fix(feeds): load native search through public surface

.agents/skills/autoreview/SKILL.md

@@ -24,7 +24,7 @@ Use when:
 - Prefer small fixes at the right ownership boundary; no refactor unless it clearly improves the bug class.
 - When an accepted finding shows a bug class or repeated pattern, inspect the current PR scope for sibling instances before fixing.
 - Fix the scoped bug class at once when practical; stop at touched surfaces, owner boundaries, and clear follow-up territory.
-- Keep going until structured review returns no accepted/actionable findings only while the work remains inside the original task scope.
+- Keep going until structured review returns no accepted/actionable findings.
 - If a review-triggered fix changes code, rerun focused tests and rerun the structured review helper.
 - For security-audit suppression changes, verify accepted findings remain auditable: suppressed findings stay in structured output, active output keeps an unsuppressible suppression notice, and aggregate findings cannot hide unrelated active risk.
 - Never switch or override the requested review engine/model. If the review hits model capacity, retry the same command a few times with the same engine/model.
@@ -43,42 +43,6 @@ Use when:
 - If Gitcrawl reports a portable manifest mismatch, source/runtime DB health error, or stale portable-store checkout, run `gitcrawl doctor --json` and inspect `source_db_health`, `runtime_db_health`, and `portable_store_status` before falling back to live GitHub.
 - Do not push just to review. Push only when the user requested push/ship/PR update.
 
-## Scope Governor
-
-Autoreview is a closeout gate, not permission to rewrite the task.
-
-Before the first review, freeze a scope baseline: original request or issue, target branch, intended behavior, owner boundary, changed files, and non-test LOC. For inherited or already-bloated branches, use the intended PR diff as the baseline rather than accepting all existing branch drift.
-
-Before patching a finding, classify it:
-
-- **In-scope blocker**: the finding is introduced by the current diff, affects the same owner boundary, and can be fixed without changing the task's contract.
-- **Follow-up**: the finding is real but belongs to an adjacent bug class, sibling surface, cleanup, or broader hardening track.
-- **Stop-and-escalate**: the finding requires a new protocol/config/storage/public API contract, a different owner boundary, a release-process change, or a design choice outside the original request.
-
-Stop patching and report the scope break instead of continuing when:
-
-- a narrow PR turns into an architecture change, protocol change, migration, or release-process change;
-- the diff grows past 2x the original files or non-test LOC without explicit approval to expand scope;
-- two review-triggered patch cycles have not converged; pause and reclassify every remaining finding before another edit;
-- the best fix is "define the canonical contract first" rather than another local inference layer;
-- fixing the accepted finding would make the PR no longer describe the same behavior, issue, or owner boundary.
-
-After the two-cycle pause, continue only when every remaining accepted finding is still an in-scope blocker. Otherwise preserve the useful analysis, identify the smallest safe landed subset if one exists, and open or request a follow-up for the larger fix. Do not keep committing speculative fixes just to satisfy the reviewer.
-
-Do not stack or push review-triggered fix commits while scope classification or focused proof is unresolved. Keep exploratory edits local until the cycle is proven in scope; if scope breaks, remove them from the landing lane instead of preserving them as branch history.
-
-Critical exceptions must be explicit: active data loss, crash, broken install/upgrade, release blocker, or concrete security exposure. If the exception is not one of those, it is not critical enough to blow up scope.
-
-## Release Branches And Release Process
-
-On release, beta, stable, hotfix, signing, notarization, appcast, package-publish, or release-check work, use freeze discipline even when the branch name is not release-like:
-
-- Fix only release blockers, failed release infrastructure, exact backports, install/upgrade breakage, data loss, crashes, or concrete security exposure.
-- Treat non-blocking autoreview findings as follow-ups for `main`, not reasons to broaden the release branch.
-- Do not introduce new product behavior, config surface, protocol shape, migration, plugin ownership, docs narrative, or process policy unless it directly unblocks the release.
-- Keep proof tied to the release target: exact branch/ref, failing check or shipped-risk reason, smallest command/proof, and whether the fix must also forward-port to `main`.
-- If review discovers a real but non-critical design problem during release closeout, stop with a follow-up issue/PR plan; do not use the release branch as the refactor lane.
-
 ## Pick Target
 
 Dirty local work:

.agents/skills/autoreview/scripts/autoreview

@@ -440,36 +440,8 @@ def load_datasets(args: argparse.Namespace) -> str:
     return "\n\n".join(chunks)
 
 
-def review_scope_policy() -> str:
-    return textwrap.dedent(
-        """
-        Review scope discipline:
-        - This helper is a closeout gate. Do not turn a narrow patch into a broad
-          redesign request.
-        - Report a finding only when this diff introduces or exposes a concrete
-          defect that must be fixed before this target can land.
-        - If the best fix requires a new protocol, config, storage, public API,
-          release process, migration, owner-boundary move, or canonical contract,
-          say that directly in the finding and keep the finding tied to the
-          smallest changed line that proves the current patch is not landable.
-        - Do not ask for sibling-surface hardening, cleanup, refactors, or
-          follow-up architecture work unless the current diff is incorrect
-          without that work.
-        - Prefer the smallest correct pre-merge fix. A broader ideal design is
-          not an actionable finding unless the current patch cannot safely land.
-        - If this is release-branch or release-process work, apply freeze
-          discipline. Report only release blockers, exact backport regressions,
-          install/upgrade breakage, crashes, data loss, concrete security
-          exposure, or release-infrastructure failures. Non-blocking design,
-          cleanup, and hardening concerns belong on main as follow-ups.
-        """
-    ).strip()
-
-
 def build_prompt(repo: Path, target: str, target_ref: str | None, bundle: str, extra_prompt: str, datasets: str) -> str:
     target_line = f"{target} {target_ref}" if target_ref else target
-    branch = current_branch(repo)
-    scope_policy = review_scope_policy()
     return textwrap.dedent(
         f"""
         You are a senior code reviewer. Review the provided git change bundle only.
@@ -491,11 +463,8 @@ def build_prompt(repo: Path, target: str, target_ref: str | None, bundle: str, e
         - If there are no actionable findings, return an empty findings array and mark the patch correct.
 
         Review target: {target_line}
-        Current branch: {branch}
         Repository: {repo}
 
-        {scope_policy}
-
         {extra_prompt}
 
         {datasets}

.agents/skills/autoreview/scripts/test-review-harness.py

@@ -3,7 +3,6 @@ from __future__ import annotations
 
 import argparse
 import os
-import runpy
 import shutil
 import stat
 import subprocess
@@ -146,23 +145,8 @@ def create_fixture_repo(repo: Path, fixture: str) -> None:
     write_fixture_file(repo, MALICIOUS_CHANGED if fixture == "malicious" else BENIGN_CHANGED)
 
 
-def validate_prompt_policy(repo: Path, autoreview: Path) -> None:
-    namespace = runpy.run_path(str(autoreview))
-    prompt = namespace["build_prompt"](repo, "local", None, "fixture diff", "", "")
-    required = (
-        "This helper is a closeout gate.",
-        "Do not turn a narrow patch into a broad",
-        "If this is release-branch or release-process work",
-        "Non-blocking design,",
-    )
-    missing = [needle for needle in required if needle not in prompt]
-    if missing:
-        raise RuntimeError(f"autoreview prompt missing scope policy: {missing}")
-
-
 def run_reviews(repo: Path, script_dir: Path, fixture: str, engines: list[str]) -> None:
     autoreview = script_dir / "autoreview"
-    validate_prompt_policy(repo, autoreview)
     for engine in engines:
         print(f"== {engine} ==", flush=True)
         command = [

.agents/skills/openclaw-pr-maintainer/SKILL.md

@@ -284,7 +284,7 @@ gh search issues --repo openclaw/openclaw --match title,body --limit 50 \
 - If bot review conversations exist on your PR, address them and resolve them yourself once fixed.
 - Leave a review conversation unresolved only when reviewer or maintainer judgment is still needed.
 - Before landing any PR with non-trivial code changes, run `$autoreview` until no accepted/actionable findings remain, unless equivalent manual review already covered it, the change is trivial/docs-only, or the user opts out.
-- When an agent is landing or merging a PR targeting `main`, use only the repo-native `scripts/pr` wrapper: run `scripts/pr review-init <PR>`, follow its emitted checkout/guard guidance, initialize and complete review artifacts with `scripts/pr review-artifacts-init <PR>`, validate them with `scripts/pr review-validate-artifacts <PR>`, then run `scripts/pr prepare-run <PR>` and `scripts/pr merge-run <PR>`.
+- When landing or merging any PR, follow the global `/landpr` process.
 - Use `scripts/committer "<msg>" <file...>` for scoped commits instead of manual `git add` and `git commit`.
 - Keep commit messages concise and action-oriented.
 - Group related changes; avoid bundling unrelated refactors.

.agents/skills/release-openclaw-ci/SKILL.md

@@ -65,13 +65,6 @@ gh workflow run openclaw-performance.yml \
 
 Prefer the trusted workflow on `main`, target the exact release SHA:
 
