITHUB_REPOSITORY}/commits/${selected_revision}/pulls" \
+                --jq '[.[] | select(.state == "open" and .head.repo.full_name == "'"${GITHUB_REPOSITORY}"'" and .head.sha == "'"${selected_revision}"'")] | length'
             )"
             if [[ "$pr_head_count" != "0" ]]; then
               trusted_reason="open-pr-head"
@@ -126,23 +127,23 @@ jobs:
           fi
 
           if [[ -z "$trusted_reason" ]]; then
-            echo "Ref '${INPUT_REF}' resolved to $selected_sha, which is not trusted for this secret-bearing QA run." >&2
+            echo "Ref '${INPUT_REF}' resolved to $selected_revision, which is not trusted for this secret-bearing QA run." >&2
             echo "Allowed refs must be on main, point to a release tag, match a release branch head, or match an open PR head in ${GITHUB_REPOSITORY}." >&2
             exit 1
           fi
 
-          echo "selected_sha=$selected_sha" >> "$GITHUB_OUTPUT"
+          echo "selected_revision=$selected_revision" >> "$GITHUB_OUTPUT"
           echo "trusted_reason=$trusted_reason" >> "$GITHUB_OUTPUT"
           {
             echo "Validated ref: \`${INPUT_REF}\`"
-            echo "Resolved SHA: \`$selected_sha\`"
+            echo "Resolved SHA: \`$selected_revision\`"
             echo "Trust reason: \`$trusted_reason\`"
           } >> "$GITHUB_STEP_SUMMARY"
 
   run_mock_parity:
-    name: Run QA Lab parity gate
+    name: Run QA Lab mock parity lane
     needs: [validate_selected_ref]
-    runs-on: blacksmith-32vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 30
     env:
       QA_PARITY_CONCURRENCY: "1"
@@ -157,7 +158,8 @@ jobs:
       - name: Checkout selected ref
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
+          persist-credentials: false
+          ref: ${{ needs.validate_selected_ref.outputs.selected_revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -213,14 +215,15 @@ jobs:
     name: Run Matrix live QA lane
     needs: [authorize_actor, validate_selected_ref]
     if: ${{ !(github.event_name == 'workflow_dispatch' && inputs.matrix_profile == 'all') }}
-    runs-on: blacksmith-32vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 60
     environment: qa-live-shared
     steps:
       - name: Checkout selected ref
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
+          persist-credentials: false
+          ref: ${{ needs.validate_selected_ref.outputs.selected_revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -287,7 +290,7 @@ jobs:
     name: Run Matrix live QA lane (${{ matrix.profile }})
     needs: [authorize_actor, validate_selected_ref]
     if: ${{ github.event_name == 'workflow_dispatch' && inputs.matrix_profile == 'all' }}
-    runs-on: blacksmith-32vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 60
     environment: qa-live-shared
     strategy:
@@ -303,7 +306,8 @@ jobs:
       - name: Checkout selected ref
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
+          persist-credentials: false
+          ref: ${{ needs.validate_selected_ref.outputs.selected_revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -368,14 +372,15 @@ jobs:
   run_live_telegram:
     name: Run Telegram live QA lane with Convex leases
     needs: [authorize_actor, validate_selected_ref]
-    runs-on: blacksmith-32vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 60
     environment: qa-live-shared
     steps:
       - name: Checkout selected ref
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
+          persist-credentials: false
+          ref: ${{ needs.validate_selected_ref.outputs.selected_revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -460,14 +465,15 @@ jobs:
   run_live_discord:
     name: Run Discord live QA lane with Convex leases
     needs: [authorize_actor, validate_selected_ref]
-    runs-on: blacksmith-32vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 60
     environment: qa-live-shared
     steps:
       - name: Checkout selected ref
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
+          persist-credentials: false
+          ref: ${{ needs.validate_selected_ref.outputs.selected_revision }}
           fetch-depth: 1
 
       - name: Setup Node environment

.github/workflows/sandbox-common-smoke.yml

@@ -4,14 +4,14 @@ on:
   push:
     branches: [main]
     paths:
-      - Dockerfile.sandbox
-      - Dockerfile.sandbox-common
+      - scripts/docker/sandbox/Dockerfile
+      - scripts/docker/sandbox/Dockerfile.common
       - scripts/sandbox-common-setup.sh
   pull_request:
     types: [opened, reopened, synchronize, ready_for_review, converted_to_draft]
     paths:
-      - Dockerfile.sandbox
-      - Dockerfile.sandbox-common
+      - scripts/docker/sandbox/Dockerfile
+      - scripts/docker/sandbox/Dockerfile.common
       - scripts/sandbox-common-setup.sh
 
 permissions:

.github/workflows/stale.yml

@@ -4,6 +4,32 @@ on:
   schedule:
     - cron: "17 3 * * *"
   workflow_dispatch:
+    inputs:
+      backfill_stale_closures:
+        description: "Close currently stale-eligible issues and PRs with the Barnacle app"
+        required: false
+        type: boolean
+        default: false
+      dry_run:
+        description: "List matching stale-eligible items without closing them"
+        required: false
+        type: boolean
+        default: true
+      include_issues:
+        description: "Include stale-eligible issues in the backfill"
+        required: false
+        type: boolean
+        default: true
+      include_prs:
+        description: "Include stale-eligible pull requests in the backfill"
+        required: false
+        type: boolean
+        default: true
+      max_closures:
+        description: "Maximum items to close when dry_run is false"
+        required: false
+        type: number
+        default: 50
 
