Guide Codex Computer Use setup during onboarding

Merged via squash.

Prepared head SHA: d8ad8d89b7
Reviewed-by: @sallyom

.agents/skills/openclaw-pre-release-plugin-testing/SKILL.md

@@ -0,0 +1,234 @@
+---
+name: openclaw-pre-release-plugin-testing
+description: Plan and run pre-release OpenClaw plugin validation across bundled plugins, package artifacts, lifecycle commands, doctor/fix, config round-trip, gateway startup, SDK compatibility, Docker E2E, Package Acceptance, and Testbox proof.
+---
+
+# OpenClaw Pre-Release Plugin Testing
+
+Use this skill when the user asks for plugin release confidence, plugin lifecycle
+sweeps, package-artifact plugin proof, or "what else should we test before
+release?" It complements `openclaw-testing`; use that skill too when choosing
+the cheapest safe runner or debugging a failing lane.
+
+## Goal
+
+Prove the plugin system as a product surface, not just as source tests:
+
+- bundled plugin lifecycle: install, inspect, enable, disable, uninstall
+- package artifact behavior from a clean `HOME`
+- doctor/fix/config validation and idempotence
+- config discovery and config round-trip
+- status/log visibility and diagnostics
+- gateway startup/bootstrap with plugin metadata snapshots
+- public SDK compatibility for real external plugins
+- live-ish provider/channel probes only when safe credentials exist
+
+## First Checks
+
+From the OpenClaw repo root:
+
+```bash
+pnpm docs:list
+git status --short --branch
+readlink node_modules
+pnpm changed:lanes --json
+```
+
+In Codex worktrees under `.codex/worktrees`, `node_modules` must be a symlink to
+the main OpenClaw checkout. Do not run `pnpm install` there. For broad or
+package-heavy proof, use Blacksmith Testbox or GitHub Actions.
+
+## Runner Choice
+
+Prefer this order:
+
+1. **GitHub Package Acceptance** for installable-package product proof.
+2. **`ci-build-artifacts-testbox.yml` Testbox** when Docker/package lanes need
+   seeded `dist`, `dist-runtime`, and package caches.
+3. **`ci-check-testbox.yml` Testbox** for source checks, targeted Vitest,
+   package-boundary checks, or focused Docker lanes.
+4. **Local targeted commands only** for small format/static/unit probes.
+
+Avoid long package Docker runs from a stale sparse worktree. If Testbox sync
+reports hundreds of changed files or starts deleting package inputs, stop and
+warm a fresh box from current `main`, or switch to Package Acceptance.
+
+## Existing Baseline
+
+Run or verify these before inventing new coverage:
+
+```bash
+OPENCLAW_TESTBOX=1 pnpm check:changed
+pnpm run test:extensions:package-boundary:canary
+pnpm run test:extensions:package-boundary:compile
+pnpm test:docker:plugins
+OPENCLAW_PLUGINS_E2E_CLAWHUB=0 pnpm test:docker:plugins
+pnpm test:docker:plugin-update
+pnpm test:docker:bundled-channel-deps:fast
+```
+
+For full bundled install/uninstall proof, shard the packaged sweep:
+
+```bash
+OPENCLAW_BUNDLED_PLUGIN_SWEEP_TOTAL=8 \
+OPENCLAW_BUNDLED_PLUGIN_SWEEP_INDEX=<0-7> \
+pnpm test:docker:bundled-plugin-install-uninstall
+```
+
+Expected current packaged scope: 116 public bundled plugins over shards `0-7`.
+Private QA plugins are source-mode only unless a package explicitly includes
+them.
+
+## Confidence Matrix
+
+Use this matrix for pre-release signoff. Record pass/fail, run URL/Testbox ID,
+package SHA/version, and skipped-live reason.
+
+| Surface | Proof | Preferred runner |
+| --- | --- | --- |
+| Package artifact | Package Acceptance `suite_profile=package` or custom lanes | GitHub Actions |
+| Bundled lifecycle | 8-shard `test:docker:bundled-plugin-install-uninstall` | Testbox or release Docker |
+| External plugins | `test:docker:plugins` and `plugins-offline` | Testbox/package acceptance |
+| Update no-op | `test:docker:plugin-update` | Testbox/package acceptance |
+| Channel runtime deps | `test:docker:bundled-channel-deps:fast` plus key channels | Testbox/package acceptance |
+| Doctor/fix | seeded bad configs + `doctor --fix --non-interactive` | new Docker/Testbox harness |
+| Config round-trip | `config set/get`, inspect, doctor, reload, diff hash | new Docker/Testbox harness |
+| Gateway bootstrap | clean `HOME`, plugin groups enabled/disabled, status JSON | new Docker/Testbox harness |
+| SDK compatibility | directory, tgz, and `file:` external plugins using SDK subpaths | `test:docker:plugins` plus new smoke |
+| Live-ish | redacted provider/channel probes only for present env | Testbox live lanes |
+
+## Package Acceptance Plan
+
+Use this when validating a release branch, beta, or candidate package:
+
+```bash
+gh workflow run package-acceptance.yml \
+  --repo openclaw/openclaw \
+  --ref main \
+  -f workflow_ref=main \
+  -f source=ref \
+  -f package_ref=<branch-or-sha> \
+  -f suite_profile=custom \
+  -f docker_lanes='plugins-offline plugin-update bundled-channel-deps-compat doctor-switch update-channel-switch config-reload mcp-channels npm-onboard-channel-agent' \
+  -f telegram_mode=mock-openai
+```
+
+Use `source=npm -f package_spec=openclaw@beta` for published beta proof. Keep
+`workflow_ref` as trusted current harness code unless the release process says
+otherwise.
+
+## New Testbox Harness Plan
+
+If more certainty is needed, add or run a `plugin-lifecycle-matrix` Docker lane
+that uses one package tarball and sharded plugin lists. Per plugin:
+
+1. Start with a clean `HOME`.
+2. Capture `plugins list --json`.
+3. `plugins install <id>`.
+4. `plugins inspect <id> --json`.
+5. `plugins disable <id>`, then assert disabled visibility.
+6. `plugins enable <id>`, except config-required plugins without config.
+7. `plugins registry --refresh`.
+8. `doctor --non-interactive`.
+9. `plugins uninstall <id> --force`.
+10. Assert no config entry, allow/deny residue, install record, managed dir, or
+    bundled `dist/extensions/...` load path remains.
+11. Assert diagnostics contain no `level: "error"` and output redacts
+    secret-looking values.
+
+Keep `memory-lancedb` special: it is config-required. First assert install does
+not enable it without embedding config, then run a second configured case.
+
+## Doctor/Fix Matrix
+
+Seed bad states and require `doctor --fix --non-interactive` to repair them,
+then run doctor again and require idempotence:
+
+- stale `plugins.allow`
+- stale `plugins.entries`
+- stale channel config for missing channel plugin
+- invalid `plugins.entries.<id>.config`
+- packaged bundled path in `plugins.load.paths`
+- legacy `plugins.installs`
+- disabled channel/plugin config that must not stage runtime deps
+- root-owned global package tree that must remain unmodified
+
+## Gateway Bootstrap Matrix
+
+Start packaged OpenClaw in Docker with clean state:
+
+- provider plugins enabled, no credentials: ready with warnings, no crash
+- channel plugins configured disabled: no runtime deps staged
+- startup-activation plugins enabled: ready and reflected in status
+- invalid single plugin config: bad plugin skipped/quarantined, others remain
+
+Assert:
+
+- gateway reaches ready
+- `openclaw status --json` includes plugin diagnostics
+- `openclaw plugins inspect --all --json` is parseable
+- package tree is not mutated
+- logs contain no raw tokens
+
+## Config Round-Trip Representatives
+
+Use representative plugin families instead of every plugin for deep config
+round-trip:
+
+- providers: `openai`, `anthropic`, `mistral`, `openrouter`
+- channels: `telegram`, `discord`, `slack`, `whatsapp`
+- memory: `memory-lancedb`
+- feature/runtime: `browser`, `acpx`, `tokenjuice`
+
+For each representative:
+
+1. Write config through CLI when possible.
+2. Read it back through `config get` or JSON.
+3. Run `plugins inspect`.
+4. Run `doctor --non-interactive`.
+5. Trigger gateway config reload if applicable.
+6. Compare config hash before/after no-op commands.
+
+## External SDK Smoke
+
+In a package Docker lane, create tiny external plugins and install them from:
+
+- local directory
+- `.tgz`
+- `file:` npm spec
+
+Cover CJS and ESM shapes, plus at least one plugin importing focused
+`openclaw/plugin-sdk/*` subpaths. Assert `plugins inspect` sees its tool,
+gateway method, CLI command, or service.
+
+## Live-Ish Probe Rules
+
+Before live-ish work, source allowed env in Testbox and generate a redacted
+availability matrix: present/missing only, never values.
+
+Only run probes for credentials that exist. Prefer auth/catalog/status probes
+over sending user-visible messages. If a probe might contact an external user,
+channel, or workspace, stop and ask the user.
+
+## Reporting
+
+Report in this shape:
+
+```text
+package/ref:
+tbx ids / run urls:
+matrix:
+  bundled lifecycle:
+  package acceptance:
+  doctor/fix:
+  gateway bootstrap:
+  config round-trip:
+  sdk external:
+  live-ish:
+failures:
+skips:
+next highest-value gap:
+```
+
+Say clearly when a failure is Testbox sync/env damage rather than product
+behavior, and prove that with a clean rerun or current-main comparison.

.agents/skills/openclaw-pre-release-plugin-testing/agents/openai.yaml

@@ -0,0 +1,4 @@
+interface:
+  display_name: "OpenClaw Plugin Pre-Release Testing"
+  short_description: "Plan plugin release validation"
+  default_prompt: "Use $openclaw-pre-release-plugin-testing to plan or run pre-release OpenClaw plugin validation across package, lifecycle, doctor, gateway, SDK, and live-ish proof."

.agents/skills/openclaw-test-performance/SKILL.md

@@ -1,12 +1,13 @@
 ---
 name: openclaw-test-performance
-description: Benchmark, diagnose, and optimize OpenClaw test runtime, import hotspots, CPU/RSS, and slow coverage paths.
+description: Benchmark, diagnose, and optimize OpenClaw test and plugin-suite runtime, import hotspots, CPU/RSS, heap growth, and slow coverage paths.
 ---
 
 # OpenClaw Test Performance
 
-Use evidence first. The goal is real `pnpm test` speed/RSS improvement with
-coverage intact, not runner tuning by guesswork.
+Use evidence first. The goal is real `pnpm test`, plugin-suite, and
+plugin-inspector speed/RSS improvement with coverage intact, not runner tuning by
+guesswork.
 
 ## Workflow
 
@@ -21,6 +22,9 @@ coverage intact, not runner tuning by guesswork.
 2. Establish a baseline before changing code:
    - Prefer `pnpm test:perf:groups --full-suite --allow-failures --output <file>`
      for full-suite ranking.
+   - For bundled plugin breadth, run the smallest relevant `pnpm
+test:extensions:batch <plugin[,plugin...]>` or plugin-inspector command
+     before jumping to the full extension sweep.
    - For a scoped hotspot use:
      `/usr/bin/time -l pnpm test <file-or-files> --maxWorkers=1 --reporter=verbose`
    - For import-heavy suspicion add:
@@ -33,6 +37,8 @@ coverage intact, not runner tuning by guesswork.
      passed, capture that as harness/noise and verify the suspect file directly.
 4. Pick the next attack by return and risk:
    - High return: one file/test dominates seconds or RSS and has a clear root.
+   - High leverage: one plugin or SDK barrel causes every plugin-inspector or
+     extension-batch run to load broad runtime.
    - Lower risk: static descriptors, target parsing, routing, auth bypass,
      setup hints, registry fixtures, or test server lifecycle.
    - Higher risk: real memory/runtime behavior, live providers, protocol
@@ -44,6 +50,8 @@ coverage intact, not runner tuning by guesswork.
      and pure helpers over broad mocks.
    - Reuse suite-level servers/clients when a fresh handshake is irrelevant.
    - Keep schedulers/background loops off unless the test proves scheduling.
+   - In plugin paths, move static metadata into manifest/lightweight artifacts
+     and keep runtime plugin loads behind explicit execution boundaries.
 6. Preserve coverage shape:
    - Do not delete a slow integration proof unless the exact production
      composition is extracted into a named helper and tested.
@@ -57,6 +65,90 @@ coverage intact, not runner tuning by guesswork.
 9. Commit with `scripts/committer "<message>" <paths...>` and push when the
    user asked for commits/pushes. Stage only files touched for this attack.
 
+## Plugin-Suite Workflow
+
+Use this section when perf work involves bundled plugins, plugin-inspector, SDK
+barrels, package-boundary tests, or extension suites.
+
+1. Map the suite shape first:
+   - source tests: `pnpm test extensions/<id>` or `pnpm test:extensions:batch <id>`
+   - package boundaries: `pnpm run test:extensions:package-boundary:canary` and
+     `pnpm run test:extensions:package-boundary:compile`
+   - all bundled source tests: `pnpm test:extensions`
+   - plugin import memory: `pnpm test:extensions:memory -- --json .artifacts/test-perf/extensions-memory.json`
+   - plugin-inspector/report work: keep report primitives in `plugin-inspector`;
+     keep wrappers thin and collect peak RSS when the command supports it.
+2. Start narrow, then widen:
+   - one plugin changed: run that plugin's tests and plugin-inspector slice.
+   - SDK/public barrel changed: add representative provider, channel, memory,
+     and feature plugins.
+   - loader/runtime mirror changed: add package-boundary checks and build/package
+     proof as needed.
+   - unknown shared plugin behavior: run `test:extensions:batch` groups before
+     `pnpm test:extensions`.
+3. Treat plugin-inspector failures as product signals:
+   - JSON must parse.
+   - warnings/errors must be classified, not hidden.
+   - runtime capture should be quiet and config-tolerant.
+   - command output should include wall time, exit code, and peak RSS when
+     available.
+4. For broad or package-heavy plugin proof, use Blacksmith Testbox by default on
+   maintainer machines. Warm once and reuse the same box:
+   - `blacksmith testbox warmup ci-check-testbox.yml --ref main --idle-timeout 90`
+   - `blacksmith testbox run --id <ID> "OPENCLAW_TESTBOX=1 pnpm test:extensions:batch <ids>"`
+   - stop the box when done.
+5. If plugin performance is package-artifact sensitive, switch to
+   `openclaw-pre-release-plugin-testing` and Package Acceptance rather than
+   trusting source-only timing.
+
+## Metric Collection
+
+Collect at least one stable metric before and after. Prefer the same machine and
+same command. For Testbox comparisons, use the same `tbx_...` id when possible.
+
+| Metric          | Use for                            | Preferred source                                                            |
+| --------------- | ---------------------------------- | --------------------------------------------------------------------------- |
+| wall time       | user-visible suite cost            | `/usr/bin/time -l`, test wrapper duration, Testbox run time                 |
+| Vitest duration | test body/import cost              | Vitest output per file/shard                                                |
+| import duration | broad barrel/runtime loads         | `OPENCLAW_VITEST_IMPORT_DURATIONS=1`                                        |
+| max RSS         | memory pressure and OOM risk       | `/usr/bin/time -l`, `pnpm test:extensions:memory`, wrapper memory summaries |
+| CPU/user/sys    | CPU-bound vs wait-bound split      | `/usr/bin/time -l` locally, Testbox job timing when local CPU is noisy      |
+| heap snapshots  | real leak vs retained module graph | `openclaw-test-heap-leaks` workflow                                         |
+
+Local scoped command with CPU/RSS:
+
+```bash
+timeout 240 /usr/bin/time -l pnpm test <file> --maxWorkers=1 --reporter=verbose
+```
+
+Plugin import memory profile:
+
+```bash
+pnpm build
+pnpm test:extensions:memory -- --top 20 --json .artifacts/test-perf/extensions-memory.json
+```
+
+Targeted plugin import memory:
+
+```bash
+pnpm test:extensions:memory -- --extension discord --extension telegram --skip-combined
+```
+
+Heap/RSS escalation:
+
+```bash
+OPENCLAW_TEST_MEMORY_TRACE=1 \
+OPENCLAW_TEST_HEAPSNAPSHOT_INTERVAL_MS=60000 \
+OPENCLAW_TEST_HEAPSNAPSHOT_DIR=.tmp/heapsnap \
+OPENCLAW_TEST_WORKERS=2 \
+OPENCLAW_TEST_MAX_OLD_SPACE_SIZE_MB=6144 \
+pnpm test
+```
+
+Use `openclaw-test-heap-leaks` when RSS keeps growing across intervals, workers
+OOM, or the suspect command has app-object retention. Do not call RSS growth a
+leak until snapshots or retainers support it.
+
 ## Common Root Causes
 
 - Full bundled channel/plugin runtime loaded for static data.
@@ -64,6 +156,12 @@ coverage intact, not runner tuning by guesswork.
   parser would suffice.
 - Broad `api.ts`, `runtime-api.ts`, `test-api.ts`, or plugin-sdk barrels pulled
   into hot tests.
+- SDK root aliases or package barrels pulling focused subpaths back into a broad
+  plugin graph.
+- Plugin-inspector loading runtime code just to render metadata, reports, or CI
+  policy scores.
+- Bundled plugin capture reusing real config/home state instead of synthetic,
+  redacted, isolated state.
 - Partial-real mocks using `importActual()` around broad modules.
 - `vi.resetModules()` plus fresh imports in per-test loops.
 - Test plugin registry seeded in `beforeAll` while runtime state resets in
@@ -72,6 +170,10 @@ coverage intact, not runner tuning by guesswork.
 - Runtime/default model/auth selection paid by idle snapshots or fixtures.
 - Plugin-owned media/action discovery triggered before checking whether args
   contain plugin-owned fields.
+- Timings missing from `test/fixtures/test-timings.unit.json`, causing hotspot
+  files to stay in shared workers.
+- Parallel Vitest runs sharing `node_modules/.experimental-vitest-cache` without
+  distinct `OPENCLAW_VITEST_FS_MODULE_CACHE_PATH` values.
 
 ## Benchmark Commands
 
@@ -97,6 +199,25 @@ pnpm test:perf:groups --full-suite --allow-failures \
   --output .artifacts/test-perf/<name>.json
 ```
 
+Extension batch:
+
+```bash
+pnpm test:extensions:batch <plugin[,plugin...]> -- --reporter=verbose
+```
+
+All extension tests:
+
+```bash
+pnpm test:extensions
+```
+
+Package-boundary plugin checks:
+
+```bash
+pnpm run test:extensions:package-boundary:canary
+pnpm run test:extensions:package-boundary:compile
+```
+
 Reuse an existing Vitest JSON report:
 
 ```bash
@@ -107,19 +228,26 @@ pnpm test:perf:groups --report <vitest-json> \
 ## Verification
 
 - Always run the targeted test surface that proves the change.
-- Run `pnpm check` before commit unless the change is docs-only and the hook
-  handles it.
+- For source changes, run `pnpm check:changed` before push; in maintainer
+  Testbox mode run it in the warmed Testbox.
+- For test-only changes, run `pnpm test:changed` or the exact edited tests.
 - Run `pnpm build` when touching lazy-loading, bundled artifacts, package
   boundaries, dynamic imports, build output, or public surfaces.
+- For plugin SDK/barrel/runtime changes, add `pnpm plugin-sdk:api:check` or
+  `pnpm plugin-sdk:api:gen` when the API surface may drift.
+- For plugin-suite perf fixes, verify at least one representative plugin batch
+  plus the changed gate; use Package Acceptance if the bug only exists in a
+  packed artifact.
 - If deps are missing/stale, run `pnpm install` and retry the exact failed
   command once.
 - Use the report format:
 
 ```markdown
-| Metric         | Before | After |          Gain |
-| -------------- | -----: | ----: | ------------: |
-| File wall time |   `Xs` |  `Ys` |  `-Zs` (`P%`) |
-| Max RSS        |  `XMB` | `YMB` | `-ZMB` (`P%`) |
+| Metric         | Before |  After |          Gain |
+| -------------- | -----: | -----: | ------------: |
+| File wall time |   `Xs` |   `Ys` |  `-Zs` (`P%`) |
+| Max RSS        |  `XMB` |  `YMB` | `-ZMB` (`P%`) |
+| CPU user/sys   | `X/Ys` | `A/Bs` |       explain |
 ```
 
 ## Handoff
@@ -127,8 +255,12 @@ pnpm test:perf:groups --report <vitest-json> \
 Keep the final concise:
 
 - Root cause.
+- Suite/plugin scope.
 - Files changed.
-- Before/after numbers.
+- Before/after wall, Vitest/import, CPU, and RSS numbers where available.
+- Leak classification if memory was involved: real leak, retained module graph,
+  or inconclusive.
 - Coverage retained.
 - Verification commands.
+- Testbox ID or workflow URL for remote proof.
 - Commit hash and push status.

.agents/skills/openclaw-test-performance/agents/openai.yaml

@@ -1,6 +1,6 @@
 interface:
   display_name: "OpenClaw Test Performance"
-  short_description: "Benchmark and fix slow OpenClaw tests"
-  default_prompt: "Use $openclaw-test-performance to reassess the OpenClaw test benchmark, identify the next real hotspot, fix it without losing coverage, update the report, and commit scoped changes."
+  short_description: "Benchmark tests, plugin suites, CPU, RSS, and heap growth"
+  default_prompt: "Use $openclaw-test-performance to reassess OpenClaw test and plugin-suite performance, collect wall/import/CPU/RSS metrics, investigate memory growth when needed, fix the next real hotspot without losing coverage, update the report, and commit scoped changes."
 policy:
   allow_implicit_invocation: false

.github/CODEOWNERS

@@ -9,6 +9,7 @@
 /.github/dependabot.yml @openclaw/secops
 /.github/codeql/ @openclaw/secops
 /.github/workflows/codeql.yml @openclaw/secops
+/.github/workflows/codeql-android-critical-security.yml @openclaw/secops
 /.github/workflows/codeql-critical-quality.yml @openclaw/secops
 /src/security/ @openclaw/secops
 /src/secrets/ @openclaw/secops

.github/codeql/codeql-agent-runtime-boundary-critical-quality.yml

@@ -0,0 +1,53 @@
+name: openclaw-codeql-agent-runtime-boundary-critical-quality
+
+disable-default-queries: true
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - include:
+      problem.severity:
+        - error
+  - exclude:
+      tags:
+        - security
+
+paths:
+  - src/acp/control-plane
+  - src/agents/command
+  - src/agents/cli-runner
+  - src/agents/pi-embedded-runner
+  - src/agents/tools
+  - src/agents/*completion*.ts
+  - src/agents/*transport*.ts
+  - src/agents/model-*.ts
+  - src/agents/openclaw-tools*.ts
+  - src/agents/provider-*.ts
+  - src/agents/session*.ts
+  - src/agents/tool-call*.ts
+  - src/auto-reply/reply/agent-runner*.ts
+  - src/auto-reply/reply/commands*.ts
+  - src/auto-reply/reply/directive-handling*.ts
+  - src/auto-reply/reply/dispatch-*.ts
+  - src/auto-reply/reply/get-reply-run*.ts
+  - src/auto-reply/reply/provider-dispatcher*.ts
+  - src/auto-reply/reply/queue*.ts
+  - src/auto-reply/reply/reply-run-registry*.ts
+  - src/auto-reply/reply/session*.ts
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/codeql/codeql-channel-runtime-boundary-critical-quality.yml

@@ -0,0 +1,33 @@
+name: openclaw-codeql-channel-runtime-boundary-critical-quality
+
+disable-default-queries: true
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - include:
+      problem.severity:
+        - error
+  - exclude:
+      tags:
+        - security
+
+paths:
+  - src/channels
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/codeql/codeql-channel-runtime-boundary-critical-security.yml

@@ -0,0 +1,50 @@
+name: openclaw-codeql-channel-runtime-boundary-critical-security
+
+disable-default-queries: true
+
+queries:
+  - uses: security-extended
+
+query-filters:
+  - include:
+      precision:
+        - high
+        - very-high
+  - exclude:
+      problem.severity:
+        - recommendation
+        - warning
+
+paths:
+  - src/channels
+  - src/config/channel-*.ts
+  - src/config/types.channel*.ts
+  - src/gateway/server-channel*.ts
+  - src/gateway/server-methods/channels.ts
+  - src/gateway/protocol/schema/channels.ts
+  - src/infra/channel-*.ts
+  - src/infra/exec-approval-channel-runtime.ts
+  - src/infra/outbound/channel-*.ts
+  - src/plugin-sdk/channel-*.ts
+  - src/plugins/channel-*.ts
+  - src/plugins/bundled-channel-*.ts
+  - src/plugins/runtime/*channel*.ts
+  - src/secrets/channel-*.ts
+  - src/secrets/runtime-config-collectors-channels.ts
+  - src/security/audit-channel*.ts
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/codeql/codeql-config-boundary-critical-quality.yml

@@ -0,0 +1,33 @@
+name: openclaw-codeql-config-boundary-critical-quality
+
+disable-default-queries: true
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - include:
+      problem.severity:
+        - error
+  - exclude:
+      tags:
+        - security
+
+paths:
+  - src/config
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/codeql/codeql-gateway-runtime-boundary-critical-quality.yml

@@ -0,0 +1,34 @@
+name: openclaw-codeql-gateway-runtime-boundary-critical-quality
+
+disable-default-queries: true
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - include:
+      problem.severity:
+        - error
+  - exclude:
+      tags:
+        - security
+
+paths:
+  - src/gateway/protocol
+  - src/gateway/server-methods
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/codeql/codeql-javascript-typescript-critical-quality.yml

@@ -22,7 +22,6 @@ paths:
   - src/agents/sandbox
   - src/agents/sandbox.ts
   - src/agents/sandbox-*.ts
-  - src/config
   - src/cron/service/jobs.ts
   - src/cron/stagger.ts
   - src/gateway/*auth*.ts

.github/codeql/codeql-plugin-boundary-critical-quality.yml

@@ -0,0 +1,76 @@
+name: openclaw-codeql-plugin-boundary-critical-quality
+
+disable-default-queries: true
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - include:
+      problem.severity:
+        - error
+  - exclude:
+      tags:
+        - security
+
+paths:
+  - src/plugins/activation-planner.ts
+  - src/plugins/api-builder.ts
+  - src/plugins/bundled-compat.ts
+  - src/plugins/bundled-dir.ts
+  - src/plugins/bundled-plugin-metadata.ts
+  - src/plugins/bundled-public-surface-runtime-root.ts
+  - src/plugins/bundled-runtime-deps.ts
+  - src/plugins/bundled-runtime-root.ts
+  - src/plugins/captured-registration.ts
+  - src/plugins/config-activation-shared.ts
+  - src/plugins/config-contracts.ts
+  - src/plugins/config-normalization-shared.ts
+  - src/plugins/config-policy.ts
+  - src/plugins/config-schema.ts
+  - src/plugins/config-state.ts
+  - src/plugins/discovery.ts
+  - src/plugins/effective-plugin-ids.ts
+  - src/plugins/externalized-bundled-plugins.ts
+  - src/plugins/installed-plugin-index*.ts
+  - src/plugins/loader*.ts
+  - src/plugins/manifest*.ts
+  - src/plugins/module-export.ts
+  - src/plugins/package-entrypoints.ts
+  - src/plugins/plugin-registry*.ts
+  - src/plugins/provider-contract-public-artifacts.ts
+  - src/plugins/provider-public-artifacts.ts
+  - src/plugins/public-surface*.ts
+  - src/plugins/registry.ts
+  - src/plugins/registry-types.ts
+  - src/plugins/runtime
+  - src/plugins/runtime-state.ts
+  - src/plugins/runtime.ts
+  - src/plugins/sdk-alias.ts
+  - src/plugins/source-loader.ts
+  - src/plugins/types.ts
+  - src/plugins/validation-diagnostics.ts
+  - src/plugins/web-provider-public-artifacts*.ts
+  - src/plugin-sdk/*entry*.ts
+  - src/plugin-sdk/*facade*.ts
+  - src/plugin-sdk/api-baseline.ts
+  - src/plugin-sdk/config-schema.ts
+  - src/plugin-sdk/config-types.ts
+  - src/plugin-sdk/core.ts
+  - src/plugin-sdk/extension-shared.ts
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"

.github/workflows/ci-build-artifacts-testbox.yml

@@ -26,7 +26,7 @@ jobs:
     timeout-minutes: 35
     steps:
       - name: Begin Testbox
-        uses: useblacksmith/begin-testbox@v2
+        uses: useblacksmith/begin-testbox@d0e04585c26905fdd92c94a09c159544c7ee1b67
         with:
           testbox_id: ${{ inputs.testbox_id }}
 
@@ -218,7 +218,7 @@ jobs:
         run: bash scripts/ci-hydrate-testbox-env.sh
 
       - name: Run Testbox
-        uses: useblacksmith/run-testbox@v2
+        uses: useblacksmith/run-testbox@5ca05834db1d3813554d1dd109e5f2087a8d7cbc
         if: always()
         env:
           FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

.github/workflows/ci-check-testbox.yml

@@ -25,7 +25,7 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Begin Testbox
-        uses: useblacksmith/begin-testbox@v2
+        uses: useblacksmith/begin-testbox@d0e04585c26905fdd92c94a09c159544c7ee1b67
         with:
           testbox_id: ${{ inputs.testbox_id }}
       - name: Checkout
@@ -121,7 +121,7 @@ jobs:
         run: bash scripts/ci-hydrate-testbox-env.sh
 
       - name: Run Testbox
-        uses: useblacksmith/run-testbox@v2
+        uses: useblacksmith/run-testbox@5ca05834db1d3813554d1dd109e5f2087a8d7cbc
         if: always()
         env:
           FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

