perf(ci): trigger install smoke only for install surfaces

* ACP: revert acpx-plugin package naming

* Test: format acp install hints expectations

.agents/skills/security-triage/SKILL.md

@@ -0,0 +1,108 @@
+---
+name: security-triage
+description: Triage GitHub security advisories for OpenClaw with high-confidence close/keep decisions, exact tag and commit verification, trust-model checks, optional hardening notes, and a final reply ready to post and copy to clipboard.
+---
+
+# Security Triage
+
+Use when reviewing OpenClaw security advisories, drafts, or GHSA reports.
+
+Goal: high-confidence maintainers' triage without over-closing real issues or shipping unnecessary regressions.
+
+## Close Bar
+
+Close only if one of these is true:
+
+- duplicate of an existing advisory or fixed issue
+- invalid against shipped behavior
+- out of scope under `SECURITY.md`
+- fixed before any affected release/tag
+
+Do not close only because `main` is fixed. If latest shipped tag or npm release is affected, keep it open until released or published with the right status.
+
+## Required Reads
+
+Before answering:
+
+1. Read `SECURITY.md`.
+2. Read the GHSA body with `gh api /repos/openclaw/openclaw/security-advisories/<GHSA>`.
+3. Inspect the exact implicated code paths.
+4. Verify shipped state:
+   - `git tag --sort=-creatordate | head`
+   - `npm view openclaw version --userconfig "$(mktemp)"`
+   - `git tag --contains <fix-commit>`
+   - if needed: `git show <tag>:path/to/file`
+5. Search for canonical overlap:
+   - existing published GHSAs
+   - older fixed bugs
+   - same trust-model class already covered in `SECURITY.md`
+
+## Review Method
+
+For each advisory, decide:
+
+- `close`
+- `keep open`
+- `keep open but narrow`
+
+Check in this order:
+
+1. Trust model
+   - Is the prerequisite already inside trusted host/local/plugin/operator state?
+   - Does `SECURITY.md` explicitly call this class out as out of scope or hardening-only?
+2. Shipped behavior
+   - Is the bug present in the latest shipped tag or npm release?
+   - Was it fixed before release?
+3. Exploit path
+   - Does the report show a real boundary bypass, not just prompt injection, local same-user control, or helper-level semantics?
+4. Functional tradeoff
+   - If a hardening change would reduce intended user functionality, call that out before proposing it.
+   - Prefer fixes that preserve user workflows over deny-by-default regressions unless the boundary demands it.
+
+## Response Format
+
+When preparing a maintainer-ready close reply:
+
+1. Print the GHSA URL first.
+2. Then draft a detailed response the maintainer can post.
+3. Include:
+   - exact reason for close
+   - exact code refs
+   - exact shipped tag / release facts
+   - exact fix commit or canonical duplicate GHSA when applicable
+   - optional hardening note only if worthwhile and functionality-preserving
+
+Keep tone firm, specific, non-defensive.
+
+## Clipboard Step
+
+After drafting the final post body, copy it:
+
+```bash
+pbcopy <<'EOF'
+<final response>
+EOF
+```
+
+Tell the user that the clipboard now contains the proposed response.
+
+## Useful Commands
+
+```bash
+gh api /repos/openclaw/openclaw/security-advisories/<GHSA>
+gh api /repos/openclaw/openclaw/security-advisories --paginate
+git tag --sort=-creatordate | head -n 20
+npm view openclaw version --userconfig "$(mktemp)"
+git tag --contains <commit>
+git show <tag>:<path>
+gh search issues --repo openclaw/openclaw --match title,body,comments -- "<terms>"
+gh search prs --repo openclaw/openclaw --match title,body,comments -- "<terms>"
+```
+
+## Decision Notes
+
+- “fixed on main, unreleased” is usually not a close.
+- “needs attacker-controlled trusted local state first” is usually out of scope.
+- “same-host same-user process can already read/write local state” is usually out of scope.
+- “helper function behaves differently than documented config semantics” is usually invalid.
+- If only the severity is wrong but the bug is real, keep it open and narrow the impact in the reply.

.github/actions/ensure-base-commit/action.yml

@@ -30,7 +30,9 @@ runs:
 
         for deepen_by in 25 100 300; do
           echo "Base commit missing; deepening $FETCH_REF by $deepen_by."
-          git fetch --no-tags --deepen="$deepen_by" origin "$FETCH_REF" || true
+          if ! git fetch --no-tags --deepen="$deepen_by" origin "$FETCH_REF"; then
+            echo "::warning title=ensure-base-commit fetch failed::Failed to deepen $FETCH_REF by $deepen_by while looking for $BASE_SHA"
+          fi
           if git rev-parse --verify "$BASE_SHA^{commit}" >/dev/null 2>&1; then
             echo "Resolved base commit after deepening: $BASE_SHA"
             exit 0
@@ -38,7 +40,9 @@ runs:
         done
 
         echo "Base commit still missing; fetching full history for $FETCH_REF."
-        git fetch --no-tags origin "$FETCH_REF" || true
+        if ! git fetch --no-tags origin "$FETCH_REF"; then
+          echo "::warning title=ensure-base-commit fetch failed::Failed to fetch full history for $FETCH_REF while looking for $BASE_SHA"
+        fi
         if git rev-parse --verify "$BASE_SHA^{commit}" >/dev/null 2>&1; then
           echo "Resolved base commit after full ref fetch: $BASE_SHA"
           exit 0

.github/actions/setup-node-env/action.yml

@@ -63,7 +63,7 @@ runs:
 
     - name: Setup Bun
       if: inputs.install-bun == 'true'
-      uses: oven-sh/setup-bun@v2.1.3
+      uses: oven-sh/setup-bun@v2.2.0
       with:
         bun-version: "1.3.9"
 

.github/workflows/auto-response.yml

@@ -398,11 +398,13 @@ jobs:
             const invalidLabel = "invalid";
             const spamLabel = "r: spam";
             const dirtyLabel = "dirty";
+            const badBarnacleLabel = "bad-barnacle";
             const noisyPrMessage =
               "Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.";
 
             if (pullRequest) {
-              if (labelSet.has(dirtyLabel)) {
+              // `bad-barnacle` exempts PRs that Barnacle incorrectly marked dirty.
+              if (labelSet.has(dirtyLabel) && !labelSet.has(badBarnacleLabel)) {
                 await github.rest.issues.createComment({
                   owner: context.repo.owner,
                   repo: context.repo.repo,

.github/workflows/ci.yml

@@ -4,6 +4,7 @@ on:
   push:
     branches: [main]
   pull_request:
+    types: [opened, reopened, synchronize, ready_for_review, converted_to_draft]
 
 concurrency:
   group: ci-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -16,6 +17,7 @@ jobs:
   # Detect docs-only changes to skip heavy jobs (test, build, Windows, macOS, Android).
   # Lint and format always run. Fail-safe: if detection fails, run everything.
   docs-scope:
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     runs-on: blacksmith-16vcpu-ubuntu-2404
     outputs:
       docs_only: ${{ steps.check.outputs.docs_only }}
@@ -183,8 +185,8 @@ jobs:
         run: pnpm release:check
 
   checks:
-    needs: [docs-scope, changed-scope]
-    if: needs.docs-scope.outputs.docs_only != 'true' && needs.changed-scope.outputs.run_node == 'true'
+    needs: [docs-scope, changed-scope, build-artifacts]
+    if: always() && needs.docs-scope.outputs.docs_only != 'true' && needs.changed-scope.outputs.run_node == 'true' && (github.event_name != 'push' || needs.build-artifacts.result == 'success')
     runs-on: blacksmith-16vcpu-ubuntu-2404
     strategy:
       fail-fast: false
@@ -221,7 +223,9 @@ jobs:
             cache_key_suffix: "node22"
             command: |
               pnpm build
-              pnpm test
+              node openclaw.mjs --help
+              node openclaw.mjs status --json --timeout 1
+              pnpm test:build:singleton
               node scripts/stage-bundled-plugin-runtime-deps.mjs
               node --import tsx scripts/release-check.ts
     steps:
@@ -259,6 +263,17 @@ jobs:
             echo "OPENCLAW_TEST_SHARD_INDEX=$SHARD_INDEX" >> "$GITHUB_ENV"
           fi
 
+      - name: Download dist artifact
+        if: github.event_name == 'push' && matrix.task == 'test'
+        uses: actions/download-artifact@v8
+        with:
+          name: dist-build
+          path: dist/
+
+      - name: Build dist
+        if: github.event_name != 'push' && matrix.task == 'test' && matrix.runtime == 'node'
+        run: pnpm build
+
       - name: Run ${{ matrix.task }} (${{ matrix.runtime }})
         if: github.event_name != 'pull_request' || (matrix.runtime != 'bun' && matrix.task != 'compat-node22')
         run: ${{ matrix.command }}
@@ -364,6 +379,11 @@ jobs:
         continue-on-error: true
         run: pnpm config:docs:check
 
+      - name: Check plugin SDK API baseline drift
+        id: plugin_sdk_api_drift
+        continue-on-error: true
+        run: pnpm plugin-sdk:api:check
+
       - name: Upload gateway watch regression artifacts
         if: always()
         uses: actions/upload-artifact@v7
@@ -382,6 +402,7 @@ jobs:
           NO_RAW_WINDOW_OPEN_OUTCOME: ${{ steps.no_raw_window_open.outcome }}
           GATEWAY_WATCH_REGRESSION_OUTCOME: ${{ steps.gateway_watch_regression.outcome }}
           CONFIG_DOCS_DRIFT_OUTCOME: ${{ steps.config_docs_drift.outcome }}
+          PLUGIN_SDK_API_DRIFT_OUTCOME: ${{ steps.plugin_sdk_api_drift.outcome }}
         run: |
           failures=0
           for result in \
@@ -391,7 +412,8 @@ jobs:
             "extension-plugin-sdk-internal-boundary|$EXTENSION_PLUGIN_SDK_INTERNAL_BOUNDARY_OUTCOME" \
             "lint:ui:no-raw-window-open|$NO_RAW_WINDOW_OPEN_OUTCOME" \
             "gateway-watch-regression|$GATEWAY_WATCH_REGRESSION_OUTCOME" \
-            "config-docs-drift|$CONFIG_DOCS_DRIFT_OUTCOME"; do
+            "config-docs-drift|$CONFIG_DOCS_DRIFT_OUTCOME" \
+            "plugin-sdk-api-drift|$PLUGIN_SDK_API_DRIFT_OUTCOME"; do
             name="${result%%|*}"
             outcome="${result#*|}"
             if [ "$outcome" != "success" ]; then
@@ -404,8 +426,8 @@ jobs:
 
   build-smoke:
     name: "build-smoke"
-    needs: [docs-scope, changed-scope]
-    if: needs.docs-scope.outputs.docs_only != 'true' && needs.changed-scope.outputs.run_node == 'true'
+    needs: [docs-scope, changed-scope, build-artifacts]
+    if: always() && needs.docs-scope.outputs.docs_only != 'true' && needs.changed-scope.outputs.run_node == 'true' && (github.event_name != 'push' || needs.build-artifacts.result == 'success')
     runs-on: blacksmith-16vcpu-ubuntu-2404
     steps:
       - name: Checkout
@@ -419,7 +441,15 @@ jobs:
           install-bun: "false"
           use-sticky-disk: "false"
 
+      - name: Download dist artifact
+        if: github.event_name == 'push'
+        uses: actions/download-artifact@v8
+        with:
+          name: dist-build
+          path: dist/
+
       - name: Build dist
+        if: github.event_name != 'push'
         run: pnpm build
 
       - name: Smoke test CLI launcher help
@@ -481,6 +511,7 @@ jobs:
         run: python -m pytest -q skills
 
   secrets:
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     runs-on: blacksmith-16vcpu-ubuntu-2404
     steps:
       - name: Checkout
@@ -557,8 +588,8 @@ jobs:
         run: pre-commit run --all-files pnpm-audit-prod
 
   checks-windows:
-    needs: [docs-scope, changed-scope]
-    if: needs.docs-scope.outputs.docs_only != 'true' && needs.changed-scope.outputs.run_windows == 'true'
+    needs: [docs-scope, changed-scope, build-artifacts]
+    if: always() && needs.docs-scope.outputs.docs_only != 'true' && needs.changed-scope.outputs.run_windows == 'true' && (github.event_name != 'push' || needs.build-artifacts.result == 'success')
     runs-on: blacksmith-32vcpu-windows-2025
     timeout-minutes: 45
     env:
@@ -678,6 +709,17 @@ jobs:
         if: matrix.task == 'test'
         run: pnpm canvas:a2ui:bundle
 
+      - name: Download dist artifact
+        if: github.event_name == 'push' && matrix.task == 'test'
+        uses: actions/download-artifact@v8
+        with:
+          name: dist-build
+          path: dist/
+
+      - name: Build dist (Windows)
+        if: github.event_name != 'push' && matrix.task == 'test'
+        run: pnpm build
+
       - name: Run ${{ matrix.task }} (${{ matrix.runtime }})
         run: ${{ matrix.command }}
 
@@ -700,6 +742,9 @@ jobs:
         with:
           install-bun: "false"
 
+      - name: Build dist (macOS)
+        run: pnpm build
+
       # --- Run all checks sequentially (fast gates first) ---
       - name: TS tests (macOS)
         env:

.github/workflows/docker-release.yml

@@ -15,7 +15,7 @@ on:
   workflow_dispatch:
     inputs:
       tag:
-        description: Existing release tag to backfill (for example v2026.3.13)
+        description: Existing release tag to backfill (for example v2026.3.22)
         required: true
         type: string
 
@@ -159,6 +159,8 @@ jobs:
         with:
           context: .
           platforms: linux/amd64
+          cache-from: type=gha,scope=docker-release-amd64
+          cache-to: type=gha,mode=max,scope=docker-release-amd64
           tags: ${{ steps.tags.outputs.value }}
           labels: ${{ steps.labels.outputs.value }}
           provenance: false
@@ -171,6 +173,8 @@ jobs:
         with:
           context: .
           platforms: linux/amd64
+          cache-from: type=gha,scope=docker-release-amd64
+          cache-to: type=gha,mode=max,scope=docker-release-amd64
           build-args: |
             OPENCLAW_VARIANT=slim
           tags: ${{ steps.tags.outputs.slim }}
@@ -272,6 +276,8 @@ jobs:
         with:
           context: .
           platforms: linux/arm64
+          cache-from: type=gha,scope=docker-release-arm64
+          cache-to: type=gha,mode=max,scope=docker-release-arm64
           tags: ${{ steps.tags.outputs.value }}
           labels: ${{ steps.labels.outputs.value }}
           provenance: false
@@ -284,6 +290,8 @@ jobs:
         with:
           context: .
           platforms: linux/arm64
+          cache-from: type=gha,scope=docker-release-arm64
+          cache-to: type=gha,mode=max,scope=docker-release-arm64
           build-args: |
             OPENCLAW_VARIANT=slim
           tags: ${{ steps.tags.outputs.slim }}

.github/workflows/install-smoke.yml

@@ -3,7 +3,32 @@ name: Install Smoke
 on:
   push:
     branches: [main]
+    paths:
+      - "Dockerfile"
+      - ".npmrc"
+      - "package.json"
+      - "pnpm-lock.yaml"
+      - "pnpm-workspace.yaml"
+      - "scripts/install.sh"
+      - "scripts/test-install-sh-docker.sh"
+      - "scripts/docker/**"
+      - "extensions/*/package.json"
+      - ".github/workflows/install-smoke.yml"
+      - ".github/actions/setup-node-env/action.yml"
   pull_request:
+    types: [opened, reopened, synchronize, ready_for_review, converted_to_draft]
+    paths:
+      - "Dockerfile"
+      - ".npmrc"
+      - "package.json"
+      - "pnpm-lock.yaml"
+      - "pnpm-workspace.yaml"
+      - "scripts/install.sh"
+      - "scripts/test-install-sh-docker.sh"
+      - "scripts/docker/**"
+      - "extensions/*/package.json"
+      - ".github/workflows/install-smoke.yml"
+      - ".github/actions/setup-node-env/action.yml"
   workflow_dispatch:
 
 concurrency:
@@ -14,31 +39,12 @@ env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
 
 jobs:
-  docs-scope:
-    runs-on: blacksmith-16vcpu-ubuntu-2404
-    outputs:
-      docs_only: ${{ steps.check.outputs.docs_only }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 1
-          fetch-tags: false
-
-      - name: Ensure docs-scope base commit
-        uses: ./.github/actions/ensure-base-commit
-        with:
-          base-sha: ${{ github.event_name == 'push' && github.event.before || github.event.pull_request.base.sha }}
-          fetch-ref: ${{ github.event_name == 'push' && github.ref_name || github.event.pull_request.base.ref }}
-
-      - name: Detect docs-only changes
-        id: check
-        uses: ./.github/actions/detect-docs-changes
-
   install-smoke:
-    needs: [docs-scope]
-    if: needs.docs-scope.outputs.docs_only != 'true'
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     runs-on: blacksmith-16vcpu-ubuntu-2404
+    env:
+      DOCKER_BUILD_SUMMARY: "false"
+      DOCKER_BUILD_RECORD_UPLOAD: "false"
     steps:
       - name: Checkout CLI
         uses: actions/checkout@v6
@@ -53,6 +59,8 @@ jobs:
         with:
           context: .
           file: ./Dockerfile
+          build-args: |
+            OPENCLAW_DOCKER_APT_UPGRADE=0
           tags: openclaw-dockerfile-smoke:local
           load: true
           push: false
@@ -71,6 +79,7 @@ jobs:
           context: .
           file: ./Dockerfile
           build-args: |
+            OPENCLAW_DOCKER_APT_UPGRADE=0
             OPENCLAW_EXTENSIONS=matrix
           tags: openclaw-ext-smoke:local
           load: true

.github/workflows/openclaw-npm-release.yml

@@ -7,7 +7,7 @@ on:
   workflow_dispatch:
     inputs:
       tag:
-        description: Release tag to publish (for example v2026.3.14, v2026.3.14-beta.1, or fallback v2026.3.14-1)
+        description: Release tag to publish (for example v2026.3.22, v2026.3.22-beta.1, or fallback v2026.3.22-1)
         required: true
         type: string
 

.github/workflows/sandbox-common-smoke.yml

@@ -8,6 +8,7 @@ on:
       - Dockerfile.sandbox-common
       - scripts/sandbox-common-setup.sh
   pull_request:
+    types: [opened, reopened, synchronize, ready_for_review, converted_to_draft]
     paths:
       - Dockerfile.sandbox
       - Dockerfile.sandbox-common
@@ -22,6 +23,7 @@ env:
 
 jobs:
   sandbox-common-smoke:
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     runs-on: blacksmith-16vcpu-ubuntu-2404
     steps:
       - name: Checkout

.github/workflows/stale.yml

@@ -42,7 +42,7 @@ jobs:
           stale-issue-label: stale
           stale-pr-label: stale
           exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale
-          exempt-pr-labels: maintainer,no-stale
+          exempt-pr-labels: maintainer,no-stale,bad-barnacle
           operations-per-run: 2000
           ascending: true
           exempt-all-assignees: true
@@ -98,7 +98,7 @@ jobs:
           stale-issue-label: stale
           stale-pr-label: stale
           exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale
-          exempt-pr-labels: maintainer,no-stale
+          exempt-pr-labels: maintainer,no-stale,bad-barnacle
           operations-per-run: 2000
           ascending: true
           exempt-all-assignees: true

.github/workflows/workflow-sanity.yml

@@ -72,7 +72,7 @@ jobs:
       - name: Disallow direct inputs interpolation in composite run blocks
         run: python3 scripts/check-composite-action-input-interpolation.py
 
-  config-docs-drift:
+  generated-doc-baselines:
     if: github.event_name == 'workflow_dispatch'
     runs-on: blacksmith-16vcpu-ubuntu-2404
     steps:
@@ -87,3 +87,6 @@ jobs:
 
       - name: Check config docs drift statefile
         run: pnpm config:docs:check
+
+      - name: Check plugin SDK API baseline drift
+        run: pnpm plugin-sdk:api:check

AGENTS.md

@@ -10,6 +10,7 @@
 - Tests: colocated `*.test.ts`.
 - Docs: `docs/` (images, queue, Pi config). Built output lives in `dist/`.
 - Nomenclature: use "plugin" / "plugins" in docs, UI, changelogs, and contributor guidance. `extensions/*` remains the internal directory/package path to avoid repo-wide churn from a rename.
+- Bundled plugin naming: for repo-owned workspace plugins, keep the canonical plugin id aligned across `openclaw.plugin.json:id`, `extensions/<id>` by default, and package names anchored to the same id (`@openclaw/<id>` or approved suffix forms like `-provider`, `-plugin`, `-speech`, `-sandbox`). Keep `openclaw.install.npmSpec` equal to the package name and `openclaw.channel.id` equal to the plugin id when present. Exceptions must be explicit and covered by the repo invariant test.
 - Plugins: live under `extensions/*` (workspace packages). Keep plugin-only deps in the extension `package.json`; do not add them to the root `package.json` unless core uses them.
 - Plugins: install runs `npm install --omit=dev` in plugin dir; runtime deps must live in `dependencies`. Avoid `workspace:*` in `dependencies` (npm install breaks); put `openclaw` in `devDependencies` or `peerDependencies` instead (runtime resolves `openclaw/plugin-sdk` via jiti alias).
 - Import boundaries: extension production code should treat `openclaw/plugin-sdk/*` plus local `api.ts` / `runtime-api.ts` barrels as the public surface. Do not import core `src/**`, `src/plugin-sdk-internal/**`, or another extension's `src/**` directly.
@@ -71,6 +72,10 @@
 - Format check: `pnpm format` (oxfmt --check)
 - Format fix: `pnpm format:fix` (oxfmt --write)
 - Tests: `pnpm test` (vitest); coverage: `pnpm test:coverage`
+- Generated baseline artifacts live together under `docs/.generated/`.
+- Config schema drift uses `pnpm config:docs:gen` / `pnpm config:docs:check`.
+- Plugin SDK API drift uses `pnpm plugin-sdk:api:gen` / `pnpm plugin-sdk:api:check`.
+- If you change config schema/help or the public Plugin SDK surface, update the matching baseline artifact and keep the two drift-check flows adjacent in scripts/workflows/docs guidance rather than inventing a third pattern.
 - For narrowly scoped changes, prefer narrowly scoped tests that directly validate the touched behavior. If no meaningful scoped test exists, say so explicitly and use the next most direct validation available.
 - Preferred landing bar for pushes to `main`: `pnpm check` and `pnpm test`, with a green result when feasible.
 - Scoped tests prove the change itself. `pnpm test` remains the default `main` landing bar; scoped tests do not replace full-suite gates by default.
@@ -109,6 +114,7 @@
 - Framework: Vitest with V8 coverage thresholds (70% lines/branches/functions/statements).
 - Naming: match source names with `*.test.ts`; e2e in `*.e2e.test.ts`.
 - Run `pnpm test` (or `pnpm test:coverage`) before pushing when you touch logic.
+- Write tests to clean up timers, env, globals, mocks, sockets, temp dirs, and module state so `--isolate=false` stays green.
 - Agents MUST NOT modify baseline, inventory, ignore, snapshot, or expected-failure files to silence failing checks without explicit approval in this chat.
 - For targeted/local debugging, keep using the wrapper: `pnpm test -- <path-or-filter> [vitest args...]` (for example `pnpm test -- src/commands/onboard-search.test.ts -t "shows registered plugin providers"`); do not default to raw `pnpm vitest run ...` because it bypasses wrapper config/profile/pool routing.
 - Do not set test workers above 16; tried already.

CHANGELOG.md

@@ -6,6 +6,8 @@ Docs: https://docs.openclaw.ai
 
 ### Changes
 
+- Breaking/Plugins: bare `openclaw plugins install <package>` now prefers ClawHub before npm for npm-safe names, and only falls back to npm when ClawHub does not have that package or version.
+- ClawHub/install: add native `openclaw skills search|install|update` flows plus `openclaw plugins install clawhub:<package>` with tracked update metadata, gateway skill-install/update support for ClawHub-backed requests, and regression coverage/docs for the new source path.
 - Models/Anthropic Vertex: add core `anthropic-vertex` provider support for Claude via Google Vertex AI, including GCP auth/discovery and main run-path routing. (#43356) Thanks @sallyom and @yossiovadia.
 - Commands/btw: add `/btw` side questions for quick tool-less answers about the current session without changing future session context, with dismissible in-session TUI answers and explicit BTW replies on external channels. (#45444) Thanks @ngutman.
 - Gateway/docs: clarify that empty URL input allowlists are treated as unset, document `allowUrl: false` as the deny-all switch, and add regression coverage for the normalization path.
@@ -61,14 +63,26 @@ Docs: https://docs.openclaw.ai
 - Models/GitHub Copilot: allow forward-compat dynamic model ids without code updates, while preserving configured provider and per-model overrides for those synthetic models. (#51325) Thanks @fuller-stack-dev.
 - Agents/compaction: notify users when followup auto-compaction starts and finishes, keeping those notices out of TTS and preserving reply threading for the real assistant reply. (#38805) Thanks @zidongdesign.
 - Models/OpenAI: switch the default OpenAI setup model to `openai/gpt-5.4`, keep Codex on `openai-codex/gpt-5.4`, and centralize OpenAI chat, image, TTS, transcription, and embedding defaults in one shared module so future default-model updates stay low-churn. Thanks @vincentkoc.
+- Memory/plugins: let the active memory plugin register its own system-prompt section while preserving cache-clear and snapshot-load prompt isolation. (#40126) Thanks @jarimustonen.
+- Control UI/usage: improve usage overview styling, localization, and responsive chat/context-notice presentation, including safer theme color handling and unclipped usage-header menus. (#51951) Thanks @BunsDev.
+- Agents: add per-agent thinking/reasoning/fast defaults and auto-revert disallowed model overrides to the agent's default selection. Thanks @xuanmingguo and @vincentkoc.
+- Control UI/usage: drop the empty session-detail placeholder card so the usage view stays single-column until a real session detail panel is selected. (#52013) Thanks @BunsDev.
+- Hooks/workspace: keep repo-local `<workspace>/hooks` disabled until explicitly enabled, block workspace hook name collisions from shadowing bundled/managed/plugin hooks, and treat `hooks.internal.load.extraDirs` as trusted managed hook sources.
+- CLI/hooks: route hook-pack install and update through `openclaw plugins`, keep `openclaw hooks` focused on hook visibility and per-hook controls, and show plugin-managed hook details in CLI output.
 
 ### Fixes
 
+- Nostr/security: enforce inbound DM policy before decrypt, route Nostr DMs through the standard reply pipeline, and add pre-crypto rate and size guards so unknown senders cannot bypass pairing or force unbounded crypto work. Thanks @kuranikaran.
+- Agents/default timeout: raise the shared default agent timeout from `600s` to `48h` so long-running ACP and agent sessions do not fail unless you configure a shorter limit.
+- Gateway/Linux: auto-detect nvm-managed Node TLS CA bundle needs before CLI startup and refresh installed services that are missing `NODE_EXTRA_CA_CERTS`. (#51146) Thanks @GodsBoy.
+- Android/pairing: resolve portless secure setup URLs to `443` while preserving direct cleartext gateway defaults and explicit `:80` manual endpoints in onboarding. (#43540) Thanks @fmercurio.
 - CLI/config: make `config set --strict-json` enforce real JSON, prefer `JSON.parse` with JSON5 fallback for machine-written cron/subagent stores, and relabel raw config surfaces as `JSON/JSON5` to match actual compatibility. Related: #48415, #43127, #14529, #21332. Thanks @adhitShet and @vincentkoc.
 - CLI/Ollama onboarding: keep the interactive model picker for explicit `openclaw onboard --auth-choice ollama` runs so setup still selects a default model without reintroducing pre-picker auto-pulls. (#49249) Thanks @BruceMacD.
+- Android/location: make current-location requests drop late callbacks after timeout instead of crashing with `Already resumed`. (#52318) Thanks @Kaneki-x.
 - Plugins/bundler TDZ: fix `RESERVED_COMMANDS` temporal dead zone error that prevented device-pair, phone-control, and talk-voice plugins from registering when the bundler placed the commands module after call sites in the same output chunk. Thanks @BunsDev.
 - Plugins/imports: fix stale googlechat runtime-api import paths and signal SDK circular re-exports broken by recent plugin-sdk refactors. Thanks @BunsDev.
 - Telegram/setup: seed fresh setups with `channels.telegram.groups["*"].requireMention=true` so new bots stay mention-gated in groups unless you explicitly open them up. Thanks @vincentkoc.
+- Security/exec safe bins: remove `jq` from the default safe-bin allowlist and fail closed on the `jq` `env` builtin when operators explicitly opt `jq` back in, so `jq -n env` cannot dump host secrets without an explicit trust path. Thanks @gladiator9797 for reporting.
 - Google auth/Node 25: patch `gaxios` to use native fetch without injecting `globalThis.window`, while translating proxy and mTLS transport settings so Google Vertex and Google Chat auth keep working on Node 25. (#47914) Thanks @pdd-cli.
 - Gateway/startup: load bundled channel plugins from compiled `dist/extensions` entries in built installs, so gateway boot no longer recompiles bundled extension TypeScript on every startup and WhatsApp-class cold starts drop back to seconds instead of tens of seconds or worse. (#47560) Thanks @ngutman.
 - Agents/openai-responses: strip `prompt_cache_key` and `prompt_cache_retention` for non-OpenAI-compatible Responses endpoints while keeping them on direct OpenAI and Azure OpenAI paths, so third-party OpenAI-compatible providers no longer reject those requests with HTTP 400. (#49877) Thanks @ShaunTsai.
@@ -84,6 +98,12 @@ Docs: https://docs.openclaw.ai
 - CLI/configure: clarify fresh-setup memory-search warnings so they say semantic recall needs at least one embedding provider, and scope the initial model allowlist picker to the provider selected in configure. Thanks @vincentkoc.
 - CLI/auth choice: lazy-load plugin/provider fallback resolution so mapped auth choices stay on the static path and only unknown choices pay the heavy provider load. (#47495) Thanks @vincentkoc.
 - CLI: avoid loading provider discovery during startup model normalization. (#46522) Thanks @ItsAditya-xyz and @vincentkoc.
+- Agents/Telegram: avoid rebuilding the full model catalog on ordinary inbound replies so Telegram message handling no longer pays multi-second core startup latency before reply generation. Thanks @vincentkoc.
+- Gateway/Discord startup: load only configured channel plugins during gateway boot, and lazy-load Discord provider/session runtime setup so startup stops importing unrelated providers and trims cold-start delay. Thanks @vincentkoc.
+- Security/exec: harden macOS allowlist resolution against wrapper and `env` spoofing, require fresh approval for inline interpreter eval with `tools.exec.strictInlineEval`, wrap Discord guild message bodies as untrusted external content, and add audit findings for risky exec approval and open-channel combinations.
+- Agents/inbound: lazy-load media and link understanding for plain-text turns and cache synced auth stores by auth-file state so ordinary inbound replies avoid unnecessary startup churn. Thanks @vincentkoc.
+- Telegram/polling: hard-timeout stuck `getUpdates` requests so wedged network paths fail over sooner instead of waiting for the polling stall watchdog. Thanks @vincentkoc.
+- Agents/models: cache `models.json` readiness by config and auth-file state so embedded runner turns stop paying repeated model-catalog startup work before replies. Thanks @vincentkoc.
 - Security/device pairing: harden `device.token.rotate` deny handling by keeping public failures generic while logging internal deny reasons and preserving approved-baseline enforcement. (`GHSA-7jrw-x62h-64p8`)
 - Inbound policy hardening: tighten callback and webhook sender checks across Mattermost and Google Chat, match Nextcloud Talk rooms by stable room token, and treat explicit empty Twitch allowlists as deny-all. (#46787) Thanks @zpbrent, @ijxpwastaken and @vincentkoc.
 - Webhooks/runtime: move auth earlier and tighten pre-auth body limits and timeouts across bundled webhook handlers, including slow-body handling for Mattermost slash commands. (#46802) Thanks @vincentkoc.
@@ -100,7 +120,10 @@ Docs: https://docs.openclaw.ai
 - Models/openai-completions: default non-native OpenAI-compatible providers to omit tool-definition `strict` fields unless users explicitly opt back in, so tool calling keeps working on providers that reject that option. (#45497) Thanks @sahancava.
 - Telegram/setup: warn when setup leaves DMs on pairing without an allowlist, and show valid account-scoped remediation commands. (#50710) Thanks @ernestodeoliveira.
 - Doctor/Telegram: replace the fresh-install empty group-allowlist false positive with first-run guidance that explains DM pairing approval and the next group setup steps, so new Telegram installs get actionable setup help instead of a broken-config warning. Thanks @vincentkoc.
+- Doctor/extensions: keep Matrix DM `allowFrom` repairs on the canonical `dm.allowFrom` path and stop treating Zalouser group sender gating as if it fell back to `allowFrom`, so doctor warnings and `--fix` stay aligned with runtime access control. Thanks @vincentkoc.
+- Doctor/refactor: centralize built-in channel doctor semantics in one static capability registry with conservative fallback behavior for unknown/external channels, so future extension changes stop depending on scattered shared string checks. Thanks @vincentkoc.
 - Models/OpenRouter runtime capabilities: fetch uncatalogued OpenRouter model metadata on first use so newly added vision models keep image input instead of silently degrading to text-only, with top-level capability field fallbacks for `/api/v1/models`. (#45824) Thanks @DJjjjhao.
+- Gateway/startup: prewarm the configured primary model before channel startup and retry one transient provider-runtime miss so the first Telegram or Discord message after boot no longer fails with `Unknown model: openai-codex/gpt-5.4`. Thanks @vincentkoc.
 - Channels/plugins: keep shared interactive payloads merge-ready by fixing Slack custom callback routing and repeat-click dedupe, allowing interactive-only sends, and preserving ordered Discord shared text blocks. (#47715) Thanks @vincentkoc.
 - Slack/interactive replies: preserve `channelData.slack.blocks` through live DM delivery and preview-finalized edits so Block Kit button and select directives render instead of falling back to raw text. (#45890) Thanks @vincentkoc.
 - Feishu/actions: expand the runtime action surface with message read/edit, explicit thread replies, pinning, and operator-facing chat/member inspection so Feishu can operate more of the workspace directly. (#47968) Thanks @Takhoffman.
@@ -110,8 +133,11 @@ Docs: https://docs.openclaw.ai
 - WhatsApp/reconnect: restore the append recency filter in the extension inbox monitor and handle protobuf `Long` timestamps correctly, so fresh post-reconnect append messages are processed while stale history sync stays suppressed. (#42588) Thanks @MonkeyLeeT.
 - WhatsApp/login: wait for pending creds writes before reopening after Baileys `515` pairing restarts in both QR login and `channels login` flows, and keep the restart coverage pinned to the real wrapped error shape plus per-account creds queues. (#27910) Thanks @asyncjason.
 - Telegram/message send: forward `--force-document` through the `sendPayload` path as well as `sendMedia`, so Telegram payload sends with `channelData` keep uploading images as documents instead of silently falling back to compressed photo sends. (#47119) Thanks @thepagent.
+- Android/canvas: serialize A2UI action-status event strings before evaluating WebView JS, so action ids and multiline errors do not break the callback dispatch. (#43784) Thanks @Kaneki-x.
+- Android/camera: recycle intermediate and final snap bitmaps in `camera.snap` so repeated captures do not leak native image memory. (#41902) Thanks @Kaneki-x.
 - Telegram/message chunking: preserve spaces, paragraph separators, and word boundaries when HTML overflow rechunking splits formatted replies. (#47274) Thanks @obviyus.
 - Z.AI/onboarding: detect a working default model even for explicit `zai-coding-*` endpoint choices, so Coding Plan setup can keep the selected endpoint while defaulting to `glm-5` when available or `glm-4.7` as fallback. (#45969) Thanks @obviyus.
+- CI/onboarding smoke: surface `ensure-base-commit` fetch failures as workflow warnings and fail the onboarding Docker smoke when expected setup prompts drift instead of continuing silently. Thanks @Takhoffman.
 - Z.AI/onboarding: add `glm-5-turbo` to the default Z.AI provider catalog so onboarding-generated configs expose the new model alongside the existing GLM defaults. (#46670) Thanks @tomsun28.
 - Zalo Personal/group gating: stop reapplying `dmPolicy.allowFrom` as a sender gate for already-allowlisted groups when `groupAllowFrom` is unset, so any member of an allowed group can trigger replies while DMs stay restricted. (#46663) Fixes #40146. Thanks @Takhoffman.
 - Zalo/plugin runtime: export `resolveClientIp` from `openclaw/plugin-sdk/zalo` so installed builds no longer crash on startup when the webhook monitor loads from the packaged extension instead of the monorepo source tree. (#46549) Thanks @No898.
@@ -131,6 +157,7 @@ Docs: https://docs.openclaw.ai
 - Browser/profiles: drop the auto-created `chrome-relay` browser profile; users who need the Chrome extension relay must now create their own profile via `openclaw browser create-profile`. (#46596) Fixes #45777. Thanks @odysseus0.
 - CI/channel test routing: move the built-in channel suites into `test:channels` and keep them out of `test:extensions`, so extension CI no longer fails after the channel migration while targeted test routing still sends Slack, Signal, and iMessage suites to the right lane. (#46066) Thanks @scoootscooob.
 - Docs/Mintlify: fix MDX marker syntax on Perplexity, Model Providers, Moonshot, and exec approvals pages so local docs preview no longer breaks rendering or leaves stale pages unpublished. (#46695) Thanks @velvet-shark.
+- Plugins/runtime barrels: route bundled extension runtime imports through public `openclaw/plugin-sdk/*` subpaths and block relative cross-package escapes so packaged extensions stop depending on monorepo-only relative paths. (#51939) Thanks @vincentkoc.
 - Gateway/config validation: stop treating the implicit default memory slot as a required explicit plugin config, so startup no longer fails with `plugins.slots.memory: plugin not found: memory-core` when `memory-core` was only inferred. (#47494) Thanks @ngutman.
 - Tlon: honor explicit empty allowlists and defer cite expansion. (#46788) Thanks @zpbrent and @vincentkoc.
 - Tlon/DM auth: defer cited-message expansion until after DM authorization and owner command handling, so unauthorized DMs and owner approval/admin commands no longer trigger cross-channel cite fetches before the deny or command path.
@@ -170,6 +197,7 @@ Docs: https://docs.openclaw.ai
 - Exec: harden host env override handling across gateway and node (#51207) Thanks @gladiator9797 and @joshavant.
 - Voice Call: enforce spoken-output contract and fix stream TTS silence regression (#51500) Thanks @joshavant.
 - xAI/models: rename the bundled Grok 4.20 catalog entries to the GA IDs and normalize saved deprecated beta IDs at runtime so existing configs and sessions keep resolving. (#50772) thanks @Jaaneek
+- Plugins/Matrix TTS: send auto-TTS replies as native Matrix voice bubbles instead of generic audio attachments. (#37080) thanks @Matthew19990919.
 
 ### Fixes
 
@@ -184,9 +212,11 @@ Docs: https://docs.openclaw.ai
 - Agents/prompt composition: append bootstrap truncation warnings to the current-turn prompt and add regression coverage for stable system-prompt cache invariants. (#49237) Thanks @scoootscooob.
 - Gateway/auth: add regression coverage that keeps device-less trusted-proxy Control UI sessions off privileged pairing approval RPCs. Thanks @vincentkoc.
 - Plugins/runtime-api: pin extension runtime-api export surfaces with explicit guardrail coverage so future surface creep becomes a deliberate diff. Thanks @vincentkoc.
+- Synology Chat/multi-account: scope direct-message sessions by account and sender so identical webhook `user_id` values on different Synology accounts no longer share transcript or delivery state.
 - Telegram/security: add regression coverage proving pinned fallback host overrides stay bound to Telegram and delegate non-matching hostnames back to the original lookup path. Thanks @vincentkoc.
 - Secrets/exec refs: require explicit `--allow-exec` for `secrets apply` write plans that contain exec SecretRefs/providers, and align audit/configure/apply dry-run behavior to skip exec checks unless opted in to prevent unexpected command side effects. (#49417) Thanks @restriction and @joshavant.
 - Tools/image generation: add bundled fal image generation support so `image_generate` can target `fal/*` models with `FAL_KEY`, including single-image edit flows via FLUX image-to-image. Thanks @vincentkoc.
+- Messages/polls: treat zero-valued poll params on `message.send` as unset defaults while keeping non-zero poll params on the poll validation path. (#52150) Fixes #52118. Thanks @Bartok9.
 - xAI/web search: add missing Grok credential metadata so the bundled provider registration type-checks again. (#49472) thanks @scoootscooob.
 - Signal/runtime API: re-export `SignalAccountConfig` so Signal account resolution type-checks again. (#49470) Thanks @scoootscooob.
 - Google Chat/runtime API: thin the private runtime barrel onto the curated public SDK surface while keeping public Google Chat exports intact. (#49504) Thanks @scoootscooob.
@@ -204,14 +234,22 @@ Docs: https://docs.openclaw.ai
 - Web search: align onboarding, configure, and finalize with plugin-owned provider contracts, including disabled-provider recovery, config-aware credential hooks, and runtime-visible summaries. (#50935) Thanks @gumadeiras.
 - Agents/replay: sanitize malformed assistant tool-call replay blocks before provider replay so follow-up Anthropic requests do not inherit the downstream `replace` crash. (#50005) Thanks @jalehman.
 - Plugins/context engines: retry strict legacy `assemble()` calls without the new `prompt` field when older engines reject it, preserving prompt-aware retrieval compatibility for pre-prompt plugins. (#50848) thanks @danhdoan.
+- make `openclaw update status` explicitly say `up to date` when the local version already matches npm latest, while keeping the availability logic unchanged. (#51409) Thanks @dongzhenye.
 - Agents/embedded transport errors: distinguish common network failures like connection refused, DNS lookup failure, and interrupted sockets from true timeouts in embedded-run user messaging and lifecycle diagnostics. (#51419) Thanks @scoootscooob.
-- Discord/startup logging: report client initialization while the gateway is still connecting instead of claiming Discord is logged in before readiness is reached. (#51425) Thanks @scoootscooob.
+- Discord/startup logging: report client initialization while the gateway is still connecting instead of claiming Discord is logged in before readiness is reached. (#51425) Thanks @scoootscoob.
 - Gateway/probe: honor caller `--timeout` for active local loopback probes in `gateway status`, keep inactive remote-mode loopback probes fast, and clamp probe timers to JS-safe bounds so slow local/container gateways stop reporting false timeouts. (#47533) Thanks @MonkeyLeeT.
 - Config/startup: keep bundled web-search allowlist compatibility on a lightweight manifest path so config validation no longer pulls bundled web-search registry imports into startup, while still avoiding accidental auto-allow of config-loaded override plugins. (#51574) Thanks @RichardCao.
 - Gateway/chat.send: persist uploaded image references across reloads and compaction without delaying first-turn dispatch or double-submitting the same image to vision models. (#51324) Thanks @fuller-stack-dev.
 - Plugins/runtime state: share plugin-facing infra singleton state across duplicate module graphs and keep session-binding adapter ownership stable until the active owner unregisters. (#50725) thanks @huntharo.
 - Agents/compaction safeguard: preserve split-turn context and preserved recent turns when capped retry fallback reuses the last successful summary. (#27727) thanks @Pandadadadazxf.
 - Discord/pickers: keep `/codex_resume --browse-projects` picker callbacks alive in Discord by sharing component callback state across duplicate module graphs, preserving callback fallbacks, and acknowledging matched plugin interactions before dispatch. (#51260) Thanks @huntharo.
+- Agents/memory flush: keep transcript-hash dedup active across memory-flush fallback retries so a write-then-throw flush attempt cannot append duplicate `MEMORY.md` entries before the fallback cycle completes. (#34222) Thanks @lml2468.
+- make `openclaw update status` explicitly say `up to date` when the local version already matches npm latest, while keeping the availability logic unchanged. (#51409) Thanks @dongzhenye.
+- Android/canvas: recycle captured and scaled snapshot bitmaps so repeated canvas snapshots do not leak native image memory. (#41889) Thanks @Kaneki-x.
+- Android/theme: switch status bar icon contrast with the active system theme so Android light mode no longer leaves unreadable light icons over the app header. (#51098) Thanks @goweii.
+- Discord/ACP: forward worker abort signals into ACP turns so timed-out Discord jobs cancel the running turn instead of silently leaving the bound ACP session working in the background.
+- Gateway/openresponses: preserve assistant commentary and session continuity across hosted-tool `/v1/responses` turns, and emit streamed tool-call payloads before finalization so client tool loops stay resumable. (#52171) Thanks @CharZhou.
+- Android/Talk: serialize `TalkModeManager` player teardown so rapid interrupt/restart cycles stop double-releasing or overlapping TTS playback. (#52310) Thanks @Kaneki-x.
 
 ### Breaking
 
@@ -226,6 +264,8 @@ Docs: https://docs.openclaw.ai
 - Plugins/Matrix: add a new Matrix plugin backed by the official `matrix-js-sdk`. If you are upgrading from the previous public Matrix plugin, follow the migration guide: https://docs.openclaw.ai/install/migrating-matrix Thanks @gumadeiras.
 - Discord/commands: switch native command deployment to Carbon reconcile by default so Discord restarts stop churning slash commands through OpenClaw’s local deploy path. (#46597) Thanks @huntharo and @thewilloftheshadow.
 - Plugins/Matrix: durably dedupe inbound room events across gateway restarts so previously handled Matrix messages are not replayed as new, while preserving clean-restart backlog delivery for unseen events. (#50922) thanks @gumadeiras
+- Agents/media replies: migrate the remaining browser, canvas, and nodes snapshot outputs onto `details.media` so generated media keeps attaching to assistant replies after the collect-then-attach refactor. (#51731) Thanks @christianklotz.
+- Android/contacts search: escape literal `%` and `_` in contact-name queries so searches like `100%` or `_id` no longer match unrelated contacts through SQL `LIKE` wildcards. (#41891) Thanks @Kaneki-x.
 
 ## 2026.3.13
 
@@ -406,6 +446,7 @@ Docs: https://docs.openclaw.ai
 
 - Control UI/auth: restore one-time legacy `?token=` imports for shared Control UI links while keeping `#token=` preferred, and carry pending query tokens through gateway URL confirmation so compatibility links still authenticate after confirmation. (#43979) Thanks @stim64045-spec.
 - Plugins/context engines: retry legacy lifecycle calls once without `sessionKey` when older plugins reject that field, memoize legacy mode after the first strict-schema fallback, and preserve non-compat runtime errors without retry. (#44779) thanks @hhhhao28.
+- Agents/compaction: treat markup-wrapped heartbeat boilerplate as non-meaningful session history when deciding whether to compact, so heartbeat-only sessions no longer keep compaction alive due to wrapper formatting. (#42119) thanks @samzong.
 
 ## 2026.3.11
 
@@ -541,6 +582,8 @@ Docs: https://docs.openclaw.ai
 - macOS/remote gateway: stop PortGuardian from killing Docker Desktop and other external listeners on the gateway port in remote mode, so containerized and tunneled gateway setups no longer lose their port-forward owner on app startup. (#6755) Thanks @teslamint.
 - Feishu/streaming recovery: clear stale `streamingStartPromise` when card creation fails (HTTP 400) so subsequent messages can retry streaming instead of silently dropping all future replies. Fixes #43322.
 - Exec/env sandbox: block JVM agent injection (`JAVA_TOOL_OPTIONS`, `_JAVA_OPTIONS`, `JDK_JAVA_OPTIONS`), Python breakpoint hijack (`PYTHONBREAKPOINT`), and .NET startup hooks (`DOTNET_STARTUP_HOOKS`) from the host exec environment. (#49025)
+- Android/camera clip cleanup: delete temporary clip files even when `readBytes()` fails so failed clip captures do not leak cache storage. (#41890) Thanks @Kaneki-x.
+- Android/photos: recycle decoded and intermediate bitmaps in `photos.latest` so repeated photo fetches stop leaking native memory. (#41888) Thanks @Kaneki-x.
 
 ### Security
 

Dockerfile

@@ -14,6 +14,7 @@
 #   Slim (bookworm-slim):    docker build --build-arg OPENCLAW_VARIANT=slim .
 ARG OPENCLAW_EXTENSIONS=""
 ARG OPENCLAW_VARIANT=default
+ARG OPENCLAW_DOCKER_APT_UPGRADE=1
 ARG OPENCLAW_NODE_BOOKWORM_IMAGE="node:24-bookworm@sha256:3a09aa6354567619221ef6c45a5051b671f953f0a1924d1f819ffb236e520e6b"
 ARG OPENCLAW_NODE_BOOKWORM_DIGEST="sha256:3a09aa6354567619221ef6c45a5051b671f953f0a1924d1f819ffb236e520e6b"
 ARG OPENCLAW_NODE_BOOKWORM_SLIM_IMAGE="node:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb"
@@ -113,6 +114,7 @@ LABEL org.opencontainers.image.base.name="docker.io/library/node:24-bookworm-sli
 # ── Stage 3: Runtime ────────────────────────────────────────────
 FROM base-${OPENCLAW_VARIANT}
 ARG OPENCLAW_VARIANT
+ARG OPENCLAW_DOCKER_APT_UPGRADE
 
 # OCI base-image metadata for downstream image consumers.
 # If you change these annotations, also update:
@@ -129,10 +131,14 @@ WORKDIR /app
 
 # Install system utilities present in bookworm but missing in bookworm-slim.
 # On the full bookworm image these are already installed (apt-get is a no-op).
+# Smoke workflows can opt out of distro upgrades to cut repeated CI time while
+# keeping the default runtime image behavior unchanged.
 RUN --mount=type=cache,id=openclaw-bookworm-apt-cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,id=openclaw-bookworm-apt-lists,target=/var/lib/apt,sharing=locked \
     apt-get update && \
-    DEBIAN_FRONTEND=noninteractive apt-get upgrade -y --no-install-recommends && \
+    if [ "${OPENCLAW_DOCKER_APT_UPGRADE}" != "0" ]; then \
+      DEBIAN_FRONTEND=noninteractive apt-get upgrade -y --no-install-recommends; \
+    fi && \
     DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
       procps hostname curl git lsof openssl
 

apps/android/app/build.gradle.kts

@@ -65,8 +65,8 @@ android {
         applicationId = "ai.openclaw.app"
         minSdk = 31
         targetSdk = 36
-        versionCode = 2026032000
-        versionName = "2026.3.20"
+        versionCode = 2026032200
+        versionName = "2026.3.22"
         ndk {
             // Support all major ABIs — native libs are tiny (~47 KB per ABI)
             abiFilters += listOf("armeabi-v7a", "arm64-v8a", "x86", "x86_64")

apps/android/app/src/main/java/ai/openclaw/app/PermissionRequester.kt

@@ -4,6 +4,8 @@ import android.content.pm.PackageManager
 import android.content.Intent
 import android.Manifest
 import android.net.Uri
+import android.os.Handler
+import android.os.Looper
 import android.provider.Settings
 import androidx.appcompat.app.AlertDialog
 import androidx.activity.ComponentActivity
@@ -11,17 +13,21 @@ import androidx.activity.result.ActivityResultLauncher
 import androidx.activity.result.contract.ActivityResultContracts
 import androidx.core.content.ContextCompat
 import androidx.core.app.ActivityCompat
+import androidx.lifecycle.Lifecycle
+import androidx.lifecycle.LifecycleEventObserver
 import kotlinx.coroutines.CompletableDeferred
 import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.sync.Mutex
 import kotlinx.coroutines.sync.withLock
 import kotlinx.coroutines.withContext
 import kotlinx.coroutines.suspendCancellableCoroutine
+import java.util.concurrent.atomic.AtomicBoolean
 import kotlin.coroutines.resume
 
 class PermissionRequester(private val activity: ComponentActivity) {
   private val mutex = Mutex()
   private var pending: CompletableDeferred<Map<String, Boolean>>? = null
+  private val mainHandler = Handler(Looper.getMainLooper())
 
   private val launcher: ActivityResultLauncher<Array<String>> =
     activity.registerForActivityResult(ActivityResultContracts.RequestMultiplePermissions()) { result ->
@@ -86,32 +92,84 @@ class PermissionRequester(private val activity: ComponentActivity) {
 
   private suspend fun showRationaleDialog(permissions: List<String>): Boolean =
     withContext(Dispatchers.Main) {
+      if (activity.isFinishing || activity.isDestroyed) {
+        return@withContext false
+      }
       suspendCancellableCoroutine { cont ->
-        AlertDialog.Builder(activity)
-          .setTitle("Permission required")
-          .setMessage(buildRationaleMessage(permissions))
-          .setPositiveButton("Continue") { _, _ -> cont.resume(true) }
-          .setNegativeButton("Not now") { _, _ -> cont.resume(false) }
-          .setOnCancelListener { cont.resume(false) }
-          .show()
+        val lifecycle = activity.lifecycle
+        var dialog: AlertDialog? = null
+        var observer: LifecycleEventObserver? = null
+        val finished = AtomicBoolean(false)
+        val removeObserver = {
+          observer?.let(lifecycle::removeObserver)
+          observer = null
+        }
+        fun finish(result: Boolean?) {
+          if (!finished.compareAndSet(false, true)) return
+          removeObserver()
+          dialog?.dismiss()
+          if (result != null) {
+            cont.resume(result)
+          }
+        }
+        val actualObserver =
+          LifecycleEventObserver { _, event ->
+            if (event != Lifecycle.Event.ON_DESTROY) return@LifecycleEventObserver
+            finish(false)
+          }
+        observer = actualObserver
+        lifecycle.addObserver(actualObserver)
+        cont.invokeOnCancellation {
+          mainHandler.post {
+            finish(null)
+          }
+        }
+        dialog =
+          AlertDialog.Builder(activity)
+            .setTitle("Permission required")
+            .setMessage(buildRationaleMessage(permissions))
+            .setPositiveButton("Continue") { _, _ -> finish(true) }
+            .setNegativeButton("Not now") { _, _ -> finish(false) }
+            .setOnCancelListener { finish(false) }
+            .show()
       }
     }
 
-  private fun showSettingsDialog(permissions: List<String>) {
-    AlertDialog.Builder(activity)
-      .setTitle("Enable permission in Settings")
-      .setMessage(buildSettingsMessage(permissions))
-      .setPositiveButton("Open Settings") { _, _ ->
-        val intent =
-          Intent(
-            Settings.ACTION_APPLICATION_DETAILS_SETTINGS,
-            Uri.fromParts("package", activity.packageName, null),
-          )
-        activity.startActivity(intent)
+  private suspend fun showSettingsDialog(permissions: List<String>) =
+    withContext(Dispatchers.Main) {
+      if (activity.isFinishing || activity.isDestroyed) return@withContext
+      val lifecycle = activity.lifecycle
+      var dialog: AlertDialog? = null
+      var observer: LifecycleEventObserver? = null
+      val removeObserver = {
+        observer?.let(lifecycle::removeObserver)
+        observer = null
       }
-      .setNegativeButton("Cancel", null)
-      .show()
-  }
+      val actualObserver =
+        LifecycleEventObserver { _, event ->
+          if (event != Lifecycle.Event.ON_DESTROY) return@LifecycleEventObserver
+          removeObserver()
+          dialog?.dismiss()
+        }
+      observer = actualObserver
+      lifecycle.addObserver(actualObserver)
+      dialog =
+        AlertDialog.Builder(activity)
+          .setTitle("Enable permission in Settings")
+          .setMessage(buildSettingsMessage(permissions))
+          .setPositiveButton("Open Settings") { _, _ ->
+            if (activity.isFinishing || activity.isDestroyed) return@setPositiveButton
+            val intent =
+              Intent(
+                Settings.ACTION_APPLICATION_DETAILS_SETTINGS,
+                Uri.fromParts("package", activity.packageName, null),
+              )
+            activity.startActivity(intent)
+          }
+          .setNegativeButton("Cancel", null)
+          .setOnDismissListener { removeObserver() }
+          .show()
+    }
 
   private fun buildRationaleMessage(permissions: List<String>): String {
     val labels = permissions.map { permissionLabel(it) }

apps/android/app/src/main/java/ai/openclaw/app/node/CameraCaptureManager.kt

@@ -121,42 +121,48 @@ class CameraCaptureManager(private val context: Context) {
             (rotated.height.toDouble() * (maxWidth.toDouble() / rotated.width.toDouble()))
               .toInt()
               .coerceAtLeast(1)
-          rotated.scale(maxWidth, h)
+          val s = rotated.scale(maxWidth, h)
+          if (s !== rotated) rotated.recycle()
+          s
         } else {
           rotated
         }
 