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
@@ -12,6 +38,7 @@ permissions: {}
 
 jobs:
   stale:
+    if: ${{ github.event_name != 'workflow_dispatch' || inputs.backfill_stale_closures != true }}
     permissions:
       issues: write
       pull-requests: write
@@ -35,10 +62,10 @@ jobs:
         uses: actions/stale@v10
         with:
           repo-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
-          days-before-issue-stale: 7
-          days-before-issue-close: 5
-          days-before-pr-stale: 5
-          days-before-pr-close: 3
+          days-before-issue-stale: 14
+          days-before-issue-close: 7
+          days-before-pr-stale: 14
+          days-before-pr-close: 7
           stale-issue-label: stale
           stale-pr-label: stale
           exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale,bad-barnacle
@@ -95,7 +122,7 @@ jobs:
           days-before-issue-stale: -1
           days-before-issue-close: -1
           days-before-pr-stale: 27
-          days-before-pr-close: 3
+          days-before-pr-close: 7
           stale-pr-label: stale
           exempt-pr-labels: maintainer,no-stale,bad-barnacle
           operations-per-run: 2000
@@ -139,10 +166,10 @@ jobs:
         uses: actions/stale@v10
         with:
           repo-token: ${{ steps.app-token-fallback.outputs.token }}
-          days-before-issue-stale: 7
-          days-before-issue-close: 5
-          days-before-pr-stale: 5
-          days-before-pr-close: 3
+          days-before-issue-stale: 14
+          days-before-issue-close: 7
+          days-before-pr-stale: 14
+          days-before-pr-close: 7
           stale-issue-label: stale
           stale-pr-label: stale
           exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale,bad-barnacle
@@ -197,7 +224,7 @@ jobs:
           days-before-issue-stale: -1
           days-before-issue-close: -1
           days-before-pr-stale: 27
-          days-before-pr-close: 3
+          days-before-pr-close: 7
           stale-pr-label: stale
           exempt-pr-labels: maintainer,no-stale,bad-barnacle
           operations-per-run: 2000
@@ -213,7 +240,253 @@ jobs:
             If you believe this PR should be revived, post in #clawtributors on Discord to talk to a maintainer.
             That channel is the escape hatch for high-quality PRs that get auto-closed.
 