.github/workflows/ci.yml

@@ -36,7 +36,7 @@ jobs:
     runs-on: ubuntu-24.04
     timeout-minutes: 20
     outputs:
-      checkout_sha: ${{ steps.checkout_ref.outputs.sha }}
+      checkout_revision: ${{ steps.checkout_ref.outputs.sha }}
       docs_only: ${{ steps.manifest.outputs.docs_only }}
       docs_changed: ${{ steps.manifest.outputs.docs_changed }}
       run_node: ${{ steps.manifest.outputs.run_node }}
@@ -59,6 +59,10 @@ jobs:
       checks_node_core_dist_matrix: ${{ steps.manifest.outputs.checks_node_core_dist_matrix }}
       run_check: ${{ steps.manifest.outputs.run_check }}
       run_check_additional: ${{ steps.manifest.outputs.run_check_additional }}
+      run_plugin_prerelease_suite: ${{ steps.manifest.outputs.run_plugin_prerelease_suite }}
+      plugin_prerelease_ref: ${{ steps.manifest.outputs.plugin_prerelease_ref }}
+      plugin_prerelease_static_matrix: ${{ steps.manifest.outputs.plugin_prerelease_static_matrix }}
+      plugin_prerelease_docker_lanes: ${{ steps.manifest.outputs.plugin_prerelease_docker_lanes }}
       run_build_smoke: ${{ steps.manifest.outputs.run_build_smoke }}
       run_check_docs: ${{ steps.manifest.outputs.run_check_docs }}
       run_control_ui_i18n: ${{ steps.manifest.outputs.run_control_ui_i18n }}
@@ -124,6 +128,10 @@ jobs:
           OPENCLAW_CI_RUN_NODE_FAST_CI_ROUTING: ${{ github.event_name == 'workflow_dispatch' && 'false' || steps.changed_scope.outputs.run_node_fast_ci_routing || 'false' }}
           OPENCLAW_CI_RUN_SKILLS_PYTHON: ${{ github.event_name == 'workflow_dispatch' && 'true' || steps.changed_scope.outputs.run_skills_python || 'false' }}
           OPENCLAW_CI_RUN_CONTROL_UI_I18N: ${{ github.event_name == 'workflow_dispatch' && 'true' || steps.changed_scope.outputs.run_control_ui_i18n || 'false' }}
+          OPENCLAW_CI_CHECKOUT_REVISION: ${{ steps.checkout_ref.outputs.sha }}
+          OPENCLAW_CI_EVENT_NAME: ${{ github.event_name }}
+          OPENCLAW_CI_PR_HEAD_REPOSITORY: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
+          OPENCLAW_CI_PR_HEAD_SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }}
           OPENCLAW_CI_REPOSITORY: ${{ github.repository }}
         run: |
           node --input-type=module <<'EOF'
@@ -131,6 +139,9 @@ jobs:
           import {
             createNodeTestShards,
           } from "./scripts/lib/ci-node-test-plan.mjs";
+          import {
+            assertPluginPrereleaseTestPlanComplete,
+          } from "./scripts/lib/plugin-prerelease-test-plan.mjs";
           import {
             createChannelContractTestShards,
           } from "./scripts/lib/channel-contract-test-plan.mjs";
@@ -173,6 +184,16 @@ jobs:
           const runSkillsPython = parseBoolean(process.env.OPENCLAW_CI_RUN_SKILLS_PYTHON) && !docsOnly;
           const runControlUiI18n =
             parseBoolean(process.env.OPENCLAW_CI_RUN_CONTROL_UI_I18N) && !docsOnly;
+          const pluginPrereleasePlan = assertPluginPrereleaseTestPlanComplete();
+          const trustedPluginPrereleaseRef =
+            process.env.OPENCLAW_CI_EVENT_NAME !== "pull_request" ||
+            process.env.OPENCLAW_CI_PR_HEAD_REPOSITORY === process.env.OPENCLAW_CI_REPOSITORY;
+          const pluginPrereleaseRef =
+            process.env.OPENCLAW_CI_EVENT_NAME === "pull_request" && trustedPluginPrereleaseRef
+              ? process.env.OPENCLAW_CI_PR_HEAD_SHA
+              : process.env.OPENCLAW_CI_CHECKOUT_REVISION;
+          const runPluginPrereleaseSuite =
+            runNodeFull && isCanonicalRepository && trustedPluginPrereleaseRef;
           const extensionTestShardCount = isCanonicalRepository
             ? DEFAULT_EXTENSION_TEST_SHARD_COUNT
             : Math.max(DEFAULT_EXTENSION_TEST_SHARD_COUNT, 36);
@@ -264,6 +285,20 @@ jobs:
             checks_node_core_dist_matrix: createMatrix(nodeTestDistShards),
             run_check: runNodeFull,
             run_check_additional: runNodeFull,
+            run_plugin_prerelease_suite: runPluginPrereleaseSuite,
+            plugin_prerelease_ref: runPluginPrereleaseSuite ? pluginPrereleaseRef : "",
+            plugin_prerelease_static_matrix: createMatrix(
+              runPluginPrereleaseSuite
+                ? pluginPrereleasePlan.staticChecks.map((check) => ({
+                    check_name: check.checkName,
+                    command: check.command,
+                    task: check.check,
+                  }))
+                : [],
+            ),
+            plugin_prerelease_docker_lanes: runPluginPrereleaseSuite
+              ? pluginPrereleasePlan.dockerLanes.join(" ")
+              : "",
             run_build_smoke: runNodeFull,
             run_check_docs: docsChanged,
             run_control_ui_i18n: runControlUiI18n,
@@ -468,7 +503,7 @@ jobs:
         shell: bash
         env:
           CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }}
+          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
           CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
@@ -540,7 +575,7 @@ jobs:
           path: |
             dist/
             dist-runtime/
-          key: ${{ runner.os }}-dist-build-${{ needs.preflight.outputs.checkout_sha }}
+          key: ${{ runner.os }}-dist-build-${{ needs.preflight.outputs.checkout_revision }}
 
       - name: Pack built runtime artifacts
         run: tar --posix -cf dist-runtime-build.tar.zst --use-compress-program zstdmt dist dist-runtime
@@ -669,7 +704,7 @@ jobs:
         shell: bash
         env:
           CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }}
+          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
           CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
@@ -764,7 +799,7 @@ jobs:
         shell: bash
         env:
           CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }}
+          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
           CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
@@ -867,7 +902,7 @@ jobs:
         shell: bash
         env:
           CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }}
+          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
           CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
@@ -935,7 +970,7 @@ jobs:
         shell: bash
         env:
           CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }}
+          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
           CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
@@ -1055,7 +1090,7 @@ jobs:
         shell: bash
         env:
           CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }}
+          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
           CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
@@ -1135,7 +1170,7 @@ jobs:
         shell: bash
         env:
           CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }}
+          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
           CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
@@ -1322,7 +1357,7 @@ jobs:
         shell: bash
         env:
           CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }}
+          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
           CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
@@ -1454,7 +1489,7 @@ jobs:
         shell: bash
         env:
           CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }}
+          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
           CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
@@ -1621,6 +1656,91 @@ jobs:
             exit 1
           fi
 
+  plugin-prerelease-static-shard:
+    permissions:
+      contents: read
+    name: ${{ matrix.check_name }}
+    needs: [preflight]
+    if: needs.preflight.outputs.run_plugin_prerelease_suite == 'true'
+    runs-on: blacksmith-8vcpu-ubuntu-2404
+    timeout-minutes: 45
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.preflight.outputs.plugin_prerelease_static_matrix) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ needs.preflight.outputs.checkout_revision }}
+          fetch-depth: 1
+          fetch-tags: false
+          persist-credentials: false
+          submodules: false
+
+      - name: Setup Node environment
+        uses: ./.github/actions/setup-node-env
+        with:
+          install-bun: "false"
+
+      - name: Run plugin prerelease static shard
+        env:
+          PLUGIN_PRERELEASE_COMMAND: ${{ matrix.command }}
+          PLUGIN_PRERELEASE_TASK: ${{ matrix.task }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          echo "Running ${PLUGIN_PRERELEASE_TASK}: ${PLUGIN_PRERELEASE_COMMAND}"
+          bash -c "$PLUGIN_PRERELEASE_COMMAND"
+
+  plugin-prerelease-docker-suite:
+    name: plugin-prerelease-docker-suite
+    needs: [preflight]
+    if: needs.preflight.outputs.run_plugin_prerelease_suite == 'true'
+    permissions:
+      actions: read
+      contents: read
+      packages: write
+      pull-requests: read
+    uses: ./.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
+    with:
+      ref: ${{ needs.preflight.outputs.plugin_prerelease_ref }}
+      include_repo_e2e: false
+      include_release_path_suites: false
+      include_openwebui: false
+      docker_lanes: ${{ needs.preflight.outputs.plugin_prerelease_docker_lanes }}
+      include_live_suites: false
+      live_models_only: false
+
+  plugin-prerelease-suite:
+    permissions:
+      contents: read
+    name: plugin-prerelease-suite
+    needs: [preflight, plugin-prerelease-static-shard, plugin-prerelease-docker-suite]
+    if: ${{ !cancelled() && always() && needs.preflight.outputs.run_plugin_prerelease_suite == 'true' }}
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    steps:
+      - name: Verify plugin prerelease suite
+        env:
+          DOCKER_RESULT: ${{ needs.plugin-prerelease-docker-suite.result }}
+          STATIC_RESULT: ${{ needs.plugin-prerelease-static-shard.result }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          failed=0
+          for result in \
+            "plugin-prerelease-static=${STATIC_RESULT}" \
+            "plugin-prerelease-docker=${DOCKER_RESULT}"
+          do
+            name="${result%%=*}"
+            status="${result#*=}"
+            if [ "$status" != "success" ]; then
+              echo "::error::${name} ended with ${status}"
+              failed=1
+            fi
+          done
+          exit "$failed"
+
   build-smoke:
     permissions:
       contents: read
@@ -1652,7 +1772,7 @@ jobs:
         shell: bash
         env:
           CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }}
+          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
           CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
@@ -1715,7 +1835,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.preflight.outputs.checkout_sha }}
+          ref: ${{ needs.preflight.outputs.checkout_revision }}
           persist-credentials: false
           submodules: false
 
@@ -1758,7 +1878,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.preflight.outputs.checkout_sha }}
+          ref: ${{ needs.preflight.outputs.checkout_revision }}
           persist-credentials: false
           submodules: false
 
@@ -1863,7 +1983,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.preflight.outputs.checkout_sha }}
+          ref: ${{ needs.preflight.outputs.checkout_revision }}
           persist-credentials: false
           submodules: false
 
@@ -1904,7 +2024,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.preflight.outputs.checkout_sha }}
+          ref: ${{ needs.preflight.outputs.checkout_revision }}
           persist-credentials: false
           submodules: false
 
@@ -2005,7 +2125,7 @@ jobs:
         shell: bash
         env:
           CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }}
+          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
           CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail

.github/workflows/clawsweeper-dispatch.yml

@@ -9,18 +9,29 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: clawsweeper-dispatch-${{ github.repository }}-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: ${{ github.event.action == 'edited' || github.event.action == 'synchronize' || github.event.action == 'ready_for_review' }}
+
 jobs:
   dispatch:
     runs-on: ubuntu-latest
+    if: ${{ !(endsWith(github.actor, '[bot]') && (github.event.action == 'labeled' || github.event.action == 'unlabeled')) }}
     env:
       HAS_CLAWSWEEPER_APP_PRIVATE_KEY: ${{ secrets.CLAWSWEEPER_APP_PRIVATE_KEY != '' }}
+      CLAWSWEEPER_APP_CLIENT_ID: Iv23liOECG0slfuhz093
+      SUPERSEDES_IN_PROGRESS: ${{ (github.event.action == 'edited' || github.event.action == 'synchronize' || github.event.action == 'ready_for_review') && 'true' || 'false' }}
     steps:
+      - name: Debounce bursty metadata events
+        if: ${{ github.event.action == 'labeled' || github.event.action == 'unlabeled' }}
+        run: sleep 20
+
       - name: Create ClawSweeper dispatch token
         id: token
         if: ${{ env.HAS_CLAWSWEEPER_APP_PRIVATE_KEY == 'true' }}
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
-          app-id: 3306130
+          client-id: ${{ env.CLAWSWEEPER_APP_CLIENT_ID }}
           private-key: ${{ secrets.CLAWSWEEPER_APP_PRIVATE_KEY }}
           owner: openclaw
           repositories: clawsweeper
@@ -31,6 +42,8 @@ jobs:
           TARGET_REPO: ${{ github.repository }}
           ITEM_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}
           ITEM_KIND: ${{ github.event_name == 'pull_request_target' && 'pull_request' || 'issue' }}
+          SOURCE_EVENT: ${{ github.event_name }}
+          SOURCE_ACTION: ${{ github.event.action }}
         run: |
           if [ -z "$GH_TOKEN" ]; then
             echo "::notice::Skipping ClawSweeper dispatch because no dispatch credential is configured."
@@ -40,7 +53,10 @@ jobs:
             --arg target_repo "$TARGET_REPO" \
             --argjson item_number "$ITEM_NUMBER" \
             --arg item_kind "$ITEM_KIND" \
-            '{event_type:"clawsweeper_item",client_payload:{target_repo:$target_repo,item_number:$item_number,item_kind:$item_kind}}')"
+            --arg source_event "$SOURCE_EVENT" \
+            --arg source_action "$SOURCE_ACTION" \
+            --argjson supersedes_in_progress "$SUPERSEDES_IN_PROGRESS" \
+            '{event_type:"clawsweeper_item",client_payload:{target_repo:$target_repo,item_number:$item_number,item_kind:$item_kind,source_event:$source_event,source_action:$source_action,supersedes_in_progress:$supersedes_in_progress}}')"
           if gh api repos/openclaw/clawsweeper/dispatches \
             --method POST \
             --input - <<< "$payload"; then

.github/workflows/codeql-android-critical-security.yml

@@ -0,0 +1,51 @@
+name: CodeQL Android Critical Security
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 7 * * *"
+
+concurrency:
+  group: codeql-android-critical-security-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.sha }}
+  cancel-in-progress: false
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  android:
+    name: Critical Security (android)
+    runs-on: blacksmith-8vcpu-ubuntu-2404
+    timeout-minutes: 45
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Setup Java
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+        with:
+          distribution: temurin
+          java-version: "21"
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: java-kotlin
+          build-mode: manual
+          config-file: ./.github/codeql/codeql-android-critical-security.yml
+
+      - name: Build Android for CodeQL
+        working-directory: apps/android
+        run: ./gradlew --no-daemon :app:assemblePlayDebug
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-security/android"

.github/workflows/codeql-critical-quality.yml

@@ -38,3 +38,108 @@ jobs:
         uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/javascript-typescript"
+
+  config-boundary:
+    name: Critical Quality (config-boundary)
+    runs-on: blacksmith-8vcpu-ubuntu-2404
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-config-boundary-critical-quality.yml
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-quality/config-boundary"
+
+  gateway-runtime-boundary:
+    name: Critical Quality (gateway-runtime-boundary)
+    runs-on: blacksmith-8vcpu-ubuntu-2404
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-gateway-runtime-boundary-critical-quality.yml
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-quality/gateway-runtime-boundary"
+
+  channel-runtime-boundary:
+    name: Critical Quality (channel-runtime-boundary)
+    runs-on: blacksmith-8vcpu-ubuntu-2404
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-channel-runtime-boundary-critical-quality.yml
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-quality/channel-runtime-boundary"
+
+  agent-runtime-boundary:
+    name: Critical Quality (agent-runtime-boundary)
+    runs-on: blacksmith-8vcpu-ubuntu-2404
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-agent-runtime-boundary-critical-quality.yml
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-quality/agent-runtime-boundary"
+
+  plugin-boundary:
+    name: Critical Quality (plugin-boundary)
+    runs-on: blacksmith-8vcpu-ubuntu-2404
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-plugin-boundary-critical-quality.yml
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-quality/plugin-boundary"

.github/workflows/codeql-macos-critical-security.yml

@@ -0,0 +1,89 @@
+name: CodeQL macOS Critical Security
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 8 * * 1"
+
+concurrency:
+  group: codeql-macos-critical-security-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.sha }}
+  cancel-in-progress: false
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  macos:
+    name: Critical Security (macOS)
+    runs-on: blacksmith-6vcpu-macos-latest
+    timeout-minutes: 45
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Select Xcode
+        run: |
+          sudo xcode-select -s /Applications/Xcode_26.1.app
+          xcodebuild -version
+          swift --version
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: swift
+          build-mode: manual
+          config-file: ./.github/codeql/codeql-macos-critical-security.yml
+
+      - name: Build macOS for CodeQL
+        run: swift build --package-path apps/macos --product OpenClaw
+
+      - name: Analyze
+        id: analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          output: sarif-results
+          upload: failure-only
+          category: "/codeql-critical-security/macos"
+
+      - name: Remove dependency build results
+        env:
+          SARIF_OUTPUT: sarif-results
+        run: |
+          set -euo pipefail
+          shopt -s nullglob
+
+          if [ ! -d "$SARIF_OUTPUT" ]; then
+            echo "SARIF output directory not found: $SARIF_OUTPUT" >&2
+            exit 1
+          fi
+
+          mkdir -p sarif-results-filtered
+
+          files=("$SARIF_OUTPUT"/*.sarif)
+          if [ "${#files[@]}" -eq 0 ]; then
+            echo "No SARIF files found in $SARIF_OUTPUT" >&2
+            exit 1
+          fi
+
+          for file in "${files[@]}"; do
+            jq '
+              def in_dependency_build:
+                ((.locations // []) | length > 0)
+                and all(.locations[]; (.physicalLocation.artifactLocation.uri? // "") | test("^apps/macos/\\.build/"));
+
+              .runs |= map(.results = ((.results // []) | map(select(in_dependency_build | not))))
+            ' "$file" > "sarif-results-filtered/$(basename "$file")"
+          done
+
+      - name: Upload filtered SARIF
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          sarif_file: sarif-results-filtered
+          category: "/codeql-critical-security/macos"

.github/workflows/codeql.yml

@@ -11,8 +11,6 @@ on:
         options:
           - all
           - security
-          - android-security
-          - macos-security
   schedule:
     - cron: "0 6 * * *"
 
@@ -30,7 +28,7 @@ permissions:
 
 jobs:
   critical-security:
-    name: Critical Security (${{ matrix.language }})
+    name: Critical Security (${{ matrix.category }})
     if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'security' }}
     runs-on: ${{ matrix.runs_on }}
     timeout-minutes: ${{ matrix.timeout_minutes }}
@@ -39,10 +37,17 @@ jobs:
       matrix:
         include:
           - language: javascript-typescript
+            category: javascript-typescript
             runs_on: blacksmith-8vcpu-ubuntu-2404
             timeout_minutes: 25
             config_file: ./.github/codeql/codeql-javascript-typescript-critical-security.yml
+          - language: javascript-typescript
+            category: channel-runtime-boundary
+            runs_on: blacksmith-8vcpu-ubuntu-2404
+            timeout_minutes: 25
+            config_file: ./.github/codeql/codeql-channel-runtime-boundary-critical-security.yml
           - language: actions
+            category: actions
             runs_on: blacksmith-8vcpu-ubuntu-2404
             timeout_minutes: 10
             config_file: ./.github/codeql/codeql-actions-critical-security.yml
@@ -61,108 +66,4 @@ jobs:
       - name: Analyze
         uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
-          category: "/codeql-critical-security/${{ matrix.language }}"
-
-  android-security:
-    name: Critical Security (android)
-    if: ${{ github.event_name == 'workflow_dispatch' && inputs.profile == 'android-security' }}
-    runs-on: blacksmith-8vcpu-ubuntu-2404
-    timeout-minutes: 45
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
-        with:
-          distribution: temurin
-          java-version: "21"
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          languages: java-kotlin
-          build-mode: manual
-          config-file: ./.github/codeql/codeql-android-critical-security.yml
-
-      - name: Build Android for CodeQL
-        working-directory: apps/android
-        run: ./gradlew --no-daemon :app:assemblePlayDebug
-
-      - name: Analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          category: "/codeql-critical-security/android"
-
-  macos-security:
-    name: Critical Security (macOS)
-    if: ${{ github.event_name == 'workflow_dispatch' && inputs.profile == 'macos-security' }}
-    runs-on: blacksmith-6vcpu-macos-latest
-    timeout-minutes: 45
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Select Xcode
-        run: |
-          sudo xcode-select -s /Applications/Xcode_26.1.app
-          xcodebuild -version
-          swift --version
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          languages: swift
-          build-mode: manual
-          config-file: ./.github/codeql/codeql-macos-critical-security.yml
-
-      - name: Build macOS for CodeQL
-        run: swift build --package-path apps/macos --product OpenClaw
-
-      - name: Analyze
-        id: analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          output: sarif-results
-          upload: failure-only
-          category: "/codeql-critical-security/macos"
-
-      - name: Remove dependency build results
-        env:
-          SARIF_OUTPUT: sarif-results
-        run: |
-          set -euo pipefail
-          shopt -s nullglob
-
-          if [ ! -d "$SARIF_OUTPUT" ]; then
-            echo "SARIF output directory not found: $SARIF_OUTPUT" >&2
-            exit 1
-          fi
-
-          mkdir -p sarif-results-filtered
-
-          files=("$SARIF_OUTPUT"/*.sarif)
-          if [ "${#files[@]}" -eq 0 ]; then
-            echo "No SARIF files found in $SARIF_OUTPUT" >&2
-            exit 1
-          fi
-
-          for file in "${files[@]}"; do
-            jq '
-              def in_dependency_build:
-                ((.locations // []) | length > 0)
-                and all(.locations[]; (.physicalLocation.artifactLocation.uri? // "") | test("^apps/macos/\\.build/"));
-
-              .runs |= map(.results = ((.results // []) | map(select(in_dependency_build | not))))
-            ' "$file" > "sarif-results-filtered/$(basename "$file")"
-          done
-
-      - name: Upload filtered SARIF
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          sarif_file: sarif-results-filtered
-          category: "/codeql-critical-security/macos"
+          category: "/codeql-critical-security/${{ matrix.category }}"

.github/workflows/docs-agent.yml

@@ -149,7 +149,7 @@ jobs:
 
       - name: Run Codex docs agent
         if: steps.gate.outputs.run_agent == 'true'
-        uses: openai/codex-action@v1
+        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02
         env:
           DOCS_AGENT_BASE_SHA: ${{ steps.gate.outputs.review_base_sha }}
           DOCS_AGENT_HEAD_SHA: ${{ steps.gate.outputs.review_head_sha }}

.github/workflows/full-release-validation.yml

@@ -82,7 +82,7 @@ permissions:
 
 concurrency:
   group: full-release-validation-${{ inputs.ref }}
-  cancel-in-progress: false
+  cancel-in-progress: ${{ inputs.ref == 'main' }}
 
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
@@ -207,6 +207,19 @@ jobs:
             echo "Dispatched ${workflow}: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${run_id}"
             echo "run_id=${run_id}" >> "$GITHUB_OUTPUT"
 
+            cleanup_child_run() {
+              local exit_code=$?
+              trap - EXIT INT TERM
+              local child_status
+              child_status="$(gh run view "$run_id" --json status --jq '.status' 2>/dev/null || true)"
+              if [[ "$child_status" != "completed" ]]; then
+                echo "Cancelling child ${workflow} run ${run_id} after parent exit (${exit_code})."
+                gh run cancel "$run_id" || gh api -X POST "repos/${GITHUB_REPOSITORY}/actions/runs/${run_id}/force-cancel" || true
+              fi
+              return "$exit_code"
+            }
+            trap cleanup_child_run EXIT INT TERM
+
             while true; do
               status="$(gh run view "$run_id" --json status --jq '.status')"
               if [[ "$status" == "completed" ]]; then
@@ -214,6 +227,7 @@ jobs:
               fi
               sleep 30
             done
+            trap - EXIT INT TERM
 
             conclusion="$(gh run view "$run_id" --json conclusion --jq '.conclusion')"
             url="$(gh run view "$run_id" --json url --jq '.url')"
@@ -232,6 +246,23 @@ jobs:
             echo "- Target SHA: \`${TARGET_SHA}\`"
           } >> "$GITHUB_STEP_SUMMARY"
 
+          cancel_same_sha_push_ci() {
+            local run_ids run_id
+            run_ids="$(
+              gh run list --workflow ci.yml --limit 100 --json databaseId,event,headSha,status \
+                --jq 'map(select(.event == "push" and .headSha == env.TARGET_SHA and (.status == "queued" or .status == "in_progress" or .status == "waiting" or .status == "pending"))) | .[].databaseId'
+            )"
+            if [[ -z "${run_ids// }" ]]; then
+              return 0
+            fi
+            while IFS= read -r run_id; do
+              [[ -n "${run_id// }" ]] || continue
+              echo "Cancelling same-SHA push CI run ${run_id}; Full Release Validation dispatches the full manual CI child for ${TARGET_SHA}."
+              gh run cancel "$run_id" || gh api -X POST "repos/${GITHUB_REPOSITORY}/actions/runs/${run_id}/force-cancel" || true
+            done <<< "$run_ids"
+          }
+
+          cancel_same_sha_push_ci
           dispatch_and_wait ci.yml -f target_ref="$TARGET_SHA"
 
   release_checks:
@@ -295,6 +326,19 @@ jobs:
             echo "Dispatched ${workflow}: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${run_id}"
             echo "run_id=${run_id}" >> "$GITHUB_OUTPUT"
 
+            cleanup_child_run() {
+              local exit_code=$?
+              trap - EXIT INT TERM
+              local child_status
+              child_status="$(gh run view "$run_id" --json status --jq '.status' 2>/dev/null || true)"
+              if [[ "$child_status" != "completed" ]]; then
+                echo "Cancelling child ${workflow} run ${run_id} after parent exit (${exit_code})."
+                gh run cancel "$run_id" || gh api -X POST "repos/${GITHUB_REPOSITORY}/actions/runs/${run_id}/force-cancel" || true
+              fi
+              return "$exit_code"
+            }
+            trap cleanup_child_run EXIT INT TERM
+
             while true; do
               status="$(gh run view "$run_id" --json status --jq '.status')"
               if [[ "$status" == "completed" ]]; then
@@ -302,6 +346,7 @@ jobs:
               fi
               sleep 30
             done
+            trap - EXIT INT TERM
 
             conclusion="$(gh run view "$run_id" --json conclusion --jq '.conclusion')"
             url="$(gh run view "$run_id" --json url --jq '.url')"
@@ -389,6 +434,19 @@ jobs:
           echo "Dispatched npm-telegram-beta-e2e.yml: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${run_id}"
           echo "run_id=${run_id}" >> "$GITHUB_OUTPUT"
 
+          cleanup_child_run() {
+            local exit_code=$?
+            trap - EXIT INT TERM
+            local child_status
+            child_status="$(gh run view "$run_id" --json status --jq '.status' 2>/dev/null || true)"
+            if [[ "$child_status" != "completed" ]]; then
+              echo "Cancelling npm-telegram-beta-e2e.yml child run ${run_id} after parent exit (${exit_code})."
+              gh run cancel "$run_id" || gh api -X POST "repos/${GITHUB_REPOSITORY}/actions/runs/${run_id}/force-cancel" || true
+            fi
+            return "$exit_code"
+          }
+          trap cleanup_child_run EXIT INT TERM
+
           while true; do
             status="$(gh run view "$run_id" --json status --jq '.status')"
             if [[ "$status" == "completed" ]]; then
@@ -396,6 +454,7 @@ jobs:
             fi
             sleep 30
           done
+          trap - EXIT INT TERM
 
           conclusion="$(gh run view "$run_id" --json conclusion --jq '.conclusion')"
           url="$(gh run view "$run_id" --json url --jq '.url')"

.github/workflows/openclaw-cross-os-release-checks-reusable.yml

@@ -158,7 +158,7 @@ permissions: read-all
 
 concurrency:
   group: openclaw-cross-os-release-checks-${{ inputs.ref }}-${{ inputs.provider }}-${{ inputs.mode }}
-  cancel-in-progress: false
+  cancel-in-progress: ${{ inputs.ref == 'main' }}
 
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
@@ -169,7 +169,7 @@ env:
 
 jobs:
   prepare:
-    runs-on: blacksmith-8vcpu-ubuntu-2404
+    runs-on: ubuntu-24.04
     outputs:
       baseline_file_name: ${{ steps.baseline_metadata.outputs.file_name }}
       baseline_spec: ${{ steps.baseline.outputs.value }}
@@ -321,7 +321,7 @@ jobs:
           submodules: recursive
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1
         with:
           version: ${{ env.PNPM_VERSION }}
           run_install: false
@@ -333,6 +333,9 @@ jobs:
           cache: pnpm
           cache-dependency-path: ${{ inputs.candidate_artifact_name == '' && 'source/pnpm-lock.yaml' || 'workflow/pnpm-lock.yaml' }}
 
+      - name: Ensure pnpm store cache directory exists
+        run: mkdir -p "$(pnpm store path --silent)"
+
       - name: Build candidate artifact once
         if: inputs.candidate_artifact_name == ''
         env:
@@ -496,7 +499,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1
         with:
           version: ${{ env.PNPM_VERSION }}
           run_install: false

.github/workflows/openclaw-live-and-e2e-checks-reusable.yml

@@ -1875,22 +1875,25 @@ jobs:
           case "${{ matrix.suite_id }}" in
             live-cli-backend-docker)
               echo "OPENCLAW_LIVE_CLI_BACKEND_MODEL=codex-cli/gpt-5.5" >> "$GITHUB_ENV"
-              # The CLI backend Docker lane should exercise the same staged
-              # Codex auth path Peter uses locally so MCP cron creation and
-              # multimodal probes stay covered in CI. Replace the staged
-              # config.toml with a minimal CI-safe config so the repo stays
-              # trusted for MCP/tool use without inheriting maintainer-local
-              # provider/profile overrides that do not exist inside CI.
+              # Keep the release-blocking CI lane on Codex API-key auth. The
+              # staged auth-file path remains supported for local maintainer
+              # reruns, but it can hang on stale subscription/session state in
+              # an otherwise healthy release run.
+              echo "OPENCLAW_LIVE_CLI_BACKEND_AUTH=api-key" >> "$GITHUB_ENV"
+              # Replace the staged config.toml with a minimal CI-safe config so
+              # the repo stays trusted for MCP/tool use without inheriting
+              # maintainer-local provider/profile overrides that do not exist
+              # inside CI.
               # Codex's workspace-write sandbox relies on user namespaces that
               # this Docker lane does not provide, so run Codex unsandboxed
               # inside the already-isolated container to keep MCP cron/tool
               # execution representative instead of failing on nested sandbox
               # setup.
-              echo 'OPENCLAW_LIVE_CLI_BACKEND_CLEAR_ENV=["OPENAI_API_KEY","OPENAI_BASE_URL"]' >> "$GITHUB_ENV"
               echo 'OPENCLAW_LIVE_CLI_BACKEND_ARGS=["exec","--json","--color","never","--sandbox","danger-full-access","--skip-git-repo-check"]' >> "$GITHUB_ENV"
               echo 'OPENCLAW_LIVE_CLI_BACKEND_RESUME_ARGS=["exec","resume","{sessionId}","-c","sandbox_mode=\"danger-full-access\"","--skip-git-repo-check"]' >> "$GITHUB_ENV"
               echo "OPENCLAW_LIVE_CLI_BACKEND_DEBUG=1" >> "$GITHUB_ENV"
               echo "OPENCLAW_CLI_BACKEND_LOG_OUTPUT=1" >> "$GITHUB_ENV"
+              echo "OPENCLAW_TEST_CONSOLE=1" >> "$GITHUB_ENV"
               echo "OPENCLAW_LIVE_CLI_BACKEND_USE_CI_SAFE_CODEX_CONFIG=1" >> "$GITHUB_ENV"
               ;;
             live-codex-harness-docker)
@@ -1898,6 +1901,9 @@ jobs:
               # is currently stale, but the wrapper still supports codex-auth for
               # local maintainer reruns without changing Peter's flow.
               echo "OPENCLAW_LIVE_CODEX_HARNESS_AUTH=api-key" >> "$GITHUB_ENV"
+              echo "OPENCLAW_LIVE_CODEX_HARNESS_DEBUG=1" >> "$GITHUB_ENV"
+              echo "OPENCLAW_CLI_BACKEND_LOG_OUTPUT=1" >> "$GITHUB_ENV"
+              echo "OPENCLAW_TEST_CONSOLE=1" >> "$GITHUB_ENV"
               ;;
             live-acp-bind-docker)
               if [[ -n "${GEMINI_API_KEY:-}" || -n "${GOOGLE_API_KEY:-}" ]]; then

.github/workflows/openclaw-release-checks.yml

@@ -56,23 +56,23 @@ on:
 
 concurrency:
   group: openclaw-release-checks-${{ inputs.ref }}
-  cancel-in-progress: false
+  cancel-in-progress: ${{ inputs.ref == 'main' }}
 