-      val maxPayloadBytes = 5 * 1024 * 1024
-      // Base64 inflates payloads by ~4/3; cap encoded bytes so the payload stays under 5MB (API limit).
-      val maxEncodedBytes = (maxPayloadBytes / 4) * 3
-      val result =
-        JpegSizeLimiter.compressToLimit(
-          initialWidth = scaled.width,
-          initialHeight = scaled.height,
-          startQuality = (quality * 100.0).roundToInt().coerceIn(10, 100),
-          maxBytes = maxEncodedBytes,
-          encode = { width, height, q ->
-            val bitmap =
-              if (width == scaled.width && height == scaled.height) {
-                scaled
-              } else {
-                scaled.scale(width, height)
+      try {
+        val maxPayloadBytes = 5 * 1024 * 1024
+        // Base64 inflates payloads by ~4/3; cap encoded bytes so the payload stays under 5MB (API limit).
+        val maxEncodedBytes = (maxPayloadBytes / 4) * 3
+        val result =
+          JpegSizeLimiter.compressToLimit(
+            initialWidth = scaled.width,
+            initialHeight = scaled.height,
+            startQuality = (quality * 100.0).roundToInt().coerceIn(10, 100),
+            maxBytes = maxEncodedBytes,
+            encode = { width, height, q ->
+              val bitmap =
+                if (width == scaled.width && height == scaled.height) {
+                  scaled
+                } else {
+                  scaled.scale(width, height)
+                }
+              val out = ByteArrayOutputStream()
+              if (!bitmap.compress(Bitmap.CompressFormat.JPEG, q, out)) {
+                if (bitmap !== scaled) bitmap.recycle()
+                throw IllegalStateException("UNAVAILABLE: failed to encode JPEG")
               }
-            val out = ByteArrayOutputStream()
-            if (!bitmap.compress(Bitmap.CompressFormat.JPEG, q, out)) {
-              if (bitmap !== scaled) bitmap.recycle()
-              throw IllegalStateException("UNAVAILABLE: failed to encode JPEG")
-            }
-            if (bitmap !== scaled) {
-              bitmap.recycle()
-            }
-            out.toByteArray()
-          },
+              if (bitmap !== scaled) {
+                bitmap.recycle()
+              }
+              out.toByteArray()
+            },
+          )
+        val base64 = Base64.encodeToString(result.bytes, Base64.NO_WRAP)
+        Payload(
+          """{"format":"jpg","base64":"$base64","width":${result.width},"height":${result.height}}""",
         )
-      val base64 = Base64.encodeToString(result.bytes, Base64.NO_WRAP)
-      Payload(
-        """{"format":"jpg","base64":"$base64","width":${result.width},"height":${result.height}}""",
-      )
+      } finally {
+        scaled.recycle()
+      }
     }
 
   @SuppressLint("MissingPermission")

apps/android/app/src/main/java/ai/openclaw/app/node/CameraHandler.kt

@@ -134,9 +134,11 @@ class CameraHandler(
       }
 
       val bytes = withContext(Dispatchers.IO) {
-        val b = filePayload.file.readBytes()
-        filePayload.file.delete()
-        b
+        try {
+          filePayload.file.readBytes()
+        } finally {
+          filePayload.file.delete()
+        }
       }
       val base64 = android.util.Base64.encodeToString(bytes, android.util.Base64.NO_WRAP)
       clipLog("returning base64 payload")

apps/android/app/src/main/java/ai/openclaw/app/node/CanvasController.kt

@@ -180,27 +180,41 @@ class CanvasController {
     withContext(Dispatchers.Main) {
       val wv = webView ?: throw IllegalStateException("no webview")
       val bmp = wv.captureBitmap()
-      val scaled = bmp.scaleForMaxWidth(maxWidth)
-
-      val out = ByteArrayOutputStream()
-      scaled.compress(Bitmap.CompressFormat.PNG, 100, out)
-      Base64.encodeToString(out.toByteArray(), Base64.NO_WRAP)
+      try {
+        val scaled = bmp.scaleForMaxWidth(maxWidth)
+        try {
+          val out = ByteArrayOutputStream()
+          scaled.compress(Bitmap.CompressFormat.PNG, 100, out)
+          Base64.encodeToString(out.toByteArray(), Base64.NO_WRAP)
+        } finally {
+          if (scaled !== bmp) scaled.recycle()
+        }
+      } finally {
+        bmp.recycle()
+      }
     }
 
   suspend fun snapshotBase64(format: SnapshotFormat, quality: Double?, maxWidth: Int?): String =
     withContext(Dispatchers.Main) {
       val wv = webView ?: throw IllegalStateException("no webview")
       val bmp = wv.captureBitmap()
-      val scaled = bmp.scaleForMaxWidth(maxWidth)
-
-      val out = ByteArrayOutputStream()
-      val (compressFormat, compressQuality) =
-        when (format) {
-          SnapshotFormat.Png -> Bitmap.CompressFormat.PNG to 100
-          SnapshotFormat.Jpeg -> Bitmap.CompressFormat.JPEG to clampJpegQuality(quality)
+      try {
+        val scaled = bmp.scaleForMaxWidth(maxWidth)
+        try {
+          val out = ByteArrayOutputStream()
+          val (compressFormat, compressQuality) =
+            when (format) {
+              SnapshotFormat.Png -> Bitmap.CompressFormat.PNG to 100
+              SnapshotFormat.Jpeg -> Bitmap.CompressFormat.JPEG to clampJpegQuality(quality)
+            }
+          scaled.compress(compressFormat, compressQuality, out)
+          Base64.encodeToString(out.toByteArray(), Base64.NO_WRAP)
+        } finally {
+          if (scaled !== bmp) scaled.recycle()
         }
-      scaled.compress(compressFormat, compressQuality, out)
-      Base64.encodeToString(out.toByteArray(), Base64.NO_WRAP)
+      } finally {
+        bmp.recycle()
+      }
     }
 
   private suspend fun WebView.captureBitmap(): Bitmap =

apps/android/app/src/main/java/ai/openclaw/app/node/ContactsHandler.kt

@@ -76,8 +76,8 @@ private object SystemContactsDataSource : ContactsDataSource {
       selection = null
       selectionArgs = null
     } else {
-      selection = "${ContactsContract.Contacts.DISPLAY_NAME_PRIMARY} LIKE ?"
-      selectionArgs = arrayOf("%${request.query}%")
+      selection = "${ContactsContract.Contacts.DISPLAY_NAME_PRIMARY} LIKE ? ESCAPE '\\'"
+      selectionArgs = arrayOf("%${escapeLikePattern(request.query)}%")
     }
     val sortOrder = "${ContactsContract.Contacts.DISPLAY_NAME_PRIMARY} COLLATE NOCASE ASC LIMIT ${request.limit}"
     resolver.query(
@@ -247,6 +247,9 @@ private object SystemContactsDataSource : ContactsDataSource {
     }
   }
 
+  private fun escapeLikePattern(pattern: String): String =
+    pattern.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
+
   private fun loadPhones(resolver: ContentResolver, contactId: Long): List<String> {
     return queryContactValues(
       resolver = resolver,

apps/android/app/src/main/java/ai/openclaw/app/node/LocationCaptureManager.kt

@@ -12,8 +12,6 @@ import java.time.format.DateTimeFormatter
 import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.withContext
 import kotlinx.coroutines.withTimeout
-import kotlin.coroutines.resume
-import kotlin.coroutines.resumeWithException
 import kotlinx.coroutines.suspendCancellableCoroutine
 
 class LocationCaptureManager(private val context: Context) {
@@ -100,18 +98,15 @@ class LocationCaptureManager(private val context: Context) {
     val resolved =
       providers.firstOrNull { manager.isProviderEnabled(it) }
         ?: throw IllegalStateException("LOCATION_UNAVAILABLE: no providers available")
-    return withTimeout(timeoutMs.coerceAtLeast(1)) {
-      suspendCancellableCoroutine { cont ->
+    val location = withTimeout(timeoutMs.coerceAtLeast(1)) {
+      suspendCancellableCoroutine<Location?> { cont ->
         val signal = CancellationSignal()
         cont.invokeOnCancellation { signal.cancel() }
         manager.getCurrentLocation(resolved, signal, context.mainExecutor) { location ->
-          if (location != null) {
-            cont.resume(location)
-          } else {
-            cont.resumeWithException(IllegalStateException("LOCATION_UNAVAILABLE: no fix"))
-          }
+          cont.resume(location) { _, _, _ -> }
         }
       }
     }
+    return location ?: throw IllegalStateException("LOCATION_UNAVAILABLE: no fix")
   }
 }

apps/android/app/src/main/java/ai/openclaw/app/node/MotionHandler.kt

@@ -10,6 +10,7 @@ import android.os.SystemClock
 import androidx.core.content.ContextCompat
 import ai.openclaw.app.gateway.GatewaySession
 import java.time.Instant
+import kotlinx.coroutines.InternalCoroutinesApi
 import kotlinx.coroutines.suspendCancellableCoroutine
 import kotlinx.coroutines.withTimeoutOrNull
 import kotlinx.serialization.json.Json
@@ -18,7 +19,6 @@ import kotlinx.serialization.json.JsonPrimitive
 import kotlinx.serialization.json.buildJsonArray
 import kotlinx.serialization.json.buildJsonObject
 import kotlinx.serialization.json.put
-import kotlin.coroutines.resume
 import kotlin.math.abs
 import kotlin.math.max
 import kotlin.math.sqrt
@@ -142,19 +142,18 @@ private object SystemMotionDataSource : MotionDataSource {
     val averageDelta: Double,
   )
 
+  @OptIn(InternalCoroutinesApi::class)
   private suspend fun readStepCounter(sensorManager: SensorManager, sensor: Sensor): Int? {
     val sample =
       withTimeoutOrNull(1200L) {
         suspendCancellableCoroutine<Float?> { cont ->
-          var resumed = false
           val listener =
             object : SensorEventListener {
               override fun onSensorChanged(event: SensorEvent?) {
-                if (resumed) return
                 val value = event?.values?.firstOrNull()
-                resumed = true
+                val token = cont.tryResume(value) ?: return
+                cont.completeResume(token)
                 sensorManager.unregisterListener(this)
-                cont.resume(value)
               }
 
               override fun onAccuracyChanged(sensor: Sensor?, accuracy: Int) = Unit
@@ -162,8 +161,7 @@ private object SystemMotionDataSource : MotionDataSource {
           val registered = sensorManager.registerListener(listener, sensor, SensorManager.SENSOR_DELAY_NORMAL)
           if (!registered) {
             sensorManager.unregisterListener(listener)
-            resumed = true
-            cont.resume(null)
+            cont.resume(null) { _, _, _ -> }
             return@suspendCancellableCoroutine
           }
           cont.invokeOnCancellation { sensorManager.unregisterListener(listener) }
@@ -172,6 +170,7 @@ private object SystemMotionDataSource : MotionDataSource {
     return sample?.toInt()?.takeIf { it >= 0 }
   }
 
+  @OptIn(InternalCoroutinesApi::class)
   private suspend fun readAccelerometerSample(
     sensorManager: SensorManager,
     sensor: Sensor,
@@ -181,7 +180,6 @@ private object SystemMotionDataSource : MotionDataSource {
         suspendCancellableCoroutine<AccelerometerSample?> { cont ->
           var count = 0
           var sumDelta = 0.0
-          var resumed = false
           val listener =
             object : SensorEventListener {
               override fun onSensorChanged(event: SensorEvent?) {
@@ -195,15 +193,14 @@ private object SystemMotionDataSource : MotionDataSource {
                   ).toDouble()
                 sumDelta += abs(magnitude - SensorManager.GRAVITY_EARTH.toDouble())
                 count += 1
-                if (count >= ACCELEROMETER_SAMPLE_TARGET && !resumed) {
-                  resumed = true
-                  sensorManager.unregisterListener(this)
-                  cont.resume(
-                    AccelerometerSample(
-                      samples = count,
-                      averageDelta = if (count == 0) 0.0 else sumDelta / count,
-                    ),
+                if (count >= ACCELEROMETER_SAMPLE_TARGET) {
+                  val result = AccelerometerSample(
+                    samples = count,
+                    averageDelta = sumDelta / count,
                   )
+                  val token = cont.tryResume(result) ?: return
+                  cont.completeResume(token)
+                  sensorManager.unregisterListener(this)
                 }
               }
 
@@ -211,8 +208,7 @@ private object SystemMotionDataSource : MotionDataSource {
             }
           val registered = sensorManager.registerListener(listener, sensor, SensorManager.SENSOR_DELAY_NORMAL)
           if (!registered) {
-            resumed = true
-            cont.resume(null)
+            cont.resume(null) { _, _, _ -> }
             return@suspendCancellableCoroutine
           }
           cont.invokeOnCancellation { sensorManager.unregisterListener(listener) }

apps/android/app/src/main/java/ai/openclaw/app/node/PhotosHandler.kt

@@ -71,17 +71,22 @@ private object SystemPhotosDataSource : PhotosDataSource {
     for (row in rows) {
       if (remainingBudget <= 0) break
       val bitmap = decodeScaledBitmap(resolver, row.uri, request.maxWidth) ?: continue
-      val encoded = encodeJpegUnderBudget(bitmap, request.quality, MAX_PER_PHOTO_BASE64_CHARS) ?: continue
-      if (encoded.base64.length > remainingBudget) break
-      remainingBudget -= encoded.base64.length
-      out +=
-        EncodedPhotoPayload(
-          format = "jpeg",
-          base64 = encoded.base64,
-          width = encoded.width,
-          height = encoded.height,
-          createdAt = row.createdAtMs?.let { Instant.ofEpochMilli(it).toString() },
-        )
+      try {
+        val encoded = encodeJpegUnderBudget(bitmap, request.quality, MAX_PER_PHOTO_BASE64_CHARS)
+        if (encoded == null) continue
+        if (encoded.base64.length > remainingBudget) break
+        remainingBudget -= encoded.base64.length
+        out +=
+          EncodedPhotoPayload(
+            format = "jpeg",
+            base64 = encoded.base64,
+            width = encoded.width,
+            height = encoded.height,
+            createdAt = row.createdAtMs?.let { Instant.ofEpochMilli(it).toString() },
+          )
+      } finally {
+        bitmap.recycle()
+      }
     }
     return out
   }
@@ -159,7 +164,11 @@ private object SystemPhotosDataSource : PhotosDataSource {
 
     if (decoded.width <= maxWidth) return decoded
     val targetHeight = max(1, ((decoded.height.toDouble() * maxWidth) / decoded.width).roundToInt())
-    return decoded.scale(maxWidth, targetHeight, true)
+    return try {
+      decoded.scale(maxWidth, targetHeight, true)
+    } finally {
+      decoded.recycle()
+    }
   }
 
   private fun computeInSampleSize(width: Int, maxWidth: Int): Int {
@@ -178,30 +187,36 @@ private object SystemPhotosDataSource : PhotosDataSource {
     maxBase64Chars: Int,
   ): EncodedJpeg? {
     var working = bitmap
-    var jpegQuality = (quality.coerceIn(0.1, 1.0) * 100.0).roundToInt().coerceIn(10, 100)
-    repeat(10) {
-      val out = ByteArrayOutputStream()
-      val ok = working.compress(Bitmap.CompressFormat.JPEG, jpegQuality, out)
-      if (!ok) return null
-      val bytes = out.toByteArray()
-      val base64 = android.util.Base64.encodeToString(bytes, android.util.Base64.NO_WRAP)
-      if (base64.length <= maxBase64Chars) {
-        return EncodedJpeg(
-          base64 = base64,
-          width = working.width,
-          height = working.height,
-        )
+    try {
+      var jpegQuality = (quality.coerceIn(0.1, 1.0) * 100.0).roundToInt().coerceIn(10, 100)
+      repeat(10) {
+        val out = ByteArrayOutputStream()
+        val ok = working.compress(Bitmap.CompressFormat.JPEG, jpegQuality, out)
+        if (!ok) return null
+        val bytes = out.toByteArray()
+        val base64 = android.util.Base64.encodeToString(bytes, android.util.Base64.NO_WRAP)
+        if (base64.length <= maxBase64Chars) {
+          return EncodedJpeg(
+            base64 = base64,
+            width = working.width,
+            height = working.height,
+          )
+        }
+        if (jpegQuality > 35) {
+          jpegQuality = max(25, jpegQuality - 15)
+          return@repeat
+        }
+        val nextWidth = max(240, (working.width * 0.75f).roundToInt())
+        if (nextWidth >= working.width) return null
+        val nextHeight = max(1, ((working.height.toDouble() * nextWidth) / working.width).roundToInt())
+        val previous = working
+        working = working.scale(nextWidth, nextHeight, true)
+        if (previous !== bitmap) previous.recycle()
       }
-      if (jpegQuality > 35) {
-        jpegQuality = max(25, jpegQuality - 15)
-        return@repeat
-      }
-      val nextWidth = max(240, (working.width * 0.75f).roundToInt())
-      if (nextWidth >= working.width) return null
-      val nextHeight = max(1, ((working.height.toDouble() * nextWidth) / working.width).roundToInt())
-      working = working.scale(nextWidth, nextHeight, true)
+      return null
+    } finally {
+      if (working !== bitmap) working.recycle()
     }
-    return null
   }
 }
 

apps/android/app/src/main/java/ai/openclaw/app/protocol/OpenClawCanvasA2UIAction.kt

@@ -58,9 +58,12 @@ object OpenClawCanvasA2UIAction {
   }
 
   fun jsDispatchA2UIActionStatus(actionId: String, ok: Boolean, error: String?): String {
-    val err = (error ?: "").replace("\\", "\\\\").replace("\"", "\\\"")
+    val err = jsonStringLiteral(error ?: "")
     val okLiteral = if (ok) "true" else "false"
-    val idEscaped = actionId.replace("\\", "\\\\").replace("\"", "\\\"")
-    return "window.dispatchEvent(new CustomEvent('openclaw:a2ui-action-status', { detail: { id: \"${idEscaped}\", ok: ${okLiteral}, error: \"${err}\" } }));"
+    val idLiteral = jsonStringLiteral(actionId)
+    return "window.dispatchEvent(new CustomEvent('openclaw:a2ui-action-status', { detail: { id: ${idLiteral}, ok: ${okLiteral}, error: ${err} } }));"
   }
+
+  private fun jsonStringLiteral(raw: String): String =
+    JsonPrimitive(raw).toString().replace("\u2028", "\\u2028").replace("\u2029", "\\u2029")
 }

apps/android/app/src/main/java/ai/openclaw/app/ui/GatewayConfigResolver.kt

@@ -97,8 +97,25 @@ internal fun parseGatewayEndpoint(rawInput: String): GatewayEndpointConfig? {
       "wss", "https" -> true
       else -> true
     }
-  val port = uri.port.takeIf { it in 1..65535 } ?: if (tls) 443 else 18789
-  val displayUrl = "${if (tls) "https" else "http"}://$host:$port"
+  val defaultPort =
+    when (scheme) {
+      "wss", "https" -> 443
+      "ws", "http" -> 18789
+      else -> 443
+    }
+  val displayPort =
+    when (scheme) {
+      "wss", "https" -> 443
+      "ws", "http" -> 80
+      else -> 443
+    }
+  val port = uri.port.takeIf { it in 1..65535 } ?: defaultPort
+  val displayUrl =
+    if (port == displayPort && defaultPort == displayPort) {
+      "${if (tls) "https" else "http"}://$host"
+    } else {
+      "${if (tls) "https" else "http"}://$host:$port"
+    }
 
   return GatewayEndpointConfig(host = host, port = port, tls = tls, displayUrl = displayUrl)
 }

apps/android/app/src/main/java/ai/openclaw/app/ui/OpenClawTheme.kt

@@ -1,13 +1,17 @@
 package ai.openclaw.app.ui
 
+import android.app.Activity
 import androidx.compose.foundation.isSystemInDarkTheme
 import androidx.compose.material3.MaterialTheme
 import androidx.compose.material3.dynamicDarkColorScheme
 import androidx.compose.material3.dynamicLightColorScheme
 import androidx.compose.runtime.Composable
 import androidx.compose.runtime.CompositionLocalProvider
+import androidx.compose.runtime.SideEffect
 import androidx.compose.ui.graphics.Color
 import androidx.compose.ui.platform.LocalContext
+import androidx.compose.ui.platform.LocalView
+import androidx.core.view.WindowCompat
 
 @Composable
 fun OpenClawTheme(content: @Composable () -> Unit) {
@@ -16,6 +20,15 @@ fun OpenClawTheme(content: @Composable () -> Unit) {
   val colorScheme = if (isDark) dynamicDarkColorScheme(context) else dynamicLightColorScheme(context)
   val mobileColors = if (isDark) darkMobileColors() else lightMobileColors()
 
+  val view = LocalView.current
+  if (!view.isInEditMode) {
+    SideEffect {
+      val window = (view.context as Activity).window
+      WindowCompat.getInsetsController(window, window.decorView)
+        .isAppearanceLightStatusBars = !isDark
+    }
+  }
+
   CompositionLocalProvider(LocalMobileColors provides mobileColors) {
     MaterialTheme(colorScheme = colorScheme, content = content)
   }

apps/android/app/src/main/java/ai/openclaw/app/voice/TalkModeManager.kt

@@ -104,6 +104,7 @@ class TalkModeManager(
   private val playbackGeneration = AtomicLong(0L)
 
   private var ttsJob: Job? = null
+  private val playerLock = Any()
   private var player: MediaPlayer? = null
   @Volatile private var finalizeInFlight = false
   private var listenWatchdogJob: Job? = null
@@ -763,7 +764,9 @@ class TalkModeManager(
     try {
       withContext(Dispatchers.IO) { tempFile.writeBytes(audioBytes) }
       val player = MediaPlayer()
-      this.player = player
+      synchronized(playerLock) {
+        this.player = player
+      }
       val finished = CompletableDeferred<Unit>()
       player.setAudioAttributes(
         AudioAttributes.Builder()
@@ -784,7 +787,7 @@ class TalkModeManager(
       ensurePlaybackActive(playbackToken)
     } finally {
       try {
-        cleanupPlayer()
+        cleanupPlayer(player)
       } catch (_: Throwable) {}
       tempFile.delete()
     }
@@ -821,7 +824,11 @@ class TalkModeManager(
       return
     }
     if (resetInterrupt) {
-      val currentMs = player?.currentPosition?.toDouble() ?: 0.0
+      val currentMs = synchronized(playerLock) {
+        try {
+          player?.currentPosition?.toDouble() ?: 0.0
+        } catch (_: IllegalStateException) { 0.0 }
+      }
       lastInterruptedAtSeconds = currentMs / 1000.0
     }
     cleanupPlayer()
@@ -864,10 +871,16 @@ class TalkModeManager(
     audioFocusRequest = null
   }
 
-  private fun cleanupPlayer() {
-    player?.stop()
-    player?.release()
-    player = null
+  private fun cleanupPlayer(expectedPlayer: MediaPlayer? = null) {
+    synchronized(playerLock) {
+      val p = player ?: return
+      if (expectedPlayer != null && p !== expectedPlayer) return
+      player = null
+      try {
+        p.stop()
+      } catch (_: IllegalStateException) {}
+      p.release()
+    }
   }
 
   private fun shouldInterrupt(transcript: String): Boolean {

apps/android/app/src/test/java/ai/openclaw/app/protocol/OpenClawCanvasA2UIActionTest.kt

@@ -46,4 +46,18 @@ class OpenClawCanvasA2UIActionTest {
       js,
     )
   }
+
+  @Test
+  fun jsDispatchA2uiStatusQuotesControlCharacters() {
+    val js =
+      OpenClawCanvasA2UIAction.jsDispatchA2UIActionStatus(
+        actionId = "a1\n\u2028\"",
+        ok = false,
+        error = "parse failed\n\t\u2029\\",
+      )
+    assertEquals(
+      "window.dispatchEvent(new CustomEvent('openclaw:a2ui-action-status', { detail: { id: \"a1\\n\\u2028\\\"\", ok: false, error: \"parse failed\\n\\t\\u2029\\\\\" } }));",
+      js,
+    )
+  }
 }

apps/android/app/src/test/java/ai/openclaw/app/ui/GatewayConfigResolverTest.kt

@@ -4,8 +4,86 @@ import java.util.Base64
 import org.junit.Assert.assertEquals
 import org.junit.Assert.assertNull
 import org.junit.Test
+import org.junit.runner.RunWith
+import org.robolectric.RobolectricTestRunner
 
+@RunWith(RobolectricTestRunner::class)
 class GatewayConfigResolverTest {
+  @Test
+  fun parseGatewayEndpointUsesDefaultTlsPortForBareWssUrls() {
+    val parsed = parseGatewayEndpoint("wss://gateway.example")
+
+    assertEquals(
+      GatewayEndpointConfig(
+        host = "gateway.example",
+        port = 443,
+        tls = true,
+        displayUrl = "https://gateway.example",
+      ),
+      parsed,
+    )
+  }
+
+  @Test
+  fun parseGatewayEndpointUsesDefaultCleartextPortForBareWsUrls() {
+    val parsed = parseGatewayEndpoint("ws://gateway.example")
+
+    assertEquals(
+      GatewayEndpointConfig(
+        host = "gateway.example",
+        port = 18789,
+        tls = false,
+        displayUrl = "http://gateway.example:18789",
+      ),
+      parsed,
+    )
+  }
+
+  @Test
+  fun parseGatewayEndpointOmitsExplicitDefaultTlsPortFromDisplayUrl() {
+    val parsed = parseGatewayEndpoint("https://gateway.example:443")
+
+    assertEquals(
+      GatewayEndpointConfig(
+        host = "gateway.example",
+        port = 443,
+        tls = true,
+        displayUrl = "https://gateway.example",
+      ),
+      parsed,
+    )
+  }
+
+  @Test
+  fun parseGatewayEndpointKeepsExplicitNonDefaultPortInDisplayUrl() {
+    val parsed = parseGatewayEndpoint("http://gateway.example:8080")
+
+    assertEquals(
+      GatewayEndpointConfig(
+        host = "gateway.example",
+        port = 8080,
+        tls = false,
+        displayUrl = "http://gateway.example:8080",
+      ),
+      parsed,
+    )
+  }
+
+  @Test
+  fun parseGatewayEndpointKeepsExplicitCleartextPort80InDisplayUrl() {
+    val parsed = parseGatewayEndpoint("http://gateway.example:80")
+
+    assertEquals(
+      GatewayEndpointConfig(
+        host = "gateway.example",
+        port = 80,
+        tls = false,
+        displayUrl = "http://gateway.example:80",
+      ),
+      parsed,
+    )
+  }
+
   @Test
   fun resolveScannedSetupCodeAcceptsRawSetupCode() {
     val setupCode =

apps/ios/Config/Version.xcconfig

@@ -1,8 +1,8 @@
 // Shared iOS version defaults.
 // Generated overrides live in build/Version.xcconfig (git-ignored).
 
-OPENCLAW_GATEWAY_VERSION = 2026.3.14
-OPENCLAW_MARKETING_VERSION = 2026.3.14
-OPENCLAW_BUILD_VERSION = 202603140
+OPENCLAW_GATEWAY_VERSION = 2026.3.22
+OPENCLAW_MARKETING_VERSION = 2026.3.22
+OPENCLAW_BUILD_VERSION = 202603220
 
 #include? "../build/Version.xcconfig"

apps/ios/README.md

@@ -65,9 +65,9 @@ Release behavior:
 - Beta release also switches the app to `OpenClawPushTransport=relay`, `OpenClawPushDistribution=official`, and `OpenClawPushAPNsEnvironment=production`.
 - The beta flow does not modify `apps/ios/.local-signing.xcconfig` or `apps/ios/LocalSigning.xcconfig`.
 - Root `package.json.version` is the only version source for iOS.
-- A root version like `2026.3.13-beta.1` becomes:
-  - `CFBundleShortVersionString = 2026.3.13`
-  - `CFBundleVersion = next TestFlight build number for 2026.3.13`
+- A root version like `2026.3.22-beta.1` becomes:
+  - `CFBundleShortVersionString = 2026.3.22`
+  - `CFBundleVersion = next TestFlight build number for 2026.3.22`
 
 Required env for beta builds:
 

apps/ios/fastlane/Fastfile

@@ -99,7 +99,7 @@ def normalize_release_version(raw_value)
   version = raw_value.to_s.strip.sub(/\Av/, "")
   UI.user_error!("Missing root package.json version.") unless env_present?(version)
   unless version.match?(/\A\d+\.\d+\.\d+(?:[.-]?beta[.-]\d+)?\z/i)
-    UI.user_error!("Invalid package.json version '#{raw_value}'. Expected 2026.3.13 or 2026.3.13-beta.1.")
+    UI.user_error!("Invalid package.json version '#{raw_value}'. Expected 2026.3.22 or 2026.3.22-beta.1.")
   end
 
   version

apps/macos/Sources/OpenClaw/AppState.swift

@@ -783,7 +783,7 @@ extension AppState {
         remoteToken: String,
         remoteTokenDirty: Bool) -> [String: Any]
     {
-        Self.updatedRemoteGatewayConfig(
+        self.updatedRemoteGatewayConfig(
             current: current,
             transport: transport,
             remoteUrl: remoteUrl,
@@ -804,7 +804,7 @@ extension AppState {
         remoteToken: String,
         remoteTokenDirty: Bool) -> [String: Any]
     {
-        Self.syncedGatewayRoot(
+        self.syncedGatewayRoot(
             currentRoot: currentRoot,
             connectionMode: connectionMode,
             remoteTransport: remoteTransport,

apps/macos/Sources/OpenClaw/CanvasA2UIActionMessageHandler.swift

@@ -8,8 +8,8 @@ final class CanvasA2UIActionMessageHandler: NSObject, WKScriptMessageHandler {
     static let messageName = "openclawCanvasA2UIAction"
     static let allMessageNames = [messageName]
 
-    // Compatibility helper for debug/test shims. Runtime dispatch remains
-    // limited to in-app canvas schemes in `didReceive`.
+    /// Compatibility helper for debug/test shims. Runtime dispatch remains
+    /// limited to in-app canvas schemes in `didReceive`.
     static func isLocalNetworkCanvasURL(_ url: URL) -> Bool {
         guard let scheme = url.scheme?.lowercased(), scheme == "http" || scheme == "https" else {
             return false

apps/macos/Sources/OpenClaw/CanvasWindowController.swift

@@ -57,8 +57,7 @@ final class CanvasWindowController: NSWindowController, WKNavigationDelegate, NS
         let allowedSchemesJSON = (
             try? String(
                 data: JSONSerialization.data(withJSONObject: CanvasScheme.allSchemes),
-                encoding: .utf8)
-        ) ?? "[]"
+                encoding: .utf8)) ?? "[]"
         let bridgeScript = """
         (() => {
           try {

apps/macos/Sources/OpenClaw/CronJobEditor+Helpers.swift

@@ -17,10 +17,10 @@ extension CronJobEditor {
         self.enabled = job.enabled
         self.deleteAfterRun = job.deleteAfterRun ?? false
         switch job.parsedSessionTarget {
-        case .predefined(let target):
+        case let .predefined(target):
             self.sessionTarget = target
             self.preservedSessionTargetRaw = nil
-        case .session(let id):
+        case let .session(id):
             self.sessionTarget = .isolated
             self.preservedSessionTargetRaw = "session:\(id)"
         }
@@ -265,7 +265,10 @@ extension CronJobEditor {
     }
 
     var effectiveSessionTargetRaw: String {
-        if self.sessionTarget == .isolated, let preserved = self.preservedSessionTargetRaw?.trimmingCharacters(in: .whitespacesAndNewlines), !preserved.isEmpty {
+        if self.sessionTarget == .isolated,
+           let preserved = self.preservedSessionTargetRaw?.trimmingCharacters(in: .whitespacesAndNewlines),
+           !preserved.isEmpty
+        {
             return preserved
         }
         return self.sessionTarget.rawValue

apps/macos/Sources/OpenClaw/CronModels.swift

@@ -16,10 +16,10 @@ enum CronCustomSessionTarget: Codable, Equatable {
 
     var rawValue: String {
         switch self {
-        case .predefined(let target):
-            return target.rawValue
-        case .session(let id):
-            return "session:\(id)"
+        case let .predefined(target):
+            target.rawValue
+        case let .session(id):
+            "session:\(id)"
         }
     }
 
@@ -328,10 +328,10 @@ struct CronJob: Identifiable, Codable, Equatable {
     /// predefined enum.
     var sessionTarget: CronSessionTarget {
         switch self.parsedSessionTarget {
-        case .predefined(let target):
-            return target
+        case let .predefined(target):
+            target
         case .session:
-            return .isolated
+            .isolated
         }
     }
 
@@ -342,20 +342,20 @@ struct CronJob: Identifiable, Codable, Equatable {
     var transcriptSessionKey: String? {
         switch self.parsedSessionTarget {
         case .predefined(.main):
-            return nil
+            nil
         case .predefined(.isolated), .predefined(.current):
-            return "cron:\(self.id)"
-        case .session(let id):
-            return id
+            "cron:\(self.id)"
+        case let .session(id):
+            id
         }
     }
 
     var supportsAnnounceDelivery: Bool {
         switch self.parsedSessionTarget {
         case .predefined(.main):
-            return false
+            false
         case .predefined(.isolated), .predefined(.current), .session:
-            return true
+            true
         }
     }
 

apps/macos/Sources/OpenClaw/ExecApprovalsGatewayPrompter.swift

@@ -89,11 +89,11 @@ final class ExecApprovalsGatewayPrompter {
     private static func shouldAsk(security: ExecSecurity, ask: ExecAsk) -> Bool {
         switch ask {
         case .always:
-            return true
+            true
         case .onMiss:
-            return security == .allowlist
+            security == .allowlist
         case .off:
-            return false
+            false
         }
     }
 
@@ -113,21 +113,21 @@ final class ExecApprovalsGatewayPrompter {
         let mode = AppStateStore.shared.connectionMode
         let activeSession = WebChatManager.shared.activeSessionKey?.trimmingCharacters(in: .whitespacesAndNewlines)
         let requestSession = request.request.sessionKey?.trimmingCharacters(in: .whitespacesAndNewlines)
-        
+
         // Read-only resolve to avoid disk writes on the MainActor
         let approvals = ExecApprovalsStore.resolveReadOnly(agentId: request.request.agentId)
         let security = approvals.agent.security
         let ask = approvals.agent.ask
-        
+
         let shouldAsk = Self.shouldAsk(security: security, ask: ask)
-        
+
         let canPresent = shouldAsk && Self.shouldPresent(
             mode: mode,
             activeSession: activeSession,
             requestSession: requestSession,
             lastInputSeconds: Self.lastInputSeconds(),
             thresholdSeconds: 120)
-        
+
         return PresentationDecision(
             shouldAsk: shouldAsk,
             canPresent: canPresent,

apps/macos/Sources/OpenClaw/ExecCommandResolution.swift

@@ -25,8 +25,16 @@ struct ExecCommandResolution {
         cwd: String?,
         env: [String: String]?) -> [ExecCommandResolution]
     {
-        let shell = ExecShellWrapperParser.extract(command: command, rawCommand: rawCommand)
+        // Allowlist resolution must follow actual argv execution for wrappers.
+        // `rawCommand` is caller-supplied display text and may be canonicalized.
+        let shell = ExecShellWrapperParser.extract(command: command, rawCommand: nil)
         if shell.isWrapper {
+            // Fail closed when env modifiers precede a shell wrapper. This mirrors
+            // system-run binding behavior where such invocations must stay bound to
+            // full argv and must not be auto-allowlisted by payload-only matches.
+            if ExecSystemRunCommandValidator.hasEnvManipulationBeforeShellWrapper(command) {
+                return []
+            }
             guard let shellCommand = shell.command,
                   let segments = self.splitShellCommandChain(shellCommand)
             else {
@@ -46,7 +54,12 @@ struct ExecCommandResolution {
             return resolutions
         }
 
-        guard let resolution = self.resolve(command: command, rawCommand: rawCommand, cwd: cwd, env: env) else {
+        guard let resolution = self.resolveForAllowlistCommand(
+            command: command,
+            rawCommand: rawCommand,
+            cwd: cwd,
+            env: env)
+        else {
             return []
         }
         return [resolution]
@@ -70,6 +83,23 @@ struct ExecCommandResolution {
     }
 
     static func resolve(command: [String], cwd: String?, env: [String: String]?) -> ExecCommandResolution? {
+        let effective = ExecEnvInvocationUnwrapper.unwrapTransparentDispatchWrappersForResolution(command)
+        guard let raw = effective.first?.trimmingCharacters(in: .whitespacesAndNewlines), !raw.isEmpty else {
+            return nil
+        }
+        return self.resolveExecutable(rawExecutable: raw, cwd: cwd, env: env)
+    }
+
+    private static func resolveForAllowlistCommand(
+        command: [String],
+        rawCommand: String?,
+        cwd: String?,
+        env: [String: String]?) -> ExecCommandResolution?
+    {
+        let trimmedRaw = rawCommand?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
+        if !trimmedRaw.isEmpty, let token = self.parseFirstToken(trimmedRaw) {
+            return self.resolveExecutable(rawExecutable: token, cwd: cwd, env: env)
+        }
         let effective = ExecEnvInvocationUnwrapper.unwrapDispatchWrappersForResolution(command)
         guard let raw = effective.first?.trimmingCharacters(in: .whitespacesAndNewlines), !raw.isEmpty else {
             return nil

apps/macos/Sources/OpenClaw/ExecEnvInvocationUnwrapper.swift

@@ -110,4 +110,50 @@ enum ExecEnvInvocationUnwrapper {
         }
         return current
     }
+
+    private static func unwrapTransparentEnvInvocation(_ command: [String]) -> [String]? {
+        var idx = 1
+        while idx < command.count {
+            let token = command[idx].trimmingCharacters(in: .whitespacesAndNewlines)
+            if token.isEmpty {
+                idx += 1
+                continue
+            }
+            if token == "--" {
+                idx += 1
+                break
+            }
+            if token == "-" {
+                return nil
+            }
+            if self.isEnvAssignment(token) {
+                return nil
+            }
+            if token.hasPrefix("-"), token != "-" {
+                return nil
+            }
+            break
+        }
+        guard idx < command.count else { return nil }
+        return Array(command[idx...])
+    }
+
+    static func unwrapTransparentDispatchWrappersForResolution(_ command: [String]) -> [String] {
+        var current = command
+        var depth = 0
+        while depth < self.maxWrapperDepth {
+            guard let token = current.first?.trimmingCharacters(in: .whitespacesAndNewlines), !token.isEmpty else {
+                break
+            }
+            guard ExecCommandToken.basenameLower(token) == "env" else {
+                break
+            }
+            guard let unwrapped = self.unwrapTransparentEnvInvocation(current), !unwrapped.isEmpty else {
+                break
+            }
+            current = unwrapped
+            depth += 1
+        }
+        return current
+    }
 }

apps/macos/Sources/OpenClaw/ExecSystemRunCommandValidator.swift

@@ -53,23 +53,27 @@ enum ExecSystemRunCommandValidator {
         let envManipulationBeforeShellWrapper = self.hasEnvManipulationBeforeShellWrapper(command)
         let shellWrapperPositionalArgv = self.hasTrailingPositionalArgvAfterInlineCommand(command)
         let mustBindDisplayToFullArgv = envManipulationBeforeShellWrapper || shellWrapperPositionalArgv
-        let formattedArgv = ExecCommandFormatter.displayString(for: command)
-        let previewCommand: String? = if let shellCommand, !mustBindDisplayToFullArgv {
+        let canonicalDisplay = ExecCommandFormatter.displayString(for: command)
+        let legacyShellDisplay: String? = if let shellCommand, !mustBindDisplayToFullArgv {
             shellCommand
         } else {
             nil
         }
 
-        if let raw = normalizedRaw, raw != formattedArgv, raw != previewCommand {
-            return .invalid(message: "INVALID_REQUEST: rawCommand does not match command")
+        if let raw = normalizedRaw {
+            let matchesCanonical = raw == canonicalDisplay
+            let matchesLegacyShellText = legacyShellDisplay == raw
+            if !matchesCanonical, !matchesLegacyShellText {
+                return .invalid(message: "INVALID_REQUEST: rawCommand does not match command")
+            }
         }
 
         return .ok(ResolvedCommand(
-            displayCommand: formattedArgv,
+            displayCommand: canonicalDisplay,
             evaluationRawCommand: self.allowlistEvaluationRawCommand(
                 normalizedRaw: normalizedRaw,
                 shellIsWrapper: shell.isWrapper,
-                previewCommand: previewCommand)))
+                previewCommand: legacyShellDisplay)))
     }
 
     static func allowlistEvaluationRawCommand(command: [String], rawCommand: String?) -> String? {
@@ -149,7 +153,12 @@ enum ExecSystemRunCommandValidator {
                 idx += 1
                 continue
             }
-            if token == "--" || token == "-" {
+            if token == "--" {
+                idx += 1
+                break
+            }
+            if token == "-" {
+                usesModifiers = true
                 idx += 1
                 break
             }
@@ -221,7 +230,7 @@ enum ExecSystemRunCommandValidator {
         return Array(argv[appletIndex...])
     }
 
-    private static func hasEnvManipulationBeforeShellWrapper(
+    static func hasEnvManipulationBeforeShellWrapper(
         _ argv: [String],
         depth: Int = 0,
         envManipulationSeen: Bool = false) -> Bool

apps/macos/Sources/OpenClaw/NodeMode/MacNodeBrowserProxy.swift

@@ -147,7 +147,9 @@ actor MacNodeBrowserProxy {
         }
 
         if method != "GET", let body = params.body {
-            request.httpBody = try JSONSerialization.data(withJSONObject: body.foundationValue, options: [.fragmentsAllowed])
+            request.httpBody = try JSONSerialization.data(
+                withJSONObject: body.foundationValue,
+                options: [.fragmentsAllowed])
             request.setValue("application/json", forHTTPHeaderField: "Content-Type")
         }
 

apps/macos/Sources/OpenClaw/OnboardingView+Pages.swift

@@ -337,7 +337,6 @@ extension OnboardingView {
         self.remoteProbePreflightMessage == nil && self.remoteProbeState != .checking
     }
 
-    @ViewBuilder
     private func remoteConnectionSection() -> some View {
         VStack(alignment: .leading, spacing: 10) {
             HStack(alignment: .top, spacing: 12) {
@@ -503,17 +502,17 @@ extension OnboardingView {
     {
         switch issue {
         case .tokenRequired:
-            return ("key.fill", .orange)
+            ("key.fill", .orange)
         case .tokenMismatch:
-            return ("exclamationmark.triangle.fill", .orange)
+            ("exclamationmark.triangle.fill", .orange)
         case .gatewayTokenNotConfigured:
-            return ("wrench.and.screwdriver.fill", .orange)
+            ("wrench.and.screwdriver.fill", .orange)
         case .setupCodeExpired:
-            return ("qrcode.viewfinder", .orange)
+            ("qrcode.viewfinder", .orange)
         case .passwordRequired:
-            return ("lock.slash.fill", .orange)
+            ("lock.slash.fill", .orange)
         case .pairingRequired:
-            return ("link.badge.plus", .orange)
+            ("link.badge.plus", .orange)
         }
     }
 

apps/macos/Sources/OpenClaw/RemoteGatewayProbe.swift

@@ -180,7 +180,7 @@ enum RemoteGatewayProbe {
         }
 
         do {
-            _ = try await GatewayConnection.shared.healthSnapshot(timeoutMs: 10_000)
+            _ = try await GatewayConnection.shared.healthSnapshot(timeoutMs: 10000)
             let authSource = await GatewayConnection.shared.authSource()
             return .ready(RemoteGatewayProbeSuccess(authSource: authSource))
         } catch {

apps/macos/Sources/OpenClaw/Resources/Info.plist

@@ -15,9 +15,9 @@
     <key>CFBundlePackageType</key>
     <string>APPL</string>
     <key>CFBundleShortVersionString</key>
-    <string>2026.3.14</string>
+    <string>2026.3.22</string>
     <key>CFBundleVersion</key>
-    <string>202603140</string>
+    <string>202603220</string>
     <key>CFBundleIconFile</key>
     <string>OpenClaw</string>
     <key>CFBundleURLTypes</key>

apps/macos/Sources/OpenClaw/TalkModeGatewayConfig.swift

@@ -23,8 +23,8 @@ enum TalkModeGatewayConfigParser {
         defaultSilenceTimeoutMs: Int,
         envVoice: String?,
         sagVoice: String?,
-        envApiKey: String?
-    ) -> TalkModeGatewayConfigState {
+        envApiKey: String?) -> TalkModeGatewayConfigState
+    {
         let talk = snapshot.config?["talk"]?.dictionaryValue
         let selection = TalkConfigParsing.selectProviderConfig(talk, defaultProvider: defaultProvider)
         let activeProvider = selection?.provider ?? defaultProvider
@@ -81,8 +81,8 @@ enum TalkModeGatewayConfigParser {
         defaultSilenceTimeoutMs: Int,
         envVoice: String?,
         sagVoice: String?,
-        envApiKey: String?
-    ) -> TalkModeGatewayConfigState {
+        envApiKey: String?) -> TalkModeGatewayConfigState
+    {
         let resolvedVoice =
             (envVoice?.isEmpty == false ? envVoice : nil) ??
             (sagVoice?.isEmpty == false ? sagVoice : nil)

apps/macos/Sources/OpenClawProtocol/GatewayModels.swift

@@ -2780,54 +2780,6 @@ public struct SkillsBinsResult: Codable, Sendable {
     }
 }
 
-public struct SkillsInstallParams: Codable, Sendable {
-    public let name: String
-    public let installid: String
-    public let timeoutms: Int?
-
-    public init(
-        name: String,
-        installid: String,
-        timeoutms: Int?)
-    {
-        self.name = name
-        self.installid = installid
-        self.timeoutms = timeoutms
-    }
-
-    private enum CodingKeys: String, CodingKey {
-        case name
-        case installid = "installId"
-        case timeoutms = "timeoutMs"
-    }
-}
-
-public struct SkillsUpdateParams: Codable, Sendable {
-    public let skillkey: String
-    public let enabled: Bool?
-    public let apikey: String?
-    public let env: [String: AnyCodable]?
-
-    public init(
-        skillkey: String,
-        enabled: Bool?,
-        apikey: String?,
-        env: [String: AnyCodable]?)
-    {
-        self.skillkey = skillkey
-        self.enabled = enabled
-        self.apikey = apikey
-        self.env = env
-    }
-
-    private enum CodingKeys: String, CodingKey {
-        case skillkey = "skillKey"
-        case enabled
-        case apikey = "apiKey"
-        case env
-    }
-}
-
 public struct CronJob: Codable, Sendable {
     public let id: String
     public let agentid: String?

apps/macos/Tests/OpenClawIPCTests/ExecAllowlistTests.swift

@@ -110,6 +110,41 @@ struct ExecAllowlistTests {
         #expect(resolutions[1].executableName == "touch")
     }
 
+    @Test func `resolve for allowlist uses wrapper argv payload even with canonical raw command`() {
+        let command = ["/bin/sh", "-lc", "echo allowlisted && /usr/bin/touch /tmp/openclaw-allowlist-test"]
+        let canonicalRaw = "/bin/sh -lc \"echo allowlisted && /usr/bin/touch /tmp/openclaw-allowlist-test\""
+        let resolutions = ExecCommandResolution.resolveForAllowlist(
+            command: command,
+            rawCommand: canonicalRaw,
+            cwd: nil,
+            env: ["PATH": "/usr/bin:/bin"])
+        #expect(resolutions.count == 2)
+        #expect(resolutions[0].executableName == "echo")
+        #expect(resolutions[1].executableName == "touch")
+    }
+
+    @Test func `resolve for allowlist fails closed for env modified shell wrappers`() {
+        let command = ["/usr/bin/env", "BASH_ENV=/tmp/payload.sh", "bash", "-lc", "echo allowlisted"]
+        let canonicalRaw = "/usr/bin/env BASH_ENV=/tmp/payload.sh bash -lc \"echo allowlisted\""
+        let resolutions = ExecCommandResolution.resolveForAllowlist(
+            command: command,
+            rawCommand: canonicalRaw,
+            cwd: nil,
+            env: ["PATH": "/usr/bin:/bin"])
+        #expect(resolutions.isEmpty)
+    }
+
+    @Test func `resolve for allowlist fails closed for env dash shell wrappers`() {
+        let command = ["/usr/bin/env", "-", "bash", "-lc", "echo allowlisted"]
+        let canonicalRaw = "/usr/bin/env - bash -lc \"echo allowlisted\""
+        let resolutions = ExecCommandResolution.resolveForAllowlist(
+            command: command,
+            rawCommand: canonicalRaw,
+            cwd: nil,
+            env: ["PATH": "/usr/bin:/bin"])
+        #expect(resolutions.isEmpty)
+    }
+
     @Test func `resolve for allowlist keeps quoted operators in single segment`() {
         let command = ["/bin/sh", "-lc", "echo \"a && b\""]
         let resolutions = ExecCommandResolution.resolveForAllowlist(
@@ -200,6 +235,16 @@ struct ExecAllowlistTests {
         }
     }
 
+    @Test func `resolve keeps env dash wrapper as effective executable`() {
+        let resolution = ExecCommandResolution.resolve(
+            command: ["/usr/bin/env", "-", "/usr/bin/printf", "ok"],
+            cwd: nil,
+            env: ["PATH": "/usr/bin:/bin"])
+        #expect(resolution?.rawExecutable == "/usr/bin/env")
+        #expect(resolution?.resolvedPath == "/usr/bin/env")
+        #expect(resolution?.executableName == "env")
+    }
+
     @Test func `resolve for allowlist treats plain sh invocation as direct exec`() {
         let command = ["/bin/sh", "./script.sh"]
         let resolutions = ExecCommandResolution.resolveForAllowlist(

apps/macos/Tests/OpenClawIPCTests/ExecSystemRunCommandValidatorTests.swift

@@ -64,6 +64,27 @@ struct ExecSystemRunCommandValidatorTests {
         }
     }
 
+    @Test func `env dash shell wrapper requires canonical raw command binding`() {
+        let command = ["/usr/bin/env", "-", "bash", "-lc", "echo hi"]
+
+        let legacy = ExecSystemRunCommandValidator.resolve(command: command, rawCommand: "echo hi")
+        switch legacy {
+        case .ok:
+            Issue.record("expected rawCommand mismatch for env dash prelude")
+        case let .invalid(message):
+            #expect(message.contains("rawCommand does not match command"))
+        }
+
+        let canonicalRaw = "/usr/bin/env - bash -lc \"echo hi\""
+        let canonical = ExecSystemRunCommandValidator.resolve(command: command, rawCommand: canonicalRaw)
+        switch canonical {
+        case let .ok(resolved):
+            #expect(resolved.displayCommand == canonicalRaw)
+        case let .invalid(message):
+            Issue.record("unexpected invalid result for canonical raw command: \(message)")
+        }
+    }
+
     private static func loadContractCases() throws -> [SystemRunCommandContractCase] {
         let fixtureURL = try self.findContractFixtureURL()
         let data = try Data(contentsOf: fixtureURL)

apps/shared/OpenClawKit/Sources/OpenClawProtocol/GatewayModels.swift

@@ -2780,54 +2780,6 @@ public struct SkillsBinsResult: Codable, Sendable {
     }
 }
 
-public struct SkillsInstallParams: Codable, Sendable {
-    public let name: String
-    public let installid: String
-    public let timeoutms: Int?
-
-    public init(
-        name: String,
-        installid: String,
-        timeoutms: Int?)
-    {
-        self.name = name
-        self.installid = installid
-        self.timeoutms = timeoutms
-    }
-
-    private enum CodingKeys: String, CodingKey {
-        case name
-        case installid = "installId"
-        case timeoutms = "timeoutMs"
-    }
-}
-
-public struct SkillsUpdateParams: Codable, Sendable {
-    public let skillkey: String
-    public let enabled: Bool?
-    public let apikey: String?
-    public let env: [String: AnyCodable]?
-
-    public init(
-        skillkey: String,
-        enabled: Bool?,
-        apikey: String?,
-        env: [String: AnyCodable]?)
-    {
-        self.skillkey = skillkey
-        self.enabled = enabled
-        self.apikey = apikey
-        self.env = env
-    }
-
-    private enum CodingKeys: String, CodingKey {
-        case skillkey = "skillKey"
-        case enabled
-        case apikey = "apiKey"
-        case env
-    }
-}
-
 public struct CronJob: Codable, Sendable {
     public let id: String
     public let agentid: String?

docs/.generated/README.md

@@ -4,5 +4,9 @@ These baseline artifacts are generated from the repo-owned OpenClaw config schem
 
 - Do not edit `config-baseline.json` by hand.
 - Do not edit `config-baseline.jsonl` by hand.
-- Regenerate it with `pnpm config:docs:gen`.
-- Validate it in CI or locally with `pnpm config:docs:check`.
+- Do not edit `plugin-sdk-api-baseline.json` by hand.
+- Do not edit `plugin-sdk-api-baseline.jsonl` by hand.
+- Regenerate config baseline artifacts with `pnpm config:docs:gen`.
+- Validate config baseline artifacts in CI or locally with `pnpm config:docs:check`.
+- Regenerate Plugin SDK API baseline artifacts with `pnpm plugin-sdk:api:gen`.
+- Validate Plugin SDK API baseline artifacts in CI or locally with `pnpm plugin-sdk:api:check`.