+  backfill-stale-closures:
+    if: ${{ github.event_name == 'workflow_dispatch' && inputs.backfill_stale_closures == true }}
+    permissions:
+      issues: write
+      pull-requests: write
+    runs-on: blacksmith-16vcpu-ubuntu-2404
+    steps:
+      - uses: actions/create-github-app-token@v3
+        id: app-token
+        with:
+          app-id: "2971289"
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY_FALLBACK }}
+      - name: Backfill stale closures
+        uses: actions/github-script@v9
+        env:
+          DRY_RUN: ${{ inputs.dry_run }}
+          INCLUDE_ISSUES: ${{ inputs.include_issues }}
+          INCLUDE_PRS: ${{ inputs.include_prs }}
+          MAX_CLOSURES: ${{ inputs.max_closures }}
+        with:
+          github-token: ${{ steps.app-token.outputs.token }}
+          script: |
+            const dayMs = 24 * 60 * 60 * 1000;
+            const dryRun = process.env.DRY_RUN !== "false";
+            const includeIssues = process.env.INCLUDE_ISSUES !== "false";
+            const includePrs = process.env.INCLUDE_PRS !== "false";
+            const maxClosures = Math.max(0, Number(process.env.MAX_CLOSURES || "50"));
+            const nowMs = Date.now();
+            const { owner, repo } = context.repo;
+
+            const issueExemptLabels = new Set([
+              "enhancement",
+              "maintainer",
+              "pinned",
+              "security",
+              "no-stale",
+              "bad-barnacle",
+            ]);
+            const prExemptLabels = new Set(["maintainer", "no-stale", "bad-barnacle"]);
+            const maintainerAssociations = new Set(["OWNER", "MEMBER", "COLLABORATOR"]);
+            const maintainerLogins = new Set([
+              "altaywtf",
+              "BunsDev",
+              "cpojer",
+              "gumadeiras",
+              "hydro13",
+              "hxy91819",
+              "jalehman",
+              "joshavant",
+              "joshp123",
+              "mbelinky",
+              "mukhtharcm",
+              "ngutman",
+              "obviyus",
+              "odysseus0",
+              "onutc",
+              "osolmaz",
+              "sebslight",
+              "sliverp",
+              "steipete",
+              "thewilloftheshadow",
+              "tyler6204",
+              "velvet-shark",
+              "vignesh07",
+              "vincentkoc",
+              "visionik",
+            ].map(login => login.toLowerCase()));
+
+            const issueCloseMessage = [
+              "Closing due to inactivity.",
+              "If this is still an issue, please retry on the latest OpenClaw release and share updated details.",
+              "If you are absolutely sure it still happens on the latest release, open a new issue with fresh steps to reproduce.",
+            ].join("\n");
+            const prCloseMessage = [
+              "Closing due to inactivity.",
+              "If you believe this PR should be revived, post in #clawtributors on Discord to talk to a maintainer.",
+              "That channel is the escape hatch for high-quality PRs that get auto-closed.",
+            ].join("\n");
+
+            const hasAny = (labels, exemptLabels) => {
+              for (const label of labels) {
+                if (exemptLabels.has(label)) {
+                  return true;
+                }
+              }
+              return false;
+            };
+            const isOlderThan = (dateString, days) => {
+              const timestamp = Date.parse(dateString);
+              return Number.isFinite(timestamp) && timestamp < nowMs - days * dayMs;
+            };
+
+            const candidates = [];
+            const skipped = {
+              missingStale: 0,
+              exemptLabel: 0,
+              maintainerAuthor: 0,
+              maintainerAssignee: 0,
+              notOldEnough: 0,
+              disabledType: 0,
+            };
+
+            for await (const response of github.paginate.iterator(github.rest.issues.listForRepo, {
+              owner,
+              repo,
+              state: "open",
+              sort: "updated",
+              direction: "asc",
+              per_page: 100,
+            })) {
+              for (const item of response.data) {
+                const isPr = Boolean(item.pull_request);
+                if ((isPr && !includePrs) || (!isPr && !includeIssues)) {
+                  skipped.disabledType += 1;
+                  continue;
+                }
+
+                const labels = new Set((item.labels || []).map(label => label.name));
+                if (!labels.has("stale")) {
+                  skipped.missingStale += 1;
+                  continue;
+                }
+
+                const exemptLabels = isPr ? prExemptLabels : issueExemptLabels;
+                if (hasAny(labels, exemptLabels)) {
+                  skipped.exemptLabel += 1;
+                  continue;
+                }
+
+                if (maintainerAssociations.has(item.author_association)) {
+                  skipped.maintainerAuthor += 1;
+                  continue;
+                }
+
+                const assigned = (item.assignees || []).length > 0;
+                const assignedToMaintainer = (item.assignees || []).some(assignee =>
+                  maintainerLogins.has(assignee.login.toLowerCase()),
+                );
+                if (assignedToMaintainer) {
+                  skipped.maintainerAssignee += 1;
+                  continue;
+                }
+
+                let eligible = false;
+                let lane = "";
+                if (isPr && assigned) {
+                  lane = "assigned-pr";
+                  eligible = isOlderThan(item.created_at, 34) && isOlderThan(item.updated_at, 7);
+                } else if (isPr) {
+                  lane = "unassigned-pr";
+                  eligible = isOlderThan(item.updated_at, 7);
+                } else if (assigned) {
+                  lane = "assigned-issue";
+                  eligible = isOlderThan(item.updated_at, 10);
+                } else {
+                  lane = "unassigned-issue";
+                  eligible = isOlderThan(item.updated_at, 7);
+                }
+
+                if (!eligible) {
+                  skipped.notOldEnough += 1;
+                  continue;
+                }
+
+                candidates.push({
+                  number: item.number,
+                  title: item.title,
+                  lane,
+                  isPr,
+                  assigned,
+                  createdAt: item.created_at,
+                  updatedAt: item.updated_at,
+                  authorAssociation: item.author_association,
+                  url: item.html_url,
+                });
+              }
+            }
+
+            const countsByLane = candidates.reduce((counts, candidate) => {
+              counts[candidate.lane] = (counts[candidate.lane] || 0) + 1;
+              return counts;
+            }, {});
+            const selected = candidates.slice(0, maxClosures);
+
+            core.info(`Dry run: ${dryRun}`);
+            core.info(`Candidates: ${candidates.length}`);
+            core.info(`Selected: ${selected.length}`);
+            core.info(`Counts by lane: ${JSON.stringify(countsByLane)}`);
+            core.info(`Skipped: ${JSON.stringify(skipped)}`);
+            for (const candidate of selected) {
+              core.info(`${dryRun ? "Would close" : "Closing"} ${candidate.lane} #${candidate.number}: ${candidate.title} (${candidate.url})`);
+            }
+
+            await core.summary
+              .addHeading("Stale Closure Backfill")
+              .addRaw(`Dry run: ${dryRun}\n\n`)
+              .addRaw(`Candidates: ${candidates.length}\n\n`)
+              .addRaw(`Selected: ${selected.length}\n\n`)
+              .addCodeBlock(JSON.stringify({ countsByLane, skipped }, null, 2), "json")
+              .addTable([
+                [
+                  { data: "Lane", header: true },
+                  { data: "Number", header: true },
+                  { data: "Title", header: true },
+                  { data: "URL", header: true },
+                ],
+                ...selected.map(candidate => [
+                  candidate.lane,
+                  String(candidate.number),
+                  candidate.title,
+                  candidate.url,
+                ]),
+              ])
+              .write();
+
+            if (dryRun) {
+              return;
+            }
+
+            for (const candidate of selected) {
+              await github.rest.issues.createComment({
+                owner,
+                repo,
+                issue_number: candidate.number,
+                body: candidate.isPr ? prCloseMessage : issueCloseMessage,
+              });
+
+              if (candidate.isPr) {
+                await github.rest.pulls.update({
+                  owner,
+                  repo,
+                  pull_number: candidate.number,
+                  state: "closed",
+                });
+              } else {
+                await github.rest.issues.update({
+                  owner,
+                  repo,
+                  issue_number: candidate.number,
+                  state: "closed",
+                  state_reason: "not_planned",
+                });
+              }
+            }
+
   lock-closed-issues:
+    if: ${{ github.event_name != 'workflow_dispatch' || inputs.backfill_stale_closures != true }}
     permissions:
       issues: write
     runs-on: blacksmith-16vcpu-ubuntu-2404

.github/workflows/test-performance-agent.yml

@@ -129,7 +129,7 @@ jobs:
 