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
   NODE_VERSION: "24.x"
   PNPM_VERSION: "10.33.0"
-  OPENCLAW_CI_OPENAI_MODEL: ${{ vars.OPENCLAW_CI_OPENAI_MODEL }}
+  OPENCLAW_CI_OPENAI_MODEL: ${{ vars.OPENCLAW_CI_OPENAI_MODEL || 'openai/gpt-5.5' }}
 
 jobs:
   resolve_target:
-    runs-on: blacksmith-32vcpu-ubuntu-2404
+    runs-on: ubuntu-24.04
     timeout-minutes: 30
     permissions:
       contents: read
     outputs:
       ref: ${{ steps.inputs.outputs.ref }}
-      sha: ${{ steps.ref.outputs.sha }}
+      revision: ${{ steps.ref.outputs.sha }}
       provider: ${{ steps.inputs.outputs.provider }}
       mode: ${{ steps.inputs.outputs.mode }}
       release_profile: ${{ steps.inputs.outputs.release_profile }}
@@ -106,6 +106,7 @@ jobs:
       - name: Checkout trusted workflow helper
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           ref: ${{ github.ref_name }}
           path: workflow
           fetch-depth: 1
@@ -126,6 +127,7 @@ jobs:
         if: steps.fast_ref.outputs.fallback == 'true'
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           ref: ${{ inputs.ref }}
           path: source
           fetch-depth: 0
@@ -227,7 +229,7 @@ jobs:
     name: Prepare release package artifact
     needs: [resolve_target]
     if: contains(fromJSON('["all","cross-os","live-e2e","package"]'), needs.resolve_target.outputs.rerun_group)
-    runs-on: blacksmith-32vcpu-ubuntu-2404
+    runs-on: ubuntu-24.04
     timeout-minutes: 60
     permissions:
       contents: read
@@ -240,6 +242,7 @@ jobs:
       - name: Checkout trusted workflow ref
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           ref: ${{ github.ref_name }}
           fetch-depth: 0
 
@@ -259,7 +262,7 @@ jobs:
         id: package
         shell: bash
         env:
-          PACKAGE_REF: ${{ needs.resolve_target.outputs.sha }}
+          PACKAGE_REF: ${{ needs.resolve_target.outputs.revision }}
         run: |
           set -euo pipefail
           node scripts/resolve-openclaw-package-candidate.mjs \
@@ -298,7 +301,7 @@ jobs:
       contents: read
     uses: ./.github/workflows/install-smoke.yml
     with:
-      ref: ${{ needs.resolve_target.outputs.sha }}
+      ref: ${{ needs.resolve_target.outputs.revision }}
       run_bun_global_install_smoke: true
 
   cross_os_release_checks:
@@ -307,7 +310,7 @@ jobs:
     permissions: read-all
     uses: ./.github/workflows/openclaw-cross-os-release-checks-reusable.yml
     with:
-      ref: ${{ needs.resolve_target.outputs.ref }}
+      ref: ${{ needs.resolve_target.outputs.revision }}
       provider: ${{ needs.resolve_target.outputs.provider }}
       mode: ${{ needs.resolve_target.outputs.mode }}
       candidate_artifact_name: ${{ needs.prepare_release_package.outputs.artifact_name }}
@@ -323,8 +326,9 @@ jobs:
       OPENCLAW_DISCORD_SMOKE_GUILD_ID: ${{ secrets.OPENCLAW_DISCORD_SMOKE_GUILD_ID }}
       OPENCLAW_DISCORD_SMOKE_CHANNEL_ID: ${{ secrets.OPENCLAW_DISCORD_SMOKE_CHANNEL_ID }}
 
-  live_and_e2e_release_checks:
-    needs: [resolve_target, prepare_release_package]
+  live_repo_e2e_release_checks:
+    name: Run repo/live E2E validation
+    needs: [resolve_target]
     if: contains(fromJSON('["all","live-e2e"]'), needs.resolve_target.outputs.rerun_group)
     permissions:
       actions: read
@@ -333,15 +337,13 @@ jobs:
       pull-requests: read
     uses: ./.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
     with:
-      ref: ${{ needs.resolve_target.outputs.sha }}
+      ref: ${{ needs.resolve_target.outputs.revision }}
       include_repo_e2e: true
-      include_release_path_suites: true
-      include_openwebui: ${{ needs.resolve_target.outputs.release_profile != 'minimum' }}
+      include_release_path_suites: false
+      include_openwebui: false
       include_live_suites: true
       release_test_profile: ${{ needs.resolve_target.outputs.release_profile }}
-      package_artifact_name: ${{ needs.prepare_release_package.outputs.artifact_name }}
-      package_artifact_run_id: ${{ github.run_id }}
-    secrets:
+    secrets: &live_e2e_release_secrets
       OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
       OPENAI_BASE_URL: ${{ secrets.OPENAI_BASE_URL }}
       ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
@@ -388,6 +390,27 @@ jobs:
       OPENCLAW_GEMINI_SETTINGS_JSON: ${{ secrets.OPENCLAW_GEMINI_SETTINGS_JSON }}
       FIREWORKS_API_KEY: ${{ secrets.FIREWORKS_API_KEY }}
 
+  docker_e2e_release_checks:
+    name: Run Docker release-path validation
+    needs: [resolve_target, prepare_release_package]
+    if: contains(fromJSON('["all","live-e2e"]'), needs.resolve_target.outputs.rerun_group)
+    permissions:
+      actions: read
+      contents: read
+      packages: write
+      pull-requests: read
+    uses: ./.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
+    with:
+      ref: ${{ needs.resolve_target.outputs.revision }}
+      include_repo_e2e: false
+      include_release_path_suites: true
+      include_openwebui: ${{ needs.resolve_target.outputs.release_profile != 'minimum' }}
+      include_live_suites: false
+      release_test_profile: ${{ needs.resolve_target.outputs.release_profile }}
+      package_artifact_name: ${{ needs.prepare_release_package.outputs.artifact_name }}
+      package_artifact_run_id: ${{ github.run_id }}
+    secrets: *live_e2e_release_secrets
+
   package_acceptance_release_checks:
     name: Run package acceptance
     needs: [resolve_target, prepare_release_package]
@@ -488,7 +511,8 @@ jobs:
       - name: Checkout selected ref
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.resolve_target.outputs.sha }}
+          persist-credentials: false
+          ref: ${{ needs.resolve_target.outputs.revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -535,7 +559,7 @@ jobs:
         if: always()
         uses: actions/upload-artifact@v4
         with:
-          name: release-qa-parity-${{ matrix.lane }}-${{ needs.resolve_target.outputs.sha }}
+          name: release-qa-parity-${{ matrix.lane }}-${{ needs.resolve_target.outputs.revision }}
           path: .artifacts/qa-e2e/
           retention-days: 14
           if-no-files-found: warn
@@ -556,7 +580,8 @@ jobs:
       - name: Checkout selected ref
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.resolve_target.outputs.sha }}
+          persist-credentials: false
+          ref: ${{ needs.resolve_target.outputs.revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -569,7 +594,7 @@ jobs:
       - name: Download parity lane artifacts
         uses: actions/download-artifact@v4
         with:
-          pattern: release-qa-parity-*-${{ needs.resolve_target.outputs.sha }}
+          pattern: release-qa-parity-*-${{ needs.resolve_target.outputs.revision }}
           path: .artifacts/qa-e2e/
           merge-multiple: true
 
@@ -590,7 +615,7 @@ jobs:
         if: always()
         uses: actions/upload-artifact@v4
         with:
-          name: release-qa-parity-${{ needs.resolve_target.outputs.sha }}
+          name: release-qa-parity-${{ needs.resolve_target.outputs.revision }}
           path: .artifacts/qa-e2e/
           retention-days: 14
           if-no-files-found: warn
@@ -612,7 +637,8 @@ jobs:
       - name: Checkout selected ref
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.resolve_target.outputs.sha }}
+          persist-credentials: false
+          ref: ${{ needs.resolve_target.outputs.revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -669,7 +695,7 @@ jobs:
         if: always()
         uses: actions/upload-artifact@v4
         with:
-          name: release-qa-live-matrix-${{ needs.resolve_target.outputs.sha }}
+          name: release-qa-live-matrix-${{ needs.resolve_target.outputs.revision }}
           path: .artifacts/qa-e2e/
           retention-days: 14
           if-no-files-found: warn
@@ -691,7 +717,8 @@ jobs:
       - name: Checkout selected ref
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.resolve_target.outputs.sha }}
+          persist-credentials: false
+          ref: ${{ needs.resolve_target.outputs.revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -754,7 +781,7 @@ jobs:
         if: always()
         uses: actions/upload-artifact@v4
         with:
-          name: release-qa-live-telegram-${{ needs.resolve_target.outputs.sha }}
+          name: release-qa-live-telegram-${{ needs.resolve_target.outputs.revision }}
           path: .artifacts/qa-e2e/
           retention-days: 14
           if-no-files-found: warn
@@ -765,7 +792,8 @@ jobs:
       - prepare_release_package
       - install_smoke_release_checks
       - cross_os_release_checks
-      - live_and_e2e_release_checks
+      - live_repo_e2e_release_checks
+      - docker_e2e_release_checks
       - package_acceptance_release_checks
       - qa_lab_parity_lane_release_checks
       - qa_lab_parity_report_release_checks
@@ -785,7 +813,8 @@ jobs:
             "prepare_release_package=${{ needs.prepare_release_package.result }}" \
             "install_smoke_release_checks=${{ needs.install_smoke_release_checks.result }}" \
             "cross_os_release_checks=${{ needs.cross_os_release_checks.result }}" \
-            "live_and_e2e_release_checks=${{ needs.live_and_e2e_release_checks.result }}" \
+            "live_repo_e2e_release_checks=${{ needs.live_repo_e2e_release_checks.result }}" \
+            "docker_e2e_release_checks=${{ needs.docker_e2e_release_checks.result }}" \
             "package_acceptance_release_checks=${{ needs.package_acceptance_release_checks.result }}" \
             "qa_lab_parity_lane_release_checks=${{ needs.qa_lab_parity_lane_release_checks.result }}" \
             "qa_lab_parity_report_release_checks=${{ needs.qa_lab_parity_report_release_checks.result }}" \

.github/workflows/package-acceptance.yml

@@ -262,6 +262,7 @@ jobs:
       include_openwebui: ${{ steps.profile.outputs.include_openwebui }}
       include_release_path_suites: ${{ steps.profile.outputs.include_release_path_suites }}
       package_artifact_name: ${{ steps.profile.outputs.package_artifact_name }}
+      package_source_sha: ${{ steps.resolve.outputs.package_source_sha }}
       package_sha256: ${{ steps.resolve.outputs.sha256 }}
       package_version: ${{ steps.resolve.outputs.package_version }}
       telegram_enabled: ${{ steps.profile.outputs.telegram_enabled }}
@@ -493,7 +494,7 @@ jobs:
       package_spec: ${{ inputs.package_spec }}
       package_artifact_name: ${{ needs.resolve_package.outputs.package_artifact_name }}
       package_label: openclaw@${{ needs.resolve_package.outputs.package_version }}
-      harness_ref: ${{ inputs.source == 'ref' && inputs.package_ref || inputs.workflow_ref }}
+      harness_ref: ${{ needs.resolve_package.outputs.package_source_sha || inputs.workflow_ref }}
       provider_mode: ${{ needs.resolve_package.outputs.telegram_mode }}
       scenario: ${{ inputs.telegram_scenarios }}
     secrets:

.github/workflows/parity-gate.yml

@@ -42,7 +42,7 @@ jobs:
       # followthrough gate that expects a fast post-approval read within a 30s
       # agent.wait timeout.
       QA_PARITY_CONCURRENCY: "1"
-      OPENCLAW_CI_OPENAI_MODEL: ${{ vars.OPENCLAW_CI_OPENAI_MODEL }}
+      OPENCLAW_CI_OPENAI_MODEL: ${{ vars.OPENCLAW_CI_OPENAI_MODEL || 'openai/gpt-5.5' }}
       OPENCLAW_QA_TRANSPORT_READY_TIMEOUT_MS: "180000"
       OPENAI_API_KEY: ""
       ANTHROPIC_API_KEY: ""
@@ -57,9 +57,11 @@ jobs:
     steps:
       - name: Checkout PR
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1
 
       - name: Setup Node
         uses: actions/setup-node@v6

.github/workflows/plugin-clawhub-release.yml

@@ -35,7 +35,7 @@ jobs:
     permissions:
       contents: read
     outputs:
-      ref_sha: ${{ steps.ref.outputs.sha }}
+      ref_revision: ${{ steps.ref.outputs.sha }}
       has_candidates: ${{ steps.plan.outputs.has_candidates }}
       candidate_count: ${{ steps.plan.outputs.candidate_count }}
       skipped_published_count: ${{ steps.plan.outputs.skipped_published_count }}
@@ -44,6 +44,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           ref: ${{ github.sha }}
           fetch-depth: 0
 
@@ -150,7 +151,8 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.preview_plugins_clawhub.outputs.ref_sha }}
+          persist-credentials: false
+          ref: ${{ needs.preview_plugins_clawhub.outputs.ref_revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -164,6 +166,7 @@ jobs:
       - name: Checkout ClawHub CLI source
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           repository: ${{ env.CLAWHUB_REPOSITORY }}
           ref: ${{ env.CLAWHUB_REF }}
           path: clawhub-source
@@ -187,7 +190,7 @@ jobs:
         env:
           CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
           SOURCE_REPO: ${{ github.repository }}
-          SOURCE_COMMIT: ${{ needs.preview_plugins_clawhub.outputs.ref_sha }}
+          SOURCE_COMMIT: ${{ needs.preview_plugins_clawhub.outputs.ref_revision }}
           SOURCE_REF: ${{ github.ref }}
           PACKAGE_TAG: ${{ matrix.plugin.publishTag }}
           PACKAGE_DIR: ${{ matrix.plugin.packageDir }}
@@ -209,7 +212,8 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.preview_plugins_clawhub.outputs.ref_sha }}
+          persist-credentials: false
+          ref: ${{ needs.preview_plugins_clawhub.outputs.ref_revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -223,6 +227,7 @@ jobs:
       - name: Checkout ClawHub CLI source
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           repository: ${{ env.CLAWHUB_REPOSITORY }}
           ref: ${{ env.CLAWHUB_REF }}
           path: clawhub-source
@@ -266,7 +271,7 @@ jobs:
         env:
           CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
           SOURCE_REPO: ${{ github.repository }}
-          SOURCE_COMMIT: ${{ needs.preview_plugins_clawhub.outputs.ref_sha }}
+          SOURCE_COMMIT: ${{ needs.preview_plugins_clawhub.outputs.ref_revision }}
           SOURCE_REF: ${{ github.ref }}
           PACKAGE_TAG: ${{ matrix.plugin.publishTag }}
           PACKAGE_DIR: ${{ matrix.plugin.packageDir }}

.github/workflows/plugin-npm-release.yml

@@ -46,7 +46,7 @@ jobs:
     permissions:
       contents: read
     outputs:
-      ref_sha: ${{ steps.ref.outputs.sha }}
+      ref_revision: ${{ steps.ref.outputs.sha }}
       has_candidates: ${{ steps.plan.outputs.has_candidates }}
       candidate_count: ${{ steps.plan.outputs.candidate_count }}
       matrix: ${{ steps.plan.outputs.matrix }}
@@ -54,6 +54,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.sha }}
           fetch-depth: 0
 
@@ -151,7 +152,8 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.preview_plugins_npm.outputs.ref_sha }}
+          persist-credentials: false
+          ref: ${{ needs.preview_plugins_npm.outputs.ref_revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -185,7 +187,8 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.preview_plugins_npm.outputs.ref_sha }}
+          persist-credentials: false
+          ref: ${{ needs.preview_plugins_npm.outputs.ref_revision }}
           fetch-depth: 1
 
       - name: Setup Node environment

.github/workflows/qa-live-transports-convex.yml

@@ -44,7 +44,7 @@ env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
   NODE_VERSION: "24.x"
   PNPM_VERSION: "10.33.0"
-  OPENCLAW_CI_OPENAI_MODEL: ${{ vars.OPENCLAW_CI_OPENAI_MODEL }}
+  OPENCLAW_CI_OPENAI_MODEL: ${{ vars.OPENCLAW_CI_OPENAI_MODEL || 'openai/gpt-5.5' }}
   OPENCLAW_BUILD_PRIVATE_QA: "1"
   OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
 
@@ -81,12 +81,13 @@ jobs:
     needs: authorize_actor
     runs-on: blacksmith-8vcpu-ubuntu-2404
     outputs:
-      selected_sha: ${{ steps.validate.outputs.selected_sha }}
+      selected_revision: ${{ steps.validate.outputs.selected_revision }}
       trusted_reason: ${{ steps.validate.outputs.trusted_reason }}
     steps:
       - name: Checkout selected ref
         uses: actions/checkout@v6
         with:
+          persist-credentials: false
           ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.sha }}
           fetch-depth: 0
 
@@ -98,27 +99,27 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
-          selected_sha="$(git rev-parse HEAD)"
+          selected_revision="$(git rev-parse HEAD)"
           trusted_reason=""
 
           git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
 
-          if git merge-base --is-ancestor "$selected_sha" refs/remotes/origin/main; then
+          if git merge-base --is-ancestor "$selected_revision" refs/remotes/origin/main; then
             trusted_reason="main-ancestor"
-          elif git tag --points-at "$selected_sha" | grep -Eq '^v'; then
+          elif git tag --points-at "$selected_revision" | grep -Eq '^v'; then
             trusted_reason="release-tag"
           elif [[ "$INPUT_REF" =~ ^release/[0-9]{4}\.[0-9]+\.[0-9]+$ ]]; then
             git fetch --no-tags origin "+refs/heads/${INPUT_REF}:refs/remotes/origin/${INPUT_REF}"
             release_branch_sha="$(git rev-parse "refs/remotes/origin/${INPUT_REF}")"
-            if [[ "$selected_sha" == "$release_branch_sha" ]]; then
+            if [[ "$selected_revision" == "$release_branch_sha" ]]; then
               trusted_reason="release-branch-head"
             fi
           else
             pr_head_count="$(
               gh api \
                 -H "Accept: application/vnd.github+json" \
-                "repos/${GITHUB_REPOSITORY}/commits/${selected_sha}/pulls" \
-                --jq '[.[] | select(.state == "open" and .head.repo.full_name == "'"${GITHUB_REPOSITORY}"'" and .head.sha == "'"${selected_sha}"'")] | length'
+                "repos/${GITHUB_REPOSITORY}/commits/${selected_revision}/pulls" \
+                --jq '[.[] | select(.state == "open" and .head.repo.full_name == "'"${GITHUB_REPOSITORY}"'" and .head.sha == "'"${selected_revision}"'")] | length'
             )"
             if [[ "$pr_head_count" != "0" ]]; then
               trusted_reason="open-pr-head"
@@ -126,16 +127,16 @@ jobs:
           fi
 
           if [[ -z "$trusted_reason" ]]; then
-            echo "Ref '${INPUT_REF}' resolved to $selected_sha, which is not trusted for this secret-bearing QA run." >&2
+            echo "Ref '${INPUT_REF}' resolved to $selected_revision, which is not trusted for this secret-bearing QA run." >&2
             echo "Allowed refs must be on main, point to a release tag, match a release branch head, or match an open PR head in ${GITHUB_REPOSITORY}." >&2
             exit 1
           fi
 
-          echo "selected_sha=$selected_sha" >> "$GITHUB_OUTPUT"
+          echo "selected_revision=$selected_revision" >> "$GITHUB_OUTPUT"
           echo "trusted_reason=$trusted_reason" >> "$GITHUB_OUTPUT"
           {
             echo "Validated ref: \`${INPUT_REF}\`"
-            echo "Resolved SHA: \`$selected_sha\`"
+            echo "Resolved SHA: \`$selected_revision\`"
             echo "Trust reason: \`$trusted_reason\`"
           } >> "$GITHUB_STEP_SUMMARY"
 
@@ -157,7 +158,8 @@ jobs:
       - name: Checkout selected ref
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
+          persist-credentials: false
+          ref: ${{ needs.validate_selected_ref.outputs.selected_revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -220,7 +222,8 @@ jobs:
       - name: Checkout selected ref
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
+          persist-credentials: false
+          ref: ${{ needs.validate_selected_ref.outputs.selected_revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -303,7 +306,8 @@ jobs:
       - name: Checkout selected ref
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
+          persist-credentials: false
+          ref: ${{ needs.validate_selected_ref.outputs.selected_revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -375,7 +379,8 @@ jobs:
       - name: Checkout selected ref
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
+          persist-credentials: false
+          ref: ${{ needs.validate_selected_ref.outputs.selected_revision }}
           fetch-depth: 1
 
       - name: Setup Node environment
@@ -467,7 +472,8 @@ jobs:
       - name: Checkout selected ref
         uses: actions/checkout@v6
         with:
-          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
+          persist-credentials: false
+          ref: ${{ needs.validate_selected_ref.outputs.selected_revision }}
           fetch-depth: 1
 
       - name: Setup Node environment

.github/workflows/test-performance-agent.yml

@@ -129,7 +129,7 @@ jobs:
 
       - name: Run Codex test performance agent
         if: steps.gate.outputs.run_agent == 'true'
-        uses: openai/codex-action@v1
+        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02
         with:
           openai-api-key: ${{ secrets.OPENCLAW_TEST_PERF_AGENT_OPENAI_API_KEY || secrets.OPENAI_API_KEY }}
           prompt-file: .github/codex/prompts/test-performance-agent.md

.gitignore

@@ -3,6 +3,7 @@ node_modules
 .env
 docker-compose.override.yml
 docker-compose.extra.yml
+docker-compose.sandbox.yml
 dist
 dist-runtime/
 pnpm-lock.yaml

CHANGELOG.md

@@ -6,54 +6,82 @@ Docs: https://docs.openclaw.ai
 
 ### Changes
 
-- iOS/Gateway: add an authenticated `node.presence.alive` protocol event and `node.list` last-seen fields so background iOS wakes can mark paired nodes recently alive without treating them as connected. Carries forward #63123. Thanks @ngutman.
-- Android: publish authenticated `node.presence.alive` events after node connect and background transitions so paired Android nodes retain durable last-seen metadata after disconnects. Carries forward #63123. Thanks @ngutman.
-- Gateway/chat: accept non-image attachments through `chat.send` by staging them as agent-readable media paths, while keeping unsupported RPC attachment paths explicit instead of silently dropping files. Fixes #48123. (#67572) Thanks @samzong.
-- Security/networking: add opt-in operator-managed outbound proxy routing (proxy.enabled + proxy.proxyUrl/OPENCLAW_PROXY_URL) with strict http:// forward-proxy validation, loopback-only Gateway bypass, and cleanup of proxy env/dispatcher state on exit. (#70044) Thanks @jesse-merhi and @joshavant.
+- Channels: add Yuanbao channel docs entrance so the Tencent Yuanbao bot appears in the channel listing and sidebar navigation. (#73443) Thanks @loongfay.
+- Active Memory: add optional per-conversation `allowedChatIds` and `deniedChatIds` filters so operators can enable recall only for selected direct, group, or channel conversations while keeping broad sessions skipped. (#67977) Thanks @quengh.
+- Active Memory: return bounded partial recall summaries when the hidden memory sub-agent times out, including the default temporary-transcript path, so useful recovered context is not discarded. (#73219) Thanks @joeykrug.
+- Docker setup: add `OPENCLAW_SKIP_ONBOARDING` so automated Docker installs can skip the interactive onboarding step while still applying gateway defaults. (#55518) Thanks @jinjimz.
 