docs/.generated/config-baseline.json

@@ -4111,6 +4111,20 @@
       "tags": [],
       "hasChildren": false
     },
+    {
+      "path": "agents.list.*.fastModeDefault",
+      "kind": "core",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Agent Fast Mode Default",
+      "help": "Optional per-agent default for fast mode. Applies when no per-message or session fast-mode override is set.",
+      "hasChildren": false
+    },
     {
       "path": "agents.list.*.groupChat",
       "kind": "core",
@@ -5226,6 +5240,25 @@
       "tags": [],
       "hasChildren": false
     },
+    {
+      "path": "agents.list.*.reasoningDefault",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "enumValues": [
+        "on",
+        "off",
+        "stream"
+      ],
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Agent Reasoning Default",
+      "help": "Optional per-agent default reasoning visibility (on|off|stream). Applies when no per-message or session reasoning override is set.",
+      "hasChildren": false
+    },
     {
       "path": "agents.list.*.runtime",
       "kind": "core",
@@ -6287,6 +6320,29 @@
       "tags": [],
       "hasChildren": false
     },
+    {
+      "path": "agents.list.*.thinkingDefault",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "enumValues": [
+        "off",
+        "minimal",
+        "low",
+        "medium",
+        "high",
+        "xhigh",
+        "adaptive"
+      ],
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Agent Thinking Default",
+      "help": "Optional per-agent default thinking level. Overrides agents.defaults.thinkingDefault for this agent when no per-message or session override is set.",
+      "hasChildren": false
+    },
     {
       "path": "agents.list.*.tools",
       "kind": "core",
@@ -6813,6 +6869,16 @@
       "tags": [],
       "hasChildren": false
     },
+    {
+      "path": "agents.list.*.tools.exec.strictInlineEval",
+      "kind": "core",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
     {
       "path": "agents.list.*.tools.exec.timeoutSec",
       "kind": "core",
@@ -42090,6 +42156,46 @@
       "tags": [],
       "hasChildren": true
     },
+    {
+      "path": "hooks.internal.installs.*.clawhubChannel",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "hooks.internal.installs.*.clawhubFamily",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "hooks.internal.installs.*.clawhubPackage",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "hooks.internal.installs.*.clawhubUrl",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
     {
       "path": "hooks.internal.installs.*.hooks",
       "kind": "core",
@@ -57618,6 +57724,46 @@
       "tags": [],
       "hasChildren": true
     },
+    {
+      "path": "plugins.installs.*.clawhubChannel",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.installs.*.clawhubFamily",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.installs.*.clawhubPackage",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.installs.*.clawhubUrl",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
     {
       "path": "plugins.installs.*.installedAt",
       "kind": "core",
@@ -60374,6 +60520,20 @@
       "help": "Execution security posture selector controlling sandbox/approval expectations for command execution. Keep strict security mode for untrusted prompts and relax only for trusted operator workflows.",
       "hasChildren": false
     },
+    {
+      "path": "tools.exec.strictInlineEval",
+      "kind": "core",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "tools"
+      ],
+      "label": "Require Inline-Eval Approval",
+      "help": "Require explicit approval for interpreter inline-eval forms such as `python -c`, `node -e`, `ruby -e`, or `osascript -e`. Prevents silent allowlist reuse and downgrades allow-always to ask-each-time for those forms.",
+      "hasChildren": false
+    },
     {
       "path": "tools.exec.timeoutSec",
       "kind": "core",

docs/.generated/config-baseline.jsonl

@@ -1,4 +1,4 @@
-{"generatedBy":"scripts/generate-config-doc-baseline.ts","recordType":"meta","totalPaths":5563}
+{"generatedBy":"scripts/generate-config-doc-baseline.ts","recordType":"meta","totalPaths":5576}
 {"recordType":"path","path":"acp","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"ACP","help":"ACP runtime controls for enabling dispatch, selecting backends, constraining allowed agent targets, and tuning streamed turn projection behavior.","hasChildren":true}
 {"recordType":"path","path":"acp.allowedAgents","kind":"core","type":"array","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"ACP Allowed Agents","help":"Allowlist of ACP target agent ids permitted for ACP runtime sessions. Empty means no additional allowlist restriction.","hasChildren":true}
 {"recordType":"path","path":"acp.allowedAgents.*","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
@@ -354,6 +354,7 @@
 {"recordType":"path","path":"agents.list.*","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
 {"recordType":"path","path":"agents.list.*.agentDir","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"agents.list.*.default","kind":"core","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.list.*.fastModeDefault","kind":"core","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Agent Fast Mode Default","help":"Optional per-agent default for fast mode. Applies when no per-message or session fast-mode override is set.","hasChildren":false}
 {"recordType":"path","path":"agents.list.*.groupChat","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
 {"recordType":"path","path":"agents.list.*.groupChat.historyLimit","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"agents.list.*.groupChat.mentionPatterns","kind":"core","type":"array","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
@@ -463,6 +464,7 @@
 {"recordType":"path","path":"agents.list.*.name","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"agents.list.*.params","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
 {"recordType":"path","path":"agents.list.*.params.*","kind":"core","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.list.*.reasoningDefault","kind":"core","type":"string","required":false,"enumValues":["on","off","stream"],"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Agent Reasoning Default","help":"Optional per-agent default reasoning visibility (on|off|stream). Applies when no per-message or session reasoning override is set.","hasChildren":false}
 {"recordType":"path","path":"agents.list.*.runtime","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Agent Runtime","help":"Optional runtime descriptor for this agent. Use embedded for default OpenClaw execution or acp for external ACP harness defaults.","hasChildren":true}
 {"recordType":"path","path":"agents.list.*.runtime.acp","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Agent ACP Runtime","help":"ACP runtime defaults for this agent when runtime.type=acp. Binding-level ACP overrides still take precedence per conversation.","hasChildren":true}
 {"recordType":"path","path":"agents.list.*.runtime.acp.agent","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Agent ACP Harness Agent","help":"Optional ACP harness agent id to use for this OpenClaw agent (for example codex, claude).","hasChildren":false}
@@ -561,6 +563,7 @@
 {"recordType":"path","path":"agents.list.*.subagents.model.fallbacks.*","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"agents.list.*.subagents.model.primary","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"agents.list.*.subagents.thinking","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.list.*.thinkingDefault","kind":"core","type":"string","required":false,"enumValues":["off","minimal","low","medium","high","xhigh","adaptive"],"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Agent Thinking Default","help":"Optional per-agent default thinking level. Overrides agents.defaults.thinkingDefault for this agent when no per-message or session override is set.","hasChildren":false}
 {"recordType":"path","path":"agents.list.*.tools","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
 {"recordType":"path","path":"agents.list.*.tools.allow","kind":"core","type":"array","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
 {"recordType":"path","path":"agents.list.*.tools.allow.*","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
@@ -611,6 +614,7 @@
 {"recordType":"path","path":"agents.list.*.tools.exec.safeBinTrustedDirs","kind":"core","type":"array","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
 {"recordType":"path","path":"agents.list.*.tools.exec.safeBinTrustedDirs.*","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"agents.list.*.tools.exec.security","kind":"core","type":"string","required":false,"enumValues":["deny","allowlist","full"],"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.list.*.tools.exec.strictInlineEval","kind":"core","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"agents.list.*.tools.exec.timeoutSec","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"agents.list.*.tools.fs","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
 {"recordType":"path","path":"agents.list.*.tools.fs.workspaceOnly","kind":"core","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
@@ -3753,6 +3757,10 @@
 {"recordType":"path","path":"hooks.internal.handlers.*.module","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Internal Hook Module","help":"Safe relative module path for the internal hook handler implementation loaded at runtime. Keep module files in reviewed directories and avoid dynamic path composition.","hasChildren":false}
 {"recordType":"path","path":"hooks.internal.installs","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Internal Hook Install Records","help":"Install metadata for internal hook modules, including source and resolved artifacts for repeatable deployments. Use this as operational provenance and avoid manual drift edits.","hasChildren":true}
 {"recordType":"path","path":"hooks.internal.installs.*","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
+{"recordType":"path","path":"hooks.internal.installs.*.clawhubChannel","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"hooks.internal.installs.*.clawhubFamily","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"hooks.internal.installs.*.clawhubPackage","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"hooks.internal.installs.*.clawhubUrl","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"hooks.internal.installs.*.hooks","kind":"core","type":"array","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
 {"recordType":"path","path":"hooks.internal.installs.*.hooks.*","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"hooks.internal.installs.*.installedAt","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
@@ -4956,6 +4964,10 @@
 {"recordType":"path","path":"plugins.entries.zalouser.subagent.allowModelOverride","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Plugin Subagent Model Override","help":"Explicitly allows this plugin to request provider/model overrides in background subagent runs. Keep false unless the plugin is trusted to steer model selection.","hasChildren":false}
 {"recordType":"path","path":"plugins.installs","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Install Records","help":"CLI-managed install metadata (used by `openclaw plugins update` to locate install sources).","hasChildren":true}
 {"recordType":"path","path":"plugins.installs.*","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
+{"recordType":"path","path":"plugins.installs.*.clawhubChannel","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"plugins.installs.*.clawhubFamily","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"plugins.installs.*.clawhubPackage","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"plugins.installs.*.clawhubUrl","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"plugins.installs.*.installedAt","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Install Time","help":"ISO timestamp of last install/update.","hasChildren":false}
 {"recordType":"path","path":"plugins.installs.*.installPath","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["storage"],"label":"Plugin Install Path","help":"Resolved install directory (usually ~/.openclaw/extensions/<id>).","hasChildren":false}
 {"recordType":"path","path":"plugins.installs.*.integrity","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Resolved Integrity","help":"Resolved npm dist integrity hash for the fetched artifact (if reported by npm).","hasChildren":false}
@@ -5180,6 +5192,7 @@
 {"recordType":"path","path":"tools.exec.safeBinTrustedDirs","kind":"core","type":"array","required":false,"deprecated":false,"sensitive":false,"tags":["storage","tools"],"label":"Exec Safe Bin Trusted Dirs","help":"Additional explicit directories trusted for safe-bin path checks (PATH entries are never auto-trusted).","hasChildren":true}
 {"recordType":"path","path":"tools.exec.safeBinTrustedDirs.*","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"tools.exec.security","kind":"core","type":"string","required":false,"enumValues":["deny","allowlist","full"],"deprecated":false,"sensitive":false,"tags":["tools"],"label":"Exec Security","help":"Execution security posture selector controlling sandbox/approval expectations for command execution. Keep strict security mode for untrusted prompts and relax only for trusted operator workflows.","hasChildren":false}
+{"recordType":"path","path":"tools.exec.strictInlineEval","kind":"core","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["tools"],"label":"Require Inline-Eval Approval","help":"Require explicit approval for interpreter inline-eval forms such as `python -c`, `node -e`, `ruby -e`, or `osascript -e`. Prevents silent allowlist reuse and downgrades allow-always to ask-each-time for those forms.","hasChildren":false}
 {"recordType":"path","path":"tools.exec.timeoutSec","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"tools.fs","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
 {"recordType":"path","path":"tools.fs.workspaceOnly","kind":"core","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["tools"],"label":"Workspace-only FS tools","help":"Restrict filesystem tools (read/write/edit/apply_patch) to the workspace directory (default: false).","hasChildren":false}