       - name: Run Codex test performance agent
         if: steps.gate.outputs.run_agent == 'true'
-        uses: openai/codex-action@v1
+        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02
         with:
           openai-api-key: ${{ secrets.OPENCLAW_TEST_PERF_AGENT_OPENAI_API_KEY || secrets.OPENAI_API_KEY }}
           prompt-file: .github/codex/prompts/test-performance-agent.md
@@ -162,7 +162,7 @@ jobs:
           bad_paths="$(
             git diff --name-only | while IFS= read -r path; do
               case "$path" in
-                apps/*|extensions/*|packages/*|scripts/*|src/*|Swabble/*|test/*|ui/*) ;;
+                apps/*|extensions/*|packages/*|scripts/*|src/*|test/*|ui/*) ;;
                 *) printf '%s\n' "$path" ;;
               esac
             done
@@ -240,7 +240,7 @@ jobs:
 
           git config user.name "openclaw-test-performance-agent[bot]"
           git config user.email "openclaw-test-performance-agent[bot]@users.noreply.github.com"
-          git add apps extensions packages scripts src Swabble test ui
+          git add apps extensions packages scripts src test ui
           git commit --no-verify -m "test: optimize slow tests"
 
           for attempt in 1 2 3 4 5; do

.github/workflows/update-migration.yml

@@ -0,0 +1,46 @@
+name: Update Migration
+
+on:
+  workflow_dispatch:
+    inputs:
+      workflow_ref:
+        description: Trusted workflow/harness ref
+        default: main
+        required: true
+        type: string
+      package_ref:
+        description: Branch, tag, or SHA to package as the update target
+        default: main
+        required: true
+        type: string
+      baselines:
+        description: Published baselines to migrate; use all-since-2026.4.23 for full coverage
+        default: all-since-2026.4.23
+        required: true
+        type: string
+      scenarios:
+        description: Update survivor scenarios
+        default: plugin-deps-cleanup
+        required: true
+        type: string
+
+permissions:
+  actions: read
+  contents: read
+  packages: write
+  pull-requests: read
+
+jobs:
+  update_migration:
+    name: Update migration matrix
+    uses: ./.github/workflows/package-acceptance.yml
+    with:
+      workflow_ref: ${{ inputs.workflow_ref }}
+      source: ref
+      package_ref: ${{ inputs.package_ref }}
+      suite_profile: custom
+      docker_lanes: update-migration
+      published_upgrade_survivor_baselines: ${{ inputs.baselines }}
+      published_upgrade_survivor_scenarios: ${{ inputs.scenarios }}
+      telegram_mode: none
+    secrets: inherit

.gitignore

@@ -3,8 +3,10 @@ node_modules
 .env
 docker-compose.override.yml
 docker-compose.extra.yml
+docker-compose.sandbox.yml
 dist
 dist-runtime/
+dist-sea/
 pnpm-lock.yaml
 bun.lock
 bun.lockb
@@ -12,7 +14,7 @@ coverage
 __openclaw_vitest__/
 __pycache__/
 *.pyc
-.tsbuildinfo
+*.tsbuildinfo
 .pnpm-store
 .worktrees/
 .DS_Store
@@ -91,8 +93,11 @@ docs/internal/
 tmp/
 IDENTITY.md
 USER.md
-.tgz
+*.tgz
+*.tar.gz
+*.zip
 .idea
+.vscode/
 
 # local tooling
 .serena/
@@ -102,6 +107,8 @@ USER.md
 .agents/skills/*
 !.agents/skills/blacksmith-testbox/
 !.agents/skills/blacksmith-testbox/**
+!.agents/skills/crabbox/
+!.agents/skills/crabbox/**
 !.agents/skills/gitcrawl/
 !.agents/skills/gitcrawl/**
 !.agents/skills/openclaw-ghsa-maintainer/
@@ -136,6 +143,7 @@ USER.md
 .agent/*.json
 !.agent/workflows/
 /local/
+/client_secret_*.json
 package-lock.json
 .claude/
 .agent/
@@ -147,7 +155,10 @@ apps/ios/LocalSigning.xcconfig
 # Xcode build directories (xcodebuild output)
 apps/ios/build/
 apps/shared/OpenClawKit/build/
-Swabble/build/
+apps/swabble/build/
+*.xcresult
+*.trace
+*.profraw
 
 # Generated protocol schema (produced via pnpm protocol:gen)
 dist/protocol.schema.json
@@ -180,13 +191,31 @@ changelog/fragments/
 
 # Local scratch workspace
 .tmp/
+.cache/
+.pytest_cache/
+.ruff_cache/
+.mypy_cache/
 .vmux*
 .artifacts/
+.openclaw-config-doc-cache/
+openclaw-path-alias-*/
+/.pi/
+/C:\\openclaw/
+*.log
+*.tmp
+*.heapsnapshot
+*.cpuprofile
+*.prof
 test/fixtures/openclaw-vitest-unit-report.json
 analysis/
 .artifacts/qa-e2e/
+/runs/
+/data/rtt.jsonl
 extensions/qa-lab/web/dist/
 
 # Generated bundled plugin runtime dependency manifests
 extensions/**/.openclaw-runtime-deps.json
 extensions/**/.openclaw-runtime-deps-stamp.json
+
+# Output dir for scripts/run-opengrep.sh (local opengrep scans)
+/.opengrep-out/

.jscpd.json

@@ -1,16 +0,0 @@
-{
-  "gitignore": true,
-  "noSymlinks": true,
-  "ignore": [
-    "**/node_modules/**",
-    "**/dist/**",
-    "dist/**",
-    "**/.git/**",
-    "**/coverage/**",
-    "**/build/**",
-    "**/.build/**",
-    "**/.artifacts/**",
-    "docs/zh-CN/**",
-    "**/CHANGELOG.md"
-  ]
-}