 ### Fixes
 
-- Plugins/startup: precompute bundled runtime mirror fingerprints before taking the mirror lock, including dist-runtime canonical roots, so Docker Desktop/WSL cold starts no longer hold `.openclaw-runtime-mirror.lock` while scanning slow persisted volumes. Fixes #73339. Thanks @1yihui.
-- Channels/LINE: persist inbound image, video, audio, and file downloads in `~/.openclaw/media/inbound/` instead of temporary files so agents can still read LINE media after `/tmp` cleanup. Fixes #73370. Thanks @hijirii and @wenxu007.
-- Control UI/WebChat: keep large attachment payloads out of Lit state and optimistic chat messages, using object URL previews plus send-time payload serialization so PDF/image uploads no longer trigger `RangeError: Maximum call stack size exceeded`. Fixes #73360; refs #54378 and #63432. Thanks @hejunhui-73, @Ansub, and @christianhernandez3-afk.
-- Agents/Anthropic: cancel stalled Anthropic Messages SSE body reads when abort signals fire, so active-memory timeouts release transport resources instead of leaving hidden recall runs parked on `reader.read()`. Refs #72965 and #73120. Thanks @wdeveloper16.
-- Agents/models: keep per-agent primary models strict when `fallbacks` is omitted, so probe-only custom providers are not tried as hidden fallback candidates unless the agent explicitly opts in. Fixes #73332. Thanks @haumanto.
-- Gateway/models: add `models.pricing.enabled` so offline or restricted-network installs can skip startup OpenRouter and LiteLLM pricing-catalog fetches while keeping explicit model costs working. Fixes #53639. Thanks @callebtc, @palewire, and @rjdjohnston.
-- Onboarding: pin interactive and non-interactive health checks to the just-configured setup token/password so stale `OPENCLAW_GATEWAY_TOKEN` or `OPENCLAW_GATEWAY_PASSWORD` values do not produce false gateway-token-mismatch failures after setup. Fixes #72203. Thanks @galiniliev.
-- Doctor/state: require an interactive confirmation before archiving orphan transcript files, so `openclaw doctor --fix` no longer silently renames recoverable session history after upgrades regenerate `sessions.json`. Fixes #73106. Thanks @scottgl9.
-- Cron/Telegram: preserve explicit `:topic:` delivery targets over stale session-derived thread IDs when isolated cron announces to Telegram forum topics. Carries forward #59069; refs #49704 and #43808. Thanks @roytong9.
-- Build/runtime: write the runtime-postbuild stamp after `pnpm build` writes the build stamp, so the next CLI invocation does not re-sync runtime artifacts after a successful build. Fixes #73151. Thanks @bittoby.
-- Build/runtime: preserve staged bundled-plugin runtime dependency caches across source-checkout tsdown rebuilds, so local CLI and gateway-watch rebuilds no longer recreate large plugin dependency trees before starting. Refs #73205. Thanks @SymbolStar.
-- CLI/channels: list configured chat channel accounts from read-only setup metadata even when the standalone CLI has not loaded the runtime channel registry, so `openclaw channels list` shows Telegram accounts before auth providers. Fixes #73319 and #73322. Thanks @mlaihk.
-- CLI/model probes: keep `infer model run --gateway` raw by skipping prior session transcript, bootstrap context, context-engine assembly, tools, and bundled MCP servers, so local backends can be tested without full agent-context overhead. Fixes #73308. Thanks @ScientificProgrammer.
-- CLI/model probes: reject empty or whitespace-only `infer model run --prompt` values before calling local providers or the Gateway, so smoke checks do not spend provider calls on invalid turns. Fixes #73185. Thanks @iot2edge.
-- Gateway/media: route text-only `chat.send` image offloads through media-understanding fields so `agents.defaults.imageModel` can describe WebChat attachments instead of leaving only an opaque `media://inbound` marker. Fixes #72968. Thanks @vorajeeah.
-- Gateway/Windows: route no-listener restart handoffs through the Windows supervisor without leaving restart tokens in flight, so failed task scheduling can be retried and successful handoffs do not coalesce later restart requests. (#69056) Thanks @Thatgfsj.
-- Gateway/model pricing: skip plugin manifest discovery during background pricing refreshes when `plugins.enabled: false`, so disabled-plugin setups do not keep rebuilding plugin metadata from the Gateway hot path. Fixes #73291. Thanks @slideshow-dingo and @fishgills.
-- Ollama/thinking: validate `/think` commands against live Ollama catalog reasoning metadata, so models whose `/api/show` capabilities include `thinking` expose `low`, `medium`, `high`, and `max` instead of being stuck on `off`. Fixes #73366. Thanks @cymise.
-- Gateway/sessions: remove automatic oversized `sessions.json` rotation backups, deprecate `session.maintenance.rotateBytes`, and teach `openclaw doctor --fix` to remove the ignored key so hot session writes no longer copy multi-MB stores. Refs #72338. Thanks @midhunmonachan and @DougButdorf.
-- Channels/Telegram: fail fast when Telegram rejects the startup `getMe` token probe with 401, so invalid or stale BotFather tokens are reported as token auth failures instead of misleading `deleteWebhook` cleanup failures. Fixes #47674. Thanks @samaedan-arch.
-- ACPX: keep generated Codex and Claude ACP wrapper startup paths working when remote or special state filesystems reject chmod, since OpenClaw invokes the wrappers through Node instead of executing them directly. Fixes #73333. Thanks @david-garcia-garcia.
-- CLI/onboarding: infer image input for common custom-provider vision model IDs, ask only for unknown models, and keep `--custom-image-input`/`--custom-text-input` overrides so vision-capable proxies do not get saved as text-only configs. Fixes #51869. Thanks @Antsoldier1974.
-- Models/OpenAI Codex: stop listing or resolving unsupported `openai-codex/gpt-5.4-mini` rows through Codex OAuth, keep stale discovery rows suppressed with a clear API-key-route hint, and leave direct `openai/gpt-5.4-mini` available. Fixes #73242. Thanks @0xCyda.
-- Plugin SDK: restore the root `stringEnum` and `optionalStringEnum` exports on both the published SDK entry and runtime root-alias bridge, so older external plugins can keep building and loading while migrating to focused SDK subpaths. Fixes #68279. Thanks @marzliak.
-- Plugin SDK: restore the root-alias bridge for `registerContextEngine` and expose missing legacy compat helpers `normalizeAccountId` and `resolvePreferredOpenClawTmpDir` so older external plugins such as `openclaw-weixin` can keep loading while migrating to focused SDK subpaths. Fixes #53497. Thanks @alanxchen85.
-- Auth profiles: make `openclaw doctor --fix` migrate legacy flat `auth-profiles.json` files such as `{ "ollama-windows": { "apiKey": "ollama-local" } }` to canonical provider default API-key profiles with a backup, so custom Ollama/OpenAI-compatible providers recover cleanly after upgrading. Fixes #59629; supersedes #59642. Thanks @Xsanders555 and @Linux2010.
-- Memory/Dreaming: retry Dream Diary once with the session default when a configured dreaming model is unavailable, while leaving subagent trust and allowlist errors visible instead of silently masking configuration problems. Refs #67409 and #69209. Thanks @Ghiggins18 and @everySympathy.
-- Feishu/inbound files: recover CJK filenames from plain `Content-Disposition: filename=` download headers when Feishu exposes UTF-8 bytes through Latin-1 header decoding, while leaving valid Latin-1 and JSON-derived names unchanged. (#48578, #50435, #59431) Thanks @alex-xuweilong, @lishuaigit, and @DoChaoing.
-- Channels/Telegram: normalize accidental full `/bot<TOKEN>` Telegram `apiRoot` values at runtime and teach `openclaw doctor --fix` to remove the suffix, so startup control calls no longer 404 when direct Bot API curl commands work. Fixes #55387. Thanks @brendanmatthewjones-cmyk, @techfindubai-ux, and @Sivlerback-Chris.
-- Zalo Personal: persist refreshed `zca-js` session cookies after QR login, session restore, and successful API calls so gateway restarts restore the freshest local session. (#73277) Thanks @darkamenosa.
-- Logging/security: redact sensitive tokens (sk-\* keys, Bearer/Authorization values, etc.) at the subsystem console sink so `createSubsystemLogger().info/warn/error` output that bypasses the patched console-capture handler still applies the same redaction the file transport already does. Fixes #73284; refs #67953 and #64046. Thanks @edwin-rivera-dev.
-- Plugins/runtime deps: reuse enclosing versioned cache roots when bundled plugins resolve from nested staged paths, so plugin-runtime-deps no longer mints `openclaw-unknown-*` directories or loops on `ENOTEMPTY`. Fixes #72956. (#73205) Thanks @SymbolStar.
-- Agents/failover: classify CJK provider transport, quota, billing, auth, and overload error text so Chinese-language provider failures trigger fallback and user-facing transport copy instead of surfacing as unclassified raw errors. (#56242) Thanks @tomcatzh.
-- Agents/failover: seed non-claude-cli fallback prompts with Claude Code session context when a claude-cli attempt fails, so fallback models do not restart cold after billing or quota failover. (#72069) Thanks @stainlu.
+- Plugin SDK/Discord: restore a deprecated `openclaw/plugin-sdk/discord` compatibility facade and the legacy compat group-policy warning export for the published `@openclaw/discord@2026.3.13` package, covering its config, account, directory, status, and thread-binding imports while keeping new plugins on generic SDK subpaths. Fixes #73685; supersedes #73703. Thanks @rderickson9 and @SymbolStar.
+- Channels/Discord: suppress duplicate gateway monitors when multiple enabled accounts resolve to the same bot token, preferring config tokens over default env fallback and reporting skipped duplicates as disabled. Supersedes #73608. Thanks @kagura-agent.
+- Control UI/Talk: decode Google Live binary WebSocket JSON frames and stop queued browser audio on interruption or shutdown, so browser Talk leaves `Connecting Talk...` and barge-in no longer plays stale audio. Fixes #73601 and #73460; supersedes #73466. Thanks @Spolen23 and @WadydX.
+- Channels/Discord: ignore stale route-shaped conversation bindings after a Discord channel is reconfigured to another agent, while preserving explicit focus and subagent bindings. Fixes #73626. Thanks @ramitrkar-hash.
+- Agents/bootstrap: pass pending BOOTSTRAP.md contents through the first-run user prompt while keeping them out of privileged system context, and show limited bootstrap guidance when workspace file access is unavailable. Fixes #73622. Thanks @mark1010.
+- ACP/tasks: classify parent-owned ACP sessions as background work regardless of persistent runtime mode, and close terminal stale ACP sessions when no active binding remains, so delegated ACP output reports through the parent task notifier instead of acting like a normal foreground chat session. Refs #73609. Thanks @joerod26.
+- Tasks: keep terminal mirrored TaskFlow timestamps pinned to task completion time and let maintenance repair stale mirrors, so ACP terminal delivery updates no longer leave inconsistent flow audits. Refs #73609. Thanks @joerod26.
+- Gateway/sessions: add conservative stuck-session recovery that releases only stale session lanes while active embedded runs, reply operations, and lane tasks remain serialized, so queued follow-ups can drain without aborting legitimate long-running turns. Refs #73581, #73655, #73652, #73705, #73647, #73602, #73592, and #73601. Thanks @WS-Q0758, @bryangauvin, @spenceryang1996-dot, @bmilne1981, @mattmcintyre, @Vksh07, and @Spolen23.
+- Plugins: cache unchanged plugin manifest loads by file signature, reducing repeated JSON/JSON5 parsing and manifest normalization in bursty startup and runtime registry paths. Refs #73532 and #73647; carries forward #73678. Thanks @TheDutchRuler.
+- Plugins/runtime-deps: cache unchanged bundled runtime mirror dist-file materialization decisions and close file-lock handles on owner-write failures, reducing repeated startup chunk scans and avoiding FileHandle-GC recovery stalls. Refs #73532. Thanks @oadiazp and @bstanbury.
+- CLI/TUI: keep `chat.history` off model-catalog discovery so initial Gateway-backed TUI history loads cannot block behind slow provider/plugin model scans on low-core hosts. Refs #73524. Thanks @harshcatsystems-collab.
+- Channels/WhatsApp: flag recently reconnected linked accounts in channel status even when the socket is currently healthy, so flapping WhatsApp Web sessions no longer look clean after a brief reconnect. Refs #73602. Thanks @Vksh07.
+- Gateway: expose `gateway.handshakeTimeoutMs` in config, schema, and docs while preserving `OPENCLAW_HANDSHAKE_TIMEOUT_MS` precedence, so loaded or low-powered hosts can tune local WebSocket pre-auth handshakes without patching dist files. Supersedes #51282; refs #73592 and #73652. Thanks @henry-the-frog.
+- Agents/model selection: resolve slash-form aliases before provider/model parsing and keep alias-resolved primary models subject to transient provider cooldowns, so cron and persisted sessions do not retry cooled-down raw aliases. Fixes #73573 and #73657. Thanks @akai-shuuichi and @hashslingers.
+- Agents/Claude CLI: reuse already-cached macOS Keychain credentials for no-prompt Claude credential reads, so doctor/runtime checks do not miss fresh interactive Claude auth. Fixes #73682. Thanks @RyanSandoval.
+- Agents/transcripts: strip empty assistant text blocks while preserving valid text, images, and signatures, so Anthropic-style providers no longer reject sanitized transcript turns. Fixes #73640. Thanks @jowhee327.
+- Providers/Bedrock: omit deprecated `temperature` for Claude Opus 4.7 Bedrock model ids, named and application inference profiles, including dotted `opus-4.7` refs, and classify the nested validation response for failover. Fixes #73663. Thanks @bstanbury.
+- Gateway: raise the preauth/connect-challenge timeout to 15s so cold CLI starts on slower hosts have more time to process the WebSocket challenge before the Gateway closes the connection. Fixes #51469; refs #73592 and #62060. Thanks @GothicFox and @jackychen-png.
+- CLI/status: fall back to a bounded local `status` RPC when loopback detail probes time out or report unknown capability, so reachable local gateways are no longer marked unreachable by slow read diagnostics. Fixes #73535; refs #48360, #62762, #51357, and #42019. Thanks @RacecarGuy, @justinschille, @DJBlackhawk, @tianyaqpzm, and @0xrsydn.
+- CLI/gateway: reuse cached paired-device auth during `gateway probe` and report post-connect diagnostic failures as degraded reachability, so healthy local gateways are no longer marked unreachable after loopback auth or read timeouts. Fixes #48360. Thanks @RacecarGuy.
+- Channels/Discord: give Discord Gateway WebSocket handshakes a 30s timeout so stalled TLS/network transitions emit an error and Carbon can continue its reconnect loop instead of leaving the bot silent until restart. Refs #50046. Thanks @codexGW.
+- NVIDIA/NIM: persist the `NVIDIA_API_KEY` provider marker and mark bundled NVIDIA Chat Completions models as string-content compatible, so NIM models load from `models.json` and OpenAI-compatible subagent calls send plain text content. Fixes #73013 and #50107; refs #73014. Thanks @bautrey, @iot2edge, @ifearghal, and @futhgar.
+- Channels/Discord: let text-only configs drop the `GuildVoiceStates` gateway intent and expose a bounded `/gateway/bot` metadata timeout with rate-limited fallback logs, reducing idle CPU and warning floods. Fixes #73709 and #73585. Thanks @sanchezm86 and @trac3r00.
+- Agents/sessions: mark same-turn `sessions_send` and A2A reply prompts with an inter-session `isUser=false` envelope before they reach the model, so foreign session output no longer lands as bare active user text. Fixes #73702; refs #73698, #73609, #73595, and #73622. Thanks @alvelda.
+- Outbound/security: strip known internal runtime scaffolding such as `<system-reminder>` and `<previous_response>` at the final channel delivery boundary and keep Discord output on targeted tag stripping, so degraded harness replies cannot leak those tags to users. Fixes #73595. Thanks @gabrielexito-stack and @martingarramon.
+- CLI/plugins: use plugin metadata snapshots for install slot selection and add opt-in plugin lifecycle timing traces, so plugin install avoids runtime-loading the plugin registry for metadata-only decisions. Thanks @shakkernerd.
+- fix(plugins): restrict bundled plugin dir resolution to trusted package roots. (#73275) Thanks @pgondhi987.
+- fix(security): prevent workspace PATH injection via service env and trash helpers. (#73264) Thanks @pgondhi987.
+- Active Memory: allow `allowedChatTypes` to include explicit portal/webchat sessions and classify `agent:...:explicit:...` session keys before opaque session ids can shadow the chat type. Fixes #65775. (#66285) Thanks @Lidang-Jiang.
+- Active Memory: allow the hidden recall sub-agent to use both `memory_recall` and the legacy `memory_search`/`memory_get` memory tool contract, so bundled `memory-lancedb` recall works without breaking the default `memory-core` path. Fixes #73502. (#73584) Thanks @Takhoffman.
+- fix(device-pairing): validate callerScopes against resolved token scopes on repair [AI]. (#72925) Thanks @pgondhi987.
+- Active Memory docs: document the `cacheTtlMs` 1000-120000 ms range and 15000 ms default so setup snippets do not lead users past the schema limit. Fixes #65708. (#65737) Thanks @WuKongAI-CMU.
+- fix(agents): canonicalize provider aliases in byProvider tool policy lookup [AI]. (#72917) Thanks @pgondhi987.
+- fix(security): block npm_execpath injection from workspace .env [AI-assisted]. (#73262) Thanks @pgondhi987.
+- Tools/web_fetch: decode response bodies from raw bytes using declared HTTP, XML, or HTML meta charsets before extraction, so Shift_JIS and other legacy-charset pages no longer return mojibake. Fixes #72916. Thanks @amknight.
+- Active Memory: skip payload-less `memory_search` transcript tool results when building debug telemetry, so newer empty entries no longer hide the latest useful debug payload. (#68773) Thanks @SimbaKingjoe.
+- Active Memory: keep recall setup time from consuming the configured model timeout while giving the hook runner an explicit bounded budget for the plugin, so slow embedded-run setup no longer causes immediate recall timeouts. Fixes #72606. (#72620) Thanks @hyspacex.
+- Channels/Discord: bound message read/search REST calls, route those actions through Gateway execution, and fall back to `CommandTargetSessionKey` for inbound hook session keys so Discord reads do not hang and hooks still fire when `SessionKey` is empty. Fixes #73431. (#73521) Thanks @amknight.
+- Plugins/media: auto-enable provider plugins referenced by `agents.defaults.imageGenerationModel`, `videoGenerationModel`, and `musicGenerationModel` primary/fallback refs, so configured Google and MiniMax media providers do not stay disabled behind a restrictive plugin allowlist. Thanks @vincentkoc.
+- Memory-core/dreaming: retry managed dreaming cron registration after startup when the cron service is not reachable yet, so the scheduled Memory Dreaming Promotion sweep recovers without waiting for heartbeat traffic. Fixes #72841. Thanks @amknight.
+- Acpx/runtime: validate the runtime session mode at the `AcpxRuntime.ensureSession` wrapper boundary so callers that pass anything other than `persistent` or `oneshot` get a clear `ACP_INVALID_RUNTIME_OPTION` error instead of silently round-tripping through the encoded handle as a default `persistent` mode and later throwing `SessionResumeRequiredError`. Investigation context: #73071. (#73548) Thanks @amknight.
+- CLI/infer: keep web-search fallback on missing provider API keys, preserve structured validation errors from the selected provider, and let per-request image describe prompts override configured media-entry prompts. (#63263) Thanks @Spolen23.
+- Chat commands: include configured model-catalog reasoning metadata when building `/think` argument menus so Ollama Cloud and other provider-owned reasoning models show supported levels instead of only `off`. Fixes #73515; supersedes #73568. Thanks @danielzinhu99 and @neeravmakwana.
+- Channels/Telegram: suppress generic tool-progress chatter when preview streaming is off, so non-streaming Telegram turns only deliver final replies while approvals, media, and errors still route normally. Refs #72363 and #72482. Thanks @neeravmakwana and @SweetSophia.
+- CLI/model probes: add repeatable image `--file` inputs to `infer model run` for local and gateway multimodal model smokes, so vision models such as Ollama Qwen VL and Gemini can be tested through the raw model-probe surface. Fixes #63700. Thanks @cedricjanssens.
+- CLI/model probes: request trusted operator scope for `infer model run --gateway --model <provider/model>` so Gateway raw model smokes can use one-off provider/model overrides instead of being rejected before provider auth resolution. Fixes #73759. Thanks @chrislro.
+- CLI/image describe: pass `--prompt` and `--timeout-ms` through `infer image describe` and `describe-many`, so custom vision instructions and slow local model budgets reach media-understanding providers such as Ollama, OpenAI, Google, and OpenRouter. Refs #63700. Thanks @cedricjanssens.
+- Model selection: include the rejected provider/model ref and allowlist recovery hint when a stored session override is cleared, so local model selections such as Gemma GGUF variants do not fall back to the default with a generic message. Refs #71069. Thanks @CyberRaccoonTeam.
+- WhatsApp/Web: pass explicit Baileys socket timings into every WhatsApp Web socket and expose `web.whatsapp.*` keepalive, connect, and query timeout settings so unstable networks can avoid repeated 408 disconnect and opening-handshake timeout loops. Fixes #56365. (#73580) Thanks @velvet-shark.
+- Channels/Telegram: persist native command metadata on target sessions so topic, helper, and ACP-bound slash commands keep their session metadata attached to the routed conversation. (#57548) Thanks @GaosCode.
+- Channels/native commands: keep validated native slash command replies visible in group chats while preserving explicit owner allowlists for command authorization. (#73672) Thanks @obviyus.
+- Pairing/doctor: bootstrap `commands.ownerAllowFrom` from the first approved DM pairing when no command owner exists, and have doctor explain missing owners so privileged slash commands are not accidentally unusable after onboarding. Thanks @pashpashpash.
+- Telegram/exec: infer native exec approvers from `commands.ownerAllowFrom` and auto-enable the Telegram approval client when an owner is resolvable, so owner-only commands such as `/diagnostics` can be approved in Telegram without duplicate per-channel approver config. Thanks @pashpashpash.
+- Auto-reply/session: carry the tail of user/assistant turns into the freshly-rotated transcript on silent in-reply session resets (compaction failure, role-ordering conflict) so direct-chat continuity survives the rebind. Fixes #70853. (#70898) Thanks @neeravmakwana.
+- Config: skip malformed non-string `env.vars` entries before env-reference checks, so config loading no longer crashes on JSON values like numbers or booleans. (#42402) Thanks @MiltonHeYan.
 
 ## 2026.4.27
 
 ### Changes
 
+- Sandbox/Docker: add opt-in `sandbox.docker.gpus` passthrough for Docker sandbox containers so local GPU workloads can run inside sandboxed agents when the host Docker runtime supports `--gpus`. Fixes #57976; carries forward #58124. Thanks @cyan-ember.
+- iOS/Gateway: add an authenticated `node.presence.alive` protocol event and `node.list` last-seen fields so background iOS wakes can mark paired nodes recently alive without treating them as connected. Carries forward #63123. Thanks @ngutman.
+- Android: publish authenticated `node.presence.alive` events after node connect and background transitions so paired Android nodes retain durable last-seen metadata after disconnects. Carries forward #63123. Thanks @ngutman.
+- Gateway/chat: accept non-image attachments through `chat.send` by staging them as agent-readable media paths, while keeping unsupported RPC attachment paths explicit instead of silently dropping files. Fixes #48123. (#67572) Thanks @samzong.
+- Security/networking: add opt-in operator-managed outbound proxy routing (proxy.enabled + proxy.proxyUrl/OPENCLAW_PROXY_URL) with strict http:// forward-proxy validation, loopback-only Gateway bypass, and cleanup of proxy env/dispatcher state on exit. (#70044) Thanks @jesse-merhi and @joshavant.
 - Dependencies: refresh provider and tooling dependencies, including AWS SDK, PI runtime packages, AJV, Feishu SDK, Anthropic SDK, tokenjuice, and native TypeScript/oxlint tooling. Thanks @dependabot.
 - Matrix/QA: add live Matrix approval scenarios for exec metadata, chunked fallback, plugin approvals, deny reactions, thread targeting, and `target: "both"` delivery, with redacted artifacts preserving safe approval summaries. Thanks @gumadeiras.
+- Diagnostics/Codex: add owner-only core `/diagnostics` with a sensitive-data preamble, docs link, and explicit Gateway export approval guidance; Codex harness sessions also ask before uploading Codex feedback for the attached thread and print the matching `codex resume <thread-id>` inspection command after confirmed upload. Thanks @pashpashpash.
+- Trajectory export: route `/export-trajectory` through per-run exec approval, send group-chat approval prompts and export results only to the owner privately, and add `openclaw sessions export-trajectory` for the approved command path. Thanks @pashpashpash.
 - Codex: add Computer Use setup for Codex-mode agents, including `/codex computer-use status/install`, marketplace discovery, optional auto-install, and fail-closed MCP server checks before Codex-mode turns start. Fixes #72094. (#71842) Thanks @pash-openai.
 - Apps: consume Peekaboo 3.0.0-beta4 and ElevenLabsKit 0.1.1, align Swabble on Commander 0.2.2, and refresh macOS/iOS SwiftPM resolutions against the released dependency graph. Thanks @Blaizzy.
 - Plugin SDK: expose shared channel route normalization, parser-driven target resolution, raw-target compact keys, parsed-target types, and route comparison helpers through `openclaw/plugin-sdk/channel-route`, switch native approval origin matching onto that route contract with optional delivery and match-only target normalization, and retire the internal channel-route shim behind dated compatibility aliases for legacy key/comparable-target helpers. Thanks @vincentkoc.
@@ -92,6 +120,90 @@ Docs: https://docs.openclaw.ai
 
 ### Fixes
 
+- BlueBubbles: tighten DM-vs-group routing across the outbound session route (`chat_guid:iMessage;-;...` DMs no longer classified as groups), reaction handling (drop group reactions that arrive without any chat identifier instead of synthesizing a `"group"` literal peerId), inbound `chatGuid` fallback (no longer fall back to the sender's DM chatGuid when resolving a group whose webhook omits chatGuid+chatId+chatIdentifier), and short message id resolution (carry caller chat context so a numeric short id reused after a long group conversation cannot silently resolve to a message in a different chat, with the same cross-chat guard applied to full GUIDs so retries cannot bypass it). Thanks @zqchris.
+- Agents/approvals: fail restart-interrupted sessions whose transcript tail is still `approval-pending` instead of replaying stale exec approval IDs into the new Gateway process after restart. Fixes #65486. Thanks @mjmai20682068-create.
+- CLI/Gateway: use method-specific least-privilege scopes for classified CLI Gateway calls while preserving legacy broad scopes for unclassified plugin methods, so read-only commands no longer create admin/write/pairing scope-upgrade prompts. Fixes #68634. Thanks @nightmusher.
+- Gateway/sessions: align `chat.history` and `sessions.list` thinking defaults with owning-agent and catalog-aware resolution so Control UI session defaults match backend runtime state. (#63418) Thanks @jpreagan.
+- Devices/pairing: recover array-shaped device and node pairing state files before persisting approvals, so UUID-keyed pending and paired entries no longer disappear after a malformed JSON store write. Fixes #63035. Thanks @sar618.
+- Gateway/auth: clear reused stale device tokens and stop reconnecting on device-token mismatch in the Control UI and Node gateway clients, avoiding rate-limit loops after scope-upgrade or token-rotation handoffs. Fixes #71609. Thanks @ricksayhi.
+- Gateway/approvals: treat duplicate same-decision approval resolves as idempotent during the resolved-entry grace window, including consumed `allow-once` approvals, while returning an explicit already-resolved error for conflicting repeats. Fixes #59162; refs #58479 and #65486. Thanks @wikithoughts, @sajazuniga7-coder, and @mjmai20682068-create.
+- Channels/Telegram: honor `approvals.exec/plugin.targets[].accountId` when routing native approvals across multi-bot Telegram accounts while preserving unscoped Telegram targets for any account. Fixes #69916. Thanks @joerod26.
+- Agents/exec: omit the internal session-resume fallback preface from successful async exec completion messages sent directly back to chat. Fixes #67181. Thanks @raistlin88.
+- Agents/media: register detached `video_generate` and `music_generate` tool run contexts until terminal status, so Discord-backed provider jobs stay live in `/tasks` instead of becoming `lost` when the parent chat run context disappears. Thanks @vincentkoc.
+- Agents/media: prefer OpenAI image and video providers when the default model uses the OpenAI Codex auth alias, so auto media generation no longer falls through to Fal before GPT Image or Sora. Thanks @vincentkoc.
+- Tasks/media: infer agent ownership for session-scoped task records so `/tasks` agent-local fallback includes session-backed `video_generate` and other async media jobs even when the current chat session has no linked rows. Thanks @vincentkoc.
+- Agents/media: keep long-running `video_generate` and `music_generate` tasks fresh while provider jobs are still pending, so task maintenance does not mark active Discord media renders lost before completion. Thanks @vincentkoc.
+- CLI/status: treat scope-limited gateway probes as reachable-but-degraded in shared status scans, so `openclaw status --all` no longer reports a live gateway as unreachable after `missing scope: operator.read`. Fixes #49180; supersedes #47981. Thanks @openjay.
+- Slack/Socket Mode: use a 15s Slack SDK pong timeout by default and add `channels.slack.socketMode.clientPingTimeout`, `serverPingTimeout`, and `pingPongLoggingEnabled` overrides so stale-websocket handling no longer depends on app-event health heuristics. Fixes #14248; refs #58519, #64009, and #63488. Thanks @shivasymbl and @freerk.
+- Slack/media: bound private file and forwarded attachment downloads with idle and total timeouts while preserving placeholder fallback, so stalled Slack `file_share` media no longer wedges inbound message handling. Fixes #61850. Thanks @bassboy2k.
+- Plugins/inspector: keep bundled plugin runtime capture quiet and config-tolerant for Codex, memory-lancedb, Feishu, Mattermost, QQBot, and Tlon so plugin-inspector JSON checks can validate the full bundled set. Thanks @vincentkoc.
+- Slack/auto-reply: keep fully consumed text reset triggers such as `new session` out of `BodyForAgent` after directive cleanup, so configured Slack reset phrases do not leak into the fresh model turn. Fixes #73137. Thanks @neeravmakwana.
+- Plugins/runtime deps: prune stale retained bundled runtime deps and keep doctor/secret channel contract scans on lightweight artifacts, so disabled bundled channels stop preserving old dependency trees or importing heavy plugin surfaces. Thanks @SymbolStar and @vincentkoc.
+- Auto-reply: bound the post-run pending tool-result delivery drain with a progress-aware idle timeout, so a never-settling tool-result task no longer leaves the session active forever while slow healthy deliveries can keep draining. Fixes #53889; supersedes #64733 and #73434. Thanks @zijunl and @wujiaming88.
+- Gateway/startup: start chat channels without waiting for primary model prewarm, keeping model warmup bounded in the background so Slack and other channels come online promptly when provider discovery is slow. Supersedes #73420. Thanks @dorukardahan.
+- Gateway/install: carry env-backed config SecretRefs such as `channels.discord.token` into generated service environments when they are present only in the installing shell, while keeping gateway auth SecretRefs non-persisted. Fixes #67817; supersedes #73426. Thanks @wdimaculangan and @ztexydt-cqh.
+- Auto-reply/commands: stop bare `/reset` and `/new` after reset hooks acknowledge the command, so non-ACP channels no longer fall through into empty provider calls while `/reset <message>` and `/new <message>` still seed the next model turn. Fixes #73367 and #73412. Thanks @hoyanhan, @wenxu007, and @amdhelper.
+- Providers/DeepSeek: backfill DeepSeek V4 `reasoning_content` on plain assistant replay messages as well as tool-call turns, so thinking sessions with prior tool use no longer fail follow-up requests with missing reasoning content. Fixes #73417; refs #71372. Thanks @34262315716 and @Bartok9.
+- Agents/gateway tool: strip full config payloads from `config.patch` and `config.apply` tool responses while preserving direct RPC responses, so config-heavy sessions no longer replay large redacted configs into transcript history. Fixes #47610; supersedes #73439. Thanks @HanenVit and @juan-flores077.
+- Auto-reply: preserve voice-note media from silent turns while continuing to suppress text and non-voice media, so `NO_REPLY` TTS replies still deliver the requested audio bubble. (#73406) Thanks @zqchris.
+- Channels/Mattermost: stop enqueueing regular inbound posts as system events, so Mattermost user messages reach the model only as user-role inbound-envelope content instead of also appearing as `System: Mattermost message...` directives. Fixes #71795. Thanks @juan-flores077.
+- Agents/media: qualify bare `agents.defaults.imageModel` and `pdfModel` refs from unique configured image-capable providers, so Ollama vision models such as `moondream` and `qwen2.5vl:7b` do not fall through to the default provider. Fixes #38816; supersedes #73396. Thanks @alainasclaw and @vincentkoc.
+- Agents/Anthropic: send implicit Anthropic beta headers only to direct public Anthropic endpoints, including OAuth, so custom Anthropic-compatible providers no longer mis-handle unsupported beta flags unless explicitly configured. Refs #73346. Thanks @byBrodowski.
+- Skills: require explicit `skills.entries.coding-agent.enabled` before exposing the bundled coding-agent skill, so installs with Codex on PATH but no OpenAI auth do not silently offer Codex delegation. Fixes #73358. Thanks @LaFleurAdvertising and @Sanjays2402.
+- Plugins/startup: treat manifestless Claude bundles as valid installed-plugin registry entries instead of stale missing manifests, so workspace bundles no longer force repeated derived registry rebuilds or noisy `plugins.entries.workspace` warnings during Gateway startup. Fixes #73433. Thanks @AnneVoss.
+- Agents/subagents: preserve `sessions_yield` as a paused subagent state and ignore its wait text while freezing completion output, so parent sessions wait for the final post-compaction answer instead of receiving intermediate progress or `(no output)`. Fixes #73413. Thanks @Ask-sola.
+- Plugins/startup: precompute bundled runtime mirror fingerprints before taking the mirror lock and keep Docker bundled plugin runtime deps/mirrors in a Docker-managed volume instead of the Windows/WSL config bind mount, so cold starts avoid slow host-volume mirror writes. Fixes #73339. Thanks @1yihui.
+- Plugins/runtime deps: refresh bundled runtime mirrors without deleting active import trees, so config-triggered restarts do not see transient missing plugin files during registration. Thanks @shakkernerd.
+- Channels/LINE: persist inbound image, video, audio, and file downloads in `~/.openclaw/media/inbound/` instead of temporary files so agents can still read LINE media after `/tmp` cleanup. Fixes #73370. Thanks @hijirii and @wenxu007.
+- CLI/plugins: keep bundled plugin installs out of `plugins.load.paths` while preserving install records, so install/inspect/doctor loops no longer warn about the current bundled plugin directory. Thanks @vincentkoc.
+- CLI/plugins: scope `plugins inspect <id>` runtime loading to the matched plugin so single-plugin inspection does not load every plugin before checking the target. Thanks @shakkernerd.
+- CLI/plugins: remove managed copied-path plugin directories during uninstall and plan uninstall from metadata instead of runtime-loading plugins, so plugin lifecycle commands avoid unnecessary bundled runtime-deps work. Thanks @shakkernerd.
+- Cron tool: infer the creating session's agentId for `cron.add` jobs when `agentId` is omitted or passed as undefined, keeping scheduled agentTurn jobs routed to the session agent; #40571 identified the guard bug and supplied the focused regression coverage. Thanks @ChanningYul.
+- Cron/Telegram: add `--thread-id` to `openclaw cron add` and `openclaw cron edit`, preserving Telegram forum topic delivery targets across scheduled announcements. Carries forward #51581, #60373, and #60890. Thanks @ChunHao-dev.
+- Cron/Telegram: preserve session-derived Telegram topic thread IDs when isolated cron delivery explicitly targets the parent chat, keeping bare chat targets in the active forum topic without leaking stale topics to other chats. Carries forward #64708. Thanks @addelh.
+- Memory/compaction: keep pre-compaction memory-flush prompts runtime-only so session transcripts and `chat.history` no longer expose them as normal user turns. Fixes #54408 and #58956; refs #43567. Thanks @markgong and @guoyuhang9.
+- Control UI/WebChat: keep large attachment payloads out of Lit state and optimistic chat messages, using object URL previews plus send-time payload serialization so PDF/image uploads no longer trigger `RangeError: Maximum call stack size exceeded`. Fixes #73360; refs #54378 and #63432. Thanks @hejunhui-73, @Ansub, and @christianhernandez3-afk.
+- Agents/Anthropic: cancel stalled Anthropic Messages SSE body reads when abort signals fire, so active-memory timeouts release transport resources instead of leaving hidden recall runs parked on `reader.read()`. Refs #72965 and #73120. Thanks @wdeveloper16.
+- Control UI/WebChat: keep pending run and typing state attached to the active client run, so unowned inject/announce/side-result finals no longer unlock unrelated active runs while completed owned runs still clear promptly. Fixes #57795; carries forward the narrow diagnosis from #57887. Thanks @haoyu-haoyu.
+- Sandbox/Docker: stop satisfying a missing default sandbox image by tagging plain Debian as `openclaw-sandbox:bookworm-slim`, preserving the Python tooling required by sandbox write/edit helpers and directing users to build the default image. Fixes #51185; refs #45108, #51099, #51609, and #57713. Thanks @dpalis, @Tin55FoilDev, @jbcohen2-coder, @macminihal-cyber, and @PraxoOnline.
+- Control UI/WebChat: confirm toolbar New Session button resets before dispatching `/new` while leaving typed `/new` and `/reset` commands immediate. Fixes #45800; refs #27065, #56611, #54499, and #27110. Thanks @aethnova, @kosta228-huli, @adambezemek, and @xss925175263 (xianshishan).
+- Agents/models: keep per-agent primary models strict when `fallbacks` is omitted, so probe-only custom providers are not tried as hidden fallback candidates unless the agent explicitly opts in. Fixes #73332. Thanks @haumanto.
+- Gateway/models: add `models.pricing.enabled` so offline or restricted-network installs can skip startup OpenRouter and LiteLLM pricing-catalog fetches while keeping explicit model costs working. Fixes #53639. Thanks @callebtc, @palewire, and @rjdjohnston.
+- Gateway/startup: warn when legacy `CLAWDBOT_*` or `MOLTBOT_*` environment variables are still present, pointing users to `OPENCLAW_*` names instead of failing silently. Fixes #53482; carries forward #53667. Thanks @lndyzwdxhs.
+- Onboarding: pin interactive and non-interactive health checks to the just-configured setup token/password so stale `OPENCLAW_GATEWAY_TOKEN` or `OPENCLAW_GATEWAY_PASSWORD` values do not produce false gateway-token-mismatch failures after setup. Fixes #72203. Thanks @galiniliev.
+- Doctor/state: require an interactive confirmation before archiving orphan transcript files, so `openclaw doctor --fix` no longer silently renames recoverable session history after upgrades regenerate `sessions.json`. Fixes #73106. Thanks @scottgl9.
+- Cron/Telegram: preserve explicit `:topic:` delivery targets over stale session-derived thread IDs when isolated cron announces to Telegram forum topics. Carries forward #59069; refs #49704 and #43808. Thanks @roytong9.
+- Build/runtime: write the runtime-postbuild stamp after `pnpm build` writes the build stamp, so the next CLI invocation does not re-sync runtime artifacts after a successful build. Fixes #73151. Thanks @bittoby.
+- Build/runtime: preserve staged bundled-plugin runtime dependency caches across source-checkout tsdown rebuilds, so local CLI and gateway-watch rebuilds no longer recreate large plugin dependency trees before starting. Refs #73205. Thanks @SymbolStar.
+- CLI/channels: list configured chat channel accounts from read-only setup metadata even when the standalone CLI has not loaded the runtime channel registry, so `openclaw channels list` shows Telegram accounts before auth providers. Fixes #73319 and #73322. Thanks @mlaihk.
+- CLI/model probes: keep `infer model run --gateway` raw by skipping prior session transcript, bootstrap context, context-engine assembly, tools, and bundled MCP servers, so local backends can be tested without full agent-context overhead. Fixes #73308. Thanks @ScientificProgrammer.
+- CLI/image describe: pass `--prompt` and `--timeout-ms` through `infer image describe` and `describe-many`, so custom vision instructions and slow local model budgets reach media-understanding providers such as Ollama, OpenAI, Google, and OpenRouter. Addresses #63700. Thanks @cedricjanssens.
+- Providers/Ollama: reject long non-linguistic Kimi/GLM symbol runs as provider failures instead of storing them as successful visible assistant replies, so fallback or error handling can recover from garbled cloud output. Fixes #64262; refs #67019. Thanks @Kloz813 and @xiaomenger123.
+- CLI/model probes: reject empty or whitespace-only `infer model run --prompt` values before calling local providers or the Gateway, so smoke checks do not spend provider calls on invalid turns. Fixes #73185. Thanks @iot2edge.
+- Gateway/media: route text-only `chat.send` image offloads through media-understanding fields so `agents.defaults.imageModel` can describe WebChat attachments instead of leaving only an opaque `media://inbound` marker. Fixes #72968. Thanks @vorajeeah.
+- Gateway/Windows: route no-listener restart handoffs through the Windows supervisor without leaving restart tokens in flight, so failed task scheduling can be retried and successful handoffs do not coalesce later restart requests. (#69056) Thanks @Thatgfsj.
+- Gateway/model pricing: skip plugin manifest discovery during background pricing refreshes when `plugins.enabled: false`, so disabled-plugin setups do not keep rebuilding plugin metadata from the Gateway hot path. Fixes #73291. Thanks @slideshow-dingo and @fishgills.
+- Ollama/thinking: validate `/think` commands against live Ollama catalog reasoning metadata and preserve explicit native `params.think`/`params.thinking`, so models whose `/api/show` capabilities include `thinking` expose `low`, `medium`, `high`, and `max` instead of being stuck on `off`. Fixes #73366. Thanks @cymise.
+- Gateway/sessions: remove automatic oversized `sessions.json` rotation backups, deprecate `session.maintenance.rotateBytes`, and teach `openclaw doctor --fix` to remove the ignored key so hot session writes no longer copy multi-MB stores. Refs #72338. Thanks @midhunmonachan and @DougButdorf.
+- Channels/Telegram: fail fast when Telegram rejects the startup `getMe` token probe with 401, so invalid or stale BotFather tokens are reported as token auth failures instead of misleading `deleteWebhook` cleanup failures. Fixes #47674. Thanks @samaedan-arch.
+- ACPX: keep generated Codex and Claude ACP wrapper startup paths working when remote or special state filesystems reject chmod, since OpenClaw invokes the wrappers through Node instead of executing them directly. Fixes #73333. Thanks @david-garcia-garcia.
+- CLI/onboarding: infer image input for common custom-provider vision model IDs, ask only for unknown models, and keep `--custom-image-input`/`--custom-text-input` overrides so vision-capable proxies do not get saved as text-only configs. Fixes #51869. Thanks @Antsoldier1974.
+- Models/OpenAI Codex: stop listing or resolving unsupported `openai-codex/gpt-5.4-mini` rows through Codex OAuth, keep stale discovery rows suppressed with a clear API-key-route hint, and leave direct `openai/gpt-5.4-mini` available. Fixes #73242. Thanks @0xCyda.
+- Plugin SDK: restore the root `stringEnum` and `optionalStringEnum` exports on both the published SDK entry and runtime root-alias bridge, so older external plugins can keep building and loading while migrating to focused SDK subpaths. Fixes #68279. Thanks @marzliak.
+- Plugin SDK: restore the root-alias bridge for `registerContextEngine` and expose missing legacy compat helpers `normalizeAccountId` and `resolvePreferredOpenClawTmpDir` so older external plugins such as `openclaw-weixin` can keep loading while migrating to focused SDK subpaths. Fixes #53497. Thanks @alanxchen85.
+- Auth profiles: make `openclaw doctor --fix` migrate legacy flat `auth-profiles.json` files such as `{ "ollama-windows": { "apiKey": "ollama-local" } }` to canonical provider default API-key profiles with a backup, so custom Ollama/OpenAI-compatible providers recover cleanly after upgrading. Fixes #59629; supersedes #59642. Thanks @Xsanders555 and @Linux2010.
+- Memory/Dreaming: retry Dream Diary once with the session default when a configured dreaming model is unavailable, while leaving subagent trust and allowlist errors visible instead of silently masking configuration problems. Refs #67409 and #69209. Thanks @Ghiggins18 and @everySympathy.
+- Feishu/inbound files: recover CJK filenames from plain `Content-Disposition: filename=` download headers when Feishu exposes UTF-8 bytes through Latin-1 header decoding, while leaving valid Latin-1 and JSON-derived names unchanged. (#48578, #50435, #59431) Thanks @alex-xuweilong, @lishuaigit, and @DoChaoing.
+- Channels/Telegram: normalize accidental full `/bot<TOKEN>` Telegram `apiRoot` values at runtime and teach `openclaw doctor --fix` to remove the suffix, so startup control calls no longer 404 when direct Bot API curl commands work. Fixes #55387. Thanks @brendanmatthewjones-cmyk, @techfindubai-ux, and @Sivlerback-Chris.
+- Zalo Personal: persist refreshed `zca-js` session cookies after QR login, session restore, and successful API calls so gateway restarts restore the freshest local session. (#73277) Thanks @darkamenosa.
+- Logging/security: redact sensitive tokens (sk-\* keys, Bearer/Authorization values, etc.) at the subsystem console sink so `createSubsystemLogger().info/warn/error` output that bypasses the patched console-capture handler still applies the same redaction the file transport already does. Fixes #73284; refs #67953 and #64046. Thanks @edwin-rivera-dev.
+- Plugins/runtime deps: reuse enclosing versioned cache roots when bundled plugins resolve from nested staged paths, so plugin-runtime-deps no longer mints `openclaw-unknown-*` directories or loops on `ENOTEMPTY`. Fixes #72956. (#73205) Thanks @SymbolStar.
+- Agents/failover: classify CJK provider transport, quota, billing, auth, and overload error text so Chinese-language provider failures trigger fallback and user-facing transport copy instead of surfacing as unclassified raw errors. (#56242) Thanks @tomcatzh.
+- Agents/failover: seed non-claude-cli fallback prompts with Claude Code session context when a claude-cli attempt fails, so fallback models do not restart cold after billing or quota failover. (#72069) Thanks @stainlu.
+- Agents/CLI runner: transfer bundle-MCP tempDir cleanup from the per-turn runner finally to the Claude live-session lifecycle, so persistent Claude CLI sessions keep their `--mcp-config` directory until the live subprocess closes. Fixes #73244. Thanks @edwin-rivera-dev.
+- Gateway/nodes: allow Windows companion nodes to use safe declared commands such as canvas, camera list, location, device info, and screen snapshot by default while keeping dangerous media commands opt-in. (#71884) Thanks @shanselman.
+- Agents/cron: clarify agent-tool and CLI cron timezone guidance so supplied `tz` values use local wall-clock cron fields and omitted cron `tz` falls back to the Gateway host local timezone. Fixes #53669; carries forward #46177. (#73372) Thanks @chen-zhang-cs-code and @maranello-o.
+- Providers/Qwen: allow explicitly configured `qwen/qwen3.6-plus` to resolve on Qwen Coding Plan endpoints while keeping the built-in catalog from advertising it there. Fixes #63654; carries forward #63987. Thanks @jepson-liu.
 - Channels/Telegram: keep Bot API network fallbacks sticky after failed attempts and retry timed-out startup control calls once on the fallback route, so `deleteWebhook` IPv6 stalls no longer trigger slow multi-account retry storms. Fixes #73255. Thanks @ttomiczek and @sktbrd.
 - Gateway/agents: accept heartbeat, cron, and webhook as internal channel hints for agent runs so `sessions_spawn` works from non-delivery parent sessions while unknown channel hints still fail closed. Fixes #73237. Thanks @KeWang0622.
 - Gateway/models: merge explicit `models.providers.*.models` rows into the Gateway model catalog with normalized provider/model dedupe, and use normalized image-capability lookup so custom vision models keep native image attachments even when Pi discovery omits them or model ID casing differs. Fixes #64213 and #65165. Thanks @billonese and @202233a.
@@ -246,6 +358,7 @@ Docs: https://docs.openclaw.ai
 