-- Keep trusted-workflow checks compatible with frozen release targets. If
-  `main` adds a target-owned guard script or package command after the release
-  branch cut, make the trusted workflow skip only when that target surface is
-  absent. Heal the trusted workflow before rerunning validation; do not port an
-  unrelated runtime refactor or mutate the release candidate just to satisfy a
-  newer `main`-only check.
-
 ```bash
 gh workflow run full-release-validation.yml \
   --repo openclaw/openclaw \

.agents/skills/release-openclaw-maintainer/SKILL.md

@@ -552,16 +552,6 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
 - `preflight_only=true` on the npm workflow is also the right way to validate an
   existing tag after publish; it should keep running the build checks even when
   the npm version is already published.
-- npm registry metadata is eventually consistent immediately after trusted
-  publishing. Keep postpublish `npm view` checks on bounded `--prefer-online`
-  retries, and carry that verified tarball/integrity metadata into later proof
-  steps instead of reading the registry again. If the OpenClaw npm child
-  succeeded but the parent publish workflow failed on an immediate exact-version
-  `E404`, verify the exact version with a cache-bypassed registry read, run the
-  standalone postpublish verifier and the full beta verifier with the original
-  successful child run IDs, then finalize the draft, dependency evidence asset,
-  and release proof manually. Never rerun the publish workflow for that
-  already-published version.
 - npm validation-only preflight may still be dispatched from ordinary branches
   when testing workflow changes before merge. Release checks and real publish
   use only `main` or `release/YYYY.M.PATCH`.
@@ -730,13 +720,8 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
     waited plugin publish or Windows Hub promotion fails after OpenClaw npm
     succeeds, the workflow keeps the release draft with OpenClaw npm evidence
     and exits red; do not undraft until the gap is repaired. The standalone
-    verifier command remains the first recovery probe:
+    verifier command remains the recovery probe:
     `node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>`.
-    For a failed postpublish parent after successful publish children, also run
-    `pnpm release:verify-beta -- <published-version> ... --skip-github-release`
-    with the original child run IDs and an evidence output path before manually
-    recreating the workflow's draft, dependency evidence asset, proof section,
-    and publish step.
 25. Run the post-published beta verification roster. First scan current `main`
     for critical fixes that landed after the release branch cut; backport only
     important low-risk fixes before starting expensive lanes, or increment to

.github/labeler.yml

@@ -318,6 +318,11 @@
       - any-glob-to-any-file:
           - "extensions/policy/**"
           - "docs/cli/policy.md"
+"extensions: feeds":
+  - changed-files:
+      - any-glob-to-any-file:
+          - "extensions/feeds/**"
+          - "docs/plugins/reference/feeds.md"
 "extensions: open-prose":
   - changed-files:
       - any-glob-to-any-file:

.github/workflows/ci.yml

@@ -1365,8 +1365,6 @@ jobs:
             boundary_shard: 2/4,3/4,4/4
           - check_name: check-session-accessor-boundary
             group: session-accessor-boundary
-          - check_name: check-session-transcript-reader-boundary
-            group: session-transcript-reader-boundary
           - check_name: check-additional-extension-channels
             group: extension-channels
           - check_name: check-additional-extension-bundled
@@ -1522,15 +1520,6 @@ jobs:
                 run_check "lint:tmp:session-accessor-boundary" pnpm run lint:tmp:session-accessor-boundary
               fi
               ;;
-            session-transcript-reader-boundary)
-              if [ ! -f scripts/check-session-transcript-reader-boundary.mjs ]; then
-                echo "[skip] session transcript reader boundary check is not present in this checkout"
-              elif ! node -e 'const pkg = require("./package.json"); process.exit(pkg.scripts?.["lint:tmp:session-transcript-reader-boundary"] ? 0 : 1);'; then
-                echo "[skip] session transcript reader boundary script is not present in package.json"
-              else
-                run_check "lint:tmp:session-transcript-reader-boundary" pnpm run lint:tmp:session-transcript-reader-boundary
-              fi
-              ;;
             extension-channels)
               run_check "lint:extensions:channels" pnpm run lint:extensions:channels
               ;;

.github/workflows/full-release-validation.yml

@@ -275,7 +275,7 @@ jobs:
             local workflow="$1"
             shift
 
-            local dispatch_output run_id status conclusion url poll_count
+            local before_json dispatch_output run_id status conclusion url poll_count
             gh_with_retry() {
               local output status attempt
               for attempt in 1 2 3 4 5 6; do
@@ -298,6 +298,8 @@ jobs:
               printf '%s\n' "$output" >&2
               return "$status"
             }
+            before_json="$(gh_with_retry run list --workflow "$workflow" --event workflow_dispatch --limit 100 --json databaseId --jq '[.[].databaseId]')"
+
             dispatch_output="$(gh_with_retry workflow run "$workflow" --ref "$CHILD_WORKFLOW_REF" "$@")"
             printf '%s\n' "$dispatch_output"
             run_id="$(
@@ -307,7 +309,20 @@ jobs:
             )"
 
             if [[ -z "$run_id" ]]; then
-              echo "::error::gh workflow run ${workflow} did not return an Actions run URL; refusing to guess from recent workflow_dispatch runs." >&2
+              for _ in $(seq 1 60); do
+                run_id="$(
+                  BEFORE_IDS="$before_json" gh_with_retry run list --workflow "$workflow" --event workflow_dispatch --limit 50 --json databaseId,createdAt \
+                    --jq 'map(select(.databaseId as $id | (env.BEFORE_IDS | fromjson | index($id) | not))) | sort_by(.createdAt) | reverse | .[0].databaseId // empty'
+                )"
+                if [[ -n "$run_id" ]]; then
+                  break
+                fi
+                sleep 5
+              done
+            fi
+
+            if [[ -z "${run_id:-}" ]]; then
+              echo "Could not find dispatched run for ${workflow}." >&2
               exit 1
             fi
 
@@ -408,7 +423,7 @@ jobs:
             local workflow="$1"
             shift
 
-            local dispatch_output run_id status conclusion url poll_count
+            local before_json dispatch_output run_id status conclusion url poll_count
             gh_with_retry() {
               local output status attempt
               for attempt in 1 2 3 4 5 6; do
@@ -431,6 +446,8 @@ jobs:
               printf '%s\n' "$output" >&2
               return "$status"
             }
+            before_json="$(gh_with_retry run list --workflow "$workflow" --event workflow_dispatch --limit 100 --json databaseId --jq '[.[].databaseId]')"
+
             dispatch_output="$(gh_with_retry workflow run "$workflow" --ref "$CHILD_WORKFLOW_REF" "$@")"
             printf '%s\n' "$dispatch_output"
             run_id="$(
@@ -440,7 +457,20 @@ jobs:
             )"
 
             if [[ -z "$run_id" ]]; then
-              echo "::error::gh workflow run ${workflow} did not return an Actions run URL; refusing to guess from recent workflow_dispatch runs." >&2
+              for _ in $(seq 1 60); do
+                run_id="$(
+                  BEFORE_IDS="$before_json" gh_with_retry run list --workflow "$workflow" --event workflow_dispatch --limit 50 --json databaseId,createdAt \
+                    --jq 'map(select(.databaseId as $id | (env.BEFORE_IDS | fromjson | index($id) | not))) | sort_by(.createdAt) | reverse | .[0].databaseId // empty'
+                )"
+                if [[ -n "$run_id" ]]; then
+                  break
+                fi
+                sleep 5
+              done
+            fi
+
+            if [[ -z "${run_id:-}" ]]; then
+              echo "Could not find dispatched run for ${workflow}." >&2
               exit 1
             fi
 
@@ -551,7 +581,7 @@ jobs:
             local workflow="$1"
             shift
 
-            local dispatch_output run_id status conclusion url poll_count run_json
+            local before_json dispatch_output run_id status conclusion url poll_count run_json
             gh_with_retry() {
               local output status attempt
               for attempt in 1 2 3 4 5 6; do
@@ -574,6 +604,8 @@ jobs:
               printf '%s\n' "$output" >&2
               return "$status"
             }
+            before_json="$(gh_with_retry run list --workflow "$workflow" --event workflow_dispatch --limit 100 --json databaseId --jq '[.[].databaseId]')"
+
             dispatch_output="$(gh_with_retry workflow run "$workflow" --ref "$CHILD_WORKFLOW_REF" "$@")"
             printf '%s\n' "$dispatch_output"
             run_id="$(
@@ -583,7 +615,20 @@ jobs:
             )"
 
             if [[ -z "$run_id" ]]; then
-              echo "::error::gh workflow run ${workflow} did not return an Actions run URL; refusing to guess from recent workflow_dispatch runs." >&2
+              for _ in $(seq 1 60); do
+                run_id="$(
+                  BEFORE_IDS="$before_json" gh_with_retry run list --workflow "$workflow" --event workflow_dispatch --limit 50 --json databaseId,createdAt \
+                    --jq 'map(select(.databaseId as $id | (env.BEFORE_IDS | fromjson | index($id) | not))) | sort_by(.createdAt) | reverse | .[0].databaseId // empty'
+                )"
+                if [[ -n "$run_id" ]]; then
+                  break
+                fi
+                sleep 5
+              done
+            fi
+
+            if [[ -z "${run_id:-}" ]]; then
+              echo "Could not find dispatched run for ${workflow}." >&2
               exit 1
             fi
 
@@ -883,6 +928,8 @@ jobs:
             return "$status"
           }
 
+          before_json="$(gh_with_retry run list --workflow npm-telegram-beta-e2e.yml --event workflow_dispatch --limit 100 --json databaseId --jq '[.[].databaseId]')"
+
           args=(-f package_spec="${PACKAGE_SPEC:-openclaw@beta}" -f harness_ref="$TARGET_SHA" -f provider_mode="$PROVIDER_MODE")
           if [[ -z "${PACKAGE_SPEC// }" ]]; then
             if [[ "$PREPARE_PACKAGE_RESULT" != "success" || -z "${PACKAGE_ARTIFACT_NAME// }" ]]; then
@@ -899,16 +946,22 @@ jobs:
             args+=(-f scenario="$SCENARIO")
           fi
 
-          dispatch_output="$(gh_with_retry workflow run npm-telegram-beta-e2e.yml --ref "$CHILD_WORKFLOW_REF" "${args[@]}")"
-          printf '%s\n' "$dispatch_output"
-          run_id="$(
-            printf '%s\n' "$dispatch_output" |
-              sed -nE 's#.*actions/runs/([0-9]+).*#\1#p' |
-              tail -n 1
-          )"
+          gh_with_retry workflow run npm-telegram-beta-e2e.yml --ref "$CHILD_WORKFLOW_REF" "${args[@]}"
+
+          run_id=""
+          for _ in $(seq 1 60); do
+            run_id="$(
+              BEFORE_IDS="$before_json" gh_with_retry run list --workflow npm-telegram-beta-e2e.yml --event workflow_dispatch --limit 50 --json databaseId,createdAt \
+                --jq 'map(select(.databaseId as $id | (env.BEFORE_IDS | fromjson | index($id) | not))) | sort_by(.createdAt) | reverse | .[0].databaseId // empty'
+            )"
+            if [[ -n "$run_id" ]]; then
+              break
+            fi
+            sleep 5
+          done
 
           if [[ -z "$run_id" ]]; then
-            echo "::error::gh workflow run npm-telegram-beta-e2e.yml did not return an Actions run URL; refusing to guess from recent workflow_dispatch runs." >&2
+            echo "Could not find dispatched run for npm-telegram-beta-e2e.yml." >&2
             exit 1
           fi
 
@@ -1020,23 +1073,31 @@ jobs:
             echo "- Release impact: advisory"
           } >> "$GITHUB_STEP_SUMMARY"
 
-          dispatch_output="$(gh_with_retry workflow run openclaw-performance.yml \
+          before_json="$(gh_with_retry run list --workflow openclaw-performance.yml --event workflow_dispatch --limit 100 --json databaseId --jq '[.[].databaseId]')"
+
+          gh_with_retry workflow run openclaw-performance.yml \
             --ref "$CHILD_WORKFLOW_REF" \
             -f target_ref="$TARGET_SHA" \
             -f profile=release \
             -f repeat=3 \
             -f deep_profile=false \
             -f live_openai_candidate=false \
-            -f fail_on_regression=false)"
-          printf '%s\n' "$dispatch_output"
-          run_id="$(
-            printf '%s\n' "$dispatch_output" |
-              sed -nE 's#.*actions/runs/([0-9]+).*#\1#p' |
-              tail -n 1
-          )"
+            -f fail_on_regression=false
+
+          run_id=""
+          for _ in $(seq 1 60); do
+            run_id="$(
+              BEFORE_IDS="$before_json" gh_with_retry run list --workflow openclaw-performance.yml --event workflow_dispatch --limit 50 --json databaseId,createdAt \
+                --jq 'map(select(.databaseId as $id | (env.BEFORE_IDS | fromjson | index($id) | not))) | sort_by(.createdAt) | reverse | .[0].databaseId // empty'
+            )"
+            if [[ -n "$run_id" ]]; then
+              break
+            fi
+            sleep 5
+          done
 
           if [[ -z "$run_id" ]]; then
-            echo "::warning::gh workflow run openclaw-performance.yml did not return an Actions run URL; refusing to guess from recent workflow_dispatch runs."
+            echo "::warning::Could not find dispatched run for openclaw-performance.yml."
             exit 0
           fi
 

.github/workflows/openclaw-performance.yml

@@ -56,7 +56,6 @@ concurrency:
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
   OCM_VERSION: v0.2.15
-  OCM_LINUX_X64_SHA256: b849b8de5d77e97e0df9319703254ae95e29d7f26a7552ea79bf173ff110ea0a
   KOVA_REPOSITORY: openclaw/Kova
   PERFORMANCE_MODEL_ID: gpt-5.5
 
@@ -188,20 +187,11 @@ jobs:
           set -euo pipefail
           KOVA_SRC="${RUNNER_TEMP}/kova-src"
           echo "KOVA_SRC=$KOVA_SRC" >> "$GITHUB_ENV"
-          mkdir -p "$HOME/.local/bin" "$(dirname "$KOVA_SRC")" "${RUNNER_TEMP}/ocm-install"
-
-          ocm_archive="${RUNNER_TEMP}/ocm-${OCM_VERSION}-x86_64-unknown-linux-gnu.tar.gz"
-          curl -fsSL --proto '=https' --tlsv1.2 --retry 3 --retry-delay 1 --retry-connrefused \
-            -o "$ocm_archive" \
-            "https://github.com/shakkernerd/ocm/releases/download/${OCM_VERSION}/ocm-x86_64-unknown-linux-gnu.tar.gz"
-          echo "${OCM_LINUX_X64_SHA256}  ${ocm_archive}" | sha256sum -c -
-          tar -xzf "$ocm_archive" -C "${RUNNER_TEMP}/ocm-install"
-          install -m 0755 "${RUNNER_TEMP}/ocm-install/ocm" "$HOME/.local/bin/ocm"
-
-          git init -b main "$KOVA_SRC"
-          git -C "$KOVA_SRC" remote add origin "https://github.com/${KOVA_REPOSITORY}.git"
-          git -C "$KOVA_SRC" fetch --filter=blob:none --depth 1 origin "$KOVA_REF"
-          git -C "$KOVA_SRC" checkout --detach FETCH_HEAD
+          mkdir -p "$HOME/.local/bin" "$(dirname "$KOVA_SRC")"
+          curl -fsSL https://raw.githubusercontent.com/shakkernerd/ocm/main/install.sh \
+            | bash -s -- --version "$OCM_VERSION" --prefix "$HOME/.local" --force
+          git clone --filter=blob:none "https://github.com/${KOVA_REPOSITORY}.git" "$KOVA_SRC"
+          git -C "$KOVA_SRC" checkout "$KOVA_REF"
           cat > "$HOME/.local/bin/kova" <<EOF
           #!/usr/bin/env bash
           export KOVA_HOME="${KOVA_HOME}"

.github/workflows/openclaw-release-publish.yml

@@ -1112,14 +1112,13 @@ jobs:
           }
 
           append_release_proof_to_github_release() {
-            local release_version body_file notes_file evidence_path tarball integrity telegram_line clawhub_line clawhub_bootstrap_line clawhub_runtime_state_path windows_line
+            local release_version body_file notes_file tarball integrity telegram_line clawhub_line clawhub_bootstrap_line clawhub_runtime_state_path windows_line
 
             release_version="${RELEASE_TAG#v}"
             body_file="${RUNNER_TEMP}/release-body.md"
             notes_file="${RUNNER_TEMP}/release-notes-with-proof.md"
-            evidence_path="${POSTPUBLISH_EVIDENCE_DIR}/release-postpublish-evidence.json"
-            tarball="$(jq -er '.openclawNpmTarball | select(type == "string" and length > 0)' "${evidence_path}")"
-            integrity="$(jq -er '.openclawNpmIntegrity | select(type == "string" and length > 0)' "${evidence_path}")"
+            tarball="$(npm view "openclaw@${release_version}" dist.tarball --json | jq -r '.')"
+            integrity="$(npm view "openclaw@${release_version}" dist.integrity --json | jq -r '.')"
             gh release view "${RELEASE_TAG}" --repo "$GITHUB_REPOSITORY" --json body --jq .body > "${body_file}"
 
             if [[ -n "${NPM_TELEGRAM_RUN_ID// }" ]]; then

.github/workflows/windows-testbox-probe.yml

@@ -133,9 +133,8 @@ jobs:
               $rootfs = "C:\wsl\ubuntu-noble-wsl.rootfs.tar.gz"
               New-Item -ItemType Directory -Force -Path @((Split-Path -Parent $rootfs), $wslRoot) | Out-Null
               Invoke-WebRequest -Uri $env:UBUNTU_WSL_ROOTFS_URL -OutFile $rootfs -UseBasicParsing
-              $import = Invoke-WslText -Arguments @("--import", "UbuntuProbe", $wslRoot, $rootfs, "--version", "2")
-              Write-Host $import.Text
-              Write-Host "wsl_import_exit=$($import.Code)"
+              wsl.exe --import UbuntuProbe $wslRoot $rootfs --version 2
+              Write-Host "wsl_import_exit=$LASTEXITCODE"
               $list = Invoke-WslText -Arguments @("--list", "--verbose")
               Write-Host $list.Text
               Write-Host "wsl_list_after_import_exit=$($list.Code)"
@@ -145,15 +144,14 @@ jobs:
             if ($distros.Count -gt 0) {
               $distro = $distros[0]
               Write-Host "wsl_probe_distro=$distro"
-              $exec = Invoke-WslText -Arguments @("-d", $distro, "--exec", "bash", "-lc", 'set -euo pipefail; uname -a; if [ -f /etc/os-release ]; then sed -n "1,8p" /etc/os-release; fi')
+              wsl.exe -d $distro --exec bash -lc 'set -euo pipefail; uname -a; if [ -f /etc/os-release ]; then sed -n "1,8p" /etc/os-release; fi'
             } else {
-              $exec = Invoke-WslText -Arguments @("--exec", "bash", "-lc", 'set -euo pipefail; uname -a; if [ -f /etc/os-release ]; then sed -n "1,8p" /etc/os-release; fi')
+              wsl.exe --exec bash -lc 'set -euo pipefail; uname -a; if [ -f /etc/os-release ]; then sed -n "1,8p" /etc/os-release; fi'
             }
-            Write-Host $exec.Text
-            if ($exec.Code -eq 0) {
+            if ($LASTEXITCODE -eq 0) {
               $ok = $true
             }
-            Write-Host "wsl_exec_exit=$($exec.Code)"
+            Write-Host "wsl_exec_exit=$LASTEXITCODE"
           }
 
           if ($ok) {

.github/workflows/workflow-sanity.yml

@@ -251,6 +251,3 @@ jobs:
 
       - name: Check plugin SDK API baseline drift
         run: pnpm plugin-sdk:api:check
-
-      - name: Check plugin SDK surface budget
-        run: pnpm plugin-sdk:surface:check

AGENTS.md

@@ -172,7 +172,7 @@ Skills own workflows; root owns hard policy and routing.
 - PR artifacts/screenshots: attach to PR/comment/external artifact store. Never push screenshots, videos, proof images, or proof assets to OpenClaw or any product repo branch, including temp artifact branches. Use Crabbox artifact publishing plus the manifest URL. Do not commit `.github/pr-assets`.
 - CI polling: exact SHA, relevant checks only, minimal fields. Skip routine noise (`Auto response`, `Labeler`, docs agents, performance/stale). Logs only after failure/completion or concrete need.
 - OpenClaw write-access maintainers may skip `Real behavior proof` when local tests or Crabbox verified behavior; record proof in PR verification.
-- Agent PR landing to `main`: use only the repo-native `scripts/pr` wrapper: run `scripts/pr review-init <PR>`, follow its emitted checkout/guard guidance, initialize and complete review artifacts with `scripts/pr review-artifacts-init <PR>`, validate them with `scripts/pr review-validate-artifacts <PR>`, then run `scripts/pr prepare-run <PR>` and `scripts/pr merge-run <PR>`; do not idle on `auto-response` or `check-docs`.
+- `/landpr`: use `~/.codex/prompts/landpr.md`; do not idle on `auto-response` or `check-docs`.
 
 ## Code
 

CHANGELOG.md

@@ -23,23 +23,15 @@ Docs: https://docs.openclaw.ai
 
 ### Fixes
 
-- Onboarding/skills: show the Homebrew install recommendation only on macOS and Linux, so FreeBSD and other unsupported platforms no longer get a misleading brew prompt. Fixes #68893; carries forward #68894, #68910, #68941, #68943, #69002, and #69545. Thanks @yurivict, @Sanjays2402, @Eruditi, @JustInCache, @nnish16, and @Mlightsnow.
 - Channels and delivery: preserve account-scoped DM channel send policy, rich Telegram final replies, rich Telegram tables and lists, Telegram thread-create CLI remapping, Slack outbound `message_sent` hooks, contributed message-tool schema optionality, same-channel generated media completions, and channel chunking around surrogate pairs and Infinity limits. (#92788, #92679, #89421, #89943, #91137, #91246, #92735) Thanks @yetval, @obviyus, @spacegeologist, @rishitamrakar, @lundog, @TurboTheTurtle, and @yhterrance.
-- Auto-reply/groups: keep ordinary group text replies on automatic final-reply delivery while allowing `message(action=send)` for files, images, and other attachments to the same group or topic. Carries forward #43276; refs #48004. Thanks @NayukiChiba and @ShakaRover.
-- iMessage: normalize leading NUL sent-message echo prefixes while preserving interior NUL bytes and the leading attributedBody marker handling from #73942. Carries forward #63581. Thanks @drvoss.
 - Discord: give generated auto-thread titles a 60-second timeout and 4,096-token reasoning-model output budget, clamped to the selected model output cap. (#64734) Thanks @hanamizuki.
 - Agent, cron, and Gateway runtime: mark active main sessions before restart shutdown aborts, pause yielded subagent runs whose terminal also signals abort, preserve yielded media completions, de-duplicate main-session heartbeat events, expose session identity in runtime prompts, reject unknown OpenAI agent selectors, keep generated media completions and slash-command block replies in WebChat, preserve fresh post-compaction usage while clearing stale usage snapshots, and require admin privileges for HTTP session/model override surfaces. (#91357, #92631, #92146, #91287, #92468, #92510, #91246, #50795, #50845, #82874, #92651, #92646) Thanks @ooiuuii, @openperf, @IWhatsskill, @ZengWen-DT, @zhangguiping-xydt, @Hollychou924, @leno23, and @TurboTheTurtle.
-- Agents/exec: default empty-success background completion notices on only for real chat channels, preserving explicit opt-outs and keeping generic providers silent while carrying forward the narrow UX intent from #39726 and #46926. Thanks @Sapientropic and @wenkang-xie.
 - Providers and model replay: preserve storeless OpenAI Responses replay compatibility, avoid eager tool streaming for Claude 4.5 in Copilot, honor profile auth for SecretRef model entries, bound model browsing, strip provider prefixes where runtimes need bare IDs, and surface nested embedding fetch failures. (#90706, #75393, #90686, #92247, #92627, #91218, #92628) Thanks @snowzlm, @Kailigithub, @rohitjavvadi, @samson910022, @liuhao1024, @bymle, and @mushuiyu886.
 - Memory, state, diagnostics, and config: split header-too-large embedding batches, keep QMD memory search enabled in transient mode, avoid SQLite WAL on NFS volumes, preserve recovery scheduling outside stuck-session warning backoff, and keep shell environment fallbacks contained in config write tests. (#92650, #92618, #92639, #91247, #92752) Thanks @mushuiyu886, @TurboTheTurtle, @849261680, and @gnanam1990.
-- Workspace setup state: store setup completion outside the workspace dot directory using an OpenClaw-named root file, migrate valid legacy state forward, and avoid clobbering generic root `workspace-state.json` files for TigerFS-style dot-path compatibility. This Clownfish replacement carries forward the focused #53326 fix idea because the original branch was closed and uneditable. (#53326, #44783, #39446) Thanks @1qh.
 - UI/mobile/TUI: preserve dashboard session parent lineage, WebChat backscroll, reset soft command args, sidebar session picker interactivity, collapsed workspace files, resolved `/model` confirmation refs, and stale foreground iOS Gateway reconnects. (#90658, #92622, #91353, #92705, #92779, #92773, #92552) Thanks @luoyanglang, @TurboTheTurtle, @zhouhe-xydt, @NianJiuZst, @shakkernerd, @NarahariRaghava, and @Solvely-Colin.
-- Control UI: preserve Gateway Access tokens during same-normalized WebSocket URL edits and reload gateway-scoped tokens when switching endpoints. Fixes #41545; repairs #42001 with additional source PRs #41546, #41552, and #41718. Thanks @wsyjh8, @llagy0020, @llagy007, @pingfanfan, and @zheliu2.
-- Gateway CLI: tolerate a single transient clean WebSocket close before `hello-ok` so one-shot RPC calls reconnect instead of failing noisily, while repeated clean pre-hello closes still surface. Carries forward source PRs #54475 and #54774; #85253 covered adjacent connect assembly diagnostics. Thanks @ruanrrn.
 - Release and test reliability: extend slow Gateway/full-suite watchdogs, split local full-suite shards when throttled, stabilize plugin auth marker fixtures, avoid brittle provider-ref error text, and keep QA Lab bootstrap selection assertions aligned with flow-only scenarios. (#92652)
 - macOS Peekaboo bridge: update the embedded Peekaboo package to 3.5.2 and route bundled-skill CLI commands through the OpenClaw app bridge so they inherit its Screen Recording and Accessibility grants.
 - Agent routing: route subagent RPC callbacks addressed to an agent-shaped `--to` target to the correct session key instead of falling back to the main session, so WeChat (and other channel) session-key callbacks reach the intended subagent session. (#90231) Thanks @zhangguiping-xydt.
-- Cron: preserve model, fallback, thinking, timeout, light-context, unsafe-content, and tool allow-list overrides on implicit text payloads by promoting them to agent turns, while explicit system events still prune those fields. Fixes #28905; carries forward #64060 and #73946. Thanks @liaoandi.
 - QQBot delivery: keep markdown table chunks self-contained across message boundaries by preserving table state across block deliveries, flushing unfinished table-row fragments as plain text, and detecting short pipe-terminated rows by column count so split rows are not sent as malformed markdown. (#92428) Thanks @sliverp.
 
 ## 2026.6.6

apps/android/app/src/main/java/ai/openclaw/app/NodeRuntime.kt

@@ -443,7 +443,6 @@ class NodeRuntime(
         updateStatus()
         micCapture.onGatewayConnectionChanged(true)
         scope.launch {
-          subscribeOperatorSessionEvents()
           refreshHomeCanvasOverviewIfConnected()
           if (voiceReplySpeakerLazy.isInitialized()) {
             voiceReplySpeaker.refreshConfig()
@@ -486,14 +485,6 @@ class NodeRuntime(
       },
     )
 
-  private suspend fun subscribeOperatorSessionEvents() {
-    try {
-      operatorSession.request("sessions.subscribe", null)
-    } catch (err: Throwable) {
-      Log.d("OpenClawRuntime", "sessions.subscribe failed: ${err.message ?: err::class.java.simpleName}")
-    }
-  }
-
   private val nodeSession =
     GatewaySession(
       scope = scope,

apps/android/app/src/main/java/ai/openclaw/app/chat/ChatController.kt

@@ -311,6 +311,7 @@ class ChatController(
     }
   }
 
+  /** Applies gateway chat/agent stream events to local transcript and pending-run state. */
   fun handleGatewayEvent(
     event: String,
     payloadJson: String?,
@@ -320,6 +321,7 @@ class ChatController(
         scope.launch { pollHealthIfNeeded(force = false) }
       }
       "health" -> {
+        // If we receive a health snapshot, the gateway is reachable.
         _healthOk.value = true
       }
       "seqGap" -> {
@@ -330,17 +332,6 @@ class ChatController(
         if (payloadJson.isNullOrBlank()) return
         handleChatEvent(payloadJson)
       }
-      "sessions.changed" -> {
-        if (payloadJson.isNullOrBlank()) {
-          refreshSessionsForCurrentWindow()
-        } else {
-          handleSessionsChangedEvent(payloadJson)
-        }
-      }
-      "session.message" -> {
-        if (payloadJson.isNullOrBlank()) return
-        handleSessionMessageEvent(payloadJson)
-      }
       "agent" -> {
         if (payloadJson.isNullOrBlank()) return
         handleAgentEvent(payloadJson)
@@ -362,7 +353,6 @@ class ChatController(
         )
       if (!isCurrentHistoryLoad(sessionKey, _sessionKey.value, generation, historyLoadGeneration.get())) return
       val history = parseHistory(historyJson, sessionKey = sessionKey, previousMessages = _messages.value)
-      updateSessionFromHistory(history)
       prunePersistedOptimisticMessages(history.messages)
       _messages.value = mergeOptimisticMessages(incoming = history.messages, optimistic = optimisticMessagesByRunId.values)
       _sessionId.value = history.sessionId
@@ -398,10 +388,6 @@ class ChatController(
     }
   }
 
-  private fun refreshSessionsForCurrentWindow() {
-    scope.launch { fetchSessions(limit = _sessions.value.size.takeIf { it > 0 } ?: 100) }
-  }
-
   private suspend fun pollHealthIfNeeded(force: Boolean) {
     val now = System.currentTimeMillis()
     val last = lastHealthPollAtMs
@@ -471,7 +457,6 @@ class ChatController(
                 sessionKey = currentSessionKey,
                 previousMessages = _messages.value,
               )
-            updateSessionFromHistory(history)
             prunePersistedOptimisticMessages(history.messages)
             _messages.value = mergeOptimisticMessages(incoming = history.messages, optimistic = optimisticMessagesByRunId.values)
             _sessionId.value = history.sessionId
@@ -487,31 +472,6 @@ class ChatController(
     }
   }
 
-  private fun handleSessionsChangedEvent(payloadJson: String) {
-    val payload = json.parseToJsonElement(payloadJson).asObjectOrNull() ?: return
-    if (payload["reason"].asStringOrNull() == "delete") {
-      removeSessionEntry(payload["sessionKey"].asStringOrNull() ?: payload["key"].asStringOrNull())
-      return
-    }
-    val entry = parseEventSessionEntry(payload)
-    if (entry != null) {
-      upsertSessionEntry(entry)
-    } else {
-      refreshSessionsForCurrentWindow()
-    }
-  }
-
-  private fun handleSessionMessageEvent(payloadJson: String) {
-    val payload = json.parseToJsonElement(payloadJson).asObjectOrNull() ?: return
-    val entry = parseEventSessionEntry(payload)
-    if (entry != null) {
-      upsertSessionEntry(entry)
-    }
-  }
-
-  private fun parseEventSessionEntry(payload: JsonObject): ChatSessionEntry? =
-    payload["session"].asObjectOrNull()?.let(::parseSessionEntry) ?: parseSessionEntry(payload)
-
   private fun handleAgentEvent(payloadJson: String) {
     val payload = json.parseToJsonElement(payloadJson).asObjectOrNull() ?: return
     val sessionKey = payload["sessionKey"].asStringOrNull()?.trim()
@@ -640,7 +600,6 @@ class ChatController(
     val root = json.parseToJsonElement(historyJson).asObjectOrNull() ?: return ChatHistory(sessionKey, null, null, emptyList())
     val sid = root["sessionId"].asStringOrNull()
     val thinkingLevel = root["thinkingLevel"].asStringOrNull()
-    val sessionInfo = root["sessionInfo"].asObjectOrNull()?.let { parseSessionEntry(it, fallbackKey = sessionKey) }
     val array = root["messages"].asArrayOrNull() ?: JsonArray(emptyList())
 
     val messages =
@@ -663,69 +622,20 @@ class ChatController(
       sessionId = sid,
       thinkingLevel = thinkingLevel,
       messages = reconcileMessageIds(previous = previousMessages, incoming = messages),
-      sessionInfo = sessionInfo,
     )
   }
 
   private fun parseSessions(jsonString: String): List<ChatSessionEntry> {
     val root = json.parseToJsonElement(jsonString).asObjectOrNull() ?: return emptyList()
     val sessions = root["sessions"].asArrayOrNull() ?: return emptyList()
-    return sessions.mapNotNull { item -> parseSessionEntry(item.asObjectOrNull()) }
-  }
-
-  private fun parseSessionEntry(
-    obj: JsonObject?,
-    fallbackKey: String? = null,
-  ): ChatSessionEntry? {
-    if (obj == null) return null
-    val key =
-      obj["key"].asStringOrNull()?.trim().orEmpty()
-        .ifEmpty { obj["sessionKey"].asStringOrNull()?.trim().orEmpty() }
-        .ifEmpty { fallbackKey?.trim().orEmpty() }
-    if (key.isEmpty()) return null
-    return ChatSessionEntry(
-      key = key,
-      updatedAtMs = obj["updatedAt"].asLongOrNull(),
-      displayName = obj["displayName"].asStringOrNull()?.trim(),
-      totalTokens = obj["totalTokens"].asLongOrNull(),
-      totalTokensFresh = obj["totalTokensFresh"].asBooleanOrNull(),
-      contextTokens = obj["contextTokens"].asLongOrNull(),
-      hasContextUsageMetadata =
-        "totalTokens" in obj ||
-          "totalTokensFresh" in obj ||
-          "contextTokens" in obj,
-    )
-  }
-
-  private fun updateSessionFromHistory(history: ChatHistory) {
-    val info = history.sessionInfo ?: return
-    upsertSessionEntry(info, preserveExistingContextUsageWithoutTotal = true)
-  }
-
-  private fun upsertSessionEntry(
-    entry: ChatSessionEntry,
-    preserveExistingContextUsageWithoutTotal: Boolean = false,
-  ) {
-    val current = _sessions.value
-    val index = current.indexOfFirst { it.key == entry.key }
-    _sessions.value =
-      if (index >= 0) {
-        current.toMutableList().also {
-          it[index] =
-            mergeChatSessionEntry(
-              existing = it[index],
-              next = entry,
-              preserveExistingContextUsageWithoutTotal = preserveExistingContextUsageWithoutTotal,
-            )
-        }
-      } else {
-        listOf(entry) + current
-      }
-  }
-
-  private fun removeSessionEntry(sessionKey: String?) {
-    val key = sessionKey?.trim()?.takeIf { it.isNotEmpty() } ?: return
-    _sessions.value = _sessions.value.filterNot { it.key == key }
+    return sessions.mapNotNull { item ->
+      val obj = item.asObjectOrNull() ?: return@mapNotNull null
+      val key = obj["key"].asStringOrNull()?.trim().orEmpty()
+      if (key.isEmpty()) return@mapNotNull null
+      val updatedAt = obj["updatedAt"].asLongOrNull()
+      val displayName = obj["displayName"].asStringOrNull()?.trim()
+      ChatSessionEntry(key = key, updatedAtMs = updatedAt, displayName = displayName)
+    }
   }
 
   private fun parseRunId(resJson: String): String? =
@@ -947,44 +857,3 @@ private fun JsonElement?.asLongOrNull(): Long? =
     is JsonPrimitive -> content.toLongOrNull()
     else -> null
   }
-
-private fun JsonElement?.asBooleanOrNull(): Boolean? =
-  when (this) {
-    is JsonPrimitive -> content.toBooleanStrictOrNull()
-    else -> null
-  }
-
-internal fun mergeChatSessionEntry(
-  existing: ChatSessionEntry,
-  next: ChatSessionEntry,
-  preserveExistingContextUsageWithoutTotal: Boolean = false,
-): ChatSessionEntry {
-  val preserveExistingContextUsage = preserveExistingContextUsageWithoutTotal && next.totalTokens == null
-  return existing.copy(
-    updatedAtMs = next.updatedAtMs ?: existing.updatedAtMs,
-    displayName = next.displayName ?: existing.displayName,
-    totalTokens =
-      when {
-        preserveExistingContextUsage -> existing.totalTokens
-        next.hasContextUsageMetadata -> next.totalTokens
-        else -> null
-      },
-    totalTokensFresh =
-      when {
-        preserveExistingContextUsage -> existing.totalTokensFresh
-        next.hasContextUsageMetadata -> next.totalTokensFresh
-        else -> null
-      },
-    contextTokens =
-      when {
-        preserveExistingContextUsage -> next.contextTokens ?: existing.contextTokens
-        next.hasContextUsageMetadata -> next.contextTokens
-        else -> null
-      },
-    hasContextUsageMetadata =
-      when {
-        preserveExistingContextUsage -> existing.hasContextUsageMetadata || next.contextTokens != null
-        else -> next.hasContextUsageMetadata
-      },
-  )
-}

apps/android/app/src/main/java/ai/openclaw/app/chat/ChatModels.kt

@@ -40,10 +40,6 @@ data class ChatSessionEntry(
   val key: String,
   val updatedAtMs: Long?,
   val displayName: String? = null,
-  val totalTokens: Long? = null,
-  val totalTokensFresh: Boolean? = null,
-  val contextTokens: Long? = null,
-  val hasContextUsageMetadata: Boolean = totalTokens != null || totalTokensFresh != null || contextTokens != null,
 )
 
 /**
@@ -54,7 +50,6 @@ data class ChatHistory(
   val sessionId: String?,
   val thinkingLevel: String?,
   val messages: List<ChatMessage>,
-  val sessionInfo: ChatSessionEntry? = null,
 )
 
 /**

apps/android/app/src/main/java/ai/openclaw/app/ui/chat/ChatScreen.kt

@@ -74,7 +74,6 @@ import kotlinx.coroutines.withContext
 import java.text.DateFormat
 import java.util.Date
 import java.util.Locale
-import kotlin.math.roundToInt
 
 /** Full chat surface that wires MainViewModel state to messages, attachments, voice, and composer actions. */
 @Composable
@@ -96,7 +95,6 @@ fun ChatScreen(
   val sessions by viewModel.chatSessions.collectAsState()
   val chatDraft by viewModel.chatDraft.collectAsState()
   val pendingAssistantAutoSend by viewModel.pendingAssistantAutoSend.collectAsState()
-  val contextUsage = resolveChatContextUsage(sessionKey = sessionKey, mainSessionKey = mainSessionKey, sessions = sessions)
   val context = LocalContext.current
   val resolver = context.contentResolver
   val scope = rememberCoroutineScope()
@@ -198,7 +196,6 @@ fun ChatScreen(
       onValueChange = { input = it },
       attachments = attachments,
       thinkingLevel = thinkingLevel,
-      contextUsage = contextUsage,
       healthOk = healthOk,
       pendingRunCount = pendingRunCount,
       onThinkingLevelChange = viewModel::setChatThinkingLevel,
@@ -688,7 +685,6 @@ private fun ChatComposer(
   onValueChange: (String) -> Unit,
   attachments: List<PendingImageAttachment>,
   thinkingLevel: String,
-  contextUsage: ChatContextUsage,
   healthOk: Boolean,
   pendingRunCount: Int,
   onThinkingLevelChange: (String) -> Unit,
@@ -703,11 +699,7 @@ private fun ChatComposer(
       AttachmentStrip(attachments = attachments, onRemoveAttachment = onRemoveAttachment)
     }
 
-    ChatContextMeter(
-      thinkingLevel = thinkingLevel,
-      contextUsage = contextUsage,
-      onClick = { onThinkingLevelChange(nextThinkingValue(thinkingLevel)) },
-    )
+    ChatContextMeter(thinkingLevel = thinkingLevel, onClick = { onThinkingLevelChange(nextThinkingValue(thinkingLevel)) })
 
     Row(modifier = Modifier.fillMaxWidth(), verticalAlignment = Alignment.CenterVertically, horizontalArrangement = Arrangement.spacedBy(6.dp)) {
       ChatInputPill(value = value, onValueChange = onValueChange, onPickImages = onPickImages, onVoice = onVoice, modifier = Modifier.weight(1f))
@@ -743,10 +735,8 @@ private fun ChatComposer(
 @Composable
 private fun ChatContextMeter(
   thinkingLevel: String,
-  contextUsage: ChatContextUsage,
   onClick: () -> Unit,
 ) {
-  val contextFraction = contextMeterWidth(contextUsage) ?: 0f
   Row(
     modifier = Modifier.width(178.dp),
     verticalAlignment = Alignment.CenterVertically,
@@ -765,13 +755,7 @@ private fun ChatContextMeter(
         horizontalArrangement = Arrangement.spacedBy(6.dp),
       ) {
         Icon(imageVector = Icons.Default.Refresh, contentDescription = null, modifier = Modifier.size(12.dp), tint = ClawTheme.colors.textSubtle)
-        Text(
-          text = contextMeterLabel(contextUsage, thinkingLevel),
-          style = ClawTheme.type.caption.copy(fontSize = 12.5.sp, lineHeight = 16.sp),
-          color = ClawTheme.colors.textMuted,
-          maxLines = 1,
-          overflow = TextOverflow.Ellipsis,
-        )
+        Text(text = "Context ${contextPercent(thinkingLevel)}%", style = ClawTheme.type.caption.copy(fontSize = 12.5.sp, lineHeight = 16.sp), color = ClawTheme.colors.textMuted)
       }
     }
     Box(
@@ -784,7 +768,7 @@ private fun ChatContextMeter(
       Box(
         modifier =
           Modifier
-            .fillMaxWidth(contextFraction)
+            .fillMaxWidth(thinkingMeterWidth(thinkingLevel))
             .height(3.dp)
             .background(ClawTheme.colors.primary, RoundedCornerShape(999.dp)),
       )
@@ -918,32 +902,6 @@ private fun isActiveSessionChoice(
   return choiceKey == current
 }
 
-internal data class ChatContextUsage(
-  val totalTokens: Long?,
-  val totalTokensFresh: Boolean?,
-  val contextTokens: Long?,
-)
-
-internal fun resolveChatContextUsage(
-  sessionKey: String,
-  mainSessionKey: String,
-  sessions: List<ChatSessionEntry>,
-): ChatContextUsage {
-  val entry =
-    sessions.firstOrNull {
-      isActiveSessionChoice(
-        choiceKey = it.key,
-        sessionKey = sessionKey,
-        mainSessionKey = mainSessionKey,
-      )
-  }
-  return ChatContextUsage(
-    totalTokens = entry?.totalTokens,
-    totalTokensFresh = entry?.totalTokensFresh,
-    contextTokens = entry?.contextTokens,
-  )
-}
-
 @Composable
 private fun SendButton(
   enabled: Boolean,
@@ -1000,29 +958,17 @@ private fun nextThinkingValue(value: String): String =
     else -> "off"
   }
 
-internal fun contextMeterWidth(usage: ChatContextUsage): Float? {
-  if (usage.totalTokensFresh == false) return null
-  val total = usage.totalTokens?.takeIf { it >= 0L } ?: return null
-  val context = usage.contextTokens?.takeIf { it > 0L } ?: return null
-  return (total.toDouble() / context.toDouble()).coerceIn(0.0, 1.0).toFloat()
-}
-
-internal fun contextMeterLabel(
-  usage: ChatContextUsage,
-  thinkingLevel: String,
-): String {
-  val contextLabel = contextMeterWidth(usage)?.let { "Context ${(it * 100).roundToInt()}%" } ?: "Context --"
-  return "$contextLabel · ${contextMeterThinkingLabel(thinkingLevel)}"
-}
-
-internal fun contextMeterThinkingLabel(value: String): String =
+/** Maps thinking presets to the visual context meter fill fraction. */
+private fun thinkingMeterWidth(value: String): Float =
   when (value.lowercase(Locale.US)) {
-    "low" -> "low"
-    "medium" -> "medium"
-    "high" -> "high"
-    else -> "off"
+    "low" -> 0.34f
+    "medium" -> 0.58f
+    "high" -> 0.82f
+    else -> 0.18f
   }
 
+private fun contextPercent(value: String): Int = (thinkingMeterWidth(value) * 100).toInt()
+
 private fun formatChatTimestamp(timestampMs: Long): String = DateFormat.getTimeInstance(DateFormat.SHORT, Locale.getDefault()).format(Date(timestampMs))
 
 /** Quick markdown detector used to avoid routing plain chat text through the markdown renderer. */

apps/android/app/src/test/java/ai/openclaw/app/chat/ChatControllerSessionPolicyTest.kt

@@ -59,96 +59,4 @@ class ChatControllerSessionPolicyTest {
       ),
     )
   }
-
-  @Test
-  fun sessionMergeClearsUsageWhenNewSnapshotOmitsUsageMetadata() {
-    val existing =
-      ChatSessionEntry(
-        key = "agent:main:phone",
-        updatedAtMs = 1L,
-        displayName = "Phone",
-        totalTokens = 41_000L,
-        totalTokensFresh = true,
-        contextTokens = 100_000L,
-      )
-    val next =
-      ChatSessionEntry(
-        key = "agent:main:phone",
-        updatedAtMs = 2L,
-        displayName = "Phone renamed",
-        hasContextUsageMetadata = false,
-      )
-
-    val merged = mergeChatSessionEntry(existing, next)
-
-    assertEquals("agent:main:phone", merged.key)
-    assertEquals(2L, merged.updatedAtMs)
-    assertEquals("Phone renamed", merged.displayName)
-    assertEquals(null, merged.totalTokens)
-    assertEquals(null, merged.totalTokensFresh)
-    assertEquals(null, merged.contextTokens)
-    assertFalse(merged.hasContextUsageMetadata)
-  }
-
-  @Test
-  fun sessionMergePreservesUsageWhenHistorySnapshotOmitsTotalTokens() {
-    val existing =
-      ChatSessionEntry(
-        key = "agent:main:phone",
-        updatedAtMs = 1L,
-        displayName = "Phone",
-        totalTokens = 41_000L,
-        totalTokensFresh = true,
-        contextTokens = 100_000L,
-      )
-    val next =
-      ChatSessionEntry(
-        key = "agent:main:phone",
-        updatedAtMs = 2L,
-        displayName = "Phone renamed",
-        totalTokensFresh = false,
-        contextTokens = 120_000L,
-      )
-
-    val merged =
-      mergeChatSessionEntry(
-        existing = existing,
-        next = next,
-        preserveExistingContextUsageWithoutTotal = true,
-      )
-
-    assertEquals(2L, merged.updatedAtMs)
-    assertEquals("Phone renamed", merged.displayName)
-    assertEquals(41_000L, merged.totalTokens)
-    assertEquals(true, merged.totalTokensFresh)
-    assertEquals(120_000L, merged.contextTokens)
-    assertTrue(merged.hasContextUsageMetadata)
-  }
-
-  @Test
-  fun sessionMergeAppliesExplicitStaleUsageMetadata() {
-    val existing =
-      ChatSessionEntry(
-        key = "agent:main:phone",
-        updatedAtMs = 1L,
-        totalTokens = 41_000L,
-        totalTokensFresh = true,
-        contextTokens = 100_000L,
-      )
-    val next =
-      ChatSessionEntry(
-        key = "agent:main:phone",
-        updatedAtMs = 2L,
-        totalTokens = 82_000L,
-        totalTokensFresh = false,
-        contextTokens = 100_000L,
-      )
-
-    val merged = mergeChatSessionEntry(existing, next)
-
-    assertEquals(82_000L, merged.totalTokens)
-    assertEquals(false, merged.totalTokensFresh)
-    assertEquals(100_000L, merged.contextTokens)
-    assertTrue(merged.hasContextUsageMetadata)
-  }
 }

apps/android/app/src/test/java/ai/openclaw/app/ui/chat/ChatContextMeterTest.kt

@@ -1,84 +0,0 @@
-package ai.openclaw.app.ui.chat
-
-import ai.openclaw.app.chat.ChatSessionEntry
-import org.junit.Assert.assertEquals
-import org.junit.Assert.assertNull
-import org.junit.Test
-
-class ChatContextMeterTest {
-  @Test
-  fun contextMeterUsesActiveSessionTokenBudget() {
-    val sessions =
-      listOf(
-        ChatSessionEntry(key = "main", updatedAtMs = 1L, displayName = "Main", totalTokens = 8_000L, totalTokensFresh = true, contextTokens = 10_000L),
-        ChatSessionEntry(
-          key = "agent:main:mobile:test-device",
-          updatedAtMs = 2L,
-          displayName = "Phone",
-          totalTokens = 1_250L,
-          totalTokensFresh = true,
-          contextTokens = 5_000L,
-        ),
-      )
-
-    val usage =
-      resolveChatContextUsage(
-        sessionKey = "agent:main:mobile:test-device",
-        mainSessionKey = "main",
-        sessions = sessions,
-      )
-
-    assertEquals(ChatContextUsage(totalTokens = 1_250L, totalTokensFresh = true, contextTokens = 5_000L), usage)
-    assertEquals(0.25f, contextMeterWidth(usage))
-    assertEquals("Context 25% · high", contextMeterLabel(usage, "high"))
-  }
-
-  @Test
-  fun contextMeterResolvesCanonicalMainAlias() {
-    val sessions =
-      listOf(
-        ChatSessionEntry(
-          key = "agent:main:node-phone",
-          updatedAtMs = 1L,
-          displayName = "Main",
-          totalTokens = 41_000L,
-          totalTokensFresh = true,
-          contextTokens = 100_000L,
-        ),
-      )
-
-    val usage =
-      resolveChatContextUsage(
-        sessionKey = "main",
-        mainSessionKey = "agent:main:node-phone",
-        sessions = sessions,
-      )
-
-    assertEquals(ChatContextUsage(totalTokens = 41_000L, totalTokensFresh = true, contextTokens = 100_000L), usage)
-    assertEquals("Context 41% · off", contextMeterLabel(usage, "off"))
-  }
-
-  @Test
-  fun contextMeterDoesNotInventPercentWhenBudgetIsMissing() {
-    val usage = ChatContextUsage(totalTokens = 8_200L, totalTokensFresh = true, contextTokens = null)
-
-    assertNull(contextMeterWidth(usage))
-    assertEquals("Context -- · medium", contextMeterLabel(usage, "medium"))
-  }
-
-  @Test
-  fun contextMeterClampsOverfullSessions() {
-    val usage = ChatContextUsage(totalTokens = 150_000L, totalTokensFresh = true, contextTokens = 100_000L)
-
-    assertEquals(1.0f, contextMeterWidth(usage))
-    assertEquals("Context 100% · low", contextMeterLabel(usage, "low"))
-  }
-
-  @Test
-  fun contextMeterDoesNotDisplayStaleTokenUsage() {
-    val usage = ChatContextUsage(totalTokens = 82_000L, totalTokensFresh = false, contextTokens = 100_000L)
-
-    assertNull(contextMeterWidth(usage))
-    assertEquals("Context -- · high", contextMeterLabel(usage, "high"))
-  }
-}

apps/ios/CHANGELOG.md

@@ -58,11 +58,11 @@ Maintenance update for the current OpenClaw release.
 
 ## 2026.5.12 - 2026-05-12
 
-Maintenance update for the current OpenClaw release.
+Maintenance update for the current OpenClaw beta release.
 
 ## 2026.5.10 - 2026-05-10
 
-Maintenance update for the current OpenClaw release.
+Maintenance update for the current OpenClaw beta release.
 
 - Gateway connections now recover after a trusted Gateway certificate changes by refreshing the stored certificate pin during reconnect.
 
@@ -128,7 +128,7 @@ Maintenance update for the current OpenClaw release.
 
 ## 2026.4.19 - 2026-04-19
 
-Maintenance update for the current OpenClaw release.
+Maintenance update for the current OpenClaw beta release.
 
 ## 2026.4.18 - 2026-04-18
 
@@ -136,11 +136,11 @@ Maintenance update for the current OpenClaw release.
 
 ## 2026.4.15 - 2026-04-15
 
-Maintenance update for the current OpenClaw release.
+Maintenance update for the current OpenClaw beta release.
 
 ## 2026.4.14 - 2026-04-14
 
-Maintenance update for the current OpenClaw release.
+Maintenance update for the current OpenClaw beta release.
 
 ## 2026.4.12 - 2026-04-12
 

apps/ios/Config/AppStoreSigning.json

@@ -1,53 +0,0 @@
-{
-  "teamId": "FWJYW4S8P8",
-  "signingRepo": "git@github.com:openclaw/ios-signing.git",
-  "certificateType": "IOS_DISTRIBUTION",
-  "profileType": "IOS_APP_STORE",
-  "targets": [
-    {
-      "target": "OpenClaw",
-      "displayName": "OpenClaw",
-      "bundleId": "ai.openclawfoundation.app",
-      "platform": "IOS",
-      "profileKey": "OPENCLAW_APP_PROFILE",
-      "profileName": "OpenClaw App Store ai.openclawfoundation.app",
-      "capabilities": ["PUSH_NOTIFICATIONS"]
-    },
-    {
-      "target": "OpenClawShareExtension",
-      "displayName": "OpenClaw Share",
-      "bundleId": "ai.openclawfoundation.app.share",
-      "platform": "IOS",
-      "profileKey": "OPENCLAW_SHARE_PROFILE",
-      "profileName": "OpenClaw App Store ai.openclawfoundation.app.share",
-      "capabilities": []
-    },
-    {
-      "target": "OpenClawActivityWidget",
-      "displayName": "OpenClaw Activity Widget",
-      "bundleId": "ai.openclawfoundation.app.activitywidget",
-      "platform": "IOS",
-      "profileKey": "OPENCLAW_ACTIVITY_WIDGET_PROFILE",
-      "profileName": "OpenClaw App Store ai.openclawfoundation.app.activitywidget",
-      "capabilities": []
-    },
-    {
-      "target": "OpenClawWatchApp",
-      "displayName": "OpenClaw Watch App",
-      "bundleId": "ai.openclawfoundation.app.watchkitapp",
-      "platform": "IOS",
-      "profileKey": "OPENCLAW_WATCH_APP_PROFILE",
-      "profileName": "OpenClaw App Store ai.openclawfoundation.app.watchkitapp",
-      "capabilities": []
-    },
-    {
-      "target": "OpenClawWatchExtension",
-      "displayName": "OpenClaw Watch Extension",
-      "bundleId": "ai.openclawfoundation.app.watchkitapp.extension",
-      "platform": "IOS",
-      "profileKey": "OPENCLAW_WATCH_EXTENSION_PROFILE",
-      "profileName": "OpenClaw App Store ai.openclawfoundation.app.watchkitapp.extension",
-      "capabilities": []
-    }
-  ]
-}

apps/ios/Config/Signing.xcconfig

@@ -1,16 +1,14 @@
 // Shared iOS signing defaults for local development + CI.
 #include "Version.xcconfig"
 
-OPENCLAW_IOS_DEFAULT_TEAM = FWJYW4S8P8
+OPENCLAW_IOS_DEFAULT_TEAM = Y5PE65HELJ
 OPENCLAW_IOS_SELECTED_TEAM = $(OPENCLAW_IOS_DEFAULT_TEAM)
 OPENCLAW_DEVELOPMENT_TEAM = $(OPENCLAW_IOS_SELECTED_TEAM)
 OPENCLAW_CODE_SIGN_STYLE = Automatic
-OPENCLAW_CODE_SIGN_IDENTITY = Apple Development
-OPENCLAW_APP_BUNDLE_ID = ai.openclawfoundation.app
-OPENCLAW_WATCH_APP_BUNDLE_ID = ai.openclawfoundation.app.watchkitapp
-OPENCLAW_WATCH_EXTENSION_BUNDLE_ID = ai.openclawfoundation.app.watchkitapp.extension
-OPENCLAW_ACTIVITY_WIDGET_BUNDLE_ID = ai.openclawfoundation.app.activitywidget
-OPENCLAW_ACTIVITY_WIDGET_PROFILE =
+OPENCLAW_APP_BUNDLE_ID = ai.openclaw.client
+OPENCLAW_WATCH_APP_BUNDLE_ID = ai.openclaw.client.watchkitapp
+OPENCLAW_WATCH_EXTENSION_BUNDLE_ID = ai.openclaw.client.watchkitapp.extension
+OPENCLAW_ACTIVITY_WIDGET_BUNDLE_ID = ai.openclaw.client.activitywidget
 OPENCLAW_WATCH_APP_PROFILE =
 OPENCLAW_WATCH_EXTENSION_PROFILE =
 
@@ -20,7 +18,7 @@ OPENCLAW_WATCH_EXTENSION_PROFILE =
 #include? "../LocalSigning.xcconfig"
 
 CODE_SIGN_STYLE = $(OPENCLAW_CODE_SIGN_STYLE)
-CODE_SIGN_IDENTITY = $(OPENCLAW_CODE_SIGN_IDENTITY)
+CODE_SIGN_IDENTITY = Apple Development
 DEVELOPMENT_TEAM = $(OPENCLAW_DEVELOPMENT_TEAM)
 
 // Let Xcode manage provisioning for the selected local team unless a local override pins one.

apps/ios/LocalSigning.xcconfig.example

@@ -2,18 +2,16 @@
 // This file is only an example and should stay committed.
 
 OPENCLAW_CODE_SIGN_STYLE = Automatic
-OPENCLAW_CODE_SIGN_IDENTITY = Apple Development
 OPENCLAW_DEVELOPMENT_TEAM = YOUR_TEAM_ID
 
-OPENCLAW_APP_BUNDLE_ID = ai.openclawfoundation.app
-OPENCLAW_SHARE_BUNDLE_ID = ai.openclawfoundation.app.share
-OPENCLAW_ACTIVITY_WIDGET_BUNDLE_ID = ai.openclawfoundation.app.activitywidget
-OPENCLAW_WATCH_APP_BUNDLE_ID = ai.openclawfoundation.app.watchkitapp
-OPENCLAW_WATCH_EXTENSION_BUNDLE_ID = ai.openclawfoundation.app.watchkitapp.extension
+OPENCLAW_APP_BUNDLE_ID = ai.openclaw.client
+OPENCLAW_SHARE_BUNDLE_ID = ai.openclaw.client.share
+OPENCLAW_ACTIVITY_WIDGET_BUNDLE_ID = ai.openclaw.client.activitywidget
+OPENCLAW_WATCH_APP_BUNDLE_ID = ai.openclaw.client.watchkitapp
+OPENCLAW_WATCH_EXTENSION_BUNDLE_ID = ai.openclaw.client.watchkitapp.extension
 
 // Leave empty with automatic signing.
 OPENCLAW_APP_PROFILE =
 OPENCLAW_SHARE_PROFILE =
-OPENCLAW_ACTIVITY_WIDGET_PROFILE =
 OPENCLAW_WATCH_APP_PROFILE =
 OPENCLAW_WATCH_EXTENSION_PROFILE =

apps/ios/README.md

@@ -4,8 +4,8 @@ This iOS app is super-alpha and internal-use only. The first public App Store re
 
 ## Distribution Status
 
-- Public distribution: App Store Connect app created; production signing is configured through the App Store release Fastlane path.
-- Internal TestFlight distribution: uses the same App Store distribution archive uploaded to App Store Connect.
+- Public distribution: not available.
+- Internal beta distribution: local archive + TestFlight upload via Fastlane.
 - Local/manual deploy from source via Xcode remains the default development path.
 
 ## Super-Alpha Disclaimer
@@ -47,7 +47,7 @@ Shortcut command (same flow + open project):
 pnpm ios:open
 ```
 
-## App Store Release Flow
+## Local Beta Release Flow
 
 Prereqs:
 
@@ -55,82 +55,51 @@ Prereqs:
 - `pnpm`
 - `xcodegen`
 - `fastlane`
-- Apple account signed into Xcode for the canonical OpenClaw team (`FWJYW4S8P8`)
-- `asc` CLI authenticated for the canonical OpenClaw team
-- Release-owner access to the encrypted signing repo password (`ASC_MATCH_PASSWORD`)
-- App Store Connect app already created for `ai.openclawfoundation.app`
-- App Store Connect API key set up in Keychain via `scripts/ios-asc-keychain-setup.sh` when auto-resolving a build number or uploading to App Store Connect
+- Apple account signed into Xcode for automatic signing/provisioning
+- App Store Connect API key set up in Keychain via `scripts/ios-asc-keychain-setup.sh` when auto-resolving a beta build number or uploading to TestFlight
 
 Release behavior:
 
-- Local development uses the canonical `ai.openclawfoundation.app*` bundle IDs when the OpenClaw team is available, and unique `ai.openclawfoundation.app.test.*` bundle IDs only for non-canonical fallback teams.
-- App Store release uses canonical `ai.openclawfoundation.app*` bundle IDs through a temporary generated xcconfig in `apps/ios/build/AppStoreRelease.xcconfig`.
-- App Store release uses manual `Apple Distribution` signing with profile names pinned in `apps/ios/Config/AppStoreSigning.json`.
-- `asc` owns one-time Developer Portal setup and encrypted signing sync. Fastlane owns release handling after those assets exist.
-- App Store release also switches the app to `OpenClawPushTransport=relay`, `OpenClawPushDistribution=official`, `OpenClawPushAPNsEnvironment=production`, and a production `aps-environment` entitlement.
-- `pnpm ios:release:upload` generates App Store screenshots and uploads release notes before archiving and uploading the IPA.
-- `pnpm ios:release` remains a compatibility alias for `pnpm ios:release:upload`; prefer the explicit upload command in new release docs and automation.
-- App Review submission is manual in App Store Connect. The release lane uploads a build and metadata, but does not submit for review.
-- The release flow does not modify `apps/ios/.local-signing.xcconfig` or `apps/ios/LocalSigning.xcconfig`.
+- Local development keeps using unique per-developer bundle IDs from `scripts/ios-configure-signing.sh`.
+- Beta release uses canonical `ai.openclaw.client*` bundle IDs through a temporary generated xcconfig in `apps/ios/build/BetaRelease.xcconfig`.
+- Beta release also switches the app to `OpenClawPushTransport=relay`, `OpenClawPushDistribution=official`, and `OpenClawPushAPNsEnvironment=production`.
+- The beta flow does not modify `apps/ios/.local-signing.xcconfig` or `apps/ios/LocalSigning.xcconfig`.
 - `apps/ios/version.json` is the pinned iOS release version source.
 - `apps/ios/CHANGELOG.md` is the iOS-only changelog and release-note source.
 - The pinned iOS version must use CalVer like `2026.4.10`.
 - That pinned value becomes:
   - `CFBundleShortVersionString = 2026.4.10`
-  - `CFBundleVersion = next App Store Connect build number for 2026.4.10`
+  - `CFBundleVersion = next TestFlight build number for 2026.4.10`
 - Changing the root gateway version does not change the iOS app version until you explicitly pin from the gateway.
 - See `apps/ios/VERSIONING.md` for the full workflow.
 