docs/.generated/plugin-sdk-api-baseline.jsonl

@@ -0,0 +1,569 @@
+{"category":"legacy","entrypoint":"index","importSpecifier":"openclaw/plugin-sdk","recordType":"module","sourceLine":1,"sourcePath":"src/plugin-sdk/index.ts"}
+{"declaration":"export function buildFalImageGenerationProvider(): ImageGenerationProvider;","entrypoint":"index","exportName":"buildFalImageGenerationProvider","importSpecifier":"openclaw/plugin-sdk","kind":"function","recordType":"export","sourceLine":188,"sourcePath":"src/image-generation/providers/fal.ts"}
+{"declaration":"export function buildGoogleImageGenerationProvider(): ImageGenerationProvider;","entrypoint":"index","exportName":"buildGoogleImageGenerationProvider","importSpecifier":"openclaw/plugin-sdk","kind":"function","recordType":"export","sourceLine":96,"sourcePath":"src/image-generation/providers/google.ts"}
+{"declaration":"export function buildOpenAIImageGenerationProvider(): ImageGenerationProvider;","entrypoint":"index","exportName":"buildOpenAIImageGenerationProvider","importSpecifier":"openclaw/plugin-sdk","kind":"function","recordType":"export","sourceLine":22,"sourcePath":"src/image-generation/providers/openai.ts"}
+{"declaration":"export function delegateCompactionToRuntime(params: { sessionId: string; sessionKey?: string | undefined; sessionFile: string; tokenBudget?: number | undefined; force?: boolean | undefined; currentTokenCount?: number | undefined; compactionTarget?: \"budget\" | ... 1 more ... | undefined; customInstructions?: string | undefined; runtimeContext?: ContextEngineRuntimeContext | undefined; }): Promise<...>;","entrypoint":"index","exportName":"delegateCompactionToRuntime","importSpecifier":"openclaw/plugin-sdk","kind":"function","recordType":"export","sourceLine":16,"sourcePath":"src/context-engine/delegate.ts"}
+{"declaration":"export function emptyPluginConfigSchema(): OpenClawPluginConfigSchema;","entrypoint":"index","exportName":"emptyPluginConfigSchema","importSpecifier":"openclaw/plugin-sdk","kind":"function","recordType":"export","sourceLine":13,"sourcePath":"src/plugins/config-schema.ts"}
+{"declaration":"export function onDiagnosticEvent(listener: (evt: DiagnosticEventPayload) => void): () => void;","entrypoint":"index","exportName":"onDiagnosticEvent","importSpecifier":"openclaw/plugin-sdk","kind":"function","recordType":"export","sourceLine":223,"sourcePath":"src/infra/diagnostic-events.ts"}
+{"declaration":"export function registerContextEngine(id: string, factory: ContextEngineFactory): ContextEngineRegistrationResult;","entrypoint":"index","exportName":"registerContextEngine","importSpecifier":"openclaw/plugin-sdk","kind":"function","recordType":"export","sourceLine":377,"sourcePath":"src/context-engine/registry.ts"}
+{"declaration":"export type AnyAgentTool = AnyAgentTool;","entrypoint":"index","exportName":"AnyAgentTool","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":9,"sourcePath":"src/agents/tools/common.ts"}
+{"declaration":"export type ChannelAccountSnapshot = ChannelAccountSnapshot;","entrypoint":"index","exportName":"ChannelAccountSnapshot","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":144,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelAgentTool = ChannelAgentTool;","entrypoint":"index","exportName":"ChannelAgentTool","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":18,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelAgentToolFactory = ChannelAgentToolFactory;","entrypoint":"index","exportName":"ChannelAgentToolFactory","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":23,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelCapabilities = ChannelCapabilities;","entrypoint":"index","exportName":"ChannelCapabilities","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":229,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelConfigSchema = ChannelConfigSchema;","entrypoint":"index","exportName":"ChannelConfigSchema","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":48,"sourcePath":"src/channels/plugins/types.plugin.ts"}
+{"declaration":"export type ChannelConfiguredBindingConversationRef = ChannelConfiguredBindingConversationRef;","entrypoint":"index","exportName":"ChannelConfiguredBindingConversationRef","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":553,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelConfiguredBindingMatch = ChannelConfiguredBindingMatch;","entrypoint":"index","exportName":"ChannelConfiguredBindingMatch","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":558,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelConfiguredBindingProvider = ChannelConfiguredBindingProvider;","entrypoint":"index","exportName":"ChannelConfiguredBindingProvider","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":562,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelGatewayContext = ChannelGatewayContext<ResolvedAccount>;","entrypoint":"index","exportName":"ChannelGatewayContext","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":238,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelId = ChannelId;","entrypoint":"index","exportName":"ChannelId","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":13,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelMessageActionAdapter = ChannelMessageActionAdapter;","entrypoint":"index","exportName":"ChannelMessageActionAdapter","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":515,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelMessageActionContext = ChannelMessageActionContext;","entrypoint":"index","exportName":"ChannelMessageActionContext","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":481,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelMessageActionName = \"send\" | \"broadcast\" | \"poll\" | \"poll-vote\" | \"react\" | \"reactions\" | \"read\" | \"edit\" | \"unsend\" | \"reply\" | \"sendWithEffect\" | \"renameGroup\" | \"setGroupIcon\" | \"addParticipant\" | \"removeParticipant\" | \"leaveGroup\" | \"sendAttachment\" | \"delete\" | \"pin\" | \"unpin\" | \"list-pins\" | \"permissions\" | \"thread-create\" | \"thread-list\" | \"thread-reply\" | \"search\" | \"sticker\" | \"sticker-search\" | \"member-info\" | \"role-info\" | \"emoji-list\" | \"emoji-upload\" | \"sticker-upload\" | \"role-add\" | \"role-remove\" | \"channel-info\" | \"channel-list\" | \"channel-create\" | \"channel-edit\" | \"channel-delete\" | \"channel-move\" | \"category-create\" | \"category-edit\" | \"category-delete\" | \"topic-create\" | \"topic-edit\" | \"voice-status\" | \"event-list\" | \"event-create\" | \"timeout\" | \"kick\" | \"ban\" | \"set-profile\" | \"set-presence\" | \"download-file\";","entrypoint":"index","exportName":"ChannelMessageActionName","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":6,"sourcePath":"src/channels/plugins/types.ts"}
+{"declaration":"export type ChannelPlugin = ChannelPlugin<ResolvedAccount, Probe, Audit>;","entrypoint":"index","exportName":"ChannelPlugin","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":55,"sourcePath":"src/channels/plugins/types.plugin.ts"}
+{"declaration":"export type ChannelSetupAdapter = ChannelSetupAdapter;","entrypoint":"index","exportName":"ChannelSetupAdapter","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":56,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelSetupInput = ChannelSetupInput;","entrypoint":"index","exportName":"ChannelSetupInput","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":63,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelSetupWizard = ChannelSetupWizard;","entrypoint":"index","exportName":"ChannelSetupWizard","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":247,"sourcePath":"src/channels/plugins/setup-wizard.ts"}
+{"declaration":"export type ChannelSetupWizardAllowFromEntry = ChannelSetupWizardAllowFromEntry;","entrypoint":"index","exportName":"ChannelSetupWizardAllowFromEntry","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":154,"sourcePath":"src/channels/plugins/setup-wizard.ts"}
+{"declaration":"export type ChannelStatusIssue = ChannelStatusIssue;","entrypoint":"index","exportName":"ChannelStatusIssue","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":100,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type OpenClawConfig = OpenClawConfig;","entrypoint":"index","exportName":"ClawdbotConfig","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":32,"sourcePath":"src/config/types.openclaw.ts"}
+{"declaration":"export type CompiledConfiguredBinding = CompiledConfiguredBinding;","entrypoint":"index","exportName":"CompiledConfiguredBinding","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":38,"sourcePath":"src/channels/plugins/binding-types.ts"}
+{"declaration":"export type ConfiguredBindingConversation = ConversationRef;","entrypoint":"index","exportName":"ConfiguredBindingConversation","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":13,"sourcePath":"src/channels/plugins/binding-types.ts"}
+{"declaration":"export type ConfiguredBindingResolution = ConfiguredBindingResolution;","entrypoint":"index","exportName":"ConfiguredBindingResolution","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":49,"sourcePath":"src/channels/plugins/binding-types.ts"}
+{"declaration":"export type ContextEngineFactory = ContextEngineFactory;","entrypoint":"index","exportName":"ContextEngineFactory","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":10,"sourcePath":"src/context-engine/registry.ts"}
+{"declaration":"export type ContextEngineInfo = ContextEngineInfo;","entrypoint":"index","exportName":"ContextEngineInfo","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":46,"sourcePath":"src/context-engine/types.ts"}
+{"declaration":"export type ContextEngineMaintenanceResult = TranscriptRewriteResult;","entrypoint":"index","exportName":"ContextEngineMaintenanceResult","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":84,"sourcePath":"src/context-engine/types.ts"}
+{"declaration":"export type ContextEngineRuntimeContext = ContextEngineRuntimeContext;","entrypoint":"index","exportName":"ContextEngineRuntimeContext","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":86,"sourcePath":"src/context-engine/types.ts"}
+{"declaration":"export type DiagnosticEventPayload = DiagnosticEventPayload;","entrypoint":"index","exportName":"DiagnosticEventPayload","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":152,"sourcePath":"src/infra/diagnostic-events.ts"}
+{"declaration":"export type GeneratedImageAsset = GeneratedImageAsset;","entrypoint":"index","exportName":"GeneratedImageAsset","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":4,"sourcePath":"src/image-generation/types.ts"}
+{"declaration":"export type HookEntry = HookEntry;","entrypoint":"index","exportName":"HookEntry","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":47,"sourcePath":"src/hooks/types.ts"}
+{"declaration":"export type ImageGenerationProvider = ImageGenerationProvider;","entrypoint":"index","exportName":"ImageGenerationProvider","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":66,"sourcePath":"src/image-generation/types.ts"}
+{"declaration":"export type ImageGenerationRequest = ImageGenerationRequest;","entrypoint":"index","exportName":"ImageGenerationRequest","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":21,"sourcePath":"src/image-generation/types.ts"}
+{"declaration":"export type ImageGenerationResolution = ImageGenerationResolution;","entrypoint":"index","exportName":"ImageGenerationResolution","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":12,"sourcePath":"src/image-generation/types.ts"}
+{"declaration":"export type ImageGenerationResult = ImageGenerationResult;","entrypoint":"index","exportName":"ImageGenerationResult","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":36,"sourcePath":"src/image-generation/types.ts"}
+{"declaration":"export type ImageGenerationSourceImage = ImageGenerationSourceImage;","entrypoint":"index","exportName":"ImageGenerationSourceImage","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":14,"sourcePath":"src/image-generation/types.ts"}
+{"declaration":"export type MediaUnderstandingProviderPlugin = MediaUnderstandingProvider;","entrypoint":"index","exportName":"MediaUnderstandingProviderPlugin","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":950,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type OpenClawConfig = OpenClawConfig;","entrypoint":"index","exportName":"OpenClawConfig","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":32,"sourcePath":"src/config/types.openclaw.ts"}
+{"declaration":"export type OpenClawPluginApi = OpenClawPluginApi;","entrypoint":"index","exportName":"OpenClawPluginApi","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":1311,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type OpenClawPluginConfigSchema = OpenClawPluginConfigSchema;","entrypoint":"index","exportName":"OpenClawPluginConfigSchema","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":88,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type PluginLogger = PluginLogger;","entrypoint":"index","exportName":"PluginLogger","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":59,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type PluginRuntime = PluginRuntime;","entrypoint":"index","exportName":"PluginRuntime","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":54,"sourcePath":"src/plugins/runtime/types.ts"}
+{"declaration":"export type ProviderAuthContext = ProviderAuthContext;","entrypoint":"index","exportName":"ProviderAuthContext","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":155,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderAuthResult = ProviderAuthResult;","entrypoint":"index","exportName":"ProviderAuthResult","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":140,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderRuntimeModel = ProviderRuntimeModel;","entrypoint":"index","exportName":"ProviderRuntimeModel","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":295,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ReplyPayload = ReplyPayload;","entrypoint":"index","exportName":"ReplyPayload","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":76,"sourcePath":"src/auto-reply/types.ts"}
+{"declaration":"export type RuntimeEnv = RuntimeEnv;","entrypoint":"index","exportName":"RuntimeEnv","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":4,"sourcePath":"src/runtime.ts"}
+{"declaration":"export type RuntimeLogger = RuntimeLogger;","entrypoint":"index","exportName":"RuntimeLogger","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":4,"sourcePath":"src/plugins/runtime/types-core.ts"}
+{"declaration":"export type SecretInput = SecretInput;","entrypoint":"index","exportName":"SecretInput","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":16,"sourcePath":"src/config/types.secrets.ts"}
+{"declaration":"export type SecretRef = SecretRef;","entrypoint":"index","exportName":"SecretRef","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":10,"sourcePath":"src/config/types.secrets.ts"}
+{"declaration":"export type SpeechProviderPlugin = SpeechProviderPlugin;","entrypoint":"index","exportName":"SpeechProviderPlugin","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":932,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type StatefulBindingTargetDescriptor = StatefulBindingTargetDescriptor;","entrypoint":"index","exportName":"StatefulBindingTargetDescriptor","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":17,"sourcePath":"src/channels/plugins/binding-types.ts"}
+{"declaration":"export type StatefulBindingTargetDriver = StatefulBindingTargetDriver;","entrypoint":"index","exportName":"StatefulBindingTargetDriver","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":15,"sourcePath":"src/channels/plugins/stateful-target-drivers.ts"}
+{"declaration":"export type StatefulBindingTargetReadyResult = StatefulBindingTargetReadyResult;","entrypoint":"index","exportName":"StatefulBindingTargetReadyResult","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":7,"sourcePath":"src/channels/plugins/stateful-target-drivers.ts"}
+{"declaration":"export type StatefulBindingTargetResetResult = StatefulBindingTargetResetResult;","entrypoint":"index","exportName":"StatefulBindingTargetResetResult","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":11,"sourcePath":"src/channels/plugins/stateful-target-drivers.ts"}
+{"declaration":"export type StatefulBindingTargetSessionResult = StatefulBindingTargetSessionResult;","entrypoint":"index","exportName":"StatefulBindingTargetSessionResult","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":8,"sourcePath":"src/channels/plugins/stateful-target-drivers.ts"}
+{"declaration":"export type SubagentRunParams = SubagentRunParams;","entrypoint":"index","exportName":"SubagentRunParams","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":8,"sourcePath":"src/plugins/runtime/types.ts"}
+{"declaration":"export type SubagentRunResult = SubagentRunResult;","entrypoint":"index","exportName":"SubagentRunResult","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":19,"sourcePath":"src/plugins/runtime/types.ts"}
+{"declaration":"export type TranscriptRewriteReplacement = TranscriptRewriteReplacement;","entrypoint":"index","exportName":"TranscriptRewriteReplacement","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":61,"sourcePath":"src/context-engine/types.ts"}
+{"declaration":"export type TranscriptRewriteRequest = TranscriptRewriteRequest;","entrypoint":"index","exportName":"TranscriptRewriteRequest","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":68,"sourcePath":"src/context-engine/types.ts"}
+{"declaration":"export type TranscriptRewriteResult = TranscriptRewriteResult;","entrypoint":"index","exportName":"TranscriptRewriteResult","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":73,"sourcePath":"src/context-engine/types.ts"}
+{"declaration":"export type WizardPrompter = WizardPrompter;","entrypoint":"index","exportName":"WizardPrompter","importSpecifier":"openclaw/plugin-sdk","kind":"type","recordType":"export","sourceLine":37,"sourcePath":"src/wizard/prompts.ts"}
+{"declaration":"export interface ContextEngine","entrypoint":"index","exportName":"ContextEngine","importSpecifier":"openclaw/plugin-sdk","kind":"interface","recordType":"export","sourceLine":104,"sourcePath":"src/context-engine/types.ts"}
+{"category":"utilities","entrypoint":"allow-from","importSpecifier":"openclaw/plugin-sdk/allow-from","recordType":"module","sourceLine":1,"sourcePath":"src/plugin-sdk/allow-from.ts"}
+{"declaration":"export function addAllowlistUserEntriesFromConfigEntry(target: Set<string>, entry: unknown): void;","entrypoint":"allow-from","exportName":"addAllowlistUserEntriesFromConfigEntry","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"function","recordType":"export","sourceLine":130,"sourcePath":"src/channels/allowlists/resolve-utils.ts"}
+{"declaration":"export function buildAllowlistResolutionSummary<T extends AllowlistUserResolutionLike>(resolvedUsers: T[], opts?: { formatResolved?: ((entry: T) => string) | undefined; formatUnresolved?: ((entry: T) => string) | undefined; } | undefined): { ...; };","entrypoint":"allow-from","exportName":"buildAllowlistResolutionSummary","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"function","recordType":"export","sourceLine":36,"sourcePath":"src/channels/allowlists/resolve-utils.ts"}
+{"declaration":"export function canonicalizeAllowlistWithResolvedIds<T extends AllowlistUserResolutionLike>(params: { existing?: (string | number)[] | undefined; resolvedMap: Map<string, T>; }): string[];","entrypoint":"allow-from","exportName":"canonicalizeAllowlistWithResolvedIds","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"function","recordType":"export","sourceLine":73,"sourcePath":"src/channels/allowlists/resolve-utils.ts"}
+{"declaration":"export function compileAllowlist(entries: readonly string[]): CompiledAllowlist;","entrypoint":"allow-from","exportName":"compileAllowlist","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"function","recordType":"export","sourceLine":30,"sourcePath":"src/channels/allowlist-match.ts"}
+{"declaration":"export function firstDefined<T>(...values: (T | undefined)[]): (T & ({} | null)) | undefined;","entrypoint":"allow-from","exportName":"firstDefined","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"function","recordType":"export","sourceLine":29,"sourcePath":"src/channels/allow-from.ts"}
+{"declaration":"export function formatAllowFromLowercase(params: { allowFrom: (string | number)[]; stripPrefixRe?: RegExp | undefined; }): string[];","entrypoint":"allow-from","exportName":"formatAllowFromLowercase","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"function","recordType":"export","sourceLine":31,"sourcePath":"src/plugin-sdk/allow-from.ts"}
+{"declaration":"export function formatAllowlistMatchMeta(match?: { matchKey?: string | undefined; matchSource?: string | undefined; } | null | undefined): string;","entrypoint":"allow-from","exportName":"formatAllowlistMatchMeta","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"function","recordType":"export","sourceLine":24,"sourcePath":"src/channels/allowlist-match.ts"}
+{"declaration":"export function formatNormalizedAllowFromEntries(params: { allowFrom: (string | number)[]; normalizeEntry: (entry: string) => string | null | undefined; }): string[];","entrypoint":"allow-from","exportName":"formatNormalizedAllowFromEntries","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"function","recordType":"export","sourceLine":43,"sourcePath":"src/plugin-sdk/allow-from.ts"}
+{"declaration":"export function isAllowedParsedChatSender<TParsed extends ParsedChatAllowTarget>(params: { allowFrom: (string | number)[]; sender: string; chatId?: number | null | undefined; chatGuid?: string | null | undefined; chatIdentifier?: string | null | undefined; normalizeSender: (sender: string) => string; parseAllowTarget: (entry: string) => TParsed; }): boolean;","entrypoint":"allow-from","exportName":"isAllowedParsedChatSender","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"function","recordType":"export","sourceLine":81,"sourcePath":"src/plugin-sdk/allow-from.ts"}
+{"declaration":"export function isNormalizedSenderAllowed(params: { senderId: string | number; allowFrom: (string | number)[]; stripPrefixRe?: RegExp | undefined; }): boolean;","entrypoint":"allow-from","exportName":"isNormalizedSenderAllowed","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"function","recordType":"export","sourceLine":55,"sourcePath":"src/plugin-sdk/allow-from.ts"}
+{"declaration":"export function isSenderIdAllowed(allow: { entries: string[]; hasWildcard: boolean; hasEntries: boolean; }, senderId: string | undefined, allowWhenEmpty: boolean): boolean;","entrypoint":"allow-from","exportName":"isSenderIdAllowed","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"function","recordType":"export","sourceLine":38,"sourcePath":"src/channels/allow-from.ts"}
+{"declaration":"export function mapAllowlistResolutionInputs<T>(params: { inputs: string[]; mapInput: (input: string) => T | Promise<T>; }): Promise<T[]>;","entrypoint":"allow-from","exportName":"mapAllowlistResolutionInputs","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"function","recordType":"export","sourceLine":151,"sourcePath":"src/plugin-sdk/allow-from.ts"}
+{"declaration":"export function mapBasicAllowlistResolutionEntries(entries: BasicAllowlistResolutionEntry[]): BasicAllowlistResolutionEntry[];","entrypoint":"allow-from","exportName":"mapBasicAllowlistResolutionEntries","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"function","recordType":"export","sourceLine":138,"sourcePath":"src/plugin-sdk/allow-from.ts"}
+{"declaration":"export function mergeAllowlist(params: { existing?: (string | number)[] | undefined; additions: string[]; }): string[];","entrypoint":"allow-from","exportName":"mergeAllowlist","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"function","recordType":"export","sourceLine":29,"sourcePath":"src/channels/allowlists/resolve-utils.ts"}
+{"declaration":"export function mergeDmAllowFromSources(params: { allowFrom?: (string | number)[] | undefined; storeAllowFrom?: (string | number)[] | undefined; dmPolicy?: string | undefined; }): string[];","entrypoint":"allow-from","exportName":"mergeDmAllowFromSources","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"function","recordType":"export","sourceLine":1,"sourcePath":"src/channels/allow-from.ts"}
+{"declaration":"export function patchAllowlistUsersInConfigEntries<T extends AllowlistUserResolutionLike, TEntries extends Record<string, unknown>>(params: { entries: TEntries; resolvedMap: Map<string, T>; strategy?: \"merge\" | \"canonicalize\" | undefined; }): TEntries;","entrypoint":"allow-from","exportName":"patchAllowlistUsersInConfigEntries","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"function","recordType":"export","sourceLine":92,"sourcePath":"src/channels/allowlists/resolve-utils.ts"}
+{"declaration":"export function resolveAllowlistCandidates<TSource extends string>(params: { compiledAllowlist: CompiledAllowlist; candidates: { value?: string | undefined; source: TSource; }[]; }): AllowlistMatch<TSource>;","entrypoint":"allow-from","exportName":"resolveAllowlistCandidates","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"function","recordType":"export","sourceLine":44,"sourcePath":"src/channels/allowlist-match.ts"}
+{"declaration":"export function resolveAllowlistMatchByCandidates<TSource extends string>(params: { allowList: readonly string[]; candidates: { value?: string | undefined; source: TSource; }[]; }): AllowlistMatch<TSource>;","entrypoint":"allow-from","exportName":"resolveAllowlistMatchByCandidates","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"function","recordType":"export","sourceLine":76,"sourcePath":"src/channels/allowlist-match.ts"}
+{"declaration":"export function resolveAllowlistMatchSimple(params: { allowFrom: readonly (string | number)[]; senderId: string; senderName?: string | null | undefined; allowNameMatching?: boolean | undefined; }): AllowlistMatch<\"name\" | \"id\" | \"wildcard\">;","entrypoint":"allow-from","exportName":"resolveAllowlistMatchSimple","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"function","recordType":"export","sourceLine":86,"sourcePath":"src/channels/allowlist-match.ts"}
+{"declaration":"export function resolveCompiledAllowlistMatch<TSource extends string>(params: { compiledAllowlist: CompiledAllowlist; candidates: { value?: string | undefined; source: TSource; }[]; }): AllowlistMatch<TSource>;","entrypoint":"allow-from","exportName":"resolveCompiledAllowlistMatch","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"function","recordType":"export","sourceLine":63,"sourcePath":"src/channels/allowlist-match.ts"}
+{"declaration":"export function resolveGroupAllowFromSources(params: { allowFrom?: (string | number)[] | undefined; groupAllowFrom?: (string | number)[] | undefined; fallbackToAllowFrom?: boolean | undefined; }): string[];","entrypoint":"allow-from","exportName":"resolveGroupAllowFromSources","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"function","recordType":"export","sourceLine":12,"sourcePath":"src/channels/allow-from.ts"}
+{"declaration":"export function summarizeMapping(label: string, mapping: string[], unresolved: string[], runtime: RuntimeEnv): void;","entrypoint":"allow-from","exportName":"summarizeMapping","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"function","recordType":"export","sourceLine":146,"sourcePath":"src/channels/allowlists/resolve-utils.ts"}
+{"declaration":"export type AllowlistMatch = AllowlistMatch<TSource>;","entrypoint":"allow-from","exportName":"AllowlistMatch","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"type","recordType":"export","sourceLine":13,"sourcePath":"src/channels/allowlist-match.ts"}
+{"declaration":"export type AllowlistMatchSource = AllowlistMatchSource;","entrypoint":"allow-from","exportName":"AllowlistMatchSource","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"type","recordType":"export","sourceLine":1,"sourcePath":"src/channels/allowlist-match.ts"}
+{"declaration":"export type AllowlistUserResolutionLike = AllowlistUserResolutionLike;","entrypoint":"allow-from","exportName":"AllowlistUserResolutionLike","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"type","recordType":"export","sourceLine":5,"sourcePath":"src/channels/allowlists/resolve-utils.ts"}
+{"declaration":"export type BasicAllowlistResolutionEntry = BasicAllowlistResolutionEntry;","entrypoint":"allow-from","exportName":"BasicAllowlistResolutionEntry","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"type","recordType":"export","sourceLine":129,"sourcePath":"src/plugin-sdk/allow-from.ts"}
+{"declaration":"export type CompiledAllowlist = CompiledAllowlist;","entrypoint":"allow-from","exportName":"CompiledAllowlist","importSpecifier":"openclaw/plugin-sdk/allow-from","kind":"type","recordType":"export","sourceLine":19,"sourcePath":"src/channels/allowlist-match.ts"}
+{"category":"channel","entrypoint":"channel-actions","importSpecifier":"openclaw/plugin-sdk/channel-actions","recordType":"module","sourceLine":1,"sourcePath":"src/plugin-sdk/channel-actions.ts"}
+{"declaration":"export function createMessageToolButtonsSchema(): TSchema;","entrypoint":"channel-actions","exportName":"createMessageToolButtonsSchema","importSpecifier":"openclaw/plugin-sdk/channel-actions","kind":"function","recordType":"export","sourceLine":11,"sourcePath":"src/plugin-sdk/channel-actions.ts"}
+{"declaration":"export function createMessageToolCardSchema(): TSchema;","entrypoint":"channel-actions","exportName":"createMessageToolCardSchema","importSpecifier":"openclaw/plugin-sdk/channel-actions","kind":"function","recordType":"export","sourceLine":27,"sourcePath":"src/plugin-sdk/channel-actions.ts"}
+{"declaration":"export function createUnionActionGate<TAccount, TKey extends string>(accounts: readonly TAccount[], createGate: (account: TAccount) => OptionalDefaultGate<TKey>): OptionalDefaultGate<TKey>;","entrypoint":"channel-actions","exportName":"createUnionActionGate","importSpecifier":"openclaw/plugin-sdk/channel-actions","kind":"function","recordType":"export","sourceLine":13,"sourcePath":"src/channels/plugins/actions/shared.ts"}
+{"declaration":"export function listTokenSourcedAccounts<TAccount extends TokenSourcedAccount>(accounts: readonly TAccount[]): TAccount[];","entrypoint":"channel-actions","exportName":"listTokenSourcedAccounts","importSpecifier":"openclaw/plugin-sdk/channel-actions","kind":"function","recordType":"export","sourceLine":7,"sourcePath":"src/channels/plugins/actions/shared.ts"}
+{"declaration":"export function resolveReactionMessageId(params: { args: Record<string, unknown>; toolContext?: ReactionToolContext | undefined; }): string | number | undefined;","entrypoint":"channel-actions","exportName":"resolveReactionMessageId","importSpecifier":"openclaw/plugin-sdk/channel-actions","kind":"function","recordType":"export","sourceLine":7,"sourcePath":"src/channels/plugins/actions/reaction-message-id.ts"}
+{"category":"channel","entrypoint":"channel-config-schema","importSpecifier":"openclaw/plugin-sdk/channel-config-schema","recordType":"module","sourceLine":1,"sourcePath":"src/plugin-sdk/channel-config-schema.ts"}
+{"declaration":"export function buildCatchallMultiAccountChannelSchema<T extends ExtendableZodObject>(accountSchema: T): T;","entrypoint":"channel-config-schema","exportName":"buildCatchallMultiAccountChannelSchema","importSpecifier":"openclaw/plugin-sdk/channel-config-schema","kind":"function","recordType":"export","sourceLine":26,"sourcePath":"src/channels/plugins/config-schema.ts"}
+{"declaration":"export function buildChannelConfigSchema(schema: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>): ChannelConfigSchema;","entrypoint":"channel-config-schema","exportName":"buildChannelConfigSchema","importSpecifier":"openclaw/plugin-sdk/channel-config-schema","kind":"function","recordType":"export","sourceLine":35,"sourcePath":"src/channels/plugins/config-schema.ts"}
+{"declaration":"export function buildNestedDmConfigSchema(): ZodOptional<ZodObject<{ enabled: ZodOptional<ZodBoolean>; policy: ZodOptional<ZodEnum<{ disabled: \"disabled\"; pairing: \"pairing\"; allowlist: \"allowlist\"; open: \"open\"; }>>; allowFrom: ZodOptional<...>; }, $strip>>;","entrypoint":"channel-config-schema","exportName":"buildNestedDmConfigSchema","importSpecifier":"openclaw/plugin-sdk/channel-config-schema","kind":"function","recordType":"export","sourceLine":16,"sourcePath":"src/channels/plugins/config-schema.ts"}
+{"declaration":"export const AllowFromListSchema: z.ZodOptional<z.ZodArray<z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>>>;","entrypoint":"channel-config-schema","exportName":"AllowFromListSchema","importSpecifier":"openclaw/plugin-sdk/channel-config-schema","kind":"const","recordType":"export","sourceLine":14,"sourcePath":"src/channels/plugins/config-schema.ts"}
+{"declaration":"export const DmPolicySchema: z.ZodEnum<{ disabled: \"disabled\"; pairing: \"pairing\"; allowlist: \"allowlist\"; open: \"open\"; }>;","entrypoint":"channel-config-schema","exportName":"DmPolicySchema","importSpecifier":"openclaw/plugin-sdk/channel-config-schema","kind":"const","recordType":"export","sourceLine":337,"sourcePath":"src/config/zod-schema.core.ts"}
+{"declaration":"export const GroupPolicySchema: z.ZodEnum<{ disabled: \"disabled\"; allowlist: \"allowlist\"; open: \"open\"; }>;","entrypoint":"channel-config-schema","exportName":"GroupPolicySchema","importSpecifier":"openclaw/plugin-sdk/channel-config-schema","kind":"const","recordType":"export","sourceLine":335,"sourcePath":"src/config/zod-schema.core.ts"}
+{"declaration":"export const MarkdownConfigSchema: z.ZodOptional<z.ZodObject<{ tables: z.ZodOptional<z.ZodEnum<{ off: \"off\"; bullets: \"bullets\"; code: \"code\"; }>>; }, z.core.$strict>>;","entrypoint":"channel-config-schema","exportName":"MarkdownConfigSchema","importSpecifier":"openclaw/plugin-sdk/channel-config-schema","kind":"const","recordType":"export","sourceLine":371,"sourcePath":"src/config/zod-schema.core.ts"}
+{"declaration":"export const ToolPolicySchema: z.ZodOptional<z.ZodObject<{ allow: z.ZodOptional<z.ZodArray<z.ZodString>>; alsoAllow: z.ZodOptional<z.ZodArray<z.ZodString>>; deny: z.ZodOptional<z.ZodArray<z.ZodString>>; }, z.core.$strict>>;","entrypoint":"channel-config-schema","exportName":"ToolPolicySchema","importSpecifier":"openclaw/plugin-sdk/channel-config-schema","kind":"const","recordType":"export","sourceLine":253,"sourcePath":"src/config/zod-schema.agent-runtime.ts"}
+{"category":"channel","entrypoint":"channel-contract","importSpecifier":"openclaw/plugin-sdk/channel-contract","recordType":"module","sourceLine":1,"sourcePath":"src/plugin-sdk/channel-contract.ts"}
+{"declaration":"export type BaseProbeResult = BaseProbeResult<TError>;","entrypoint":"channel-contract","exportName":"BaseProbeResult","importSpecifier":"openclaw/plugin-sdk/channel-contract","kind":"type","recordType":"export","sourceLine":557,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type BaseTokenResolution = BaseTokenResolution;","entrypoint":"channel-contract","exportName":"BaseTokenResolution","importSpecifier":"openclaw/plugin-sdk/channel-contract","kind":"type","recordType":"export","sourceLine":563,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelAccountSnapshot = ChannelAccountSnapshot;","entrypoint":"channel-contract","exportName":"ChannelAccountSnapshot","importSpecifier":"openclaw/plugin-sdk/channel-contract","kind":"type","recordType":"export","sourceLine":144,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelAgentTool = ChannelAgentTool;","entrypoint":"channel-contract","exportName":"ChannelAgentTool","importSpecifier":"openclaw/plugin-sdk/channel-contract","kind":"type","recordType":"export","sourceLine":18,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelGroupContext = ChannelGroupContext;","entrypoint":"channel-contract","exportName":"ChannelGroupContext","importSpecifier":"openclaw/plugin-sdk/channel-contract","kind":"type","recordType":"export","sourceLine":215,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelMessageActionAdapter = ChannelMessageActionAdapter;","entrypoint":"channel-contract","exportName":"ChannelMessageActionAdapter","importSpecifier":"openclaw/plugin-sdk/channel-contract","kind":"type","recordType":"export","sourceLine":515,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelMessageActionContext = ChannelMessageActionContext;","entrypoint":"channel-contract","exportName":"ChannelMessageActionContext","importSpecifier":"openclaw/plugin-sdk/channel-contract","kind":"type","recordType":"export","sourceLine":481,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelMessageActionDiscoveryContext = ChannelMessageActionDiscoveryContext;","entrypoint":"channel-contract","exportName":"ChannelMessageActionDiscoveryContext","importSpecifier":"openclaw/plugin-sdk/channel-contract","kind":"type","recordType":"export","sourceLine":31,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelMessageActionName = \"send\" | \"broadcast\" | \"poll\" | \"poll-vote\" | \"react\" | \"reactions\" | \"read\" | \"edit\" | \"unsend\" | \"reply\" | \"sendWithEffect\" | \"renameGroup\" | \"setGroupIcon\" | \"addParticipant\" | \"removeParticipant\" | \"leaveGroup\" | \"sendAttachment\" | \"delete\" | \"pin\" | \"unpin\" | \"list-pins\" | \"permissions\" | \"thread-create\" | \"thread-list\" | \"thread-reply\" | \"search\" | \"sticker\" | \"sticker-search\" | \"member-info\" | \"role-info\" | \"emoji-list\" | \"emoji-upload\" | \"sticker-upload\" | \"role-add\" | \"role-remove\" | \"channel-info\" | \"channel-list\" | \"channel-create\" | \"channel-edit\" | \"channel-delete\" | \"channel-move\" | \"category-create\" | \"category-edit\" | \"category-delete\" | \"topic-create\" | \"topic-edit\" | \"voice-status\" | \"event-list\" | \"event-create\" | \"timeout\" | \"kick\" | \"ban\" | \"set-profile\" | \"set-presence\" | \"download-file\";","entrypoint":"channel-contract","exportName":"ChannelMessageActionName","importSpecifier":"openclaw/plugin-sdk/channel-contract","kind":"type","recordType":"export","sourceLine":6,"sourcePath":"src/channels/plugins/types.ts"}
+{"declaration":"export type ChannelMessageToolDiscovery = ChannelMessageToolDiscovery;","entrypoint":"channel-contract","exportName":"ChannelMessageToolDiscovery","importSpecifier":"openclaw/plugin-sdk/channel-contract","kind":"type","recordType":"export","sourceLine":56,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelMessageToolSchemaContribution = ChannelMessageToolSchemaContribution;","entrypoint":"channel-contract","exportName":"ChannelMessageToolSchemaContribution","importSpecifier":"openclaw/plugin-sdk/channel-contract","kind":"type","recordType":"export","sourceLine":51,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelStatusIssue = ChannelStatusIssue;","entrypoint":"channel-contract","exportName":"ChannelStatusIssue","importSpecifier":"openclaw/plugin-sdk/channel-contract","kind":"type","recordType":"export","sourceLine":100,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelThreadingContext = ChannelThreadingContext;","entrypoint":"channel-contract","exportName":"ChannelThreadingContext","importSpecifier":"openclaw/plugin-sdk/channel-contract","kind":"type","recordType":"export","sourceLine":364,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelThreadingToolContext = ChannelThreadingToolContext;","entrypoint":"channel-contract","exportName":"ChannelThreadingToolContext","importSpecifier":"openclaw/plugin-sdk/channel-contract","kind":"type","recordType":"export","sourceLine":378,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"category":"channel","entrypoint":"channel-pairing","importSpecifier":"openclaw/plugin-sdk/channel-pairing","recordType":"module","sourceLine":1,"sourcePath":"src/plugin-sdk/channel-pairing.ts"}
+{"declaration":"export function createChannelPairingChallengeIssuer(params: { channel: ChannelId; upsertPairingRequest: (params: { id: string; meta?: PairingMeta | undefined; }) => Promise<{ code: string; created: boolean; }>; }): (challenge: Omit<...>) => Promise<...>;","entrypoint":"channel-pairing","exportName":"createChannelPairingChallengeIssuer","importSpecifier":"openclaw/plugin-sdk/channel-pairing","kind":"function","recordType":"export","sourceLine":21,"sourcePath":"src/plugin-sdk/channel-pairing.ts"}
+{"declaration":"export function createChannelPairingController(params: { core: PluginRuntime; channel: ChannelId; accountId: string; }): ChannelPairingController;","entrypoint":"channel-pairing","exportName":"createChannelPairingController","importSpecifier":"openclaw/plugin-sdk/channel-pairing","kind":"function","recordType":"export","sourceLine":39,"sourcePath":"src/plugin-sdk/channel-pairing.ts"}
+{"declaration":"export function createLoggedPairingApprovalNotifier(format: string | ((params: { cfg: OpenClawConfig; id: string; accountId?: string | undefined; runtime?: RuntimeEnv | undefined; }) => string), log?: (message: string) => void): (params: { ...; }) => Promise<...>;","entrypoint":"channel-pairing","exportName":"createLoggedPairingApprovalNotifier","importSpecifier":"openclaw/plugin-sdk/channel-pairing","kind":"function","recordType":"export","sourceLine":12,"sourcePath":"src/channels/plugins/pairing-adapters.ts"}
+{"declaration":"export function createPairingPrefixStripper(prefixRe: RegExp, map?: (entry: string) => string): (entry: string) => string;","entrypoint":"channel-pairing","exportName":"createPairingPrefixStripper","importSpecifier":"openclaw/plugin-sdk/channel-pairing","kind":"function","recordType":"export","sourceLine":5,"sourcePath":"src/channels/plugins/pairing-adapters.ts"}
+{"declaration":"export function createTextPairingAdapter(params: { idLabel: string; message: string; normalizeAllowEntry?: ((entry: string) => string) | undefined; notify: (params: { cfg: OpenClawConfig; id: string; accountId?: string | undefined; runtime?: RuntimeEnv | undefined; } & { ...; }) => void | Promise<...>; }): ChannelPairingAdapter;","entrypoint":"channel-pairing","exportName":"createTextPairingAdapter","importSpecifier":"openclaw/plugin-sdk/channel-pairing","kind":"function","recordType":"export","sourceLine":21,"sourcePath":"src/channels/plugins/pairing-adapters.ts"}
+{"declaration":"export type ChannelPairingController = ChannelPairingController;","entrypoint":"channel-pairing","exportName":"ChannelPairingController","importSpecifier":"openclaw/plugin-sdk/channel-pairing","kind":"type","recordType":"export","sourceLine":14,"sourcePath":"src/plugin-sdk/channel-pairing.ts"}
+{"category":"channel","entrypoint":"channel-reply-pipeline","importSpecifier":"openclaw/plugin-sdk/channel-reply-pipeline","recordType":"module","sourceLine":1,"sourcePath":"src/plugin-sdk/channel-reply-pipeline.ts"}
+{"declaration":"export function createChannelReplyPipeline(params: { cfg: OpenClawConfig; agentId: string; channel?: string | undefined; accountId?: string | undefined; typing?: CreateTypingCallbacksParams | undefined; typingCallbacks?: TypingCallbacks | undefined; }): ChannelReplyPipeline;","entrypoint":"channel-reply-pipeline","exportName":"createChannelReplyPipeline","importSpecifier":"openclaw/plugin-sdk/channel-reply-pipeline","kind":"function","recordType":"export","sourceLine":20,"sourcePath":"src/plugin-sdk/channel-reply-pipeline.ts"}
+{"declaration":"export type ChannelReplyPipeline = ChannelReplyPipeline;","entrypoint":"channel-reply-pipeline","exportName":"ChannelReplyPipeline","importSpecifier":"openclaw/plugin-sdk/channel-reply-pipeline","kind":"type","recordType":"export","sourceLine":16,"sourcePath":"src/plugin-sdk/channel-reply-pipeline.ts"}
+{"declaration":"export type CreateTypingCallbacksParams = CreateTypingCallbacksParams;","entrypoint":"channel-reply-pipeline","exportName":"CreateTypingCallbacksParams","importSpecifier":"openclaw/plugin-sdk/channel-reply-pipeline","kind":"type","recordType":"export","sourceLine":11,"sourcePath":"src/channels/typing.ts"}
+{"declaration":"export type ReplyPrefixContext = import(\"src/auto-reply/reply/response-prefix-template\").ResponsePrefixContext;","entrypoint":"channel-reply-pipeline","exportName":"ReplyPrefixContext","importSpecifier":"openclaw/plugin-sdk/channel-reply-pipeline","kind":"type","recordType":"export","sourceLine":12,"sourcePath":"src/plugin-sdk/channel-reply-pipeline.ts"}
+{"declaration":"export type ReplyPrefixContextBundle = ReplyPrefixContextBundle;","entrypoint":"channel-reply-pipeline","exportName":"ReplyPrefixContextBundle","importSpecifier":"openclaw/plugin-sdk/channel-reply-pipeline","kind":"type","recordType":"export","sourceLine":12,"sourcePath":"src/channels/reply-prefix.ts"}
+{"declaration":"export type ReplyPrefixOptions = ReplyPrefixOptions;","entrypoint":"channel-reply-pipeline","exportName":"ReplyPrefixOptions","importSpecifier":"openclaw/plugin-sdk/channel-reply-pipeline","kind":"type","recordType":"export","sourceLine":20,"sourcePath":"src/channels/reply-prefix.ts"}
+{"declaration":"export type TypingCallbacks = TypingCallbacks;","entrypoint":"channel-reply-pipeline","exportName":"TypingCallbacks","importSpecifier":"openclaw/plugin-sdk/channel-reply-pipeline","kind":"type","recordType":"export","sourceLine":4,"sourcePath":"src/channels/typing.ts"}
+{"category":"legacy","entrypoint":"channel-runtime","importSpecifier":"openclaw/plugin-sdk/channel-runtime","recordType":"module","sourceLine":1,"sourcePath":"src/plugin-sdk/channel-runtime.ts"}
+{"declaration":"export function createAccountStatusSink(params: { accountId: string; setStatus: (next: ChannelAccountSnapshot) => void; }): (patch: Omit<ChannelAccountSnapshot, \"accountId\">) => void;","entrypoint":"channel-runtime","exportName":"createAccountStatusSink","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"function","recordType":"export","sourceLine":23,"sourcePath":"src/plugin-sdk/channel-lifecycle.ts"}
+{"declaration":"export function createReplyPrefixContext(params: { cfg: OpenClawConfig; agentId: string; channel?: string | undefined; accountId?: string | undefined; }): ReplyPrefixContextBundle;","entrypoint":"channel-runtime","exportName":"createReplyPrefixContext","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"function","recordType":"export","sourceLine":28,"sourcePath":"src/channels/reply-prefix.ts"}
+{"declaration":"export function createReplyPrefixOptions(params: { cfg: OpenClawConfig; agentId: string; channel?: string | undefined; accountId?: string | undefined; }): ReplyPrefixOptions;","entrypoint":"channel-runtime","exportName":"createReplyPrefixOptions","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"function","recordType":"export","sourceLine":64,"sourcePath":"src/channels/reply-prefix.ts"}
+{"declaration":"export function createTypingCallbacks(params: CreateTypingCallbacksParams): TypingCallbacks;","entrypoint":"channel-runtime","exportName":"createTypingCallbacks","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"function","recordType":"export","sourceLine":23,"sourcePath":"src/channels/typing.ts"}
+{"declaration":"export function isWhatsAppGroupJid(value: string): boolean;","entrypoint":"channel-runtime","exportName":"isWhatsAppGroupJid","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"function","recordType":"export","sourceLine":17,"sourcePath":"src/whatsapp/normalize.ts"}
+{"declaration":"export function isWhatsAppUserTarget(value: string): boolean;","entrypoint":"channel-runtime","exportName":"isWhatsAppUserTarget","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"function","recordType":"export","sourceLine":33,"sourcePath":"src/whatsapp/normalize.ts"}
+{"declaration":"export function keepHttpServerTaskAlive(params: { server: CloseAwareServer; abortSignal?: AbortSignal | undefined; onAbort?: (() => void | Promise<void>) | undefined; }): Promise<void>;","entrypoint":"channel-runtime","exportName":"keepHttpServerTaskAlive","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"function","recordType":"export","sourceLine":79,"sourcePath":"src/plugin-sdk/channel-lifecycle.ts"}
+{"declaration":"export function looksLikeSignalTargetId(raw: string, normalized?: string | undefined): boolean;","entrypoint":"channel-runtime","exportName":"looksLikeSignalTargetId","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"function","recordType":"export","sourceLine":38,"sourcePath":"src/channels/plugins/normalize/signal.ts"}
+{"declaration":"export function looksLikeWhatsAppTargetId(raw: string): boolean;","entrypoint":"channel-runtime","exportName":"looksLikeWhatsAppTargetId","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"function","recordType":"export","sourceLine":20,"sourcePath":"src/channels/plugins/normalize/whatsapp.ts"}
+{"declaration":"export function normalizeChatType(raw?: string | undefined): ChatType | undefined;","entrypoint":"channel-runtime","exportName":"normalizeChatType","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"function","recordType":"export","sourceLine":3,"sourcePath":"src/channels/chat-type.ts"}
+{"declaration":"export function normalizePollDurationHours(value: number | undefined, options: { defaultHours: number; maxHours: number; }): number;","entrypoint":"channel-runtime","exportName":"normalizePollDurationHours","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"function","recordType":"export","sourceLine":93,"sourcePath":"src/polls.ts"}
+{"declaration":"export function normalizePollInput(input: PollInput, options?: NormalizePollOptions): NormalizedPollInput;","entrypoint":"channel-runtime","exportName":"normalizePollInput","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"function","recordType":"export","sourceLine":36,"sourcePath":"src/polls.ts"}
+{"declaration":"export function normalizeSignalMessagingTarget(raw: string): string | undefined;","entrypoint":"channel-runtime","exportName":"normalizeSignalMessagingTarget","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"function","recordType":"export","sourceLine":1,"sourcePath":"src/channels/plugins/normalize/signal.ts"}
+{"declaration":"export function normalizeWhatsAppAllowFromEntries(allowFrom: (string | number)[]): string[];","entrypoint":"channel-runtime","exportName":"normalizeWhatsAppAllowFromEntries","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"function","recordType":"export","sourceLine":12,"sourcePath":"src/channels/plugins/normalize/whatsapp.ts"}
+{"declaration":"export function normalizeWhatsAppMessagingTarget(raw: string): string | undefined;","entrypoint":"channel-runtime","exportName":"normalizeWhatsAppMessagingTarget","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"function","recordType":"export","sourceLine":4,"sourcePath":"src/channels/plugins/normalize/whatsapp.ts"}
+{"declaration":"export function normalizeWhatsAppTarget(value: string): string | null;","entrypoint":"channel-runtime","exportName":"normalizeWhatsAppTarget","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"function","recordType":"export","sourceLine":55,"sourcePath":"src/whatsapp/normalize.ts"}
+{"declaration":"export function reduceInteractiveReply<TState>(interactive: InteractiveReply | undefined, initialState: TState, reduce: (state: TState, block: InteractiveReplyBlock, index: number) => TState): TState;","entrypoint":"channel-runtime","exportName":"reduceInteractiveReply","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"function","recordType":"export","sourceLine":3,"sourcePath":"src/channels/plugins/outbound/interactive.ts"}
+{"declaration":"export function resolvePollMaxSelections(optionCount: number, allowMultiselect: boolean | undefined): number;","entrypoint":"channel-runtime","exportName":"resolvePollMaxSelections","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"function","recordType":"export","sourceLine":29,"sourcePath":"src/polls.ts"}
+{"declaration":"export function resolveWhatsAppHeartbeatRecipients(cfg: OpenClawConfig, opts?: HeartbeatRecipientsOpts): HeartbeatRecipientsResult;","entrypoint":"channel-runtime","exportName":"resolveWhatsAppHeartbeatRecipients","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"function","recordType":"export","sourceLine":48,"sourcePath":"src/channels/plugins/whatsapp-heartbeat.ts"}
+{"declaration":"export function waitUntilAbort(signal?: AbortSignal | undefined, onAbort?: (() => void | Promise<void>) | undefined): Promise<void>;","entrypoint":"channel-runtime","exportName":"waitUntilAbort","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"function","recordType":"export","sourceLine":38,"sourcePath":"src/plugin-sdk/channel-lifecycle.ts"}
+{"declaration":"export const CHANNEL_MESSAGE_ACTION_NAMES: readonly [\"send\", \"broadcast\", \"poll\", \"poll-vote\", \"react\", \"reactions\", \"read\", \"edit\", \"unsend\", \"reply\", \"sendWithEffect\", \"renameGroup\", \"setGroupIcon\", \"addParticipant\", \"removeParticipant\", \"leaveGroup\", \"sendAttachment\", \"delete\", \"pin\", \"unpin\", \"list-pins\", \"permissions\", \"thread-create\", \"thread-list\", \"thread-reply\", \"search\", \"sticker\", \"sticker-search\", \"member-info\", \"role-info\", \"emoji-list\", \"emoji-upload\", \"sticker-upload\", \"role-add\", \"role-remove\", \"channel-info\", \"channel-list\", \"channel-create\", \"channel-edit\", \"channel-delete\", \"channel-move\", \"category-create\", \"category-edit\", \"category-delete\", \"topic-create\", \"topic-edit\", \"voice-status\", \"event-list\", \"event-create\", \"timeout\", \"kick\", \"ban\", \"set-profile\", \"set-presence\", \"set-profile\", \"download-file\"];","entrypoint":"channel-runtime","exportName":"CHANNEL_MESSAGE_ACTION_NAMES","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"const","recordType":"export","sourceLine":1,"sourcePath":"src/channels/plugins/message-action-names.ts"}
+{"declaration":"export const CHANNEL_MESSAGE_CAPABILITIES: readonly [\"interactive\", \"buttons\", \"cards\", \"components\", \"blocks\"];","entrypoint":"channel-runtime","exportName":"CHANNEL_MESSAGE_CAPABILITIES","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"const","recordType":"export","sourceLine":1,"sourcePath":"src/channels/plugins/message-capabilities.ts"}
+{"declaration":"export type BaseProbeResult = BaseProbeResult<TError>;","entrypoint":"channel-runtime","exportName":"BaseProbeResult","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":557,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type BaseTokenResolution = BaseTokenResolution;","entrypoint":"channel-runtime","exportName":"BaseTokenResolution","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":563,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelAccountSnapshot = ChannelAccountSnapshot;","entrypoint":"channel-runtime","exportName":"ChannelAccountSnapshot","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":144,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelAccountState = ChannelAccountState;","entrypoint":"channel-runtime","exportName":"ChannelAccountState","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":108,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelAgentPromptAdapter = ChannelAgentPromptAdapter;","entrypoint":"channel-runtime","exportName":"ChannelAgentPromptAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":462,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelAgentTool = ChannelAgentTool;","entrypoint":"channel-runtime","exportName":"ChannelAgentTool","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":18,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelAgentToolFactory = ChannelAgentToolFactory;","entrypoint":"channel-runtime","exportName":"ChannelAgentToolFactory","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":23,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelAllowlistAdapter = ChannelAllowlistAdapter;","entrypoint":"channel-runtime","exportName":"ChannelAllowlistAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":497,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelAuthAdapter = ChannelAuthAdapter;","entrypoint":"channel-runtime","exportName":"ChannelAuthAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":362,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelCapabilities = ChannelCapabilities;","entrypoint":"channel-runtime","exportName":"ChannelCapabilities","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":229,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelCapabilitiesDiagnostics = ChannelCapabilitiesDiagnostics;","entrypoint":"channel-runtime","exportName":"ChannelCapabilitiesDiagnostics","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":47,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelCapabilitiesDisplayLine = ChannelCapabilitiesDisplayLine;","entrypoint":"channel-runtime","exportName":"ChannelCapabilitiesDisplayLine","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":42,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelCapabilitiesDisplayTone = ChannelCapabilitiesDisplayTone;","entrypoint":"channel-runtime","exportName":"ChannelCapabilitiesDisplayTone","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":40,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelCommandAdapter = ChannelCommandAdapter;","entrypoint":"channel-runtime","exportName":"ChannelCommandAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":444,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelConfigAdapter = ChannelConfigAdapter<ResolvedAccount>;","entrypoint":"channel-runtime","exportName":"ChannelConfigAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":91,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelConfiguredBindingConversationRef = ChannelConfiguredBindingConversationRef;","entrypoint":"channel-runtime","exportName":"ChannelConfiguredBindingConversationRef","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":553,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelConfiguredBindingMatch = ChannelConfiguredBindingMatch;","entrypoint":"channel-runtime","exportName":"ChannelConfiguredBindingMatch","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":558,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelConfiguredBindingProvider = ChannelConfiguredBindingProvider;","entrypoint":"channel-runtime","exportName":"ChannelConfiguredBindingProvider","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":562,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelDirectoryAdapter = ChannelDirectoryAdapter;","entrypoint":"channel-runtime","exportName":"ChannelDirectoryAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":406,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelDirectoryEntry = ChannelDirectoryEntry;","entrypoint":"channel-runtime","exportName":"ChannelDirectoryEntry","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":468,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelDirectoryEntryKind = ChannelDirectoryEntryKind;","entrypoint":"channel-runtime","exportName":"ChannelDirectoryEntryKind","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":466,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelElevatedAdapter = ChannelElevatedAdapter;","entrypoint":"channel-runtime","exportName":"ChannelElevatedAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":437,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelExecApprovalAdapter = ChannelExecApprovalAdapter;","entrypoint":"channel-runtime","exportName":"ChannelExecApprovalAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":463,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelExecApprovalForwardTarget = ChannelExecApprovalForwardTarget;","entrypoint":"channel-runtime","exportName":"ChannelExecApprovalForwardTarget","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":32,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelExecApprovalInitiatingSurfaceState = ChannelExecApprovalInitiatingSurfaceState;","entrypoint":"channel-runtime","exportName":"ChannelExecApprovalInitiatingSurfaceState","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":27,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelGatewayAdapter = ChannelGatewayAdapter<ResolvedAccount>;","entrypoint":"channel-runtime","exportName":"ChannelGatewayAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":346,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelGatewayContext = ChannelGatewayContext<ResolvedAccount>;","entrypoint":"channel-runtime","exportName":"ChannelGatewayContext","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":238,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelGroupAdapter = ChannelGroupAdapter;","entrypoint":"channel-runtime","exportName":"ChannelGroupAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":122,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelGroupContext = ChannelGroupContext;","entrypoint":"channel-runtime","exportName":"ChannelGroupContext","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":215,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelHeartbeatAdapter = ChannelHeartbeatAdapter;","entrypoint":"channel-runtime","exportName":"ChannelHeartbeatAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":372,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelHeartbeatDeps = ChannelHeartbeatDeps;","entrypoint":"channel-runtime","exportName":"ChannelHeartbeatDeps","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":116,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelId = ChannelId;","entrypoint":"channel-runtime","exportName":"ChannelId","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":13,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelLifecycleAdapter = ChannelLifecycleAdapter;","entrypoint":"channel-runtime","exportName":"ChannelLifecycleAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":449,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelLoginWithQrStartResult = ChannelLoginWithQrStartResult;","entrypoint":"channel-runtime","exportName":"ChannelLoginWithQrStartResult","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":317,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelLoginWithQrWaitResult = ChannelLoginWithQrWaitResult;","entrypoint":"channel-runtime","exportName":"ChannelLoginWithQrWaitResult","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":322,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelLogoutContext = ChannelLogoutContext<ResolvedAccount>;","entrypoint":"channel-runtime","exportName":"ChannelLogoutContext","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":327,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelLogoutResult = ChannelLogoutResult;","entrypoint":"channel-runtime","exportName":"ChannelLogoutResult","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":311,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelLogSink = ChannelLogSink;","entrypoint":"channel-runtime","exportName":"ChannelLogSink","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":208,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelMentionAdapter = ChannelMentionAdapter;","entrypoint":"channel-runtime","exportName":"ChannelMentionAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":259,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelMessageActionAdapter = ChannelMessageActionAdapter;","entrypoint":"channel-runtime","exportName":"ChannelMessageActionAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":515,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelMessageActionContext = ChannelMessageActionContext;","entrypoint":"channel-runtime","exportName":"ChannelMessageActionContext","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":481,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelMessageActionDiscoveryContext = ChannelMessageActionDiscoveryContext;","entrypoint":"channel-runtime","exportName":"ChannelMessageActionDiscoveryContext","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":31,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelMessageActionName = \"send\" | \"broadcast\" | \"poll\" | \"poll-vote\" | \"react\" | \"reactions\" | \"read\" | \"edit\" | \"unsend\" | \"reply\" | \"sendWithEffect\" | \"renameGroup\" | \"setGroupIcon\" | \"addParticipant\" | \"removeParticipant\" | \"leaveGroup\" | \"sendAttachment\" | \"delete\" | \"pin\" | \"unpin\" | \"list-pins\" | \"permissions\" | \"thread-create\" | \"thread-list\" | \"thread-reply\" | \"search\" | \"sticker\" | \"sticker-search\" | \"member-info\" | \"role-info\" | \"emoji-list\" | \"emoji-upload\" | \"sticker-upload\" | \"role-add\" | \"role-remove\" | \"channel-info\" | \"channel-list\" | \"channel-create\" | \"channel-edit\" | \"channel-delete\" | \"channel-move\" | \"category-create\" | \"category-edit\" | \"category-delete\" | \"topic-create\" | \"topic-edit\" | \"voice-status\" | \"event-list\" | \"event-create\" | \"timeout\" | \"kick\" | \"ban\" | \"set-profile\" | \"set-presence\" | \"download-file\";","entrypoint":"channel-runtime","exportName":"ChannelMessageActionName","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":6,"sourcePath":"src/channels/plugins/types.ts"}
+{"declaration":"export type ChannelMessageCapability = \"interactive\" | \"buttons\" | \"cards\" | \"components\" | \"blocks\";","entrypoint":"channel-runtime","exportName":"ChannelMessageCapability","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":9,"sourcePath":"src/channels/plugins/message-capabilities.ts"}
+{"declaration":"export type ChannelMessageToolDiscovery = ChannelMessageToolDiscovery;","entrypoint":"channel-runtime","exportName":"ChannelMessageToolDiscovery","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":56,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelMessageToolSchemaContribution = ChannelMessageToolSchemaContribution;","entrypoint":"channel-runtime","exportName":"ChannelMessageToolSchemaContribution","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":51,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelMessagingAdapter = ChannelMessagingAdapter;","entrypoint":"channel-runtime","exportName":"ChannelMessagingAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":394,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelMeta = ChannelMeta;","entrypoint":"channel-runtime","exportName":"ChannelMeta","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":122,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelOutboundAdapter = ChannelOutboundAdapter;","entrypoint":"channel-runtime","exportName":"ChannelOutboundAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":154,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelOutboundContext = ChannelOutboundContext;","entrypoint":"channel-runtime","exportName":"ChannelOutboundContext","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":128,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelOutboundTargetMode = ChannelOutboundTargetMode;","entrypoint":"channel-runtime","exportName":"ChannelOutboundTargetMode","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":15,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelPairingAdapter = ChannelPairingAdapter;","entrypoint":"channel-runtime","exportName":"ChannelPairingAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":335,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelPlugin = ChannelPlugin<ResolvedAccount, Probe, Audit>;","entrypoint":"channel-runtime","exportName":"ChannelPlugin","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":55,"sourcePath":"src/channels/plugins/types.plugin.ts"}
+{"declaration":"export type ChannelPollContext = ChannelPollContext;","entrypoint":"channel-runtime","exportName":"ChannelPollContext","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":546,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelPollResult = ChannelPollResult;","entrypoint":"channel-runtime","exportName":"ChannelPollResult","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":537,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelResolveKind = ChannelResolveKind;","entrypoint":"channel-runtime","exportName":"ChannelResolveKind","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":417,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelResolverAdapter = ChannelResolverAdapter;","entrypoint":"channel-runtime","exportName":"ChannelResolverAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":427,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelResolveResult = ChannelResolveResult;","entrypoint":"channel-runtime","exportName":"ChannelResolveResult","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":419,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelSecurityAdapter = ChannelSecurityAdapter<ResolvedAccount>;","entrypoint":"channel-runtime","exportName":"ChannelSecurityAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":575,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelSecurityContext = ChannelSecurityContext<ResolvedAccount>;","entrypoint":"channel-runtime","exportName":"ChannelSecurityContext","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":253,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelSecurityDmPolicy = ChannelSecurityDmPolicy;","entrypoint":"channel-runtime","exportName":"ChannelSecurityDmPolicy","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":244,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelSetupAdapter = ChannelSetupAdapter;","entrypoint":"channel-runtime","exportName":"ChannelSetupAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":56,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelSetupInput = ChannelSetupInput;","entrypoint":"channel-runtime","exportName":"ChannelSetupInput","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":63,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelStatusAdapter = ChannelStatusAdapter<ResolvedAccount, Probe, Audit>;","entrypoint":"channel-runtime","exportName":"ChannelStatusAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":184,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelStatusIssue = ChannelStatusIssue;","entrypoint":"channel-runtime","exportName":"ChannelStatusIssue","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":100,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelStreamingAdapter = ChannelStreamingAdapter;","entrypoint":"channel-runtime","exportName":"ChannelStreamingAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":278,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelStructuredComponents = ChannelStructuredComponents;","entrypoint":"channel-runtime","exportName":"ChannelStructuredComponents","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":287,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelThreadingAdapter = ChannelThreadingAdapter;","entrypoint":"channel-runtime","exportName":"ChannelThreadingAdapter","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":321,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelThreadingContext = ChannelThreadingContext;","entrypoint":"channel-runtime","exportName":"ChannelThreadingContext","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":364,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelThreadingToolContext = ChannelThreadingToolContext;","entrypoint":"channel-runtime","exportName":"ChannelThreadingToolContext","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":378,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelToolSend = ChannelToolSend;","entrypoint":"channel-runtime","exportName":"ChannelToolSend","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":508,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChatType = ChatType;","entrypoint":"channel-runtime","exportName":"ChatType","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":1,"sourcePath":"src/channels/chat-type.ts"}
+{"declaration":"export type CreateTypingCallbacksParams = CreateTypingCallbacksParams;","entrypoint":"channel-runtime","exportName":"CreateTypingCallbacksParams","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":11,"sourcePath":"src/channels/typing.ts"}
+{"declaration":"export type NormalizedPollInput = NormalizedPollInput;","entrypoint":"channel-runtime","exportName":"NormalizedPollInput","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":17,"sourcePath":"src/polls.ts"}
+{"declaration":"export type PollInput = PollInput;","entrypoint":"channel-runtime","exportName":"PollInput","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":1,"sourcePath":"src/polls.ts"}
+{"declaration":"export type ReplyPrefixContextBundle = ReplyPrefixContextBundle;","entrypoint":"channel-runtime","exportName":"ReplyPrefixContextBundle","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":12,"sourcePath":"src/channels/reply-prefix.ts"}
+{"declaration":"export type ReplyPrefixOptions = ReplyPrefixOptions;","entrypoint":"channel-runtime","exportName":"ReplyPrefixOptions","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":20,"sourcePath":"src/channels/reply-prefix.ts"}
+{"declaration":"export type TypingCallbacks = TypingCallbacks;","entrypoint":"channel-runtime","exportName":"TypingCallbacks","importSpecifier":"openclaw/plugin-sdk/channel-runtime","kind":"type","recordType":"export","sourceLine":4,"sourcePath":"src/channels/typing.ts"}
+{"category":"channel","entrypoint":"channel-setup","importSpecifier":"openclaw/plugin-sdk/channel-setup","recordType":"module","sourceLine":1,"sourcePath":"src/plugin-sdk/channel-setup.ts"}
+{"declaration":"export function createOptionalChannelSetupAdapter(params: OptionalChannelSetupParams): ChannelSetupAdapter;","entrypoint":"channel-setup","exportName":"createOptionalChannelSetupAdapter","importSpecifier":"openclaw/plugin-sdk/channel-setup","kind":"function","recordType":"export","sourceLine":22,"sourcePath":"src/plugin-sdk/optional-channel-setup.ts"}
+{"declaration":"export function createOptionalChannelSetupSurface(params: OptionalChannelSetupParams): OptionalChannelSetupSurface;","entrypoint":"channel-setup","exportName":"createOptionalChannelSetupSurface","importSpecifier":"openclaw/plugin-sdk/channel-setup","kind":"function","recordType":"export","sourceLine":40,"sourcePath":"src/plugin-sdk/channel-setup.ts"}
+{"declaration":"export function createOptionalChannelSetupWizard(params: OptionalChannelSetupParams): ChannelSetupWizard;","entrypoint":"channel-setup","exportName":"createOptionalChannelSetupWizard","importSpecifier":"openclaw/plugin-sdk/channel-setup","kind":"function","recordType":"export","sourceLine":35,"sourcePath":"src/plugin-sdk/optional-channel-setup.ts"}
+{"declaration":"export function createTopLevelChannelDmPolicy(params: { label: string; channel: string; policyKey: string; allowFromKey: string; getCurrent: (cfg: OpenClawConfig) => DmPolicy; promptAllowFrom?: ((params: { cfg: OpenClawConfig; prompter: WizardPrompter; accountId?: string | undefined; }) => Promise<...>) | undefined; getAllowFrom?: ((cfg: OpenClawConfig) => (string | number)[] | undefined) | undefined; }): ChannelSetupDmPolicy;","entrypoint":"channel-setup","exportName":"createTopLevelChannelDmPolicy","importSpecifier":"openclaw/plugin-sdk/channel-setup","kind":"function","recordType":"export","sourceLine":363,"sourcePath":"src/channels/plugins/setup-wizard-helpers.ts"}
+{"declaration":"export function formatDocsLink(path: string, label?: string | undefined, opts?: { fallback?: string | undefined; force?: boolean | undefined; } | undefined): string;","entrypoint":"channel-setup","exportName":"formatDocsLink","importSpecifier":"openclaw/plugin-sdk/channel-setup","kind":"function","recordType":"export","sourceLine":5,"sourcePath":"src/terminal/links.ts"}
+{"declaration":"export function setSetupChannelEnabled(cfg: OpenClawConfig, channel: string, enabled: boolean): OpenClawConfig;","entrypoint":"channel-setup","exportName":"setSetupChannelEnabled","importSpecifier":"openclaw/plugin-sdk/channel-setup","kind":"function","recordType":"export","sourceLine":765,"sourcePath":"src/channels/plugins/setup-wizard-helpers.ts"}
+{"declaration":"export function splitSetupEntries(raw: string): string[];","entrypoint":"channel-setup","exportName":"splitSetupEntries","importSpecifier":"openclaw/plugin-sdk/channel-setup","kind":"function","recordType":"export","sourceLine":76,"sourcePath":"src/channels/plugins/setup-wizard-helpers.ts"}
+{"declaration":"export const DEFAULT_ACCOUNT_ID: \"default\";","entrypoint":"channel-setup","exportName":"DEFAULT_ACCOUNT_ID","importSpecifier":"openclaw/plugin-sdk/channel-setup","kind":"const","recordType":"export","sourceLine":3,"sourcePath":"src/routing/account-id.ts"}
+{"declaration":"export type ChannelSetupAdapter = ChannelSetupAdapter;","entrypoint":"channel-setup","exportName":"ChannelSetupAdapter","importSpecifier":"openclaw/plugin-sdk/channel-setup","kind":"type","recordType":"export","sourceLine":56,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type ChannelSetupDmPolicy = ChannelSetupDmPolicy;","entrypoint":"channel-setup","exportName":"ChannelSetupDmPolicy","importSpecifier":"openclaw/plugin-sdk/channel-setup","kind":"type","recordType":"export","sourceLine":93,"sourcePath":"src/channels/plugins/setup-wizard-types.ts"}
+{"declaration":"export type ChannelSetupInput = ChannelSetupInput;","entrypoint":"channel-setup","exportName":"ChannelSetupInput","importSpecifier":"openclaw/plugin-sdk/channel-setup","kind":"type","recordType":"export","sourceLine":63,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelSetupWizard = ChannelSetupWizard;","entrypoint":"channel-setup","exportName":"ChannelSetupWizard","importSpecifier":"openclaw/plugin-sdk/channel-setup","kind":"type","recordType":"export","sourceLine":247,"sourcePath":"src/channels/plugins/setup-wizard.ts"}
+{"declaration":"export type OptionalChannelSetupSurface = OptionalChannelSetupSurface;","entrypoint":"channel-setup","exportName":"OptionalChannelSetupSurface","importSpecifier":"openclaw/plugin-sdk/channel-setup","kind":"type","recordType":"export","sourceLine":29,"sourcePath":"src/plugin-sdk/channel-setup.ts"}
+{"category":"channel","entrypoint":"command-auth","importSpecifier":"openclaw/plugin-sdk/command-auth","recordType":"module","sourceLine":1,"sourcePath":"src/plugin-sdk/command-auth.ts"}
+{"declaration":"export function buildCommandsMessage(cfg?: OpenClawConfig | undefined, skillCommands?: SkillCommandSpec[] | undefined, options?: CommandsMessageOptions | undefined): string;","entrypoint":"command-auth","exportName":"buildCommandsMessage","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":847,"sourcePath":"src/auto-reply/status.ts"}
+{"declaration":"export function buildCommandsMessagePaginated(cfg?: OpenClawConfig | undefined, skillCommands?: SkillCommandSpec[] | undefined, options?: CommandsMessageOptions | undefined): CommandsMessageResult;","entrypoint":"command-auth","exportName":"buildCommandsMessagePaginated","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":856,"sourcePath":"src/auto-reply/status.ts"}
+{"declaration":"export function buildCommandsPaginationKeyboard(currentPage: number, totalPages: number, agentId?: string | undefined): { text: string; callback_data: string; }[][];","entrypoint":"command-auth","exportName":"buildCommandsPaginationKeyboard","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":89,"sourcePath":"src/auto-reply/reply/commands-info.ts"}
+{"declaration":"export function buildCommandText(commandName: string, args?: string | undefined): string;","entrypoint":"command-auth","exportName":"buildCommandText","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":199,"sourcePath":"src/auto-reply/commands-registry.ts"}
+{"declaration":"export function buildCommandTextFromArgs(command: ChatCommandDefinition, args?: CommandArgs | undefined): string;","entrypoint":"command-auth","exportName":"buildCommandTextFromArgs","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":291,"sourcePath":"src/auto-reply/commands-registry.ts"}
+{"declaration":"export function buildHelpMessage(cfg?: OpenClawConfig | undefined): string;","entrypoint":"command-auth","exportName":"buildHelpMessage","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":727,"sourcePath":"src/auto-reply/status.ts"}
+{"declaration":"export function buildModelsProviderData(cfg: OpenClawConfig, agentId?: string | undefined): Promise<ModelsProviderData>;","entrypoint":"command-auth","exportName":"buildModelsProviderData","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":37,"sourcePath":"src/auto-reply/reply/commands-models.ts"}
+{"declaration":"export function createPreCryptoDirectDmAuthorizer(params: { resolveAccess: (senderId: string) => Promise<ResolvedInboundDirectDmAccess | Pick<ResolvedInboundDirectDmAccess, \"access\">>; issuePairingChallenge?: ((params: { ...; }) => Promise<...>) | undefined; onBlocked?: ((params: { ...; }) => void) | undefined; }): (input: { ...; }) => Promise<...>;","entrypoint":"command-auth","exportName":"createPreCryptoDirectDmAuthorizer","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":105,"sourcePath":"src/plugin-sdk/direct-dm.ts"}
+{"declaration":"export function findCommandByNativeName(name: string, provider?: string | undefined): ChatCommandDefinition | undefined;","entrypoint":"command-auth","exportName":"findCommandByNativeName","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":187,"sourcePath":"src/auto-reply/commands-registry.ts"}
+{"declaration":"export function formatModelsAvailableHeader(params: { provider: string; total: number; cfg: OpenClawConfig; agentDir?: string | undefined; sessionEntry?: SessionEntry | undefined; }): string;","entrypoint":"command-auth","exportName":"formatModelsAvailableHeader","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":204,"sourcePath":"src/auto-reply/reply/commands-models.ts"}
+{"declaration":"export function getCommandDetection(_cfg?: OpenClawConfig | undefined): CommandDetection;","entrypoint":"command-auth","exportName":"getCommandDetection","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":440,"sourcePath":"src/auto-reply/commands-registry.ts"}
+{"declaration":"export function hasControlCommand(text?: string | undefined, cfg?: OpenClawConfig | undefined, options?: CommandNormalizeOptions | undefined): boolean;","entrypoint":"command-auth","exportName":"hasControlCommand","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":10,"sourcePath":"src/auto-reply/command-detection.ts"}
+{"declaration":"export function hasInlineCommandTokens(text?: string | undefined): boolean;","entrypoint":"command-auth","exportName":"hasInlineCommandTokens","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":74,"sourcePath":"src/auto-reply/command-detection.ts"}
+{"declaration":"export function isCommandEnabled(cfg: OpenClawConfig, commandKey: string): boolean;","entrypoint":"command-auth","exportName":"isCommandEnabled","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":98,"sourcePath":"src/auto-reply/commands-registry.ts"}
+{"declaration":"export function isCommandMessage(raw: string): boolean;","entrypoint":"command-auth","exportName":"isCommandMessage","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":435,"sourcePath":"src/auto-reply/commands-registry.ts"}
+{"declaration":"export function isControlCommandMessage(text?: string | undefined, cfg?: OpenClawConfig | undefined, options?: CommandNormalizeOptions | undefined): boolean;","entrypoint":"command-auth","exportName":"isControlCommandMessage","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":48,"sourcePath":"src/auto-reply/command-detection.ts"}
+{"declaration":"export function isNativeCommandSurface(surface?: string | undefined): boolean;","entrypoint":"command-auth","exportName":"isNativeCommandSurface","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":521,"sourcePath":"src/auto-reply/commands-registry.ts"}
+{"declaration":"export function listChatCommands(params?: { skillCommands?: SkillCommandSpec[] | undefined; } | undefined): ChatCommandDefinition[];","entrypoint":"command-auth","exportName":"listChatCommands","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":88,"sourcePath":"src/auto-reply/commands-registry.ts"}
+{"declaration":"export function listChatCommandsForConfig(cfg: OpenClawConfig, params?: { skillCommands?: SkillCommandSpec[] | undefined; } | undefined): ChatCommandDefinition[];","entrypoint":"command-auth","exportName":"listChatCommandsForConfig","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":117,"sourcePath":"src/auto-reply/commands-registry.ts"}
+{"declaration":"export function listNativeCommandSpecs(params?: { skillCommands?: SkillCommandSpec[] | undefined; provider?: string | undefined; } | undefined): NativeCommandSpec[];","entrypoint":"command-auth","exportName":"listNativeCommandSpecs","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":170,"sourcePath":"src/auto-reply/commands-registry.ts"}
+{"declaration":"export function listNativeCommandSpecsForConfig(cfg: OpenClawConfig, params?: { skillCommands?: SkillCommandSpec[] | undefined; provider?: string | undefined; } | undefined): NativeCommandSpec[];","entrypoint":"command-auth","exportName":"listNativeCommandSpecsForConfig","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":180,"sourcePath":"src/auto-reply/commands-registry.ts"}
+{"declaration":"export function listReservedChatSlashCommandNames(extraNames?: string[]): Set<string>;","entrypoint":"command-auth","exportName":"listReservedChatSlashCommandNames","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":4,"sourcePath":"src/auto-reply/skill-commands-base.ts"}
+{"declaration":"export function listSkillCommandsForAgents(params: { cfg: OpenClawConfig; agentIds?: string[] | undefined; }): SkillCommandSpec[];","entrypoint":"command-auth","exportName":"listSkillCommandsForAgents","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":46,"sourcePath":"src/auto-reply/skill-commands.ts"}
+{"declaration":"export function listSkillCommandsForWorkspace(params: { workspaceDir: string; cfg: OpenClawConfig; skillFilter?: string[] | undefined; }): SkillCommandSpec[];","entrypoint":"command-auth","exportName":"listSkillCommandsForWorkspace","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":17,"sourcePath":"src/auto-reply/skill-commands.ts"}
+{"declaration":"export function maybeResolveTextAlias(raw: string, cfg?: OpenClawConfig | undefined): string | null;","entrypoint":"command-auth","exportName":"maybeResolveTextAlias","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":473,"sourcePath":"src/auto-reply/commands-registry.ts"}
+{"declaration":"export function normalizeCommandBody(raw: string, options?: CommandNormalizeOptions | undefined): string;","entrypoint":"command-auth","exportName":"normalizeCommandBody","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":384,"sourcePath":"src/auto-reply/commands-registry.ts"}
+{"declaration":"export function parseCommandArgs(command: ChatCommandDefinition, raw?: string | undefined): CommandArgs | undefined;","entrypoint":"command-auth","exportName":"parseCommandArgs","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":254,"sourcePath":"src/auto-reply/commands-registry.ts"}
+{"declaration":"export function resolveCommandArgChoices(params: { command: ChatCommandDefinition; arg: CommandArgDefinition; cfg?: OpenClawConfig | undefined; provider?: string | undefined; model?: string | undefined; }): ResolvedCommandArgChoice[];","entrypoint":"command-auth","exportName":"resolveCommandArgChoices","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":316,"sourcePath":"src/auto-reply/commands-registry.ts"}
+{"declaration":"export function resolveCommandArgMenu(params: { command: ChatCommandDefinition; args?: CommandArgs | undefined; cfg?: OpenClawConfig | undefined; }): { arg: CommandArgDefinition; choices: ResolvedCommandArgChoice[]; title?: string | undefined; } | null;","entrypoint":"command-auth","exportName":"resolveCommandArgMenu","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":346,"sourcePath":"src/auto-reply/commands-registry.ts"}
+{"declaration":"export function resolveCommandAuthorization(params: { ctx: MsgContext; cfg: OpenClawConfig; commandAuthorized: boolean; }): CommandAuthorization;","entrypoint":"command-auth","exportName":"resolveCommandAuthorization","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":303,"sourcePath":"src/auto-reply/command-auth.ts"}
+{"declaration":"export function resolveCommandAuthorizedFromAuthorizers(params: { useAccessGroups: boolean; authorizers: CommandAuthorizer[]; modeWhenAccessGroupsOff?: CommandGatingModeWhenAccessGroupsOff | undefined; }): boolean;","entrypoint":"command-auth","exportName":"resolveCommandAuthorizedFromAuthorizers","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":8,"sourcePath":"src/channels/command-gating.ts"}
+{"declaration":"export function resolveControlCommandGate(params: { useAccessGroups: boolean; authorizers: CommandAuthorizer[]; allowTextCommands: boolean; hasControlCommand: boolean; modeWhenAccessGroupsOff?: CommandGatingModeWhenAccessGroupsOff | undefined; }): { ...; };","entrypoint":"command-auth","exportName":"resolveControlCommandGate","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":31,"sourcePath":"src/channels/command-gating.ts"}
+{"declaration":"export function resolveDirectDmAuthorizationOutcome(params: { isGroup: boolean; dmPolicy: string; senderAllowedForCommands: boolean; }): \"disabled\" | \"unauthorized\" | \"allowed\";","entrypoint":"command-auth","exportName":"resolveDirectDmAuthorizationOutcome","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":120,"sourcePath":"src/plugin-sdk/command-auth.ts"}
+{"declaration":"export function resolveDualTextControlCommandGate(params: { useAccessGroups: boolean; primaryConfigured: boolean; primaryAllowed: boolean; secondaryConfigured: boolean; secondaryAllowed: boolean; hasControlCommand: boolean; modeWhenAccessGroupsOff?: CommandGatingModeWhenAccessGroupsOff | undefined; }): { ...; };","entrypoint":"command-auth","exportName":"resolveDualTextControlCommandGate","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":47,"sourcePath":"src/channels/command-gating.ts"}
+{"declaration":"export function resolveInboundDirectDmAccessWithRuntime(params: { cfg: OpenClawConfig; channel: ChannelId; accountId: string; dmPolicy?: string | null | undefined; allowFrom?: (string | number)[] | null | undefined; senderId: string; ... 4 more ...; readStoreAllowFrom?: ((provider: ChannelId, accountId: string) => Promise<...>) | undefined; }): Promise<...>;","entrypoint":"command-auth","exportName":"resolveInboundDirectDmAccessWithRuntime","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":35,"sourcePath":"src/plugin-sdk/direct-dm.ts"}
+{"declaration":"export function resolveModelsCommandReply(params: { cfg: OpenClawConfig; commandBodyNormalized: string; surface?: string | undefined; currentModel?: string | undefined; agentId?: string | undefined; agentDir?: string | undefined; sessionEntry?: SessionEntry | undefined; }): Promise<...>;","entrypoint":"command-auth","exportName":"resolveModelsCommandReply","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":220,"sourcePath":"src/auto-reply/reply/commands-models.ts"}
+{"declaration":"export function resolveNativeCommandSessionTargets(params: ResolveNativeCommandSessionTargetsParams): { sessionKey: string; commandTargetSessionKey: string; };","entrypoint":"command-auth","exportName":"resolveNativeCommandSessionTargets","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":10,"sourcePath":"src/channels/native-command-session-targets.ts"}
+{"declaration":"export function resolveSenderCommandAuthorization(params: ResolveSenderCommandAuthorizationParams): Promise<{ shouldComputeAuth: boolean; effectiveAllowFrom: string[]; effectiveGroupAllowFrom: string[]; senderAllowedForCommands: boolean; commandAuthorized: boolean | undefined; }>;","entrypoint":"command-auth","exportName":"resolveSenderCommandAuthorization","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":149,"sourcePath":"src/plugin-sdk/command-auth.ts"}
+{"declaration":"export function resolveSenderCommandAuthorizationWithRuntime(params: ResolveSenderCommandAuthorizationWithRuntimeParams): Promise<{ shouldComputeAuth: boolean; effectiveAllowFrom: string[]; effectiveGroupAllowFrom: string[]; senderAllowedForCommands: boolean; commandAuthorized: boolean | undefined; }>;","entrypoint":"command-auth","exportName":"resolveSenderCommandAuthorizationWithRuntime","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":138,"sourcePath":"src/plugin-sdk/command-auth.ts"}
+{"declaration":"export function resolveSkillCommandInvocation(params: { commandBodyNormalized: string; skillCommands: SkillCommandSpec[]; }): { command: SkillCommandSpec; args?: string | undefined; } | null;","entrypoint":"command-auth","exportName":"resolveSkillCommandInvocation","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":58,"sourcePath":"src/auto-reply/skill-commands-base.ts"}
+{"declaration":"export function resolveStoredModelOverride(params: { sessionEntry?: SessionEntry | undefined; sessionStore?: Record<string, SessionEntry> | undefined; sessionKey?: string | undefined; parentSessionKey?: string | undefined; }): StoredModelOverride | null;","entrypoint":"command-auth","exportName":"resolveStoredModelOverride","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":156,"sourcePath":"src/auto-reply/reply/model-selection.ts"}
+{"declaration":"export function resolveTextCommand(raw: string, cfg?: OpenClawConfig | undefined): { command: ChatCommandDefinition; args?: string | undefined; } | null;","entrypoint":"command-auth","exportName":"resolveTextCommand","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":494,"sourcePath":"src/auto-reply/commands-registry.ts"}
+{"declaration":"export function serializeCommandArgs(command: ChatCommandDefinition, args?: CommandArgs | undefined): string | undefined;","entrypoint":"command-auth","exportName":"serializeCommandArgs","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":271,"sourcePath":"src/auto-reply/commands-registry.ts"}
+{"declaration":"export function shouldComputeCommandAuthorized(text?: string | undefined, cfg?: OpenClawConfig | undefined, options?: CommandNormalizeOptions | undefined): boolean;","entrypoint":"command-auth","exportName":"shouldComputeCommandAuthorized","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":82,"sourcePath":"src/auto-reply/command-detection.ts"}
+{"declaration":"export function shouldHandleTextCommands(params: ShouldHandleTextCommandsParams): boolean;","entrypoint":"command-auth","exportName":"shouldHandleTextCommands","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":528,"sourcePath":"src/auto-reply/commands-registry.ts"}
+{"declaration":"export type ChatCommandDefinition = ChatCommandDefinition;","entrypoint":"command-auth","exportName":"ChatCommandDefinition","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":53,"sourcePath":"src/auto-reply/commands-registry.types.ts"}
+{"declaration":"export type CommandArgChoiceContext = CommandArgChoiceContext;","entrypoint":"command-auth","exportName":"CommandArgChoiceContext","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":16,"sourcePath":"src/auto-reply/commands-registry.types.ts"}
+{"declaration":"export type CommandArgDefinition = CommandArgDefinition;","entrypoint":"command-auth","exportName":"CommandArgDefinition","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":28,"sourcePath":"src/auto-reply/commands-registry.types.ts"}
+{"declaration":"export type CommandArgMenuSpec = CommandArgMenuSpec;","entrypoint":"command-auth","exportName":"CommandArgMenuSpec","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":38,"sourcePath":"src/auto-reply/commands-registry.types.ts"}
+{"declaration":"export type CommandArgs = CommandArgs;","entrypoint":"command-auth","exportName":"CommandArgs","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":46,"sourcePath":"src/auto-reply/commands-registry.types.ts"}
+{"declaration":"export type CommandArgValues = CommandArgValues;","entrypoint":"command-auth","exportName":"CommandArgValues","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":44,"sourcePath":"src/auto-reply/commands-registry.types.ts"}
+{"declaration":"export type CommandAuthorization = CommandAuthorization;","entrypoint":"command-auth","exportName":"CommandAuthorization","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":13,"sourcePath":"src/auto-reply/command-auth.ts"}
+{"declaration":"export type CommandAuthorizationRuntime = CommandAuthorizationRuntime;","entrypoint":"command-auth","exportName":"CommandAuthorizationRuntime","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":104,"sourcePath":"src/plugin-sdk/command-auth.ts"}
+{"declaration":"export type CommandAuthorizer = CommandAuthorizer;","entrypoint":"command-auth","exportName":"CommandAuthorizer","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":1,"sourcePath":"src/channels/command-gating.ts"}
+{"declaration":"export type CommandDetection = CommandDetection;","entrypoint":"command-auth","exportName":"CommandDetection","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":78,"sourcePath":"src/auto-reply/commands-registry.types.ts"}
+{"declaration":"export type CommandGatingModeWhenAccessGroupsOff = CommandGatingModeWhenAccessGroupsOff;","entrypoint":"command-auth","exportName":"CommandGatingModeWhenAccessGroupsOff","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":6,"sourcePath":"src/channels/command-gating.ts"}
+{"declaration":"export type CommandNormalizeOptions = CommandNormalizeOptions;","entrypoint":"command-auth","exportName":"CommandNormalizeOptions","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":74,"sourcePath":"src/auto-reply/commands-registry.types.ts"}
+{"declaration":"export type CommandScope = CommandScope;","entrypoint":"command-auth","exportName":"CommandScope","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":3,"sourcePath":"src/auto-reply/commands-registry.types.ts"}
+{"declaration":"export type DirectDmCommandAuthorizationRuntime = DirectDmCommandAuthorizationRuntime;","entrypoint":"command-auth","exportName":"DirectDmCommandAuthorizationRuntime","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":13,"sourcePath":"src/plugin-sdk/direct-dm.ts"}
+{"declaration":"export type ModelsProviderData = ModelsProviderData;","entrypoint":"command-auth","exportName":"ModelsProviderData","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":27,"sourcePath":"src/auto-reply/reply/commands-models.ts"}
+{"declaration":"export type NativeCommandSpec = NativeCommandSpec;","entrypoint":"command-auth","exportName":"NativeCommandSpec","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":67,"sourcePath":"src/auto-reply/commands-registry.types.ts"}
+{"declaration":"export type ResolvedCommandArgChoice = ResolvedCommandArgChoice;","entrypoint":"command-auth","exportName":"ResolvedCommandArgChoice","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":314,"sourcePath":"src/auto-reply/commands-registry.ts"}
+{"declaration":"export type ResolvedInboundDirectDmAccess = ResolvedInboundDirectDmAccess;","entrypoint":"command-auth","exportName":"ResolvedInboundDirectDmAccess","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":22,"sourcePath":"src/plugin-sdk/direct-dm.ts"}
+{"declaration":"export type ResolveNativeCommandSessionTargetsParams = ResolveNativeCommandSessionTargetsParams;","entrypoint":"command-auth","exportName":"ResolveNativeCommandSessionTargetsParams","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":1,"sourcePath":"src/channels/native-command-session-targets.ts"}
+{"declaration":"export type ResolveSenderCommandAuthorizationParams = ResolveSenderCommandAuthorizationParams;","entrypoint":"command-auth","exportName":"ResolveSenderCommandAuthorizationParams","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":87,"sourcePath":"src/plugin-sdk/command-auth.ts"}
+{"declaration":"export type ResolveSenderCommandAuthorizationWithRuntimeParams = ResolveSenderCommandAuthorizationWithRuntimeParams;","entrypoint":"command-auth","exportName":"ResolveSenderCommandAuthorizationWithRuntimeParams","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":112,"sourcePath":"src/plugin-sdk/command-auth.ts"}
+{"declaration":"export type ShouldHandleTextCommandsParams = ShouldHandleTextCommandsParams;","entrypoint":"command-auth","exportName":"ShouldHandleTextCommandsParams","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":83,"sourcePath":"src/auto-reply/commands-registry.types.ts"}
+{"declaration":"export type StoredModelOverride = StoredModelOverride;","entrypoint":"command-auth","exportName":"StoredModelOverride","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"type","recordType":"export","sourceLine":123,"sourcePath":"src/auto-reply/reply/model-selection.ts"}
+{"category":"core","entrypoint":"core","importSpecifier":"openclaw/plugin-sdk/core","recordType":"module","sourceLine":1,"sourcePath":"src/plugin-sdk/core.ts"}
+{"declaration":"export function applyAccountNameToChannelSection(params: { cfg: OpenClawConfig; channelKey: string; accountId: string; name?: string | undefined; alwaysUseAccounts?: boolean | undefined; }): OpenClawConfig;","entrypoint":"core","exportName":"applyAccountNameToChannelSection","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":33,"sourcePath":"src/channels/plugins/setup-helpers.ts"}
+{"declaration":"export function buildAgentSessionKey(params: { agentId: string; channel: string; accountId?: string | null | undefined; peer?: RoutePeer | null | undefined; dmScope?: \"main\" | \"per-peer\" | \"per-channel-peer\" | \"per-account-channel-peer\" | undefined; identityLinks?: Record<...> | undefined; }): string;","entrypoint":"core","exportName":"buildAgentSessionKey","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":91,"sourcePath":"src/routing/resolve-route.ts"}
+{"declaration":"export function buildChannelConfigSchema(schema: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>): ChannelConfigSchema;","entrypoint":"core","exportName":"buildChannelConfigSchema","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":35,"sourcePath":"src/channels/plugins/config-schema.ts"}
+{"declaration":"export function buildChannelOutboundSessionRoute(params: { cfg: OpenClawConfig; agentId: string; channel: string; accountId?: string | null | undefined; peer: { kind: \"direct\" | \"group\" | \"channel\"; id: string; }; chatType: \"direct\" | \"group\" | \"channel\"; from: string; to: string; threadId?: string | ... 1 more ... | undefined; }): ChannelOutboundSessionRoute;","entrypoint":"core","exportName":"buildChannelOutboundSessionRoute","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":161,"sourcePath":"src/plugin-sdk/core.ts"}
+{"declaration":"export function channelTargetSchema(options?: { description?: string | undefined; } | undefined): TString;","entrypoint":"core","exportName":"channelTargetSchema","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":33,"sourcePath":"src/agents/schema/typebox.ts"}
+{"declaration":"export function channelTargetsSchema(options?: { description?: string | undefined; } | undefined): TArray<TString>;","entrypoint":"core","exportName":"channelTargetsSchema","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":39,"sourcePath":"src/agents/schema/typebox.ts"}
+{"declaration":"export function clearAccountEntryFields<TAccountEntry extends object>(params: { accounts?: Record<string, TAccountEntry> | undefined; accountId: string; fields: string[]; isValueSet?: ((value: unknown) => boolean) | undefined; markClearedOnFieldPresence?: boolean | undefined; }): { ...; };","entrypoint":"core","exportName":"clearAccountEntryFields","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":122,"sourcePath":"src/channels/plugins/config-helpers.ts"}
+{"declaration":"export function createChannelPluginBase<TResolvedAccount>(params: CreateChannelPluginBaseOptions<TResolvedAccount>): CreatedChannelPluginBase<TResolvedAccount>;","entrypoint":"core","exportName":"createChannelPluginBase","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":435,"sourcePath":"src/plugin-sdk/core.ts"}
+{"declaration":"export function createChatChannelPlugin<TResolvedAccount extends { accountId?: string | null; }, Probe = unknown, Audit = unknown>(params: { base: ChatChannelPluginBase<TResolvedAccount, Probe, Audit>; security?: ChannelSecurityAdapter<TResolvedAccount> | ChatChannelSecurityOptions<...> | undefined; pairing?: ChannelPairingAdapter | ... 1 more ... | undefined; threading?: ChannelThreadingAdapter | ... 1 more ... | undefined; outbound?: ChannelOutboundAdapter | ... 1 more ... | undefined; }): ChannelPlugin<...>;","entrypoint":"core","exportName":"createChatChannelPlugin","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":412,"sourcePath":"src/plugin-sdk/core.ts"}
+{"declaration":"export function defineChannelPluginEntry<TPlugin extends ChannelPlugin>({ id, name, description, plugin, configSchema, setRuntime, registerFull, }: DefineChannelPluginEntryOptions<TPlugin>): DefinedPluginEntry;","entrypoint":"core","exportName":"defineChannelPluginEntry","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":244,"sourcePath":"src/plugin-sdk/core.ts"}
+{"declaration":"export function definePluginEntry({ id, name, description, kind, configSchema, register, }: DefinePluginEntryOptions): DefinedPluginEntry;","entrypoint":"core","exportName":"definePluginEntry","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":88,"sourcePath":"src/plugin-sdk/plugin-entry.ts"}
+{"declaration":"export function defineSetupPluginEntry<TPlugin>(plugin: TPlugin): { plugin: TPlugin; };","entrypoint":"core","exportName":"defineSetupPluginEntry","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":275,"sourcePath":"src/plugin-sdk/core.ts"}
+{"declaration":"export function delegateCompactionToRuntime(params: { sessionId: string; sessionKey?: string | undefined; sessionFile: string; tokenBudget?: number | undefined; force?: boolean | undefined; currentTokenCount?: number | undefined; compactionTarget?: \"budget\" | ... 1 more ... | undefined; customInstructions?: string | undefined; runtimeContext?: ContextEngineRuntimeContext | undefined; }): Promise<...>;","entrypoint":"core","exportName":"delegateCompactionToRuntime","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":16,"sourcePath":"src/context-engine/delegate.ts"}
+{"declaration":"export function deleteAccountFromConfigSection(params: { cfg: OpenClawConfig; sectionKey: string; accountId: string; clearBaseFields?: string[] | undefined; }): OpenClawConfig;","entrypoint":"core","exportName":"deleteAccountFromConfigSection","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":60,"sourcePath":"src/channels/plugins/config-helpers.ts"}
+{"declaration":"export function emptyPluginConfigSchema(): OpenClawPluginConfigSchema;","entrypoint":"core","exportName":"emptyPluginConfigSchema","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":13,"sourcePath":"src/plugins/config-schema.ts"}
+{"declaration":"export function formatPairingApproveHint(channelId: string): string;","entrypoint":"core","exportName":"formatPairingApproveHint","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":17,"sourcePath":"src/channels/plugins/helpers.ts"}
+{"declaration":"export function getChatChannelMeta(id: \"telegram\" | \"whatsapp\" | \"discord\" | \"irc\" | \"googlechat\" | \"slack\" | \"signal\" | \"imessage\" | \"line\"): ChannelMeta;","entrypoint":"core","exportName":"getChatChannelMeta","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":158,"sourcePath":"src/channels/registry.ts"}
+{"declaration":"export function isSecretRef(value: unknown): value is SecretRef;","entrypoint":"core","exportName":"isSecretRef","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":34,"sourcePath":"src/config/types.secrets.ts"}
+{"declaration":"export function loadSecretFileSync(filePath: string, label: string, options?: SecretFileReadOptions): SecretFileReadResult;","entrypoint":"core","exportName":"loadSecretFileSync","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":29,"sourcePath":"src/infra/secret-file.ts"}
+{"declaration":"export function migrateBaseNameToDefaultAccount(params: { cfg: OpenClawConfig; channelKey: string; alwaysUseAccounts?: boolean | undefined; }): OpenClawConfig;","entrypoint":"core","exportName":"migrateBaseNameToDefaultAccount","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":92,"sourcePath":"src/channels/plugins/setup-helpers.ts"}
+{"declaration":"export function normalizeAccountId(value: string | null | undefined): string;","entrypoint":"core","exportName":"normalizeAccountId","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":34,"sourcePath":"src/routing/account-id.ts"}
+{"declaration":"export function normalizeAtHashSlug(raw?: string | null | undefined): string;","entrypoint":"core","exportName":"normalizeAtHashSlug","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":19,"sourcePath":"src/shared/string-normalization.ts"}
+{"declaration":"export function normalizeHyphenSlug(raw?: string | null | undefined): string;","entrypoint":"core","exportName":"normalizeHyphenSlug","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":9,"sourcePath":"src/shared/string-normalization.ts"}
+{"declaration":"export function optionalStringEnum<T extends readonly string[]>(values: T, options?: StringEnumOptions<T>): TOptional<TUnsafe<T[number]>>;","entrypoint":"core","exportName":"optionalStringEnum","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":26,"sourcePath":"src/agents/schema/typebox.ts"}
+{"declaration":"export function parseOptionalDelimitedEntries(value?: string | undefined): string[] | undefined;","entrypoint":"core","exportName":"parseOptionalDelimitedEntries","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":23,"sourcePath":"src/channels/plugins/helpers.ts"}
+{"declaration":"export function readSecretFileSync(filePath: string, label: string, options?: SecretFileReadOptions): string;","entrypoint":"core","exportName":"readSecretFileSync","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":118,"sourcePath":"src/infra/secret-file.ts"}
+{"declaration":"export function resolveGatewayBindUrl(params: { bind?: string | undefined; customBindHost?: string | undefined; scheme: \"ws\" | \"wss\"; port: number; pickTailnetHost: () => string | null; pickLanHost: () => string | null; }): GatewayBindUrlResult;","entrypoint":"core","exportName":"resolveGatewayBindUrl","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":11,"sourcePath":"src/shared/gateway-bind-url.ts"}
+{"declaration":"export function resolveTailnetHostWithRunner(runCommandWithTimeout?: TailscaleStatusCommandRunner | undefined): Promise<string | null>;","entrypoint":"core","exportName":"resolveTailnetHostWithRunner","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":43,"sourcePath":"src/shared/tailscale-status.ts"}
+{"declaration":"export function resolveThreadSessionKeys(params: { baseSessionKey: string; threadId?: string | null | undefined; parentSessionKey?: string | undefined; useSuffix?: boolean | undefined; normalizeThreadId?: ((threadId: string) => string) | undefined; }): { ...; };","entrypoint":"core","exportName":"resolveThreadSessionKeys","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":234,"sourcePath":"src/routing/session-key.ts"}
+{"declaration":"export function setAccountEnabledInConfigSection(params: { cfg: OpenClawConfig; sectionKey: string; accountId: string; enabled: boolean; allowTopLevel?: boolean | undefined; }): OpenClawConfig;","entrypoint":"core","exportName":"setAccountEnabledInConfigSection","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":16,"sourcePath":"src/channels/plugins/config-helpers.ts"}
+{"declaration":"export function stringEnum<T extends readonly string[]>(values: T, options?: StringEnumOptions<T>): TUnsafe<T[number]>;","entrypoint":"core","exportName":"stringEnum","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":15,"sourcePath":"src/agents/schema/typebox.ts"}
+{"declaration":"export function stripChannelTargetPrefix(raw: string, ...providers: string[]): string;","entrypoint":"core","exportName":"stripChannelTargetPrefix","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":141,"sourcePath":"src/plugin-sdk/core.ts"}
+{"declaration":"export function stripTargetKindPrefix(raw: string): string;","entrypoint":"core","exportName":"stripTargetKindPrefix","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":153,"sourcePath":"src/plugin-sdk/core.ts"}
+{"declaration":"export function tryReadSecretFileSync(filePath: string | undefined, label: string, options?: SecretFileReadOptions): string | undefined;","entrypoint":"core","exportName":"tryReadSecretFileSync","importSpecifier":"openclaw/plugin-sdk/core","kind":"function","recordType":"export","sourceLine":130,"sourcePath":"src/infra/secret-file.ts"}
+{"declaration":"export const DEFAULT_ACCOUNT_ID: \"default\";","entrypoint":"core","exportName":"DEFAULT_ACCOUNT_ID","importSpecifier":"openclaw/plugin-sdk/core","kind":"const","recordType":"export","sourceLine":3,"sourcePath":"src/routing/account-id.ts"}
+{"declaration":"export const DEFAULT_SECRET_FILE_MAX_BYTES: number;","entrypoint":"core","exportName":"DEFAULT_SECRET_FILE_MAX_BYTES","importSpecifier":"openclaw/plugin-sdk/core","kind":"const","recordType":"export","sourceLine":5,"sourcePath":"src/infra/secret-file.ts"}
+{"declaration":"export type AnyAgentTool = AnyAgentTool;","entrypoint":"core","exportName":"AnyAgentTool","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":9,"sourcePath":"src/agents/tools/common.ts"}
+{"declaration":"export type ChannelMessageActionContext = ChannelMessageActionContext;","entrypoint":"core","exportName":"ChannelMessageActionContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":481,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelMessagingAdapter = ChannelMessagingAdapter;","entrypoint":"core","exportName":"ChannelMessagingAdapter","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":394,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelOutboundSessionRoute = ChannelOutboundSessionRoute;","entrypoint":"core","exportName":"ChannelOutboundSessionRoute","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":308,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelOutboundSessionRouteParams = {    cfg: OpenClawConfig;    agentId: string;    accountId?: string | null;    target: string;    resolvedTarget?: {        to: string;        kind: import(\"src/channels/plugins/types.core\").ChannelDirectoryEntryKind | \"channel\";        display?: string;        source: \"normalized\" | \"directory\";    };    replyToId?: string | null;    threadId?: string | number | null;};","entrypoint":"core","exportName":"ChannelOutboundSessionRouteParams","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":136,"sourcePath":"src/plugin-sdk/core.ts"}
+{"declaration":"export type ChannelPlugin = ChannelPlugin<ResolvedAccount, Probe, Audit>;","entrypoint":"core","exportName":"ChannelPlugin","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":55,"sourcePath":"src/channels/plugins/types.plugin.ts"}
+{"declaration":"export type GatewayBindUrlResult = GatewayBindUrlResult;","entrypoint":"core","exportName":"GatewayBindUrlResult","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":1,"sourcePath":"src/shared/gateway-bind-url.ts"}
+{"declaration":"export type GatewayRequestHandlerOptions = GatewayRequestHandlerOptions;","entrypoint":"core","exportName":"GatewayRequestHandlerOptions","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":111,"sourcePath":"src/gateway/server-methods/types.ts"}
+{"declaration":"export type MediaUnderstandingProviderPlugin = MediaUnderstandingProvider;","entrypoint":"core","exportName":"MediaUnderstandingProviderPlugin","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":950,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type OpenClawConfig = OpenClawConfig;","entrypoint":"core","exportName":"OpenClawConfig","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":32,"sourcePath":"src/config/types.openclaw.ts"}
+{"declaration":"export type OpenClawPluginApi = OpenClawPluginApi;","entrypoint":"core","exportName":"OpenClawPluginApi","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":1311,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type OpenClawPluginCommandDefinition = OpenClawPluginCommandDefinition;","entrypoint":"core","exportName":"OpenClawPluginCommandDefinition","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":1065,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type OpenClawPluginConfigSchema = OpenClawPluginConfigSchema;","entrypoint":"core","exportName":"OpenClawPluginConfigSchema","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":88,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type OpenClawPluginDefinition = OpenClawPluginDefinition;","entrypoint":"core","exportName":"OpenClawPluginDefinition","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":1293,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type OpenClawPluginService = OpenClawPluginService;","entrypoint":"core","exportName":"OpenClawPluginService","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":1282,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type OpenClawPluginServiceContext = OpenClawPluginServiceContext;","entrypoint":"core","exportName":"OpenClawPluginServiceContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":1274,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type OpenClawPluginToolContext = OpenClawPluginToolContext;","entrypoint":"core","exportName":"OpenClawPluginToolContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":103,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type OpenClawPluginToolFactory = OpenClawPluginToolFactory;","entrypoint":"core","exportName":"OpenClawPluginToolFactory","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":120,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type PluginCommandContext = PluginCommandContext;","entrypoint":"core","exportName":"PluginCommandContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":965,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type PluginInteractiveTelegramHandlerContext = PluginInteractiveTelegramHandlerContext;","entrypoint":"core","exportName":"PluginInteractiveTelegramHandlerContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":1094,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type PluginLogger = PluginLogger;","entrypoint":"core","exportName":"PluginLogger","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":59,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type PluginRuntime = PluginRuntime;","entrypoint":"core","exportName":"PluginRuntime","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":54,"sourcePath":"src/plugins/runtime/types.ts"}
+{"declaration":"export type ProviderAugmentModelCatalogContext = ProviderAugmentModelCatalogContext;","entrypoint":"core","exportName":"ProviderAugmentModelCatalogContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":571,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderAuthContext = ProviderAuthContext;","entrypoint":"core","exportName":"ProviderAuthContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":155,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderAuthDoctorHintContext = ProviderAuthDoctorHintContext;","entrypoint":"core","exportName":"ProviderAuthDoctorHintContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":446,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderAuthMethod = ProviderAuthMethod;","entrypoint":"core","exportName":"ProviderAuthMethod","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":233,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderAuthMethodNonInteractiveContext = ProviderAuthMethodNonInteractiveContext;","entrypoint":"core","exportName":"ProviderAuthMethodNonInteractiveContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":217,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderAuthResult = ProviderAuthResult;","entrypoint":"core","exportName":"ProviderAuthResult","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":140,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderBuildMissingAuthMessageContext = ProviderBuildMissingAuthMessageContext;","entrypoint":"core","exportName":"ProviderBuildMissingAuthMessageContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":499,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderBuiltInModelSuppressionContext = ProviderBuiltInModelSuppressionContext;","entrypoint":"core","exportName":"ProviderBuiltInModelSuppressionContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":515,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderBuiltInModelSuppressionResult = ProviderBuiltInModelSuppressionResult;","entrypoint":"core","exportName":"ProviderBuiltInModelSuppressionResult","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":524,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderCacheTtlEligibilityContext = ProviderCacheTtlEligibilityContext;","entrypoint":"core","exportName":"ProviderCacheTtlEligibilityContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":487,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderCatalogContext = ProviderCatalogContext;","entrypoint":"core","exportName":"ProviderCatalogContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":254,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderCatalogResult = ProviderCatalogResult;","entrypoint":"core","exportName":"ProviderCatalogResult","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":277,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderDefaultThinkingPolicyContext = ProviderDefaultThinkingPolicyContext;","entrypoint":"core","exportName":"ProviderDefaultThinkingPolicyContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":548,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderDiscoveryContext = ProviderCatalogContext;","entrypoint":"core","exportName":"ProviderDiscoveryContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":587,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderFetchUsageSnapshotContext = ProviderFetchUsageSnapshotContext;","entrypoint":"core","exportName":"ProviderFetchUsageSnapshotContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":427,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderModernModelPolicyContext = ProviderModernModelPolicyContext;","entrypoint":"core","exportName":"ProviderModernModelPolicyContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":558,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderNormalizeResolvedModelContext = ProviderNormalizeResolvedModelContext;","entrypoint":"core","exportName":"ProviderNormalizeResolvedModelContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":338,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderPreparedRuntimeAuth = ProviderPreparedRuntimeAuth;","entrypoint":"core","exportName":"ProviderPreparedRuntimeAuth","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":374,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderPrepareDynamicModelContext = ProviderResolveDynamicModelContext;","entrypoint":"core","exportName":"ProviderPrepareDynamicModelContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":329,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderPrepareExtraParamsContext = ProviderPrepareExtraParamsContext;","entrypoint":"core","exportName":"ProviderPrepareExtraParamsContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":460,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderPrepareRuntimeAuthContext = ProviderPrepareRuntimeAuthContext;","entrypoint":"core","exportName":"ProviderPrepareRuntimeAuthContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":353,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderResolvedUsageAuth = ProviderResolvedUsageAuth;","entrypoint":"core","exportName":"ProviderResolvedUsageAuth","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":414,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderResolveDynamicModelContext = ProviderResolveDynamicModelContext;","entrypoint":"core","exportName":"ProviderResolveDynamicModelContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":312,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderResolveUsageAuthContext = ProviderResolveUsageAuthContext;","entrypoint":"core","exportName":"ProviderResolveUsageAuthContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":395,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderRuntimeModel = ProviderRuntimeModel;","entrypoint":"core","exportName":"ProviderRuntimeModel","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":295,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderThinkingPolicyContext = ProviderThinkingPolicyContext;","entrypoint":"core","exportName":"ProviderThinkingPolicyContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":536,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderUsageSnapshot = ProviderUsageSnapshot;","entrypoint":"core","exportName":"ProviderUsageSnapshot","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":7,"sourcePath":"src/infra/provider-usage.types.ts"}
+{"declaration":"export type ProviderWrapStreamFnContext = ProviderWrapStreamFnContext;","entrypoint":"core","exportName":"ProviderWrapStreamFnContext","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":477,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type RoutePeer = RoutePeer;","entrypoint":"core","exportName":"RoutePeer","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":21,"sourcePath":"src/routing/resolve-route.ts"}
+{"declaration":"export type RoutePeerKind = ChatType;","entrypoint":"core","exportName":"RoutePeerKind","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":19,"sourcePath":"src/routing/resolve-route.ts"}
+{"declaration":"export type SecretFileReadOptions = SecretFileReadOptions;","entrypoint":"core","exportName":"SecretFileReadOptions","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":7,"sourcePath":"src/infra/secret-file.ts"}
+{"declaration":"export type SecretFileReadResult = SecretFileReadResult;","entrypoint":"core","exportName":"SecretFileReadResult","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":12,"sourcePath":"src/infra/secret-file.ts"}
+{"declaration":"export type SpeechProviderPlugin = SpeechProviderPlugin;","entrypoint":"core","exportName":"SpeechProviderPlugin","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":932,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type TailscaleStatusCommandResult = TailscaleStatusCommandResult;","entrypoint":"core","exportName":"TailscaleStatusCommandResult","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":1,"sourcePath":"src/shared/tailscale-status.ts"}
+{"declaration":"export type TailscaleStatusCommandRunner = TailscaleStatusCommandRunner;","entrypoint":"core","exportName":"TailscaleStatusCommandRunner","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":6,"sourcePath":"src/shared/tailscale-status.ts"}
+{"declaration":"export type UsageProviderId = UsageProviderId;","entrypoint":"core","exportName":"UsageProviderId","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":20,"sourcePath":"src/infra/provider-usage.types.ts"}
+{"declaration":"export type UsageWindow = UsageWindow;","entrypoint":"core","exportName":"UsageWindow","importSpecifier":"openclaw/plugin-sdk/core","kind":"type","recordType":"export","sourceLine":1,"sourcePath":"src/infra/provider-usage.types.ts"}
+{"category":"core","entrypoint":"plugin-entry","importSpecifier":"openclaw/plugin-sdk/plugin-entry","recordType":"module","sourceLine":1,"sourcePath":"src/plugin-sdk/plugin-entry.ts"}
+{"declaration":"export function definePluginEntry({ id, name, description, kind, configSchema, register, }: DefinePluginEntryOptions): DefinedPluginEntry;","entrypoint":"plugin-entry","exportName":"definePluginEntry","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"function","recordType":"export","sourceLine":88,"sourcePath":"src/plugin-sdk/plugin-entry.ts"}
+{"declaration":"export function emptyPluginConfigSchema(): OpenClawPluginConfigSchema;","entrypoint":"plugin-entry","exportName":"emptyPluginConfigSchema","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"function","recordType":"export","sourceLine":13,"sourcePath":"src/plugins/config-schema.ts"}
+{"declaration":"export type AnyAgentTool = AnyAgentTool;","entrypoint":"plugin-entry","exportName":"AnyAgentTool","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":9,"sourcePath":"src/agents/tools/common.ts"}
+{"declaration":"export type MediaUnderstandingProviderPlugin = MediaUnderstandingProvider;","entrypoint":"plugin-entry","exportName":"MediaUnderstandingProviderPlugin","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":950,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type OpenClawConfig = OpenClawConfig;","entrypoint":"plugin-entry","exportName":"OpenClawConfig","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":32,"sourcePath":"src/config/types.openclaw.ts"}
+{"declaration":"export type OpenClawPluginApi = OpenClawPluginApi;","entrypoint":"plugin-entry","exportName":"OpenClawPluginApi","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":1311,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type OpenClawPluginCommandDefinition = OpenClawPluginCommandDefinition;","entrypoint":"plugin-entry","exportName":"OpenClawPluginCommandDefinition","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":1065,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type OpenClawPluginConfigSchema = OpenClawPluginConfigSchema;","entrypoint":"plugin-entry","exportName":"OpenClawPluginConfigSchema","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":88,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type OpenClawPluginDefinition = OpenClawPluginDefinition;","entrypoint":"plugin-entry","exportName":"OpenClawPluginDefinition","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":1293,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type OpenClawPluginService = OpenClawPluginService;","entrypoint":"plugin-entry","exportName":"OpenClawPluginService","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":1282,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type OpenClawPluginServiceContext = OpenClawPluginServiceContext;","entrypoint":"plugin-entry","exportName":"OpenClawPluginServiceContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":1274,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type PluginCommandContext = PluginCommandContext;","entrypoint":"plugin-entry","exportName":"PluginCommandContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":965,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type PluginInteractiveTelegramHandlerContext = PluginInteractiveTelegramHandlerContext;","entrypoint":"plugin-entry","exportName":"PluginInteractiveTelegramHandlerContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":1094,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type PluginLogger = PluginLogger;","entrypoint":"plugin-entry","exportName":"PluginLogger","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":59,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderAugmentModelCatalogContext = ProviderAugmentModelCatalogContext;","entrypoint":"plugin-entry","exportName":"ProviderAugmentModelCatalogContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":571,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderAuthContext = ProviderAuthContext;","entrypoint":"plugin-entry","exportName":"ProviderAuthContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":155,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderAuthDoctorHintContext = ProviderAuthDoctorHintContext;","entrypoint":"plugin-entry","exportName":"ProviderAuthDoctorHintContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":446,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderAuthMethod = ProviderAuthMethod;","entrypoint":"plugin-entry","exportName":"ProviderAuthMethod","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":233,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderAuthMethodNonInteractiveContext = ProviderAuthMethodNonInteractiveContext;","entrypoint":"plugin-entry","exportName":"ProviderAuthMethodNonInteractiveContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":217,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderAuthResult = ProviderAuthResult;","entrypoint":"plugin-entry","exportName":"ProviderAuthResult","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":140,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderBuildMissingAuthMessageContext = ProviderBuildMissingAuthMessageContext;","entrypoint":"plugin-entry","exportName":"ProviderBuildMissingAuthMessageContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":499,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderBuiltInModelSuppressionContext = ProviderBuiltInModelSuppressionContext;","entrypoint":"plugin-entry","exportName":"ProviderBuiltInModelSuppressionContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":515,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderBuiltInModelSuppressionResult = ProviderBuiltInModelSuppressionResult;","entrypoint":"plugin-entry","exportName":"ProviderBuiltInModelSuppressionResult","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":524,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderCacheTtlEligibilityContext = ProviderCacheTtlEligibilityContext;","entrypoint":"plugin-entry","exportName":"ProviderCacheTtlEligibilityContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":487,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderCatalogContext = ProviderCatalogContext;","entrypoint":"plugin-entry","exportName":"ProviderCatalogContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":254,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderCatalogResult = ProviderCatalogResult;","entrypoint":"plugin-entry","exportName":"ProviderCatalogResult","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":277,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderDefaultThinkingPolicyContext = ProviderDefaultThinkingPolicyContext;","entrypoint":"plugin-entry","exportName":"ProviderDefaultThinkingPolicyContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":548,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderDiscoveryContext = ProviderCatalogContext;","entrypoint":"plugin-entry","exportName":"ProviderDiscoveryContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":587,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderFetchUsageSnapshotContext = ProviderFetchUsageSnapshotContext;","entrypoint":"plugin-entry","exportName":"ProviderFetchUsageSnapshotContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":427,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderModernModelPolicyContext = ProviderModernModelPolicyContext;","entrypoint":"plugin-entry","exportName":"ProviderModernModelPolicyContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":558,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderNormalizeResolvedModelContext = ProviderNormalizeResolvedModelContext;","entrypoint":"plugin-entry","exportName":"ProviderNormalizeResolvedModelContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":338,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderPreparedRuntimeAuth = ProviderPreparedRuntimeAuth;","entrypoint":"plugin-entry","exportName":"ProviderPreparedRuntimeAuth","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":374,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderPrepareDynamicModelContext = ProviderResolveDynamicModelContext;","entrypoint":"plugin-entry","exportName":"ProviderPrepareDynamicModelContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":329,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderPrepareExtraParamsContext = ProviderPrepareExtraParamsContext;","entrypoint":"plugin-entry","exportName":"ProviderPrepareExtraParamsContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":460,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderPrepareRuntimeAuthContext = ProviderPrepareRuntimeAuthContext;","entrypoint":"plugin-entry","exportName":"ProviderPrepareRuntimeAuthContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":353,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderResolvedUsageAuth = ProviderResolvedUsageAuth;","entrypoint":"plugin-entry","exportName":"ProviderResolvedUsageAuth","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":414,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderResolveDynamicModelContext = ProviderResolveDynamicModelContext;","entrypoint":"plugin-entry","exportName":"ProviderResolveDynamicModelContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":312,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderResolveUsageAuthContext = ProviderResolveUsageAuthContext;","entrypoint":"plugin-entry","exportName":"ProviderResolveUsageAuthContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":395,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderRuntimeModel = ProviderRuntimeModel;","entrypoint":"plugin-entry","exportName":"ProviderRuntimeModel","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":295,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderThinkingPolicyContext = ProviderThinkingPolicyContext;","entrypoint":"plugin-entry","exportName":"ProviderThinkingPolicyContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":536,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type ProviderWrapStreamFnContext = ProviderWrapStreamFnContext;","entrypoint":"plugin-entry","exportName":"ProviderWrapStreamFnContext","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":477,"sourcePath":"src/plugins/types.ts"}
+{"declaration":"export type SpeechProviderPlugin = SpeechProviderPlugin;","entrypoint":"plugin-entry","exportName":"SpeechProviderPlugin","importSpecifier":"openclaw/plugin-sdk/plugin-entry","kind":"type","recordType":"export","sourceLine":932,"sourcePath":"src/plugins/types.ts"}
+{"category":"provider","entrypoint":"provider-onboard","importSpecifier":"openclaw/plugin-sdk/provider-onboard","recordType":"module","sourceLine":1,"sourcePath":"src/plugin-sdk/provider-onboard.ts"}
+{"declaration":"export function applyAgentDefaultModelPrimary(cfg: OpenClawConfig, primary: string): OpenClawConfig;","entrypoint":"provider-onboard","exportName":"applyAgentDefaultModelPrimary","importSpecifier":"openclaw/plugin-sdk/provider-onboard","kind":"function","recordType":"export","sourceLine":76,"sourcePath":"src/plugins/provider-onboarding-config.ts"}
+{"declaration":"export function applyOnboardAuthAgentModelsAndProviders(cfg: OpenClawConfig, params: { agentModels: Record<string, AgentModelEntryConfig>; providers: Record<string, ModelProviderConfig>; }): OpenClawConfig;","entrypoint":"provider-onboard","exportName":"applyOnboardAuthAgentModelsAndProviders","importSpecifier":"openclaw/plugin-sdk/provider-onboard","kind":"function","recordType":"export","sourceLine":53,"sourcePath":"src/plugins/provider-onboarding-config.ts"}
+{"declaration":"export function applyProviderConfigWithDefaultModel(cfg: OpenClawConfig, params: { agentModels: Record<string, AgentModelEntryConfig>; providerId: string; api: \"github-copilot\" | \"openai-completions\" | ... 5 more ... | \"ollama\"; baseUrl: string; defaultModel: ModelDefinitionConfig; defaultModelId?: string | undefined; }): OpenClawConfig;","entrypoint":"provider-onboard","exportName":"applyProviderConfigWithDefaultModel","importSpecifier":"openclaw/plugin-sdk/provider-onboard","kind":"function","recordType":"export","sourceLine":131,"sourcePath":"src/plugins/provider-onboarding-config.ts"}
+{"declaration":"export function applyProviderConfigWithDefaultModelPreset(cfg: OpenClawConfig, params: { providerId: string; api: \"github-copilot\" | \"openai-completions\" | \"openai-responses\" | \"openai-codex-responses\" | \"anthropic-messages\" | \"google-generative-ai\" | \"bedrock-converse-stream\" | \"ollama\"; ... 4 more ...; primaryModelRef?: string | undefined; }): OpenClawConfig;","entrypoint":"provider-onboard","exportName":"applyProviderConfigWithDefaultModelPreset","importSpecifier":"openclaw/plugin-sdk/provider-onboard","kind":"function","recordType":"export","sourceLine":152,"sourcePath":"src/plugins/provider-onboarding-config.ts"}
+{"declaration":"export function applyProviderConfigWithDefaultModels(cfg: OpenClawConfig, params: { agentModels: Record<string, AgentModelEntryConfig>; providerId: string; api: \"github-copilot\" | \"openai-completions\" | ... 5 more ... | \"ollama\"; baseUrl: string; defaultModels: ModelDefinitionConfig[]; defaultModelId?: string | undefined; }): OpenClawConfig;","entrypoint":"provider-onboard","exportName":"applyProviderConfigWithDefaultModels","importSpecifier":"openclaw/plugin-sdk/provider-onboard","kind":"function","recordType":"export","sourceLine":96,"sourcePath":"src/plugins/provider-onboarding-config.ts"}
+{"declaration":"export function applyProviderConfigWithDefaultModelsPreset(cfg: OpenClawConfig, params: { providerId: string; api: \"github-copilot\" | \"openai-completions\" | \"openai-responses\" | \"openai-codex-responses\" | \"anthropic-messages\" | \"google-generative-ai\" | \"bedrock-converse-stream\" | \"ollama\"; ... 4 more ...; primaryModelRef?: string | undefined; }): OpenClawConfig;","entrypoint":"provider-onboard","exportName":"applyProviderConfigWithDefaultModelsPreset","importSpecifier":"openclaw/plugin-sdk/provider-onboard","kind":"function","recordType":"export","sourceLine":177,"sourcePath":"src/plugins/provider-onboarding-config.ts"}
+{"declaration":"export function applyProviderConfigWithModelCatalog(cfg: OpenClawConfig, params: { agentModels: Record<string, AgentModelEntryConfig>; providerId: string; api: \"github-copilot\" | \"openai-completions\" | ... 5 more ... | \"ollama\"; baseUrl: string; catalogModels: ModelDefinitionConfig[]; }): OpenClawConfig;","entrypoint":"provider-onboard","exportName":"applyProviderConfigWithModelCatalog","importSpecifier":"openclaw/plugin-sdk/provider-onboard","kind":"function","recordType":"export","sourceLine":202,"sourcePath":"src/plugins/provider-onboarding-config.ts"}
+{"declaration":"export function applyProviderConfigWithModelCatalogPreset(cfg: OpenClawConfig, params: { providerId: string; api: \"github-copilot\" | \"openai-completions\" | \"openai-responses\" | \"openai-codex-responses\" | \"anthropic-messages\" | \"google-generative-ai\" | \"bedrock-converse-stream\" | \"ollama\"; baseUrl: string; catalogModels: ModelDefinitionConfig[]; aliases?: readonly AgentModelAliasEntry[] | undefined; primaryModelRef?: string | undefined; }): OpenClawConfig;","entrypoint":"provider-onboard","exportName":"applyProviderConfigWithModelCatalogPreset","importSpecifier":"openclaw/plugin-sdk/provider-onboard","kind":"function","recordType":"export","sourceLine":234,"sourcePath":"src/plugins/provider-onboarding-config.ts"}
+{"declaration":"export function ensureModelAllowlistEntry(params: { cfg: OpenClawConfig; modelRef: string; defaultProvider?: string | undefined; }): OpenClawConfig;","entrypoint":"provider-onboard","exportName":"ensureModelAllowlistEntry","importSpecifier":"openclaw/plugin-sdk/provider-onboard","kind":"function","recordType":"export","sourceLine":5,"sourcePath":"src/plugins/provider-model-allowlist.ts"}
+{"declaration":"export function withAgentModelAliases(existing: Record<string, AgentModelEntryConfig> | undefined, aliases: readonly AgentModelAliasEntry[]): Record<string, AgentModelEntryConfig>;","entrypoint":"provider-onboard","exportName":"withAgentModelAliases","importSpecifier":"openclaw/plugin-sdk/provider-onboard","kind":"function","recordType":"export","sourceLine":38,"sourcePath":"src/plugins/provider-onboarding-config.ts"}
+{"declaration":"export type AgentModelAliasEntry = AgentModelAliasEntry;","entrypoint":"provider-onboard","exportName":"AgentModelAliasEntry","importSpecifier":"openclaw/plugin-sdk/provider-onboard","kind":"type","recordType":"export","sourceLine":21,"sourcePath":"src/plugins/provider-onboarding-config.ts"}
+{"declaration":"export type ModelApi = \"github-copilot\" | \"openai-completions\" | \"openai-responses\" | \"openai-codex-responses\" | \"anthropic-messages\" | \"google-generative-ai\" | \"bedrock-converse-stream\" | \"ollama\";","entrypoint":"provider-onboard","exportName":"ModelApi","importSpecifier":"openclaw/plugin-sdk/provider-onboard","kind":"type","recordType":"export","sourceLine":15,"sourcePath":"src/config/types.models.ts"}
+{"declaration":"export type ModelDefinitionConfig = ModelDefinitionConfig;","entrypoint":"provider-onboard","exportName":"ModelDefinitionConfig","importSpecifier":"openclaw/plugin-sdk/provider-onboard","kind":"type","recordType":"export","sourceLine":47,"sourcePath":"src/config/types.models.ts"}
+{"declaration":"export type ModelProviderConfig = ModelProviderConfig;","entrypoint":"provider-onboard","exportName":"ModelProviderConfig","importSpecifier":"openclaw/plugin-sdk/provider-onboard","kind":"type","recordType":"export","sourceLine":65,"sourcePath":"src/config/types.models.ts"}
+{"declaration":"export type OpenClawConfig = OpenClawConfig;","entrypoint":"provider-onboard","exportName":"OpenClawConfig","importSpecifier":"openclaw/plugin-sdk/provider-onboard","kind":"type","recordType":"export","sourceLine":32,"sourcePath":"src/config/types.openclaw.ts"}
+{"category":"utilities","entrypoint":"reply-payload","importSpecifier":"openclaw/plugin-sdk/reply-payload","recordType":"module","sourceLine":1,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"declaration":"export function buildMediaPayload(mediaList: MediaPayloadInput[], opts?: { preserveMediaTypeCardinality?: boolean | undefined; } | undefined): MediaPayload;","entrypoint":"reply-payload","exportName":"buildMediaPayload","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"function","recordType":"export","sourceLine":15,"sourcePath":"src/channels/plugins/media-payload.ts"}
+{"declaration":"export function countOutboundMedia(payload: { mediaUrls?: string[] | undefined; mediaUrl?: string | undefined; }): number;","entrypoint":"reply-payload","exportName":"countOutboundMedia","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"function","recordType":"export","sourceLine":83,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"declaration":"export function createNormalizedOutboundDeliverer(handler: (payload: OutboundReplyPayload) => Promise<void>): (payload: unknown) => Promise<void>;","entrypoint":"reply-payload","exportName":"createNormalizedOutboundDeliverer","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"function","recordType":"export","sourceLine":51,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"declaration":"export function deliverFormattedTextWithAttachments(params: { payload: OutboundReplyPayload; send: (params: { text: string; replyToId?: string | undefined; }) => Promise<void>; }): Promise<boolean>;","entrypoint":"reply-payload","exportName":"deliverFormattedTextWithAttachments","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"function","recordType":"export","sourceLine":386,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"declaration":"export function deliverTextOrMediaReply(params: { payload: OutboundReplyPayload; text: string; chunkText?: ((text: string) => readonly string[]) | undefined; sendText: (text: string) => Promise<void>; sendMedia: (payload: { ...; }) => Promise<...>; onMediaError?: ((params: { ...; }) => void | Promise<...>) | undefined; }): Promise<...>;","entrypoint":"reply-payload","exportName":"deliverTextOrMediaReply","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"function","recordType":"export","sourceLine":345,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"declaration":"export function formatTextWithAttachmentLinks(text: string | undefined, mediaUrls: string[]): string;","entrypoint":"reply-payload","exportName":"formatTextWithAttachmentLinks","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"function","recordType":"export","sourceLine":286,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"declaration":"export function hasOutboundMedia(payload: { mediaUrls?: string[] | undefined; mediaUrl?: string | undefined; }): boolean;","entrypoint":"reply-payload","exportName":"hasOutboundMedia","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"function","recordType":"export","sourceLine":88,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"declaration":"export function hasOutboundReplyContent(payload: { text?: string | undefined; mediaUrls?: string[] | undefined; mediaUrl?: string | undefined; }, options?: { trimText?: boolean | undefined; } | undefined): boolean;","entrypoint":"reply-payload","exportName":"hasOutboundReplyContent","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"function","recordType":"export","sourceLine":99,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"declaration":"export function hasOutboundText(payload: { text?: string | undefined; }, options?: { trim?: boolean | undefined; } | undefined): boolean;","entrypoint":"reply-payload","exportName":"hasOutboundText","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"function","recordType":"export","sourceLine":93,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"declaration":"export function isNumericTargetId(raw: string): boolean;","entrypoint":"reply-payload","exportName":"isNumericTargetId","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"function","recordType":"export","sourceLine":277,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"declaration":"export function normalizeOutboundReplyPayload(payload: Record<string, unknown>): OutboundReplyPayload;","entrypoint":"reply-payload","exportName":"normalizeOutboundReplyPayload","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"function","recordType":"export","sourceLine":31,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"declaration":"export function resolveOutboundMediaUrls(payload: { mediaUrls?: string[] | undefined; mediaUrl?: string | undefined; }): string[];","entrypoint":"reply-payload","exportName":"resolveOutboundMediaUrls","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"function","recordType":"export","sourceLine":64,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"declaration":"export function resolvePayloadMediaUrls(payload: ReplyPayload): string[];","entrypoint":"reply-payload","exportName":"resolvePayloadMediaUrls","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"function","recordType":"export","sourceLine":78,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"declaration":"export function resolveSendableOutboundReplyParts(payload: { text?: string | undefined; mediaUrls?: string[] | undefined; mediaUrl?: string | undefined; }, options?: { text?: string | undefined; } | undefined): SendableOutboundReplyParts;","entrypoint":"reply-payload","exportName":"resolveSendableOutboundReplyParts","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"function","recordType":"export","sourceLine":107,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"declaration":"export function resolveTextChunksWithFallback(text: string, chunks: readonly string[]): string[];","entrypoint":"reply-payload","exportName":"resolveTextChunksWithFallback","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"function","recordType":"export","sourceLine":131,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"declaration":"export function sendMediaWithLeadingCaption(params: { mediaUrls: string[]; caption: string; send: (payload: { mediaUrl: string; caption?: string | undefined; }) => Promise<void>; onError?: ((params: { error: unknown; mediaUrl: string; caption?: string | undefined; index: number; isFirst: boolean; }) => void | Promise<...>) | undefined; }): Promise<...>;","entrypoint":"reply-payload","exportName":"sendMediaWithLeadingCaption","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"function","recordType":"export","sourceLine":307,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"declaration":"export function sendPayloadMediaSequence<TResult>(params: { text: string; mediaUrls: readonly string[]; send: (input: { text: string; mediaUrl: string; index: number; isFirst: boolean; }) => Promise<TResult>; }): Promise<TResult | undefined>;","entrypoint":"reply-payload","exportName":"sendPayloadMediaSequence","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"function","recordType":"export","sourceLine":183,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"declaration":"export function sendPayloadMediaSequenceAndFinalize<TMediaResult, TResult>(params: { text: string; mediaUrls: readonly string[]; send: (input: { text: string; mediaUrl: string; index: number; isFirst: boolean; }) => Promise<TMediaResult>; finalize: () => Promise<TResult>; }): Promise<...>;","entrypoint":"reply-payload","exportName":"sendPayloadMediaSequenceAndFinalize","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"function","recordType":"export","sourceLine":227,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"declaration":"export function sendPayloadMediaSequenceOrFallback<TResult>(params: { text: string; mediaUrls: readonly string[]; send: (input: { text: string; mediaUrl: string; index: number; isFirst: boolean; }) => Promise<TResult>; fallbackResult: TResult; sendNoMedia?: (() => Promise<...>) | undefined; }): Promise<...>;","entrypoint":"reply-payload","exportName":"sendPayloadMediaSequenceOrFallback","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"function","recordType":"export","sourceLine":209,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"declaration":"export function sendPayloadWithChunkedTextAndMedia<TContext extends { payload: object; }, TResult>(params: { ctx: TContext; textChunkLimit?: number | undefined; chunker?: ((text: string, limit: number) => string[]) | null | undefined; sendText: (ctx: TContext & { ...; }) => Promise<...>; sendMedia: (ctx: TContext & { ...; }) => Promise<...>; emptyResult: TResult; }): Promise<...>;","entrypoint":"reply-payload","exportName":"sendPayloadWithChunkedTextAndMedia","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"function","recordType":"export","sourceLine":142,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"declaration":"export function sendTextMediaPayload(params: { channel: string; ctx: ChannelOutboundPayloadContext; adapter: SendPayloadAdapter; }): Promise<OutboundDeliveryResult>;","entrypoint":"reply-payload","exportName":"sendTextMediaPayload","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"function","recordType":"export","sourceLine":244,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"declaration":"export type MediaPayload = MediaPayload;","entrypoint":"reply-payload","exportName":"MediaPayload","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"type","recordType":"export","sourceLine":6,"sourcePath":"src/channels/plugins/media-payload.ts"}
+{"declaration":"export type MediaPayloadInput = MediaPayloadInput;","entrypoint":"reply-payload","exportName":"MediaPayloadInput","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"type","recordType":"export","sourceLine":1,"sourcePath":"src/channels/plugins/media-payload.ts"}
+{"declaration":"export type OutboundReplyPayload = OutboundReplyPayload;","entrypoint":"reply-payload","exportName":"OutboundReplyPayload","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"type","recordType":"export","sourceLine":6,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"declaration":"export type SendableOutboundReplyParts = SendableOutboundReplyParts;","entrypoint":"reply-payload","exportName":"SendableOutboundReplyParts","importSpecifier":"openclaw/plugin-sdk/reply-payload","kind":"type","recordType":"export","sourceLine":13,"sourcePath":"src/plugin-sdk/reply-payload.ts"}
+{"category":"runtime","entrypoint":"runtime-store","importSpecifier":"openclaw/plugin-sdk/runtime-store","recordType":"module","sourceLine":1,"sourcePath":"src/plugin-sdk/runtime-store.ts"}
+{"declaration":"export function createPluginRuntimeStore<T>(errorMessage: string): { setRuntime: (next: T) => void; clearRuntime: () => void; tryGetRuntime: () => T | null; getRuntime: () => T; };","entrypoint":"runtime-store","exportName":"createPluginRuntimeStore","importSpecifier":"openclaw/plugin-sdk/runtime-store","kind":"function","recordType":"export","sourceLine":4,"sourcePath":"src/plugin-sdk/runtime-store.ts"}
+{"declaration":"export type PluginRuntime = PluginRuntime;","entrypoint":"runtime-store","exportName":"PluginRuntime","importSpecifier":"openclaw/plugin-sdk/runtime-store","kind":"type","recordType":"export","sourceLine":54,"sourcePath":"src/plugins/runtime/types.ts"}
+{"category":"channel","entrypoint":"secret-input","importSpecifier":"openclaw/plugin-sdk/secret-input","recordType":"module","sourceLine":1,"sourcePath":"src/plugin-sdk/secret-input.ts"}
+{"declaration":"export function buildOptionalSecretInputSchema(): ZodOptional<ZodUnion<readonly [ZodString, ZodDiscriminatedUnion<[ZodObject<{ source: ZodLiteral<\"env\">; provider: ZodString; id: ZodString; }, $strip>, ZodObject<...>, ZodObject<...>], \"source\">]>>;","entrypoint":"secret-input","exportName":"buildOptionalSecretInputSchema","importSpecifier":"openclaw/plugin-sdk/secret-input","kind":"function","recordType":"export","sourceLine":18,"sourcePath":"src/plugin-sdk/secret-input.ts"}
+{"declaration":"export function buildSecretInputArraySchema(): ZodArray<ZodUnion<readonly [ZodString, ZodDiscriminatedUnion<[ZodObject<{ source: ZodLiteral<\"env\">; provider: ZodString; id: ZodString; }, $strip>, ZodObject<...>, ZodObject<...>], \"source\">]>>;","entrypoint":"secret-input","exportName":"buildSecretInputArraySchema","importSpecifier":"openclaw/plugin-sdk/secret-input","kind":"function","recordType":"export","sourceLine":23,"sourcePath":"src/plugin-sdk/secret-input.ts"}
+{"declaration":"export function buildSecretInputSchema(): ZodUnion<readonly [ZodString, ZodDiscriminatedUnion<[ZodObject<{ source: ZodLiteral<\"env\">; provider: ZodString; id: ZodString; }, $strip>, ZodObject<...>, ZodObject<...>], \"source\">]>;","entrypoint":"secret-input","exportName":"buildSecretInputSchema","importSpecifier":"openclaw/plugin-sdk/secret-input","kind":"function","recordType":"export","sourceLine":11,"sourcePath":"src/plugin-sdk/secret-input-schema.ts"}
+{"declaration":"export function hasConfiguredSecretInput(value: unknown, defaults?: SecretDefaults | undefined): boolean;","entrypoint":"secret-input","exportName":"hasConfiguredSecretInput","importSpecifier":"openclaw/plugin-sdk/secret-input","kind":"function","recordType":"export","sourceLine":106,"sourcePath":"src/config/types.secrets.ts"}
+{"declaration":"export function normalizeResolvedSecretInputString(params: { value: unknown; refValue?: unknown; defaults?: SecretDefaults | undefined; path: string; }): string | undefined;","entrypoint":"secret-input","exportName":"normalizeResolvedSecretInputString","importSpecifier":"openclaw/plugin-sdk/secret-input","kind":"function","recordType":"export","sourceLine":144,"sourcePath":"src/config/types.secrets.ts"}
+{"declaration":"export function normalizeSecretInputString(value: unknown): string | undefined;","entrypoint":"secret-input","exportName":"normalizeSecretInputString","importSpecifier":"openclaw/plugin-sdk/secret-input","kind":"function","recordType":"export","sourceLine":113,"sourcePath":"src/config/types.secrets.ts"}
+{"declaration":"export type SecretInput = SecretInput;","entrypoint":"secret-input","exportName":"SecretInput","importSpecifier":"openclaw/plugin-sdk/secret-input","kind":"type","recordType":"export","sourceLine":16,"sourcePath":"src/config/types.secrets.ts"}
+{"category":"utilities","entrypoint":"testing","importSpecifier":"openclaw/plugin-sdk/testing","recordType":"module","sourceLine":1,"sourcePath":"src/plugin-sdk/testing.ts"}
+{"declaration":"export function createWindowsCmdShimFixture(params: { shimPath: string; scriptPath: string; shimLine: string; }): Promise<void>;","entrypoint":"testing","exportName":"createWindowsCmdShimFixture","importSpecifier":"openclaw/plugin-sdk/testing","kind":"function","recordType":"export","sourceLine":16,"sourcePath":"src/plugin-sdk/testing.ts"}
+{"declaration":"export function installCommonResolveTargetErrorCases(params: { resolveTarget: ResolveTargetFn; implicitAllowFrom: string[]; }): void;","entrypoint":"testing","exportName":"installCommonResolveTargetErrorCases","importSpecifier":"openclaw/plugin-sdk/testing","kind":"function","recordType":"export","sourceLine":42,"sourcePath":"src/plugin-sdk/testing.ts"}
+{"declaration":"export function removeAckReactionAfterReply(params: { removeAfterReply: boolean; ackReactionPromise: Promise<boolean> | null; ackReactionValue: string | null; remove: () => Promise<void>; onError?: ((err: unknown) => void) | undefined; }): void;","entrypoint":"testing","exportName":"removeAckReactionAfterReply","importSpecifier":"openclaw/plugin-sdk/testing","kind":"function","recordType":"export","sourceLine":81,"sourcePath":"src/channels/ack-reactions.ts"}
+{"declaration":"export function shouldAckReaction(params: AckReactionGateParams): boolean;","entrypoint":"testing","exportName":"shouldAckReaction","importSpecifier":"openclaw/plugin-sdk/testing","kind":"function","recordType":"export","sourceLine":16,"sourcePath":"src/channels/ack-reactions.ts"}
+{"declaration":"export type ChannelAccountSnapshot = ChannelAccountSnapshot;","entrypoint":"testing","exportName":"ChannelAccountSnapshot","importSpecifier":"openclaw/plugin-sdk/testing","kind":"type","recordType":"export","sourceLine":144,"sourcePath":"src/channels/plugins/types.core.ts"}
+{"declaration":"export type ChannelGatewayContext = ChannelGatewayContext<ResolvedAccount>;","entrypoint":"testing","exportName":"ChannelGatewayContext","importSpecifier":"openclaw/plugin-sdk/testing","kind":"type","recordType":"export","sourceLine":238,"sourcePath":"src/channels/plugins/types.adapters.ts"}
+{"declaration":"export type MockFn = MockFn<T>;","entrypoint":"testing","exportName":"MockFn","importSpecifier":"openclaw/plugin-sdk/testing","kind":"type","recordType":"export","sourceLine":5,"sourcePath":"src/test-utils/vitest-mock-fn.ts"}
+{"declaration":"export type OpenClawConfig = OpenClawConfig;","entrypoint":"testing","exportName":"OpenClawConfig","importSpecifier":"openclaw/plugin-sdk/testing","kind":"type","recordType":"export","sourceLine":32,"sourcePath":"src/config/types.openclaw.ts"}
+{"declaration":"export type PluginRuntime = PluginRuntime;","entrypoint":"testing","exportName":"PluginRuntime","importSpecifier":"openclaw/plugin-sdk/testing","kind":"type","recordType":"export","sourceLine":54,"sourcePath":"src/plugins/runtime/types.ts"}
+{"declaration":"export type RuntimeEnv = RuntimeEnv;","entrypoint":"testing","exportName":"RuntimeEnv","importSpecifier":"openclaw/plugin-sdk/testing","kind":"type","recordType":"export","sourceLine":4,"sourcePath":"src/runtime.ts"}
+{"category":"channel","entrypoint":"webhook-ingress","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","recordType":"module","sourceLine":1,"sourcePath":"src/plugin-sdk/webhook-ingress.ts"}
+{"declaration":"export function applyBasicWebhookRequestGuards(params: { req: IncomingMessage; res: ServerResponse<IncomingMessage>; allowMethods?: readonly string[] | undefined; rateLimiter?: FixedWindowRateLimiter | undefined; rateLimitKey?: string | undefined; nowMs?: number | undefined; requireJsonContentType?: boolean | undefined; }): boolean;","entrypoint":"webhook-ingress","exportName":"applyBasicWebhookRequestGuards","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":148,"sourcePath":"src/plugin-sdk/webhook-request-guards.ts"}
+{"declaration":"export function beginWebhookRequestPipelineOrReject(params: { req: IncomingMessage; res: ServerResponse<IncomingMessage>; allowMethods?: readonly string[] | undefined; rateLimiter?: FixedWindowRateLimiter | undefined; ... 6 more ...; inFlightLimitMessage?: string | undefined; }): { ...; } | { ...; };","entrypoint":"webhook-ingress","exportName":"beginWebhookRequestPipelineOrReject","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":189,"sourcePath":"src/plugin-sdk/webhook-request-guards.ts"}
+{"declaration":"export function createBoundedCounter(options: { maxTrackedKeys: number; ttlMs?: number | undefined; pruneIntervalMs?: number | undefined; }): BoundedCounter;","entrypoint":"webhook-ingress","exportName":"createBoundedCounter","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":109,"sourcePath":"src/plugin-sdk/webhook-memory-guards.ts"}
+{"declaration":"export function createFixedWindowRateLimiter(options: { windowMs: number; maxRequests: number; maxTrackedKeys: number; pruneIntervalMs?: number | undefined; }): FixedWindowRateLimiter;","entrypoint":"webhook-ingress","exportName":"createFixedWindowRateLimiter","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":52,"sourcePath":"src/plugin-sdk/webhook-memory-guards.ts"}
+{"declaration":"export function createWebhookAnomalyTracker(options?: { maxTrackedKeys?: number | undefined; ttlMs?: number | undefined; logEvery?: number | undefined; trackedStatusCodes?: readonly number[] | undefined; } | undefined): WebhookAnomalyTracker;","entrypoint":"webhook-ingress","exportName":"createWebhookAnomalyTracker","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":167,"sourcePath":"src/plugin-sdk/webhook-memory-guards.ts"}
+{"declaration":"export function createWebhookInFlightLimiter(options?: { maxInFlightPerKey?: number | undefined; maxTrackedKeys?: number | undefined; } | undefined): WebhookInFlightLimiter;","entrypoint":"webhook-ingress","exportName":"createWebhookInFlightLimiter","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":91,"sourcePath":"src/plugin-sdk/webhook-request-guards.ts"}
+{"declaration":"export function isJsonContentType(value: string | string[] | undefined): boolean;","entrypoint":"webhook-ingress","exportName":"isJsonContentType","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":138,"sourcePath":"src/plugin-sdk/webhook-request-guards.ts"}
+{"declaration":"export function isRequestBodyLimitError(error: unknown, code?: RequestBodyLimitErrorCode | undefined): error is RequestBodyLimitError;","entrypoint":"webhook-ingress","exportName":"isRequestBodyLimitError","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":47,"sourcePath":"src/infra/http-body.ts"}
+{"declaration":"export function normalizeWebhookPath(raw: string): string;","entrypoint":"webhook-ingress","exportName":"normalizeWebhookPath","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":2,"sourcePath":"src/plugin-sdk/webhook-path.ts"}
+{"declaration":"export function readJsonWebhookBodyOrReject(params: { req: IncomingMessage; res: ServerResponse<IncomingMessage>; maxBytes?: number | undefined; timeoutMs?: number | undefined; profile?: WebhookBodyReadProfile | undefined; emptyObjectOnEmpty?: boolean | undefined; invalidJsonMessage?: string | undefined; }): Promise<...>;","entrypoint":"webhook-ingress","exportName":"readJsonWebhookBodyOrReject","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":275,"sourcePath":"src/plugin-sdk/webhook-request-guards.ts"}
+{"declaration":"export function readRequestBodyWithLimit(req: IncomingMessage, options: ReadRequestBodyOptions): Promise<string>;","entrypoint":"webhook-ingress","exportName":"readRequestBodyWithLimit","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":122,"sourcePath":"src/infra/http-body.ts"}
+{"declaration":"export function readWebhookBodyOrReject(params: { req: IncomingMessage; res: ServerResponse<IncomingMessage>; maxBytes?: number | undefined; timeoutMs?: number | undefined; profile?: WebhookBodyReadProfile | undefined; invalidBodyMessage?: string | undefined; }): Promise<...>;","entrypoint":"webhook-ingress","exportName":"readWebhookBodyOrReject","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":240,"sourcePath":"src/plugin-sdk/webhook-request-guards.ts"}
+{"declaration":"export function registerPluginHttpRoute(params: { path?: string | null | undefined; fallbackPath?: string | null | undefined; handler: PluginHttpRouteHandler; auth: OpenClawPluginHttpRouteAuth; ... 6 more ...; registry?: PluginRegistry | undefined; }): () => void;","entrypoint":"webhook-ingress","exportName":"registerPluginHttpRoute","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":12,"sourcePath":"src/plugins/http-registry.ts"}
+{"declaration":"export function registerWebhookTarget<T extends { path: string; }>(targetsByPath: Map<string, T[]>, target: T, opts?: RegisterWebhookTargetOptions<T> | undefined): RegisteredWebhookTarget<T>;","entrypoint":"webhook-ingress","exportName":"registerWebhookTarget","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":61,"sourcePath":"src/plugin-sdk/webhook-targets.ts"}
+{"declaration":"export function registerWebhookTargetWithPluginRoute<T extends { path: string; }>(params: { targetsByPath: Map<string, T[]>; target: T; route: RegisterWebhookPluginRouteOptions; onLastPathTargetRemoved?: ((params: { ...; }) => void) | undefined; }): RegisteredWebhookTarget<...>;","entrypoint":"webhook-ingress","exportName":"registerWebhookTargetWithPluginRoute","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":30,"sourcePath":"src/plugin-sdk/webhook-targets.ts"}
+{"declaration":"export function requestBodyErrorToText(code: RequestBodyLimitErrorCode): string;","entrypoint":"webhook-ingress","exportName":"requestBodyErrorToText","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":60,"sourcePath":"src/infra/http-body.ts"}
+{"declaration":"export function resolveSingleWebhookTarget<T>(targets: readonly T[], isMatch: (target: T) => boolean): WebhookTargetMatchResult<T>;","entrypoint":"webhook-ingress","exportName":"resolveSingleWebhookTarget","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":193,"sourcePath":"src/plugin-sdk/webhook-targets.ts"}
+{"declaration":"export function resolveSingleWebhookTargetAsync<T>(targets: readonly T[], isMatch: (target: T) => Promise<boolean>): Promise<WebhookTargetMatchResult<T>>;","entrypoint":"webhook-ingress","exportName":"resolveSingleWebhookTargetAsync","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":212,"sourcePath":"src/plugin-sdk/webhook-targets.ts"}
+{"declaration":"export function resolveWebhookPath(params: { webhookPath?: string | undefined; webhookUrl?: string | undefined; defaultPath?: string | null | undefined; }): string | null;","entrypoint":"webhook-ingress","exportName":"resolveWebhookPath","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":15,"sourcePath":"src/plugin-sdk/webhook-path.ts"}
+{"declaration":"export function resolveWebhookTargets<T>(req: IncomingMessage, targetsByPath: Map<string, T[]>): { path: string; targets: T[]; } | null;","entrypoint":"webhook-ingress","exportName":"resolveWebhookTargets","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":107,"sourcePath":"src/plugin-sdk/webhook-targets.ts"}
+{"declaration":"export function resolveWebhookTargetWithAuthOrReject<T>(params: { targets: readonly T[]; res: ServerResponse<IncomingMessage>; isMatch: (target: T) => boolean | Promise<boolean>; unauthorizedStatusCode?: number | undefined; unauthorizedMessage?: string | undefined; ambiguousStatusCode?: number | undefined; ambiguousMessage?: string | undefined; }): Promise<...>;","entrypoint":"webhook-ingress","exportName":"resolveWebhookTargetWithAuthOrReject","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":231,"sourcePath":"src/plugin-sdk/webhook-targets.ts"}
+{"declaration":"export function resolveWebhookTargetWithAuthOrRejectSync<T>(params: { targets: readonly T[]; res: ServerResponse<IncomingMessage>; isMatch: (target: T) => boolean; unauthorizedStatusCode?: number | undefined; unauthorizedMessage?: string | undefined; ambiguousStatusCode?: number | undefined; ambiguousMessage?: string | undefined; }): T | null;","entrypoint":"webhook-ingress","exportName":"resolveWebhookTargetWithAuthOrRejectSync","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":247,"sourcePath":"src/plugin-sdk/webhook-targets.ts"}
+{"declaration":"export function withResolvedWebhookRequestPipeline<T>(params: { req: IncomingMessage; res: ServerResponse<IncomingMessage>; targetsByPath: Map<string, T[]>; allowMethods?: readonly string[] | undefined; ... 8 more ...; handle: (args: { ...; }) => boolean | ... 1 more ... | Promise<...>; }): Promise<...>;","entrypoint":"webhook-ingress","exportName":"withResolvedWebhookRequestPipeline","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"function","recordType":"export","sourceLine":121,"sourcePath":"src/plugin-sdk/webhook-targets.ts"}
+{"declaration":"export const WEBHOOK_ANOMALY_COUNTER_DEFAULTS: Readonly<{ maxTrackedKeys: 4096; ttlMs: number; logEvery: 25; }>;","entrypoint":"webhook-ingress","exportName":"WEBHOOK_ANOMALY_COUNTER_DEFAULTS","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"const","recordType":"export","sourceLine":31,"sourcePath":"src/plugin-sdk/webhook-memory-guards.ts"}
+{"declaration":"export const WEBHOOK_ANOMALY_STATUS_CODES: readonly number[];","entrypoint":"webhook-ingress","exportName":"WEBHOOK_ANOMALY_STATUS_CODES","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"const","recordType":"export","sourceLine":37,"sourcePath":"src/plugin-sdk/webhook-memory-guards.ts"}
+{"declaration":"export const WEBHOOK_BODY_READ_DEFAULTS: Readonly<{ preAuth: { maxBytes: number; timeoutMs: number; }; postAuth: { maxBytes: number; timeoutMs: number; }; }>;","entrypoint":"webhook-ingress","exportName":"WEBHOOK_BODY_READ_DEFAULTS","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"const","recordType":"export","sourceLine":19,"sourcePath":"src/plugin-sdk/webhook-request-guards.ts"}
+{"declaration":"export const WEBHOOK_IN_FLIGHT_DEFAULTS: Readonly<{ maxInFlightPerKey: 8; maxTrackedKeys: 4096; }>;","entrypoint":"webhook-ingress","exportName":"WEBHOOK_IN_FLIGHT_DEFAULTS","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"const","recordType":"export","sourceLine":30,"sourcePath":"src/plugin-sdk/webhook-request-guards.ts"}
+{"declaration":"export const WEBHOOK_RATE_LIMIT_DEFAULTS: Readonly<{ windowMs: 60000; maxRequests: 120; maxTrackedKeys: 4096; }>;","entrypoint":"webhook-ingress","exportName":"WEBHOOK_RATE_LIMIT_DEFAULTS","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"const","recordType":"export","sourceLine":25,"sourcePath":"src/plugin-sdk/webhook-memory-guards.ts"}
+{"declaration":"export type BoundedCounter = BoundedCounter;","entrypoint":"webhook-ingress","exportName":"BoundedCounter","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"type","recordType":"export","sourceLine":19,"sourcePath":"src/plugin-sdk/webhook-memory-guards.ts"}
+{"declaration":"export type FixedWindowRateLimiter = FixedWindowRateLimiter;","entrypoint":"webhook-ingress","exportName":"FixedWindowRateLimiter","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"type","recordType":"export","sourceLine":13,"sourcePath":"src/plugin-sdk/webhook-memory-guards.ts"}
+{"declaration":"export type RegisteredWebhookTarget = RegisteredWebhookTarget<T>;","entrypoint":"webhook-ingress","exportName":"RegisteredWebhookTarget","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"type","recordType":"export","sourceLine":10,"sourcePath":"src/plugin-sdk/webhook-targets.ts"}
+{"declaration":"export type RegisterWebhookPluginRouteOptions = RegisterWebhookPluginRouteOptions;","entrypoint":"webhook-ingress","exportName":"RegisterWebhookPluginRouteOptions","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"type","recordType":"export","sourceLine":24,"sourcePath":"src/plugin-sdk/webhook-targets.ts"}
+{"declaration":"export type RegisterWebhookTargetOptions = RegisterWebhookTargetOptions<T>;","entrypoint":"webhook-ingress","exportName":"RegisterWebhookTargetOptions","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"type","recordType":"export","sourceLine":15,"sourcePath":"src/plugin-sdk/webhook-targets.ts"}
+{"declaration":"export type WebhookAnomalyTracker = WebhookAnomalyTracker;","entrypoint":"webhook-ingress","exportName":"WebhookAnomalyTracker","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"type","recordType":"export","sourceLine":39,"sourcePath":"src/plugin-sdk/webhook-memory-guards.ts"}
+{"declaration":"export type WebhookBodyReadProfile = WebhookBodyReadProfile;","entrypoint":"webhook-ingress","exportName":"WebhookBodyReadProfile","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"type","recordType":"export","sourceLine":11,"sourcePath":"src/plugin-sdk/webhook-request-guards.ts"}
+{"declaration":"export type WebhookInFlightLimiter = WebhookInFlightLimiter;","entrypoint":"webhook-ingress","exportName":"WebhookInFlightLimiter","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"type","recordType":"export","sourceLine":35,"sourcePath":"src/plugin-sdk/webhook-request-guards.ts"}
+{"declaration":"export type WebhookTargetMatchResult = WebhookTargetMatchResult<T>;","entrypoint":"webhook-ingress","exportName":"WebhookTargetMatchResult","importSpecifier":"openclaw/plugin-sdk/webhook-ingress","kind":"type","recordType":"export","sourceLine":170,"sourcePath":"src/plugin-sdk/webhook-targets.ts"}