 - Control UI/Talk: add a generic browser realtime transport contract, Google Live browser Talk sessions with constrained ephemeral tokens, and a Gateway relay for backend-only realtime voice plugins. Thanks @VACInc.
 - CLI/models: route provider-filtered model listing through an explicit source plan so user config, installed manifest rows, Provider Index previews, and scoped runtime fallbacks keep a stable authority order without adding another catalog cache. Thanks @shakkernerd.
+- Plugins/cron: add a typed `cron_changed` hook for observing gateway-owned cron lifecycle updates without depending on internal cron events. Thanks @amknight.
 - Providers: add Cerebras as a bundled plugin with onboarding, static model catalog, docs, and manifest-owned endpoint metadata.
 - Memory/OpenAI-compatible: add optional `memorySearch.inputType`, `queryInputType`, and `documentInputType` config for asymmetric embedding endpoints, including direct query embeddings and provider batch indexing. Carries forward #63313 and #60727. Thanks @HOYALIM and @prospect1314521.
 - Ollama/memory: add model-specific retrieval query prefixes for `nomic-embed-text`, `qwen3-embedding`, and `mxbai-embed-large` memory-search queries while leaving document batches unchanged. Carries forward #45013. Thanks @laolin5564.
@@ -402,6 +515,7 @@ Docs: https://docs.openclaw.ai
 - Agents/bootstrap: dedupe hook-injected bootstrap context files by workspace-relative path and store normalized resolved paths so duplicate relative and absolute hook paths no longer depend on the process cwd. (#59344; fixes #59319; related #56721, #56725, and #57587) Thanks @koen666.
 - Agents/bootstrap: refresh cached workspace bootstrap snapshots on long-lived main-session turns when `AGENTS.md`, `SOUL.md`, `MEMORY.md`, or `TOOLS.md` change on disk, while preserving unchanged snapshot identity through the workspace file cache. (#64871; related #43901, #26497, #28594, #30896) Thanks @aimqwest and @mikejuyoon.
 - macOS Gateway: detect installed-but-unloaded LaunchAgent split-brain states during status, doctor, and restart, and re-bootstrap launchd supervision before falling back to unmanaged listener restarts. Fixes #67335, #53475, and #71060; refs #58890, #60885, and #70801. Thanks @ze1tgeist88, @dafacto, and @vishutdhar.
+- WhatsApp: clear cached Web auth and active listener state after terminal 440/401 conflict/logout closes so linked/OK status no longer masks a dead inbound listener after relink or restart. Fixes #45474; refs #49305, #63855, #66920, and #70856. Thanks @juvenalmakoszay and @dsantoreis.
 - Gateway/restart: keep local restart-health probes on configured local daemon auth without falling back to remote gateway credentials. (#57374, #59439) Thanks @zssggle-rgb and @roytong9.
 - Plugins/install: treat mirrored core logger dependencies as staged bundled runtime deps so packaged Gateway starts do not crash when the external plugin-runtime-deps root is missing `tslog`. Fixes #72228; supersedes #72493. Thanks @deepujain.
 - Build/plugins: preserve active bundled runtime-dependency staging temp directories owned by live build processes so overlapping postbuild runs no longer delete each other's staged deps mid-prune. Supersedes #72220. Thanks @VACInc.
@@ -413,6 +527,7 @@ Docs: https://docs.openclaw.ai
 - TTS/SecretRef: resolve `messages.tts.providers.*.apiKey` from the active runtime snapshot so SecretRef-backed MiniMax and other TTS provider keys work in runtime reply/audio paths. Fixes #68690. Thanks @joshavant.
 - Gateway/install: surface systemd user-bus recovery hints during Linux service activation and retry via the target user scope when `systemctl --user` reports no-medium bus failures, without letting stale `SUDO_USER` override `sudo -u` installs. Fixes #39673; refs #44417 and #63561. Thanks @Arbor4, @myrsu, @mssteuer, and @boyuaner.
 - CLI/nodes: make unfiltered `openclaw nodes list` prefer the effective paired-node view used by `nodes status` while preserving pending rows, pairing-scope fallback, terminal-safe table rendering, and paired JSON metadata. Fixes #46871; carries forward #65772 through the ProjectClownfish #72619 repair. Thanks @skainguyen1412.
+- Memory Wiki/CLI: route active bridge-mode status, doctor, and bridge imports through Gateway RPC so CLI checks use the runtime memory plugin context while disabled bridge imports stay local/offline. Carries forward #67208 and #71479; related #70185. Thanks @moorsecopers99, @vincentkoc, and @prasad-yashdeep.
 - CLI/startup: read generated startup metadata from the bundled `dist` layout before falling back to live help rendering, so root/browser help and channel-option bootstrap stay on the fast path. Thanks @vincentkoc.
 - Feishu/Lark: stop treating broadcast-only `@all`/`@_all` messages as bot mentions while preserving direct bot mentions, including messages that also include `@all`. Fixes #37706. Thanks @JosepLee.
 - CLI/help: treat positional `help` invocations like `openclaw channels help` as help paths for startup gating, avoiding model/auth warmup while preserving positional arguments such as `openclaw docs help`. Thanks @gumadeiras.
@@ -923,6 +1038,7 @@ Docs: https://docs.openclaw.ai
 - Google Meet joins OpenClaw as a bundled participant plugin, with personal Google auth, Chrome/Twilio realtime sessions, paired-node Chrome support, artifact/attendance exports, and recovery tooling for already-open Meet tabs.
 - DeepSeek V4 Flash and V4 Pro are in the bundled catalog, V4 Flash is the onboarding default, and DeepSeek thinking/replay behavior is fixed for follow-up tool-call turns.
 - Talk, Voice Call, and Google Meet can use realtime voice loops that consult the full OpenClaw agent for deeper tool-backed answers.
+- Providers/OpenRouter: add native video generation through `video_generate`, so OpenRouter video models work with `OPENROUTER_API_KEY`. (#72700) Thanks @notamicrodose.
 - Browser automation gets coordinate clicks, longer default action budgets, per-profile headless overrides, and steadier tab reuse/recovery.
 - Plugin and model infrastructure is lighter at startup: static model catalogs, manifest-backed model rows, lazy provider dependencies, and external runtime-dependency repair for packaged installs.
 

Dockerfile

@@ -258,10 +258,12 @@ RUN --mount=type=cache,id=openclaw-bookworm-apt-cache,target=/var/cache/apt,shar
 RUN ln -sf /app/openclaw.mjs /usr/local/bin/openclaw \
  && chmod 755 /app/openclaw.mjs
 
-# Pre-create the default state dir so first-run Docker named volumes mounted
-# here inherit node ownership instead of starting as root-owned state.
+# Pre-create the default state and runtime-deps dirs so first-run Docker named
+# volumes mounted here inherit node ownership instead of root-owned state.
 RUN install -d -m 0700 -o node -g node /home/node/.openclaw && \
-    stat -c '%U:%G %a' /home/node/.openclaw | grep -qx 'node:node 700'
+    install -d -m 0700 -o node -g node /var/lib/openclaw/plugin-runtime-deps && \
+    stat -c '%U:%G %a' /home/node/.openclaw | grep -qx 'node:node 700' && \
+    stat -c '%U:%G %a' /var/lib/openclaw/plugin-runtime-deps | grep -qx 'node:node 700'
 
 ENV NODE_ENV=production
 

apps/android/.editorconfig

@@ -11,9 +11,6 @@ indent_style = space
 indent_size = 2
 max_line_length = off
 ktlint_standard_filename = disabled
-ktlint_standard_function-expression-body = disabled
 ktlint_standard_function-naming = disabled
-ktlint_standard_if-else-bracing = disabled
 ktlint_standard_max-line-length = disabled
-ktlint_standard_no-wildcard-imports = disabled
 ktlint_standard_property-naming = disabled

apps/android/app/build.gradle.kts

@@ -33,10 +33,10 @@ if (wantsAndroidReleaseBuild && !hasAndroidReleaseSigning) {
 }
 
 plugins {
-  id("com.android.application")
-  id("org.jlleitschuh.gradle.ktlint")
-  id("org.jetbrains.kotlin.plugin.compose")
-  id("org.jetbrains.kotlin.plugin.serialization")
+  alias(libs.plugins.android.application)
+  alias(libs.plugins.ktlint)
+  alias(libs.plugins.kotlin.compose)
+  alias(libs.plugins.kotlin.serialization)
 }
 
 android {
@@ -78,13 +78,9 @@ android {
   productFlavors {
     create("play") {
       dimension = "store"
-      buildConfigField("boolean", "OPENCLAW_ENABLE_SMS", "false")
-      buildConfigField("boolean", "OPENCLAW_ENABLE_CALL_LOG", "false")
     }
     create("thirdParty") {
       dimension = "store"
-      buildConfigField("boolean", "OPENCLAW_ENABLE_SMS", "true")
-      buildConfigField("boolean", "OPENCLAW_ENABLE_CALL_LOG", "true")
     }
   }
 
@@ -133,15 +129,7 @@ android {
   }
 
   lint {
-    disable +=
-      setOf(
-        "AndroidGradlePluginVersion",
-        "GradleDependency",
-        "HighAppVersionCode",
-        "IconLauncherShape",
-        "NewerVersionAvailable",
-        "OldTargetApi",
-      )
+    lintConfig = file("lint.xml")
     warningsAsErrors = true
   }
 
@@ -184,57 +172,57 @@ ktlint {
 }
 
 dependencies {
-  val composeBom = platform("androidx.compose:compose-bom:2026.04.01")
+  val composeBom = platform(libs.androidx.compose.bom)
   implementation(composeBom)
   androidTestImplementation(composeBom)
 
-  implementation("androidx.core:core-ktx:1.18.0")
-  implementation("androidx.lifecycle:lifecycle-runtime-ktx:2.10.0")
-  implementation("androidx.activity:activity-compose:1.13.0")
-  implementation("androidx.webkit:webkit:1.15.0")
+  implementation(libs.androidx.core.ktx)
+  implementation(libs.androidx.lifecycle.runtime.ktx)
+  implementation(libs.androidx.activity.compose)
+  implementation(libs.androidx.webkit)
 
-  implementation("androidx.compose.ui:ui")
-  implementation("androidx.compose.ui:ui-tooling-preview")
-  implementation("androidx.compose.material3:material3")
+  implementation(libs.androidx.compose.ui)
+  implementation(libs.androidx.compose.ui.tooling.preview)
+  implementation(libs.androidx.compose.material3)
   // material-icons-extended pulled in full icon set (~20 MB DEX). Only ~18 icons used.
   // R8 will tree-shake unused icons when minify is enabled on release builds.
-  implementation("androidx.compose.material:material-icons-extended")
+  implementation(libs.androidx.compose.material.icons.extended)
 
-  debugImplementation("androidx.compose.ui:ui-tooling")
+  debugImplementation(libs.androidx.compose.ui.tooling)
 
   // Material Components (XML theme + resources)
-  implementation("com.google.android.material:material:1.13.0")
+  implementation(libs.material)
 
-  implementation("org.jetbrains.kotlinx:kotlinx-coroutines-android:1.10.2")
-  implementation("org.jetbrains.kotlinx:kotlinx-serialization-json:1.11.0")
+  implementation(libs.kotlinx.coroutines.android)
+  implementation(libs.kotlinx.serialization.json)
 
-  implementation("androidx.security:security-crypto:1.1.0")
-  implementation("androidx.exifinterface:exifinterface:1.4.2")
-  implementation("com.squareup.okhttp3:okhttp:5.3.2")
-  implementation("org.bouncycastle:bcprov-jdk18on:1.84")
-  implementation("org.commonmark:commonmark:0.28.0")
-  implementation("org.commonmark:commonmark-ext-autolink:0.28.0")
-  implementation("org.commonmark:commonmark-ext-gfm-strikethrough:0.28.0")
-  implementation("org.commonmark:commonmark-ext-gfm-tables:0.28.0")
-  implementation("org.commonmark:commonmark-ext-task-list-items:0.28.0")
+  implementation(libs.androidx.security.crypto)
+  implementation(libs.androidx.exifinterface)
+  implementation(libs.okhttp)
+  implementation(libs.bcprov)
+  implementation(libs.commonmark)
+  implementation(libs.commonmark.ext.autolink)
+  implementation(libs.commonmark.ext.gfm.strikethrough)
+  implementation(libs.commonmark.ext.gfm.tables)
+  implementation(libs.commonmark.ext.task.list.items)
 
   // CameraX (for node.invoke camera.* parity)
-  implementation("androidx.camera:camera-core:1.6.0")
-  implementation("androidx.camera:camera-camera2:1.6.0")
-  implementation("androidx.camera:camera-lifecycle:1.6.0")
-  implementation("androidx.camera:camera-video:1.6.0")
-  implementation("com.google.android.gms:play-services-code-scanner:16.1.0")
+  implementation(libs.androidx.camera.core)
+  implementation(libs.androidx.camera.camera2)
+  implementation(libs.androidx.camera.lifecycle)
+  implementation(libs.androidx.camera.video)
+  implementation(libs.play.services.code.scanner)
 
   // Unicast DNS-SD (Wide-Area Bonjour) for tailnet discovery domains.
-  implementation("dnsjava:dnsjava:3.6.4")
+  implementation(libs.dnsjava)
 
-  testImplementation("junit:junit:4.13.2")
-  testImplementation("org.jetbrains.kotlinx:kotlinx-coroutines-test:1.10.2")
-  testImplementation("io.kotest:kotest-runner-junit5-jvm:6.1.11")
-  testImplementation("io.kotest:kotest-assertions-core-jvm:6.1.11")
-  testImplementation("com.squareup.okhttp3:mockwebserver:5.3.2")
-  testImplementation("org.robolectric:robolectric:4.16.1")
-  testRuntimeOnly("org.junit.vintage:junit-vintage-engine:6.0.3")
+  testImplementation(libs.junit)
+  testImplementation(libs.kotlinx.coroutines.test)
+  testImplementation(libs.kotest.runner.junit5)
+  testImplementation(libs.kotest.assertions.core)
+  testImplementation(libs.mockwebserver)
+  testImplementation(libs.robolectric)
+  testRuntimeOnly(libs.junit.vintage.engine)
 }
 
 tasks.withType<Test>().configureEach {

apps/android/app/lint.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<lint>
+    <issue id="AndroidGradlePluginVersion" severity="ignore" />
+    <issue id="GradleDependency" severity="ignore" />
+    <issue id="IconLauncherShape" severity="ignore" />
+    <issue id="NewerVersionAvailable" severity="ignore" />
+
+    <!-- OpenClaw uses date-based version codes (yyyyMMddNN), which are high but still below the Android max. -->
+    <issue id="HighAppVersionCode" severity="ignore" />
+
+    <!-- Target SDK follows the current release train; bump only after platform compatibility testing. -->
+    <issue id="OldTargetApi" severity="ignore" />
+</lint>

apps/android/app/src/main/java/ai/openclaw/app/NodeRuntime.kt

@@ -13,7 +13,33 @@ import ai.openclaw.app.gateway.GatewaySession
 import ai.openclaw.app.gateway.GatewayTlsProbeFailure
 import ai.openclaw.app.gateway.GatewayTlsProbeResult
 import ai.openclaw.app.gateway.probeGatewayTlsFingerprint
-import ai.openclaw.app.node.*
+import ai.openclaw.app.node.A2UIHandler
+import ai.openclaw.app.node.CalendarHandler
+import ai.openclaw.app.node.CallLogHandler
+import ai.openclaw.app.node.CameraCaptureManager
+import ai.openclaw.app.node.CameraHandler
+import ai.openclaw.app.node.CanvasController
+import ai.openclaw.app.node.ConnectionManager
+import ai.openclaw.app.node.ContactsHandler
+import ai.openclaw.app.node.DEFAULT_SEAM_COLOR_ARGB
+import ai.openclaw.app.node.DebugHandler
+import ai.openclaw.app.node.DeviceHandler
+import ai.openclaw.app.node.DeviceNotificationListenerService
+import ai.openclaw.app.node.InvokeDispatcher
+import ai.openclaw.app.node.LocationCaptureManager
+import ai.openclaw.app.node.LocationHandler
+import ai.openclaw.app.node.MotionHandler
+import ai.openclaw.app.node.NodePresenceAliveBeacon
+import ai.openclaw.app.node.NotificationsHandler
+import ai.openclaw.app.node.PhotosHandler
+import ai.openclaw.app.node.Quad
+import ai.openclaw.app.node.SmsHandler
+import ai.openclaw.app.node.SmsManager
+import ai.openclaw.app.node.SystemHandler
+import ai.openclaw.app.node.asObjectOrNull
+import ai.openclaw.app.node.asStringOrNull
+import ai.openclaw.app.node.invokeErrorFromThrowable
+import ai.openclaw.app.node.parseHexColorArgb
 import ai.openclaw.app.protocol.OpenClawCanvasA2UIAction
 import ai.openclaw.app.voice.MicCaptureManager
 import ai.openclaw.app.voice.TalkModeManager
@@ -103,8 +129,8 @@ class NodeRuntime(
   private val deviceHandler: DeviceHandler =
     DeviceHandler(
       appContext = appContext,
-      smsEnabled = BuildConfig.OPENCLAW_ENABLE_SMS,
-      callLogEnabled = BuildConfig.OPENCLAW_ENABLE_CALL_LOG,
+      smsEnabled = SensitiveFeatureConfig.smsEnabled,
+      callLogEnabled = SensitiveFeatureConfig.callLogEnabled,
     )
 
   private val notificationsHandler: NotificationsHandler =
@@ -163,10 +189,10 @@ class NodeRuntime(
       voiceWakeMode = { VoiceWakeMode.Off },
       motionActivityAvailable = { motionHandler.isActivityAvailable() },
       motionPedometerAvailable = { motionHandler.isPedometerAvailable() },
-      sendSmsAvailable = { BuildConfig.OPENCLAW_ENABLE_SMS && sms.canSendSms() },
-      readSmsAvailable = { BuildConfig.OPENCLAW_ENABLE_SMS && sms.canReadSms() },
-      smsSearchPossible = { BuildConfig.OPENCLAW_ENABLE_SMS && sms.hasTelephonyFeature() },
-      callLogAvailable = { BuildConfig.OPENCLAW_ENABLE_CALL_LOG },
+      sendSmsAvailable = { SensitiveFeatureConfig.smsEnabled && sms.canSendSms() },
+      readSmsAvailable = { SensitiveFeatureConfig.smsEnabled && sms.canReadSms() },
+      smsSearchPossible = { SensitiveFeatureConfig.smsEnabled && sms.hasTelephonyFeature() },
+      callLogAvailable = { SensitiveFeatureConfig.callLogEnabled },
       hasRecordAudioPermission = { hasRecordAudioPermission() },
       manualTls = { manualTls.value },
     )
@@ -190,11 +216,11 @@ class NodeRuntime(
       isForeground = { _isForeground.value },
       cameraEnabled = { cameraEnabled.value },
       locationEnabled = { locationMode.value != LocationMode.Off },
-      sendSmsAvailable = { BuildConfig.OPENCLAW_ENABLE_SMS && sms.canSendSms() },
-      readSmsAvailable = { BuildConfig.OPENCLAW_ENABLE_SMS && sms.canReadSms() },
-      smsFeatureEnabled = { BuildConfig.OPENCLAW_ENABLE_SMS },
+      sendSmsAvailable = { SensitiveFeatureConfig.smsEnabled && sms.canSendSms() },
+      readSmsAvailable = { SensitiveFeatureConfig.smsEnabled && sms.canReadSms() },
+      smsFeatureEnabled = { SensitiveFeatureConfig.smsEnabled },
       smsTelephonyAvailable = { sms.hasTelephonyFeature() },
-      callLogAvailable = { BuildConfig.OPENCLAW_ENABLE_CALL_LOG },
+      callLogAvailable = { SensitiveFeatureConfig.callLogEnabled },
       debugBuild = { BuildConfig.DEBUG },
       refreshNodeCanvasCapability = { nodeSession.refreshNodeCanvasCapability() },
       onCanvasA2uiPush = {

apps/android/app/src/main/java/ai/openclaw/app/node/DeviceHandler.kt

@@ -1,6 +1,7 @@
 package ai.openclaw.app.node
 
 import ai.openclaw.app.BuildConfig
+import ai.openclaw.app.SensitiveFeatureConfig
 import ai.openclaw.app.gateway.GatewaySession
 import android.Manifest
 import android.app.ActivityManager
@@ -25,8 +26,8 @@ import java.util.Locale
 
 class DeviceHandler(
   private val appContext: Context,
-  private val smsEnabled: Boolean = BuildConfig.OPENCLAW_ENABLE_SMS,
-  private val callLogEnabled: Boolean = BuildConfig.OPENCLAW_ENABLE_CALL_LOG,
+  private val smsEnabled: Boolean = SensitiveFeatureConfig.smsEnabled,
+  private val callLogEnabled: Boolean = SensitiveFeatureConfig.callLogEnabled,
 ) {
   companion object {
     internal fun hasAnySmsCapability(

apps/android/app/src/main/java/ai/openclaw/app/ui/OnboardingFlow.kt

@@ -1,8 +1,8 @@
 package ai.openclaw.app.ui
 
-import ai.openclaw.app.BuildConfig
 import ai.openclaw.app.LocationMode
 import ai.openclaw.app.MainViewModel
+import ai.openclaw.app.SensitiveFeatureConfig
 import ai.openclaw.app.gateway.GatewayEndpoint
 import ai.openclaw.app.node.DeviceNotificationListenerService
 import android.Manifest
@@ -248,10 +248,10 @@ fun OnboardingFlow(
 
   val smsAvailable =
     remember(context) {
-      BuildConfig.OPENCLAW_ENABLE_SMS &&
+      SensitiveFeatureConfig.smsEnabled &&
         context.packageManager?.hasSystemFeature(PackageManager.FEATURE_TELEPHONY) == true
     }
-  val callLogAvailable = remember { BuildConfig.OPENCLAW_ENABLE_CALL_LOG }
+  val callLogAvailable = remember { SensitiveFeatureConfig.callLogEnabled }
   val motionAvailable =
     remember(context) {
       hasMotionCapabilities(context)