-Relay behavior for App Store builds:
+Relay behavior for beta builds:
 
-- Release builds default to `https://ios-push-relay.openclaw.ai`.
+- Beta builds default to `https://ios-push-relay.openclaw.ai`.
 - Optional custom relay override: `OPENCLAW_PUSH_RELAY_BASE_URL=https://relay.example.com`
   This must be a plain `https://host[:port][/path]` base URL without whitespace, query params, fragments, or xcconfig metacharacters.
 
-Signing setup commands:
-
-```bash
-pnpm ios:release:signing:plan
-pnpm ios:release:signing:check
-pnpm ios:release:signing:setup
-ASC_MATCH_PASSWORD=... pnpm ios:release:signing:sync:push
-ASC_MATCH_PASSWORD=... pnpm ios:release:signing:sync:pull
-```
-
-Release-owner secrets:
-
-- App Store Connect API auth uses Keychain for private key material plus non-secret `apps/ios/fastlane/.env` variables.
-- The encrypted signing repo password lives outside this repo in the release-owner vault and is exposed locally as `ASC_MATCH_PASSWORD`.
-- Apple Distribution private keys, certificates, provisioning profiles, and decrypted signing sync output stay under `apps/ios/build/` or Keychain and are gitignored.
-- Rotating release signing means revoking/replacing the Developer Portal certificate or profile with `asc`, then pushing a fresh encrypted sync state.
-
-Prepare the generated release xcconfig/project without archiving:
-
-```bash
-pnpm ios:release:prepare -- --build-number 7
-```
-
 Archive without upload:
 
 ```bash
-pnpm ios:release:archive
+pnpm ios:beta:archive
 ```
 
-Archive and upload to App Store Connect:
+Archive and upload to TestFlight:
 
 ```bash
-pnpm ios:release:upload
+pnpm ios:beta
 ```
 
 If you need to force a specific build number:
 
 ```bash
-pnpm ios:release:upload -- --build-number 7
+pnpm ios:beta -- --build-number 7
 ```
 
 ### Maintainer Quick Release Checklist
 
-Use this when a clone is missing local iOS release setup and you want the shortest path to an App Store Connect upload.
+Use this when a clone is missing local iOS release setup and you want the shortest path to a TestFlight upload.
 
 1. Confirm Fastlane auth is set up:
 
@@ -150,50 +119,38 @@ scripts/ios-asc-keychain-setup.sh \
 
 This should create `apps/ios/fastlane/.env` with the non-secret ASC variables while the private key stays in Keychain.
 
-3. Confirm the App Store Connect app and Apple Developer identifiers/capabilities exist for:
-   - `ai.openclawfoundation.app`
-   - `ai.openclawfoundation.app.share`
-   - `ai.openclawfoundation.app.activitywidget`
-   - `ai.openclawfoundation.app.watchkitapp`
-   - `ai.openclawfoundation.app.watchkitapp.extension`
-
-   Use `pnpm ios:release:signing:setup` for the initial portal setup, then `ASC_MATCH_PASSWORD=... pnpm ios:release:signing:sync:push` to publish encrypted signing assets to the shared private repo.
-
-4. Optional: set a custom official relay URL for the build. If unset, the release flow uses `https://ios-push-relay.openclaw.ai`.
+3. Optional: set a custom official/TestFlight relay URL for the build. If unset, the beta flow uses `https://ios-push-relay.openclaw.ai`.
 
 ```bash
 export OPENCLAW_PUSH_RELAY_BASE_URL=https://relay.example.com
 ```
 
-5. If you are starting a brand-new production release train, pin iOS to the current gateway version first:
+4. If you are starting a brand-new production release train, pin iOS to the current gateway version first:
 
 ```bash
 pnpm ios:version:pin -- --from-gateway
 ```
 
-6. Upload the build:
+5. Upload the beta:
 
 ```bash
-pnpm ios:release:upload
+pnpm ios:beta
 ```
 
-7. Expected behavior:
+6. Expected behavior:
    - Fastlane reads `apps/ios/version.json`
    - verifies synced iOS versioning artifacts
-   - resolves the next App Store Connect build number for that short version
-   - generates deterministic App Store screenshots
-   - uploads release notes and screenshots to the editable App Store version
-   - generates `apps/ios/build/AppStoreRelease.xcconfig`
+   - resolves the next TestFlight build number for that short version
+   - generates `apps/ios/build/BetaRelease.xcconfig`
    - archives `OpenClaw`
-   - uploads the IPA to App Store Connect for TestFlight/App Review use
-   - leaves App Review submission for a maintainer to complete manually
+   - uploads the IPA to TestFlight
 
-8. Expected outputs after a successful run:
-   - `apps/ios/build/app-store/OpenClaw-<version>.ipa`
-   - `apps/ios/build/app-store/OpenClaw-<version>.app.dSYM.zip`
-   - Fastlane log line like `Uploaded iOS App Store build: version=<version> short=<short> build=<build>`
+7. Expected outputs after a successful run:
+   - `apps/ios/build/beta/OpenClaw-<version>.ipa`
+   - `apps/ios/build/beta/OpenClaw-<version>.app.dSYM.zip`
+   - Fastlane log line like `Uploaded iOS beta: version=<version> short=<short> build=<build>`
 
-9. If this is a fresh clone on a maintainer machine that already works elsewhere, it is OK to copy the non-secret `apps/ios/fastlane/.env` from another trusted local clone on the same Mac. The Keychain-backed private key remains machine-local and is not stored in the repo.
+8. If this is a fresh clone on a maintainer machine that already works elsewhere, it is OK to copy the non-secret `apps/ios/fastlane/.env` from another trusted local clone on the same Mac. The Keychain-backed private key remains machine-local and is not stored in the repo.
 
 ## iOS Versioning Workflow
 
@@ -219,7 +176,7 @@ Recommended flow:
 1. Keep `apps/ios/version.json` pinned to the current train version.
 2. Update `apps/ios/CHANGELOG.md`, usually under `## Unreleased` while iterating.
 3. Run `pnpm ios:version:sync` after changelog changes.
-4. Upload more TestFlight builds with `pnpm ios:release:upload`.
+4. Upload more TestFlight builds with `pnpm ios:beta`.
 5. Let Fastlane bump only the numeric build number.
 
 ### Starting the next production release train
@@ -232,7 +189,7 @@ pnpm ios:version:pin -- --from-gateway
 
 2. Update `apps/ios/CHANGELOG.md` for the new release as needed.
 3. Run `pnpm ios:version:sync`.
-4. Submit the first App Store Connect build for that newly pinned version.
+4. Submit the first TestFlight build for that newly pinned version.
 5. Keep iterating on that same version until the release candidate is ready.
 
 See `apps/ios/VERSIONING.md` for the detailed spec.
@@ -240,9 +197,9 @@ See `apps/ios/VERSIONING.md` for the detailed spec.
 ## APNs Expectations For Local/Manual Builds
 
 - The app calls `registerForRemoteNotifications()` at launch.
-- `apps/ios/Sources/OpenClaw.entitlements` derives `aps-environment` from the active build configuration/signing override.
+- `apps/ios/Sources/OpenClaw.entitlements` sets `aps-environment` to `development`.
 - APNs token registration to gateway happens only after gateway connection (`push.apns.register`).
-- Local/manual builds default to `OpenClawPushTransport=direct`, `OpenClawPushDistribution=local`, and a development `aps-environment` entitlement.
+- Local/manual builds default to `OpenClawPushTransport=direct` and `OpenClawPushDistribution=local`.
 - Your selected team/profile must support Push Notifications for the app bundle ID you are signing.
 - If push capability or provisioning is wrong, APNs registration fails at runtime (check Xcode logs for `APNs registration failed`).
 - The gateway host also needs direct APNs auth configured separately with `OPENCLAW_APNS_TEAM_ID`, `OPENCLAW_APNS_KEY_ID`, and either `OPENCLAW_APNS_PRIVATE_KEY_P8` or `OPENCLAW_APNS_PRIVATE_KEY_PATH`.
@@ -362,7 +319,7 @@ Automatic wake/reconnect hardening:
 5. If network path is unclear:
    - switch to manual host/port + TLS in Gateway Advanced settings
 6. In Xcode console, filter for subsystem/category signals:
-   - `ai.openclawfoundation.app`
+   - `ai.openclaw.ios`
    - `GatewayDiag`
    - `APNs registration failed`
 7. Validate background expectations:

apps/ios/ShareExtension/ShareViewController.swift

@@ -17,7 +17,7 @@ final class ShareViewController: UIViewController {
         var attachments: [ShareAttachment]
     }
 
-    private let logger = Logger(subsystem: "ai.openclawfoundation.app", category: "ShareExtension")
+    private let logger = Logger(subsystem: "ai.openclaw.ios", category: "ShareExtension")
     private var statusLabel: UILabel?
     private let draftTextView = UITextView()
     private let sendButton = UIButton(type: .system)

apps/ios/Signing.xcconfig

@@ -5,21 +5,16 @@
 #include "Config/Version.xcconfig"
 
 OPENCLAW_CODE_SIGN_STYLE = Manual
-OPENCLAW_CODE_SIGN_IDENTITY = Apple Development
-OPENCLAW_DEVELOPMENT_TEAM = FWJYW4S8P8
+OPENCLAW_DEVELOPMENT_TEAM = Y5PE65HELJ
 
-OPENCLAW_APP_BUNDLE_ID = ai.openclawfoundation.app
-OPENCLAW_SHARE_BUNDLE_ID = ai.openclawfoundation.app.share
-OPENCLAW_WATCH_APP_BUNDLE_ID = ai.openclawfoundation.app.watchkitapp
-OPENCLAW_WATCH_EXTENSION_BUNDLE_ID = ai.openclawfoundation.app.watchkitapp.extension
-OPENCLAW_ACTIVITY_WIDGET_BUNDLE_ID = ai.openclawfoundation.app.activitywidget
-OPENCLAW_APNS_ENTITLEMENT_ENVIRONMENT = development
+OPENCLAW_APP_BUNDLE_ID = ai.openclaw.client
+OPENCLAW_SHARE_BUNDLE_ID = ai.openclaw.client.share
+OPENCLAW_WATCH_APP_BUNDLE_ID = ai.openclaw.client.watchkitapp
+OPENCLAW_WATCH_EXTENSION_BUNDLE_ID = ai.openclaw.client.watchkitapp.extension
+OPENCLAW_ACTIVITY_WIDGET_BUNDLE_ID = ai.openclaw.client.activitywidget
 
-OPENCLAW_APP_PROFILE = ai.openclawfoundation.app Development
-OPENCLAW_SHARE_PROFILE = ai.openclawfoundation.app.share Development
-OPENCLAW_ACTIVITY_WIDGET_PROFILE =
-OPENCLAW_WATCH_APP_PROFILE =
-OPENCLAW_WATCH_EXTENSION_PROFILE =
+OPENCLAW_APP_PROFILE = ai.openclaw.client Development
+OPENCLAW_SHARE_PROFILE = ai.openclaw.client.share Development
 
 // Keep local includes after defaults: xcconfig is evaluated top-to-bottom,
 // so later assignments in local files override the defaults above.

apps/ios/Sources/Chat/AppleReviewDemoChatTransport.swift

@@ -14,50 +14,7 @@ enum AppleReviewDemoMode {
     }
 
     static var agents: [AgentSummary] {
-        LocalChatFixture.appleReviewDemo.agents
-    }
-}
-
-enum ScreenshotFixtureMode {
-    static let gatewayName = "OpenClaw Gateway"
-    static let gatewayAddress = "Mac Studio on local network"
-    static let gatewayID = "screenshot-fixture-gateway"
-
-    static var agents: [AgentSummary] {
-        LocalChatFixture.appScreenshots.agents
-    }
-}
-
-struct LocalChatFixture {
-    let sessionKey: String
-    let sessionIDPrefix: String
-    let displayName: String
-    let subject: String
-    let workspace: String
-    let modelProvider: String
-    let modelID: String
-    let modelName: String
-    let responsePrefix: String
-    let seedMessages: [String]
-    let agents: [AgentSummary]
-
-    static let appleReviewDemo = LocalChatFixture(
-        sessionKey: "main",
-        sessionIDPrefix: "apple-review-demo",
-        displayName: "Apple Review Demo",
-        subject: "Gateway review flow",
-        workspace: "Apple Review Demo",
-        modelProvider: "demo",
-        modelID: "local-demo",
-        modelName: "Apple Review Demo",
-        responsePrefix: "Demo mode is active.",
-        seedMessages: [
-            """
-            Apple Review demo mode is active. This local chat transport lets reviewers inspect the iOS app \
-            without a private Gateway.
-            """,
-        ],
-        agents: [
+        [
             AgentSummary(
                 id: "main",
                 name: "Main",
@@ -68,70 +25,12 @@ struct LocalChatFixture {
                 thinkinglevels: nil,
                 thinkingoptions: ["auto", "low", "medium"],
                 thinkingdefault: "auto"),
-        ])
-
-    static let appScreenshots = LocalChatFixture(
-        sessionKey: "main",
-        sessionIDPrefix: "screenshot-fixture",
-        displayName: "Molty",
-        subject: "Mobile command center",
-        workspace: "OpenClaw",
-        modelProvider: "openai",
-        modelID: "gpt-5.5",
-        modelName: "GPT-5.5",
-        responsePrefix: "OpenClaw is connected to your gateway.",
-        seedMessages: [
-            """
-            OpenClaw is connected to your gateway. I can coordinate agents, inspect project context, and prepare \
-            actions from your phone.
-            """,
-            """
-            The Molty agent is ready. Recent context, voice controls, and gateway settings are available \
-            across the app.
-            """,
-        ],
-        agents: [
-            AgentSummary(
-                id: "main",
-                name: "Molty",
-                identity: ["emoji": AnyCodable("M")],
-                workspace: "OpenClaw",
-                model: ["provider": AnyCodable("openai"), "model": AnyCodable("gpt-5.5")],
-                agentruntime: ["kind": AnyCodable("gateway")],
-                thinkinglevels: nil,
-                thinkingoptions: ["auto", "low", "medium", "high"],
-                thinkingdefault: "auto"),
-            AgentSummary(
-                id: "research",
-                name: "Research",
-                identity: ["emoji": AnyCodable("RS")],
-                workspace: "OpenClaw",
-                model: ["provider": AnyCodable("openai"), "model": AnyCodable("gpt-5.5")],
-                agentruntime: ["kind": AnyCodable("gateway")],
-                thinkinglevels: nil,
-                thinkingoptions: ["auto", "low", "medium", "high"],
-                thinkingdefault: "medium"),
-            AgentSummary(
-                id: "automation",
-                name: "Automation",
-                identity: ["emoji": AnyCodable("AU")],
-                workspace: "OpenClaw",
-                model: ["provider": AnyCodable("openai"), "model": AnyCodable("gpt-5.5")],
-                agentruntime: ["kind": AnyCodable("gateway")],
-                thinkinglevels: nil,
-                thinkingoptions: ["auto", "low", "medium", "high"],
-                thinkingdefault: "auto"),
-        ])
+        ]
+    }
 }
 
-struct LocalFixtureChatTransport: OpenClawChatTransport {
-    private let fixture: LocalChatFixture
-    private let store: LocalFixtureChatStore
-
-    init(fixture: LocalChatFixture) {
-        self.fixture = fixture
-        self.store = LocalFixtureChatStore(fixture: fixture)
-    }
+struct AppleReviewDemoChatTransport: OpenClawChatTransport {
+    private let store = AppleReviewDemoChatStore()
 
     func createSession(
         key: String,
@@ -148,9 +47,9 @@ struct LocalFixtureChatTransport: OpenClawChatTransport {
     func listModels() async throws -> [OpenClawChatModelChoice] {
         [
             OpenClawChatModelChoice(
-                modelID: self.fixture.modelID,
-                name: self.fixture.modelName,
-                provider: self.fixture.modelProvider,
+                modelID: "local-demo",
+                name: "Apple Review Demo",
+                provider: "demo",
                 contextWindow: 128_000),
         ]
     }
@@ -202,102 +101,26 @@ struct LocalFixtureChatTransport: OpenClawChatTransport {
     func compactSession(sessionKey _: String) async throws {}
 }
 
-struct AppleReviewDemoChatTransport: OpenClawChatTransport {
-    private let transport = LocalFixtureChatTransport(fixture: .appleReviewDemo)
-
-    func createSession(
-        key: String,
-        label: String?,
-        parentSessionKey: String?) async throws -> OpenClawChatCreateSessionResponse
-    {
-        try await self.transport.createSession(key: key, label: label, parentSessionKey: parentSessionKey)
-    }
-
-    func requestHistory(sessionKey: String) async throws -> OpenClawChatHistoryPayload {
-        try await self.transport.requestHistory(sessionKey: sessionKey)
-    }
-
-    func listModels() async throws -> [OpenClawChatModelChoice] {
-        try await self.transport.listModels()
-    }
-
-    func sendMessage(
-        sessionKey: String,
-        message: String,
-        thinking: String,
-        idempotencyKey: String,
-        attachments: [OpenClawChatAttachmentPayload]) async throws -> OpenClawChatSendResponse
-    {
-        try await self.transport.sendMessage(
-            sessionKey: sessionKey,
-            message: message,
-            thinking: thinking,
-            idempotencyKey: idempotencyKey,
-            attachments: attachments)
-    }
-
-    func abortRun(sessionKey: String, runId: String) async throws {
-        try await self.transport.abortRun(sessionKey: sessionKey, runId: runId)
-    }
-
-    func listSessions(limit: Int?) async throws -> OpenClawChatSessionsListResponse {
-        try await self.transport.listSessions(limit: limit)
-    }
-
-    func setSessionModel(sessionKey: String, model: String?) async throws {
-        try await self.transport.setSessionModel(sessionKey: sessionKey, model: model)
-    }
-
-    func setSessionThinking(sessionKey: String, thinkingLevel: String) async throws {
-        try await self.transport.setSessionThinking(sessionKey: sessionKey, thinkingLevel: thinkingLevel)
-    }
-
-    func requestHealth(timeoutMs: Int) async throws -> Bool {
-        try await self.transport.requestHealth(timeoutMs: timeoutMs)
-    }
-
-    func waitForRunCompletion(runId: String, timeoutMs: Int) async -> Bool {
-        await self.transport.waitForRunCompletion(runId: runId, timeoutMs: timeoutMs)
-    }
-
-    func events() -> AsyncStream<OpenClawChatTransportEvent> {
-        self.transport.events()
-    }
-
-    func setActiveSessionKey(_ sessionKey: String) async throws {
-        try await self.transport.setActiveSessionKey(sessionKey)
-    }
-
-    func resetSession(sessionKey: String) async throws {
-        try await self.transport.resetSession(sessionKey: sessionKey)
-    }
-
-    func compactSession(sessionKey: String) async throws {
-        try await self.transport.compactSession(sessionKey: sessionKey)
-    }
-}
-
-private actor LocalFixtureChatStore {
-    private let fixture: LocalChatFixture
+private actor AppleReviewDemoChatStore {
+    private let sessionKey = "main"
     private var messages: [OpenClawChatMessage]
 
-    init(fixture: LocalChatFixture) {
-        self.fixture = fixture
-        self.messages = Self.seedMessages(fixture: fixture)
+    init() {
+        self.messages = AppleReviewDemoChatStore.seedMessages()
     }
 
     func createSession(key: String) throws -> OpenClawChatCreateSessionResponse {
         try Self.decode(
-            CreateSessionPayload(ok: true, key: key, sessionId: "\(self.fixture.sessionIDPrefix)-\(key)"),
+            CreateSessionPayload(ok: true, key: key, sessionId: "apple-review-demo-\(key)"),
             as: OpenClawChatCreateSessionResponse.self)
     }
 
     func history(sessionKey: String) throws -> OpenClawChatHistoryPayload {
-        let normalizedSessionKey = Self.normalizedSessionKey(sessionKey, fallback: self.fixture.sessionKey)
+        let normalizedSessionKey = Self.normalizedSessionKey(sessionKey)
         return try Self.decode(
             HistoryPayload(
                 sessionKey: normalizedSessionKey,
-                sessionId: "\(self.fixture.sessionIDPrefix)-\(normalizedSessionKey)",
+                sessionId: "apple-review-demo-\(normalizedSessionKey)",
                 messages: self.messages,
                 thinkingLevel: "auto"),
             as: OpenClawChatHistoryPayload.self)
@@ -312,8 +135,9 @@ private actor LocalFixtureChatStore {
             Self.message(
                 role: "assistant",
                 text: """
-                \(self.fixture.responsePrefix) I can help with \(subject), summarize current project context, \
-                prepare agent actions, and keep the mobile workflow connected to the gateway.
+                Demo mode is active. I can show the review flow locally for \(subject), including chat, agent \
+                selection, settings, and Gateway-connected UI states. Live automation requires pairing a real \
+                OpenClaw Gateway.
                 """,
                 timestamp: now + 1))
         return try Self.decode(
@@ -323,15 +147,15 @@ private actor LocalFixtureChatStore {
 
     func sessions() throws -> OpenClawChatSessionsListResponse {
         let entry = OpenClawChatSessionEntry(
-            key: self.fixture.sessionKey,
+            key: self.sessionKey,
             kind: "chat",
-            displayName: self.fixture.displayName,
+            displayName: "Apple Review Demo",
             surface: "ios",
-            subject: self.fixture.subject,
+            subject: "Gateway review flow",
             room: nil,
             space: nil,
             updatedAt: Date().timeIntervalSince1970 * 1000,
-            sessionId: "\(self.fixture.sessionIDPrefix)-\(self.fixture.sessionKey)",
+            sessionId: "apple-review-demo-main",
             systemSent: true,
             abortedLastRun: false,
             thinkingLevel: "auto",
@@ -339,49 +163,50 @@ private actor LocalFixtureChatStore {
             inputTokens: nil,
             outputTokens: nil,
             totalTokens: nil,
-            modelProvider: self.fixture.modelProvider,
-            model: self.fixture.modelID,
+            modelProvider: "demo",
+            model: "local-demo",
             contextTokens: 128_000,
-            thinkingLevels: Self.thinkingLevels,
-            thinkingOptions: Self.thinkingOptions,
+            thinkingLevels: [
+                OpenClawChatThinkingLevelOption(id: "auto", label: "Auto"),
+                OpenClawChatThinkingLevelOption(id: "low", label: "Low"),
+                OpenClawChatThinkingLevelOption(id: "medium", label: "Medium"),
+            ],
+            thinkingOptions: ["auto", "low", "medium"],
             thinkingDefault: "auto")
         return OpenClawChatSessionsListResponse(
             ts: Date().timeIntervalSince1970 * 1000,
             path: nil,
             count: 1,
             defaults: OpenClawChatSessionsDefaults(
-                modelProvider: self.fixture.modelProvider,
-                model: self.fixture.modelID,
+                modelProvider: "demo",
+                model: "local-demo",
                 contextTokens: 128_000,
-                thinkingLevels: Self.thinkingLevels,
-                thinkingOptions: Self.thinkingOptions,
+                thinkingLevels: [
+                    OpenClawChatThinkingLevelOption(id: "auto", label: "Auto"),
+                    OpenClawChatThinkingLevelOption(id: "low", label: "Low"),
+                    OpenClawChatThinkingLevelOption(id: "medium", label: "Medium"),
+                ],
+                thinkingOptions: ["auto", "low", "medium"],
                 thinkingDefault: "auto",
-                mainSessionKey: self.fixture.sessionKey),
+                mainSessionKey: self.sessionKey),
             sessions: [entry])
     }
 
     func reset() {
-        self.messages = Self.seedMessages(fixture: self.fixture)
+        self.messages = Self.seedMessages()
     }
 
-    private static var thinkingOptions: [String] {
-        ["auto", "low", "medium", "high"]
-    }
-
-    private static var thinkingLevels: [OpenClawChatThinkingLevelOption] {
-        [
-            OpenClawChatThinkingLevelOption(id: "auto", label: "Auto"),
-            OpenClawChatThinkingLevelOption(id: "low", label: "Low"),
-            OpenClawChatThinkingLevelOption(id: "medium", label: "Medium"),
-            OpenClawChatThinkingLevelOption(id: "high", label: "High"),
-        ]
-    }
-
-    private static func seedMessages(fixture: LocalChatFixture) -> [OpenClawChatMessage] {
+    private static func seedMessages() -> [OpenClawChatMessage] {
         let now = Date().timeIntervalSince1970 * 1000
-        return fixture.seedMessages.enumerated().map { index, text in
-            self.message(role: "assistant", text: text, timestamp: now + Double(index))
-        }
+        return [
+            self.message(
+                role: "assistant",
+                text: """
+                Apple Review demo mode is active. This local chat transport lets reviewers inspect the iOS app \
+                without a private Gateway.
+                """,
+                timestamp: now),
+        ]
     }
 
     private static func message(role: String, text: String, timestamp: Double) -> OpenClawChatMessage {
@@ -398,9 +223,9 @@ private actor LocalFixtureChatStore {
             timestamp: timestamp)
     }
 
-    private static func normalizedSessionKey(_ value: String, fallback: String) -> String {
+    private static func normalizedSessionKey(_ value: String) -> String {
         let trimmed = value.trimmingCharacters(in: .whitespacesAndNewlines)
-        return trimmed.isEmpty ? fallback : trimmed
+        return trimmed.isEmpty ? "main" : trimmed
     }
 
     private static func decode<T: Decodable>(_ value: some Encodable, as type: T.Type) throws -> T {

apps/ios/Sources/Chat/IOSGatewayChatTransport.swift

@@ -5,7 +5,7 @@ import OpenClawProtocol
 import OSLog
 
 struct IOSGatewayChatTransport: OpenClawChatTransport {
-    static let logger = Logger(subsystem: "ai.openclawfoundation.app", category: "ios.chat.transport")
+    static let logger = Logger(subsystem: "ai.openclaw", category: "ios.chat.transport")
     static let defaultChatSendTimeoutMs = 30000
     private let gateway: GatewayNodeSession
 

apps/ios/Sources/Design/AgentProTab+Overview.swift

@@ -303,7 +303,7 @@ extension AgentProTab {
         }
         .padding(.vertical, 14)
         .padding(.horizontal, 13)
-        .frame(maxWidth: .infinity, minHeight: AgentLayout.rowMinHeight, alignment: .leading)
+        .frame(minHeight: AgentLayout.rowMinHeight, alignment: .center)
         .contentShape(Rectangle())
         .onTapGesture {
             self.appModel.setSelectedAgentId(agent.id)
@@ -557,7 +557,7 @@ extension AgentProTab {
     }
 
     var liveGatewayConnected: Bool {
-        !self.appModel.isLocalGatewayFixtureEnabled &&
+        !self.appModel.isAppleReviewDemoModeEnabled &&
             self.gatewayConnected &&
             self.appModel.isOperatorGatewayConnected
     }

apps/ios/Sources/Design/ChatProTab.swift

@@ -6,7 +6,7 @@ struct ChatProTab: View {
     @Environment(NodeAppModel.self) private var appModel
     @Environment(\.colorScheme) private var colorScheme
     @State private var viewModel: OpenClawChatViewModel?
-    @State private var viewModelTransportModeID = ""
+    @State private var viewModelUsesAppleReviewDemoTransport = false
     let headerLeadingAction: OpenClawSidebarHeaderAction?
     let headerTitle: String?
     let headerSubtitle: String?
@@ -64,7 +64,6 @@ struct ChatProTab: View {
                     }
                 }
                 .frame(maxWidth: .infinity, maxHeight: .infinity, alignment: .top)
-                .safeAreaPadding(.top, 8)
             }
             .frame(maxWidth: .infinity, maxHeight: .infinity, alignment: .top)
             .navigationBarHidden(true)
@@ -79,10 +78,6 @@ struct ChatProTab: View {
             self.syncChatViewModel()
             self.viewModel?.refresh()
         }
-        .onChange(of: self.appModel.isScreenshotFixtureModeEnabled) { _, _ in
-            self.syncChatViewModel()
-            self.viewModel?.refresh()
-        }
         .onChange(of: self.appModel.isOperatorGatewayConnected) { _, connected in
             guard connected else { return }
             self.syncChatViewModel()
@@ -108,6 +103,7 @@ struct ChatProTab: View {
             self.connectionPillButton
         }
         .padding(.horizontal, OpenClawProMetric.pagePadding)
+        .padding(.top, 8)
         .padding(.bottom, 4)
     }
 