docs/.i18n/glossary.zh-CN.json

@@ -238,5 +238,65 @@
   {
     "source": "env var",
     "target": "环境变量"
+  },
+  {
+    "source": "Plugin SDK",
+    "target": "插件 SDK"
+  },
+  {
+    "source": "Plugin SDK Overview",
+    "target": "插件 SDK 概览"
+  },
+  {
+    "source": "SDK Overview",
+    "target": "SDK 概览"
+  },
+  {
+    "source": "Plugin Entry Points",
+    "target": "插件入口点"
+  },
+  {
+    "source": "Entry Points",
+    "target": "入口点"
+  },
+  {
+    "source": "Plugin Runtime",
+    "target": "插件运行时"
+  },
+  {
+    "source": "Runtime",
+    "target": "运行时"
+  },
+  {
+    "source": "Plugin Setup",
+    "target": "插件设置"
+  },
+  {
+    "source": "Setup",
+    "target": "设置"
+  },
+  {
+    "source": "Channel Plugin SDK",
+    "target": "渠道插件 SDK"
+  },
+  {
+    "source": "Channel Plugins",
+    "target": "渠道插件"
+  },
+  {
+    "source": "Provider Plugin SDK",
+    "target": "提供商插件 SDK"
+  },
+  {
+    "source": "Provider Plugins",
+    "target": "提供商插件"
+  },
+  {
+    "source": "Plugin SDK Testing",
+    "target": "插件 SDK 测试"
+  },
+  {
+    "source": "Testing",
+    "target": "测试"
   }
 ]

docs/automation/hooks.md

@@ -8,7 +8,7 @@ title: "Hooks"
 
 # Hooks
 
-Hooks provide an extensible event-driven system for automating actions in response to agent commands and events. Hooks are automatically discovered from directories and can be managed via CLI commands, similar to how skills work in OpenClaw.
+Hooks provide an extensible event-driven system for automating actions in response to agent commands and events. Hooks are automatically discovered from directories and can be inspected with `openclaw hooks`, while hook-pack installation and updates now go through `openclaw plugins`.
 
 ## Getting Oriented
 
@@ -17,7 +17,7 @@ Hooks are small scripts that run when something happens. There are two kinds:
 - **Hooks** (this page): run inside the Gateway when agent events fire, like `/new`, `/reset`, `/stop`, or lifecycle events.
 - **Webhooks**: external HTTP webhooks that let other systems trigger work in OpenClaw. See [Webhook Hooks](/automation/webhook) or use `openclaw webhooks` for Gmail helper commands.
 
-Hooks can also be bundled inside plugins; see [Plugin hooks](/plugins/architecture#provider-runtime-hooks).
+Hooks can also be bundled inside plugins; see [Plugin hooks](/plugins/architecture#provider-runtime-hooks). `openclaw hooks list` shows both standalone hooks and plugin-managed hooks.
 
 Common uses:
 
@@ -26,7 +26,7 @@ Common uses:
 - Trigger follow-up automation when a session starts or ends
 - Write files into the agent workspace or call external APIs when events fire
 
-If you can write a small TypeScript function, you can write a hook. Hooks are discovered automatically, and you enable or disable them via the CLI.
+If you can write a small TypeScript function, you can write a hook. Managed and bundled hooks are trusted local code. Workspace hooks are discovered automatically, but OpenClaw keeps them disabled until you explicitly enable them via the CLI or config.
 
 ## Overview
 
@@ -76,13 +76,20 @@ openclaw hooks info session-memory
 
 During onboarding (`openclaw onboard`), you'll be prompted to enable recommended hooks. The wizard automatically discovers eligible hooks and presents them for selection.
 
+### Trust Boundary
+
+Hooks run inside the Gateway process. Treat bundled hooks, managed hooks, and `hooks.internal.load.extraDirs` as trusted local code. Workspace hooks under `<workspace>/hooks/` are repo-local code, so OpenClaw requires an explicit enable step before loading them.
+
 ## Hook Discovery
 
-Hooks are automatically discovered from three directories (in order of precedence):
+Hooks are automatically discovered from these directories:
 
-1. **Workspace hooks**: `<workspace>/hooks/` (per-agent, highest precedence)
+1. **Workspace hooks**: `<workspace>/hooks/` (per-agent, disabled by default until explicitly enabled)
 2. **Managed hooks**: `~/.openclaw/hooks/` (user-installed, shared across workspaces)
-3. **Bundled hooks**: `<openclaw>/dist/hooks/bundled/` (shipped with OpenClaw)
+3. **Extra hook directories**: `hooks.internal.load.extraDirs` (operator-configured shared hook folders)
+4. **Bundled hooks**: `<openclaw>/dist/hooks/bundled/` (shipped with OpenClaw)
+
+Workspace hooks can add new hook names for a repo, but they cannot override bundled, managed, or plugin-provided hooks with the same name.
 
 Managed hook directories can be either a **single hook** or a **hook pack** (package directory).
 
@@ -100,7 +107,7 @@ Hook packs are standard npm packages that export one or more hooks via `openclaw
 `package.json`. Install them with:
 
 ```bash
-openclaw hooks install <path-or-spec>
+openclaw plugins install <path-or-spec>
 ```
 
 Npm specs are registry-only (package name + optional exact version or dist-tag).
@@ -127,7 +134,7 @@ Hook packs can ship dependencies; they will be installed under `~/.openclaw/hook
 Each `openclaw.hooks` entry must stay inside the package directory after symlink
 resolution; entries that escape are rejected.
 
-Security note: `openclaw hooks install` installs dependencies with `npm install --ignore-scripts`
+Security note: `openclaw plugins install` installs hook-pack dependencies with `npm install --ignore-scripts`
 (no lifecycle scripts). Keep hook pack dependency trees "pure JS/TS" and avoid packages that rely
 on `postinstall` builds.
 