apps/android/app/src/main/java/ai/openclaw/app/ui/SettingsSheet.kt

@@ -4,6 +4,7 @@ import ai.openclaw.app.BuildConfig
 import ai.openclaw.app.LocationMode
 import ai.openclaw.app.MainViewModel
 import ai.openclaw.app.NotificationPackageFilterMode
+import ai.openclaw.app.SensitiveFeatureConfig
 import ai.openclaw.app.node.DeviceNotificationListenerService
 import ai.openclaw.app.normalizeLocalHourMinute
 import android.Manifest
@@ -204,10 +205,10 @@ fun SettingsSheet(viewModel: MainViewModel) {
 
   val smsPermissionAvailable =
     remember {
-      BuildConfig.OPENCLAW_ENABLE_SMS &&
+      SensitiveFeatureConfig.smsEnabled &&
         context.packageManager?.hasSystemFeature(PackageManager.FEATURE_TELEPHONY) == true
     }
-  val callLogPermissionAvailable = remember { BuildConfig.OPENCLAW_ENABLE_CALL_LOG }
+  val callLogPermissionAvailable = remember { SensitiveFeatureConfig.callLogEnabled }
   val photosPermission =
     if (Build.VERSION.SDK_INT >= 33) {
       Manifest.permission.READ_MEDIA_IMAGES

apps/android/app/src/play/java/ai/openclaw/app/SensitiveFeatureConfig.kt

@@ -0,0 +1,6 @@
+package ai.openclaw.app
+
+object SensitiveFeatureConfig {
+  const val smsEnabled: Boolean = false
+  const val callLogEnabled: Boolean = false
+}

apps/android/app/src/play/java/ai/openclaw/app/node/CallLogHandler.kt

@@ -0,0 +1,54 @@
+package ai.openclaw.app.node
+
+import ai.openclaw.app.gateway.GatewaySession
+import android.content.Context
+
+internal data class CallLogRecord(
+  val number: String?,
+  val cachedName: String?,
+  val date: Long,
+  val duration: Long,
+  val type: Int,
+)
+
+internal data class CallLogSearchRequest(
+  val limit: Int,
+  val offset: Int,
+  val cachedName: String?,
+  val number: String?,
+  val date: Long?,
+  val dateStart: Long?,
+  val dateEnd: Long?,
+  val duration: Long?,
+  val type: Int?,
+)
+
+internal interface CallLogDataSource {
+  fun hasReadPermission(context: Context): Boolean
+
+  fun search(
+    context: Context,
+    request: CallLogSearchRequest,
+  ): List<CallLogRecord>
+}
+
+class CallLogHandler private constructor() {
+  constructor(
+    @Suppress("unused") appContext: Context,
+  ) : this()
+
+  fun handleCallLogSearch(
+    @Suppress("unused") paramsJson: String?,
+  ): GatewaySession.InvokeResult =
+    GatewaySession.InvokeResult.error(
+      code = "CALL_LOG_UNAVAILABLE",
+      message = "CALL_LOG_UNAVAILABLE: call log not available on this build",
+    )
+
+  companion object {
+    internal fun forTesting(
+      @Suppress("unused") appContext: Context,
+      @Suppress("unused") dataSource: CallLogDataSource,
+    ): CallLogHandler = CallLogHandler()
+  }
+}

apps/android/app/src/play/java/ai/openclaw/app/node/SmsManager.kt

@@ -0,0 +1,69 @@
+package ai.openclaw.app.node
+
+import ai.openclaw.app.PermissionRequester
+import android.content.Context
+
+class SmsManager(
+  @Suppress("unused") private val context: Context,
+) {
+  data class SendResult(
+    val ok: Boolean,
+    val to: String,
+    val message: String?,
+    val error: String? = null,
+    val payloadJson: String,
+  )
+
+  data class SmsMessage(
+    val id: Long,
+    val threadId: Long,
+    val address: String?,
+    val person: String?,
+    val date: Long,
+    val dateSent: Long,
+    val read: Boolean,
+    val type: Int,
+    val body: String?,
+    val status: Int,
+    val transportType: String? = null,
+  )
+
+  data class SearchResult(
+    val ok: Boolean,
+    val messages: List<SmsMessage>,
+    val error: String? = null,
+    val payloadJson: String,
+  )
+
+  fun attachPermissionRequester(
+    @Suppress("unused") requester: PermissionRequester,
+  ) {
+  }
+
+  fun canSendSms(): Boolean = false
+
+  fun canSearchSms(): Boolean = false
+
+  fun canReadSms(): Boolean = false
+
+  fun hasTelephonyFeature(): Boolean = false
+
+  suspend fun send(paramsJson: String?): SendResult =
+    SendResult(
+      ok = false,
+      to = "",
+      message = null,
+      error = "SMS_PERMISSION_REQUIRED: grant SMS permission",
+      payloadJson = unavailablePayload(paramsJson),
+    )
+
+  suspend fun search(paramsJson: String?): SearchResult =
+    SearchResult(
+      ok = false,
+      messages = emptyList(),
+      error = "SMS_PERMISSION_REQUIRED: grant READ_SMS permission",
+      payloadJson = unavailablePayload(paramsJson),
+    )
+
+  private fun unavailablePayload(paramsJson: String?): String = """{"ok":false,"error":"SMS_UNAVAILABLE","paramsProvided":${!paramsJson.isNullOrBlank()}}"""
+}

apps/android/app/src/thirdParty/java/ai/openclaw/app/SensitiveFeatureConfig.kt

@@ -0,0 +1,6 @@
+package ai.openclaw.app
+
+object SensitiveFeatureConfig {
+  const val smsEnabled: Boolean = true
+  const val callLogEnabled: Boolean = true
+}

apps/android/app/src/thirdParty/java/ai/openclaw/app/node/SmsHandler.kt

@@ -0,0 +1,39 @@
+package ai.openclaw.app.node
+
+import ai.openclaw.app.gateway.GatewaySession
+
+class SmsHandler(
+  private val sms: SmsManager,
+) {
+  suspend fun handleSmsSend(paramsJson: String?): GatewaySession.InvokeResult {
+    val res = sms.send(paramsJson)
+    if (res.ok) {
+      return GatewaySession.InvokeResult.ok(res.payloadJson)
+    }
+    return errorResult(res.error, defaultCode = "SMS_SEND_FAILED")
+  }
+
+  suspend fun handleSmsSearch(paramsJson: String?): GatewaySession.InvokeResult {
+    val res = sms.search(paramsJson)
+    if (res.ok) {
+      return GatewaySession.InvokeResult.ok(res.payloadJson)
+    }
+    return errorResult(res.error, defaultCode = "SMS_SEARCH_FAILED")
+  }
+
+  private fun errorResult(
+    error: String?,
+    defaultCode: String,
+  ): GatewaySession.InvokeResult {
+    val rawMessage = error ?: defaultCode
+    val idx = rawMessage.indexOf(':')
+    val code = if (idx > 0) rawMessage.substring(0, idx).trim() else defaultCode
+    val message =
+      if (idx > 0 && code == rawMessage.substring(0, idx).trim()) {
+        rawMessage.substring(idx + 1).trim().ifEmpty { rawMessage }
+      } else {
+        rawMessage
+      }
+    return GatewaySession.InvokeResult.error(code = code, message = message)
+  }
+}

apps/android/benchmark/build.gradle.kts

@@ -1,6 +1,6 @@
 plugins {
-  id("com.android.test")
-  id("org.jlleitschuh.gradle.ktlint")
+  alias(libs.plugins.android.test)
+  alias(libs.plugins.ktlint)
 }
 
 android {
@@ -39,7 +39,7 @@ ktlint {
 }
 
 dependencies {
-  implementation("androidx.benchmark:benchmark-macro-junit4:1.4.1")
-  implementation("androidx.test.ext:junit:1.3.0")
-  implementation("androidx.test.uiautomator:uiautomator:2.4.0-beta02")
+  implementation(libs.androidx.benchmark.macro.junit4)
+  implementation(libs.androidx.test.ext.junit)
+  implementation(libs.androidx.uiautomator)
 }

apps/android/build.gradle.kts

@@ -1,7 +1,7 @@
 plugins {
-  id("com.android.application") version "9.2.0" apply false
-  id("com.android.test") version "9.2.0" apply false
-  id("org.jlleitschuh.gradle.ktlint") version "14.2.0" apply false
-  id("org.jetbrains.kotlin.plugin.compose") version "2.3.21" apply false
-  id("org.jetbrains.kotlin.plugin.serialization") version "2.3.21" apply false
+  alias(libs.plugins.android.application) apply false
+  alias(libs.plugins.android.test) apply false
+  alias(libs.plugins.ktlint) apply false
+  alias(libs.plugins.kotlin.compose) apply false
+  alias(libs.plugins.kotlin.serialization) apply false
 }

apps/android/gradle/libs.versions.toml

@@ -0,0 +1,74 @@
+[versions]
+agp = "9.2.0"
+androidx-activity = "1.13.0"
+androidx-benchmark = "1.4.1"
+androidx-camera = "1.6.0"
+androidx-compose-bom = "2026.04.01"
+androidx-core = "1.18.0"
+androidx-exifinterface = "1.4.2"
+androidx-lifecycle = "2.10.0"
+androidx-security = "1.1.0"
+androidx-test-ext = "1.3.0"
+androidx-uiautomator = "2.4.0-beta02"
+androidx-webkit = "1.15.0"
+bcprov = "1.84"
+commonmark = "0.28.0"
+coroutines = "1.10.2"
+dnsjava = "3.6.4"
+junit = "4.13.2"
+junit-vintage = "6.0.3"
+kotest = "6.1.11"
+ktlint-gradle = "14.2.0"
+kotlin = "2.3.21"
+material = "1.13.0"
+okhttp = "5.3.2"
+play-services-code-scanner = "16.1.0"
+robolectric = "4.16.1"
+serialization-json = "1.11.0"
+
+[libraries]
+androidx-activity-compose = { module = "androidx.activity:activity-compose", version.ref = "androidx-activity" }
+androidx-benchmark-macro-junit4 = { module = "androidx.benchmark:benchmark-macro-junit4", version.ref = "androidx-benchmark" }
+androidx-camera-camera2 = { module = "androidx.camera:camera-camera2", version.ref = "androidx-camera" }
+androidx-camera-core = { module = "androidx.camera:camera-core", version.ref = "androidx-camera" }
+androidx-camera-lifecycle = { module = "androidx.camera:camera-lifecycle", version.ref = "androidx-camera" }
+androidx-camera-video = { module = "androidx.camera:camera-video", version.ref = "androidx-camera" }
+androidx-compose-bom = { module = "androidx.compose:compose-bom", version.ref = "androidx-compose-bom" }
+androidx-compose-material-icons-extended = { module = "androidx.compose.material:material-icons-extended" }
+androidx-compose-material3 = { module = "androidx.compose.material3:material3" }
+androidx-compose-ui = { module = "androidx.compose.ui:ui" }
+androidx-compose-ui-tooling = { module = "androidx.compose.ui:ui-tooling" }
+androidx-compose-ui-tooling-preview = { module = "androidx.compose.ui:ui-tooling-preview" }
+androidx-core-ktx = { module = "androidx.core:core-ktx", version.ref = "androidx-core" }
+androidx-exifinterface = { module = "androidx.exifinterface:exifinterface", version.ref = "androidx-exifinterface" }
+androidx-lifecycle-runtime-ktx = { module = "androidx.lifecycle:lifecycle-runtime-ktx", version.ref = "androidx-lifecycle" }
+androidx-security-crypto = { module = "androidx.security:security-crypto", version.ref = "androidx-security" }
+androidx-test-ext-junit = { module = "androidx.test.ext:junit", version.ref = "androidx-test-ext" }
+androidx-uiautomator = { module = "androidx.test.uiautomator:uiautomator", version.ref = "androidx-uiautomator" }
+androidx-webkit = { module = "androidx.webkit:webkit", version.ref = "androidx-webkit" }
+bcprov = { module = "org.bouncycastle:bcprov-jdk18on", version.ref = "bcprov" }
+commonmark = { module = "org.commonmark:commonmark", version.ref = "commonmark" }
+commonmark-ext-autolink = { module = "org.commonmark:commonmark-ext-autolink", version.ref = "commonmark" }
+commonmark-ext-gfm-strikethrough = { module = "org.commonmark:commonmark-ext-gfm-strikethrough", version.ref = "commonmark" }
+commonmark-ext-gfm-tables = { module = "org.commonmark:commonmark-ext-gfm-tables", version.ref = "commonmark" }
+commonmark-ext-task-list-items = { module = "org.commonmark:commonmark-ext-task-list-items", version.ref = "commonmark" }
+dnsjava = { module = "dnsjava:dnsjava", version.ref = "dnsjava" }
+junit = { module = "junit:junit", version.ref = "junit" }
+junit-vintage-engine = { module = "org.junit.vintage:junit-vintage-engine", version.ref = "junit-vintage" }
+kotest-assertions-core = { module = "io.kotest:kotest-assertions-core-jvm", version.ref = "kotest" }
+kotest-runner-junit5 = { module = "io.kotest:kotest-runner-junit5-jvm", version.ref = "kotest" }
+kotlinx-coroutines-android = { module = "org.jetbrains.kotlinx:kotlinx-coroutines-android", version.ref = "coroutines" }
+kotlinx-coroutines-test = { module = "org.jetbrains.kotlinx:kotlinx-coroutines-test", version.ref = "coroutines" }
+kotlinx-serialization-json = { module = "org.jetbrains.kotlinx:kotlinx-serialization-json", version.ref = "serialization-json" }
+material = { module = "com.google.android.material:material", version.ref = "material" }
+mockwebserver = { module = "com.squareup.okhttp3:mockwebserver", version.ref = "okhttp" }
+okhttp = { module = "com.squareup.okhttp3:okhttp", version.ref = "okhttp" }
+play-services-code-scanner = { module = "com.google.android.gms:play-services-code-scanner", version.ref = "play-services-code-scanner" }
+robolectric = { module = "org.robolectric:robolectric", version.ref = "robolectric" }
+
+[plugins]
+android-application = { id = "com.android.application", version.ref = "agp" }
+android-test = { id = "com.android.test", version.ref = "agp" }
+kotlin-compose = { id = "org.jetbrains.kotlin.plugin.compose", version.ref = "kotlin" }
+kotlin-serialization = { id = "org.jetbrains.kotlin.plugin.serialization", version.ref = "kotlin" }
+ktlint = { id = "org.jlleitschuh.gradle.ktlint", version.ref = "ktlint-gradle" }

apps/macos/Sources/OpenClawProtocol/GatewayModels.swift

@@ -4195,6 +4195,7 @@ public struct ExecApprovalRequestParams: Codable, Sendable {
     public let host: AnyCodable?
     public let security: AnyCodable?
     public let ask: AnyCodable?
+    public let warningtext: AnyCodable?
     public let agentid: AnyCodable?
     public let resolvedpath: AnyCodable?
     public let sessionkey: AnyCodable?
@@ -4216,6 +4217,7 @@ public struct ExecApprovalRequestParams: Codable, Sendable {
         host: AnyCodable?,
         security: AnyCodable?,
         ask: AnyCodable?,
+        warningtext: AnyCodable?,
         agentid: AnyCodable?,
         resolvedpath: AnyCodable?,
         sessionkey: AnyCodable?,
@@ -4236,6 +4238,7 @@ public struct ExecApprovalRequestParams: Codable, Sendable {
         self.host = host
         self.security = security
         self.ask = ask
+        self.warningtext = warningtext
         self.agentid = agentid
         self.resolvedpath = resolvedpath
         self.sessionkey = sessionkey
@@ -4258,6 +4261,7 @@ public struct ExecApprovalRequestParams: Codable, Sendable {
         case host
         case security
         case ask
+        case warningtext = "warningText"
         case agentid = "agentId"
         case resolvedpath = "resolvedPath"
         case sessionkey = "sessionKey"

apps/shared/OpenClawKit/Sources/OpenClawProtocol/GatewayModels.swift

@@ -4195,6 +4195,7 @@ public struct ExecApprovalRequestParams: Codable, Sendable {
     public let host: AnyCodable?
     public let security: AnyCodable?
     public let ask: AnyCodable?
+    public let warningtext: AnyCodable?
     public let agentid: AnyCodable?
     public let resolvedpath: AnyCodable?
     public let sessionkey: AnyCodable?
@@ -4216,6 +4217,7 @@ public struct ExecApprovalRequestParams: Codable, Sendable {
         host: AnyCodable?,
         security: AnyCodable?,
         ask: AnyCodable?,
+        warningtext: AnyCodable?,
         agentid: AnyCodable?,
         resolvedpath: AnyCodable?,
         sessionkey: AnyCodable?,
@@ -4236,6 +4238,7 @@ public struct ExecApprovalRequestParams: Codable, Sendable {
         self.host = host
         self.security = security
         self.ask = ask
+        self.warningtext = warningtext
         self.agentid = agentid
         self.resolvedpath = resolvedpath
         self.sessionkey = sessionkey
@@ -4258,6 +4261,7 @@ public struct ExecApprovalRequestParams: Codable, Sendable {
         case host
         case security
         case ask
+        case warningtext = "warningText"
         case agentid = "agentId"
         case resolvedpath = "resolvedPath"
         case sessionkey = "sessionKey"

docker-compose.yml

@@ -1,6 +1,7 @@
 services:
   openclaw-gateway:
     image: ${OPENCLAW_IMAGE:-openclaw:local}
+    build: .
     environment:
       HOME: /home/node
       TERM: xterm-256color
@@ -22,10 +23,12 @@ services:
       CLAUDE_AI_SESSION_KEY: ${CLAUDE_AI_SESSION_KEY:-}
       CLAUDE_WEB_SESSION_KEY: ${CLAUDE_WEB_SESSION_KEY:-}
       CLAUDE_WEB_COOKIE: ${CLAUDE_WEB_COOKIE:-}
+      OPENCLAW_PLUGIN_STAGE_DIR: /var/lib/openclaw/plugin-runtime-deps
       TZ: ${OPENCLAW_TZ:-UTC}
     volumes:
       - ${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw
       - ${OPENCLAW_WORKSPACE_DIR}:/home/node/.openclaw/workspace
+      - openclaw-plugin-runtime-deps:/var/lib/openclaw/plugin-runtime-deps
       ## Uncomment the lines below to enable sandbox isolation
       ## (agents.defaults.sandbox). Requires Docker CLI in the image
       ## (build with --build-arg OPENCLAW_INSTALL_DOCKER_CLI=1) or use
@@ -84,13 +87,18 @@ services:
       CLAUDE_AI_SESSION_KEY: ${CLAUDE_AI_SESSION_KEY:-}
       CLAUDE_WEB_SESSION_KEY: ${CLAUDE_WEB_SESSION_KEY:-}
       CLAUDE_WEB_COOKIE: ${CLAUDE_WEB_COOKIE:-}
+      OPENCLAW_PLUGIN_STAGE_DIR: /var/lib/openclaw/plugin-runtime-deps
       TZ: ${OPENCLAW_TZ:-UTC}
     volumes:
       - ${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw
       - ${OPENCLAW_WORKSPACE_DIR}:/home/node/.openclaw/workspace
+      - openclaw-plugin-runtime-deps:/var/lib/openclaw/plugin-runtime-deps
     stdin_open: true
     tty: true
     init: true
     entrypoint: ["node", "dist/index.js"]
     depends_on:
       - openclaw-gateway
+
+volumes:
+  openclaw-plugin-runtime-deps:

docs/.generated/config-baseline.sha256

@@ -1,4 +1,4 @@
-b1d76b9451b21434325e64d5bb531b9b995ba3bbf8f7b1628c09cce18f24c8e2  config-baseline.json
-58e98b59498060d301104b3772332de5600eb674687b06d0d32a202370709ee0  config-baseline.core.json
-a9f058ee9616e189dab7fc223e1207a49ae52b8490b8028935c9d0a2b16f81b2  config-baseline.channel.json
-1f5592bfd141ba1e982ce31763a253c10afb080ab4ea2b6538299b114e29cee1  config-baseline.plugin.json
+d4c98bce7b547349b9cbbe08ec1018eafce9900502d7794df993d07fdec0e2e0  config-baseline.json
+6ce74b2ab3544e5375009a435a2360a3095e6bd759bb7dd8114293fb8a0e2b25  config-baseline.core.json
+0e38bad86bdc96c38573f6d51ac9e6fc5306cc20fb4a454399c57c105a61ba87  config-baseline.channel.json
+0dd6583fafae6c9134e46c4cf9bddee9822d6436436dcb1a6dcba6d012962e51  config-baseline.plugin.json

docs/.generated/plugin-sdk-api-baseline.sha256

@@ -1,2 +1,2 @@
-9a688c953f0108f85f58c173e79c28363d846a592130abec04cafbcabbb22dcc  plugin-sdk-api-baseline.json
-010252e56202abde0816787588239c41b4bfb710b930a5454848a5ae76ad6dae  plugin-sdk-api-baseline.jsonl
+46476e7b4fee105ca27aed9c769c507f70f02b8ce8586c135feb18e751db0de1  plugin-sdk-api-baseline.json
+4bc1c0dc66d910c80694fa1a6b7ba3ab488bf737b3566e53b8a5857c16d2e0b1  plugin-sdk-api-baseline.jsonl

docs/automation/tasks.md

@@ -311,12 +311,15 @@ autocheckpoint threshold plus periodic and shutdown `TRUNCATE` checkpoints.
 
 ### Automatic maintenance
 
-A sweeper runs every **60 seconds** and handles three things:
+A sweeper runs every **60 seconds** and handles four things:
 
 <Steps>
   <Step title="Reconciliation">
     Checks whether active tasks still have authoritative runtime backing. ACP/subagent tasks use child-session state, cron tasks use active-job ownership, and chat-backed CLI tasks use the owning run context. If that backing state is gone for more than 5 minutes, the task is marked `lost`.
   </Step>
+  <Step title="ACP session repair">
+    Closes terminal parent-owned one-shot ACP sessions, and closes stale terminal persistent ACP sessions only when no active conversation binding remains.
+  </Step>
   <Step title="Cleanup stamping">
     Sets a `cleanupAfter` timestamp on terminal tasks (endedAt + 7 days). During retention, lost tasks still appear in audit as warnings; after `cleanupAfter` expires or when cleanup metadata is missing, they are errors.
   </Step>

docs/channels/discord.md

@@ -105,6 +105,7 @@ openclaw gateway
 ```
 
     If OpenClaw is already running as a background service, restart it via the OpenClaw Mac app or by stopping and restarting the `openclaw gateway run` process.
+    For managed service installs, run `openclaw gateway install` from a shell where `DISCORD_BOT_TOKEN` is present, or store the variable in `~/.openclaw/.env`, so the service can resolve the env SecretRef after restart.
 
   </Step>
 
@@ -175,6 +176,7 @@ openclaw pairing approve discord <CODE>
 
 <Note>
 Token resolution is account-aware. Config token values win over env fallback. `DISCORD_BOT_TOKEN` is only used for the default account.
+If two enabled Discord accounts resolve to the same bot token, OpenClaw starts only one gateway monitor for that token. A config-sourced token wins over the default env fallback; otherwise the first enabled account wins and the duplicate account is reported disabled.
 For advanced outbound calls (message tool/channel actions), an explicit per-call `token` is used for that call. This applies to send and read/probe-style actions (for example read/search/fetch/thread/pins/permissions). Account policy/retry settings still come from the selected account in the active runtime snapshot.
 </Note>
 
@@ -1020,7 +1022,8 @@ Notes:
 - `voice.model` overrides the LLM used for Discord voice channel responses only. Leave it unset to inherit the routed agent model.
 - STT uses `tools.media.audio`; `voice.model` does not affect transcription.
 - Voice transcript turns derive owner status from Discord `allowFrom` (or `dm.allowFrom`); non-owner speakers cannot access owner-only tools (for example `gateway` and `cron`).
-- Voice is enabled by default; set `channels.discord.voice.enabled=false` to disable it.
+- Voice is enabled by default; set `channels.discord.voice.enabled=false` to disable voice runtime and the `GuildVoiceStates` gateway intent.
+- `channels.discord.intents.voiceStates` can explicitly override voice-state intent subscription. Leave it unset for the intent to follow `voice.enabled`.
 - `voice.daveEncryption` and `voice.decryptionFailureTolerance` pass through to `@discordjs/voice` join options.
 - `@discordjs/voice` defaults are `daveEncryption=true` and `decryptionFailureTolerance=24` if unset.
 - OpenClaw also watches receive decrypt failures and auto-recovers by leaving/rejoining the voice channel after repeated failures in a short window.
@@ -1130,6 +1133,18 @@ openclaw logs --follow
 
   </Accordion>
 
+  <Accordion title="Gateway metadata lookup timeout warnings">
+    OpenClaw fetches Discord `/gateway/bot` metadata before connecting. Transient failures fall back to Discord's default gateway URL and are rate-limited in logs.
+
+    Metadata timeout knobs:
+
+    - single-account: `channels.discord.gatewayInfoTimeoutMs`
+    - multi-account: `channels.discord.accounts.<accountId>.gatewayInfoTimeoutMs`
+    - env fallback when config is unset: `OPENCLAW_DISCORD_GATEWAY_INFO_TIMEOUT_MS`
+    - default: `30000` (30 seconds), max: `120000`
+
+  </Accordion>
+
   <Accordion title="Permissions audit mismatches">
     `channels status --probe` permission checks only work for numeric channel IDs.
 
@@ -1177,6 +1192,7 @@ Primary reference: [Configuration reference - Discord](/gateway/config-channels#
 - command: `commands.native`, `commands.useAccessGroups`, `configWrites`, `slashCommand.*`
 - event queue: `eventQueue.listenerTimeout` (listener budget), `eventQueue.maxQueueSize`, `eventQueue.maxConcurrency`
 - inbound worker: `inboundWorker.runTimeoutMs`
+- gateway metadata: `gatewayInfoTimeoutMs`
 - reply/history: `replyToMode`, `historyLimit`, `dmHistoryLimit`, `dms.*.historyLimit`
 - delivery: `textChunkLimit`, `chunkMode`, `maxLinesPerMessage`
 - streaming: `streaming` (legacy alias: `streamMode`), `streaming.preview.toolProgress`, `draftChunk`, `blockStreaming`, `blockStreamingCoalesce`

docs/channels/group-messages.md

@@ -81,7 +81,7 @@ Only the owner number (from `channels.whatsapp.allowFrom`, or the bot’s own E.
 - Heartbeats are intentionally skipped for groups to avoid noisy broadcasts.
 - Echo suppression uses the combined batch string; if you send identical text twice without mentions, only the first will get a response.
 - Session store entries will appear as `agent:<agentId>:whatsapp:group:<jid>` in the session store (`~/.openclaw/agents/<agentId>/sessions/sessions.json` by default); a missing entry just means the group hasn’t triggered a run yet.
-- Typing indicators in groups follow `agents.defaults.typingMode` (default: `message` when unmentioned).
+- Typing indicators in groups follow `agents.defaults.typingMode`. When visible replies use the default message-tool-only mode, typing starts immediately by default so group members can see the agent is working even if no automatic final reply is posted. Explicit typing-mode config still wins.
 
 ## Related
 

docs/channels/groups.md

@@ -45,6 +45,8 @@ That means the agent still processes the turn and can update memory/session stat
 
 This replaces the old pattern of forcing the model to answer `NO_REPLY` for most lurk-mode turns. In tool-only mode, doing nothing visible simply means not calling the message tool.
 
+Typing indicators are still sent while the agent works in tool-only mode. The default group typing mode is upgraded from "message" to "instant" for these turns because there may never be normal assistant message text before the agent decides whether to call the message tool. Explicit typing-mode config still wins.
+
 To restore legacy automatic final replies for group/channel rooms:
 
 ```json5
@@ -57,6 +59,8 @@ To restore legacy automatic final replies for group/channel rooms:
 }
 ```
 
+Native slash commands (Discord, Telegram, and other surfaces with native command support) bypass `visibleReplies: "message_tool"` and always reply visibly so the channel-native command UI gets the response it expects. This applies to validated native command turns only; text-typed `/...` commands and ordinary chat turns still follow the configured group default.
+
 ## Context visibility and allowlists
 
 Two different controls are involved in group safety:

docs/channels/index.md

@@ -44,6 +44,7 @@ Text is supported everywhere; media and reactions vary by channel.
 - [WebChat](/web/webchat) — Gateway WebChat UI over WebSocket.
 - [WeChat](/channels/wechat) — Tencent iLink Bot plugin via QR login; private chats only (external plugin).
 - [WhatsApp](/channels/whatsapp) — Most popular; uses Baileys and requires QR pairing.
+- [Yuanbao](/channels/yuanbao) — Tencent Yuanbao bot (external plugin).
 - [Zalo](/channels/zalo) — Zalo Bot API; Vietnam's popular messenger (bundled plugin).
 - [Zalo Personal](/channels/zalouser) — Zalo personal account via QR login (bundled plugin).
 

docs/channels/pairing.md

@@ -7,7 +7,7 @@ read_when:
 title: "Pairing"
 ---
 
-“Pairing” is OpenClaw’s explicit **owner approval** step.
+“Pairing” is OpenClaw’s explicit access approval step.
 It is used in two places:
 
 1. **DM pairing** (who is allowed to talk to the bot)
@@ -34,6 +34,12 @@ openclaw pairing list telegram
 openclaw pairing approve telegram <CODE>
 ```
 
+If no command owner is configured yet, approving a DM pairing code also bootstraps
+`commands.ownerAllowFrom` to the approved sender, such as `telegram:123456789`.
+That gives first-time setups an explicit owner for privileged commands and exec
+approval prompts. After an owner exists, later pairing approvals only grant DM
+access; they do not add more owners.
+
 Supported channels: `bluebubbles`, `discord`, `feishu`, `googlechat`, `imessage`, `irc`, `line`, `matrix`, `mattermost`, `msteams`, `nextcloud-talk`, `nostr`, `openclaw-weixin`, `signal`, `slack`, `synology-chat`, `telegram`, `twitch`, `whatsapp`, `zalo`, `zalouser`.
 
 ### Where the state lives
@@ -53,7 +59,12 @@ Account scoping behavior:
 Treat these as sensitive (they gate access to your assistant).
 
 <Note>
-This store is for DM access. Group authorization is separate. Approving a DM pairing code does not automatically allow that sender to run group commands or control the bot in groups. For group access, configure the channel's explicit group allowlists (for example `groupAllowFrom`, `groups`, or per-group or per-topic overrides depending on the channel).
+The pairing allowlist store is for DM access. Group authorization is separate.
+Approving a DM pairing code does not automatically allow that sender to run group
+commands or control the bot in groups. First-owner bootstrap is separate config
+state in `commands.ownerAllowFrom`, and group chat delivery still follows the
+channel's group allowlists (for example `groupAllowFrom`, `groups`, or per-group
+or per-topic overrides depending on the channel).
 </Note>
 
 ## 2) Node device pairing (iOS/Android/macOS/headless nodes)

docs/channels/slack.md

@@ -117,6 +117,27 @@ openclaw gateway
   </Tab>
 </Tabs>
 
+## Socket Mode transport tuning
+
+OpenClaw sets the Slack SDK client pong timeout to 15 seconds by default for Socket Mode. Override the transport settings only when you need workspace- or host-specific tuning:
+
+```json5
+{
+  channels: {
+    slack: {
+      mode: "socket",
+      socketMode: {
+        clientPingTimeout: 20000,
+        serverPingTimeout: 30000,
+        pingPongLoggingEnabled: false,
+      },
+    },
+  },
+}
+```
+
+Use this only for Socket Mode workspaces that log Slack websocket pong/server-ping timeouts or run on hosts with known event-loop starvation. `clientPingTimeout` is the pong wait after the SDK sends a client ping; `serverPingTimeout` is the wait for Slack server pings. App messages and events remain application state, not transport liveness signals.
+
 ## Manifest and scope checklist
 
 The base Slack app manifest is the same for Socket Mode and HTTP Request URLs. Only the `settings` block (and the slash command `url`) differs.
@@ -611,6 +632,8 @@ Notes:
   <Accordion title="Inbound attachments">
     Slack file attachments are downloaded from Slack-hosted private URLs (token-authenticated request flow) and written to the media store when fetch succeeds and size limits permit. File placeholders include the Slack `fileId` so agents can fetch the original file with `download-file`.
 