.mailmap

@@ -1,13 +0,0 @@
-# Canonical contributor identity mappings for cherry-picked commits.
-bmendonca3 <208517100+bmendonca3@users.noreply.github.com> <brianmendonca@Brians-MacBook-Air.local>
-hcl <7755017+hclsys@users.noreply.github.com> <chenglunhu@gmail.com>
-Glucksberg <80581902+Glucksberg@users.noreply.github.com> <markuscontasul@gmail.com>
-JackyWay <53031570+JackyWay@users.noreply.github.com> <jackybbc@gmail.com>
-Marcus Castro <7562095+mcaxtr@users.noreply.github.com> <mcaxtr@gmail.com>
-Marc Gratch <2238658+mgratch@users.noreply.github.com> <me@marcgratch.com>
-Peter Machona <7957943+chilu18@users.noreply.github.com> <chilu.machona@icloud.com>
-Ben Marvell <92585+easternbloc@users.noreply.github.com> <ben@marvell.consulting>
-zerone0x <39543393+zerone0x@users.noreply.github.com> <hi@trine.dev>
-Marco Di Dionisio <3519682+marcodd23@users.noreply.github.com> <m.didionisio23@gmail.com>
-mujiannan <46643837+mujiannan@users.noreply.github.com> <shennan@mujiannan.com>
-Santhanakrishnan <239082898+bitfoundry-ai@users.noreply.github.com> <noreply@anthropic.com>

.npmignore

@@ -1,3 +0,0 @@
-**/node_modules/
-**/.runtime-deps-*/
-docs/.generated/

.oxfmtrc.jsonc

@@ -10,7 +10,6 @@
   "useTabs": false,
   "ignorePatterns": [
     "apps/",
-    "assets/",
     "CLAUDE.md",
     "docker-compose.yml",
     "dist/",
@@ -21,7 +20,8 @@
     "src/gateway/server-methods/CLAUDE.md",
     "src/auto-reply/reply/export-html/",
     "src/canvas-host/a2ui/a2ui.bundle.js",
-    "Swabble/",
+    "test/fixtures/agents/prompt-snapshots/codex-model-catalog/*.instructions.md",
+    "test/fixtures/agents/prompt-snapshots/happy-path/*.md",
     "vendor/",
   ],
 }

.oxlintrc.json

@@ -113,19 +113,19 @@
     "vitest/prefer-expect-type-of": "error"
   },
   "ignorePatterns": [
-    "assets/",
     "dist/",
     "dist-runtime/",
     "docs/_layouts/",
+    "extensions/diffs/assets/viewer-runtime.js",
     "node_modules/",
     "patches/",
     "pnpm-lock.yaml",
     "skills/",
     "src/auto-reply/reply/export-html/template.js",
     "src/canvas-host/a2ui/a2ui.bundle.js",
-    "Swabble/",
     "vendor/",
     "**/.cache/**",
+    "**/.openclaw-runtime-deps-copy-*/**",
     "**/build/**",
     "**/coverage/**",
     "**/dist/**",

.pi/extensions/diff.ts

@@ -1,117 +0,0 @@
-/**
- * Diff Extension
- *
- * /diff command shows modified/deleted/new files from git status and opens
- * the selected file in VS Code's diff view.
- */
-
-import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
-import { showPagedSelectList } from "./ui/paged-select";
-
-interface FileInfo {
-  status: string;
-  statusLabel: string;
-  file: string;
-}
-
-export default function (pi: ExtensionAPI) {
-  pi.registerCommand("diff", {
-    description: "Show git changes and open in VS Code diff view",
-    handler: async (_args, ctx) => {
-      if (!ctx.hasUI) {
-        ctx.ui.notify("No UI available", "error");
-        return;
-      }
-
-      // Get changed files from git status
-      const result = await pi.exec("git", ["status", "--porcelain"], { cwd: ctx.cwd });
-
-      if (result.code !== 0) {
-        ctx.ui.notify(`git status failed: ${result.stderr}`, "error");
-        return;
-      }
-
-      if (!result.stdout || !result.stdout.trim()) {
-        ctx.ui.notify("No changes in working tree", "info");
-        return;
-      }
-
-      // Parse git status output
-      // Format: XY filename (where XY is two-letter status, then space, then filename)
-      const lines = result.stdout.split("\n");
-      const files: FileInfo[] = [];
-
-      for (const line of lines) {
-        if (line.length < 4) {
-          continue;
-        } // Need at least "XY f"
-
-        const status = line.slice(0, 2);
-        const file = line.slice(2).trimStart();
-
-        // Translate status codes to short labels
-        let statusLabel: string;
-        if (status.includes("M")) {
-          statusLabel = "M";
-        } else if (status.includes("A")) {
-          statusLabel = "A";
-        } else if (status.includes("D")) {
-          statusLabel = "D";
-        } else if (status.includes("?")) {
-          statusLabel = "?";
-        } else if (status.includes("R")) {
-          statusLabel = "R";
-        } else if (status.includes("C")) {
-          statusLabel = "C";
-        } else {
-          statusLabel = status.trim() || "~";
-        }
-
-        files.push({ status: statusLabel, statusLabel, file });
-      }
-
-      if (files.length === 0) {
-        ctx.ui.notify("No changes found", "info");
-        return;
-      }
-
-      const openSelected = async (fileInfo: FileInfo): Promise<void> => {
-        try {
-          // Open in VS Code diff view.
-          // For untracked files, git difftool won't work, so fall back to just opening the file.
-          if (fileInfo.status === "?") {
-            await pi.exec("code", ["-g", fileInfo.file], { cwd: ctx.cwd });
-            return;
-          }
-
-          const diffResult = await pi.exec(
-            "git",
-            ["difftool", "-y", "--tool=vscode", fileInfo.file],
-            {
-              cwd: ctx.cwd,
-            },
-          );
-          if (diffResult.code !== 0) {
-            await pi.exec("code", ["-g", fileInfo.file], { cwd: ctx.cwd });
-          }
-        } catch (error) {
-          const message = error instanceof Error ? error.message : String(error);
-          ctx.ui.notify(`Failed to open ${fileInfo.file}: ${message}`, "error");
-        }
-      };
-
-      const items = files.map((file) => ({
-        value: file,
-        label: `${file.status} ${file.file}`,
-      }));
-      await showPagedSelectList({
-        ctx,
-        title: " Select file to diff",
-        items,
-        onSelect: (item) => {
-          void openSelected(item.value as FileInfo);
-        },
-      });
-    },
-  });
-}