@@ -294,11 +301,13 @@ Message events include rich context about the message:
     to?: string,
     provider?: string,
     surface?: string,
-    threadId?: string,
+    threadId?: string | number,
     senderId?: string,
     senderName?: string,
     senderUsername?: string,
     senderE164?: string,
+    guildId?: string,     // Discord guild / server ID
+    channelName?: string, // Channel name (e.g., Discord channel name)
   }
 }
 
@@ -318,22 +327,42 @@ Message events include rich context about the message:
 
 // message:transcribed context
 {
+  from?: string,          // Sender identifier
+  to?: string,            // Recipient identifier
   body?: string,          // Raw inbound body before enrichment
   bodyForAgent?: string,  // Enriched body visible to the agent
   transcript: string,     // Audio transcript text
+  timestamp?: number,     // Unix timestamp when received
   channelId: string,      // Channel (e.g., "telegram", "whatsapp")
   conversationId?: string,
   messageId?: string,
+  senderId?: string,      // Sender user ID
+  senderName?: string,    // Sender display name
+  senderUsername?: string,
+  provider?: string,      // Provider name
+  surface?: string,       // Surface name
+  mediaPath?: string,     // Path to the media file that was transcribed
+  mediaType?: string,     // MIME type of the media
 }
 
 // message:preprocessed context
 {
+  from?: string,          // Sender identifier
+  to?: string,            // Recipient identifier
   body?: string,          // Raw inbound body
   bodyForAgent?: string,  // Final enriched body after media/link understanding
   transcript?: string,    // Transcript when audio was present
+  timestamp?: number,     // Unix timestamp when received
   channelId: string,      // Channel (e.g., "telegram", "whatsapp")
   conversationId?: string,
   messageId?: string,
+  senderId?: string,      // Sender user ID
+  senderName?: string,    // Sender display name
+  senderUsername?: string,
+  provider?: string,      // Provider name
+  surface?: string,       // Surface name
+  mediaPath?: string,     // Path to the media file
+  mediaType?: string,     // MIME type of the media
   isGroup?: boolean,
   groupId?: string,
 }
@@ -594,6 +623,11 @@ Saves session context to memory when you issue `/new`.
 - **Session Key**: agent:main:main
 - **Session ID**: abc123def456
 - **Source**: telegram
+
+## Conversation Summary
+
+user: Can you help me design the API?
+assistant: Sure! Let's start with the endpoints...
 ```
 
 **Filename examples**:

docs/channels/discord.md

@@ -582,6 +582,7 @@ Default slash command settings:
     OpenClaw can stream draft replies by sending a temporary message and editing it as text arrives.
 
     - `channels.discord.streaming` controls preview streaming (`off` | `partial` | `block` | `progress`, default: `off`).
+    - Default stays `off` because Discord preview edits can hit rate limits quickly, especially when multiple bots or gateways share the same account or guild traffic.
     - `progress` is accepted for cross-channel consistency and maps to `partial` on Discord.
     - `channels.discord.streamMode` is a legacy alias and is auto-migrated.
     - `partial` edits a single preview message as tokens arrive.

docs/channels/nostr.md

@@ -130,6 +130,12 @@ Notes:
 - **open**: public inbound DMs (requires `allowFrom: ["*"]`).
 - **disabled**: ignore inbound DMs.
 
+Enforcement notes:
+
+- Sender policy is checked before signature verification and NIP-04 decryption.
+- Pairing replies are sent without processing the original DM body.
+- Inbound DMs are rate-limited and oversized payloads are dropped before decrypt.
+
 ### Allowlist example
 
 ```json5
@@ -234,6 +240,7 @@ docker run -p 7777:7777 ghcr.io/hoytech/strfry
 - Never commit private keys.
 - Use environment variables for keys.
 - Consider `allowlist` for production bots.
+- Pairing and allowlist policy is enforced before decrypt, so unknown senders cannot force full crypto work.
 
 ## Limitations (MVP)
 

docs/channels/pairing.md

@@ -36,7 +36,7 @@ openclaw pairing list telegram
 openclaw pairing approve telegram <CODE>
 ```
 
-Supported channels: `telegram`, `whatsapp`, `signal`, `imessage`, `discord`, `slack`, `feishu`.
+Supported channels: `telegram`, `whatsapp`, `signal`, `imessage`, `discord`, `slack`, `feishu`, `nostr`.
 
 ### Where the state lives
 

docs/channels/synology-chat.md

@@ -100,6 +100,8 @@ Media sends are supported by URL-based file delivery.
 
 Multiple Synology Chat accounts are supported under `channels.synology-chat.accounts`.
 Each account can override token, incoming URL, webhook path, DM policy, and limits.
+Direct-message sessions are isolated per account and user, so the same numeric `user_id`
+on two different Synology accounts does not share transcript state.
 
 ```json5
 {

docs/ci.md

@@ -36,6 +36,7 @@ Jobs are ordered so cheap checks fail before expensive ones run:
 3. Pushes to `main`: `build-artifacts` + `release-check` + Bun compat + `compat-node22`
 
 Scope logic lives in `scripts/ci-changed-scope.mjs` and is covered by unit tests in `src/scripts/ci-changed-scope.test.ts`.
+The same shared scope module also drives the separate `install-smoke` workflow through a narrower `changed-smoke` gate, so Docker/install smoke only runs for install, packaging, and container-relevant changes.
 
 ## Runners
 

docs/cli/hooks.md

@@ -2,7 +2,7 @@
 summary: "CLI reference for `openclaw hooks` (agent hooks)"
 read_when:
   - You want to manage agent hooks
-  - You want to install or update hooks
+  - You want to inspect hook availability or enable workspace hooks
 title: "hooks"
 ---
 
@@ -21,7 +21,7 @@ Related:
 openclaw hooks list
 ```
 
-List all discovered hooks from workspace, managed, and bundled directories.
+List all discovered hooks from workspace, managed, extra, and bundled directories.
 
 **Options:**
 
@@ -127,8 +127,7 @@ openclaw hooks enable <name>
 
 Enable a specific hook by adding it to your config (`~/.openclaw/config.json`).
 
-**Note:** Hooks managed by plugins show `plugin:<id>` in `openclaw hooks list` and
-can’t be enabled/disabled here. Enable/disable the plugin instead.
+**Note:** Workspace hooks are disabled by default until enabled here or in config. Hooks managed by plugins show `plugin:<id>` in `openclaw hooks list` and can’t be enabled/disabled here. Enable/disable the plugin instead.
 
 **Arguments:**
 
@@ -152,6 +151,9 @@ openclaw hooks enable session-memory
 - Updates `hooks.internal.entries.<name>.enabled = true` in your config
 - Saves config to disk
 
+If the hook came from `<workspace>/hooks/`, this opt-in step is required before
+the Gateway will load it.
+
 **After enabling:**
 
 - Restart the gateway so hooks reload (menu bar app restart on macOS, or restart your gateway process in dev).
@@ -184,14 +186,17 @@ openclaw hooks disable command-logger
 
 - Restart the gateway so hooks reload
 
-## Install Hooks
+## Install Hook Packs
 
 ```bash
-openclaw hooks install <path-or-spec>
-openclaw hooks install <npm-spec> --pin
+openclaw plugins install <path-or-spec>
+openclaw plugins install <npm-spec> --pin
 ```
 
-Install a hook pack from a local folder/archive or npm.
+Install hook packs through the unified plugins installer.
+
+`openclaw hooks install` still works as a compatibility alias, but it prints a
+deprecation warning and forwards to `openclaw plugins install`.
 
 Npm specs are **registry-only** (package name + optional **exact version** or
 **dist-tag**). Git/URL/file specs and semver ranges are rejected. Dependency
@@ -218,26 +223,32 @@ prerelease tag such as `@beta`/`@rc` or an exact prerelease version.
 
 ```bash
 # Local directory
-openclaw hooks install ./my-hook-pack
+openclaw plugins install ./my-hook-pack
 
 # Local archive
-openclaw hooks install ./my-hook-pack.zip
+openclaw plugins install ./my-hook-pack.zip
 
 # NPM package
-openclaw hooks install @openclaw/my-hook-pack
+openclaw plugins install @openclaw/my-hook-pack
 
 # Link a local directory without copying
-openclaw hooks install -l ./my-hook-pack
+openclaw plugins install -l ./my-hook-pack
 ```
 
-## Update Hooks
+Linked hook packs are treated as managed hooks from an operator-configured
+directory, not as workspace hooks.
+
+## Update Hook Packs
 
 ```bash
-openclaw hooks update <id>
-openclaw hooks update --all
+openclaw plugins update <id>
+openclaw plugins update --all
 ```
 
-Update installed hook packs (npm installs only).
+Update tracked npm-based hook packs through the unified plugins updater.
+
+`openclaw hooks update` still works as a compatibility alias, but it prints a
+deprecation warning and forwards to `openclaw plugins update`.
 
 **Options:**
 

docs/cli/index.md

@@ -30,7 +30,6 @@ This page describes the current CLI behavior. If commands change, update this do
 - [`status`](/cli/status)
 - [`health`](/cli/health)
 - [`sessions`](/cli/sessions)
-- [`report`](/cli/report)
 - [`gateway`](/cli/gateway)
 - [`logs`](/cli/logs)
 - [`system`](/cli/system)
@@ -152,10 +151,6 @@ openclaw [--dev] [--profile <name>] <command>
   status
   health
   sessions
-  report
-    bug
-    feature
-    security
   gateway
     call
     health
@@ -490,6 +485,9 @@ List and inspect available skills plus readiness info.
 
 Subcommands:
 
+- `skills search [query...]`: search ClawHub skills.
+- `skills install <slug>`: install a skill from ClawHub into the active workspace.
+- `skills update <slug|--all>`: update tracked ClawHub skills.
 - `skills list`: list skills (default when no subcommand).
 - `skills info <name>`: show details for one skill.
 - `skills check`: summary of ready vs missing requirements.
@@ -500,7 +498,7 @@ Options:
 - `--json`: output JSON (no styling).
 - `-v`, `--verbose`: include missing requirements detail.
 
-Tip: use `npx clawhub` to search, install, and sync skills.
+Tip: use `openclaw skills search`, `openclaw skills install`, and `openclaw skills update` for ClawHub-backed skills.
 
 ### `pairing`
 
@@ -717,27 +715,6 @@ Options:
 - `--store <path>`
 - `--active <minutes>`
 
-### `report`
-
-Prepare sanitized bug reports, feature requests, and private security report packets for `openclaw/openclaw`.
-
-Subcommands:
-
-- `bug`
-- `feature`
-- `security`
-
-Shared options:
-
-- `--title <text>`
-- `--summary <text>`
-- `--json`
-- `--markdown`
-- `--output <file>`
-- `--submit`
-- `--yes`
-- `--non-interactive`
-
 ## Reset / Uninstall
 
 ### `reset`

docs/cli/plugins.md

@@ -8,7 +8,7 @@ title: "plugins"
 
 # `openclaw plugins`
 
-Manage Gateway plugins/extensions and compatible bundles.
+Manage Gateway plugins/extensions, hook packs, and compatible bundles.
 
 Related:
 
@@ -48,12 +48,17 @@ capabilities.
 ```bash
 openclaw plugins install <path-or-spec>
 openclaw plugins install <npm-spec> --pin
+openclaw plugins install clawhub:<package>
 openclaw plugins install <plugin>@<marketplace>
 openclaw plugins install <plugin> --marketplace <marketplace>
 ```
 
 Security note: treat plugin installs like running code. Prefer pinned versions.
 
+`plugins install` is also the install surface for hook packs that expose
+`openclaw.hooks` in `package.json`. Use `openclaw hooks` for filtered hook
+visibility and per-hook enablement, not package installation.
+
 Npm specs are **registry-only** (package name + optional **exact version** or
 **dist-tag**). Git/URL/file specs and semver ranges are rejected. Dependency
 installs run with `--ignore-scripts` for safety.
@@ -71,6 +76,25 @@ Supported archives: `.zip`, `.tgz`, `.tar.gz`, `.tar`.
 
 Claude marketplace installs are also supported.
 
+ClawHub installs use an explicit `clawhub:<package>` locator:
+
+```bash
+openclaw plugins install clawhub:openclaw-codex-app-server
+openclaw plugins install clawhub:openclaw-codex-app-server@1.2.3
+```
+
+OpenClaw now also prefers ClawHub for bare npm-safe plugin specs. It only falls
+back to npm if ClawHub does not have that package or version:
+
+```bash
+openclaw plugins install openclaw-codex-app-server
+```
+
+OpenClaw downloads the package archive from ClawHub, checks the advertised
+plugin API / minimum gateway compatibility, then installs it through the normal
+archive path. Recorded installs keep their ClawHub source metadata for later
+updates.
+
 Use `plugin@marketplace` shorthand when the marketplace name exists in Claude's
 local registry cache at `~/.claude/plugins/known_marketplaces.json`:
 
@@ -144,8 +168,8 @@ openclaw plugins update <id-or-npm-spec> --dry-run
 openclaw plugins update @openclaw/voice-call@beta
 ```
 
-Updates apply to tracked installs in `plugins.installs`, currently npm and
-marketplace installs.
+Updates apply to tracked installs in `plugins.installs` and tracked hook-pack
+installs in `hooks.internal.installs`.
 
 When you pass a plugin id, OpenClaw reuses the recorded install spec for that
 plugin. That means previously stored dist-tags such as `@beta` and exact pinned

docs/cli/report.md

@@ -1,204 +0,0 @@
----
-summary: "CLI reference for `openclaw report` (bug reports, feature requests, and private security packets)"
-read_when:
-  - You want to prepare a sanitized GitHub issue draft from local OpenClaw state
-  - You want to submit a public bug or feature issue with `gh`
-  - You need a private security report packet instead of a public issue
-title: "report"
----
-
-# `openclaw report`
-
-Prepare sanitized reports for `openclaw/openclaw`.
-
-`openclaw report` turns a small amount of user input plus local runtime/config context into:
-
-- public bug report drafts
-- public feature request drafts
-- private security report packets
-
-Public bug and feature reports can optionally be submitted with `gh`. Security reports never create a public GitHub issue.
-
-## Subcommands
-
-- `openclaw report bug`
-- `openclaw report feature`
-- `openclaw report security`
-
-## Shared flags
-
-- `--title <text>`: explicit report title
-- `--summary <text>`: short summary (used in public reports and as a fallback title)
-- `--json`: emit the structured sanitized payload
-- `--markdown`: emit only the rendered report body
-- `--output <file>`: write the sanitized body to a file
-- `--submit`: submit a public bug/feature issue when the report is ready
-- `--yes`: skip interactive confirmation for submission
-- `--non-interactive`: disable prompts; public submission requires `--yes`
-
-If neither `--json` nor `--markdown` is passed, the default output is a human-readable sanitized preview.
-
-`--yes` only skips the final interactive confirmation. It does not skip draft generation, diagnostics, or probe execution.
-
-## Bug reports
-
-Use `openclaw report bug` for broken behavior, regressions, or operational failures.
-
-Examples:
-
-```bash
-openclaw report bug \
-  --summary "Gateway times out behind mitmproxy" \
-  --repro "1. Start gateway behind proxy\n2. Send any LLM request" \
-  --expected "Model responds successfully" \
-  --actual "Requests fail with timeout" \
-  --impact "Blocks all LLM traffic"
-```
-
-```bash
-openclaw report bug \
-  --summary "Gateway times out behind mitmproxy" \
-  --repro "1. Start gateway behind proxy\n2. Send any LLM request" \
-  --expected "Model responds successfully" \
-  --actual "Requests fail with timeout" \
-  --impact "Blocks all LLM traffic" \
-  --probe gateway \
-  --submit
-```
-
-Bug-specific flags:
-
-- `--repro <text>`: steps to reproduce
-- `--expected <text>`: expected behavior
-- `--actual <text>`: observed behavior
-- `--impact <text>`: severity or workflow impact
-- `--previous-version <text>`: optional regression context
-- `--evidence <text>`: extra evidence to append
-- `--additional-information <text>`: broad extra details, clues, timelines, or hypotheses
-- `--context <text>`: compatibility alias for `--additional-information`
-- `--probe <general|model|channel|gateway|none>`: bounded evidence collection mode
-
-Required fields for a submission-eligible bug report:
-
-- summary
-- repro
-- expected
-- actual
-- impact
-
-Auto-collected where available:
-
-- OpenClaw version
-- OS/runtime summary
-- configured model/provider hints
-- a short bounded probe summary when `--probe` is enabled
-
-Probe guidance:
-
-- `general`: runtime summary, proxy env context, gateway/model/channel signals, and one recent sanitized runtime error when available
-- `gateway`: gateway reachability, health, and proxy context
-- `model`: provider auth overview plus a bounded live model-path check with combined proxy-status output
-- `channel`: configured-channel summary plus recent channel/runtime issue hints
-
-## Feature requests
-
-Use `openclaw report feature` for improvements or new capabilities.
-
-Examples:
-
-```bash
-openclaw report feature \
-  --summary "Add a report dry-run flag" \
-  --problem "Operators want draft output without touching GitHub" \
-  --solution "Support report --submit only when explicitly requested" \
-  --impact "Safer issue authoring from scripts"
-```
-
-Feature-specific flags:
-
-- `--problem <text>`: problem to solve
-- `--solution <text>`: proposed solution
-- `--impact <text>`: expected impact
-- `--alternatives <text>`: alternatives considered
-- `--evidence <text>`: examples or supporting evidence
-- `--additional-information <text>`: broad extra details, clues, timelines, or hypotheses
-- `--context <text>`: compatibility alias for `--additional-information`
-- `--probe <general|model|channel|gateway|none>`: optional bounded evidence collection
-
-Required fields for a submission-eligible feature request:
-
-- summary
-- problem
-- solution
-- impact
-
-## Security reports
-
-Use `openclaw report security` for private vulnerability reports or sensitive disclosures.
-
-Example:
-
-```bash
-openclaw report security \
-  --title "Gateway token exposed in logs" \
-  --severity high \
-  --impact "Operator credential disclosure" \
-  --component "gateway auth logging" \
-  --reproduction "Run startup flow with verbose logging enabled" \
-  --demonstrated-impact "Token appears in terminal output" \
-  --environment "macOS 15.4, OpenClaw 2026.3.x" \
-  --remediation "Mask auth values before logging"
-```
-
-Security-specific flags:
-
-- `--severity <text>`
-- `--impact <text>`
-- `--component <text>`
-- `--reproduction <text>`
-- `--demonstrated-impact <text>`
-- `--environment <text>`
-- `--remediation <text>`
-
-Rules:
-
-- `report security` never calls `gh issue create`
-- `--submit` is ignored as a public-issue path and returns a blocked submission status
-- terminal output stays private-report-oriented
-- use `--output` or `--markdown` to save a private report packet for manual sending
-
-Private route: send completed security reports to `security@openclaw.ai`.
-
-## Redaction and submission behavior
-
-The command sanitizes common sensitive values before rendering output or submitting:
-
-- tokens / bearer values / API keys
-- email addresses
-- phone numbers
-- private user handles
-- local user path prefixes such as `/Users/<name>` or `/home/<name>`
-
-For public bug and feature reports:
-
-- `--submit` is required before any GitHub issue is created
-- interactive runs ask for confirmation before `gh issue create`
-- non-interactive submission requires both `--submit` and `--yes`
-- if required fields are missing, the command returns a structured blocked state instead of guessing
-- generated report bodies include a short provenance footer noting they were generated via `openclaw report`
-
-## JSON output
-
-`--json` emits a stable sanitized payload with fields such as:
-
-- `kind`
-- `title`
-- `body`
-- `labels`
-- `evidence`
-- `redactionsApplied`
-- `missingFields`
-- `submissionEligible`
-- `submission`
-
-This is intended for scripting and higher-level automation.

docs/cli/skills.md

@@ -1,14 +1,15 @@
 ---
-summary: "CLI reference for `openclaw skills` (list/info/check) and skill eligibility"
+summary: "CLI reference for `openclaw skills` (search/install/update/list/info/check)"
 read_when:
   - You want to see which skills are available and ready to run
+  - You want to search, install, or update skills from ClawHub
   - You want to debug missing binaries/env/config for skills
 title: "skills"
 ---
 
 # `openclaw skills`
 
-Inspect skills (bundled + workspace + managed overrides) and see what’s eligible vs missing requirements.
+Inspect local skills and install/update skills from ClawHub.
 
 Related:
 
@@ -19,8 +20,17 @@ Related:
 ## Commands
 
 ```bash
+openclaw skills search "calendar"
+openclaw skills install <slug>
+openclaw skills install <slug> --version <version>
+openclaw skills update <slug>
+openclaw skills update --all
 openclaw skills list
 openclaw skills list --eligible
 openclaw skills info <name>
 openclaw skills check
 ```
+
+`search`/`install`/`update` use ClawHub directly and install into the active
+workspace `skills/` directory. `list`/`info`/`check` still inspect the local
+skills visible to the current workspace and config.

docs/docs.json

@@ -1037,12 +1037,29 @@
                 "group": "Plugins",
                 "pages": [
                   "tools/plugin",
-                  "plugins/building-plugins",
                   "plugins/community",
                   "plugins/bundles",
-                  "plugins/manifest",
-                  "plugins/sdk-migration",
-                  "plugins/architecture"
+                  {
+                    "group": "Building Plugins",
+                    "pages": [
+                      "plugins/building-plugins",
+                      "plugins/sdk-channel-plugins",
+                      "plugins/sdk-provider-plugins",
+                      "plugins/sdk-migration"
+                    ]
+                  },
+                  {
+                    "group": "SDK Reference",
+                    "pages": [
+                      "plugins/sdk-overview",
+                      "plugins/sdk-entrypoints",
+                      "plugins/sdk-runtime",
+                      "plugins/sdk-setup",
+                      "plugins/sdk-testing",
+                      "plugins/manifest",
+                      "plugins/architecture"
+                    ]
+                  }
                 ]
               },
               {

docs/gateway/configuration-examples.md

@@ -303,6 +303,20 @@ Save to `~/.openclaw/openclaw.json` and you can DM the bot from that number.
         },
       },
     },
+    list: [
+      {
+        id: "main",
+        default: true,
+        thinkingDefault: "high", // per-agent thinking override
+        reasoningDefault: "on", // per-agent reasoning visibility
+        fastModeDefault: false, // per-agent fast mode
+      },
+      {
+        id: "quick",
+        fastModeDefault: true, // this agent always runs fast
+        thinkingDefault: "off",
+      },
+    ],
   },
 
   tools: {

docs/gateway/configuration-reference.md

@@ -179,7 +179,7 @@ WhatsApp runs through the gateway's web channel (Baileys Web). It starts automat
       historyLimit: 50,
       replyToMode: "first", // off | first | all
       linkPreview: true,
-      streaming: "partial", // off | partial | block | progress (default: off)
+      streaming: "partial", // off | partial | block | progress (default: off; opt in explicitly to avoid preview-edit rate limits)
       actions: { reactions: true, sendMessage: true },
       reactionNotifications: "own", // off | own | all
       mediaMaxMb: 100,
@@ -1372,6 +1372,9 @@ scripts/sandbox-browser-setup.sh   # optional browser image
         workspace: "~/.openclaw/workspace",
         agentDir: "~/.openclaw/agents/main/agent",
         model: "anthropic/claude-opus-4-6", // or { primary, fallbacks }
+        thinkingDefault: "high", // per-agent thinking level override
+        reasoningDefault: "on", // per-agent reasoning visibility override
+        fastModeDefault: false, // per-agent fast mode override
         params: { cacheRetention: "none" }, // overrides matching defaults.models params by key
         identity: {
           name: "Samantha",
@@ -1407,6 +1410,9 @@ scripts/sandbox-browser-setup.sh   # optional browser image
 - `default`: when multiple are set, first wins (warning logged). If none set, first list entry is default.
 - `model`: string form overrides `primary` only; object form `{ primary, fallbacks }` overrides both (`[]` disables global fallbacks). Cron jobs that only override `primary` still inherit default fallbacks unless you set `fallbacks: []`.
 - `params`: per-agent stream params merged over the selected model entry in `agents.defaults.models`. Use this for agent-specific overrides like `cacheRetention`, `temperature`, or `maxTokens` without duplicating the whole model catalog.
+- `thinkingDefault`: optional per-agent default thinking level (`off | minimal | low | medium | high | xhigh | adaptive`). Overrides `agents.defaults.thinkingDefault` for this agent when no per-message or session override is set.
+- `reasoningDefault`: optional per-agent default reasoning visibility (`on | off | stream`). Applies when no per-message or session reasoning override is set.
+- `fastModeDefault`: optional per-agent default for fast mode (`true | false`). Applies when no per-message or session fast-mode override is set.
 - `runtime`: optional per-agent runtime descriptor. Use `type: "acp"` with `runtime.acp` defaults (`agent`, `backend`, `mode`, `cwd`) when the agent should default to ACP harness sessions.
 - `identity.avatar`: workspace-relative path, `http(s)` URL, or `data:` URI.
 - `identity` derives defaults: `ackReaction` from `emoji`, `mentionPatterns` from `name`/`emoji`.

docs/gateway/security/index.md

@@ -36,7 +36,7 @@ openclaw security audit --fix
 openclaw security audit --json
 ```
 
-It flags common footguns (Gateway auth exposure, browser control exposure, elevated allowlists, filesystem permissions).
+It flags common footguns (Gateway auth exposure, browser control exposure, elevated allowlists, filesystem permissions, permissive exec approvals, and open-channel tool exposure).
 
 OpenClaw is both a product and an experiment: you’re wiring frontier-model behavior into real messaging surfaces and real tools. **There is no “perfectly secure” setup.** The goal is to be deliberate about:
 
@@ -185,6 +185,7 @@ If more than one person can DM your bot:
 
 - **Inbound access** (DM policies, group policies, allowlists): can strangers trigger the bot?
 - **Tool blast radius** (elevated tools + open rooms): could prompt injection turn into shell/file/network actions?
+- **Exec approval drift** (`security=full`, `autoAllowSkills`, interpreter allowlists without `strictInlineEval`): are host-exec guardrails still doing what you think they are?
 - **Network exposure** (Gateway bind/auth, Tailscale Serve/Funnel, weak/short auth tokens).
 - **Browser control exposure** (remote nodes, relay ports, remote CDP endpoints).
 - **Local disk hygiene** (permissions, symlinks, config includes, “synced folder” paths).
@@ -225,43 +226,48 @@ When the audit prints findings, treat this as a priority order:
 
 High-signal `checkId` values you will most likely see in real deployments (not exhaustive):
 
-| `checkId`                                          | Severity      | Why it matters                                                                       | Primary fix key/path                                                                              | Auto-fix |
-| -------------------------------------------------- | ------------- | ------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------- | -------- |
-| `fs.state_dir.perms_world_writable`                | critical      | Other users/processes can modify full OpenClaw state                                 | filesystem perms on `~/.openclaw`                                                                 | yes      |
-| `fs.config.perms_writable`                         | critical      | Others can change auth/tool policy/config                                            | filesystem perms on `~/.openclaw/openclaw.json`                                                   | yes      |
-| `fs.config.perms_world_readable`                   | critical      | Config can expose tokens/settings                                                    | filesystem perms on config file                                                                   | yes      |
-| `gateway.bind_no_auth`                             | critical      | Remote bind without shared secret                                                    | `gateway.bind`, `gateway.auth.*`                                                                  | no       |
-| `gateway.loopback_no_auth`                         | critical      | Reverse-proxied loopback may become unauthenticated                                  | `gateway.auth.*`, proxy setup                                                                     | no       |
-| `gateway.http.no_auth`                             | warn/critical | Gateway HTTP APIs reachable with `auth.mode="none"`                                  | `gateway.auth.mode`, `gateway.http.endpoints.*`                                                   | no       |
-| `gateway.tools_invoke_http.dangerous_allow`        | warn/critical | Re-enables dangerous tools over HTTP API                                             | `gateway.tools.allow`                                                                             | no       |
-| `gateway.nodes.allow_commands_dangerous`           | warn/critical | Enables high-impact node commands (camera/screen/contacts/calendar/SMS)              | `gateway.nodes.allowCommands`                                                                     | no       |
-| `gateway.tailscale_funnel`                         | critical      | Public internet exposure                                                             | `gateway.tailscale.mode`                                                                          | no       |
-| `gateway.control_ui.allowed_origins_required`      | critical      | Non-loopback Control UI without explicit browser-origin allowlist                    | `gateway.controlUi.allowedOrigins`                                                                | no       |
-| `gateway.control_ui.host_header_origin_fallback`   | warn/critical | Enables Host-header origin fallback (DNS rebinding hardening downgrade)              | `gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback`                                      | no       |
-| `gateway.control_ui.insecure_auth`                 | warn          | Insecure-auth compatibility toggle enabled                                           | `gateway.controlUi.allowInsecureAuth`                                                             | no       |
-| `gateway.control_ui.device_auth_disabled`          | critical      | Disables device identity check                                                       | `gateway.controlUi.dangerouslyDisableDeviceAuth`                                                  | no       |
-| `gateway.real_ip_fallback_enabled`                 | warn/critical | Trusting `X-Real-IP` fallback can enable source-IP spoofing via proxy misconfig      | `gateway.allowRealIpFallback`, `gateway.trustedProxies`                                           | no       |
-| `discovery.mdns_full_mode`                         | warn/critical | mDNS full mode advertises `cliPath`/`sshPort` metadata on local network              | `discovery.mdns.mode`, `gateway.bind`                                                             | no       |
-| `config.insecure_or_dangerous_flags`               | warn          | Any insecure/dangerous debug flags enabled                                           | multiple keys (see finding detail)                                                                | no       |
-| `hooks.token_reuse_gateway_token`                  | critical      | Hook ingress token also unlocks Gateway auth                                         | `hooks.token`, `gateway.auth.token`                                                               | no       |
-| `hooks.token_too_short`                            | warn          | Easier brute force on hook ingress                                                   | `hooks.token`                                                                                     | no       |
-| `hooks.default_session_key_unset`                  | warn          | Hook agent runs fan out into generated per-request sessions                          | `hooks.defaultSessionKey`                                                                         | no       |
-| `hooks.allowed_agent_ids_unrestricted`             | warn/critical | Authenticated hook callers may route to any configured agent                         | `hooks.allowedAgentIds`                                                                           | no       |
-| `hooks.request_session_key_enabled`                | warn/critical | External caller can choose sessionKey                                                | `hooks.allowRequestSessionKey`                                                                    | no       |
-| `hooks.request_session_key_prefixes_missing`       | warn/critical | No bound on external session key shapes                                              | `hooks.allowedSessionKeyPrefixes`                                                                 | no       |
-| `logging.redact_off`                               | warn          | Sensitive values leak to logs/status                                                 | `logging.redactSensitive`                                                                         | yes      |
-| `sandbox.docker_config_mode_off`                   | warn          | Sandbox Docker config present but inactive                                           | `agents.*.sandbox.mode`                                                                           | no       |
-| `sandbox.dangerous_network_mode`                   | critical      | Sandbox Docker network uses `host` or `container:*` namespace-join mode              | `agents.*.sandbox.docker.network`                                                                 | no       |
-| `tools.exec.host_sandbox_no_sandbox_defaults`      | warn          | `exec host=sandbox` resolves to host exec when sandbox is off                        | `tools.exec.host`, `agents.defaults.sandbox.mode`                                                 | no       |
-| `tools.exec.host_sandbox_no_sandbox_agents`        | warn          | Per-agent `exec host=sandbox` resolves to host exec when sandbox is off              | `agents.list[].tools.exec.host`, `agents.list[].sandbox.mode`                                     | no       |
-| `tools.exec.safe_bins_interpreter_unprofiled`      | warn          | Interpreter/runtime bins in `safeBins` without explicit profiles broaden exec risk   | `tools.exec.safeBins`, `tools.exec.safeBinProfiles`, `agents.list[].tools.exec.*`                 | no       |
-| `skills.workspace.symlink_escape`                  | warn          | Workspace `skills/**/SKILL.md` resolves outside workspace root (symlink-chain drift) | workspace `skills/**` filesystem state                                                            | no       |
-| `security.exposure.open_groups_with_elevated`      | critical      | Open groups + elevated tools create high-impact prompt-injection paths               | `channels.*.groupPolicy`, `tools.elevated.*`                                                      | no       |
-| `security.exposure.open_groups_with_runtime_or_fs` | critical/warn | Open groups can reach command/file tools without sandbox/workspace guards            | `channels.*.groupPolicy`, `tools.profile/deny`, `tools.fs.workspaceOnly`, `agents.*.sandbox.mode` | no       |
-| `security.trust_model.multi_user_heuristic`        | warn          | Config looks multi-user while gateway trust model is personal-assistant              | split trust boundaries, or shared-user hardening (`sandbox.mode`, tool deny/workspace scoping)    | no       |
-| `tools.profile_minimal_overridden`                 | warn          | Agent overrides bypass global minimal profile                                        | `agents.list[].tools.profile`                                                                     | no       |
-| `plugins.tools_reachable_permissive_policy`        | warn          | Extension tools reachable in permissive contexts                                     | `tools.profile` + tool allow/deny                                                                 | no       |
-| `models.small_params`                              | critical/info | Small models + unsafe tool surfaces raise injection risk                             | model choice + sandbox/tool policy                                                                | no       |
+| `checkId`                                                     | Severity      | Why it matters                                                                       | Primary fix key/path                                                                                 | Auto-fix |
+| ------------------------------------------------------------- | ------------- | ------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------- | -------- |
+| `fs.state_dir.perms_world_writable`                           | critical      | Other users/processes can modify full OpenClaw state                                 | filesystem perms on `~/.openclaw`                                                                    | yes      |
+| `fs.config.perms_writable`                                    | critical      | Others can change auth/tool policy/config                                            | filesystem perms on `~/.openclaw/openclaw.json`                                                      | yes      |
+| `fs.config.perms_world_readable`                              | critical      | Config can expose tokens/settings                                                    | filesystem perms on config file                                                                      | yes      |
+| `gateway.bind_no_auth`                                        | critical      | Remote bind without shared secret                                                    | `gateway.bind`, `gateway.auth.*`                                                                     | no       |
+| `gateway.loopback_no_auth`                                    | critical      | Reverse-proxied loopback may become unauthenticated                                  | `gateway.auth.*`, proxy setup                                                                        | no       |
+| `gateway.http.no_auth`                                        | warn/critical | Gateway HTTP APIs reachable with `auth.mode="none"`                                  | `gateway.auth.mode`, `gateway.http.endpoints.*`                                                      | no       |
+| `gateway.tools_invoke_http.dangerous_allow`                   | warn/critical | Re-enables dangerous tools over HTTP API                                             | `gateway.tools.allow`                                                                                | no       |
+| `gateway.nodes.allow_commands_dangerous`                      | warn/critical | Enables high-impact node commands (camera/screen/contacts/calendar/SMS)              | `gateway.nodes.allowCommands`                                                                        | no       |
+| `gateway.tailscale_funnel`                                    | critical      | Public internet exposure                                                             | `gateway.tailscale.mode`                                                                             | no       |
+| `gateway.control_ui.allowed_origins_required`                 | critical      | Non-loopback Control UI without explicit browser-origin allowlist                    | `gateway.controlUi.allowedOrigins`                                                                   | no       |
+| `gateway.control_ui.host_header_origin_fallback`              | warn/critical | Enables Host-header origin fallback (DNS rebinding hardening downgrade)              | `gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback`                                         | no       |
+| `gateway.control_ui.insecure_auth`                            | warn          | Insecure-auth compatibility toggle enabled                                           | `gateway.controlUi.allowInsecureAuth`                                                                | no       |
+| `gateway.control_ui.device_auth_disabled`                     | critical      | Disables device identity check                                                       | `gateway.controlUi.dangerouslyDisableDeviceAuth`                                                     | no       |
+| `gateway.real_ip_fallback_enabled`                            | warn/critical | Trusting `X-Real-IP` fallback can enable source-IP spoofing via proxy misconfig      | `gateway.allowRealIpFallback`, `gateway.trustedProxies`                                              | no       |
+| `discovery.mdns_full_mode`                                    | warn/critical | mDNS full mode advertises `cliPath`/`sshPort` metadata on local network              | `discovery.mdns.mode`, `gateway.bind`                                                                | no       |
+| `config.insecure_or_dangerous_flags`                          | warn          | Any insecure/dangerous debug flags enabled                                           | multiple keys (see finding detail)                                                                   | no       |
+| `hooks.token_reuse_gateway_token`                             | critical      | Hook ingress token also unlocks Gateway auth                                         | `hooks.token`, `gateway.auth.token`                                                                  | no       |
+| `hooks.token_too_short`                                       | warn          | Easier brute force on hook ingress                                                   | `hooks.token`                                                                                        | no       |
+| `hooks.default_session_key_unset`                             | warn          | Hook agent runs fan out into generated per-request sessions                          | `hooks.defaultSessionKey`                                                                            | no       |
+| `hooks.allowed_agent_ids_unrestricted`                        | warn/critical | Authenticated hook callers may route to any configured agent                         | `hooks.allowedAgentIds`                                                                              | no       |
+| `hooks.request_session_key_enabled`                           | warn/critical | External caller can choose sessionKey                                                | `hooks.allowRequestSessionKey`                                                                       | no       |
+| `hooks.request_session_key_prefixes_missing`                  | warn/critical | No bound on external session key shapes                                              | `hooks.allowedSessionKeyPrefixes`                                                                    | no       |
+| `logging.redact_off`                                          | warn          | Sensitive values leak to logs/status                                                 | `logging.redactSensitive`                                                                            | yes      |
+| `sandbox.docker_config_mode_off`                              | warn          | Sandbox Docker config present but inactive                                           | `agents.*.sandbox.mode`                                                                              | no       |
+| `sandbox.dangerous_network_mode`                              | critical      | Sandbox Docker network uses `host` or `container:*` namespace-join mode              | `agents.*.sandbox.docker.network`                                                                    | no       |
+| `tools.exec.host_sandbox_no_sandbox_defaults`                 | warn          | `exec host=sandbox` resolves to host exec when sandbox is off                        | `tools.exec.host`, `agents.defaults.sandbox.mode`                                                    | no       |
+| `tools.exec.host_sandbox_no_sandbox_agents`                   | warn          | Per-agent `exec host=sandbox` resolves to host exec when sandbox is off              | `agents.list[].tools.exec.host`, `agents.list[].sandbox.mode`                                        | no       |
+| `tools.exec.security_full_configured`                         | warn/critical | Host exec is running with `security="full"`                                          | `tools.exec.security`, `agents.list[].tools.exec.security`                                           | no       |
+| `tools.exec.auto_allow_skills_enabled`                        | warn          | Exec approvals trust skill bins implicitly                                           | `~/.openclaw/exec-approvals.json`                                                                    | no       |
+| `tools.exec.allowlist_interpreter_without_strict_inline_eval` | warn          | Interpreter allowlists permit inline eval without forced reapproval                  | `tools.exec.strictInlineEval`, `agents.list[].tools.exec.strictInlineEval`, exec approvals allowlist | no       |
+| `tools.exec.safe_bins_interpreter_unprofiled`                 | warn          | Interpreter/runtime bins in `safeBins` without explicit profiles broaden exec risk   | `tools.exec.safeBins`, `tools.exec.safeBinProfiles`, `agents.list[].tools.exec.*`                    | no       |
+| `tools.exec.safe_bins_broad_behavior`                         | warn          | Broad-behavior tools in `safeBins` weaken the low-risk stdin-filter trust model      | `tools.exec.safeBins`, `agents.list[].tools.exec.safeBins`                                           | no       |
+| `skills.workspace.symlink_escape`                             | warn          | Workspace `skills/**/SKILL.md` resolves outside workspace root (symlink-chain drift) | workspace `skills/**` filesystem state                                                               | no       |
+| `security.exposure.open_channels_with_exec`                   | warn/critical | Shared/public rooms can reach exec-enabled agents                                    | `channels.*.dmPolicy`, `channels.*.groupPolicy`, `tools.exec.*`, `agents.list[].tools.exec.*`        | no       |
+| `security.exposure.open_groups_with_elevated`                 | critical      | Open groups + elevated tools create high-impact prompt-injection paths               | `channels.*.groupPolicy`, `tools.elevated.*`                                                         | no       |
+| `security.exposure.open_groups_with_runtime_or_fs`            | critical/warn | Open groups can reach command/file tools without sandbox/workspace guards            | `channels.*.groupPolicy`, `tools.profile/deny`, `tools.fs.workspaceOnly`, `agents.*.sandbox.mode`    | no       |
+| `security.trust_model.multi_user_heuristic`                   | warn          | Config looks multi-user while gateway trust model is personal-assistant              | split trust boundaries, or shared-user hardening (`sandbox.mode`, tool deny/workspace scoping)       | no       |
+| `tools.profile_minimal_overridden`                            | warn          | Agent overrides bypass global minimal profile                                        | `agents.list[].tools.profile`                                                                        | no       |
+| `plugins.tools_reachable_permissive_policy`                   | warn          | Extension tools reachable in permissive contexts                                     | `tools.profile` + tool allow/deny                                                                    | no       |
+| `models.small_params`                                         | critical/info | Small models + unsafe tool surfaces raise injection risk                             | model choice + sandbox/tool policy                                                                   | no       |
 
 ## Control UI over HTTP
 
@@ -528,6 +534,7 @@ Even with strong system prompts, **prompt injection is not solved**. System prom
 - Run sensitive tool execution in a sandbox; keep secrets out of the agent’s reachable filesystem.
 - Note: sandboxing is opt-in. If sandbox mode is off, exec runs on the gateway host even though tools.exec.host defaults to sandbox, and host exec does not require approvals unless you set host=gateway and configure exec approvals.
 - Limit high-risk tools (`exec`, `browser`, `web_fetch`, `web_search`) to trusted agents or explicit allowlists.
+- If you allowlist interpreters (`python`, `node`, `ruby`, `perl`, `php`, `lua`, `osascript`), enable `tools.exec.strictInlineEval` so inline eval forms still need explicit approval.
 - **Model choice matters:** older/smaller/legacy models are significantly less robust against prompt injection and tool misuse. For tool-enabled agents, use the strongest latest-generation, instruction-hardened model available.
 
 Red flags to treat as untrusted:

docs/gateway/tools-invoke-http-api.md

@@ -8,7 +8,7 @@ title: "Tools Invoke API"
 
 # Tools Invoke (HTTP)
 
-OpenClaw’s Gateway exposes a simple HTTP endpoint for invoking a single tool directly. It is always enabled, but gated by Gateway auth and tool policy.
+OpenClaw’s Gateway exposes a simple HTTP endpoint for invoking a single tool directly. It is always enabled and uses Gateway auth plus tool policy, but callers that pass Gateway bearer auth are treated as trusted operators for that gateway.
 
 - `POST /tools/invoke`
 - Same port as the Gateway (WS + HTTP multiplex): `http://<gateway-host>:<port>/tools/invoke`
@@ -26,6 +26,7 @@ Notes:
 - When `gateway.auth.mode="token"`, use `gateway.auth.token` (or `OPENCLAW_GATEWAY_TOKEN`).
 - When `gateway.auth.mode="password"`, use `gateway.auth.password` (or `OPENCLAW_GATEWAY_PASSWORD`).
 - If `gateway.auth.rateLimit` is configured and too many auth failures occur, the endpoint returns `429` with `Retry-After`.
+- Treat this credential as a full-access operator secret for that gateway. It is not a scoped API token for a narrower `/tools/invoke` role.
 
 ## Request body
 
@@ -59,8 +60,15 @@ Tool availability is filtered through the same policy chain used by Gateway agen
 
 If a tool is not allowed by policy, the endpoint returns **404**.
 
+Important boundary notes:
+
+- `POST /tools/invoke` is in the same trusted-operator bucket as other Gateway HTTP APIs such as `/v1/chat/completions`, `/v1/responses`, and `/api/channels/*`.
+- Exec approvals are operator guardrails, not a separate authorization boundary for this HTTP endpoint. If a tool is reachable here via Gateway auth + tool policy, `/tools/invoke` does not add an extra per-call approval prompt.
+- Do not share Gateway bearer credentials with untrusted callers. If you need separation across trust boundaries, run separate gateways (and ideally separate OS users/hosts).
+
 Gateway HTTP also applies a hard deny list by default (even if session policy allows the tool):
 
+- `cron`
 - `sessions_spawn`
 - `sessions_send`
 - `gateway`

docs/help/environment.md

@@ -133,6 +133,29 @@ When set, `OPENCLAW_HOME` replaces the system home directory (`$HOME` / `os.home
 
 `OPENCLAW_HOME` can also be set to a tilde path (e.g. `~/svc`), which gets expanded using `$HOME` before use.
 
+## nvm users: web_fetch TLS failures
+
+If Node.js was installed via **nvm** (not the system package manager), the built-in `fetch()` uses
+nvm's bundled CA store, which may be missing modern root CAs (ISRG Root X1/X2 for Let's Encrypt,
+DigiCert Global Root G2, etc.). This causes `web_fetch` to fail with `"fetch failed"` on most HTTPS sites.
+
+On Linux, OpenClaw automatically detects nvm and applies the fix in the actual startup environment:
+
+- `openclaw gateway install` writes `NODE_EXTRA_CA_CERTS` into the systemd service environment
+- the `openclaw` CLI entrypoint re-execs itself with `NODE_EXTRA_CA_CERTS` set before Node startup
+
+**Manual fix (for older versions or direct `node ...` launches):**
+
+Export the variable before starting OpenClaw:
+
+```bash
+export NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt
+openclaw gateway run
+```
+
+Do not rely on writing only to `~/.openclaw/.env` for this variable; Node reads
+`NODE_EXTRA_CA_CERTS` at process startup.
+
 ## Related
 
 - [Gateway configuration](/gateway/configuration)

docs/help/faq.md

@@ -992,18 +992,16 @@ Quick answers plus deeper troubleshooting for real-world setups (local dev, VPS,
   </Accordion>
 
   <Accordion title="How do I install skills on Linux?">
-    Use **ClawHub** (CLI) or drop skills into your workspace. The macOS Skills UI isn't available on Linux.
+    Use native `openclaw skills` commands or drop skills into your workspace. The macOS Skills UI isn't available on Linux.
     Browse skills at [https://clawhub.com](https://clawhub.com).
 
-    Install the ClawHub CLI (pick one package manager):
-
     ```bash
-    npm i -g clawhub
+    openclaw skills search "calendar"
+    openclaw skills install <skill-slug>
+    openclaw skills update --all
     ```
 
-    ```bash
-    pnpm add -g clawhub
-    ```
+    Install the separate `clawhub` CLI only if you want to publish or sync your own skills.
 
   </Accordion>
 
@@ -1075,11 +1073,11 @@ Quick answers plus deeper troubleshooting for real-world setups (local dev, VPS,
     Install skills:
 
     ```bash
-    clawhub install <skill-slug>
-    clawhub update --all
+    openclaw skills install <skill-slug>
+    openclaw skills update --all
     ```
 
-    ClawHub installs into `./skills` under your current directory (or falls back to your configured OpenClaw workspace); OpenClaw treats that as `<workspace>/skills` on the next session. For shared skills across agents, place them in `~/.openclaw/skills/<name>/SKILL.md`. Some skills expect binaries installed via Homebrew; on Linux that means Linuxbrew (see the Homebrew Linux FAQ entry above). See [Skills](/tools/skills) and [ClawHub](/tools/clawhub).
+    Native installs land in the active workspace `skills/` directory. For shared skills across agents, place them in `~/.openclaw/skills/<name>/SKILL.md`. Some skills expect binaries installed via Homebrew; on Linux that means Linuxbrew (see the Homebrew Linux FAQ entry above). See [Skills](/tools/skills) and [ClawHub](/tools/clawhub).
 
   </Accordion>
 

docs/help/testing.md

@@ -54,7 +54,9 @@ Think of the suites as “increasing realism” (and increasing flakiness/cost):
   - Should be fast and stable
 - Scheduler note:
   - `pnpm test` now keeps a small checked-in behavioral manifest for true pool/isolation overrides and a separate timing snapshot for the slowest unit files.
-  - Shared unit coverage stays on, but the wrapper peels the heaviest measured files into dedicated lanes instead of relying on a growing hand-maintained exclusion list.
+  - Shared unit coverage now defaults to `threads`, while the manifest keeps the measured fork-only exceptions and heavy singleton lanes explicit.
+  - The extension suite (`vitest.extensions.config.ts`) also now defaults to `threads`; the March 22, 2026 direct full-suite control run passed clean without extension-specific fork exceptions.
+  - The wrapper peels the heaviest measured files into dedicated lanes instead of relying on a growing hand-maintained exclusion list.
   - Refresh the timing snapshot with `pnpm test:perf:update-timings` after major suite shape changes.
 - Embedded runner note:
   - When you change message-tool discovery inputs or compaction runtime context,
@@ -68,9 +70,13 @@ Think of the suites as “increasing realism” (and increasing flakiness/cost):
     through the real `run.ts` / `compact.ts` paths; helper-only tests are not a
     sufficient substitute for those integration paths.
 - Pool note:
-  - OpenClaw uses Vitest `vmForks` on Node 22, 23, and 24 for faster unit shards.
-  - On Node 25+, OpenClaw automatically falls back to regular `forks` until the repo is re-validated there.
-  - Override manually with `OPENCLAW_TEST_VM_FORKS=0` (force `forks`) or `OPENCLAW_TEST_VM_FORKS=1` (force `vmForks`).
+  - Base Vitest config still defaults to `forks`.
+  - Unit wrapper lanes default to `threads`, with explicit manifest fork/vmFork exceptions.
+  - Extension scoped config defaults to `threads`.
+  - `pnpm test` also defaults to `--isolate=false` at the wrapper level for faster file startup.
+  - Opt back into Vitest file isolation with `OPENCLAW_TEST_ISOLATE=1 pnpm test`.
+  - `OPENCLAW_TEST_NO_ISOLATE=0` or `OPENCLAW_TEST_NO_ISOLATE=false` also force isolated runs.
+  - `OPENCLAW_TEST_VM_FORKS=1` remains an opt-in experiment on Node 22, 23, and 24 only.
 
 ### E2E (gateway smoke)
 
@@ -78,8 +84,8 @@ Think of the suites as “increasing realism” (and increasing flakiness/cost):
 - Config: `vitest.e2e.config.ts`
 - Files: `src/**/*.e2e.test.ts`, `test/**/*.e2e.test.ts`
 - Runtime defaults:
-  - Uses Vitest `vmForks` for faster file startup.
-  - Uses adaptive workers (CI: 2-4, local: 4-8).
+  - Uses Vitest `forks` for deterministic cross-file isolation.
+  - Uses adaptive workers (CI: up to 2, local: 1 by default).
   - Runs in silent mode by default to reduce console I/O overhead.
 - Useful overrides:
   - `OPENCLAW_E2E_WORKERS=<n>` to force worker count (capped at 16).

docs/install/development-channels.md

@@ -48,7 +48,7 @@ update **without** changing your persisted channel:
 
 ```bash
 # Install a specific version
-openclaw update --tag 2026.3.14
+openclaw update --tag 2026.3.22
 
 # Install from the beta dist-tag (one-off, does not persist)
 openclaw update --tag beta
@@ -57,7 +57,7 @@ openclaw update --tag beta
 openclaw update --tag main
 
 # Install a specific npm package spec
-openclaw update --tag openclaw@2026.3.12
+openclaw update --tag openclaw@2026.3.22
 ```
 
 Notes:
@@ -75,7 +75,7 @@ Preview what `openclaw update` would do without making changes:
 ```bash
 openclaw update --dry-run
 openclaw update --channel beta --dry-run
-openclaw update --tag 2026.3.14 --dry-run
+openclaw update --tag 2026.3.22 --dry-run
 openclaw update --dry-run --json
 ```
 

docs/plugins/architecture.md

@@ -12,9 +12,12 @@ sidebarTitle: "Internals"
 # Plugin Internals
 
 <Info>
-  This page is for **plugin developers and contributors**. If you just want to
-  install and use plugins, see [Plugins](/tools/plugin). If you want to build
-  a plugin, see [Building Plugins](/plugins/building-plugins).
+  This is the **deep architecture reference**. For practical guides, see:
+  - [Install and use plugins](/tools/plugin) — user guide
+  - [Getting Started](/plugins/building-plugins) — first plugin tutorial
+  - [Channel Plugins](/plugins/sdk-channel-plugins) — build a messaging channel
+  - [Provider Plugins](/plugins/sdk-provider-plugins) — build a model provider
+  - [SDK Overview](/plugins/sdk-overview) — import map and registration API
 </Info>
 
 This page covers the internal architecture of the OpenClaw plugin system.

docs/plugins/building-plugins.md

@@ -1,329 +1,182 @@
 ---
 title: "Building Plugins"
-sidebarTitle: "Building Plugins"
-summary: "Step-by-step guide for creating OpenClaw plugins with any combination of capabilities"
+sidebarTitle: "Getting Started"
+summary: "Create your first OpenClaw plugin in minutes"
 read_when:
   - You want to create a new OpenClaw plugin
-  - You need to understand the plugin SDK import patterns
+  - You need a quick-start for plugin development
   - You are adding a new channel, provider, tool, or other capability to OpenClaw
 ---
 
 # Building Plugins
 
 Plugins extend OpenClaw with new capabilities: channels, model providers, speech,
-image generation, web search, agent tools, or any combination. A single plugin
-can register multiple capabilities.
+image generation, web search, agent tools, or any combination.
 
-OpenClaw encourages **external plugin development**. You do not need to add your
-plugin to the OpenClaw repository. Publish your plugin on npm, and users install
-it with `openclaw plugins install <npm-spec>`. OpenClaw also maintains a set of
-core plugins in-repo, but the plugin system is designed for independent ownership
-and distribution.
+You do not need to add your plugin to the OpenClaw repository. Publish to
+[ClawHub](/tools/clawhub) or npm and users install with
+`openclaw plugins install <package-name>`. OpenClaw tries ClawHub first and
+falls back to npm automatically.
 
 ## Prerequisites
 
 - Node >= 22 and a package manager (npm or pnpm)
 - Familiarity with TypeScript (ESM)
-- For in-repo plugins: OpenClaw repository cloned and `pnpm install` done
+- For in-repo plugins: repository cloned and `pnpm install` done
 
-## Plugin capabilities
+## What kind of plugin?
 
-A plugin can register one or more capabilities. The capability you register
-determines what your plugin provides to OpenClaw:
+<CardGroup cols={3}>
+  <Card title="Channel plugin" icon="messages-square" href="/plugins/sdk-channel-plugins">
+    Connect OpenClaw to a messaging platform (Discord, IRC, etc.)
+  </Card>
+  <Card title="Provider plugin" icon="cpu" href="/plugins/sdk-provider-plugins">
+    Add a model provider (LLM, proxy, or custom endpoint)
+  </Card>
+  <Card title="Tool / hook plugin" icon="wrench">
+    Register agent tools, event hooks, or services — continue below
+  </Card>
+</CardGroup>
 
-| Capability          | Registration method                           | What it adds                   |
-| ------------------- | --------------------------------------------- | ------------------------------ |
-| Text inference      | `api.registerProvider(...)`                   | Model provider (LLM)           |
-| Channel / messaging | `api.registerChannel(...)`                    | Chat channel (e.g. Slack, IRC) |
-| Speech              | `api.registerSpeechProvider(...)`             | Text-to-speech / STT           |
-| Media understanding | `api.registerMediaUnderstandingProvider(...)` | Image/audio/video analysis     |
-| Image generation    | `api.registerImageGenerationProvider(...)`    | Image generation               |
-| Web search          | `api.registerWebSearchProvider(...)`          | Web search provider            |
-| Agent tools         | `api.registerTool(...)`                       | Tools callable by the agent    |
+## Quick start: tool plugin
 
-A plugin that registers zero capabilities but provides hooks or services is a
-**hook-only** plugin. That pattern is still supported.
-
-## Plugin structure
-
-Plugins follow this layout (whether in-repo or standalone):
-
-```
-my-plugin/
-├── package.json          # npm metadata + openclaw config
-├── openclaw.plugin.json  # Plugin manifest
-├── index.ts              # Entry point
-├── setup-entry.ts        # Setup wizard (optional)
-├── api.ts                # Public exports (optional)
-├── runtime-api.ts        # Internal exports (optional)
-└── src/
-    ├── provider.ts       # Capability implementation
-    ├── runtime.ts        # Runtime wiring
-    └── *.test.ts         # Colocated tests
-```
-
-## Create a plugin
+This walkthrough creates a minimal plugin that registers an agent tool. Channel
+and provider plugins have dedicated guides linked above.
 
 <Steps>
-  <Step title="Create the package">
-    Create `package.json` with the `openclaw` metadata block. The structure
-    depends on what capabilities your plugin provides.
-
-    **Channel plugin example:**
-
-    ```json
+  <Step title="Create the package and manifest">
+    <CodeGroup>
+    ```json package.json
     {
-      "name": "@myorg/openclaw-my-channel",
+      "name": "@myorg/openclaw-my-plugin",
       "version": "1.0.0",
       "type": "module",
       "openclaw": {
-        "extensions": ["./index.ts"],
-        "channel": {
-          "id": "my-channel",
-          "label": "My Channel",
-          "blurb": "Short description of the channel."
-        }
+        "extensions": ["./index.ts"]
       }
     }
     ```
 
-    **Provider plugin example:**
-
-    ```json
+    ```json openclaw.plugin.json
     {
-      "name": "@myorg/openclaw-my-provider",
-      "version": "1.0.0",
-      "type": "module",
-      "openclaw": {
-        "extensions": ["./index.ts"],
-        "providers": ["my-provider"]
+      "id": "my-plugin",
+      "name": "My Plugin",
+      "description": "Adds a custom tool to OpenClaw",
+      "configSchema": {
+        "type": "object",
+        "additionalProperties": false
       }
     }
     ```
+    </CodeGroup>
 
-    The `openclaw` field tells the plugin system what your plugin provides.
-    A plugin can declare both `channel` and `providers` if it provides multiple
-    capabilities.
+    Every plugin needs a manifest, even with no config. See
+    [Manifest](/plugins/manifest) for the full schema.
 