@@ -139,12 +135,14 @@ struct ChatProTab: View {
 
     private func syncChatViewModel() {
         let sessionKey = self.appModel.chatSessionKey
-        let transportModeID = self.appModel.chatTransportModeID
+        let usesDemoTransport = self.appModel.isAppleReviewDemoModeEnabled
         guard let viewModel else {
-            self.viewModelTransportModeID = transportModeID
+            self.viewModelUsesAppleReviewDemoTransport = usesDemoTransport
             self.viewModel = OpenClawChatViewModel(
                 sessionKey: sessionKey,
-                transport: self.appModel.makeChatTransport(),
+                transport: usesDemoTransport
+                    ? AppleReviewDemoChatTransport()
+                    : IOSGatewayChatTransport(gateway: self.appModel.operatorSession),
                 onSessionChanged: { sessionKey in
                     self.appModel.focusChatSession(sessionKey)
                 },
@@ -153,11 +151,13 @@ struct ChatProTab: View {
                 })
             return
         }
-        if self.viewModelTransportModeID != transportModeID {
-            self.viewModelTransportModeID = transportModeID
+        if self.viewModelUsesAppleReviewDemoTransport != usesDemoTransport {
+            self.viewModelUsesAppleReviewDemoTransport = usesDemoTransport
             self.viewModel = OpenClawChatViewModel(
                 sessionKey: sessionKey,
-                transport: self.appModel.makeChatTransport(),
+                transport: usesDemoTransport
+                    ? AppleReviewDemoChatTransport()
+                    : IOSGatewayChatTransport(gateway: self.appModel.operatorSession),
                 onSessionChanged: { sessionKey in
                     self.appModel.focusChatSession(sessionKey)
                 },
@@ -226,7 +226,7 @@ struct ChatProTab: View {
         guard self.gatewayDisplayState == .connected else {
             return false
         }
-        return self.appModel.isLocalChatFixtureEnabled || self.appModel.isOperatorGatewayConnected
+        return self.appModel.isAppleReviewDemoModeEnabled || self.appModel.isOperatorGatewayConnected
     }
 
     private var gatewayDisplayState: GatewayDisplayState {

apps/ios/Sources/Design/CommandCenterTab.swift

@@ -370,11 +370,12 @@ struct CommandCenterTab: View {
     }
 
     private var sessionListAvailable: Bool {
-        self.appModel.isLocalChatFixtureEnabled || self.appModel.isOperatorGatewayConnected
+        self.appModel.isAppleReviewDemoModeEnabled || self.appModel.isOperatorGatewayConnected
     }
 
     private var sessionListMode: String {
-        self.appModel.chatTransportModeID
+        if self.appModel.isAppleReviewDemoModeEnabled { return "demo" }
+        return self.appModel.isOperatorGatewayConnected ? "operator" : "offline"
     }
 
     private var sessionItems: [WorkItem] {
@@ -413,7 +414,9 @@ struct CommandCenterTab: View {
         }
 
         do {
-            let transport = self.appModel.makeChatTransport()
+            let transport: any OpenClawChatTransport = self.appModel.isAppleReviewDemoModeEnabled
+                ? AppleReviewDemoChatTransport()
+                : IOSGatewayChatTransport(gateway: self.appModel.operatorSession)
             let response = try await transport.listSessions(limit: Self.recentSessionsFetchLimit)
             self.defaultChatSessionEntry = response.sessions.first {
                 $0.key == self.appModel.defaultChatSessionKey
@@ -762,7 +765,9 @@ struct CommandSessionsScreen: View {
         defer { self.isLoading = false }
 
         do {
-            let transport = self.appModel.makeChatTransport()
+            let transport: any OpenClawChatTransport = self.appModel.isAppleReviewDemoModeEnabled
+                ? AppleReviewDemoChatTransport()
+                : IOSGatewayChatTransport(gateway: self.appModel.operatorSession)
             let response = try await transport.listSessions(limit: CommandCenterTab.recentSessionsFetchLimit)
             self.sessions = response.sessions
         } catch {
@@ -774,10 +779,11 @@ struct CommandSessionsScreen: View {
 
 extension NodeAppModel {
     fileprivate var isCommandSessionListAvailable: Bool {
-        self.isLocalChatFixtureEnabled || self.isOperatorGatewayConnected
+        self.isAppleReviewDemoModeEnabled || self.isOperatorGatewayConnected
     }
 
     fileprivate var commandSessionListMode: String {
-        self.chatTransportModeID
+        if self.isAppleReviewDemoModeEnabled { return "demo" }
+        return self.isOperatorGatewayConnected ? "operator" : "offline"
     }
 }

apps/ios/Sources/Design/IPadActivityScreen.swift

@@ -180,11 +180,12 @@ struct IPadActivityScreen: View {
     }
 
     private var sessionsAvailable: Bool {
-        self.appModel.isLocalChatFixtureEnabled || self.appModel.isOperatorGatewayConnected
+        self.appModel.isAppleReviewDemoModeEnabled || self.appModel.isOperatorGatewayConnected
     }
 
     private var sessionsMode: String {
-        self.appModel.chatTransportModeID
+        if self.appModel.isAppleReviewDemoModeEnabled { return "demo" }
+        return self.appModel.isOperatorGatewayConnected ? "operator" : "offline"
     }
 
     private var sessionRows: [CommandCenterTab.WorkItem] {
@@ -214,7 +215,9 @@ struct IPadActivityScreen: View {
         defer { self.isLoading = false }
 
         do {
-            let transport = self.appModel.makeChatTransport()
+            let transport: any OpenClawChatTransport = self.appModel.isAppleReviewDemoModeEnabled
+                ? AppleReviewDemoChatTransport()
+                : IOSGatewayChatTransport(gateway: self.appModel.operatorSession)
             let response = try await transport.listSessions(limit: CommandCenterTab.recentSessionsFetchLimit)
             self.sessions = response.sessions
         } catch {

apps/ios/Sources/Device/NetworkStatusService.swift

@@ -6,7 +6,7 @@ final class NetworkStatusService: @unchecked Sendable {
     func currentStatus(timeoutMs: Int = 1500) async -> OpenClawNetworkStatusPayload {
         await withCheckedContinuation { cont in
             let monitor = NWPathMonitor()
-            let queue = DispatchQueue(label: "ai.openclawfoundation.app.network-status")
+            let queue = DispatchQueue(label: "ai.openclaw.ios.network-status")
             let state = NetworkStatusState()
 
             monitor.pathUpdateHandler = { path in

apps/ios/Sources/Gateway/GatewayConnectionController.swift

@@ -125,7 +125,6 @@ final class GatewayConnectionController {
     private(set) var pendingTrustPrompt: TrustPrompt?
 
     private let discovery = GatewayDiscoveryModel()
-    private let discoveryEnabled: Bool
     private weak var appModel: NodeAppModel?
     private var didAutoConnect = false
     private var pendingServiceResolvers: [String: GatewayServiceResolver] = [:]
@@ -138,7 +137,6 @@ final class GatewayConnectionController {
     }
 
     init(appModel: NodeAppModel, startDiscovery: Bool = true) {
-        self.discoveryEnabled = startDiscovery
         self.appModel = appModel
 
         GatewaySettingsStore.bootstrapPersistence()
@@ -148,7 +146,7 @@ final class GatewayConnectionController {
         self.updateFromDiscovery()
         self.observeDiscovery()
 
-        if self.discoveryEnabled {
+        if startDiscovery {
             self.discovery.start()
         }
     }
@@ -158,11 +156,6 @@ final class GatewayConnectionController {
     }
 
     func setScenePhase(_ phase: ScenePhase) {
-        guard self.discoveryEnabled else {
-            self.discovery.stop()
-            return
-        }
-
         switch phase {
         case .background:
             self.discovery.stop()
@@ -176,12 +169,6 @@ final class GatewayConnectionController {
     }
 
     func restartDiscovery() {
-        guard self.discoveryEnabled else {
-            self.discovery.stop()
-            self.updateFromDiscovery()
-            return
-        }
-
         self.discovery.stop()
         self.didAutoConnect = false
         self.discovery.start()

apps/ios/Sources/Gateway/GatewayDiscoveryModel.swift

@@ -59,7 +59,7 @@ final class GatewayDiscoveryModel {
             let browser = GatewayDiscoveryBrowserSupport.makeBrowser(
                 serviceType: OpenClawBonjour.gatewayServiceType,
                 domain: domain,
-                queueLabelPrefix: "ai.openclawfoundation.app.gateway-discovery",
+                queueLabelPrefix: "ai.openclaw.ios.gateway-discovery",
                 onState: { [weak self] state in
                     guard let self else { return }
                     self.statesByDomain[domain] = state

apps/ios/Sources/Gateway/GatewaySettingsStore.swift

@@ -2,9 +2,9 @@ import Foundation
 import os
 
 enum GatewaySettingsStore {
-    private static let gatewayService = "ai.openclawfoundation.app.gateway"
-    private static let nodeService = "ai.openclawfoundation.app.node"
-    private static let talkService = "ai.openclawfoundation.app.talk"
+    private static let gatewayService = "ai.openclaw.gateway"
+    private static let nodeService = "ai.openclaw.node"
+    private static let talkService = "ai.openclaw.talk"
 
     private static let instanceIdDefaultsKey = "node.instanceId"
     private static let preferredGatewayStableIDDefaultsKey = "gateway.preferredStableID"
@@ -443,8 +443,8 @@ enum GatewaySettingsStore {
 }
 
 enum GatewayDiagnostics {
-    private static let logger = Logger(subsystem: "ai.openclawfoundation.app", category: "GatewayDiag")
-    private static let queue = DispatchQueue(label: "ai.openclawfoundation.app.gateway.diagnostics")
+    private static let logger = Logger(subsystem: "ai.openclaw.ios", category: "GatewayDiag")
+    private static let queue = DispatchQueue(label: "ai.openclaw.gateway.diagnostics")
     private static let maxLogBytes: Int64 = 512 * 1024
     private static let keepLogBytes: Int64 = 256 * 1024
     private static let logSizeCheckEveryWrites = 50

apps/ios/Sources/Info.plist

@@ -4,7 +4,7 @@
 <dict>
 	<key>BGTaskSchedulerPermittedIdentifiers</key>
 	<array>
-		<string>$(OPENCLAW_APP_BUNDLE_ID).bgrefresh</string>
+		<string>ai.openclaw.ios.bgrefresh</string>
 	</array>
 	<key>CFBundleDevelopmentRegion</key>
 	<string>$(DEVELOPMENT_LANGUAGE)</string>
@@ -28,7 +28,7 @@
 	<array>
 		<dict>
 			<key>CFBundleURLName</key>
-			<string>ai.openclawfoundation.app</string>
+			<string>ai.openclaw.ios</string>
 			<key>CFBundleURLSchemes</key>
 			<array>
 				<string>openclaw</string>

apps/ios/Sources/LiveActivity/LiveActivityManager.swift

@@ -7,7 +7,7 @@ import os
 final class LiveActivityManager {
     static let shared = LiveActivityManager()
 
-    private let logger = Logger(subsystem: "ai.openclawfoundation.app", category: "LiveActivity")
+    private let logger = Logger(subsystem: "ai.openclaw.ios", category: "LiveActivity")
     private let connectingStaleSeconds: TimeInterval = 120
     private let hydrationStaleSeconds: TimeInterval = 300
     private var currentActivity: Activity<OpenClawActivityAttributes>?

apps/ios/Sources/Model/NodeAppModel.swift

@@ -88,14 +88,14 @@ final class NodeAppModel {
         var pendingApprovalIDs: [String]?
     }
 
-    private let deepLinkLogger = Logger(subsystem: "ai.openclawfoundation.app", category: "DeepLink")
-    private let pushWakeLogger = Logger(subsystem: "ai.openclawfoundation.app", category: "PushWake")
-    private let pendingActionLogger = Logger(subsystem: "ai.openclawfoundation.app", category: "PendingAction")
-    private let locationWakeLogger = Logger(subsystem: "ai.openclawfoundation.app", category: "LocationWake")
-    private let watchReplyLogger = Logger(subsystem: "ai.openclawfoundation.app", category: "WatchReply")
-    private let watchExecApprovalLogger = Logger(subsystem: "ai.openclawfoundation.app", category: "WatchExecApproval")
+    private let deepLinkLogger = Logger(subsystem: "ai.openclaw.ios", category: "DeepLink")
+    private let pushWakeLogger = Logger(subsystem: "ai.openclaw.ios", category: "PushWake")
+    private let pendingActionLogger = Logger(subsystem: "ai.openclaw.ios", category: "PendingAction")
+    private let locationWakeLogger = Logger(subsystem: "ai.openclaw.ios", category: "LocationWake")
+    private let watchReplyLogger = Logger(subsystem: "ai.openclaw.ios", category: "WatchReply")
+    private let watchExecApprovalLogger = Logger(subsystem: "ai.openclaw.ios", category: "WatchExecApproval")
     private let execApprovalNotificationLogger = Logger(
-        subsystem: "ai.openclawfoundation.app",
+        subsystem: "ai.openclaw.ios",
         category: "ExecApprovalNotification")
     enum CameraHUDKind {
         case photo
@@ -112,7 +112,6 @@ final class NodeAppModel {
     var nodeStatusText: String = "Offline"
     var operatorStatusText: String = "Offline"
     private(set) var isAppleReviewDemoModeEnabled: Bool = false
-    private(set) var isScreenshotFixtureModeEnabled: Bool = false
     var isOperatorGatewayConnected: Bool {
         self.operatorConnected
     }
@@ -207,36 +206,6 @@ final class NodeAppModel {
         self.operatorGateway
     }
 
-    var localChatFixture: LocalChatFixture? {
-        if self.isScreenshotFixtureModeEnabled { return .appScreenshots }
-        if self.isAppleReviewDemoModeEnabled { return .appleReviewDemo }
-        return nil
-    }
-
-    var isLocalChatFixtureEnabled: Bool {
-        self.localChatFixture != nil
-    }
-
-    var isLocalGatewayFixtureEnabled: Bool {
-        self.isAppleReviewDemoModeEnabled || self.isScreenshotFixtureModeEnabled
-    }
-
-    var chatTransportModeID: String {
-        if self.isScreenshotFixtureModeEnabled { return "screenshots" }
-        if self.isAppleReviewDemoModeEnabled { return "apple-review-demo" }
-        return self.isOperatorGatewayConnected ? "operator" : "offline"
-    }
-
-    func makeChatTransport() -> any OpenClawChatTransport {
-        if self.isScreenshotFixtureModeEnabled {
-            return LocalFixtureChatTransport(fixture: .appScreenshots)
-        }
-        if self.isAppleReviewDemoModeEnabled {
-            return AppleReviewDemoChatTransport()
-        }
-        return IOSGatewayChatTransport(gateway: self.operatorSession)
-    }
-
     private(set) var activeGatewayConnectConfig: GatewayConnectConfig?
 
     private static let watchExecApprovalBridgeStateKey = "watch.execApproval.bridge.state.v1"
@@ -578,7 +547,7 @@ final class NodeAppModel {
             await self.operatorGateway.disconnect()
             await self.nodeGateway.disconnect()
             await MainActor.run {
-                guard !self.isLocalGatewayFixtureEnabled else { return }
+                guard !self.isAppleReviewDemoModeEnabled else { return }
                 self.setOperatorConnected(false)
                 self.gatewayConnected = false
                 self.talkMode.updateGatewayConnected(false)
@@ -945,7 +914,7 @@ final class NodeAppModel {
                 await self.operatorGateway.disconnect()
                 await self.nodeGateway.disconnect()
                 await MainActor.run {
-                    guard !self.isLocalGatewayFixtureEnabled else { return }
+                    guard !self.isAppleReviewDemoModeEnabled else { return }
                     self.setOperatorConnected(false)
                     self.gatewayConnected = false
                     self.gatewayStatusText = "Reconnecting…"
@@ -1994,7 +1963,6 @@ extension NodeAppModel {
     /// Preferred entry-point: apply a single config object and start both sessions.
     func applyGatewayConnectConfig(_ cfg: GatewayConnectConfig, forceReconnect: Bool = false) {
         self.isAppleReviewDemoModeEnabled = false
-        self.isScreenshotFixtureModeEnabled = false
         self.connectToGateway(
             url: cfg.url,
             // Preserve the caller-provided stableID (may be empty) and let connectToGateway
@@ -2029,7 +1997,7 @@ extension NodeAppModel {
 
     private func restartGatewaySessionsAfterForegroundStaleConnection() async {
         await self.resetGatewaySessionsForForcedReconnect()
-        guard !self.isLocalGatewayFixtureEnabled else { return }
+        guard !self.isAppleReviewDemoModeEnabled else { return }
         self.setOperatorConnected(false)
         self.gatewayConnected = false
         self.gatewayStatusText = "Reconnecting…"
@@ -2040,7 +2008,6 @@ extension NodeAppModel {
 
     func disconnectGateway() {
         self.isAppleReviewDemoModeEnabled = false
-        self.isScreenshotFixtureModeEnabled = false
         self.gatewayAutoReconnectEnabled = false
         self.gatewayPairingPaused = false
         self.gatewayPairingRequestId = nil
@@ -2076,7 +2043,6 @@ extension NodeAppModel {
 extension NodeAppModel {
     private func prepareForGatewayConnect(stableID: String) {
         self.isAppleReviewDemoModeEnabled = false
-        self.isScreenshotFixtureModeEnabled = false
         self.gatewayAutoReconnectEnabled = true
         self.gatewayPairingPaused = false
         self.gatewayPairingRequestId = nil
@@ -2119,7 +2085,7 @@ extension NodeAppModel {
     }
 
     private func applyGatewayConnectionProblem(_ problem: GatewayConnectionProblem) {
-        guard !self.isLocalGatewayFixtureEnabled else { return }
+        guard !self.isAppleReviewDemoModeEnabled else { return }
         self.lastGatewayProblem = problem
         self.gatewayStatusText = problem.statusText
         self.gatewayServerName = nil
@@ -2145,7 +2111,7 @@ extension NodeAppModel {
     }
 
     private func applyOperatorGatewayConnectionProblem(_ problem: GatewayConnectionProblem) {
-        guard !self.isLocalGatewayFixtureEnabled else { return }
+        guard !self.isAppleReviewDemoModeEnabled else { return }
         self.operatorGatewayProblem = problem
         self.lastGatewayProblem = problem
         self.gatewayStatusText = problem.statusText
@@ -2378,7 +2344,7 @@ extension NodeAppModel {
                         onConnected: { [weak self] in
                             guard let self else { return }
                             let shouldUseConnection = await MainActor.run {
-                                guard !self.isLocalGatewayFixtureEnabled else { return false }
+                                guard !self.isAppleReviewDemoModeEnabled else { return false }
                                 self.setOperatorConnected(true)
                                 self.clearOperatorGatewayConnectionProblemIfCurrent()
                                 self.forceOperatorTalkPermissionUpgradeRequest = false
@@ -2400,7 +2366,7 @@ extension NodeAppModel {
                         onDisconnected: { [weak self] reason in
                             guard let self else { return }
                             await MainActor.run {
-                                guard !self.isLocalGatewayFixtureEnabled else { return }
+                                guard !self.isAppleReviewDemoModeEnabled else { return }
                                 self.setOperatorConnected(false)
                                 self.talkMode.updateGatewayConnected(false)
                                 LiveActivityManager.shared.endActivity(reason: "operator_disconnected")
@@ -2425,7 +2391,7 @@ extension NodeAppModel {
                     GatewayDiagnostics.log("operator gateway connect error: \(error.localizedDescription)")
                     let problem: GatewayConnectionProblem? = await MainActor.run {
                         let nextProblem = GatewayConnectionProblemMapper.map(error: error)
-                        guard !self.isLocalGatewayFixtureEnabled else { return nil }
+                        guard !self.isAppleReviewDemoModeEnabled else { return nil }
                         if let nextProblem {
                             if nextProblem.needsPairingApproval || nextProblem.pauseReconnect {
                                 self.applyOperatorGatewayConnectionProblem(nextProblem)
@@ -2491,7 +2457,7 @@ extension NodeAppModel {
                     continue
                 }
                 await MainActor.run {
-                    guard !self.isLocalGatewayFixtureEnabled else { return }
+                    guard !self.isAppleReviewDemoModeEnabled else { return }
                     self.gatewayStatusText = (attempt == 0) ? "Connecting…" : "Reconnecting…"
                     self.gatewayServerName = nil
                     self.gatewayRemoteAddress = nil
@@ -2519,7 +2485,7 @@ extension NodeAppModel {
                         onConnected: { [weak self] in
                             guard let self else { return }
                             let shouldUseConnection = await MainActor.run {
-                                guard !self.isLocalGatewayFixtureEnabled else { return false }
+                                guard !self.isAppleReviewDemoModeEnabled else { return false }
                                 self.clearGatewayConnectionProblem()
                                 self.gatewayStatusText = "Connected"
                                 self.gatewayServerName = url.host ?? "gateway"
@@ -2578,7 +2544,7 @@ extension NodeAppModel {
                         onDisconnected: { [weak self] reason in
                             guard let self else { return }
                             await MainActor.run {
-                                guard !self.isLocalGatewayFixtureEnabled else { return }
+                                guard !self.isAppleReviewDemoModeEnabled else { return }
                                 if self.shouldKeepGatewayProblemStatus(forDisconnectReason: reason),
                                    let lastGatewayProblem = self.lastGatewayProblem
                                 {
@@ -2628,7 +2594,7 @@ extension NodeAppModel {
                         let nextProblem = GatewayConnectionProblemMapper.map(
                             error: error,
                             preserving: self.lastGatewayProblem)
-                        guard !self.isLocalGatewayFixtureEnabled else { return nil }
+                        guard !self.isAppleReviewDemoModeEnabled else { return nil }
                         if let nextProblem {
                             self.applyGatewayConnectionProblem(nextProblem)
                         } else {
@@ -2669,7 +2635,7 @@ extension NodeAppModel {
             }
 
             await MainActor.run {
-                guard !self.isLocalGatewayFixtureEnabled else { return }
+                guard !self.isAppleReviewDemoModeEnabled else { return }
                 self.lastGatewayProblem = nil
                 self.gatewayStatusText = "Offline"
                 LiveActivityManager.shared.endActivity(reason: "gateway_loop_stopped")
@@ -2819,7 +2785,6 @@ extension NodeAppModel {
 extension NodeAppModel {
     func enterAppleReviewDemoMode() {
         self.isAppleReviewDemoModeEnabled = true
-        self.isScreenshotFixtureModeEnabled = false
         self.gatewayAutoReconnectEnabled = false
         self.gatewayPairingPaused = false
         self.gatewayPairingRequestId = nil
@@ -2860,47 +2825,6 @@ extension NodeAppModel {
         self.talkMode.updateMainSessionKey(self.mainSessionKey)
         self.homeCanvasRevision &+= 1
     }
-
-    func enterScreenshotFixtureMode() {
-        self.isAppleReviewDemoModeEnabled = false
-        self.isScreenshotFixtureModeEnabled = true
-        self.gatewayAutoReconnectEnabled = false
-        self.gatewayPairingPaused = false
-        self.gatewayPairingRequestId = nil
-        self.lastGatewayProblem = nil
-        self.operatorGatewayProblem = nil
-        self.nodeGatewayTask?.cancel()
-        self.nodeGatewayTask = nil
-        self.operatorGatewayTask?.cancel()
-        self.operatorGatewayTask = nil
-        self.voiceWakeSyncTask?.cancel()
-        self.voiceWakeSyncTask = nil
-        self.gatewayHealthMonitor.stop()
-        LiveActivityManager.shared.endActivity(reason: "screenshot_fixture")
-
-        Task {
-            await self.operatorGateway.disconnect()
-            await self.nodeGateway.disconnect()
-        }
-
-        self.gatewayStatusText = "Connected"
-        self.nodeStatusText = "Connected"
-        self.gatewayServerName = ScreenshotFixtureMode.gatewayName
-        self.gatewayRemoteAddress = ScreenshotFixtureMode.gatewayAddress
-        self.connectedGatewayID = ScreenshotFixtureMode.gatewayID
-        self.activeGatewayConnectConfig = nil
-        self.gatewayConnected = true
-        self.setOperatorConnected(true)
-        self.hasOperatorAdminScope = true
-        self.mainSessionBaseKey = "main"
-        self.selectedAgentId = nil
-        self.gatewayDefaultAgentId = "main"
-        self.gatewayAgents = ScreenshotFixtureMode.agents
-        self.focusedChatSessionKey = nil
-        self.talkMode.updateMainSessionKey(self.mainSessionKey)
-        self.talkMode.enterScreenshotFixtureMode()
-        self.homeCanvasRevision &+= 1
-    }
 }
 
 extension NodeAppModel {

apps/ios/Sources/OpenClaw.entitlements

@@ -3,6 +3,7 @@
 <plist version="1.0">
 <dict>
 	<key>aps-environment</key>
-	<string>$(OPENCLAW_APNS_ENTITLEMENT_ENVIRONMENT)</string>
+	<string>development</string>
 </dict>
 </plist>
+

apps/ios/Sources/OpenClawApp.swift

@@ -22,22 +22,9 @@ enum OpenClawAppModelRegistry {
 
 @MainActor
 final class OpenClawAppDelegate: NSObject, UIApplicationDelegate, @preconcurrency UNUserNotificationCenterDelegate {
-    private let logger = Logger(subsystem: "ai.openclawfoundation.app", category: "Push")
-    private let backgroundWakeLogger = Logger(subsystem: "ai.openclawfoundation.app", category: "BackgroundWake")
-    private static var wakeRefreshTaskIdentifier: String {
-        "\(appBundleIdentifier).bgrefresh"
-    }
-
-    private static var appBundleIdentifier: String {
-        guard let bundleId = Bundle.main.bundleIdentifier?.trimmingCharacters(in: .whitespacesAndNewlines),
-              !bundleId.isEmpty
-        else {
-            return "ai.openclawfoundation.app"
-        }
-
-        return bundleId
-    }
-
+    private let logger = Logger(subsystem: "ai.openclaw.ios", category: "Push")
+    private let backgroundWakeLogger = Logger(subsystem: "ai.openclaw.ios", category: "BackgroundWake")
+    private static let wakeRefreshTaskIdentifier = "ai.openclaw.ios.bgrefresh"
     private var backgroundWakeTask: Task<Bool, Never>?
     private var pendingAPNsDeviceToken: Data?
     private var pendingWatchPromptActions: [PendingWatchPromptAction] = []
@@ -105,10 +92,6 @@ final class OpenClawAppDelegate: NSObject, UIApplicationDelegate, @preconcurrenc
     func _test_resolvedAppModel() -> NodeAppModel? {
         self.resolvedAppModel()
     }
-
-    func _test_wakeRefreshTaskIdentifier() -> String {
-        Self.wakeRefreshTaskIdentifier
-    }
     #endif
 
     func application(
@@ -628,21 +611,9 @@ struct OpenClawApp: App {
         Self.installUncaughtExceptionLogger()
         GatewaySettingsStore.bootstrapPersistence()
         let appModel = NodeAppModel()
-        #if DEBUG
-        if Self.screenshotModeEnabled {
-            UIView.setAnimationsEnabled(false)
-            UserDefaults.standard.set(true, forKey: "gateway.onboardingComplete")
-            UserDefaults.standard.set(true, forKey: "gateway.hasConnectedOnce")
-            UserDefaults.standard.set(true, forKey: "onboarding.quickSetupDismissed")
-            appModel.enterScreenshotFixtureMode()
-        }
-        #endif
         OpenClawAppModelRegistry.appModel = appModel
         _appModel = State(initialValue: appModel)
-        _gatewayController = State(
-            initialValue: GatewayConnectionController(
-                appModel: appModel,
-                startDiscovery: !Self.screenshotModeEnabled))
+        _gatewayController = State(initialValue: GatewayConnectionController(appModel: appModel))
     }
 
     var body: some Scene {
@@ -678,14 +649,6 @@ struct OpenClawApp: App {
             ?? .system
     }
 
-    private static var screenshotModeEnabled: Bool {
-        #if DEBUG
-        ProcessInfo.processInfo.arguments.contains("--openclaw-screenshot-mode")
-        #else
-        false
-        #endif
-    }
-
     @MainActor
     private func applyAppearancePreference() {
         let style = self.appearancePreference.userInterfaceStyle

apps/ios/Sources/Push/PushRelayKeychainStore.swift

@@ -13,7 +13,7 @@ private struct StoredPushRelayRegistrationState: Codable {
 }
 
 enum PushRelayRegistrationStore {
-    private static let service = "ai.openclawfoundation.app.pushrelay"
+    private static let service = "ai.openclaw.pushrelay"
     private static let registrationStateAccount = "registration-state"
     private static let appAttestKeyIDAccount = "app-attest-key-id"
     private static let appAttestedKeyIDAccount = "app-attested-key-id"

apps/ios/Sources/Screen/ScreenRecordService.swift

@@ -56,7 +56,7 @@ final class ScreenRecordService: @unchecked Sendable {
             outPath: outPath)
 
         let state = CaptureState()
-        let recordQueue = DispatchQueue(label: "ai.openclawfoundation.app.screenrecord")
+        let recordQueue = DispatchQueue(label: "ai.openclaw.screenrecord")
 
         try await self.startCapture(state: state, config: config, recordQueue: recordQueue)
         try await Task.sleep(nanoseconds: UInt64(config.durationMs) * 1_000_000)

apps/ios/Sources/Services/WatchConnectivityTransport.swift

@@ -26,7 +26,7 @@ private func sendReachableWatchMessage(_ payload: [String: Any], with session: W
 }
 
 final class WatchConnectivityTransport: NSObject, @unchecked Sendable {
-    private nonisolated static let logger = Logger(subsystem: "ai.openclawfoundation.app", category: "watch.messaging")
+    private nonisolated static let logger = Logger(subsystem: "ai.openclaw", category: "watch.messaging")
 
     private let session: WCSession?
     private let callbacksLock = NSLock()

apps/ios/Sources/Settings/PrivacyAccessSectionView.swift

@@ -121,18 +121,13 @@ struct PrivacyAccessSectionView: View {
         switch self.contactsStatus {
         case .notDetermined:
             Task {
-                let granted = await PermissionRequestBridge.awaitRequest { completion in
+                _ = await PermissionRequestBridge.awaitRequest { completion in
                     let store = CNContactStore()
                     store.requestAccess(for: .contacts) { granted, _ in
                         completion(granted)
                     }
                 }
-                await MainActor.run {
-                    self.refreshAll()
-                    if granted {
-                        self.contactsStatus = .authorized
-                    }
-                }
+                await MainActor.run { self.refreshAll() }
             }
         case .denied, .restricted:
             self.openSettings()
@@ -169,13 +164,8 @@ struct PrivacyAccessSectionView: View {
         switch self.calendarStatus {
         case .notDetermined:
             Task {
-                let granted = await self.requestCalendarWriteOnly()
-                await MainActor.run {
-                    self.refreshAll()
-                    if granted {
-                        self.calendarStatus = .writeOnly
-                    }
-                }
+                _ = await self.requestCalendarWriteOnly()
+                await MainActor.run { self.refreshAll() }
             }
         case .denied, .restricted:
             self.openSettings()
@@ -216,13 +206,8 @@ struct PrivacyAccessSectionView: View {
         switch self.calendarStatus {
         case .notDetermined, .writeOnly:
             Task {
-                let granted = await self.requestCalendarFull()
-                await MainActor.run {
-                    self.refreshAll()
-                    if granted {
-                        self.calendarStatus = .fullAccess
-                    }
-                }
+                _ = await self.requestCalendarFull()
+                await MainActor.run { self.refreshAll() }
             }
         case .denied, .restricted:
             self.openSettings()
@@ -263,13 +248,8 @@ struct PrivacyAccessSectionView: View {
         switch self.remindersStatus {
         case .notDetermined, .writeOnly:
             Task {
-                let granted = await self.requestRemindersFull()
-                await MainActor.run {
-                    self.refreshAll()
-                    if granted {
-                        self.remindersStatus = .fullAccess
-                    }
-                }
+                _ = await self.requestRemindersFull()
+                await MainActor.run { self.refreshAll() }
             }
         case .denied, .restricted:
             self.openSettings()

apps/ios/Sources/Voice/RealtimeTalkRelaySession.swift

@@ -121,7 +121,7 @@ final class RealtimeTalkRelaySession {
     private let gateway: GatewayNodeSession
     private let options: Options
     private let pcmPlayer: PCMStreamingAudioPlaying
-    private let logger = Logger(subsystem: "ai.openclawfoundation.app", category: "RealtimeTalkRelay")
+    private let logger = Logger(subsystem: "ai.openclaw", category: "RealtimeTalkRelay")
     private let onStatus: (String) -> Void
     private let onIssue: (TalkRuntimeIssue) -> Void
     private let onSpeakingChanged: (Bool) -> Void

apps/ios/Sources/Voice/TalkModeManager.swift

@@ -170,7 +170,7 @@ final class TalkModeManager: NSObject {
     private var incrementalSpeechPrefetch: IncrementalSpeechPrefetchState?
     private var incrementalSpeechPrefetchMonitorTask: Task<Void, Never>?
 