.pi/extensions/files.ts

@@ -1,134 +0,0 @@
-/**
- * Files Extension
- *
- * /files command lists all files the model has read/written/edited in the active session branch,
- * coalesced by path and sorted newest first. Selecting a file opens it in VS Code.
- */
-
-import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
-import { showPagedSelectList } from "./ui/paged-select";
-
-interface FileEntry {
-  path: string;
-  operations: Set<"read" | "write" | "edit">;
-  lastTimestamp: number;
-}
-
-type FileToolName = "read" | "write" | "edit";
-
-export default function (pi: ExtensionAPI) {
-  pi.registerCommand("files", {
-    description: "Show files read/written/edited in this session",
-    handler: async (_args, ctx) => {
-      if (!ctx.hasUI) {
-        ctx.ui.notify("No UI available", "error");
-        return;
-      }
-
-      // Get the current branch (path from leaf to root)
-      const branch = ctx.sessionManager.getBranch();
-
-      // First pass: collect tool calls (id -> {path, name}) from assistant messages
-      const toolCalls = new Map<string, { path: string; name: FileToolName; timestamp: number }>();
-
-      for (const entry of branch) {
-        if (entry.type !== "message") {
-          continue;
-        }
-        const msg = entry.message;
-
-        if (msg.role === "assistant" && Array.isArray(msg.content)) {
-          for (const block of msg.content) {
-            if (block.type === "toolCall") {
-              const name = block.name;
-              if (name === "read" || name === "write" || name === "edit") {
-                const path = block.arguments?.path;
-                if (path && typeof path === "string") {
-                  toolCalls.set(block.id, { path, name, timestamp: msg.timestamp });
-                }
-              }
-            }
-          }
-        }
-      }
-
-      // Second pass: match tool results to get the actual execution timestamp
-      const fileMap = new Map<string, FileEntry>();
-
-      for (const entry of branch) {
-        if (entry.type !== "message") {
-          continue;
-        }
-        const msg = entry.message;
-
-        if (msg.role === "toolResult") {
-          const toolCall = toolCalls.get(msg.toolCallId);
-          if (!toolCall) {
-            continue;
-          }
-
-          const { path, name } = toolCall;
-          const timestamp = msg.timestamp;
-
-          const existing = fileMap.get(path);
-          if (existing) {
-            existing.operations.add(name);
-            if (timestamp > existing.lastTimestamp) {
-              existing.lastTimestamp = timestamp;
-            }
-          } else {
-            fileMap.set(path, {
-              path,
-              operations: new Set([name]),
-              lastTimestamp: timestamp,
-            });
-          }
-        }
-      }
-
-      if (fileMap.size === 0) {
-        ctx.ui.notify("No files read/written/edited in this session", "info");
-        return;
-      }
-
-      // Sort by most recent first
-      const files = Array.from(fileMap.values()).toSorted(
-        (a, b) => b.lastTimestamp - a.lastTimestamp,
-      );
-
-      const openSelected = async (file: FileEntry): Promise<void> => {
-        try {
-          await pi.exec("code", ["-g", file.path], { cwd: ctx.cwd });
-        } catch (error) {
-          const message = error instanceof Error ? error.message : String(error);
-          ctx.ui.notify(`Failed to open ${file.path}: ${message}`, "error");
-        }
-      };
-
-      const items = files.map((file) => {
-        const ops: string[] = [];
-        if (file.operations.has("read")) {
-          ops.push("R");
-        }
-        if (file.operations.has("write")) {
-          ops.push("W");
-        }
-        if (file.operations.has("edit")) {
-          ops.push("E");
-        }
-        return {
-          value: file,
-          label: `${ops.join("")} ${file.path}`,
-        };
-      });
-      await showPagedSelectList({
-        ctx,
-        title: " Select file to open",
-        items,
-        onSelect: (item) => {
-          void openSelected(item.value as FileEntry);
-        },
-      });
-    },
-  });
-}