   </Step>
 
-  <Step title="Define the entry point">
-    The entry point registers your capabilities with the plugin API.
-
-    **Channel plugin:**
+  <Step title="Write the entry point">
 
     ```typescript
-    import { defineChannelPluginEntry } from "openclaw/plugin-sdk/core";
-
-    export default defineChannelPluginEntry({
-      id: "my-channel",
-      name: "My Channel",
-      description: "Connects OpenClaw to My Channel",
-      plugin: {
-        // Channel adapter implementation
-      },
-    });
-    ```
-
-    **Provider plugin:**
-
-    ```typescript
-    import { definePluginEntry } from "openclaw/plugin-sdk/core";
+    // index.ts
+    import { definePluginEntry } from "openclaw/plugin-sdk/plugin-entry";
+    import { Type } from "@sinclair/typebox";
 
     export default definePluginEntry({
-      id: "my-provider",
-      name: "My Provider",
+      id: "my-plugin",
+      name: "My Plugin",
+      description: "Adds a custom tool to OpenClaw",
       register(api) {
-        api.registerProvider({
-          // Provider implementation
+        api.registerTool({
+          name: "my_tool",
+          description: "Do a thing",
+          parameters: Type.Object({ input: Type.String() }),
+          async execute(_id, params) {
+            return { content: [{ type: "text", text: `Got: ${params.input}` }] };
+          },
         });
       },
     });
     ```
 
-    **Multi-capability plugin** (provider + tool):
-
-    ```typescript
-    import { definePluginEntry } from "openclaw/plugin-sdk/core";
-
-    export default definePluginEntry({
-      id: "my-plugin",
-      name: "My Plugin",
-      register(api) {
-        api.registerProvider({ /* ... */ });
-        api.registerTool({ /* ... */ });
-        api.registerImageGenerationProvider({ /* ... */ });
-      },
-    });
-    ```
-
-    Use `defineChannelPluginEntry` for channel plugins and `definePluginEntry`
-    for everything else. A single plugin can register as many capabilities as needed.
+    `definePluginEntry` is for non-channel plugins. For channels, use
+    `defineChannelPluginEntry` — see [Channel Plugins](/plugins/sdk-channel-plugins).
+    For full entry point options, see [Entry Points](/plugins/sdk-entrypoints).
 
   </Step>
 
-  <Step title="Import from focused SDK subpaths">
-    Always import from specific `openclaw/plugin-sdk/\<subpath\>` paths. The old
-    monolithic import is deprecated (see [SDK Migration](/plugins/sdk-migration)).
+  <Step title="Test and publish">
 
-    If older plugin code still imports `openclaw/extension-api`, treat that as a
-    temporary compatibility bridge only. New code should use injected runtime
-    helpers such as `api.runtime.agent.*` instead of importing host-side agent
-    helpers directly.
-
-    ```typescript
-    // Correct: focused subpaths
-    import { definePluginEntry } from "openclaw/plugin-sdk/core";
-    import { createPluginRuntimeStore } from "openclaw/plugin-sdk/runtime-store";
-    import { buildOauthProviderAuthResult } from "openclaw/plugin-sdk/provider-oauth";
-
-    // Wrong: monolithic root (lint will reject this)
-    import { ... } from "openclaw/plugin-sdk";
-
-    // Deprecated: legacy host bridge
-    import { runEmbeddedPiAgent } from "openclaw/extension-api";
-    ```
-
-    <Accordion title="Common subpaths reference">
-      | Subpath | Purpose |
-      | --- | --- |
-      | `plugin-sdk/core` | Plugin entry definitions and base types |
-      | `plugin-sdk/channel-setup` | Setup wizard adapters |
-      | `plugin-sdk/channel-pairing` | DM pairing primitives |
-      | `plugin-sdk/channel-reply-pipeline` | Reply prefix + typing wiring |
-      | `plugin-sdk/channel-config-schema` | Config schema builders |
-      | `plugin-sdk/channel-policy` | Group/DM policy helpers |
-      | `plugin-sdk/secret-input` | Secret input parsing/helpers |
-      | `plugin-sdk/webhook-ingress` | Webhook request/target helpers |
-      | `plugin-sdk/runtime-store` | Persistent plugin storage |
-      | `plugin-sdk/allow-from` | Allowlist resolution |
-      | `plugin-sdk/reply-payload` | Message reply types |
-      | `plugin-sdk/provider-oauth` | OAuth login + PKCE helpers |
-      | `plugin-sdk/provider-onboard` | Provider onboarding config patches |
-      | `plugin-sdk/testing` | Test utilities |
-    </Accordion>
-
-    Use the narrowest subpath that matches the job.
-
-  </Step>
-
-  <Step title="Use local modules for internal imports">
-    Within your plugin, create local module files for internal code sharing
-    instead of re-importing through the plugin SDK:
-
-    ```typescript
-    // api.ts — public exports for this plugin
-    export { MyConfig } from "./src/config.js";
-    export { MyRuntime } from "./src/runtime.js";
-
-    // runtime-api.ts — internal-only exports
-    export { internalHelper } from "./src/helpers.js";
-    ```
-
-    <Warning>
-      Never import your own plugin back through its published SDK path from
-      production files. Route internal imports through local files like `./api.ts`
-      or `./runtime-api.ts`. The SDK path is for external consumers only.
-    </Warning>
-
-  </Step>
-
-  <Step title="Add a plugin manifest">
-    Create `openclaw.plugin.json` in your plugin root:
-
-    ```json
-    {
-      "id": "my-plugin",
-      "kind": "provider",
-      "name": "My Plugin",
-      "description": "Adds My Provider to OpenClaw"
-    }
-    ```
-
-    For channel plugins, set `"kind": "channel"` and add `"channels": ["my-channel"]`.
-
-    See [Plugin Manifest](/plugins/manifest) for the full schema.
-
-  </Step>
-
-  <Step title="Test your plugin">
-    **External plugins:** run your own test suite against the plugin SDK contracts.
-
-    **In-repo plugins:** OpenClaw runs contract tests against all registered plugins:
+    **External plugins:** publish to [ClawHub](/tools/clawhub) or npm, then install:
 
     ```bash
-    pnpm test:contracts:channels   # channel plugins
-    pnpm test:contracts:plugins    # provider plugins
-    ```
-
-    For unit tests, import test helpers from the testing surface:
-
-    ```typescript
-    import { createTestRuntime } from "openclaw/plugin-sdk/testing";
-    ```
-
-  </Step>
-
-  <Step title="Publish and install">
-    **External plugins:** publish to npm, then install:
-
-    ```bash
-    npm publish
     openclaw plugins install @myorg/openclaw-my-plugin
     ```
 
-    **In-repo plugins:** place the plugin under `extensions/` and it is
-    automatically discovered during build.
+    OpenClaw checks ClawHub first, then falls back to npm.
 
-    Users can browse and install community plugins with:
+    **In-repo plugins:** place under `extensions/` — automatically discovered.
 
     ```bash
-    openclaw plugins search <query>
-    openclaw plugins install <npm-spec>
+    pnpm test -- extensions/my-plugin/
     ```
 
   </Step>
 </Steps>
 
+## Plugin capabilities
+
+A single plugin can register any number of capabilities via the `api` object:
+
+| Capability           | Registration method                           | Detailed guide                                                                  |
+| -------------------- | --------------------------------------------- | ------------------------------------------------------------------------------- |
+| Text inference (LLM) | `api.registerProvider(...)`                   | [Provider Plugins](/plugins/sdk-provider-plugins)                               |
+| Channel / messaging  | `api.registerChannel(...)`                    | [Channel Plugins](/plugins/sdk-channel-plugins)                                 |
+| Speech (TTS/STT)     | `api.registerSpeechProvider(...)`             | [Provider Plugins](/plugins/sdk-provider-plugins#step-5-add-extra-capabilities) |
+| Media understanding  | `api.registerMediaUnderstandingProvider(...)` | [Provider Plugins](/plugins/sdk-provider-plugins#step-5-add-extra-capabilities) |
+| Image generation     | `api.registerImageGenerationProvider(...)`    | [Provider Plugins](/plugins/sdk-provider-plugins#step-5-add-extra-capabilities) |
+| Web search           | `api.registerWebSearchProvider(...)`          | [Provider Plugins](/plugins/sdk-provider-plugins#step-5-add-extra-capabilities) |
+| Agent tools          | `api.registerTool(...)`                       | Below                                                                           |
+| Custom commands      | `api.registerCommand(...)`                    | [Entry Points](/plugins/sdk-entrypoints)                                        |
+| Event hooks          | `api.registerHook(...)`                       | [Entry Points](/plugins/sdk-entrypoints)                                        |
+| HTTP routes          | `api.registerHttpRoute(...)`                  | [Internals](/plugins/architecture#gateway-http-routes)                          |
+| CLI subcommands      | `api.registerCli(...)`                        | [Entry Points](/plugins/sdk-entrypoints)                                        |
+
+For the full registration API, see [SDK Overview](/plugins/sdk-overview#registration-api).
+
 ## Registering agent tools
 
-Plugins can register **agent tools** — typed functions the LLM can call. Tools
-can be required (always available) or optional (users opt in via allowlists).
+Tools are typed functions the LLM can call. They can be required (always
+available) or optional (user opt-in):
 
 ```typescript
-import { Type } from "@sinclair/typebox";
+register(api) {
+  // Required tool — always available
+  api.registerTool({
+    name: "my_tool",
+    description: "Do a thing",
+    parameters: Type.Object({ input: Type.String() }),
+    async execute(_id, params) {
+      return { content: [{ type: "text", text: params.input }] };
+    },
+  });
 
-export default definePluginEntry({
-  id: "my-plugin",
-  name: "My Plugin",
-  register(api) {
-    // Required tool (always available)
-    api.registerTool({
-      name: "my_tool",
-      description: "Do a thing",
-      parameters: Type.Object({ input: Type.String() }),
+  // Optional tool — user must add to allowlist
+  api.registerTool(
+    {
+      name: "workflow_tool",
+      description: "Run a workflow",
+      parameters: Type.Object({ pipeline: Type.String() }),
       async execute(_id, params) {
-        return { content: [{ type: "text", text: params.input }] };
+        return { content: [{ type: "text", text: params.pipeline }] };
       },
-    });
-
-    // Optional tool (user must add to allowlist)
-    api.registerTool(
-      {
-        name: "workflow_tool",
-        description: "Run a workflow",
-        parameters: Type.Object({ pipeline: Type.String() }),
-        async execute(_id, params) {
-          return { content: [{ type: "text", text: params.pipeline }] };
-        },
-      },
-      { optional: true },
-    );
-  },
-});
+    },
+    { optional: true },
+  );
+}
 ```
 
-Enable optional tools in config:
+Users enable optional tools in config:
 
 ```json5
 {
@@ -331,39 +184,56 @@ Enable optional tools in config:
 }
 ```
 
-Tips:
-
-- Tool names must not clash with core tool names (conflicts are skipped)
-- Use `optional: true` for tools that trigger side effects or require extra binaries
+- Tool names must not clash with core tools (conflicts are skipped)
+- Use `optional: true` for tools with side effects or extra binary requirements
 - Users can enable all tools from a plugin by adding the plugin id to `tools.allow`
 
-## Lint enforcement (in-repo plugins)
+## Import conventions
 
-Three scripts enforce SDK boundaries for plugins in the OpenClaw repository:
+Always import from focused `openclaw/plugin-sdk/<subpath>` paths:
 
-1. **No monolithic root imports** — `openclaw/plugin-sdk` root is rejected
-2. **No direct src/ imports** — plugins cannot import `../../src/` directly
-3. **No self-imports** — plugins cannot import their own `plugin-sdk/\<name\>` subpath
+```typescript
+import { definePluginEntry } from "openclaw/plugin-sdk/plugin-entry";
+import { createPluginRuntimeStore } from "openclaw/plugin-sdk/runtime-store";
 
-Run `pnpm check` to verify all boundaries before committing.
+// Wrong: monolithic root (deprecated, will be removed)
+import { ... } from "openclaw/plugin-sdk";
+```
 
-External plugins are not subject to these lint rules, but following the same
-patterns is strongly recommended.
+For the full subpath reference, see [SDK Overview](/plugins/sdk-overview).
+
+Within your plugin, use local barrel files (`api.ts`, `runtime-api.ts`) for
+internal imports — never import your own plugin through its SDK path.
 
 ## Pre-submission checklist
 
 <Check>**package.json** has correct `openclaw` metadata</Check>
+<Check>**openclaw.plugin.json** manifest is present and valid</Check>
 <Check>Entry point uses `defineChannelPluginEntry` or `definePluginEntry`</Check>
-<Check>All imports use focused `plugin-sdk/\<subpath\>` paths</Check>
+<Check>All imports use focused `plugin-sdk/<subpath>` paths</Check>
 <Check>Internal imports use local modules, not SDK self-imports</Check>
-<Check>`openclaw.plugin.json` manifest is present and valid</Check>
-<Check>Tests pass</Check>
+<Check>Tests pass (`pnpm test -- extensions/my-plugin/`)</Check>
 <Check>`pnpm check` passes (in-repo plugins)</Check>
 
-## Related
+## Next steps
 
-- [Plugin SDK Migration](/plugins/sdk-migration) — migrating from deprecated compat surfaces
-- [Plugin Architecture](/plugins/architecture) — internals and capability model
-- [Plugin Manifest](/plugins/manifest) — full manifest schema
-- [Plugin Agent Tools](/plugins/building-plugins#registering-agent-tools) — adding agent tools in a plugin
-- [Community Plugins](/plugins/community) — listing and quality bar
+<CardGroup cols={2}>
+  <Card title="Channel Plugins" icon="messages-square" href="/plugins/sdk-channel-plugins">
+    Build a messaging channel plugin
+  </Card>
+  <Card title="Provider Plugins" icon="cpu" href="/plugins/sdk-provider-plugins">
+    Build a model provider plugin
+  </Card>
+  <Card title="SDK Overview" icon="book-open" href="/plugins/sdk-overview">
+    Import map and registration API reference
+  </Card>
+  <Card title="Runtime Helpers" icon="settings" href="/plugins/sdk-runtime">
+    TTS, search, subagent via api.runtime
+  </Card>
+  <Card title="Testing" icon="test-tubes" href="/plugins/sdk-testing">
+    Test utilities and patterns
+  </Card>
+  <Card title="Plugin Manifest" icon="file-json" href="/plugins/manifest">
+    Full manifest schema reference
+  </Card>
+</CardGroup>

docs/plugins/community.md

@@ -10,12 +10,15 @@ title: "Community Plugins"
 
 Community plugins are third-party packages that extend OpenClaw with new
 channels, tools, providers, or other capabilities. They are built and maintained
-by the community, published on npm, and installable with a single command.
+by the community, published on [ClawHub](/tools/clawhub) or npm, and
+installable with a single command.
 
 ```bash
-openclaw plugins install <npm-spec>
+openclaw plugins install <package-name>
 ```
 
+OpenClaw checks ClawHub first and falls back to npm automatically.
+
 ## Listed plugins
 
 ### Codex App Server Bridge
@@ -99,8 +102,9 @@ openclaw plugins install @wecom/wecom-openclaw-plugin
 We welcome community plugins that are useful, documented, and safe to operate.
 
 <Steps>
-  <Step title="Publish to npm">
-    Your plugin must be installable via `openclaw plugins install \<npm-spec\>`.
+  <Step title="Publish to ClawHub or npm">
+    Your plugin must be installable via `openclaw plugins install \<package-name\>`.
+    Publish to [ClawHub](/tools/clawhub) (preferred) or npm.
     See [Building Plugins](/plugins/building-plugins) for the full guide.
 
   </Step>
@@ -125,12 +129,12 @@ We welcome community plugins that are useful, documented, and safe to operate.
 
 ## Quality bar
 
-| Requirement          | Why                                           |
-| -------------------- | --------------------------------------------- |
-| Published on npm     | Users need `openclaw plugins install` to work |
-| Public GitHub repo   | Source review, issue tracking, transparency   |
-| Setup and usage docs | Users need to know how to configure it        |
-| Active maintenance   | Recent updates or responsive issue handling   |
+| Requirement                 | Why                                           |
+| --------------------------- | --------------------------------------------- |
+| Published on ClawHub or npm | Users need `openclaw plugins install` to work |
+| Public GitHub repo          | Source review, issue tracking, transparency   |
+| Setup and usage docs        | Users need to know how to configure it        |
+| Active maintenance          | Recent updates or responsive issue handling   |
 
 Low-effort wrappers, unclear ownership, or unmaintained packages may be declined.
 

docs/plugins/manifest.md

@@ -35,7 +35,28 @@ See the full plugin system guide: [Plugins](/tools/plugin).
 For the native capability model and current external-compatibility guidance:
 [Capability model](/plugins/architecture#public-capability-model).
 
-## Required fields
+## What this file does
+
+`openclaw.plugin.json` is the metadata OpenClaw reads before it loads your
+plugin code.
+
+Use it for:
+
+- plugin identity
+- config validation
+- auth and onboarding metadata that should be available without booting plugin
+  runtime
+- config UI hints
+
+Do not use it for:
+
+- registering runtime behavior
+- declaring code entrypoints
+- npm install metadata
+
+Those belong in your plugin code and `package.json`.
+
+## Minimal example
 
 ```json
 {
@@ -48,45 +69,18 @@ For the native capability model and current external-compatibility guidance:
 }
 ```
 
-Required keys:
-
-- `id` (string): canonical plugin id.
-- `configSchema` (object): JSON Schema for plugin config (inline).
-
-Optional keys:
-
-- `kind` (string): plugin kind (examples: `"memory"`, `"context-engine"`).
-- `channels` (array): channel ids registered by this plugin (channel capability; example: `["matrix"]`).
-- `providers` (array): provider ids registered by this plugin (text inference capability).
-- `providerAuthEnvVars` (object): auth env vars keyed by provider id. Use this
-  when OpenClaw should resolve provider credentials from env without loading
-  plugin runtime first.
-- `providerAuthChoices` (array): cheap onboarding/auth-choice metadata keyed by
-  provider + auth method. Use this when OpenClaw should show a provider in
-  auth-choice pickers, preferred-provider resolution, and CLI help without
-  loading plugin runtime first.
-- `skills` (array): skill directories to load (relative to the plugin root).
-- `name` (string): display name for the plugin.
-- `description` (string): short plugin summary.
-- `uiHints` (object): config field labels/placeholders/sensitive flags for UI rendering.
-- `version` (string): plugin version (informational).
-
-### `providerAuthChoices` shape
-
-Each entry can declare:
-
-- `provider`: provider id
-- `method`: auth method id
-- `choiceId`: stable onboarding/auth-choice id
-- `choiceLabel` / `choiceHint`: picker label + short hint
-- `groupId` / `groupLabel` / `groupHint`: grouped onboarding bucket metadata
-- `optionKey` / `cliFlag` / `cliOption` / `cliDescription`: optional one-flag
-  CLI wiring for simple auth flows such as API keys
-
-Example:
+## Rich example
 
 ```json
 {
+  "id": "openrouter",
+  "name": "OpenRouter",
+  "description": "OpenRouter provider plugin",
+  "version": "1.0.0",
+  "providers": ["openrouter"],
+  "providerAuthEnvVars": {
+    "openrouter": ["OPENROUTER_API_KEY"]
+  },
   "providerAuthChoices": [
     {
       "provider": "openrouter",
@@ -98,12 +92,110 @@ Example:
       "optionKey": "openrouterApiKey",
       "cliFlag": "--openrouter-api-key",
       "cliOption": "--openrouter-api-key <key>",
-      "cliDescription": "OpenRouter API key"
+      "cliDescription": "OpenRouter API key",
+      "onboardingScopes": ["text-inference"]
     }
-  ]
+  ],
+  "uiHints": {
+    "apiKey": {
+      "label": "API key",
+      "placeholder": "sk-or-v1-...",
+      "sensitive": true
+    }
+  },
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {
+      "apiKey": {
+        "type": "string"
+      }
+    }
+  }
 }
 ```
 
+## Top-level field reference
+
+| Field                 | Required | Type                             | What it means                                                                                                                |
+| --------------------- | -------- | -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
+| `id`                  | Yes      | `string`                         | Canonical plugin id. This is the id used in `plugins.entries.<id>`.                                                          |
+| `configSchema`        | Yes      | `object`                         | Inline JSON Schema for this plugin's config.                                                                                 |
+| `enabledByDefault`    | No       | `true`                           | Marks a bundled plugin as enabled by default. Omit it, or set any non-`true` value, to leave the plugin disabled by default. |
+| `kind`                | No       | `"memory"` \| `"context-engine"` | Declares an exclusive plugin kind used by `plugins.slots.*`.                                                                 |
+| `channels`            | No       | `string[]`                       | Channel ids owned by this plugin. Used for discovery and config validation.                                                  |
+| `providers`           | No       | `string[]`                       | Provider ids owned by this plugin.                                                                                           |
+| `providerAuthEnvVars` | No       | `Record<string, string[]>`       | Cheap provider-auth env metadata that OpenClaw can inspect without loading plugin code.                                      |
+| `providerAuthChoices` | No       | `object[]`                       | Cheap auth-choice metadata for onboarding pickers, preferred-provider resolution, and simple CLI flag wiring.                |
+| `skills`              | No       | `string[]`                       | Skill directories to load, relative to the plugin root.                                                                      |
+| `name`                | No       | `string`                         | Human-readable plugin name.                                                                                                  |
+| `description`         | No       | `string`                         | Short summary shown in plugin surfaces.                                                                                      |
+| `version`             | No       | `string`                         | Informational plugin version.                                                                                                |
+| `uiHints`             | No       | `Record<string, object>`         | UI labels, placeholders, and sensitivity hints for config fields.                                                            |
+
+## providerAuthChoices reference
+
+Each `providerAuthChoices` entry describes one onboarding or auth choice.
+OpenClaw reads this before provider runtime loads.
+
+| Field              | Required | Type                                            | What it means                                                                                            |
+| ------------------ | -------- | ----------------------------------------------- | -------------------------------------------------------------------------------------------------------- |
+| `provider`         | Yes      | `string`                                        | Provider id this choice belongs to.                                                                      |
+| `method`           | Yes      | `string`                                        | Auth method id to dispatch to.                                                                           |
+| `choiceId`         | Yes      | `string`                                        | Stable auth-choice id used by onboarding and CLI flows.                                                  |
+| `choiceLabel`      | No       | `string`                                        | User-facing label. If omitted, OpenClaw falls back to `choiceId`.                                        |
+| `choiceHint`       | No       | `string`                                        | Short helper text for the picker.                                                                        |
+| `groupId`          | No       | `string`                                        | Optional group id for grouping related choices.                                                          |
+| `groupLabel`       | No       | `string`                                        | User-facing label for that group.                                                                        |
+| `groupHint`        | No       | `string`                                        | Short helper text for the group.                                                                         |
+| `optionKey`        | No       | `string`                                        | Internal option key for simple one-flag auth flows.                                                      |
+| `cliFlag`          | No       | `string`                                        | CLI flag name, such as `--openrouter-api-key`.                                                           |
+| `cliOption`        | No       | `string`                                        | Full CLI option shape, such as `--openrouter-api-key <key>`.                                             |
+| `cliDescription`   | No       | `string`                                        | Description used in CLI help.                                                                            |
+| `onboardingScopes` | No       | `Array<"text-inference" \| "image-generation">` | Which onboarding surfaces this choice should appear in. If omitted, it defaults to `["text-inference"]`. |
+
+## uiHints reference
+
+`uiHints` is a map from config field names to small rendering hints.
+
+```json
+{
+  "uiHints": {
+    "apiKey": {
+      "label": "API key",
+      "help": "Used for OpenRouter requests",
+      "placeholder": "sk-or-v1-...",
+      "sensitive": true
+    }
+  }
+}
+```
+
+Each field hint can include:
+
+| Field         | Type       | What it means                           |
+| ------------- | ---------- | --------------------------------------- |
+| `label`       | `string`   | User-facing field label.                |
+| `help`        | `string`   | Short helper text.                      |
+| `tags`        | `string[]` | Optional UI tags.                       |
+| `advanced`    | `boolean`  | Marks the field as advanced.            |
+| `sensitive`   | `boolean`  | Marks the field as secret or sensitive. |
+| `placeholder` | `string`   | Placeholder text for form inputs.       |
+
+## Manifest versus package.json
+
+The two files serve different jobs:
+
+| File                   | Use it for                                                                                                         |
+| ---------------------- | ------------------------------------------------------------------------------------------------------------------ |
+| `openclaw.plugin.json` | Discovery, config validation, auth-choice metadata, and UI hints that must exist before plugin code runs           |
+| `package.json`         | npm metadata, dependency installation, and the `openclaw` block used for entrypoints and setup or catalog metadata |
+
+If you are unsure where a piece of metadata belongs, use this rule:
+
+- if OpenClaw must know it before loading plugin code, put it in `openclaw.plugin.json`
+- if it is about packaging, entry files, or npm install behavior, put it in `package.json`
+
 ## JSON Schema requirements
 
 - **Every plugin must ship a JSON Schema**, even if it accepts no config.
@@ -128,6 +220,8 @@ See [Configuration reference](/configuration) for the full `plugins.*` schema.
 - The manifest is **required for native OpenClaw plugins**, including local filesystem loads.
 - Runtime still loads the plugin module separately; the manifest is only for
   discovery + validation.
+- Only documented manifest fields are read by the manifest loader. Avoid adding
+  custom top-level keys here.
 - `providerAuthEnvVars` is the cheap metadata path for auth probes, env-marker
   validation, and similar provider-auth surfaces that should not boot plugin
   runtime just to inspect env names.
@@ -140,6 +234,8 @@ See [Configuration reference](/configuration) for the full `plugins.*` schema.
   - `kind: "memory"` is selected by `plugins.slots.memory`.
   - `kind: "context-engine"` is selected by `plugins.slots.contextEngine`
     (default: built-in `legacy`).
+- `channels`, `providers`, and `skills` can be omitted when a plugin does not
+  need them.
 - If your plugin depends on native modules, document the build steps and any
   package-manager allowlist requirements (for example, pnpm `allow-build-scripts`
   - `pnpm rebuild <package>`).

docs/plugins/sdk-channel-plugins.md

@@ -0,0 +1,370 @@
+---
+title: "Building Channel Plugins"
+sidebarTitle: "Channel Plugins"
+summary: "Step-by-step guide to building a messaging channel plugin for OpenClaw"
+read_when:
+  - You are building a new messaging channel plugin
+  - You want to connect OpenClaw to a messaging platform
+  - You need to understand the ChannelPlugin adapter surface
+---
+
+# Building Channel Plugins
+
+This guide walks through building a channel plugin that connects OpenClaw to a
+messaging platform. By the end you will have a working channel with DM security,
+pairing, reply threading, and outbound messaging.
+
+<Info>
+  If you have not built any OpenClaw plugin before, read
+  [Getting Started](/plugins/building-plugins) first for the basic package
+  structure and manifest setup.
+</Info>
+
+## How channel plugins work
+
+Channel plugins do not need their own send/edit/react tools. OpenClaw keeps one
+shared `message` tool in core. Your plugin owns:
+
+- **Config** — account resolution and setup wizard
+- **Security** — DM policy and allowlists
+- **Pairing** — DM approval flow
+- **Outbound** — sending text, media, and polls to the platform
+- **Threading** — how replies are threaded
+
+Core owns the shared message tool, prompt wiring, session bookkeeping, and
+dispatch.
+
+## Walkthrough
+
+<Steps>
+  <Step title="Package and manifest">
+    Create the standard plugin files. The `channel` field in `package.json` is
+    what makes this a channel plugin:
+
+    <CodeGroup>
+    ```json package.json
+    {
+      "name": "@myorg/openclaw-acme-chat",
+      "version": "1.0.0",
+      "type": "module",
+      "openclaw": {
+        "extensions": ["./index.ts"],
+        "setupEntry": "./setup-entry.ts",
+        "channel": {
+          "id": "acme-chat",
+          "label": "Acme Chat",
+          "blurb": "Connect OpenClaw to Acme Chat."
+        }
+      }
+    }
+    ```
+
+    ```json openclaw.plugin.json
+    {
+      "id": "acme-chat",
+      "kind": "channel",
+      "channels": ["acme-chat"],
+      "name": "Acme Chat",
+      "description": "Acme Chat channel plugin",
+      "configSchema": {
+        "type": "object",
+        "additionalProperties": false,
+        "properties": {
+          "acme-chat": {
+            "type": "object",
+            "properties": {
+              "token": { "type": "string" },
+              "allowFrom": {
+                "type": "array",
+                "items": { "type": "string" }
+              }
+            }
+          }
+        }
+      }
+    }
+    ```
+    </CodeGroup>
+
+  </Step>
+
+  <Step title="Build the channel plugin object">
+    The `ChannelPlugin` interface has many optional adapter surfaces. Start with
+    the minimum — `id` and `setup` — and add adapters as you need them.
+
+    Create `src/channel.ts`:
+
+    ```typescript src/channel.ts
+    import {
+      createChatChannelPlugin,
+      createChannelPluginBase,
+    } from "openclaw/plugin-sdk/core";
+    import type { OpenClawConfig } from "openclaw/plugin-sdk/core";
+    import { acmeChatApi } from "./client.js"; // your platform API client
+
+    type ResolvedAccount = {
+      accountId: string | null;
+      token: string;
+      allowFrom: string[];
+      dmPolicy: string | undefined;
+    };
+
+    function resolveAccount(
+      cfg: OpenClawConfig,
+      accountId?: string | null,
+    ): ResolvedAccount {
+      const section = (cfg.channels as Record<string, any>)?.["acme-chat"];
+      const token = section?.token;
+      if (!token) throw new Error("acme-chat: token is required");
+      return {
+        accountId: accountId ?? null,
+        token,
+        allowFrom: section?.allowFrom ?? [],
+        dmPolicy: section?.dmSecurity,
+      };
+    }
+
+    export const acmeChatPlugin = createChatChannelPlugin<ResolvedAccount>({
+      base: createChannelPluginBase({
+        id: "acme-chat",
+        setup: {
+          resolveAccount,
+          inspectAccount(cfg, accountId) {
+            const section =
+              (cfg.channels as Record<string, any>)?.["acme-chat"];
+            return {
+              enabled: Boolean(section?.token),
+              configured: Boolean(section?.token),
+              tokenStatus: section?.token ? "available" : "missing",
+            };
+          },
+        },
+      }),
+
+      // DM security: who can message the bot
+      security: {
+        dm: {
+          channelKey: "acme-chat",
+          resolvePolicy: (account) => account.dmPolicy,
+          resolveAllowFrom: (account) => account.allowFrom,
+          defaultPolicy: "allowlist",
+        },
+      },
+
+      // Pairing: approval flow for new DM contacts
+      pairing: {
+        text: {
+          idLabel: "Acme Chat username",
+          message: "Send this code to verify your identity:",
+          notify: async ({ target, code }) => {
+            await acmeChatApi.sendDm(target, `Pairing code: ${code}`);
+          },
+        },
+      },
+
+      // Threading: how replies are delivered
+      threading: { topLevelReplyToMode: "reply" },
+
+      // Outbound: send messages to the platform
+      outbound: {
+        attachedResults: {
+          sendText: async (params) => {
+            const result = await acmeChatApi.sendMessage(
+              params.to,
+              params.text,
+            );
+            return { messageId: result.id };
+          },
+        },
+        base: {
+          sendMedia: async (params) => {
+            await acmeChatApi.sendFile(params.to, params.filePath);
+          },
+        },
+      },
+    });
+    ```
+
+    <Accordion title="What createChatChannelPlugin does for you">
+      Instead of implementing low-level adapter interfaces manually, you pass
+      declarative options and the builder composes them:
+
+      | Option | What it wires |
+      | --- | --- |
+      | `security.dm` | Scoped DM security resolver from config fields |
+      | `pairing.text` | Text-based DM pairing flow with code exchange |
+      | `threading` | Reply-to-mode resolver (fixed, account-scoped, or custom) |
+      | `outbound.attachedResults` | Send functions that return result metadata (message IDs) |
+
+      You can also pass raw adapter objects instead of the declarative options
+      if you need full control.
+    </Accordion>
+
+  </Step>
+
+  <Step title="Wire the entry point">
+    Create `index.ts`:
+
+    ```typescript index.ts
+    import { defineChannelPluginEntry } from "openclaw/plugin-sdk/core";
+    import { acmeChatPlugin } from "./src/channel.js";
+
+    export default defineChannelPluginEntry({
+      id: "acme-chat",
+      name: "Acme Chat",
+      description: "Acme Chat channel plugin",
+      plugin: acmeChatPlugin,
+      registerFull(api) {
+        api.registerCli(
+          ({ program }) => {
+            program
+              .command("acme-chat")
+              .description("Acme Chat management");
+          },
+          { commands: ["acme-chat"] },
+        );
+      },
+    });
+    ```
+
+    `defineChannelPluginEntry` handles the setup/full registration split
+    automatically. See
+    [Entry Points](/plugins/sdk-entrypoints#definechannelpluginentry) for all
+    options.
+
+  </Step>
+
+  <Step title="Add a setup entry">
+    Create `setup-entry.ts` for lightweight loading during onboarding:
+
+    ```typescript setup-entry.ts
+    import { defineSetupPluginEntry } from "openclaw/plugin-sdk/core";
+    import { acmeChatPlugin } from "./src/channel.js";
+
+    export default defineSetupPluginEntry(acmeChatPlugin);
+    ```
+
+    OpenClaw loads this instead of the full entry when the channel is disabled
+    or unconfigured. It avoids pulling in heavy runtime code during setup flows.
+    See [Setup and Config](/plugins/sdk-setup#setup-entry) for details.
+
+  </Step>
+
+  <Step title="Handle inbound messages">
+    Your plugin needs to receive messages from the platform and forward them to
+    OpenClaw. The typical pattern is a webhook that verifies the request and
+    dispatches it through your channel's inbound handler:
+
+    ```typescript
+    registerFull(api) {
+      api.registerHttpRoute({
+        path: "/acme-chat/webhook",
+        auth: "plugin", // plugin-managed auth (verify signatures yourself)
+        handler: async (req, res) => {
+          const event = parseWebhookPayload(req);
+
+          // Your inbound handler dispatches the message to OpenClaw.
+          // The exact wiring depends on your platform SDK —
+          // see a real example in extensions/msteams or extensions/googlechat.
+          await handleAcmeChatInbound(api, event);
+
+          res.statusCode = 200;
+          res.end("ok");
+          return true;
+        },
+      });
+    }
+    ```
+
+    <Note>
+      Inbound message handling is channel-specific. Each channel plugin owns
+      its own inbound pipeline. Look at bundled channel plugins
+      (e.g. `extensions/msteams`, `extensions/googlechat`) for real patterns.
+    </Note>
+
+  </Step>
+
+  <Step title="Test">
+    Write colocated tests in `src/channel.test.ts`:
+
+    ```typescript src/channel.test.ts
+    import { describe, it, expect } from "vitest";
+    import { acmeChatPlugin } from "./channel.js";
+
+    describe("acme-chat plugin", () => {
+      it("resolves account from config", () => {
+        const cfg = {
+          channels: {
+            "acme-chat": { token: "test-token", allowFrom: ["user1"] },
+          },
+        } as any;
+        const account = acmeChatPlugin.setup!.resolveAccount(cfg, undefined);
+        expect(account.token).toBe("test-token");
+      });
+
+      it("inspects account without materializing secrets", () => {
+        const cfg = {
+          channels: { "acme-chat": { token: "test-token" } },
+        } as any;
+        const result = acmeChatPlugin.setup!.inspectAccount!(cfg, undefined);
+        expect(result.configured).toBe(true);
+        expect(result.tokenStatus).toBe("available");
+      });
+
+      it("reports missing config", () => {
+        const cfg = { channels: {} } as any;
+        const result = acmeChatPlugin.setup!.inspectAccount!(cfg, undefined);
+        expect(result.configured).toBe(false);
+      });
+    });
+    ```
+
+    ```bash
+    pnpm test -- extensions/acme-chat/
+    ```
+
+    For shared test helpers, see [Testing](/plugins/sdk-testing).
+
+  </Step>
+</Steps>
+
+## File structure
+
+```
+extensions/acme-chat/
+├── package.json              # openclaw.channel metadata
+├── openclaw.plugin.json      # Manifest with config schema
+├── index.ts                  # defineChannelPluginEntry
+├── setup-entry.ts            # defineSetupPluginEntry
+├── api.ts                    # Public exports (optional)
+├── runtime-api.ts            # Internal runtime exports (optional)
+└── src/
+    ├── channel.ts            # ChannelPlugin via createChatChannelPlugin
+    ├── channel.test.ts       # Tests
+    ├── client.ts             # Platform API client
+    └── runtime.ts            # Runtime store (if needed)
+```
+
+## Advanced topics
+
+<CardGroup cols={2}>
+  <Card title="Threading options" icon="git-branch" href="/plugins/sdk-entrypoints#registration-mode">
+    Fixed, account-scoped, or custom reply modes
+  </Card>
+  <Card title="Message tool integration" icon="puzzle" href="/plugins/architecture#channel-plugins-and-the-shared-message-tool">
+    describeMessageTool and action discovery
+  </Card>
+  <Card title="Target resolution" icon="crosshair" href="/plugins/architecture#channel-target-resolution">
+    inferTargetChatType, looksLikeId, resolveTarget
+  </Card>
+  <Card title="Runtime helpers" icon="settings" href="/plugins/sdk-runtime">
+    TTS, STT, media, subagent via api.runtime
+  </Card>
+</CardGroup>
+
+## Next steps
+
+- [Provider Plugins](/plugins/sdk-provider-plugins) — if your plugin also provides models
+- [SDK Overview](/plugins/sdk-overview) — full subpath import reference
+- [SDK Testing](/plugins/sdk-testing) — test utilities and contract tests
+- [Plugin Manifest](/plugins/manifest) — full manifest schema

docs/plugins/sdk-entrypoints.md

@@ -0,0 +1,161 @@
+---
+title: "Plugin Entry Points"
+sidebarTitle: "Entry Points"
+summary: "Reference for definePluginEntry, defineChannelPluginEntry, and defineSetupPluginEntry"
+read_when:
+  - You need the exact type signature of definePluginEntry or defineChannelPluginEntry
+  - You want to understand registration mode (full vs setup)
+  - You are looking up entry point options
+---
+
+# Plugin Entry Points
+
+Every plugin exports a default entry object. The SDK provides three helpers for
+creating them.
+
+<Tip>
+  **Looking for a walkthrough?** See [Channel Plugins](/plugins/sdk-channel-plugins)
+  or [Provider Plugins](/plugins/sdk-provider-plugins) for step-by-step guides.
+</Tip>
+
+## `definePluginEntry`
+
+**Import:** `openclaw/plugin-sdk/plugin-entry`
+
+For provider plugins, tool plugins, hook plugins, and anything that is **not**
+a messaging channel.
+
+```typescript
+import { definePluginEntry } from "openclaw/plugin-sdk/plugin-entry";
+
+export default definePluginEntry({
+  id: "my-plugin",
+  name: "My Plugin",
+  description: "Short summary",
+  register(api) {
+    api.registerProvider({
+      /* ... */
+    });
+    api.registerTool({
+      /* ... */
+    });
+  },
+});
+```
+
+### Channel entry options
+
+| Field          | Type                                                             | Required | Default             |
+| -------------- | ---------------------------------------------------------------- | -------- | ------------------- |
+| `id`           | `string`                                                         | Yes      | —                   |
+| `name`         | `string`                                                         | Yes      | —                   |
+| `description`  | `string`                                                         | Yes      | —                   |
+| `kind`         | `string`                                                         | No       | —                   |
+| `configSchema` | `OpenClawPluginConfigSchema \| () => OpenClawPluginConfigSchema` | No       | Empty object schema |
+| `register`     | `(api: OpenClawPluginApi) => void`                               | Yes      | —                   |
+
+- `id` must match your `openclaw.plugin.json` manifest.
+- `kind` is for exclusive slots: `"memory"` or `"context-engine"`.
+- `configSchema` can be a function for lazy evaluation.
+
+## `defineChannelPluginEntry`
+
+**Import:** `openclaw/plugin-sdk/core`
+
+Wraps `definePluginEntry` with channel-specific wiring. Automatically calls
+`api.registerChannel({ plugin })` and gates `registerFull` on registration mode.
+
+```typescript
+import { defineChannelPluginEntry } from "openclaw/plugin-sdk/core";
+
+export default defineChannelPluginEntry({
+  id: "my-channel",
+  name: "My Channel",
+  description: "Short summary",
+  plugin: myChannelPlugin,
+  setRuntime: setMyRuntime,
+  registerFull(api) {
+    api.registerCli(/* ... */);
+    api.registerGatewayMethod(/* ... */);
+  },
+});
+```
+
+### Options
+
+| Field          | Type                                                             | Required | Default             |
+| -------------- | ---------------------------------------------------------------- | -------- | ------------------- |
+| `id`           | `string`                                                         | Yes      | —                   |
+| `name`         | `string`                                                         | Yes      | —                   |
+| `description`  | `string`                                                         | Yes      | —                   |
+| `plugin`       | `ChannelPlugin`                                                  | Yes      | —                   |
+| `configSchema` | `OpenClawPluginConfigSchema \| () => OpenClawPluginConfigSchema` | No       | Empty object schema |
+| `setRuntime`   | `(runtime: PluginRuntime) => void`                               | No       | —                   |
+| `registerFull` | `(api: OpenClawPluginApi) => void`                               | No       | —                   |
+
+- `setRuntime` is called during registration so you can store the runtime reference
+  (typically via `createPluginRuntimeStore`).
+- `registerFull` only runs when `api.registrationMode === "full"`. It is skipped
+  during setup-only loading.
+
+## `defineSetupPluginEntry`
+
+**Import:** `openclaw/plugin-sdk/core`
+
+For the lightweight `setup-entry.ts` file. Returns just `{ plugin }` with no
+runtime or CLI wiring.
+
+```typescript
+import { defineSetupPluginEntry } from "openclaw/plugin-sdk/core";
+
+export default defineSetupPluginEntry(myChannelPlugin);
+```
+
+OpenClaw loads this instead of the full entry when a channel is disabled,
+unconfigured, or when deferred loading is enabled. See
+[Setup and Config](/plugins/sdk-setup#setup-entry) for when this matters.
+
+## Registration mode
+
+`api.registrationMode` tells your plugin how it was loaded:
+
+| Mode              | When                              | What to register              |
+| ----------------- | --------------------------------- | ----------------------------- |
+| `"full"`          | Normal gateway startup            | Everything                    |
+| `"setup-only"`    | Disabled/unconfigured channel     | Channel registration only     |
+| `"setup-runtime"` | Setup flow with runtime available | Channel + lightweight runtime |
+
+`defineChannelPluginEntry` handles this split automatically. If you use
+`definePluginEntry` directly for a channel, check mode yourself:
+
+```typescript
+register(api) {
+  api.registerChannel({ plugin: myPlugin });
+  if (api.registrationMode !== "full") return;
+
+  // Heavy runtime-only registrations
+  api.registerCli(/* ... */);
+  api.registerService(/* ... */);
+}
+```
+
+## Plugin shapes
+
+OpenClaw classifies loaded plugins by their registration behavior:
+
+| Shape                 | Description                                        |
+| --------------------- | -------------------------------------------------- |
+| **plain-capability**  | One capability type (e.g. provider-only)           |
+| **hybrid-capability** | Multiple capability types (e.g. provider + speech) |
+| **hook-only**         | Only hooks, no capabilities                        |
+| **non-capability**    | Tools/commands/services but no capabilities        |
+
+Use `openclaw plugins inspect <id>` to see a plugin's shape.
+
+## Related
+
+- [SDK Overview](/plugins/sdk-overview) — registration API and subpath reference
+- [Runtime Helpers](/plugins/sdk-runtime) — `api.runtime` and `createPluginRuntimeStore`
+- [Setup and Config](/plugins/sdk-setup) — manifest, setup entry, deferred loading
+- [Channel Plugins](/plugins/sdk-channel-plugins) — building the `ChannelPlugin` object
+- [Provider Plugins](/plugins/sdk-provider-plugins) — provider registration and hooks

docs/plugins/sdk-migration.md

@@ -1,6 +1,6 @@
 ---
 title: "Plugin SDK Migration"
-sidebarTitle: "SDK Migration"
+sidebarTitle: "Migrate to SDK"
 summary: "Migrate from the legacy backwards-compatibility layer to the modern plugin SDK"
 read_when:
   - You see the OPENCLAW_PLUGIN_SDK_COMPAT_DEPRECATED warning
@@ -115,7 +115,8 @@ is a small, self-contained module with a clear purpose and documented contract.
 <Accordion title="Full import path table">
   | Import path | Purpose | Key exports |
   | --- | --- | --- |
-  | `plugin-sdk/core` | Plugin entry definitions, base types | `defineChannelPluginEntry`, `definePluginEntry` |
+  | `plugin-sdk/plugin-entry` | Canonical plugin entry helper | `definePluginEntry` |
+  | `plugin-sdk/core` | Channel entry definitions, channel builders, base types | `defineChannelPluginEntry`, `createChatChannelPlugin` |
   | `plugin-sdk/channel-setup` | Setup wizard adapters | `createOptionalChannelSetupSurface` |
   | `plugin-sdk/channel-pairing` | DM pairing primitives | `createChannelPairingController` |
   | `plugin-sdk/channel-reply-pipeline` | Reply prefix + typing wiring | `createChannelReplyPipeline` |
@@ -163,6 +164,9 @@ This is a temporary escape hatch, not a permanent solution.
 
 ## Related
 
-- [Building Plugins](/plugins/building-plugins)
-- [Plugin Internals](/plugins/architecture)
-- [Plugin Manifest](/plugins/manifest)
+- [Getting Started](/plugins/building-plugins) — build your first plugin
+- [SDK Overview](/plugins/sdk-overview) — full subpath import reference
+- [Channel Plugins](/plugins/sdk-channel-plugins) — building channel plugins
+- [Provider Plugins](/plugins/sdk-provider-plugins) — building provider plugins
+- [Plugin Internals](/plugins/architecture) — architecture deep dive
+- [Plugin Manifest](/plugins/manifest) — manifest schema reference

docs/plugins/sdk-overview.md

@@ -0,0 +1,196 @@
+---
+title: "Plugin SDK Overview"
+sidebarTitle: "SDK Overview"
+summary: "Import map, registration API reference, and SDK architecture"
+read_when:
+  - You need to know which SDK subpath to import from
+  - You want a reference for all registration methods on OpenClawPluginApi
+  - You are looking up a specific SDK export
+---
+
+# Plugin SDK Overview
+
+The plugin SDK is the typed contract between plugins and core. This page is the
+reference for **what to import** and **what you can register**.
+
+<Tip>
+  **Looking for a how-to guide?**
+  - First plugin? Start with [Getting Started](/plugins/building-plugins)
+  - Channel plugin? See [Channel Plugins](/plugins/sdk-channel-plugins)
+  - Provider plugin? See [Provider Plugins](/plugins/sdk-provider-plugins)
+</Tip>
+
+## Import convention
+
+Always import from a specific subpath:
+
+```typescript
+import { definePluginEntry } from "openclaw/plugin-sdk/plugin-entry";
+import { defineChannelPluginEntry } from "openclaw/plugin-sdk/core";
+
+// Deprecated — will be removed in the next major release
+import { definePluginEntry } from "openclaw/plugin-sdk";
+```
+
+Each subpath is a small, self-contained module. This keeps startup fast and
+prevents circular dependency issues.
+
+## Subpath reference
+
+The most commonly used subpaths, grouped by purpose. The full list of 100+
+subpaths is in `scripts/lib/plugin-sdk-entrypoints.json`.
+
+### Plugin entry
+
+| Subpath                   | Key exports                                                                                                                            |
+| ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
+| `plugin-sdk/plugin-entry` | `definePluginEntry`                                                                                                                    |
+| `plugin-sdk/core`         | `defineChannelPluginEntry`, `createChatChannelPlugin`, `createChannelPluginBase`, `defineSetupPluginEntry`, `buildChannelConfigSchema` |
+
+<AccordionGroup>
+  <Accordion title="Channel subpaths">
+    | Subpath | Key exports |
+    | --- | --- |
+    | `plugin-sdk/channel-setup` | `createOptionalChannelSetupSurface` |
+    | `plugin-sdk/channel-pairing` | `createChannelPairingController` |
+    | `plugin-sdk/channel-reply-pipeline` | `createChannelReplyPipeline` |
+    | `plugin-sdk/channel-config-helpers` | `createHybridChannelConfigAdapter` |
+    | `plugin-sdk/channel-config-schema` | Channel config schema types |
+    | `plugin-sdk/channel-policy` | `resolveChannelGroupRequireMention` |
+    | `plugin-sdk/channel-lifecycle` | `createAccountStatusSink` |
+    | `plugin-sdk/channel-inbound` | Debounce, mention matching, envelope helpers |
+    | `plugin-sdk/channel-send-result` | Reply result types |
+    | `plugin-sdk/channel-actions` | `createMessageToolButtonsSchema`, `createMessageToolCardSchema` |
+    | `plugin-sdk/channel-targets` | Target parsing/matching helpers |
+    | `plugin-sdk/channel-contract` | Channel contract types |
+    | `plugin-sdk/channel-feedback` | Feedback/reaction wiring |
+  </Accordion>
+
+  <Accordion title="Provider subpaths">
+    | Subpath | Key exports |
+    | --- | --- |
+    | `plugin-sdk/provider-auth` | `createProviderApiKeyAuthMethod`, `ensureApiKeyFromOptionEnvOrPrompt`, `upsertAuthProfile` |
+    | `plugin-sdk/provider-models` | `normalizeModelCompat` |
+    | `plugin-sdk/provider-catalog` | Catalog type re-exports |
+    | `plugin-sdk/provider-usage` | `fetchClaudeUsage` and similar |
+    | `plugin-sdk/provider-stream` | Stream wrapper types |
+    | `plugin-sdk/provider-onboard` | Onboarding config patch helpers |
+  </Accordion>
+
+  <Accordion title="Auth and security subpaths">
+    | Subpath | Key exports |
+    | --- | --- |
+    | `plugin-sdk/command-auth` | `resolveControlCommandGate` |
+    | `plugin-sdk/allow-from` | `formatAllowFromLowercase` |
+    | `plugin-sdk/secret-input` | Secret input parsing helpers |
+    | `plugin-sdk/webhook-ingress` | Webhook request/target helpers |
+  </Accordion>
+
+  <Accordion title="Runtime and storage subpaths">
+    | Subpath | Key exports |
+    | --- | --- |
+    | `plugin-sdk/runtime-store` | `createPluginRuntimeStore` |
+    | `plugin-sdk/config-runtime` | Config load/write helpers |
+    | `plugin-sdk/infra-runtime` | System event/heartbeat helpers |
+    | `plugin-sdk/agent-runtime` | Agent dir/identity/workspace helpers |
+    | `plugin-sdk/directory-runtime` | Config-backed directory query/dedup |
+    | `plugin-sdk/keyed-async-queue` | `KeyedAsyncQueue` |
+  </Accordion>
+
+  <Accordion title="Capability and testing subpaths">
+    | Subpath | Key exports |
+    | --- | --- |
+    | `plugin-sdk/image-generation` | Image generation provider types |
+    | `plugin-sdk/media-understanding` | Media understanding provider types |
+    | `plugin-sdk/speech` | Speech provider types |
+    | `plugin-sdk/testing` | `installCommonResolveTargetErrorCases`, `shouldAckReaction` |
+  </Accordion>
+</AccordionGroup>
+
+## Registration API
+
+The `register(api)` callback receives an `OpenClawPluginApi` object with these
+methods:
+
+### Capability registration
+
+| Method                                        | What it registers              |
+| --------------------------------------------- | ------------------------------ |
+| `api.registerProvider(...)`                   | Text inference (LLM)           |
+| `api.registerChannel(...)`                    | Messaging channel              |
+| `api.registerSpeechProvider(...)`             | Text-to-speech / STT synthesis |
+| `api.registerMediaUnderstandingProvider(...)` | Image/audio/video analysis     |
+| `api.registerImageGenerationProvider(...)`    | Image generation               |
+| `api.registerWebSearchProvider(...)`          | Web search                     |
+
+### Tools and commands
+
+| Method                          | What it registers                             |
+| ------------------------------- | --------------------------------------------- |
+| `api.registerTool(tool, opts?)` | Agent tool (required or `{ optional: true }`) |
+| `api.registerCommand(def)`      | Custom command (bypasses the LLM)             |
+
+### Infrastructure
+
+| Method                                         | What it registers     |
+| ---------------------------------------------- | --------------------- |
+| `api.registerHook(events, handler, opts?)`     | Event hook            |
+| `api.registerHttpRoute(params)`                | Gateway HTTP endpoint |
+| `api.registerGatewayMethod(name, handler)`     | Gateway RPC method    |
+| `api.registerCli(registrar, opts?)`            | CLI subcommand        |
+| `api.registerService(service)`                 | Background service    |
+| `api.registerInteractiveHandler(registration)` | Interactive handler   |
+
+### Exclusive slots
+
+| Method                                     | What it registers                     |
+| ------------------------------------------ | ------------------------------------- |
+| `api.registerContextEngine(id, factory)`   | Context engine (one active at a time) |
+| `api.registerMemoryPromptSection(builder)` | Memory prompt section builder         |
+
+### Events and lifecycle
+
+| Method                                       | What it does                  |
+| -------------------------------------------- | ----------------------------- |
+| `api.on(hookName, handler, opts?)`           | Typed lifecycle hook          |
+| `api.onConversationBindingResolved(handler)` | Conversation binding callback |
+
+### API object fields
+
+| Field                    | Type                      | Description                                               |
+| ------------------------ | ------------------------- | --------------------------------------------------------- |
+| `api.id`                 | `string`                  | Plugin id                                                 |
+| `api.name`               | `string`                  | Display name                                              |
+| `api.config`             | `OpenClawConfig`          | Current config snapshot                                   |
+| `api.pluginConfig`       | `Record<string, unknown>` | Plugin-specific config from `plugins.entries.<id>.config` |
+| `api.runtime`            | `PluginRuntime`           | [Runtime helpers](/plugins/sdk-runtime)                   |
+| `api.logger`             | `PluginLogger`            | Scoped logger (`debug`, `info`, `warn`, `error`)          |
+| `api.registrationMode`   | `PluginRegistrationMode`  | `"full"`, `"setup-only"`, or `"setup-runtime"`            |
+| `api.resolvePath(input)` | `(string) => string`      | Resolve path relative to plugin root                      |
+
+## Internal module convention
+
+Within your plugin, use local barrel files for internal imports:
+
+```
+my-plugin/
+  api.ts            # Public exports for external consumers
+  runtime-api.ts    # Internal-only runtime exports
+  index.ts          # Plugin entry point
+  setup-entry.ts    # Lightweight setup-only entry (optional)
+```
+
+<Warning>
+  Never import your own plugin through `openclaw/plugin-sdk/<your-plugin>`
+  from production code. Route internal imports through `./api.ts` or
+  `./runtime-api.ts`. The SDK path is the external contract only.
+</Warning>
+
+## Related
+
+- [Entry Points](/plugins/sdk-entrypoints) — `definePluginEntry` and `defineChannelPluginEntry` options
+- [Runtime Helpers](/plugins/sdk-runtime) — full `api.runtime` namespace reference
+- [Setup and Config](/plugins/sdk-setup) — packaging, manifests, config schemas
+- [Testing](/plugins/sdk-testing) — test utilities and lint rules
+- [SDK Migration](/plugins/sdk-migration) — migrating from deprecated surfaces
+- [Plugin Internals](/plugins/architecture) — deep architecture and capability model