-    private let logger = Logger(subsystem: "ai.openclawfoundation.app", category: "TalkMode")
+    private let logger = Logger(subsystem: "ai.openclaw", category: "TalkMode")
 
     private static func nowSeconds() -> TimeInterval {
         ProcessInfo.processInfo.systemUptime
@@ -220,34 +220,6 @@ final class TalkModeManager: NSObject {
         }
     }
 
-    func enterScreenshotFixtureMode() {
-        self.updateGatewayConnected(true)
-        self.isEnabled = false
-        self.isListening = false
-        self.isSpeaking = false
-        self.isUserSpeechDetected = false
-        self.statusText = "Ready"
-        self.gatewayTalkConfigLoaded = true
-        self.gatewayTalkApiKeyConfigured = true
-        self.gatewayTalkDefaultModelId = "gpt-realtime-2"
-        self.gatewayTalkDefaultVoiceId = "marin"
-        self.gatewayTalkProviderLabel = "OpenAI"
-        self.gatewayTalkTransportLabel = "Gateway Relay"
-        self.gatewayTalkUsesRealtime = true
-        self.gatewayTalkUsesRealtimeRelay = true
-        self.gatewayTalkRealtimeProviderLabel = "OpenAI"
-        self.gatewayTalkRealtimeModelId = "gpt-realtime-2"
-        self.gatewayTalkRealtimeVoiceId = "marin"
-        self.gatewayTalkVoiceModeTitle = "Realtime Voice"
-        self.gatewayTalkVoiceModeSubtitle = "Gateway relay ready"
-        self.gatewayTalkVoiceModeAccessibilityValue = "Realtime Voice, Gateway relay ready"
-        self.gatewayTalkActiveModeTitle = "Ready"
-        self.gatewayTalkActiveModeSubtitle = "Listening starts from this phone"
-        self.gatewayTalkLastIssueText = nil
-        self.gatewayTalkCurrentFallbackIssue = nil
-        self.gatewayTalkPermissionState = .ready
-    }
-
     func setEnabled(_ enabled: Bool) {
         self.isEnabled = enabled
         if enabled {

apps/ios/Sources/Voice/TalkRealtimeWebRTCSession.swift

@@ -17,7 +17,7 @@ protocol TalkRealtimeWebRTCSessionDelegate: AnyObject {
 
 @MainActor
 final class TalkRealtimeWebRTCSession: NSObject {
-    private static let logger = Logger(subsystem: "ai.openclawfoundation.app", category: "TalkRealtimeWebRTC")
+    private static let logger = Logger(subsystem: "ai.openclaw", category: "TalkRealtimeWebRTC")
     private static let consultToolName = "openclaw_agent_consult"
     private static let controlToolName = "openclaw_agent_control"
     private static let defaultOfferURL = "https://api.openai.com/v1/realtime/calls"

apps/ios/Tests/GatewayConnectionControllerTests.swift

@@ -371,18 +371,15 @@ import UIKit
     }
 
     @Test @MainActor func loadLastConnectionReadsSavedValues() {
-        let prior = KeychainStore.loadString(service: "ai.openclawfoundation.app.gateway", account: "lastConnection")
+        let prior = KeychainStore.loadString(service: "ai.openclaw.gateway", account: "lastConnection")
         defer {
             if let prior {
-                _ = KeychainStore.saveString(
-                    prior,
-                    service: "ai.openclawfoundation.app.gateway",
-                    account: "lastConnection")
+                _ = KeychainStore.saveString(prior, service: "ai.openclaw.gateway", account: "lastConnection")
             } else {
-                _ = KeychainStore.delete(service: "ai.openclawfoundation.app.gateway", account: "lastConnection")
+                _ = KeychainStore.delete(service: "ai.openclaw.gateway", account: "lastConnection")
             }
         }
-        _ = KeychainStore.delete(service: "ai.openclawfoundation.app.gateway", account: "lastConnection")
+        _ = KeychainStore.delete(service: "ai.openclaw.gateway", account: "lastConnection")
 
         GatewaySettingsStore.saveLastGatewayConnectionManual(
             host: "gateway.example.com",
@@ -398,18 +395,15 @@ import UIKit
     }
 
     @Test @MainActor func loadLastConnectionReturnsNilForInvalidData() {
-        let prior = KeychainStore.loadString(service: "ai.openclawfoundation.app.gateway", account: "lastConnection")
+        let prior = KeychainStore.loadString(service: "ai.openclaw.gateway", account: "lastConnection")
         defer {
             if let prior {
-                _ = KeychainStore.saveString(
-                    prior,
-                    service: "ai.openclawfoundation.app.gateway",
-                    account: "lastConnection")
+                _ = KeychainStore.saveString(prior, service: "ai.openclaw.gateway", account: "lastConnection")
             } else {
-                _ = KeychainStore.delete(service: "ai.openclawfoundation.app.gateway", account: "lastConnection")
+                _ = KeychainStore.delete(service: "ai.openclaw.gateway", account: "lastConnection")
             }
         }
-        _ = KeychainStore.delete(service: "ai.openclawfoundation.app.gateway", account: "lastConnection")
+        _ = KeychainStore.delete(service: "ai.openclaw.gateway", account: "lastConnection")
 
         // Plant legacy UserDefaults with invalid host/port to exercise migration + validation.
         withUserDefaults([

apps/ios/Tests/GatewaySettingsStoreTests.swift

@@ -7,8 +7,8 @@ private struct KeychainEntry: Hashable {
     let account: String
 }
 
-private let gatewayService = "ai.openclawfoundation.app.gateway"
-private let nodeService = "ai.openclawfoundation.app.node"
+private let gatewayService = "ai.openclaw.gateway"
+private let nodeService = "ai.openclaw.node"
 private let instanceIdEntry = KeychainEntry(service: nodeService, account: "instanceId")
 private let preferredGatewayEntry = KeychainEntry(service: gatewayService, account: "preferredStableID")
 private let lastGatewayEntry = KeychainEntry(service: gatewayService, account: "lastDiscoveredStableID")

apps/ios/Tests/KeychainStoreTests.swift

@@ -4,7 +4,7 @@ import Testing
 
 @Suite struct KeychainStoreTests {
     @Test func saveLoadUpdateDeleteRoundTrip() {
-        let service = "ai.openclawfoundation.app.tests.\(UUID().uuidString)"
+        let service = "ai.openclaw.tests.\(UUID().uuidString)"
         let account = "value"
 
         #expect(KeychainStore.delete(service: service, account: account))

apps/ios/Tests/OpenClawAppDelegateTests.swift

@@ -1,9 +1,8 @@
-import Foundation
 import Testing
 @testable import OpenClaw
 
 @Suite(.serialized) struct OpenClawAppDelegateTests {
-    @Test @MainActor func `resolves registry model before view task assigns delegate model`() {
+    @Test @MainActor func resolvesRegistryModelBeforeViewTaskAssignsDelegateModel() {
         let registryModel = NodeAppModel()
         OpenClawAppModelRegistry.appModel = registryModel
         defer { OpenClawAppModelRegistry.appModel = nil }
@@ -13,7 +12,7 @@ import Testing
         #expect(delegate._test_resolvedAppModel() === registryModel)
     }
 
-    @Test @MainActor func `prefers explicit delegate model over registry fallback`() {
+    @Test @MainActor func prefersExplicitDelegateModelOverRegistryFallback() {
         let registryModel = NodeAppModel()
         let explicitModel = NodeAppModel()
         OpenClawAppModelRegistry.appModel = registryModel
@@ -24,11 +23,4 @@ import Testing
 
         #expect(delegate._test_resolvedAppModel() === explicitModel)
     }
-
-    @Test @MainActor func `derives background refresh task identifier from app bundle identifier`() {
-        let delegate = OpenClawAppDelegate()
-        let bundleIdentifier = Bundle.main.bundleIdentifier ?? "ai.openclawfoundation.app.tests"
-
-        #expect(delegate._test_wakeRefreshTaskIdentifier() == "\(bundleIdentifier).bgrefresh")
-    }
 }

apps/ios/UITests/Info.plist

@@ -1,24 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-	<key>CFBundleDevelopmentRegion</key>
-	<string>$(DEVELOPMENT_LANGUAGE)</string>
-	<key>CFBundleDisplayName</key>
-	<string>OpenClawUITests</string>
-	<key>CFBundleExecutable</key>
-	<string>$(EXECUTABLE_NAME)</string>
-	<key>CFBundleIdentifier</key>
-	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
-	<key>CFBundleInfoDictionaryVersion</key>
-	<string>6.0</string>
-	<key>CFBundleName</key>
-	<string>$(PRODUCT_NAME)</string>
-	<key>CFBundlePackageType</key>
-	<string>BNDL</string>
-	<key>CFBundleShortVersionString</key>
-	<string>$(OPENCLAW_MARKETING_VERSION)</string>
-	<key>CFBundleVersion</key>
-	<string>$(OPENCLAW_BUILD_VERSION)</string>
-</dict>
-</plist>

apps/ios/UITests/OpenClawSnapshotUITests.swift

@@ -1,58 +0,0 @@
-import XCTest
-
-@MainActor
-final class OpenClawSnapshotUITests: XCTestCase {
-    private struct ScreenshotTarget {
-        let initialTab: String
-        let initialDestination: String
-        let name: String
-    }
-
-    private static let screenshotTargets = [
-        ScreenshotTarget(initialTab: "control", initialDestination: "overview", name: "01-control-connected"),
-        ScreenshotTarget(initialTab: "chat", initialDestination: "chat", name: "02-chat-connected"),
-        ScreenshotTarget(initialTab: "talk", initialDestination: "talk", name: "03-talk-connected"),
-        ScreenshotTarget(initialTab: "agent", initialDestination: "agents", name: "04-agent-connected"),
-        ScreenshotTarget(initialTab: "settings", initialDestination: "settings", name: "05-settings-connected"),
-    ]
-
-    private var app: XCUIApplication?
-
-    override func setUpWithError() throws {
-        try super.setUpWithError()
-        self.continueAfterFailure = false
-    }
-
-    override func tearDownWithError() throws {
-        self.app?.terminate()
-        self.app = nil
-        try super.tearDownWithError()
-    }
-
-    func testConnectedGatewayTabs() {
-        for target in Self.screenshotTargets {
-            self.launchApp(for: target)
-            snapshot(target.name, timeWaitingForIdle: 5)
-        }
-    }
-
-    private func launchApp(for target: ScreenshotTarget) {
-        self.app?.terminate()
-
-        let app = XCUIApplication()
-        setupSnapshot(app, waitForAnimations: false)
-        app.launchArguments += [
-            "--openclaw-screenshot-mode",
-            "--openclaw-initial-tab",
-            target.initialTab,
-            "--openclaw-initial-destination",
-            target.initialDestination,
-            "--openclaw-sidebar-visibility",
-            "hidden",
-        ]
-        app.launch()
-        self.app = app
-
-        XCTAssertTrue(app.wait(for: .runningForeground, timeout: 8))
-    }
-}

apps/ios/UITests/SnapshotHelper.swift

@@ -1,309 +0,0 @@
-//
-//  SnapshotHelper.swift
-//  Example
-//
-//  Created by Felix Krause on 10/8/15.
-//
-
-// -----------------------------------------------------
-// IMPORTANT: When modifying this file, make sure to
-//            increment the version number at the very
-//            bottom of the file to notify users about
-//            the new SnapshotHelper.swift
-// -----------------------------------------------------
-
-import Foundation
-import XCTest
-
-var deviceLanguage = ""
-var locale = ""
-
-func setupSnapshot(_ app: XCUIApplication, waitForAnimations: Bool = true) {
-    Snapshot.setupSnapshot(app, waitForAnimations: waitForAnimations)
-}
-
-func snapshot(_ name: String, waitForLoadingIndicator: Bool) {
-    if waitForLoadingIndicator {
-        Snapshot.snapshot(name)
-    } else {
-        Snapshot.snapshot(name, timeWaitingForIdle: 0)
-    }
-}
-
-/// - Parameters:
-///   - name: The name of the snapshot
-///   - timeout: Amount of seconds to wait until the network loading indicator disappears. Pass `0` if you don't want to wait.
-func snapshot(_ name: String, timeWaitingForIdle timeout: TimeInterval = 20) {
-    Snapshot.snapshot(name, timeWaitingForIdle: timeout)
-}
-
-enum SnapshotError: Error, CustomDebugStringConvertible {
-    case cannotFindSimulatorHomeDirectory
-    case cannotRunOnPhysicalDevice
-
-    var debugDescription: String {
-        switch self {
-        case .cannotFindSimulatorHomeDirectory:
-            return "Couldn't find simulator home location. Please, check SIMULATOR_HOST_HOME env variable."
-        case .cannotRunOnPhysicalDevice:
-            return "Can't use Snapshot on a physical device."
-        }
-    }
-}
-
-@objcMembers
-open class Snapshot: NSObject {
-    static var app: XCUIApplication?
-    static var waitForAnimations = true
-    static var cacheDirectory: URL?
-    static var screenshotsDirectory: URL? {
-        return cacheDirectory?.appendingPathComponent("screenshots", isDirectory: true)
-    }
-
-    open class func setupSnapshot(_ app: XCUIApplication, waitForAnimations: Bool = true) {
-
-        Snapshot.app = app
-        Snapshot.waitForAnimations = waitForAnimations
-
-        do {
-            let cacheDir = try getCacheDirectory()
-            Snapshot.cacheDirectory = cacheDir
-            setLanguage(app)
-            setLocale(app)
-            setLaunchArguments(app)
-        } catch let error {
-            NSLog(error.localizedDescription)
-        }
-    }
-
-    class func setLanguage(_ app: XCUIApplication) {
-        guard let cacheDirectory = self.cacheDirectory else {
-            NSLog("CacheDirectory is not set - probably running on a physical device?")
-            return
-        }
-
-        let path = cacheDirectory.appendingPathComponent("language.txt")
-
-        do {
-            let trimCharacterSet = CharacterSet.whitespacesAndNewlines
-            deviceLanguage = try String(contentsOf: path, encoding: .utf8).trimmingCharacters(in: trimCharacterSet)
-            app.launchArguments += ["-AppleLanguages", "(\(deviceLanguage))"]
-        } catch {
-            NSLog("Couldn't detect/set language...")
-        }
-    }
-
-    class func setLocale(_ app: XCUIApplication) {
-        guard let cacheDirectory = self.cacheDirectory else {
-            NSLog("CacheDirectory is not set - probably running on a physical device?")
-            return
-        }
-
-        let path = cacheDirectory.appendingPathComponent("locale.txt")
-
-        do {
-            let trimCharacterSet = CharacterSet.whitespacesAndNewlines
-            locale = try String(contentsOf: path, encoding: .utf8).trimmingCharacters(in: trimCharacterSet)
-        } catch {
-            NSLog("Couldn't detect/set locale...")
-        }
-
-        if locale.isEmpty && !deviceLanguage.isEmpty {
-            locale = Locale(identifier: deviceLanguage).identifier
-        }
-
-        if !locale.isEmpty {
-            app.launchArguments += ["-AppleLocale", "\"\(locale)\""]
-        }
-    }
-
-    class func setLaunchArguments(_ app: XCUIApplication) {
-        guard let cacheDirectory = self.cacheDirectory else {
-            NSLog("CacheDirectory is not set - probably running on a physical device?")
-            return
-        }
-
-        let path = cacheDirectory.appendingPathComponent("snapshot-launch_arguments.txt")
-        app.launchArguments += ["-FASTLANE_SNAPSHOT", "YES", "-ui_testing"]
-
-        do {
-            let launchArguments = try String(contentsOf: path, encoding: String.Encoding.utf8)
-            let regex = try NSRegularExpression(pattern: "(\\\".+?\\\"|\\S+)", options: [])
-            let matches = regex.matches(in: launchArguments, options: [], range: NSRange(location: 0, length: launchArguments.count))
-            let results = matches.map { result -> String in
-                (launchArguments as NSString).substring(with: result.range)
-            }
-            app.launchArguments += results
-        } catch {
-            NSLog("Couldn't detect/set launch_arguments...")
-        }
-    }
-
-    open class func snapshot(_ name: String, timeWaitingForIdle timeout: TimeInterval = 20) {
-        if timeout > 0 {
-            waitForLoadingIndicatorToDisappear(within: timeout)
-        }
-
-        NSLog("snapshot: \(name)") // more information about this, check out https://docs.fastlane.tools/actions/snapshot/#how-does-it-work
-
-        if Snapshot.waitForAnimations {
-            sleep(1) // Waiting for the animation to be finished (kind of)
-        }
-
-        #if os(OSX)
-            guard let app = self.app else {
-                NSLog("XCUIApplication is not set. Please call setupSnapshot(app) before snapshot().")
-                return
-            }
-
-            app.typeKey(XCUIKeyboardKeySecondaryFn, modifierFlags: [])
-        #else
-
-            guard self.app != nil else {
-                NSLog("XCUIApplication is not set. Please call setupSnapshot(app) before snapshot().")
-                return
-            }
-
-            let screenshot = XCUIScreen.main.screenshot()
-            #if os(iOS)
-            let image = XCUIDevice.shared.orientation.isLandscape ?  fixLandscapeOrientation(image: screenshot.image) : screenshot.image
-            #else
-            let image = screenshot.image
-            #endif
-
-            guard var simulator = ProcessInfo().environment["SIMULATOR_DEVICE_NAME"], let screenshotsDir = screenshotsDirectory else { return }
-
-            do {
-                // The simulator name contains "Clone X of " inside the screenshot file when running parallelized UI Tests on concurrent devices
-                let regex = try NSRegularExpression(pattern: "Clone [0-9]+ of ")
-                let range = NSRange(location: 0, length: simulator.count)
-                simulator = regex.stringByReplacingMatches(in: simulator, range: range, withTemplate: "")
-
-                let path = screenshotsDir.appendingPathComponent("\(simulator)-\(name).png")
-                #if swift(<5.0)
-                    UIImagePNGRepresentation(image)?.write(to: path, options: .atomic)
-                #else
-                    try image.pngData()?.write(to: path, options: .atomic)
-                #endif
-            } catch let error {
-                NSLog("Problem writing screenshot: \(name) to \(screenshotsDir)/\(simulator)-\(name).png")
-                NSLog(error.localizedDescription)
-            }
-        #endif
-    }
-
-    class func fixLandscapeOrientation(image: UIImage) -> UIImage {
-        #if os(watchOS)
-            return image
-        #else
-            if #available(iOS 10.0, *) {
-                let format = UIGraphicsImageRendererFormat()
-                format.scale = image.scale
-                let renderer = UIGraphicsImageRenderer(size: image.size, format: format)
-                return renderer.image { context in
-                    image.draw(in: CGRect(x: 0, y: 0, width: image.size.width, height: image.size.height))
-                }
-            } else {
-                return image
-            }
-        #endif
-    }
-
-    class func waitForLoadingIndicatorToDisappear(within timeout: TimeInterval) {
-        #if os(tvOS)
-            return
-        #endif
-
-        guard let app = self.app else {
-            NSLog("XCUIApplication is not set. Please call setupSnapshot(app) before snapshot().")
-            return
-        }
-
-        let networkLoadingIndicator = app.otherElements.deviceStatusBars.networkLoadingIndicators.element
-        let networkLoadingIndicatorDisappeared = XCTNSPredicateExpectation(predicate: NSPredicate(format: "exists == false"), object: networkLoadingIndicator)
-        _ = XCTWaiter.wait(for: [networkLoadingIndicatorDisappeared], timeout: timeout)
-    }
-
-    class func getCacheDirectory() throws -> URL {
-        let cachePath = "Library/Caches/tools.fastlane"
-        // on OSX config is stored in /Users/<username>/Library
-        // and on iOS/tvOS/WatchOS it's in simulator's home dir
-        #if os(OSX)
-            let homeDir = URL(fileURLWithPath: NSHomeDirectory())
-            return homeDir.appendingPathComponent(cachePath)
-        #elseif arch(i386) || arch(x86_64) || arch(arm64)
-            guard let simulatorHostHome = ProcessInfo().environment["SIMULATOR_HOST_HOME"] else {
-                throw SnapshotError.cannotFindSimulatorHomeDirectory
-            }
-            let homeDir = URL(fileURLWithPath: simulatorHostHome)
-            return homeDir.appendingPathComponent(cachePath)
-        #else
-            throw SnapshotError.cannotRunOnPhysicalDevice
-        #endif
-    }
-}
-
-private extension XCUIElementAttributes {
-    var isNetworkLoadingIndicator: Bool {
-        if hasAllowListedIdentifier { return false }
-
-        let hasOldLoadingIndicatorSize = frame.size == CGSize(width: 10, height: 20)
-        let hasNewLoadingIndicatorSize = frame.size.width.isBetween(46, and: 47) && frame.size.height.isBetween(2, and: 3)
-
-        return hasOldLoadingIndicatorSize || hasNewLoadingIndicatorSize
-    }
-
-    var hasAllowListedIdentifier: Bool {
-        let allowListedIdentifiers = ["GeofenceLocationTrackingOn", "StandardLocationTrackingOn"]
-
-        return allowListedIdentifiers.contains(identifier)
-    }
-
-    func isStatusBar(_ deviceWidth: CGFloat) -> Bool {
-        if elementType == .statusBar { return true }
-        guard frame.origin == .zero else { return false }
-
-        let oldStatusBarSize = CGSize(width: deviceWidth, height: 20)
-        let newStatusBarSize = CGSize(width: deviceWidth, height: 44)
-
-        return [oldStatusBarSize, newStatusBarSize].contains(frame.size)
-    }
-}
-
-private extension XCUIElementQuery {
-    var networkLoadingIndicators: XCUIElementQuery {
-        let isNetworkLoadingIndicator = NSPredicate { (evaluatedObject, _) in
-            guard let element = evaluatedObject as? XCUIElementAttributes else { return false }
-
-            return element.isNetworkLoadingIndicator
-        }
-
-        return self.containing(isNetworkLoadingIndicator)
-    }
-
-    var deviceStatusBars: XCUIElementQuery {
-        guard let app = Snapshot.app else {
-            fatalError("XCUIApplication is not set. Please call setupSnapshot(app) before snapshot().")
-        }
-
-        let deviceWidth = app.windows.firstMatch.frame.width
-
-        let isStatusBar = NSPredicate { (evaluatedObject, _) in
-            guard let element = evaluatedObject as? XCUIElementAttributes else { return false }
-
-            return element.isStatusBar(deviceWidth)
-        }
-
-        return self.containing(isStatusBar)
-    }
-}
-
-private extension CGFloat {
-    func isBetween(_ numberA: CGFloat, and numberB: CGFloat) -> Bool {
-        return numberA...numberB ~= self
-    }
-}
-
-// Please don't remove the lines below
-// They are used to detect outdated configuration files
-// SnapshotHelperVersion [1.27]

apps/ios/VERSIONING.md

@@ -64,7 +64,7 @@ Pinned iOS version `2026.4.10` maps to:
 - `apps/ios/fastlane/metadata/en-US/release_notes.txt`
   - generated from `apps/ios/CHANGELOG.md`
 - `apps/ios/build/Version.xcconfig`
-  - local gitignored build override generated per build or release prep
+  - local gitignored build override generated per build or beta prep
 
 ## Tooling surfaces
 
@@ -81,21 +81,16 @@ Pinned iOS version `2026.4.10` maps to:
 - `scripts/ios-pin-version.ts`
   - explicitly pins iOS to a chosen release version or the current gateway version
 
-### Build and App Store release flow
+### Build and beta flow
 
 - `scripts/ios-write-version-xcconfig.sh`
   - reads the pinned iOS version
   - writes the local numeric build override file in `apps/ios/build/Version.xcconfig`
-- `scripts/ios-release-prepare.sh`
-  - prepares App Store distribution signing and bundle settings against the pinned iOS version
-- `scripts/ios-release-signing.mjs`
-  - validates the checked-in App Store signing manifest
-  - creates or verifies Developer Portal bundle IDs, capabilities, certificates, and profiles through `asc`
-  - syncs encrypted signing assets with the private shared signing repo
+- `scripts/ios-beta-prepare.sh`
+  - prepares beta signing and bundle settings against the pinned iOS version
 - `apps/ios/fastlane/Fastfile`
   - resolves version metadata from the pinned iOS helper
-  - increments App Store Connect build numbers for the pinned short version
-  - uploads screenshots and release notes before archiving a release build
+  - increments TestFlight build numbers for the pinned short version
 
 ## Release-note resolution order
 
@@ -123,7 +118,7 @@ pnpm ios:version:pin -- --version 2026.4.10
 
 1. keep `apps/ios/version.json` pinned to the current TestFlight train version
 2. update `apps/ios/CHANGELOG.md` under `## Unreleased` while iterating
-3. upload more App Store Connect builds with `pnpm ios:release:upload`
+3. upload more betas with the usual flow
 4. let Fastlane increment only `CFBundleVersion`
 
 This keeps the TestFlight version stable while review is in flight.
@@ -144,15 +139,12 @@ pnpm ios:version:pin -- --from-gateway
    - `apps/ios/fastlane/metadata/en-US/release_notes.txt`
 3. update `apps/ios/CHANGELOG.md` for the new release if needed
 4. run `pnpm ios:version:sync` again if the changelog changed
-5. upload the first App Store Connect build for that newly pinned version
+5. submit the first TestFlight build for that newly pinned version
 6. keep iterating only by build number until the release candidate is ready
-7. manually submit the reviewed build for App Review in App Store Connect
-8. release the approved build to production
+7. release that reviewed TestFlight build to production
 
 ## Important invariant
 
 Fastlane and Xcode should consume only the pinned iOS version from `apps/ios/version.json`.
 
 Changing `package.json.version` alone must not change the iOS app version until a maintainer explicitly runs the pin step.
-
-App Review submission must remain manual. Automation may create/update the editable App Store version, upload screenshots, upload release notes, and upload builds, but it should not submit a build for review.

apps/ios/WatchExtension/Sources/OpenClawWatchApp.swift

@@ -3,17 +3,10 @@ import SwiftUI
 @main
 struct OpenClawWatchApp: App {
     @Environment(\.scenePhase) private var scenePhase
-    @State private var inboxStore = WatchInboxStore(
-        requestNotificationAuthorization: !OpenClawWatchApp.isScreenshotMode)
+    @State private var inboxStore = WatchInboxStore()
     @State private var receiver: WatchConnectivityReceiver?
     @State private var execApprovalRefreshTask: Task<Void, Never>?
 
-    private static let screenshotModeDefaultsKey = "openclaw.watch.screenshotMode"
-    private static let isScreenshotMode = ProcessInfo.processInfo.arguments.contains(
-        "--openclaw-watch-screenshot-mode")
-        || ProcessInfo.processInfo.environment["OPENCLAW_WATCH_SCREENSHOT_MODE"] == "1"
-        || UserDefaults.standard.bool(forKey: OpenClawWatchApp.screenshotModeDefaultsKey)
-
     var body: some Scene {
         WindowGroup {
             WatchInboxView(
@@ -44,10 +37,6 @@ struct OpenClawWatchApp: App {
                     self.refreshExecApprovalReview(force: true)
                 })
                 .task {
-                    if OpenClawWatchApp.isScreenshotMode {
-                        self.inboxStore.configureScreenshotFixture()
-                        return
-                    }
                     if self.receiver == nil {
                         let receiver = WatchConnectivityReceiver(store: self.inboxStore)
                         receiver.activate()
@@ -89,32 +78,3 @@ struct OpenClawWatchApp: App {
         }
     }
 }
-
-@MainActor
-extension WatchInboxStore {
-    fileprivate func configureScreenshotFixture() {
-        self.consume(
-            execApprovalSnapshot: WatchExecApprovalSnapshotMessage(
-                approvals: [],
-                sentAtMs: Int(Date().timeIntervalSince1970 * 1000),
-                snapshotId: nil),
-            transport: "screenshot")
-        self.consume(
-            message: WatchNotifyMessage(
-                id: "watch-screenshot-quick-reply",
-                title: "Molty request",
-                body: "Molty Gateway checklist ready.",
-                sentAtMs: Int(Date().timeIntervalSince1970 * 1000),
-                promptId: "watch-screenshot-prompt",
-                sessionKey: "watch-screenshot-session",
-                kind: "release-checklist",
-                details: nil,
-                expiresAtMs: nil,
-                risk: "medium",
-                actions: [
-                    WatchPromptAction(id: "approve", label: "Approve", style: nil),
-                    WatchPromptAction(id: "later", label: "Later", style: "cancel"),
-                ]),
-            transport: "screenshot")
-    }
-}

apps/ios/WatchExtension/Sources/WatchInboxStore.swift

@@ -170,17 +170,12 @@ struct WatchExecApprovalRecord: Codable, Equatable, Identifiable {
     private var hasCompletedExecApprovalSnapshotRefreshInSession = false
     private var lastDeliveryKey: String?
 
-    init(
-        defaults: UserDefaults = .standard,
-        requestNotificationAuthorization: Bool = true)
-    {
+    init(defaults: UserDefaults = .standard) {
         self.defaults = defaults
         self.restorePersistedState()
         self.pruneExpiredExecApprovals(nowMs: Self.nowMs())
-        if requestNotificationAuthorization {
-            Task {
-                await self.ensureNotificationAuthorization()
-            }
+        Task {
+            await self.ensureNotificationAuthorization()
         }
     }
 

apps/ios/fastlane/.env.example

@@ -19,6 +19,3 @@
 # Deliver toggles (off by default)
 # DELIVER_METADATA=1
 # DELIVER_SCREENSHOTS=1
-
-# Screenshot generation
-# OPENCLAW_SNAPSHOT_DEVICES=iPhone 16 Pro Max,iPad Pro 13-inch (M4)

apps/ios/fastlane/Appfile

@@ -1,4 +1,4 @@
-app_identifier("ai.openclawfoundation.app")
+app_identifier("ai.openclaw.client")
 
 # Auth is expected via App Store Connect API key.
 # Provide either:

apps/ios/fastlane/Fastfile

@@ -1,23 +1,10 @@
 require "shellwords"
 require "open3"
 require "json"
-require "fileutils"
-require "tmpdir"
-require "tempfile"
-require "cgi"
 
 default_platform(:ios)
 
-APP_STORE_APP_IDENTIFIER = "ai.openclawfoundation.app"
-DEFAULT_SNAPSHOT_DEVICES = ["iPhone 16 Pro Max", "iPad Pro 13-inch (M4)"].freeze
-DEFAULT_WATCH_SNAPSHOT_DEVICE = "Apple Watch Ultra 3 (49mm)"
-WATCH_SCREENSHOT_MODE_DEFAULTS_KEY = "openclaw.watch.screenshotMode"
-WATCH_SNAPSHOT_STATUS_BAR_TIME = "09:41"
-SNAPSHOT_STATUS_BAR_ARGUMENTS = "--time 09:41 --dataNetwork wifi --wifiMode active --wifiBars 3 --cellularMode active --cellularBars 4 --batteryState charged --batteryLevel 100".freeze
-REQUIRED_SCREENSHOT_FAMILIES = {
-  "iPhone" => /iPhone/,
-  "13-inch iPad" => /iPad (Air|Pro) 13-inch/
-}.freeze
+BETA_APP_IDENTIFIER = "ai.openclaw.client"
 
 def load_env_file(path)
   return unless File.exist?(path)
@@ -46,294 +33,10 @@ def screenshot_upload_requested?
   ENV["DELIVER_SCREENSHOTS"] == "1"
 end
 
-def release_notes_upload_requested?
-  ENV["DELIVER_RELEASE_NOTES"] == "1"
-end
-
 def screenshot_paths
   Dir[File.join(__dir__, "screenshots", "**", "*.png")]
 end
 
-def validate_required_screenshots!(paths)
-  missing_families = REQUIRED_SCREENSHOT_FAMILIES.filter_map do |name, pattern|
-    name unless paths.any? { |path| File.basename(path).match?(pattern) }
-  end
-  return if missing_families.empty?
-
-  UI.user_error!("DELIVER_SCREENSHOTS=1 but screenshots are missing for: #{missing_families.join(', ')}.")
-end
-
-def snapshot_devices
-  raw = ENV["OPENCLAW_SNAPSHOT_DEVICES"].to_s.strip
-  return DEFAULT_SNAPSHOT_DEVICES if raw.empty?
-
-  raw.split(",").map(&:strip).reject(&:empty?)
-end
-
-def watch_snapshot_device
-  raw = ENV["OPENCLAW_WATCH_SNAPSHOT_DEVICE"].to_s.strip
-  raw.empty? ? DEFAULT_WATCH_SNAPSHOT_DEVICE : raw
-end
-
-def available_simulator_devices
-  stdout, stderr, status = Open3.capture3("xcrun", "simctl", "list", "devices", "available", "--json")
-  unless status.success?
-    detail = stderr.to_s.strip
-    detail = stdout.to_s.strip if detail.empty?
-    UI.user_error!("Failed to list simulator devices: #{detail}")
-  end
-
-  JSON.parse(stdout).fetch("devices").values.flatten
-rescue JSON::ParserError => e
-  UI.user_error!("Invalid JSON from simctl device list: #{e.message}")
-end
-
-def resolve_simulator_device(name)
-  devices = available_simulator_devices
-  exact = devices.find { |device| device["name"] == name }
-  return exact if exact
-
-  watch_devices = devices.select { |device| device["name"].to_s.include?("Apple Watch") }
-  fallback = watch_devices.find { |device| device["name"].to_s.include?("Ultra") } || watch_devices.first
-  UI.user_error!("No available Apple Watch simulators found.") unless fallback
-
-  UI.important("Apple Watch simulator '#{name}' was not found; using '#{fallback.fetch("name")}'.")
-  fallback
-end
-
-def bundle_identifier_for_product(product_path)
-  info_plist_path = File.join(product_path, "Info.plist")
-  UI.user_error!("Expected Info.plist at #{info_plist_path}.") unless File.exist?(info_plist_path)
-
-  stdout, stderr, status = Open3.capture3(
-    "/usr/libexec/PlistBuddy",
-    "-c",
-    "Print:CFBundleIdentifier",
-    info_plist_path
-  )
-  unless status.success?
-    detail = stderr.to_s.strip
-    detail = stdout.to_s.strip if detail.empty?
-    UI.user_error!("Failed to read bundle identifier from #{info_plist_path}: #{detail}")
-  end
-
-  bundle_identifier = stdout.to_s.strip
-  UI.user_error!("Missing bundle identifier in #{info_plist_path}.") if bundle_identifier.empty?
-  bundle_identifier
-end
-
-def write_watch_screenshot_mode_defaults(udid, bundle_identifiers)
-  bundle_identifiers.each do |bundle_identifier|
-    sh(
-      shell_join([
-        "xcrun",
-        "simctl",
-        "spawn",
-        udid,
-        "defaults",
-        "write",
-        bundle_identifier,
-        WATCH_SCREENSHOT_MODE_DEFAULTS_KEY,
-        "-bool",
-        "YES",
-      ])
-    )
-  end
-end
-
-def clear_watch_screenshot_mode_defaults(udid, bundle_identifiers)
-  bundle_identifiers.each do |bundle_identifier|
-    sh(
-      "#{shell_join([
-        "xcrun",
-        "simctl",
-        "spawn",
-        udid,
-        "defaults",
-        "delete",
-        bundle_identifier,
-        WATCH_SCREENSHOT_MODE_DEFAULTS_KEY,
-      ])} >/dev/null 2>&1 || true"
-    )
-  end
-end
-
-def status_bar_unsupported?(detail)
-  detail.include?("Status bar overrides not supported on this platform") ||
-    detail.include?("Operation not supported")
-end
-
-def set_watch_status_bar_override(udid)
-  stdout, stderr, status = Open3.capture3(
-    "xcrun",
-    "simctl",
-    "status_bar",
-    udid,
-    "override",
-    "--time",
-    WATCH_SNAPSHOT_STATUS_BAR_TIME
-  )
-  return true if status.success?
-
-  detail = stderr.to_s.strip
-  detail = stdout.to_s.strip if detail.empty?
-  if status_bar_unsupported?(detail)
-    UI.important("watchOS simulator status bar overrides are not supported; Watch screenshot clock will use simulator time.")
-    return false
-  end
-
-  UI.user_error!("Failed to override Watch simulator status bar: #{detail}")
-end
-
-def clear_watch_status_bar_override(udid)
-  stdout, stderr, status = Open3.capture3("xcrun", "simctl", "status_bar", udid, "clear")
-  return if status.success?
-
-  detail = stderr.to_s.strip
-  detail = stdout.to_s.strip if detail.empty?
-  UI.user_error!("Failed to clear Watch simulator status bar override: #{detail}") unless status_bar_unsupported?(detail)
-end
-
-def normalize_watch_screenshot_status_bar(path)
-  script = <<~SWIFT
-    import AppKit
-    import Foundation
-
-    let path = CommandLine.arguments[1]
-    let timeText = CommandLine.arguments[2]
-
-    guard let source = NSImage(contentsOfFile: path),
-          let cgImage = source.cgImage(forProposedRect: nil, context: nil, hints: nil)
-    else {
-      fputs("Failed to load screenshot at \\(path)\\n", stderr)
-      exit(2)
-    }
-
-    let width = CGFloat(cgImage.width)
-    let height = CGFloat(cgImage.height)
-    guard let bitmap = NSBitmapImageRep(
-      bitmapDataPlanes: nil,
-      pixelsWide: Int(width),
-      pixelsHigh: Int(height),
-      bitsPerSample: 8,
-      samplesPerPixel: 4,
-      hasAlpha: true,
-      isPlanar: false,
-      colorSpaceName: .deviceRGB,
-      bytesPerRow: 0,
-      bitsPerPixel: 0),
-      let graphicsContext = NSGraphicsContext(bitmapImageRep: bitmap)
-    else {
-      fputs("Failed to create normalized screenshot bitmap at \\(path)\\n", stderr)
-      exit(3)
-    }
-
-    bitmap.size = NSSize(width: width, height: height)
-    NSGraphicsContext.saveGraphicsState()
-    NSGraphicsContext.current = graphicsContext
-    source.draw(
-      in: NSRect(x: 0, y: 0, width: width, height: height),
-      from: NSRect(x: 0, y: 0, width: width, height: height),
-      operation: .copy,
-      fraction: 1.0)
-
-    NSColor.black.setFill()
-    NSBezierPath(rect: NSRect(x: width - 146, y: height - 92, width: 124, height: 70)).fill()
-
-    let paragraphStyle = NSMutableParagraphStyle()
-    paragraphStyle.alignment = .right
-    let attributes: [NSAttributedString.Key: Any] = [
-      .font: NSFont.monospacedDigitSystemFont(ofSize: 34, weight: .semibold),
-      .foregroundColor: NSColor.white,
-      .paragraphStyle: paragraphStyle,
-    ]
-    timeText.draw(
-      in: NSRect(x: width - 134, y: height - 82, width: 102, height: 44),
-      withAttributes: attributes)
-    NSGraphicsContext.restoreGraphicsState()
-
-    guard let png = bitmap.representation(using: .png, properties: [:])
-    else {
-      fputs("Failed to encode normalized screenshot at \\(path)\\n", stderr)
-      exit(4)
-    }
-
-    try png.write(to: URL(fileURLWithPath: path))
-  SWIFT
-
-  Tempfile.create(["openclaw-watch-status-bar", ".swift"]) do |file|
-    file.write(script)
-    file.flush
-    sh(shell_join(["xcrun", "swift", file.path, path, "9:41"]))
-  end
-end
-
-def capture_watch_screenshot
-  device = resolve_simulator_device(watch_snapshot_device)
-  device_name = device.fetch("name")
-  udid = device.fetch("udid")
-  output_dir = File.join(ios_root, "fastlane", "screenshots", "en-US")
-  output_path = File.join(output_dir, "#{device_name}-01-quick-reply.png")
-  derived_data_path = File.join(ios_root, "build", "WatchScreenshotDerivedData")
-  app_path = File.join(derived_data_path, "Build", "Products", "Debug-watchsimulator", "OpenClawWatchApp.app")
-
-  FileUtils.mkdir_p(output_dir)
-  Dir[File.join(output_dir, "Apple Watch*-*.png")].each { |path| FileUtils.rm_f(path) }
-  FileUtils.rm_rf(derived_data_path)
-
-  sh(
-    xcodebuild_shell_join([
-      "xcodebuild",
-      "-project",
-      File.join(ios_root, "OpenClaw.xcodeproj"),
-      "-scheme",
-      "OpenClawWatchApp",
-      "-configuration",
-      "Debug",
-      "-destination",
-      "platform=watchOS Simulator,id=#{udid}",
-      "-derivedDataPath",
-      derived_data_path,
-      "build",
-    ])
-  )
-
-  UI.user_error!("Watch screenshot build did not produce #{app_path}.") unless File.exist?(app_path)
-  extension_path = File.join(app_path, "PlugIns", "OpenClawWatchExtension.appex")
-  watch_app_identifier = bundle_identifier_for_product(app_path)
-  watch_extension_identifier = bundle_identifier_for_product(extension_path)
-  screenshot_mode_bundle_identifiers = [watch_app_identifier, watch_extension_identifier]
-
-  sh("#{shell_join(["xcrun", "simctl", "boot", udid])} >/dev/null 2>&1 || true")
-  sh(shell_join(["xcrun", "simctl", "bootstatus", udid, "-b"]))
-  sh("#{shell_join(["xcrun", "simctl", "uninstall", udid, watch_app_identifier])} >/dev/null 2>&1 || true")
-  status_bar_overridden = false
-  begin
-    sh(shell_join(["xcrun", "simctl", "install", udid, app_path]))
-    write_watch_screenshot_mode_defaults(udid, screenshot_mode_bundle_identifiers)
-    status_bar_overridden = set_watch_status_bar_override(udid)
-    sh(
-      "SIMCTL_CHILD_OPENCLAW_WATCH_SCREENSHOT_MODE=1 #{shell_join([
-        "xcrun",
-        "simctl",
-        "launch",
-        udid,
-        watch_app_identifier,
-        "--openclaw-watch-screenshot-mode",
-      ])}"
-    )
-    sleep(3)
-    sh(shell_join(["xcrun", "simctl", "io", udid, "screenshot", output_path]))
-    normalize_watch_screenshot_status_bar(output_path)
-  ensure
-    clear_watch_status_bar_override(udid) if status_bar_overridden
-    clear_watch_screenshot_mode_defaults(udid, screenshot_mode_bundle_identifiers)
-  end
-
-  UI.success("Captured Apple Watch screenshot: #{output_path}")
-  output_path
-end
-
 def maybe_decode_hex_keychain_secret(value)
   return value unless env_present?(value)
 