.pi/extensions/prompt-url-widget.ts

@@ -1,190 +0,0 @@
-import {
-  DynamicBorder,
-  type ExtensionAPI,
-  type ExtensionContext,
-} from "@mariozechner/pi-coding-agent";
-import { Container, Text } from "@mariozechner/pi-tui";
-
-const PR_PROMPT_PATTERN = /^\s*You are given one or more GitHub PR URLs:\s*(\S+)/im;
-const ISSUE_PROMPT_PATTERN = /^\s*Analyze GitHub issue\(s\):\s*(\S+)/im;
-
-type PromptMatch = {
-  kind: "pr" | "issue";
-  url: string;
-};
-
-type GhMetadata = {
-  title?: string;
-  author?: {
-    login?: string;
-    name?: string | null;
-  };
-};
-
-function extractPromptMatch(prompt: string): PromptMatch | undefined {
-  const prMatch = prompt.match(PR_PROMPT_PATTERN);
-  if (prMatch?.[1]) {
-    return { kind: "pr", url: prMatch[1].trim() };
-  }
-
-  const issueMatch = prompt.match(ISSUE_PROMPT_PATTERN);
-  if (issueMatch?.[1]) {
-    return { kind: "issue", url: issueMatch[1].trim() };
-  }
-
-  return undefined;
-}
-
-async function fetchGhMetadata(
-  pi: ExtensionAPI,
-  kind: PromptMatch["kind"],
-  url: string,
-): Promise<GhMetadata | undefined> {
-  const args =
-    kind === "pr"
-      ? ["pr", "view", url, "--json", "title,author"]
-      : ["issue", "view", url, "--json", "title,author"];
-
-  try {
-    const result = await pi.exec("gh", args);
-    if (result.code !== 0 || !result.stdout) {
-      return undefined;
-    }
-    return JSON.parse(result.stdout) as GhMetadata;
-  } catch {
-    return undefined;
-  }
-}
-
-function formatAuthor(author?: GhMetadata["author"]): string | undefined {
-  if (!author) {
-    return undefined;
-  }
-  const name = author.name?.trim();
-  const login = author.login?.trim();
-  if (name && login) {
-    return `${name} (@${login})`;
-  }
-  if (login) {
-    return `@${login}`;
-  }
-  if (name) {
-    return name;
-  }
-  return undefined;
-}
-
-export default function promptUrlWidgetExtension(pi: ExtensionAPI) {
-  const setWidget = (
-    ctx: ExtensionContext,
-    match: PromptMatch,
-    title?: string,
-    authorText?: string,
-  ) => {
-    ctx.ui.setWidget("prompt-url", (_tui, thm) => {
-      const titleText = title ? thm.fg("accent", title) : thm.fg("accent", match.url);
-      const authorLine = authorText ? thm.fg("muted", authorText) : undefined;
-      const urlLine = thm.fg("dim", match.url);
-
-      const lines = [titleText];
-      if (authorLine) {
-        lines.push(authorLine);
-      }
-      lines.push(urlLine);
-
-      const container = new Container();
-      container.addChild(new DynamicBorder((s: string) => thm.fg("muted", s)));
-      container.addChild(new Text(lines.join("\n"), 1, 0));
-      return container;
-    });
-  };
-
-  const applySessionName = (ctx: ExtensionContext, match: PromptMatch, title?: string) => {
-    const label = match.kind === "pr" ? "PR" : "Issue";
-    const trimmedTitle = title?.trim();
-    const fallbackName = `${label}: ${match.url}`;
-    const desiredName = trimmedTitle ? `${label}: ${trimmedTitle} (${match.url})` : fallbackName;
-    const currentName = pi.getSessionName()?.trim();
-    if (!currentName) {
-      pi.setSessionName(desiredName);
-      return;
-    }
-    if (currentName === match.url || currentName === fallbackName) {
-      pi.setSessionName(desiredName);
-    }
-  };
-
-  const renderPromptMatch = (ctx: ExtensionContext, match: PromptMatch) => {
-    setWidget(ctx, match);
-    applySessionName(ctx, match);
-    void fetchGhMetadata(pi, match.kind, match.url).then((meta) => {
-      const title = meta?.title?.trim();
-      const authorText = formatAuthor(meta?.author);
-      setWidget(ctx, match, title, authorText);
-      applySessionName(ctx, match, title);
-    });
-  };
-
-  pi.on("before_agent_start", async (event, ctx) => {
-    if (!ctx.hasUI) {
-      return;
-    }
-    const match = extractPromptMatch(event.prompt);
-    if (!match) {
-      return;
-    }
-
-    renderPromptMatch(ctx, match);
-  });
-
-  pi.on("session_switch", async (_event, ctx) => {
-    rebuildFromSession(ctx);
-  });
-
-  const getUserText = (content: string | { type: string; text?: string }[] | undefined): string => {
-    if (!content) {
-      return "";
-    }
-    if (typeof content === "string") {
-      return content;
-    }
-    return (
-      content
-        .filter((block): block is { type: "text"; text: string } => block.type === "text")
-        .map((block) => block.text)
-        .join("\n") ?? ""
-    );
-  };
-
-  const rebuildFromSession = (ctx: ExtensionContext) => {
-    if (!ctx.hasUI) {
-      return;
-    }
-
-    const entries = ctx.sessionManager.getEntries();
-    const lastMatch = [...entries].toReversed().find((entry) => {
-      if (entry.type !== "message" || entry.message.role !== "user") {
-        return false;
-      }
-      const text = getUserText(entry.message.content);
-      return !!extractPromptMatch(text);
-    });
-
-    const content =
-      lastMatch?.type === "message" && lastMatch.message.role === "user"
-        ? lastMatch.message.content
-        : undefined;
-    const text = getUserText(content);
-    const match = text ? extractPromptMatch(text) : undefined;
-    if (!match) {
-      ctx.ui.setWidget("prompt-url", undefined);
-      return;
-    }
-
-    renderPromptMatch(ctx, match);
-  };
-
-  pi.on("session_start", async (_event, ctx) => {
-    rebuildFromSession(ctx);
-  });
-}

.pi/extensions/redraws.ts

@@ -1,26 +0,0 @@
-/**
- * Redraws Extension
- *
- * Exposes /tui to show TUI redraw stats.
- */
-
-import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
-import { Text } from "@mariozechner/pi-tui";
-
-export default function (pi: ExtensionAPI) {
-  pi.registerCommand("tui", {
-    description: "Show TUI stats",
-    handler: async (_args, ctx) => {
-      if (!ctx.hasUI) {
-        return;
-      }
-      let redraws = 0;
-      await ctx.ui.custom<void>((tui, _theme, _keybindings, done) => {
-        redraws = tui.fullRedraws;
-        done(undefined);
-        return new Text("", 0, 0);
-      });
-      ctx.ui.notify(`TUI full redraws: ${redraws}`, "info");
-    },
-  });
-}