docs/plugins/sdk-provider-plugins.md

@@ -0,0 +1,370 @@
+---
+title: "Building Provider Plugins"
+sidebarTitle: "Provider Plugins"
+summary: "Step-by-step guide to building a model provider plugin for OpenClaw"
+read_when:
+  - You are building a new model provider plugin
+  - You want to add an OpenAI-compatible proxy or custom LLM to OpenClaw
+  - You need to understand provider auth, catalogs, and runtime hooks
+---
+
+# Building Provider Plugins
+
+This guide walks through building a provider plugin that adds a model provider
+(LLM) to OpenClaw. By the end you will have a provider with a model catalog,
+API key auth, and dynamic model resolution.
+
+<Info>
+  If you have not built any OpenClaw plugin before, read
+  [Getting Started](/plugins/building-plugins) first for the basic package
+  structure and manifest setup.
+</Info>
+
+## Walkthrough
+
+<Steps>
+  <Step title="Package and manifest">
+    <CodeGroup>
+    ```json package.json
+    {
+      "name": "@myorg/openclaw-acme-ai",
+      "version": "1.0.0",
+      "type": "module",
+      "openclaw": {
+        "extensions": ["./index.ts"],
+        "providers": ["acme-ai"]
+      }
+    }
+    ```
+
+    ```json openclaw.plugin.json
+    {
+      "id": "acme-ai",
+      "name": "Acme AI",
+      "description": "Acme AI model provider",
+      "providers": ["acme-ai"],
+      "providerAuthEnvVars": {
+        "acme-ai": ["ACME_AI_API_KEY"]
+      },
+      "providerAuthChoices": [
+        {
+          "provider": "acme-ai",
+          "method": "api-key",
+          "choiceId": "acme-ai-api-key",
+          "choiceLabel": "Acme AI API key",
+          "groupId": "acme-ai",
+          "groupLabel": "Acme AI",
+          "cliFlag": "--acme-ai-api-key",
+          "cliOption": "--acme-ai-api-key <key>",
+          "cliDescription": "Acme AI API key"
+        }
+      ],
+      "configSchema": {
+        "type": "object",
+        "additionalProperties": false
+      }
+    }
+    ```
+    </CodeGroup>
+
+    The manifest declares `providerAuthEnvVars` so OpenClaw can detect
+    credentials without loading your plugin runtime.
+
+  </Step>
+
+  <Step title="Register the provider">
+    A minimal provider needs an `id`, `label`, `auth`, and `catalog`:
+
+    ```typescript index.ts
+    import { definePluginEntry } from "openclaw/plugin-sdk/plugin-entry";
+    import { createProviderApiKeyAuthMethod } from "openclaw/plugin-sdk/provider-auth";
+
+    export default definePluginEntry({
+      id: "acme-ai",
+      name: "Acme AI",
+      description: "Acme AI model provider",
+      register(api) {
+        api.registerProvider({
+          id: "acme-ai",
+          label: "Acme AI",
+          docsPath: "/providers/acme-ai",
+          envVars: ["ACME_AI_API_KEY"],
+
+          auth: [
+            createProviderApiKeyAuthMethod({
+              providerId: "acme-ai",
+              methodId: "api-key",
+              label: "Acme AI API key",
+              hint: "API key from your Acme AI dashboard",
+              optionKey: "acmeAiApiKey",
+              flagName: "--acme-ai-api-key",
+              envVar: "ACME_AI_API_KEY",
+              promptMessage: "Enter your Acme AI API key",
+              defaultModel: "acme-ai/acme-large",
+            }),
+          ],
+
+          catalog: {
+            order: "simple",
+            run: async (ctx) => {
+              const apiKey =
+                ctx.resolveProviderApiKey("acme-ai").apiKey;
+              if (!apiKey) return null;
+              return {
+                provider: {
+                  baseUrl: "https://api.acme-ai.com/v1",
+                  apiKey,
+                  api: "openai-completions",
+                  models: [
+                    {
+                      id: "acme-large",
+                      name: "Acme Large",
+                      reasoning: true,
+                      input: ["text", "image"],
+                      cost: { input: 3, output: 15, cacheRead: 0.3, cacheWrite: 3.75 },
+                      contextWindow: 200000,
+                      maxTokens: 32768,
+                    },
+                    {
+                      id: "acme-small",
+                      name: "Acme Small",
+                      reasoning: false,
+                      input: ["text"],
+                      cost: { input: 1, output: 5, cacheRead: 0.1, cacheWrite: 1.25 },
+                      contextWindow: 128000,
+                      maxTokens: 8192,
+                    },
+                  ],
+                },
+              };
+            },
+          },
+        });
+      },
+    });
+    ```
+
+    That is a working provider. Users can now
+    `openclaw onboard --acme-ai-api-key <key>` and select
+    `acme-ai/acme-large` as their model.
+
+  </Step>
+
+  <Step title="Add dynamic model resolution">
+    If your provider accepts arbitrary model IDs (like a proxy or router),
+    add `resolveDynamicModel`:
+
+    ```typescript
+    api.registerProvider({
+      // ... id, label, auth, catalog from above
+
+      resolveDynamicModel: (ctx) => ({
+        id: ctx.modelId,
+        name: ctx.modelId,
+        provider: "acme-ai",
+        api: "openai-completions",
+        baseUrl: "https://api.acme-ai.com/v1",
+        reasoning: false,
+        input: ["text"],
+        cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+        contextWindow: 128000,
+        maxTokens: 8192,
+      }),
+    });
+    ```
+
+    If resolving requires a network call, use `prepareDynamicModel` for async
+    warm-up — `resolveDynamicModel` runs again after it completes.
+
+  </Step>
+
+  <Step title="Add runtime hooks (as needed)">
+    Most providers only need `catalog` + `resolveDynamicModel`. Add hooks
+    incrementally as your provider requires them.
+
+    <Tabs>
+      <Tab title="Token exchange">
+        For providers that need a token exchange before each inference call:
+
+        ```typescript
+        prepareRuntimeAuth: async (ctx) => {
+          const exchanged = await exchangeToken(ctx.apiKey);
+          return {
+            apiKey: exchanged.token,
+            baseUrl: exchanged.baseUrl,
+            expiresAt: exchanged.expiresAt,
+          };
+        },
+        ```
+      </Tab>
+      <Tab title="Custom headers">
+        For providers that need custom request headers or body modifications:
+
+        ```typescript
+        // wrapStreamFn returns a StreamFn derived from ctx.streamFn
+        wrapStreamFn: (ctx) => {
+          if (!ctx.streamFn) return undefined;
+          const inner = ctx.streamFn;
+          return async (params) => {
+            params.headers = {
+              ...params.headers,
+              "X-Acme-Version": "2",
+            };
+            return inner(params);
+          };
+        },
+        ```
+      </Tab>
+      <Tab title="Usage and billing">
+        For providers that expose usage/billing data:
+
+        ```typescript
+        resolveUsageAuth: async (ctx) => {
+          const auth = await ctx.resolveOAuthToken();
+          return auth ? { token: auth.token } : null;
+        },
+        fetchUsageSnapshot: async (ctx) => {
+          return await fetchAcmeUsage(ctx.token, ctx.timeoutMs);
+        },
+        ```
+      </Tab>
+    </Tabs>
+
+    <Accordion title="All 21 available hooks">
+      OpenClaw calls hooks in this order. Most providers only use 2-3:
+
+      | # | Hook | When to use |
+      | --- | --- | --- |
+      | 1 | `catalog` | Model catalog or base URL defaults |
+      | 2 | `resolveDynamicModel` | Accept arbitrary upstream model IDs |
+      | 3 | `prepareDynamicModel` | Async metadata fetch before resolving |
+      | 4 | `normalizeResolvedModel` | Transport rewrites before the runner |
+      | 5 | `capabilities` | Transcript/tooling metadata |
+      | 6 | `prepareExtraParams` | Default request params |
+      | 7 | `wrapStreamFn` | Custom headers/body wrappers |
+      | 8 | `formatApiKey` | Custom runtime token shape |
+      | 9 | `refreshOAuth` | Custom OAuth refresh |
+      | 10 | `buildAuthDoctorHint` | Auth repair guidance |
+      | 11 | `isCacheTtlEligible` | Prompt cache TTL gating |
+      | 12 | `buildMissingAuthMessage` | Custom missing-auth hint |
+      | 13 | `suppressBuiltInModel` | Hide stale upstream rows |
+      | 14 | `augmentModelCatalog` | Synthetic forward-compat rows |
+      | 15 | `isBinaryThinking` | Binary thinking on/off |
+      | 16 | `supportsXHighThinking` | `xhigh` reasoning support |
+      | 17 | `resolveDefaultThinkingLevel` | Default `/think` policy |
+      | 18 | `isModernModelRef` | Live/smoke model matching |
+      | 19 | `prepareRuntimeAuth` | Token exchange before inference |
+      | 20 | `resolveUsageAuth` | Custom usage credential parsing |
+      | 21 | `fetchUsageSnapshot` | Custom usage endpoint |
+
+      For detailed descriptions and real-world examples, see
+      [Internals: Provider Runtime Hooks](/plugins/architecture#provider-runtime-hooks).
+    </Accordion>
+
+  </Step>
+
+  <Step title="Add extra capabilities (optional)">
+    A provider plugin can register speech, media understanding, image
+    generation, and web search alongside text inference:
+
+    ```typescript
+    register(api) {
+      api.registerProvider({ id: "acme-ai", /* ... */ });
+
+      api.registerSpeechProvider({
+        id: "acme-ai",
+        label: "Acme Speech",
+        isConfigured: ({ config }) => Boolean(config.messages?.tts),
+        synthesize: async (req) => ({
+          audioBuffer: Buffer.from(/* PCM data */),
+          outputFormat: "mp3",
+          fileExtension: ".mp3",
+          voiceCompatible: false,
+        }),
+      });
+
+      api.registerMediaUnderstandingProvider({
+        id: "acme-ai",
+        capabilities: ["image", "audio"],
+        describeImage: async (req) => ({ text: "A photo of..." }),
+        transcribeAudio: async (req) => ({ text: "Transcript..." }),
+      });
+
+      api.registerImageGenerationProvider({
+        id: "acme-ai",
+        label: "Acme Images",
+        generate: async (req) => ({ /* image result */ }),
+      });
+    }
+    ```
+
+    OpenClaw classifies this as a **hybrid-capability** plugin. This is the
+    recommended pattern for company plugins (one plugin per vendor). See
+    [Internals: Capability Ownership](/plugins/architecture#capability-ownership-model).
+
+  </Step>
+
+  <Step title="Test">
+    ```typescript src/provider.test.ts
+    import { describe, it, expect } from "vitest";
+    // Export your provider config object from index.ts or a dedicated file
+    import { acmeProvider } from "./provider.js";
+
+    describe("acme-ai provider", () => {
+      it("resolves dynamic models", () => {
+        const model = acmeProvider.resolveDynamicModel!({
+          modelId: "acme-beta-v3",
+        } as any);
+        expect(model.id).toBe("acme-beta-v3");
+        expect(model.provider).toBe("acme-ai");
+      });
+
+      it("returns catalog when key is available", async () => {
+        const result = await acmeProvider.catalog!.run({
+          resolveProviderApiKey: () => ({ apiKey: "test-key" }),
+        } as any);
+        expect(result?.provider?.models).toHaveLength(2);
+      });
+
+      it("returns null catalog when no key", async () => {
+        const result = await acmeProvider.catalog!.run({
+          resolveProviderApiKey: () => ({ apiKey: undefined }),
+        } as any);
+        expect(result).toBeNull();
+      });
+    });
+    ```
+
+  </Step>
+</Steps>
+
+## File structure
+
+```
+extensions/acme-ai/
+├── package.json              # openclaw.providers metadata
+├── openclaw.plugin.json      # Manifest with providerAuthEnvVars
+├── index.ts                  # definePluginEntry + registerProvider
+└── src/
+    ├── provider.test.ts      # Tests
+    └── usage.ts              # Usage endpoint (optional)
+```
+
+## Catalog order reference
+
+`catalog.order` controls when your catalog merges relative to built-in
+providers:
+
+| Order     | When          | Use case                                        |
+| --------- | ------------- | ----------------------------------------------- |
+| `simple`  | First pass    | Plain API-key providers                         |
+| `profile` | After simple  | Providers gated on auth profiles                |
+| `paired`  | After profile | Synthesize multiple related entries             |
+| `late`    | Last pass     | Override existing providers (wins on collision) |
+
+## Next steps
+
+- [Channel Plugins](/plugins/sdk-channel-plugins) — if your plugin also provides a channel
+- [SDK Runtime](/plugins/sdk-runtime) — `api.runtime` helpers (TTS, search, subagent)
+- [SDK Overview](/plugins/sdk-overview) — full subpath import reference
+- [Plugin Internals](/plugins/architecture#provider-runtime-hooks) — hook details and bundled examples

docs/plugins/sdk-runtime.md

@@ -0,0 +1,345 @@
+---
+title: "Plugin SDK Runtime"
+sidebarTitle: "Runtime Helpers"
+summary: "api.runtime -- the injected runtime helpers available to plugins"
+read_when:
+  - You need to call core helpers from a plugin (TTS, STT, image gen, web search, subagent)
+  - You want to understand what api.runtime exposes
+  - You are accessing config, agent, or media helpers from plugin code
+---
+
+# Plugin Runtime Helpers
+
+Reference for the `api.runtime` object injected into every plugin during
+registration. Use these helpers instead of importing host internals directly.
+
+<Tip>
+  **Looking for a walkthrough?** See [Channel Plugins](/plugins/sdk-channel-plugins)
+  or [Provider Plugins](/plugins/sdk-provider-plugins) for step-by-step guides
+  that show these helpers in context.
+</Tip>
+
+```typescript
+register(api) {
+  const runtime = api.runtime;
+}
+```
+
+## Runtime namespaces
+
+### `api.runtime.agent`
+
+Agent identity, directories, and session management.
+
+```typescript
+// Resolve the agent's working directory
+const agentDir = api.runtime.agent.resolveAgentDir(cfg);
+
+// Resolve agent workspace
+const workspaceDir = api.runtime.agent.resolveAgentWorkspaceDir(cfg);
+
+// Get agent identity
+const identity = api.runtime.agent.resolveAgentIdentity(cfg);
+
+// Get default thinking level
+const thinking = api.runtime.agent.resolveThinkingDefault(cfg, provider, model);
+
+// Get agent timeout
+const timeoutMs = api.runtime.agent.resolveAgentTimeoutMs(cfg);
+
+// Ensure workspace exists
+await api.runtime.agent.ensureAgentWorkspace(cfg);
+
+// Run an embedded Pi agent (requires sessionFile + workspaceDir at minimum)
+const agentDir = api.runtime.agent.resolveAgentDir(cfg);
+const result = await api.runtime.agent.runEmbeddedPiAgent({
+  sessionId: "my-plugin:task-1",
+  sessionFile: path.join(agentDir, "sessions", "my-plugin-task-1.jsonl"),
+  workspaceDir: api.runtime.agent.resolveAgentWorkspaceDir(cfg),
+  prompt: "Summarize the latest changes",
+});
+```
+
+**Session store helpers** are under `api.runtime.agent.session`:
+
+```typescript
+const storePath = api.runtime.agent.session.resolveStorePath(cfg);
+const store = api.runtime.agent.session.loadSessionStore(cfg);
+await api.runtime.agent.session.saveSessionStore(cfg, store);
+const filePath = api.runtime.agent.session.resolveSessionFilePath(cfg, sessionId);
+```
+
+### `api.runtime.agent.defaults`
+
+Default model and provider constants:
+
+```typescript
+const model = api.runtime.agent.defaults.model; // e.g. "anthropic/claude-sonnet-4-6"
+const provider = api.runtime.agent.defaults.provider; // e.g. "anthropic"
+```
+
+### `api.runtime.subagent`
+
+Launch and manage background subagent runs.
+
+```typescript
+// Start a subagent run
+const { runId } = await api.runtime.subagent.run({
+  sessionKey: "agent:main:subagent:search-helper",
+  message: "Expand this query into focused follow-up searches.",
+  provider: "openai", // optional override
+  model: "gpt-4.1-mini", // optional override
+  deliver: false,
+});
+
+// Wait for completion
+const result = await api.runtime.subagent.waitForRun({ runId, timeoutMs: 30000 });
+
+// Read session messages
+const { messages } = await api.runtime.subagent.getSessionMessages({
+  sessionKey: "agent:main:subagent:search-helper",
+  limit: 10,
+});
+
+// Delete a session
+await api.runtime.subagent.deleteSession({
+  sessionKey: "agent:main:subagent:search-helper",
+});
+```
+
+<Warning>
+  Model overrides (`provider`/`model`) require operator opt-in via
+  `plugins.entries.<id>.subagent.allowModelOverride: true` in config.
+  Untrusted plugins can still run subagents, but override requests are rejected.
+</Warning>
+
+### `api.runtime.tts`
+
+Text-to-speech synthesis.
+
+```typescript
+// Standard TTS
+const clip = await api.runtime.tts.textToSpeech({
+  text: "Hello from OpenClaw",
+  cfg: api.config,
+});
+
+// Telephony-optimized TTS
+const telephonyClip = await api.runtime.tts.textToSpeechTelephony({
+  text: "Hello from OpenClaw",
+  cfg: api.config,
+});
+
+// List available voices
+const voices = await api.runtime.tts.listVoices({
+  provider: "elevenlabs",
+  cfg: api.config,
+});
+```
+
+Uses core `messages.tts` configuration and provider selection. Returns PCM audio
+buffer + sample rate.
+
+### `api.runtime.mediaUnderstanding`
+
+Image, audio, and video analysis.
+
+```typescript
+// Describe an image
+const image = await api.runtime.mediaUnderstanding.describeImageFile({
+  filePath: "/tmp/inbound-photo.jpg",
+  cfg: api.config,
+  agentDir: "/tmp/agent",
+});
+
+// Transcribe audio
+const { text } = await api.runtime.mediaUnderstanding.transcribeAudioFile({
+  filePath: "/tmp/inbound-audio.ogg",
+  cfg: api.config,
+  mime: "audio/ogg", // optional, for when MIME cannot be inferred
+});
+
+// Describe a video
+const video = await api.runtime.mediaUnderstanding.describeVideoFile({
+  filePath: "/tmp/inbound-video.mp4",
+  cfg: api.config,
+});
+
+// Generic file analysis
+const result = await api.runtime.mediaUnderstanding.runFile({
+  filePath: "/tmp/inbound-file.pdf",
+  cfg: api.config,
+});
+```
+
+Returns `{ text: undefined }` when no output is produced (e.g. skipped input).
+
+<Info>
+  `api.runtime.stt.transcribeAudioFile(...)` remains as a compatibility alias
+  for `api.runtime.mediaUnderstanding.transcribeAudioFile(...)`.
+</Info>
+
+### `api.runtime.imageGeneration`
+
+Image generation.
+
+```typescript
+const result = await api.runtime.imageGeneration.generate({
+  prompt: "A robot painting a sunset",
+  cfg: api.config,
+});
+
+const providers = api.runtime.imageGeneration.listProviders({ cfg: api.config });
+```
+
+### `api.runtime.webSearch`
+
+Web search.
+
+```typescript
+const providers = api.runtime.webSearch.listProviders({ config: api.config });
+
+const result = await api.runtime.webSearch.search({
+  config: api.config,
+  args: { query: "OpenClaw plugin SDK", count: 5 },
+});
+```
+
+### `api.runtime.media`
+
+Low-level media utilities.
+
+```typescript
+const webMedia = await api.runtime.media.loadWebMedia(url);
+const mime = await api.runtime.media.detectMime(buffer);
+const kind = api.runtime.media.mediaKindFromMime("image/jpeg"); // "image"
+const isVoice = api.runtime.media.isVoiceCompatibleAudio(filePath);
+const metadata = await api.runtime.media.getImageMetadata(filePath);
+const resized = await api.runtime.media.resizeToJpeg(buffer, { maxWidth: 800 });
+```
+
+### `api.runtime.config`
+
+Config load and write.
+
+```typescript
+const cfg = await api.runtime.config.loadConfig();
+await api.runtime.config.writeConfigFile(cfg);
+```
+
+### `api.runtime.system`
+
+System-level utilities.
+
+```typescript
+await api.runtime.system.enqueueSystemEvent(event);
+api.runtime.system.requestHeartbeatNow();
+const output = await api.runtime.system.runCommandWithTimeout(cmd, args, opts);
+const hint = api.runtime.system.formatNativeDependencyHint(pkg);
+```
+
+### `api.runtime.events`
+
+Event subscriptions.
+
+```typescript
+api.runtime.events.onAgentEvent((event) => {
+  /* ... */
+});
+api.runtime.events.onSessionTranscriptUpdate((update) => {
+  /* ... */
+});
+```
+
+### `api.runtime.logging`
+
+Logging.
+
+```typescript
+const verbose = api.runtime.logging.shouldLogVerbose();
+const childLogger = api.runtime.logging.getChildLogger({ plugin: "my-plugin" }, { level: "debug" });
+```
+
+### `api.runtime.modelAuth`
+
+Model and provider auth resolution.
+
+```typescript
+const auth = await api.runtime.modelAuth.getApiKeyForModel({ model, cfg });
+const providerAuth = await api.runtime.modelAuth.resolveApiKeyForProvider({
+  provider: "openai",
+  cfg,
+});
+```
+
+### `api.runtime.state`
+
+State directory resolution.
+
+```typescript
+const stateDir = api.runtime.state.resolveStateDir();
+```
+
+### `api.runtime.tools`
+
+Memory tool factories and CLI.
+
+```typescript
+const getTool = api.runtime.tools.createMemoryGetTool(/* ... */);
+const searchTool = api.runtime.tools.createMemorySearchTool(/* ... */);
+api.runtime.tools.registerMemoryCli(/* ... */);
+```
+
+### `api.runtime.channel`
+
+Channel-specific runtime helpers (available when a channel plugin is loaded).
+
+## Storing runtime references
+
+Use `createPluginRuntimeStore` to store the runtime reference for use outside
+the `register` callback:
+
+```typescript
+import { createPluginRuntimeStore } from "openclaw/plugin-sdk/runtime-store";
+import type { PluginRuntime } from "openclaw/plugin-sdk/runtime-store";
+
+const store = createPluginRuntimeStore<PluginRuntime>("my-plugin runtime not initialized");
+
+// In your entry point
+export default defineChannelPluginEntry({
+  id: "my-plugin",
+  name: "My Plugin",
+  description: "Example",
+  plugin: myPlugin,
+  setRuntime: store.setRuntime,
+});
+
+// In other files
+export function getRuntime() {
+  return store.getRuntime(); // throws if not initialized
+}
+
+export function tryGetRuntime() {
+  return store.tryGetRuntime(); // returns null if not initialized
+}
+```
+
+## Other top-level `api` fields
+
+Beyond `api.runtime`, the API object also provides:
+
+| Field                    | Type                      | Description                                               |
+| ------------------------ | ------------------------- | --------------------------------------------------------- |
+| `api.id`                 | `string`                  | Plugin id                                                 |
+| `api.name`               | `string`                  | Plugin display name                                       |
+| `api.config`             | `OpenClawConfig`          | Current config snapshot                                   |
+| `api.pluginConfig`       | `Record<string, unknown>` | Plugin-specific config from `plugins.entries.<id>.config` |
+| `api.logger`             | `PluginLogger`            | Scoped logger (`debug`, `info`, `warn`, `error`)          |
+| `api.registrationMode`   | `PluginRegistrationMode`  | `"full"`, `"setup-only"`, or `"setup-runtime"`            |
+| `api.resolvePath(input)` | `(string) => string`      | Resolve a path relative to the plugin root                |
+
+## Related
+
+- [SDK Overview](/plugins/sdk-overview) -- subpath reference
+- [SDK Entry Points](/plugins/sdk-entrypoints) -- `definePluginEntry` options
+- [Plugin Internals](/plugins/architecture) -- capability model and registry

docs/plugins/sdk-setup.md

@@ -0,0 +1,331 @@
+---
+title: "Plugin SDK Setup"
+sidebarTitle: "Setup and Config"
+summary: "Setup wizards, setup-entry.ts, config schemas, and package.json metadata"
+read_when:
+  - You are adding a setup wizard to a plugin
+  - You need to understand setup-entry.ts vs index.ts
+  - You are defining plugin config schemas or package.json openclaw metadata
+---
+
+# Plugin Setup and Config
+
+Reference for plugin packaging (`package.json` metadata), manifests
+(`openclaw.plugin.json`), setup entries, and config schemas.
+
+<Tip>
+  **Looking for a walkthrough?** The how-to guides cover packaging in context:
+  [Channel Plugins](/plugins/sdk-channel-plugins#step-1-package-and-manifest) and
+  [Provider Plugins](/plugins/sdk-provider-plugins#step-1-package-and-manifest).
+</Tip>
+
+## Package metadata
+
+Your `package.json` needs an `openclaw` field that tells the plugin system what
+your plugin provides:
+
+**Channel plugin:**
+
+```json
+{
+  "name": "@myorg/openclaw-my-channel",
+  "version": "1.0.0",
+  "type": "module",
+  "openclaw": {
+    "extensions": ["./index.ts"],
+    "setupEntry": "./setup-entry.ts",
+    "channel": {
+      "id": "my-channel",
+      "label": "My Channel",
+      "blurb": "Short description of the channel."
+    }
+  }
+}
+```
+
+**Provider plugin:**
+
+```json
+{
+  "name": "@myorg/openclaw-my-provider",
+  "version": "1.0.0",
+  "type": "module",
+  "openclaw": {
+    "extensions": ["./index.ts"],
+    "providers": ["my-provider"]
+  }
+}
+```
+
+### `openclaw` fields
+
+| Field        | Type       | Description                                                                                |
+| ------------ | ---------- | ------------------------------------------------------------------------------------------ |
+| `extensions` | `string[]` | Entry point files (relative to package root)                                               |
+| `setupEntry` | `string`   | Lightweight setup-only entry (optional)                                                    |
+| `channel`    | `object`   | Channel metadata: `id`, `label`, `blurb`, `selectionLabel`, `docsPath`, `order`, `aliases` |
+| `providers`  | `string[]` | Provider ids registered by this plugin                                                     |
+| `install`    | `object`   | Install hints: `npmSpec`, `localPath`, `defaultChoice`                                     |
+| `startup`    | `object`   | Startup behavior flags                                                                     |
+
+### Deferred full load
+
+Channel plugins can opt into deferred loading with:
+
+```json
+{
+  "openclaw": {
+    "extensions": ["./index.ts"],
+    "setupEntry": "./setup-entry.ts",
+    "startup": {
+      "deferConfiguredChannelFullLoadUntilAfterListen": true
+    }
+  }
+}
+```
+
+When enabled, OpenClaw loads only `setupEntry` during the pre-listen startup
+phase, even for already-configured channels. The full entry loads after the
+gateway starts listening.
+
+<Warning>
+  Only enable deferred loading when your `setupEntry` registers everything the
+  gateway needs before it starts listening (channel registration, HTTP routes,
+  gateway methods). If the full entry owns required startup capabilities, keep
+  the default behavior.
+</Warning>
+
+## Plugin manifest
+
+Every native plugin must ship an `openclaw.plugin.json` in the package root.
+OpenClaw uses this to validate config without executing plugin code.
+
+```json
+{
+  "id": "my-plugin",
+  "name": "My Plugin",
+  "description": "Adds My Plugin capabilities to OpenClaw",
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {
+      "webhookSecret": {
+        "type": "string",
+        "description": "Webhook verification secret"
+      }
+    }
+  }
+}
+```
+
+For channel plugins, add `kind` and `channels`:
+
+```json
+{
+  "id": "my-channel",
+  "kind": "channel",
+  "channels": ["my-channel"],
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {}
+  }
+}
+```
+
+Even plugins with no config must ship a schema. An empty schema is valid:
+
+```json
+{
+  "id": "my-plugin",
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false
+  }
+}
+```
+
+See [Plugin Manifest](/plugins/manifest) for the full schema reference.
+
+## Setup entry
+
+The `setup-entry.ts` file is a lightweight alternative to `index.ts` that
+OpenClaw loads when it only needs setup surfaces (onboarding, config repair,
+disabled channel inspection).
+
+```typescript
+// setup-entry.ts
+import { defineSetupPluginEntry } from "openclaw/plugin-sdk/core";
+import { myChannelPlugin } from "./src/channel.js";
+
+export default defineSetupPluginEntry(myChannelPlugin);
+```
+
+This avoids loading heavy runtime code (crypto libraries, CLI registrations,
+background services) during setup flows.
+
+**When OpenClaw uses `setupEntry` instead of the full entry:**
+
+- The channel is disabled but needs setup/onboarding surfaces
+- The channel is enabled but unconfigured
+- Deferred loading is enabled (`deferConfiguredChannelFullLoadUntilAfterListen`)
+
+**What `setupEntry` must register:**
+
+- The channel plugin object (via `defineSetupPluginEntry`)
+- Any HTTP routes required before gateway listen
+- Any gateway methods needed during startup
+
+**What `setupEntry` should NOT include:**
+
+- CLI registrations
+- Background services
+- Heavy runtime imports (crypto, SDKs)
+- Gateway methods only needed after startup
+
+## Config schema
+
+Plugin config is validated against the JSON Schema in your manifest. Users
+configure plugins via:
+
+```json5
+{
+  plugins: {
+    entries: {
+      "my-plugin": {
+        config: {
+          webhookSecret: "abc123",
+        },
+      },
+    },
+  },
+}
+```
+
+Your plugin receives this config as `api.pluginConfig` during registration.
+
+For channel-specific config, use the channel config section instead:
+
+```json5
+{
+  channels: {
+    "my-channel": {
+      token: "bot-token",
+      allowFrom: ["user1", "user2"],
+    },
+  },
+}
+```
+
+### Building channel config schemas
+
+Use `buildChannelConfigSchema` from `openclaw/plugin-sdk/core` to convert a
+Zod schema into the `ChannelConfigSchema` wrapper that OpenClaw validates:
+
+```typescript
+import { z } from "zod";
+import { buildChannelConfigSchema } from "openclaw/plugin-sdk/core";
+
+const accountSchema = z.object({
+  token: z.string().optional(),
+  allowFrom: z.array(z.string()).optional(),
+  accounts: z.object({}).catchall(z.any()).optional(),
+  defaultAccount: z.string().optional(),
+});
+
+const configSchema = buildChannelConfigSchema(accountSchema);
+```
+
+## Setup wizards
+
+Channel plugins can provide interactive setup wizards for `openclaw onboard`.
+The wizard is a `ChannelSetupWizard` object on the `ChannelPlugin`:
+
+```typescript
+import type { ChannelSetupWizard } from "openclaw/plugin-sdk/channel-setup";
+
+const setupWizard: ChannelSetupWizard = {
+  channel: "my-channel",
+  status: {
+    configuredLabel: "Connected",
+    unconfiguredLabel: "Not configured",
+    resolveConfigured: ({ cfg }) => Boolean((cfg.channels as any)?.["my-channel"]?.token),
+  },
+  credentials: [
+    {
+      inputKey: "token",
+      providerHint: "my-channel",
+      credentialLabel: "Bot token",
+      preferredEnvVar: "MY_CHANNEL_BOT_TOKEN",
+      envPrompt: "Use MY_CHANNEL_BOT_TOKEN from environment?",
+      keepPrompt: "Keep current token?",
+      inputPrompt: "Enter your bot token:",
+      inspect: ({ cfg, accountId }) => {
+        const token = (cfg.channels as any)?.["my-channel"]?.token;
+        return {
+          accountConfigured: Boolean(token),
+          hasConfiguredValue: Boolean(token),
+        };
+      },
+    },
+  ],
+};
+```
+
+The `ChannelSetupWizard` type supports `credentials`, `textInputs`,
+`dmPolicy`, `allowFrom`, `groupAccess`, `prepare`, `finalize`, and more.
+See bundled plugins (e.g. `extensions/discord/src/channel.setup.ts`) for
+full examples.
+
+For optional setup surfaces that should only appear in certain contexts, use
+`createOptionalChannelSetupSurface` from `openclaw/plugin-sdk/channel-setup`:
+
+```typescript
+import { createOptionalChannelSetupSurface } from "openclaw/plugin-sdk/channel-setup";
+
+const setupSurface = createOptionalChannelSetupSurface({
+  channel: "my-channel",
+  label: "My Channel",
+  npmSpec: "@myorg/openclaw-my-channel",
+  docsPath: "/channels/my-channel",
+});
+// Returns { setupAdapter, setupWizard }
+```
+
+## Publishing and installing
+
+**External plugins:** publish to [ClawHub](/tools/clawhub) or npm, then install:
+
+```bash
+openclaw plugins install @myorg/openclaw-my-plugin
+```
+
+OpenClaw tries ClawHub first and falls back to npm automatically. You can also
+force a specific source:
+
+```bash
+openclaw plugins install clawhub:@myorg/openclaw-my-plugin   # ClawHub only
+openclaw plugins install npm:@myorg/openclaw-my-plugin       # npm only
+```
+
+**In-repo plugins:** place under `extensions/` and they are automatically
+discovered during build.
+
+**Users can browse and install:**
+
+```bash
+openclaw plugins search <query>
+openclaw plugins install <package-name>
+```
+
+<Info>
+  For npm-sourced installs, `openclaw plugins install` runs
+  `npm install --ignore-scripts` (no lifecycle scripts). Keep plugin dependency
+  trees pure JS/TS and avoid packages that require `postinstall` builds.
+</Info>
+
+## Related
+
+- [SDK Entry Points](/plugins/sdk-entrypoints) -- `definePluginEntry` and `defineChannelPluginEntry`
+- [Plugin Manifest](/plugins/manifest) -- full manifest schema reference
+- [Building Plugins](/plugins/building-plugins) -- step-by-step getting started guide

docs/plugins/sdk-testing.md

@@ -0,0 +1,263 @@
+---
+title: "SDK Testing"
+sidebarTitle: "Testing"
+summary: "Testing utilities and patterns for OpenClaw plugins"
+read_when:
+  - You are writing tests for a plugin
+  - You need test utilities from the plugin SDK
+  - You want to understand contract tests for bundled plugins
+---
+
+# Plugin Testing
+
+Reference for test utilities, patterns, and lint enforcement for OpenClaw
+plugins.
+
+<Tip>
+  **Looking for test examples?** The how-to guides include worked test examples:
+  [Channel plugin tests](/plugins/sdk-channel-plugins#step-6-test) and
+  [Provider plugin tests](/plugins/sdk-provider-plugins#step-6-test).
+</Tip>
+
+## Test utilities
+
+**Import:** `openclaw/plugin-sdk/testing`
+
+The testing subpath exports a narrow set of helpers for plugin authors:
+
+```typescript
+import {
+  installCommonResolveTargetErrorCases,
+  shouldAckReaction,
+  removeAckReactionAfterReply,
+} from "openclaw/plugin-sdk/testing";
+```
+
+### Available exports
+
+| Export                                 | Purpose                                                |
+| -------------------------------------- | ------------------------------------------------------ |
+| `installCommonResolveTargetErrorCases` | Shared test cases for target resolution error handling |
+| `shouldAckReaction`                    | Check whether a channel should add an ack reaction     |
+| `removeAckReactionAfterReply`          | Remove ack reaction after reply delivery               |
+
+### Types
+
+The testing subpath also re-exports types useful in test files:
+
+```typescript
+import type {
+  ChannelAccountSnapshot,
+  ChannelGatewayContext,
+  OpenClawConfig,
+  PluginRuntime,
+  RuntimeEnv,
+  MockFn,
+} from "openclaw/plugin-sdk/testing";
+```
+
+## Testing target resolution
+
+Use `installCommonResolveTargetErrorCases` to add standard error cases for
+channel target resolution:
+
+```typescript
+import { describe } from "vitest";
+import { installCommonResolveTargetErrorCases } from "openclaw/plugin-sdk/testing";
+
+describe("my-channel target resolution", () => {
+  installCommonResolveTargetErrorCases({
+    resolveTarget: ({ to, mode, allowFrom }) => {
+      // Your channel's target resolution logic
+      return myChannelResolveTarget({ to, mode, allowFrom });
+    },
+    implicitAllowFrom: ["user1", "user2"],
+  });
+
+  // Add channel-specific test cases
+  it("should resolve @username targets", () => {
+    // ...
+  });
+});
+```
+
+## Testing patterns
+
+### Unit testing a channel plugin
+
+```typescript
+import { describe, it, expect, vi } from "vitest";
+
+describe("my-channel plugin", () => {
+  it("should resolve account from config", () => {
+    const cfg = {
+      channels: {
+        "my-channel": {
+          token: "test-token",
+          allowFrom: ["user1"],
+        },
+      },
+    };
+
+    const account = myPlugin.setup.resolveAccount(cfg, undefined);
+    expect(account.token).toBe("test-token");
+  });
+
+  it("should inspect account without materializing secrets", () => {
+    const cfg = {
+      channels: {
+        "my-channel": { token: "test-token" },
+      },
+    };
+
+    const inspection = myPlugin.setup.inspectAccount(cfg, undefined);
+    expect(inspection.configured).toBe(true);
+    expect(inspection.tokenStatus).toBe("available");
+    // No token value exposed
+    expect(inspection).not.toHaveProperty("token");
+  });
+});
+```
+
+### Unit testing a provider plugin
+
+```typescript
+import { describe, it, expect } from "vitest";
+
+describe("my-provider plugin", () => {
+  it("should resolve dynamic models", () => {
+    const model = myProvider.resolveDynamicModel({
+      modelId: "custom-model-v2",
+      // ... context
+    });
+
+    expect(model.id).toBe("custom-model-v2");
+    expect(model.provider).toBe("my-provider");
+    expect(model.api).toBe("openai-completions");
+  });
+
+  it("should return catalog when API key is available", async () => {
+    const result = await myProvider.catalog.run({
+      resolveProviderApiKey: () => ({ apiKey: "test-key" }),
+      // ... context
+    });
+
+    expect(result?.provider?.models).toHaveLength(2);
+  });
+});
+```
+
+### Mocking the plugin runtime
+
+For code that uses `createPluginRuntimeStore`, mock the runtime in tests:
+
+```typescript
+import { createPluginRuntimeStore } from "openclaw/plugin-sdk/runtime-store";
+import type { PluginRuntime } from "openclaw/plugin-sdk/runtime-store";
+
+const store = createPluginRuntimeStore<PluginRuntime>("test runtime not set");
+
+// In test setup
+const mockRuntime = {
+  agent: {
+    resolveAgentDir: vi.fn().mockReturnValue("/tmp/agent"),
+    // ... other mocks
+  },
+  config: {
+    loadConfig: vi.fn(),
+    writeConfigFile: vi.fn(),
+  },
+  // ... other namespaces
+} as unknown as PluginRuntime;
+
+store.setRuntime(mockRuntime);
+
+// After tests
+store.clearRuntime();
+```
+
+### Testing with per-instance stubs
+
+Prefer per-instance stubs over prototype mutation:
+
+```typescript
+// Preferred: per-instance stub
+const client = new MyChannelClient();
+client.sendMessage = vi.fn().mockResolvedValue({ id: "msg-1" });
+
+// Avoid: prototype mutation
+// MyChannelClient.prototype.sendMessage = vi.fn();
+```
+
+## Contract tests (in-repo plugins)
+
+Bundled plugins have contract tests that verify registration ownership:
+
+```bash
+pnpm test -- src/plugins/contracts/
+```
+
+These tests assert:
+
+- Which plugins register which providers
+- Which plugins register which speech providers
+- Registration shape correctness
+- Runtime contract compliance
+
+### Running scoped tests
+
+For a specific plugin:
+
+```bash
+pnpm test -- extensions/my-channel/
+```
+
+For contract tests only:
+
+```bash
+pnpm test -- src/plugins/contracts/shape.contract.test.ts
+pnpm test -- src/plugins/contracts/auth.contract.test.ts
+pnpm test -- src/plugins/contracts/runtime.contract.test.ts
+```
+
+## Lint enforcement (in-repo plugins)
+
+Three rules are enforced by `pnpm check` for in-repo plugins:
+
+1. **No monolithic root imports** -- `openclaw/plugin-sdk` root barrel is rejected
+2. **No direct `src/` imports** -- plugins cannot import `../../src/` directly
+3. **No self-imports** -- plugins cannot import their own `plugin-sdk/<name>` subpath
+
+External plugins are not subject to these lint rules, but following the same
+patterns is recommended.
+
+## Test configuration
+
+OpenClaw uses Vitest with V8 coverage thresholds. For plugin tests:
+
+```bash
+# Run all tests
+pnpm test
+
+# Run specific plugin tests
+pnpm test -- extensions/my-channel/src/channel.test.ts
+
+# Run with a specific test name filter
+pnpm test -- extensions/my-channel/ -t "resolves account"
+
+# Run with coverage
+pnpm test:coverage
+```
+
+If local runs cause memory pressure:
+
+```bash
+OPENCLAW_TEST_PROFILE=low OPENCLAW_TEST_SERIAL_GATEWAY=1 pnpm test
+```
+
+## Related
+
+- [SDK Overview](/plugins/sdk-overview) -- import conventions
+- [SDK Channel Plugins](/plugins/sdk-channel-plugins) -- channel plugin interface
+- [SDK Provider Plugins](/plugins/sdk-provider-plugins) -- provider plugin hooks
+- [Building Plugins](/plugins/building-plugins) -- getting started guide

docs/reference/test.md

@@ -13,6 +13,8 @@ title: "Tests"
 - `pnpm test:coverage`: Runs the unit suite with V8 coverage (via `vitest.unit.config.ts`). Global thresholds are 70% lines/branches/functions/statements. Coverage excludes integration-heavy entrypoints (CLI wiring, gateway/telegram bridges, webchat static server) to keep the target focused on unit-testable logic.
 - `pnpm test` on Node 22, 23, and 24 uses Vitest `vmForks` by default for local runs with enough memory. CI stays on `forks` unless explicitly overridden. Node 25+ falls back to `forks` until re-validated. You can force behavior with `OPENCLAW_TEST_VM_FORKS=0|1`.
 - `pnpm test`: runs the full wrapper. It keeps only a small behavioral override manifest in git, then uses a checked-in timing snapshot to peel the heaviest measured unit files into dedicated lanes.
+- Unit files default to `threads` in the wrapper; keep fork-only or singleton exceptions documented in `test/fixtures/test-parallel.behavior.json`.
+- `pnpm test:extensions` now defaults to `threads` via `vitest.extensions.config.ts`; the March 22, 2026 direct full-suite control run passed clean without extension-specific fork exceptions.
 - Files marked `singletonIsolated` no longer spawn one fresh Vitest process each by default. The wrapper batches them into dedicated `forks` lanes with `maxWorkers=1`, which preserves isolation from `unit-fast` while cutting process startup overhead. Tune lane count with `OPENCLAW_TEST_SINGLETON_ISOLATED_LANES=<n>`.
 - `pnpm test:channels`: runs channel-heavy suites.
 - `pnpm test:extensions`: runs extension/plugin suites.

docs/start/openclaw.md

@@ -192,6 +192,11 @@ MEDIA:https://example.com/screenshot.png
 
 OpenClaw extracts these and sends them as media alongside the text.
 
+For local paths, the default allowlist is intentionally narrow: the OpenClaw temp
+root, the media cache, agent workspace paths, and sandbox-generated files. If you
+need broader local-file attachment roots, configure an explicit channel/plugin
+allowlist instead of relying on arbitrary host paths.
+
 ## Operations checklist
 
 ```bash

docs/tools/acp-agents.md

@@ -528,7 +528,7 @@ Then verify backend health:
 
 ### acpx command and version configuration
 
-By default, the acpx plugin (published as `@openclaw/acpx`) uses the plugin-local pinned binary:
+By default, the bundled acpx backend plugin (`acpx`) uses the plugin-local pinned binary:
 
 1. Command defaults to `extensions/acpx/node_modules/.bin/acpx`.
 2. Expected version defaults to the extension pin.

docs/tools/clawhub.md

@@ -1,5 +1,5 @@
 ---
-summary: "ClawHub guide: public skills registry + CLI workflows"
+summary: "ClawHub guide: public registry, native OpenClaw install flows, and ClawHub CLI workflows"
 read_when:
   - Introducing ClawHub to new users
   - Installing, searching, or publishing skills
@@ -9,10 +9,41 @@ title: "ClawHub"
 
 # ClawHub
 
-ClawHub is the **public skill registry for OpenClaw**. It is a free service: all skills are public, open, and visible to everyone for sharing and reuse. A skill is just a folder with a `SKILL.md` file (plus supporting text files). You can browse skills in the web app or use the CLI to search, install, update, and publish skills.
+ClawHub is the public registry for **OpenClaw skills and plugins**.
+
+- Use native `openclaw` commands to search/install/update skills and install
+  plugins from ClawHub.
+- Use the separate `clawhub` CLI when you need registry auth, publish, delete,
+  undelete, or sync workflows.
 
 Site: [clawhub.ai](https://clawhub.ai)
 
+## Native OpenClaw flows
+
+Skills:
+
+```bash
+openclaw skills search "calendar"
+openclaw skills install <skill-slug>
+openclaw skills update --all
+```
+
+Plugins:
+
+```bash
+openclaw plugins install clawhub:<package>
+openclaw plugins update --all
+```
+
+Bare npm-safe plugin specs are also tried against ClawHub before npm:
+
+```bash
+openclaw plugins install openclaw-codex-app-server
+```
+
+Native `openclaw` commands install into your active workspace and persist source
+metadata so later `update` calls can stay on ClawHub.
+
 ## What ClawHub is
 
 - A public registry for OpenClaw skills.
@@ -45,16 +76,17 @@ If you want to add new capabilities to your OpenClaw agent, ClawHub is the easie
 
 ## Quick start (non-technical)
 
-1. Install the CLI (see next section).
-2. Search for something you need:
-   - `clawhub search "calendar"`
-3. Install a skill:
-   - `clawhub install <skill-slug>`
-4. Start a new OpenClaw session so it picks up the new skill.
+1. Search for something you need:
+   - `openclaw skills search "calendar"`
+2. Install a skill:
+   - `openclaw skills install <skill-slug>`
+3. Start a new OpenClaw session so it picks up the new skill.
+4. If you want to publish or manage registry auth, install the separate
+   `clawhub` CLI too.
 
-## Install the CLI
+## Install the ClawHub CLI
 
-Pick one:
+You only need this for registry-authenticated workflows such as publish/sync:
 
 ```bash
 npm i -g clawhub
@@ -66,7 +98,16 @@ pnpm add -g clawhub
 
 ## How it fits into OpenClaw
 
-By default, the CLI installs skills into `./skills` under your current working directory. If an OpenClaw workspace is configured, `clawhub` falls back to that workspace unless you override `--workdir` (or `CLAWHUB_WORKDIR`). OpenClaw loads workspace skills from `<workspace>/skills` and will pick them up in the **next** session. If you already use `~/.openclaw/skills` or bundled skills, workspace skills take precedence.
+Native `openclaw skills install` installs into the active workspace `skills/`
+directory. `openclaw plugins install clawhub:...` records a normal managed
+plugin install plus ClawHub source metadata for updates.
+
+The separate `clawhub` CLI also installs skills into `./skills` under your
+current working directory. If an OpenClaw workspace is configured, `clawhub`
+falls back to that workspace unless you override `--workdir` (or
+`CLAWHUB_WORKDIR`). OpenClaw loads workspace skills from `<workspace>/skills`
+and will pick them up in the **next** session. If you already use
+`~/.openclaw/skills` or bundled skills, workspace skills take precedence.
 
 For more detail on how skills are loaded, shared, and gated, see
 [Skills](/tools/skills).

docs/tools/exec-approvals.md

@@ -107,6 +107,25 @@ If a prompt is required but no UI is reachable, fallback decides:
 - **allowlist**: allow only if allowlist matches.
 - **full**: allow.
 
+### Inline interpreter eval hardening (`tools.exec.strictInlineEval`)
+
+When `tools.exec.strictInlineEval=true`, OpenClaw treats inline code-eval forms as approval-only even if the interpreter binary itself is allowlisted.
+
+Examples:
+
+- `python -c`
+- `node -e`, `node --eval`, `node -p`
+- `ruby -e`
+- `perl -e`, `perl -E`
+- `php -r`
+- `lua -e`
+- `osascript -e`
+
+This is defense-in-depth for interpreter loaders that do not map cleanly to one stable file operand. In strict mode:
+
+- these commands still need explicit approval;
+- `allow-always` does not persist new allowlist entries for them automatically.
+
 ## Allowlist (per agent)
 
 Allowlists are **per agent**. If multiple agents exist, switch which agent you’re
@@ -141,7 +160,7 @@ Important trust notes:
 
 ## Safe bins (stdin-only)
 
-`tools.exec.safeBins` defines a small list of **stdin-only** binaries (for example `jq`)
+`tools.exec.safeBins` defines a small list of **stdin-only** binaries (for example `cut`)
 that can run in allowlist mode **without** explicit allowlist entries. Safe bins reject
 positional file args and path-like tokens, so they can only operate on the incoming stream.
 Treat this as a narrow fast-path for stream filters, not a general trust list.
@@ -194,8 +213,15 @@ For allow-always decisions in allowlist mode, known dispatch wrappers
 paths. Shell multiplexers (`busybox`, `toybox`) are also unwrapped for shell applets (`sh`, `ash`,
 etc.) so inner executables are persisted instead of multiplexer binaries. If a wrapper or
 multiplexer cannot be safely unwrapped, no allowlist entry is persisted automatically.
+If you allowlist interpreters like `python3` or `node`, prefer `tools.exec.strictInlineEval=true` so inline eval still requires an explicit approval.
 
-Default safe bins: `jq`, `cut`, `uniq`, `head`, `tail`, `tr`, `wc`.
+Default safe bins:
+
+[//]: # "SAFE_BIN_DEFAULTS:START"
+
+`cut`, `uniq`, `head`, `tail`, `tr`, `wc`
+
+[//]: # "SAFE_BIN_DEFAULTS:END"
 
 `grep` and `sort` are not in the default list. If you opt in, keep explicit allowlist entries for
 their non-stdin workflows.
@@ -209,7 +235,7 @@ rejected so file operands cannot be smuggled as ambiguous positionals.
 | Goal             | Auto-allow narrow stdin filters                        | Explicitly trust specific executables                        |
 | Match type       | Executable name + safe-bin argv policy                 | Resolved executable path glob pattern                        |
 | Argument scope   | Restricted by safe-bin profile and literal-token rules | Path match only; arguments are otherwise your responsibility |
-| Typical examples | `jq`, `head`, `tail`, `wc`                             | `python3`, `node`, `ffmpeg`, custom CLIs                     |
+| Typical examples | `head`, `tail`, `tr`, `wc`                             | `jq`, `python3`, `node`, `ffmpeg`, custom CLIs               |
 | Best use         | Low-risk text transforms in pipelines                  | Any tool with broader behavior or side effects               |
 
 Configuration location:
@@ -241,6 +267,10 @@ Custom profile example:
 }
 ```
 
+If you explicitly opt `jq` into `safeBins`, OpenClaw still rejects the `env` builtin in safe-bin
+mode so `jq -n env` cannot dump the host process environment without an explicit allowlist path
+or approval prompt.
+
 ## Control UI editing
 
 Use the **Control UI → Nodes → Exec approvals** card to edit defaults, per‑agent

docs/tools/exec.md

@@ -56,6 +56,7 @@ Notes:
 - `tools.exec.security` (default: `deny` for sandbox, `allowlist` for gateway + node when unset)
 - `tools.exec.ask` (default: `on-miss`)
 - `tools.exec.node` (default: unset)
+- `tools.exec.strictInlineEval` (default: false): when true, inline interpreter eval forms such as `python -c`, `node -e`, `ruby -e`, `perl -e`, `php -r`, `lua -e`, and `osascript -e` always require explicit approval and are never persisted by `allow-always`.
 - `tools.exec.pathPrepend`: list of directories to prepend to `PATH` for exec runs (gateway + sandbox only).
 - `tools.exec.safeBins`: stdin-only safe binaries that can run without explicit allowlist entries. For behavior details, see [Safe bins](/tools/exec-approvals#safe-bins-stdin-only).
 - `tools.exec.safeBinTrustedDirs`: additional explicit directories trusted for `safeBins` path checks. `PATH` entries are never auto-trusted. Built-in defaults are `/bin` and `/usr/bin`.
@@ -143,6 +144,8 @@ Use the two controls for different jobs:
 
 Do not treat `safeBins` as a generic allowlist, and do not add interpreter/runtime binaries (for example `python3`, `node`, `ruby`, `bash`). If you need those, use explicit allowlist entries and keep approval prompts enabled.
 `openclaw security audit` warns when interpreter/runtime `safeBins` entries are missing explicit profiles, and `openclaw doctor --fix` can scaffold missing custom `safeBinProfiles` entries.
+`openclaw security audit` and `openclaw doctor` also warn when you explicitly add broad-behavior bins such as `jq` back into `safeBins`.
+If you explicitly allowlist interpreters, enable `tools.exec.strictInlineEval` so inline code-eval forms still require a fresh approval.
 
 For full policy details and examples, see [Exec approvals](/tools/exec-approvals#safe-bins-stdin-only) and [Safe bins versus allowlist](/tools/exec-approvals#safe-bins-versus-allowlist).
 

docs/tools/plugin.md

@@ -56,6 +56,9 @@ OpenClaw recognizes two plugin formats:
 
 Both show up under `openclaw plugins list`. See [Plugin Bundles](/plugins/bundles) for bundle details.
 
+If you are writing a native plugin, start with [Building Plugins](/plugins/building-plugins)
+and the [Plugin SDK Overview](/plugins/sdk-overview).
+
 ## Official plugins
 
 ### Installable (npm)
@@ -190,7 +193,8 @@ openclaw plugins inspect <id> --json     # machine-readable
 openclaw plugins status                  # operational summary
 openclaw plugins doctor                  # diagnostics
 
-openclaw plugins install <npm-spec>      # install from npm
+openclaw plugins install <package>        # install (ClawHub first, then npm)
+openclaw plugins install clawhub:<pkg>   # install from ClawHub only
 openclaw plugins install <path>          # install from local path
 openclaw plugins install -l <path>       # link (no copy) for dev
 openclaw plugins update <id>             # update one plugin

docs/tools/skills.md

@@ -50,21 +50,24 @@ tool surface those skills teach.
 ## ClawHub (install + sync)
 
 ClawHub is the public skills registry for OpenClaw. Browse at
-[https://clawhub.com](https://clawhub.com). Use it to discover, install, update, and back up skills.
+[https://clawhub.com](https://clawhub.com). Use native `openclaw skills`
+commands to discover/install/update skills, or the separate `clawhub` CLI when
+you need publish/sync workflows.
 Full guide: [ClawHub](/tools/clawhub).
 
 Common flows:
 
 - Install a skill into your workspace:
-  - `clawhub install <skill-slug>`
+  - `openclaw skills install <skill-slug>`
 - Update all installed skills:
-  - `clawhub update --all`
+  - `openclaw skills update --all`
 - Sync (scan + publish updates):
   - `clawhub sync --all`
 
-By default, `clawhub` installs into `./skills` under your current working
-directory (or falls back to the configured OpenClaw workspace). OpenClaw picks
-that up as `<workspace>/skills` on the next session.
+Native `openclaw skills install` installs into the active workspace `skills/`
+directory. The separate `clawhub` CLI also installs into `./skills` under your
+current working directory (or falls back to the configured OpenClaw workspace).
+OpenClaw picks that up as `<workspace>/skills` on the next session.
 
 ## Security notes
 

docs/tools/thinking.md

@@ -28,8 +28,9 @@ title: "Thinking Levels"
 
 1. Inline directive on the message (applies only to that message).
 2. Session override (set by sending a directive-only message).
-3. Global default (`agents.defaults.thinkingDefault` in config).
-4. Fallback: `adaptive` for Anthropic Claude 4.6 models, `low` for other reasoning-capable models, `off` otherwise.
+3. Per-agent default (`agents.list[].thinkingDefault` in config).
+4. Global default (`agents.defaults.thinkingDefault` in config).
+5. Fallback: `adaptive` for Anthropic Claude 4.6 models, `low` for other reasoning-capable models, `off` otherwise.
 
 ## Setting a session default
 
@@ -50,8 +51,9 @@ title: "Thinking Levels"
 - OpenClaw resolves fast mode in this order:
   1. Inline/directive-only `/fast on|off`
   2. Session override
-  3. Per-model config: `agents.defaults.models["<provider>/<model>"].params.fastMode`
-  4. Fallback: `off`
+  3. Per-agent default (`agents.list[].fastModeDefault`)
+  4. Per-model config: `agents.defaults.models["<provider>/<model>"].params.fastMode`
+  5. Fallback: `off`
 - For `openai/*`, fast mode applies the OpenAI fast profile: `service_tier=priority` when supported, plus low reasoning effort and low text verbosity.
 - For `openai-codex/*`, fast mode applies the same low-latency profile on Codex Responses. OpenClaw keeps one shared `/fast` toggle across both auth paths.
 - For direct `anthropic/*` API-key requests, fast mode maps to Anthropic service tiers: `/fast on` sets `service_tier=auto`, `/fast off` sets `service_tier=standard_only`.
@@ -76,6 +78,7 @@ title: "Thinking Levels"
 - `stream` (Telegram only): streams reasoning into the Telegram draft bubble while the reply is generating, then sends the final answer without reasoning.
 - Alias: `/reason`.
 - Send `/reasoning` (or `/reasoning:`) with no argument to see the current reasoning level.
+- Resolution order: inline directive, then session override, then per-agent default (`agents.list[].reasoningDefault`), then fallback (`off`).
 
 ## Related
 

docs/tools/tts.md

@@ -390,9 +390,9 @@ Notes:
 
 ## Agent tool
 
-The `tts` tool converts text to speech and returns a `MEDIA:` path. When the
-result is Telegram-compatible, the tool includes `[[audio_as_voice]]` so
-Telegram sends a voice bubble.
+The `tts` tool converts text to speech and returns an audio attachment for
+reply delivery. When the result is Telegram-compatible, OpenClaw marks it for
+voice-bubble delivery.
 
 ## Gateway RPC
 

docs/tts.md

@@ -390,9 +390,9 @@ Notes:
 
 ## Agent tool
 
-The `tts` tool converts text to speech and returns a `MEDIA:` path. When the
-result is Telegram-compatible, the tool includes `[[audio_as_voice]]` so
-Telegram sends a voice bubble.
+The `tts` tool converts text to speech and returns an audio attachment for
+reply delivery. When the result is Telegram-compatible, OpenClaw marks it for
+voice-bubble delivery.
 
 ## Gateway RPC
 

docs/zh-CN/cli/index.md

@@ -37,7 +37,6 @@ x-i18n:
 - [`status`](/cli/status)
 - [`health`](/cli/health)
 - [`sessions`](/cli/sessions)
-- [`report`](/cli/report)
 - [`gateway`](/cli/gateway)
 - [`logs`](/cli/logs)
 - [`system`](/cli/system)
@@ -157,10 +156,6 @@ openclaw [--dev] [--profile <name>] <command>
   status
   health
   sessions
-  report
-    bug
-    feature
-    security
   gateway
     call
     health