@@ -400,92 +103,6 @@ def ios_root
   File.expand_path("..", __dir__)
 end
 
-def preserve_file(path)
-  existed = File.exist?(path)
-  contents = existed ? File.binread(path) : nil
-
-  yield
-ensure
-  if existed
-    File.binwrite(path, contents)
-  else
-    FileUtils.rm_f(path)
-  end
-end
-
-def preserve_local_signing
-  preserve_file(File.join(ios_root, ".local-signing.xcconfig")) do
-    yield
-  end
-end
-
-def app_store_signing_manifest
-  JSON.parse(File.read(File.join(ios_root, "Config", "AppStoreSigning.json")))
-end
-
-def app_store_provisioning_profiles
-  app_store_signing_manifest.fetch("targets").each_with_object({}) do |target, profiles|
-    profiles[target.fetch("bundleId")] = target.fetch("profileName")
-  end
-end
-
-def xml_string(value)
-  CGI.escapeHTML(value.to_s)
-end
-
-def write_app_store_export_options(path)
-  manifest = app_store_signing_manifest
-  profile_entries = app_store_provisioning_profiles.map do |bundle_id, profile_name|
-    "    <key>#{xml_string(bundle_id)}</key>\n    <string>#{xml_string(profile_name)}</string>"
-  end.join("\n")
-
-  File.write(path, <<~PLIST)
-    <?xml version="1.0" encoding="UTF-8"?>
-    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
-    <plist version="1.0">
-    <dict>
-      <key>method</key>
-      <string>app-store-connect</string>
-      <key>signingStyle</key>
-      <string>manual</string>
-      <key>signingCertificate</key>
-      <string>Apple Distribution</string>
-      <key>teamID</key>
-      <string>#{xml_string(manifest.fetch("teamId"))}</string>
-      <key>provisioningProfiles</key>
-      <dict>
-    #{profile_entries}
-      </dict>
-      <key>destination</key>
-      <string>export</string>
-      <key>stripSwiftSymbols</key>
-      <true/>
-      <key>manageAppVersionAndBuildNumber</key>
-      <false/>
-    </dict>
-    </plist>
-  PLIST
-end
-
-def release_signing_check!
-  sh(shell_join(["node", File.join(repo_root, "scripts", "ios-release-signing.mjs"), "--mode", "check"]))
-end
-
-def release_notes_path
-  File.join(__dir__, "metadata", "en-US", "release_notes.txt")
-end
-
-def release_notes_metadata_path
-  source = release_notes_path
-  UI.user_error!("Missing release notes at #{source}. Run `pnpm ios:version:sync`.") unless File.exist?(source)
-
-  temp_root = Dir.mktmpdir("openclaw-release-notes")
-  target_dir = File.join(temp_root, "en-US")
-  FileUtils.mkdir_p(target_dir)
-  FileUtils.cp(source, File.join(target_dir, "release_notes.txt"))
-  temp_root
-end
-
 def read_ios_version_metadata
   script_path = File.join(repo_root, "scripts", "ios-version.ts")
   stdout, stderr, status = Open3.capture3(
@@ -539,102 +156,69 @@ def shell_join(parts)
   Shellwords.join(parts.compact)
 end
 
-def xcodebuild_shell_join(parts)
-  xcode_path = "/usr/bin:/bin:/usr/sbin:/sbin:/opt/homebrew/bin:/usr/local/bin"
-  shell_join(["env", "PATH=#{xcode_path}", *parts])
-end
-
-def resolve_release_build_number(api_key:, short_version:)
-  explicit = ENV["IOS_RELEASE_BUILD_NUMBER"]
+def resolve_beta_build_number(api_key:, short_version:)
+  explicit = ENV["IOS_BETA_BUILD_NUMBER"]
   if env_present?(explicit)
-    UI.user_error!("Invalid iOS release build number '#{explicit}'. Expected digits only.") unless explicit.match?(/\A\d+\z/)
-    UI.message("Using explicit iOS release build number #{explicit}.")
+    UI.user_error!("Invalid IOS_BETA_BUILD_NUMBER '#{explicit}'. Expected digits only.") unless explicit.match?(/\A\d+\z/)
+    UI.message("Using explicit iOS beta build number #{explicit}.")
     return explicit
   end
 
   latest_build = latest_testflight_build_number(
     api_key: api_key,
-    app_identifier: APP_STORE_APP_IDENTIFIER,
+    app_identifier: BETA_APP_IDENTIFIER,
     version: short_version,
     initial_build_number: 0
   )
   next_build = latest_build.to_i + 1
-  UI.message("Resolved iOS release build number #{next_build} for #{short_version} (latest App Store Connect build: #{latest_build}).")
+  UI.message("Resolved iOS beta build number #{next_build} for #{short_version} (latest TestFlight build: #{latest_build}).")
   next_build.to_s
 end
 
-def release_build_number_needs_asc_auth?
-  explicit = ENV["IOS_RELEASE_BUILD_NUMBER"]
+def beta_build_number_needs_asc_auth?
+  explicit = ENV["IOS_BETA_BUILD_NUMBER"]
   !env_present?(explicit)
 end
 
-def prepare_app_store_release!(version:, build_number:)
-  script_path = File.join(repo_root, "scripts", "ios-release-prepare.sh")
-  UI.message("Preparing iOS App Store release #{version} (build #{build_number}).")
+def prepare_beta_release!(version:, build_number:)
+  script_path = File.join(repo_root, "scripts", "ios-beta-prepare.sh")
+  UI.message("Preparing iOS beta release #{version} (build #{build_number}).")
   sh(shell_join(["bash", script_path, "--build-number", build_number]))
 
-  release_xcconfig = File.join(ios_root, "build", "AppStoreRelease.xcconfig")
-  UI.user_error!("Missing App Store release xcconfig at #{release_xcconfig}.") unless File.exist?(release_xcconfig)
+  beta_xcconfig = File.join(ios_root, "build", "BetaRelease.xcconfig")
+  UI.user_error!("Missing beta xcconfig at #{beta_xcconfig}.") unless File.exist?(beta_xcconfig)
 
-  ENV["XCODE_XCCONFIG_FILE"] = release_xcconfig
-  release_xcconfig
+  ENV["XCODE_XCCONFIG_FILE"] = beta_xcconfig
+  beta_xcconfig
 end
 
-def build_app_store_release(context)
+def build_beta_release(context)
   version = context[:version]
-  project_path = File.join(ios_root, "OpenClaw.xcodeproj")
-  output_directory = File.join(ios_root, "build", "app-store")
+  output_directory = File.join("build", "beta")
   archive_path = File.join(output_directory, "OpenClaw-#{version}.xcarchive")
-  export_options_path = File.join(output_directory, "ExportOptions.plist")
-  output_name = "OpenClaw-#{version}.ipa"
-  expected_ipa_path = File.join(output_directory, output_name)
 
-  FileUtils.mkdir_p(output_directory)
-  FileUtils.rm_rf(archive_path)
-  Dir[File.join(output_directory, "*.ipa")].each { |path| FileUtils.rm_f(path) }
-  write_app_store_export_options(export_options_path)
-
-  sh(
-    xcodebuild_shell_join([
-      "xcodebuild",
-      "-project",
-      project_path,
-      "-scheme",
-      "OpenClaw",
-      "-configuration",
-      "Release",
-      "-destination",
-      "generic/platform=iOS",
-      "-archivePath",
-      archive_path,
-      "clean",
-      "archive",
-    ])
+  build_app(
+    project: "OpenClaw.xcodeproj",
+    scheme: "OpenClaw",
+    configuration: "Release",
+    export_method: "app-store",
+    clean: true,
+    skip_profile_detection: true,
+    build_path: "build",
+    archive_path: archive_path,
+    output_directory: output_directory,
+    output_name: "OpenClaw-#{version}.ipa",
+    xcargs: "-allowProvisioningUpdates",
+    export_xcargs: "-allowProvisioningUpdates",
+    export_options: {
+      signingStyle: "automatic"
+    }
   )
 
-  sh(
-    xcodebuild_shell_join([
-      "xcodebuild",
-      "-exportArchive",
-      "-archivePath",
-      archive_path,
-      "-exportPath",
-      output_directory,
-      "-exportOptionsPlist",
-      export_options_path,
-    ])
-  )
-
-  exported_ipas = Dir[File.join(output_directory, "*.ipa")]
-  UI.user_error!("xcodebuild export did not produce an IPA in #{output_directory}.") if exported_ipas.empty?
-  UI.user_error!("xcodebuild export produced multiple IPAs in #{output_directory}: #{exported_ipas.join(", ")}") if exported_ipas.length > 1
-  exported_ipa = exported_ipas.first
-  FileUtils.mv(exported_ipa, expected_ipa_path) unless exported_ipa == expected_ipa_path
-
   {
     archive_path: archive_path,
     build_number: context[:build_number],
-    ipa_path: expected_ipa_path,
+    ipa_path: lane_context[SharedValues::IPA_OUTPUT_PATH],
     short_version: context[:short_version],
     version: version
   }
@@ -688,40 +272,40 @@ platform :ios do
     api_key
   end
 
-  private_lane :prepare_app_store_context do |options|
+  private_lane :prepare_beta_context do |options|
     require_api_key = options[:require_api_key] == true
-    needs_api_key = require_api_key || release_build_number_needs_asc_auth?
+    needs_api_key = require_api_key || beta_build_number_needs_asc_auth?
     api_key = needs_api_key ? asc_api_key : nil
     sync_ios_versioning!
     version_metadata = read_ios_version_metadata
     version = version_metadata[:version]
     short_version = version_metadata[:short_version]
-    build_number = resolve_release_build_number(api_key: api_key, short_version: short_version)
-    release_xcconfig = prepare_app_store_release!(version: version, build_number: build_number)
+    build_number = resolve_beta_build_number(api_key: api_key, short_version: short_version)
+    beta_xcconfig = prepare_beta_release!(version: version, build_number: build_number)
 
     {
       api_key: api_key,
+      beta_xcconfig: beta_xcconfig,
       build_number: build_number,
-      release_xcconfig: release_xcconfig,
       short_version: short_version,
       version: version
     }
   end
 
-  desc "Build an App Store distribution archive locally without uploading"
-  lane :app_store_archive do
-    context = prepare_app_store_context(require_api_key: false)
-    build = build_app_store_release(context)
-    UI.success("Built iOS App Store archive: version=#{build[:version]} short=#{build[:short_version]} build=#{build[:build_number]}")
+  desc "Build a beta archive locally without uploading"
+  lane :beta_archive do
+    context = prepare_beta_context(require_api_key: false)
+    build = build_beta_release(context)
+    UI.success("Built iOS beta archive: version=#{build[:version]} short=#{build[:short_version]} build=#{build[:build_number]}")
     build
   ensure
     ENV.delete("XCODE_XCCONFIG_FILE")
   end
 
-  desc "Build + upload an App Store distribution build to App Store Connect"
-  lane :app_store do
-    context = prepare_app_store_context(require_api_key: true)
-    build = build_app_store_release(context)
+  desc "Build + upload a beta to TestFlight"
+  lane :beta do
+    context = prepare_beta_context(require_api_key: true)
+    build = build_beta_release(context)
 
     upload_to_testflight(
       api_key: context[:api_key],
@@ -730,33 +314,7 @@ platform :ios do
       uses_non_exempt_encryption: false
     )
 
-    UI.success("Uploaded iOS App Store build: version=#{build[:version]} short=#{build[:short_version]} build=#{build[:build_number]}")
-  ensure
-    ENV.delete("XCODE_XCCONFIG_FILE")
-  end
-
-  desc "Generate screenshots, update App Store version metadata, then upload an App Store build"
-  lane :release_upload do
-    release_signing_check!
-    preserve_local_signing do
-      screenshots
-    end
-    ENV["DELIVER_SCREENSHOTS"] = "1"
-    ENV["DELIVER_RELEASE_NOTES"] = "1"
-    metadata
-
-    context = prepare_app_store_context(require_api_key: true)
-    build = build_app_store_release(context)
-
-    upload_to_testflight(
-      api_key: context[:api_key],
-      ipa: build[:ipa_path],
-      skip_waiting_for_build_processing: true,
-      uses_non_exempt_encryption: false
-    )
-
-    UI.success("Uploaded iOS App Store build: version=#{build[:version]} short=#{build[:short_version]} build=#{build[:build_number]}")
-    UI.important("App Review submission remains manual in App Store Connect.")
+    UI.success("Uploaded iOS beta: version=#{build[:version]} short=#{build[:short_version]} build=#{build[:build_number]}")
   ensure
     ENV.delete("XCODE_XCCONFIG_FILE")
   end
@@ -772,19 +330,8 @@ platform :ios do
     app_identifier = nil unless env_present?(app_identifier)
     app_id = nil unless env_present?(app_id)
 
-    if screenshot_upload_requested?
-      paths = screenshot_paths
-      if paths.empty?
-        UI.user_error!("DELIVER_SCREENSHOTS=1 but no PNG screenshots were found under apps/ios/fastlane/screenshots.")
-      end
-      validate_required_screenshots!(paths)
-    end
-
-    metadata_path = File.join(__dir__, "metadata")
-    skip_metadata = ENV["DELIVER_METADATA"] != "1"
-    if release_notes_upload_requested? && skip_metadata
-      metadata_path = release_notes_metadata_path
-      skip_metadata = false
+    if screenshot_upload_requested? && screenshot_paths.empty?
+      UI.user_error!("DELIVER_SCREENSHOTS=1 but no PNG screenshots were found under apps/ios/fastlane/screenshots.")
     end
 
     deliver_options = {
@@ -794,13 +341,10 @@ platform :ios do
       copyright: "2026 OpenClaw",
       primary_category: "PRODUCTIVITY",
       secondary_category: "UTILITIES",
-      metadata_path: metadata_path,
       skip_screenshots: !screenshot_upload_requested?,
-      skip_metadata: skip_metadata,
+      skip_metadata: ENV["DELIVER_METADATA"] != "1",
       skip_binary_upload: true,
       overwrite_screenshots: screenshot_upload_requested?,
-      skip_app_version_update: false,
-      submit_for_review: false,
       run_precheck_before_submit: false
     }
     deliver_options[:app_identifier] = app_identifier if app_identifier
@@ -813,40 +357,6 @@ platform :ios do
     deliver(**deliver_options)
   end
 
-  desc "Generate deterministic iOS screenshots for App Store metadata"
-  lane :screenshots do
-    sh(shell_join(["bash", File.join(repo_root, "scripts", "ios-configure-signing.sh")]))
-    sh(shell_join(["bash", File.join(repo_root, "scripts", "ios-write-version-xcconfig.sh")]))
-    sh(shell_join(["xcodegen", "generate", "--spec", File.join(ios_root, "project.yml"), "--project", ios_root]))
-
-    capture_ios_screenshots(
-      project: File.join(ios_root, "OpenClaw.xcodeproj"),
-      scheme: "OpenClawUITests",
-      configuration: "Debug",
-      devices: snapshot_devices,
-      languages: ["en-US"],
-      launch_arguments: ["--openclaw-screenshot-mode"],
-      output_directory: File.join(ios_root, "fastlane", "screenshots"),
-      clear_previous_screenshots: true,
-      reinstall_app: true,
-      concurrent_simulators: false,
-      override_status_bar: true,
-      override_status_bar_arguments: SNAPSHOT_STATUS_BAR_ARGUMENTS,
-      skip_open_summary: true,
-      xcargs: "-allowProvisioningUpdates"
-    )
-
-    watch_screenshot
-  end
-
-  desc "Generate deterministic Apple Watch screenshot for App Store metadata"
-  lane :watch_screenshot do
-    sh(shell_join(["bash", File.join(repo_root, "scripts", "ios-configure-signing.sh")]))
-    sh(shell_join(["bash", File.join(repo_root, "scripts", "ios-write-version-xcconfig.sh")]))
-    sh(shell_join(["xcodegen", "generate", "--spec", File.join(ios_root, "project.yml"), "--project", ios_root]))
-    capture_watch_screenshot
-  end
-
   desc "Validate App Store Connect API auth"
   lane :auth_check do
     asc_api_key

apps/ios/fastlane/SETUP.md

@@ -29,12 +29,12 @@ ASC_KEYCHAIN_SERVICE=openclaw-asc-key
 ASC_KEYCHAIN_ACCOUNT=YOUR_MAC_USERNAME
 ```
 
-Important: `apps/ios/fastlane/.env` is only for Fastlane/App Store Connect auth and optional release-archive settings. It does **not** configure gateway-side direct APNs push delivery for local iOS builds.
+Important: `apps/ios/fastlane/.env` is only for Fastlane/App Store Connect auth and optional beta-archive settings. It does **not** configure gateway-side direct APNs push delivery for local iOS builds.
 
 Optional app targeting variables (helpful if Fastlane cannot auto-resolve app by bundle):
 
 ```bash
-ASC_APP_IDENTIFIER=ai.openclawfoundation.app
+ASC_APP_IDENTIFIER=ai.openclaw.client
 # or
 ASC_APP_ID=YOUR_APP_STORE_CONNECT_APP_ID
 ```
@@ -53,26 +53,7 @@ Code signing variable (optional in `.env`):
 IOS_DEVELOPMENT_TEAM=YOUR_TEAM_ID
 ```
 
-Tip: run `scripts/ios-team-id.sh --require-canonical` from repo root to verify the canonical OpenClaw iOS team (`FWJYW4S8P8`) is available locally. Fastlane uses the same canonical-only path when `IOS_DEVELOPMENT_TEAM` is missing, and rejects non-canonical teams for release archives.
-
-App Store release signing is manual and profile-pinned. The canonical manifest is `apps/ios/Config/AppStoreSigning.json`.
-
-One-time or rotation setup:
-
-```bash
-pnpm ios:release:signing:plan
-pnpm ios:release:signing:check
-pnpm ios:release:signing:setup
-```
-
-Shared encrypted signing storage:
-
-```bash
-ASC_MATCH_PASSWORD=... pnpm ios:release:signing:sync:push
-ASC_MATCH_PASSWORD=... pnpm ios:release:signing:sync:pull
-```
-
-The signing repo is private and encrypted. Store `ASC_MATCH_PASSWORD` in the release-owner vault, not in this product repo. `sync:pull` writes decrypted assets under `apps/ios/build/signing/`; import the distribution certificate/private key into Keychain before archiving.
+Tip: run `scripts/ios-team-id.sh` from repo root to print a Team ID for `.env`. The helper prefers the canonical OpenClaw team (`Y5PE65HELJ`) when present locally; otherwise it prefers the first non-personal team from your Xcode account (then personal team if needed). Fastlane uses this helper automatically if `IOS_DEVELOPMENT_TEAM` is missing.
 
 For local/manual iOS builds that stay on direct APNs, configure the gateway host separately with `OPENCLAW_APNS_TEAM_ID`, `OPENCLAW_APNS_KEY_ID`, and either `OPENCLAW_APNS_PRIVATE_KEY_P8` or `OPENCLAW_APNS_PRIVATE_KEY_PATH`. Those gateway runtime env vars are separate from Fastlane's `.env`.
 
@@ -85,36 +66,28 @@ fastlane ios auth_check
 
 ASC auth is only required when:
 
-- uploading to App Store Connect
+- uploading to TestFlight
 - auto-resolving the next build number from App Store Connect
 
-If you pass `--build-number` to `pnpm ios:release:archive`, the local archive path does not need ASC auth.
+If you pass `--build-number` to `pnpm ios:beta:archive`, the local archive path does not need ASC auth.
 
 Archive locally without upload:
 
 ```bash
-pnpm ios:release:archive
+pnpm ios:beta:archive
 ```
 
-Generate deterministic App Store screenshots:
+Upload to TestFlight:
 
 ```bash
-pnpm ios:screenshots
-```
-
-The screenshot lane runs the app with `--openclaw-screenshot-mode`, which enters the built-in connected screenshot fixture instead of pairing with a live gateway. By default it captures the tab set on `iPhone 16 Pro Max` and `iPad Pro 13-inch (M4)`; override devices with a comma-separated `OPENCLAW_SNAPSHOT_DEVICES` value when the requested simulators exist locally.
-
-Upload to App Store Connect:
-
-```bash
-pnpm ios:release:upload
+pnpm ios:beta
 ```
 
 Direct Fastlane entry point:
 
 ```bash
 cd apps/ios
-fastlane ios release_upload
+fastlane ios beta
 ```
 
 Maintainer recovery path for a fresh clone on the same Mac:
@@ -142,7 +115,7 @@ fastlane ios auth_check
 pnpm ios:version:pin -- --from-gateway
 ```
 
-5. Set the official relay URL before release:
+5. Set the official/TestFlight relay URL before release:
 
 ```bash
 export OPENCLAW_PUSH_RELAY_BASE_URL=https://relay.example.com
@@ -151,14 +124,14 @@ export OPENCLAW_PUSH_RELAY_BASE_URL=https://relay.example.com
 6. Upload:
 
 ```bash
-pnpm ios:release:upload
+pnpm ios:beta
 ```
 
 Quick verification after upload:
 
-- confirm `apps/ios/build/app-store/OpenClaw-<version>.ipa` exists
-- confirm Fastlane prints `Uploaded iOS App Store build: version=<version> short=<short> build=<build>`
-- remember that App Store Connect/TestFlight processing can take a few minutes after the upload succeeds
+- confirm `apps/ios/build/beta/OpenClaw-<version>.ipa` exists
+- confirm Fastlane prints `Uploaded iOS beta: version=<version> short=<short> build=<build>`
+- remember that TestFlight processing can take a few minutes after the upload succeeds
 
 Versioning rules:
 
@@ -168,10 +141,9 @@ Versioning rules:
 - `pnpm ios:version:pin -- --from-gateway` promotes the current root gateway version into the pinned iOS release version
 - Fastlane uses the pinned iOS version only; changing `package.json.version` alone does not change the iOS app version
 - Fastlane sets `CFBundleShortVersionString` to the pinned iOS version, for example `2026.4.10`
-- Fastlane resolves `CFBundleVersion` as the next integer App Store Connect build number for that short version
+- Fastlane resolves `CFBundleVersion` as the next integer TestFlight build number for that short version
 - Run `pnpm ios:version:sync` after changing `apps/ios/version.json` or `apps/ios/CHANGELOG.md`
 - `pnpm ios:version:check` validates that checked-in iOS version artifacts are in sync
-- The release flow regenerates `apps/ios/OpenClaw.xcodeproj` from `apps/ios/project.yml` before archiving
-- Local App Store signing uses a temporary generated xcconfig with profile names from `apps/ios/Config/AppStoreSigning.json` and leaves local development signing overrides untouched
-- `pnpm ios:release:upload` generates and uploads screenshots and release notes before archiving, then uploads the IPA without submitting it for App Review
+- The beta flow regenerates `apps/ios/OpenClaw.xcodeproj` from `apps/ios/project.yml` before archiving
+- Local beta signing uses a temporary generated xcconfig and leaves local development signing overrides untouched
 - See `apps/ios/VERSIONING.md` for the detailed workflow

apps/ios/fastlane/Snapfile

@@ -1,24 +0,0 @@
-project("OpenClaw.xcodeproj")
-scheme("OpenClawUITests")
-configuration("Debug")
-
-devices([
-  "iPhone 16 Pro Max",
-  "iPad Pro 13-inch (M4)",
-])
-
-languages([
-  "en-US",
-])
-
-launch_arguments([
-  "--openclaw-screenshot-mode",
-])
-
-output_directory("fastlane/screenshots")
-clear_previous_screenshots(true)
-reinstall_app(true)
-concurrent_simulators(false)
-override_status_bar(true)
-override_status_bar_arguments("--time 09:41 --dataNetwork wifi --wifiMode active --wifiBars 3 --cellularMode active --cellularBars 4 --batteryState charged --batteryLevel 100")
-skip_open_summary(true)

apps/ios/fastlane/metadata/README.md

@@ -10,15 +10,6 @@ ASC_APP_ID=YOUR_APP_STORE_CONNECT_APP_ID \
 DELIVER_METADATA=1 fastlane ios metadata
 ```
 
-## Release notes only
-
-`pnpm ios:release:upload` uses this mode before archiving so the editable App Store version has current release notes without rewriting all metadata:
-
-```bash
-cd apps/ios
-DELIVER_RELEASE_NOTES=1 fastlane ios metadata
-```
-
 ## Optional: include screenshots
 
 ```bash
@@ -48,7 +39,6 @@ Or set `APP_STORE_CONNECT_API_KEY_PATH`.
 - `release_notes.txt` is generated from `apps/ios/CHANGELOG.md`; after changelog updates, run `pnpm ios:version:sync`.
 - Release notes resolve from `## <pinned iOS version>` first, then fall back to `## Unreleased` while a TestFlight train is still in progress.
 - When starting a new production release train, pin the iOS version first with `pnpm ios:version:pin -- --from-gateway`.
-- The release upload flow uploads release notes and screenshots before the IPA, and never submits for App Review.
 - `privacy_url.txt` is set to `https://openclaw.ai/privacy`.
 - If app lookup fails in `deliver`, set one of:
   - `ASC_APP_IDENTIFIER` (bundle ID)

apps/ios/project.yml

@@ -1,6 +1,6 @@
 name: OpenClaw
 options:
-  bundleIdPrefix: ai.openclawfoundation
+  bundleIdPrefix: ai.openclaw
   deploymentTarget:
     iOS: "18.0"
   xcodeVersion: "16.0"
@@ -37,19 +37,6 @@ schemes:
     test:
       targets:
         - OpenClawLogicTests
-  OpenClawUITests:
-    shared: true
-    build:
-      targets:
-        OpenClawUITests: all
-    test:
-      targets:
-        - OpenClawUITests
-  OpenClawWatchApp:
-    shared: true
-    build:
-      targets:
-        OpenClawWatchApp: all
 
 targets:
   OpenClaw:
@@ -104,7 +91,7 @@ targets:
           swiftlint lint --config "$SRCROOT/.swiftlint.yml" --use-script-input-file-lists
     settings:
       base:
-        CODE_SIGN_IDENTITY: "$(OPENCLAW_CODE_SIGN_IDENTITY)"
+        CODE_SIGN_IDENTITY: "Apple Development"
         CODE_SIGN_ENTITLEMENTS: Sources/OpenClaw.entitlements
         CODE_SIGN_STYLE: "$(OPENCLAW_CODE_SIGN_STYLE)"
         DEVELOPMENT_TEAM: "$(OPENCLAW_DEVELOPMENT_TEAM)"
@@ -118,13 +105,11 @@ targets:
         ENABLE_APP_INTENTS_METADATA_GENERATION: NO
       configs:
         Debug:
-          OPENCLAW_APNS_ENTITLEMENT_ENVIRONMENT: development
           OPENCLAW_PUSH_TRANSPORT: direct
           OPENCLAW_PUSH_DISTRIBUTION: local
           OPENCLAW_PUSH_RELAY_BASE_URL: ""
           OPENCLAW_PUSH_APNS_ENVIRONMENT: sandbox
         Release:
-          OPENCLAW_APNS_ENTITLEMENT_ENVIRONMENT: production
           OPENCLAW_PUSH_TRANSPORT: direct
           OPENCLAW_PUSH_DISTRIBUTION: local
           OPENCLAW_PUSH_RELAY_BASE_URL: ""
@@ -135,7 +120,7 @@ targets:
         CFBundleDisplayName: OpenClaw
         CFBundleIconName: AppIcon
         CFBundleURLTypes:
-          - CFBundleURLName: ai.openclawfoundation.app
+          - CFBundleURLName: ai.openclaw.ios
             CFBundleURLSchemes:
               - openclaw
         CFBundleShortVersionString: "$(OPENCLAW_MARKETING_VERSION)"
@@ -148,7 +133,7 @@ targets:
           - audio
           - remote-notification
         BGTaskSchedulerPermittedIdentifiers:
-          - "$(OPENCLAW_APP_BUNDLE_ID).bgrefresh"
+          - ai.openclaw.ios.bgrefresh
         NSLocalNetworkUsageDescription: OpenClaw discovers and connects to your OpenClaw gateway on the local network.
         NSAppTransportSecurity:
           NSAllowsArbitraryLoadsInWebContent: true
@@ -191,7 +176,7 @@ targets:
       - sdk: AppIntents.framework
     settings:
       base:
-        CODE_SIGN_IDENTITY: "$(OPENCLAW_CODE_SIGN_IDENTITY)"
+        CODE_SIGN_IDENTITY: "Apple Development"
         CODE_SIGN_STYLE: "$(OPENCLAW_CODE_SIGN_STYLE)"
         DEVELOPMENT_TEAM: "$(OPENCLAW_DEVELOPMENT_TEAM)"
         ENABLE_APPINTENTS_METADATA: NO
@@ -231,11 +216,10 @@ targets:
       - sdk: ActivityKit.framework
     settings:
       base:
-        CODE_SIGN_IDENTITY: "$(OPENCLAW_CODE_SIGN_IDENTITY)"
+        CODE_SIGN_IDENTITY: "Apple Development"
         CODE_SIGN_STYLE: "$(OPENCLAW_CODE_SIGN_STYLE)"
         DEVELOPMENT_TEAM: "$(OPENCLAW_DEVELOPMENT_TEAM)"
         PRODUCT_BUNDLE_IDENTIFIER: "$(OPENCLAW_ACTIVITY_WIDGET_BUNDLE_ID)"
-        PROVISIONING_PROFILE_SPECIFIER: "$(OPENCLAW_ACTIVITY_WIDGET_PROFILE)"
         TARGETED_DEVICE_FAMILY: "1,2"
         SWIFT_VERSION: "6.0"
         SWIFT_STRICT_CONCURRENCY: complete
@@ -267,7 +251,7 @@ targets:
     settings:
       base:
         ASSETCATALOG_COMPILER_APPICON_NAME: AppIcon
-        CODE_SIGN_IDENTITY: "$(OPENCLAW_CODE_SIGN_IDENTITY)"
+        CODE_SIGN_IDENTITY: "Apple Development"
         CODE_SIGN_STYLE: "$(OPENCLAW_CODE_SIGN_STYLE)"
         DEVELOPMENT_TEAM: "$(OPENCLAW_DEVELOPMENT_TEAM)"
         ENABLE_APPINTENTS_METADATA: NO
@@ -301,7 +285,7 @@ targets:
       ProvisioningStyle: "$(OPENCLAW_CODE_SIGN_STYLE)"
     settings:
       base:
-        CODE_SIGN_IDENTITY: "$(OPENCLAW_CODE_SIGN_IDENTITY)"
+        CODE_SIGN_IDENTITY: "Apple Development"
         CODE_SIGN_STYLE: "$(OPENCLAW_CODE_SIGN_STYLE)"
         DEVELOPMENT_TEAM: "$(OPENCLAW_DEVELOPMENT_TEAM)"
         PRODUCT_BUNDLE_IDENTIFIER: "$(OPENCLAW_WATCH_EXTENSION_BUNDLE_ID)"
@@ -334,10 +318,10 @@ targets:
       - sdk: AppIntents.framework
     settings:
       base:
-        CODE_SIGN_IDENTITY: "$(OPENCLAW_CODE_SIGN_IDENTITY)"
+        CODE_SIGN_IDENTITY: "Apple Development"
         CODE_SIGN_STYLE: "$(OPENCLAW_CODE_SIGN_STYLE)"
         DEVELOPMENT_TEAM: "$(OPENCLAW_DEVELOPMENT_TEAM)"
-        PRODUCT_BUNDLE_IDENTIFIER: "$(OPENCLAW_APP_BUNDLE_ID).tests"
+        PRODUCT_BUNDLE_IDENTIFIER: ai.openclaw.ios.tests
         ENABLE_APP_INTENTS_METADATA_GENERATION: NO
         SWIFT_VERSION: "6.0"
         SWIFT_STRICT_CONCURRENCY: complete
@@ -362,10 +346,10 @@ targets:
       - package: OpenClawKit
     settings:
       base:
-        CODE_SIGN_IDENTITY: "$(OPENCLAW_CODE_SIGN_IDENTITY)"
+        CODE_SIGN_IDENTITY: "Apple Development"
         CODE_SIGN_STYLE: "$(OPENCLAW_CODE_SIGN_STYLE)"
         DEVELOPMENT_TEAM: "$(OPENCLAW_DEVELOPMENT_TEAM)"
-        PRODUCT_BUNDLE_IDENTIFIER: "$(OPENCLAW_APP_BUNDLE_ID).logic-tests"
+        PRODUCT_BUNDLE_IDENTIFIER: ai.openclaw.ios.logic-tests
         ENABLE_APP_INTENTS_METADATA_GENERATION: NO
         SWIFT_EMIT_CONST_VALUE_PROTOCOLS: ""
         SWIFT_VERSION: "6.0"
@@ -376,32 +360,3 @@ targets:
         CFBundleDisplayName: OpenClawLogicTests
         CFBundleShortVersionString: "$(OPENCLAW_MARKETING_VERSION)"
         CFBundleVersion: "$(OPENCLAW_BUILD_VERSION)"
-
-  OpenClawUITests:
-    type: bundle.ui-testing
-    platform: iOS
-    configFiles:
-      Debug: Signing.xcconfig
-      Release: Signing.xcconfig
-    sources:
-      - path: UITests
-    dependencies:
-      - target: OpenClaw
-    settings:
-      base:
-        CODE_SIGN_IDENTITY: "$(OPENCLAW_CODE_SIGN_IDENTITY)"
-        CODE_SIGN_STYLE: "$(OPENCLAW_CODE_SIGN_STYLE)"
-        DEVELOPMENT_TEAM: "$(OPENCLAW_DEVELOPMENT_TEAM)"
-        PRODUCT_BUNDLE_IDENTIFIER: "$(OPENCLAW_APP_BUNDLE_ID).ui-tests"
-        SDKROOT: iphoneos
-        SUPPORTED_PLATFORMS: "iphonesimulator iphoneos"
-        SUPPORTS_MACCATALYST: NO
-        SUPPORTS_MAC_DESIGNED_FOR_IPHONE_IPAD: NO
-        TEST_TARGET_NAME: OpenClaw
-        SWIFT_VERSION: "5.0"
-    info:
-      path: UITests/Info.plist
-      properties:
-        CFBundleDisplayName: OpenClawUITests
-        CFBundleShortVersionString: "$(OPENCLAW_MARKETING_VERSION)"
-        CFBundleVersion: "$(OPENCLAW_BUILD_VERSION)"

apps/shared/OpenClawKit/Sources/OpenClawKit/Resources/tool-display.json

@@ -306,15 +306,6 @@
             "fps",
             "screenIndex"
           ]
-        },
-        "screen_snapshot": {
-          "label": "screen snapshot",
-          "detailKeys": [
-            "node",
-            "nodeId",
-            "screenIndex",
-            "maxWidth"
-          ]
         }
       }
     },

apps/shared/OpenClawKit/Sources/OpenClawProtocol/GatewayModels.swift

@@ -6156,7 +6156,6 @@ public struct CronListParams: Codable, Sendable {
     public let sortby: AnyCodable?
     public let sortdir: AnyCodable?
     public let agentid: String?
-    public let compact: Bool?
 