.pi/extensions/ui/paged-select.ts

@@ -1,82 +0,0 @@
-import { DynamicBorder } from "@mariozechner/pi-coding-agent";
-import {
-  Container,
-  Key,
-  matchesKey,
-  type SelectItem,
-  SelectList,
-  Text,
-} from "@mariozechner/pi-tui";
-
-type CustomUiContext = {
-  ui: {
-    custom: <T>(
-      render: (
-        tui: { requestRender: () => void },
-        theme: {
-          fg: (tone: string, text: string) => string;
-          bold: (text: string) => string;
-        },
-        kb: unknown,
-        done: () => void,
-      ) => {
-        render: (width: number) => string;
-        invalidate: () => void;
-        handleInput: (data: string) => void;
-      },
-    ) => Promise<T>;
-  };
-};
-
-export async function showPagedSelectList(params: {
-  ctx: CustomUiContext;
-  title: string;
-  items: SelectItem[];
-  onSelect: (item: SelectItem) => void;
-}): Promise<void> {
-  await params.ctx.ui.custom<void>((tui, theme, _kb, done) => {
-    const container = new Container();
-
-    container.addChild(new DynamicBorder((s: string) => theme.fg("accent", s)));
-    container.addChild(new Text(theme.fg("accent", theme.bold(params.title)), 0, 0));
-
-    const visibleRows = Math.min(params.items.length, 15);
-    let currentIndex = 0;
-
-    const selectList = new SelectList(params.items, visibleRows, {
-      selectedPrefix: (text) => theme.fg("accent", text),
-      selectedText: (text) => text,
-      description: (text) => theme.fg("muted", text),
-      scrollInfo: (text) => theme.fg("dim", text),
-      noMatch: (text) => theme.fg("warning", text),
-    });
-    selectList.onSelect = (item) => params.onSelect(item);
-    selectList.onCancel = () => done();
-    selectList.onSelectionChange = (item) => {
-      currentIndex = params.items.indexOf(item);
-    };
-    container.addChild(selectList);
-
-    container.addChild(
-      new Text(theme.fg("dim", " ↑↓ navigate • ←→ page • enter open • esc close"), 0, 0),
-    );
-    container.addChild(new DynamicBorder((s: string) => theme.fg("accent", s)));
-
-    return {
-      render: (width) => container.render(width),
-      invalidate: () => container.invalidate(),
-      handleInput: (data) => {
-        if (matchesKey(data, Key.left)) {
-          currentIndex = Math.max(0, currentIndex - visibleRows);
-          selectList.setSelectedIndex(currentIndex);
-        } else if (matchesKey(data, Key.right)) {
-          currentIndex = Math.min(params.items.length - 1, currentIndex + visibleRows);
-          selectList.setSelectedIndex(currentIndex);
-        } else {
-          selectList.handleInput(data);
-        }
-        tui.requestRender();
-      },
-    };
-  });
-}

.pi/git/.gitignore

@@ -1,2 +0,0 @@
-*
-!.gitignore

.pi/prompts/cl.md

@@ -1,58 +0,0 @@
----
-description: Audit changelog entries before release
----
-
-Audit changelog entries for all commits since the last release.
-
-## Process
-
-1. **Find the last release tag:**
-
-   ```bash
-   git tag --sort=-version:refname | head -1
-   ```
-
-2. **List all commits since that tag:**
-
-   ```bash
-   git log <tag>..HEAD --oneline
-   ```
-
-3. **Read each package's [Unreleased] section:**
-   - packages/ai/CHANGELOG.md
-   - packages/tui/CHANGELOG.md
-   - packages/coding-agent/CHANGELOG.md
-
-4. **For each commit, check:**
-   - Skip: changelog updates, doc-only changes, release housekeeping
-   - Determine which package(s) the commit affects (use `git show <hash> --stat`)
-   - Verify a changelog entry exists in the affected package(s)
-   - For external contributions (PRs), verify format: `Description ([#N](url) by [@user](url))`
-
-5. **Cross-package duplication rule:**
-   Changes in `ai`, `agent` or `tui` that affect end users should be duplicated to `coding-agent` changelog, since coding-agent is the user-facing package that depends on them.
-
-6. **Add New Features section after changelog fixes:**
-   - Insert a `### New Features` section at the start of `## [Unreleased]` in `packages/coding-agent/CHANGELOG.md`.
-   - Propose the top new features to the user for confirmation before writing them.
-   - Link to relevant docs and sections whenever possible.
-
-7. **Report:**
-   - List commits with missing entries
-   - List entries that need cross-package duplication
-   - Add any missing entries directly
-
-## Changelog Format Reference
-
-Sections (in order):
-
-- `### Breaking Changes` - API changes requiring migration
-- `### Added` - New features
-- `### Changed` - Changes to existing functionality
-- `### Fixed` - Bug fixes
-- `### Removed` - Removed features
-
-Attribution:
-
-- Internal: `Fixed foo ([#123](https://github.com/badlogic/pi-mono/issues/123))`
-- External: `Added bar ([#456](https://github.com/badlogic/pi-mono/pull/456) by [@user](https://github.com/user))`

.pi/prompts/is.md

@@ -1,22 +0,0 @@
----
-description: Analyze GitHub issues (bugs or feature requests)
----
-
-Analyze GitHub issue(s): $ARGUMENTS
-
-For each issue:
-
-1. Read the issue in full, including all comments and linked issues/PRs.
-
-2. **For bugs**:
-   - Ignore any root cause analysis in the issue (likely wrong)
-   - Read all related code files in full (no truncation)
-   - Trace the code path and identify the actual root cause
-   - Propose a fix
-
-3. **For feature requests**:
-   - Read all related code files in full (no truncation)
-   - Propose the most concise implementation approach
-   - List affected files and changes needed
-
-Do NOT implement unless explicitly asked. Analyze and propose only.