+    Downloads use bounded idle and total timeouts. If Slack file retrieval stalls or fails, OpenClaw keeps processing the message and falls back to the file placeholder.
+
     Runtime inbound size cap defaults to `20MB` unless overridden by `channels.slack.mediaMaxMb`.
 
   </Accordion>

docs/channels/telegram.md

@@ -111,6 +111,8 @@ Token resolution order is account-aware. In practice, config values win over env
     - `open` (requires `allowFrom` to include `"*"`)
     - `disabled`
 
+    `dmPolicy: "open"` with `allowFrom: ["*"]` lets any Telegram account that finds or guesses the bot username command the bot. Use it only for intentionally public bots with tightly restricted tools; one-owner bots should use `allowlist` with numeric user IDs.
+
     `channels.telegram.allowFrom` accepts numeric Telegram user IDs. `telegram:` / `tg:` prefixes are accepted and normalized.
     `dmPolicy: "allowlist"` with empty `allowFrom` blocks all DMs and is rejected by config validation.
     Setup asks for numeric user IDs only.
@@ -120,8 +122,9 @@ Token resolution order is account-aware. In practice, config values win over env
     For one-owner bots, prefer `dmPolicy: "allowlist"` with explicit numeric `allowFrom` IDs to keep access policy durable in config (instead of depending on previous pairing approvals).
 
     Common confusion: DM pairing approval does not mean "this sender is authorized everywhere".
-    Pairing grants DM access only. Group sender authorization still comes from explicit config allowlists.
-    If you want "I am authorized once and both DMs and group commands work", put your numeric Telegram user ID in `channels.telegram.allowFrom`.
+    Pairing grants DM access. If no command owner exists yet, the first approved pairing also sets `commands.ownerAllowFrom` so owner-only commands and exec approvals have an explicit operator account.
+    Group sender authorization still comes from explicit config allowlists.
+    If you want "I am authorized once and both DMs and group commands work", put your numeric Telegram user ID in `channels.telegram.allowFrom`; for owner-only commands, make sure `commands.ownerAllowFrom` contains `telegram:<your user id>`.
 
     ### Finding your Telegram user ID
 
@@ -295,7 +298,7 @@ curl "https://api.telegram.org/bot<bot_token>/getUpdates"
     }
     ```
 
-    Use `streaming.mode: "off"` only when you want to disable Telegram preview edits entirely. Use `streaming.preview.toolProgress: false` when you only want to disable the tool-progress status lines.
+    Use `streaming.mode: "off"` only when you want final-only delivery: Telegram preview edits are disabled and generic tool/progress chatter is suppressed instead of being sent as standalone "Working..." messages. Approval prompts, media payloads, and errors still route through normal final delivery. Use `streaming.preview.toolProgress: false` when you only want to keep answer preview edits while hiding the tool-progress status lines.
 
     For text-only replies:
 
@@ -775,7 +778,7 @@ openclaw message poll --channel telegram --target -1001234567890:topic:42 \
     Config path:
 
     - `channels.telegram.execApprovals.enabled` (auto-enables when at least one approver is resolvable)
-    - `channels.telegram.execApprovals.approvers` (falls back to numeric owner IDs from `allowFrom` / `defaultTo`)
+    - `channels.telegram.execApprovals.approvers` (falls back to numeric owner IDs from `commands.ownerAllowFrom`, `allowFrom`, or `defaultTo`)
     - `channels.telegram.execApprovals.target`: `dm` (default) | `channel` | `both`
     - `agentFilter`, `sessionFilter`
 

docs/channels/troubleshooting.md

@@ -31,12 +31,12 @@ Healthy baseline:
 
 ### WhatsApp failure signatures
 
-| Symptom                         | Fastest check                                       | Fix                                                      |
-| ------------------------------- | --------------------------------------------------- | -------------------------------------------------------- |
-| Connected but no DM replies     | `openclaw pairing list whatsapp`                    | Approve sender or switch DM policy/allowlist.            |
-| Group messages ignored          | Check `requireMention` + mention patterns in config | Mention the bot or relax mention policy for that group.  |
-| QR login times out with 408     | Check gateway `HTTPS_PROXY` / `HTTP_PROXY` env      | Set a reachable proxy; use `NO_PROXY` only for bypasses. |
-| Random disconnect/relogin loops | `openclaw channels status --probe` + logs           | Re-login and verify credentials directory is healthy.    |
+| Symptom                         | Fastest check                                       | Fix                                                                                                                              |
+| ------------------------------- | --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- |
+| Connected but no DM replies     | `openclaw pairing list whatsapp`                    | Approve sender or switch DM policy/allowlist.                                                                                    |
+| Group messages ignored          | Check `requireMention` + mention patterns in config | Mention the bot or relax mention policy for that group.                                                                          |
+| QR login times out with 408     | Check gateway `HTTPS_PROXY` / `HTTP_PROXY` env      | Set a reachable proxy; use `NO_PROXY` only for bypasses.                                                                         |
+| Random disconnect/relogin loops | `openclaw channels status --probe` + logs           | Recent reconnects are flagged even when currently connected; watch logs, restart the gateway, then relink if flapping continues. |
 
 Full troubleshooting: [WhatsApp troubleshooting](/channels/whatsapp#troubleshooting)
 

docs/channels/whatsapp.md

@@ -147,6 +147,7 @@ OpenClaw recommends running WhatsApp on a separate number when possible. (The ch
 
 - Gateway owns the WhatsApp socket and reconnect loop.
 - The reconnect watchdog uses WhatsApp Web transport activity, not only inbound app-message volume, so a quiet linked-device session is not restarted solely because nobody has sent a message recently. A longer application-silence cap still forces a reconnect if transport frames keep arriving but no application messages are handled for the watchdog window.
+- Baileys socket timings are explicit under `web.whatsapp.*`: `keepAliveIntervalMs` controls WhatsApp Web application pings, `connectTimeoutMs` controls the opening handshake timeout, and `defaultQueryTimeoutMs` controls Baileys query timeouts.
 - Outbound sends require an active WhatsApp listener for the target account.
 - Status and broadcast chats are ignored (`@status`, `@broadcast`).
 - Direct chats use DM session rules (`session.dmScope`; default `main` collapses DMs to the agent main session).
@@ -520,6 +521,23 @@ Behavior notes:
     restarts when WhatsApp Web transport activity stops, the socket closes, or
     application-level activity stays silent beyond the longer safety window.
 
+    If logs show repeated `status=408 Request Time-out Connection was lost`, tune
+    Baileys socket timings under `web.whatsapp`. Start by shortening
+    `keepAliveIntervalMs` below your network's idle timeout and increasing
+    `connectTimeoutMs` on slow or lossy links:
+
+    ```json5
+    {
+      web: {
+        whatsapp: {
+          keepAliveIntervalMs: 15000,
+          connectTimeoutMs: 60000,
+          defaultQueryTimeoutMs: 60000,
+        },
+      },
+    }
+    ```
+
     Fix:
 
     ```bash
@@ -643,7 +661,7 @@ High-signal WhatsApp fields:
 - access: `dmPolicy`, `allowFrom`, `groupPolicy`, `groupAllowFrom`, `groups`
 - delivery: `textChunkLimit`, `chunkMode`, `mediaMaxMb`, `sendReadReceipts`, `ackReaction`, `reactionLevel`
 - multi-account: `accounts.<id>.enabled`, `accounts.<id>.authDir`, account-level overrides
-- operations: `configWrites`, `debounceMs`, `web.enabled`, `web.heartbeatSeconds`, `web.reconnect.*`
+- operations: `configWrites`, `debounceMs`, `web.enabled`, `web.heartbeatSeconds`, `web.reconnect.*`, `web.whatsapp.*`
 - session behavior: `session.dmScope`, `historyLimit`, `dmHistoryLimit`, `dms.<id>.historyLimit`
 - prompts: `groups.<id>.systemPrompt`, `groups["*"].systemPrompt`, `direct.<id>.systemPrompt`, `direct["*"].systemPrompt`
 

docs/ci.md

@@ -230,16 +230,43 @@ or overlapping changed hunks.
 The `CodeQL` workflow is intentionally a narrow first-pass security scanner,
 not the full repository sweep. Daily and manual runs scan Actions workflow code
 plus the highest-risk JavaScript/TypeScript auth, secrets, sandbox, cron, and
-gateway surfaces with high-precision security queries. Android and macOS remain
-manual security shards so their runtime and alert quality can be tracked
-separately.
+gateway surfaces with high-precision security queries. The
+channel-runtime-boundary job separately scans core channel implementation
+contracts plus the channel plugin runtime, gateway, Plugin SDK, secrets, and
+audit touchpoints under the `/codeql-critical-security/channel-runtime-boundary`
+category so channel security signal can scale without broadening the baseline
+JS/TS category.
+
+The `CodeQL Android Critical Security` workflow is the scheduled Android
+security shard. It builds the Android app manually for CodeQL on the smallest
+Blacksmith Linux runner label accepted by workflow sanity and uploads results
+under the `/codeql-critical-security/android` category.
+
+The `CodeQL macOS Critical Security` workflow is the weekly/manual macOS
+security shard. It builds the macOS app manually for CodeQL on Blacksmith macOS,
+filters dependency build results out of the uploaded SARIF, and uploads results
+under the `/codeql-critical-security/macos` category. Keep it outside the daily
+default workflow because the macOS build dominates runtime even when clean.
 
 The `CodeQL Critical Quality` workflow is the matching non-security shard. It
 runs only error-severity, non-security JavaScript/TypeScript quality queries
-over the same narrow auth, secrets, sandbox, cron, and gateway surface. Keep it
-separate from the security workflow so quality findings can be scheduled,
-measured, disabled, or expanded without obscuring security signal. Swift,
-Android, Python, UI, and bundled-plugin CodeQL expansion should be added back as
+over narrow high-value surfaces. Its baseline job scans the same auth, secrets,
+sandbox, cron, and gateway surface as the security workflow. The config-boundary
+job scans config schema, migration, normalization, and IO contracts under the
+separate `/codeql-critical-quality/config-boundary` category. The
+gateway-runtime-boundary job scans gateway protocol schemas and server method
+contracts under the separate
+`/codeql-critical-quality/gateway-runtime-boundary` category. The
+channel-runtime-boundary job scans core channel implementation contracts under
+the separate `/codeql-critical-quality/channel-runtime-boundary` category. The
+agent-runtime-boundary job scans command execution, model/provider dispatch,
+auto-reply dispatch and queues, and ACP control-plane runtime contracts under
+the separate `/codeql-critical-quality/agent-runtime-boundary` category. The
+plugin-boundary job scans loader, registry, public-surface, and Plugin SDK
+entrypoint contracts under a separate `/codeql-critical-quality/plugin-boundary`
+category. Keep the workflow separate from security so quality findings can be
+scheduled, measured, disabled, or expanded without obscuring security signal.
+Swift, Python, UI, and bundled-plugin CodeQL expansion should be added back as
 scoped or sharded follow-up work only after the narrow profiles have stable
 runtime and signal.
 

docs/cli/cron.md

@@ -183,6 +183,12 @@ Announce to a specific channel:
 openclaw cron edit <job-id> --announce --channel slack --to "channel:C1234567890"
 ```
 
+Announce to a Telegram forum topic:
+
+```bash
+openclaw cron edit <job-id> --announce --channel telegram --to "-1001234567890" --thread-id 42
+```
+
 Create an isolated job with lightweight bootstrap context:
 
 ```bash

docs/cli/doctor.md

@@ -51,6 +51,7 @@ Notes:
 - Doctor auto-migrates legacy flat Talk config (`talk.voiceId`, `talk.modelId`, and friends) into `talk.provider` + `talk.providers.<provider>`.
 - Repeat `doctor --fix` runs no longer report/apply Talk normalization when the only difference is object key order.
 - Doctor includes a memory-search readiness check and can recommend `openclaw configure --section model` when embedding credentials are missing.
+- Doctor warns when no command owner is configured. The command owner is the human operator account allowed to run owner-only commands and approve dangerous actions. DM pairing only lets someone talk to the bot; if you approved a sender before first-owner bootstrap existed, set `commands.ownerAllowFrom` explicitly.
 - If sandbox mode is enabled but Docker is unavailable, doctor reports a high-signal warning with remediation (`install Docker` or `openclaw config set agents.defaults.sandbox.mode off`).
 - If `gateway.auth.token`/`gateway.auth.password` are SecretRef-managed and unavailable in the current command path, doctor reports a read-only warning and does not write plaintext fallback credentials.
 - If channel SecretRef inspection fails in a fix path, doctor continues and reports a warning instead of exiting early.

docs/cli/gateway.md

@@ -145,7 +145,7 @@ When you set `--url`, the CLI does not fall back to config or environment creden
 openclaw gateway health --url ws://127.0.0.1:18789
 ```
 
-The HTTP `/healthz` endpoint is a liveness probe: it returns once the server can answer HTTP. The HTTP `/readyz` endpoint is stricter and stays red while startup sidecars, channels, or configured hooks are still settling.
+The HTTP `/healthz` endpoint is a liveness probe: it returns once the server can answer HTTP. The HTTP `/readyz` endpoint is stricter and stays red while startup sidecars, channels, or configured hooks are still settling. Local or authenticated detailed readiness responses include an `eventLoop` diagnostic block with event-loop delay, event-loop utilization, CPU core ratio, and a `degraded` flag.
 
 ### `gateway usage-cost`
 
@@ -323,6 +323,7 @@ openclaw gateway probe --json
     - `Capability: read-only|write-capable|admin-capable|pairing-pending|connect-only` reports what the probe could prove about auth. It is separate from reachability.
     - `Read probe: ok` means read-scope detail RPC calls (`health`/`status`/`system-presence`/`config.get`) also succeeded.
     - `Read probe: limited - missing scope: operator.read` means connect succeeded but read-scope RPC is limited. This is reported as **degraded** reachability, not full failure.
+    - `Read probe: failed` after `Connect: ok` means the Gateway accepted the WebSocket connection, but follow-up read diagnostics timed out or failed. This is also **degraded** reachability, not an unreachable Gateway.
     - Like `gateway status`, probe reuses existing cached device auth but does not create first-time device identity or pairing state.
     - Exit code is non-zero only when no probed target is reachable.
 
@@ -331,7 +332,7 @@ openclaw gateway probe --json
     Top level:
 
     - `ok`: at least one target is reachable.
-    - `degraded`: at least one target had scope-limited detail RPC.
+    - `degraded`: at least one target accepted a connection but did not complete full detail RPC diagnostics.
     - `capability`: best capability seen across reachable targets (`read_only`, `write_capable`, `admin_capable`, `pairing_pending`, `connected_no_operator_scope`, or `unknown`).
     - `primaryTargetId`: best target to treat as the active winner in this order: explicit URL, SSH tunnel, configured remote, then local loopback.
     - `warnings[]`: best-effort warning records with `code`, `message`, and optional `targetIds`.

docs/cli/infer.md

@@ -107,18 +107,19 @@ and the shared capability runtime before the provider request is made.
 
 This table maps common inference tasks to the corresponding infer command.
 
-| Task                    | Command                                                                | Notes                                                 |
-| ----------------------- | ---------------------------------------------------------------------- | ----------------------------------------------------- |
-| Run a text/model prompt | `openclaw infer model run --prompt "..." --json`                       | Uses the normal local path by default                 |
-| Generate an image       | `openclaw infer image generate --prompt "..." --json`                  | Use `image edit` when starting from an existing file  |
-| Describe an image file  | `openclaw infer image describe --file ./image.png --json`              | `--model` must be an image-capable `<provider/model>` |
-| Transcribe audio        | `openclaw infer audio transcribe --file ./memo.m4a --json`             | `--model` must be `<provider/model>`                  |
-| Synthesize speech       | `openclaw infer tts convert --text "..." --output ./speech.mp3 --json` | `tts status` is gateway-oriented                      |
-| Generate a video        | `openclaw infer video generate --prompt "..." --json`                  | Supports provider hints such as `--resolution`        |
-| Describe a video file   | `openclaw infer video describe --file ./clip.mp4 --json`               | `--model` must be `<provider/model>`                  |
-| Search the web          | `openclaw infer web search --query "..." --json`                       |                                                       |
-| Fetch a web page        | `openclaw infer web fetch --url https://example.com --json`            |                                                       |
-| Create embeddings       | `openclaw infer embedding create --text "..." --json`                  |                                                       |
+| Task                         | Command                                                                                       | Notes                                                 |
+| ---------------------------- | --------------------------------------------------------------------------------------------- | ----------------------------------------------------- |
+| Run a text/model prompt      | `openclaw infer model run --prompt "..." --json`                                              | Uses the normal local path by default                 |
+| Run a model prompt on images | `openclaw infer model run --prompt "Describe this" --file ./image.png --model provider/model` | Repeat `--file` for multiple image inputs             |
+| Generate an image            | `openclaw infer image generate --prompt "..." --json`                                         | Use `image edit` when starting from an existing file  |
+| Describe an image file       | `openclaw infer image describe --file ./image.png --prompt "..." --json`                      | `--model` must be an image-capable `<provider/model>` |
+| Transcribe audio             | `openclaw infer audio transcribe --file ./memo.m4a --json`                                    | `--model` must be `<provider/model>`                  |
+| Synthesize speech            | `openclaw infer tts convert --text "..." --output ./speech.mp3 --json`                        | `tts status` is gateway-oriented                      |
+| Generate a video             | `openclaw infer video generate --prompt "..." --json`                                         | Supports provider hints such as `--resolution`        |
+| Describe a video file        | `openclaw infer video describe --file ./clip.mp4 --json`                                      | `--model` must be `<provider/model>`                  |
+| Search the web               | `openclaw infer web search --query "..." --json`                                              |                                                       |
+| Fetch a web page             | `openclaw infer web fetch --url https://example.com --json`                                   |                                                       |
+| Create embeddings            | `openclaw infer embedding create --text "..." --json`                                         |                                                       |
 
 ## Behavior
 
@@ -131,7 +132,10 @@ This table maps common inference tasks to the corresponding infer command.
 - Gateway-managed state commands default to gateway.
 - The normal local path does not require the gateway to be running.
 - Local `model run` is a lean one-shot provider completion. It resolves the configured agent model and auth, but does not start a chat-agent turn, load tools, or open bundled MCP servers.
-- `model run --gateway` exercises Gateway routing, saved auth, provider selection, and the embedded runtime, but still runs as a raw model probe: it sends the supplied prompt without prior session transcript, bootstrap/AGENTS context, context-engine assembly, tools, or bundled MCP servers.
+- `model run --file` accepts image files, detects their MIME type, and sends them with the supplied prompt to the selected model. Repeat `--file` for multiple images.
+- `model run --file` rejects non-image inputs. Use `infer audio transcribe` for audio files and `infer video describe` for video files.
+- `model run --gateway` exercises Gateway routing, saved auth, provider selection, and the embedded runtime, but still runs as a raw model probe: it sends the supplied prompt and any image attachments without prior session transcript, bootstrap/AGENTS context, context-engine assembly, tools, or bundled MCP servers.
+- `model run --gateway --model <provider/model>` requires a trusted operator gateway credential because the request asks the Gateway to run a one-off provider/model override.
 
 ## Model
 
@@ -139,7 +143,8 @@ Use `model` for provider-backed text inference and model/provider inspection.
 
 ```bash
 openclaw infer model run --prompt "Reply with exactly: smoke-ok" --json
-openclaw infer model run --prompt "Summarize this changelog entry" --provider openai --json
+openclaw infer model run --prompt "Summarize this changelog entry" --model openai/gpt-5.4 --json
+openclaw infer model run --prompt "Describe this image in one sentence" --file ./photo.jpg --model google/gemini-2.5-flash --json
 openclaw infer model providers --json
 openclaw infer model inspect --name gpt-5.5 --json
 ```
@@ -154,11 +159,15 @@ openclaw infer model run --local --model google/gemini-2.5-flash --prompt "Reply
 openclaw infer model run --local --model groq/llama-3.1-8b-instant --prompt "Reply with exactly: pong" --json
 openclaw infer model run --local --model mistral/mistral-small-latest --prompt "Reply with exactly: pong" --json
 openclaw infer model run --local --model openai/gpt-4.1 --prompt "Reply with exactly: pong" --json
+openclaw infer model run --local --model ollama/qwen2.5vl:7b --prompt "Describe this image." --file ./photo.jpg --json
 ```
 
 Notes:
 
 - Local `model run` is the narrowest CLI smoke for provider/model/auth health because it sends only the supplied prompt to the selected model.
+- Local `model run --file` keeps that lean path and attaches image content directly to the single user message. Common image files such as PNG, JPEG, and WebP work when their MIME type is detected as `image/*`; unsupported or unrecognized files fail before the provider is called.
+- `model run --file` is best when you want to test the selected multimodal text model directly. Use `infer image describe` when you want OpenClaw's image-understanding provider selection and default image-model routing.
+- The selected model must support image input; text-only models may reject the request at the provider layer.
 - `model run --prompt` must contain non-whitespace text; empty prompts are rejected before local providers or the Gateway are called.
 - Local `model run` exits non-zero when the provider returns no text output, so unreachable local providers and empty completions do not look like successful probes.
 - Use `model run --gateway` when you need to test Gateway routing, agent-runtime setup, or Gateway-managed provider state while keeping the model input raw. Use `openclaw agent` or chat surfaces when you want the full agent context, tools, memory, and session transcript.
@@ -176,8 +185,10 @@ openclaw infer image generate --prompt "slow image backend" --timeout-ms 180000
 openclaw infer image edit --file ./logo.png --model openai/gpt-image-1.5 --output-format png --background transparent --prompt "keep the logo, remove the background" --json
 openclaw infer image edit --file ./poster.png --prompt "make this a vertical story ad" --size 2160x3840 --aspect-ratio 9:16 --resolution 4K --json
 openclaw infer image describe --file ./photo.jpg --json
+openclaw infer image describe --file ./receipt.jpg --prompt "Extract the merchant, date, and total" --json
+openclaw infer image describe-many --file ./before.png --file ./after.png --prompt "Compare the screenshots and list visible UI changes" --json
 openclaw infer image describe --file ./ui-screenshot.png --model openai/gpt-4.1-mini --json
-openclaw infer image describe --file ./photo.jpg --model ollama/qwen2.5vl:7b --json
+openclaw infer image describe --file ./photo.jpg --model ollama/qwen2.5vl:7b --prompt "Describe the image in one sentence" --timeout-ms 300000 --json
 ```
 
 Notes:
@@ -208,6 +219,8 @@ Notes:
   output paths. When `--output` is set, the final extension may follow the
   provider's returned MIME type.
 
+- For `image describe` and `image describe-many`, use `--prompt` to give the vision model a task-specific instruction such as OCR, comparison, UI inspection, or concise captioning.
+- Use `--timeout-ms` with slow local vision models or cold Ollama starts.
 - For `image describe`, `--model` must be an image-capable `<provider/model>`.
 - For local Ollama vision models, pull the model first and set `OLLAMA_API_KEY` to any placeholder value, for example `ollama-local`. See [Ollama](/providers/ollama#vision-and-image-description).
 

docs/cli/pairing.md

@@ -57,12 +57,19 @@ Options:
 - `--account <accountId>`: account id for multi-account channels
 - `--notify`: send a confirmation back to the requester on the same channel
 
+Owner bootstrap:
+
+- If `commands.ownerAllowFrom` is empty when you approve a pairing code, OpenClaw also records the approved sender as the command owner, using a channel-scoped entry such as `telegram:123456789`.
+- This only bootstraps the first owner. Later pairing approvals do not replace or expand `commands.ownerAllowFrom`.
+- The command owner is the human operator account allowed to run owner-only commands and approve dangerous actions such as `/diagnostics`, `/export-trajectory`, `/config`, and exec approvals.
+
 ## Notes
 
 - Channel input: pass it positionally (`pairing list telegram`) or with `--channel <channel>`.
 - `pairing list` supports `--account <accountId>` for multi-account channels.
 - `pairing approve` supports `--account <accountId>` and `--notify`.
 - If only one pairing-capable channel is configured, `pairing approve <code>` is allowed.
+- If you approved a sender before this bootstrap existed, run `openclaw doctor`; it warns when no command owner is configured and shows the `openclaw config set commands.ownerAllowFrom ...` command to fix it.
 
 ## Related
 

docs/cli/plugins.md

@@ -48,6 +48,10 @@ openclaw plugins marketplace list <marketplace>
 openclaw plugins marketplace list <marketplace> --json
 ```
 
+For slow install, inspect, uninstall, or registry-refresh investigation, run the
+command with `OPENCLAW_PLUGIN_LIFECYCLE_TRACE=1`. The trace writes phase timings
+to stderr and keeps JSON output parseable. See [Debugging](/help/debugging#plugin-lifecycle-trace).
+
 <Note>
 Bundled plugins ship with OpenClaw. Some are enabled by default (for example bundled model providers, bundled speech providers, and the bundled browser plugin); others require `plugins enable`.
 

docs/cli/sessions.md

@@ -26,6 +26,17 @@ Scope selection:
 - `--all-agents`: aggregate all configured agent stores
 - `--store <path>`: explicit store path (cannot be combined with `--agent` or `--all-agents`)
 
+Export a trajectory bundle for a stored session:
+
+```bash
+openclaw sessions export-trajectory --session-key "agent:main:telegram:direct:123" --workspace .
+openclaw sessions export-trajectory --session-key "agent:main:telegram:direct:123" --output bug-123 --json
+```
+
+This is the command path used by the `/export-trajectory` slash command after
+the owner approves the exec request. The output directory is always resolved
+inside `.openclaw/trajectory-exports/` under the selected workspace.
+
 `openclaw sessions --all-agents` reads configured agent stores. Gateway and ACP
 session discovery are broader: they also include disk-only stores found under
 the default `agents/` root or a templated `session.store` root. Those

docs/cli/wiki.md

@@ -68,10 +68,18 @@ Inspect current vault mode, health, and Obsidian CLI availability.
 Use this first when you are unsure whether the vault is initialized, bridge mode
 is healthy, or Obsidian integration is available.
 
+When bridge mode is active and configured to read memory artifacts, this command
+queries the running Gateway so it sees the same active memory plugin context as
+agent/runtime memory.
+
 ### `wiki doctor`
 
 Run wiki health checks and surface configuration or vault problems.
 
+When bridge mode is active and configured to read memory artifacts, this command
+queries the running Gateway before building the report. Disabled bridge imports
+and bridge configs that do not read memory artifacts remain local/offline.
+
 Typical issues include:
 
 - bridge mode enabled without public memory artifacts
@@ -168,6 +176,11 @@ source pages.
 Use this in `bridge` mode when you want the latest exported memory artifacts
 pulled into the wiki vault.
 
+For active bridge artifact reads, the CLI routes the import through Gateway RPC
+so the import uses the runtime memory plugin context. If bridge imports are
+disabled or artifact reads are turned off, the command keeps the local/offline
+zero-import behavior.
+
 ### `wiki unsafe-local import`
 
 Import from explicitly configured local paths in `unsafe-local` mode.

docs/concepts/active-memory.md

@@ -80,7 +80,7 @@ because it follows your existing provider, auth, and model preferences.
 If you want Active Memory to feel faster, use a dedicated inference model
 instead of borrowing the main chat model. Recall quality matters, but latency
 matters more than for the main answer path, and Active Memory's tool surface
-is narrow (it only calls `memory_search` and `memory_get`).
+is narrow (it only calls available memory recall tools).
 
 Good fast-model options:
 
@@ -256,6 +256,34 @@ allowedChatTypes: ["direct", "group"]
 allowedChatTypes: ["direct", "group", "channel"]
 ```
 
+For narrower rollout, use `config.allowedChatIds` and
+`config.deniedChatIds` after choosing the allowed session types.
+
+`allowedChatIds` is an explicit allowlist of resolved conversation ids. When it
+is non-empty, Active Memory only runs when the session's conversation id is in
+that list. This narrows every allowed chat type at once, including direct
+messages. If you want all direct messages plus only specific groups, include
+the direct peer ids in `allowedChatIds` or keep `allowedChatTypes` focused on
+the group/channel rollout you are testing.
+
+`deniedChatIds` is an explicit denylist. It always wins over
+`allowedChatTypes` and `allowedChatIds`, so a matching conversation is skipped
+even when its session type is otherwise allowed.
+
+The ids come from the persistent channel session key: for example Feishu
+`chat_id` / `open_id`, Telegram chat id, or Slack channel id. Matching is
+case-insensitive. If `allowedChatIds` is non-empty and OpenClaw cannot resolve a
+conversation id for the session, Active Memory skips the turn instead of
+guessing.
+
+Example:
+
+```json5
+allowedChatTypes: ["direct", "group"],
+allowedChatIds: ["ou_operator_open_id", "oc_small_ops_group"],
+deniedChatIds: ["oc_large_public_group"]
+```
+
 ## Where it runs
 
 Active memory is a conversational enrichment feature, not a platform-wide
@@ -304,8 +332,9 @@ flowchart LR
   I --> M["Main Reply"]
 ```
 
-The blocking memory sub-agent can use only:
+The blocking memory sub-agent can use only the available memory recall tools:
 
+- `memory_recall`
 - `memory_search`
 - `memory_get`
 
@@ -534,6 +563,9 @@ The most important fields are:
 | `enabled`                   | `boolean`                                                                                            | Enables the plugin itself                                                                              |
 | `config.agents`             | `string[]`                                                                                           | Agent ids that may use active memory                                                                   |
 | `config.model`              | `string`                                                                                             | Optional blocking memory sub-agent model ref; when unset, active memory uses the current session model |
+| `config.allowedChatTypes`   | `("direct" \| "group" \| "channel")[]`                                                               | Session types that may run Active Memory; defaults to direct-message style sessions                    |
+| `config.allowedChatIds`     | `string[]`                                                                                           | Optional per-conversation allowlist applied after `allowedChatTypes`; non-empty lists fail closed      |
+| `config.deniedChatIds`      | `string[]`                                                                                           | Optional per-conversation denylist that overrides allowed session types and allowed ids                |
 | `config.queryMode`          | `"message" \| "recent" \| "full"`                                                                    | Controls how much conversation the blocking memory sub-agent sees                                      |
 | `config.promptStyle`        | `"balanced" \| "strict" \| "contextual" \| "recall-heavy" \| "precision-heavy" \| "preference-only"` | Controls how eager or strict the blocking memory sub-agent is when deciding whether to return memory   |
 | `config.thinking`           | `"off" \| "minimal" \| "low" \| "medium" \| "high" \| "xhigh" \| "adaptive" \| "max"`                | Advanced thinking override for the blocking memory sub-agent; default `off` for speed                  |
@@ -547,14 +579,14 @@ The most important fields are:
 
 Useful tuning fields:
 
-| Key                           | Type     | Meaning                                                       |
-| ----------------------------- | -------- | ------------------------------------------------------------- |
-| `config.maxSummaryChars`      | `number` | Maximum total characters allowed in the active-memory summary |
-| `config.recentUserTurns`      | `number` | Prior user turns to include when `queryMode` is `recent`      |
-| `config.recentAssistantTurns` | `number` | Prior assistant turns to include when `queryMode` is `recent` |
-| `config.recentUserChars`      | `number` | Max chars per recent user turn                                |
-| `config.recentAssistantChars` | `number` | Max chars per recent assistant turn                           |
-| `config.cacheTtlMs`           | `number` | Cache reuse for repeated identical queries                    |
+| Key                           | Type     | Meaning                                                                            |
+| ----------------------------- | -------- | ---------------------------------------------------------------------------------- |
+| `config.maxSummaryChars`      | `number` | Maximum total characters allowed in the active-memory summary                      |
+| `config.recentUserTurns`      | `number` | Prior user turns to include when `queryMode` is `recent`                           |
+| `config.recentAssistantTurns` | `number` | Prior assistant turns to include when `queryMode` is `recent`                      |
+| `config.recentUserChars`      | `number` | Max chars per recent user turn                                                     |
+| `config.recentAssistantChars` | `number` | Max chars per recent assistant turn                                                |
+| `config.cacheTtlMs`           | `number` | Cache reuse for repeated identical queries (range: 1000-120000 ms; default: 15000) |
 
 ## Recommended setup
 
@@ -613,9 +645,10 @@ If active memory is too slow:
 
 ## Common issues
 
-Active Memory rides on the normal `memory_search` pipeline under
-`agents.defaults.memorySearch`, so most recall surprises are embedding-provider
-problems, not Active Memory bugs.
+Active Memory rides on the configured memory plugin's recall pipeline, so most
+recall surprises are embedding-provider problems, not Active Memory bugs. The
+default `memory-core` path uses `memory_search`; `memory-lancedb` uses
+`memory_recall`.
 