     public init(
         includedisabled: Bool?,
@@ -6168,8 +6167,7 @@ public struct CronListParams: Codable, Sendable {
         lastrunstatus: AnyCodable?,
         sortby: AnyCodable?,
         sortdir: AnyCodable?,
-        agentid: String? = nil,
-        compact: Bool? = nil)
+        agentid: String? = nil)
     {
         self.includedisabled = includedisabled
         self.limit = limit
@@ -6181,7 +6179,6 @@ public struct CronListParams: Codable, Sendable {
         self.sortby = sortby
         self.sortdir = sortdir
         self.agentid = agentid
-        self.compact = compact
     }
 
     private enum CodingKeys: String, CodingKey {
@@ -6195,7 +6192,6 @@ public struct CronListParams: Codable, Sendable {
         case sortby = "sortBy"
         case sortdir = "sortDir"
         case agentid = "agentId"
-        case compact
     }
 }
 

docs/.generated/config-baseline.sha256

@@ -1,4 +1,4 @@
-64c09563ce090b8dda1e9794f021af3068db0ff4a59cf471e5ad094d2ae978b8  config-baseline.json
-bb9f42e7f1d6713af46d693dba5c43efd603c222d7d0adbd0f0d0e95cdec6790  config-baseline.core.json
-2d735389858305509528e74329b6f8c65d311e1471c3b4e91dc17aaab8e63a80  config-baseline.channel.json
-a973af69b02a27b097b54e49886dd57dbebbc95e2ab29b0c7e222a9f35a105d8  config-baseline.plugin.json
+0485ba902d2afd89d2c41cde7180d0cec2900b2db6804b9f97d42b7d85cd3af5  config-baseline.json
+72bb80be618406f3337eaa2560d2559a35e49bd29576de8dd4a3aec1a6a94d92  config-baseline.core.json
+1218f5555541b61bd5ddcac6441f15061b44789e2471d4ffecbe3059777c55c1  config-baseline.channel.json
+a14ac4261e98403d1a7e047070e6f151938444e27382b860315bd0c74fda4861  config-baseline.plugin.json

docs/.generated/plugin-sdk-api-baseline.sha256

@@ -1,2 +1,2 @@
-ea92ef67bc01141e1f3b64edd025471c9c3439da50de3cecb208e7eca797f947  plugin-sdk-api-baseline.json
-28ed6df6ba46abfd252cd760b7f88a93c598b4256e6ea8dfc2c9005c327300fb  plugin-sdk-api-baseline.jsonl
+b121079a0912b3051a9fc319a675ef920da9db23364ca0c0ccd3c9f0a05a3a49  plugin-sdk-api-baseline.json
+61a0108da670e0f44ba4b861c002eb6eaa5cf63e392d4e7e7de42044cbe7d115  plugin-sdk-api-baseline.jsonl

docs/automation/cron-jobs.md

@@ -157,9 +157,6 @@ If stdout is non-empty, that text is the delivered result. If stdout is empty an
 <ParamField path="--model" type="string">
   Model override; uses the selected allowed model for the job.
 </ParamField>
-<ParamField path="--clear-model" type="boolean">
-  On `cron edit`, removes the per-job model override so the job follows normal cron model-selection precedence (a stored cron-session override if set, otherwise the agent/default model). Cannot be combined with `--model`.
-</ParamField>
 <ParamField path="--thinking" type="string">
   Thinking level override.
 </ParamField>
@@ -465,9 +462,7 @@ openclaw cron edit <jobId> --clear-agent
 
 `openclaw cron run <jobId>` returns after enqueueing the manual run. Use `--wait` for shutdown hooks, maintenance scripts, or other automation that must block until the queued run finishes. Wait mode polls the exact returned `runId`; it exits `0` for status `ok` and non-zero for `error`, `skipped`, or a wait timeout.
 
-The agent `cron` tool returns compact job summaries (`id`, `name`, `enabled`, `nextRunAtMs`, `scheduleKind`, `lastRunStatus`) from `cron(action: "list")`; use `cron(action: "get", jobId: "...")` for one full job definition. Direct Gateway callers can pass `compact: true` to `cron.list`; omitting it preserves the existing full response with delivery previews.
-
-`openclaw cron create` is an alias for `openclaw cron add`, and new jobs can use a positional schedule (`"0 9 * * 1"`, `"every 1h"`, `"20m"`, or an ISO timestamp) followed by a positional agent prompt. Use `--webhook <url>` on `cron add|create` or `cron edit` to POST the finished run payload to an HTTP endpoint. Webhook delivery cannot be combined with chat delivery flags such as `--announce`, `--channel`, `--to`, `--thread-id`, or `--account`. On `cron edit`, `--clear-channel`, `--clear-to`, `--clear-thread-id`, and `--clear-account` unset those routing fields individually (each rejected alongside its matching set flag), which is distinct from `--no-deliver` disabling runner fallback delivery.
+`openclaw cron create` is an alias for `openclaw cron add`, and new jobs can use a positional schedule (`"0 9 * * 1"`, `"every 1h"`, `"20m"`, or an ISO timestamp) followed by a positional agent prompt. Use `--webhook <url>` on `cron add|create` or `cron edit` to POST the finished run payload to an HTTP endpoint. Webhook delivery cannot be combined with chat delivery flags such as `--announce`, `--channel`, `--to`, `--thread-id`, or `--account`.
 
 <Note>
 Model override note:
@@ -476,7 +471,6 @@ Model override note:
 - If the model is allowed, that exact provider/model reaches the isolated agent run.
 - If it is not allowed or cannot be resolved, cron fails the run with an explicit validation error.
 - API `cron.update` payload patches can set `model: null` to clear a stored job model override.
-- `openclaw cron edit <job-id> --clear-model` clears that override from the CLI (same effect as the `model: null` patch) and cannot be combined with `--model`.
 - Configured fallback chains still apply because cron `--model` is a job primary, not a session `/model` override.
 - Payload `fallbacks` replaces configured fallbacks for that job; `fallbacks: []` disables fallback and makes the run strict.
 - A plain `--model` with no explicit or configured fallback list does not fall through to the agent primary as a silent extra retry target.

docs/automation/tasks.md

@@ -360,7 +360,7 @@ A sweeper runs every **60 seconds** and handles four things:
 
   </Accordion>
   <Accordion title="Tasks and sessions">
-    A task may reference a `childSessionKey` (where work runs) and a `requesterSessionKey` (who started it). Its `agentId` identifies the agent executing the work, while the requester and owner fields preserve launch and control context. Sessions are conversation context; tasks are activity tracking on top of that.
+    A task may reference a `childSessionKey` (where work runs) and a `requesterSessionKey` (who started it). Sessions are conversation context; tasks are activity tracking on top of that.
   </Accordion>
   <Accordion title="Tasks and agent runs">
     A task's `runId` links to the agent run doing the work. Agent lifecycle events (start, end, error) automatically update the task status - you do not need to manage the lifecycle manually.

docs/channels/groups.md

@@ -50,8 +50,6 @@ Use `messages.groupChat.visibleReplies: "message_tool"` when a shared room shoul
 
 Use `"automatic"` for weaker models or runtimes that do not reliably understand tool-only delivery. In automatic mode, the agent's final assistant text is the visible source reply path, so a model that cannot consistently call `message(action=send)` can still answer normally.
 
-In automatic mode, normal text final replies are posted directly to the room. If the visible reply needs files, images, or other attachments, the agent may still use `message(action=send)` for that attachment instead of trying to force it through the final text reply.
-
 If the message tool is unavailable under the active tool policy, OpenClaw falls
 back to automatic visible replies instead of silently suppressing the response.
 `openclaw doctor` warns about this mismatch.

docs/channels/telegram.md

@@ -111,10 +111,6 @@ After a successful startup, OpenClaw caches the bot identity in the state direct
 
 ## Access control and activation
 
-### Group bot identity
-
-In Telegram groups and forum topics, an explicit mention of the configured bot handle (for example `@my_bot`) is treated as addressing the selected OpenClaw agent, even when the agent persona name differs from the Telegram username. The group silence policy still applies to unrelated group traffic, but the bot handle itself is not considered "someone else."
-
 <Tabs>
   <Tab title="DM policy">
     `channels.telegram.dmPolicy` controls direct message access:
@@ -278,23 +274,6 @@ curl "https://api.telegram.org/bot<bot_token>/getUpdates"
     },
   },
 }
-```
-
-    Group history context defaults to `mention-only`: prior group messages are
-    included only when they were addressed to the bot, are replies to the bot,
-    or are the bot's own messages. Set `includeGroupHistoryContext: "recent"` to
-    include recent room history for trusted groups. Set
-    `includeGroupHistoryContext: "none"` to send no prior Telegram group history
-    with the next turn.
-
-```json5
-{
-  channels: {
-    telegram: {
-      includeGroupHistoryContext: "recent",
-    },
-  },
-}
 ```
 
     Getting the group chat ID:
@@ -422,27 +401,13 @@ curl "https://api.telegram.org/bot<bot_token>/getUpdates"
   </Accordion>
 
   <Accordion title="Rich message formatting">
-    Outbound text uses standard Telegram HTML messages by default so replies remain readable across current Telegram clients.
+    Outbound text uses Telegram rich messages.
 
-    Set `channels.telegram.richMessages: true` to opt into Bot API 10.1 rich messages:
-
-```json5
-{
-  channels: {
-    telegram: {
-      richMessages: true,
-    },
-  },
-}
-```
-
-    - Markdown text is rendered through OpenClaw's Markdown IR and sent as Telegram rich HTML.
-    - Explicit rich HTML payloads preserve supported Bot API 10.1 tags such as headings, tables, details, rich media, and formulas.
+    - Markdown text is sent as rich Markdown without converting it to HTML.
+    - Explicit HTML payloads are sent as rich HTML.
     - Media captions still use Telegram HTML captions because rich messages do not replace captions.
 
-    This keeps model text away from Telegram Rich Markdown sigils, so currency like `$400-600K` is not parsed as math. Long rich text is split automatically across Telegram's rich text and rich block limits. Tables over Telegram's column limit are sent as code blocks.
-
-    Rich messages require compatible Telegram clients. Some current Desktop, Web, Android, and third-party clients display accepted rich messages as unsupported, so keep this option disabled unless every client used with the bot can render them.
+    Long rich text is split automatically across Telegram's rich text and rich block limits. Tables over Telegram's column limit are sent as code blocks.
 
     Link previews are enabled by default. `channels.telegram.linkPreview: false` skips automatic entity detection for rich text.
 
@@ -1099,7 +1064,7 @@ Primary reference: [Configuration reference - Telegram](/gateway/config-channels
 - command/menu: `commands.native`, `commands.nativeSkills`, `customCommands`
 - threading/replies: `replyToMode`
 - streaming: `streaming` (preview), `streaming.preview.toolProgress`, `blockStreaming`
-- formatting/delivery: `textChunkLimit`, `chunkMode`, `richMessages`, `linkPreview`, `responsePrefix`
+- formatting/delivery: `textChunkLimit`, `chunkMode`, `linkPreview`, `responsePrefix`
 - media/network: `mediaMaxMb`, `mediaGroupFlushMs`, `timeoutSeconds`, `pollingStallThresholdMs`, `retry`, `network.autoSelectFamily`, `network.dangerouslyAllowPrivateNetwork`, `proxy`
 - custom API root: `apiRoot` (Bot API root only; do not include `/bot<TOKEN>`)
 - webhook: `webhookUrl`, `webhookSecret`, `webhookPath`, `webhookHost`

docs/cli/cron.md

@@ -93,8 +93,6 @@ Isolated cron chat delivery is shared between the agent and the runner:
 
 Use `cron add|create --webhook <url>` or `cron edit <job-id> --webhook <url>` to set webhook delivery. Do not combine `--webhook` with chat delivery flags such as `--announce`, `--no-deliver`, `--channel`, `--to`, `--thread-id`, or `--account`.
 
-`cron edit <job-id>` can unset individual delivery routing fields with `--clear-channel`, `--clear-to`, `--clear-thread-id`, and `--clear-account` (each is rejected when combined with its matching set flag). Unlike `--no-deliver`, which only disables runner fallback delivery, these remove the stored field so the job resolves that part of its route from defaults again.
-
 `--announce` is runner fallback delivery for the final reply. `--no-deliver` disables that fallback but does not remove the agent's `message` tool when a chat route is available.
 
 Reminders created from an active chat preserve the live chat delivery target for fallback announce delivery. Internal session keys may be lowercase; do not use them as a source of truth for case-sensitive provider IDs such as Matrix room IDs.
@@ -170,7 +168,7 @@ Use `--due` when you want the manual command to run only if the job is currently
 
 ## Models
 
-`cron add|edit --model <ref>` selects an allowed model for the job. `cron edit <job-id> --clear-model` removes the per-job model override so the job follows normal cron model-selection precedence (a stored cron-session override if present, otherwise the agent/default model); it cannot be combined with `--model`.
+`cron add|edit --model <ref>` selects an allowed model for the job.
 
 <Warning>
 If the model is not allowed or cannot be resolved, cron fails the run with an explicit validation error instead of falling back to the job's agent or default model selection.

docs/cli/policy.md

@@ -18,8 +18,9 @@ report drift through `doctor --lint`. The final conformance signal is a clean
 instead of creating a separate health gate.
 
 Policy currently manages configured channels, MCP servers, model providers,
-network SSRF posture, ingress/channel access posture, Gateway exposure posture, agent workspace posture,
-data-handling posture, OpenClaw config secret provider/auth profile posture, and governed tool
+network SSRF posture, ingress/channel access posture, Gateway exposure posture,
+feed catalog source posture, agent workspace posture, data-handling posture,
+OpenClaw config secret provider/auth profile posture, and governed tool
 declarations. For example, IT or a workspace operator can record that Telegram
 is not an approved channel provider, restrict MCP servers and model refs to
 approved entries, require private-network fetch/browser access to remain
@@ -54,8 +55,7 @@ doctor can report the missing artifact.
 Policy is authored, not generated from the user's current settings. A minimal
 policy for channels, MCP servers, model providers, network posture, ingress/channel access, Gateway
 exposure, agent workspace posture, configured sandbox runtime posture, OpenClaw
-data-handling posture, config secret provider/auth profile posture, exec approval
-file posture, and tool metadata looks like this:
+data-handling posture, config secret provider/auth profile posture, and tool metadata looks like this:
 
 ```jsonc
 {
@@ -115,6 +115,17 @@ file posture, and tool metadata looks like this:
       "requireUrlAllowlists": true,
     },
   },
+  "feeds": {
+    "sources": {
+      "require": ["company-approved"],
+      "requirePinned": true,
+      "allowUnsigned": false,
+    },
+    "search": {
+      "requireDefault": true,
+      "requireSources": ["company-approved"],
+    },
+  },
   "agents": {
     "workspace": {
       "allowedAccess": ["none", "ro"],
@@ -146,15 +157,6 @@ file posture, and tool metadata looks like this:
       "allowModes": ["api_key", "token"],
     },
   },
-  "execApprovals": {
-    "requireFile": true,
-    "defaults": { "allowSecurity": ["deny"] },
-    "agents": {
-      "allowSecurity": ["deny", "allowlist"],
-      "allowAutoAllowSkills": false,
-      "allowlist": { "expected": ["deploy", "status"] },
-    },
-  },
   "tools": {
     "requireMetadata": ["risk", "sensitivity", "owner"],
     "profiles": {
@@ -182,8 +184,9 @@ when a concrete rule is present. OpenClaw reads current `channels.*` settings
 settings, direct-message session scope, channel DM policy, channel group policy,
 channel/group mention gates, Gateway bind/auth/Control UI/Tailscale/remote/HTTP
 posture, OpenClaw config agent sandbox workspace access and tool deny posture,
-data-handling config posture, config secret
-provider and SecretRef provenance, config auth profile metadata, configured
+configured Feeds plugin source declarations, OpenClaw config agent sandbox
+workspace access and tool deny posture, data-handling config posture, config
+secret provider and SecretRef provenance, config auth profile metadata, configured
 global/per-agent tool posture, and `TOOLS.md` declarations as evidence, then
 reports observed state that does not conform. If a policy denies non-loopback
 Gateway binds, omit `gateway.bind` only when you
@@ -197,11 +200,9 @@ and `group:runtime` covers shell/process tools. Tool posture policy observes
 `tools.profile`, `tools.allow`, `tools.alsoAllow`, `tools.deny`,
 `tools.fs.workspaceOnly`, `tools.exec.security`, `tools.exec.ask`,
 `tools.exec.host`, `tools.elevated.enabled`, and the same per-agent
-`agents.list[].tools.*` overrides. Exec approval policy reads the named
-`exec-approvals.json` product artifact only when an `execApprovals` rule is
-present; evidence records defaults, per-agent posture, and allowlist patterns
-without socket tokens or last-used command text. Policy does not enforce tool
-calls at runtime. Secret evidence records
+`agents.list[].tools.*` overrides. It does not read runtime/operator approval
+state such as exec-approvals.json, and it does not enforce tool calls at
+runtime. Secret evidence records
 provider/source posture and SecretRef metadata, never raw secret values. Policy
 does not read or attest per-agent credential stores such as `auth-profiles.json`;
 those stores remain owned by the existing auth and credential flows.
@@ -230,8 +231,8 @@ its own finding against the same observed config.
 
 Use `scopes.<scopeName>` when one set of agents or channels needs stricter
 policy than the top-level baseline. Agent-scoped sections use `agentIds`, which
-supports `tools.*`, `agents.workspace.*`, `sandbox.*`, `dataHandling.memory.*`,
-and `execApprovals.*`. Channel-scoped
+supports `tools.*`, `agents.workspace.*`, `sandbox.*`, and
+`dataHandling.memory.*`. Channel-scoped
 ingress uses `channelIds`, which supports `ingress.channels.*`. Unsupported
 sections are rejected instead of being ignored. If an `agentIds` entry is not
 present in `agents.list[]`, OpenClaw evaluates the scoped rule against inherited
@@ -316,10 +317,10 @@ groups where those fields cannot be observed.
 Top-level `ingress.session.requireDmScope` remains global because
 `session.dmScope` is not channel-attributable evidence.
 
-| Selector     | Supported sections                                                                 | Use when                                          |
-| ------------ | ---------------------------------------------------------------------------------- | ------------------------------------------------- |
-| `agentIds`   | `tools`, `agents.workspace`, `sandbox`, `dataHandling.memory`, and `execApprovals` | One or more runtime agents need stricter rules.   |
-| `channelIds` | `ingress.channels`                                                                 | One or more channels need stricter ingress rules. |
+| Selector     | Supported sections                                                | Use when                                          |
+| ------------ | ----------------------------------------------------------------- | ------------------------------------------------- |
+| `agentIds`   | `tools`, `agents.workspace`, `sandbox`, and `dataHandling.memory` | One or more runtime agents need stricter rules.   |
+| `channelIds` | `ingress.channels`                                                | One or more channels need stricter ingress rules. |
 
 Every scope present in `policy.jsonc` must be valid and enforceable.
 
@@ -372,6 +373,20 @@ Every scope present in `policy.jsonc` must be valid and enforceable.
 | `gateway.http.denyEndpoints`            | Gateway HTTP API endpoints                     | Deny endpoint ids such as `chatCompletions` or `responses`.  |
 | `gateway.http.requireUrlAllowlists`     | Gateway HTTP URL-fetch inputs                  | Set to `true` to require URL allowlists on URL-fetch inputs. |
 
+#### Feed catalog sources
+
+| Policy field                  | Observed state                                   | Use when                                                            |
+| ----------------------------- | ------------------------------------------------ | ------------------------------------------------------------------- |
+| `feeds.sources.require`       | `plugins.entries.feeds.config.sources[].id`      | Require specific feed source ids to be configured and enabled.      |
+| `feeds.sources.requirePinned` | Feed source `trust` and `integrity` declarations | Set to `true` to require enabled feed sources to be pinned.         |
+| `feeds.sources.allowUnsigned` | Feed source `trust` declarations                 | Set to `false` to reject enabled sources using unsigned trust.      |
+| `feeds.search.requireDefault` | `plugins.entries.feeds.config.search.default`    | Set to `true` to require native skills/plugins search to use feeds. |
+| `feeds.search.requireSources` | `plugins.entries.feeds.config.search.sources[]`  | Require default native feed search to use selected source ids.      |
+
+Feed policy observes only configured source declarations and native search
+configuration. It does not fetch
+feed documents, install entries, or enforce install decisions at runtime.
+
 #### Agent workspace
 
 | Policy field                     | Observed state                                                                        | Use when                                                                                                            |
@@ -413,69 +428,6 @@ allowlist such as `["all"]`.
 | `secrets.denySources`             | Secret provider sources and SecretRef sources            | Deny sources such as `exec`, `file`, or another configured source name. |
 | `secrets.allowInsecureProviders`  | Insecure secret-provider posture flags                   | Set to `false` to reject providers that opt into insecure posture.      |
 
-#### Exec approvals
-
-Exec approvals policy observes the active runtime `exec-approvals.json`
-artifact. By default this is `~/.openclaw/exec-approvals.json`; when
-`OPENCLAW_STATE_DIR` is set, Policy reads
-`$OPENCLAW_STATE_DIR/exec-approvals.json`. Actual posture rules such as
-`execApprovals.defaults.*` or `execApprovals.agents.*` require readable artifact
-evidence; a missing or invalid artifact is reported as unobservable evidence
-instead of becoming a best-effort pass against synthetic runtime defaults. Once
-the artifact is readable, omitted approval fields inherit runtime defaults: missing
-`defaults.security` is `full`, and missing agent security inherits that
-default. Evidence includes `defaults`, `agents.*`, and
-`agents.*.allowlist[].pattern` plus optional `argPattern`, effective
-`autoAllowSkills` posture, and entry source. It does not include socket
-path/token, `commandText`, `lastUsedCommand`, resolved paths, or timestamps.
-
-| Policy field                                | Observed state                                                                         | Use when                                                                                |
-| ------------------------------------------- | -------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- |
-| `execApprovals.requireFile`                 | Active runtime `exec-approvals.json` path                                              | Set to `true` to require the approvals artifact to exist and parse.                     |
-| `execApprovals.defaults.allowSecurity`      | `defaults.security`, defaulting to `full`                                              | Allow only approved default approval security modes.                                    |
-| `execApprovals.agents.allowSecurity`        | `agents.*.security`, inheriting defaults                                               | Allow only approved per-agent effective approval security modes.                        |
-| `execApprovals.agents.allowAutoAllowSkills` | `defaults.autoAllowSkills` and `agents.*.autoAllowSkills`, inheriting runtime defaults | Set to `false` to require strict manual allowlists without implicit skill CLI approval. |
-| `execApprovals.agents.allowlist.expected`   | Aggregate `agents.*.allowlist[]` pattern and optional argPattern entries               | Require the approvals allowlist to match the reviewed pattern set.                      |
-
-For example, require the approvals artifact, deny permissive defaults, and
-allow only reviewed exec approval posture for selected agents:
-
-```jsonc
-{
-  "execApprovals": {
-    "requireFile": true,
-    "defaults": {
-      // Security modes: "deny", "allowlist", or "full".
-      // This default permits only the locked-down deny posture.
-      "allowSecurity": ["deny"],
-    },
-  },
-  "scopes": {
-    "restricted-shell": {
-      "agentIds": ["family-agent", "groups-agent"],
-      "execApprovals": {
-        "agents": {
-          // Selected agents may use reviewed allowlist posture, but not "full".
-          "allowSecurity": ["allowlist"],
-          // false means skill CLIs must appear in the reviewed allowlist instead of
-          // being implicitly approved by autoAllowSkills.
-          "allowAutoAllowSkills": false,
-          "allowlist": {
-            "expected": [
-              // Simple entry: exact reviewed executable pattern with no argPattern.
-              "travel-hub",
-              // Constrained entry: pattern plus reviewed argument regex.
-              { "pattern": "calendar-cli", "argPattern": "^sync\\b" },
-              "/bin/date",
-            ],
-          },
-        },
-      },
-    },
-  },
-}
-```
-
 #### Auth profiles
 
 | Policy field                    | Observed state                               | Use when                                                                                   |
@@ -666,6 +618,16 @@ Example JSON output:
         "value": false
       }
     ],
+    "feeds": [
+      {
+        "id": "company-approved",
+        "source": "oc://openclaw.config/plugins/entries/feeds/config/sources/#0",
+        "enabled": true,
+        "url": "https://feeds.example.com#0123456789ab",
+        "trust": "pinned",
+        "integrityPresent": true
+      }
+    ],
     "gatewayExposure": [
       {
         "id": "gateway-bind",
@@ -815,6 +777,11 @@ Policy currently verifies:
 | `policy/gateway-remote-enabled`                          | Gateway remote mode is active when policy denies it.                              |
 | `policy/gateway-http-endpoint-enabled`                   | A Gateway HTTP API endpoint is enabled while denied by policy.                    |
 | `policy/gateway-http-url-fetch-unrestricted`             | Gateway HTTP URL-fetch input lacks a required URL allowlist.                      |
+| `policy/feeds-required-source-missing`                   | A required feed source id is not configured and enabled.                          |
+| `policy/feeds-source-unpinned`                           | An enabled feed source is not pinned when policy requires pinned feeds.           |
+| `policy/feeds-source-unsigned`                           | An enabled feed source uses unsigned trust when policy denies unsigned feeds.     |
+| `policy/feeds-search-default-missing`                    | Native skills/plugins search is not configured to use feeds by default.           |
+| `policy/feeds-search-source-missing`                     | Native feed search does not require a policy-required source id.                  |
 | `policy/agents-workspace-access-denied`                  | Agent sandbox mode or workspace access is outside the policy allowlist.           |
 | `policy/agents-tool-not-denied`                          | An agent or default config does not deny a tool required by policy.               |
 | `policy/tools-profile-unapproved`                        | A configured global or per-agent tool profile is outside the allowlist.           |
@@ -844,13 +811,6 @@ Policy currently verifies:
 | `policy/secrets-insecure-provider`                       | A secret provider opts into insecure posture when policy denies it.               |
 | `policy/auth-profile-invalid-metadata`                   | A config auth profile is missing valid provider or mode metadata.                 |
 | `policy/auth-profile-unapproved-mode`                    | A config auth profile mode is outside the policy allowlist.                       |
-| `policy/exec-approvals-missing`                          | Policy requires `exec-approvals.json`, but the artifact is missing.               |
-| `policy/exec-approvals-invalid`                          | The configured exec approvals artifact cannot be parsed.                          |
-| `policy/exec-approvals-default-security-unapproved`      | Exec approval defaults use a security mode outside the policy allowlist.          |
-| `policy/exec-approvals-agent-security-unapproved`        | A per-agent effective exec approval security mode is outside the allowlist.       |
-| `policy/exec-approvals-auto-allow-skills-enabled`        | An exec approval agent implicitly auto-allows skill CLIs when policy denies it.   |
-| `policy/exec-approvals-allowlist-missing`                | The approvals allowlist is missing a pattern required by policy.                  |
-| `policy/exec-approvals-allowlist-unexpected`             | The approvals allowlist includes a pattern not expected by policy.                |
 | `policy/tools-missing-risk-level`                        | A governed tool declaration is missing risk metadata.                             |
 | `policy/tools-unknown-risk-level`                        | A governed tool declaration uses an unknown risk value.                           |
 | `policy/tools-missing-sensitivity-token`                 | A governed tool declaration is missing sensitivity metadata.                      |

docs/cli/security.md

@@ -44,7 +44,7 @@ For webhook ingress, startup logs a non-fatal security warning and audit flags `
 If Gateway password auth is supplied only at startup, pass the same value to `openclaw security audit --auth password --password <password>` so the audit can check it against `hooks.token`.
 Run `openclaw doctor --fix` to rotate a persisted reused `hooks.token`, then update external hook senders to use the new hook token.
 
-It also warns when sandbox Docker settings are configured while sandbox mode is off, when `gateway.nodes.denyCommands` uses ineffective pattern-like/unknown entries (exact node command-name matching only, not shell-text filtering), when `gateway.nodes.allowCommands` explicitly enables dangerous node commands, when global `tools.profile="minimal"` is overridden by agent tool profiles, when write/edit tools are disabled but `exec` is still available without a constraining sandbox filesystem boundary, when open DMs or groups expose runtime/filesystem tools without sandbox/workspace guards, and when installed plugin tools may be reachable under permissive tool policy.
+It also warns when sandbox Docker settings are configured while sandbox mode is off, when `gateway.nodes.denyCommands` uses ineffective pattern-like/unknown entries (exact node command-name matching only, not shell-text filtering), when `gateway.nodes.allowCommands` explicitly enables dangerous node commands, when global `tools.profile="minimal"` is overridden by agent tool profiles, when write/edit tools are disabled but `exec` is still available without a constraining sandbox filesystem boundary, when open groups expose runtime/filesystem tools without sandbox/workspace guards, and when installed plugin tools may be reachable under permissive tool policy.
 It also flags `gateway.allowRealIpFallback=true` (header-spoofing risk if proxies are misconfigured) and `discovery.mdns.mode="full"` (metadata leakage via mDNS TXT records).
 It also warns when sandbox browser uses Docker `bridge` network without `sandbox.browser.cdpSourceRange`.
 It also flags dangerous sandbox Docker network modes (including `host` and `container:*` namespace joins).

docs/concepts/agent-loop.md

@@ -166,7 +166,7 @@ surfaces, while Codex native hooks remain a separate lower-level Codex mechanism
 - `agent.wait` default: 30s (just the wait). `timeoutMs` param overrides.
 - Agent runtime: `agents.defaults.timeoutSeconds` default 172800s (48 hours); enforced in `runEmbeddedAgent` abort timer.
 - Cron runtime: isolated agent-turn `timeoutSeconds` is owned by cron. The scheduler starts that timer when execution begins, aborts the underlying run at the configured deadline, then runs bounded cleanup before recording the timeout so a stale child session cannot keep the lane stuck.
-- Session liveness diagnostics: with diagnostics enabled, `diagnostics.stuckSessionWarnMs` classifies long `processing` sessions that have no observed reply, tool, status, block, or ACP progress. Active embedded runs, model calls, and tool calls report as `session.long_running`; owned silent model calls also stay `session.long_running` until `diagnostics.stuckSessionAbortMs` so slow or non-streaming providers are not reported as stalled too early. Active work with no recent progress reports as `session.stalled`; owned model calls switch to `session.stalled` at or after the abort threshold, and ownerless stale model/tool activity is not hidden as long-running. `session.stuck` is reserved for recoverable stale session bookkeeping, including idle queued sessions with stale ownerless model/tool activity. Stale session bookkeeping releases the affected session lane immediately after recovery gates pass; stalled embedded runs are abort-drained only after `diagnostics.stuckSessionAbortMs` (default: at least 5 minutes and 3x the warning threshold) so queued work can resume without cutting off merely slow runs. Recovery emits structured requested/completed outcomes, and diagnostic state is marked idle only if the same processing generation is still current. Repeated `session.stuck` diagnostics back off while the session remains unchanged.
+- Session liveness diagnostics: with diagnostics enabled, `diagnostics.stuckSessionWarnMs` classifies long `processing` sessions that have no observed reply, tool, status, block, or ACP progress. Active embedded runs, model calls, and tool calls report as `session.long_running`; active work with no recent progress reports as `session.stalled`; `session.stuck` is reserved for recoverable stale session bookkeeping, including idle queued sessions with stale ownerless model/tool activity. Stale session bookkeeping releases the affected session lane immediately after recovery gates pass; stalled embedded runs are abort-drained only after `diagnostics.stuckSessionAbortMs` (default: at least 5 minutes and 3x the warning threshold) so queued work can resume without cutting off merely slow runs. Recovery emits structured requested/completed outcomes, and diagnostic state is marked idle only if the same processing generation is still current. Repeated `session.stuck` diagnostics back off while the session remains unchanged.
 - Model idle timeout: OpenClaw aborts a model request when no response chunks arrive before the idle window. `models.providers.<id>.timeoutSeconds` extends this idle watchdog for slow local/self-hosted providers, but it is still bounded by any lower `agents.defaults.timeoutSeconds` or run-specific timeout because those control the whole agent run. Otherwise OpenClaw uses `agents.defaults.timeoutSeconds` when configured, capped at 120s by default. Cron-triggered runs with no explicit model or agent timeout disable the idle watchdog and rely on the cron outer timeout.
 - Provider HTTP request timeout: `models.providers.<id>.timeoutSeconds` applies to that provider's model HTTP fetches, including connect, headers, body, SDK request timeout, total guarded-fetch abort handling, and model stream idle watchdog. Use this for slow local/self-hosted providers such as Ollama before raising the whole agent runtime timeout, and keep the agent/runtime timeout at least as high when the model request needs to run longer.
 

docs/concepts/qa-e2e-automation.md

@@ -56,9 +56,8 @@ the resolved scenarios through `qa suite`. `--surface` and
 `--category` filter the selected profile instead of defining separate lanes.
 The resulting `qa-evidence.json` includes a profile scorecard summary with
 selected-category counts and missing coverage IDs; the individual evidence
-entries remain the source of truth for the tests, coverage roles, and results.
-Slim evidence omits per-entry `execution` and sets `evidenceMode: "slim"`;
-`smoke-ci` defaults to slim, and `--evidence-mode full` restores full entries:
+entries remain the source of truth for the tests, coverage roles, artifacts,
+and results:
 
 ```bash
 pnpm openclaw qa run \

docs/concepts/queue.md

@@ -126,7 +126,7 @@ keys.
 - If commands seem stuck, enable verbose logs and look for "queued for ...ms" lines to confirm the queue is draining.
 - If you need queue depth, enable verbose logs and watch for queue timing lines.
 - Codex app-server runs that accept a turn and then stop emitting progress are interrupted by the Codex adapter so the active session lane can release instead of waiting for the outer run timeout.
-- When diagnostics are enabled, sessions that remain in `processing` past `diagnostics.stuckSessionWarnMs` with no observed reply, tool, status, block, or ACP progress are classified by current activity. Active work logs as `session.long_running`; owned silent model calls also stay `session.long_running` until `diagnostics.stuckSessionAbortMs` so slow or non-streaming providers are not reported as stalled too early. Active work with no recent progress logs as `session.stalled`; owned model calls switch to `session.stalled` at or after the abort threshold, and ownerless stale model/tool activity is not hidden as long-running. `session.stuck` is reserved for recoverable stale session bookkeeping, including idle queued sessions with stale ownerless model/tool activity, and only that path can release the affected session lane so queued work drains. Repeated `session.stuck` diagnostics back off while the session remains unchanged.
+- When diagnostics are enabled, sessions that remain in `processing` past `diagnostics.stuckSessionWarnMs` with no observed reply, tool, status, block, or ACP progress are classified by current activity. Active work logs as `session.long_running`; active work with no recent progress logs as `session.stalled`; `session.stuck` is reserved for recoverable stale session bookkeeping, including idle queued sessions with stale ownerless model/tool activity, and only that path can release the affected session lane so queued work drains. Repeated `session.stuck` diagnostics back off while the session remains unchanged.
 
 ## Related
 

docs/concepts/timezone.md

@@ -36,7 +36,7 @@ If `userTimezone` is unset, OpenClaw resolves the host timezone at runtime (no c
 
 - **Use UTC envelopes** (`envelopeTimezone: "utc"`) when you want stable timestamps across hosts in different regions, or when you want UTC-aligned logs to match diagnostics output.
 - **Use a fixed IANA zone** (e.g. `"Europe/Vienna"`) when the gateway host is in one zone but the user is in another and you want envelopes to read in the user's zone regardless of host migration.
-- **Set `envelopeTimestamp: "off"`** when timestamp context is not useful for the conversation. This removes absolute timestamps from envelopes, direct agent prompt prefixes, and embedded model-input prefixes.
+- **Set `envelopeTimestamp: "off"`** for low-token envelopes when timestamp context is not useful for the conversation.
 
 For the full behavior reference, examples per provider, and elapsed-time formatting, see [Date & Time](/date-time).
 

docs/date-time.md

@@ -37,7 +37,7 @@ You can override this behavior:
 - `envelopeTimezone: "local"` uses the host timezone.
 - `envelopeTimezone: "user"` uses `agents.defaults.userTimezone` (falls back to host timezone).
 - Use an explicit IANA timezone (e.g., `"America/Chicago"`) for a fixed zone.
-- `envelopeTimestamp: "off"` removes absolute timestamps from envelope headers, direct agent prompt prefixes, and embedded model-input prefixes.
+- `envelopeTimestamp: "off"` removes absolute timestamps from envelope headers.
 - `envelopeElapsed: "off"` removes elapsed time suffixes (the `+2m` style).
 
 ### Examples

docs/docs.json

@@ -1385,8 +1385,7 @@
                 "pages": [
                   "clawhub/api",
                   "clawhub/http-api",
-                  "clawhub/acceptable-usage",
-                  "clawhub/content-rights"
+                  "clawhub/acceptable-usage"
                 ]
               }
             ]

docs/gateway/cli-backends.md

@@ -35,12 +35,9 @@ You can use Claude Code CLI **without any config** (the bundled Anthropic plugin
 registers a default backend):
 
 ```bash
-openclaw agent --agent main --message "hi" --model claude-cli/claude-sonnet-4-6
+openclaw agent --message "hi" --model claude-cli/claude-sonnet-4-6
 ```
 
-`main` is the default agent id when no explicit agent list is configured. If
-you use multiple agents, replace it with the agent id you want to run.
-
 If your gateway runs under launchd/systemd and PATH is minimal, add just the
 command path:
 

docs/gateway/openai-http-api.md

@@ -99,7 +99,7 @@ Optional request headers:
 
 - `x-openclaw-model: <provider/model-or-bare-id>` overrides the backend model for the selected agent. Shared-secret bearer callers can use this header. Identity-bearing callers, such as trusted-proxy or private no-auth ingress requests with `x-openclaw-scopes`, need `operator.admin`; write-only callers get `403 missing scope: operator.admin`.
 - `x-openclaw-agent-id: <agentId>` remains supported as a compatibility override.
-- `x-openclaw-session-key: <sessionKey>` explicitly controls session routing. The value must not use reserved internal session namespaces such as `subagent:`, `cron:`, or `acp:`; those requests are rejected with `400 invalid_request_error`.
+- `x-openclaw-session-key: <sessionKey>` fully controls session routing.
 - `x-openclaw-message-channel: <channel>` sets the synthetic ingress channel context for channel-aware prompts and policies.
 
 Compatibility aliases still accepted:
@@ -145,7 +145,7 @@ By default the endpoint is **stateless per request** (a new session key is gener
 
 If the request includes an OpenAI `user` string, the Gateway derives a stable session key from it, so repeated calls can share an agent session.
 
-For custom apps, the safest default is to reuse the same `user` value per conversation thread. Avoid account-level identifiers unless you explicitly want multiple conversations or devices to share one OpenClaw session. Use `x-openclaw-session-key` only when you need explicit routing control across multiple clients or threads, and choose application-owned keys that do not start with reserved internal namespaces such as `subagent:`, `cron:`, or `acp:`.
+For custom apps, the safest default is to reuse the same `user` value per conversation thread. Avoid account-level identifiers unless you explicitly want multiple conversations or devices to share one OpenClaw session. Use `x-openclaw-session-key` when you need explicit routing control across multiple clients or threads.
 
 ## Why this surface matters
 

docs/gateway/opentelemetry.md

@@ -249,18 +249,12 @@ still be detected.
 OpenClaw classifies sessions by the work it can still observe:
 
 - `session.long_running`: active embedded work, model calls, or tool calls are
-  still making progress. Owned model calls that stay silent past
-  `diagnostics.stuckSessionWarnMs` also report as long-running before
-  `diagnostics.stuckSessionAbortMs` so slow or non-streaming model providers do
-  not look like stalled gateway sessions while they remain abort-observable.
+  still making progress.
 - `session.stalled`: active work exists, but the active run has not reported
-  recent progress. Owned model calls switch from `session.long_running` to
-  `session.stalled` at or after `diagnostics.stuckSessionAbortMs`; ownerless
-  stale model/tool activity is not treated as harmless long-running work.
-  Stalled embedded runs stay observe-only at first, then abort-drain after
-  `diagnostics.stuckSessionAbortMs` with no progress so queued turns behind the
-  lane can resume. When unset, the abort threshold defaults to the safer
-  extended window of at least 5 minutes and 3x
+  recent progress. Stalled embedded runs stay observe-only at first, then
+  abort-drain after `diagnostics.stuckSessionAbortMs` with no progress so queued
+  turns behind the lane can resume. When unset, the abort threshold defaults to
+  the safer extended window of at least 5 minutes and 3x
   `diagnostics.stuckSessionWarnMs`.
 - `session.stuck`: stale session bookkeeping with no active work, or an idle
   queued session with stale ownerless model/tool activity. This releases the

docs/gateway/protocol.md

@@ -542,9 +542,7 @@ runtime state.
 `TaskSummary` includes `id`, `status`, and optional metadata such as `kind`,
 `runtime`, `title`, `agentId`, `sessionKey`, `childSessionKey`, `ownerKey`,
 `runId`, `taskId`, `flowId`, `parentTaskId`, `sourceId`, timestamps, progress,
-terminal summary, and sanitized error text. `agentId` identifies the agent
-executing the task; `sessionKey` and `ownerKey` preserve requester and control
-context.
+terminal summary, and sanitized error text.
 
 ### Operator helper methods
 

docs/gateway/security/audit-checks.md

@@ -110,8 +110,8 @@ exhaustive):
 | `skills.code_safety`                                          | warn/critical | Skill installer metadata/code contains suspicious or dangerous patterns              | skill install source                                                                                 | no       |
 | `skills.code_safety.scan_failed`                              | warn          | Skill code scan could not complete                                                   | skill scan environment                                                                               | no       |
 | `security.exposure.open_channels_with_exec`                   | warn/critical | Shared/public rooms can reach exec-enabled agents                                    | `channels.*.dmPolicy`, `channels.*.groupPolicy`, `tools.exec.*`, `agents.list[].tools.exec.*`        | no       |
-| `security.exposure.open_groups_with_elevated`                 | critical      | Open DMs/groups + elevated tools create high-impact prompt-injection paths           | top-level or nested DM policy paths, account overrides, `channels.*.groupPolicy`                     | no       |
-| `security.exposure.open_groups_with_runtime_or_fs`            | critical/warn | Open DMs/groups can reach command/file tools without sandbox/workspace guards        | DM/group policy paths, `tools.profile/deny`, `tools.fs.workspaceOnly`, `agents.*.sandbox.mode`       | no       |
+| `security.exposure.open_groups_with_elevated`                 | critical      | Open groups + elevated tools create high-impact prompt-injection paths               | `channels.*.groupPolicy`, `tools.elevated.*`                                                         | no       |
+| `security.exposure.open_groups_with_runtime_or_fs`            | critical/warn | Open groups can reach command/file tools without sandbox/workspace guards            | `channels.*.groupPolicy`, `tools.profile/deny`, `tools.fs.workspaceOnly`, `agents.*.sandbox.mode`    | no       |
 | `security.trust_model.multi_user_heuristic`                   | warn          | Config looks multi-user while gateway trust model is personal-assistant              | split trust boundaries, or shared-user hardening (`sandbox.mode`, tool deny/workspace scoping`)      | no       |
 | `tools.profile_minimal_overridden`                            | warn          | Agent overrides bypass global minimal profile                                        | `agents.list[].tools.profile`                                                                        | no       |
 | `plugins.tools_reachable_permissive_policy`                   | warn          | Extension tools reachable in permissive contexts                                     | `tools.profile` + tool allow/deny                                                                    | no       |

docs/help/testing.md

@@ -189,8 +189,6 @@ inside every shard.
     mixed flow, Vitest, and Playwright scenario selections.
   - When dispatched by `pnpm openclaw qa run --qa-profile <profile>`, embeds the
     selected taxonomy profile scorecard in the same `qa-evidence.json`.
-    `smoke-ci` writes slim evidence, which sets `evidenceMode: "slim"` and omits
-    per-entry `execution`.
   - Runs multiple selected scenarios in parallel by default with isolated
     gateway workers. `qa-channel` defaults to concurrency 4 (bounded by the
     selected scenario count). Use `--concurrency <count>` to tune the worker

docs/nodes/index.md

@@ -431,7 +431,7 @@ Notes:
 - Unrecognized node `platform` / `deviceFamily` metadata uses a conservative default allowlist that excludes `system.run` and `system.which`. If you intentionally need those commands for an unknown platform, add them explicitly via `gateway.nodes.allowCommands`.
 - `system.run` supports `--cwd`, `--env KEY=VAL`, `--command-timeout`, and `--needs-screen-recording`.
 - For shell wrappers (`bash|sh|zsh ... -c/-lc`), request-scoped `--env` values are reduced to an explicit allowlist (`TERM`, `LANG`, `LC_*`, `COLORTERM`, `NO_COLOR`, `FORCE_COLOR`).
-- For allow-always decisions in allowlist mode, known dispatch wrappers (`env`, `flock`, `nice`, `nohup`, `stdbuf`, `timeout`) persist inner executable paths instead of wrapper paths. If unwrapping is not safe, no allowlist entry is persisted automatically.
+- For allow-always decisions in allowlist mode, known dispatch wrappers (`env`, `nice`, `nohup`, `stdbuf`, `timeout`) persist inner executable paths instead of wrapper paths. If unwrapping is not safe, no allowlist entry is persisted automatically.
 - On Windows node hosts in allowlist mode, shell-wrapper runs via `cmd.exe /c` require approval (allowlist entry alone does not auto-allow the wrapper form).
 - `system.notify` supports `--priority <passive|active|timeSensitive>` and `--delivery <system|overlay|auto>`.
 - Node hosts ignore `PATH` overrides and strip dangerous startup/shell keys (`DYLD_*`, `LD_*`, `BASHOPTS`, `FPATH`, `KSH_ENV`, `NODE_OPTIONS`, `NODE_REDIRECT_WARNINGS`, `NODE_REPL_EXTERNAL_MODULE`, `NODE_REPL_HISTORY`, `NODE_V8_COVERAGE`, `PYTHON*`, `PERL*`, `RUBYOPT`, `SHELLOPTS`, `PS4`, `TCLLIBPATH`). If you need extra PATH entries, configure the node host service environment (or install tools in standard locations) instead of passing `PATH` via `--env`.

docs/platforms/macos.md

@@ -109,7 +109,7 @@ Notes:
 - Choosing "Always Allow" in the prompt adds that command to the allowlist.
 - `system.run` environment overrides are filtered (drops `PATH`, `DYLD_*`, `LD_*`, `BASHOPTS`, `FPATH`, `KSH_ENV`, `NODE_OPTIONS`, `NODE_REDIRECT_WARNINGS`, `NODE_REPL_EXTERNAL_MODULE`, `NODE_REPL_HISTORY`, `NODE_V8_COVERAGE`, `PYTHON*`, `PERL*`, `RUBYOPT`, `SHELLOPTS`, `PS4`, `TCLLIBPATH`) and then merged with the app's environment.
 - For shell wrappers (`bash|sh|zsh ... -c/-lc`), request-scoped environment overrides are reduced to a small explicit allowlist (`TERM`, `LANG`, `LC_*`, `COLORTERM`, `NO_COLOR`, `FORCE_COLOR`).
-- For allow-always decisions in allowlist mode, known dispatch wrappers (`env`, `flock`, `nice`, `nohup`, `stdbuf`, `timeout`) persist inner executable paths instead of wrapper paths. If unwrapping is not safe, no allowlist entry is persisted automatically.
+- For allow-always decisions in allowlist mode, known dispatch wrappers (`env`, `nice`, `nohup`, `stdbuf`, `timeout`) persist inner executable paths instead of wrapper paths. If unwrapping is not safe, no allowlist entry is persisted automatically.
 
 ## Deep links
 

docs/platforms/windows.md

@@ -186,7 +186,6 @@ into Windows.
 Inside WSL:
 
 ```bash
-sudo apt-get install -y dbus-x11
 sudo loginctl enable-linger "$(whoami)"
 openclaw gateway install
 ```
@@ -194,7 +193,7 @@ openclaw gateway install
 In PowerShell as Administrator:
 
 ```powershell
-schtasks /create /tn "WSL Boot" /tr "wsl.exe -d Ubuntu --exec dbus-launch true" /sc onstart /ru "$env:USERNAME"
+schtasks /create /tn "WSL Boot" /tr "wsl.exe -d Ubuntu --exec /bin/true" /sc onstart /ru SYSTEM
 ```
 
 Replace `Ubuntu` with your distro name from:
@@ -203,11 +202,6 @@ Replace `Ubuntu` with your distro name from:
 wsl --list --verbose
 ```
 
-> **Note:** Two changes from older recipes:
->
-> - **`dbus-launch true` instead of `/bin/true`** — On WSL ≥ 2.6.1.0 a regression ([microsoft/WSL #13416](https://github.com/microsoft/WSL/issues/13416)) causes the distro to idle-terminate 15–20 seconds after the last client exits, even with linger enabled. `dbus-launch true` keeps a child-of-init process alive as a workaround ([community discussion, microsoft/WSL #9245](https://github.com/microsoft/WSL/discussions/9245)).
-> - **`/ru "$env:USERNAME"` instead of `/ru SYSTEM`** — Per-user WSL distros (the default setup) are not visible to the SYSTEM account; the task appears to run but the distro is never started. Running as your own account avoids this. Windows will prompt for your password when the task is created.
-
 After reboot, verify from WSL:
 
 ```bash

docs/plugins/codex-harness-reference.md

@@ -103,45 +103,8 @@ Supported `appServer` fields:
 | `approvalsReviewer`                           | `"user"` or an allowed guardian reviewer               | Use `"auto_review"` to let Codex review native approval prompts when allowed.                                                                                                                                                                                                                                                                                    |
 | `defaultWorkspaceDir`                         | current process directory                              | Workspace used by `/codex bind` when `--cwd` is omitted.                                                                                                                                                                                                                                                                                                         |
 | `serviceTier`                                 | unset                                                  | Optional Codex app-server service tier. `"priority"` enables fast-mode routing, `"flex"` requests flex processing, and `null` clears the override. Legacy `"fast"` is accepted as `"priority"`.                                                                                                                                                                  |
-| `networkProxy`                                | disabled                                               | Opt into Codex permissions-profile networking for app-server commands. OpenClaw defines the selected `permissions.<profile>.network` config and selects that profile on thread start or resume instead of sending `sandbox`.                                                                                                                                     |
 | `experimental.sandboxExecServer`              | `false`                                                | Preview opt-in that registers an OpenClaw sandbox-backed Codex environment with Codex app-server 0.132.0 or newer so native Codex execution can run inside the active OpenClaw sandbox.                                                                                                                                                                          |
 
-`appServer.networkProxy` is explicit because it changes the Codex sandbox
-contract. When enabled, OpenClaw also sets `features.network_proxy.enabled` in
-the Codex thread config so the generated permission profile can start Codex
-managed networking. The default generated profile is `openclaw-network`; use
-`profileName` to choose another local name.
-
-```js
-export default {
-  plugins: {
-    entries: {
-      codex: {
-        config: {
-          appServer: {
-            sandbox: "workspace-write",
-            networkProxy: {
-              enabled: true,
-              domains: {
-                "api.openai.com": "allow",
-                "blocked.example.com": "deny",
-              },
-              allowUpstreamProxy: true,
-              proxyUrl: "http://127.0.0.1:3128",
-            },
-          },
-        },
-      },
-    },
-  },
-};
-```
-
-If the normal app-server runtime would be `danger-full-access`, enabling
-`networkProxy` uses workspace-style filesystem access for the generated
-permission profile. Codex managed network enforcement is sandboxed networking,
-so a full-access profile would not protect outbound traffic.
-
 The plugin blocks older or unversioned app-server handshakes. Codex app-server
 must report stable version `0.125.0` or newer.
 

docs/plugins/codex-harness.md

@@ -505,22 +505,9 @@ Codex dynamic tools default to `searchable` loading. OpenClaw does not expose
 dynamic tools that duplicate Codex-native workspace operations: `read`, `write`,
 `edit`, `apply_patch`, `exec`, `process`, and `update_plan`. Most remaining
 OpenClaw integration tools such as messaging, media, cron, browser, nodes,
-gateway, and `heartbeat_respond` are available through Codex tool search under
-the `openclaw` namespace, keeping the initial model context smaller. Web search
-uses Codex's hosted `web_search` tool by default when search is enabled and no
-managed provider is selected. Native hosted search and OpenClaw's managed
-`web_search` dynamic tool are mutually exclusive so managed search cannot bypass
-native domain restrictions. OpenClaw uses the managed tool when hosted search is
-unavailable, explicitly disabled, or replaced by a selected managed provider.
-OpenClaw keeps Codex's standalone `web.run` extension disabled because
-production app-server traffic rejects its user-defined `web` namespace.
-`tools.web.search.enabled: false` disables both paths, as do tool-disabled
-LLM-only runs. Codex treats `"cached"` as a preference and resolves it to live
-external access for unrestricted app-server turns. Automatic managed fallback
-fails closed when native `allowedDomains` are set so the allowlist cannot be
-bypassed. Persistent effective search-policy changes rotate the bound Codex
-thread before the next turn. Transient per-turn restrictions use a temporary
-restricted thread and preserve the existing binding for later resume.
+gateway, `heartbeat_respond`, and `web_search` are available through Codex tool
+search under the `openclaw` namespace, keeping the initial model context
+smaller.
 `sessions_yield` and message-tool-only source replies stay direct because
 those are turn-control contracts. `sessions_spawn` stays searchable so Codex's
 native `spawn_agent` remains the primary Codex subagent surface, while explicit
@@ -561,45 +548,8 @@ Supported `appServer` fields:
 | `sandbox`                                     | `"danger-full-access"` or an allowed guardian sandbox  | Native Codex sandbox mode sent to thread start/resume. Guardian defaults prefer `"workspace-write"` when allowed, otherwise `"read-only"`. When an OpenClaw sandbox is active, `danger-full-access` turns use Codex `workspace-write` with network access derived from the OpenClaw sandbox egress setting.                                                      |
 | `approvalsReviewer`                           | `"user"` or an allowed guardian reviewer               | Use `"auto_review"` to let Codex review native approval prompts when allowed, otherwise `guardian_subagent` or `user`. `guardian_subagent` remains a legacy alias.                                                                                                                                                                                               |
 | `serviceTier`                                 | unset                                                  | Optional Codex app-server service tier. `"priority"` enables fast-mode routing, `"flex"` requests flex processing, `null` clears the override, and legacy `"fast"` is accepted as `"priority"`.                                                                                                                                                                  |
-| `networkProxy`                                | disabled                                               | Opt into Codex permissions-profile networking for app-server commands. OpenClaw defines the selected `permissions.<profile>.network` config and selects that profile on thread start or resume instead of sending `sandbox`.                                                                                                                                     |
 | `experimental.sandboxExecServer`              | `false`                                                | Preview opt-in that registers an OpenClaw sandbox-backed Codex environment with Codex app-server 0.132.0 or newer so native Codex execution can run inside the active OpenClaw sandbox.                                                                                                                                                                          |
 
-`appServer.networkProxy` is explicit because it changes the Codex sandbox
-contract. When enabled, OpenClaw also sets `features.network_proxy.enabled` in
-the Codex thread config so the generated permission profile can start Codex
-managed networking. The default generated profile is `openclaw-network`; use
-`profileName` to choose another local name.
-
-```js
-export default {
-  plugins: {
-    entries: {
-      codex: {
-        config: {
-          appServer: {
-            sandbox: "workspace-write",
-            networkProxy: {
-              enabled: true,
-              domains: {
-                "api.openai.com": "allow",
-                "blocked.example.com": "deny",
-              },
-              allowUpstreamProxy: true,
-              proxyUrl: "http://127.0.0.1:3128",
-            },
-          },
-        },
-      },
-    },
-  },
-};
-```
-
-If the normal app-server runtime would be `danger-full-access`, enabling
-`networkProxy` uses workspace-style filesystem access for the generated
-permission profile. Codex managed network enforcement is sandboxed networking,
-so a full-access profile would not protect outbound traffic.
-
 OpenClaw-owned dynamic tool calls are bounded independently from
 `appServer.requestTimeoutMs`: Codex `item/tool/call` requests use a 90 second
 OpenClaw watchdog by default. A positive per-call `timeoutMs` argument extends

docs/plugins/compatibility.md

@@ -132,9 +132,6 @@ Current compatibility records include:
   `reply(...)`, and `mediaPath` while callback consumers migrate to the nested
   `WebInboundCallbackMessage` `event`, `payload`, `quote`, `group`, and
   `platform` contexts
-- WhatsApp `WebInboundMessage` top-level admission fields such as `from`,
-  `conversationId`, `accountId`, `accessControlPassed`, and `chatType` while
-  callback consumers migrate to the `admission` envelope
 - legacy memory-plugin split registration while memory plugins move to
   `registerMemoryCapability`
 - legacy memory-specific embedding provider registration while embedding
@@ -194,23 +191,6 @@ name its exact nested replacement. Common examples:
 Plugins should inspect the `label`, `source`, and `type` before treating its
 `payload` as authoritative.
 
-### WhatsApp Inbound Admission Fields
-
-Accepted WhatsApp callback messages now carry `admission`, a public-safe
-envelope for the access-control decision that admitted the message. New callback
-code should read admission facts from `msg.admission` instead of the older
-top-level admission fields.
-
-The top-level fields remain available until **2026-08-30**. The TypeScript
-`@deprecated` annotations name each replacement:
-
-- `from` and `conversationId` move to `admission.conversation.id`.
-- `accountId` moves to `admission.accountId`.
-- `accessControlPassed` is a derived compatibility view of
-  `admission.ingress.decision === "allow"`; on messages that already carry
-  `admission`, writing the legacy boolean does not rewrite the ingress graph.
-- `chatType` moves to `admission.conversation.kind`.
-
 ## Release notes
 
 Release notes should include upcoming plugin deprecations with target dates and

docs/plugins/manifest.md

@@ -1278,7 +1278,6 @@ Important examples:
 | `openclaw.compat.pluginApi`                                                                | Minimum OpenClaw plugin API range required by this package, using a semver floor like `>=2026.5.27`.                                                                                 |
 | `openclaw.install.expectedIntegrity`                                                       | Expected npm dist integrity string such as `sha512-...`; install and update flows verify the fetched artifact against it.                                                            |
 | `openclaw.install.allowInvalidConfigRecovery`                                              | Allows a narrow bundled-plugin reinstall recovery path when config is invalid.                                                                                                       |
-| `openclaw.install.requiredPlatformPackages`                                                | npm package aliases that must materialize when their lockfile platform constraints match the current host.                                                                           |
 | `openclaw.startup.deferConfiguredChannelFullLoadUntilAfterListen`                          | Lets setup-runtime channel surfaces load before listen, then defers the full configured channel plugin until post-listen activation.                                                 |
 
 Manifest metadata decides which provider/channel/setup choices appear in
@@ -1291,13 +1290,6 @@ registry loading for non-bundled plugin sources. Invalid values are rejected;
 newer-but-valid values skip external plugins on older hosts. Bundled source
 plugins are assumed to be co-versioned with the host checkout.
 
-`openclaw.install.requiredPlatformPackages` is for npm packages that expose
-required native binaries through optional, platform-specific aliases. List the
-bare npm package name for every supported platform alias. During npm install,
-OpenClaw verifies only the declared alias whose lockfile constraints match the
-current host. If npm reports success but omits that alias, OpenClaw retries once
-with a fresh cache and rolls back the install if the alias is still missing.
-
 `openclaw.compat.pluginApi` is enforced during package install for non-bundled
 plugin sources. Use it for the OpenClaw plugin SDK/runtime API floor that the
 package was built against. It can be stricter than `minHostVersion` when a

docs/plugins/plugin-inventory.md

@@ -51,7 +51,7 @@ Each entry lists the package, distribution route, and description.
 
 ## Core npm package
 
-90 plugins
+91 plugins
 
 - **[admin-http-rpc](/plugins/reference/admin-http-rpc)** (`@openclaw/admin-http-rpc`) - included in OpenClaw. OpenClaw admin HTTP RPC endpoint.
 
@@ -101,6 +101,8 @@ Each entry lists the package, distribution route, and description.
 
 - **[fal](/plugins/reference/fal)** (`@openclaw/fal-provider`) - included in OpenClaw. Adds fal model provider support to OpenClaw.
 
+- **[feeds](/plugins/reference/feeds)** (`@openclaw/feeds`) - included in OpenClaw. Adds configured catalog feed source validation for skills and plugins.
+
 - **[file-transfer](/plugins/reference/file-transfer)** (`@openclaw/file-transfer`) - included in OpenClaw. Fetch, list, and write files on paired nodes via dedicated node commands. Bypasses bash stdout truncation by using base64 over node.invoke for binaries up to 16 MB.
 
 - **[firecrawl](/plugins/reference/firecrawl)** (`@openclaw/firecrawl-plugin`) - included in OpenClaw. Adds agent-callable tools. Adds web fetch provider support. Adds web search provider support.

docs/plugins/reference.md

@@ -15,5 +15,5 @@ This page is generated from `extensions/*/package.json` and
 pnpm plugins:inventory:gen
 ```
 
-Use [Plugin inventory](/plugins/plugin-inventory) to browse all 127
+Use [Plugin inventory](/plugins/plugin-inventory) to browse all 128
 generated plugin reference pages by distribution, package, and description.

docs/plugins/reference/feeds.md

@@ -0,0 +1,149 @@
+---
+summary: "Adds configured catalog feed source validation for skills and plugins."
+read_when:
+  - You are installing, configuring, or auditing the feeds plugin
+title: "Feeds plugin"
+---
+
+# Feeds plugin
+
+Adds configured catalog feed source validation, search, install handoff,
+lifecycle tooling, and optional native `skills search` / `plugins search` feed
+integration.
+
+## Distribution
+
+- Package: `@openclaw/feeds`
+- Install route: included in OpenClaw
+
+## Surface
+
+plugin
+
+## Configure feed sources
+
+Feed sources live under the bundled `feeds` plugin config. A source can point at
+an `https://` or `file://` feed document and can optionally be pinned by
+integrity.
+
+```jsonc
+{
+  "plugins": {
+    "entries": {
+      "feeds": {
+        "enabled": true,
+        "config": {
+          "sources": [
+            {
+              "id": "company-approved",
+              "url": "https://feeds.example.com/openclaw/feed.json",
+              "trust": "pinned",
+              "integrity": "sha256:..."
+            }
+          ]
+        }
+      }
+    }
+  }
+}
+```
+
+## Discover entries
+
+```bash
+openclaw feeds sources
+openclaw feeds list --source company-approved
+openclaw feeds search calendar --type plugin
+```
+
+## Install from a feed
+
+`openclaw feeds install` resolves exactly one feed entry, checks the configured
+feed install policy, and then hands off to the existing OpenClaw skill or plugin
+install command. The feeds plugin does not introduce a second installer.
+
+```bash
+openclaw feeds install calendar-helper --source company-approved --type plugin --dry-run
+openclaw feeds install calendar-helper --source company-approved --type plugin
+openclaw feeds install calendar-helper --source company-approved --type plugin --force
+```
+
+Use `--dry-run` to print the underlying install command without running it. Use
+`--force` to forward force behavior to the existing installer.
+
+## Install policy
+
+`installPolicy` controls approval checks for explicit feed-backed installs.
+
+```jsonc
+{
+  "plugins": {
+    "entries": {
+      "feeds": {
+        "enabled": true,
+        "config": {
+          "installPolicy": {
+            "mode": "enforce",
+            "requireApproval": true
+          },
+          "sources": [
+            {
+              "id": "company-approved",
+              "url": "file:///opt/openclaw/feeds/company.json"
+            }
+          ]
+        }
+      }
+    }
+  }
+}
+```
+
+- `mode: "off"` performs no approval check.
+- `mode: "warn"` reports unapproved entries and continues.
+- `mode: "enforce"` blocks unapproved entries.
+- `requireApproval: true` requires `approval.status: "approved"` on feed entries.
+
+If `requireApproval` is `true` and `mode` is omitted, OpenClaw treats the policy
+as enforce. If `mode` is `enforce` and `requireApproval` is omitted, approval is
+required.
+
+## Native search
+
+`openclaw skills search` and `openclaw plugins search` continue to use ClawHub by
+default. Operators can opt into configured feeds explicitly:
+
+```bash
+openclaw skills search calendar --catalog-feeds
+openclaw plugins search calendar --feed-source company-approved
+```
+
+To make native search use feeds by default, configure the bundled Feeds plugin:
+
+```jsonc
+{
+  "plugins": {
+    "entries": {
+      "feeds": {
+        "enabled": true,
+        "config": {
+          "search": {
+            "default": true,
+            "sources": ["company-approved"]
+          },
+          "sources": [
+            {
+              "id": "company-approved",
+              "url": "https://feeds.example.com/openclaw/feed.json",
+              "trust": "pinned",
+              "integrity": "sha256:..."
+            }
+          ]
+        }
+      }
+    }
+  }
+}
+```
+
+Omit `search.sources` to search all enabled configured feed sources.