 <AccordionGroup>
   <Accordion title="Embedding provider switched or stopped working">

docs/concepts/agent-loop.md

@@ -162,6 +162,7 @@ surfaces, while Codex native hooks remain a separate lower-level Codex mechanism
 
 - `agent.wait` default: 30s (just the wait). `timeoutMs` param overrides.
 - Agent runtime: `agents.defaults.timeoutSeconds` default 172800s (48 hours); enforced in `runEmbeddedPiAgent` abort timer.
+- Stuck-session recovery: with diagnostics enabled, `diagnostics.stuckSessionWarnMs` detects long `processing` sessions. Active embedded runs, active reply operations, and active session-lane tasks remain warning-only by default; if diagnostics show no active work for the session, the watchdog releases the affected session lane so queued startup work can drain.
 - Model idle timeout: OpenClaw aborts a model request when no response chunks arrive before the idle window. `models.providers.<id>.timeoutSeconds` extends this idle watchdog for slow local/self-hosted providers; otherwise OpenClaw uses `agents.defaults.timeoutSeconds` when configured, capped at 120s by default. Cron-triggered runs with no explicit model or agent timeout disable the idle watchdog and rely on the cron outer timeout.
 - Provider HTTP request timeout: `models.providers.<id>.timeoutSeconds` applies to that provider's model HTTP fetches, including connect, headers, body, SDK request timeout, total guarded-fetch abort handling, and model stream idle watchdog. Use this for slow local/self-hosted providers such as Ollama before raising the whole agent runtime timeout.
 

docs/concepts/model-providers.md

@@ -674,6 +674,7 @@ Example (OpenAI‑compatible):
     - For slow local models or remote LAN/tailnet hosts, set `models.providers.<id>.timeoutSeconds`. This extends provider model HTTP request handling, including connect, headers, body streaming, and the total guarded-fetch abort, without increasing the whole agent runtime timeout.
     - If `baseUrl` is empty/omitted, OpenClaw keeps the default OpenAI behavior (which resolves to `api.openai.com`).
     - For safety, an explicit `compat.supportsDeveloperRole: true` is still overridden on non-native `openai-completions` endpoints.
+    - For `api: "anthropic-messages"` on non-direct endpoints (any provider other than canonical `anthropic`, or a custom `models.providers.anthropic.baseUrl` whose host is not a public `api.anthropic.com` endpoint), OpenClaw suppresses implicit Anthropic beta headers such as `claude-code-20250219`, `interleaved-thinking-2025-05-14`, and OAuth markers, so custom Anthropic-compatible proxies do not reject unsupported beta flags. Set `models.providers.<id>.headers["anthropic-beta"]` explicitly if your proxy needs specific beta features.
 
   </Accordion>
 </AccordionGroup>

docs/concepts/models.md

@@ -131,6 +131,12 @@ This happens **before** a normal reply is generated, so the message can feel lik
 
 </Warning>
 
+For local/GGUF models, store the full provider-prefixed ref in the allowlist,
+for example `ollama/gemma4:26b`, `lmstudio/Gemma4-26b-a4-it-gguf`, or the
+exact provider/model shown by `openclaw models list --provider <provider>`.
+Bare local filenames or display names are not enough when the allowlist is
+active.
+
 Example allowlist config:
 
 ```json5

docs/concepts/queue.md

@@ -85,6 +85,7 @@ Defaults: `debounceMs: 1000`, `cap: 20`, `drop: summarize`.
 
 - If commands seem stuck, enable verbose logs and look for “queued for …ms” lines to confirm the queue is draining.
 - If you need queue depth, enable verbose logs and watch for queue timing lines.
+- When diagnostics are enabled, sessions that remain in `processing` past `diagnostics.stuckSessionWarnMs` log a stuck-session warning. Active embedded runs, active reply operations, and active lane tasks remain warning-only by default; stale startup bookkeeping with no active session work can release the affected session lane so queued work drains.
 
 ## Related
 

docs/concepts/session-tool.md

@@ -93,6 +93,11 @@ the response:
   immediately.
 - **Wait for reply:** set a timeout and get the response inline.
 
+Messages and A2A follow-up replies are marked as inter-session data in the
+receiving prompt (`[Inter-session message ... isUser=false]`) and in transcript
+provenance. The receiving agent should treat them as tool-routed data, not as a
+direct end-user-authored instruction.
+
 After the target responds, OpenClaw can run a **reply-back loop** where the
 agents alternate messages (up to 5 turns). The target agent can reply
 `REPLY_SKIP` to stop early.

docs/concepts/streaming.md

@@ -191,7 +191,7 @@ Supported surfaces:
 - **Discord**, **Slack**, **Telegram**, and **Matrix** stream tool-progress into the live preview edit by default when preview streaming is active.
 - Telegram has shipped with tool-progress preview updates enabled since `v2026.4.22`; keeping them enabled preserves that released behavior.
 - **Mattermost** already folds tool activity into its single draft preview post (see above).
-- Tool-progress edits follow the active preview streaming mode; they are skipped when preview streaming is `off` or when block streaming has taken over the message.
+- Tool-progress edits follow the active preview streaming mode; they are skipped when preview streaming is `off` or when block streaming has taken over the message. On Telegram, `streaming.mode: "off"` is final-only: generic progress chatter is also suppressed instead of being delivered as standalone "Working..." messages, while approval prompts, media payloads, and errors still route normally.
 - To keep preview streaming but hide tool-progress lines, set `streaming.preview.toolProgress` to `false` for that channel. To disable preview edits entirely, set `streaming.mode` to `off`.
 
 Example:

docs/docs.json

@@ -1084,6 +1084,7 @@
                   "channels/wechat",
                   "channels/qqbot",
                   "channels/feishu",
+                  "channels/yuanbao",
                   "channels/zalo",
                   "channels/zalouser"
                 ]

docs/gateway/cli-backends.md

@@ -224,6 +224,27 @@ Serialization notes:
   rotation does not cut the stored CLI session. If a CLI does not expose a
   stable OAuth account id, OpenClaw lets that CLI enforce resume permissions.
 
+## Fallback prelude from claude-cli sessions
+
+When a `claude-cli` attempt fails over to a non-CLI candidate in
+[`agents.defaults.model.fallbacks`](/concepts/model-failover), OpenClaw seeds
+the next attempt with a context prelude harvested from Claude Code's local
+JSONL transcript at `~/.claude/projects/`. Without this seed, the fallback
+provider would start cold because OpenClaw's own session transcript is empty
+for `claude-cli` runs.
+
+- The prelude prefers the latest `/compact` summary or `compact_boundary`
+  marker, then appends the most recent post-boundary turns up to a char
+  budget. Pre-boundary turns are dropped because the summary already represents
+  them.
+- Tool blocks are coalesced to compact `(tool call: name)` and
+  `(tool result: …)` hints to keep the prompt budget honest. The summary is
+  labeled `(truncated)` if it overflows.
+- Same-provider `claude-cli` to `claude-cli` fallbacks rely on Claude's own
+  `--resume` and skip the prelude.
+- The seed reuses the existing Claude session-file path validation, so
+  arbitrary paths cannot be read.
+
 ## Images (pass-through)
 
 If your CLI accepts image paths, set `imageArg`:

docs/gateway/config-agents.md

@@ -125,8 +125,9 @@ knob.
   `agents.defaults.bootstrapTotalMaxChars`:
   normal workspace bootstrap injection.
 - `agents.defaults.startupContext.*`:
-  one-shot `/new` and `/reset` startup prelude, including recent daily
-  `memory/*.md` files.
+  one-shot reset/startup model-run prelude, including recent daily
+  `memory/*.md` files. Bare chat `/new` and `/reset` commands are
+  acknowledged without invoking the model.
 - `skills.limits.*`:
   the compact skills list injected into the system prompt.
 - `agents.defaults.contextLimits.*`:
@@ -142,8 +143,9 @@ budget:
 
 #### `agents.defaults.startupContext`
 
-Controls the first-turn startup prelude injected on bare `/new` and `/reset`
-runs.
+Controls the first-turn startup prelude injected on reset/startup model runs.
+Bare chat `/new` and `/reset` commands acknowledge the reset without invoking
+the model, so they do not load this prelude.
 
 ```json5
 {
@@ -340,6 +342,7 @@ Time format in system prompt. Default: `auto` (OS preference).
 - `imageModel`: accepts either a string (`"provider/model"`) or an object (`{ primary, fallbacks }`).
   - Used by the `image` tool path as its vision-model config.
   - Also used as fallback routing when the selected/default model cannot accept image input.
+  - Prefer explicit `provider/model` refs. Bare IDs are accepted for compatibility; if a bare ID uniquely matches a configured image-capable entry in `models.providers.*.models`, OpenClaw qualifies it to that provider. Ambiguous configured matches require an explicit provider prefix.
 - `imageGenerationModel`: accepts either a string (`"provider/model"`) or an object (`{ primary, fallbacks }`).
   - Used by the shared image-generation capability and any future tool/plugin surface that generates images.
   - Typical values: `google/gemini-3.1-flash-image-preview` for native Gemini image generation, `fal/fal-ai/flux/dev` for fal, `openai/gpt-image-2` for OpenAI Images, or `openai/gpt-image-1.5` for transparent-background OpenAI PNG/WebP output.

docs/gateway/config-channels.md

@@ -96,6 +96,13 @@ WhatsApp runs through the gateway's web channel (Baileys Web). It starts automat
 
 ```json5
 {
+  web: {
+    whatsapp: {
+      keepAliveIntervalMs: 25000,
+      connectTimeoutMs: 60000,
+      defaultQueryTimeoutMs: 60000,
+    },
+  },
   channels: {
     whatsapp: {
       dmPolicy: "pairing", // pairing | allowlist | open | disabled
@@ -390,6 +397,11 @@ WhatsApp runs through the gateway's web channel (Baileys Web). It starts automat
       enabled: true,
       botToken: "xoxb-...",
       appToken: "xapp-...",
+      socketMode: {
+        clientPingTimeout: 15000,
+        serverPingTimeout: 30000,
+        pingPongLoggingEnabled: false,
+      },
       dmPolicy: "pairing",
       allowFrom: ["U123", "U456", "*"],
       dm: { enabled: true, groupEnabled: false, groupChannels: ["G123"] },
@@ -448,6 +460,7 @@ WhatsApp runs through the gateway's web channel (Baileys Web). It starts automat
 
 - **Socket mode** requires both `botToken` and `appToken` (`SLACK_BOT_TOKEN` + `SLACK_APP_TOKEN` for default account env fallback).
 - **HTTP mode** requires `botToken` plus `signingSecret` (at root or per-account).
+- `socketMode` passes Slack SDK Socket Mode transport tuning through to the public Bolt receiver API. Use it only when investigating ping/pong timeout or stale websocket behavior.
 - `botToken`, `appToken`, `signingSecret`, and `userToken` accept plaintext
   strings or SecretRef objects.
 - Slack account snapshots expose per-credential source/status fields such as

docs/gateway/configuration-reference.md

@@ -441,6 +441,7 @@ See [Plugins](/tools/plugin).
 - Relay-backed registrations are delegated to a specific gateway identity. The paired iOS app fetches `gateway.identity.get`, includes that identity in the relay registration, and forwards a registration-scoped send grant to the gateway. Another gateway cannot reuse that stored registration.
 - `OPENCLAW_APNS_RELAY_BASE_URL` / `OPENCLAW_APNS_RELAY_TIMEOUT_MS`: temporary env overrides for the relay config above.
 - `OPENCLAW_APNS_RELAY_ALLOW_HTTP=true`: development-only escape hatch for loopback HTTP relay URLs. Production relay URLs should stay on HTTPS.
+- `gateway.handshakeTimeoutMs`: pre-auth Gateway WebSocket handshake timeout in milliseconds. Default: `15000`. `OPENCLAW_HANDSHAKE_TIMEOUT_MS` takes precedence when set. Increase this on loaded or low-powered hosts where local clients can connect while startup warmup is still settling.
 - `gateway.channelHealthCheckMinutes`: channel health-monitor interval in minutes. Set `0` to disable health-monitor restarts globally. Default: `5`.
 - `gateway.channelStaleEventThresholdMinutes`: stale-socket threshold in minutes. Keep this greater than or equal to `gateway.channelHealthCheckMinutes`. Default: `30`.
 - `gateway.channelMaxRestartsPerHour`: maximum health-monitor restarts per channel/account in a rolling hour. Default: `10`.
@@ -451,7 +452,7 @@ See [Plugins](/tools/plugin).
 - `trustedProxies`: reverse proxy IPs that terminate TLS or inject forwarded-client headers. Only list proxies you control. Loopback entries are still valid for same-host proxy/local-detection setups (for example Tailscale Serve or a local reverse proxy), but they do **not** make loopback requests eligible for `gateway.auth.mode: "trusted-proxy"`.
 - `allowRealIpFallback`: when `true`, the gateway accepts `X-Real-IP` if `X-Forwarded-For` is missing. Default `false` for fail-closed behavior.
 - `gateway.nodes.pairing.autoApproveCidrs`: optional CIDR/IP allowlist for auto-approving first-time node device pairing with no requested scopes. It is disabled when unset. This does not auto-approve operator/browser/Control UI/WebChat pairing, and it does not auto-approve role, scope, metadata, or public-key upgrades.
-- `gateway.nodes.allowCommands` / `gateway.nodes.denyCommands`: global allow/deny shaping for declared node commands after pairing and allowlist evaluation.
+- `gateway.nodes.allowCommands` / `gateway.nodes.denyCommands`: global allow/deny shaping for declared node commands after pairing and platform allowlist evaluation. Use `allowCommands` to opt into dangerous node commands such as `camera.snap`, `camera.clip`, and `screen.record`; `denyCommands` removes a command even if a platform default or explicit allow would otherwise include it. After a node changes its declared command list, reject and re-approve that device pairing so the gateway stores the updated command snapshot.
 - `gateway.tools.deny`: extra tool names blocked for HTTP `POST /tools/invoke` (extends default deny list).
 - `gateway.tools.allow`: remove tool names from the default HTTP deny list.
 

docs/gateway/configuration.md

@@ -270,6 +270,24 @@ cannot roll back unrelated user settings.
 
   </Accordion>
 
+  <Accordion title="Tune gateway WebSocket handshake timeout">
+    Give local clients more time to complete the pre-auth WebSocket handshake on
+    loaded or low-powered hosts:
+
+    ```json5
+    {
+      gateway: {
+        handshakeTimeoutMs: 30000,
+      },
+    }
+    ```
+
+    - Default is `15000` milliseconds.
+    - `OPENCLAW_HANDSHAKE_TIMEOUT_MS` still takes precedence for one-off service or shell overrides.
+    - Prefer fixing startup/event-loop stalls first; this knob is for hosts that are healthy but slow during warmup.
+
+  </Accordion>
+
   <Accordion title="Configure sessions and resets">
     Sessions control conversation continuity and isolation:
 

docs/gateway/diagnostics.md

@@ -7,9 +7,13 @@ read_when:
   - Reviewing what diagnostics data is recorded or redacted
 ---
 
-OpenClaw can create a local diagnostics zip that is safe to attach to bug
-reports. It combines sanitized Gateway status, health, logs, config shape, and
-recent payload-free stability events.
+OpenClaw can create a local diagnostics zip for bug reports. It combines
+sanitized Gateway status, health, logs, config shape, and recent payload-free
+stability events.
+
+Treat diagnostics bundles like secrets until you have reviewed them. They are
+designed to omit or redact payloads and credentials, but they still summarize
+local Gateway logs and host-level runtime state.
 
 ## Quick start
 
@@ -29,6 +33,45 @@ For automation:
 openclaw gateway diagnostics export --json
 ```
 
+## Chat command
+
+Owners can use `/diagnostics [note]` in chat to request a local Gateway export.
+Use this when the bug happened in a real conversation and you want one
+copy-pasteable report for support:
+
+1. Send `/diagnostics` in the conversation where you noticed the problem. Add a
+   short note if it helps, for example `/diagnostics bad tool choice`.
+2. OpenClaw sends the diagnostics preamble and asks for one explicit exec
+   approval. The approval runs `openclaw gateway diagnostics export --json`.
+   Do not approve diagnostics through an allow-all rule.
+3. After approval, OpenClaw replies with a pasteable report containing the local
+   bundle path, manifest summary, privacy notes, and relevant session ids.
+
+In group chats, an owner can still run `/diagnostics`, but OpenClaw does not
+post the diagnostic details back into the shared chat. It sends the preamble,
+approval prompts, Gateway export result, and Codex session/thread breakdown to
+the owner through the private approval route. The group only gets a short notice
+that the diagnostics flow was sent privately. If OpenClaw cannot find a private
+owner route, the command fails closed and asks the owner to run it from a DM.
+
+When the active OpenClaw session is using the native OpenAI Codex harness,
+the same exec approval also covers an OpenAI feedback upload for the Codex
+runtime threads OpenClaw knows about. That upload is separate from the local
+Gateway zip and appears only for Codex harness sessions. Before approval, the
+prompt explains that approving diagnostics will also send Codex feedback, but it
+does not list Codex session or thread ids. After approval, the chat reply lists
+the channels, OpenClaw session ids, Codex thread ids, and local resume commands
+for the threads that were sent to OpenAI servers. If you deny or ignore the
+approval, OpenClaw does not run the export, does not send Codex feedback, and
+does not print the Codex ids.
+
+That makes the common Codex debugging loop short: notice the bad behavior in
+Telegram, Discord, or another channel, run `/diagnostics`, approve once, share
+the report with support, then run the printed `codex resume <thread-id>` command
+locally if you want to inspect the native Codex thread yourself. See
+[Codex harness](/plugins/codex-harness#inspect-a-codex-thread-from-the-cli) for
+that inspection workflow.
+
 ## What the export contains
 
 The zip includes:

docs/gateway/protocol.md

@@ -554,7 +554,7 @@ stable across protocol v3 and are the expected baseline for third-party clients.
 | ----------------------------------------- | ----------------------------------------------------- | ---------------------------------------------------------- |
 | `PROTOCOL_VERSION`                        | `3`                                                   | `src/gateway/protocol/schema/protocol-schemas.ts`          |
 | Request timeout (per RPC)                 | `30_000` ms                                           | `src/gateway/client.ts` (`requestTimeoutMs`)               |
-| Preauth / connect-challenge timeout       | `10_000` ms                                           | `src/gateway/handshake-timeouts.ts` (clamp `250`–`10_000`) |
+| Preauth / connect-challenge timeout       | `15_000` ms                                           | `src/gateway/handshake-timeouts.ts` (clamp `250`–`15_000`) |
 | Initial reconnect backoff                 | `1_000` ms                                            | `src/gateway/client.ts` (`backoffMs`)                      |
 | Max reconnect backoff                     | `30_000` ms                                           | `src/gateway/client.ts` (`scheduleReconnect`)              |
 | Fast-retry clamp after device-token close | `250` ms                                              | `src/gateway/client.ts`                                    |

docs/gateway/sandboxing.md

@@ -89,6 +89,8 @@ SSH-specific config lives under `agents.defaults.sandbox.ssh`. OpenShell-specifi
 
 Sandboxing is off by default. If you enable sandboxing and do not choose a backend, OpenClaw uses the Docker backend. It executes tools and sandbox browsers locally via the Docker daemon socket (`/var/run/docker.sock`). Sandbox container isolation is determined by Docker namespaces.
 
+To expose host GPUs to Docker sandboxes, set `agents.defaults.sandbox.docker.gpus` or the per-agent `agents.list[].sandbox.docker.gpus` override. The value is passed to Docker's `--gpus` flag as a separate argument, for example `"all"` or `"device=GPU-uuid"`, and requires a compatible host runtime such as NVIDIA Container Toolkit.
+
 <Warning>
 **Docker-out-of-Docker (DooD) constraints**
 
@@ -369,6 +371,8 @@ Default Docker image: `openclaw-sandbox:bookworm-slim`
 
     The default image does **not** include Node. If a skill needs Node (or other runtimes), either bake a custom image or install via `sandbox.docker.setupCommand` (requires network egress + writable root + root user).
 
+    OpenClaw does not silently substitute plain `debian:bookworm-slim` when `openclaw-sandbox:bookworm-slim` is missing. Sandbox runs that target the default image fail fast with a build instruction until you run `scripts/sandbox-setup.sh`, because the bundled image carries `python3` for sandbox write/edit helpers.
+
   </Step>
   <Step title="Optional: build the common image">
     For a more functional sandbox image with common tooling (for example `curl`, `jq`, `nodejs`, `python3`, `git`):

docs/gateway/security/index.md

@@ -608,7 +608,7 @@ Why:
 
 - OpenAI-compatible backends that front self-hosted models sometimes preserve special tokens that appear in user text, instead of masking them. An attacker who can write into inbound external content (a fetched page, an email body, a file contents tool output) could otherwise inject a synthetic `assistant` or `system` role boundary and escape the wrapped-content guardrails.
 - Sanitization happens at the external-content wrapping layer, so it applies uniformly across fetch/read tools and inbound channel content rather than being per-provider.
-- Outbound model responses already have a separate sanitizer that strips leaked `<tool_call>`, `<function_calls>`, and similar scaffolding from user-visible replies. The external-content sanitizer is the inbound counterpart.
+- Outbound model responses already have a separate sanitizer that strips leaked `<tool_call>`, `<function_calls>`, `<system-reminder>`, `<previous_response>`, and similar internal runtime scaffolding from user-visible replies at the final channel delivery boundary. The external-content sanitizer is the inbound counterpart.
 
 This does not replace the other hardening on this page — `dmPolicy`, allowlists, exec approvals, sandboxing, and `contextVisibility` still do the primary work. It closes one specific tokenizer-layer bypass against self-hosted stacks that forward user text with special tokens intact.
 

docs/gateway/troubleshooting.md

@@ -380,6 +380,7 @@ Common signatures:
 - `SSH tunnel failed to start; falling back to direct probes.` → SSH setup failed, but the command still tried direct configured/loopback targets.
 - `multiple reachable gateways detected` → more than one target answered. Usually this means an intentional multi-gateway setup or stale/duplicate listeners.
 - `Read-probe diagnostics are limited by gateway scopes (missing operator.read)` → connect worked, but detail RPC is scope-limited; pair device identity or use credentials with `operator.read`.
+- `Gateway accepted the WebSocket connection, but follow-up read diagnostics failed` → connect worked, but the full diagnostic RPC set timed out or failed. Treat this as a reachable Gateway with degraded diagnostics; compare `connect.ok` and `connect.rpcOk` in `--json` output.
 - `Capability: pairing-pending` or `gateway closed (1008): pairing required` → the gateway answered, but this client still needs pairing/approval before normal operator access.
 - unresolved `gateway.auth.*` / `gateway.remote.*` SecretRef warning text → auth material was unavailable in this command path for the failed target.
 

docs/help/debugging.md

@@ -43,6 +43,32 @@ Use `/trace` for plugin diagnostics such as Active Memory debug summaries.
 Keep using `/verbose` for normal verbose status/tool output, and keep using
 `/debug` for runtime-only config overrides.
 
+## Plugin lifecycle trace
+
+Use `OPENCLAW_PLUGIN_LIFECYCLE_TRACE=1` when plugin lifecycle commands feel slow
+and you need a built-in phase breakdown for plugin metadata, discovery, registry,
+runtime mirror, config mutation, and refresh work. The trace is opt-in and writes
+to stderr, so JSON command output remains parseable.
+
+Example:
+
+```bash
+OPENCLAW_PLUGIN_LIFECYCLE_TRACE=1 openclaw plugins install tokenjuice --force
+```
+
+Example output:
+
+```text
+[plugins:lifecycle] phase="config read" ms=6.83 status=ok command="install"
+[plugins:lifecycle] phase="slot selection" ms=94.31 status=ok command="install" pluginId="tokenjuice"
+[plugins:lifecycle] phase="registry refresh" ms=51.56 status=ok command="install" reason="source-changed"
+```
+
+Use this for plugin lifecycle investigation before reaching for a CPU profiler.
+If the command is running from a source checkout, prefer measuring the built
+runtime with `node dist/entry.js ...` after `pnpm build`; `pnpm openclaw ...`
+also measures source-runner overhead.
+
 ## Temporary CLI debug timing
 
 OpenClaw keeps `src/cli/debug-timing.ts` as a small helper for local

docs/help/environment.md

@@ -156,6 +156,18 @@ openclaw gateway run
 Do not rely on writing only to `~/.openclaw/.env` for this variable; Node reads
 `NODE_EXTRA_CA_CERTS` at process startup.
 
+## Legacy environment variables
+
+OpenClaw only reads `OPENCLAW_*` environment variables. The legacy
+`CLAWDBOT_*` and `MOLTBOT_*` prefixes from earlier releases are silently
+ignored.
+
+If any are still set on the Gateway process at startup, OpenClaw emits a
+single Node deprecation warning (`OPENCLAW_LEGACY_ENV_VARS`) listing the
+detected prefixes and the total count. Rename each value by replacing the
+legacy prefix with `OPENCLAW_` (for example `CLAWDBOT_GATEWAY_TOKEN` →
+`OPENCLAW_GATEWAY_TOKEN`); the old names take no effect.
+
 ## Related
 
 - [Gateway configuration](/gateway/configuration)

docs/help/testing.md

@@ -124,6 +124,16 @@ the fast Matrix and Telegram lanes before release approval.
     `aimock` starts a local AIMock-backed provider server for experimental
     fixture and protocol-mock coverage without replacing the scenario-aware
     `mock-openai` lane.
+- `pnpm test:gateway:cpu-scenarios`
+  - Runs the gateway startup bench plus a small mock QA Lab scenario pack
+    (`channel-chat-baseline`, `memory-failure-fallback`,
+    `gateway-restart-inflight-run`) and writes a combined CPU observation
+    summary under `.artifacts/gateway-cpu-scenarios/`.
+  - Flags only sustained hot CPU observations by default (`--cpu-core-warn`
+    plus `--hot-wall-warn-ms`), so short startup bursts are recorded as metrics
+    without looking like the minutes-long gateway peg regression.
+  - Uses built `dist` artifacts; run a build first when the checkout does not
+    already have fresh runtime output.
 - `pnpm openclaw qa suite --runner multipass`
   - Runs the same QA suite inside a disposable Multipass Linux VM.
   - Keeps the same scenario-selection behavior as `qa suite` on the host.

docs/install/docker-vm-runtime.md

@@ -116,18 +116,19 @@ Expected output:
 OpenClaw runs in Docker, but Docker is not the source of truth.
 All long-lived state must survive restarts, rebuilds, and reboots.
 
-| Component           | Location                          | Persistence mechanism  | Notes                                                         |
-| ------------------- | --------------------------------- | ---------------------- | ------------------------------------------------------------- |
-| Gateway config      | `/home/node/.openclaw/`           | Host volume mount      | Includes `openclaw.json`, `.env`                              |
-| Model auth profiles | `/home/node/.openclaw/agents/`    | Host volume mount      | `agents/<agentId>/agent/auth-profiles.json` (OAuth, API keys) |
-| Skill configs       | `/home/node/.openclaw/skills/`    | Host volume mount      | Skill-level state                                             |
-| Agent workspace     | `/home/node/.openclaw/workspace/` | Host volume mount      | Code and agent artifacts                                      |
-| WhatsApp session    | `/home/node/.openclaw/`           | Host volume mount      | Preserves QR login                                            |
-| Gmail keyring       | `/home/node/.openclaw/`           | Host volume + password | Requires `GOG_KEYRING_PASSWORD`                               |
-| External binaries   | `/usr/local/bin/`                 | Docker image           | Must be baked at build time                                   |
-| Node runtime        | Container filesystem              | Docker image           | Rebuilt every image build                                     |
-| OS packages         | Container filesystem              | Docker image           | Do not install at runtime                                     |
-| Docker container    | Ephemeral                         | Restartable            | Safe to destroy                                               |
+| Component           | Location                                 | Persistence mechanism  | Notes                                                         |
+| ------------------- | ---------------------------------------- | ---------------------- | ------------------------------------------------------------- |
+| Gateway config      | `/home/node/.openclaw/`                  | Host volume mount      | Includes `openclaw.json`, `.env`                              |
+| Model auth profiles | `/home/node/.openclaw/agents/`           | Host volume mount      | `agents/<agentId>/agent/auth-profiles.json` (OAuth, API keys) |
+| Skill configs       | `/home/node/.openclaw/skills/`           | Host volume mount      | Skill-level state                                             |
+| Agent workspace     | `/home/node/.openclaw/workspace/`        | Host volume mount      | Code and agent artifacts                                      |
+| WhatsApp session    | `/home/node/.openclaw/`                  | Host volume mount      | Preserves QR login                                            |
+| Gmail keyring       | `/home/node/.openclaw/`                  | Host volume + password | Requires `GOG_KEYRING_PASSWORD`                               |
+| Plugin runtime deps | `/var/lib/openclaw/plugin-runtime-deps/` | Docker named volume    | Generated bundled plugin deps and runtime mirrors             |
+| External binaries   | `/usr/local/bin/`                        | Docker image           | Must be baked at build time                                   |
+| Node runtime        | Container filesystem                     | Docker image           | Rebuilt every image build                                     |
+| OS packages         | Container filesystem                     | Docker image           | Do not install at runtime                                     |
+| Docker container    | Ephemeral                                | Restartable            | Safe to destroy                                               |
 
 ## Updates